1

𝑛
APPLICATIONS OF GALOIS FIELDS OF ORDER 2

𝑛
Research question: How are Galois fields of order 2 constructed, and how are they applied

in the real world?

IB Mathematics Analysis & Approaches

Word count: 3054

 2

Table of contents:
1.​ Introduction…………………………………………………………………………..3
2.​ Preliminaries………………………………………………………………………….4
3.​ Error-correcting codes………………………………………………………...……10
4.​ Cryptography……………………………………………………………………….14
5.​ Conclusion…………………………………………………………………………...18
6.​ Bibliography………………………………………………………………………..19
 3

1.​ Introduction

The research question that guides this investigation is stated as follows: "How are Galois

𝑛
fields of order 2 constructed, and how are they applied in the real world?" In order to fulfill

this research question, the essay first examines the theoretical fundamentals of finite fields,

focusing on the basic properties that define them. It next examines the process of constructing

𝑛
𝐺𝐹(2 ) through using irreducible polynomials over 𝐺𝐹(2). Finally, it showcases the

real-world applications of these fields, including error-correcting codes (e.g. Reed-Solomon

and BCH), cryptography protocols (e.g. AES encryption, Elliptic Curve Cryptography). The

goal of this essay is to establish the important role of Galois fields in relation to the

aforementioned codes and algorithms, which are applied widely. Without them, management

and operation of error-correcting, digital confidentiality, and communication would be

significantly more difficult. By understanding the math that regulates Galois fields along with

their real-world use, this essay is written about the power and usability of algebra within

modern computing and communication schemes.

 4

2.​ Preliminaries

In this section, I will define all relevant terms in abstract algebra needed for the investigation.

Definition 1: A field 𝐹 is a set with two binary operations - addition and multiplication

(denoted + and · respectively) that follow a set of axioms called the field axioms, which are

as follows:

1.​ Commutativity under addition: For all 𝑥, 𝑦 ∈ 𝐹, 𝑥 + 𝑦 = 𝑦 + 𝑥

2.​ Associativity under addition: For all 𝑥, 𝑦, 𝑧 ∈ 𝐹, (𝑥 + 𝑦) + 𝑧 = 𝑥 + (𝑦 + 𝑧)

3.​ Existence of an additive identity: An element 0 ∈ 𝐹 exists such that 0 ∈ 𝐹 for all 𝑥 ∈ 𝐹

4.​ Existence of an additive inverse: For any 𝑥 ∈ 𝐹, there exists 𝑦 ∈ 𝐹 such that 𝑦 ∈ 𝐹

5.​ Commutativity under multiplication: For all 𝑥, 𝑦 ∈ 𝐹, 𝑥 · 𝑦 = 𝑦 · 𝑥

6.​ Associativity under multiplication: For all 𝑥, 𝑦, 𝑧 ∈ 𝐹, (𝑥 · 𝑦) · 𝑧 = 𝑥 · (𝑦 · 𝑧)

7.​ Existence of a multiplicative identity: There exists an element 1 ∈ 𝐹 such that

𝑥 · 1 = 1 · 𝑥 = 𝑥 for all 𝑥 ∈ 𝐹

8.​ Existence of a multiplicative inverse: For any 𝑥 ∈ 𝐹 such that 𝑥 ≠ 0, there exists

𝑦 ∈ 𝐹 such that 𝑥 · 𝑦 = 1

9.​ Distributivity of multiplication over addition: For all

𝑥, 𝑦, 𝑧 ∈ 𝐹, 𝑥 · (𝑦 + 𝑧) = 𝑥 · 𝑦 + 𝑥 · 𝑧.

10.​ Non-triviality: 1 ≠ 0. (1)

Definition 2: A vector space 𝑉 over a field 𝐹 is a set with two binary operations - vector

addition and scalar multiplication (denoted + and · respectively) that follow a set of axioms

called the vector space axioms, which are as follows:

1.​ Commutativity under vector addition: For all 𝑣, 𝑤 ∈ 𝑉, 𝑣 + 𝑤 = 𝑤 + 𝑣

 5

2.​ Associativity under vector addition: For all

𝑢, 𝑣, 𝑤 ∈ 𝑉, (𝑢 + 𝑣) + 𝑤 = 𝑢 + (𝑣 + 𝑤)

3.​ Existence of an additive identity: An element 0 ∈ 𝑉 exists such that 𝑣 + 0 = 𝑣 for

all 𝑣 ∈ 𝑉

4.​ Existence of an additive inverse: For any 𝑣 ∈ 𝑉, there exists 𝑤 ∈ 𝑉 such that

𝑣+𝑤 =0

5.​ Associativity under scalar multiplication: For all 𝑎, 𝑏 ∈ 𝐹 and

𝑣 ∈ 𝑉, (𝑎 · 𝑏) · 𝑣 = 𝑎 · (𝑏 · 𝑣)

6.​ Existence of a multiplicative identity: There exists an element 1 ∈ 𝑉 such that

𝑣 · 1 = 𝑣 for all 𝑣 ∈ 𝑉

7.​ Distributivity of scalar multiplication over vector addition: For all 𝑎 ∈ 𝐹 and

𝑣, 𝑤 ∈ 𝑉, 𝑎 · (𝑣 + 𝑤) = 𝑎 · 𝑤 + 𝑎 · 𝑣

8.​ Distributivity of scalar multiplication over scalar addition: For all 𝑎, 𝑏 ∈ 𝐹 and

𝑣 ∈ 𝑉, (𝑎 + 𝑏) · 𝑣 = 𝑎 · 𝑣 + 𝑏 · 𝑣

Definition 3: A Galois field (or finite field) 𝐺𝐹(𝑞) is a field with a finite number of elements

𝑞.

Definition 4: The characteristic of a field is the smallest positive integer 𝑝 such that

𝑛
𝑝 · 1 = 0. (The characteristic of any 𝐺𝐹(2 ) is 2.)

Definition 5: The prime subfield is the smallest subfield of a field. (The prime subfield of any

𝑛
𝐺𝐹(2 ) is 𝐺𝐹(2).)

𝑛
Definition 6: An extension field is a field that extends another field. (Any 𝐺𝐹(2 ) is an

extension field of 𝐺𝐹(2).)

 6

Definition 7: An irreducible polynomial over a finite field 𝐺𝐹(𝑞) is a polynomial 𝑝(𝑥) that

cannot be factored into a product of two lower-degree polynomials of degree 1 or higher over

the field.

Definition 8: A group 𝐺 is a set with a binary operation. The operation must be associative,

and the set must contain an identity element, as well as an inverse element for each element.

Definition 9: A cyclic group is a group 𝐺 in which all elements can be generated by taking

the powers of an element - a generator 𝑔.

𝑞
Definition 10: A multiplicative group of the finite field 𝐺𝐹(𝑞) is a group 𝐺 containing all

non-zero elements of 𝐺𝐹(𝑞) and multiplication. (Note: It is always cyclic.)

Definition 11: A ring 𝑅 is a generalization of a field such that multiplication doesn’t need to

be commutative and multiplicative inverses don’t need to exist.

Definition 12: A polynomial ring 𝐺𝐹(𝑝)[𝑥] is the ring of polynomials with coefficients in

GF(p).

Definition 13: A primitive element α of a finite field is a generator of the multiplicative group

of the field.

𝑚
Definition 14: A primitive polynomial of a finite field 𝐺𝐹(𝑞 ) is an irreducible polynomial

over 𝐺𝐹(𝑞) such that its roots are primitive elements of the field.

Definition 15: The minimal polynomial 𝑚α, 𝐹(𝑥) of an element α in a field 𝐹 is the monic

polynomial in the polynomial ring 𝐹[𝑥] of the smallest degree such that 𝑚α, 𝐹(α) = 0.

Definition 15: A splitting field of a polynomial over a field is the smallest field extension in

which the polynomial factors into linear factors.

𝑛
The elements of the Galois field 𝐺𝐹(2 ) are represented as polynomials of degree less than 𝑛

over the prime subfield 𝐺𝐹(2). 𝐺𝐹(2) is a field with two elements, 0 and 1. Each element of
 7

𝑛 𝑛−1 𝑛−2
𝐺𝐹(2 ) can be written as 𝑎𝑛−1𝑥 + 𝑎𝑛−2𝑥 + ... + 𝑎1𝑥 + 𝑎0, where each coefficient

𝑎𝑖 ∈ 𝐺𝐹(2).

3
For example: In 𝐺𝐹(2 ) the elements are all polynomials of degree less than 3 - {

2 2 2 2
0, 1, 𝑥, 𝑥 + 1, 𝑥 , 𝑥 + 1, 𝑥 + 𝑥, 𝑥 + 𝑥 + 1}. Each polynomial is a unique element of

the field.

𝑛
Construction of 𝐺𝐹(2 )

𝑛
The field 𝐺𝐹(2 ) is constructed as a field extension of 𝐺𝐹(2) using an irreducible polynomial

of degree n, or in other words as the splitting field of an irreducible polynomial of degree n

over 𝐺𝐹(2). First of all, we need to choose a monic irreducible polynomial f(x) of degree n

3 3
over 𝐺𝐹(2). For example, for 𝐺𝐹(2 ), a common choice is 𝑓(𝑥) = 𝑥 + 𝑥 + 1. Next, we

𝑛
define the field. The field 𝐺𝐹(2 ) is defined as the set of all polynomials of degree less than n

over 𝐺𝐹(2), with addition (which can also be performed modulo 2) and multiplication which

are performed modulo f(x). Any polynomial of degree n or higher is reduced modulo f(x) to

obtain a polynomial of degree less than n, which will be equivalent to an element of the field.

Now we can verify the field structure - the set of polynomials of degree less than n, together

with addition and multiplication modulo f(x), satisfies the field axioms. The irreducibility of

f(x) is also the reason that every nonzero element has a multiplicative inverse.

3
For example, in 𝐺𝐹(2 ), the elements of which have been stated above, typically uses the

3
irreducible polynomial 𝑓(𝑥) = 𝑥 + 𝑥 + 1.
 8

𝑛
Arithmetic in 𝐺𝐹(2 )

𝑛
Addition in 𝐺𝐹(2 ) is performed coefficient-wise modulo 2. Addition in finite fields is

equivalent to the bitwise XOR operation. For two polynomials

𝑛−1 𝑛−2
𝑎(𝑥) = 𝑎𝑛−1𝑥 + 𝑎𝑛−2𝑥 + ... + 𝑎1𝑥 + 𝑎0 and

𝑛−1 𝑛−2
𝑏(𝑥) = 𝑏𝑛−1𝑥 + 𝑏𝑛−2𝑥 + ... + 𝑏1𝑥 + 𝑏0, their sum is

𝑛−1
𝑎(𝑥) + 𝑏(𝑥) = (𝑎𝑛−1 ⊕ 𝑏𝑛−1)𝑥 + … + (𝑎0 ⊕𝑏0), where ⊕ is addition modulo 2.

3
For example, in 𝐺𝐹(2 ):

2 2 2
(𝑥 + 𝑥 + 1) + (𝑥 + 1) = (1 ⊕ 1)𝑥 + (1 ⊕ 0)𝑥 + (1 ⊕ 1) = 𝑥.

It should be noted that while, as a finite field, subtraction (addition with an inverse of an

𝑛
element) does exist, it's equivalent to addition in 𝐺𝐹(2 ) as demonstrated:

0⊕0 = 0

0−0 =0

0⊕1 = 1

0−1 = − 1 ≡ 1 (𝑚𝑜𝑑 2)

1⊕0 = 1

1−0 =1

1⊕1 = 0

1−1 =0
 9

𝑛
This happens because addition in 𝐺𝐹(2 ) is performed mod 2.

𝑛
Meanwhile, multiplication in 𝐺𝐹(2 ) is performed as polynomial multiplication followed by

reduction modulo the irreducible polynomial f(x). First off we multiply the two polynomials

𝑛
a(x) and b(x) as usual, treating the coefficients as elements of 𝐺𝐹(2 ), and then we divide the

resulting polynomial by f(x) and take the remainder. By doing this, we are sure that the result

𝑛
is a polynomial of degree less than n, and hence, an element of 𝐺𝐹(2 ).

3 3
For example, in 𝐺𝐹(2 ) with 𝑓(𝑥) = 𝑥 + 𝑥 + 1, we are considering multiplying

2
𝑥 + 𝑥 + 1 and 𝑥 + 1:

2 3 2 2 3
(𝑥 + 𝑥 + 1)(𝑥 + 1) = 𝑥 + 𝑥 + 𝑥 + 𝑥 + 𝑥 + 1 = 𝑥 + 1

3 3
Now we reduce 𝑥 + 1 modulo 𝑥 + 𝑥 + 1:

3
𝑥 + 𝑥 + 1 ≡ 0 (𝑚𝑜𝑑 𝑓(𝑥))

3
𝑥 + 1 ≡ − 𝑥 ≡ 𝑥 (𝑚𝑜𝑑 𝑓(𝑥))

2 3
Thus, (𝑥 + 𝑥 + 1)(𝑥 + 1) = 𝑥 in 𝐺𝐹(2 ).

Multiplicative inverses

𝑛
Every nonzero element in 𝐺𝐹(2 ) has a multiplicative inverse. The inverse of an element

𝑎(𝑥) is a polynomial 𝑏(𝑥) such that 𝑎(𝑥) · 𝑏(𝑥) ≡ 1 𝑚𝑜𝑑 (𝑓(𝑥)). The inverse can be found

using the Extended Euclidean Algorithm for polynomials.

𝑛 2
For example, in 𝐺𝐹(2 ), the inverse of 𝑥 is 𝑥 + 1, because

2 3
𝑥 · (𝑥 + 1) = 𝑥 + 𝑥 ≡ (𝑥 + 1) + 𝑥 = 1 𝑚𝑜𝑑 (𝑓(𝑥)).
 10

3. Error-correcting codes

Error-correcting codes are algorithms that add redundancy (unused data, composed of a

function containing original data bits) in order to give space for error detection, which can

occur due to interference, noise, or any form of data corruption. They are usually used for

wireless communication, satellite transmission, optical fiber networks, and data storage

systems. There are two primary types of error-correcting codes - convolutional (data streams

continuously, and as it's processed redundancy is added using linear combinations and shift

registers) and block codes. Block codes work on the principle of dividing data into blocks of

fixed size, with redundancy added to each block.

Definition 16: A block code is a mapping of a vector space of dimension 𝑘 over a finite field

𝐹 (denoted 𝑉𝑘(𝐹)) into a vector space 𝑉𝑛 of dimension 𝑛 over the same field (denoted 𝑉𝑛(𝐹))

such that 𝑛 < 𝑘. (3)

The Reed-Solomon code is a family of codes denoted by 𝑅𝑆(𝑛, 𝑘) with 𝑠-bit symbols,

usually used for data storage systems and satellite communication, and they operate over

𝑠
𝐺𝐹(𝑞), where 𝑞 is the alphabet size and 𝑞 = 2 holds. Information, which is a sequence of

binary symbols, is sent as a message containing 𝑘 symbols, and then encoded into 𝑛 code

𝑠
words. Note that the value of n can’t be higher than 2 − 1 and that the inequality

𝑘 < 𝑛 ≤ 𝑞 always holds. But how does the Reed-Solomon code handle the mapping? In

the original view, the message 𝑚 = (𝑎0, 𝑎1, …, 𝑎𝑘−1) is treated as the coefficients of a
 11

𝑘−1
polynomial 𝑃(𝑥) = 𝑎𝑘−1𝑥 + … + 𝑎0. Therefore, this code is the mapping

2 𝑛−2
(𝑎0, 𝑎1, …, 𝑎𝑘−1) → (𝑃(0), 𝑃(1), 𝑃(𝑎), 𝑃(𝑎 ), …, 𝑃(𝑎 )), where a is a primitive element

of the Galois field 𝐺𝐹(𝑞). The obtained n-tuple is the set of code words of the message.

However, during the transmission errors may occur, and the received code words might be

different than the original code words. In order to identify and correct errors, the polynomial

𝑃(𝑥) must be retrieved from the received code words. This is possible using the

Berlekamp-Welch algorithm, which when given the set of polynomial inputs and code word

outputs (𝑎𝑖, 𝑏𝑖), 𝑖 ∈ {1, 2, …, 𝑛}, the maximum amount of errors 𝑒, 𝑘, and 𝑛 is able to

retrieve the polynomial 𝑃(𝑥). First, an error locator polynomial 𝐸(𝑥) of degree 𝑒 such that

𝐸(𝑎𝑖) = 0 if and only if 𝑃(𝑎𝑖) ≠ 𝑏𝑖 is to be computed, as well as a polynomial 𝑄(𝑥) of

degree at most 𝑒 + 𝑘 − 1 such that 𝑄(𝑎𝑖) = 𝑏𝑖𝐸(𝑎𝑖), for each 𝑖. These polynomials are

computed by plugging in values and expanding the polynomials, creating a system of

equations that can be solved. The polynomial 𝑃(𝑥) is then equal to 𝑄(𝑥)/𝐸(𝑥).

However, there is a slightly different approach to block codes, called BCH

(Bose-Chaudhuri-Hocquenghem) codes. For the sake of simplicity, this essay will focus on

binary primitive BCH codes. For any positive integers 𝑚 and 𝑡 such that 𝑚 ≥ 3 and

𝑚 𝑚
𝑡 < 2 − 1, there exists a BCH code denoted as (𝑛, 𝑘, 𝑡) with block length 𝑛 = 2 − 1,

number of parity-check digits 𝑛 − 𝑘 ≤ 𝑚𝑡, and minimum distance 𝑑𝑚𝑖𝑛 ≥ 2𝑡 − 1. This

code is able to detect up to 𝑡 errors in a block of 𝑛 binary digits and hence is called a 𝑡

𝑚
-error-correcting BCH code. If we denote a primitive element of 𝐺𝐹(2 ) by α, then the

𝑚
generator polynomial 𝑔(𝑥) of the 𝑡-error-correcting BCH code of block length 2 − 1 is the

2 3 2𝑡
lowest-degree polynomial that has α, α , α , ... α as its roots. It can be proven that these
 12

powers and their conjugates are all roots of 𝑔(𝑥). Finding 𝑔(𝑥) can be done by going through

𝑖
the minimal polynomials of the roots - if 𝑝𝑖(𝑥) is the minimal polynomial of α for each

natural number 𝑖 ≤ 2𝑡, then 𝑔(𝑥) = 𝐿𝐶𝑀(𝑝1(𝑥), 𝑝2(𝑥), 𝑝3(𝑥), ... 𝑝2𝑡(𝑥)) , where

𝐿𝐶𝑀(𝑎, 𝑏, 𝑐, ...) denotes the least common multiple function. It should be noted that, due to

each even power of α there exists an odd conjugate and due to conjugates possessing the

same minimal polynomials, the formula can be reduced to

𝑔(𝑥) = 𝐿𝐶𝑀(𝑝1(𝑥), 𝑝3(𝑥), ... 𝑝2𝑡−1(𝑥)). The polynomial 𝑔(𝑥) has a degree of the number

of parity-check digits, 𝑛 − 𝑘 ≤ 𝑚𝑡. There are multiple ways to encode a message, and one

method will be presented. Systematic encoding is done by representing the message as binary

digits in the coefficients of a polynomial 𝑚(𝑥) of degree less than 𝑘. Then, the polynomial

𝑛−𝑘
𝑚(𝑥) is multiplied by 𝑥 in order to shift the degree by 𝑛 − 𝑘, and the result is divided by

𝑛−𝑘
𝑔(𝑥) in order to get a remainder 𝑟(𝑥) such that 𝑚(𝑥)𝑥 = 𝑞(𝑥)𝑔(𝑥) + 𝑟(𝑥). Then, the

𝑛−𝑘
code word polynomial is obtained by adding the remainder - 𝑐(𝑥) = 𝑚(𝑥)𝑥 + 𝑟(𝑥). The

degree of 𝑐(𝑥) is less than 𝑛. In order to decode and detect errors, most algorithms follow the

same structure. First, the syndromes 𝑆 are calculated by evaluating the roots of 𝑔(𝑥) in the

received code word 𝑣(𝑥). The received codeword may be considered as a sum

𝑣(𝑥) = 𝑐(𝑥) + 𝑒(𝑥), where 𝑒(𝑥) is the error polynomial of degree up to 𝑛. As 𝑐(𝑥) is a

𝑖
multiple of the generator polynomial, 𝑐(α ) = 0 for any natural number 𝑖 ≤ 2𝑡, and

𝑖 𝑖
therefore if 𝑣(α ) ≠ 0, that means 𝑒(α ) ≠ 0, and therefore errors occur at these points. A

𝑗 𝑗 𝑗(𝑛−1) 𝑗(𝑛−2) 𝑗
syndrome 𝑆𝑗 is defined by 𝑆𝑗 = 𝑣(α ) = 𝑒(α ) = 𝑒𝑛−1α + 𝑒𝑛−2α +... + 𝑒1α + 𝑒0

where 𝑒𝑗 ∈ 𝐺𝐹(2). If we consider that for each value 𝑖𝑙 out of 𝑧 values (total errors), where

𝑖 𝑧 𝑗𝑖
𝑙 ≤ 𝑧 ≤ 𝑡, for which 𝑒(α 𝑙) ≠ 0 ⇒ 𝑒𝑖 = 1, and otherwise 𝑒𝑖 = 0, then 𝑆𝑗 = ∑ α 𝑙, where 𝑗
𝑙 𝑙=1
 13

is a natural number smaller than 2𝑡 + 1. We can define the error locator polynomial

𝑧 𝑗𝑖
Λ(𝑥) = ∏ (1 − α 𝑙𝑥) as such, as well as the elementary symmetric polynomials of the error
𝑙=1

𝑔 𝑗𝑖𝑗 𝑧
𝑥 𝑖
locators Λ𝑔 = ∑ ∏ α for some 𝑔 ≤ 𝑧. Also note that Λ(𝑥) = ∑ Λ𝑖𝑥 . Now, the
𝑗1<𝑗2<...<𝑗𝑔 𝑥=1 𝑖=0

syndromes and the elementary symmetric polynomials can be linked using Newton’s

𝑙
identities, which can be generalized in this context as ∑ 𝑆𝑥Λ𝑙−𝑥 for any 𝑙 < 2𝑡. This
𝑥=0

identity can be expanded and transformed into matrix form and rewritten to 𝐴 · Λ = 𝑆. Now,

Peterson’s algorithm is used. After writing the matrix out, the determinant of 𝐴 is evaluated.

If the determinant isn’t 0, then two rows and columns are taken out and the process is

repeated until 𝑑𝑒𝑡(𝐴) = 0. Then the matrix is inversed and {Λ𝑖} is solved for, and the roots

𝑚
of Λ(𝑥) are found, which must be distinct and in the field GF(2 ). The bit positions in the

received code word are then complemented to correspond to the roots of Λ(𝑥), and the fixed

code word has no errors. This method of decoding especially shows how Galois fields and

their properties can be used in correspondence with other mathematical fields, like symmetric

polynomials, in order to apply in the real world.

 14

​ 4. Cryptography

Cryptography is a technique that secures messages from malicious attacks by encrypting

them so that only the sender and the receiver are able to see their contents. There are two

types of cryptography that will be covered in this essay:

1.​ Symmetric-key (or private-key) cryptography - The sender and the receiver share a

private key.

2.​ Asymmetric-key (or public-key) cryptography - There is one private and one public

key.

The AES (Advanced Encryption Standard) is a symmetric-key block cipher, in other words,

it’s an encryption algorithm that operates using blocks. It has a fixed block length 𝑛 = 128

and variable key length 𝑘 ∈ {128, 192, 256}, so the AES, in fact, contains three block

ciphers 𝐴𝐸𝑆128, 𝐴𝐸𝑆192, 𝐴𝐸𝑆256. The message 𝑀 is set at 𝑀 = 𝑠, where 𝑠 is a 16-byte

8
matrice. First of all, it should be noted that all arithmetic in AES is done over 𝐺𝐹(2 ) over

8 4 3
the irreducible polynomial 𝑚(𝑥) = 𝑥 + 𝑥 + 𝑥 + 𝑥 + 1. Now, a message 𝑖𝑛 (represented

as a hexidecimal array), the number of rounds 𝑁𝑟 (equal to 10 for 𝐴𝐸𝑆128, 12 for 𝐴𝐸𝑆192

and 14 for 𝐴𝐸𝑆256) and the word array 𝑤 of length 4 bytes for the key expansion are

inputted into 𝐶𝑖𝑝ℎ𝑒𝑟(), the function that transforms a message block into a key. The

encrypting is achieved through the transformation of the 16-byte matrice 𝑠𝑡𝑎𝑡𝑒. The value of

𝑖𝑛 is allocated to 𝑠𝑡𝑎𝑡𝑒, and the initial round key [0, 1, 2, 3] is added using the function

𝐴𝑑𝑑𝑅𝑜𝑢𝑛𝑑𝐾𝑒𝑦() which is defined as

 15

' ' ' '

[𝑠1, 𝑐, 𝑠2, 𝑐, 𝑠3, 𝑐, 𝑠4, 𝑐] = [𝑠1, 𝑐, 𝑠2, 𝑐, 𝑠3, 𝑐, 𝑠4, 𝑐] ⊕ [𝑤[4 ∗ 𝑟𝑜𝑢𝑛𝑑 + 𝑐]] for 0 ≤ 𝑐 < 4,

where 𝑤[4 ∗ 𝑟𝑜𝑢𝑛𝑑 + 𝑐] is the linear word array outputted by function 𝐾𝑒𝑦𝐸𝑥𝑝𝑎𝑛𝑠𝑖𝑜𝑛().

Then, the sequence of functions as follows is applied to 𝑠𝑡𝑎𝑡𝑒 and repeated 𝑁𝑟 − 1 times:

𝑆𝑢𝑏𝐵𝑦𝑡𝑒𝑠(𝑠𝑡𝑎𝑡𝑒), 𝑆ℎ𝑖𝑓𝑡𝑅𝑜𝑤𝑠(𝑠𝑡𝑎𝑡𝑒), 𝑀𝑖𝑥𝐶𝑜𝑙𝑢𝑚𝑛𝑠(𝑠𝑡𝑎𝑡𝑒),

𝐴𝑑𝑑𝑅𝑜𝑢𝑛𝑑𝐾𝑒𝑦(𝑠𝑡𝑎𝑡𝑒, 𝑤[4 ∗ 𝑟𝑜𝑢𝑛𝑑, ... 4 ∗ 𝑟𝑜𝑢𝑛𝑑 + 3]), where 𝑟𝑜𝑢𝑛𝑑 starts at 1 and

increases by 1 each time this sequence is repeated. 𝑆𝑢𝑏𝐵𝑦𝑡𝑒𝑠() is a transformation in which

values of the substitution table 𝑆𝐵𝑜𝑥() are applied to each byte. If 𝑏 is an input byte and

' −1 −1
𝑐 = {01100011}, 𝑏 = 𝑆𝐵𝑜𝑥(𝑏) is evaluated as follows - let 𝑏 = 𝑏 (where 𝑏 is the

8
inverse element of 𝑏 over 𝐺𝐹(2 )) for 𝑏 ≠ {0, 0}, and 𝑏 = {0, 0} otherwise. Then the bits

' '
𝑏𝑖 = 𝑏𝑖 ⊕ 𝑏(𝑖+4) 𝑚𝑜𝑑 8 ⊕ 𝑏(𝑖+5) 𝑚𝑜𝑑 8 ⊕ 𝑏(𝑖+6) 𝑚𝑜𝑑 8 ⊕ 𝑏(𝑖+7) 𝑚𝑜𝑑 8 ⊕ 𝑐𝑖, and 𝑏 may be

reconstructed. 𝑆ℎ𝑖𝑓𝑡𝑅𝑜𝑤𝑠() is a transformation that cyclically shifts the last three rows of a

'
state, and it is defined as 𝑠𝑟, 𝑐 = 𝑠𝑟, (𝑐+𝑟) 𝑚𝑜𝑑 4 for 0 ≤ 𝑟 < 4 and 0 ≤ 𝑐 < 4.

𝑀𝑖𝑥𝐶𝑜𝑙𝑢𝑚𝑛𝑠() is a transformation that multiplies each state column with a fixed matrice.

It’s defined as:

'
𝑠0, 𝑐 = ({02} · 𝑠0, 𝑐) ⊕ ({03} · 𝑠1, 𝑐) ⊕ 𝑠2, 𝑐 ⊕ 𝑠3, 𝑐

'
𝑠1, 𝑐 = 𝑠0, 𝑐 ⊕ ({02} · 𝑠1, 𝑐) ⊕ ({03} · 𝑠2, 𝑐) ⊕ 𝑠3, 𝑐

'
𝑠2, 𝑐 = 𝑠0, 𝑐 ⊕ 𝑠1, 𝑐 ⊕ ({02} · 𝑠2, 𝑐) ⊕ ({03} · 𝑠3, 𝑐)

'
𝑠0, 𝑐 = ({03} · 𝑠0, 𝑐) ⊕ 𝑠1, 𝑐 ⊕ 𝑠2, 𝑐 ⊕ ({02} · 𝑠3, 𝑐).

After the 𝑁𝑟 − 1 repetitions, 𝑆𝑢𝑏𝐵𝑦𝑡𝑒𝑠(𝑠𝑡𝑎𝑡𝑒), 𝑆ℎ𝑖𝑓𝑡𝑅𝑜𝑤𝑠(𝑠𝑡𝑎𝑡𝑒) and

𝐴𝑑𝑑𝑅𝑜𝑢𝑛𝑑𝐾𝑒𝑦(𝑠𝑡𝑎𝑡𝑒, 𝑤[4 ∗ 𝑁𝑟, ... 4 ∗ 𝑁𝑟 + 3]) are applied and the final version of

𝑠𝑡𝑎𝑡𝑒 is considered encrypted data.

 16

We can notice that for the function 𝐶𝑖𝑝ℎ𝑒𝑟() we have a function 𝑖𝑛𝑣𝐶𝑖𝑝ℎ𝑒𝑟() and such - all

the encryption steps are invertible, which is of no surprise as AEC is defined as symmetric.

However, block ciphers on their own can only handle small data and they can’t securely

encrypt large amounts of data, and that problem is solved by block cipher modes of

operation. There is a large number of classes and types of such algorithms, and this essay will

focus on GCM (Galois/counter mode), which uses universal hashing (mapping from a

non-defined data set of arbitrary size to a fixed data set) over a binary Galois field. It will be

128
explained for a 128-bit block cipher, and so it operates over 𝐺𝐹(2 ) that is constructed over

128 7 2
an irreducible polynomial 𝑚(𝑥) = 𝑥 + 𝑥 + 𝑥 + 𝑥 + 1. GCM has two unique

operations - authenticated encryption and authenticated decryption. It takes four parameters

for encryption input: a private key 𝐾 of 128-bit length denoted as 𝐸(𝐾, 𝑋), an initialization

64
vector 𝐼𝑉 of length up to 2 bits, a plaintext (message) 𝑃, and additional authenticated data 𝐴

64
of length up to 2 bits, and outputs ciphertext 𝐶 of the same bitlength as 𝑃 and an

authentication tag 𝑇 of bitlength t such that 𝑡 < 128. Let’s define a function 𝑙𝑒𝑛(𝑥) that

yields a 64-bit string containing the number of bits in 𝑥. We can denote the bitlength of 𝑃 as

128 ∗ (𝑛 − 1) + 𝑢, where 𝑢 < 128. This can also be done for the ciphertext, and they can

* *
be expressed as sequences 𝑃1, 𝑃2, ... 𝑃𝑛−1, 𝑃𝑛 and 𝐶1, 𝐶2, ... 𝐶𝑛−1, 𝐶𝑛 where each 𝑃𝑖 and 𝐶𝑖

* *
for 𝑖 < 𝑛 has a length of 128 bits, while 𝑃𝑛 and 𝐶𝑛 have a length of 𝑢 bits. 𝐴 can similarly be

*
split into a sequence 𝐴1, 𝐴2, ... 𝐴𝑚−1, 𝐴𝑚 such that the bitlength of 𝐴 is

* 𝑥
128 ∗ (𝑚 − 1) + 𝑣, 𝑣 < 128 and the bitlength of 𝐴𝑚 is 𝑣. If the notation 0 denotes a

string with 𝑥 zero bits, 𝐴||𝐵 denotes connecting strings 𝐴 and 𝐵 together, 𝑀𝑆𝐵𝑡(𝑆) (𝐿𝑆𝐵𝑡(𝑆))

denotes a function that yields the left-most (right-most) 𝑡 bits of 𝑆, [𝑛]𝑠denotes a conversion
 17

from an integer to a binary string of 𝑠 bits and {} denotes the bit string of zero length, then the

encryption operation is defined orderly by:

128
𝐻 = 𝐸(𝐾, 0 )
31
𝑌0 = 𝐼𝑉||0 for 𝑙𝑒𝑛(𝐼𝑉) = 96
𝑌0 = 𝐺𝐻𝐴𝑆𝐻(𝐻, {}, 𝐼𝑉) for 𝑙𝑒𝑛(𝐼𝑉) ≠ 96
32
𝑌𝑖 = 𝑀𝑆𝐵𝑙𝑒𝑛(𝑌 )−32
(𝑌𝑖−1)||[𝑖𝑛𝑡(𝐿𝑆𝐵32(𝑌𝑖−1) + 1 𝑚𝑜𝑑 2 ]32
𝑖−1

𝐶𝑖 = 𝑃𝑖 ⊕ 𝐸(𝐾, 𝑌𝑖)
* *
𝐶𝑛 = 𝑃𝑛 ⊕ 𝑀𝑆𝐵𝑢(𝐸(𝐾, 𝑌𝑛)
𝑇 = 𝑀𝑆𝐵𝑡(𝐺𝐻𝐴𝑆𝐻(𝐻, 𝐴, 𝐶) ⊕ 𝐸(𝐾, 𝑌0))

Furthermore, 𝐺𝑁𝐴𝑆𝐻 is defined by 𝐺𝑁𝐴𝑆𝐻(𝐻, 𝐴, 𝐶) = 𝑋𝑚+𝑛+1, where 𝑋𝑖 is recursively

defined as such:

𝑋0 = 0
𝑋𝑖 = (𝑋𝑖−1 ⊕ 𝐴𝑖) · 𝐻 for 𝑖 ∈ {1, 2, ... 𝑚 − 1}
* 128−𝑣
𝑋𝑚 = (𝑋𝑚−1 ⊕ (𝐴𝑚||0 )) · 𝐻
𝑋𝑖 = (𝑋𝑖−1 ⊕ 𝐶𝑖) · 𝐻 for 𝑖 ∈ {𝑚 + 1, 𝑚 + 2, ... 𝑚 + 𝑛 − 1}
* 128−𝑢
𝑋𝑚+𝑛 = (𝑋𝑚+𝑛−1 ⊕ (𝐶𝑚||0 )) · 𝐻
𝑋𝑚+𝑛+1 = (𝑋𝑚+𝑛 ⊕ (𝑙𝑒𝑛(𝐴)||𝑙𝑒𝑛(𝐶))) · 𝐻

The decryption operation is defined similarly to encryption, with some operations reversed. in

order to obtain 𝑃. The usage of Galois fields in AES and GCM lets the algorithms operate at

great efficiency and ensures that the results of all operations stay inside the defined bounds.
 18

5. Conclusion

This essay showcases the way binary Galois fields are applied and why are they important in

error-correcting codes and certain cryptography models. Using them ensures efficiency as the

alphabet is minimal, yet versatile, as closure while performing operations is always

guaranteed. However, even though binary fields take a majority of applications of Galois

fields in general, non-binary fields also have additional unique applications that may be

explored.
 19

6. Bibliography

https://www.math.uchicago.edu/~boller/IBL/M162script6.pdf
https://math.colorado.edu/~jonathan.wise/teaching/math3135-spring-2017/exp01.pdf
https://sites.math.rutgers.edu/~zeilberg/akherim/ReedS1960.pdf
https://personal.oss.unist.hr/~mnizetic/ZASTITNO%20LINIJSKI%20KODIRANJE/SEMINARSKI%
20RADOVI/CH06.pdf
https://pages.jh.edu/bcooper8/sigma_files/ERROR_CONTROL_CODING/06dec.pdf
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf
https://web.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf
https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf