Skip to content

The Rijndael Field

Mathematical groundwork for our small-field zerocheck

In this page, we lay some mathematical groundwork, necessary to explain our Rijndael zerocheck.

The Rijndael Field

The Rijndael field [FIPS197, § 4] is a small, 8-bit field used in AES, Grøstl and various other places. It's defined as the quotient ring

KF2[X]/(X8+X4+X3+X+1);\begin{equation*}K \coloneqq \mathbb{F}_2[X] \mathbin{/} \left( X^8 + X^4 + X^3 + X + 1 \right);\end{equation*}

KK is isomorphic to F28\mathbb{F}_{2^8}. During the univariate skip, our goal will be to perform "as much work as possible" over KK.

Tensor Basis

We now pick three elements ρ0,ρ1,ρ2\rho_0, \rho_1, \rho_2 of KK such that the elements of the tensor

(eq~(ρ,u))uB3\begin{equation*}\left( \widetilde{\texttt{eq}}(\rho, u) \right)_{u \in \mathcal{B}_3}\end{equation*}

yield an F2\mathbb{F}_2-basis of KK.

The KK-elements ρ0X\rho_0 \coloneqq X, ρ1X2\rho_1 \coloneqq X^2, and ρ2X4\rho_2 \coloneqq X^4 satisfy this property. Indeed, taking all subproducts of (X,X2,X4)(X, X^2, X^4), we get the list (1,X,X2,,X7)(1, X, X^2, \ldots , X^7), which is clearly linearly independent over F2\mathbb{F}_2. The actual tensor (eq~(ρ,v))vB3\left( \widetilde{\texttt{eq}}(\rho, v) \right)_{v \in \mathcal{B}_3} contains not

(1,ρ0,,ρ0ρ1ρ2),\begin{equation*}\left( 1, \rho_0, \ldots , \rho_0 \cdot \rho_1 \cdot \rho_2 \right),\end{equation*}

but rather

((1ρ0)(1ρ1)(1ρ2),ρ0(1ρ1)(1ρ2),,ρ0ρ1ρ2);\begin{equation*}\left( (1 - \rho_0) \cdot (1 - \rho_1) \cdot (1 - \rho_2), \rho_0 \cdot (1 - \rho_1) \cdot (1 - \rho_2), \ldots , \rho_0 \cdot \rho_1 \cdot \rho_2 \right);\end{equation*}

on the other hand, these two lists differ from each other by an invertible F2\mathbb{F}_2-linear transformation from F288F288\mathbb{F}_{2^8}^8 \to \mathbb{F}_{2^8}^8, so the distinction doesn't affect linear independence.

Embedding

We moreover assume that we have a fixed field embedding from ι:KF2128\iota : K \to \mathbb{F}_{2^{128}}. Since we have fixed F2\mathbb{F}_2-bases for both fields, ι\iota can be represented in practice as an 128×8128 \times 8 F2\mathbb{F}_2-matrix. Embedding looks like taking a subset sum of that matrix's 88 columns. In practice, it turns out to be more efficient to implement the entire transformation as a single lookup table. In this case, we precompute and store all 256 images in F2128\mathbb{F}_{2^{128}} of the various KK-elements.

Mathematically, the embedding ι\iota is not unique; it amounts to choosing a root of the Rijndael polynomial X8+X4+X3+X+1X^8 + X^4 + X^3 + X + 1 within F2128\mathbb{F}_{2^{128}}. There are 8 choices.

We write σ0\sigma_0, σ1\sigma_1, and σ2\sigma_2 for the images under ι\iota of ρ0\rho_0, ρ1\rho_1 and ρ2\rho_2. We note that the elements (eq~(σ,u))uB3\left( \widetilde{\texttt{eq}}(\sigma, u) \right)_{u \in \mathcal{B}_3} are also linearly independent over F2\mathbb{F}_2. Indeed,

eq~(σ,u)=eq~(ι(ρ),u)=ι(eq~(ρ,u))\begin{equation*}\widetilde{\texttt{eq}}(\sigma, u) = \widetilde{\texttt{eq}}(\iota(\rho), u) = \iota\left( \widetilde{\texttt{eq}}(\rho, u)\right)\end{equation*}

holds for each uB3u \in \mathcal{B}_3, since ι\iota is a field embedding (and "commutes" with the equality indicator). Moreover, ι\iota takes F2\mathbb{F}_2-linearly independent lists to F2\mathbb{F}_2-linearly independent lists, since it's injective and F2\mathbb{F}_2-linear.

Deterministic Zerocheck

We now explain a zerocheck variant, adapting an idea of Dao and Thaler [DT24a]. We fix an \ell-variate F2\mathbb{F}_2-polynomial t(X0,,X1)t(X_0, \ldots , X_{\ell - 1}), which is claimed to vanish identically on B\mathcal{B}_\ell.

In the usual zerocheck, the verifier samples an \ell-dimensional fully random challenge rxF2128r_x \gets \mathbb{F}_{2^{128}}^\ell; the parties then run a sumcheck on the claim

0=?xBt(x)eq~(rx,x).\begin{equation*}0 \stackrel{?}= \sum_{x \in \mathcal{B}_\ell} t(x) \cdot \widetilde{\texttt{eq}}(r_x, x).\end{equation*}

By a standard analysis, the soundness analysis of this maneuver is bounded from above by 2128\frac{\ell}{2^{128}}.

Instead, we instruct the verifier to sample an 3\ell - 3-dimensional random challenge rx\overline{r_x}, and let

rx(σ0,σ1,σ2,rx,0,,rx,4).\begin{equation*} r_x \coloneqq (\sigma_0, \sigma_1, \sigma_2, \overline{r_{x, 0}}, \ldots , \overline{r_{x, \ell - 4}}).\end{equation*}

The first three components of rxr_x are now "deterministic". The parties can now sumcheck

0=?xBt(x)eq~(rx,x).\begin{equation*}0 \stackrel{?}= \sum_{x \in \mathcal{B}_\ell} t(x) \cdot \widetilde{\texttt{eq}}(r_x, x).\end{equation*}

This variant is also sound. In fact, its soundness error is bounded from above by just 32128\frac{\ell - 3}{2^{128}}. Indeed, if we write

t(X0,,X4)uB3t(u0,u1,u2,X0,,X4)eq~(σ,u)\begin{equation*}\overline{t}(X_0, \ldots , X_{\ell - 4}) \coloneqq \sum_{u \in \mathcal{B}_3} t(u_0, u_1, u_2, X_0, \ldots , X_{\ell - 4}) \cdot \widetilde{\texttt{eq}}(\sigma, u)\end{equation*}

for the "bit-packing" of t(X0,,X1)t(X_0, \ldots , X_{\ell - 1}) over (eq~(σ,v))vB3\left( \widetilde{\texttt{eq}}(\sigma, v) \right)_{v \in \mathcal{B}_3}, then

xBt(x)eq~(rx,x)=vB3[uB3t(uv)eq~(σ,u)]eq~(rx,v)=vB3t(v)eq~(rx,v).\begin{align*} \sum_{x \in \mathcal{B}_\ell} t(x) \cdot \widetilde{\texttt{eq}}(r_x, x) &= \sum_{v \in \mathcal{B}_{\ell - 3}} \left[ \sum_{u \in \mathcal{B}_3} t(u \mathbin{\Vert} v) \cdot \widetilde{\texttt{eq}}(\sigma, u) \right] \cdot \widetilde{\texttt{eq}}(\overline{r_x}, v) \\ &= \sum_{v \in \mathcal{B}_{\ell - 3}} \overline{t}(v) \cdot \widetilde{\texttt{eq}}(\overline{r_x}, v). \end{align*}

Since the F2128\mathbb{F}_{2^{128}}-elements (eq~(σ,v))vB3\left( \widetilde{\texttt{eq}}(\sigma, v) \right)_{v \in \mathcal{B}_3} are linearly independent over F2\mathbb{F}_2 (see above), if t(X0,,X1)t(X_0, \ldots , X_{\ell - 1}) is not identically zero over B\mathcal{B}_\ell, then t(X0,,X4)\overline{t}(X_0, \ldots , X_{\ell - 4}) is likewise not identically zero over B3\mathcal{B}_{\ell - 3}. Here, we use the fact that t(X0,,X1)t(X_0, \ldots , X_{\ell - 1})'s restriction to B\mathcal{B}_\ell is F2\mathbb{F}_2-valued.

On the other hand, the right-hand sum above is exactly the evaluation of the multilinear extension of t(X0,,X4)\overline{t}(X_0, \ldots , X_{\ell - 4}) at rx\overline{r_x}. Since we just argued that t(X0,,X4)\overline{t}(X_0, \ldots , X_{\ell - 4}) is not identically zero over B3\mathcal{B}_{\ell - 3}, the usual soundness analysis of the zerocheck imples that, except with probability at most 32128\frac{\ell - 3}{2^{128}} over the verifier's choice of rx\overline{r_x}, the above sum is nonzero.

We will say more later about how the prover can actually exploit the structure of this rxr_x during its univariate skip.