350 likes | 626 Vues
COM5336 Cryptography Lecture 12 Construction & Basic Properties of Finite Fields. Scott CH Huang. COM 5336 Cryptography Lecture 10. COM5137: Finite Field and Its Applications in Engineering. Construction of Finite Fields. Ideas. We wish to construct a finite field from a Euclidean domain.
COM5336 CryptographyLecture 12Construction & Basic Properties of Finite Fields Scott CH Huang COM 5336 Cryptography Lecture 10
COM5137: Finite Field and Its Applications in Engineering Construction of Finite Fields COM 5336
Ideas • We wish to construct a finite field from a Euclidean domain. • Elements of a Euclidean domain may not have multiplicative inverses. We wish to find this cause and somehow “remove” this cause. • The idea of “removing this cause” is analogous to “dividing an algebraic structure”. COM 5336
Equivalence Relations • Let S be any set. A relation ~ on S is an equivalence relation iff the following three conditions hold: • Reflexivity: a~a for any a in S. • Symmetry: For any a,b in S, a~b implies b~a. • Transitivity: For any a,b,c in S, if a~b and b~c then a~c. • Any equivalence relation on a set induces a partition of this set. COM 5336
Equivalence Relation on an Algebraic Structure • We may be able to define similar operations on these partitioned subsets. • However, we have to make sure such operations are well-defined. • The resulted “quotient” structure may be similar to the mother structure. i.e. quotient groups, quotient rings, quotient spaces (in a vector space),… COM 5336
Theorem • Given a Euclidean domain D and a prime p. Then D mod p is a field. • Application: Consider the polynomial ring . Find an irreducible polynomial . Then is a field. COM 5336
Direct Construction of Finite Fields • Consider the polynomial ring over a field .Find an irreducible polynomial . Then is a field. • In short, if we consider the polynomial ring over and find an irreducible polynomial of degree n, then is a finite field of pn elements. This is how we construct the Galois field GF(pn). • is also written as in some Math books. COM 5336
An Example: GF(128) in AES • The irreducible polynomial: • GF(128) is constructed as COM 5336
Alternative View of GF(pn) • Let be the irreducible polynomial used to construct GF(pn). • We can view GF(pn) as follows. “Imagine” is a solution to the equation . Then GF(pn) is a vector space over GF(p) of with basis and an “extra” relation • For example: Let be a solution to GF(128) is a vector space over with basis with the relation . COM 5336
Number of Elements in Finite Fields • Theorem : Let be a finite field. Then , for some prime number and . COM 5336
COM5137: Finite Field and Its Applications in Engineering Basic Properties of Finite Fields COM 5336
Homomorphism • A homomorphism is a structure-preserving map between two algebraic structures. • The definition depends on the type of algebraic structure under consideration. • A group homomorphism is a homomorphism between two groups. • A ring homomorphism is a homomorphism between two rings. COM 5336
Group Homomorphism • A group homomorphism from (G,*) to (H,·) is a function COM 5336
Group Homomorphism (cont) • We define the kernel of h to be the set of elements in G which are mapped to the identity in H, i.e., • We define theimage of h to be • Ker(h) is a (normal) subgroup of G and Im(h) is a subgroup of H. • Lagrange Theorem: If G is a finite group and H is a subgroup of G. Then COM 5336
Ring Homomorphism • A ring homomorphism from R to S is a function • h(u+v)=h(u)+h(v) • h(uv)=h(u)h(v) • The kernel of h is defined to be the set of elements in R mapped to the 0 in S, i.e., • Ker(h) is an ideal of R and Im(h) is a subring of S. COM 5336
Isomorphism • If a homomorphism is bijective (both injective and surjective), it is called an isomorphism. COM 5336
Subfield and Field Extension • If are both fields and . Then is called a field extension of and is called a subfield of . • We can view as a vector space over by defining the scalar product as field multiplication. COM 5336
Ring Homomorphism from Zp to F • Let be a finite field and . • p must be a prime. (why?) • Define as follows: • h(0)=0. h(1)=1. • h(n+1)=h(n)+h(1) • h is a ring homomorphism. i.e., • h(m+n)=h(m)+h(n) • h(mn)=h(m)h(n) COM 5336
Ring Homomorphism from Zp to F • h is injective. • Im(h) is a subfield of . • Therefore, contains a subfield isomorphic to . This subfield is called the prime subfield of . • Every field of characteristic p (p<∞) contains a prime subfield isomorphic to . In fact, every field of characteristic 0 contains a prime subfield isomorphic to . COM 5336
Cyclic Subgroup and Order of an Element • Let G be a finite group and αG. • Since G is finite, the set {e,α,α2,…} is finite. At some point, there must be some repetition. • Let αk=αk+t be the first repetition. Then αt=e. This t is called the order of α, denoted by ord(α). COM 5336
Multiplicative Structure of a Finite Field • Given a finite field . Consider the multiplicative group . • For any . We have . • Lemma: If and the deg(p(x))=m, then p(x)=0 can have at most m solutions. • Lemma: Let ord(α)=t. Then ord(αi) =t/gcd(i,t). COM 5336
The Euler φ-function • φ(n) is defined as “the number of integers in {1,2,…,n-1} that are relatively prime to n. • Formally, • The multiplicative group has φ(n) elements. • Theorem: In any field , there are either no element of order t or exactly φ(t) elements of order t. • Theorem: COM 5336
Theorem: Let be a finite field with q elements. . If t does not divide (q-1), then there are no elements of order t. If t divides (q-1), then there are exactly φ(t) elements of order t. • Corollary: In any finite field of size q, there exists at least one element α of order q-1. i.e., the multiplicative group is cyclic. (This can also be proved by applying the Fundamental Theorem of Finite Abelian Groups). • Definition: Such α is called a primitive root of . COM 5336
Fundamental Theorem of Finite Abelian Groups Every finite abelian group G can be expressed as the direct sum of cyclic subgroups of prime-power order. In other words, every finite abelian group is isomorphic to where k1, k2,… can be are powers of primes. (Primary decomposition). Or equivalently, k1|k2, k2|k3 ,… (Invariant factor decomposition) COM 5336
An Example of Finite Abelian Group Decomposition 360=23*32*5. COM 5336
Proof of Existence of Primitive Elements • Let be a finite field. Then is a finite abelian group. • Apply the fundamental theorem of finite abelian group with invariant factor decomposition: where • Therefore, • The above means every element in is a solution to the equation , which has degree • Moreover, 0 is also a solution to this equation, so this equation has exactly solutions in . • Since the number of solutions in a field cannot exceed its degree, we have is cyclic and there exists an element of order . COM 5336
Gauss’s Algorithm • Set i=1. Pick . Let ord(α1)=t1. • If ti=q-1, stop and return αi. • Otherwise we choose , β is not a power of αi. Let ord(β)=s. If s=q-1, stop and return αi+1 =β. • Otherwise we find d|ti and e|s with gcd(d,e)=1 and de=lcm(ti,s). Let αi+1 = and ti+1=lcm(ti,s). i=i+1. Goto step 2. COM 5336
Lemma: Let ord(α)=m, ord(β)=n. gcd(m,n)=1. Then ord(αβ)=mn COM 5336
Minimal Polynomials • Theorem 5.9: Let be a finite field of size pm . . Then there is a polynomial (where the prime subfield of ) such that • p(α)=0 • deg(p) ≤ m • If such that f(α)=0, then p(x)|f(x). • Such p(x) is called a minimal polynomial of α w.r.t. . If we only consider monic polynomials, then the minimal polynomial is unique. COM 5336
Primitive Polynomials • For any finite field and , the minimal polynomial of α exists. (Why?) • The minimal polynomial of a primitive root of is called a primitive polynomial. • It is quite convenient to represent a finite field using its primitive polynomial. COM 5336
Let be a finite field and be a subfield (not necessarily the prime subfield). Let . Then there is a unique monic polynomial such that • p(α)=0 • If such that f(α)=0, then p(x)|f(x). • Lemma: Let be a finite field and be a subfield (not necessarily the prime subfield). Let . Let . Then iff . COM 5336
Conjugates • Let be two fields, . If p(α)=0. Then p(αq)=0. • Therefore, if α is a zero of p(x), so is • These elements are called the conjugates of α. COM 5336
Number of Distinct Conjugates • The number d of distinct conjugates of α is called the degree of α. • Theorem: Let d be the degree of α and n is the dimension of vector space over . Then d|n, and d can be determined as the smallest integer holds. Moreover, if then COM 5336
Explicit Formula for Minimal Polynomial • Let be a finite field and be one of its subfields with and . Let Then the minimal polynomial of αw.r.t. is given by where d is the degree of α w.r.t. . COM 5336