PART I Symmetric Ciphers CHAPTER 4 Finite Fields 4.1 Groups, Rings, and Fields
Information Security Lab.Dept. of Computer Engineering
PART I Symmetric Ciphers
CHAPTER 4 Finite Fields
4.1 Groups, Rings, and Fields
4.2 Modular Arithmetic
4.3 The Euclidean Algorithm
4.4 Finite Fields of the Form GF(p)
4.5 Polynomial Arithmetic
4.6 Finite Fields of the Form GF(2^n)
4.1 Groups, Rings, and Fields

Groups
A group G, denoted by {G, ·}, is a set of elements with a binary operation, denoted by ·, that obeys the following axioms:
(A1) Closure: for all a, b ∈ G, a · b ∈ G
(A2) Associative: a · (b · c) = (a · b) · c for all a, b, c ∈ G
(A3) Identity element: there is an e ∈ G such that e · a = a · e = a for all a ∈ G
(A4) Inverse element: for each a ∈ G there is an a^-1 ∈ G such that a · a^-1 = a^-1 · a = e
(A5) Commutative: a · b = b · a for all a, b ∈ G
A group is said to be abelian if it also satisfies (A5). A group with a finite number of elements is a finite group (of finite order); otherwise it is an infinite group.
Groups
Example: define S_n to be the set of all permutations of n distinct symbols. Each element of S_n is represented by a permutation of the integers in {1, 2, …, n}. S_n is a group:
A1: For π, ρ ∈ S_n, the composite mapping π · ρ ∈ S_n. For example, π = {3, 2, 1}, ρ = {1, 3, 2}, π · ρ = {2, 3, 1} ∈ S_n
A2: The composition of mappings is easily seen to be associative.
A3: For π ∈ S_n the identity element is {1, 2, …, n}.
A4: For any π = {2, 3, 1} ∈ S_n, π^-1 = {3, 1, 2} ∈ S_n: {2, 3, 1} · {3, 1, 2} = {1, 2, 3}
Cyclic Group
Define exponentiation as repeated application of the group operator: a^3 = a · a · a.
Let the identity be e = a^0.
A group G is cyclic if every element is a power of some fixed element a: b = a^k for some k and every b ∈ G. The element a is said to be a generator of the group G.
Additive finite group G = {0, 1, 2, 3, 4, 5, 6}: G is a cyclic group; identity = 0 (= 1^0), generator = 1; 3 = 1^3 = 1 + 1 + 1 (exponentiation here is repeated addition).
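As an added example (not part of the original slides), the group axioms A1 to A5 can be checked by brute force on the two finite groups discussed above: the symmetric group S_3 under composition (the slides' convention, permuting the elements of ρ according to π) and Z_7 under addition mod 7. The generator search at the end confirms that Z_7 is cyclic and S_3 is not. All function names and the sample groups are constructed here.

```python
# Added example (not from the slides): brute-force check of the group axioms
# A1-A5 on two of the finite groups discussed above, the symmetric group S_3
# under composition and Z_7 under addition mod 7, plus a search for generators.
from itertools import permutations


def compose(p, r):
    """Composite mapping p · r in the slides' convention: permute the
    elements of r according to p. Permutations are 1-based tuples."""
    return tuple(r[i - 1] for i in p)


def group_axioms(elements, op):
    """Return which of A1..A5 hold for (elements, op) and the identity found (or None)."""
    elems = list(elements)
    closure = all(op(a, b) in elems for a in elems for b in elems)
    assoc = all(op(a, op(b, c)) == op(op(a, b), c)
                for a in elems for b in elems for c in elems)
    identity = next((e for e in elems
                     if all(op(e, a) == a and op(a, e) == a for a in elems)), None)
    inverses = identity is not None and all(
        any(op(a, b) == identity and op(b, a) == identity for b in elems) for a in elems)
    commutative = all(op(a, b) == op(b, a) for a in elems for b in elems)
    return {"A1": closure, "A2": assoc, "A3": identity is not None,
            "A4": inverses, "A5": commutative, "identity": identity}


def inverse_of(elements, op, a, identity):
    """The element b with a · b = b · a = identity."""
    return next(b for b in elements if op(a, b) == identity and op(b, a) == identity)


def generators(elements, op, identity):
    """Elements g whose powers g^0, g^1, ... (repeated application of op) reach every element."""
    elems = list(elements)
    gens = []
    for g in elems:
        reached, x = set(), identity
        for _ in range(len(elems)):
            reached.add(x)
            x = op(x, g)
        if len(reached) == len(elems):
            gens.append(g)
    return gens


# Constructed sample groups.
S3 = list(permutations((1, 2, 3)))        # all 6 permutations of {1, 2, 3}
Z7 = list(range(7))                       # additive group {0, ..., 6}


def add_mod7(a, b):
    return (a + b) % 7


if __name__ == "__main__":
    print(compose((3, 2, 1), (1, 3, 2)))          # (2, 3, 1), the slides' example
    print(group_axioms(S3, compose))              # A1-A4 hold, A5 fails: S_3 is non-abelian
    print(group_axioms(Z7, add_mod7))             # A1-A5 hold: Z_7 is abelian
    print(inverse_of(S3, compose, (2, 3, 1), (1, 2, 3)))   # (3, 1, 2)
    print(generators(Z7, add_mod7, 0))            # [1, 2, 3, 4, 5, 6]: Z_7 is cyclic
    print(generators(S3, compose, (1, 2, 3)))     # []: S_3 is not cyclic
```

Because every nonzero element of Z_7 is a generator, any of them can serve as the base for the exponentiation notation used on the slide; the same check on S_3 returns no generator, which is why S_3 is a group but not a cyclic one.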
Rings
A ring R, denoted by {R, +, ×}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed:
(A1 ~ A5) R is an abelian group with respect to addition
(M1) Closure under multiplication: for a, b ∈ R, a × b ∈ R
(M2) Associativity of multiplication: for a, b, c ∈ R, a × (b × c) = (a × b) × c
(M3) Distributive laws: for a, b, c ∈ R, a × (b + c) = a × b + a × c and (a + b) × c = a × c + b × c
Ring: the set of all n-square matrices over the real numbers
Rings
A ring is said to be commutative if it satisfies the following condition:
(M4) Commutativity of multiplication: for a, b ∈ R, ab = ba
Let S be the set of even integers under the usual addition and multiplication: S is a commutative ring.
Integral domain
An integral domain is a commutative ring that also obeys the following axioms:
(M5) Multiplicative identity: there is an element 1 ∈ R such that a1 = 1a = a for all a ∈ R
(M6) No zero divisors: if a, b ∈ R and ab = 0, then either a = 0 or b = 0
Fields
A field F, denoted by {F, +, ×}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed:
(A1 ~ M6) F is an integral domain: F satisfies axioms A1 through M6
(M7) Multiplicative inverse: for each a in F except 0, there is an a^-1 ∈ F such that aa^-1 = (a^-1)a = 1
A field is an additive abelian group, and its nonzero elements form a multiplicative group.
These structures form a hierarchy with progressively more axioms/laws: group, ring, field.
Fig. 4.1 Groups, Rings, and Fields (nested structures, each adding axioms to the one before):
Group: (A1) Closure under addition, (A2) Associativity of addition, (A3) Additive identity, (A4) Additive inverse
Abelian group: adds (A5) Commutativity of addition
Ring: adds (M1) Closure under multiplication, (M2) Associativity of multiplication, (M3) Distributive law
Commutative ring: adds (M4) Commutativity of multiplication
Integral domain: adds (M5) Multiplicative identity, (M6) No zero divisors
Field: adds (M7) Multiplicative inverse
4.2 Modular Arithmetic

n: a positive integer, a: any nonnegative integer. Then a = qn + r with 0 ≤ r < n and q = ⌊a/n⌋.
Define the modulo operator "a mod n" to be the remainder r (the residue) when a is divided by n (the modulus). E.g., 11 mod 7 = 4.
Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n), i.e. a and b have the same remainder; this is written a ≡ b (mod n).
E.g., 73 ≡ 4 (mod 23), 21 ≡ −9 (mod 10). The process of computing a mod n is known as modular reduction.
Divisors
A nonzero number b divides a if a = mb for some m, where a, b, m are all integers; i.e. b divides into a with no remainder. This is denoted by b|a. If b|a then b is a divisor of a; e.g. 1, 2, 3, 4, 6, 8, 12, 24 divide 24.
If a|1, then a = ±1. If a|b and b|a, then a = ±b. Any b ≠ 0 divides 0. If b|g and b|h, then b|(mg + nh) for any integers m, n.
Properties of Congruence
Congruences have the following properties:
1. a ≡ b (mod n) if n|(a − b)
2. a ≡ b (mod n) implies n|(b − a), i.e. b ≡ a (mod n)
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)
Modular Arithmetic Operations
The (mod n) operator maps all integers into the set of integers {0, 1, …, (n − 1)}: 'clock arithmetic'.
Modular arithmetic exhibits the following properties:
1. (a + b) mod n = [(a mod n) + (b mod n)] mod n
2. (a − b) mod n = [(a mod n) − (b mod n)] mod n
3. (a × b) mod n = [(a mod n) × (b mod n)] mod n
Proof of the first property: define (a mod n) = r_a, so a = jn + r_a for some j, and (b mod n) = r_b, so b = kn + r_b for some k. Then
(a + b) mod n = (jn + r_a + kn + r_b) mod n = (r_a + r_b + (k + j)n) mod n = (r_a + r_b) mod n = [(a mod n) + (b mod n)] mod n
Properties of Modular Arithmetic
Define the set Z_n as the set of nonnegative integers less than n, the set of residues (residue classes) modulo n: Z_n = {0, 1, …, n − 1}.
The residue class modulo n: [r] = { a | a is an integer, a ≡ r (mod n) }. The residue classes modulo 4: { [0], [1], [2], [3] }.
Z_n with addition and multiplication mod n is a commutative ring with a multiplicative identity (Table 4.2 Properties of Modular Arithmetic for Z_n).
Two integers are relatively prime if their only common positive integer factor is 1.
Properties of Modular Arithmetic
If (a + b) ≡ (a + c) (mod n), then b ≡ c (mod n). With (−a) the additive inverse of a: ((−a) + a + b) ≡ ((−a) + a + c) (mod n) ⇒ b ≡ c (mod n).
If (a × b) ≡ (a × c) (mod n), then b ≡ c (mod n) only if a is relatively prime to n. If a is relatively prime to n, then a^-1 exists, and ((a^-1) × a × b) ≡ ((a^-1) × a × c) (mod n) ⇒ b ≡ c (mod n).
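As an added example (not part of the original slides), the definitions of this section can be exercised directly: modular reduction with a nonnegative residue, congruence tested as n | (a − b), the three reduction properties, and both cancellation laws. The last function searches Z_n for the triples where multiplicative cancellation fails; every such a shares a factor with n, and the list is empty when n is prime. Function names and the sample values are constructed here.

```python
# Added example (not from the slides): modular reduction, congruence through
# n | (a - b), the three reduction properties, and both cancellation laws,
# including a brute-force search for the cases where multiplicative
# cancellation fails because a shares a factor with n.
from math import gcd


def mod(a, n):
    """a mod n as defined above: the residue r with a = qn + r, 0 <= r < n.
    Floor division keeps r nonnegative even for negative a."""
    q = a // n
    return a - q * n


def congruent(a, b, n):
    """a ≡ b (mod n) iff n divides (a - b)."""
    return (a - b) % n == 0


def reduction_properties_hold(a, b, n):
    """(a op b) mod n == [(a mod n) op (b mod n)] mod n for op in +, -, ×."""
    ra, rb = mod(a, n), mod(b, n)
    return (mod(a + b, n) == mod(ra + rb, n)
            and mod(a - b, n) == mod(ra - rb, n)
            and mod(a * b, n) == mod(ra * rb, n))


def additive_cancellation_holds(n):
    """(a + b) ≡ (a + c) (mod n) implies b ≡ c (mod n), for all a, b, c in Z_n."""
    return all(congruent(b, c, n)
               for a in range(n) for b in range(n) for c in range(n)
               if congruent(a + b, a + c, n))


def multiplicative_cancellation_failures(n):
    """Triples (a, b, c), b < c, with a×b ≡ a×c (mod n) although b ≢ c (mod n).
    Each such a has gcd(a, n) > 1, so the list is empty when n is prime."""
    return [(a, b, c)
            for a in range(1, n) for b in range(n) for c in range(b + 1, n)
            if congruent(a * b, a * c, n)]


if __name__ == "__main__":
    print(mod(11, 7), mod(-11, 7))                        # 4 3
    print(congruent(73, 4, 23), congruent(21, -9, 10))    # True True
    print(reduction_properties_hold(11, 15, 8))           # True
    print(additive_cancellation_holds(8))                 # True
    fails = multiplicative_cancellation_failures(8)
    print(fails[:3])                                      # first: (2, 0, 4) since 2×0 ≡ 2×4 (mod 8)
    print(all(gcd(a, 8) > 1 for a, _, _ in fails))        # True: every failing a shares a factor with 8
    print(multiplicative_cancellation_failures(7))        # []: 7 is prime
```

The failure list for n = 8 contains (6, 3, 7): 6 × 3 = 18 ≡ 2 and 6 × 7 = 42 ≡ 2 (mod 8), yet 3 ≢ 7, exactly the situation the slide warns about when a is not relatively prime to n.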
4.3 The Euclidean Algorithm

Greatest Common Divisor (gcd)
gcd: a common problem in number theory.
gcd(a, b), the greatest common divisor of a and b, is the largest number that divides evenly into both a and b:
gcd(a, b) = max{ k : k|a and k|b }; e.g. gcd(60, 24) = 12
If gcd(a, b) = 1, i.e. if a and b have no common factors (except 1), then a and b are relatively prime:
gcd(8, 15) = 1, so 8 and 15 are relatively prime
Finding the Greatest Common Divisor
The Euclidean algorithm is based on the following fact: gcd(a, b) = gcd(b, a mod b) for any positive integers a, b
Finding the Greatest Common Divisor
gcd(a, b) = gcd(b, a mod b)
Proof: Let d = gcd(a, b). We have d|a, d|b. a can be expressed as a = kb + r ≡ r (mod b), so a mod b = r, where k, r are integers. Thus (a mod b) = r = a − kb. Since d|a and d|b, d|(a mod b). This means that d is a common divisor of b and (a mod b). Conversely, let d = gcd(b, (a mod b)): d|b, d|(a mod b). Then d|kb and d|(kb + (a mod b)), so d|a. Thus d = gcd(a, b).
Euclidean Algorithm to compute gcd(a, b):
Euclid(a, b)    // Input: a, b; Output: gcd(a, b)
Step 1: A ← a; B ← b
Step 2: if B == 0 return A = gcd(a, b)
Step 3: R ← A mod B
Step 4: A ← B; B ← R; goto Step 2
Finding the Greatest Common Divisor
To find gcd(1970, 1066):
1970 = 1 × 1066 + 904    gcd(1066, 904)
1066 = 1 × 904 + 162     gcd(904, 162)
904 = 5 × 162 + 94       gcd(162, 94)
162 = 1 × 94 + 68        gcd(94, 68)
94 = 1 × 68 + 26         gcd(68, 26)
68 = 2 × 26 + 16         gcd(26, 16)
26 = 1 × 16 + 10         gcd(16, 10)
16 = 1 × 10 + 6          gcd(10, 6)
10 = 1 × 6 + 4           gcd(6, 4)
6 = 1 × 4 + 2            gcd(4, 2)
4 = 2 × 2 + 0            gcd(2, 0)
Therefore, gcd(1970, 1066) = 2
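As an added example (not part of the original slides), the Euclid(a, b) steps above can be implemented so that every division A = q × B + R is recorded; the trace for gcd(1970, 1066) then comes out of the code instead of being worked by hand. Function names are constructed here.

```python
# Added example (not from the slides): the Euclidean algorithm as given in
# Steps 1-4 above, recording every division A = q × B + R so that the trace
# for gcd(1970, 1066) can be regenerated and checked.


def euclid(a, b):
    """Return (gcd(a, b), steps), where steps lists (A, q, B, R) for each A = q×B + R."""
    steps = []
    A, B = a, b                      # Step 1
    while B != 0:                    # Step 2: if B == 0, A is the gcd
        q, R = divmod(A, B)          # Step 3: R = A mod B (q is the quotient shown in the trace)
        steps.append((A, q, B, R))
        A, B = B, R                  # Step 4, then back to Step 2
    return A, steps


def relatively_prime(a, b):
    """gcd(a, b) == 1, as defined above."""
    return euclid(a, b)[0] == 1


def format_trace(a, b):
    """Render the trace in the layout used above."""
    d, steps = euclid(a, b)
    lines = [f"{A} = {q} x {B} + {R}    gcd({B}, {R})" for A, q, B, R in steps]
    lines.append(f"Therefore, gcd({a}, {b}) = {d}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_trace(1970, 1066))   # 11 division steps ending in 4 = 2 x 2 + 0, gcd = 2
    print(euclid(60, 24)[0])          # 12
    print(relatively_prime(8, 15))    # True
```

The number of recorded steps is the number of divisions the algorithm performs, which is what makes the trace useful for comparing inputs: gcd(1970, 1066) needs 11 divisions, gcd(60, 24) only two.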
4.4 Finite Fields of the Form GF(p)

Finite fields play a key role in cryptography.
The number of elements in a finite field must be a power of a prime, p^n.
The finite field of order p^n is known as a Galois field, denoted GF(p^n). In particular, two kinds of fields are often used:
GF(p): prime field (n = 1); GF(2^n): binary field (p = 2)
Finite Fields of Order p
GF(p) is the set of integers {0, 1, …, p − 1} with arithmetic operations modulo the prime p.
Finite Fields of Order p
Any integer in Z_n = {0, 1, …, n − 1} has a multiplicative inverse if and only if the integer is relatively prime to n. If n is prime, then all of the nonzero integers in Z_n are relatively prime to n, and there exists a multiplicative inverse for each of them. For each w ∈ Z_p, w ≠ 0, there exists a z ∈ Z_p such that wz = zw = 1. Z_p is in fact a finite field, GF(p); hence addition, subtraction, multiplication, and division can all be done in it.
Table 4.3 shows arithmetic in GF(7) (next slide).
Table 4.3 Arithmetic in GF(7)
Finding the Multiplicative Inverse in GF(p)
How to find the multiplicative inverse of an element a in a finite field GF(p): the Extended Euclidean Algorithm.
Extended Euclid(a, b)
INPUT: two non-negative integers a and b with a ≥ b
OUTPUT: d = gcd(a, b) and integers x, y such that ax + by = d
Step 1: if b = 0 then d ← a, x ← 1, y ← 0, and return (d, x, y)
Step 2: set x2 ← 1, x1 ← 0, y2 ← 0, y1 ← 1
Step 3: while b > 0 do
  3.1: q ← ⌊a/b⌋, r ← a − qb, x ← x2 − qx1, y ← y2 − qy1
  3.2: a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, y1 ← y
Step 4: set d ← a, x ← x2, y ← y2, and return (d, x, y)
Extended Euclid(p, a): px + ay = 1 ⇒ y = a^-1 mod p
Finding the Multiplicative Inverse in GF(p)
Extended Euclid(p, a): px + ay = 1 ⇒ y = a^-1 mod p, since px + ay = 1 ⇒ ay = 1 − px ⇒ ay ≡ 1 (mod p).
Example: Find the inverse of 3 in GF(7); 3^-1 = 5.
q  r  x   y   a  b  x2  x1  y2  y1
-  -  -   -   7  3  1   0   0   1
2  1  1   −2  3  1  0   1   1   −2
3  0  −3  6   1  0  1   −3  −2  6
d ← a = 1, x ← x2 = 1, y ← y2 = −2 (≡ 5 mod 7)
px + ay = d: 7(1) + 3(−2) = 1, so 3^-1 = 5
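As an added example (not part of the original slides), the Extended Euclid pseudocode above is implemented with the same variable names, recording one row per pass of Step 3 so the table for the inverse of 3 in GF(7) can be regenerated. The derived inverse_mod runs Extended Euclid(p, a) and returns y mod p, and inverse_table rebuilds the inverse column of Table 4.3 for GF(7). Function names are constructed here; the larger check uses 550^-1 mod 1759 = 355.

```python
# Added example (not from the slides): the Extended Euclidean algorithm exactly as
# in Steps 1-4 above (variables a, b, x2, x1, y2, y1), returning d = gcd(a, b)
# with x, y such that ax + by = d, plus the per-iteration rows of the trace table
# and the inverse a^-1 mod p derived from y. The GF(7) inverse table is rebuilt from it.


def extended_euclid(a, b):
    """Return (d, x, y, rows); rows holds (q, r, x, y, a, b, x2, x1, y2, y1) per loop pass."""
    rows = []
    if b == 0:                                      # Step 1
        return a, 1, 0, rows
    x2, x1, y2, y1 = 1, 0, 0, 1                     # Step 2
    while b > 0:                                    # Step 3
        q = a // b                                  # 3.1
        r = a - q * b
        x, y = x2 - q * x1, y2 - q * y1
        a, b, x2, x1, y2, y1 = b, r, x1, x, y1, y   # 3.2
        rows.append((q, r, x, y, a, b, x2, x1, y2, y1))
    return a, x2, y2, rows                          # Step 4


def inverse_mod(a, p):
    """a^-1 mod p: run Extended Euclid(p, a) so that p·x + a·y = 1, then reduce y mod p."""
    d, x, y, _ = extended_euclid(p, a % p)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {p} (gcd = {d})")
    return y % p


def inverse_table(p):
    """Multiplicative inverses of all nonzero elements of GF(p) (the w^-1 column of Table 4.3 for p = 7)."""
    return {w: inverse_mod(w, p) for w in range(1, p)}


if __name__ == "__main__":
    d, x, y, rows = extended_euclid(7, 3)
    for row in rows:
        print(row)          # (2, 1, 1, -2, 3, 1, 0, 1, 1, -2) then (3, 0, -3, 7, 1, 0, 1, -3, -2, 7)
    print(d, x, y)          # 1 1 -2 : 7(1) + 3(-2) = 1
    print(inverse_mod(3, 7))        # 5
    print(inverse_table(7))         # {1: 1, 2: 4, 3: 5, 4: 2, 5: 3, 6: 6}
    print(inverse_mod(550, 1759))   # 355
```

The ValueError branch is the practical check a caller needs: when gcd(a, p) ≠ 1 no inverse exists, which is exactly the case the cancellation-law slide excludes, so a modulus that is not prime must be handled explicitly rather than assumed to give a field.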
4.5 Polynomial Arithmetic

Ordinary Polynomial Arithmetic
A polynomial of degree n (n ≥ 0) is an expression of the form
$f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i$
The variable x is referred to as the indeterminate; a_i, the i-th coefficient, is an element of the coefficient set S.
Such polynomials are said to be defined over S; a_n ≠ 0. A zeroth-degree polynomial is called a constant polynomial; if a_n = 1, the polynomial is monic.
Polynomial arithmetic operations: addition, subtraction, multiplication, division. For the operations that follow, let
$f(x) = \sum_{i=0}^{n} a_i x^i, \quad g(x) = \sum_{i=0}^{m} b_i x^i, \quad n \ge m$
Ordinary Polynomial Arithmetic: polynomial addition and subtraction, multiplication, and division (see Fig. 4.3 Example of polynomial arithmetic)
$f(x) + g(x) = \sum_{i=0}^{m} (a_i + b_i) x^i + \sum_{i=m+1}^{n} a_i x^i$
$f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i, \quad c_k = a_0 b_k + a_1 b_{k-1} + \cdots + a_{k-1} b_1 + a_k b_0$
$f(x) = q(x)\, g(x) + r(x), \quad \deg(r) < \deg(g)$
Polynomial Arithmetic with Coefficients in Z_p
A polynomial of degree n (n ≥ 0) is an expression of the form
$f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i, \quad a_i \in Z_p$
When computing the value of each coefficient, do the calculation modulo the prime p.
$F[x] = \{\, f \mid f(x) = \sum_{i=0}^{n} a_i x^i,\ a_i \in Z_p \,\}$: the polynomial ring over Z_p
Polynomial arithmetic operations: addition, subtraction, multiplication. When polynomial arithmetic is performed over a field (coefficients in Z_p), division is also possible.
Polynomial Arithmetic with Coefficients in Z_p
Division: r(x) = f(x) mod g(x), where
$\frac{f(x)}{g(x)} = q(x) + \frac{r(x)}{g(x)}, \quad f(x) = q(x)\, g(x) + r(x)$
If there is no remainder (r(x) = 0), g(x) divides f(x), denoted g(x) | f(x); g(x) is a factor of f(x), or g(x) is a divisor of f(x).
A polynomial f(x) over a field F is called irreducible if f(x) cannot be expressed as a product of two polynomials over F, both of lower degree than f(x). An irreducible polynomial is also called a prime polynomial.
Arithmetic modulo an irreducible polynomial f(x) forms a field: F[x] / f(x).
Finding the Greatest Common Divisor
The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x), c(x) = gcd(a(x), b(x)), if
(1) c(x) divides both a(x) and b(x)
(2) any divisor of a(x) and b(x) is a divisor of c(x)
Euclid's algorithm can be adapted to find it:
EUCLID(a(x), b(x))
Step 1: A(x) ← a(x); B(x) ← b(x)
Step 2: if B(x) == 0 return A(x) = gcd[a(x), b(x)]
Step 3: R(x) ← A(x) mod B(x)
Step 4: A(x) ← B(x); B(x) ← R(x)
Step 5: goto Step 2
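As an added example (not part of the original slides), here is polynomial arithmetic with coefficients in Z_p, covering the operations of this section: addition, subtraction, the product with c_k = Σ a_i b_j over i + j = k, long division f = q·g + r with deg(r) < deg(g), and the polynomial EUCLID above. Polynomials are coefficient lists [a_0, a_1, …, a_n], lowest degree first; the sample inputs over GF(2), a(x) = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1 and b(x) = x^4 + x^2 + x + 1, are constructed here, and all function names are assumptions of this example. Coefficient inverses use Python's pow(c, -1, p) (3.8 or later), which is why p must be prime.

```python
# Added example (not from the slides): polynomial arithmetic with coefficients in
# Z_p, using coefficient lists [a_0, a_1, ..., a_n] (lowest degree first), the
# long division f = q·g + r with deg(r) < deg(g), and the polynomial Euclidean
# algorithm of Steps 1-5 above. Coefficient inverses come from pow(c, -1, p)
# (Python 3.8+), which is why p must be prime.


def trim(f):
    """Drop leading zero coefficients so that deg(f) = len(f) - 1 (the zero polynomial is [])."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f


def poly_add(f, g, p):
    n = max(len(f), len(g))
    f, g = list(f) + [0] * (n - len(f)), list(g) + [0] * (n - len(g))
    return trim([(a + b) % p for a, b in zip(f, g)])


def poly_sub(f, g, p):
    return poly_add(f, [(-b) % p for b in g], p)


def poly_mul(f, g, p):
    """c_k = sum over i + j = k of a_i b_j, each reduced mod p."""
    f, g = trim(f), trim(g)
    if not f or not g:
        return []
    c = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            c[i + j] = (c[i + j] + a * b) % p
    return trim(c)


def poly_divmod(f, g, p):
    """Return (q, r) with f = q·g + r and deg(r) < deg(g)."""
    f, g = trim(f), trim(g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], -1, p)          # inverse of g's leading coefficient in Z_p
    q = [0] * max(len(f) - len(g) + 1, 0)
    r = f                                 # trim() returned a fresh list, safe to mutate
    while r and len(r) >= len(g):
        shift = len(r) - len(g)           # cancel r's top term with (coef · x^shift) · g(x)
        coef = (r[-1] * inv_lead) % p
        q[shift] = coef
        for j, b in enumerate(g):
            r[j + shift] = (r[j + shift] - coef * b) % p
        r = trim(r)
    return trim(q), r


def poly_mod(f, g, p):
    return poly_divmod(f, g, p)[1]


def poly_gcd(a, b, p):
    """EUCLID(a(x), b(x)) over Z_p; the result is normalised to be monic."""
    A, B = trim(a), trim(b)
    while B:                              # Step 2: stop when B(x) == 0
        A, B = B, poly_mod(A, B, p)       # Steps 3-4: R(x) = A(x) mod B(x); A ← B; B ← R
    if not A:
        return []
    inv = pow(A[-1], -1, p)
    return [(c * inv) % p for c in A]


def poly_str(f):
    """Human-readable form, highest degree first."""
    terms = [f"{c}x^{i}" if i else str(c) for i, c in enumerate(f) if c]
    return " + ".join(reversed(terms)) or "0"


if __name__ == "__main__":
    # Constructed inputs over GF(2): a(x) = x^6+x^5+x^4+x^3+x^2+x+1, b(x) = x^4+x^2+x+1
    a, b = [1, 1, 1, 1, 1, 1, 1], [1, 1, 1, 0, 1]
    print(poly_divmod(a, b, 2))                   # ([0, 1, 1], [1, 0, 1, 1]): q = x^2 + x, r = x^3 + x^2 + 1
    print(poly_str(poly_gcd(a, b, 2)))            # 1x^3 + 1x^2 + 1
    print(poly_mul([3, 1], [5, 1], 7))            # (x + 3)(x + 5) mod 7 = x^2 + x + 1 -> [1, 1, 1]
```

Over GF(2) the first division step yields r(x) = x^3 + x^2 + 1, which then divides b(x) exactly, so the gcd is x^3 + x^2 + 1. The same routines work for any prime p; the mod-7 product shows coefficients wrapping (8 ≡ 1 and 15 ≡ 1), which is the only difference from ordinary polynomial arithmetic.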
4.6 Finite Fields of the Form GF(2^n)

F[x]: the polynomial ring over the field Z_p (= GF(p)), p prime. m(x): an irreducible polynomial of degree n. F[x]/m(x) (= the set of polynomials of degree less than n) forms a field GF(p^n), the extension field of GF(p):
GF(p^n) = { a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + … + a_1 x + a_0 }, a_i ∈ Z_p
Let p = 2. GF(2^n) is called a binary field, the extension field of GF(2) (= Z_2 = {0, 1}):
GF(2^n) = { (a_{n−1}, a_{n−2}, …, a_1, a_0) }, a_i ∈ GF(2) = {0, 1}
        = { a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + … + a_1 x + a_0 }
Table 4.6 Polynomial Arithmetic Modulo (x^3 + x + 1): (a) Addition
Table 4.6 Polynomial Arithmetic Modulo (x^3 + x + 1): (b) Multiplication
Computation Consideration
Addition becomes XOR of the bit strings. Multiplication is shift and XOR. Modulo reduction is done by repeatedly substituting the highest power with the remainder of the irreducible polynomial (also shift and XOR).
Example: GF(2^3) = {000, 001, 010, 011, 100, 101, 110, 111}, representing 0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1; m(x) = x^3 + x + 1
Addition: (x^2+1) + (x^2+x+1) = x; 101 ⊕ 111 = 010
Multiplication: (x+1)(x^2+1) = x(x^2+1) + 1(x^2+1) = x^3+x^2+x+1; (011)(101) = (101)<<1 ⊕ (101)<<0 = 1010 ⊕ 101 = 1111
Computation Consideration
Modulo reduction: (x^3+x^2+x+1) mod (x^3+x+1): x^3+x^2+x+1 = 1·(x^3+x+1) + x^2, so the result is x^2
1111 mod 1011 = 1111 ⊕ 1011 = 0100
Using a Generator
A generator g of a finite field F of order q (containing q elements) is an element whose first q − 1 powers generate all the nonzero elements of F. That is, the elements of F consist of 0, g^0, g^1, …, g^{q−2}.
A generator is a root of the irreducible polynomial f(x). For example, with the irreducible polynomial f(x) = x^3 + x + 1, f(g) = 0 gives g^3 + g + 1 = 0, i.e. g^3 = g + 1.
Using a Generator
Table 4.8 Generator for GF(2^3) using x^3 + x + 1
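As an added example (not part of the original slides), the bit-string view from Computation Consideration is implemented on Python ints: addition is XOR, multiplication is shift-and-XOR, and reduction repeatedly cancels the highest power with m(x). The irreducible polynomial is passed as an int with its x^n bit set, so x^3 + x + 1 is 0b1011. The powers_of function regenerates Table 4.8 for g = x, and the same code is run against the AES field polynomial x^8 + x^4 + x^3 + x + 1 (0x11b) to show that not every element is a generator there (x is not, x + 1 is). Function and constant names are constructed here.

```python
# Added example (not from the slides): GF(2^n) arithmetic on bit strings stored as
# Python ints, as described under Computation Consideration: addition is XOR,
# multiplication is shift-and-XOR, and reduction repeatedly cancels the highest
# power using m(x). m(x) is passed as an int with its x^n bit set, so
# x^3 + x + 1 is 0b1011. Also rebuilds the generator table of powers of g.


def gf_add(a, b):
    """Addition (and subtraction) in GF(2^n): bitwise XOR."""
    return a ^ b


def gf_mul_raw(a, b):
    """Carry-less product: shift a left for each set bit of b and XOR (no reduction)."""
    prod, shift = 0, 0
    while b:
        if b & 1:
            prod ^= a << shift
        b >>= 1
        shift += 1
    return prod


def gf_reduce(v, m):
    """v mod m(x): while deg(v) >= deg(m), XOR in m shifted to line up the top bits."""
    deg_m = m.bit_length() - 1
    while v and v.bit_length() - 1 >= deg_m:
        v ^= m << (v.bit_length() - 1 - deg_m)
    return v


def gf_mul(a, b, m):
    return gf_reduce(gf_mul_raw(a, b), m)


def powers_of(g, m):
    """g^0, g^1, ..., g^(q-2) with q = 2^n; for a generator these are all q-1 nonzero elements."""
    n = m.bit_length() - 1
    out, x = [], 1
    for _ in range((1 << n) - 1):
        out.append(x)
        x = gf_mul(x, g, m)
    return out


def is_generator(g, m):
    n = m.bit_length() - 1
    return len(set(powers_of(g, m))) == (1 << n) - 1


def gf_inverse(a, m):
    """a^-1 by searching the field (fine for small n); raises for a = 0."""
    n = m.bit_length() - 1
    for b in range(1, 1 << n):
        if gf_mul(a, b, m) == 1:
            return b
    raise ValueError("0 has no multiplicative inverse")


M3 = 0b1011     # x^3 + x + 1, the irreducible polynomial used above
AES = 0x11b     # x^8 + x^4 + x^3 + x + 1, the AES field polynomial (larger check)

if __name__ == "__main__":
    print(f"{gf_add(0b101, 0b111):03b}")                # 010: (x^2+1) + (x^2+x+1) = x
    print(f"{gf_mul_raw(0b011, 0b101):04b}")            # 1111: (x+1)(x^2+1) before reduction
    print(f"{gf_reduce(0b1111, M3):04b}")               # 0100: x^3+x^2+x+1 mod (x^3+x+1) = x^2
    print([f"{p:03b}" for p in powers_of(0b010, M3)])   # Table 4.8: 001 010 100 011 110 111 101
    print(is_generator(0b010, M3), is_generator(0x02, AES), is_generator(0x03, AES))  # True False True
```

Because reduction only ever XORs a shifted copy of m(x), the highest set bit strictly decreases on every pass, which is the shift-and-XOR substitution the slide describes; the AES check is a reminder that the "generator is a root of the irreducible polynomial" statement holds for x with x^3 + x + 1 but must be verified per polynomial, since x has order 51 in the AES field while x + 1 generates all 255 nonzero elements.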
KEY POINTS
A field is a set of elements on which two arithmetic operations (addition and multiplication) have been defined and which has the properties of ordinary arithmetic, such as closure, associativity, commutativity, and having both additive and multiplicative inverses.
Modular arithmetic is a kind of integer arithmetic that reduces all numbers to one of a fixed set [0, …, n − 1] for some number n. Any integer outside this range is reduced to one in this range by taking the remainder after division by n.
The greatest common divisor of two integers is the largest positive integer that exactly divides both integers.
KEY POINTS
Finite fields are important in several areas of cryptography. A finite field is simply a field with a finite number of elements. It can be shown that the order of a finite field (the number of elements in the field) must be a power of a prime, p^n, where n is a positive integer.
Finite fields of order p can be defined using arithmetic mod p.
Finite fields of order p^n, for n > 1, can be defined using arithmetic over polynomials.
Summary
We have considered:
the concepts of groups, rings, and fields
modular arithmetic with integers
Euclid's algorithm for the GCD
finite fields GF(p)
polynomial arithmetic in general and in GF(2^n)