galois field convert element in GF($2^8$) to form a+bt

Question

This question is related to cryptography, in particular Camellia cipher[1]. It's s-box includes computation of GF($2^8$) inverses. The irreducible polynomial is given as $x^8 + x^6 + x^5 + x^3 + 1$. I computed the inverse of all the 256 elements in GF($2^8$). I shall show the table below:

    0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09 0x0a 0x0b 0x0c 0x0d 0x0e 0x0f 
     --------------------------------------------------------------------------------
00 | 0x00 0x01 0xb4 0xd8 0x5a 0x48 0x6c 0x78 0x2d 0x28 0x24 0xa4 0x36 0xc9 0x3c 0x38 
10 | 0xa2 0xcf 0x14 0x6a 0x12 0x6b 0x52 0x47 0x1b 0xd1 0xd0 0x18 0x1e 0xbb 0x1c 0xba 
20 | 0x51 0xb1 0xd3 0xa6 0x0a 0xa5 0x35 0x69 0x09 0x2c 0x81 0x4f 0x29 0x08 0x97 0x67 
30 | 0xb9 0xca 0xdc 0x45 0x68 0x26 0x0c 0xc8 0x0f 0x3d 0xe9 0x61 0x0e 0x39 0x5d 0xfe 
40 | 0x9c 0x8d 0xec 0xe1 0xdd 0x33 0x53 0x17 0x05 0x5b 0xe6 0xcc 0xae 0xf8 0x80 0x2b 
50 | 0xb0 0x20 0x16 0x46 0xf4 0xe4 0x93 0x98 0xa0 0x9f 0x04 0x49 0xff 0x3e 0x87 0xc5 
60 | 0xe8 0x3b 0x65 0x6f 0x6e 0x62 0x96 0x2f 0x34 0x27 0x13 0x15 0x06 0x79 0x64 0x63 
70 | 0xb3 0xfa 0xaa 0x94 0xc0 0xeb 0x84 0xdf 0x07 0x6d 0xa8 0xc3 0x9a 0xe2 0x7f 0x7e 
80 | 0x4e 0x2a 0xf2 0xc6 0x76 0xde 0xc4 0x5e 0xda 0xef 0xad 0xfc 0x9d 0x41 0xbf 0xd7 
90 | 0xb6 0xf1 0x99 0x56 0x73 0xab 0x66 0x2e 0x57 0x92 0x7c 0xe3 0x40 0x8c 0xa1 0x59 
a0 | 0x58 0x9e 0x10 0xce 0x0b 0x25 0x23 0xd2 0x7a 0xc2 0x72 0x95 0xfd 0x8a 0x4c 0xf9 
b0 | 0x50 0x21 0xfb 0x70 0x02 0xd9 0x90 0xf0 0xcb 0x30 0x1f 0x1d 0xf7 0xd4 0xd6 0x8e 
c0 | 0x74 0xea 0xa9 0x7b 0x86 0x5f 0x83 0xf3 0x37 0x0d 0x31 0xb8 0x4b 0xe7 0xa3 0x11 
d0 | 0x1a 0x19 0xa7 0x22 0xbd 0xf6 0xbe 0x8f 0x03 0xb5 0x88 0xee 0x32 0x44 0x85 0x77 
e0 | 0xed 0x43 0x7d 0x9b 0x55 0xf5 0x4a 0xcd 0x60 0x3a 0xc1 0x75 0x42 0xe0 0xdb 0x89 
f0 | 0xb7 0x91 0x82 0xc7 0x54 0xe5 0xd5 0xbc 0x4d 0xaf 0x71 0xb2 0x8b 0xac 0x3f 0x5c

But, when I use these values I am not getting proper result as given in s-box table in camellia specifications[2]. Upon further analysis, I found that after the inverse is computed, it needs to be converted to the form a+bt, where a,b belongs to GF($2^4$) and t belongs to GF($2^8$). Inorder to learn how to do this, I referred a couple of research papers [3,4], but I couldn't understand them. So, I need to know how to do it. There has to be a 8x8 matrix which when multiplied with input from GF($2^8$) yields the form a+bt as mentioned above.

I need to know the math behind this. I have listed the references below. Please feel free to go through [1]. I may also be wrong in assumption of inverse computation. It's available in Section 3.2 Function gis the one which uses inverse computation.

Thank you in advance for any help.

References:
1.https://info.isl.ntt.co.jp/crypt/camellia/dl/reference/sac_camellia.pdf
2.https://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
3.https://www.emsec.ruhr-uni-bochum.de/media/crypto/attachments/files/2010/04/paar_php_diss.pdf Section 2.2
4.https://my.ece.utah.edu/~kalla/Comp-Algebra/composite-field.pdf Section 4

What you need is a kind of dictionary between 2 ways of writing the 256 elements of GF(2^8). Number theorists naturally use the Galois theory of finite fields (which are sometimes called "Galois fields" for good reasons). But on your side, you should explain to them the meaning of the "values" given in your table. — nguyen quang do, Sep 19 '19 at 16:54
Actually, the values in the table are the multiplicative inverses. I computed them through a brute force approach(since the space is very small). What I need is a matrix which on multiplying with the input yields the other representation. — krishnan, Sep 19 '19 at 17:39
Yes, I understand this is a list are of inverse (hence there should be a bijection with some original list of elements). But my question is: how do you write an element of GF(2^8). I'm as ignorant about crypto. as you say you are about "the math behind". — nguyen quang do, Sep 19 '19 at 17:54
I'm a bit too busy and tired to delve into your sources. I wishfully think that the principles outlined in this old answer of mine might apply here as well. — Jyrki Lahtonen, Sep 19 '19 at 19:17
@JyrkiLahtonen your answer for transforming GF(16) to GF(4^2) was very clear. But, I couldn't understand a few things in extending this for GF(2^8) to GF((2^4)^2). I can figure out the polynomials used for generating GF(2^8) and GF(2^4) and let's name them as R(x) and Q(x) respectively. Provided these two polynomials, how can we find the polynomial used for generating GF((2^4)^2) from elements of GF(2^4)? I could see that it is of the form x^2 + x + n, n belongs to GF(2^4). Let's call it P(x). How to find n? — krishnan, Sep 23 '19 at 16:39

score 1 · Accepted Answer · answered Dec 06 '19 at 07:12

1

I was actually able to figure out that no conversion(from gf(2^8) to gf(2^4)) is needed for Camellia s-box. FreeBSD has vectorized implementation of camellia which I referred to find out this. Also the following paper was a good read and gave solution to my question.
https://link.springer.com/content/pdf/10.1007%2F978-3-540-45238-6_25.pdf

answered Dec 06 '19 at 07:12

krishnan

21

1

That paper is missing information on how δ and δ^-1 are generated. The parameters for GF((2^4)^2) primitive polynomial x^2 + x + 9, with primitive element β = x (hex 10), and GF(2^4) primitive polynomial x^4 + x + 1, with primitive element x (hex 2). GF(2^8) uses irreducible polynomial x^8 + x^4 + x^3 + x + 1, and 8 of 128 possible primitive elements α will result in isomorphic mapping. – rcgldr Jul 15 '20 at 13:48
1

In the paper, the primitive element α = x^4+x^3+x^2+x+1 was used to generate the mapping matrix δ . The indexes of the columns of δ correspond to the hex values (80 40 20 10 08 04 02 01}, which corresponds to powers of α: α^{64 c3 23 82 e1 41 a0 00} = (80 40 20 10 08 04 02 01}. The values of the columns correspond to powers of β: β^{64 c3 23 82 e1 04 a0 00} = {e9 3d d0 35 43 49 2e 01}. – rcgldr Jul 15 '20 at 14:02
Thank you @rcgldr for working out to get these values. Actually, the original paper which described Camellia also lacked these details. Since AES is more widely used, it's finite field has been worked out extensively. But, Camellia is not so popular and was difficult to get these things. – krishnan Oct 13 '20 at 10:09
1

I created a small pdf file showing how δ and δ^(-1) are generated for a different set of parameters in this composite field mapping example pdf . I have yet to find an AES article that includes how these matrices are generated. – rcgldr Oct 13 '20 at 16:53

galois field convert element in GF($2^8$) to form a+bt

1 Answers1