Cryptography and Network Security, Finite Fields: From Third Edition by William Stallings

This document discusses finite fields and their properties. It begins by defining groups, rings, fields, and Galois fields. It then discusses specific finite fields including GF(p) for prime p, and GF(2^n). Operations in these finite fields such as addition, multiplication, and division are defined. The document also covers finding multiplicative inverses in GF(p) using the extended Euclidean algorithm. It provides examples of polynomial arithmetic over finite fields including division, finding the greatest common divisor (GCD) of polynomials, and irreducible polynomials.

Uploaded by Babitha Dhana

Cryptography and Network Security, Finite Fields

From Third Edition by William Stallings
A Group G
• A set of elements together with a binary operation that satisfies
certain relations:
• Axioms:
– A1 (Closure) If a, b ∈ G, then a·b ∈ G
– A2 (Associative) law: (a·b)·c = a·(b·c)
– A3 (has identity) e: e·a = a·e = a
– A4 (has inverses) a’: a·a’ = a’·a = e
• G is a finite group if it has a finite number of elements
• G is abelian if its operation is commutative:
– A5 (commutative) a·b = b·a; for example:
– The set of integers (positive, negative and 0) under addition: the identity is
0, the inverse of a is -a, and a - b = a + (-b)
– The set of nonzero real numbers under multiplication: the identity is 1,
and the inverse of a is 1/a (so division is multiplication by the inverse)
Cyclic Group
• G is cyclic if every element b ∈ G is a
power of some fixed element a
– i.e. b = a^k
• a is said to be a generator of the group G
– example: a^3 = a·a·a, the identity is e = a^0 = 1,
and a^(-n) = (a’)^n, so a^n · a^(-n) = 1;
• The additive group of integers is an infinite
cyclic group generated by the element 1. In
this case, powers are interpreted additively,
so that n is the nth power of 1.
Ring
• A Ring R is an abelian group with two operations
(addition and multiplication) that satisfies A1 to A5
– A1–A5: for addition, the identity is 0 and the inverse of a is -a
– M1: Closure under multiplication: if a, b ∈ R, then ab ∈ R.
– M2: Associativity of multiplication: a(bc) = (ab)c for all
a, b, c ∈ R.
– M3: Distributive laws: a(b + c) = ab + ac, (a + b)c = ac + bc
– WITHOUT LEAVING THE SET
• M4: R is a commutative ring if ba = ab for all a, b ∈ R
• M5: Multiplicative identity: there is an element 1 ∈ R with 1a = a1 = a
for all a ∈ R
• M6: No zero divisors: If a, b ∈ R and ab = 0, then
either a = 0 or b = 0.

An integral domain is a commutative ring that satisfies all of A1–A5 and
M1–M6: an abelian group under addition that obeys M1–M4 and also
M5–M6.
Field
• a set of numbers with two operations:
– abelian group for addition: commutative for
addition
– abelian group for multiplication (ignoring 0):
commutative for multiplication
– It is a ring
• (A1–5, M1–6): F is an integral domain.
• M7: Multiplicative inverse. For each a ∈ F,
except 0, there is an element a^(-1) ∈ F such that
a·a^(-1) = a^(-1)·a = 1
Galois Fields
• Galois fields are for polynomial eqns (group theory,
number theory, Euclidean geometry): the algebraic
solution of a polynomial eqn is related to the
structure of a group of permutations associated with
the roots of the polynomial, and an equation is
solvable in radicals if one can find a series of
normal subgroups of its Galois group which are
abelian, i.e. if its Galois group is solvable. (wikipedia)

• The finite field of order p^n is written GF(p^n).

• Z_n = {0, 1, ..., n-1} with addition and multiplication mod n is a
commutative ring; it is a field only if every nonzero element
has a multiplicative inverse. An integer a in Z_n has a multiplicative
inverse modulo n iff a is relatively prime to n.

• Definition: If n is a prime p, then GF(p) is defined as
the set of integers Z_p = {0, 1, ..., p-1} together with the arithmetic
operations mod p (whereas for general n the set Z_n of integers
{0, 1, ..., n-1} with operations mod n is only a
commutative ring). “Well-behaved”: the results of the
operations stay inside the field
GF(p).

• We are interested in two finite fields of order p^n, where p
is prime:
– GF(p)
– GF(2^n)
The simplest finite field is GF(2).

GF(7): arithmetic tables (not recovered)
Finding the Multiplicative Inverse in GF(p)
EXTENDED EUCLID(m, b)
1. [A1,A2,A3; B1,B2,B3] ← [1,0,m; 0,1,b];
2. if B3 == 0
return A3 = gcd(m,b); // no inverse
3. if B3 == 1
return B3 = gcd(m,b);
B2 = b^(-1) mod m;
4. Q = A3 / B3; (integer quotient)
5. [r1,r2,r3] ← [A1 - Q·B1, A2 - Q·B2, A3 - Q·B3];
6. [A1,A2,A3] ← [B1,B2,B3];
7. [B1,B2,B3] ← [r1,r2,r3];
8. goto 2
If (m, b) are relatively prime, then gcd(m, b) = 1, and b has a
multiplicative inverse modulo m.

Inverse of 550 in GF(1759)

Following the algorithm, starting with step 0. Denote the quotient at step i by q_i.
Carry out each step of the Euclidean algorithm.
After the 2nd step, calculate p_i = (p_(i-2) - p_(i-1) q_(i-2)) mod n; p_0 = 0, p_1 = 1.
Continue to calculate p_i one step more beyond the last step of the Euclidean algorithm.
If the last nonzero remainder occurs at step k, then if this remainder is 1, x has an inverse
and it is p_(k+2).
(If the remainder is not 1, then x does not have an inverse.)

(21, 26)  p_i = (p_(i-2) - p_(i-1) q_(i-2)) mod m:
26 = 1(21) + 5; q_0 = 1; p_0 = 0;
21 = 4(5) + 1;  q_1 = 4; p_1 = 1;
5 = 5(1) + 0;   q_2 = 5; p_2 = (0 - 1(1)) mod 26 = -1 mod 26 = 25;
p_3 = (1 - 25(4)) mod 26 = (1 - 22) mod 26 = -21 mod 26 = 5.
(5, 26)
26 = 5(5) + 1; q_0 = 5; p_0 = 0;
5 = 5(1) + 0;  q_1 = 5; p_1 = 1;
p_2 = (p_0 - p_1 q_0) mod m = (0 - 1(5)) mod 26 = 21.
*******************************************************************************************
Inverse of 550 in GF(1759)
p_i = (p_(i-2) - p_(i-1) q_(i-2)) mod m:
1759 = 3(550) + 109; q_0 = 3;  p_0 = 0;
550 = 5(109) + 5;    q_1 = 5;  p_1 = 1;
109 = 21(5) + 4;     q_2 = 21; p_2 = 0 - 1(3) = -3;
5 = 1(4) + 1;        q_3 = 1;  p_3 = 1 - (-3)(5) = 16;
4 = 4(1) + 0;        q_4 = 4;  p_4 = -3 - 16(21) = -339;
p_5 = 16 - (-339)(1) = 355 (mod 1759), so the inverse of 550 in GF(1759) is 355.
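As an added, runnable illustration (this is not code from the slides or from Stallings' book), the following Python implements both procedures above: the tabular EXTENDED EUCLID(m, b) and the p_i recurrence used in the worked examples, plus division in GF(p) as multiplication by the inverse. Function names are the example's own; the inputs are the slides' values (21 and 5 modulo 26, 550 modulo 1759, 5/3 in Z_7).

```python
# Added example: multiplicative inverses in GF(p) / Z_m, following the two
# procedures described on the slides. Not code from Stallings' book.

def extended_euclid(m: int, b: int):
    """Tabular EXTENDED EUCLID(m, b) as on the slide.

    Returns (gcd(m, b), inverse) where inverse == b^-1 mod m, or None when
    gcd(m, b) != 1 (b then has no inverse modulo m).
    """
    A1, A2, A3 = 1, 0, m          # invariant: A1*m + A2*b == A3
    B1, B2, B3 = 0, 1, b          # invariant: B1*m + B2*b == B3
    while True:
        if B3 == 0:               # step 2: gcd is A3, no inverse
            return A3, None
        if B3 == 1:               # step 3: B2*b == 1 (mod m), so B2 is the inverse
            return 1, B2 % m
        Q = A3 // B3              # step 4: integer quotient
        T1, T2, T3 = A1 - Q * B1, A2 - Q * B2, A3 - Q * B3   # step 5
        A1, A2, A3 = B1, B2, B3   # step 6
        B1, B2, B3 = T1, T2, T3   # step 7, then back to step 2


def inverse_by_p_sequence(x: int, n: int):
    """The p_i recurrence from the worked examples: run Euclid on (n, x),
    record quotients q_0, q_1, ..., then p_0 = 0, p_1 = 1 and
    p_i = (p_{i-2} - p_{i-1} * q_{i-2}) mod n.  If the last nonzero
    remainder (at step k) is 1, the inverse of x is p_{k+2}; else None."""
    if x % n == 1:                # trivial case the recurrence never reaches
        return 1
    a, b = n, x
    quotients, remainders = [], []
    while b != 0:                 # step i: a = q_i * b + r_i
        q, r = divmod(a, b)
        quotients.append(q)
        remainders.append(r)
        a, b = b, r
    # remainders[-1] == 0 ended the loop; remainders[-2] is the last nonzero one
    if len(remainders) < 2 or remainders[-2] != 1:
        return None               # gcd(x, n) != 1: x has no inverse modulo n
    k = len(remainders) - 2
    p = [0, 1]                    # p_0, p_1
    for i in range(2, k + 3):     # compute up to p_{k+2}
        p.append((p[i - 2] - p[i - 1] * quotients[i - 2]) % n)
    return p[k + 2]


def gf_p_div(a: int, b: int, p: int) -> int:
    """a / b in GF(p), computed as a * b^-1 mod p (p must be prime)."""
    _, inv = extended_euclid(p, b % p)
    if inv is None:
        raise ZeroDivisionError(f"{b} has no inverse modulo {p}")
    return (a * inv) % p


if __name__ == "__main__":
    print(extended_euclid(1759, 550))        # (1, 355)
    print(inverse_by_p_sequence(550, 1759))  # 355
    print(extended_euclid(26, 21), inverse_by_p_sequence(21, 26))  # (1, 5) 5
    print(extended_euclid(26, 5), inverse_by_p_sequence(5, 26))    # (1, 21) 21
    print(gf_p_div(5, 3, 7))                 # 4
    print(extended_euclid(8, 2))             # (2, None): 2 has no inverse in Z_8
```

The last call shows the non-field case from the earlier slide: in Z_8 the element 2 shares a factor with the modulus, so the algorithm terminates at step 2 with gcd 2 and no inverse, which is why a cipher that needs division must work in a field such as GF(p) or GF(2^n).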
Ordinary Polynomial Arithmetic
Polynomial Arithmetic in Z_p
• A polynomial whose coefficients are elements of some field F
is referred to as a polynomial over the field F.
• The set of such polynomials is referred to as a polynomial ring.

• Division is possible if the polynomial operations are performed on
polynomials over a field, but exact division might not be possible.

• Within a field, for two elements a and b, the quotient a/b is also an
element of the field. However, given a ring R that is not a field,
division will result in a quotient and a remainder; this is not exact
division.
• Consider 5 and 3 within a set S. If S is the set of rational numbers, which is a
field, then the result is simply expressed as 5/3 and is an element
of S. Suppose that S is the field Z_7, p = 7. In this case, 5/3 = (5 x
3^(-1)) mod 7 = (5 x 5) mod 7 = 4, which is an exact solution.
Suppose that S is the set of integers, which is a ring but not a field.
Then 5/3 produces a quotient and a remainder: 5/3 = 1 + 2/3; 5 = 1
x 3 + 2; division is not exact over the set of integers.

• Division is not always defined if it is over a coefficient set that
is not a field.
Polynomial Arithmetic in Z_p: if
r(x) = 0, then g(x) | f(x), i.e. g(x) is a divisor of f(x).

• If the coefficient set is the integers, then (5x^2)/(3x) does not have a
solution, since 5/3 is not in the coefficient set.
• Suppose it is performed over Z_7. Then (5x^2)/(3x) = 4x, which is a valid
polynomial over Z_7.

• Suppose the degree of f(x) is n and that of g(x) is m, n ≥ m. Then the degree of the
quotient q(x) is (n - m) and that of the remainder is at most (m - 1). Polynomial
division is possible if the coefficient set is a field.
– r(x) = f(x) mod g(x)

• f(x) = x^3 + x^2 + 2 and g(x) = x^2 - x + 1: q(x) = x + 2, r(x) = x

• q(x)g(x) + r(x) = (x + 2)(x^2 - x + 1) + x = (x^3 + x^2 - x + 2) + x = x^3 + x^2 + 2 =
f(x)
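Added example (not code from the slides or from Stallings' book): a small polynomial-over-Z_p toolkit that performs the long division just described, with polynomials stored as coefficient lists in ascending degree (so [2, 0, 1, 1] is x^3 + x^2 + 2). It reproduces the slide's division of f(x) by g(x) over Z_7 and the (5x^2)/(3x) = 4x case; the function names are the example's own, and pow(c, -1, p) for the inverse of the leading coefficient needs Python 3.8 or later.

```python
# Added example: polynomial arithmetic over Z_p with coefficient lists
# (index i holds the coefficient of x^i). Not code from the slides or the book.

def trim(f):
    """Drop high-order zero coefficients; the zero polynomial becomes []."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f


def normalize(f, p):
    """Reduce every coefficient modulo p (x^2 - x + 1 becomes x^2 + 6x + 1 in Z_7)."""
    return trim([c % p for c in f])


def degree(f):
    return len(f) - 1                  # -1 for the zero polynomial


def poly_add(f, g, p):
    n = max(len(f), len(g))
    f, g = list(f) + [0] * (n - len(f)), list(g) + [0] * (n - len(g))
    return trim([(a + b) % p for a, b in zip(f, g)])


def poly_mul(f, g, p):
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)


def poly_divmod(f, g, p):
    """Long division over Z_p: returns (q, r) with f = q*g + r and deg r < deg g.
    Needs the inverse of g's leading coefficient, which exists because Z_p is a field."""
    r, g = normalize(f, p), normalize(g, p)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    if len(r) < len(g):
        return [], r
    q = [0] * (len(r) - len(g) + 1)
    inv_lead = pow(g[-1], -1, p)       # inverse of the leading coefficient in Z_p
    while r and len(r) >= len(g):
        shift = len(r) - len(g)        # degree of the next quotient term
        coef = (r[-1] * inv_lead) % p
        q[shift] = coef
        for i, c in enumerate(g):      # subtract coef * x^shift * g(x)
            r[i + shift] = (r[i + shift] - coef * c) % p
        r = trim(r)
    return trim(q), r


def divides(g, f, p):
    """True iff g(x) | f(x) over Z_p, i.e. f(x) mod g(x) == 0."""
    return poly_divmod(f, g, p)[1] == []


if __name__ == "__main__":
    # f(x) = x^3 + x^2 + 2, g(x) = x^2 - x + 1 over Z_7: quotient x + 2, remainder x
    print(poly_divmod([2, 0, 1, 1], [1, -1, 1], 7))   # ([2, 1], [0, 1])
    # (5x^2) / (3x) over Z_7 = 4x, exact
    print(poly_divmod([0, 0, 5], [0, 3], 7))          # ([0, 4], [])
    print(divides([0, 3], [0, 0, 5], 7))               # True
```

The dependence on the leading coefficient's inverse is exactly the slide's point about coefficient sets that are not fields: calling poly_divmod with p = 8 and g(x) = 2x makes pow(2, -1, 8) raise ValueError, because 2 has no inverse in Z_8 and the division is not defined there.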
Integer                 1   2   3   4   5   6   7
Occurrences in Z_8      4   8   4  12   4   8   4
Occurrences in GF(2^3)  7   7   7   7   7   7   7

(Multiplication tables for Z_8 and GF(2^3) not recovered.)
In GF(2), addition and multiplication are equivalent to the XOR and the logical AND,
respectively. Addition and subtraction are equivalent. Therefore GF(2^n) is of most
interest.
• Consider the set S of all polynomials of degree n-1 or less over the
field Z_p. Thus, each polynomial has the form
• where each a_i takes on a value in the set {0, 1, ..., p-1}. There are a
total of p^n different polynomials in S.
• For p = 3 and n = 2, the 3^2 = 9 polynomials in the set are
• 0   x   2x
• 1   x + 1   2x + 1
• 2   x + 2   2x + 2
• For p = 2 and n = 3, the 2^3 = 8 polynomials in the set are
• 0   x + 1   x^2 + x
• 1   x^2   x^2 + x + 1
• x   x^2 + 1
• mod 2:
• 1 + 1 = 1 - 1 = 0;
• 1 + 0 = 1 - 0 = 1;
• 0 + 1 = 0 - 1 = 1.

• If f(x) has no divisors other than itself and 1, it is said to be an irreducible (or prime)
polynomial; arithmetic modulo an irreducible polynomial forms a field.
• f(x) = x^4 + 1 over GF(2) is reducible,
– because x^4 + 1 = (x + 1)(x^3 + x^2 + x + 1)
• f(x) = x^3 + x + 1 is irreducible over GF(2): dividing it by x or by x + 1 leaves remainder 1.

• e.g. let f(x) = x^3 + x^2 and g(x) = x^2 + x + 1 over GF(2):
f(x) + g(x) = x^3 + x + 1
• f(x) x g(x) = x^5 + x^2
Finite Fields of the Form GF(2^n)

• The integers modulo p^n with n > 1, i.e. operations
modulo p^n, do not produce a field. There are
structures satisfying the axioms for a field in a set
with p^n elements; we concentrate on GF(2^n).
• Motivation: Virtually all encryption algorithms,
both symmetric and public key, involve
arithmetic operations on integers, including division.
• For efficiency: integers that fit exactly into a
given number of bits, with no wasted bit
patterns, i.e. integers in the range 0 through 2^n - 1,
fitting into an n-bit word. Z_256 versus Z_251: 256 is not prime, so Z_256 is not a
field, while Z_251 is a field but wastes the bit patterns 251 through 255.
Polynomial GCD
• gcd[a(x), b(x)] is the polynomial of maximum
degree that divides both a(x) and b(x).
• gcd[a(x), b(x)] = gcd[b(x), a(x) mod b(x)]
• Euclid[a(x), b(x)]
1. A(x) ← a(x); B(x) ← b(x)
2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
3. R(x) = A(x) mod B(x)
4. A(x) ← B(x)
5. B(x) ← R(x)
6. goto 2
Example of GCD in Z_2, i.e. in GF(2):
Step 1, gcd(A(x), B(x)), with D(x) the quotient and R(x) the remainder of A(x) divided by B(x):
A(x) = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1,
B(x) = x^4 + x^2 + x + 1; D(x) = x^2 + x;
R(x) = x^3 + x^2 + 1
Step 2,
A(x) = B(x) = x^4 + x^2 + x + 1;
B(x) = R(x) = x^3 + x^2 + 1,
D(x) = x + 1; R(x) = 0;
Step 3,
A(x) = B(x) = x^3 + x^2 + 1;
B(x) = R(x) = 0;
gcd(A(x), B(x)) = x^3 + x^2 + 1
GF(2^3)
Modular Polynomial Arithmetic
• can compute in the field GF(2^n)
– polynomials with coefficients modulo 2
– whose degree is less than n
– hence must reduce modulo an irreducible poly
of degree n (for multiplication only)
• form a finite field
• can always find an inverse
– can extend Euclid’s Inverse algorithm to find
Example GF(2^3) (tables not recovered)
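Added example (not code from the slides or from Stallings' book): the GF(2)[x] operations described above, with each polynomial stored as a Python int whose bit i is the coefficient of x^i, so that addition is XOR exactly as the earlier slide notes. It runs the slide's GCD example with A(x) = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1 and B(x) = x^4 + x^2 + x + 1, checks the claims that x^4 + 1 is reducible and x^3 + x + 1 is irreducible, computes inverses in GF(2^3) with an extended Euclid over polynomials, and reproduces the Z_8 versus GF(2^3) occurrence counts from the table above. The choice of x^3 + x + 1 as the modulus for GF(2^3) and all function names are this example's own.

```python
# Added example: GF(2^n) arithmetic with polynomials as integer bit strings
# (bit i = coefficient of x^i). Not code from the slides or from Stallings.

def gf2_deg(a: int) -> int:
    """Degree of a GF(2) polynomial; -1 for the zero polynomial."""
    return a.bit_length() - 1


def gf2_add(a: int, b: int) -> int:
    """Addition (and subtraction) in GF(2)[x] is XOR of coefficients."""
    return a ^ b


def gf2_mul(a: int, b: int) -> int:
    """Carry-less product: shift-and-XOR, no reduction."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a <<= 1
        b >>= 1
    return out


def gf2_divmod(a: int, b: int):
    """Long division in GF(2)[x]: a = q*b + r with deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, db = 0, a, gf2_deg(b)
    while r and gf2_deg(r) >= db:
        shift = gf2_deg(r) - db
        q ^= 1 << shift            # next quotient term x^shift
        r ^= b << shift            # subtract x^shift * b(x)
    return q, r


def gf2_gcd(a: int, b: int) -> int:
    """Euclid[a(x), b(x)] from the slide: gcd[a, b] = gcd[b, a mod b]."""
    while b:
        a, b = b, gf2_divmod(a, b)[1]
    return a


def gf2_is_irreducible(f: int) -> bool:
    """Trial division by every polynomial of degree 1 .. deg(f)//2."""
    d = gf2_deg(f)
    if d < 1:
        return False
    return all(gf2_divmod(f, g)[1] != 0 for g in range(2, 1 << (d // 2 + 1)))


def gf2_mulmod(a: int, b: int, mod: int) -> int:
    """Multiplication in GF(2^n): product reduced modulo the irreducible mod."""
    return gf2_divmod(gf2_mul(a, b), mod)[1]


def gf2_inv(a: int, mod: int):
    """Extended Euclid in GF(2)[x]: a^-1 modulo mod, or None if gcd != 1."""
    r, s = mod, gf2_divmod(a, mod)[1]
    u, v = 0, 1                      # invariants: u*a == r, v*a == s (mod mod)
    while s:
        q, rem = gf2_divmod(r, s)
        r, s = s, rem
        u, v = v, u ^ gf2_mul(q, v)  # u_{i+1} = u_{i-1} - q*u_i (minus is XOR)
    return u if r == 1 else None


def product_counts(mul, elems):
    """How often each value occurs in the multiplication table of elems."""
    counts = {}
    for a in elems:
        for b in elems:
            v = mul(a, b)
            counts[v] = counts.get(v, 0) + 1
    return counts


MOD_GF8 = 0b1011                     # x^3 + x + 1, irreducible over GF(2)

if __name__ == "__main__":
    A = 0b1111111                    # x^6 + x^5 + x^4 + x^3 + x^2 + x + 1
    B = 0b10111                      # x^4 + x^2 + x + 1
    print(gf2_divmod(A, B))          # (6, 13): D(x) = x^2 + x, R(x) = x^3 + x^2 + 1
    print(bin(gf2_gcd(A, B)))        # 0b1101 = x^3 + x^2 + 1
    print(gf2_is_irreducible(0b10001), gf2_is_irreducible(MOD_GF8))   # False True
    print([gf2_inv(a, MOD_GF8) for a in range(1, 8)])   # every nonzero element has one
    print(product_counts(lambda a, b: (a * b) % 8, range(1, 8)))
    print(product_counts(lambda a, b: gf2_mulmod(a, b, MOD_GF8), range(1, 8)))
```

The two occurrence tables make the slide's point concrete: in Z_8 the value 0 appears in the table and 4 appears twelve times, so multiplication does not permute the nonzero elements and some of them (2, 4, 6) have no inverse, whereas in GF(2^3) every nonzero product appears exactly seven times and gf2_inv succeeds for all seven nonzero elements.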
