Chapter 4.
Finite Fields
Book: Cryptography and Network Security: Principles and Practices, Fourth Edition
Author: William Stallings
Presenter: 陳盈如
2008/04/03
Outline
4.1 Groups, Rings, and Fields
4.2 Modular Arithmetic
4.3 The Euclidean Algorithm
4.4 Finite Fields of the Form GF(p)
4.5 Polynomial Arithmetic
4.6 Finite Fields of the Form GF(2^n)
4.7 Recommended Reading and Web Sites
4.8 Key Terms, Review Questions, and Problems
4.1 Groups, Rings, and Fields

Groups, rings, and fields are the fundamental elements of a branch of mathematics known as abstract algebra, or modern algebra.

In abstract algebra, we are concerned with sets on whose elements we can operate algebraically; we can combine two elements of the set, perhaps in several ways, to obtain a third element of the set.
Group
{G, ·}: a set G together with one binary operation ·
(1) Closure: if a, b ∈ G then a · b ∈ G.
(2) Associative: if a, b, c ∈ G then a · (b · c) = (a · b) · c.
(3) Identity element: there is an element e in G such that a · e = e · a = a for all a in G.
(4) Inverse element: for each a in G there is an element a' in G such that a · a' = a' · a = e.
Abelian group: a group that also satisfies
(5) Commutative: a · b = b · a for all a, b in G.
Ex: Z under addition is a group (indeed an abelian group).
Ring
{R, +, ·}: a set R with two binary operations, + and ·, such that
{R, +} is an abelian group: (1) closure, (2) associative, (3) identity element, (4) inverse element, (5) commutative;
{R, ·} satisfies (1) closure and (2) associative;
(*) Distributive laws: a(b + c) = ab + ac and (a + b)c = ac + bc for all a, b, c in R.
Commutative ring: a ring in which · also satisfies (5) commutative.
Integral domain: a commutative ring with (3) an identity element for · and (*) no zero divisors: if a, b in R and ab = 0, then either a = 0 or b = 0.
Zero divisor: let b be a nonzero element of the ring; a is called a left zero divisor if ab = 0; right zero divisors are defined in the same way, and both are called zero divisors.

Field
{F, +, ·}: an integral domain in which, in addition, {F, ·} satisfies (4) inverse element for every element except 0; that is, {F, +} is an abelian group and the nonzero elements of F form an abelian group under ·.

Figure 4.1. Group, Ring, and Field
4.2 Modular Arithmetic

Equation 4-1
a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
where ⌊x⌋ is the largest integer less than or equal to x.

Residue
When the integer a is divided by the integer n, the remainder r is referred to as the residue. Equivalently, r = a mod n.
a = ⌊a/n⌋ × n + (a mod n)
Congruent modulo
Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n). This is written as a ≡ b (mod n).
73 ≡ 4 (mod 23)
21 ≡ 9 (mod 10)

a = mb ⇒ b divides a, written b|a (b is a divisor of a)
21 = 3 × 7 ⇒ 7|21

if a ≡ b (mod n) then n|(b − a)
if a ≡ 0 (mod n) then n|a
1 ≡ 3 (mod 2) ⇒ 2|(3 − 1), i.e. 2|2

Modular arithmetic exhibits the following properties:
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) − (b mod n)] mod n = (a − b) mod n
3. [(a mod n) × (b mod n)] mod n = (a × b) mod n
Ex: 11 mod 8 = 3; 15 mod 8 = 7
1. [(11 mod 8) + (15 mod 8)] mod 8 = (11 + 15) mod 8
2. [(11 mod 8) − (15 mod 8)] mod 8 = (11 − 15) mod 8
3. [(11 mod 8) × (15 mod 8)] mod 8 = (11 × 15) mod 8

Equation 4-2
if (a + b) ≡ (a + c) (mod n) then b ≡ c (mod n)
Ex: (5 + 23) ≡ (5 + 7) (mod 8); 23 ≡ 7 (mod 8)

Equation 4-3
if (a × b) ≡ (a × c) (mod n) then b ≡ c (mod n), provided a is relatively prime to n
Ex: (5 × 3) ≡ (5 × 7) (mod 4), then 3 ≡ 7 (mod 4)
But (6 × 3) ≡ (6 × 7) (mod 8) does not give 3 ≡ 7 (mod 8), because 6 is not relatively prime to 8.

If a is relatively prime to n, a has a multiplicative inverse a^−1 modulo n, so
((a^−1) × a × b) ≡ ((a^−1) × a × c) (mod n)
b ≡ c (mod n)

The integers 6 and 8 are not relatively prime, since they have the common factor 2. We have the following:
6 × 3 = 18 ≡ 2 (mod 8)
6 × 7 = 42 ≡ 2 (mod 8)
Yet 3 ≢ 7 (mod 8).

Table 4.1. Arithmetic Modulo 8
Working back from 6 × z ≡ 2 (mod 8) gives no unique solution, i.e. the multiplicative inverse of 6 modulo 8 is not unique.
Table 4.2. Properties of Modular Arithmetic for Integers in Zn

Property                Expression
Commutative laws        (w + x) mod n = (x + w) mod n
                        (w × x) mod n = (x × w) mod n
Associative laws        [(w + x) + y] mod n = [w + (x + y)] mod n
                        [(w × x) × y] mod n = [w × (x × y)] mod n
Distributive law        [w × (x + y)] mod n = [(w × x) + (w × y)] mod n
Identities              (0 + w) mod n = w mod n
                        (1 × w) mod n = w mod n
Additive inverse (−w)   For each w ∈ Zn, there exists a z such that w + z ≡ 0 mod n

Modular arithmetic for integers in Zn is a ring.
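To make the Table 4.2 properties and the cancellation rule of Equation 4-3 concrete, here is an added Python example (it is not from the slides or from Stallings' book) that checks the ring laws exhaustively for a small modulus, lists the zero divisors of Zn, finds which elements have multiplicative inverses, and collects the triples for which cancellation fails. All function names are my own.

```python
# Added example (not from the slides): brute-force checks of the Table 4.2
# properties and of the field axioms for Z_n, for small n.
import math
from itertools import product


def check_table_4_2(n):
    """Exhaustively verify the commutative, associative and distributive laws,
    the identities and the additive inverses for Z_n (the ring properties)."""
    for w, x, y in product(range(n), repeat=3):
        assert (w + x) % n == (x + w) % n
        assert (w * x) % n == (x * w) % n
        assert ((w + x) + y) % n == (w + (x + y)) % n
        assert ((w * x) * y) % n == (w * (x * y)) % n
        assert (w * (x + y)) % n == (w * x + w * y) % n
    for w in range(n):
        assert (0 + w) % n == w % n
        assert (1 * w) % n == w % n
        assert any((w + z) % n == 0 for z in range(n))   # additive inverse
    return True


def zero_divisors(n):
    """Pairs (a, b) of nonzero elements of Z_n with a*b ≡ 0 (mod n)."""
    return [(a, b) for a in range(1, n) for b in range(1, n) if (a * b) % n == 0]


def multiplicative_inverses(n):
    """Map w -> w^-1 for every nonzero w that has an inverse in Z_n."""
    inv = {}
    for w in range(1, n):
        for z in range(1, n):
            if (w * z) % n == 1:
                inv[w] = z
                break
    return inv


def is_field(n):
    """Z_n is a field iff every nonzero element has a multiplicative inverse,
    which happens exactly when n is prime (so Z_7 yes, Z_8 no)."""
    return n > 1 and len(multiplicative_inverses(n)) == n - 1


def cancellation_counterexamples(n):
    """Triples (a, b, c), b < c, with a*b ≡ a*c (mod n) but b ≢ c (mod n):
    the cases in which Equation 4-3 cannot be applied."""
    return [(a, b, c)
            for a in range(1, n) for b in range(n) for c in range(b + 1, n)
            if (a * b) % n == (a * c) % n]


def cancellation_requires_common_factor(n):
    """Every a occurring in a counterexample shares a factor with n, i.e.
    cancellation fails only when a is not relatively prime to n."""
    return all(math.gcd(a, n) > 1 for a, _, _ in cancellation_counterexamples(n))


if __name__ == "__main__":
    print("zero divisors of Z8:", zero_divisors(8))
    print("inverses in Z8:", multiplicative_inverses(8))
    print("inverses in Z7:", multiplicative_inverses(7))
    print("6*3 = 6*7 (mod 8) counterexample present:",
          (6, 3, 7) in cancellation_counterexamples(8))
```

Running it shows that Z8 satisfies every row of Table 4.2 and is therefore a ring, yet 2, 4 and 6 are zero divisors and only the odd elements have inverses, so Z8 is not a field; Z7 passes both tests.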
4.3 The Euclidean Algorithm

Greatest Common Divisor
Finding the GCD
Greatest Common Divisor

A nonzero b is defined to be a divisor of a if a = mb for some m (a, b, and m are integers).
12: 1, 2, 3, 4, 6, 12
18: 1, 2, 3, 6, 9, 18
⇒ gcd(12, 18) = 6

gcd(a, b) = c
The positive integer c is said to be the greatest common divisor of a and b if
1. c is a divisor of a and of b;
2. any divisor of a and b is a divisor of c.

An equivalent definition:
gcd(a, b) = max[k, such that k|a and k|b]
Some examples

gcd(60, 24) = gcd(60, −24) = 12
Because we require the GCD to be positive,
gcd(a, b) = gcd(a, −b) = gcd(−a, b) = gcd(−a, −b).
In general, gcd(a, b) = gcd(|a|, |b|).

gcd(a, 0) = |a|, since all nonzero integers divide 0: 0 = m × 0, i.e. 0/m = 0.

gcd(p, q) = 1: integers p and q are relatively prime.
gcd(8, 15) = 1;
8: 1, 2, 4, 8
15: 1, 3, 5, 15
Finding the GCD

Equation 4-4
gcd(a, b) = gcd(b, a mod b)

gcd(55, 22)
= gcd(22, 55 mod 22) = gcd(22, 11)
= gcd(11, 22 mod 11) = gcd(11, 0) = 11

Proof: let d = gcd(a, b), so d|a (1) and d|b (2).
Write a = kb + r with r = a mod b, so a ≡ r (mod b) and b|(a − r) (3).
By (2), d|kb (4). By (1) and (3), d|(kb + r), i.e. d|[kb + (a mod b)] (5).
From (4) and (5), d|(a mod b). Hence d is a common divisor of b and (a mod b), which is what Equation 4-4 needs.
Finding the GCD: algorithm
EUCLID(a, b)
1. A ← a; B ← b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A ← B
5. B ← R
6. goto 2

gcd(55, 22):
  A    B    Q    R
  55   22   2    11
  22   11   2    0
  11   0         return 11
4.4 Finite Fields of the Form GF(p)

Finite fields:
A finite field is a field F that has only finitely many elements.
GF: Galois field, in honor of the mathematician who first studied finite fields.
Évariste Galois (French pronunciation [evaʀist galwa])
1811 ~ 1832 (aged 20), France
Mathematics: theory of equations and Abelian integrals.

Two special cases of GF(p^n):
(1) n = 1: GF(p);
(2) GF(2^n).

Prime p: a prime number is an integer whose only positive integer factors are itself and 1.
GF(p)
(1) Zp has the ring properties of Table 4.2, and in addition
(2) Multiplicative inverse (w^−1): for each w ∈ Zp, w ≠ 0, there exists a z ∈ Zp such that w × z ≡ 1 (mod p), i.e. w × w^−1 ≡ 1 (mod p).
With (2), Zp is a finite field.
Properties of a prime p in modular arithmetic

Equation 4-5
if (a × b) ≡ (a × c) (mod p) then b ≡ c (mod p)
Compare Equation 4-3: if (a × b) ≡ (a × c) (mod n) then b ≡ c (mod n), provided a is relatively prime to n. Every nonzero a in Zp is relatively prime to p, so the condition always holds.
Ex: (4 × 3) ≡ (4 × 10) (mod 7), then 3 ≡ 10 (mod 7)
  ((a^−1) × a × b) ≡ ((a^−1) × a × c) (mod p) ⇒ b ≡ c (mod p)
  (2 × 4 × 3) ≡ (2 × 4 × 10) (mod 7), then 3 ≡ 10 (mod 7)   (here 2 = 4^−1 mod 7, since 2 × 4 = 8 ≡ 1)
GF(2)

The simplest finite field is GF(2). Its arithmetic operations (addition, multiplication, inverses) are easily summarized: addition is equivalent to the exclusive-OR (XOR) operation, and multiplication is equivalent to the logical AND operation.

Table 4.3. Arithmetic in GF(7)
Computing the multiplicative inverse

The Euclidean algorithm finds the greatest common divisor of two numbers; if gcd(a, b) = 1, a and b are said to be relatively prime.

The inverse is obtained from the intermediate numbers produced while running the Euclidean division. For 7 and 5:
  (5, 7): 7/5 = 1, 5 × 1 = 5, 7 − 5 = 2
  (2, 5): 5/2 = 2, 2 × 2 = 4, 5 − 4 = 1
  (1, 2): 2/1 = 2, 1 × 2 = 2, 2 − 2 = 0
Finding the Multiplicative Inverse in GF(p)

EXTENDED EUCLID(m, b)
1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = b^−1 mod m
4. Q = ⌊A3/B3⌋
5. (T1, T2, T3) ← (A1 − QB1, A2 − QB2, A3 − QB3)
6. (A1, A2, A3) ← (B1, B2, B3)
7. (B1, B2, B3) ← (T1, T2, T3)
8. goto 2
Trace of EXTENDED EUCLID(7, 5). In each round: test whether B3 is 0 or 1; Q = ⌊A3/B3⌋; T[i] = A[i] − Q × B[i]; then A[i] = B[i] and B[i] = T[i].

  Q       A1  A2  A3      B1  B2  B3      T1  T2  T3
  7/5=1    1   0   7       0   1   5       1  −1   2    (1 − 1×0, 0 − 1×1, 7 − 1×5)
  5/2=2    0   1   5       1  −1   2      −2   3   1    (0 − 2×1, 1 − 2×(−1), 5 − 2×2)
  2/1=2    1  −1   2      −2   3   1       5  −7   0    (1 − 2×(−2), −1 − 2×3, 2 − 2×1)

The algorithm returns at step 3 as soon as B3 = 1 (second row); the last row is shown only to reach B3 = 0.

If gcd(m, b) = 1, the following relations hold throughout the computation of gcd(7, 5):
1. mB1 + bB2 = B3   (7B1 + 5B2 = B3)
2. mA1 + bA2 = A3   (7A1 + 5A2 = A3)
3. mT1 + bT2 = T3   (7T1 + 5T2 = T3)
4. bB2 ≡ 1 mod m, at the step where B3 = 1

Since gcd(7, 5) = 1, the final result is B3 = 0 with A3 = 1; in the step before it, B3 = 1, so
7B1 + 5B2 = B3
7B1 + 5B2 = 1
5B2 = 1 + (−B1) × 7
5B2 ≡ 1 (mod 7), i.e. 5^−1 mod 7 = B2 = 3.
Table 4.4. Finding the Multiplicative Inverse of 550 in GF(1759)

gcd(1759, 550) = 1
The multiplicative inverse of 550 is 355; that is, 550 × 355 ≡ 1 (mod 1759).
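The two algorithms above, EUCLID and EXTENDED EUCLID, as an added Python example that is not part of the slides or of Stallings' book. It follows the slides' step numbering, keeps a trace of the intermediate rows so the invariants mB1 + bB2 = B3 and mA1 + bA2 = A3 can be checked, and reproduces gcd(55, 22), the 7/5 trace and the inverse of 550 in GF(1759). The function names are my own.

```python
# Added example (not from the slides): EUCLID and EXTENDED EUCLID with traces.


def euclid(a, b):
    """gcd(a, b) by Equation 4-4; returns (gcd, trace of (A, B, Q, R) rows)."""
    A, B = a, b
    trace = []
    while B != 0:
        Q, R = divmod(A, B)          # Q = floor(A/B), R = A mod B
        trace.append((A, B, Q, R))
        A, B = B, R
    return A, trace


def extended_euclid(m, b):
    """Returns (gcd(m, b), b^-1 mod m or None, trace).
    Trace rows are (Q, (A1, A2, A3), (B1, B2, B3)); at every row
    m*A1 + b*A2 == A3 and m*B1 + b*B2 == B3, so when B3 == 1 we have
    b*B2 ≡ 1 (mod m) and B2 is the inverse."""
    A = [1, 0, m]                    # step 1
    B = [0, 1, b]
    trace = [(None, tuple(A), tuple(B))]
    while True:
        if B[2] == 0:                # step 2: gcd > 1 (or b == 0): no inverse
            return A[2], None, trace
        if B[2] == 1:                # step 3: B2 is the inverse (normalised into 0..m-1)
            return 1, B[1] % m, trace
        Q = A[2] // B[2]             # step 4
        T = [A[i] - Q * B[i] for i in range(3)]   # step 5
        A, B = B, T                  # steps 6 and 7
        trace.append((Q, tuple(A), tuple(B)))


def invariant_holds(m, b):
    """Check m*X1 + b*X2 == X3 for every A row and B row of the trace."""
    _, _, trace = extended_euclid(m, b)
    return all(m * X[0] + b * X[1] == X[2]
               for _, A_row, B_row in trace for X in (A_row, B_row))


def mod_inverse(b, m):
    """b^-1 mod m, or None when gcd(m, b) != 1."""
    return extended_euclid(m, b)[1]


if __name__ == "__main__":
    print("gcd(55, 22):", euclid(55, 22))
    g, inv, rows = extended_euclid(7, 5)
    for row in rows:
        print(row)
    print("5^-1 mod 7 =", inv)
    print("550^-1 mod 1759 =", mod_inverse(550, 1759))
    print("6^-1 mod 8 =", mod_inverse(6, 8))   # None: 6 and 8 are not relatively prime
```

The trace printed for (7, 5) is exactly the A/B table of the previous slide, and the 6 modulo 8 call returns None, matching the earlier observation that 6 has no inverse in Z8.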
4.5 Polynomial Arithmetic

GF(2^n) does its arithmetic with polynomials:
1. Ordinary polynomial arithmetic.
2. Arithmetic with "finite" polynomials: the coefficients are restricted to a fixed range, and the degree of the polynomials is restricted to a fixed range as well.
Ordinary Polynomial Arithmetic

A polynomial of degree n (integer n ≥ 0):
f(x) = a_n x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0 = $\sum_{i=0}^{n} a_i x^i$

where the a_i are elements of some designated set of numbers S, called the coefficient set, and a_n ≠ 0. We say that such polynomials are defined over the coefficient set S.
Some examples

A zeroth-degree polynomial is called a constant polynomial and is simply an element of the set of coefficients.
f(x) = 2

An nth-degree polynomial is said to be a monic polynomial if a_n = 1.
f(x) = x^3 + x^2 + 2
Polynomial Addition and Subtraction

Addition and subtraction are performed by adding or subtracting corresponding coefficients.
$f(x) = \sum_{i=0}^{n} a_i x^i$; $g(x) = \sum_{i=0}^{m} b_i x^i$; n ≥ m
$f(x) \pm g(x) = \sum_{i=0}^{m} (a_i \pm b_i) x^i + \sum_{i=m+1}^{n} a_i x^i$

Ex: f(x) = x^3 + x^2 + 2 and g(x) = x^2 − x + 1
(a) Addition
    x^3 + x^2 + 2
  + (x^2 − x + 1)
  = x^3 + 2x^2 − x + 3
(b) Subtraction
    x^3 + x^2 + 2
  − (x^2 − x + 1)
  = x^3 + x + 1
Polynomial Multiplication
$f(x) = \sum_{i=0}^{n} a_i x^i$; $g(x) = \sum_{i=0}^{m} b_i x^i$; n ≥ m
$f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i$
where c_k = a_0 b_k + a_1 b_{k−1} + … + a_{k−1} b_1 + a_k b_0

(c) Multiplication
    x^3 + x^2 + 2
  × (x^2 − x + 1)
    x^3 + x^2 + 2          (× 1)
  − x^4 − x^3 − 2x         (× −x)
  + x^5 + x^4 + 2x^2       (× x^2)
  = x^5 + 3x^2 − 2x + 2
Polynomial Division
$f(x) = \sum_{i=0}^{n} a_i x^i$; $g(x) = \sum_{i=0}^{m} b_i x^i$; n ≥ m

(d) Division
                 x + 2
  x^2 − x + 1 ) x^3 + x^2 + 2
                x^3 − x^2 + x
                -------------
                     2x^2 − x + 2
                     2x^2 − 2x + 2
                     -------------
                               x
So x^3 + x^2 + 2 = (x + 2)(x^2 − x + 1) + x: quotient x + 2, remainder x.

After each operation the coefficients must remain inside the coefficient set; this is guaranteed when S is a field F. What about the division 5/3?
Consider the division 5/3 within a set S.
(1) If S is the set of rational numbers, which is a field, the result is simply expressed as 5/3 and is an element of S.
(2) Now suppose that S is the field Z7:
5/3 = (5 × 3^−1) mod 7 = (5 × 5) mod 7 = 4
(3) If S is the set of integers, which is a ring but not a field, then 5/3 produces a quotient of 1 and a remainder of 2:
5/3 = 1 + 2/3
5 = 1 × 3 + 2
Division is not exact over the set of integers.
Polynomials over GF(2)

Addition is equivalent to the XOR operation.
Multiplication is equivalent to the logical AND operation.
Addition and subtraction are equivalent.

mod 2:
1 + 1 = 1 − 1 = 0;
1 + 0 = 1 − 0 = 1;
0 + 1 = 0 − 1 = 1.
Figure 4.4. Examples of Polynomial Arithmetic over GF(2)
f(x) = x^7 + x^5 + x^4 + x^3 + x + 1
g(x) = x^3 + x + 1

(a) Addition
  (x^7 + x^5 + x^4 + x^3 + x + 1) + (x^3 + x + 1) = x^7 + x^5 + x^4

(b) Subtraction
  (x^7 + x^5 + x^4 + x^3 + x + 1) − (x^3 + x + 1) = x^7 + x^5 + x^4

(c) Multiplication
  (x^7 + x^5 + x^4 + x^3 + x + 1) × (x^3 + x + 1)
    x^7 + x^5 + x^4 + x^3 + x + 1              (× 1)
  + x^8 + x^6 + x^5 + x^4 + x^2 + x            (× x)
  + x^10 + x^8 + x^7 + x^6 + x^4 + x^3         (× x^3)
  = x^10 + x^4 + x^2 + 1

(d) Division
  (x^7 + x^5 + x^4 + x^3 + x + 1) ÷ (x^3 + x + 1)
    x^4 × (x^3 + x + 1) = x^7 + x^5 + x^4, leaving x^3 + x + 1
    1 × (x^3 + x + 1) = x^3 + x + 1, leaving 0
  quotient x^4 + 1, remainder 0
Keeping the degree of the polynomial within a fixed range

Just as integers can be reduced as x mod p with p prime, polynomials are reduced as f(x) mod m(x) with m(x) a prime polynomial, i.e. an irreducible polynomial.

A polynomial m(x) over a field F is irreducible if and only if m(x) cannot be expressed as a product of two polynomials, both over F, and both of degree lower than that of m(x).
Ex: f(x) = x^3 + x + 1 is irreducible over GF(2).
The polynomial f(x) = x^4 + 1 over GF(2) is reducible: x^4 + 1 = (x + 1)(x^3 + x^2 + x + 1).
Finding the GCD of polynomials

The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x) if
1. c(x) divides both a(x) and b(x);
2. any divisor of a(x) and b(x) is a divisor of c(x).
An equivalent definition is the following:
gcd[a(x), b(x)] is the polynomial of maximum degree that divides both a(x) and b(x).

Finding the GCD and the multiplicative inverse of polynomials uses the same methods as for integers.

Finding the GCD of polynomials: algorithm
Assumes that the degree of a(x) is greater than the degree of b(x). Then, to find gcd[a(x), b(x)]:
EUCLID[a(x), b(x)]
1. A(x) ← a(x); B(x) ← b(x)
2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
3. R(x) = A(x) mod B(x)
4. A(x) ← B(x)
5. B(x) ← R(x)
6. goto 2
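An added Python example (not from the slides or from Stallings' book) for polynomial arithmetic over GF(2), where a polynomial is stored as an int whose bit i is the coefficient of x^i, so addition is XOR and the coefficient rules mod 2 come for free. It implements addition, carry-less multiplication, long division, EUCLID[a(x), b(x)] exactly as listed above, and a trial-division irreducibility test that goes beyond the slides' two examples. It reproduces Figure 4.4 and the factorization of x^4 + 1. All names are my own.

```python
# Added example (not from the slides): polynomials over GF(2) as bit vectors.


def poly_str(p):
    """Human-readable form, highest power first, e.g. 0b1011 -> 'x^3 + x + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(p.bit_length() - 1, -1, -1):
        if p >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def poly_add(a, b):
    """Addition (and subtraction) over GF(2) is coefficient-wise XOR."""
    return a ^ b


def poly_mul(a, b):
    """Carry-less product: c_k = sum of a_i * b_(k-i), each sum taken mod 2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Long division over GF(2): returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    db = b.bit_length() - 1                  # degree of the divisor
    while a and a.bit_length() - 1 >= db:
        shift = (a.bit_length() - 1) - db    # align leading terms
        q ^= 1 << shift
        a ^= b << shift                      # subtract (XOR) the shifted divisor
    return q, a


def poly_gcd(a, b):
    """EUCLID[a(x), b(x)] from the slides: gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a


def is_irreducible(m):
    """m(x) is irreducible iff no polynomial of degree 1..deg(m)/2 divides it.
    Trial division is fine for the small degrees used in this chapter."""
    d = m.bit_length() - 1
    if d < 1:
        return False
    for f in range(2, 1 << (d // 2 + 1)):    # f = x, x+1, x^2, ... up to degree d//2
        if poly_divmod(m, f)[1] == 0:
            return False
    return True


if __name__ == "__main__":
    f = 0b10111011          # x^7 + x^5 + x^4 + x^3 + x + 1
    g = 0b1011              # x^3 + x + 1
    print("f + g =", poly_str(poly_add(f, g)))
    print("f * g =", poly_str(poly_mul(f, g)))
    q, r = poly_divmod(f, g)
    print("f / g = quotient", poly_str(q), "remainder", poly_str(r))
    print("gcd(f*g, g) =", poly_str(poly_gcd(poly_mul(f, g), g)))
    print("x^4 + 1 irreducible?", is_irreducible(0b10001))
    print("x^4 + 1 =", "(x + 1) *", poly_str(poly_divmod(0b10001, 0b11)[0]))
```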
4.6 Finite Fields of the Form GF(2^n)

1. Z8 and GF(2^3) are very different.
2. GF(2^n) does its arithmetic with polynomials: the element values lie in 0 ~ (2^n − 1), and the degree of each polynomial is below n.
Z8 and GF(2^3) are very different

  Z8    GF(2^3)          bits
  0     0                000
  1     1                001
  2     x                010
  3     x + 1            011
  4     x^2              100
  5     x^2 + 1          101
  6     x^2 + x          110
  7     x^2 + x + 1      111

Both represent integers that fit exactly into a given number of bits.
Addition in Z8 and GF(2^3)

Multiplication in Z8 and GF(2^3)
The values do not occur equally often: in the multiplication table, the nonzero integers do not appear an equal number of times.
  Integer                 1   2   3   4   5   6   7
  Occurrences in Z8       4   8   4   12  4   8   4
  Occurrences in GF(2^3)  7   7   7   7   7   7   7

Inverses in Z8 and GF(2^3)
Representing the p^n polynomials

For p = 2 and n = 3, the 2^3 = 8 polynomials in the set GF(2^3) are
  0              000
  1              001
  x              010
  x + 1          011
  x^2            100
  x^2 + 1        101
  x^2 + x        110
  x^2 + x + 1    111

For p = 3 and n = 2, the 3^2 = 9 polynomials in the set GF(3^2) are
  0         00
  1         01
  2         02
  x         10
  x + 1     11
  x + 2     12
  2x        20
  2x + 1    21
  2x + 2    22
Polynomial arithmetic in GF(2^n) must satisfy the following.

Element values lie in 0 ~ (2^n − 1): arithmetic on the coefficients is performed modulo 2. That is, we use the rules of arithmetic for the finite field Z2.

The degree stays below n, by reducing mod m(x): if multiplication results in a polynomial of degree greater than n − 1, then the polynomial is reduced modulo an irreducible polynomial m(x) of degree n. That is, we divide by m(x) and keep the remainder. For a polynomial f(x), the remainder is expressed as r(x) = f(x) mod m(x).
Irreducible polynomial m(x)

An irreducible nth-degree polynomial m(x) satisfies: its highest power is x^n for some integer n, and it has no factors of lower degree.

Isomorphic:
Any two finite-field structures of a given order have the same structure, but the representation, or labels, of the elements may be different.
Ex: there are two irreducible polynomials of degree 3 that can serve as m(x) to construct the finite field GF(2^3):
(1) x^3 + x^2 + 1
(2) x^3 + x + 1

Table 4.6. Polynomial Arithmetic Modulo (x^3 + x + 1)
Addition

Consider the two polynomials in GF(2^8) from our earlier example: f(x) = x^6 + x^4 + x^2 + x + 1 and g(x) = x^7 + x + 1.
(polynomial notation)  (x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2
(binary notation)      (01010111) ⊕ (10000011) = (11010100)
(decimal {hex})        87 {57} ⊕ 131 {83} = 212 {D4}
Multiplication

We will discuss the technique with reference to GF(2^8) using m(x) = x^8 + x^4 + x^3 + x + 1.

Equation 4-8
x^8 mod m(x) = [m(x) − x^8] = x^4 + x^3 + x + 1

Equation 4-9
x × f(x) = (b7 x^8 + b6 x^7 + b5 x^6 + b4 x^5 + b3 x^4 + b2 x^3 + b1 x^2 + b0 x) mod m(x)

Equation 4-10
x × f(x) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
x × f(x) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1
Multiplication example

f(x) = x^6 + x^4 + x^2 + x + 1   (01010111)
g(x) = x^7 + x + 1               (10000011)
m(x) = x^8 + x^4 + x^3 + x + 1; find f(x) × g(x) mod m(x).

x × f(x) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
x × f(x) = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011)     if b7 = 1

(01010111) × (00000001) = (01010111)
(01010111) × (00000010) = (10101110)
(01010111) × (00000100) = (01011100) ⊕ (00011011) = (01000111)
(01010111) × (00001000) = (10001110)
(01010111) × (00010000) = (00011100) ⊕ (00011011) = (00000111)
(01010111) × (00100000) = (00001110)
(01010111) × (01000000) = (00011100)
(01010111) × (10000000) = (00111000)

f(x) × g(x) = (01010111) × [(00000001) ⊕ (00000010) ⊕ (10000000)]
= (01010111) ⊕ (10101110) ⊕ (00111000) = (11000001)
which is equivalent to x^7 + x^6 + 1.
Application

With 8 bits we have the values 0 ~ 255. 256 is not a prime, so Z256 is not a field. 251 is prime, so GF(251) is a field, but then the values 251 ~ 255 would not be used. GF(2^8) is a field, too, and it uses all 256 values.
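Closing the section, an added Python example (it is not from the slides or from Stallings' book) that implements Equation 4-10 as xtime() and shift-and-add multiplication in GF(2^n), parameterised by the reduction polynomial. With the slides' own polynomials, x^8 + x^4 + x^3 + x + 1 (written 0x11B) and x^3 + x + 1 (0b1011), it reproduces the 0x57 × 0x83 row table above and the Z8 versus GF(2^3) occurrence counts from the earlier slide. The helper names are my own.

```python
# Added example (not from the slides): Equation 4-10 and multiplication in
# GF(2^n); m is the full reduction polynomial including its x^n term.


def xtime(b, n=8, m=0x11B):
    """x * f(x) mod m(x): shift left; if an x^n term appeared, XOR with m(x).
    For n = 8, m = 0x11B this XORs 0x1B = 00011011 exactly as Equation 4-10."""
    b <<= 1
    if b >> n & 1:
        b ^= m
    return b & ((1 << n) - 1)


def gf_mul(a, b, n=8, m=0x11B):
    """Multiply in GF(2^n): accumulate a * x^i for each set bit b_i of b."""
    result = 0
    for i in range(n):
        if b >> i & 1:
            result ^= a
        a = xtime(a, n, m)
    return result


def shift_table(a, n=8, m=0x11B):
    """The slides' intermediate rows: a * x^i mod m(x) for i = 0 .. n-1."""
    rows = []
    for _ in range(n):
        rows.append(a)
        a = xtime(a, n, m)
    return rows


def gf_inverse(a, n=8, m=0x11B):
    """Brute-force multiplicative inverse (2^n candidates); None for a = 0."""
    for z in range(1, 1 << n):
        if gf_mul(a, z, n, m) == 1:
            return z
    return None


def occurrence_counts(n, m=None):
    """How often each nonzero value appears in the n-bit multiplication table:
    modulo 2^n (the ring Z_{2^n}) when m is None, in GF(2^n) mod m(x) otherwise."""
    size = 1 << n
    counts = {v: 0 for v in range(1, size)}
    for a in range(size):
        for b in range(size):
            v = (a * b) % size if m is None else gf_mul(a, b, n, m)
            if v:
                counts[v] += 1
    return counts


if __name__ == "__main__":
    for i, row in enumerate(shift_table(0x57)):
        print(f"0x57 * x^{i} = {row:08b}")
    print(f"0x57 * 0x83 = {gf_mul(0x57, 0x83):08b}")      # 11000001 = x^7 + x^6 + 1
    print("Z8      :", occurrence_counts(3))
    print("GF(2^3) :", occurrence_counts(3, 0b1011))
    print("inverse of x in GF(2^3):", gf_inverse(2, 3, 0b1011))
```

The occurrence dictionaries show the ring/field contrast directly: in Z8 the value 4 appears 12 times and 1 only 4 times, while in GF(2^3) every nonzero value appears exactly 7 times, because each nonzero a has a unique b with a × b equal to any given value.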