Title: "There are those who are destined to be good, but never to experience it. I believe I am one of them."
Slide 1
 "There are those who are destined to be good,
but never to experience it. I believe I am one of
them." Evariste Galois (1811-1832)
Slide 2: Mathematical Background: A Revision
- Finite fields (FF)
- Required for understanding
  - AES
  - Elliptic Curve Cryptography
- To study FF, we shall revise the concepts of
  - groups, rings and fields from abstract algebra
  - modular arithmetic and the Euclidean algorithm
  - finite fields of the form GF(p), where p is a prime number
Slide 3: Group Theory: History
- Groups were first used by Evariste Galois (b. 1811, d. 1832) in his work, without defining a Group.
- Galois, a student of M. Vernier in 1827, was a contemporary of Cauchy, Poisson, Abel, Jacobi, Fourier, Gauss and Napoleon (ruled during 1800-1815).
- He failed to join the Ecole Polytechnique, though he appeared twice in the entrance tests.
- An ardent Republican, he was sent to prison twice by the King.
Slide 4: Quest for an Academy Award
- 1829: Galois (only 18 years old) submitted two papers to the Académie des Sciences for publication in its Memoirs. Cauchy was the referee for the papers.
- Galois read a posthumous paper of Abel and found that there was an overlap between his and Abel's work. So he consulted Cauchy. Cauchy (winner of the Grand Prix in 1816) advised him to rewrite it and submit it for the Grand Prix.
- Feb 1830: Galois submitted the modified paper to Fourier for the Grand Prix. Fourier died in April 1830 and the paper was lost. Abel and Jacobi got the Grand Prix prize.
Slide 5: Last Night
- 1831: Galois again submitted to the Académie des Sciences. Poisson was the reviewer. He did not understand the paper and rejected it.
- Night of 30 May 1832: injured in the duel with Perscheux d'Herbinville over the prison physician's daughter, named Stephanie-Felice du Motel; abandoned by both Perscheux and his seconds. A peasant took him to a hospital, where he died at the age of 21 in 1832.
- A story? An injured Galois wrote notes on the rejected paper: a night of furious writing by Galois.
Slide 6: First definitions
- Liouville, Galois's elder brother, copied his papers and sent them to Gauss, Jacobi and others.
- 14 years later:
  - 1846: Liouville got Galois' papers published.
  - 1845: Cauchy defined a "conjugate system of substitutions", another name for Groups. During 1845-46, he wrote 25 papers on it.
  - 1854: The first person to try to give an (not completely correct) abstract definition of a group: Cayley.
  - 1863: Jordan's commentary on Galois' paper, and his book, used the term GROUP.
Slide 7: Group Theory: the first modern book
- Walter Ledermann's book "Introduction to the Theory of Finite Groups", published by Oliver & Boyd in Edinburgh
- 1949 (when Ledermann was 38 years old, assistant lecturer at St Andrews)
- It was based on Schur's lectures on group theory.
Slide 8: Group Theory and communism
- Ledermann wrote it in the British Museum Library (sitting in the same chair where Karl Marx wrote Das Kapital).
- Ledermann came for a lecture on Group Theory at the University of Notre Dame in the United States; the parcel of books was stopped by US Customs, who mistook it for a book on Communist groups, till the Head of Dept of Notre Dame personally spoke to Customs.
Slide 9: A note on types of numbers
- Positive integers and Integers
- Rational numbers: A rational number is any number that can be written as a ratio of two integers. Reference 1: http://bing.search.sympatico.ca/?q=difference%20between%20a%20real%20number%20and%20a%20rational%20number&mkt=en-ca&setLang=en-CA
  - Examples: integers, fractions, mixed numbers, and decimals, together with their negative images.
- Examples of irrational numbers: √2, √3, √5, pi (π), e
  - π: a mathematical constant whose value is the ratio of any circle's circumference to its diameter: 3.14159265358979323846264338327950288419716939937510
  - e: base of the natural logarithm, known as Napier's constant; the symbol honors Euler: 2.718281828459045235360287471352662497757. e is the unique number with the property that the area of the region bounded by the hyperbola y = 1/x, the x-axis, and the vertical lines x = 1 and x = e is 1. In other words, ∫₁^e (dx/x) = ln e = 1.

Slide 10: A note on types of numbers (2)
- Real numbers
  - Any number that can be found on the number line
  - a number required to label any point on the number line
  - a number whose absolute value names the distance of any point from 0
  - both rational and irrational numbers
- Between any two rational numbers on the number line there is an irrational number. [1]
- Between any two irrational numbers there is a rational number. [1]
Slide 11: A note on types of numbers (3)
- Complex numbers. Example: x + i y, where x and y are real numbers and i = √(-1).
- The field of complex numbers includes the field of real numbers as a subfield.
- References: (i) http://www.themathpage.com/aPreCalc/rational-irrational-numbers.htm (ii) http://mathworld.wolfram.com/ComplexNumber.html
Slide 12: Group
- DEFINITION
  - a set of elements or numbers
  - with some operation whose result is also in the set (closure)
    (The operation is shown through the symbol "." in the examples below.)
  - obeys the associative law: (a.b).c = a.(b.c)
  - has an identity element e so that for all a ∈ G, e.a = a.e = a
  - for each a ∈ G, there exists an inverse element a^-1 ∈ G such that a.a^-1 = e
Slide 13: Example of a group
- Example 1: N = a set of n distinct symbols {1, 2, ..., n}
  - S = the set of all permutations of the n symbols
  - S is a Group under the operation of composition of permutations.
- Prove:
  - Closure
  - Associativity
  - Existence of an identity element as a member of the group
  - Existence of an inverse for every member of the Group
- A Finite Group: if the number of members of the group is finite.
- An Infinite Group: otherwise.
Slide 14: Abelian Group
- If, in addition to the three properties stated in slide 2, the property of commutation is satisfied, G is said to be an abelian group.
- Commutative: if for all a, b ∈ G, a.b = b.a
- Example 2: Prove that S, as defined in Example 1, is not an Abelian group.
- Example 3: Prove that the set of integers (positive, negative and zero) is an Abelian group under addition. Hint: identity element 0; inverse element of X is -X.
Slide 15: Some Definitions and the definition of a Cyclic Group
- Exponentiation: defined as repeated application of an operator. Example: a^3 = a.a.a
- Identity element: e = a^0
- If a' is the inverse of a, then a^-n = (a')^n
- A Group is cyclic if every member of the Group is generated by a single element a (called the Generator) through exponentiation. a is a member of the Group.
- A cyclic group is Abelian.
Slide 16: Cyclic Group (continued)
- Cyclic group: b = a^k
  - For some integer value of k, b should stand for every member of the Group.
- A cyclic Group may be finite or infinite.
- Subgroups of a cyclic group are also cyclic.
- A cyclic group may have more than one generator element.
- Example 4a: The group of integers, under the operation of addition, is a cyclic group. Both 1 and -1 are generators.
Slide 17: Cyclic Groups of Finite Group Order
- A cyclic group of finite group order n is denoted as C_n, with a generator element a and an identity element e such that e = a^n.
- The operations of such a group may be defined mod n.
- Example 4b: Z_n is a finite cyclic group of integers {0, 1, 2, ..., (n-1)}, under the operation of addition mod n, with a generator element of 1 and an identity element of 0.
Slide 18: Generator of a Field
- GENERATOR: an element whose successive powers take on every element of the field except the zero.
- For prime number fields: a = g^j mod p
- Not every element of a field is a generator.
- For every 0 < j ≤ (p-1), a different element is obtained.
- ORDER of a generator element: the smallest exponent j (< p) that gets the identity element: g^j mod p = 1

Slide 19: Example of a generator and order
- Example 1: Modulo 13
  - 4 and 5 are NOT generator elements.
  - a = 2 is a generator element.
  - Its order is 12.

  exponent b:    1  2  3  4  5   6   7  8  9  10  11  12
  a^b mod 13:    2  4  8  3  6  12  11  9  5  10   7   1
Slide 20: Another example of a generator and order
- Example 2: Modulo 11: 2, 6, 7 and 8 are examples of generator elements.
- Order of 2, 6, 7 and 8: 10.
Slide 21: Ring
- Consider a set of numbers with two binary operations, called addition and multiplication.
- If the set constitutes an Abelian group with the addition operation, and, with the multiplication operation, the set
  - has closure: for a, b ∈ G, a.b ∈ G
  - is associative: for a, b, c ∈ G, (a.b).c = a.(b.c)
  - is distributive over addition: a.(b + c) = a.b + a.c
  then the set constitutes a Ring.
- In a Ring, we can do multiplication, addition and subtraction without leaving the Ring.
Slide 22: Commutative Ring
- Ex 5: The set of all square matrices is a Ring over addition and multiplication.
- For a Ring, if the multiplication operation is commutative, the set forms a commutative ring.
- Examples
  - Ex 6: The set of matrices of Ex 5 is NOT a commutative Ring.
  - Ex 7: The set S2 of even integers (positive, negative and 0), under the operations of addition and multiplication, is a Commutative Ring.
Slide 23: Integral Domain
- A commutative ring R is said to constitute an Integral Domain if
  - the multiplication operation has an identity: a.1 = 1.a = a for all a ∈ R, and
  - for a, b ∈ R, if a.b = 0, then either a = 0 or b = 0.
- Ex 8: S3, the set of integers (positive, negative and 0), under the operations of addition and multiplication is an Integral Domain.
Slide 24: Field
- A Field: a set of elements F, with two binary operations, called addition and multiplication, such that
  - F is an Integral Domain, and
  - for each a ∈ F, except 0, there is an element a^-1 in F such that a.a^-1 = a^-1.a = 1 (existence of multiplicative inverse).
Slide 25: Field (continued)
- Thus in a Field, we can do addition, subtraction, multiplication and division without leaving the set.
- Ex 9: The set of all integers S3 is not a Field.
- Ex 10: The following are Fields:
  - The set of rational numbers
  - The set of real numbers
  - The set of complex numbers.
- All of the above examples of Fields have an infinite number of elements. We shall see that Fields can be finite also.
Slide 26: Group, Ring and Field
  Axiom                                     Structure obtained once this axiom is added
  A1  Closure under addition
  A2  Associativity of addition
  A3  Additive identity
  A4  Additive inverse                      Group
  A5  Commutativity of addition             Abelian Group
  M1  Closure under multiplication
  M2  Associativity of multiplication
  M3  Distributive laws                     Ring
  M4  Commutativity of multiplication       Commutative Ring
  M5  Multiplicative identity
  M6  No zero divisors                      Integral Domain
  M7  Multiplicative inverse                Field
Slide 27: Mathematical properties (1)
- A1: If a and b belong to S, then a + b is also in S
- A2: a + (b + c) = (a + b) + c for all a, b, c in S
- A3: There is an element 0 in S such that a + 0 = 0 + a = a for all a in S
- A4: For each a in S there is an element -a in S such that a + (-a) = (-a) + a = 0
- A5: a + b = b + a for all a, b in S
- M1: If a and b belong to S, then ab is also in S
- M2: a(bc) = (ab)c for all a, b, c in S
Slide 28: Mathematical properties (2)
- M3: a(b + c) = ab + ac for all a, b, c in S; (a + b)c = ac + bc for all a, b, c in S
- M4: ab = ba for all a, b in S
- M5: There is an element 1 in S such that a1 = 1a = a for all a in S
- M6: If a, b in S and ab = 0, then either a = 0 or b = 0
- M7: If a belongs to S and a ≠ 0, there is an element a^-1 in S such that a.a^-1 = a^-1.a = 1
Slide 29: Agenda
- After defining Rings and Fields:
  - Modular arithmetic
  - Divisors, GCD, Euclid's theorem
  - Prime numbers
  - Fields of type Z_p
  - Finite Fields, Extended Euclid's Theorem for finding the multiplicative inverse
  - Polynomial arithmetic
Slide 30: Modular Arithmetic: Definitions
- Modulo operator: a mod n = b, where b is the remainder when a is divided by n. b is called the residue of a mod n.
- a = q.n + b, 0 ≤ b < n, q = ⌊a/n⌋, where ⌊x⌋ is the largest integer less than or equal to x.
- Example 13: a = (b + c) mod 8
  - In the next slide, b is the element given in the first column (outside the box). c is the element given in the top row (outside the box). The values of a are given in the box.
Slide 31: Modulo 8 Example (table of a = (b + c) mod 8 for b, c = 0 .. 7; the table itself is not reproduced here)
Slide 32: Congruence mod n
- If a mod n = b mod n, a and b are said to be congruent mod n.
- The above statement may be written as a ≡ b (mod n).
- Reducing k modulo n: the process of finding the smallest non-negative integer to which k is congruent.
Slide 33: Modular Arithmetic: A Revision (continued)
- Modular Arithmetic: a = q.n + r
  (number-line sketch: for a ≥ 0 the marks are 0, 1.n, 2.n, ..., q.n, a, (q+1).n, and r is the distance from q.n to a;
   for a < 0 the marks are ..., -3.n, -2.n, -n, 0 with q.n ≤ a < (q+1).n, and again r = a - q.n with 0 ≤ r < n)
- Thus 11 = 1.7 + 4 ⇒ r = 4 = 11 mod 7
- -11 = -2.7 + 3 ⇒ r = 3 = -11 mod 7
Slide 34: (-k) mod m
- 11 mod 7 = 4
- (-11) mod 7 = 3
- In general, if r = k mod m, then (-k) mod m = m - r if r ≠ 0, but (-k) mod m = 0 if r = 0.
- i.e. k mod m may or may not be equal to (-k) mod m.
- r = k mod m = k mod (-m) = k mod (|m|)
Slide 35: Reducing k modulo 7
Example 12
   ...
   -21 -20 -19 -18 -17 -16 -15
   -14 -13 -12 -11 -10  -9  -8
    -7  -6  -5  -4  -3  -2  -1
     0   1   2   3   4   5   6    <- reduced values
     7   8   9  10  11  12  13
    14  15  16  17  18  19  20
    21  22  23  24  25  26  27
    28  29  30  31  32  33  34
   ...
- All the elements in a column are congruent mod 7.
- {..., -21, -14, -7, 0, 7, 14, ...} is called a Residue Class. (Every column constitutes a Residue Class.)
- The smallest non-negative integer of the class (the "reduced values" row) is used to represent the class.
Slide 36: Modular Arithmetic
- [(a mod n) + (b mod n)] mod n = (a + b) mod n
- [(a mod n) - (b mod n)] mod n = (a - b) mod n
- [(a mod n) x (b mod n)] mod n = (a x b) mod n
- Ex 14 (of exponentiation): to evaluate 12^11 mod 7
  - 12^2 mod 7 = 4; 12^8 mod 7 = 4^4 mod 7 = 4
  - 12 x 12^2 x 12^8 mod 7 = 5 x 4 x 4 mod 7 = 3
Slide 37
 "Note that the positions of primes constitute just about the most fundamental, inarguable, non-trivial information available to our consciousness. This transcends history, culture, and opinion. It would appear to exist 'outside' space and time and yet to be accessible to any consciousness with some sense of repetition, rhythm, or counting."
Matthew R. Watkins, School of Mathematical Sciences at Exeter University, UK, http://www.maths.ex.ac.uk/~mwatkins/zeta/ssb.htm, as of November 3, 2007

Slide 38: Modular Arithmetic: Additive and multiplicative inverses
- Additive inverse: Let c be the inverse of a. Then a + c ≡ 0 mod n.
  - Example 15: Additive inverse of 5 mod 8: 5 + c ≡ 0 mod 8. Therefore c = 3.
- Multiplicative inverse: Let c be the inverse of a. Then a x c ≡ 1 mod n.
  - Example 16: Multiplicative inverse of 5 mod 8: 5 x c ≡ 1 mod 8. Therefore c = 5, 13, ...
Slide 39: Relatively Prime Numbers
- Two integers are said to be relatively prime if their only common positive integer factor is 1.
- In Example 16, 5 and 8 are relatively prime.
- Consider the case where a and n have a common factor other than 1 (i.e. the case where a and n are not relatively prime).
Slide 40: Multiplicative Inverse (continued)
- Example 17: a = 6, n = 8: 6.c ≡ 1 mod 8
- No value of c that satisfies the above can be found.
- In general, an integer has a multiplicative inverse in Z_n if that integer is relatively prime to n.
Slide 41: Inverses for modulo 8
  a   Additive inverse of a   Multiplicative inverse of a
  0   0                       (none)
  1   7                       1
  2   6                       (none)
  3   5                       3
  4   4                       (none)
  5   3                       5
  6   2                       (none)
  7   1                       7
Slide 42: Multiplicative Inverse: Table 2
  a   6.a mod 8   5.a mod 8
  0   0           0
  1   6           5
  2   4           2
  3   2           7
  4   0           4
  5   6           1
  6   4           6
  7   2           3
  a = 5 is the multiplicative inverse of 5 mod 8.
Slide 43: Multiplicative Inverse: Table 2 (continued)
  a   6.a mod 8   5.a mod 8
  8   0           0
  9   6           5
  10  4           2
  11  2           7
  12  0           4
  13  6           1
  14  4           6
  15  2           3
  a = 13 is the multiplicative inverse of 5 mod 8.
Slide 44: Multiplicative Inverse
- Let c be the multiplicative inverse of b mod n.
- b.c ≡ 1 mod n, i.e. b.c = k.n + 1
- Therefore b.(c + n) = (k + b).n + 1 = k1.n + 1
- Thus c, c + n, c + 2n, ... are all multiplicative inverses of b. However, for a field Z_p, with members 0, 1, 2, 3, ..., (p-1), the smallest positive number would be said to be the Multiplicative Inverse.
Slide 45: Some properties of the modulo operator
- Some peculiarities:
  - if (a + b) ≡ (a + c) mod n, then b ≡ c mod n
  - but if (a.b) ≡ (a.c) mod n, then b ≡ c mod n only if a is relatively prime to n
- Proof
  - Given (a + b) ≡ (a + c) mod n
  - Add -a (the additive inverse of a) to both sides: -a + a + b ≡ -a + a + c mod n
  - b ≡ c mod n

Slide 46: Properties of the modulo operator: Proof
- Proof
  - Given (a x b) ≡ (a x c) mod n
  - Multiply with a^-1 (the multiplicative inverse of a) on both sides: a^-1 (a x b) ≡ a^-1 (a x c) mod n
  - b ≡ c mod n
- REVISION: However, the multiplicative inverse of a exists only if a and n are relatively prime.
- a ≡ b mod n if n | (a - b)
Slide 47: Agenda
- After studying examples of modular arithmetic:
  - Modular arithmetic
  - Divisors, GCD, Euclid's theorem
  - Prime numbers
  - Fields of type Z_p
  - Finite Fields, Extended Euclid's Theorem for finding the multiplicative inverse
  - Polynomial arithmetic
Slide 48: Divisors
- If for some m, a = m.b (a, b, m all integers), that is, b divides into a with no remainder, denote this as b | a and say that b is a divisor of a.
- e.g. all of 1, 2, 3, 4, 6, 8, 12, 24 are the divisors of 24.
Slide 49: Properties of Divisors
- If a | 1, then a = ±1.
- If a | b and b | a, then a = ±b.
- Any b ≠ 0 divides 0.
- If b | g and b | h, then b | (mg + nh) for arbitrary integers m and n.
Slide 50: Greatest Common Divisor
- gcd(a, b) = max k such that k | a and k | b
- Properties
  1. gcd is required to be positive: gcd(a, b) = gcd(a, -b) = gcd(-a, b) = gcd(-a, -b) = gcd(|a|, |b|)
  2. gcd(a, 0) = |a|
  3. If gcd(a, b) = 1, a and b are relatively prime.

Slide 51: Properties of the gcd function (contd)
- Assume that a > b.
  4. gcd(a, b) = gcd(b, a mod b), called a Theorem on the next slide
- Proof
  - Let d = gcd(a, b). Then d | a and d | b (i.e. a = k1.d and b = k2.d).
  - If (a mod b) = r, then a = k.b + r, or r = a - k.b = k1.d - k.k2.d = d.(k1 - k.k2).
  - This proves d | r.
- Thus (4) can be used repetitively to find d.
Slide 52: Greatest Common Divisor: 2 definitions
- c = gcd(a, b) is the largest number that divides evenly into both a and b, e.g. gcd(60, 24) = 12
- Positive integer c is the gcd of two positive integers a and b if
  - c is a divisor of a and b, and
  - any divisor of a and b is a divisor of c.
- Theorem: gcd(a, b) = gcd(b, a mod b)
- The RHS may be a simpler function if a > b.
Slide 53: Euclid's algorithm
- Stated in his book Elements, written in 300 BC. Historians believe that the algorithm was devised 200 years earlier.
- An efficient way to find gcd(a, b).
- Derived from the observation: if a and b have a common factor d (i.e. a = m.d, b = n.d), then d is also a factor in any difference between them: a - p.b = (m.d) - p.(n.d) = d.(m - p.n).
- Uses successive instances of the theorem gcd(a, b) = gcd(b, a mod b).
- Note: This MUST always terminate by giving the gcd, since eventually we get a mod b = 0 (no remainder).
Slide 54: Euclid's GCD Algorithm
- Euclid's Algorithm to compute gcd(a, b):
    A ← a, B ← b
    while B > 0
        R = A mod B
        A ← B, B ← R
    return A = gcd(a, b)
- The example on the next slide uses Euclid's algorithm.
- Even more useful: the Extended Euclid's Algorithm, used for finding the multiplicative inverse.
Slide 55: Example: GCD(1970, 1066)
  1970 = 1 x 1066 + 904    gcd(1066, 904)
  1066 = 1 x 904 + 162     gcd(904, 162)
  904 = 5 x 162 + 94       gcd(162, 94)
  162 = 1 x 94 + 68        gcd(94, 68)
  94 = 1 x 68 + 26         gcd(68, 26)
  68 = 2 x 26 + 16         gcd(26, 16)
  26 = 1 x 16 + 10         gcd(16, 10)
  16 = 1 x 10 + 6          gcd(10, 6)
  10 = 1 x 6 + 4           gcd(6, 4)
  6 = 1 x 4 + 2            gcd(4, 2)
  4 = 2 x 2 + 0            gcd(2, 0)
  Hence gcd(1970, 1066) = 2
Slide 56: Agenda
- After Euclid's theorem:
  - Modular arithmetic
  - Divisors, GCD, Euclid's theorem
  - Prime numbers
  - Fields of type Z_p
  - Finite Fields, Extended Euclid's Theorem for finding the multiplicative inverse
  - Polynomial arithmetic
Slide 57: Prime Numbers
- A prime number p: an integer whose only integer factors are itself and 1.
- Aug 6, 2002: Manindra Agrawal, Neeraj Kayal, Nitin Saxena of IIT Kanpur. Theorem: There is a deterministic polynomial-time algorithm for determining whether a number is a prime or a composite.
- Odd Primes: all prime numbers except 2
- The magical prime 2, used in cryptography
Slide 58: Prime Numbers: sequence. Reference: http://www.maths.ex.ac.uk/~mwatkins/zeta/ssb.htm
(graph not reproduced) Here the sequence of primes is presented graphically in terms of a step function or counting function, which is traditionally denoted as π(x). (Note: this has nothing to do with the value 3.14159...) The height of the graph at horizontal position x indicates the number of primes less than or equal to x. Hence at each prime value of x, we see a vertical jump of one unit.
Slide 59: Prime Numbers: sequence. Reference: http://www.maths.ex.ac.uk/~mwatkins/zeta/sse.htm
(graph not reproduced) Now zooming out by a factor of 2500, we get the above graph. Senior Max Planck Institute mathematician Don Zagier, in his article "The first 50 million primes", Mathematical Intelligencer, 0 (1977) 1-19, states: "For me, the smoothness with which this curve climbs is one of the most astonishing facts in mathematics."
Slide 60: Prime Number Factors of a number
- Unique factors of any integer a > 1: a = ∏ p^(a_p), where P is the set of prime numbers, p ∈ P, and a_p is the degree (exponent) of p.
- c = a.b ⇒ c_p = a_p + b_p for all p.
- Ex: 33033 = 3 x 7 x 11^2 x 13; 85833 = 3 x 3 x 3 x 11 x 17^2
  - c_3 = 3 + 1 = 4, c_7 = 1, c_11 = 2 + 1 = 3, c_13 = 1, c_17 = 2
  - gcd(33033, 85833) = 3 x 11 = 33
- d | b ⇒ d_p ≤ b_p for all p. Thus if d = 143, 143 | 33033.
- Calculating the prime factors of a large number is a difficult task. So prime number factorization is NOT used for evaluation of a.b or of the greatest common divisor (gcd) of a and b.
Slide 61: Agenda
- After discussing prime numbers:
  - Modular arithmetic
  - Divisors, GCD, Euclid's theorem
  - Prime numbers
  - Fields of type Z_p
  - Finite Fields, Extended Euclid's Theorem for finding the multiplicative inverse
  - Polynomial arithmetic
    - with coefficients obeying modulo n arithmetic
    - with modulo m(x) and with coefficients obeying modulo n arithmetic
Slide 62: Modular Arithmetic
- Consider the set of non-negative integers Z_p = {0, 1, 2, 3, ..., (p-1)}.
- Each element of Z_p represents a residue class modulo p, where p is a prime number.
- Properties of Modular Arithmetic for integers in Z_p are given in Table 4.2 (Stallings, 4th Ed.).
Slide 63: Table 4.2. Reference: Page 105, Stallings, 4th Edition
  Property                        Expressions
  Commutative laws                (w + x) mod p = (x + w) mod p;  (w.x) mod p = (x.w) mod p
  Associative laws                [(w + x) + y] mod p = [w + (x + y)] mod p;  [(w.x).y] mod p = [w.(x.y)] mod p
  Distributive laws               [w.(x + y)] mod p = [(w.x) + (w.y)] mod p
  Identities                      (0 + w) mod p = w mod p;  (1.w) mod p = w mod p
  Additive inverse (-w)           For each w ∈ Z_p, there exists a z such that w + z ≡ 0 mod p
  Multiplicative inverse (w^-1)   For each w ∈ Z_p, w ≠ 0, there exists a z such that w.z ≡ 1 mod p
Slide 64: Agenda
- After discussing Fields of type Z_p:
  - Modular arithmetic
  - Divisors, GCD, Euclid's theorem
  - Prime numbers
  - Fields of type Z_p
  - Finite Fields, Extended Euclid's Theorem for finding the multiplicative inverse
  - Polynomial arithmetic
Slide 65: Order of a Finite Field
- Order of a Finite Field: the number of elements in the field.
- For Z_p = {0, 1, 2, 3, ..., (p-1)}: Order = p
Slide 66: Galois Fields
- Galois Field GF(p^n): a finite field of order p^n.
- For p any prime integer and n any integer greater than or equal to 1, there is a unique field with p^n elements, denoted by GF(p^n).
- Unique: any two fields with the same number of elements must be essentially the same, except perhaps for giving the elements of the field different names. An interesting fact.
Slide 67: Galois fields of interest in cryptography
- GF(p)
- GF(2^n)
- Let us first consider GF(p): GF(p) = {0, 1, 2, ..., (p-1)}, with arithmetic operations modulo p.
Slide 68: Galois Fields GF(p): Some Properties
- Every non-zero element in GF(p) is relatively prime to p
  ⇒ every such element has a multiplicative inverse
  ⇒ hence GF(p) is a Field.
- CHARACTERISTIC of a Field: the number of times the multiplicative identity can be added to itself before you get to zero.
- For GF(p), Characteristic = the number of elements in the field = p.
- A Field of characteristic p: F_p
Slide 69: Multiplicative Inverse Algorithm
- Finding the multiplicative inverse of b, such that b.b^-1 ≡ 1, given that b < m.
- Extended Euclid(m, b) Algorithm: to find c such that c.b ≡ 1 mod m.
Slide 70: Finding Inverses for m >> b
- EXTENDED EUCLID(m, b) ALGORITHM
  1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)
  2. if B3 = 0, return A3 = gcd(m, b); no inverse
  3. if B3 = 1, return B3 = gcd(m, b) and B2 = b^-1 mod m, i.e. B2 is the multiplicative inverse of b
  4. Q = ⌊A3/B3⌋
  5. (T1, T2, T3) ← (A1 - Q.B1, A2 - Q.B2, A3 - Q.B3)
  6. (A1, A2, A3) ← (B1, B2, B3)
  7. (B1, B2, B3) ← (T1, T2, T3)
  8. goto 2
Slide 71: Example: Inverse of 550 in GF(1759)
(table of Q and of the (A1, A2, A3), (B1, B2, B3) and (T1, T2, T3) values per iteration not reproduced)
Hence 355 is the multiplicative inverse of 550 mod 1759. If B2 comes out -ve, subtract its magnitude from m to get the answer.
Slide 72: Finite Field GF(2)
  A  B  A+B  A-B  A.B
  0  0   0    0    0
  0  1   1    1    0
  1  0   1    1    0
  1  1   0    0    1
- Thus in GF(2), a + b = a - b is an XOR operation, and a.b is an AND operation.
Slide 73: Agenda
- Polynomial arithmetic
  - (Ordinary polynomial algebra is of no interest in cryptography.)
  - with coefficients obeying modulo n arithmetic
  - Prime polynomials and polynomial gcd
  - with modulo m(x) and with coefficients obeying modulo n arithmetic
Slide 74: Polynomial Arithmetic
- Consider a polynomial of degree n with coefficients a_n, ..., a_1, a_0.
- A zeroth degree polynomial is a constant polynomial.
- An nth degree polynomial is called a MONIC polynomial if a_n = 1.
- Several alternatives are available:
  - ordinary polynomial arithmetic: not used in cryptography
  - polynomial arithmetic with coefficient arithmetic mod p: called a polynomial basis over a finite field
  - polynomial arithmetic with coefficients mod p and polynomials mod M(x)
Slide 75: A Revision: Group, Ring and Field
  Axiom                                     Structure obtained once this axiom is added
  A1  Closure under addition
  A2  Associativity of addition
  A3  Additive identity
  A4  Additive inverse                      Group
  A5  Commutativity of addition             Abelian Group
  M1  Closure under multiplication
  M2  Associativity of multiplication
  M3  Distributive laws                     Ring
  M4  Commutativity of multiplication       Commutative Ring
  M5  Multiplicative identity
  M6  No zero divisors                      Integral Domain
  M7  Multiplicative inverse                Field
Slide 76: Polynomial Arithmetic with Modulo Coefficients
- Polynomial arithmetic is based on the fact that powers of x are linearly independent.
- Let the coefficients be elements of a Field GF(p).
- The set of such polynomials forms a polynomial ring.
- Difference between a Field and a Ring: consider two elements a and b.
  - Field: a/b = a.b^-1 is also an element of the field.
  - Ring (that is not a Field): b^-1 may not exist as an element of the Ring (a/b may not result in an exact division).
- Even if the coefficients are the elements of a Field, the division of polynomials may leave a remainder.
Slide 77: Polynomials over GF(2)
- In cryptography, we are interested in mod 2:
  - all coefficients are 0 or 1
  - the coefficients use modulo 2 arithmetic
- EXAMPLE: f(x) = x^3 + x^2 and g(x) = x^2 + x + 1
- ADDITION: f(x) + g(x) = x^3 + x + 1 (addition of polynomials requires XOR of the coefficients)
- MULTIPLICATION
  - multiplication of g(x) with x^3: x^5 + x^4 + x^3
  - multiplication of g(x) with x^2: x^4 + x^3 + x^2
  - f(x).g(x) = x^5 + x^2
Slide 78: Polynomials over GF(2): Multiplication and Addition
- f(x) = 1100
- g(x) = 0111
- Addition: the XOR process yields 1011
- Multiplication: uses shifting and XOR
  - multiplication of g(x) with x^3: 111000 (left shift by 3)
  - multiplication of g(x) with x^2: 011100 (left shift by 2)
  - f(x).g(x) = 100100
Slide 79: Agenda
- Polynomial arithmetic
  - (Ordinary polynomial algebra is of no interest in cryptography.)
  - with coefficients obeying modulo n arithmetic
  - Prime polynomials and polynomial gcd
  - with modulo m(x) and with coefficients obeying modulo n arithmetic
Slide 80: Modulo m(x): A preliminary view
- Multiplication increases the degree of the resultant polynomial.
- To ensure that the degree remains the same, we may consider (f(x).g(x)) mod m(x).
- If a(x) = f(x).g(x) and a(x) = q(x).m(x) + r(x), then (f(x).g(x)) mod m(x) may be said to be equal to r(x).
- The degree of r(x) < that of m(x).
Slide 81: A Prime Polynomial
- We can write any polynomial in the form a(x) = q(x).m(x) + r(x).
- If the remainder is zero, m(x) divides a(x).
- If f(x), over a Field F, has no divisors other than itself and 1, it is called an irreducible (or prime) polynomial.
- Another definition: f(x), over a Field F, is irreducible iff f(x) cannot be expressed as a product of two polynomials, both of degree lower than that of f(x).
Slide 82: Polynomial GCD
- Definition: c(x) is the greatest common divisor of a(x) and b(x) if
  - c(x) divides both a(x) and b(x), and
  - any divisor of a(x) and b(x) is a divisor of c(x).
- Euclid's Algorithm to find the polynomial gcd is based on gcd[a(x), b(x)] = gcd[b(x), a(x) mod b(x)], with the assumption that the degree of a(x) > the degree of b(x).
Slide 83: Euclid's Algorithm to find gcd[a(x), b(x)]
- Similar to the Extended Euclid(m, b) Algorithm.
- gcd[a(x), b(x)]: assume the degree of a(x) > the degree of b(x).
  1. A(x) ← a(x); B(x) ← b(x)
  2. if B(x) = 0, return A(x) = gcd[a(x), b(x)]
  3. R(x) = A(x) mod B(x)
  4. A(x) ← B(x)
  5. B(x) ← R(x)
  6. goto 2
Slide 84: Euclid's Algorithm to find gcd[a(x), b(x)]: An Example
- Given a(x) = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1 and b(x) = x^4 + x^2 + x + 1
- Euclid's Algorithm (one column per iteration):
  A:  x^6 + x^5 + x^4 + x^3 + x^2 + x + 1   x^4 + x^2 + x + 1   x^3 + x^2 + 1
  B:  x^4 + x^2 + x + 1                     x^3 + x^2 + 1       0
  R:  x^3 + x^2 + 1                         0
  Q:  x^2 + x                               x + 1
- gcd[a(x), b(x)] = A(x) = x^3 + x^2 + 1
Slide 85: Agenda
- Polynomial arithmetic
  - (Ordinary polynomial algebra is of no interest in cryptography.)
  - with coefficients obeying modulo n arithmetic
  - Prime polynomials and polynomial gcd
  - with modulo m(x) and with coefficients obeying modulo n arithmetic
Slide 86: Polynomials over GF(2)
- Polynomial arithmetic modulo an irreducible polynomial forms a Field.
- By analogy with the modulo operations studied earlier, if a and b are relatively prime, the multiplicative inverse exists.
- We shall look at an extended Euclid algorithm to evaluate the multiplicative inverse of a(x) modulo b(x), where b(x) is an irreducible polynomial.
- On the coefficients, the arithmetic is modulo 2.
Slide 87: Extracts from earlier slides
- If a mod 7 = b mod 7, a and b are said to be congruent mod 7.
- {..., -21, -14, -7, 0, 7, 14, ...} is called a Residue Class mod 7.
- The smallest non-negative integer of the class is used to represent the class.
- To find the smallest non-negative integer to which k is congruent is called reducing k modulo n.
- Z_p = {0, 1, 2, 3, ..., (p-1)}
- Each element of Z_p represents a residue class modulo p, where p is a prime number.
Slide 88: Set of Residues modulo m(x)
- m(x): an nth degree polynomial
- Example: the residue class (x + 1), modulo m(x), consists of all polynomials a(x) such that a(x) ≡ (x + 1) mod m(x), or all the polynomials which satisfy a(x) mod m(x) = x + 1.
- For m(x) = x^3 + x + 1, one possible value of a(x) is x^4 + x^2 + 1.

Slide 89: GF(p^n) with an irreducible polynomial b(x)
- Set of residues consisting of p^n elements.
- Each of these elements is represented by one of the p^n polynomials of degree m < n.
- Example: GF(2^3) with an irreducible polynomial b(x) = x^3 + x + 1. The set of residues is {0, 1, x, (x + 1), x^2, (x^2 + 1), (x^2 + x), (x^2 + x + 1)}.

- Finding the multiplicative inverse of b(x) modulo m(x): assume degree of b(x) < degree of m(x) and gcd[m(x), b(x)] = 1.
Slide 90: 2^3 elements of the finite polynomial field GF(2^3)
  Decimal number  Binary number  Polynomial
  0               000            0
  1               001            1
  2               010            x
  3               011            x + 1
  4               100            x^2
  5               101            x^2 + 1
  6               110            x^2 + x
  7               111            x^2 + x + 1
- Choose m(x) = x^3 + x + 1 as the irreducible polynomial.
Slide 91: Example GF(2^3) (table not reproduced)
Slide 92: Multiplicative Inverse: a(x).b(x) mod (x^3 + x + 1) = 1
  a(x)           b(x) = a^-1(x)
  x              x^2 + 1
  x + 1          x^2 + x
  x^2            x^2 + x + 1
  x^2 + 1        x
  x^2 + x        x + 1
  x^2 + x + 1    x^2
  1              1
Slide 93: Additive and Multiplicative Inverses in GF(2^3)
  w                            0  1  2  3  4  5  6  7
  Additive inverse -w          0  1  2  3  4  5  6  7
  Multiplicative inverse w^-1  -  1  5  6  7  2  3  4
- If multiplication results in a polynomial a(x) of degree greater than 2 (i.e. n-1 for p^n, or a degree greater than or equal to n), reduce it to a polynomial r(x) of degree less than or equal to 2 by using r(x) = a(x) mod (x^3 + x + 1).
Slide 94: Multiplicative inverse: Extended Euclid[m(x), b(x)] Algorithm
  1. (A1, A2, A3) ← (1, 0, m(x)); (B1, B2, B3) ← (0, 1, b(x))
  2. If B3 = 0, return A3 = gcd(m, b); no inverse
  3. If B3 = 1, return B2 as the multiplicative inverse of b(x) (i.e. b(x).B2 ≡ 1 mod m(x))
  4. Q = ⌊A3/B3⌋ (the polynomial quotient)
  5. (T1, T2, T3) ← (A1 - Q.B1, A2 - Q.B2, A3 - Q.B3)
  6. (A1, A2, A3) ← (B1, B2, B3)
  7. (B1, B2, B3) ← (T1, T2, T3)
  8. Go to 2
Slide 95: Modular Polynomial Arithmetic
- We can compute in the field GF(2^n): polynomials with coefficients modulo 2.
- The elements of GF(2^n) are polynomials whose degree is less than n; hence we must reduce modulo an irreducible polynomial of degree n (for multiplication only).
- The polynomials form a finite field. The number of elements in the field is 2^n.
- For every non-zero element of the field, a multiplicative inverse can always be found by using Euclid's inverse algorithm.
Slide 96: ARITHMETIC OPERATIONS: GF(2^8) with m(x) = x^8 + x^4 + x^3 + x + 1
- AES uses GF(2^8) and the irreducible polynomial x^8 + x^4 + x^3 + x + 1.
- In binary, it is 100011011; in HEX, the polynomial is 0x11B.
- Justification: the first of the 30 irreducible polynomials of degree 8 given in Lidl, R., Niederreiter, H., Introduction to Finite Fields and Their Applications, Cambridge University Press, 1994.
- For comments on how to choose a prime polynomial for a specific size of field, please see the paper by E. De Win et al.
- Reference: E. De Win, A. Bosselaers, S. Vandenberghe, P. De Gersem and J. Vandewalle, "A Fast Software Implementation for Arithmetic Operations in GF(2^n)", ASIACRYPT '96, Springer-Verlag, pp. 65-76.
Slide 97: MULTIPLICATIVE INVERSE: To find c(x) such that (x^7 + x + 1).c(x) ≡ 1 mod (x^8 + x^4 + x^3 + x + 1)
  (one column per iteration of the Extended Euclid[m(x), b(x)] algorithm)
  A1   1                        0                        1                         x^3 + x^2 + 1
  A2   0                        1                        x                         x^4 + x^3 + x + 1
  A3   x^8 + x^4 + x^3 + x + 1  x^7 + x + 1              x^4 + x^3 + x^2 + 1       x
  B1   0                        1                        x^3 + x^2 + 1             x^6 + x^2 + x + 1
  B2   1                        x                        x^4 + x^3 + x + 1         x^7
  B3   x^7 + x + 1              x^4 + x^3 + x^2 + 1      x                         1
  Q                             x                        x^3 + x^2 + 1             x^3 + x^2 + x
- Answer: The Multiplicative Inverse of (x^7 + x + 1) mod (x^8 + x^4 + x^3 + x + 1) is c(x) = x^7.
Slide 98
 "Genius is condemned by a malicious social organization to an eternal denial of justice in favor of fawning mediocrity." Evariste Galois
Slide 99: Representation
- A polynomial with coefficients obeying modulo 2 arithmetic can be represented by a binary or a HEX number.
- Example: 0x11B = 100011011 represents x^8 + x^4 + x^3 + x + 1. This is an irreducible polynomial.
- A polynomial in GF(2^8), a(x) = a7 x^7 + a6 x^6 + ... + a1 x + a0, can be represented as (a7 a6 a5 ... a1 a0).
- Addition of two polynomials a(x) and b(x): use the XOR operation on the two bit arrays: (a7 a6 a5 ... a1 a0) ⊕ (b7 b6 b5 ... b1 b0)
Slide 100: ARITHMETIC OPERATIONS: MULTIPLICATION for GF(2^8) with m(x) = x^8 + x^4 + x^3 + x + 1
- Reduction
  - Example 1: x^8 mod m(x) = m(x) - x^8 = x^4 + x^3 + x + 1. Note: x^4 + x^3 + x + 1 can be represented as 0x1B.
  - In general, for m(x) of degree n, x^n mod m(x) = m(x) - x^n.
- Multiplication: Let b(x) = b7 x^7 + b6 x^6 + ... + b1 x + b0
  - Example 2: Consider multiplication of b(x) with x: x.b(x) mod m(x)
    - if b7 = 0, x.b(x) is already in the reduced form.
    - if b7 = 1, using the result of Example 1: (b6 x^7 + ... + b1 x^2 + b0 x) ⊕ (x^4 + x^3 + x + 1)
Slide 101: ARITHMETIC OPERATIONS: MULTIPLICATION: Generalized Result
- This multiplication x.b(x) mod m(x) is done as follows:
    x.b(x) mod m(x) = (b6 b5 b4 b3 b2 b1 b0 0)                 if b7 = 0
                    = (b6 b5 b4 b3 b2 b1 b0 0) ⊕ (0001 1011)   if b7 = 1
- Multiplication by a higher power can be achieved by a repeated application of Step 2.
- Example 3: r(x) = b(x).a(x) mod m(x) = (x^6 + x^4 + x^2 + x + 1).(x^7 + x + 1) mod (x^8 + x^4 + x^3 + x + 1)
Slide 102: ARITHMETIC OPERATIONS: MULTIPLICATION: Example 3
- To get r(x):
- Step 1: (x^6 + x^4 + x^2 + x + 1).x mod m(x)
    = (0101 0111).(0000 0010)
    shift left ⇒ 1010 1110
- Step 2: (x^6 + x^4 + x^2 + x + 1).x^2 mod m(x)
    = (0101 0111).(0000 0100)
    = (1010 1110).(0000 0010) ⊕ (0001 1011)
    = (0101 1100) ⊕ (0001 1011)
    = (0100 0111)
Slide 103: ARITHMETIC OPERATIONS: MULTIPLICATION: Example (continued)
- Step 3: (x^6 + x^4 + x^2 + x + 1).x^3 mod m(x)
    = (0101 0111).(0000 1000)
    = (0100 0111).(0000 0010)
    = 1000 1110
- Step 4: Multiplication of b(x) by x^4 mod m(x)
    = (0101 0111).(0001 0000)
    = (1000 1110).(0000 0010) ⊕ (0001 1011)
    = (0001 1100) ⊕ (0001 1011)
    = (0000 0111)
Slide 104: ARITHMETIC OPERATIONS: MULTIPLICATION: Example (continued)
- Step 5: Multiplication of b(x) by x^5 mod m(x)
    = (0101 0111).(0010 0000)
    = (0000 0111).(0000 0010)
    = 0000 1110
- Step 6: Multiplication of b(x) by x^6 mod m(x): Result 0001 1100
- Step 7: Multiplication of b(x) by x^7 mod m(x): Result 0011 1000
Slide 105: ARITHMETIC OPERATIONS: MULTIPLICATION: Example (continued)
- Step 8: b(x).a(x) mod m(x), where a(x) = x^7 + x + 1
    = (0011 1000) ⊕ (1010 1110) ⊕ (0101 0111)
    = 1100 0001
- Hence b(x).a(x) mod m(x) = (x^6 + x^4 + x^2 + x + 1).(x^7 + x + 1) mod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1
Slide 106: Computational Considerations
- Since the coefficients are 0 or 1, any such polynomial can be represented as a bit string.
- Addition becomes XOR of the bit strings.
- Multiplication is shift, or shift and XOR (cf. longhand multiplication). See, again, the line in red five slides back.
- Modulo reduction is done by repeatedly applying the rule of that slide.
Slide 107: Use of the bit notation for polynomials: example for GF(2^8) with m(x) = x^8 + x^4 + x^3 + x + 1
- Example: rc_1(x) = 1; rc_j(x) = x.rc_(j-1)(x) mod m(x) for j = 2 to 10
- Denoted by RC(1) = 1; RC(j) = 2.RC(j-1) for j = 2 to 10
- For GF(2^8), the number of members of the finite group is 256, from 0 to 255. Thus RC(2) = 2, ..., RC(8) = 128
- rc_9(x) = x^8 mod m(x) = x^4 + x^3 + x + 1 ⇒ RC(9) = 0x1B
- RC(10) = 0011 0110 = 0x36 = x^5 + x^4 + x^2 + x, obtained by shifting RC(9) to the left.
Slide 108: Win thousands of dollars!
- Solve problems in Number theory, Graph theory and Combinatorics and WIN!
- Paul Erdos, the great Hungarian problem solver, is the purser of all of the problems. (The purser is the final judge and arbiter of prize-winning solutions. The award only goes to the person who solves a problem first, and the purser is the arbiter of that too.)
- Volunteer Advisor for solvers: greg_at_math.berkeley.edu
- References: 1. A Tribute to Paul Erdos, Cambridge University Press, 1990, pp. 467-477. 2. Paths, Flows, and VLSI Layout, Springer-Verlag, 1980, pp. 35-45. 3. Erdos on Graphs: His Legacy of Unsolved Problems, Fan Chung and Ron Graham, AK Peters, 1998. 4. http://www.math.upenn.edu/chung/