Finite Fields

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

2.9. Finite Fields

Finite fields are seemingly the most important types of fields used in cryptography. They enjoy certain nice properties that infinite fields (in particular, the well-known fields like , and ) do not. We concentrate on some properties of finite fields in this section. As we see later, arithmetic over a finite field K is fast, when char K = 2 or when #K is a prime. As a result, these two classes of fields are the most common ones employed in cryptography. However, in this section, we do not restrict ourselves to these specific fields only, but provide a general treatment valid for all finite fields. As in the previous section, we continue to use the letters F, K, L to denote fields. In addition, we use the letter p to denote a prime number and q a power of p: that is, q = pⁿ for some .

2.9.1. Existence and Uniqueness of Finite Fields

Let K be a finite field of cardinality q. Then p := char K > 0. By Proposition 2.7, p is a prime, that is, K contains an isomorphic copy of the field . If , we have q = pⁿ. Therefore, we have proved the first statement of the following important result.

Theorem 2.35.

The cardinality of a finite field is a power pⁿ, , of a prime number p. Conversely, given and , there exists a finite field of cardinality pⁿ.

Proof

In order to construct a finite field of cardinality q := pⁿ, we start with and consider the splitting field K of the polynomial . Since f′(X) = –1 ≠ 0, the roots of f are distinct (Exercise 2.61). Therefore, the set has cardinality q. By Exercise 2.80, E is a field. Since F ⊆ E ⊆ K and f splits over E, by definition of splitting fields, we have K = E, that is, #K = #E = q.

Theorem 2.36. Fermat’s little theorem for finite fields

Let K be a finite field of cardinality q. Then every satisfies a^q = a.

Proof

Clearly, 0^q = 0. Take a ≠ 0. K* being a group of order q – 1, by Proposition 2.4 ord_K* (a) divides q – 1. In particular, a^q–1 = 1, that is, a^q = a.

Theorem 2.37.

Let K be a finite field of cardinality q = pⁿ and let F be the subfield of K isomorphic to . Then K is the splitting field of the polynomial over F. In particular, K is unique up to F -isomorphisms (that is, isomorphisms fixing elements of F).

Proof

By Theorem 2.37, each of the q elements of K is a root of f and consequently K is the splitting field of f. The last assertion in the theorem follows from the uniqueness of splitting fields (Proposition 2.33).

This uniqueness allows us to talk about the finite field of cardinality q (rather than a finite field of cardinality q). We denote this (unique) field by .

The results proved so far can be generalized for arbitrary extensions , where q = pⁿ, n, . We leave the details to the reader (Exercise 2.82). It is important to point out here that since is the splitting field of X^{q^m} – X over , by Exercise 2.77 we have:

Corollary 2.14.

Every finite extension of finite fields is normal.

This implies that an irreducible polynomial has either none or all of its roots in . Also if with q = pⁿ, then α^q = α^pⁿ = α. Therefore, α^{p^n–1} is a p-th root of α. By Exercise 2.76(b), we then conclude:

Corollary 2.15.

Every finite field is perfect.

Proposition 2.34.

Consider the extension , . There is a unique intermediate field with q^d elements, , if and only if d|m. Furthermore, if d|m, then belongs to the (unique intermediate) field if and only if α^{q^d} = α.

Proof

For d|m, we have (X^{q^d} – X)|(X^{q^m} – X). The q^d roots of X^{q^d} – X in K constitute an intermediate field L. If L′ ≠ L is another intermediate field with q^d elements, by Theorem 2.36 there are more than q^d elements of K, that are roots of X^{q^d} – X, a contradiction. Conversely, an intermediate field L contains q^d elements, where . Since , we have d|m. The last assertion in the proposition follows immediately from the above argument.

Corollary 2.16.

Let and . Then deg f divides m.

Proof

Consider the extension of , where d := deg f, and the fact that is a normal extension.

Now we will prove a very important result concerning the multiplicative group .

Theorem 2.38.

is a cyclic group for any finite field .

Proof

Modify the proof of Proposition 2.19 or use the following more general result.

Theorem 2.39.

Let K be a field (not necessarily finite). Then any finite subgroup G of the multiplicative group K* is cyclic.

Proof

Since K is a field, for any the polynomial Xⁿ – 1 has at most n roots in K and hence in G. The theorem then follows immediately from Exercise 2.18.

Corollary 2.17.

Every finite extension is simple. In particular, contains an irreducible polynomial of degree m (for any q and m).

Proof

Let α be a generator of the cyclic group . Then, m is the smallest of the positive integers s for which α^{q^s} = α. Let with d := deg f, so that . If d < m, then α^{q^d} = α, a contradiction. Thus d = m, that is, .

2.9.2. Polynomials over Finite Fields

In this section, we study some useful properties of polynomials over finite fields. We concentrate on polynomials in for an arbitrary q = pⁿ, , . We have seen how the polynomials X^{q^m} – X proved to be important for understanding the structures of finite fields. But that is not all; these polynomials indeed have further roles to play. This prompts us to reserve the following special symbol: .

Let be a finite extension of finite fields and let be a root of the polynomial . Since each , we have . Therefore, . More generally, for each r = 0, 1, 2, · · · the element is a root of f(X). This gives us a nice procedure for computing the minimal polynomial of α as the following corollary suggests.

Corollary 2.18.

The minimal polynomial of over is (X – α)(X – α^q) · · · (X – α^{q^d–1}), where d is the smallest of the integers for which α^{q^s} = α.

Proof

Let have degree δ. So is the smallest field containing ( and) α and hence all the roots of f_α, that is, α^{q^s} = α for s = δ and for no smaller positive integer values of s. Therefore, δ = d and all the conjugates of α are precisely α, α^q, . . . , α^{q^d–1}.

We now prove a theorem which has important consequences.

Theorem 2.40.

is the product of all monic irreducible polynomials in , whose degrees divide m.

Proof

We have . By Corollary 2.18 , the minimal polynomial f_α(X) of over divides . By Corollary 2.16, deg f_α divides m. Finally, since f_α(X) = f_β(X) or gcd(f_α(X), f_β(X)) = 1 depending on whether α and β are conjugates or not, is a product of monic irreducible polynomials of , whose degrees divide m. In order to show that is the product of all such polynomials, let us consider an arbitrary polynomial which is monic and irreducible over and has degree d|m. The polynomial g splits over (with no multiple roots, finite fields being perfect). Since d|m, by Proposition 2.34 . Thus g splits over as well and, in particular, divides .

The first consequence of Theorem 2.40 is that it leads to a procedure for checking the irreducibility of a polynomial . Let d := deg f. If f(X) is reducible, it admits an irreducible factor of degree ≤ ⌊d/2⌋. Since is the product of all distinct irreducible factors of f with degrees dividing m, we compute the gcds g₁, . . . , g_⌊d/2⌋. If all these gcds are 1, we conclude that f is irreducible. Otherwise f is reducible. We will see an optimized implementation of this procedure in Chapter 3. Besides irreducibility testing, the above theorem also leads to algorithms for finding random irreducible polynomials and for factorizing polynomials, as we will also discuss in Chapter 3.

The second consequence of Theorem 2.40 is that it gives us a formula for calculating the number of monic irreducible polynomials of a given degree over a given field. First we need to define a function on .

Definition 2.58.

The Möbius function is defined as

It follows that μ(n) ≠ 0 if and only if n is square-free.

Lemma 2.6.

For , we have

where denotes summation over all positive divisors d of n.

Proof

The result follows immediately for n = 1. For n > 1, write , where p₁, . . . , p_r are r ≥ 1 distinct primes and . The only non-zero terms in the sum are those corresponding to d = p_i₁ · · · p_{i_s} for pairwise distinct choices of . From definition, it then follows that .

Lemma 2.7. Möbius inversion formula

Let f and g be maps from to an Abelian group G.

If G is additive and , then
If G is multiplicative and , then

Proof

To prove the additive formula we note that

where the last equality follows from Lemma 2.6. The multiplicative formula can be proved similarly.

Let us denote by ν_q,m the number of monic irreducible polynomials in of degree m and by the product of all monic irreducible polynomials in of degree m. By Theorem 2.40, we have and . Applications of the Möbius inversion formula then yield the following formulas:

Equation 2.4

If p₁, . . . , p_r are all the prime divisors of m (not necessarily all distinct), Equation (2.4) together with the observation that μ(n) ≥ –1 for all imply that But each p_i ≥ 2, so that m ≥ 2^r, and hence . We, therefore, have an independent proof of the second statement in Corollary 2.17. Moreover, for practical values of q and m we have the good approximation:

Equation 2.5

Since the total number of monic polynomials of degree m in F_q[X] is q^m, a randomly chosen monic polynomial in of degree m has an approximate probability of 1/m for being irreducible, that is, one expects to get an irreducible polynomial of degree m, after O(m) random monic polynomials are picked up from . These observations have an important bearing for devising efficient algorithms for finding irreducible polynomials over finite fields. (See Chapter 3.)

The conjugates of over are α^qⁱ, . It is interesting to look at the sum and the product of the conjugates of α. By Corollary 2.18, for some . Since , the elements and belong to . Since α^{q^d} = α, for any (positive) integral multiple δ of d, the sum and the product are elements of too.

Definition 2.59.

Let , q = pⁿ, be a finite extension of finite fields and let . The trace of α over is defined as the sum

and the norm of α over is defined as

In view of the preceding discussion, the trace and norm of α are elements of . For q = p, the trace and norm of α are also called the absolute trace and the absolute norm of α and are often denoted as and . We often drop the suffix in these notations, when no ambiguities are likely.

The trace and norm functions play an important role in the theory of finite fields. See Exercise 2.86 for some elementary properties of these functions.

2.9.3. Representation of Finite Fields

is a vector space of dimension m over . Let β₀, . . . , β_m–1 be an -basis of . Each element has a unique representation a = a₀β₀ + · · · + a_m–1β_m–1 with each . Therefore, if we have a representation of the elements of , we can also represent the elements of . Thus elements of any finite field can be represented, if we have representations of elements of prime fields. But the set {0, 1, . . . , p – 1} under the modulo p arithmetic represents .

So our problem reduces to selecting suitable bases β₀, . . . , β_m–1 of over . In order to illustrate how we can do that, let us choose a priori a fixed monic irreducible polynomial with deg f = m. We then represent , where α (the residue class of X) is a root of f in . The elements are linearly independent over , since otherwise we would have a non-zero polynomial of degree less than m, of which α is a root. The -basis 1, α, . . . , α^m–1 of is called a polynomial basis (with respect to the defining polynomial f). The elements of are then polynomials of degrees < m. The arithmetic in is carried out as the polynomial arithmetic of modulo the irreducible polynomial f.

Example 2.19.

The elements of are 0 and 1 with 0 + 0 = 0, 0 + 1 = 1, 1 + 0 = 1, 1 + 1 = 0, 0 · 0 = 1 · 0 = 0 · 1 = 0 and 1 · 1 = 1. In order to represent , we choose the irreducible polynomial . Elements of are a₂α² +a₁α+a₀, where . In order to demonstrate the arithmetic in , we take . Their sum in is a+b = α+1. On the other hand, ab = α⁴+α³+α²+α = α(α³+α²+1)+α² = α.0+α² = α². The complete multiplication table for this representation is given in the Table 2.2.

Table 2.2. Multiplication table for
	1	α	α + 1	α²	α² + 1	α² + α	α² + α + 1
0	0	0	0	0	0	0	0
1	1	α	α + 1	α²	α² + 1	α² + α	α² + α + 1
α	α	α²	α² + α	α² + 1	α² + α + 1	1	α + 1
α + 1	α + 1	α² + α	α² + 1	1	α	α² + α + 1	α²
α²	α²	α² + 1	1	α² + α + 1	α + 1	α	α² + α
α² + 1	α² + 1	α² + α + 1	α	α + 1	α² + α	α²	1
α² + α	α² + α	1	α² + α + 1	α	α²	α + 1	α² + 1
α² + α + 1	α² + α + 1	α + 1	α²	α² + α	1	α² + 1	α

is represented by the set {0, 1, 2} with arithmetic operations modulo 3. Since –1 is a quadratic non-residue modulo 3, the polynomial X² + 1 is irreducible over . Therefore, the quotient field can be used to represent , being a root of this polynomial. The multiplication table of under this representation is then as shown in Table 2.3.

Table 2.3. Multiplication table for
	1	2	β	β + 1	β + 2	2β	2β + 1	2β + 2
0	0	0	0	0	0	0	0	0
1	1	2	β	β + 1	β + 2	2β	2β + 1	2β + 2
2	2	1	2β	2β + 2	2β + 1	β	β + 2	β + 1
β	β	2β	2	β + 2	2β + 2	1	β + 1	2β + 1
β + 1	β + 1	2β + 2	β + 2	2β	1	2β + 1	2	β
β + 2	β + 2	2β + 1	2β + 2	1	β	β + 1	2β	2
2β	2β	β	1	2β + 1	β + 1	2	2β + 2	β + 2
2β + 1	2β + 1	β + 2	β + 1	2	2β	2β + 2	β	1
2β + 2	2β + 2	β + 1	2β + 1	β	2	β + 2	1	2β

Polynomial bases are most common in finite field implementations. Some other types of bases also deserve specific mention in this context.

Definition 2.60.

An element is called a normal element over , if the conjugates α, α^q, . . . , α^{q^m–1} are (distinct and) linearly independent over . For a normal element α of over , the -basis α, α^q, . . . , α^{q^m–1} is called a normal basis (of over ). If, in addition, α is a primitive element (that is, a generator) of , then α and the corresponding normal basis are called a primitive normal element and a primitive normal basis respectively.

It can be shown that normal bases exist for all finite extensions . It can even be shown that primitive normal bases also do exist for all such extensions.

Example 2.20.

Consider the representation of in Example 2.19. The elements α, α² and α⁴ = α² + α + 1 satisfy

with the 3×3 transformation matrix having determinant 1 modulo 2. Thus α is a normal element of and (α, α², α⁴) is a normal basis of . Since is prime, α is a generator of , that is, α is also a primitive normal element of .

On the other hand, α + 1 is not a normal element of . Table 2.2 gives

with the transformation matrix having determinant zero modulo 2.

Computations over finite fields often call for exponentiations of elements a = a₀β₀ + · · · + a_m–1β_m–1. If β_i = α^qⁱ, i = 0, . . . , m – 1, construct a normal basis, , since α^{q^m} = α and for each i. Thus the coefficients of a^q (in the representation under the given normal basis) is obtained simply by cyclically shifting the coefficients a₀, . . . , a_m–1 in the representation of a. This leads to a considerable saving of time. In particular, this trick becomes most meaningful for q = 2 (a case of high importance in cryptography).

Now that exponentiations become cheaper with normal bases, one should not let the common operations (addition and multiplication) turn significantly slower. The sum of a = a₀β₀ + · · · + a_m–1β_m–1 and b = b₀β₀ + · · · + b_m–1β_m–1 continues to remain as easy as in the case of a polynomial basis, namely, a + b = (a₀ + b₀)β₀ + · · · + (a_m–1 + b_m–1)β_m–1, where each a_i + b_i is calculated in . However, computing the product ab introduces difficulty. In particular, it requires the representation of β_iβ_j, 0 ≤ i, j ≤ m – 1, in the basis β₀, . . . , β_m–1, say, . For i ≤ j, we have . It is thus sufficient to look only at the coefficients , 0 ≤ j, k ≤ m – 1. We denote by C_α the number of non-zero . From practical considerations (for example, for hardware implementations), C_α should be as small as possible. For q = 2, one can show that 2m – 1 ≤ C_α ≤ m². If, for this special case, C_α = 2m – 1, the normal basis α, α^q, . . . , α^{q^m–1} is called an optimal normal basis. Unlike normal (or primitive normal) bases, optimal normal bases do not exist for all values of .

We finally mention another representation of elements of a finite field , that does not depend on the vector space representation discussed so far, but which is based on the fact that the group is cyclic. If we are given a primitive element (that is, a generator) γ of , then the elements of are 0, 1 = γ⁰, γ, . . . , γ^q–2. Multiplication and exponentiation become easy with this representation, since 0 · a = 0 for all , whereas γⁱ · γ^j = γ^k with k ≡ i + j (mod q – 1). Unfortunately, this representation provides no clue on how to compute γⁱ + γ^j. One possibility is to store a table consisting of the values z_k satisfying 1 + γ^k = γ^z_k for all k = 0, . . . , q – 2 (with γ^k ≠ –1), so that for i ≤ j one can compute γⁱ + γ^j = γⁱ(1 + γ^j–i) = γⁱγ^z_j–i = γ^l, where l ≡ i + z_j–i (mod q – 1). Such a table is called Zech’s logarithm table, can be maintained for small values of q and may facilitate computations in extensions . But if q is large (or more correctly if p is large, where q = pⁿ), this representation of elements of is not practical nor often feasible. Another difficulty of this representation is that it calls for a primitive element γ. If q is large and the integer factorization of q – 1 is not provided, there are no efficient methods known for finding such an element or even for checking if a given element is primitive.

Example 2.21.

Consider the representation of in Example 2.19. By Table 2.3, γ := β + 1 is a generator of . Table 2.4 lists the powers of γ and the Zech logarithms.

Table 2.4. Zech’s logarithm table for with respect to γ = β + 1
k	γ^k	1 + γ^k	z_k
0	1	2	4
1	β + 1	β + 2	7
2	2β	2β + 1	3
3	2β + 1	2β + 2	5
4	2	0	–
5	2β + 2	2β	2
6	β	β + 1	1
7	β + 2	β	6

Exercise Set 2.9

2.80	Let F be a field (not necessarily finite) of characteristic and let a, . Prove that (a + b)^p = a^p + b^p, or, more generally, (a + b)^pⁿ = a^pⁿ + b^pⁿ for all . [H]
2.81	Let , and q := pⁿ. Prove that: If , then f(X^p) = f(X)^p. If , then f(X^p) = g(X)^p for some .
2.82	Let , n, and q := pⁿ. Let F ⊆ K be an extension of finite fields with #F = q and #K = q^m. Show that K is the splitting field of over . [H]
2.83	Write the addition and multiplication tables of (some representations of) the fields and . Use these tables to find a primitive element in each of these fields and a normal element in (over ).
2.84	Let K be a field (not necessarily finite or of positive characteristic). Let be of degree 2 or 3. Prove that f is reducible in K[X] if and only if f has a root in K. Deduce that X² + X + 1 and X³ + X + 1 are irreducible in . Let be of degree d ≥ 0. The opposite of f is the polynomial . Show that f(X) is irreducible in K[X] if and only if f^op(X) is irreducible in K[X]. Deduce that X³ + X² + 1 is irreducible in .
2.85	In this exercise, one studies the arithmetic in the finite field . Show that is irreducible. Let us represent as . Call and consider the elements a := 3α² + 2α + 1 and b := 2α² + 3 in . Compute ab^–1 in this representation of . You should compute the canonical representative of ab^–1 in , that is, a polynomial in α of degree < 3 with coefficients reduced modulo 5.
2.86	Let F ⊆ K ⊆ L be finite extensions of finite fields with [L : K] = s. Let α, and . Prove the following assertions: Tr_K\|F(α + β) = Tr_K\|F(α) + Tr_K\|F (β) and N_K\|F (αβ) = N_K\|F (α) N_K\|F (β). Tr_L\|F (α) = s Tr_K\|F (α) and N_L\|F (α) = N_K\|F (α)^s. Transitivity of trace and norm Tr_L\|F (γ) = Tr_K\|F (Tr_L\|K(γ)) and N_L\|F (γ) = N_K\|F (N_L\|K (γ)).
2.87	Let be a finite extension of finite fields. In this exercise, we treat both K and L as vector spaces over K. Show that: Tr_L\|K is a surjective linear transformation L → K. All the linear transformations L → K are given by T_α : L → K, β ↦ Tr_L\|K(αβ), where . (In this notation, Tr_L\|K = T₁.) Moreover, for distinct elements α, the linear transformations T_α and T_α′ are distinct.
2.88	Let K and L be as in Exercise 2.87 and let . Show that Tr_L\|K(β) = 0 if and only if β = γ^q – γ for some .
2.89	Let K and L be as in Exercise 2.87. Two K-bases (β₀, . . . , β_m–1) and (γ₀, . . . , γ_m–1) of L are called dual or complementary, if Tr_L\|K(β_iγ_j) = δ_ij.^[10] Show that every K-basis of L has a unique dual basis. ^[10] The Kronecker delta δ on an index set I (finite or infinite) is defined for i, as:
2.90	Prove that every finite extension of finite fields is Galois. [H]
2.91	For the extension , consider the map , α ↦ α^q. Show that is an -automorphism of . is called the Frobenius automorphism of over . Show that is cyclic of order m and with as a generator. [H]
2.92	Let be irreducible with deg f = d. Consider the extension and let r := gcd(d, m). Show that f is irreducible in if and only if r = 1. [H] More generally, show that f factors in into a product of r irreducible polynomials each of degree d/r.
2.93	Consider the representation of in Example 2.19. Construct the minimal polynomials over of the elements of . [H]
2.94	Show that the number of (ordered) -bases of is (q^m – 1)(q^m – q)(q^m – q²) · · ·(q^m – q^{m – 1}).