COMPUTER ARITHMETIC
home.deib.polimi.it/pelosi/lib/exe/fetch.php?media=... · 2011-05-02
13/05/2010 cryptography - math background pp. 1 / 162
RECALL OF COMPUTER ARITHMETIC
• computers implement some types of arithmetic
• for instance, addition, subtraction, multiplication of integers and reals
• necessary for basic computations as found in the programming languages
• arithmetic operations directly supported by the processor
• but normally unsuited for cryptography …
COMPUTER ARITHMETIC
• computers can perform standard arithmetic operations on:
– integers, i.e. 0 1 2 … −1 −2 …
– reals, i.e. 1,2 −4,3 1,5 × 10^6 …
– sometimes also other kinds of numbers, e.g., complex numbers
– and normally NOTHING ELSE
COMPUTER ARITHMETIC
• standard computer operations are:
– arithmetic 1st species: addition, subtraction.
– arithmetic 2nd species: multiplication, division (integer or real).
– possibly arithmetic 3rd species: power, root, …
– sometimes (infrequently) transcendental: exp, log, trigonometry, …
COMPUTER ARITHMETIC
• all the previous operations can be computed directly by the processor of the computer
• machine (assembler) instructions exist for each operation
• numbers are normally represented in:
– two’s complement (integers)
– IEEE 754 Floating Point (reals)
INTEGERS – NATURAL
• natural binary: binary digit b ∈ { 0, 1 }
$b_n b_{n-1} b_{n-2} \ldots b_3 b_2 b_1 = b_n 2^{n-1} + b_{n-1} 2^{n-2} + \ldots + b_2 2^1 + b_1 2^0$
• range: [0, 2^n − 1].
• for instance: 10101100 = 2^7 + 2^5 + 2^3 + 2^2 = 128 + 32 + 8 + 4 = 172
INTEGERS – TWO’S COMPLEMENT
• two’s complement: binary digit b ∈ { 0, 1 }
$\sigma b_{n-1} b_{n-2} \ldots b_3 b_2 b_1 = -\sigma 2^{n-1} + b_{n-1} 2^{n-2} + \ldots + b_2 2^1 + b_1 2^0$
• bit σ is called “sign bit”
• range: [−2^(n−1), 2^(n−1) − 1].
• for instance: 01001101 = +2^6 + 2^3 + 2^2 + 2^0 = 32 + 8 + 4 + 1 = 45
• and: 10101100 = −2^7 + 2^5 + 2^3 + 2^2 = −128 + 32 + 8 + 4 = −84
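The two readings of one bit pattern, as an added example that is not part of the slides: the functions below convert an n-bit string to a natural binary number and to a two’s complement number following the two formulas above, and encode an integer back into n bits, refusing values outside the stated range. All function names are the example’s own.

```python
# Added example (not from the slides): one n-bit pattern read as a natural binary
# number and as a two's complement number, plus encoding an integer back into n bits.


def from_natural_binary(bits):
    """b_n ... b_1 -> b_n*2^(n-1) + ... + b_1*2^0, in the range [0, 2^n - 1]."""
    value = 0
    for b in bits:
        if b not in "01":
            raise ValueError("not a binary digit: %r" % b)
        value = value * 2 + int(b)          # shift left and add the next bit
    return value


def from_twos_complement(bits):
    """sigma b_(n-1) ... b_1 -> -sigma*2^(n-1) + b_(n-1)*2^(n-2) + ... + b_1*2^0."""
    n = len(bits)
    if n == 0:
        raise ValueError("empty bit string")
    sign_weight = -(1 << (n - 1)) if bits[0] == "1" else 0   # the sign bit sigma
    return sign_weight + from_natural_binary(bits[1:])       # remaining n-1 bits


def fits_twos_complement(x, n):
    """True iff x lies in the n-bit range [-2^(n-1), 2^(n-1) - 1]."""
    return -(1 << (n - 1)) <= x <= (1 << (n - 1)) - 1


def to_twos_complement(x, n):
    """Encode x in n bits, refusing values that would silently wrap around."""
    if not fits_twos_complement(x, n):
        raise OverflowError("%d does not fit in %d-bit two's complement" % (x, n))
    pattern = x if x >= 0 else x + (1 << n)   # adding 2^n sets the sign bit
    return format(pattern, "0%db" % n)


def reinterpret(bits):
    """Both readings of the same pattern: (as natural binary, as two's complement)."""
    return from_natural_binary(bits), from_twos_complement(bits)


if __name__ == "__main__":
    print(reinterpret("10101100"))      # (172, -84)
    print(to_twos_complement(-84, 8))   # 10101100
```

The pattern 10101100 reads as 172 in natural binary and as −84 in two’s complement; code that stores a value under one interpretation and reads it under the other (a signed length compared against an unsigned bound, for instance) silently changes its sign. The range check in to_twos_complement is the check that fixed-width hardware addition and multiplication do not perform for you.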
ADDITION OF NATURAL INTEGERS
ADDITION OF TWO’S COMPLEMENT INTEGERS
NATURAL MULTIPLICATION
FULL ADDER
Full Adder: inputs a, b, cin; outputs cout, sum

a  b  cin | cout  sum | a + b + cin
0  0  0   |  0     0  |  0
0  0  1   |  0     1  |  1
0  1  0   |  0     1  |  1
0  1  1   |  1     0  |  2
1  0  0   |  0     1  |  1
1  0  1   |  1     0  |  2
1  1  0   |  1     0  |  2
1  1  1   |  1     1  |  3

• sum = a XOR b XOR cin
• cout = a AND b OR a AND cin OR b AND cin
RIPPLE CARRY ADDER – addition of natural integers of 3 bits
[diagram: three Full Adders in a chain; inputs a2 b2, a1 b1, a0 b0; sum outputs s2 s1 s0; carries c0 (in), c1, c2, c3 (out)]
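The full adder of the previous slide and the 3-bit ripple carry adder of this one, as an added example (not code from the slides): full_adder implements the two Boolean equations, truth_table regenerates the table from it, and ripple_carry_add chains one full adder per bit position, feeding each carry c_i into the next stage. The helper names are the example’s own.

```python
# Added example (not from the slides): the full adder's two Boolean equations as
# code, the truth table regenerated from them, and a ripple carry adder that
# chains one full adder per bit position.


def full_adder(a, b, cin):
    """One bit position: returns (cout, sum)."""
    s = a ^ b ^ cin                                  # sum = a XOR b XOR cin
    cout = (a & b) | (a & cin) | (b & cin)           # majority of the three inputs
    return cout, s


def truth_table():
    """Rows (a, b, cin, cout, sum, a+b+cin) in the order of the slide's table."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            for cin in (0, 1):
                cout, s = full_adder(a, b, cin)
                rows.append((a, b, cin, cout, s, a + b + cin))
    return rows


def ripple_carry_add(a_bits, b_bits, c0=0):
    """Add two n-bit naturals given as bit lists, index 0 = least significant
    (a0, b0 in the diagram). Stage i takes carry c_i and produces c_(i+1).
    Returns (sum bits s0..s_(n-1), final carry c_n)."""
    if len(a_bits) != len(b_bits):
        raise ValueError("operands must have the same width")
    carry, sum_bits = c0, []
    for a, b in zip(a_bits, b_bits):
        carry, s = full_adder(a, b, carry)
        sum_bits.append(s)
    return sum_bits, carry


def int_to_bits(x, n):
    """Natural number -> n bits, least significant first."""
    if not 0 <= x < (1 << n):
        raise ValueError("%d does not fit in %d bits" % (x, n))
    return [(x >> i) & 1 for i in range(n)]


def bits_to_int(bits):
    return sum(bit << i for i, bit in enumerate(bits))


def add_n_bits(x, y, n):
    """What an n-bit adder returns: the sum truncated to n bits, and whether the
    carry out of the last stage (the dropped 2^n) was set."""
    sum_bits, c_n = ripple_carry_add(int_to_bits(x, n), int_to_bits(y, n))
    return bits_to_int(sum_bits), c_n == 1


if __name__ == "__main__":
    for row in truth_table():
        print(row)
    print(add_n_bits(7, 1, 3))          # (0, True): 111 + 001 wraps to 000, c3 = 1
```

add_n_bits shows what the hardware does at the top of the range: in 3 bits, 7 + 1 produces the sum bits 000 and a carry c3 = 1. A processor keeps the 0 and raises a carry flag; this wrap-around is both why fixed-width integer arithmetic is unsuited to cryptography and the mechanism behind integer overflow bugs.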
CONSIDERATIONS
• integer and real computer arithmetic is NOT used (or seldom used) for cryptography
• instead, finite algebraic structures are generally adopted
• for instance, finite FIELDS or RINGS
• theory of such structures follows
ALGEBRAIC STRUCTURES
ALGEBRAIC STRUCTURE
• an algebraic structure A is: A = ⟨ S, op1, op2, …, s0, s1, … ⟩
• where:
S is a set of elements, or “numbers” (in a very broad sense), called “support set”
op_i is a binary operator over the elements of the support set S
s_i is a special element of the support set S
STRUCTURES – EXAMPLES
• natural integers (semigroup): N = ⟨ {1, 2, 3, …}, + ⟩
natural numbers, equipped with the binary operator of addition (+)
• natural integers plus 0 (monoid): N0 = ⟨ {0, 1, 2, 3, …}, +, 0 ⟩
natural numbers, equipped with the binary operator of addition (+), plus the special element 0 (neutral element for +)
STRUCTURES – EXAMPLE
• relative integers (abelian group): ⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩
relative integer numbers, equipped with:
the binary operator of addition (+)
the special element 0, neutral for (+)
• this is an algebraic structure with one operation and one special element
STRUCTURES – EXAMPLE
• natural integers (semiring): ⟨ {1, 2, 3, …}, +, ×, 1 ⟩
natural integer numbers, equipped with:
the binary operator of addition (+)
the binary operator of multiplication (×)
the special element 1, neutral for (×)
• an algebraic structure with two operations and one special element
STRUCTURES – EXAMPLE
• relative integers (commutative ring): Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, ×, 0, 1 ⟩
relative integer numbers, equipped with:
the binary operator of addition (+)
the binary operator of multiplication (×)
the special element 0, neutral for (+)
the special element 1, neutral for (×)
• an algebraic structure with two operations and two special elements
CONSIDERATIONS
• there are many possible algebraic structures
• each of them is characterized by properties (axioms and theorems)
• for instance:
a + b = b + a (axiom for N)
a^2 − b^2 = (a + b) × (a − b) (theorem for Z)
GROUPS
DEFINITION
• a GROUP G is an algebraic structure: G = ⟨ S, ⋅, 1 ⟩
• WHERE:
S is the support set
⋅ is a binary operator, called “product”
1 is a special element, neutral for (⋅)
• if the support S is a finite set, G is said to be a “finite group”
AXIOMS OF GROUP
• groups must satisfy (by definition) the following axioms
• for every a, b, c ∈ S:
a ⋅ b ∈ S (closure)
(a ⋅ b) ⋅ c = a ⋅ (b ⋅ c) (associativity)
1 ⋅ a = a ⋅ 1 = a (1 is neutral and commutes)
∃ a’ such that a ⋅ a’ = a’ ⋅ a = 1 (existence of the inverse)
GROUPS – EXAMPLE
• the group of non-singular square matrices of order 2, with real elements
M = ⟨ M2,2, matrix product, identity matrix I ⟩
M is closed
the matrix product is associative
the matrix I is the neutral element for the product
each matrix admits an inverse one
NOTE: matrix product is NOT commutative
ABELIAN GROUPS
• in some groups, the product operator is commutative, i.e., a ⋅ b = b ⋅ a
• abelian (or commutative) group: a group G such that the operator (⋅) is commutative
G = ⟨ S, +, 1 ⟩
• in abelian groups, the symbol (⋅) is normally replaced by (+), which is called “addition” instead of “product”
• PAY ATTENTION: a few mathematicians still go on calling (+) a “product” operator !!
ABELIAN GROUPS – EXAMPLES
• the world is full of abelian groups
• for instance:
relative integers, with addition: Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩
rational numbers, with multiplication: Q = ⟨ {…, p / q, …}, ×, 1 ⟩
and many others …
ITERATED OPERATION
• given a group G (not necessarily abelian), an element g of the group G, and a positive or null integer k ≥ 0, it is defined:
g^k = g ⋅ g ⋅ … ⋅ g (for k times)
g^0 = 1 (if k = 0)
• the operation “g^k” is called “iterated multiplication” (or “power”)
• most cryptography lives on it
ITERATION – EXAMPLES
• given Z = ⟨ {…, −2, −1, 0, 1, 2, …}, ×, 1 ⟩
z^k = z × z × … × z (k times)
usually called “power” of order k.
• in groups with an operation denoted (+) instead of (⋅), the writing “kg” replaces “g^k”
• given Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩ which is an abelian group:
kz = z + z + … + z (k times)
i.e., the usual multiple of z by k
GROUP GENERATORS
• given a finite group G, an element g ∈ G is said to be a generator for G, if its “powers” cover all the elements of G:
∀ f ∈ G ∃ k ≥ 0 such that f = g^k
• in practice a generator is a single element from which the whole group can be constructed by iteration
• a group G may admit no generators, a single generator or more generators …
DISCRETE LOGARITHM (DH)
• given a generator element g ∈ G for the group, and whatever element f ∈ G, define:
k = log_g f (discrete log. base g)
the (smallest) integer k ≥ 0 such that f = g^k
• the (smallest) integer k ≥ 0 necessarily exists, since g is a generator element for G
• given a group G, it is relatively simple to compute f = g^k, but it may be very complex to compute k starting from g and f
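Iterated multiplication, the generator test and the discrete logarithm of the last four slides, as an added example that is not from the slides. The group operation is passed in as a function, so the code works for any group; the group it is run on is constructed here (the non-zero residues modulo a prime p under multiplication mod p, with p = 23), since modular reduction is only introduced later in the deck. The function names are the example’s own.

```python
# Added example (not from the slides): iterated multiplication, the generator test
# and the discrete logarithm for an arbitrary group whose operation is passed in.
# Constructed group used to run it: the non-zero residues mod a prime p under
# multiplication mod p (modular rings appear later in the deck).


def iterate(g, k, op, one):
    """g^k = g . g . ... . g (k times), with g^0 = 1, by repeated squaring:
    about 2*log2(k) group operations instead of k."""
    if k < 0:
        raise ValueError("k must be >= 0")
    result, base = one, g
    while k:
        if k & 1:                     # this bit of k is set: multiply it in
            result = op(result, base)
        base = op(base, base)         # base = g^(2^i)
        k >>= 1
    return result


def powers(g, op, one):
    """The distinct powers g^0, g^1, ... of g, in order, until they repeat."""
    seen, x = [], one
    while x not in seen:
        seen.append(x)
        x = op(x, g)
    return seen


def is_generator(g, elements, op, one):
    """g generates G iff its powers cover every element of G."""
    return set(powers(g, op, one)) == set(elements)


def discrete_log(g, f, op, one, order):
    """Smallest k >= 0 with g^k = f, found by stepping through k = 0, 1, 2, ...
    (work proportional to the group order: the 'hard direction')."""
    x = one
    for k in range(order):
        if x == f:
            return k
        x = op(x, g)
    raise ValueError("f is not a power of g")


# Constructed instance: Z_p^* = {1, ..., p-1} under multiplication mod p.
P = 23
ONE = 1
ZP_STAR = list(range(1, P))


def mul_mod_p(a, b):
    return (a * b) % P


def generators_mod_p():
    return [g for g in ZP_STAR if is_generator(g, ZP_STAR, mul_mod_p, ONE)]


if __name__ == "__main__":
    print(generators_mod_p())                              # 10 generators, 5 among them
    f = iterate(5, 7, mul_mod_p, ONE)
    print(f, discrete_log(5, f, mul_mod_p, ONE, P - 1))    # 17 7
```

iterate computes g^k with about 2·log2(k) group operations (squaring the base and multiplying in the set bits of k), while discrete_log can only step through k = 0, 1, 2, …: the two directions already cost differently in this tiny group, and in the groups used in practice that gap is what Diffie-Hellman relies on. The exhaustive search here serves to illustrate the definition and nothing more.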
CONSIDERATIONS
• groups (usually abelian) are an important algebraic structure for cryptography
• normally finite groups are used (examples will come soon)
• the basic operations for cryptographic applications are iteration and discrete logarithm
• however, abelian groups appear also under the form of rings and fields (see next slides)
RINGS AND FIELDS
RINGS – DEFINITION
• a RING R is an algebraic structure: R = ⟨ S, +, ⋅, 0, and usually also 1 ⟩
where:
⟨ S, +, 0 ⟩ is an abelian group w.r.t. (+)
and for every a, b, c ∈ S:
a ⋅ b ∈ S (closure)
a ⋅ (b + c) = (a ⋅ b) + (a ⋅ c) (left distribution)
(b + c) ⋅ a = (b ⋅ a) + (c ⋅ a) (right distribution)
RINGS – DETAILS
• the operator (+) must be commutative
• if the operator (⋅) commutes as well, R is said to be a “commutative ring”
• if (⋅) has its own neutral element 1, R is said to be a “ring with unity”
• if the support set S of R is a finite set, R is said to be a “finite ring”
RINGS – EXAMPLE
• the ring R of relative integer numbers, with ordinary addition and multiplication: Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, ×, 0, 1 ⟩
• R is a commutative ring, since the operator (×) commutes
• and R is said to have “a unity”, since the operation (×) has its own neutral element, 1
• the symbol “Z” is used worldwide for denoting this particular ring
FIELDS – DEFINITION
• a FIELD F is an algebraic structure: F = ⟨ S, +, ⋅, 0, 1 ⟩
where:
⟨ S, +, 0 ⟩ is an abelian group w.r.t. (+)
⟨ S, ⋅, 1 ⟩ is an abelian group w.r.t. (⋅)
and for every a, b, c ∈ S:
a ⋅ (b + c) = (a ⋅ b) + (a ⋅ c) (left distribution)
(b + c) ⋅ a = (b ⋅ a) + (c ⋅ a) (right distribution)
• if the support set S of F is finite, F is said to be a “finite field”
FIELDS – EXAMPLES
• the field Q of rational numbers, with ordinary addition and multiplication: Q = ⟨ {…, p / q, …}, +, ×, 0, 1 ⟩
• Q is an infinite field
• other examples of infinite fields:
real numbers, with addition and multiplication
complex numbers, with addition and multiplication
and many others …
CONSIDERATIONS
• rings and fields are the most popular and used algebraic structures
• in particular, the mathematical theory of fields is well developed, and for finite fields (almost) everything that is of some interest has been investigated and clarified
• and an important part of cryptography actually relies upon finite fields
MODULAR OPERATIONS
PRELIMINARIES
• there are many finite rings, but few finite fields, here:
– modular finite rings
– modular finite fields
– finite extension fields
– in particular, binary finite extension fields
• all these are used in cryptography
MODULAR RINGS
• everybody knows what “integer division” is
• given:
an integer N (dividend, positive, null or negative)
an integer D (divisor, always positive, non-null)
there are two uniquely determined integers Q and R, with R positive or null, such that:
N = Q × D + R and 0 ≤ R < D
Q: quotient, R: remainder
INTEGER DIVISION – EXAMPLES
• N = Q × D + R
• 5 = 2 × 2 + 1   Q = 2, R = 1, 1 < 2
• 9 = 3 × 3 + 0   Q = 3, R = 0, 0 < 3
• 20 = 3 × 6 + 2   Q = 3, R = 2, 2 < 3
• −5 = −3 × 2 + 1   Q = −3, R = 1, 1 < 2
• −8 = −2 × 4 + 0   Q = −2, R = 0, 0 < 4
• −9 = −3 × 4 + 3   Q = −3, R = 3, 3 < 4
COMPUTING mod n
• from the definition and the examples, it is clear that (for n ≥ 1):
if a ≥ 0 then
a mod n = r s.t. a = q × n + r and r < n
else
a mod n = n − r s.t. −a = q × n + r and 0 ≤ r < n
• for instance: r = −4 mod 3 = 2 because −4 = −2 × 3 + 2, but also 4 = 1 × 3 + 1 and hence r = 3 − 1 = 2
THE mod OPERATOR
• one writes (a ∈ Z and n ≥ 1): a mod n = b
to indicate the remainder b ≥ 0 of the (integer) division of a by n
• here the symbol mod indicates a binary operator: mod: Z × N → N
• if n = 1, then a mod n = a (trivial case)
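Integer division with 0 ≤ R < D and the two-branch rule for a mod n from the last four slides, as an added example (not from the slides). trunc_divmod reproduces the truncating division that the C language’s / and % operators perform on a negative dividend; mod and euclid_divmod build the slides’ definition on top of it. The function names are the example’s own.

```python
# Added example (not from the slides): integer division with 0 <= R < D for any
# sign of the dividend, the slide's two-branch rule for a mod n, and the
# truncating division that C's / and % operators use instead.


def trunc_divmod(a, d):
    """Quotient rounded toward zero and remainder with the sign of a (the
    behaviour of / and % in C for a negative dividend)."""
    if d <= 0:
        raise ValueError("divisor must be positive")
    q, r = divmod(abs(a), d)          # both operands non-negative here
    return (-q, -r) if a < 0 else (q, r)


def mod(a, n):
    """a mod n as defined on the slides (n >= 1):
    if a >= 0: the remainder r of a = q*n + r;
    else: n - r where -a = q*n + r, 0 <= r < n (and 0 when r = 0, because the
    slides treat n and 0 as the same residue mod n)."""
    if n < 1:
        raise ValueError("modulus must be >= 1")
    if a >= 0:
        return trunc_divmod(a, n)[1]
    r = trunc_divmod(-a, n)[1]
    return 0 if r == 0 else n - r


def euclid_divmod(N, D):
    """The unique (Q, R) with N = Q*D + R and 0 <= R < D."""
    R = mod(N, D)
    Q = (N - R) // D                   # exact division: N - R is a multiple of D
    return Q, R


def remainder_is_safe_index(a, n):
    """True iff the C-style remainder of a / n can be used as an index 0..n-1."""
    return 0 <= trunc_divmod(a, n)[1] < n


if __name__ == "__main__":
    for N, D in ((5, 2), (9, 3), (20, 6), (-5, 2), (-8, 4), (-9, 4)):
        print(N, D, euclid_divmod(N, D), trunc_divmod(N, D))
```

The difference matters in code: with truncating division −9 / 4 gives Q = −2, R = −1, so an expression such as i % n can yield a negative value that is then used as an index. Python’s % follows the slides’ definition for a positive modulus, which the sweep in the test confirms against mod.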
MODULAR CONGRUENCE
• given a modulus n ≥ 1, two integers a, b ∈ Z are said to be “congruent modulo n”, iff:
a = b mod n ⇔ a mod n = b mod n
i.e., iff the remainder of a divided by n equals the remainder of b divided by n
• the “modular congruence” = mod n has the usual formal properties of equality:
Reflexivity: a = a mod n
Symmetry: a = b mod n ⇔ b = a mod n
Transitivity: a = b mod n and b = c mod n ⇒ a = c mod n
• here mod is a side indication, meaning that equality = is interpreted in the modular way
CONGRUENCE – EXAMPLES
It holds: 4 = 0 mod 2
In fact: 4 mod 2 = 0 = 0 mod 2
It holds: 5 = 1 mod 2
In fact: 5 mod 2 = 1 = 1 mod 2
It holds: 11 = 7 mod 4
In fact: 11 mod 4 = 3 = 7 mod 4
It holds: −13 = 2 mod 5
In fact: −13 mod 5 = 2 = 2 mod 5
It holds: −9 = 5 mod 2
In fact: −9 mod 2 = 1 = 5 mod 2
RESIDUE CLASSES
• given any modulus n ≥ 1, the set A of all the integers a ∈ Z that are congruent mod n has the following form:
A = {b ± k × n | k ∈ Z and 0 ≤ b < n}
• each set A is called a “residue class” (mod n).
• there are exactly n − 1 such classes
• the integer b ∈ A is the “reduced” form of every other element of the class A
• A = { …, −4, −1, 0, 2, 5, … } is the residue class of 5 mod 3; 2 is the “reduced” form
IMPORTANT DETAIL
• it is true that, for any modulus n ≥ 1: n = 0 mod n
• put another way, 0 and n can always be freely exchanged
• more generally: ∀ k, kn = 0 mod n
COMPUTATION mod n
• an algebraic expression over the integers, containing (+) and (×), is said to be computed “mod n” (for n ≥ 1), if the remainder of the integer division of the result by n is taken (instead of the full result)
• for instance: 5 + 3 × 2 − 1 = 2 mod 4
PROPERTIES OF mod
• given n ≥ 1 and any two integers a, b ∈ Z:
(a + b) mod n = ((a mod n) + (b mod n)) mod n
(a − b) mod n = ((a mod n) − (b mod n)) mod n
(a × b) mod n = ((a mod n) × (b mod n)) mod n
• put another way, the operator mod commutes with (+), (−) and (×)
• this is very useful for optimizing expression computations
COMPUTING mod n – EXAMPLE
• it holds: 5 + 3 × 2 − 1 = 2 mod 4
• in fact: 5 + 3 × 2 − 1 = 10 and 10 mod 4 = 2
• but also:
5 mod 4 = 1 and
3 × 2 mod 4 = 2 and
−1 mod 4 = 3 and
(1 + 2 + 3) mod 4 = 6 mod 4 = 2
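Congruence, residue classes and the rule that mod commutes with +, − and ×, from the slides above, as an added example that is not part of the deck. It uses Python’s % as the mod operator (for n > 0 it returns the remainder r with 0 ≤ r < n, matching the definition on the slides), evaluates the slides’ expression 5 + 3 × 2 − 1 mod 4 both in full and term by term, and sweeps a constructed range of inputs to check the three identities. The function names are the example’s own.

```python
# Added example (not from the slides): modular congruence as a relation, residue
# classes mod n, and the rule that mod commutes with +, - and x. Python's a % n
# is used as the mod operator: for n > 0 it returns the remainder r with
# 0 <= r < n, which is the definition given on the slides.


def congruent(a, b, n):
    """a = b (mod n)  iff  a mod n == b mod n."""
    if n < 1:
        raise ValueError("modulus must be >= 1")
    return a % n == b % n


def reduced(a, n):
    """The representative b, 0 <= b < n, of the residue class of a mod n."""
    return a % n


def residue_class(a, n, low, high):
    """The members b + k*n of the class of a that lie in [low, high]."""
    return [x for x in range(low, high + 1) if congruent(x, a, n)]


def classes(n):
    """The distinct residue classes mod n, named by their reduced forms."""
    return sorted({reduced(a, n) for a in range(-3 * n, 3 * n)})


def mod_commutes(n, lo=-40, hi=40):
    """Check (a op b) mod n == ((a mod n) op (b mod n)) mod n for op in +, -, x
    over a constructed range of a and b."""
    for a in range(lo, hi + 1):
        for b in range(lo, hi + 1):
            if (a + b) % n != ((a % n) + (b % n)) % n:
                return False
            if (a - b) % n != ((a % n) - (b % n)) % n:
                return False
            if (a * b) % n != ((a % n) * (b % n)) % n:
                return False
    return True


def slide_expression_mod4():
    """5 + 3 x 2 - 1 mod 4: computed in full, then reducing every term first."""
    full = (5 + 3 * 2 - 1) % 4                         # 10 mod 4 = 2
    termwise = (5 % 4 + (3 * 2) % 4 + (-1) % 4) % 4    # (1 + 2 + 3) mod 4 = 2
    return full, termwise


if __name__ == "__main__":
    print(residue_class(5, 3, -4, 5))    # [-4, -1, 2, 5]
    print(slide_expression_mod4())       # (2, 2)
```

Reducing after every operation is what lets long modular computations run in fixed-width machine words: each intermediate result stays below n, so no full-size integer ever has to be stored.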
MODULAR RINGS
THE MODULAR RING Zn
• given a positive integer n ≥ 1, the following algebraic structure:
Zn = ⟨ {0, 1, 2, …, n − 1}, +, ×, 0, 1 ⟩
is called "modular ring of order n", provided, for every a, b ∈ Zn:
a + b is computed mod n
a × b is computed mod n
• Zn contains exactly n elements
• Z1 contains only 0 (n = 1, trivial case)
MODULAR ADDITION
• suppose for instance n = 6
• modular addition works in Z6 as follows:
1 + 2 = 3 mod 6 = 3 (1 + 2 = 3 mod 6)
3 + 4 = 7 mod 6 = 1 (3 + 4 = 1 mod 6)
5 + 5 = 10 mod 6 = 4 …
4 − 5 = −1 mod 6 = 5 …
0 − 5 = −5 mod 6 = 1 …
OPPOSITE ELEMENT
• suppose for instance n = 10
• opposite elements in Z10 can be found as follows:
−5 = −5 mod 10 = 5 (−5 = 5 mod 10: 5 is its own opposite)
−3 = −3 mod 10 = 7 (−3 = 7 mod 10)
−8 = −8 mod 10 = 2 (−8 = 2 mod 10)
clearly: −a = n − a mod n
• this is coherent with:
a + (−a) = a + (n − a) = a + n − a = n = 0 mod n
MODULAR MULTIPLICATION
• suppose for instance n = 9
• modular multiplication works in Z9 as follows:
1 × 2 = 2 mod 9 = 2 (1 × 2 = 2 mod 9)
3 × 4 = 12 mod 9 = 3 (3 × 4 = 12 mod 9)
5 × 5 = 25 mod 9 = 7 …
4 × 5 = 20 mod 9 = 2 …
0 × 5 = 0 mod 9 = 0 …
MODULAR POWERS
• modular powers:
a^m = a × a × … × a mod n (m ≥ 1 factors)
a^0 = 1 mod n (by definition)
• for instance, given n = 6:
2^2 = 4 mod 6 = 4 (2^2 = 4 mod 6)
2^3 = 8 mod 6 = 2 (2^3 = 2 mod 6)
2^6 = 64 mod 6 = 4 (2^6 = 4 mod 6)
• note: 2^6 = (2^3)^2 = (2)^2 = 4 mod 6
i.e., one can use the normal, well-known properties of exponents
HINTS ON GENERATORS
• consider the ring Z5 and the element 2:
1 × 2 mod 5 = 2 mod 5 = 2
2 × 2 mod 5 = 4 mod 5 = 4
3 × 2 mod 5 = 6 mod 5 = 1
4 × 2 mod 5 = 8 mod 5 = 3
5 × 2 mod 5 = 10 mod 5 = 0
6 × 2 mod 5 = 12 mod 5 = 2 (periodic)
(the multiples of 2 run through the whole of Z5)
• the element 2 is an additive generator for the ring Z5
• theorem: for any ring Zn, any element e ≠ 0 such that (e, n) = 1 is an additive generator
HINTS ON GENERATORS
• consider the ring Z5 and the element 3:
3^1 mod 5 = 3 mod 5 = 3
3^2 mod 5 = 9 mod 5 = 4
3^3 mod 5 = 27 mod 5 = 2
3^4 mod 5 = 81 mod 5 = 1
3^5 mod 5 = 243 mod 5 = 3 (periodic …)
(the powers of 3 run through the whole of Z5 excluding 0)
• the element 3 is a multiplicative generator for the ring Z5
• how to determine the multiplicative generators for a modular ring Zn, of a generic modulus n, is a very complex problem … (such a generator is also called a primitive root mod n; one exists for every prime n, but not for every n)
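As an added example, not part of the original slides, the square-and-multiply computation of modular powers together with the additive and multiplicative cycles of the two "hints on generators" slides: every intermediate product is reduced mod n, which is the "mod commutes with ×" property in action, and the cycle functions decide whether an element generates Zn additively, or generates the invertible elements of Zn multiplicatively. Function names are mine.

```python
from math import gcd


def mod_pow(base: int, exponent: int, n: int) -> int:
    """base**exponent mod n by square-and-multiply.

    Each product is reduced immediately, so no intermediate value exceeds
    n*n: (a*b) mod n = ((a mod n)*(b mod n)) mod n, applied at every step.
    Not constant-time: the branch on each exponent bit leaks the exponent
    through timing, so this is for study, not for secret exponents.
    """
    if n < 1 or exponent < 0:
        raise ValueError("need n >= 1 and exponent >= 0")
    result = 1 % n                 # a**0 = 1 mod n (and 0 in the trivial ring Z_1)
    base %= n
    while exponent:
        if exponent & 1:           # lowest exponent bit set: multiply it in
            result = (result * base) % n
        base = (base * base) % n   # a**(2k) = (a**k)**2, the exponent rule
        exponent >>= 1
    return result


def additive_cycle(e: int, n: int) -> list:
    """Distinct values of 1*e, 2*e, 3*e, ... mod n until the first repetition."""
    seen, cycle, x = set(), [], e % n
    while x not in seen:
        seen.add(x)
        cycle.append(x)
        x = (x + e) % n
    return cycle


def multiplicative_cycle(a: int, n: int) -> list:
    """Distinct values of a**1, a**2, a**3, ... mod n until the first repetition."""
    seen, cycle, x = set(), [], a % n
    while x not in seen:
        seen.add(x)
        cycle.append(x)
        x = (x * a) % n
    return cycle


def is_additive_generator(e: int, n: int) -> bool:
    """True iff the multiples of e cover all of Z_n (theorem: iff gcd(e, n) = 1)."""
    return len(additive_cycle(e, n)) == n


def is_multiplicative_generator(a: int, n: int) -> bool:
    """True iff the powers of a cover every invertible element of Z_n
    (every non-zero element when n is prime); also called a primitive root."""
    units = {x for x in range(1, n) if gcd(x, n) == 1}
    return set(multiplicative_cycle(a, n)) == units
```

Compare `mod_pow(2, 6, 6)` with the slide: the loop computes (2^3)^2 implicitly, squaring 2 to 4, then 4 to 16 mod 6 = 4, and never handles a number larger than 36 even for huge exponents.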
MORE ON MODULAR RINGS
MODULAR COMPUTATION
• frequently, computing the operator mod does not really require to perform a division
• remember in fact that n = 0 mod n
• whenever in an expression to be computed mod n, a term +n (or −n) occurs, delete it (since it is = 0 mod n)
• whenever in an expression to be computed mod n, a factor n occurs, delete the product chain it is contained in (since it is = 0 mod n)
MOD. COMPUT. – EXAMPLES
• one should immediately see that:
(2 + 3) × 4 − 8 × 5 + 16 = 0 mod 4
• in fact (this must become instinctive):
a × 4 = 0 mod 4 (whatever a is)
8 × b = 0 mod 4 (whatever b is)
and 16 = 0 mod 4
• a well-known application:
123456 mod 3 = (1×10^5 + 2×10^4 + 3×10^3 + 4×10^2 + 5×10^1 + 6×10^0) mod 3 = (1 + 2 + 3 + 4 + 5 + 6) mod 3 = 21 mod 3 = 0 ⇒ 123456 = 0 mod 3
since 10^x = 1 mod 3 for every x ≥ 0
• it is the well-known rule for checking the divisibility by 3 of decimal integer numbers
MOD. COMPUT. – PROBLEM …
• what is the check rule of divisibility by 3 for binary natural numbers ?
• that is, given:
B = 10010100101011000101010
how do I quickly check whether the binary number B is divisible by 3 ?
• I might first convert B to decimal, but …
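The digit-sum rule of the previous slide and the answer to this one, as an added example that is not part of the original slides: since mod commutes with + and ×, the residue of a number written in any base is the sum of its digits weighted by the base powers reduced mod n. For base 10 and n = 3 every weight is 1 (digit sum); for base 2 and n = 3 the weights alternate 1, 2, 1, 2, … because 2 = −1 mod 3, so the rule is "bits in even positions minus bits in odd positions, mod 3". The constant B is the slide's number; function names are mine.

```python
def weighted_digit_residue(digits: str, base: int, n: int) -> int:
    """Residue mod n of the number written as `digits` (most significant first) in `base`.

    value = sum(d_i * base**i); because mod commutes with + and x,
    value mod n = sum(d_i * (base**i mod n)) mod n.  The weights base**i mod n
    stay below n, so neither the full value nor a division by n is ever needed.
    """
    if not 2 <= base <= 36 or n < 1:
        raise ValueError("need 2 <= base <= 36 and n >= 1")
    residue, weight = 0, 1 % n              # weight = base**i mod n, i = 0 first
    for ch in reversed(digits):             # least significant digit first
        d = int(ch, 36)
        if d >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        residue = (residue + d * weight) % n
        weight = (weight * base) % n        # next power of the base, already reduced
    return residue


def mod3_of_decimal(digits: str) -> int:
    """Decimal rule: 10**i = 1 mod 3, so the residue is the digit sum mod 3."""
    return sum(int(ch) for ch in digits) % 3


def mod3_of_binary(bits: str) -> int:
    """Binary rule: 2 = -1 mod 3, hence 2**i = (-1)**i mod 3, so
    B mod 3 = (bits in even positions - bits in odd positions) mod 3,
    positions counted from the least significant bit."""
    lsb_first = bits[::-1]
    even = sum(int(b) for b in lsb_first[0::2])
    odd = sum(int(b) for b in lsb_first[1::2])
    return (even - odd) % 3


# the binary number of the slide: residue 1, so it is NOT divisible by 3
B = "10010100101011000101010"
```

The general function reproduces both special rules (and the hexadecimal rule "a number is divisible by 17 iff …" for any other base/modulus pair) without ever converting to decimal.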
MODULAR REDUCTION
• given any modulus n ≥ 1 and any integer a (typically a ≥ n, or a < 0), the task of finding the integer 0 ≤ b < n such that a = b mod n is called "reduction"
• for instance, taken n = 7 and a = 20:
b = a mod n = 20 mod 7 = 6 ⇒ 20 = 6 mod 7
• it is said that 6 is the "reduced" form of 20, modulus 7 (as already seen before)
• actually reduction is nothing but another name for taking the result of "a mod n"
GREATEST COMMON DIVISOR
• given any two integers a, b ∈ Z (not both 0), their greatest common divisor, g.c.d., usually denoted (a, b) = d, is the largest positive integer d (i.e., d ≥ 1) dividing exactly (remainder 0) both a and b
• for instance:
(2, 3) = 1, (12, 8) = 4, (−30, 12) = 6, (−2, −5) = 1 (not −1 !)
• two integers a, b ∈ Z are said to be co-prime (or relatively prime), i.e., they share no common integer factor ≥ 2, if and only if (a, b) = 1
• for finding the g.c.d. efficiently: Euclid's algorithm
ABOUT THE INVERSION IN Zn
• given a ∈ Zn (n ≥ 2), when is it possible to find b ∈ Zn, such that:
a × b = 1 mod n
(b is the multiplicative inverse of a) ?
• theorem: the multiplicative inverse b of a exists (and is unique) if and only if (a, n) = 1, i.e., if a and n are co-prime (they share no common integer factor ≥ 2)
INVERSION IN Zn – EXAMPLE
• let n = 6, i.e., work in Z6:
2^−1 mod 6 does not exist, (2, 6) = 2
3^−1 mod 6 does not exist, (3, 6) = 3
4^−1 mod 6 does not exist, (4, 6) = 2
5^−1 mod 6 exists, (5, 6) = 1, and is 5, since 5 × 5 = 25 = 1 mod 6
• clearly, if n is a prime integer, any positive integer a < n is co-prime with n, hence …
LINEAR EQUATIONS IN Zn
• take the modular equation:
a × y = b mod n
where a, b ∈ Zn are fixed coefficients, and y ∈ Zn is the unknown variable to be found
• theorem: there exists a unique solution if and only if a, n are co-prime
i.e. iff a, n share no common factor ≥ 2
i.e. iff (a, n) = 1
• how to find the solution in some cases, later
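Euclid's algorithm, extended to return the Bézout coefficients s, t with s × a + t × n = (a, n), gives the inverse of a in Zn whenever (a, n) = 1 and thereby solves a × y = b mod n. The code below is an added example, not part of the original slides; it also goes beyond the slide's theorem and handles (a, n) = d > 1, where the equation has d solutions when d divides b and none otherwise. Function names are mine.

```python
def ext_gcd(a: int, b: int):
    """Extended Euclid: return (d, s, t) with d = gcd(a, b) >= 0 and s*a + t*b = d.

    Works for negative inputs too; (-2, -5) gives d = 1, never -1.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r       # the usual remainder sequence
        old_s, s = s, old_s - q * s       # keep old_r = old_s*a + old_t*b
        old_t, t = t, old_t - q * t
    if old_r < 0:                         # normalise the sign so that d >= 1
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def gcd(a: int, b: int) -> int:
    return ext_gcd(a, b)[0]


def mod_inverse(a: int, n: int):
    """Multiplicative inverse of a in Z_n, or None when (a, n) != 1."""
    d, s, _ = ext_gcd(a % n, n)
    if d != 1:
        return None
    return s % n                          # s*a + t*n = 1  =>  s*a = 1 mod n


def solve_linear(a: int, b: int, n: int) -> list:
    """All y in Z_n with a*y = b mod n, in increasing order.

    Unique when (a, n) = 1.  Otherwise, with d = (a, n): d solutions if d | b
    (solve (a/d)*y = b/d mod n/d and lift), no solution if d does not divide b.
    """
    a, b = a % n, b % n
    d, s, _ = ext_gcd(a, n)
    if b % d != 0:
        return []
    n_red = n // d
    y0 = (s * (b // d)) % n_red           # s is the inverse of a/d mod n/d
    return sorted((y0 + k * n_red) % n for k in range(d))
```

`mod_inverse` reproduces the Z6 table of the inversion example (2, 3, 4 have no inverse, 5 is its own inverse), and `solve_linear(4, 2, 6)` shows why the theorem asks for co-primality: 4 × y = 2 mod 6 has the two solutions 2 and 5, while 2 × y = 3 mod 6 has none.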
FERMAT "LITTLE" THEOREM
• theorem: take any prime integer p ≥ 2, and any integer a ≥ 0, then:
a^p = a mod p
(P. Fermat)
• for instance, taken p = 3 (prime):
2^3 = 8 = 2 mod 3
3^3 = 27 = 0 = 3 mod 3
4^3 = 64 = 1 = 4 mod 3
CONSEQUENCES
• if p ≥ 2 is a prime integer:
since: a^p = a mod p
it follows: a^(p−1) = 1 mod p
(with the condition that a ≠ 0 mod p)
• for instance, taken p = 5 (prime):
2^4 = 16 = 1 mod 5
3^4 = 81 = 1 mod 5
4^4 = 256 = 1 mod 5
…
SOLVING LIN. EQ.S IN Zp
• linear equations of the form:
a × y = b mod p (p ≥ 2 prime)
a, b ∈ Zp coeff.s and y ∈ Zp variable, admit the following (unique, mod p) solution:
y = a^−1 × b = a^(p−2) × b mod p
(by Fermat) since, being p prime, (a, p) = 1
• caution: be sure that a mod p ≠ 0 !
• the same can be instanced for systems of linear equations (see later) …
MODULAR FIELDS
MODULAR FIELDS
• we have seen that Zn (for any n ≥ 2) is a modular (finite) ring of n elements
• to be a (finite) field, Zn only lacks the inverse elements for multiplication, i.e. the possibility to invert all its elements (but 0)
• that is, given any a ∈ Zn, how do I find a' ∈ Zn such that a × a' = 1 (of course, mod n) ?
• is it possible to find such an a' for any integer a < n and any value of n ?
MODULAR FIELDS
• we know that, given any positive a < n, there exists a positive integer a' such that a × a' = 1, if and only if a, n are co-prime
• clearly, if n is a prime integer, every positive integer a < n will be co-prime with n
• conversely, if n is not a prime integer, there must exist some a < n that is not co-prime with n
• theorem: all elements of Zn (but 0) are invertible if and only if n is a prime integer
• pay attention: if n is not a prime integer, a few elements of Zn may be invertible, but not all of them
MODULAR INVERSION
• given any prime integer p ≥ 2 (Fermat):
a^p = a mod p
a^(p−1) = 1 mod p
(with the condition that a ≠ 0 mod p)
• let us go on with the idea …
a^(p−2) = a^−1 mod p
(still with the condition that a ≠ 0 mod p)
• that is, a^(p−2) behaves as the multiplicative inverse element of a (if p is prime !)
INVERSION – EXAMPLES
• for instance, taken p = 5 (prime), and knowing that p − 2 = 3, one has:
1^3 = 1 mod 5 and 1 × 1 = 1 mod 5
2^3 = 3 mod 5 and 2 × 3 = 1 mod 5
3^3 = 2 mod 5 and 3 × 2 = 1 mod 5
4^3 = 4 mod 5 and 4 × 4 = 1 mod 5
5^3 = 0 mod 5 no inverse (since 5 = 0 mod 5)
6^3 = 1 mod 5 and 6 × 1 = 1 mod 5
… (the behaviour is periodic)
INVERSION – THAT IS …
• taken p = 5 (prime) one has:
1^−1 = 1 mod 5
2^−1 = 3 mod 5
3^−1 = 2 mod 5
4^−1 = 4 mod 5
while 0 has no inverse, of course …
• note that for each element of Z5 we have found an inverse (but for 0)
MODULAR FIELD Fp (or GF(p))
• every (finite) modular ring Zn, such that n ≥ 2 is a prime integer, can be turned into a (finite) field
• simply add inversion to it, and compute the inverse using Fermat's little theorem
• such a field is denoted Fp (or also Galois Field of order p, GF(p))
• a different field for every prime p
MODULAR FIELD Fp (or GF(p))
• given a prime integer p ≥ 2:
Fp = ⟨ {0, 1, 2, …, p − 1}, +, ×, 0, 1 ⟩
is called "modular (Galois) field of order p", or GF(p), provided, for every element a, b ∈ Fp:
a + b is computed mod p
a × b is computed mod p
−a = p − a so that a + (−a) = p = 0 mod p
a^−1 = a^(p−2) (for a ≠ 0) so that a × a^−1 = a × a^(p−2) = a^(p−1) = 1 mod p
• Fp is finite and contains exactly p elements
LINEAR EQUATIONS IN Fp
• given a prime integer p ≥ 2, take the modular linear equation:
a × y = b mod p
where a, b ∈ Fp are fixed coefficients (a ≠ 0), and y ∈ Fp is the unknown variable to be found:
• the unique solution (mod p) is:
y = a^−1 × b mod p
• for instance, given p = 7 (prime):
5 × y = 3 mod 7 ⇒ y = 5^−1 × 3 = 5^5 × 3 = 3125 × 3 = 9375 = 2 mod 7
and actually 5 × 2 = 10 = 3 mod 7
LINEAR SYSTEMS IN Fp
• given a prime integer p ≥ 2, take the system of modular linear equations:
A × Y = B mod p
where:
A ∈ [Fp]^(m×m) is a square matrix of order m ≥ 2 of fixed coefficients in Fp
B ∈ [Fp]^m is a vector of order m ≥ 2 of constant terms in Fp
and Y ∈ [Fp]^m is the vector of the unknown variables to be found in Fp
LINEAR SYSTEMS IN Fp
• the above system of linear equations admits a unique solution (mod p) iff det(A) ≠ 0 mod p
• in this case (det(A) ≠ 0 mod p), the solution is:
Y = A^−1 B mod p
• the determinant det(A), the matrix inverse A^−1 and the matrix-vector product A^−1 B are computed as usual, remembering to take all the operations mod p over their entries (in particular, every division becomes a multiplication by an inverse mod p)
THE BINARY FIELD
THE BINARY FIELD F2 (or GF(2))
• when p = 2 (the smallest prime):
F2 = ⟨ {0, 1}, +, ×, 0, 1 ⟩
• this is a well-known structure, since:
addition (XOR gate): 0 + 0 = 0, 0 + 1 = 1, 1 + 0 = 1, 1 + 1 = 2 = 0
multiplication (AND gate): 0 × 0 = 0, 0 × 1 = 0, 1 × 0 = 0, 1 × 1 = 1
opposite (the identity): −0 = 2 − 0 = 2 = 0, −1 = 2 − 1 = 1
inverse (the identity): 1^−1 = 1
THE BINARY FIELD F2 (or GF(2))
• in F2 addition and subtraction coincide!
• observe in fact:
0 + 0 = 0 and 0 − 0 = 0 + (−0) = 0 + 0 = 0
0 + 1 = 1 and 0 − 1 = 0 + (−1) = 0 + 1 = 1
1 + 0 = 1 and 1 − 0 = 1 + (−0) = 1 + 0 = 1
1 + 1 = 0 and 1 − 1 = 1 + (−1) = 1 + 1 = 0
(addition: XOR gate; subtraction: still the XOR gate)
• do not extend this feature to p > 2 !
THE BINARY FIELD F2 (or GF(2))
• the field F2 (or GF(2)) is also called the "binary field" and is the simplest
• its hardware counterparts are the XOR and AND gates
• it is the natural field in which to compute arithmetic in hardware (most arithmetic circuits are formed by XOR and AND gates only)
POLYNOMIALS
POLYNOMIALS
• everybody knows univariate polynomials (i.e., containing a single variable x) with integer coefficients:
C(x) = c_m x^m + c_(m−1) x^(m−1) + … + c_1 x + c_0
where c_i ∈ Z, for every 0 ≤ i ≤ m
• the integer m ≥ 0 is the degree of C(x) (when c_m ≠ 0)
• here, we are interested in polynomials not as functions of the variable x, but as objects that can be manipulated in various ways
POLYNOMIALS
• the set of all the polynomials (of any degree) with integer coefficients is denoted Z[x]
• polynomials in Z[x] can be added, subtracted and multiplied. They form a commutative ring with unity (the ring Z[x] is infinite):
Z[x] = ⟨ Z[x], +, ×, 0, 1 ⟩
• in general however, there is no multiplicative inverse element, i.e. given a polynomial P(x) ∈ Z[x] it is not possible to find P'(x) ∈ Z[x] such that P(x) × P'(x) = 1
POLYNOMIAL DIVISION
• given any two polynomials P(x), D(x) ∈ Z[x], with D(x) ≠ 0, there exist two unique polynomials Q(x), R(x) ∈ Q[x] (with rational coeff.s), such that:
P(x) = Q(x) × D(x) + R(x)
degree(R(x)) < degree(D(x))
• Q(x) is the quotient, R(x) is the remainder
• this property resembles integer division
• but note that Q(x), R(x) have rational coeff.'s, i.e., in general the coeff.s are not integer
• the algorithm for finding Q(x) and R(x) is the well-known long division
EXAMPLE OF DIVISION IN Z[x]
• take x^4 + 2x^3 − 1, x^2 + 3 ∈ Z[x]; write the dividend with all its coefficients: 1x^4 + 2x^3 + 0x^2 + 0x − 1
step 1: quotient term +1x^2; subtract 1x^2 × (x^2 + 3) = x^4 + 3x^2, leaving 2x^3 − 3x^2 + 0x − 1
step 2: quotient term +2x; subtract 2x × (x^2 + 3) = 2x^3 + 6x, leaving −3x^2 − 6x − 1
step 3: quotient term −3; subtract −3 × (x^2 + 3) = −3x^2 − 9, leaving −6x + 8 (degree < 2: end)
quotient: x^2 + 2x − 3; remainder: −6x + 8
• in this special case, no need of rational numbers (because the most significant coefficient of the divisor x^2 + 3 is 1 !)
• verify: (x^2 + 2x − 3)(x^2 + 3) + (−6x + 8) = x^4 + 3x^2 + 2x^3 + 6x − 3x^2 − 9 − 6x + 8 = x^4 + 2x^3 − 1, as it is expected to be
POLYNOMIALS OVER MODULAR RINGS AND FIELDS
POLYNOMIALS OVER RINGS
• restrict the set of the coeff.'s of polynomials to the modular ring Zn (for a fixed n ≥ 2)
• such polynomials can be added, subtracted and multiplied mod n, in the obvious way:
Zn[x] = ⟨ Zn[x], + mod n, × mod n, 0, 1 ⟩
• but in general, it is not possible to find multiplicative inverse elements
• the structure Zn[x] is still an infinite commutative ring with unity, as is Z[x]
• sample additions and multiplications …
POLYNOMIALS OVER FIELDS
• restrict the set of the coeff.'s of polynomials to the finite field Fp (for a fixed prime p ≥ 2)
• such polynomials can be added, subtracted and multiplied mod p, in the obvious way:
Fp[x] = ⟨ Fp[x], + mod p, × mod p, 0, 1 ⟩
• but in general, it is not possible to find multiplicative inverse elements
• the structure Fp[x] is still an infinite commutative ring with unity, as are Z[x], Zn[x]
POLYNOMIAL DIVISION IN Fp[x]
• given any two polynomials P(x), D(x) ∈ Fp[x], with D(x) ≠ 0, there exist two unique polynomials Q(x), R(x) ∈ Fp[x], such that:
P(x) = Q(x) × D(x) + R(x)
degree(R(x)) < degree(D(x))
• Q(x) is the quotient, R(x) is the remainder
• this property resembles integer division
• note that Q(x), R(x) have coeff.'s in Fp ! (no rational numbers are needed: the leading coefficient of D(x) is inverted mod p)
• the algorithm for finding Q(x), R(x) is well-known (same as for the polynomials in Z[x])
EXAMPLE OF DIVISION IN F3[x]
• take x^4 + 2x^3 + 1, 2x^2 + 1 ∈ F3[x]; write the dividend with all its coefficients: 1x^4 + 2x^3 + 0x^2 + 0x + 1
step 1: quotient term 2x^2 (1 × 2^−1 = 2); subtract 2x^2 × (2x^2 + 1) = 4x^4 + 2x^2 = x^4 + 2x^2, leaving 2x^3 + 1x^2 + 0x + 1
step 2: quotient term 1x (2 × 2^−1 = 4 = 1); subtract x × (2x^2 + 1) = 2x^3 + x, leaving 1x^2 + 2x + 1
step 3: quotient term 2 (1 × 2^−1 = 2); subtract 2 × (2x^2 + 1) = 4x^2 + 2 = x^2 + 2, leaving 2x + 2 (degree < 2: end)
quotient: 2x^2 + x + 2; remainder: 2x + 2
• pay attention to: −1 = 2, −2 = 1, 2^−1 = 2 mod 3
• verify (remember also that: 4 = 1, 6 = 0, 3 = 0 mod 3):
(2x^2 + x + 2)(2x^2 + 1) + (2x + 2) = 4x^4 + 2x^2 + 2x^3 + x + 4x^2 + 2 + 2x + 2 = 4x^4 + 2x^3 + 6x^2 + 3x + 4 = x^4 + 2x^3 + 0x^2 + 0x + 1 = x^4 + 2x^3 + 1 mod 3
POLYNOMIAL MOD. CONGRUENCE
• given any polynomials P(x), D(x) (∈ Z[x] or Zn[x] or Fp[x]), with D(x) ≠ 0, write:
P(x) mod D(x) = R(x)
with R(x) the remainder of P(x) / D(x)
(in Zn[x] the division requires the leading coefficient of D(x) to be invertible mod n)
• modulus D(x) congruence:
P(x) = Q(x) mod D(x) ⇔ P(x) mod D(x) = Q(x) mod D(x)
PROPERTIES OF POLY–MOD. CONGRUENCE
• the operator "mod" commutes:
(P(x) + Q(x)) mod D(x) = ((P(x) mod D(x)) + (Q(x) mod D(x))) mod D(x)
the same holds for subtraction
(P(x) × Q(x)) mod D(x) = ((P(x) mod D(x)) × (Q(x) mod D(x))) mod D(x)
• same properties as mod n
• modular reduction by a polynomial D(x) is defined as for modular reduction by an integer n
Page 99
POLYNOMIAL MODULAR COMPUTATION, IN PARTICULAR …
• taking mod D(x) is equivalent to assuming that D(x) = 0 (remember n = 0 mod n !)
• for instance (in Z[x]), see immediately that:
  x^3 + 2x + 5 = 2x + 7 mod (x^3 − 2)
  because: x^3 − 2 = 0 ⇒ x^3 = 2
  and: x^3 + 2x + 5 = 2 + 2x + 5 = 2x + 7
• verify by dividing: (x^3 + 2x + 5) mod (x^3 − 2) ! (indeed x^3 + 2x + 5 = 1 · (x^3 − 2) + (2x + 7), and 2x + 7 has degree lower than x^3 − 2)
Page 100
POLYNOMIALS OVER THE BINARY FIELD F2 (GF(2))
Page 101
POLYNOMIALS OVER F2 (GF(2))
• when the field of the coefficients is F2 (or GF(2)), things become very simple
• a coefficient is either 0 or 1 (i.e., a bit)
• a power x^i is either present (coefficient 1, usually not written) or absent (coefficient 0)
• a polynomial in F2[x] is nothing but a list of powers of x
Page 102
EXAMPLES OF OPERATIONS IN F2[x]
• let A(x), B(x) ∈ F2[x]: A(x) = x^2 + x + 1 and B(x) = x^3 + x
• then:
  A(x) + B(x) = (x^2 + x + 1) + (x^3 + x) = x^3 + x^2 + x + x + 1 = x^3 + x^2 + (1 + 1)x + 1 =
  = x^3 + x^2 + 0x + 1 = x^3 + x^2 + 1
  A(x) B(x) = (x^2 + x + 1)(x^3 + x) = x^5 + x^4 + x^3 + x^3 + x^2 + x = x^5 + x^4 + x^2 + x
• pay attention to: 1 + 1 = 0 !
• in general: 1 + 1 + … + 1 (an even number of times) = 0 !
Page 103
EXAMPLES OF OPERATIONS IN F2[x]
• sometimes peculiarities may occur:
  (x + 1)^2 = (x + 1)(x + 1) = x^2 + x + x + 1 = x^2 + 1 (different from ordinary algebra)
  (x + 1)^3 = (x + 1)(x + 1)(x + 1) = x^3 + x^2 + x^2 + x^2 + x + x + x + 1 = x^3 + x^2 + x + 1 (different from ordinary algebra)
• can you infer the general rule ? (hint: the binomial coefficients are taken mod 2, so squaring is additive, (A + B)^2 = A^2 + B^2, and (x + 1)^(2^k) = x^(2^k) + 1; for (x + 1)^3 the coefficients 1, 3, 3, 1 are all odd, so every term survives)
Page 104
POLYNOMIAL DIVISION IN F2[x]
• take x^4 + x^3 + 1, x^2 + 1 ∈ F2[x]

    x^4 + x^3 + 0x^2 + 0x + 1   : x^2 + 1 = x^2 + x + 1
  - (x^4       +  x^2)                    [x^2 · (x^2 + 1)]
          x^3 +  x^2 + 0x + 1
  -      (x^3       +  x)                 [x · (x^2 + 1)]
                 x^2 +  x + 1
  -             (x^2      + 1)            [1 · (x^2 + 1)]
                        x                 remainder

• quotient = x^2 + x + 1, remainder = x
• pay attention to: −1 = 1 mod 2, i.e. addition and subtraction coincide (each "−" row above is simply a bitwise XOR of the coefficients)
• verify: (x^2 + x + 1)(x^2 + 1) + x = x^4 + x^2 + x^3 + x + x^2 + 1 + x = x^4 + x^3 + 1 mod 2, as it is expected to be
• hence we can write: (x^4 + x^3 + 1) = x mod (x^2 + 1)
Page 105
POLYNOMIAL REDUCTION IN F2[x]
• computing the remainder of F(x) divided by G(x) amounts to setting G(x) = 0 and substituting in F(x)
• from the previous slide: G(x) = x^2 + 1, hence G(x) = 0 ⇒ x^2 + 1 = 0 ⇒ x^2 = 1
• substituting in F(x) = x^4 + x^3 + 1 yields:
  x^4 + x^3 + 1 = (x^2)^2 + x · x^2 + 1 = 1^2 + x · 1 + 1 = 1 + x + 1 = x
• hence we have: (x^4 + x^3 + 1) = x mod (x^2 + 1), as seen before by performing a full division
• but reduction DOES NOT REALLY REQUIRE TO COMPUTE A FULL DIVISION (since we are not interested in the quotient, but only in the remainder)
Page 106
POLYNOMIALS OVER F2
• a polynomial in F2[x] can be identified with a string of bits
• for instance: x^5 + x^4 + x^2 + 1 ≡ 110101 (degree 5 ≡ 6 bits)
• in general: F(x) ≡ string of n + 1 bits (supposing F(x) is of degree n)
• for any degree n, how many different polynomials of degree at most n ? answer: 2^(n + 1), one per string of n + 1 bits (exactly 2^n of them have degree exactly n, since their leading bit must be 1)
Page 107
IRREDUCIBLE POLYNOMIALS
Page 108
IRREDUCIBLE POLYNOMIALS
• a polynomial of degree m ≥ 2 is said to be irreducible if it cannot be factored into two or more polynomials of lower degree
• A(x) is irreducible if there do not exist any two polynomials B(x), C(x) (not reducing to pure constant terms) such that A(x) = B(x) C(x)
• for every degree, there exist irreducible polynomials in Z[x] and in Fp[x], for any prime integer p (in Zn[x] with n composite the notion is more delicate, since Zn is not a field and factorizations are not unique; the fields built in the following use Fp[x])
Page 109
IRREDUCIBLE POLYNOMIALS
• x and x + 1 are irreducible by definition (they have degree 1)
• is x^2 + x irreducible ? no, because x^2 + x = x (x + 1)
• is x^2 + 1 irreducible ? no, because x^2 + 1 = (x + 1)(x + 1) in F2[x]
• is x^2 + x + 1 irreducible ? yes, but why ?
Page 110
RUFFINI RULE
• a polynomial F(x) admits the linear factor (x − a) iff a is a root of F(x), i.e. F(a) = 0
• for the polynomials over F2 (or GF(2)):
  F(x) admits the factor (x − 1), which coincides with (x + 1), iff 1 is a root of F(x)
  hence, replace x in F(x) with 1 and see if F(1) = 0; if so, F(x) = F'(x) (x + 1)
  in practice, just count the terms of F(x): F(1) is the number of terms taken mod 2, so (x + 1) divides F(x) iff F(x) has an even number of terms
Page 111
USE OF RUFFINI RULE
• Ruffini rule gives an easy way for checking whether a polynomial F(x) ∈ F2[x] admits the linear factor (x + 1)
• does (x^2 + x + 1) admit the factor (x + 1) ? no, since it has 3 terms (and 3 is odd)
• does moreover (x^2 + x + 1) admit the factor x ? no, since it contains the constant term +1
• since the only linear factors in F2[x] are (x + 1) and x, and an F(x) of degree 2 (or 3) can only be split with at least one linear factor, (x^2 + x + 1) is irreducible
• of course, Ruffini rule works also in Fp[x]: test the p candidate roots 0, 1, …, p − 1 (but from degree 4 on the absence of roots is no longer sufficient: x^4 + x^2 + 1 = (x^2 + x + 1)^2 in F2[x] has no root and is nevertheless reducible)
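A small F2[x] toolkit, added here as a worked example (it is not code from the slides): it uses the bit-string encoding of polynomials over F2 described above, implements the long division and the reduction of the division examples, the two Ruffini checks (factor x, factor x + 1) and a trial-division irreducibility test that also covers the degree ≥ 4 case where the root test alone is not enough. The function names are this example's own.

```python
# Polynomials over F2 as Python ints: bit i of the int is the coefficient of x^i,
# so x^5 + x^4 + x^2 + 1 is 0b110101 = 53, the bit-string encoding of the slides.
# Added example; names are this example's own, not the slides'.

def deg(a: int) -> int:
    """Degree of the polynomial a (the zero polynomial gets -1)."""
    return a.bit_length() - 1

def add(a: int, b: int) -> int:
    """In F2[x] addition is coefficient-wise XOR (1 + 1 = 0); subtraction is the same operation."""
    return a ^ b

def mul(a: int, b: int) -> int:
    """Carry-less schoolbook product in F2[x] (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def divmod_poly(a: int, g: int) -> tuple:
    """Long division a = q*g + r with deg(r) < deg(g); one loop iteration per row of the tableau."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, dg = 0, a, deg(g)
    while deg(r) >= dg:
        shift = deg(r) - dg        # leading term of r divided by leading term of g
        q ^= 1 << shift
        r ^= g << shift            # "subtract" the shifted divisor: an XOR in F2[x]
    return q, r

def mod_poly(a: int, g: int) -> int:
    """a mod g: the remainder only, which is all a field computation needs."""
    return divmod_poly(a, g)[1]

def has_factor_x(f: int) -> bool:
    """Ruffini rule for the factor x: F(0) = 0 iff the constant term is absent."""
    return f & 1 == 0

def has_factor_x_plus_1(f: int) -> bool:
    """Ruffini rule for x + 1: F(1) is the number of terms mod 2, so the factor is present iff the count is even."""
    return bin(f).count("1") % 2 == 0

def is_irreducible(f: int) -> bool:
    """Trial division by every polynomial of degree up to deg(f)//2 (fine for the small degrees used here)."""
    d = deg(f)
    if d < 1:
        return False
    if d == 1:
        return True
    if has_factor_x(f) or has_factor_x_plus_1(f):    # cheap Ruffini pre-check; decides degrees 2 and 3 completely
        return False
    for g in range(0b100, 1 << (d // 2 + 1)):        # all polynomials of degree 2 .. d//2
        if mod_poly(f, g) == 0:
            return False
    return True

def irreducibles_of_degree(d: int) -> list:
    """All irreducible polynomials of degree d over F2 (each one gives a representation of GF(2^d))."""
    return [f for f in range(1 << d, 1 << (d + 1)) if is_irreducible(f)]

def to_str(a: int) -> str:
    """Render an int as a polynomial, e.g. 0b10011 -> 'x^4 + x + 1'."""
    if a == 0:
        return "0"
    names = {0: "1", 1: "x"}
    return " + ".join(names.get(i, f"x^{i}") for i in range(deg(a), -1, -1) if a >> i & 1)

if __name__ == "__main__":
    q, r = divmod_poly(0b11001, 0b101)           # (x^4 + x^3 + 1) / (x^2 + 1)
    print("quotient:", to_str(q), " remainder:", to_str(r))
    for f in (0b110, 0b101, 0b111, 0b11001, 0b10101):
        print(to_str(f), "is", "irreducible" if is_irreducible(f) else "reducible")
    print("degree-3 irreducibles:", [to_str(f) for f in irreducibles_of_degree(3)])
```

For cryptographic sizes (degree in the hundreds) trial division is hopeless; implementations use Rabin's irreducibility test instead, but the bit-string encoding and the XOR-based division are exactly what hardware and constant-time software multipliers build on.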
Page 112
BINARY EXTENSION FIELDS
Page 113
MOVING TOWARDS FIELDS
• remember that F2[x] is not a field but a ring (there are no multiplicative inverse elements, in general: no polynomial times x gives 1)
• how to make it into a field of polynomials ?
• the answer is contained in irreducible polynomials
Page 114
THE EXTENSION FIELD GF(2^n)
• select an irreducible polynomial G(x) ∈ F2[x] of degree n
• G(x) is called "generator polynomial" (elsewhere also "reduction polynomial" or "field polynomial")
• the extension field GF(2^n) (for n ≥ 2) is:
  GF(2^n) = ⟨ F2[x]_n, +, ×, 0, 1 ⟩
  where:
  F2[x]_n (notation of these slides) is the set of all the polynomials over F2 of degree under n
  +, × are the polynomial addition and multiplication modulo the selected (and fixed) polynomial G(x)
• G(x) is the "generator polynomial" of GF(2^n)
Page 115
THE EXTENSION FIELD GF(2^n)
• fixed a generator G(x) of degree n, take A(x), B(x) ∈ GF(2^n), and compute addition and multiplication as follows:
  (A(x) + B(x)) mod G(x)   (and similarly for subtraction, which over F2 is the same operation)
  (A(x) × B(x)) mod G(x)
• always take the result mod G(x) (a sum of two polynomials of degree under n already has degree under n, so in practice the reduction is only needed after a multiplication)
Page 116
EXAMPLE IN GF(2^2)
• the elements of GF(2^n) with n = 2 (i.e. GF(2^2)) are all the polynomials in F2[x] of degree under n = 2, i.e. of degree 0 or 1:
  0, 1          degree 0
  x, x + 1      degree 1
• then GF(2^2) contains 2^2 = 4 elements
• this is, in some sense, the simplest possible field of polynomials
Page 117
EXAMPLE IN GF(2^2)
• fix the generator polynomial G(x) = x^2 + x + 1 (degree n = 2, irreducible):
  (x + 1) + x = 1 mod G(x)
  (x + 1)^2 = x^2 + 1 = x + 1 + 1 = x mod G(x)
• remember in fact that taking mod G(x) is equivalent to setting G(x) = 0, hence:
  x^2 + x + 1 = 0 ⇔ x^2 = x + 1
  and replacing x^2 in x^2 + 1 yields x
Page 118
EXAMPLE IN GF(2^3)
• the elements of GF(2^3) are all the polynomials in F2[x] of degree under n = 3, i.e. of degree 0, 1 or 2:
  0, 1                                   degree 0
  x, x + 1                               degree 1
  x^2, x^2 + 1, x^2 + x, x^2 + x + 1     degree 2
• then GF(2^3) contains 2^3 = 8 elements
• in general, GF(2^n) contains 2^n elements
Page 119
EXAMPLE IN GF(2^3)
• fix the generator G(x) = x^3 + x^2 + 1 (degree n = 3, irreducible)
• it holds: x^3 + x^2 + 1 = 0, i.e., x^3 = x^2 + 1
  (x + 1)^3 = x^3 + x^2 + x + 1 = x^2 + 1 + x^2 + x + 1 = x mod G(x)
  (x^2 + 1)(x^2 + x + 1) = x^4 + x^3 + x^2 + x^2 + x + 1 = x^4 + x^3 + x + 1 =
  = x · x^3 + x^3 + x + 1 = x (x^2 + 1) + x^2 + 1 + x + 1 = x^3 + x + x^2 + x = x^3 + x^2 =
  = x^2 + 1 + x^2 = 1 mod G(x)
• note that: x^2 + x + 1 = (x^2 + 1)^-1 mod G(x)
Page 120
FINITENESS OF GF(2^n)
• the elements of GF(2^n) (with n ≥ 2) are all the polynomials of F2[x] of degree under n (i.e. of degree n − 1, n − 2, …, 1, 0)
• then they can be identified with the strings of bits of length exactly n
• there are 2^n such strings
• the field GF(2^n) is finite and its cardinality is 2^n elements (which are polynomials)
Page 121
HOW TO FIND THE INVERSE
• we have not yet spoken of multiplicative inverse elements in GF(2^n)
• but it is necessary to have inverse elements for GF(2^n) to be a field
• inverse elements can be found in GF(2^n) using the generalization of Fermat little theorem (the extended Euclidean algorithm for polynomials is the other standard method; Fermat's exponentiation costs more but runs in a fixed sequence of squarings and multiplications, which is why constant-time implementations favour it)
Page 122
FERMAT "LITTLE" THEOREM
• take an irreducible generator polynomial G(x) of degree n ≥ 2 and any polynomial F(x) ∈ GF(2^n), pose k = 2^n, then:
  F(x)^k = F(x) mod G(x)
  (generalisation of Fermat little theorem)
• for instance, taken G(x) = x^2 + x + 1 (of degree n = 2, irreducible), it holds k = 2^2 = 4 and hence:
  (x + 1)^4 = ((x + 1)^2)^2 = (x^2 + 1)^2 = (x + 1 + 1)^2 = x^2 = x + 1 mod G(x)
  as it is expected to be
Page 123
CONSEQUENCES
• if the generator G(x) is an irreducible polynomial of degree n ≥ 2 and k = 2^n:
  since: F(x)^k = F(x) mod G(x)
  it follows: F(x)^(k − 1) = 1 mod G(x)
  and also: F(x)^(k − 2) = F(x)^-1 mod G(x)
  (with the condition that F(x) ≠ 0 mod G(x))
• therefore F(x)^(k − 2) is the multiplicative inverse element of F(x) (mod G(x))
Page 124
INVERSION – EXAMPLE
• taken the generator G(x) = x^2 + x + 1 (of degree n = 2, irreducible), it holds k = 2^2 = 4, and hence:
  (x + 1)^(4 − 2) = (x + 1)^2 = x^2 + 1 = x + 1 + 1 = x mod G(x)
• and in fact:
  (x + 1) x = x^2 + x = x + 1 + x = 1 mod G(x)
• this means that x is the inverse element of (x + 1) (of course, mod G(x))
Page 125
MULTIPLICATIVE GENERATORS
• the monomial x is a multiplicative generator of the non-zero elements of GF(2^n) when the generator polynomial G(x) is primitive; every irreducible G(x) of degree 2 or 3 is primitive (2^2 − 1 = 3 and 2^3 − 1 = 7 are prime, so every element other than 1 has full order), but not every irreducible polynomial is: with G(x) = x^4 + x^3 + x^2 + x + 1 (irreducible over F2) one has x^5 = 1 mod G(x), so the powers of x cover only 5 of the 15 non-zero elements of GF(2^4)
• for instance: G(x) = x^2 + x + 1 (irreducible):
  x^0 mod G(x) = 1
  x^1 mod G(x) = x
  x^2 mod G(x) = x + 1
  x^3 mod G(x) = x · x^2 mod G(x) = x (x + 1) mod G(x) = x^2 + x = x + 1 + x = 1 (periodic …)
  these three powers are exactly the elements of GF(2^2) (excluding 0)
• the same holds for GF(p^n) …
Page 126
FIELD GF(2^n) – IN SUMMARY
• given an irreducible generator polynomial G(x) of degree n ≥ 2, the algebraic structure:
  GF(2^n) = ⟨ F2[x]_n, +, ×, 0, 1 ⟩
  is a finite field of 2^n elements
• the elements of GF(2^n) are polynomials with coefficients over GF(2) (or F2)
• all the operations are computed mod G(x)
• multiplicative inverses exist for all the elements of GF(2^n) (but for 0), and can be found by Fermat little theorem
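The field operations of this section in working code, added as an example (not code from the slides): multiplication mod G(x) by the "replace x^n with the lower terms of G" rule, square-and-multiply exponentiation, inversion as F^(2^n − 2) from the Fermat generalisation, an exhaustive check of F^(2^n) = F, and the order of x, which decides whether the powers of x enumerate the whole of GF(2^n) without 0. Elements are ints with bit i = coefficient of x^i; the generator values and the function names are this example's own.

```python
# Arithmetic in GF(2^n) = F2[x] mod G(x), elements as ints (bit i = coefficient of x^i),
# G an irreducible polynomial of degree n given as an int with bit n set.
# Added example; G values and function names are this example's own, not the slides'.

def gf_mul(a: int, b: int, g: int) -> int:
    """a(x) * b(x) mod g(x) by shift-and-add: whenever a reaches degree n, replace x^n
    by the lower terms of g (the "set G(x) = 0" rule).  Inputs must already be reduced."""
    n = g.bit_length() - 1
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= g
    return r

def gf_pow(a: int, e: int, g: int) -> int:
    """a^e mod g by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, g)
        a = gf_mul(a, a, g)
        e >>= 1
    return r

def gf_inv_fermat(a: int, g: int) -> int:
    """Inverse via the Fermat generalisation: a^(2^n) = a, hence a^(2^n - 2) = a^-1 for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    n = g.bit_length() - 1
    return gf_pow(a, (1 << n) - 2, g)

def fermat_holds_for_all(g: int) -> bool:
    """Exhaustive check of F^(2^n) = F for every element (small n only)."""
    n = g.bit_length() - 1
    return all(gf_pow(f, 1 << n, g) == f for f in range(1 << n))

def mult_order(a: int, g: int) -> int:
    """Smallest k >= 1 with a^k = 1 (a != 0)."""
    k, p = 1, a
    while p != 1:
        p = gf_mul(p, a, g)
        k += 1
    return k

def powers_of_x(g: int) -> list:
    """x^0, x^1, ... mod g until the sequence returns to 1 (the table of the generator slide)."""
    out, p = [1], gf_mul(1, 0b10, g)
    while p != 1:
        out.append(p)
        p = gf_mul(p, 0b10, g)
    return out

def x_generates(g: int) -> bool:
    """x generates GF(2^n) without 0 iff its order is 2^n - 1, i.e. iff g is a primitive polynomial."""
    n = g.bit_length() - 1
    return mult_order(0b10, g) == (1 << n) - 1

if __name__ == "__main__":
    G2, G3 = 0b111, 0b1101                       # x^2 + x + 1 and x^3 + x^2 + 1
    print(bin(gf_inv_fermat(0b11, G2)))          # inverse of x + 1 in GF(2^2): x = 0b10
    print(bin(gf_inv_fermat(0b101, G3)))         # inverse of x^2 + 1 in GF(2^3): x^2 + x + 1 = 0b111
    print([bin(p) for p in powers_of_x(G2)])     # 1, x, x + 1, then back to 1
    print(x_generates(0b10011), x_generates(0b11111))   # x^4 + x + 1 is primitive; x^4 + x^3 + x^2 + x + 1 is not
```

Note that `gf_mul` branches on the bits of `b`: correct, but not constant-time. A field multiplier inside a cipher or a MAC must avoid such data-dependent branches and table lookups (or use hardware carry-less multiplication), otherwise the secret operand leaks through timing.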
Page 127
MODULAR EXTENSION FIELDS
Page 128
POLYNOMIALS OVER Fp (GF(p))
• consider polynomials with coefficients over Fp (also called GF(p)), for a fixed prime integer p ≥ 2
• a coefficient can be: 0, 1, 2, …, p − 1
• then a polynomial in Fp[x] is a list of powers of x, with coefficients as above
• example: x^2 + 2x + 1 (for p = 3, prime)
Page 129
POLYNOMIALS OVER Fp – EXAMPLES
• for the prime p = 3:
  (x + 1) + (x^2 + 2x + 1) = x + 1 + x^2 + 2x + 1 = x^2 + 3x + 2 = x^2 + 2
  since 3 = 0 mod 3
• for the prime p = 5:
  (x^2 + 3)(x^3 + 2x + 4) = x^5 + 2x^3 + 4x^2 + 3x^3 + 6x + 12 = x^5 + 5x^3 + 4x^2 + 6x + 12 = x^5 + 4x^2 + x + 2
  since 5 = 0, 6 = 1 and 12 = 2 mod 5
Page 130
THE EXTENSION FIELD GF(p^n)
• the ideas for building "modular fields" Fp (p ≥ 2 prime), and "binary extension fields" F2[x]_n (n ≥ 2), can be combined
• the result is the family of "modular extension fields" Fp[x]_n (p, n ≥ 2, p a prime integer)
• the fields Fp[x]_n are also denoted GF(p^n) (Galois Fields of order p^n, p prime)
Page 131
THE EXTENSION FIELD GF(p^n)
• take an irreducible generator polynomial G(x) ∈ Fp[x], for a prime integer p ≥ 2, of degree n ≥ 2; the algebraic structure:
  GF(p^n) = ⟨ Fp[x]_n, +, ×, 0, 1 ⟩
  is a finite field of p^n elements
• the elements of GF(p^n) are polynomials with coefficients over GF(p) (or Fp)
• all the operations are computed mod G(x)
• the field GF(p^n) contains p^n elements
Page 132
FERMAT "LITTLE" THEOREM
• take an irreducible generator polynomial G(x) ∈ Fp[x], for a prime p ≥ 2, of degree n ≥ 2, and take any polynomial F(x) ∈ GF(p^n), pose k = p^n, then:
  F(x)^k = F(x) mod G(x)
  (generalisation of Fermat little theorem)
• hence it follows (as in the previous cases):
  F(x)^(k − 1) = 1 mod G(x)
  F(x)^(k − 2) = F(x)^-1 mod G(x) (inverse!)
  (with the condition that F(x) ≠ 0 mod G(x))
Page 133
FIELD EXAMPLE – GF(3^2)
• fix p = 3 (prime) and n = 2
• the elements of GF(3) are: 0, 1, 2
• the elements of GF(3^2) are:
  0, 1, 2                                  (degree 0, 3 polynomials)
  x, 2x, x + 1, x + 2, 2x + 1, 2x + 2      (degree 1, 6 polynomials)
• there are k = 3^2 = 9 elements in GF(3^2)
• take the generator G(x) = x^2 + 1
• over GF(3) the polynomial G(x) is irreducible
• were it not so, G(x) would split into two linear factors of the type (x + a), with a = 0, 1 or 2
• but none of the a's is a root of G(x): G(0) = 1, G(1) = 2, G(2) = 5 = 2 mod 3
Page 134
INVERSION – EXAMPLE IN GF(3^2)
• remember that: G(x) = 0 ⇒ x^2 + 1 = 0 ⇒ x^2 = −1 = 2, as −1 = 2 mod 3
• to compute an inverse element:
  (2x + 1)^-1 = (2x + 1)^(9 − 2) = (2x + 1)^7 = (2x + 1)^6 (2x + 1) = ((2x + 1)^2)^3 (2x + 1) =
  = (4x^2 + 4x + 1)^3 (2x + 1) = (x^2 + x + 1)^3 (2x + 1) = (2 + x + 1)^3 (2x + 1) = (x + 3)^3 (2x + 1) = x^3 (2x + 1) =
  = x^2 · x (2x + 1) = 2x (2x + 1) = 4x^2 + 2x = x^2 + 2x = 2 + 2x mod G(x)
• and in fact:
  (2x + 1)(2x + 2) = 4x^2 + 4x + 2x + 2 = 4x^2 + 6x + 2 = x^2 + 2 = 2 + 2 = 4 = 1 mod G(x)
  as it is expected to be
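The same computations for a general prime p, added as an example (not code from the slides): polynomials over Fp as coefficient lists, long division that divides by the inverse of the leading coefficient (so the divisor need not be monic, as in the F3[x] division of x^4 + 2x^3 + 1 by 2x^2 + 1 earlier in this section), multiplication mod G(x), Fermat inversion with k = p^n, and the Ruffini root test used above to see that x^2 + 1 is irreducible over GF(3). Function names are this example's own.

```python
# Polynomials over F_p as coefficient lists, c[i] = coefficient of x^i, each in 0..p-1,
# and the field GF(p^n) = F_p[x] mod G(x).  Added example, not code from the slides;
# the function names are this example's own.

def trim(c: list) -> list:
    """Drop leading zero coefficients in place; the zero polynomial is [0]."""
    while len(c) > 1 and c[-1] == 0:
        c.pop()
    return c

def p_add(a: list, b: list, p: int) -> list:
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])

def p_mul(a: list, b: list, p: int) -> list:
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)

def p_divmod(a: list, g: list, p: int) -> tuple:
    """Long division over F_p.  The leading coefficient of the remainder is divided by that
    of g via lead^-1 = lead^(p-2) mod p (Fermat in F_p), so g need not be monic."""
    a, g = trim(list(a)), trim(list(g))
    if g == [0]:
        raise ZeroDivisionError("division by the zero polynomial")
    dg = len(g) - 1
    inv_lead = pow(g[-1], p - 2, p)
    q = [0] * max(1, len(a) - dg)
    while a != [0] and len(a) - 1 >= dg:
        shift = len(a) - 1 - dg
        f = (a[-1] * inv_lead) % p          # next quotient coefficient
        q[shift] = f
        for i, y in enumerate(g):           # a -= f * x^shift * g
            a[i + shift] = (a[i + shift] - f * y) % p
        trim(a)
    return trim(q), a

def gf_mul(a: list, b: list, g: list, p: int) -> list:
    return p_divmod(p_mul(a, b, p), g, p)[1]

def gf_pow(a: list, e: int, g: list, p: int) -> list:
    r = [1]
    while e:
        if e & 1:
            r = gf_mul(r, a, g, p)
        a = gf_mul(a, a, g, p)
        e >>= 1
    return r

def gf_inv(a: list, g: list, p: int) -> list:
    """a^(p^n - 2) = a^-1 in GF(p^n), from the Fermat generalisation a^(p^n) = a."""
    if trim(list(a)) == [0]:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    n = len(trim(list(g))) - 1
    return gf_pow(a, p ** n - 2, g, p)

def has_root(f: list, p: int) -> bool:
    """Ruffini rule over F_p: some a in 0..p-1 with F(a) = 0, i.e. (x - a) divides F."""
    return any(sum(c * pow(a, i, p) for i, c in enumerate(f)) % p == 0 for a in range(p))

if __name__ == "__main__":
    print(p_divmod([1, 0, 0, 2, 1], [1, 0, 2], 3))     # (x^4 + 2x^3 + 1) / (2x^2 + 1) over F_3
    print(p_mul([3, 0, 1], [4, 2, 0, 1], 5))           # (x^2 + 3)(x^3 + 2x + 4) over F_5
    print(has_root([1, 0, 1], 3))                      # x^2 + 1 has no root in F_3: irreducible
    print(gf_inv([1, 2], [1, 0, 1], 3))                # (2x + 1)^-1 in GF(3^2) = 2x + 2
```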
Page 135
COMPOSITE GALOIS FIELDS
• suppose GF(p^h) is a modular extension field, the elements of which consist of polynomials of degree under h with coefficients that are integers mod p
• construct a new, larger modular extension field, using the elements of GF(p^h) as "coefficients" of new polynomials, of degree under k
• this new field is GF((p^h)^k) = GF(p^(hk)), and is called a "composite (Galois) field"
• the elements of GF(p^(hk)) are polynomials, the coefficients of which are themselves polynomials (the coefficients of the latter ones are integers mod p)
Page 136
COMPOSITE GALOIS FIELDS
• dually: let GF(p^m) be a modular extension field. It can be constructed by using polynomials of degree under m, with coefficients that are integers mod p
• but, if m = hk (for h, k ≥ 2), i.e. if m is decomposable into non-trivial factors, then the field GF(p^m) can itself be decomposed into two nested fields:
  – coefficient field GF(p^h) – internal field
  – complete field GF((p^h)^k) = GF(p^(hk)) – external field
  (the roles of h, k are interchangeable)
• this decomposition may be very helpful in the implementations, but does not always apply
• if m is itself prime, no decomposition is possible
Page 137
EXAMPLE – COMPOSITE FIELD
• take p = 2 (binary extension fields)
• G(x) = x^4 + x^3 + 1 (irreducible, check yourself !)
• G(x) generates GF(2^4), with 2^4 = 16 elements
• but 4 = 2 × 2, hence GF(2^4) = GF((2^2)^2) (here h = k = 2)
• construct the two nested fields:
  – internal field, use the generator G1(y) = y^2 + y + 1 (irreducible over GF(2))
  – external field, use the generator G2(x) = x^2 + y x + 1 (irreducible over GF(2^2))
• elements of GF(2^4): (a y^1 + b y^0) x^1 + (c y^1 + d y^0) x^0 (a, b, c, d = 0, 1)
• of course, interpret G2(x) as follows:
  G2(x) = (0y + 1) x^2 + (1y + 0) x^1 + (0y + 1) x^0
  since its coefficients are themselves polynomials (use two distinct variables y and x to avoid confusion)
• complete yourself (in particular, check that G2(x) is irreducible over GF(2^2)). Try with the field GF(2^6).
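The "complete yourself" part, worked out as an added example (not code from the slides): GF(2^2) elements are 2-bit ints with y^2 = y + 1, elements of the composite field are pairs (a, b) for a·x + b, and multiplication uses x^2 = t·x + 1 with G2(x) = x^2 + t x + 1. The slide's choice is t = y; the parameter t is this example's own, kept so that the root test and the brute-force inverse table can contrast it with t = 1, for which x^2 + x + 1 is reducible over GF(2^2) (y and y + 1 are its roots) and the quotient is not a field.

```python
# The composite field GF((2^2)^2) of the slide above.  Added example, not code from the slides.
# Inner field GF(2^2): ints 0..3 with bit 1 = coefficient of y, G1(y) = y^2 + y + 1, so y^2 = y + 1.
# Outer field: pairs (a, b) standing for a*x + b with a, b in GF(2^2), G2(x) = x^2 + t*x + 1,
# so x^2 = t*x + 1; the slides take t = y.  t is a parameter of this example only, so that a
# bad choice (t = 1, for which G2 is reducible) can be contrasted with the good one.

Y = 0b10          # the element y of GF(2^2)

def gf4_mul(a: int, b: int) -> int:
    """(a1 y + a0)(b1 y + b0) with y^2 = y + 1: the y^2 term folds into both the y and the constant part."""
    a1, a0 = a >> 1, a & 1
    b1, b0 = b >> 1, b & 1
    hi = (a1 & b0) ^ (a0 & b1) ^ (a1 & b1)
    lo = (a0 & b0) ^ (a1 & b1)
    return hi << 1 | lo

def quad_has_root_in_gf4(c1: int, c0: int) -> bool:
    """Ruffini check over GF(2^2): does x^2 + c1 x + c0 vanish at some element of GF(2^2)?
    For degree 2 this decides reducibility, since any factorisation contains a linear factor."""
    return any(gf4_mul(v, v) ^ gf4_mul(c1, v) ^ c0 == 0 for v in range(4))

def gf16_mul(u: tuple, v: tuple, t: int = Y) -> tuple:
    """(a x + b)(c x + d) = ac x^2 + (ad + bc) x + bd, then x^2 = t x + 1."""
    a, b = u
    c, d = v
    ac = gf4_mul(a, c)
    hi = gf4_mul(a, d) ^ gf4_mul(b, c) ^ gf4_mul(ac, t)
    lo = gf4_mul(b, d) ^ ac
    return (hi, lo)

def gf16_elements() -> list:
    return [(a, b) for a in range(4) for b in range(4)]

def gf16_inverse_table(t: int = Y):
    """Brute-force inverse of every non-zero element; returns None if some element has no
    (or more than one) inverse, i.e. if the quotient by x^2 + t x + 1 is not a field."""
    elems = gf16_elements()
    inv = {}
    for u in elems:
        if u == (0, 0):
            continue
        sols = [v for v in elems if gf16_mul(u, v, t) == (0, 1)]
        if len(sols) != 1:
            return None
        inv[u] = sols[0]
    return inv

if __name__ == "__main__":
    print("y * y =", bin(gf4_mul(Y, Y)))                               # y + 1 = 0b11
    print("G2 = x^2 + y x + 1 has a root in GF(2^2):", quad_has_root_in_gf4(Y, 1))   # False: irreducible
    print("x^2 + x + 1 has a root in GF(2^2):", quad_has_root_in_gf4(1, 1))          # True: reducible
    print("quotient by x^2 + y x + 1 is a field:", gf16_inverse_table(Y) is not None)
    print("quotient by x^2 + x + 1 is a field:", gf16_inverse_table(1) is not None)
```

The two-level representation is what makes composite fields attractive in hardware: a GF(2^4) inversion becomes a handful of GF(2^2) operations, each small enough for a tiny lookup or a few gates.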
Page 138
CONCLUSIONS ON FINITE FIELDS
Page 139
THE COMPLETION THEOREM
• there exist only three families of finite fields:
  – modular fields: GF(p) for every prime p ≥ 2
    the elements are 0, 1, …, p − 1
    GF(2) is the simplest case, called binary field
  – binary extension fields: GF(2^n) for every integer n ≥ 2
    the elements are the polynomials of degree under n with coefficients 0 or 1
  – modular extension fields: GF(p^n) for every prime p ≥ 3 and integer n ≥ 2
    the elements are the polynomials of degree under n with coefficients 0, 1, …, p − 1
• no other family of finite fields exists: every finite field has p^n elements for some prime p and n ≥ 1, and for each such size there is exactly one field up to isomorphism
Page 140
FIELD ISOMORPHISM
• two fields F', F'' are isomorphic iff there exists a one-to-one function θ: F' → F'' such that, taken the elements a, b ∈ F', it holds:
  θ(a + b) = θ(a) + θ(b) and θ(−a) = −θ(a)
  θ(a × b) = θ(a) × θ(b) and θ(a^-1) = θ(a)^-1
  θ(0) = 0 and θ(1) = 1
• in practice, θ commutes with the field operations
• two isomorphic fields need to have the same number of elements (θ is one-to-one)
Page 141
THE ISOMORPHISM THEOREM
• let F', F'' be any two extension fields generated by the irreducible polynomials G'(x), G''(x), respectively
• theorem: if F', F'' are of the same size, they are necessarily isomorphic, i.e. there exists an isomorphism θ: F' → F''
• in other terms, each element f of F' admits a corresponding element θ(f) in F'', behaving in the same way (and vice versa)
Page 142
THE ISOMORPHISM THEOREM
• the extension fields GF(2^n) (and GF(p^n)) DO NOT DEPEND on the chosen irreducible generator polynomial
• that is, fixed an integer n ≥ 2 (and a prime p ≥ 2), there exists a unique GF(2^n) (and GF(p^n)) up to isomorphism
• put another way, if G'(x), G''(x) are both irreducible generators of degree n, they are equivalent for building GF(2^n) (and GF(p^n))
• hence, select G'(x) or G''(x) at will (but do not mix them during the computation, of course: the same bit string denotes different field elements under the two generators, and a value computed with one must be mapped through θ before being used with the other)
Page 143
ISOMORPHISM – EXAMPLE
• the binary extension field GF(2^3) (size 2^3 = 8) can be generated in two different ways:
  G'(x) = x^3 + x^2 + 1
  G''(x) = x^3 + x + 1
  since both G'(x) and G''(x) are irreducible over GF(2)
• each of G'(x) and G''(x) yields a representation of GF(2^3)
• constructing the isomorphism θ is not so immediate, though not really difficult
FIELD REPRESENTATION
• it is said that two irreducible polynomials G’(x), G’’(x), of identical degree, generate two DIFFERENT REPRESENTATIONS of the SAME FINITE EXTENSION FIELD
• the isomorphism function θ can be effectively determined, starting from G’(x), G’’(x)
• the function θ is actually a linear transformation
• an extension field admits as many different representations as the number of irreducible polynomials of identical degree
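The construction of θ for the GF(2^3) example of the two previous slides, as an added example (not part of the original slides): the image of x must be a root β of G’(x) inside the representation given by G’’(x), and θ is then extended linearly over GF(2), which is exactly why the slides call it a linear transformation. Elements are coded as 3-bit integers (bit i = coefficient of x^i); all function names are ours, and the final check verifies additivity, multiplicativity and bijectivity exhaustively.

```python
# Added example: build the isomorphism θ between the two representations of GF(2^3)
# given by G'(x) = x^3 + x^2 + 1 and G''(x) = x^3 + x + 1. Names are ours, not the slides'.

G1 = 0b1101   # G'(x)  = x^3 + x^2 + 1
G2 = 0b1011   # G''(x) = x^3 + x + 1
N = 3         # extension degree

def gf2_mulmod(a, b, g, n=N):
    """Multiply two elements of GF(2^n) coded as ints, reducing modulo the generator g."""
    r = 0
    for i in range(n):               # shift-and-add product in GF(2)[x]
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * n - 2, n - 1, -1):   # clear bits of degree >= n using g
        if (r >> i) & 1:
            r ^= g << (i - n)
    return r

def gf2_eval(poly, beta, g):
    """Evaluate poly (coefficients in GF(2)) at the field element beta of GF(2^n) mod g."""
    acc = 0
    for i in range(poly.bit_length() - 1, -1, -1):   # Horner scheme: acc = acc*beta + coeff
        acc = gf2_mulmod(acc, beta, g) ^ ((poly >> i) & 1)
    return acc

def find_isomorphism(g_from, g_to, n=N):
    """Return theta as a list: theta[f] is the image, in the g_to representation, of f.
    theta(x) must be a root of g_from in GF(2^n)/g_to; theta(x^i) = theta(x)^i and theta
    is additive, so the images of the basis 1, x, ..., x^(n-1) determine it."""
    for beta in range(1, 1 << n):
        if gf2_eval(g_from, beta, g_to) == 0:
            break
    else:
        raise ValueError("g_from has no root in the target field: not irreducible of degree n")
    basis = [1]
    for _ in range(1, n):
        basis.append(gf2_mulmod(basis[-1], beta, g_to))
    theta = []
    for f in range(1 << n):
        img = 0
        for i in range(n):
            if (f >> i) & 1:
                img ^= basis[i]      # linearity over GF(2)
        theta.append(img)
    return theta

def is_field_isomorphism(theta, g_from, g_to, n=N):
    """Exhaustive check: bijective, theta(a+b) = theta(a)+theta(b), theta(ab) = theta(a)theta(b)."""
    if sorted(theta) != list(range(1 << n)):
        return False
    for a in range(1 << n):
        for b in range(1 << n):
            if theta[a ^ b] != theta[a] ^ theta[b]:
                return False
            if theta[gf2_mulmod(a, b, g_from)] != gf2_mulmod(theta[a], theta[b], g_to):
                return False
    return True

THETA = find_isomorphism(G1, G2)     # theta: GF(2^3)/G'(x) -> GF(2^3)/G''(x)
```

Here θ(x) = x + 1 (coded 0b011), since (x + 1)^3 + (x + 1)^2 + 1 = 0 when x^3 = x + 1; running `find_isomorphism(G2, G1)` gives the map in the other direction.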
MORE NUMBER THEORY
EULER FUNCTION
• euler function: ϕ: N → N
  ϕ(1) = 1 by definition
  ϕ(n) = k where k is the number of integers < n and co-prime with n (n ≥ 2)
  (co-prime ⇔ sharing no common factor ≥ 2)
• examples:
  ϕ(2) = 1 (1 is co-prime with 2)
  ϕ(3) = 2 (1, 2 are co-prime with 3)
  ϕ(4) = 2 (1, 3 are co-prime with 4)
  ϕ(5) = 4 (1, …, 4 are co-prime with 5)
  ϕ(6) = 2 (1, 5 are co-prime with 6)
  ϕ(7) = 6 (1, …, 6 are co-prime with 7)
  ϕ(8) = 4 (1, 3, 5, 7 are co-prime with 8)
  …
• ϕ(p) = p − 1 if and only if p is a prime integer
PROPERTIES OF ϕ
• euler function ϕ is multiplicative: if (m, n) = 1 then ϕ(m n) = ϕ(m) ϕ(n)
  ((m, n) = 1 means that m, n are co-prime)
• for instance: (2, 3) = 1, hence 2 = ϕ(6) = ϕ(2 × 3) = ϕ(2) ϕ(3) = 1 × 2 = 2
• in particular, if p, q are both prime (and distinct), it holds: ϕ(p q) = ϕ(p) ϕ(q) = (p − 1) (q − 1) (this feature plays an important role in RSA)
• the multiplicative property does not hold if m, n are not co-prime
EULER THEOREM
• let a, n be any integers ≥ 2; if a and n are co-prime, it holds:
  a^ϕ(n) = 1 mod n (L. Euler)
• for instance: a = 9, n = 4 (a, n are co-prime), ϕ(4) = 2 ⇒ 9^2 = 81 = 1 mod 4, as expected
• Fermat is a special case of Euler, when n = p
• but Euler cannot always be used for finding inverse elements (while Fermat can be)
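The three slides above (definition of ϕ, its multiplicativity, and Euler's theorem) worked through in code, as an added example that is not part of the original slides: ϕ is computed once by the counting definition and once through multiplicativity over the prime-power factorization (using the standard fact ϕ(p^a) = p^(a−1)(p − 1), which the slides do not state), and a^ϕ(n) mod n is evaluated to show that the theorem needs (a, n) = 1. Function names are ours.

```python
# Added example: Euler's totient and Euler's theorem; helper names are ours.
from math import gcd

def is_coprime(a, n):
    """(a, n) = 1 in the slides' notation."""
    return gcd(a, n) == 1

def phi_by_definition(n):
    """phi(n) as defined on the slides: number of integers 1 <= k < n co-prime with n; phi(1) = 1."""
    if n == 1:
        return 1
    return sum(1 for k in range(1, n) if is_coprime(k, n))

def prime_factors(n):
    """Trial-division factorisation as {prime: exponent}; fine for toy sizes only."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi_by_factorization(n):
    """phi via multiplicativity: distinct prime powers are pairwise co-prime, so
    phi(n) = product of phi(p^a) = product of p^(a-1) * (p-1)."""
    result = 1
    for p, a in prime_factors(n).items():
        result *= p ** (a - 1) * (p - 1)
    return result

def euler_power(a, n):
    """a^phi(n) mod n: equals 1 exactly when (a, n) = 1 (Euler's theorem)."""
    return pow(a, phi_by_factorization(n), n)

def rsa_phi(p, q):
    """phi(p q) = (p-1)(q-1) for two distinct primes, as used in RSA."""
    return (p - 1) * (q - 1)

def multiplicativity_holds(m, n):
    """Does phi(m n) = phi(m) phi(n)? True when (m, n) = 1, in general false otherwise."""
    return phi_by_factorization(m * n) == phi_by_factorization(m) * phi_by_factorization(n)
```

Note that `phi_by_factorization` needs the factorization of n: that is the sense in which Euler's theorem cannot in practice be applied to an arbitrary modulus, while for a prime p the exponent p − 1 is immediately known.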
PRACTICAL ALGORITHMS
(a short list)
RELEVANT ALGORITHMS
• computing the Greatest Common Divisor (m, n) (Euclid Alg.)
• computing λ, µ s.t. (m, n) = λm + µn (Euclid Extended Alg.)
• computing the Modular Inverse: m^−1 mod n (application of Euclid Ext. Alg.)
• computing Modular Powers: a^e mod n (Square & Multiply Alg.)
• all alg.s are extensible to GF(2^n) and GF(p^n)
• and do not forget Polynomial Division!
• hints on the Montgomery Multiplication Alg.
EUCLID G.C.D. ALG.
• let a, b ∈ Z be any two integers
• (a, b) = d Greatest Common Divisor of a, b
• Euclid algorithm for computing d:
  input (a)
  input (b)
  r0 = max (a, b)        // r0 : provisional g.c.d.
  r1 = min (a, b)        // r1 : provisional remainder
  do
    r’ = r0 mod r1       // r’ : compute new remainder
    r0 = r1              // r0 : new provisional g.c.d.
    r1 = r’              // r1 : new provisional remainder
  while (r’ != 0)        // exit when null remainder
  output (r0)
EUCLID ALG. – EXAMPLES
• a = b ⇒ (a, b) = a (or = b)
  r0 = a   r1 = a
  r’ = a mod a = 0   r0 = a   r1 = 0   (r’ == 0) exit
  output (a)
• a = 9   b = 6 ⇒ (a, b) = 3
  r0 = 9   r1 = 6
  r’ = 9 mod 6 = 3   r0 = 6   r1 = 3   (r’ != 0) loop
  r’ = 6 mod 3 = 0   r0 = 3   r1 = 0   (r’ == 0) exit
  output (3)
EUCLID – WHY DOES IT WORK?
• r_0 = a   r_1 = b (supposing a > b)
• unrolling the loop:
  r_2 = r_0 mod r_1 ⇒ r_0 = q_1 r_1 + r_2 ⇒ gcd(r_0, r_1) = gcd(r_1, r_2)
  r_3 = r_1 mod r_2 ⇒ r_1 = q_2 r_2 + r_3 ⇒ gcd(r_1, r_2) = gcd(r_2, r_3)
  …
  r_m = r_{m−2} mod r_{m−1} ⇒ r_{m−2} = q_{m−1} r_{m−1} + r_m ⇒ gcd(r_{m−2}, r_{m−1}) = gcd(r_{m−1}, r_m)
  0 = r_{m−1} mod r_m ⇒ r_{m−1} = q_m r_m + 0 ⇒ gcd(r_{m−1}, r_m) = r_m
• note that, if x = sy + z with z < y, then gcd(x, y) = gcd(y, z)
• and note that, if x = sy, then gcd(x, y) = y
• hence, r_m is the g.c.d. of r_0, r_1
EXPRESSING THE G.C.D.
• theorem (Euclid): given any two integers m, n ∈ Z, it holds:
  (m, n) = λm + µn (with λ, µ ∈ Z)
  for two suited integers λ, µ (not unique)
• for instance:
  (30, 18) = 6
  (30, 18) = 2 × 30 + (−3) × 18
  i.e., λ = 2 and µ = −3
EUCLID EXT. ALGORITHM
• nothing but a careful backtracking:
  (9, 14) = 1
• apply Euclid G.C.D. Algorithm:
  14 mod 9 = 5    14 = 1×9 + 5    5 = 14 − 1×9
  9 mod 5 = 4     9 = 1×5 + 4     4 = 9 − 1×5
  5 mod 4 = 1     5 = 1×4 + 1     1 = 5 − 1×4
  4 mod 1 = 0     end
• and now backtrack the remainder chain:
  1 = 5 − 1×4 = 5 − 1×(9 − 1×5) =
    = (−1)×9 + 2×5 = (−1)×9 + 2×(14 − 1×9) =
    = 2×14 − 3×9 = (−3)×9 + 2×14
• that is, λ = −3, µ = 2
COMPUTING THE INVERSE
• let m, n ∈ Z be any two integers
• theorem (Euclid, see before): (m, n) = λm + µn, for a pair of integers λ, µ ∈ Z
• if m, n are co-prime, then (m, n) = 1
• it follows λm + µn = 1
• then λm = 1 mod n, since µn = 0 mod n
• finally λ = m^−1 mod n (λ is the inverse of m)
• use the Euclid Extended Algorithm for computing λ, µ, and hence for computing the inverse element m^−1 mod n
INVERSION EXAMPLE
• suppose to compute: 9^−1 mod 14 = ?
  (∃ as 9, 14 are co-prime, i.e., (9, 14) = 1)
• applying Euclid Ext. Alg. yields:
  (9, 14) = (−3) × 9 + 2 × 14 = 1 (as shown before)
• hence:
  (−3)×9 + 2×14 = 1 mod 14 ⇒ (−3)×9 = 1 mod 14 ⇒ 11×9 = 1 mod 14 ⇒ 9^−1 = 11 mod 14
• and in fact: 9 × 11 = 99 = 1 mod 14 (since 99 = 7 × 14 + 1)
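The Euclid g.c.d. algorithm, its extended form and the modular inverse of the slides above, as an added runnable example (our code, not the slides'): `euclid_gcd` follows the slides' loop on (r0, r1); `euclid_extended` replaces the backtracking of the remainder chain by carrying the Bezout cofactors of each remainder forward (the invariant is noted in the comments), which yields the same λ = −3, µ = 2 for (9, 14) as the slides; for (30, 18) it returns another valid pair, since the slides note that λ, µ are not unique. Function names are ours.

```python
# Added example: Euclid, extended Euclid and modular inverse; names are ours.

def euclid_gcd(a, b):
    """Euclid's algorithm as on the slides: r0 = max, r1 = min, loop on remainders.
    The loop condition is checked first so that b = 0 cannot cause a division by zero."""
    r0, r1 = max(abs(a), abs(b)), min(abs(a), abs(b))
    while r1 != 0:
        r0, r1 = r1, r0 % r1          # r' = r0 mod r1 ; r0 = r1 ; r1 = r'
    return r0

def euclid_extended(a, b):
    """Return (d, lam, mu) with d = (a, b) = lam*a + mu*b.
    Invariant: old_r = old_s*a + old_t*b and r = s*a + t*b at every step, so the
    cofactors of the final nonzero remainder are the lambda, mu of the slides."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:                     # normalise the sign of the g.c.d. for negative inputs
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t

def mod_inverse(m, n):
    """m^-1 mod n via the extended Euclid algorithm; it exists iff (m, n) = 1.
    lam*m + mu*n = 1  =>  lam*m = 1 mod n, and lam is taken in 0..n-1 (e.g. -3 -> 11 mod 14)."""
    d, lam, _ = euclid_extended(m, n)
    if d != 1:
        raise ValueError(f"{m} has no inverse mod {n}: the g.c.d. is {d}, not 1")
    return lam % n

def bezout_holds(a, b):
    """Check the theorem of the slides: (a, b) = lam*a + mu*b."""
    d, lam, mu = euclid_extended(a, b)
    return d == lam * a + mu * b == euclid_gcd(a, b)
```

For key material, `mod_inverse` is where e.g. the RSA private exponent d = e^−1 mod ϕ(n) comes from; the `ValueError` branch is the check that e was chosen co-prime with ϕ(n).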
COMPUTING THE INVERSE – EXTENSION TO POLYNOMIALS
• the Euclid Extended Algorithm works for polynomials as well:
  (A(x), B(x)) = L(x)A(x) + M(x)B(x) (theorem)
• consequence:
  (A(x), B(x)) = 1 ⇒ L(x)A(x) + M(x)B(x) = 1 ⇒ L(x)A(x) = 1 mod B(x) ⇒ L(x) = A(x)^−1 mod B(x)
• here, of course, all the operations are carried out on polynomials, taking care of the specific field of the coefficients
SQUARE & MULTIPLY ALG.
• frequently one has to compute: a^e mod n (e.g., for Fermat theorem) for a large exponent e and an integer a ∈ Z_n
• code the exponent e as a binary number:
  e = e_{k−1} 2^{k−1} + e_{k−2} 2^{k−2} + … + e_1 2 + e_0, where k = log2 e and e_i ∈ {0, 1}
• note that if h = 2^m, then:
  a^h mod n = (…(a)^2 mod n …)^2 mod n (m times)
  (i.e., m nested modular squarings)
SQUARE & MULTIPLY ALG.
• now let 0 ≤ i < k, and pose: b_i = 2^i, and
  a_i = a^{b_i} mod n if the bit e_i is = 1
  a_i = 1 if the bit e_i is = 0
  compute the a_i’s by nested mod. squarings
• then, it holds:
  a^e mod n = ((…(a_{k−1} × a_{k−2}) mod n × … × a_1) mod n × a_0) mod n
• the computation of the above formula only requires k modular squarings and k modular multiplications, and k = log2 e (i.e., k is much smaller than e)
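The Square & Multiply algorithm of the two slides above, as an added example (our code, not the slides'): `square_and_multiply` follows the slides' formulation, producing a_i = a^(2^i) mod n by nested squarings and multiplying in the a_i whose bit e_i is 1; `square_and_multiply_ltr` is the left-to-right variant and also returns the operation counts, so the claim of k squarings and at most k multiplications can be checked against the bit length of e. Names are ours.

```python
# Added example: modular exponentiation by square & multiply; names are ours.

def square_and_multiply(a, e, n):
    """a^e mod n, right-to-left as on the slides: power holds a^(2^i) mod n (nested
    squarings); it is multiplied into the result exactly when bit e_i = 1."""
    if e < 0:
        raise ValueError("negative exponent: use the modular inverse first")
    result = 1 % n
    power = a % n
    while e > 0:
        if e & 1:                          # e_i = 1: a_i = a^(2^i), else a_i = 1 (skip)
            result = (result * power) % n
        power = (power * power) % n        # next nested modular squaring
        e >>= 1
    return result

def square_and_multiply_ltr(a, e, n):
    """Left-to-right variant: scan e from e_{k-1} down to e_0, squaring at every bit and
    multiplying by a at the 1-bits. Returns (result, squarings, multiplications)."""
    result = 1 % n
    squarings = multiplications = 0
    for i in range(e.bit_length() - 1, -1, -1):
        result = (result * result) % n
        squarings += 1
        if (e >> i) & 1:
            result = (result * a) % n
            multiplications += 1
    return result, squarings, multiplications
```

Both variants take a branch that depends on the exponent bits, so their running time (and power trace) varies with e; when e is a secret key, production code uses a fixed-sequence ladder instead, but the arithmetic is exactly the one shown here.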
SQUARE & MULTIPLY ALG. – EXTENSION TO POLYNOMIALS
• the Square & Multiply algorithm extends to polynomials as well
• for computing: F(x)^k for a large exponent k, express k as a binary number, and proceed as for integers
• here, of course, all squarings and multiplications are computed mod G(x), where G(x) is the field generator …
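The polynomial versions of the extended Euclid inverse (slide "COMPUTING THE INVERSE – EXTENSION TO POLYNOMIALS") and of Square & Multiply (slide above), as one added example that is not part of the original slides. Polynomials over GF(2) are coded as integers (bit i = coefficient of x^i), so addition is XOR and the coefficient field is taken care of automatically; the generator is the AES field polynomial G(x) = x^8 + x^4 + x^3 + x + 1, chosen by us as a realistic instance of GF(2^8). Function names are ours.

```python
# Added example: GF(2)[x] arithmetic, inverse by extended Euclid, power by square & multiply.
# Polynomials are ints, bit i <-> coefficient of x^i. Names are ours.

AES_POLY = 0x11B   # G(x) = x^8 + x^4 + x^3 + x + 1 (irreducible over GF(2))

def deg(p):
    """Degree of an int-coded polynomial (-1 for the zero polynomial)."""
    return p.bit_length() - 1

def poly_mul(a, b):
    """Carry-less product in GF(2)[x] (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    """Polynomial long division: (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and deg(a) >= deg(b):
        shift = deg(a) - deg(b)        # leading term of a divided by leading term of b
        q ^= 1 << shift
        a ^= b << shift                # subtraction = addition = XOR over GF(2)
    return q, a

def poly_mulmod(a, b, g=AES_POLY):
    """a*b mod g."""
    return poly_divmod(poly_mul(a, b), g)[1]

def poly_egcd(a, b):
    """(d, L, M) with d = (a, b) = L*a + M*b: the integer extended Euclid loop with
    polynomial division in place of integer division and XOR in place of subtraction."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q, rem = poly_divmod(old_r, r)
        old_r, r = r, rem
        old_s, s = s, old_s ^ poly_mul(q, s)
        old_t, t = t, old_t ^ poly_mul(q, t)
    return old_r, old_s, old_t

def poly_inverse(a, g=AES_POLY):
    """A(x)^-1 mod G(x): (A, G) = 1 => L*A + M*G = 1 => L = A^-1 mod G."""
    d, L, _ = poly_egcd(a, g)
    if d != 1:
        raise ValueError("no inverse: the g.c.d. with the generator is not 1")
    return poly_divmod(L, g)[1]

def poly_powmod(a, k, g=AES_POLY):
    """A(x)^k mod G(x) by square & multiply on the bits of k."""
    result = 1
    base = poly_divmod(a, g)[1]
    while k:
        if k & 1:
            result = poly_mulmod(result, base, g)
        base = poly_mulmod(base, base, g)
        k >>= 1
    return result
```

In GF(2^8) every nonzero A(x) satisfies A(x)^255 = 1 (the polynomial analogue of Fermat), so `poly_powmod(a, 254)` must agree with `poly_inverse(a)`; the tests check this on 0x53, whose inverse 0xCA is the value used in the AES S-box construction.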
MONTGOMERY MULTIPLICATION
• a clever and efficient algorithm for computing modular multiplication
• is particularly efficient when working with numbers coded in base 2 (binary numbers)
• is based on the idea of performing the reduction at each addition of a row of the matrix of the partial products
• see in textbooks …
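The idea stated on this slide, as an added example (our code, not the slides'): the radix-2 Montgomery product adds one row a_i·b of the partial-product matrix per bit of a and reduces immediately afterwards, but the reduction is a cheap "add n if odd, then halve" step instead of a division by n, at the price of an extra factor 2^(−k) in the result. The second function shows how that factor is cancelled with a precomputed R^2 mod n to obtain the plain a·b mod n. Names are ours; n must be odd and a, b < n.

```python
# Added example: bit-serial (radix-2) Montgomery multiplication; names are ours.

def mont_mul(a, b, n):
    """Montgomery product a*b*2^(-k) mod n, with k = bit length of n.
    Requires n odd and 0 <= a, b < n. After each of the k steps t < 2n holds, so a
    single conditional subtraction at the end completes the reduction."""
    if n % 2 == 0 or not (0 <= a < n and 0 <= b < n):
        raise ValueError("need odd n and 0 <= a, b < n")
    k = n.bit_length()
    t = 0
    for i in range(k):
        t += ((a >> i) & 1) * b        # add row i of the partial-product matrix
        if t & 1:                      # n is odd, so adding n makes t even without
            t += n                     # changing t mod n
        t >>= 1                        # exact halving: multiplies by 2^-1 mod n
    if t >= n:
        t -= n
    return t

def mont_modmul(a, b, n):
    """Plain a*b mod n via two Montgomery products: the first leaves a*b*2^(-k),
    the second multiplies by R^2 mod n (R = 2^k) and divides by R again."""
    k = n.bit_length()
    r2 = pow(2, 2 * k, n)              # precomputed once per modulus in real implementations
    return mont_mul(mont_mul(a, b, n), r2, n)

def to_montgomery(a, n):
    """Montgomery form a*R mod n: one Montgomery product with R^2 mod n."""
    return mont_mul(a % n, pow(2, 2 * n.bit_length(), n), n)

def from_montgomery(am, n):
    """Back from Montgomery form: a*R * 1 * R^-1 = a."""
    return mont_mul(am, 1, n)
```

In practice operands are kept in Montgomery form throughout a whole exponentiation, so the conversions happen only at the start and the end, and every inner multiplication is the division-free `mont_mul`; the final conditional subtraction is the well-known source of data-dependent timing in naive implementations, which constant-time code removes by always subtracting and selecting the result arithmetically.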