## Two snippets that I rewrite every three or four months…April 23rd, 2013 Patrick Stein

A friend of mine is taking a cryptography course this semester. One of his current homework problems involves creating $n$, $e$, and $d$ values for RSA Encryption. Always one to play the home game when math is involved, I found myself rewriting two snippets of code that I always end up writing any time I do any number-theory related coding.

One of them is simple EXPONENT-MODULO that takes a base $b$, an exponent $e$, and a modulus $m$ and returns $b^e \pmod m$. There are more efficient ways to do this, but this one is much faster than the naïve method and quite easy to rewrite every time that I need it. The idea is that when $e$ is odd, you recursively calculate $b^{e-1} \pmod m$ and return $b \cdot b^{e-1} \pmod m$. When $e$ is even, you recursively calculate $a = b^{e/2} \pmod m$ and return $a^2 \pmod m$.

(defun expt-mod (b e m)
(cond
((zerop e) 1)
((evenp e) (let ((a (expt-mod b (/ e 2) m)))
(mod (* a a) m)))
(t (mod (* b (expt-mod b (1- e) m)) m))))

The other snippet of code is a good deal trickier. Every time I need it, I spend way more time than I want to futzing with examples, getting lost in subscripts, etc. So, while I could rewrite the above in a moment, what’s below, I hope I have the search-fu to find this post next time I need it.

If you have a number $n$ and some number $a$ which is relatively prime to (shares no factors except for one with) $n$, then there exists some number $b$ such that $a \cdot b \equiv 1 \pmod n$. And, in fact, all such numbers $b$ for a given $a$ differ by a multiple of $n$, so there is a unique such $b \in [1,n)$.

Another way of saying $a$ and $n$ are relatively prime is to say that their greatest common divisor $\gcd(a,n)$ is one. Besides being the biggest number that divides into both $n$ and $a$, the $\gcd(a,n)$ is also the smallest positive number expressible as $x \cdot a + y \cdot n$ for integers $x$ and $y$. If you keep track of the steps you use when calculating the greatest common divisor (which in this case is $1$) while using the Euclidean algorithm you can (with enough care) backtrack through the steps and determine $x$ and $y$ for your given $a$ and $n$.

For example, suppose you had $n = 40$ and $a = 31$. You want to know what $b$ you’d need for $31b \equiv 1 \pmod{40}$.
The steps in the Euclidean algorithm show:

$\begin{array}{rcl}40 & = & 31 \cdot 1 + 9 \\31 & = & 9 \cdot 3 + 4 \\9 & = & 4 \cdot 2 + 1\end{array}$

Working backwards, you can express $1$ as a combination of $x_0 \cdot 4 + y_0 \cdot 9$. Then, you can express $4$ as a combination of $x_1 \cdot 9 + y_1 \cdot 31$ and so on:

$\begin{array}{rcl}1 & = & (-2)\cdot4 + 9\cdot{1} \\ & = & (-2)\cdot\left((-3)\cdot9 + 31\right) + 9\cdot{1} \\ & = & (-2)\cdot31 + 7\cdot9 \\ & = & (-2)\cdot31 + 7\cdot(40 - 31\cdot1) \\ & = & (-9)\cdot31 + 7\cdot(40) \equiv 1 \pmod{40}\end{array}$

Wheee… in my example chosen to be easy to backtrack, the answer comes out to be $-9$ which is equal to $31$ modulo $40$. So, $31^2 \equiv 1 \pmod{40}$. I picked a lucky number that is its own inverse modulo $40$. It’s not usually like that. For example, $3 \cdot 27 \equiv 7 \cdot 23 \equiv 1 \pmod{40}$.

So, anyhow, here’s a function that takes $a$ and $n$ and returns two values $x$ and $y$ so that $x\cdot{}a + y\cdot{}n \equiv \gcd(a,n) \pmod n$.

(defun gcd-as-linear-combination (a n)
(multiple-value-bind (q r) (truncate n a)
(if (zerop r)
(values 1 0)
(multiple-value-bind (x y) (gcd-as-linear-combination r a)
(values (- y (* q x)) x)))))

Assuming that $a$ and $n$ are relatively prime with $a < n$, the first value returned is $a$‘s inverse modulo $n$.

## Visualizing Galois FieldsMay 17th, 2012 Patrick Stein

Galois fields are used in a number of different ways. For example, the AES encryption standard uses them.

### Arithmetic in Galois Fields

The Galois fields of size $2^n$ for various $n$ are convenient in computer applications because of how nicely they fit into bytes or words on the machine. The Galois field $GF(2^n)$ has $2^n$ elements. These elements are represented as polynomials of degree less than $n$ with all coefficients either 0 or 1. So, to encode an element of $GF(2^n)$ as a number, you need an $n$-bit binary number.

For example, let us consider the Galois field $GF(2^3)$. It has $2^3 = 8$ elements. They are (as binary integers) $000$, $001$, $010$, $011$, $100$, $101$, $110$, and $111$. The element $110$, for example, stands for the polynomial $x^2 + x$. The element $011$ stands for the polynomial $x + 1$.

The coefficients add together just like the integers-modulo-2 add. In group theory terms, the coefficients are from $\mathbb{Z}/2\mathbb{Z}$. That means that $0 + 0 = 0$, $0 + 1 = 1$, $1 + 0 = 1$, and $1 + 1 = 0$. In computer terms, $a + b$ is simply $a$ XOR $b$. That means, to get the integer representation of the sum of two elements, we simply have to do the bitwise-XOR of their integer representations. Every processor that I’ve ever seen has built-in instructions to do this. Most computer languages support bitwise-XOR operations. In Lisp, the bitwise-XOR of $a$ and $b$ is (logxor a b).

Multiplication is somewhat trickier. Here, we have to multiply the polynomials together. For example, $(x + 1) \cdot x = x^2 + x$. But, if we did $(x^2 + x) \cdot x$, we’d end up with $x^3 + x^2$. We wanted everything to be polynomials of degree less than $n$ and our $n$ is 3. So, what do we do?

What we do, is we take some polynomial of degree $n$ that cannot be written as the product of two polynomials of less than degree $n$. For our example, let’s use $x^3 + x + 1$ (which is $1011$ in our binary scheme). Now, we need to take our products modulo this polynomial.

You may not have divided polynomials by other polynomials before. It’s a perfectly possible thing to do. When we divide a positive integer $a$ by another positive integer $b$ (with $b$ bigger than 1), we get some answer strictly smaller than $a$ with a remainder strictly smaller than $b$. When we divide a polynomial of degree $m$ by a polynomial of degree $n$ (with $n$ greater than zero), we get an answer that is a polynomial of degree strictly less than $m$ and a remainder that is a polynomial of degree strictly less than $n$.

Dividing proceeds much as long division of integers does. For example, if we take the polynomial (with integer coefficients) $x^3 + 2x + 5$ and divide it by the polynomial $x + 3$, we start by writing it as:

$x + 3 \overline{\left) x^3 + 0x^2 + 2x + 5\right.}$
We notice that to get $(x+3) \cdot q(x)$ to start with $x^3$, we need $q(x)$ to start with $x^2$. We then proceed to subtract $(x+3) \cdot x^2$ and then figure out that we need a $-3x$ for the next term, and so on. We end up with $x^2 - 3x + 11$ with a remainder of $-28$ (a degree zero polynomial).

$\begin{array}{ccrcrcrcr}& & & & x^2 & - & 3x & + & 11 \\& \multicolumn{8}{l}{\hrulefill} \\(x+3) & ) & x^3 & + & 0x^2 & + & 2x & + & 5 \\& & x^3 & + & 3x^2 & & & & \\& & \multicolumn{3}{l}{\hrulefill} & & & & \\& & & - & 3x^2 & + & 2x & & \\& & & - & 3x^2 & - & 9x & & \\& & & \multicolumn{4}{l}{\hrulefill} & & \\& & & & & & 11x & + & 5 \\& & & & & & 11x & + & 33 \\& & & & & & \multicolumn{3}{l}{\hrulefill} \\& & & & & & & - & 28\end{array}$
For the example we cited earlier we had $x^3 + x^2$ which we needed to take modulo $x^3 + x + 1$. Well, dividing $x^3 + x^2$ by $x^3 + x + 1$, we see that it goes in one time with a remainder of $x^2 + x + 1$. [Note: addition and subtraction are the same in $GF(2^n)$.]

$\begin{array}{ccrcrcrcr}& & & & & & & & 1 \\& \multicolumn{8}{l}{\hrulefill} \\(x^3+x+1) & ) & x^3 & + & x^2 & + & 0x & + & 0 \\& & x^3 & + & 0x^2 & + & x & + & 1 \\& & \multicolumn{7}{l}{\hrulefill} \\& & & & x^2 & + & x & + & 1\\\end{array}$
For a reasonable way to accomplish this in the special case of our integer representations of polynomials in $GF(2^n)$, see this article about Finite Field Arithmetic and Reed Solomon Codes. In (tail-call style) Lisp, that algorithm for $GF(2^8)$ might look something like this to multiply $a$ times $b$ modulo $m$:

(flet ((next-a (a)
(ash a -1))
(next-b (b)
(let ((overflow (plusp (logand b #x80))))
(if overflow
(mod (logxor (ash b 1) m) #x100)
(ash b 1)))))
(labels ((mult (a b r)
(cond
((zerop a) r)
((oddp a) (mult (next-a a) (next-b b) (logxor r b)))
(t (mult (next-a a) (next-b b) r)))))
(mult a b 0)))

### How is the Galois field structured?

The additive structure is simple. Using our 8-bit representations of elements of $GF(2^8)$, we can create an image where the pixel in the $i$-th row and $j$-th column is the sum (in the Galois field) of $i$ and $j$ (written as binary numbers). That looks like this:

Just before the above-mentioned article hit reddit, I got to wondering if the structure of the Galois field was affected at all by the choice of polynomial you used as the modulus. So, I put together some code to try out all of the polynomials of order 8.

Remember way back at the beginning of multiplication, I said that the modulus polynomial had to be one which couldn’t be written as the product of two polynomials of smaller degree? If you allow that, then you have two non-zero polynomials that when multiplied together will equal your modulus polynomial. Just like with integers, if you’ve got an exact multiple of the modulus, the remainder is zero. We don’t want to be able to multiply together two non-zero elements to get zero. Such elements would be called zero divisors.

Zero divisors would make these just be Galois rings instead of Galois fields. Another way of saying this is that in a field, the non-zero elements form a group under multiplication. If they don’t, but multiplication is still associative and distributes over addition, we call it a ring instead of a field.

Galois rings might be interesting in their own right, but they’re not good for AES-type encryption. In AES-type encryption, we’re trying to mix around the bits of the message. If our mixing takes us to zero, we can never undo that mixing—there is nothing we can multiply or divide by to get back what we mixed in.

So, we need a polynomial that cannot be factored into two smaller polynomials. Such a polynomial is said to be irreducible. We can just start building an image for the multiplication for a given modulus and bail out if it has two non-zero elements that multiply together to get zero. So, I did this for all elements which when written in our binary notation form odd numbers between (and including) 100000001 and 111111111 (shown as binary). These are the only numbers which could possibly represent irreducible polynomials of degree 8. The even numbers are easy to throw out because they can be written as $x$ times a degree 7 polynomial.

The ones that worked were: 100011011, 100011101, 100101011, 100101101, 100111001, 100111111, 101001101, 101011111, 101100011, 101100101, 101101001, 101110001, 101110111, 101111011, 110000111, 110001011, 110001101, 110011111, 110100011, 110101001, 110110001, 110111101, 111000011, 111001111, 111010111, 111011101, 111100111, 111110011, 111110101, and 111111001. That first one that worked (100011011) is the one used in AES. Its multiplication table looks like:

Here’s it is again on the left with the multiplication table when 110011111 is the modulus on the right:

So, the addition image provides some insight into how addition works. The multiplication tables, at least for me, provide very little insight into anything. They don’t even make a good stereo pair.

To say two of the multiplication tables have the same structure, means there is some way to map back and forth between them so that the multiplication still works. If we have table $X$ and table $Y$, then we need an invertible function $f$ such that $f(a \cdot_X b) = f(a) \cdot_Y f(b)$ for all $a$ and $b$ in the table $X$.

### What’s next?

If there is an invertible map between two multiplication tables and there is some element $a$ in the first table, you can take successive powers of it: $a$, $a^2$, $a^3$, $\ldots$. There are only $2^n$ elements in $GF(2^n)$ no matter which polynomial we pick. So, somewhere in there, you have to start repeating. In fact, you have to get back to $a$. There is some smallest, positive integer $k$ so that $a^{k+1} \equiv a$ in $GF(2^n)$. If we pick $a = 0$, then we simply have that $k = 1$. For non-zero $a$, we are even better off because $a^k \equiv 1$.

So, what if I took the powers of each element of $GF(2^n)$ in turn? For each number, I would get a sequence of its powers. If I throw away the order of that sequence and just consider it a set, then I would end up with a subset of $GF(2^n)$ for each $a$ in $GF(2^n)$. How many different subsets will I end up with? Will there be a different subset for each $a$?

I mentioned earlier that the non-zero elements of $GF(2^n)$ form what’s called a group. The subset created by the powers of any fixed $a$ forms what’s called a subgroup. A subgroup is a subset of a group such that given any two members of that subset, their product (in the whole group) is also a member of the subset. As it turns out, for groups with a finite number of elements, the number of items in a subgroup has to divide evenly into the number of elements in the whole group.

The element zero in $GF(2^n)$ forms the subset containing only zero. The non-zero elements of $GF(2^n)$ form a group of $2^n - 1$ elements. The number $2^n - 1$ is odd (for all $n \ge 1$). So, immediately, we know that all of the subsets we generate are going to have an odd number of items in them. For $GF(2^8)$, there are 255 non-zero elements. The numbers that divide 255 are: 1, 3, 5, 15, 17, 51, 85, and 255.

It turns out that the non-zero elements of $GF(2^n)$ form what’s called a cyclic group. That means that there is at least one element $a$ whose subset is all $2^n - 1$ of the non-zero elements. If take one of those $a$‘s in $GF(2^8)$ whose subset is all 255 of the elements, we can quickly see that the powers of $a^3$ form a subset containing 85 elements, the powers of $a^5$ form a subset containing 51 elements, …, the powers of $a^{85}$ form a subset containing 3 elements, and the powers of $a^{255}$ form a subset containing 1 element. Further, if both $a$ and $b$ have all 255 elements in their subset, then $a^k$ and $b^k$ will have the same number of elements in their subsets for all $k$. We would still have to check to make sure that if $a^i + a^j = a^k$ that $b^i + b^j = b^k$ to verify the whole field structure is the same.

This means there are only 8 different subset of $GF(2^8)$‘s non-zero elements which form subgroups. Pictorially, if we placed the powers of $a$ around a circle so that $a^0 = 1$ was at the top and the powers progressed around the circle and then drew a polygon connecting consecutive points, then consecutive points in the $a^3$ sequence and consecutive points in the $a^5$ sequence, etc…. we’d end up with this:

If we don’t reorder them and just leave them in the numerical order of their binary representation, the result isn’t as aesthetically pleasing as the previous picture. Here are the same two we used before 100011011 (on the left) and 110011111 (on the right). They are easier to look at. They do not lend much more insight nor make a better stereo pair.

*shrug* Here’s the source file that I used to generate all of these images with Vecto and ZPNG: group.lisp