doc: add GF(2^8) context
This commit is contained in:
parent
d89e7a37d6
commit
babfbb72bd
1 changed files with 71 additions and 13 deletions
@ -16,10 +16,67 @@ substitution, a column shift, a row mixing, and a round key addition.
\vspace{1em}
The padding scheme follows the same structure as MD5 and SHA-256: a single
\texttt{1} bit is appended, followed by \texttt{0} bits until the message
length is congruent to 448 bits modulo 512. The original message length in bits
is then appended as a 64-bit big-endian integer.
The padding scheme appends a single \texttt{1} bit, followed by \texttt{0}
bits until the message length is congruent to 256 bits modulo 512. The original
message length in bits is then appended as a 256-bit big-endian integer,
bringing the total padded length to an exact multiple of 512 bits. Whirlpool
uses a 256-bit length field (rather than the 64-bit field of MD5 and SHA-256)
to support messages up to $2^{256} - 1$ bits in length.
\vspace{1em}
\textbf{Arithmetic in $\mathrm{GF}(2^8)$.}
A \textbf{finite field} (or Galois field) is a finite set in which addition,
subtraction, multiplication and division (by any non-zero element) are all
well-defined and satisfy the usual algebraic laws. The simplest example is
$\mathrm{GF}(2) = \{0, 1\}$, where addition is XOR and multiplication is AND.
\vspace{1em}
$\mathrm{GF}(2^8)$ extends this to 256 elements by representing each element
as a polynomial of degree less than 8 with coefficients in $\{0, 1\}$. A byte
$b_7 b_6 \cdots b_0$ encodes the polynomial
$b_7 x^7 + b_6 x^6 + \cdots + b_0$; for example,
\texttt{0b10100011} $= x^7 + x^5 + x + 1$.
\vspace{1em}
This construction is analogous to modular arithmetic: just as
$\mathbb{Z}/p\mathbb{Z}$ is a field because $p$ is prime, the set of
polynomials with binary coefficients forms a field when reduced modulo an
\emph{irreducible} polynomial --- one that cannot be factored. Without this
reduction, multiplying two polynomials could produce a degree greater than 7,
stepping outside the 256-element set. Reducing modulo an irreducible polynomial
of degree 8 keeps every result within one byte, and guarantees that every
non-zero element has a multiplicative inverse.
\vspace{1em}
\textbf{Addition} is coefficient-wise addition modulo 2, equivalent to a
bitwise XOR (there is no carry: $1 + 1 = 0$):
\begin{align*}
a + b = a \oplus b
\end{align*}
\textbf{Multiplication by $x$} (called \emph{xtime}) is a left shift by one
bit, followed by a conditional reduction: if the original high bit was 1, the
degree of the result would reach 8 and must be reduced modulo the irreducible
polynomial $p(x) = x^8 + x^4 + x^3 + x^2 + 1$ (\texttt{0x11d}), which means
XORing with its low byte \texttt{0x1d}:
\begin{align*}
\mathrm{xtime}(a) =
\begin{cases}
a \ll 1 & \text{if } b_7 = 0 \\
(a \ll 1) \oplus \texttt{0x1d} & \text{if } b_7 = 1
\end{cases}
\end{align*}
\textbf{Multiplication by an arbitrary element} decomposes the multiplier into
powers of 2, applies xtime repeatedly for each power, then combines the results
with XOR. For example, multiplying by \texttt{0x05} $= x^2 + 1$:
\begin{align*}
\texttt{0x05} \cdot a = \mathrm{xtime}(\mathrm{xtime}(a)) \oplus a
\end{align*}
\newpage
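Review bot: the $b_7 = 1$ case of the xtime display does not fully reduce as written: $(a \ll 1) \oplus \texttt{0x1d}$ leaves the shifted-out $x^8$ term in place unless the shift result is truncated to 8 bits (or the XOR uses the full \texttt{0x11d}). Suggest making the truncation explicit, e.g. `((a \ll 1) \bmod 2^8) \oplus \texttt{0x1d}`, and saying the same in the sentence introducing the display. Minor: "decomposes the multiplier into powers of 2" reads better as "into powers of $x$ (the set bits of the multiplier)", which is what the \texttt{0x05} $= x^2 + 1$ example actually shows.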
@ -44,27 +101,28 @@ b_{i,j} = a_{i',\ j} \quad \text{where } i' = (i - j) \bmod 8
\medskip
\textbf{MixRows} multiplies each row of the state matrix by a fixed MDS matrix
over $\mathrm{GF}(2^8)$ with irreducible polynomial $x^8 + x^4 + x^3 + x^2 +
1$, providing diffusion across the eight bytes of each row. Formally, for each
row $i$, each output byte $b_j$ is computed as:
\textbf{MixRows} multiplies each row of the state matrix by a fixed circulant
MDS matrix over $\mathrm{GF}(2^8)$ with irreducible polynomial
$x^8 + x^4 + x^3 + x^2 + 1$, providing diffusion across the eight bytes of
each row. The MDS matrix is fully determined by its first row
$(c_0,\ c_1,\ \ldots,\ c_7)$; the entry at row $j$, column $k$ equals
$c_{(j-k) \bmod 8}$. Formally, for each row $i$, each output byte $b_{i,j}$
is computed as:
\begin{align*}
b_j = \bigoplus_{k=0}^{7} \mathrm{MDS}[(j - k) \bmod 8] \cdot a_{i,k}
b_{i,j} = \bigoplus_{k=0}^{7} c_{(j-k) \bmod 8} \cdot a_{i,k}
\end{align*}
\noindent where $\cdot$ denotes multiplication in $\mathrm{GF}(2^8)$ and $\oplus$ denotes XOR.
\medskip
\textbf{AddRoundKey} XORs the state with the current round key.
\textbf{AddRoundKey} XORs the state with the current round key:
\begin{align*}
%TODO: \forall i \in \mathbb{N},\ 0 \leq i < 8,
S \leftarrow S \oplus K[r]
\end{align*}
\newpage
The S-box and the MDS matrix coefficients are fixed tables defined in the
Whirlpool specification; their values are too large to reproduce here. The
round constants $\mathrm{RC}[r]$, $r \in \mathbb{N},\ 1 \leq r \leq 10$, are
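Review bot: the circulant-matrix description and the MixRows formula disagree on index direction. The prose says the entry at row $j$, column $k$ is $c_{(j-k) \bmod 8}$, but since the state row is multiplied by the matrix on the right, $b_{i,j} = \bigoplus_k a_{i,k} \cdot C[k][j]$, so the display $b_{i,j} = \bigoplus_k c_{(j-k) \bmod 8} \cdot a_{i,k}$ implies $C[k][j] = c_{(j-k) \bmod 8}$, i.e. entry at row $j$, column $k$ equals $c_{(k-j) \bmod 8}$. One of the two should be flipped so they agree. Also, the `%TODO:` line left inside the AddRoundKey align* should be resolved or dropped before merging, and $K[r]$ should be introduced (the round key for round $r$) since this display is its first use.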