Cryptography

and Network
Security
Sixth Edition
by William Stallings
 Chapter 4

Basic Concepts in Number Theory and

Finite Fields
“Mathematics has long been known in the printing
trade as difficult, or penalty, copy because it is
slower, more difficult, and more expensive to
set in type than any other kind of copy.”

—Chicago Manual of Style,

14th Edition
 Divisibility
• We say that a nonzero b divides a if a = mb for
some m, where a, b, and m are integers
• b divides a if there is no remainder on division
• The notation b | a is commonly used to mean b
divides a
• If b | a we say that b is a divisor of a

The positive divisors of 24 are 1, 2, 3, 4, 6, 8, 12, and 24

13 | 182; - 5 | 30; 17 | 289; - 3 | 33; 17 | 0
 Properties of Divisibility
• If a | 1, then a = ±1
• If a | b and b | a, then a = ±b
• Any b ≠ 0 divides 0
• If a | b and b | c, then a | c

• If b | g and b | h, then b | (mg + nh) for

arbitrary integers m and n

11 | 66 and 66 | 198 = 11 | 198

 Properties of Divisibility
• To see this last point, note that:
– If b | g , then g is of the form g = b * g1 for some integer g1
– If b | h , then h is of the form h = b * h1 for some integer h1
• So:
– mg + nh = mbg1 + nbh1 = b * (mg1 + nh1 )
and therefore b divides mg + nh

b = 7; g = 14; h = 63; m = 3; n = 2
7 | 14 and 7 | 63.

To show 7 (3 * 14 + 2 * 63),
we have (3 * 14 + 2 * 63) = 7(3 * 2 + 2 * 9),
and it is obvious that 7 | (7(3 * 2 + 2 * 9)).
 Division Algorithm
• Given any positive integer n and any
nonnegative integer a, if we divide a by n we get
an integer quotient q and an integer remainder r
that obey the following relationship:

a = qn + r 0 ≤ r < n; q = [a/n]
Euclidean Algorithm
• One of the basic techniques
of number theory
• Procedure for determining
the greatest common divisor
of two positive integers
• Two integers are relatively
prime if their only common
positive integer factor is 1
Greatest Common Divisor (GCD)
• The greatest common divisor of a and b is the
largest integer that divides both a and b
• We can use the notation gcd(a,b) to mean the
greatest common divisor of a and b
• We also define gcd(0,0) = 0
• Positive integer c is said to be the gcd of a and b if:
• c is a divisor of a and b
• Any divisor of a and b is a divisor of c

• An equivalent definition is:

gcd(a,b) = max[k, such that k | a and k | b]

 GCD
• Because we require that the greatest common divisor be
positive, gcd(a,b) = gcd(a,-b) = gcd(-a,b) = gcd(-a,-b)
• In general, gcd(a,b) = gcd(| a |, | b |)
gcd(60, 24) = gcd(60, - 24) = 12
• Also, because all nonzero integers divide 0, we have
gcd(a,0) = | a |
• We stated that two integers a and b are relatively prime if
their only common positive integer factor is 1; this is
equivalent to saying that a and b are relatively prime if
gcd(a,b) = 1
8 and 15 are relatively prime because the positive divisors of 8 are 1, 2, 4, and 8, and
the positive divisors of 15 are 1, 3, 5, and 15. So 1 is the only integer on both lists.
 Table 4.1
Euclidean Algorithm Example

(This table can be found on page 91 in the textbook)

 Modular Arithmetic
• The modulus
– If a is an integer and n is a positive integer, we define
a mod n to be the remainder when a is divided by n;
the integer n is called the modulus
– thus, for any integer a:
a = qn + r 0 ≤ r < n; q = [a/ n]
a = [a/ n] * n + ( a mod n)

11 mod 7 = 4; - 11 mod 7 = 3
 Modular Arithmetic
• Congruent modulo n
– Two integers a and b are said to be congruent
modulo n if (a mod n) = (b mod n)
– This is written as a = b(mod n)2
– Note that if a = 0(mod n), then n | a

73 = 4 (mod 23); 21 = - 9 (mod 10)

 Properties of Congruences
• Congruences have the following properties:
1. a = b (mod n) if n (a – b)
2. a = b (mod n) implies b = a (mod n)
3. a = b (mod n) and b = c (mod n) imply a = c
(mod n)
• To demonstrate the first point, if n (a - b), then (a - b)
= kn for some k
• So we can write a = b + kn
• Therefore, (a mod n) = (remainder when b + kn is divided by
n) = (remainder when b is divided by n) = (b mod n)

23 = 8 (mod 5) because 23 - 8 = 15 = 5 * 3
- 11 = 5 (mod 8) because - 11 - 5 = - 16 = 8 * (- 2)
81 = 0 (mod 27) because 81 - 0 = 81 = 27 * 3
 Modular Arithmetic
• Modular arithmetic exhibits the following properties:

1. [(a mod n) + (b mod n)] mod n = (a + b) mod n

2. [(a mod n) - (b mod n)] mod n = (a - b) mod n

3. [(a mod n) * (b mod n)] mod n = (a * b) mod n

• We demonstrate the first property:
• Define (a mod n) = ra and (b mod n) = rb. Then we can write a = ra + jn for
some integer j and b = rb + kn for some integer k
• Then:

(a + b) mod n = (ra + jn + rb + kn) mod n

= (ra + rb + (k + j)n) mod n

= (ra + rb) mod n

= [(a mod n) + (b mod n)] mod n

 Remaining Properties:
• Examples of the three remaining properties:

11 mod 8 = 3; 15 mod 8 = 7
[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2
(11 + 15) mod 8 = 26 mod 8 = 2
[(11 mod 8) - (15 mod 8)] mod 8 = - 4 mod 8 = 4
(11 - 15) mod 8 = - 4 mod 8 = 4
[(11 mod 8) * (15 mod 8)] mod 8 = 21 mod 8 = 5
(11 * 15) mod 8 = 165 mod 8 = 5
Table 4.2(a) Arithmetic Modulo 8
Table 4.2(b) Multiplication Modulo 8
Table 4.2(c)

Additive
and
Multiplicative
Inverses
Modulo 8
 Table 4.3
Properties of Modular Arithmetic for Integers in Zn
 Table 4.4
Extended Euclidean Algorithm Example
For given integers a and b, find <d,x,y> satisfying: ax + by = d = gcd(a,b)

a
b

Result: d = 1; x = –111; y = 355

 Groups
• A set of elements with a binary operation denoted by  that
associates to each ordered pair (a,b) of elements in G an element
(a  b ) in G , such that the following axioms are obeyed:
• (A1) Closure:
• If a and b belong to G, then a  b is also in G
• (A2) Associative:
• a  (b  c) = (a  b)  c for all a, b, c in G
• (A3) Identity element:
• There is an element e in G such that a  e = e  a = a for all a in G
• (A4) Inverse element:
• For each a in G, there is an element a in G such that aa = a  a = e
• (A5) Commutative:
• a  b = b  a for all a, b in G
 Cyclic Group
• Exponentiation is defined within a group as a
repeated application of the group operator, so that
a3 = aaa
• We define a0 = e as the identity element, and a-n =
(a’)n , where a’ is the inverse element of a within the
group

• A group G is cyclic if every element of G is a power

ak (k is an integer) of a fixed element
• The element a is said to generate the group G or to be a
generator of G
• A cyclic group is always abelian and may be finite or infinite
 Rings
• A ring R , sometimes denoted by {R , + , * }, is a set of elements with two binary
operations, called addition and multiplication, such that for all a , b , c in R the
following axioms are obeyed:
(A1–A5)
R is an abelian group with respect to addition; that is, R satisfies axioms A1 through A5. For
the case of an additive group, we denote the identity element as 0 and the inverse of a as –a
(M1) Closure under multiplication:
If a and b belong to R , then ab is also in R
(M2) Associativity of multiplication:
a (bc ) = (ab)c for all a , b , c in R
(M3) Distributive laws:
a (b + c ) = ab + ac for all a , b , c in R
(a + b )c = ac + bc for all a , b , c in R

• In essence, a ring is a set in which we can do addition, subtraction [a - b = a + (-b )],

and multiplication without leaving the set
 Rings (cont.)
• A ring is said to be commutative if it satisfies
the following additional condition:
(M4) Commutativity of multiplication:
ab = ba for all a, b in R
• An integral domain is a commutative ring that
obeys the following axioms.
(M5) Multiplicative identity:
There is an element 1 in R such that a 1 = 1a = a
for all a in R
(M6) No zero divisors:
If a , b in R and ab = 0, then either a = 0 or b = 0
 Fields
• A field F , sometimes denoted by {F, +,* }, is a set of elements with two
binary operations, called addition and multiplication, such that for all a,
b, c in F the following axioms are obeyed:
(A1–M6)
F is an integral domain; that is, F satisfies axioms A1 through A5 and M1

through M6
(M7) Multiplicative inverse:
For each a in F, except 0, there is an element a-1 in F such that aa-1 = (a-1 )a = 1
• In essence, a field is a set in which we can do addition, subtraction,
multiplication, and division without leaving the set. Division is defined
with the following rule: a /b = a (b-1 )
Familiar examples of fields are the rational numbers, the real numbers, and
the complex numbers. Note that the set of all integers is not a field,
because not every element of the set has a multiplicative inverse.
Group,
Ring,
and
Field
Finite Fields of the Form GF(p)
• Finite fields play a crucial role in many
cryptographic algorithms
• It can be shown that the order of a finite field
must be a power of a prime pn, where n is a
positive integer
• The only positive integers that are divisors of p are
p and 1
• The finite field of order pn is generally written
GF(pn )
• GF stands for Galois field, in honor of the
mathematician who first studied finite fields
Table 4.5(a) Arithmetic in GF(7)

(a) Addition modulo 7

Table 4.5(b) Arithmetic in GF(7)

(b) Multiplication modulo 7

Table 4.5(c)

Arithmetic
in GF(7)

(c) Additive and multiplicative

inverses modulo 7
In this section, we have • 1. GF(p) consists of p elements
shown how to construct a
finite field of order p, where • 2. The binary operations + and *
p is prime. are defined over the set. The
operations of addition, subtraction,
GF(p) is defined with the multiplication, and division can be
following properties: performed without leaving the set.
Each element of the set other than
0 has a multiplicative inverse

• We have shown that the elements

of GF(p) are the integers {0, 1, . . .
, p – 1} and that the arithmetic
operations are addition and
multiplication mod p
 Polynomial Arithmetic
• We can distinguish three classes of polynomial
arithmetic:

• Ordinary polynomial arithmetic, using the basic rules of

algebra

• Polynomial arithmetic in which the arithmetic on the coefficients is

performed modulo p; that is, the coefficients are in GF(p )

• Polynomial arithmetic in which the coefficients are in GF(p ), and

the polynomials are defined modulo a polynomial m (x ) whose
highest power is some integer n
Ordinary Polynomial Arithmetic Example
As an example:
let f(x) = x3 + x2 + 2 and g(x) = x2 - x + 1, where S is
the set of integers

Then:
f(x) + g(x) = x3 + 2x2 - x + 3
f(x) - g(x) = x3 + x + 1
f(x) * g(x) = x5 + 3x2 - 2x + 2

Figures 4.3a through 4.3c show the manual calculations

 Polynomial Arithmetic With
Coefficients in Zp
• If each distinct polynomial is considered to be an
element of the set, then that set is a ring
• When polynomial arithmetic is performed on polynomials
over a field, then division is possible
• Note: this does not mean that exact division is possible

• If we attempt to perform polynomial division over a coefficient set

that is not a field, we find that division is not always defined
• Even if the coefficient set is a field, polynomial division is not
necessarily exact
• With the understanding that remainders are allowed, we can say
that polynomial division is possible if the coefficient set is a field
 Polynomial Division
• We can write any polynomial in the form:
f(x) = q(x) g(x) + r(x)
• r(x) can be interpreted as being a remainder
• So r(x) = f(x) mod g(x)

• If there is no remainder we can say g(x) divides f(x)

• Written as g(x) | f(x)
• We can say that g(x) is a factor of f(x)
• Or g(x) is a divisor of f(x)

• A polynomial f(x) over a field F is called irreducible if and only if

f(x) cannot be expressed as a product of two polynomials, both
over F, and both of degree lower than that of f(x)
• An irreducible polynomial is also called a prime polynomial
Example of Polynomial
Arithmetic
Over GF(2)

(Figure 4.4 can be found on page 110 in

the textbook)
 Polynomial GCD
• The polynomial c(x) is said to be the greatest common
divisor of a(x) and b(x) if the following are true:
• c(x) divides both a(x) and b(x)
• Any divisor of a(x) and b(x) is a divisor of c(x)

• An equivalent definition is:

• gcd[a(x), b(x)] is the polynomial of maximum degree that divides
both a(x) and b(x)

• The Euclidean algorithm can be extended to find the

greatest common divisor of two polynomials whose
coefficients are elements of a field
Table 4.6(a) Arithmetic in GF(23)

(a) Addition
Table 4.6(b) Arithmetic in GF(23)

(b) Multiplication
Table 4.6(c)

Arithmetic
in GF(23)

(c) Additive and multiplicative inverses

Table 4.7 Polynomial Arithmetic Modulo (x3 + x + 1)

(a) Addition

(b) Multiplication

(page 117 in textbook)

 Table 4.8
Extended Euclid [(x8 + x4 + x3 + x + 1), (x7 + x + 1)]

(Table 4.8 can be found on page 118 in textbook)

 Computational Considerations
• Since coefficients are 0 or 1, they can
represent any such polynomial as a bit
string
• Addition becomes XOR of these bit strings
• Multiplication is shift and XOR
– cf long-hand multiplication
• Modulo reduction is done by repeatedly
substituting highest power with remainder of
irreducible polynomial (also shift and XOR)
 Using a Generator
• A generator g of a finite field F of order q (contains
q elements) is an element whose first q-1 powers
generate all the nonzero elements of F
• The elements of F consist of 0, g0, g1, . . . ., gq-2

• Consider a field F defined by a polynomial f(x)

• An element b contained in F is called a root of the
polynomial if f(b) = 0

• Finally, it can be shown that a root g of an irreducible

polynomial is a generator of the finite field defined on that
polynomial
 Table 4.9
Generator for GF(23) using x3 + x + 1
 Table 4.10
GF(23) Arithmetic Using Generator for the Polynomial (x3 + x + 1)

(a) Addition

(b) Multiplication

(page 123 in textbook)

 Summary
• Divisibility and the • Finite fields of
division algorithm the form GF(p)
• The Euclidean • Polynomial
algorithm arithmetic
• Modular arithmetic • Finite fields of
• Groups, rings, and the form GF(2n)
fields
 Chapter 5
Advanced Encryption Standard
“It seems very simple.”
“It is very simple. But if you don’t know
what the key is it’s virtually
indecipherable.”

—Talking to Strange Men,

Ruth Rendell
 Finite Field Arithmetic
• In the Advanced Encryption Standard (AES) all operations are
performed on 8-bit bytes
• The arithmetic operations of addition, multiplication, and
division are performed over the finite field GF(28)
• A field is a set in which we can do addition, subtraction,
multiplication, and division without leaving the set
• Division is defined with the following rule:
• a /b = a (b-1 )

• An example of a finite field (one with a finite number of elements) is

the set Zp consisting of all the integers {0, 1, . . . . , p - 1}, where p is
a prime number and in which arithmetic is carried out modulo p
Finite Field Arithmetic
If one of the operations For convenience and for
used in the algorithm is implementation efficiency
division, then we need we would like to work
to work in arithmetic with integers that fit
defined over a field exactly into a given
• Division requires that each number of bits with no
nonzero element have a wasted bit patterns
multiplicative inverse
• Integers in the range 0 through
2nn – 1, which fit into an n-bit
word

The set of such integers, A finite field containing

Z22n, using modular 2nn elements is referred
arithmetic, is not a field to as GF(2n)
• Every polynomial in GF(2 nn)
• For example, the integer 2 has
can be represented by an n-
no multiplicative inverse in Z 22nn, bit number
that is, there is no integer b,
such that 2b mod 2nn = 1
AES
Encryption
Process
AES Data Structures
 Table 5.1
AES Parameters
AES
Encryption
and
Decryption
 Detailed Structure
• Processes the entire data block as a single matrix during each round using substitutions and
permutation
• The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]
Four different stages are used:
• Substitute bytes – uses an S-box to perform a byte-by-byte substitution of the block
• ShiftRows – a simple permutation
• MixColumns – a substitution that makes use of arithmetic over GF(28)
• AddRoundKey – a simple bitwise XOR of the current block with a portion of the expanded key

• The cipher begins and ends with an AddRoundKey stage

• Can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block,
followed by scrambling of the block (the other three stages), followed by XOR encryption, and so
on
• Each stage is easily reversible
• The decryption algorithm makes use of the expanded key in reverse order, however the
decryption algorithm is not identical to the encryption algorithm
• State is the same for both encryption and decryption
• Final round of both encryption and decryption consists of only three stages
AES
Byte
Level
Operations
Table 5.2
(a) S-box

(Table can be found on page 139 in textbook)

Table 5.2
(b) Inverse S-box

(Table can be found on page 139 in textbook)

 S-Box Rationale
• The S-box is designed to be resistant to known
cryptanalytic attacks
• The Rijndael developers sought a design that has a low
correlation between input bits and output bits and the
property that the output is not a linear mathematical
function of the input
• The nonlinearity is due to the use of the multiplicative
inverse
 Shift Row Transformation

Figure 5.7 AES Row and Column Operations

(Figure can be found on page 144 in textbook)

 Shift Row Rationale
• More substantial than it may first appear
• The State, as well as the cipher input and output,
is treated as an array of four 4-byte columns
• On encryption, the first 4 bytes of the plaintext are
copied to the first column of State, and so on
• The round key is applied to State column by
column
• Thus, a row shift moves an individual byte from one
column to another, which is a linear distance of a
multiple of 4 bytes
• Transformation ensures that the 4 bytes of one
column are spread out to four different columns
MixColumn Transformation

Figure 5.7 AES Row and Column Operations

(Figure can be found on page 144 in textbook)
 Mix Columns Rationale
• Coefficients of a matrix based on a linear code
with maximal distance between code words
ensures a good mixing among the bytes of each
column
• The mix column transformation combined with
the shift row transformation ensures that after a
few rounds all output bits depend on all input
bits
 AddRoundKey Transformation
• The 128 bits of State
are bitwise XORed with
the 128 bits of the Rationale:
round key
• Operation is viewed as Is as simple as possible
and affects every bit of
a columnwise operation State
between the 4 bytes of
a State column and one The complexity of the
round key expansion plus
word of the round key the complexity of the other
• Can also be viewed as a stages of AES ensure
security
byte-level operation
Inputs
for
Single
AES
Round
 AES Key Expansion
• Takes as input a four-word (16 byte) key and produces a
linear array of 44 words (176) bytes
• This is sufficient to provide a four-word round key for the initial
AddRoundKey stage and each of the 10 rounds of the cipher
• Key is copied into the first four words of the expanded key
• The remainder of the expanded key is filled in four words at a time
• Each added word w[i] depends on the immediately
preceding word, w[i – 1], and the word four positions back,
w[i – 4]
• In three out of four cases a simple XOR is used
• For a word whose position in the w array is a multiple of 4, a more
complex function is used
 AES
Key
Expansion
 Key Expansion Rationale
• The Rijndael developers
The specific criteria that were used
designed the expansion are:
key algorithm to be
• Knowledge of a part of the cipher key
resistant to known
or round key does not enable
cryptanalytic attacks calculation of many other round-key
• Inclusion of a round- bits
dependent round constant • An invertible transformation
eliminates the symmetry • Speed on a wide range of processors
• Usage of round constants to eliminate
between the ways in which
symmetries
round keys are generated • Diffusion of cipher key differences into
in different rounds the round keys
• Enough nonlinearity to prohibit the full
determination of round key differences
from cipher key differences only
• Simplicity of description
 Table 5.3

AES
Example
Key
Expansion
(Table is located on page 151
in textbook)
 Table 5.4

AES
Example

(Table is located on page 153

in textbook)
 Table 5.5
Avalanche
Effect
in AES:
Change in
Plaintext
(Table is located on page 154
in textbook)
 Table 5.6
Avalanche
Effect
in AES:
Change
in Key
(Table is located on page 155
in textbook)
 Equivalent Inverse Cipher
• AES decryption cipher is
not identical to the Two separate changes are needed to bring
the decryption structure in line with the
encryption cipher encryption structure
• The sequence of
transformations differs
although the form of the
key schedules is the same The first two stages of the decryption round
need to be interchanged
• Has the disadvantage that
two separate software or
firmware modules are
needed for applications
that require both The second two stages of the decryption
round need to be interchanged
encryption and decryption
 Interchanging
InvShiftRows and InvSubBytes
• InvShiftRows affects the sequence of bytes in State
but does not alter byte contents and does not
depend on byte contents to perform its
transformation
• InvSubBytes affects the contents of bytes in State
but does not alter byte sequence and does not
depend on byte sequence to perform its
transformation
• Thus, these two operations commute and can be
interchanged
 Interchanging
AddRoundKey and InvMixColumns

If we view the
The key as a
transformations sequence of
These two
AddRoundKey words, then both
operations are
and AddRoundKey
linear with
InvMixColumns and
respect to the
do not alter the InvMixColumns
column input
sequence of operate on State
bytes in State one column at a
time
Equivalent
Inverse
Cipher
 Implementation Aspects
• AES can be implemented very efficiently on an 8-bit
processor
• AddRoundKey is a bytewise XOR operation
• ShiftRows is a simple byte-shifting operation
• SubBytes operates at the byte level and only
requires a table of 256 bytes
• MixColumns requires matrix multiplication in the
field GF(28), which means that all operations are
carried out on bytes
 Implementation Aspects
• Can efficiently implement on a 32-bit processor
• Redefine steps to use 32-bit words
• Can precompute 4 tables of 256-words
• Then each column in each round can be computed
using 4 table lookups + 4 XORs
• At a cost of 4Kb to store tables
• Designers believe this very efficient
implementation was a key factor in its selection
as the AES cipher
AES Rijndael Encryption Cipher
Overview

• Youtube Example
AES Rijndael Cipher - Visualization

• Thanks to Abin Alichin and Youtube

• Example

• Scholartica Channel – some details and

examples

• https://www.youtube.com/watch?v=nL1ApwEXrz0
 Summary
• AES transformation
• Finite field arithmetic
functions
• AES structure
• Substitute bytes
– General structure
• ShiftRows
– Detailed structure
• MixColumns
• AES key expansion • AddRoundKey
– Key expansion
algorithm • AES implementation
– Rationale • Equivalent inverse
cipher
• Implementation
aspects