finite fields examples
- Z/pZ
- (Z/3Z)[t]/(t^3+1)
- (Z/pZ)[t]/(q(t))

elementary stuff
- order of F = |F|
- (F,0,+) is a group; F^* = (F\0,1,*) is a group; x(y+z) = xy+xz; 0*x = 0
- F^* is a cyclic group
- any two finite fields F,F' of the same order are isomorphic (same structure, differing only in the representation of elements)
- every finite field F has order p^e for some prime p and integer e>0, and such a field is called GF(p^e)
- the characteristic of GF(p^e) is p, and p*x = 0 for all x in GF(p^e)
- hence Z/pZ is embedded in GF(p^e), namely as 0,1,2,..,p-1 (note: 2 = 1+1, etc.)
- a standard construction of GF(p) is as Z/pZ
- a standard construction of GF(p^e) is as (Z/pZ)[t]/(q(t)) where q(t) is irreducible over Z/pZ and deg q = e
- a standard representation is a_{e-1} t^{e-1} + .. + a_1 t + a_0 <--> (a_0,a_1,..,a_{e-1}), and this yields a vector space over GF(p)
  note: for p = 2, q(t) + q'(t) <--> q xor q' (coefficient-wise addition mod 2)

properties of GF(2^e)
- if p(x) has degree d > 0 over GF(2^e), then p(x) = 0 has at most d solutions for x in GF(2^e)
- f(x) = x^2 is linear, since f(x+y) = (x+y)^2 = x^2 + 2xy + y^2 = x^2 + y^2 = f(x) + f(y), yet f(x) is not of the form c*x for any c
- in fact x |-> x^{2^a} is linear for all integers a >= 0

cipher design
- linear elements
  - xor
  - rotations
  - bit permutations
  - any linear map
  - MDS matrices
  - addition modulo 2^e
  - PHT
  - decorrelation modules
- nonlinear elements
  - fixed S-boxes (table lookup)
  - key-dependent S-boxes
  - cubing over GF(2^e)
  - inversion over GF(2^e)
  - multiplication modulo 2^e
  - multiplication modulo p, where p = 2^e + c for small c
  - data-dependent rotations

analysis of S-boxes
- thm: the best differential for cubing or inversion has probability 2/2^e
- ???: the best linear characteristic for cubing or inversion has bias 2^{1 - e/2} (I think...)
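A worked example of the GF(2^e) construction and of the S-box analysis above, added here and not part of the original notes; it assumes e = 5 and the irreducible q(t) = t^5 + t^2 + 1, and counts the best differential of the cubing and inversion S-boxes by brute force:

```python
# Added example (not from the notes): GF(2^e) as GF(2)[t]/(q(t)), coefficients
# (a_0,..,a_{e-1}) packed into an int's bits, and the differential uniformity
# of the cubing and inversion S-boxes. Assumed (constructed) parameters:
# e = 5 (odd, so "2/2^e" covers both maps) and q(t) = t^5 + t^2 + 1.
E = 5
Q = 0b100101  # t^5 + t^2 + 1, irreducible over GF(2)

def gf_mul(a, b, q=Q, e=E):
    # shift-and-add (carry-less) multiply, reducing by q(t) when the degree hits e
    r = 0
    for _ in range(e):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> e:
            a ^= q
    return r

def gf_pow(a, n):
    r = 1
    while n:
        if n & 1:
            r = gf_mul(r, a)
        a, n = gf_mul(a, a), n >> 1
    return r

def gf_inv(a):
    # F^* is cyclic of order 2^e - 1, so a^(2^e - 2) = a^-1 (0 maps to 0)
    return gf_pow(a, (1 << E) - 2)

def gf_cube(a):
    return gf_pow(a, 3)

def differential_uniformity(sbox):
    # max over input difference da != 0 and output difference db of
    # #{x : S(x) xor S(x xor da) = db}; best differential prob = result / 2^e
    n, best = 1 << E, 0
    for da in range(1, n):
        counts = {}
        for x in range(n):
            db = sbox(x) ^ sbox(x ^ da)
            counts[db] = counts.get(db, 0) + 1
        best = max(best, max(counts.values()))
    return best

def frobenius_is_linear():
    # f(x) = x^2 satisfies f(x + y) = f(x) + f(y) (addition is xor) on all pairs
    n = 1 << E
    return all(gf_mul(x ^ y, x ^ y) == gf_mul(x, x) ^ gf_mul(y, y)
               for x in range(n) for y in range(n))
```

For e = 5 both S-boxes come out with uniformity 2, i.e. the best differential has probability 2/2^e as the theorem above states; the inverse check also confirms q(t) is irreducible, since a reducible q would leave zero divisors without inverses.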
fast implementation tricks
- precomputed tables
  - for speeding up linear operations, e.g., bit permutations
  - for merging multiple operations, e.g., key xor + S-box + MDS
  - for making key-dependent S-boxes run as fast as fixed S-boxes
- bit-slicing