Chapter 4. Finite Fields
Book: Cryptography and Network Security: Principles and Practices, Fourth Edition
Author: William Stallings
Presenter: 陳盈如, 2008/04/03

Outline
4.1 Groups, Rings, and Fields
4.2 Modular Arithmetic
4.3 The Euclidean Algorithm
4.4 Finite Fields of the Form GF(p)
4.5 Polynomial Arithmetic
4.6 Finite Fields of the Form GF(2^n)
4.7 Recommended Reading and Web Sites
4.8 Key Terms, Review Questions, and Problems

4.1 Groups, Rings, and Fields

Groups, rings, and fields are the fundamental elements of a branch of mathematics known as abstract algebra, or modern algebra. In abstract algebra we are concerned with sets on whose elements we can operate algebraically: we can combine two elements of the set, perhaps in several ways, to obtain a third element of the set.

Group {G, ·}: a set G together with one binary operation ·, satisfying
(1) Closure: if a, b ∈ G then a · b ∈ G.
(2) Associative: if a, b, c ∈ G then a · (b · c) = (a · b) · c.
(3) Identity element: there is an element e in G such that a · e = e · a = a for all a in G.
(4) Inverse element: for each a in G there is an element a' in G such that a · a' = a' · a = e.
An abelian (commutative) group additionally satisfies
(5) Commutative: a · b = b · a for all a, b in G.
Example: the integers Z under addition form an abelian group (identity 0, inverse of a is −a).

Ring {R, +, ·}: a set R together with two binary operations + and ·, such that
{R, +} is an abelian group, i.e. (1)-(5) hold for addition;
{R, ·} satisfies (1) closure and (2) associativity; and
(*) the distributive laws hold: a(b + c) = ab + ac and (a + b)c = ac + bc for all a, b, c in R.
A commutative ring additionally satisfies (5) commutativity of multiplication.
Zero divisors: let b be a nonzero element of a ring; a is called a left zero divisor if ab = 0, and a right zero divisor is defined in the same way. Both are referred to simply as zero divisors.
Integral domain: a commutative ring that also has (3) a multiplicative identity element and (*) no zero divisors: if a, b ∈ R and ab = 0, then either a = 0 or b = 0.
Field {F, +, ·}: a set F together with two binary operations + and ·, such that
{F, +} is an abelian group;
{F, +, ·} is an integral domain, i.e. a commutative ring with a multiplicative identity and no zero divisors; and
{F, ·} also satisfies (4) inverse element: for each a in F with a ≠ 0 there is an a^{-1} in F such that a · a^{-1} = a^{-1} · a = 1.
Figure 4.1. Group, Ring, and Field

4.2 Modular Arithmetic

Equation 4-1: $a = qn + r$, $0 \le r < n$, $q = \lfloor a/n \rfloor$, where $\lfloor x \rfloor$ is the largest integer less than or equal to x.
Residue: when the integer a is divided by the integer n, the remainder r is referred to as the residue. Equivalently, r = a mod n, and
$a = \lfloor a/n \rfloor \cdot n + (a \bmod n)$.

Congruent modulo n: two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n). This is written a ≡ b (mod n).
73 ≡ 4 (mod 23); 21 ≡ −9 (mod 10).

Divisibility: b divides a, written b|a (b is a divisor of a), if a = mb for some integer m. Example: 21 = 3 × 7, so 7|21.
a ≡ b (mod n) if and only if n | (a − b); in particular, a ≡ 0 (mod n) if and only if n | a.
Example: 1 ≡ 3 (mod 2), since 2 | (3 − 1), i.e. 2 | 2.

Modular arithmetic exhibits the following properties:
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) − (b mod n)] mod n = (a − b) mod n
3. [(a mod n) × (b mod n)] mod n = (a × b) mod n
Example: 11 mod 8 = 3, 15 mod 8 = 7.
1. [(11 mod 8) + (15 mod 8)] mod 8 = (3 + 7) mod 8 = 2 = (11 + 15) mod 8 = 26 mod 8
2. [(11 mod 8) − (15 mod 8)] mod 8 = (3 − 7) mod 8 = 4 = (11 − 15) mod 8 = (−4) mod 8
3. [(11 mod 8) × (15 mod 8)] mod 8 = (3 × 7) mod 8 = 5 = (11 × 15) mod 8 = 165 mod 8

Equation 4-2: if (a + b) ≡ (a + c) (mod n) then b ≡ c (mod n).
Example: (5 + 23) ≡ (5 + 7) (mod 8), and indeed 23 ≡ 7 (mod 8).
Equation 4-3: if (a × b) ≡ (a × c) (mod n) then b ≡ c (mod n), provided a is relatively prime to n.
Examples: (5 × 3) ≡ (5 × 7) (mod 4) and gcd(5, 4) = 1, so 3 ≡ 7 (mod 4). But (6 × 3) ≡ (6 × 7) (mod 8) does not give 3 ≡ 7 (mod 8).

Why relative primality matters: if a is relatively prime to n, a has a multiplicative inverse a^{-1} modulo n, so
(a^{-1} × a × b) ≡ (a^{-1} × a × c) (mod n), hence b ≡ c (mod n).
The integers 6 and 8 are not relatively prime, since they have the common factor 2. We have
6 × 3 = 18 ≡ 2 (mod 8) and 6 × 7 = 42 ≡ 2 (mod 8), yet 3 ≢ 7 (mod 8).

Table 4.1. Arithmetic Modulo 8
Reading the multiplication table backwards, 6 × x ≡ 2 (mod 8) has no unique solution (x = 3 and x = 7 both work), so multiplication by 6 cannot be undone: 6 has no multiplicative inverse modulo 8.

Table 4.2.
Properties of Modular Arithmetic for Integers in Z_n
Commutative laws: (w + x) mod n = (x + w) mod n; (w × x) mod n = (x × w) mod n
Associative laws: [(w + x) + y] mod n = [w + (x + y)] mod n; [(w × x) × y] mod n = [w × (x × y)] mod n
Distributive law: [w × (x + y)] mod n = [(w × x) + (w × y)] mod n
(The second "distributive law" printed in the table, [w + (x × y)] mod n = [(w + x) × (w + y)] mod n, does not hold in general: with n = 8, w = 1, x = y = 2 the left side is 5 and the right side is 9 mod 8 = 1.)
Identities: (0 + w) mod n = w mod n; (1 × w) mod n = w mod n
Additive inverse (−w): for each w ∈ Z_n there exists a z such that w + z ≡ 0 (mod n).
Modular arithmetic on the integers in Z_n therefore forms a commutative ring with identity.

4.3 The Euclidean Algorithm
Greatest common divisor; finding the GCD.

Greatest Common Divisor
A nonzero b is defined to be a divisor of a if a = mb for some m (a, b and m are integers).
Divisors of 12: 1, 2, 3, 4, 6, 12. Divisors of 18: 1, 2, 3, 6, 9, 18. gcd(12, 18) = 6.
The positive integer c is said to be the greatest common divisor of a and b, gcd(a, b) = c, if
1. c is a divisor of a and of b;
2. any divisor of a and b is a divisor of c.
An equivalent definition: gcd(a, b) = max[k such that k|a and k|b].

Some examples: gcd(60, 24) = gcd(60, −24) = 12. Because we require the GCD to be positive, gcd(a, b) = gcd(a, −b) = gcd(−a, b) = gcd(−a, −b); in general, gcd(a, b) = gcd(|a|, |b|).
Since 0 = m × 0 for any m, all nonzero integers divide 0, so gcd(a, 0) = |a|.
Integers p and q are relatively prime if gcd(p, q) = 1. Example: gcd(8, 15) = 1, since the divisors of 8 are 1, 2, 4, 8 and the divisors of 15 are 1, 3, 5, 15.

Finding the GCD
Equation 4-4: gcd(a, b) = gcd(b, a mod b)
gcd(55, 22) = gcd(22, 55 mod 22) = gcd(22, 11) = gcd(11, 22 mod 11) = gcd(11, 0) = 11
Proof: let d = gcd(a, b), so d|a (1) and d|b (2). Write a = kb + r with r = a mod b (3). From (1) and (2), d divides a − kb = r, so d is a common divisor of b and (a mod b). Conversely, any common divisor of b and r divides kb + r = a, so it is a common divisor of a and b. The pairs (a, b) and (b, a mod b) have exactly the same common divisors, hence the same greatest common divisor.

Algorithm EUCLID(a, b)
1. A ← a; B ← b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A ← B
5. B ← R
6. goto 2
Trace for gcd(55, 22) (A, B, Q = A div B, R): (55, 22, 2, 11) → (22, 11, 2, 0) → (11, 0): return 11.

4.4 Finite Fields of the Form GF(p)
A finite field is a field F with only finitely many elements. GF stands for Galois field, in honor of the mathematician who first studied finite fields.
Évariste Galois (French pronunciation [evaʀist galwa]), 1811-1832 (died aged 20), France. Mathematics: theory of equations and Abelian integrals.

Two special cases of GF(p^n): (1) n = 1, giving GF(p); (2) GF(2^n).
Prime p: a prime number is an integer whose only positive integer factors are itself and 1.

GF(p)
(1) A finite field: the set Z_p = {0, 1, ..., p − 1} with addition and multiplication modulo p.
(2) Multiplicative inverse (w^{-1}): for each w ∈ Z_p with w ≠ 0 there exists a z ∈ Z_p such that w × z ≡ 1 (mod p), i.e. w × w^{-1} ≡ 1 (mod p).

Cancellation modulo a prime p
Equation 4-5: if (a × b) ≡ (a × c) (mod p) then b ≡ c (mod p).
Compare Equation 4-3: if (a × b) ≡ (a × c) (mod n) then b ≡ c (mod n) only when a is relatively prime to n. For a prime modulus every nonzero a is relatively prime to p, so the condition is automatically met.
Example: (4 × 3) ≡ (4 × 10) (mod 7) (both sides are 5), so 3 ≡ 10 (mod 7). Using the inverse 4^{-1} = 2 (mod 7): (2 × 4 × 3) ≡ (2 × 4 × 10) (mod 7), hence 3 ≡ 10 (mod 7).

GF(2)
The simplest finite field is GF(2). Its arithmetic operations are easily summarized:
Addition: 0 + 0 = 0, 0 + 1 = 1, 1 + 0 = 1, 1 + 1 = 0.
Multiplication: 0 × 0 = 0, 0 × 1 = 0, 1 × 0 = 0, 1 × 1 = 1.
Inverses: −0 = 0, −1 = 1; 1^{-1} = 1.
In this case addition is equivalent to the exclusive-OR (XOR) operation, and multiplication is equivalent to the logical AND operation.

Table 4.3. Arithmetic in GF(7)

Computing the multiplicative inverse
The Euclidean algorithm (repeated division) finds the greatest common divisor of two numbers; if gcd(a, b) = 1, a and b are relatively prime. The intermediate numbers produced during the repeated division give the inverse.
Repeated division of 7 by 5:
7 = 1 × 5 + 2 (7/5 = 1, 5 × 1 = 5, 7 − 5 = 2)
5 = 2 × 2 + 1 (5/2 = 2, 2 × 2 = 4, 5 − 4 = 1)
2 = 2 × 1 + 0 (2/1 = 2, 1 × 2 = 2, 2 − 2 = 0)

Finding the Multiplicative Inverse in GF(p)
EXTENDED EUCLID(m, b)
1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = b^{-1} mod m
4. Q = ⌊A3 / B3⌋
5. (T1, T2, T3) ← (A1 − Q B1, A2 − Q B2, A3 − Q B3)
6. (A1, A2, A3) ← (B1, B2, B3)
7. (B1, B2, B3) ← (T1, T2, T3)
8. goto 2

Trace for m = 7, b = 5. Each round: check whether B3 is 0 or 1; Q = ⌊A3 / B3⌋; T[i] = A[i] − Q × B[i]; then A ← B, B ← T.
Start: A = (1, 0, 7), B = (0, 1, 5).
Q = 7/5 = 1: T = (1 − 1×0, 0 − 1×1, 7 − 1×5) = (1, −1, 2); now A = (0, 1, 5), B = (1, −1, 2).
Q = 5/2 = 2: T = (0 − 2×1, 1 − 2×(−1), 5 − 2×2) = (−2, 3, 1); now A = (1, −1, 2), B = (−2, 3, 1).
B3 = 1, so gcd(7, 5) = 1 and 5^{-1} mod 7 = B2 = 3 (check: 5 × 3 = 15 ≡ 1 (mod 7)).
(One more round would give Q = 2/1 = 2 and T = (1 − 2×(−2), −1 − 2×3, 2 − 2×1) = (5, −5, 0), i.e. B3 = 0.)

If gcd(m, b) = 1, the following relations hold at every step of the computation of gcd(7, 5):
1. m A1 + b A2 = A3 (7 A[0] + 5 A[1] = A[2])
2. m B1 + b B2 = B3 (7 B[0] + 5 B[1] = B[2])
3. m T1 + b T2 = T3 (7 T[0] + 5 T[1] = T[2])
4. b B2 ≡ 1 (mod m) at the step where B3 = 1.
Rows of the trace (A; B; T with Q):
A = (1, 0, 7); B = (0, 1, 5); Q = 1; T = (1, −1, 2)
A = (0, 1, 5); B = (1, −1, 2); Q = 2; T = (−2, 3, 1)
A = (1, −1, 2); B = (−2, 3, 1); Q = 2; T = (5, −5, 0)
If gcd(7, 5) = 1, the final round ends with B[2] = 0 and A[2] = 1; in the round before it B[2] = 1, and from 7 B[0] + 5 B[1] = B[2] = 1 we obtain 5 B[1] = 1 + (−B[0]) × 7, so 5 B[1] ≡ 1 (mod 7): B[1] = 3 is the inverse of 5 modulo 7.

Table 4.4. Finding the Multiplicative Inverse of 550 in GF(1759)
gcd(1759, 550) = 1. The multiplicative inverse of 550 is 355; that is, 550 × 355 ≡ 1 (mod 1759). (Check: 550 × 355 = 195250 = 111 × 1759 + 1.)

4.5 Polynomial Arithmetic
Arithmetic in GF(2^n) is carried out on polynomials:
1. ordinary polynomial arithmetic;
2. "finite" polynomial arithmetic, in which the coefficients are restricted to a fixed range (a finite field) and the degree of the polynomials is bounded as well.

Ordinary Polynomial Arithmetic
A polynomial of degree n (integer n ≥ 0) is
$f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i$
where the a_i are elements of some designated set of numbers S, called the coefficient set, and a_n ≠ 0. We say that such polynomials are defined over the coefficient set S.

Some examples: a zeroth-degree polynomial is called a constant polynomial and is simply an element of the set of coefficients, e.g. f(x) = 2. An nth-degree polynomial is said to be a monic polynomial if a_n = 1, e.g. f(x) = x^3 + x^2 + 2.

Polynomial Addition and Subtraction
Addition and subtraction are performed by adding or subtracting corresponding coefficients. With
$f(x) = \sum_{i=0}^{n} a_i x^i$, $g(x) = \sum_{i=0}^{m} b_i x^i$, $n \ge m$:
$f(x) \pm g(x) = \sum_{i=0}^{m} (a_i \pm b_i) x^i + \sum_{i=m+1}^{n} a_i x^i$
Example: f(x) = x^3 + x^2 + 2 and g(x) = x^2 − x + 1.
(a) Addition: (x^3 + x^2 + 2) + (x^2 − x + 1) = x^3 + 2x^2 − x + 3
(b) Subtraction: (x^3 + x^2 + 2) − (x^2 − x + 1) = x^3 + x + 1

Polynomial Multiplication
$f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i$, where $c_k = a_0 b_k + a_1 b_{k-1} + \cdots + a_{k-1} b_1 + a_k b_0$.
(c) Multiplication: (x^3 + x^2 + 2)(x^2 − x + 1). Partial products: 1 × (x^3 + x^2 + 2) = x^3 + x^2 + 2; (−x) × (x^3 + x^2 + 2) = −x^4 − x^3 − 2x; x^2 × (x^3 + x^2 + 2) = x^5 + x^4 + 2x^2. Sum: x^5 + 3x^2 − 2x + 2.

Polynomial Division
Division of polynomials requires dividing coefficients (e.g. 5/3), so for the result to stay in the coefficient set the coefficients must form a field F.
(d) Division: (x^3 + x^2 + 2) ÷ (x^2 − x + 1) gives quotient x + 2 and remainder x:
(x^3 + x^2 + 2) − x(x^2 − x + 1) = (x^3 + x^2 + 2) − (x^3 − x^2 + x) = 2x^2 − x + 2
(2x^2 − x + 2) − 2(x^2 − x + 1) = (2x^2 − x + 2) − (2x^2 − 2x + 2) = x

Consider the division 5/3 within a set S.
(1) If S is the set of rational numbers, which is a field, the result is simply expressed as 5/3 and is an element of S.
(2) Now suppose that S is the field Z7.
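Returning to the multiplicative inverse in GF(p): the following is an added example, not code from the slides or from Stallings, that implements EXTENDED EUCLID(m, b) exactly as listed in Section 4.4, keeps the (A1, A2, A3) / (B1, B2, B3) rows of each round so the invariant m·A1 + b·A2 = A3 and m·B1 + b·B2 = B3 can be checked, and reproduces the inverse of 5 in GF(7), the Table 4.4 result 550^{-1} = 355 in GF(1759), and the "no inverse" outcome for 6 modulo 8. The function names are my own.

```python
# Added example (not from the slides or from Stallings): EXTENDED EUCLID(m, b)
# with every (A, B, Q) row recorded, so the relations m*A1 + b*A2 = A3 and
# m*B1 + b*B2 = B3 can be verified at each step of the trace.

def extended_euclid(m, b):
    """Return (gcd, inverse, trace) for integers m > 0 and 0 <= b < m.

    inverse is b^-1 mod m when gcd == 1, otherwise None.
    trace is a list of (A, B, Q) tuples, one per loop round.
    """
    A = (1, 0, m)                         # step 1
    B = (0, 1, b)
    trace = []
    while True:
        if B[2] == 0:                     # step 2: gcd found, no inverse exists
            return A[2], None, trace
        if B[2] == 1:                     # step 3: gcd = 1, B2 is the inverse
            return 1, B[1] % m, trace
        Q = A[2] // B[2]                  # step 4
        T = tuple(a - Q * bb for a, bb in zip(A, B))   # step 5
        trace.append((A, B, Q))
        A, B = B, T                       # steps 6 and 7, then goto 2

def invariant_holds(m, b, trace):
    """Check m*X1 + b*X2 == X3 for every A row and B row in the trace."""
    return all(m * row[0] + b * row[1] == row[2]
               for A, B, _ in trace for row in (A, B))

def inverse_mod(b, m):
    """b^-1 mod m, or None when gcd(m, b) != 1 (e.g. 6 modulo 8)."""
    return extended_euclid(m, b % m)[1]

if __name__ == "__main__":
    g, inv, tr = extended_euclid(7, 5)
    for A, B, Q in tr:
        print(f"A = {A}  B = {B}  Q = {Q}")
    print("gcd(7, 5) =", g, " 5^-1 mod 7 =", inv)          # 3
    print("550^-1 mod 1759 =", inverse_mod(550, 1759))        # 355, Table 4.4
    print("6^-1 mod 8 =", inverse_mod(6, 8))                  # None
```

The trace printed for (7, 5) is the same two rounds as the hand computation above; the invariant check is what justifies reading the inverse off B2 when B3 reaches 1.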
5/3 = (5 × 3^{-1}) mod 7 = (5 × 5) mod 7 = 4, since 3 × 5 = 15 ≡ 1 (mod 7).
(3) If S is the set of integers, which is a ring but not a field, then 5/3 produces a quotient of 1 and a remainder of 2: 5/3 = 1 + 2/3, i.e. 5 = 1 × 3 + 2. Division is not exact over the set of integers.

Polynomials over GF(2)
Coefficients are in {0, 1} and coefficient arithmetic is mod 2. Addition is equivalent to the XOR operation, multiplication is equivalent to the logical AND operation, and addition and subtraction are the same operation:
mod 2: 1 + 1 = 1 − 1 = 0; 1 + 0 = 1 − 0 = 1; 0 + 1 = 0 − 1 = 1.

Figure 4.4. Examples of Polynomial Arithmetic over GF(2)
f(x) = x^7 + x^5 + x^4 + x^3 + x + 1, g(x) = x^3 + x + 1
(a) Addition: f(x) + g(x) = x^7 + x^5 + x^4
(b) Subtraction: f(x) − g(x) = x^7 + x^5 + x^4 (identical to addition)
(c) Multiplication: f(x) × g(x) = x^10 + x^4 + x^2 + 1.
Partial products: x^3 f(x) = x^10 + x^8 + x^7 + x^6 + x^4 + x^3; x f(x) = x^8 + x^6 + x^5 + x^4 + x^2 + x; 1 × f(x) = x^7 + x^5 + x^4 + x^3 + x + 1. XOR-ing the three leaves x^10 + x^4 + x^2 + 1.
(d) Division: f(x) ÷ g(x) = x^4 + 1 with remainder 0.
f(x) − x^4 g(x) = (x^7 + x^5 + x^4 + x^3 + x + 1) − (x^7 + x^5 + x^4) = x^3 + x + 1 = g(x), and g(x) − 1 × g(x) = 0.

Bounding the degree: reduction modulo a polynomial
Just as integers are reduced modulo a prime p (x mod p), polynomials are reduced modulo a "prime polynomial", i.e. an irreducible polynomial: f(x) mod m(x).
A polynomial m(x) over a field F is irreducible if and only if m(x) cannot be expressed as a product of two polynomials, both over F and both of degree lower than that of m(x).
Example: f(x) = x^3 + x + 1 is irreducible over GF(2). The polynomial f(x) = x^4 + 1 over GF(2) is reducible: x^4 + 1 = (x + 1)(x^3 + x^2 + x + 1).

Finding the GCD of polynomials
The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x) if c(x) divides both a(x) and b(x), and any divisor of a(x) and b(x) is a divisor of c(x). An equivalent definition: gcd[a(x), b(x)] is the polynomial of maximum degree that divides both a(x) and b(x).
Finding the GCD and the multiplicative inverse of polynomials uses the same methods as for integers.

Algorithm (assumes that the degree of a(x) is greater than the degree of b(x)). To find gcd[a(x), b(x)]:
EUCLID[a(x), b(x)]
1. A(x) ← a(x); B(x) ← b(x)
2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
3. R(x) = A(x) mod B(x)
4. A(x) ← B(x)
5. B(x) ← R(x)
6. goto 2

4.6 Finite Fields of the Form GF(2^n)
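Before looking at GF(2^n), here is an added example (my own code, not from the slides or from Stallings) of the Section 4.5 polynomial arithmetic over GF(2). A polynomial is stored as a Python int with bit i holding the coefficient of x^i, so addition and subtraction are XOR; multiplication, long division, EUCLID[a(x), b(x)] and an irreducibility test by trial division follow the definitions above. It reproduces Figure 4.4, shows x^4 + 1 factoring as (x + 1)(x^3 + x^2 + x + 1), and enumerates the irreducible cubics over GF(2). The function names are my own.

```python
# Added example (not from the slides or from Stallings): polynomials over GF(2)
# as ints, bit i = coefficient of x^i, e.g. x^7 + x^5 + x^4 + x^3 + x + 1 = 0b10111011.

def deg(p):
    """Degree of p; -1 for the zero polynomial."""
    return p.bit_length() - 1

def poly_add(a, b):
    """Addition over GF(2) is XOR; subtraction is the same operation."""
    return a ^ b

def poly_mul(a, b):
    """Carry-less multiplication: coefficients combined mod 2 (XOR of shifted a)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    """Long division: returns (quotient, remainder) with deg(remainder) < deg(b)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift
        a ^= b << shift            # subtract b(x) * x^shift (XOR over GF(2))
    return q, a

def poly_gcd(a, b):
    """EUCLID[a(x), b(x)] from the slides: gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a

def is_irreducible(m):
    """Trial division: m(x) is irreducible iff no polynomial of degree
    1..deg(m)//2 divides it (a factorization must contain such a factor)."""
    n = deg(m)
    if n < 1:
        return False
    for d in range(1, n // 2 + 1):
        for f in range(1 << d, 1 << (d + 1)):   # every polynomial of degree d
            if poly_divmod(m, f)[1] == 0:
                return False
    return True

def irreducibles(n):
    """All irreducible polynomials of degree n over GF(2)."""
    return [m for m in range(1 << n, 1 << (n + 1)) if is_irreducible(m)]

def to_str(p):
    """Render an int-encoded polynomial as a sum of x^i terms."""
    if p == 0:
        return "0"
    terms = ["x^%d" % i if i > 1 else ("x" if i == 1 else "1")
             for i in range(deg(p), -1, -1) if p >> i & 1]
    return " + ".join(terms)

if __name__ == "__main__":
    f = 0b10111011   # x^7 + x^5 + x^4 + x^3 + x + 1 (Figure 4.4)
    g = 0b1011       # x^3 + x + 1
    print("f + g =", to_str(poly_add(f, g)))
    print("f * g =", to_str(poly_mul(f, g)))
    print("f / g =", [to_str(p) for p in poly_divmod(f, g)])
    print("x^4 + 1 irreducible?", is_irreducible(0b10001))
    print("irreducible cubics:", [to_str(m) for m in irreducibles(3)])
```

Trial division up to degree ⌊n/2⌋ is enough because any factorization of an nth-degree polynomial has a factor of degree at most n/2; for the small degrees used in this chapter it is also fast enough to enumerate every candidate modulus.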
This section makes two points:
1. Z8 and GF(2^3) are very different.
2. Arithmetic in GF(2^n) is done on polynomials whose coefficients are reduced mod 2 and whose degree never exceeds n − 1, so every element is one of the values 0 to 2^n − 1.

Z8 versus GF(2^3)
Z8: the integers 0, 1, 2, 3, 4, 5, 6, 7 with arithmetic modulo 8.
GF(2^3): the polynomials 0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1, written in binary as 000, 001, 010, 011, 100, 101, 110, 111.
Both use exactly the integers that fit into a given number of bits.
Addition in Z8 and GF(2^3); Multiplication in Z8 and GF(2^3); Inverses in Z8 and GF(2^3) (tables).
The values are not evenly distributed in Z8: in the multiplication table the nonzero integers do not appear an equal number of times.
Integer: 1 2 3 4 5 6 7
Occurrences in Z8: 4 8 4 12 4 8 4
Occurrences in GF(2^3): 7 7 7 7 7 7 7
Correspondingly, in Z8 only 1, 3, 5 and 7 have multiplicative inverses, while in GF(2^3) every nonzero element has one.

The set of p^n polynomials
For p = 2 and n = 3, the 2^3 = 8 polynomials in the set GF(2^3) are 0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1 (000, 001, 010, 011, 100, 101, 110, 111).
For p = 3 and n = 2, the 3^2 = 9 polynomials in the set GF(3^2) are 0, 1, 2, x, x + 1, x + 2, 2x, 2x + 1, 2x + 2 (00, 01, 02, 10, 11, 12, 20, 21, 22).

Arithmetic in GF(2^n) on polynomials must satisfy two conditions.
Coefficients: arithmetic on the coefficients is performed modulo 2; that is, we use the rules of arithmetic for the finite field Z2.
Degree at most n − 1 (reduction mod m(x)): if multiplication results in a polynomial of degree greater than n − 1, the polynomial is reduced modulo an irreducible polynomial m(x) of degree n; that is, we divide by m(x) and keep the remainder. For a polynomial f(x), the remainder is expressed as r(x) = f(x) mod m(x).

Irreducible polynomial m(x): an irreducible nth-degree polynomial m(x) has x^n as its highest power for some integer n.
Isomorphic: any two finite-field structures of a given order have the same structure, but the representation, or labels, of the elements may be different.
Example: there are two irreducible polynomials of degree 3 that can serve as m(x) to construct the finite field GF(2^3): (1) x^3 + x^2 + 1; (2) x^3 + x + 1.
Table 4.6. Polynomial Arithmetic Modulo (x^3 + x + 1)

Addition
Consider the two polynomials in GF(2^8) from our earlier example: f(x) = x^6 + x^4 + x^2 + x + 1 and g(x) = x^7 + x + 1.
(polynomial notation) (x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2
(binary notation) (01010111) ⊕ (10000011) = (11010100)
(decimal {hex} notation) 87 {57} + 131 {83} = 212 {D4}

Multiplication
We discuss the technique with reference to GF(2^8) using m(x) = x^8 + x^4 + x^3 + x + 1 (the polynomial used by AES).
Equation 4-8: x^8 mod m(x) = [m(x) − x^8] = x^4 + x^3 + x + 1
Equation 4-9: x × f(x) = (b7 x^8 + b6 x^7 + b5 x^6 + b4 x^5 + b3 x^4 + b2 x^3 + b1 x^2 + b0 x) mod m(x)
Equation 4-10: x × f(x) = (b6 b5 b4 b3 b2 b1 b0 0) if b7 = 0; (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (00011011) if b7 = 1
That is, multiplication by x is a 1-bit left shift, followed by a conditional XOR with 00011011 (x^4 + x^3 + x + 1) when the bit shifted out, b7, is 1.

Multiplication example
f(x) = x^6 + x^4 + x^2 + x + 1 (01010111), g(x) = x^7 + x + 1 (10000011), m(x) = x^8 + x^4 + x^3 + x + 1. Find f(x) × g(x) mod m(x).
Repeatedly multiplying f(x) by x using Equation 4-10:
(01010111) × (00000001) = (01010111)
(01010111) × (00000010) = (10101110)
(01010111) × (00000100) = (01011100) ⊕ (00011011) = (01000111)
(01010111) × (00001000) = (10001110)
(01010111) × (00010000) = (00011100) ⊕ (00011011) = (00000111)
(01010111) × (00100000) = (00001110)
(01010111) × (01000000) = (00011100)
(01010111) × (10000000) = (00111000)
Since g(x) = x^7 + x + 1, f(x) × g(x) = (01010111) ⊕ (10101110) ⊕ (00111000) = (11000001), which is equivalent to x^7 + x^6 + 1.

Application
With 8 bits we can represent 0 to 255. 256 is not a prime, so Z256 is not a field. 251 is prime, so Z251 is a field, but then the values 251 to 255 would go unused. GF(2^8) is a field as well, and it uses all 256 values.
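As an added example (my own code, not from the slides or from Stallings), the following implements the shift-and-conditional-XOR multiplication by x of Equation 4-10, generalized to GF(2^n) with any irreducible m(x) of degree n, builds full multiplication on top of it, obtains inverses by exponentiation (a^{2^n − 2}, which holds in any field with 2^n elements), and recomputes the occurrence counts of the Z8 versus GF(2^3) multiplication tables from Section 4.6. It reproduces {57} × {83} = {C1} under the AES polynomial; the constants AES_M and GF8_M and all function names are my own.

```python
# Added example (not from the slides or from Stallings): GF(2^n) arithmetic
# via Equation 4-10 (shift left, XOR with m(x) when the x^n bit appears).
# Elements are ints, bit i = coefficient of x^i; m is passed WITH its x^n bit.

AES_M = 0b1_0001_1011    # x^8 + x^4 + x^3 + x + 1, the GF(2^8) modulus above
GF8_M = 0b1011           # x^3 + x + 1, the modulus of Table 4.6

def xtime(a, m, n):
    """a(x) * x mod m(x): left shift; if x^n appears, XOR with m(x), which clears
    the x^n bit and adds m(x) - x^n (Equation 4-8)."""
    a <<= 1
    if a >> n & 1:
        a ^= m
    return a

def gf_mul(a, b, m, n):
    """a(x) * b(x) mod m(x): XOR together a*x^i for every set bit i of b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a, m, n)
        b >>= 1
    return r

def gf_pow(a, e, m, n):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m, n)
        a = gf_mul(a, a, m, n)
        e >>= 1
    return r

def gf_inv(a, m, n):
    """Multiplicative inverse: the nonzero elements form a group of order
    2^n - 1, so a^(2^n - 1) = 1 and a^(2^n - 2) = a^-1. Zero has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(a, (1 << n) - 2, m, n)

def product_counts(mul, size):
    """How often each nonzero value 1..size-1 occurs among the products
    of nonzero pairs (the occurrence table of Section 4.6)."""
    counts = [0] * size
    for a in range(1, size):
        for b in range(1, size):
            counts[mul(a, b)] += 1
    return counts[1:]

if __name__ == "__main__":
    print("{57} * {83} =", hex(gf_mul(0x57, 0x83, AES_M, 8)))   # 0xc1
    print("{57}^-1     =", hex(gf_inv(0x57, AES_M, 8)))
    print("Z8      :", product_counts(lambda a, b: (a * b) % 8, 8))
    print("GF(2^3) :", product_counts(lambda a, b: gf_mul(a, b, GF8_M, 3), 8))
```

Passing m(x) with its leading x^n bit set is what lets one XOR both remove the overflow bit and add x^4 + x^3 + x + 1 in one step; for n = 8 this is exactly the (00011011) of Equation 4-10. The Z8 counts come out as 4, 8, 4, 12, 4, 8, 4 and the GF(2^3) counts as 7 for every value, matching the table above.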