This document summarizes key concepts from a lecture on finite fields and their use in cryptography. It introduces finite fields and explains why they are important for cryptography. It discusses the structure of finite fields, including that every finite field has p^n elements, where p is a prime number. It also provides examples of computing in finite fields through modular arithmetic.
1. Cryptography and Network Security
Lecture 5: Basic notions of finite fields
Ion Petre
Department of IT, Åbo Akademi University
Spring 2012
January 24, 2012
http://users.abo.fi/ipetre/crypto/
2. Content of this lecture
Z --(modular arithmetic)--> Z_p --(polynomials)--> Z_p[X] --(modular arithmetic)--> GF(p^n)
GF(p^n): every finite field has this structure, and (with p = 2, n = 8) it is the domain of operation of AES
3. Why finite fields?
Increasingly important in cryptography
Several modern cryptographic algorithms rely on computations in various finite fields, among them AES and elliptic curve cryptography
AES uses arithmetic in the finite field GF(2^8)
Virtually all modern encryption algorithms (both symmetric and public-key) involve arithmetic operations on integers
If we decide to work on n-bit integers, for efficiency of storage we would like to be able to use all integers on n bits
This means we have to do operations on integers from 0 to 2^n - 1
We could decide to use operations in Z_m, where m = 2^n
Difficulty 1: we may need to do divisions, and Z_m is not a field
Difficulty 2: arithmetic modulo 2^n may give rise to weak cryptographic algorithms
Example: suppose we work with 3-bit blocks and decide to do arithmetic modulo 8
In the multiplication table of Z_8, the values 1, 2, …, 7 appear with different frequencies: 1 occurs 4 times, 2 occurs 8 times, 3 occurs 4 times, 4 occurs 12 times, 5 occurs 4 times, 6 occurs 8 times, 7 occurs 4 times
Solution: use a finite field GF(2^3) with 8 elements – division is always possible and in the multiplication table each integer 1, …, 7 occurs exactly 7 times
4. Why finite fields?
We need fields: from y = ax + b we recover x = a^{-1}(y - b)
We need finite fields
They all have p^n elements, with p a prime number
What is their structure (addition table, multiplication table)?
Are there many different fields with p^n elements?
Example: a field with 8 elements
5. Modulo 8 example
This is not a field!
7. Summary of the constructions in this lecture
Consider the integers Z
Take a prime number p and do operations modulo p: Z_p is a field with p elements (order p)
Consider polynomials with coefficients in Z_p: Z_p[X]
Take an irreducible polynomial m(x) of degree n and do operations modulo m(x): GF(p^n) is a field with p^n elements (order p^n)
AES uses GF(2^8) with arithmetic modulo x^8 + x^4 + x^3 + x + 1
8. Plan of the lecture
Introduce here the (minimal) notions needed for the understanding of AES
Groups, rings, fields
Divisors, modular arithmetic
Euclid’s algorithm
Polynomial arithmetic
9. Basic notions of abstract algebra: groups, rings, fields
Group (G,¤,e): a set G with a binary operation ¤ and an element e∈G satisfying the following laws:
Associativity: a ¤ (b ¤ c) = (a ¤ b) ¤ c for any a,b,c∈G
Identity element: a ¤ e = e ¤ a = a, for any a∈G
Inverse element: for each a∈G, there exists an element a’∈G such that a ¤ a’ = a’ ¤ a = e
a’ is usually denoted as -a and is called the inverse of a
Example of a group: the set of integers with the addition (Z,+,0)
Note that the set of integers with the multiplication (Z,×,1) is not a group: the inverse element does not exist for all integers (it exists only for 1 and –1)
10. Groups
A group (G,¤,e) is called:
Commutative (or abelian) if a ¤ b = b ¤ a for all a,b in G
Finite if the set G is finite
Infinite if the set G is infinite
Examples:
(Z,+,0) is a commutative group
The set of n×n matrices over the integers, with the addition, is a commutative group
The set of permutations of the set {1,2,…,n}, with the composition, is a finite non-commutative group
11. Rings
Ring (R,+,•,0,1): a set R with two binary operations + and • satisfying the following laws:
Associative addition: (a+b)+c = a+(b+c)
Existence of 0: a+0 = 0+a = a
Existence of the inverse: for all a, there is –a such that a+(–a) = (–a)+a = 0
Commutativity of addition: a+b = b+a
Associative multiplication: a•(b•c) = (a•b)•c for any a,b,c∈R
Existence of 1: a•1 = 1•a = a
Distributivity of • over +: a•(b+c) = a•b + a•c; (a+b)•c = a•c + b•c
A ring (R,+,•,0,1) is called commutative if the multiplication • is commutative
A commutative ring is called an integral domain if a•b = 0 implies a = 0 or b = 0
Examples:
(Z,+,•,0,1) is an integral domain
(Z_26,+,•,0,1) is a commutative unitary ring, but not an integral domain: 2•13 = 0 (mod 26)
The set of n×n matrices over the integers with addition and multiplication is a commutative unitary ring, but not an integral domain
12. Fields
Field (F,+,•,0,1):
(F,+,•,0,1) is a ring
Commutativity of the multiplication
Multiplicative inverse: for any nonzero element a in F there exists an element a’ in F such that a•a’ = a’•a = 1
a’ is usually denoted as a^{-1} and it is called the multiplicative inverse of a
Examples:
The set of rational numbers (Q,+,•,0,1) and the set of real numbers (R,+,•,0,1) are fields
The set of integers (Z,+,•,0,1) is not a field: only 1 and –1 have multiplicative inverses
(Z_26,+,•,0,1) is not a field
(Z_3,+,•,0,1) is a finite field: the inverse of 1 is 1 and the inverse of 2 is 2
(Z_5,+,•,0,1) is a finite field: 1•1 = 1 mod 5, 2•3 = 1 mod 5, 4•4 = 1 mod 5
Inverse of 1 is 1, inverse of 2 is 3, inverse of 3 is 2, inverse of 4 is 4
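As an added example (not part of the lecture), the following Python checks the properties of slides 11 and 12 for Z_n by exhaustive search: it lists zero divisors (which rule out an integral domain), builds the multiplicative inverse table, and reports which Z_n are fields. The function names are my own.

```python
# Added example (not from the lecture): brute-force check of the ring and
# field properties of Z_n = {0, 1, ..., n-1} with + and * taken modulo n.
# Function names are my own.

def zero_divisors(n):
    """Pairs (a, b) with 0 < a <= b < n and a*b = 0 (mod n); a commutative
    ring with no such pairs is an integral domain (e.g. 2*13 = 0 in Z_26)."""
    return [(a, b) for a in range(1, n) for b in range(a, n) if (a * b) % n == 0]

def inverse_table(n):
    """Map each a in Z_n that has a multiplicative inverse to that inverse,
    found by trying every candidate b (O(n^2) work; the extended Euclid
    algorithm of slide 24 finds one inverse far faster for large n)."""
    table = {}
    for a in range(1, n):
        for b in range(1, n):
            if (a * b) % n == 1:
                table[a] = b
                break
    return table

def is_field(n):
    """Z_n is a field exactly when all n-1 nonzero elements are invertible."""
    return n >= 2 and len(inverse_table(n)) == n - 1

def fields_up_to(limit):
    """The moduli n <= limit for which Z_n is a field: expected to be the primes."""
    return [n for n in range(2, limit + 1) if is_field(n)]

if __name__ == "__main__":
    print("inverses in Z_5:", inverse_table(5))        # {1: 1, 2: 3, 3: 2, 4: 4}
    print("zero divisors in Z_26:", zero_divisors(26))
    print("Z_n is a field for n =", fields_up_to(30))  # the primes up to 30
```

Running it reproduces the inverse tables of Z_3 and Z_5 from the slide, shows (2, 13) among the zero divisors of Z_26, and confirms that Z_n is a field precisely for prime n, which is the claim of slide 21.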
13. Modular arithmetic
Consider now the set of integers: fix a positive integer n
For any integer a, there exist integers q and r such that a = qn + r and r is from 0 to n-1
q is the largest integer less than or equal to a/n
r is called the residue of a modulo n
Define the operator mod: a mod n = r
Define the operator div: a div n = q
Examples:
7 mod 5 = 2, 11 mod 7 = 4
-11 mod 7 = 3: -11 = (-2)•7 + 3
Congruence modulo n: a ≡ b mod n if a mod n = b mod n
Example: 73 ≡ 4 mod 23, 21 ≡ -9 ≡ 1 mod 10
14. Modulo 7 example
The elements in each column are congruent to each other modulo 7
...
-21 -20 -19 -18 -17 -16 -15
-14 -13 -12 -11 -10 -9 -8
-7 -6 -5 -4 -3 -2 -1
0 1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31 32 33 34
...
15. Arithmetic modulo n
We can perform ordinary arithmetic (addition, subtraction, multiplication) modulo n (as we have done in Caesar)
Useful properties (reduce the computation mod n at any step):
(a+b) mod n = ( (a mod n) + (b mod n) ) mod n
(a-b) mod n = ( (a mod n) - (b mod n) ) mod n
(a•b) mod n = ( (a mod n) • (b mod n) ) mod n
Example: to compute 11^7 mod 13 we do:
11^2 = 121 = 4 mod 13
11^4 = 4^2 = 16 = 3 mod 13
11^7 = 11^4 • 11^2 • 11 = 3•4•11 = 132 = 2 mod 13
(Z_n,+,•,0,1) is a commutative ring, where Z_n = {0,1,2,…,n-1} and the operations are performed modulo n
16. Arithmetic modulo n: divisions
Careful when performing operations modulo n
If (a+b) ≡ (a+c) mod n, then b ≡ c mod n
It is not true in general that if (a•b) ≡ (a•c) mod n, then b ≡ c mod n
Example: (2•1) ≡ (2•5) mod 8, but 1 and 5 are not congruent modulo 8
The implication is true if and only if a is relatively prime to n, i.e., gcd(a,n) = 1
Any such a has a multiplicative inverse a^{-1} modulo n
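As an added example (not part of the lecture), the following Python puts slides 13, 15 and 16 together: the div/mod operators including the negative case -11 mod 7, exponentiation that reduces mod n after every multiplication (the 11^7 mod 13 computation), and an exhaustive check of which elements of Z_n may be cancelled from a product. The function names are my own.

```python
# Added example (not from the lecture): the mod/div operators of slide 13,
# reduction mod n after every step as on slide 15, and the cancellation law
# of slide 16 checked exhaustively. Function names are my own.
from math import gcd

def div_mod(a, n):
    """(a div n, a mod n): q and r with a = q*n + r and 0 <= r < n.
    Python's // floors toward -infinity, so this also holds for negative a."""
    q, r = a // n, a % n
    assert a == q * n + r and 0 <= r < n
    return q, r

def pow_mod(base, exp, n):
    """base^exp mod n by square-and-multiply, reducing after every product so
    that no intermediate value ever exceeds n^2 (unlike computing 11^7 first)."""
    result, base = 1, base % n
    while exp > 0:
        if exp & 1:
            result = (result * base) % n
        base = (base * base) % n
        exp >>= 1
    return result

def cancellable(a, n):
    """True if a*b = a*c (mod n) implies b = c (mod n) for all b, c in Z_n,
    i.e. if multiplication by a is injective on Z_n."""
    return len({(a * b) % n for b in range(n)}) == n

def cancellable_elements(n):
    """The a in Z_n for which cancellation holds; slide 16 says these are
    exactly the a with gcd(a, n) = 1, i.e. the invertible elements."""
    return [a for a in range(1, n) if cancellable(a, n)]

if __name__ == "__main__":
    print(div_mod(-11, 7))              # (-2, 3)
    print(pow_mod(11, 7, 13))           # 2
    print(cancellable_elements(8))      # [1, 3, 5, 7]
    print([a for a in range(1, 8) if gcd(a, 8) == 1])   # the same set
```

In Z_8 the element 2 fails the check because 2•b takes only the values 0, 2, 4, 6, so 2•1 = 2•5; the odd elements pass because they are relatively prime to 8.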
17. Modulo 8 example
18. Divisors
A nonzero integer b divides a if a = mb for some integer m. We denote it as b | a and we say that b is a divisor of a
Example: the positive divisors of 24 are 1, 2, 3, 4, 6, 8, 12, 24
Facts:
If a | 1, then a = 1 or a = -1
If a | b and b | a, then a = b or a = -b
If d | g and d | h, then d | (mg+nh), for any integers m and n
If a ≡ b (mod n), then n | (a-b)
If a ≡ b (mod n), then b ≡ a (mod n)
If a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n)
19. Greatest common divisor
The positive integer d is the greatest common divisor of the integers a and b, denoted d = gcd(a,b), if
it is a divisor of both a and b
any other divisor of a and b is a divisor of d
Example: gcd(8,12) = 4, gcd(24,60) = 12
Integers a and b are called relatively prime if gcd(a,b) = 1
Computing gcd(a,b): Euclid’s algorithm
Based on the following fact: gcd(a,b) = gcd(b, a mod b)
Euclid's algorithm to compute gcd(a,b): Euclid(a,b)
If b = 0 then return a
Else return Euclid(b, a mod b)
Note: the algorithm always terminates, since the second argument is nonnegative and strictly decreases at every call
20. Example: d = gcd(1970,1066)
1970 = 1 x 1066 + 904   d = gcd(1066, 904)
1066 = 1 x 904 + 162    d = gcd(904, 162)
904 = 5 x 162 + 94      d = gcd(162, 94)
162 = 1 x 94 + 68       d = gcd(94, 68)
94 = 1 x 68 + 26        d = gcd(68, 26)
68 = 2 x 26 + 16        d = gcd(26, 16)
26 = 1 x 16 + 10        d = gcd(16, 10)
16 = 1 x 10 + 6         d = gcd(10, 6)
10 = 1 x 6 + 4          d = gcd(6, 4)
6 = 1 x 4 + 2           d = gcd(4, 2)
4 = 2 x 2 + 0           d = 2
Result: gcd(1970,1066) = 2, i.e., the last nonzero residue in the above computation
21. Finite fields
Fields with a finite number of elements: what is their structure?
It can be proved that if a field is finite then it has p^n elements, for some prime number p
We also say that it has order p^n
We denote it GF(p^n) – GF stands for Galois field
For n = 1 we have GF(p), which is Z_p
If p is prime, then any nonzero element in Z_p has a multiplicative inverse
For n > 1 the field has a different structure
Start from Z_p and build a field with p^n elements
22. Example:
GF(7) = Z_7
23. Finding the multiplicative inverse in Z_p
Given an element a of Z_p, how do we calculate a^{-1}?
Euclid's algorithm to compute gcd(a,b): Euclid(a,b)
If b = 0 then return a
Else return Euclid(b, a mod b)
Result: if d = gcd(a,b), then there are integers x, y such that d = ax + by
Consequence: if gcd(a,b) = 1, then there are integers x, y such that ax + by = 1
so ax = 1 mod b, i.e., x = a^{-1} mod b
Question: how do we calculate x for given a, b?
Idea: run Euclid’s algorithm in such a way as to compute not only d, but also x and y
24. Finding the multiplicative inverse in Z_p
Extended Euclid’s algorithm: ExtEuclid(a,b)
Output: (d,x,y), where d = gcd(a,b) and d = ax + by
If d = 1, then x = a^{-1} (mod b)
if b = 0 then return (a,1,0)
else (t1,t2,t3) = ExtEuclid(b, a mod b)
return (t1, t3, t2 – (a div b) * t3)
Proof of correctness
Clearly, the gcd is returned in the first component (it runs like Euclid’s algorithm)
Denote a mod b = r, a div b = z: a = bz + r
The proof goes by induction
The base case b = 0: trivial, since a = a*1 + 0*0
Induction step: if t1 = gcd(b,r) and t1 = t2*b + t3*r, then t1 = t2*b + t3*(a - bz) and so t1 = t3*a + (t2 - t3*z)*b
25. Example: the inverse of 550 in GF(1759)
Extended Euclid’s algorithm: ExtEuclid(a,b)
Output: (d,x,y), where d = gcd(a,b) and d = ax + by
if b = 0 then return (a,1,0)
else (t1,t2,t3) = ExtEuclid(b, a mod b)
return (t1, t3, t2 - (a div b) * t3)
Z = ExtEuclid(550,1759): 550 = 0•1759 + 550
compute Z1 = ExtEuclid(1759,550): 1759 = 3•550 + 109
compute Z2 = ExtEuclid(550,109): 550 = 5•109 + 5
compute Z3 = ExtEuclid(109,5): 109 = 21•5 + 4
compute Z4 = ExtEuclid(5,4): 5 = 1•4 + 1
compute Z5 = ExtEuclid(4,1): 4 = 4•1 + 0
compute Z6 = ExtEuclid(1,0) = (1,1,0)
Unwinding the recursion: Z5 = (1,0,1), Z4 = (1,1,-1), Z3 = (1,-1,22), Z2 = (1,22,-111), Z1 = (1,-111,355)
Z = (1,355,-111)
Final answer: the inverse of 550 mod 1759 is 355 (check: 550•355 = 195250 = 111•1759 + 1)
26. January 24, 2012 26
Polynomial Arithmetic
To define GF(p^n) we need to discuss operations with
polynomials with coefficients in Z_p: polynomial arithmetic
Consider only polynomials in one indeterminate
27. January 24, 2012 27
Ordinary Polynomial Arithmetic
Consider polynomials with coefficients in a ring or a field, e.g., Z
Adding/subtracting two polynomials is done by adding/subtracting the
corresponding coefficients
Multiplying two polynomials is done in the usual way, by multiplying all terms
with each other
Division (not necessarily exact) of two polynomials can also be defined if the
coefficients are in a field
Example: f(x) = x^3 + x^2 + 2, g(x) = x^2 - x + 1 with coefficients in Z
f(x) + g(x) = x^3 + 2x^2 - x + 3
f(x) - g(x) = x^3 + x + 1
f(x) * g(x) = x^5 + 3x^2 - 2x + 2
For a ring or a field R, (R[X],+,*,0,1) is a ring: the ring of polynomials over R
28. January 24, 2012 28
Polynomial Arithmetic with Modulo Coefficients
Consider polynomials with coefficients in Z_p, for some prime p
We are mostly interested in computations mod 2: all coefficients are
0 or 1
Example: f(x) = x^3 + x^2 and g(x) = x^2 + x + 1
f(x) + g(x) = x^3 + x + 1
f(x) * g(x) = x^5 + x^2
Division (not necessarily exact) of two polynomials can also be
defined if the coefficients are in a field
The computations are done similarly as for integers: e.g., Euclid's
algorithm holds also for polynomials
29. January 24, 2012 29
Division of polynomials with coefficients in Z_p
For any polynomials f(x), g(x) with g(x) ≠ 0, there exist two polynomials q(x), r(x) such that:
f(x) = q(x) g(x) + r(x)
deg(r) < deg(g)
Thus, division (not necessarily exact) is possible:
q(x) = f(x) div g(x)
r(x) = f(x) mod g(x)
If r(x)=0, then we say that g(x) divides f(x): g(x) | f(x)
If f(x) has no divisors other than itself and constant polynomials, we say it is
an irreducible (or prime) polynomial
Equivalently, f(x) cannot be written as g(x)h(x) with deg(g) < deg(f), deg(h) < deg(f)
The greatest common divisor gcd(f,g) is defined similarly as for integers:
It is a divisor of both f and g
Any other divisor of f and g is a divisor of gcd(f,g)
gcd(f,g) can be computed using Euclid's algorithm
30. January 24, 2012 30
Computing the GCD of two polynomials over Z_p
Euclid(a,b)
If b=0 then return a
Else return Euclid(b,a mod b)
EUCLID[a(x), b(x)]: computes gcd(a(x), b(x))
If b(x)=0 then return a(x)
Else return EUCLID(b(x), a(x) mod b(x))
31. January 24, 2012 31
Modular Polynomial Arithmetic
(arithmetic modulo a polynomial)
Consider an irreducible polynomial f(x) with degree n and coefficients in Z_p
Example: x^8+x^4+x^3+x+1 is irreducible in Z_2[x] (the polynomial used in AES)
Polynomial arithmetic modulo f(x) can be done similarly to integer arithmetic
modulo a prime number p
Take any two polynomials modulo f(x)
Do addition/subtraction/multiplication modulo f(x)
If f(x) is irreducible, then the set of all polynomials modulo f(x) forms a field
denoted GF(p^n)
We are mostly interested in GF(2^n): all polynomials with binary coefficients
and degree less than n
Addition is the normal addition of two polynomials
Multiplication is done modulo f(x)
GF(2^n) is indeed a field: any nonzero element has an inverse
The extended Euclid algorithm can be used here just like for integers
32. January 24, 2012 32
Computing the inverse in GF(p^n)
Extended Euclid's algorithm: ExtEuclid(a(x),b(x))
Output: (d(x),e(x),f(x)), where d(x)=gcd(a(x),b(x)) and d(x)=a(x)e(x)+b(x)f(x)
if b(x) = 0 then return (a(x),1,0)
else (t1(x),t2(x),t3(x))=ExtEuclid(b(x), a(x) mod b(x))
return (t1(x), t3(x), t2(x) - (a(x) div b(x)) * t3(x))
If F(x) is an irreducible polynomial, a(x) ≠ 0 has degree less than deg(F), and (d(x),t(x),u(x))=ExtEuclid(a(x),F(x)), then
d(x)=1
t(x)=a(x)^-1 mod F(x)
33. January 24, 2012 33
Example: GF(2^3)
34. January 24, 2012 34
Computational considerations
A polynomial in GF(2^n)
can be represented by its n binary coefficients (a_{n-1}, a_{n-2}, …, a_0), i.e., by an
n-bit number
Addition of polynomials becomes bitwise XOR of their n-bit representations
Multiplication is shift & XOR: example for GF(2^8) with m(x)=x^8+x^4+x^3+x+1 (AES)
x^8 mod m(x) = x^8 - m(x) = x^4+x^3+x+1 (over Z_2, subtraction is the same as addition)
Consider a polynomial in GF(2^8) f(x)=b7x^7+b6x^6+b5x^5+b4x^4+b3x^3+b2x^2+b1x+b0
Multiplying by x we have xf(x)=b7x^8+b6x^7+b5x^6+b4x^5+b3x^4+b2x^3+b1x^2+b0x
If b7=0, then the result is already in GF(2^8). If b7=1, then we need to reduce x^8 mod m(x):
xf(x) = (b6x^7+b5x^6+b4x^5+b3x^4+b2x^3+b1x^2+b0x) + (x^4+x^3+x+1)
Thus, multiplication by x is in fact a 1-bit left shift followed by a conditional XOR with
(00011011)
Multiplication by higher powers of x is an iteration of the above procedure
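An added example (not code from the lecture) that covers both the polynomial ExtEuclid of slide 32 and the shift & XOR multiplication described here: polynomials over Z_2 are stored as integers (bit i is the coefficient of x^i) and the AES polynomial m(x) is the modulus; all function names are choices of this example.

```python
AES_POLY = 0x11B  # x^8+x^4+x^3+x+1 from the slide; added example, not lecture code
def deg(a):  # degree of a Z_2[x] polynomial stored as an int; -1 for the zero polynomial
    return a.bit_length() - 1

def poly_mul(a, b):  # unreduced product in Z_2[x]: shift and XOR, no carries
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):  # long division: (q, r) with a = q*b + r and deg(r) < deg(b)
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift  # add x^shift to the quotient
        a ^= b << shift  # subtract b(x)*x^shift (subtraction is XOR over Z_2)
    return q, a

def poly_ext_euclid(a, b):  # the slide's ExtEuclid over Z_2[x]: d = gcd = a*x + b*y
    if b == 0:
        return (a, 1, 0)
    q, r = poly_divmod(a, b)
    t1, t2, t3 = poly_ext_euclid(b, r)
    return (t1, t3, t2 ^ poly_mul(q, t3))  # t2 - (a div b)*t3, where '-' is XOR

def gf_inv(a, m=AES_POLY):  # inverse in GF(2^n) = Z_2[x] mod m(x), m irreducible
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    d, t, _ = poly_ext_euclid(a, m)
    if d != 1:
        raise ValueError("gcd(a, m) != 1: a has no inverse mod m")
    return poly_divmod(t, m)[1]  # reduce the Bezout coefficient mod m(x)

def xtime(f, m=AES_POLY):  # multiply by x: 1-bit left shift, XOR m if the x^deg(m) bit is set
    f <<= 1
    return f ^ m if f & (1 << deg(m)) else f

def gf_mul(a, b, m=AES_POLY):  # shift-and-XOR product mod m(x): XOR of a*x^i for each b_i = 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a, m)
        b >>= 1
    return r
```

`gf_mul(a, b)` applies `xtime` once per bit of `b`, which is the "iteration of the above procedure" for the higher powers of x; `gf_inv` is slide 32's ExtEuclid(a(x), F(x)) with F = m.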
35. January 24, 2012 35
Summary
Consider the integers Z
Take a prime number p and do operations modulo p: Z_p is a field with p
elements (order p)
Consider polynomials with coefficients in Z_p: Z_p[X]
Take an irreducible polynomial m(x) of degree n and do operations
modulo m(x): GF(p^n) is a field with p^n elements (order p^n)
Any finite field has order p^n, for some prime p and a positive integer n
AES uses GF(2^8) with arithmetic modulo x^8+x^4+x^3+x+1