In [1]:
import numpy as np

# To be able to use the 'galois' library, you must install it locally - https://galois.readthedocs.io/en/v0.3.9/getting-started/
import galois

# The Galois Field in Cryptography

## Abstract

This project is about Galois fields, what properties they have and how they can be used in cryptography.

The project starts with the basics of Galois fields. Some of the basics of *Groups*, *Rings* and *Fields* and how they are used to define a Galois field are discussed. The difference between *prime* and *extension* fields is explained.

This is followed by an introduction to symmetric/asymmetric cryptography.

At the end, some example implementations of symmetric encryption using Galois fields are shown.

## 1. Group, Ring and Field

Group, Ring, and Field are fundamental structures in abstract algebra. They provide a framework for understanding and working with algebraic systems.

### 1.1. Group

A *group* is a set equipped with a **single binary operation** $\circ$ that satisfies four fundamental properties:

1. **Closure**: For any two elements $a$ and $b$ in the set $G$, the result of the operation $a \circ b$ is also in $G$.
2. **Associativity**: For any three elements $a$, $b$, and $c$ in $G$, $(a \circ b) \circ c = a \circ (b \circ c)$.
3. **Identity Element**: There exists an element $e$ in $G$ such that for every element $a$ in $G$, $e \circ a = a \circ e = a$.
4. **Inverse Element**: For every element $a$ in $G$, there exists an element $b$ in $G$ such that $a \circ b = b \circ a = e$, where $e$ is the identity element.

A group G is *abelian* (or commutative) if $a \circ b = b \circ a \ \forall \ a,b \in G$.

Roughly speaking, a group is set with one operation and the corresponding inverse operation. If the operation is called *addition*, the inverse operation is *subtraction*; if the operation is *multiplication*, the inverse operation is *division* (or multiplication with the inverse element)[1].

**Examples of Groups:**
1. The set of integers $\mathbb{Z}$ with the operation of *addition* forms a group. The identity element is 0, and the inverse of any integer $a$ is $-a$.

2. The set of integers $\mathbb{Z_m}$ = {0,1, . . . ,m−1} and the operation *addition modulo m* form a group with the neutral element 0. Every element $a$ has an inverse $-a$ such that $a+(−a) = 0 \ mod \ m$. Note that this set does not form a group with the operation *multiplication* because most elements $a$ do not have an inverse such that $a \cdot a^{-1} = 1 \ mod \ m$ [1].

### 1.2. Ring

A *ring* is a set equipped with **two binary operations**, usually called *addition* and *multiplication*, satisfying the following properties:

1. **Addition forms an abelian group**:
   - **Closure**: For any $a, b \in R$, $a + b$ $\in$ $R$.
   - **Associativity**: For any $a, b, c \in R$, $(a + b) + c = a + (b + c)$.
   - **Identity Element**: There exists an element $0 \in R$ such that $a + 0 = a$ for all $a \in R$.
   - **Inverse Element**: For every $a \in R$, there exists $-a \in R$ such that $a + (-a) = 0$.
   - **Commutativity**: For any $a, b \in R$, $a + b = b + a$.

2. **Multiplication is associative**:
   - **Closure**: For any $a, b \in R$, $a \cdot b \in R$.
   - **Associativity**: For any $a, b, c \in R$, $(a \cdot b) \cdot c = a \cdot (b \cdot c)$.

3. **Distributivity**:
   - For any $a, b, c \in R$, $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ and $(a + b) \cdot c = (a \cdot c) + (b \cdot c)$.

**Example**: The set of integers $\mathbb{Z}$ with the usual addition and multiplication forms a ring.

### 1.3. Field

In order to have all four basic arithmetic operations (i.e., addition, subtraction, multiplication, division) in one structure, we need a set which contains an **additive** and a **multiplicative group**[1].

A *field* is a set equipped with **two binary operations** (*addition* and *multiplication*) satisfying the following properties:

1. **Addition forms an abelian group** (same as in a ring):
   - **Closure**: For any $a, b \in F$, $a + b \in F$.
   - **Associativity**: For any $a, b, c \in F$, $(a + b) + c = a + (b + c)$.
   - **Identity Element**: There exists an element $0 \in F$ such that $a + 0 = a \ \forall \ a \in F$.
   - **Inverse Element**: For every $a \in F$, there exists $-a \in F$ such that $a + (-a) = 0$.
   - **Commutativity**: For any $a, b \in F$, $a + b = b + a$.

2. **Multiplication forms an abelian group over non-zero elements**:
   - **Closure**: For any $a, b \in F$, $a \cdot b \in F$.
   - **Associativity**: For any $a, b, c \in F$, $(a \cdot b) \cdot c = a \cdot (b \cdot c)$.
   - **Identity Element**: There exists an element $1 \in F$ such that $a \cdot 1 = a$ for all $a \in F$.
   - **Inverse Element**: For every $a \in F$, $a \ne 0$, there exists $a^{-1} \in F$ such that $a \cdot a^{-1} = 1$.
   - **Commutativity**: For any $a, b \in F$, $a \cdot b = b \cdot a$.

3. **Distributivity**:
   - For any $a, b, c \in F$, $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ and $(a + b) \cdot c = (a \cdot c) + (b \cdot c)$.

**Examples of Fields**:

- **Real Numbers ($\mathbb{R}$)**: The set of real numbers with standard addition and multiplication.
- **Complex Numbers ($\mathbb{C}$)**: The set of complex numbers with standard addition and multiplication.
- **Rational Numbers ($\mathbb{Q}$)**: The set of fractions where the numerator and denominator are integers and the denominator is non-zero, with standard addition and multiplication.
- **Finite Fields ($\mathbb{F}_p$ or $GF(p)$)**: Fields with a finite number of elements, where $p$ is a prime number. For example, $GF(2)$ consists of the elements $\{0, 1\}$ with arithmetic modulo 2.

Fields are fundamental structures in algebra and are used extensively in various areas of mathematics, including number theory, algebraic geometry, and cryptography. They provide a framework for studying and understanding the properties of numbers and their operations in a rigorous way.

**Summary**
 
- **Group**: A set with a single associative operation, an identity element, and inverses for all elements.
- **Ring**: A set with two operations (addition and multiplication) where addition forms an abelian group, multiplication is associative, and multiplication distributes over addition.
- **Field**: A ring in which every non-zero element has a multiplicative inverse, and both addition and multiplication are commutative.

These structures form the basis for many areas of mathematics and are essential for understanding more complex algebraic systems.

## 2. Finite Fields. Galois field - GF(2)

A *finite field*, sometimes also called *Galois field*, is a set with a finite number of elements. Roughly speaking, a Galois field is a finite set of elements in which we can add, subtract, multiply and invert. [1]

$GF(2)$, specifically, is the Galois field with 2 elements. It is the simplest finite field and plays a crucial role in many areas of mathematics and computer science, particularly in coding theory and cryptography.

The number of elements in a finite field is called the **order** or **cardinality** of the field. Of fundamental importance is the following theorem:


> A field with order *m* only exists if *m* is a **prime power**, i.e., $m = p^n$, for some positive integer $n$ and prime integer $p$. $p$ is called the **characteristic** of the finite field [1].


This theorem implies that there are, for instance, finite fields with 11 elements, or with 81 elements (since $81$ = $3^4$) or with $256$ elements (since $256 = 2^8$, and $2$ is a prime).
 However, there is *no finite field* with $12$ elements since $12 = 2^2 * 3$, and $12$ is thus not a prime power.
 
 In the remainder of this section we look at how finite fields can be built, and how we can do arithmetic in them.

### 2.1. Construction of Finite Fields

1. **Prime Fields $GF(p)$**:
   - A finite field $GF(p)$ can be constructed where $p$ is a prime number. The elements of $GF(p)$ are the integers $\{0, 1, 2, ..., p-1\}$ with addition and multiplication performed modulo $p$.
   - Example: $GF(3)$ consists of the elements $\{0, 1, 2\}$. Arithmetic operations are performed *modulo 3*.

2. **Extension Fields $GF(p^n)$**:
   - When $n > 1$, we can construct finite fields with $p^n$ elements where $p$ is a prime number and $n$ is a positive integer. These are called *extension fields*.
   - Extension fields are constructed using a polynomial basis. Specifically, they are created by taking polynomials over $GF(p)$ and factoring them by an *irreducible polynomial of degree $n$*.
   - Example: $GF(4)$ can be constructed as $GF(2^2)$. To construct $GF(4)$, we use an irreducible polynomial of degree 2 over $GF(2)$, such as $x^2 + x + 1$. The elements of $GF(4)$ can be represented as $\{0, 1, x, x+1\}$.

### 2.2. Prime Fields - $GF(p)$

The most intuitive examples of finite fields are fields of *prime order*, i.e., fields with $n=1$. Elements of the field $GF(p)$ can be represented by integers $\{0,1, . . . , p−1\}$. The two operations of the field are *modular integer addition* and *integer multiplication modulo p*.

> Let $p$ be a prime. The integer ring $Zp$ is denoted as $GF(p)$ and is referred to as a *prime field*, or as a *Galois field* with a prime number of elements. All nonzero elements of $GF(p)$ have an inverse. Arithmetic in $GF(p)$ is done *modulo p* [1].

In order to do arithmetic in a prime field, we have to follow the rules for integer rings: 
- *Addition* and *multiplication* are done *modulo p*, 
- the *additive inverse* of any element *a* is given by $a + (−a) = 0 \ mod \ p$, and 
- the *multiplicative inverse* of any nonzero element a is defined as $a * a^{−1} = 1$. 


#### 2.2.1. GF(2) - Elements

A very important prime field is $GF(2)$, which is the smallest finite field that exists. The set of elements in $GF(2)$ is $\{0, 1\}$. These elements are often interpreted as the binary values used in digital logic.

#### 2.2.2. GF(2) - Operations

The two operations defined in $GF(2)$ are *addition* and *multiplication*, both of which are performed modulo 2.

##### 2.2.2.1. Addition in $GF(2)$

Addition in $GF(2)$ is equivalent to the **XOR** operation in binary logic.

- $0 + 0 = 0$
- $0 + 1 = 1$
- $1 + 0 = 1$
- $1 + 1 = 0$  ( since $2 \equiv 0 \mod 2$)


##### 2.2.2.2. Multiplication in $GF(2)$

Multiplication in $GF(2)$ is straightforward since the product is 1 only when both operands are 1.

- $0 \times 0 = 0$
- $0 \times 1 = 0$
- $1 \times 0 = 0$
- $1 \times 1 = 1$

*$GF(2)$ addition*, i.e., modulo 2 addition, is equivalent to an **XOR** gate. What we see from the example above is that *$GF(2)$ multiplication* is equivalent to the logical **AND** gate.

#### 2.2.3. Properties of $GF(2)$

$GF(2)$ is classified as an algebraic field as it fulfills all the axioms defining a field in abstract algebra. Specifically, a field is a set equipped with two operations, *addition* and *multiplication*, that satisfy the following properties:

1. **Closure**: The set is closed under both addition and multiplication.
2. **Associativity**: Addition and multiplication are associative.
3. **Commutativity**: Addition and multiplication are commutative.
4. **Distributivity**: Multiplication distributes over addition.
5. **Identity Elements**: There exist additive and multiplicative identities (0 and 1, respectively).
6. **Additive Inverses**: Every element has an additive inverse.
7. **Multiplicative Inverses**: Every non-zero element has a multiplicative inverse.

Let's verify that $GF(2)$ satisfies these properties:

1. **Closure**: 
   - Addition: The sum of any two elements in $GF(2)$ (0 and 1) remains in $GF(2)$ (0 + 0 = 0, 0 + 1 = 1, 1 + 0 = 1, 1 + 1 = 0).
   - Multiplication: The product of any two elements in $GF(2)$ remains in $GF(2)$ (0 * 0 = 0, 0 * 1 = 0, 1 * 0 = 0, 1 * 1 = 1).

2. **Associativity**:
   - Addition: (a + b) + c = a + (b + c) for all a, b, c in $GF(2)$.
   - Multiplication: (a * b) * c = a * (b * c) for all a, b, c in $GF(2)$.

3. **Commutativity**:
   - Addition: a + b = b + a for all a, b in $GF(2)$.
   - Multiplication: a * b = b * a for all a, b in $GF(2)$.

4. **Distributivity**:
   - a * (b + c) = (a * b) + (a * c) for all a, b, c in $GF(2)$.

5. **Identity Elements**:
   - *Additive identity*: The element $0$ is the additive identity since adding $0$ to any element in $GF(2)$ leaves the element unchanged (a + 0 = a for all a in $GF(2))$.
   - *Multiplicative identity*: The element $1$ is the multiplicative identity since multiplying $1$ by any element in $GF(2)$ leaves the element unchanged (a * 1 = a for all a in $GF(2)$).

6. **Additive Inverses**:
   - Every element is its own additive inverse. That is, for any element $a$ in $GF(2)$, $a + a = 0$.

7. **Multiplicative Inverses**:
   - The element $1$ is its own multiplicative inverse since $1 * 1 = 1$. The element $0$ has no multiplicative inverse.

Since $GF(2)$ satisfies all these properties, it qualifies as a field in algebraic terms. This makes $GF(2)$ an algebraic field, and its simple structure is particularly useful in various areas of mathematics, computer science, and engineering, especially in binary logic and coding theory:

In summary, $GF(2)$ is a very simple yet powerful mathematical structure that underlies much of modern computing and information theory.

#### 2.2.4. Prime Filed Arithmetic - Examples

As already discussed, a finite field is a finite set that is closed under *addition*, *subtraction*, *multiplication*, and *division*. Galois proved that finite fields exist only when their **order** (or size of the set) is a **prime power** $p^m$.

When the order is prime, the arithmetic is mostly computed using integer arithmetic $modulo \ p$. 
When the order is a *prime power*, namely extension fields $GF(p^m)$, the arithmetic is mostly computed using polynomial arithmetic modulo the *irreducible polynomial* $f(x)$.

For the examples we will consider the prime field $GF(7)$

In [2]:
GF7 = galois.GF(7)
print(GF7.properties)

Galois Field:
  name: GF(7)
  characteristic: 7
  degree: 1
  order: 7
  irreducible_poly: x + 4
  is_primitive_poly: True
  primitive_element: 3


The elements of the finite field $GF(p)$ are naturally represented as the integers $\{0, 1, 2, ..., p-1\}$

In [3]:
GF7.elements

GF([0, 1, 2, 3, 4, 5, 6], order=7)

Addition, subtraction, and multiplication in $GF(p)$ is equivalent to integer addition, subtraction, and multiplication reduced modulo $p$. Mathematically speaking, this is the integer ring $\mathbb{Z}/p\mathbb{Z}$.

##### 2.2.4.1. Addition

In [4]:
# Define first number in GF(7)
a = GF7(3)
print("first num: ", a)

# Define second number in GF(7)
b = GF7(5)
print("second num: ", b)

# Addition of '3' and '5' in GF(7)
sum = a + b
print("sum in GF(7): ", sum)

first num:  3
second num:  5
sum in GF(7):  1


The *galois library* includes the ability to display the arithmetic tables for any finite field. Here is the addition table:

In [5]:
# Arithmetic table for addition in GF7
print(GF7.arithmetic_table("+"))

x + y | 0  1  2  3  4  5  6 
------|---------------------
    0 | 0  1  2  3  4  5  6 
    1 | 1  2  3  4  5  6  0 
    2 | 2  3  4  5  6  0  1 
    3 | 3  4  5  6  0  1  2 
    4 | 4  5  6  0  1  2  3 
    5 | 5  6  0  1  2  3  4 
    6 | 6  0  1  2  3  4  5 


##### 2.2.4.2. Subtraction

In [6]:
print("first num: ", a)
print("second num: ", b)

# Subtraction of '3' and '5' in GF(7)
diff = a - b
print("difference in GF(7): ", diff)

first num:  3
second num:  5
difference in GF(7):  5


Here is the subtraction table for completeness:

In [7]:
# Arithmetic table for subtraction in GF7
print(GF7.arithmetic_table("-"))

x - y | 0  1  2  3  4  5  6 
------|---------------------
    0 | 0  6  5  4  3  2  1 
    1 | 1  0  6  5  4  3  2 
    2 | 2  1  0  6  5  4  3 
    3 | 3  2  1  0  6  5  4 
    4 | 4  3  2  1  0  6  5 
    5 | 5  4  3  2  1  0  6 
    6 | 6  5  4  3  2  1  0 


##### 2.2.4.3. Multiplication

In [8]:
print("first num: ", a)
print("second num: ", b)

# Multiplication of '3' and '5' in GF(7)
prod = a * b
print("product in GF(7): ", prod)

first num:  3
second num:  5
product in GF(7):  1


Here is the multiplication table:

In [9]:
# Arithmetic table for multiplication in GF7
print(GF7.arithmetic_table("*"))

x * y | 0  1  2  3  4  5  6 
------|---------------------
    0 | 0  0  0  0  0  0  0 
    1 | 0  1  2  3  4  5  6 
    2 | 0  2  4  6  1  3  5 
    3 | 0  3  6  2  5  1  4 
    4 | 0  4  1  5  2  6  3 
    5 | 0  5  3  1  6  4  2 
    6 | 0  6  5  4  3  2  1 


##### 2.2.4.4. Multiplicative Inverse

The *galois library* uses the *Extended Euclidean Algorithm* to compute multiplicative inverses (and division) in prime fields. The inverse of $5$ in $GF(7)$ can be easily computed in the following way:

In [10]:
print("number to get the multiplicative inverse from: ", b)

# compute multiplicative inverse with 'galois' library
mult_inv_g = b ** -1
print("multiplicative inverse 'galois': ", mult_inv_g)

# compute multiplicative inverse with 'numpy'
mult_inv_np = np.reciprocal(b)
print("multiplicative inverse 'numpy': ", mult_inv_np)

number to get the multiplicative inverse from:  5
multiplicative inverse 'galois':  3
multiplicative inverse 'numpy':  3


##### 2.2.4.5. Division

To compute ${3}/{5}$ in $GF(7)$, we can equivalently compute $3 \cdot 5^{-1}$ in $GF(7)$

In [11]:
quot_1 = a * b**-1
print("multiplication with inversed number: ", quot_1)

multiplication with inversed number:  2


In [12]:
quot_2 = a / b
print("quotient: ", quot_2)

quotient:  2


Here is the division table. Notice that division is not defined for $y = 0$.

In [13]:
# Arithmetic table for division in GF7
print(GF7.arithmetic_table("/"))

x / y | 1  2  3  4  5  6 
------|------------------
    0 | 0  0  0  0  0  0 
    1 | 1  4  5  2  3  6 
    2 | 2  1  3  4  6  5 
    3 | 3  5  1  6  2  4 
    4 | 4  2  6  1  5  3 
    5 | 5  6  4  3  1  2 
    6 | 6  3  2  5  4  1 


#### 2.2.5. Practical Applications

1. **Coding Theory**: $GF(2)$ is extensively used in error detection and correction codes, such as CRC (Cyclic Redundancy Check) and Reed-Solomon codes.

2. **Cryptography**: Many cryptographic algorithms utilize operations over $GF(2)$, particularly in the construction of linear feedback shift registers (LFSRs) and block ciphers

3. **Digital Logic**: Boolean algebra, which underpins digital circuit design, is fundamentally based on operations in $GF(2)$.

### 2.3. Extension Fields $GF(p^n)$

Extending the field to have more elements, such as $GF(3)$, $GF(4)$, and so on, allows for a wider range of mathematical and practical applications in various fields, including coding theory, cryptography, and error detection and correction. These larger finite fields are often referred to as Galois fields in honor of the mathematician Évariste Galois.

In AES (Advanced Encryption Standard) the finite field contains $256$ elements and is denoted as $GF(2^8)$. This field was chosen because each of the field elements can be represented by one byte. For the *S-Box* and *MixColumn* transforms, AES treats every byte of the internal data path as an element of the field $GF(2^8)$ and manipulates the data by performing arithmetic in this finite field.

However, if the *order* of a finite field is not prime, and $2^8$ is clearly not a prime, the addition and multiplication operation cannot be represented by addition and multiplication of integers modulo $2^8$. Such fields with m > 1 are called extension fields.

In order to deal with extension fields we need:
1. Different notation for field elements
2. Different rules for performing arithmetic with the elements. 

We will see in the following that elements of extension fields can be represented as polynomials, and that computation in the extension field is achieved by performing a certain type of *polynomial arithmetic*.

In extension fields $GF(2^m)$ elements are not represented as integers but as polynomials with coefficients in $GF(2)$. The polynomials have a maximum degree of $m−1$, so that there are $m$ coefficients in total for every element. In the field $GF(2^8)$, which is used in AES, each element $A \in GF(2^8)$ is thus represented as:

$$A(x) = a_7x^7 + \dots + a_1x + a_0, \ a_i \in GF(2) = \{0,1\}$$

Note that there are exactly $256 = 2^8$ such polynomials. The set of these $256$ polynomials is the finite field $GF(2^8)$. It is also important to observe that every polynomial can simply be stored in digital form as an 8-bit vector:

$$A = (a_7, a_6, a_5, a_4, a_3, a_2, a_1, a_0)$$

In particular, we do not have to store the factors $x^7$, $x^6$, etc. It is clear from the bit positions to which power $x^i$ each coefficient belongs.

#### 2.3.1. Operations in $GF(2^m)$

##### 2.3.1.1. Addition and Subtraction in $GF(2^m)$

*Addition* and *subtraction* are simply achieved by performing standard polynomial addition and subtraction: We merely add or subtract coefficients with equal powers of $x$. The coefficient additions or subtractions are done in the underlying field $GF(2)$.

>Extension field addition and subtraction:
> 
> >Let $A(x)$, $B(x) \in GF(2^m)$. The sum of the two elements is then computed according to:
> >$$C(x) = A(x) + B(x) = \sum_{i=0}^{m-1}c_ix^i, \ c_i ≡ a_i + b_i \ mod \ 2$$ 

>> and the difference is computed according to:
>> $$C(x) = A(x) - B(x) = \sum_{i=0}^{m-1}c_ix^i, \ c_i ≡ a_i - b_i ≡ a_i + b_i \ mod \ 2$$ 

Note that we perform modulo 2 addition (or subtraction) with the coefficients. Addition and subtraction modulo 2 are the same operation. Moreover, addition modulo 2 is equal to bitwise **XOR**. Let’s have a look at an example in the field $GF(2^8)$ which is used in AES:

>Here is how the sum $C(x)=A(x) + B(x)$ of two elements from $GF(2^8)$ is computed:
>$$A(x) = x^7 + x^6 + x^4 + \     1$$
>$$B(x) = \     \    x^4 + x^2 + 1$$
>$$C(x) = x^7 + x^6 + x^2$$


Note that if we computed the difference of the two polynomials $A(x)−B(x)$ from the example above, we would get the same result as for the sum.

##### 2.3.1.2. Multiplication in $GF(2^m)$

In a first step, two elements (represented by their polynomials) of a finite field $GF(2^m)$ are multiplied using the standard polynomial multiplication rule:

$$A(x) \cdot B(x) = (a_{m−1}x^{m−1} + \dots + a_0) \cdot (b_{m−1}x^{m−1} + \dots + b_0)$$
$$C'(x) = c'_{2m-2}x^{2m−2} + \dots + c'_0$$

where:

$$c'_0 = a_0b_0 \ mod \ 2$$
$$c'_1 = a_0b_0 + a_1b_1 \ mod \ 2$$
$$c'_{2m-2} = a_{m-1}b_{m-1} \ mod \ 2$$



Note that all coefficients $a_i$, $b_i$ and $c_i$ are elements of $GF(2)$, and that coefficient arithmetic is performed in $GF(2)$. In general, the product polynomial $C(x)$ will have a degree higher than $m−1$ and has to be *reduced*. 
The basic idea is an approach similar to the case of multiplication in **prime fields**: in $GF(p)$, we multiply the two integers, divide the result by a prime, and consider only the remainder. 
Here is what we are doing in **extension fields**: The product of the multiplication is divided by a certain *polynomial*, and we consider only the remainder after the polynomial division.We need **irreducible polynomials** for the *module reduction*.
*Irreducible polynomials* are roughly comparable to *prime numbers*, i.e., their only factors are 1 and the polynomial itself.

> Definition: **Extension field multiplication**
> 
>>Let $A(x)$,$B(x)$ ∈ $GF(2^m)$ and let
>>$$P(x) = \sum_{i=0}^mp_ix^i, \ p_i \in GF(2)$$ 

>> be an **irreducible polynomial**. Multiplication of the two elements $A(x)$,$B(x)$ is performed as
>> $$C(x) = A(x) \cdot B(x) \ mod \ P(x)$$ 

Thus, every field $GF(2^m)$ requires an irreducible polynomial $P(x)$ of degree $m$ with coefficients from $GF(2)$. Note that not all polynomials are irreducible. For example, the polynomial $x^4+x^3+x+1$ is reducible since

$$x^4+x^3+x+1 = (x^2 + x + 1)(x^2 + 1)$$

and hence cannot be used to construct the extension field $GF(2^4)$.

For AES, the irreducible polynomial $$P(x) = x^8 + x^4 + x^3 + x + 1$$ is used. It is part of the AES specification.

##### 2.3.1.3. Inversion in $GF(2^m)$

Inversion in $GF(2^8)$ is the core operation of the *Byte Substitution transformation*, which contains the AES S-Boxes. For a given finite field $GF(2^m)$ and the corresponding irreducible reduction polynomial $P(x)$, the inverse $A^{−1}$ of a nonzero element $A \in GF(2^m)$ is defined as:

$$A^{−1}(x) \cdot A(x) = 1 \ mod \ P(x)$$

For small fields - in practice this often means fields with $2^{16}$ or fewer elements - lookup tables which contain the precomputed inverses of all field elements are often used.

#### 2.3.2. Extension Fileds Arithmetic - Examples

As already discussed, finite fields exist only when their **order** (or size of the set) is a **prime power** $p^m$.
 
When the order is a *prime power*, namely extension fields $GF(p^m)$, the arithmetic is mostly computed using polynomial arithmetic modulo the *irreducible polynomial* $f(x)$.

For the examples we will consider the extension field $GF(3^2)$

In [14]:
# Create extension field GF(9). 
# repr="poly" - using the polynomial representation to display the elements
GF9 = galois.GF(3**2, repr="poly")
print(GF9.properties)

Galois Field:
  name: GF(3^2)
  characteristic: 3
  degree: 2
  order: 9
  irreducible_poly: x^2 + 2x + 2
  is_primitive_poly: True
  primitive_element: x


The elements of $GF(p^m)$ are polynomials over $GF(p)$ with degree less than $m$. Formally, they are all polynomials
$$a_{m-1}x^{m-1} + \dots + a_1x^1 + a_0, \ \in GF(p)[x]$$
There are exactly $p^m$ elements.

The elements of the finite field are:

In [15]:
GF9.elements

GF([     0,      1,      2,      α,  α + 1,  α + 2,     2α, 2α + 1,
    2α + 2], order=3^2)

##### 2.3.2.1. Irreducible polynomial

Every extension field must be defined with respect to an irreducible polynomial $f(x)$. This polynomial defines the arithmetic of the field.

In [16]:
# get irreducible polynomial for GF(3)
f = GF9.irreducible_poly
print("irreducible polynomial: ", f)
f

irreducible polynomial:  x^2 + 2x + 2


Poly(x^2 + 2x + 2, GF(3))

Also note, when factored, $f(x)$ has no irreducible factors other than itself – an analogue of a prime number.

In [17]:
f.is_irreducible()

True

In [18]:
f.factors()

([Poly(x^2 + 2x + 2, GF(3))], [1])

##### 2.3.2.2. Arithmetic

Addition, subtraction, and multiplication in $GF(p^m)$ with irreducible polynomial $f(x)$ is equivalent to polynomial addition, subtraction, and multiplication over $GF(p)$ reduced modulo $f(x)$. Mathematically speaking, this is the polynomial ring $GF(p)[x]/f(x)$.

 We will consider two field elements $a = x + 2$ and $b = x + 1$

Here are $a$ and $b$ represented using **Poly** objects

In [19]:
GF3 = galois.GF(9)

a_poly = galois.Poly([1, 2], field=GF3); a_poly

Poly(x + 2, GF(3^2))

In [20]:
b_poly = galois.Poly([1, 1], field=GF3); b_poly

Poly(x + 1, GF(3^2))

 Here are $a$ and $b$ represented as extension field elements. Extension field elements can be specified as integers or polynomial strings:

In [21]:
# Define first element from the GF(9)
a = GF9("x + 2")
print("first element from GF(9): ", a)
a

first element from GF(9):  α + 2


GF(α + 2, order=3^2)

In [22]:
# Define second element from the GF(9)
b = GF9("x + 1")
print("second element from GF(9): ", b)
b

second element from GF(9):  α + 1


GF(α + 1, order=3^2)

##### 2.3.2.3. Addition

In polynomial addition, the polynomial coefficients add degree-wise in $GF(p)$. Addition of polynomials with degree less than $m$ will never result in a polynomial of degree $m$ or greater. Therefore, it is unnecessary to reduce modulo the degree-$m$ polynomial $f(x)$, since the quotient will always be zero.

We can see that: $$a + b = (1 + 1)x + (2 + 1) = 2x$$

In [23]:
# Sum of a = x + 2 and b = x + 1 in GF(3^2)
sum = a + b
sum

GF(2α, order=3^2)

In [24]:
# Arithmetic table for addition in GF(3^2)
print(GF9.arithmetic_table("+"))

 x + y |      0       1       2       α   α + 1   α + 2      2α  2α + 1  2α + 2 
-------|------------------------------------------------------------------------
     0 |      0       1       2       α   α + 1   α + 2      2α  2α + 1  2α + 2 
     1 |      1       2       0   α + 1   α + 2       α  2α + 1  2α + 2      2α 
     2 |      2       0       1   α + 2       α   α + 1  2α + 2      2α  2α + 1 
     α |      α   α + 1   α + 2      2α  2α + 1  2α + 2       0       1       2 
 α + 1 |  α + 1   α + 2       α  2α + 1  2α + 2      2α       1       2       0 
 α + 2 |  α + 2       α   α + 1  2α + 2      2α  2α + 1       2       0       1 
    2α |     2α  2α + 1  2α + 2       0       1       2       α   α + 1   α + 2 
2α + 1 | 2α + 1  2α + 2      2α       1       2       0   α + 1   α + 2       α 
2α + 2 | 2α + 2      2α  2α + 1       2       0       1   α + 2       α   α + 1 


##### 2.3.2.4. Subtraction

Subtraction, like addition, is performed on coefficients degree-wise and will never result in a polynomial with greater degree.

We can see that $a - b = (1 - 1)x + (2 - 1) = 1$

In [25]:
# Subtraction of a = x + 2 and b = x + 1 in GF(3^2)
diff = a - b
diff

GF(1, order=3^2)

Here is the entire subtraction table for completeness:

In [26]:
# Arithmetic table for subtraction in GF(3^2)
print(GF9.arithmetic_table("-"))

 x - y |      0       1       2       α   α + 1   α + 2      2α  2α + 1  2α + 2 
-------|------------------------------------------------------------------------
     0 |      0       2       1      2α  2α + 2  2α + 1       α   α + 2   α + 1 
     1 |      1       0       2  2α + 1      2α  2α + 2   α + 1       α   α + 2 
     2 |      2       1       0  2α + 2  2α + 1      2α   α + 2   α + 1       α 
     α |      α   α + 2   α + 1       0       2       1      2α  2α + 2  2α + 1 
 α + 1 |  α + 1       α   α + 2       1       0       2  2α + 1      2α  2α + 2 
 α + 2 |  α + 2   α + 1       α       2       1       0  2α + 2  2α + 1      2α 
    2α |     2α  2α + 2  2α + 1       α   α + 2   α + 1       0       2       1 
2α + 1 | 2α + 1      2α  2α + 2   α + 1       α   α + 2       1       0       2 
2α + 2 | 2α + 2  2α + 1      2α   α + 2   α + 1       α       2       1       0 


##### 2.3.2.5. Multiplication

Multiplication of polynomials with degree less than $m$, however, will often result in a polynomial of degree $m$ or greater. Therefore, it is necessary to reduce the result modulo $f(x)$.

First compute $ab = (x + 2)(x + 1) = x^2 + 2$. Notice that $x^2 + 2$ has degree 2, but the elements of $GF(3^2)$ can have degree at most 1. Therefore, reduction modulo $f(x)$ is required. After remainder division, we see that $ab \equiv x \ mod \ f(x)$.

In [27]:
# Multiplication of a = x + 2 and b = x + 1 in GF(3^2)
prod = a * b
prod

GF(α, order=3^2)

Here is the entire multiplication table for completeness:

In [28]:
# Arithmetic table for multiplication in GF(3^2)
print(GF9.arithmetic_table("*"))

 x * y |      0       1       2       α   α + 1   α + 2      2α  2α + 1  2α + 2 
-------|------------------------------------------------------------------------
     0 |      0       0       0       0       0       0       0       0       0 
     1 |      0       1       2       α   α + 1   α + 2      2α  2α + 1  2α + 2 
     2 |      0       2       1      2α  2α + 2  2α + 1       α   α + 2   α + 1 
     α |      0       α      2α   α + 1  2α + 1       1  2α + 2       2   α + 2 
 α + 1 |      0   α + 1  2α + 2  2α + 1       2       α   α + 2      2α       1 
 α + 2 |      0   α + 2  2α + 1       1       α  2α + 2       2   α + 1      2α 
    2α |      0      2α       α  2α + 2   α + 2       2   α + 1       1  2α + 1 
2α + 1 |      0  2α + 1   α + 2       2      2α   α + 1       1  2α + 2       α 
2α + 2 |      0  2α + 2   α + 1   α + 2       1      2α  2α + 1       α       2 


##### 2.3.2.6. Multiplicative Inverse

As with prime fields, the division $a(x)/b(x)$ is reformulated into $a(x)/b(x)^{-1}$. So, first we must compute the multiplicative inverse $b^{-1}$ before continuing onto division.

The `galois` library uses the *Extended Euclidean Algorithm* to compute multiplicative inverses (and division) in extension fields. The inverse of $x + 1$ in $GF(3^2)$ can be easily computed in the following way.

In [29]:
print("number to get the multiplicative inverse from: ", b)

# compute multiplicative inverse with 'galois' library
b ** -1

number to get the multiplicative inverse from:  α + 1


GF(2α + 2, order=3^2)

In [30]:
# compute multiplicative inverse with 'numpy'
np.reciprocal(b)

GF(2α + 2, order=3^2)

##### 2.3.2.7. Division

Now let’s return to division in finite fields. As mentioned earlier, $a(x)/b(x)$ is equivalent to $a(x)/b(x)^{-1}$.

Let’s compute $a/b = (x + 2)(x + 1)^{-1}$ in $GF(3^2)$.

In [31]:
print("multiplication with inversed number: ")
a * b**-1

multiplication with inversed number: 


GF(2α, order=3^2)

In [32]:
print("quotient: ")
a / b

quotient: 


GF(2α, order=3^2)

Here is the division table for completeness. Notice that division is not defined for $y = 0$.

In [33]:
print(GF9.arithmetic_table("/"))

 x / y |      1       2       α   α + 1   α + 2      2α  2α + 1  2α + 2 
-------|----------------------------------------------------------------
     0 |      0       0       0       0       0       0       0       0 
     1 |      1       2   α + 2  2α + 2       α  2α + 1      2α   α + 1 
     2 |      2       1  2α + 1   α + 1      2α   α + 2       α  2α + 2 
     α |      α      2α       1   α + 2   α + 1       2  2α + 2  2α + 1 
 α + 1 |  α + 1  2α + 2       α       1  2α + 1      2α   α + 2       2 
 α + 2 |  α + 2  2α + 1  2α + 2      2α       1   α + 1       2       α 
    2α |     2α       α       2  2α + 1  2α + 2       1   α + 1   α + 2 
2α + 1 | 2α + 1   α + 2   α + 1       α       2  2α + 2       1      2α 
2α + 2 | 2α + 2   α + 1      2α       2   α + 2       α  2α + 1       1 


#### 2.3.3. Practical Applications of Extension Fields

1. **Error Detection and Correction**:
   - Finite fields are fundamental in coding theory. Reed-Solomon codes, for example, use extension fields ($GF(2^8)$) to encode data such that it can be transmitted over noisy channels and corrected if errors occur.
   - BCH codes, another class of error-correcting codes, also use extension fields for constructing codes with specific properties.

2. **Cryptography**:
   - Many cryptographic algorithms rely on the arithmetic of finite fields. For instance, elliptic curve cryptography (ECC) often uses fields like $GF(2^n)$ or $GF(p)$.
   - Fields like $GF(2^{128})$ are used for constructing secure cryptographic primitives that provide a high level of security with efficient computation.

3. **Digital Communications**:
   - Finite fields are used in modulation schemes and other aspects of digital communications to ensure that signals can be transmitted and decoded accurately.
   - Fields like $GF(4)$ and $GF(16)$ are used in certain modulation techniques such as Quadrature Amplitude Modulation (QAM).

4. **Computer Science**:
   - Finite fields play a critical role in hash functions, error detection algorithms (e.g., CRCs), and other fundamental algorithms in computer science.


**Conclusion**

Extending fields to have more elements, such as $GF(3)$, $GF(4)$, $GF(2^8)$, and so on, enables the application of advanced mathematical concepts in practical fields like error correction, cryptography, and digital communications. These larger fields provide the necessary algebraic structures to design robust, efficient, and secure systems. The ability to work in various finite fields is a powerful tool that underpins many modern technological advancements.

## 3. Symmetric vs. Asymmetric Cryptography

*Asymmetric*, i.e., *public-key*, algorithms are very different from *symmetric* algorithms such as *AES(Advanced Encryption Standard)* or *DES(Data Encryption Standard)*. Most public-key algorithms are based on number-theoretic functions. This is quite different from symmetric ciphers, where the goal is usually not to have a compact mathematical description between input and output. Even though mathematical structures are often used for small blocks within symmetric ciphers, for instance, in the AES S-Box, this does not mean that the entire cipher forms a compact mathematical description.

### 3.1. Symmetric Cryptography

In order to understand the principle of symmetric cryptography, let us first recall the basic symmetric encryption scheme in Fig. 3.1.

>![Alt text](./data/Principle-of-symmetric-key-encryption.png)

>Fig. 3.1 Principle of symmetric-key encryption

Such a system is symmetric with respect to two properties:

1. The same secret key is used for encryption and decryption.
2. The encryption and decryption function are very similar (in the case of DES they are essentially identical).

There is a simple analogy for symmetric cryptography, as shown in Fig. 3.2. Assume there is a safe with a strong lock. Only Alice and Bob have a copy of the key for the lock. The action of encrypting of a message can be viewed as putting the message in the safe. In order to read, i.e., decrypt, the message, Bob uses his key and opens the safe.

>![Alt text](./data/Analogy-for-symmetric-encryption-a-safe-with-one-lock.png)

>Fig. 3.2 Analogy for symmetric encryption a safe with one lock

Modern symmetric algorithms such as AES or 3DES are very secure, fast and are in widespread use. However, there are several shortcomings associated with symmetric-key schemes, as discussed below.

1. **Key Distribution Problem:** The key must be established between Alice and Bob using a secure channel. Remember that the communication link for the message is not secure, so sending the key over the channel directly - which would be the most convenient way of transporting it - can’t be done.
2. **Number of Keys:** Even if we solve the key distribution problem, we must potentially deal with a very large number of keys. If each pair of users needs a separate pair of keys in a network with *n* users, there are $\frac{n \cdot (n - 1)}{2}$ key pairs, and every user has to store n−1 keys securely. Even for mid-size networks, say, a corporation with 2000 people, this requires more than 4 million key pairs that must be generated and transported via secure channels.
3. **No Protection Against Cheating by Alice or Bob:** Alice and Bob have the same capabilities, since they possess the same key. As a consequence, symmetric cryptography cannot be used for applications where we would like to prevent cheating by either Alice or Bob as opposed to cheating by an outsider like Oscar. For instance, in e-commerce applications it is often important to prove that Alice actually sent a certain message, say, an online order for a flat screen TV. If we only use symmetric cryptography and Alice changes her mind later, she can always claim that Bob, the vendor, has falsely generated the electronic purchase order. Preventing this is called *nonrepudiation* and can be achieved with asymmetric cryptography. Digital signatures provide nonrepudiation.

#### 3.1.1. Advantages and Disadvantages

**Advantages**:
- **Speed**: Faster encryption and decryption compared to asymmetric methods.
- **Efficiency**: Suitable for encrypting large volumes of data.

**Disadvantages**:
- **Key Distribution**: The main challenge is securely distributing and managing the secret key between parties.
- **Scalability**: As the number of participants grows, the number of required unique keys increases exponentially.

#### 3.1.2. Common Symmetric Encryption Algorithms

- **AES (Advanced Encryption Standard)**: Widely used in various applications for secure data encryption. AES supports key sizes of 128, 192, and 256 bits.
- **DES (Data Encryption Standard)**: An older encryption standard with a 56-bit key size. It has largely been replaced by AES due to security concerns.
- **3DES (Triple DES)**: An enhancement of DES that applies the DES algorithm three times to each data block, effectively increasing security.
- **Blowfish**: Known for its speed and effectiveness, with a variable key length from 32 to 448 bits.
- **RC4**: A stream cipher that is simple and fast, but with known vulnerabilities making it less secure than other algorithms.



### 3.2. Asymmetric Cryptography

In order to overcome the drawbacks of the *Symmetric Cryptography*, Diffie, Hellman and Merkle had a revolutionary proposal based on the following idea: It is not necessary that the key possessed by the person who *encrypts* the message (that’s Alice in our example) is secret. The crucial part is that Bob, the receiver, can only *decrypt* using a secret key. In order to realize such a system, Bob publishes a public encryption key which is known to everyone. Bob also has a matching secret key, which is used for decryption. Thus, Bob’s key *k* consists of two parts, a public part, *kpub*, and a private one, *kpr*.

>![Alt text](./data/Analogy-for-public-key-encryption.png)

>Fig. 3.3 Analogy for public-key encryption: a safe with public lock for depositing a message and a secret lock for retrieving a message

A simple analogy of such a system is shown in Fig. 3.3. This systems works quite similarly to the good old mailbox on the corner of a street: Everyone can put a letter in the box, i.e., *encrypt*, but only a person with a *private (secret)* key can retrieve letters, i.e., *decrypt*. If we assume we have cryptosystems with such a functionality, a basic protocol for public-key encryption looks as shown in Fig. 3.4.

>![Alt text](./data/Basic-protocol-for-public-key-encryption.png)

>Fig. 3.4 Basic protocol for public-key encryption

By looking at that protocol you might argue that even though we can encrypt a message without a secret channel for key establishment, we still cannot exchange a key if we want to encrypt with, say, AES. However, the protocol can easily be modified for this use. What we have to do is to *encrypt a symmetric key*, e.g., an AES key, using the *public-key* algorithm. Once the symmetric key has been decrypted by Bob, both parties can use it to encrypt and decrypt messages using symmetric ciphers. Figure 3.5 shows a basic key transport protocol where we use AES as the symmetric cipher for illustration purposes (of course, one can use any other symmetric algorithm in such a protocol). The main advantage of the protocol in Fig. 3.5 over the protocol in Fig. 3.4 is that the payload is encrypted with a symmetric cipher, which tends to be much faster than an asymmetric algorithm.

>![Alt text](./data/Basic-key-transport-protocol-with-AES-as-symmetric-cipher.png)

>Fig. 3.5 Basic key transport protocol with AES as an example of a symmetric cipher

The *public-key* algorithms are all built from one common principle, the **one-way function**. The informal definition of it is as follows:

>Definition: **One-way function**

>A function $f()$ is a one-way function if:
>1. $y = f (x)$ *is computationally easy, and*
>2. $x = f^{−1}(y)$ *is computationally infeasible*.

Obviously, the adjectives “easy” and “infeasible” are not particularly exact. In mathematical terms, a function is easy to compute if it can be *evaluated in polynomial time*, i.e., its running time is a polynomial expression. In order to be useful in practical crypto schemes, the computation $y = f (x)$ should be sufficiently fast that it does not lead to unacceptably slow execution times in an application. The inverse computation $x = f^{−1}(y)$ should be so computationally intensive that it is not feasible to evaluate it in any reasonable time period, say, 10,000 years, when using the best known algorithm.
There are two popular one-way functions which are used in practical public-key schemes:
 1. The first is the **integer factorization problem**, on which *RSA(Rivest–Shamir–Adleman)* is based. Given two large primes, it is easy to compute the product. However, it is very difficult to factor the resulting product. In fact, if each of the primes has 150 or more decimal digits, the resulting product cannot be factored, even with thousands of PCs running for many years.
2. The other *one-way function* that is used widely is the **discrete logarithm problem**.

## 4. Example of Symmetric Encryption

### 4.1. One-Time Pad (OTP) for One-Bit Messages

#### 4.1.1 Definition

Encrypting *one-bit* messages can be done using various methods, with the simplest and most secure being the *One-Time Pad (OTP)* approach in the context of *symmetric encryption*. 

The One-Time Pad provides a straightforward and theoretically secure method to encrypt and decrypt *one-bit* messages using *XOR* operations. The key must be random and used only once to ensure *perfect secrecy*. This method highlights the simplicity and effectiveness of symmetric encryption for very small messages.

*Perfect secrecy* is a concept in cryptography that ensures that a message encrypted with a cipher cannot be deciphered by an eavesdropper, no matter how much computational power they have, as long as certain conditions are met. This concept was formalized by Claude Shannon in 1949.

*Perfect secrecy* is achieved when the ciphertext (the encrypted message) provides no additional information about the plaintext (the original message) to an eavesdropper. Mathematically, this means that the probability distribution of the plaintext remains unchanged, even after observing the ciphertext. In other words, knowing the ciphertext does not help an eavesdropper in determining what the plaintext is.

**One-Time Pad for One-Bit Messages**:

1. **Key Generation**: Generate a random one-bit key (either 0 or 1).
2. **Encryption**: XOR the one-bit message with the one-bit key.
3. **Decryption**: XOR the ciphertext with the same one-bit key to retrieve the original message.



**Security Considerations**

- **Key Length**: For perfect security, the key must be truly random and used only once (hence the name One-Time Pad).
- **Key Distribution**: The key must be securely shared between the sender and the receiver. For one-bit messages, this is trivial, but for larger-scale communication, key distribution can be challenging.


#### 4.1.2 Implementation in Python - Encryption and Decryption Functions

In [34]:
import random

def generate_one_bit_key():
    """Generate a random one-bit key (0 or 1)."""
    return random.randint(0, 1)

def encrypt_one_bit_message(message, key):
    """Encrypt a one-bit message using the one-time pad."""
    return message ^ key

def decrypt_one_bit_message(ciphertext, key):
    """Decrypt a one-bit message using the one-time pad."""
    return ciphertext ^ key


In [35]:
# Example usage

# One-bit message (0 or 1)
message = 1  # Let's assume the message is '1'
key = generate_one_bit_key()
print(f"Key: {key}")

# Encryption
ciphertext = encrypt_one_bit_message(message, key)
print(f"Ciphertext: {ciphertext}")

# Decryption
decrypted_message = decrypt_one_bit_message(ciphertext, key)
print(f"Decrypted Message: {decrypted_message}")

# Verify correctness
assert message == decrypted_message, "Decryption failed!"

Key: 0
Ciphertext: 1
Decrypted Message: 1


**Explanation of the Example*:*

1. **Key Generation**:
   - The `generate_one_bit_key` function generates a random one-bit key (either 0 or 1).

2. **Encryption**:
   - The `encrypt_one_bit_message` function takes a one-bit message and a one-bit key and XORs them to produce the ciphertext.

3. **Decryption**:
   - The `decrypt_one_bit_message` function takes the ciphertext and the same one-bit key and XORs them to retrieve the original message.



### 4.2. Extension one-bit encryption system to many bits

#### 4.2.1 Definition

To extend the one-bit encryption system to many bits, you can use the same principles of the One-Time Pad (OTP) applied to a longer sequence of bits. The OTP is a symmetric encryption method that can be scaled to any length of message, provided that the key is of equal length to the message, truly random, and used only once. Here’s how you can implement it for multi-bit messages:

**One-Time Pad for Multi-Bit Messages**
1. **Key Generation**: Generate a key that is truly random and as long as the message.
2. **Encryption**: XOR each bit of the plaintext message with the corresponding bit of the key.
3. **Decryption**: XOR each bit of the ciphertext with the corresponding bit of the same key to retrieve the original plaintext.


**Key Characteristics of One-Time Pad**

1. **Key Length**: The key must be as long as the message. This ensures that each bit or character of the plaintext has a corresponding bit or character in the key.
2. **Randomness**: The key must be truly random. Pseudorandom keys can potentially be predicted, compromising security.
3. **Key Usage**: The key must be used only once. Reusing the key for different messages destroys the security and makes the encryption vulnerable to cryptanalysis.
4. **Secrecy**: The key must be kept completely secret between the sender and the receiver. If an adversary gains access to the key, the security is compromised.



**Mathematical Representation**

If $P$ is the plaintext, $K$ is the key, and $C$ is the ciphertext, the encryption and decryption can be represented as:
- Encryption: $C = P \oplus K$
- Decryption: $P = C \oplus K$

Where $\oplus$ denotes the XOR operation.

**Example**

Let's consider a simple example with binary messages:
To encrypt:
1. **Plaintext (P)**: `1101`
2. **Key (K)**: `1010`
3. **Ciphertext $C = P \oplus K$**:
   - `1101` XOR `1010` = `0111`

To decrypt:
- **Plaintext $P = C \oplus K$**:
   - `0111` XOR `1010` = `1101`

**Advantages**:
- **Perfect Secrecy**: If used correctly, the OTP provides perfect secrecy, meaning the ciphertext gives no information about the plaintext without the key.
- **Simplicity**: The algorithm is simple to understand and implement.

**Disadvantages**:
- **Key Management**: Generating, distributing, and securely storing the key are significant challenges, especially for long messages.
- **Practicality**: The requirement for the key to be as long as the message makes it impractical for many applications, especially for large-scale communication.

**Conclusion**

By applying the XOR operation to each bit of a multi-bit message with a corresponding bit of a randomly generated key of the same length, you can extend the one-bit encryption system to many bits. This implementation maintains the properties of the One-Time Pad, ensuring perfect secrecy as long as the key is truly random, of equal length to the message, and used only once.
The One-Time Pad is a theoretically unbreakable encryption method if all its conditions are met. However, the practical difficulties in key management and distribution limit its use to special scenarios where the utmost security is required and key management is feasible, such as secure diplomatic communications or espionage.

#### 4.2.2. Implementation in Python: Key Generation, Encryption and Decryption Functions

In [36]:
import os

def generate_key(length):
    """Generate a random key of specified length in bytes."""
    return os.urandom(length)

def xor_bytes(a, b):
    """XOR two byte strings of the same length."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(message, key):
    """Encrypt the message with the key using XOR."""
    return xor_bytes(message, key)

def decrypt(ciphertext, key):
    """Decrypt the ciphertext with the key using XOR."""
    return xor_bytes(ciphertext, key)

In [37]:
# Example usage

# Multi-bit message (byte string)
message = b'HELLO WORLD'
key = generate_key(len(message))
print("key:", key)

# Encryption
ciphertext = encrypt(message, key)
print("Ciphertext:", ciphertext)

# Decryption
decrypted_message = decrypt(ciphertext, key)
print("Decrypted Message:", decrypted_message)

# Verify correctness
assert message == decrypted_message, "Decryption failed!"

key: b'\xd9\xd1\xfd\x0b\x1bN\\\xcf\xffP\xb4'
Ciphertext: b'\x91\x94\xb1GTn\x0b\x80\xad\x1c\xf0'
Decrypted Message: b'HELLO WORLD'


**Explanation of the Example**

1. **Key Generation**:
   - The `generate_key` function generates a random key of the specified length (in bytes). The length of the key should be the same as the length of the message.

2. **Encryption**:
   - The `encrypt` function takes a multi-bit message and a key, both as byte strings, and XORs them to produce the ciphertext.

3. **Decryption**:
   - The `decrypt` function takes the ciphertext and the same key, both as byte strings, and XORs them to retrieve the original message.

#### 4.2.3. Test Cases

In [38]:
# Test Case 1: Basic Message

message = b'HELLO WORLD'
key = generate_key(len(message))

# Encryption
ciphertext = encrypt(message, key)
print("Ciphertext:", ciphertext)

# Decryption
decrypted_message = decrypt(ciphertext, key)
print("Decrypted Message:", decrypted_message)
assert message == decrypted_message, "Decryption failed!"

Ciphertext: b'\x9eqN\x0b\x91\x05\xbe\xdem\x89\x80'
Decrypted Message: b'HELLO WORLD'


In [39]:
# Test Case 2: Different Message

message = b'CRYPTOGRAPHY'
key = generate_key(len(message))

# Encryption
ciphertext = encrypt(message, key)
print("Ciphertext:", ciphertext)

# Decryption
decrypted_message = decrypt(ciphertext, key)
print("Decrypted Message:", decrypted_message)
assert message == decrypted_message, "Decryption failed!"

Ciphertext: b'\x81\xc4z\xdc\x9f\x98\xe1\x90\xe21\xc6\xd3'
Decrypted Message: b'CRYPTOGRAPHY'


In [40]:
# Test Case 3: Empty Message

message = b''
key = generate_key(len(message))

# Encryption
ciphertext = encrypt(message, key)
print("Ciphertext:", ciphertext)

# Decryption
decrypted_message = decrypt(ciphertext, key)
print("Decrypted Message:", decrypted_message)
assert message == decrypted_message, "Decryption failed!"

Ciphertext: b''
Decrypted Message: b''


### 4.3. AES (Advanced Encryption Standard)

#### 4.3.1. Definition

The AES cipher is almost identical to the block cipher Rijndael. The Rijndael block and key size vary between 128, 192 and 256 bits. However, the AES standard only calls for a block size of 128 bits. Hence, only Rijndael with a block length of 128 bits is known as the AES algorithm. We will only discuss the standard version of Rijndael with a block length of 128 bits.

>![Alt text](./data/AES-input-output-parameters.png)

>Fig. 4.2.1 AES input/output parameters

Three key lengths must be supported by Rijndael as this was an NIST design requirement. The number of internal rounds of the cipher is a function of the key length according to Table 4.2.1.

  key lengths   | # rounds = $n_r$ |
----------------|------------------|
 128 bit        | 10               |
 192 bit        | 12               |
 256 bit        | 14               |

Table 4.2.1. Key lengths and number of rounds for AES

In contrast to DES, AES does not have a Feistel structure. Feistel networks do not encrypt an entire block per iteration, e.g., in DES, 64/2 = 32 bits are encrypted in one round. AES, on the other hand, encrypts all 128 bits in one iteration. This is one reason why it has a comparably small number of rounds.

AES consists of so-called *layers*. Each layer manipulates *all 128 bits* of the data path. The data path is also referred to as the state of the algorithm. There are only three different types of layers. Each round, with the exception of the first, consists of all three layers as shown in Fig. 4.2.1: 
- the plaintext is denoted as $x$, 
- the ciphertext as $y$ and 
- the number of rounds as $n_r$. 
Moreover, the last round $n_r$ does not make use of the *MixColumn transformation*, which makes the encryption and decryption scheme symmetric.

Brief description of the layers:
1. **Key Addition layer**: A 128-bit round key, or subkey, which has been derived from the main key in the key schedule, is XORed to the state.
2. **Byte Substitution layer (S-Box):** Each element of the state is nonlinearly transformed using lookup tables with special mathematical properties. This introduces *confusion* to the data, i.e., it assures that changes in individual state bits propagate quickly across the data path.
3. **Diffusion layer:** It provides diffusion over all state bits. It consists of two sublayers, both of which perform linear operations:
- The **ShiftRows layer** permutes the data on a byte level.
- The **MixColumn layer** is a matrix operation which combines (mixes) blocks of four bytes.

Similar to DES, the key schedule computes round keys, or subkeys, $(k_0,k_1, \dots ,k_{n_r})$ from the original AES key.
*Galois field computations* are needed for all operations within the AES layers.

>![Alt text](./data/AES-encryption-block-diagram.png)

>Fig. 4.2 AES encryption block diagram

#### 4.3.2. AES implementation in Python

Here's a simple example of using the AES algorithm from the **pycryptodome** library in Python.

In [41]:
# In order to run this code you have to install 'pycryptodome' locally:
# - https://github.com/conda-forge/pycryptodome-feedstock
#
# 1. conda config --add channels conda-forge
# 2. conda config --set channel_priority strict
# 3. conda install pycryptodome

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

def pad(data):
    """Pad data to be a multiple of AES block size (16 bytes)."""
    padding_length = AES.block_size - len(data) % AES.block_size
    return data + bytes([padding_length]) * padding_length

def unpad(data):
    """Remove padding from data."""
    return data[:-data[-1]]

def encrypt(plaintext, key):
    """Encrypt plaintext using AES."""
    cipher = AES.new(key, AES.MODE_CBC)
    ciphertext = cipher.iv + cipher.encrypt(pad(plaintext))
    return ciphertext

def decrypt(ciphertext, key):
    """Decrypt ciphertext using AES."""
    iv = ciphertext[:AES.block_size]
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = unpad(cipher.decrypt(ciphertext[AES.block_size:]))
    return plaintext

In [42]:
# Example usage

key = get_random_bytes(16) # AES key must be 16, 24, or 32 bytes long
print("key: ", key)
plaintext = b"Secret Message"
ciphertext = encrypt(plaintext, key)
print("Ciphertext:", ciphertext)

decrypted_message = decrypt(ciphertext, key)
print("Decrypted Message:", decrypted_message)

# Verify correctness
assert plaintext == decrypted_message, "Decryption failed!"

key:  b'>\xf5\x92\x8bS`\xdc\x8b\xeb\xec\xd5\xf1\xbe\x82\x18\xc2'
Ciphertext: b'\xba\xbbA\xa8\xab\xd7\xb9\xa8CNL\xcf\xfc\xb2\xca\xbf=\x88{\xd7\x84\xe1\xca\x89\xf3\xf2\xdb4{\xdd\x05\xf6'
Decrypted Message: b'Secret Message'


#### 4.3.3. AES implementation in Java

The following is an example of a Java implementation of AES. The library implements AES with *Galois/Counter Mode (GCM)*, which is a mode of operation for *symmetric key cryptographic block ciphers* that has been widely adopted because of its efficiency and performance.

Every encryption produces a new `12 byte` random *Initialization Vector (IV)* because the security of GCM depends on choosing a unique initialization vector for every encryption performed with the same key [3].

`128, 192 or 256 bit` keys are allowed.

The `iv`, `encrypted content` and `auth tag` will be encoded to the following format:
>**out** = byte[] {x y y y y y y y y y y y y z z z ...}
>
>**x = IV** length as byte
>
>**y = IV** bytes
>
>**z = content bytes** (encrypted content, auth tag)


##### 4.3.3.1. Configuration

You **must** provide an encryption key! The encryption key must be a `16, 24 or 32 byte array`. Afterwards the byte array must be converted to `Base64-String`.

There are two options to generate such key:
1. You can use the following `shell` script. E.g. for generating of a 256 bit (32 byte) encryption key:
```shell
    #!/bin/sh
    
    echo "Generating a 256 bit (32 byte) key. The key will be Bas64 encoded."
    echo
    echo -n "The entropy available on this system is: "
    head -c -1 -q /proc/sys/kernel/random/entropy_avail
    echo "."
    echo "If the entopy is too low this might take a while. In that case try to move the cursor around to create more entropy."
    echo
    echo -n "The key is: "
    dd if=/dev/random bs=32 count=1 status=none | base64
 ```

2. You can use the following `java` code to generate a 256 bit (32 byte) encryption key:
```java
 public String generate256BitRandomKey() {
     byte[] bytesArr = new byte[32];
     SecureRandom secureRandom = new SecureRandom();
     secureRandom.nextBytes(bytesArr);
     
     // Encode the randomKey to Base64-String
     return Base64.getEncoder().encodeToString(bytesArr);
 }
 ```

##### 4.3.3.2. Implementation

```java
package com.aesencryption.crypt;

import jakarta.annotation.PostConstruct;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

/**
 * Implements AES (Advanced Encryption Standard) with Galois/Counter Mode (GCM), which is a mode of
 * operation for symmetric key cryptographic block ciphers that has been widely adopted because of
 * its efficiency and performance.
 * <p>
 * Every encryption produces a new 12 byte random Initialization Vector (IV) (see
 * http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf) because the
 * security of GCM depends choosing a unique initialization vector for every encryption performed
 * with the same key.
 * <p>
 * The iv, encrypted content and auth tag will be encoded to the following format:
 * <p>
 * out = byte[] {x y y y y y y y y y y y y z z z ...}
 * <p>
 * x = IV length as byte y = IV bytes z = content bytes (encrypted content, auth tag)
 * <p>
 * The library accepts 128, 192 or 256 bit keys
 */
@Service
public class CryptService {

  public static final String CRYPT_PREFIX = "$[[aescrypt]]$";

  private static final String ALGORITHM = "AES/GCM/NoPadding";
  private static final int TAG_LENGTH_BIT = 128;
  private static final int IV_LENGTH_BYTE = 12;

  private final ThreadLocal<Cipher> cipherWrapper = new ThreadLocal<>();
  private final SecureRandom secureRandom = new SecureRandom();
  private SecretKey secretKey;

  public CryptService() {
  }

  @PostConstruct
  public void initializeSecretKey() throws Exception {
    String key = generate128BitRandomKey();

    if (key == null || key.isBlank()) {
      throw new Exception("Encryption Key is missing!");
    }

    byte[] encryptionKey;

    try {
      // Convert Base64-String to byte[]
      encryptionKey = Base64.getDecoder().decode(key);
    } catch (Exception e) {
      throw new Exception("Encryption Key must be a valid Base64-String");
    }

    if (encryptionKey.length != 16 && encryptionKey.length != 24 && encryptionKey.length != 32) {
      throw new Exception("Encryption Key length must be 16, 24 or 32 bytes");
    }

    secretKey = new SecretKeySpec(encryptionKey, "AES");
  }

  public String encryptStringData(String dataToEncrypt) throws Exception {
    return encryptStringData(dataToEncrypt, null);
  }

  public String encryptStringData(String dataToEncrypt, String associatedDataStr)
      throws Exception {

    if (dataToEncrypt == null || dataToEncrypt.isBlank()) {
      throw new Exception(
          "The received data to encrypt is invalid - the data is null or empty");
    }

    byte[] dataToEncryptBytes = dataToEncrypt.getBytes(StandardCharsets.UTF_8);
    byte[] associatedDataBytes =
        associatedDataStr != null ? associatedDataStr.getBytes(StandardCharsets.UTF_8) : null;

    return encryptBytesData(dataToEncryptBytes, associatedDataBytes);
  }

  private String encryptBytesData(byte[] dataToEncrypt, byte[] associatedData) throws Exception {

    if (dataToEncrypt == null || dataToEncrypt.length == 0) {
      throw new Exception(
          "The received data is invalid - the data to encrypt is null or empty");
    }

    byte[] iv = null;
    byte[] encrypted = null;

    try {
      //Create an Initialization Vector (IV)
      iv = new byte[IV_LENGTH_BYTE]; // Never reuse this IV with the same key

      // Populate the IV with random values
      secureRandom.nextBytes(iv);

      // Create new Cipher instance. We are using the AED-GCM mode
      final Cipher cipher = getCipher();

      // Constructs a GCMParameterSpec using the specified authentication tag bit-length and IV buffer
      GCMParameterSpec parameterSpec = new GCMParameterSpec(TAG_LENGTH_BIT, iv);

      // Initialize the cipher with a key and a set of algorithm parameters.
      cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameterSpec);

      // Add optional associatedData to the authentication tag (for instance meta data)
      if (associatedData != null) {
        cipher.updateAAD(associatedData);
      }

      // Encrypt the dataToEncrypt
      encrypted = cipher.doFinal(dataToEncrypt);

      ByteBuffer byteBuffer = ByteBuffer.allocate(1 + iv.length + encrypted.length);
      byteBuffer.put((byte) iv.length);
      byteBuffer.put(iv);
      byteBuffer.put(encrypted);
      byte[] cipherMessage = byteBuffer.array();

      // Encode the cipherMessage to Base64-String and prepend with the CRYPT_PREFIX
      return CRYPT_PREFIX + Base64.getEncoder().encodeToString(cipherMessage);

    } catch (Exception exc) {
      throw new Exception("Could not encrypt the data", exc);
    } finally {
      Arrays.fill(iv, (byte) 0);

      if (encrypted != null) {
        Arrays.fill(encrypted, (byte) 0);
      }
    }
  }

  public String decryptBase64StringData(String dataToDecryptB64) throws Exception {
    return decryptBase64StringData(dataToDecryptB64, null);
  }

  public String decryptBase64StringData(String dataToDecryptB64, String associatedDataStr)
      throws Exception {

    if (dataToDecryptB64 == null || dataToDecryptB64.isBlank()) {
      throw new Exception(
          "The received data to decrypt is invalid - the data is null or empty");
    }

    // If the input data (dataToDecryptB64) is not prefixed with the 'CRYPT_PREFIX', then the input data
    // will be returned without decryption
    if (!dataToDecryptB64.startsWith(CRYPT_PREFIX)) {
      return dataToDecryptB64;
    }

    String dataToDecryptWithoutPrefix = dataToDecryptB64.substring(CRYPT_PREFIX.length());

    // Convert Base64-String to byte[]
    byte[] cipherMessageByteArr = Base64.getDecoder().decode(dataToDecryptWithoutPrefix);
    byte[] associatedDataBytes =
        associatedDataStr != null ? associatedDataStr.getBytes(StandardCharsets.UTF_8) : null;

    return decryptBytesData(cipherMessageByteArr, associatedDataBytes);
  }

  private String decryptBytesData(byte[] dataToDecryptBytes, byte[] associatedData)
      throws Exception {

    if (dataToDecryptBytes == null || dataToDecryptBytes.length == 0) {
      throw new Exception(
          "The received data to decrypt is invalid - the data is null or empty");
    }

    try {
      int initialOffset = 1;
      int ivLength = dataToDecryptBytes[0];

      if (ivLength != 12) {
        throw new Exception("Unexpected Initialization Vector length");
      }

      final Cipher cipher = getCipher();

      AlgorithmParameterSpec gcmIv = new GCMParameterSpec(TAG_LENGTH_BIT, dataToDecryptBytes,
          initialOffset, ivLength);

      cipher.init(Cipher.DECRYPT_MODE, secretKey, gcmIv);

      if (associatedData != null) {
        cipher.updateAAD(associatedData);
      }

      // Use everything from (initialOffset + ivLength) bytes on as ciphertext
      byte[] decryptedDataByteArr = cipher
          .doFinal(dataToDecryptBytes, initialOffset + ivLength,
              dataToDecryptBytes.length - (initialOffset + ivLength));

      return new String(decryptedDataByteArr, StandardCharsets.UTF_8);

    } catch (Exception exc) {
      throw new Exception("Could not decrypt the data", exc);
    }
  }

  public String generate128BitRandomKey() {
    byte[] bytesArr = new byte[16];
    SecureRandom secureRandom = new SecureRandom();
    secureRandom.nextBytes(bytesArr);

    // Encode the randomKey to Base64-String
    return Base64.getEncoder().encodeToString(bytesArr);
  }

  private Cipher getCipher() throws Exception {
    Cipher cipher = cipherWrapper.get();
    if (cipher == null) {
      try {
        cipher = Cipher.getInstance(ALGORITHM);
      } catch (Exception e) {
        throw new Exception("Could not get cipher instance", e);
      }
      cipherWrapper.set(cipher);
      return cipherWrapper.get();
    } else {
      return cipher;
    }
  }
}
```

## 5. Applications of encryption over GF(2)

Encryption over  $GF(2)$ (Galois Field of two elements) is widely used in various enterprise-grade applications, especially due to its alignment with binary systems, which are fundamental to digital computers. Here are some notable applications:
1. **Error Correction Codes**
- **Reed-Solomon Codes**: Used in data storage systems like CDs, DVDs, and Blu-ray discs, as well as in data transmission technologies such as satellite communications and QR codes. Reed-Solomon codes are based on $GF(2^m)$, which is an extension of $GF(2)$.
- **Hamming Codes**: Employed in computer memory (RAM) to detect and correct errors. Hamming codes work directly with binary data and use $GF(2)$ arithmetic.

2. **Cryptographic Algorithms**
- **AES (Advanced Encryption Standard)**: While AES operates over $GF(2^8)$, it heavily relies on finite field arithmetic, including operations in $GF(2)$. The S-box, a fundamental component of AES, is constructed using the inverse in $GF(2^8)$.
- **Stream Ciphers**: Algorithms like A5/1 used in GSM mobile communication use linear feedback shift registers (LFSRs) which are based on $GF(2)$ arithmetic.

3. **Hash Functions**
- **SHA (Secure Hash Algorithm)**: Although SHA functions do not directly operate over $GF(2)$, they use binary operations extensively, which can be considered as operations in $GF(2)$. This is particularly true for bitwise operations like AND, OR, XOR, and bitwise rotations.

4. **Digital Signatures and Authentication**
- **Elliptic Curve Cryptography (ECC)**: ECC relies on the arithmetic of elliptic curves over finite fields, including $GF(2^m)$. This is particularly used in secure communications for mobile devices and SSL/TLS for web security.
- **HMAC (Hash-based Message Authentication Code)**: Used in various security protocols, such as SSL/TLS, IPsec, and others, to verify data integrity and authenticity.

5. **Data Compression**
- **LZ77 and LZ78 Algorithms**: These algorithms are the basis for many data compression techniques, including gzip and PNG file formats. While not directly operating over $GF(2)$, these algorithms benefit from binary arithmetic and bitwise operations.

6. **Network Security**
- **VPNs (Virtual Private Networks)**: Use encryption algorithms like AES which rely on $GF(2^8)$ arithmetic for securing data transmission over the internet.
- **SSL/TLS**: Secure Socket Layer and Transport Layer Security protocols use cryptographic algorithms that operate over finite fields, including $GF(2^m)$.

7. **Secure Storage**
- **Disk Encryption**: Tools like BitLocker and FileVault use AES for encrypting data stored on hard drives and SSDs. These systems rely on the underlying finite field arithmetic for their cryptographic operations.

8. **Blockchain and Cryptocurrencies**
- **Bitcoin and Other Cryptocurrencies**: Use ECC over $GF(2^m)$ for secure key generation and transaction validation.
- **Blockchain Technologies**: Employ various cryptographic techniques that use finite field arithmetic to ensure the integrity and security of the ledger.

These applications highlight the pervasive use of $GF(2)$ arithmetic in modern cryptographic and error-correction systems, ensuring data security, integrity, and efficiency across a wide range of enterprise-grade technologies.

## References

[1] Paar, C., & Pelzl, J. (2011). *Understanding cryptography: A Textbook for Students and Practitioners*. Springer. ISBN 978-3-642-04100-6

[2] Socratica. (2013). *Abstract Algebra: The definition of a Field*. YouTube. https://www.youtube.com/watch?v=bjp4nF8TW7s

[3] Socratica. (2018). *Field Definition (expanded) - Abstract Algebra*. YouTube. https://www.youtube.com/watch?v=KCSZ4QhOw0I

[4] The very basics of groups, rings, and fields. In Math 152, Spring 2006. https://www-users.cse.umn.edu/~brubaker/docs/152/152groups.pdf

[5] Intro to Prime Fields - galois. (2024). https://galois.readthedocs.io/en/v0.3.9/tutorials/intro-to-prime-fields/

[6] Intro to Extension Fields - galois. (2024). https://galois.readthedocs.io/en/v0.3.9/tutorials/intro-to-extension-fields/

[7] Dworkin, M. & National Institute of Standards and Technology. (2007). Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. In NIST Special Publication 800-38D. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38d.pdf