[CS304] Introduction to Cryptography and Network Security

Course Instructor: Dr. Dibyendu Roy Winter 2023-2024

Scribed by: Shah Vedant Rupeshkumar (202151143) Lecture (Week 4)

1 Subgroups and Cyclic Groups

A non empty subset H of a group (G,*) is a subgroup of G if H is itself a group with respect to
the operation * of G. If H is a proper subset and group with respect to * of G, then it is called a
proper subgroup of (G,*). The following conditions must follow:

(i) H ⊆ G or not
(ii) H is itself a group with *

From this we can say that if we consider set of all integers Z as a group with operation + and
H contains only element 0 in its set, then as H is a subset of G and it forms a group (0,+), So, we
can say that H is a subgroup of G.

G : (z, +) & H : (0, +) implies that 0 ⊆ Z

Assume (G,*) as a group, then a ∈ G implies a*a ∈ G, a*a*a ∈ G, a*a*a*a ∈ G... Then, we
can define

a ∗ a = a2 , a ∗ a ∗ a = a3 , a ∗ a ∗ a ∗ a = a4
So, we can say that
ai = a ∗ a ∗ a...i times
For a*a mapping of groups is created as G × G → G

A group G is cyclic if there is an element α ∈ G such that for every b ∈ G there is an integer
with b = αi . This α is called the generator of (G,*).

Order of an element
Order of an element α ∈ G O(α) is the least positive integer m such that αm = e where e is the
identity element of G.

Now, we will assume {Zm , +} as a Group where m can be any integer. If we assume m=5 So,
for {Z5 , ∗} O(4)=2 as 42 = 1 as mod 5 is done.

So, to generalise we can say that if a ∈ G and a ̸= e where e is the identity element of G, then
O(a) = 5 if a5 = e. So, the set S of the group is defined as

S = {e, a, a2 , a3 , a4 }
Here, we can say that a ∗ a4 = e and a2 ∗ a3 = e.

So, (s,*) must satisfy the following properties to be a subgroup of (G,*):

1
 (i) S ⊆ G or not

(ii) (S,*) is itself a group with *

If G is a group and a ∈ G,then the set of all powers of a will form a cyclic subgroup and it is
denoted by < a >.

Here, S forms a cyclic subgroup < a > of G.

Let G be a group and a ∈ G be an element of finite order t, then | < a > | denotes the size of
the subgroup generated by a and it is equal to t.

2 Lagrange’s Theorem
If G is a finite group and H is a subgroup of G, then |H| divides |G| . Here, if a ∈ G and its order
is O(a), then

S = {e, a, a2 , ..., aO(a)−1 } =< a >

So, if (S,*) is a subgroup of (G,*) from the above mentioned conditions, then

|S| | |G|

and it implies
O(a) | |G|
If the order of a ∈ G is t, then order of ak will be t/gcd(t,k).

< a >= {e, a, a2 , ..., aO(a)−1 }

t )−1
< at >= {e, at , a2t , ..., at.O(a }
Now, assume b=at
S = {e, a, a2 , ..., aO(a)−1 } =< a >
Now, lets take example to understand above part. So, lets take (Z6 , +6 as a group, we can say
that O(2) = 3 and O(4)=3 and if we use formula assuming a=2, k=2 and so, t=3 and so using
formula

O(at ) = 3/gcd(3, 2) = 3

3 Ring
A ring (R,+R , XR consists of a set R with 2 binary operations arbitrarily decided by +R (addition)
and ×R (multiplication) on R satisfying the following properties:

(i) (R,+R ) is an abelian group with identity element 0R .

(ii) The operation ×R is associative i.e.

a ×R (b ×R C) = (a ×R b) ×R C

for all a,b,c ∈ R

2
(iii) There is a multiplication identity denoted by IR with IR ̸= 0R such that IR ×R a = a×R IR = a
for all a ∈ R.

(iv) The operation ×R is distributive over +R i.e.

(b +R c) ×R a = (b ×R a) +R (c ×R a)

a ×R (b + Rc) = (a ×R b) +R (a ×R c)

Now, we will check that whether (Z,+,.) forms a ring or not where Z represents a set of integers.

(i) We can say that (Z,+) forms an abelian group as:

(a) a+(b+c) = (a+b)+c : satisfies assocciative property

(b) a+0 = 0+a =a where 0 represents identity element
(c) a+(-a) = 0 = (-a)+a
(d) a+b = b+a for all a,b ∈ Z : satisfies commutative property

(ii) a.(b.c) = (a.b).c for all a,b,c ∈ Z

(iii) a.1 = 1.a where 1 represents the identity element

(iv) a.(b+c) = a.b + a.c and (b+c).a = (b.a) + (c.a) : satisfies distributive property

Now, we will take a ring (R,+R ,×R ) and it satisfies

a ×R b = b ×R a

for all a,b ∈ R then it is said to be a commutative ring. For example (Z,+,.) is a commutative ring
as a.b = b.a and here we just need to check the second part as first part must be commutative by
the defination of ring.

An element ’a’ of ring R is called unit or an invertible element if there is an element b ∈ R such
that a ×R b = 1R

The set of units of a ring R forms a group under multiplication operation. This is known as
group of units of R.

4 Field
A field is a non empty set F together with two binary operations +(additive) and *(multiplicative)
for which following properties are satisfied:

(i) (F,+) is an abelian group

(ii) If 0F denotes the additive identity element of (F,+) then (F/0,*) is a commutative/abelian
group.

(iii) For all a,b,c ∈ R, we have

(a ∗ (b + c)) = (a ∗ b) + (a ∗ c)

3
 So, by above rules we can say that (Z,+,.) will not form a field(As inverse of all numbers are
not integers) but (Q,+,.) will form a field where Z represents set of all integers and Q represents
set of all rational numbers.

Here, in conventions 0 represents additive identity and 1 represents multiplicative idenity. So,
(Q/0,.) is a commutative group.

Let F = 0,1,2,...,p-1 where p is some prime number. Then, Fp , +p , ∗p represents a field. Here,
+p represents (x+y) mod p and ∗p represents (x.y) mod p. Here, in this case inverse of x will be
p-x. Also, the set will satisfy distributive property.

5 Field Extension
Suppose K2 is a field with addition + and multiplication * and suppose k1 ⊆ K2 is closed under
both these operations such that K1 itself is a field for the restrictions of + and * to the set K1 .
Then, K1 is called a subfield of K2 and K2 is called a field extension of K1 .

Let F represent a field (F,+,*). Then, F[x] = a0 + a1 .x + a2 .x2 + ... + an−1 .xn−1 |ai ∈ F will
represent a polynomial ring.

6 Operations in polynomial ring

Addition Operation in Polynomial Ring

Let there be two polynomials:

a0 + a1 .x + a2 .x2 + ... + an−1 .xn−1 |ai ∈ F

b0 + b1 .x + b2 .x2 + ... + bn−1 .xn−1 |bi ∈ F

Then, there addition would be as:

(a0 + b0 ) + (a1 + b1 ).x + (a2 + b2 ).x2 + ... + (an−1 + bn−1 ).xn−1

where ai + bi represents additive property in Field F.

If we assume addition % 2, then coefficients are added under % 2.

Multiplication Operation in Polynomial Ring

Let there be two polynomials:

a0 + a1 .x + a2 .x2 + ... + an−1 .xn−1 |ai ∈ F

b0 + b1 .x + b2 .x2 + ... + bn−1 .xn−1 |bi ∈ F

Then, there multiplication would be as:

(a0 ∗ b0 ) + (a0 ∗ b1 + a1 ∗ b0 ).x + ... + (an−1 ∗ bn−1 ).x2.n−2

4
where ai ∗ bi represents multiplicative property in Field F.

Additive Inverse and Multiplicative Inverse in Polynomial Ring

We define additive inverse as -F[x] which represents a negative or additive inverse of all the
coefficients and is also called a 0 polynomial. Also, identity of multiplication is represented as 1
which is just a representation and does not mean actual 1.

It must also satisfy the commutative and distributive property in order to ensure that it will
form a ring.

If, F2 = 0,1 and (F2 ,+,*) forms a field, so we will check for

F2 = a0 , a1 .x + ... + an .xn−1 |ai ∈ F2

where + represents addition modulo 2 and * represents multiplication modulo 2.

So, let us assume P(x) = x+1 and q(x) = x2 + x + 1

P (x) + q(x) = (x + 1) + (x2 + x + 1) = x2 + (1 + 1).x + (1 + 1) = x2

It is also commutative under x and so it forms abelian group.

P (x) ∗ q(x) = (x + 1) ∗ (x2 + x + 1) = 1 + (1 + 1).x + (1 + 1).x2 + x3 = 1 + x3

7 Irreducible and Reducible Polynomials

A polynomial P(x) ∈ F[x] of degree n ≥ 1 is called irreducible if it cannot be written in the form
p1 (x) * p2 (x) with p1 (x), p2 (x) ∈ F[x] and degree of p1 (x), p2 (x) must be ≥ 1.

Now, we will represent I = < P (x) > = q(x).P(x) | q(x) ∈ F[x] and here I represents set of all
polynomials from F[x] which are multiples of q(x) and it does not represent cyclic polynomials.

If we represent polynomial ring as (F[x],+,*). We can consider P(x) as an irreducible polyno-

mial and now we will consider a field F[x] / < P (x) > and we will consider q(x) ∈ F(x) and q(x) =
d(x) * P(x) + r(x). Here, d(x) will represent quotient and r(x) will represent remainder. So, r(x)
∈ F[x]/< P (x) >. Here, r(x) will also contain 0 as an element and r(x) = 0 means P(x) completely
divides q(x). So, a new field can be formed.

(F [x]/ < P (x) >, +, ∗)

where + and * represents + and * under modulo P(x) and it will give remainder after multiplying
P(x).

If a polynomial is reducible it can be represented as P(x) = q1 (x).q2 (x) where deg(q1 (x) ≥ 1)
and deg(q2 (x) ≥ 1). If we consider polynomial x2 + 1 in F[x], then we can say that it is irreducible

5
in R and reducible in C set.

If we consider a polynomial x2 + x + 1 ∈ F2 [x] and where F2 [x] = {0, 1} where + represents ad-
dition mod 2 and * represents multiplication mod 2. Here x2 + x + 1 is an irreducible polynomial as
neither x+0 nor x+1 is a factor. So, as it does not have any factor of degree 1 and so it is irreducible.

So for two degree polynomials we just need to check if 0 nd 1 are roots or not and if they
are not, they will form an irreducible polynomial. So, now we will consider a polynomial ring (
F2 [x]/ < x2 + x + 1 >, +x2 +x+1 , ∗x2 +x+1 ). So, here if we represent q(x) as q(x) = d(x) * P(x) +
r(x) then deg(r(x)) will be atmost 1. So, set r(x) = 0,1,x,x+1.

If we divide x2 by x2 + x + 1, then we will get x+1 as remainder and if we divide x2 + 1 by

x2 + x + 1, then we will get x as remainder as all calculations are done will respect to F2 or mod 2.

So, by this analogy it is clear that to find r(x) we need to replace x2 by x+1 and so by applying
this analogy we get

x2 + 1 = (x+1) + 1 = x

x3 = x.x2 = x.(x+1) = x2 + x = x + 1 + x = 1.

So, x3 can be reduced to 1 if polynomial is x2 + x + 1.

x4 = x2 .x2 = (x+1).(x+1) = x2 + 2.x + 1 = x + 1 + 1 = x and so, x4 will be reduced to x. And

so, if we know the polynomial then we can find the remainders very easily and there is no need to
divide them.

For such polynomials we just assume x as the root and generate all possible sets of values which
can be remainders to create the set r(x).

Now, if we consider polynomial x3 + x2 + 1 then we can form remainder set by equating it with
0 and so r(x) formed will be equal to { 0,1,x,x2 , x2 + 1, x2 + x + 1, x + 1, x2 + x } and so we can
say if max degree = n, then we can get 2n possiblities of elements in the r(x) set and similarly if
we consider a polynomial x4 + x3 + 1, we get 16 possible elements in set r(x).

So, in short we will consider P(x)=0 and check if x is a root and if it is we generate a polynomial
of root deg > deg(P(x))

8 Advanced Encryption Standard(AES)

AES is an iterated block cipher. It is a standardised cryptography algorithm certified by NIST. It
is a substitution Permutation Network(SPN). It is a more secure algorithm as compared to DES.
The most secured cipher is the Reindel cipher which became popular as AES.

AES algorithm can be classified as

AES-128

6
 (i) Block Size - 128 bits

(ii) Number of rounds - 10

(iii) Secret Key size - 128 bits

AES-192

(i) S Block Size - 128 bits

(ii) No. of rounds - 12

(iii) Secret Key Size - 192 bits

AES-256

(i) Block Size - 128 bits

(ii) Number of rounds - 14

(iii) Secret Key Size - 256 bits

The block diagram for AES-128 can be represented as below:

128-bit Secret Key

Key Scheduling

K1 K2 K3

f1 f2 f3 ... Continues for 10 rounds

Plaintext
128-bits C1 C2

10th Round

K10 K11

f 10 C
C1 Ciphertext
So, there are 10 round functions and 11 round keys in AES-128. As there are only 10 rounds,
one round key is applied before the start of round 1. So, in general total no. of round keys would
be number of rounds + 1.