The Polynomial Constructions

In this section, we discuss the representations of binary fields in the polynomial form as well as the method for performing arithmetics for the representation.

Polynomials in F2[x]

A polynomial over F2(or a boolean polynomial) is an expression of this form

f (x) = f₀+· · · + fdx^d=

∑d i=0

f_ixⁱ ,where f_i ∈ F2 for 0≤ i ≤ d .

Here the indeterminate x is just a placeholder. F2[x] denotes the ring of univariate polynomials overF2 with the indeterminate x. We also represent a polynomial f (x) as a vector f = (f₀, f₁, . . .) with entries from F2 and a finite number of coefficients f_i’s are nonzero. Since a natural basis forF2[x] is (1, x, x², . . .), we can associate the basis elements to the boolean vectors with one nonzero entry, i.e., 1 = (1, 0, . . .), x = (0, 1, . . .), x² = (0, 0, 1, . . . ), ... etc.

Clearly, we can use the integer i to denote a boolean vector (i0, i1, . . . , id) if i is

We can then define the boolean polynomial corresponding to the binary expansion of i

Hence, we can store the polynomials of degree d in F2[x] as Boolean vectors of length (d + 1)-bits.

We also adopt a convention that a hex number denotes explicitly the value of a boolean vector. For example, the polynomial x⁸ + x⁴ + x³ + x + 1 ∈ F2[x] is represented as the Boolean vector 0x11b = 1, 0001, 1011b = 2⁸ + 2⁴+ 2³ + 2 + 1, i.e., ω(0x11b) = x⁸+ x⁴+ x³+ x + 1.

The addition and multiplication of polynomials are defined by (a₀, a₁, . . .) + (b0, b1, . . .) = (a0 + b0, a1+ b1, . . .) and (a0, a1, . . .)· (b0, b1, . . . ) = (c0, c1, . . .), with c_n =∑_n

i=0a_ib_n−i. The polynomials inF2[x] are the basic form of algebraic objects in this thesis since there are hardware instructions for multiplying Boolean polynomials of some fixed lengths.

Binary Fields of Boolean Polynomials

An element in the binary field F2^m can be represented as a polynomial in F2[x]_<m where the subscript denotes the restriction of its degree. The basic construction of F2^m is the ideal ofF2[x] modulo(mod) an irreducible polynomial of degree m. Just as a Boolean polynomial can be represented as a Boolean vector, so too the fieldF2^m :=

F2[x]_<m can be represented as the vector space F^m2 . The “vectors” {1, x, . . . , x^m−1} form a basis for F2[x]_<m. Hence, with respect to the basis (1, x, . . . , x^m−1) of F2^m, let i be a nonnegative integer with binary expansion i =∑d

j=0i_j · 2^j as in Eq. 2.1.

The field element corresponding to the binary expansion i is

ω_F2m(i) =

m∑−1 j=0

i_j · x^j . (2.3)

Explicit Constructions of particular fields Probably due to its one-byte storage, the field of 256 elements(F256) plays an important role on computers, especially in the area of cryptography and code. In Chapter 4, we use the construction of F256

as

F256 =F2⁸ :=F2[x]/(x⁸+ x⁴+ x³+ x²+ 1) . (2.4)

The construction consists with the field used in the erasure correcting code of stan-dard RAID-6 [Anv11]. Note that it differs from the one in Advanced Encryption Standard(AES) [Nat01], which constructs its field with respect to a different irre-ducible polynomial

F2[x]/(x⁸+ x⁴+ x³+ x + 1) .

We will use the term 0x11bF256 when referring to the field of 256 elements in AES.

In Chapter 7, we use the fields of 64 and 128-bits. The field of 64-bits is con-structed as

F2⁶⁴ :=F2[x]/(

x⁶⁴+ x⁴+ x³+ x + 1)

. (2.5)

For the field of 128-bits, we choose the same construction as in AES-GCM:

F2¹²⁸ :=F2[x]/(

x¹²⁸+ x⁷+ x²+ x + 1)

. (2.6)

The Multiplication of Field Elements We perform the multiplication inF2^m in two steps. The first step multiplies two corresponding polynomials inF2[x]. The second step reduces the degree of the resulted polynomial in the first step by a modulo of the irreducible polynomial of degree m.

We show an example of multiplications in F4 := F2[x]/(x² + x + 1). Given a, b ∈ F4 and their polynomial forms a(x) = a₀ + a₁x and b(x) = b₀ + b₁x. To

compute c = a· b, the first step calculates

(a₀+ a₁x)·(b0+ b₁x) = a₀·b0+ (a₀·b1+ a₁·b0)x + (a₁·b1)x² = c₀+ c₁x + c₂x² . (2.7)

Here we have c0 = a0· b0, c1 = a0· b1+ a1· b0 , and c2 = a1· b1. In the second step, since

x² ≡ x + 1 mod x²+ x + 1 , (2.8)

the term c₂· x² reduces to c₂x + c₂. We have the result

c = (c₀+ c₂) + (c₁+ c₂)x = (a₀· b0 + a₁· b1) + (a₀· b1+ a₁· b0 + a₁ · b1)x . (2.9)

It costs 4 AND and 3 XOR in total.

To perform the multiplication on computers, the straightforward method is to perform all the bit-operations. One can first isolate all coefficients of the two in-put polynomials and perform all the arithmetics in F2. We can also perform the multiplication relying on the hardware instructions on modern computers. We will discuss the method in Sec. 3.1 and 3.4.

Although we do not discuss the calculation in this thesis, a multiplicative inverse may be obtained via the Euclidean algorithm or Fermat’s little theorem.

Polynomials overF2^m

Besides representing the field elements as boolean polynomials, we can also use the polynomials overF2^m(i.e., F2^m[x]) to represent elements in the extension field ofF2. More precisely, given a field F2^m and an irreducible polynomial f (x)∈ F2^m[x] with deg f (x) = n, we can construction the extension fieldF2^m·n :=F2^m[x]/f (x). F2^m·n is isomorphic to Fⁿ₂^m as F2^m ∼=F^m₂ .

In Chapter 4, we use polynomials inF256[X]_≤1 to represent elements inF256² and construct the field as

eF256² :=F256[X]/(X²+ ω_F256(0x8)· X + 1) . (2.10)

Note that the symbol eF256² associates to the specific construction in this thesis. In the construction, an element of eF256² can also be represented as a vector of two components in F²256. Since the constant term of polynomials in F256[X] is the same as F256, an element in F256 can be represented as a constant polynomial with the same value for the constant coefficient. Hence, we say the representation of eF256² is compatible withF256.

In [AJ86], Adleman and Lenstra presented an algorithm for constructing the following tower of fields:

F4 := F2[x0]/(x²₀+ x0+ 1), eF16 := F4[x₁]/(x²₁+ x₁+ x₀), eF256 := eF16[x₂]/(x²₂ + x₂+ x₁x₀), eF65536 := eF256[x₃]/(x²₃+ x₃+ x₂x₁x₀),

...

(2.11)

In these constructions, an element in eF65536is represented as a first degree polynomial over eF256, an element in eF256is represented as a first degree polynomial over eF16, and so on. We can eventually decompose an element a of binary fields to a multivariate polynomial over F2, i.e., a∈ F2[x₀, x₁, x₂, . . .].

To construct the vector form of elements in the tower fields, given m is a power of 2, i.e., m = 2^lm, we can associate a binary expansion of k = ∑_lm−1

j=0 k_j · 2^j with the monomial

monomial(k) = x^k₀⁰x^k₁¹· · · x^k_lm^lm−1₋₁ for 0≤ k < m . (2.12)

The basis for eF2^m is

(monomial(k))_0≤k<m =(

ω_{F2[x0,x1,...,xlm−1]}(2^k))

0≤k<m . (2.13)

For example, we have the basis for the vector space eF256:

(1, x₀, x₁, x₀x₁, x₂, x₀x₂, x₁x₂, x₀x₁x₂) = (monomial(k))k=0,1,...,7 .

As the second example, we illustrate the polynomial form of ω_{F2[x0,x1,...]}(0xf)∈ eF16

ω_{F2[x0,x1,...]}(0xf) = 1 + x₀+ x₁+ x₀x₁ = (1 + x₀) + (1 + x₀)x₁ .

Note that (1 + x₀) is an element in F4. Hence, the tower fields are also compatible with their sub-fields.

The multiplication Under the representation of polynomials over F2^m, the field multiplication is similar to polynomial multiplication with reduction. However, the coefficient multiplication is inF2^m instead ofF2.

The multiplication in tower fields is more complicated. Since the field is con-structed as eF2^m := eF2^m/2[y]/y²+· · · , the field multiplication comprises a polynomial multiplication and a reduction for the term of degree 2. However, we have to per-form the coefficient multiplication in eF2^m/2 in the same way of multiplication in eF2^m. We have to apply the rules recursively down to polynomials ofF2 coefficients.