
COM5336 Cryptography
Lecture 12
Construction & Basic Properties of Finite Fields
Scott CH Huang
COM5137: Finite Field and Its Applications in Engineering
Construction of Finite Fields
Ideas
• We wish to construct a finite field from a Euclidean domain.
• Elements of a Euclidean domain need not have multiplicative
inverses. We wish to find the cause of this and somehow "remove"
it.
• The idea of "removing this cause" is analogous to "dividing an
algebraic structure" by it.
Equivalence Relations
• Let S be any set. A relation ~ on S is an equivalence relation iff
the following three conditions hold:
– Reflexivity: a~a for any a in S.
– Symmetry: For any a,b in S, a~b implies b~a.
– Transitivity: For any a,b,c in S, if a~b and b~c then a~c.
• Any equivalence relation on a set induces a partition of this
set.
Equivalence Relation on an Algebraic Structure
• We may be able to define similar operations on the partitioned
subsets (the equivalence classes).
• However, we have to make sure such operations are well-defined,
i.e. the result does not depend on which representatives of the
classes are chosen.
• The resulting "quotient" structure may be similar to the
mother structure, e.g. quotient groups, quotient rings,
quotient spaces (of a vector space), …
Theorem
• Let D be a Euclidean domain and p a prime element of D. Then
D mod p (the ring of residues modulo p) is a field.
• Application: a polynomial ring over a field is a Euclidean
domain, and its primes are the irreducible polynomials. Find an
irreducible polynomial; then the ring of residues modulo that
polynomial is a field.
Direct Construction of Finite Fields
• Consider the polynomial ring over a field. Find an
irreducible polynomial. Then the ring of residues modulo that
polynomial is a field.
• In short, if we consider the polynomial ring over GF(p) and
find an irreducible polynomial of degree n, then the ring of
residues modulo it is a finite field of p^n elements. This is how
we construct the Galois field GF(p^n).
• GF(p^n) is also written as F_{p^n} in some math books.
An Example: GF(2^8) in AES
• The irreducible polynomial over GF(2): x^8 + x^4 + x^3 + x + 1.
• GF(2^8) = GF(256) is constructed as the polynomials over GF(2)
of degree less than 8, added and multiplied modulo
x^8 + x^4 + x^3 + x + 1. Each element is one byte: bit i is the
coefficient of x^i.
Alternative View of GF(pn)
• Let p(x) be the irreducible polynomial of degree n used to
construct GF(p^n).
• We can view GF(p^n) as follows. "Imagine" α is a solution to
the equation p(x) = 0. Then GF(p^n) is a vector space over
GF(p) with basis {1, α, α^2, …, α^(n-1)} and an "extra" relation
p(α) = 0.
• For example: Let α be a solution to α^8 + α^4 + α^3 + α + 1 = 0.
GF(2^8) is a vector space over GF(2) with basis
{1, α, α^2, …, α^7} with the relation
α^8 = α^4 + α^3 + α + 1.
Number of Elements in Finite Fields
• Theorem: Let F be a finite field. Then the characteristic of F
is a prime number p, and |F| = p^n for some integer n ≥ 1.
Basic Properties of Finite Fields
Homomorphism
• A homomorphism is a structure-preserving map between two
algebraic structures.
• The definition depends on the type of algebraic structure
under consideration.
• A group homomorphism is a homomorphism between two
groups.
• A ring homomorphism is a homomorphism between two rings.
Group Homomorphism
• A group homomorphism from (G,*) to (H,·) is a function
h: G → H such that h(a*b) = h(a)·h(b) for all a, b in G.
Group Homomorphism (cont)
• We define the kernel of h to be the set of elements in G which
are mapped to the identity in H, i.e., Ker(h) = {g in G : h(g) = e_H}.
• We define the image of h to be Im(h) = {h(g) : g in G}.
• Ker(h) is a (normal) subgroup of G and Im(h) is a subgroup of
H.
• Lagrange's Theorem: If G is a finite group and H is a subgroup
of G, then |H| divides |G|.
Ring Homomorphism
• A ring homomorphism from R to S is a function h: R → S such that
– h(u+v)=h(u)+h(v)
– h(uv)=h(u)h(v)
• The kernel of h is defined to be the set of elements in R
mapped to 0 in S, i.e., Ker(h) = {r in R : h(r) = 0}.
• Ker(h) is an ideal of R and Im(h) is a subring of S.
Isomorphism
• If a homomorphism is bijective (both injective and surjective),
it is called an isomorphism.
Subfield and Field Extension
• If K and F are both fields and K ⊆ F, then F is called a field
extension of K and K is called a subfield of F.
• We can view F as a vector space over K by defining the
scalar product as field multiplication.
Ring Homomorphism from Zp to F
• Let F be a finite field and p its characteristic, i.e. the least
p > 0 such that 1+1+…+1 (p times) = 0 in F.
• p must be a prime. (why?)
• Define h: Zp → F as follows:
– h(0)=0, h(1)=1.
– h(n+1)=h(n)+h(1).
• h is a ring homomorphism, i.e.,
– h(m+n)=h(m)+h(n)
– h(mn)=h(m)h(n)
Ring Homomorphism from Zp to F
• h is injective.
• Im(h) is a subfield of F.
• Therefore, F contains a subfield isomorphic to Zp. This
subfield is called the prime subfield of F.
• Every field of characteristic p (p<∞) contains a prime subfield
isomorphic to Zp. Likewise, every field of characteristic 0
contains a prime subfield isomorphic to Q, the rational numbers.
Cyclic Subgroup and Order of an Element
• Let G be a finite group and α ∈ G.
• Since G is finite, the set {e, α, α^2, …} is finite. At some point,
there must be some repetition.
• Let α^k = α^(k+t) be the first repetition. Then α^t = e (multiply
both sides by α^(-k)). This t is called the order of α, denoted by
ord(α).
Multiplicative Structure of a Finite Field
• Given a finite field F with q elements. Consider the multiplicative
group F* = F \ {0}, which has q-1 elements.
• For any α ∈ F*, we have α^(q-1) = 1 (Lagrange's theorem applied
to the cyclic subgroup generated by α).
• Lemma: If p(x) ∈ F[x] and deg(p(x)) = m, then p(x) = 0 can
have at most m solutions in F.
• Lemma: Let ord(α)=t. Then ord(α^i) = t/gcd(i,t).
The Euler φ-function
• φ(n) is defined as the number of integers in {1,2,…,n} that
are relatively prime to n (so φ(1) = 1).
• Formally, φ(n) = |{k : 1 ≤ k ≤ n, gcd(k,n) = 1}|.
• The multiplicative group of units of Zn has φ(n) elements.
• Theorem: In any field F, there are either no elements of
order t or exactly φ(t) elements of order t.
• Theorem: Let F be a finite field with q elements and t ≥ 1. If t
does not divide (q-1), then there are no elements of order t. If
t divides (q-1), then there are exactly φ(t) elements of order t.
• Corollary: In any finite field F of size q, there exists at least
one element α of order q-1, i.e., the multiplicative group F* is
cyclic. (This can also be proved by applying the Fundamental
Theorem of Finite Abelian Groups.)
• Definition: Such an α is called a primitive root (primitive
element) of F.
Fundamental Theorem of Finite Abelian Groups
Every finite abelian group G can be expressed as the direct
sum of cyclic subgroups of prime-power order. In other words,
every finite abelian group is isomorphic to Z_k1 × Z_k2 × … × Z_kr,
where either every k_i is a power of a prime (primary
decomposition), or, equivalently, k1|k2, k2|k3, … (invariant
factor decomposition).
An Example of Finite Abelian Group Decomposition
360 = 2^3 * 3^2 * 5. There are 3 * 2 * 1 = 6 abelian groups of order
360 (one partition of each exponent); each appears in both forms:

Primary decomposition              Invariant factor decomposition
Z2 × Z2 × Z2 × Z3 × Z3 × Z5        Z2 × Z6 × Z30
Z2 × Z2 × Z2 × Z9 × Z5             Z2 × Z2 × Z90
Z2 × Z4 × Z3 × Z3 × Z5             Z6 × Z60
Z2 × Z4 × Z9 × Z5                  Z2 × Z180
Z8 × Z3 × Z3 × Z5                  Z3 × Z120
Z8 × Z9 × Z5                       Z360
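The following Python program is an added example, not part of the lecture slides: it enumerates every abelian group of a given order as a primary decomposition (one partition of each prime exponent) and converts between the two forms of the fundamental theorem, so the table above for 360 can be regenerated and checked. The function names (abelian_groups, primary_to_invariant, invariant_to_primary) are this example's own; factorisation is by trial division, which is an assumption that only suits small orders.

```python
"""Abelian groups of order n: enumerate primary decompositions and convert them
to invariant factors k1 | k2 | ... | kr, and back."""
from collections import defaultdict
from itertools import product


def factorize(n):
    """Prime factorisation {p: exponent} by trial division (fine for small n)."""
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def partitions(n, largest=None):
    """All partitions of n as non-increasing tuples, e.g. 3 -> (3,), (2,1), (1,1,1)."""
    largest = n if largest is None else largest
    if n == 0:
        yield ()
        return
    for k in range(min(n, largest), 0, -1):
        for rest in partitions(n - k, k):
            yield (k,) + rest


def abelian_groups(n):
    """Every abelian group of order n exactly once, as a sorted list of prime
    powers (its primary decomposition): one partition of each exponent."""
    choices = [[tuple(p ** k for k in part) for part in partitions(a)]
               for p, a in factorize(n).items()]
    return [sorted(sum(choice, ())) for choice in product(*choices)]


def primary_to_invariant(prime_powers):
    """Primary decomposition -> invariant factors.  The largest factor collects
    the largest power of every prime, the next one the second-largest powers,
    and so on; the result is ascending, so k1 | k2 | ... | kr."""
    by_prime = defaultdict(list)
    for q in prime_powers:
        by_prime[min(factorize(q))].append(q)   # min(...) is the prime of q
    columns = [sorted(v, reverse=True) for v in by_prime.values()]
    factors = []
    for i in range(max(len(c) for c in columns)):
        k = 1
        for c in columns:
            if i < len(c):
                k *= c[i]
        factors.append(k)
    return sorted(factors)


def invariant_to_primary(factors):
    """Invariant factors -> primary decomposition: split each k_i into prime powers."""
    return sorted(p ** a for k in factors for p, a in factorize(k).items())


if __name__ == "__main__":
    for g in abelian_groups(360):
        inv = primary_to_invariant(g)
        assert invariant_to_primary(inv) == g
        print(" x ".join(f"Z{q}" for q in g), " = ", " x ".join(f"Z{k}" for k in inv))
```

Running it prints the six rows of the table above; the round trip primary → invariant → primary is asserted for each group.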
Proof of Existence of Primitive Elements
• Let F be a finite field with q elements. Then F* = F \ {0} is a
finite abelian group of order q-1.
• Apply the fundamental theorem of finite abelian groups with the
invariant factor decomposition: F* ≅ Z_k1 × Z_k2 × … × Z_kr,
where k1 | k2 | … | kr and k1·k2·…·kr = q-1.
• Therefore every element of F* has order dividing kr, i.e.
α^kr = 1 for all α ∈ F*.
• The above means every element of F* is a solution to the
equation x^(kr+1) - x = 0, which has degree kr+1.
• Moreover, 0 is also a solution to this equation, so this
equation has exactly q solutions in F.
• Since the number of solutions in a field cannot exceed the
degree, q ≤ kr+1, and kr ≤ q-1 since kr divides q-1. Hence
kr = q-1, so F* ≅ Z_(q-1) is cyclic and there exists an element
of order q-1.
Gauss's Algorithm
1. Set i=1. Pick α_1 ∈ F*. Let ord(α_1)=t_1.
2. If t_i = q-1, stop and return α_i.
3. Otherwise choose β ∈ F* such that β is not a power of α_i. Let
ord(β)=s. If s=q-1, stop and return α_(i+1) = β.
4. Otherwise find d|t_i and e|s with gcd(d,e)=1 and
de=lcm(t_i,s). Let α_(i+1) = α_i^(t_i/d) · β^(s/e) and
t_(i+1)=lcm(t_i,s). Set i=i+1 and go to step 2.
• Why step 4 works: ord(α_i^(t_i/d)) = d and ord(β^(s/e)) = e, so by
the lemma below ord(α_(i+1)) = de = lcm(t_i,s). Since β is not a
power of α_i, s does not divide t_i (the t_i roots of x^t_i - 1 are
exactly the powers of α_i), so t_(i+1) > t_i and the algorithm
terminates.
• Lemma: Let ord(α)=m, ord(β)=n. gcd(m,n)=1. Then
ord(αβ)=mn
Minimal Polynomials
• Theorem 5.9: Let F be a finite field of size p^m and α ∈ F. Then
there is a polynomial p(x) ∈ Zp[x] (where Zp is the prime
subfield of F) such that
– p(α)=0
– deg(p) ≤ m
– If f(x) ∈ Zp[x] is such that f(α)=0, then p(x)|f(x).
• Such a p(x) is called a minimal polynomial of α w.r.t. Zp. If we
only consider monic polynomials, then the minimal
polynomial is unique.
Primitive Polynomials
• For any finite field F and α ∈ F, the minimal polynomial of α
exists. (Why?)
• The minimal polynomial of a primitive root of F is called a
primitive polynomial.
• It is quite convenient to represent a finite field using its
primitive polynomial.
• Let F be a finite field and K be a subfield (not necessarily
the prime subfield). Let α ∈ F. Then there is a unique monic
polynomial p(x) ∈ K[x] such that
– p(α)=0
– If f(x) ∈ K[x] is such that f(α)=0, then p(x)|f(x).
• Lemma: Let F be a finite field and K be a subfield (not
necessarily the prime subfield) with |K| = q. Let α ∈ F. Then
α ∈ K iff α^q = α.
Conjugates
• Let K ⊆ F be two fields with |K| = q, and let p(x) ∈ K[x]. If
p(α)=0, then p(α^q)=0.
• Therefore, if α is a zero of p(x), so are α^q, α^(q^2), α^(q^3), …
• These elements are called the conjugates of α.
Number of Distinct Conjugates
• The number d of distinct conjugates of α is called the degree
of α (w.r.t. K).
• Theorem: Let d be the degree of α and n the dimension of F as a
vector space over K. Then d|n, and d can be determined
as the smallest integer d ≥ 1 for which α^(q^d) = α
holds. Moreover, if
then
Explicit Formula for Minimal Polynomial
• Let F be a finite field and K be one of its subfields with
|K| = q and |F| = q^n. Let α ∈ F. Then the minimal polynomial
of α w.r.t. K is given by
p(x) = (x - α)(x - α^q)(x - α^(q^2)) ⋯ (x - α^(q^(d-1))),
where d is the degree of α w.r.t. K. The product runs over the
conjugates of α, so its coefficients lie in K even though each
factor does not.
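The following Python program is an added example, not part of the lecture slides. It ties the construction and the properties above together on the AES field GF(2^8) with modulus x^8 + x^4 + x^3 + x + 1: elements are bytes in the polynomial basis {1, α, …, α^7}, multiplication reduces by the modulus, element orders are computed and counted against φ(t), Gauss's algorithm finds a primitive root, and minimal polynomials are formed as the product over the Frobenius conjugates (q = 2 here, since the subfield is the prime field GF(2)). Choosing β as the smallest element that is not a power of α_i is an assumption of this example, since the slide leaves the choice free; the function names (gf_mul, gauss_primitive, min_poly, …) are this example's own.

```python
"""GF(2^8) built as GF(2)[x] modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.

A field element is an 8-bit int whose bits are the coefficients of a polynomial
of degree < 8 (bit i <-> x^i).  0x02 is the element x, i.e. the root alpha of m(x)."""
from math import gcd

MODULUS = 0x11B   # x^8 + x^4 + x^3 + x + 1, coefficient bits with bit 8 set
Q = 256           # |GF(2^8)|; the multiplicative group has Q - 1 = 255 elements


def gf_mul(a, b):
    """Multiply two elements: shift-and-add, reducing by m(x) whenever bit 8 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
    return r


def gf_pow(a, e):
    """a^e by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def order(a):
    """ord(a): the least t > 0 with a^t = 1.  a^(Q-1) = 1, so t divides Q - 1."""
    assert a != 0, "0 is not in the multiplicative group"
    return next(t for t in range(1, Q) if (Q - 1) % t == 0 and gf_pow(a, t) == 1)


def phi(n):
    """Euler's totient: number of k in {1, ..., n} with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def count_of_order(t):
    """Number of field elements of multiplicative order t (0 or phi(t) by the theorem)."""
    return sum(1 for a in range(1, Q) if order(a) == t)


def gauss_primitive(start):
    """Gauss's algorithm: raise the order of alpha until it reaches Q - 1.
    Example's own choice: beta is the smallest element that is not a power of alpha."""
    alpha, t = start, order(start)
    while t != Q - 1:
        powers = {gf_pow(alpha, i) for i in range(t)}
        beta = next(b for b in range(1, Q) if b not in powers)
        s = order(beta)
        if s == Q - 1:
            return beta
        l = t * s // gcd(t, s)
        # split l = d * e with d | t, e | s, gcd(d, e) = 1; then ord(alpha^(t/d) * beta^(s/e)) = d*e
        d = next(d for d in range(1, t + 1)
                 if t % d == 0 and s % (l // d) == 0 and gcd(d, l // d) == 1)
        e = l // d
        alpha, t = gf_mul(gf_pow(alpha, t // d), gf_pow(beta, s // e)), l
    return alpha


def conjugates(a):
    """a, a^2, a^4, ... (the Frobenius orbit over GF(2)) until it wraps around to a."""
    cs, c = [], a
    while c not in cs:
        cs.append(c)
        c = gf_mul(c, c)
    return cs


def min_poly(a):
    """Minimal polynomial of a over GF(2): the product of (x + c) over its conjugates c.
    The product is formed with coefficients in GF(2^8); they come out in {0, 1} and
    are packed into an int like a field element (bit i <-> x^i)."""
    poly = [1]                              # coefficients, lowest degree first
    for c in conjugates(a):
        new = [0] * (len(poly) + 1)
        for i, coef in enumerate(poly):
            new[i + 1] ^= coef              # x * coef
            new[i] ^= gf_mul(coef, c)       # c * coef
        poly = new
    assert all(coef in (0, 1) for coef in poly), "coefficients must lie in GF(2)"
    return sum(coef << i for i, coef in enumerate(poly))


if __name__ == "__main__":
    print("ord(0x02) =", order(0x02), " ord(0x03) =", order(0x03))
    g = gauss_primitive(0x02)
    print("primitive element from Gauss's algorithm:", hex(g), "of order", order(g))
    print("min poly of x = 0x02:", hex(min_poly(0x02)), "(the AES modulus itself)")
    print("min poly of 0x03:", hex(min_poly(0x03)), "(a primitive polynomial)")
    for t in (255, 51, 7):
        print(f"elements of order {t}: {count_of_order(t)} (phi = {phi(t)})")
```

Two things worth noticing when running it: the element x = 0x02 is a root of the AES modulus, so its minimal polynomial is the modulus itself, yet its order is only 51, so the AES polynomial is irreducible but not primitive; 0x03 has order 255 and is the generator used for the usual AES log/antilog tables. The counts of elements of order 255 and 51 match φ(255) = 128 and φ(51) = 32, and no element has order 7 because 7 does not divide 255.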