Finite Fields

Introduction to Cryptography
Finite Fields
 In abstract algebra, a finite field or Galois
field (so named in honor of É variste Galois
[1811 – 1832] ) is a field that contains only
finitely many elements
 Finite fields are important in number theory,
algebraic geometry, Galois theory,
cryptography, and coding theory
 The finite fields are completely known
2
Finite Fields
1. Polynomial Ring GFp[x]
2. Galois Field GF4
3. Galois Fields GF8 and GF16
4. Galois Field GFpn
5. Multiplicative Group of GFpn

3
Galois Field GFp
 0 1  0 1
 Example 0 0 1 0 0 0
Cayley tables of GF2 1 1 0 1 0 1

 Example Solve 3 x + y + 4 z + 1 = 0
6x+5y+3z+6 = 0
x + 4 y + 2 z + 5 = 0 over GF7
 Solution
x+5y+6z+5=0 x +5=0 x = 2
y+3z+6=0  y +3=0  y = 4
z+1=0 z+1=0 z = 6
4
Polynomial Ring GFp[x]
 Polynomial ring F [x]
 The set of all polynomials whose coefficients are in
the field F with usual additions and multiplications
 Example (2x3 + 3x2 + 5x + 1)(5x2 + 3x + 2) =
3x5 + 3x3 + 5x2 + 6x + 2 in GF7[x]
 Definition The degree, denoted as deg(p(x)), of
p(x) = anx n + an -1x n -1 + … + a1x + a0  0 is the largest
m such that am  0
 Definition deg(0) =  
5
Polynomial Ring GFp[x]
 Definition The leading term of p(x), denoted as
LT(p(x)), is the monomial am x m with the highest
degree in p(x)
 Proposition For any nonzero p(x), q(x)  F [x],
1) p(x)q(x)  0
2) deg(p(x)q(x)) = deg(p(x)) + deg(q(x))
 Proof LT(p(x)q(x)) = LT(p(x))LT(q(x))  0 since F is a field

 Note Not necessarily true if F [x] is replaced by R [x]

6
Polynomial Ring GFp[x]
 Theorem (Division Algorithm) Given a(x), b(x)  F [x],
there exist q(x) [quotient] , r(x) [remainder]  F [x] such that a(x)
= b(x) q(x) + r(x) where r(x) = 0 or deg(r(x)) < deg(b(x))
 Proof (Sketch)
 a(x) = 0 : Take q(x) = r(x) = 0
 a(x)  0, deg(a(x)) < deg(b(x)) : Take q(x) = 0 and r(x) = a(x)
 a(x)  0, deg(a(x))  deg(b(x)) :
Let q1(x) = LT(a(x))/LT(b(x))  F [x], then a(x) =
b(x) q1(x) + a1(x) where a1(x) = 0 or deg(a1(x)) < deg(a(x)).
Continue until ak(x) = 0 or deg(ak(x)) < deg(b(x)).
Then r(x) = ak(x) and q(x) = q1(x) + … + qk(x)
7
Polynomial Ring GFp[x]
 Definition a(x), b(x), m(x)  F [x], then a(x) and b(x)
are congruent modulo m(x) [denoted by a(x)  b(x) (mod m(x))]
if a(x)  b(x)  < m(x) >
 Example Dividing a(x) = 3x4+5x+2 by b(x) = 2x3+x2+5
in GF11[x], we get a(x) = b(x)(7x+2) + (9x2+3x+3), thus
a(x) mod b(x) = 9x2+3x+3 and a(x)  9x2+3x+3 (mod b(x))
 Proposition Euclidean Algorithm and Extended
Euclidean Algorithm works in F [x]
 i.e. given a(x), b(x)  F [x], there exist u(x), v(x)  F [x]
such that a(x)u(x) + b(x)v(x) = gcd(a(x), b(x))
8
Polynomial Ring GFp[x]
 Definition An integral domain D is an Euclidean
domain if for each nonzero a  D there exists a
nonnegative d(a)  Z such that
1) If nonzero a, b  D, then d(a)  d(ab)

2) If a, b  D with b  0, then there exist q, r  D

such that a = bq + r, with r = 0 or d(r) < d(b)
 Example
 Z with d(a) = |a|
 F [x] with d(a(x)) = deg(a(x))
 Z [i] = {a + bi | a, b  Z } with d(a + bi) = |a + bi|2 = a2 + b2
9
Finite Fields
1. Polynomial Ring GFp[x]
2. Galois Field GF4
3. Galois Fields GF8 and GF16
4. Galois Field GFpn
5. Multiplicative Group of GFpn

10
Galois Field GF4
 We will construct GF4 in 3 ways
1) Set of Linear Polynomials
2) Set of Congruence Classes
3) Linear Combinations of a Fixed Root
 They look different, but essentially the same
 Note Z4 is not a field, since 2 does not have a
multiplicative inverse

11
Galois Field GF4
 Definition A non-constant polynomial p(x)  F [x] is
irreducible if its only divisors are its associates [ c p(x) ]
and the nonzero constant polynomials
 f (x) = x2+x+1 is irreducible over GF2
 It is confirmed by f (0) = f (1) = 1  0
 Note that f(x) = (x+2)2 over GF3

 Also f(x) = (x  )(x  2) over C where  = (-13 i ) / 2

 p(x) mod f (x) = 0, 1, x, or x+1 for any p(x)  GF2[x]

 Q：(1) Is f (x) irreducible over GF11 ?
(2) For any p(x)  GF11[x] , p(x) mod f (x) = ?
12
Galois Field GF4
1) GF4 as a Set of Linear Polynomials
 {a1x + a2 | ai = 0 or 1} with  and 
 (a1x + a2)  (b1x + b2) = (a1x + a2) + (b1x + b2) mod 2
 (a1x + a2)  (b1x + b2) = ((a1x + a2) (b1x + b2) mod x2+x+1 ) mod 2
 f(x) = a1x + a2  (a1 a2)2  2a1+a2
 0 1 x x+1  00 01 10 11  0 1 2 3
0 0 0 0 0 00 00 00 00 00 0 0 0 0 0
1 0 1 x x+1 01 00 01 10 11 1 0 1 2 3
x 0 x x+1 1 10 00 10 11 01 2 0 2 3 1
x+1 0 x+1 1 x 11 00 11 01 10 3 0 3 1 2

 Note Every nonzero element has a multiplicative inverse

13
Galois Field GF4
2) GF4 as a Set of Congruence Classes
 For f(x), g(x)  GF2[x], f(x)  g(x) (mod x2+x+1)
iff f(x) – g(x)  <x2+x+1>
 The congruence classes determined by the ideal
<x2+x+1> are [0], [1], [x], and [x+1]
 [f(x)]  [g(x)] = [f(x) + g(x)]
 [f(x)]  [g(x)] = [f(x) g(x)]
 GF4  GF2[x] / <x2+x+1>
 Quotient ring
14
Galois Field GF4
3) GF4 as Linear Combinations of a Fixed Root
 Assume  is a root of x2+x+1 over GF2
 2 + +1 = 0
 Higher power of  can be reduced by 2 =  +1
 e.g. ( +1)( +1) = 2 + 2 +1 = ( +1) +1 = 
 GF4 is the set {0, 1, ,  +1} with  and  modulo 2,
and the relation 2 =  +1

15
Finite Fields
1. Polynomial Ring GFp[x]
2. Galois Field GF4
3. Galois Fields GF8 and GF16
4. Galois Field GFpn
5. Multiplicative Group of GFpn

16
Galois Fields GF8 and GF16
 The elements of GF2n can be represented in a natural
way as binary numbers easily understood by hardware
 AES：GF28
 ECC：Elliptic Curves over GF2n or GFp where p is a prime,
not over GFpn where p > 2 and n > 1
 We look at GF2n for n = 3 and 4 now, then GFpn later
 GF8 can be represented as a2x2+a1x+a0 , ai  GF2
 GF16 can be represented as a3x3+a2x2+a1x+a0 , ai  GF2
 Additions are performed modulo 2
 Multiplications are defined below
17
Galois Fields GF8 and GF16
1) GF8 = GF23
 x3+x2+1 and x3+x+1 are the only irreducible
polynomials over GF2 of degree 3
 neither 0 nor 1 is is a root of either polynomial
 x8 x  x(x+1)(x3+x+1)(x3+x2+1) (mod 2) gives a
complete list of all the irreducible polynomials of
degree 1 and 3 over GF2
 GF8  GF2[x] / <x3+x2+1>  GF2[x] / <x3+x+1>
 e.g. in GF2[x] / <x3+x+1>
 [x2+1]  [x2+x] = [(x2+1) + (x2+x)] = [x+1]
 [x2+1]  [x2+x] = [(x2+1)(x2+x)] = [x4+x3+x2+x]
= [(x+1)(x3+x+1) + (x+1)] = [x+1]
18
Galois Fields GF8 and GF16
 Assume  is a root of x3+x+1 over GF2
  3 + +1 = 0, hence  3 =  1 =  +1 (mod 2)
  4 =  ( +1) =  2 +
  5,  6, and  7 = 1 are reduced similarly
 GF8* = < >
 Each field element is a root of x8  x since
1) 08 – 0 = 0
2) ( i )8 – ( i ) = ( 7)i   i   i =  i   i = 0
 ,  2, and  2 + are roots of x3+x+1
  +1,  2 +1, and  2 + +1 are roots of x3+x2+1
19
Galois Fields GF8 and GF16
 Definition F is a subfield of K and u  K, then
the uniquely determined monic polynomial g  F [x]
generating the ideal J = { f  F [x] | f (u) = 0 } of F [x]
is the minimal polynomial of u over F
 Example x3 +x2 +1 is the minimal polynomial of
 2 +1 over GF2 where  3 + +1 = 0, since
 x3 +x2 +1 is irreducible over GF2
 ( 2 +1)3 + ( 2 +1)2 + 1 =  6 +4 4 +5 2 +3
 ( +1)2 + 2 + 1  0 (mod 2)

20
Galois Fields GF8 and GF16
 Elements of GF8
Power Polynomial Binary Decimal / Hex Minimal
Notation Notation Notation Notation Polynomial
0 0 000 0 x
0 1 001 1 x+1
1  010 2 x3 + x + 1
2 2 100 4 x3 + x + 1
3 +1 011 3 x3 + x2+ 1
4 2 +  110 6 x3 + x + 1
5 2 +  + 1 111 7 x3 + x2+ 1
6 2 + 1 101 5 x3 + x2+ 1
21
Galois Fields GF8 and GF16
2) GF16 = GF24
 x4+x+1, x4+x3+1, and x4+x3+x2+x+1 are the only
irreducible polynomials over GF2 of degree 4
 x16 – x  x(x+1)(x2+x+1)(x4+x+1)(x4+x3+1)(x4+x3+x2+x+1)
(mod 2) gives a complete list of all the irreducible
polynomials of degree dividing 4, i.e., 1, 2, or 4
 GF16  GF2[x] / <x4+x+1>  GF2[x] / <x4+x3+1>
 GF2[x] / <x4+x3+x2+x+1>

22
Galois Fields GF8 and GF16
 Assume  is a root of x4+x+1 over GF2
  4 + +1 = 0, hence  4 =  1 =  +1 (mod 2)

 GF16* = < >

 Note If  is a root of x4+x3+x2+x+1, then GF16*  < >

since  5 = 1
 Fact
r r r
 (a+b)2 = a2+2ab+b2 = a2+b2, (a+b)2 = a2 +b2 in GF2n
r
 If u is a root of f (x) = … + c1x + c0  GF2[x], then
cmxm + is also u2
r r r
a root of f (x) for r  N, since f (u2 ) = cm(um)2 + … +c1u2 +c0
r r r1 r1
= cm2(um)2 + … +c1 +c0 = (cm(u ) +
2 u2 2 m 2 … +c1 u2 +c0)2
r r
= .... = (cmu + … +c1u+c0) = f (u) = 0
m 2 2
23
Galois Fields GF8 and GF16
 Irreducible Polynomials for the Modulus 2
n=1 e n=5 e n=7 e n=8 e 110000111 255
100101 31 10000011 127 100011011 51 110001011 85
10 1 10001001 127
101001 31 100011101 255 110001101 255
11 1 101111 31 10001111 127 110011111 51
110111 31 10010001 127 100101011 255
n=2 e 10011101 127 110100011 85
111011 31 100101101 255
10100111 127 110101001 255
111 3 111101 31 100111001 17
10101011 127 110110001 51
n=6 e 10111001 127 100111111 85
n=3 e 110111101 85
10111111 127 101001101 255 111000011 255
1011 7 1000011 63
11000001 127 101011111 255
1001001 9 11001011 127 111001111 255
1101 7 1010111 21 101100011 255 111010111 17
11010011 127
1011011 63 11010101 127 101100101 255 111011101 85
n=4 e
1100001 63 11100101 127 101101001 255 111100111 255
10011 15 1100111 63 11101111 127
1101101 63 101110001 255 111110011 51
11001 15 11110001 127
1110011 63 11110111 127 101110111 85 111110101 255
11111 5 1110101 21 11111101 127 101111011 85 111111001 85
24
Galois Fields GF8 and GF16
 Definition For nonzero f  GFq [x] with f (0)  0,
the least positive integer e for which f (x) | (x e 1) is
the order of f and denoted by ord( f ) = ord( f (x) )
 Theorem f is irreducible of degree m and f (0)  0,
then ord( f ) = the order of any root of f in the
multiplicative group GFqm*
 Proof See

25
Finite Fields
1. Polynomial Ring GFp[x]
2. Galois Field GF4
3. Galois Fields GF8 and GF16
4. Galois Field GFpn
5. Multiplicative Group of GFpn

26
Galois Field GFpn
 Definition F is a subfield of K, f(x)  F [x] is of
degree n, then K is the splitting field of f(x) if K is
the smallest field containing all roots of f(x), i.e., f(x)
= a(x  1)(x  2) … (x  n) where i  K for all i
 We will show that GFpn is the splitting field of
n
x – x, which contains exactly pn elements
p

27
Galois Field GFpn
 Theorem
 Assumptions：
 p is a prime
 q(x)  GFp[x] is irreducible with deg(q(x)) = n > 1
 S is a set of all polynomials of the form
an 1xn 1 + …+ a1x + a0 where ai  GFp
 f(x)  g(x) = f(x) + g(x) mod p
 f(x)  g(x) = (f(x)g(x) mod q(x)) mod p
 Conclusion：S with  and  is a field of pn
elements, which is GFpn
28
Galois Field GFpn
 Proof (Sketch)
 There are exactly pn polynomials
r(x) = an 1xn 1 + …+ a1x + a0 where ai  GFp
 These are the elements of GFpn
 For each nonzero r(x)  GFp[x], there exists
s(x)  GFp[x] such that
(r(x)s(x) mod q(x)) mod p = 1
since q(x) is irreducible
 s(x) is the multiplicative inverse of r(x) in GFpn

29
Galois Field GFpn
 Example Which quotient is isomorphic to GF64 ?
GF2 [ x] GF2 [ x]
A: B:
 x  x 1
6 2
 x6  x5  x 4  x3  x2  x  1
GF2 [x] GF2 [ x]
C: D:
 x6  x3  1  x6  x 4  x3  x2  1

Solution In GF2[x]:
 x6 + x2 +1 = (x3 + x + 1)2
 x6 + x5 + x4 + x3 + x2 + x +1 = (x3 + x2 + 1)(x3 + x + 1)
 x6 + x3 +1 is irreducible
 x6 + x4 + x3 + x2 +1 = (x2 + x + 1)(x4 + x3 + x2 + x +1 )
Hence GF2 [ x] 6 is a field of order 26 = 64
 x  x 1
3
30
Galois Field GFpn
 Corollary If f(x)  GFp[x], then GFpn contains
a root of f(x) for some n
 Proof (Sketch)
 There exists an irreducible q(x) | f(x)
 Use q(x) to construct GFpn where n = deg(q(x))
 For x  GFpn , (f(x) mod q(x)) mod p = 0
since q(x) | f(x), hence x is a root of f(x)

31
Galois Field GFpn
 Proposition The set K consisting of the roots of
xpn  x with  and  over GFp is a field
 Proof
 0, 1  K
n pn= pn=
 Suppose 1, 2 are roots of x –
p x, then 1 1 , 2 2
n n n
 1 +2  K since (1 +2 )p = 1p +2p = 1 +2
n n n
 1 2  K since (1 2 )p = 1 p 2 p = 1 2
n
 Suppose   0 with  p –  = 0
n n
 –  K since (– )p =  p =  = –  for p = 2, or
n n
(– )p = –  p = –  for odd prime p
n n
  –1  K since ( –1)p = ( p )–1 =  –1
32
Galois Field GFpn
 Lemma f(x) of degree n splitting completely has
n distinct roots iff f(x) and its (formal) derivative f (x)
are relatively prime
 Proof Write f(x) =  (x i )ki where i are distinct,
then f (x) =  ( ki (x i )ki  1 j  i (x j )kj )
 () ki = 1 for all i, then f (i )  0 for all i, so f(x)
and f (x) have no common factor
 () ki  1 for some i, then x i is a common factor

33
Galois Field GFpn
 Remark f (x) = xpn– x has no multiple roots over
GFp since f (x) = pnxpn1–1  –1 (mod p) relatively
prime to f(x)
 Remark The splitting field of xpn– x over GFp
consists precisely of its pn distinct roots
 This is another representation of GFpn
 Proposition f(x)  GFp[x] of degree n has at
most n distinct roots in GFpn
 Proof Use the Division Algorithm
34
Galois Field GFpn
 Remark Let F be a field. Then any polynomial f(x)
 F[x] has at most n roots
 Proof Use the Division Algorithm
 Example
 In Z8, 1, 3, 5, 7 are roots of x2  1 = 0
 Note that Z8 is not a field

35
Galois Field GFpn
 Theorem For each prime p and positive integer
n, there is exactly one field GFpn with pn elements
up to isomorphism, which is the splitting field of
n
xp – x over GFp
 up to isomorphism：any two fields with pn elements are
isomorphic

 Remark GFpn is a vector space over GFp with the

basis {xn–1, xn–2, …, x, 1}

36
Galois Field GFpn
 Proposition Any subfield of GFpn is of the form
GFpd, d |n
 Example GF224
GF212 GF28

GF26 GF24

GF23 GF22
GF2
37
Finite Fields
1. Polynomial Ring GFp[x]
2. Galois Field GF4
3. Galois Fields GF8 and GF16
4. Galois Field GFpn
5. Multiplicative Group of GFpn

38
Multiplicative Group of GFpn
 Definition G is a group, a  G, the order of a [denoted
as o(a)] is the smallest positive integer t such that at = 1
 Note If G is finite, then o(a) = o(<a>) | o(G) by
Lagrange’s Theorem
 Theorem GFpn* = <g > for some g  GFpn
 We will prove the theorem in the following way:
 For each d | (pn – 1), there are exactly  (d) elements of order
d in GFpn*
 In particular, there are  (pn – 1) generators

39
Multiplicative Group of GFpn
 Proof of Theorem (Sketch)
 Denote n(d) the number of elements in GFpn* of
order d
 For d | (pn 1), we have (xd 1) | (xpn1 – 1)
 n(q) = q  1 for prime q
 n(qm) = qm1 (q  1)
 n(ab) = n(a) n(b) for relatively prime a, b
 n(d) =  (d)

40
Multiplicative Group of GFpn
 Example Since P(x) = x5 + 2x + 1 is irreducible over
GF3, the quotient ring K = GF3[x] / (P(x)) is a finite field
 Let Q(x) = x2 + 2x + 1
 The number of elements in K is |K| = 35 = 243
 (K  {0}, ) is a cyclic group of order 242
 Q(x)1213 = Q(x)242．5 + 3 = Q(x)3 = 2x3 + x2 + 2x + 1 in K
 Since Q(x)(x4 + x3 + 2x + 1)  (x5 + 2x + 1)．x = 1, we have
Q(x)1 = x4 + x3 + 2x + 1 in K

41
Multiplicative Group of GFpn
 Definition f (x)  GFp[x] with deg(f (x)) = n is a
primitive polynomial if it is the minimal polynomial of
a primitive element [a generator of GFp ] in GFpn n

 Lemma If f is the minimal polynomial of   GFp , n

then f is irreducible
 Proof
 Suppose f(x) = a(x) b(x) for some a(x), b(x)  GFp[x]
 f ( ) = 0 = a( ) b( ) implies a( ) = 0 or b( ) = 0
 If a( ) = 0, then deg(a(x)) = deg(f (x)) since f (x) is the minimal
polynomial of , thus b(x) is a constant
 Similarly, if b( ) = 0, then a(x) is a constant
 Thus f(x) is irreducible 42
Multiplicative Group of GFpn
 Proposition The polynomial x  x is precisely
pn

the product of all the distinct irreducible polynomials

in GFp[x] of degree d where d runs through all
divisors of n
 Example
 x8  x = x(x + 1)(x3 + x + 1)(x3 + x2 + 1) (mod 2)
 x16  x  x(x+1)(x2+x+1)(x4+x+1)(x4+x3+1)(x4+x3+x2+x+1)
(mod 2)
 Q: How many irreducible polynomials of degree 7 over GF2?
43
Multiplicative Group of GFpn
 Theorem Given any prime p and n  P, there
exists at least one monic irreducible f (x)  GFp [x]
of degree n
 Proof (Sketch)
 Let  be a primitive element of GFpn , and f (x)
with deg(f (x)) = m be its minimal polynomial
 f (x) is irreducible by Lemma
 We obtain m = n by showing m  n and m  n

44
Multiplicative Group of GFpn
 Example
 To construct GF25 , we can use g(x) = x2 +3 GF5[x]
 g(0), g(1), g(2), g(3), g(4) mod 5 = 3, 4, 2, 2, 4 respectively
 None of these are zero, hence x2 +3 is irreducible over GF5
 To get a primitive element, we should find q(x) such that
(q(x)24 mod x2 +3) mod 5 = 1 and  1 with less power
 Take q(x) = x+3
 ((x+3)8 mod x2+3) mod 5 = 2x+2
 ((x+3)12 mod x2+3) mod 5 = 4
 ((x+3)24 mod x2+3) mod 5 = 1
 Q: Is g(x) a primitive polynomial? If not, how to get one?
45