3

I've been reading the question "Reason why “XOR” is a linear operation, but ordinary “addition” isn’t?", in which one of the answers states that addition modulo $n$ ($n>2$) is linear in $\mathbb{Z}_n$ but not in $\mathbb{F}_2$. It also states that, conversely, $XOR$ is linear in $\mathbb{F}_2$ but not in $\mathbb{Z}_n$ ($n>2$).

But in what sense?

I mean, how can I think about an $n$ ($n>2$) modular addition in $\mathbb{F}_2$?

When I have to sum modulo $n$, I usually sum the digits modulo $10$ (or directly reduce them modulo $n$ before doing the sum) and then reduce the result modulo $n$.

F.i.: Taking $n = 3, x_1=2, x_2=2$

$$x_1+x_2 = 2+2 = 4 = 1 \pmod 3$$

But how can I think about a sum modulo $n$ in $\mathbb{F}_2$? And why isn't it linear in $\mathbb{F}_2$?

Conversely, how can I think about a $XOR$ in $\mathbb{Z}_n$, and why isn't it linear?

ela
  • 357
  • 2
  • 12

2 Answers

4

Since your question is referring to an answer on this site, I will not quote the entire answer here. But the crucial point is there in the last paragraph:

If none of that made any sense to you, that's OK. You just need to read up about Abstract Algebra, and Fields, Rings and Groups. It's a fascinating and beautiful area of mathematics, and much of cryptography will make no sense without at least some understanding of it.

I can only suggest you do the same and carefully read the answer again, because $\mathbb{F}_2$ was not mentioned in the answer at all. It contained statements about (finite) fields of Characteristic 2, which are $\mathbb{F}_{2^k}$ for any integer $k$.

If you carefully read the statements again, you will see that $\mathbb{F}_2$ actually meets both criteria, being a finite field of characteristic 2 and being a ring of the form $\mathbb{Z}_n$. In fact, XOR and modular addition are the very same group operation. It is quite obvious in this example, but could easily be checked by writing down the operator tables.

Considering your real question about linearity in finite fields, let's look at $\mathbb{F}_4$, which has characteristic 2, and is also described in the according Wiki article. So we got $\mathbb{F}_4 = \{0,1,a,1+a\}$, where addition is just the normal addition of polynomials, coefficients are reduced modulo 2, and multiplication is the regular multiplication of polynomials modulo $X^2+X+1$.

Unfortunately, the answer in question has a few points which only make sense under a certain point of view. Basically, if you consider a number in a binary format, and then interpret each bit as a coefficient in $\mathbb{F}_{2^k}$ (see above construction for $\mathbb{F}_4$, with 2 coefficients before $a$ and a constant $1$), then XOR-ing numbers can be interpreted as the actual addition of polynomials in that finite field. However, you can't express XOR in $\mathbb{Z}_4$ as a linear equation, which has a quite different meaning than linear function in algebra. Analogously, you can't express addition modulo 4 (in $\mathbb{Z}_4$) as a linear equation in the field $\mathbb{F}_4$.

As a final note I can only say: Notation and details matter a lot in algebra. Especially if you don't understand the exact statement, this becomes even more important to avoid confusion, or even worse, learning something that is just false.

tylo
  • 12,864
  • 26
  • 40

2

Well, as the author of the answer you cited, I can't much improve on tylo's answer. However, perhaps a couple of examples will be a useful supplement.

First, note that for $a,b \in \mathbb{Z}_4$: $$a \oplus b \equiv a + b + 2ab \pmod 4$$ where the $\oplus$ on the left side means XOR and on the right side are addition and multiplication modulo 4. In other words, you can express XOR in $\mathbb{F}_4$ using an equation with addition and multiplication modulo 4, but notice that the equation (well, congruence) is not linear on the right hand side because it involves a term that multiplies two variables. That is what I meant by XOR not being expressible as a linear equation in $\mathbb{Z}_n$ for $n>2$.

Similarly, you can express addition modulo $2^n$ in terms of $n$ equations with bits as variables where XOR is addition and bitwise AND is multiplication (i.e. as equations in $\mathbb{F}_2$). Let $a_0$ and $b_0$ be the least significant bits of two $n$-bit strings $A$ and $B$, (and $a_{n-1}$ and $b_{n-1}$ conversely be the most significant bits). The string $C$, where $C\equiv A+B \pmod {2^n}$, can be expressed by the following system of equations: $$c_0 = a_0 + b_0 \\ c_1 = a_1 + b_1 + y_1 \\ ... \\ c_{n-1} = a_{n-1} + b_{n-1} + y_{n-1}$$ These equations appear to be linear, but aside from the first one they all include temporary variables for the carry bits, denoted by $y_x$ which have a nonlinear expression involving multiplication of variables (i.e. bitwise AND): $$y_1 = a_0b_0 \\ y_2 = a_1b_1 + (a_1 + b_1)y_1 \\ ... \\ y_{n-1} = a_{n-2}b_{n-2} + (a_{n-2} + b_{n-2})y_{n-2}$$

J.D.
  • 4,455
  • 18
  • 22
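The two identities in the answer above can be checked mechanically. The following is an added example (my own code, not part of J.D.'s answer or the original page): it verifies $a \oplus b \equiv a + b + 2ab \pmod 4$ and the $\mathbb{F}_2$ carry system exhaustively on $\mathbb{Z}_4$, and then brute-forces over every affine expression to confirm that neither operation is affine in the "other" structure. Function names and the 2-bit width are my own choices.

```python
# Added example: exhaustive check of J.D.'s identities for n = 2 bits (Z_4 vs F_2).
from itertools import product

N_BITS = 2
MOD = 1 << N_BITS  # Z_4

def xor_via_ring(a, b, mod=MOD):
    """XOR written with ring operations of Z_4: a + b + 2ab (mod 4)."""
    return (a + b + 2 * a * b) % mod

def add_via_f2(a_bits, b_bits):
    """Addition mod 2^n as the F_2 system c_i = a_i + b_i + y_i and
    y_{i+1} = a_i b_i + (a_i + b_i) y_i, with '+' = XOR and '*' = AND.
    Index 0 is the least significant bit; y is the carry."""
    c, y = [], 0
    for a_i, b_i in zip(a_bits, b_bits):
        c.append(a_i ^ b_i ^ y)
        y = (a_i & b_i) ^ ((a_i ^ b_i) & y)  # carry into the next position
    return c

def bits(x, n=N_BITS):
    return [(x >> i) & 1 for i in range(n)]

def xor_identity_holds():
    return all(xor_via_ring(a, b) == a ^ b for a in range(MOD) for b in range(MOD))

def f2_addition_holds():
    return all(add_via_f2(bits(a), bits(b)) == bits((a + b) % MOD)
               for a in range(MOD) for b in range(MOD))

def xor_is_affine_mod(mod=MOD):
    """True iff some u*a + v*b + w (mod `mod`) equals a XOR b for all a, b."""
    return any(all((u * a + v * b + w) % mod == a ^ b
                   for a in range(mod) for b in range(mod))
               for u, v, w in product(range(mod), repeat=3))

def add_mod_is_affine_over_f2(n=N_BITS):
    """True iff every output bit of (a+b) mod 2^n is an affine F_2 function
    of the 2n input bits (XOR of a subset of the bits, plus a constant)."""
    pairs = [(a, b) for a in range(1 << n) for b in range(1 << n)]
    ins = [bits(a) + bits(b) for a, b in pairs]
    outs = [bits((a + b) % (1 << n)) for a, b in pairs]
    for i in range(n):
        found = any(all((sum(m * x for m, x in zip(mask, v)) % 2) ^ k == o[i]
                        for v, o in zip(ins, outs))
                    for mask in product((0, 1), repeat=2 * n) for k in (0, 1))
        if not found:
            return False  # bit i needs an AND term (the carry), so not affine
    return True
```

Bit 0 of the sum is $a_0 \oplus b_0$ and so is affine; it is bit 1, which contains the carry $a_0 b_0$, that makes the whole map non-affine over $\mathbb{F}_2$.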