0 α 0 α 1 α 2 α 3 α 4 α 5 α 6.... α 253 α 254
var galois:array [0..255] of byte;
function checkgp(pp:integer):boolean; // check proposed primitive generates each element only once
var
found:array [0..255] of boolean;
i:integer;
x,loop:integer;
begin
result:=true;
for i:=0 to 255 do found[i]:=false;
galois[0]:=1;
found[0]:=true; // 1^0=1
x:=1;
for loop:=1 to 255 do
begin
x:=x*2;
if x>255 then x:=x xor pp; // when element overflows xor with primitive
galois[loop]:=x;
if found[x]=true then
begin
result:=false; // reject this as a primitive polnomial this element was generated already
break;
end else found[x]:=true;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
i,xi:integer;
ss:string;
begin
for i:=256 to 256+255 do
if checkgp(i) then
begin
ss:='';
for xi:=0 to 254 do ss:=ss+inttostr(galois[xi])+' ';
ss:='pp='+inttostr(i)+' '+ss;
memo1.Lines.Add(ss);
end;
end;
The concept of a generator of a finite field.
A generator is an element whose successive powers take on every element except the zero. For example, in the fieldZ13, try successive powers of several elements, looking for a generator:
Try powers of 5, taken modulo 13:51=5, 52%13=12, 53%13=(12*5)%13=8, 54%13=(8*5)%13=1, so succesive powers of5 just take on the values 5, 12, 8, 1, and repeat, so that5 is not a generator.
Try powers of 4, taken modulo 13:41=4, 42%13= 3,43%13=(3*4)%13=12, 44%13=(12*4)%13=9,45%13=(9*4)%13=10, 46%13=(10*4)%13=1, so successive powers make a longer cycle, just 4,3, 12, 9,10, 1, and repeat, so 4 is also not a generator.
Try successive powers of 2, taken modulo 13:21=2, 22%13=4,23%13=8, 24%13=3,25%13=(3*2)%13=6, 26%13=(6*2)%13=12,27%13=11, 28%13=9,29%13=5, 29%13 =10,29%13=7, 36%13=1, so successive powers take on all non-zero elements:2, 4, 8,3, 6, 12,11, 9, 5,10, 7, 1, and repeat, so2 is a generator.
Table of ``exponentials'': E(rs) = 03^rs | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
E(rs) | s | ||||||||||||||||
0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f | ||
r | |||||||||||||||||
0 | 01 | 03 | 05 | 0f | 11 | 33 | 55 | ff | 1a | 2e | 72 | 96 | a1 | f8 | 13 | 35 | |
1 | 5f | e1 | 38 | 48 | d8 | 73 | 95 | a4 | f7 | 02 | 06 | 0a | 1e | 22 | 66 | aa | |
2 | e5 | 34 | 5c | e4 | 37 | 59 | eb | 26 | 6a | be | d9 | 70 | 90 | ab | e6 | 31 | |
3 | 53 | f5 | 04 | 0c | 14 | 3c | 44 | cc | 4f | d1 | 68 | b8 | d3 | 6e | b2 | cd | |
4 | 4c | d4 | 67 | a9 | e0 | 3b | 4d | d7 | 62 | a6 | f1 | 08 | 18 | 28 | 78 | 88 | |
5 | 83 | 9e | b9 | d0 | 6b | bd | dc | 7f | 81 | 98 | b3 | ce | 49 | db | 76 | 9a | |
6 | b5 | c4 | 57 | f9 | 10 | 30 | 50 | f0 | 0b | 1d | 27 | 69 | bb | d6 | 61 | a3 | |
7 | fe | 19 | 2b | 7d | 87 | 92 | ad | ec | 2f | 71 | 93 | ae | e9 | 20 | 60 | a0 | |
8 | fb | 16 | 3a | 4e | d2 | 6d | b7 | c2 | 5d | e7 | 32 | 56 | fa | 15 | 3f | 41 | |
9 | c3 | 5e | e2 | 3d | 47 | c9 | 40 | c0 | 5b | ed | 2c | 74 | 9c | bf | da | 75 | |
a | 9f | ba | d5 | 64 | ac | ef | 2a | 7e | 82 | 9d | bc | df | 7a | 8e | 89 | 80 | |
b | 9b | b6 | c1 | 58 | e8 | 23 | 65 | af | ea | 25 | 6f | b1 | c8 | 43 | c5 | 54 | |
c | fc | 1f | 21 | 63 | a5 | f4 | 07 | 09 | 1b | 2d | 77 | 99 | b0 | cb | 46 | ca | |
d | 45 | cf | 4a | de | 79 | 8b | 86 | 91 | a8 | e3 | 3e | 42 | c6 | 51 | f3 | 0e | |
e | 12 | 36 | 5a | ee | 29 | 7b | 8d | 8c | 8f | 8a | 85 | 94 | a7 | f2 | 0d | 17 | |
f | 39 | 4b | dd | 7c | 84 | 97 | a2 | fd | 1c | 24 | 6c | b4 | c7 | 52 | f6 | 01 |
Table of ``logarithms'': rs = 03^L(rs) | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
L(rs) | s | ||||||||||||||||
0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f | ||
r | |||||||||||||||||
0 | 00 | 19 | 01 | 32 | 02 | 1a | c6 | 4b | c7 | 1b | 68 | 33 | ee | df | 03 | ||
1 | 64 | 04 | e0 | 0e | 34 | 8d | 81 | ef | 4c | 71 | 08 | c8 | f8 | 69 | 1c | c1 | |
2 | 7d | c2 | 1d | b5 | f9 | b9 | 27 | 6a | 4d | e4 | a6 | 72 | 9a | c9 | 09 | 78 | |
3 | 65 | 2f | 8a | 05 | 21 | 0f | e1 | 24 | 12 | f0 | 82 | 45 | 35 | 93 | da | 8e | |
4 | 96 | 8f | db | bd | 36 | d0 | ce | 94 | 13 | 5c | d2 | f1 | 40 | 46 | 83 | 38 | |
5 | 66 | dd | fd | 30 | bf | 06 | 8b | 62 | b3 | 25 | e2 | 98 | 22 | 88 | 91 | 10 | |
6 | 7e | 6e | 48 | c3 | a3 | b6 | 1e | 42 | 3a | 6b | 28 | 54 | fa | 85 | 3d | ba | |
7 | 2b | 79 | 0a | 15 | 9b | 9f | 5e | ca | 4e | d4 | ac | e5 | f3 | 73 | a7 | 57 | |
8 | af | 58 | a8 | 50 | f4 | ea | d6 | 74 | 4f | ae | e9 | d5 | e7 | e6 | ad | e8 | |
9 | 2c | d7 | 75 | 7a | eb | 16 | 0b | f5 | 59 | cb | 5f | b0 | 9c | a9 | 51 | a0 | |
a | 7f | 0c | f6 | 6f | 17 | c4 | 49 | ec | d8 | 43 | 1f | 2d | a4 | 76 | 7b | b7 | |
b | cc | bb | 3e | 5a | fb | 60 | b1 | 86 | 3b | 52 | a1 | 6c | aa | 55 | 29 | 9d | |
c | 97 | b2 | 87 | 90 | 61 | be | dc | fc | bc | 95 | cf | cd | 37 | 3f | 5b | d1 | |
d | 53 | 39 | 84 | 3c | 41 | a2 | 6d | 47 | 14 | 2a | 9e | 5d | 56 | f2 | d3 | ab | |
e | 44 | 11 | 92 | d9 | 23 | 20 | 2e | 89 | b4 | 7c | b8 | 26 | 77 | 99 | e3 | a5 | |
f | 67 | 4a | ed | de | c5 | 31 | fe | 18 | 0d | 63 | 8c | 80 | c0 | f7 | 70 | 07 |
Suppose one wants the product b6 * 53 . Use the L table above to look up b6 and 53: L(b6)=b1 and L(53)=30. This means that
(b6)*(53) = (03)(b1) * (03)(30) = (03)(b1 + 30) = (03)(e1).
If the sum above gets bigger than ff, just subtract 255. This works because the powers of 03 repeat after255 iterations. Now use the E table to look up(03)(e1), which is the answer: (36).
The Multiplicative Inverse of Each Field Element.Later work with the AES will also require the multiplicative inverse of each field element except0, which has no inverse. This inverse is easy to calculate. Ifg is the generator 03 , then the inverse ofgrs is gff - rs. For example, to find the inverse of6b, look up in the ``log'' table to see that 6b = g54, so the inverse of6b is gff - 54 = gab, and from the "exponential" table, this isdf.
Table of multiplicative inverses: rs*inv(rs) = 01 | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
inv(rs) | s | ||||||||||||||||
0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f | ||
r | |||||||||||||||||
0 | XX | 01 | 8d | f6 | cb | 52 | 7b | d1 | e8 | 4f | 29 | c0 | b0 | e1 | e5 | c7 | |
1 | 74 | b4 | aa | 4b | 99 | 2b | 60 | 5f | 58 | 3f | fd | cc | ff | 40 | ee | b2 | |
2 | 3a | 6e | 5a | f1 | 55 | 4d | a8 | c9 | c1 | 0a | 98 | 15 | 30 | 44 | a2 | c2 | |
3 | 2c | 45 | 92 | 6c | f3 | 39 | 66 | 42 | f2 | 35 | 20 | 6f | 77 | bb | 59 | 19 | |
4 | 1d | fe | 37 | 67 | 2d | 31 | f5 | 69 | a7 | 64 | ab | 13 | 54 | 25 | e9 | 09 | |
5 | ed | 5c | 05 | ca | 4c | 24 | 87 | bf | 18 | 3e | 22 | f0 | 51 | ec | 61 | 17 | |
6 | 16 | 5e | af | d3 | 49 | a6 | 36 | 43 | f4 | 47 | 91 | df | 33 | 93 | 21 | 3b | |
7 | 79 | b7 | 97 | 85 | 10 | b5 | ba | 3c | b6 | 70 | d0 | 06 | a1 | fa | 81 | 82 | |
8 | 83 | 7e | 7f | 80 | 96 | 73 | be | 56 | 9b | 9e | 95 | d9 | f7 | 02 | b9 | a4 | |
9 | de | 6a | 32 | 6d | d8 | 8a | 84 | 72 | 2a | 14 | 9f | 88 | f9 | dc | 89 | 9a | |
a | fb | 7c | 2e | c3 | 8f | b8 | 65 | 48 | 26 | c8 | 12 | 4a | ce | e7 | d2 | 62 | |
b | 0c | e0 | 1f | ef | 11 | 75 | 78 | 71 | a5 | 8e | 76 | 3d | bd | bc | 86 | 57 | |
c | 0b | 28 | 2f | a3 | da | d4 | e4 | 0f | a9 | 27 | 53 | 04 | 1b | fc | ac | e6 | |
d | 7a | 07 | ae | 63 | c5 | db | e2 | ea | 94 | 8b | c4 | d5 | 9d | f8 | 90 | 6b | |
e | b1 | 0d | d6 | eb | c6 | 0e | cf | ad | 08 | 4e | d7 | e3 | 5d | 50 | 1e | b3 | |
f | 5b | 23 | 38 | 34 | 68 | 46 | 03 | 8c | dd | 9c | 7d | a0 | cd | 1a | 41 | 1c |
The essence of "arithmetic" in the Galois field is that the computer is never confronted with numbers that are too large to process;
To calculate ECC (error correction codes) a large polynomial representing incoming data is divided by another "generator" polynomial.
f(x) ÷ gp(n) --> r(x)
The message followed by the ECC produced in r(x) are sent to a decoder. If the operation can be repeated and the same ECC is produced then the message is intact and no error correction is required. If some bits are corrupted then an iterative process is engaged to locate and (if a number of equations are soluble) correct the errors. If a solution cannot be found the message is left intact (there is a chance all the errors were in the ECC bytes).
The PRODUCT of A and B is the ANTILOG of the MODULUS 255 sum of their LOGS. The LOG and ANTILOG functions can be pre-calculated as tables. We have already computed the ANTILOG for a given primitive polynomial (pp=285) .
The LOG array is indexed from 1 to 255 = 0, 1, 25, ..., 175 e.g. LOG[255]=175 , ANTILOG[175]=255
function product(a,b:byte):byte; begin result:=ANTILOG[(LOG[a]+LOG[b]) mod 255]; end;
As a simple example, suppose one wanted the area of a circle of radius 23.427 cm.So one needs to calculate 23.427 * 23.427 * 3.1416. We would look up the logarithm (base 10) of each number in the printed table: log(23.427) = 1.369716 and log(3.1416) = .497156. Now 1.369716 + 1.369716 + .497156 = 3.236588. Finally, take the ``anti-log'' (that is, take 10 to the power 3.236588) to get the final answer: 1724.2 cm2. This works because log(area) = log(pi*r2) = log(pi) + log(r) + log(r).
In finite fields one can replace the harder multiplication by the easier addition, at the cost of looking up ``logarithms'' and ``anti-logarithms.''
The terms aN serve to describe this GF(8). Equivalent values are shown in 3-bit binary and decimal.
0 | a0 | a1 | a2 | a3 | a4 | a5 | a6 |
000 | 001 | 010 | 100 | 011 | 110 | 111 | 101 |
0 | 1 | 2 | 4 | 3 | 6 | 7 | 5 |
Given 1011, describing P(x) = x3 + x + 1, then if a is a root:得到 a3 + a + 1 = 0 所以 a3 = a + 1Successive terms in aN follow as shown below.
| ||||||||||
0 | = 0 | = 0 | = 0 | = 0 | = 000 | = 0 | ||||
a0 | = a0 | = 1 | = 1 | = 1 | = 001 | = 1 | = a7 | = a14 | = a21 | ... |
a1 | = a0 × a | = (1) × a | = a | = a | = 010 | = 2 | = a8 | = a15 | = a22 | ... |
a2 | = a1 × a | = (a) × a | = a2 | = a2 | = 100 | = 4 | = a9 | = a16 | = a23 | ... |
a3 | = a2 × a | = (a2) × a | = a3 | = a+1 | = 011 | = 3 | = a10 | = a17 | = a24 | ... |
a4 | = a3 × a | = (a+1) × a | = a2+a | = a2+a | = 110 | = 6 | = a11 | = a18 | = a25 | ... |
a5 | = a4 × a | = (a2+a) × a | = a3+a2 | = a2+a+1 | = 111 | = 7 | = a12 | = a19 | = a26 | ... |
a6 | = a5 × a | = (a2+a+1) × a | = a3+a2+a | = a2+1 | = 101 | = 5 | = a13 | = a20 | = a27 | ... |
| ||||||||||
a7 | = a6 × a | = (a2+1) × a | = a3+a | = 1 | = 001 | = 1 | = a14 | = a21 | = a28 | ... |
The defining polynomial P(x) essentially becomes the modulus for all operations on this set. Each result in aN represents the remainder when xN is divided by P(x). For any P(x) of order 3, remainders will have 3-bits.
For this P(x) of order 3, a complete set of 23 - 1 = 7 non-zero elements is defined by successive terms in aN. This choice of P(x) is aprimitive prime polynomial.
The 3-bit terms including [000] describe a Galois field GF(23) generated by P(x).
Addition Example:a5 + a5 = (111) + (111) = (000) = 0 Multiplication Example:a5 × a5 = a(5+5) = a10 = a3
this polynomial M(x) has 3-bit coefficients defined in terms of aN:
M(x) | = a2 x3 + a5 x2 + a1 x + a6 |
= 4 x3 + 7 x2 + 2 x + 5 , also written as (4 7 2 5) | |
= (100) x3 + (111) x2 + (010) x + (101) | |
= the 12-bit binary value 100111010101 |
G(x) = 1 x2 + 6 x + 3
F(x) = 6 x4 + 1 x3 + 2 x2 + 2 x + 1
Multiply F(x) by x2 to append two zeros, then divide by G(x) .
F(x) x2 = 6 x6 + 1 x5 +2 x4 +2 x3 +1 x2 +0 x +0
(F(x) x2) / G(x) = (6 3 2 0 7), remainder (4 2)
A=6 1 2 2 1 0 0 B= 1 6 3
Division in GF(8), based on P(x) = x3 + x + 1
6 | 3 | 2 | 0 | 7 | = result | ||
| |||||||
6 | 1 | 2 | 2 | 1 | 0 | 0 | = A |
6 | 2 | 1 | 0 | 0 | 0 | 0 | = B × 6 x4 |
| |||||||
3 | 3 | 2 | 1 | 0 | 0 | ||
3 | 1 | 5 | 0 | 0 | 0 | = B × 3 x3 | |
| |||||||
2 | 7 | 1 | 0 | 0 | |||
2 | 7 | 6 | 0 | 0 | = B × 2 x2 | ||
| |||||||
7 | 0 | 0 | |||||
7 | 4 | 2 | = B × 7 x0 | ||||
| |||||||
4 | 2 | = remainder |
bitwise xor. We can multiply two bytes to get a degree 14 (or less) polynomial, and then take the remainder of this polynomial by the fixed irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
the Galois field on 2^8= 256 points.As a finite field, you can find the inverse of any nonzero field point.
(You should think of the m(x) as equaling zero, and you use it to reduce the degree of the product below 8.)x^8 = x^4 + x^3 + x + 1 ={1b} So it is easy to multiply a byte a by the byte x = {02},shift the 8-bit byte a one position to the left, letting the first bit fall off (but remember it) and shifting a zero into the last bit position. We write this operation << 1. If that first bit of a was a 0, we are done. If the first bit was a 1, we need to add in (that is, xor in) x^8={1b},In summary, for a a byte, a * x = a *{02} is a<< 1 if the first bit of a is 0, and it is (a << 1) xor {1b} if the first bit of a is 1.
K0 <- K
for i <-1 to 10 do
Ki[0] <- Ki-1[0] xor S(Ki-1[3] << 8) xor Ci
Ki[1] <-Ki-1[1] xor Ki[0]
Ki[2] <-Ki-1[2] xor Ki[1]
Ki[3] <-Ki-1[3] xor Ki[2]
The AES128 key-expansion algorithm maps a 128-bit key K into eleven 128-bit subkeys,K0...K10. Constants (C1...;C10) are f02000000, 04000000, 08000000, 10000000, 20000000,40000000, 80000000g, 1B000000, 36000000, 6C000000.
s0 s4 s8 s12
s1 s5 s9 s13
s2 s6 s10 s14
s3 s7 s11 s15