Program Derivation of Operations in Finite Fields of Prime Order

Introduction Title
Program Derivation of Operations in Fp
Charles Southerland Dr. Anita Walker
Department of Mathematics & Computer Science
East Central University
Oklahoma Computing Consortium Conference 2011
Southerland, Walker Program Derivation of Operations in Fp

Introduction Thanks
Special Thanks
I would like to say a special thank you to:
Dr. Anita Walker for working closely with me throughout
this project, and for introducing me to abstract algebra
Dr. Bill Walker for introducing me to program derivation
Prof. Clay Carley for working with me on cryptology, which
ﬁrst lead me to this particular problem
The creators of Beamer for allowing LATEX to save me from
the abyss of WYSIWYG presentation software

Finite Fields Outline
Outline
1 Finite Fields
Deﬁnition
Field Order
A Well-Known Finite Field
2 Program Derivation
3 Multiplicative Inverse in Fp

Finite Fields Definition
The Definition of a Field
Definition
A field is a 3-tuple of a set F and two operations (called addition
and multiplication) for which certain properties hold:
Closure of F under both operations
Associativity of both operations
Distinct identities in F for the operations
Additive inverses for all items in F
Multiplicative inverses for all but the additive identity
Commutativity of both operations
Distributivity of multiplication over addition

Finite Fields Definition
The Galois Field
A finite field is a field in which the contained set has finite
cardinality (e.g., the field has a finite order).
All finite fields of the same order are isomorphic (so they are,
for all practical purposes, the same).
Another name for a finite field is a Galois field.
Generalized fields are often denoted as F, but finite fields in
particular are usually denoted either with GF, GF(q), or Fq,
where q is the order of the field.

Finite Fields Field Order
The Order of a Finite Field
There exists a finite field of order q iff q = pn, where p is
prime and n ∈ N..
When n = 1, Fp is isomorphic to (Zp, ⊕, ⊗) (the integers
modulo p with modular addition and modular multiplication).
When n > 1, Fpn is isomorphic to the splitting field of
f (x) = xpn
− x over Fp.
This project focuses on fields of prime order, so I’m afraid
there will be no more discussion of Fpn .

Finite Fields A Well-Known Finite Field
A Well-Known Finite Field of Prime Order: F2
Since 2 is prime, there is a finite field F2, and it has the form
(Z2, ⊕, ⊗).
The operations are defined as:
Addition
⊕ 0 1
0 0 1
1 1 0
Multiplication
⊗ 0 1
0 0 0
1 0 1
As you can see, F2 is binary with XOR as addition and AND
as multiplication.

Program Derivation Outline
Outline
1 Finite Fields
History
Dijkstra’s Guarded Command Language
Weakest Precondition Predicate Transformer
The Program Derivation Process

Program Derivation History
The History of Program Derivation
Hoare’s 1969 paper An Axiomatic Basis for Computer
Programming eﬀectively launched the Formal Methods
subﬁeld of CS.
Dijkstra’s paper Guarded Commands, Nondeterminacy and
Formal Derivation of Programs introduced many of the ideas
presented in this paper.
Gries’ book The Science of Programming brings Dijkstra’s
paper to a level undergrad CS and Math majors can
understand.

Program Derivation Dijkstra’s Guarded Command Language
Some Familiar Parts of Dijkstra’s Language
Variable Assignment
x := 1
Addition
x := x + y
Command Concatenation
b := b − a; x := x + y
Procedure Call
c := gcd(a, b)
Subtraction
b := b − a
Skip, then Abort
skip; abort

Dijkstra’s Guarded Commands
Guarded if-Block
if a > 0 → c := 2
b > 0 → c := 3; a := 5
c > 0 → c := 1
c = 6 → c := 4
ﬁ
Guarded do-Block
do b = 0 → c := 1
a > 0 → a := a − 1
b < 4 → b := b + 1
c = 1 → a := a − 1
od

A Famous Example
Greatest Common Divisor
proc gcd(a, b) ≡
do a > b → a := a − b
b > a → b := b − a
od
return a.

Program Derivation Weakest Precondition Predicate Transformer
The Weakest Precondition Predicate Transformer
Definition
The Weakest Precondition Predicate Transformer (wp) is
defined as follows:
wp : P × L → L
P is the set of all finite-length programs
L is the set of all statements about the state of a computer
wp(s, r) = q
q is the weakest precondition (the initial state)
s is the program to be executed (which changes the state)
r is the postcondition (the resulting state)

wp and Dijkstra’s Language
Skip
wp(”skip”, r) = r
Command Concatenation
wp(”b := a; x := y”, r)
= wp(”b := a”, wp(”x := y”, r))
Abort
wp(”abort”, r) = F
Variable Assignment
wp(”x := y”, r)
= deﬁned(y) ∧ rx
y

wp and Dijkstra’s if-Block
Dijkstra’s if-Block
wp(”if a > 0 → c := 2
b > 0 → c := 3; a := 5
c > 0 → c := 1
c = 6 → c := 4 ﬁ”, r)
= (a > 0 ∨ b > 0 ∨ c > 0 ∨ c = 6)
∧(a > 0 =⇒ wp(”c := 2”, r))
∧(b > 0 =⇒ wp(”c := 3; a := 5”, r))
∧(c > 0 =⇒ wp(”c := 1”, r))
∧(c = 6 =⇒ wp(”c := 4”, r))

wp and Dijkstra’s do-Block, Part I
Let’s call this ”DO”:
do b = 0 → c := 1
a > 0 → a := a − 1
b < 4 → b := b + 1
c = 1 → a := a − 1
od
Also, let’s call this ”IF”:
do b = 0 → c := 1
a > 0 → a := a − 1
b < 4 → b := b + 1
c = 1 → a := a − 1
od

wp and Dijkstra’s do-Block, Part II
We deﬁne Hn(r) for n ∈ N and r ∈ L as:
For n = 1
H1(r) = (b = 0 ∧ a ≤ 0 ∧ b ≥ 4 ∧ c = 1) ∧ r
For n > 1
Hn(r) = H1(r) ∨ wp(”IF”, Hn−1(r))

wp and Dijkstra’s do-Block, Part III
Dijkstra’s Guarded do-Block
wp(”do b = 0 → c := 1
a > 0 → a := a − 1
b < 4 → b := b + 1
c = 1 → a := a − 1 od”, r)
= (∃n ∈ N)Hn(r)

Program Derivation The Program Derivation Process
Program Derivation
Program Derivation
Given a precondition q ∈ L and a postcondition r ∈ L,
derive a program s ∈ P that satisﬁes q = wp(s, r).

Program Derivation The Program Derivation Process
Program Derivation Tips
Gather as much information as possible about the
precondition and postcondition.
Reduce the problem to previously solved ones whenever
possible.
Look for a loop invariant that gives clues on how to
implement the program.
If you are stuck, consider alternative representations of the
data.

Multiplicative Inverse in Fp Outline
Outline
1 Finite Fields
Multiplicative Inverses
The Greatest Common Divisor
Exploring Bezout’s Identity
Program to Find the Multiplicative Inverse in Fp

Multiplicative Inverse in Fp Multiplicative Inverses
Multiplicative Inverses in Fields of Infinite and Finite Order
Finding multiplicative inverses in a field of infinite order is
typically not a problem.
Example
In (Q, +, ×), multiplicative inverses are reciprocals (e.g., a−1 = 1
a ).
Finding multiplicative inverses in fields of finite order can get
tricky.
Example
In (Zp, ⊕, ⊗), multiplicative inverses are found using Bezout’s
Identity (i.e., ax + py = 1), which has two unknown values.

Multiplicative Inverse in Fp Multiplicative Inverses
Obtaining the Multiplicative Inverse from Bezout’s Identity
Noting that a and b are coprime (since b = p, and p is prime),
gcd(a, b) = 1. So:
ax + by = gcd(a, b)
ax + by = 1
ax = by + 1
ax = py + 1
ax = 1
By the deﬁnition of multiplicative inverses, x = a−1.

Multiplicative Inverse in Fp The Greatest Common Divisor
The Greatest Common Divisor
Recall the greatest common divisor program:
proc gcd(a, b) ≡
do a > b → a := a − b
b > a → b := b − a
od
return a.
This implementation was discovered by exploring the property:
gcd(a, b) = gcd(a − b, b) = gcd(a, b − a)

Multiplicative Inverse in Fp The Greatest Common Divisor
The Loop Invariant of gcd
The loop invariant used in the primary loop of this program is
gcd(a, b) = gcd(A, B).
The loop will exit when a = b, which occurs when
a = b = gcd(a, b).
Since every iteration decreases the value of either a or b, the
loop will progress toward termination (the loop is bound by
(a − gcd(a, b)) + (b − gcd(a, b))).

Multiplicative Inverse in Fp Exploring Bezout’s Identity
Bezout’s Identity and the gcd Property
Combining Bezout’s Identity with the gcd property, we get:
ax + by = gcd(a, b)
= gcd(a, b − a)
= au + (b − a)v
= au + bv − av
= a(u − v) + bv
So x ≡ u − v (mod b) and y ≡ v (mod a).
As gcd is commutative, we derive a corresponding result if we
explored gcd(a − b, b) instead of gcd(a, b − a).

Reassigning x and y as Linear Combinations: Part I
Each time the arguments of gcd get closer to their ﬁnal value, it is
shown that x is equivalent (mod b) and y is equivalent (mod a)
to a linear combination of their corresponding values from Bezout’s
Identity after a and b have been modiﬁed as described in the gcd
program.

Reassigning x and y as Linear Combinations: Part II
Specifically, it can be seen that x always has a positive coefficient
of following corresponding values of x and a negative coefficient of
corresponding values of y. Likewise, y always has a negative
coefficient of corresponding values of x and a positive coefficient of
corresponding values of y.

Reassigning x and y as Linear Combinations: Part III
Once the arguments to gcd are equal to each other (and equal to
the result of gcd), we can find the original values of x and y by
multiplying the coefficients that have been stored by the final
corresponding values of x and y. However, since we are looking for
a multiplicative inverse in Fp, we know gcd(a, p) = 1 as p is prime.
Since this will give us x = 1 by simplification after using the gcd
property one last time, we see that the y components are
inconsequential.

Reassigning x and y as Linear Combinations: Part IV
Finally, we see that only the x coefficients are of any consequence
to the final result. Specifically, once the gcd algorithm is complete,
since the initial (and desired) value of x can be found by
multiplying the final corresponding value of x by the proper
coefficient of x, and since the final corresponding value of x = 1,
we get that the desired value of x is equal to the coefficient of the
corresponding final value of x.

Multiplicative Inverse in Fp Program to Find the Multiplicative Inverse in Fp
Finding the Loop Invariant
Based on the long-winded previous slides, we can describe a loop
invariant:
Axl + Byl = gcd(a, b)
where xl is is the linear combination that the initial value of x is
equal to, and yl is the linear combination that the initial value of y.
This loop invariant is nice, as it is fully compatible with the loop
invariant of gcd, and so it also progresses toward termination and
has a bound function that diﬀers from that of gcd linearly.

A Last Look at gcd for Reference...
proc gcd(a, b) ≡
do a > b → a := a − b
b > a → b := b − a
od
return a.

Multiplicative Inverse Program
Multiplicative Inverse
proc multinv(a, b) ≡
xx := 1; yx := 0
do a > b → a := a − b; yx := yx + xx
b > a → b := b − a; xx := xx + yx
od
return xx .

Conclusion Summary
Summary
Finite fields are very useful mathematical constructs that can
behave very differently from fields of infinite order.
Program derivation is performed by using the rules of the
weakest precondition predicate transformer to determine what
sequence of conditions (and thus what program statements)
must have occured between a given precondition and
postcondition.
While the process of deriving my multiplicative inverse
program was time-consuming and complicated, the results
were well worth the effort.

Conclusion Future Work
Future Work
Program Derivation of Exponentiation in Fp
Extend scope to include Fpn
Explore factorization techniques
Finish library and create graphical front end

Conclusion Contact Me
Contact Information
You can email me at charlie@stuphlabs.com if you have any
further questions or comments.

Program Derivation of Operations in Finite Fields of Prime Order

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (14)

Ähnlich wie Program Derivation of Operations in Finite Fields of Prime Order

Ähnlich wie Program Derivation of Operations in Finite Fields of Prime Order (20)

Mehr von Charles Southerland

Mehr von Charles Southerland (11)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Program Derivation of Operations in Finite Fields of Prime Order