Notes on Cryptography

    The operators in conventional arithmetic (divide, multiply, add, subtract etc) deal with infinite or unbounded numbers. Computer hardware uses binary arithmetic where integer results are stored in registers, bytes or words of a finite size.Dealing with the overflows caused by very large calculations is a considerable problem if the result is to be used in bit by bit error detection.GF(256) is a field consisting of the every integer in the range 0 to 255 arranged in a particular order. If you could devise an arithmetic where the result of each operation produces another number in the field the overflow issues could be avoided.

     The generation (ordering) of the field is key.

     A Galois field gf( p) is the element 0 followed by the ( p-1) succeeding powers of α : 1,  α¹, α², ..., α^p-1

    Extending the gf(2) field to 256 elements that fit nicely in a computer byte: gf(2⁸) = gf(256). Substituting the primitive elementα=2 in the galois field it becomes 0, 1, 2, 4, 8, 16, and so on. This series is straightforward until elements greater than 127 are created. Doubling element values 128, 129, ..., 254 will violate the range by producing a result greater than 255. Some way must be devised to "fold" the results back into the finite field range without duplicating existing elements (this lets modulo 255 aritmetic out). This requires an irreducible primitive polynomial. "Irreducible" means it cannot be factored into smaller polynomials over the field.
   

 0 α ⁰ α ¹ α ² α ³ α ⁴ α ⁵ α ⁶....     α ²⁵³ α ²⁵⁴

pp  = x⁸+x⁴+x³+x²+1  =100011101=285  α=2时  借助xor pp可以得到： 0 1 2 4 8 16 32 64 128 29 58 116 .....173 71 142                 

                 
var   galois:array [0..255] of byte;
function checkgp(pp:integer):boolean;  // check proposed primitive generates each element only once
var
    found:array [0..255] of boolean;
    i:integer;
    x,loop:integer;
begin
    result:=true;
    for i:=0 to 255 do found[i]:=false;
    galois[0]:=1;
    found[0]:=true; // 1^0=1
    x:=1;
    for loop:=1 to 255 do
      begin
        x:=x*2;
        if x>255 then x:=x xor pp; // when element overflows xor with primitive
        galois[loop]:=x;
        if found[x]=true then
          begin
            result:=false; // reject this as a primitive polnomial this element was generated already
            break;
          end else found[x]:=true;
      end;
end;

procedure TForm1.Button1Click(Sender: TObject);
var
  i,xi:integer;
  ss:string;
begin
    for i:=256 to 256+255 do
      if checkgp(i) then
       begin
          ss:='';
          for xi:=0 to 254 do  ss:=ss+inttostr(galois[xi])+' ';
          ss:='pp='+inttostr(i)+'  '+ss;
          memo1.Lines.Add(ss);
       end;
end;                                                                                                                                                                                                                                                                    

pp = 301 = x⁸+x⁵+x³+x²+1

The concept of a generator of a finite field.

    A generator is an element whose successive powers take on every element except the zero. For example, in the fieldZ₁₃, try successive powers of several elements, looking for a generator:
    Try powers of 5, taken modulo 13:5¹=5,  5²%13=12,  5³%13=(12*5)%13=8,  5⁴%13=(8*5)%13=1, so succesive powers of5 just take on the values 5, 12, 8, 1, and repeat, so that5 is not a generator.
    Try powers of 4, taken modulo 13:4¹=4, 4²%13= 3,4³%13=(3*4)%13=12, 4⁴%13=(12*4)%13=9,4⁵%13=(9*4)%13=10, 4⁶%13=(10*4)%13=1, so successive powers make a longer cycle, just 4,3, 12, 9,10, 1, and repeat, so 4 is also not a generator.
    Try successive powers of 2, taken modulo 13:2¹=2, 2²%13=4,2³%13=8, 2⁴%13=3,2⁵%13=(3*2)%13=6, 2⁶%13=(6*2)%13=12,2⁷%13=11, 2⁸%13=9,2⁹%13=5, 2⁹%13 =10,2⁹%13=7, 3⁶%13=1, so successive powers take on all non-zero elements:2, 4, 8,3, 6, 12,11, 9, 5,10, 7, 1, and repeat, so2 is a generator. 

0x03, which is the same as x + 1 as a polynomial, is the simplest generator for GF(2⁸).Its powers take on all 255 non-zero values of the field.The table of ``exponentials'' or ``anti-logs'' gives each possible power. 

Table of ``exponentials'': E(rs) = 03^rs
E(rs)		s
		0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
r
	0	01	03	05	0f	11	33	55	ff	1a	2e	72	96	a1	f8	13	35
	1	5f	e1	38	48	d8	73	95	a4	f7	02	06	0a	1e	22	66	aa
	2	e5	34	5c	e4	37	59	eb	26	6a	be	d9	70	90	ab	e6	31
	3	53	f5	04	0c	14	3c	44	cc	4f	d1	68	b8	d3	6e	b2	cd
	4	4c	d4	67	a9	e0	3b	4d	d7	62	a6	f1	08	18	28	78	88
	5	83	9e	b9	d0	6b	bd	dc	7f	81	98	b3	ce	49	db	76	9a
	6	b5	c4	57	f9	10	30	50	f0	0b	1d	27	69	bb	d6	61	a3
	7	fe	19	2b	7d	87	92	ad	ec	2f	71	93	ae	e9	20	60	a0
	8	fb	16	3a	4e	d2	6d	b7	c2	5d	e7	32	56	fa	15	3f	41
	9	c3	5e	e2	3d	47	c9	40	c0	5b	ed	2c	74	9c	bf	da	75
	a	9f	ba	d5	64	ac	ef	2a	7e	82	9d	bc	df	7a	8e	89	80
	b	9b	b6	c1	58	e8	23	65	af	ea	25	6f	b1	c8	43	c5	54
	c	fc	1f	21	63	a5	f4	07	09	1b	2d	77	99	b0	cb	46	ca
	d	45	cf	4a	de	79	8b	86	91	a8	e3	3e	42	c6	51	f3	0e
	e	12	36	5a	ee	29	7b	8d	8c	8f	8a	85	94	a7	f2	0d	17
	f	39	4b	dd	7c	84	97	a2	fd	1c	24	6c	b4	c7	52	f6	01

Table of ``logarithms'': rs = 03^L(rs)
L(rs)		s
		0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
r
	0		00	19	01	32	02	1a	c6	4b	c7	1b	68	33	ee	df	03
	1	64	04	e0	0e	34	8d	81	ef	4c	71	08	c8	f8	69	1c	c1
	2	7d	c2	1d	b5	f9	b9	27	6a	4d	e4	a6	72	9a	c9	09	78
	3	65	2f	8a	05	21	0f	e1	24	12	f0	82	45	35	93	da	8e
	4	96	8f	db	bd	36	d0	ce	94	13	5c	d2	f1	40	46	83	38
	5	66	dd	fd	30	bf	06	8b	62	b3	25	e2	98	22	88	91	10
	6	7e	6e	48	c3	a3	b6	1e	42	3a	6b	28	54	fa	85	3d	ba
	7	2b	79	0a	15	9b	9f	5e	ca	4e	d4	ac	e5	f3	73	a7	57
	8	af	58	a8	50	f4	ea	d6	74	4f	ae	e9	d5	e7	e6	ad	e8
	9	2c	d7	75	7a	eb	16	0b	f5	59	cb	5f	b0	9c	a9	51	a0
	a	7f	0c	f6	6f	17	c4	49	ec	d8	43	1f	2d	a4	76	7b	b7
	b	cc	bb	3e	5a	fb	60	b1	86	3b	52	a1	6c	aa	55	29	9d
	c	97	b2	87	90	61	be	dc	fc	bc	95	cf	cd	37	3f	5b	d1
	d	53	39	84	3c	41	a2	6d	47	14	2a	9e	5d	56	f2	d3	ab
	e	44	11	92	d9	23	20	2e	89	b4	7c	b8	26	77	99	e3	a5
	f	67	4a	ed	de	c5	31	fe	18	0d	63	8c	80	c0	f7	70	07

Suppose one wants the product b6 * 53 . Use the L table above to look up b6 and 53: L(b6)=b1 and L(53)=30. This means that

• 
  (b6)*(53) = (03)(b1) * (03)(30)
            = (03)(b1 + 30) = (03)(e1).
  

If the sum above gets bigger than ff, just subtract 255. This works because the powers of 03 repeat after255 iterations. Now use the E table to look up(03)^(e1), which is the answer: (36).

The Multiplicative Inverse of Each Field Element.

Later work with the AES will also require the multiplicative inverse of each field element except0, which has no inverse. This inverse is easy to calculate. Ifg is the generator 03 , then the inverse ofg^rs is g^{ff - rs.} For example, to find the inverse of6b, look up in the ``log'' table to see that 6b = g⁵⁴, so the inverse of6b is g^{ff - 54} = g^ab, and from the "exponential" table, this isdf. 

Table of multiplicative inverses: rs*inv(rs) = 01
inv(rs)		s
		0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
r
	0	XX	01	8d	f6	cb	52	7b	d1	e8	4f	29	c0	b0	e1	e5	c7
	1	74	b4	aa	4b	99	2b	60	5f	58	3f	fd	cc	ff	40	ee	b2
	2	3a	6e	5a	f1	55	4d	a8	c9	c1	0a	98	15	30	44	a2	c2
	3	2c	45	92	6c	f3	39	66	42	f2	35	20	6f	77	bb	59	19
	4	1d	fe	37	67	2d	31	f5	69	a7	64	ab	13	54	25	e9	09
	5	ed	5c	05	ca	4c	24	87	bf	18	3e	22	f0	51	ec	61	17
	6	16	5e	af	d3	49	a6	36	43	f4	47	91	df	33	93	21	3b
	7	79	b7	97	85	10	b5	ba	3c	b6	70	d0	06	a1	fa	81	82
	8	83	7e	7f	80	96	73	be	56	9b	9e	95	d9	f7	02	b9	a4
	9	de	6a	32	6d	d8	8a	84	72	2a	14	9f	88	f9	dc	89	9a
	a	fb	7c	2e	c3	8f	b8	65	48	26	c8	12	4a	ce	e7	d2	62
	b	0c	e0	1f	ef	11	75	78	71	a5	8e	76	3d	bd	bc	86	57
	c	0b	28	2f	a3	da	d4	e4	0f	a9	27	53	04	1b	fc	ac	e6
	d	7a	07	ae	63	c5	db	e2	ea	94	8b	c4	d5	9d	f8	90	6b
	e	b1	0d	d6	eb	c6	0e	cf	ad	08	4e	d7	e3	5d	50	1e	b3
	f	5b	23	38	34	68	46	03	8c	dd	9c	7d	a0	cd	1a	41	1c

The essence of "arithmetic" in the Galois field is that the computer is never confronted with numbers that are too large to process;
To calculate ECC (error correction codes) a large polynomial representing incoming data is divided by another "generator" polynomial.
f(x) ÷ gp(n) --> r(x)
The message followed by the ECC produced in r(x) are sent to a decoder. If the operation can be repeated and the same ECC is produced then the message is intact and no error correction is required. If some bits are corrupted then an iterative process is engaged to locate and (if a number of equations are soluble) correct the errors. If a solution cannot be found the message is left intact (there is a chance all the errors were in the ECC bytes).  


            

   The PRODUCT of A and B is the ANTILOG of the MODULUS 255 sum of their LOGS. The LOG and ANTILOG functions can be pre-calculated as tables. We have already computed the ANTILOG for a given primitive polynomial (pp=285) .

i.e. An array of 255 bytes = 1, 2, 4, 8, 16, 32, 64, 128, 29, ..., 142

The LOG array is indexed from 1 to 255 = 0, 1, 25, ..., 175 e.g. LOG[255]=175 , ANTILOG[175]=255

function product(a,b:byte):byte;     begin       result:=ANTILOG[(LOG[a]+LOG[b]) mod 255];     end;

As a simple example, suppose one wanted the area of a circle of radius 23.427 cm.So one needs to calculate 23.427 * 23.427 * 3.1416. We would look up the logarithm (base 10) of each number in the printed table: log(23.427) = 1.369716 and log(3.1416) = .497156. Now  1.369716 + 1.369716 + .497156 = 3.236588. Finally, take the ``anti-log'' (that is, take 10 to the power 3.236588) to get the final answer: 1724.2 cm2. This works because log(area) = log(pi*r2) = log(pi) + log(r) + log(r). 
In finite fields one can replace the harder multiplication by the easier addition, at the cost of looking up ``logarithms'' and ``anti-logarithms.''

The Galois Field GF(2 ³) = GF(8) based on P(x) = x ³ + x + 1

 in GF(8)  addition and subtraction are equivalent operations, the minus signs may be replaced with plus signs.

The terms a^N serve to describe this GF(8). Equivalent values are shown in 3-bit binary and decimal.

0	a0	a1	a2	a3	a4	a5	a6
000	001	010	100	011	110	111	101
0	1	2	4	3	6	7	5

   
   

    
    Given 1011, describing P(x) = x3 + x + 1, then if a is a root:
   
   

   
   

    
    得到 a3 + a + 1 = 0
所以 a3 = a + 1
   
   
   
   

    
    
Successive terms in aN follow as shown below.


   
   

0	= 0	= 0	= 0	= 0	= 000	= 0
a0	= a0	= 1	= 1	= 1	= 001	= 1	= a7	= a14	= a21	...
a1	= a0 × a	= (1) × a	= a	= a	= 010	= 2	= a8	= a15	= a22	...
a2	= a1 × a	= (a) × a	= a2	= a2	= 100	= 4	= a9	= a16	= a23	...
a3	= a2 × a	= (a2) × a	= a3	= a+1	= 011	= 3	= a10	= a17	= a24	...
a4	= a3 × a	= (a+1) × a	= a2+a	= a2+a	= 110	= 6	= a11	= a18	= a25	...
a5	= a4 × a	= (a2+a) × a	= a3+a2	= a2+a+1	= 111	= 7	= a12	= a19	= a26	...
a6	= a5 × a	= (a2+a+1) × a	= a3+a2+a	= a2+1	= 101	= 5	= a13	= a20	= a27	...
a7	= a6 × a	= (a2+1) × a	= a3+a	= 1	= 001	= 1	= a14	= a21	= a28	...

The defining polynomial P(x) essentially becomes the modulus for all operations on this set. Each result in a^N represents the remainder when x^N is divided by P(x). For any P(x) of order 3, remainders will have 3-bits.

For this P(x) of order 3, a complete set of 2³ - 1 = 7 non-zero elements is defined by successive terms in a^N. This choice of P(x) is aprimitive prime polynomial.
The 3-bit terms including [000] describe a Galois field GF(2³) generated by P(x). 

Addition Example:a⁵ + a⁵ = (111) + (111) = (000) = 0   Multiplication Example:a⁵ × a⁵ = a⁽⁵⁺⁵⁾ = a¹⁰ = a^{3
 this polynomial M(x) has 3-bit coefficients defined in terms of aN:}

M(x)	= a2 x3 + a5 x2 + a1 x + a6
	= 4 x3 + 7 x2 + 2 x + 5 , also written as (4 7 2 5)
	= (100) x3 + (111) x2 + (010) x + (101)
	= the 12-bit binary value 100111010101

G(x) = 1 x² + 6 x + 3

F(x) = 6 x⁴ + 1 x³ + 2 x² + 2 x + 1

Multiply F(x) by x² to append two zeros, then divide by G(x) .

F(x) x² = 6 x⁶ + 1 x⁵ +2 x⁴ +2 x³ +1 x² +0 x +0

(F(x) x²) / G(x) = (6 3 2 0 7), remainder (4 2) 

A=6 1 2 2 1 0 0      B= 1 6 3   
Division in GF(8), based on P(x) = x³ + x + 1

		6	3	2	0	7	= result
6	1	2	2	1	0	0	= A
6	2	1	0	0	0	0	= B × 6 x4
	3	3	2	1	0	0
	3	1	5	0	0	0	= B × 3 x3
		2	7	1	0	0
		2	7	6	0	0	= B × 2 x2
				7	0	0
				7	4	2	= B × 7 x0
					4	2	= remainder

To understand what goes on in S and mix-cols we will need to review a bit of algebra. We describe a way to do arithmetic on bytes. 

Identify each byte a = a7a6a5a4a3a2a1a0 with the formal polynomial a7x7 +a6x6 +a5x5 +a4x4 +a3x3 +a2x2 +a1x+a0. We can add two bytes by taking their
bitwise xor. We can multiply two bytes to get a degree 14 (or less) polynomial, and then take the remainder of this polynomial by the fixed irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1    

This remainder polynomial is a polynomial of degree at most seven which can be regarded as a byte.

GF(28)|
the Galois field on 2^8= 256 points.As a finite field, you can find the inverse of any nonzero field point.

Since m(x) is another name for zero:m(x) = x8 + x4 + x3 + x + 1  

(You should think of the m(x) as equaling zero, and you use it to reduce the degree of the product below 8.)

x^8 = x^4 + x^3 + x + 1 ={1b}     So it is easy to multiply a byte a by the byte x = {02},shift the 8-bit byte a one position to the left, letting the first bit  fall off  (but remember it) and shifting a zero into the last bit position. We write this operation  << 1. If that first bit of a was a 0, we are done. If the first bit was a 1, we need to add in (that is, xor in) x^8={1b},In summary, for a a byte, a * x = a *{02} is a<< 1 if the first bit of a is 0, and it is (a << 1) xor {1b} if the first bit of a is 1.

 

 For example, to compute {a1}*{03}={a1}*{02} xor  {a1}*{01}={42}*{1b}*{a1} = {f8}

All arithmetic is in GF(2), meaning that addition of bits is their xor and multiplication of bits is the conjunction(and).

 function expand(K)
K0 <- K
for i <-1 to 10 do
Ki[0] <- Ki-1[0] xor S(Ki-1[3] << 8) xor Ci
Ki[1] <-Ki-1[1] xor Ki[0]
Ki[2] <-Ki-1[2] xor Ki[1]
Ki[3] <-Ki-1[3] xor Ki[2]

return (K0...;K10)

 The AES128 key-expansion algorithm maps a 128-bit key K into eleven 128-bit subkeys,K0...K10. Constants (C1...;C10) are f02000000, 04000000, 08000000, 10000000, 20000000,40000000, 80000000g, 1B000000, 36000000, 6C000000.

Imagine plastering the 16 bytes of s = s0s1.. s15 going top-to-bottom, then left-to-right, to make a 4* 4 table:
s0 s4 s8 s12
s1 s5 s9 s13
s2 s6 s10 s14
s3 s7 s11 s15