doc: add GF(2^8) context

This commit is contained in:
lohhiiccc 2026-05-18 10:31:37 +02:00
parent d89e7a37d6
commit babfbb72bd


@ -16,10 +16,67 @@ substitution, a column shift, a row mixing, and a round key addition.
\vspace{1em} \vspace{1em}
The padding scheme follows the same structure as MD5 and SHA-256: a single The padding scheme appends a single \texttt{1} bit, followed by \texttt{0}
\texttt{1} bit is appended, followed by \texttt{0} bits until the message bits until the message length is congruent to 256 bits modulo 512. The original
length is congruent to 448 bits modulo 512. The original message length in bits message length in bits is then appended as a 256-bit big-endian integer,
is then appended as a 64-bit big-endian integer. bringing the total padded length to an exact multiple of 512 bits. Whirlpool
uses a 256-bit length field (rather than the 64-bit field of MD5 and SHA-256)
to support messages up to $2^{256} - 1$ bits in length.
\vspace{1em}
\textbf{Arithmetic in $\mathrm{GF}(2^8)$.}
A \textbf{finite field} (or Galois field) is a finite set in which addition,
subtraction, multiplication and division (by any non-zero element) are all
well-defined and satisfy the usual algebraic laws. The simplest example is
$\mathrm{GF}(2) = \{0, 1\}$, where addition is XOR and multiplication is AND.
\vspace{1em}
$\mathrm{GF}(2^8)$ extends this to 256 elements by representing each element
as a polynomial of degree less than 8 with coefficients in $\{0, 1\}$. A byte
$b_7 b_6 \cdots b_0$ encodes the polynomial
$b_7 x^7 + b_6 x^6 + \cdots + b_0$; for example,
\texttt{0b10100011} $= x^7 + x^5 + x + 1$.
\vspace{1em}
This construction is analogous to modular arithmetic: just as
$\mathbb{Z}/p\mathbb{Z}$ is a field because $p$ is prime, the set of
polynomials with binary coefficients forms a field when reduced modulo an
\emph{irreducible} polynomial --- one that cannot be factored. Without this
reduction, multiplying two polynomials could produce a degree greater than 7,
stepping outside the 256-element set. Reducing modulo an irreducible polynomial
of degree 8 keeps every result within one byte, and guarantees that every
non-zero element has a multiplicative inverse.
\vspace{1em}
\textbf{Addition} is coefficient-wise addition modulo 2, equivalent to a
bitwise XOR (there is no carry: $1 + 1 = 0$):
\begin{align*}
a + b = a \oplus b
\end{align*}
\textbf{Multiplication by $x$} (called \emph{xtime}) is a left shift by one
bit, followed by a conditional reduction: if the original high bit was 1, the
degree of the result would reach 8 and must be reduced modulo the irreducible
polynomial $p(x) = x^8 + x^4 + x^3 + x^2 + 1$ (\texttt{0x11d}), which means
XORing with its low byte \texttt{0x1d}:
\begin{align*}
\mathrm{xtime}(a) =
\begin{cases}
a \ll 1 & \text{if } b_7 = 0 \\
(a \ll 1) \oplus \texttt{0x1d} & \text{if } b_7 = 1
\end{cases}
\end{align*}
\textbf{Multiplication by an arbitrary element} decomposes the multiplier into
powers of 2, applies xtime repeatedly for each power, then combines the results
with XOR. For example, multiplying by \texttt{0x05} $= x^2 + 1$:
\begin{align*}
\texttt{0x05} \cdot a = \mathrm{xtime}(\mathrm{xtime}(a)) \oplus a
\end{align*}
\newpage \newpage
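Review bot: the second case of the xtime formula, $(a \ll 1) \oplus \texttt{0x1d}$, only reduces correctly when the shift has already been truncated to 8 bits; on the untruncated 9-bit value the high bit survives, because XORing \texttt{0x1d} instead of \texttt{0x11d} never clears it. State the truncation explicitly, e.g. $((a \ll 1) \bmod 2^8) \oplus \texttt{0x1d}$, or add "the bit shifted out is discarded", so the formula matches the prose "XORing with its low byte \texttt{0x1d}". Minor: "decomposes the multiplier into powers of 2" would read more precisely as "powers of $x$ (the set bits of the multiplier)", which is what the \texttt{0x05} $= x^2 + 1$ example actually does.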
@ -44,27 +101,28 @@ b_{i,j} = a_{i',\ j} \quad \text{where } i' = (i - j) \bmod 8
\medskip \medskip
\textbf{MixRows} multiplies each row of the state matrix by a fixed MDS matrix \textbf{MixRows} multiplies each row of the state matrix by a fixed circulant
over $\mathrm{GF}(2^8)$ with irreducible polynomial $x^8 + x^4 + x^3 + x^2 + MDS matrix over $\mathrm{GF}(2^8)$ with irreducible polynomial
1$, providing diffusion across the eight bytes of each row. Formally, for each $x^8 + x^4 + x^3 + x^2 + 1$, providing diffusion across the eight bytes of
row $i$, each output byte $b_j$ is computed as: each row. The MDS matrix is fully determined by its first row
$(c_0,\ c_1,\ \ldots,\ c_7)$; the entry at row $j$, column $k$ equals
$c_{(j-k) \bmod 8}$. Formally, for each row $i$, each output byte $b_{i,j}$
is computed as:
\begin{align*} \begin{align*}
b_j = \bigoplus_{k=0}^{7} \mathrm{MDS}[(j - k) \bmod 8] \cdot a_{i,k} b_{i,j} = \bigoplus_{k=0}^{7} c_{(j-k) \bmod 8} \cdot a_{i,k}
\end{align*} \end{align*}
\noindent where $\cdot$ denotes multiplication in $\mathrm{GF}(2^8)$ and $\oplus$ denotes XOR. \noindent where $\cdot$ denotes multiplication in $\mathrm{GF}(2^8)$ and $\oplus$ denotes XOR.
\medskip \medskip
\textbf{AddRoundKey} XORs the state with the current round key. \textbf{AddRoundKey} XORs the state with the current round key:
\begin{align*} \begin{align*}
%TODO: \forall i \in \mathbb{N},\ 0 \leq i < 8, S \leftarrow S \oplus K[r]
\end{align*} \end{align*}
\newpage
The S-box and the MDS matrix coefficients are fixed tables defined in the The S-box and the MDS matrix coefficients are fixed tables defined in the
Whirlpool specification; their values are too large to reproduce here. The Whirlpool specification; their values are too large to reproduce here. The
round constants $\mathrm{RC}[r]$, $r \in \mathbb{N},\ 1 \leq r \leq 10$, are round constants $\mathrm{RC}[r]$, $r \in \mathbb{N},\ 1 \leq r \leq 10$, are
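Review bot: the index convention for the circulant matrix contradicts the sum below it. With "the entry at row $j$, column $k$ equals $c_{(j-k) \bmod 8}$", the first row ($j = 0$) would read $(c_0, c_7, c_6, \ldots, c_1)$, not $(c_0, c_1, \ldots, c_7)$ as the preceding sentence states. The formula $b_{i,j} = \bigoplus_{k} c_{(j-k) \bmod 8} \cdot a_{i,k}$ is a row vector times a matrix whose entry at row $k$, column $j$ is $c_{(j-k) \bmod 8}$, i.e. each row is the previous one rotated one place to the right. Suggest swapping the roles of $j$ and $k$ in the prose: "the entry at row $k$, column $j$ equals $c_{(j-k) \bmod 8}$", which keeps the first row equal to $(c_0, \ldots, c_7)$ and agrees with the sum.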