
I'm factoring polynomials in $GF(2^8)$ with modulo polynomial $m = 2^8 + 2^4 + 2^3 + 2^1 + 2^0$

In particular, I factored

a = 0x49 = $2^6 + 2^3 + 2^0 = 2^1 * (2^1 + 2^0)^6 * (2^2 + 2^1 + 2^0) * (2^4 + 2^1 + 2^0) * (2^3 + 2^1 + 2^0) \bmod{m}$

b = 0x64 = $2^6 + 2^5 + 2^2 = (2^1)^3 * (2^1 + 2^0) * (2^3 + 2^1 + 2^0) * (2^3 + 2^2 + 2^0) \bmod{m}$

These numbers are multiplicative inverses, and I can calculate directly using long division that $ab\bmod{m} = 2^0$.

I assume GCD should also be $1$, i.e. $2^0$.

Now I want to calculate GCD using just factored irreducible polynomials.

I know that for integers the GCD equals the product of the prime numbers (including their powers) present in both factorizations; does it still hold here?

$gcd = 2^1 * (2^1 + 2^0) * (2^3 + 2^1 + 2^0) \bmod{m} = 2^5 + 2^4 + 2^3 + 2^1$

Can anyone please tell me where I am mistaken?

Thank you!

alikim
  • $GF(2^8)$ is a field, so the concept of a GCD is kinda pointless. In other words, every non-zero element evenly divides every other. Or, $\gcd(x,y)=1$ unless $x=y=0$. For the same reason the concept of an irreducible element of $GF(2^8)$ is strange. All the non-zero elements are units. – Jyrki Lahtonen Aug 28 '17 at 04:17
    A remark to any casual observer: The OP is using a "common" (among programmers) notation, where $2^k, k=0,1,\ldots,7,$ is shorthand for the coset of $x^k$ in the quotient ring $\Bbb{F}_2[x]/\langle m(x)\rangle$, where $m(x)=x^8+x^4+x^3+x+1\in\Bbb{F}_2[x]$. $GF(2)=\Bbb{F}_2$. This comes from the fact that in a computer it is very efficient to store such cosets as bit fields. For example, addition becomes just bitwise $XOR$. – Jyrki Lahtonen Aug 28 '17 at 04:30
  • Multiplicative inverses in this field are normally calculated using Extended Euclidean Algorithm which does compute GCD, so how can it be pointless or always equal one? – alikim Aug 28 '17 at 04:41
  • Basically: there exists an element $c\in GF(2^8)$ such that $a=bc$, so $b$ is a factor of $a$. There also exists an element $d\in GF(2^8)$ such that $b=da$, so $a$ is also a factor of $b$. Also $a$ and $b$ are both factors of $2^0$. – Jyrki Lahtonen Aug 28 '17 at 04:41
  • That instance of extended Euclidean algorithm runs in the ring $GF(2)[x]$. In other words, it treats $m$ as a polynomial of degree eight. In the field $GF(2^8)$ we have $m=0$ (because everything is then done modulo $m$). This is the same in usual modular arithmetic of integers. For example, when finding the modular inverse of $3$ modulo the prime number $17$, you run the extended Euclid, and find that $6$ is the inverse of $3$, because $3\cdot6-1\cdot17=1$ in the ring of integers. So $3\cdot6=1$ in the field $\Bbb{Z}_{17}$. – Jyrki Lahtonen Aug 28 '17 at 04:48
  • When finding the inverse of $a$ in $GF(2^8)$ you temporarily view $a$ as a polynomial so that you can run the extended Euclid. But here both $a$ and $b$ are elements of $GF(2^8)$ and no longer polynomials (because they are viewed modulo $m$). This shift of perspective may be what is confusing you. To continue with that modular example. In the field $\Bbb{Z}_{17}$ it does not really make sense to say that $\gcd(3,6)=3$. Yes, $3$ is a factor of $6$ in the sense that $2\cdot3=6$. But, also $6$ is a factor of $3$ because $9\cdot6=54=3\pmod{17}$. – Jyrki Lahtonen Aug 28 '17 at 04:53
  • So, you can discuss factorizations and gcds when you are not doing anything modulo $m$. But after you reduce modulo $m$ all that becomes iffy. For example, you also have $$b=(2^1)^2*(2^4+2^3+2^0).$$ And because the polynomial $m$ is primitive, you also have $b=(2^1)^k$ for some exponent $k$ that I'm too lazy to calculate. – Jyrki Lahtonen Aug 28 '17 at 04:58
  • Unfortunately, I don't understand your answer re temporary view of a as a polynomial just to run Euclid. I'm not a math professor (and if I was one I wouldn't be here) but if Euclid gives correct result on polynomials why this result doesn't break when you "switch" back to numbers? And why do I need to switch back if everything works under the idea of representing numbers as polynomials? – alikim Aug 28 '17 at 05:05
  • You cannot decide whether two elements of $GF(2^8)$ are equal to each other unless you treat the polynomials modulo $m$. And when you treat them modulo $m$ you lose uniqueness of factorization, because anything non-zero becomes invertible. And, you don't need to be professor (I'm not). Just studying an introductory textbook on algebraic structures will do fine. – Jyrki Lahtonen Aug 28 '17 at 05:10
  • As to your last example of b, under the assumption of reducing polynomials to lower powers till they are irreducible, the polynomial of powers 430 can be reduced further into 421 + 4210 and further into (1 + 310) + (10 + 320) ... so the form I provided is final in this sense, you can not have b factored otherwise. Your argument is like saying any number can be factored into primes but I can also factor them half way through into something else which means factorization is iffy. – alikim Aug 28 '17 at 05:14
  • I don't know what you are talking about. The polynomial $x^4+x^3+1$ is irreducible. It cannot be factored further in $GF(2)[x]$. On the other hand, in $GF(2^8)$ there are no primes because "everything is divisible by everything else." – Jyrki Lahtonen Aug 28 '17 at 05:19
  • 2^4 + 2^3 + 2^0 = 2^1 * (2^1 + 2^0) * (2^3 + 2^2 + 2^0) * (2^3 + 2^1 + 2^0) mod (2^8 + 2^4 +2^3 + 2^1+ 2^0) – alikim Aug 28 '17 at 05:29
  • I just noticed that your $m$ is not primitive. Sorry about not noticing that earlier. Anyway, to make the point concrete: you probably know that modulo $m$ we have $2^0=(2^1)^{51}$. So are you saying that $2^0$ can be factored in this way? – Jyrki Lahtonen Aug 28 '17 at 05:30
  • And when I said that $x^4+x^3+1$ is irreducible. I meant NO MODULO $m$. – Jyrki Lahtonen Aug 28 '17 at 05:33
  • And I meant from the very beginning that I'm working here with modular arithmetic, modulo being a polynomial. I know that 430 is irreducible without modulo and it's not what my question is about. Thank you for your time. – alikim Aug 28 '17 at 05:38
  • You also have relations like $(2^1+2^0)^5=(2^1)^{42}\pmod m$. Anything raised to fifth is a power of $2^1$ (modulo $m$). Sorry about not being able to clear the confusion. I just don't understand how you decide that the factorizations you give are somehow "final". I think that is at the heart of the misunderstanding. Modulo $m$ we have that $2^3+2^2+2^0$ is a factor of $2^3+2^1+2^0$ and vice versa. – Jyrki Lahtonen Aug 28 '17 at 05:44

1 Answer


A fundamental problem is that while there are primes in the ring of polynomials $GF(2)[x]$ (where you can also run the (extended) Euclidean algorithm), there are no primes in the field $GF(2^8)=GF(2)[x]/\langle m(x)\rangle$. The same holds in all fields. Technically, all the non-zero elements of a field are units, and hence divisible by each other.

This manifests in many ways (reverting to the notation that $2^k$ is the residue class of $x^k$ modulo $m(x)$):

  • Because $ab=2^0$ the element $b$ divides all the "factors" you listed. For example $2^3+2^1+2^0=ab(2^3+2^1+2^0)$ is clearly "divisible" by $b$. Q: Which one of $b$ and $2^3+2^1+2^0$ is a factor of the other? A: Both!
  • Because $2^8+2^4=2^4(2^4+2^0)=(2^1)^4(2^1+2^0)^4$, and also $2^8+2^4=2^3+2^1+2^0$ (in $GF(2^8)$ "=" means the same thing as congruent modulo $m$), we see that $$2^3+2^1+2^0=(2^1+2^0)^4(2^1)^4.$$ Therefore the factor $2^3+2^1+2^0$ is not a "prime" either.
  • For some reason unknown to me here a non-primitive polynomial $m(x)$ is used in defining the field (I erred here initially in one of the comments). Anyway a computer check reveals that $x^{51}\equiv 1\pmod {m(x)}$, and that $51$ is the smallest positive exponent when this happens. Therefore the powers of $2^1$ cover one fifth of the elements of $GF(256)$. Another computer check reveals that $2^1+2^0$ is not among those $51$. But, again by computer, we do have the relation $$(2^1+2^0)^5=(2^1)^{42}=(2^1)^{-9}.$$ This implies that any element $z\in GF(2^8), z\neq0,$ can be written uniquely in the form $$z=(2^1)^k*(2^1+2^0)^\ell,$$ with $0\le k<51$, $0\le \ell<5$.
  • Therefore you never need "primes" other than $2^1+2^0$ and $2^1$. And these two are also "divisible" by each other.

It may be useful to look at the analogy of the residue class ring $\Bbb{Z}_{17}$ of integers modulo the prime $17$:

  • We have $2^4=-1$ in this ring, and therefore also $2^8=1$, so do we really want to call $2$ a "prime". It is a factor of $1$ after all!
  • We have $3=20=2^2\cdot5$, so $3$ is not a "prime" but it doesn't really make sense to call $2^2\cdot 5$ a factorization of $3$ into "primes" either.
  • Similarly $5^2=25=8=2^3$, and therefore also $5^6=(2^3)^3=2^9=2^8\cdot 2=2$. Actually all the non-zero elements of $\Bbb{Z}_{17}$ are powers of $5$. But also $5=-12=-2^2\cdot3$ is "divisible" by both $2$ and $3$.

The analogy I wanted to make in comparing $GF(2^8)$ and $\Bbb{Z}_{17}$ is that when working in $GF(2^8)$ we may occasionally benefit from working inside the polynomial ring $GF(2)[x]$ where we have things like the extended Euclidean algorithm. Similarly in $\Bbb{Z}$ we have the extended Euclidean algorithm allowing us to calculate inverses in $\Bbb{Z}_{17}$. But, talking about primes in $GF(2^8)$ is equally futile as talking about primes in $\Bbb{Z}_{17}$.

I'm afraid that...

To clear up all the fog it may be necessary to read an introductory level textbook on abstract algebra.

Jyrki Lahtonen
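The following is an added example, not code from the question or the answer, that makes the two viewpoints in this thread concrete for the question's own numbers: it runs the extended Euclidean algorithm in $GF(2)[x]$ (where $a$ and $b$ are honest polynomials with a gcd) and then does arithmetic in $GF(2^8)$ with the question's modulus $m = 2^8+2^4+2^3+2^1+2^0$ (stored as `0x11B`), where every non-zero element is a unit. It uses the same bit-field convention as the thread (bit $k$ stands for $x^k$), checks that $ab = 2^0$ and that the extended Euclid in $GF(2)[x]$ returns $b$ as the inverse of $a$, computes the multiplicative orders of $2^1$ and $2^1+2^0$ that the answer reports, and verifies the answer's claim that $2^3+2^1+2^0 = (2^1+2^0)^4(2^1)^4$ and that every non-zero element has exactly one representation $(2^1)^k(2^1+2^0)^\ell$ with $0\le k<51$, $0\le\ell<5$. The exponent $k$ with $(2^1+2^0)^5=(2^1)^k$ is found by search rather than copied from the thread, so the reader can check the quoted relation. All function names are this example's own.

```python
# Added example (not from the thread): arithmetic in GF(2^8) = GF(2)[x]/<m> with the
# question's modulus m = x^8 + x^4 + x^3 + x + 1, elements stored as bit fields
# (bit k of an int stands for x^k, i.e. the thread's "2^k"), so addition is XOR.
from typing import Dict, Optional, Tuple

M = 0x11B          # m = x^8 + x^4 + x^3 + x + 1, the question's modulus as a bit field
A, B = 0x49, 0x64  # the question's a and b


def deg(p: int) -> int:
    """Degree of a GF(2)[x] polynomial stored as a bit field (the zero polynomial gets -1)."""
    return p.bit_length() - 1


def poly_mul(a: int, b: int) -> int:
    """Carry-less product in GF(2)[x]; no reduction, so the result may exceed 8 bits."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a: int, b: int) -> Tuple[int, int]:
    """Long division in GF(2)[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid in the ring GF(2)[x]: returns (g, s, t) with s*a + t*b = g."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, r = poly_divmod(a, b)
        a, b = b, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    return a, s0, t0


def gf_mul(a: int, b: int) -> int:
    """Multiply in the field GF(2^8): carry-less product reduced modulo m."""
    return poly_divmod(poly_mul(a, b), M)[1]


def gf_pow(a: int, e: int) -> int:
    """a^e in GF(2^8) by repeated multiplication (exponents here are small)."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_inv(a: int) -> int:
    """Inverse in GF(2^8): run extended Euclid in GF(2)[x] on a and m; since m is
    irreducible the gcd is 1 and the Bezout coefficient of a is the inverse."""
    g, s, _ = ext_gcd(a, M)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return poly_divmod(s, M)[1]


def mult_order(g: int) -> int:
    """Smallest k > 0 with g^k = 1 in GF(2^8) (g must be non-zero)."""
    k, p = 1, g
    while p != 1:
        p, k = gf_mul(p, g), k + 1
    return k


def log_base_x(z: int) -> Optional[int]:
    """Exponent k with (2^1)^k = z in GF(2^8), or None if z is not a power of 2^1."""
    p = 1
    for k in range(mult_order(0x02)):
        if p == z:
            return k
        p = gf_mul(p, 0x02)
    return None


def representations() -> Dict[int, Tuple[int, int]]:
    """Map each non-zero z to the first (k, l) found with z = (2^1)^k * (2^1+2^0)^l,
    0 <= k < 51, 0 <= l < 5; the answer claims this representation is unique."""
    reps: Dict[int, Tuple[int, int]] = {}
    for l in range(5):
        for k in range(51):
            reps.setdefault(gf_mul(gf_pow(0x02, k), gf_pow(0x03, l)), (k, l))
    return reps


if __name__ == "__main__":
    print(hex(gf_mul(A, B)))                     # 0x1: a and b are inverses in GF(2^8)
    print(ext_gcd(A, B)[0])                      # gcd of a and b as polynomials in GF(2)[x]
    print(hex(gf_inv(A)))                        # 0x64: extended Euclid in GF(2)[x] gives b
    print(mult_order(0x02), mult_order(0x03))    # 51 255: m is not primitive, 2^1+2^0 generates
    print(log_base_x(gf_pow(0x03, 5)))           # the k with (2^1+2^0)^5 = (2^1)^k
    print(hex(gf_mul(gf_pow(0x03, 4), gf_pow(0x02, 4))))  # 0xb = 2^3+2^1+2^0
    print(len(representations()))                # 255: every non-zero element is covered
```

Reading the output against the thread: the gcd that Euclid finds is a statement about $a$ and $b$ as polynomials in $GF(2)[x]$, computed before anything is reduced modulo $m$; once inside $GF(2^8)$ the same routine only serves to produce $b = a^{-1}$, and the representation table shows why "factors" there are not primes, since $2^3+2^1+2^0$ itself is a product of powers of $2^1$ and $2^1+2^0$.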