Alice and Bob in Cryptoland » field http://alicebob.cryptoland.net Mon, 14 Feb 2011 13:29:59 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 The Frobenius endomorphism with finite fields http://alicebob.cryptoland.net/the-frobenius-endomorphism-with-finite-fields/ http://alicebob.cryptoland.net/the-frobenius-endomorphism-with-finite-fields/#comments Mon, 09 Feb 2009 03:17:29 +0000 Conrado http://alicebob.cryptoland.net/?p=153 The Frobenius endomorphism is defined as:

\Phi(x)=x^p

where p is the characteristic of the ring you’re working with. Simple, right?

If you’re working with a field with prime order, then Frobenius is actually the identity map. Since the order of the multiplicative subgroup is p, when you raise to the power of p you get back to x due to Fermat’s little theorem. Things get more interesting when you’re working with a extension field (i.e. a field which order is a prime power).

I’m studying pairings for my master’s degree and the Frobenius endomorphism appears all the time in their computation. For example, you need to do a “final exponentation” which can be split in multiple exponentiations, and some of them are to the power of p. This is good because powering to p is “easy” due to Frobenius, or at least all the papers I read said so. But for a while I couldn’t see why, and that’s the reason I’m posting this. It’s really easy; it’s just not that obvious to see why.

Why Frobenius is easy?

Say you’re working with a quadratic extension, that is, with a field GF(p^2) where p is a prime. You can represent this group with polynomials of degree 1 which can be added the usual way and multiplied taking the result modulo a irreducible polynomial of degree 2. To understand why this makes sense, I recommend this excellent write-up at Everything2. Assume that you pick a irreducible polynomial in the form X^2-\beta. Working modulo this polynomial is the same thing as working in a “world” where X^2 = \beta. (You could of course work with a polynomial in the form X^2 + aX + b but that would complicate things.)

So every element of GF(p^2) can be written as a + bX. What happens when you apply the Frobenius endomorphism? Let’s see:

(a + bX)^p = (a^p + b^pX^p)

Why is that so? That’s a known fact about the Frobenius, check the explanation at Wikipedia for more details. But basically, the expansion of (a + bX)^p has many terms, but only the first (a^p) and the last (b^pX^p) survive because all others are multiples of p. Since we’re working with coefficients modulo p, they are all zero.

Let’s continue. Since a, b \in GF(p), then raising to the power of p won’t change them (yep, that’s Frobenius again). So we have:

(a + bX)^p = (a^p + b^pX^p) = (a + bX^p)

There’s only X^p left to bother us. If p is odd (not 2), then you can rearrange this as:

(a + bX)^p = (a + bX^p) = (a + b(X^2)^{(p-1)/2}X)

Now remember that we’re working in a “world” where X^2 = \beta. Then we get:

(a + bX)^p = (a + b(X^2)^{(p-1)/2}X^p) = (a + b\beta^{(p-1)/2}X)

That’s why Frobenius is easy: “a” stays the same, all you need to do is multiply “b” with \beta^{(p-1)/2}. But according to Euler’s criterion, since \beta is not a square (if it were, X^2-\beta wouldn’t be irreducible), we have \beta^{(p-1)/2} \equiv -1 \pmod{p}. Then the formula gets much simpler:

(a + bX)^p = (a-bX)

A concrete example

Just for the sake of concreteness, let’s work out an example. I’ll use Sage for that, but I’ll explain what each command does.

sage: K = GF(7)

We create a field with 7 elements (that’s actually integers modulo 7).

sage: K(5)^7
5

We take the element 5 and power to 7. We get 5 again. If you don’t believe it works for all elements:

sage: [(x,x^7) for x in K]
[(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5), (6, 6)]

Let’s create GF(7^2).

sage: KR. = GF(7)[]

This creates a polynomial ring with the X variable and coefficients in GF(7), just to allow us to specify the modulus in the next step:

sage: K2. = GF(7^2, modulus=X^2+1)

We create the GF(7^2) field using the variable X (I’m overwriting the X used in the ring, you could use other name) and modulus X^2+1 (so \beta = -1). Let’s take an arbitrary element to the power of 7:

sage: (3*X + 2)^7
4*X + 2

Remeber when \beta = -1 then (a + bX)^p = (a-bX). And modulo 7, -3 is actually 4, so the result is correct (of course!). Again, if you don’t believe it works for all elements:

sage: all(x^7 == (x.vector()[0] - x.vector()[1]*X) for x in K2)
True

This checks, for all elements in the field K2, if the element raised to the power of 7 is equal to the element built with our special formula. The method vector() returns the coefficients of the polynomial as a list. The all function is a relatively unknown function of Python that returns True if all the elements of the iterable passed to it evaluate to True (there’s any(iter) too).

Extensions of higher degree

The trick to calculate the Frobenius endomorphism also works for extensions of higher degree. When implementing them, usually using a tower of extensions is more efficient then using a direct extension. For example, when working with GF(p^{12}), you can represent it as a quadratic extension of GF(p^6), which can be represented as a cubic extension of GF(p^2), which can be represented as a quadratic extension of GF(p).

For example, for (a + bX) \in GF(p^{12}) built this way, with a, b \in GF(p^6), you just apply the same trick explained above. The only difference is that a and b to the power of p aren’t a and b themselves, but that’s not a problem, you just apply the same trick recursively.

]]> http://alicebob.cryptoland.net/the-frobenius-endomorphism-with-finite-fields/feed/ 3 Visualizing group structure with colored addition/multiplication tables http://alicebob.cryptoland.net/visualizing-group-structure-with-colored-additionmultiplication-tables/ http://alicebob.cryptoland.net/visualizing-group-structure-with-colored-additionmultiplication-tables/#comments Sun, 07 Dec 2008 04:32:51 +0000 Conrado http://alicebob.cryptoland.net/?p=70 When working with finite fields, if the number of elements is a prime power p^m with m > 1, you can represent the elements as polynomials with degree m-1 and do the field addition and multiplication modulo a irreducible polynomial with degree m.

The field GF(5) is composed by the numbers 0 to 4. We don’t need to represent its elements as polynomials since m=1. Addition is done modulo 5 and multiplication also modulo 5. So 2 + 3 = 0; 4 * 2 = 3; and so on. This is the addition table for GF(5):

Multiplicative table of integers modulo 5

The rows, top down, represent 0 to 4. The columns, right to left, represent 0 to 4. Each square is the result of the addition of the respective numbers in the row / column it belongs to. Black is 0, purple is 1, red is 2, orange is 3, yellow is 4.

In the field GF(25) = GF(5²), as I said, you represent each element as a polynomial. So we have 25 elements: 0 to 4; x, x+ 1, …, x + 4; 2x, 2x + 1, …; 3x, 3x + 1, …; 4x, 4x + 1, …, 4x + 4.

In order to add two elements, add them as you would add two polynomials, but remember that the coefficients are in GF(5); for example, in GF(5²), we have (3x + 2) + (4x + 4) = (2x + 1). In order to multiply two elements, multiply them as usual but then take the result modulo an irreducible polynomial. So, with GF(5²) modulo x^2 + 4x + 2, you have (2x + 5) * (3x + 4) = (4x + 3).

I always wondered what would happen when you changed the modulus. Obviously the group “changes”, but in order to actually see it, I’ve built the multiplication table for GF(5²) modulus x^2 + 4x + 2 and x^2 + 3x + 3:

Multiplicative table for GF(5^2)/(x^2+4x+2)Multiplicative table for GF(5^2)/(x^2+3x+3)

Yep, they’re different :D

Of course, both are isomorphic, so you’re free to pick your favorite modulus.

Multiplicative group of integers modulo n vs group of points in a elliptic curve

Then I got curious: how would the multiplication table of integers modulo n look like? This group is the group used in many cryptographic schemes, like RSA. This is the multiplication table for integers modulo 509:

Multiplicative table for integers modulo 509

Pretty (and trippy)!

What about the group of points on a elliptic curve over a finite field, which is also a group used in cryptographic schemes? This is the additive table for the points on y^2 = x^3 + 4x + 1 over GF(503):

Additive table for points in y^2 = x^3 +4x + 1 over GF(503)

The difference between them is striking; the elliptic group seems almost random. This is (intuitively speaking! I’m not being formal here) the reason why this group is used in cryptography in the first place: since the group structure is more “messed up”, you can get away with using groups of much smaller size (no smaller than 2^{160} elements) than with multiplicative groups of integers modulo n (no smaller than 2^{1024} elements). This is not set in stone though; maybe someday someone will come up with a better method to crack this seemingly random structure (for now the best method to solve the discrete log problem for elliptic groups is exponential, while the best method for integers modulo n is sub-exponential).

It’s worth mentioning that even this elliptic group is not that extraordinary: it is isomorphic to the very simple additive group of integers modulo 506:

Additive table of integers modulo 516

The big problem is to find the isomorphism! You can see this better with a small example. This is the elliptic group of y^2 = x^3 + 3x + 2 over GF(5) (left) which is isomorphic to the additive group modulo 5 (right):

Additive table of points on y^2 = x^3 + 3x + 2 over GF(5)Additive table for integers modulo 5

(OK, it’s not that easy to see)

Software

To generate those images, I’ve used Python with PIL and Sage. Sage aims to be a open source replacement for (expensive) software like Magma, Maple, Mathematica and Matlab. Since I’ve never used those, I can’t really say how it is going in its mission, but it’s really awesome. If you’re a Windows user you’ll probably be scared by the fact that the Windows version of Sage is actually an entire Linux virtual machine! They’re working to port it natively, but even until then, it’s worth it (and you’ll have an excuse to try Linux ;) )

Update

Someone asked for the source code used to generate those. It’s ugly (I’ve added comments at least) but you can download it here: the sage script and the python script. In the sage script, uncomment the lines representing what you want to plot, then run ./sage gentable.sage (or whichever path to were sage is). It will generate a data.txt in the same folder. Now run python plottable.py img.png to plot it on the img.png file (or omit it to show on the screen). You’ll need to have PIL installed.

If you don’t want to plot fancy stuff as elliptic groups, you can easily transform the gentable.sage into a normal Python script and write the addition/multiplication yourself (like a + b % n). Have fun, and feel free to ask anything.

]]> http://alicebob.cryptoland.net/visualizing-group-structure-with-colored-additionmultiplication-tables/feed/ 5