Unexpected Result from Finite Field Calculations in GF(2^8)

Question

I'm performing calculations within the finite field $GF(2^8)$ and I can't seem to get the expected results. This is my first time working with finite fields, so my understanding is quite basic. I would love some guidance to help me solve this problem.

Problem Setup:

Select a generator $g$ from a multiplicative cyclic group $G$, and sample a private key $Pr_K = (\beta_1, \beta_2, \beta_3)$ where $\beta_i \in F$, and compute a public key $PU_K = (g^{\beta_1}, g^{\beta_2}, g^{\beta_3})$

I've chosen the following values and parameters:

$g = 2$
$Pr_K = (\beta_1, \beta_2, \beta_3)=(20, 30, 40)$
$PU_K = (g^{\beta_1}, g^{\beta_2}, g^{\beta_3}) = (180, 96, 106)$
$t'_1 = 216$
$t'_2 = 233$

Equations:

The equations I am working with are:

Equation for $Sign$:

$$ sign =- \frac{ \sum_{i=1}^{2} \beta_i t'_i }{ {b_3} } $$

Equation for $ n $:

$$ n= \left( \prod_{i=1}^{2} g^{{\beta_i}^{t'_i}} \right) \cdot g^{{\beta_3}^{sign}} $$

Calculation Steps:

Using the above equations, my calculation steps are as follows:

Calculated $sign$ as:

$ \text{sign} = -\frac{(20 \cdot 216) + (30 \cdot 233)}{40}$
$ \text{sign} = -\frac{70 + 97}{40} $
$ \text{sign} = -\frac{39}{40} $
$ \text{sign} = -235 \equiv 235 \text{ in } F(2^8) $

Applied the second equation to calculate $ n $:

$ n = (180^{216} \cdot 96^{233}) \cdot 106^{235} $
$ n = (44 \cdot 26) \cdot 172 $
$ n = 160 $

Issue:

The expected result for $ n $ is 1, but my calculation gives 160. I don't quite understand why this is and I'm unsure if there is a calculation error or a conceptual misunderstanding of finite field operations.

Could someone please help me identify the source of this discrepancy? Any guidance would be greatly appreciated.

Polynomial Update

Irreducable polynomial = $^8+^4+^3+^2+1$
$Pr_K = (\beta_1, \beta_2, \beta_3)=((x^4+x^2), (x^4+x^3+x^2+x), (x^5+x^3))$
$PU_K = (g^{\beta_1}, g^{\beta_2}, g^{\beta_3}) = ((x^7+x^5+x^4+x^2), (x^6+x^5), (x^6+x^5+x^3))$
$g=x$
$t'_1 = x^7+x^6+x^4+x^3$
$t'_2 = x^7+x^6+x^5+x^3+1$
$sign = x^7+x^6+x^5+x^3+x+1$

Using the polynomials I still get the final result = $x^7+x^5$

Hello and welcome to math.stackexchange. Why are you using ordinary integer notation when you are working in a finite field? — Hans Engler, Dec 15 '23 at 01:53
Probably the polynomial $a_0 + a_1 x + \ldots + a_7 x^7$ as an element in GF($2^8$) with $a_i \in \mathbb{F}_2$ is being represented as the integer whose binary representation is $a_7 a_6 \ldots a_0$. But in order to make sense of the calculations, we have to know what irreducible polynomial we are using. — Ted, Dec 15 '23 at 02:39
@DurangoOlsen What is the irreducible polynomial you are working with representing elements of GF($2^8$)? Or can you give the source where you are getting these formulas? Unfortunately, the notation you are using for finite fields is very nonstandard to mathematicians. — Ted, Dec 15 '23 at 02:42
Seconding Ted's question. As long as you keep it a secret which irreducible polynomial you are using, we cannot help. You need to understand that the integer notation is just mapping the element $a_0+a_1g+a_2g^2+\cdots+a_tg^7$ to the byte $a_7a_6\ldots a_0$. Phrasing the question differently: what is $g^8$ in you implementation? — Jyrki Lahtonen, Dec 15 '23 at 03:58
If I need to make a guess, you may be using the AES/Rijndael polynomial, but I don't want to guess. Setting up the relevant arithmetic in my computer will take a while, and I would try and reverse-engineer the problem only on my paid time. — Jyrki Lahtonen, Dec 15 '23 at 04:08
Thanks for the replies. Sorry for the missing information, I've added new information to the post. — DurangoOlsen, Dec 15 '23 at 09:43
The quantities $\beta_i$, $i=1,2,3$, appear as exponents. So they must be integers as opposed to elements of the finite field. A power $x^m$ is defined only when $x\in GF(2^8)$ and $m\in\Bbb{Z}$. — Jyrki Lahtonen, Dec 15 '23 at 10:32
I don't know what your program is doing wrong, but Mathematica gives me $$g^{\beta_1}=x^{20}\equiv 1 + x + x^2 + x^4 + x^7=151,$$ $$g^{\beta_2}=x^{30}\equiv 1 + x^3 + x^4 + x^5=57,$$ $$g^{\beta_3}=x^{40}\equiv x^2 + x^4 + x^7=148.$$ You didn't describe, how $t_i'$s are calculated, so I cannot check further. — Jyrki Lahtonen, Dec 15 '23 at 10:39
I see that my program changed the irreducible polynomial to $x^8+x^4+x^3+x+1$, instead of $x^8+x^4+x^3+x^2+1$. The tags $t'_i$ should be able to be random. — DurangoOlsen, Dec 15 '23 at 11:03
Ok. Then the calculation of $\beta_i$s checks out (the last one should be $x^6+x^5+x^3+x=106$, one term missing). But I don't understand what you are doing with the variable sign. Remember that the exponent is a usual integer, so sign is not an element of $GF(256)$. However, because $g^{255}=1$ you can do arithmetic of the exponents modulo $255$ (usual modular arithmetic). So for example with $t_1=216$, $t_2=233$, it goes like $$-\frac{20\cdot216+30\cdot233}{40}=-\frac{1131}4\equiv36\pmod{255}.$$ — Jyrki Lahtonen, Dec 16 '23 at 15:03
(cont'd) Indeed, with the correct components of the public key $p_1=x^2 + x^4 + x^5 + x^7$, $p_2=x^5 + x^6$, $p_3=x + x^3 + x^5 + x^6$, we have (as we should) $$ p_1^{216}\cdot p_2^{233}\cdot p_3^{36}\equiv1. $$ — Jyrki Lahtonen, Dec 16 '23 at 15:09
Two more remarks: 1) There are some lingering notation weaknesses in your text. Like the iteraed powers should read $(g^{\beta_1})^{t_i'}$ instead of $g^{\beta_1^{t_1'}}$ etc. 2) It was, in my opinion, a bit dangerous to use $\beta_3$ such that it has common factor five with $255$. It may happen that the modular division does not work at all when that is the case. Now it did work out because the other $\beta$s were also divisible by five. But, for this reason, the division process is multivalued. Don't know if that is a problem in practice? — Jyrki Lahtonen, Dec 16 '23 at 15:13
Anyway, after this much guessing I sort of see where the formula (for $n$ in particular) comes from. Do check your sources for fitting pieces. If you think I deciphered the question correctly, I can post a compilation as an answer. — Jyrki Lahtonen, Dec 16 '23 at 15:15

Unexpected Result from Finite Field Calculations in GF(2^8)

0 Answers0