Notes on Cryptography
2012-01-14 23:36
204 查看
The operators in conventional arithmetic (divide, multiply, add, subtract etc) deal with infinite or unbounded numbers. Computer hardware uses binary arithmetic where integer results are stored in registers, bytes or words
of a finite size.Dealing with the overflows caused by very large calculations is a considerable problem if the result is to be used in bit by bit error detection.GF(256) is a field consisting of the every integer in the range 0 to 255 arranged in a particular
order. If you could devise an arithmetic where the result of each operation produces another number in the field the overflow issues could be avoided.
The generation (ordering) of the field is key.
A Galois field gf(p) is the element 0 followed by the (p-1) succeeding powers of α :1, α1, α2, ..., αp-1
Extending the gf(2) field to 256 elements that fit nicely in a computer byte: gf(28) = gf(256). Substituting the primitive element[b]α=2
in the galois field it becomes 0, 1, 2, 4, 8, 16, and so on. This series is straightforward until elements greater than 127 are created. Doubling element values 128, 129, ..., 254 will violate the range by producing a result greater than 255.
Some way must be devised to "fold" the results back into the finite field range without duplicating existing elements (this lets modulo 255 aritmetic out). This requires an irreducible primitive polynomial. "Irreducible" means it cannot be factored into smaller
polynomials over the field.
[/b]
0 α0 α1 α2 α3 α4 α5 α6.... α253 α254
[b]pp = x8+x4+x3+x2+1 =100011101=285[/b] α=2时 借助xor pp可以得到: 0
1 2 4 8 16 32 64 128 29 58 116 .....173 71 142
var galois:array [0..255] of byte;
function checkgp(pp:integer):boolean; // check proposed primitive generates each element only once
var
found:array [0..255] of boolean;
i:integer;
x,loop:integer;
begin
result:=true;
for i:=0 to 255 do found[i]:=false;
galois[0]:=1;
found[0]:=true; // 1^0=1
x:=1;
for loop:=1 to 255 do
begin
x:=x*2;
if x>255 then x:=x xor pp; // when element overflows xor with primitive
galois[loop]:=x;
if found[x]=true then
begin
result:=false; // reject this as a primitive polnomial this element was generated already
break;
end else found[x]:=true;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
i,xi:integer;
ss:string;
begin
for i:=256 to 256+255 do
if checkgp(i) then
begin
ss:='';
for xi:=0 to 254 do ss:=ss+inttostr(galois[xi])+' ';
ss:='pp='+inttostr(i)+' '+ss;
memo1.Lines.Add(ss);
end;
end;
pp = 301 = x8+x5+x3+x2+1
The concept of a generator of a finite field.
A generator is an element whose successive powers take on every element except the zero. For example, in the fieldZ13, try successive powers of several elements, looking for a generator:
Try powers of 5, taken modulo 13:51=5, 52%13=12, 53%13=(12*5)%13=8, 54%13=(8*5)%13=1,
so succesive powers of5 just take on the values
5, 12, 8,
1, and repeat, so that5 is not a generator.
Try powers of 4, taken modulo 13:41=4,
42%13= 3,43%13=(3*4)%13=12,
44%13=(12*4)%13=9,45%13=(9*4)%13=10,
46%13=(10*4)%13=1, so successive powers make a longer cycle, just 4,3,
12, 9,10,
1, and repeat, so 4 is also not a generator.
Try successive powers of 2, taken modulo 13:21=2,
22%13=4,23%13=8,
24%13=3,25%13=(3*2)%13=6,
26%13=(6*2)%13=12,27%13=11,
28%13=9,29%13=5,
29%13 =10,29%13=7,
36%13=1, so successive powers take on all non-zero elements:2,
4, 8,3,
6, 12,11,
9, 5,10,
7, 1, and repeat, so2 is a generator.
0x03, which is the same as x + 1 as a polynomial, is the simplest generator forGF(28).Its powers take on all
255 non-zero values of the field.The table of ``exponentials'' or ``anti-logs'' gives each possible power.
Suppose one wants the product b6 * 53 . Use the
L table above to look up b6 and
53: L(b6)=b1 and L(53)=30. This means that
If the sum above gets bigger than ff, just subtract
255. This works because the powers of 03 repeat after255 iterations. Now use the
E table to look up(03)(e1), which is the answer:
(36).
The Multiplicative Inverse of Each Field Element.
Later work with the AES will also require the multiplicative inverse of each field element except0, which has no inverse. This inverse is easy to calculate. Ifg is the generator
03 , then the inverse ofgrs is
gff - rs. For example, to find the inverse of6b, look up in the ``log'' table to see that
6b = g54, so the inverse of6b is
gff - 54 = gab, and from the "exponential" table, this isdf.
The essence of "arithmetic" in the Galois field is that the computer is never confronted with numbers that are too large to process;
To calculate ECC (error correction codes) a large polynomial representing incoming data is divided by another "generator" polynomial.
f(x) ÷ gp(n) --> r(x)
The message followed by the ECC produced in r(x) are sent to a decoder. If the operation can be repeated and the same ECC is produced then the message is intact and no error correction is required. If some bits are corrupted then an iterative process is engaged
to locate and (if a number of equations are soluble) correct the errors. If a solution cannot be found the message is left intact (there is a chance all the errors were in the ECC bytes).
The PRODUCT of A and B is the ANTILOG of the MODULUS 255 sum of their LOGS. The LOG and ANTILOG functions can be pre-calculated as tables. We have already computed the ANTILOG for a given primitive polynomial (pp=285) .
i.e. An array of 255 bytes = 1, 2, 4, 8, 16, 32, 64, 128, 29, ..., 142
The LOG array is indexed from 1 to 255 = 0, 1, 25, ..., 175 e.g. LOG[255]=175 , ANTILOG[175]=255
The Galois Field GF(23) = GF(8) based on P(x) = x3 + x + 1
in GF(8) addition and subtraction are equivalent operations, the minus signs may be replaced with plus signs.
The terms aN serve to describe this GF(8). Equivalent values are shown in 3-bit binary and decimal.
The defining polynomial P(x) essentially becomes the modulus for all operations on this set. Each result in aN represents the remainder when xN is divided by P(x). For any P(x) of order 3, remainders will have 3-bits.
For this P(x) of order 3, a complete set of 23 - 1 = 7 non-zero elements is defined by successive terms in aN. This choice of P(x) is aprimitive prime polynomial.
The 3-bit terms including [000] describe a Galois field GF(23) generated by P(x).
Addition Example:a5 + a5 = (111) + (111) = (000) = 0 Multiplication Example:a5 × a5 = a(5+5) = a10 = a3
this polynomial M(x) has 3-bit coefficients defined in terms of aN:
G(x) = 1 x2 + 6 x + 3
F(x) = 6 x4 + 1 x3 +
2 x2 + 2 x + 1
Multiply F(x) by x2 to append two zeros, then divide by G(x) .
F(x) x2 = 6 x6 + 1 x5 +2 x4 +2 x3 +1 x2 +0 x +0
(F(x) x2) / G(x) = (6 3 2 0 7), remainder ([b]4 2) [/b]
A=6 1 2 2 1 0 0 B= 1 6 3
Division in GF(8), based on P(x) = x3 + x + 1
[align=center]To understand what goes on in S and mix-cols we will need to review a bit of algebra. We describe a way to do arithmetic on bytes. [/align]
Identify each byte a = a7a6a5a4a3a2a1a0 with the formal polynomial a7x7 +a6x6 +a5x5 +a4x4 +a3x3 +a2x2 +a1x+a0. We can add two bytes by taking their
bitwise xor. We can multiply two bytes to get a degree 14 (or less) polynomial, and then take the remainder of this polynomial by the fixed irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
This remainder polynomial is a polynomial of degree at most seven which can be regarded as a byte.
GF(28)|
the Galois field on 2^8= 256 points.As a finite field, you can find the inverse of any nonzero field point.
[align=center]Since m(x) is another name for zero:m(x) = x8 + x4 + x3 + x + 1 [/align]
x^8 = x^4 + x^3 + x + 1 ={1b} So it is easy to multiply a byte a by the byte x = {02},shift the 8-bit byte a one position to the left, letting the first bit fall off (but remember it) and shifting a zero into the last bit position. We write this operation
<< 1. If that first bit of a was a 0, we are done. If the first bit was a 1, we need to add in (that is, xor in) x^8={1b},In summary, for a a byte, a * x = a *{02} is a<< 1 if the first bit of a is 0, and it is (a << 1) xor {1b} if the first bit of a is 1.
[align=center] [/align]
[align=center] For example, to compute {a1}*{03}={a1}*{02} xor {a1}*{01}={42}*{1b}*{a1} = {f8}[/align]
All arithmetic is in GF(2), meaning that addition of bits is their xor and multiplication of bits is the conjunction(and).
function expand(K)
K0 <- K
for i <-1 to 10 do
Ki[0] <- Ki-1[0] xor S(Ki-1[3] << 8) xor Ci
Ki[1] <-Ki-1[1] xor Ki[0]
Ki[2] <-Ki-1[2] xor Ki[1]
Ki[3] <-Ki-1[3] xor Ki[2]
[align=center]return (K0...;K10)[/align]
The AES128 key-expansion algorithm maps a 128-bit key K into eleven 128-bit subkeys,K0...K10. Constants (C1...;C10) are f02000000, 04000000, 08000000, 10000000, 20000000,40000000, 80000000g, 1B000000, 36000000, 6C000000.
Imagine plastering the 16 bytes of s = s0s1.. s15 going top-to-bottom, then left-to-right, to make a 4* 4 table:
s0 s4 s8 s12
s1 s5 s9 s13
s2 s6 s10 s14
s3 s7 s11 s15
of a finite size.Dealing with the overflows caused by very large calculations is a considerable problem if the result is to be used in bit by bit error detection.GF(256) is a field consisting of the every integer in the range 0 to 255 arranged in a particular
order. If you could devise an arithmetic where the result of each operation produces another number in the field the overflow issues could be avoided.
The generation (ordering) of the field is key.
A Galois field gf(p) is the element 0 followed by the (p-1) succeeding powers of α :1, α1, α2, ..., αp-1
Extending the gf(2) field to 256 elements that fit nicely in a computer byte: gf(28) = gf(256). Substituting the primitive element[b]α=2
in the galois field it becomes 0, 1, 2, 4, 8, 16, and so on. This series is straightforward until elements greater than 127 are created. Doubling element values 128, 129, ..., 254 will violate the range by producing a result greater than 255.
Some way must be devised to "fold" the results back into the finite field range without duplicating existing elements (this lets modulo 255 aritmetic out). This requires an irreducible primitive polynomial. "Irreducible" means it cannot be factored into smaller
polynomials over the field.
[/b]
0 α0 α1 α2 α3 α4 α5 α6.... α253 α254
[b]pp = x8+x4+x3+x2+1 =100011101=285[/b] α=2时 借助xor pp可以得到: 0
1 2 4 8 16 32 64 128 29 58 116 .....173 71 142
var galois:array [0..255] of byte;
function checkgp(pp:integer):boolean; // check proposed primitive generates each element only once
var
found:array [0..255] of boolean;
i:integer;
x,loop:integer;
begin
result:=true;
for i:=0 to 255 do found[i]:=false;
galois[0]:=1;
found[0]:=true; // 1^0=1
x:=1;
for loop:=1 to 255 do
begin
x:=x*2;
if x>255 then x:=x xor pp; // when element overflows xor with primitive
galois[loop]:=x;
if found[x]=true then
begin
result:=false; // reject this as a primitive polnomial this element was generated already
break;
end else found[x]:=true;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
i,xi:integer;
ss:string;
begin
for i:=256 to 256+255 do
if checkgp(i) then
begin
ss:='';
for xi:=0 to 254 do ss:=ss+inttostr(galois[xi])+' ';
ss:='pp='+inttostr(i)+' '+ss;
memo1.Lines.Add(ss);
end;
end;
pp = 301 = x8+x5+x3+x2+1
The concept of a generator of a finite field.
A generator is an element whose successive powers take on every element except the zero. For example, in the fieldZ13, try successive powers of several elements, looking for a generator:
Try powers of 5, taken modulo 13:51=5, 52%13=12, 53%13=(12*5)%13=8, 54%13=(8*5)%13=1,
so succesive powers of5 just take on the values
5, 12, 8,
1, and repeat, so that5 is not a generator.
Try powers of 4, taken modulo 13:41=4,
42%13= 3,43%13=(3*4)%13=12,
44%13=(12*4)%13=9,45%13=(9*4)%13=10,
46%13=(10*4)%13=1, so successive powers make a longer cycle, just 4,3,
12, 9,10,
1, and repeat, so 4 is also not a generator.
Try successive powers of 2, taken modulo 13:21=2,
22%13=4,23%13=8,
24%13=3,25%13=(3*2)%13=6,
26%13=(6*2)%13=12,27%13=11,
28%13=9,29%13=5,
29%13 =10,29%13=7,
36%13=1, so successive powers take on all non-zero elements:2,
4, 8,3,
6, 12,11,
9, 5,10,
7, 1, and repeat, so2 is a generator.
0x03, which is the same as x + 1 as a polynomial, is the simplest generator forGF(28).Its powers take on all
255 non-zero values of the field.The table of ``exponentials'' or ``anti-logs'' gives each possible power.
| Table of ``exponentials'': E(rs) = 03^rs | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| E(rs) | s | |||||||||||||||
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f | |
| r | ||||||||||||||||
| 0 | 01 | 03 | 05 | 0f | 11 | 33 | 55 | ff | 1a | 2e | 72 | 96 | a1 | f8 | 13 | 35 |
| 1 | 5f | e1 | 38 | 48 | d8 | 73 | 95 | a4 | f7 | 02 | 06 | 0a | 1e | 22 | 66 | aa |
| 2 | e5 | 34 | 5c | e4 | 37 | 59 | eb | 26 | 6a | be | d9 | 70 | 90 | ab | e6 | 31 |
| 3 | 53 | f5 | 04 | 0c | 14 | 3c | 44 | cc | 4f | d1 | 68 | b8 | d3 | 6e | b2 | cd |
| 4 | 4c | d4 | 67 | a9 | e0 | 3b | 4d | d7 | 62 | a6 | f1 | 08 | 18 | 28 | 78 | 88 |
| 5 | 83 | 9e | b9 | d0 | 6b | bd | dc | 7f | 81 | 98 | b3 | ce | 49 | db | 76 | 9a |
| 6 | b5 | c4 | 57 | f9 | 10 | 30 | 50 | f0 | 0b | 1d | 27 | 69 | bb | d6 | 61 | a3 |
| 7 | fe | 19 | 2b | 7d | 87 | 92 | ad | ec | 2f | 71 | 93 | ae | e9 | 20 | 60 | a0 |
| 8 | fb | 16 | 3a | 4e | d2 | 6d | b7 | c2 | 5d | e7 | 32 | 56 | fa | 15 | 3f | 41 |
| 9 | c3 | 5e | e2 | 3d | 47 | c9 | 40 | c0 | 5b | ed | 2c | 74 | 9c | bf | da | 75 |
| a | 9f | ba | d5 | 64 | ac | ef | 2a | 7e | 82 | 9d | bc | df | 7a | 8e | 89 | 80 |
| b | 9b | b6 | c1 | 58 | e8 | 23 | 65 | af | ea | 25 | 6f | b1 | c8 | 43 | c5 | 54 |
| c | fc | 1f | 21 | 63 | a5 | f4 | 07 | 09 | 1b | 2d | 77 | 99 | b0 | cb | 46 | ca |
| d | 45 | cf | 4a | de | 79 | 8b | 86 | 91 | a8 | e3 | 3e | 42 | c6 | 51 | f3 | 0e |
| e | 12 | 36 | 5a | ee | 29 | 7b | 8d | 8c | 8f | 8a | 85 | 94 | a7 | f2 | 0d | 17 |
| f | 39 | 4b | dd | 7c | 84 | 97 | a2 | fd | 1c | 24 | 6c | b4 | c7 | 52 | f6 | 01 |
| Table of ``logarithms'': rs = 03^L(rs) | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| L(rs) | s | |||||||||||||||
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f | |
| r | ||||||||||||||||
| 0 | 00 | 19 | 01 | 32 | 02 | 1a | c6 | 4b | c7 | 1b | 68 | 33 | ee | df | 03 | |
| 1 | 64 | 04 | e0 | 0e | 34 | 8d | 81 | ef | 4c | 71 | 08 | c8 | f8 | 69 | 1c | c1 |
| 2 | 7d | c2 | 1d | b5 | f9 | b9 | 27 | 6a | 4d | e4 | a6 | 72 | 9a | c9 | 09 | 78 |
| 3 | 65 | 2f | 8a | 05 | 21 | 0f | e1 | 24 | 12 | f0 | 82 | 45 | 35 | 93 | da | 8e |
| 4 | 96 | 8f | db | bd | 36 | d0 | ce | 94 | 13 | 5c | d2 | f1 | 40 | 46 | 83 | 38 |
| 5 | 66 | dd | fd | 30 | bf | 06 | 8b | 62 | b3 | 25 | e2 | 98 | 22 | 88 | 91 | 10 |
| 6 | 7e | 6e | 48 | c3 | a3 | b6 | 1e | 42 | 3a | 6b | 28 | 54 | fa | 85 | 3d | ba |
| 7 | 2b | 79 | 0a | 15 | 9b | 9f | 5e | ca | 4e | d4 | ac | e5 | f3 | 73 | a7 | 57 |
| 8 | af | 58 | a8 | 50 | f4 | ea | d6 | 74 | 4f | ae | e9 | d5 | e7 | e6 | ad | e8 |
| 9 | 2c | d7 | 75 | 7a | eb | 16 | 0b | f5 | 59 | cb | 5f | b0 | 9c | a9 | 51 | a0 |
| a | 7f | 0c | f6 | 6f | 17 | c4 | 49 | ec | d8 | 43 | 1f | 2d | a4 | 76 | 7b | b7 |
| b | cc | bb | 3e | 5a | fb | 60 | b1 | 86 | 3b | 52 | a1 | 6c | aa | 55 | 29 | 9d |
| c | 97 | b2 | 87 | 90 | 61 | be | dc | fc | bc | 95 | cf | cd | 37 | 3f | 5b | d1 |
| d | 53 | 39 | 84 | 3c | 41 | a2 | 6d | 47 | 14 | 2a | 9e | 5d | 56 | f2 | d3 | ab |
| e | 44 | 11 | 92 | d9 | 23 | 20 | 2e | 89 | b4 | 7c | b8 | 26 | 77 | 99 | e3 | a5 |
| f | 67 | 4a | ed | de | c5 | 31 | fe | 18 | 0d | 63 | 8c | 80 | c0 | f7 | 70 | 07 |
L table above to look up b6 and
53: L(b6)=b1 and L(53)=30. This means that
(b6)*(53) = (03)(b1) * (03)(30) = (03)(b1 + 30) = (03)(e1).
If the sum above gets bigger than ff, just subtract
255. This works because the powers of 03 repeat after255 iterations. Now use the
E table to look up(03)(e1), which is the answer:
(36).
The Multiplicative Inverse of Each Field Element.
Later work with the AES will also require the multiplicative inverse of each field element except0, which has no inverse. This inverse is easy to calculate. Ifg is the generator
03 , then the inverse ofgrs is
gff - rs. For example, to find the inverse of6b, look up in the ``log'' table to see that
6b = g54, so the inverse of6b is
gff - 54 = gab, and from the "exponential" table, this isdf.
| Table of multiplicative inverses: rs*inv(rs) = 01 | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| inv(rs) | s | |||||||||||||||
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f | |
| r | ||||||||||||||||
| 0 | XX | 01 | 8d | f6 | cb | 52 | 7b | d1 | e8 | 4f | 29 | c0 | b0 | e1 | e5 | c7 |
| 1 | 74 | b4 | aa | 4b | 99 | 2b | 60 | 5f | 58 | 3f | fd | cc | ff | 40 | ee | b2 |
| 2 | 3a | 6e | 5a | f1 | 55 | 4d | a8 | c9 | c1 | 0a | 98 | 15 | 30 | 44 | a2 | c2 |
| 3 | 2c | 45 | 92 | 6c | f3 | 39 | 66 | 42 | f2 | 35 | 20 | 6f | 77 | bb | 59 | 19 |
| 4 | 1d | fe | 37 | 67 | 2d | 31 | f5 | 69 | a7 | 64 | ab | 13 | 54 | 25 | e9 | 09 |
| 5 | ed | 5c | 05 | ca | 4c | 24 | 87 | bf | 18 | 3e | 22 | f0 | 51 | ec | 61 | 17 |
| 6 | 16 | 5e | af | d3 | 49 | a6 | 36 | 43 | f4 | 47 | 91 | df | 33 | 93 | 21 | 3b |
| 7 | 79 | b7 | 97 | 85 | 10 | b5 | ba | 3c | b6 | 70 | d0 | 06 | a1 | fa | 81 | 82 |
| 8 | 83 | 7e | 7f | 80 | 96 | 73 | be | 56 | 9b | 9e | 95 | d9 | f7 | 02 | b9 | a4 |
| 9 | de | 6a | 32 | 6d | d8 | 8a | 84 | 72 | 2a | 14 | 9f | 88 | f9 | dc | 89 | 9a |
| a | fb | 7c | 2e | c3 | 8f | b8 | 65 | 48 | 26 | c8 | 12 | 4a | ce | e7 | d2 | 62 |
| b | 0c | e0 | 1f | ef | 11 | 75 | 78 | 71 | a5 | 8e | 76 | 3d | bd | bc | 86 | 57 |
| c | 0b | 28 | 2f | a3 | da | d4 | e4 | 0f | a9 | 27 | 53 | 04 | 1b | fc | ac | e6 |
| d | 7a | 07 | ae | 63 | c5 | db | e2 | ea | 94 | 8b | c4 | d5 | 9d | f8 | 90 | 6b |
| e | b1 | 0d | d6 | eb | c6 | 0e | cf | ad | 08 | 4e | d7 | e3 | 5d | 50 | 1e | b3 |
| f | 5b | 23 | 38 | 34 | 68 | 46 | 03 | 8c | dd | 9c | 7d | a0 | cd | 1a | 41 | 1c |
To calculate ECC (error correction codes) a large polynomial representing incoming data is divided by another "generator" polynomial.
f(x) ÷ gp(n) --> r(x)
The message followed by the ECC produced in r(x) are sent to a decoder. If the operation can be repeated and the same ECC is produced then the message is intact and no error correction is required. If some bits are corrupted then an iterative process is engaged
to locate and (if a number of equations are soluble) correct the errors. If a solution cannot be found the message is left intact (there is a chance all the errors were in the ECC bytes).
The PRODUCT of A and B is the ANTILOG of the MODULUS 255 sum of their LOGS. The LOG and ANTILOG functions can be pre-calculated as tables. We have already computed the ANTILOG for a given primitive polynomial (pp=285) .
i.e. An array of 255 bytes = 1, 2, 4, 8, 16, 32, 64, 128, 29, ..., 142
The LOG array is indexed from 1 to 255 = 0, 1, 25, ..., 175 e.g. LOG[255]=175 , ANTILOG[175]=255
function product(a,b:byte):byte; begin result:=ANTILOG[(LOG[a]+LOG) mod 255]; end;
As a simple example, suppose one wanted the area of a circle of radius [b]23.427 cm.So one needs to calculate 23.427 * 23.427 * 3.1416. We would look up the logarithm (base 10) of each number in the printed table: log(23.427) = 1.369716 and log(3.1416) = .497156. Now 1.369716 + 1.369716 + .497156 = 3.236588. Finally, take the ``anti-log'' (that is, take 10 to the power 3.236588) to get the final answer: 1724.2 cm2. This works because log(area) = log(pi*r2) = log(pi) + log(r) + log(r). In finite fields one can replace the harder multiplication by the easier addition, at the cost of looking up ``logarithms'' and ``anti-logarithms.''
The Galois Field GF(23) = GF(8) based on P(x) = x3 + x + 1
in GF(8) addition and subtraction are equivalent operations, the minus signs may be replaced with plus signs.
The terms aN serve to describe this GF(8). Equivalent values are shown in 3-bit binary and decimal.
| 0 | a0 | a1 | a2 | a3 | a4 | a5 | a6 |
| 000 | 001 | 010 | 100 | 011 | 110 | 111 | 101 |
| 0 | 1 | 2 | 4 | 3 | 6 | 7 | 5 |
Given 1011, describing P(x) = x3 + x + 1, then if a is a root:得到 a3 + a + 1 = 0 所以 a3 = a + 1[code]Successive terms in aN follow as shown below.
| 0 | = 0 | = 0 | = 0 | = 0 | = 000 | = 0 | ||||
| a0 | = a0 | = 1 | = 1 | = 1 | = 001 | = 1 | = a7 | = a14 | = a21 | ... |
| a1 | = a0 × a | = (1) × a | = a | = a | = 010 | = 2 | = a8 | = a15 | = a22 | ... |
| a2 | = a1 × a | = (a) × a | = a2 | = a2 | = 100 | = 4 | = a9 | = a16 | = a23 | ... |
| a3 | = a2 × a | = (a2) × a | = a3 | = a+1 | = 011 | = 3 | = a10 | = a17 | = a24 | ... |
| a4 | = a3 × a | = (a+1) × a | = a2+a | = a2+a | = 110 | = 6 | = a11 | = a18 | = a25 | ... |
| a5 | = a4 × a | = (a2+a) × a | = a3+a2 | = a2+a+1 | = 111 | = 7 | = a12 | = a19 | = a26 | ... |
| a6 | = a5 × a | = (a2+a+1) × a | = a3+a2+a | = a2+1 | = 101 | = 5 | = a13 | = a20 | = a27 | ... |
| a7 | = a6 × a | = (a2+1) × a | = a3+a | = 1 | = 001 | = 1 | = a14 | = a21 | = a28 | ... |
For this P(x) of order 3, a complete set of 23 - 1 = 7 non-zero elements is defined by successive terms in aN. This choice of P(x) is aprimitive prime polynomial.
The 3-bit terms including [000] describe a Galois field GF(23) generated by P(x).
Addition Example:a5 + a5 = (111) + (111) = (000) = 0 Multiplication Example:a5 × a5 = a(5+5) = a10 = a3
this polynomial M(x) has 3-bit coefficients defined in terms of aN:
| M(x) | = a2 x3 + a5 x2 + a1 x + a6 |
| = 4 x3 + 7 x2 + 2 x + 5 , also written as (4 7 2 5) | |
| = (100) x3 + (111) x2 + (010) x + (101) | |
| = the 12-bit binary value 100111010101 |
F(x) = 6 x4 + 1 x3 +
2 x2 + 2 x + 1
Multiply F(x) by x2 to append two zeros, then divide by G(x) .
F(x) x2 = 6 x6 + 1 x5 +2 x4 +2 x3 +1 x2 +0 x +0
(F(x) x2) / G(x) = (6 3 2 0 7), remainder ([b]4 2) [/b]
A=6 1 2 2 1 0 0 B= 1 6 3
Division in GF(8), based on P(x) = x3 + x + 1
| 6 | 3 | 2 | 0 | 7 | = result | ||
| 6 | 1 | 2 | 2 | 1 | 0 | 0 | = A |
| 6 | 2 | 1 | 0 | 0 | 0 | 0 | = B × 6 x4 |
| 3 | 3 | 2 | 1 | 0 | 0 | ||
| 3 | 1 | 5 | 0 | 0 | 0 | = B × 3 x3 | |
| 2 | 7 | 1 | 0 | 0 | |||
| 2 | 7 | 6 | 0 | 0 | = B × 2 x2 | ||
| 7 | 0 | 0 | |||||
| 7 | 4 | 2 | = B × 7 x0 | ||||
| 4 | 2 | = remainder |
Identify each byte a = a7a6a5a4a3a2a1a0 with the formal polynomial a7x7 +a6x6 +a5x5 +a4x4 +a3x3 +a2x2 +a1x+a0. We can add two bytes by taking their
bitwise xor. We can multiply two bytes to get a degree 14 (or less) polynomial, and then take the remainder of this polynomial by the fixed irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
This remainder polynomial is a polynomial of degree at most seven which can be regarded as a byte.
GF(28)|
the Galois field on 2^8= 256 points.As a finite field, you can find the inverse of any nonzero field point.
[align=center]Since m(x) is another name for zero:m(x) = x8 + x4 + x3 + x + 1 [/align]
(You should think of the m(x) as equaling zero, and you use it to reduce the degree of the product below 8.)
x^8 = x^4 + x^3 + x + 1 ={1b} So it is easy to multiply a byte a by the byte x = {02},shift the 8-bit byte a one position to the left, letting the first bit fall off (but remember it) and shifting a zero into the last bit position. We write this operation
<< 1. If that first bit of a was a 0, we are done. If the first bit was a 1, we need to add in (that is, xor in) x^8={1b},In summary, for a a byte, a * x = a *{02} is a<< 1 if the first bit of a is 0, and it is (a << 1) xor {1b} if the first bit of a is 1.
[align=center] [/align]
[align=center] For example, to compute {a1}*{03}={a1}*{02} xor {a1}*{01}={42}*{1b}*{a1} = {f8}[/align]
All arithmetic is in GF(2), meaning that addition of bits is their xor and multiplication of bits is the conjunction(and).
function expand(K)
K0 <- K
for i <-1 to 10 do
Ki[0] <- Ki-1[0] xor S(Ki-1[3] << 8) xor Ci
Ki[1] <-Ki-1[1] xor Ki[0]
Ki[2] <-Ki-1[2] xor Ki[1]
Ki[3] <-Ki-1[3] xor Ki[2]
[align=center]return (K0...;K10)[/align]
The AES128 key-expansion algorithm maps a 128-bit key K into eleven 128-bit subkeys,K0...K10. Constants (C1...;C10) are f02000000, 04000000, 08000000, 10000000, 20000000,40000000, 80000000g, 1B000000, 36000000, 6C000000.
Imagine plastering the 16 bytes of s = s0s1.. s15 going top-to-bottom, then left-to-right, to make a 4* 4 table:
s0 s4 s8 s12
s1 s5 s9 s13
s2 s6 s10 s14
s3 s7 s11 s15
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Notes about compiling android kernel source on Mac OS Lion
- Notes on MongoDB
- 维修笔记(Notes on Diagnosing and Fixing Everything Electronic)
- Notes on MatConvNet ( I ) --- Overview
- Notes on MSBuild
- Notes on Papers (I)
- Reading Notes on Linkers & Loaders
- Notes on <High Performance MySQL> -- Ch5: Advanced MySQL Feature
- Notes on Generator 1
- Notes on Tensorflow
- Reading Notes on NS2(6)
- Essential Notes on Database(III) Normalization 范式 (I)
- Reading notes about Generic Time Subsystem implementation on linux
- Lecture Notes on Static Analysis
- notes on effective C++ (to be continued)
- Show Sidebar on Lotus iNotes startup
- Notes on <jQuery in Action> - 4
- Notes on MatConvNet(II):vl_simplenn
- Notes on <High Performance MySQL> -- Ch6: Optimizing Server Settings