
I've read a paper (Partitions in the S-Box of Streebog and Kuznyechik) about a Russian S-Box.

They describe how this S-Box is generated with a function they call TKlog which works with multiplicative and additive cosets of the subgroup $\operatorname{GF}(2^{4})$ in $\operatorname{GF}(2^{8})$.

In their definition of TKlog they say that a primitive polynomial of even degree $n=2m$ is needed so that there is a root $\alpha \in \operatorname{GF}(2^{8})^*$. This root is then with $\alpha^{17}$ the multiplicative generator of $\operatorname{GF}(2^{4})^*$ (more about that here in my other question).

So my questions are now:

  1. Is there a reason why $p$ must be a primitive polynomial?
  2. Wouldn't it be enough to just have a generator $g$ in this group? Because for all generators it holds that $g^{17}$ is a multiplicative generator of $\operatorname{GF}(2^{4})^*$.

By the way: I don't understand how I can interpret this notation: $x^{p^m} - x$. (I somehow never saw this before - so if it's needed for the answer it would be great if this is explained, too.)

winklerrr
  • Some confusion there. A primitive element of a finite field means exactly the same as a generator of its multiplicative group. An element $\alpha\in GF(256)^*$ is thus primitive if and only if it has order $255$, implying that $\alpha^{17}$ has order $15$ and is thus a generator of the group $GF(16)^*$. Also by the definition, an irreducible polynomial of degree $n$ with coefficients in $GF(2)$ is primitive if and only if its roots are primitive elements of the field $GF(2^n)$. – Jyrki Lahtonen Jul 12 '19 at 03:37
  • Basic Galois theory (the so called Freshman's dream is all we need actually) tells that if one of the roots of an irreducible polynomial is primitive, they all are. Therefore we don't need to specify the root when we discuss primitivity of polynomials. – Jyrki Lahtonen Jul 12 '19 at 03:38
  • $f(x)=x^{p^m}-x$ is just the lowest degree polynomial over $GF(p)$ such that all the elements of $GF(p^m)$ are roots of $f$. It comes in very handy when developing the theory of finite fields from the direction of the general theory of field extensions. It is usually not that important when actually using the field. Just something you can use to reduce high powers to lower ones as $z^{p^m}=z$ holds for all the elements $z\in GF(p^m)$. – Jyrki Lahtonen Jul 12 '19 at 03:42
  • One more confusion is in your title. The properties of an element A) it is primitive and B) it generates a normal basis are not causally linked to each other at all. An element of a finite field can be primitive but not generate a normal basis (an example of this is the zeros of $x^4+x+1$ in $GF(16)$). And an element of a finite field can generate a normal basis without being primitive (an example of this is the zeros of $x^4+x^3+x^2+x+1$ in $GF(16)$). Actually the generators of known optimal normal bases are hardly ever primitive. – Jyrki Lahtonen Jul 12 '19 at 03:46
  • Primitive elements are used to generate discrete logarithm tables, like here. Those are handy for implementing the multiplication of a finite field if your hardware has memory to support two look-up-tables of size $2^n$, and has integer arithmetic implemented. Tiny chips with scarcity of mem sometimes don't have that mem. Of course, if the app calls for a large field with $n>100$, that mem never exists, and other methods (such as optimal/good normal bases) are required. – Jyrki Lahtonen Jul 12 '19 at 03:50
  • @JyrkiLahtonen if you add this as an answer I will accept it – winklerrr Jul 12 '19 at 12:05
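
Added example (not part of the original question or comments): a Python check of the order statements discussed above, comparing the root $x$ of a primitive modulus with the root of an irreducible but non-primitive one. The moduli are choices made for this example: 0x11D ($x^8+x^4+x^3+x^2+1$, primitive) and 0x11B (the AES polynomial, irreducible but not primitive); all function names are illustrative.

```python
# GF(2^8) elements are ints 0..255; `poly` is the modulus including the x^8 bit.
PRIMITIVE = 0x11D      # x^8+x^4+x^3+x^2+1 (assumed choice for this example)
AES_POLY = 0x11B       # x^8+x^4+x^3+x+1, irreducible but NOT primitive

def gf_mul(a, b, poly):
    """Carry-less multiply of a and b, reduced modulo poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def gf_pow(a, e, poly):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return r

def order(a, poly):
    """Multiplicative order of a nonzero element (poly must be irreducible)."""
    n, p = 1, a
    while p != 1:
        p = gf_mul(p, a, poly)
        n += 1
    return n

def span_of_17th_power(g, poly):
    """Return {0} together with all powers of g^17."""
    h = gf_pow(g, 17, poly)
    elems, p = {0}, 1
    for _ in range(order(h, poly)):
        elems.add(p)
        p = gf_mul(p, h, poly)
    return elems

def is_gf16(s, poly):
    """True if s is the 16-element subfield: closed under XOR, every z has z^16 == z."""
    closed = all((a ^ b) in s for a in s for b in s)
    return len(s) == 16 and closed and all(gf_pow(z, 16, poly) == z for z in s)

if __name__ == "__main__":
    for name, g, poly in [("x mod 0x11D", 2, PRIMITIVE), ("x mod 0x11B", 2, AES_POLY),
                          ("x+1 mod 0x11B", 3, AES_POLY)]:
        s = span_of_17th_power(g, poly)
        print(name, order(g, poly), order(gf_pow(g, 17, poly), poly), is_gf16(s, poly))
```

With the non-primitive modulus, $x$ has order 51, so $x^{17}$ has order 3 and its powers give only $GF(4)$; the element $x+1$ in the same field has order 255, and its 17th power does generate $GF(16)^*$.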
