Finite Fields
Finite Fields
Finite Fields
1 Introduction 3
1 Group theory: a brief summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Rings and fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3 Polynomials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 Finite fields 23
6 Characterizing finite fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7 Irreducible polynomials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
6 Applications to Cryptography 44
13 The Digital Signature Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
13.1 The scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
13.2 Cryptographic hash functions . . . . . . . . . . . . . . . . . . . . . . . . 46
13.3 Algorithms to solve the DLP . . . . . . . . . . . . . . . . . . . . . . . . . 46
2
Chapter 1
Introduction
Finite fields is a branch of mathematics which has come to the fore in the last 50 years due to
its numerous applications, from combinatorics to coding theory. In this course, we will study the
properties of finite fields, and gain experience in working with them.
In the first two chapters, we explore the theory of fields in general. Throughout, we emphasize
results particularly important to finite fields, but allow fields to be arbitrary unless otherwise stated.
Definition 1.1
A group is a set G, together with a binary operation , such that the following axioms hold:
Closure: G is closed under the operation : x, y G = x y G;
Identity: there exists an element e G (called the identity of G) such that x e = e x = x for
all x G;
Inverses: for every element x G there exists an element x1 G (called the inverse of x) such
that x x1 = x1 x = e.
Note: We often write instead of or leave it out completely.
Definition 1.2
A group G is said to be abelian if the binary operation is commutative, i.e. if x y = y x for all
x, y G. The operation is often replaced by + for abelian groups, i.e. x y is written x + y
We then say that the group is written additively (as opposed to being written multiplicatively).
Example 1.3
The following are examples of groups:
the set GLn (R) of invertible (n n)-matrices with real entries, with the operation of matrix
multiplication, forms a group (for n > 1 this is not abelian).
Let G be the set of remainders of all the integers on division by n, e.g. G = {0, 1, . . . , n 1}.
Let a b be the operation of taking the integer sum a + b and reducing it modulo n. Then
(G, ) is a group (this is abelian).
3
4 CHAPTER 1. INTRODUCTION
Definition 1.4
A multiplicative group G is said to be cyclic if there is an element a G such that for any b G
there is some integer j with b = aj . Such an element is called a generator of the cyclic group, and
we write G = hai.
Note we may have more than one generator, e.g. either 1 or 1 can be used to generate the additive
group Z.
Definition 1.5
For a set S, a subset R of S S is called an equivalence relation on S if it satisfies:
The collection of all equivalence classes forms a partition of S, and [s] = [t] (s, t) R.
Definition 1.6
For arbitrary integers a,b and positive integer n, we say that a is congruent to b modulo n if the
difference a b is a multiple of n, i.e. a = b + kn for some integer k. We write a b mod n for
this.
It is easily checked that congruence modulo n is an equivalence relation on the set Z of
integers. Consider the equivalence classes into which the relation partitions Z. These are the sets:
[a] = {m Z : m a mod n}
= {m Z : m = a + kn for some k Z}.
Definition 1.8
A group is called finite (respectively, infinite) if it contains finitely (respectively, infinitely) many
elements. The number of elements of a finite group G is called its order, written |G|.
Definition 1.9
A subset H of the group G is a subgroup of G if H is itself a group with respect to the operation of
G, this is written H G. The (cyclic) subgroup consisting of all powers of some element a G is
denoted hai and called the subgroup generated by a. If | hai | is finite, it is called the order of a, it is
the smallest natural number i such that ai = e.
Theorem 1.10
If H is a subgroup of G, then the relation RH on G defined by (a, b) RH if and only if a = bh
for some h H (additively, a = b + h for some h H) is an equivalence relation. The relation is
called left congruence modulo H.
The equivalence classes are called the left cosets of H in G; each has size |H|. Right congruence
and right cosets are defined analogously.
Note that when (G, ) = (Z, +) and H = hni, we get back our previous definition of congru-
ence, since a b mod n a = b + h for some h hni.
Definition 1.11
The index of H in G (denoted by [G : H]) is the number of left cosets of H in G, and is equal to
the number of right cosets of H in G.
Theorem 1.12
The order of a finite group G is equal to the product of the order of any subgroup H and the index
of H in G. In particular, the order of H divides the order of G and the order of any element a G
divides the order of G.
Proof. Exercise
We can easily describe subgroups and orders for cyclic groups. In what follows, is Eulers
function; i.e. (n) := the number of integers k with 1 k n which are relatively prime to n. If
the integer n has the prime factorization pk11 pk22 . . . pkr r , then
1 1 1
(n) = n(1 )(1 ) (1 ).
p1 p2 pr
So, for example, (7) = 6 and (30) = 2 3 5 21 32 45 = 8. See Example Sheet for more details.
Theorem 1.13
(i) Every subgroup S of a cyclic group G = hai is cyclic.
m
(ii) In a finite cyclic group hai of order m, the element ak generates a subgroup of order gcd(k,m) .
(iii) For any positive divisor d of m, hai contains precisely one subgroup of order d and precisely
one subgroup of index d.
(v) A finite cyclic group hai of order m contains (m) generators, namely the powers ar with
gcd(r, m) = 1.
6 CHAPTER 1. INTRODUCTION
Proof.
(i) If S = {e}, then S is cyclic with generator
ke. Otherwise, k be the least positive integer
let
k k
for which a S. We will show: S = a . Clearly a S. Now, take an arbitrary
s S, then s = an for some n Z. By the division algorithm for integers, there exist
q, r Z with 0 r < k such that n = qk + r. Then an = aqk+r = (ak )q ar , implying
ar S. If r > 0,
this contradicts the minimality of k, so we must have r = 0 and hence
s = an = (ak )q ak .
(ii) Set d := gcd(k, m). The order of ak is the least positive integer n such that akn = e. This
identity holds if and only if m divides kn, i.e. if and only if m
d divides n. The least positive n
with this property is n = m d .
(iii) Exercise: see Exercise Sheet 1.
(iv) Let | hai | = m and m = df . By (ii), the element ak is of order f if and only if gcd(k, m) = d.
So the number of elements of order f is equal to the number of integers k with 1 k m
and gcd(k, m) = d. Equivalently, writing k = dh with 1 h f , the condition becomes
gcd(h, f ) = 1. There are precisely (f ) such h.
(v) The first part follows from (iv), since the generators of hai are precisely the elements of order
m. The second part follows from (ii).
Definition 1.14
A subgroup H of G is normal its left and right cosets coincide.
We write H / G in that case.
For a normal subgroup H, the set of (left) cosets of H in G forms a group, denoted G/H.
The operation is
(aH)(bH) := (ab)H.
Definition 1.15
A mapping f : G H of the group G into the group H is called a homomorphism of G into H
if f preserves the operation of G, i.e. (gk)f = (gf ) (kf ) for all g, k G. If f is a bijective
homomorphism it is called an isomorphism and we say G and H are isomorphic and write G = H.
An isomorphism of G onto itself is called an automorphism of G.
Definition 1.16
The kernel of the homomorphism f : G H of the group G into the group H is the set (actually,
normal subgroup)
ker(f ) := {a G : af = eH }.
The image of f is the set (actually, subgroup)
im(f ) := {af : a G}.
Theorem 1.17
[First Isomorphism Theorem] Let f : G H be a homomorphism of groups. Then kerf is a
normal subgroup of G and
G/kerf = imf by the isomorphism g ker (f ) 7 gf.
Proof. Omitted.
Example 1.18
Take G := Z, H := Zn and f : a 7 [a]. Then f is a homomorphism with ker(f ) = hni and
im(f ) = Zn , and so the First Isomorphism Theorem says that Z/ hni and Zn are isomorphic as
groups.
2. RINGS AND FIELDS 7
R is closed under ;
Typically, we use 0 to denote the identity element of the abelian group R with respect to addition,
and a to denote the additive inverse of a R.
Definition 2.2
A ring is called a ring with identity if the ring has a multiplicative identity (usually denoted e
or 1).
A ring is called a division ring (or skew field) if the non-zero elements form a group under .
Example 2.3
the integers (Z, +, ) form an integral domain but not a field;
the rationals (Q, +, ), reals (R, +, ) and complex numbers (C, +, ) form fields;
the set of 2 2 matrices with real entries forms a non-commutative ring with identity w.r.t.
matrix addition and multiplication.
the group Zn with addition as before and multiplication defined by [a][b] := [ab] is a com-
mutative ring with identity [1].
So, in summary: a field is a set F on which two binary operations, called addition and multiplic-
ation, are defined, and which contains two distinguished elements e and 0 with 0 6= e. Moreover,
F is an abelian group with respect to addition, having 0 as the identity element, and the non-zero
elements of F (often written F ) form an abelian group with respect to multiplication having e as
the identity element. The two operations are linked by the distributive laws.
Theorem 2.4
Every finite integral domain is a field.
Proof. Let R be a finite integral domain, and let its elements be r1 , r2 , . . . , rn . Consider a fixed
non-zero element r R. Then the products rr1 , rr2 , . . . , rrn must be distinct, since rri = rrj
implies r(ri rj ) = 0, and since r 6= 0 we must have ri rj = 0, i.e. ri = rj . Thus, these
products are precisely the n elements of R. Each element of R is of the form rri ; in particular, the
identity e = rri for some 1 i n. Since R is commutative, we also have ri r = e, and so ri is
the multiplicative inverse of r. Thus the non-zero elements of R form a commutative group, and R
is a field.
8 CHAPTER 1. INTRODUCTION
Definition 2.5
A subset S of a ring R is called a subring of R if S is closed under + and and forms a ring
under these operations.
A subset J of a ring R is called an ideal if J is a subring of R and for all a J and r R
we have ar J and ra J.
Let R be a commutative ring with an identity. Then the smallest ideal containing an element
a R is (a) := {ra : r R}. We call (a) the principal ideal generated by a.
Definition 2.6
An integral domain in which every ideal is principal is called a principal ideal domain (PID).
Example 2.7
Z is a PID.
An ideal J of R defines a partition of R into disjoint cosets (with respect to +), residue classes
modulo J. These form a ring w.r.t. the following operations:
(a + J) + (b + J) = (a + b) + J,
(a + J)(b + J) = ab + J.
This ring is called the residue class ring and is denoted R/J.
Example 2.8
The residue class ring Z/(n)
Here, (n) is the principal ideal generated by the integer n (same set nZ as the subgroup hni but now
with two operations). As in the group case, we denote the residue class of a modulo n by [a], as well
as by a + (n). The elements of Z/(n) are [0] = 0 + (n), [1] = 1 + (n), . . . , [n 1] = n 1 + (n).
Theorem 2.9
Z/(p), the ring of residue classes of the integers modulo the principal ideal generated by a prime p,
is a field.
Proof. By Theorem 2.4, it is enough to show that Z/(p) is an integral domain. Now, [a][b] =
[ab] = [0] if and only if ab = kp for some k Z. Since p is prime, p divides ab if and only if p
divides one of the factors. So, either [a] = [0] or [b] = [0], so Z/(p) contains no zero divisors.
Remark 2.11
As you will prove in Exercise Sheet 1, the above result does not hold if p is replaced by a composite
n.
Definition 2.12
A mapping : R S (R,S rings) is called a ring homomorphism if for any a, b R we have
A ring homomorphism preserves both + and and induces a homomorphism of the additive group
of R into that of S. Concepts such as kernel and image are defined analogously to the groups case.
We have a ring version of the First Isomorphism Theorem:
We can use mappings to transfer a structure from an algebraic system to a set without structure.
Given a ring R, a set S and a bijective map : R S, we can use to define a ring structure on S
that converts into an isomorphism. Specifically, for s1 = (r1 ) and s2 = (r2 ), define
Definition 2.14
For a prime p, let Fp be the set {0, 1, . . . , p 1} of integers, and let : Z/(p) Fp be the mapping
defined by ([a]) = a for a = 0, 1, . . . , p 1. Then Fp endowed with the field structure induced by
is a finite field, called the Galois field of order p.
From above, the mapping becomes an isomorphism, so ([a] + [b]) = ([a]) + ([b]) and
([a][b]) = ([a])([b]). The finite field Fp has zero element 0, identity element 1 and its structure
is that of Z/(p). So, computing with elements of Fp now means ordinary arithmetic of integers with
reduction modulo p.
Example 2.15
F2 : the elements of this field are 0 and 1. The operation tables are:
+ 0 1 0 1
0 0 1 , 0 0 0
1 1 0 1 0 1
We have Z/(5), isomorphic to F5 = {0, 1, 2, 3, 4}, where the isomorphism is given by [0] 7
0, . . . , [4] 7 4. The operation tables are:
+ 0 1 2 3 4 0 1 2 3 4
0 0 1 2 3 4 0 0 0 0 0 0
1 1 2 3 4 0 1 0 1 2 3 4
,
2 2 3 4 0 1 2 0 2 4 1 3
3 3 4 0 1 2 3 0 3 1 4 2
4 4 0 1 2 3 4 0 4 3 2 1
Definition 2.16
If R is an arbitrary ring and there exists a positive integer n such that nr = 0 for every r R
(i.e. r added to itself n times is the zero element) then the least such positive integer n is called the
characteristic of R, and R is said to have positive characteristic. If no such positive integer n exists,
R is said to have characteristic 0.
Example 2.17
F2 and F5 have characteristic 2 and 5 respectively.
10 CHAPTER 1. INTRODUCTION
Theorem 2.18
A ring R 6= {0} of positive characteristic with an identity and no zero divisors must have prime
characteristic.
Proof. Since R contains non-zero elements, R has characteristic n 2. If n were not prime, we
could write n = km with k, m Z, 1 < k, m < n. Then 0 = ne = (km)e = (ke)(me), so either
ke = 0 or me = 0, since R has no zero divisors. Hence either kr = (ke)r = 0 for all r R or
mr = (me)r = 0 for all r R, contradicting the definition of n as the characteristic.
Corollary 2.19
A finite field has prime characteristic.
Proof. From Theorem 2.18, we need only show that a finite field F has a positive characteristic.
Consider the multiples e, 2e, 3e, . . . of the identity. Since F contains only finitely many elements,
there must exist integers k and m with 1 k < m such that ke = me, i.e. (k m)e = 0, and thus
(k m)f = (k m)ef = 0f = 0 for all f F so F has a positive characteristic.
Example 2.20
The field Z/(p) (equivalently, Fp ) has characteristic p.
for a, b R and n N.
and induction on n establishes the first identity. The second identity follows since
n n n n
ap = ((a b) + b)p = (a b)p + bp .
3 Polynomials
Let R be an arbitrary ring. A polynomial over R is an expression of the form
n
X
f= ai xi = a0 + a1 x + + an xn ,
i=0
DefinitionP 3.1
n i n
Let f = i=0 ai x = a0 + a1 x + + an x be a polynomial over R which is not the zero
polynomial, so we can suppose an 6= 0. Then n is called the degree of f . By convention, deg(0) =
. Polynomials of degree 0 are called constant polynomials. If the leading coefficient of f is 1
(the identity of R) then f is called a monic polynomial.
Pn i
Pn i
Given two polynomials f and g, we can write f = i=0 ai x and g = i=0 bi x (taking
coefficients zero if necessary to ensure the same n). We define their sum to be
n
X
f +g = (ai + bi )xi
i=0
Note that the degree of the product of two non-zero polynomials f and g is equal to the sum of the
degrees of f and g.
Theorem 3.2
With the above operations, the set of polynomials over R forms a ring. It is called the polynomial
ring over R and denoted by R[x]. Its zero element is the zero polynomial, all of whose coefficients
are zero.
Proof. Exercise.
Let F denote a (not necessarily finite) field. From now on, we consider polynomials over fields.
We say that the polynomial g F [x] divides f F [x] if there exists a polynomial h F [x]
such that f = gh.
Theorem 3.4
F [x] is a principal ideal domain. In fact, for every ideal J 6= (0) of F [x] there is a uniquely
determined monic polynomial g F [x] such that J = (g).
Proof. Let I be an ideal in F [x]. If I = {0}, then I = (0). If I 6= {0}, choose a non-zero
polynomial k I of smallest degree. Let b be the leading coefficient of k, and set m = b1 k. Then
m I and m is monic. We will show: I = (m). Clearly, (m) I. Now take f I; by the division
algorithm there are polynomials q, r with f = qm + r where either r = 0 or deg(r) < deg(m).
Now, r = f qm I. If r 6= 0, we contradict the minimality of m; so we must have r = 0, i.e. f
is a multiple of m and I = (m).
We now show uniqueness: if m1 F [x] is another monic polynomial with I = (m1 ), then
m = c1 m1 and m1 = c2 m with c1 , c2 F [x]. Then m = c1 c2 m, i.e. c1 c2 = 1, and so c1 , c2 are
constant polynomials. Since both m and m1 are monic, we must have m = m1 .
Definition 3.5
A polynomial p F [x] is said to be irreducible over F if p has positive degree and p = bc with
b, c F [x] implies that either b or c is a constant polynomial. A polynomial which does allow a
non-trivial factorization over F is called reducible over F .
Note that the field F under consideration is all-important here, e.g. the polynomial x2 + 1 is irredu-
cible in R[x] but reducible in C[x], where it factors as (x + i)(x i).
f = ape11 . . . pekk
where a F , p1 , . . . , pk are distinct monic irreducibles in F [x] and e1 , . . . , ek are positive integers.
This factorization is unique up to the order in which the factors occur; it is called the canonical
factorization of f in F [x].
Proof. Omitted.
Example 3.7
Find all irreducible polynomials over F2 of degree 3.
First, note that a non-zero polynomial in F2 [x] must be monic. The degree 3 polynomials are of
the form x3 + ax2 + bx + c, where each coefficient is 0 or 1, i.e. there are 23 = 8 of them. Such
a polynomial is reducible over F2 precisely if it has a divisor of degree 1. Compute all products
(x + a0 )(x2 + b1 x + b0 ) to obtain all reducible degree 3 polynomials over F2 . There are 6 of these,
leaving 2 irreducibles: x3 + x + 1 and x3 + x2 + 1.
Theorem 3.8
For f F [x], the residue class ring F [x]/(f ) is a field if and only if f is irreducible over F .
Proof. Details omitted. For those who know some ring theory this is immediate since, for a PID
S, S/(c) is a field if and only if c is a prime element of S. Here, the prime elements of the PID R[x]
are precisely the irreducible polynomials.
We will be very interested in the structure of the residue class ring F [x]/(f ), for arbitrary non-
zero polynomial f F [x]. To summarize,
Two residue classes g +(f ) and h+(f ) are identical if and only if g h mod f , i.e. precisely
if g h is divisible by f . This is equivalent to: g and h have the same remainder on division
by f .
Each residue class g + (f ) contains a unique representative r F [x] with deg(r) < deg(f ),
namely the remainder when g is divided by f . The process of moving from g to r is called
reduction mod f . (Exercise: uniqueness?)
Hence the distinct residue classes comprising F [x]/(f ) are precisely the residue classes r +
(f ), where r runs through all polynomials in F [x] with deg(r) < deg(f ).
Example 3.9
Let f = x F2 [x]. The field F2 [x]/(x) has 21 = 2 elements, namely 0 + (x) and 1 + (x).
This field is isomorphic to F2 .
3. POLYNOMIALS 13
+ 0 + (f ) 1 + (f ) x + (f ) x + 1 + (f )
0 + (f ) 0 + (f ) 1 + (f ) x + (f ) x + 1 + (f )
1 + (f ) 1 + (f ) 0 + (f ) x + 1 + (f ) 0 + (f ) ,
x + (f ) x + (f ) x + 1 + (f ) 0 + (f ) 1 + (f )
x + 1 + (f ) x + 1 + (f ) x + (f ) 1 + (f ) 0 + (f )
0 + (f ) 1 + (f ) x + (f ) x + 1 + (f )
0 + (f ) 0 + (f ) 0 + (f ) 0 + (f ) 0 + (f )
1 + (f ) 0 + (f ) 1 + (f ) x + (f ) x + 1 + (f ) .
x + (f ) 0 + (f ) x + (f ) x + 1 + (f ) 1 + (f )
x + 1 + (f ) 0 + (f ) x + 1 + (f ) 1 + (f ) x + (f )
Note that, in the multiplication table,
(x + (f ))(x + (f )) = x2 + (f ) = f x 1 + (f ) = x + 1 + (f ),
(x + (f ))(x + 1 + (f )) = x2 + x + (f ) = f 1 + (f ) = 1 + (f ),
(x + 1 + (f ))(x + 1 + (f )) = x2 + 1 + (f ) = f x + (f ) = x + (f ).
Comparing these tables to those of Z4 we see that the field F2 [x]/(f ) is not isomorphic to Z4 ,
which is not a field since in Z4 we have 2 2 = 0.
What is the multiplicative order of x+(f ) in F2 [x]/(f )? The multiplicative group of this field
has order 22 1 = 3, so the order must be 1 or 3. Clearly x+(f ) 6= 1+(f ), so the order must
be 3. Check: (x + (f ))3 = (x + (f ))(x2 + (f )) = x(x + 1) + (f ) = x2 + x + (f ) = 1 + (f ).
Let f = x2 + 2 F3 [x]. We find that F3 [x]/(f ) is a ring of 9 elements which is not even an
integral domain, let alone a field. Its elements are {0 + (f ), 1 + (f ), 2 + (f ), x + (f ), x +
1 + (f ), x + 2 + (f ), 2x + (f ), 2x + 1 + (f ), 2x + 2 + (f )}. To see that it is not an integral
domain, note that (x + 1 + (f ))(x 1 + (f )) = x2 1 + (f ) = x2 + 2 + (f ) = 0 + (f ),
but neither x + 1 + (f ) nor x 1 + (f ) are zero.
Definition 3.10
An element a F is called a root (or zero) of the polynomial f F [x] if f (a) = 0.
Example 3.11
(i) The elements 2, 3 Q are roots of x2 5x + 6 Q[x].
(ii) The polynomial x2 + 1 Q[x] has no roots in Q, but two roots i C.
Definition 3.12
If f = a0 + a1 x + a2 x2 + + an xn F [x], then the derivative f 0 of f is defined by f 0 =
a1 + 2a2 x + + nan xn1 F [x].
Theorem 3.13
An element a F is a root of the polynomial f F [x] if and only if x a divides f .
f = q (x a) + c
Definition 3.14
Let a F be a root of f F [x]. If k is a positive integer such that f is divisible by (x a)k but
not (x a)k+1 , then k is called the multiplicity of a. If k 2 then a is called a multiple root of f .
Theorem 3.15
An element a F is a multiple root of f F [x] if and only if it is a root of both f and its derivative
f 0.
Proof. Exercise
Example 3.16
Consider the polynomial f = x3 7x2 + 16x 12 Q[x]. It factors as (x 2)2 (x 3), so its roots
are 2 (with multiplicity 2) and 3 (with multiplicity 1). Here, f 0 = 3x2 14x + 16 which factors as
(x 2)(3x 8), so we can verify that 2 is also a root of f 0 .
The following observation is very important.
Theorem 3.17
If F is a field and f F [x] has degree n, then F contains at most n roots of f .
4 Field Extensions
Definition 4.1
Let F be a field. A subset K that is itself a field under the operations of F is called a subfield of F .
The field F is called an extension field of K. If K 6= F , K is called a proper subfield of F .
Definition 4.2
A field containing no proper subfields is called a prime field.
For example, Fp is a prime field, since any subfield must contain the elements 0 and 1, and since it
is closed under addition it must contain all other elements, i.e. it must be the whole field.
Definition 4.3
The intersection of all subfields of a field F is itself a field, called the prime subfield of F .
Remark 4.4
The prime subfield of F is a prime field, as defined above (see Exercise sheet).
Theorem 4.5
The prime subfield of a field F is isomorphic to Q if F has characteristic 0 and is isomorphic to Fp
if F has characteristic p.
Proof. Denote by P (F ) the prime subfield of F . Let F be a field of characteristic 0; then the
elements n1F (n Z) are all distinct, and form a subring of F isomorphic to Z. The set
is a subfield of F isomorphic to Q. Any subfield of F must contain 1 and 0 and so must contain
Q(F ), so Q(F ) P (F ). Since Q(F ) is itself a subfield of F , we also have P (F ) Q(F ), so in
fact Q(F ) is the prime subfield of F . If F has characteristic p, a similar argument holds with the set
Definition 4.6
Let K be a subfield of the field F and M any subset of F . Then the field K(M ) is defined
to be the intersection of all subfields of F containing both K and M ; i.e. it is the smallest
subfield of F containing both K and M . It is called the extension field obtained by adjoining
the elements of M .
15
16 CHAPTER 2. SOME FIELD THEORY
an n + an1 n1 + + a1 1 + a0 = 0
Definition 4.9
If is algebraic over K, then the uniquely determined monic polynomial g K[x] generating the
ideal J = {f K[x] : f () = 0} of K[x] is called the minimal polynomial of over K. We refer
to the degree of g as the degree of over K.
The key properties of the minimal polynomial are summarised in the next theorem. The third
property is the one most useful in practice.
Theorem 4.10
Let F be algebraic over a subfield K of F , and let g be the minimal polynomial of . Then
(i) g is irreducible in K[x];
(ii) For f K[x], we have f () = 0 if and only if g divides f ;
(iii) g is the monic polynomial of least degree having as a root.
Proof. (i) Since g has the root , it has positive degree. Suppose g = h1 h2 in K[x] with
1 deg(hi ) < deg(g) (i = 1, 2). This implies 0 = g() = h1 ()h2 (), and so one of h1 or h2
must lie in J and hence is divisible by g, a contradiction.
(ii) Immediate from the definition of g.
(iii) Any monic polynomial in K[x] having as a root must be a multiple of g by (ii), and so is
either equal to g or has larger degree than g.
Example 4.11
The element 3 3 R is algebraic over Q since it is a root of x3 3 Q[x]. Since x3 3 is
irreducible over Q, it is the minimal polynomial of 3 3 over Q, and hence 3 3 has degree 3
over Q.
5. FIELD EXTENSIONS AS VECTOR SPACES 17
The element i = 1 C is algebraic over the subfield R of C, since it is a root of the
polynomial x2 + 1 R[x]. Since x2 + 1 is irreducible over R, it is the minimal polynomial
of i over R, and hence i has degree 2 over R.
Definition 5.1
A vector space V over F is a non-empty set of objects (called vectors) upon which two operations
are defined
addition: there is some rule which produces, from any two objects in V , another object in V
(denote this operation by +)
scalar multiplication: there is some rule which produces, from an element of F (a scalar) and
an object in V, another object in V
and these objects and operations obey the Vector Space Axioms:
1. x + y = y + x for all x, y V
2. (x + y) + z = x + (y + z) for all x, y, z V
8. 1x = x for all x V
Definition 5.2
A basis of a vector space V over F is defined as a subset {v1 , . . . , vn } of vectors in V that
are linearly independent and span V . If v1 , . . . , vn is a list of vectors in V , then these vectors
form a basis if and only if every v V can be uniquely written as
v = a1 v1 + + an vn
A vector space will have many different bases, but there are always the same number of basis
vectors in each. The number of basis vectors in any basis is called the dimension of V over
F.
Suppose V has dimension n over F . Then any sequence of more than n vectors in V is
linearly dependent.
18 CHAPTER 2. SOME FIELD THEORY
To see that the vector space axioms hold for a field L over a subfield K, note that the elements of
L form an abelian group under addition, and that any vector L may be multiplied by an r K
(a scalar) to get r L (this is just multiplication in L). Finally, the laws for multiplication by
scalars hold since, for r, s L and , K we have r( + ) = r + r, (r + s) = r + s,
(rs) = r(s) and 1 = .
Example 5.3
Take L = C and let K be its subfield R. Then we can easily check that C is a vector space over R.
Since we know from school that C = {a + bi : a, b R}, it is clear that a basis is given by {1, i}.
Definition 5.4
Let L be an extension field of K. If L is finite-dimensional as a vector space over K, then L is said
to be a finite extension of K. The dimension of the vector space L over K is called the degree of L
over K and written [L : K].
Example 5.5
From above, C is a finite extension of R of degree 2.
Theorem 5.6
If L is a finite extension of K and M is a finite extension of L, then M is a finite extension of K
with
[M : K] = [M : L][L : K].
with coefficients rij K. We claim that the mn elements j i form a basis of M over K. Clearly
they span M ; it suffices to show that they are linearly independent over K.
Suppose we have
Xm X n
sij j i = 0
i=1 j=1
for 1 i m. Now, since the j are linearly independent over K, it follows that all the sij are 0,
as required.
Theorem 5.7
Every finite extension of K is algebraic over K.
5. FIELD EXTENSIONS AS VECTOR SPACES 19
Example 5.12
Consider the simple extension Q( 3 3) of Q. We saw earlier that 3 3 has minimal polynomial x3 3
over Q.
So Q( 3 3) = Q[x]/(x3 3), and {1, 3, ( 3)2 } is a basis for Q( 3) over Q. So
3 3 3
Q( 3) = {a + b 3 + c( 3)2 : a, b, c Q}.
3 3 3
Note that we have been assuming that both K and are embedded in some larger field F . Next,
we will consider constructing a simple algebraic extension without reference to a previously given
larger field, i.e. from the ground up.
The next result, due to Kronecker, is one of the most fundamental results in the theory of fields:
it says that, given any non-constant polynomial over any field, there exists an extension field in
which the polynomial has a root.
Theorem 5.13 (Kronecker)
Let f K[x] be irreducible over the field K. Then there exists a simple algebraic extension of K
with a root of f as a defining element.
Proof.
Consider the residue class ring L = K[x]/(f ), which is a field since f is irreducible. Its
elements are the residue classes [h] = h + (f ), with h K[x].
For any a K, think of a as a constant polynomial in K[x] and form the residue class
[a]. The mapping a 7 [a] gives an isomorphism from K onto a subfield K 0 of L (exercise:
check!), so K 0 may be identified with K. Thus we can view L as an extension of K.
For every h = a0 + a1 x + + am xm K[x], we have
[h] = [a0 + a1 x + + am xm ]
= [a0 ] + [a1 ][x] + + [am ][x]m
= a0 + a1 [x] + + am [x]m
(making the identification [ai ] = ai ). So, every element of L can be written as a polyno-
mial in [x] with coefficients in K. Since any field containing K and [x] must contain these
expressions, L is a simple extension of K obtained by adjoining [x].
If f = b0 + b1 x + + bn xn , then
f ([x]) = b0 + b1 [x] + + bn [x]n = [f ] = [0],
i.e. [x] is a root of f and L is a simple algebraic extension of K.
Example 5.14
Consider the prime field F3 and the polynomial x2 + x + 2 F3 [x], irreducible over F3 . Take to
be a root of f , in the sense that is the residue class [x] = x + (f ) L = F3 [x]/(f ). Explicitly,
we have:
f () = f ([x]) = f (x + (f ))
= (x + (f ))2 + (x + (f )) + (2 + (f ))
= x2 + x + 2 + (f )
= f + (f )
= 0 + (f )
= [0].
5. FIELD EXTENSIONS AS VECTOR SPACES 21
The other root of f in L is 2 +2, since f (2 +2) = 2 + +2 = 0. By Theorem 5.9, the simple
algebraic extension L = F3 () consists of the nine elements 0, 1, 2, , +1, +2, 2, 2 +1, 2 +2.
Example 5.15
Consider the polynomial f = x2 +x+1 F2 [x], irreducible over F2 . Let be the root [x] = x+(f )
of f ; then the simple algebraic extension L = F2 () consists of the four elements 0, 1, , +1. (The
other root is + 1). The tables for addition and multiplication are precisely those of Example 3.9,
now appropriately relabelled. We give the addition table:
+ 0 1 +1
0 0 1 +1
1 1 0 +1 .
+1 0 1
+1 +1 1 0
Note that, in the above examples, adjoining either of two roots of f would yield the same
extension field.
Theorem 5.16
Let F be an extension field of the field K and , F be two roots of a polynomial f K[x] that
is irreducible over K. Then K() and K() are isomorphic under an isomorphism mapping to
and keeping the elements of K fixed.
Proof. By Theorem 5.9 both are isomorphic to the field K[x]/(f ) since the irreducible f is the
minimal polynomial of both and .
Given a polynomial, we now want an extension field which contains all its roots.
Definition 5.17
Let f K[x] be a polynomial of positive degree and F an extension field of K. Then we say that
f splits in F if f can be written as a product of linear factors in F [x], i.e. if there exist elements
1 , . . . , n F such that
f = a(x 1 ) (x n )
where a is the leading coefficient of f . The field F is called a splitting field of f over K if it splits
in F and if F = K(1 , . . . , n ).
So, a splitting field F of a polynomial f over K is an extension field containing all the roots of
f , and is smallest possible in the sense that no subfield of F contains all roots of f . The following
result answers the questions: can we always find a splitting field, and how many are there?
(ii) Any two splitting fields of f over K are isomorphic under an isomorphism which keeps the
elements of K fixed and maps roots of f into each other.
So, we may therefore talk of the splitting field of f over K. It is obtained by adjoining to K
finitely many elements algebraic over K, and so we can show (exercise!) that it is a finite extension
of K.
22 CHAPTER 2. SOME FIELD THEORY
Example 5.19
Find the splitting field of the polynomial f = x2 + 2 Q[x] over Q.
The polynomial f splits in C, where it factors as (x i 2)(x + i 2). However, C itself is not
the splitting field for f
. It turns out to be sufficient to adjoin just one of the complex roots of f to
Q. The field K = Q(i 2) contains both of the roots of f , and no smaller subfield has this property,
so K is the splitting field for F .
Splitting fields will be central to our characterization of finite fields, in the next chapter.
Chapter 3
Finite fields
We have seen, in the previous chapters, some examples of finite fields. For example, the residue
class ring Z/pZ (when p is a prime) forms a field with p elements which may be identified with the
Galois field Fp of order p.
The fields Fp are important in field theory. From the previous chapter, every field of character-
istic p contains a copy of Fp (its prime subfield) and can therefore be thought of as an extension of
Fp . Since every finite field must have characteristic p, this helps us to classify finite fields.
Proof. F is a vector space over K, finite-dimensional since F is finite. Denote this dimension by
m; then F has a basis over K consisting of m elements, say b1 , . . . , bm . Every element of F can
be uniquely represented in the form k1 b1 + km bm (where k1 , . . . , km K). Since each ki K
can take q values, F must have exactly q m elements.
We are now ready to answer the question: What are the possible cardinalities for finite fields?
Theorem 6.2
Let F be a finite field. Then F has pn elements, where the prime p is the characteristic of F and n
is the degree of F over its prime subfield.
Proof. Since F is finite, it must have characteristic p for some prime p (by Corollary 2.19).
Thus the prime subfield K of F is isomorphic to Fp , by Theorem 4.5, and so contains p elements.
Applying Lemma 6.1 yields the result.
So, all finite fields must have prime power order - there is no finite field with 6 elements, for
example.
We next ask: does there exist a finite field of order pn for every prime power pn ? How can such
fields be constructed?
We saw, in the previous chapter, that we can take the prime fields Fp and construct other finite
fields from them by adjoining roots of polynomials. If f Fp [x] is irreducible of degree n over Fp ,
then adjoining a root of f to Fp yields a finite field of pn elements. However, it is not clear whether
we can find an irreducible polynomial in Fp [x] of degree n, for every integer n.
The following two lemmas will help us to characterize fields using root adjunction.
23
24 CHAPTER 3. FINITE FIELDS
Lemma 6.3
If F is a finite field with q elements, then every a F satisfies aq = a.
Proof. Clearly aq = a is satisfied for a = 0. The non-zero elements form a group of order q 1
under multiplication. Using the fact that a|G| = 1G for any element a of a finite group G, we have
that all 0 6= a F satisfy aq1 = 1, i.e. aq = a.
Lemma 6.4
If F is a finite field with q elements and K is a subfield of F , then the polynomial xq x in K[x]
factors in F [x] as Y
xq x = (x a)
aF
Proof. Since the polynomial xq x has degree q, it has at most q roots in F . By Lemma 6.3, all
the elements of F are roots of the polynomial, and there are q of them. Thus the polynomial splits
in F as claimed, and cannot split in any smaller field.
We are now ready to prove the main characterization theorem for finite fields.
Proof. (Existence) For q = pn , consider xq x in Fp [x], and let F be its splitting field over Fp .
Since its derivative is qxq1 1 = 1 in Fp [x], it can have no common root with xq x and so,
by Theorem 3.15, xq x has q distinct roots in F . Let S = {a F : aq a = 0}. Then S is a
subfield of F since
S contains 0;
On the other hand, xq x must split in S since S contains all its roots, i.e its splitting field F is
a subfield of S. Thus F = S and, since S has q elements, F is a finite field with q = pn elements.
(Uniqueness) Let F be a finite field with q = pn elements. Then F has characteristic p by Theorem
6.2, and so contains Fp as a subfield. So, by Lemma 6.4, F is a splitting field of xq x. The result
now follows from the uniqueness (up to isomorphism) of splitting fields, from Theorem 5.18.
As a result of the uniqueness part of Theorem 6.5, we may speak of the finite field (or the
Galois field) of q elements. We shall denote this field by Fq , where q denotes a power of the prime
characteristic p of Fq .
Example 6.6
In Example 5.14, we constructed a field L = F3 () of 9 elements, where is a root of the
polynomial x2 + x + 2 F3 [x]. By Theorem 6.5, L is the field of 9 elements, i.e. F9 .
Proof. Clearly, a subfield K of F must have order pm for some positive integer m n. By
Lemma 6.1, q = pn must be a power of pm , and so m must divide n.
m
Conversely, if m is a positive divisor of n, then pm 1 divides pn 1, and so xp 1 1 divides
n m
xp 1 1 in Fp [x]. So, every root of xp x is a root of xq x, and hence belongs to Fq . It follows
m
that Fq must contain a splitting field of xp x over Fp as a subfield, and (from proof of Theorem
6.5) such a splitting field has order pm . If there were two distinct subfields of order pm in Fq , they
m
would together contain more than pm roots of xp x in Fq , a contradiction.
So, the unique subfield of Fpn of order pm , where m is a positive divisor of n, consists precisely
m
of the roots of xp x in Fpn .
Example 6.8
Determine the subfields of the finite field F230 . To do this, list all positive divisors of 30. The
containment relations between subfields are equivalent to divisibility relations among the positive
divisors of 30. (For diagram, see lectures!)
We can also completely characterize the multiplicative group of a finite field. For the finite field
Fq , we denote the multiplicative group of non-zero elements of Fq by Fq .
Theorem 6.9
For every finite field Fq , the multiplicative group Fq of nonzero elements of Fq is cyclic.
Proof. We may assume q 3. Set h = q 1, the order of Fq , and let h = pr11 pr22 . . . prmm be
its prime factor decomposition. For each i, 1 i m, the polynomial xh/pi 1 has at most h/pi
roots in Fq . Since h/pi < h, it follows that there are nonzero elements of Fq which are not roots of
ri ri
h/p p
this polynomial. Let ai be such an element, and set bi = ai i . Now, bi i = 1, so the order of bi
divides pri i and so has the form psi i for some 0 si ri . On the other hand,
ri 1
p h/pi
bi i = ai 6= 1,
so the order of bi is precisely pri i .
Let b = b1 b2 . . . bm . We claim: b has order h(= q 1), i.e. is a generator for the group.
Suppose, on the contrary, that the order of b is a proper divisor of h. It is therefore a divisor of at
least one of the m integers h/pi , 1 i m; wlog, say of h/p1 . Then
h/p1 h/p1
1 = bh/p1 = b1 b2 bh/p
m .
1
h/p h/p
Now, if 2 i m, then pri i divides h/p1 , and so bi 1 = 1. This forces b1 1 = 1. Thus the order
of b1 must divide h/p1 , which is impossible since the order of b1 is pr11 . Thus Fq is a cyclic group
with generator b.
Definition 6.10
A generator of the cyclic group Fq is called a primitive element of Fq .
By Theorem 1.13, Fq contains (q 1) primitive elements, where is Eulers function: the
number of integers less than and relatively prime to q 1. Recall that, if the integer n has the prime
factorization pk11 pk22 . . . pkr r , then
1 1 1
(n) = n(1 )(1 ) (1 ).
p1 p2 pr
26 CHAPTER 3. FINITE FIELDS
Example 6.11
F5 has (4) = 2 primitive elements, namely 2 and 3.
Theorem 6.12
Let Fq be a finite field and Fr a finite extension field. Then
So, we can express any finite field K with subfield F , by adjoining to F a root of an appropri-
ate irreducible polynomial f , which of course must have degree d = [K : F ]. Although the proof
of Theorem 6.12 uses a which is a primitive element of K, it is not in fact necessary for to be a
multiplicative generator of K , as the next example shows.
Example 6.13
Consider the finite field F9 . We can express F9 in the form F3 (), where is a root of the polyno-
mial x2 + 1, irreducible over F3 . However, since 4 = 1, does not generate the whole of F9 , i.e.
is not a primitive element of F9 .
Corollary 6.14
For every finite field Fq and every positive integer n, there exists an irreducible polynomial in Fq [x]
of degree n.
Proof. Let Fr be the extension field of Fq of order q n , so that [Fr : Fq ] = n. By Theorem 6.12,
Fr = Fq () for some Fr . Then, by properties of minimal polynomials, the minimal polynomial
of over Fq is an irreducible polynomial in Fq [x] of degree n.
7 Irreducible polynomials
In this section, we investigate irreducible polynomial over finite fields.
Lemma 7.1
Let f Fq [x] be an irreducible polynomial over a finite field Fq and let be a root of f in an
extension field of Fq . Then, for a polynomial h Fq [x], we have h() = 0 if and only if f divides
h.
Proof. The minimal polynomial of over Fq is given by a1 f , where a is the leading coefficient
of f (since it is a monic irreducible polynomial in Fq [x] having as a root). The proposition then
follows from part (ii) of Theorem 4.10.
Lemma 7.2
n
Let f Fq [x] be an irreducible polynomial over Fq of degree m. Then f divides xq x if and
only if m divides n.
7. IRREDUCIBLE POLYNOMIALS 27
n
Proof. First, suppose f divides xq x. Let be a root of f in the splitting field of f over
n
Fq . Then q = , so Fqn . Thus Fq () is a subfield of Fqn . Since [Fq () : Fq ] = m and
[Fqn : Fq ] = n, we have n = [Fqn : Fq ()]m, so m divides n.
Conversely, suppose m divides n. Then by Theorem 6.7, Fqn contains Fqm as a subfield. Let
be a root of f in the splitting field of f over Fq . Then [Fq () : Fq ] = m, and so Fq () = Fqm .
n n
Thus Fqn , hence q = , and so is a root of xq x Fq [x]. Therefore, by Lemma 7.1, f
n
divides xq x.
Theorem 7.3
If f is an irreducible polynomial in Fq [x] of degree m, then f has a root in Fqm . Moreover, all
2 m1
the roots of f are simple and are given by the m distinct elements , q , q , . . . , q of Fqm .
Proof. Let be a root of f in the splitting field of f over Fq . Then [Fq () : Fq ] = m, hence
Fq () = Fqm , and so Fqm .
We now show that, if Fqm is a root of f , then q is also a root of f . Write f = am xm +
+ a1 x + a0 (ai Fq ). Then
f ( q ) = am qm + + a1 q + a0
= aqm qm + + aq1 q + aq0
= (am m + + a1 + a0 )q
= f ()q = 0,
mk+j m
q = q = .
mk+j
It then follows from Lemma 7.1 that f divides xq x. By Lemma 7.2, this is possible only if
m divides m k + j, a contradiction since 0 < m k + j < m.
Corollary 7.4
Let f be an irreducible polynomial in Fq [x] of degree m. Then the splitting field of f over Fq is
Fq m .
Proof. Theorem 7.3 shows that f splits in Fqm . To see that this is the splitting field, note that
m1
Fq (, , . . . , q
q ) = Fq () = Fqm .
Corollary 7.5
Any two irreducible polynomials in Fq [x] of the same degree have isomorphic splitting fields.
As we shall see later, sets of elements such as those in Theorem 7.3 appear often in the theory
of fields.
Theorem 7.6
For every finite field Fq and every n N, the product of all monic irreducible polynomials over Fq
n
whose degrees divide n is equal to xq x.
28 CHAPTER 3. FINITE FIELDS
Proof. By Lemma 7.2, the monic irreducible polynomials over Fq which occur in the canonical
n
factorization of g = xq x in Fq [x] are precisely those whose degrees divide n. Since g 0 = 1,
by Theorem 3.15 g has no multiple roots in its splitting field over Fq . Thus each monic irreducible
polynomial over Fq whose degree divides n occurs exactly once in the canonical factorization of g
in Fq [x].
Example 7.7
Take q = n = 2; the monic irreducible polynomials over F2 [x] whose degrees divide 2 are x, x + 1
and x2 + x + 1. It is easily seen that x(x + 1)(x2 + x + 1) = x4 + x = x4 x.
Corollary 7.8
If Nq (d) is the number of monic irreducible polynomials in Fq [x] of degree d, then
X
qn = dNq (d) for all n N,
d|n
This corollary allows us to obtain an explicit formula for the number of monic irreducible poly-
nomials in Fq [x] of a given degree. To do so, we need the following arithmetic function, which will
also prove useful in the next chapter.
Definition 7.9
The Moebius function is the function on N defined by
1
if n = 1;
(n) = (1)k if n is the product of k distinct primes
0 if n is divisible by the square of a prime.
Example 7.10
(i)(5) = 1; (ii)(35) = 1; (iii)(50) = 0.
Lemma 7.11
For n N, the Moebius function satisfies
(
X 1 if n = 1
(d) =
d|n
0 if n > 1.
Proof. The n = 1 case is immediate. For n > 1 we need only consider the positive divisors d of
n for which (d) is non-zero, namely those d for which d = 1 or d is a product of distinct primes.
If p1 , . . . , pk are the distinct prime divisors of n then
X k
X X
(d) = (1) + (pi ) + (pi1 pi2 ) + + (p1 p2 . . . pk )
d|n i=1 1i1 <i2 k
k k 2 k
= 1+ (1) + (1) + + (1)k
1 2 k
= (1 + (1))k = 0.
7. IRREDUCIBLE POLYNOMIALS 29
Multiplicative version: let h and H be two functions from N into a multiplicatively written
abelian group G. Then
Y
H(n) = h(d) for all n N (3.3)
d|n
if and only if Y n Y n
h(n) = H(d)( d ) = H( )(d) for all n N. (3.4)
d
d|n d|n
Proof. Additive version: we prove the forward implication; the converse is similar and is left as
an exercise. Assume the first identity holds. Using Lemma 7.11, we get
X n X n X X
( )H(d) = (d)H( ) = (d) h(c)
d d n
d|n d|n d|n c| d
XX X X
= (d)h(c) = h(c) (d) = h(n)
c|n d| nc c|n d| nc
for all n N.
Multiplicative version: immediate upon replacing sums by products and multiples by powers.
We can now apply this result as follows.
Theorem 7.13
The number Nq (n) of monic irreducible polynomials in Fq [x] of degree n is given by
1X n d 1X n
Nq (n) = ( )q = (d)q d .
n d n
d|n d|n
Proof. Apply the additive case of the Moebius Inversion Formula to the group G = (Z, +). Take
h(n) = nNq (n) and H(n) = q n for all n N. By Corollary 7.8, the identity (3.1) is satisfied, and
so the result follows.
Remark 7.14
Since it is clear from this formula that Nq (n) is greater than zero for all n, this gives an alternative
proof of Theorem 6.14.
Example 7.15
The number of monic irreducibles in Fq [x] of degree 12 is given by
1
Nq (12) = ((1)q 12 + (2)q 6 + (3)q 4 + (4)q 3 + (6)q 2 + (12)q)
12
1
= (1.q 12 + (1)q 6 + (1)q 4 + 0.q 3 + 1.q 2 + 0.q)
12
1 12
= (q q 6 q 4 + q 2 ).
12
30 CHAPTER 3. FINITE FIELDS
We can also obtain a formula for the product of all monic irreducible polynomials in Fq [x] of
fixed degree.
Theorem 7.16
The product I(q, n; x) of all monic irreducible polynomials in Fq [x] of degree n is given by:
Y d n Y nd
I(q, n; x) = (xq x)( d ) = (xq x)(d) .
d|n d|n
Now apply Moebius Inversion in the multiplicative form to the multiplicative group G of non-zero
n
rational functions over Fq . Take h(n) = I(q, n; x) and H(n) = xq x to get the desired formula.
Example 7.17
Take q = 2 and n = 4. Then the product of all monic irreducible quartics in F2 [x] is:
Definition 8.1
Let n N. The splitting field of xn 1 over a field K is called the nth cyclotomic field over K and
denoted by K (n) . The roots of xn 1 in K (n) are called the nth roots of unity over K and the set
of all these roots is denoted by E (n) .
The following result, concerning the properties of E (n) , holds for an arbitrary (not just a finite!)
field K.
Theorem 8.2
Let n N and K a field of characteristic p (where p may take the value 0 in this theorem). Then
(i) If p - n, then E (n) is a cyclic group of order n with respect to multiplication in K (n) .
(ii) If p | n, write n = mpe with positive integers m and e and p - m. Then K (n) = K (m) ,
E (n) = E (m) and the roots of xn 1 are the m elements of E (m) , each occurring with
multiplicity pe .
Proof.
(i) The n = 1 case is trivial. For n 2, observe that xn 1 and its derivative nxn1 have no
common roots; thus xn 1 cannot have multiple roots and hence E (n) has n elements. To see
that E (n) is a multiplicative group, take , E (n) : we have ( 1 )n = n ( n )1 = 1
and so 1 E (n) . It remains to show that the group E (n) is cyclic; this can be proved by
an analogous argument to the proof of Theorem 6.9 (exercise: fill in details).
e e
(ii) Immediate from xn 1 = xmp 1 = (xm 1)p and part (i).
Definition 8.3
Let K be a field of characteristic p and n a positive integer not divisible by p. Then a generator of
the cyclic group E (n) is called a primitive nth root of unity over K.
31
32 CHAPTER 4. FINITE FIELDS: FURTHER PROPERTIES
By Theorem 1.13, E (n) has (n) generators, i.e. there are (n) primitive nth roots of unity over
K. Given one such, say, the set of all primitive nth roots of unity over K is given by
{ s : 1 s n, gcd(s, n) = 1}.
We now consider the polynomial whose roots are precisely this set.
Definition 8.4
Let K be a field of characteristic p, n a positive integer not divisible by p and a primitive nth root
of unity over K. Then the polynomial
n
Y
Qn (x) = (x s )
s=1
(s,n)=1
is called the nth cyclotomic polynomial over K. It is clear that Qn (x) has degree (n).
Theorem 8.5
Let K be a field of characteristic p and n a positive integer not divisible by p. Then
(i) xn 1 = d|n Qd (x);
Q
(ii) the coefficients of Qn (x) belong to the prime subfield of K (and in fact to Z if the prime
subfield is Q).
Proof. (i) Each nth root of unity over K is a primitive dth root of unity over K for exactly one
positive divisor d of n. Specifically, if is a primitive nth root of unity over K and s is an arbitrary
nth root of unity over K, then d = n/gcd(s, n), i.e. d is the order of s in E (n) . Since
n
Y
xn 1 = (x s ).
s=1
we obtain the result by collecting together those factors (x s ) for which s is a primitive dth root
of unity over K.
(ii) Proved by induction on n. It is clearly true for Q1 (x) = x 1. Let n > 1 and suppose it is true
for all Qd (x) where 1 d < n. By (i),
xn 1
Qn (x) = Q .
d|n,d<n Qd (x)
By the induction hypothesis, the denominator is a polynomial with coefficients in the prime subfield
of K (or Z if charK = 0). Applying long division yields the result.
Example 8.6
Let n = 3, let K be any field with charK 6= 3, and let be a primitive cube root of unity over K.
Then
Q3 (x) = (x )(x 2 ) = x2 ( + 2 )x + 3 = x2 + x + 1.
Example 8.7
Let r be a prime and let k N. Then
k1 k1 k1
Qrk (x) = 1 + xr + x2r + + x(r1)r
since k k
xr 1 xr 1
Qrk (x) = = rk1
Q1 (x)Qr (x) Qrk1 (x) x 1
by Theorem 8.5 (i). When k = 1, we have Qr (x) = 1 + x + x2 + + xr1 .
8. ROOTS OF UNITY IN FINITE FIELDS 33
In fact, using the Moebius Inversion Formula, we can establish an explicit formula for the nth
cyclotomic polynomial Qn , for every n N.
Theorem 8.8
For a field K of characteristic p and n N not divisible by p, the nth cyclotomic polynomial Qn
over K satisfies Y n Y n
Qn (x) = (xd 1)( d ) = (x d 1)(d) .
d|n d|n
Proof. Apply the multiplicative form of the Mobius Inversion Formula (Theorem 7.12) to the
multiplicative group G of non-zero rational functions over K. Take h(n) = Qn (x) and H(n) =
xn 1 for all n N. By Theorem 8.5, the identity (3.3) is satisfied, and so applying Moebius
Inversion yields the desired formula.
Example 8.9
Let n = 12, and let K be any field over which Q12 is defined. Then
Y 12
Q12 (x) = (x d 1)(d)
d|12
= (x12 1)(1) (x6 1)(2) (x4 1)(3) (x3 1)(4) (x2 1)(6) (x 1)(12)
(x12 1)(x2 1)
= = x4 x2 + 1.
(x6 1)(x4 1)
Before the next theorem, we make a definition.
Definition 8.10
Let n be a positive integer and b an integer relatively prime to n. Then the least positive integer k
such that n|bk 1 (equivalently, bk 1 mod n) is called the multiplicative order of b modulo n,
and denoted ordn (b).
Example 8.11
(i) ord8 (5) = 2; (ii) ord31 (2) = 5; (iii) ord9 (4) = 3.
Theorem 8.12
The cyclotomic field K (n) is a simple algebraic extension of K. Moreover, if K = Fq with
gcd(q, n) = 1, and d = ordn (q), then
Qn factors into (n)/d distinct polynomials in K[x] of the same degree d;
[K (n) : K] = d.
Proof. If there exists a primitive nth root of unity over K, then K (n) = K(). Otherwise, we
have the situation of Theorem 8.2 (ii); here K (n) = K (m) and the first result again holds.
Now let K be the finite field Fq , assume gcd(q, n) = 1, such that primitive nth roots of unity
over Fq exist. Let be one of them. Then
k
Fqk q = q k 1 mod n.
The smallest positive integer for which this holds is k = d, so is in Fqd but not in any proper
subfield. Thus the minimal polynomial of over Fq has degree d. Since was an arbitrary root of
Qn (x), the result follows, because we can successively divide by the minimal polynomials of the
roots of Qn (x).
34 CHAPTER 4. FINITE FIELDS: FURTHER PROPERTIES
Example 8.13
Take q = 11 and n = 12.
From Example 8.9, we have K = F11 and Q12 (x) = x4 x2 + 1 F11 [x]. We are interested
in K (12) .
So, Q12 (x) factors into (12)/2 = 4/2 = 2 monic quadratics, both irreducible over F11 [x],
and the cyclotomic field K (12) = F121 .
We can check that the factorization is in fact Q12 (x) = (x2 + 5x + 1)(x2 5x + 1).
The following result, which ties together cyclotomic and finite fields, is very useful.
Theorem 8.14
The finite field Fq is the (q 1)st cyclotomic field over any one of its subfields.
Proof. Since the q 1 non-zero elements of Fq are all the roots of the polynomial xq1 1,
this polynomial splits in Fq . Clearly, it cannot split in any proper subfield of Fq , so that Fq is the
splitting field of xq1 1 over any one of its subfields.
Find the decomposition of the (q 1)st cyclotomic polynomial Qq1 Fp [x] into irreducible
factors in Fp [x], which are all of the same degree.
A root of any of these factors is a primitive (q 1)st root of unity over Fp , and hence a
primitive element of Fq .
Example 9.1
Consider the field F9 .
(8)
F9 = F3 , the eighth cyclotomic field over F3 .
As in Example 8.7,
x8 1
Q8 (x) = = x4 + 1 F3 [x].
x4 1
Its decomposition into irreducible factors in F3 [x] is
We can now ask: how does this new representation for F9 correspond to our earlier viewpoint,
where F9 was considered as a simple algebraic extension of F3 of degree 2, obtained by adjoining a
root of an irreducible quadratic?
9. USING CYCLOTOMIC POLYNOMIALS 35
Example 9.2
Consider the polynomial f (x) = x2 + 1 F3 [x]. This quadratic is irreducible over F3 . So we can
build F9 by adjoining a root of f (x) to F3 . Then f () = 2 + 1 = 0 in F9 , and the nine elements
of F9 are given by {0, 1, 2, , + 1, + 2, 2, 2 + 1, 2 + 2}.
Now, note that the polynomial x2 + x + 2 F3 [x], from Example 9.1, has = 1 + as a root.
So, the elements in the two representations of F9 correspond as in the following table
i i
1 1+
2 2
3 1 + 2
4 2
5 2 + 2
6
7 2+
8 1
Another use of cyclotomic polynomials is that they help us to determine irreducible polynomi-
als.
Theorem 9.3
Let I(q, n; x) be (as in Theorem 7.16) the product of all monic irreducible polynomials in Fq [x] of
degree n. Then for n > 1 we have
Y
I(q, n; x) = Qm (x),
m
where the product is extended over all positive divisors m of q n 1 for which n is the multiplicative
order of q modulo m, and where Qm (x) is the mth cyclotomic polynomial over Fq .
Proof.
For n > 1, let S be the set of elements of Fqn that are of degree n over Fq . Then every
S has a minimal polynomial over Fq of degree n and is therefore a root of I(q, n; x).
Conversely, if is a root of I(q, n; x), then is a root of some monic irreducible polynomial
in Fq [x] of degree n, implying S. Thus
Y
I(q, n; x) = (x ).
S
Now, Sm contains precisely all elements of Fqn of order m. So Sm is the set of primitive mth
roots of unity over Fq . From the definition of cyclotomic polynomials, we have
Y
(x ) = Qm (x),
Sm
Example 9.4
We determine all monic irreducible polynomials in F3 [x] of degree 2.
Here q = 3 and n = 2, so q n 1 = 8 and 2 = ordm (3) for divisors m = 4 and m = 8 of
q n 1. Thus from Theorem 9.3 we have
I(3, 2; x) = Q4 (x)Q8 (x).
From Theorem 8.12, we know that Q4 (x) factors into (4)/2 = 1 monic irreducible quadratic
over F3 , while Q8 (x) factors into (8)/2 = 2 monic irreducible quadratics over F3 .
By Theorem 8.8,
Y 4 x4 1
Q4 (x) = (x d 1)(d) = 2 = x2 + 1,
x 1
d|4
while
Q8 (x) = x4 + 1 = (x2 + x + 2)(x2 + 2x + 2)
as in Example 9.1. Thus the irreducible polynomials in F3 [x] of degree 2 are x2 +1, x2 +x+2
and x2 + 2x + 2.
Example 9.5
We determine all monic irreducible polynomials in F2 [x] of degree 4.
Here q = 2 and n = 4, so q n 1 = 15 and 4 = ordm (2) for divisors m = 5 and m = 15 of
q n 1. Thus from Theorem 9.3 we have
I(2, 4; x) = Q5 (x)Q15 (x).
From Theorem 8.12, we know that Q5 (x) factors into (5)/4 = 1 monic irreducible quartic
over F2 , while Q15 (x) factors into (15)/4 = 8/4 = 2 monic irreducible quartics over F2 .
By Theorem 8.8,
Y 5 x5 1
Q5 (x) = (x d 1)(d) = = x4 + x3 + x2 + x + 1
x1
d|5
and
Y 15
Q15 (x) = (x d 1)(d)
d|15
(x15 1)(x 1)
=
(x5 1)(x3 1)
x10 + x5 + 1
=
x2 + x + 1
= x8 + x7 + x5 + x4 + x3 + x + 1.
We note that Q5 (x + 1) = x4 + x3 + 1 is also irreducible in F2 [x] (since Q5 is and shifting by
a constant preserves irreducibility) and hence must divide Q15 (x) (from the above we know
that every irreducible polynomial of degree 4 over F2 either divides Q5 or Q15 ), leading to
the factorization
Q15 (x) = (x4 + x3 + 1)(x4 + x + 1).
Thus the irreducible polynomials in F2 [x] of degree 4 are x4 + x3 + x2 + x + 1, x4 + x3 + 1
and x4 + x + 1.
Chapter 5
10 Automorphisms
In this chapter, we will once again adopt the viewpoint that a finite extension F = Fqm of a finite
field K = Fq is a vector space of dimension m over K.
In Theorem 7.3 we saw that the set of roots of an irreducible polynomial f Fq [x] of degree m
2 m1
is the set of m distinct elements , q , q , . . . , q of Fqm .
Definition 10.1
m1
Let Fqm be an extension of Fq and let Fqm . The elements , q , . . . , q are called the
conjugates of with respect to Fq .
Remark 10.2
The conjugates of Fqm with respect to Fq are distinct if and only if the minimal polyno-
mial g of over Fq has degree m.
Otherwise, the degree d of the minimal polynomial g of over Fq is a proper divisor of m, and
d1
in this case the conjugates of with respect to Fq are the distinct elements , q , . . . , q ,
each repeated m/d times.
Theorem 10.3
The conjugates of Fq with respect to any subfield of Fq have the same order in the group Fq .
Proof. Apply Theorem 1.13 to the cyclic group Fq , using the fact that every power of the charac-
teristic of Fq is coprime to the order q 1 of Fq .
Corollary 10.4
If is a primitive element of Fqm , then so are all its conjugates with respect to Fq .
Example 10.5
Expressing F4 as F2 () = {0, 1, , + 1}, where 2 + + 1 = 0, we saw in Example 6.11 that is
a primitive element of F4 . The conjugates of F4 with respect to F2 are and 2 ; from Example
6.11, 2 = + 1 is also a primitive element.
Example 10.6
Let F16 be a root of f = x4 + x + 1 F2 [x]. Then the conjugates of with respect to F2 are
, 2 , 4 = + 1, 8 = 2 + 1, and all of these are primitive elements of F16 . The conjugates of
with respect to F4 are and 4 = + 1.
37
38 CHAPTER 5. AUTOMORPHISMS AND BASES
We next explore the relationship between conjugate elements and certain automorphisms of a
finite field.
Definition 10.7
An automorphism of Fqm over Fq is an automorphism of Fqm which fixes the elements of Fq
pointwise. Thus, is a one-to-one mapping from Fqm onto itself with
( + ) = () + ()
and
() = ()()
for all , Fqm and
(a) = a for all a Fq .
This definition may look familiar to anyone who has studied Galois theory!
Theorem 10.8
The distinct automorphisms of Fqm over Fq are precisely the mappings 0 , 1 , . . . , m1 defined
by
j
j () = q
for Fqm and 0 j m 1.
Proof. We first establish that the mappings j are automorphisms of Fqm over Fq .
Now, suppose is an arbitrary automorphism of Fqm over Fq ; we show that it is in fact j for
some 0 j m 1.
Let be a primitive element of Fqm and let f = xm + am1 xm1 + + a0 Fq [x] be its
minimal polynomial over Fq . Then
0 = ( m + am m1 + + a0 )
= ()m + am1 ()m1 + + a0 ,
j
so that () is a root of f in Fqm . By Theorem 7.3, we must have () = q for some j,
j
0 j m 1. Since is a homomorphism and primitive, we get that () = q for all
Fq m .
Hence the conjugates of Fqm are obtained by applying all automorphisms of Fqm over Fq
to the element .
Remark 10.9
The automorphisms of Fqm over Fq form a group under composition of mappings, called the Galois
group of Fqm over Fq and denoted Gal(Fqm /Fq ). From Theorem 10.8, this group of automorphisms
is a cyclic group of order m, generated by 1 .
11. TRACES AND NORMS 39
Definition 11.1
For F , the trace TrF/K () of over K is defined by
g = xm + am1 xm1 + + a0
m1
= (x )(x q ) (x q ).
TrF/K () = am1 .
Theorem 11.3
Let K = Fq and let F = Fqm . Then the trace function TrF/K satisfies the following properties.
(iii) For all F we have TrF/K () K; this follows from the discussion above, or immedi-
ately from
m1
(TrF/K ())q = ( + q + + q )q
m1
= q + + q +
= TrF/K ().
Combining this with (i) and (ii) shows that TrF/K is a K-linear transformation from F into
K. To show that it is surjective, it suffices to demonstrate that there exists some F with
m1
TrF/K () 6= 0. We have TrF/K () = 0 is a root of xq + + xq + x K[x] in F ; since
this polynomial has at most q m1 m
roots in F whereas F has q elements, the result follows.
i
(iv) By Lemma 7.3, aq = a for all a K and i 0, and the result follows.
m
(v) For F we have q = , and so
2 m
TrF/K (q ) = q + q + + q = TrF/K ().
In fact, the trace function provides a description for all linear transformations from F into K, in
the following sense.
Theorem 11.4
Let F be a finite extension of the finite field K (both viewed as vector spaces over K). Then
the K-linear transformations from F into K are precisely the mappings L ( F ) given by
L () = TrF/K () for all F . Moreover, if , are distinct elements of F then L 6= L .
for all E.
11. TRACES AND NORMS 41
Definition 11.6
For F = Fqm and K = Fq , the norm NF/K () of over K is defined by
Comparing this definition with the characteristic polynomial g of over K, as before, we see
that
NF/K () = (1)m a0 .
In particular, NF/K () is always an element of K.
Theorem 11.7
Let K = Fq , and F its degree m extension. The norm function NF/K satisfies the following
properties:
onto K.
(iii) Result is immediate upon noting that, for a K, all conjugates of a are equal to a.
(iv) By (i), NF/K (q ) = NF/K ()q ; by (ii), NF/K () K and so NF/K ()q = NF/K ().
for all E.
q mn 1
= q1 = NE/K ().
42 CHAPTER 5. AUTOMORPHISMS AND BASES
Definition 12.1
Let K = Fq and F = Fqm .
A polynomial basis of F over K is a basis of the form {1, , 2 , . . . , m1 }, where is a
defining element of F over K.
We can always insist that the element is a primitive element of F , since by Theorem 6.12, every
primitive element of F can serve as a defining element of F over K.
Example 12.2
Let K = F3 and F = F9 . Then F is a simple algebraic extension of K of degree 2, obtained by
adjoining an appropriate to K. Let be a root of the irreducible polynomial x2 + 1 K[x]; then
{1, } is a polynomial basis for F over K. However, is not primitive since 4 = 1. Now let be
a root of x2 + x + 2; then {1, } is another polynomial basis for F over K, and is a primitive
element of F .
Definition 12.3
m1
Let K = Fq and F = Fqm . A normal basis of F over K is a basis of the form {, q , . . . , q },
consisting of a suitable element F and all its conjugates with respect to K. Such an is called
a free or normal element.
Example 12.4
Let K = F2 and F = F8 . Let F8 be a root of the irreducible polynomial x3 + x2 + 1 in F2 [x].
Then B = {, 2 , 1 + + 2 } is a basis of F8 over F2 . Since 4 = 1 + + 2 , this is in fact
a normal basis for F over K. To the contrary, let F be a root of the irreducible polynomial
x3 + x + 1 K[x]. Then the conjugates {, 2 , 2 + } of do not form a basis of K.
a1 1 (g) + . . . + am m (g) 6= 0.
Definition 12.6
If T is a linear operator on a finite dimensional vector space V over an arbitrary field K, then
a polynomial f = an xn + + a1 x + a0 K[x] is said to annihilate T if an T n + +
a1 T + a0 I = 0, where I and 0 are the identity and zero operator on V , respectively.
The uniquely determined monic polynomial of least degree with this property is called the
minimal polynomial for T . It divides any other polynomial in K[x] which annihilates T .
12. BASES AND THE NORMAL BASIS THEOREM 43
Applications to Cryptography
Definition 13.1
Let G be a cyclic group and x G a generator. The discrete logarithm problem (DLP) is the
following: Given y G, find k Z with y = xk and 0 k < |G|.
Remark 13.2
Since x is a generator, such a k always exists and is uniquely defined.
Remark 13.3
The difficulty of the DLP depends on the representation of G. For example if G = Z/mZ with
addition as operation, then for x = 1 the result k is just equal to y, so it can be read off readily from
the input. Even for other x with gcd(x, m) = 1 it is an easy calculation to find k for any given y.
However, if G = Fq for some prime power q with multiplication as the operation, then the DLP is
much more difficult.
Preparations:
44
13. THE DIGITAL SIGNATURE ALGORITHM 45
Signing documents:
Let m be a document, use a secure hash function H to compute H(m) {0, 1, . . . , q 1}.
Verification of signatures:
Correctness: By the definition of w and s it follows that k H(m)w + xrw (mod q). Thus
x (s k H(m)) r1 (mod q)
Even knowing that the same k was used twice producing signatures (r, s) for m and (r0 , s0 ) for m0
leads to an attack:
x (s k H(m)) r1 (mod q)
0 0 01
x (s k H(m )) r (mod q)
gives
(s k H(m)) r1 (s0 k H(m0 )) r01 (mod q)
and this allows to compute k and thus x.
Even knowing a few bits of the binary expansion of k in a few signatures could be enough to break
the signature scheme.
46 CHAPTER 6. APPLICATIONS TO CRYPTOGRAPHY
H takes a block of data of arbitrary length and returns a fixed length result (e.g. 160 bit).
Given m (and thus H(m)), it is infeasible to modify m to m0 such that H(m) = H(m0 )
(second preimage resistance).
It is infeasible to find two different messages m1 and m2 with H(m) (collision resistance).
In summary: A cryptographic hash function should be as random as possible, while still being
deterministic and efficiently computable.
Remark 13.4
Note that the length of the result gives an approximate upper bound for the strength of the preimage
resistance and second preimage resistance. The half of the length of the result gives an approximate
upper bound for the strength of the collision resistance due to the birthday paradox. Difficulty or
infeasibility is usually measured by complexity theory (upper bound for the runtime in terms of
the input size).
Algorithm 13.6
The trivial method is trial multiplication: Given y G, simply try k = 1, 2, . . . , n, compute xk
and compare with y. If n = |G| 2` , then storing a group element needs approximately ` bits. In
the worse case, this needs n multiplications, which is exponential in `.
Algorithm 13.7
A fairly simple extension of this is the Baby-step Giant-step algorithm: Let m := d ne, imagine
k = im + j. Compute and store all xj for 1 j m, if y is among them the solution is found.
Otherwise, compute y, yxm , yx2m , . . . (each with one multiplication) and try to find it amongst the
stored xj . This finds the solution after at most 2m multiplications but uses memory for m group
elements.
Algorithm 13.8
The memory requirements can be reduced by Pollards rho algorithm for discrete logarithms:
Assume we know y = xk and x and want to find k. We try to find a, b, A, b Z with xa y b = xA y B ,
then
(b B)k = (A a) (mod n),
13. THE DIGITAL SIGNATURE ALGORITHM 47
Remark 13.9
Both these methods are generic, they do not use any special representation of the cyclic group. Both
have a runtime of n, so they are still exponential in the input length log n.
Remark 13.10
There is an efficient procedure by Peter Shor that uses a (so for non-existing) quantum computer.