finite field arithmetic

In mathematics, finite field arithmetic is arithmetic in a finite field (a field containing a finite number of elements) contrary to arithmetic in a field with an infinite number of elements, like the field of rational numbers.

There are infinitely many different finite fields. Their number of elements is necessarily of the form ''pⁿ'' where ''p'' is a prime number and ''n'' is a positive integer, and two finite fields of the same size are isomorphic. The prime ''p'' is called the characteristic of the field, and the positive integer ''n'' is called the dimension of the field over its prime field.

Finite fields are used in a variety of applications, including in classical coding theory in linear block codes such as BCH codes and Reed–Solomon error correction, in cryptography algorithms such as the Rijndael ( AES) encryption algorithm, in tournament scheduling, and in the design of experiments.

Effective polynomial representation

The finite field with ''p''^''n'' elements is denoted GF(''p''^''n'') and is also called the Galois field of order ''p''^''n'', in honor of the founder of finite field theory, Évariste Galois. GF(''p''), where ''p'' is a prime number, is simply the ring of integers modulo ''p''. That is, one can perform operations (addition, subtraction, multiplication) using the usual operation on integers, followed by reduction modulo ''p''. For instance, in GF(5), is reduced to 2 modulo 5. Division is multiplication by the inverse modulo ''p'', which may be computed using the extended Euclidean algorithm.

A particular case is GF(2), where addition is exclusive OR (XOR) and multiplication is AND. Since the only invertible element is 1, division is the identity function.

Elements of GF(''p''^''n'') may be represented as polynomials of degree strictly less than ''n'' over GF(''p''). Operations are then performed modulo ''R'' where ''R'' is an irreducible polynomial of degree ''n'' over GF(''p''), for instance using polynomial long division. The addition of two polynomials ''P'' and ''Q'' is done as usual; multiplication may be done as follows: compute as usual, then compute the remainder modulo ''R''. This representation in terms of polynomial coefficients is called a monomial basis (a.k.a. 'polynomial basis').

There are other representations of the elements of GF(''p''^''n''); some are isomorphic to the polynomial representation above and others look quite different (for instance, using matrices). Using a normal basis may have advantages in some contexts.

When the prime is 2, it is conventional to express elements of GF(''p''^''n'') as binary numbers, with the coefficient of each term in a polynomial represented by one bit in the corresponding element's binary expression. Braces ( "" ) or similar delimiters are commonly added to binary numbers, or to their hexadecimal equivalents, to indicate that the value gives the coefficients of a basis of a field, thus representing an element of the field. For example, the following are equivalent representations of the same value in a characteristic 2 finite field:

Primitive polynomials

There are many irreducible polynomials (sometimes called reducing polynomials) that can be used to generate a finite field, but they do not all give rise to the same representation of the field.

A monic irreducible polynomial of degree having coefficients in the finite field GF(), where for some prime and positive integer , is called a primitive polynomial if all of its roots are primitive elements of GF(). In the polynomial representation of the finite field, this implies that is a primitive element. There is at least one irreducible polynomial for which is a primitive element. In other words, for a primitive polynomial, the powers of generate every nonzero value in the field.

In the following examples it is best not to use the polynomial representation, as the meaning of changes between the examples. The monic irreducible polynomial over GF(2) is not primitive. Let be a root of this polynomial (in the polynomial representation this would be ), that is, . Now , so is not a primitive element of GF(2⁸) and generates a multiplicative subgroup of order 51. Consider the field element (in the polynomial representation this would be ). Now . As all the roots of this primitive polynomial are primitive elements, is a primitive element of GF(2⁸) ( and no smaller power does). GF(2⁸) has 128 generators (see Number of primitive elements). Having as a generator for a finite field is beneficial for many computational mathematical operations.

Addition and subtraction

Addition and subtraction are performed by adding or subtracting two of these polynomials together, and reducing the result modulo the characteristic.

In a finite field with characteristic 2, addition modulo 2, subtraction modulo 2, and XOR are identical. Thus,

Under regular addition of polynomials, the sum would contain a term 2''x''⁶. This term becomes 0''x''⁶ and is dropped when the answer is reduced modulo 2.

Here is a table with both the normal algebraic sum and the characteristic 2 finite field sum of a few polynomials:

In computer science applications, the operations are simplified for finite fields of characteristic 2, also called GF(2^''n'') Galois fields, making these fields especially popular choices for applications.

Multiplication

Multiplication in a finite field is multiplication modulo an irreducible reducing polynomial used to define the finite field. (I.e., it is multiplication followed by division using the reducing polynomial as the divisor—the remainder is the product.) The symbol "•" may be used to denote multiplication in a finite field.

Rijndael's (AES) finite field

Rijndael (standardised as AES) uses the characteristic 2 finite field with 256 elements, which can also be called the Galois field GF(2⁸). It employs the following reducing polynomial for multiplication:

:''x''⁸ + ''x''⁴ + ''x''³ + ''x'' + 1.

For example, • = in Rijndael's field because

:

and

:

The latter can be demonstrated through long division (shown using binary notation, since it lends itself well to the task. Notice that exclusive OR is applied in the example and not arithmetic subtraction, as one might use in grade-school long division.):

11111101111110 (mod) 100011011
^100011011
01110000011110
^100011011
0110110101110
^100011011
010101110110
^100011011
00100011010
^100011011
000000001

(The elements and are multiplicative inverses of one another since their product is 1.)

Multiplication in this particular finite field can also be done using a modified version of the " peasant's algorithm". Each polynomial is represented using the same binary notation as above. Eight bits is sufficient because only degrees 0 to 7 are possible in the terms of each (reduced) polynomial.

This algorithm uses three variables (in the computer programming sense), each holding an eight-bit representation. a and b are initialized with the multiplicands; p accumulates the product and must be initialized to 0.

At the start and end of the algorithm, and the start and end of each iteration, this invariant is true: a b + p is the product. This is obviously true when the algorithm starts. When the algorithm terminates, a or b will be zero so p will contain the product.

* Run the following loop eight times (once per bit). It is OK to stop when a or b is zero before an iteration:
*# If the rightmost bit of b is set, exclusive OR the product p by the value of a. This is polynomial addition.
*# Shift b one bit to the right, discarding the rightmost bit, and making the leftmost bit have a value of zero. This divides the polynomial by x, discarding the ''x''⁰ term.
*# Keep track of whether the leftmost bit of a is set to one and call this value carry.
*# Shift a one bit to the left, discarding the leftmost bit, and making the new rightmost bit zero. This multiplies the polynomial by x, but we still need to take account of carry which represented the coefficient of ''x''⁷.
*# If carry had a value of one, exclusive or a with the hexadecimal number 0x1b (00011011 in binary). 0x1b corresponds to the irreducible polynomial with the high term eliminated. Conceptually, the high term of the irreducible polynomial and carry add modulo 2 to 0.
* p now has the product

This algorithm generalizes easily to multiplication over other fields of characteristic 2, changing the lengths of a, b, and p and the value 0x1b appropriately.

Multiplicative inverse

See also Itoh–Tsujii inversion algorithm.

The multiplicative inverse for an element a of a finite field can be calculated a number of different ways:

* By multiplying a by every number in the field until the product is one. This is a brute-force search.
* Since the nonzero elements of GF(''pⁿ'') form a finite group with respect to multiplication, (for ), thus the inverse of ''a'' is ''a''.
* By using the extended Euclidean algorithm.
* By making logarithm and exponentiation tables for the finite field, subtracting the logarithm from ''pⁿ''−1 and exponentiating the result.
* By making a modular multiplicative inverse table for the finite field and doing a lookup.
* By mapping to a composite field where inversion is simpler, and mapping back.
* By constructing a special integer (in case of a finite field of a prime order) or a special polynomial (in case of a finite field of a non-prime order) and dividing it by ''a''.

Implementation tricks

Generator based tables

When developing algorithms for Galois field computation on small Galois fields, a common performance optimization approach is to find a generator ''g'' and use the identity:

:$ab = g^ = g^$

to implement multiplication as a sequence of table look ups for the log_''g''(''a'') and ''g''^''y'' functions and an integer addition operation. This exploits the property that every finite field contains generators. In the Rijndael field example, the polynomial (or ) is one such generator. A necessary but not sufficient condition for a polynomial to be a generator is to be irreducible.

An implementation must test for the special case of ''a'' or ''b'' being zero, as the product will also be zero.

This same strategy can be used to determine the multiplicative inverse with the identity:

:$a^ = g^ = g^ = g^$

Here, the order of the generator, , is the number of non-zero elements of the field. In the case of GF(2⁸) this is . That is to say, for the Rijndael example: . So this can be performed with two look up tables and an integer subtract. Using this idea for exponentiation also derives benefit:

:$a^n = g^ = g^ = g^$

This requires two table look ups, an integer multiplication and an integer modulo operation. Again a test for the special case must be performed.

However, in cryptographic implementations, one has to be careful with such implementations since the cache architecture of many microprocessors leads to variable timing for memory access. This can lead to implementations that are vulnerable to a timing attack.

Carryless multiply

For binary fields GF(2^''n''), field multiplication can be implemented using a carryless multiply such as CLMUL instruction set, which is good for ''n'' ≤ 64. A multiplication uses one carryless multiply to produce a product (up to 2''n'' − 1 bits), another carryless multiply of a pre-computed inverse of the field polynomial to produce a quotient = ⌊product / (field polynomial)⌋, a multiply of the quotient by the field polynomial, then an xor: result = product ⊕ ((field polynomial) ⌊product / (field polynomial)⌋). The last 3 steps (pclmulqdq, pclmulqdq, xor) are used in the Barrett reduction step for fast computation of CRC using the x86 pclmulqdq instruction.

Composite field

When ''k'' is a composite number, there will exist isomorphisms from a binary field GF(2^''k'') to an extension field of one of its subfields, that is, GF((2^''m'')^''n'') where . Utilizing one of these isomorphisms can simplify the mathematical considerations as the degree of the extension is smaller with the trade off that the elements are now represented over a larger subfield. To reduce gate count for hardware implementations, the process may involve multiple nesting, such as mapping from GF(2⁸) to GF(((2²)²)²). There is an implementation constraint, the operations in the two representations must be compatible, so explicit use of the isomorphism is needed. More precisely, the isomorphism will be denoted by map(), it is a bijection that maps an element of GF(2^''k'') to GF((2^''m'')^''n''), satisfying: and , where the operations on the left side occur in GF(2^''k'') before mapping and the operations on the right side occur in GF((2^''m'')^''n'') after mapping.
/ref> The isomorphism is usually implemented with a ''k'' row by ''k'' bit matrix, used to perform a matrix multiply over GF(2) of an element of GF(2^''k'') treated as a ''k'' row by 1 bit matrix. Define ''α'' as a primitive element of GF(2^''k''), and ''β'' as a primitive element of GF((2^''m'')^''n''). Then ''β''^''j'' = map(''α''^''j'') and ''α''^''j'' = map⁻¹(''β''^''j''). The values of ''α'' and ''β'' determine the mapping matrix and its inverse. Since the actual math is performed in GF((2^''m'')^''n''), the reducing polynomial for GF((2^''m'')^''n'') is usually primitive and ''β'' = ''x'' in GF((2^''m'')^''n''). In order to meet the compatibility constraint for addition and multiplication, a search is done to choose any primitive element ''α'' of GF(2^''k'') that will meet the constraint. In the case where reducing polynomial for GF(2^''k'') is primitive, an alternate mapping method is possible: the 1 bit coefficients of the reducing polynomial for GF(2^''k'') are interpreted as ''m'' bit elements 0 or 1 of GF(2^''m''), and there will be ''m'' primitive factors of degree ''n'', any of which can be used as the reducing polynomial for GF((2^''m'')^''n''). Mapping to a composite field can be generalized to map GF(''p''^''k'') to a composite field such as GF((''p''^''m'')^''n''), for ''p'' any prime.

Program examples

C programming example

Here is some C (programming language), C code which will add and multiply numbers in the characteristic 2 finite field of order 2⁸, used for example by Rijndael algorithm or Reed–Solomon, using the Russian peasant multiplication algorithm:

/* Add two numbers in the GF(2^8) finite field */
uint8_t gadd(uint8_t a, uint8_t b)

/* Multiply two numbers in the GF(2^8) finite field defined
* by the modulo polynomial relation x^8 + x^4 + x^3 + x + 1 = 0
* (the other way being to do carryless multiplication followed by a modular reduction)
*/
uint8_t gmul(uint8_t a, uint8_t b)

This example has cache, timing, and branch prediction side-channel leaks, and is not suitable for use in cryptography.

D programming example

This D program will multiply numbers in Rijndael's finite field and generate a PGM image:

/**
Multiply two numbers in the GF(2^8) finite field defined
by the polynomial x^8 + x^4 + x^3 + x + 1.
*/
ubyte gMul(ubyte a, ubyte b) pure nothrow

void main()

This example does not use any branches or table lookups in order to avoid side channels and is therefore suitable for use in cryptography.

See also

* Zech's logarithm

References

Sources

* (reissued in 1984 by Cambridge University Press ).
*

External links

*
*
*
* {{cite web, url=http://web.eecs.utk.edu/~plank/plank/papers/CS-07-593/, title=Fast Galois Field Arithmetic Library in C/C++, first1=James S., last1=Planck, year=2007
* Wikiversity: Reed–Solomon for Coders – Finite Field Arithmetic

Arithmetic
Arithmetic
Articles with example D code
Articles with example C code