
As finite fields are a very basic building block for many cryptographic protocols that play an essential role in modern life, we begin by introducing them. Loosely speaking, a (finite) field consists of a (finite) set of elements together with two operations, addition (denoted “+”) and multiplication (denoted “·”), which must satisfy certain criteria. Details can be found in any algebra textbook, such as [130].

Definition 2.1.1. A ring (R, +, ·) is a set R, together with two binary operations, denoted by + and ·, such that (R, +) is an abelian group, · is associative, and the distributive laws hold.

Recall that a ring is called a ring with identity if the ring has a multiplicative identity. A ring is called commutative if · is commutative. In this thesis by a ring we shall always mean a commutative ring with identity element. An ideal I of a ring R is a subring of R such that for all a ∈ I and r ∈ R we have ar ∈ I and ra ∈ I.

Definition 2.1.2. A field (K, +, ·) is a ring such that (K \ {0}, ·) is a group. If a field (K, +, ·) contains only finitely many elements, it is called a finite field.

Note that for brevity we usually write xy instead of x · y. If it is clear from the context which addition and multiplication we use with the field, we also write K instead of (K, +, ·). Our first examples of finite fields are the residue class fields Z/⟨p⟩, where ⟨p⟩ is the principal ideal generated by a prime p.

Definition 2.1.3. Let p be a prime number, let F_p be the set {0, . . . , p − 1} of integers and let ϕ : Z/⟨p⟩ −→ F_p be the map defined by ϕ(ā) = a for a ∈ {0, . . . , p − 1}. Then F_p, equipped with the field structure induced by ϕ, is a finite field, called the Galois field of order p.

Note that computing with elements of F_p means ordinary integer arithmetic with reduction modulo p. We also know that every finite field has prime characteristic and that the prime subfield of a finite field K is isomorphic to F_p.

Before going into further details of finite fields, we need to recall a few results from field theory. Let K ⊆ L be a field extension. The extension (field) K(α) of K obtained by adjoining the element α ∈ L is called a simple extension of K, and α is called a defining element of K(α) over K. If α is algebraic over K, then there exists a uniquely determined monic polynomial f ∈ K[x] such that f(α) = 0, where K[x] is the polynomial ring over K in one indeterminate. This uniquely determined monic polynomial f ∈ K[x] is called the minimal polynomial (or defining polynomial, or irreducible polynomial) of α over K. By the degree of α over K we mean the degree of f.

Proposition 2.1.4. Let α ∈ L be algebraic of degree e over K and let f be the minimal polynomial of α over K.

a) The extension field K(α) is isomorphic to K[x]/(f), where K[x] is the polynomial ring over K in one indeterminate.

b) The set {1, α, . . . , α^{e−1}} is a basis of K(α) over K.

c) Every β ∈ K(α) is algebraic over K and its degree over K is a divisor of e.

Proof. See [130], Theorem 1.86.

Due to the proposition above, any element of K(α) can be uniquely represented in the form a_0 + a_1α + · · · + a_{e−1}α^{e−1} with a_i ∈ K for 0 ≤ i ≤ e − 1. The construction of a simple algebraic extension without reference to a previously given larger field L is given by the following theorem.

Proposition 2.1.5. Let K be a field, K[x] be the polynomial ring in one indeterminate and let f ∈ K[x] be an irreducible polynomial. Then there exists a simple algebraic extension of K with a root of f as a defining element.

Proof. See [130], Theorem 1.87.

The construction of a simple algebraic extension as given by the above proposition is sometimes referred to as root adjunction. Adjoining different roots of the polynomial f gives the same simple algebraic extension (up to isomorphism), as the following result shows.

Proposition 2.1.6. Let K be a field and let K[x] be the polynomial ring in one indeterminate. Let α and β be two roots of the polynomial f ∈ K[x] that is irreducible over K. Then K(α) and K(β) are isomorphic under an isomorphism mapping α to β and keeping the elements of K fixed.

Proof. See [130], Theorem 1.89.

Now the splitting field is the extension field to which all roots of the polynomial f belong.

Theorem 2.1.7. Let K be a field, K[x] be the polynomial ring in one indeterminate, and let f be a polynomial of positive degree in K[x]. Then there exists a splitting field of f over K. Any two splitting fields of f over K are isomorphic under an isomorphism which keeps the elements of K fixed and maps roots of f into each other.

Proof. See [130], Theorem 1.91.

A splitting field of f over K is obtained from K by adjoining finitely many elements that are algebraic over K, so it is a finite extension of K. Due to Theorem 2.1.7 we may identify isomorphic fields, and therefore we can speak of the splitting field of f over K. Recall that any finite field of characteristic p has q = p^e elements for some positive integer e, and that if F_q is a finite field with q elements and F_p is a subfield of F_q, then F_q is a splitting field of x^q − x over F_p. The following characterization theorem tells us more about finite fields.

Theorem 2.1.8. (Existence and Uniqueness of Finite Fields) Let p be a prime and let e be a positive integer.

a) There exists a finite field with p^e elements.

b) There exists a unique (up to isomorphism) field having p^e elements.

Proof. See [130], Theorem 2.5.

Uniqueness in Theorem 2.1.8 is a consequence of the uniqueness (up to isomorphism) of splitting fields. The uniqueness provides the justification for speaking of the finite field (or Galois field) with q = p^e elements, or of the finite field (or the Galois field) of order q. From now on, we shall denote this field by F_q. Now we know that all finite fields of the same size are isomorphic, and so we have constructed the finite field of size p^e, which is isomorphic to F_p[x]/⟨f(x)⟩ where f(x) ∈ F_p[x] is an irreducible polynomial of degree e. Since finite fields are of central importance in this thesis, we briefly recall some useful results about them.

Lemma 2.1.9. Let F_q be a finite field with q elements. Then every element a ∈ F_q satisfies a^q = a.

Proof. If a is zero, then 0^q = 0 is trivial. If a is non-zero, note that the non-zero elements of F_q form a group of order q − 1 under multiplication. Thus a^{q−1} = 1 for all a ∈ F_q with a ≠ 0, and multiplication by a yields the required result.

A useful property of the multiplicative group F_q^× of F_q is given by the following result.

Lemma 2.1.10. Let F_q be a finite field. The multiplicative group F_q^× of non-zero elements of F_q is cyclic.

Proof. See [130], Theorem 2.8.

Lemmas 2.1.9 and 2.1.10 will prove particularly useful in the context of systems of polynomial equations defined over extension fields and in the context of polynomial maps. Recall that the p-th root of an element a ∈ F_q is uniquely determined: if b, c ∈ F_q satisfy b^p = c^p = a, then b^p − c^p = (b − c)^p = 0, which implies b = c.

Definition 2.1.11. The map ϕ : F_q −→ F_q defined by ϕ(a) = a^p is called the Frobenius map.

Note that the Frobenius map is a field homomorphism, since for all a, b ∈ F_q we have (a + b)^p = a^p + b^p and (ab)^p = a^p b^p.

Since F_q is a finite field, ϕ is bijective. In the field F_p every element is its own p-th root. This generalizes to an arbitrary finite field F_q as follows: for all a ∈ F_q, the map a ↦ a^{p^{e−1}} satisfies (a^{p^{e−1}})^p = a^{p^e} = a^q = a, so this map provides p-th roots.

Representing Elements of Finite Fields

From now on, let p be a prime number, let q = p^e for some e > 0, and let F_q be the finite field with q elements. Recall that there are three ways of representing the elements of the finite field F_q. For details we refer to [130], Chapter 2. Here we recall the one based on the fact that F_q is a simple algebraic extension of F_p. Let f(x) ∈ F_p[x] be an irreducible polynomial of degree e; then f(x) has a root α in F_q according to Proposition 2.1.4, so we have F_q = F_p(α).

In this way we may view F_q as the residue class ring F_p[x]/⟨f(x)⟩, and every element of F_q can be uniquely expressed as a polynomial in α over F_p of degree less than e. Note that this representation is unique (up to isomorphism), so it does not matter which irreducible polynomial f(x) ∈ F_p[x] we choose. In other words, all finite fields of the same size are isomorphic.

Example 2.1.12. We can represent the elements of the field F_4 as follows. The field F_4 is a simple algebraic extension of the field F_2 of degree 2. The extension F_4 is obtained by adjoining a root α of an irreducible polynomial of degree 2 over F_2, say f(x) = x^2 + x + 1 ∈ F_2[x]. We have f(α) = α^2 + α + 1 = 0 ∈ F_4. The multiplicative group of the non-zero elements of F_4 is generated by the field element α, which satisfies α^2 + α + 1 = 0. The elements of F_4 can be represented as {0, 1, α, α^2}. The operation tables for F_4 can easily be constructed with α playing the role of the residue class x̄ ∈ F_p[x]/⟨f(x)⟩.
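To make the constructions of this subsection concrete, the following is an added example in Python (not code from the thesis or from [130]): polynomial-basis arithmetic in F_q = F_p[x]/⟨f(x)⟩ together with the Frobenius map, the p-th root a ↦ a^{p^{e−1}}, and a multiplicative-order check for generators of F_q^×. It reproduces Example 2.1.12 for F_4 with f(x) = x^2 + x + 1 and, going beyond it, works for any prime p and monic f, whose irreducibility is assumed rather than verified.

```python
from itertools import product
# Added example (not from the thesis): arithmetic in F_q = F_p[x]/<f(x)>. An element
# is the coefficient list [a_0, ..., a_{e-1}] of a polynomial in the root alpha of f
# (Proposition 2.1.4 b); f is given as its coefficient list [f_0, ..., f_e], f_e = 1.
def poly_add(a, b, p):
    return [(x + y) % p for x, y in zip(a, b)]  # coefficient-wise, modulo p

def poly_mul(a, b, f, p):
    """Multiply, then reduce modulo the monic irreducible f of degree e."""
    e = len(f) - 1
    prod = [0] * (2 * e - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    for k in range(len(prod) - 1, e - 1, -1):  # clear each degree >= e using f
        c = prod[k]
        for i in range(e + 1):
            prod[k - e + i] = (prod[k - e + i] - c * f[i]) % p
    return prod[:e]

def poly_pow(a, n, f, p):
    """Square-and-multiply exponentiation a^n in F_q."""
    result, base = [1] + [0] * (len(f) - 2), list(a)
    while n:
        if n & 1:
            result = poly_mul(result, base, f, p)
        base, n = poly_mul(base, base, f, p), n >> 1
    return result

def frobenius(a, f, p):
    return poly_pow(a, p, f, p)  # Definition 2.1.11: a -> a^p
def pth_root(a, f, p):
    # a^(p^(e-1)) is the unique p-th root: (a^(p^(e-1)))^p = a^(p^e) = a^q = a
    return poly_pow(a, p ** (len(f) - 2), f, p)

def mult_order(a, f, p):
    """Order of a non-zero a in F_q^x; it equals q - 1 iff a generates (Lemma 2.1.10)."""
    one, n, cur = [1] + [0] * (len(f) - 2), 1, list(a)
    while cur != one:
        cur, n = poly_mul(cur, a, f, p), n + 1
    return n

def check_field(f, p):
    """For every a: a^q = a (Lemma 2.1.9); Frobenius is additive, bijective and inverted by pth_root."""
    e = len(f) - 1
    elems = [list(c) for c in product(range(p), repeat=e)]
    fermat = all(poly_pow(a, p ** e, f, p) == a for a in elems)
    additive = all(frobenius(poly_add(a, b, p), f, p) == poly_add(frobenius(a, f, p),
                   frobenius(b, f, p), p) for a in elems for b in elems)
    bijective = len({tuple(frobenius(a, f, p)) for a in elems}) == p ** e
    roots = all(frobenius(pth_root(a, f, p), f, p) == a for a in elems)
    return fermat and additive and bijective and roots
```

For F_4, `f = [1, 1, 1]` and `alpha = [0, 1]`: `poly_mul(alpha, alpha, f, 2)` returns `[1, 1]`, i.e. α^2 = α + 1, and `mult_order(alpha, f, 2)` returns 3, confirming that α generates F_4^×.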

For the other two ways of expressing the elements of F_q we refer to [130], Chapter 2.

2.2 Solving Systems of Polynomial Equations Over