Cryptology - I: Appendix D - Review of Galois Field Theory

Instructors: R.E. Newman-Wolfe and M.S. Schmalz

Field theory is an important subdiscipline of cryptography that helps us determine fundamental abstract relationships between symbol sets and mappings. In this class, we will use field theory primarily to demonstrate the utility of encryptions, and as background for cryptanalysis.

In this section, we present an introduction to Galois fields, also called finite fields. The crux of this presentation is that all finite fields can be generated by (a) constructing the ring of polynomials over a prime ground field and (b) by the choice of an irreducible polynomial of appropriate degree. There are many choices for irreducible polynomials, namely, O(p^n-1) for a given p and n. This large polynomial space has yet to be explored extensively in the open literature of cryptology.

Additionally, the study of structural requirements of two operations related by distributivity, as well as the difficulty of solving even small inversion problems inside small fields, leads directly to the development of functions whose inversion is not tractable. This has direct application in public key cryptosystems.

For those who are mathematically inclined, a more detailed summary of finite fields is given in [Lid83]. Much of the development of this section is a corrected and elaborated version of Patterson [Pat87], to which the reader is referred for an interesting (but notationally ambiguous) overview. We will follow the general development given by Patterson, which demonstrates the key structure theorem for finite fields.

D-1. Basic Concepts of Fields.

• Definition. A group F = (F,·) contains a set F with a binary operation · : F × F -> F that has the following properties:
  1. Closure, meaning that the result of operation · is in F, which comprises the domain of · (i.e., domain(·) = F×F);
  2. Associativity, i.e., (f · g) · h = f · (g · h) for all f,g,h F;
  3. Identity e such that e · f = f · e = f for all f F; and
  4. Inverse: For each f F, there exists f^-1F such that f · f^-1 = f^-1 · f = e.

  Example. F = Z with addition (· = +) having identity e = 0, where f^-1 = -f.

  Example. F = Z_n with addition (· = +) taken modulo n, identity e = 0, and inverse
  f^-1 = n - f. Thus, a+b 0 (resulting from mod n).

  Example. Let F = Z_p \ {0}, a prime number p, and a group G = (F,·) with the operation · taken modulo p. Observe that:

  1. By definition of modulo-p multiplication, · is closed over F.
  2. Multiplication modulo p is associative, i.e.,

     f · g · h = f · g · h, f,g,hF.

     The proof of this assertion is left as an exercise for the reader.
  3. Modulo-p multiplication has identity e = 1.
  4. For each f in F, there exists an inverse f^-1, such that

     f · f^-1 = e, fF.

     The proof of this assertion is left as an exercise for the reader.

  Observation. If F = Z_m \ {0} and m is not prime, then there exists some x,y F such that x and y have the same inverse. The proof is left as an exercise to the reader.

  Remark. The reals with multiplication (R, ·) are not a group, because zero has no multiplicative inverse. However, (R\{0}, ·) and (R⁺, ·) are groups.

Definition. A subgroup G' = (G,·) of a group G = (F,·) is a group such that GF.

Example. (Q,·) is a subgroup of (R\{0},·) .

Example. (Z,+) is a subgroup of (Q,+).

• Definition. An onto mapping M : S -> S maps elements in S to all elements in S.

  Example. An onto mapping M: {1,2,3} -> {1,2,3} is exemplified by the graph G(M) = {(1,3), (1,2), (2,1)}.

  Remark. It follows that, if M is an onto mapping, then p₂(G(M)) = range(M), where p₂ denotes projection onto the second coordinate.

  Definition. A one-to-one mapping M : S -> S maps a given element of S to one and only one element of S.

  Example. A one-to-one mapping M: {1,2,3} -> {1,2,3} is exemplified by the graph G(M) = {(1,3), (3,2), (2,1)}.

  Definition. A bijection on F is a one-to-one and onto mapping.

  Example. Let S = {a,b,c} and T = {1,2,3}. A bijection f: S -> T could have the graph G(f) = {(a,1),(b,3),(c,2)}. The mapping is one-to-one, i.e., each element of S maps uniquely to an element of T. Additionally, f is onto, since |G(f)| = |T|.

  Example. Let S = {a,b,c} and T = {1,2,3}. Let f: S -> T have the graph G(f) = {(a,1),(b,1),(c,2)}. The mapping is not one-to-one, since two elements of S (a and b) map to the same element of T, namely, 1.

  Example. Let S = {a,b,c} and T = {1,2,3,4}. The mapping f: S -> T cannot be a bijection, since the condition |T| > |S| obviates the onto property.

  Definition. A permutation is a bijection. Example. Let S = {a,b,c} and let a = (a,c,b). If f is a permutation on S, then f(a) could have as its result (a,b,c) but not (a,a,c).

  Definition. Let A be a set with n members, and let S = { | : A -> A } denote a set of permutations on A.

  Observation. G = (S,o) is a group, where o denotes functional composition.

  One can prove the group properties of G, as follows:

  1. Closure. A permutation is a bijection. The composition of bijections is a bijection.
  2. Identity. Let the identity permutation (a) = a, where a denotes an element of A. Given ₁S, o ₁ = ₁ o = ₁, which is easily verified by inspection.
  3. Associativity. This property follows from the fact that composition is associative.
  4. Inverse. Each permutation ₁ S has an inverse (₁)^-1, S such that ₁ o (₁)^-1 = , the identity permutation.

Remark. The set of all permutations on F, denoted by S_F, is called a symmetric group, since

1. The composition of any two permutations is a permutation, which implies that closure is preserved; and

2. The inverse of any permutation f is that permutation which returns the input of f to its original order.

Remark. S_F is important in group and field theory, since every group is contained in some permutation group.

We next discuss fields, with emphasis upon the finite discrete case (i.e., Galois fields).

• Definition. An Abelian group is a group with a commutative operation.

  Definition. A field F = (F,+,·) contains a set F with two binary operations +,· : F × F -> F, such that:

  • If e denotes the identity of F with respect to the operation +, then (F,·) and
    (F \ {e}, +) are Abelian groups;
  • The operations + and · distribute as

    f · (g + h) = (f · g) + (f · h), f,g,h F .

  Example. F = R with addition (identity 0) and multiplication (identity 1).

  Example. F = Z_n, where n is a prime with + and · taken modulo n.

D-2. Rings, Subrings, Integral Domains, and Ideals.

• Definition. A ring R = (F,+,·) contains a set F with two binary operations +,· : F × F -> F, such that:
  1. (F,+) is an Abelian group;
  2. The operation · is associative; and
  3. The operation · distributes with respect to multiplication as

     f · (g + h) = (f · g) + (f · h), (g + h) · f = (g · f) + (h · f), f,g,h F ,

     and hence is commutative.

  Remark. F need not contain an inverse under ·. For example, the operation of multiplication does not have an inverse with respect to the zero element in (R,·).

  Example. The integers (Z,+,·) form a ring.

  Example. A field (F,+,·) is a ring.

The following structures exist between rings and fields.
• Definition. A ring (F,+,·) is called a ring with identity if eF such that

  f = e · f = f · e, fF .

  Definition. A ring (F,+,·) is called a commutative ring if the operation · is commutative.

  Definition. An element fF of a ring R = (F,+,·) is called a unit if f^'F such that

  f · f^' = f^' · f = e,

  where e denotes the identity of F with respect to operation · . The set of all f^' in R form a group, called the group of units.

  Definition. A division ring R = (F,+,·) with identity IF under the operation · satisfies the following condition:

  f · g = g · f, f0I, gI .

  Thus, the group of units in R = F\{0}.

  Observation. If R = (F,+,·) is a commutative division then R is a field.

• Definition. An integral domain is a commutative ring (Z,+,·) with identity.

  Definition. A finite integral domain is an integral domain whose set is finite.

  Theorem 1. Every finite integral domain R = (F,+,·) is a field.

  Proof. Let nonzero f₁, f₂, ..., f_n F and choose some nonzero fF to form the distinct products f·f₁, f·f₂, ..., f·f_n. (If the products were not distinct, then there would exist some f_i,f_j such that f·f_i = f·f_j, which implies that f · (f_i - f_j) = 0. This would imply that f has a zero divisor, and R would not be an integral domain.) Thus, one of the n products, denoted as f · f_k, must be the identity of the operation · , so f_k is the inverse of f, and similarly for all nonzero fF. Thus, (F,·) is a commutative group and R is a field.

  Definition. A subring R' = (G,+,·) of a ring R = (F,+,·) is a ring such that GF and (G,+) is a subgroup of (F,+).

  Definition. A subring R' = (G,+,·) of R = (F,+,·) is called an ideal or two-sided ideal if

  f · g = g · f, fF, gG.

  If f · g (or g · f) is in F, then R' is called a left (right) ideal. However, this distinction is moot in commutative rings, which are two-sided ideals.

  Definition. Given a ring (R,+,·) and an element rR, the symbol (r) denotes an ideal

  (r) = {r'·r + n·r : r' R, nZ} .

  Note that (r) is called a principal ideal generated by r.

  Definition. An ideal R' partitions the set F in a ring R = (F,+,·) into disjoint residue classes denoted by R/R' .

  Theorem 2. If R = (F,+,·) is a ring with ideal R' = (G,+,·), then R/R' forms a ring with operations

  (f + G) + (g + G) = f + g + G and
  (f + G) · (g + G) = f · g + G , f,gF.

  Proof. The proof is left as an exercise, which might be assigned as homework.
  Hint: Show that (F/G,+) is an Abelian group.

  The following figure illustrates the relationships between algebraic structures that have one or more binary operations.

  
  
  Figure 1. Algebraic Structures with Binary Operations.

  Theorem 3. Let pZ be prime and let Z = (Z,+,·). The residue classes Z/p form a field denoted by Z_p.

  Proof. From the preceding theorem, Z_p is finite and we need only show that Z_p is an integral domain. For purposes of argument, let (f + (p)) · (g + (p)) = 0 + (p), which means that there exists constants k₁,k₂,k₃ Z such that

  (f + k₁(p)) · (g + k₂(p)) = 0 + k₃(p).

  Thus, fg = (k₃ - k₁g - k₂f) · p, which means that f or g divides p. Let f divide p and let k₄Z. Then, a = k₄p and

  a + (p) = 0 + (p) ,

  which is a contradiction. Thus, Z_p is an integral domain.

• Definition. If R = (F,+,·) is a ring, and n is the smallest positive integer such that nr = 0, r R, then char(R) n denotes the characteristic of R. If n does not exist, then R is said to have characteristic zero.

  Theorem 4. If R is a nonzero ring with

  (a) identity,
  (b) positive characteristic, and
  (c) no zero divisors,

  then R has prime characteristic.

  Proof. The characteristic of a nonzero ring R = (F,+,·) is at least two. For purposes of argument, assume that n is composite and factors as n = km. It follows that

  0 - n · 1 = km · 1 = (k · 1) · (m · 1),

  which implies k · 1 = 0 or m · 1 = 0, since there exists no zero divisors of n. This further implies k · 1 · f = 0 or m · 1 · f = 0, fF. Thus, char(R) < n, a contradiction. Therefore n must not be factorable, so n is prime.

  Theorem 5. Finite fields have prime characteristic.

  Proof. If F = (F,+,·) is a finite field with multiplicative identity 1, then K = {k > 1 : k · 1 = 0} is finite. For fF\K, we have k · = k · 1 · · f = 0. Thus, 0 < char(F) k. By Theorem 4, char(F) is prime.

• Definition. I is a prime ideal of ring R = (F,+,·) if f,gF, f · g I implies either
  fI or gI.

  Definition. A maximal ideal I of ring R = (F,+,·) exists if

  (i) J I implies that J = I, or
  (ii) J = F .

  Definition. A ring R is a principal ideal domain (PID) if R is an integral domain and every ideal of R is a principal ideal.

  Theorem 6. If R = (F,+,·) is a commutative ring with identity and ideals I,J, then the following statements hold:

  1. I is a maximal ideal iff R/I is a field.
  2. J is a prime ideal iff R/J is an integral domain.
  3. All maximal ideals of R are prime ideals.
  4. If R is a PID, then R/(p) is a field iff pF is prime.
  Proof. (1, if part): For some Mdomain(+), if aM then I = {af+m : fF, mM} is an ideal of F. If IM then I = F, which implies that af+m = 1 for some fF and mM}. Thus, if a + m F/M does not equal 0 + m, then

  (a + M) · (f + M) = a f + M = (1-m) + M = 1 + M,

  which implies that R/M is a field.
  
  (1, only-if part): Let I M and I M be an ideal of R. For aI\M, a + M has an inverse, since R/M is a field. Thus,

  (a + M) · (r + M) = 1 + M

  implies af+m = 1 for some mM, which further implies that 1I. If the preceding statements hold, then I = F and M is a maximal ideal of R.
  
  (2, if part): Assume that P is a prime ideal of R. Then R/P is a commutative ring with identity and 1 + P 0 + P. If R/P is not an integral domain and (f + P) · (g + P) = 0 + P, then if fgP, where f,gF, either fP or gP. This implies that R/P has no divisors. Therefore, R/P is an integral domain.
  
  (2, only-if part): If R/P is an integral domain and fgP, then (f + P) · (g + P) = 0 + P. Since R/P is an integral domain, either (f + P) = 0 + P or (g + P) = 0 + P. Thus, if either fP or gP, then P is a prime ideal.
  
  (3,4): follow from Parts 1 & 2 and the preceding theorems.

D-3. Polynomial Rings.

• Definition. Given a ring R = (F,+,·), the corresponding polynomial ring P = (F[x],+,·) is defined as

  F[x] = {f(x): f(x) = f₀ + f_i· xⁱ, f₀,f_iF} .

  Definition. The highest nonzero coefficient f_n of a polynomial f(x) is called the leading coefficient, and f is called the constant term. The degree of a polynomial whose leading coefficient is f_n is n. If the leading coefficient is an element of the ring P = (F[x],+,·), then f(x) is said to be monic.

  Definition. Given polynomials f(x) = f_i· xⁱ, f_iF and g_i· xⁱ, g_iF, polynomial addition is defined as

  h(x) = f(x) + g(x) = (f_i + g_i) · xⁱ + r ,

  where k = (m,n) and

  r = g_i · xⁱ

  with l = (m,n) if m > n, and symmetrically (using f instead of g) if m < n.

  Definition. Given multiplication over monomials expressed as

  fx^m · gxⁿ = f·g·x^m+n ,

  multiplication over polynomials of equal degree follows from the distributive property as

  %%%LEFT OFF HERE%%%

References.

[Lid83] Lidl, R. and H. Niederreiter. "Finite Fields", in Encyclopedia of Mathematics, Reading, MA: Addison-Wesley (1983).

[Pat87] Patterson, W. Mathematical Cryptology for Computer Scientists and Mathematicians, Totowa, NJ:Rowan and Littlefield (1987).

This concludes our discussion of basic field theory. More involved concepts will be defined when they are introduced in theory development.