Isomorphism and AES

Uploaded by aishik2002a

Topic: Field Isomorphisms

Concepts Covered:
❑ Recap of Groups, Rings, Fields
❑ Binary Finite Fields
❑ Primitive Elements
❑ Bases
❑ Isomorphism and Composite Fields
❑ Construction of Isomorphisms
Groups, Rings, and Fields

• A group, denoted by {G, .}, is a set of elements G with a binary operation '.' such that for each ordered pair (a, b) of elements in G the following axioms hold:
• Closure: If a, b ∈ G, then a.b ∈ G
• Associative: a.(b.c) = (a.b).c for all a, b, c ∈ G
• Identity Element: There is a unique element e ∈ G such that a.e = e.a = a for all a ∈ G.
• Inverse Element: For each a ∈ G, there is an element a' ∈ G such that a.a' = a'.a = e
If the group also satisfies a.b = b.a for all a, b ∈ G, then it is known as a commutative or abelian group.
Groups, Rings, and Fields (contd.)
• A ring, denoted by {R, +, .}, is a set of elements R with two binary operations '+' and '.' such that for all a, b, c ∈ R the following axioms hold:
• R is an abelian group under addition.
• The closure property of R is satisfied under multiplication.
• The associativity property of R is satisfied under multiplication.
• There exists a multiplicative identity element, denoted by 1, such that for every a ∈ R, a.1 = 1.a = a.
• Distributive Law: For all a, b, c ∈ R, a.(b+c) = a.b + a.c and (a+b).c = a.c + b.c
• The set of integers, real numbers, rational numbers, and complex numbers are all rings.
• A ring is said to be commutative if the commutative property under multiplication holds. That is, for all a, b ∈ R, a.b = b.a
Groups, Rings, and Fields (contd.)
• A field, denoted by {F, +, .}, is a commutative ring which satisfies the following conditions:
• Multiplicative Inverse: For every element a ∈ F except 0, there exists a unique element $a^{-1} \in F$ such that $a.a^{-1} = a^{-1}.a = 1$. The multiplicative inverse of a is $a^{-1}$.
• No Zero Divisors: If a, b ∈ F and a.b = 0, then either a = 0 or b = 0.
• The set of rational numbers, real numbers and complex numbers are examples of fields, but the set of integers is not.
• This is because the multiplicative inverse property does not hold for the integers.
• Characteristic: It is the minimal value of the integer k such that for any element a ∈ F, $\underbrace{a + \cdots + a}_{k\ \text{times}} = k.a = 0$, where 0 ∈ F is the additive identity of the field. Since the inverse $a^{-1}$ exists, we can alternatively say k.1 = 0, where 1 is the multiplicative identity of the field F.
GF(2): An Efficient Galois Field

• Elements are {0, 1}.
• Most computing systems are built on binary number systems.
• A single bit can be used to represent an element in GF(2).
• Compare it with that required for GF(3).
• Addition in GF(2) can be realized by only XORs.
• Extension fields of GF(2) are denoted as GF(2^m) and also lead to efficient arithmetic operations.
Binary Finite Fields

• A polynomial of the form $a(x) = a_m x^m + a_{m-1} x^{m-1} + \cdots + a_1 x + a_0$ is said to be a polynomial over GF(2) if the coefficients are in GF(2).
• Furthermore, the polynomial is said to be irreducible over GF(2) if a(x) is divisible only by c or by c.a(x), where c ∈ GF(2).
• An irreducible polynomial of degree m with coefficients in GF(2) can be used to construct the extension field GF(2^m).
• All elements of the extension field can be represented by polynomials of degree (m−1) over GF(2).
Example GF(2^4)

• Irreducible Polynomial: $x^4 + x + 1$
• Generator: x
• Elements ($x^k$ for k = 1, …, 15, reduced using $x^4 = x + 1$):
  1: $x$
  2: $x^2$
  3: $x^3$
  4: $x^4 = x + 1$
  5: $x^2 + x$
  6: $x^3 + x^2$
  7: $x^4 + x^3 = x^3 + x + 1$
  8: $x^4 + x^2 + x = x^2 + x + x + 1 = x^2 + 1$
  9: $x^3 + x$
  10: $x^4 + x^2 = x^2 + x + 1$
  11: $x^3 + x^2 + x$
  12: $x^4 + x^3 + x^2 = x^3 + x^2 + x + 1$
  13: $x^4 + x^3 + x^2 + x = x^3 + x^2 + x + x + 1 = x^3 + x^2 + 1$
  14: $x^4 + x^3 + x = x^3 + 1$
  15: $x^4 + x = 1$
Primitive Element of a Field
• Consider the field GF(2^n).
• There is an element α such that every non-zero element can be written in the form $\alpha^k$.
• This element is called the generator or primitive element of the group.
• A primitive polynomial is the monic polynomial of minimum degree such that the primitive element is a root.
• A primitive polynomial is always irreducible, but not vice-versa.
• Over GF(2^n), there are $\phi(2^n - 1)/n$ primitive polynomials, where φ is Euler's Totient function.
Bases of the Binary Field
• Such fields are represented using two types of bases:
• Polynomial base: Let p(x) be an irreducible polynomial of degree m over GF(2), used to construct GF(2^m), and let α be a root of p(x). Then the set $\{1, \alpha, \alpha^2, \cdots, \alpha^{m-1}\}$ is called the polynomial base.
• Normal base: Let p(x) be as above, and let α be a root of p(x). Then the set $\{\alpha, \alpha^2, \alpha^{2^2}, \cdots, \alpha^{2^{m-1}}\}$ is called the normal base, if the m elements are linearly independent.
Polynomial Representation

• Any element in the field can be expressed in terms of its bases.
• For example, in the field GF(2^m), an element can be expressed wrt. its polynomial base as:
$a(\alpha) = a_{m-1} \alpha^{m-1} + \cdots + a_1 \alpha + a_0$
Isomorphism

For two groups G1 and G2, a surjective function f: G1 → G2 is said to be a homomorphism iff $f(x \circ y) = f(x) \dagger f(y)$.

Note, the operators on the left and right are not the same.

An injective (one-to-one) homomorphism is called an isomorphism.

The idea of isomorphism can be extended to rings and fields. In these extensions the only difference is that the latter two are defined wrt. two operators, say (+, .). Thus, we say f: R1 → R2 is a field isomorphism iff f(a+b) = f(a)+f(b) and f(a.b) = f(a).f(b) for every a and b in R1.
Example in GF(2^4)

There are 3 irreducible polynomials of degree 4, which can be used to construct the above field elements: $f_1(z) = z^4 + z + 1$, $f_2(z) = z^4 + z^3 + 1$, $f_3(z) = z^4 + z^3 + z^2 + z + 1$.
The fields are denoted as F1, F2, and F3 respectively.
The resulting fields all have 16 elements, as shown above.
However, the operations are different.
For example, the same operation $z . z^3$ results in $z^4 = z + 1$, $z^3 + 1$, and $z^3 + z^2 + z + 1$ in the 3 fields respectively.
Defining Isomorphism
• The fields are isomorphic, and one can establish a mapping between say F1 and F2 by computing $c \in F_2$ such that $f_1(c) \equiv 0 \pmod{f_2}$.
• The mapping $z \to c$ is thus used to construct the isomorphism, say T: F1 → F2.
• An example for c could be $c = z^2 + z$. To verify, compute:
$f_1(z^2 + z) = (z^2 + z)^4 + (z^2 + z) + 1 = z^8 + z^4 + z^2 + z + 1 \pmod{f_2}$
Now, note that for mod $f_2$ we substitute $z^4 = z^3 + 1$:
$z^4 = z^3 + 1 \Rightarrow z^5 = z^4 + z = z^3 + z + 1 \Rightarrow z^6 = z^4 + z^2 + z = z^3 + z^2 + z + 1 \Rightarrow z^8 = z^6 + 1 = z^3 + z^2 + z$
Thus, $f_1(c) = z^8 + z^4 + z^2 + z + 1 \equiv 0 \pmod{f_2}$.
Check on Homomorphism
• Consider two elements $e_1 = z^2 + z$, $e_2 = z^3 + z$.
• Product in field F1: $(z^2 + z)(z^3 + z) = z^5 + z^4 + z^3 + z^2$
• In field F1: $z^4 = z + 1 \Rightarrow z^5 = z^2 + z$.
• Thus, the product is: $z^2 + z + z^3 + z + 1 + z^2 = z^3 + 1$.
• The same operation can also be performed in the field F2.
• Compute $T(e_1) = (z^2 + z)^2 + (z^2 + z) \bmod (z^4 + z^3 + 1) = z^4 + z^2 + z^2 + z = z^3 + z + 1$.
• Likewise, $T(e_2) = (z^2 + z)^3 + (z^2 + z) \bmod (z^4 + z^3 + 1) = z + 1$.
Check on Homomorphism (contd.)

Multiplying in the field F2: $T(e_1) . T(e_2) = (z + 1)(z^3 + z + 1) \bmod (z^4 + z^3 + 1) = z^2$.

This can be seen as the mapped result from F1:
$T(z^3 + 1) = (z^2 + z)^3 + 1 = (z^6 + z^5 + z^4 + z^3 + 1) \bmod (z^4 + z^3 + 1) = (z^3 + z^2 + z + 1) + (z^3 + z + 1) + (z^3 + 1) + (z^3 + 1) = z^2$
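The mapping T: F1 → F2 worked through above, as an added example (not code from the slides): it finds every c ∈ F2 with f1(c) ≡ 0 mod f2, builds T from the substitution z → c, reproduces T(e1), T(e2) and T(e1.e2), and then checks the homomorphism for every pair of elements. The 4-bit element encoding and the function names are this example's own assumptions.

```python
# Added example (not from the slides): the isomorphism T: F1 -> F2 between GF(2^4) built with
# f1 = z^4 + z + 1 and with f2 = z^4 + z^3 + 1. An element is a 4-bit int, bit i = coefficient of z^i.
F1 = 0b10011  # f1(z) = z^4 + z + 1
F2 = 0b11001  # f2(z) = z^4 + z^3 + 1

def gf_mul(a, b, mod, m=4):  # product of polynomials over GF(2), reduced modulo mod of degree m
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= mod if a >> m else 0
    return r

def gf_pow(a, e, mod):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a, mod)
    return r

def evaluate(poly, c, mod):  # value of poly (a coefficient bitmask) at field element c, in the field of mod
    r = 0
    for i in range(poly.bit_length()):
        r ^= gf_pow(c, i, mod) if (poly >> i) & 1 else 0
    return r

def roots_of_f1_in_F2():  # every c in F2 with f1(c) = 0 mod f2; each one gives a valid map z -> c
    return [c for c in range(16) if evaluate(F1, c, F2) == 0]

def make_iso(c):  # T(a(z)) = a(c) mod f2: the slides' substitution z -> c applied to each element of F1
    return [evaluate(a, c, F2) for a in range(16)]

def is_field_isomorphism(T):  # bijective and compatible with + (XOR) and . in both fields
    if sorted(T) != list(range(16)):
        return False
    return all(T[a ^ b] == T[a] ^ T[b] and T[gf_mul(a, b, F1)] == gf_mul(T[a], T[b], F2)
               for a in range(16) for b in range(16))

if __name__ == "__main__":
    T = make_iso(0b0110)                     # c = z^2 + z, the slides' choice
    e1, e2 = 0b0110, 0b1010                  # z^2 + z and z^3 + z
    print("roots of f1 in F2:", roots_of_f1_in_F2())                   # c, c^2, c^4, c^8
    print("T(e1), T(e2), T(e1.e2), T(e1).T(e2):",
          T[e1], T[e2], T[gf_mul(e1, e2, F1)], gf_mul(T[e1], T[e2], F2))
```

The four roots found are the conjugates c, c², c⁴, c⁸; any one of them defines a valid isomorphism, and an element that is not a root (such as c = 1) fails the check.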
Composite Fields

• The pair of the fields GF(2^n) and GF((2^n)^m) is called a composite field, if there exist irreducible polynomials Q(Y) of degree n and P(X) of degree m, which are used to extend GF(2) to GF(2^n), and GF((2^n)^m) from GF(2^n).
• The composite field GF((2^n)^m) is isomorphic to the field GF(2^k), where k = m × n.
Constructing Isomorphisms between Composite Fields

• Let the primitive polynomial used to construct GF(2^n) be denoted by Q(Y).
• Let ω be the root.
• Then the elements are $\{0, 1, \omega, \omega^2, \cdots, \omega^{2^n - 2}\}$.
• The primitive polynomial used to construct GF((2^n)^m) is denoted by P(X).
• Let α be the root.
• Then the elements are $\{0, 1, \alpha, \alpha^2, \cdots, \alpha^{2^{nm} - 2}\}$.
• Arithmetic in the field GF(2^k), k = m × n, can be performed modulo the primitive polynomial $R(z) = z^k + r_{k-1} z^{k-1} + \cdots + 1$, $r_i \in GF(2)$.
Mapping from GF(2^k) to GF((2^n)^m), where k = nm

• A simple method to obtain such a conversion is to find the primitive elements of both the fields, GF(2^k) and GF((2^n)^m).
• The primitive elements are denoted by γ and α respectively.
• One checks: R(γ) = 0, and $R(\alpha) \bmod P(X), Q(Y) \equiv 0$.
• Thus, we establish the following mapping from GF(2^k) to GF((2^n)^m): γ → α.
• If the roots do not satisfy the polynomial R, we repeat the test for the next primitive element.
• Subsequent mappings are easy to find:
• GF(2^k) → GF((2^n)^m): $\gamma^i \to \alpha^i$, $0 \le i \le 2^k - 2$
Algorithm

Input: n, m, Q(Y), P(X), R(Z)
Output: GF(2^k) → GF((2^n)^m), k = n × m
1. Find a primitive element of GF(2^k): γ
2. For (α = 1; α < 2^{nm} − 1; α++) do
       if (isPrimitive(α) & R(α) mod Q(Y), P(X) ≡ 0) break;
   end
3. For (i = 0; i < 2^{nm} − 1; i++)
       a1 = α^i mod Q(Y), P(X)
       b1 = γ^i mod R(Z)
       Map: a1 → b1
Example: GF(2^4) → GF((2^2)^2)
• R(Z) = Z^4 + Z + 1, Q(Y) = Y^2 + Y + 1, P(X) = X^2 + X + {2}, where {2} ∈ GF(2^2).
• Note, Q(Y) is used to construct GF(2^2), while P(X) is used to extend to the field GF((2^2)^2).
• The first primitive element γ ∈ GF(2^4) is 2. It can be checked that '2' can be used to generate all the non-zero elements of GF(2^4).
• Likewise, the first primitive element of GF((2^2)^2) such that R(Z) ≡ 0 [mod Q(Y), P(X)] is 4.
• Hence, the map is: 2 → 4. Also, 0 is mapped to 0.
Example Isomorphic Mapping GF(2^4) → GF((2^2)^2)

Proof that {4} ∈ GF((2^2)^2) is the correct choice.

Note, 4 = 0100 = X.
$R(X) = X^4 + X + 1 \bmod Q(Y), P(X)$.
Note: $X^2 = X + 2 \Rightarrow X^3 = 3X + 2 \Rightarrow X^4 = 3X^2 + 2X = 3(X + 2) + 2X = X + 1 \Rightarrow R(4) = 0 \bmod P(X), Q(Y)$.

For checking 3.2 in GF(2^2), express 3 as Y + 1 and 2 as Y. Thus, with the irreducible polynomial Q(Y) = Y^2 + Y + 1, we have Y(Y + 1) = 1.
An Efficient Conversion Algorithm

• Present an efficient algorithm for converting between binary and composite fields.
• Maps GF(2^k) → GF((2^n)^m), k = n × m.
• Returns a binary k × k 0-1 matrix T, which performs the mapping.
• Evidently, the inverse of T does the reverse mapping.
• The mapping works by relating only k elements (rather than 2^k).
• It maps the basis vectors.
Mapping the k elements
• The polynomial base of GF(2^k) is $1, \gamma, \gamma^2, \cdots, \gamma^{k-1}$, where γ is the primitive element of GF(2^k).
• The unity in both fields is the polynomial 1.
• We first map the unity element in GF(2^k) to the unity element in GF((2^n)^m).
• The primitive element in GF(2^k), say γ, is mapped to the element $\alpha^t$; the base element $\gamma^2$ is mapped to $\alpha^{2t}$. Thus, continuing,

$T(\gamma^i) = \alpha^{it}, \quad i = 0, 1, \cdots, k - 1$
Check for t
• Of course, the choice of t cannot be arbitrary; it has to be made such that the homomorphism is established wrt. additions and multiplications.
• We check: $R(\alpha^t) = 0 \bmod Q(Y), P(X)$.
• There will be exactly k primitive elements which satisfy the condition, namely $\alpha^t$ and $\alpha^{t 2^j}$, $j = 1, 2, \cdots, k - 1$. Here the exponents are computed modulo $2^k - 1$. [This follows from the fact that if $R(X) \equiv 0 \Rightarrow R(X^2) \equiv R(X^{2^j}) \equiv 0$, $j = 1, 2, \cdots, k - 1$.]
Algorithm
Input: n, m, Q(Y), P(X), R(Z)
Output: T
α is the primitive element in GF((2^n)^m) for which P(α) ≡ 0.
t = 1
Initialize the array S[1 : 2^k − 1] with 2^k − 1 addresses and 1 bit of information.
Initialize a k × k matrix T with each column indicated by T[i], 1 ≤ i ≤ k.
Set T[k] = (0 ⋯ 0 1)^T
while (R(α^t) != 0) {
    for (j = 0; j < k − 1; j++) S[t · 2^j mod (2^k − 1)] = 0; t++;
    while (S[t] == 0 or gcd(t, 2^k − 1) > 1) t++;
}
for (j = 2; j < k; j++) T[j] = binary(α^{(j−1)t})
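An added example (not the slides' code) covering the GF(2^4) → GF((2^2)^2) example and the conversion algorithm above: composite-field arithmetic with the given Q(Y) and P(X), the search for the first primitive α with R(α) ≡ 0, the conjugate exponents t described on the "Check for t" slide, and the basis-column matrix T, checked exhaustively as a field isomorphism. The element packings and function names are this example's own assumptions.

```python
# Added example (not from the slides): GF(2^4) -> GF((2^2)^2) with the polynomials of
# the example above, built column by column as the conversion algorithm builds T.
R = 0b10011   # R(Z) = Z^4 + Z + 1 defines GF(2^4); bit i of an element = coefficient of Z^i
Q = 0b111     # Q(Y) = Y^2 + Y + 1 defines GF(2^2); elements are 2-bit ints, 2 = Y, 3 = Y + 1
P_CONST = 2   # P(X) = X^2 + X + {2}; composite elements a1*X + a0 are packed as (a1 << 2) | a0

def gf_mul(a, b, mod, m):  # product of polynomials over GF(2), reduced modulo mod of degree m
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= mod if a >> m else 0
    return r

def comp_mul(a, b):  # multiply in GF((2^2)^2): coefficients via Q(Y), then X^2 = X + {2}
    a1, a0, b1, b0 = a >> 2, a & 3, b >> 2, b & 3
    c2 = gf_mul(a1, b1, Q, 2)
    c1 = gf_mul(a1, b0, Q, 2) ^ gf_mul(a0, b1, Q, 2) ^ c2
    c0 = gf_mul(a0, b0, Q, 2) ^ gf_mul(c2, P_CONST, Q, 2)
    return (c1 << 2) | c0

def comp_pow(a, e):
    r = 1
    for _ in range(e):
        r = comp_mul(r, a)
    return r

def r_of(alpha):  # R(alpha) = alpha^4 + alpha + 1 evaluated mod Q(Y), P(X)
    return comp_pow(alpha, 4) ^ alpha ^ 1

def first_alpha():  # step 2 of the algorithm: first primitive element that is a root of R
    return next(a for a in range(1, 16)
                if len({comp_pow(a, i) for i in range(15)}) == 15 and r_of(a) == 0)

def valid_t(alpha):  # exponents t with R(alpha^t) = 0: alpha^t and its conjugates alpha^(t 2^j)
    return [t for t in range(1, 15) if r_of(comp_pow(alpha, t)) == 0]

def build_T(alpha, t=1):  # column i of the k x k matrix T is T(gamma^i) = alpha^(i t), gamma = Z
    return [comp_pow(alpha, i * t) for i in range(4)]

def apply_T(cols, a):  # matrix-vector product over GF(2): XOR the columns selected by bits of a
    r = 0
    for i, col in enumerate(cols):
        r ^= col if (a >> i) & 1 else 0
    return r

def is_isomorphism(cols):  # bijective and T(a.b) = T(a).T(b) for all a, b (additivity is built in)
    T = [apply_T(cols, a) for a in range(16)]
    return sorted(T) == list(range(16)) and all(
        T[gf_mul(a, b, R, 4)] == comp_mul(T[a], T[b]) for a in range(16) for b in range(16))
```

`first_alpha()` returns 4 (= X) and `valid_t(4)` returns [1, 2, 4, 8], so any of the four conjugate choices of t yields a valid T, while a t such as 3 (which also fails the gcd test) does not.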
Topic: Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES)

• NIST's standard for block cipher since October 2000.

          Key Length   No. of rounds
AES-128   16 bytes     10
AES-192   24 bytes     12
AES-256   32 bytes     14

• Each round has
• Randomness Layer: Round key addition
• Confusion Layer: Byte Substitution
• Diffusion Layer: Shift row and Mix column
(the last round does not have the mix column step)
The AES State Representation

[Figure: the 16 plaintext bytes a b c d e f g h i j k l m n o p are loaded column by column into a 4×4 matrix of bytes (a e i m / b f j n / c g k o / d h l p); AES transforms it into the ciphertext state A E I M / B F J N / C G K O / D H L P, which is read out as the 16 ciphertext bytes.]

• 16 bytes arranged in a 4x4 matrix of bytes


Plaintext
Block
Secret Key

XOR key
AES-128
Encryption
Byte Substitution
Loop 10 times

Shift Rows

Mix Columns RK1


RK2
(except for the last round) RK3
Ciphertext
Block Add Round Key RK10
Key Expansion
Ciphertext Block

Secret Key

XOR RK10

Inverse Byte Substitution


AES-128
Decryption
Loop 10 times

Inverse Shift Rows

RK9
Add Round Key RK8
Plaintext
Block RK1
Inverse Mix Columns key
(except for the last round) Key Expansion
Add Round Key

a e i m k0 k4 k8 k12 a +k0 e+k4 i+k8 m+k12

b f j n k1 k5 k9 k13 b+k1 f+k5 j+k9 n+k13

c g k o k2 k6 k10 k14 c+k2 g+k6 k+k10 o+k14

d h l p k3 k7 k11 k15 d+k3 h+k7 l+k11 p+k15


Shift Rows

Before       After
a e i m      a e i m
b f j n      f j n b
c g k o      k o c g
d h l p      p d h l

• ShiftRows
• Leave the first row untouched
• Left Rotate (2nd row by 8 bits)
• Left Rotate (3rd row by 16 bits)
• Left Rotate (4th row by 24 bits)
• Implementation in Hardware
• No resources required, only mapping with wires
Inverse Shift Rows

Before       After
a e i m      a e i m
f j n b      b f j n
k o c g      c g k o
p d h l      d h l p

• Inverse ShiftRows
• Leave the first row untouched
• Right Rotate (2nd row by 8 bits)
• Right Rotate (3rd row by 16 bits)
• Right Rotate (4th row by 24 bits)
Mix Columns

Each column (e, f, g, h) of the state is transformed into (E, F, G, H):
$E = 2e + 3f + g + h$
$F = e + 2f + 3g + h$
$G = e + f + 2g + 3h$
$H = 3e + f + g + 2h$

[Figure: the state a e i m / b f j n / c g k o / d h l p is transformed column by column into A E I M / B F J N / C G K O / D H L P.]

• The 4x4 matrix is multiplied with the matrix
$\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}$
Inverse Mix Column
$E = Ee + Bf + Dg + 9h$
$F = 9e + Ef + Bg + Dh$
$G = De + 9f + Eg + Bh$
$H = Be + Df + 9g + Eh$
(coefficients in hexadecimal)

[Figure: the same column-by-column transformation of the state as in Mix Columns.]

• The 4x4 matrix is multiplied with the matrix
$\begin{pmatrix} E & B & D & 9 \\ 9 & E & B & D \\ D & 9 & E & B \\ B & D & 9 & E \end{pmatrix}$
• The hardware implementation can be done in a similar way as mix columns
Byte Substitution

• Makes a non-linear substitution for every byte in the 4x4 matrix

[Figure: each byte of the state a e i m / b f j n / c g k o / d h l p passes through the Sbox, giving A E I M / B F J N / C G K O / D H L P.]
Affine Transformation

$\text{Sbox}(x) = \begin{cases} \text{Affine}(x^{-1}) & \text{if } a \neq 0 \\ \text{Affine}(0) & \text{if } a = 0 \end{cases}$

$\begin{pmatrix} b_7 \\ b_6 \\ b_5 \\ b_4 \\ b_3 \\ b_2 \\ b_1 \\ b_0 \end{pmatrix} = \begin{pmatrix} 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\ 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \end{pmatrix} \begin{pmatrix} a_7 \\ a_6 \\ a_5 \\ a_4 \\ a_3 \\ a_2 \\ a_1 \\ a_0 \end{pmatrix} + \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}$
S-box Encryption Table
• Use a table to do the byte substitution
• E.g. Sbox[42] = 2c (values in hexadecimal)
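An added example (not from the slides) covering the Mix Columns and Byte Substitution slides: it derives the S-box from the inverse in GF(2^8) followed by the affine matrix shown above, reproducing Sbox[42] = 2c, and applies the Mix Columns and Inverse Mix Column equations to a constructed column. The table names, function names and the generator-based multiplication are this example's own assumptions.

```python
# Added example (not from the slides): the AES S-box from its definition, inverse in
# GF(2^8) followed by the affine map whose matrix and constant are given above, plus
# one MixColumns / Inverse MixColumns round trip on a constructed column.

def xtime(a):  # multiply by x (the byte {02}) modulo x^8 + x^4 + x^3 + x + 1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

# log/antilog tables over the generator {03} = x + 1: EXP[i] = {03}^i
EXP = [1]
for _ in range(254):
    EXP.append(EXP[-1] ^ xtime(EXP[-1]))   # times (x + 1) = times x, plus itself
LOG = {v: i for i, v in enumerate(EXP)}

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % 255]

def gf_inv(a):
    return 0 if a == 0 else EXP[(255 - LOG[a]) % 255]

# Rows of the affine matrix above, for b7 down to b0; bit 7 of a row multiplies a7.
AFFINE_ROWS = [0b11111000, 0b01111100, 0b00111110, 0b00011111,
               0b10001111, 0b11000111, 0b11100011, 0b11110001]
AFFINE_CONST = 0b01100011   # the constant column (0,1,1,0,0,0,1,1)^T, i.e. 0x63

def affine(a):
    out = 0
    for idx, row in enumerate(AFFINE_ROWS):                    # idx 0 produces b7
        out |= (bin(row & a).count("1") & 1) << (7 - idx)      # GF(2) dot product
    return out ^ AFFINE_CONST

def sbox(a):
    return affine(gf_inv(a))   # Affine(a^-1) for a != 0, Affine(0) = 0x63 for a = 0

def mix_column(col):  # E = 2e+3f+g+h, F = e+2f+3g+h, G = e+f+2g+3h, H = 3e+f+g+2h
    e, f, g, h = col
    return [gf_mul(2, e) ^ gf_mul(3, f) ^ g ^ h,
            e ^ gf_mul(2, f) ^ gf_mul(3, g) ^ h,
            e ^ f ^ gf_mul(2, g) ^ gf_mul(3, h),
            gf_mul(3, e) ^ f ^ g ^ gf_mul(2, h)]

def inv_mix_column(col):  # rows E B D 9 / 9 E B D / D 9 E B / B D 9 E
    e, f, g, h = col
    return [gf_mul(0xE, e) ^ gf_mul(0xB, f) ^ gf_mul(0xD, g) ^ gf_mul(9, h),
            gf_mul(9, e) ^ gf_mul(0xE, f) ^ gf_mul(0xB, g) ^ gf_mul(0xD, h),
            gf_mul(0xD, e) ^ gf_mul(9, f) ^ gf_mul(0xE, g) ^ gf_mul(0xB, h),
            gf_mul(0xB, e) ^ gf_mul(0xD, f) ^ gf_mul(9, g) ^ gf_mul(0xE, h)]

if __name__ == "__main__":
    print(hex(sbox(0x42)))                          # 0x2c, as on the slide
    col = [0xdb, 0x13, 0x53, 0x45]                  # constructed sample column
    print([hex(x) for x in mix_column(col)], inv_mix_column(mix_column(col)) == col)
```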
