Normal basis explained

In mathematics, specifically the algebraic theory of fields, a normal basis is a special kind of basis for Galois extensions of finite degree, characterised as forming a single orbit for the Galois group. The normal basis theorem states that any finite Galois extension of fields has a normal basis. In algebraic number theory, the study of the more refined question of the existence of a normal integral basis is part of Galois module theory.

Normal basis theorem

Let

F\subsetK

be a Galois extension with Galois group

. The classical normal basis theorem states that there is an element

\beta\inK

such that

\{g(\beta):g\inG\}

forms a basis of K, considered as a vector space over F. That is, any element

\alpha\inK

can be written uniquely as

\alpha = \sum_ a_g\, g(\beta)

for some elements

a_g\inF.

A normal basis contrasts with a primitive element basis of the form

\{1,\beta,\beta^{2,\ldots,\beta}^n-1\}

, where

\beta\inK

is an element whose minimal polynomial has degree

n=[K:F]

Group representation point of view

A field extension with Galois group G can be naturally viewed as a representation of the group G over the field F in which each automorphism is represented by itself. Representations of G over the field F can be viewed as left modules for the group algebra F[''G'']. Every homomorphism of left F[''G'']-modules

\phi:F[G] → K

is of form

\phi(r)=r\beta

for some

\beta\inK

. Since

\{1 ⋅ \sigma|\sigma\inG\}

is a linear basis of F[''G''] over F, it follows easily that

\phi

is bijective iff

\beta

generates a normal basis of K over F. The normal basis theorem therefore amounts to the statement saying that if is finite Galois extension, then

K\congF[G]

as left

F[G]

-module. In terms of representations of G over F, this means that K is isomorphic to the regular representation.

Case of finite fields

For finite fields this can be stated as follows:^[1] Let

F=GF(q)=F_q

denote the field of q elements, where is a prime power, and let

	n)=F
GF(q
	qⁿ

denote its extension field of degree . Here the Galois group is

G=Gal(K/F)=\{1,\Phi,\Phi^{2,\ldots,\Phi}^n-1\}

with

\Phiⁿ=1,

a cyclic group generated by the q-power Frobenius automorphism

\Phi(\alpha)=\alpha^q,

with

\Phiⁿ=1=Id_K.

Then there exists an element such that

\\ = \ \

is a basis of K over F.

Proof for finite fields

In case the Galois group is cyclic as above, generated by

\Phi

with

\Phi^n=1,

the normal basis theorem follows from two basic facts. The first is the linear independence of characters: a multiplicative character is a mapping χ from a group H to a field K satisfying

\chi(h_1h_2)=\chi(h_1)\chi(h₂₎

; then any distinct characters

\chi_1,\chi_2,\ldots

are linearly independent in the K-vector space of mappings. We apply this to the Galois group automorphisms

	i:
\chi
	i=\Phi

K\toK,

thought of as mappings from the multiplicative group

H=K^x

. Now

K\congFⁿ

as an F-vector space, so we may consider

\Phi:F^n\toFⁿ

as an element of the matrix algebra M_n(F); since its powers

1,\Phi,\ldots,\Phi^n-1

are linearly independent (over K and a fortiori over F), its minimal polynomial must have degree at least n, i.e. it must be

X^n-1

The second basic fact is the classification of finitely generated modules over a PID such as

F[X]

. Every such module M can be represented as

M \cong\bigoplus_^k \frac

, where

f_i(X)

may be chosen so that they are monic polynomials or zero and

f_i+1(X)

is a multiple of

f_i(X)

f_k(X)

is the monic polynomial of smallest degree annihilating the module, or zero if no such non-zero polynomial exists. In the first case

\dim_F M = \sum_^k \deg f_i

, in the second case

\dim_FM=infty

. In our case of cyclic G of size n generated by

\Phi

we have an F-algebra isomorphism

F[G]\cong \frac

where X corresponds to

1 ⋅ \Phi

, so every

F[G]

-module may be viewed as an

F[X]

-module with multiplication by X being multiplication by

1 ⋅ \Phi

. In case of K this means

X\alpha=\Phi(\alpha)

, so the monic polynomial of smallest degree annihilating K is the minimal polynomial of

\Phi

. Since K is a finite dimensional F-space, the representation above is possible with

	n-1
f
	k(X)=X

. Since

\dim_F(K)=n,

we can only have

k=1

, and

K \cong \frac

as F[''X'']-modules. (Note this is an isomorphism of F-linear spaces, but not of rings or F-algebras.) This gives isomorphism of

F[G]

-modules

K\congF[G]

that we talked about above, and under it the basis

\{1,X,X^2,\ldots,X^n-1\}

on the right side corresponds to a normal basis

\{\beta,\Phi(\beta),\Phi^{2(\beta),\ldots,\Phi}^n-1(\beta)\}

of K on the left.

Note that this proof would also apply in the case of a cyclic Kummer extension.

Example

Consider the field

	3)=F
K=GF(2
	8

over

F=GF(2)=F₂

, with Frobenius automorphism

\Phi(\alpha)=\alpha²

. The proof above clarifies the choice of normal bases in terms of the structure of K as a representation of G (or F[''G'']-module). The irreducible factorization

X^n-1 \ =\ X^3-1\ = \ (X1)(X^2X1) \ \in\ F[X]

means we have a direct sum of F[''G'']-modules (by the Chinese remainder theorem):

K\ \cong\ \frac \ \cong\ \frac \oplus \frac.

The first component is just

F\subsetK

, while the second is isomorphic as an F[''G'']-module to

F
	2²

\cong

	2{+}X{+}1)
F
	2[X]/(X

under the action

\Phi ⋅ Xⁱ=Xⁱ⁺¹.

(Thus

K\congF_{2 ⊕}F₄

as F[''G'']-modules, but not as F-algebras.)

The elements

\beta\inK

which can be used for a normal basis are precisely those outside either of the submodules, so that

(\Phi{+}1)(\beta) ≠ 0

and

(\Phi^{2{+}\Phi{+}1)(\beta) ≠}0

. In terms of the G-orbits of K, which correspond to the irreducible factors of:

t^-t \ = \ t(t1)\left(t^3 + t + 1\right)\left(t^3 + t^2 + 1\right)\ \in\ F[t],

the elements of

F=F₂

are the roots of

t(t{+}1)

, the nonzero elements of the submodule

F₄

are the roots of

t^3+t+1

, while the normal basis, which in this case is unique, is given by the roots of the remaining factor

t^3{+}t^2{+}1

By contrast, for the extension field

	4)=F
GF(2
	16

in which is divisible by, we have the F[''G'']-module isomorphism

L \ \cong\ \mathbb_2[X]/(X^41)\ =\ \mathbb_2[X]/(X1)^4.

Here the operator

\Phi\congX

is not diagonalizable, the module L has nested submodules given by generalized eigenspaces of

\Phi

, and the normal basis elements β are those outside the largest proper generalized eigenspace, the elements with

(\Phi{+}1)^{3(\beta) ≠}0

Application to cryptography

The normal basis is frequently used in cryptographic applications based on the discrete logarithm problem, such as elliptic curve cryptography, since arithmetic using a normal basis is typically more computationally efficient than using other bases.

For example, in the field

	3)=F
K=GF(2
	8

above, we may represent elements as bit-strings:

\alpha \ =\ (a_2,a_1,a_0)\ =\ a_2\Phi^2(\beta) + a_1\Phi(\beta)+a_0\beta\ =\ a_2\beta^4 + a_1\beta^2 +a_0\beta,

where the coefficients are bits

a_i\inGF(2)=\{0,1\}.

Now we can square elements by doing a left circular shift,

	2=\Phi(a
\alpha
	2,a

_1,a₀₎=(a_1,a_0,a₂₎

, since squaring β⁴ gives . This makes the normal basis especially attractive for cryptosystems that utilize frequent squaring.

Proof for the case of infinite fields

Suppose

K/F

is a finite Galois extension of the infinite field F. Let,

Gal(K/F)=G=\{\sigma_1...\sigma_n\}

, where

\sigma₁=Id

. By the primitive element theorem there exists

\alpha\inK

such

i\nej\implies\sigma_{i(\alpha)\ne\sigma}_j(\alpha)

and

K=F[\alpha]

. Let us write

\alpha_i=\sigma_i(\alpha)

\alpha

's (monic) minimal polynomial f over K is the irreducible degree n polynomial given by the formula

\begin f(X) &= \prod_^n(X - \alpha_i)\end

Since f is separable (it has simple roots) we may define

\begin g(X) &= \ \frac\\g_i(X) &= \ \frac =\ \sigma_i(g(X)).\end

In other words,

\begin g_i(X)&= \prod_\frac\\g(X)&= g_1(X).\end

Note that

g(\alpha)=1

and

g_i(\alpha)=0

for

i\ne1

. Next, define an

n x n

matrix A of polynomials over K and a polynomial D by

\begin A_(X) &= \sigma_i(\sigma_j(g(X)) = \sigma_i(g_j(X))\\D(X) &= \det A(X).\end

Observe that

A_ij(X)=g_k(X)

, where k is determined by

\sigma_k=\sigma_i ⋅ \sigma_j

; in particular

k=1

iff

\sigma_i=

	-1
\sigma
	j

. It follows that

A(\alpha)

is the permutation matrix corresponding to the permutation of G which sends each

\sigma_i

	-1
\sigma
	i

. (We denote by

A(\alpha)

the matrix obtained by evaluating

A(X)

x=\alpha

.) Therefore,

D(\alpha)=\detA(\alpha)=\pm1

. We see that D is a non-zero polynomial, and therefore it has only a finite number of roots. Since we assumed F is infinite, we can find

a\inF

such that

D(a)\ne0

. Define

\begin \beta &= g(a) \\ \beta_i &= g_i(a) = \sigma_i(\beta).\end

We claim that

\{\beta_1,\ldots,\beta_n\}

is a normal basis. We only have to show that

\beta_1,\ldots,\beta_n

are linearly independent over F, so suppose

\sum_^n x_j \beta_j = 0

for some

x_1...x_n\inF

. Applying the automorphism

\sigma_i

yields

\sum_^n x_j \sigma_i(g_j(a)) = 0

for all i. In other words,

A(a) ⋅ \overline{x}=\overline{0}

. Since

\detA(a)=D(a)\ne0

, we conclude that

\overlinex=\overline0

, which completes the proof.

It is tempting to take

a=\alpha

because

D(\alpha) ≠ 0

. But this is impermissible because we used the fact that

a\inF

to conclude that for any F-automorphism

\sigma

and polynomial

h(X)

over

the value of the polynomial

\sigma(h(X))

at a equals

\sigma(h(a))

Primitive normal basis

A primitive normal basis of an extension of finite fields is a normal basis for that is generated by a primitive element of E, that is a generator of the multiplicative group K^×. (Note that this is a more restrictive definition of primitive element than that mentioned above after the general normal basis theorem: one requires powers of the element to produce every non-zero element of K, not merely a basis.) Lenstra and Schoof (1987) proved that every finite field extension possesses a primitive normal basis, the case when F is a prime field having been settled by Harold Davenport.

Free elements

If is a Galois extension and x in K generates a normal basis over F, then x is free in . If x has the property that for every subgroup H of the Galois group G, with fixed field K^H, x is free for, then x is said to be completely free in . Every Galois extension has a completely free element.^[2]

References

Book: S. . Cohen . H. . Niederreiter. Harald Niederreiter . Finite Fields and Applications. Proceedings of the 3rd international conference, Glasgow, UK, July 11–14, 1995 . . 978-0-521-56736-7 . 1996 . London Mathematical Society Lecture Note Series . 233 . 0851.00052 .
Lenstra . H.W. Jr . Hendrik Lenstra . Schoof . R.J. . René Schoof . Primitive normal bases for finite fields . 0615.12023 . . 48 . 177 . 217–231 . 1987 . 2007886 . 10.2307/2007886. free . 1887/3824 . free .
Book: Menezes . Alfred J. . Alfred Menezes . Applications of finite fields . 0779.11059 . The Kluwer International Series in Engineering and Computer Science . 199 . Boston . Kluwer Academic Publishers . 1993 . 978-0792392828 .

Notes and References

SIAM J. Discrete Math. 3 (1990), no. 3, 330–337.
Dirk Hachenberger, Completely free elements, in Cohen & Niederreiter (1996) pp. 97–107

Normal basis explained

Normal basis theorem

Group representation point of view

Case of finite fields

Proof for finite fields

Example

Application to cryptography

Proof for the case of infinite fields

Primitive normal basis

Free elements

See also

References

Notes and References