computer arithmetichome.deib.polimi.it/pelosi/lib/exe/fetch.php?media=... · 2011-05-02 · recall...

COMPUTER ARITHMETIC

13/05/2010 cryptography - math background pp. 1 / 162

COMPUTER ARITHMETIC

RECALL OFCOMPUTER ARITHMETIC

• computers implement some typesof arithmetic

• for instance, addition, subtratction, multiplication of integers and reals


multiplication of integers and reals• necessary for basic computations as found

in the programming languages• arithemtic operations directly supported

by the processor• but normally unsuited for cryptography …

COMPUTER ARITHMETIC

• computers can perform standard arithmetic operations on:– integers, i.e. 0 1 2 … −1 −2 …


– integers, i.e. 0 1 2 … −1 −2 …– reals, i.e. 1,2 −4,3 1,5 × 106 …– sometimes also other kinds of numbers,

i.e., complex numbers– and normally NOTHING ELSE

COMPUTER ARITHMETIC

• standard computer operations are:– arithmetic 1st species: addition, subtraction.– arithmetic 2nd species: multiplication,


– arithmetic 2 species: multiplication, division (integer or real).

– possibly arithmetic 3rd species: power, root, …

– sometimes (unfrequently) trascendental: exp, log, trigonometry, …

COMPUTER ARITHMETIC

• all the previous operations can be computed directly by the processor of the computer

• machine (assembler) instrucitons exist


• machine (assembler) instrucitons exist for each operation

• numbers are normally represented in:– two’s complement (integers)– IEEE 754 Floating Point (reals)

INTEGERS – NATURAL

• natural binary : binary digit b ∈{ 0, 1 }bnbn − 1bn − 2…b3b2b1 =

= bn2n − 1 + bn − 12

n − 2 + … + b221 + b12

0


= bn2n − 1 + bn − 12

n − 2 + … + b221 + b12

0

• range: [0, 2n − 1].• for instance:

10101100 = 27 + 25 + 23 + 22 == 128 + 32 + 8 + 4 = 172

INTEGERS – TWO’SCOMPLEMENT

• two’s Complement : binary digit b ∈{ 0, 1 }σbn − 1bn − 2 … b3b2b1 =

= −σ2n − 1 + bn − 12n − 2 + … + b22

1 + b120

• bit σ is called “sign bit”


• bit σ is called “sign bit”• range: [−2n − 1, 2n − 1 − 1].• for instance: 01001101 = + 26 + 23 + 22 + 20 =

32 + 8 + 4 + 1 = 45• and: 10101100 = −27 + 25 + 23 + 22 = −128 +

32 + 8 + 4 = −84

ADDITION OFNATURAL INTEGERS


ADDITION OF TWO’SCOMPLEMENT INTEGERS


NATURAL MULTIPLICATION


FULL ADDER

Full Adder

a b

cin cout

a b cin cout sum =

0 0 0 0 0 0

0 0 1 0 1 1

0 1 0 0 1 1

0 1 1 1 0 2


• sum = a XOR b XOR cin

• cout = a AND b OR a AND cin OR b AND cin

sum

1 0 0 0 1 1

1 0 1 1 0 2

1 1 0 1 0 2

1 1 1 1 1 3

RIPPLE CARRY ADDERaddition of natural integers of 3 bits

a2 b2 a1 b1 a0 b0


Full Adder

Full Adder

Full Adder

s2 s1 s0

c0 c1 c2 c3

CONSIDERATIONS

• integer and real computer arithmeticis NOT used (or seldom used)for cryptography


for cryptography• instead, finite algebraic structures

are generally adopted• for instance, finite FIELDS or RINGS• theory of such structures follows

ALGEBRAIC STRUCTURES


ALGEBRAIC STRUCTURES

ALGEBRAIC STRUCTURE

• an algebraic structure A is:A = ⟨ S, op1, op2, …, s0, s1, … ⟩

• where:


• where:S is a set of elements, or “numbers” (in a very broad sense), called “support set”opi is a binary operatore over the elements of the support set Ssi is a special element of the support set S

STRUCTURES – EXAMPLES

• natural integers (semigroup):N = ⟨ {1, 2, 3, …}, + ⟩

natural numbers, equipped with the binaryoperator of addition (+)


operator of addition (+)

• natural integers plus 0 (monoid):N0 = ⟨ {0, 1, 2, 3, …}, +, 0 ⟩natural numbers, equipped with the binaryoperator of addition (+), plus the specialelement 0 (neutral element for +)

STRUCTURES – EXAMPLE

• relative integers (abelian group):⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩relative integer numbers, equipped with:


relative integer numbers, equipped with:the binary operator of addition (+)the special element 0, neutral for (+)

• this an algebraic structure with one operation and one special element


• natural integers (semiring):⟨ {1, 2, 3, …}, +, ×, 1 ⟩natural integer numbers, equipped with:


natural integer numbers, equipped with:the binary operator of addition (+)the binary operator of multiplication (×)the special element 1, neutral for (×)

• an algebraic structure with two operations and one special element


• relative integers (commutative ring):Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, ×, 0, 1 ⟩Relative integer numbers, equipped with:

the binary operator of addition (+)


the binary operator of addition (+)the binary operator of multiplication (×)the special element 0, neutral for (+)the special element 1, neutral for (×)

• an algebraic structure with two operations and two special elements

CONSIDERATIONS

• there are many possible algebraic structures

• each of them is characterized by


• each of them is characterized by properties (axioms and theorems)

• for instance:a + b = b + a (axiom for N)a2 − b2 = (a + b) × (a − b) (theorem for Z)

GROUPS


GROUPS

DEFINITION

• a GROUP G is an algebraic structure:G = ⟨ S, ⋅, 1 ⟩

• WHERE:


• WHERE:S is the support set⋅ is a binary operator, called “product”1 is a special element, neutral for (⋅)

• if the support S is a finite set, G is said to be a “finite group”

AXIOMS OF GROUP

• groups must satisfy (by definition)the following axioms

• for every a, b, c ∈ S:


• for every a, b, c ∈ S:a ⋅ b ∈ S (closure)(a ⋅ b) ⋅ c = a ⋅ (b ⋅ c) (associativity)1 ⋅ a = a ⋅ 1 (1 is neutral and commutes)∃ a’ a ⋅ a’ = a’ ⋅ a = 1 (∃ of inverse)

GROUPS – EXAMPLE

• the group of non-singular square matricesof order 2, with real elements

M = ⟨ M2, 2, matrix product, identity matrix I ⟩M is closed


M is closedthe matrix product is associativethe matrix I is the neutral element for producteach matrix admits an inverse oneNOTE: matrix product is NOT commutative

ABELIAN GROUPS• in some groups, the product operator is

commutative, i.e., a ⋅ b = b ⋅ a• abelian (or commutative) group: a group G

such that the operator (⋅) is commutative


such that the operator (⋅) is commutativeG = ⟨ S, +, 1 ⟩

• in abelian groups, the symbol (⋅) is normally replaced by (+), which is called “addition” instead of “product”

• PAY ATTENTION: a few mathematiciansstill go on calling (+) a “product” operator !!

ABELIAN GROUPS – EXAMPLES

• the world is plenty of abelian groups• for instance:

relative integers, with addition


relative integers, with additionZ = ⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩

rational integers, with multiplicationQ = ⟨ {…, p / q, …}, ×, 1 ⟩

and many others …

ITERATED OPERATION

• given a group G (not necessarily abelian), an element g of the group G, and a positive or null integer k ≥ 0, it is defined:

gk = g ⋅ g ⋅ … ⋅ g (for k times)


gk = g ⋅ g ⋅ … ⋅ g (for k times)g0 = 1 (if k = 0)

• the operation “gk” is called “iterated multiplication” (or “power”)

• most cryptography lives on it

ITERATION – EXAMPLES

• given Z = ⟨ {…, −2, −1, 0, 1, 2, …}, ×, 1 ⟩zk = z × z × … × z (k times)

usually called “power” of order k.• in groups with an operation denoted (+)


• in groups with an operation denoted (+) instead of (⋅), the writing “kg” replaces “gk”

• given Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩which is an abelian group:

kz = z + z + … + z (k times)

the usual multiple times k

GROUP GENERATORS

• given a finite group G, an element g ∈ G is said to be a generator for G, if its “powers” cover all the elements of G:

∀f ∈ G ∃k ≥ 0 such that f = gk


∀f ∈ G ∃k ≥ 0 such that f = gk

• in the practice a generator is a single element that allows to construct the whole group by iteration

• a group G may admit no generators, a single generator or more generators …

DISCRETE LOGARITHM (DH)

• given a generator element g ∈ G for the group, and whatever element f ∈ G, define:

k = log g f - discrete log. base g

the (smallest) integer k ≥ 0 such that f = gk


the (smallest) integer k ≥ 0 such that f = gk

• the (smallest) integer k ≥ 0 necessarily exists, since g is a generator element for G

• given a group G, it is relatively simpleto compute f = gk, but it may be very complexto compute k starting from g and f

CONSIDERATIONS

• groups (usually abelian) are an important algebraic structure for cryptography

• normally finite groups are used(examples will come soon)


(examples will come soon)• the basic operations for cryptographic

applications are iteration and discrete logarithm

• however, abelian groups appear also under the form of rings and fields (see next slides)

RINGS AND FIELDS


RINGS AND FIELDS

RINGS – DEFINITION

• a RING R is an algebraic structure:R = ⟨ S, +, ⋅, 0, and usually also 1 ⟩

where:


⟨ S, +, 0 ⟩ is an abelian group w.r.t. (+)and for every a, b, c ∈ S:a ⋅ b ∈ S (closure)a ⋅ (b + c) = (a ⋅ b) + (a ⋅ c) (left distribution)(b + c) ⋅ a = (b ⋅ a) + (c ⋅ a) (right distribution)

RINGS – DETAILS

• the operator (+) must be commutative• if the operator (⋅) commutes as well,

R is said to be a “commutative ring”


R is said to be a “commutative ring”• if (⋅) has its own neutral element 1,

R is said to be a “a ring with unity”• if the support set S of R is a finite set,

R is said to be a “finite ring”

RINGS – EXAMPLE

• the ring R of relative integer numbers, with ordinary addition and multiplication:Z = ⟨ {…, − 2, −1, 0, 1, 2, …}, +, ×, 0, 1 ⟩

• R is a commutative ring, since the operator


• R is a commutative ring, since the operator (×) commutes

• and R is said to have “a unity”, since the operation (×) has its own neutral element, 1

• the symbol “Z” is worldwide used for denoting this particular ring

FIELDS – DEFINITION• a FIELD F is an algebraic structure:

F = ⟨ S, +, ⋅, 0, 1 ⟩

where:⟨ S, +, 0 ⟩ is an abelian group w.r.t. (+)


⟨ S, +, 0 ⟩ is an abelian group w.r.t. (+)⟨ S, ⋅, 1 ⟩ is an abelian group w.r.t. (⋅)and for every a, b, c ∈ S:a ⋅ (b + c) = (a ⋅ b) + (a ⋅ c) (left distribution)(b + c) ⋅ a = (b ⋅ a) + (c ⋅ a) (right distribution)

• if the support set S of F is finite, F is saidto be a “finite field”

FIELDS – EXAMPLES

• the field Q of rational integer numbers,with ordinary addition and multiplication:Q = ⟨ {…, p / q, …}, +, ×, 0, 1 ⟩


• Q is an infinite field• other examples of infinite fields:

real numbers, with addition and multiplicationcomplex numbers, with addition and multiplicationand many others …

CONSIDERATIONS

• rings and fields are the most popularand used algebraic structures

• in particular, the mathematical theory of fields is well developed, and for finite fields (almost)


is well developed, and for finite fields (almost) everything that is of some interest has been investigated and clarified

• and an important part of cryptography actually relies upon finite fields

MODULAR OPERATIONS


MODULAR OPERATIONS

PRELIMINARIES

• there are many finite rings, but fewfinite fields, here:– modular finite rings


– modular finite rings– modular finite fields– finite extension fields– in particular, binary finite extension fields

• all these are used in cryptography

MODULAR RINGS

• everybody knows what “integer division” is• given:

an integer N (dividend, positive, null or neg.)


an integer D (divisor, always positive, non-null)

there are two uniquely determined positive or null integers Q and R, such that:

N = Q × D + R and 0 ≤ R < D

Q: quotient, R: remainder

INTEGER DIVISION – EXAMPLES

• N = Q × D + R• 5 = 2 × 2 + 1 Q = 2, R = 1, 1 < 2• 9 = 3 × 3 + 0 Q = 3, R = 0, 0 < 3


• 9 = 3 × 3 + 0 Q = 3, R = 0, 0 < 3• 20 = 3 × 6 + 2 Q = 3, R = 2, 2 < 3• −5 = −3 × 2 + 1 Q = −3, R = 1, 1 < 2• −8 = −2 × 4 + 0 Q = −2, R = 0, 0 < 4• −9 = −3 × 4 + 3 Q = −3, R = 3, 3 < 4

COMPUTING mod n

• from the definition and the examples,it is clear that (for n ≥ 1):if a ≥ 0 then

a mod n = r s. t. a = q × n + r and r < n


a mod n = r s. t. a = q × n + r and r < n

elsea mod n = n − r s. t. −a = q × n + r and 0 ≤ r < n

• for instance:r = −4 mod 3 = 2 because −4 = −2 × 3 + 2 but also 4 = 1 × 3 + 1 and hence r = 3 − 1 = 2

THE mod OPERATOR

• one writes (a ∈ Z and n ≥ 1):a mod n = b

to indicate the remainder b ≥ 0 of the


to indicate the remainder b ≥ 0 of the (integer) division of a by n

• here the symbol mod indicates a binary operator: mod: Z × N → N

• if n = 1, then a mod n = a (trivial case)

MODULAR CONGRUENCE• given a modulus n ≥ 1, two integers a, b ∈ Z

are said to be “congruent modulus n”, iff:a = b mod n ⇔ a mod n = b mod n

i.e., iff the remainder of a divided by n equals the remainder of b divided by n


the remainder of b divided by n• the “modular congruence” = mod n has

the usual formal properties of equality:Riflexivity: a = a mod nSimmetry: a = b mod n ⇔ b = a mod nTransitivity: a = b mod n and b = c mod n ⇒ a = c mod n

• here mod is a side indication, meaning that equality = is interpreted in the modular way

CONGRUENCE – EXAMPLESIt holds: 4 = 0 mod 2

In fact: 4 mod 2 = 0 = 0 mod 2

It holds: 5 = 1 mod 2

In fact: 5 mod 2 = 1 = 1 mod 2




In fact: 11 mod 4 = 3 = 7 mod 4

It holds: −13 = 2 mod 5

In fact: −13 mod 5 = 2 = 2 mod 5

It holds: −9 = 5 mod 2

In fact: −9 mod 2 = 1 = 5 mod 2

RESIDUE CLASSES• given any modulus n ≥ 1, the set A of all the

integers a ∈ Z that are congruent mod n,has the following form:A = {b ± k × n | k ∈ Z and 0 ≤ b < n}

• each set A is called a “residue class” (mod n).


• each set A is called a “residue class” (mod n).• there are exactly n − 1 such classes• the integer b ∈ A is the “reduced” form of

every other element of the class A• A = { …, −4, −1, 0, 2, 5, … } is the residue

class of 5 mod 3; 2 is the “reduced” form

IMPORTANT DETAIL

• it is true that, for any modulus n ≥ 1:

n = 0 mod n


n = 0 mod n

• put another way, 0 and n can alwaysbe freely exchanged

• more generally: ∀k kn = 0 mod n

COMPUTATION mod n

• an algebraic expression over the integers, containing (+) and (×), is said to be computed “mod n” (for n ≥ 1),


to be computed “mod n” (for n ≥ 1),if the result of the integer division by nis taken (instead of the full result)

• for instance:5 + 3 × 2 − 1 = 2 mod 4

PROPERTIES OF mod

• given n ≥ 1 and any two integers a, b ∈ Z:(a + b) mod n = ((a mod n) + (b mod n)) mod n(a − b) mod n = ((a mod n) − (b mod n)) mod n

× = ×


(a × b) mod n = ((a mod n) × (b mod n)) mod n

• put another way, the operator mod commutes with (+), (−) and (×)

• this is very useful for optimizing expression computations

COMPUTING mod n – EXAMPLE

• it holds: 5 + 3 × 2 − 1 = 2 mod 4• in fact:

5 + 3 × 2 − 1 = 10 and 10 mod 4 = 2


5 + 3 × 2 − 1 = 10 and 10 mod 4 = 2

• but also:5 mod 4 = 1 and3 × 2 mod 4 = 2 and− 1 mod 4 = 3 and(1 + 2 + 3) mod 4 = 6 mod 4 = 2

MODULAR RINGS


MODULAR RINGS

THE MODULAR RING Zn

• given a positive integer n ≥ 1, the following algebraic structure:Zn = ⟨ {0, 1, 2, …, n − 1}, +, ×, 0, 1 ⟩

is called “modular ring of order n”, provided,


is called “modular ring of order n”, provided, for every a, b ∈ Zn:a + b is computed mod na × b is computed mod n

• Zn contains exactly n elements• Z1 contains only 0 (n = 1, trivial case)

MODULAR ADDITION

• suppose for instance n = 6• modular addition works in Z6 as follows:

1 + 2 = 3 mod 6 = 3 (1 + 2 = 3 mod 6)


1 + 2 = 3 mod 6 = 3 (1 + 2 = 3 mod 6)3 + 4 = 7 mod 6 = 1 (3 + 4 = 1 mod 6)5 + 5 = 10 mod 6 = 4 …4 − 5 = −1 mod 6 = 5 …0 − 5 = −5 mod 6 = 1 …

OPPOSITE ELEMENT

• suppose for instance n = 10• opposite elements in Z10 can be found

as follows:−5 = −5 mod 10 = 1 (−5 = 1 mod 10)


−5 = −5 mod 10 = 1 (−5 = 1 mod 10)−3 = −3 mod 10 = 7 (−3 = 7 mod 10)−8 = −8 mod 10 = 2 (−8 = 2 mod 10)clearly: −a = n − a mod n

• this is coherent with:a + (−a) = a + (n − a) = a + n − a = n = 0 mod n

MODULAR MULTIPLICATION

• suppose for instance n = 9• modular multiplication works in Z9

as follows:


as follows:1 × 2 = 6 mod 9 = 6 (1 × 2 = 6 mod 9) 3 × 4 = 12 mod 9 = 3 (3 × 4 = 12 mod 9)5 × 5 = 25 mod 9 = 7 …4 × 5 = 20 mod 9 = 2 …0 × 5 = 0 mod 9 = 0 …

MODULAR POWERS• modular powers:

am = a × a × … × a mod n (for m ≥ 1 times)a0 = 1 mod n (by definition)

• for instance, given n = 6:


• for instance, given n = 6:22 = 4 mod 6 = 4 (22 = 4 mod 6)23 = 8 mod 6 = 2 (23 = 2 mod 6)26 = 64 mod 6 = 4 (26 = 4 mod 6)

• note: 26 = (23)2 = (2)2 = 4 mod 6i.e., one can use the normal, well-known properties of exponents

HINTS ON GENERATORS

• consider the ring Z5 and the element 2:1 × 2 mod 5 = 2 mod 5 = 22 × 2 mod 5 = 4 mod 5 = 43 × 2 mod 5 = 6 mod 5 = 14 × 2 mod 5 = 8 mod 5 = 35 × 2 mod 5 = 10 mod 5 = 0

Z5


5 × 2 mod 5 = 10 mod 5 = 06 × 2 mod 5 = 12 mod 5 = 2 (periodic)

• the element 2 is an additive generatorfor the ring Z5

• theorem : for any ring Zn, any element e ≠ 0 such that (e, n) = 1 is an additive generator

HINTS ON GENERATORS

• consider the ring Z5 and the element 3:31 mod 5 = 3 mod 5 = 332 mod 5 = 9 mod 5 = 433 mod 5 = 27 mod 5 = 234 mod 5 = 81 mod 5 = 135 mod 5 = 243 mod 5 = 3 (periodic …)

Z5 (excluding 0)


35 mod 5 = 243 mod 5 = 3 (periodic …)

• the element 3 is a multiplicative generatorfor the ring Z5

• how to determine the multiplicative generators for a modular ring Zn, of a generic modulus n, is a very complex problem …

MORE ON MODULAR RINGS


MORE ON MODULAR RINGS

MODULAR COMPUTATION

• frequently, computing the operator mod does not really require to perform a division

• remember in fact that n = 0 mod n• whenever in an expression to be computed


• whenever in an expression to be computed mod n, a term +n (or −n) occurs, delete it (since it is = 0 mod n)

• whenever in an expression to be computed mod n, a factor n occurs, delete the product chain it is contained in (since it is = 0 mod n)

MOD. COMPUT. – EXAMPLES• one should immediately see that:

(2 + 3) × 4 − 8 × 5 + 16 = 0 mod 4

• in fact (this must become instinctive):a × 4 = 0 mod 4 (whatever a is)8 × b = 0 mod 4 (whatever b is)and 16 = 0 mod 4


and 16 = 0 mod 4

• a well-known application:123456 mod 3 = (1×105 + 2×104 + 3×103 + 4×102 +5×101 + 6×100) mod 3 = (1 + 2 + 3 + 4 + 5 + 6) mod 3 = 21 mod 3 = 0 ⇒ 123456 = 0 mod 3since 10x = 1 mod 3 for every x ≥ 0

• it is the well-known rule for checking the divisibility by 3 of decimal integer numbers

MOD. COMPUT. – PROBLEM …

• what is the check rule of divisibility by 3 for binary natural numbers ?

• that is, given:


• that is, given:B = 10010100101011000101010

how do I quickly check whether the binary number B is divisible by 3 ?

• i might first convert B to decimal, but …

MODULAR REDUCTION

• given any modulus n ≥ 1 and any integera ≥ n, the task of finding an integer 0 ≤ b < n, such that a = b mod n is called “reduction”

• for instance, taken n = 7 and a = 20:


• for instance, taken n = 7 and a = 20:b = a mod n = 20 mod 7 = 6 ⇒ 20 = 6 mod 7

• it is said that 6 is the “reduced” form of 20, modulus 7 (as already seen before)

• actually reduction is nothing but another name for taking the result of “a mod n”

GREATEST COMMON DIVISOR

• given any two integers a, b ∈ Z, their greatest common divisor, g.c.d., usually denoted (a, b) = d,is the largest positive integer d (i.e., d ≥ 1) dividing exactly (remainder 0) both a and b


exactly (remainder 0) both a and b• for instance:

(2, 3) = 1, (12, 8) = 4, (−30, 12) = 6, (−2, −5) = 1 (not −1 !)

• two integers a, b ∈ Z are said to be co-prime(or relatively prime), i.e., they share no common integer factor ≥ 2, if and only if (a, b) = 1

• for finding the g.c.d. efficiently: Euclid algorithm

ABOUT THE INVERSION IN Zn

• given a ∈ Zn (n ≥ 2), when is it possible to find b ∈ Zn, such that:a × b = 1 mod n


(b is the multiplicative inverse of a) ?• theorem : the multiplicative inverse b

of a exists (and is unique) if and only if(a, n) = 1, i.e., if a and n are co-prime(they share no common integer factor ≥ 2)

INVERSION IN Zn – EXAMPLE

• let n = 6, i.e., work in Z6:2−1 mod 6 does not exist, (2, 6) = 23−1 mod 6 does not exist, (3, 6) = 3

− =


4−1 mod 6 does not exist, (4, 6) = 25−1 mod 6 = 5 exists, (5, 6) = 1and is 5, since 5 × 5 = 25 = 1 mod 6

• clearly, if n is a prime integer, any positive integer a < n is co-prime with n, hence …

LINEAR EQUATIONS IN Zn

• take the modular equation:a × y = b mod n

where a, b ∈ Zn are fixed coefficients, andy ∈ Z is the unknown variable to be found


y ∈ Zn is the unknown variable to be found• theorem : there exists a unique solution if

and only if a, n are co-primei.e. iff a, n share no common factor ≥ 2i.e. iff (a, n) = 1

• how to find the solution in some cases, later

FERMAT “LITTLE” THEOREM

• theorem : take any prime integer p ≥ 2, and any integer a ≥ 0, then:

ap = a mod p


a = a mod p(P. Fermat)

• for instance, taken p = 3 (prime):23 = 8 = 2 mod 333 = 27 = 0 = 3 mod 343 = 64 = 1 = 4 mod 3

CONSEQUENCES

• if p ≥ 2 is a prime integer:Since: ap = a mod pIt follows: ap − 1 = 1 mod p

≠


(with the condition that a ≠ 0 mod p)

• for instance, taken p = 5 (prime):24 = 16 = 1 mod 534 = 81 = 1 mod 544 = 256 = 1 mod 5…

SOLVING LIN. EQ.S IN Zp

• linear equations of the form:a × y = b mod p (p ≥ 2 prime)

a, b ∈ Zp coeff.s and y ∈ Zp variable, admit the following (unique, mod p) solution:


the following (unique, mod p) solution:y = a−1 × b = ap − 2 × b mod p

(by Fermat) since, being p prime, (a, p) = 1• caution: be sure that a mod p ≠ 0 !• the same can be instanced for systems

of linear equations (see later)…

MODULAR FIELDS


MODULAR FIELDS

MODULAR FIELDS

• we have seen that Zn (for any n ≥ 2) is a modular (finite) ring of n − 1 elements

• to be a (finite) field, Zn only lacks the inverse elements for multiplication, i.e. the possibility


elements for multiplication, i.e. the possibility to invert all its elements

• that is, given any a ∈ Zn, how do I find a’ ∈ Znsuch that a × a’ = 1 (of course, mod n) ?

• Is it possible to find such an a’ for any integer a < n and any value of n ?

MODULAR FIELDS• we know that, given any positive a < n, there exists a

positive integer a’ such that a × a’ = 1, if and only if a, n are co-prime

• clearly, if n is a prime integer, every positive integera < n will be co-prime with n


a < n will be co-prime with n• conversely, if n is not a prime integer, there must

exist some a < n that is not co-prime with n• theorem : all elements of Zn (but 0) are invertible

if and only if n is a prime integer• pay attention: if n is not a prime integer, a few

elements of Zn may be invertible, but not all of them

MODULAR INVERSION

• given any prime integer p ≥ 2 (Fermat):ap = a mod pap − 1 = 1 mod p(with the condition that a ≠ 0 mod p)


(with the condition that a ≠ 0 mod p)

• let us go on with the idea …ap − 2 = a−1 mod p(still with the condition that a ≠ 0 mod p)

• that is, ap − 2 behaves as the multiplicative inverse element of a (if p is prime !)

INVERSION – EXAMPLES

• for instance, taken p = 5 (prime), and knowing that p − 2 = 3, one has:13 = 1 mod 5 and 1 × 1 = 1 mod 523 = 3 mod 5 and 2 × 3 = 1 mod 5


23 = 3 mod 5 and 2 × 3 = 1 mod 533 = 2 mod 5 and 3 × 2 = 1 mod 543 = 4 mod 5 and 4 × 4 = 1 mod 553 = 0 mod 5 no inverse (since 5 = 0 mod 5)63 = 1 mod 5 and 6 × 1 = 1 mod 5… (the behaviour is periodic)

INVERSION – THAT IS …

• taken p = 5 (prime) one has:1−1 = 1 mod 52−1 = 3 mod 5


3−1 = 2 mod 54−1 = 4 mod 5

while 0 has no inverse, of course …

• note that for each element of Z5we have found an inverse (but for 0)

MODULAR FIELD Fp (or GF(p))

• every (finite) modular ring Zn, such that n ≥ 2 is a prime integer, can be turned into a (finite) field

• simply add inversion to it, and compute


• simply add inversion to it, and compute the inverse using Fermat’s litte theorem

• such a field is denoted Fp (or also Galois Field of order p, GF(p))

• a different field for every prime p

MODULAR FIELD Fp (or GF(p))

• given a prime integer p ≥ 2:Fp = ⟨ {0, 1, 2, …, p − 1}, +, ×, 0, 1 ⟩

is called “modular (Galois) field of order p”, or GF(p), provided, for every element a, b ∈ F :


GF(p), provided, for every element a, b ∈ Fp:a + b is computed mod pa × b is computed mod p−a = p − a so that a + (−a) = p = 0 mod pa−1 = ap − 2 so that a×a−1 = a×ap − 2 = ap − 1 = 1 mod p

• Fp is finite and contains exactly p elements

LINEAR EQUATIONS IN Fp

• given a prime integer p ≥ 2, take the modular linear equation:

a × y = b mod pwhere a, b ∈ Fp are fixed coefficients, and y ∈Fp is the unknown variable to be found:


Fp is the unknown variable to be found:• the unique solution (mod p) is:

y = a−1 × b mod p• for instance, given p = 7 (prime):

5 × y = 3 mod 7 ⇒y = 5−1×3 = 55×3 = 3125×3 = 9375 = 2 mod 7and actually 5 × 2 = 10 = 3 mod 7

LINEAR SYSTEMS IN Fp

• given a prime integer p ≥ 2, take the system of modular linear equations:

A × Y = B mod pwhere:

∈


A ∈ [Fp]m,m is a square matrix of orderm ≥ 2 of fixed coefficients in Fp

B ∈ [Fp]m is a vector of order m ≥ 2of constant terms in Fp

and Y ∈ [Fp]m is the vector of the unknown variables to be found in Fp

LINEAR SYSTEMS IN Fp

• the above system of linear equations admits a unique solution (mod p) iff det(A) ≠ 0

• in this case (det(A) ≠ 0), the solution is:


Y = A−1 B mod p• the determinant det(A), the matrix inverse

A−1 and the matrix-vector product A−1 B are computed as usual, remembering to take all the operations mod p over their entries

THE BINARY FIELD


THE BINARY FIELD

THE BINARY FIELD F2 (or GF(2))

• when p = 2 (smallest prime excluding 1):F2 = ⟨ {0, 1}, +, ×, 0, 1 ⟩

• this is a well-know structure, since


0 + 0 = 0 0 × 0 = 0 −0 = 2 − 0 = 2 = 00 + 1 = 1 0 × 1 = 0 −1 = 2 − 1 = 11 + 0 = 1 1 × 0 = 0 IDENTITY1 + 1 = 2 = 0 1 × 1 = 1 1−1 = 1XOR gate AND gate IDENTITY


• in F2 addition and subtraction coincide!• observe in fact:

0 + 0 = 0 0 − 0 = 0 + (−0) = 0 + 0 = 0


0 + 0 = 0 0 − 0 = 0 + (−0) = 0 + 0 = 0 0 + 1 = 1 0 − 1 = 0 + (−1) = 0 + 1 = 1 1 + 0 = 1 1 − 0 = 1 + (−0) = 1 + 0 = 11 + 1 = 0 1 − 1 = 1 + (−1) = 1 + 1 = 0 XOR gate still XOR gate

• do not extend this feature to p > 2 !


• the field F2 (or GF(2)) is also called the “binary field” and is the simplest

• its hardware counterpart are the XOR


• its hardware counterpart are the XOR and AND gates

• it is the natural field where to compute arithmetic (most arithmetic circuits are formed by XOR and AND gates only)

POLYNOMIALS


POLYNOMIALS

POLYNOMIALS

• everybody knows univariate polynomials(i.e., containing a single variable x)with integer coefficients:

C(x) = c xm + c − xm−1 + … + c x + c


C(x) = cnxm + cm−1xm−1 + … + c1x + c0

where ci ∈ Z, for every 0 ≤ i ≤ m• the integer m ≥ 0 is the degree of C(x)• here, we are interested in polynomials not as

functions of the variable x, but as objects that can be manipulated in various ways

POLYNOMIALS• the set of all the polynomials (of any degree)

with integer coefficients is denoted Z[x]• polynomials in Z[x] can be added, subtracted

and multiplied. They form a commutative ring


and multiplied. They form a commutative ring with unity (the ring Z[x] is infinite):

Z[x] = ⟨ Z[x], +, ×, 0, 1 ⟩• in general however, there is no multiplicative

inverse element, i.e. given any polynomial P(x) ∈ Z[x] it is not possible to findP’(x) ∈ Z[x] such that P(x) × P’(x) = 1

POLYNOMIAL DIVISION

• given any two polynomials P(x), D(x) ∈ Z[x], there exist two unique polynomials Q(x), R(x) ∈ Q[x] (with rational coeff.s), such that:

P(x) = Q(x) × D(x) + R(x)degree(R(x)) < degree(D(x))


degree(R(x)) < degree(D(x))

• Q(x) is the quotient, R(x) is the remainder• this property resembles integer division• but note that Q(x), R(x) have rational coeff.’s,

i.e., in general the coeff.s are not integer• the algorithm for finding R(x) is well-known

EXAMPLE OF DIVISION IN Z[x]• take x4 + 2x3 − 1, x2 + 3 ∈ Z[x]

+1x4 +2x3 −1 | ++++1x2 +3++++1x4 +2x3 +0x2 +0x −1 | ++++1x2

−1x4 −3x2 |+0x4 ++++2x3 −3x2 +0x −1 | +1x2 ++++2x

−2x3 −6x |+0x4 +0x3 −−−−3x2 −6x −1 | +1x2 +2x −−−−3

+ +


+3x2 +9 |+0x4 +0x3 +0x2 −6x +8 | end

−6x +8 | x2 +2x −3remainder quotient

• in this special case, no need of rational numbers (because the most significant coefficient of the divisor x2 + 3 is 1 !)

• verify: (x2 + 2x − 3) (x2 + 3) + (− 6x + 8) = x4 + 3x2 + 2x3 + 6x − 3x2

− 9 − 6x + 8 = x4 + 2x3 − 1 as it is expected to be

POLYNOMIALS OVER


MODULAR RINGS AND FIELDS

POLYNOMIALS OVER RINGS• restrict the set of the coeff.’s of polynomials to

the modular ring Zn (for a fixed n ≥ 2)• such polynomials can be added, subtracted

and multiplied mod n, in the obvious wayZn[x] = ⟨ Zn[x], + mod n, × mod n, 0, 1 ⟩


Zn[x] = ⟨ Zn[x], + mod n, × mod n, 0, 1 ⟩

• but in general, it is not possible to find multiplicative inverse elements

• the structure Zn[x] is still an infinite commutative ring with unity, as is Z[x]

• sample additions and multiplications …

POLYNOMIALS OVER FIELDS

• restrict the set of the coeff.’s of polynomialsto the finite field Fp (for a fixed prime p ≥ 2)

• such polynomials can be added, subtracted and multiplied mod n, in the obvious way


and multiplied mod n, in the obvious wayFp[x] = ⟨ Fp[x], + mod p, × mod p, 0, 1 ⟩

• but in general, it is not possible to find multiplicative inverse elements

• the structure Fp[x] is still an infinite commutative ring with unity, as are Z[x], Zn[x]

POLYNOMIAL DIVISION IN Fp[x]

• given any two polynomials P(x), D(x) ∈ Fp[x], there exist two unique polynomials Q(x), R(x) ∈ Fp[x], such that:

P(x) = S(x) × D(x) + R(x)degree(R(x)) < degree(D(x))


degree(R(x)) < degree(D(x))

• S(x) is the quotient, R(x) is the remainder• this property resembles integer division• note that S(x), R(x) have coeff.’s in Fp[x] !• the algorithm for finding S(x), R(x) is well-

known (same as for the polynomials in Z[x])

EXAMPLE OF DIVISION IN F3[x]• take x4 + 2x3 + 1, 2x2 + 1 ∈ F3[x]

x4 +2x3 +1 | ++++2x2 +1++++1x4 +2x3 +0x2 +0x +1 | ++++2x2

−1x4 −2x2 |+0x4 ++++2x3 +1x2 +0x +1 | +2x2 ++++1x

−2x3 −1x |+0x4 +0x3 ++++1x2 +2x +1 | +2x2 +1x ++++ 2

− −


−1x2 −2 |+0x4 +0x3 +0x2 +2x +2 | end

2x +2 | 2x2 + x + 2remainder quotient

• pay attention to: −1 = 2, −2 = 1, 2−1 = 2 mod 3.• verify (remember also that: 4 = 1, 6 = 0, 3 = 0 mod 3):

(2x2 + x + 2) (2x2 + 1) + (2x + 2) = 4x4 + 2x2 + 2x3 + x + 4x2 + 2 + 2x + 2 == 4x4 + 2x3 + 6x2 + 3x + 4 = x4 + 2x3 + 0x2 + 0x + 1 = x4 + 2x3 + 1 mod 3

POLYNOMIAL MOD.CONGRUENCE

• given any polynomials P(x), D(x)(∈ Z[x] or Zn[x] or Fp[x]), write:

P(x) mod D(x) = R(x)


P(x) mod D(x) = R(x)with R(x) the remainder of P(x) / D(x)

• modulus D(x) congruence:P(x) = Q(x) mod D(x) ⇔P(x) mod D(x) = Q(x) mod D(x)

PROPERTIES OFPOLY–MOD. CONGRUENCE• the operator “mod” commutes:

(P(x) + Q(x)) mod D(x) =((P(x) mod D(x)) + (Q(x) mod D(x))) mod D(x)the same holds for subtraction


the same holds for subtraction(P(x) × Q(x)) mod D(x) =((P(x) mod D(x)) × (Q(x) mod D(x))) mod D(x)

• same properties as mod n• modular reduction by a polynomial D(x)

defined as for modular reductionby an integer n

POLY–MOD. COMPUTATIONIN PARTICULAR …

• taking mod D(x) is equivalent to assuming that D(x) = 0 (remember n = 0 mod n !)

• for instance (in Z[x]), see immediately that:


x3 + 2x + 5 = 2x + 7 mod (x3 − 2)

because:x3 − 2 = 0 ⇒ x3 = 2

and: x3 + 2x + 5 = 2 + 2x + 5 = 2x + 7• verify dividing: (x3 + 2x + 5) mod (x3 − 2) !

POLYNOMIALS OVER


THE BINARY FIELD F2 (GF(2))

POLYNOMIALS OVER F2 (GF(2))

• when the field of the coefficients is F2(or GF(2)), things become very simple

• a coefficient is either 0 or 1 (i.e., a bit)


• a coefficient is either 0 or 1 (i.e., a bit)• a power xi is either present (coeff. 1,

usually not written) or absent (coeff. 0)• a polynomial in F2[x] is nothing but a list

of powers of x

EXAMPLES OF OP.S IN F2[x]

• let A(x), B(x) ∈ F2[x]:A(x) = x2 + x + 1 and B(x) = x3 + x

• then:A(x) + B(x) = (x2 + x + 1) + (x3 + x) == + + + + = + + + + =


= x3 + x2 + x + x + 1 = x3 + x2 + (1 + 1)x + 1 == x3 + x2 + 0x + 1 = x3 + x2 + 1A(x) B(x) = (x2 + x + 1) (x3 + x) == x5 + x4 + x3 + x3 + x2 + x = x5 + x4 + x2 + x

• pay attention to: 1 + 1 = 0 !• in general: 1 + 1 + … + 1 (even times) = 0 !

EXAMPLES OF OP.S IN F2[x]

• sometimes peculiarities may occur:(x + 1)2 = (x + 1)(x + 1) = x2 + x + x + 1 == x2 + 1 (different from ordinary algebra)


= x2 + 1 (different from ordinary algebra)(x + 1)3 = (x + 1)(x + 1)(x + 1) = x3 + x2 ++ x2 + x2 + x + x + x + 1 = x3 + x2 + x + 1(different from ordinary algebra)

• can you infer the general rule ?

PLYNOMIAL DIVISION IN F2[x]• take x4 + x3 + 1, x2 + 1 ∈ F2[x]

x4 x3 1 | x2 1x4 x3 1 | x2

x4 x2 |x3 x2 1 | x2 xx3 x |

x2 x 1 | x2 x 1


x2 1 |x | endx | x2 + x + 1remainder quotient

• pay attention to: −1 = 1 mod 2, i.e. add. and sub. coincide• verify: (x2 + x + 1) (x2 + 1) + x = x4 + x2 + x3 + x + x2 + 1 + x =

= x4 + x3 + 1 mod 2 as it is expected to be• hence we can write: (x4 + x3 + 1) = x mod (x2 + 1)

PLYNOMIAL REDUCTION IN F2[x]• computing polynomial division of F(x) by G(x) is like

setting G(x) = 0 and replacing in F(x)• from the previous slide: G(x) = x2 + 1, hence G(x) = 0 ⇒ x2 + 1 = 0 ⇒ x2 = 1

• and replacing in F(x) = x4 + x3 + 1, it yields:


• and replacing in F(x) = x + x + 1, it yields:x4 + x3 + 1 = (x2)2 + x x2 + 1 = 12 + x 1 + 1 = 1 + x + 1 = x

• hence we have:(x4 + x3 + 1) = x mod (x2 + 1)

as seen before by performing a full division.• but reduction DOES NOT REALLY REQUIRE TO

COMPUTE A FULL DIVISION (since we are not interested in the quotient, but only in the remainder)

POLYNOMIALS OVER F2

• a polynomial in F2[x] can be identifiedto a string of bits

• for instance:


• for instance:x5 + x4 + x2 + 1 ≡ 110101 (degree 5 ≡ 6 bits)

• in general: F(x) ≡ string of n + 1 bits (supposing F(x) is of degree n)

• for any degree n, how many different polynomials ? answer: 2n + 1

IRREDUCIBLE POLYNOMIALS




• a polynomial of degree m ≥ 2 is said to be irreducible if it cannot be factored into twoor more polynomials of lower degree

• A(x) is irreducible if there do not exist any two


• A(x) is irreducible if there do not exist any two polynomials B(x), C(x) (not reducing to pure constant terms) such that A(x) = B(x) C(x)

• for every degree, there exist irreducible polynomials in Z[x], Zn[x] and Fp[x], for any integer n and prime integer p


• x and x + 1 are irreducible by definition• is x2 + x irreducible ?• no, because x2 + x = x (x + 1)


• no, because x2 + x = x (x + 1)• is x2 + 1 irreducible ?• no, because x2 + 1 = (x + 1) (x + 1)• is x2 + x + 1 irreducible ?• yes, but why ?

RUFFINI RULE

• a polynomial F(x) admits the linear factor (x − a) iff a is a root of F(x)

• for the polynomials over F2 (or GF(2)):


• for the polynomials over F2 (or GF(2)):F(x) admits the factor (x − 1), which coincides with (x + 1), iff 1 is a root of F(x)hence, replace x in F(x) with 1 and see if F(1) = 0; if so, F(x) = F’(x) (x + 1)in practice, just count the terms of F(x) …

USE OF RUFFINI RULE• Ruffini rule gives an easy way for checking

whether a polynomial F(x) ∈ F2[x] admitsthe linear factor (x + 1)

• does (x2 + x + 1) admit factor (x + 1) ?no, since it has 3 terms (and 3 is odd)

• does moreover (x2 + x + 1) admit factor x ?


• does moreover (x2 + x + 1) admit factor x ? no, since it contains the constant term +1

• since the only linear factors in F2[x] are (x + 1) and x, and a F(x) of degree 2 can only be split into linear factors, (x2 + x + 1) is irreducible

• of course, Ruffini rule works also in Fp[x]

BINARY EXTENSION FIELDS


BINARY EXTENSION FIELDS

MOVING TOWARDS FIELDS

• remember that F2[x] is not a polynomial field (there are no multiplicative inverse elements, in general)


elements, in general)• how to make it into a polynomial field ?• the answer is contained in irreducible

polynomials

THE EXTENSION FIELD GF(2n)

• select an irreducible polynomial G(x) ∈ F2[x]of degree n

• G(x) is called “generator polynomial”• the extension field GF(2n) (for n ≥ 2) is:


• the extension field GF(2n) (for n ≥ 2) is:GF(2n) = ⟨ F2[xn], +, ×, 0, 1 ⟩

where:F2[xn] set of all the polynomials over F2 of degree under n+, × are the polynomial addition and multiplication modulusthe selected (and fixed) polynomial G(x)

• G(x) is the “generator polynomial” of GF(2n).

THE EXTENSION FIELD GF(2n)

• fixed a generator G(x) of degree n, take A(x), B(x) ∈ GF(2n), and compute addition and multiplication as follows:


addition and multiplication as follows:A(x) + B(x) mod G(x)and similarly for subtractionA(x) × B(x) mod G(x)

• always take the result mod G(x)

EXAMPLE IN GF(22)

• the elements of GF(2n) with n = 2 (i.e. GF(22)) are all the polynomials in F2[x] of degree under n = 2, i.e. deg. 0 or 1

0, 1 degree 0


0, 1 degree 0x, x + 1 degree 1

• then GF(22) contains 22 = 4 elements• this is, in some sense, the simplest

possible field of polynomials

EXAMPLE IN GF(22)

• fix the generator polynomialG(x) = x2 + x + 1 (degree n = 2, irred.):(x + 1) + x = 1 mod G(x)

+ = + = + + =


(x + 1)2 = x2 + 1 = x + 1 + 1 = x mod G(x)

• remember in fact that taking mod G(x)is equivalent to setting G(x) = 0, hence:x2 + x + 1 = 0 ⇔ x2 = x + 1

an replacing x2 in x2 + 1 yields x

EXAMPLE IN GF(23)

• the elements of GF(23) are all the polynomials in F2[x] of degree undern = 3, i.e. degree 0, 1 or 2


n = 3, i.e. degree 0, 1 or 20, 1 degree 0x, x + 1 degree 1x2, x2 + 1, x2 + x, x2 + x + 1 degree 2

• then GF(22) contains 23 = 8 elements• in general, GF(2n) contains 2n elements

EXAMPLE IN GF(23)

• fix gen. G(x) = x3 + x2 + 1 (deg. n = 3, irred.).• it holds: x3 + x2 + 1 = 0, i.e., x3 = x2 + 1.

(x + 1)3 = x3 + x2 + x + 1 == x2 + 1 + x2 + x + 1 = x mod G(x)


= x + 1 + x + x + 1 = x mod G(x)(x2 + 1) (x2 + x + 1) == x4 + x3 + x2 + x2 + x + 1= x4 + x3 + x + 1 == = x x3 + x3 + x + 1 = x(x2 + 1) + x2 + 1 + x + 1 == x3 + x + x2 + x = x3 + x2 == x2 + 1 + x2 = 1 mod G(x)

• note that: x2 + x + 1 = (x2 + 1)−1 mod G(x)

FINITENESS OF GF(2n)

• the elements of GF(2n) (with n ≥ 2) are all the polynomials of F2[x] of degree under n(i.e. of deg. n − 1, n − 2, …, 1, 0)

• then they can be identified to the strings


• then they can be identified to the stringsof bits of length exactly n

• there are 2n such strings• the field GF(2n) is finite and its cardinality

is of 2n elements (which are polynomials)

HOW TO FIND THE INVERSE

• we have not yet spoken of multiplicative inverse elements in GF(2n)

• but it is necessary to have inverse


• but it is necessary to have inverse elements for GF(2n) to be a field

• inverse elements can be foundin GF(2n) using the generalizationof Fermat little theorem

FERMAT “LITTLE” THEOREM

• take an irreducible generator polynomial G(x) of degree n ≥ 2 and any polynomialF(x) ∈ GF(2n), pose k = 2n, then:

F(x)k = F(x) mod G(x)


(generalisation of Fermat little theorem)• for instance, taken G(x) = x2 + x + 1 (of deg. n

= 2, irred.), it holds k = 22 = 4 and hence:(x + 1)4 = ((x + 1)2)2 = (x2 + 1)2 = (x + 1 + 1)2 == x2 = x + 1 mod G(x)

as it is expected to be

CONSEQUENCES

• if the generator G(x) is an irreducible polynomial of degree n ≥ 2 and k = 2n:since: F(x)k = F(x) mod G(x)

− =


it follows: F(x)k − 1 = 1 mod G(x)and also: F(x)k − 2 = F(x)−1 mod G(x)(with the condition that F(x) ≠ 0 mod G(x))

• therefore F(x)k − 2 is the multiplicative inverse element of F(x) (mod G(x))

INVERSION – EXAMPLE

• taken the generator G(x) = x2 + x + 1 (of deg. n = 2, irred.), it holds k = 22 = 4, and hence:(x + 1)4 − 2 = (x + 1)2 = x2 + 1 == x + 1 + 1 = x mod G(x)


= x + 1 + 1 = x mod G(x)

• and in fact:(x + 1) x = x2 + x = x + 1 + x = 1 mod G(x)

• this means that x is the inverse element of(x + 1) (of course, mod G(x))

MULTIPLICATIVE GENERATORS

• the monomial x is a multiplicative generator for binary extension fields

• for instance: G(x) = x2 + x + 1 (irred.)


• for instance: G(x) = x + x + 1 (irred.)x0 mod G(x) = 1x1 mod G(x) = xx2 mod G(x) = x + 1x3 mod G(x) = x x2 mod G(x) = x (x + 1) mod G(x) == x2 + x = x + 1 + x = 1 (periodic …).

• the same holds for GF(pn) …

GF(22) (excluding 0)

FIELD GF(2n) – IN SUMMARY

• given an irreducible generator polynomial G(x) of degree n ≥ 2, the algebraic structure:GF(2n) = < F2[xn], +, ×, 0, 1 >

is a finite field of 2n elements.


is a finite field of 2 elements.• the elements of GF(2n) are polynomials

with coefficients over GF(2) (or F2)• all the operations are computed mod G(x).• multiplicative inverse exist for all the elements

of GF(2n) (but for 0), and can by foundby Fermat little theorem

MODULAR EXTENSION FIELDS


MODULAR EXTENSION FIELDS

POLINOMYALS OVER Fp (GF(p))

• consider polynomials with coefficients over Fp (also called GF(p)), for a fixed prime integer p ≥ 2


prime integer p ≥ 2• a coefficient can be: 0, 1, 2 …, p − 1• then a polynomial in Fp[x] is a list of

powers of x, with coefficients as above• example: x2 + 2x + 1 (for p = 3, prime)

POLYNOMIALS OVER FpEXAMPLES

• for the prime p = 3:(x + 1) + (x2 + 2x + 1) = x + 1 + x2 + 2x + 1 == x2 + 3x + 2 = x2 + 2

since 3 = 0 mod 3


since 3 = 0 mod 3• for the prime p = 5:

(x2 + 3) (x3 + 2x + 4) == x5 + 2x3 + 4x2 + 3x3 + 6x + 12 == x5 + 5x3 + 4x2 + 6x + 12 == x5 + 4x2 + x + 2

since 5 = 0, 6 = 1 and 12 = 2 mod 5

THE EXTENSION FIELD GF(pn)

• the ideas for building “modular fields” Fp(p ≥ 2 prime), and “binary extension fields” F2[xn] (n ≥ 2), can be combined

• the result is the family of “modular


• the result is the family of “modular extension fields” Fp[xn](p, n ≥ 2, p is a prime integer)

• fields Fp[xn] are also denoted GF(pn) (Galois Fields of order pn, p is prime)

THE EXTENSION FIELD GF(pn)

• take an irreducible generator polynomial G(x) ∈ Fp[x], for a prime integer p ≥ 2, of degree n≥ 2, the algebraic structure:GF(pn) = ⟨ Fp[xn], +, ×, 0, 1 ⟩


GF(pn) = ⟨ Fp[xn], +, ×, 0, 1 ⟩

is a finite field of pn elements• the elements of GF(pn) are polynomials with

coefficients over GF(p) (or Fp)• all the operations are computed mod G(x)• the field GF(pn) contains pn elements

FERMAT “LITTLE” THEOREM• take an irreducible generator polynomial G(x)

∈ Fp[x], for a prime p ≥ 2, of degree n ≥ 2, and take any polynomial F(x) ∈ GF(pn),pose k = pn, then:

F(x)k = F(x) mod G(x)


F(x)k = F(x) mod G(x)(generalisation of Fermat little theorem)

• hence it follows (as in previous cases):F(x)k − 1 = 1 mod G(x)F(x)k − 2 = F(x)−1 mod G(x) (inverse!)(with the cond. that F(x) ≠ 0 mod G(x))

FIELD EXAMPLE – GF(32)• fix p = 3 (prime) and n = 2• the elements of GF(3) are: 0, 1, 2• the elements of GF(32) are:

0, 1, 2 (deg. 0, 3 poly.’s)x, 2x, x + 1, x + 2, 2x + 1, 2x + 2 (deg. 1, 6 poly.’s)

= =


• there are k = 32 = 9 elements in GF(32)• take the generator G(x) = x2 + 1• in GF(3) the polynomial G(x) is irreducible• were not so, G(x) should split into two linear

factors of the type (x + a), with a = 0, 1 or 2• but none of the a’s is a root of G(x)

INVERSION – EXAMPLE IN GF(32)• remember that:

G(x) = 0 ⇒ x2 + 1 = 0 ⇒ x2 = −1 = 2 as −1 = 2 mod 3

• to compute an inverse element:(2x + 1)−1 = (2x + 1)9 − 2 = (2x + 1)7 == (2x + 1)6 (2x + 1) = ((2x + 1)2)3 (2x + 1) == (4x2 + 4x + 1)3 (2x + 1) = (x2 + x + 1)3 (2x + 1) =


= (4x + 4x + 1) (2x + 1) = (x + x + 1) (2x + 1) == (2 + x + 1)3 (2x + 1) = (x + 3)3 (2x + 1) = x3 (2x + 1) == x2 x (2x + 1) = 2x (2x + 1) = 4x2 + 2x == x2 + 2x = 2x + 2 mod G(x)

• and in fact:(2x + 1)(2x + 2) = 4x2 + 4x + 2x + 2 = 4x2 + 6x + 2 == x2 + 2 = 2 + 2 = 4 = 1 mod G(x)

as it is expected to be

COMPOSITE GALOIS FIELDS

• suppose GF(ph) is a modular extension field, the elements of which consist of polynomials of degree under h with coeff.s that are integers mod p

• construct a new, larger modular extension field,using the elements of GF(ph) as “coefficients”


using the elements of GF(ph) as “coefficients”of new polynomials, of degree under k

• this new field is GF(GF(ph))k = GF(phk), andis called a “composite (Galois) field”

• the elements of GF(phk) are polynomials,the coefficients of which are themselves polynomials (the coeff.s of the latter ones are integers mod p)

COMPOSITE GALOIS FIELDS• dually: let GF(pm) be a modular extension field. It can

be constructed by using polynomials of degree under m, with coeff.s that are integers mod p

• but, if m = hk (for h, k ≥ 2), i.e. if m is decomposable into non-trivial factors, then the field GF(pm) can be


into non-trivial factors, then the field GF(pm) can be itself decomposed into two nested fields:– coefficient field GF(ph) - internal field– complete field GF(GF(ph)k) = GF(phk) - external field

(the roles of h, k are interchangeable)• this decomposition may be very helpful in the

implementations, but does not always apply• if m is itself prime, no decomposition is possible

EXAMPLE – COMPOSITE FIELD• take p = 2 (binary extension fields).• G(x) = x4 + x3 + 1 (irreducible, check yourself !)• G(x) generates GF(24), with 24 = 16 elements.• but 4 = 2 × 2, hence GF(24) = GF(GF(22)2) (here h = k = 2)• construct the two nested fields:

– Internal field, use the gen. G1(y) = y2 + y + 1 (irred. over GF(2))


– Internal field, use the gen. G1(y) = y + y + 1 (irred. over GF(2))– External field, use the gen. G2(x) = x2 + y x + 1 (irred. over GF(22))

• elem.s of GF(24): (ay1+ by0)x1 + (cy1 + dy0)x0 (a, b, c, d = 0, 1) • of course, interpret G2(x) as follows:

G2(x) = (0y + 1) x2 + (1y + 0) x1 + (0y + 1) x0

since its coeff.s are themselves polynomials (use two distinct variables y and x to avoid confusion).

• complete yourself (in particular, check that G2(x) is irreducible over GF(22)). Try with the field GF(26).

CONCLUSIONS ON


FINITE FIELDS

THE COMPLETION THEOREM• there exist only three familes of finite fields:

– modular fields:GF(p) for every prime p ≥ 2the elements are 0, 1, …, p − 1GF(2) is the simplest case, called binary field

– binary extension fields:≥


GF(2n) for every integer n ≥ 2the elements are the polynomials of degree under n with coefficients 0 or 1

– modular extension fields:GF(pn) for every prime p ≥ 3 and integer n ≥ 2the elements are the polynomials of degree under n with coefficients 0, 1, , …, p − 1

• no other family of finite fields exist

FIELD ISOMORPHISM

• two fields F’, F’’ are isomorphic iff there exists a one-to-one function θ: F’ → F’’ such that, taken the elements a, b ∈ F’, it holds:θ(a + b) = θ(a) + θ(b) and θ(−a) = − θ(a)


θ(a + b) = θ(a) + θ(b) and θ(−a) = − θ(a) θ(a × b) = θ(a) × θ(b) and θ(a−1) = θ(a) −1

θ(0) = 0 and θ(1) = 1

• in practice, ϕ commutes with field operations• two isomorphic fields need have the same

number of elements (θ is one-to-one)

THE ISOMORPHISM THEOREM

• let F’, F’’ be any two extension fields generated by the irred. polynomials G’(x), G’’(x), respectively

• theorem: if F’, F’’ are of the same size, they


• theorem: if F’, F’’ are of the same size, they are necessarily isomorphic, i.e. there exists an isomorphism θ: F’ → F’’

• in other terms, each element f of F’ admitsa corresponding element θ(f) in F’’, behaving in the same way (and viceversa)

THE ISOMORPHISM THEOREM

• the extension fields GF(2n) (and GF(pn)) DO NOT DEPEND on the chosen irreducible generator polynomial

• that is, fixed an integer n ≥ 2 (and prime p ≥


• that is, fixed an integer n ≥ 2 (and prime p ≥2), there exists a unique GF(2n) (and GF(pn))

• put another way, if G’(x), G’’(x) are both irreducible generators of degree n, they are equivalent for building GF(2n) (and GF(pn))

• hence, select G’(x) or G’’(x) at will (but do not mix them during the computation, of course)

ISOMORPHISM – EXAMPLE

• the binary extension field GF(23) (size 23 = 8) can be generated in two different ways:

G’(x) = x3 + x2 + 1G’’(x) = x3 + x + 1


G’’(x) = x3 + x + 1since both G’(x) and G’’(x) are irreducible over GF(2)

• each of G’(x) and G’’(x) yields a representation of GF(23)

• constructing the isomorphism θ is not so immediate, though not really difficult

FIELD REPRESENTATION• it is said that two irreducible polynomials

G’(x), G’’(x), of identical degree, generate two DIFFERENT REPERSENTATIONS of the SAME FINITE EXTENSION FIELD

• the isomorphism function θ can be effectively


• the isomorphism function θ can be effectively determined, starting from G’(x), G’’(x)

• the function θ is actually a linear transformation

• an extension field admits as many different representations as the number of irreducible polynomials of identical degree

MORE NUMBER THEORY


MORE NUMBER THEORY

EULER FUNCTION• euler function: ϕ: N → N

ϕ(1) = 1 by definitionϕ(n) = k where k is the number of integers < n and

co-prime with n (n ≥ 2)(co-prime ⇔ sharing no common factor ≥ 2)

• examples:ϕ(2) = 1 (1 is co-prime with 2)


ϕ(2) = 1 (1 is co-prime with 2)ϕ(3) = 2 (1, 2 are co-prime with 3)ϕ(4) = 2 (1, 3 are co-prime with 4)ϕ(5) = 4 (1, …, 4 are co-prime with 5)ϕ(6) = 2 (1, 5 are co-prime with 6)ϕ(7) = 6 (1, …, 6 are co-prime with 7)ϕ(8) = 4 (1, 3, 5, 7 are co-prime with 8)…

ϕ(p) = p − 1 if and only if p is a prime integer

PROPERTIES OF ϕ• euler function ϕ is multiplicative:

if (m, n) = 1 then ϕ(m n) = ϕ(m) ϕ(n)((m, n) = 1 means that m, n are co-prime)

• for instance: (2, 3) = 1, hence 2 = ϕ(6) =


• for instance: (2, 3) = 1, hence 2 = ϕ(6) =ϕ(2 × 3) = ϕ(2) ϕ(3) = 1 × 2 = 2

• in particular, if p, q are both prime, it holds: ϕ(p q) = ϕ(p) ϕ(q) = (p − 1) (q − 1) (this feature plays an important role in RSA)

• the multiplicative property does not holdif m, n are not co-prime

EULER THEOREM

• let a, n be any integers ≥ 2, if a and nare co-prime, it holds:aϕ(n) = 1 mod n (L. Euler)


• for instance:a = 9, n = 4 (a, n are co-prime), ϕ(4) = 2 ⇒92 = 81 = 1 mod 4 as expected to be

• Fermat is a special case of Euler, when n = p• but Euler cannot be always used for finding

inverse elements (while Fermat can be)

PRACTICAL ALGORITHMS


(a short list)

RELEVANT ALGORITHMS• computing Greatest Common Divisor (m, n)

(Euclid Alg.)• computing λ, µ s.t. (m, n) = λm + µn

(Euclid Extended Alg.)• computing Modular Inverse: m−1 mod n


• computing Modular Inverse: m mod n(application of Euclid Ext. Alg.)

• computing Modular Powers: ae mod n(Square & Multiply Alg.)

• all alg.s are extensible to GF(2n) and GF(pn)• and do not forget Polynomial Division !• hints on Montgomery Multiplication Alg

EUCLID G.C.D. ALG.• let a, b ∈ Z be any two integers• (a, b) = d Greatest Common Divisor of a, b• Euclid algorithm for computing d:

input (a) input (b)r0 = max (a, b) // r0 : provisional g.c.d.r = min (a, b) // r : provisional remainder


r1 = min (a, b) // r1 : provisional remainderdo

r’ = r0 mod r1 // r’ : compute new remainderr0 = r1 // r0 : new provisional g.c.d.r1 = r’ // r1 : new provisional remainder

while (r’ != 0) // exit when null remainderoutput (r0)

EUCLID ALG. – EXAMPLES

• a = b ⇒ (a, b) = a (or = b)r0 = a r1 = ar’ = a mod a = 0 r0 = a r1 = 0 (r’ == 0) exitoutput


output (a)

• a = 9 b = 6 ⇒ (a, b) = 3r0 = 9 r1 = 6r’ = 9 mod 6 = 3 r0 = 6 r1 = 3 (r’ != 0) loopr’ = 6 mod 3 = 0 r0 = 3 r1 = 0 (r’ == 0) exitoutput (3)

EUCLID – WHY DOES IT WORK?• r0 = a r1 = b (supposing a > b)• unrolling the loop:

r2 = r0 mod r1 ⇒ r0 = q1r1+r2 ⇒ gcd(r0, r1) = gcd(r1, r2)

r3 = r1 mod r2 ⇒ r1 = q2r2+r3 ⇒ gcd(r1, r2) = gcd(r2, r3)


r3 = r1 mod r2 ⇒ r1 = q2r2+r3 ⇒ gcd(r1, r2) = gcd(r2, r3) …rm = rm−2 mod rm−1 ⇒ rm−2 = qm−1rm−1+rm ⇒ gcd(rm−2, rm−1) = gcd(rm−1, rm)0 = rm−1 mod rm ⇒ rm−1 = qmrm+0 ⇒ gcd(rm−1, rm) = rm

• note that, if x = sy+z with z<y, then gcd(x, y) = gcd(y, z)• and note that, if x = sy, then gcd(x, y) = y• hence, rm is the g.c.d. of r0, r1

EXPRESSING THE G.C.D.

• theorem (Euclid): given any two integers m, n ∈ Z , it holds:

(m, n) = λm + µn (with λ, µ ∈ Z)

λ µ


for two suited integers λ, µ (not unique)• for instance:

(30, 18) = 6

(30, 18) = 2 × 30 + (−3) × 18

i.e., λ = 2 and µ = −3

EUCLID EXT. ALGORITHM• nothing but a careful backtracking:

(9, 14) = 1

• apply Euclid G.C.D. Algorithm:14 mod 9 = 5 14 = 1×9 + 5 5 = 14 − 1×99 mod 5 = 4 9 = 1×5 + 4 4 = 9 − 1×55 mod 4 = 1 5 = 1×4 + 1 1 = 5 − 1×4


5 mod 4 = 1 5 = 1×4 + 1 1 = 5 − 1×44 mod 1 = 0 end

• and now backtrack the remainder chain:1 = 5 − 1×4 = 5 − 1×(9 − 1×5) == (−1)×9 + 2×5 = (−1)×9 + 2×(14 − 1×9) == 2×14 − 3×9 = (−3×9) + 2×14

• that is, λ = −3, µ = 2

COMPUTING THE INVERSE• let m, n ∈ Z be any two integers.• thorem (Euclid, see before): (m, n) = λm + µn,

for a pair of integers λ, µ ∈ Z• if m, n are co-prime, then (m, n) = 1• it follows λm + µn = 1


• it follows λm + µn = 1• then λm = 1 mod n, since µn = 0 mod n• finally λ = m−1 mod n (λ is the inverse of m)• use the Euclid Extended Algorithm for

computing λ, µ, and hence for computing the inverse element m−1 mod n

INVERSION EXAMPLE• suppose to compute:

9−1 mod 14 = ?

(∃ as 9, 14 are co-prime, i.e., (9, 14) = 1)• applying Euclid Ext. Alg. yields:

(9, 14) = (−3) × 9 + 2 × 14 = 1 (as shown before)


(9, 14) = (−3) × 9 + 2 × 14 = 1 (as shown before)

• hence:(−3)×9 + 2×14 = 1 mod 14 ⇒ (−3)×9 = 1 mod 14⇒ 11×9 = 1 mod 14 ⇒ 9−1 = 11 mod 14

• and in fact: 9 × 11 = 99 = 1 mod 14(since 99 = 7 × 14 + 1)

COMPUTING THE INVERSEEXTENSION TO POLYNOMIALS

• the Euclid Extended Algorithm worksfor polynomials as well(A(x), B(x)) = L(x)A(x) + M(x)B(x) (theorem)

• consequence:


• consequence:(A(x), B(x)) = 1 ⇒ L(x)A(x) + M(x)B(x) = 1 ⇒L(x)A(x) = 1 mod B(x) ⇒ L(x) = A(x)−1 mod B(x)

• here, of course, all the operations are carried out on polynomials, taking care of the specific fields of the coefficients

SQUARE & MULTIPLY ALG.• frequently one has to compute:

ae mod n(e.g., for Fermat theorem) for a large exponent e and an integer a ∈ Zn


n

• code the exponent e as a binary number:e = ek−1 2k − 1 + ek−2 2k − 2 + … + e1 2 + e0,where k = log2 e and ei ∈ {0, 1}

• note that if h = 2m, then:ah mod n = (…(a)2 mod n …)2 mod n (m times)

(i.e., m nested modular squarings)

SQUARE & MULTIPLY ALG.

• now let be 0 ≤ i < k, pose: bi = 2i, andai = abi mod p if the bit eki is = 1ai = 1 if the bit eki is = 0

compute the ai’s by nested mod. squarings


compute the ai’s by nested mod. squarings• then, it holds:

ae mod n = ((…(ak−1 × ak−2) mod n × … × a1) mod n × a0) mod n

• the computation of the above formula only requires k modular squarings and k modular multiplications, and k = log2 e(i.e., k is much smaller than e)

SQUARE & MULTIPLY ALG.EXTENSION TO POLYNOMIALS

• the Square & Multiply algorithm extends to polynomials as well

• for computing:


F(x)k for a large exponent k

express k as a binary number, and proceed as for integers

• here, of course, all squarings and multiplications are computed mod G(x), where G(x) is the field generator …

MONTGOMERYMULTIPLICATION

• a clever and efficient algorithm for computing modular multiplication

• is particularly efficient when working with


• is particularly efficient when working with numbers coded in base 2 (binary numbers)

• is based on the idea of performing reduction at each addition of a row of the matrix of the partial products

• see in textbooks …

computer arithmetichome.deib.polimi.it/pelosi/lib/exe/fetch.php?media=... · 2011-05-02 · recall...

Documents