Information Security Lab. Dept. of Computer Engineering
PART I Symmetric Ciphers
CHAPTER 4 Finite Fields
4.1 Groups, Rings, and Fields
4.2 Modular Arithmetic
4.3 The Euclidean Algorithm
4.4 Finite Fields of the Form GF(p)
4.5 Polynomial Arithmetic
4.6 Finite Fields of the Form GF(2^n)

Upload: dominick-bryant

Post on 13-Dec-2015




4.1 Groups, Rings, and Fields
Groups
A group G, denoted by {G, ·}, is a set of elements with a binary operation, denoted by ·, that obeys the following axioms.
(A1) Closure: for all a, b ∈ G, a·b ∈ G
(A2) Associative: a·(b·c) = (a·b)·c for all a, b, c ∈ G
(A3) Identity element: there is an e ∈ G such that e·a = a·e = a for all a ∈ G
(A4) Inverse element: for each a ∈ G there is an a⁻¹ ∈ G such that a·a⁻¹ = a⁻¹·a = e
(A5) Commutative: a·b = b·a for all a, b ∈ G
A group is said to be abelian if it also satisfies (A5). A group with a finite number of elements is a finite group (of finite order); otherwise it is an infinite group.


Example: Define Sn to be the set of all permutations of n distinct symbols. Each element of Sn is represented by a permutation of the integers in {1, 2, …, n}. Sn is a group:
A1: For π, ρ ∈ Sn, the composite mapping π·ρ ∈ Sn. For example, π = {3, 2, 1}, ρ = {1, 3, 2}, π·ρ = {2, 3, 1} ∈ Sn
A2: The composition of mappings is easily seen to be associative.
A3: For Sn the identity element is {1, 2, …, n}
A4: For any π ∈ Sn there is an inverse; e.g. for π = {2, 3, 1}, π⁻¹ = {3, 1, 2} ∈ Sn:
{2, 3, 1}·{3, 1, 2} = {1, 2, 3}
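The permutation group S_n above, as an added Python example that is not part of the original slides; it composes permutations in the order that reproduces the slide's product, finds inverses, and checks axioms A1 to A5 by brute force on S_3:

```python
# Added example (not from the original slides): the permutation group S_n of
# Section 4.1.  A permutation is a tuple p with p[i-1] = image of i; the
# slide's product sigma*pi is taken as "apply sigma first, then pi", which is
# the convention that yields {3,2,1}*{1,3,2} = {2,3,1} as on the slide.

from itertools import permutations

def compose(sigma, pi):
    """(sigma * pi)(i) = pi(sigma(i)) for tuples over {1, ..., n}."""
    return tuple(pi[sigma[i] - 1] for i in range(len(sigma)))

def inverse(sigma):
    """Inverse permutation: sends sigma(i) back to i."""
    inv = [0] * len(sigma)
    for i, image in enumerate(sigma, start=1):
        inv[image - 1] = i
    return tuple(inv)

def symmetric_group(n):
    """All n! permutations of {1, ..., n}."""
    return [tuple(p) for p in permutations(range(1, n + 1))]

def is_group(elements, op, identity):
    """Brute-force check of axioms A1-A4 for a finite set under op."""
    elems = set(elements)
    for a in elems:
        if op(a, identity) != a or op(identity, a) != a:               # A3
            return False
        if not any(op(a, b) == identity == op(b, a) for b in elems):   # A4
            return False
        for b in elems:
            if op(a, b) not in elems:                                  # A1
                return False
            for c in elems:
                if op(op(a, b), c) != op(a, op(b, c)):                 # A2
                    return False
    return True

def is_abelian(elements, op):
    """Axiom A5: the operation commutes for every pair."""
    return all(op(a, b) == op(b, a) for a in elements for b in elements)

if __name__ == "__main__":
    print(compose((3, 2, 1), (1, 3, 2)))     # (2, 3, 1), as on the slide
    print(inverse((2, 3, 1)))                # (3, 1, 2)
    s3 = symmetric_group(3)
    print(is_group(s3, compose, (1, 2, 3)))  # True
    print(is_abelian(s3, compose))           # False: S_3 is a group, not abelian
```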


Cyclic Group
Define exponentiation as repeated application of the group operator: a³ = a·a·a
Let the identity be e = a⁰
A group G is cyclic if every element is a power of some fixed element: b = a^k for some fixed a and every b ∈ G. Such an a is said to be a generator of the group G.
Additive finite group G = {0, 1, 2, 3, 4, 5, 6}: G is a cyclic group; identity = 0 (= 1⁰), generator = 1; 3 = 1³ = 1 + 1 + 1


Rings
A ring R, denoted by {R, +, ·}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed:
(A1 ~ A5): R is an abelian group under addition
(M1) Closure under multiplication: for a, b ∈ R, a·b ∈ R
(M2) Associativity of multiplication: for a, b, c ∈ R, a·(b·c) = (a·b)·c
(M3) Distributive laws: for a, b, c ∈ R, a·(b + c) = a·b + a·c and (a + b)·c = a·c + b·c
Example of a ring: the set of all n-square matrices over the real numbers


Rings
A ring is said to be commutative if it satisfies the following condition:
(M4) Commutativity of multiplication: for a, b ∈ R, ab = ba
Let S be the set of even integers under the usual addition and multiplication: S is a commutative ring.
Integral domain
An integral domain is a commutative ring that also obeys the following axioms:
(M5) Multiplicative identity: there is an element 1 in R such that a1 = 1a = a for all a in R
(M6) No zero divisors: if a, b in R and ab = 0, then either a = 0 or b = 0.


Fields
A field F, denoted by {F, +, ·}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed:
(A1 ~ M6): F is an integral domain, i.e. F satisfies axioms A1 through M6
(M7) Multiplicative inverse: for each a in F except 0, there is an a⁻¹ ∈ F such that a·a⁻¹ = (a⁻¹)·a = 1
A field is an additive abelian group whose nonzero elements also form a multiplicative group.
The structures form a hierarchy with progressively more axioms/laws: group, ring, field


Fig. 4.1 Groups, Rings, and Fields (hierarchy of axioms; each structure satisfies all axioms of the one before it)
Group: (A1) Closure under addition, (A2) Associativity of addition, (A3) Additive identity, (A4) Additive inverse
Abelian group: (A1)-(A4) plus (A5) Commutativity of addition
Ring: (A1)-(A5) plus (M1) Closure under multiplication, (M2) Associativity of multiplication, (M3) Distributive law
Commutative ring: (A1)-(M3) plus (M4) Commutativity of multiplication
Integral domain: (A1)-(M4) plus (M5) Multiplicative identity, (M6) No zero divisors
Field: (A1)-(M6) plus (M7) Multiplicative inverse


4.2 Modular Arithmetic
n: a positive integer, a: any nonnegative integer; a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
Define the modulo operator "a mod n" to be the remainder r (the residue) when a is divided by n (the modulus), e.g. 11 mod 7 = 4
Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n), i.e. a and b have the same remainder:
a ≡ b (mod n), e.g. 73 ≡ 4 (mod 23), 21 ≡ −9 (mod 10)
The process is known as modular reduction.


Divisors
A non-zero number b divides a if a = mb for some m, where a, b, m are all integers; i.e. b divides into a with no remainder; denoted by b|a. If b|a then b is a divisor of a; 1, 2, 3, 4, 6, 8, 12, 24 divide 24.
If a|1, then a = ±1. If a|b and b|a, then a = ±b. Any b ≠ 0 divides 0. If b|g and b|h, then b|(mg + nh) for arbitrary integers m, n.
Properties of Congruence
Congruences have the following properties:
1. a ≡ b (mod n) if n|(a − b)
2. a ≡ b (mod n) implies n|(b − a)
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)


Modular Arithmetic Operations
The (mod n) operator maps all integers into the set of integers {0, 1, …, (n − 1)}; 'clock arithmetic'
Modular arithmetic exhibits the following properties:
1. (a + b) mod n = [(a mod n) + (b mod n)] mod n
2. (a − b) mod n = [(a mod n) − (b mod n)] mod n
3. (a × b) mod n = [(a mod n) × (b mod n)] mod n
Proof of property 1: define (a mod n) = ra, so a = jn + ra for some j, and (b mod n) = rb, so b = kn + rb for some k. Then
(a + b) mod n = (jn + ra + kn + rb) mod n = (ra + rb + (k + j)n) mod n = (ra + rb) mod n = [(a mod n) + (b mod n)] mod n


Properties of Modular Arithmetic
Define the set Zn as the set of nonnegative integers less than n, the set of residues (residue classes) modulo n: Zn = {0, 1, …, n − 1}
The residue class modulo n: [r] = { a | a is an integer, a ≡ r (mod n) }
The residue classes modulo 4: { [0], [1], [2], [3] }
Zn is a commutative ring with a multiplicative identity; see Table 4.2 Properties of Modular Arithmetic for Zn
Two integers are relatively prime if their only common positive integer factor is 1.


Properties of Modular Arithmetic
If (a + b) ≡ (a + c) (mod n), then b ≡ c (mod n). With (−a) the additive inverse of a: ((−a) + a + b) ≡ ((−a) + a + c) (mod n), so b ≡ c (mod n).
If (a × b) ≡ (a × c) (mod n), then b ≡ c (mod n) only if a is relatively prime to n. If a is relatively prime to n, then a⁻¹ exists and ((a⁻¹) × a × b) ≡ ((a⁻¹) × a × c) (mod n), so b ≡ c (mod n).


4.3 The Euclidean Algorithm
Greatest Common Divisor (gcd)
gcd: a common problem in number theory.
gcd(a, b) (the greatest common divisor of a and b) is the largest number that divides evenly into both a and b:
gcd(a, b) = max{ k : k|a and k|b }, e.g. gcd(60, 24) = 12
If gcd(a, b) = 1, i.e. if a and b have no common factors (except 1), then a and b are relatively prime, e.g. gcd(8, 15) = 1, so 8 and 15 are relatively prime.
Finding the Greatest Common Divisor
The Euclidean algorithm is based on the following fact: gcd(a, b) = gcd(b, a mod b) for any positive integers a, b


Finding the Greatest Common Divisor
gcd(a, b) = gcd(b, a mod b)
Proof: Let d = gcd(a, b). We have d|a, d|b. a can be expressed as a = kb + r with r ≡ a (mod b), i.e. a mod b = r, where k, r are integers. Thus (a mod b) = r = a − kb. Since d|a and d|b, d|(a mod b). This means that d is a common divisor of b and (a mod b). Conversely, let d = gcd(b, (a mod b)), so d|b and d|(a mod b). Then d|kb and d|(kb + (a mod b)), i.e. d|a. Thus d = gcd(a, b).
Euclidean Algorithm to compute gcd(a, b):
Euclid(a, b) // Input: a, b; Output: gcd(a, b)
Step 1: A = a; B = b
Step 2: if B == 0 return A = gcd(a, b)
Step 3: R = A mod B
Step 4: A = B; B = R; goto Step 2


Finding the Greatest Common Divisor
To find gcd(1970, 1066):
1970 = 1 x 1066 + 904   gcd(1066, 904)
1066 = 1 x 904 + 162    gcd(904, 162)
904 = 5 x 162 + 94      gcd(162, 94)
162 = 1 x 94 + 68       gcd(94, 68)
94 = 1 x 68 + 26        gcd(68, 26)
68 = 2 x 26 + 16        gcd(26, 16)
26 = 1 x 16 + 10        gcd(16, 10)
16 = 1 x 10 + 6         gcd(10, 6)
10 = 1 x 6 + 4          gcd(6, 4)
6 = 1 x 4 + 2           gcd(4, 2)
4 = 2 x 2 + 0           gcd(2, 0)
Therefore, gcd(1970, 1066) = 2


4.4 Finite Fields of the Form GF(p)
Finite fields play a key role in cryptography.
The number of elements in a finite field must be a power of a prime, p^n.
The finite field of order p^n is known as a Galois field, denoted by GF(p^n). In particular, two kinds are often used:
GF(p): prime field (n = 1); GF(2^n): binary field (p = 2)
Finite Fields of order p
GF(p) is the set of integers {0, 1, …, p − 1} with arithmetic operations modulo the prime p


Finite Fields of order p
An integer in Zn = {0, 1, …, n − 1} has a multiplicative inverse if and only if the integer is relatively prime to n. If n is prime, then all of the nonzero integers in Zn are relatively prime to n, and there exists a multiplicative inverse for each of them.
For each w ∈ Zp with w ≠ 0, there exists a z ∈ Zp such that
wz = zw = 1
Zp is in fact a finite field, GF(p); hence one can do addition, subtraction, multiplication, and division.
Table 4.3 shows arithmetic in GF(7) (next slide)


Table 4.3 Arithmetic in GF(7)


Finding the Multiplicative Inverse in GF(p)
How to find the multiplicative inverse of an element a in a finite field GF(p): the Extended Euclidean Algorithm
Extended Euclid(a, b)
INPUT: two non-negative integers a and b with a ≥ b
OUTPUT: d = gcd(a, b) and integers x, y such that ax + by = d
Step 1: if b = 0 then d ← a, x ← 1, y ← 0 and return (d, x, y)
Step 2: Set x2 ← 1, x1 ← 0, y2 ← 0, y1 ← 1
Step 3: While b > 0 do
  3.1: q ← ⌊a/b⌋, r ← a − qb, x ← x2 − qx1, y ← y2 − qy1
  3.2: a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, y1 ← y
Step 4: Set d ← a, x ← x2, y ← y2 and return (d, x, y)
Extended Euclid(p, a) gives px + ay = 1, so y = a⁻¹ mod p


Finding the Multiplicative Inverse in GF(p)
Extended Euclid(p, a): px + ay = 1 ⟹ y = a⁻¹ mod p, because px + ay = 1 ⟹ ay = 1 − px ⟹ ay ≡ 1 (mod p)
Example: Find the inverse of 3 in GF(7); 3⁻¹ = 5
q   r   x   y    a   b   x2  x1  y2  y1
-   -   -   -    7   3   1   0   0   1
2   1   1   -2   3   1   0   1   1   -2
3   0   -3  6    1   0   1   -3  -2  6
d ← a = 1, x ← x2 = 1, y ← y2 = −2 (≡ 5)
px + ay = d: 7(1) + 3(5) ≡ 1 (mod 7), so 3⁻¹ = 5
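The Euclidean algorithm of Section 4.3, the Extended Euclid steps above and the inverse in GF(p) they yield, as an added Python example that is not part of the original slides; it also checks the cancellation caveat from Section 4.2 (a×b ≡ a×c forces b ≡ c only when gcd(a, n) = 1) by brute force, which the slides state but do not compute:

```python
# Added example (not from the original slides): Euclid's algorithm, the
# Extended Euclidean algorithm of Section 4.4, and the multiplicative inverse
# in GF(p) it yields.  cancellation_holds() checks the Section 4.2 claim that
# ab = ac (mod n) implies b = c only when a is relatively prime to n.

def euclid(a, b):
    """gcd(a, b) via gcd(a, b) = gcd(b, a mod b); returns (gcd, trace)."""
    trace = []                      # rows (A, q, B, R) as on the gcd(1970, 1066) slide
    A, B = a, b
    while B != 0:                   # Step 2: stop when B == 0
        R = A % B                   # Step 3
        trace.append((A, A // B, B, R))
        A, B = B, R                 # Step 4
    return A, trace

def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d (Steps 1-4)."""
    if b == 0:                      # Step 1
        return a, 1, 0
    x2, x1, y2, y1 = 1, 0, 0, 1     # Step 2
    while b > 0:                    # Step 3
        q = a // b
        r = a - q * b
        x = x2 - q * x1
        y = y2 - q * y1
        a, b = b, r
        x2, x1 = x1, x
        y2, y1 = y1, y
    return a, x2, y2                # Step 4

def inverse_mod_p(a, p):
    """a^-1 mod p: run Extended Euclid(p, a); px + ay = 1, so y = a^-1 mod p."""
    d, _x, y = extended_euclid(p, a)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {p} (gcd = {d})")
    return y % p                    # maps a negative y such as -2 to 5

def cancellation_holds(a, n):
    """Does a*b = a*c (mod n) imply b = c (mod n)?  Checked exhaustively."""
    for b in range(n):
        for c in range(b + 1, n):
            if (a * b) % n == (a * c) % n:
                return False        # counterexample: b != c but a*b = a*c
    return True

if __name__ == "__main__":
    g, rows = euclid(1970, 1066)
    for A, q, B, R in rows:
        print(f"{A} = {q} x {B} + {R}")
    print("gcd(1970, 1066) =", g)                            # 2
    print("3^-1 in GF(7) =", inverse_mod_p(3, 7))             # 5
    print("cancel by 3 mod 7:", cancellation_holds(3, 7))     # True
    print("cancel by 6 mod 8:", cancellation_holds(6, 8))     # False
```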


4.5 Polynomial Arithmetic
Ordinary Polynomial Arithmetic
A polynomial of degree n (n ≥ 0) is an expression of the form
$$f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i$$
The variable x is referred to as the indeterminate; a_i is the i-th coefficient, an element of the coefficient set S. Such polynomials are said to be defined over S; a_n ≠ 0. A zeroth-degree polynomial is called a constant polynomial; if a_n = 1 the polynomial is monic.
Polynomial arithmetic operations: addition, subtraction, multiplication, division.
For the operations below, let
$$f(x) = \sum_{i=0}^{n} a_i x^i, \quad g(x) = \sum_{i=0}^{m} b_i x^i, \quad n \ge m$$


Ordinary Polynomial Arithmetic
Polynomial addition and subtraction, multiplication, and division (see Fig. 4.3, Example of Polynomial Arithmetic):
$$f(x) + g(x) = \sum_{i=0}^{m} (a_i + b_i) x^i + \sum_{i=m+1}^{n} a_i x^i$$
$$f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i, \quad c_k = a_0 b_k + a_1 b_{k-1} + \cdots + a_{k-1} b_1 + a_k b_0$$
$$f(x) = q(x)\, g(x) + r(x), \quad \deg(r) < \deg(g)$$


Polynomial Arithmetic with Coefficients in Zp
A polynomial of degree n (n ≥ 0) is an expression of the form
$$f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i$$
where a_i ∈ Zp.
When computing the value of each coefficient, do the calculation modulo a prime p.
$$F[x] = \{\, f \mid f(x) = \sum_{i=0}^{n} a_i x^i,\ a_i \in Z_p \,\} : \text{polynomial ring}$$
Polynomial arithmetic operations: addition, subtraction, multiplication. When polynomial arithmetic is performed over a field (coefficients in Zp), division is also possible.


Polynomial Arithmetic with Coefficients in Zp
Division: r(x) = f(x) mod g(x)
$$\frac{f(x)}{g(x)} = q(x) + \frac{r(x)}{g(x)}, \quad f(x) = q(x)\, g(x) + r(x)$$
If there is no remainder (r(x) = 0), g(x) divides f(x), denoted by g(x) | f(x): g(x) is a factor of f(x), or g(x) is a divisor of f(x).
A polynomial f(x) over a field F is called irreducible if and only if f(x) cannot be expressed as a product of two polynomials over F, both of lower degree than f(x). An irreducible polynomial is also called a prime polynomial. Arithmetic modulo an irreducible polynomial forms a field: F[x] / f(x)


Finding the Greatest Common Divisor
The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x), c(x) = gcd(a(x), b(x)), if (1) c(x) divides both a(x) and b(x) and (2) any divisor of a(x) and b(x) is a divisor of c(x).
Euclid's algorithm can be adapted to find it:
EUCLID(a(x), b(x))
Step 1: A(x) ← a(x); B(x) ← b(x)
Step 2: if B(x) == 0 return A(x) = gcd[a(x), b(x)]
Step 3: R(x) ← A(x) mod B(x)
Step 4: A(x) ← B(x); B(x) ← R(x)
Step 5: goto Step 2
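Polynomial addition, multiplication, division with remainder and the polynomial EUCLID above, over Zp, as an added Python example that is not part of the original slides; it assumes p is prime so that the leading coefficient of a divisor can be inverted (the condition under which the slides say division is possible):

```python
# Added example (not from the original slides): polynomial arithmetic with
# coefficients in Z_p (Section 4.5).  A polynomial is a list [a_0, ..., a_n]
# (lowest degree first); p is assumed prime, so the leading coefficient of
# the divisor has an inverse and division with remainder is always possible.

def trim(f):
    """Drop leading zero coefficients; the zero polynomial becomes []."""
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_add(f, g, p):
    """Coefficient-wise addition mod p."""
    n = max(len(f), len(g))
    f = f + [0] * (n - len(f))
    g = g + [0] * (n - len(g))
    return trim([(a + b) % p for a, b in zip(f, g)])

def poly_mul(f, g, p):
    """c_k = a_0 b_k + a_1 b_{k-1} + ... + a_k b_0, each reduced mod p."""
    if not f or not g:
        return []
    c = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            c[i + j] = (c[i + j] + a * b) % p
    return trim(c)

def poly_divmod(f, g, p):
    """Return (q, r) with f(x) = q(x) g(x) + r(x) and deg r < deg g."""
    r, g = trim(list(f)), trim(list(g))
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], p - 2, p)     # Fermat: inverse of g's leading coefficient
    q = [0] * max(len(r) - len(g) + 1, 1)
    while r and len(r) >= len(g):
        shift = len(r) - len(g)         # degree difference
        coef = (r[-1] * inv_lead) % p   # next quotient coefficient
        q[shift] = coef
        for i, b in enumerate(g):       # r = r - coef * x^shift * g(x)
            r[i + shift] = (r[i + shift] - coef * b) % p
        r = trim(r)
    return trim(q), r

def poly_gcd(a, b, p):
    """EUCLID(a(x), b(x)) from the slide; the result is made monic."""
    A, B = trim(list(a)), trim(list(b))
    while B:
        A, B = B, poly_divmod(A, B, p)[1]
    if not A:
        return []
    inv_lead = pow(A[-1], p - 2, p)
    return [(c * inv_lead) % p for c in A]

if __name__ == "__main__":
    f = [1, 1, 1, 1]    # x^3 + x^2 + x + 1 over Z_2
    m = [1, 1, 0, 1]    # x^3 + x + 1, irreducible over Z_2
    print(poly_divmod(f, m, 2))            # ([1], [0, 0, 1]): q = 1, r = x^2
    print(poly_gcd([1, 0, 1], [1, 1], 2))  # [1, 1]: gcd(x^2 + 1, x + 1) = x + 1
```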


4.6 Finite Fields of the Form GF(2^n)
F[x]: polynomial ring over the field Zp (= GF(p)), p prime
m(x): an irreducible polynomial of degree n. F[x]/m(x) (= the set of polynomials of degree less than n) forms a field GF(p^n), an extension field of GF(p):
GF(p^n) = { a_{n−1}x^{n−1} + a_{n−2}x^{n−2} + … + a_1 x + a_0 }, a_i ∈ Zp
Let p = 2. GF(2^n) is called a binary field; GF(2^n) is an extension field of GF(2) (= Z2) = {0, 1}
GF(2^n) = { (a_{n−1}, a_{n−2}, …, a_1, a_0) }, a_i ∈ GF(2) = {0, 1}
= { a_{n−1}x^{n−1} + a_{n−2}x^{n−2} + … + a_1 x + a_0 }


Table 4.6 Polynomial Arithmetic Modulo (x³ + x + 1): (a) Addition


Table 4.6 Polynomial Arithmetic Modulo (x³ + x + 1): (b) Multiplication


Computational Considerations
Addition becomes XOR of the bit strings. Multiplication is shift & XOR. Modular reduction is done by repeatedly substituting the highest power with the remainder of the irreducible polynomial (also shift & XOR).
Example: GF(2³) = {000, 001, 010, 011, 100, 101, 110, 111} = {0, 1, x, x+1, x², x²+1, x²+x, x²+x+1}, m(x) = x³ + x + 1
Addition: (x²+1) + (x²+x+1) = x; 101 ⊕ 111 = 010
Multiplication: (x+1)(x²+1) = x(x²+1) + 1(x²+1) = x³+x²+x+1; (011)(101) = (101)<<1 ⊕ (101)<<0 = 1010 ⊕ 101 = 1111


Computational Considerations
Modular reduction: (x³+x²+x+1) mod (x³+x+1): x³+x²+x+1 = 1(x³+x+1) + x², so the remainder is x²
1111 mod 1011 = 1111 ⊕ 1011 = 0100
Using a Generator
A generator g of a finite field F of order q (containing q elements) is an element whose first q − 1 powers generate all non-zero elements of F. That is, the elements of F consist of 0, g⁰, g¹, …, g^(q−2).
A generator is a root of the irreducible polynomial f(x). For example, f(x) = x³+x+1 (irreducible polynomial): f(g) = 0 ⟹ g³+g+1 = 0 ⟹ g³ = g+1
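The bit-string arithmetic of the two Computational Considerations slides and the generator construction above, as an added Python example that is not part of the original slides; it uses the slides' m(x) = x³ + x + 1 and g = x, and goes beyond the slides only in taking n as a parameter so the same code serves any GF(2^n) with a given irreducible m(x):

```python
# Added example (not from the original slides): GF(2^n) arithmetic on bit
# strings as described in Section 4.6.  Addition is XOR, multiplication is
# shift & XOR, and reduction cancels the highest power with m(x).  The
# irreducible m(x) = x^3 + x + 1 is written as 0b1011; g = x is 0b010.

def gf_add(a, b):
    """Polynomial addition over GF(2): coefficient-wise XOR."""
    return a ^ b

def clmul(a, b):
    """Unreduced product: XOR of (a << i) for every set bit i of b."""
    result, i = 0, 0
    while b >> i:
        if (b >> i) & 1:
            result ^= a << i
        i += 1
    return result

def gf_reduce(value, m, n):
    """value mod m(x), deg m = n: repeatedly cancel the highest power (shift & XOR)."""
    while value.bit_length() - 1 >= n:
        shift = value.bit_length() - 1 - n
        value ^= m << shift          # subtract x^shift * m(x)
    return value

def gf_mul(a, b, m, n):
    """Multiplication in GF(2^n): polynomial product modulo the irreducible m(x)."""
    return gf_reduce(clmul(a, b), m, n)

def generator_table(g, m, n):
    """Powers g^0 .. g^(2^n - 2); g generates all nonzero elements iff distinct."""
    powers, cur = [], 1
    for _ in range((1 << n) - 1):
        powers.append(cur)
        cur = gf_mul(cur, g, m, n)
    return powers

def is_generator(g, m, n):
    """True when the first 2^n - 1 powers of g are all the nonzero elements."""
    return len(set(generator_table(g, m, n))) == (1 << n) - 1

if __name__ == "__main__":
    M, N = 0b1011, 3                                  # x^3 + x + 1, GF(2^3)
    print(format(gf_add(0b101, 0b111), "03b"))        # 010: (x^2+1)+(x^2+x+1) = x
    print(format(clmul(0b011, 0b101), "04b"))         # 1111: (x+1)(x^2+1) unreduced
    print(format(gf_reduce(0b1111, M, N), "03b"))     # 100: 1111 mod 1011 = x^2
    print([format(v, "03b") for v in generator_table(0b010, M, N)])  # Table 4.8
    print(is_generator(0b010, M, N))                  # True
```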


Table 4.8 Generator for GF(23) using x3 + x + 1


KEY POINTS
A field is a set of elements on which two arithmetic operations (addition and multiplication) have been defined and which has the properties of ordinary arithmetic, such as closure, associativity, commutativity, and having both additive and multiplicative inverses.
Modular arithmetic is a kind of integer arithmetic that reduces all numbers to one of a fixed set [0, …, n − 1] for some number n. Any integer outside this range is reduced to one in this range by taking the remainder after division by n.
The greatest common divisor of two integers is the largest positive integer that exactly divides both integers.


KEY POINTS
Finite fields are important in several areas of cryptography. A finite field is simply a field with a finite number of elements. It can be shown that the order of a finite field (the number of elements in the field) must be a power of a prime, p^n, where n is a positive integer.
Finite fields of order p can be defined using arithmetic mod p.
Finite fields of order p^n, for n > 1, can be defined using arithmetic over polynomials.


Summary
We have considered:
the concept of groups, rings, and fields
modular arithmetic with integers
Euclid's algorithm for the GCD
finite fields GF(p)
polynomial arithmetic in general and in GF(2^n)