J. Symbolic Computation (1990) 10, 547-570

Constructing normal bases in finite fields

JOACHIM VON ZUR GATHEN, MARK GIESBRECHT

Department of Computer Science, University of Toronto, Toronto, Ontario M5S 1A4, Canada
gathen@theory.toronto.edu, mwg@theory.toronto.edu

(Received 6 June 1989)

An efficient probabilistic algorithm to find a normal basis in a finite field is presented. It can, in fact, find an element of arbitrary prescribed additive order. It is based on a density estimate for normal elements. A similar estimate yields a probabilistic polynomial-time reduction from finding primitive normal elements to finding primitive elements.

1. Introduction

If $F_q \subseteq F_{q^n}$ are finite fields, $\alpha \in F_{q^n}$, and the conjugates $\alpha, \alpha^q, \alpha^{q^2}, \ldots, \alpha^{q^{n-1}}$ of $\alpha$ form a basis for $F_{q^n}$ as a vector space over $F_q$, then this is called a normal basis. We call $\alpha$ a normal element (of $F_{q^n}$ over $F_q$). Normal bases are useful for implementing fast arithmetic in $F_{q^n}$, in particular exponentiation. Of special interest is $q = 2$ and $n$ reasonably large; as an example, the Diffie & Hellman key exchange is based on exponentiation in $F_{2^n}$. Algorithms and possible MOS implementations are given in Laws & Rushforth 1971, Wang et al. 1985, Beth et al. 1986, Agnew et al. 1988, Stinson 1990. The basic assumption in that work is that computing $q$th powers in $F_{q^n}$ is for free (i.e., of negligible cost compared to a general multiplication in $F_{q^n}$; only $q = 2$ is considered). The assumption can be justified if a normal element is given, since then for an arbitrary

We will show that a randomly chosen element of $F_{q^n}$ is normal over $F_q$ with probability $\Omega(1/\log_q n)$.

We denote by $I_q$ the set of monic irreducible polynomials of positive degree in $F_q[x]$. For $m \ge 1$, let $N_q(m)$ be the number of monic irreducible polynomials of degree $m$ in $F_q[x]$, and
$$\frac{q^m}{m} - \frac{q\,(q^{m/2} - 1)}{m\,(q-1)} \le N_q(m) \le \frac{q^m}{m} \qquad (3.1)$$
(Lidl & Niederreiter 1983, Exercises 3.26 and 3.27). For $f \in F_q[x]$ and $f \notin F_q$, let

$$|f| = \#(F_q[x]/(f)) = q^{\deg f}$$
be the number of elements of the residue class ring of $F_q[x]$ modulo $f$. The analogue of Euler's totient function for integers is the number $\Phi_q(f)$ of polynomials in $F_q[x]$ of smaller degree than $f \in F_q[x]$ which are relatively prime to $f$. This is the number of units in $F_q[x]/(f)$, and (Lidl & Niederreiter 1983, Lemma 3.69 and Theorem 3.73)
$$\Phi_q(f) = |f| \prod_{\substack{g \in I_q \\ g \mid f}} \left(1 - |g|^{-1}\right). \qquad (3.2)$$
In particular, the number $\nu(n, q)$ of normal elements of $F_{q^n}$ over $F_q$ is
$$\nu(n, q) = \Phi_q(x^n - 1).$$

Our objective is to give a lower bound of $\Omega(1/\log_q n)$ on $\Phi_q(f)/|f|$ for an $f \in F_q[x]$ of degree $n$. This immediately shows the required lower bound for normal elements. We will make use of the following lemma adapted from Apostol (1976), Theorem 3.2(a).

LEMMA 3.1. For $x \ge 1$,
$$\sum_{n \le x} \frac{1}{n} \le \log_e x + C + \frac{1}{x},$$
where $C \approx 0.577216$ is Euler's constant.

PROOF. Using Euler's summation formula (see Apostol 1976, Theorem 3.1), we find
$$\sum_{n \le x} \frac{1}{n} = \int_1^x \frac{dt}{t} - \int_1^x \frac{t - \lfloor t \rfloor}{t^2}\,dt + 1 - \frac{x - \lfloor x \rfloor}{x} = \log_e x + 1 - \int_1^x \frac{t - \lfloor t \rfloor}{t^2}\,dt - \frac{x - \lfloor x \rfloor}{x}$$
$$\le \log_e x + 1 - \int_1^\infty \frac{t - \lfloor t \rfloor}{t^2}\,dt + \int_x^\infty \frac{t - \lfloor t \rfloor}{t^2}\,dt \le \log_e x + C + \frac{1}{x},$$
since $0 \le t - \lfloor t \rfloor < 1$ gives $\int_x^\infty (t - \lfloor t \rfloor)\,t^{-2}\,dt \le 1/x$, and where
$$C = 1 - \int_1^\infty \frac{t - \lfloor t \rfloor}{t^2}\,dt$$
is Euler's constant (see Apostol 1976, p. 53). $\square$

We will need the following two lemmas.

554

J. von zur Gathen and M. Giesbrecht

LEMMA 3.2. If
$$V(q) = \sum_{i \ge 2} \sum_{d \ge 1} \frac{1}{i\,d\,q^{(i-1)d}},$$
then for any $q \ge 2$ we have $V(q) < q^{-1}$.

PROOF. By expanding the sum we can write $V(q) = U(q) + E(q)$, where $U(q)$ collects the terms with $(i-1)d \le 9$ and $E(q)$ the remaining ones:
$$U(q) = \frac{1}{2q} + \frac{7}{12q^2} + \frac{5}{12q^3} + \frac{59}{120q^4} + \frac{4}{15q^5} + \frac{233}{504q^6} + \frac{11}{56q^7} + \frac{257}{720q^8} + \frac{43}{180q^9},$$
$$E(q) = \sum_{\substack{i, d \in \mathbb{N} \\ id \ge 10}} \frac{1}{(i+1)\,d\,q^{id}} < \sum_{\substack{i, d \in \mathbb{N} \\ id \ge 10}} \frac{1}{i\,d\,q^{id}}.$$
For $n \ge 10$ there exist less than $n$ pairs $(i, d) \in \mathbb{N}^2$ such that $i \cdot d = n$. It follows that
$$E(q) < \sum_{n \ge 10} \frac{1}{q^n} = \frac{1}{q^9 (q-1)},$$
and that $V(q) < q^{-1}$ for $q \ge 2$. $\square$

LEMMA 3.3. Let

$$W(x) = \prod_{\substack{g \in I_q \\ |g| \le x}} \left(1 - |g|^{-1}\right).$$
For $x \ge q$, we have
$$W(x) > \frac{c - c/q}{\log_q x} - \frac{c}{\log_q^2 x},$$
where $c = e^{-C} \approx 0.56146$ and $C$ is Euler's constant.

PROOF. Let $b = \log_q x$. Since $x \ge q$, $W(x) \ne 0$ and we can consider the logarithm of $W(x)$:
$$\log_e W(x) = \sum_{\substack{g \in I_q \\ |g| \le x}} \log_e\left(1 - |g|^{-1}\right) = \sum_{1 \le d \le b} N_q(d) \log_e\left(1 - q^{-d}\right)$$

THEOREM 3.4.
$$> \frac{1}{16 \log_q n},$$
where $c = e^{-C}$ and $C$ is Euler's constant.

PROOF. For the upper bound,
$$\frac{\Phi_q(f)}{|f|} = \prod_{\substack{g \in I_q \\ g \mid f}} \left(1 - |g|^{-1}\right) \le 1 - |f|^{-1},$$
and equality is achieved when $f$ is irreducible in $F_q[x]$. To show the lower bound, for $1 \le n \le q$,
$$\prod_{\substack{g \in I_q \\ g \mid f}} \left(1 - |g|^{-1}\right) \ge \prod_{\substack{g \in I_q \\ g \mid f}} \left(1 - q^{-1}\right) \ge \left(1 - q^{-1}\right)^n \ge \left(1 - q^{-1}\right)^q \ge \tfrac{1}{4},$$
since $(1 - u^{-1})^u$ is an increasing function of $u$ for $u > 1$, and $q \ge 2$. If $n > q$, we write
$$\frac{\Phi_q(f)}{|f|} = \prod_{\substack{g \in I_q \\ g \mid f}} \left(1 - |g|^{-1}\right) = P_1 \cdot P_2,$$
where
$$P_1 = \prod_{\substack{g \in I_q,\ g \mid f \\ |g| \le n}} \left(1 - |g|^{-1}\right), \qquad P_2 = \prod_{\substack{g \in I_q,\ g \mid f \\ |g| > n}} \left(1 - |g|^{-1}\right).$$
We begin by examining $P_2$, and write
$$P_2 \ge \prod_{\substack{g \in I_q,\ g \mid f \\ |g| > n}} \left(1 - n^{-1}\right) = \left(1 - n^{-1}\right)^{\gamma},$$
where $\gamma = \#\{g \in I_q : g \mid f,\ |g| > n\}$. Since
$$q^n = |f| \ge \prod_{\substack{g \in I_q \\ g \mid f}} |g| \ge \prod_{\substack{g \in I_q,\ g \mid f \\ |g| > n}} |g| > n^{\gamma},$$
we find $\gamma < n/\log_q n$ and
$$P_2 > \left(1 - \frac{1}{n}\right)^{n/\log_q n},$$
which is an increasing function of $n$ for fixed $q$. We divide our analysis of the case $n > q$ into two subcases: $q < n < q^4$ and $q^4 \le n$. When $n > q$ then $P_2 > (1 - q^{-1})^q \ge 1/4$. For a better estimate when $n \ge q^4$, we use the fact that
$$\left(1 - \frac{1}{n}\right)^{n/\log_q n} > 1 - \frac{1}{\log_q n},$$
which is obtained by raising each side to the power of $\log_q n$. Thus, for $n \ge q^4$,
$$P_2 > 1 - \frac{1}{\log_q n}.$$
We now bound the function $P_1$ for $n > q$ by observing
$$P_1 = \prod_{\substack{g \in I_q,\ g \mid f \\ |g| \le n}} \left(1 - |g|^{-1}\right) \ge \prod_{\substack{g \in I_q \\ |g| \le n}} \left(1 - |g|^{-1}\right) = W(n) > \frac{c - c/q}{\log_q n} - \frac{c}{\log_q^2 n}$$
by Lemma 3.3, so that for $n \ge q^4$
$$\frac{\Phi_q(f)}{|f|} = P_1 P_2 > \left(\frac{c - c/q}{\log_q n} - \frac{c}{\log_q^2 n}\right)\left(1 - \frac{1}{\log_q n}\right) > \frac{q-1}{q} \cdot \frac{c}{\log_q n} - \frac{2c - c/q}{\log_q^2 n} = \frac{c}{\log_q n}\left(\frac{q-1}{q} - \frac{2 - q^{-1}}{\log_q n}\right).$$
This proves the first inequality claimed for $n \ge q^4$. Since $c = e^{-C} > 1/2$, and $\log_q n \ge 4$ when $n \ge q^4$, we have
$$\frac{\Phi_q(f)}{|f|} > \frac{q-1}{q} \cdot \frac{c}{\log_q n}\left(1 - \frac{2q-1}{(q-1)\log_q n}\right) \ge \frac{q-1}{q} \cdot \frac{c}{\log_q n}\left(1 - \frac{2q-1}{4(q-1)}\right) > \frac{1}{16 \log_q n}. \qquad \square$$
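Added example (not from the paper): Python code that computes $N_q(m)$ by the Möbius formula, checks the two-sided estimate (3.1) for small $q$ and $m$, evaluates the double sum $V(q)$ of Lemma 3.2 numerically, and compares $W(q^b)$ with the lower bound of Lemma 3.3. The Möbius routine, the truncation point of the double sum and the float tolerance in the (3.1) check are my own choices.

```python
from math import exp, sqrt

EULER_C = 0.5772156649          # Euler's constant C
c = exp(-EULER_C)               # c = e^{-C}, about 0.56146

def mobius(n):
    """Moebius function mu(n) by trial division (helper written for this example)."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:          # p^2 divides the original n
                return 0
            result = -result
        p += 1
    return -result if n > 1 else result

def N_q(q, m):
    """Number of monic irreducible polynomials of degree m over F_q: (1/m) sum_{d|m} mu(d) q^(m/d)."""
    return sum(mobius(d) * q ** (m // d) for d in range(1, m + 1) if m % d == 0) // m

def bounds_3_1_hold(q, m):
    """Check (3.1): (q^m - q(q^(m/2) - 1)/(q - 1))/m <= N_q(m) <= q^m/m (small float tolerance on the left)."""
    lower = (q ** m - q * (sqrt(q) ** m - 1) / (q - 1)) / m
    upper = q ** m / m
    return lower <= N_q(q, m) + 1e-9 and N_q(q, m) <= upper

def V(q, limit=80):
    """V(q) = sum_{i>=2} sum_{d>=1} 1/(i d q^((i-1)d)) of Lemma 3.2, truncated to (i-1)d <= limit;
    the dropped tail is below sum_{n>limit} q^(-n), negligible here."""
    total = 0.0
    for i in range(2, limit + 2):
        for d in range(1, limit + 1):
            if (i - 1) * d <= limit:
                total += 1.0 / (i * d * q ** ((i - 1) * d))
    return total

def W(q, b):
    """W(x) for x = q^b: product over monic irreducible g with |g| <= x (deg g <= b) of (1 - |g|^-1)."""
    w = 1.0
    for d in range(1, b + 1):
        w *= (1 - q ** (-d)) ** N_q(q, d)
    return w

def lemma_3_3_bound(q, b):
    """Right-hand side of Lemma 3.3 at x = q^b: (c - c/q)/b - c/b^2."""
    return (c - c / q) / b - c / b ** 2

if __name__ == "__main__":
    for q in (2, 3):
        print(q, [N_q(q, m) for m in range(1, 9)], V(q), W(q, 10), lemma_3_3_bound(q, 10))
```

For $q = 2$ the value of $V(2)$ lands just under $0.5$, so the bound $V(q) < q^{-1}$ of Lemma 3.2 is nearly tight there; the gap between $W(q^b)$ and the Lemma 3.3 bound, on the other hand, is comfortable for every $b$ tried.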

A similar lower bound also holds for the integer Euler function $\phi$, which we will make use of in Section 6.

FACT 3.5. For $n \ge 3$,
$$\frac{\phi(n)}{n} > \frac{c}{\log_e \log_e n}\left(1 - \frac{c\,c_1}{\log_e^2 \log_e n}\right),$$
where $c = e^{-C} \approx 0.56146$ and $c_1 = 2.5036$.

PROOF. From Rosser & Schoenfeld (1962), (3.41) and (3.42), we have
$$\frac{\phi(n)}{n} > \frac{c}{\lambda + c\,c_1/\lambda} = \frac{c}{\lambda} \cdot \frac{1}{1 + c\,c_1/\lambda^2} > \frac{c}{\lambda}\left(1 - \frac{c\,c_1}{\lambda^2}\right),$$
where $\lambda = \log_e \log_e n$ and $c_1 = 2.5036$. $\square$

This brings us to our bound on the probability of being normal.


COROLLARY 3.6. For $q$ a prime power and $n \ge 1$, the probability $\rho = \nu(q, n)\,q^{-n}$ of an element chosen randomly from $F_{q^n}$ being normal over $F_q$ satisfies $\rho \le 1 - q^{-1}$. If $n < q^4$, then $\rho \ge 1/34$ and, if $n \ge q^4$, then
$$\rho \ge \frac{c}{\log_q n}\left(1 - q^{-1} - \frac{2 - q^{-1}}{\log_q n}\right),$$
where $c = e^{-C}$ and $C$ is Euler's constant.

PROOF. Applying Theorem 3.4 with $f = x^n - 1$, and using the fact that $\rho = \Phi_q(x^n - 1)/q^n$ (Lidl & Niederreiter 1983, Theorem 3.73), the lower bound follows immediately. We see from (3.2) that $\Phi_q(x^n - 1)/q^n$ is maximized when $x^n - 1$ has only one irreducible factor; i.e., it is a power of $x - 1$ or, equivalently, $n$ is a power of $\operatorname{char} F_q$. Thus we have
$$\frac{\Phi_q(x^n - 1)}{q^n} \le \frac{\Phi_q((x - 1)^n)}{q^n} = 1 - q^{-1},$$
and equality is achieved when $n$ is a power of $\operatorname{char} F_q$. $\square$

COROLLARY 3.7. Let $n, q \in \mathbb{N}$, $q$ a prime power, $\rho = 1/34$ if $n < q^4$. Then

(i) We can choose $N = \rho q^n$ in Algorithm A. Then Theorem 2.1 holds with $k \le 1 + 2\rho^{-1} \log_e \epsilon^{-1}$, which is $O(\log_e \epsilon^{-1} \log_q n)$ for $n \ge q^4$.

(ii) Given a description of $F_q$ and an irreducible polynomial of degree $n$ in $F_q[x]$, a normal basis for $F_{q^n}$ over $F_q$ can be constructed by a probabilistic (Las Vegas) algorithm with failure probability at most $\epsilon$, using $O^\sim(n \log_e \epsilon^{-1})$ random choices in $F_q$, and $O^\sim(n^2 \log q \log_e \epsilon^{-1})$ arithmetic operations in $F_q$, if $\epsilon < q^{-1}$.

(iii) Given only a description of $F_q$ and an integer $n \ge 2$, we can probabilistically construct a normal basis for $F_{q^n}$ over $F_q$ using an expected number $O^\sim(n^2 \log q)$ operations in $F_q$.

PROOF. We use the notation of Section 2. By Corollary 3.6, we have $\nu(n, q) \ge \rho q^n$. With $N = \rho q^n$ we have in Theorem 2.1 $k - 1$ $\qquad$ $\log_e \epsilon^{-1}$


For an arbitrary real $x \ge q$, let $x_0 = q^{\lfloor \log_q x \rfloor} \le x$. Then $\vartheta_q(x) = \vartheta_q(x_0)$, and since the upper bound on $\vartheta_q$ for powers of $q$ is an increasing function on $\mathbb{R}$, it holds for any $x \ge q$. The lower bound is an increasing function of $x$ for $x \ge 49/16$. Using the fact that $x/q \le x_0$, when $x/q \ge 49/16$ the claimed lower bound follows. For $q \le x \le 49q/16$ the claim is easily verified. $\square$

We also make use of the prime number function $\pi(x) = \#\{p \le x \mid p \text{ prime}\}$. Rosser & Schoenfeld (1962), Theorem 1, gives the following bounds on $\pi$.

FACT 5.3. For any $x \ge 17$,



$$\frac{x}{\log_e x} < \pi(x) < \frac{x}{\log_e x}\left(1 + \frac{3}{2 \log_e x}\right).$$

The analogue of the number-theoretic function $\pi$ for a finite field $F_q$ is $\Pi_q(x) = \#\{g \in I_q : |g| \le x\}$ for $x \ge 1$. We will make use of the following function in the analysis of $\Pi_q$:
$$\Theta_q(x) = \sum_{1 \le d \le \log_q x} \frac{q^d}{d}$$
for $q \ge 2$ and $x \ge q$. It can be bounded from above as follows:

LEMMA 5.4. For any $x \ge q$ and $q \ge 2$,
$$\Theta_q(x) \le \frac{q}{q-1} \cdot \frac{x}{\log_q x}\Big(1 + \cdots\Big).$$

PROOF. First, suppose $x = q^b$ for some integer $b \ge 1$. For $1 \le b \le 6$ the claim can be verified directly by considering each side of the inequality as a function of $q$ alone. We omit the details. We prove the claim by induction on $b \ge 7$.

For any real $x \ge q$, let $x_0 = q^{\lfloor \log_q x \rfloor} \le x$. Note first that the right-hand side of the claimed bound is an increasing function of $x$ for $x \ge q^3$, so the claim, already proven for $x_0$, holds for all real $x \ge q^3$. It is easily verified that the claim holds for all real $x$ with $q \le x < q^3$ as well. $\square$

We will now show an analogue of the prime number theorem for $F_q[x]$. $\Pi_q(x)$ remains constant when $q^b \le x < q^{b+1}$ with $b \in \mathbb{N}$, and therefore we obtain sharp estimates for $\Pi_q(x)$ only when $x = q^b$ for some $b \in \mathbb{N}$.


THEOREM 5.5. For any prime power $q$, and $x = q^b$ for some integer $b \ge 1$,
$$\frac{q}{q-1} \cdot \frac{x}{\log_q x}\Big(1 - \cdots\Big) \le \Pi_q(x) \le \frac{q}{q-1} \cdot \frac{x}{\log_q x}\Big(1 + \cdots\Big).$$
For any real $x \ge q$, we have
$$\cdots \le \Pi_q(x) \le \cdots$$

PROOF. The lower bound follows from
$$\Pi_q(x) \log_q x = \sum_{\substack{g \in I_q \\ |g| \le x}} \log_q x \ge \sum_{\substack{g \in I_q \\ |g| \le x}} \deg g = \vartheta_q(x),$$
Suppose $x \ge 3989$ or $n \ge \exp(\vartheta(3989))$. Also by Fact 5.1,
$$\log_e n = \vartheta(x) > x\left(1 - \frac{1}{2 \log_e x}\right) > x\left(1 - \frac{1}{2 \log_e \log_e n + 2 \log_e 0.9}\right),$$
so that $x < (1 + u) \log_e n$ with $u = 1/(2 \log_e \log_e n + 2 \log_e 0.9 - 1) > 0$, since $x \ge 3989$ or $n \ge \exp(\vartheta(3989))$. Substituting this upper bound on $x$ into our upper bound for $\log_2 \delta(n)$ in terms of $x$, we get
$$\log_2 \delta(n) < \frac{(1 + u) \log_e n}{\log_e((1 + u) \log_e n)}\left(1 + \frac{3}{2 \log_e((1 + u) \log_e n)}\right) < \frac{\log_e n}{\log_e \log_e n}\left(1 + \frac{1.25 \log_e \log_e \log_e n}{\log_e \log_e n}\right)$$
for $n \ge \exp(\vartheta(3989))$. For $i \ge 1$, let $P_i$ be the product of the $i$ smallest primes. The number 3989 is the 550th smallest prime, so the claim holds for $n \ge P_{550}$. Using the computer algebra program MAPLE 4.3, we verified that the claim holds for $P_i$, where $3 \le i < 550$, and for $9 \le n < P_3 = 30$. This shows the claim is true for all integers $n \ge 9$. $\square$

The inequality of this theorem is false for $n = 8$. For polynomials over finite fields, the analogue of $\delta$ is as follows. For any prime power $q$, and any $f \in F_q[x]$, let $\Delta_q(f)$ be the number of distinct, monic, squarefree divisors of $f$ (including the divisor 1). We bound $\Delta_q$ from above in the next theorem, and show that this bound cannot be improved much.

THEOREM 5.7. Let $f \in F_q[x]$ of degree $n$. For $n \ge 1$, $\log_2 \Delta_q(f) \le n$. For $n > q$,
$$\log_2 \Delta_q(f) < \frac{n}{\log_q n}\left(1 + \frac{3.5 \log_e \log_e n}{\log_e n}\right).$$
Furthermore, for any fixed prime power $q$, there exist an infinite number of $f \in F_q[x]$ such that
$$\log_2 \Delta_q(f) > \frac{n}{2 \log_q n}, \qquad \text{where } n = \deg f.$$

PROOF. We begin with the upper bound. First note that $\log_2 \Delta_q(f)$ is the number of distinct divisors of $f$ in $I_q$. Suppose $f = g_1^{e_1} g_2^{e_2} \cdots g_k^{e_k}$ where $k, e_1, e_2, \ldots, e_k$ are positive integers and $g_1, g_2, \ldots, g_k \in I_q$ are pairwise distinct. If $f_0 = g_1 g_2 \cdots g_k$, then $\Delta_q(f) = \Delta_q(f_0)$, while $n_0 = \deg f_0 \le n$; if the claim fails for $f$, it also fails for $f_0$. We can therefore assume without loss of generality that $e_1 = \cdots = e_k = 1$. Now suppose $\deg g_1 \le \deg g_2 \le \cdots \le \deg g_k$ and $h \notin \{g_1, \ldots, g_k\}$ for some $h \in I_q$ with $\deg h < \deg g_k$, and let $f_1 = h g_1 \cdots g_{k-1}$. Once again $\Delta_q(f_1) = \Delta_q(f)$, and if the claim fails for $f$, it also fails for $f_1$ (because $\deg f_1 < \deg f$). Therefore, we can assume without loss of generality that, for all $h \mid f$ with $h \in I_q$, all $h_0 \in I_q$ with $\deg h_0 < \deg h$ also divide $f$. In other words, $f$ is the product of the maximum number of distinct irreducible polynomials for its degree.


If $1 \le n \le q$, $f$ is the product of linear polynomials in $F_q[x]$. Thus, $\log_2 \Delta_q(f) = n$. If $n > q$, we write $\log_2 \Delta_q(f) = P_1 + P_2$, where $f = g_1 \cdots g_k$,
$$P_1 = \sum_{\substack{1 \le i \le k \\ |g_i| \le \cdots}} 1, \qquad P_2 = \sum_{\substack{1 \le i \le k \\ |g_i| > \cdots}} 1.$$

For $n > 1619$, $h(q, n)$ is a decreasing function of $n$. Also, for $n > 1619$, $h(q, n)$ is an increasing function of $q$ for $q \ge 7$, and achieves its maximum with $q \ge 7$. To maximize $h$, we choose $q$ as large as possible. Since $\beta = n/\lambda_1 > q$, we have $h(q, n) < h(n/\lambda_1, n) = 3n/(n - \lambda_1) < 3.02$ for $n > 1619$. It follows that
$$\log_2 \Delta_q(f) < \frac{n}{\log_q n}\Big(1 + \cdots\Big) < \frac{n}{\log_q n}\left(1 + \frac{3.5 \log_e \log_e n}{\log_e n}\right)$$
for $n > 1619$. For $q < n \le 1619$, we verified the claim using the computer algebra system Maple 4.3.


To show that this upper bound cannot be improved much, let $q$ be a fixed prime power, $x = q^m$ for some integer $m \ge 2$, and
$$f = \prod_{\substack{g \in I_q \\ |g| \le x}} g.$$
Then
$$\log_2 \Delta_q(f) = \Pi_q(x) > \frac{q}{q-1} \cdot \frac{x}{\log_q x}\Big(1 - \cdots\Big)$$
by Theorem 5.5. This lower bound on $\Pi_q(x)$ is an increasing function of $x$ for $x \ge 4$. The degree $n$ of $f$ satisfies
$$n = \sum_{\substack{g \in I_q \\ |g| \le x}} \deg g = \vartheta_q(x) \le \frac{qx}{q-1} \cdots$$
This shows
$$\log_2 \Delta_q(f) \ge \cdots \ge \frac{n}{2 \log_q n},$$
using the fact that $\cdots < 4/\log_q n$ for all $n > q \ge 2$. $\square$

6. Finding primitive normal elements

Let $q$ be a prime power and $n$ a positive integer. The multiplicative group of $F_{q^n}$ is cyclic of order $q^n - 1$ (see Lidl & Niederreiter 1983, Theorem 2.8) and for any nonzero $\alpha \in F_{q^n}$, we define the multiplicative order as $\operatorname{ord}(\alpha) = \min\{d \in \mathbb{N},\ d \ge 1,\ \alpha^d = 1\}$. An element of order $q^n - 1$ is called primitive and we denote by $\mathcal{P}$ the set of all these. It is well known that there are $\phi(q^n - 1)$ primitive elements in $F_{q^n}$. There is no known general way to either generate or certify a primitive element in (probabilistic) polynomial time. Let $\mathcal{N}$ be the set of normal elements in $F_{q^n}$ over $F_q$. What is the probability that a randomly chosen element $\alpha \in F_{q^n}$ is simultaneously primitive and normal over $F_q$? This question was first addressed by Carlitz (1952) who showed in his statement (4.7) that
$$\varrho = \frac{|\mathcal{P} \cap \mathcal{N}|}{q^n} \ge \frac{\phi(q^n - 1)\,\Phi_q(x^n - 1)}{q^{2n}} - \frac{\delta(q^n - 1)\,\Delta_q(x^n - 1)}{q^{n/2}}. \qquad (6.1)$$
We will refer to the right hand side of this inequality as the Carlitz bound on the number of primitive normal elements. For sufficiently large fields $F_{q^n}$, this tends towards $|\mathcal{P}| \cdot |\mathcal{N}| / q^{2n}$. It was later shown by Davenport (1968) that for $q$ prime and $n \ge 2$ there exists a primitive normal element in $F_{q^n}$ over $F_q$. Lenstra & Schoof (1987) showed for all prime powers $q$ and $n \ge 2$ that there exists a primitive normal element in $F_{q^n}$ over $F_q$. We give a positive lower bound for $\varrho$ for all but a finite number of pairs $(q, n)$.
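Added example (not from the paper): Python code that evaluates $\rho = \Phi_q(x^n - 1)/q^n$ of Corollary 3.6 exactly, $\log_2 \Delta_q(x^n - 1)$ of Theorem 5.7, and the Carlitz bound (6.1). Instead of a general factoring routine it uses the cyclotomic structure of $x^n - 1$ (a standard fact not stated on this page): writing $n = p^a m$ with $\gcd(m, p) = 1$, $x^n - 1 = (x^m - 1)^{p^a}$, $x^m - 1 = \prod_{d \mid m} \Phi_d$, and the $d$-th cyclotomic polynomial $\Phi_d$ splits over $F_q$ into $\phi(d)/\operatorname{ord}_d(q)$ distinct irreducibles of degree $\operatorname{ord}_d(q)$. The trial-division factoring of $q^n - 1$ is my own simplification and is adequate only for the small parameters used here.

```python
from fractions import Fraction

def prime_factors(m):
    """Distinct prime factors of m by trial division (helper for this example; fine for small m)."""
    fs, p = set(), 2
    while p * p <= m:
        while m % p == 0:
            fs.add(p)
            m //= p
        p += 1 if p == 2 else 2
    if m > 1:
        fs.add(m)
    return fs

def euler_phi(m):
    """Integer Euler function phi(m)."""
    r = m
    for p in prime_factors(m):
        r = r // p * (p - 1)
    return r

def delta(m):
    """delta(m) = number of squarefree divisors of m = 2^(number of distinct prime factors)."""
    return 2 ** len(prime_factors(m))

def mult_order(q, d):
    """Multiplicative order of q modulo d; requires gcd(q, d) = 1."""
    if d == 1:
        return 1
    k, v = 1, q % d
    while v != 1:
        v, k = v * q % d, k + 1
    return k

def irreducible_factors_of_x_n_minus_1(q, n, p):
    """Distinct irreducible factors of x^n - 1 over F_q (p = char F_q) as a list of (degree, count).
    With n = p^a m, gcd(m, p) = 1: x^n - 1 = (x^m - 1)^(p^a), x^m - 1 = prod_{d | m} Phi_d, and
    Phi_d splits into phi(d)/ord_d(q) distinct irreducibles of degree ord_d(q)."""
    m = n
    while m % p == 0:
        m //= p
    out = []
    for d in range(1, m + 1):
        if m % d == 0:
            e = mult_order(q, d)
            out.append((e, euler_phi(d) // e))
    return out

def normal_density(q, n, p):
    """rho = Phi_q(x^n - 1)/q^n = product over distinct irreducible factors g of (1 - |g|^-1), by (3.2); exact."""
    rho = Fraction(1)
    for deg, cnt in irreducible_factors_of_x_n_minus_1(q, n, p):
        rho *= (1 - Fraction(1, q ** deg)) ** cnt
    return rho

def log2_delta_q(q, n, p):
    """log_2 Delta_q(x^n - 1) = number of distinct monic irreducible divisors of x^n - 1."""
    return sum(cnt for _, cnt in irreducible_factors_of_x_n_minus_1(q, n, p))

def carlitz_bound(q, n, p):
    """Right-hand side of (6.1): phi(q^n-1) Phi_q(x^n-1)/q^(2n) - delta(q^n-1) Delta_q(x^n-1)/q^(n/2)."""
    big = q ** n - 1
    main = Fraction(euler_phi(big), q ** n) * normal_density(q, n, p)
    error = delta(big) * 2 ** log2_delta_q(q, n, p) / q ** (n / 2)
    return float(main) - error

if __name__ == "__main__":
    for q, n, p in ((2, 7, 2), (2, 8, 2), (3, 4, 3), (2, 40, 2)):
        print(q, n, normal_density(q, n, p), log2_delta_q(q, n, p), carlitz_bound(q, n, p))
```

For $q = 2$, $n = 7$ the density is $49/128$ and for $n = 8$ (a power of the characteristic) it reaches the maximum $1 - q^{-1}$ of Corollary 3.6; the Carlitz bound is negative for such small fields and only becomes useful once $q^{n/2}$ dominates $\delta(q^n - 1)\,\Delta_q(x^n - 1)$, as at $n = 40$.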


THEOREM 6.1. Let $q$ be a prime power, $n \ge 2$, and $\varrho$ the probability that an element is primitive and normal in $F_{q^n}$ over $F_q$. Then

(i) if $n \ge 300$ and $n \ge q^4$, then $\varrho > 0.03/(\log_q n \cdot \log_e(n \log_e q))$,

(ii) if $n \ge 300$ and $n < q^4$, then $\varrho > 0.01/\log_e(n \log_e q)$,

(iii) if $300 \ge n \ge 2$ and $q \ge 2 \times 10^7$, then $\varrho > 0.003/\log_e(n \log_e q)$.

PROOF. Since our bounds on $\Phi_q$ and $\Delta_q$ from Theorems 3.4 and 5.7 depend upon the relationship between $q$ and $n$, our lower bound on $\varrho$ must be divided into a number of cases. First we examine the bounds for $\delta(q^n - 1)$ and $\phi(q^n - 1)$, which are valid when $q^n - 1 \ge 16$. We abbreviate $\lambda_1 = \log_e(q^n - 1)$, $\lambda_2 = \log_e \lambda_1$ and $\lambda_3 = \log_e \lambda_2$. By Theorem 5.6,
$$\log_2 \delta(q^n - 1) < \frac{\lambda_1}{\lambda_2}\left(1 + \frac{1.25 \lambda_3}{\lambda_2}\right) \le \frac{n \log_e q}{\lambda_2}\left(1 + \frac{1.25 \lambda_3}{\lambda_2}\right).$$
$$\varrho \ge \frac{s}{\lambda_2} \cdot \frac{\Phi_q(x^n - 1)}{q^n} - q^{\,n\left(r/\lambda_2 + \log_q \Delta_q(x^n - 1)/n - 1/2\right)} \qquad (6.2)$$
By Theorem 5.7, for $n \ge q$ and $n \ge 300$ we have
$$\log_q \Delta_q(x^n - 1) < \frac{n \log_q 2}{\log_q n}\left(1 + \frac{3.5 \log_e \log_e n}{\log_e n}\right). \qquad (6.3)$$
For case (i), $n \ge q^4$. Here, $\Phi_q(x^n - 1) > q^n/(16 \log_q n)$ by Theorem 3.4. In this case we have $r < 0.97$ and $s > 0.53$. Using (6.2) and (6.3) we find
$$\varrho > \frac{0.53}{16 \log_q n \cdot \lambda_2} - q^{\,n(0.97/\lambda_2 + 1.44/\log_e n - 1/2)} > \frac{0.033}{\log_q n \cdot \lambda_2} - q^{-0.035 n} > \frac{0.03}{\log_q n \cdot \lambda_2}.$$
For case (ii), when $n \ge 300$ and $n < q^4$ we consider two subcases. First, suppose $q < n < q^4$ and $n \ge 300$, which implies $q \ge 5$. In this case $r < 0.95$, and $s \ge 0.54$, while $\Phi_q(x^n - 1) \ge q^n/34$, by Theorem 3.4. Using (6.2) and (6.3), we find
$$\varrho > \frac{0.54}{34 \lambda_2} - q^{\,n(0.95/\lambda_2 + 1.44/\log_e n - 1/2)} > \frac{0.015}{\lambda_2} - q^{-0.09 n} > \frac{0.01}{\lambda_2}.$$
For the case when $300 \le n \le q$, $\Phi_q(x^n - 1) \ge q^n/34$, and by Theorem 5.7, $\log_q \Delta_q(x^n - 1) \le n \log_q 2$. Here $r < 0.93$ and $s > 0.54$, giving
$$\varrho > \frac{0.54}{34 \lambda_2} - q^{\,n(0.93/\lambda_2 + \log_q 2 - 1/2)} > \frac{0.015}{\lambda_2} - q^{-0.25 n} > \frac{0.01}{\lambda_2}.$$
Finally, for case (iii), we use the fact that for all $q \ge 2$ and $n \ge 2$, $\log_q \Delta_q(x^n - 1) \le n \log_q 2$ by Theorem 5.7. Since $n \le q$, $\Phi_q(x^n - 1) \ge q^n/34$ by Theorem 3.4. For $300 \ge n \ge 2$ and $q \ge 2 \times 10^7$, $r \le 1.003$ and $s > 0.496$, so that
$$\varrho \ge \frac{0.496}{34 \lambda_2} - q^{\,n(1.003/\lambda_2 + \log_e 2/\log_e q - 1/2)} > \frac{0.014}{\lambda_2} - q^{-0.17 n} > \frac{0.003}{\lambda_2}. \qquad \square$$


This theorem covers all but finitely many values of $(n, q)$. The exceptions, with $n < 300$ and $q < 2 \times 10^7$, are about $3.5 \times 10^8$ in number. The following proposition cuts down this number.

PROPOSITION 6.2. If $9 \le n \le 300$ and $q > 300$, then $\varrho > 0.01/\log_e(n \log_e q)$.

PROOF. We use the notation of Theorem 6.1. For $q > 300$ and $300 \ge n \ge 9$, we have $r < 1$ and $s > 0.5$. Also $\log_q \Delta_q(x^n - 1) \le n \log_q 2$ by Theorem 5.7 and $\Phi_q(x^n - 1) \ge q^n/34$ by Theorem 3.4. Applying (6.2), this gives
$$\varrho > \frac{0.5}{34 \lambda_2} - q^{\,n(1/\lambda_2 + \log_q 2 - 1/2)} > \frac{0.015}{\lambda_2} - q^{-0.25 n} > \frac{0.01}{\lambda_2}. \qquad \square$$

This leaves us with about $8.3 \times 10^6$ exceptional pairs of fields. For each of these pairs we have used Maple 4.3 to compute the Carlitz bound (6.1), or at least a good lower bound for it. We found that it is at least $1/200$ for all but 121 of the exceptional pairs of fields, and for the 121 remaining pairs it is negative. Thus, for all but 121 of the exceptional field pairs, the probability of finding a primitive normal element is at least $1/200$. We have $q \le 2729$ and $n \le 21$ for all 121 remaining cases. Note also that the existence proofs of Davenport (1968) and Lenstra & Schoof (1987) showing $\varrho > 0$ both consider a (smaller) number of special cases.

COROLLARY 6.3. Let $q$ be a prime power and $n \ge 2$. There exists a probabilistic polynomial-time reduction from the problem of finding a primitive normal element in $F_{q^n}$ over $F_q$ to finding a primitive element in $F_{q^n}$.

PROOF. Construct a lookup table of the (finitely many) exceptional cases not covered by Theorem 6.1 (and Proposition 6.2 and the following comments), mapping a pair $(q, n)$ to a primitive normal element in $F_{q^n}$ over $F_q$. For a given input $(q, n)$, where $q$ is a prime power and $n \ge 2$, check if $(q, n)$ is in the table of exceptions. If it is, return the primitive element stored there. If not, find a primitive element $\beta \in F_{q^n}$. Randomly select an integer $j$ between 1 and $q^n - 2$, compute $\alpha = \beta^j$, and test $\alpha$ for primitivity and normality over $F_q$. In the case of Theorem 6.1 (i), we require an expected number of at most $34 \log_e(n \log_e q) \cdot \log_q n$ random choices. For the remaining two cases of Theorem 6.1, we require an expected number of at most $334 \log_e(n \log_e q)$ random choices. To test primitivity, we need only check that $\gcd(q^n - 1, j) = 1$, which requires $O^\sim(n \log q)$ bit operations, while to test normality requires $O^\sim(n^2 \log q)$ operations in $F_q$ by Theorem 2.1. $\square$
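Added example (not from the paper): a small Python model, for $q = 2$, of the search in the proof of Corollary 6.3, combining a normality test (here a rank computation over $F_2$ on the $n$ conjugates, which is not the paper's Theorem 2.1 method) with the primitivity test $\gcd(2^n - 1, j) = 1$ on the exponent. Field elements are $n$-bit integers reduced modulo a fixed irreducible polynomial: $x^7 + x + 1$ for $n = 7$ and $x^8 + x^4 + x^3 + x + 1$ (the AES polynomial) for $n = 8$; both choices, the seed, and the brute-force primitivity check are mine. The exhaustive counts over $F_{2^7}$ and $F_{2^8}$ can be compared with $\Phi_2(x^7 - 1) = 49$ and $\Phi_2(x^8 - 1) = 128$ from (3.2).

```python
import math
import random

# Irreducible polynomials over F_2 as bit masks (chosen for this example).
FIELDS = {7: 0b10000011,      # x^7 + x + 1
          8: 0b100011011}     # x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b, n):
    """Multiply a, b in F_{2^n} (n-bit ints), reducing by the fixed polynomial after each shift."""
    poly, r = FIELDS[n], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= poly
    return r

def gf_pow(a, e, n):
    """a^e in F_{2^n} by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return r

def rank_f2(vectors, n):
    """Rank over F_2 of n-bit vectors by Gaussian elimination (XOR row operations)."""
    rows, rank = list(vectors), 0
    for bit in reversed(range(n)):
        pivot = next((i for i, r in enumerate(rows) if r >> bit & 1), None)
        if pivot is None:
            continue
        p = rows.pop(pivot)
        rank += 1
        rows = [r ^ p if r >> bit & 1 else r for r in rows]
    return rank

def is_normal(a, n):
    """a is normal over F_2 iff its conjugates a, a^2, a^4, ..., a^(2^(n-1)) are F_2-linearly independent."""
    conjugates = []
    for _ in range(n):
        conjugates.append(a)
        a = gf_mul(a, a, n)
    return rank_f2(conjugates, n) == n

def prime_factors(m):
    """Distinct prime factors by trial division (enough for 2^n - 1 with the small n used here)."""
    fs, p = set(), 2
    while p * p <= m:
        while m % p == 0:
            fs.add(p)
            m //= p
        p += 1
    if m > 1:
        fs.add(m)
    return fs

def is_primitive(b, n):
    """ord(b) = 2^n - 1 iff b != 0 and b^((2^n-1)/p) != 1 for every prime p dividing 2^n - 1."""
    order = 2 ** n - 1
    return b != 0 and all(gf_pow(b, order // p, n) != 1 for p in prime_factors(order))

def count_normal(n):
    """Exhaustive count of normal elements of F_{2^n} over F_2 (to compare with Phi_2(x^n - 1))."""
    return sum(is_normal(a, n) for a in range(1, 2 ** n))

def find_primitive_normal(beta, n, seed=1):
    """Corollary 6.3's reduction: given a primitive beta, the powers beta^j with gcd(j, 2^n-1) = 1 are
    exactly the primitive elements, so draw such j at random until beta^j is also normal.
    Returns (alpha, number of candidates tested)."""
    if not is_primitive(beta, n):
        raise ValueError("beta must be primitive")
    rng, order, trials = random.Random(seed), 2 ** n - 1, 0
    while True:
        j = rng.randrange(1, order)
        if math.gcd(j, order) != 1:
            continue
        trials += 1
        alpha = gf_pow(beta, j, n)
        if is_normal(alpha, n):
            return alpha, trials

if __name__ == "__main__":
    print(count_normal(7), count_normal(8))        # 49 and 128
    print(find_primitive_normal(0b11, 8))
```

For $n = 7$ the order $2^7 - 1 = 127$ is prime, so every element other than 0 and 1 is primitive and the search only has to wait for a normal one; for $n = 8$ the exponent filter $\gcd(j, 255) = 1$ is what keeps $\beta^j$ primitive.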

Acknowledgment We thank an anonymous referee for pointing out several references, and an improvement in Proposition 2.4.

References

L. Adleman and H. W. Lenstra. Finding irreducible polynomials over finite fields. In Proc. 18th Ann. ACM Symp. Theory of Computing, pp. 350-355, Berkeley CA, 1986.

G. B. Agnew, R. C. Mullin, and S. A. Vanstone. Fast exponentiation in GF(2^n). In Advances in Cryptology--EUROCRYPT '88, ed. C. G. Günther, vol. 330 of Lecture Notes in Computer Science, pp. 251-255. Springer (Berlin), 1988.

A. V. Aho, J. E. Hopcroft, and J. D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley (Reading MA), 1974.

A. A. Albert. Fundamental Concepts of Higher Algebra. University of Chicago Press (Chicago, Illinois), 1956.

T. M. Apostol. Introduction to Analytic Number Theory. Springer-Verlag (New York), 1976.

L. Babai, E. M. Luks, and A. Seress. Fast management of permutation groups. In Proc. 29th IEEE Symp. on Foundations of Computer Science, pp. 272-282, White Plains, NY, 1988.

M. Bender. Probabilistic algorithms in finite fields. In Proc. 22nd IEEE Symp. Foundations Computer Science, pp. 394-398, 1981.

T. Beth, B. M. Cook, and D. Gollmann. Architectures for exponentiation in GF(2^n). In Advances in Cryptology--CRYPTO '86, ed. A. M. Odlyzko, vol. 263 of Lecture Notes in Computer Science, pp. 302-310. Springer (Berlin), 1986.

D. G. Cantor and E. Kaltofen. Fast multiplication of polynomials over arbitrary rings. Technical Report 87-35, Dept. of Computer Science, Rensselaer Polytechnic Institute, 1987. Acta Inform., to appear.

L. Carlitz. Primitive roots in a finite field. Trans. Amer. Math. Soc. 73, pp. 373-382, 1952.

D. Coppersmith and S. Winograd. Matrix multiplication via arithmetic progressions. J. Symb. Comp. 9, pp. 251-280, 1990.

H. Davenport. Bases for finite fields. J. London Math. Soc. 43, pp. 21-39, 1968.

G. Eisenstein. Lehrsätze. J. reine angew. Math. 39, pp. 180-182, 1850.

J. von zur Gathen. Irreducibility of multivariate polynomials. J. Computer System Sciences 31, pp. 225-264, 1985.

G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Clarendon Press (Oxford), 1962.

K. Hensel. Ueber die Darstellung der Zahlen eines Gattungsbereiches für einen beliebigen Primdivisor. J. Reine Angew. Math. 103, pp. 230-7, 1888.

M. A. Huang. Riemann hypothesis and finding roots over finite fields. In Proc. 17th Ann. ACM Symp. Theory of Computing, pp. 121-130, Providence RI, 1985.

B. A. Laws and C. K. Rushforth. A cellular-array multiplier for GF(2^m). IEEE Trans. Comput. C-20, pp. 1573-1578, 1971.

H. W. Lenstra. Finding isomorphisms between finite fields. Manuscript, May 1989.

H. W. Lenstra and R. J. Schoof. Primitive normal bases for finite fields. Math. Comp. 48, pp. 217-231, 1987.

R. Lidl and H. Niederreiter. Finite Fields, vol. 20 of Encyclopedia of Mathematics and its Applications. Addison-Wesley (Reading MA), 1983.

O. Ore. Contributions to the theory of finite fields. Trans. Amer. Math. Soc. 36, pp. 243-274, 1934.

M. O. Rabin. Probabilistic algorithms in finite fields. SIAM J. Comp. 9, pp. 273-280, 1980.

J. B. Rosser and L. Schoenfeld. Approximate formulas for some functions of prime numbers. Ill. J. Math. 6, pp. 64-94, 1962.

A. Schönhage and V. Strassen. Schnelle Multiplikation großer Zahlen. Computing 7, pp. 281-292, 1971.

S. S. Schwarz. Construction of normal bases in cyclic extensions of a field. Czechoslovak Math. Journal 38(113), pp. 291-312, 1988.

I. A. Semaev. Construction of polynomials irreducible over a finite field with linearly independent roots. Math. USSR Sbornik 63(2), pp. 507-519, 1989.

V. Shoup. On the deterministic complexity of factoring polynomials over finite fields. Information Processing Letters 33, pp. 261-267, 1990a.

V. Shoup. New algorithms for finding irreducible polynomials in finite fields. Math. Comp. 54(189), pp. 435-447, January 1990b.

V. M. Sidel'nikov. On normal bases of a finite field. Math. USSR Sbornik 61(2), pp. 485-494, 1988.

S. A. Stepanov and I. E. Shparlinsky. On structure complexity of normal basis of finite field. In Fundamentals of Computation Theory, Proc., ed. L. Budach, R. G. Bukharajev, and O. B. Lupanov, vol. 278 of Lecture Notes in Computer Science, pp. 414-416. Springer (Berlin), 1987.

S. A. Stepanov and I. E. Shparlinsky. On the construction of a primitive normal basis of a finite field. Mat. Sbornik 180, pp. 1067-1072, 1989.

D. R. Stinson. Some observations on parallel algorithms for fast exponentiation in GF(2^n). SIAM J. Comp. 19(4), pp. 711-717, August 1990.

B. L. van der Waerden. Algebra, Erster Teil. Springer-Verlag (Berlin), 7 edition, 1966.

C. C. Wang, T. K. Truong, H. M. Shao, L. J. Deutsch, J. K. Omura, and I. S. Reed. VLSI architectures for computing multiplications and inverses in GF(2^m). IEEE Trans. Comput. C-34, pp. 709-717, 1985.