8.4 OPERATIONS IN GF(pn)

If f is an irreducible polynomial then Zp[x]/f(x) is the Galois field GF(pn), so that every nonzero polynomial a(x) has a multiplicative inverse a−1(x). Given two polynomials

image

a variant of the extended Euclidean algorithm (Chapter 2, Section 2.1.2) allows the expression of the greatest common divider of f and a in the form

image

In particular, if gcd(f, a) = 1 then a−1(x) = b(x) mod f.

The following formal algorithm, in which degree(a) returns the degree of a and swap(a, b) interchanges a and b, computes z(x) = a−1(x).

Algorithm 8.23

u:=f; v:=a; c:=0; e:=1; m:=degree(u); t:=degree(v); if t=0 then result:=(v(0))−1; else while t>0 loop if m<t then swap(u,v); swap(c,e); swap(m,t); q:=u(m)*(v(t))-1*xm−t; r:=u-(v*q); cc:=c-(e*q); u:=v; v:=r; c:=e; e:=cc; m:=t; t:=deg(v); end loop; z:=e*(v(0))-1; end if;

Example 8.7

image

As p = 2, Algorithm 8.23 can be simplified; in particular, u(m) = υ−1(t) = υ(0) = 1.

Compute a−1(x):

image

Effectively,

image

In order to execute Algorithm 8.23, the following procedures must be defined:

  • the procedure 
    procedure degree (a: in polynomial; deg: out natural);

    computes the degree deg of a;

  • the procedure 
    procedure invert (a: in coefficient; p: in module; b: out coefficient);

    computes a−1 mod p; Algorithm 8.16 could be used;

  • the procedure by_coefficient has already been defined;
  • the procedure 
    procedure add (a, b: in polynomial; p: in module; c: out polynomial);

    computes the sum of two polynomials; Algorithm 8.17 could be used;

  • the procedure 
    procedure sub (a, b: in polynomial; p: in module; c: out polynomial);

    computes the difference of two polynomials; Algorithm 8.18 could be used;

  • the procedure 
    procedure shift (a: in polynomial; k: in natural; c: out polynomial);

    computes c(x) = a(x).xk; it is equivalent to a k-position right-shift of the coefficients of a, with the k lower-degree coefficients set to 0.

The following algorithm is deduced from Algorithm 8.23 and from the previous procedure definitions (zero and one stand for the polynomials 0 and 1, respectively):

Algorithm 8.24 Inversion in GF(pn)

u:=f(0..n−1); f_n:=f(n); v:=a; c:=zero; e:=one; degree(v,t); if t=0 then invert(v(0), p, result(0)); for i in 1..n−1 loop result(i):=0; end loop; else j:=n−t; --the initial value of m is deg(f)=n invert(v(t), p, inverted_v_t); --(v(t))−1 k:=(f_n*inverted_v_t) mod p; --f_n.(v(t))−1 by_coefficient(v, k, p, k_v); --v.f_n.(v(t))−1 shift(k_v, j, shifted_v); --v.f_n.(v(t))−1.xn−t=v.q sub(u, shifted_v, p, r); --r=u − v.q by_coefficient (e, k, p, e_v); --e.f_n.(v(t))−1 shift(e_v, j, shifted_e); --e.f_n.(v(t))−1.xn−t=e.q sub(c, eq, p, cc); --cc=c − e.q degree(r, deg_v); j:=t − deg_v; if j>=0 then u:=v; v:=r; c:=e; e:=cc; m:=t; t:=deg_v; else u:=r; c:=cc; m:=deg_v; end if; while t>0 loop j:=m-t; invert(v(t), p, inverted_v_t); --(v(t))−1 k: = (u(m)*inverted_v_t) mod p; --u(m).(v(t))−1 by_coefficient (v, k, p, k_v); --v.u(m).(v(t))−1 shift(k_v, j, shifted_v); --v.u(m).(v(t))−1.xn−t=v.q sub(u, shifted_v, p, r); --r=u - v.q by_coefficient(e, k, p, e_v); --e.u(m).(v(t))−1 shift(e_v, j, shifted_e); --e.u(m).(v(t))−1.xn−t=e.q sub(c, eq, p, cc); --cc=c - e.q degree(r, deg_v); j:=t - deg_v; if j>=0 then u:=v; v:=r; c:=e; e:=cc; m:=t; t:=deg_v; else u:=r; c:=cc; m:=deg_v; end if; end loop; invert(v(0), p, inverted_v_t); --(v(0))−1 by_coefficient(e, inverted_v_t, p, result); --e. (v(0))−1 end if;

A different method, based on a modification of the Itoh–Tsujii algorithm ([ITO1988]), can be used if f(x) is a binomial ([WOO2000], [BAI2001]). First observe that if r = 1 + p + p2 + … + pn−1, then (Chapter 2, Section 2.2.4) (a(x))r is an element of Zp (a 0-degree polynomial). As

image

the problem is reduced to the computation of exponential functions in GF(pn) and to the inversion in GF(p).

The following formal algorithm computes z(x) = a−1(x).

Algorithm 8.25

b:=1; for i in 1..n−1 loop d:=a**(p**i); --d=ar(i) where r(i)=pi b:=b*d; --b=1.ar(1)…..ar(i−1).ar(i) end loop; --b=ar−1 g:=b*a; --g=ar k:=(1/g(0)) mod p; --k=1/ar z:=b*k; --z=ar−1/ar=a−1

In order to execute the preceding algorithm the following procedures must be defined:

  • the procedure 
    procedure multiply (a, b, f: in polynomial; p: in module;
z: out polynomial);

    computes the product of a by b modulo f; Algorithm 8.20, 8.21, or 8.22 could be used;

  • the procedures by_coefficient and invert have already been defined;
  • the procedure 
    procedure exponentiation (a, f: in polynomial; p: in
module; i: in natural; b: out polynomial);

    computes ar(i) modulo f, where r(i) = pi.

It remains to generate the preceding procedure. First recall (Chapter 2, Section 2.2.5) that if α, β, …, γ are elements of GF(pn), then

image

More generally, if r(i) = pi, then

image

Observe also that, given a coefficient ak (an element of Zp), then

image

and, more generally,

image

From (8.17) and (8.18) the following relation is deduced:

image

Assume now that f is a binomial

image

and that n divides p − 1 (p mod n = 1), so that

image

Then

image

The values of

image

can be computed in advance (an algorithm for computing fki is given in Appendix 8.1), so that

image

The corresponding exponentiation procedure is the following:

procedure exponentiation (a, f: in polynomial; p: in module;
  i: in natural; b: out polynomial) is
begin
  b(0):=a(0);
  for k in 1..n−1 loop modular_product (f(k,i), a(k), p, b(k));
end loop;
end procedure;

The complete inversion algorithm is deduced from Algorithm 8.25.

Algorithm 8.26 Inversion, Second Version

b:=one; for i in 1..n−1 loop exponentiation (a, f, p, i, d); --d=(a(x))r(i) multiply (b, d, f, p, e) --e:=b.(a(x))r(i) end loop; --e=(a(x))r−1 multiply (e, a, f, p, g); --g=(a(x))r h:=g(0); invert (h, p, k); --k=h−1 by_coefficient (e, k, p, z) --z=(a(x))r−1/(a(x))r

In order to reduce the number of calls to the exponentiation procedure the following property can be used.

Property 8.1 If s = 1 + p + p2 + … + pk and t = 1 + p + p2 + … + pl, where k is odd and l = (k − 1)/2, then

image

where u = pk−l.

Proof

image

where

image

so that

image

If k+1 is a power of 2, that is, k = 2m − 1, then l = 2m−1 − 1, and the same decomposition can be recursively applied. The following algorithm computes z(x) = (a(x))s, where s = 1 + p + p2 + · · · + pk with k = 2m − 1.

Algorithm 8.27

b(0):=a;
for j in 0..m−1 loop
   exponentiation (b(2*j), f, p, 2**j, b(2*j+1));
   multiply (b(2*j), b(2*j+1), f, p, b(2*(j+1)));
end loop;
z:=b(2*m);

Example 8.8 k = 7, m = 3; in the following computation scheme r(i) stands for pi, so that r(i).r(j) = r(i + j).

image

Assume now that n−1 is a power of 2, that is,

image

Then

image

and

image

The preceding algorithm can be used for computing

image

It remains to compute

image

and

image

The complete inversion algorithm, when

image

is the following.

Algorithm 8.28 Inversion, Third Version

b(0):=a; for j in 0..m-1 loop exponentiation (b(2*j), f, p, 2**j, b(2*j+1)); multiply (b(2*j), b(2*j+1), f, p, b(2*(j+1))); end loop; --b(2.m)=(a(x))s exponentiation (b(2*m), f, p, 1, e); --e=(a(x))s.p=(a(x))r−1 multiply (e, a, f, p, g); --g=(a(x))r h:=g(0); invert(h, p, k); --k=h−1 by_coefficient (e, k, p, z); --z=(a(x))r−1/(a(x))r

Observe that the main iteration is executed m times instead of n − 1 = 2m times as in Algorithm 8.26.

Example 8.9 If p = 239 and f(x) = x17 − 2, then Algorithm 828 can be applied:

image

the coefficients fki can be computed with Algorithm A 8.1.

Another example is the binomial x6−2 with

image

As n − 1 is not a power of 2, Algorithm 8.28 must be slightly modified.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset