home.deib.polimi.it/pelosi/lib/exe/fetch.php?media=... · 2011-05-02
COMPUTER ARITHMETIC
13/05/2010 cryptography - math background pp. 1 / 162
COMPUTER ARITHMETIC
RECALL OF COMPUTER ARITHMETIC
• computers implement some types of arithmetic
• for instance, addition, subtraction, multiplication of integers and reals
• necessary for basic computations as found in the programming languages
• arithmetic operations directly supported by the processor
• but normally unsuited for cryptography …
COMPUTER ARITHMETIC
• computers can perform standard arithmetic operations on:
– integers, i.e. 0 1 2 … −1 −2 …
– reals, i.e. 1.2 −4.3 1.5 × 10^6 …
– sometimes also other kinds of numbers, e.g. complex numbers
– and normally NOTHING ELSE
COMPUTER ARITHMETIC
• standard computer operations are:
– arithmetic, 1st kind: addition, subtraction.
– arithmetic, 2nd kind: multiplication, division (integer or real).
– possibly arithmetic, 3rd kind: power, root, …
– sometimes (infrequently) transcendental: exp, log, trigonometry, …
COMPUTER ARITHMETIC
• all the previous operations can be computed directly by the processor of the computer
• machine (assembler) instructions exist for each operation
• numbers are normally represented in:
– two’s complement (integers)
– IEEE 754 floating point (reals)
INTEGERS – NATURAL
• natural binary: binary digit b ∈ {0, 1}
$b_n b_{n-1} b_{n-2} \dots b_3 b_2 b_1 = b_n 2^{n-1} + b_{n-1} 2^{n-2} + \dots + b_2 2^1 + b_1 2^0$
• range: [0, 2^n − 1].
• for instance:
10101100 = 2^7 + 2^5 + 2^3 + 2^2 = 128 + 32 + 8 + 4 = 172
INTEGERS – TWO’S COMPLEMENT
• two’s complement: binary digit b ∈ {0, 1}
$\sigma b_{n-1} b_{n-2} \dots b_3 b_2 b_1 = -\sigma 2^{n-1} + b_{n-1} 2^{n-2} + \dots + b_2 2^1 + b_1 2^0$
• bit σ is called “sign bit”
• range: [−2^(n−1), 2^(n−1) − 1].
• for instance: 01001101 = +2^6 + 2^3 + 2^2 + 2^0 = 64 + 8 + 4 + 1 = 77
• and: 10101100 = −2^7 + 2^5 + 2^3 + 2^2 = −128 + 32 + 8 + 4 = −84
ADDITION OF NATURAL INTEGERS
ADDITION OF TWO’S COMPLEMENT INTEGERS
NATURAL MULTIPLICATION
FULL ADDER
(block diagram: inputs a, b, cin; outputs sum, cout)
a b cin | cout sum | a + b + cin
0 0 0 | 0 0 | 0
0 0 1 | 0 1 | 1
0 1 0 | 0 1 | 1
0 1 1 | 1 0 | 2
1 0 0 | 0 1 | 1
1 0 1 | 1 0 | 2
1 1 0 | 1 0 | 2
1 1 1 | 1 1 | 3
• sum = a XOR b XOR cin
• cout = (a AND b) OR (a AND cin) OR (b AND cin)
RIPPLE CARRY ADDER
addition of natural integers of 3 bits
(diagram: three Full Adders in a chain; inputs a2 b2, a1 b1, a0 b0; outputs s2 s1 s0; carries c0 → c1 → c2 → c3)
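The two representations and the adder above, as an added example that is not part of the original slides: the same bit string read as natural binary and as two's complement, an n-bit ripple-carry adder built from the full-adder equations, and the two overflow indicators a practitioner actually cares about (unsigned overflow is the final carry c_n; signed overflow is c_n ≠ c_(n−1)). Function names are this example's own.

```python
# Added example (not part of the original slides): natural binary vs two's
# complement interpretation of the same bit string, and an n-bit ripple-carry
# adder built from the full-adder equations above. All function names are
# this example's own.

def full_adder(a, b, cin):
    """One full adder: returns (sum, cout) exactly as in the truth table."""
    s = a ^ b ^ cin
    cout = (a & b) | (a & cin) | (b & cin)
    return s, cout


def ripple_carry_add(bits_a, bits_b):
    """Add two equal-length bit strings (MSB first) with a chain of full adders.

    Returns (sum_bits, carries) where carries[i] is c_i (c_0 = 0 is the carry
    into the least significant position, carries[n] is the final carry out).
    """
    assert len(bits_a) == len(bits_b)
    n = len(bits_a)
    carries = [0] * (n + 1)           # c_0 .. c_n
    sum_bits = [0] * n
    for i in range(n):                # i = 0 is the LSB
        a = int(bits_a[n - 1 - i])
        b = int(bits_b[n - 1 - i])
        s, cout = full_adder(a, b, carries[i])
        sum_bits[n - 1 - i] = s
        carries[i + 1] = cout
    return "".join(map(str, sum_bits)), carries


def unsigned_value(bits):
    """Natural binary: b_n 2^(n-1) + ... + b_1 2^0."""
    return sum(int(bit) << (len(bits) - 1 - i) for i, bit in enumerate(bits))


def twos_complement_value(bits):
    """Two's complement: the MSB weighs -2^(n-1), the other bits are natural binary."""
    n = len(bits)
    sign = int(bits[0])
    return -sign * (1 << (n - 1)) + unsigned_value(bits[1:])


def add_with_flags(bits_a, bits_b):
    """n-bit addition reported both ways, plus the two overflow indicators.

    unsigned overflow: the final carry c_n is 1 (result does not fit in n bits)
    signed overflow:   c_n != c_(n-1) (carry into and out of the sign bit differ)
    """
    s, c = ripple_carry_add(bits_a, bits_b)
    n = len(bits_a)
    return {
        "sum": s,
        "unsigned": unsigned_value(s),
        "signed": twos_complement_value(s),
        "unsigned_overflow": c[n] == 1,
        "signed_overflow": c[n] != c[n - 1],
    }


if __name__ == "__main__":
    print(unsigned_value("10101100"), twos_complement_value("10101100"))   # 172 -84
    print(add_with_flags("01001101", "10101100"))   # 77 + (-84) = -7, no overflow
    print(add_with_flags("01111111", "00000001"))   # 127 + 1: signed overflow
```

The last call is the classic integer-overflow trap: 127 + 1 in 8-bit two's complement produces 10000000, which the hardware reports as a correct unsigned 128 and as a wrapped signed −128; only the carry comparison reveals it.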
CONSIDERATIONS
• integer and real computer arithmetic is NOT used (or seldom used) for cryptography
• instead, finite algebraic structures are generally adopted
• for instance, finite FIELDS or RINGS
• theory of such structures follows
ALGEBRAIC STRUCTURES
ALGEBRAIC STRUCTURE
• an algebraic structure A is:
A = ⟨ S, op1, op2, …, s0, s1, … ⟩
• where:
S is a set of elements, or “numbers” (in a very broad sense), called “support set”
op_i is a binary operator over the elements of the support set S
s_i is a special element of the support set S
STRUCTURES – EXAMPLES
• natural integers (semigroup):
N = ⟨ {1, 2, 3, …}, + ⟩
natural numbers, equipped with the binary operator of addition (+)
• natural integers plus 0 (monoid):
N0 = ⟨ {0, 1, 2, 3, …}, +, 0 ⟩
natural numbers, equipped with the binary operator of addition (+), plus the special element 0 (neutral element for +)
STRUCTURES – EXAMPLE
• relative integers (abelian group):
⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩
relative integer numbers, equipped with:
the binary operator of addition (+)
the special element 0, neutral for (+)
• this is an algebraic structure with one operation and one special element
STRUCTURES – EXAMPLE
• natural integers (semiring):
⟨ {1, 2, 3, …}, +, ×, 1 ⟩
natural integer numbers, equipped with:
the binary operator of addition (+)
the binary operator of multiplication (×)
the special element 1, neutral for (×)
• an algebraic structure with two operations and one special element
STRUCTURES – EXAMPLE
• relative integers (commutative ring):
Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, ×, 0, 1 ⟩
relative integer numbers, equipped with:
the binary operator of addition (+)
the binary operator of multiplication (×)
the special element 0, neutral for (+)
the special element 1, neutral for (×)
• an algebraic structure with two operations and two special elements
CONSIDERATIONS
• there are many possible algebraic structures
• each of them is characterized by properties (axioms and theorems)
• for instance:
a + b = b + a (axiom for N)
a^2 − b^2 = (a + b) × (a − b) (theorem for Z)
GROUPS
DEFINITION
• a GROUP G is an algebraic structure:
G = ⟨ S, ⋅, 1 ⟩
• where:
S is the support set
⋅ is a binary operator, called “product”
1 is a special element, neutral for (⋅)
• if the support S is a finite set, G is said to be a “finite group”
AXIOMS OF GROUP
• groups must satisfy (by definition) the following axioms
• for every a, b, c ∈ S:
a ⋅ b ∈ S (closure)
(a ⋅ b) ⋅ c = a ⋅ (b ⋅ c) (associativity)
1 ⋅ a = a ⋅ 1 = a (1 is neutral and commutes)
∃ a’ such that a ⋅ a’ = a’ ⋅ a = 1 (existence of inverse)
GROUPS – EXAMPLE
• the group of non-singular square matrices of order 2, with real elements
M = ⟨ M_{2,2}, matrix product, identity matrix I ⟩
M is closed
the matrix product is associative
the matrix I is the neutral element for product
each matrix admits an inverse
NOTE: matrix product is NOT commutative
ABELIAN GROUPS
• in some groups, the product operator is commutative, i.e., a ⋅ b = b ⋅ a
• abelian (or commutative) group: a group G such that the operator (⋅) is commutative
G = ⟨ S, +, 0 ⟩
• in abelian groups, the symbol (⋅) is normally replaced by (+), which is called “addition” instead of “product”, and the neutral element is written 0 instead of 1
• PAY ATTENTION: a few mathematicians still go on calling (+) a “product” operator !!
ABELIAN GROUPS – EXAMPLES
• the world is full of abelian groups
• for instance:
relative integers, with addition
Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩
non-zero rational numbers, with multiplication (0 must be excluded, since it has no inverse)
Q \ {0} = ⟨ {…, p / q, …} with p ≠ 0, ×, 1 ⟩
and many others …
ITERATED OPERATION
• given a group G (not necessarily abelian), an element g of the group G, and an integer k ≥ 0, it is defined:
g^k = g ⋅ g ⋅ … ⋅ g (k times)
g^0 = 1 (if k = 0)
• the operation “g^k” is called “iterated multiplication” (or “power”)
• most cryptography lives on it
ITERATION – EXAMPLES
• given Z = ⟨ {…, −2, −1, 0, 1, 2, …}, ×, 1 ⟩ (only a monoid, since only ±1 are invertible, but iteration is defined all the same):
z^k = z × z × … × z (k times)
usually called “power” of order k.
• in groups with an operation denoted (+) instead of (⋅), the writing “kg” replaces “g^k”
• given Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, 0 ⟩, which is an abelian group:
kz = z + z + … + z (k times)
the usual multiple of z by k
GROUP GENERATORS
• given a finite group G, an element g ∈ G is said to be a generator for G, if its “powers” cover all the elements of G:
∀f ∈ G ∃k ≥ 0 such that f = g^k
• in practice a generator is a single element that allows one to construct the whole group by iteration
• a group G may admit no generators, a single generator or more generators …
DISCRETE LOGARITHM (DH)
• given a generator g ∈ G for the group, and any element f ∈ G, define:
k = log_g f (discrete logarithm, base g)
the (smallest) integer k ≥ 0 such that f = g^k
• the (smallest) integer k ≥ 0 necessarily exists, since g is a generator for G
• given a group G, it is relatively simple to compute f = g^k, but it may be very complex to compute k starting from g and f
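The asymmetry just stated, as an added example that is not part of the original slides, in the multiplicative group of Z_p: computing g^k costs about log2(k) multiplications (square-and-multiply), while recovering k from (g, f) with the best generic method shown here (baby-step giant-step) still costs about sqrt(p) operations and memory. The prime p = 1019 and generator g = 2 are constructed toy parameters; function names are this example's own.

```python
# Added example (not part of the original slides): the asymmetry behind the
# discrete logarithm. Exponentiation g^k in the multiplicative group of Z_p is
# cheap (square-and-multiply: ~log2(k) group operations); recovering k from
# (g, f) with baby-step giant-step still costs ~sqrt(p) operations and memory,
# which is why real parameters use primes of hundreds of bits. The prime p and
# generator g used below are small constructed values for illustration only.
import math

def power_mod(g, k, p):
    """Square-and-multiply: g^k mod p using the binary expansion of k."""
    result = 1
    base = g % p
    while k > 0:
        if k & 1:
            result = (result * base) % p
        base = (base * base) % p
        k >>= 1
    return result


def discrete_log_bsgs(g, f, p):
    """Smallest k >= 0 with g^k = f (mod p), or None. Baby-step giant-step.

    With m = floor(sqrt(p - 1)) + 1, write k = i*m + j with 0 <= i, j < m.
    Baby steps store g^j; giant steps look for f * (g^-m)^i in that table.
    """
    m = math.isqrt(p - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)       # keep the smallest exponent for each value
        cur = (cur * g) % p
    g_inv_m = power_mod(g, (p - 2) * m, p)   # (g^-1)^m, inverse by Fermat (p prime)
    gamma = f % p
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = (gamma * g_inv_m) % p
    return None


def discrete_log_bruteforce(g, f, p):
    """The definition taken literally: iterate g until f appears (O(p) steps)."""
    cur, k = 1, 0
    while cur != f % p:
        cur = (cur * g) % p
        k += 1
        if k > p:
            return None
    return k


if __name__ == "__main__":
    p, g = 1019, 2          # constructed toy parameters; 2 generates Z_1019^*
    k = 777
    f = power_mod(g, k, p)
    print(f, discrete_log_bsgs(g, f, p), discrete_log_bruteforce(g, f, p))
```

On the slides' own example (Z_5, generator 3, f = 2) both solvers return k = 3, matching 3^3 = 27 = 2 mod 5.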
CONSIDERATIONS
• groups (usually abelian) are an important algebraic structure for cryptography
• normally finite groups are used (examples will come soon)
• the basic operations for cryptographic applications are iteration and discrete logarithm
• however, abelian groups appear also under the form of rings and fields (see next slides)
RINGS AND FIELDS
RINGS – DEFINITION
• a RING R is an algebraic structure:
R = ⟨ S, +, ⋅, 0, and usually also 1 ⟩
where:
⟨ S, +, 0 ⟩ is an abelian group w.r.t. (+)
and for every a, b, c ∈ S:
a ⋅ b ∈ S (closure)
(a ⋅ b) ⋅ c = a ⋅ (b ⋅ c) (associativity of ⋅)
a ⋅ (b + c) = (a ⋅ b) + (a ⋅ c) (left distributivity)
(b + c) ⋅ a = (b ⋅ a) + (c ⋅ a) (right distributivity)
RINGS – DETAILS
• the operator (+) must be commutative
• if the operator (⋅) commutes as well, R is said to be a “commutative ring”
• if (⋅) has its own neutral element 1, R is said to be a “ring with unity”
• if the support set S of R is a finite set, R is said to be a “finite ring”
RINGS – EXAMPLE
• the ring R of relative integer numbers, with ordinary addition and multiplication:
Z = ⟨ {…, −2, −1, 0, 1, 2, …}, +, ×, 0, 1 ⟩
• R is a commutative ring, since the operator (×) commutes
• and R is said to have “a unity”, since the operation (×) has its own neutral element, 1
• the symbol “Z” is used worldwide for denoting this particular ring
FIELDS – DEFINITION
• a FIELD F is an algebraic structure:
F = ⟨ S, +, ⋅, 0, 1 ⟩
where:
⟨ S, +, 0 ⟩ is an abelian group w.r.t. (+)
⟨ S \ {0}, ⋅, 1 ⟩ is an abelian group w.r.t. (⋅) (0 is excluded: it has no multiplicative inverse)
and for every a, b, c ∈ S:
a ⋅ (b + c) = (a ⋅ b) + (a ⋅ c) (left distributivity)
(b + c) ⋅ a = (b ⋅ a) + (c ⋅ a) (right distributivity)
• if the support set S of F is finite, F is said to be a “finite field”
FIELDS – EXAMPLES
• the field Q of rational numbers, with ordinary addition and multiplication:
Q = ⟨ {…, p / q, …}, +, ×, 0, 1 ⟩
• Q is an infinite field
• other examples of infinite fields:
real numbers, with addition and multiplication
complex numbers, with addition and multiplication
and many others …
CONSIDERATIONS
• rings and fields are the most popular and used algebraic structures
• in particular, the mathematical theory of fields is well developed, and for finite fields (almost) everything that is of some interest has been investigated and clarified
• and an important part of cryptography actually relies upon finite fields
MODULAR OPERATIONS
PRELIMINARIES
• there are many finite rings, but few finite fields; here:
– modular finite rings
– modular finite fields
– finite extension fields
– in particular, binary finite extension fields
• all these are used in cryptography
MODULAR RINGS
• everybody knows what “integer division” is
• given:
an integer N (dividend: positive, null or negative)
an integer D (divisor: always positive, non-null)
there are two uniquely determined integers Q and R (Q of either sign, R ≥ 0), such that:
N = Q × D + R and 0 ≤ R < D
Q: quotient, R: remainder
INTEGER DIVISION – EXAMPLES
• N = Q × D + R
• 5 = 2 × 2 + 1 Q = 2, R = 1, 1 < 2
• 9 = 3 × 3 + 0 Q = 3, R = 0, 0 < 3
• 20 = 3 × 6 + 2 Q = 3, R = 2, 2 < 6
• −5 = −3 × 2 + 1 Q = −3, R = 1, 1 < 2
• −8 = −2 × 4 + 0 Q = −2, R = 0, 0 < 4
• −9 = −3 × 4 + 3 Q = −3, R = 3, 3 < 4
COMPUTING mod n
• from the definition and the examples, it is clear that (for n ≥ 1):
if a ≥ 0 then
a mod n = r such that a = q × n + r and 0 ≤ r < n
else
a mod n = n − r such that −a = q × n + r and 0 < r < n (and a mod n = 0 when r = 0, i.e. when n divides a)
• for instance:
−4 mod 3 = 2 because −4 = −2 × 3 + 2, but also 4 = 1 × 3 + 1 and hence r = 3 − 1 = 2
THE mod OPERATOR
• one writes (a ∈ Z and n ≥ 1):
a mod n = b
to indicate the remainder b ≥ 0 of the (integer) division of a by n
• here the symbol mod indicates a binary operator: mod: Z × N → N
• if n = 1, then a mod n = 0 for every a (trivial case)
MODULAR CONGRUENCE
• given a modulus n ≥ 1, two integers a, b ∈ Z are said to be “congruent modulo n”, iff:
a = b mod n ⇔ a mod n = b mod n
i.e., iff the remainder of a divided by n equals the remainder of b divided by n
• the “modular congruence” = mod n has the usual formal properties of equality:
Reflexivity: a = a mod n
Symmetry: a = b mod n ⇔ b = a mod n
Transitivity: a = b mod n and b = c mod n ⇒ a = c mod n
• here mod is a side indication, meaning that equality = is interpreted in the modular way
CONGRUENCE – EXAMPLES
It holds: 4 = 0 mod 2. In fact: 4 mod 2 = 0 = 0 mod 2
It holds: 5 = 1 mod 2. In fact: 5 mod 2 = 1 = 1 mod 2
It holds: 11 = 7 mod 4. In fact: 11 mod 4 = 3 = 7 mod 4
It holds: −13 = 2 mod 5. In fact: −13 mod 5 = 2 = 2 mod 5
It holds: −9 = 5 mod 2. In fact: −9 mod 2 = 1 = 5 mod 2
RESIDUE CLASSES
• given any modulus n ≥ 1 and a residue 0 ≤ b < n, the set A of all the integers a ∈ Z that are congruent to b mod n has the following form:
A = {b + k × n | k ∈ Z}
• each set A is called a “residue class” (mod n).
• there are exactly n such classes (one for each residue b = 0, 1, …, n − 1)
• the integer b ∈ A is the “reduced” form of every other element of the class A
• A = { …, −4, −1, 2, 5, 8, … } is the residue class of 5 mod 3; 2 is the “reduced” form
IMPORTANT DETAIL
• it is true that, for any modulus n ≥ 1:
n = 0 mod n
• put another way, 0 and n can always be freely exchanged
• more generally: ∀k ∈ Z, kn = 0 mod n
COMPUTATION mod n
• an algebraic expression over the integers, containing (+) and (×), is said to be computed “mod n” (for n ≥ 1), if the remainder of the integer division of the result by n is taken (instead of the full result)
• for instance: 5 + 3 × 2 − 1 = 2 mod 4
PROPERTIES OF mod
• given n ≥ 1 and any two integers a, b ∈ Z:
(a + b) mod n = ((a mod n) + (b mod n)) mod n
(a − b) mod n = ((a mod n) − (b mod n)) mod n
(a × b) mod n = ((a mod n) × (b mod n)) mod n
• put another way, the operator mod commutes with (+), (−) and (×)
• this is very useful for optimizing expression computations
COMPUTING mod n – EXAMPLE
• it holds: 5 + 3 × 2 − 1 = 2 mod 4
• in fact: 5 + 3 × 2 − 1 = 10 and 10 mod 4 = 2
• but also:
5 mod 4 = 1 and
3 × 2 mod 4 = 2 and
−1 mod 4 = 3 and
(1 + 2 + 3) mod 4 = 6 mod 4 = 2
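The mod operator of the last slides, as an added example that is not part of the original slides. The point a practitioner needs from this definition is that the remainder is always in [0, n), also for negative dividends: Python's % agrees with the slides, while C's % truncates toward zero and gives −4 % 3 == −1, a classic source of out-of-range index and reduction bugs. The block also checks congruence, lists a residue class, and reduces the slides' expression term by term. Function names are this example's own.

```python
# Added example (not part of the original slides): the mod operator as defined
# here (remainder always in [0, n)), checked against Python's % and against the
# truncating remainder that C's % returns for negative dividends; plus helpers for
# congruence, residue classes and term-by-term reduction of an expression.
# Function names are this example's own.

def mod(a, n):
    """a mod n per the slides: the unique r with a = q*n + r and 0 <= r < n."""
    if n < 1:
        raise ValueError("modulus must be >= 1")
    r = abs(a) % n
    if a < 0 and r != 0:       # the 'else' branch: n - r, except when r == 0
        r = n - r
    return r


def c_style_remainder(a, n):
    """What C's a % n gives: truncation toward zero, so the sign follows a."""
    q = abs(a) // n
    if a < 0:
        q = -q
    return a - q * n           # may be negative, e.g. -4 % 3 == -1 in C


def congruent(a, b, n):
    """a = b (mod n) iff the reduced forms coincide."""
    return mod(a, n) == mod(b, n)


def residue_class(b, n, ks):
    """Elements b + k*n of the residue class of b mod n, for the given k values."""
    return [mod(b, n) + k * n for k in ks]


def reduce_termwise(terms, n):
    """Sum of integer terms reduced mod n term by term, as in the slides' example."""
    return mod(sum(mod(t, n) for t in terms), n)


if __name__ == "__main__":
    print(mod(-4, 3), (-4) % 3, c_style_remainder(-4, 3))             # 2 2 -1
    print(residue_class(5, 3, range(-2, 3)))                            # [-4, -1, 2, 5, 8]
    print(reduce_termwise([5, 3 * 2, -1], 4), mod(5 + 3 * 2 - 1, 4))   # 2 2
```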
MODULAR RINGS
THE MODULAR RING Zn
• given a positive integer n ≥ 1, the following algebraic structure:
Zn = ⟨ {0, 1, 2, …, n − 1}, +, ×, 0, 1 ⟩
is called “modular ring of order n”, provided, for every a, b ∈ Zn:
a + b is computed mod n
a × b is computed mod n
• Zn contains exactly n elements
• Z1 contains only 0 (n = 1, trivial case)
MODULAR ADDITION
• suppose for instance n = 6
• modular addition works in Z6 as follows:
1 + 2 = 3 mod 6 = 3 (1 + 2 = 3 mod 6)
3 + 4 = 7 mod 6 = 1 (3 + 4 = 1 mod 6)
5 + 5 = 10 mod 6 = 4 …
4 − 5 = −1 mod 6 = 5 …
0 − 5 = −5 mod 6 = 1 …
OPPOSITE ELEMENT
• suppose for instance n = 10
• opposite elements in Z10 can be found as follows:
−5 = −5 mod 10 = 5 (−5 = 5 mod 10)
−3 = −3 mod 10 = 7 (−3 = 7 mod 10)
−8 = −8 mod 10 = 2 (−8 = 2 mod 10)
clearly: −a = n − a mod n
• this is coherent with: a + (−a) = a + (n − a) = a + n − a = n = 0 mod n
MODULAR MULTIPLICATION
• suppose for instance n = 9
• modular multiplication works in Z9 as follows:
3 × 2 = 6 mod 9 = 6 (3 × 2 = 6 mod 9)
3 × 4 = 12 mod 9 = 3 (3 × 4 = 3 mod 9)
5 × 5 = 25 mod 9 = 7 …
4 × 5 = 20 mod 9 = 2 …
0 × 5 = 0 mod 9 = 0 …
MODULAR POWERS
• modular powers:
a^m = a × a × … × a mod n (m ≥ 1 factors)
a^0 = 1 mod n (by definition)
• for instance, given n = 6:
2^2 = 4 mod 6 = 4 (2^2 = 4 mod 6)
2^3 = 8 mod 6 = 2 (2^3 = 2 mod 6)
2^6 = 64 mod 6 = 4 (2^6 = 4 mod 6)
• note: 2^6 = (2^3)^2 = (2)^2 = 4 mod 6, i.e., one can use the normal, well-known properties of exponents
HINTS ON GENERATORS
• consider the ring Z5 and the element 2, iterated with (+), i.e. its multiples:
1 × 2 mod 5 = 2 mod 5 = 2
2 × 2 mod 5 = 4 mod 5 = 4
3 × 2 mod 5 = 6 mod 5 = 1
4 × 2 mod 5 = 8 mod 5 = 3
5 × 2 mod 5 = 10 mod 5 = 0
6 × 2 mod 5 = 12 mod 5 = 2 (periodic)
• the element 2 is an additive generator for the ring Z5 (its multiples cover all of Z5)
• theorem: for any ring Zn, any element e ≠ 0 such that (e, n) = 1 is an additive generator
HINTS ON GENERATORS
• consider the ring Z5 and the element 3, iterated with (×), i.e. its powers:
3^1 mod 5 = 3 mod 5 = 3
3^2 mod 5 = 9 mod 5 = 4
3^3 mod 5 = 27 mod 5 = 2
3^4 mod 5 = 81 mod 5 = 1
3^5 mod 5 = 243 mod 5 = 3 (periodic …)
• the element 3 is a multiplicative generator for the ring Z5 (its powers cover Z5 excluding 0)
• how to determine the multiplicative generators for a modular ring Zn, of a generic modulus n, is a hard problem in general …
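The two notions of generator on these slides, as an added example that is not part of the original slides: the additive generators of Z_n found both by brute-force iteration and by the gcd theorem, and the multiplicative generators of Z_p (p prime) found by brute force and by the cheaper order test g^((p−1)/q) ≠ 1 for each prime q dividing p − 1. That second test is what makes the "hard problem" tractable when p − 1 is easy to factor, which is one reason cryptographic primes are often chosen with p − 1 = 2q. Function names are this example's own.

```python
# Added example (not part of the original slides): enumerating the additive
# generators of Z_n (theorem above: e != 0 with gcd(e, n) = 1) and the
# multiplicative generators of Z_p for prime p by checking whether the iterated
# operation visits every element, plus the cheaper order-based test that uses the
# factorisation of p - 1. Function names are this example's own.
from math import gcd

def additive_generators(n):
    """Elements e whose multiples k*e mod n (k = 0, 1, ...) cover all of Z_n."""
    gens = []
    for e in range(1, n):
        seen = {(k * e) % n for k in range(n)}
        if len(seen) == n:
            gens.append(e)
    return gens


def additive_generators_by_gcd(n):
    """The same set, via the theorem: e != 0 and gcd(e, n) = 1."""
    return [e for e in range(1, n) if gcd(e, n) == 1]


def multiplicative_generators(p):
    """Elements g whose powers g^k mod p cover Z_p without 0 (p prime)."""
    gens = []
    for g in range(1, p):
        seen = {pow(g, k, p) for k in range(p - 1)}
        if len(seen) == p - 1:
            gens.append(g)
    return gens


def prime_factors(n):
    """Distinct prime factors by trial division (fine for these toy sizes)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_multiplicative_generator(g, p):
    """Order test: g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q | p-1.

    This needs the factorisation of p - 1, which is why cryptographic primes are
    often chosen with p - 1 = 2q (q prime) so the test is trivial.
    """
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


if __name__ == "__main__":
    print(additive_generators(5), additive_generators(6))        # [1, 2, 3, 4] [1, 5]
    print(multiplicative_generators(5))                          # [2, 3]
    print([g for g in range(1, 23) if is_multiplicative_generator(g, 23)])
```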
MORE ON MODULAR RINGS
MODULAR COMPUTATION
• frequently, computing the operator mod does not really require performing a division
• remember in fact that n = 0 mod n
• whenever in an expression to be computed mod n, a term +n (or −n) occurs, delete it (since it is = 0 mod n)
• whenever in an expression to be computed mod n, a factor n occurs, delete the product it is contained in (since it is = 0 mod n)
MOD. COMPUT. – EXAMPLES
• one should immediately see that:
(2 + 3) × 4 − 8 × 5 + 16 = 0 mod 4
• in fact (this must become instinctive):
a × 4 = 0 mod 4 (whatever a is)
8 × b = 0 mod 4 (whatever b is)
and 16 = 0 mod 4
• a well-known application:
123456 mod 3 = (1×10^5 + 2×10^4 + 3×10^3 + 4×10^2 + 5×10^1 + 6×10^0) mod 3 = (1 + 2 + 3 + 4 + 5 + 6) mod 3 = 21 mod 3 = 0 ⇒ 123456 = 0 mod 3
since 10^x = 1 mod 3 for every x ≥ 0
• it is the well-known rule for checking the divisibility by 3 of decimal integers
MOD. COMPUT. – PROBLEM …
• what is the check rule of divisibility by 3 for binary natural numbers?
• that is, given:
B = 10010100101011000101010
how do I quickly check whether the binary number B is divisible by 3?
• I might first convert B to decimal, but …
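One answer to the problem, as an added example that is not part of the original slides. Since 2 = −1 mod 3, a bit of weight 2^i contributes (−1)^i, so B mod 3 is the alternating sum of its bits (equivalently, since 4 = 1 mod 3, the sum of its base-4 digits); the slides' bit string B turns out to leave remainder 1. The last function generalises to any modulus with Horner's rule r = (2r + b) mod m, the streaming reduction that never materialises the big integer. Function names are this example's own.

```python
# Added example (not part of the original slides): the binary analogue of the
# "sum of decimal digits" rule. Since 2 = -1 (mod 3), a bit of weight 2^i counts
# as (-1)^i, so B mod 3 is the alternating sum of its bits (equivalently, since
# 4 = 1 mod 3, the sum of its base-4 digits). The last function is the general
# streaming reduction mod any m (Horner's rule). The bit string B is the one
# from the slide; function names are this example's own.

def mod3_alternating_bits(bits):
    """B mod 3 from the alternating sum of bits, LSB first: sum (-1)^i * b_i."""
    acc = 0
    for i, bit in enumerate(reversed(bits)):       # i = 0 is the LSB, weight 2^0
        if bit == "1":
            acc += 1 if i % 2 == 0 else -1
    return acc % 3


def mod3_base4_digits(bits):
    """B mod 3 by summing base-4 digits (pairs of bits), since 4 = 1 mod 3."""
    padded = bits.zfill(len(bits) + len(bits) % 2)
    total = sum(int(padded[i:i + 2], 2) for i in range(0, len(padded), 2))
    return total % 3


def mod_streaming(bits, m):
    """B mod m by Horner's rule r = (2r + b) mod m over the bits, MSB first."""
    r = 0
    for bit in bits:
        r = (2 * r + int(bit)) % m
    return r


def divisible_by_3(bits):
    return mod3_alternating_bits(bits) == 0


if __name__ == "__main__":
    B = "10010100101011000101010"
    print(mod3_alternating_bits(B), mod3_base4_digits(B),
          mod_streaming(B, 3), int(B, 2) % 3)        # all four give 1
    print(divisible_by_3(B), divisible_by_3("110"))   # False True
```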
MODULAR REDUCTION
• given any modulus n ≥ 1 and any integer a ≥ n, the task of finding an integer 0 ≤ b < n, such that a = b mod n is called “reduction”
• for instance, taking n = 7 and a = 20:
b = a mod n = 20 mod 7 = 6 ⇒ 20 = 6 mod 7
• it is said that 6 is the “reduced” form of 20, modulo 7 (as already seen before)
• actually reduction is nothing but another name for taking the result of “a mod n”
GREATEST COMMON DIVISOR
• given any two integers a, b ∈ Z (not both 0), their greatest common divisor, g.c.d., usually denoted (a, b) = d, is the largest positive integer d (i.e., d ≥ 1) dividing exactly (remainder 0) both a and b
• for instance:
(2, 3) = 1, (12, 8) = 4, (−30, 12) = 6, (−2, −5) = 1 (not −1 !)
• two integers a, b ∈ Z are said to be co-prime (or relatively prime), i.e., they share no common integer factor ≥ 2, if and only if (a, b) = 1
• for finding the g.c.d. efficiently: Euclid’s algorithm
ABOUT THE INVERSION IN Zn
• given a ∈ Zn (n ≥ 2), when is it possible to find b ∈ Zn, such that:
a × b = 1 mod n
(b is the multiplicative inverse of a)?
• theorem: the multiplicative inverse b of a exists (and is unique) if and only if (a, n) = 1, i.e., if a and n are co-prime (they share no common integer factor ≥ 2)
INVERSION IN Zn – EXAMPLE
• let n = 6, i.e., work in Z6:
2^−1 mod 6 does not exist, (2, 6) = 2
3^−1 mod 6 does not exist, (3, 6) = 3
4^−1 mod 6 does not exist, (4, 6) = 2
5^−1 mod 6 exists, (5, 6) = 1, and is 5, since 5 × 5 = 25 = 1 mod 6
• clearly, if n is a prime integer, any positive integer a < n is co-prime with n, hence …
LINEAR EQUATIONS IN Zn
• take the modular equation:
a × y = b mod n
where a, b ∈ Zn are fixed coefficients, and y ∈ Zn is the unknown variable to be found
• theorem: there exists a unique solution (for every b) if and only if a, n are co-prime, i.e. iff a, n share no common factor ≥ 2, i.e. iff (a, n) = 1
• how to find the solution in some cases, later
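Euclid's algorithm and what it buys, as an added example that is not part of the original slides and is not tied to the prime case: the extended form returns x, y with a·x + n·y = (a, n), so when (a, n) = 1 the x is exactly a^−1 mod n, for any modulus. The solver for a·y = b mod n uses that inverse in the co-prime case and, in the other case, reports the d solutions (if d divides b) or none, instead of returning a wrong y. Function names are this example's own.

```python
# Added example (not part of the original slides): Euclid's algorithm for the
# g.c.d., its extended form (which also yields the multiplicative inverse when
# (a, n) = 1, for any modulus n, prime or not), and a solver for a*y = b mod n
# that reports the non-coprime cases instead of silently returning a wrong y.
# Function names are this example's own.

def gcd(a, b):
    """Euclid: repeatedly replace (a, b) by (b, a mod b). Always returns d >= 0."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d (Bezout identity)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:                        # normalise so that d >= 1
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y


def inverse_mod(a, n):
    """b with a*b = 1 mod n, or None when (a, n) != 1 (no inverse exists)."""
    d, x, _ = extended_gcd(a % n, n)
    if d != 1:
        return None
    return x % n


def solve_linear(a, b, n):
    """All y in Z_n with a*y = b mod n.

    (a, n) = 1: exactly one solution, y = a^-1 * b.
    (a, n) = d > 1: d solutions if d | b, none otherwise (the theorem's 'unique
    solution' holds only in the coprime case).
    """
    d = gcd(a, n)
    if d == 1:
        return [(inverse_mod(a, n) * b) % n]
    if b % d != 0:
        return []
    y0 = (inverse_mod(a // d, n // d) * (b // d)) % (n // d)
    return [y0 + k * (n // d) for k in range(d)]


if __name__ == "__main__":
    print(gcd(12, 8), gcd(-30, 12), gcd(-2, -5))            # 4 6 1
    print([inverse_mod(a, 6) for a in range(1, 6)])         # [1, None, None, None, 5]
    print(solve_linear(5, 3, 7), solve_linear(2, 4, 6), solve_linear(2, 3, 6))  # [2] [2, 5] []
```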
FERMAT “LITTLE” THEOREM
• theorem: take any prime integer p ≥ 2, and any integer a ≥ 0, then:
a^p = a mod p (P. Fermat)
• for instance, taking p = 3 (prime):
2^3 = 8 = 2 mod 3
3^3 = 27 = 0 = 3 mod 3
4^3 = 64 = 1 = 4 mod 3
CONSEQUENCES
• if p ≥ 2 is a prime integer:
since: a^p = a mod p
it follows: a^(p − 1) = 1 mod p
(with the condition that a ≠ 0 mod p)
• for instance, taking p = 5 (prime):
2^4 = 16 = 1 mod 5
3^4 = 81 = 1 mod 5
4^4 = 256 = 1 mod 5
…
SOLVING LIN. EQ.S IN Zp
• linear equations of the form:
a × y = b mod p (p ≥ 2 prime)
a, b ∈ Zp coefficients and y ∈ Zp variable, admit the following (unique, mod p) solution:
y = a^−1 × b = a^(p − 2) × b mod p
(by Fermat) since, being p prime, (a, p) = 1
• caution: be sure that a mod p ≠ 0 !
• the same can be instanced for systems of linear equations (see later) …
MODULAR FIELDS
MODULAR FIELDS
• we have seen that Zn (for any n ≥ 2) is a modular (finite) ring of n elements
• to be a (finite) field, Zn only lacks the inverse elements for multiplication, i.e. the possibility to invert all its non-zero elements
• that is, given any a ∈ Zn, how do I find a’ ∈ Zn such that a × a’ = 1 (of course, mod n)?
• is it possible to find such an a’ for any integer 0 < a < n and any value of n?
MODULAR FIELDS
• we know that, given any positive a < n, there exists a positive integer a’ such that a × a’ = 1 mod n, if and only if a, n are co-prime
• clearly, if n is a prime integer, every positive integer a < n will be co-prime with n
• conversely, if n is not a prime integer, there must exist some a < n that is not co-prime with n
• theorem: all elements of Zn (but 0) are invertible if and only if n is a prime integer
• pay attention: if n is not a prime integer, a few elements of Zn may be invertible, but not all of them
MODULAR INVERSION
• given any prime integer p ≥ 2 (Fermat):
a^p = a mod p
a^(p − 1) = 1 mod p (with the condition that a ≠ 0 mod p)
• let us go on with the idea …
a^(p − 2) = a^−1 mod p (still with the condition that a ≠ 0 mod p)
• that is, a^(p − 2) behaves as the multiplicative inverse element of a (if p is prime!)
INVERSION – EXAMPLES
• for instance, taking p = 5 (prime), and knowing that p − 2 = 3, one has:
1^3 = 1 mod 5 and 1 × 1 = 1 mod 5
2^3 = 3 mod 5 and 2 × 3 = 1 mod 5
3^3 = 2 mod 5 and 3 × 2 = 1 mod 5
4^3 = 4 mod 5 and 4 × 4 = 1 mod 5
5^3 = 0 mod 5 no inverse (since 5 = 0 mod 5)
6^3 = 1 mod 5 and 6 × 1 = 1 mod 5
… (the behaviour is periodic)
INVERSION – THAT IS …
• taking p = 5 (prime) one has:
1^−1 = 1 mod 5
2^−1 = 3 mod 5
3^−1 = 2 mod 5
4^−1 = 4 mod 5
while 0 has no inverse, of course …
• note that for each element of Z5 we have found an inverse (but for 0)
MODULAR FIELD Fp (or GF(p))
• every (finite) modular ring Zn, such that n ≥ 2 is a prime integer, can be turned into a (finite) field
• simply add inversion to it, and compute the inverse using Fermat’s little theorem
• such a field is denoted Fp (or also Galois Field of order p, GF(p))
• a different field for every prime p
MODULAR FIELD Fp (or GF(p))
• given a prime integer p ≥ 2:
Fp = ⟨ {0, 1, 2, …, p − 1}, +, ×, 0, 1 ⟩
is called “modular (Galois) field of order p”, or GF(p), provided, for every element a, b ∈ Fp:
a + b is computed mod p
a × b is computed mod p
−a = p − a, so that a + (−a) = p = 0 mod p
a^−1 = a^(p − 2), so that a × a^−1 = a × a^(p − 2) = a^(p − 1) = 1 mod p
• Fp is finite and contains exactly p elements
LINEAR EQUATIONS IN Fp
• given a prime integer p ≥ 2, take the modular linear equation:
a × y = b mod p
where a, b ∈ Fp are fixed coefficients, and y ∈ Fp is the unknown variable to be found:
• the unique solution (mod p) is:
y = a^−1 × b mod p
• for instance, given p = 7 (prime):
5 × y = 3 mod 7 ⇒ y = 5^−1 × 3 = 5^5 × 3 = 3125 × 3 = 9375 = 2 mod 7
and actually 5 × 2 = 10 = 3 mod 7
LINEAR SYSTEMS IN Fp
• given a prime integer p ≥ 2, take the system of modular linear equations:
A × Y = B mod p
where:
A ∈ [Fp]^(m,m) is a square matrix of order m ≥ 2 of fixed coefficients in Fp
B ∈ [Fp]^m is a vector of order m ≥ 2 of constant terms in Fp
and Y ∈ [Fp]^m is the vector of the unknown variables to be found in Fp
LINEAR SYSTEMS IN Fp
• the above system of linear equations admits a unique solution (mod p) iff det(A) ≠ 0 mod p
• in this case (det(A) ≠ 0 mod p), the solution is:
Y = A^−1 B mod p
• the determinant det(A), the matrix inverse A^−1 and the matrix-vector product A^−1 B are computed as usual, remembering to take all the operations mod p over their entries
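Solving a × y = b mod p and the m × m system A × Y = B mod p from the last slides, as an added example that is not part of the original slides: Gauss-Jordan elimination over F_p, where every division is a multiplication by the Fermat inverse a^(p−2) mod p. The single equation is the 1 × 1 case of the same routine. The caveat the slides hint at is made explicit: det(A) must be taken mod p, and the sample matrix [[1, 3], [2, 13]] has determinant 7 over Z (invertible) but 0 in F_7 (singular). Function names and the sample systems are this example's own.

```python
# Added example (not part of the original slides): Gaussian elimination over
# F_p, where every division is a multiplication by the Fermat inverse
# a^(p-2) mod p. It serves the single equation a*y = b mod p (a 1x1 system) and
# the m x m system A*Y = B mod p. Note that det(A) must be taken mod p: a
# matrix that is invertible over the integers can still be singular in F_p.
# Function names and the sample systems are this example's own.

def inverse_fermat(a, p):
    """a^-1 = a^(p-2) mod p (p prime, a != 0 mod p)."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no inverse in F_p")
    return pow(a, p - 2, p)


def solve_mod_p(A, B, p):
    """Solve A*Y = B over F_p by Gauss-Jordan elimination (rows of A, vector B).

    Raises ValueError if det(A) = 0 mod p (no unique solution).
    """
    m = len(A)
    M = [[a % p for a in row] + [b % p] for row, b in zip(A, B)]   # augmented matrix
    for col in range(m):
        pivot = next((r for r in range(col, m) if M[r][col] != 0), None)
        if pivot is None:
            raise ValueError("det(A) = 0 mod p: no unique solution")
        M[col], M[pivot] = M[pivot], M[col]
        inv = inverse_fermat(M[col][col], p)
        M[col] = [(x * inv) % p for x in M[col]]          # make the pivot 1
        for r in range(m):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[col])]
    return [row[m] for row in M]


def det_mod_p(A, p):
    """det(A) mod p by elimination; 0 means the system has no unique solution."""
    m = len(A)
    M = [[a % p for a in row] for row in A]
    det = 1
    for col in range(m):
        pivot = next((r for r in range(col, m) if M[r][col] != 0), None)
        if pivot is None:
            return 0
        if pivot != col:
            M[col], M[pivot] = M[pivot], M[col]
            det = -det                                    # a row swap flips the sign
        det = (det * M[col][col]) % p
        inv = inverse_fermat(M[col][col], p)
        for r in range(col + 1, m):
            f = (M[r][col] * inv) % p
            M[r] = [(x - f * y) % p for x, y in zip(M[r], M[col])]
    return det % p


if __name__ == "__main__":
    p = 7
    print(solve_mod_p([[5]], [3], p))                     # [2]   (5*y = 3 mod 7)
    print(solve_mod_p([[2, 3], [1, 4]], [0, 2], p))       # [3, 5]
    print(det_mod_p([[1, 3], [2, 13]], p))                # 0: det is 7 over Z, singular in F_7
```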
THE BINARY FIELD
THE BINARY FIELD F2 (or GF(2))
• when p = 2 (the smallest prime):
F2 = ⟨ {0, 1}, +, ×, 0, 1 ⟩
• this is a well-known structure, since:
0 + 0 = 0   0 × 0 = 0   −0 = 2 − 0 = 2 = 0
0 + 1 = 1   0 × 1 = 0   −1 = 2 − 1 = 1
1 + 0 = 1   1 × 0 = 0   (negation is the identity)
1 + 1 = 2 = 0   1 × 1 = 1   1^−1 = 1
XOR gate   AND gate   IDENTITY
THE BINARY FIELD F2 (or GF(2))
• in F2 addition and subtraction coincide!
• observe in fact:
0 + 0 = 0   0 − 0 = 0 + (−0) = 0 + 0 = 0
0 + 1 = 1   0 − 1 = 0 + (−1) = 0 + 1 = 1
1 + 0 = 1   1 − 0 = 1 + (−0) = 1 + 0 = 1
1 + 1 = 0   1 − 1 = 1 + (−1) = 1 + 1 = 0
XOR gate   still XOR gate
• do not extend this feature to p > 2 !
THE BINARY FIELD F2 (or GF(2))
• the field F2 (or GF(2)) is also called the “binary field” and is the simplest
• its hardware counterparts are the XOR and AND gates
• it is the natural field in which to compute arithmetic (most arithmetic circuits are formed by XOR and AND gates only)
POLYNOMIALS
POLYNOMIALS
• everybody knows univariate polynomials (i.e., containing a single variable x) with integer coefficients:
$C(x) = c_m x^m + c_{m-1} x^{m-1} + \dots + c_1 x + c_0$
where c_i ∈ Z, for every 0 ≤ i ≤ m
• the integer m ≥ 0 is the degree of C(x)
• here, we are interested in polynomials not as functions of the variable x, but as objects that can be manipulated in various ways
POLYNOMIALS
• the set of all the polynomials (of any degree) with integer coefficients is denoted Z[x]
• polynomials in Z[x] can be added, subtracted and multiplied. They form a commutative ring with unity (the ring Z[x] is infinite):
Z[x] = ⟨ Z[x], +, ×, 0, 1 ⟩
• in general however, there is no multiplicative inverse element, i.e. given any polynomial P(x) ∈ Z[x] it is not possible to find P’(x) ∈ Z[x] such that P(x) × P’(x) = 1
POLYNOMIAL DIVISION
• given any two polynomials P(x), D(x) ∈ Z[x] (D(x) ≠ 0), there exist two unique polynomials Q(x), R(x) ∈ Q[x] (with rational coefficients), such that:
P(x) = Q(x) × D(x) + R(x)
degree(R(x)) < degree(D(x))
• Q(x) is the quotient, R(x) is the remainder
• this property resembles integer division
• but note that Q(x), R(x) have rational coefficients, i.e., in general the coefficients are not integer
• the algorithm for finding R(x) is well-known
EXAMPLE OF DIVISION IN Z[x]
• take x^4 + 2x^3 − 1, x^2 + 3 ∈ Z[x]
long division (dividend on the left, divisor on the right; the quotient is built up term by term below the divisor):
 x^4 + 2x^3 + 0x^2 + 0x − 1 | x^2 + 3
−x^4        − 3x^2          | x^2
 ---------------------------
       2x^3 − 3x^2 + 0x − 1 | x^2 + 2x
      −2x^3        − 6x     |
 ---------------------------
            −3x^2 − 6x − 1  | x^2 + 2x − 3
            +3x^2      + 9  |
 ---------------------------
                  −6x + 8   | end
remainder: −6x + 8   quotient: x^2 + 2x − 3
• in this special case, no need of rational numbers (because the leading coefficient of the divisor x^2 + 3 is 1!)
• verify: (x^2 + 2x − 3)(x^2 + 3) + (−6x + 8) = x^4 + 3x^2 + 2x^3 + 6x − 3x^2 − 9 − 6x + 8 = x^4 + 2x^3 − 1, as expected
POLYNOMIALS OVER MODULAR RINGS AND FIELDS
POLYNOMIALS OVER RINGS
• restrict the set of the coeff.’s of polynomials to the modular ring Zn (for a fixed n ≥ 2)
• such polynomials can be added, subtracted and multiplied mod n, in the obvious way
Zn[x] = ⟨ Zn[x], + mod n, × mod n, 0, 1 ⟩
• but in general, it is not possible to find multiplicative inverse elements
• the structure Zn[x] is still an infinite commutative ring with unity, as is Z[x]
• sample additions and multiplications …
POLYNOMIALS OVER FIELDS
• restrict the set of the coeff.’s of polynomials to the finite field Fp (for a fixed prime p ≥ 2)
• such polynomials can be added, subtracted and multiplied mod p, in the obvious way
Fp[x] = ⟨ Fp[x], + mod p, × mod p, 0, 1 ⟩
• but in general, it is not possible to find multiplicative inverse elements
• the structure Fp[x] is still an infinite commutative ring with unity, as are Z[x], Zn[x]
POLYNOMIAL DIVISION IN Fp[x]
• given any two polynomials P(x), D(x) ∈ Fp[x], there exist two unique polynomials S(x), R(x) ∈ Fp[x], such that:
P(x) = S(x) × D(x) + R(x)
degree(R(x)) < degree(D(x))
• S(x) is the quotient, R(x) is the remainder
• this property resembles integer division
• note that S(x), R(x) have coeff.’s in Fp !
• the algorithm for finding S(x), R(x) is well-known (same as for the polynomials in Z[x])
EXAMPLE OF DIVISION IN F3[x]
• take x^4 + 2x^3 + 1, 2x^2 + 1 ∈ F3[x]
  1x^4 + 2x^3 + 0x^2 + 0x + 1   |  2x^2 + 1
− 1x^4        − 2x^2            |  2x^2              (quotient term 2x^2, as 2 × 2 = 4 = 1 mod 3)
  ----------------------------
         2x^3 + 1x^2 + 0x + 1   |  2x^2 + 1x         (quotient term 1x)
       − 2x^3        − 1x       |
  ----------------------------
                1x^2 + 2x + 1   |  2x^2 + 1x + 2     (quotient term 2)
              − 1x^2      − 2   |
  ----------------------------
                       2x + 2   |  end
  remainder: 2x + 2            quotient: 2x^2 + x + 2
• pay attention to: −1 = 2, −2 = 1, 2^(−1) = 2 mod 3.
• verify (remember also that: 4 = 1, 6 = 0, 3 = 0 mod 3):
(2x^2 + x + 2) (2x^2 + 1) + (2x + 2) = 4x^4 + 2x^2 + 2x^3 + x + 4x^2 + 2 + 2x + 2 = 4x^4 + 2x^3 + 6x^2 + 3x + 4 = x^4 + 2x^3 + 0x^2 + 0x + 1 = x^4 + 2x^3 + 1 mod 3
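The two divisions above (in Z[x] and in F3[x]) carried out by the same long-division routine, as an added worked example that is not part of the original slides. Polynomials are coefficient lists, lowest degree first; with p=None the coefficients become rationals (the Q[x] case of the POLYNOMIAL DIVISION slide), with a prime p the leading coefficient of the divisor is inverted mod p. The function names and the extra non-monic sample (x^2 divided by 2x + 1) are my own choices:

```python
from fractions import Fraction

# Polynomials are coefficient lists, lowest degree first: [c0, c1, ..., cm].
# p=None  -> arithmetic over Q (rational coefficients, as the Z[x] slide warns)
# p prime -> arithmetic over F_p (divide by a coefficient via pow(c, -1, p))

def trim(poly):
    """Drop leading zero coefficients so that len(poly) - 1 is the degree."""
    while len(poly) > 1 and poly[-1] == 0:
        poly = poly[:-1]
    return poly

def poly_divmod(P, D, p=None):
    """Return (Q, R) with P = Q*D + R and deg R < deg D (Euclidean division)."""
    if p is None:
        R, D = [Fraction(c) for c in P], [Fraction(c) for c in D]
        norm = lambda c: c
    else:
        R, D = [c % p for c in P], [c % p for c in D]
        norm = lambda c: c % p
    R, D = trim(R), trim(D)
    if D == [0]:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = (1 / D[-1]) if p is None else pow(D[-1], -1, p)
    if len(R) < len(D):
        return [0], R
    Q = [0] * (len(R) - len(D) + 1)
    # classic long division: kill the leading term of R at every step
    for i in range(len(R) - len(D), -1, -1):
        q = norm(R[i + len(D) - 1] * inv_lead)   # quotient term for x^i
        Q[i] = q
        for j, d in enumerate(D):
            R[i + j] = norm(R[i + j] - q * d)
    return trim(Q), trim(R[:len(D) - 1] or [0])

def poly_mul(A, B, p=None):
    out = [0] * (len(A) + len(B) - 1)
    for i, a in enumerate(A):
        for j, b in enumerate(B):
            out[i + j] += a * b
    return trim([c % p if p else c for c in out])

def poly_add(A, B, p=None):
    n = max(len(A), len(B))
    A, B = A + [0] * (n - len(A)), B + [0] * (n - len(B))
    return trim([(a + b) % p if p else a + b for a, b in zip(A, B)])

def check_division(P, D, p=None):
    """The slides' 'verify' step: does Q*D + R give back P?"""
    Q, R = poly_divmod(P, D, p)
    lhs = poly_add(poly_mul(Q, D, p), R, p)
    rhs = trim([c % p if p else c for c in P])
    return lhs == rhs
```

For the slide's F3 example, poly_divmod([1, 0, 0, 2, 1], [1, 0, 2], p=3) returns the quotient [2, 1, 2] (2x^2 + x + 2) and the remainder [2, 2] (2x + 2); dividing x^2 by 2x + 1 over Q returns the rational quotient x/2 − 1/4 and remainder 1/4, which is exactly why Q(x), R(x) are stated to live in Q[x].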
POLYNOMIAL MOD. CONGRUENCE
• given any polynomials P(x), D(x) (∈ Z[x] or Zn[x] or Fp[x]), write:
P(x) mod D(x) = R(x)
with R(x) the remainder of P(x) / D(x)
• modulus D(x) congruence:
P(x) = Q(x) mod D(x) ⇔ P(x) mod D(x) = Q(x) mod D(x)
PROPERTIES OF POLY–MOD. CONGRUENCE
• the operator “mod” commutes:
(P(x) + Q(x)) mod D(x) = ((P(x) mod D(x)) + (Q(x) mod D(x))) mod D(x)
the same holds for subtraction
(P(x) × Q(x)) mod D(x) = ((P(x) mod D(x)) × (Q(x) mod D(x))) mod D(x)
• same properties as mod n
• modular reduction by a polynomial D(x) is defined as for modular reduction by an integer n
POLY–MOD. COMPUTATION IN PARTICULAR …
• taking mod D(x) is equivalent to assuming that D(x) = 0 (remember n = 0 mod n !)
• for instance (in Z[x]), see immediately that:
x^3 + 2x + 5 = 2x + 7 mod (x^3 − 2)
because:
x^3 − 2 = 0 ⇒ x^3 = 2
and: x^3 + 2x + 5 = 2 + 2x + 5 = 2x + 7
• verify dividing: (x^3 + 2x + 5) mod (x^3 − 2) !
POLYNOMIALS OVER THE BINARY FIELD F2 (GF(2))
POLYNOMIALS OVER F2 (GF(2))
• when the field of the coefficients is F2 (or GF(2)), things become very simple
• a coefficient is either 0 or 1 (i.e., a bit)
• a power x^i is either present (coeff. 1, usually not written) or absent (coeff. 0)
• a polynomial in F2[x] is nothing but a list of powers of x
EXAMPLES OF OP.S IN F2[x]
• let A(x), B(x) ∈ F2[x]: A(x) = x^2 + x + 1 and B(x) = x^3 + x
• then:
A(x) + B(x) = (x^2 + x + 1) + (x^3 + x) = x^3 + x^2 + x + x + 1 = x^3 + x^2 + (1 + 1)x + 1 = x^3 + x^2 + 0x + 1 = x^3 + x^2 + 1
A(x) B(x) = (x^2 + x + 1) (x^3 + x) = x^5 + x^4 + x^3 + x^3 + x^2 + x = x^5 + x^4 + x^2 + x
• pay attention to: 1 + 1 = 0 !
• in general: 1 + 1 + … + 1 (even times) = 0 !
EXAMPLES OF OP.S IN F2[x]
• sometimes peculiarities may occur:
(x + 1)^2 = (x + 1)(x + 1) = x^2 + x + x + 1 = x^2 + 1 (different from ordinary algebra)
(x + 1)^3 = (x + 1)(x + 1)(x + 1) = x^3 + x^2 + x^2 + x^2 + x + x + x + 1 = x^3 + x^2 + x + 1 (different from ordinary algebra)
• can you infer the general rule ?
POLYNOMIAL DIVISION IN F2[x]
• take x^4 + x^3 + 1, x^2 + 1 ∈ F2[x]
  x^4 + x^3 + 1            |  x^2 + 1
  x^4       + x^2          |  x^2              (quotient term x^2)
  ----------------------
        x^3 + x^2 + 1      |  x^2 + x          (quotient term x)
        x^3       + x      |
  ----------------------
              x^2 + x + 1  |  x^2 + x + 1      (quotient term 1)
              x^2     + 1  |
  ----------------------
                    x      |  end
  remainder: x             quotient: x^2 + x + 1
• pay attention to: −1 = 1 mod 2, i.e. add. and sub. coincide
• verify: (x^2 + x + 1) (x^2 + 1) + x = x^4 + x^2 + x^3 + x + x^2 + 1 + x = x^4 + x^3 + 1 mod 2 as it is expected to be
• hence we can write: (x^4 + x^3 + 1) = x mod (x^2 + 1)
POLYNOMIAL REDUCTION IN F2[x]
• computing polynomial division of F(x) by G(x) is like setting G(x) = 0 and replacing in F(x)
• from the previous slide: G(x) = x^2 + 1, hence G(x) = 0 ⇒ x^2 + 1 = 0 ⇒ x^2 = 1
• and replacing in F(x) = x^4 + x^3 + 1, it yields:
x^4 + x^3 + 1 = (x^2)^2 + x x^2 + 1 = 1^2 + x 1 + 1 = 1 + x + 1 = x
• hence we have: (x^4 + x^3 + 1) = x mod (x^2 + 1), as seen before by performing a full division.
• but reduction DOES NOT REALLY REQUIRE TO COMPUTE A FULL DIVISION (since we are not interested in the quotient, but only in the remainder)
POLYNOMIALS OVER F2
• a polynomial in F2[x] can be identified with a string of bits
• for instance:
x^5 + x^4 + x^2 + 1 ≡ 110101 (degree 5 ≡ 6 bits)
• in general: F(x) ≡ string of n + 1 bits (supposing F(x) is of degree n)
• for any degree n, how many different polynomials ? answer: 2^(n+1)
IRREDUCIBLE POLYNOMIALS
• a polynomial of degree m ≥ 2 is said to be irreducible if it cannot be factored into two or more polynomials of lower degree
• A(x) is irreducible if there do not exist any two polynomials B(x), C(x) (not reducing to pure constant terms) such that A(x) = B(x) C(x)
• for every degree, there exist irreducible polynomials in Z[x], Zn[x] and Fp[x], for any integer n and prime integer p
IRREDUCIBLE POLYNOMIALS
• x and x + 1 are irreducible by definition
• is x^2 + x irreducible ?
• no, because x^2 + x = x (x + 1)
• is x^2 + 1 irreducible ?
• no, because x^2 + 1 = (x + 1) (x + 1)
• is x^2 + x + 1 irreducible ?
• yes, but why ?
RUFFINI RULE
• a polynomial F(x) admits the linear factor (x − a) iff a is a root of F(x)
• for the polynomials over F2 (or GF(2)):
F(x) admits the factor (x − 1), which coincides with (x + 1), iff 1 is a root of F(x)
hence, replace x in F(x) with 1 and see if F(1) = 0; if so, F(x) = F’(x) (x + 1)
in practice, just count the terms of F(x) …
USE OF RUFFINI RULE
• Ruffini rule gives an easy way for checking whether a polynomial F(x) ∈ F2[x] admits the linear factor (x + 1)
• does (x^2 + x + 1) admit factor (x + 1) ? no, since it has 3 terms (and 3 is odd)
• does moreover (x^2 + x + 1) admit factor x ? no, since it contains the constant term +1
• since the only linear factors in F2[x] are (x + 1) and x, and a F(x) of degree 2 can only be split into linear factors, (x^2 + x + 1) is irreducible
• of course, Ruffini rule works also in Fp[x]
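The F2[x] material of the last slides (bit-string representation, XOR addition, carry-less multiplication, long division and the Ruffini test for the factors x and x + 1) in one added example; this is my code, not the slides' own. A polynomial is a Python int whose bit i is the coefficient of x^i, so x^5 + x^4 + x^2 + 1 is 0b110101 exactly as on the POLYNOMIALS OVER F2 slide. The last function generalises the degree-2 argument of the USE OF RUFFINI RULE slide to any degree by trial division; the function names are mine:

```python
# F2[x] polynomials as Python ints: bit i set <=> the term x^i is present.
# Addition is XOR (1 + 1 = 0), there are never any carries.

def gf2_deg(a):
    """Degree of a; the zero polynomial gets -1."""
    return a.bit_length() - 1

def gf2_mul(a, b):
    """Carry-less product: XOR a shifted copy of a for every term of b."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a <<= 1
        b >>= 1
    return out

def gf2_divmod(p, d):
    """Long division in F2[x]: returns (quotient, remainder), deg rem < deg d."""
    if d == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, p
    while gf2_deg(r) >= gf2_deg(d):
        shift = gf2_deg(r) - gf2_deg(d)     # next quotient term is x^shift
        q ^= 1 << shift
        r ^= d << shift                     # subtraction == addition == XOR
    return q, r

def gf2_str(a):
    """Pretty-print, e.g. 0b11001 -> 'x^4 + x^3 + 1'."""
    if a == 0:
        return "0"
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(gf2_deg(a), -1, -1) if a >> i & 1]
    return " + ".join(terms)

def has_factor_x_plus_1(f):
    """Ruffini over F2: (x + 1) | f  <=>  f(1) = 0  <=>  even number of terms."""
    return bin(f).count("1") % 2 == 0

def has_factor_x(f):
    """x | f  <=>  f(0) = 0  <=>  no constant term."""
    return f & 1 == 0

def gf2_is_irreducible(f):
    """Trial division by every polynomial of degree 1 .. deg(f)//2.
    For degree 2 and 3 this is just the Ruffini test for x and x + 1; for
    higher degrees it also tries the non-linear divisors."""
    n = gf2_deg(f)
    if n < 1:
        return False
    for d in range(2, 1 << (n // 2 + 1)):   # ints 2 .. 2^(n//2+1)-1: degree 1..n//2
        if gf2_divmod(f, d)[1] == 0:
            return False
    return True

if __name__ == "__main__":
    q, r = gf2_divmod(0b11001, 0b101)       # (x^4 + x^3 + 1) / (x^2 + 1)
    print("quotient:", gf2_str(q), " remainder:", gf2_str(r))
    print("x^4 + x^3 + 1 irreducible:", gf2_is_irreducible(0b11001))
```

gf2_divmod(0b11001, 0b101) returns quotient 0b111 (x^2 + x + 1) and remainder 0b10 (x), the result of the long division on the slide; gf2_is_irreducible(0b11001) answers the "check yourself" for x^4 + x^3 + 1 used later as a generator of GF(2^4).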
BINARY EXTENSION FIELDS
MOVING TOWARDS FIELDS
• remember that F2[x] is not a polynomial field (there are no multiplicative inverse elements, in general)
• how to make it into a polynomial field ?
• the answer is contained in irreducible polynomials
THE EXTENSION FIELD GF(2^n)
• select an irreducible polynomial G(x) ∈ F2[x] of degree n
• G(x) is called “generator polynomial”
• the extension field GF(2^n) (for n ≥ 2) is:
GF(2^n) = ⟨ F2[x]_n, +, ×, 0, 1 ⟩
where:
F2[x]_n is the set of all the polynomials over F2 of degree under n
+, × are the polynomial addition and multiplication modulus the selected (and fixed) polynomial G(x)
• G(x) is the “generator polynomial” of GF(2^n).
THE EXTENSION FIELD GF(2^n)
• fixed a generator G(x) of degree n, take A(x), B(x) ∈ GF(2^n), and compute addition and multiplication as follows:
A(x) + B(x) mod G(x)
and similarly for subtraction
A(x) × B(x) mod G(x)
• always take the result mod G(x)
EXAMPLE IN GF(2^2)
• the elements of GF(2^n) with n = 2 (i.e. GF(2^2)) are all the polynomials in F2[x] of degree under n = 2, i.e. deg. 0 or 1
0, 1          degree 0
x, x + 1      degree 1
• then GF(2^2) contains 2^2 = 4 elements
• this is, in some sense, the simplest possible field of polynomials
EXAMPLE IN GF(2^2)
• fix the generator polynomial G(x) = x^2 + x + 1 (degree n = 2, irred.):
(x + 1) + x = 1 mod G(x)
(x + 1)^2 = x^2 + 1 = x + 1 + 1 = x mod G(x)
• remember in fact that taking mod G(x) is equivalent to setting G(x) = 0, hence:
x^2 + x + 1 = 0 ⇔ x^2 = x + 1
and replacing x^2 in x^2 + 1 yields x
EXAMPLE IN GF(2^3)
• the elements of GF(2^3) are all the polynomials in F2[x] of degree under n = 3, i.e. degree 0, 1 or 2
0, 1                                   degree 0
x, x + 1                               degree 1
x^2, x^2 + 1, x^2 + x, x^2 + x + 1     degree 2
• then GF(2^3) contains 2^3 = 8 elements
• in general, GF(2^n) contains 2^n elements
EXAMPLE IN GF(2^3)
• fix gen. G(x) = x^3 + x^2 + 1 (deg. n = 3, irred.).
• it holds: x^3 + x^2 + 1 = 0, i.e., x^3 = x^2 + 1.
(x + 1)^3 = x^3 + x^2 + x + 1 = x^2 + 1 + x^2 + x + 1 = x mod G(x)
(x^2 + 1) (x^2 + x + 1) = x^4 + x^3 + x^2 + x^2 + x + 1 = x^4 + x^3 + x + 1 = x x^3 + x^3 + x + 1 = x (x^2 + 1) + x^2 + 1 + x + 1 = x^3 + x + x^2 + x = x^3 + x^2 = x^2 + 1 + x^2 = 1 mod G(x)
• note that: x^2 + x + 1 = (x^2 + 1)^(−1) mod G(x)
FINITENESS OF GF(2^n)
• the elements of GF(2^n) (with n ≥ 2) are all the polynomials of F2[x] of degree under n (i.e. of deg. n − 1, n − 2, …, 1, 0)
• then they can be identified with the strings of bits of length exactly n
• there are 2^n such strings
• the field GF(2^n) is finite and its cardinality is of 2^n elements (which are polynomials)
HOW TO FIND THE INVERSE
• we have not yet spoken of multiplicative inverse elements in GF(2^n)
• but it is necessary to have inverse elements for GF(2^n) to be a field
• inverse elements can be found in GF(2^n) using the generalization of Fermat little theorem
FERMAT “LITTLE” THEOREM
• take an irreducible generator polynomial G(x) of degree n ≥ 2 and any polynomial F(x) ∈ GF(2^n), pose k = 2^n, then:
F(x)^k = F(x) mod G(x)
(generalisation of Fermat little theorem)
• for instance, taken G(x) = x^2 + x + 1 (of deg. n = 2, irred.), it holds k = 2^2 = 4 and hence:
(x + 1)^4 = ((x + 1)^2)^2 = (x^2 + 1)^2 = (x + 1 + 1)^2 = x^2 = x + 1 mod G(x)
as it is expected to be
CONSEQUENCES
• if the generator G(x) is an irreducible polynomial of degree n ≥ 2 and k = 2^n:
since: F(x)^k = F(x) mod G(x)
it follows: F(x)^(k − 1) = 1 mod G(x)
and also: F(x)^(k − 2) = F(x)^(−1) mod G(x)
(with the condition that F(x) ≠ 0 mod G(x))
• therefore F(x)^(k − 2) is the multiplicative inverse element of F(x) (mod G(x))
INVERSION – EXAMPLE
• taken the generator G(x) = x^2 + x + 1 (of deg. n = 2, irred.), it holds k = 2^2 = 4, and hence:
(x + 1)^(4 − 2) = (x + 1)^2 = x^2 + 1 = x + 1 + 1 = x mod G(x)
• and in fact:
(x + 1) x = x^2 + x = x + 1 + x = 1 mod G(x)
• this means that x is the inverse element of (x + 1) (of course, mod G(x))
MULTIPLICATIVE GENERATORS
• the monomial x is a multiplicative generator for binary extension fields
• for instance: G(x) = x^2 + x + 1 (irred.)
x^0 mod G(x) = 1
x^1 mod G(x) = x
x^2 mod G(x) = x + 1
x^3 mod G(x) = x x^2 mod G(x) = x (x + 1) mod G(x) = x^2 + x = x + 1 + x = 1 (periodic …).
(figure: the cycle of the powers of x in GF(2^2) (excluding 0))
• the same holds for GF(p^n) …
FIELD GF(2^n) – IN SUMMARY
• given an irreducible generator polynomial G(x) of degree n ≥ 2, the algebraic structure:
GF(2^n) = ⟨ F2[x]_n, +, ×, 0, 1 ⟩
is a finite field of 2^n elements.
• the elements of GF(2^n) are polynomials with coefficients over GF(2) (or F2)
• all the operations are computed mod G(x).
• multiplicative inverses exist for all the elements of GF(2^n) (but for 0), and can be found by Fermat little theorem
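The GF(2^n) construction summarised above (elements as n-bit strings, multiplication always reduced mod G(x), inverses by the generalised Fermat theorem F^(2^n − 2)) as an added example; this is my code, not the slides'. The generators G, the element encoding (bit i for x^i) and the sample values are the ones of the preceding slides, the function names are mine. The last function computes the multiplicative order of x, which lets the reader check the MULTIPLICATIVE GENERATORS claim for a given G rather than assume it: it holds for every G on these slides, but not for every irreducible G (x^4 + x^3 + x^2 + x + 1 is irreducible over GF(2), yet x^5 = 1 mod it, so x only reaches 5 of the 15 nonzero elements):

```python
# GF(2^n) with generator polynomial G (an int with bit n set), elements as
# ints below 2^n: bit i <=> x^i, i.e. the bit strings of length n of the
# FINITENESS slide. Inputs to the functions are assumed already reduced.

def gf2n_add(a, b):
    """Addition and subtraction coincide: bitwise XOR, never needs reduction."""
    return a ^ b

def gf2n_mul(a, b, G):
    """Shift-and-add multiply; reduce by G as soon as a degree-n term appears
    (x^n = G(x) - x^n mod G), so the result is always taken mod G(x)."""
    n = G.bit_length() - 1
    out = 0
    for _ in range(n):
        if b & 1:
            out ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= G
    return out

def gf2n_pow(a, e, G):
    """Square & multiply, scanning the exponent from its least significant bit."""
    result, base = 1, a
    while e:
        if e & 1:
            result = gf2n_mul(result, base, G)
        base = gf2n_mul(base, base, G)
        e >>= 1
    return result

def gf2n_inv(a, G):
    """Generalised Fermat theorem: a^(2^n - 2) is the inverse of a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    n = G.bit_length() - 1
    return gf2n_pow(a, (1 << n) - 2, G)

def gf2n_is_field(G):
    """Every nonzero element must have an inverse that multiplies back to 1;
    this fails for a reducible G, where zero divisors appear."""
    n = G.bit_length() - 1
    return all(gf2n_mul(a, gf2n_inv(a, G), G) == 1 for a in range(1, 1 << n))

def order_of_x(G):
    """Smallest t > 0 with x^t = 1 mod G. x generates the whole multiplicative
    group (all 2^n - 1 nonzero elements) exactly when t == 2^n - 1."""
    p, t = 0b10, 1
    while p != 1:
        p = gf2n_mul(p, 0b10, G)
        t += 1
    return t

if __name__ == "__main__":
    G2, G3 = 0b111, 0b1101                  # x^2 + x + 1 and x^3 + x^2 + 1
    print("(x+1)^-1 in GF(2^2):", bin(gf2n_inv(0b11, G2)))      # x
    print("(x^2+1)^-1 in GF(2^3):", bin(gf2n_inv(0b101, G3)))   # x^2 + x + 1
    print("order of x for x^4+x^3+x^2+x+1:", order_of_x(0b11111))
```

With G2 = x^2 + x + 1 the calls reproduce the slides: (x + 1)^2 = x, (x + 1)^4 = x + 1, (x + 1)^(−1) = x, and the powers of x cycle with period 3; with G3 = x^3 + x^2 + 1, (x^2 + 1)(x^2 + x + 1) = 1 and the inverse of x^2 + 1 comes out as x^2 + x + 1. gf2n_is_field(0b101) is False because x^2 + 1 = (x + 1)^2 is reducible.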
MODULAR EXTENSION FIELDS
POLYNOMIALS OVER Fp (GF(p))
• consider polynomials with coefficients over Fp (also called GF(p)), for a fixed prime integer p ≥ 2
• a coefficient can be: 0, 1, 2 …, p − 1
• then a polynomial in Fp[x] is a list of powers of x, with coefficients as above
• example: x^2 + 2x + 1 (for p = 3, prime)
POLYNOMIALS OVER Fp – EXAMPLES
• for the prime p = 3:
(x + 1) + (x^2 + 2x + 1) = x + 1 + x^2 + 2x + 1 = x^2 + 3x + 2 = x^2 + 2
since 3 = 0 mod 3
• for the prime p = 5:
(x^2 + 3) (x^3 + 2x + 4) = x^5 + 2x^3 + 4x^2 + 3x^3 + 6x + 12 = x^5 + 5x^3 + 4x^2 + 6x + 12 = x^5 + 4x^2 + x + 2
since 5 = 0, 6 = 1 and 12 = 2 mod 5
THE EXTENSION FIELD GF(p^n)
• the ideas for building “modular fields” Fp (p ≥ 2 prime), and “binary extension fields” F2[x]_n (n ≥ 2), can be combined
• the result is the family of “modular extension fields” Fp[x]_n (p, n ≥ 2, p is a prime integer)
• fields Fp[x]_n are also denoted GF(p^n) (Galois Fields of order p^n, p is prime)
THE EXTENSION FIELD GF(p^n)
• take an irreducible generator polynomial G(x) ∈ Fp[x], for a prime integer p ≥ 2, of degree n ≥ 2, the algebraic structure:
GF(p^n) = ⟨ Fp[x]_n, +, ×, 0, 1 ⟩
is a finite field of p^n elements
• the elements of GF(p^n) are polynomials with coefficients over GF(p) (or Fp)
• all the operations are computed mod G(x)
• the field GF(p^n) contains p^n elements
FERMAT “LITTLE” THEOREM
• take an irreducible generator polynomial G(x) ∈ Fp[x], for a prime p ≥ 2, of degree n ≥ 2, and take any polynomial F(x) ∈ GF(p^n), pose k = p^n, then:
F(x)^k = F(x) mod G(x)
(generalisation of Fermat little theorem)
• hence it follows (as in previous cases):
F(x)^(k − 1) = 1 mod G(x)
F(x)^(k − 2) = F(x)^(−1) mod G(x) (inverse!)
(with the cond. that F(x) ≠ 0 mod G(x))
FIELD EXAMPLE – GF(3^2)
• fix p = 3 (prime) and n = 2
• the elements of GF(3) are: 0, 1, 2
• the elements of GF(3^2) are:
0, 1, 2                                  (deg. 0, 3 poly.’s)
x, 2x, x + 1, x + 2, 2x + 1, 2x + 2      (deg. 1, 6 poly.’s)
• there are k = 3^2 = 9 elements in GF(3^2)
• take the generator G(x) = x^2 + 1
• in GF(3) the polynomial G(x) is irreducible
• were it not so, G(x) should split into two linear factors of the type (x + a), with a = 0, 1 or 2
• but none of the a’s is a root of G(x)
INVERSION – EXAMPLE IN GF(3^2)
• remember that:
G(x) = 0 ⇒ x^2 + 1 = 0 ⇒ x^2 = −1 = 2 as −1 = 2 mod 3
• to compute an inverse element:
(2x + 1)^(−1) = (2x + 1)^(9 − 2) = (2x + 1)^7 = (2x + 1)^6 (2x + 1) = ((2x + 1)^2)^3 (2x + 1) = (4x^2 + 4x + 1)^3 (2x + 1) = (x^2 + x + 1)^3 (2x + 1) = (2 + x + 1)^3 (2x + 1) = (x + 3)^3 (2x + 1) = x^3 (2x + 1) = x^2 x (2x + 1) = 2x (2x + 1) = 4x^2 + 2x = x^2 + 2x = 2 + 2x = 2x + 2 mod G(x)
• and in fact:
(2x + 1)(2x + 2) = 4x^2 + 4x + 2x + 2 = 4x^2 + 6x + 2 = x^2 + 2 = 2 + 2 = 4 = 1 mod G(x)
as it is expected to be
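The GF(p^n) construction and the GF(3^2) inversion above as an added example (my code, not the slides'). Elements are coefficient lists over Fp, reduction mod G(x) follows the substitution rule of the slides (G(x) = 0, i.e. x^n replaced by the lower terms of G with their signs flipped, which assumes G is monic as all the generators here are), and the inverse is F^(p^n − 2). The root test of the FIELD EXAMPLE slide is also coded, since for a degree-2 generator "no root in Fp" is the whole irreducibility check. Function names are mine:

```python
from itertools import product

# GF(p^n) with a monic irreducible generator G = [g0, g1, ..., g(n-1), 1]
# (lowest degree first); elements are lists [c0, ..., c(n-1)] over F_p.

def gfpn_reduce(poly, G, p):
    """Reduce mod G by substitution: G(x) = 0 gives x^n = -(g0 + ... + g(n-1) x^(n-1)),
    applied to each term of degree >= n, from the highest degree downwards."""
    n = len(G) - 1
    poly = [c % p for c in poly]
    for i in range(len(poly) - 1, n - 1, -1):
        c = poly[i]
        if c:
            poly[i] = 0
            for j in range(n):          # c x^i = c x^(i-n) x^n
                poly[i - n + j] = (poly[i - n + j] - c * G[j]) % p
    return poly[:n] + [0] * (n - len(poly))

def gfpn_add(a, b, p):
    return [(x + y) % p for x, y in zip(a, b)]

def gfpn_mul(a, b, G, p):
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    return gfpn_reduce(prod, G, p)

def gfpn_pow(a, e, G, p):
    """Square & multiply on field elements."""
    n = len(G) - 1
    result, base = [1] + [0] * (n - 1), list(a)
    while e:
        if e & 1:
            result = gfpn_mul(result, base, G, p)
        base = gfpn_mul(base, base, G, p)
        e >>= 1
    return result

def gfpn_inv(a, G, p):
    """Generalised Fermat: a^(p^n - 2) is the inverse of a != 0."""
    if not any(a):
        raise ZeroDivisionError("0 has no inverse")
    return gfpn_pow(a, p ** (len(G) - 1) - 2, G, p)

def has_root_in_fp(G, p):
    """Root test of the slide: a polynomial of degree 2 (or 3) is reducible
    over F_p exactly when some a in {0, ..., p-1} is a root."""
    return any(sum(c * pow(a, i, p) for i, c in enumerate(G)) % p == 0
               for a in range(p))

def gfpn_all_invertible(G, p):
    """Brute-force field check: every nonzero element times its Fermat inverse is 1."""
    n = len(G) - 1
    one = [1] + [0] * (n - 1)
    return all(gfpn_mul(a, gfpn_inv(a, G, p), G, p) == one
               for a in product(range(p), repeat=n) if any(a))

if __name__ == "__main__":
    G, p = [1, 0, 1], 3                    # x^2 + 1 over F_3
    print("x^2 + 1 has a root in F_3:", has_root_in_fp(G, p))
    print("(2x + 1)^-1 =", gfpn_inv([1, 2], G, p))   # [2, 2] == 2x + 2
```

gfpn_inv([1, 2], [1, 0, 1], 3) returns [2, 2], i.e. 2x + 2, the value obtained by hand on the slide; has_root_in_fp([1, 0, 1], 5) is True because 2^2 + 1 = 0 mod 5, so the same G(x) would not work as a generator over F5.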
COMPOSITE GALOIS FIELDS
• suppose GF(p^h) is a modular extension field, the elements of which consist of polynomials of degree under h with coeff.s that are integers mod p
• construct a new, larger modular extension field, using the elements of GF(p^h) as “coefficients” of new polynomials, of degree under k
• this new field is GF(GF(p^h)^k) = GF(p^(hk)), and is called a “composite (Galois) field”
• the elements of GF(p^(hk)) are polynomials, the coefficients of which are themselves polynomials (the coeff.s of the latter ones are integers mod p)
COMPOSITE GALOIS FIELDS
• dually: let GF(p^m) be a modular extension field. It can be constructed by using polynomials of degree under m, with coeff.s that are integers mod p
• but, if m = hk (for h, k ≥ 2), i.e. if m is decomposable into non-trivial factors, then the field GF(p^m) can be itself decomposed into two nested fields:
– coefficient field GF(p^h) - internal field
– complete field GF(GF(p^h)^k) = GF(p^(hk)) - external field
(the roles of h, k are interchangeable)
• this decomposition may be very helpful in the implementations, but does not always apply
• if m is itself prime, no decomposition is possible
EXAMPLE – COMPOSITE FIELD
• take p = 2 (binary extension fields).
• G(x) = x^4 + x^3 + 1 (irreducible, check yourself !)
• G(x) generates GF(2^4), with 2^4 = 16 elements.
• but 4 = 2 × 2, hence GF(2^4) = GF(GF(2^2)^2) (here h = k = 2)
• construct the two nested fields:
– Internal field, use the gen. G1(y) = y^2 + y + 1 (irred. over GF(2))
– External field, use the gen. G2(x) = x^2 + y x + 1 (irred. over GF(2^2))
• elem.s of GF(2^4): (a y^1 + b y^0) x^1 + (c y^1 + d y^0) x^0 (a, b, c, d = 0, 1)
• of course, interpret G2(x) as follows:
G2(x) = (0y + 1) x^2 + (1y + 0) x^1 + (0y + 1) x^0
since its coeff.s are themselves polynomials (use two distinct variables y and x to avoid confusion).
• complete yourself (in particular, check that G2(x) is irreducible over GF(2^2)). Try with the field GF(2^6).
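The composite field of the example, completed in code as the slide asks (this is my added example, not the slides' material). The internal field GF(4) is generated by G1(y) = y^2 + y + 1, the external one by G2(x) = x^2 + y x + 1; an element (a y + b) x + (c y + d) is stored as the pair (A, B) of its two GF(4) coefficients, each a 2-bit int with bit 1 standing for y. The code checks that G2 has no root in GF(4) (which, for degree 2, is the irreducibility check left to the reader) and that all 15 nonzero elements are invertible, so the tower really is a field of 16 elements. Names such as comp_mul are mine:

```python
# Composite field GF((2^2)^2): internal field GF(4) = F2[y]/(y^2 + y + 1),
# external field generated by G2(x) = x^2 + y*x + 1 with coefficients in GF(4).
# GF(4) elements: 2-bit ints (bit 1 <=> y). Composite elements: (A, B) = A*x + B.

Y = 0b10                                 # the element y of GF(4)

def gf4_mul(a, b):
    """Schoolbook product of two degree<2 polynomials in y, then y^2 = y + 1."""
    p = 0
    for i in range(2):
        if b >> i & 1:
            p ^= a << i
    if p & 0b100:                        # a y^2 term appeared: G1(y) = 0
        p ^= 0b111
    return p

def g2_has_root_in_gf4():
    """Evaluate G2(r) = r^2 + y r + 1 for every r in GF(4). No root <=> G2 is
    irreducible over GF(4), because deg G2 = 2 (Ruffini rule, as on the slides)."""
    return any(gf4_mul(r, r) ^ gf4_mul(Y, r) ^ 1 == 0 for r in range(4))

def comp_add(u, v):
    """Coefficient-wise XOR (characteristic 2 throughout)."""
    return (u[0] ^ v[0], u[1] ^ v[1])

def comp_mul(u, v):
    """(A x + B)(C x + D) = AC x^2 + (AD + BC) x + BD, then x^2 = y x + 1 (G2 = 0)."""
    A, B = u
    C, D = v
    AC = gf4_mul(A, C)
    hi = gf4_mul(A, D) ^ gf4_mul(B, C) ^ gf4_mul(AC, Y)   # coefficient of x
    lo = gf4_mul(B, D) ^ AC                               # constant term
    return (hi, lo)

def comp_inv(u):
    """Generalised Fermat in a field of 16 elements: u^-1 = u^(16 - 2) = u^14."""
    if u == (0, 0):
        raise ZeroDivisionError("0 has no inverse")
    result, base, e = (0, 1), u, 14
    while e:
        if e & 1:
            result = comp_mul(result, base)
        base = comp_mul(base, base)
        e >>= 1
    return result

def composite_is_field():
    """All 15 nonzero pairs must be invertible: the tower is a field with 16
    elements, i.e. a representation of GF(2^4)."""
    elems = [(A, B) for A in range(4) for B in range(4) if (A, B) != (0, 0)]
    return len(elems) == 15 and all(comp_mul(u, comp_inv(u)) == (0, 1) for u in elems)

if __name__ == "__main__":
    print("G2 has a root in GF(4):", g2_has_root_in_gf4())
    print("GF((2^2)^2) is a field:", composite_is_field())
    print("x * x =", comp_mul((1, 0), (1, 0)))          # (Y, 1): y x + 1
```

By the isomorphism theorem stated later in the deck, this 16-element field is the same field as the one generated directly by G(x) = x^4 + x^3 + 1, only in a different representation; the nested form is what implementations exploit, since every operation reduces to 2-bit arithmetic in GF(4).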
CONCLUSIONS ON FINITE FIELDS
THE COMPLETION THEOREM
• there exist only three families of finite fields:
– modular fields: GF(p) for every prime p ≥ 2; the elements are 0, 1, …, p − 1; GF(2) is the simplest case, called binary field
– binary extension fields: GF(2^n) for every integer n ≥ 2; the elements are the polynomials of degree under n with coefficients 0 or 1
– modular extension fields: GF(p^n) for every prime p ≥ 3 and integer n ≥ 2; the elements are the polynomials of degree under n with coefficients 0, 1, …, p − 1
• no other family of finite fields exists
FIELD ISOMORPHISM
• two fields F’, F’’ are isomorphic iff there exists a one-to-one function θ: F’ → F’’ such that, taken the elements a, b ∈ F’, it holds:
θ(a + b) = θ(a) + θ(b) and θ(−a) = − θ(a)
θ(a × b) = θ(a) × θ(b) and θ(a^(−1)) = θ(a)^(−1)
θ(0) = 0 and θ(1) = 1
• in practice, θ commutes with field operations
• two isomorphic fields need have the same number of elements (θ is one-to-one)
THE ISOMORPHISM THEOREM
• let F’, F’’ be any two extension fields generated by the irred. polynomials G’(x), G’’(x), respectively
• theorem: if F’, F’’ are of the same size, they are necessarily isomorphic, i.e. there exists an isomorphism θ: F’ → F’’
• in other terms, each element f of F’ admits a corresponding element θ(f) in F’’, behaving in the same way (and vice versa)
THE ISOMORPHISM THEOREM
• the extension fields GF(2^n) (and GF(p^n)) DO NOT DEPEND on the chosen irreducible generator polynomial
• that is, fixed an integer n ≥ 2 (and prime p ≥ 2), there exists a unique GF(2^n) (and GF(p^n))
• put another way, if G’(x), G’’(x) are both irreducible generators of degree n, they are equivalent for building GF(2^n) (and GF(p^n))
• hence, select G’(x) or G’’(x) at will (but do not mix them during the computation, of course)
ISOMORPHISM – EXAMPLE
• the binary extension field GF(2^3) (size 2^3 = 8) can be generated in two different ways:
G’(x) = x^3 + x^2 + 1
G’’(x) = x^3 + x + 1
since both G’(x) and G’’(x) are irreducible over GF(2)
• each of G’(x) and G’’(x) yields a representation of GF(2^3)
• constructing the isomorphism θ is not so immediate, though not really difficult
FIELD REPRESENTATION
• it is said that two irreducible polynomials G’(x), G’’(x), of identical degree, generate two DIFFERENT REPRESENTATIONS of the SAME FINITE EXTENSION FIELD
• the isomorphism function θ can be effectively determined, starting from G’(x), G’’(x)
• the function θ is actually a linear transformation
• an extension field admits as many different representations as the number of irreducible polynomials of identical degree
MORE NUMBER THEORY
EULER FUNCTION
• Euler function: ϕ: N → N
ϕ(1) = 1 by definition
ϕ(n) = k where k is the number of integers < n and co-prime with n (n ≥ 2)
(co-prime ⇔ sharing no common factor ≥ 2)
• examples:
ϕ(2) = 1 (1 is co-prime with 2)
ϕ(3) = 2 (1, 2 are co-prime with 3)
ϕ(4) = 2 (1, 3 are co-prime with 4)
ϕ(5) = 4 (1, …, 4 are co-prime with 5)
ϕ(6) = 2 (1, 5 are co-prime with 6)
ϕ(7) = 6 (1, …, 6 are co-prime with 7)
ϕ(8) = 4 (1, 3, 5, 7 are co-prime with 8)
…
ϕ(p) = p − 1 if and only if p is a prime integer
PROPERTIES OF ϕ
• Euler function ϕ is multiplicative:
if (m, n) = 1 then ϕ(m n) = ϕ(m) ϕ(n)
((m, n) = 1 means that m, n are co-prime)
• for instance: (2, 3) = 1, hence 2 = ϕ(6) = ϕ(2 × 3) = ϕ(2) ϕ(3) = 1 × 2 = 2
• in particular, if p, q are both prime, it holds: ϕ(p q) = ϕ(p) ϕ(q) = (p − 1) (q − 1) (this feature plays an important role in RSA)
• the multiplicative property does not hold if m, n are not co-prime
EULER THEOREM
• let a, n be any integers ≥ 2, if a and n are co-prime, it holds:
a^ϕ(n) = 1 mod n (L. Euler)
• for instance:
a = 9, n = 4 (a, n are co-prime), ϕ(4) = 2 ⇒ 9^2 = 81 = 1 mod 4 as expected to be
• Fermat is a special case of Euler, when n = p
• but Euler cannot be always used for finding inverse elements (while Fermat can be)
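The Euler function and Euler theorem of the last three slides as an added example (my code, not the slides'). ϕ is computed twice, once by the counting definition and once through its multiplicative property (ϕ(n) = n ∏(1 − 1/q) over the distinct prime factors q of n, a consequence of ϕ(q^e) = q^e − q^(e−1) and multiplicativity), and the two are compared; the last function spells out the practical difference with Fermat: a^(ϕ(n) − 1) is an inverse of a mod n, but it requires ϕ(n), i.e. the factorisation of n, which is what the RSA remark hinges on. Function names are mine:

```python
from math import gcd

def phi_by_counting(n):
    """The definition on the slide: count 1 <= a < n co-prime with n; phi(1) = 1."""
    if n == 1:
        return 1
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)

def phi_by_factoring(n):
    """phi(n) = n * prod(1 - 1/q) over the distinct primes q | n, found by
    trial division (fine for the small n of the slides)."""
    result, m, q = n, n, 2
    while q * q <= m:
        if m % q == 0:
            result -= result // q        # multiply by (1 - 1/q)
            while m % q == 0:
                m //= q
        q += 1
    if m > 1:                            # leftover prime factor
        result -= result // m
    return result

def euler_theorem_holds(a, n):
    """a^phi(n) = 1 mod n whenever gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, phi_by_factoring(n), n) == 1

def inverse_by_euler(a, n):
    """a^(phi(n) - 1) is an inverse of a mod n (for n = p prime this is the
    Fermat exponent p - 2). Only usable when phi(n), hence the factorisation
    of n, is known; that is the practical limit the slide points at."""
    if gcd(a, n) != 1:
        raise ValueError("no inverse: a and n are not co-prime")
    return pow(a, phi_by_factoring(n) - 1, n)

if __name__ == "__main__":
    print([phi_by_factoring(n) for n in range(1, 9)])    # [1, 1, 2, 2, 4, 2, 6, 4]
    print("9^phi(4) mod 4 =", pow(9, phi_by_factoring(4), 4))
```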
PRACTICAL ALGORITHMS (a short list)
RELEVANT ALGORITHMS
• computing Greatest Common Divisor (m, n) (Euclid Alg.)
• computing λ, µ s.t. (m, n) = λm + µn (Euclid Extended Alg.)
• computing Modular Inverse: m^(−1) mod n (application of Euclid Ext. Alg.)
• computing Modular Powers: a^e mod n (Square & Multiply Alg.)
• all alg.s are extensible to GF(2^n) and GF(p^n)
• and do not forget Polynomial Division !
• hints on Montgomery Multiplication Alg.
EUCLID G.C.D. ALG.
• let a, b ∈ Z be any two integers
• (a, b) = d Greatest Common Divisor of a, b
• Euclid algorithm for computing d:
input (a) input (b)
r0 = max (a, b)        // r0 : provisional g.c.d.
r1 = min (a, b)        // r1 : provisional remainder
do
  r’ = r0 mod r1       // r’ : compute new remainder
  r0 = r1              // r0 : new provisional g.c.d.
  r1 = r’              // r1 : new provisional remainder
while (r’ != 0)        // exit when null remainder
output (r0)
EUCLID ALG. – EXAMPLES
• a = b ⇒ (a, b) = a (or = b)
r0 = a   r1 = a
r’ = a mod a = 0   r0 = a   r1 = 0   (r’ == 0) exit
output (a)
• a = 9 b = 6 ⇒ (a, b) = 3
r0 = 9   r1 = 6
r’ = 9 mod 6 = 3   r0 = 6   r1 = 3   (r’ != 0) loop
r’ = 6 mod 3 = 0   r0 = 3   r1 = 0   (r’ == 0) exit
output (3)
EUCLID – WHY DOES IT WORK?
• r0 = a   r1 = b (supposing a > b)
• unrolling the loop:
r2 = r0 mod r1 ⇒ r0 = q1 r1 + r2 ⇒ gcd(r0, r1) = gcd(r1, r2)
r3 = r1 mod r2 ⇒ r1 = q2 r2 + r3 ⇒ gcd(r1, r2) = gcd(r2, r3)
…
r_m = r_(m−2) mod r_(m−1) ⇒ r_(m−2) = q_(m−1) r_(m−1) + r_m ⇒ gcd(r_(m−2), r_(m−1)) = gcd(r_(m−1), r_m)
0 = r_(m−1) mod r_m ⇒ r_(m−1) = q_m r_m + 0 ⇒ gcd(r_(m−1), r_m) = r_m
• note that, if x = sy + z with z < y, then gcd(x, y) = gcd(y, z)
• and note that, if x = sy, then gcd(x, y) = y
• hence, r_m is the g.c.d. of r0, r1
EXPRESSING THE G.C.D.
• theorem (Euclid): given any two integers m, n ∈ Z, it holds:
(m, n) = λm + µn (with λ, µ ∈ Z)
for two suited integers λ, µ (not unique)
• for instance:
(30, 18) = 6
(30, 18) = 2 × 30 + (−3) × 18
i.e., λ = 2 and µ = −3
EUCLID EXT. ALGORITHM
• nothing but a careful backtracking:
(9, 14) = 1
• apply Euclid G.C.D. Algorithm:
14 mod 9 = 5     14 = 1×9 + 5     5 = 14 − 1×9
9 mod 5 = 4      9 = 1×5 + 4      4 = 9 − 1×5
5 mod 4 = 1      5 = 1×4 + 1      1 = 5 − 1×4
4 mod 1 = 0      end
• and now backtrack the remainder chain:
1 = 5 − 1×4 = 5 − 1×(9 − 1×5) = (−1)×9 + 2×5 = (−1)×9 + 2×(14 − 1×9) = 2×14 − 3×9 = (−3×9) + 2×14
• that is, λ = −3, µ = 2
COMPUTING THE INVERSE
• let m, n ∈ Z be any two integers.
• theorem (Euclid, see before): (m, n) = λm + µn, for a pair of integers λ, µ ∈ Z
• if m, n are co-prime, then (m, n) = 1
• it follows λm + µn = 1
• then λm = 1 mod n, since µn = 0 mod n
• finally λ = m^(−1) mod n (λ is the inverse of m)
• use the Euclid Extended Algorithm for computing λ, µ, and hence for computing the inverse element m^(−1) mod n
INVERSION EXAMPLE
• suppose to compute:
9^(−1) mod 14 = ?
(∃ as 9, 14 are co-prime, i.e., (9, 14) = 1)
• applying Euclid Ext. Alg. yields:
(9, 14) = (−3) × 9 + 2 × 14 = 1 (as shown before)
• hence:
(−3)×9 + 2×14 = 1 mod 14 ⇒ (−3)×9 = 1 mod 14 ⇒ 11×9 = 1 mod 14 ⇒ 9^(−1) = 11 mod 14
• and in fact: 9 × 11 = 99 = 1 mod 14 (since 99 = 7 × 14 + 1)
COMPUTING THE INVERSE – EXTENSION TO POLYNOMIALS
• the Euclid Extended Algorithm works for polynomials as well
(A(x), B(x)) = L(x)A(x) + M(x)B(x) (theorem)
• consequence:
(A(x), B(x)) = 1 ⇒ L(x)A(x) + M(x)B(x) = 1 ⇒ L(x)A(x) = 1 mod B(x) ⇒ L(x) = A(x)^(−1) mod B(x)
• here, of course, all the operations are carried out on polynomials, taking care of the specific fields of the coefficients
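The Euclid g.c.d. loop, its extended form and the modular inverse of the preceding slides, as an added example that is not the slides' code. The g.c.d. function follows the slide's pseudocode literally; the extended version, instead of backtracking the remainder chain afterwards as the slide does by hand, carries every remainder along as a combination λm + µn (the same identities 5 = 14 − 1×9, 4 = 9 − 1×5, … are maintained step by step), which is how the algorithm is normally implemented. The polynomial variant of the last slide is obtained by replacing the integer divmod by the polynomial division of the earlier example; it is not repeated here. Function names are mine:

```python
def euclid_gcd(a, b):
    """The slide's loop: r0 = max, r1 = min, repeat r' = r0 mod r1 until r' = 0."""
    r0, r1 = max(a, b), min(a, b)
    if r1 == 0:                        # gcd(a, 0) = a; the slide assumes b > 0
        return r0
    while True:
        r = r0 % r1                    # new remainder
        r0, r1 = r1, r                 # new provisional gcd / remainder
        if r == 0:
            break
    return r0

def euclid_ext(m, n):
    """Returns (d, lam, mu) with d = gcd(m, n) = lam*m + mu*n.
    Each row (r, lam, mu) keeps the invariant r == lam*m + mu*n, so the
    backtracking of the slide happens as the divisions are performed."""
    old = (m, 1, 0)                    # m = 1*m + 0*n
    cur = (n, 0, 1)                    # n = 0*m + 1*n
    while cur[0] != 0:
        q = old[0] // cur[0]
        old, cur = cur, (old[0] - q * cur[0],
                         old[1] - q * cur[1],
                         old[2] - q * cur[2])
    d, lam, mu = old
    if d < 0:                          # keep d positive for negative inputs
        d, lam, mu = -d, -lam, -mu
    return d, lam, mu

def mod_inverse(m, n):
    """m^-1 mod n: the coefficient lam of m in lam*m + mu*n = 1, taken mod n."""
    d, lam, _ = euclid_ext(m, n)
    if d != 1:
        raise ValueError(f"{m} has no inverse mod {n}: gcd = {d}")
    return lam % n

if __name__ == "__main__":
    print("gcd(9, 6) =", euclid_gcd(9, 6))                  # 3
    print("(9, 14) = lam*9 + mu*14 ->", euclid_ext(9, 14))  # (1, -3, 2)
    print("9^-1 mod 14 =", mod_inverse(9, 14))              # 11
```

euclid_ext(9, 14) returns (1, −3, 2), the λ, µ found on the EUCLID EXT. ALGORITHM slide; for (30, 18) it returns 6 = (−1)×30 + 2×18 rather than the slide's 2×30 + (−3)×18, which illustrates that λ, µ are not unique. mod_inverse raises on non-co-prime inputs instead of returning a meaningless value.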
SQUARE & MULTIPLY ALG.
• frequently one has to compute:
a^e mod n
(e.g., for Fermat theorem) for a large exponent e and an integer a ∈ Zn
• code the exponent e as a binary number:
e = e_(k−1) 2^(k−1) + e_(k−2) 2^(k−2) + … + e_1 2 + e_0,
where k = log2 e and e_i ∈ {0, 1}
• note that if h = 2^m, then:
a^h mod n = (…(a)^2 mod n …)^2 mod n (m times)
(i.e., m nested modular squarings)
SQUARE & MULTIPLY ALG.
• now let be 0 ≤ i < k, pose: b_i = 2^i, and
a_i = a^(b_i) mod n if the bit e_i is = 1
a_i = 1 if the bit e_i is = 0
compute the a_i’s by nested mod. squarings
• then, it holds:
a^e mod n = ((…(a_(k−1) × a_(k−2)) mod n × … × a_1) mod n × a_0) mod n
• the computation of the above formula only requires k modular squarings and k modular multiplications, and k = log2 e (i.e., k is much smaller than e)
SQUARE & MULTIPLY ALG. – EXTENSION TO POLYNOMIALS
• the Square & Multiply algorithm extends to polynomials as well
• for computing:
F(x)^k for a large exponent k
express k as a binary number, and proceed as for integers
• here, of course, all squarings and multiplications are computed mod G(x), where G(x) is the field generator …
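Square & multiply in the slide's own formulation, as an added example (mine, not the slides'): a_i = a^(2^i) is produced by nested squarings and multiplied into the result only when the bit e_i is 1, and the function also counts the squarings and multiplications so the "k instead of e" cost claim can be checked on a large exponent. The multiplication is passed in as a callable, which is how the extension to polynomials of the last slide works in practice: hand it the field multiplication mod G(x) instead of the integer one. Function names are mine:

```python
def square_and_multiply(a, e, mul, one=1):
    """a^e using the slide's scheme. `mul` is the multiplication of the structure
    (integers mod n, or a field multiplication mod G(x)), `one` its identity.
    Returns (result, squarings, multiplications)."""
    if e < 0:
        raise ValueError("negative exponent")
    result, power = one, a                  # power runs through a_i = a^(2^i)
    squarings = multiplications = 0
    k = e.bit_length()
    for i in range(k):                      # i = 0 .. k-1, least significant bit first
        if e >> i & 1:                      # bit e_i = 1: include a_i in the product
            result = mul(result, power)
            multiplications += 1
        if i < k - 1:                       # a_(i+1) = (a_i)^2 by one more squaring
            power = mul(power, power)
            squarings += 1
    return result, squarings, multiplications

def mod_mul(n):
    """Integer multiplication mod n, for a in Z_n."""
    return lambda x, y: (x * y) % n

def naive_power(a, e, n):
    """e - 1 modular multiplications: the cost square & multiply avoids."""
    result = 1 % n
    for _ in range(e):
        result = (result * a) % n
    return result

if __name__ == "__main__":
    r, sq, mu = square_and_multiply(5, 1000003, mod_mul(1000007))
    print(r == pow(5, 1000003, 1000007), "squarings:", sq, "multiplications:", mu)
```

For e = 1000003 the call performs 19 squarings and 7 multiplications (the exponent has 20 bits, 7 of them set), against a million multiplications for the naive loop; the result agrees with Python's built-in pow.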
MONTGOMERY MULTIPLICATION
• a clever and efficient algorithm for computing modular multiplication
• is particularly efficient when working with numbers coded in base 2 (binary numbers)
• is based on the idea of performing reduction at each addition of a row of the matrix of the partial products
• see in textbooks …
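The bit-serial (radix-2) form of Montgomery multiplication the slide alludes to, as an added example; this is my code, written from the textbook algorithm, not material from the slides. Each bit of a adds one row a_i × b of the partial-product matrix, and that row is reduced at once: adding n whenever the running sum is odd makes it even, so halving it is an exact division by 2 modulo n and no trial division by n is ever needed. After k = number of bits of n rounds the result is a·b·R^(−1) mod n with R = 2^k, which is why operands are first moved into the "Montgomery domain" (multiplied by R) and the product moved back out. The function names and the sample modulus are mine:

```python
def mont_mul(a, b, n, k):
    """Radix-2 Montgomery product: returns a*b*R^-1 mod n, R = 2^k, for odd n
    with a, b < n < R. One row of partial products is added and reduced per bit."""
    if n % 2 == 0 or not (a < n and b < n and n < (1 << k)):
        raise ValueError("need odd n, a, b < n and n < 2^k")
    t = 0
    for i in range(k):
        if a >> i & 1:                  # row i of the partial-product matrix
            t += b
        if t & 1:                       # make t even: t + n == t (mod n)
            t += n
        t >>= 1                         # exact division by 2 (mod n)
    if t >= n:                          # t < 2n here; one conditional subtraction
        t -= n
    return t

def mont_mod_mul(a, b, n):
    """a*b mod n through the Montgomery domain: convert in, multiply, convert out.
    The conversions use an ordinary reduction; real implementations precompute
    R^2 mod n once and do them with mont_mul as well."""
    k = n.bit_length()
    R = 1 << k
    a_m, b_m = (a * R) % n, (b * R) % n     # a*R, b*R: the Montgomery forms
    prod_m = mont_mul(a_m, b_m, n, k)       # (aR)(bR)R^-1 = a*b*R mod n
    return mont_mul(prod_m, 1, n, k)        # (abR)*1*R^-1 = a*b mod n

if __name__ == "__main__":
    print(mont_mul(7, 9, 17, 5))             # 11 == 7*9*32^-1 mod 17
    print(mont_mod_mul(7, 9, 17), 7 * 9 % 17)
```

With n = 17 (5 bits, R = 32): 32^(−1) mod 17 = 8, so mont_mul(7, 9, 17, 5) = 63 × 8 mod 17 = 11, while the full in-and-out conversion returns 63 mod 17 = 12. The requirement that n be odd is structural (2 must be invertible mod n), which is why the method suits RSA and prime-field moduli but not even ones.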