Introduction to finite fields and their applications
RUDOLF LIDL, University of Tasmania, Hobart, Australia
HARALD NIEDERREITER, Austrian Academy of Sciences, Vienna, Austria
CAMBRIDGE UNIVERSITY PRESS
Cambridge, London, New York, New Rochelle, Melbourne, Sydney

Published by the Press Syndicate of the University of Cambridge
The Pitt Building, Trumpington Street, Cambridge CB2 1RP
32 East 57th Street, New York, NY 10022, USA
10 Stamford Road, Oakleigh, Melbourne 3166, Australia

© Cambridge University Press 1986
First published 1986
Printed in Great Britain at the University Press, Cambridge

British Library Cataloguing in Publication Data
Lidl, Rudolf. Introduction to finite fields and their applications. 1. Finite fields (Algebra) I. Title II. Niederreiter, Harald. 512'.3 QA247.3

Library of Congress Cataloging in Publication Data
Lidl, Rudolf. Introduction to finite fields and their applications. Bibliography: p. Includes index. 1. Finite fields (Algebra) I. Niederreiter, Harald, 1944- . II. Title. QA247.3.L54 1985 512'.3 85-9704
ISBN 0-521-30706-6
Contents

Preface  vii
Chapter 1  Algebraic Foundations  1
  1 Groups  2
  2 Rings and Fields  11
  3 Polynomials  18
  4 Field Extensions  30
  Exercises  37
Chapter 2  Structure of Finite Fields  43
  1 Characterization of Finite Fields  44
  2 Roots of Irreducible Polynomials  47
  3 Traces, Norms, and Bases  50
  4 Roots of Unity and Cyclotomic Polynomials  59
  5 Representation of Elements of Finite Fields  62
  6 Wedderburn's Theorem  65
  Exercises  69
Chapter 3  Polynomials over Finite Fields  74
  1 Order of Polynomials and Primitive Polynomials  75
  2 Irreducible Polynomials  82
  3 Construction of Irreducible Polynomials  87
  4 Linearized Polynomials  98
  5 Binomials and Trinomials  115
  Exercises  122
Chapter 4  Factorization of Polynomials  129
  1 Factorization over Small Finite Fields  130
  2 Factorization over Large Finite Fields  139
  3 Calculation of Roots of Polynomials  150
  Exercises  159
Chapter 5  Exponential Sums  162
  1 Characters  163
  2 Gaussian Sums  168
  Exercises  181
Chapter 6  Linear Recurring Sequences  185
  1 Feedback Shift Registers, Periodicity Properties  186
  2 Impulse Response Sequences, Characteristic Polynomial  193
  3 Generating Functions  202
  4 The Minimal Polynomial  210
  5 Families of Linear Recurring Sequences  215
  6 Characterization of Linear Recurring Sequences  228
  7 Distribution Properties of Linear Recurring Sequences  235
  Exercises  245
Chapter 7  Theoretical Applications of Finite Fields  251
  1 Finite Geometries  252
  2 Combinatorics  262
  3 Linear Modular Systems  271
  4 Pseudorandom Sequences  281
  Exercises  294
Chapter 8  Algebraic Coding Theory  299
  1 Linear Codes  300
  2 Cyclic Codes  311
  3 Goppa Codes  325
  Exercises  332
Chapter 9  Cryptology  338
  1 Background  339
  2 Stream Ciphers  342
  3 Discrete Logarithms  346
  4 Further Cryptosystems  360
  Exercises  363
Chapter 10  Tables  367
  1 Computation in Finite Fields  367
  2 Tables of Irreducible Polynomials  377
Bibliography  392
List of Symbols  397
Index  401
To Pamela and Gerlinde
Preface

This book is designed as a textbook edition of our monograph Finite Fields which appeared in 1983 as Volume 20 of the Encyclopedia of Mathematics and Its Applications. Several changes have been made in order to tailor the book to the needs of the student. The historical and bibliographical notes at the end of each chapter and the long bibliography have been omitted as they are mainly of interest to researchers. The reader who desires this type of information may consult the original edition. There are also changes in the text proper, with the present book having an even stronger emphasis on applications. The increasingly important role of finite fields in cryptology is reflected by a new chapter on this topic. There is now a separate chapter on algebraic coding theory containing material from the original edition together with a new section on Goppa codes. New material on pseudorandom sequences has also been added. On the other hand, topics in the original edition that are mainly of theoretical interest have been omitted. Thus, a large part of the material on exponential sums and the chapters on equations over finite fields and on permutation polynomials cannot be found in the present volume.

The theory of finite fields is a branch of modern algebra that has come to the fore in the last 50 years because of its diverse applications in combinatorics, coding theory, cryptology, and the mathematical study of switching circuits, among others. The origins of the subject reach back into the 17th and 18th centuries, with such eminent mathematicians as Pierre de Fermat (1601-1665), Leonhard Euler (1707-1783), Joseph-Louis Lagrange (1736-1813), and Adrien-Marie Legendre (1752-1833) contributing to the structure theory of special finite fields, namely, the so-called finite prime fields. The general theory of finite fields may be said to begin with the work of Carl Friedrich Gauss (1777-1855) and Evariste Galois (1811-1832), but it only became of interest for applied mathematicians in recent decades with the emergence of discrete mathematics as a serious discipline.

In this book we have aimed at presenting both the classical and the applications-oriented aspects of the subject. Thus, in addition to what has to be considered the essential core of the theory, the reader will find results and techniques that are of importance mainly because of their use in applications. Because of the vastness of the subject, limitations had to be imposed on the choice of material. In trying to make the book as self-contained as possible, we have refrained from discussing results or methods that belong properly to algebraic geometry or to the theory of algebraic function fields. Applications are described to the extent to which this can be done without too much digression.

The only noteworthy prerequisite for the book is a background in linear algebra, on the level of a first course on this topic. A rudimentary knowledge of analysis is needed in a few passages. Prior exposure to abstract algebra is certainly helpful, although all the necessary information is summarized in Chapter 1.

Chapter 2 is basic for the rest of the book as it contains the general structure theory of finite fields as well as the discussion of concepts that are used throughout the book. Chapter 3 on the theory of polynomials and Chapter 4 on factorization algorithms for polynomials are closely linked and should best be studied together. Chapter 5 on exponential sums uses only the elementary structure theory of finite fields. Chapter 6 on linear recurring sequences depends mostly on Chapters 2 and 3. Chapters 7, 8, and 9 are devoted to applications and draw on various material in the previous chapters. Chapter 10 supplements parts of Chapters 2, 3, and 9.

Each chapter starts with a brief description of its contents, hence it should not be necessary to give a synopsis of the book here. In order to enhance the attractiveness of this book as a textbook, we have inserted worked-out examples at appropriate points in the text and included lists of exercises for Chapters 1-9. These exercises range from routine problems to alternative proofs of key theorems, but contain also material going beyond what is covered in the text.

With regard to cross-references, we have numbered all items in the main text consecutively by chapters, regardless of whether they are definitions, theorems, examples, and so on. Thus, "Definition 2.41" refers to item 41 in Chapter 2 (which happens to be a definition) and "Remark 6.23" refers to item 23 in Chapter 6 (which happens to be a remark). In the same vein, "Exercise 5.21" refers to the list of exercises in Chapter 5.

We gratefully acknowledge the help of Mrs. Melanie Barton and Mrs. Betty Golding who typed the manuscript with great care and efficiency.

R. LIDL
H. NIEDERREITER
Chapter 1
Algebraic Foundations

This introductory chapter contains a survey of some basic algebraic concepts that will be employed throughout the book. Elementary algebra uses the operations of arithmetic such as addition and multiplication, but replaces particular numbers by symbols and thereby obtains formulas that, by substitution, provide solutions to specific numerical problems. In modern algebra the level of abstraction is raised further: instead of dealing with the familiar operations on real numbers, one treats general operations, processes of combining two or more elements to yield another element, in general sets. The aim is to study the common properties of all systems consisting of sets on which are defined a fixed number of operations interrelated in some definite way, for instance, sets with two binary operations behaving like $+$ and $\cdot$ for the real numbers.

Only the most fundamental definitions and properties of algebraic systems, that is, of sets together with one or more operations on the set, will be introduced, and the theory will be discussed only to the extent needed for our special purposes in the study of finite fields later on. We state some standard results without proof. With regard to sets we adopt the naive standpoint. We use the following sets of numbers: the set $\mathbb{N}$ of natural numbers, the set $\mathbb{Z}$ of integers, the set $\mathbb{Q}$ of rational numbers, the set $\mathbb{R}$ of real numbers, and the set $\mathbb{C}$ of complex numbers.
1. GROUPS

In the set of all integers the two operations addition and multiplication are well known. We can generalize the concept of operation to arbitrary sets. Let $S$ be a set and let $S \times S$ denote the set of all ordered pairs $(s, t)$ with $s \in S$, $t \in S$. Then a mapping from $S \times S$ into $S$ will be called a (binary) operation on $S$. Under this definition we require that the image of $(s, t) \in S \times S$ must be in $S$; this is the closure property of an operation. By an algebraic structure or algebraic system we mean a set $S$ together with one or more operations on $S$.

In elementary arithmetic we are provided with two operations, addition and multiplication, that have associativity as one of their most important properties. Of the various possible algebraic systems having a single associative operation, the type known as a group has been by far the most extensively studied and developed. The theory of groups is one of the oldest parts of abstract algebra as well as one particularly rich in applications.
1.1. Definition. A group is a set $G$ together with a binary operation $*$ on $G$ such that the following three properties hold:
1. $*$ is associative; that is, for any $a, b, c \in G$, $a * (b * c) = (a * b) * c$.
2. There is an identity (or unity) element $e$ in $G$ such that for all $a \in G$, $a * e = e * a = a$.
3. For each $a \in G$, there exists an inverse element $a^{-1} \in G$ such that $a * a^{-1} = a^{-1} * a = e$.
If the group also satisfies
4. For all $a, b \in G$, $a * b = b * a$,
then the group is called abelian (or commutative).

It is easily shown that the identity element $e$ and the inverse element $a^{-1}$ of a given element $a \in G$ are uniquely determined by the properties above. Furthermore, $(a * b)^{-1} = b^{-1} * a^{-1}$ for all $a, b \in G$. For simplicity, we shall frequently use the notation of ordinary multiplication to designate the operation in the group, writing simply $ab$ instead of $a * b$. But it must be emphasized that by doing so we do not assume that the operation actually is ordinary multiplication. Sometimes it is also convenient to write $a + b$ instead of $a * b$ and $-a$ instead of $a^{-1}$, but this additive notation is usually reserved for abelian groups.
The associative law guarantees that expressions such as $a_1 a_2 \cdots a_n$ with $a_j \in G$, $1 \le j \le n$, are unambiguous, since no matter how we insert parentheses, the expression will always represent the same element of $G$. To indicate the $n$-fold composite of an element $a \in G$ with itself, where $n \in \mathbb{N}$, we shall write
$$a^n = a a \cdots a \quad (n \text{ factors } a)$$
if using multiplicative notation, and we call $a^n$ the $n$th power of $a$. If using additive notation for the operation $*$ on $G$, we write
$$na = a + a + \cdots + a \quad (n \text{ summands } a).$$
Following customary notation, we have the following rules:

Multiplicative Notation        Additive Notation
$a^{-n} = (a^{-1})^n$          $(-n)a = n(-a)$
$a^n a^m = a^{n+m}$            $na + ma = (n + m)a$
$(a^n)^m = a^{nm}$             $m(na) = (mn)a$

For $n = 0 \in \mathbb{Z}$, one adopts the convention $a^0 = e$ in the multiplicative notation and $0a = 0$ in the additive notation, where the last "zero" represents the identity element of $G$.

1.2. Examples
(i) Let $G$ be the set of integers with the operation of addition. The ordinary sum of two integers is a unique integer and the associativity is a familiar fact. The identity element is 0 (zero), and the inverse of an integer $a$ is the integer $-a$. We denote this group by $\mathbb{Z}$.
(ii) The set consisting of a single element $e$, with the operation $*$ defined by $e * e = e$, forms a group.
(iii) Let $G$ be the set of remainders of all the integers on division by 6, that is, $G = \{0, 1, 2, 3, 4, 5\}$, and let $a * b$ be the remainder on division by 6 of the ordinary sum of $a$ and $b$. The existence of an identity element and of inverses is again obvious. In this case, it requires some computation to establish the associativity of $*$. This group can be readily generalized by replacing the integer 6 by any positive integer $n$. □

These examples lead to an interesting class of groups in which every element is a power of some fixed element of the group. If the group operation is written as addition, we refer to "multiple" instead of "power" of an element.

1.3. Definition. A multiplicative group $G$ is said to be cyclic if there is an element $a \in G$ such that for any $b \in G$ there is some integer $j$ with $b = a^j$.
Such an element $a$ is called a generator of the cyclic group, and we write $G = \langle a \rangle$. It follows at once from the definition that every cyclic group is commutative. We also note that a cyclic group may very well have more than one element that is a generator of the group. For instance, in the additive group $\mathbb{Z}$ both 1 and $-1$ are generators.

With regard to the "additive" group of remainders of the integers on division by $n$, the generalization of Example 1.2(iii), we find that the type of operation used there leads to an equivalence relation on the set of integers. In general, a subset $R$ of $S \times S$ is called an equivalence relation on a set $S$ if it has the following three properties:
(a) $(s, s) \in R$ for all $s \in S$ (reflexivity).
(b) If $(s, t) \in R$, then $(t, s) \in R$ (symmetry).
(c) If $(s, t), (t, u) \in R$, then $(s, u) \in R$ (transitivity).
The most obvious example of an equivalence relation is that of equality. It is an important fact that an equivalence relation $R$ on a set $S$ induces a partition of $S$, that is, a representation of $S$ as the union of nonempty, mutually disjoint subsets of $S$. If we collect all elements of $S$ equivalent to a fixed $s \in S$, we obtain the equivalence class of $s$, denoted by
$$[s] = \{t \in S : (s, t) \in R\}.$$
The collection of all distinct equivalence classes forms then the desired partition of $S$. We note that $[s] = [t]$ precisely if $(s, t) \in R$. Example 1.2(iii) suggests the following concept.

1.4. Definition. For arbitrary integers $a, b$ and a positive integer $n$, we say that $a$ is congruent to $b$ modulo $n$, and write $a \equiv b \bmod n$, if the difference $a - b$ is a multiple of $n$, that is, if $a = b + kn$ for some integer $k$.

It is easily verified that "congruence modulo $n$" is an equivalence relation on the set $\mathbb{Z}$ of integers. The relation is obviously reflexive and symmetric. The transitivity also follows easily: if $a = b + kn$ and $b = c + ln$ for some integers $k$ and $l$, then $a = c + (k + l)n$, so that $a \equiv b \bmod n$ and $b \equiv c \bmod n$ together imply $a \equiv c \bmod n$.

Consider now the equivalence classes into which the relation of congruence modulo $n$ partitions the set $\mathbb{Z}$. These will be the sets
$$[0] = \{\ldots, -2n, -n, 0, n, 2n, \ldots\},$$
$$[1] = \{\ldots, -2n + 1, -n + 1, 1, n + 1, 2n + 1, \ldots\},$$
$$\vdots$$
$$[n - 1] = \{\ldots, -n - 1, -1, n - 1, 2n - 1, 3n - 1, \ldots\}.$$
We may define on the set $\{[0], [1], \ldots, [n - 1]\}$ of equivalence classes a binary operation (which we shall again write as $+$, although it is certainly not ordinary addition) by
$$[a] + [b] = [a + b], \qquad (1.1)$$
where $a$ and $b$ are any elements of the respective sets $[a]$ and $[b]$ and the sum $a + b$ on the right is the ordinary sum of $a$ and $b$. In order to show that we have actually defined an operation, that is, that this operation is well defined, we must verify that the image element of the pair $([a], [b])$ is uniquely determined by $[a]$ and $[b]$ alone and does not depend in any way on the representatives $a$ and $b$. We leave this proof as an exercise. Associativity of the operation in (1.1) follows from the associativity of ordinary addition. The identity element is $[0]$ and the inverse of $[a]$ is $[-a]$. Thus the elements of the set $\{[0], [1], \ldots, [n - 1]\}$ form a group.

1.5. Definition. The group formed by the set $\{[0], [1], \ldots, [n - 1]\}$ of equivalence classes modulo $n$ with the operation (1.1) is called the group of integers modulo $n$ and denoted by $\mathbb{Z}_n$.

$\mathbb{Z}_n$ is actually a cyclic group with the equivalence class $[1]$ as a generator, and it is a group of order $n$ according to the following definition.

1.6. Definition. A group is called finite (resp. infinite) if it contains finitely (resp. infinitely) many elements. The number of elements in a finite group is called its order. We shall write $|G|$ for the order of the finite group $G$.

There is a convenient way of presenting a finite group. A table displaying the group operation, nowadays referred to as a Cayley table, is constructed by indexing the rows and the columns of the table by the group elements. The element appearing in the row indexed by $a$ and the column indexed by $b$ is then taken to be $ab$.
1.7. Example. The Cayley table for the group $\mathbb{Z}_6$ is:

  +    [0]  [1]  [2]  [3]  [4]  [5]
 [0]   [0]  [1]  [2]  [3]  [4]  [5]
 [1]   [1]  [2]  [3]  [4]  [5]  [0]
 [2]   [2]  [3]  [4]  [5]  [0]  [1]
 [3]   [3]  [4]  [5]  [0]  [1]  [2]
 [4]   [4]  [5]  [0]  [1]  [2]  [3]
 [5]   [5]  [0]  [1]  [2]  [3]  [4]
□

A group $G$ contains certain subsets that form groups in their own right under the operation of $G$. For instance, the subset $\{[0], [2], [4]\}$ of $\mathbb{Z}_6$ is easily seen to have this property.
1.8. Definition. A subset $H$ of the group $G$ is a subgroup of $G$ if $H$ is itself a group with respect to the operation of $G$. Subgroups of $G$ other than the trivial subgroups $\{e\}$ and $G$ itself are called nontrivial subgroups of $G$.

One verifies at once that for any fixed $a$ in a group $G$, the set of all powers of $a$ is a subgroup of $G$.

1.9. Definition. The subgroup of $G$ consisting of all powers of the element $a$ of $G$ is called the subgroup generated by $a$ and is denoted by $\langle a \rangle$. This subgroup is necessarily cyclic. If $\langle a \rangle$ is finite, then its order is called the order of the element $a$. Otherwise, $a$ is called an element of infinite order.

Thus, $a$ is of finite order $k$ if $k$ is the least positive integer such that $a^k = e$. Any other integer $m$ with $a^m = e$ is then a multiple of $k$. If $S$ is a nonempty subset of a group $G$, then the subgroup $H$ of $G$ consisting of all finite products of powers of elements of $S$ is called the subgroup generated by $S$, denoted by $H = \langle S \rangle$. If $\langle S \rangle = G$, we say that $S$ generates $G$, or that $G$ is generated by $S$.

For a positive element $n$ of the additive group $\mathbb{Z}$ of integers, the subgroup $\langle n \rangle$ is closely associated with the notion of congruence modulo $n$, since $a \equiv b \bmod n$ if and only if $a - b \in \langle n \rangle$. Thus the subgroup $\langle n \rangle$ defines an equivalence relation on $\mathbb{Z}$. This situation can be generalized as follows.

1.10. Theorem. If $H$ is a subgroup of $G$, then the relation $R_H$ on $G$ defined by $(a, b) \in R_H$ if and only if $a = bh$ for some $h \in H$, is an equivalence relation.

The proof is immediate. The equivalence relation $R_H$ is called left congruence modulo $H$. Like any equivalence relation, it induces a partition of $G$ into nonempty, mutually disjoint subsets. These subsets (= equivalence classes) are called the left cosets of $G$ modulo $H$ and they are denoted by
$$aH = \{ah : h \in H\}$$
(or $a + H = \{a + h : h \in H\}$ if $G$ is written additively), where $a$ is a fixed element of $G$. Similarly, there is a decomposition of $G$ into right cosets modulo $H$, which have the form $Ha = \{ha : h \in H\}$. If $G$ is abelian, then the distinction between left and right cosets modulo $H$ is unnecessary.

1.11. Example. Let $G = \mathbb{Z}_{12}$ and let $H$ be the subgroup $\{[0], [3], [6], [9]\}$. Then the distinct (left) cosets of $G$ modulo $H$ are given by:
$$[0] + H = \{[0], [3], [6], [9]\},$$
$$[1] + H = \{[1], [4], [7], [10]\},$$
$$[2] + H = \{[2], [5], [8], [11]\}.$$
□

1.12. Theorem. If $H$ is a finite subgroup of $G$, then every (left or right) coset of $G$ modulo $H$ has the same number of elements as $H$.
1.13. Definition. If the subgroup $H$ of $G$ only yields finitely many distinct left cosets of $G$ modulo $H$, then the number of such cosets is called the index of $H$ in $G$.

Since the left cosets of $G$ modulo $H$ form a partition of $G$, Theorem 1.12 implies the following important result.

1.14. Theorem. The order of a finite group $G$ is equal to the product of the order of any subgroup $H$ and the index of $H$ in $G$. In particular, the order of $H$ divides the order of $G$ and the order of any element $a \in G$ divides the order of $G$.

The subgroups and the orders of elements are easy to describe for cyclic groups. We summarize the relevant facts in the subsequent theorem.

1.15. Theorem.
(i) Every subgroup of a cyclic group is cyclic.
(ii) In a finite cyclic group $\langle a \rangle$ of order $m$, the element $a^k$ generates a subgroup of order $m/\gcd(k, m)$, where $\gcd(k, m)$ denotes the greatest common divisor of $k$ and $m$.
(iii) If $d$ is a positive divisor of the order $m$ of a finite cyclic group $\langle a \rangle$, then $\langle a \rangle$ contains one and only one subgroup of index $d$. For any positive divisor $f$ of $m$, $\langle a \rangle$ contains precisely one subgroup of order $f$.
(iv) Let $f$ be a positive divisor of the order of a finite cyclic group $\langle a \rangle$. Then $\langle a \rangle$ contains $\phi(f)$ elements of order $f$. Here $\phi(f)$ is Euler's function and indicates the number of integers $n$ with $1 \le n \le f$ that are relatively prime to $f$.
(v) A finite cyclic group $\langle a \rangle$ of order $m$ contains $\phi(m)$ generators, that is, elements $a^r$ such that $\langle a^r \rangle = \langle a \rangle$. The generators are the powers $a^r$ with $\gcd(r, m) = 1$.

Proof. (i) Let $H$ be a subgroup of the cyclic group $\langle a \rangle$ with $H \ne \{e\}$. If $a^n \in H$, then $a^{-n} \in H$; hence $H$ contains at least one power of $a$ with a positive exponent. Let $d$ be the least positive exponent such that $a^d \in H$, and let $a^s \in H$. Dividing $s$ by $d$ gives $s = qd + r$, $0 \le r < d$, and $q, r \in \mathbb{Z}$. Thus $a^s (a^{-d})^q = a^r \in H$, which contradicts the minimality of $d$, unless $r = 0$. Therefore the exponents of all powers of $a$ that belong to $H$ are divisible by $d$, and so $H = \langle a^d \rangle$.
(ii) Put $d = \gcd(k, m)$. The order of $\langle a^k \rangle$ is the least positive integer $n$ such that $a^{kn} = e$. The latter identity holds if and only if $m$ divides $kn$, or equivalently, if and only if $m/d$ divides $n$. The least positive $n$ with this property is $n = m/d$.
(iii) If $d$ is given, then $\langle a^d \rangle$ is a subgroup of order $m/d$, and so of index $d$, because of (ii). If $\langle a^k \rangle$ is another subgroup of index $d$, then its order is $m/d$, and so $d = \gcd(k, m)$ by (ii). In particular, $d$ divides $k$, so that $a^k \in \langle a^d \rangle$ and $\langle a^k \rangle$ is a subgroup of $\langle a^d \rangle$. But since both groups have the same order, they are identical. The second part follows immediately because the subgroups of order $f$ are precisely the subgroups of index $m/f$.
(iv) Let $|\langle a \rangle| = m$ and $m = df$. By (ii), an element $a^k$ is of order $f$ if and only if $\gcd(k, m) = d$. Hence, the number of elements of order $f$ is equal to the number of integers $k$ with $1 \le k \le m$ and $\gcd(k, m) = d$. We may write $k = dh$ with $1 \le h \le f$, the condition $\gcd(k, m) = d$ being now equivalent to $\gcd(h, f) = 1$. The number of these $h$ is equal to $\phi(f)$.
(v) The generators of $\langle a \rangle$ are precisely the elements of order $m$, so that the first part is implied by (iv). The second part follows from (ii). □

When comparing the structures of two groups, mappings between the groups that preserve the operations play an important role.

1.16. Definition. A mapping $f: G \to H$ of the group $G$ into the group $H$ is called a homomorphism of $G$ into $H$ if $f$ preserves the operation of $G$. That is, if $*$ and $\cdot$ are the operations of $G$ and $H$, respectively, then $f$ preserves the operation of $G$ if for all $a, b \in G$ we have $f(a * b) = f(a) \cdot f(b)$. If, in addition, $f$ is onto $H$, then $f$ is called an epimorphism (or homomorphism "onto") and $H$ is a homomorphic image of $G$. A homomorphism of $G$ into $G$ is called an endomorphism. If $f$ is a one-to-one homomorphism of $G$ onto $H$, then $f$ is called an isomorphism and we say that $G$ and $H$ are isomorphic. An isomorphism of $G$ onto $G$ is called an automorphism.
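Theorem 1.15 (with Theorem 1.14 and the cosets of Example 1.11) can be checked by direct enumeration on the group $\mathbb{Z}_m$ of Definition 1.5. The following Python block is an added example, not code from the book; it represents the class $[k]$ by the integer $k$ with $0 \le k < m$ and verifies parts (ii) to (v) of the theorem for any $m$, which goes beyond the single groups $\mathbb{Z}_6$ and $\mathbb{Z}_{12}$ used in the text.

```python
from math import gcd

# Added example (not from the book): the additive cyclic group Z_m of Definition 1.5,
# with [k] represented by the integer k in 0 .. m-1 and the operation (1.1).


def phi(f):
    """Euler's function: number of integers n with 1 <= n <= f and gcd(n, f) = 1."""
    return sum(1 for n in range(1, f + 1) if gcd(n, f) == 1)


def cayley_table(m):
    """Rows of the Cayley table of Z_m (Example 1.7): row a, column b holds a + b mod m."""
    return [[(a + b) % m for b in range(m)] for a in range(m)]


def generated_subgroup(k, m):
    """<[k]>: all multiples j[k] of [k] in Z_m (additive form of Definition 1.9)."""
    return frozenset(j * k % m for j in range(m))


def element_order(k, m):
    """Order of [k] in Z_m, i.e. the size of the subgroup it generates."""
    return len(generated_subgroup(k, m))


def cosets(h, m):
    """Distinct cosets [a] + H of Z_m modulo H = <[h]>, in order of their least element."""
    H = generated_subgroup(h, m)
    seen, result = set(), []
    for a in range(m):
        coset = frozenset((a + x) % m for x in H)
        if coset not in seen:
            seen.add(coset)
            result.append(tuple(sorted(coset)))
    return result


def order_census(m):
    """Map each order f to the number of elements of Z_m having order f."""
    census = {}
    for k in range(m):
        f = element_order(k, m)
        census[f] = census.get(f, 0) + 1
    return census


def check_theorem_1_15(m):
    """Verify parts (ii)-(v) of Theorem 1.15, and Theorem 1.14, for Z_m by enumeration."""
    divisors = [f for f in range(1, m + 1) if m % f == 0]
    # (ii): [k] has order m / gcd(k, m)
    ii = all(element_order(k, m) == m // gcd(k, m) for k in range(m))
    # (iii): exactly one subgroup of each order f dividing m; by part (i) every
    # subgroup is some <[k]>, so the set below is the full list of subgroups
    subgroups = {generated_subgroup(k, m) for k in range(m)}
    iii = sorted(len(H) for H in subgroups) == divisors
    # (iv): exactly phi(f) elements of order f for each divisor f of m
    census = order_census(m)
    iv = all(census.get(f, 0) == phi(f) for f in divisors)
    # (v): the generators are the [r] with gcd(r, m) = 1, and there are phi(m) of them
    generators = {k for k in range(m) if element_order(k, m) == m}
    v = generators == {r for r in range(m) if gcd(r, m) == 1} and len(generators) == phi(m)
    # Theorem 1.14: |G| = |H| * (index of H in G) for every subgroup H = <[h]>
    lagrange = all(len(cosets(h, m)) * element_order(h, m) == m for h in range(m))
    return ii and iii and iv and v and lagrange


if __name__ == "__main__":
    print(cayley_table(6))            # the table of Example 1.7, written without brackets
    print(cosets(3, 12))              # the three cosets of Example 1.11
    print(order_census(12))           # how many elements of Z_12 have each possible order
    print(check_theorem_1_15(12), check_theorem_1_15(7), check_theorem_1_15(30))
```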
Consider, for instance, the mapping $f$ of the additive group $\mathbb{Z}$ of the integers onto the group $\mathbb{Z}_n$ of the integers modulo $n$, defined by $f(a) = [a]$. Then
$$f(a + b) = [a + b] = [a] + [b] = f(a) + f(b) \quad \text{for } a, b \in \mathbb{Z},$$
and $f$ is a homomorphism.

If $f: G \to H$ is a homomorphism and $e$ is the identity element in $G$, then $ee = e$ implies $f(e)f(e) = f(e)$, so that $f(e) = e'$, the identity element in $H$. From $aa^{-1} = e$ we get $f(a^{-1}) = (f(a))^{-1}$ for all $a \in G$.

The automorphisms of a group $G$ are often of particular interest, partly because they themselves form a group with respect to the usual composition of mappings, as can be easily verified. Important examples of automorphisms are the inner automorphisms. For fixed $a \in G$, define $f_a$ by $f_a(b) = aba^{-1}$ for $b \in G$. Then $f_a$ is an automorphism of $G$ of the indicated type, and we get all inner automorphisms of $G$ by letting $a$ run through all elements of $G$. The elements $b$ and $aba^{-1}$ are said to be conjugate, and for a nonempty subset $S$ of $G$ the set $aSa^{-1} = \{asa^{-1} : s \in S\}$ is called a conjugate of $S$. Thus, the conjugates of $S$ are just the images of $S$ under the various inner automorphisms of $G$.
1.17. Definition. The kernel of the homomorphism $f: G \to H$ of the group $G$ into the group $H$ is the set
$$\ker f = \{a \in G : f(a) = e'\},$$
where $e'$ is the identity element in $H$.

1.18. Example. For the homomorphism $f: \mathbb{Z} \to \mathbb{Z}_n$ given by $f(a) = [a]$, $\ker f$ consists of all $a \in \mathbb{Z}$ with $[a] = [0]$. Since this condition holds exactly for all multiples $a$ of $n$, we have $\ker f = \langle n \rangle$, the subgroup of $\mathbb{Z}$ generated by $n$. □

It is easily checked that $\ker f$ is always a subgroup of $G$. Moreover, $\ker f$ has a special property: whenever $a \in G$ and $b \in \ker f$, then $aba^{-1} \in \ker f$. This leads to the following concept.

1.19. Definition. The subgroup $H$ of the group $G$ is called a normal subgroup of $G$ if $aha^{-1} \in H$ for all $a \in G$ and all $h \in H$.

Every subgroup of an abelian group is normal since we then have $aha^{-1} = aa^{-1}h = h$. We shall state some alternative characterizations of the property of normality of a subgroup.

1.20. Theorem.
(i) The subgroup $H$ of $G$ is normal if and only if $H$ is equal to its conjugates, or equivalently, if and only if $H$ is invariant under all the inner automorphisms of $G$.
(ii) The subgroup $H$ of $G$ is normal if and only if the left coset $aH$ is equal to the right coset $Ha$ for every $a \in G$.
One important feature of a normal subgroup is the fact that the set of its (left) cosets can be endowed with a group structure.

1.21. Theorem. If $H$ is a normal subgroup of $G$, then the set of (left) cosets of $G$ modulo $H$ forms a group with respect to the operation $(aH)(bH) = (ab)H$.

1.22. Definition. For a normal subgroup $H$ of $G$, the group formed by the (left) cosets of $G$ modulo $H$ under the operation in Theorem 1.21 is called the factor group (or quotient group) of $G$ modulo $H$ and denoted by $G/H$.

If $G/H$ is finite, then its order is equal to the index of $H$ in $G$. Thus, by Theorem 1.14, we get for a finite group $G$,
$$|G/H| = \frac{|G|}{|H|}.$$
Each normal subgroup of a group $G$ determines in a natural way a homomorphism of $G$ and vice versa.
1.23. Theorem (Homomorphism Theorem). Let $f: G \to f(G) = G_1$ be a homomorphism of a group $G$ onto a group $G_1$. Then $\ker f$ is a normal subgroup of $G$, and the group $G_1$ is isomorphic to the factor group $G/\ker f$. Conversely, if $H$ is any normal subgroup of $G$, then the mapping $\psi: G \to G/H$ defined by $\psi(a) = aH$ for $a \in G$ is a homomorphism of $G$ onto $G/H$ with $\ker \psi = H$.
We shall now derive a relation known as the class equation for a finite group, which will be needed in Chapter 2, Section 6.

1.24. Definition. Let $S$ be a nonempty subset of a group $G$. The normalizer of $S$ in $G$ is the set $N(S) = \{a \in G : aSa^{-1} = S\}$.

1.25. Theorem. For any nonempty subset $S$ of the group $G$, $N(S)$ is a subgroup of $G$ and there is a one-to-one correspondence between the left cosets of $G$ modulo $N(S)$ and the distinct conjugates $aSa^{-1}$ of $S$.

Proof. We have $e \in N(S)$, and if $a, b \in N(S)$, then $a^{-1}$ and $ab$ are also in $N(S)$, so that $N(S)$ is a subgroup of $G$. Now
$$aSa^{-1} = bSb^{-1} \iff S = a^{-1}bSb^{-1}a = (a^{-1}b)S(a^{-1}b)^{-1} \iff a^{-1}b \in N(S) \iff b \in aN(S).$$
Thus, conjugates of $S$ are equal if and only if they are defined by elements in the same left coset of $G$ modulo $N(S)$, and so the second part of the theorem is shown. □

If we collect all elements conjugate to a fixed element $a$, we obtain a set called the conjugacy class of $a$. For certain elements the corresponding conjugacy class has only one member, and this will happen precisely for the elements of the center of the group.

1.26. Definition. For any group $G$, the center of $G$ is defined as the set $C = \{c \in G : ac = ca \text{ for all } a \in G\}$.

It is straightforward to check that the center $C$ is a normal subgroup of $G$. Clearly, $G$ is abelian if and only if $C = G$. A counting argument leads to the following result.

1.27. Theorem (Class Equation). Let $G$ be a finite group with center $C$. Then
$$|G| = |C| + \sum_{i=1}^{k} n_i,$$
where each $n_i$ is $\ge 2$ and a divisor of $|G|$. In fact, $n_1, n_2, \ldots, n_k$ are the numbers of elements of the distinct conjugacy classes in $G$ containing more than one member.

Proof. Since the relation "$a$ is conjugate to $b$" is
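Definitions 1.24 and 1.26 and Theorems 1.25 and 1.27 are only interesting for a nonabelian group, since in an abelian group every conjugacy class has one member. The following Python block is an added example, not code from the book: it takes the symmetric group $S_3$ of permutations of $\{0, 1, 2\}$ (a constructed choice, not a group used on this page), computes its center, conjugacy classes and normalizers by brute force, and checks the class equation and the coset correspondence of Theorem 1.25.

```python
from itertools import permutations

# Added example (not from the book): the symmetric group S_3 as a concrete nonabelian
# group. A permutation p of {0, 1, 2} is a tuple with p[i] = image of i, and the group
# operation is composition, (p * q)(i) = p(q(i)).

E = (0, 1, 2)                                       # identity element
S3 = [tuple(p) for p in permutations(range(3))]     # all six elements


def compose(p, q):
    """p * q: apply q first, then p."""
    return tuple(p[q[i]] for i in range(len(p)))


def inverse(p):
    """p^{-1}, so that compose(p, inverse(p)) == E."""
    inv = [0] * len(p)
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)


def conjugate(a, x):
    """a x a^{-1}: the image of x under the inner automorphism f_a."""
    return compose(compose(a, x), inverse(a))


def center(group):
    """The center C of Definition 1.26."""
    return [c for c in group if all(compose(a, c) == compose(c, a) for a in group)]


def conjugacy_classes(group):
    """Partition of the group into conjugacy classes {a x a^{-1} : a in G}."""
    seen, classes = set(), []
    for x in group:
        if x in seen:
            continue
        cls = frozenset(conjugate(a, x) for a in group)
        seen |= cls
        classes.append(cls)
    return classes


def class_equation(group):
    """Return (|C|, [n_1, ..., n_k]) as in Theorem 1.27: sizes of the classes with more than one member."""
    sizes = sorted(len(c) for c in conjugacy_classes(group) if len(c) > 1)
    return len(center(group)), sizes


def check_class_equation(group):
    """|G| = |C| + sum n_i, with every n_i >= 2 and dividing |G|."""
    c, sizes = class_equation(group)
    return c + sum(sizes) == len(group) and all(n >= 2 and len(group) % n == 0 for n in sizes)


def normalizer(S, group):
    """N(S) = {a : a S a^{-1} = S} of Definition 1.24."""
    S = frozenset(S)
    return [a for a in group if frozenset(conjugate(a, s) for s in S) == S]


def distinct_conjugates(S, group):
    """The set of distinct conjugates a S a^{-1} of S."""
    S = frozenset(S)
    return {frozenset(conjugate(a, s) for s in S) for a in group}


def left_cosets(H, group):
    """The set of left cosets aH of G modulo H (Theorem 1.10)."""
    H = frozenset(H)
    return {frozenset(compose(a, h) for h in H) for a in group}


def check_theorem_1_25(S, group):
    """The left cosets of N(S) and the distinct conjugates of S are equally many."""
    return len(left_cosets(normalizer(S, group), group)) == len(distinct_conjugates(S, group))


if __name__ == "__main__":
    print(center(S3))                                     # [(0, 1, 2)]: the center of S_3 is trivial
    print(class_equation(S3))                             # (1, [2, 3]): 6 = 1 + 2 + 3
    transposition = (1, 0, 2)
    print(len(normalizer([transposition], S3)))           # 2, so N(S) has index 3 in S_3 ...
    print(len(distinct_conjugates([transposition], S3)))  # ... matching the 3 conjugates of S
    print(check_class_equation(S3), check_theorem_1_25([transposition], S3))
```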
2. RINGS AND FIELDS

In most of the number systems used in elementary arithmetic there are two distinct binary operations: addition and multiplication. Examples are provided by the integers, the rational numbers, and the real numbers. We now define a type of algebraic structure known as a ring that shares some of the basic properties of these number systems.

1.28. Definition. A ring $(R, +, \cdot)$ is a set $R$, together with two binary operations, denoted by $+$ and $\cdot$, such that:
1. $R$ is an abelian group with respect to $+$.
2. $\cdot$ is associative, that is, $(a \cdot b) \cdot c = a \cdot (b \cdot c)$ for all $a, b, c \in R$.
3. The distributive laws hold; that is, for all $a, b, c \in R$ we have $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$.

We shall use $R$ as a designation for the ring $(R, +, \cdot)$ and stress that the operations $+$ and $\cdot$ are not necessarily the ordinary operations with numbers. In following convention, we use 0 (called the zero element) to denote the identity element of the abelian group $R$ with respect to addition, and the additive inverse of $a$ is denoted by $-a$; also, $a + (-b)$ is abbreviated by $a - b$. Instead of $a \cdot b$ we will usually write $ab$. As a consequence of the definition of a ring one obtains the general property $a0 = 0a = 0$ for all $a \in R$. This, in turn, implies $(-a)b = a(-b) = -ab$ for all $a, b \in R$.

The most natural example of a ring is perhaps the ring of ordinary integers. If we examine the properties of this ring, we realize that it has properties not enjoyed by rings in general. Thus, rings can be further classified according to the following definitions.
1.29. Definition.
(i) A ring is called a ring with identity if the ring has a multiplicative identity, that is, if there is an element $e$ such that $ae = ea = a$ for all $a \in R$.
(ii) A ring is called commutative if $\cdot$ is commutative.
(iii) A ring is called an integral domain if it is a commutative ring with identity $e \ne 0$ in which $ab = 0$ implies $a = 0$ or $b = 0$.
(iv) A ring is called a division ring (or skew field) if the nonzero elements of $R$ form a group under $\cdot$.
(v) A commutative division ring is called a field.
Since our study is devoted to fields, we emphasize again the definition of this concept. In the first place, a field is a set $F$ on which two binary operations, called addition and multiplication, are defined and which contains two distinguished elements 0 and $e$ with $0 \ne e$. Furthermore, $F$ is an abelian group with respect to addition having 0 as the identity element, and the elements of $F$ that are $\ne 0$ form an abelian group with respect to multiplication having $e$ as the identity element. The two operations of addition and multiplication are linked by the distributive law $a(b + c) = ab + ac$. The second distributive law $(b + c)a = ba + ca$ follows automatically from the commutativity of multiplication. The element 0 is called the zero element and $e$ is called the multiplicative identity element or simply the identity. Later on, the identity will usually be denoted by 1.

The property appearing in Definition 1.29(iii), namely, that $ab = 0$ implies $a = 0$ or $b = 0$, is expressed by saying that there are no zero divisors. In particular, a field has no zero divisors, for if $ab = 0$ and $a \ne 0$, then multiplication by $a^{-1}$ yields $b = a^{-1}0 = 0$.

In order to give an indication of the generality of the concept of ring,
we present some examples. 1.30.
Examples (i) (ii)
Let R be any abclian group with group operation -. Define ah ~ 0 for all a. b EO: R: then R is a ring. The integers form an integral domain. but not a field.
(iii) The l:\'cn integers form a commutative ring without identity. (iv)
The functions from the real numhe", into the real numhers
form a commUlative ring with identity ufl.der the definitions for f • g and fl( given by (j T g )(x) - f( x) • g(x) and (fg)( x) " f(x)l(x) for x c-Ihl. (v) The set of all 2 x 2 matrices with real numhers as entries forms a noncommutativc ring 'with identity with respect to matrix addition and multiplication. L1 We ha\'e :-,een uhove that a field is. in particular, an integral domain. The converse is not true in general (sec Example 1.30(ii)). hut it will hold if
the structures contain only finitely many elements.

1.31. Theorem. Every finite integral domain is a field.

Proof. Let the elements of the finite integral domain $R$ be $a_1, a_2, \ldots, a_n$. For a fixed nonzero element $a \in R$, consider the products $aa_1, aa_2, \ldots, aa_n$. These are distinct, for if $aa_i = aa_j$, then $a(a_i - a_j) = 0$, and
13    2. Rings and Fields
since $a \neq 0$ we must have $a_i - a_j = 0$, or $a_i = a_j$. Thus each element of $R$ is of the form $aa_i$; in particular, $e = aa_i$ for some $i$ with $1 \le i \le n$, where $e$ is the identity of $R$. Since $R$ is commutative, we have also $a_i a = e$, and so $a_i$ is the multiplicative inverse of $a$. Thus the nonzero elements of $R$ form a commutative group, and $R$ is a field. □
1.32. Definition. A subset $S$ of a ring $R$ is called a subring of $R$ provided $S$ is closed under $+$ and $\cdot$ and forms a ring under these operations.

1.33. Definition. A subset $J$ of a ring $R$ is called an ideal provided $J$ is a subring of $R$ and for all $a \in J$ and $r \in R$ we have $ar \in J$ and $ra \in J$.
1.34. Examples
(i) Let $R$ be the field ... integers is a ...
(ii) ...
(iii) ...

1.35. Definition. Let $R$ be a commutative ring. An ideal $J$ of $R$ is said to be principal if there is an $a \in R$ such that $J = (a)$. In this case, $J$ is also called the principal ideal generated by $a$.
Since ideals are normal subgroups of the additive group of a ring, it follows immediately that an ideal $J$ of the ring $R$ defines a partition of $R$ into disjoint cosets, called residue classes modulo $J$. The residue class of the element $a$ of $R$ modulo $J$ will be denoted by $[a] = a + J$, since it consists of all elements of $R$ that are of the form $a + c$ for some $c \in J$. Elements $a, b \in R$ are called congruent modulo $J$, written $a \equiv b \bmod J$, if they are in the same residue class modulo $J$, or equivalently, if $a - b \in J$ (compare with Definition 1.4). One can verify that $a \equiv b \bmod J$ implies $a + r \equiv b + r \bmod J$, $ar \equiv br \bmod J$, and $ra \equiv rb \bmod J$ for any $r \in R$ and $na \equiv nb \bmod J$ for any $n \in \mathbb{Z}$. If, in addition, $r \equiv s \bmod J$, then $a + r \equiv b + s \bmod J$ and $ar \equiv bs \bmod J$. It is shown by a straightforward argument that the set of residue classes of a ring $R$ modulo an ideal $J$ forms a ring with respect to the operations
$$(a + J) + (b + J) = (a + b) + J, \tag{1.2}$$
$$(a + J)(b + J) = ab + J. \tag{1.3}$$

1.36. Definition. The ring of residue classes of the ring $R$ modulo the ideal $J$ under the operations (1.2) and (1.3) is called the residue class ring (or
14    Algebraic Foundations
1.37. Example (The residue class ring $\mathbb{Z}/(n)$). As in the case of groups (compare with Definition 1.5), we denote the coset or residue class of the integer $a$ modulo the positive integer $n$ by $[a]$, as well as by $a + (n)$, where $(n)$ is the principal ideal generated by $n$. The elements of $\mathbb{Z}/(n)$ are
$$[0] = 0 + (n), \quad [1] = 1 + (n), \quad \ldots, \quad [n-1] = n - 1 + (n).$$
□
1.38. Theorem. $\mathbb{Z}/(p)$, the ring of residue classes of the integers modulo the principal ideal generated by a prime $p$, is a field.

Proof. By Theorem 1.31 it suffices to show that $\mathbb{Z}/(p)$ is an integral domain. Now $[1]$ is an identity of $\mathbb{Z}/(p)$, and $[a][b] = [ab] = [0]$ if and only if $ab = kp$ for some integer $k$. But since $p$ is prime, $p$ divides $ab$ if and only if $p$ divides at least one of the factors. Therefore, either $[a] = [0]$ or $[b] = [0]$, so that $\mathbb{Z}/(p)$ contains no zero divisors. □
1.39. Example. Let $p = 3$. Then $\mathbb{Z}/(p)$ consists of the elements $[0]$, $[1]$, and $[2]$. The operations in this field can be described by operation tables that are similar to Cayley tables for finite groups (see Example 1.7):

      +  | [0] [1] [2]
     ----+------------
     [0] | [0] [1] [2]
     [1] | [1] [2] [0]
     [2] | [2] [0] [1]

      ·  | [0] [1] [2]
     ----+------------
     [0] | [0] [0] [0]
     [1] | [0] [1] [2]
     [2] | [0] [2] [1]

□
The residue class fields $\mathbb{Z}/(p)$ are our first examples of finite fields, that is, of fields that contain only finitely many elements. The general theory of such fields will be developed later on. The reader is cautioned not to assume that in the formation of residue class rings all the properties of the original ring will be preserved in all cases. For example, the lack of zero divisors is not always preserved, as may be seen by considering the ring $\mathbb{Z}/(n)$, where $n$ is a composite integer.

There is an obvious extension from groups to rings of the definition of a homomorphism. A mapping $\varphi: R \to S$ from a ring $R$ into a ring $S$ is called a homomorphism if for any $a, b \in R$ we have
$$\varphi(a + b) = \varphi(a) + \varphi(b) \quad \text{and} \quad \varphi(ab) = \varphi(a)\varphi(b).$$
Thus a homomorphism $\varphi: R \to S$ preserves both operations $+$ and $\cdot$ of $R$ and induces a homomorphism of the additive group of $R$ into the additive group of $S$. The set
$$\ker\varphi = \{a \in R : \varphi(a) = 0 \in S\}$$
is called the kernel of $\varphi$. Other concepts, such as that of an isomorphism, are analogous to those in Definition 1.16. The homomorphism theorem for rings, similar to Theorem 1.23 for groups, runs as follows.

1.40.
Theorem (Homomorphism Theorem for Rings). If $\varphi$ is a ... isomorphic to the factor ring $R/\ker\varphi$. □
1.41. Definition. For a prime $p$, let $\mathbb{F}_p$ be the set $\{0, 1, \ldots, p-1\}$ of integers and let
1.42. Examples
(i) Consider $\mathbb{Z}/(5)$, isomorphic to $\mathbb{F}_5 = \{0, 1, 2, 3, 4\}$, with the isomorphism given by: $[0] \to 0$, $[1] \to 1$, $[2] \to 2$, $[3] \to 3$, $[4] \to 4$. The tables for the two operations $+$ and $\cdot$ for elements in $\mathbb{F}_5$ are as follows:

      + | 0 1 2 3 4
     ---+----------
      0 | 0 1 2 3 4
      1 | 1 2 3 4 0
      2 | 2 3 4 0 1
      3 | 3 4 0 1 2
      4 | 4 0 1 2 3

      · | 0 1 2 3 4
     ---+----------
      0 | 0 0 0 0 0
      1 | 0 1 2 3 4
      2 | 0 2 4 1 3
      3 | 0 3 1 4 2
      4 | 0 4 3 2 1

(ii) An even simpler and more important example is the finite field $\mathbb{F}_2$. The elements of this field of order two are $0$ and $1$, and the operation tables have the following form:

      + | 0 1        · | 0 1
     ---+----       ---+----
      0 | 0 1        0 | 0 0
      1 | 1 0        1 | 0 1

In this context, the elements $0$ and $1$ are called binary elements. □
If $b$ is any nonzero element of the ring $\mathbb{Z}$ of integers, then the additive order of $b$ is infinite; that is, $nb = 0$ implies $n = 0$. However, in the ring $\mathbb{Z}/(p)$, $p$ prime, the additive order of every nonzero element $b$ is $p$; that is, $pb = 0$, and $p$ is the least positive integer for which this holds. It is of interest to formalize this property.

1.43. Definition. If $R$ is an arbitrary ring and there exists a positive integer $n$ such that $nr = 0$ for every $r \in R$, then the least such positive integer $n$ is called the characteristic of $R$ and $R$ is said to have (positive) characteristic $n$. If no such positive integer $n$ exists, $R$ is said to have characteristic $0$.
1.44. Theorem. A ring $R \neq \{0\}$ of positive characteristic having an identity and no zero divisors must have prime characteristic.

Proof. Since $R$ contains nonzero elements, $R$ has characteristic $n \ge 2$. If $n$ were not prime, we could write $n = km$ with $k, m \in \mathbb{Z}$, $1 < k, m < n$. Then $0 = ne = (km)e = (ke)(me)$, and this implies that either $ke = 0$ or $me = 0$ since $R$ has no zero divisors. It follows that either $kr = (ke)r = 0$ for all $r \in R$ or $mr = (me)r = 0$ for all $r \in R$, in contradiction to the definition of the characteristic $n$. □

1.45. Corollary. A finite field has prime characteristic.
Proof. By Theorem 1.44 it suffices to show that a finite field $F$ has a positive characteristic. Consider the multiples $e, 2e, 3e, \ldots$ of the identity. Since $F$ contains only finitely many distinct elements, there exist integers $k$ and $m$ with $1 \le k < m$ such that $ke = me$, or $(m - k)e = 0$, and so $F$ has a positive characteristic. □

The finite field $\mathbb{Z}/(p)$ (or, equivalently, $\mathbb{F}_p$) obviously has characteristic $p$, whereas the ring $\mathbb{Z}$ of integers and the field $\mathbb{Q}$ of rational numbers have characteristic $0$. We note that in a ring $R$ of characteristic $2$ we have $2a = a + a = 0$, hence $a = -a$ for all $a \in R$. A useful property of commutative rings of prime characteristic is the following.

1.46. Theorem. Let $R$ be a commutative ring of prime characteristic $p$. Then
$$(a + b)^{p^n} = a^{p^n} + b^{p^n} \quad \text{and} \quad (a - b)^{p^n} = a^{p^n} - b^{p^n}$$
for $a, b \in R$ and $n \in \mathbb{N}$.

Proof. We use the fact that
$$\binom{p}{i} = \frac{p(p-1)\cdots(p-i+1)}{i!} \equiv 0 \bmod p$$
for all $i \in \mathbb{Z}$ with $0 < i < p$, which follows from $\binom{p}{i}$ being an integer and the observation that the factor $p$ in the numerator cannot be cancelled. Then by the binomial theorem (see Exercise 1.8),
$$(a + b)^p = a^p + \binom{p}{1} a^{p-1} b + \cdots + \binom{p}{p-1} a b^{p-1} + b^p = a^p + b^p,$$
and induction on $n$ completes the proof of the first identity. By what we have shown, we get
$$a^{p^n} = ((a - b) + b)^{p^n} = (a - b)^{p^n} + b^{p^n},$$
and the second identity follows. □
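As an added example (not code from the book), the following Python class represents the residue class ring $\mathbb{Z}/(n)$ of Example 1.37, storing the class $[a]$ as the integer $a$ with $0 \le a < n$; it builds the operation tables of Example 1.39, detects zero divisors, finds the characteristic of Definition 1.43, and tests the identity of Theorem 1.46, which holds for prime $n$ and can fail for composite $n$. All method names are this example's own.

```python
"""Constructed example: the residue class ring Z/(n) of Examples 1.37-1.39.

Not code from the book.  The class [a] of Example 1.37 is represented by the
integer a with 0 <= a < n; all names below are this example's own.
"""


class ResidueClassRing:
    """Z/(n) with the operations (1.2) and (1.3) computed on representatives."""

    def __init__(self, n):
        if n < 2:
            raise ValueError("n must be at least 2")
        self.n = n
        self.elements = list(range(n))      # [0], [1], ..., [n-1]

    def add(self, a, b):
        return (a + b) % self.n

    def mul(self, a, b):
        return (a * b) % self.n

    def table(self, op):
        """Operation table laid out as in Example 1.39: row a, column b."""
        return [[op(a, b) for b in self.elements] for a in self.elements]

    def zero_divisors(self):
        """Nonzero classes [a] with [a][b] = [0] for some nonzero [b]."""
        return [a for a in self.elements[1:]
                if any(self.mul(a, b) == 0 for b in self.elements[1:])]

    def is_field(self):
        """Z/(n) is commutative with identity [1]; by Theorem 1.31 it is a field
        exactly when it has no zero divisors, i.e. (Theorem 1.38) when n is prime."""
        return not self.zero_divisors()

    def inverse(self, a):
        """[a]^(-1) if it exists, found by searching the products [a][b] as in the
        proof of Theorem 1.31; None when [a] has no inverse."""
        return next((b for b in self.elements if self.mul(a, b) == 1), None)

    def characteristic(self):
        """Least m > 0 with m*r = 0 for every r (Definition 1.43); here it is n."""
        m = 1
        while any((m * r) % self.n != 0 for r in self.elements):
            m += 1
        return m

    def freshman_dream_holds(self):
        """Check (a + b)^c = a^c + b^c for all a, b, where c is the characteristic.
        Theorem 1.46 guarantees this for prime c; for composite n it can fail."""
        c = self.characteristic()
        return all(pow(a + b, c, self.n) == (pow(a, c, self.n) + pow(b, c, self.n)) % self.n
                   for a in self.elements for b in self.elements)


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        R = ResidueClassRing(n)
        print(f"Z/({n}): field={R.is_field()}, zero divisors={R.zero_divisors()}, "
              f"characteristic={R.characteristic()}, "
              f"(a+b)^c == a^c + b^c for all a, b: {R.freshman_dream_holds()}")
```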
Next we will show for the case of commutative rings with identity which ideals give rise to factor rings that are integral domains or fields. For this we need some definitions from ring theory. Let $R$ be a commutative ring with identity. An element $a \in R$ is called a divisor of $b \in R$ if there exists $c \in R$ such that $ac = b$. A unit of $R$ is a divisor of the identity; two elements $a, b \in R$ are said to be associates if there is a unit $\varepsilon$ of $R$ such that $a = b\varepsilon$. An element $c \in R$ is called a prime element if it is no unit and if it has only the units of $R$ and the associates of $c$ as divisors. An ideal $P \neq R$ of the ring $R$ is called a prime ideal if for $a, b \in R$ we have $ab \in P$ only if either $a \in P$ or $b \in P$. An ideal $M \neq R$ of $R$ is called a maximal ideal of $R$ if for any ideal $J$ of $R$ the property $M \subseteq J$ implies $J = R$ or $J = M$. Furthermore, $R$ is said to be a principal ideal domain if $R$ is an integral domain and if every ideal $J$ of $R$ is principal, that is, if there is a generating element $a$ for $J$ such that $J = (a) = \{ra : r \in R\}$.
1.47. Theorem. Let $R$ be a commutative ring with identity. Then:
(i) An ideal $M$ of $R$ is a maximal ideal if and only if $R/M$ is a field.
(ii) An ideal $P$ of $R$ is a prime ideal if and only if $R/P$ is an integral domain.
(iii) Every maximal ideal of $R$ is a prime ideal.
(iv) If $R$ is a principal ideal domain, then $R/(c)$ is a field if and only if $c$ is a prime element of $R$.
Proof. (i) Let $M$ be a maximal ideal of $R$. Then for $a \notin M$, $a \in R$, the set $J = \{ar + m : r \in R, m \in M\}$ is an ideal of $R$ properly containing $M$, and therefore $J = R$. In particular, $ar + m = 1$ for some suitable $r \in R$, $m \in M$, where $1$ denotes the multiplicative identity element of $R$. In other words, if $a + M \neq 0 + M$ is an element of $R/M$ different from the zero element in $R/M$, then it possesses a multiplicative inverse, because $(a + M)(r + M) = ar + M = (1 - m) + M = 1 + M$. Therefore, $R/M$ is a field. Conversely, let $R/M$ be a field and let $J \supseteq M$, $J \neq M$, be an ideal of $R$. Then for $a \in J$, $a \notin M$, the residue class $a + M$ has a multiplicative inverse, so that $(a + M)(r + M) = 1 + M$ for some $r \in R$. This implies $ar + m = 1$ for some $m \in M$. Since $J$ is an ideal, we have $1 \in J$ and therefore $(1) = R \subseteq J$, hence $J = R$. Thus $M$ is a maximal ideal of $R$.
(ii) Let $P$ be a prime ideal of $R$; then $R/P$ is a commutative ring with identity $1 + P \neq 0 + P$. Let $(a + P)(b + P) = 0 + P$, hence $ab \in P$. Since $P$ is a prime ideal, either $a \in P$ or $b \in P$; that is, either $a + P = 0 + P$ or $b + P = 0 + P$. Thus, $R/P$ has no zero divisors and is therefore an integral domain. The converse follows immediately by reversing the steps of this proof.
(iii) This follows from (i) and (ii) since every field is an integral domain.
(iv) Let $c \in R$. If $c$ is a unit, then $(c) = R$ and the ring $R/(c)$ consists only of one element and is no field. If $c$ is neither a unit nor a prime element, then $c$ has a divisor $a \in R$ that is neither a unit nor an associate of $c$. We note that $a \neq 0$, for if $a = 0$, then $c = 0$ and $a$ would be an associate of $c$. We can write $c = ab$ with $b \in R$. Next we claim that $a \notin (c)$. For otherwise $a = cd = abd$ for some $d \in R$, or $a(1 - bd) = 0$. Since $a \neq 0$, this would imply $bd = 1$, so that $d$ would be a unit, which contradicts the fact that $a$ is not an associate of $c$. It follows that $(c) \subset (a) \subset R$, where all containments are proper, and so $R/(c)$ cannot be a field because of (i). Finally, we are left with the case where $c$ is a prime element. Then $(c) \neq R$ since $c$ is no unit. Furthermore, if $J \supseteq (c)$ is an ideal of $R$, then $J = (a)$ for some $a \in R$ since $R$ is a principal ideal domain. It follows that $c \in (a)$, and so $a$ is a divisor of $c$. Consequently, $a$ is either a unit or an associate of $c$, so that either $J = R$ or $J = (c)$. This shows that $(c)$ is a maximal ideal of $R$. Hence $R/(c)$ is a field by (i). □
As an application of this theorem, let us consider the case $R = \mathbb{Z}$. We note that $\mathbb{Z}$ is a principal ideal domain since the additive subgroups of $\mathbb{Z}$ are already generated by a single element because of Theorem 1.15(i). A prime number $p$ fits the definition of a prime element, and so Theorem 1.47(iv) yields another proof of the known result that $\mathbb{Z}/(p)$ is a field. Consequently, $(p)$ is a maximal ideal and a prime ideal of $\mathbb{Z}$. For a composite integer $n$, the ideal $(n)$ is not a prime ideal of $\mathbb{Z}$, and so $\mathbb{Z}/(n)$ is not even an integral domain. Other applications will follow in the next section when we consider residue class rings of polynomial rings over fields.
3. POLYNOMIALS
In elementary algebra one regards a polynomial as an expression of the form $a_0 + a_1 x + \cdots + a_n x^n$. The $a_i$'s are called coefficients and are usually real or complex numbers; $x$ is viewed as a variable: that is, substituting an arbitrary number $a$ for $x$, a well-defined number $a_0 + a_1 a + \cdots + a_n a^n$ is obtained. The arithmetic of polynomials is governed by familiar rules. The concept of polynomial and the associated operations can be generalized to a formal algebraic setting in a straightforward manner.

Let $R$ be an arbitrary ring. A polynomial over $R$ is an expression of the form
$$f(x) = \sum_{i=0}^{n} a_i x^i = a_0 + a_1 x + \cdots + a_n x^n,$$
where $n$ is a nonnegative integer, the coefficients $a_i$, $0 \le i \le n$, are elements of $R$, and $x$ is a symbol not belonging to $R$, called an indeterminate over $R$. Whenever it is clear which indeterminate is meant, we can use $f$ as a designation for the polynomial $f(x)$. We adopt the convention that a term $a_i x^i$ with $a_i = 0$ need not be written down. In particular, the polynomial $f(x)$ above may then also be given in the equivalent form $f(x) = a_0 + a_1 x + \cdots + a_n x^n + 0x^{n+1} + \cdots + 0x^{n+h}$, where $h$ is any positive integer. When comparing two polynomials $f(x)$ and $g(x)$ over $R$, it is therefore possible to assume that they both involve the same powers of $x$. The polynomials
$$f(x) = \sum_{i=0}^{n} a_i x^i \quad \text{and} \quad g(x) = \sum_{i=0}^{n} b_i x^i$$
over $R$ are considered equal if and only if $a_i = b_i$ for $0 \le i \le n$. We define the sum of $f(x)$ and $g(x)$ by
$$f(x) + g(x) = \sum_{i=0}^{n} (a_i + b_i) x^i.$$
To define the product of two polynomials over $R$, let
$$f(x) = \sum_{i=0}^{n} a_i x^i \quad \text{and} \quad g(x) = \sum_{j=0}^{m} b_j x^j$$
and set
$$f(x)g(x) = \sum_{k=0}^{n+m} c_k x^k, \quad \text{where } c_k = \sum_{\substack{i+j=k \\ 0 \le i \le n,\; 0 \le j \le m}} a_i b_j.$$
It is easily seen that with these operations the set of polynomials over $R$ forms a ring.

1.48. Definition. The ring formed by the polynomials over $R$ with the above operations is called the polynomial ring over $R$ and denoted by $R[x]$.

The zero element of $R[x]$ is the polynomial all of whose coefficients are $0$. This polynomial is called the zero polynomial and denoted by $0$. It should always be clear from the context whether $0$ stands for the zero element of $R$ or the zero polynomial.
1.49. Definition. Let $f(x) = \sum_{i=0}^{n} a_i x^i$ be a polynomial over $R$ that is not the zero polynomial, so that we can suppose $a_n \neq 0$. Then $a_n$ is called the leading coefficient of $f(x)$ and $a_0$ the constant term, while $n$ is called the degree of $f(x)$, in symbols $n = \deg(f(x)) = \deg(f)$. By convention, we set $\deg(0) = -\infty$. Polynomials of degree $\le 0$ are called constant polynomials. If $R$ has the identity $1$ and if the leading coefficient of $f(x)$ is $1$, then $f(x)$ is called a monic polynomial.

By computing the leading coefficient of the sum and the product of two polynomials, one finds the following result.

1.50. Theorem. Let $f, g \in R[x]$. Then
$$\deg(f + g) \le \max(\deg(f), \deg(g)), \qquad \deg(fg) \le \deg(f) + \deg(g).$$
If $R$ is an integral domain, we have
$$\deg(fg) = \deg(f) + \deg(g). \tag{1.4}$$

If one identifies constant polynomials with elements of $R$, then $R$ can be viewed as a subring of $R[x]$. Certain properties of $R$ are inherited by $R[x]$. The essential step in the proof of part (iii) of the subsequent theorem depends on (1.4).
1.51. Theorem. Let $R$ be a ring. Then:
(i) $R[x]$ is commutative if and only if $R$ is commutative.
(ii) $R[x]$ is a ring with identity if and only if $R$ has an identity.
(iii) $R[x]$ is an integral domain if and only if $R$ is an integral domain.
In the following chapters we will deal almost exclusively with polynomials over fields. Let $F$ denote a field (not necessarily finite). The concept of divisibility, when specialized to the ring $F[x]$, leads to the following. The polynomial $g \in F[x]$ divides the polynomial $f \in F[x]$ if there exists a polynomial $h \in F[x]$ such that $f = gh$. We also say that $g$ is a divisor of $f$, or that $f$ is a multiple of $g$, or that $f$ is divisible by $g$. The units of $F[x]$ are the divisors of the constant polynomial $1$, which are precisely all nonzero constant polynomials. As for the ring of integers, there is a division with remainder in polynomial rings over fields.
1.52. Theorem (Division Algorithm). Let $g \neq 0$ be a polynomial in $F[x]$. Then for any $f \in F[x]$ there exist polynomials $q, r \in F[x]$ such that
$$f = qg + r, \quad \text{where } \deg(r) < \deg(g).$$

1.53. Example. Consider $f(x) = 2x^5 + x^4 + 4x + 3 \in \mathbb{F}_5[x]$, $g(x) = 3x^2 + 1 \in \mathbb{F}_5[x]$. We compute the polynomials $q, r \in \mathbb{F}_5[x]$ with $f = qg + r$ by using long division:

                           4x^3 + 2x^2 + 2x + 1
    3x^2 + 1 | 2x^5 +  x^4               + 4x + 3
              -2x^5        - 4x^3
              ----------------------------------
                       x^4 +  x^3        + 4x + 3
                      -x^4        - 2x^2
              ----------------------------------
                              x^3 + 3x^2 + 4x + 3
                             -x^3        - 2x
              ----------------------------------
                                    3x^2 + 2x + 3
                                   -3x^2      - 1
              ----------------------------------
                                           2x + 2

Thus $q(x) = 4x^3 + 2x^2 + 2x + 1$, $r(x) = 2x + 2$, and obviously $\deg(r) < \deg(g)$. □

The fact that $F[x]$ permits a division algorithm implies by a standard argument that every ideal of $F[x]$ is principal.

1.54. Theorem. $F[x]$ is a principal ideal domain. In fact, for every ideal $J \neq (0)$ of $F[x]$ there exists a uniquely determined monic polynomial $g \in F[x]$ with $J = (g)$.

Proof. $F[x]$ is an integral domain by Theorem 1.51(iii). Suppose $J \neq (0)$ is an ideal of $F[x]$. Let $h(x)$ be a nonzero polynomial of least degree contained in $J$, let $b$ be the leading coefficient of $h(x)$, and set $g(x) = b^{-1} h(x)$. Then $g \in J$ and $g$ is monic. If $f \in J$ is arbitrary, the division algorithm yields $q, r \in F[x]$ with $f = qg + r$ and $\deg(r) < \deg(g) = \deg(h)$. Since $J$ is an ideal, we get $f - qg = r \in J$, and by the definition of $h$ we must have $r = 0$. Therefore, $f$ is a multiple of $g$, and so $J = (g)$. If $g_1 \in F[x]$ is another monic polynomial with $J = (g_1)$, then $g = c_1 g_1$ and $g_1 = c_2 g$ with $c_1, c_2 \in F[x]$. This implies $g = c_1 c_2 g$, hence $c_1 c_2 = 1$, and $c_1$ and $c_2$ are constant polynomials. Since both $g$ and $g_1$ are monic, it follows that $g = g_1$, and the uniqueness of $g$ is established. □

1.55. Theorem. Let $f_1, \ldots, f_n$ be polynomials in $F[x]$ not all of which are $0$. Then there exists a uniquely determined monic polynomial $d \in F[x]$ with the following properties: (i) $d$ divides each $f_j$, $1 \le j \le n$; (ii) any polynomial $c \in F[x]$ dividing each $f_j$, $1 \le j \le n$, divides $d$. Moreover, $d$ can be expressed in the form
$$d = b_1 f_1 + \cdots + b_n f_n \quad \text{with } b_1, \ldots, b_n \in F[x]. \tag{1.5}$$
Proof. The set $J$ consisting of all polynomials of the form $c_1 f_1 + \cdots + c_n f_n$ with $c_1, \ldots, c_n \in F[x]$ is easily seen to be an ideal of $F[x]$. Since not all $f_j$ are $0$, we have $J \neq (0)$, and Theorem 1.54 implies that $J = (d)$ for some monic polynomial $d \in F[x]$. Property (i) and the representation (1.5) follow immediately from the construction of $d$. Property (ii) follows from (1.5). If $d_1$ is another monic polynomial in $F[x]$ satisfying (i) and (ii), then these properties imply that $d$ and $d_1$ are divisible by each other, and so $(d) = (d_1)$. An application of the uniqueness part of Theorem 1.54 yields $d = d_1$. □

The monic polynomial $d$ appearing in the theorem above is called the greatest common divisor of $f_1, \ldots, f_n$, in symbols $d = \gcd(f_1, \ldots, f_n)$. If $\gcd(f_1, \ldots, f_n) = 1$, then the polynomials $f_1, \ldots, f_n$ are said to be relatively prime. They are called pairwise relatively prime if $\gcd(f_i, f_j) = 1$ for $1 \le i < j \le n$.
The greatest common divisor of two polynomials $f, g \in F[x]$ can be computed by the Euclidean algorithm. Suppose, without loss of generality, that $g \neq 0$ and that $g$ does not divide $f$. Then we repeatedly use the division algorithm in the following manner:
$$\begin{aligned}
f &= q_1 g + r_1, & 0 \le \deg(r_1) &< \deg(g), \\
g &= q_2 r_1 + r_2, & 0 \le \deg(r_2) &< \deg(r_1), \\
r_1 &= q_3 r_2 + r_3, & 0 \le \deg(r_3) &< \deg(r_2), \\
&\;\;\vdots \\
r_{s-2} &= q_s r_{s-1} + r_s, & 0 \le \deg(r_s) &< \deg(r_{s-1}), \\
r_{s-1} &= q_{s+1} r_s.
\end{aligned}$$
Here $q_1, \ldots, q_{s+1}$ and $r_1, \ldots, r_s$ are polynomials in $F[x]$. Since $\deg(g)$ is finite, the procedure must stop after finitely many steps. If the last nonzero remainder $r_s$ has leading coefficient $b$, then $\gcd(f, g) = b^{-1} r_s$. In order to find $\gcd(f_1, \ldots, f_n)$ for $n > 2$ and nonzero polynomials $f_i$, one first computes $\gcd(f_1, f_2)$, then $\gcd(\gcd(f_1, f_2), f_3)$, and so on, by the Euclidean algorithm.

1.56. Example. The Euclidean algorithm applied to
$$f(x) = 2x^6 + x^3 + x^2 + 2 \in \mathbb{F}_3[x], \qquad g(x) = x^4 + x^2 + 2x \in \mathbb{F}_3[x]$$
yields:
$$\begin{aligned}
2x^6 + x^3 + x^2 + 2 &= (2x^2 + 1)(x^4 + x^2 + 2x) + x + 2, \\
x^4 + x^2 + 2x &= (x^3 + x^2 + 2x + 1)(x + 2) + 1, \\
x + 2 &= (x + 2) \cdot 1.
\end{aligned}$$
Therefore $\gcd(f, g) = 1$ and $f$ and $g$ are relatively prime. □
A counterpart to the notion of greatest common divisor is that of least common multiple. Let $f_1, \ldots, f_n$ be nonzero polynomials in $F[x]$. Then one shows (see Exercise 1.25) that there exists a uniquely determined monic polynomial $m \in F[x]$ with the following properties: (i) $m$ is a multiple of each $f_j$, $1 \le j \le n$; (ii) any polynomial $b \in F[x]$ that is a multiple of each $f_j$, $1 \le j \le n$, is a multiple of $m$. The polynomial $m$ is called the least common multiple of $f_1, \ldots, f_n$ and denoted by $m = \mathrm{lcm}(f_1, \ldots, f_n)$. For two nonzero polynomials $f, g \in F[x]$ we have
$$a\,fg = \mathrm{lcm}(f, g)\,\gcd(f, g), \tag{1.6}$$
where $a$ is the leading coefficient of $fg$. This relation conveniently reduces the calculation of $\mathrm{lcm}(f, g)$ to that of $\gcd(f, g)$. There is no direct analog of (1.6) for three or more polynomials. In this case, one uses the identity $\mathrm{lcm}(f_1, \ldots, f_n) = \mathrm{lcm}(\mathrm{lcm}(f_1, \ldots, f_{n-1}), f_n)$ to compute the least common multiple.

The prime elements of the ring $F[x]$ are usually called irreducible polynomials. To emphasize this important concept, we give the definition again for the present context.

1.57. Definition. A polynomial $p \in F[x]$ is said to be irreducible over $F$ (or irreducible in $F[x]$, or prime in $F[x]$) if $p$ has positive degree and $p = bc$ with $b, c \in F[x]$ implies that either $b$ or $c$ is a constant polynomial.
Briefly stated, a polynomial of positive degree is irreducible over $F$ if it allows only trivial factorizations. A polynomial in $F[x]$ of positive degree that is not irreducible over $F$ is called reducible over $F$. The reducibility or irreducibility of a given polynomial depends heavily on the field under consideration. For instance, the polynomial $x^2 - 2 \in \mathbb{Q}[x]$ is irreducible over the field $\mathbb{Q}$ of rational numbers, but $x^2 - 2 = (x - \sqrt{2})(x + \sqrt{2})$ is reducible over the field of real numbers.

Irreducible polynomials are of fundamental importance for the structure of the ring $F[x]$ since the polynomials in $F[x]$ can be written as products of irreducible polynomials in an essentially unique manner. For the proof we need the following result.

1.58. Lemma. If an irreducible polynomial $p$ in $F[x]$ divides a product $f_1 \cdots f_m$ of polynomials in $F[x]$, then at least one of the factors $f_j$ is divisible by $p$.

Proof. Since $p$ divides $f_1 \cdots f_m$, we get the identity $(f_1 + (p)) \cdots (f_m + (p)) = 0 + (p)$ in the factor ring $F[x]/(p)$. Now $F[x]/(p)$ is a field by Theorem 1.47(iv), and so $f_j + (p) = 0 + (p)$ for some $j$; that is, $p$ divides $f_j$. □
1.59. Theorem (Unique Factorization in $F[x]$). Any polynomial $f \in F[x]$ of positive degree can be written in the form
$$f = a\,p_1^{e_1} \cdots p_k^{e_k}, \tag{1.7}$$
where $a \in F$, $p_1, \ldots, p_k$ are distinct monic irreducible polynomials in $F[x]$, and $e_1, \ldots, e_k$ are positive integers. Moreover, this factorization is unique apart from the order in which the factors occur.
Proof. The fact that any nonconstant $f \in F[x]$ can be represented in the form (1.7) is shown by induction on the degree of $f$. The case $\deg(f) = 1$ is trivial since any polynomial in $F[x]$ of degree $1$ is irreducible over $F$. Now suppose the desired factorization is established for all nonconstant polynomials in $F[x]$ of degree $< n$. If $\deg(f) = n$ and $f$ is irreducible over $F$, then we are done since we can write $f = a(a^{-1}f)$, where $a$ is the leading coefficient of $f$ and $a^{-1}f$ is a monic irreducible polynomial in $F[x]$. Otherwise, $f$ allows a factorization $f = gh$ with $1 \le \deg(g) < n$, $1 \le \deg(h) < n$, and $g, h \in F[x]$. By the induction hypothesis, $g$ and $h$ can be factored in the form (1.7), and so $f$ can be factored in this form. To prove uniqueness, suppose $f$ has two factorizations of the form (1.7), say
(1.8)
By comparing leading coefficients, we get $a = b$. Furthermore, the irreducible polynomial $p_1$ in $F[x]$ divides the right-hand side of (1.8), and so Lemma 1.58 shows that $p_1$ divides $q_j$ for some $j$, $1 \le j \le r$. But $q_j$ is also irreducible in $F[x]$, so that we must have $q_j = cp_1$ with a constant polynomial $c$. Since $q_j$ and $p_1$ are both monic, it follows that $q_j = p_1$. Thus we can cancel $p_1$ against $q_j$ in (1.8) and continue in the same manner with the remaining identity. After finitely many steps of this type, we obtain that the two factorizations are identical apart from the order of the factors. □

We shall refer to (1.7) as the canonical factorization of the polynomial $f$ in $F[x]$. If $F = \mathbb{Q}$, there is a method due to Kronecker for finding the canonical factorization of a polynomial in finitely many steps. This method is briefly described in Exercise 1.30. For polynomials over finite fields, factorization algorithms will be discussed in Chapter 4.

A central question about polynomials in $F[x]$ is to decide whether a given polynomial is irreducible or reducible over $F$. For our purposes, irreducible polynomials over $\mathbb{F}_p$ are of particular interest. To determine all monic irreducible polynomials over $\mathbb{F}_p$ of fixed degree $n$, one may first compute all monic reducible polynomials over $\mathbb{F}_p$ of degree $n$ and then eliminate them from the set of monic polynomials in $\mathbb{F}_p[x]$ of degree $n$. If $p$ or $n$ is large, this method is not feasible, and we will develop more powerful methods in Chapter 3, Sections 2 and 3.
1.60. Example. Find all irreducible polynomials over $\mathbb{F}_2$ of degree $4$ (note that a nonzero polynomial in $\mathbb{F}_2[x]$ is automatically monic). There are $2^4 = 16$ polynomials in $\mathbb{F}_2[x]$ of degree $4$. Such a polynomial is reducible over $\mathbb{F}_2$ if and only if it has a divisor of degree $1$ or $2$. Therefore, we compute all products $(a_0 + a_1 x + a_2 x^2 + x^3)(b_0 + x)$ and $(a_0 + a_1 x + x^2)(b_0 + b_1 x + x^2)$ with $a_i, b_j \in \mathbb{F}_2$ and obtain all reducible polynomials over $\mathbb{F}_2$ of degree $4$. Comparison with the $16$ polynomials of degree $4$ leaves us with the irreducible polynomials $f_1(x) = x^4 + x + 1$, $f_2(x) = x^4 + x^3 + 1$, $f_3(x) = x^4 + x^3 + x^2 + x + 1$ in $\mathbb{F}_2[x]$. □
Since the irreducible polynomials over a field $F$ are exactly the prime elements of $F[x]$, the following result, one part of which was already used in Lemma 1.58, is an immediate consequence of Theorems 1.47(iv) and 1.54.

1.61. Theorem. For $f \in F[x]$, the residue class ring $F[x]/(f)$ is a field if and only if $f$ is irreducible over $F$.
As a preparation for the next section, we shall take a closer look at the structure of the residue class ring $F[x]/(f)$, where $f$ is an arbitrary nonzero polynomial in $F[x]$. We recall that as a residue class ring $F[x]/(f)$ consists of residue classes $g + (f)$ (also denoted by $[g]$) with $g \in F[x]$, where the operations are defined as in (1.2) and (1.3). Two residue classes $g + (f)$ and $h + (f)$ are identical precisely if $g \equiv h \bmod f$, that is, precisely if $g - h$ is divisible by $f$. This is equivalent to the requirement that $g$ and $h$ leave the same remainder after division by $f$. Each residue class $g + (f)$ contains a unique representative $r \in F[x]$ with $\deg(r) < \deg(f)$, which is simply the remainder in the division of $g$ by $f$. The process of passing from $g$ to $r$ is called reduction mod $f$. The uniqueness of $r$ follows from the observation that if $r_1 \in g + (f)$ with $\deg(r_1) < \deg(f)$, then $r - r_1$ is divisible by $f$ and $\deg(r - r_1) < \deg(f)$, which is only possible if $r = r_1$. The distinct residue classes comprising $F[x]/(f)$ can now be described explicitly; namely, they are exactly the residue classes $r + (f)$, where $r$ runs through all polynomials in $F[x]$ with $\deg(r) < \deg(f)$. Thus, if $F = \mathbb{F}_p$ and $\deg(f) = n \ge 0$, then the number of elements of $\mathbb{F}_p[x]/(f)$ is equal to the number of polynomials in $\mathbb{F}_p[x]$ of degree $< n$, which is $p^n$.
1.62. Examples
(i) Let $f(x) = x \in \mathbb{F}_2[x]$. The $p^n = 2^1$ polynomials in $\mathbb{F}_2[x]$ of degree $< 1$ determine all residue classes comprising $\mathbb{F}_2[x]/(x)$. Thus, $\mathbb{F}_2[x]/(x)$ consists of the residue classes $[0]$ and $[1]$ and is isomorphic to $\mathbb{F}_2$.
(ii) Let $f(x) = x^2 + x + 1 \in \mathbb{F}_2[x]$. Then $\mathbb{F}_2[x]/(f)$ has the $p^n = 2^2$ elements $[0]$, $[1]$, $[x]$, $[x+1]$. The operation tables for this residue class ring are obtained by performing the required operations with the polynomials determining the residue classes and by carrying out reduction mod $f$ if necessary:
[0] [ I] [x] Ix+1]
[0] [0] [ I] [x] [x
+IJ
[IJ
[x J
[IJ [oj [x+ IJ 1x ]
I x]
[x + I] ----[x + I]
[x - Ii [0 J [I J
[x]
[I] [OJ
26
Algcorruc hlUnJ:J.lions
~O]
I [OJ
[OJ [1] [xJ
[0] [OJ [[oj
'I
[x-'-I]
[xl
[X' I]
[OJ [I] [xJ [x-I]
[OJ [x] [x -,-IJ [I]
[01
I [a]
[I I
[2J
1°1 TiOlli] [21 [i]
[21
lui
[,...:.1_.:...[' _.' _I_['_1_2]_
[.'J
[,+i]
[,'1[
Ix·2[
[,-,I ['I
I']
[dl]
12" ' I[
I~·'· 21 12 ,]
['J Id2J
[21 ['I
[2.,]
1"lJ
[2,,21
[X'2]1
[2"lJ
[2., J
12.,
I
'I
I2I-2J
12, 12J [II]
[2'1 [ IJ
\211 i] 12J
1'1 I'] 1'1
12 1
1°1
IIIJ
Ii]
1"'1
[,.21
I ' . 2]
I 'I [, , I[
[I]
12]
1'1
[Ui1[O]T0]
[0]
[0]
[21
IxJ pxJ
10J
I"
ii]
II[
\21 [,J I x + I] [x 121 [2x]
P,-i], [h ,
[x]
12'1 12x·11- [2,12] ---. 2 \2,] 1 '.'J 12,.2] [2, . II [2" 12 1 [I., I
I
I I[
[x ·1] [IJ
By inspecting these tables, or from the irreducibility of f over F_2 and Theorem 1.61, it follows that F_2[x]/(f) is a field. This is our first example of a finite field for which the number of elements is not a prime.

(iii) Let f(x) = x^2 + 2 ∈ F_3[x]. Then F_3[x]/(f) consists of the p^n = 3^2 residue classes [0], [1], [2], [x], [x+1], [x+2], [2x], [2x+1], [2x+2]. The operation tables for F_3[x]/(f) are again produced by performing polynomial operations and using reduction mod f whenever necessary (here x^2 ≡ −2 = 1 mod f). Since F_3[x]/(f) is a commutative ring, we only have to compute the entries on and above the main diagonal. The brackets are omitted in the tables; each entry stands for the residue class of the polynomial shown.

      +   |  0     1     2     x     x+1   x+2   2x    2x+1  2x+2
    ------+------------------------------------------------------
      0   |  0     1     2     x     x+1   x+2   2x    2x+1  2x+2
      1   |        2     0     x+1   x+2   x     2x+1  2x+2  2x
      2   |              1     x+2   x     x+1   2x+2  2x    2x+1
      x   |                    2x    2x+1  2x+2  0     1     2
     x+1  |                          2x+2  2x    1     2     0
     x+2  |                                2x+1  2     0     1
     2x   |                                      x     x+1   x+2
    2x+1  |                                            x+2   x
    2x+2  |                                                  x+1

      ·   |  0     1     2     x     x+1   x+2   2x    2x+1  2x+2
    ------+------------------------------------------------------
      0   |  0     0     0     0     0     0     0     0     0
      1   |        1     2     x     x+1   x+2   2x    2x+1  2x+2
      2   |              1     2x    2x+2  2x+1  x     x+2   x+1
      x   |                    1     x+1   2x+1  2     x+2   2x+2
     x+1  |                          2x+2  0     2x+2  0     x+1
     x+2  |                                x+2   x+2   2x+1  0
     2x   |                                      1     2x+1  x+1
    2x+1  |                                            x+2   0
    2x+2  |                                                  2x+2
Note that F_3[x]/(f) is not a field (and not even an integral domain): the multiplication table shows, for instance, [x+1]·[x+2] = [0] with both factors nonzero. This is in accordance with Theorem 1.61 since x^2 + 2 = (x+1)(x+2) is reducible over F_3. □

If F is again an arbitrary field and f(x) ∈ F[x], then replacement of the indeterminate x in f(x) by a fixed element of F yields a well-defined element of F. In detail, if f(x) = a_0 + a_1x + ... + a_nx^n ∈ F[x] and b ∈ F, then replacing x by b we get f(b) = a_0 + a_1b + ... + a_nb^n ∈ F. In any polynomial identity in F[x] we can substitute a fixed b ∈ F for x and obtain a valid identity in F (principle of substitution).

1.63. Definition. An element b ∈ F is called a root (or a zero) of the polynomial f ∈ F[x] if f(b) = 0.

An important connection between roots and divisibility is given by the following theorem.

1.64. Theorem. An element b ∈ F is a root of the polynomial f ∈ F[x] if and only if x − b divides f(x).

Proof. We use the division algorithm (see Theorem 1.52) to write f(x) = q(x)(x − b) + c with q ∈ F[x] and c ∈ F. Substituting b for x, we get f(b) = c, hence f(x) = q(x)(x − b) + f(b). The theorem follows now from this identity. □
1.65. Definition. Let b ∈ F be a root of the polynomial f ∈ F[x]. If k is a positive integer such that f(x) is divisible by (x − b)^k, but not by (x − b)^{k+1}, then k is called the multiplicity of b. If k = 1, then b is called a simple root (or a simple zero) of f, and if k ≥ 2, then b is called a multiple root (or a multiple zero) of f.

1.66. Theorem. Let f ∈ F[x] with deg(f) = n ≥ 0. If b_1, ..., b_m ∈ F are distinct roots of f with multiplicities k_1, ..., k_m, respectively, then (x − b_1)^{k_1} ··· (x − b_m)^{k_m} divides f(x). Consequently, k_1 + ... + k_m ≤ n, and f can have at most n distinct roots in F.

Proof. We note that each polynomial x − b_j, 1 ≤ j ≤ m, is irreducible over F, and so (x − b_j)^{k_j} occurs as a factor in the canonical factorization of f. Altogether, the factor (x − b_1)^{k_1} ··· (x − b_m)^{k_m} appears in the canonical factorization of f and is thus a divisor of f. By comparing degrees, we get k_1 + ... + k_m ≤ n, and m ≤ k_1 + ... + k_m ≤ n shows the last statement. □

1.67. Definition. If f(x) = a_0 + a_1x + a_2x^2 + ... + a_nx^n ∈ F[x], then the derivative f' of f is defined by f' = f'(x) = a_1 + 2a_2x + ... + na_nx^{n−1} ∈ F[x].

1.68. Theorem. The element b ∈ F is a multiple root of f ∈ F[x] if and only if it is a root of both f and f'.

There is a relation between the nonexistence of roots and irreducibility. If f is an irreducible polynomial in F[x] of degree ≥ 2, then Theorem 1.64 shows that f has no root in F. The converse holds for polynomials of degree 2 or 3, but not necessarily for polynomials of higher degree.
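Theorems 1.64, 1.66, 1.68 and 1.69 are statements about polynomial arithmetic over a field, and the checks they describe can be carried out mechanically over F_p. The following Python code is an added example, not part of the book: the function names, the coefficient-list representation (lowest degree first) and the sample polynomial f = (x − 2)^3(x + 1) read in F_7[x] are the example's own choices. It implements the division algorithm, the formal derivative of Definition 1.67 and the Euclidean algorithm, then uses them to test roots, multiplicities, the f and f' criterion of Theorem 1.68, and the root test of Theorem 1.69 that produces the list of Example 1.70.

```python
# Added example (not from the book): arithmetic in F_p[x] used to check
# Theorems 1.64, 1.66, 1.68 and 1.69 on concrete polynomials.  A polynomial
# is a list of coefficients in F_p, lowest degree first: [a0, a1, ..., an].
import itertools


def trim(f):
    """Drop leading zero coefficients; [] represents the zero polynomial."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f


def evaluate(f, b, p):
    """f(b) in F_p by Horner's rule (the principle of substitution)."""
    acc = 0
    for c in reversed(f):
        acc = (acc * b + c) % p
    return acc


def poly_divmod(f, g, p):
    """Division algorithm in F_p[x]: (q, r) with f = q*g + r and deg r < deg g."""
    f, g = trim(c % p for c in f), trim(c % p for c in g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], -1, p)            # leading coefficient of g is a unit of F_p
    q = [0] * max(len(f) - len(g) + 1, 0)
    while len(f) >= len(g):
        shift = len(f) - len(g)
        coef = (f[-1] * inv_lead) % p
        q[shift] = coef
        f = trim((a - coef * b) % p for a, b in zip(f, [0] * shift + g))
    return trim(q), f


def derivative(f, p):
    """Formal derivative of Definition 1.67; the term i*a_i vanishes when p divides i."""
    return trim((i * c) % p for i, c in enumerate(f) if i > 0)


def poly_gcd(f, g, p):
    """Monic gcd in F_p[x] by the Euclidean algorithm."""
    f, g = trim(c % p for c in f), trim(c % p for c in g)
    while g:
        f, g = g, poly_divmod(f, g, p)[1]
    if not f:
        return []
    inv = pow(f[-1], -1, p)
    return [(c * inv) % p for c in f]


def is_root(f, b, p):
    """Theorem 1.64: f(b) = 0 exactly when (x - b) divides f; both sides are computed."""
    _, r = poly_divmod(f, [(-b) % p, 1], p)
    assert (evaluate(f, b, p) == 0) == (r == [])
    return r == []


def multiplicity(f, b, p):
    """Definition 1.65: the largest k with (x - b)^k dividing f (0 if b is not a root)."""
    k = 0
    f = trim(c % p for c in f)
    while f:
        q, r = poly_divmod(f, [(-b) % p, 1], p)
        if r:
            break
        f, k = q, k + 1
    return k


def is_multiple_root(f, b, p):
    """Theorem 1.68: b is a multiple root iff f(b) = 0 and f'(b) = 0."""
    return evaluate(f, b, p) == 0 and evaluate(derivative(f, p), b, p) == 0


def irreducibles_by_root_test(p, degree):
    """Theorem 1.69 / Example 1.70: a monic polynomial of degree 2 or 3 over F_p
    is irreducible exactly when it has no root in F_p."""
    assert degree in (2, 3)
    return [list(low) + [1]
            for low in itertools.product(range(p), repeat=degree)
            if all(evaluate(list(low) + [1], b, p) != 0 for b in range(p))]


# Constructed sample: f = (x - 2)^3 (x + 1) = x^4 - 5x^3 + 6x^2 + 4x - 8, read in F_7[x].
P = 7
F = [(-8) % P, 4, 6, (-5) % P, 1]

if __name__ == "__main__":
    print("roots of f in F_7:", [b for b in range(P) if is_root(F, b, P)])
    print("multiplicity of 2:", multiplicity(F, 2, P), "multiple root:", is_multiple_root(F, 2, P))
    print("multiplicity of 6:", multiplicity(F, 6, P), "multiple root:", is_multiple_root(F, 6, P))
    print("gcd(f, f'):", poly_gcd(F, derivative(F, P), P))      # (x - 2)^2 = x^2 + 3x + 4
    print("irreducible cubics over F_2:", irreducibles_by_root_test(2, 3))
```

The gcd line is the content of Exercise 1.48: f has a multiple root exactly when gcd(f, f') is nonconstant, and here it recovers (x − 2)^2, one power lower than the multiplicity of 2.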
1.69. Theorem. The polynomial f ∈ F[x] of degree 2 or 3 is irreducible in F[x] if and only if f has no root in F.

Proof. The necessity of the condition was already noted. Conversely, if f has no root in F and were reducible in F[x], we could write f = gh with g, h ∈ F[x] and 1 ≤ deg(g) ≤ deg(h). But deg(g) + deg(h) = deg(f) ≤ 3, hence deg(g) = 1; that is, g(x) = ax + b with a, b ∈ F, a ≠ 0. Then −ba^{−1} is a root of g, and so a root of f in F, a contradiction. □

1.70. Example. Because of Theorem 1.69, the irreducible polynomials in F_2[x] of degree 2 or 3 can be obtained by eliminating the polynomials with roots in F_2 from the set of all polynomials in F_2[x] of degree 2 or 3. The only irreducible polynomial in F_2[x] of degree 2 is f(x) = x^2 + x + 1, and the irreducible polynomials in F_2[x] of degree 3 are f_1(x) = x^3 + x + 1 and f_2(x) = x^3 + x^2 + 1. □

In elementary analysis there is a well-known method for constructing a polynomial with real coefficients which assumes certain assigned values for given values of the indeterminate. The same method carries over to any field.
1.71. Theorem (Lagrange Interpolation Formula). For n ≥ 0, let a_0, ..., a_n be n + 1 distinct elements of F, and let b_0, ..., b_n be n + 1 arbitrary elements of F. Then there exists exactly one polynomial f ∈ F[x] of degree ≤ n such that f(a_i) = b_i for i = 0, ..., n. This polynomial is given by

    f(x) = Σ_{i=0}^{n} b_i ∏_{k=0, k≠i}^{n} (a_i − a_k)^{−1} (x − a_k).
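The formula of Theorem 1.71 is constructive: each summand is the basis polynomial that is 1 at a_i and 0 at the other nodes, scaled by b_i. The Python code below is an added example, not from the book; the function names are the example's own, and the input data are those of Exercise 1.53 (f ∈ F_5[x] with f(0) = f(1) = f(4) = 1 and f(2) = f(3) = 3). The inverses (a_i − a_k)^{−1} are computed in F_p with pow(·, −1, p), which is why the nodes must be distinct modulo p; the code refuses coincident nodes instead of dividing by zero.

```python
# Added example (not from the book): Lagrange interpolation over F_p (Theorem 1.71),
# applied to the data of Exercise 1.53.  Polynomials are coefficient lists,
# lowest degree first.


def poly_mul(f, g, p):
    """Product in F_p[x]."""
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return out


def evaluate(f, b, p):
    """f(b) in F_p by Horner's rule."""
    acc = 0
    for c in reversed(f):
        acc = (acc * b + c) % p
    return acc


def lagrange_interpolate(points, p):
    """Return the unique f in F_p[x] with deg f <= n and f(a_i) = b_i for the
    n + 1 pairs (a_i, b_i) in `points`, computed as
        f(x) = sum_i b_i * prod_{k != i} (a_i - a_k)^{-1} (x - a_k).
    The nodes must be distinct in F_p so that every (a_i - a_k)^{-1} exists."""
    nodes = [a % p for a, _ in points]
    if len(set(nodes)) != len(nodes):
        raise ValueError("interpolation nodes must be distinct modulo p")
    result = [0] * len(points)
    for i, (a_i, b_i) in enumerate(points):
        numerator, denominator = [1], 1          # prod_{k != i} (x - a_k) and prod (a_i - a_k)
        for k, (a_k, _) in enumerate(points):
            if k != i:
                numerator = poly_mul(numerator, [(-a_k) % p, 1], p)
                denominator = denominator * (a_i - a_k) % p
        scale = b_i * pow(denominator, -1, p) % p
        for d, c in enumerate(numerator):
            result[d] = (result[d] + scale * c) % p
    while result and result[-1] == 0:            # the degree may be smaller than n
        result.pop()
    return result


# Constructed input: the data of Exercise 1.53 over F_5.
EXERCISE_1_53 = [(0, 1), (1, 1), (2, 3), (3, 3), (4, 1)]

if __name__ == "__main__":
    f = lagrange_interpolate(EXERCISE_1_53, 5)
    print("f =", f, "(coefficients of 1, x, x^2, x^3, x^4), i.e. x^4 + 4x^2 + 1")
    print("check:", [(a, evaluate(f, a, 5)) for a, _ in EXERCISE_1_53])
```

The uniqueness statement of the theorem is visible in the last test below: three points on the line 2x over F_7 return the polynomial 2x, of degree 1 rather than 2, because the degree-≤ n interpolant is unique and the leading coefficient cancels.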
One can also consider polynomials in several indeterminates. Let R denote a commutative ring with identity and let x_1, ..., x_n be symbols that will serve as indeterminates. We form the polynomial ring R[x_1], then the polynomial ring R[x_1, x_2] = R[x_1][x_2], and so on, until we arrive at R[x_1, ..., x_n] = R[x_1, ..., x_{n−1}][x_n]. The elements of R[x_1, ..., x_n] are then expressions of the form

    f = f(x_1, ..., x_n) = Σ a_{i_1 ... i_n} x_1^{i_1} ··· x_n^{i_n}

with coefficients a_{i_1 ... i_n} ∈ R, where the summation is extended over finitely many n-tuples (i_1, ..., i_n) of nonnegative integers and the convention x_j^0 = 1 (1 ≤ j ≤ n) is observed. Such an expression is called a polynomial in x_1, ..., x_n over R. Two polynomials f, g ∈ R[x_1, ..., x_n] are equal if and only if all corresponding coefficients are equal. It is tacitly assumed that the indeterminates x_1, ..., x_n commute with each other, so that, for instance, the expressions x_1x_2x_3x_4 and x_4x_1x_3x_2 are identified.

1.72. Definition. Let f ∈ R[x_1, ..., x_n] be given by

    f = Σ a_{i_1 ... i_n} x_1^{i_1} ··· x_n^{i_n}.

If a_{i_1 ... i_n} ≠ 0, then a_{i_1 ... i_n} x_1^{i_1} ··· x_n^{i_n} is called a term of f and i_1 + ... + i_n is the degree of the term. For f ≠ 0 one defines the degree of f, denoted by deg(f), to be the maximum of the degrees of the terms of f. For f = 0 one sets deg(f) = −∞. If f = 0 or if all terms of f have the same degree, then f is called homogeneous.

Any f ∈ R[x_1, ..., x_n] can be written as a finite sum of homogeneous polynomials. The degrees of polynomials in R[x_1, ..., x_n] satisfy again the inequalities in Theorem 1.50, and if R is an integral domain, then (1.4) is valid and R[x_1, ..., x_n] is an integral domain. If F is a field, then the polynomials in F[x_1, ..., x_n] of positive degree can again be factored uniquely into a constant factor and a product of "monic" prime elements (using a suitable definition of "monic"), but for n ≥ 2 there is no analog of the division algorithm (in the case of commuting indeterminates) and F[x_1, ..., x_n] is not a principal ideal domain. An important special class of polynomials in n indeterminates is that of symmetric polynomials.
1.73. Definition. A polynomial f ∈ R[x_1, ..., x_n] is called symmetric if f(x_{i_1}, ..., x_{i_n}) = f(x_1, ..., x_n) for any permutation i_1, ..., i_n of the integers 1, ..., n.

1.74. Example. Let z be an indeterminate over R[x_1, ..., x_n], and let

    g(z) = (z − x_1)(z − x_2) ··· (z − x_n).

Then

    g(z) = z^n − σ_1 z^{n−1} + σ_2 z^{n−2} − ... + (−1)^n σ_n

with

    σ_k = σ_k(x_1, ..., x_n) = Σ_{1 ≤ i_1 < i_2 < ... < i_k ≤ n} x_{i_1} x_{i_2} ··· x_{i_k}    (k = 1, 2, ..., n).

Thus:

    σ_1 = x_1 + x_2 + ... + x_n,
    σ_2 = x_1x_2 + x_1x_3 + ... + x_1x_n + x_2x_3 + ... + x_2x_n + ... + x_{n−1}x_n,
    ...
    σ_n = x_1x_2 ··· x_n.

As g remains unaltered under any permutation of the x_i, all the σ_k are symmetric polynomials; they are also homogeneous. The polynomial σ_k = σ_k(x_1, ..., x_n) ∈ R[x_1, ..., x_n] is called the kth elementary symmetric polynomial in the indeterminates x_1, ..., x_n over R. The adjective "elementary" is used because of the so-called "fundamental theorem on symmetric polynomials," which states that for any symmetric polynomial f ∈ R[x_1, ..., x_n] there exists a uniquely determined polynomial h ∈ R[x_1, ..., x_n] such that f(x_1, ..., x_n) = h(σ_1, ..., σ_n). □
1.75. Theorem (Newton's Formula). Let σ_1, ..., σ_n be the elementary symmetric polynomials in x_1, ..., x_n over R, and let s_0 = n ∈ Z and s_k = s_k(x_1, ..., x_n) = x_1^k + ... + x_n^k ∈ R[x_1, ..., x_n] for k ≥ 1. Then the formula

    s_k − s_{k−1}σ_1 + s_{k−2}σ_2 − ... + (−1)^{m−1} s_{k−m+1}σ_{m−1} + (−1)^m (m/n) s_{k−m}σ_m = 0

holds for k ≥ 1, where m = min(k, n). (For k ≤ n the last term is (−1)^k k σ_k, since s_0 = n; for k > n it is (−1)^n s_{k−n}σ_n.)

1.76. Theorem (Waring's Formula). With the same notation as in Theorem 1.75, we have

    s_k = Σ (−1)^{i_2 + i_4 + i_6 + ...} ((i_1 + i_2 + ... + i_n − 1)! k) / (i_1! i_2! ··· i_n!) σ_1^{i_1} σ_2^{i_2} ··· σ_n^{i_n}

for k ≥ 1, where the summation is extended over all n-tuples (i_1, ..., i_n) of nonnegative integers with i_1 + 2i_2 + ... + n i_n = k. The coefficient of σ_1^{i_1} σ_2^{i_2} ··· σ_n^{i_n} is always an integer.
4. FIELD EXTENSIONS

Let F be a field. A subset K of F that is itself a field under the operations of F will be called a subfield of F. In this context, F is called an extension (field) of K. If K ≠ F, we say that K is a proper subfield of F.

If K is a subfield of the finite field F_p, p prime, then K must contain the elements 0 and 1, and so all other elements of F_p by the closure of K under addition. It follows that F_p contains no proper subfields. We are thus led to the following concept.

1.77. Definition. A field containing no proper subfields is called a prime field.

By the above argument, any finite field of order p, p prime, is a prime field. Another example of a prime field is the field Q of rational numbers.

The intersection of any nonempty collection of subfields of a given field F is again a subfield of F. If we form the intersection of all subfields of F, we obtain the prime subfield of F. It is obviously a prime field.

1.78. Theorem. The prime subfield of a field F is isomorphic to either F_p or Q, according as the characteristic of F is a prime p or 0.

1.79. Definition. Let K be a subfield of the field F and M any subset of F. Then the field K(M) is defined as the intersection of all subfields of F containing both K and M and is called the extension (field) of K obtained by adjoining the elements in M. For finite M = {θ_1, ..., θ_n} we write K(M) = K(θ_1, ..., θ_n). If M consists of a single element θ ∈ F, then L = K(θ) is said to be a simple extension of K and θ is called a defining element of L over K.
Obviously, K(M) is the smallest subfield of F containing both K and M. We define now an important type of extension.

1.80. Definition. Let K be a subfield of F and θ ∈ F. If θ satisfies a nontrivial polynomial equation with coefficients in K, that is, if a_nθ^n + ... + a_1θ + a_0 = 0 with a_i ∈ K not all being 0, then θ is said to be algebraic over K. An extension L of K is called algebraic over K (or an algebraic extension of K) if every element of L is algebraic over K.

Suppose θ ∈ F is algebraic over K, and consider the set J = {f ∈ K[x] : f(θ) = 0}. It is easily checked that J is an ideal of K[x], and we have J ≠ (0) since θ is algebraic over K. It follows then from Theorem 1.54 that there exists a uniquely determined monic polynomial g ∈ K[x] such that J is equal to the principal ideal (g). It is important to note that g is irreducible in K[x]. For, in the first place, g is of positive degree since it has the root θ; and if g = h_1h_2 in K[x] with 1 ≤ deg(h_i) < deg(g) (i = 1, 2), then 0 = g(θ) = h_1(θ)h_2(θ) implies that either h_1 or h_2 is in J and so divisible by g, which is impossible.

1.81. Definition. If θ ∈ F is algebraic over K, then the uniquely determined monic polynomial g ∈ K[x] generating the ideal J = {f ∈ K[x] : f(θ) = 0} of K[x] is called the minimal polynomial (or defining polynomial, or irreducible polynomial) of θ over K. By the degree of θ over K we mean the degree of g.

1.82. Theorem. If θ ∈ F is algebraic over K, then its minimal polynomial g over K has the following properties:
(i) g is irreducible in K[x].
(ii) For f ∈ K[x] we have f(θ) = 0 if and only if g divides f.
(iii) g is the monic polynomial in K[x] of least degree having θ as a root.

Proof. Property (i) was already noted and (ii) follows from the definition of g. As to (iii), it suffices to note that any monic polynomial in K[x] having θ as a root must be a multiple of g, and so it is either equal to g or its degree is larger than that of g. □

We note that both the minimal polynomial and the degree of an algebraic element θ depend on the field K over which it is considered, so that one must be careful not to speak of the minimal polynomial or the degree of θ without specifying K, unless the latter is amply clear from the context.

If L is an extension field of K, then L may be viewed as a vector space over K. For the elements of L ("vectors") form, first of all, an abelian group under addition. Moreover, each "vector" α ∈ L can be multiplied by a "scalar" r ∈ K so that rα is again in L (here rα is simply the product of the field elements r and α of L) and the laws for multiplication by scalars are satisfied: r(α + β) = rα + rβ, (r + s)α = rα + sα, (rs)α = r(sα), and 1α = α, where r, s ∈ K and α, β ∈ L.

1.83. Definition. Let L be an extension field of K. If L, considered as a vector space over K, is finite-dimensional, then L is called a finite extension of K. The dimension of the vector space L over K is then called the degree of L over K, in symbols [L : K].

1.84. Theorem. If L is a finite extension of K and M is a finite extension of L, then M is a finite extension of K with
    [M : K] = [M : L][L : K].

Proof. Put [M : L] = m, [L : K] = n, and let {α_1, ..., α_m} be a basis of M over L and {β_1, ..., β_n} a basis of L over K. Then every α ∈ M is a linear combination α = γ_1α_1 + ... + γ_mα_m with γ_i ∈ L for 1 ≤ i ≤ m, and writing each γ_i in terms of the basis elements β_j we get

    α = Σ_{i=1}^{m} γ_iα_i = Σ_{i=1}^{m} (Σ_{j=1}^{n} r_{ij}β_j) α_i = Σ_{i=1}^{m} Σ_{j=1}^{n} r_{ij} β_jα_i

with coefficients r_{ij} ∈ K. If we can show that the mn elements β_jα_i, 1 ≤ i ≤ m, 1 ≤ j ≤ n, are linearly independent over K, then we are done. So suppose we have

    Σ_{i=1}^{m} Σ_{j=1}^{n} s_{ij} β_jα_i = 0

with coefficients s_{ij} ∈ K. Then

    Σ_{i=1}^{m} (Σ_{j=1}^{n} s_{ij}β_j) α_i = 0,

and from the linear independence of the α_i over L we infer

    Σ_{j=1}^{n} s_{ij}β_j = 0    for 1 ≤ i ≤ m.

But since the β_j are linearly independent over K, we conclude that all s_{ij} are 0. □

1.85. Theorem. Every finite extension of K is algebraic over K.

Proof. Let L be a finite extension of K and put [L : K] = m. For θ ∈ L, the m + 1 elements 1, θ, ..., θ^m must then be linearly dependent over K, and so we get a relation a_0 + a_1θ + ... + a_mθ^m = 0 with a_i ∈ K not all being 0. This just says that θ is algebraic over K. □
For the study of the structure of a simple extension K(θ) of K obtained by adjoining an algebraic element, let F be an extension of K and let θ ∈ F be algebraic over K. It turns out that K(θ) is a finite (and therefore an algebraic) extension of K.

1.86. Theorem. Let θ ∈ F be algebraic of degree n over K and let g be the minimal polynomial of θ over K. Then:
(i) K(θ) is isomorphic to K[x]/(g).
(ii) [K(θ) : K] = n and {1, θ, ..., θ^{n−1}} is a basis of K(θ) over K.
(iii) Every α ∈ K(θ) is algebraic over K and its degree over K is a divisor of n.

Proof. (i) Consider the mapping τ: K[x] → K(θ), defined by τ(f) = f(θ) for f ∈ K[x], which is easily seen to be a ring homomorphism. We have ker τ = {f ∈ K[x] : f(θ) = 0} = (g) by the definition of the minimal polynomial. Let S be the image of τ; that is, S is the set of polynomial expressions in θ with coefficients in K. Then the homomorphism theorem for rings (see Theorem 1.40) yields that S is isomorphic to K[x]/(g). But K[x]/(g) is a field by Theorems 1.61 and 1.82(i), and so S is a field. Since K ⊆ S ⊆ K(θ) and θ ∈ S, it follows from the definition of K(θ) that S = K(θ), and (i) is thus shown.
(ii) Since S = K(θ), any given α ∈ K(θ) can be written in the form α = f(θ) for some f ∈ K[x]. By the division algorithm, f = qg + r with q, r ∈ K[x] and deg(r) < deg(g) = n. Then α = f(θ) = q(θ)g(θ) + r(θ) = r(θ), and so α is a linear combination of 1, θ, ..., θ^{n−1} with coefficients in K. On the other hand, if a_0 + a_1θ + ... + a_{n−1}θ^{n−1} = 0 for certain a_i ∈ K, then the polynomial h(x) = a_0 + a_1x + ... + a_{n−1}x^{n−1} ∈ K[x] has θ as a root and is thus a multiple of g by Theorem 1.82(ii). Since deg(h) < n = deg(g), this is only possible if h = 0, that is, if all a_i = 0. Therefore, the elements 1, θ, ..., θ^{n−1} are linearly independent over K and (ii) follows.
(iii) K(θ) is a finite extension of K by (ii), and so α ∈ K(θ) is algebraic over K by Theorem 1.85. Furthermore, K(α) is a subfield of K(θ). If d is the degree of α over K, then (ii) and Theorem 1.84 imply that n = [K(θ) : K] = [K(θ) : K(α)][K(α) : K] = [K(θ) : K(α)]d, hence d divides n. □

The elements of the simple algebraic extension K(θ) of K are therefore polynomial expressions in θ. Any element of K(θ) can be uniquely represented in the form a_0 + a_1θ + ... + a_{n−1}θ^{n−1} with a_i ∈ K for 0 ≤ i ≤ n − 1.

It should be pointed out that Theorem 1.86 operates under the assumption that both K and θ are embedded in a larger field F. This is necessary in order that algebraic expressions involving θ make sense. We now want to construct a simple algebraic extension ab ovo, that is, without reference to a previously given larger field. The clue to this is contained in part (i) of Theorem 1.86.

1.87. Theorem. Let f ∈ K[x] be irreducible over the field K. Then there exists a simple algebraic extension of K with a root of f as a defining element.

Proof. Consider the residue class ring L = K[x]/(f), which is a field by Theorem 1.61. The elements of L are the residue classes [h] = h + (f) with h ∈ K[x]. For any a ∈ K we can form the residue class [a] determined by the constant polynomial a, and if a, b ∈ K are distinct, then [a] ≠ [b] since f has positive degree. The mapping a ↦ [a] gives an isomorphism from K onto a subfield K' of L, so that K' may be identified with K. In other words, we can view L as an extension of K. For every h(x) = a_0 + a_1x + ... + a_mx^m ∈ K[x] we have [h] = [a_0 + a_1x + ... + a_mx^m] = [a_0] + [a_1][x] + ... + [a_m][x]^m = a_0 + a_1[x] + ... + a_m[x]^m by the rules for operating with residue classes and the identification [a_i] = a_i. Thus, every element of L can be written as a polynomial expression in [x] with coefficients in K. Since any field containing both K and [x] must contain these polynomial expressions, L is a simple extension of K obtained by adjoining [x]. If f(x) = b_0 + b_1x + ... + b_nx^n, then f([x]) = b_0 + b_1[x] + ... + b_n[x]^n = [b_0 + b_1x + ... + b_nx^n] = [f] = [0], so that [x] is a root of f and L is a simple algebraic extension of K. □

1.88. Example. As an example of the formal process of root adjunction in Theorem 1.87, consider the prime field F_3 and the polynomial f(x) = x^2 + x + 2 ∈ F_3[x], which is irreducible over F_3. Let θ be a "root" of f; that is, θ is the residue class x + (f) in L = F_3[x]/(f). The other root of f in L is then 2θ + 2, since f(2θ + 2) = (2θ + 2)^2 + (2θ + 2) + 2 = θ^2 + θ + 2 = 0. By Theorem 1.86(ii), or by the known structure of a residue class field, the simple algebraic extension L = F_3(θ) consists of the nine elements 0, 1, 2, θ, θ + 1, θ + 2, 2θ, 2θ + 1, 2θ + 2. The operation tables for L can be constructed as in Example 1.62. □

We observe that in the above example we may adjoin either the root θ or the root 2θ + 2 of f and we would still obtain the same field. This situation is covered by the following result, which is easily established.

1.89. Theorem. Let α and β be two roots of the polynomial f ∈ K[x] that is irreducible over K. Then K(α) and K(β) are isomorphic under an isomorphism mapping α to β and keeping the elements of K fixed.
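The residue class ring F_p[x]/(f) of Example 1.62 and the root-adjunction construction of Theorem 1.87 and Example 1.88 can be built directly from the reduction-mod-f rule of Section 3. The following Python code is an added example, not part of the book: the class ResidueClassRing and its method names are the example's own, the modulus f is assumed monic, and an element is stored as the coefficient list of its unique representative of degree < n. The three rings exercised are those of the text, F_2[x]/(x^2 + x + 1), F_3[x]/(x^2 + 2) and F_3[x]/(x^2 + x + 2); the field test uses the fact that a finite commutative ring with identity is a field exactly when it has no zero divisors, and the root search finds both θ and 2θ + 2 of Example 1.88.

```python
# Added example (not from the book): the residue class ring F_p[x]/(f) of
# Example 1.62 and Theorem 1.87, f monic.  An element is the list of the
# n = deg f coefficients (lowest degree first) of its unique representative
# of degree < n.
import itertools


class ResidueClassRing:
    def __init__(self, p, f):
        self.p = p
        self.f = [c % p for c in f]
        if self.f[-1] != 1:
            raise ValueError("this example assumes a monic modulus f")
        self.n = len(self.f) - 1

    def reduce(self, g):
        """Reduction mod f: rewrite x^k (k >= n) via x^n = -(f_0 + ... + f_{n-1} x^{n-1})."""
        g = [c % self.p for c in g] + [0] * self.n
        for k in range(len(g) - 1, self.n - 1, -1):
            c = g[k]
            if c:
                for i in range(self.n):
                    g[k - self.n + i] = (g[k - self.n + i] - c * self.f[i]) % self.p
                g[k] = 0
        return g[:self.n]

    def add(self, a, b):
        return self.reduce([x + y for x, y in zip(a, b)])

    def mul(self, a, b):
        prod = [0] * (2 * self.n - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] += x * y
        return self.reduce(prod)

    def elements(self):
        """All p^n residue classes (the count at the end of Section 3)."""
        return [list(t) for t in itertools.product(range(self.p), repeat=self.n)]

    def zero_divisors(self):
        """Nonzero pairs (a, b) with ab = 0.  A finite commutative ring with
        identity is a field exactly when this list is empty."""
        zero = [0] * self.n
        nonzero = [e for e in self.elements() if e != zero]
        return [(a, b) for a in nonzero for b in nonzero if self.mul(a, b) == zero]

    def is_field(self):
        return not self.zero_divisors()

    def eval_poly(self, coeffs, theta):
        """h(theta) for h in F_p[x] (lowest degree first) and theta in the ring."""
        acc = [0] * self.n
        for c in reversed(coeffs):
            acc = self.add(self.mul(acc, theta), [c % self.p] + [0] * (self.n - 1))
        return acc

    def roots_of(self, coeffs):
        """All elements of the ring at which h vanishes."""
        zero = [0] * self.n
        return [e for e in self.elements() if self.eval_poly(coeffs, e) == zero]

    def name(self, e):
        """Print an element as a polynomial in x, e.g. [2, 1] -> 'x+2'."""
        parts = []
        for i in range(self.n - 1, -1, -1):
            c = e[i]
            if c == 0:
                continue
            coef = "" if (c == 1 and i > 0) else str(c)
            power = "" if i == 0 else ("x" if i == 1 else f"x^{i}")
            parts.append(coef + power)
        return "+".join(parts) or "0"


if __name__ == "__main__":
    GF4 = ResidueClassRing(2, [1, 1, 1])          # Example 1.62(ii): F_2[x]/(x^2+x+1)
    print("F_2[x]/(x^2+x+1) is a field:", GF4.is_field())
    print("x * x =", GF4.name(GF4.mul([0, 1], [0, 1])))       # x+1, as in the table
    R9 = ResidueClassRing(3, [2, 0, 1])           # Example 1.62(iii): F_3[x]/(x^2+2)
    print("F_3[x]/(x^2+2) is a field:", R9.is_field(),
          "e.g. (x+1)(x+2) =", R9.name(R9.mul([1, 1], [2, 1])))
    L = ResidueClassRing(3, [2, 1, 1])            # Example 1.88: F_3[x]/(x^2+x+2)
    print("roots of x^2+x+2 in F_3(theta):", [L.name(r) for r in L.roots_of([2, 1, 1])])
```

Exercise 1.60 asks for the operation tables of F_3(θ); they are the values of L.add and L.mul over L.elements(), printed with L.name.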
We are now asking for an extension field to which all roots of a given polynomial belong.

1.90. Definition. Let f ∈ K[x] be of positive degree and F an extension field of K. Then f is said to split in F if f can be written as a product of linear factors in F[x], that is, if there exist elements α_1, α_2, ..., α_n ∈ F such that

    f(x) = a(x − α_1)(x − α_2) ··· (x − α_n),

where a is the leading coefficient of f. The field F is a splitting field of f over K if f splits in F and if, moreover, F = K(α_1, α_2, ..., α_n).

It is clear that a splitting field F of f over K is in the following sense the smallest field containing all the roots of f: no proper subfield of F that is an extension of K contains all the roots of f. By repeatedly applying the process used in Theorem 1.87, one obtains the first part of the subsequent result. The second part is an extension of Theorem 1.89.

1.91. Theorem (Existence and Uniqueness of Splitting Field). If K is a field and f any polynomial of positive degree in K[x], then there exists a splitting field of f over K. Any two splitting fields of f over K are isomorphic under an isomorphism which keeps the elements of K fixed and maps roots of f into each other.

Since isomorphic fields may be identified, we can speak of the splitting field of f over K. It is obtained from K by adjoining finitely many algebraic elements over K, and therefore one can show on the basis of Theorems 1.84 and 1.86(ii) that the splitting field of f over K is a finite extension of K.

As an illustration of the usefulness of splitting fields, we consider the question of deciding whether a given polynomial has a multiple root (compare with Definition 1.65).

1.92. Definition. Let f ∈ K[x] be a polynomial of degree n ≥ 2 and suppose that f(x) = a_0(x − α_1) ··· (x − α_n) with α_1, ..., α_n in the splitting field of f over K. Then the discriminant D(f) of f is defined by

    D(f) = a_0^{2n−2} ∏_{1 ≤ i < j ≤ n} (α_i − α_j)^2.

It is obvious from the definition of D(f) that f has a multiple root if and only if D(f) = 0. Although D(f) is defined in terms of elements of an extension of K, it is actually an element of K itself. For small n this can be seen by direct calculation. For instance, if n = 2 and f(x) = ax^2 + bx + c = a(x − α_1)(x − α_2), then D(f) = a^2(α_1 − α_2)^2 = a^2((α_1 + α_2)^2 − 4α_1α_2) = a^2(b^2a^{−2} − 4ca^{−1}), hence

    D(ax^2 + bx + c) = b^2 − 4ac,

a well-known expression from the theory of quadratic equations. If n = 3 and f(x) = ax^3 + bx^2 + cx + d = a(x − α_1)(x − α_2)(x − α_3), then D(f) = a^4(α_1 − α_2)^2(α_1 − α_3)^2(α_2 − α_3)^2, and a more involved computation yields

    D(ax^3 + bx^2 + cx + d) = b^2c^2 − 4b^3d − 4ac^3 − 27a^2d^2 + 18abcd.    (1.9)
In the general case, consider first the polynomial s ∈ K[x_1, ..., x_n] given by

    s(x_1, ..., x_n) = a_0^{2n−2} ∏_{1 ≤ i < j ≤ n} (x_i − x_j)^2.

Then s is a symmetric polynomial, and by a result in Example 1.74 it can be written as a polynomial expression in the elementary symmetric polynomials σ_1, ..., σ_n; that is, s = h(σ_1, ..., σ_n) for some h ∈ K[x_1, ..., x_n]. If f(x) = a_0x^n + a_1x^{n−1} + ... + a_n = a_0(x − α_1) ··· (x − α_n), then the definition of the elementary symmetric polynomials (see again Example 1.74) implies that σ_k(α_1, ..., α_n) = (−1)^k a_k a_0^{−1} ∈ K for 1 ≤ k ≤ n. Thus,

    D(f) = s(α_1, ..., α_n) = h(σ_1(α_1, ..., α_n), ..., σ_n(α_1, ..., α_n)) = h(−a_1a_0^{−1}, ..., (−1)^n a_na_0^{−1}) ∈ K.
Since D(f) ∈ K, it should be possible to calculate D(f) without having to pass to an extension field of K. This can be done via the notion of resultant. We note first that if a polynomial f ∈ K[x] is given in the form f(x) = a_0x^n + a_1x^{n−1} + ... + a_n and we accept the possibility that a_0 = 0, then n need not be the degree of f. We speak of n as the formal degree of f; it is always greater than or equal to deg(f).

1.93. Definition. Let f(x) = a_0x^n + a_1x^{n−1} + ... + a_n ∈ K[x] and g(x) = b_0x^m + b_1x^{m−1} + ... + b_m ∈ K[x] be two polynomials of formal degree n resp. m with n, m ∈ N. Then the resultant R(f, g) of the two polynomials is defined by the determinant

              | a_0  a_1  ...  a_n   0   ...   0  |
              |  0   a_0  a_1  ...  a_n  ...   0  |   m rows
              |  .    .    .    .    .    .    .  |
              |  0   ...   0   a_0  a_1  ...  a_n |
    R(f, g) = |                                   |
              | b_0  b_1  ...  b_m   0   ...   0  |
              |  0   b_0  b_1  ...  b_m  ...   0  |   n rows
              |  .    .    .    .    .    .    .  |
              |  0   ...   0   b_0  b_1  ...  b_m |

of order m + n; in each of the first m rows the coefficients a_0, ..., a_n are shifted one position to the right relative to the row above, and likewise b_0, ..., b_m in the last n rows.

If deg(f) = n (i.e., if a_0 ≠ 0) and f(x) = a_0(x − α_1) ··· (x − α_n) in the splitting field of f over K, then R(f, g) is also given by the formula

    R(f, g) = a_0^m ∏_{i=1}^{n} g(α_i).    (1.10)

In this case, we obviously have R(f, g) = 0 if and only if f and g have a common root, which is the same as saying that f and g have a common divisor in K[x] of positive degree.

Theorem 1.68 suggests a connection between the discriminant D(f) and the resultant R(f, f'). Let f ∈ K[x] with deg(f) = n ≥ 2 and leading coefficient a_0. Then we have, in fact, the identity

    D(f) = (−1)^{n(n−1)/2} a_0^{−1} R(f, f'),    (1.11)

where f' is viewed as a polynomial of formal degree n − 1. The last remark is needed since we may have deg(f') < n − 1 and even f' = 0 in case K has prime characteristic. At any rate, the identity (1.11) shows that we can obtain D(f) by calculating a determinant of order 2n − 1 with entries in K.
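Identity (1.11) is what makes the discriminant computable inside K: one determinant with entries in K replaces the product over roots in a splitting field. The Python code below is an added example, not part of the book; the function names are the example's own, it works over Q with exact fractions (so the root formulas can be checked on polynomials with rational roots), and it follows the book's convention of this section, coefficients listed highest degree first with formal degrees passed explicitly. It builds the Sylvester determinant of Definition 1.93, evaluates D(f) via (1.11), and cross-checks against Definition 1.92, formula (1.10), the quadratic case and (1.9); the cubic used is that of Exercise 1.62(a).

```python
# Added example (not from the book): the resultant of Definition 1.93 as a
# Sylvester determinant over Q, the discriminant via identity (1.11), and
# cross-checks against the root formulas (1.10), Definition 1.92 and (1.9).
# Coefficient lists follow the book's convention in this section: highest
# degree first, f = [a_0, a_1, ..., a_n].
from fractions import Fraction
from itertools import combinations


def det(matrix):
    """Exact determinant over Q by Gaussian elimination with row pivoting."""
    m = [[Fraction(v) for v in row] for row in matrix]
    n, sign, result = len(m), 1, Fraction(1)
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            return Fraction(0)
        if pivot != col:
            m[col], m[pivot] = m[pivot], m[col]
            sign = -sign
        result *= m[col][col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            if factor:
                m[r] = [a - factor * b for a, b in zip(m[r], m[col])]
    return sign * result


def resultant(f, g, n=None, m=None):
    """R(f, g) of Definition 1.93.  n and m are the FORMAL degrees; they default
    to the list lengths but may be larger (the list is then padded with leading
    zeros), which is what (1.11) needs for f' when its leading coefficient is 0."""
    n = len(f) - 1 if n is None else n
    m = len(g) - 1 if m is None else m
    f = [0] * (n + 1 - len(f)) + list(f)
    g = [0] * (m + 1 - len(g)) + list(g)
    size = m + n
    rows = [[0] * i + f + [0] * (size - n - 1 - i) for i in range(m)]    # m rows of a's
    rows += [[0] * i + g + [0] * (size - m - 1 - i) for i in range(n)]   # n rows of b's
    return det(rows)


def derivative(f):
    """f' for f = [a_0, ..., a_n]; returned with formal degree n - 1 even if its
    leading coefficient happens to vanish."""
    n = len(f) - 1
    return [a * (n - i) for i, a in enumerate(f[:-1])]


def discriminant(f):
    """D(f) by identity (1.11): (-1)^{n(n-1)/2} a_0^{-1} R(f, f')."""
    n = len(f) - 1
    if n < 2 or f[0] == 0:
        raise ValueError("need deg f = n >= 2 with nonzero leading coefficient")
    sign = -1 if (n * (n - 1) // 2) % 2 else 1
    return sign * resultant(f, derivative(f), n, n - 1) / Fraction(f[0])


def discriminant_from_roots(a0, roots):
    """Definition 1.92: a_0^{2n-2} prod_{i<j} (alpha_i - alpha_j)^2."""
    prod = Fraction(1)
    for x, y in combinations(roots, 2):
        prod *= (Fraction(x) - Fraction(y)) ** 2
    return Fraction(a0) ** (2 * len(roots) - 2) * prod


def resultant_from_roots(a0, roots, g):
    """Formula (1.10): a_0^m prod_i g(alpha_i), with g = [b_0, ..., b_m]."""
    def g_at(x):
        acc = Fraction(0)
        for b in g:                      # Horner, highest degree first
            acc = acc * x + b
        return acc
    prod = Fraction(1)
    for r in roots:
        prod *= g_at(Fraction(r))
    return Fraction(a0) ** (len(g) - 1) * prod


def cubic_discriminant(a, b, c, d):
    """Formula (1.9)."""
    return b * b * c * c - 4 * b ** 3 * d - 4 * a * c ** 3 - 27 * a * a * d * d + 18 * a * b * c * d


if __name__ == "__main__":
    quad = [1, -3, 2]                       # (x-1)(x-2): b^2 - 4ac = 1
    print("D(x^2-3x+2) =", discriminant(quad), "=", discriminant_from_roots(1, [1, 2]))
    cubic = [2, -3, -1, 1]                  # Exercise 1.62(a)
    print("D(2x^3-3x^2-x+1) =", discriminant(cubic), "=", cubic_discriminant(2, -3, -1, 1))
    f = [1, 0, -1]                          # x^2 - 1 = (x-1)(x+1), f' = 2x
    print("R(f,f') =", resultant(f, derivative(f)), "=", resultant_from_roots(1, [1, -1], [2, 0]))
    print("(x-1)^2 has a multiple root:", discriminant([1, -2, 1]) == 0)
```

Over a field of prime characteristic the same determinant is evaluated in F_p instead of Q; the formal-degree padding in resultant is exactly the caveat stated after (1.11), since f' may then lose its leading term or vanish entirely.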
~:XERCISF:S
1.1.
Prove that the identity element of a group is uniqucly determined. For a multiplicative group G, prove that a non empty suhset 11 of G is a suhgroup of G if and only if II, b c H implies ab 'Eo N. If H is finite, then the condition can be replaced hy: II, b c H implies lib Ell. 1.3. Let II be an element of finite order k in the multiplicative group G. Show that for til EO Z we have am - e if and only if k divides m. 1.4. For mEN, Euler's function ¢( til) is defined to be the numher of integers k with I,,; k ,,; til and gcd( k, m) = I. Show the following pr()pcrtie~ for 111, II, S F N and a prime p: , I ) (a) ¢(p')=p,II-. : \ p (b) ¢(mtl)=¢(m)¢(tl)ifged(m,n)~I: , I \ ' I' Ie) ¢lm)=til!1 - / ... 11--- \' where m=p; "'p; is the , PI I \ Pr J 1.2.
prime factor dccompo~ition of m.
1.5. 1.6.
1.7.
Caleulate <1>(490) and ¢(68). Usc the class equation to sliow the following: if the order of a finite group is a prime power p~. p prime, S ~ I, then the order of it~ center is divisihle hy p. Prove that in a ring R we have (- a)( - hI -- IIh for all II, "EO R.
I.g,
Prove th(jt in a commutative ring R the formula
I.Y. 1.10.
holds for all II," F R and II c N. (Binomial Theorem) Let p he a prime number in Z. for all integers II not divisible by p, show that p divides a f I - I. (Fermat's Little Theorem) Prove that for any prime p we have (p -I)' -- -- I mod p, (Wilson's Theorem)
1.11. 1.12.
J. D.
1.14. 1.15.
Prove: if p is a prime. we have ( p
Provt:: if m 1 , ... ,n1 A arc positive integers that arc pairwise relatively prime-that is. ged(m,. r>lJ! ~ I for I,;; i < j,;; k -then for any integers a l' ...• a" the system of congruences y == a I mod mI ' i = 1,2, .... k. has a simultaneous solution,. that is uniquely determined modulo m 111 1 '" m". (Chinese Remainder Theorem) Solve the system of congruences 5x:c. 20mod6. 6x '" 6mod5. 4x '" 5 mod 77. For a commutative ring R of prime characteristic p. show that (11
"" + ... -a,) p.:....:af . . . ...
p
,
L ;
1.18.
p~ +(1\
for all a, ..... a, E Rand n E' I'll. Deduce from Exercise 1.11 that in a commutative ring R of prime characteristic p we have
(a-h)" : 1.17.
I ) '"" (- I)J mod p for 0 ,;; j ,;;
p- I.jE7L. A conjecture of Fermat stated that for all n ;, 0 the integer 2'" + I is a prime. Euler found to the contrary that 641 divides 2" t I. Confirm this by using congruences.
(
1.16.
7
alh" , ,
foralla.hC" R.
II
Let F be a field and f0 Fix]. Prove that (K(j(x)):KE F[x]) is equal to FIx] if and only if deg(j) - I. Show that p'(x)- xq'(x) ~ xr'(x) for p. q. r E D;l[ x] implies p ~ q ~
r ~ O. 1.19. 1.20.
1.21. 1.22. 1.23. 1.24.
Show that if f. K Eo Fix]. then the principal ideal (j) is contained in the principal ideal (K) if and only if K dividesf. Prove: iff. K E Fix] are relatively prime and not both constant. then tbere exist a. b E F[x] such that af + hK ~ I and deg(a) < deg(g). deg( b) < deg(j). Let f, .....f" E Fix] with gcd(j, !.,) ~ d. so that !, ~ dl(, with K, E FIx] for 1,;; i,;; n. Prove that g, K" arc relatively prime. Prove that ged(j, ... ..f,) ~ ged(ged(j, J, ,). f,) for II ;, 3. Prove: if f.l(. h E FIx]. f divides I(h. and ged(j.1( ).- I. then f divides h. Use the Euclidean algorithm to compute ged(j. g) for the polynomials f and I( with coefficients in the indicated field F: (a)
F~Q. f(X)~X7+2x'+2x'-x+2. l(x)~x'-2X'-X41
x 2 +2x.-+ 3 (h) (c)
(d)
F=1F2,f(X)~x7~1.I(x)~xs+xl-jx
tl
F~IF,,f(x)~x'+x+l.l(x)~x6I x'+x 4 +1 F~1F3' f(X)~X8-i-2xs~X3 ex'+I. g(X)~2X6+X5+2xl
+2x'
+2
.19
Exercises
1.25.
1.26. 1.27.
1.2B. 1.29.
Let 1, .... ./" be nonzero polynomials in F[x]. By considering the intersection (/,)(1 ... n(/,,) of principal ideals. prove the existence and uniqueness of the monic polynomial mE F[x] with the properties attributed to the least common multiple of 1, .... ./" Prove (1.6). If I, ...../" to FIx] are nonzero polynomials that arc pairwise relatively prime. show that Icm(/, ... .. I,,) ~ a "/, ... I". where a is the leading coefficient of I, ... I". Prove that lem( I,.··· .f~) ~ Iem(lem( f, .... ./" ,). /,,) for n '" 3. Let 1, .... ./" to F[x] he nonzero polynomials. Write the canonical factorization of each j" I ~ i ~ II, in the form
where u/
E::
F, the product is extended over all monic irreducihle
polynomials pin Flx]. the e,( p) arc nonnegative integers. and for each i we have e,( p) > 0 for only finitely many p. For each p set m( p) ~ min(e,( p)..... e,,( pi) and M( p) - max(e,( p)..... e,,( pl). Prove that {)-nU'IP' gc d(11'··· 'In (J •
IemU, ... ../,,) ~ 11 pMII". 1.30.
Kronecker's method for finding divisors of degree.;; s of a noneanstant polynomial IE Q[x] proceeds as follows: (I) By multiplying I by a constant. we can assume I E Z[x]. (2) Choose distinct elements ao, ...• a,E Z that are not roots of I and determine all divisors of I(a,) for each i.O';; i.;; s. (3) For each (s + I)-tuple (h" ..... h,) with h, dividing I(a,) for 0.;; i.;; s. determine the polynomial g E Q[x] with deg(g).;; s and g(a,)=h, for O.;;i.;;s (for instance. hy the Lagrange interpolation formula). (4) Decide which of these polynomials g in (3) are divisors of f. If deg(j) = n ?> I and s is taken to be the greatest integer <; n/2. then I is irreducible in Oix1 in case the method only yields constant polynomials as divisors. Otherwise. Kronecker's method yields a nontrivial factorization. By applying the method again to the faclors and repeating the process. one eventually gets the canonical faetori/,ation of f. Use this procedure to find the canonical factorization of
I(x)" :x'-ix s f2x 4 -x' t5x'- \'x-IEQ[xl· 1.31.
Construct
the addition
and
multiplication
tahle for IF ,Ix 1/
(x' - x' + x). Determine whether or not this ring is a field. 1.32. Letlx+lj be the residue class of x+1 in IF,lx1/(x 4 +1). Find the residue classes comprising the principal ideal ([x + III in IF,lxJl ( .. 4
I
1\
Algchmic f-'oundalit)n . .
4{\
Let I' he a field and a. h. g r FI x 1 with g ~ O. Prove that the congruence af ~ h mod g has a solution 1 '" FI x] if and only if gcd( a. g) divides h. 1.34. Solve thc congruence (x' I IJ./h) = I mod(x' + I) in f "lxJ, if possible. 135. Solve (x' I x" I x' - I)!(.<)=(x' T I)mod(x' .,,1) in r,rxl if
1.33.
possihle.
1.36.
Prove that R[xl!(x 4
T
X"
+ x'" I) eannot he a field. no malter what
the commutative ring R with identity is.
1.37.
Prove: given a field F. nonzero polynomiabli"",f, c. Flxlthat are gl g" E }-·[xl. then the simultaneous c(mgruenccs h ::== XI mod!,. i = 1.2 ,k. have a unique solution hE FIx 1 modulo 1 . 1, ... 1,. (Chinese Remainder Theorem for Ff x 1> Evaluate 1(3) for 1( x) - X 214 -:1.<".' + 2x 4 " I 2 c IF ,I x]. Let p h~ a prime and a v'" .. il" int~gcrs with p not dividing a l1 • Show that all + illY' ... I a,tY n - Omoo p has at moM n different :o,olutions y modulo p. If P > 2 is a prime, ~how that there ar~ exactly two dements il F U- p sueh that a) - 1. Show: if fElix] and 1(0) '" 1( I) '" I mIld 2. then 1 has no ro,'ts in 1. Let p he a prime and 1 E l[xl. Show: l(a)" Omod p holds for all a c 1 if and only if l(x)'" (XC x)g(x) I ph(x) with 1'. h E 1lxl· Let p be a prime integer and (' an ekment of the field F. Show that x P - c is irreducihle over F if and only if x" - c has no root in F. Show that for a polynomial I r Fix] of positive degree the following puirwis~ rdatively prime. and arbitrary polynomials
1.3H. LN.
lAO.
1.41. 1.42. 1.43. 1.44.
condition~ are cquivi;llcnt:
1.45.
(a) I is irredueihle over F: (h) the principal ideal (/) of F[x] is a maximal ideal: (e) the principal ideal (/) of Fix] is a prime ideal. Show the following properties of the derivative for polynomials in FIx]: (a) (h) (c)
(/,-'" (f~)'~
+ I",)'~ I{+ ... -
'" Ll,"'I, ,/,'/,.,"-/,,,.
(/""/,,,)'~ I
1.46.
1.47. 1.48.
1.49.
I~:
j'g'" II": =- I
For I c FIx) and I' of characteristic 0, provc that j' ~ 0 if and only if 1 is a constant polynomial. If I' has prime characteristic p, prove thatj'=O if and only if/(x)~g(xP) forsomcgE Flxl. Prove Theorem 1.68. Provc that thc nonzcro polynomial I E F[ x] has a multipk root (in some extension field of F) if and only if I and j' arc not relativcly prime. Usc the criterion in the previous exercise to determine whether the
(a) f(x) = x^4 − 5x^3 + 6x^2 + 4x − 8 ∈ Q[x];
(b) f(x) = x^6 + x^5 + x^4 + x^3 − 1 ∈ F_3[x].
1.50. The nth derivative f^{(n)} of f ∈ F[x] is defined recursively as follows: f^{(0)} = f, f^{(n)} = (f^{(n−1)})' for n ≥ 1. Prove that
$$ (fg)^{(n)} = \sum_{k=0}^{n} \binom{n}{k} f^{(k)} g^{(n-k)}. $$
1.51. Let F be a field and k a positive integer such that k < p in case F has prime characteristic p. Prove: b ∈ F is a root of f ∈ F[x] of multiplicity k if and only if f^{(i)}(b) = 0 for 0 ≤ i ≤ k − 1 and f^{(k)}(b) ≠ 0.
1.52. Show that the Lagrange interpolation formula can also be written in the form
$$ f(x) = \sum_{i=0}^{n} \frac{b_i\, g(x)}{g'(a_i)\,(x - a_i)} \quad \text{with } g(x) = \prod_{k=0}^{n} (x - a_k). $$
1.53. Determine a polynomial f ∈ F_5[x] with f(0) = f(1) = f(4) = 1 and f(2) = f(3) = 3.
1.54. Determine a polynomial f ∈ Q[x] of degree ≤ 3 such that f(−1) = −1, f(0) = 3, f(1) = 3, and f(2) = 5.
1.55. Express s_3(x_1, x_2, x_3, x_4) = x_1^3 + x_2^3 + x_3^3 + x_4^3 ∈ F_3[x_1, x_2, x_3, x_4] in terms of the elementary symmetric polynomials σ_1, σ_2, σ_3, σ_4.
1.56. Prove that a subset K of a field F is a subfield if and only if the following conditions are satisfied: (a) K contains at least two elements; (b) if a, b ∈ K, then a − b ∈ K; (c) if a, b ∈ K and b ≠ 0, then ab^{−1} ∈ K.
1.57. Prove that an extension L of the field K is a finite extension if and only if L can be obtained from K by adjoining finitely many algebraic elements over K.
1.58. Prove: if θ is algebraic over L and L is an algebraic extension of K, then θ is algebraic over K. Thus show that if F is an algebraic extension of L, then F is an algebraic extension of K.
1.59. Prove: if the degree [L : K] is a prime, then the only fields F with K ⊆ F ⊆ L are F = K and F = L.
1.60. Construct the operation tables for the field L = F_3(θ) in Example 1.88.
1.61. Show that f(x) = x^4 + x + 1 ∈ F_2[x] is irreducible over F_2. Then construct the operation tables for the simple extension F_2(θ), where θ is a root of f.
1.62. Calculate the discriminant D(f) and decide whether or not f has a multiple root:
(a) f(x) = 2x^3 − 3x^2 − x + 1 ∈ Q[x];
(b) f(x) = 2x^4 + x^3 + x^2 + 2x − 2 ∈ F_5[x].
1.63. Deduce (1.9) from (1.11).
1.64. Prove that f, g ∈ K[x] have a common root (in some extension field of K) if and only if f and g have a common divisor in K[x] of positive degree.
1.65. Determine the common roots of the polynomials x^7 − 2x^4 − x^3 + 2 and x^5 − 3x^4 − x + 3 in Q[x].
1.66. Prove: if f and g are as in Definition 1.93, then R(f, g) = (−1)^{mn} R(g, f).
1.67. Let f, g ∈ K[x] be of positive degree and suppose that f(x) = a_0(x − α_1)···(x − α_n), a_0 ≠ 0, and g(x) = b_0(x − β_1)···(x − β_m), b_0 ≠ 0, in the splitting field of fg over K. Prove that
$$ R(f, g) = a_0^{m} b_0^{n} \prod_{i=1}^{n} \prod_{j=1}^{m} (\alpha_i - \beta_j) = a_0^{m} \prod_{i=1}^{n} g(\alpha_i) = (-1)^{mn} b_0^{n} \prod_{j=1}^{m} f(\beta_j), $$
where n and m are also taken as the formal degrees of f and g, respectively.
1.68. Calculate the resultant R(f, g) of the two given polynomials f and g (with the formal degree equal to the degree) and decide whether or not f and g have a common root:
(a) f(x) = x^3 + x + 1, g(x) = 2x^3 + x^2 + 2 ∈ F_3[x];
(b) f(x) = x^4 + x^2 + 1, g(x) = x^4 − x^2 + x − 1 ∈ F_3[x].
1.69. For f ∈ K[x_1, ..., x_n], n ≥ 2, an n-tuple (a_1, ..., a_n) of elements belonging to some extension L of K may be called a zero of f if f(a_1, ..., a_n) = 0. Now let f, g ∈ K[x_1, ..., x_n] with x_n actually appearing in f and g. Then f and g can be regarded as polynomials f(x_n) and g(x_n) in K[x_1, ..., x_{n−1}][x_n] of positive degree. Their resultant with respect to x_n (with formal degree = degree) is R(f, g) = R_{x_n}(f, g).
1.70. zeros of the polynomials f(x, y) = x(y^2 − x)^2 − y^5 and g(x, y) = y^4 + y^3 − x^2 in Q[x, y].
Chapter 2
Structure of Finite Fields
This chapter is of central importance since it contains various fundamental properties of finite fields and a description of methods for constructing finite fields.

The field of integers modulo a prime number is, of course, the most familiar example of a finite field, but many of its properties extend to arbitrary finite fields. The characterization of finite fields (see Section 1) shows that every finite field is of prime-power order and that, conversely, for every prime power there exists a finite field whose number of elements is exactly that prime power. Furthermore, finite fields with the same number of elements are isomorphic and may therefore be identified. The next two sections provide information on roots of irreducible polynomials, leading to an interpretation of finite fields as splitting fields of irreducible polynomials, and on traces, norms, and bases relative to field extensions.

Section 4 treats roots of unity from the viewpoint of general field theory, which will be needed occasionally in Section 6 as well as in Chapter 5. Section 5 presents different ways of representing the elements of a finite field. In Section 6 we give two proofs of the famous theorem of Wedderburn according to which every finite division ring is a field.

Many discussions in this chapter will be followed up, continued, and partly generalized in later chapters.
1. CHARACTERIZATION OF FINITE FIELDS
In the previous chapter we have already encountered a basic class of finite fields, that is, of fields with finitely many elements. For every prime p the residue class ring Z/(p) forms a finite field with p elements (see Theorem 1.38), which may be identified with the Galois field F_p of order p (see Definition 1.41). The fields F_p play an important role in general field theory since every field of characteristic p must contain an isomorphic copy of F_p by Theorem 1.78 and can thus be thought of as an extension of F_p. This observation, together with the fact that every finite field has prime characteristic (see Corollary 1.45), is fundamental for the classification of finite fields. We first establish a simple necessary condition on the number of elements of a finite field.
2.1. Lemma. Let F be a finite field containing a subfield K with q elements. Then F has q^m elements, where m = [F : K].
Proof. F is a vector space over K, and since F is finite, it is finite-dimensional as a vector space over K. If [F : K] = m, then F has a basis over K consisting of m elements, say b_1, b_2, ..., b_m. Thus every element of F can be uniquely represented in the form a_1 b_1 + a_2 b_2 + ··· + a_m b_m, where a_1, a_2, ..., a_m ∈ K. Since each a_i can have q values, F has exactly q^m elements. □

2.2. Theorem. Let F be a finite field. Then F has p^n elements, where the prime p is the characteristic of F and n is the degree of F over its prime subfield.
Proof. Since F is finite, its characteristic is a prime p according to Corollary 1.45. Therefore the prime subfield K of F is isomorphic to F_p by Theorem 1.78 and thus contains p elements. The rest follows from Lemma 2.1. □
Starting from the prime fields F_p, we can construct other finite fields by the process of root adjunction described in Chapter 1, Section 4. If f ∈ F_p[x] is an irreducible polynomial over F_p of degree n, then by adjoining a root of f to F_p we get a finite field with p^n elements. However, at this stage it is not clear whether for every positive integer n there exists an irreducible polynomial in F_p[x] of degree n. In order to establish that for every prime p and every n ∈ N there is a finite field with p^n elements, we use an approach suggested by the following results.
2.3. Lemma. If F is a finite field with q elements, then every a ∈ F satisfies a^q = a.
Proof. The identity a^q = a is trivial for a = 0. On the other hand, the nonzero elements of F form a group of order q − 1 under multiplication. Thus a^{q−1} = 1 for all a ∈ F with a ≠ 0, and multiplication by a yields the desired result. □
2.4. Lemma. If F is a finite field with q elements and K is a subfield of F, then the polynomial x^q − x in K[x] factors in F[x] as
$$ x^q - x = \prod_{a \in F} (x - a), $$
and F is a splitting field of x^q − x over K.
Proof. The polynomial x^q − x of degree q has at most q roots in F. By Lemma 2.3 we know q such roots, namely, all the elements of F. Thus the given polynomial splits in F in the indicated manner, and it cannot split in any smaller field. □

We are now able to prove the main characterization theorem for finite fields, the leading idea being contained in Lemma 2.4.
2.5. Theorem (Existence and Uniqueness of Finite Fields). For every prime p and every positive integer n there exists a finite field with p^n elements. Any finite field with q = p^n elements is isomorphic to the splitting field of x^q − x over F_p.

Proof. (Existence) For q = p^n consider x^q − x in F_p[x], and let F be its splitting field over F_p. This polynomial has q distinct roots in F since its derivative is qx^{q−1} − 1 = −1 in F_p[x] and so can have no common root with x^q − x (compare with Theorem 1.68). Let S = {a ∈ F : a^q − a = 0}. Then S is a subfield of F since: (i) S contains 0 and 1; (ii) a, b ∈ S implies by Theorem 1.46 that (a − b)^q = a^q − b^q = a − b, and so a − b ∈ S; (iii) for a, b ∈ S and b ≠ 0 we have (ab^{−1})^q = a^q b^{−q} = ab^{−1}, and so ab^{−1} ∈ S. But, on the other hand, x^q − x must split in S since S contains all its roots. Thus F = S, and since S has q elements, F is a finite field with q elements.

(Uniqueness) Let F be a finite field with q = p^n elements. Then F has characteristic p by Theorem 2.2 and so contains F_p as a subfield. It follows from Lemma 2.4 that F is a splitting field of x^q − x over F_p. Thus the desired result is a consequence of the uniqueness (up to isomorphisms) of splitting fields, which was noted in Theorem 1.91. □
The uniqueness part of Theorem 2.5 provides the justification for speaking of the finite field (or the Galois field) with q elements, or of the finite field (or the Galois field) of order q. We shall denote this field by F_q, where it is of course understood that q is a power of the prime characteristic p of F_q. The notation GF(q) is also used by many authors.
2.6. Theorem (Subfield Criterion). Let F_q be the finite field with q = p^n elements. Then every subfield of F_q has order p^m, where m is a positive divisor of n. Conversely, if m is a positive divisor of n, then there is exactly one subfield of F_q with p^m elements.
Proof. It is clear that a subfield K of F_q has order p^m for some positive integer m ≤ n. Lemma 2.1 shows that q = p^n must be a power of p^m, and so m is necessarily a divisor of n. Conversely, if m is a positive divisor of n, then p^m − 1 divides p^n − 1, and so x^{p^m − 1} − 1 divides x^{p^n − 1} − 1 in F_p[x]. Consequently, x^{p^m} − x divides x^{p^n} − x = x^q − x in F_p[x]. Thus, every root of x^{p^m} − x is a root of x^q − x and so belongs to F_q. It follows that F_q must contain as a subfield a splitting field of x^{p^m} − x over F_p, and as we have seen in the proof of Theorem 2.5, such a splitting field has order p^m. If there were two distinct subfields of order p^m in F_q, they would together contain more than p^m roots of x^{p^m} − x in F_q, an obvious contradiction. □

The proof of Theorem 2.6 shows that the unique subfield of F_{p^n} of order p^m, where m is a positive divisor of n, consists precisely of the roots of the polynomial x^{p^m} − x ∈ F_p[x] in F_{p^n}.

2.7. Example. The subfields of the finite field F_{2^30} can be determined by listing all positive divisors of 30. The containment relations between these various subfields are displayed in the following diagram.
                         F_{2^30}
                      /     |     \
               F_{2^15}  F_{2^10}  F_{2^6}
                 |  \     /   \     /  |
                 |   \   /     \   /   |
                 |    \ /       \ /    |
                 |     X         X     |
                 |    / \       / \    |
                 |   /   \     /   \   |
               F_{2^5}   F_{2^3}   F_{2^2}
                      \     |     /
                           F_2
By Theorem 2.6, the containment relations are equivalent to divisibility relations among the positive divisors of 30. □

For a finite field F_q we denote by F_q^* the multiplicative group of nonzero elements of F_q. The following result enunciates a useful property of this group.

2.8. Theorem. For every finite field F_q the multiplicative group F_q^* of nonzero elements of F_q is cyclic.

Proof. We may assume q ≥ 3. Let h = p_1^{r_1} p_2^{r_2} ··· p_m^{r_m} be the prime factor decomposition of the order h = q − 1 of the group F_q^*. For every i, 1 ≤ i ≤ m, the polynomial x^{h/p_i} − 1 has at most h/p_i roots in F_q. Since h/p_i < h, it follows that there are nonzero elements of F_q that are not roots of this polynomial. Let a_i be such an element and set b_i = a_i^{h/p_i^{r_i}}. We have b_i^{p_i^{r_i}} = 1, hence the order of b_i is a divisor of p_i^{r_i} and is therefore of the form p_i^{s_i} with 0 ≤ s_i ≤ r_i. On the other hand,
$$ b_i^{p_i^{r_i - 1}} = a_i^{h/p_i} \neq 1, $$
and so the order of b_i is p_i^{r_i}. We claim that the element b = b_1 b_2 ··· b_m has order h. Suppose, on the contrary, that the order of b is a proper divisor of h
and is therefore a divisor of at least one of the m integers h/p_i, 1 ≤ i ≤ m, say of h/p_1. Then we have
$$ 1 = b^{h/p_1} = b_1^{h/p_1} b_2^{h/p_1} \cdots b_m^{h/p_1}. $$
Now if 2 ≤ i ≤ m, then p_i^{r_i} divides h/p_1, and hence b_i^{h/p_1} = 1. Therefore b_1^{h/p_1} = 1. This implies that the order of b_1 must divide h/p_1, which is impossible since the order of b_1 is p_1^{r_1}. Thus, F_q^* is a cyclic group with generator b. □
2.9. Definition. A generator of the cyclic group F_q^* is called a primitive element of F_q.
It follows from Theorem 1.15(v) that F_q contains φ(q − 1) primitive elements, where φ is Euler's function. The existence of primitive elements can be used to show a result that implies, in particular, that every finite field can be thought of as a simple algebraic extension of its prime subfield.

2.10. Theorem. Let F_q be a finite field and F_r a finite extension field. Then F_r is a simple algebraic extension of F_q and every primitive element of F_r can serve as a defining element of F_r over F_q.
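The proof of Theorem 2.8 is constructive, and the following added Python example (not from the book) carries it out for the prime field F_p, where field multiplication is integer multiplication modulo p: it assembles an element of order p − 1 from the prime-power factorization of p − 1 and counts the φ(p − 1) primitive elements of Definition 2.9. All function names are my own.

```python
"""Building a generator of F_p^* as in the proof of Theorem 2.8.

Added example, not from the book.  It works in the prime field F_p, so field
multiplication is integer multiplication modulo p; the same construction
applies to any F_q once multiplication in F_q is available.
"""
from math import gcd


def prime_factorization(h: int) -> dict:
    """Return {p_i: r_i} with h = prod p_i^{r_i} (trial division, fine for small h)."""
    factors, d = {}, 2
    while d * d <= h:
        while h % d == 0:
            factors[d] = factors.get(d, 0) + 1
            h //= d
        d += 1
    if h > 1:
        factors[h] = factors.get(h, 0) + 1
    return factors


def multiplicative_order(a: int, p: int) -> int:
    """Smallest n >= 1 with a^n = 1 in F_p; a must be nonzero mod p."""
    if a % p == 0:
        raise ValueError("0 has no multiplicative order")
    n, x = 1, a % p
    while x != 1:
        x = x * a % p
        n += 1
    return n


def generator_of_units(p: int) -> int:
    """Element of order h = p - 1 in F_p^*, built as in the proof of Theorem 2.8.

    For each prime power p_i^{r_i} exactly dividing h: pick a_i with
    a_i^{h/p_i} != 1 (such an a_i exists since x^{h/p_i} - 1 has at most
    h/p_i < h roots), set b_i = a_i^{h/p_i^{r_i}}, which then has order
    exactly p_i^{r_i}.  The product b = b_1 ... b_m has order h.
    """
    h = p - 1
    if h == 1:                      # F_2^* = {1}
        return 1
    b = 1
    for p_i, r_i in prime_factorization(h).items():
        a_i = next(a for a in range(1, p) if pow(a, h // p_i, p) != 1)
        b_i = pow(a_i, h // p_i ** r_i, p)
        assert multiplicative_order(b_i, p) == p_i ** r_i
        b = b * b_i % p
    return b


def primitive_elements(p: int) -> list:
    """All generators of F_p^* (Definition 2.9)."""
    return [a for a in range(1, p) if multiplicative_order(a, p) == p - 1]


def euler_phi(n: int) -> int:
    """Euler's function; Theorem 1.15(v) gives phi(p - 1) primitive elements."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)
```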
Proof. Let ζ be a primitive element of F_r. We clearly have F_q(ζ) ⊆ F_r. On the other hand, F_q(ζ) contains 0 and all powers of ζ, and so all elements of F_r. Therefore F_r = F_q(ζ). □

2.11. Corollary. For every finite field F_q and every positive integer n there exists an irreducible polynomial in F_q[x] of degree n.

Proof. Let F_r be the extension field of F_q of order q^n, so that [F_r : F_q] = n. By Theorem 2.10 we have F_r = F_q(ζ) for a primitive element ζ of F_r.
2. ROOTS OF IRREDUCIBLE POLYNOMIALS
In this section we collect some information about the set of roots of an irreducible polynomial over a finite field.

2.12. Lemma. Let f ∈ F_q[x] be an irreducible polynomial over a finite field F_q and let α be a root of f in an extension field of F_q. Then for a polynomial h ∈ F_q[x] we have h(α) = 0 if and only if f divides h.
Proof. Let a be the leading coefficient of f and set g(x) = a^{−1} f(x). Then g is a monic irreducible polynomial in F_q[x] with g(α) = 0 and so it is the minimal polynomial of α over F_q in the sense of Definition 1.81. The rest follows from Theorem 1.82(ii). □
2.13. Lemma. Let f ∈ F_q[x] be an irreducible polynomial over F_q of degree m. Then f(x) divides x^{q^n} − x if and only if m divides n.

Proof. Suppose f(x) divides x^{q^n} − x. Let α be a root of f in the splitting field of f over F_q. Then α^{q^n} = α, so that α ∈ F_{q^n}. It follows that F_q(α) is a subfield of F_{q^n}. But since [F_q(α) : F_q] = m and [F_{q^n} : F_q] = n, Theorem 1.84 shows that m divides n. Conversely, if m divides n, then Theorem 2.6 implies that F_{q^n} contains F_{q^m} as a subfield. If α is a root of f in the splitting field of f over F_q, then [F_q(α) : F_q] = m, and so F_q(α) = F_{q^m}. Consequently, we have α ∈ F_{q^n}, hence α^{q^n} = α, and thus α is a root of x^{q^n} − x ∈ F_q[x]. We infer then from Lemma 2.12 that f(x) divides x^{q^n} − x. □
2.14. Theorem. If f is an irreducible polynomial in F_q[x] of degree m, then f has a root α in F_{q^m}. Furthermore, all the roots of f are simple and are given by the m distinct elements α, α^q, α^{q^2}, ..., α^{q^{m−1}} of F_{q^m}.

Proof. Let α be a root of f in the splitting field of f over F_q. Then [F_q(α) : F_q] = m, hence F_q(α) = F_{q^m}, and in particular α ∈ F_{q^m}. Next we show that if β ∈ F_{q^m} is a root of f, then β^q is also a root of f. Write f(x) = a_m x^m + ··· + a_1 x + a_0 with a_i ∈ F_q for 0 ≤ i ≤ m. Then, using Lemma 2.3 and Theorem 1.46, we get
$$ f(\beta^q) = a_m \beta^{qm} + \cdots + a_1 \beta^q + a_0 = a_m^q \beta^{qm} + \cdots + a_1^q \beta^q + a_0^q = (a_m \beta^m + \cdots + a_1 \beta + a_0)^q = f(\beta)^q = 0. $$
Therefore, the elements α, α^q, α^{q^2}, ..., α^{q^{m−1}} are roots of f. It remains to prove that these elements are distinct. Suppose, on the contrary, that α^{q^j} = α^{q^k} for some integers j and k with 0 ≤ j < k ≤ m − 1. By raising this identity to the power q^{m−k}, we get
$$ \alpha^{q^{m-k+j}} = \alpha^{q^m} = \alpha. $$
It follows then from Lemma 2.12 that f(x) divides x^{q^{m−k+j}} − x. By Lemma 2.13, this is only possible if m divides m − k + j. But we have 0 < m − k + j < m, and so we arrive at a contradiction. □

2.15. Corollary. Let f be an irreducible polynomial in F_q[x] of degree m. Then the splitting field of f over F_q is given by F_{q^m}.

Proof. Theorem 2.14 shows that f splits in F_{q^m}. Furthermore, F_q(α, α^q, α^{q^2}, ..., α^{q^{m−1}}) = F_q(α) = F_{q^m} for a root α of f in F_{q^m}, where the second identity is taken from the proof of Theorem 2.14. □

2.16. Corollary. Any two irreducible polynomials in F_q[x] of the same degree have isomorphic splitting fields.
We introduce a convenient terminology for the elements appearing in Theorem 2.14, regardless of whether α ∈ F_{q^m} is a root of an irreducible polynomial in F_q[x] of degree m or not.

2.17. Definition. Let F_{q^m} be an extension of F_q and let α ∈ F_{q^m}. Then the elements α, α^q, α^{q^2}, ..., α^{q^{m−1}} are called the conjugates of α with respect to F_q.

The conjugates of α ∈ F_{q^m} with respect to F_q are distinct if and only if the minimal polynomial of α over F_q has degree m. Otherwise, the degree d of this minimal polynomial is a proper divisor of m, and then the conjugates of α with respect to F_q are the distinct elements α, α^q, ..., α^{q^{d−1}}, each repeated m/d times.
2.18. Theorem. The conjugates of α ∈ F_q^* with respect to any subfield of F_q have the same order in the group F_q^*.

Proof. Since F_q^* is a cyclic group by Theorem 2.8, the result follows from Theorem 1.15(ii) and the fact that every power of the characteristic of F_q is relatively prime to the order q − 1 of F_q^*. □

2.19. Corollary. If α is a primitive element of F_q, then so are all its conjugates with respect to any subfield of F_q.

2.20. Example. Let α ∈ F_16 be a root of f(x) = x^4 + x + 1 ∈ F_2[x]. Then the conjugates of α with respect to F_2 are α, α^2, α^4 = α + 1, and α^8 = α^2 + 1, each of them being a primitive element of F_16. The conjugates of α with respect to F_4 are α and α^4 = α + 1. □

There is an intimate relationship between conjugate elements and certain automorphisms of a finite field. Let F_{q^m} be an extension of F_q. By an automorphism
The mappings σ_0, σ_1, ..., σ_{m−1} are distinct since they attain distinct values for a primitive element of F_{q^m}. Now suppose that σ is an arbitrary automorphism of F_{q^m} over F_q. Let β be a primitive element of F_{q^m} and let f(x) = x^m + a_{m−1} x^{m−1} + ··· + a_0 ∈ F_q[x] be its minimal polynomial over F_q. Then
$$ 0 = \sigma(\beta^m + a_{m-1}\beta^{m-1} + \cdots + a_0) = \sigma(\beta)^m + a_{m-1}\sigma(\beta)^{m-1} + \cdots + a_0, $$
so that σ(β) is a root of f in F_{q^m}. It follows from Theorem 2.14 that σ(β) = β^{q^j} for some j, 0 ≤ j ≤ m − 1. Since σ is a homomorphism, we get then σ(α) = α^{q^j} for all α ∈ F_{q^m}. □
On the basis of Theorem 2.21 it is evident that the conjugates of α ∈ F_{q^m} with respect to F_q are obtained by applying all automorphisms of F_{q^m} over F_q to the element α. The automorphisms of F_{q^m} over F_q form a group with the operation being the usual composition of mappings. The information provided in Theorem 2.21 shows that this group of automorphisms of F_{q^m} over F_q is a cyclic group of order m generated by σ_1.
3. TRACES, NORMS, AND BASES
In this section we adopt again the viewpoint of regarding a finite extension F = F_{q^m} of the finite field K = F_q as a vector space over K (compare with Chapter 1, Section 4). Then F has dimension m over K, and if {α_1, ..., α_m} is a basis of F over K, each element α ∈ F can be uniquely represented in the form
$$ \alpha = c_1 \alpha_1 + \cdots + c_m \alpha_m \quad \text{with } c_j \in K \text{ for } 1 \le j \le m. $$
We introduce an important mapping from F to K which will turn out to be linear.
2.22. Definition. For α ∈ F = F_{q^m} and K = F_q, the trace Tr_{F/K}(α) of α over K is defined by
$$ \mathrm{Tr}_{F/K}(\alpha) = \alpha + \alpha^q + \cdots + \alpha^{q^{m-1}}. $$
If K is the prime subfield of F, then Tr_{F/K}(α) is called the absolute trace of α and simply denoted by Tr_F(α).
In other words, the trace of α over K is the sum of the conjugates of α with respect to K. Still another description of the trace may be obtained as follows. Let f ∈ K[x] be the minimal polynomial of α over K; its degree d is a divisor of m. Then g(x) = f(x)^{m/d} ∈ K[x] is called the characteristic polynomial of α over K. By Theorem 2.14, the roots of f in F are given by α, α^q, ..., α^{q^{d−1}}, and then a remark following Definition 2.17 implies that the roots of g in F are precisely the conjugates of α with respect to K. Hence
$$ g(x) = x^m + a_{m-1} x^{m-1} + \cdots + a_0 = (x - \alpha)(x - \alpha^q) \cdots (x - \alpha^{q^{m-1}}), \tag{2.1} $$
and a comparison of coefficients shows that
$$ \mathrm{Tr}_{F/K}(\alpha) = -a_{m-1}. \tag{2.2} $$
In particular, Tr_{F/K}(α) is always an element of K.
2.23. Theorem. Let K = F_q and F = F_{q^m}. Then the trace function Tr_{F/K} satisfies the following properties:
(i) Tr_{F/K}(α + β) = Tr_{F/K}(α) + Tr_{F/K}(β) for all α, β ∈ F;
(ii) Tr_{F/K}(cα) = c Tr_{F/K}(α) for all c ∈ K, α ∈ F;
(iii) Tr_{F/K} is a linear transformation from F onto K, where both F and K are viewed as vector spaces over K;
(iv) Tr_{F/K}(a) = ma for all a ∈ K;
(v) Tr_{F/K}(α^q) = Tr_{F/K}(α) for all α ∈ F.
Proof. (i) For α, β ∈ F we use Theorem 1.46 to get
$$ \mathrm{Tr}_{F/K}(\alpha + \beta) = \alpha + \beta + (\alpha + \beta)^q + \cdots + (\alpha + \beta)^{q^{m-1}} = \alpha + \beta + \alpha^q + \beta^q + \cdots + \alpha^{q^{m-1}} + \beta^{q^{m-1}} = \mathrm{Tr}_{F/K}(\alpha) + \mathrm{Tr}_{F/K}(\beta). $$
(ii) For c ∈ K we have c^{q^j} = c for all j ≥ 0 by Lemma 2.3. Therefore we obtain for α ∈ F,
$$ \mathrm{Tr}_{F/K}(c\alpha) = c\alpha + c^q \alpha^q + \cdots + c^{q^{m-1}} \alpha^{q^{m-1}} = c\alpha + c\alpha^q + \cdots + c\alpha^{q^{m-1}} = c\,\mathrm{Tr}_{F/K}(\alpha). $$
(iii) The properties (i) and (ii), together with the fact that Tr_{F/K}(α) ∈ K for all α ∈ F, show that Tr_{F/K} is a linear transformation from F into K. To prove that this mapping is onto, it suffices then to show the existence of an α ∈ F with Tr_{F/K}(α) ≠ 0. Now Tr_{F/K}(α) = 0 if and only if α is a root of the polynomial x^{q^{m−1}} + ··· + x^q + x ∈ K[x] in F. But since this polynomial can have at most q^{m−1} roots in F and F has q^m elements, we are done.
(iv) This follows immediately from the definition of the trace function and Lemma 2.3.
(v) For α ∈ F we have α^{q^m} = α by Lemma 2.3, and so Tr_{F/K}(α^q) = α^q + α^{q^2} + ··· + α^{q^m} = Tr_{F/K}(α). □
The trace function Tr_{F/K} is not only in itself a linear transformation from F onto K, but serves for a description of all linear transformations from F into K (or, in an equivalent terminology, of all linear functionals on F) that has the advantage of being independent of a chosen basis.

2.24. Theorem. Let F be a finite extension of the finite field K, both considered as vector spaces over K. Then the linear transformations from F into K are exactly the mappings L_β, β ∈ F, where L_β(α) = Tr_{F/K}(βα) for all α ∈ F. Furthermore, we have L_β ≠ L_γ whenever β and γ are distinct elements of F.

Proof. Each mapping L_β is a linear transformation from F into K by Theorem 2.23(iii). For β, γ ∈ F with β ≠ γ, we have L_β(α) − L_γ(α) = Tr_{F/K}(βα) − Tr_{F/K}(γα) = Tr_{F/K}((β − γ)α) ≠ 0 for suitable α ∈ F since Tr_{F/K} maps F onto K, and so the mappings L_β and L_γ are different. If K = F_q and F = F_{q^m}, then the mappings L_β yield q^m different linear transformations from F into K. On the other hand, every linear transformation from F into K can be obtained by assigning arbitrary elements of K to the m elements of a given basis of F over K. Since this can be done in q^m different ways, the mappings L_β already exhaust all possible linear transformations from F into K. □
2.25. Theorem. Let F be a finite extension of K = F_q. Then for α ∈ F we have Tr_{F/K}(α) = 0 if and only if α = β^q − β for some β ∈ F.

Proof. The sufficiency of the condition is obvious by Theorem 2.23(v). To prove the necessity, suppose α ∈ F = F_{q^m} with Tr_{F/K}(α) = 0 and let β be a root of x^q − x − α in some extension field of F. Then β^q − β = α and
$$ 0 = \mathrm{Tr}_{F/K}(\alpha) = (\beta^q - \beta) + (\beta^q - \beta)^q + \cdots + (\beta^q - \beta)^{q^{m-1}} = (\beta^q - \beta) + (\beta^{q^2} - \beta^q) + \cdots + (\beta^{q^m} - \beta^{q^{m-1}}) = \beta^{q^m} - \beta, $$
so that β ∈ F. □
In case a chain of extension fields is considered, the composition of trace functions proceeds according to a very simple rule.

2.26. Theorem (Transitivity of Trace). Let K be a finite field, let F be a finite extension of K and E a finite extension of F. Then
$$ \mathrm{Tr}_{E/K}(\alpha) = \mathrm{Tr}_{F/K}(\mathrm{Tr}_{E/F}(\alpha)) \quad \text{for all } \alpha \in E. $$
Proof. Let K = F_q, let [F : K] = m and [E : F] = n, so that [E : K] = mn by Theorem 1.84. Then for α ∈ E we have
$$ \mathrm{Tr}_{F/K}(\mathrm{Tr}_{E/F}(\alpha)) = \sum_{i=0}^{m-1} \mathrm{Tr}_{E/F}(\alpha)^{q^i} = \sum_{i=0}^{m-1} \Bigl( \sum_{j=0}^{n-1} \alpha^{q^{mj}} \Bigr)^{q^i} = \sum_{i=0}^{m-1} \sum_{j=0}^{n-1} \alpha^{q^{mj+i}} = \sum_{k=0}^{mn-1} \alpha^{q^k} = \mathrm{Tr}_{E/K}(\alpha). \qquad \square $$
Another interesting function from a finite field to a subfield is obtained by forming the product of the conjugates of an element of the field with respect to the subfield.

2.27. Definition. For α ∈ F = F_{q^m} and K = F_q, the norm N_{F/K}(α) of α over K is defined by
$$ \mathrm{N}_{F/K}(\alpha) = \alpha \cdot \alpha^q \cdots \alpha^{q^{m-1}} = \alpha^{(q^m - 1)/(q - 1)}. $$

By comparing the constant terms in (2.1), we see that N_{F/K}(α) can be read off from the characteristic polynomial g of α over K, namely,
$$ \mathrm{N}_{F/K}(\alpha) = (-1)^m a_0. \tag{2.3} $$
It follows, in particular, that N_{F/K}(α) is always an element of K.
2.28. Theorem. Let K = F_q and F = F_{q^m}. Then the norm function N_{F/K} satisfies the following properties:
(i) N_{F/K}(αβ) = N_{F/K}(α) N_{F/K}(β) for all α, β ∈ F;
(ii) N_{F/K} maps F onto K and F^* onto K^*;
(iii) N_{F/K}(a) = a^m for all a ∈ K;
(iv) N_{F/K}(α^q) = N_{F/K}(α) for all α ∈ F.

Proof. (i) follows immediately from the definition of the norm. We have already noted that N_{F/K} maps F into K. Since N_{F/K}(α) = 0 if and only if α = 0, N_{F/K} maps F^* into K^*. Property (i) shows that N_{F/K} is a group homomorphism between these multiplicative groups. Since the elements of the kernel of N_{F/K} are exactly the roots of the polynomial x^{(q^m − 1)/(q − 1)} − 1 ∈ K[x] in F, the order d of the kernel satisfies d ≤ (q^m − 1)/(q − 1). By Theorem 1.23, the image of N_{F/K} has order (q^m − 1)/d, which is ≥ q − 1. Therefore, N_{F/K} maps F^* onto K^* and so F onto K. Property (iii) follows from the definition of the norm and the fact that for a ∈ K the conjugates of a with respect to K are all equal to a. Finally, we have N_{F/K}(α^q) = N_{F/K}(α)^q = N_{F/K}(α) because of (i) and N_{F/K}(α) ∈ K, and so (iv) is shown. □
2.29. Theorem (Transitivity of Norm). Let K be a finite field, let F be a finite extension of K and E a finite extension of F. Then
$$ \mathrm{N}_{E/K}(\alpha) = \mathrm{N}_{F/K}(\mathrm{N}_{E/F}(\alpha)) \quad \text{for all } \alpha \in E. $$

Proof. With the same notation as in the proof of Theorem 2.26, we have for α ∈ E,
$$ \mathrm{N}_{F/K}(\mathrm{N}_{E/F}(\alpha)) = \mathrm{N}_{F/K}\bigl(\alpha^{(q^{mn}-1)/(q^m-1)}\bigr) = \bigl(\alpha^{(q^{mn}-1)/(q^m-1)}\bigr)^{(q^m-1)/(q-1)} = \alpha^{(q^{mn}-1)/(q-1)} = \mathrm{N}_{E/K}(\alpha). \qquad \square $$
If {α_1, ..., α_m} is a basis of the finite field F over a subfield K, the question arises as to the calculation of the coefficients c_j(α) ∈ K, 1 ≤ j ≤ m, in the unique representation
$$ \alpha = c_1(\alpha)\alpha_1 + \cdots + c_m(\alpha)\alpha_m \tag{2.4} $$
of an element α ∈ F. We note that c_j : α ↦ c_j(α) is a linear transformation from F into K, and thus, according to Theorem 2.24, there exists a β_j ∈ F such that c_j(α) = Tr_{F/K}(β_j α) for all α ∈ F. Putting α = α_i, 1 ≤ i ≤ m, we see that Tr_{F/K}(β_j α_i) = 0 for i ≠ j and 1 for i = j. Furthermore, {β_1, ..., β_m} is again a basis of F over K, for if d_1 β_1 + ··· + d_m β_m = 0 with d_i ∈ K for 1 ≤ i ≤ m, then by multiplying by a fixed α_i and applying the trace function Tr_{F/K}, one shows that d_i = 0.

2.30. Definition. Let K be a finite field and F a finite extension of K. Then two bases {α_1, ..., α_m} and {β_1, ..., β_m} of F over K are said to be dual (or complementary) bases if for 1 ≤ i, j ≤ m we have
$$ \mathrm{Tr}_{F/K}(\alpha_i \beta_j) = \begin{cases} 0 & \text{for } i \neq j, \\ 1 & \text{for } i = j. \end{cases} $$

In the discussion above we have shown that for any basis {α_1, ..., α_m} of F over K there exists a dual basis {β_1, ..., β_m}. The dual basis is, in fact, uniquely determined since its definition implies that the coefficients c_j(α), 1 ≤ j ≤ m, in (2.4) are given by c_j(α) = Tr_{F/K}(β_j α) for all α ∈ F, and by Theorem 2.24 the element β_j ∈ F is uniquely determined by the linear transformation c_j.
2.31. Example. Let α ∈ F_8 be a root of the irreducible polynomial x^3 + x^2 + 1 in F_2[x]. Then {α, α^2, 1 + α + α^2} is a basis of F_8 over F_2. One checks easily that its uniquely determined dual basis is again {α, α^2, 1 + α + α^2}. Such a basis that is its own dual basis is called a self-dual basis. The element α^5 ∈ F_8 can be uniquely represented in the form α^5 = c_1 α + c_2 α^2 + c_3(1 + α + α^2) with c_1, c_2, c_3 ∈ F_2, and the coefficients are given by
$$ c_1 = \mathrm{Tr}_{F_8}(\alpha \cdot \alpha^5) = 0, \quad c_2 = \mathrm{Tr}_{F_8}(\alpha^2 \cdot \alpha^5) = 1, \quad c_3 = \mathrm{Tr}_{F_8}((1 + \alpha + \alpha^2)\alpha^5) = 1, $$
so that α^5 = α^2 + (1 + α + α^2). □
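The following added Python example (not from the book) checks Example 2.20, Definition 2.22, Theorem 2.26 and Example 2.31 by direct computation in F_16 = F_2(α), α a root of x^4 + x + 1, and in F_8 = F_2(α), α a root of x^3 + x^2 + 1: conjugates, traces between subfields, and coordinates read off through a dual basis. Elements are encoded as the bit strings of their polynomial coefficients, and all function names are my own.

```python
"""Conjugates, traces and a self-dual (normal) basis in F_8 and F_16.
Added example, not from the book: an element of F_{2^m} = F_2[x]/(f) is a
Python int whose bit i is the coefficient of x^i, f stored the same way."""


def gf_mul(a: int, b: int, mod: int) -> int:
    """Product in F_2[x]/(mod); mod is irreducible of degree m."""
    m = mod.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:          # overflow into x^m: reduce using x^m = mod - x^m
            a ^= mod
    return r


def gf_pow(a: int, e: int, mod: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, mod)
        a = gf_mul(a, a, mod)
        e >>= 1
    return r


def conjugates(a: int, mod: int, sub: int = 1) -> list:
    """a, a^q, ..., a^{q^{m/sub - 1}} with q = 2^sub: the conjugates of a with
    respect to the subfield F_{2^sub} of F_{2^m} (Definition 2.17)."""
    m = mod.bit_length() - 1
    assert m % sub == 0
    return [gf_pow(a, 2 ** (sub * i), mod) for i in range(m // sub)]


def trace(a: int, mod: int, sub: int = 1, top: int = None) -> int:
    """Tr_{F/K}(a), F = F_{2^top} and K = F_{2^sub} viewed inside F_{2^m}:
    the sum of the conjugates of a w.r.t. K (Definition 2.22); top defaults to m."""
    m = mod.bit_length() - 1
    top = m if top is None else top
    assert m % top == 0 and top % sub == 0
    r = 0
    for i in range(top // sub):
        r ^= gf_pow(a, 2 ** (sub * i), mod)
    return r


def order(a: int, mod: int) -> int:
    """Multiplicative order of a nonzero element; a is primitive iff it is 2^m - 1."""
    assert a != 0
    n, x = 1, a
    while x != 1:
        x, n = gf_mul(x, a, mod), n + 1
    return n


def is_dual_pair(alphas: list, betas: list, mod: int) -> bool:
    """Definition 2.30: Tr(alpha_i beta_j) is 1 for i == j and 0 otherwise.
    The trace matrix is then the identity, so both lists are bases."""
    return all(trace(gf_mul(ai, bj, mod), mod) == int(i == j)
               for i, ai in enumerate(alphas) for j, bj in enumerate(betas))


def coordinates(a: int, alphas: list, betas: list, mod: int) -> list:
    """Coefficients of a in the basis alphas, read off through the dual basis
    betas as c_j = Tr(beta_j a) (the remark following Definition 2.30)."""
    assert is_dual_pair(alphas, betas, mod)
    return [trace(gf_mul(b, a, mod), mod) for b in betas]


# Example 2.20: F_16 = F_2(alpha), alpha a root of x^4 + x + 1.
MOD16, ALPHA16 = 0b10011, 0b10
# Example 2.31: F_8 = F_2(alpha), alpha a root of x^3 + x^2 + 1.
MOD8, ALPHA8 = 0b1101, 0b10


def example_2_20() -> tuple:
    """Conjugates of alpha w.r.t. F_2 and w.r.t. F_4 (the elements fixed by a -> a^4)."""
    return conjugates(ALPHA16, MOD16), conjugates(ALPHA16, MOD16, sub=2)


def example_2_31() -> tuple:
    """The basis {a, a^2, 1 + a + a^2} of F_8 is its own dual; recover alpha^5 in it."""
    a = ALPHA8
    basis = [a, gf_mul(a, a, MOD8), 0b111]
    a5 = gf_pow(a, 5, MOD8)
    coords = coordinates(a5, basis, basis, MOD8)
    rebuilt = 0
    for c, b in zip(coords, basis):
        if c:
            rebuilt ^= b
    return basis, a5, coords, rebuilt
```

Passing sub=2 to trace on F_16 gives Tr_{F_16/F_4}, and feeding that result back with top=2 gives Tr_{F_4/F_2}, so the composition can be compared with Tr_{F_16/F_2} directly (Theorem 2.26).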
The number of distinct bases of F over K is rather large (see Exercise 2.37), but there are two special types of bases of particular importance. The first is a polynomial basis {1, α, α^2, ..., α^{m−1}}, made up of the powers of a defining element α of F over K. The element α is often taken to be a primitive element of F (compare with Theorem 2.10). Another type of basis is a normal basis defined by a suitable element of F.

2.32. Definition. Let K = F_q and F = F_{q^m}. Then a basis of F over K of the form {α, α^q, ..., α^{q^{m−1}}}, consisting of a suitable element α ∈ F and its conjugates with respect to K, is called a normal basis of F over K.

The basis {α, α^2, 1 + α + α^2} of F_8 over F_2 discussed in Example 2.31 is a normal basis of F_8 over F_2 since 1 + α + α^2 = α^4. We shall show that a normal basis exists in the general case as well. The proof depends on two lemmas, one on a kind of linear independence property of certain group homomorphisms and one on linear operators.

2.33. Lemma (Artin Lemma). Let ψ_1, ..., ψ_m be distinct homomorphisms from a group G into the multiplicative group F^* of an arbitrary field F, and let a_1, ..., a_m be elements of F that are not all 0. Then for some g ∈ G we have
$$ a_1 \psi_1(g) + \cdots + a_m \psi_m(g) \neq 0. $$

Proof. We proceed by induction on m. The case m = 1 being trivial, we assume that m > 1 and that the statement is shown for any m − 1 distinct homomorphisms. Now, take ψ_1, ..., ψ_m and a_1, ..., a_m as in the lemma. If a_1 = 0, the induction hypothesis immediately yields the desired result. Thus let a_1 ≠ 0. Suppose we had
$$ a_1 \psi_1(g) + \cdots + a_m \psi_m(g) = 0 \quad \text{for all } g \in G. \tag{2.5} $$
Since ψ_1 ≠ ψ_m, there exists h ∈ G with ψ_1(h) ≠ ψ_m(h). Then, replacing g by hg in (2.5), we get
$$ a_1 \psi_1(h)\psi_1(g) + \cdots + a_m \psi_m(h)\psi_m(g) = 0 \quad \text{for all } g \in G. $$
After multiplication by ψ_m(h)^{−1} we obtain
$$ b_1 \psi_1(g) + \cdots + b_{m-1} \psi_{m-1}(g) + a_m \psi_m(g) = 0 \quad \text{for all } g \in G, $$
where b_i = a_i ψ_i(h) ψ_m(h)^{−1} for 1 ≤ i ≤ m − 1. By subtracting this identity from (2.5), we arrive at
$$ c_1 \psi_1(g) + \cdots + c_{m-1} \psi_{m-1}(g) = 0 \quad \text{for all } g \in G, $$
where c_i = a_i − b_i for 1 ≤ i ≤ m − 1. But c_1 = a_1 − a_1 ψ_1(h) ψ_m(h)^{−1} ≠ 0, and so we have a contradiction to the induction hypothesis. □
We recall a few concepts and facts from linear algebra. If T is a linear operator on the finite-dimensional vector space V over the (arbitrary) field K, then a polynomial f(x) = a_n x^n + ··· + a_1 x + a_0 ∈ K[x] is said to annihilate T if a_n T^n + ··· + a_1 T + a_0 I = 0, where I is the identity operator and 0 the zero operator on V. The uniquely determined monic polynomial of least positive degree with this property is called the minimal polynomial for T. It divides any other polynomial in K[x] annihilating T. In particular, the minimal polynomial for T divides the characteristic polynomial g(x) for T (Cayley–Hamilton theorem), which is given by g(x) = det(xI − T) and is a monic polynomial of degree equal to the dimension of V. A vector α ∈ V is called a cyclic vector for T if the vectors T^k α, k = 0, 1, ..., span V. The following is a standard result from linear algebra.
2.34. Lemma. Let T be a linear operator on the finite-dimensional vector space V. Then T has a cyclic vector if and only if the characteristic and minimal polynomials for T are identical.

2.35. Theorem (Normal Basis Theorem). For any finite field K and any finite extension F of K, there exists a normal basis of F over K.
Proof. Let $K = \mathbb{F}_q$ and $F = \mathbb{F}_{q^m}$ with $m \geq 2$. From Theorem 2.21 and the remarks following it, we know that the distinct automorphisms of $F$ over $K$ are given by $\varepsilon, \sigma, \sigma^2, \ldots, \sigma^{m-1}$, where $\varepsilon$ is the identity mapping on $F$, $\sigma(\alpha) = \alpha^q$ for $\alpha \in F$, and a power $\sigma^j$ refers to the $j$-fold composition of $\sigma$ with itself. Because of $\sigma(\alpha + \beta) = \sigma(\alpha) + \sigma(\beta)$ and $\sigma(c\alpha) = \sigma(c)\sigma(\alpha) = c\sigma(\alpha)$ for $\alpha, \beta \in F$ and $c \in K$, the mapping $\sigma$ may also be considered as a linear operator on the vector space $F$ over $K$. Since $\sigma^m = \varepsilon$, the polynomial $x^m - 1 \in K[x]$ annihilates $\sigma$. Lemma 2.33, applied to $\varepsilon, \sigma, \sigma^2, \ldots, \sigma^{m-1}$ viewed as endomorphisms of $F^*$, shows that no nonzero polynomial in $K[x]$ of degree less than $m$ annihilates $\sigma$. Consequently, $x^m - 1$ is the minimal polynomial for the linear operator $\sigma$. Since the characteristic polynomial for $\sigma$ is a monic polynomial of degree $m$ that is divisible by the minimal polynomial for $\sigma$, it follows that the characteristic polynomial for $\sigma$ is also given by $x^m - 1$. Lemma 2.34 implies then the existence of an element $\alpha \in F$ such that $\alpha, \sigma(\alpha), \sigma^2(\alpha), \ldots$ span $F$. By dropping repeated elements, we see that $\alpha, \sigma(\alpha), \sigma^2(\alpha), \ldots, \sigma^{m-1}(\alpha)$ span $F$ and thus form a basis of $F$ over $K$. Since this basis consists of $\alpha$ and its conjugates with respect to $K$, it is a normal basis of $F$ over $K$. □
An alternative proof of the normal basis theorem will be provided in Chapter 3, Section 4, by using so-called linearized polynomials. We introduce an expression that allows us to decide whether a given set of elements forms a basis of an extension field.

2.36. Definition. Let $K$ be a finite field and $F$ an extension of $K$ of degree $m$ over $K$. Then the discriminant $\Delta_{F/K}(\alpha_1, \ldots, \alpha_m)$ of the elements $\alpha_1, \ldots, \alpha_m \in F$ is defined by the determinant of order $m$ given by
$$\Delta_{F/K}(\alpha_1, \ldots, \alpha_m) = \begin{vmatrix} \mathrm{Tr}_{F/K}(\alpha_1\alpha_1) & \mathrm{Tr}_{F/K}(\alpha_1\alpha_2) & \cdots & \mathrm{Tr}_{F/K}(\alpha_1\alpha_m) \\ \mathrm{Tr}_{F/K}(\alpha_2\alpha_1) & \mathrm{Tr}_{F/K}(\alpha_2\alpha_2) & \cdots & \mathrm{Tr}_{F/K}(\alpha_2\alpha_m) \\ \vdots & \vdots & & \vdots \\ \mathrm{Tr}_{F/K}(\alpha_m\alpha_1) & \mathrm{Tr}_{F/K}(\alpha_m\alpha_2) & \cdots & \mathrm{Tr}_{F/K}(\alpha_m\alpha_m) \end{vmatrix}.$$

It follows from the definition that $\Delta_{F/K}(\alpha_1, \ldots, \alpha_m)$ is always an element of $K$. The following simple characterization of bases can now be given.

2.37. Theorem. Let $K$ be a finite field, $F$ an extension of $K$ of degree $m$ over $K$, and $\alpha_1, \ldots, \alpha_m \in F$. Then $\{\alpha_1, \ldots, \alpha_m\}$ is a basis of $F$ over $K$ if and only if $\Delta_{F/K}(\alpha_1, \ldots, \alpha_m) \neq 0$.

Proof. Let $\{\alpha_1, \ldots, \alpha_m\}$ be a basis of $F$ over $K$. We prove that $\Delta_{F/K}(\alpha_1, \ldots, \alpha_m) \neq 0$ by showing that the row vectors of the determinant defining $\Delta_{F/K}(\alpha_1, \ldots, \alpha_m)$ are linearly independent. For suppose that
$$c_1\mathrm{Tr}_{F/K}(\alpha_1\alpha_j) + \cdots + c_m\mathrm{Tr}_{F/K}(\alpha_m\alpha_j) = 0 \quad \text{for } 1 \leq j \leq m,$$
where $c_1, \ldots, c_m \in K$. Then with $\beta = c_1\alpha_1 + \cdots + c_m\alpha_m$ we get $\mathrm{Tr}_{F/K}(\beta\alpha_j) = 0$ for $1 \leq j \leq m$, and since $\alpha_1, \ldots, \alpha_m$ span $F$, it follows that $\mathrm{Tr}_{F/K}(\beta\alpha) = 0$ for all $\alpha \in F$. However, this is only possible if $\beta = 0$, and then $c_1\alpha_1 + \cdots + c_m\alpha_m = 0$ implies $c_1 = \cdots = c_m = 0$. Conversely, suppose that $\Delta_{F/K}(\alpha_1, \ldots, \alpha_m) \neq 0$ and $c_1\alpha_1 + \cdots + c_m\alpha_m = 0$ for some $c_1, \ldots, c_m \in K$. Then $c_1\alpha_1\alpha_j + \cdots + c_m\alpha_m\alpha_j = 0$ for $1 \leq j \leq m$, and by applying the trace function we get
$$c_1\mathrm{Tr}_{F/K}(\alpha_1\alpha_j) + \cdots + c_m\mathrm{Tr}_{F/K}(\alpha_m\alpha_j) = 0 \quad \text{for } 1 \leq j \leq m.$$
But since the row vectors of the determinant defining $\Delta_{F/K}(\alpha_1, \ldots, \alpha_m)$ are linearly independent, it follows that $c_1 = \cdots = c_m = 0$. Therefore, $\alpha_1, \ldots, \alpha_m$ are linearly independent over $K$. □
There is another determinant of order $m$ that serves the same purpose as the discriminant $\Delta_{F/K}(\alpha_1, \ldots, \alpha_m)$. The entries of this determinant are, however, elements of the extension field $F$. For $\alpha_1, \ldots, \alpha_m \in F$, let $A$ be the $m \times m$ matrix whose entry in the $i$th row and $j$th column is $\alpha_j^{q^{i-1}}$, where $q$ is the number of elements of $K$. If $A^T$ denotes the transpose of $A$, then a simple calculation shows that $A^TA = B$, where $B$ is the $m \times m$ matrix whose entry in the $i$th row and $j$th column is $\mathrm{Tr}_{F/K}(\alpha_i\alpha_j)$. By taking determinants, we obtain
$$\Delta_{F/K}(\alpha_1, \ldots, \alpha_m) = \det(A)^2.$$
The following result is now implied by Theorem 2.37.

2.38. Corollary. Let $\alpha_1, \ldots, \alpha_m \in \mathbb{F}_{q^m}$. Then $\{\alpha_1, \ldots, \alpha_m\}$ is a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ if and only if
$$\begin{vmatrix} \alpha_1 & \alpha_2 & \cdots & \alpha_m \\ \alpha_1^q & \alpha_2^q & \cdots & \alpha_m^q \\ \vdots & \vdots & & \vdots \\ \alpha_1^{q^{m-1}} & \alpha_2^{q^{m-1}} & \cdots & \alpha_m^{q^{m-1}} \end{vmatrix} \neq 0.$$
From the criterion above we are led to a relatively simple way of checking whether a given element gives rise to a normal basis.

2.39. Theorem. For $\alpha \in \mathbb{F}_{q^m}$, $\{\alpha, \alpha^q, \alpha^{q^2}, \ldots, \alpha^{q^{m-1}}\}$ is a normal basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ if and only if the polynomials $x^m - 1$ and $\alpha x^{m-1} + \alpha^q x^{m-2} + \cdots + \alpha^{q^{m-2}}x + \alpha^{q^{m-1}}$ in $\mathbb{F}_{q^m}[x]$ are relatively prime.

Proof. When $\alpha_1 = \alpha$, $\alpha_2 = \alpha^q$, $\ldots$, $\alpha_m = \alpha^{q^{m-1}}$, Corollary 2.38 becomes, after a suitable permutation of the rows, the condition that the determinant
$$\begin{vmatrix} \alpha & \alpha^q & \alpha^{q^2} & \cdots & \alpha^{q^{m-1}} \\ \alpha^{q^{m-1}} & \alpha & \alpha^q & \cdots & \alpha^{q^{m-2}} \\ \vdots & \vdots & \vdots & & \vdots \\ \alpha^q & \alpha^{q^2} & \alpha^{q^3} & \cdots & \alpha \end{vmatrix} \qquad (2.6)$$
is nonzero. Now consider the resultant $R(f, g)$ of the polynomials $f(x) = x^m - 1$ and $g(x) = \alpha x^{m-1} + \alpha^q x^{m-2} + \cdots + \alpha^{q^{m-2}}x + \alpha^{q^{m-1}}$ of formal degree $m$ resp. $m - 1$, which is given by a determinant of order $2m - 1$ in accordance with Definition 1.93. In this determinant, add the $(m+1)$st column to the first column, the $(m+2)$nd column to the second column, and so on, finally adding the $(2m-1)$st column to the $(m-1)$st column. The resulting determinant factorizes into the determinant of the diagonal matrix of order $m - 1$ with entries $-1$ along the main diagonal and the determinant in (2.6). Therefore, $R(f, g)$ is, apart from the sign, equal to the determinant in (2.6). The statement of the theorem follows then from Corollary 2.38 and the fact that $R(f, g) \neq 0$ if and only if $f$ and $g$ are relatively prime. □
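The two basis criteria above can be exercised directly. The following Python is an added editorial example and not code from the book: it models $\mathbb{F}_{p^m}$ as $\mathbb{F}_p[x]/(f)$ for a caller-supplied irreducible $f$ (elements are tuples of $m$ coefficients, lowest degree first), computes the discriminant of Definition 2.36, the conjugate determinant of Corollary 2.38, checks the identity $\Delta_{F/K} = \det(A)^2$ on concrete inputs, and enumerates the elements $\alpha$ whose conjugates form a normal basis (Theorem 2.35). The class and function names are ours; the polynomial $x^4 + x + 1$ used for $\mathbb{F}_{16}$ is our choice, not one the book uses here.

```python
"""Basis tests for F = F_{p^m} over K = F_p: discriminant (Definition 2.36,
Theorem 2.37), conjugate determinant (Corollary 2.38), Delta = det(A)^2,
and enumeration of normal elements.  Added example, not the book's code."""
from itertools import product


class GF:
    def __init__(self, p, f):
        # f: coefficients of a monic irreducible polynomial, lowest degree first
        self.p, self.f, self.m = p, f, len(f) - 1
        self.zero = self.el([0])
        self.one = self.el([1])

    def el(self, coeffs):
        c = list(coeffs) + [0] * self.m
        return tuple(x % self.p for x in c[:self.m])

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def sub(self, a, b):
        return tuple((x - y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        p, m, f = self.p, self.m, self.f
        prod = [0] * (2 * m - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % p
        for k in range(2 * m - 2, m - 1, -1):      # reduce x^k, k >= m, modulo f
            c = prod[k]
            if c:
                for i in range(m + 1):
                    prod[k - m + i] = (prod[k - m + i] - c * f[i]) % p
        return tuple(prod[:m])

    def pow(self, a, e):
        r, b = self.one, a
        while e:
            if e & 1:
                r = self.mul(r, b)
            b = self.mul(b, b)
            e >>= 1
        return r

    def inv(self, a):
        return self.pow(a, self.p ** self.m - 2)    # a^(q-1) = 1 for a != 0

    def frobenius_powers(self, a):
        """a, a^p, a^(p^2), ..., a^(p^(m-1)): the conjugates of a over F_p."""
        out, x = [], a
        for _ in range(self.m):
            out.append(x)
            x = self.pow(x, self.p)
        return out

    def trace(self, a):
        t = self.zero
        for c in self.frobenius_powers(a):
            t = self.add(t, c)
        return t            # lies in F_p: only the constant coefficient is nonzero

    def elements(self):
        return [tuple(c) for c in product(range(self.p), repeat=self.m)]

    def det(self, M):
        """Determinant of a matrix with entries in F, by Gaussian elimination."""
        M = [row[:] for row in M]
        n, d = len(M), self.one
        for c in range(n):
            piv = next((r for r in range(c, n) if M[r][c] != self.zero), None)
            if piv is None:
                return self.zero
            if piv != c:
                M[c], M[piv] = M[piv], M[c]
                d = self.sub(self.zero, d)           # a row swap flips the sign
            d = self.mul(d, M[c][c])
            inv = self.inv(M[c][c])
            for r in range(c + 1, n):
                t = self.mul(M[r][c], inv)
                M[r] = [self.sub(x, self.mul(t, y)) for x, y in zip(M[r], M[c])]
        return d


def discriminant(F, alphas):
    """Delta_{F/K}(alpha_1, ..., alpha_m) = det(Tr(alpha_i alpha_j))  (Definition 2.36)."""
    return F.det([[F.trace(F.mul(a, b)) for b in alphas] for a in alphas])


def conjugate_matrix_det(F, alphas):
    """det(A) with A_{ij} = alpha_j^(p^(i-1))  (Corollary 2.38)."""
    cols = [F.frobenius_powers(a) for a in alphas]   # cols[j][i] = alpha_j^(p^i)
    return F.det([[cols[j][i] for j in range(F.m)] for i in range(F.m)])


def is_basis(F, alphas):
    return len(alphas) == F.m and discriminant(F, alphas) != F.zero


def discriminant_identity_holds(F, alphas):
    """Delta_{F/K}(alphas) = det(A)^2, linking Theorem 2.37 and Corollary 2.38."""
    d = conjugate_matrix_det(F, alphas)
    return discriminant(F, alphas) == F.mul(d, d)


def normal_elements(F):
    """All alpha whose conjugates alpha, alpha^p, ... form a normal basis (Theorem 2.35)."""
    return [a for a in F.elements() if is_basis(F, F.frobenius_powers(a))]
```

With `GF(3, [1, 0, 1])` (that is, $\mathbb{F}_9 = \mathbb{F}_3(\alpha)$, $\alpha^2 + 1 = 0$) the normal elements are exactly the four $a + b\alpha$ with $ab \neq 0$, and $\Delta_{F/K}(1, \alpha) = 2 = \det(A)^2$ with $\det(A) = \alpha$. The trace entries are computed as field elements so the same `det` serves both determinants; the gcd criterion of Theorem 2.39 is equivalent to these tests but needs polynomial arithmetic over $F$ rather than over $K$, which is why the discriminant is the cheaper check in practice.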
In connection with the preceding discussion, we mention without proof the following refinement of the normal basis theorem.

2.40. Theorem. For any finite extension $F$ of a finite field $K$ there exists a normal basis of $F$ over $K$ that consists of primitive elements of $F$.

4. ROOTS OF UNITY AND CYCLOTOMIC POLYNOMIALS
In this section we investigate the splitting field of the polynomial $x^n - 1$ over an arbitrary field $K$, where $n$ is a positive integer. At the same time we obtain a generalization of the concept of a root of unity, well known for complex numbers.

2.41. Definition. Let $n$ be a positive integer. The splitting field of $x^n - 1$ over a field $K$ is called the $n$th cyclotomic field over $K$ and denoted by $K^{(n)}$. The roots of $x^n - 1$ in $K^{(n)}$ are called the $n$th roots of unity over $K$ and the set of all these roots is denoted by $E^{(n)}$.

A special case of this general definition is obtained if $K$ is the field of rational numbers. Then $K^{(n)}$ is a subfield of the field of complex numbers and the $n$th roots of unity have their known geometric interpretation as the vertices of a regular polygon with $n$ vertices on the unit circle in the complex plane. For our purposes, the most important case is that of a finite field $K$. The basic properties of roots of unity can, however, be established without using this restriction. The structure of $E^{(n)}$ is determined by the relation of $n$ to the characteristic of $K$, as the following theorem shows. When we refer to the characteristic $p$ of $K$ in this discussion, we permit the case $p = 0$ as well.
2.42. Theorem. Let $n$ be a positive integer and $K$ a field of characteristic $p$. Then:
(i) If $p$ does not divide $n$, then $E^{(n)}$ is a cyclic group of order $n$ with respect to multiplication in $K^{(n)}$.
(ii) If $p$ divides $n$, write $n = mp^e$ with positive integers $m$ and $e$ and $m$ not divisible by $p$. Then $K^{(n)} = K^{(m)}$, $E^{(n)} = E^{(m)}$, and the roots of $x^n - 1$ in $K^{(n)}$ are the $m$ elements of $E^{(m)}$, each attained with multiplicity $p^e$.

Proof. (i) The case $n = 1$ is trivial. For $n \geq 2$, $x^n - 1$ and its derivative $nx^{n-1}$ have no common roots, as $nx^{n-1}$ only has the root $0$ in $K^{(n)}$. Therefore, by Theorem 1.68, $x^n - 1$ cannot have multiple roots, and hence $E^{(n)}$ has $n$ elements. Now if $\zeta, \eta \in E^{(n)}$, then $(\zeta\eta^{-1})^n = \zeta^n(\eta^n)^{-1} = 1$, thus $\zeta\eta^{-1} \in E^{(n)}$. It follows that $E^{(n)}$ is a multiplicative group. Let $n = p_1^{e_1}p_2^{e_2}\cdots p_t^{e_t}$ be the prime factor decomposition of $n$. Then one shows by the same argument as in the proof of Theorem 2.8 that for each $i$, $1 \leq i \leq t$, there exists an element $\alpha_i \in E^{(n)}$ that is not a root of the polynomial $x^{n/p_i} - 1$, that $\beta_i = \alpha_i^{n/p_i^{e_i}}$ has order $p_i^{e_i}$, and that $E^{(n)}$ is a cyclic group with generator $\beta = \beta_1\beta_2\cdots\beta_t$.
(ii) This follows immediately from $x^n - 1 = x^{mp^e} - 1 = (x^m - 1)^{p^e}$ and part (i). □
2.43. Definition. Let $K$ be a field of characteristic $p$ and $n$ a positive integer not divisible by $p$. Then a generator of the cyclic group $E^{(n)}$ is called a primitive $n$th root of unity over $K$.

By Theorem 1.15(v) we know that under the conditions of Definition 2.43 there are exactly $\phi(n)$ different primitive $n$th roots of unity over $K$. If $\zeta$ is one of them, then all primitive $n$th roots of unity over $K$ are given by $\zeta^s$, where $1 \leq s \leq n$ and $\gcd(s, n) = 1$. The polynomial whose roots are precisely the primitive $n$th roots of unity over $K$ is of great interest.

2.44. Definition. Let $K$ be a field of characteristic $p$, $n$ a positive integer not divisible by $p$, and $\zeta$ a primitive $n$th root of unity over $K$. Then the polynomial
$$Q_n(x) = \prod_{\substack{s=1 \\ \gcd(s,n)=1}}^{n} (x - \zeta^s)$$
is called the $n$th cyclotomic polynomial over $K$.

The polynomial $Q_n(x)$ is clearly independent of the choice of $\zeta$. The degree of $Q_n(x)$ is $\phi(n)$ and its coefficients obviously belong to the $n$th cyclotomic field over $K$. A simple argument will show that they are actually contained in the prime subfield of $K$. We use the product symbol $\prod_{d \mid n}$ to denote a product extended over all positive divisors $d$ of a positive integer $n$.
2.45. Theorem. Let $K$ be a field of characteristic $p$ and $n$ a positive integer not divisible by $p$. Then:
(i) $x^n - 1 = \prod_{d \mid n} Q_d(x)$;
(ii) the coefficients of $Q_n(x)$ belong to the prime subfield of $K$, and to $\mathbb{Z}$ if the prime subfield of $K$ is the field of rational numbers.

Proof. (i) Each $n$th root of unity over $K$ is a primitive $d$th root of unity over $K$ for exactly one positive divisor $d$ of $n$. In detail, if $\zeta$ is a primitive $n$th root of unity over $K$ and $\zeta^s$ is an arbitrary $n$th root of unity over $K$, then $d = n/\gcd(s, n)$; that is, $d$ is the order of $\zeta^s$ in $E^{(n)}$. Since
$$x^n - 1 = \prod_{s=1}^{n} (x - \zeta^s),$$
the formula in (i) is obtained by collecting those factors $(x - \zeta^s)$ for which $\zeta^s$ is a primitive $d$th root of unity over $K$.
(ii) This is proved by induction on $n$. Note that $Q_n(x)$ is a monic polynomial. For $n = 1$ we have $Q_1(x) = x - 1$, and the claim is obviously valid. Now let $n > 1$ and suppose the proposition is true for all $Q_d(x)$ with $1 \leq d < n$.

2.46. Example. Let $r$ be a prime and $k \in \mathbb{N}$. Then
$$Q_{r^k}(x) = 1 + x^{r^{k-1}} + x^{2r^{k-1}} + \cdots + x^{(r-1)r^{k-1}}$$
by Theorem 2.45(i). For $k = 1$ we simply have $Q_r(x) = 1 + x + x^2 + \cdots + x^{r-1}$. □
An explicit expression for the $n$th cyclotomic polynomial generalizing the formula for $Q_{r^k}(x)$ in Example 2.46 will be given in Chapter 3, Section 2. For applications to finite fields it is useful to know some properties of cyclotomic fields.

2.47. Theorem. The cyclotomic field $K^{(n)}$ is a simple algebraic extension of $K$. Moreover:
(i) If $K = \mathbb{Q}$, then the cyclotomic polynomial $Q_n$ is irreducible over $K$ and $[K^{(n)} : K] = \phi(n)$.
(ii) If $K = \mathbb{F}_q$ with $\gcd(q, n) = 1$, then $Q_n$ factors into $\phi(n)/d$ distinct monic irreducible polynomials in $K[x]$ of the same degree $d$, $K^{(n)}$ is the splitting field of any such irreducible factor over $K$, and $[K^{(n)} : K] = d$, where $d$ is the least positive integer such that $q^d \equiv 1 \bmod n$.

Proof. If there exists a primitive $n$th root of unity $\zeta$ over $K$, it is clear that $K^{(n)} = K(\zeta)$. Otherwise, we have the situation described in Theorem 2.42(ii); then $K^{(n)} = K^{(m)}$ and the result follows again. As to the remaining statements, we prove only (ii), the important case for our purposes. Let $\eta$ be a primitive $n$th root of unity over $\mathbb{F}_q$. Then $\eta \in \mathbb{F}_{q^k}$ if and only if $\eta^{q^k} = \eta$, and the latter identity is equivalent to $q^k \equiv 1 \bmod n$. The smallest positive integer for which this holds is $k = d$, and so $\eta$ is in $\mathbb{F}_{q^d}$, but in no proper subfield thereof. Thus the minimal polynomial of $\eta$ over $\mathbb{F}_q$ has degree $d$, and since $\eta$ is an arbitrary root of $Q_n$, the desired results follow. □

2.48. Example. Let $K = \mathbb{F}_{11}$ and $Q_{12}(x) = x^4 - x^2 + 1 \in \mathbb{F}_{11}[x]$. In the notation of Theorem 2.47(ii) we have $d = 2$. In detail, $Q_{12}(x)$ factors in the form $Q_{12}(x) = (x^2 + 5x + 1)(x^2 - 5x + 1)$, with both factors being irreducible in $\mathbb{F}_{11}[x]$. The cyclotomic field $K^{(12)}$ is equal to $\mathbb{F}_{121}$. □

A further connection between cyclotomic fields and finite fields is given by the following theorem.

2.49. Theorem. The finite field $\mathbb{F}_q$ is the $(q-1)$st cyclotomic field over any one of its subfields.

Proof. The polynomial $x^{q-1} - 1$ splits in $\mathbb{F}_q$ since its roots are exactly all nonzero elements of $\mathbb{F}_q$. Obviously, the polynomial cannot split in any proper subfield of $\mathbb{F}_q$, so that $\mathbb{F}_q$ is the splitting field of $x^{q-1} - 1$ over any one of its subfields. □
Since $\mathbb{F}_q^*$ is a cyclic group of order $q - 1$ by Theorem 2.8, there will exist, for any positive divisor $n$ of $q - 1$, a cyclic subgroup $\{1, \alpha, \ldots, \alpha^{n-1}\}$ of $\mathbb{F}_q^*$ of order $n$ (see Theorem 1.15(iii)). All elements of this subgroup are $n$th roots of unity over any subfield of $\mathbb{F}_q$ and the generating element $\alpha$ is a primitive $n$th root of unity over any subfield of $\mathbb{F}_q$. We conclude this section with a lemma we shall need later on.

2.50. Lemma. If $d$ is a divisor of the positive integer $n$ with $1 \leq d < n$, then $Q_n(x)$ divides $(x^n - 1)/(x^d - 1)$ whenever $Q_n(x)$ is defined.

Proof. From Theorem 2.45(i) we know that $Q_n(x)$ divides
$$x^n - 1 = \frac{x^n - 1}{x^d - 1} \cdot (x^d - 1).$$
Since $d$ is a proper divisor of $n$, the polynomials $Q_n(x)$ and $x^d - 1$ have no common root, hence $\gcd(Q_n(x), x^d - 1) = 1$ and the proposition is true. □
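The results of this section can be checked mechanically. The Python below is an added editorial example, not code from the book: it computes $Q_n(x)$ over $\mathbb{Z}$ from Theorem 2.45(i) by dividing $x^n - 1$ by the $Q_d$ of the proper divisors $d$, predicts the factorization shape of Theorem 2.47(ii) from the order of $q$ modulo $n$, verifies the factorizations of Example 2.48 (and of $Q_8$ over $\mathbb{F}_3$ used in Example 2.52 below) by multiplying the claimed factors out modulo $p$, and checks the divisibility of Lemma 2.50 together with the inequality $Q_n(q) > q - 1$ on which the first proof of Wedderburn's theorem in Section 6 rests. Polynomials are coefficient lists, lowest degree first; all function names are ours.

```python
"""Cyclotomic polynomials over Z and their reduction modulo a prime, for
Theorem 2.45(i), Theorem 2.47(ii), Examples 2.48 and 2.52, and Lemma 2.50.
Added example, not code from the book."""
from math import gcd


def poly_mul(a, b, p=None):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return [c % p for c in out] if p else out


def poly_divmod(a, b):
    """Long division by a monic b; over Z the quotient stays integral."""
    a, q = a[:], [0] * (len(a) - len(b) + 1)
    for k in range(len(a) - len(b), -1, -1):
        c = a[k + len(b) - 1]                  # current leading coefficient
        q[k] = c
        for i, y in enumerate(b):
            a[k + i] -= c * y
    return q, a[:len(b) - 1]


def cyclotomic(n, _cache={}):
    """Q_n(x) over Z via x^n - 1 = prod_{d | n} Q_d(x)  (Theorem 2.45(i))."""
    if n not in _cache:
        num = [-1] + [0] * (n - 1) + [1]       # x^n - 1
        den = [1]
        for d in range(1, n):
            if n % d == 0:
                den = poly_mul(den, cyclotomic(d))
        q, r = poly_divmod(num, den)
        if any(r):
            raise ArithmeticError("division by the proper Q_d must be exact")
        _cache[n] = q
    return _cache[n]


def cyclotomic_value(n, q):
    """The integer Q_n(q)  (Theorem 2.45(ii))."""
    return sum(c * q ** i for i, c in enumerate(cyclotomic(n)))


def order_mod(q, n):
    """Least d >= 1 with q^d = 1 (mod n); requires gcd(q, n) = 1."""
    if gcd(q, n) != 1:
        raise ValueError("q must be prime to n")
    d, x = 1, q % n
    while x != 1 % n:
        x, d = x * q % n, d + 1
    return d


def factorization_shape(n, q):
    """Theorem 2.47(ii): over F_q, Q_n is a product of phi(n)/d distinct monic
    irreducibles of degree d = order_mod(q, n).  Returns (count, d)."""
    d = order_mod(q, n)
    phi = sum(1 for s in range(1, n + 1) if gcd(s, n) == 1)
    return phi // d, d


def factors_multiply_to_Qn(n, p, factors):
    """Check a claimed factorization of Q_n in F_p[x] by multiplying it out."""
    prod = [1]
    for g in factors:
        prod = poly_mul(prod, g, p)
    return prod == [c % p for c in cyclotomic(n)]


def lemma_2_50_holds(n, q):
    """Q_n(q) divides (q^n - 1)/(q^d - 1) for every divisor d of n with d < n."""
    Qn = cyclotomic_value(n, q)
    return all(((q ** n - 1) // (q ** d - 1)) % Qn == 0
               for d in range(1, n) if n % d == 0)


def exceeds_q_minus_1(n, q):
    """For n > 1 and q >= 2, Q_n(q) > q - 1, so Q_n(q) cannot divide q - 1
    (the contradiction reached in the first proof of Wedderburn's theorem)."""
    return cyclotomic_value(n, q) > q - 1
```

`factorization_shape(12, 11)` returns `(2, 2)`, matching Example 2.48, and `factors_multiply_to_Qn(12, 11, [[1, 5, 1], [1, -5, 1]])` confirms the stated factors; the function only checks that the product is right, irreducibility of each factor is the separate degree argument of Theorem 2.47(ii).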
5. REPRESENTATION OF ELEMENTS OF FINITE FIELDS

In this section we describe three different ways of representing the elements of a finite field $\mathbb{F}_q$ with $q = p^n$ elements, where $p$ is the characteristic of $\mathbb{F}_q$. The first method is based on principles expounded in Chapter 1, Section 4, and in the present chapter. We note that $\mathbb{F}_q$ is a simple algebraic extension of $\mathbb{F}_p$ by Theorem 2.10. In fact, if $f$ is an irreducible polynomial in $\mathbb{F}_p[x]$ of degree $n$, then $f$ has a root $\alpha$ in $\mathbb{F}_q$ according to Theorem 2.14, and so $\mathbb{F}_q = \mathbb{F}_p(\alpha)$. Then, by Theorem 1.86, every element of $\mathbb{F}_q$ can be uniquely expressed as a polynomial in $\alpha$ over $\mathbb{F}_p$ of degree less than $n$. We may also view $\mathbb{F}_q$ as the residue class ring $\mathbb{F}_p[x]/(f)$.

2.51. Example. To represent the elements of $\mathbb{F}_9$ in this way, we regard $\mathbb{F}_9$ as a simple algebraic extension of $\mathbb{F}_3$ of degree 2, which is obtained by adjunction of a root $\alpha$ of an irreducible quadratic polynomial over $\mathbb{F}_3$, say $f(x) = x^2 + 1 \in \mathbb{F}_3[x]$. Thus $f(\alpha) = \alpha^2 + 1 = 0$ in $\mathbb{F}_9$, and the nine elements of $\mathbb{F}_9$ are given in the form $a_0 + a_1\alpha$ with $a_0, a_1 \in \mathbb{F}_3$. In detail, $\mathbb{F}_9 = \{0, 1, 2, \alpha, 1 + \alpha, 2 + \alpha, 2\alpha, 1 + 2\alpha, 2 + 2\alpha\}$. The operation tables for $\mathbb{F}_9$ may be constructed as in Example 1.62, with $\alpha$ playing the role of the residue class $[x]$. □

If we use Theorems 2.47 and 2.49, we get another possibility of expressing the elements of $\mathbb{F}_q$. Since $\mathbb{F}_q$ is the $(q-1)$st cyclotomic field over $\mathbb{F}_p$, we can construct it by finding the decomposition of the $(q-1)$st cyclotomic polynomial $Q_{q-1} \in \mathbb{F}_p[x]$ into irreducible factors in $\mathbb{F}_p[x]$, which are all of the same degree. A root of any one of these factors is then a primitive $(q-1)$st root of unity over $\mathbb{F}_p$ and therefore a primitive element of $\mathbb{F}_q$. Thus, $\mathbb{F}_q$ consists of $0$ and appropriate powers of that primitive element.
2.52. Example. To apply this to the construction of $\mathbb{F}_9$, we note that $\mathbb{F}_9 = \mathbb{F}_3^{(8)}$, the eighth cyclotomic field over $\mathbb{F}_3$. Now $Q_8(x) = x^4 + 1 \in \mathbb{F}_3[x]$ by Example 2.46, and
$$Q_8(x) = (x^2 + x + 2)(x^2 + 2x + 2)$$
is the decomposition of $Q_8$ into irreducible factors in $\mathbb{F}_3[x]$. Let $\zeta$ be a root of $x^2 + x + 2$; then $\zeta$ is a primitive eighth root of unity over $\mathbb{F}_3$. Thus, all nonzero elements of $\mathbb{F}_9$ can be expressed as powers of $\zeta$, and so $\mathbb{F}_9 = \{0, 1, \zeta, \zeta^2, \zeta^3, \zeta^4, \zeta^5, \zeta^6, \zeta^7\}$. We may arrange the nonzero elements of $\mathbb{F}_9$ in a so-called index table, where we list the elements $\zeta^i$ according to their exponents $i$. In order to establish the connection with the representation in Example 2.51, we observe that $x^2 + x + 2 \in \mathbb{F}_3[x]$ has $\zeta = 1 + \alpha$ as a root, where $\alpha^2 + 1 = 0$ as in Example 2.51. Therefore, the index table for $\mathbb{F}_9$ may be written as follows:

| $i$ | $\zeta^i$ |
|---|---|
| 1 | $1 + \alpha$ |
| 2 | $2\alpha$ |
| 3 | $1 + 2\alpha$ |
| 4 | $2$ |
| 5 | $2 + 2\alpha$ |
| 6 | $\alpha$ |
| 7 | $2 + \alpha$ |
| 8 | $1$ |

We see that we obtain, of course, the same elements as in Example 2.51, just in a different order. □

A third possibility of representing the elements of $\mathbb{F}_q$ is given by means of matrices. In general, the companion matrix of a monic polynomial $f(x) = a_0 + a_1x + \cdots + a_{n-1}x^{n-1} + x^n$ of positive degree $n$ over a field is defined to be the $n \times n$ matrix
$$A = \begin{pmatrix} 0 & 0 & 0 & \cdots & 0 & -a_0 \\ 1 & 0 & 0 & \cdots & 0 & -a_1 \\ 0 & 1 & 0 & \cdots & 0 & -a_2 \\ \vdots & \vdots & \vdots & & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & 1 & -a_{n-1} \end{pmatrix}.$$
It is well known in linear algebra that $A$ satisfies the equation $f(A) = 0$; that is, $a_0I + a_1A + \cdots + a_{n-1}A^{n-1} + A^n = 0$, where $I$ is the $n \times n$ identity matrix.
Thus, if $A$ is the companion matrix of a monic irreducible polynomial $f$ over $\mathbb{F}_p$ of degree $n$, then $f(A) = 0$, and therefore $A$ can play the role of a root of $f$. The polynomials in $A$ over $\mathbb{F}_p$ of degree less than $n$ yield a representation of the elements of $\mathbb{F}_q$.

2.53. Example. As in Example 2.51, let $f(x) = x^2 + 1 \in \mathbb{F}_3[x]$. The companion matrix of $f$ is
$$A = \begin{pmatrix} 0 & 2 \\ 1 & 0 \end{pmatrix}.$$
The field $\mathbb{F}_9$ can then be represented in the form $\mathbb{F}_9 = \{0, I, 2I, A, I + A, 2I + A, 2A, I + 2A, 2I + 2A\}$. Explicitly:
$$0 = \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix}, \quad I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad 2I = \begin{pmatrix} 2 & 0 \\ 0 & 2 \end{pmatrix}, \quad A = \begin{pmatrix} 0 & 2 \\ 1 & 0 \end{pmatrix}, \quad I + A = \begin{pmatrix} 1 & 2 \\ 1 & 1 \end{pmatrix},$$
$$2I + A = \begin{pmatrix} 2 & 2 \\ 1 & 2 \end{pmatrix}, \quad 2A = \begin{pmatrix} 0 & 1 \\ 2 & 0 \end{pmatrix}, \quad I + 2A = \begin{pmatrix} 1 & 1 \\ 2 & 1 \end{pmatrix}, \quad 2I + 2A = \begin{pmatrix} 2 & 1 \\ 2 & 2 \end{pmatrix}.$$
With $\mathbb{F}_9$ given in this way, calculations in this finite field are then carried out by the usual rules of matrix algebra. For instance,
$$(2I + A)(I + 2A) = \begin{pmatrix} 2 & 2 \\ 1 & 2 \end{pmatrix}\begin{pmatrix} 1 & 1 \\ 2 & 1 \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 2 & 0 \end{pmatrix} = 2A. \quad □$$
In the same way, the method based on the factorization of the cyclotomic polynomial $Q_{q-1}$ in $\mathbb{F}_p[x]$ can be adapted to yield a representation of the elements of $\mathbb{F}_q$ in terms of matrices.

2.54. Example. As in Example 2.52, let $h(x) = x^2 + x + 2 \in \mathbb{F}_3[x]$ be an irreducible factor of the cyclotomic polynomial $Q_8 \in \mathbb{F}_3[x]$. The companion matrix of $h$ is
$$C = \begin{pmatrix} 0 & 1 \\ 1 & 2 \end{pmatrix}.$$
The field $\mathbb{F}_9$ can then be represented in the form $\mathbb{F}_9 = \{0, C, C^2, C^3, C^4, C^5, C^6, C^7, C^8\}$. Explicitly:
$$0 = \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix}, \quad C = \begin{pmatrix} 0 & 1 \\ 1 & 2 \end{pmatrix}, \quad C^2 = \begin{pmatrix} 1 & 2 \\ 2 & 2 \end{pmatrix}, \quad C^3 = \begin{pmatrix} 2 & 2 \\ 2 & 0 \end{pmatrix}, \quad C^4 = \begin{pmatrix} 2 & 0 \\ 0 & 2 \end{pmatrix},$$
$$C^5 = \begin{pmatrix} 0 & 2 \\ 2 & 1 \end{pmatrix}, \quad C^6 = \begin{pmatrix} 2 & 1 \\ 1 & 1 \end{pmatrix}, \quad C^7 = \begin{pmatrix} 1 & 1 \\ 1 & 0 \end{pmatrix}, \quad C^8 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$$
Calculations proceed by the rules of matrix algebra. For instance,
$$C^6 + C = \begin{pmatrix} 2 & 1 \\ 1 & 1 \end{pmatrix} + \begin{pmatrix} 0 & 1 \\ 1 & 2 \end{pmatrix} = \begin{pmatrix} 2 & 2 \\ 2 & 0 \end{pmatrix} = C^3. \quad □$$
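The three representations of $\mathbb{F}_9$ in Examples 2.51 to 2.54 are small enough to be checked in full. The following Python is an added editorial example and not code from the book: it implements arithmetic on $a_0 + a_1\alpha$ with $\alpha^2 = -1$, builds the index table of powers of $\zeta = 1 + \alpha$, constructs companion matrices in the form defined above, and verifies that the map $a_0 + a_1\alpha \mapsto a_0I + a_1A$ respects sums and products (which is what makes the matrix representation a copy of the field), together with the two worked matrix identities. Names such as `f9_mul`, `companion` and `to_matrix` are ours.

```python
"""F_9 = F_3(alpha), alpha^2 + 1 = 0, in the three representations of
Examples 2.51-2.54: pairs (a0, a1) for a0 + a1*alpha, powers of the
primitive element zeta = 1 + alpha, and 2 x 2 matrices over F_3.
Added example, not code from the book."""
P = 3


def f9_add(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)


def f9_mul(a, b):
    # (a0 + a1 alpha)(b0 + b1 alpha) with alpha^2 = -1
    return ((a[0] * b[0] - a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)


def f9_pow(a, e):
    r = (1, 0)
    for _ in range(e):
        r = f9_mul(r, a)
    return r


ZETA = (1, 1)                    # 1 + alpha, a root of x^2 + x + 2 (Example 2.52)
ELEMENTS = [(a0, a1) for a0 in range(P) for a1 in range(P)]


def index_table(zeta=ZETA):
    """Example 2.52: i -> zeta^i for i = 1, ..., 8."""
    return {i: f9_pow(zeta, i) for i in range(1, 9)}


def is_primitive(zeta):
    """zeta generates F_9^* iff its first eight powers are the eight nonzero elements."""
    return len(set(index_table(zeta).values())) == 8


def companion(f):
    """Companion matrix of monic f = f[0] + f[1] x + ... + x^n (f lists the
    coefficients below the leading 1): ones under the diagonal, -a_i last column."""
    n = len(f)
    A = [[0] * n for _ in range(n)]
    for i in range(1, n):
        A[i][i - 1] = 1
    for i in range(n):
        A[i][n - 1] = (-f[i]) % P
    return A


def mat_add(X, Y):
    return [[(x + y) % P for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def mat_mul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]


def mat_pow(X, e):
    R = [[int(i == j) for j in range(len(X))] for i in range(len(X))]
    for _ in range(e):
        R = mat_mul(R, X)
    return R


A = companion([1, 0])            # f(x) = x^2 + 1      (Example 2.53)
C = companion([2, 1])            # h(x) = x^2 + x + 2  (Example 2.54)
I2 = mat_pow(A, 0)


def to_matrix(a, M=A):
    """a0 + a1*alpha -> a0*I + a1*M; with M = A this is the map of Example 2.53."""
    return mat_add([[a[0] * x % P for x in row] for row in I2],
                   [[a[1] * x % P for x in row] for row in M])


def matrix_map_is_homomorphism(M=A):
    """True iff a0 + a1*alpha -> a0*I + a1*M preserves sums and products,
    i.e. iff M satisfies M^2 = -I like alpha does."""
    return all(to_matrix(f9_mul(a, b), M) == mat_mul(to_matrix(a, M), to_matrix(b, M))
               and to_matrix(f9_add(a, b), M) == mat_add(to_matrix(a, M), to_matrix(b, M))
               for a in ELEMENTS for b in ELEMENTS)


def example_2_53():
    """(2I + A)(I + 2A) = 2A."""
    return mat_mul(to_matrix((2, 1)), to_matrix((1, 2))) == to_matrix((0, 2))


def example_2_54():
    """C^8 = I, the powers C, ..., C^8 are distinct, and C^6 + C = C^3."""
    powers = [mat_pow(C, i) for i in range(1, 9)]
    distinct = len({tuple(map(tuple, X)) for X in powers}) == 8
    return powers[7] == I2 and distinct and mat_add(powers[5], powers[0]) == powers[2]
```

`matrix_map_is_homomorphism(C)` is `False`, since $C$ represents $\zeta$ rather than $\alpha$ ($C^2 \neq -I$); substituting $C^6$, the matrix of $\alpha = \zeta^6$ in the index table, gives `True`, which ties the two matrix representations together.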
6. WEDDERBURN'S THEOREM

(This section can be omitted without losing necessary information for the following chapters.)

All results for finite fields are at the same time also true for all finite division rings by a famous theorem due to Wedderburn. This theorem states that in a finite ring in which all the field properties except commutativity of multiplication are assumed (i.e., in a finite division ring), the multiplication must also be commutative. Basically, the first proof we present of the theorem considers a subring of the finite division ring that is a field and establishes a numerical relation between the multiplicative group of the field and the multiplicative group of the whole division ring. Using this relation and information about cyclotomic polynomials, one obtains a contradiction unless the field is all of the division ring.

Before we prove Wedderburn's theorem in detail, we mention some general principles that will be employed. Let $D$ be a division ring and $F$ a subring that is a field (later on, we will express this more briefly by saying that $F$ is a subfield of $D$). Then $D$ can be viewed as a (left) vector space over $F$ (compare with the discussion of the analogous situation for fields in Chapter 1, Section 4). If $F = \mathbb{F}_q$ and $D$ is of finite dimension $n$ over $\mathbb{F}_q$, then $D$ has $q^n$ elements. We shall write $D^*$ for the multiplicative group of nonzero elements of $D$. For a group $G$ and a nonempty subset $S$ of $G$, we defined the normalizer $N(S)$ of $S$ in $G$ in Definition 1.24. If $S$ is a singleton $\{b\}$, we may also refer to $N(\{b\})$ as the normalizer of the element $b$ in $G$. From Theorem 1.25 we infer that if $G$ is finite, then the number of elements in the conjugacy class of $b$ is given by $|G|/|N(\{b\})|$.

2.55. Theorem (Wedderburn's Theorem). Every finite division ring is a field.

First Proof. Let $D$ be a finite division ring and let $Z = \{z \in D : zd = dz \text{ for all } d \in D\}$ be the center of $D$. We omit the obvious verification that $Z$ is a field. Thus $Z = \mathbb{F}_q$ for some prime power $q$. Now $D$ is a vector space over $Z$ of finite dimension $n$, and so $D$ has $q^n$ elements. We shall show that $D = Z$, or, equivalently, that $n = 1$. Let us suppose, on the contrary, that $n > 1$. Now let $a \in D$ and define $N_a = \{b \in D : ab = ba\}$. Then $N_a$ is a division ring and $N_a$ contains $Z$. Thus $N_a$ has $q^r$ elements, where $1 \leq r \leq n$. We wish to show that $r$ divides $n$. Since $N_a^*$ is a subgroup of $D^*$, we know that $q^r - 1$ divides $q^n - 1$. If $n = rm + t$ with $0 \leq t < r$, then $q^n - 1 = q^{rm}q^t - 1 = q^t(q^{rm} - 1) + (q^t - 1)$. Now $q^r - 1$ divides $q^n - 1$ and also $q^{rm} - 1$, thus it follows that $q^r - 1$ divides $q^t - 1$. But $q^t - 1 < q^r - 1$, and so we must have $t = 0$. This implies that $r$ divides $n$. We consider now the class equation for the group $D^*$ (see Theorem 1.27). The center of $D^*$ is $Z^*$, which has order $q - 1$. For $a \in D^*$, the normalizer of $a$ in $D^*$ is exactly $N_a^*$. Therefore, a conjugacy class in $D^*$ containing more than one member has $(q^n - 1)/(q^r - 1)$ elements, where $r$ is a divisor of $n$ with $1 \leq r < n$. Hence the class equation becomes
$$q^n - 1 = q - 1 + \sum_{i=1}^{k} \frac{q^n - 1}{q^{r_i} - 1}, \qquad (2.7)$$
where $r_1, \ldots, r_k$ are (not necessarily distinct) divisors of $n$ with $1 \leq r_i < n$ for $1 \leq i \leq k$. Now let $Q_n$ be the $n$th cyclotomic polynomial over the field of rational numbers. Then $Q_n(q)$ is an integer by Theorem 2.45(ii). Furthermore, Lemma 2.50 implies that $Q_n(q)$ divides $(q^n - 1)/(q^{r_i} - 1)$ for $1 \leq i \leq k$. We conclude then from (2.7) that $Q_n(q)$ divides $q - 1$. However, this will lead to a contradiction. By definition, we have
$$Q_n(x) = \prod_{\substack{s=1 \\ \gcd(s,n)=1}}^{n} (x - \zeta^s),$$
where the complex number $\zeta$ is a primitive $n$th root of unity over the field of rationals. Therefore, as complex numbers,
$$|Q_n(q)| = \prod_{\substack{s=1 \\ \gcd(s,n)=1}}^{n} |q - \zeta^s| > \prod_{\substack{s=1 \\ \gcd(s,n)=1}}^{n} (q - 1) \geq q - 1$$
since $n > 1$ and $q \geq 2$. This inequality is incompatible with the statement that $Q_n(q)$ divides $q - 1$. Hence we must have $n = 1$ and $D = Z$, and the theorem is proved. □
Before we start with the second proof of Wedderburn's theorem, we establish some preparatory results. Let $D$ be a finite division ring with center $Z$, and let $F$ denote a maximal subfield of $D$; that is, $F$ is a subfield of $D$ such that the only subfield of $D$ containing $F$ is $F$ itself. Then $F$ is an extension of $Z$, for if there were an element $z \in Z$ with $z \notin F$, we could adjoin $z$ to $F$ and obtain a subfield of $D$ properly containing $F$. From Theorem 2.10 we know that $F = Z(\xi)$, where $\xi \in F^*$ is a root of a monic irreducible polynomial $f \in Z[x]$. If we view $D$ as a vector space over $F$, then for each $a \in D$ the assignment $T_a(d) = da$ for $d \in D$ defines a linear operator $T_a$ on this vector space. We consider now the linear operator $T_\xi$. If $d$ is an eigenvector of $T_\xi$, then for some $\lambda \in F^*$ we have $d\xi = \lambda d$. This implies $d\xi d^{-1} = \lambda$ and hence $dF^*d^{-1} = F^*$, thus $d \in N(F^*)$, the normalizer of $F^*$ in the group $D^*$. Conversely, if $d \in N(F^*)$, then $d\xi d^{-1} = \lambda$ for some $\lambda \in F^*$, and so $d$ is an eigenvector of $T_\xi$. This proves the following result.

2.56. Lemma. An element $d \in D^*$ is an eigenvector of $T_\xi$ if and only if $d \in N(F^*)$.

Let $\lambda$ be an eigenvalue of $T_\xi$ with eigenvector $d$; then $d\xi = \lambda d$. It follows that $df(\xi) = f(\lambda)d$, hence $\lambda$ must be a root of $f$. If $d_0$ is another eigenvector corresponding to the eigenvalue $\lambda$, then $d_0d^{-1}\lambda dd_0^{-1} = \lambda$, and so the element $b = d_0d^{-1}$ commutes with $\lambda$ and, consequently, with every element of $F = Z(\lambda)$. Let $P$ be the set of all polynomial expressions in $b$ with coefficients in $F$. Then it is easily checked that $P$ forms a finite integral domain, and so $P$ is a finite field by Theorem 1.31. But $P$ contains $F$, and thus $P = F$ by the maximality of $F$. In particular, we have $b \in F$, and since $d_0 = bd$, we conclude that every eigenspace of $T_\xi$ has dimension 1. We use now the following result from linear algebra.

2.57. Lemma. Let $T$ be a linear operator on the finite-dimensional vector space $V$ over the field $K$. Then $V$ has a basis consisting of eigenvectors of $T$ if and only if the minimal polynomial for $T$ splits in $K$ into distinct monic linear factors.

Since $f(\xi) = 0$, the polynomial $f$ annihilates the linear operator $T_\xi$. Furthermore, $f$ splits in $F$ into distinct monic linear factors by Theorem 2.14. The minimal polynomial for $T_\xi$ divides $f$, and so it also splits in $F$ into distinct monic linear factors. It follows then from Lemma 2.57 that $D$ has a basis as a vector space over $F$ consisting of eigenvectors of $T_\xi$. Since every eigenspace of $T_\xi$ has dimension 1, the dimension $m$ of $D$ over $F$ is equal to the number of distinct eigenvalues of $T_\xi$. Let $\xi = \xi_1, \xi_2, \ldots, \xi_m$ be the distinct eigenvalues of $T_\xi$ and let $1 = d_1, d_2, \ldots, d_m$ be corresponding eigenvectors. Because $N(F^*)$ is closed under multiplication, it follows from Lemma 2.56 that $d_id_j$ must correspond to an eigenvalue $\xi_k$, say, and hence $d_id_j\xi = \xi_kd_id_j$. Using $d_j\xi = \xi_jd_j$, we obtain $d_i\xi_j = \xi_kd_i$, or $d_i\xi_jd_i^{-1} = \xi_k$. This shows that for each $i$, $1 \leq i \leq m$, the mapping that takes $\xi_j$ to $d_i\xi_jd_i^{-1}$ permutes the eigenvalues among themselves. Consequently, the coefficients of $g(x) = (x - \xi_1)\cdots(x - \xi_m)$ commute with the eigenvectors $d_1, d_2, \ldots, d_m$ of $T_\xi$. Since the coefficients of $g$ obviously belong to $F$ and thus commute with all the elements of $F$, they commute with all the elements of $D$, since these can be written as linear combinations of $d_1, d_2, \ldots, d_m$ with coefficients in $F$. Thus the coefficients of $g$ are elements of the center $Z$ of $D$. Since $g(\xi) = 0$, Lemma 2.12 implies that $f$ divides $g$. On the other hand, we have already observed that every eigenvalue of $T_\xi$ must be a root of $f$, and so $f = g$. It follows that $[F : Z] = [Z(\xi) : Z] = \deg(f) = m$. Now $m$ is also the dimension of $D$ over $F$, and so the argument in the proof of Theorem 1.84 shows that $D$ is of dimension $m^2$ over $Z$. Since the latter dimension is independent of $F$, we conclude that every maximal subfield of $D$ has the same degree over $Z$. We state this result in the following equivalent form.

2.58. Lemma. All maximal subfields of $D$ have the same order.

Second Proof of Theorem 2.55. Let $D$ be a finite division ring, and let $Z$, $F = Z(\xi)$, and $f \in Z[x]$ be as above. Let $E$ be an arbitrary maximal subfield of $D$. Then, by Lemma 2.58, $E$ and $F$ have the same order, say $q$. In view of Lemma 2.4, both $E$ and $F$ are splitting fields of $x^q - x$ over $Z$. It follows then from Theorem 1.91 that there exists an isomorphism from $F$ onto $E$ that keeps the elements of $Z$ fixed. The image $\eta \in E^*$ of $\xi$ under this isomorphism is therefore a root of $f$ in $E$, and so $E = Z(\eta)$. Consider the linear operator $T_\eta$ on the vector space $D$ over $F$. Since $f(\eta) = 0$, the polynomial $f$ annihilates $T_\eta$. But $f$ splits in $F$, and so there exists a root $\lambda \in F$ of $f$ that is an eigenvalue of $T_\eta$. For a corresponding eigenvector $d$ we have then $d\eta = \lambda d$, and this implies $E^* = d^{-1}F^*d$. Thus, $E^*$ is a conjugate of the subgroup $F^*$ of $D^*$. For an arbitrary $c \in D^*$, the set of polynomial expressions in $c$ with coefficients in $Z$ forms a finite integral domain, and thus a finite field by Theorem 1.31. Hence, any element of $D^*$ is contained in some subfield of $D$, and so in some maximal subfield of $D$. From what we have already shown, it follows that any element of $D^*$ belongs to some conjugate of $F^*$. By Theorem 1.25, the number of distinct conjugates of $F^*$ is given by $|D^*|/|N(F^*)|$, and so it is at most $|D^*|/|F^*|$. Since each conjugate of $F^*$ contains the identity element of $D^*$, the union of the conjugates of $F^*$ has at most
$$\frac{|D^*|}{|F^*|}(|F^*| - 1) + 1 = |D^*| - \frac{|D^*|}{|F^*|} + 1$$
elements. This number is less than $|D^*|$ except when $D^* = F^*$. Hence $D = F$, and $D$ is a field. □
EXERCISES 2.1.
2.2.
2.3. 2.4. 2.5. 2.6. 2.7.
2.R.
2.9. 2.10. 2.11.
2.12. 2.13. 2.14.
2.15. 2.16.
Prove that x 2 + I is irreducible over IF; I and show directly that ~ "~I 'lI(x" I I) has 121 element>. Prove also that x' • x +4 is irreducible over 0: 11 and show that If "Ix \/( x' + I) is isomorphic to If:dxll(x' , x +4). Show that the :-.um of all dements of a finite field is 0, except for IF l . I.et U, be elements of 0: r. n odd. Sbow tbat u' - ab + h" ~ 0 implies a ,. h ~ O. Determine all primitive clements of IF 7' Determine all primitive clements of 1F]7' Determine all primitive clements of IF'!. Write all elements of IF 25 as linear comhinations of hasis clements over 0:,. Then find a primitive clement fJ of 0:" and determine for each 0: E IF Ii the least nonnegative integer II such that a = If the elements of arc represented as powers of a fixed primitive element h <: I' q' then addition in 0: q is facilitated by the introduction of Jarobi's !0l'.arirhm Un) defined by thc cquation I ~ b' ~ b l.",. where the case hn 1 is excluded. Show that we have then bill + hfl = h"" J (n- m) whenever I. is defined. Cot:\struct a tahle of Jacobi's logarithm for 0: 9 and 0: 17' Prove: for any field F. every finite subgroup of the multiplicative group F* is cyclic. Let F be any field. If F' is eyelie, show that F is finite. Prove: if F is a finite field. then H ~ {O} is a subfield of F for every subgroup 11 of the multiplicativc group P if and only if the order of r'" i~ either 1 or a prime number of the form 2 Jl - I with a prime p. For every finite field 0: q -of characteristic p, show that there exists exactly one pth root for each element of 0: q' For a finite field 0:, with q odd, show that an clement a E 0:; has a square root in IF q if and only if a('/ 11(2 = 1. Prove that for given k "N tbe element a is the k th power of Some element of IF II if and only if a( )/,1,. 1. where d = gcd( q. I. k ). Prove: every element of IF i~ the k th power of some clement of IF,{ if and only if gcd( q - I. k ) '.' I. 
0:, be such that the I.et k be a positive divisor of q - I and equation x A -=- a has no solution in IF- ". Prove that the same equation has a solution in 0: q"' if m is divisible by k. and that thc converse holds for a prime number k.
n
rr.
n=:
EO:;
a"
Strul.:lun: of Finite' fidds
70
2.17. 2.IR. 2.19. 2.20. 2.21.
2.22. 2.23.
2.24.
Prove that $f(x)^q = f(x^q)$ for $f \in \mathbb{F}_q[x]$.

Show that any quadratic polynomial in $\mathbb{F}_q[x]$ splits over $\mathbb{F}_{q^2}$ into linear factors.

Show that for $a \in \mathbb{F}_q$ and $n \in \mathbb{N}$ the polynomial $x^{q^n} - x + na$ is divisible by $x^q - x + a$ over $\mathbb{F}_q$.

Find all automorphisms of a finite field.

If $F$ is a field and $\psi: F \to F$ is the mapping defined by $\psi(a) = a^{-1}$ if $a \ne 0$, $\psi(a) = 0$ if $a = 0$, show that $\psi$ is an automorphism of $F$ if and only if $F$ has at most four elements.

Prove: if $p$ is a prime and $n$ a positive integer, then $n$ divides $\phi(p^n - 1)$. (Hint: Use Corollary 2.19.)

Let $\mathbb{F}_q$ be a finite field of characteristic $p$. Prove that $f \in \mathbb{F}_q[x]$ satisfies $f'(x) = 0$ if and only if $f$ is the $p$th power of some polynomial in $\mathbb{F}_q[x]$.

Let $F$ be a finite extension of the finite field $K$ with $[F:K] = m$ and let $f(x) = x^d + b_{d-1}x^{d-1} + \cdots + b_0 \in K[x]$ be the minimal polynomial of $\alpha \in F$ over $K$. Prove that $\mathrm{Tr}_{F/K}(\alpha) = -(m/d)\,b_{d-1}$ and $N_{F/K}(\alpha) = (-1)^m b_0^{m/d}$.

2.25. Let $F$ be a finite extension of the finite field $K$ and $\alpha \in F$. The mapping $L: \beta \in F \mapsto \alpha\beta \in F$ is a linear transformation of $F$, considered as a vector space over $K$. Prove that the characteristic polynomial $g(x)$ of $\alpha$ over $K$ is equal to the characteristic polynomial of the linear transformation $L$; that is, $g(x) = \det(xI - L)$, where $I$ is the identity transformation.

2.26. Consider the same situation as in Exercise 2.25. Prove that $\mathrm{Tr}_{F/K}(\alpha)$ is equal to the trace of the linear transformation $L$ and that $N_{F/K}(\alpha) = \det(L)$.

2.27. Prove properties (i) and (ii) of Theorem 2.23 by using the interpretation of $\mathrm{Tr}_{F/K}(\alpha)$ obtained in Exercise 2.26.

2.28. Prove properties (i) and (iii) of Theorem 2.28 by using the interpretation of $N_{F/K}(\alpha)$ obtained in Exercise 2.26.

2.29. Let $F$ be a finite extension of the finite field $K$ of characteristic $p$. Prove that $\mathrm{Tr}_{F/K}(\alpha^{p^n}) = \big(\mathrm{Tr}_{F/K}(\alpha)\big)^{p^n}$ for all $\alpha \in F$ and $n \in \mathbb{N}$.

2.30. Give an alternative proof of Theorem 2.25 by viewing $F$ as a vector space over $K$ and showing by dimension arguments that the kernel of the linear transformation $\mathrm{Tr}_{F/K}$ is equal to the range of the linear operator $L$ on $F$ defined by $L(\beta) = \beta^q - \beta$ for $\beta \in F$.

2.31. Give an alternative proof of the necessity of the condition in Theorem 2.25 by showing that if $\alpha \in F$ with $\mathrm{Tr}_{F/K}(\alpha) = 0$, $\gamma \in F$ with $\mathrm{Tr}_{F/K}(\gamma) = -1$, $[F:K] = m$, and $\delta_j = \alpha + \alpha^q + \cdots + \alpha^{q^j}$, then
$$\beta = \sum_{j=0}^{m-2} \delta_j \gamma^{q^j}$$
satisfies $\beta^q - \beta = \alpha$.
2.32. Let $F$ be a finite extension of $K = \mathbb{F}_q$ and $\alpha = \beta^q - \beta$ for some $\beta \in F$. Prove that $\alpha = \gamma^q - \gamma$ with $\gamma \in F$ if and only if $\beta - \gamma \in K$.

2.33. Let $F$ be a finite extension of $K = \mathbb{F}_q$. Prove that for $\alpha \in F$ we have $N_{F/K}(\alpha) = 1$ if and only if $\alpha = \beta^{q-1}$ for some $\beta \in F^*$.

2.34. Prove
$$\sum_{j=0}^{m-1} x^{q^j} - c = \prod (x - \alpha) \quad \text{for all } c \in K = \mathbb{F}_q,$$
where the product is extended over all $\alpha \in F = \mathbb{F}_{q^m}$ with $\mathrm{Tr}_{F/K}(\alpha) = c$.

2.35. Prove
$$x^{q^m} - x = \prod_{c \in \mathbb{F}_q} \Big( \sum_{j=0}^{m-1} x^{q^j} - c \Big) \quad \text{for any } m \in \mathbb{N}.$$

2.36. Consider $\mathbb{F}_{q^m}$ as a vector space over $\mathbb{F}_q$ and prove that for every linear operator $L$ on $\mathbb{F}_{q^m}$ there exists a uniquely determined $m$-tuple $(\alpha_0, \alpha_1, \ldots, \alpha_{m-1})$ of elements of $\mathbb{F}_{q^m}$ such that [the defining identity is illegible in this copy].

2.37. Prove that if the order of basis elements is taken into account, then the number of different bases of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ is
$$(q^m - 1)(q^m - q)(q^m - q^2) \cdots (q^m - q^{m-1}).$$

2.38. Prove: if $(\alpha_1, \ldots, \alpha_m)$ is a basis of $F = \mathbb{F}_{q^m}$ over $K = \mathbb{F}_q$, then $\mathrm{Tr}_{F/K}(\alpha_i) \ne 0$ for at least one $i$, $1 \le i \le m$.

2.39. Prove that there exists a normal basis $\{\alpha, \alpha^q, \ldots, \alpha^{q^{m-1}}\}$ of $F = \mathbb{F}_{q^m}$ over $K = \mathbb{F}_q$ with $\mathrm{Tr}_{F/K}(\alpha) = 1$.

2.40. Let $K$ be a finite field, $F = K(\alpha)$ a finite simple extension of degree $n$, and $f \in K[x]$ the minimal polynomial of $\alpha$ over $K$. Let
$$\frac{f(x)}{x - \alpha} = \beta_0 + \beta_1 x + \cdots + \beta_{n-1} x^{n-1} \in F[x] \quad \text{and} \quad \gamma = f'(\alpha).$$
Prove that the dual basis of $\{1, \alpha, \ldots, \alpha^{n-1}\}$ is $\{\beta_0 \gamma^{-1}, \beta_1 \gamma^{-1}, \ldots, \beta_{n-1} \gamma^{-1}\}$.

2.41. Show that there is a self-dual normal basis of $\mathbb{F}_4$ over $\mathbb{F}_2$, but no self-dual normal basis of $\mathbb{F}_{16}$ over $\mathbb{F}_2$ (see Example 2.31 for the definition of a self-dual basis).

2.42. Construct a self-dual basis of $\mathbb{F}_{16}$ over $\mathbb{F}_2$ (see Example 2.31 for the definition of a self-dual basis).

2.43. Prove that the dual basis of a normal basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ is again a normal basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$.

2.44. Let $F$ be an extension of the finite field $K$ with basis $\{\alpha_1, \ldots, \alpha_m\}$ over $K$. Let $\beta_1, \ldots, \beta_m \in F$ with $\beta_i = \sum_{j=1}^{m} b_{ij} \alpha_j$ for $1 \le i \le m$ and $b_{ij} \in K$. Let $B$ be the $m \times m$ matrix whose $(i, j)$ entry is $b_{ij}$. Prove that $\Delta_{F/K}(\beta_1, \ldots, \beta_m) = \det(B)^2\, \Delta_{F/K}(\alpha_1, \ldots, \alpha_m)$.
2.45. Let $K = \mathbb{F}_q$ and $F = \mathbb{F}_{q^m}$. Prove that for $\alpha \in F$ we have
$$\Delta_{F/K}(1, \alpha, \ldots, \alpha^{m-1}) = \prod_{0 \le j < i \le m-1} \big(\alpha^{q^i} - \alpha^{q^j}\big)^2.$$

2.46. Prove that for $\alpha \in F = \mathbb{F}_{q^m}$ with $m \ge 2$ and $K = \mathbb{F}_q$ the discriminant $\Delta_{F/K}(1, \alpha, \ldots, \alpha^{m-1})$ is equal to the discriminant of the characteristic polynomial of $\alpha$ over $K$.

2.47. Determine the primitive 4th and 8th roots of unity in $\mathbb{F}_9$.

2.48. Determine the primitive 9th roots of unity in $\mathbb{F}_{19}$.

2.49. Let $\zeta$ be an $n$th root of unity over a field $K$. Prove that $1 + \zeta + \zeta^2 + \cdots + \zeta^{n-1} = 0$ or $n$ according as $\zeta \ne 1$ or $\zeta = 1$.

2.50. For $n \ge 2$ let $\zeta_1, \ldots, \zeta_n$ be all the (not necessarily distinct) $n$th roots of unity over an arbitrary field $K$. Prove that $\zeta_1^k + \cdots + \zeta_n^k = n$ for $k = 0$ and $\zeta_1^k + \cdots + \zeta_n^k = 0$ for $k = 1, 2, \ldots, n-1$.

2.51. For an arbitrary field $K$ and an odd positive integer $n$, show that $K^{(2n)} = K^{(n)}$.

2.52. Let $K$ be an arbitrary field. Prove that the cyclotomic field $K^{(d)}$ is a subfield of $K^{(n)}$ for any positive divisor $d$ of $n \in \mathbb{N}$.

2.53. Determine the minimal polynomial over $K^{(4)}$ of a root of unity that can serve as a defining element of $K^{(12)}$ over $K^{(4)}$.

2.54. Prove that for $p$ prime the $p - 1$ primitive $p$th roots of unity over $\mathbb{Q}$ are linearly independent over $\mathbb{Q}$ and therefore form a basis of $\mathbb{Q}^{(p)}$ over $\mathbb{Q}$.

2.55. Let $K$ be an arbitrary field and $n \ge 2$. Prove that the polynomial $x^{n-1} + x^{n-2} + \cdots + x + 1$ is irreducible over $K$ only if $n$ is a prime number.

2.56. Find the least prime $p$ such that $x^n + x^{n-1} + \cdots + x + 1$ is irreducible over $\mathbb{F}_p$ [the degree $n$ is illegible in this copy].

2.57. Find the ten least primes $p$ such that $x^{p-1} + x^{p-2} + \cdots + x + 1$ is irreducible over $\mathbb{F}_2$.

Prove the following properties of cyclotomic polynomials over a field for which the polynomials exist:
(a) $Q_{mp}(x) = Q_m(x^p)/Q_m(x)$ if $p$ is prime and $m \in \mathbb{N}$ is not divisible by $p$;
(b) $Q_{mp}(x) = Q_m(x^p)$ for all $m \in \mathbb{N}$ divisible by the prime $p$;
(c) $Q_{mp^k}(x) = Q_{mp}(x^{p^{k-1}})$ if $p$ is a prime and $m, k \in \mathbb{N}$ are arbitrary;
(d) $Q_{2n}(x) = Q_n(-x)$ if $n \ge 3$ and $n$ odd;
(e) $Q_n(0) = 1$ if $n \ge 2$;
(f) $Q_n(x^{-1})\, x^{\phi(n)} = Q_n(x)$ if $n \ge 2$;
(g) $Q_n(1) = 0$ if $n = 1$, $Q_n(1) = p$ if $n$ is a power of the prime $p$, and $Q_n(1) = 1$ if $n$ has at least two distinct prime factors;
(h) $Q_n(-1) = 0$ if $n = 2$, $Q_n(-1) = -2$ if $n = 1$, $Q_n(-1) = p$ if $n$ is $2$ times a power of the prime $p$, and $Q_n(-1) = 1$ otherwise.

2.58. Give the matrix representation for the elements of $\mathbb{F}_8$ using the irreducible polynomial $x^3 + x + 1$ over $\mathbb{F}_2$.

2.59. Let $\zeta$ be a primitive element of $F = \mathbb{F}_{16}$ with $\zeta^4 + \zeta + 1 = 0$. For $k \ge 0$ write $\zeta^k = \sum_{m=0}^{3} a_{km} \zeta^m$ with $a_{km} \in \mathbb{F}_2$, and let $M_k$ be the $4 \times 4$ matrix whose $(i, j)$ entry is $a_{k+i-1,\, j-1}$. Show that the 15 matrices $M_k$, $0 \le k \le 14$, and the $4 \times 4$ zero matrix form a field (with respect to addition and matrix multiplication over $\mathbb{F}_2$) which is isomorphic to $F$. For $0 \le k \le 14$ prove that $\mathrm{Tr}_F(\zeta^k) = $ trace of $M_k = a_{k3}$.
Chapter 3
Polynomials over Finite Fields
The theory of polynomials over finite fields is important for investigating the algebraic structure of finite fields as well as for many applications. Above all, irreducible polynomials, the prime elements of the polynomial ring over a finite field, are indispensable for constructing finite fields and computing with the elements of a finite field.

Section 1 introduces the notion of the order of a polynomial. An important fact is the connection between minimal polynomials of primitive elements (so-called primitive polynomials) and polynomials of the highest possible order for a given degree. Results about irreducible polynomials going beyond those discussed in the previous chapters are presented in Section 2. The next section is devoted to constructive aspects of irreducibility and deals also with the problem of calculating the minimal polynomial of an element in an extension field. Certain special types of polynomials are discussed in the last two sections. Linearized polynomials are singled out by the property that all the exponents occurring in them are powers of the characteristic. The remarkable theory of these polynomials enables us, in particular, to give an alternative proof of the normal basis theorem. Binomials and trinomials, that is, two-term and three-term polynomials, form another class of polynomials for which special results of considerable interest can be established. We remark that another useful collection of polynomials, namely that of cyclotomic polynomials, was already considered in Chapter 2, Section 4, and that some additional information on cyclotomic polynomials is contained in Section 2 of the present chapter.
1. ORDER OF POLYNOMIALS AND PRIMITIVE POLYNOMIALS
Besides the degree, there is another important integer attached to a nonzero polynomial over a finite field, namely its order. The definition of the order of a polynomial is based on the following result.

3.1. Lemma. Let $f \in \mathbb{F}_q[x]$ be a polynomial of degree $m \ge 1$ with $f(0) \ne 0$. Then there exists a positive integer $e \le q^m - 1$ such that $f(x)$ divides $x^e - 1$.

Proof. The residue class ring $\mathbb{F}_q[x]/(f)$ contains $q^m - 1$ nonzero residue classes. The $q^m$ residue classes $x^j + (f)$, $j = 0, 1, \ldots, q^m - 1$, are all nonzero, and so there exist integers $r$ and $s$ with $0 \le r < s \le q^m - 1$ such that $x^s \equiv x^r \bmod f(x)$. Since $x$ and $f(x)$ are relatively prime, it follows that $x^{s-r} \equiv 1 \bmod f(x)$; that is, $f(x)$ divides $x^{s-r} - 1$ and $0 < s - r \le q^m - 1$. □

Since a nonzero constant polynomial divides $x - 1$, these polynomials can be included in the following definition.

3.2. Definition. Let $f \in \mathbb{F}_q[x]$ be a nonzero polynomial. If $f(0) \ne 0$, then the least positive integer $e$ for which $f(x)$ divides $x^e - 1$ is called the order of $f$ and denoted by $\mathrm{ord}(f) = \mathrm{ord}(f(x))$. If $f(0) = 0$, then $f(x) = x^h g(x)$, where $h \in \mathbb{N}$ and $g \in \mathbb{F}_q[x]$ with $g(0) \ne 0$ are uniquely determined; $\mathrm{ord}(f)$ is then defined to be $\mathrm{ord}(g)$.

The order of the polynomial $f$ is sometimes also called the period of $f$ or the exponent of $f$. The order of an irreducible polynomial $f$ can be characterized in the following alternative fashion.

3.3. Theorem. Let $f \in \mathbb{F}_q[x]$ be an irreducible polynomial over $\mathbb{F}_q$ of degree $m$ and with $f(0) \ne 0$. Then $\mathrm{ord}(f)$ is equal to the order of any root of $f$ in the multiplicative group $\mathbb{F}_{q^m}^*$.

Proof. According to Corollary 2.15, $\mathbb{F}_{q^m}$ is the splitting field of $f$ over $\mathbb{F}_q$. The roots of $f$ have the same order in the group $\mathbb{F}_{q^m}^*$ by Theorem 2.18. Let $\alpha \in \mathbb{F}_{q^m}^*$ be any root of $f$. Then we obtain from Lemma 2.12 that $\alpha^e = 1$ if and only if $f(x)$ divides $x^e - 1$. The result follows now from the definitions of $\mathrm{ord}(f)$ and of the order of $\alpha$ in the group $\mathbb{F}_{q^m}^*$. □

3.4. Corollary. If $f \in \mathbb{F}_q[x]$ is an irreducible polynomial over $\mathbb{F}_q$ of degree $m$, then $\mathrm{ord}(f)$ divides $q^m - 1$.

Proof. If $f(x) = cx$ with $c \in \mathbb{F}_q^*$, then $\mathrm{ord}(f) = 1$ and the result is trivial. Otherwise, the result follows from Theorem 3.3 and the fact that $\mathbb{F}_{q^m}^*$ is a group of order $q^m - 1$. □

For reducible polynomials the result of Corollary 3.4 need not be valid (see Example 3.10). There is another interpretation of $\mathrm{ord}(f)$ based on associating a square matrix to $f$ in a canonical fashion and considering the order of this matrix in a certain group of matrices (see Lemma 6.26). Theorem 3.3 leads to a formula for the number of monic irreducible polynomials of given degree and given order. We use again $\phi$ to denote Euler's function introduced in Theorem 1.15(iv). The following terminology will be convenient: if $n$ is a positive integer and the integer $b$ is relatively prime to $n$, then the least positive integer $k$ for which $b^k \equiv 1 \bmod n$ is called the multiplicative order of $b$ modulo $n$.
3.5. Theorem. The number of monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $m$ and order $e$ is equal to $\phi(e)/m$ if $e \ge 2$ and $m$ is the multiplicative order of $q$ modulo $e$, equal to $2$ if $m = e = 1$, and equal to $0$ in all other cases. In particular, the degree of an irreducible polynomial in $\mathbb{F}_q[x]$ of order $e$ must be equal to the multiplicative order of $q$ modulo $e$.

Proof. Let $f$ be an irreducible polynomial in $\mathbb{F}_q[x]$ with $f(0) \ne 0$. Then, according to Theorem 3.3, we have $\mathrm{ord}(f) = e$ if and only if all roots of $f$ are primitive $e$th roots of unity over $\mathbb{F}_q$. In other words, we have $\mathrm{ord}(f) = e$ if and only if $f$ divides the cyclotomic polynomial $Q_e$. By Theorem 2.47(ii), any monic irreducible factor of $Q_e$ has the same degree $m$, the least positive integer such that $q^m \equiv 1 \bmod e$, and the number of such factors is given by $\phi(e)/m$. For $m = e = 1$, we also have to take into account the monic irreducible polynomial $f(x) = x$. □

Values of $\mathrm{ord}(f)$ are available in tabulated form, at least for irreducible polynomials $f$ (see Chapter 10, Section 2). Since any polynomial of positive degree can be written as a product of irreducible polynomials, the computation of orders of polynomials can be achieved if one knows how to determine the order of a power of an irreducible polynomial and the order of the product of pairwise relatively prime polynomials. The subsequent discussion is devoted to these questions.
3.6. Lemma. Let $c$ be a positive integer. Then the polynomial $f \in \mathbb{F}_q[x]$ with $f(0) \ne 0$ divides $x^c - 1$ if and only if $\mathrm{ord}(f)$ divides $c$.

Proof. If $e = \mathrm{ord}(f)$ divides $c$, then $f(x)$ divides $x^e - 1$ and $x^e - 1$ divides $x^c - 1$, so that $f(x)$ divides $x^c - 1$. Conversely, if $f(x)$ divides $x^c - 1$, we have $c \ge e$, so that we can write $c = me + r$ with $m \in \mathbb{N}$ and $0 \le r < e$. Since $x^c - 1 = (x^{me} - 1)\,x^r + (x^r - 1)$, it follows that $f(x)$ divides $x^r - 1$, which is only possible for $r = 0$. Therefore, $e$ divides $c$. □
3.7. Corollary. If $e_1$ and $e_2$ are positive integers, then the greatest common divisor of $x^{e_1} - 1$ and $x^{e_2} - 1$ in $\mathbb{F}_q[x]$ is $x^d - 1$, where $d$ is the greatest common divisor of $e_1$ and $e_2$.

Proof. Let $f(x)$ be the (monic) greatest common divisor of $x^{e_1} - 1$ and $x^{e_2} - 1$. Since $x^d - 1$ is a common divisor of $x^{e_i} - 1$, $i = 1, 2$, it follows that $x^d - 1$ divides $f(x)$. On the other hand, $f(x)$ is a common divisor of $x^{e_i} - 1$, $i = 1, 2$, and so Lemma 3.6 implies that $\mathrm{ord}(f)$ divides $e_1$ and $e_2$. Consequently, $\mathrm{ord}(f)$ divides $d$, and hence $f(x)$ divides $x^d - 1$ by Lemma 3.6. Altogether, we have shown that $f(x) = x^d - 1$. □

Since powers of $x$ are factored out in advance when determining the order of a polynomial, we need only consider powers of the irreducible polynomials $g(x)$ with $g(0) \ne 0$.

3.8. Theorem. Let $g \in \mathbb{F}_q[x]$ be irreducible over $\mathbb{F}_q$ with $g(0) \ne 0$ and $\mathrm{ord}(g) = e$, and let $f = g^b$ with a positive integer $b$. Let $t$ be the smallest integer with $p^t \ge b$, where $p$ is the characteristic of $\mathbb{F}_q$. Then $\mathrm{ord}(f) = ep^t$.

Proof. Setting $c = \mathrm{ord}(f)$ and noting that the divisibility of $x^c - 1$ by $f(x)$ implies the divisibility of $x^c - 1$ by $g(x)$, we obtain that $e$ divides $c$ by Lemma 3.6. Furthermore, $g(x)$ divides $x^e - 1$; therefore, $f(x)$ divides $(x^e - 1)^b$ and, a fortiori, it divides $(x^e - 1)^{p^t} = x^{ep^t} - 1$. Thus according to Lemma 3.6, $c$ divides $ep^t$. It follows from what we have shown so far that $c$ is of the form $c = ep^u$ with $0 \le u \le t$. We note now that $x^e - 1$ has only simple roots, since $e$ is not a multiple of $p$ because of Corollary 3.4. Therefore, all the roots of $x^{ep^u} - 1 = (x^e - 1)^{p^u}$ have multiplicity $p^u$. But $g(x)^b$ divides $x^{ep^u} - 1$, whence $p^u \ge b$ by comparing multiplicities of roots, and so $u \ge t$. Thus we get $u = t$ and $c = ep^t$. □

3.9. Theorem. Let $g_1, \ldots, g_k$ be pairwise relatively prime nonzero polynomials over $\mathbb{F}_q$, and let $f = g_1 \cdots g_k$. Then $\mathrm{ord}(f)$ is equal to the least common multiple of $\mathrm{ord}(g_1), \ldots, \mathrm{ord}(g_k)$.

Proof. It is easily seen that it suffices to consider the case where $g_i(0) \ne 0$ for $1 \le i \le k$. Set $e = \mathrm{ord}(f)$ and $e_i = \mathrm{ord}(g_i)$ for $1 \le i \le k$, and let $c = \mathrm{lcm}(e_1, \ldots, e_k)$. Then each $e_i$, $1 \le i \le k$, divides $c$, and so $g_i(x)$ divides $x^c - 1$ by Lemma 3.6. Because of the pairwise relative primality of the polynomials $g_1, \ldots, g_k$, we obtain that $f(x)$ divides $x^c - 1$. An application of Lemma 3.6 shows that $e$ divides $c$. On the other hand, $f(x)$ divides $x^e - 1$, and so each $g_i(x)$, $1 \le i \le k$, divides $x^e - 1$. Again by Lemma 3.6, it follows that each $e_i$, $1 \le i \le k$, divides $e$, and therefore $c$ divides $e$. Thus we conclude that $e = c$. □

By using the same argument as above, one may, in fact, show that the order of the least common multiple of finitely many nonzero polynomials is equal to the least common multiple of the orders of the polynomials.
3.10. Example. Let us compute the order of $f(x) = x^{10} + x^9 + x^3 + x^2 + 1 \in \mathbb{F}_2[x]$. The canonical factorization of $f(x)$ over $\mathbb{F}_2$ is given by $f(x) = (x^2 + x + 1)^3 (x^4 + x + 1)$. Since $\mathrm{ord}(x^2 + x + 1) = 3$, we get $\mathrm{ord}((x^2 + x + 1)^3) = 12$ by Theorem 3.8. Furthermore, $\mathrm{ord}(x^4 + x + 1) = 15$, and so Theorem 3.9 implies that $\mathrm{ord}(f)$ is equal to the least common multiple of $12$ and $15$; that is, $\mathrm{ord}(f) = 60$. Note that $\mathrm{ord}(f)$ does not divide $2^{10} - 1$, which shows that Corollary 3.4 need not hold for reducible polynomials. □

On the basis of the information provided above, one arrives then at the following general formula for the order of a polynomial. It suffices to consider polynomials of positive degree and with nonzero constant term.

3.11. Theorem. Let $\mathbb{F}_q$ be a finite field of characteristic $p$, and let $f \in \mathbb{F}_q[x]$ be a polynomial of positive degree and with $f(0) \ne 0$. Let $f = a f_1^{b_1} \cdots f_k^{b_k}$, where $a \in \mathbb{F}_q$, $b_1, \ldots, b_k \in \mathbb{N}$, and $f_1, \ldots, f_k$ are distinct monic irreducible polynomials in $\mathbb{F}_q[x]$, be the canonical factorization of $f$ in $\mathbb{F}_q[x]$. Then $\mathrm{ord}(f) = ep^t$, where $e$ is the least common multiple of $\mathrm{ord}(f_1), \ldots, \mathrm{ord}(f_k)$ and $t$ is the smallest integer with $p^t \ge \max(b_1, \ldots, b_k)$.

A method of determining the order of an irreducible polynomial $f$ in $\mathbb{F}_q[x]$ with $f(0) \ne 0$ is based on the observation that the order $e$ of $f$ is the least positive integer such that $x^e \equiv 1 \bmod f(x)$. Furthermore, by Corollary 3.4, $e$ divides $q^m - 1$, where $m = \deg(f)$. Assuming $q^m > 2$, we start from the prime factor decomposition
$$q^m - 1 = \prod_{j=1}^{s} p_j^{r_j}$$
and, for $1 \le j \le s$, we calculate the residues of $x^{(q^m - 1)/p_j} \bmod f(x)$. This is accomplished by multiplying together a suitable combination of the residues of $x, x^q, x^{q^2}, \ldots, x^{q^{m-1}} \bmod f(x)$. If $x^{(q^m - 1)/p_j} \not\equiv 1 \bmod f(x)$, then $e$ is a multiple of $p_j^{r_j}$. If $x^{(q^m - 1)/p_j} \equiv 1 \bmod f(x)$, then $e$ is not a multiple of $p_j^{r_j}$. In the latter case we check to see whether $e$ is a multiple of $p_j^{r_j - 1}, p_j^{r_j - 2}, \ldots, p_j$ by calculating the residues of
$$x^{(q^m - 1)/p_j^2},\; x^{(q^m - 1)/p_j^3},\; \ldots,\; x^{(q^m - 1)/p_j^{r_j}} \bmod f(x).$$
This computation is repeated for each prime factor of $q^m - 1$.

A key step in the method above is the factorization of the integer $q^m - 1$. There exist extensive tables for the complete factorization of numbers of this form, especially for the case $q = 2$.

We compare now the orders of polynomials obtained from each other by simple algebraic transformations. The following is a typical example.

3.12. Definition. Let $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_0 \in \mathbb{F}_q[x]$ be a polynomial with $a_n \ne 0$. Then the reciprocal polynomial $f^*$ of $f$ is defined by
$$f^*(x) = x^n f\!\left(\frac{1}{x}\right) = a_0 x^n + a_1 x^{n-1} + \cdots + a_{n-1} x + a_n.$$

3.13. Theorem. Let $f$ be a nonzero polynomial in $\mathbb{F}_q[x]$ and $f^*$ its reciprocal polynomial. Then $\mathrm{ord}(f) = \mathrm{ord}(f^*)$.

Proof. First consider the case $f(0) \ne 0$. Then the result follows from the fact that $f(x)$ divides $x^e - 1$ if and only if $f^*(x)$ does. If $f(0) = 0$, write $f(x) = x^h g(x)$ with $h \in \mathbb{N}$ and $g \in \mathbb{F}_q[x]$ satisfying $g(0) \ne 0$. Then from what we have already shown it follows that $\mathrm{ord}(f) = \mathrm{ord}(g) = \mathrm{ord}(g^*) = \mathrm{ord}(f^*)$, where the last identity is valid since $g^* = f^*$. □
There is also a close relationship between the orders of $f(x)$ and $f(-x)$. Since $f(x) = f(-x)$ for a field of characteristic 2, it suffices to consider finite fields of odd characteristic.

3.14. Theorem. For odd $q$, let $f \in \mathbb{F}_q[x]$ be a polynomial of positive degree with $f(0) \ne 0$. Let $e$ and $E$ be the orders of $f(x)$ and $f(-x)$, respectively. Then $E = e$ if $e$ is a multiple of $4$ and $E = 2e$ if $e$ is odd. If $e$ is twice an odd number, then $E = e/2$ if all irreducible factors of $f$ have even order and $E = e$ otherwise.

Proof. Since $\mathrm{ord}(f(x)) = e$, $f(x)$ divides $x^{2e} - 1$, and so $f(-x)$ divides $(-x)^{2e} - 1 = x^{2e} - 1$. Thus $E$ divides $2e$ by Lemma 3.6. By the same argument, $e$ divides $2E$, and so $E$ can only be $2e$, $e$, or $e/2$. If $e$ is a multiple of $4$, then both $e$ and $E$ are even. Since $f(x)$ divides $x^e - 1$, $f(-x)$ divides $(-x)^e - 1 = x^e - 1$, and so $E$ divides $e$. Similarly, $e$ divides $E$, and thus it follows that $E = e$. If $e$ is odd, then $f(-x)$ divides $(-x)^e - 1 = -x^e - 1$ and so $x^e + 1$. But then $f(-x)$ cannot divide $x^e - 1$, and so we must have $E = 2e$.

In the remaining case we have $e = 2h$ with an odd integer $h$. Let $f$ be a power of an irreducible polynomial in $\mathbb{F}_q[x]$. Then $f(x)$ divides $(x^h - 1)(x^h + 1)$ and $f(x)$ does not divide $x^h - 1$ since $\mathrm{ord}(f) = 2h$. But $x^h - 1$ and $x^h + 1$ are relatively prime, and this implies that $f(x)$ divides $x^h + 1$. Consequently, $f(-x)$ divides $(-x)^h + 1 = -x^h + 1$ and so $x^h - 1$. It follows that $E = e/2$. Note that by Theorem 3.8 the power of an irreducible polynomial has even order if and only if the irreducible polynomial itself has even order. For general $f$ we have a factorization $f = g_1 \cdots g_k$, where each $g_i$ is a power of an irreducible polynomial and $g_1, \ldots, g_k$ are pairwise relatively prime. Furthermore, $2h = \mathrm{lcm}(\mathrm{ord}(g_1), \ldots, \mathrm{ord}(g_k))$ according to Theorem 3.9. We arrange the $g_i$ in such a way that $\mathrm{ord}(g_i) = 2h_i$ for $1 \le i \le m$ and $\mathrm{ord}(g_i) = h_i$ for $m + 1 \le i \le k$, where the $h_i$ are odd integers with $\mathrm{lcm}(h_1, \ldots, h_k) = h$. By what we have already shown, we get $\mathrm{ord}(g_i(-x)) = h_i$ for $1 \le i \le m$ and $\mathrm{ord}(g_i(-x)) = 2h_i$ for $m + 1 \le i \le k$. Then Theorem 3.9 yields
$$E = \mathrm{lcm}(h_1, \ldots, h_m, 2h_{m+1}, \ldots, 2h_k),$$
and so $E = h = e/2$ if $m = k$ and $E = 2h = e$ if $m < k$. These formulas are equivalent to those given in the last part of the theorem. □

It follows from Lemma 3.1 and Definition 3.2 that the order of a polynomial of degree $m \ge 1$ over $\mathbb{F}_q$ is at most $q^m - 1$. This bound is attained for an important class of polynomials, namely, so-called primitive polynomials. The definition of a primitive polynomial is based on the notion of primitive element introduced in Definition 2.9.
3.15. Definition. A polynomial $f \in \mathbb{F}_q[x]$ of degree $m \ge 1$ is called a primitive polynomial over $\mathbb{F}_q$ if it is the minimal polynomial over $\mathbb{F}_q$ of a primitive element of $\mathbb{F}_{q^m}$.

Thus, a primitive polynomial over $\mathbb{F}_q$ of degree $m$ may be described as a monic polynomial that is irreducible over $\mathbb{F}_q$ and has a root $\alpha \in \mathbb{F}_{q^m}$ that generates the multiplicative group of $\mathbb{F}_{q^m}$. Primitive polynomials can also be characterized as follows.

3.16. Theorem. A polynomial $f \in \mathbb{F}_q[x]$ of degree $m$ is a primitive polynomial over $\mathbb{F}_q$ if and only if $f$ is monic, $f(0) \ne 0$, and $\mathrm{ord}(f) = q^m - 1$.

Proof. If $f$ is primitive over $\mathbb{F}_q$, then $f$ is monic and $f(0) \ne 0$. Since $f$ is irreducible over $\mathbb{F}_q$ and has a root of order $q^m - 1$ in $\mathbb{F}_{q^m}^*$, Theorem 3.3 yields $\mathrm{ord}(f) = q^m - 1$. Conversely, suppose that $f$ is monic with $f(0) \ne 0$ and $\mathrm{ord}(f) = q^m - 1$; it remains to show that $f$ is irreducible over $\mathbb{F}_q$. Suppose $f$ were reducible. If $f = g^b$ with $g$ irreducible and $b \ge 2$, then $\mathrm{ord}(f)$ is divisible by the characteristic $p$ according to Theorem 3.8, whereas $q^m - 1$ is not. Otherwise $f = g_1 g_2$ with relatively prime polynomials $g_1, g_2$ of degrees $m_1, m_2 \ge 1$, $m_1 + m_2 = m$, and $g_i(0) \ne 0$; then $\mathrm{ord}(g_i) \le q^{m_i} - 1$ for $i = 1, 2$ by Lemma 3.1, hence by Theorem 3.9
$$\mathrm{ord}(f) = \mathrm{lcm}(\mathrm{ord}(g_1), \mathrm{ord}(g_2)) \le (q^{m_1} - 1)(q^{m_2} - 1) < q^m - 1,$$
a contradiction. Therefore, $f$ is irreducible over $\mathbb{F}_q$, and it follows then from Theorem 3.3 that $f$ is a primitive polynomial over $\mathbb{F}_q$. □

We remark that the condition $f(0) \ne 0$ in the theorem above is only needed to rule out the non-primitive polynomial $f(x) = x$ in case $q = 2$ and $m = 1$.
3.17. Lemma. Let $f \in \mathbb{F}_q[x]$ be a polynomial of positive degree with $f(0) \ne 0$. Let $r$ be the least positive integer for which $x^r$ is congruent $\bmod f(x)$ to some element of $\mathbb{F}_q$, so that $x^r \equiv a \bmod f(x)$ with a uniquely determined $a \in \mathbb{F}_q^*$. Then $\mathrm{ord}(f) = hr$, where $h$ is the order of $a$ in the multiplicative group $\mathbb{F}_q^*$.

Proof. Put $e = \mathrm{ord}(f)$. Since $x^e \equiv 1 \bmod f(x)$, we must have $e \ge r$. Thus we can write $e = sr + t$ with $s \in \mathbb{N}$ and $0 \le t < r$. Now
$$1 \equiv x^e = (x^r)^s x^t \equiv a^s x^t \bmod f(x), \tag{3.1}$$
thus $x^t \equiv a^{-s} \bmod f(x)$, and because of the definition of $r$ this is only possible if $t = 0$. The congruence (3.1) yields then $a^s \equiv 1 \bmod f(x)$, thus $a^s = 1$, and so $s \ge h$ and $e \ge hr$. On the other hand, $x^{hr} \equiv a^h = 1 \bmod f(x)$, and so $e = hr$. □

3.18. Theorem. The monic polynomial $f \in \mathbb{F}_q[x]$ of degree $m \ge 1$ is a primitive polynomial over $\mathbb{F}_q$ if and only if $(-1)^m f(0)$ is a primitive element of $\mathbb{F}_q$ and the least positive integer $r$ for which $x^r$ is congruent $\bmod f(x)$ to some element of $\mathbb{F}_q$ is $r = (q^m - 1)/(q - 1)$. In case $f$ is primitive over $\mathbb{F}_q$, we have $x^r \equiv (-1)^m f(0) \bmod f(x)$.
Proof. If $f$ is primitive over $\mathbb{F}_q$, then $f$ has a root $\alpha \in \mathbb{F}_{q^m}$ which is a primitive element of $\mathbb{F}_{q^m}$. By calculating the norm $N_{\mathbb{F}_{q^m}/\mathbb{F}_q}(\alpha)$ in two ways, as the product of the roots of $f$ and as $\alpha^{1 + q + \cdots + q^{m-1}}$, we obtain
$$(-1)^m f(0) = N_{\mathbb{F}_{q^m}/\mathbb{F}_q}(\alpha) = \alpha^{(q^m - 1)/(q - 1)}. \tag{3.2}$$
It follows that the order of $(-1)^m f(0)$ in $\mathbb{F}_q^*$ is $q - 1$; that is, $(-1)^m f(0)$ is a primitive element of $\mathbb{F}_q$. Since $f$ is the minimal polynomial of $\alpha$ over $\mathbb{F}_q$, the identity (3.2) implies that
$$x^{(q^m - 1)/(q - 1)} \equiv (-1)^m f(0) \bmod f(x),$$
and so $r \le (q^m - 1)/(q - 1)$. But Theorem 3.16 and Lemma 3.17 yield $q^m - 1 = \mathrm{ord}(f) \le (q - 1)r$, thus $r = (q^m - 1)/(q - 1)$.

Conversely, suppose the conditions of the theorem are satisfied. It follows from $r = (q^m - 1)/(q - 1)$ and Lemma 3.17 that $\mathrm{ord}(f)$ is relatively prime to $q$. Then Theorem 3.11 shows that $f$ has a factorization of the form $f = f_1 \cdots f_k$, where the $f_i$ are distinct monic irreducible polynomials over $\mathbb{F}_q$. If $m_i = \deg(f_i)$, then $\mathrm{ord}(f_i)$ divides $q^{m_i} - 1$ for $1 \le i \le k$ according to Corollary 3.4. Now $q^{m_i} - 1$ divides
$$d = \frac{(q^{m_1} - 1) \cdots (q^{m_k} - 1)}{q - 1},$$
thus $\mathrm{ord}(f_i)$ divides $d$ for $1 \le i \le k$. It follows from Lemma 3.6 that $f_i(x)$ divides $x^d - 1$ for $1 \le i \le k$, and so $f(x)$ divides $x^d - 1$. If $k \ge 2$, then
$$d < \frac{q^{m_1 + \cdots + m_k} - 1}{q - 1} = \frac{q^m - 1}{q - 1} = r,$$
a contradiction to the definition of $r$. Thus $k = 1$ and $f$ is irreducible over $\mathbb{F}_q$.

If $\beta \in \mathbb{F}_{q^m}$ is a root of $f$, then the argument leading to (3.2) shows that $\beta^r = (-1)^m f(0)$, and so $x^r \equiv (-1)^m f(0) \bmod f(x)$. Since the order of $(-1)^m f(0)$ in $\mathbb{F}_q^*$ is $q - 1$, it follows from Lemma 3.17 that $\mathrm{ord}(f) = q^m - 1$, so that $f$ is primitive over $\mathbb{F}_q$ by Theorem 3.16. □
3.19. Example. Consider the polynomial $f(x) = x^4 + x^3 + x^2 + 2x + 2 \in \mathbb{F}_3[x]$. Since $f$ is irreducible over $\mathbb{F}_3$, one can use the method outlined after Theorem 3.11 to show that $\mathrm{ord}(f) = 80 = 3^4 - 1$. Consequently, $f$ is primitive over $\mathbb{F}_3$ by Theorem 3.16. We have $x^{40} \equiv 2 \bmod f(x)$ in accordance with Theorem 3.18. □
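The order computations of this section are mechanical, and the following Python block is an added example, not code from the book. It represents elements of $\mathbb{F}_p[x]$ (prime $p$ only, for brevity) as coefficient lists, reduces modulo $f$, and implements the prime-factor method described after Theorem 3.11, the order found directly from Definition 3.2 (needed for a reducible $f$ such as that of Example 3.10, whose order 60 does not divide $2^{10}-1$), the primitivity criterion of Theorem 3.16, the constant-power test of Lemma 3.17 and Theorem 3.18, and the passage from $f(x)$ to $f(-x)$ in Theorem 3.14. The sample polynomials are those of Examples 3.10 and 3.19; the function names, the descending search in `order_irreducible`, and the use of trial division to factor $p^m - 1$ are this example's own choices. For an engineer, $\mathrm{ord}(f)$ is the largest period a linear feedback shift register with characteristic polynomial $f$ can attain, so a check like the one below is what one runs before trusting a feedback polynomial to be primitive.

```python
# Added example, not from the book: orders of polynomials over a prime field F_p.
# A polynomial is a list of coefficients in F_p, lowest degree first: [c0, c1, ..., cn].
# Function names and the search strategy are this example's own choices.

def trim(a):
    """Drop leading zeros so that len(a) - 1 is the degree; the zero polynomial is [0]."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[i + j] = (out[i + j] + ai * bj) % p
    return trim(out)

def poly_mod(a, f, p):
    """Remainder of a on division by f (deg f >= 1, leading coefficient nonzero)."""
    a, n = list(a), len(f) - 1
    inv = pow(f[-1], -1, p)               # inverse of the leading coefficient of f
    for i in range(len(a) - 1, n - 1, -1):
        c = a[i] * inv % p
        if c:
            for j in range(n + 1):        # subtract c * x^(i-n) * f(x)
                a[i - n + j] = (a[i - n + j] - c * f[j]) % p
    return trim(a[:n])

def x_pow_mod(e, f, p):
    """x^e mod f by square-and-multiply: the residues x^((p^m-1)/p_j) of the method
    after Theorem 3.11 are obtained without ever writing down x^e."""
    result, base = [1], [0, 1]
    while e:
        if e & 1:
            result = poly_mod(poly_mul(result, base, p), f, p)
        base = poly_mod(poly_mul(base, base, p), f, p)
        e >>= 1
    return result

def prime_factors(n):
    """Distinct prime divisors of n by trial division (enough for the sizes used here)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + [n] if n > 1 else out

def order_irreducible(f, p):
    """ord(f) for f irreducible with f(0) != 0.  Corollary 3.4: ord(f) | p^m - 1, so start
    at e = p^m - 1 and, for each prime r | e, divide e by r while x^(e/r) is still 1 mod f."""
    e = p ** (len(f) - 1) - 1
    for r in prime_factors(e):
        while e % r == 0 and x_pow_mod(e // r, f, p) == [1]:
            e //= r
    return e

def order_by_definition(f, p):
    """Definition 3.2 directly: least e >= 1 with x^e = 1 mod f, bounded by p^m - 1
    (Lemma 3.1).  Needed for reducible f, where ord(f) need not divide p^m - 1."""
    cur = [1]
    for e in range(1, p ** (len(f) - 1)):
        cur = poly_mod(poly_mul(cur, [0, 1], p), f, p)
        if cur == [1]:
            return e
    raise ValueError("x^e is never 1 mod f: f(0) must be nonzero")

def is_primitive(f, p):
    """Theorem 3.16: f monic, f(0) != 0, ord(f) = p^m - 1.  The last condition holds iff
    x^(p^m-1) = 1 mod f and x^((p^m-1)/r) != 1 mod f for every prime r | p^m - 1."""
    n = p ** (len(f) - 1) - 1
    if f[-1] != 1 or f[0] == 0 or x_pow_mod(n, f, p) != [1]:
        return False
    return all(x_pow_mod(n // r, f, p) != [1] for r in prime_factors(n))

def first_constant_power(f, p):
    """Lemma 3.17 / Theorem 3.18: least r >= 1 with x^r congruent mod f to a constant a,
    returned as (r, a).  Primitive f of degree m gives r = (p^m-1)/(p-1), a = (-1)^m f(0)."""
    cur = [1]
    for r in range(1, p ** (len(f) - 1)):
        cur = poly_mod(poly_mul(cur, [0, 1], p), f, p)
        if len(cur) == 1:
            return r, cur[0]
    raise ValueError("no constant power: f(0) must be nonzero")

def substitute_minus_x(f, p):
    """f(-x): negate the odd-degree coefficients (Theorem 3.14)."""
    return [(-c) % p if i % 2 else c for i, c in enumerate(f)]

# Constructed sample inputs, taken from Examples 3.10 and 3.19.
F_EX_3_10 = [1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1]   # x^10 + x^9 + x^3 + x^2 + 1 over F_2
F_EX_3_19 = [2, 2, 1, 1, 1]                     # x^4 + x^3 + x^2 + 2x + 2 over F_3

if __name__ == "__main__":
    print(order_by_definition(F_EX_3_10, 2), is_primitive(F_EX_3_10, 2))   # 60 False
    print(order_irreducible(F_EX_3_19, 3), is_primitive(F_EX_3_19, 3))     # 80 True
    print(first_constant_power(F_EX_3_19, 3))                             # (40, 2)
```

`order_irreducible` is only valid for irreducible $f$ (it relies on Corollary 3.4), whereas `order_by_definition` and `is_primitive` make no such assumption: on the Example 3.10 polynomial the former reports 60 and the latter returns `False` because $x^{1023} \not\equiv 1 \bmod f(x)$. For the Example 3.19 polynomial, $x^{40} \equiv 2$ is exactly $r = (3^4-1)/(3-1) = 40$ and $a = (-1)^4 f(0) = 2$ of Theorem 3.18, and $f(-x)$ has the same order 80 because $4 \mid 80$, as Theorem 3.14 predicts.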
2. IRREDUCIBLE POLYNOMIALS
We recall that a polynomial $f \in \mathbb{F}_q[x]$ is irreducible over $\mathbb{F}_q$ if $f$ has positive degree and every factorization of $f$ in $\mathbb{F}_q[x]$ must involve a constant polynomial (see Definition 1.57). Elementary properties of irreducible polynomials over $\mathbb{F}_q$ were discussed in Chapter 2, Section 2.

3.20. Theorem. For every finite field $\mathbb{F}_q$ and every $n \in \mathbb{N}$, the product of all monic irreducible polynomials over $\mathbb{F}_q$ whose degrees divide $n$ is equal to $x^{q^n} - x$.

Proof. According to Lemma 2.13, the monic irreducible polynomials over $\mathbb{F}_q$ occurring in the canonical factorization of $g(x) = x^{q^n} - x$ in $\mathbb{F}_q[x]$ are precisely those whose degrees divide $n$. Since $g'(x) = -1$, Theorem 1.68 implies that $g$ has no multiple roots in its splitting field over $\mathbb{F}_q$, and so each monic irreducible polynomial over $\mathbb{F}_q$ whose degree divides $n$ occurs exactly once in the canonical factorization of $g$ in $\mathbb{F}_q[x]$. □

3.21. Corollary. If $N_q(d)$ is the number of monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $d$, then
$$q^n = \sum_{d \mid n} d\, N_q(d) \quad \text{for all } n \in \mathbb{N}, \tag{3.3}$$
where the sum is extended over all positive divisors $d$ of $n$.

Proof. The identity (3.3) follows from Theorem 3.20 by comparing the degree of $g(x) = x^{q^n} - x$ with the total degree of the canonical factorization of $g(x)$. □

With a little elementary number theory we can derive from (3.3) an explicit formula for the number of monic irreducible polynomials in $\mathbb{F}_q[x]$ of fixed degree. We need an arithmetic function, called the Moebius function, which is defined as follows.
3.22. Definition. The Moebius function $\mu$ is the function on $\mathbb{N}$ defined by
$$\mu(n) = \begin{cases} 1 & \text{if } n = 1, \\ (-1)^k & \text{if } n \text{ is the product of } k \text{ distinct primes}, \\ 0 & \text{if } n \text{ is divisible by the square of a prime}. \end{cases}$$

As in (3.3), we use the summation symbol $\sum_{d \mid n}$ to denote a sum extended over all positive divisors $d$ of $n \in \mathbb{N}$. A similar convention applies to the product symbol $\prod_{d \mid n}$.

3.23. Lemma. For $n \in \mathbb{N}$ the Moebius function $\mu$ satisfies
$$\sum_{d \mid n} \mu(d) = \begin{cases} 1 & \text{if } n = 1, \\ 0 & \text{if } n > 1. \end{cases}$$

Proof. For $n > 1$ we have to take into account only those positive divisors $d$ of $n$ for which $\mu(d) \ne 0$, that is, for which $d = 1$ or $d$ is a product of distinct primes. Thus, if $p_1, p_2, \ldots, p_k$ are the distinct prime divisors of $n$, we get
$$\sum_{d \mid n} \mu(d) = \mu(1) + \sum_{i=1}^{k} \mu(p_i) + \sum_{1 \le i < j \le k} \mu(p_i p_j) + \cdots + \mu(p_1 p_2 \cdots p_k)
= 1 + \binom{k}{1}(-1) + \binom{k}{2}(-1)^2 + \cdots + \binom{k}{k}(-1)^k = \big(1 + (-1)\big)^k = 0.$$
The case $n = 1$ is trivial. □
3.24. Theorem (Moebius Inversion Formula).
(i) Additive case: Let $h$ and $H$ be two functions from $\mathbb{N}$ into an additively written abelian group $G$. Then
$$H(n) = \sum_{d \mid n} h(d) \quad \text{for all } n \in \mathbb{N} \tag{3.4}$$
if and only if
$$h(n) = \sum_{d \mid n} \mu\!\left(\frac{n}{d}\right) H(d) = \sum_{d \mid n} \mu(d)\, H\!\left(\frac{n}{d}\right) \quad \text{for all } n \in \mathbb{N}. \tag{3.5}$$
(ii) Multiplicative case: Let $h$ and $H$ be two functions from $\mathbb{N}$ into a multiplicatively written abelian group $G$. Then
$$H(n) = \prod_{d \mid n} h(d) \quad \text{for all } n \in \mathbb{N} \tag{3.6}$$
if and only if
$$h(n) = \prod_{d \mid n} H(d)^{\mu(n/d)} = \prod_{d \mid n} H\!\left(\frac{n}{d}\right)^{\mu(d)} \quad \text{for all } n \in \mathbb{N}. \tag{3.7}$$
Proof. Assuming (3.4) and using Lemma 3.23, we get
$$\sum_{d \mid n} \mu\!\left(\frac{n}{d}\right) H(d) = \sum_{d \mid n} \mu(d)\, H\!\left(\frac{n}{d}\right) = \sum_{d \mid n} \mu(d) \sum_{c \mid n/d} h(c) = \sum_{c \mid n} \sum_{d \mid n/c} \mu(d)\, h(c) = \sum_{c \mid n} h(c) \sum_{d \mid n/c} \mu(d) = h(n)$$
for all $n \in \mathbb{N}$. The converse is derived by a similar calculation. The proof of part (ii) follows immediately from the proof of part (i) if we replace the sums by products and the multiples by powers. □

3.25. Theorem. The number $N_q(n)$ of monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $n$ is given by
$$N_q(n) = \frac{1}{n} \sum_{d \mid n} \mu\!\left(\frac{n}{d}\right) q^d = \frac{1}{n} \sum_{d \mid n} \mu(d)\, q^{n/d}.$$

Proof. We apply the additive case of the Moebius inversion formula to the group $G = \mathbb{Z}$, the additive group of integers. Let $h(n) = n N_q(n)$ and $H(n) = q^n$ for all $n \in \mathbb{N}$. Then (3.4) is satisfied because of the identity (3.3), and so (3.5) already gives the desired formula. □

3.26. Example. The number of monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree 20 is given by
$$N_q(20) = \tfrac{1}{20}\big(\mu(1) q^{20} + \mu(2) q^{10} + \mu(4) q^5 + \mu(5) q^4 + \mu(10) q^2 + \mu(20) q\big) = \tfrac{1}{20}\big(q^{20} - q^{10} - q^4 + q^2\big). \quad \square$$

It should be noted that the formula in Theorem 3.25 shows again that for every finite field $\mathbb{F}_q$ and every $n \in \mathbb{N}$ there exists an irreducible polynomial in $\mathbb{F}_q[x]$ of degree $n$ (compare with Corollary 2.11). Namely, using $\mu(1) = 1$ and $\mu(d) \ge -1$ for all $d \in \mathbb{N}$, a crude estimate yields
$$N_q(n) \ge \frac{1}{n}\big(q^n - q^{n-1} - q^{n-2} - \cdots - q\big) = \frac{1}{n}\left(q^n - \frac{q^n - q}{q - 1}\right) > 0.$$

As another application of the Moebius inversion formula, we establish an explicit formula for the $n$th cyclotomic polynomial $Q_n$.

3.27. Theorem. For a field $K$ of characteristic $p$ and $n \in \mathbb{N}$ not divisible by $p$, the $n$th cyclotomic polynomial $Q_n$ over $K$ satisfies
$$Q_n(x) = \prod_{d \mid n} \left(x^d - 1\right)^{\mu(n/d)} = \prod_{d \mid n} \left(x^{n/d} - 1\right)^{\mu(d)}.$$

Proof. We apply the multiplicative case of the Moebius inversion formula to the multiplicative group $G$ of nonzero rational functions over $K$. Let $h(n) = Q_n(x)$ and $H(n) = x^n - 1$ for all $n \in \mathbb{N}$. Then Theorem 2.45(i) shows that (3.6) is satisfied, and so (3.7) yields the desired result. □
3.28. Example. For fields $K$ over which $Q_{12}$ is defined, we have
$$Q_{12}(x) = \prod_{d \mid 12} \left(x^{12/d} - 1\right)^{\mu(d)} = (x^{12} - 1)^{\mu(1)} (x^6 - 1)^{\mu(2)} (x^4 - 1)^{\mu(3)} (x^3 - 1)^{\mu(4)} (x^2 - 1)^{\mu(6)} (x - 1)^{\mu(12)}$$
$$= \frac{(x^{12} - 1)(x^2 - 1)}{(x^6 - 1)(x^4 - 1)} = x^4 - x^2 + 1. \quad \square$$
The explicit formula in Theorem 3.27 can be used to establish the basic properties of cyclotomic polynomials (compare with Exercise 3.35). In Theorem 3.25 we determined the number of monic irreducible polynomials in $\mathbb{F}_q[x]$ of fixed degree. We present now a formula for the product of all monic irreducible polynomials in $\mathbb{F}_q[x]$ of fixed degree.

3.29. Theorem. The product $I(q, n; x)$ of all monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $n$ is given by
$$I(q, n; x) = \prod_{d \mid n} \left(x^{q^d} - x\right)^{\mu(n/d)} = \prod_{d \mid n} \left(x^{q^{n/d}} - x\right)^{\mu(d)}.$$

Proof. It follows from Theorem 3.20 that
$$x^{q^n} - x = \prod_{d \mid n} I(q, d; x).$$
We apply the multiplicative case of the Moebius inversion formula to the multiplicative group $G$ of nonzero rational functions over $\mathbb{F}_q$, putting $h(n) = I(q, n; x)$ and $H(n) = x^{q^n} - x$ for all $n \in \mathbb{N}$, and we obtain the desired formula. □

3.30. Example. For $q = 2$, $n = 4$ we get
$$I(2, 4; x) = (x^{16} - x)^{\mu(1)} (x^4 - x)^{\mu(2)} (x^2 - x)^{\mu(4)} = \frac{x^{16} - x}{x^4 - x} = \frac{x^{15} - 1}{x^3 - 1} = x^{12} + x^9 + x^6 + x^3 + 1. \quad \square$$
All monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $n$ can be determined by factoring $I(q, n; x)$. For this purpose it is advantageous to have $I(q, n; x)$ available in a partially factored form. This is achieved by the following result.

3.31. Theorem. Let $I(q, n; x)$ be as in Theorem 3.29. Then for $n > 1$ we have
$$I(q, n; x) = \prod_m Q_m(x), \tag{3.8}$$
where the product is extended over all positive divisors $m$ of $q^n - 1$ for which $n$ is the multiplicative order of $q$ modulo $m$, and where $Q_m(x)$ is the $m$th cyclotomic polynomial over $\mathbb{F}_q$.

Proof. For $n > 1$ let $S$ be the set of elements of $\mathbb{F}_{q^n}$ that are of degree $n$ over $\mathbb{F}_q$. Then every $\alpha \in S$ has a minimal polynomial over $\mathbb{F}_q$ of degree $n$ and is thus a root of $I(q, n; x)$. On the other hand, if $\beta$ is a root of $I(q, n; x)$, then $\beta$ is a root of some monic irreducible polynomial in $\mathbb{F}_q[x]$ of degree $n$, which implies that $\beta \in S$. Therefore,
$$I(q, n; x) = \prod_{\alpha \in S} (x - \alpha).$$
If $\alpha \in S$, then $\alpha \in \mathbb{F}_{q^n}^*$, and so the order of $\alpha$ in that multiplicative group is a divisor of $q^n - 1$. We note that $\gamma \in \mathbb{F}_{q^n}^*$ is an element of a proper subfield $\mathbb{F}_{q^d}$ of $\mathbb{F}_{q^n}$ if and only if $\gamma^{q^d} = \gamma$, that is, if and only if the order of $\gamma$ divides $q^d - 1$. Thus, the order $m$ of an element $\alpha$ of $S$ must be such that $n$ is the least positive integer with $q^n \equiv 1 \bmod m$, that is, such that $n$ is the multiplicative order of $q$ modulo $m$. For a positive divisor $m$ of $q^n - 1$ with this property, let $S_m$ be the set of elements of $S$ of order $m$. Then $S$ is the disjoint union of the subsets $S_m$, so that we can write
$$I(q, n; x) = \prod_m \prod_{\alpha \in S_m} (x - \alpha).$$
Now $S_m$ contains exactly all elements of $\mathbb{F}_{q^n}^*$ of order $m$. In other words, $S_m$ is the set of primitive $m$th roots of unity over $\mathbb{F}_q$. From the definition of cyclotomic polynomials (see Definition 2.44), it follows that
$$\prod_{\alpha \in S_m} (x - \alpha) = Q_m(x),$$
and so (3.8) is established. □
3.32. Example. We determine all (monic) irreducible polynomials in $\mathbb{F}_2[x]$ of degree 4. The identity (3.8) yields $I(2, 4; x) = Q_5(x) Q_{15}(x)$. By Theorem 2.47(ii), $Q_5(x) = x^4 + x^3 + x^2 + x + 1$ is irreducible in $\mathbb{F}_2[x]$. By the same theorem, $Q_{15}(x)$ factors into two irreducible polynomials in $\mathbb{F}_2[x]$ of degree 4. Since $Q_5(x + 1) = x^4 + x^3 + 1$ is irreducible in $\mathbb{F}_2[x]$, this polynomial must divide $Q_{15}(x)$, and so
$$Q_{15}(x) = x^8 + x^7 + x^5 + x^4 + x^3 + x + 1 = (x^4 + x^3 + 1)(x^4 + x + 1).$$
Therefore, the irreducible polynomials in $\mathbb{F}_2[x]$ of degree 4 are $x^4 + x^3 + x^2 + x + 1$, $x^4 + x^3 + 1$, and $x^4 + x + 1$. □
Irreducible polynomials often arise as minimal polynomials of elements of an extension field. Minimal polynomials were introduced in Definition 1.81 and their fundamental properties established in Theorem 1.82. With special reference to finite fields, we summarize now the most useful facts about minimal polynomials.

3.33. Theorem. Let $\alpha$ be an element of the extension field $\mathbb{F}_{q^m}$ of $\mathbb{F}_q$. Suppose that the degree of $\alpha$ over $\mathbb{F}_q$ is $d$ and that $g \in \mathbb{F}_q[x]$ is the minimal polynomial of $\alpha$ over $\mathbb{F}_q$. Then:
(i) $g$ is irreducible over $\mathbb{F}_q$ and its degree $d$ divides $m$.
(ii) A polynomial $f \in \mathbb{F}_q[x]$ satisfies $f(\alpha) = 0$ if and only if $g$ divides $f$.
(iii) If $f$ is a monic irreducible polynomial in $\mathbb{F}_q[x]$ with $f(\alpha) = 0$, then $f = g$.
(iv) $g(x)$ divides $x^{q^d} - x$ and $x^{q^m} - x$.
(v) The roots of $g$ are $\alpha, \alpha^q, \ldots, \alpha^{q^{d-1}}$, and $g$ is the minimal polynomial over $\mathbb{F}_q$ of all these elements.
(vi) If $\alpha \ne 0$, then $\operatorname{ord}(g)$ is equal to the order of $\alpha$ in the multiplicative group $\mathbb{F}_{q^m}^*$.
(vii) $g$ is a primitive polynomial over $\mathbb{F}_q$ if and only if $\alpha$ is of order $q^d - 1$ in $\mathbb{F}_{q^m}^*$.

Proof. (i) The first part follows from Theorem 1.82(i) and the second part from Theorem 1.86. (ii) This follows from Theorem 1.82(ii). (iii) This is an immediate consequence of (ii). (iv) This follows from (i) and Lemma 2.13. (v) The first part follows from (i) and Theorem 2.14 and the second part from (iii). (vi) Since $\alpha \in \mathbb{F}_{q^d}^*$ and $\mathbb{F}_{q^d}^*$ is a subgroup of $\mathbb{F}_{q^m}^*$, the result is contained in Theorem 3.3. (vii) If $g$ is primitive over $\mathbb{F}_q$, then $\operatorname{ord}(g) = q^d - 1$, and so $\alpha$ is of order $q^d - 1$ in $\mathbb{F}_{q^m}^*$ because of (vi). Conversely, if $\alpha$ is of order $q^d - 1$ in $\mathbb{F}_{q^m}^*$ and so in $\mathbb{F}_{q^d}^*$, then $\alpha$ is a primitive element of $\mathbb{F}_{q^d}$, and therefore $g$ is primitive over $\mathbb{F}_q$ by Definition 3.15. □
3. CONSTRUCTION OF IRREDUCIBLE POLYNOMIALS

We first describe a general principle of obtaining new irreducible polynomials from known ones. It depends on an auxiliary result from number theory. We recall that if $n$ is a positive integer and the integer $b$ is relatively prime to $n$, then the least positive integer $k$ for which $b^k \equiv 1 \bmod n$ is called the multiplicative order of $b$ modulo $n$. We note that this multiplicative order divides any other positive integer $h$ for which $b^h \equiv 1 \bmod n$.

3.34. Lemma. Let $s \ge 2$ and $e \ge 2$ be relatively prime integers and let $m$ be the multiplicative order of $s$ modulo $e$. Let $t \ge 2$ be an integer whose prime factors divide $e$ but not $(s^m - 1)/e$. Assume also that $s^m \equiv 1 \bmod 4$ if $t \equiv 0 \bmod 4$. Then the multiplicative order of $s$ modulo $et$ is equal to $mt$.
Proof. We proceed by induction on the number of prime factors of $t$, each counted with its multiplicity. First, let $t$ be a prime number. Writing $d = (s^m - 1)/e$, we have $s^m = 1 + de$, and so
$$s^{mt} = (1 + de)^t = 1 + \binom{t}{1}de + \binom{t}{2}d^2e^2 + \cdots + \binom{t}{t-1}d^{t-1}e^{t-1} + d^te^t.$$
In the last expression, each term except the first and the last is divisible by $et$ because of a property of binomial coefficients noted in the proof of Theorem 1.46. Furthermore, the last term is divisible by $et$ since $t$ divides $e$. Therefore, $s^{mt} \equiv 1 \bmod et$, and so the multiplicative order $k$ of $s$ modulo $et$ divides $mt$. Also, $s^k \equiv 1 \bmod et$ implies $s^k \equiv 1 \bmod e$, and so $k$ is divisible by $m$. Since $t$ is a prime number, $k$ can only be $m$ or $mt$. If $k = m$, then $s^m \equiv 1 \bmod et$, hence $de \equiv 0 \bmod et$ and $t$ divides $d$, a contradiction. Thus we must have $k = mt$. Now suppose that $t$ has at least two prime factors and write $t = rt_0$, where $r$ is a prime factor of $t$. By what we have already shown, the multiplicative order of $s$ modulo $er$ is equal to $mr$. If we can prove that each prime factor of $t_0$ divides $er$ but not $d_0 = (s^{mr} - 1)/er$, then the induction hypothesis applied to $t_0$ yields that the multiplicative order of $s$ modulo $ert_0 = et$ is equal to $mrt_0 = mt$. Let $r_0$ be a prime factor of $t_0$. Since every prime factor of $t$ divides $e$, it is trivial that $r_0$ divides $er$. We write again $d = (s^m - 1)/e$. We have $s^{mr} - 1 = c(s^m - 1)$ with $c = s^{m(r-1)} + \cdots + s^m + 1$, thus $d_0 = c(s^m - 1)/er = cd/r$. Furthermore, since $s^m \equiv 1 \bmod e$ and $r$ divides $e$, we get $s^m \equiv 1 \bmod r$, and so $c \equiv r \equiv 0 \bmod r$. Thus $c/r$ is an integer. Since $r_0$ does not divide $d$, it suffices to demonstrate that $r_0$ does not divide $c/r$ in order to prove that $r_0$ does not divide $d_0 = cd/r$. We note that $s^m \equiv 1 \bmod r_0$, and so $c \equiv r \bmod r_0$. If $r_0 \ne r$, then $c/r \equiv 1 \bmod r_0$, thus $r_0$ does not divide $c/r$. Now let $r_0 = r$. Then $s^m \equiv 1 + br \bmod r^2$ for some $b \in \mathbb{Z}$, hence $s^{mj} \equiv (1 + br)^j \equiv 1 + jbr \bmod r^2$ for all $j \ge 0$, and thus
$$c \equiv r + br\sum_{j=0}^{r-1} j = r + br\,\frac{r(r-1)}{2} \bmod r^2.$$
It follows that
$$\frac{c}{r} \equiv 1 + b\,\frac{r(r-1)}{2} \bmod r.$$
If $r$ is odd, then $c/r \equiv 1 \bmod r$, so that $r_0 = r$ does not divide $c/r$. In the remaining case we have $r_0 = r = 2$. Then $t \equiv 0 \bmod 4$, and so $s^m \equiv 1 \bmod 4$ by hypothesis. Since $c = s^m + 1$ in this case, we get $c \equiv 2 \bmod 4$, and thus $c/r = c/2 \equiv 1 \bmod 2$. It follows again that $r_0$ does not divide $c/r$. □

3.35. Theorem. Let $f_1(x), f_2(x), \ldots, f_N(x)$ be all the distinct monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $m$ and order $e$, and let $t \ge 2$ be an integer whose prime factors divide $e$ but not $(q^m - 1)/e$. Assume also that $q^m \equiv 1 \bmod 4$ if $t \equiv 0 \bmod 4$. Then $f_1(x^t), f_2(x^t), \ldots, f_N(x^t)$ are all the distinct monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $mt$ and order $et$.
Proof. The condition on $t$ implies $e \ge 2$. According to Theorem 3.5, monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $m$ and order $e \ge 2$ exist only if $m$ is the multiplicative order of $q$ modulo $e$, and then $N = \phi(e)/m$. By Lemma 3.34, the multiplicative order of $q$ modulo $et$ is equal to $mt$, and since $\phi(et)/mt = \phi(e)/m$ by the formula in Exercise 1.4, part (c), it follows that the number of monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $mt$ and order $et$ is also equal to $N$. Therefore, it remains to show that each of the polynomials $f_j(x^t)$, $1 \le j \le N$, is irreducible in $\mathbb{F}_q[x]$ and of order $et$. Since the roots of each $f_j(x)$ are primitive $e$th roots of unity over $\mathbb{F}_q$ by Theorem 3.3, it follows that $f_j(x)$ divides the cyclotomic polynomial $Q_e(x)$ over $\mathbb{F}_q$. Then $f_j(x^t)$ divides $Q_e(x^t)$, and repeated use of the property enunciated in Exercise 2.57, part (b), shows that $Q_e(x^t) = Q_{et}(x)$. Thus $f_j(x^t)$ divides $Q_{et}(x)$. According to Theorem 2.47(ii), the degree of each irreducible factor of $Q_{et}(x)$ in $\mathbb{F}_q[x]$ is equal to the multiplicative order of $q$ modulo $et$, which is $mt$. Since $f_j(x^t)$ has degree $mt$, it follows that $f_j(x^t)$ is irreducible in $\mathbb{F}_q[x]$. Furthermore, since $f_j(x^t)$ divides $Q_{et}(x)$, the order of $f_j(x^t)$ is $et$. □
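The identity (3.8) and the construction $f(x) \mapsto f(x^t)$ of Theorem 3.35 can be checked mechanically over $\mathbb{F}_2$. The following Python block is an added example written for this page, not code from the book: a polynomial over $\mathbb{F}_2$ is a Python int whose bit $i$ is the coefficient of $x^i$; $Q_m$ is computed as $(x^m - 1)/\prod_{d \mid m,\, d < m} Q_d$; irreducibility is tested with the Ben-Or criterion $\gcd(x^{2^i} - x, f) = 1$ for $1 \le i \le n/2$; and a claim $\operatorname{ord}(f) = e$ is verified by checking $x^e \equiv 1$ and $x^{e/p} \not\equiv 1 \bmod f$ for every prime $p$ dividing $e$, which pins the order down because it must divide $e$. All function names are the example's own.

```python
# Added example (not the book's code): GF(2)[x] arithmetic with a polynomial stored
# as a Python int whose bit i is the coefficient of x^i (so x^4 + x + 1 is 0b10011).
# It checks the factorization (3.8) of I(2, n; x) into cyclotomic polynomials
# (Theorem 3.31, Example 3.32) and the construction f(x) -> f(x^t) of Theorem 3.35.

def pmul(a, b):
    """Carry-less product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, b):
    """Quotient and remainder of a divided by b (b != 0) in GF(2)[x]."""
    q, db = 0, b.bit_length()
    while a.bit_length() >= db:
        shift = a.bit_length() - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def pgcd(a, b):
    while b:
        a, b = b, pdivmod(a, b)[1]
    return a

def ppowmod(base, e, mod):
    """base^e mod `mod` by square-and-multiply."""
    r, base = 1, pdivmod(base, mod)[1]
    while e:
        if e & 1:
            r = pdivmod(pmul(r, base), mod)[1]
        base = pdivmod(pmul(base, base), mod)[1]
        e >>= 1
    return r

def is_irreducible(f):
    """Ben-Or test: f of degree n >= 1 is irreducible over GF(2) iff
    gcd(x^(2^i) - x, f) = 1 for every 1 <= i <= n/2."""
    n = f.bit_length() - 1
    if n < 1:
        return False
    xp = 0b10                                  # the polynomial x
    for _ in range(n // 2):
        xp = pdivmod(pmul(xp, xp), f)[1]       # now x^(2^i) mod f
        if pgcd(f, xp ^ 0b10) != 1:            # xp ^ 0b10 is x^(2^i) - x
            return False
    return True

def has_order(f, e, primes):
    """True iff ord(f) = e, given that ord(f) divides e and `primes` lists the prime
    factors of e: x^e = 1 mod f, but x^(e/p) != 1 mod f for every prime p | e."""
    return ppowmod(0b10, e, f) == 1 and all(ppowmod(0b10, e // p, f) != 1 for p in primes)

def cyclotomic(m):
    """Q_m(x) over GF(2) for odd m, as (x^m - 1) / prod_{d | m, d < m} Q_d(x)."""
    num = (1 << m) ^ 1
    for d in range(1, m):
        if m % d == 0:
            num = pdivmod(num, cyclotomic(d))[0]
    return num

def irreducibles_of_degree(n):
    """All monic irreducible polynomials of degree n over GF(2), by exhaustive testing."""
    return [f for f in range(1 << n, 1 << (n + 1)) if is_irreducible(f)]

def I_poly(n):
    """I(2, n; x): the product of all monic irreducible polynomials of degree n over GF(2)."""
    r = 1
    for f in irreducibles_of_degree(n):
        r = pmul(r, f)
    return r

def compose_xt(f, t):
    """f(x^t): bit i of f moves to bit i*t."""
    r, i = 0, 0
    while f:
        if f & 1:
            r |= 1 << (i * t)
        f >>= 1
        i += 1
    return r

def theorem_3_35(f, t, e, primes_of_et):
    """Given f irreducible of order e, return (f(x^t), is it irreducible?, is its order e*t?)."""
    g = compose_xt(f, t)
    return g, is_irreducible(g), has_order(g, e * t, primes_of_et)
```

With $f = x^4 + x + 1$ (order 15), `theorem_3_35(0b10011, 3, 15, [3, 5])` returns $x^{12} + x^3 + 1$ together with two `True` flags, and $t = 15$ and $t = 25$ give the degree-60 and degree-100 polynomials of order 225 and 375; `I_poly(4)` equals `pmul(cyclotomic(5), cyclotomic(15))`, and `I_poly(3)` equals $Q_7$. The value $t = 2$ violates the hypothesis of Theorem 3.35 (2 does not divide 15), and indeed $f(x^2) = f(x)^2$ is reducible.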
3.36. Example. The irreducible polynomials in $\mathbb{F}_2[x]$ of degree 4 and order 15 are $x^4 + x + 1$ and $x^4 + x^3 + 1$. Then the irreducible polynomials in $\mathbb{F}_2[x]$ of degree 12 and order 45 are $x^{12} + x^3 + 1$ and $x^{12} + x^9 + 1$. The irreducible polynomials in $\mathbb{F}_2[x]$ of degree 60 and order 225 are $x^{60} + x^{15} + 1$ and $x^{60} + x^{45} + 1$. The irreducible polynomials in $\mathbb{F}_2[x]$ of degree 100 and order 375 are $x^{100} + x^{25} + 1$ and $x^{100} + x^{75} + 1$. □

The case in which $t \equiv 0 \bmod 4$ and $q^m \equiv -1 \bmod 4$ is not covered in Theorem 3.35. Here we must have $q \equiv -1 \bmod 4$ and $m$ odd. The result referring to this case is somewhat more complicated than Theorem 3.35.

3.37. Theorem. Let $f_1(x), f_2(x), \ldots, f_N(x)$ be all the distinct monic irreducible polynomials in $\mathbb{F}_q[x]$ of odd degree $m$ and of order $e$. Let $q = 2^a u - 1$, $t = 2^b v$ with $a, b \ge 2$, where $u$ and $v$ are odd and all prime factors of $t$ divide $e$ but not $(q^m - 1)/e$. Let $k$ be the smaller of $a$ and $b$. Then each of the polynomials $f_j(x^t)$ factors as a product of $2^{k-1}$ monic irreducible polynomials $g_{ij}(x)$ in $\mathbb{F}_q[x]$ of degree $mt2^{1-k}$. The $2^{k-1}N$ polynomials $g_{ij}(x)$ are all the distinct monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $mt2^{1-k}$ and order $et$.

Proof. If $v \ge 3$, then Theorem 3.35 implies that $f_1(x^v), f_2(x^v), \ldots, f_N(x^v)$ are all the distinct monic irreducible polynomials in $\mathbb{F}_q[x]$ of odd degree $mv$ and of order $ev$. Thus we will be done once the special case $t = 2^b$ is settled. Let now $t = 2^b$, and note that as in the proof of Theorem 3.35 we obtain that $m$ is the multiplicative order of $q$ modulo $e$, $N = \phi(e)/m$, and each $f_j(x^t)$ divides $Q_{et}(x)$. By Theorem 2.47(ii), $Q_{et}(x)$ factors into distinct monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $d$, where $d$ is the multiplicative order of $q$ modulo $et$. Since $q^d \equiv 1 \bmod et$, we have $q^d \equiv 1 \bmod e$, and so $m$ divides $d$. Consider first the case $a \ge b$. Then $q^{2m} - 1 = (q^m - 1)(q^m + 1)$, and the first factor is divisible by $e$, whereas the second factor is divisible by $t$ since $q \equiv -1 \bmod 2^a$ implies $q \equiv -1 \bmod t$, and thus $q^m \equiv (-1)^m \equiv -1 \bmod t$. Altogether, we get $q^{2m} \equiv 1 \bmod et$, and so $d$ can only be $m$ or $2m$. If $d = m$, then $q^m \equiv 1 \bmod et$, hence $q^m \equiv 1 \bmod t$, a contradiction. Thus $d = 2m = mt2^{1-k}$, since $k = b$ in this case. Now consider the case $a < b$. We prove by induction on $h$ that
$$q^{m2^h} \equiv 1 + w2^{a+h} \bmod 2^{a+h+1} \quad \text{for all } h \in \mathbb{N}, \qquad (3.9)$$
where $w$ is odd. For $h = 1$ we get
$$q^{2m} = (2^a u - 1)^{2m} = 1 - 2^{a+1}um + \sum_{n=2}^{2m}\binom{2m}{n}(-1)^{2m-n}2^{an}u^n \equiv 1 + w2^{a+1} \bmod 2^{a+2}$$
with $w = -um$. If (3.9) is shown for some $h \in \mathbb{N}$, then
$$q^{m2^h} = 1 + w2^{a+h} + c2^{a+h+1} \quad \text{for some } c \in \mathbb{Z}.$$
Squaring this identity shows that (3.9) also holds with $h + 1$ in place of $h$, and so the proof of (3.9) is complete. Applying (3.9) with $h = b - a + 1$, we get $q^{m2^{b-a+1}} \equiv 1 \bmod 2^{b+1}$. Furthermore, $q^m \equiv 1 \bmod e$ implies $q^{m2^{b-a+1}} \equiv 1 \bmod e$, and so $q^{m2^{b-a+1}} \equiv 1 \bmod L$, where $L$ is the least common multiple of $2^{b+1}$ and $e$. Now $e$ is even since all prime factors of $t$ divide $e$, but also $e \not\equiv 0 \bmod 4$ since $q^m \equiv 1 \bmod e$ and $q^m \equiv -1 \bmod 4$. Therefore, $L = e2^b = et$, and thus $q^{m2^{b-a+1}} \equiv 1 \bmod et$. On the other hand, using (3.9) with $h = b - a$ we get
$$q^{m2^{b-a}} \equiv 1 + w2^b \not\equiv 1 \bmod 2^{b+1},$$
which implies $q^{m2^{b-a}} \not\equiv 1 \bmod et$. Consequently, we must have $d = m2^{b-a+1} = mt2^{1-k}$ since $k = a$ in this case. Therefore, the formula $d = mt2^{1-k}$ is valid in both cases. Since $Q_{et}(x)$ factors into distinct monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $mt2^{1-k}$, each $f_j(x^t)$ factors into such polynomials. By comparing degrees, the number of factors is found to be $2^{k-1}$. Since each irreducible factor $g_{ij}(x)$ of $f_j(x^t)$ divides $Q_{et}(x)$, each $g_{ij}(x)$ is of order $et$. The various polynomials $g_{ij}(x)$, $1 \le i \le 2^{k-1}$, $1 \le j \le N$, are distinct, for otherwise one such polynomial, say $g(x)$, would divide $f_{j_1}(x^t)$ and $f_{j_2}(x^t)$ for $j_1 \ne j_2$, and then any root $\beta$ of $g(x)$ would lead to a common root $\beta^t$ of $f_{j_1}(x)$ and $f_{j_2}(x)$, a contradiction. By Theorem 3.5, the number of monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $mt2^{1-k}$ and order $et$ is $\phi(et)/mt2^{1-k} = 2^{k-1}\phi(et)/mt = 2^{k-1}\phi(e)/m = 2^{k-1}N$, and so the $g_{ij}(x)$ yield all such polynomials. □

We will show how, from a given irreducible polynomial of order $e$, all the irreducible polynomials whose orders divide $e$ may be obtained. Since in all cases $g(x) = x$ will be among the latter polynomials, we only consider polynomials $g$ with $g(0) \ne 0$. Let $f$ be a monic irreducible polynomial in $\mathbb{F}_q[x]$ of degree $m$ and order $e$ and with $f(0) \ne 0$. Let $\alpha \in \mathbb{F}_{q^m}$ be a root of $f$, and for every $t \in \mathbb{N}$ let $g_t \in \mathbb{F}_q[x]$ be the minimal polynomial of $\alpha^t$ over $\mathbb{F}_q$. Let $T = \{t_1, t_2, \ldots, t_n\}$ be a set of positive integers such that for each $t \in \mathbb{N}$ there exists a uniquely determined $i$, $1 \le i \le n$, with $t \equiv t_i q^b \bmod e$ for some integer $b \ge 0$. Such a set $T$ can, for instance, be constructed as follows. Put $t_1 = 1$ and, when $t_1, t_2, \ldots, t_{j-1}$ have been constructed, let $t_j$ be the least positive integer such that $t_j \not\equiv t_i q^b \bmod e$ for $1 \le i < j$ and all integers $b \ge 0$. This procedure stops after finitely many steps. With the notation introduced above, we have then the following general result.

3.38. Theorem. The polynomials $g_{t_1}, g_{t_2}, \ldots, g_{t_n}$ are all the distinct monic irreducible polynomials in $\mathbb{F}_q[x]$ whose orders divide $e$ and whose constant terms are nonzero.

Proof. Each $g_{t_i}$ is monic and irreducible in $\mathbb{F}_q[x]$ by definition and satisfies $g_{t_i}(0) \ne 0$. Furthermore, since $g_{t_i}$ has the root $\alpha^{t_i}$, whose order in the group $\mathbb{F}_{q^m}^*$ divides the order of $\alpha$, it follows from Theorem 3.3 that $\operatorname{ord}(g_{t_i})$ divides $e$. Let $g$ be an arbitrary monic irreducible polynomial in $\mathbb{F}_q[x]$ of order $d$ dividing $e$ and with $g(0) \ne 0$. If $\beta$ is a root of $g$, then $\beta^d = 1$ implies $\beta^e = 1$, and so $\beta$ is an $e$th root of unity over $\mathbb{F}_q$. Since $\alpha$ is a primitive $e$th root of unity over $\mathbb{F}_q$, it follows from Theorem 2.42(i) that $\beta = \alpha^t$ for some $t \in \mathbb{N}$. Then the definition of the set $T$ implies that $t \equiv t_i q^b \bmod e$ for some $i$, $1 \le i \le n$, and some $b \ge 0$. Hence $\beta = \alpha^t = (\alpha^{t_i})^{q^b}$, and so $\beta$ is a root of $g_{t_i}$ because of Theorem 2.14. Since $g$ is the minimal polynomial of $\beta$ over $\mathbb{F}_q$, it follows from Theorem 3.33(iii) that $g = g_{t_i}$. It remains to show that the polynomials $g_{t_i}$, $1 \le i \le n$, are distinct. Suppose $g_{t_i} = g_{t_j}$ for $i \ne j$. Then $\alpha^{t_i}$ and $\alpha^{t_j}$ are roots of $g_{t_i}$, and so $\alpha^{t_j} = (\alpha^{t_i})^{q^b}$ for some $b \ge 0$. This implies $t_j \equiv t_i q^b \bmod e$, but since we also have $t_j \equiv t_j q^0 \bmod e$, we obtain a contradiction to the definition of the set $T$. □
The minimal polynomial $g_t$ of $\alpha^t \in \mathbb{F}_{q^m}$ over $\mathbb{F}_q$ is usually calculated by means of the characteristic polynomial $f_t$ of $\alpha^t \in \mathbb{F}_{q^m}$ over $\mathbb{F}_q$. From the discussion following Definition 2.22 we know that $f_t = g_t^r$, where $r = m/k$ and $k$ is the degree of $g_t$. Since $g_t$ is irreducible in $\mathbb{F}_q[x]$, $k$ is the multiplicative order of $q$ modulo $d = \operatorname{ord}(g_t)$, and $d$ is equal to the order of $\alpha^t$ in the group $\mathbb{F}_{q^m}^*$, which is $e/\gcd(t,e)$ by Theorem 1.15(ii). Therefore $d$, and so $k$ and $r$, can be determined easily. Several methods are known for calculating $f_t$. One of them is based on a useful relationship between $f_t$ and the given polynomial $f$.

3.39. Theorem. Let $f$ be a monic irreducible polynomial in $\mathbb{F}_q[x]$ of degree $m$. Let $\alpha \in \mathbb{F}_{q^m}$ be a root of $f$, and for $t \in \mathbb{N}$ let $f_t$ be the characteristic polynomial of $\alpha^t \in \mathbb{F}_{q^m}$ over $\mathbb{F}_q$. Then
$$f_t(x^t) = (-1)^{m(t+1)}\prod_{j=1}^{t} f(\omega_j x),$$
where $\omega_1, \ldots, \omega_t$ are the $t$th roots of unity over $\mathbb{F}_q$ counted according to multiplicity.
Proof. Let $\alpha = \alpha_1, \alpha_2, \ldots, \alpha_m$ be all the roots of $f$. Then $\alpha_1^t, \ldots, \alpha_m^t$ are the roots of $f_t$ counted according to multiplicity. Thus
$$f_t(x^t) = \prod_{i=1}^{m}(x^t - \alpha_i^t) = \prod_{i=1}^{m}\prod_{j=1}^{t}(x - \alpha_i\omega_j) = \prod_{i=1}^{m}\prod_{j=1}^{t}\omega_j(\omega_j^{-1}x - \alpha_i).$$
A comparison of coefficients in the identity
$$x^t - 1 = \prod_{j=1}^{t}(x - \omega_j)$$
shows that
$$\prod_{j=1}^{t}\omega_j = (-1)^{t+1},$$
and so
$$f_t(x^t) = (-1)^{m(t+1)}\prod_{j=1}^{t}\prod_{i=1}^{m}(\omega_j^{-1}x - \alpha_i) = (-1)^{m(t+1)}\prod_{j=1}^{t}f(\omega_j^{-1}x) = (-1)^{m(t+1)}\prod_{j=1}^{t}f(\omega_j x),$$
since $\omega_1^{-1}, \ldots, \omega_t^{-1}$ run exactly through all $t$th roots of unity over $\mathbb{F}_q$. □
3.40. Example. Consider the irreducible polynomial $f(x) = x^4 + x + 1$ in $\mathbb{F}_2[x]$. To calculate $f_3$, we note that the third roots of unity over $\mathbb{F}_2$ are $1$, $\omega$, and $\omega^2$, where $\omega$ is a root of $x^2 + x + 1$ in $\mathbb{F}_4$. Then
$$f_3(x^3) = (-1)^{16}f(x)f(\omega x)f(\omega^2 x) = (x^4 + x + 1)(\omega x^4 + \omega x + 1)(\omega^2 x^4 + \omega^2 x + 1) = x^{12} + x^9 + x^6 + x^3 + 1,$$
so that $f_3(x) = x^4 + x^3 + x^2 + x + 1$. □
Another method of calculating $f_t$ is based on matrix theory. Let $f(x) = x^m - a_{m-1}x^{m-1} - \cdots - a_1 x - a_0$ and let $A$ be the companion matrix of $f$, which is defined to be the $m \times m$ matrix
$$A = \begin{pmatrix} 0 & 0 & 0 & \cdots & 0 & a_0 \\ 1 & 0 & 0 & \cdots & 0 & a_1 \\ 0 & 1 & 0 & \cdots & 0 & a_2 \\ \vdots & \vdots & \vdots & & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & 1 & a_{m-1} \end{pmatrix}.$$
Then $f$ is the characteristic polynomial of $A$ in the sense of linear algebra; that is, $f(x) = \det(xI - A)$ with $I$ being the $m \times m$ identity matrix over $\mathbb{F}_q$. For each $t \in \mathbb{N}$, $f_t$ is the characteristic polynomial of $A^t$, the $t$th power of $A$. Thus, by calculating the powers of $A$ one obtains the polynomials $f_t$.
3.41. Example. It is of interest to determine which polynomials $f_t$ are irreducible in $\mathbb{F}_q[x]$. From the discussion prior to Theorem 3.39 it follows immediately that $f_t$ is irreducible in $\mathbb{F}_q[x]$ if and only if $k = m$, that is, if and only if $m$ is the multiplicative order of $q$ modulo $d = e/\gcd(t,e)$. Consider, for instance, the case $q = 2$, $m = 6$, $e = 63$. Since the multiplicative order of $q$ modulo a divisor of $e$ must be a divisor of $m$, the only possibilities for the multiplicative order apart from $m$ are $k = 1, 2, 3$. Then $q^k - 1 = 1, 3, 7$, and $q^k \equiv 1 \bmod d$ is only possible when $d = 1, 3, 7$. Thus $f_t$ is reducible in $\mathbb{F}_2[x]$ precisely if $\gcd(t, 63) = 9, 21, 63$. Since it suffices to consider values of $t$ with $1 \le t \le 63$, it follows that $f_t$ is irreducible in $\mathbb{F}_2[x]$ except when $t = 9, 18, 21, 27, 36, 42, 45, 54, 63$. □

In practice, irreducible polynomials often arise as minimal polynomials of elements in an extension field. If in the discussion above we let $f$ be a primitive polynomial over $\mathbb{F}_q$, so that $e = q^m - 1$, then the powers of $\alpha$ run through all nonzero elements of $\mathbb{F}_{q^m}$. Therefore, the methods outlined above can be used to calculate the minimal polynomial over $\mathbb{F}_q$ of each element of $\mathbb{F}_{q^m}^*$.
A straightforward method of determining minimal polynomials is the following one. Let $\theta$ be a defining element of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$, so that $\{1, \theta, \ldots, \theta^{m-1}\}$ is a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$. In order to find the minimal polynomial $g$ of $\beta \in \mathbb{F}_{q^m}^*$ over $\mathbb{F}_q$, we express the powers $\beta^0, \beta^1, \ldots, \beta^m$ in terms of the basis elements. Let
$$\beta^{i-1} = \sum_{j=1}^{m} b_{ij}\theta^{j-1} \quad \text{for } 1 \le i \le m + 1.$$
We write $g$ in the form $g(x) = c_m x^m + \cdots + c_1 x + c_0$. We want $g$ to be the monic polynomial of least positive degree with $g(\beta) = 0$. The condition $g(\beta) = c_m\beta^m + \cdots + c_1\beta + c_0 = 0$ leads to the homogeneous system of linear equations
$$\sum_{i=1}^{m+1} c_{i-1}b_{ij} = 0 \quad \text{for } 1 \le j \le m \qquad (3.10)$$
with unknowns $c_0, c_1, \ldots, c_m$. Let $B$ be the matrix of coefficients of the system, that is, $B$ is the $(m+1) \times m$ matrix whose $(i,j)$ entry is $b_{ij}$, and let $r$ be the rank of $B$. Then the dimension of the space of solutions of the system is $s = m + 1 - r$, and since $1 \le r \le m$, we have $1 \le s \le m$. Therefore, we can prescribe values for $s$ of the unknowns $c_0, c_1, \ldots, c_m$, and then the remaining ones are uniquely determined. If $s = 1$, we set $c_m = 1$, and if $s > 1$, we set $c_m = c_{m-1} = \cdots = c_{m-s+2} = 0$ and $c_{m-s+1} = 1$.
3.42. Example. Let $\theta \in \mathbb{F}_{64}$ be a root of the irreducible polynomial $x^6 + x + 1$ in $\mathbb{F}_2[x]$. For $\beta = \theta^3 + \theta^4$ we have
$$\beta^0 = 1,$$
$$\beta^1 = \theta^3 + \theta^4,$$
$$\beta^2 = 1 + \theta + \theta^2 + \theta^3,$$
$$\beta^3 = \theta + \theta^2 + \theta^3,$$
$$\beta^4 = \theta + \theta^2 + \theta^4,$$
$$\beta^5 = 1 + \theta^3 + \theta^4,$$
$$\beta^6 = 1 + \theta + \theta^2 + \theta^4.$$
Therefore, the matrix $B$ is given by
$$B = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 0 & 1 & 1 & 0 \\ 1 & 1 & 1 & 0 & 1 & 0 \end{pmatrix},$$
and its rank is $r = 3$. Hence $s = m + 1 - r = 4$, so that we set $c_6 = c_5 = c_4 = 0$, $c_3 = 1$. The remaining coefficients are determined from (3.10), and this yields $c_2 = 1$, $c_1 = 0$, $c_0 = 1$. Consequently, the minimal polynomial of $\beta$ over $\mathbb{F}_2$ is $g(x) = x^3 + x^2 + 1$. □
Still another method of determining minimal polynomials is based on Theorem 3.33(v). If we wish to find the minimal polynomial $g$ of $\beta \in \mathbb{F}_{q^m}$ over $\mathbb{F}_q$, we calculate the powers $\beta, \beta^q, \beta^{q^2}, \ldots$ until we find the least positive integer $d$ for which $\beta^{q^d} = \beta$. This integer $d$ is the degree of $g$, and $g$ itself is given by
$$g(x) = (x - \beta)(x - \beta^q)\cdots(x - \beta^{q^{d-1}}).$$
The elements $\beta, \beta^q, \ldots, \beta^{q^{d-1}}$ are the distinct conjugates of $\beta$ with respect to $\mathbb{F}_q$, and $g$ is the minimal polynomial over $\mathbb{F}_q$ of all these elements.

3.43. Example. We compute the minimal polynomials over $\mathbb{F}_2$ of all elements of $\mathbb{F}_{16}$. Let $\theta \in \mathbb{F}_{16}$ be a root of the primitive polynomial $x^4 + x + 1$ over $\mathbb{F}_2$, so that every nonzero element of $\mathbb{F}_{16}$ can be written as a power of $\theta$. We have the following index table for $\mathbb{F}_{16}$:
$$\theta^0 = 1,\quad \theta^1 = \theta,\quad \theta^2 = \theta^2,\quad \theta^3 = \theta^3,\quad \theta^4 = 1 + \theta,$$
$$\theta^5 = \theta + \theta^2,\quad \theta^6 = \theta^2 + \theta^3,\quad \theta^7 = 1 + \theta + \theta^3,\quad \theta^8 = 1 + \theta^2,\quad \theta^9 = \theta + \theta^3,$$
$$\theta^{10} = 1 + \theta + \theta^2,\quad \theta^{11} = \theta + \theta^2 + \theta^3,\quad \theta^{12} = 1 + \theta + \theta^2 + \theta^3,\quad \theta^{13} = 1 + \theta^2 + \theta^3,\quad \theta^{14} = 1 + \theta^3.$$
The minimal polynomials of the elements $\beta$ of $\mathbb{F}_{16}$ over $\mathbb{F}_2$ are:

$\beta = 0$: $g_1(x) = x$.

$\beta = 1$: $g_2(x) = x + 1$.

$\beta = \theta$: the distinct conjugates of $\theta$ with respect to $\mathbb{F}_2$ are $\theta, \theta^2, \theta^4, \theta^8$, and the minimal polynomial is
$$g_3(x) = (x - \theta)(x - \theta^2)(x - \theta^4)(x - \theta^8) = x^4 + x + 1.$$

$\beta = \theta^3$: the distinct conjugates of $\theta^3$ with respect to $\mathbb{F}_2$ are $\theta^3, \theta^6, \theta^{12}, \theta^{24} = \theta^9$, and the minimal polynomial is
$$g_4(x) = (x - \theta^3)(x - \theta^6)(x - \theta^9)(x - \theta^{12}) = x^4 + x^3 + x^2 + x + 1.$$

$\beta = \theta^5$: since $\theta^{20} = \theta^5$, the distinct conjugates of this element with respect to $\mathbb{F}_2$ are $\theta^5, \theta^{10}$, and the minimal polynomial is
$$g_5(x) = (x - \theta^5)(x - \theta^{10}) = x^2 + x + 1.$$

$\beta = \theta^7$: the distinct conjugates of $\theta^7$ with respect to $\mathbb{F}_2$ are $\theta^7, \theta^{14}, \theta^{28} = \theta^{13}, \theta^{56} = \theta^{11}$, and the minimal polynomial is
$$g_6(x) = (x - \theta^7)(x - \theta^{11})(x - \theta^{13})(x - \theta^{14}) = x^4 + x^3 + 1.$$

These elements, together with their conjugates with respect to $\mathbb{F}_2$, exhaust $\mathbb{F}_{16}$. □
An important problem is that of the determination of primitive polynomials. One approach is based on the fact that the product of all primitive polynomials over $\mathbb{F}_q$ of degree $m$ is equal to the cyclotomic polynomial $Q_e$ with $e = q^m - 1$ (see Theorem 2.47(ii) and Exercise 3.42). Therefore, all primitive polynomials over $\mathbb{F}_q$ of degree $m$ can be determined by applying one of the factorization algorithms in Chapter 4 to the cyclotomic polynomial $Q_e$. Another method depends on constructing a primitive element of $\mathbb{F}_{q^m}$ and then determining the minimal polynomial of this element over $\mathbb{F}_q$ by the methods described above. To find a primitive element of $\mathbb{F}_{q^m}$, one starts from the order $q^m - 1$ of such an element in the group $\mathbb{F}_{q^m}^*$ and factors it in the form $q^m - 1 = h_1 \cdots h_k$, where the positive integers $h_1, \ldots, h_k$ are pairwise relatively prime. If for each $i$, $1 \le i \le k$, one can find an element $\alpha_i \in \mathbb{F}_{q^m}^*$ of order $h_i$, then the product $\alpha_1 \cdots \alpha_k$ has order $q^m - 1$ and is thus a primitive element of $\mathbb{F}_{q^m}$.

3.44. Example. We determine a primitive polynomial over $\mathbb{F}_3$ of degree 4. Since $3^4 - 1 = 16 \cdot 5$, we first construct two elements of $\mathbb{F}_{81}$ of order 16 and 5, respectively. The elements of order 16 are the roots of the cyclotomic polynomial $Q_{16}(x) = x^8 + 1 \in \mathbb{F}_3[x]$. Since the multiplicative order of 3 modulo 16 is 4, $Q_{16}$ factors into two monic irreducible polynomials in $\mathbb{F}_3[x]$ of degree 4. Now
$$x^8 + 1 = (x^4 - 1)^2 - x^4 = (x^4 - 1 + x^2)(x^4 - 1 - x^2),$$
and so $f(x) = x^4 - x^2 - 1$ is irreducible over $\mathbb{F}_3$ and with a root $\theta$ of $f$ we have $\mathbb{F}_{81} = \mathbb{F}_3(\theta)$. Furthermore, $\theta$ is an element of $\mathbb{F}_{81}$ of order 16. To find an element $\alpha$ of order 5, we write $\alpha = a + b\theta + c\theta^2 + d\theta^3$ with $a, b, c, d \in \mathbb{F}_3$, and since we must have $\alpha^{10} = 1$, we get
$$1 = \alpha^9\alpha = (a + b\theta^9 + c\theta^{18} + d\theta^{27})(a + b\theta + c\theta^2 + d\theta^3)$$
$$= (a - b\theta + c\theta^2 - d\theta^3)(a + b\theta + c\theta^2 + d\theta^3) = (a + c\theta^2)^2 - (b\theta + d\theta^3)^2$$
$$= a^2 + (2ac - b^2)\theta^2 + (c^2 - 2bd)\theta^4 - d^2\theta^6 = a^2 + c^2 - d^2 + bd + (c^2 + d^2 - b^2 - ac + bd)\theta^2.$$
A comparison of coefficients yields
$$a^2 + c^2 - d^2 + bd = 1, \qquad c^2 + d^2 - b^2 - ac + bd = 0.$$
Setting $a = d = 0$, we get $b^2 = c^2 = 1$. Take $b = c = 1$, and then it is easily checked that $\alpha = \theta + \theta^2$ has order 5. Therefore, $\zeta = \theta\alpha = \theta^2 + \theta^3$ has order 80 and is thus a primitive element of $\mathbb{F}_{81}$. The minimal polynomial $g$ of $\zeta$ over $\mathbb{F}_3$ is
$$g(x) = (x - \zeta)(x - \zeta^3)(x - \zeta^9)(x - \zeta^{27}) = (x - \theta^2 - \theta^3)(x - 1 + \theta + \theta^2)(x - \theta^2 + \theta^3)(x - 1 - \theta + \theta^2),$$
and we have thus obtained a primitive polynomial over $\mathbb{F}_3$ of degree 4. □
3.45. Example. We determine a primitive polynomial over $\mathbb{F}_2$ of degree 6. Since $2^6 - 1 = 9 \cdot 7$, we first construct two elements of $\mathbb{F}_{64}^*$ of order 9 and 7, respectively. The multiplicative order of 2 modulo 9 is 6, and so the cyclotomic polynomial $Q_9(x) = x^6 + x^3 + 1$ is irreducible over $\mathbb{F}_2$. A root $\theta$ of $Q_9$ has order 9 and $\mathbb{F}_{64} = \mathbb{F}_2(\theta)$. An element $\alpha \in \mathbb{F}_{64}^*$ of order 7 satisfies $\alpha^8 = \alpha$, thus writing $\alpha = \sum_{i=0}^{5} a_i\theta^i$ with $a_i \in \mathbb{F}_2$, $0 \le i \le 5$, we get
$$\sum_{i=0}^{5} a_i\theta^i = \Bigl(\sum_{i=0}^{5} a_i\theta^i\Bigr)^8 = \sum_{i=0}^{5} a_i\theta^{8i} = a_0 + a_1\theta^8 + a_2\theta^7 + a_3\theta^6 + a_4\theta^5 + a_5\theta^4$$
$$= a_0 + a_3 + a_2\theta + a_1\theta^2 + a_3\theta^3 + (a_2 + a_5)\theta^4 + (a_1 + a_4)\theta^5,$$
and a comparison of coefficients yields $a_3 = 0$, $a_1 = a_2$, $a_4 = a_1 + a_5$. Choose $a_0 = a_3 = a_4 = 0$, $a_1 = a_2 = a_5 = 1$, so that $\alpha = \theta + \theta^2 + \theta^5$ is an element of order 7. Thus, $\zeta = \theta\alpha = 1 + \theta^2$ is a primitive element of $\mathbb{F}_{64}$. Then $\zeta^2 = 1 + \theta^4$, $\zeta^3 = \theta^2 + \theta^3 + \theta^4$, $\zeta^4 = 1 + \theta^2 + \theta^5$, $\zeta^5 = 1 + \theta + \theta^5$, $\zeta^6 = 1 + \theta^2 + \theta^3 + \theta^4 + \theta^5$. An application of the method in Example 3.42 yields the minimal polynomial $g(x) = x^6 + x^4 + x^3 + x + 1$ of $\zeta$ over $\mathbb{F}_2$ and thus a primitive polynomial over $\mathbb{F}_2$ of degree 6. □

If a primitive polynomial $g$ over $\mathbb{F}_q$ of degree $m$ is known, all other such primitive polynomials can be obtained by considering a root $\theta$ of $g$ in $\mathbb{F}_{q^m}$ and determining the minimal polynomials over $\mathbb{F}_q$ of all elements $\theta^t$, where $t$ runs through all positive integers $\le q^m - 1$ that are relatively prime to $q^m - 1$. The calculation of these minimal polynomials is carried out by the methods described earlier in this section. It is useful to be able to decide whether an irreducible polynomial over a finite field remains irreducible over a certain finite extension field. The following results address themselves to this question.
3.46. Theorem. Let $f$ be an irreducible polynomial over $\mathbb{F}_q$ of degree $n$ and let $k \in \mathbb{N}$. Then $f$ factors into $d$ irreducible polynomials in $\mathbb{F}_{q^k}[x]$ of the same degree $n/d$, where $d = \gcd(k, n)$.

Proof. Since the case $f(0) = 0$ is trivial, we can assume $f(0) \ne 0$. Let $g$ be an irreducible factor of $f$ in $\mathbb{F}_{q^k}[x]$. If $\operatorname{ord}(f) = e$, then also $\operatorname{ord}(g) = e$ by Theorem 3.3 since the roots of $g$ are also roots of $f$. By Theorem 3.5 the multiplicative order of $q$ modulo $e$ is $n$ and the degree of $g$ is equal to the multiplicative order of $q^k$ modulo $e$. The powers $q^j$, $j = 0, 1, \ldots$, considered modulo $e$, form a cyclic group of order $n$. Thus it follows from Theorem 1.15(ii) that the multiplicative order of $q^k$ modulo $e$ is $n/d$, and so the degree of $g$ is $n/d$. □

3.47. Corollary. An irreducible polynomial over $\mathbb{F}_q$ of degree $n$ remains irreducible over $\mathbb{F}_{q^k}$ if and only if $k$ and $n$ are relatively prime.

Proof. This is an immediate consequence of Theorem 3.46. □
3.48. Example. Consider the primitive polynomial $g(x) = x^6 + x^4 + x^3 + x + 1$ over $\mathbb{F}_2$ from Example 3.45 as a polynomial over $\mathbb{F}_{16}$. Then, in the notation of Theorem 3.46, we have $n = 6$, $k = 4$, and thus $d = 2$. Therefore, $g$ factors in $\mathbb{F}_{16}[x]$ into two irreducible cubic polynomials. Using the notation of Example 3.45, let $g_1$ be the factor that has $\zeta = 1 + \theta^2$ as a root. The other roots of $g_1$ must be the conjugates $\zeta^{16}$ and $\zeta^{256} = \zeta^4$ with respect to $\mathbb{F}_{16}$. Since these elements are also conjugates with respect to $\mathbb{F}_4$, it follows that $g_1$ is actually in $\mathbb{F}_4[x]$. Now $\rho = \zeta^{21}$ is a primitive third root of unity over $\mathbb{F}_2$, and so $\mathbb{F}_4 = \{0, 1, \rho, \rho^2\}$. Furthermore,
$$g_1(x) = x^3 + (\zeta + \zeta^4 + \zeta^{16})x^2 + (\zeta^5 + \zeta^{17} + \zeta^{20})x + \zeta^{21}.$$
We have $\zeta^4 = 1 + \theta^2 + \theta^5$, $\zeta^{16} = 1 + \theta^5$, and so $\zeta + \zeta^4 + \zeta^{16} = 1$. Similarly, we obtain $\zeta^5 + \zeta^{17} + \zeta^{20} = 1$, so that $g_1(x) = x^3 + x^2 + x + \rho$. By dividing $g$ by $g_1$, we get the second factor and thus the factorization
$$g(x) = (x^3 + x^2 + x + \rho)(x^3 + x^2 + x + \rho^2)$$
in $\mathbb{F}_4[x]$, and hence in $\mathbb{F}_{16}[x]$. The two factors of $g$ are primitive polynomials over $\mathbb{F}_4$, but not over $\mathbb{F}_{16}$. By Corollary 3.47, the polynomial $g$ remains irreducible over certain other extension fields of $\mathbb{F}_2$, such as $\mathbb{F}_{32}$ and $\mathbb{F}_{128}$. □
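The minimal-polynomial computations of Examples 3.42, 3.43 and 3.45, the set $T$ of Theorem 3.38, the reducibility list of Example 3.41 and the factorization over $\mathbb{F}_4$ of Example 3.48 can all be reproduced with the conjugate method of Theorem 3.33(v). The Python block below is an added example written for this page, not the book's code: it represents an element of $\mathbb{F}_{2^m} = \mathbb{F}_2(\theta)$ as an int whose bit $i$ is the coefficient of $\theta^i$, forms the minimal polynomial over $\mathbb{F}_{2^k}$ as $\prod(x - c)$ over the conjugates $\beta, \beta^{2^k}, \beta^{2^{2k}}, \ldots$, and for Example 3.45 takes the element $\alpha = \theta + \theta^2 + \theta^5$ of order 7 from the text instead of solving the book's system of coefficient equations. Function and constant names are the example's own.

```python
# Added example (not the book's code). Elements of F_{2^m} = F_2(theta) are Python
# ints whose bit i is the coefficient of theta^i; `mod` is the defining polynomial
# of theta in the same encoding (bit i = coefficient of x^i).

def fmul(a, b, mod):
    """Product of two field elements: carry-less multiply, reducing by `mod` as we go."""
    m = mod.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m & 1:            # theta^m appeared: rewrite it with the defining relation
            a ^= mod
    return r

def fpow(a, e, mod):
    r = 1
    while e:
        if e & 1:
            r = fmul(r, a, mod)
        a = fmul(a, a, mod)
        e >>= 1
    return r

def order(a, mod):
    """Multiplicative order of a nonzero element (brute force; the fields here are tiny)."""
    e, x = 1, a
    while x != 1:
        x, e = fmul(x, a, mod), e + 1
    return e

def conjugates(beta, mod, k=1):
    """Distinct conjugates beta, beta^(2^k), beta^(2^(2k)), ... with respect to F_{2^k}."""
    out, x = [], beta
    while x not in out:
        out.append(x)
        x = fpow(x, 1 << k, mod)
    return out

def min_poly(beta, mod, k=1):
    """Minimal polynomial of beta over F_{2^k} by Theorem 3.33(v): the product of (x - c)
    over the conjugates. Coefficients are returned constant term first, as elements of
    F_{2^m}; for k = 1 they are all 0 or 1."""
    g = [1]
    for c in conjugates(beta, mod, k):
        g = [0] + g                          # multiply by x ...
        for i in range(len(g) - 1):
            g[i] ^= fmul(g[i + 1], c, mod)   # ... and add c times the old g (minus = plus in char 2)
    return g

def pmul_field(a, b, mod):
    """Product of two polynomials with coefficients in F_{2^m} (constant term first)."""
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] ^= fmul(x, y, mod)
    return r

def poly_int(g):
    """Polynomial with 0/1 coefficients (constant term first) -> int with bit i = coefficient of x^i."""
    assert all(c in (0, 1) for c in g)
    return sum(c << i for i, c in enumerate(g))

def coset_reps(e, q=2):
    """The set T of Theorem 3.38: least representatives t_i of the classes {t q^b mod e}."""
    seen, T = set(), []
    for t in range(1, e + 1):
        if t % e not in seen:
            T.append(t)
            x = t % e
            while x not in seen:
                seen.add(x)
                x = x * q % e
    return T

MOD64 = 0b1000011     # x^6 + x + 1 (primitive); theta = 0b10 is a root
MOD16 = 0b10011       # x^4 + x + 1 (primitive)
MOD_Q9 = 0b1001001    # x^6 + x^3 + 1 = Q_9, so its root theta has order 9

def example_3_42():
    """Minimal polynomial of beta = theta^3 + theta^4 in F_64; expected x^3 + x^2 + 1."""
    return poly_int(min_poly((1 << 3) | (1 << 4), MOD64))

def example_3_43():
    """Minimal polynomial over F_2 of every element of F_16 = F_2(theta)."""
    return {b: poly_int(min_poly(b, MOD16)) for b in range(16)}

def example_3_41():
    """t in 1..63 for which f_t is reducible (f = x^6 + x + 1): f_t is irreducible exactly
    when the minimal polynomial of theta^t has the full degree 6."""
    return [t for t in range(1, 64) if len(min_poly(fpow(0b10, t, MOD64), MOD64)) < 7]

def example_3_45():
    """zeta = theta * alpha with ord(theta) = 9 and alpha = theta + theta^2 + theta^5 of order 7;
    returns (ord(zeta), minimal polynomial of zeta), expected (63, x^6 + x^4 + x^3 + x + 1)."""
    alpha = 0b100110
    zeta = fmul(0b10, alpha, MOD_Q9)
    return order(zeta, MOD_Q9), poly_int(min_poly(zeta, MOD_Q9))

def example_3_48():
    """Factor g of Example 3.45 over F_4: conjugates with respect to F_4 are beta^(4^i), i.e. k = 2.
    Returns (g_1, g_2, g_1 * g_2) with g_1 having root zeta and g_2 having root zeta^2."""
    zeta = fmul(0b10, 0b100110, MOD_Q9)
    g1 = min_poly(zeta, MOD_Q9, k=2)
    g2 = min_poly(fmul(zeta, zeta, MOD_Q9), MOD_Q9, k=2)
    return g1, g2, poly_int(pmul_field(g1, g2, MOD_Q9))
```

`example_3_43()` returns the six polynomials $x$, $x + 1$, $x^4 + x + 1$, $x^4 + x^3 + x^2 + x + 1$, $x^2 + x + 1$ and $x^4 + x^3 + 1$ of the text; `coset_reps(15)` gives $T = \{1, 3, 5, 7, 15\}$, whose five $g_{t_i}$ are exactly the irreducibles of order dividing 15 with nonzero constant term; and in `example_3_48()` the cubic $g_1$ has coefficients $1, 1, 1, \rho$ with $\rho = \zeta^{21}$ a primitive cube root of unity, while $g_2$ has constant term $\rho^2$.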
4. LINEARIZED POLYNOMIALS

Both in theory and in applications the special class of polynomials to be introduced below is of importance. A useful feature of these polynomials is the structure of the set of roots that facilitates the determination of the roots. Let $q$, as usual, denote a prime power.

3.49. Definition. A polynomial of the form
$$L(x) = \sum_{i=0}^{n}\alpha_i x^{q^i}$$
with coefficients in an extension field $\mathbb{F}_{q^m}$ of $\mathbb{F}_q$ is called a $q$-polynomial over $\mathbb{F}_{q^m}$.

If the value of $q$ is fixed once and for all or is clear from the context, it is also customary to speak of a linearized polynomial. This terminology stems from the following property of linearized polynomials. If $F$ is an arbitrary extension field of $\mathbb{F}_{q^m}$ and $L(x)$ is a linearized polynomial (i.e., a $q$-polynomial) over $\mathbb{F}_{q^m}$, then
$$L(\beta + \gamma) = L(\beta) + L(\gamma) \quad \text{for all } \beta, \gamma \in F, \qquad (3.11)$$
$$L(c\beta) = cL(\beta) \quad \text{for all } c \in \mathbb{F}_q \text{ and all } \beta \in F. \qquad (3.12)$$
The identity (3.11) follows immediately from Theorem 1.46 and (3.12) follows from the fact that $c^{q^i} = c$ for $c \in \mathbb{F}_q$ and $i \ge 0$. Thus, if $F$ is considered as a vector space over $\mathbb{F}_q$, then the linearized polynomial $L(x)$ induces a linear operator on $F$. The special character of the set of roots of a linearized polynomial is shown by the following result.

3.50. Theorem. Let $L(x)$ be a nonzero $q$-polynomial over $\mathbb{F}_{q^m}$ and let the extension field $\mathbb{F}_{q^s}$ of $\mathbb{F}_{q^m}$ contain all the roots of $L(x)$. Then each root of $L(x)$ has the same multiplicity, which is either 1 or a power of $q$, and the roots form a linear subspace of $\mathbb{F}_{q^s}$, where $\mathbb{F}_{q^s}$ is regarded as a vector space over $\mathbb{F}_q$.

Proof. It follows from (3.11) and (3.12) that any linear combination of roots with coefficients in $\mathbb{F}_q$ is again a root, and so the roots of $L(x)$ form a linear subspace of $\mathbb{F}_{q^s}$. If
$$L(x) = \sum_{i=0}^{n}\alpha_i x^{q^i},$$
then $L'(x) = \alpha_0$, so that $L(x)$ has only simple roots in case $\alpha_0 \ne 0$. Otherwise, we have $\alpha_0 = \alpha_1 = \cdots = \alpha_{k-1} = 0$, but $\alpha_k \ne 0$ for some $k \ge 1$, and then
$$L(x) = \sum_{i=k}^{n}\alpha_i x^{q^i} = \sum_{i=k}^{n}\alpha_i^{q^{mk}}x^{q^i} = \Bigl(\sum_{i=k}^{n}\alpha_i^{q^{mk-k}}x^{q^{i-k}}\Bigr)^{q^k},$$
which is the $q^k$th power of a linearized polynomial having only simple roots. In this case, each root of $L(x)$ has multiplicity $q^k$. □

There is also a partial converse of Theorem 3.50, which is given by Theorem 3.52. It depends on a result about certain determinants which extends Corollary 2.38.
3.51. Lemma. Let $\beta_1, \beta_2, \ldots, \beta_n$ be elements of $\mathbb{F}_{q^m}$. Then
$$\begin{vmatrix} \beta_1 & \beta_1^q & \beta_1^{q^2} & \cdots & \beta_1^{q^{n-1}} \\ \beta_2 & \beta_2^q & \beta_2^{q^2} & \cdots & \beta_2^{q^{n-1}} \\ \vdots & \vdots & \vdots & & \vdots \\ \beta_n & \beta_n^q & \beta_n^{q^2} & \cdots & \beta_n^{q^{n-1}} \end{vmatrix} = \beta_1\prod_{j=1}^{n-1}\prod_{c_1,\ldots,c_j \in \mathbb{F}_q}\Bigl(\beta_{j+1} - \sum_{k=1}^{j} c_k\beta_k\Bigr), \qquad (3.13)$$
and so the determinant is $\ne 0$ if and only if $\beta_1, \beta_2, \ldots, \beta_n$ are linearly independent over $\mathbb{F}_q$.

Proof. Let $D_n$ be the determinant on the left-hand side of (3.13). We prove (3.13) by induction on $n$ and note that the formula is trivial for $n = 1$ if the empty product on the right-hand side is interpreted as 1. Suppose the formula is shown for some $n \ge 1$. Consider the polynomial
$$D(x) = \begin{vmatrix} \beta_1 & \beta_1^q & \beta_1^{q^2} & \cdots & \beta_1^{q^n} \\ \beta_2 & \beta_2^q & \beta_2^{q^2} & \cdots & \beta_2^{q^n} \\ \vdots & \vdots & \vdots & & \vdots \\ \beta_n & \beta_n^q & \beta_n^{q^2} & \cdots & \beta_n^{q^n} \\ x & x^q & x^{q^2} & \cdots & x^{q^n} \end{vmatrix}.$$
By expansion along the last row we get
$$D(x) = D_n x^{q^n} + \sum_{i=0}^{n-1}\alpha_i x^{q^i}$$
with $\alpha_i \in \mathbb{F}_{q^m}$ for $0 \le i \le n - 1$. Assume first that $\beta_1, \ldots, \beta_n$ are linearly independent over $\mathbb{F}_q$. We have $D(\beta_k) = 0$ for $1 \le k \le n$, and since $D(x)$ is a $q$-polynomial over $\mathbb{F}_{q^m}$, all linear combinations $c_1\beta_1 + \cdots + c_n\beta_n$ with $c_k \in \mathbb{F}_q$ for $1 \le k \le n$ are roots of $D(x)$. Thus $D(x)$ has $q^n$ distinct roots, so that we obtain a factorization
$$D(x) = D_n\prod_{c_1,\ldots,c_n \in \mathbb{F}_q}\Bigl(x - \sum_{k=1}^{n} c_k\beta_k\Bigr). \qquad (3.14)$$
If $\beta_1, \ldots, \beta_n$ are linearly dependent over $\mathbb{F}_q$, then $D_n = 0$ and $\sum_{k=1}^{n} b_k\beta_k = 0$ for some $b_1, \ldots, b_n \in \mathbb{F}_q$, not all of which are 0. It follows that
$$\sum_{k=1}^{n} b_k\beta_k^{q^j} = \Bigl(\sum_{k=1}^{n} b_k\beta_k\Bigr)^{q^j} = 0 \quad \text{for } j = 0, 1, \ldots, n,$$
and so the first $n$ row vectors in the determinant defining $D(x)$ are linearly dependent over $\mathbb{F}_q$. Thus $D(x) = 0$, and the identity (3.14) is satisfied in all cases. Consequently,
$$D_{n+1} = D(\beta_{n+1}) = D_n\prod_{c_1,\ldots,c_n \in \mathbb{F}_q}\Bigl(\beta_{n+1} - \sum_{k=1}^{n} c_k\beta_k\Bigr),$$
and (3.13) is established. □
3.52. Theorem. Let $U$ be a linear subspace of $\mathbb{F}_{q^m}$, considered as a vector space over $\mathbb{F}_q$. Then for any nonnegative integer $k$ the polynomial
$$L(x) = \prod_{\beta \in U}(x - \beta)^{q^k}$$
is a $q$-polynomial over $\mathbb{F}_{q^m}$.

Proof. Since the $q^k$th power of a $q$-polynomial over $\mathbb{F}_{q^m}$ is again such a polynomial, it suffices to consider the case $k = 0$. Let $\{\beta_1, \ldots, \beta_n\}$ be a basis of $U$ over $\mathbb{F}_q$. Then the determinant $D_n$ on the left-hand side of (3.13) is $\ne 0$ by Lemma 3.51, and so
$$L(x) = \prod_{\beta \in U}(x - \beta) = \prod_{c_1,\ldots,c_n \in \mathbb{F}_q}\Bigl(x - \sum_{k=1}^{n} c_k\beta_k\Bigr) = D_n^{-1}D(x)$$
by (3.14), which shows already that $L(x)$ is a $q$-polynomial over $\mathbb{F}_{q^m}$. □
The properties of linearized polynomials lead to the following method of determining roots of such polynomials. Let
$$L(x) = \sum_{i=0}^{n}\alpha_i x^{q^i}$$
be a $q$-polynomial over $\mathbb{F}_{q^m}$, and suppose we want to find all roots of $L(x)$ in the finite extension $F$ of $\mathbb{F}_{q^m}$. As we noted above, the mapping $L\colon \beta \in F \mapsto L(\beta) \in F$ is a linear operator on the vector space $F$ over $\mathbb{F}_q$. Therefore, $L$ can be represented by a matrix over $\mathbb{F}_q$. Specifically, let $\{\beta_1, \ldots, \beta_s\}$ be a basis of $F$ over $\mathbb{F}_q$, so that every $\beta \in F$ can be written in the form
$$\beta = \sum_{j=1}^{s} c_j\beta_j \quad \text{with } c_j \in \mathbb{F}_q \text{ for } 1 \le j \le s;$$
then
$$L(\beta) = \sum_{j=1}^{s} c_j L(\beta_j).$$
Now let
$$L(\beta_j) = \sum_{k=1}^{s} b_{jk}\beta_k \quad \text{for } 1 \le j \le s,$$
where $b_{jk} \in \mathbb{F}_q$ for $1 \le j, k \le s$, and let $B$ be the $s \times s$ matrix over $\mathbb{F}_q$ whose $(j,k)$ entry is $b_{jk}$. Then, if
$$(c_1, \ldots, c_s)B = (d_1, \ldots, d_s),$$
we have
$$L(\beta) = \sum_{k=1}^{s} d_k\beta_k.$$
Therefore, the equation $L(\beta) = 0$ is equivalent to
$$(c_1, \ldots, c_s)B = (0, \ldots, 0). \qquad (3.15)$$
This is a homogeneous system of $s$ linear equations for $c_1, \ldots, c_s$. If $r$ is the rank of the matrix $B$, then (3.15) has $q^{s-r}$ solution vectors $(c_1, \ldots, c_s)$. Each solution vector $(c_1, \ldots, c_s)$ yields a root $\beta = \sum_{j=1}^{s} c_j\beta_j$ of $L(x)$ in $F$. Thus, the problem of finding the roots of $L(x)$ in $F$ is reduced to the easier problem of solving a homogeneous system of linear equations.
3.53. Example. Consider the linearized polynomial $L(x) = x^9 - x^3 - \alpha x \in \mathbb{F}_9[x]$, where $\alpha$ is a root of the primitive polynomial $x^2 + x - 1$ over $\mathbb{F}_3$. In order to find the roots of $L(x)$ in $\mathbb{F}_{81}$, we choose the basis $\{1, \zeta, \zeta^2, \zeta^3\}$ of $\mathbb{F}_{81}$ over $\mathbb{F}_3$, where $\zeta$ is a root of the primitive polynomial $x^4 + x^3 + x^2 - x - 1$ over $\mathbb{F}_3$ (compare with Example 3.44). Because of the orders involved, we must have $\alpha = \zeta^{10j}$ with $j = 1, 3, 5$, or $7$, and since $\zeta^{20} + \zeta^{10} - 1 = 0$, we can take $\alpha = \zeta^{10} = -1 + \zeta + \zeta^2 - \zeta^3$. Next, we calculate
$$L(1) = -\alpha = 1 - \zeta - \zeta^2 + \zeta^3,$$
$$L(\zeta) = \zeta^9 - \zeta^3 - \alpha\zeta = -\zeta - \zeta^2 - \zeta^3,$$
$$L(\zeta^2) = \zeta^{18} - \zeta^6 - \alpha\zeta^2 = -1 + \zeta^3,$$
$$L(\zeta^3) = \zeta^{27} - \zeta^9 - \alpha\zeta^3 = 1 - \zeta^3,$$
and so we get
$$B = \begin{pmatrix} 1 & -1 & -1 & 1 \\ 0 & -1 & -1 & -1 \\ -1 & 0 & 0 & 1 \\ 1 & 0 & 0 & -1 \end{pmatrix}.$$
The system (3.15) has two linearly independent solutions, such as $(0, 0, 1, 1)$ and $(-1, 1, 0, 1)$. All solutions of (3.15) are obtained by forming all linear combinations of these two vectors with coefficients in $\mathbb{F}_3$. The roots of $L(x)$ in $\mathbb{F}_{81}$ are then $\theta_1 = 0$, $\theta_2 = \zeta^2 + \zeta^3$, $\theta_3 = -\zeta^2 - \zeta^3$, $\theta_4 = -1 + \zeta + \zeta^3$, $\theta_5 = 1 - \zeta - \zeta^3$, $\theta_6 = -1 + \zeta + \zeta^2 - \zeta^3$, $\theta_7 = 1 - \zeta - \zeta^2 + \zeta^3$, $\theta_8 = 1 - \zeta + \zeta^2$, $\theta_9 = -1 + \zeta - \zeta^2$. $\square$

This method of finding roots can also be applied to a somewhat more general class of polynomials, namely, affine polynomials.

3.54. Definition. A polynomial of the form $A(x) = L(x) - \alpha$, where $L(x)$ is a $q$-polynomial over $\mathbb{F}_{q^m}$ and $\alpha \in \mathbb{F}_{q^m}$, is called an affine $q$-polynomial over $\mathbb{F}_{q^m}$.

An element $\beta \in F$ is a root of $A(x)$ if and only if $L(\beta) = \alpha$. In the notation of (3.15), the equation $L(\beta) = \alpha$ is equivalent to
$$(c_1, \ldots, c_s) B = (d_1, \ldots, d_s), \tag{3.16}$$
where $\alpha = \sum_{k=1}^s d_k \beta_k$. The system (3.16) of linear equations is solved for $c_1, \ldots, c_s$, and each solution vector $(c_1, \ldots, c_s)$ yields a root $\beta = \sum_{j=1}^s c_j \beta_j$ of $A(x)$ in $F$.

The fact that roots are easier to determine for affine polynomials suggests the following method of finding the roots of an arbitrary polynomial $f(x)$ over $\mathbb{F}_{q^m}$ of positive degree in an extension field $F$ of $\mathbb{F}_{q^m}$. First determine a nonzero affine $q$-polynomial $A(x)$ over $\mathbb{F}_{q^m}$ that is divisible by $f(x)$, that is, a so-called affine multiple of $f(x)$. Next, obtain all the roots of $A(x)$ in $F$ by the method described above. Since the roots of $f(x)$ in $F$ must be among the roots of $A(x)$ in $F$, it suffices then to calculate $f(\beta)$ for all roots $\beta$ of $A(x)$ in $F$ in order to locate the roots of $f(x)$ in $F$.

The only point that remains to be settled is how to determine an affine multiple $A(x)$ of $f(x)$. This can be achieved as follows. Let $n \ge 1$ be the degree of $f(x)$. For $i = 0, 1, \ldots, n-1$, calculate the unique polynomial $r_i(x)$ of degree $\le n-1$ with $x^{q^i} \equiv r_i(x) \bmod f(x)$. Then determine elements $\alpha_i \in \mathbb{F}_{q^m}$, not all 0, such that $\sum_{i=0}^{n-1} \alpha_i r_i(x)$ is a constant polynomial. This involves $n-1$ conditions concerning the vanishing of the coefficients of $x^j$, $1 \le j \le n-1$, and thus leads to a homogeneous system of $n-1$ linear equations for the $n$ unknowns $\alpha_0, \alpha_1, \ldots, \alpha_{n-1}$. Such a system always has a nontrivial solution. Once a nontrivial solution has been fixed, we have $\sum_{i=0}^{n-1} \alpha_i r_i(x) = \alpha$ for some $\alpha \in \mathbb{F}_{q^m}$. It follows that
$$\sum_{i=0}^{n-1} \alpha_i x^{q^i} \equiv \sum_{i=0}^{n-1} \alpha_i r_i(x) \equiv \alpha \bmod f(x),$$
and so
$$A(x) = \sum_{i=0}^{n-1} \alpha_i x^{q^i} - \alpha$$
is a nonzero affine $q$-polynomial over $\mathbb{F}_{q^m}$ divisible by $f(x)$. It is clear that we may take $A(x)$ to be a monic polynomial.
3.55. Example. Let $f(x) = x^4 + \theta^2 x^3 + \theta x^2 + x + \theta \in \mathbb{F}_4[x]$, where $\theta$ is a root of $x^2 + x + 1 \in \mathbb{F}_2[x]$. We want to find the roots of $f(x)$ in $\mathbb{F}_{64}$. We first determine an affine multiple $A(x)$ of $f(x)$ by using the method described above with $q = 2$. Modulo $f(x)$ we have
$$x \equiv x = r_0(x), \qquad x^2 \equiv x^2 = r_1(x),$$
$$x^4 \equiv \theta^2 x^3 + \theta x^2 + x + \theta = r_2(x), \qquad x^8 \equiv \theta x^3 + \theta x^2 + x + \theta = r_3(x).$$
The condition that $\alpha_0 r_0(x) + \alpha_1 r_1(x) + \alpha_2 r_2(x) + \alpha_3 r_3(x)$ should be a constant polynomial leads to the system
$$\theta^2 \alpha_2 + \theta \alpha_3 = 0, \qquad \alpha_1 + \theta \alpha_2 + \theta \alpha_3 = 0, \qquad \alpha_0 + \alpha_2 + \alpha_3 = 0.$$
We choose $\alpha_3 = 1$ and then obtain $\alpha_2 = \theta^2$, $\alpha_1 = \theta^2$, $\alpha_0 = \theta$. Furthermore,
$$\alpha_0 r_0(x) + \alpha_1 r_1(x) + \alpha_2 r_2(x) + \alpha_3 r_3(x) = \theta^2,$$
and so
$$A(x) = \alpha_3 x^8 + \alpha_2 x^4 + \alpha_1 x^2 + \alpha_0 x - \theta^2 = x^8 + \theta^2 x^4 + \theta^2 x^2 + \theta x + \theta^2.$$
Next, we calculate the roots of $A(x)$ in $\mathbb{F}_{64}$. We have to solve the equation $L(x) = \theta^2$ with the 2-polynomial $L(x) = x^8 + \theta^2 x^4 + \theta^2 x^2 + \theta x$ over $\mathbb{F}_4$. Let $\zeta$ be a root of the primitive polynomial $x^6 + x + 1$ over $\mathbb{F}_2$. Then $\{1, \zeta, \zeta^2, \zeta^3, \zeta^4, \zeta^5\}$ is a basis of $\mathbb{F}_{64}$ over $\mathbb{F}_2$. Since $\theta$ is a primitive third root of unity over $\mathbb{F}_2$, we can take $\theta = \zeta^{21} = 1 + \zeta + \zeta^3 + \zeta^4 + \zeta^5$. Using $\theta^2 = \theta + 1 = \zeta + \zeta^3 + \zeta^4 + \zeta^5$, we obtain
$$L(1) = \zeta + \zeta^3 + \zeta^4 + \zeta^5, \qquad L(\zeta) = \zeta + \zeta^2 + \zeta^5, \qquad L(\zeta^2) = \zeta^2 + \zeta^3 + \zeta^4 + \zeta^5,$$
$$L(\zeta^3) = \zeta + \zeta^3 + \zeta^4, \qquad L(\zeta^4) = \zeta^5, \qquad L(\zeta^5) = \zeta^2 + \zeta^3 + \zeta^4.$$
Thus the matrix $B$ in (3.16) is given by
$$B = \begin{pmatrix} 0 & 1 & 0 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 \\ 0 & 0 & 1 & 1 & 1 & 1 \\ 0 & 1 & 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 1 & 1 & 0 \end{pmatrix}.$$
From the representation for $\theta^2$ given above it follows that the vector $(d_1, \ldots, d_6)$ in (3.16) is equal to $(0, 1, 0, 1, 1, 1)$. The general solution of the system (3.16) is then
$$(1, 0, 0, 0, 0, 0) + a_1 (0, 1, 1, 1, 0, 0) + a_2 (1, 1, 1, 0, 1, 0) + a_3 (1, 1, 0, 0, 0, 1)$$
with $a_1, a_2, a_3 \in \mathbb{F}_2$. Thus the roots of $A(x)$ in $\mathbb{F}_{64}$ are $\xi_1 = 1$, $\xi_2 = \zeta + \zeta^5$, $\xi_3 = \zeta + \zeta^2 + \zeta^4$, $\xi_4 = 1 + \zeta^2 + \zeta^4 + \zeta^5$, $\xi_5 = 1 + \zeta + \zeta^2 + \zeta^3$, $\xi_6 = \zeta^2 + \zeta^3 + \zeta^5$, $\xi_7 = \zeta^3 + \zeta^4$, $\xi_8 = 1 + \zeta + \zeta^3 + \zeta^4 + \zeta^5 = \theta$. By calculating $f(\xi_j)$ for $j = 1, 2, \ldots, 8$, we find that the roots of $f(x)$ in $\mathbb{F}_{64}$ are $\xi_3, \xi_5, \xi_7, \xi_8$. $\square$
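The computation of Example 3.55 carried out in code, as an added example that is not part of the book. It represents $\mathbb{F}_{64}$ as 6-bit vectors over the basis $\{1, \zeta, \ldots, \zeta^5\}$ of the example (so a solution vector of (3.16) is literally the root it encodes), builds the affine multiple $A(x)$ of $f(x)$ from the residues $x^{2^i} \bmod f(x)$, solves the system (3.16) by Gaussian elimination over $\mathbb{F}_2$, and keeps the solutions at which $f$ vanishes. All function names are ours; where the text solves a homogeneous system for $\alpha_0, \ldots, \alpha_3$, the code takes the shortcut of enumerating the $4^4$ candidate vectors over $\mathbb{F}_4$ (an assumption of this example, not the book's procedure).

```python
"""Example 3.55 in code: an affine multiple of f, then the linear system (3.16) over F_2.
Added example, not the book's code.  An element of F_64 = F_2[zeta]/(zeta^6 + zeta + 1) is a
6-bit int whose bit j is its coordinate at zeta^j: the basis {1, zeta, ..., zeta^5} of the page."""
import itertools

MOD, DEG, ZETA = 0b1000011, 6, 0b10          # zeta^6 + zeta + 1 is primitive over F_2

def gf_mul(a, b):                            # product in F_64: carry-less multiply, reduce by zeta^6 = zeta + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> DEG:
            a ^= MOD
    return r

def gf_pow(a, e):                            # exponents here are tiny, so plain repetition
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

THETA = gf_pow(ZETA, 21)                     # theta = zeta^21, a primitive cube root of unity
F4 = [0, 1, THETA, gf_mul(THETA, THETA)]     # the subfield F_4 = {0, 1, theta, theta^2}

def poly_mod(p, f):                          # p mod the monic f; coefficient lists, lowest degree first
    while len(p) >= len(f):
        c, shift = p[-1], len(p) - len(f)
        for i, fc in enumerate(f):
            p[shift + i] ^= gf_mul(c, fc)
        p.pop()
    return p

def poly_eval(p, x):
    r = 0
    for c in reversed(p):
        r = gf_mul(r, x) ^ c
    return r

def lin_eval(a, x):                          # L(x) = sum_i a_i x^(2^i) for the 2-polynomial with coefficients a
    r = 0
    for i, ai in enumerate(a):
        r ^= gf_mul(ai, gf_pow(x, 1 << i))
    return r

def affine_multiple(f):
    """Monic A(x) = sum_i a_i x^(2^i) - alpha divisible by f, returned as (a_0..a_{n-1}, alpha).
    The book solves a homogeneous system for the a_i; this example enumerates F_4^n instead."""
    n = len(f) - 1
    r, cur = [], [0, 1] + [0] * (n - 2)      # cur = x = r_0(x), padded to n coefficients
    for _ in range(n):
        r.append(cur)                        # r_i(x) = x^(2^i) mod f(x)
        cur = poly_mod([gf_mul(cur[k // 2], cur[k // 2]) if k % 2 == 0 else 0   # char 2: squaring
                        for k in range(2 * n - 1)], f)                          # spreads coefficients
    for a in itertools.product(F4, repeat=n):
        s = [0] * n                          # s(x) = sum_i a_i r_i(x)
        for ai, ri in zip(a, r):
            for k in range(n):
                s[k] ^= gf_mul(ai, ri[k])
        if any(a) and not any(s[1:]):        # nontrivial, and only the constant term survives
            a = list(a[:max(i for i, ai in enumerate(a) if ai) + 1])
            inv = gf_pow(a[-1], 62)          # a^62 = a^(-1) in F_64^*, which makes A(x) monic
            return [gf_mul(inv, ai) for ai in a], gf_mul(inv, s[0])

def solve_gf2(rows, rhs):
    """All c in F_2^6 (bit masks) with XOR of rows[j] over the set bits j == rhs: (c)B = (d) of (3.16)."""
    eqs = [[sum(1 << j for j, row in enumerate(rows) if (row >> k) & 1), (rhs >> k) & 1]
           for k in range(DEG)]              # one equation per coordinate k of F_64
    pivots, top = {}, 0                      # Gauss-Jordan elimination over F_2
    for col in range(DEG):
        sel = next((i for i in range(top, DEG) if (eqs[i][0] >> col) & 1), None)
        if sel is None:
            continue
        eqs[top], eqs[sel] = eqs[sel], eqs[top]
        for i in range(DEG):
            if i != top and (eqs[i][0] >> col) & 1:
                eqs[i] = [eqs[i][0] ^ eqs[top][0], eqs[i][1] ^ eqs[top][1]]
        pivots[col], top = top, top + 1
    if any(m == 0 and b == 1 for m, b in eqs):
        return []                            # inconsistent system: A(x) has no root in F_64
    free = [c for c in range(DEG) if c not in pivots]
    sols = []
    for bits in range(1 << len(free)):       # q^(s - rank) solutions, as the text says
        c = sum(1 << col for t, col in enumerate(free) if (bits >> t) & 1)
        for col, i in pivots.items():        # each pivot variable is fixed by the free ones
            c |= (eqs[i][1] ^ (bin(eqs[i][0] & c).count("1") & 1)) << col
        sols.append(c)
    return sols

def affine_roots(a, alpha):
    """Roots of A(x) = L(x) - alpha in F_64 via (3.16); row j of B is L(zeta^j) in the bit basis."""
    return sorted(solve_gf2([lin_eval(a, 1 << j) for j in range(DEG)], alpha))

def roots_in_f64(f):
    """Roots of f in F_64: the roots of its affine multiple, filtered by f itself."""
    return [b for b in affine_roots(*affine_multiple(f)) if poly_eval(f, b) == 0]

F_POLY = [THETA, 1, THETA, F4[3], 1]         # f(x) = x^4 + theta^2 x^3 + theta x^2 + x + theta
```

`affine_multiple(F_POLY)` returns the coefficients $(\theta, \theta^2, \theta^2, 1)$ of $x, x^2, x^4, x^8$ and the constant $\theta^2$, `affine_roots` returns all eight roots $\xi_1, \ldots, \xi_8$ of $A(x)$ as bit masks, and `roots_in_f64(F_POLY)` returns `[15, 22, 24, 59]`, the encodings of $\xi_5, \xi_3, \xi_7, \xi_8$. The same `solve_gf2` reports an empty solution set when the right-hand side is not in the image of $L$, which is the case in which $A(x)$ has no root in $\mathbb{F}_{64}$.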
The method of determining the roots of an affine polynomial shows, in particular, that these roots form an affine subspace, that is, a translate of a linear subspace. This can also be deduced from abstract principles, together with a statement concerning multiplicities.

3.56. Theorem. Let $A(x)$ be an affine $q$-polynomial over $\mathbb{F}_{q^m}$ of positive degree and let the extension field $\mathbb{F}_{q^s}$ of $\mathbb{F}_{q^m}$ contain all the roots of $A(x)$. Then each root of $A(x)$ has the same multiplicity, which is either 1 or a power of $q$, and the roots form an affine subspace of $\mathbb{F}_{q^s}$, where $\mathbb{F}_{q^s}$ is regarded as a vector space over $\mathbb{F}_q$.

Proof. The result about the multiplicities is shown in the same way as in the proof of Theorem 3.50. Now let $A(x) = L(x) - \alpha$, where $L(x)$ is a $q$-polynomial over $\mathbb{F}_{q^m}$, and let $\beta$ be a fixed root of $A(x)$. Then $\gamma$ is a root of $A(x)$ if and only if $L(\gamma) = \alpha = L(\beta)$ if and only if $L(\gamma - \beta) = 0$ if and only if $\gamma \in \beta + U$, where $U$ is the linear subspace of $\mathbb{F}_{q^s}$ consisting of the roots of $L(x)$. Thus the roots of $A(x)$ form an affine subspace of $\mathbb{F}_{q^s}$. $\square$

3.57. Theorem. Let $T$ be an affine subspace of $\mathbb{F}_{q^m}$, considered as a vector space over $\mathbb{F}_q$. Then for any nonnegative integer $k$ the polynomial
$$A(x) = \prod_{\gamma \in T} (x - \gamma)^{q^k}$$
is an affine $q$-polynomial over $\mathbb{F}_{q^m}$.

Proof. Let $T = \xi + U$, where $U$ is a linear subspace of $\mathbb{F}_{q^m}$. Then
$$L(x) = \prod_{\beta \in U} (x - \beta)^{q^k}$$
is a $q$-polynomial over $\mathbb{F}_{q^m}$ according to Theorem 3.52. Furthermore,
$$A(x) = \prod_{\gamma \in T} (x - \gamma)^{q^k} = \prod_{\beta \in U} (x - \xi - \beta)^{q^k} = L(x - \xi),$$
and $L(x - \xi)$ is easily seen to be an affine $q$-polynomial over $\mathbb{F}_{q^m}$. $\square$

The ordinary product of linearized polynomials need not be a linearized polynomial. However, the composition $L_1(L_2(x))$ of two $q$-polynomials $L_1(x)$, $L_2(x)$ over $\mathbb{F}_{q^m}$ is again a $q$-polynomial. Instead of the word composition (or substitution) we use the phrase "symbolic multiplication." Thus, we define symbolic multiplication by
$$L_1(x) \otimes L_2(x) = L_1(L_2(x)).$$
If we consider only $q$-polynomials over $\mathbb{F}_q$, then a simple investigation shows that symbolic multiplication is commutative, associative, and distributive (with respect to ordinary addition). In fact, the set of $q$-polynomials over $\mathbb{F}_q$ forms an integral domain under the operations of symbolic multiplication and ordinary addition. The operation of symbolic multiplication can be related to the conventional arithmetic of polynomials by means of the following notion.

3.58. Definition. The polynomials
$$l(x) = \sum_{i=0}^n a_i x^i \quad \text{and} \quad L(x) = \sum_{i=0}^n a_i x^{q^i}$$
over $\mathbb{F}_{q^m}$ are called $q$-associates of each other. More specifically, $l(x)$ is the conventional $q$-associate of $L(x)$ and $L(x)$ is the linearized $q$-associate of $l(x)$.

3.59. Lemma. Let $L_1(x)$ and $L_2(x)$ be $q$-polynomials over $\mathbb{F}_q$ with conventional $q$-associates $l_1(x)$ and $l_2(x)$. Then $l(x) = l_1(x) l_2(x)$ and $L(x) = L_1(x) \otimes L_2(x)$ are $q$-associates of each other.

Proof. The equations
$$l(x) = \sum_i a_i x^i = \sum_j b_j x^j \sum_k c_k x^k = l_1(x) l_2(x)$$
and
$$L(x) = \sum_i a_i x^{q^i} = \sum_j b_j \Bigl(\sum_k c_k x^{q^k}\Bigr)^{q^j} = L_1(x) \otimes L_2(x)$$
are each true if and only if
$$a_i = \sum_{j+k=i} b_j c_k \quad \text{for every } i. \ \square$$

If $L_1(x)$ and $L(x)$ are $q$-polynomials over $\mathbb{F}_q$, we say that $L_1(x)$ symbolically divides $L(x)$ (or that $L(x)$ is symbolically divisible by $L_1(x)$) if $L(x) = L_1(x) \otimes L_2(x)$ for some $q$-polynomial $L_2(x)$ over $\mathbb{F}_q$. The following criterion is then an immediate consequence of Lemma 3.59.

3.60. Corollary. Let $L_1(x)$ and $L(x)$ be $q$-polynomials over $\mathbb{F}_q$ with conventional $q$-associates $l_1(x)$ and $l(x)$. Then $L_1(x)$ symbolically divides $L(x)$ if and only if $l_1(x)$ divides $l(x)$.

3.61. Example. Let $L(x)$ be a $q$-polynomial over $\mathbb{F}_q$ that symbolically divides $x^{q^m} - x$ for some $m \in \mathbb{N}$. Then there exists a $q$-polynomial $L_1(x)$ over $\mathbb{F}_q$ such that
$$L_1(L(x)) = x^{q^m} - x. \tag{3.17}$$
This can be applied as follows. Let $\alpha$ be a fixed element of $\mathbb{F}_{q^m}$. Then the affine polynomial $L(x) - \alpha$ has at least one root in $\mathbb{F}_{q^m}$ if and only if $L_1(\alpha) = 0$, and if $L_1(\alpha) = 0$, then actually all the roots of $L(x) - \alpha$ are in $\mathbb{F}_{q^m}$. For if $\beta \in \mathbb{F}_{q^m}$ is a root of $L(x) - \alpha$, then $L(\beta) = \alpha$, and substituting $x$ by $\beta$ in (3.17) yields $L_1(\alpha) = \beta^{q^m} - \beta = 0$. Conversely, suppose $L_1(\alpha) = 0$ and let $\gamma$ be a root of $L(x) - \alpha$ in some extension field of $\mathbb{F}_{q^m}$; then $L(\gamma) = \alpha$, and substituting $x$ by $\gamma$ in (3.17) yields $\gamma^{q^m} - \gamma = L_1(\alpha) = 0$, so that $\gamma \in \mathbb{F}_{q^m}$. The polynomial $L_1(x)$ can be calculated by letting $l(x)$ be the conventional $q$-associate of $L(x)$, determining $l_1(x) = (x^m - 1)/l(x)$, and then taking $L_1(x)$ to be the linearized $q$-associate of $l_1(x)$. This application contains Theorem 2.25 as a special case, as one sees easily by choosing $L(x) = x^q - x$. $\square$

It is an important fact that although symbolic multiplication and ordinary multiplication are quite different operations, the divisibility concepts for linearized polynomials based on these operations are equivalent.

3.62. Theorem. Let $L_1(x)$ and $L(x)$ be $q$-polynomials over $\mathbb{F}_q$ with conventional $q$-associates $l_1(x)$ and $l(x)$. Then the following properties are equivalent: (i) $L_1(x)$ symbolically divides $L(x)$; (ii) $L_1(x)$ divides $L(x)$ in the ordinary sense; (iii) $l_1(x)$ divides $l(x)$.

Proof. Since the equivalence of (i) and (iii) has been established in Corollary 3.60, it suffices to show the equivalence of (i) and (ii). If $L_1(x)$ symbolically divides $L(x)$, then $L(x) = L_1(x) \otimes L_2(x) = L_2(x) \otimes L_1(x) = L_2(L_1(x))$ for some $q$-polynomial $L_2(x)$ over $\mathbb{F}_q$. Let
$$L_2(x) = \sum_{i=0}^n a_i x^{q^i};$$
then
$$L(x) = a_0 L_1(x) + a_1 L_1(x)^q + \cdots + a_n L_1(x)^{q^n},$$
and so $L_1(x)$ divides $L(x)$ in the ordinary sense. Conversely, suppose $L_1(x)$ divides $L(x)$ in the ordinary sense, where we can assume that $L_1(x)$ is nonzero. Using the division algorithm, we write $l(x) = k(x) l_1(x) + r(x)$, where $\deg(r(x)) < \deg(l_1(x))$, and turning to linearized $q$-associates we get in an obvious notation $L(x) = K(x) \otimes L_1(x) + R(x)$. By what we have already shown, $L_1(x)$ divides $K(x) \otimes L_1(x)$ in the ordinary sense, and so $L_1(x)$ divides $R(x)$ in the ordinary sense. But since $\deg(R(x)) < \deg(L_1(x))$, $R(x)$ must be the zero polynomial, and this proves that $L_1(x)$ symbolically divides $L(x)$. $\square$

This result can be used to establish an interesting relationship between an irreducible polynomial and the irreducible factors of its linearized $q$-associate.
3.63. Theorem. Let $f(x)$ be irreducible in $\mathbb{F}_q[x]$ and let $F(x)$ be its linearized $q$-associate. Then the degree of every irreducible factor of $F(x)/x$ in $\mathbb{F}_q[x]$ is equal to $\operatorname{ord}(f(x))$.

Proof. Since the case $f(0) = 0$ is trivial, we can assume $f(0) \ne 0$. Put $e = \operatorname{ord}(f(x))$ and let $h(x) \in \mathbb{F}_q[x]$ be an irreducible factor of $F(x)/x$ of degree $d$. Then $f(x)$ divides $x^e - 1$, and so by Theorem 3.62 $F(x)$ divides $x^{q^e} - x$. It follows that $h(x)$ divides $x^{q^e} - x$, hence $d$ divides $e$ by Theorem 3.20. By the division algorithm, we can write $x^d - 1 = g(x) f(x) + r(x)$ with $g(x), r(x) \in \mathbb{F}_q[x]$ and $\deg(r(x)) < \deg(f(x))$. Turning to linearized $q$-associates, we get
$$x^{q^d} - x = G(x) \otimes F(x) + R(x),$$
and since $h(x)$ divides $x^{q^d} - x$ and $G(x) \otimes F(x)$, it follows that $h(x)$ divides $R(x)$. If $r(x)$ is not the zero polynomial, then $r(x)$ and $f(x)$ are relatively prime, and so by Theorem 1.55 there exist polynomials $s(x), k(x) \in \mathbb{F}_q[x]$ with
$$s(x) r(x) + k(x) f(x) = 1.$$
Turning to linearized $q$-associates, we get $S(x) \otimes R(x) + K(x) \otimes F(x) = x$. Since $h(x)$ divides $R(x)$ and $F(x)$, it follows that $h(x)$ divides $x$, which is impossible. Thus $r(x)$ is the zero polynomial, so that $f(x)$ divides $x^d - 1$, and therefore $e$ divides $d$ by Lemma 3.6. Altogether, we have shown $d = e$. $\square$

We say that a $q$-polynomial $L(x)$ over $\mathbb{F}_q$ of degree $> 1$ is symbolically irreducible over $\mathbb{F}_q$ if the only symbolic decompositions $L(x) = L_1(x) \otimes L_2(x)$ with $q$-polynomials $L_1(x)$, $L_2(x)$ over $\mathbb{F}_q$ are those for which one of the factors has degree 1. A symbolically irreducible polynomial is always reducible in the ordinary sense since any linearized polynomial of degree $> 1$ has the nontrivial factor $x$. By using Lemma 3.59, one shows immediately that the $q$-polynomial $L(x)$ is symbolically irreducible over $\mathbb{F}_q$ if and only if its conventional $q$-associate $l(x)$ is irreducible over $\mathbb{F}_q$.

Every $q$-polynomial $L(x)$ over $\mathbb{F}_q$ of degree $> 1$ has a symbolic factorization into symbolically irreducible polynomials over $\mathbb{F}_q$, and this factorization is essentially unique, in the sense that all other symbolic factorizations are obtained by rearranging factors and by multiplying factors by nonzero elements of $\mathbb{F}_q$. Using the correspondence between linearized polynomials and their conventional $q$-associates, one sees that the symbolic factorization of $L(x)$ is obtained by writing down the canonical factorization in $\mathbb{F}_q[x]$ of its conventional $q$-associate $l(x)$ and then turning to linearized $q$-associates.

3.64. Example. Consider the 2-polynomial $L(x) = x^{16} + x^8 + x^2 + x$ over $\mathbb{F}_2$. Its conventional 2-associate $l(x) = x^4 + x^3 + x + 1$ has the canonical factorization $l(x) = (x^2 + x + 1)(x + 1)^2$ in $\mathbb{F}_2[x]$. Thus,
$$L(x) = (x^4 + x^2 + x) \otimes (x^2 + x) \otimes (x^2 + x)$$
is the symbolic factorization of $L(x)$ into symbolically irreducible polynomials over $\mathbb{F}_2$. $\square$
For two or more $q$-polynomials over $\mathbb{F}_q$, not all of them 0, we may define their greatest common symbolic divisor to be the monic $q$-polynomial over $\mathbb{F}_q$ of highest degree that symbolically divides all of them. In order to compare this notion with that of the ordinary greatest common divisor, we note first that the roots of the greatest common divisor are exactly the common roots of the given $q$-polynomials. Since the intersection of linear subspaces is another linear subspace, it follows that the roots of the greatest common divisor form a linear subspace of some extension field $\mathbb{F}_{q^m}$, considered as a vector space over $\mathbb{F}_q$. Furthermore, by applying the first part of Theorem 3.50 to the given $q$-polynomials, we conclude that each root of the greatest common divisor has the same multiplicity, which is either 1 or a power of $q$. Therefore, Theorem 3.52 implies that the greatest common divisor is a $q$-polynomial. It follows then from Theorem 3.62 that the greatest common divisor and the greatest common symbolic divisor are identical. An efficient way of calculating the greatest common (symbolic) divisor of $q$-polynomials over $\mathbb{F}_q$ is to consider the conventional $q$-associates and determine their greatest common divisor; then the linearized $q$-associate of this greatest common divisor is the greatest common (symbolic) divisor of the given $q$-polynomials.

By Theorem 3.50 the roots of a nonzero $q$-polynomial over $\mathbb{F}_q$ form a vector space over $\mathbb{F}_q$. The roots have the additional property that the $q$th power of a root is again a root. A finite-dimensional vector space $M$ over $\mathbb{F}_q$ that is contained in some extension field of $\mathbb{F}_q$ and has the property that the $q$th power of every element of $M$ is again in $M$ is called a $q$-modulus. On the basis of this concept we can establish the following criterion.

3.65. Theorem. The monic polynomial $L(x)$ is a $q$-polynomial over $\mathbb{F}_q$ if and only if each root of $L(x)$ has the same multiplicity, which is either 1 or a power of $q$, and the roots form a $q$-modulus.

Proof. The necessity of the conditions follows from Theorem 3.50 and the remarks above. Conversely, the given conditions and Theorem 3.52 imply that $L(x)$ is a $q$-polynomial over some extension field of $\mathbb{F}_q$. If $M$ is the $q$-modulus consisting of the roots of $L(x)$, then
$$L(x) = \prod_{\beta \in M} (x - \beta)^{q^k}$$
for some nonnegative integer $k$. Since $M = \{\beta^q : \beta \in M\}$, we obtain
$$L(x)^q = \prod_{\beta \in M} (x^q - \beta^q)^{q^k} = \prod_{\beta \in M} (x^q - \beta)^{q^k} = L(x^q).$$
If
$$L(x) = \sum_{i=0}^n a_i x^{q^i},$$
then
$$\sum_{i=0}^n a_i^q x^{q^{i+1}} = L(x)^q = L(x^q) = \sum_{i=0}^n a_i x^{q^{i+1}},$$
so that for $0 \le i \le n$ we have $a_i^q = a_i$ and thus $a_i \in \mathbb{F}_q$. Therefore, $L(x)$ is a $q$-polynomial over $\mathbb{F}_q$. $\square$
Any $q$-polynomial over $\mathbb{F}_q$ of degree $q$ is symbolically irreducible over $\mathbb{F}_q$. For $q$-polynomials of degree $> q$, the notion of $q$-modulus can be used to characterize symbolically irreducible polynomials.

3.66. Theorem. The $q$-polynomial $L(x)$ over $\mathbb{F}_q$ of degree $> q$ is symbolically irreducible over $\mathbb{F}_q$ if and only if $L(x)$ has simple roots and the $q$-modulus $M$ consisting of the roots of $L(x)$ contains no $q$-modulus other than $\{0\}$ and $M$ itself.

Proof. Suppose $L(x)$ is symbolically irreducible over $\mathbb{F}_q$. If $L(x)$ had multiple roots, then Theorem 3.65 would imply that we could write $L(x) = L_1(x)^q$ with a $q$-polynomial $L_1(x)$ over $\mathbb{F}_q$ of degree $> 1$. But then $L(x) = x^q \otimes L_1(x)$, a contradiction to the symbolic irreducibility of $L(x)$. Thus $L(x)$ has only simple roots. Furthermore, if $N$ is a $q$-modulus contained in $M$, then Theorem 3.65 shows that $L_1(x) = \prod_{\beta \in N} (x - \beta)$ is a $q$-polynomial over $\mathbb{F}_q$. Since $L_1(x)$ divides $L(x)$ in the ordinary sense, it symbolically divides $L(x)$ by Theorem 3.62. But $L(x)$ is symbolically irreducible over $\mathbb{F}_q$, and so $\deg(L_1(x))$ must be either 1 or $\deg(L(x))$; that is, $N$ is either $\{0\}$ or $M$. To prove the sufficiency of the condition, suppose that $L(x) = L_1(x) \otimes L_2(x)$ is a symbolic decomposition with $q$-polynomials $L_1(x)$, $L_2(x)$ over $\mathbb{F}_q$. Then $L_1(x)$ symbolically divides $L(x)$, and so it divides $L(x)$ in the ordinary sense by Theorem 3.62. It follows that $L_1(x)$ has simple roots and that the $q$-modulus $N$ consisting of the roots of $L_1(x)$ is contained in $M$. Consequently, $N$ is either $\{0\}$ or $M$, and so $\deg(L_1(x))$ is either 1 or $\deg(L(x))$. Thus, either $L_1(x)$ or $L_2(x)$ is of degree 1, which means that $L(x)$ is symbolically irreducible over $\mathbb{F}_q$. $\square$

3.67. Definition. Let $L(x)$ be a nonzero $q$-polynomial over $\mathbb{F}_{q^m}$. A root $\zeta$ of $L(x)$ is called a $q$-primitive root over $\mathbb{F}_{q^m}$ if it is not a root of any nonzero $q$-polynomial over $\mathbb{F}_{q^m}$ of lower degree.

This concept may also be viewed as follows. Let $g(x)$ be the minimal polynomial of $\zeta$ over $\mathbb{F}_{q^m}$. Then $\zeta$ is a $q$-primitive root of $L(x)$ over $\mathbb{F}_{q^m}$ if and only if $g(x)$ divides $L(x)$ and $g(x)$ does not divide any nonzero $q$-polynomial over $\mathbb{F}_{q^m}$ of lower degree. Given an element $\zeta$ of a finite extension field of $\mathbb{F}_{q^m}$, one can always find a nonzero $q$-polynomial over $\mathbb{F}_{q^m}$ for which $\zeta$ is a $q$-primitive root over $\mathbb{F}_{q^m}$. To see this, we proceed as in the construction of an affine multiple. Let $g(x)$ be the minimal polynomial of $\zeta$ over $\mathbb{F}_{q^m}$, let $n$ be the degree of $g(x)$, and calculate for $i = 0, 1, \ldots, n$ the unique polynomial $r_i(x)$ of degree $\le n - 1$ with $x^{q^i} \equiv r_i(x) \bmod g(x)$. Then determine elements $\alpha_i \in \mathbb{F}_{q^m}$, not all 0, such that $\sum_{i=0}^n \alpha_i r_i(x) = 0$. This involves $n$ conditions concerning the vanishing of the coefficients of $x^j$, $0 \le j \le n - 1$, and thus leads to a homogeneous system of $n$ linear equations for the $n + 1$ unknowns $\alpha_0, \alpha_1, \ldots, \alpha_n$. Such a system always has a nontrivial solution, and with such a solution we get
$$L(x) = \sum_{i=0}^n \alpha_i x^{q^i} \equiv \sum_{i=0}^n \alpha_i r_i(x) = 0 \bmod g(x),$$
so that $L(x)$ is a nonzero $q$-polynomial over $\mathbb{F}_{q^m}$ divisible by $g(x)$. By choosing the $\alpha_i$ in such a way that $L(x)$ is monic and of the lowest possible degree, one finds that $\zeta$ is a $q$-primitive root of $L(x)$ over $\mathbb{F}_{q^m}$. It is easily seen that this monic $q$-polynomial $L(x)$ over $\mathbb{F}_{q^m}$ of least positive degree that is divisible by $g(x)$ is uniquely determined; it is called the minimal $q$-polynomial of $\zeta$ over $\mathbb{F}_{q^m}$.

3.68. Theorem. Let $\zeta$ be an element of a finite extension field of $\mathbb{F}_{q^m}$, and let $M(x)$ be its minimal $q$-polynomial over $\mathbb{F}_{q^m}$. Then a $q$-polynomial $K(x)$ over $\mathbb{F}_{q^m}$ has $\zeta$ as a root if and only if $K(x) = L(x) \otimes M(x)$ for some $q$-polynomial $L(x)$ over $\mathbb{F}_{q^m}$. In particular, for the case $m = 1$ this means that $K(x)$ has $\zeta$ as a root if and only if $K(x)$ is symbolically divisible by $M(x)$.

Proof. If $K(x) = L(x) \otimes M(x) = L(M(x))$, it follows immediately that $K(\zeta) = 0$. Conversely, let
$$M(x) = \sum_{j=0}^r \gamma_j x^{q^j} \quad \text{with } \gamma_r = 1$$
and suppose
$$K(x) = \sum_{h=0}^t \alpha_h x^{q^h} \quad \text{with } t \ge r$$
has $\zeta$ as a root. Put $s = t - r$ and $\gamma_j = 0$ for $j < 0$, and consider the following system of $s + 1$ linear equations in the $s + 1$ unknowns $\beta_0, \beta_1, \ldots, \beta_s$:
$$\begin{aligned}
\beta_0 + \gamma_{r-1}^{q} \beta_1 + \gamma_{r-2}^{q^2} \beta_2 + \cdots + \gamma_{r-s}^{q^s} \beta_s &= \alpha_r, \\
\beta_1 + \gamma_{r-1}^{q^2} \beta_2 + \cdots + \gamma_{r-s+1}^{q^s} \beta_s &= \alpha_{r+1}, \\
&\ \ \vdots \\
\beta_{s-1} + \gamma_{r-1}^{q^s} \beta_s &= \alpha_{t-1}, \\
\beta_s &= \alpha_t.
\end{aligned}$$
It is clear that this system has a unique solution involving elements $\beta_0, \beta_1, \ldots, \beta_s$ of $\mathbb{F}_{q^m}$. With
$$L(x) = \sum_{i=0}^s \beta_i x^{q^i} \quad \text{and} \quad R(x) = K(x) - L(M(x))$$
we get
$$R(x) = \sum_{h=0}^t \alpha_h x^{q^h} - \sum_{i=0}^s \beta_i \sum_{j=0}^r \gamma_j^{q^i} x^{q^{i+j}} = \sum_{h=0}^t \Bigl(\alpha_h - \sum_{i=0}^s \gamma_{h-i}^{q^i} \beta_i\Bigr) x^{q^h}.$$
It follows from the system above that $R(x)$ has degree $< q^r$. But since $R(\zeta) = K(\zeta) - L(M(\zeta)) = 0$, the definition of $M(x)$ implies that $R(x)$ is the zero polynomial. Therefore, we have $K(x) = L(M(x)) = L(x) \otimes M(x)$. $\square$
We consider now the problem of determining the number $N_L$ of $q$-primitive roots over $\mathbb{F}_q$ of a nonzero $q$-polynomial $L(x)$ over $\mathbb{F}_q$. If $L(x)$ has multiple roots, then by Theorem 3.65 we can write $L(x) = L_1(x)^q$ with a $q$-polynomial $L_1(x)$ over $\mathbb{F}_q$. Since every root of $L(x)$ is then also a root of $L_1(x)$, we have $N_L = 0$. Thus we can assume that $L(x)$ has only simple roots. If $L(x)$ has degree 1, it is obvious that $N_L = 1$. If $L(x)$ has degree $q^n > 1$ and is monic (without loss of generality), let
$$L(x) = \underbrace{L_1(x) \otimes \cdots \otimes L_1(x)}_{e_1} \otimes \cdots \otimes \underbrace{L_r(x) \otimes \cdots \otimes L_r(x)}_{e_r}$$
be the symbolic factorization of $L(x)$ with distinct monic symbolically irreducible polynomials $L_i(x)$ over $\mathbb{F}_q$. We obtain $N_L$ by subtracting from the total number $q^n$ of roots the number of roots of $L(x)$ that are already roots of some nonzero $q$-polynomial over $\mathbb{F}_q$ of degree $< q^n$. If $\zeta$ is a root of $L(x)$ of the latter kind and $M(x)$ is the minimal $q$-polynomial of $\zeta$ over $\mathbb{F}_q$, then $\deg(M(x)) < q^n$ and $M(x)$ symbolically divides $L(x)$ by Theorem 3.68. It follows that $M(x)$ symbolically divides one of the polynomials $K_i(x)$, $1 \le i \le r$, obtained from the symbolic factorization of $L(x)$ by omitting the symbolic factor $L_i(x)$, in which case $K_i(\zeta) = 0$ by Theorem 3.68. Since every root of $K_i(x)$ is automatically a root of $L(x)$, it follows that $N_L$ is $q^n$ minus the number of $\zeta$ that are roots of some $K_i(x)$. If $q^{n_i}$ is the degree of $L_i(x)$, then the degree, and thus the number of roots, of $K_i(x)$ is $q^{n - n_i}$. If $i_1, \ldots, i_j$ are distinct subscripts, then the number of common roots of $K_{i_1}(x), \ldots, K_{i_j}(x)$ is equal to the degree of the greatest common divisor, which is the same as the degree of the greatest common symbolic divisor (see the discussion following Example 3.64). Using symbolic factorizations, one finds that this degree is equal to $q^{n - n_{i_1} - \cdots - n_{i_j}}$. Altogether, the inclusion-exclusion principle of combinatorics yields
$$N_L = q^n - \sum_{i=1}^r q^{n - n_i} + \sum_{1 \le i < j \le r} q^{n - n_i - n_j} - \cdots + (-1)^r q^{n - n_1 - \cdots - n_r} = q^n (1 - q^{-n_1}) \cdots (1 - q^{-n_r}).$$
This expression can also be interpreted in a different way. Let $l(x)$ be the conventional $q$-associate of $L(x)$. Then
$$l(x) = l_1(x)^{e_1} \cdots l_r(x)^{e_r}$$
is the canonical factorization of $l(x)$ in $\mathbb{F}_q[x]$, where $l_i(x)$ is the conventional $q$-associate of $L_i(x)$. We define an analog of Euler's $\phi$-function (see Exercise 1.4) for nonzero $f \in \mathbb{F}_q[x]$ by letting $\Phi_q(f(x)) = \Phi_q(f)$ denote the number of polynomials in $\mathbb{F}_q[x]$ that are of smaller degree than $f$ as well as relatively prime to $f$. The following result will then imply the identity $N_L = \Phi_q(l(x))$ for the case under consideration.

3.69. Lemma. The function $\Phi_q$ defined for nonzero polynomials in $\mathbb{F}_q[x]$ has the following properties:
(i) $\Phi_q(f) = 1$ if $\deg(f) = 0$;
(ii) $\Phi_q(fg) = \Phi_q(f)\Phi_q(g)$ whenever $f$ and $g$ are relatively prime;
(iii) if $\deg(f) = n \ge 1$, then $\Phi_q(f) = q^n (1 - q^{-n_1}) \cdots (1 - q^{-n_r})$, where the $n_i$ are the degrees of the distinct monic irreducible polynomials appearing in the canonical factorization of $f$ in $\mathbb{F}_q[x]$.

Proof. Property (i) is trivial. For property (ii), let $\Phi_q(f) = s$ and $\Phi_q(g) = t$, and let $f_1, \ldots, f_s$ resp. $g_1, \ldots, g_t$ be the polynomials counted by $\Phi_q(f)$ resp. $\Phi_q(g)$. If $h \in \mathbb{F}_q[x]$ is a polynomial with $\deg(h) < \deg(fg)$ and $\gcd(fg, h) = 1$, then $\gcd(f, h) = \gcd(g, h) = 1$, and so $h \equiv f_i \bmod f$, $h \equiv g_j \bmod g$ for a unique ordered pair $(i, j)$ with $1 \le i \le s$, $1 \le j \le t$. On the other hand, given an ordered pair $(i, j)$, the Chinese remainder theorem for $\mathbb{F}_q[x]$ (see Exercise 1.37) shows that there exists a unique $h \in \mathbb{F}_q[x]$ with $h \equiv f_i \bmod f$, $h \equiv g_j \bmod g$, and $\deg(h) < \deg(fg)$. This $h$ satisfies $\gcd(f, h) = \gcd(g, h) = 1$, and so $\gcd(fg, h) = 1$. Therefore, there is a one-to-one correspondence between the $st$ ordered pairs $(i, j)$ and the polynomials $h \in \mathbb{F}_q[x]$ with $\deg(h) < \deg(fg)$ and $\gcd(fg, h) = 1$. Consequently, $\Phi_q(fg) = st = \Phi_q(f)\Phi_q(g)$. For an irreducible polynomial $b$ in $\mathbb{F}_q[x]$ of degree $m$ and a positive integer $e$, we can calculate $\Phi_q(b^e)$ directly. The polynomials $h \in \mathbb{F}_q[x]$ with $\deg(h) < \deg(b^e) = em$ that are not relatively prime to $b^e$ are exactly those divisible by $b$, and they are thus of the form $h = gb$ with $\deg(g) < em - m$. Since there are $q^{em-m}$ different choices for $g$, we get $\Phi_q(b^e) = q^{em} - q^{em-m} = q^{em}(1 - q^{-m})$. Property (iii) follows now from property (ii). $\square$
3.70. Theorem. Let $L(x)$ be a nonzero $q$-polynomial over $\mathbb{F}_q$ with conventional $q$-associate $l(x)$. Then the number $N_L$ of $q$-primitive roots of $L(x)$ over $\mathbb{F}_q$ is given by $N_L = 0$ if $L(x)$ has multiple roots and by $N_L = \Phi_q(l(x))$ if $L(x)$ has simple roots.

Proof. This follows from Lemma 3.69 and the discussion preceding it. $\square$

3.71. Corollary. Every nonzero $q$-polynomial over $\mathbb{F}_q$ with simple roots has at least one $q$-primitive root over $\mathbb{F}_q$.

Earlier in this section we introduced the notion of a $q$-modulus. The results about $q$-primitive roots can be used to construct a special type of basis for a $q$-modulus.

3.72. Theorem. Let $M$ be a $q$-modulus of dimension $m \ge 1$ over $\mathbb{F}_q$. Then there exists an element $\zeta \in M$ such that $\{\zeta, \zeta^q, \zeta^{q^2}, \ldots, \zeta^{q^{m-1}}\}$ is a basis of $M$ over $\mathbb{F}_q$.

Proof. According to Theorem 3.65, $L(x) = \prod_{\beta \in M} (x - \beta)$ is a $q$-polynomial over $\mathbb{F}_q$. By Corollary 3.71, $L(x)$ has a $q$-primitive root $\zeta$ over $\mathbb{F}_q$. Then $\zeta, \zeta^q, \zeta^{q^2}, \ldots, \zeta^{q^{m-1}}$ are elements of $M$. If these elements were linearly dependent over $\mathbb{F}_q$, then $\zeta$ would be a root of a nonzero $q$-polynomial over $\mathbb{F}_q$ of degree less than $q^m = \deg(L(x))$, a contradiction to the definition of a $q$-primitive root of $L(x)$ over $\mathbb{F}_q$. Therefore, these $m$ elements are linearly independent over $\mathbb{F}_q$, and so they form a basis of $M$ over $\mathbb{F}_q$. $\square$
3.73. Theorem. There exist exactly $\Phi_q(x^m - 1)$ elements $\zeta \in \mathbb{F}_{q^m}$ such that $\{\zeta, \zeta^q, \zeta^{q^2}, \ldots, \zeta^{q^{m-1}}\}$ is a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$.

Proof. Since $\mathbb{F}_{q^m}$ can be viewed as a $q$-modulus, the argument in the proof of Theorem 3.72 applies. Here
$$L(x) = \prod_{\beta \in \mathbb{F}_{q^m}} (x - \beta) = x^{q^m} - x$$
by Lemma 2.4, and every $q$-primitive root of $L(x)$ over $\mathbb{F}_q$ yields a basis of the desired type. On the other hand, if $\zeta \in \mathbb{F}_{q^m}$ is not a $q$-primitive root of $L(x)$ over $\mathbb{F}_q$, then $\zeta, \zeta^q, \ldots, \zeta^{q^{m-1}}$ are linearly dependent over $\mathbb{F}_q$, and so they do not form a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$. Consequently, the number of $\zeta \in \mathbb{F}_{q^m}$ such that $\{\zeta, \zeta^q, \ldots, \zeta^{q^{m-1}}\}$ is a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ is equal to the number of $q$-primitive roots of $L(x)$ over $\mathbb{F}_q$, which is given by $\Phi_q(x^m - 1)$ according to Theorem 3.70. $\square$

This result provides a refinement of the normal basis theorem (compare with Definition 2.32 and Theorem 2.35). Since each of the elements $\zeta, \zeta^q, \ldots, \zeta^{q^{m-1}}$ generates the same normal basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$, the number of different normal bases of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ is given by $(1/m)\Phi_q(x^m - 1)$.

3.74. Example. We calculate the number of different normal bases of $\mathbb{F}_{64}$ over $\mathbb{F}_2$. Since $64 = 2^6$, this number is given by $\tfrac{1}{6}\Phi_2(x^6 - 1)$. From the canonical factorization
$$x^6 - 1 = (x + 1)^2 (x^2 + x + 1)^2 \quad \text{in } \mathbb{F}_2[x]$$
and Lemma 3.69(iii) it follows that
$$\Phi_2(x^6 - 1) = 2^6 \bigl(1 - \tfrac{1}{2}\bigr)\bigl(1 - \tfrac{1}{4}\bigr) = 24,$$
and so there are four different normal bases of $\mathbb{F}_{64}$ over $\mathbb{F}_2$. $\square$
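An added example, not the book's code, that exercises the $q$-associate correspondence of Definition 3.58 and Lemma 3.59 on the symbolic factorization of Example 3.64, and then computes $\Phi_2(x^6 - 1)$ of Example 3.74 directly from the definition (counting the polynomials of degree $< 6$ relatively prime to $x^6 - 1$) and compares it with Lemma 3.69(iii). Polynomials over $\mathbb{F}_2$ are integers whose bit $i$ is the coefficient of $x^i$; function names are this example's own.

```python
"""q-associates over F_2 (Lemma 3.59, Example 3.64) and Phi_2 for normal bases (Example 3.74).
Added example, not the book's code.  A polynomial over F_2 is an int whose bit i is the
coefficient of x^i; function names are this example's own."""

def f2_mul(a, b):
    """Product in F_2[x] (carry-less multiplication)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def f2_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = f2_mul(r, a)
        a, e = f2_mul(a, a), e >> 1
    return r

def f2_gcd(a, b):
    """Euclidean algorithm in F_2[x]; the inner loop is a mod b by shifted subtraction (XOR)."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def linearized_associate(l):
    """sum a_i x^i  ->  sum a_i x^(2^i)  (Definition 3.58 with q = 2)."""
    L = 0
    for i in range(l.bit_length()):
        if (l >> i) & 1:
            L |= 1 << (1 << i)
    return L

def conventional_associate(L):
    """Inverse of linearized_associate; rejects an input that is not a 2-polynomial."""
    l = 0
    for e in range(L.bit_length()):
        if (L >> e) & 1:
            if e == 0 or e & (e - 1):            # every exponent must be a power of two
                raise ValueError("not a 2-polynomial")
            l |= 1 << (e.bit_length() - 1)       # x^(2^i) -> x^i
    return l

def symbolic_mul(L1, L2):
    """L1 (x) L2 = L1(L2(x)): each term x^(2^i) of L1 contributes L2(x)^(2^i)."""
    r = 0
    for e in range(L1.bit_length()):
        if (L1 >> e) & 1:
            r ^= f2_pow(L2, e)
    return r

def symbolically_divides(L1, L):
    """Corollary 3.60: L1 symbolically divides L iff l1 divides l in F_2[x]."""
    l1, l = conventional_associate(L1), conventional_associate(L)
    return f2_gcd(l, l1) == l1

def example_3_64():
    """L = x^16 + x^8 + x^2 + x; l = x^4 + x^3 + x + 1 = (x^2+x+1)(x+1)^2; symbolic factorization."""
    L = (1 << 16) | (1 << 8) | (1 << 2) | (1 << 1)
    l = conventional_associate(L)
    factors = [0b111, 0b11, 0b11]                # x^2 + x + 1, x + 1, x + 1
    prod, sym = 1, 0b10                          # 1 in F_2[x]; x is the symbolic identity
    for g in factors:
        prod, sym = f2_mul(prod, g), symbolic_mul(sym, linearized_associate(g))
    return l, prod == l, sym == L

def phi2_direct(f):
    """Phi_2(f) from its definition: polynomials of smaller degree relatively prime to f."""
    return sum(1 for h in range(1 << (f.bit_length() - 1)) if f2_gcd(h, f) == 1)

def phi2_formula(n, irreducible_degrees):
    """Lemma 3.69(iii) for q = 2 in exact integer arithmetic: 2^n prod (1 - 2^(-n_i))."""
    val = 2 ** n
    for d in irreducible_degrees:
        val = val * (2 ** d - 1) // 2 ** d
    return val

def normal_bases_f64():
    """Example 3.74: the number of normal bases of F_64 over F_2 is Phi_2(x^6 - 1) / 6."""
    return phi2_direct(0b1000001) // 6           # x^6 + 1 = x^6 - 1 over F_2
```

`example_3_64()` confirms both halves of Lemma 3.59 at once: multiplying the conventional associates $x^2 + x + 1$, $x + 1$, $x + 1$ gives $l(x)$, and composing their linearized associates gives $L(x)$. `phi2_direct(0b1000001)` and `phi2_formula(6, [1, 2])` both return 24, so `normal_bases_f64()` returns the four normal bases of the example.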
5. BINOMIALS AND TRINOMIALS

A binomial is a polynomial with two nonzero terms, one of them being the constant term. Irreducible binomials can be characterized explicitly. For this purpose it suffices to consider nonlinear, monic binomials.

3.75. Theorem. Let $t \ge 2$ be an integer and $a \in \mathbb{F}_q^*$. Then the binomial $x^t - a$ is irreducible in $\mathbb{F}_q[x]$ if and only if the following two conditions are satisfied: (i) each prime factor of $t$ divides the order $e$ of $a$ in $\mathbb{F}_q^*$, but not $(q-1)/e$; (ii) $q \equiv 1 \bmod 4$ if $t \equiv 0 \bmod 4$.

Proof. Suppose (i) and (ii) are satisfied. Then we note that $f(x) = x - a$ is an irreducible polynomial in $\mathbb{F}_q[x]$ of order $e$, and so $f(x^t) = x^t - a$ is irreducible in $\mathbb{F}_q[x]$ by Theorem 3.35. Suppose (i) is violated. Then there exists a prime factor $r$ of $t$ that either divides $(q-1)/e$ or does not divide $e$. In the first case, we have $rs = (q-1)/e$ for some $s \in \mathbb{N}$. The subgroup of $\mathbb{F}_q^*$ consisting of $r$th powers has order $(q-1)/r = es$ and thus contains the subgroup of order $e$ of $\mathbb{F}_q^*$ generated by $a$. In particular, $a = b^r$ for some $b \in \mathbb{F}_q^*$, and so $x^t - a = x^t - b^r$ has the factor $x^{t/r} - b$. In the remaining case, $r$ divides neither $(q-1)/e$ nor $e$, and so $r$ does not divide $q - 1$. Then $r r_1 \equiv 1 \bmod (q-1)$ for some $r_1 \in \mathbb{N}$, and thus $x^t - a = x^t - a^{r r_1}$ has the factor $x^{t/r} - a^{r_1}$. Suppose (i) is satisfied and (ii) is violated. Then $t = 4t_1$ for some $t_1 \in \mathbb{N}$ and $q \not\equiv 1 \bmod 4$. But (i) implies that $e$ is even, and since $e$ divides $q - 1$, $q$ must be odd. Hence $q \equiv 3 \bmod 4$. The fact that $x^t - a$ is reducible in $\mathbb{F}_q[x]$ is then a consequence of Theorem 3.37. This can also be seen directly as follows. First we note that the information on $e$ and $q$ yields $e \equiv 2 \bmod 4$. Moreover, $a^{e/2} = -1$, and so $x^t - a = x^t + a^{(e/2)+1} = x^t + a^d$, where $d = (e/2) + 1$ is even. Now
$$a^d = 4\bigl(2^{-1} a^{d/2}\bigr)^2 = 4\bigl(2^{-1} a^{d/2}\bigr)^{q+1} = 4c^4 \quad \text{with } c = \bigl(2^{-1} a^{d/2}\bigr)^{(q+1)/4},$$
and this leads to the decomposition
$$x^t - a = x^{4t_1} + 4c^4 = \bigl(x^{2t_1} + 2c x^{t_1} + 2c^2\bigr)\bigl(x^{2t_1} - 2c x^{t_1} + 2c^2\bigr). \ \square$$

If $q \equiv 3 \bmod 4$, we can write $q$ in the form $q = 2^A u - 1$ with $A \ge 2$ and $u$ odd. Suppose condition (i) in Theorem 3.75 is satisfied and $t$ is divisible by $2^A$. We write $t = Bv$ with $B = 2^{A-1}$ and $v$ even. Then $k = A$ in Theorem 3.37, so that with $f(x) = x - a$ the polynomial $f(x^t) = x^t - a$ factors as a product of $B$ monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $t/B = v$. These irreducible factors can be determined explicitly. We note that as in the last part of the proof of Theorem 3.75, $d = (e/2) + 1$ is even. Since $\gcd(2B, q-1) = 2$, there exists $r \in \mathbb{N}$ with $2Br \equiv d \bmod (q-1)$. Setting $b = a^r \in \mathbb{F}_q$, we get then the following canonical factorization.
3.76. Theorem. With the conditions and the notation introduced above, let
$$F(x) = \sum_{i=0}^{B/2} \frac{(B-i-1)!\, B}{i!\,(B-2i)!}\, x^{B-2i} \in \mathbb{F}_q[x].$$
Then the roots $c_1, \ldots, c_B$ of $F(x)$ are all in $\mathbb{F}_q$, and in $\mathbb{F}_q[x]$ we have the canonical factorization
$$x^t - a = \prod_{j=1}^B \bigl(x^v - b c_j x^{v/2} - b^2\bigr).$$
Proof. For a nonzero element $\gamma$ in an extension field of $\mathbb{F}_q$ we have $(x - \gamma)(x + \gamma^{-1}) = x^2 - \beta x - 1$ with $\beta = \gamma - \gamma^{-1}$. Using the statement and the notation of Waring's formula (see Theorem 1.76), we get
$$x_1^B + x_2^B = \sum_{\substack{i_1, i_2 \ge 0 \\ i_1 + 2 i_2 = B}} (-1)^{i_2} \frac{(i_1 + i_2 - 1)!\, B}{i_1!\, i_2!}\, \sigma_1(x_1, x_2)^{i_1}\, \sigma_2(x_1, x_2)^{i_2},$$
where $\sigma_1(x_1, x_2) = x_1 + x_2$ and $\sigma_2(x_1, x_2) = x_1 x_2$. Putting $x_1 = \gamma$, $x_2 = -\gamma^{-1}$, we obtain
$$\gamma^B + \gamma^{-B} = \sum_{i=0}^{B/2} (-1)^i \frac{(B-i-1)!\, B}{i!\,(B-2i)!}\, \beta^{B-2i} (-1)^i = F(\beta).$$
If $c_j$ is a root of $F(x)$ in some extension field of $\mathbb{F}_q$ and $\gamma_j$ is such that $\gamma_j - \gamma_j^{-1} = c_j$, then $\gamma_j^B + \gamma_j^{-B} = F(c_j) = 0$ and so $\gamma_j^{2B} = -1$. Since $q + 1 = 2Bu$ with $u$ odd, we get $\gamma_j^{q+1} = -1$, hence $\gamma_j^q = -\gamma_j^{-1}$. Then
$$c_j^q = \bigl(\gamma_j - \gamma_j^{-1}\bigr)^q = \gamma_j^q - \gamma_j^{-q} = -\gamma_j^{-1} + \gamma_j = c_j,$$
and so $c_j \in \mathbb{F}_q$. Since $F(x)$ is monic, we have
$$F(x) = \prod_{j=1}^B (x - c_j),$$
hence
$$\gamma^B + \gamma^{-B} = F(\beta) = \prod_{j=1}^B (\beta - c_j) = \prod_{j=1}^B \bigl(\gamma - \gamma^{-1} - c_j\bigr).$$
It follows that
$$\gamma^{2B} + 1 = \prod_{j=1}^B \bigl(\gamma^2 - c_j \gamma - 1\bigr).$$
Since this identity holds for any element $\gamma$ of any extension field of $\mathbb{F}_q$ (also for $\gamma = 0$), we get the polynomial identity
$$x^{2B} + 1 = \prod_{j=1}^B \bigl(x^2 - c_j x - 1\bigr).$$
Polynomial." over finite Fields
II~
By substituting h -IX'!' for x and multiplying by b 2R , we get a factorization of x Rv + b 2R = Xl + a 2Hr = Xl + ad = x t - a (compare with the final portion of the proof of Theorem 3.75 for the last step). The resulting factors are irreducible in IFq[x] because we know already that the canonical factorization of x' - a involves B irreducible polynomials in IFq[x] of degree v (sec the discussion preceding Theorem 3.76). 3.77. Example. We factor the binomial x 24 - 3 in 1F,!x]. Here q = 23 - 1. so that A = 3, B ~ 4, and c ~ 6. Furthermore, the clement a ~ 3 is of order e ~ 6 in IFj, and so condition (i) in Theorem 3.75 is satisfied and Theorem 3.76 can be applied. We have d ~ 4, and a solution of the congruence 8r" 4mod6 is given by r = 2. Therefore, h ~ 0 2 = 2. Furthermore, F(X)~X4+4x'+2 has the roots ±l and ±3 in IF,. Thus x 24 -3= (X'-2X3_4)(x'+2x'-4)(X6+X3_4)(X6_X3_4) is the canonical factorization in IF,lx]. 0 A trinomial is a polynomial with three nonzero terms, one of them being the constant term. We first consider trinomials that arc also affine polynomials. 3.78, Theorem, Let a E IF q and ler p be the characteristic of IF q' Then the trinomial x P - x - a is irreducihle in IFq[x 1if and only if it has no root in IF q'
Proof. If β is a root of x^p - x - a in some extension field of F_q, then by the proof of Theorem 3.56 the set of roots of x^p - x - a is β + U, where U is the set of roots of the linearized polynomial x^p - x. But U = F_p, and so

x^p - x - a = ∏_{b ∈ F_p} (x - β - b).

Suppose now that x^p - x - a has a factor g ∈ F_q[x] with 1 ≤ r = deg(g) < p and g monic. Then

g(x) = ∏_{i=1}^{r} (x - β - b_i)

for certain b_i ∈ F_p. A comparison of the coefficients of x^{r-1} shows that rβ + b_1 + ··· + b_r is an element of F_q. Since r has a multiplicative inverse in F_q, it follows that β ∈ F_q. Thus we have shown that if x^p - x - a factors nontrivially in F_q[x], then it has a root in F_q. The converse is trivial. □

3.79. Corollary. With the notation of Theorem 3.78, the trinomial x^p - x - a is irreducible in F_q[x] if and only if Tr_{F_q}(a) ≠ 0.

Proof. By Theorem 2.25, x^p - x - a has a root in F_q if and only if the absolute trace Tr_{F_q}(a) is 0. The rest follows from Theorem 3.78. □
Since for b ∈ F_q^* the polynomial f(x) is irreducible over F_q if and only if f(bx) is irreducible over F_q, the criteria above hold also for trinomials of the form b^p x^p - bx - a. If we consider more general trinomials of the above type for which the degree is a higher power of the characteristic, then these criteria need not be valid any longer. In fact, the following decomposition formula can be established.
3.80. Theorem. For x^q - x - a with a being an element of the subfield K = F_r of F = F_q, we have the decomposition

x^q - x - a = ∏_{j=1}^{q/r} (x^r - x - β_j)   (3.18)

in F_q[x], where the β_j are the distinct elements of F_q with Tr_{F/K}(β_j) = a.

Proof. For a given β_j, let γ be a root of x^r - x - β_j in some extension field of F_q. Then γ^r - γ = β_j, and also

a = Tr_{F/K}(β_j) = Tr_{F/K}(γ^r - γ) = (γ^r - γ) + (γ^r - γ)^r + (γ^r - γ)^{r^2} + ··· + (γ^r - γ)^{q/r} = γ^q - γ,

so that γ is a root of x^q - x - a. Since x^r - x - β_j has only simple roots, x^r - x - β_j divides x^q - x - a. Now the polynomials x^r - x - β_j, 1 ≤ j ≤ q/r, are pairwise relatively prime, and so the polynomial on the right-hand side of (3.18) divides x^q - x - a. A comparison of degrees and of leading coefficients shows that the two sides of (3.18) are identical. □
3.81. Example. Consider x^9 - x - 1 in F_9[x]. Viewing F_9 as F_3(α), where α is a root of the irreducible polynomial x^2 - x - 1 in F_3[x], we find that the elements of F_9 with absolute trace equal to 1 are -1, α, 1 - α. Thus (3.18) yields the decomposition

x^9 - x - 1 = (x^3 - x + 1)(x^3 - x - α)(x^3 - x - 1 + α).

Since all three factors are irreducible in F_9[x], we have also obtained the canonical factorization of x^9 - x - 1 in F_9[x]. □

The information about irreducible trinomials can be applied to the construction of new irreducible polynomials from given ones.
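The decomposition (3.18) of Theorem 3.80 carried out in code for Example 3.81; this is an added example, not part of the book. F_9 is built as F_3(α) with α^2 = α + 1, the β_j are found by computing the absolute trace β + β^3, the three factors x^3 - x - β_j are multiplied out and compared with x^9 - x - 1, and each factor is checked to have no root in F_9 (a cubic without roots is irreducible). All function names (f9_mul, decompose, ...) are my own.

```python
# Added example, not the book's code: Theorem 3.80 / Example 3.81 for q = 9, r = 3.
# F_9 = F_3(alpha) with alpha^2 = alpha + 1; an element c0 + c1*alpha is the pair (c0, c1).
# Polynomials over F_9 are lists of such pairs in increasing degree.

P = 3
ZERO, ONE = (0, 0), (1, 0)
F9 = [(c0, c1) for c0 in range(P) for c1 in range(P)]   # all nine elements

def f9_add(u, v):
    return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)

def f9_neg(u):
    return ((-u[0]) % P, (-u[1]) % P)

def f9_mul(u, v):
    # (a0 + a1 alpha)(b0 + b1 alpha) with alpha^2 = alpha + 1
    a0, a1 = u
    b0, b1 = v
    return ((a0 * b0 + a1 * b1) % P, (a0 * b1 + a1 * b0 + a1 * b1) % P)

def f9_pow(u, n):
    r = ONE
    for _ in range(n):
        r = f9_mul(r, u)
    return r

def trace(u):
    """Absolute trace Tr_{F_9/F_3}(u) = u + u^3, returned as an element of F_9."""
    return f9_add(u, f9_pow(u, 3))

def poly_mul(a, b):
    r = [ZERO] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = f9_add(r[i + j], f9_mul(x, y))
    return r

def poly_eval(a, u):
    r = ZERO
    for coeff in reversed(a):          # Horner's rule
        r = f9_add(f9_mul(r, u), coeff)
    return r

def x_pow_minus_x_minus(n, c):
    """The polynomial x^n - x - c as a coefficient list (n >= 2)."""
    a = [ZERO] * (n + 1)
    a[0], a[1], a[n] = f9_neg(c), f9_neg(ONE), ONE
    return a

def decompose(a):
    """The factors x^3 - x - beta_j of x^9 - x - a from (3.18): beta_j runs through the
    elements of F_9 with Tr(beta_j) = a, for a in the subfield F_3 = {0, 1, 2}."""
    betas = [beta for beta in F9 if trace(beta) == (a % P, 0)]
    return [x_pow_minus_x_minus(3, beta) for beta in betas]

def product(factors):
    r = [ONE]
    for g in factors:
        r = poly_mul(r, g)
    return r

def has_root(a):
    return any(poly_eval(a, u) == ZERO for u in F9)

def check_example_3_81():
    """Returns (the beta_j, product equals x^9 - x - 1, every factor is irreducible)."""
    factors = decompose(1)
    betas = [f9_neg(g[0]) for g in factors]
    return (betas,
            product(factors) == x_pow_minus_x_minus(9, ONE),
            all(not has_root(g) for g in factors))
```

With a = 1 the β_j come out as (2, 0) = -1, (0, 1) = α and (1, 2) = 1 - α, matching the example; decompose(0) and decompose(2) give the analogous factorizations of x^9 - x and x^9 - x - 2.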
3.82. Theorem. Let f(x) = x^m + a_{m-1} x^{m-1} + ··· + a_0 be an irreducible polynomial over the finite field F_q of characteristic p and let b ∈ F_q. Then the polynomial f(x^p - x - b) is irreducible over F_q if and only if the absolute trace Tr_{F_q}(mb - a_{m-1}) is ≠ 0.
Proof. Suppose Tr_{F_q}(mb - a_{m-1}) ≠ 0. Put K = F_q and let F be the splitting field of f over K. If α ∈ F is a root of f, then, according to Theorem 2.14, all the roots of f are given by α, α^q, ..., α^{q^{m-1}}, and F = K(α). Furthermore, Tr_{F/K}(α) = -a_{m-1} by (2.2), and using Theorem 2.26 we get

Tr_F(α + b) = Tr_K(Tr_{F/K}(α + b)) = Tr_K(-a_{m-1} + mb) ≠ 0.

By Corollary 3.79, the trinomial x^p - x - (α + b) is irreducible over F. Thus [F(β) : F] = p, where β is a root of x^p - x - (α + b). It follows from Theorem 1.84 that

[F(β) : K] = [F(β) : F][F : K] = pm.

Now α = β^p - β - b, so that α ∈ K(β) and K(β) = K(α, β) = F(β). Hence [K(β) : K] = pm and the minimal polynomial of β over K has degree pm. But f(β^p - β - b) = f(α) = 0, and so β is a root of the monic polynomial f(x^p - x - b) ∈ K[x] of degree pm. Theorem 3.33(ii) shows that f(x^p - x - b) is the minimal polynomial of β over K. By Theorem 3.33(i), f(x^p - x - b) is irreducible over K = F_q.

If Tr_{F_q}(mb - a_{m-1}) = 0, then x^p - x - (α + b) is reducible over F, and so [F(β) : F] < p for any root β of x^p - x - (α + b). The same arguments as above show that β is a root of f(x^p - x - b) and that [F(β) : K] < pm, hence f(x^p - x - b) is reducible over K = F_q. □
For certain types of reducible trinomials we can establish the form of the canonical factorization. The hypothesis for this result involves the irreducibility of a binomial, which can be checked by Theorem 3.75.

3.83. Theorem. Let f(x) = x^r - ax - b ∈ F_q[x], where r > 2 is a power of the characteristic of F_q, and suppose that the binomial x^{r-1} - a is irreducible over F_q. Then f(x) is the product of a linear polynomial and an irreducible polynomial over F_q of degree r - 1.

Proof. Since f'(x) = -a ≠ 0, f(x) has only simple roots. If p is the characteristic of F_q, then f(x) is an affine p-polynomial over F_q. Hence, Theorem 3.56 shows that the difference γ of two distinct roots of f(x) is a root of the p-polynomial x^r - ax, and so a root of x^{r-1} - a. From r - 1 > 1 and the hypothesis about this binomial, it follows that γ is not an element of F_q, and so there exists a root α of f(x) that is not an element of F_q. Then α^q ≠ α is also a root of f(x) and, by what we have already shown, α^q - α is a root of the irreducible polynomial x^{r-1} - a over F_q, so that [F_q(α^q - α) : F_q] = r - 1. Since F_q(α^q - α) ⊆ F_q(α), it follows that m = [F_q(α) : F_q] is a multiple of r - 1. On the other hand, α is a root of the polynomial f(x) of degree r, so that m ≤ r. Because of r > 2, this is only possible if m = r - 1. Thus the minimal polynomial of α over F_q is an irreducible polynomial over F_q of degree r - 1 that divides f(x). The result follows now immediately. □
In the special case of prime fields, one can characterize the primitive polynomials among trinomials of a certain kind.

3.84. Theorem. For a prime p, the trinomial x^p - x - a ∈ F_p[x] is a primitive polynomial over F_p if and only if a is a primitive element of F_p and ord(x^p - x - 1) = (p^p - 1)/(p - 1).

Proof. Suppose first that f(x) = x^p - x - a is a primitive polynomial over F_p. Then a must be a primitive element of F_p because of Theorem 3.18. If β is a root of g(x) = x^p - x - 1 in some extension field of F_p, then

0 = a g(β) = a(β^p - β - 1) = a^p β^p - aβ - a = f(aβ),

and so aβ is a root of f(x). Consequently, we have β^r ≠ 1 for 0 < r < (p^p - 1)/(p - 1), for otherwise (aβ)^{r(p-1)} = 1 with 0 < r(p - 1) < p^p - 1, a contradiction. Since g(x) is irreducible over F_p by Corollary 3.79, we have

g(x) = (x - β)(x - β^p) ··· (x - β^{p^{p-1}}).

A comparison of the constant terms leads to β^{(p^p - 1)/(p - 1)} = 1, hence ord(x^p - x - 1) = (p^p - 1)/(p - 1) on account of Theorem 3.3.

Conversely, if the conditions of the theorem are satisfied, then a and β have orders p - 1 and (p^p - 1)/(p - 1), respectively, in the multiplicative group F_{p^p}^*. Now

(p^p - 1)/(p - 1) = 1 + p + p^2 + ··· + p^{p-1} ≡ 1 + 1 + 1 + ··· + 1 = p ≡ 1 mod (p - 1),

so that p - 1 and (p^p - 1)/(p - 1) are relatively prime. Therefore, aβ has order (p - 1)·(p^p - 1)/(p - 1) = p^p - 1 in F_{p^p}^*. Hence aβ is a primitive element of F_{p^p}, and f(x) is a primitive polynomial over F_p. □

3.85. Example. For p = 5 we have (p^p - 1)/(p - 1) = 781 = 11·71. From the proof of Theorem 3.84 it follows that x^781 ≡ 1 mod (x^5 - x - 1), and since x^11 ≢ 1 mod (x^5 - x - 1) and x^71 ≢ 1 mod (x^5 - x - 1), we obtain ord(x^5 - x - 1) = 781. Now 2 and 3 are primitive elements of F_5, and so x^5 - x - 2 and x^5 - x - 3 are primitive polynomials over F_5 by Theorem 3.84. □
For a trinomial x^2 + x + a over a finite field F_q of odd characteristic, it is easily seen that it is irreducible over F_q if and only if a is not of the form a = 4^{-1} - b^2, b ∈ F_q. Thus, there are exactly (q - 1)/2 choices for a ∈ F_q that make x^2 + x + a irreducible over F_q. More generally, the number of a ∈ F_q that make x^n + x + a irreducible over F_q is usually asymptotic to q/n, according to the following result.
3.86. Theorem. Let F_q be a finite field of characteristic p. For an integer n ≥ 2 such that 2n(n - 1) is not divisible by p, let T_n(q) denote the number of a ∈ F_q for which the trinomial x^n + x + a is irreducible over F_q. Then there is a constant B_n depending only on n, such that

|T_n(q) - q/n| ≤ B_n q^{1/2}.
We omit the proof, as it depends on an elaborate investigation of certain Galois groups.

In Definition 1.92 we defined the discriminant of a polynomial. The following result gives an explicit formula for the discriminant of a trinomial.

3.87. Theorem. The discriminant of the trinomial x^n + ax^k + b ∈ F_q[x] with n > k ≥ 1 is given by

D(x^n + ax^k + b) = (-1)^{n(n-1)/2} b^{k-1} (n^N b^{N-K} - (-1)^N (n - k)^{N-K} k^K a^N)^d,

where d = gcd(n, k), N = n/d, K = k/d.
EXERCISES

3.1. Determine the order of the polynomial (x^2 + x + 1)^5 (x^3 + x + 1) over F_2.
3.2. Determine the order of the polynomial x^? - x^? + x^4 - x^2 + x over F_?.
3.3. Determine ord(f) for all monic irreducible polynomials f in F_?[x] of degree 3.
3.4. Prove that the polynomial x^8 + x^? + x^? + x + 1 is irreducible over F_2 and determine its order.
3.5. Let f ∈ F_q[x] be a polynomial of degree m ≥ 1 with f(0) ≠ 0 and suppose that the roots α_1, ..., α_m of f in the splitting field of f over F_q are all simple. Prove that ord(f) is equal to the least positive integer e such that α_i^e = 1 for 1 ≤ i ≤ m.
3.6. Prove that ord(Q_e) = e for all e for which the cyclotomic polynomial Q_e ∈ F_q[x] is defined.
3.7. Let f be irreducible over F_q with f(0) ≠ 0. For e ∈ N relatively prime to q, prove that ord(f) = e if and only if f divides the cyclotomic polynomial Q_e.
3.8. Let f ∈ F_q[x] be as in Exercise 3.5 and let b ∈ N. Find a general formula showing the relationship between ord(f^b) and ord(f).
3.9. Let F_q be a finite field of characteristic p, and let f ∈ F_q[x] be a polynomial of positive degree with f(0) ≠ 0. Prove that ord(f(x^p)) = p ord(f(x)).
3.10. Let f be an irreducible polynomial in F_q[x] with f(0) ≠ 0 and ord(f) = e, and let r be a prime not dividing q. Prove: (i) if r divides e, then every irreducible factor of f(x^r) in F_q[x] has order er; (ii) if r does not divide e, then one irreducible factor of f(x^r) in F_q[x] has order e and the other factors have order er.
3.11. Deduce from Exercise 3.10 that if f ∈ F_q[x] is a polynomial of positive degree with f(0) ≠ 0, and if r is a prime not dividing q, then ord(f(x^r)) = r ord(f(x)).
3.12. Prove that the reciprocal polynomial of an irreducible polynomial f over F_q with f(0) ≠ 0 is again irreducible over F_q.
3.13. A nonzero polynomial f ∈ F_q[x] is called self-reciprocal if f = f*. Prove that if f = gh, where g and h are irreducible in F_q[x] and f is self-reciprocal, then either (i) h* = ag with a ∈ F_q^*; or (ii) g* = bg, h* = bh with b = ±1.
3.14. Prove: if f is a self-reciprocal irreducible polynomial in F_q[x] of degree m > 1, then m must be even.
3.15. Prove: if f is a self-reciprocal irreducible polynomial in F_q[x] of degree > 1 and of order e, then every irreducible polynomial in F_q[x] of degree > 1 whose order divides e is self-reciprocal.
3.16. Show that x^? + x^? + x^? + x + 1 is a primitive polynomial over F_?.
3.17. Show that x^? + x^? + x^? + x + 1 is a primitive polynomial over F_?.
3.18. Show that x^? - x + 1 is a primitive polynomial over F_?.
3.19. Let f ∈ F_q[x] be monic of degree m ≥ 1. Prove that f is primitive over F_q if and only if f is an irreducible factor over F_q of the cyclotomic polynomial Q_d ∈ F_q[x] with d = q^m - 1.
3.20. Determine the number of primitive polynomials over F_q of degree m.
3.21. If m ∈ N is not a prime, prove that not every monic irreducible polynomial over F_q of degree m can be a primitive polynomial over F_q.
3.22. If m is a prime, prove that all monic irreducible polynomials over F_q of degree m are primitive over F_q if and only if q = 2 and 2^m - 1 is a prime.
3.23. If f is a primitive polynomial over F_q, prove that f(0)^{-1} f* is again primitive over F_q.
3.24. Prove that the only self-reciprocal primitive polynomials are x + 1 and x^2 + x + 1 over F_2 and x + 1 over F_3 (see Exercise 3.13 for the definition of a self-reciprocal polynomial).
3.25. Prove: if f(x) is irreducible in F_q[x], then f(ax + b) is irreducible in F_q[x] for any a, b ∈ F_q with a ≠ 0.
3.26. Prove that N_q(n) ≥ (1/n)(q^n - q) with equality if and only if n is prime.
3.27. Prove that N_q(n) ≥ (1/n) q^n - (q/(n(q - 1)))(q^{n/2} - 1).
3.28. Give a detailed proof of the fact that (3.5) implies (3.4).
3.29. Prove that the Moebius function μ satisfies μ(mn) = μ(m)μ(n) for all m, n ∈ N with gcd(m, n) = 1.
3.30. Prove the identity Σ_{d|n} μ(d)/d = φ(n)/n for all n ∈ N.
3.31. Prove that Σ_{d|n} μ(d)φ(d) = 0 for every even integer n ≥ 2.
3.32. Prove the identity Σ_{d|n} |μ(d)| = 2^k, where k is the number of distinct prime factors of n ∈ N.
3.33. Prove that N_q(n) is divisible by eq provided that n ≥ 2, e is a divisor of q - 1, and gcd(eq, n) = 1.
3.34. Calculate the cyclotomic polynomials Q_12 and Q_30 from the explicit formula in Theorem 3.27.
3.35. Establish the properties of cyclotomic polynomials listed in Exercise 2.57, Parts (a)-(f), by using the explicit formula in Theorem 3.27.
3.36. Prove that the cyclotomic polynomial Q_n with gcd(n, q) = 1 is irreducible over F_q if and only if the multiplicative order of q modulo n is
3.43. Find the factorization of x^32 - x into irreducible polynomials over F_2.
3.44. Calculate I(2, 6; x) from the formula in Theorem 3.29.
3.45. Calculate I(2, 6; x) from the formula in Theorem 3.31.
3.46. Prove that I(q, n; x) = ∏_{d|n} (x^{q^d - 1} - 1)^{μ(n/d)} for n > 1.
3.47. Prove that over a finite field of odd order q the polynomial -)(1 + x,q· 1)/' +(1- x),q+ 1)/') is the square of a polynomial.
3.48. Determine all irreducible polynomials in F_2[x] of degree 6 and order 21 and then all irreducible polynomials in F_2[x] of degree 294 and order 1029.
3.49. Determine all monic irreducible polynomials in F_3[x] of degree 3 and order 26 and then all monic irreducible polynomials in F_3[x] of degree 6 and order 104.
3.50. Proceed as in Example 3.41 to determine which polynomials f_t are irreducible in F_q[x] in the case q = 5, m = 4, e = 78.
3.51. In the notation of Example 3.41, prove that if t is a prime with t - 1 dividing m - 1, then f_t is irreducible in F_q[x].
3.52. Given the irreducible polynomial f(x) = x^3 - x^2 + x + 1 over F_?, calculate f_? and f_5 by the matrix-theoretic method.
3.53. Calculate f_? and f_5 in the previous exercise by using the result of Theorem 3.39.
3.54. Use a root of the primitive polynomial x^3 - x + 1 over F_3 to represent all elements of F_27^*, and compute the minimal polynomials over F_3 of all elements of F_27.
3.55. Let θ ∈ F_64 be a root of the irreducible polynomial x^6 + x + 1 in F_2[x]. Find the minimal polynomial of β = 1 + θ^? + θ^? over F_2.
3.56. Let θ ∈ F_? be a root of the irreducible polynomial x^? + x^4 + x^? + x + 1 in F_?[x]. Find the minimal polynomial of β = 1 + θ + θ^? over F_?.
3.57. Determine all primitive polynomials over F_? of degree 2.
3.58. Determine all primitive polynomials over F_4 of degree 2.
3.59. Determine a primitive polynomial over F_? of degree 3.
3.60. Factor the polynomial g ∈ F_?[x] from Example 3.44 in F_9[x] to obtain primitive polynomials over F_9.
3.61. Factor the polynomial h ∈ F_?[x] from Example 3.45 in F_?[x] to obtain primitive polynomials over F_?.
3.62. Find the roots of the following linearized polynomials in their splitting fields: (a) L(x) = x^? + x^4 + x^? + x ∈ F_?[x]; (b) L(x) = x^? + x ∈ F_?[x].
3.63. Find the roots of the following polynomials in the indicated fields by
first determining an affine multiple: (a) f(x) = x^? + x^? + x^? + x^? + 1 ∈ F_?[x] in F_?; (b) f(x) = x^4 + θx^? - x^? - (θ + 1)x + 1 - θ ∈ F_9[x] in F_729, where θ is a root of x^2 - x - 1 ∈ F_3[x].
3.64. Prove that for every polynomial f over F_{q^m} of positive degree there exists a nonzero q-polynomial over F_{q^m} that is divisible by f.
3.65. Prove that the greatest common divisor of two or more nonzero q-polynomials over F_{q^m} is again a q-polynomial, but that their least common multiple need not necessarily be a q-polynomial.
3.66. Determine the greatest common divisor of the following linearized polynomials: (a) L_1(x) = x^64 + x^16 + x^8 + x^4 + x^2 + x ∈ F_2[x], L_2(x) = x^32 + x^? + x^? + x ∈ F_2[x]; (b) L_1(x) = x^243 - x^? - x^? + x^? + x ∈ F_3[x], L_2(x) = x^? + x ∈ F_3[x].
3.67. Determine the symbolic factorization of the following linearized polynomials into symbolically irreducible polynomials over the given prime fields: (a) L(x) = x^32 + x^16 + x^8 + x^4 + x^2 + x ∈ F_2[x]; (b) L(x) = x^? - x^? - x^? - x ∈ F_?[x].
3.68. Prove that the q-polynomial L_1(x) over F_{q^m} divides the q-polynomial L(x) over F_{q^m} if and only if L(x) = L_2(x) ⊗ L_1(x) for some q-polynomial L_2(x) over F_{q^m}.
3.69. Prove that the greatest common divisor of two or more affine q-polynomials over F_{q^m}, not all of them 0, is again an affine q-polynomial.
3.70. If A_1(x) = L_1(x) - α_1 and A_2(x) = L_2(x) - α_2 are affine q-polynomials over F_{q^m} and A_1(x) divides A_2(x), prove that the q-polynomial L_1(x) divides the q-polynomial L_2(x).
3.71. Let f(x) be irreducible in F_q[x] with f(0) ≠ 0 and let F(x) be its linearized q-associate. Prove that F(x)/x is irreducible in F_q[x] if and only if f(x) is a primitive polynomial over F_q or a nonzero constant multiple of such a polynomial.
3.72. Let γ be an element of a finite extension field of F_{q^m}. Prove that a q-polynomial K(x) over F_{q^m} has γ as a root if and only if K(x) is divisible by the minimal q-polynomial of γ over F_{q^m}.
3.73. For a nonzero polynomial f ∈ F_q[x], prove that Σ_g Φ_q(g) = q^{deg(f)}, where the sum is extended over all monic divisors g ∈ F_q[x] of f.
3.74. For a nonzero polynomial f ∈ F_q[x] and g ∈ F_q[x] with gcd(f, g) = 1, prove that g^k ≡ 1 mod f, where k = Φ_q(f).
3.75. The function μ_q is defined on the set S of nonzero polynomials f over F_q by μ_q(f) = 1 if deg(f) = 0, μ_q(f) = 0 if f has at least one multiple root, and μ_q(f) = (-1)^k if deg(f) ≥ 1 and f has only simple roots, where k is the number of irreducible factors in the canonical factorization of f in F_q[x]. Let Σ denote a sum extended over all monic divisors g ∈ F_q[x] of f. Prove the following properties: (a) Σ μ_q(g) = 1 if deg(f) = 0, and Σ μ_q(g) = 0 if deg(f) ≥ 1; (b) μ_q(fg) = μ_q(f)μ_q(g) for all f, g ∈ S with gcd(f, g) = 1; (c) Σ q^{deg(g)} μ_q(f/g) = Φ_q(f) for all f ∈ S; (d) if ψ is a mapping from S into an additively written abelian group G with ψ(cf) = ψ(f) for all c ∈ F_q^* and f ∈ S, and if Ψ(f) = Σ ψ(g) for all f ∈ S, then ψ(f) = Σ μ_q(f/g)Ψ(g) = Σ μ_q(g)Ψ(f/g) for all f ∈ S.
3.76. Prove that the number of different normal bases of F_{q^m} over F_q is (1/m) ∏_{d|m} (q^{φ(d)} - 1) provided that gcd(m, q) = 1 and the multiplicative order of q modulo m is φ(m).
3.77. Refer to Example 2.31 for the definition of a self-dual basis and show that there exists a self-dual normal basis of F_{2^m} over F_2 whenever m is odd. (Hint: Show first that the number of different normal bases of F_{2^m} over F_2 is odd whenever m is odd.)
3.78. For a prime r and a ∈ F_q, prove that x^r - a is either irreducible in F_q[x] or has a root in F_q.
3.79. For an odd prime r, an integer n ≥ 1, and a ∈ F_q, prove that x^{r^n} - a is irreducible in F_q[x] if and only if a is not an rth power of an element of F_q.
3.80. Find the canonical factorization of the following binomials over the given prime fields: (a) f(x) = x^? + 1 ∈ F_3[x]; (b) f(x) = x^27 - 4 ∈ F_19[x]; (c) f(x) = x^? - 10 ∈ F_23[x].
3.81. Prove that under the conditions of Theorem 3.76 the roots of the polynomial F(x) introduced there are simple.
3.82. Prove that the resultant of two binomials x^n - a and x^m - b in F_q[x] is given by (-1)^n (b^{n/d} - a^{m/d})^d with d = gcd(n, m), where n and m are considered to be the formal degrees of the binomials (compare with Definition 1.93).
3.83. For a nonzero element b of a prime field F_p, prove that the trinomial x^p - x - b is irreducible in F_{p^n}[x] if and only if n is not divisible by p.
3.84. Prove that any polynomial of the form x^q - ax - b ∈ F_q[x] with a ≠ 1 has a root in F_q.
3.85. Prove: if x^p - x - a is irreducible over the field F_q of characteristic p and β is a root of this trinomial in an extension field of F_q, then x^p - x - aβ^{p-1} is irreducible over F_q(β).
3.86. Prove: if f(x) = x^m + a_{m-1}x^{m-1} + ··· + a_0 is irreducible over the field F_q of characteristic p and b ∈ F_q is such that Tr_{F_q}(mb - a_{m-1}) = 0, then f(x^p - x - b) is the product of p irreducible polynomials over F_q of degree m.
3.87. If m and p are distinct primes and the multiplicative order of p modulo m is m - 1, prove that Σ_{i=0}^{m-1} (x^p - x)^i is irreducible over F_p.
3.88. Find the canonical factorization of the given polynomial over the indicated field: (a) f(x) = x^? - αx - 1 ∈ F_?[x], where α satisfies α^? = α + 1; (b) f(x) = x^? - αx + α ∈ F_?[x], where α satisfies α^? = α + 1.
3.89. Let A(x) = L(x) - α ∈ F_q[x] be an affine p-polynomial of degree r > 2, and suppose the p-polynomial L(x) is such that L(x)/x is irreducible over F_q. Prove that A(x) is the product of a linear polynomial and an irreducible polynomial over F_q of degree r - 1.
3.90. Prove: the trinomial x^n + ax^k + b ∈ F_q[x], n > k ≥ 1, q even, has multiple roots if and only if n and k are both even.
3.91. Prove that the degree of every irreducible factor of x^{2^n} + x + 1 in F_2[x] divides 2n.
3.92. Prove that the degree of every irreducible factor of x^{3^n} - x + 1 in F_3[x] divides 3n.
3.93. Recall the notion of a self-reciprocal polynomial defined in Exercise 3.13. Prove that if f ∈ F_2[x] is a self-reciprocal polynomial of positive degree, then f divides a trinomial in F_2[x] only if ord(f) is a multiple of 3. Prove also that the converse holds if f is irreducible over F_2.
3.94. Prove that for odd d ∈ N the cyclotomic polynomial Q_d ∈ F_2[x] divides a trinomial in F_2[x] if and only if d is a multiple of 3.
3.95. Let f(x) = x^n + ax^k + b ∈ F_q[x], n > k ≥ 1, be a trinomial and let m ∈ N be a multiple of ord(f). Prove that f(x) divides the trinomial g(x) = x^{m-k} + b^{-1}x^{n-k} + ab^{-1}.
3.96. Prove that the trinomial x^{2n} + x^n + 1 is irreducible over F_2 if and only if n = 3^k for some nonnegative integer k.
3.97. Prove that the trinomial x^{4n} + x^n + 1 is irreducible over F_2 if and only if n = 3^k 5^m for some nonnegative integers k and m.
Chapter 4
Factorization of Polynomials
Any nonconstant polynomial over a field can be expressed as a product of irreducible polynomials. In the case of finite fields, some reasonably efficient algorithms can be devised for the actual calculation of the irreducible factors of a given polynomial of positive degree.

The availability of feasible factorization algorithms for polynomials over finite fields is important for coding theory and for the study of linear recurrence relations in finite fields. Beyond the realm of finite fields, there are various computational problems in algebra and number theory that depend in one way or another on the factorization of polynomials over finite fields. We mention the factorization of polynomials over the ring of integers, the determination of the decomposition of rational primes in algebraic number fields, the calculation of the Galois group of an equation over the rationals, and the construction of field extensions.

We shall present several algorithms for the factorization of polynomials over finite fields. The decision on the choice of algorithm for a specific factorization problem usually depends on whether the underlying finite field is "small" or "large." In Section 1 we describe those algorithms that are better adapted to "small" finite fields and in the next section those that work better for "large" finite fields. Some of these algorithms reduce the problem of factoring polynomials to that of finding the roots of certain other polynomials. Therefore, Section 3 is devoted to the discussion of the latter problem from the computational viewpoint.
1. FACTORIZATION OVER SMALL FINITE FIELDS
Any polynomial f ∈ F_q[x] of positive degree has a canonical factorization in F_q[x] by Theorem 1.59. For the discussion of factorization algorithms it will suffice to consider only monic polynomials. Our goal is thus to express a monic polynomial f ∈ F_q[x] of positive degree in the form

f = f_1^{e_1} ··· f_k^{e_k},   (4.1)

where f_1, ..., f_k are distinct monic irreducible polynomials in F_q[x] and e_1, ..., e_k are positive integers.

First we simplify our task by showing that the problem can be reduced to that of factoring a polynomial with no repeated factors, which means that the exponents e_1, ..., e_k in (4.1) are all equal to 1 (or, equivalently, that the polynomial has no multiple roots). To this end, we calculate

d(x) = gcd(f(x), f'(x)),

the greatest common divisor of f(x) and its derivative, by the Euclidean algorithm. If d(x) = 1, then we know that f(x) has no repeated factors because of Theorem 1.68. If d(x) = f(x), we must have f'(x) = 0. Hence f(x) = g(x)^p, where g(x) is a suitable polynomial in F_q[x] and p is the characteristic of F_q. If necessary, the reduction process can be continued by applying the method to g(x). If d(x) ≠ 1 and d(x) ≠ f(x), then d(x) is a nontrivial factor of f(x) and f(x)/d(x) has no repeated factors. The factorization of f(x) is achieved by factoring d(x) and f(x)/d(x) separately. In case d(x) still has repeated factors, further applications of the reduction process will have to be carried out.
By applying this process sufficiently often, the original problem is reduced to that of factoring a certain number of polynomials with no repeated factors. The canonical factorizations of these polynomials lead directly to the canonical factorization of the original polynomial. Therefore, we may restrict the attention to polynomials with no repeated factors. The following theorem is crucial.

4.1. Theorem. If f ∈ F_q[x] is monic and h ∈ F_q[x] is such that h^q ≡ h mod f, then

f(x) = ∏_{c ∈ F_q} gcd(f(x), h(x) - c).   (4.2)

Proof. Each greatest common divisor on the right-hand side of (4.2) divides f(x). Since the polynomials h(x) - c, c ∈ F_q, are pairwise relatively prime, so are the greatest common divisors with f(x), and thus the product of these greatest common divisors divides f(x). On the other hand, f(x) divides

h(x)^q - h(x) = ∏_{c ∈ F_q} (h(x) - c),

and so f(x) divides the right-hand side of (4.2). Thus, the two sides of (4.2) are monic polynomials that divide each other, and therefore they must be equal. □

In general, (4.2) does not yield the complete factorization of f since gcd(f(x), h(x) - c) may be reducible in F_q[x]. If h(x) ≡ c mod f(x) for some c ∈ F_q, then Theorem 4.1 gives a trivial factorization of f and therefore is of no use. However, if h is such that Theorem 4.1 yields a nontrivial factorization of f, we say that h is an f-reducing polynomial. Any h with h^q ≡ h mod f and 0 < deg(h) < deg(f) is obviously f-reducing. In order to obtain factorization algorithms on the basis of Theorem 4.1, we have to find methods of constructing f-reducing polynomials. It should be clear at this stage already that since the factorization provided by (4.2) depends on the calculation of q greatest common divisors, a direct application of this formula will only be feasible for small finite fields F_q.

The first method of constructing f-reducing polynomials makes use of the Chinese remainder theorem for polynomials (see Exercise 1.37). Let us assume that f has no repeated factors, so that f = f_1 ··· f_k is a product of distinct monic irreducible polynomials over F_q. If (c_1, ..., c_k) is any k-tuple of elements of F_q, the Chinese remainder theorem implies that there is a unique h ∈ F_q[x] with h(x) ≡ c_i mod f_i(x) for 1 ≤ i ≤ k and deg(h) < deg(f). The polynomial h(x) satisfies the condition

h(x)^q ≡ c_i^q = c_i ≡ h(x) mod f_i(x)   for 1 ≤ i ≤ k,

and therefore

h^q ≡ h mod f,   deg(h) < deg(f).   (4.3)

On the other hand, if h is a solution of (4.3), then the identity

h(x)^q - h(x) = ∏_{c ∈ F_q} (h(x) - c)

implies that every irreducible factor of f divides one of the polynomials h(x) - c. Thus, all solutions of (4.3) satisfy h(x) ≡ c_i mod f_i(x), 1 ≤ i ≤ k, for some k-tuple (c_1, ..., c_k) of elements of F_q. Consequently, there are exactly q^k solutions of (4.3). We find these solutions by reducing (4.3) to a system of linear equations. With n = deg(f) we construct the n × n matrix B = (b_{ij}), 0 ≤ i, j ≤ n - 1, by calculating the powers x^{iq} mod f(x). Specifically, let

x^{iq} ≡ Σ_{j=0}^{n-1} b_{ij} x^j mod f(x)   for 0 ≤ i ≤ n - 1.   (4.4)
Then h(x) = a_0 + a_1 x + ··· + a_{n-1} x^{n-1} ∈ F_q[x] is a solution of (4.3) if and only if

(a_0, a_1, ..., a_{n-1}) B = (a_0, a_1, ..., a_{n-1}).   (4.5)

This follows from the fact that (4.5) holds if and only if

h(x) = Σ_{j=0}^{n-1} a_j x^j = Σ_{j=0}^{n-1} Σ_{i=0}^{n-1} a_i b_{ij} x^j ≡ Σ_{i=0}^{n-1} a_i x^{iq} = h(x)^q mod f(x).

The system (4.5) may be written in the equivalent form

(a_0, a_1, ..., a_{n-1})(B - I) = (0, 0, ..., 0),   (4.6)

where I is the n × n identity matrix over F_q. By the considerations above, the system (4.6) has q^k solutions. Thus, the dimension of the null space of the matrix B - I is k, the number of distinct monic irreducible factors of f, and the rank of B - I is n - k. Since the constant polynomial h_1(x) = 1 is always a solution of (4.3), the vector (1, 0, ..., 0) is always a solution of (4.6), as can also be checked directly. There will exist polynomials h_2(x), ..., h_k(x) of degree ≤ n - 1 such that the vectors corresponding to h_1(x), h_2(x), ..., h_k(x) form a basis for the null space of B - I. The polynomials h_2(x), ..., h_k(x) have positive degree and are thus f-reducing.

In this approach, an important role is played by the determination of the rank r of the matrix B - I. We have r = n - k as noted above, so that once the rank r is found, we know that the number of distinct monic irreducible factors of f is given by n - r. On the basis of this information we can then decide when the factorization procedure can be stopped. The rank of B - I can be determined by using row and column operations to reduce the matrix to echelon form. However, since we also want to solve the system (4.6), it is advisable to use only column operations because they leave the null space invariant. Thus, we are allowed to multiply any column of the matrix B - I by a nonzero element of F_q and to add any multiple of one of its columns to a different column. The rank r is the number of nonzero columns in the column echelon form. Having found r, we form k = n - r. If k = 1, we know that f is irreducible over F_q and the procedure terminates. In this case, the only solutions of (4.3) are the constant polynomials and the null space of B - I contains only the vectors of the form (c, 0, ..., 0) with c ∈ F_q. If k ≥ 2, we take the f-reducing basis polynomial h_2(x) and calculate
1. Factorization over Small Finite Fields 133
$\gcd(f(x), h_2(x) - c)$ for all $c \in \mathbb{F}_q$. The result will be a nontrivial factorization of $f(x)$ afforded by (4.2). If the use of $h_2(x)$ does not succeed in splitting $f(x)$ into $k$ factors, we calculate $\gcd(g(x), h_3(x) - c)$ for all $c \in \mathbb{F}_q$ and all nontrivial factors $g(x)$ found so far. This procedure is continued until $k$ factors of $f(x)$ are obtained.

The process described above must eventually yield all the factors, for if we consider two distinct monic irreducible factors of $f(x)$, say $f_1(x)$ and $f_2(x)$, then by the argument following (4.3) there exist elements $c_{j1}, c_{j2} \in \mathbb{F}_q$ such that $h_j(x) \equiv c_{j1} \bmod f_1(x)$, $h_j(x) \equiv c_{j2} \bmod f_2(x)$ for $1 \le j \le k$. Suppose we had $c_{j1} = c_{j2}$ for $1 \le j \le k$. Then, since any solution $h(x)$ of (4.3) is a linear combination of $h_1(x), \ldots, h_k(x)$ with coefficients in $\mathbb{F}_q$, there would exist for any such $h(x)$ an element $c \in \mathbb{F}_q$ with $h(x) \equiv c \bmod f_1(x)$, $h(x) \equiv c \bmod f_2(x)$. But the argument leading to (4.3) shows, in particular, that there is a solution $h(x)$ of (4.3) with $h(x) \equiv 0 \bmod f_1(x)$, $h(x) \equiv 1 \bmod f_2(x)$. This contradiction proves that $c_{j1} \ne c_{j2}$ for some $j$ with $1 \le j \le k$ (in fact, since $h_1(x) = 1$, we will have $j \ge 2$). Therefore, $h_j(x) - c_{j1}$ will be divisible by $f_1(x)$, but not by $f_2(x)$. Hence any two distinct monic irreducible factors of $f(x)$ will be separated by some $h_j(x)$.
This factorization algorithm based on determining $f$-reducing polynomials by solving the system (4.6) is called Berlekamp's algorithm.

4.2. Example. Factor $f(x) = x^8 + x^6 + x^4 + x^3 + 1$ over $\mathbb{F}_2$ by Berlekamp's algorithm. Since $\gcd(f(x), f'(x)) = 1$, $f(x)$ has no repeated factors. We have to compute $x^{iq} \bmod f(x)$ for $q = 2$ and $0 \le i \le 7$. This yields the following congruences mod $f(x)$:
$$x^0 \equiv 1, \quad x^2 \equiv x^2, \quad x^4 \equiv x^4, \quad x^6 \equiv x^6,$$
$$x^8 \equiv 1 + x^3 + x^4 + x^6,$$
$$x^{10} \equiv 1 + x^2 + x^3 + x^4 + x^5,$$
$$x^{12} \equiv x^2 + x^4 + x^5 + x^6 + x^7,$$
$$x^{14} \equiv 1 + x + x^3 + x^4 + x^5.$$
Therefore, the $8 \times 8$ matrix $B$ is given by
$$B = \begin{pmatrix}
1&0&0&0&0&0&0&0\\
0&0&1&0&0&0&0&0\\
0&0&0&0&1&0&0&0\\
0&0&0&0&0&0&1&0\\
1&0&0&1&1&0&1&0\\
1&0&1&1&1&1&0&0\\
0&0&1&0&1&1&1&1\\
1&1&0&1&1&1&0&0
\end{pmatrix}$$
Factorization of Polynomials 134
and $B - I$ is given by
$$B - I = \begin{pmatrix}
0&0&0&0&0&0&0&0\\
0&1&1&0&0&0&0&0\\
0&0&1&0&1&0&0&0\\
0&0&0&1&0&0&1&0\\
1&0&0&1&0&0&1&0\\
1&0&1&1&1&0&0&0\\
0&0&1&0&1&1&0&1\\
1&1&0&1&1&1&0&1
\end{pmatrix}.$$
The matrix $B - I$ has rank 6, and the two vectors $(1,0,0,0,0,0,0,0)$ and $(0,1,1,0,0,1,1,1)$ form a basis of the null space of $B - I$. The corresponding polynomials are $h_1(x) = 1$ and $h_2(x) = x + x^2 + x^5 + x^6 + x^7$. We calculate $\gcd(f(x), h_2(x) - c)$ for $c \in \mathbb{F}_2$ by the Euclidean algorithm and obtain $\gcd(f(x), h_2(x)) = x^6 + x^5 + x^4 + x + 1$, $\gcd(f(x), h_2(x) - 1) = x^2 + x + 1$. The desired canonical factorization is therefore
$$f(x) = (x^6 + x^5 + x^4 + x + 1)(x^2 + x + 1). \qquad \square$$
A second method of obtaining $f$-reducing polynomials is based on the explicit construction of a family of polynomials among which at least one $f$-reducing polynomial can be found. Let $f$ be again a monic polynomial of degree $n$ with no repeated factors. Let $f = f_1 \cdots f_k$ be its canonical factorization in $\mathbb{F}_q[x]$ with $\deg(f_j) = n_j$ for $1 \le j \le k$. If $N$ is the least positive integer with $x^{q^N} \equiv x \bmod f(x)$, then it follows from Theorem 3.20 that $N = \mathrm{lcm}(n_1, \ldots, n_k)$, and it is also easily seen that $N$ is the degree of the splitting field $F$ of $f$ over $\mathbb{F}_q$. Let the polynomial $T \in \mathbb{F}_q[x]$ be given by
$$T(x) = x + x^q + x^{q^2} + \cdots + x^{q^{N-1}}$$
and define $T_i(x) = T(x^i)$ for $i = 0, 1, \ldots$. The following result guarantees that in the case of interest, namely, when $f$ is reducible, there are $f$-reducing polynomials among the $T_i$.

4.3. Theorem. If $f$ is reducible in $\mathbb{F}_q[x]$, then at least one of the polynomials $T_i$, $1 \le i \le n - 1$, is $f$-reducing.
Proof. It is immediate that any polynomial $T_i$ satisfies $T_i^q \equiv T_i \bmod f$. Suppose now that for all $T_i$, $1 \le i \le n - 1$, the factorization of $f$ afforded by (4.2) were trivial. This means that there exist elements $c_1, \ldots, c_{n-1} \in \mathbb{F}_q$ such that $T_i(x) \equiv c_i \bmod f(x)$ for $1 \le i \le n - 1$. With $c_0 = N$, viewed as an element of $\mathbb{F}_q$, we get $T(x^i) \equiv c_i \bmod f(x)$ for $0 \le i \le n - 1$. For any
$$g(x) = \sum_{i=0}^{n-1} a_i x^i \in \mathbb{F}_q[x]$$
of degree less than $n$ we have then
$$T(g(x)) = T\Big(\sum_{i=0}^{n-1} a_i x^i\Big) = \sum_{i=0}^{n-1} a_i T(x^i) \equiv \sum_{i=0}^{n-1} a_i c_i \bmod f(x).$$
Putting
$$c(g) = \sum_{i=0}^{n-1} a_i c_i \in \mathbb{F}_q,$$
we obtain
$$T(g(x)) \equiv c(g) \bmod f_j(x) \quad \text{for } 1 \le j \le k. \qquad (4.7)$$
Since $N = \mathrm{lcm}(n_1, \ldots, n_k)$, at least one of the integers $N/n_j$, say $N/n_1$, is not divisible by the characteristic of $\mathbb{F}_q$. Let $\theta_1$ be a root of $f_1$ in the splitting field $F_1$ of $f_1$ over $\mathbb{F}_q$. Because of Theorem 2.23(iii) there exists $g_1 \in \mathbb{F}_q[x]$ with (4.8). Since $k \ge 2$ by assumption, we can apply the Chinese remainder theorem to obtain a polynomial $g \in \mathbb{F}_q[x]$ of degree $< n$ with
$$g \equiv g_1 \bmod f_1, \quad g \equiv 0 \bmod f_2. \qquad (4.9)$$
From (4.8) and (4.9) we deduce that $\mathrm{Tr}_{F_1/\mathbb{F}_q}(g(\theta_1)) = 1$, and Theorems 2.23(iv) and 2.26 imply that $\mathrm{Tr}_{F/\mathbb{F}_q}(g(\theta_1)) = N/n_1$. Because of the definitions of the trace and of the element $\theta_1$, it follows that
$$T(g(x)) \equiv N/n_1 \bmod f_1(x).$$
However, the second congruence in (4.9) leads to $T(g(x)) \equiv 0 \bmod f_2(x)$, and since $N/n_1 \ne 0$ as an element of $\mathbb{F}_q$, we get a contradiction to (4.7). Therefore, at least one of the $T_i$, $1 \le i \le n - 1$, is $f$-reducing. $\square$

4.4. Example. Factor $f(x) = x^{17} + x^{14} + x^{13} + x^{12} + x^{11} + x^{10} + x^9 + x^8 + x^7 + x^5 + x^4 + x + 1$ over $\mathbb{F}_2$. We have $\gcd(f(x), f'(x)) = x^{10} + x^8 + 1$, and so $f_0(x) = f(x)/\gcd(f(x), f'(x)) = x^7 + x^5 + x^4 + x + 1$ has no repeated factors. We factor $f_0$ by finding an $f_0$-reducing polynomial of the type described above. To this end, we calculate the powers $x, x^2, x^4, \ldots \bmod f_0(x)$ until we obtain the least positive integer $N$ with $x^{2^N} \equiv x \bmod f_0(x)$. We simplify the notation by identifying a polynomial $\sum_{i=0}^{n-1} a_i x^i$ with the $n$-tuple $a_0 a_1 \cdots a_{n-1}$ of its coefficients, so that, for instance, $f_0(x) = 11001101$. The calculation of the required powers of $x \bmod f_0(x)$ is facilitated by the observation that squaring a polynomial $a_0 a_1 \cdots a_6 \bmod f_0(x)$ is the same as multiplying the vector $a_0 a_1 \cdots a_6$ by the $7 \times 7$ matrix of even powers
$x^0, x^2, \ldots, x^{12} \bmod f_0(x)$. This matrix is obtained from
$$x^0 \equiv 1000000, \quad x^2 \equiv 0010000, \quad x^4 \equiv 0000100, \quad x^6 \equiv 0000001,$$
$$x^8 \equiv 0110011, \quad x^{10} \equiv 1011001, \quad x^{12} \equiv 0100101,$$
where all the congruences are mod $f_0(x)$. Therefore we get mod $f_0(x)$:
$$x \equiv 0100000, \quad x^2 \equiv 0010000, \quad x^4 \equiv 0000100, \quad x^8 \equiv 0110011, \quad x^{16} \equiv 1101000,$$
$$x^{32} \equiv 1010001, \quad x^{64} \equiv 1100001, \quad x^{128} \equiv 1110101, \quad x^{256} \equiv 1000010,$$
$$x^{512} \equiv 0011001, \quad x^{1024} \equiv 0100000.$$
Thus $N = 10$ and
$$T_1(x) = \sum_{j=0}^{9} x^{2^j} \equiv 1110001 \bmod f_0(x).$$
Since $T_1(x)$ is not congruent to a constant mod $f_0(x)$, $T_1(x)$ is $f_0$-reducing. We have
$$\gcd(f_0(x), T_1(x)) = \gcd(11001101, 1110001) = x^5 + x^4 + x^3 + x^2 + 1,$$
$$\gcd(f_0(x), T_1(x) - 1) = \gcd(11001101, 0110001) = x^2 + x + 1,$$
and so $f_0(x) = (x^5 + x^4 + x^3 + x^2 + 1)(x^2 + x + 1)$.
The second factor is obviously irreducible in $\mathbb{F}_2[x]$. Since $N = 10$ is the least common multiple of the degrees of the irreducible factors of $f_0(x)$, any nontrivial factorization of the first factor would lead to a value of $N$ different from 10, so that the first factor is also irreducible in $\mathbb{F}_2[x]$.
It remains to factor $\gcd(f(x), f'(x)) = x^{10} + x^8 + 1$. We have $x^{10} + x^8 + 1 = (x^5 + x^4 + 1)^2$, and by checking whether $x^5 + x^4 + 1$ is divisible by one of the irreducible factors of $f_0(x)$, we find that $x^5 + x^4 + 1 = (x^2 + x + 1)(x^3 + x + 1)$, with $x^3 + x + 1$ irreducible in $\mathbb{F}_2[x]$. Hence
$$f(x) = (x^5 + x^4 + x^3 + x^2 + 1)(x^2 + x + 1)^3(x^3 + x + 1)^2$$
is the canonical factorization of $f(x)$ in $\mathbb{F}_2[x]$. $\square$
It should be noted that, in general, the $f$-reducing polynomials $T_i$ do not yield the complete factorization of $f$ since the $T_i$ are not able to separate those irreducible factors $f_j$ for which $N/n_j$ is divisible by the characteristic of $\mathbb{F}_q$. In practice, however, one calculates the first $f$-reducing $T_i$ and then calculates new $T_i$ for each of the resulting factors. In this way, one eventually obtains the complete factorization of $f$.

It is, however, possible to construct a related set of polynomials $R_i$ that are capable of separating all the irreducible factors of $f$ at once. We assume, without loss of generality, that $f(0) \ne 0$. Let $\mathrm{ord}(f(x)) = e$, so that $f(x)$ divides $x^e - 1$. Since $f$ has no repeated factors, $e$ and $q$ are relatively prime by Corollary 3.4 and Theorem 3.9. For each $i \ge 0$ let $m_i$ be the least positive integer with
$$x^{iq^{m_i}} \equiv x^i \bmod f(x). \qquad (4.10)$$
Then we define
$$R_i(x) = x^i + x^{iq} + \cdots + x^{iq^{m_i - 1}}.$$
Since (4.10) is equivalent to
$$iq^{m_i} \equiv i \bmod e, \qquad (4.11)$$
which is in turn equivalent to $q^{m_i} \equiv 1 \bmod (e/\gcd(e, i))$, it follows that $m_i$ can also be described as the multiplicative order of $q$ modulo $e/\gcd(e, i)$. A comparison with the definition of $T_i(x)$ shows that
$$T_i(x) \equiv \frac{N}{m_i} R_i(x) \bmod f(x).$$
It is clear that $R_i^q \equiv R_i \bmod f$ for all $i$, so that the $R_i$ can be used in (4.2) in place of $h$. We prove now the claim about the $R_i$ made above.

4.5. Theorem. Let $f$ be monic and reducible in $\mathbb{F}_q[x]$ with no repeated factors, and suppose that $f(0) \ne 0$ and $\mathrm{ord}(f) = e$. Then, if all the polynomials $R_i$, $1 \le i \le e - 1$, are used in (4.2), they will separate all irreducible factors of $f$.

Proof. Let $h(x) = \sum_{i=0}^{e-1} a_i x^i \in \mathbb{F}_q[x]$ be a solution of $h(x)^q \equiv h(x) \bmod (x^e - 1)$. If we interpret subscripts mod $e$, then $h(x) \equiv \sum_{i=0}^{e-1} a_{iq} x^{iq} \bmod (x^e - 1)$ since $iq$, $i = 0, 1, \ldots, e - 1$, runs through all residues
mod $e$ as $q$ and $e$ are relatively prime. Since $h(x)^q = \sum_{i=0}^{e-1} a_i x^{iq}$, we get
$$\sum_{i=0}^{e-1} a_i x^{iq} \equiv \sum_{i=0}^{e-1} a_{iq} x^{iq} \bmod (x^e - 1).$$
By considering the exponents mod $e$, it follows that corresponding coefficients are identical. Thus $a_i = a_{iq}$ for all $i$, and so $a_i = a_{iq} = a_{iq^2} = \cdots$ for all $i$. Since $m_i$ is the least positive integer for which (4.11) holds, we obtain
$$h(x) \equiv \sum_{i \in J} a_i R_i(x) \bmod (x^e - 1),$$
where the set $J$ contains exactly one representative from each equivalence class of residues mod $e$ determined by the equivalence relation $\sim$ which is defined by $i_1 \sim i_2$ if and only if $i_1 \equiv i_2 q^t \bmod e$ for some $t \ge 0$. Thus, for suitable $b_i \in \mathbb{F}_q$ we have
$$h(x) \equiv \sum_{i=0}^{e-1} b_i R_i(x) \bmod (x^e - 1). \qquad (4.12)$$
Let now $f_1(x)$ and $f_2(x)$ be two distinct monic irreducible factors of $f(x)$, and so of $x^e - 1$. By the argument leading to (4.3), there is a solution $h(x) \in \mathbb{F}_q[x]$ of $h(x)^q \equiv h(x) \bmod (x^e - 1)$, $\deg(h(x)) < e$, with
$$h(x) \equiv 0 \bmod f_1(x), \quad h(x) \equiv 1 \bmod f_2(x). \qquad (4.13)$$
Since $R_i^q \equiv R_i \bmod f$, the argument subsequent to (4.3) shows that there exist elements $c_{i1}, c_{i2} \in \mathbb{F}_q$ with $R_i(x) \equiv c_{i1} \bmod f_1(x)$, $R_i(x) \equiv c_{i2} \bmod f_2(x)$ for $0 \le i \le e - 1$. If we had $c_{i1} = c_{i2}$ for $0 \le i \le e - 1$, then it would follow from (4.12) that $h(x) \equiv c \bmod f_1(x)$, $h(x) \equiv c \bmod f_2(x)$ for some $c \in \mathbb{F}_q$, a contradiction to (4.13). Thus $c_{i1} \ne c_{i2}$ for some $i$ with $0 \le i \le e - 1$, and since $R_0(x) = 1$, we must have $i \ge 1$. Then $R_i(x) - c_{i1}$ will be divisible by $f_1(x)$, but not by $f_2(x)$. Hence the use of this $R_i(x)$ in (4.2) will separate $f_1(x)$ from $f_2(x)$. $\square$

The argument in the proof of Theorem 4.5 shows, of course, that the polynomials $R_i$, with $i$ running through the nonzero elements of the set $J$, are already separating all irreducible factors of $f$. However, the determination of the set $J$ depends on knowing the order $e$, and a direct calculation of $e$ (i.e., one that does not have recourse to the canonical factorization of $f$) will be lengthy in most cases. This problem does not arise in the special cases $f(x) = x^e - 1$ and $f(x) = Q_e(x)$, the $e$th cyclotomic polynomial, since it is trivial that $\mathrm{ord}(x^e - 1) = \mathrm{ord}(Q_e(x)) = e$. The polynomials $R_i$ are, in fact, well suited for factoring these binomials and cyclotomic polynomials.
4.6. Example. We determine the canonical factorization of the cyclotomic polynomial $Q_{52}(x)$ in $\mathbb{F}_3[x]$. According to Theorem 3.27 we have
$$Q_{52}(x) = \frac{(x^{52} - 1)(x^2 - 1)}{(x^{26} - 1)(x^4 - 1)} = x^{24} - x^{22} + x^{20} - x^{18} + x^{16} - x^{14} + x^{12} - x^{10} + x^8 - x^6 + x^4 - x^2 + 1,$$
and since $x^{26} \equiv -1 \bmod Q_{52}(x)$, we get
$$R_1(x) = x + x^3 + x^9 + x^{27} + x^{81} + x^{243} \equiv 0 \bmod Q_{52}(x),$$
so that $R_1$ is not $Q_{52}$-reducing. With $R_2(x) = x^2 + x^6 + x^{18}$ we get now
$$\gcd(Q_{52}(x), R_2(x)) = x^6 - x^2 + 1,$$
$$\gcd(Q_{52}(x), R_2(x) + 1) = x^6 + x^4 - x^2 + 1,$$
$$\gcd(Q_{52}(x), R_2(x) - 1) = x^{12} + x^{10} - x^8 + x^6 + x^4 + x^2 + 1 = g(x),$$
say, so that (4.2) yields
$$Q_{52}(x) = (x^6 - x^2 + 1)(x^6 + x^4 - x^2 + 1)\, g(x).$$
By Theorem 2.47(ii), $Q_{52}(x)$ is the product of four irreducible factors in $\mathbb{F}_3[x]$ of degree 6. Thus, it remains to factor $g(x)$. Since $R_3(x) = x^3 + x^9 + x^{27} + x^{81} + x^{243} + x^{729} \equiv 0 \bmod Q_{52}(x)$, we next use $R_4(x) = x^4 + x^{12} + x^{36}$. We note that $x^{12} \equiv -x^{10} + x^8 - x^6 - x^4 - x^2 - 1 \bmod g(x)$, $x^{36} \equiv -x^{10} \bmod g(x)$, and so $R_4(x) \equiv x^{10} + x^8 - x^6 - x^2 - 1 \bmod g(x)$. Therefore,
$$\gcd(g(x), R_4(x)) = \gcd(g(x), x^{10} + x^8 - x^6 - x^2 - 1) = 1,$$
$$\gcd(g(x), R_4(x) + 1) = \gcd(g(x), x^{10} + x^8 - x^6 - x^2) = x^6 - x^4 + x^2 + 1,$$
$$\gcd(g(x), R_4(x) - 1) = \gcd(g(x), x^{10} + x^8 - x^6 - x^2 + 1) = x^6 - x^4 + 1.$$
Thus,
$$Q_{52}(x) = (x^6 - x^2 + 1)(x^6 + x^4 - x^2 + 1)(x^6 - x^4 + x^2 + 1)(x^6 - x^4 + 1)$$
is the desired canonical factorization. $\square$
2. FACTORIZATION OVER LARGE FINITE FIELDS

If $\mathbb{F}_q$ is a finite field with a large number $q$ of elements, the practical implementation of the methods in the previous section will become more difficult. We may still be able to find an $f$-reducing polynomial with a reasonable effort, but a direct application of the basic formula (4.2) will be problematic since it requires the calculation of $q$ greatest common divisors. Thus, to make the use of $f$-reducing polynomials feasible for large finite fields, it is imperative that we devise ways of reducing the number of elements $c \in \mathbb{F}_q$ for which the greatest common divisor in (4.2) needs to be calculated. We note that in the context of factorization we consider $q$ to be "large" if $q$ is (substantially) bigger than the degree of the polynomial to be factored.

Let $f$ again be a monic polynomial in $\mathbb{F}_q[x]$ with no repeated factors, let $\deg(f) = n$, and let $k$ be the number of distinct monic irreducible factors of $f$. Suppose that $h \in \mathbb{F}_q[x]$ satisfies $h^q \equiv h \bmod f$ and $0 < \deg(h) < n$, so that $h$ is $f$-reducing. Since the various greatest common divisors in (4.2) are pairwise relatively prime, it is clear that at most $k$ of these greatest common divisors will be $\ne 1$. The problem is to find an a priori characterization of those $c \in \mathbb{F}_q$ for which $\gcd(f(x), h(x) - c) \ne 1$. One such characterization can be obtained by using the theory of resultants (see Definition 1.93 and the remarks following it). Let $R(f(x), h(x) - c)$ be the resultant of $f(x)$ and $h(x) - c$, where the degrees of the two polynomials are taken as the formal degrees in the definition of the resultant. Then $\gcd(f(x), h(x) - c) \ne 1$ if and only if $R(f(x), h(x) - c) = 0$. We are thus led to consider
$$F(y) = R(f(x), h(x) - y),$$
which, from the representation of the resultant as a determinant, is seen to be a polynomial in $y$ of degree $\le n$. Then we have $\gcd(f(x), h(x) - c) \ne 1$ if and only if $c$ is a root of $F(y)$ in $\mathbb{F}_q$. The polynomial $F(y)$ may be calculated from the definition, which involves the evaluation of a determinant of order $\le 2n - 1$ whose entries are either elements of $\mathbb{F}_q$ or linear polynomials in $y$. In many cases it will, however, be preferable to use the following method. Choose $n + 1$ distinct elements $c_0, c_1, \ldots, c_n \in \mathbb{F}_q$ and calculate the resultants $r_i = R(f(x), h(x) - c_i)$ for $0 \le i \le n$. Then the unique polynomial $F(y)$ of degree $\le n$ with $F(c_i) = r_i$ for $0 \le i \le n$ is obtained from the Lagrange interpolation formula (see Theorem 1.71). This method has the advantage that if any of the $r_i$ are 0, we automatically get roots of the polynomial $F(y)$ in $\mathbb{F}_q$. At any rate, the question of isolating the elements $c \in \mathbb{F}_q$ with $\gcd(f(x), h(x) - c) \ne 1$ is now reduced to that of finding the roots of a polynomial in $\mathbb{F}_q$. Computational methods for dealing with this problem will be discussed in the next section.

4.7. Example. Factor $f(x) = x^6 - 3x^5 + 5x^4 - 9x^3 - 5x^2 + 6x + 7$ over $\mathbb{F}_{23}$. Since $\gcd(f(x), f'(x)) = 1$, $f(x)$ has no repeated factors. We proceed by Berlekamp's algorithm and calculate $x^{23i} \bmod f(x)$ for $0 \le i \le 5$. This yields the $6 \times 6$ matrix
$$B = \begin{pmatrix}
1&0&0&0&0&0\\
5&0&-1&8&-3&-10\\
-10&10&10&0&1&-9\\
0&7&9&-8&10&-11\\
11&0&-4&7&7&2\\
-3&0&-10&9&2&-9
\end{pmatrix},$$
and thus $B - I$ is given by
$$B - I = \begin{pmatrix}
0&0&0&0&0&0\\
5&-1&-1&8&-3&-10\\
-10&10&9&0&1&-9\\
0&7&9&-9&10&-11\\
11&0&-4&7&6&2\\
-3&0&-10&9&2&-10
\end{pmatrix}.$$
Reduction to column echelon form shows that $B - I$ has rank $r = 3$, so that $f$ has $k = 6 - r = 3$ distinct monic irreducible factors in $\mathbb{F}_{23}[x]$. A basis for the null space of $B - I$ is given by the vectors $h_1 = (1,0,0,0,0,0)$, $h_2 = (0,4,2,1,0,0)$, $h_3 = (0,-2,9,0,1,1)$, which correspond to the polynomials $h_1(x) = 1$, $h_2(x) = x^3 + 2x^2 + 4x$, $h_3(x) = x^5 + x^4 + 9x^2 - 2x$. We take the $f$-reducing polynomial $h_2(x)$ and consider
$$F(y) = R(f(x), h_2(x) - y) = \begin{vmatrix}
1&-3&5&-9&-5&6&7&0&0&0&0\\
0&1&-3&5&-9&-5&6&7&0&0&0\\
0&0&1&-3&5&-9&-5&6&7&0&0\\
0&0&0&1&-3&5&-9&-5&6&7&0\\
0&0&0&0&1&-3&5&-9&-5&6&7\\
0&0&1&2&4&-y&0&0&0&0&0\\
0&0&0&1&2&4&-y&0&0&0&0\\
0&0&0&0&1&2&4&-y&0&0&0\\
0&0&0&0&0&1&2&4&-y&0&0\\
0&0&0&0&0&0&1&2&4&-y&0\\
0&0&0&0&0&0&0&1&2&4&-y
\end{vmatrix},$$
where $h_2(x) - y$ is taken with formal degree $n - 1 = 5$. In this case a direct computation of $F(y)$ is feasible, and we obtain $F(y) = y^6 + 4y^5 + 3y^4 - 7y^3 + 10y^2 + 11y + 7$. Since $f$ has three distinct monic irreducible factors in $\mathbb{F}_{23}[x]$, the polynomial $F$ can have at most three roots in $\mathbb{F}_{23}$. By using either the methods to be discussed in the next section or trial and error, one determines the roots of $F$ in $\mathbb{F}_{23}$ to be $-3$, $2$, and $6$.
Furthermore, $\gcd(f(x), h_2(x) + 3) = x - 4$, $\gcd(f(x), h_2(x) - 2) = x^2 - x + 7$, $\gcd(f(x), h_2(x) - 6) = x^3 + 2x^2 + 4x - 6$, so that
$$f(x) = (x - 4)(x^2 - x + 7)(x^3 + 2x^2 + 4x - 6)$$
is the canonical factorization of $f(x)$ in $\mathbb{F}_{23}[x]$. $\square$
Another method of characterizing the elements $c \in \mathbb{F}_q$ for which the greatest common divisors in (4.2) need to be calculated is based on the following considerations. With the notation as above, let $C$ be the set of all $c \in \mathbb{F}_q$ such that $\gcd(f(x), h(x) - c) \ne 1$. Then (4.2) implies
$$f(x) = \prod_{c \in C} \gcd(f(x), h(x) - c), \qquad (4.14)$$
and so $f(x)$ divides $\prod_{c \in C}(h(x) - c)$. We introduce the polynomial
$$G(y) = \prod_{c \in C}(y - c).$$
Then $f(x)$ divides $G(h(x))$ and the polynomial $G(y)$ may be characterized as follows.

4.8. Theorem. Among all the polynomials $g \in \mathbb{F}_q[y]$ such that $f(x)$ divides $g(h(x))$, the polynomial $G(y)$ is the unique monic polynomial of least degree.

Proof. We have already shown that the monic polynomial $G(y)$ is such that $f(x)$ divides $G(h(x))$. It is easily seen that the polynomials $g \in \mathbb{F}_q[y]$ with $f(x)$ dividing $g(h(x))$ form a nonzero ideal of $\mathbb{F}_q[y]$. By Theorem 1.54, this ideal is a principal ideal generated by a uniquely determined monic polynomial $G_0 \in \mathbb{F}_q[y]$. It follows that $G_0(y)$ divides $G(y)$, and so
$$G_0(y) = \prod_{c \in C_1}(y - c)$$
for some subset $C_1$ of $C$. Furthermore, $f(x)$ divides $G_0(h(x)) = \prod_{c \in C_1}(h(x) - c)$, and hence
$$f(x) = \prod_{c \in C_1} \gcd(f(x), h(x) - c).$$
A comparison with (4.14) shows that $C_1 = C$. Therefore $G_0(y) = G(y)$, and the theorem follows. $\square$

This result is applied in the following manner. Let $m$ be the number of elements of the set $C$. Then we write
$$G(y) = \prod_{c \in C}(y - c) = \sum_{j=0}^{m} b_j y^j$$
with coefficients $b_j \in \mathbb{F}_q$. Now $f(x)$ divides $G(h(x))$, so that we have
$$\sum_{j=0}^{m} b_j h(x)^j \equiv 0 \bmod f(x).$$
Since $b_m = 1$, this may be viewed as a nontrivial linear dependence relation over $\mathbb{F}_q$ of the residues of $1, h(x), h(x)^2, \ldots, h(x)^m \bmod f(x)$. Theorem 4.8 says that with the normalization $b_m = 1$ this linear dependence relation is unique, and that the residues of $1, h(x), h(x)^2, \ldots, h(x)^{m-1} \bmod f(x)$ are linearly independent over $\mathbb{F}_q$. The bound $m \le k$ follows from (4.14). The polynomial $G$ can thus be determined by calculating the residues mod $f(x)$ of $1, h(x), h(x)^2, \ldots$ until we find the smallest power of $h(x)$ that is linearly dependent (over $\mathbb{F}_q$) on its predecessors. The coefficients of this first linear dependence relation, in the normalized form, are the coefficients of $G$. We know that we need not go beyond $h(x)^k$ to find this linear dependence relation, and $k$ can be obtained from Berlekamp's algorithm. The elements of $C$ are now precisely the roots of the polynomial $G$. This method of reducing the problem of finding the elements of $C$ to that of calculating the roots of a polynomial in $\mathbb{F}_q$ is called the Zassenhaus algorithm.
4.9. Example. Consider again the polynomial $f \in \mathbb{F}_{23}[x]$ from Example 4.7. From Berlekamp's algorithm we obtained $k = 3$ and the $f$-reducing polynomial $h(x) = x^3 + 2x^2 + 4x \in \mathbb{F}_{23}[x]$. We apply the Zassenhaus algorithm in order to determine the elements $c \in \mathbb{F}_{23}$ for which $\gcd(f(x), h(x) - c) \ne 1$. We have
$$h(x)^2 \equiv 7x^5 + 7x^4 + 2x^3 - 2x^2 - 6x - 7 \bmod f(x),$$
and so it is clear that $h(x)^2$ is not linearly dependent on $1$ and $h(x)$. Therefore, $h(x)^3$ must be the smallest power of $h(x)$ that is linearly dependent on its predecessors. We have
$$h(x)^3 \equiv -11x^5 - 11x^4 - x^3 - 9x^2 - 5x - 2 \bmod f(x),$$
and the linear dependence relation is
$$h(x)^3 - 5h(x)^2 + 11h(x) - 10 \equiv 0 \bmod f(x),$$
so that $G(y) = y^3 - 5y^2 + 11y - 10$. By using either the methods to be discussed in the next section or trial and error, one determines the roots of $G$ to be $-3$, $2$, and $6$. The canonical factorization of $f$ in $\mathbb{F}_{23}[x]$ is then obtained as in the last part of Example 4.7. $\square$

A method that is conceptually more complicated, but of great theoretical interest, is based on the use of matrices of polynomials. By a
matrix of polynomials we mean here a matrix whose entries are elements of $\mathbb{F}_q[x]$.

4.10. Definition. A square matrix of polynomials is called nonsingular if its determinant is a nonzero polynomial, and it is called unimodular if its determinant is a nonzero element of $\mathbb{F}_q$.

4.11. Definition. Two square matrices $P$ and $Q$ of polynomials are said to be equivalent if there exists a unimodular matrix $U$ of polynomials and a nonsingular matrix $E$ with entries in $\mathbb{F}_q$ such that $P = UQE$.

It is easily verified that this notion of equivalence is an equivalence relation, in the sense that it is reflexive, symmetric, and transitive. We have seen in Section 1 that there are polynomials $h_2, \ldots, h_k \in \mathbb{F}_q[x]$ with $0 < \deg(h_i) < \deg(f)$ for $2 \le i \le k$, which together with $h_1 = 1$ are solutions of $h^q \equiv h \bmod f$ that are linearly independent over $\mathbb{F}_q$. Clearly, the polynomials $h_i$ may be taken to be monic. The following theorem is fundamental.

4.12. Theorem. Let $f = f_1 \cdots f_k$, where $f_1, \ldots, f_k$ are distinct monic irreducible polynomials in $\mathbb{F}_q[x]$, and let $h_2, \ldots, h_k \in \mathbb{F}_q[x]$ be monic polynomials with $0 < \deg(h_i) < \deg(f)$ for $2 \le i \le k$, which together with $h_1 = 1$ are solutions of $h^q \equiv h \bmod f$ that are linearly independent over $\mathbb{F}_q$. Then the diagonal matrix of polynomials
$$D = \begin{pmatrix}
f_1 & 0 & \cdots & 0\\
0 & f_2 & \cdots & 0\\
\vdots & \vdots & \ddots & \vdots\\
0 & 0 & \cdots & f_k
\end{pmatrix}$$
is equivalent to the matrix of polynomials
$$A = \begin{pmatrix}
f & 0 & 0 & \cdots & 0\\
h_2 & -1 & 0 & \cdots & 0\\
h_3 & 0 & -1 & \cdots & 0\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
h_k & 0 & 0 & \cdots & -1
\end{pmatrix}.$$
Proof. By the argument following (4.3) we have $h_i(x) \equiv e_{ij} \bmod f_j(x)$ with $e_{ij} \in \mathbb{F}_q$ for $1 \le i, j \le k$. Let $E$ be the $k \times k$ matrix whose $(i, j)$ entry is $e_{ij}$. We show first that $E$ is nonsingular. Otherwise, there would exist elements $d_1, \ldots, d_k \in \mathbb{F}_q$, not all zero, such that
$$\sum_{i=1}^{k} d_i e_{ij} = 0 \quad \text{for } 1 \le j \le k.$$
This implies that
$$\sum_{i=1}^{k} d_i h_i \equiv 0 \bmod f_j \quad \text{for } 1 \le j \le k,$$
and so $\sum_{i=1}^{k} d_i h_i \equiv 0 \bmod f$. Since $\deg(h_i) < \deg(f)$ for $1 \le i \le k$, it follows that $\sum_{i=1}^{k} d_i h_i = 0$, a contradiction to the linear independence of $h_1, \ldots, h_k$. Next we note that $AE$ is a nonsingular matrix of polynomials. Thus we can write $D = (D(AE)^{-1})AE$, so that the theorem is established once we have shown that $U = D(AE)^{-1}$ is a unimodular matrix of polynomials. Let $b_{ij} \in \mathbb{F}_q[x]$ be the $(i, j)$ entry of $AE$. Then $b_{1j} = f e_{1j} \equiv 0 \bmod f_j$ for $1 \le j \le k$, and for $2 \le i \le k$ we have $b_{ij} = h_i e_{1j} - e_{ij} = h_i - e_{ij} \equiv 0 \bmod f_j$ for $1 \le j \le k$, so that
$$b_{ij} \equiv 0 \bmod f_j \quad \text{for } 1 \le i, j \le k. \qquad (4.15)$$
Now
$$(AE)^{-1} = \frac{1}{\det(AE)}\,(B_{ji})_{1 \le i, j \le k} = \frac{(-1)^{k-1}}{\det(E)\, f}\,(B_{ji})_{1 \le i, j \le k},$$
where $B_{ji}$ is the cofactor of the $(j, i)$ entry in $AE$, and
$$U = D(AE)^{-1} = \frac{(-1)^{k-1}}{\det(E)}\Big(\frac{f_i B_{ji}}{f}\Big)_{1 \le i, j \le k}.$$
Since (4.15) implies that $B_{ji} \equiv 0 \bmod (f/f_i)$, it follows that each entry of $U$ is a polynomial over $\mathbb{F}_q$. Furthermore,
$$\det(U) = \frac{\det(D)}{\det(AE)} = \frac{(-1)^{k-1}}{\det(E)},$$
which is a nonzero element of $\mathbb{F}_q$. Thus, $U$ is a unimodular matrix of polynomials. $\square$

Theorem 4.12 leads to the theoretical possibility of determining the irreducible factors of $f$ by diagonalizing the matrix $A$. The number $k$ as well as the entries $h_2, \ldots, h_k$ in the first column of $A$ can be obtained with relative ease by Berlekamp's algorithm. The algorithm that achieves the diagonalization of $A$ is, however, quite complicated. The diagonalization algorithm is based on the use of the following elementary operations: (i) permute any pair of rows (columns); (ii) multiply any row (column) by an element of $\mathbb{F}_q^*$; (iii) multiply some row (column) by a monomial (element of $\mathbb{F}_q$) and add the result to any other row (column).
The elementary row operations may be performed by multiplying the original matrix from the left by an appropriate unimodular matrix of polynomials, whereas the elementary column operations may be performed by multiplying the original matrix from the right by an appropriate nonsingular matrix with entries in $\mathbb{F}_q$. Therefore, the new matrix obtained by any of these elementary operations is equivalent to the original matrix.

One can show that $A$ is equivalent to a matrix $R$ of polynomials with the property that for each row of $R$ the degree of the diagonal entry is greater than the degrees of the other entries in the row. The matrix $R$ can be computed from $A$ by performing at most $(2H + k - 1)(k - 1)$ elementary operations, where $H = \deg(h_2) + \cdots + \deg(h_k)$. We note that the diagonal entries of $R$ can be permuted by carrying out suitable row and column permutations. We can thus obtain a matrix $S$ that, in addition to the property of $R$ stated above, satisfies $\deg(s_{ii}) \ge \deg(s_{jj})$ for $1 \le i \le j \le k$, where the $s_{ii}$ are the diagonal entries of $S$. By multiplying the rows of $S$ by appropriate elements of $\mathbb{F}_q^*$, if necessary, we may assume that the $s_{ii}$ are monic polynomials. A matrix $S$ of polynomials with all these properties is called a normalized matrix. The diagonal entries of the matrix $D$ in Theorem 4.12 may also be arranged in such a way that $\deg(f_i) \ge \deg(f_j)$ for $1 \le i \le j \le k$. The resulting equivalent matrix, which we again call $D$, is then diagonal and normalized. Using the fact that the normalized matrix $S$ is equivalent to $D$, one can then show that $\deg(s_{ii}) = \deg(f_i)$ for $1 \le i \le k$. Thus, one can read off the degrees of the various irreducible factors of $f$ from the diagonal entries of $S$. Furthermore, if $d$ is a positive integer which occurs as the degree of some $s_{ii}$, and if $S^{(d)}$ is the square submatrix of $S$ whose main diagonal contains exactly all $s_{ii}$ of degree $d$, then one can prove that the determinant of $S^{(d)}$ is equal to the determinant of the corresponding submatrix of $D$. Thus $\det(S^{(d)}) = g_d$, where $g_d$ is the product of all $f_i$ of degree $d$. In this way we are led to the partial factorization
$$f = \prod_d g_d, \qquad (4.16)$$
where the product is over all positive integers $d$ that occur as the degree of some $f_i$. In summary, we see that the matrix $S$ can be used to obtain the following information about the distinct monic irreducible factors of $f$: the degrees of these factors, the number of these factors of given degree, and the product of all these factors of given degree. If the $f_i$ have distinct degrees, or, equivalently, if the $s_{ii}$ have distinct degrees, then (4.16) represents already the canonical factorization of $f$ in $\mathbb{F}_q[x]$. If (4.16) is not yet the canonical factorization, then one can proceed in various ways. An obvious option is the application of one of the methods discussed earlier to factor the polynomials $g_d$. One can also continue with
the diagonalization algorithm in order to obtain the diagonal matrix $D$ equivalent to the normalized matrix $S$. For the latter purpose, we assume as above that $D$ is put in normalized form. In addition to the properties mentioned above, it is then also true that each of the submatrices $S^{(d)}$ is equivalent to the corresponding submatrix $D^{(d)}$ of $D$. It is therefore sufficient to diagonalize each of the submatrices $S^{(d)}$ separately. By the equivalence of $S^{(d)}$ and $D^{(d)}$ we have $S^{(d)} = UD^{(d)}E$ for some unimodular matrix $U$ of polynomials and some nonsingular matrix $E$ with entries in $\mathbb{F}_q$. We may then write
$$S^{(d)} = \sum_{r=0}^{d} S_r^{(d)} x^r, \quad D^{(d)} = \sum_{r=0}^{d} D_r^{(d)} x^r, \quad U = \sum_{t=0}^{m} U_t x^t,$$
where the $S_r^{(d)}$, $D_r^{(d)}$, and $U_t$, $0 \le r \le d$, $0 \le t \le m$, are matrices with entries in $\mathbb{F}_q$, $U_m \ne 0$, and $S_d^{(d)} = D_d^{(d)} = I$, the identity matrix of appropriate order. A comparison of the matrix coefficients of the highest powers of $x$ on both sides of the equation $S^{(d)} = UD^{(d)}E$ yields $I = U_m I E$ and $m = 0$. Thus, $U = U_0 = E^{-1}$ and hence $S^{(d)} = E^{-1} D^{(d)} E$. Comparing the matrix coefficients of like powers of $x$ in the last identity gives $S_r^{(d)} = E^{-1} D_r^{(d)} E$ for $0 \le r \le d$. Consequently, $S_r^{(d)}$ and $D_r^{(d)}$ have the same characteristic polynomial and eigenvalues, and since $D_r^{(d)}$ is diagonal, its eigenvalues are exactly its diagonal entries. Therefore, the latter can be determined by finding the roots of the characteristic polynomial of $S_r^{(d)}$, which must all be in $\mathbb{F}_q$. As in the earlier methods, we have thus again reduced the factorization problem to that of finding the roots of certain polynomials in $\mathbb{F}_q$.

The partial factorization (4.16) can also be obtained by an entirely different method. To this end, we extend the definition of $g_d$ by letting $g_i$, $i \ge 1$, be the product of all monic irreducible polynomials in $\mathbb{F}_q[x]$ of degree $i$ that divide $f$. In particular, $g_i(x) = 1$ in case $f$ has no irreducible factor in $\mathbb{F}_q[x]$ of degree $i$. We can thus write
$$f = \prod_{i \ge 1} g_i.$$
It is trivial that only those $i$ with $i \le \deg(f)$ need to be considered. We calculate now recursively the polynomials $r_0(x), r_1(x), \ldots$ and $F_0(x), F_1(x), \ldots$ as well as $d_1(x), d_2(x), \ldots$. We start with
$$r_0(x) = x, \quad F_0(x) = f(x),$$
and for $i \ge 1$ we use the formulas
$$r_i(x) \equiv r_{i-1}(x)^q \bmod F_{i-1}(x), \quad \deg(r_i) < \deg(F_{i-1}),$$
$$d_i(x) = \gcd(F_{i-1}(x), r_i(x) - x),$$
$$F_i(x) = F_{i-1}(x)/d_i(x).$$
The algorithm can be stopped when $d_i(x) = F_{i-1}(x)$.

4.13. Theorem. With the notation above, we have $d_i(x) = g_i(x)$ for all $i \ge 1$.

Proof. Using the fact that $F_i$ divides $F_{i-1}$, a straightforward induction shows that
$$r_i(x) \equiv x^{q^i} \bmod F_{i-1}(x) \quad \text{for all } i \ge 1. \qquad (4.17)$$
We prove now by induction that
$$F_{i-1} = \prod_{j \ge i} g_j \quad \text{and} \quad d_i = g_i \quad \text{for all } i \ge 1. \qquad (4.18)$$
For $i = 1$ the first identity holds since $F_0 = f$. As to the second identity, we have
$$d_1(x) = \gcd(F_0(x), r_1(x) - x) = \gcd(f(x), x^q - x)$$
by (4.17), and since $x^q - x$ is the product of all monic linear polynomials in $\mathbb{F}_q[x]$, it follows that $d_1$ is the product of all monic linear polynomials in $\mathbb{F}_q[x]$ dividing $f$, and hence $d_1 = g_1$. Now assume that (4.18) is shown for some $i \ge 1$. Then
$$F_i = F_{i-1}/d_i = F_{i-1}/g_i = \prod_{j \ge i+1} g_j, \qquad (4.19)$$
which proves the first identity in (4.18) for $i + 1$. Furthermore,
$$d_{i+1}(x) = \gcd(F_i(x), r_{i+1}(x) - x) = \gcd(F_i(x), x^{q^{i+1}} - x)$$
by (4.17). According to Theorem 3.20, $x^{q^{i+1}} - x$ is the product of all monic irreducible polynomials in $\mathbb{F}_q[x]$ whose degrees divide $i + 1$. Consequently, $d_{i+1}$ is the product of all monic irreducible polynomials in $\mathbb{F}_q[x]$ that divide $F_i$ and whose degrees divide $i + 1$. It follows then from (4.19) that $d_{i+1} = g_{i+1}$. $\square$
In the algorithm above, the most complicated step from the viewpoint of calculation is that of obtaining $r_i$ by computing the $q$th power of $r_{i-1}$ mod $F_{i-1}$. A common technique of cutting down the amount of calculation somewhat is based on computing first the residues mod $F_{i-1}$ of $r_{i-1}, r_{i-1}^2, r_{i-1}^4, \ldots, r_{i-1}^{2^s}$ by repeated squaring and reduction mod $F_{i-1}$, where $2^s$ is the largest power of 2 that is $\le q$, and then multiplying together an appropriate combination of these residues mod $F_{i-1}$ to obtain the residue of $r_{i-1}^q$ mod $F_{i-1}$. For instance, to get the residue of $r_{i-1}^{23}$ mod $F_{i-1}$, one would multiply together the residues of $r_{i-1}^{16}$, $r_{i-1}^{4}$, $r_{i-1}^{2}$, and $r_{i-1}$ mod $F_{i-1}$, since $23 = 16 + 4 + 2 + 1$.

Instead of working with the repeated squaring technique, we could employ the matrix $B$ from Berlekamp's algorithm in Section 1 to calculate $r_i$ from $r_{i-1}$. We write $n = \deg(f)$ and
$$r_{i-1}(x) = \sum_{j=0}^{n-1} r_{i-1}^{(j)} x^j$$
and define $(s_i^{(0)}, s_i^{(1)}, \ldots, s_i^{(n-1)}) \in \mathbb{F}_q^n$ by the matrix identity
$$(s_i^{(0)}, s_i^{(1)}, \ldots, s_i^{(n-1)}) = (r_{i-1}^{(0)}, r_{i-1}^{(1)}, \ldots, r_{i-1}^{(n-1)})\, B, \tag{4.20}$$
where $B$ is the $n \times n$ matrix in (4.5). With
$$s_i(x) = \sum_{j=0}^{n-1} s_i^{(j)} x^j \tag{4.21}$$
we get then $r_{i-1}(x)^q \equiv s_i(x) \bmod f(x)$, because the $q$th power map is $\mathbb{F}_q$-linear on $\mathbb{F}_q[x]/(f)$ and sends $x^j$ to the polynomial given by the $j$th row of $B$; hence $r_{i-1}(x)^q \equiv s_i(x) \bmod F_{i-1}(x)$, and thus $r_i(x) \equiv s_i(x) \bmod F_{i-1}(x)$.
Therefore, once the matrix $B$ has been calculated, we compute $r_i$ from $r_{i-1}$ in each step by reduction mod $F_{i-1}$ of the polynomial $s_i$ obtained from (4.20) and (4.21).

4.14. Example. We consider $f(x) = x^6 - 3x^5 + 5x^4 - 9x^3 - 5x^2 + 6x + 7 \in \mathbb{F}_{23}[x]$ as in Example 4.7. Then
$$B = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 5 & 0 & -1 & 8 & -3 & -10 \\ -10 & 10 & 10 & 0 & 1 & -9 \\ 0 & 7 & 9 & -8 & 10 & -11 \\ 11 & 0 & -4 & 7 & 7 & 2 \\ -3 & 0 & -10 & 9 & 2 & -9 \end{pmatrix}.$$
We start the algorithm with $r_0(x) = x$, $F_0(x) = f(x)$. From (4.20) and (4.21) we get $s_1(x) = -10x^5 - 3x^4 + 8x^3 - x^2 + 5$, and reduction mod $F_0(x)$ yields $r_1(x) = s_1(x)$. By Theorem 4.13 we have $g_1(x) = d_1(x) = \gcd(F_0(x), r_1(x) - x) = x - 4$. Furthermore, $F_1(x) = F_0(x)/d_1(x) = x^5 + x^4 + 9x^3 + 4x^2 + 11x + 4$. In the second iteration, we use again (4.20) and (4.21) to obtain $s_2(x) = 5x^5 - 8x^4 + 9x^3 - 10x^2 - 11$, and reduction mod $F_1(x)$ leads to $r_2(x) = 10x^4 + 10x^3 - 7x^2 - 9x - 8$. By Theorem 4.13 we have $g_2(x) = d_2(x) = \gcd(F_1(x), r_2(x) - x) = x^2 - x + 7$. Furthermore, $F_2(x) = F_1(x)/d_2(x) = x^3 + 2x^2 + 4x - 6$. But, according to the first part of (4.18), all irreducible factors of $F_2(x)$ have degree $\ge 3$, so that $F_2(x)$ itself must be irreducible in $\mathbb{F}_{23}[x]$ and $g_3(x) = F_2(x)$. Thus, we arrive at the partial factorization
$$f(x) = (x - 4)(x^2 - x + 7)(x^3 + 2x^2 + 4x - 6),$$
which, in this case, is already the canonical factorization of $f(x)$ in $\mathbb{F}_{23}[x]$. □
3. CALCULATION OF ROOTS OF POLYNOMIALS

We have seen in the preceding section that the problem of determining the canonical factorization of a polynomial can often be reduced to that of finding the roots of an auxiliary polynomial in a finite field. The calculation of roots of a polynomial is, of course, a matter of independent interest as well. In general, one will be interested in determining the roots of a polynomial in an extension of the field from which the coefficients are taken. However, it suffices to consider the situation in which we are asked to find the roots of a polynomial $f \in \mathbb{F}_q[x]$ of positive degree in $\mathbb{F}_q$, since a polynomial over a subfield can always be viewed as a polynomial over $\mathbb{F}_q$. It is clear that every factorization algorithm is, in particular, a root-finding algorithm, since the roots of $f$ in $\mathbb{F}_q$ can be read off from the linear factors that occur in the canonical factorization of $f$ in $\mathbb{F}_q[x]$. Thus, the algorithms presented in the earlier sections of this chapter can also be used for the determination of roots. However, these algorithms will often not be the most efficient procedures for the more specialized task of calculating roots. Therefore, we shall discuss methods that are better suited to this particular purpose.

As a first step, one may isolate that part of $f$ which contains the roots of $f$ in $\mathbb{F}_q$. This is achieved by calculating $\gcd(f(x), x^q - x)$. Since $x^q - x$ is the product of all monic linear polynomials in $\mathbb{F}_q[x]$, this greatest common divisor is the product of all monic linear polynomials over $\mathbb{F}_q$ dividing $f$, and so its roots are precisely the roots of $f$ in $\mathbb{F}_q$. Therefore, we may assume, without loss of generality, that the polynomial for which we want to find the roots in $\mathbb{F}_q$ is a product of distinct monic linear polynomials over $\mathbb{F}_q$.
A useful method of finding roots of polynomials was already discussed in Chapter 3, Section 4. It is based on the determination of an affine multiple of the given polynomial. See Example 3.55 for an illustration of this method. In order to arrive at other methods, we consider first the case of a prime field $\mathbb{F}_p$. As we have seen above, it suffices to deal with polynomials of the form
$$f(x) = \prod_{i=1}^{n} (x - c_i),$$
where $c_1, \ldots, c_n$ are distinct elements of $\mathbb{F}_p$. If $p$ is small, then it is feasible to determine the roots of $f$ by trial and error, that is, by simply calculating $f(0), f(1), \ldots, f(p-1)$. For large $p$ the following method may be employed. For $b \in \mathbb{F}_p$, $p$ odd, we consider
$$f(x - b) = \prod_{i=1}^{n} \big(x - (b + c_i)\big).$$
We note that $f(x - b)$ divides $x^p - x = x\,(x^{(p-1)/2} + 1)(x^{(p-1)/2} - 1)$. If $x$ is a factor of $f(x - b)$, then $f(-b) = 0$ and a root of $f$ has been found. If $x$ is not a factor of $f(x - b)$, then, since $f(x - b)$ has no repeated factors and the two polynomials $x^{(p-1)/2} + 1$ and $x^{(p-1)/2} - 1$ are relatively prime, we have
$$f(x - b) = \gcd\big(f(x - b), x^{(p-1)/2} + 1\big)\,\gcd\big(f(x - b), x^{(p-1)/2} - 1\big). \tag{4.22}$$
The identity (4.22) is now used as follows. We calculate the residue mod $f(x - b)$ of $x^{(p-1)/2}$, for example, by the repeated squaring technique discussed after Theorem 4.13. If $x^{(p-1)/2} \not\equiv \pm 1 \bmod f(x - b)$, then (4.22) yields a nontrivial partial factorization of $f(x - b)$. Replacing $x$ by $x + b$, we get then a nontrivial partial factorization of $f(x)$. In the rather unlikely case where $x^{(p-1)/2} \equiv \pm 1 \bmod f(x - b)$, we try another value of $b$. Thus, by using, if necessary, several choices for $b$, we will find either a root of $f$ or a nontrivial partial factorization of $f$. Continuing this process, we will eventually obtain all the roots of $f$. It should be noted that, strictly speaking, this is not a deterministic, but a probabilistic root-finding algorithm, as it depends on the random selection of several elements $b \in \mathbb{F}_p$.

4.15. Example. Find the roots of $f(x) = x^6 - 7x^5 + 3x^4 - 7x^3 + 4x^2 - x - 2 \in \mathbb{F}_{17}[x]$ contained in $\mathbb{F}_{17}$. The roots of $f(x)$ in $\mathbb{F}_{17}$ are precisely the roots of $g(x) = \gcd(f(x), x^{17} - x)$ in $\mathbb{F}_{17}$. By the Euclidean algorithm we obtain $g(x) = x^4 + 6x^3 - 5x^2 + 7x - 2$. To find the roots of $g(x)$, we use the algorithm above and first select $b = 0$. A straightforward calculation yields $x^{(p-1)/2} = x^8 \equiv 1 \bmod g(x)$, and so this value of $b$ does not afford a nontrivial partial factorization of $g(x)$. Next we choose $b = 1$. Then $g(x - 1) = x^4 + 2x^3 - 3x - 2$ and $x^8 \equiv -4x^3 - 7x^2 + 8x - 5 \bmod g(x - 1)$, so that $b = 1$ yields a nontrivial partial factorization of $g(x - 1)$. We have
$$\gcd(g(x - 1), x^8 + 1) = \gcd(x^4 + 2x^3 - 3x - 2,\ -4x^3 - 7x^2 + 8x - 4) = x^2 - 7x + 4$$
and
$$\gcd(g(x - 1), x^8 - 1) = \gcd(x^4 + 2x^3 - 3x - 2,\ -4x^3 - 7x^2 + 8x - 6) = x^2 - 8x + 8,$$
hence (4.22) implies
$$g(x - 1) = (x^2 - 7x + 4)(x^2 - 8x + 8),$$
which leads to the partial factorization
$$g(x) = (x^2 - 5x - 2)(x^2 - 6x + 1) = g_1(x)\,g_2(x),$$
say. In order to factor $g_1(x)$ and $g_2(x)$, we try $b = 2$. We have $g_1(x - 2) = x^2 + 8x - 5$ and $x^8 \equiv -8x + 2 \bmod g_1(x - 2)$. Furthermore, $\gcd(g_1(x - 2), x^8 + 1) = \gcd(x^2 + 8x - 5,\ -8x + 3) = x + 6$, and long division yields $g_1(x - 2) = (x + 6)(x + 2)$, so that
$$g_1(x) = (x + 8)(x + 4).$$
Turning to $g_2(x)$, we have $g_2(x - 2) = x^2 + 7x = x(x + 7)$, thus $-2$ is a root of $g_2(x)$ and
$$g_2(x) = (x + 2)(x - 8).$$
Combining these factorizations, we get
$$g(x) = (x + 8)(x + 4)(x + 2)(x - 8).$$
Therefore, the roots of $g(x)$, and thus of $f(x)$, in $\mathbb{F}_{17}$ are $-8, -4, -2, 8$. □
Next we discuss a root-finding algorithm for large finite fields $\mathbb{F}_q$ with small characteristic $p$. As before, it suffices to consider the case where
$$f(x) = \prod_{i=1}^{n} (x - \gamma_i)$$
with distinct elements $\gamma_1, \ldots, \gamma_n \in \mathbb{F}_q$. Let $q = p^m$ and define the polynomial
$$S(x) = \sum_{i=0}^{m-1} x^{p^i}.$$
We note that for $\gamma \in \mathbb{F}_q$ we have $S(\gamma) = \mathrm{Tr}_{\mathbb{F}_q}(\gamma) \in \mathbb{F}_p$, where $\mathrm{Tr}_{\mathbb{F}_q}$ is the absolute trace function (see Definition 2.22). Because of Theorem 2.23(iii), the equation $S(\gamma) = c$ has $p^{m-1}$ solutions $\gamma \in \mathbb{F}_q$ for every $c \in \mathbb{F}_p$; since $S(x) - c$ has degree $p^{m-1}$, it is therefore the product of the $p^{m-1}$ distinct linear factors $x - \gamma$ with $S(\gamma) = c$, and this observation leads to the identity
$$x^q - x = \prod_{c \in \mathbb{F}_p} \big(S(x) - c\big). \tag{4.23}$$
Since $f(x)$ divides $x^q - x$, we get
$$\prod_{c \in \mathbb{F}_p} \big(S(x) - c\big) \equiv 0 \bmod f(x),$$
and so, the factors $S(x) - c$ being pairwise relatively prime and $f(x)$ having no repeated factors,
$$f(x) = \prod_{c \in \mathbb{F}_p} \gcd\big(f(x), S(x) - c\big). \tag{4.24}$$
This yields a partial factorization of $f(x)$ that calls for the calculation of $p$ greatest common divisors. If $p$ is small, this is certainly a feasible method. It can, however, happen that the factorization in (4.24) is trivial, namely, precisely when $S(x) \equiv c \bmod f(x)$ for some $c \in \mathbb{F}_p$. In this case, other auxiliary polynomials related to $S(x)$ have to be used. Let $\beta$ be a defining element of $\mathbb{F}_q$ over $\mathbb{F}_p$, so that $\{1, \beta, \beta^2, \ldots, \beta^{m-1}\}$ is a basis of $\mathbb{F}_q$ over $\mathbb{F}_p$. For $j = 0, 1, \ldots, m-1$ we substitute $\beta^j x$ for $x$ in (4.23) and we get
$$(\beta^j)^q x^q - \beta^j x = \prod_{c \in \mathbb{F}_p} \big(S(\beta^j x) - c\big).$$
Since $(\beta^j)^q = \beta^j$, we obtain
$$x^q - x = \beta^{-j} \prod_{c \in \mathbb{F}_p} \big(S(\beta^j x) - c\big).$$
This yields the following generalization of (4.24):
$$f(x) = \prod_{c \in \mathbb{F}_p} \gcd\big(f(x), S(\beta^j x) - c\big) \quad\text{for } 0 \le j \le m-1. \tag{4.25}$$
We show now that if $n = \deg(f) \ge 2$, then there exists at least one $j$, $0 \le j \le m-1$, for which the partial factorization in (4.25) is nontrivial. For suppose, on the contrary, that all the partial factorizations in (4.25) are trivial. Then for each $j$, $0 \le j \le m-1$, there exists a $c_j \in \mathbb{F}_p$ with $S(\beta^j x) \equiv c_j \bmod f(x)$. In particular, we get
$$S(\beta^j \gamma_1) = S(\beta^j \gamma_2) = c_j \quad\text{for } 0 \le j \le m-1.$$
By the linearity of the trace it follows that
$$\mathrm{Tr}_{\mathbb{F}_q}\big((\gamma_1 - \gamma_2)\beta^j\big) = 0 \quad\text{for } 0 \le j \le m-1,$$
and since the $\beta^j$ form a basis of $\mathbb{F}_q$ over $\mathbb{F}_p$, this means $\mathrm{Tr}_{\mathbb{F}_q}((\gamma_1 - \gamma_2)\delta) = 0$ for all $\delta \in \mathbb{F}_q$. Using the second part of Theorem 2.24, we conclude that $\gamma_1 - \gamma_2 = 0$, which is a contradiction. Thus, for at least one $j$ the partial factorization in (4.25) is nontrivial. The defining element $\beta$ of $\mathbb{F}_q$ over $\mathbb{F}_p$ used in (4.25) is chosen as a root of a known irreducible polynomial in $\mathbb{F}_p[x]$ of degree $m$. Once a nontrivial factorization of the form (4.25) has been found, the method is applied to the nontrivial factors by employing other values of $j$. The argument above shows also that all distinct roots of $f$ can eventually be separated by using all the values of $j$ in (4.25).
4.16. Example. Consider $\mathbb{F}_{64} = \mathbb{F}_2(\beta)$, where $\beta$ is a root of the irreducible polynomial $x^6 + x + 1$ in $\mathbb{F}_2[x]$, and let
$$f(x) = x^4 + (\beta^5 + \beta^4 + \beta^3 + \beta^2)x^3 + (\beta^5 + \beta^4 + \beta^2 + \beta + 1)x^2 + (\beta^4 + \beta^3 + \beta)x + \beta^3 + \beta \in \mathbb{F}_{64}[x].$$
Using
$$x^4 \equiv (\beta^5 + \beta^4 + \beta^3 + \beta^2)x^3 + (\beta^5 + \beta^4 + \beta^2 + \beta + 1)x^2 + (\beta^4 + \beta^3 + \beta)x + \beta^3 + \beta \bmod f(x),$$
we obtain by repeated squaring the residues of $x^2, x^4, x^8, x^{16}, x^{32}$ mod $f(x)$, each being the square of the preceding residue reduced mod $f(x)$ (in characteristic 2 the squaring map is additive, so a residue is squared by squaring its coefficients and doubling the exponents of $x$), and finally $x^{64} \equiv x \bmod f(x)$. Thus $f(x)$ divides $x^{64} - x$ and so has four distinct roots in $\mathbb{F}_{64}$. We consider now $S(x) = x + x^2 + x^4 + x^8 + x^{16} + x^{32}$. From the congruences above we obtain
$$S(x) \equiv (\beta^5 + \beta^3 + \beta^2 + \beta + 1)x^3 + \beta^5 x^2 + (\beta^3 + \beta^2)x + \beta^3 + \beta^2 + 1 \bmod f(x),$$
and therefore
$$\gcd(f(x), S(x)) = x^3 + (\beta^4 + \beta^3 + \beta^2)x^2 + (\beta^5 + \beta^2 + 1)x + \beta^3 + \beta^2 = g(x),$$
say, and
$$\gcd(f(x), S(x) - 1) = x + \beta^5.$$
Then (4.24) yields
$$f(x) = g(x)\,(x + \beta^5). \tag{4.26}$$
To find the roots of $g(x)$, we next use (4.25) with $j = 1$. We have
$$S(\beta x) = \beta x + \beta^2 x^2 + \beta^4 x^4 + \beta^8 x^8 + \beta^{16} x^{16} + \beta^{32} x^{32} = \beta x + \beta^2 x^2 + \beta^4 x^4 + (\beta^3 + \beta^2)x^8 + (\beta^4 + \beta + 1)x^{16} + (\beta^3 + 1)x^{32},$$
and the congruences above yield
$$S(\beta x) \equiv (\beta^2 + 1)x^3 + (\beta^3 + \beta + 1)x^2 + (\beta^5 + \beta^4 + \beta^3 + \beta^2 + \beta + 1)x + \beta^4 + \beta^2 + \beta \bmod f(x).$$
Since $g(x)$ divides $f(x)$, this congruence holds also mod $g(x)$, and so
$$S(\beta x) \equiv (\beta^5 + \beta^2)x^2 + \beta^3 x + \beta^5 + \beta^3 + \beta \bmod g(x).$$
Thus,
$$\gcd(g(x), S(\beta x)) = x^2 + (\beta^3 + 1)x + \beta^4 + \beta^3 + \beta^2 + \beta = h(x),$$
say, and
$$\gcd(g(x), S(\beta x) - 1) = x + \beta^4 + \beta^2 + 1.$$
Then (4.25) with $j = 1$ yields
$$g(x) = h(x)\,(x + \beta^4 + \beta^2 + 1). \tag{4.27}$$
To find the roots of $h(x)$, we use (4.25) with $j = 2$. We have
$$S(\beta^2 x) = \beta^2 x + \beta^4 x^2 + \beta^8 x^4 + \beta^{16} x^8 + \beta^{32} x^{16} + \beta^{64} x^{32} = \beta^2 x + \beta^4 x^2 + (\beta^3 + \beta^2)x^4 + (\beta^4 + \beta + 1)x^8 + (\beta^3 + 1)x^{16} + \beta x^{32},$$
and a similar calculation as for $S(\beta x)$ yields
$$S(\beta^2 x) \equiv (\beta^5 + \beta^2 + 1)x + \beta^5 + \beta^3 + \beta^2 \bmod h(x).$$
Therefore,
$$\gcd(h(x), S(\beta^2 x)) = x + \beta + 1$$
and
$$\gcd(h(x), S(\beta^2 x) - 1) = x + \beta^3 + \beta,$$
so that from (4.25) with $j = 2$ we get
$$h(x) = (x + \beta + 1)(x + \beta^3 + \beta). \tag{4.28}$$
Combining (4.26), (4.27), and (4.28), we arrive at the factorization
$$f(x) = (x + \beta + 1)(x + \beta^3 + \beta)(x + \beta^4 + \beta^2 + 1)(x + \beta^5),$$
and so the roots of $f(x)$ are $\beta + 1$, $\beta^3 + \beta$, $\beta^4 + \beta^2 + 1$, and $\beta^5$. □
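The following Python program is an added example and not part of the book; it carries out the three procedures of Examples 4.14, 4.15 and 4.16 on the data of those examples. It implements coefficient-list polynomial arithmetic over $\mathbb{F}_p$ and over $\mathbb{F}_{2^m}$ (an element of $\mathbb{F}_{2^m}$ is stored as a bit mask over the basis $1, \beta, \ldots, \beta^{m-1}$, so $\beta$ itself is the integer 2 and $\beta^5$ is 32; negative coefficients over $\mathbb{F}_p$ are entered as their residues), the distinct-degree factorization of Theorem 4.13 with the Frobenius matrix $B$ of (4.20) (Example 4.14), the root-finding method based on (4.22) (Example 4.15, with $b$ tried in the order $0, 1, 2, \ldots$ instead of at random, and with $\gcd(g(x-b), x^{(p-1)/2}+1)$ computed in the equivalent form $\gcd(g(x), (x+b)^{(p-1)/2}+1)$), and the trace-polynomial splitting (4.24)/(4.25) (Example 4.16). All class, function and variable names are my own choices.

```python
# Added example, not from the book: coefficient-list polynomial arithmetic over F_p and F_{2^m} with the
# procedures of Examples 4.14 (Theorem 4.13 and the matrix B), 4.15 (identity (4.22)) and 4.16 ((4.24)/(4.25)).
from itertools import zip_longest

class Field:
    """F_q, q = p^m: ints mod p for m = 1; for p = 2, m > 1 bit masks over 1, beta, ..., beta^(m-1), `mod` = defining polynomial of beta (bit m set)."""
    def __init__(self, p, m=1, mod=0): self.char, self.m, self.q, self.mod = p, m, p ** m, mod
    def add(self, a, b): return a ^ b if self.m > 1 else (a + b) % self.q
    def sub(self, a, b): return a ^ b if self.m > 1 else (a - b) % self.q
    def mul(self, a, b):
        if self.m == 1: return a * b % self.q
        r = 0
        while b:                                 # shift-and-add, replacing beta^m via `mod`
            if b & 1: r ^= a
            a, b = a << 1, b >> 1
            if a >> self.m: a ^= self.mod
        return r
    def inv(self, a): return fpow(self, a, self.q - 2)
def fpow(F, a, e):                               # a^e in F by square-and-multiply
    r = 1
    while e:
        if e & 1: r = F.mul(r, a)
        a, e = F.mul(a, a), e >> 1
    return r

# Polynomials are coefficient lists, constant term first; [] is the zero polynomial.
def trim(a):
    while a and a[-1] == 0: a.pop()
    return a
def padd(F, a, b): return trim([F.add(x, y) for x, y in zip_longest(a, b, fillvalue=0)])
def psub(F, a, b): return trim([F.sub(x, y) for x, y in zip_longest(a, b, fillvalue=0)])
def pmul(F, a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b): r[i + j] = F.add(r[i + j], F.mul(x, y))
    return trim(r)
def pdivmod(F, a, b):                            # long division by b != 0: (quotient, remainder)
    a, q, inv = list(a), [0] * max(len(a) - len(b) + 1, 0), F.inv(b[-1])
    while len(a) >= len(b):
        c, k = F.mul(a[-1], inv), len(a) - len(b); q[k] = c
        for i, y in enumerate(b): a[i + k] = F.sub(a[i + k], F.mul(c, y))
        trim(a)
    return trim(q), a
def pgcd(F, a, b):                               # monic gcd by the Euclidean algorithm
    while b: a, b = b, pdivmod(F, a, b)[1]
    return [F.mul(F.inv(a[-1]), x) for x in a] if a else a
def ppowmod(F, a, e, mod):                       # a^e mod `mod` by repeated squaring
    r, a = [1], pdivmod(F, a, mod)[1]
    while e:
        if e & 1: r = pdivmod(F, pmul(F, r, a), mod)[1]
        a, e = pdivmod(F, pmul(F, a, a), mod)[1], e >> 1
    return r

def distinct_degree(F, f):
    """Theorem 4.13 for squarefree monic f: [(i, d_i)], d_i = product of the degree-i irreducible factors."""
    x, r, Fi, out, i = [0, 1], [0, 1], f, [], 0
    while len(Fi) > 1:
        i += 1
        r = ppowmod(F, r, F.q, Fi)               # r_i = r_{i-1}^q mod F_{i-1}          (4.17)
        d = pgcd(F, Fi, psub(F, r, x))           # d_i = gcd(F_{i-1}, r_i - x) = g_i     (4.18)
        if len(d) > 1: out.append((i, d)); Fi = pdivmod(F, Fi, d)[0]
        if 1 < len(Fi) <= 2 * (i + 1):           # all factors of F_i have degree > i, so F_i is irreducible
            out.append((len(Fi) - 1, Fi)); break
    return out
def frobenius_matrix(F, f):
    """The matrix B of (4.5): row j holds x^(qj) mod f, so (4.20) is the row-vector product r_{i-1} * B."""
    n, xq, rows, r = len(f) - 1, ppowmod(F, [0, 1], F.q, f), [], [1]
    for _ in range(n):
        rows.append(r + [0] * (n - len(r))); r = pdivmod(F, pmul(F, r, xq), f)[1]
    return rows
def roots_mod_p(F, f):
    """Roots of f in F_p, p odd, via (4.22); gcd(g(x-b), x^((p-1)/2)+1) is taken as gcd(g(x), (x+b)^((p-1)/2)+1)."""
    p, x = F.q, [0, 1]
    g = pgcd(F, f, psub(F, ppowmod(F, x, p, f), x))       # product of the distinct linear factors
    todo, roots = [g] if len(g) > 1 else [], []
    while todo:
        g = todo.pop()
        if len(g) == 2: roots.append(F.sub(0, g[0])); continue
        for b in range(p):                                 # b = 0, 1, 2, ... (the book picks b at random)
            if pdivmod(F, g, [b, 1])[1] == []: d = [b, 1]  # g(-b) = 0: x divides g(x - b)
            else: d = pgcd(F, g, padd(F, ppowmod(F, [b, 1], (p - 1) // 2, g), [1]))
            if 1 < len(d) < len(g): todo += [d, pdivmod(F, g, d)[0]]; break
    return sorted(roots)
def roots_small_char(F, f, beta):
    """Roots of f = prod (x - gamma_i), distinct gamma_i in F_{p^m}, by (4.24)/(4.25) with S(x) = x + x^p + ... + x^(p^(m-1))."""
    todo, roots = [f], []
    while todo:
        g = todo.pop()
        if len(g) == 2: roots.append(F.sub(0, g[0])); continue
        for j in range(F.m):
            s, bj, xp = [], fpow(F, beta, j), [0, 1]
            for _ in range(F.m):                           # (beta^j x)^(p^i) = (beta^j)^(p^i) x^(p^i)
                s = padd(F, s, [F.mul(bj, c) for c in xp])
                bj, xp = fpow(F, bj, F.char), ppowmod(F, xp, F.char, g)
            split = [d for c in range(F.char) for d in [pgcd(F, g, psub(F, s, [c]))] if 1 < len(d) < len(g)]
            if split: todo += [split[0], pdivmod(F, g, split[0])[0]]; break
    return sorted(roots)
```

With `f14 = [7, 6, 18, 14, 5, 20, 1]` (the polynomial of Example 4.14 with its coefficients reduced mod 23), `distinct_degree(Field(23), f14)` returns the three factors $x - 4$, $x^2 - x + 7$, $x^3 + 2x^2 + 4x - 6$ as `[(1, [19, 1]), (2, [7, 22, 1]), (3, [17, 4, 2, 1])]`, and `frobenius_matrix(Field(23), f14)` returns the matrix $B$ of that example row by row. For Example 4.15, `roots_mod_p(Field(17), [15, 16, 4, 10, 3, 10, 1])` returns `[8, 9, 13, 15]`, the residues of $8, -8, -4, -2$. For Example 4.16, `roots_small_char(Field(2, 6, 0b1000011), [10, 26, 55, 60, 1], 2)` returns `[3, 10, 21, 32]`, that is $\beta + 1$, $\beta^3 + \beta$, $\beta^4 + \beta^2 + 1$, $\beta^5$.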
Finally we consider the root-finding problem for large finite fields $\mathbb{F}_q$ with large characteristic $p$. As we have seen before, it suffices to know how to treat polynomials of the form
$$f(x) = \prod_{i=1}^{n} (x - \gamma_i)$$
with distinct elements $\gamma_1, \ldots, \gamma_n \in \mathbb{F}_q$. To check whether $f(x)$ has this form, we need only verify the congruence $x^q \equiv x \bmod f(x)$ (compare with the first part of Example 4.16). We can assume that $q$ is the least power of $p$ for which this holds. The polynomial $f(x)$ will, of course, be given by its standard representation
$$f(x) = \sum_{j=0}^{n} \alpha_j x^j,$$
where $\alpha_j \in \mathbb{F}_q$ for $0 \le j \le n$ and $\alpha_n = 1$. It will be our first aim to find a nontrivial factor of $f(x)$. To exclude a trivial case, we can assume $n \ge 2$. Let $q = p^m$ and define the polynomials
$$f_k(x) = \sum_{j=0}^{n} \alpha_j^{p^k} x^j \quad\text{for } 0 \le k \le m-1, \tag{4.29}$$
so that $f_0(x) = f(x)$ and each $f_k(x)$ is a monic polynomial over $\mathbb{F}_q$. Furthermore,
$$f_k(\gamma_i^{p^k}) = \sum_{j=0}^{n} \alpha_j^{p^k} \gamma_i^{j p^k} = \Big(\sum_{j=0}^{n} \alpha_j \gamma_i^{j}\Big)^{p^k} = 0$$
for $1 \le i \le n$, $0 \le k \le m-1$, and so
$$f_k(x) = \prod_{i=1}^{n} (x - \gamma_i^{p^k}) \quad\text{for } 0 \le k \le m-1.$$
We calculate now the polynomial
$$F(x) = \prod_{k=0}^{m-1} f_k(x). \tag{4.30}$$
This is a polynomial over $\mathbb{F}_p$ since
$$F(x) = \prod_{k=0}^{m-1}\prod_{i=1}^{n} (x - \gamma_i^{p^k}) = \prod_{i=1}^{n}\prod_{k=0}^{m-1} (x - \gamma_i^{p^k}) = \prod_{i=1}^{n} F_i(x)^{m/d_i},$$
where $F_i(x)$ is the minimal polynomial of $\gamma_i$ over $\mathbb{F}_p$ and $d_i$ is its degree (compare with the discussion following Definition 2.22). The $F_i(x)$ are therefore the irreducible factors of $F(x)$ in $\mathbb{F}_p[x]$, but certain $F_i(x)$ could be identical. Thus, the canonical factorization of $F(x)$ in $\mathbb{F}_p[x]$ has the form
$$F(x) = G_1(x) \cdots G_r(x), \tag{4.31}$$
where the $G_l(x)$, $1 \le l \le r$, are powers of the distinct $F_i(x)$. This canonical factorization can be obtained by one of the factorization algorithms in Section 2 of this chapter. Since $f(x) = f_0(x)$ divides $F(x)$, it follows from (4.31) that
$$f(x) = \prod_{l=1}^{r} \gcd\big(f(x), G_l(x)\big). \tag{4.32}$$
In most cases, (4.32) will provide a nontrivial partial factorization of $f(x)$. The factorization will be trivial precisely if $\gcd(f(x), G_l(x)) = f(x)$ for some $l$, $1 \le l \le r$, which is equivalent to $r = 1$ and $f(x)$ dividing $F_1(x)$. A comparison of degrees shows then $n \le d_1 \le m$. Furthermore, the roots of $f(x)$ are then all conjugate with respect to $\mathbb{F}_p$. Thus, by labelling the roots of $f(x)$ suitably, we can write
$$\gamma_i = \gamma_1^{p^{b_i}} \quad\text{for } 1 \le i \le n, \text{ with } 0 = b_1 < b_2 < \cdots < b_n < m.$$
We set $b_{n+1} = m$ and
$$d = \min_{1 \le i \le n} (b_{i+1} - b_i).$$
It is clear that $d \le m/n$. The following two possibilities can occur:

(A) $b_{i+1} - b_i > d$ for some $i$, $1 \le i \le n$;

(B) $b_{i+1} - b_i = d$ for all $i$, $1 \le i \le n$.

In case (A) we note that the set of roots of $f(x)$ is $\{\gamma_1^{p^{b_1}}, \gamma_1^{p^{b_2}}, \ldots, \gamma_1^{p^{b_n}}\}$ and the set of roots of $f_d(x)$ is $\{\gamma_1^{p^{b_1 + d}}, \gamma_1^{p^{b_2 + d}}, \ldots, \gamma_1^{p^{b_n + d}}\}$. The condition in (A) implies that these two sets of roots are not identical. On the other hand, since $b_{i+1} - b_i = d$ for some $i$, $1 \le i \le n$, the two sets of roots have a common element. Thus, $\gcd(f(x), f_d(x)) \ne f(x)$ and $\ne 1$; that is, $\gcd(f(x), f_d(x))$ is a nontrivial factor of $f(x)$. In case (B) we have
$$\gamma_i = \gamma_1^{p^{(i-1)d}} \quad\text{for } 1 \le i \le n,$$
and $nd = b_{n+1} - b_1 = m$, so that $d = m/n$; hence the $\gamma_i$ are exactly all the conjugates of $\gamma_1$ with respect to $\mathbb{F}_{p^d}$. Consequently, $f(x)$ is the minimal polynomial of $\gamma_1$ over $\mathbb{F}_{p^d}$, and thus irreducible over $\mathbb{F}_{p^d}$.

Therefore, corresponding to the cases (A) and (B) above we have the following alternatives:

(A) $\gcd(f(x), f_k(x))$ is a nontrivial factor of $f(x)$ for some $k$, $1 \le k < m/n$;

(B) $\gcd(f(x), f_k(x)) = 1$ for $1 \le k < d = m/n \in \mathbb{N}$, and $f(x) = f_d(x)$ is the minimal polynomial of $\gamma_1$ over $\mathbb{F}_{p^d}$.

In alternative (A) our aim of finding a nontrivial factor of $f(x)$ has been achieved. Further work is needed in alternative (B). Let $\beta$ again denote a defining element of $\mathbb{F}_q$ over $\mathbb{F}_p$. Then $\mathbb{F}_{p^d}(\beta) = \mathbb{F}_q = \mathbb{F}_{p^{dn}}$, and so $\beta$ is of degree $m/d = n$ over $\mathbb{F}_{p^d}$. In particular, we have $\beta^j \notin \mathbb{F}_{p^d}$ for $1 \le j \le n-1$. Now let the coefficients $\alpha_j$ of $f(x)$ be such that $\alpha_{j_0} \ne 0$ for some $j_0$ with $1 \le j_0 \le n-1$. Consider
$$\tilde f(x) = \beta^{-n} f(\beta x), \tag{4.33}$$
which is a monic polynomial of degree $n$ over $\mathbb{F}_q$. Since $\beta^{j_0 - n} \notin \mathbb{F}_{p^d}$ and $\alpha_{j_0} \in \mathbb{F}_{p^d}$, it follows that the coefficient $\beta^{j_0 - n}\alpha_{j_0}$ of $x^{j_0}$ in $\tilde f(x)$ is not an element of $\mathbb{F}_{p^d}$. Thus $\tilde f(x)$ is not a polynomial over $\mathbb{F}_{p^d}$, and so the alternative (B) cannot occur if the procedure above is applied to $\tilde f(x)$. Since $f(x) = \beta^n \tilde f(\beta^{-1} x)$, any nontrivial factor of $\tilde f(x)$ yields immediately a nontrivial factor of $f(x)$.

It remains to consider the case where alternative (B) is valid and $\alpha_j = 0$ for $1 \le j \le n-1$. Then $f(x)$ is the binomial $x^n + \alpha_0 \in \mathbb{F}_{p^d}[x]$. Now $n$ is not a multiple of $p$, for otherwise we would have $f(x) = (x^{n/p} + \alpha_0^{1/p})^p$, which would contradict the irreducibility of $f(x)$ over $\mathbb{F}_{p^d}$. We set
$$\tilde f(x) = \beta^{-n} f(\beta x + 1), \tag{4.34}$$
and then it is easily seen from $\beta^{-1} \notin \mathbb{F}_{p^d}$ that the coefficient $n\beta^{-1}$ of $x^{n-1}$ in $\tilde f(x)$ is not in $\mathbb{F}_{p^d}$. Thus, the alternative (B) cannot occur if the procedure described above is applied to $\tilde f(x)$. Since $f(x) = \beta^n \tilde f(\beta^{-1}(x - 1))$, any nontrivial factor of $\tilde f(x)$ yields immediately a nontrivial factor of $f(x)$.

This root-finding algorithm is thus carried out as follows. We first form the polynomials $f_k(x)$ according to (4.29) and then the polynomial $F(x) \in \mathbb{F}_p[x]$ according to (4.30). Next, we apply a factorization algorithm to obtain the canonical factorization (4.31) of $F(x)$ in $\mathbb{F}_p[x]$. This leads to the partial factorization of $f(x)$ given by (4.32). Should this factorization be trivial, we calculate $\gcd(f(x), f_k(x))$ for $1 \le k < m/n$. If this also does not produce a nontrivial factor of $f(x)$, we transform $f(x)$ into $\tilde f(x)$ by either (4.34) or (4.33), depending on whether $f(x)$ is a binomial or not. As we have shown above, an application of the algorithm to $\tilde f(x)$ is bound to yield a nontrivial factor of $\tilde f(x)$ and thus of $f(x)$. Once a nontrivial factor of $f(x)$ has been found, the procedure is continued with the resulting factors in place of $f(x)$, until $f(x)$ is split up completely into linear factors.
EXERCISES

4.1. Factor x^12 + x' + x' + x' + x' + x' + 1 over $\mathbb{F}_2$ by Berlekamp's algorithm.

4.2. Factor x' + x' + x' - x' + x' - x - 1 over 1F, by Berlekamp's algorithm.

4.3. Let $\mathbb{F}_4 = \mathbb{F}_2(\theta)$ and factor x' + θx' + x' + (1 + θ)x + θ over $\mathbb{F}_4$ by Berlekamp's algorithm.

4.4. Use Berlekamp's algorithm to prove that x' - x' - x - 1 is irreducible in IF,[x].

4.5. Use Berlekamp's algorithm to determine the number of distinct monic irreducible factors of $x^4 + 1$ in $\mathbb{F}_p[x]$ for all odd primes $p$.

4.6. Use the polynomials $T_i$ in Section 1 to factor x' + x^4 + 1 over IF,.

4.7. Determine the splitting field of x' + x' + x' + x^4 + x' + x' + 1 over IF,.

4.8. Determine the splitting field of x' - x^4 - x' - x + 1 over IF,.

4.9. Use the polynomials $R_i$ in Section 1 to factor the polynomial of Exercise 4.1 over $\mathbb{F}_2$.

4.10. Find the canonical factorization of XX + x' + x^4 + x' + 1 in 1F,[x] by using the polynomials $R_i$ in Section 1.

4.11. Determine the canonical factorization of the cyclotomic polynomial $Q_{31}(x)$ in IF,[x].

4.12. Factor $f(x)$ = x' + xl + 1 over IF, and determine $\mathrm{ord}(f(x))$.

4.13. Factor $f(x)$ = x^9 + x' + x' + x' + x' + x + 1 over IF, and determine $\mathrm{ord}(f(x))$.

4.14. Prove in detail that if $f$ is a nonzero polynomial over a field and $d = \gcd(f, f')$, then $f/d$ has no repeated factors. (Note: Count nonzero constant polynomials among the polynomials with no repeated factors.)

4.15. Let $f$ be a monic polynomial of positive degree with integer coefficients. Prove that if $f$ has no repeated factors, then there are only finitely many primes $p$ such that $f$, considered as a polynomial over $\mathbb{F}_p$, has repeated factors.

4.16. Determine the number of monic polynomials in $\mathbb{F}_q[x]$ of degree $n \ge 1$ with no repeated factors.

4.17. Let $f$ be a monic polynomial over $\mathbb{F}_q$ and let $g_1, \ldots, g_k$ be nonzero polynomials over $\mathbb{F}_q$ that are pairwise relatively prime. Prove that if $f$ divides $g_1 \cdots g_k$, then $f = \prod_{i=1}^{k} \gcd(f, g_i)$.

4.18. Use Berlekamp's algorithm to prove the following special case of Theorem 3.75: the binomial $x^t - a$, where $t$ is a prime divisor of $q - 1$ and $a \in \mathbb{F}_q^*$, is irreducible in $\mathbb{F}_q[x]$ if and only if $a^{(q-1)/t} \ne 1$.

4.19. Let $f$ be an irreducible polynomial in $\mathbb{F}_q[x]$ of degree $n$ and define the $n \times n$ matrix $B = (b_{ij})$ by (4.4). Prove that the characteristic polynomial $\det(xI - B)$ of $B$ is equal to $x^n - 1$.

4.20. Let $f = f_1 \cdots f_k$ be a product of $k$ distinct monic irreducible polynomials $f_1, \ldots, f_k$ in $\mathbb{F}_q[x]$ of degree $n_1, \ldots, n_k$, respectively. Put $\deg(f) = n = n_1 + \cdots + n_k$ and define the $n \times n$ matrix $B = (b_{ij})$ by (4.4). Prove that the characteristic polynomial $\det(xI - B)$ of $B$ is equal to $(x^{n_1} - 1) \cdots (x^{n_k} - 1)$.

4.21. In the notation of Section 1, prove that the polynomials $T_i$ do not separate those irreducible factors $f_j$ of $f$ for which $N/n_j$ is divisible by the characteristic of $\mathbb{F}_q$.

4.22. Let $f \in \mathbb{F}_q[x]$ be monic of degree $n \ge 1$. Define $h \in \mathbb{F}_q[x, y]$ by
$$h(x, y) = (y - x)(y - x^q)(y - x^{q^2}) \cdots (y - x^{q^{n-1}}) - f(y)$$
and write $h(x, y) = s_{n-1}(x) y^{n-1} + \cdots + s_1(x) y + s_0(x)$. Prove that $f$ is irreducible over $\mathbb{F}_q$ if and only if $f$ divides $s_j$ for $0 \le j \le n-1$.

4.23. Use the criterion in the preceding exercise to prove that x^7 + x" + x^3 + x^2 + 1 is reducible over $\mathbb{F}_2$.

4.24. Prove that the quadratic polynomial $f(x) = x^2 + bx + c$ is irreducible over $\mathbb{F}_q$ if and only if $f(x)$ divides $x^q + x + b$.

4.25. Let $f$ be an irreducible polynomial in $\mathbb{F}_q[x]$ of degree $m$ and let $\lambda$ be a root of $f$ in $\mathbb{F}_{q^m}$. Let $g$ and $h$ be nonzero polynomials in $\mathbb{F}_q[x]$. Prove that $h(x)^m f(g(x)/h(x))$ is irreducible in $\mathbb{F}_q[x]$ if and only if $g(x) - \lambda h(x)$ is irreducible in $\mathbb{F}_{q^m}[x]$.

4.26. Use the method in Example 4.7 to factor x' + 3x' + 4x' + 2x - 1 over $\mathbb{F}_{11}$.

4.27. Use the method in Example 4.7 to factor $x^3 - 6x^2 - 8x - 8$ over $\mathbb{F}_{19}$.

4.28. Use the Zassenhaus algorithm to factor x' + 3x' + 4x' + 2x - 1 over IF (J'.

4.29. Use the Zassenhaus algorithm to factor $x^3 - 6x^2 - 8x - 8$ over $\mathbb{F}_{19}$.

4.30. Use the Zassenhaus algorithm to factor X'" 3x' + 2x^3 - 6x' - 5 over $\mathbb{F}_{17}$.

4.31. Factor x' - 7x^3 + 4x' + 2x j 4 over $\mathbb{F}_{17}$.

4.32. Factor x' 3x^3 + 4x' .. 6x - 8 over IF ''I'.

4.33. Prove in detail that equivalence of square matrices of polynomials as defined by Definition 4.11 is reflexive, symmetric, and transitive.

4.34. Use the method in Example 4.14 to factor $x^3 - 6x^2 - 8x - 8$ over $\mathbb{F}_{19}$.

4.35. Use the method in Example 4.14 to factor x·1 ~3x' -2x-' -6x' + 5 over IF 1";'.

4.36. Use the method in Example 4.14 to obtain a partial factorization of x^7 - 2xo - 4x^4 + 3x^3 - 5x·~ + 3x + 5 over !F; I and complete the factorization by another method.

4.37. Find the roots of $f(x)$ = x' - x^4 I 2x' , x)· x - 2 $\in \mathbb{F}_5[x]$ contained in $\mathbb{F}_5$.

4.38. Find the roots of $f(x)$ = x' + 6x^4 + 2x' .. 6x' - 5x - 5 $\in \mathbb{F}_{13}[x]$ contained in $\mathbb{F}_{13}$.

4.39. Prove that all the roots of $f(x)$ = X"' + 8x' + 6x - 7 $\in \mathbb{F}_{19}[x]$ are contained in $\mathbb{F}_{19}$ and find them.

4.40. Let $\mathbb{F}_{32} = \mathbb{F}_2(\beta)$, where $\beta$ is a root of the irreducible polynomial x' + x' + 1 over $\mathbb{F}_2$. Prove that all the roots of $f(x)$ = x' + (β' + β' + 1)x' + β^2 x + β' + β' + β + 1 $\in \mathbb{F}_{32}[x]$ are contained in $\mathbb{F}_{32}$ and find them.

4.41. Let $\mathbb{F}_{16} = \mathbb{F}_2(\beta)$, where $\beta$ is a root of the irreducible polynomial $x^4 + x + 1$ over $\mathbb{F}_2$. Prove that all the roots of $f(x)$ = x' + x^2 + (β^2 + β + 1)x + β' + 1 $\in \mathbb{F}_{16}[x]$ are contained in $\mathbb{F}_{16}$ and find them.

4.42. Let $\mathbb{F}_{169} = \mathbb{F}_{13}(\beta)$, where $\beta$ is a root of the irreducible polynomial $x^2 - x - 1$ over $\mathbb{F}_{13}$. Find the roots of $f(x)$ = x' + (3β - 1)x + β^5 $\in \mathbb{F}_{169}[x]$ contained in $\mathbb{F}_{169}$.

4.43. If the polynomial $f(x - b)$ in (4.22) is quadratic with constant term $c \ne 0$, prove that the factorization in (4.22) is nontrivial if and only if $c$ is not the square of an element of $\mathbb{F}_p$.

4.44. Let $\beta$ be a defining element of $F = \mathbb{F}_{2^m}$ over $\mathbb{F}_2$. Prove:
(a) There exists $k$, $0 \le k \le m-1$, with $\mathrm{Tr}_F(\beta^k) = 1$.
(b) For each $i = 0, 1, \ldots, m-1$ there exists an $\alpha_i \in F$ such that
$$\alpha_i^2 + \alpha_i = \begin{cases} \beta^i & \text{if } \mathrm{Tr}_F(\beta^i) = 0, \\ \beta^i + \beta^k & \text{if } \mathrm{Tr}_F(\beta^i) = 1. \end{cases}$$
(c) If $\gamma = \sum_{i=0}^{m-1} c_i \beta^i$, $c_i \in \mathbb{F}_2$, and $\mathrm{Tr}_F(\gamma) = 0$, then the roots of $x^2 + x + \gamma$ are $\sum_{i=0}^{m-1} c_i \alpha_i$ and $1 + \sum_{i=0}^{m-1} c_i \alpha_i$.
Chapter 5

Exponential Sums

Exponential sums are important tools in number theory for solving problems involving integers, and real numbers in general, that are often intractable by other means. Analogous sums can be considered in the framework of finite fields and turn out to be useful in various applications of finite fields. A basic role in setting up exponential sums for finite fields is played by special group homomorphisms called characters. It is necessary to distinguish between two types of characters, namely, additive and multiplicative characters, depending on whether reference is made to the additive or the multiplicative group of the finite field. Exponential sums are formed by using the values of one or more characters and possibly combining them with weights or with other function values. If we only sum the values of a single character, we speak of a character sum.

In Section 1 we lay the foundation by first discussing characters of finite abelian groups and then specializing to finite fields. Explicit formulas for additive and multiplicative characters of finite fields can be given. Both types of characters satisfy important orthogonality relations. Section 2 is devoted to Gaussian sums, which are arguably the most important types of exponential sums for finite fields as they govern the transition from the additive to the multiplicative structure and vice versa. They also appear in many other contexts in algebra and number theory. As an illustration of their usefulness in number theory, we present a proof of the law of quadratic reciprocity based on properties of Gaussian sums.

Exponential sums with the terms of a linear recurring sequence as arguments will be treated in Chapter 6, Section 7. Deep investigations on exponential sums for finite fields have been carried out with the help of algebraic geometry, leading to the famous results of Weil and Deligne, but a presentation of this work would lead far beyond the scope of this book.

1. CHARACTERS
Let $G$ be a finite abelian group (written multiplicatively) of order $|G|$ with identity element $1_G$. A character $\chi$ of $G$ is a homomorphism from $G$ into the multiplicative group $U$ of complex numbers of absolute value 1, that is, a mapping from $G$ into $U$ with $\chi(g_1 g_2) = \chi(g_1)\chi(g_2)$ for all $g_1, g_2 \in G$. Since $\chi(1_G) = \chi(1_G)\chi(1_G)$, we must have $\chi(1_G) = 1$. Furthermore,
$$(\chi(g))^{|G|} = \chi(g^{|G|}) = \chi(1_G) = 1$$
for every $g \in G$, so that the values of $\chi$ are $|G|$th roots of unity. We note also that $\chi(g)\chi(g^{-1}) = \chi(gg^{-1}) = \chi(1_G) = 1$, and so $\chi(g^{-1}) = (\chi(g))^{-1} = \overline{\chi(g)}$ for every $g \in G$, where the bar denotes complex conjugation.

Among the characters of $G$ we have the trivial character $\chi_0$ defined by $\chi_0(g) = 1$ for all $g \in G$; all other characters of $G$ are called nontrivial. With each character $\chi$ of $G$ there is associated the conjugate character $\bar\chi$ defined by $\bar\chi(g) = \overline{\chi(g)}$ for all $g \in G$. Given finitely many characters $\chi_1, \ldots, \chi_n$ of $G$, one can form the product character $\chi_1 \cdots \chi_n$ by setting $(\chi_1 \cdots \chi_n)(g) = \chi_1(g) \cdots \chi_n(g)$ for all $g \in G$. If $\chi_1 = \cdots = \chi_n = \chi$, we write $\chi^n$ for $\chi_1 \cdots \chi_n$. It is obvious that the set $\hat{G}$ of characters of $G$ forms an abelian group under this multiplication of characters. Since the values of characters of $G$ can only be $|G|$th roots of unity, $\hat{G}$ is finite. After briefly considering the special case of a finite cyclic group, we establish some basic facts about characters.

5.1. Example. Let $G$ be a finite cyclic group of order $n$, and let $g$ be a generator of $G$. For a fixed integer $j$, $0 \le j \le n-1$, the function
$$\chi_j(g^k) = e^{2\pi i jk/n}, \quad k = 0, 1, \ldots, n-1,$$
defines a character of $G$. On the other hand, if $\chi$ is any character of $G$, then $\chi(g)$ must be an $n$th root of unity, say $\chi(g) = e^{2\pi i j/n}$ for some $j$, $0 \le j \le n-1$, and it follows that $\chi = \chi_j$. Therefore, $\hat{G}$ consists exactly of the characters $\chi_0, \chi_1, \ldots, \chi_{n-1}$. □

5.2. Theorem. Let $H$ be a subgroup of the finite abelian group $G$ and let $\psi$ be a character of $H$. Then $\psi$ can be extended to a character of $G$; that is, there exists a character $\chi$ of $G$ with $\chi(h) = \psi(h)$ for all $h \in H$.
Proof. We may suppose that $H$ is a proper subgroup of $G$. Choose $a \in G$ with $a \notin H$, and let $H_1$ be the subgroup of $G$ generated by $H$ and $a$. Let $m$ be the least positive integer for which $a^m \in H$. Then every element $g \in H_1$ can be written uniquely in the form $g = a^j h$ with $0 \le j < m$ and $h \in H$. Define a function $\psi_1$ on $H_1$ by $\psi_1(g) = \omega^j \psi(h)$, where $\omega$ is a fixed complex number satisfying $\omega^m = \psi(a^m)$. To check that $\psi_1$ is indeed a character of $H_1$, let $g_1 = a^k h_1$, $0 \le k < m$, $h_1 \in H$, be another element of $H_1$. If $j + k < m$, then $\psi_1(gg_1) = \omega^{j+k}\psi(hh_1) = \psi_1(g)\psi_1(g_1)$. If $j + k \ge m$, then $gg_1 = a^{j+k-m}(a^m hh_1)$, and so
$$\psi_1(gg_1) = \omega^{j+k-m}\psi(a^m hh_1) = \omega^{j+k-m}\psi(a^m)\psi(hh_1) = \omega^{j+k}\psi(hh_1) = \psi_1(g)\psi_1(g_1).$$
It is obvious that $\psi_1(h) = \psi(h)$ for $h \in H$. If $H_1 = G$, then we are done. Otherwise, we can continue the process above until, after finitely many steps, we obtain an extension of $\psi$ to $G$. □

5.3. Corollary. For any two distinct elements $g_1, g_2 \in G$ there exists a character $\chi$ of $G$ with $\chi(g_1) \ne \chi(g_2)$.

Proof. It suffices to show that for $h = g_1 g_2^{-1} \ne 1_G$ there exists a character $\chi$ of $G$ with $\chi(h) \ne 1$. This follows, however, from Example 5.1 and Theorem 5.2 by letting $H$ be the cyclic subgroup of $G$ generated by $h$. □

5.4. Theorem. If $\chi$ is a nontrivial character of the finite abelian group $G$, then
$$\sum_{g \in G} \chi(g) = 0. \tag{5.1}$$
If $g \in G$ with $g \ne 1_G$, then
$$\sum_{\chi \in \hat{G}} \chi(g) = 0. \tag{5.2}$$

Proof. Since $\chi$ is nontrivial, there exists $h \in G$ with $\chi(h) \ne 1$. Then
$$\chi(h) \sum_{g \in G} \chi(g) = \sum_{g \in G} \chi(hg) = \sum_{g \in G} \chi(g),$$
because if $g$ runs through $G$, so does $hg$. Thus we have
$$(\chi(h) - 1) \sum_{g \in G} \chi(g) = 0,$$
which already implies (5.1). For the second part, we note that the function $\hat{g}$ defined by $\hat{g}(\chi) = \chi(g)$ for $\chi \in \hat{G}$ is a character of the finite abelian group $\hat{G}$. This character is nontrivial since, by Corollary 5.3, there exists $\chi \in \hat{G}$ with $\chi(g) \ne \chi(1_G) = 1$. Therefore, (5.2) follows from (5.1) applied to the group $\hat{G}$. □
5.5. Theorem. The number of characters of a finite abelian group $G$ is equal to $|G|$.

Proof. This follows from
$$|\hat{G}| = \sum_{g \in G}\sum_{\chi \in \hat{G}} \chi(g) = \sum_{\chi \in \hat{G}}\sum_{g \in G} \chi(g) = |G|,$$
where we used (5.2) in the first identity and (5.1) in the last identity. □

The statements of Theorems 5.4 and 5.5 can be combined into the orthogonality relations for characters. Let $\chi$ and $\psi$ be characters of $G$. Then
$$\frac{1}{|G|} \sum_{g \in G} \chi(g)\overline{\psi(g)} = \begin{cases} 0 & \text{for } \chi \ne \psi, \\ 1 & \text{for } \chi = \psi. \end{cases} \tag{5.3}$$
The first part follows, of course, by applying (5.1) to the character $\chi\bar\psi$; the second part is trivial. Furthermore, if $g$ and $h$ are elements of $G$, then
$$\frac{1}{|G|} \sum_{\chi \in \hat{G}} \chi(g)\overline{\chi(h)} = \begin{cases} 0 & \text{for } g \ne h, \\ 1 & \text{for } g = h. \end{cases} \tag{5.4}$$
Here, the first part is obtained from (5.2) applied to the element $gh^{-1}$, whereas the second part follows from Theorem 5.5.

Character theory is often used to obtain expressions for the number of solutions of equations in a finite abelian group $G$. Let $f$ be an arbitrary map from the cartesian product $G^n = G \times \cdots \times G$ ($n$ factors) into $G$. Then, for fixed $h \in G$, the number $N(h)$ of $n$-tuples $(g_1, \ldots, g_n) \in G^n$ with $f(g_1, \ldots, g_n) = h$ is given by
$$N(h) = \frac{1}{|G|} \sum_{g_1 \in G} \cdots \sum_{g_n \in G} \sum_{\chi \in \hat{G}} \chi\big(f(g_1, \ldots, g_n)\big)\overline{\chi(h)} \tag{5.5}$$
on account of (5.4).

A character $\chi$ of $G$ may be nontrivial on $G$, but still annihilate a whole subgroup $H$ of $G$, in the sense that $\chi(h) = 1$ for all $h \in H$. The set of all characters of $G$ annihilating a given subgroup $H$ is called the annihilator of $H$ in $\hat{G}$.

5.6. Theorem. Let $H$ be a subgroup of the finite abelian group $G$. Then the annihilator of $H$ in $\hat{G}$ is a subgroup of $\hat{G}$ of order $|G|/|H|$.

Proof. Let $A$ be the annihilator in question. Then it is obvious from the definition that $A$ is a subgroup of $\hat{G}$. Let $\chi \in A$; then $\mu(gH) = \chi(g)$, $g \in G$, is a well-defined character of the factor group $G/H$. Conversely, if $\mu$
I-.xpont'ntial Sum:;
166
is a character of $G/H$, then $\chi(g) = \mu(gH)$, $g \in G$, defines a character of $G$ annihilating $H$. Distinct elements of $A$ correspond to distinct characters of $G/H$. Therefore, $A$ is in one-to-one correspondence with the character group $(G/H)^\wedge$, and so the order of $A$ is equal to the order of $(G/H)^\wedge$, which is $|G/H| = |G|/|H|$ according to Theorem 5.5. □

In a finite field $\mathbb{F}_q$ there are two finite abelian groups that are of significance, namely the additive group and the multiplicative group of the field. Therefore, we will have to make an important distinction between the characters pertaining to these two group structures. In both cases, explicit formulas for the characters can be given.

Consider first the additive group of $\mathbb{F}_q$. Let $p$ be the characteristic of $\mathbb{F}_q$; then the prime field contained in $\mathbb{F}_q$ is $\mathbb{F}_p$, which we identify with $\mathbb{Z}/(p)$. Let $\mathrm{Tr}: \mathbb{F}_q \to \mathbb{F}_p$ be the absolute trace function from $\mathbb{F}_q$ to $\mathbb{F}_p$ (see Definition 2.22). Then the function $\chi_1$ defined by

$$\chi_1(c) = e^{2\pi i\,\mathrm{Tr}(c)/p} \quad \text{for all } c \in \mathbb{F}_q \qquad (5.6)$$

is a character of the additive group of $\mathbb{F}_q$, since for $c_1, c_2 \in \mathbb{F}_q$ we have $\mathrm{Tr}(c_1 + c_2) = \mathrm{Tr}(c_1) + \mathrm{Tr}(c_2)$, and so $\chi_1(c_1 + c_2) = \chi_1(c_1)\chi_1(c_2)$. Instead of "character of the additive group of $\mathbb{F}_q$," we shall henceforth use the term additive character of $\mathbb{F}_q$. The character $\chi_1$ in (5.6) will be called the canonical additive character of $\mathbb{F}_q$. All additive characters of $\mathbb{F}_q$ can be expressed in terms of $\chi_1$.

5.7. Theorem. For $b \in \mathbb{F}_q$, the function $\chi_b$ with $\chi_b(c) = \chi_1(bc)$ for all $c \in \mathbb{F}_q$ is an additive character of $\mathbb{F}_q$, and every additive character of $\mathbb{F}_q$ is obtained in this way.
Proof. For $c_1, c_2 \in \mathbb{F}_q$ we have

$$\chi_b(c_1 + c_2) = \chi_1(bc_1 + bc_2) = \chi_1(bc_1)\chi_1(bc_2) = \chi_b(c_1)\chi_b(c_2),$$

and the first part is established. Since $\mathrm{Tr}$ maps $\mathbb{F}_q$ onto $\mathbb{F}_p$ by Theorem 2.23(iii), $\chi_1$ is a nontrivial character. Therefore, if $a, b \in \mathbb{F}_q$ with $a \ne b$, then

$$\frac{\chi_a(c)}{\chi_b(c)} = \frac{\chi_1(ac)}{\chi_1(bc)} = \chi_1((a-b)c) \ne 1$$

for suitable $c \in \mathbb{F}_q$, and so $\chi_a$ and $\chi_b$ are distinct characters. Hence, if $b$ runs through $\mathbb{F}_q$, we get $q$ distinct additive characters $\chi_b$. On the other hand, $\mathbb{F}_q$ has exactly $q$ additive characters by Theorem 5.5, and so the list of additive characters of $\mathbb{F}_q$ is already complete. □

By setting $b = 0$ in Theorem 5.7, we obtain the trivial additive character $\chi_0$, for which $\chi_0(c) = 1$ for all $c \in \mathbb{F}_q$. Let $E$ be a finite extension field of $\mathbb{F}_q$, let $\chi_1$ be the canonical
additive character of $\mathbb{F}_q$, and let $\mu_1$ be the canonical additive character of $E$ defined in analogy with (5.6), where $\mathrm{Tr}$ is of course replaced by the absolute trace function $\mathrm{Tr}_E$ from $E$ to $\mathbb{F}_p$. Then $\chi_1$ and $\mu_1$ are connected by the identity

$$\mu_1(\beta) = \chi_1(\mathrm{Tr}_{E/\mathbb{F}_q}(\beta)) \quad \text{for all } \beta \in E, \qquad (5.7)$$

where $\mathrm{Tr}_{E/\mathbb{F}_q}$ is the trace function from $E$ to $\mathbb{F}_q$. This follows from the transitivity relation

$$\mathrm{Tr}_E(\beta) = \mathrm{Tr}(\mathrm{Tr}_{E/\mathbb{F}_q}(\beta)) \quad \text{for all } \beta \in E,$$

which was shown in Theorem 2.26.

Characters of the multiplicative group $\mathbb{F}_q^*$ of $\mathbb{F}_q$ are called multiplicative characters of $\mathbb{F}_q$. Since $\mathbb{F}_q^*$ is a cyclic group of order $q-1$ by Theorem 2.8, its characters can be easily determined.
5.8. Theorem. Let $g$ be a fixed primitive element of $\mathbb{F}_q$. For each $j = 0, 1, \ldots, q-2$, the function $\psi_j$ with

$$\psi_j(g^k) = e^{2\pi i jk/(q-1)} \quad \text{for } k = 0, 1, \ldots, q-2$$

defines a multiplicative character of $\mathbb{F}_q$, and every multiplicative character of $\mathbb{F}_q$ is obtained in this way.

Proof. This follows immediately from Example 5.1. □

No matter what $g$ is, the character $\psi_0$ will always represent the trivial multiplicative character, which satisfies $\psi_0(c) = 1$ for all $c \in \mathbb{F}_q^*$.

5.9. Corollary. The group of multiplicative characters of $\mathbb{F}_q$ is cyclic of order $q-1$ with identity element $\psi_0$.

Proof. Every character $\psi_j$ in Theorem 5.8 with $j$ relatively prime to $q-1$ is a generator of the group in question. □
5.10. Example. Let $q$ be odd and let $\eta$ be the real-valued function on $\mathbb{F}_q^*$ with $\eta(c) = 1$ if $c$ is the square of an element of $\mathbb{F}_q^*$ and $\eta(c) = -1$ otherwise. Then $\eta$ is a multiplicative character of $\mathbb{F}_q$. It can also be obtained from the characters in Theorem 5.8 by setting $j = (q-1)/2$. The character $\eta$ annihilates the subgroup of $\mathbb{F}_q^*$ consisting of the squares of elements of $\mathbb{F}_q^*$, and by Theorem 5.6 it is the only nontrivial character of $\mathbb{F}_q^*$ with this property. This uniquely determined character $\eta$ is called the quadratic character of $\mathbb{F}_q$. If $q$ is an odd prime, then for $c \in \mathbb{F}_q^*$ we have $\eta(c) = \left(\frac{c}{q}\right)$, the Legendre symbol from elementary number theory. □

The orthogonality relations (5.3) and (5.4), when applied to additive or multiplicative characters of $\mathbb{F}_q$, yield several fundamental identities. We consider first the case of additive characters, in which we use the notation from Theorem 5.7. Then, for additive characters $\chi_a$ and $\chi_b$ we have
$$\sum_{c \in \mathbb{F}_q} \chi_a(c)\overline{\chi_b(c)} = \begin{cases} 0 & \text{for } a \ne b, \\ q & \text{for } a = b. \end{cases} \qquad (5.8)$$

In particular,

$$\sum_{c \in \mathbb{F}_q} \chi_a(c) = 0 \quad \text{for } a \ne 0. \qquad (5.9)$$

Furthermore, for elements $c, d \in \mathbb{F}_q$ we obtain

$$\sum_{a \in \mathbb{F}_q} \chi_a(c)\overline{\chi_a(d)} = \begin{cases} 0 & \text{for } c \ne d, \\ q & \text{for } c = d. \end{cases} \qquad (5.10)$$

For multiplicative characters $\psi$ and $\tau$ of $\mathbb{F}_q$ we have

$$\sum_{c \in \mathbb{F}_q^*} \psi(c)\overline{\tau(c)} = \begin{cases} 0 & \text{for } \psi \ne \tau, \\ q-1 & \text{for } \psi = \tau. \end{cases} \qquad (5.11)$$

In particular,

$$\sum_{c \in \mathbb{F}_q^*} \psi(c) = 0 \quad \text{for } \psi \ne \psi_0. \qquad (5.12)$$

If $c, d \in \mathbb{F}_q^*$, then

$$\sum_{\psi} \psi(c)\overline{\psi(d)} = \begin{cases} 0 & \text{for } c \ne d, \\ q-1 & \text{for } c = d, \end{cases} \qquad (5.13)$$

where the sum is extended over all multiplicative characters $\psi$ of $\mathbb{F}_q$.
2. GAUSSIAN SUMS
Let $\psi$ be a multiplicative and $\chi$ an additive character of $\mathbb{F}_q$. Then the Gaussian sum $G(\psi, \chi)$ is defined by

$$G(\psi, \chi) = \sum_{c \in \mathbb{F}_q^*} \psi(c)\chi(c).$$

The absolute value of $G(\psi, \chi)$ can obviously be at most $q-1$, but is in general much smaller, as the following theorem shows. We recall that $\psi_0$ denotes the trivial multiplicative character and $\chi_0$ the trivial additive character of $\mathbb{F}_q$.
5.11. Theorem. Let $\psi$ be a multiplicative and $\chi$ an additive character of $\mathbb{F}_q$. Then the Gaussian sum $G(\psi, \chi)$ satisfies

$$G(\psi, \chi) = \begin{cases} q-1 & \text{for } \psi = \psi_0,\ \chi = \chi_0, \\ -1 & \text{for } \psi = \psi_0,\ \chi \ne \chi_0, \\ 0 & \text{for } \psi \ne \psi_0,\ \chi = \chi_0. \end{cases} \qquad (5.14)$$

If $\psi \ne \psi_0$ and $\chi \ne \chi_0$, then

$$|G(\psi, \chi)| = q^{1/2}. \qquad (5.15)$$
Proof. The first case in (5.14) is trivial, the third case follows from (5.12), and in the second case we have

$$G(\psi_0, \chi) = \sum_{c \in \mathbb{F}_q^*} \chi(c) = \sum_{c \in \mathbb{F}_q} \chi(c) - \chi(0) = -1$$

by (5.9). For $\psi \ne \psi_0$ and $\chi \ne \chi_0$ we get

$$|G(\psi, \chi)|^2 = G(\psi, \chi)\overline{G(\psi, \chi)} = \sum_{c \in \mathbb{F}_q^*} \sum_{c_1 \in \mathbb{F}_q^*} \overline{\psi(c)}\,\overline{\chi(c)}\,\psi(c_1)\chi(c_1) = \sum_{c \in \mathbb{F}_q^*} \sum_{c_1 \in \mathbb{F}_q^*} \psi(c^{-1}c_1)\chi(c_1 - c).$$

In the inner sum we substitute $c^{-1}c_1 = d$. Then,

$$|G(\psi, \chi)|^2 = \sum_{c \in \mathbb{F}_q^*} \sum_{d \in \mathbb{F}_q^*} \psi(d)\chi(c(d-1)) = \sum_{d \in \mathbb{F}_q^*} \psi(d)\Big(\sum_{c \in \mathbb{F}_q} \chi(c(d-1)) - \chi(0)\Big) = \sum_{d \in \mathbb{F}_q^*} \psi(d) \sum_{c \in \mathbb{F}_q} \chi(c(d-1))$$

by (5.12). The inner sum has the value $q$ if $d = 1$ and the value $0$ if $d \ne 1$, according to (5.9). Therefore, $|G(\psi, \chi)|^2 = \psi(1)q = q$, and (5.15) is established. □

The study of the behavior of Gaussian sums under various transformations of the additive or multiplicative character leads to a number of useful identities.
5.12. Theorem. Gaussian sums for the finite field $\mathbb{F}_q$ satisfy the following properties:

(i) $G(\psi, \chi_{ab}) = \overline{\psi(a)}\,G(\psi, \chi_b)$ for $a \in \mathbb{F}_q^*$, $b \in \mathbb{F}_q$;

(ii) $G(\psi, \overline{\chi}) = \psi(-1)G(\psi, \chi)$;

(iii) $G(\overline{\psi}, \chi) = \psi(-1)\overline{G(\psi, \chi)}$;

(iv) $G(\psi, \chi)G(\overline{\psi}, \chi) = \psi(-1)q$ for $\psi \ne \psi_0$, $\chi \ne \chi_0$;

(v) $G(\psi^p, \chi_b) = G(\psi, \chi_{\sigma(b)})$ for $b \in \mathbb{F}_q$, where $p$ is the characteristic of $\mathbb{F}_q$ and $\sigma(b) = b^p$.
Proof. (i) For $c \in \mathbb{F}_q$ we have $\chi_{ab}(c) = \chi_1(abc) = \chi_b(ac)$ by the definition in Theorem 5.7. Therefore,

$$G(\psi, \chi_{ab}) = \sum_{c \in \mathbb{F}_q^*} \psi(c)\chi_b(ac).$$

Now set $ac = d$. Then

$$G(\psi, \chi_{ab}) = \sum_{d \in \mathbb{F}_q^*} \psi(a^{-1}d)\chi_b(d) = \psi(a^{-1}) \sum_{d \in \mathbb{F}_q^*} \psi(d)\chi_b(d) = \overline{\psi(a)}\,G(\psi, \chi_b).$$

(ii) We have $\chi = \chi_b$ for a suitable $b \in \mathbb{F}_q$, and $\overline{\chi}(c) = \chi_b(-c) = \chi_{-b}(c)$ for $c \in \mathbb{F}_q$. Therefore, by using (i) with $a = -1$ and noting that $\overline{\psi}(-1) = \psi(-1)$, we get

$$G(\psi, \overline{\chi}) = G(\psi, \chi_{-b}) = \overline{\psi}(-1)G(\psi, \chi_b) = \psi(-1)G(\psi, \chi).$$

(iii) It follows from (ii) that $G(\overline{\psi}, \chi) = \overline{\psi}(-1)G(\overline{\psi}, \overline{\chi}) = \psi(-1)\overline{G(\psi, \chi)}$.

(iv) By combining (iii) and (5.15), we obtain

$$G(\psi, \chi)G(\overline{\psi}, \chi) = \psi(-1)G(\psi, \chi)\overline{G(\psi, \chi)} = \psi(-1)|G(\psi, \chi)|^2 = \psi(-1)q.$$

(v) Since $\mathrm{Tr}(a) = \mathrm{Tr}(a^p)$ for $a \in \mathbb{F}_q$ by Theorem 2.23(v), we have $\chi_1(a) = \chi_1(a^p)$ according to (5.6). Thus, for $c \in \mathbb{F}_q$ we get $\chi_b(c) = \chi_1(bc) = \chi_1(b^pc^p) = \chi_{\sigma(b)}(c^p)$, and so

$$G(\psi^p, \chi_b) = \sum_{c \in \mathbb{F}_q^*} \psi^p(c)\chi_b(c) = \sum_{c \in \mathbb{F}_q^*} \psi(c^p)\chi_{\sigma(b)}(c^p).$$

But $c^p$ runs through $\mathbb{F}_q^*$ as $c$ runs through $\mathbb{F}_q^*$, and the desired result follows. □
5.13. Remark. In connection with the properties above, the value $\psi(-1)$ is of interest. We obviously have $\psi(-1) = \pm 1$. Let $m$ be the order of $\psi$; that is, $m$ is the least positive integer such that $\psi^m = \psi_0$. Then $m$ divides $q-1$ since $\psi^{q-1} = \psi_0$. The values of $\psi$ are $m$th roots of unity; in particular, $-1$ can only appear as a value of $\psi$ if $m$ is even. If $g$ is a primitive element of $\mathbb{F}_q$, then $\psi(g) = \zeta$, a primitive $m$th root of unity. If $m$ is even (and so $q$ odd), then $\psi(-1) = \psi(g^{(q-1)/2}) = \zeta^{(q-1)/2}$, which is $-1$ precisely if $(q-1)/2 \equiv m/2 \pmod m$, or, equivalently, $(q-1)/m \equiv 1 \pmod 2$. Therefore, $\psi(-1) = -1$ if and only if $m$ is even and $(q-1)/m$ is odd. In all other cases we have $\psi(-1) = 1$. □
Gaussian sums occur in a variety of contexts, for example in the following. Let $\psi$ be a multiplicative character of $\mathbb{F}_q$; then, using (5.10), we may write

$$\psi(c) = \frac{1}{q} \sum_{\chi} \overline{\chi(c)} \sum_{d \in \mathbb{F}_q^*} \psi(d)\chi(d)$$

for any $c \in \mathbb{F}_q^*$. Therefore,

$$\psi(c) = \frac{1}{q} \sum_{\chi} G(\psi, \chi)\overline{\chi(c)} \quad \text{for } c \in \mathbb{F}_q^*, \qquad (5.16)$$

where the sum is extended over all additive characters $\chi$ of $\mathbb{F}_q$. This may be thought of as the Fourier expansion of $\psi$ in terms of the additive characters of $\mathbb{F}_q$, with Gaussian sums appearing as Fourier coefficients. Similarly, if $\chi$ is an additive character of $\mathbb{F}_q$, then, using (5.13), we may write
$$\chi(c) = \frac{1}{q-1} \sum_{\psi} \overline{\psi(c)} \sum_{d \in \mathbb{F}_q^*} \psi(d)\chi(d) \quad \text{for } c \in \mathbb{F}_q^*.$$

Thus we obtain

$$\chi(c) = \frac{1}{q-1} \sum_{\psi} G(\psi, \chi)\overline{\psi(c)} \quad \text{for } c \in \mathbb{F}_q^*, \qquad (5.17)$$

where the sum is extended over all multiplicative characters $\psi$ of $\mathbb{F}_q$. This can be interpreted as the Fourier expansion of the restriction of $\chi$ to $\mathbb{F}_q^*$ in terms of the multiplicative characters of $\mathbb{F}_q$, again with Gaussian sums as Fourier coefficients. Therefore, Gaussian sums are instrumental in the transition from the additive to the multiplicative structure (or vice versa) of a finite field.

Before we establish further properties of Gaussian sums, we develop a useful general principle. Let $\Phi$ be the set of monic polynomials over $\mathbb{F}_q$, and let $\lambda$ be a complex-valued function on $\Phi$ which is multiplicative in the sense that

$$\lambda(gh) = \lambda(g)\lambda(h) \quad \text{for all } g, h \in \Phi, \qquad (5.18)$$

and which satisfies $|\lambda(g)| \le 1$ for all $g \in \Phi$ and $\lambda(1) = 1$. With $\Phi_k$ denoting the subset of $\Phi$ containing the polynomials of degree $k$, consider the power series

$$L(z) = \sum_{k=0}^{\infty} \Big(\sum_{g \in \Phi_k} \lambda(g)\Big) z^k. \qquad (5.19)$$

Since there are $q^k$ polynomials in $\Phi_k$, the coefficient of $z^k$ is in absolute value $\le q^k$, and so the power series converges absolutely for $|z| < q^{-1}$. Because of (5.18) and unique factorization in $\mathbb{F}_q[x]$, we may write
$$L(z) = \sum_{g \in \Phi} \lambda(g)z^{\deg(g)} = \prod_f \big(1 + \lambda(f)z^{\deg(f)} + \lambda(f^2)z^{2\deg(f)} + \cdots\big) = \prod_f \big(1 + \lambda(f)z^{\deg(f)} + \lambda(f)^2z^{2\deg(f)} + \cdots\big),$$

where the product is taken over all monic irreducible polynomials $f$ in $\mathbb{F}_q[x]$. It follows that

$$L(z) = \prod_f \big(1 - \lambda(f)z^{\deg(f)}\big)^{-1}.$$

Now apply logarithmic differentiation and multiply the result by $z$ to get

$$z\,\frac{d\log L(z)}{dz} = \sum_f \frac{\lambda(f)\deg(f)z^{\deg(f)}}{1 - \lambda(f)z^{\deg(f)}}.$$

Expansion of $(1 - \lambda(f)z^{\deg(f)})^{-1}$ into a geometric series leads to

$$z\,\frac{d\log L(z)}{dz} = \sum_f \lambda(f)\deg(f)z^{\deg(f)}\big(1 + \lambda(f)z^{\deg(f)} + \lambda(f)^2z^{2\deg(f)} + \cdots\big) = \sum_f \deg(f)\big(\lambda(f)z^{\deg(f)} + \lambda(f)^2z^{2\deg(f)} + \lambda(f)^3z^{3\deg(f)} + \cdots\big),$$

and collecting equal powers of $z$ we obtain

$$z\,\frac{d\log L(z)}{dz} = \sum_{s=1}^{\infty} L_s z^s \qquad (5.20)$$

with

$$L_s = \sum_f \deg(f)\lambda(f)^{s/\deg(f)}, \qquad (5.21)$$

where the sum is extended over all monic irreducible polynomials $f$ in $\mathbb{F}_q[x]$ with $\deg(f)$ dividing $s$. Now suppose there exists a positive integer $t$ such that

$$\sum_{g \in \Phi_k} \lambda(g) = 0 \quad \text{for all } k > t. \qquad (5.22)$$

Then $L(z)$ is a complex polynomial of degree $\le t$ with constant term $1$, so that we can write

$$L(z) = (1 - \omega_1 z)(1 - \omega_2 z)\cdots(1 - \omega_t z) \qquad (5.23)$$

with complex numbers $\omega_1, \omega_2, \ldots, \omega_t$. It follows that

$$z\,\frac{d\log L(z)}{dz} = -\sum_{m=1}^{t} \frac{\omega_m z}{1 - \omega_m z} = -\sum_{m=1}^{t} \sum_{s=1}^{\infty} \omega_m^s z^s = -\sum_{s=1}^{\infty} \Big(\sum_{m=1}^{t} \omega_m^s\Big) z^s,$$

and comparison with (5.20) yields

$$L_s = -\omega_1^s - \omega_2^s - \cdots - \omega_t^s \quad \text{for all } s \ge 1. \qquad (5.24)$$
As an application of the principle expressed in (5.24), we consider the following situation. Let $\chi$ be an additive and $\psi$ a multiplicative character of $\mathbb{F}_q$, and let $E$ be a finite extension field of $\mathbb{F}_q$. Then $\chi$ and $\psi$ can be "lifted" to $E$ by setting $\chi'(\beta) = \chi(\mathrm{Tr}_{E/\mathbb{F}_q}(\beta))$ for $\beta \in E$ and $\psi'(\beta) = \psi(\mathrm{N}_{E/\mathbb{F}_q}(\beta))$ for $\beta \in E^*$. From the additivity of the trace and the multiplicativity of the norm it follows that $\chi'$ is an additive and $\psi'$ a multiplicative character of $E$. The following theorem establishes an important relationship between the Gaussian sum $G(\psi, \chi)$ in $\mathbb{F}_q$ and the Gaussian sum $G(\psi', \chi')$ in $E$.

5.14. Theorem (Davenport-Hasse Theorem). Let $\chi$ be an additive and $\psi$ a multiplicative character of $\mathbb{F}_q$, not both of them trivial. Suppose $\chi$ and $\psi$ are lifted to characters $\chi'$ and $\psi'$, respectively, of the finite extension field $E$ of $\mathbb{F}_q$ with $[E : \mathbb{F}_q] = s$. Then

$$G(\psi', \chi') = (-1)^{s-1}G(\psi, \chi)^s.$$
Proof. It is convenient to extend the definition of $\psi$ by setting $\psi(0) = 0$. We use the notation of the discussion leading to (5.24); in particular, $\Phi$ denotes again the set of monic polynomials over $\mathbb{F}_q$. We define $\lambda$ by setting $\lambda(1) = 1$ as required, and for $g \in \Phi$ of positive degree, say $g(x) = x^k - c_1x^{k-1} + \cdots + (-1)^kc_k$, we set $\lambda(g) = \psi(c_k)\chi(c_1)$. The multiplicative property (5.18) is then easily checked. For $k > 1$ we split up $\Phi_k$ according to the values of $c_1$ and $c_k$. Each given pair $(c_1, c_k)$ occurs $q^{k-2}$ times in $\Phi_k$, and so

$$\sum_{g \in \Phi_k} \lambda(g) = q^{k-2} \sum_{c_1 \in \mathbb{F}_q} \sum_{c_k \in \mathbb{F}_q} \psi(c_k)\chi(c_1) = q^{k-2} \Big(\sum_{c \in \mathbb{F}_q^*} \psi(c)\Big)\Big(\sum_{c \in \mathbb{F}_q} \chi(c)\Big).$$

Since one of $\chi$ and $\psi$ is nontrivial, it follows from either (5.9) or (5.12) that

$$\sum_{g \in \Phi_k} \lambda(g) = 0 \quad \text{for } k > 1.$$

Therefore, (5.22) is satisfied with $t = 1$. Furthermore,

$$\sum_{g \in \Phi_1} \lambda(g) = \sum_{c \in \mathbb{F}_q} \psi(c)\chi(c) = \sum_{c \in \mathbb{F}_q^*} \psi(c)\chi(c) = G(\psi, \chi).$$

Thus, $L(z) = 1 + G(\psi, \chi)z$ from (5.19), hence $\omega_1 = -G(\psi, \chi)$ by (5.23). Now we consider $L_s$, which, by (5.21) and the multiplicativity of $\lambda$, is given by

$$L_s = \sum_f \deg(f)\lambda(f)^{s/\deg(f)} = \sum_f{}^{*} \deg(f)\lambda\big(f^{s/\deg(f)}\big),$$

where the sum is extended over all monic irreducible polynomials $f$ in $\mathbb{F}_q[x]$ with $\deg(f)$ dividing $s$, and where the asterisk indicates that $f(x) = x$ is excluded. Each such $f$ has $\deg(f)$ distinct nonzero roots in $E$, and each root $\beta$ of $f$ has as its characteristic polynomial over $\mathbb{F}_q$ the polynomial

$$f(x)^{s/\deg(f)} = x^s - c_1x^{s-1} + \cdots + (-1)^sc_s,$$

say, where $c_1 = \mathrm{Tr}_{E/\mathbb{F}_q}(\beta)$ and $c_s = \mathrm{N}_{E/\mathbb{F}_q}(\beta)$ by (2.2) and (2.3). Therefore,

$$\lambda\big(f^{s/\deg(f)}\big) = \psi(c_s)\chi(c_1) = \psi(\mathrm{N}_{E/\mathbb{F}_q}(\beta))\chi(\mathrm{Tr}_{E/\mathbb{F}_q}(\beta)) = \psi'(\beta)\chi'(\beta),$$

and so

$$L_s = \sum_f{}^{*} \deg(f)\lambda\big(f^{s/\deg(f)}\big) = \sum_f{}^{*} \sum_{f(\beta) = 0} \psi'(\beta)\chi'(\beta).$$

If $f$ runs through the range of summation above, then $\beta$ runs exactly through all elements of $E^*$. Consequently,

$$L_s = \sum_{\beta \in E^*} \psi'(\beta)\chi'(\beta) = G(\psi', \chi'),$$

and an application of (5.24) yields

$$G(\psi', \chi') = -\big(-G(\psi, \chi)\big)^s,$$

which completes the proof. □
For certain special characters, the associated Gaussian sums can be evaluated explicitly. We thereby obtain formulas that go beyond the trivial cases listed in (5.14). A celebrated formula of this kind holds for the quadratic character $\eta$ considered in Example 5.10.

5.15. Theorem. Let $\mathbb{F}_q$ be a finite field with $q = p^s$, where $p$ is an odd prime and $s \in \mathbb{N}$. Let $\eta$ be the quadratic character of $\mathbb{F}_q$ and let $\chi_1$ be the canonical additive character of $\mathbb{F}_q$. Then

$$G(\eta, \chi_1) = \begin{cases} (-1)^{s-1}q^{1/2} & \text{if } p \equiv 1 \pmod 4, \\ (-1)^{s-1}i^s q^{1/2} & \text{if } p \equiv 3 \pmod 4. \end{cases}$$

Proof. Using Theorem 5.12(iv) and $\overline{\eta} = \eta$, we obtain $G(\eta, \chi_1)^2 = \eta(-1)q$, and since $\eta(-1) = 1$ for $q \equiv 1 \pmod 4$ and $\eta(-1) = -1$ for $q \equiv 3 \pmod 4$ by Remark 5.13, it follows that

$$G(\eta, \chi_1) = \begin{cases} \pm q^{1/2} & \text{if } q \equiv 1 \pmod 4, \\ \pm i q^{1/2} & \text{if } q \equiv 3 \pmod 4. \end{cases} \qquad (5.25)$$

The difficulty of the proof lies in the determination of the correct signs. We first consider the case $s = 1$. Let $V$ be the set of all complex-valued functions on $\mathbb{F}_p^*$; it is a $(p-1)$-dimensional vector space over the complex numbers. A basis for $V$ is formed by the characteristic functions $f_1, f_2, \ldots, f_{p-1}$ of elements of $\mathbb{F}_p^*$; that is, $f_j(c) = 1$ if $c = j$ and $0$ otherwise, where $j = 1, 2, \ldots, p-1$. From the orthogonality relation (5.11) it follows easily that the multiplicative characters $\psi_0, \psi_1, \ldots, \psi_{p-2}$ of $\mathbb{F}_p$ described in Theorem 5.8 also form a basis for $V$. Let $\zeta = e^{2\pi i/p}$, and define a linear operator $T$ on $V$ by letting $Th$ for $h \in V$ be given by
$$(Th)(c) = \sum_{k=1}^{p-1} \zeta^{ck}h(k) \quad \text{for } c = 1, 2, \ldots, p-1. \qquad (5.26)$$

Then Theorem 5.12(i) implies that $T\psi = G(\psi, \chi_1)\overline{\psi}$ for every multiplicative character $\psi$ of $\mathbb{F}_p$. Since $\overline{\psi} = \psi$ precisely for the trivial character and the quadratic character, the matrix of $T$ in the basis $\psi_0, \psi_1, \ldots, \psi_{p-2}$ contains two diagonal entries, namely $G(\psi_0, \chi_1) = -1$ and $G(\eta, \chi_1)$, and a collection of blocks

$$\begin{pmatrix} 0 & G(\overline{\psi}, \chi_1) \\ G(\psi, \chi_1) & 0 \end{pmatrix}$$

corresponding to pairs $\psi, \overline{\psi}$ of conjugate characters that are nontrivial and nonquadratic. If we compute the determinant of $T$, then each block contributes

$$-G(\psi, \chi_1)G(\overline{\psi}, \chi_1) = -\psi(-1)p$$

by Theorem 5.12(iv). Thus we obtain

$$\det(T) = -G(\eta, \chi_1)(-p)^{(p-3)/2} \prod_{j=1}^{(p-3)/2} \psi_j(-1). \qquad (5.27)$$

Now $\psi_j(-1) = \psi_1(-1)^j = (-1)^j$, and so

$$\prod_{j=1}^{(p-3)/2} \psi_j(-1) = (-1)^{(p-1)(p-3)/8}. \qquad (5.28)$$

Furthermore, since

$$i^{(p-1)^2/4} = \begin{cases} 1 & \text{if } p \equiv 1 \pmod 4, \\ i & \text{if } p \equiv 3 \pmod 4, \end{cases}$$

it follows from (5.25) that

$$G(\eta, \chi_1) = \pm i^{(p-1)^2/4}p^{1/2}. \qquad (5.29)$$

Combining (5.27), (5.28), and (5.29), we get

$$\det(T) = \pm(-1)^{(p-1)/2} i^{(p-1)^2/4} (-1)^{(p-1)(p-3)/8} p^{(p-2)/2},$$

hence

$$\det(T) = \pm i^{p(p-1)/2} p^{(p-2)/2}. \qquad (5.30)$$

Now we compute $\det(T)$ utilizing the matrix of $T$ in the basis
$f_1, f_2, \ldots, f_{p-1}$. From (5.26) we find

$$\det(T) = \det\big((\zeta^{jk})_{1 \le j, k \le p-1}\big) = \zeta^{1+2+\cdots+(p-1)} \det\big((\zeta^{j(k-1)})_{1 \le j, k \le p-1}\big) = \det\big((\zeta^{j(k-1)})_{1 \le j, k \le p-1}\big),$$

which is a Vandermonde determinant. Therefore,

$$\det(T) = \prod_{1 \le m < n \le p-1} (\zeta^n - \zeta^m).$$

With $\theta = e^{\pi i/p}$ we get

$$\det(T) = \prod_{1 \le m < n \le p-1} (\theta^{2n} - \theta^{2m}) = \prod_{1 \le m < n \le p-1} \theta^{n+m}\big(\theta^{n-m} - \theta^{-(n-m)}\big) = \Big(\prod_{1 \le m < n \le p-1} \theta^{n+m}\Big) \prod_{1 \le m < n \le p-1} \Big(2i\sin\frac{\pi(n-m)}{p}\Big).$$

Since

$$\sum_{1 \le m < n \le p-1} (n+m) = \sum_{n=2}^{p-1} \sum_{m=1}^{n-1} (n+m) = \sum_{n=2}^{p-1} \Big(n(n-1) + \frac{n(n-1)}{2}\Big) = \frac{3}{2} \sum_{n=1}^{p-2} (n^2 + n) = \frac{3}{2}\Big(\frac{(p-2)(p-1)(2p-3)}{6} + \frac{(p-2)(p-1)}{2}\Big) = \frac{p(p-1)(p-2)}{2},$$

the first product is equal to $\theta^{p(p-1)(p-2)/2} = (-1)^{(p-1)(p-2)/2}$. Furthermore,

$$A = \prod_{1 \le m < n \le p-1} \Big(2\sin\frac{\pi(n-m)}{p}\Big) > 0,$$

and so

$$\det(T) = (-1)^{(p-1)(p-2)/2} i^{(p-1)(p-2)/2} A \quad \text{with } A > 0.$$

Comparison with (5.30) shows that the plus sign always applies in (5.29), and the theorem is established for $s = 1$. The general case follows from Theorem 5.14 since the canonical additive character of $\mathbb{F}_p$ is lifted to the canonical additive character of $\mathbb{F}_q$ by (5.7) and the quadratic character of $\mathbb{F}_p$ is lifted to the quadratic character of $\mathbb{F}_q$. □
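The following Python script is an added example, not part of the book, that builds the characters of Theorems 5.7 and 5.8 for a prime field $\mathbb{F}_p$ and checks Theorem 5.11, the Fourier expansion (5.16) and the $s = 1$ case of Theorem 5.15 numerically from the definition of the Gaussian sum. The function names and the brute-force choice of a primitive element are this example's own assumptions; only prime fields are handled, so the absolute trace is the identity.

```python
import cmath
import math

def primitive_root(p):
    """Smallest primitive element g of F_p (p an odd prime), found by brute force."""
    for g in range(2, p):
        if len({pow(g, k, p) for k in range(1, p)}) == p - 1:
            return g
    raise ValueError("p must be an odd prime")

def additive_chars(p):
    """chi_b(c) = exp(2 pi i b c / p), b in F_p (Theorem 5.7; Tr is the identity on F_p)."""
    return [lambda c, b=b: cmath.exp(2j * math.pi * ((b * c) % p) / p) for b in range(p)]

def multiplicative_chars(p):
    """psi_j(g^k) = exp(2 pi i j k / (p - 1)), j = 0..p-2 (Theorem 5.8), via a discrete-log table."""
    g = primitive_root(p)
    log = {pow(g, k, p): k for k in range(p - 1)}
    return [lambda c, idx=idx: cmath.exp(2j * math.pi * idx * log[c % p] / (p - 1))
            for idx in range(p - 1)]

def gauss_sum(p, psi, chi):
    """G(psi, chi) = sum over c in F_p^* of psi(c) chi(c)."""
    return sum(psi(c) * chi(c) for c in range(1, p))

def close(x, y, tol=1e-9):
    return abs(x - y) < tol

def check_theorem_5_11(p):
    """(5.14) in the three trivial cases and |G(psi, chi)|^2 = p (5.15) for nontrivial psi, chi."""
    chis, psis = additive_chars(p), multiplicative_chars(p)
    for b, chi in enumerate(chis):
        for j, psi in enumerate(psis):
            G = gauss_sum(p, psi, chi)
            if j == 0 and b == 0:
                ok = close(G, p - 1)
            elif j == 0:
                ok = close(G, -1)
            elif b == 0:
                ok = close(G, 0)
            else:
                ok = close(abs(G) ** 2, p)
            if not ok:
                return False
    return True

def check_fourier_expansion(p):
    """(5.16): psi(c) = (1/p) sum_chi G(psi, chi) conj(chi(c)) for every c in F_p^*."""
    chis, psis = additive_chars(p), multiplicative_chars(p)
    for psi in psis:
        G = [gauss_sum(p, psi, chi) for chi in chis]
        for c in range(1, p):
            rhs = sum(G[b] * chis[b](c).conjugate() for b in range(p)) / p
            if not close(rhs, psi(c)):
                return False
    return True

def quadratic_gauss_sum(p):
    """G(eta, chi_1): eta = psi_{(p-1)/2} is the quadratic character, chi_1 the canonical additive one."""
    eta = multiplicative_chars(p)[(p - 1) // 2]
    chi1 = additive_chars(p)[1]
    return gauss_sum(p, eta, chi1)

def check_theorem_5_15(p):
    """s = 1 case of Theorem 5.15: G(eta, chi_1) = sqrt(p) if p = 1 mod 4, i sqrt(p) if p = 3 mod 4."""
    expected = math.sqrt(p) if p % 4 == 1 else 1j * math.sqrt(p)
    return close(quadratic_gauss_sum(p), expected)
```

The sign test is the interesting part: (5.25) alone only fixes $G(\eta, \chi_1)$ up to $\pm 1$, and `check_theorem_5_15` confirms that the plus sign of the theorem is the one that actually occurs, for instance $G(\eta, \chi_1) = i\sqrt 3$ over $\mathbb{F}_3$ and $\sqrt 5$ over $\mathbb{F}_5$.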
Because of (5.14) and Theorem 5.12(i), a formula for $G(\eta, \chi)$ can also be established for any additive character $\chi$ of $\mathbb{F}_q$. We turn to another special formula for Gaussian sums which applies to a wider range of multiplicative characters but needs a restriction on the underlying field. We shall have to use the notion of order of a multiplicative character as introduced in Remark 5.13.

5.16. Theorem (Stickelberger's Theorem). Let $q$ be a prime power, let $\psi$ be a nontrivial multiplicative character of $\mathbb{F}_{q^2}$ of order $m$ dividing $q+1$, and let $\chi_1$ be the canonical additive character of $\mathbb{F}_{q^2}$. Then
$$G(\psi, \chi_1) = \begin{cases} q & \text{if } m \text{ odd or } \dfrac{q+1}{m} \text{ even}, \\ -q & \text{if } m \text{ even and } \dfrac{q+1}{m} \text{ odd}. \end{cases}$$
Proof. We write $E = \mathbb{F}_{q^2}$ and $F = \mathbb{F}_q$. Let $\gamma$ be a primitive element of $E$ and set $g = \gamma^{q+1}$. Then $g^{q-1} = 1$, so that $g \in F$; furthermore, $g$ is a primitive element of $F$. Every $\alpha \in E^*$ can be written in the form $\alpha = g^j\gamma^k$ with $0 \le j < q-1$ and $0 \le k < q+1$. Since $\psi(g) = \psi^{q+1}(\gamma) = 1$, we have

$$G(\psi, \chi_1) = \sum_{j=0}^{q-2} \sum_{k=0}^{q} \psi(g^j\gamma^k)\chi_1(g^j\gamma^k) = \sum_{k=0}^{q} \psi^k(\gamma) \sum_{j=0}^{q-2} \chi_1(g^j\gamma^k) = \sum_{k=0}^{q} \psi^k(\gamma) \sum_{b \in F^*} \chi_1(b\gamma^k). \qquad (5.31)$$

If $\tau_1$ is the canonical additive character of $F$, then $\chi_1(b\gamma^k) = \tau_1(\mathrm{Tr}_{E/F}(b\gamma^k))$ by (5.7). Therefore,

$$\sum_{b \in F^*} \chi_1(b\gamma^k) = \sum_{b \in F^*} \tau_1(\mathrm{Tr}_{E/F}(b\gamma^k)) = \sum_{b \in F^*} \tau_1(b\,\mathrm{Tr}_{E/F}(\gamma^k)) = \begin{cases} -1 & \text{for } \mathrm{Tr}_{E/F}(\gamma^k) \ne 0, \\ q-1 & \text{for } \mathrm{Tr}_{E/F}(\gamma^k) = 0, \end{cases} \qquad (5.32)$$

because of (5.9). Now $\mathrm{Tr}_{E/F}(\gamma^k) = \gamma^k + \gamma^{kq}$, and so

$$\mathrm{Tr}_{E/F}(\gamma^k) = 0 \quad \text{if and only if} \quad \gamma^{k(q-1)} = -1. \qquad (5.33)$$

If $q$ is odd, the last condition is equivalent to $k = (q+1)/2$, and then by (5.32),

$$\sum_{b \in F^*} \chi_1(b\gamma^k) = \begin{cases} -1 & \text{for } 0 \le k < q+1,\ k \ne \dfrac{q+1}{2}, \\ q-1 & \text{for } k = \dfrac{q+1}{2}. \end{cases}$$

Together with (5.31) we get

$$G(\psi, \chi_1) = -\sum_{\substack{k=0 \\ k \ne (q+1)/2}}^{q} \psi^k(\gamma) + (q-1)\psi^{(q+1)/2}(\gamma) = -\sum_{k=0}^{q} \psi^k(\gamma) + q\psi^{(q+1)/2}(\gamma) = q\psi^{(q+1)/2}(\gamma),$$

since $\psi(\gamma) \ne 1$ and $\psi^{q+1}(\gamma) = 1$. Now $\psi^{(q+1)/2}(\gamma) = 1$ if $(q+1)/m$ is even and $-1$ if $(q+1)/m$ is odd, and thus for $q$ odd we have

$$G(\psi, \chi_1) = \begin{cases} q & \text{if } \dfrac{q+1}{m} \text{ even}, \\ -q & \text{if } \dfrac{q+1}{m} \text{ odd}. \end{cases} \qquad (5.34)$$

If $q$ is even, then the condition in (5.33) is equivalent to $\gamma^{k(q-1)} = 1$, and the only $k$ with $0 \le k < q+1$ satisfying this property is $k = 0$. Then by (5.32),

$$\sum_{b \in F^*} \chi_1(b\gamma^k) = \begin{cases} -1 & \text{for } 1 \le k \le q, \\ q-1 & \text{for } k = 0, \end{cases}$$

and (5.31) yields

$$G(\psi, \chi_1) = -\sum_{k=1}^{q} \psi^k(\gamma) + q - 1 = -\sum_{k=0}^{q} \psi^k(\gamma) + q = q.$$

Combined with (5.34), this implies the theorem. □
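As an added example (not from the book), the script below represents $E = \mathbb{F}_{p^2}$ as $\mathbb{F}_p(w)$ with $w^2$ a quadratic non-residue, for an odd prime $p$, and evaluates the Gaussian sums of Stickelberger's Theorem directly from the definition, using a primitive element $\gamma$ and the character $\psi(\gamma^k) = e^{2\pi i k/m}$ of order $m \mid p+1$. It also checks the Davenport-Hasse Theorem for $s = 2$ by lifting the quadratic character $\eta$ and $\chi_1$ from $\mathbb{F}_p$ to $E$. The class and function names are this example's own; only the case $q = p$ an odd prime is handled, so the even-$q$ branch of the proof is not exercised.

```python
import cmath
import math

def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs

class Fp2:
    """E = F_{p^2} = F_p(w) with w^2 = n, n a quadratic non-residue mod the odd prime p.
    Elements are pairs (a, b) standing for a + b*w."""
    def __init__(self, p):
        self.p = p
        self.n = next(n for n in range(2, p) if pow(n, (p - 1) // 2, p) == p - 1)
        self.order = p * p - 1                       # |E^*|

    def mul(self, x, y):
        (a1, b1), (a2, b2), p, n = x, y, self.p, self.n
        return ((a1 * a2 + n * b1 * b2) % p, (a1 * b2 + a2 * b1) % p)

    def pow(self, x, e):
        r, base = (1, 0), x
        while e:
            if e & 1:
                r = self.mul(r, base)
            base = self.mul(base, base)
            e >>= 1
        return r

    def trace(self, x):
        # Frobenius maps w to w^p = n^((p-1)/2) w = -w, so Tr_{E/F_p}(a + b w) = 2a
        return (2 * x[0]) % self.p

    def norm(self, x):
        # N_{E/F_p}(a + b w) = (a + b w)(a - b w) = a^2 - n b^2
        a, b = x
        return (a * a - self.n * b * b) % self.p

    def primitive_element(self):
        """A generator gamma of E^*: gamma^(order/r) != 1 for every prime r dividing the order."""
        for a in range(self.p):
            for b in range(1, self.p):           # an element of F_p itself can never generate E^*
                g = (a, b)
                if all(self.pow(g, self.order // r) != (1, 0) for r in prime_factors(self.order)):
                    return g

    def log_table(self, gamma):
        """alpha -> k with alpha = gamma^k, 0 <= k < p^2 - 1."""
        tbl, x = {}, (1, 0)
        for k in range(self.order):
            tbl[x] = k
            x = self.mul(x, gamma)
        return tbl

def stickelberger_gauss_sum(p, m):
    """G(psi, chi_1) over E for psi of order m | p+1 and chi_1(alpha) = exp(2 pi i Tr(alpha)/p)."""
    assert m > 1 and (p + 1) % m == 0
    E = Fp2(p)
    logs = E.log_table(E.primitive_element())
    total = 0
    for alpha, k in logs.items():
        psi = cmath.exp(2j * math.pi * k / m)                 # psi(gamma^k)
        chi = cmath.exp(2j * math.pi * E.trace(alpha) / p)    # canonical additive character of E
        total += psi * chi
    return total

def stickelberger_expected(q, m):
    """Right-hand side of Theorem 5.16."""
    return q if (m % 2 == 1 or ((q + 1) // m) % 2 == 0) else -q

def check_stickelberger(p):
    return all(abs(stickelberger_gauss_sum(p, m) - stickelberger_expected(p, m)) < 1e-6
               for m in range(2, p + 2) if (p + 1) % m == 0)

def eta(c, p):
    """Quadratic character of F_p by Euler's criterion, with eta(0) = 0 as in the proof of 5.14."""
    c %= p
    return 0 if c == 0 else (1 if pow(c, (p - 1) // 2, p) == 1 else -1)

def check_davenport_hasse(p):
    """Lift eta and chi_1 from F_p to E (s = 2): eta'(beta) = eta(N(beta)), chi'(beta) = chi_1(Tr(beta)).
    Theorem 5.14 predicts G(eta', chi') = (-1)^(2-1) G(eta, chi_1)^2 = -eta(-1) p."""
    E = Fp2(p)
    chi1 = lambda c: cmath.exp(2j * math.pi * (c % p) / p)
    small = sum(eta(c, p) * chi1(c) for c in range(1, p))
    lifted = sum(eta(E.norm((a, b)), p) * chi1(E.trace((a, b)))
                 for a in range(p) for b in range(p) if (a, b) != (0, 0))
    return abs(lifted + small ** 2) < 1e-6 and abs(lifted + eta(-1, p) * p) < 1e-6
```

Note that the lifted quadratic character $\eta'$ has order $2$ and $2 \mid p+1$, so the Davenport-Hasse value $-\eta(-1)p$ must agree with Stickelberger's Theorem for $m = 2$; both checks pass, for instance giving $-5$ over $\mathbb{F}_{25}$ and $7$ over $\mathbb{F}_{49}$.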
We show how to use Gaussian sums to establish a classical result of number theory, namely the law of quadratic reciprocity. We recall from Example 5.10 that if $p$ is an odd prime and $\eta$ is the quadratic character of $\mathbb{F}_p$, then for $c \not\equiv 0 \pmod p$ the Legendre symbol $\left(\frac{c}{p}\right)$ is defined by $\left(\frac{c}{p}\right) = \eta(c)$.
5.17. Theorem (Law of Quadratic Reciprocity). For any distinct odd primes $p$ and $r$ we have

$$\left(\frac{p}{r}\right)\left(\frac{r}{p}\right) = (-1)^{(p-1)(r-1)/4}.$$

Proof. Let $\eta$ be the quadratic character of $\mathbb{F}_p$, let $\chi_1$ be the canonical additive character of $\mathbb{F}_p$, and put $G = G(\eta, \chi_1)$. Then it follows from (5.25) that $G^2 = (-1)^{(p-1)/2}p = \bar p$, and so

$$G^r = (G^2)^{(r-1)/2}G = \bar p^{(r-1)/2}G. \qquad (5.35)$$

Let $R$ be the ring of algebraic integers; that is, $R$ consists of all complex numbers that are roots of monic polynomials with integer coefficients. Since the values of (additive and multiplicative) characters of finite fields are complex roots of unity, and since every complex root of unity is an algebraic integer, the values of Gaussian sums are algebraic integers. In particular, $G \in R$. Let $(r)$ be the principal ideal of $R$ generated by $r$. Then
the residue class ring $R/(r)$ has characteristic $r$, and thus an application of Theorem 1.46 yields

$$G^r = \Big(\sum_{c \in \mathbb{F}_p^*} \eta(c)\chi_1(c)\Big)^r \equiv \sum_{c \in \mathbb{F}_p^*} \eta^r(c)\chi_1^r(c) \pmod{(r)}.$$

Now

$$\sum_{c \in \mathbb{F}_p^*} \eta^r(c)\chi_1^r(c) = \sum_{c \in \mathbb{F}_p^*} \eta(c)\chi_r(c) = G(\eta, \chi_r) = \eta(r)G$$

by Theorem 5.12(i), and so $G^r \equiv \eta(r)G \pmod{(r)}$. Together with (5.35) we get

$$\bar p^{(r-1)/2}G \equiv \eta(r)G \pmod{(r)},$$

and multiplication by $G$ leads to

$$\bar p^{(r-1)/2}\bar p \equiv \eta(r)\bar p \pmod{(r)}$$

because of $G^2 = \bar p$. Since the numbers on both sides of the congruence above are, in fact, elements of $\mathbb{Z}$, it follows that

$$\bar p^{(r+1)/2} \equiv \eta(r)\bar p \pmod r$$

as a congruence in $\mathbb{Z}$. But $p$ and $r$ are relatively prime, hence

$$\bar p^{(r-1)/2} \equiv \eta(r) \pmod r.$$

Now $\bar p = (-1)^{(p-1)/2}p$ and $p^{r-1} \equiv 1 \pmod r$, thus multiplication by $p^{(r-1)/2}$ yields

$$(-1)^{(p-1)(r-1)/4} \equiv p^{(r-1)/2}\eta(r) \pmod r. \qquad (5.36)$$

We have $p^{(r-1)/2} \equiv \pm 1 \pmod r$, and the plus sign applies if and only if $p$ is congruent to a square mod $r$. Thus,

$$p^{(r-1)/2} \equiv \left(\frac{p}{r}\right) \pmod r.$$

Since $\eta(r) = \left(\frac{r}{p}\right)$, we get from (5.36)

$$(-1)^{(p-1)(r-1)/4} \equiv \left(\frac{p}{r}\right)\left(\frac{r}{p}\right) \pmod r.$$

But the integers on both sides of this congruence can only be $\pm 1$, and since $r \ge 3$, the congruence holds only if the two sides are identical. □

We consider now character sums involving the quadratic character $\eta$ of $\mathbb{F}_q$, $q$ odd, and having a quadratic polynomial in the argument. The following explicit formula will be needed in Chapter 7, Section 2.
5.18. Theorem. Let $f(x) = a_2x^2 + a_1x + a_0 \in \mathbb{F}_q[x]$ with $q$ odd and $a_2 \ne 0$. Put $d = a_1^2 - 4a_0a_2$ and let $\eta$ be the quadratic character of $\mathbb{F}_q$. Then

$$\sum_{c \in \mathbb{F}_q} \eta(f(c)) = \begin{cases} -\eta(a_2) & \text{if } d \ne 0, \\ (q-1)\eta(a_2) & \text{if } d = 0. \end{cases}$$

Proof. Multiplying the sum by $\eta(4a_2^2) = 1$, we get

$$\sum_{c \in \mathbb{F}_q} \eta(f(c)) = \eta(a_2) \sum_{c \in \mathbb{F}_q} \eta(4a_2^2c^2 + 4a_1a_2c + 4a_0a_2) = \eta(a_2) \sum_{c \in \mathbb{F}_q} \eta\big((2a_2c + a_1)^2 - d\big) = \eta(a_2) \sum_{b \in \mathbb{F}_q} \eta(b^2 - d).$$

The result for the case $d = 0$ follows now immediately. For $d \ne 0$ we write

$$\sum_{b \in \mathbb{F}_q} \eta(b^2 - d) = -q + \sum_{b \in \mathbb{F}_q} \big(1 + \eta(b^2 - d)\big), \qquad (5.37)$$

and since $1 + \eta(b^2 - d)$ is the number of $c \in \mathbb{F}_q$ with $c^2 = b^2 - d$, we obtain

$$\sum_{b \in \mathbb{F}_q} \big(1 + \eta(b^2 - d)\big) = S(d), \qquad (5.38)$$

where $S(d)$ is the number of ordered pairs $(b, c)$ with $b, c \in \mathbb{F}_q$ and $b^2 - c^2 = d$. To solve this equation, we put $b + c = u$, $b - c = v$ and note that the ordered pairs $(b, c)$ and $(u, v)$ are in one-to-one correspondence since $q$ is odd. Thus $S(d)$ is equal to the number of ordered pairs $(u, v)$ with $u, v \in \mathbb{F}_q$ and $uv = d$, hence $S(d) = q - 1$. Together with (5.37) and (5.38), this implies the desired formula. □
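The script below is an added example, not part of the book, that checks Theorem 5.18 exhaustively over $\mathbb{F}_p$ for small primes $p$ (every quadratic polynomial with $a_2 \ne 0$) and verifies Theorem 5.17 for all pairs of distinct odd primes below a bound, computing $\eta$ by Euler's criterion with the convention $\eta(0) = 0$ that the theorem requires. The function names are this example's own assumptions.

```python
def legendre(c, p):
    """Legendre symbol (c/p) = eta(c) for an odd prime p, by Euler's criterion; 0 if p divides c."""
    c %= p
    if c == 0:
        return 0
    return 1 if pow(c, (p - 1) // 2, p) == 1 else -1

def quadratic_char_sum(p, a2, a1, a0):
    """Left side of Theorem 5.18: sum over c in F_p of eta(a2 c^2 + a1 c + a0), term by term."""
    return sum(legendre(a2 * c * c + a1 * c + a0, p) for c in range(p))

def theorem_5_18(p, a2, a1, a0):
    """Right side of Theorem 5.18, with d = a1^2 - 4 a0 a2."""
    assert a2 % p != 0
    d = (a1 * a1 - 4 * a0 * a2) % p
    return -legendre(a2, p) if d != 0 else (p - 1) * legendre(a2, p)

def check_theorem_5_18(p):
    """Compare both sides for every quadratic polynomial over F_p."""
    return all(quadratic_char_sum(p, a2, a1, a0) == theorem_5_18(p, a2, a1, a0)
               for a2 in range(1, p) for a1 in range(p) for a0 in range(p))

def reciprocity_holds(p, r):
    """Theorem 5.17 for distinct odd primes p, r: (p/r)(r/p) = (-1)^((p-1)(r-1)/4)."""
    return legendre(p, r) * legendre(r, p) == (-1) ** (((p - 1) // 2) * ((r - 1) // 2))

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def check_reciprocity(limit):
    """Theorem 5.17 for all pairs of distinct odd primes below limit."""
    primes = [n for n in range(3, limit) if is_prime(n)]
    return all(reciprocity_holds(p, r) for p in primes for r in primes if p != r)
```

For instance $\sum_{c \in \mathbb{F}_7} \eta(c^2 - 1) = -1$ (here $d = 4 \ne 0$ and $\eta(1) = 1$), while $f(x) = x^2 + 2x + 1 = (x+1)^2$ over $\mathbb{F}_5$ has $d = 0$ and the sum is $q - 1 = 4$.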
EXERCISES

5.1. Let $G$ be a finite abelian group, $H$ a proper subgroup of $G$, and $g \in G$ with $g \notin H$. Prove that there exists a character $\chi$ of $G$ that annihilates $H$, but for which $\chi(g) \ne 1$.

5.2. Let $H$ be a subgroup of the finite abelian group $G$. Prove that the annihilator $A$ of $H$ in $\hat G$ is isomorphic to $G/H$ and that $\hat G/A$ is isomorphic to $H$.

5.3. Let $G$ be a finite abelian group and $m \in \mathbb{N}$. Prove that $g \in G$ is an $m$th power of an element of $G$ if and only if $\chi(g) = 1$ for all characters $\chi$ of $G$ for which $\chi^m$ is trivial.

5.4. Let $G_1, \ldots, G_k$ be finite abelian groups. Define multiplication of $k$-tuples $(g_1, \ldots, g_k)$, $(h_1, \ldots, h_k)$ with $g_i, h_i \in G_i$ for $1 \le i \le k$ by

$$(g_1, \ldots, g_k)(h_1, \ldots, h_k) = (g_1h_1, \ldots, g_kh_k).$$

Show that with this operation the set of all such $k$-tuples forms again a finite abelian group, the so-called direct product $G_1 \otimes \cdots \otimes G_k$. Then prove that $(G_1 \otimes \cdots \otimes G_k)^\wedge$ is isomorphic to $\hat G_1 \otimes \cdots \otimes \hat G_k$.

5.5. Use the structure theorem for finite abelian groups, which says in its simplest form that every such group is isomorphic to a direct product of finite cyclic groups, to prove that $\hat G$ is isomorphic to $G$ whenever $G$ is a finite abelian group.

5.6. For additive characters of $\mathbb{F}_q$ in the notation of Theorem 5.7, show that $\chi_a\chi_b = \chi_{a+b}$ for all $a, b \in \mathbb{F}_q$. Thus prove without reference to Exercise 5.5 that the group of additive characters of $\mathbb{F}_q$ is isomorphic to the additive group of $\mathbb{F}_q$.

5.7. If $\chi_1$ is the canonical additive character of the finite field $\mathbb{F}_q$ of characteristic $p$, prove that $\chi_1(c^{p^j}) = \chi_1(c)$ for all $c \in \mathbb{F}_q$ and $j \in \mathbb{N}$.

5.8. If $\psi$ is a multiplicative character of $\mathbb{F}_{q^s}$ of order $m$, prove that the restriction of $\psi$ to $\mathbb{F}_q$ is a multiplicative character of order $m/\gcd(m, (q^s-1)/(q-1))$.

5.9. With the notation of Exercise 5.8, prove that the restriction of $\psi$ to $\mathbb{F}_q$ is the trivial character if and only if $m$ divides $(q^s-1)/(q-1)$.

5.10. Let $\psi$ be a multiplicative character of $\mathbb{F}_q$ and let $\psi'$ be the lifted character of the extension field $\mathbb{F}_{q^s}$. Prove that $\psi'(c) = \psi^s(c)$ for $c \in \mathbb{F}_q^*$.

5.11. Prove that a multiplicative character $\tau$ of $\mathbb{F}_{q^s}$ is equal to a character $\psi'$ lifted from $\mathbb{F}_q$ if and only if $\tau^{q-1}$ is trivial.

5.12. If $q \equiv 1 \pmod m$ and $\psi$ varies over all multiplicative characters of $\mathbb{F}_q$ of order dividing $m$, prove that the lifted character $\psi'$ of $\mathbb{F}_{q^s}$ varies over all multiplicative characters of $\mathbb{F}_{q^s}$ of order dividing $m$.

5.13. Prove that an additive character $\lambda$ of the finite extension field $E$ of $\mathbb{F}_q$ is equal to a character lifted from $\mathbb{F}_q$ if and only if $\lambda = \mu_b$ with $b \in \mathbb{F}_q$, where $\mu_1$ is the canonical additive character of $E$.

5.14. Prove for $c \in \mathbb{F}_q^*$ that

$$\sum_{d} \frac{\mu(d)}{\phi(d)} \sum_{\psi^{(d)}} \psi^{(d)}(c) = \begin{cases} \dfrac{q-1}{\phi(q-1)} & \text{if } c \text{ is a primitive element of } \mathbb{F}_q, \\ 0 & \text{otherwise,} \end{cases}$$

where in the outer sum $d$ runs through all positive divisors of $q-1$ and in the inner sum $\psi^{(d)}$ runs through the $\phi(d)$ multiplicative characters of $\mathbb{F}_q$ of order $d$. Here $\mu$ denotes the Moebius function (see Definition 3.22) and $\phi$ Euler's function (see Theorem 1.15(iv)).

5.15. Show that $\eta(2) = (-1)^{(q^2-1)/8}$, where $\eta$ is the quadratic character of $\mathbb{F}_q$, $q$ odd.

5.16. For $r \in \mathbb{N}$ prove $G(\psi^{p^r}, \chi_b) = G(\psi, \chi_{\rho(b)})$, where $\rho(b) = b^{p^r}$ for $b \in \mathbb{F}_q$ and $p$ is the characteristic of $\mathbb{F}_q$.

5.17. Prove $\sum_{\chi} G(\psi, \chi) = 0$ for all multiplicative characters $\psi$ of $\mathbb{F}_q$, where the sum is extended over all additive characters $\chi$ of $\mathbb{F}_q$.

5.18. Prove $\sum_{\psi} G(\psi, \chi) = (q-1)\chi(1)$ for all additive characters $\chi$ of $\mathbb{F}_q$, where the sum is extended over all multiplicative characters $\psi$ of $\mathbb{F}_q$.

5.19. For the quadratic character $\eta$ of $\mathbb{F}_q$, $q = p^s$, $p$ an odd prime, $s \in \mathbb{N}$, and an additive character $\chi_b$, $b \in \mathbb{F}_q^*$, in the notation of Theorem 5.7, prove that

$$G(\eta, \chi_b) = \eta(b)(-1)^{s-1} i^{(p-1)^2 s/4} q^{1/2}.$$

5.20. If $q$ is odd and $\eta$ is the quadratic character of $\mathbb{F}_q$, prove that $G(\eta, \chi_a)G(\eta, \chi_b) = \eta(-ab)q$ for $a, b \in \mathbb{F}_q^*$.

5.21. Use the law of quadratic reciprocity to evaluate the Legendre symbols ( Po) and (i, ).

5.22. Determine all primes $p$ such that ( ~J ) $= 1$.

5.23. Determine all odd prime powers $q$ such that the quadratic character of $\mathbb{F}_q$ satisfies $\eta(3) = 1$.

5.24. Prove that the polynomial $x^2 + ax + b \in \mathbb{F}_q[x]$, $q$ odd, is irreducible in $\mathbb{F}_q[x]$ if and only if $\eta(a^2 - 4b) = -1$.

5.25. Determine whether the polynomial $x^2 - 12x + 41$ is irreducible in 1F",lx].

5.26. Let $p$ and $r$ be distinct odd primes, let $s \in \mathbb{N}$ be such that $r^s \equiv 1 \pmod p$, and let $\zeta$ be an element of order $p$ in $\mathbb{F}_{r^s}^*$. For $k \in \mathbb{Z}$ define

$$G_k = \sum_{c=1}^{p-1} \left(\frac{c}{p}\right)\zeta^{kc} \in \mathbb{F}_{r^s}.$$

Prove the following properties: (i) $G_k = \left(\frac{k}{p}\right)G_1$; (ii) $G_1^2 = (-1)^{(p-1)/2}p$, where the last expression is viewed as an element of $\mathbb{F}_r$.

5.27. Use the results of Exercise 5.26 to prove the law of quadratic reciprocity.

5.28. Prove that

$$\sum_{c \in \mathbb{F}_q} \psi(c-a)\overline{\psi(c+b)} = -1$$

for $a, b \in \mathbb{F}_q$ with $a \ne -b$, where $\psi$ is a nontrivial multiplicative character of $\mathbb{F}_q$.

5.29. Let $\psi$ be a nontrivial multiplicative character of $\mathbb{F}_q$ and let $S$ be a subset of $\mathbb{F}_q$ with $h$ elements. Prove that

$$\sum_{c \in \mathbb{F}_q} \Big|\sum_{a \in S} \psi(c+a)\Big|^2 = h(q-h).$$

5.30. Let $\lambda_1, \lambda_2, \lambda_3$ be nontrivial multiplicative characters of $\mathbb{F}_q$ and let ... $= q^2 - 3q$ if $\lambda_1\lambda_2$ nontrivial, $q^2 - 2q - 1$ if $\lambda_1\lambda_2$ trivial.

5.31. Let $\psi$ be a multiplicative character of $\mathbb{F}_q$ of order $m > 1$. For $a \in \mathbb{F}_q$ prove

$$\sum_{c \in \mathbb{F}_q^*} \psi(ac^n) = \begin{cases} (q-1)\psi(a) & \text{if } m \text{ divides } n, \\ 0 & \text{otherwise.} \end{cases}$$

5.32. Prove that $\sum_{c \in \mathbb{F}_q} \eta(f(c)) = 0$ if $q \equiv 3 \pmod 4$, $\eta$ is the quadratic character of $\mathbb{F}_q$, and $f \in \mathbb{F}_q[x]$ is an odd polynomial, that is, a polynomial with $f(-x) = -f(x)$.
Chapter 6
Linear Recurring Sequences
Sc.:<..juencc~
in finite fields whose terms depend in a simple manner on their
prcdecc~sors
are of importance for a variety of applications. Such sequences
are ~asy to generate by recursive procedures, which is certainly an advantageous feature from the computational viewpoint, and they also tend to have u~dul structural properties. Of particular interest is the case where the terms depend linearly on a fixed number of predecessors, resuiting in a so-called linear recurring sequence. These sequences arc employed. for instance. in coding theory (sec Chapter g, Section 2), in cryptography (sec Chapter 9, Section 2), and in several branches of electrical engineering. Tn these applications, tbc underlying field is often taken to be l 2' but the theory can be developed quite generally for any finite field. In Section I we show how to implement the generation of linear recurring sequences on special switching circuits called feedback shift registers. We discuss also some basic periodicity properties of such sequences. Section 2 introduces the concept of an impulse response sequence, which is of both practical and theoretical interest. I'urther relations to periodicity properties are found in this way, and also through the use of the so-called characteristic polynomial of a linear recurring sequence. Another application of the characteristic polynomial yields explicit formulas for the terms of
a linear n.::curring sequence. Maximal period sequenc~s arc also defined in this section. These scquem:es will appear in various applications in later chapters. The theory of linear recurring sequences can be approached via linear algebra. ideal theory, or formal power scrics. An approach hased on
l.incaf I'h'curring Sequenccs
the latt~r is pft:sl..:nt~d in Section 3. Thi~ leads to a computation-oriented way of introducing th~ minimal polynomial of a linear recurring sequence in the next section. The minimal polynomial is of crucial importance for the linear recurring sequence, since the order of the minimal polynomial gives the least period of the sequence. In Section 5 we study the collection of all sequences satisfying a given linear recurrence relation. This information is useful in the discussion of opaation~ with lin~ar recurring sequences, such as termwise addition and multiplication for sequences in general finite fields and binary complementation for sequences in F,. We consider also the problem of determining the vari()u~ least periods: of th~ s~qucnces generated by a fixed linear recurrence relation. Section 6 presents some dcterminantal criteria characterizing linear recurring sequences as well as the Berlekamp-Massey algorithm for the calculation of minimal polynomials. Section 7 is devoted to distribution properties of linear rl..:eurring :"lequencl..:s. Exponential sums with linear recurring sequences are the main tools for studying sucb properties.
I.
FEEDBACK SHIFT REGISTERS, PERIODICITY PROPERTIES
Let $k$ be a positive integer, and let $a, a_0, a_1, \ldots, a_{k-1}$ be given elements of a finite field $\mathbb{F}_q$. A sequence $s_0, s_1, \ldots$ of elements of $\mathbb{F}_q$ satisfying the relation
$$s_{n+k} = a_{k-1}s_{n+k-1} + a_{k-2}s_{n+k-2} + \cdots + a_0 s_n + a \quad \text{for } n = 0, 1, \ldots \qquad (6.1)$$
is called a ($k$th-order) linear recurring sequence in $\mathbb{F}_q$. The terms $s_0, s_1, \ldots, s_{k-1}$, which determine the rest of the sequence uniquely, are referred to as the initial values. A relation of the form (6.1) is called a ($k$th-order) linear recurrence relation. In the older literature one may also find the term "difference equation." We speak of a homogeneous linear recurrence relation if $a = 0$; otherwise the linear recurrence relation is inhomogeneous. The sequence $s_0, s_1, \ldots$ itself is called a homogeneous, or inhomogeneous, linear recurring sequence in $\mathbb{F}_q$, respectively.

The generation of linear recurring sequences can be implemented on a feedback shift register. This is a special kind of electronic switching circuit handling information in the form of elements of $\mathbb{F}_q$, which are represented suitably. Four types of devices are used. The first is an adder, which has two inputs and one output, the output being the sum in $\mathbb{F}_q$ of the two inputs. The second is a constant multiplier, which has one input and yields as the output the product of the input with a constant element of $\mathbb{F}_q$. The third is a constant adder, which is analogous to a constant multiplier, but adds a constant element of $\mathbb{F}_q$ to the input. The fourth type of device is a delay element ("flip-flop"), which has one input and one output and is regulated by an external synchronous clock so that its input at a particular time appears as its output one unit of time later. We shall not be concerned here with the physical realization of these devices. The representation of the components in circuit diagrams is shown in Figure 6.1.
A feedback shift register is built by interconnecting a finite number of adders, constant multipliers, constant adders, and delay elements along a closed loop in such a way that two outputs are never connected together. Actually, for the purpose of generating linear recurring sequences, it suffices to connect the components in a rather special manner. A feedback shift register that generates a linear recurring sequence satisfying (6.1) is shown in Figure 6.2. At the outset, each delay element $D_j$, $j = 0, 1, \ldots, k-1$, contains the initial value $s_j$. If we think of the arithmetic operations and the transfer along the wires to be performed instantaneously, then after one time unit each $D_j$ will contain $s_{j+1}$. Continuing in this manner, we see that the output of the feedback shift register is the string of elements $s_0, s_1, s_2, \ldots$ received in intervals of one time unit. In most of the applications the desired linear recurring sequence is homogeneous, in which case the constant adder is not needed.

[FIGURE 6.1 The building blocks of feedback shift registers. (a) Adder. (b) Constant multiplier for multiplying by $a$. (c) Constant adder for adding $a$. (d) Delay element.]

[FIGURE 6.2 The general form of a feedback shift register.]

6.1. Example. In order to generate a linear recurring sequence in $\mathbb{F}_5$ satisfying the homogeneous linear recurrence relation
$$s_{n+6} = s_{n+5} + 2s_{n+4} + s_{n+1} + 3s_n \quad \text{for } n = 0, 1, \ldots,$$
one may use the feedback shift register shown in Figure 6.3. Since $a_2 = a_3 = 0$, no connections are necessary at these points. □

6.2. Example. Consider the homogeneous linear recurrence relation
$$s_{n+7} = s_{n+4} + s_{n+3} + s_{n+2} + s_n, \quad n = 0, 1, \ldots, \text{ in } \mathbb{F}_2.$$
A feedback shift register corresponding to this linear recurrence relation is shown in Figure 6.4. Since multiplication by a constant in $\mathbb{F}_2$ either preserves or annihilates elements, the effect of a constant multiplier can be simulated by a wire connection or a disconnection. Therefore, a feedback shift register for the generation of binary homogeneous linear recurring sequences requires only delay elements, adders, and wire connections. □
Let $s_0, s_1, \ldots$ be a $k$th-order linear recurring sequence in $\mathbb{F}_q$ satisfying (6.1). As we have noted, this sequence can be generated by the feedback shift register in Figure 6.2. If $n$ is a nonnegative integer, then after $n$ time units the delay element $D_j$, $j = 0, 1, \ldots, k-1$, will contain $s_{n+j}$. It is therefore natural to call the row vector $\mathbf{s}_n = (s_n, s_{n+1}, \ldots, s_{n+k-1})$ the $n$th state vector of the linear recurring sequence (or of the feedback shift register). The state vector $\mathbf{s}_0 = (s_0, s_1, \ldots, s_{k-1})$ is also referred to as the initial state vector. It is a characteristic feature of linear recurring sequences in finite fields that, after a possibly irregular behavior in the beginning, such sequences are eventually of a periodic nature (or ultimately periodic in the sense of Definition 6.3 below). Before studying this property in detail, we introduce some terminology and mention a few general facts about ultimately periodic sequences.
[FIGURE 6.3 The feedback shift register for Example 6.1.]

[FIGURE 6.4 The feedback shift register for Example 6.2.]
6.3. Definition. Let $S$ be an arbitrary nonempty set, and let $s_0, s_1, \ldots$ be a sequence of elements of $S$. If there exist integers $r > 0$ and $n_0 \geq 0$ such that $s_{n+r} = s_n$ for all $n \geq n_0$, then the sequence is called ultimately periodic and $r$ is called a period of the sequence. The smallest number among all the possible periods of an ultimately periodic sequence is called the least period of the sequence.

6.4. Lemma. Every period of an ultimately periodic sequence is divisible by the least period.

Proof. Let $r$ be an arbitrary period of the ultimately periodic sequence $s_0, s_1, \ldots$ and let $r_1$ be its least period, so that we have $s_{n+r} = s_n$ for all $n \geq n_0$ and $s_{n+r_1} = s_n$ for all $n \geq n_1$ with suitable nonnegative integers $n_0$ and $n_1$. If $r$ were not divisible by $r_1$, we could use the division algorithm for integers to write $r = mr_1 + t$ with integers $m \geq 1$ and $0 < t < r_1$. Then, for all $n \geq \max(n_0, n_1)$ we get

and so $t$ is a period of the sequence, which contradicts the definition of the least period. □

6.5. Definition. An ultimately periodic sequence $s_0, s_1, \ldots$ with least period $r$ is called periodic if $s_{n+r} = s_n$ holds for all $n = 0, 1, \ldots$.
The following condition, which is sometimes found in the literature, is equivalent to the definition of a periodic sequence.

6.6. Lemma. The sequence $s_0, s_1, \ldots$ is periodic if and only if there exists an integer $r > 0$ such that $s_{n+r} = s_n$ for all $n = 0, 1, \ldots$.

Proof. The necessity of the condition is obvious. Conversely, if the condition is satisfied, then the sequence is ultimately periodic and has a least period $r_1$. Therefore, with a suitable $n_0$ we have $s_{n+r_1} = s_n$ for all $n \geq n_0$. Now let $n$ be an arbitrary nonnegative integer, and choose an integer $m \geq n_0$ with $m \equiv n \bmod r$. Then $s_{n+r_1} = s_{m+r_1} = s_m = s_n$, which shows that the sequence is periodic in the sense of Definition 6.5. □

If $s_0, s_1, \ldots$ is ultimately periodic with least period $r$, then the least nonnegative integer $n_0$ such that $s_{n+r} = s_n$ for all $n \geq n_0$ is called the preperiod. The sequence is periodic precisely if the preperiod is 0. We return now to linear recurring sequences in finite fields and establish the basic results concerning the periodicity behavior of such sequences.
6.7. Theorem. Let $\mathbb{F}_q$ be any finite field and $k$ any positive integer. Then every $k$th-order linear recurring sequence in $\mathbb{F}_q$ is ultimately periodic with least period $r$ satisfying $r \leq q^k$, and $r \leq q^k - 1$ if the sequence is homogeneous.

Proof. We note that there are exactly $q^k$ distinct $k$-tuples of elements of $\mathbb{F}_q$. Therefore, by considering the state vectors $\mathbf{s}_m$, $0 \leq m \leq q^k$, of a given $k$th-order linear recurring sequence in $\mathbb{F}_q$, it follows that $\mathbf{s}_i = \mathbf{s}_j$ for some $i$ and $j$ with $0 \leq i < j \leq q^k$. Using the linear recurrence relation and induction, we arrive at $s_{n+j-i} = s_n$ for all $n \geq i$, which shows that the linear recurring sequence itself is ultimately periodic with least period $r \leq j - i \leq q^k$. In case the linear recurring sequence is homogeneous and no state vector is the zero vector, one can go through the same argument, but with $q^k$ replaced by $q^k - 1$, to obtain $r \leq q^k - 1$. If, however, one of the state vectors of a homogeneous linear recurring sequence is the zero vector, then all subsequent state vectors are zero vectors, and so the sequence has least period $r = 1 \leq q^k - 1$. □

6.8. Example. The first-order linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_p$, $p$ prime, with $s_{n+1} = s_n + 1$ for $n = 0, 1, \ldots$ and arbitrary $s_0 \in \mathbb{F}_p$ shows that the upper bound for $r$ in Theorem 6.7 may be attained. If $\mathbb{F}_q$ is any finite field and $g$ is a primitive element of $\mathbb{F}_q$ (see Definition 2.9), then the first-order homogeneous linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_q$ with $s_{n+1} = g s_n$ for $n = 0, 1, \ldots$ and $s_0 \neq 0$ has least period $r = q - 1$. Therefore, the upper bound for $r$ in the homogeneous case may also be attained. Later on, we shall show that in any $\mathbb{F}_q$ and for any $k \geq 1$ there exist $k$th-order homogeneous linear recurring sequences with least period $r = q^k - 1$ (see Theorem 6.33). □
6.9. Example. For a first-order homogeneous linear recurring sequence in $\mathbb{F}_q$, it is easily seen that the least period divides $q - 1$. However, if $k \geq 2$, then the least period of a $k$th-order homogeneous linear recurring sequence need not divide $q^k - 1$. Consider, for instance, the sequence $s_0, s_1, \ldots$ in $\mathbb{F}_5$ with $s_0 = 0$, $s_1 = 1$, and $s_{n+2} = s_{n+1} + s_n$ for $n = 0, 1, \ldots$, which has least period 20, as is shown by inspection. □
6.10. Example. A linear recurring sequence in a finite field is ultimately periodic, but it need not be periodic, as is illustrated by a second-order linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_q$ with $s_0 \neq s_1$ and $s_{n+2} = s_{n+1}$ for $n = 0, 1, \ldots$. □
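The register of Figure 6.2 and the state-vector argument of Theorem 6.7 in code, as an added Python example that is not from the book: it clocks a linear recurring sequence over $\mathbb{F}_p$ and reads preperiod and least period off the first repeated state vector. It assumes $q = p$ prime, so that field arithmetic is integer arithmetic modulo $p$.

```python
# Added example, not from the book: simulate the feedback shift register of
# Figure 6.2 over F_p (p prime assumed, so arithmetic is mod p) and determine
# preperiod and least period by the state-vector argument of Theorem 6.7.


def lrs_step(p, coeffs, a, state):
    """One clock tick: state vector s_n = (s_n, ..., s_{n+k-1}) -> s_{n+1}.
    coeffs = [a_0, ..., a_{k-1}] and a are the constants of relation (6.1)."""
    new_term = (sum(c * x for c, x in zip(coeffs, state)) + a) % p
    return state[1:] + (new_term,)


def lrs_terms(p, coeffs, init, a=0, count=30):
    """The first `count` terms s_0, s_1, ... of the sequence with initial
    values init = [s_0, ..., s_{k-1}]."""
    if len(init) != len(coeffs):
        raise ValueError("need exactly k initial values")
    state = tuple(x % p for x in init)
    terms = []
    for _ in range(count):
        terms.append(state[0])
        state = lrs_step(p, coeffs, a, state)
    return terms


def impulse_response(p, coeffs, count=30):
    """Impulse response sequence of Section 2: initial values 0, ..., 0, 1."""
    k = len(coeffs)
    return lrs_terms(p, coeffs, [0] * (k - 1) + [1], 0, count)


def period_data(p, coeffs, init, a=0):
    """Return (preperiod n_0, least period r).

    There are only p^k state vectors, so some s_j equals an earlier s_i
    (i < j).  Because the next state depends only on the current one, the
    states from index i on repeat with period j - i, and the first repeat
    found this way gives the preperiod n_0 = i and the least period r = j - i.
    """
    state = tuple(x % p for x in init)
    first_seen = {}
    n = 0
    while state not in first_seen:
        first_seen[state] = n
        state = lrs_step(p, coeffs, a, state)
        n += 1
    i = first_seen[state]
    return i, n - i


def check_bounds(p, coeffs, init, a=0):
    """Theorem 6.7: r <= p^k always, and r <= p^k - 1 when a = 0."""
    k = len(coeffs)
    _, r = period_data(p, coeffs, init, a)
    return r <= p ** k - (1 if a == 0 else 0)


if __name__ == "__main__":
    # Example 6.9: s_{n+2} = s_{n+1} + s_n in F_5 from (0, 1), least period 20.
    print(period_data(5, [1, 1], [0, 1]))            # (0, 20)
    # Example 6.10: s_{n+2} = s_{n+1} with s_0 != s_1, preperiod 1, period 1.
    print(period_data(7, [0, 1], [2, 3]))            # (1, 1)
    # Impulse response of s_{n+5} = s_{n+1} + s_n in F_2 (Example 6.14 below).
    print("".join(map(str, impulse_response(2, [1, 1, 0, 0, 0], 27))))
    print(period_data(2, [1, 1, 0, 0, 0], [0, 0, 0, 0, 1]))  # (0, 21)
```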
An important sufficient condition for the periodicity of a linear recurring sequence is provided by the following result.
6.11. Theorem. If $s_0, s_1, \ldots$ is a linear recurring sequence in a finite field satisfying the linear recurrence relation (6.1), and if the coefficient $a_0$ in (6.1) is nonzero, then the sequence $s_0, s_1, \ldots$ is periodic.

Proof. According to Theorem 6.7, the given linear recurring sequence is ultimately periodic. If $r$ is its least period and $n_0$ its preperiod, then $s_{n+r} = s_n$ for all $n \geq n_0$. Suppose we had $n_0 \geq 1$. From (6.1) with $n = n_0 + r - 1$ and the fact that $a_0 \neq 0$, we obtain
$$s_{n_0-1+r} = a_0^{-1}\left(s_{n_0+k-1+r} - a_{k-1}s_{n_0+k-2+r} - \cdots - a_1 s_{n_0+r} - a\right).$$
Using (6.1) with $n = n_0 - 1$, we find the same expression for $s_{n_0-1}$, and so $s_{n_0-1+r} = s_{n_0-1}$. This is a contradiction to the definition of the preperiod. □
Let $s_0, s_1, \ldots$ be a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying the linear recurrence relation
$$s_{n+k} = a_{k-1}s_{n+k-1} + a_{k-2}s_{n+k-2} + \cdots + a_0 s_n \quad \text{for } n = 0, 1, \ldots, \qquad (6.2)$$
where $a_j \in \mathbb{F}_q$ for $0 \leq j \leq k-1$. With this linear recurring sequence we associate the $k \times k$ matrix $A$ over $\mathbb{F}_q$ defined by
$$A = \begin{pmatrix} 0 & 0 & 0 & \cdots & 0 & a_0 \\ 1 & 0 & 0 & \cdots & 0 & a_1 \\ 0 & 1 & 0 & \cdots & 0 & a_2 \\ \vdots & & & & & \vdots \\ 0 & 0 & 0 & \cdots & 1 & a_{k-1} \end{pmatrix}. \qquad (6.3)$$
If $k = 1$, then $A$ is understood to be the $1 \times 1$ matrix $(a_0)$. We note that the matrix $A$ depends only on the linear recurrence relation satisfied by the given sequence.

6.12. Lemma. If $s_0, s_1, \ldots$ is a homogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying (6.2) and $A$ is the matrix in (6.3) associated with it, then for the state vectors of the sequence we have
$$\mathbf{s}_n = \mathbf{s}_0 A^n \quad \text{for } n = 0, 1, \ldots. \qquad (6.4)$$

Proof. Since $\mathbf{s}_n = (s_n, s_{n+1}, \ldots, s_{n+k-1})$, one checks easily that $\mathbf{s}_{n+1} = \mathbf{s}_n A$ for all $n \geq 0$, so that (6.4) follows by induction. □

We note that the set of all nonsingular $k \times k$ matrices over $\mathbb{F}_q$ forms a finite group under matrix multiplication, called the general linear group

6.13. Theorem. If $s_0, s_1, \ldots$ is a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying (6.2) with $a_0 \neq 0$, then the least
Proof. We have $\det A = (-1)^{k-1}a_0 \neq 0$, so that $A$ is indeed an element of $GL(k, \mathbb{F}_q)$. If $m$ is the order of $A$ in $GL(k, \mathbb{F}_q)$, then from Lemma 6.12 we obtain $\mathbf{s}_{n+m} = \mathbf{s}_0 A^{n+m} = \mathbf{s}_0 A^n = \mathbf{s}_n$ for all $n \geq 0$, and so $m$ is a period of the linear recurring sequence. The rest follows from Lemma 6.4. □

We remark that the above argument, together with Lemma 6.6, yields an alternative proof for Theorem 6.11 in the homogeneous case. From Theorem 6.13 it follows, in particular, that the least period of the sequence $s_0, s_1, \ldots$ divides the order of $GL(k, \mathbb{F}_q)$, which is known to be $q^{k(k-1)/2}(q-1)(q^2-1)\cdots(q^k-1)$.

Let now $s_0, s_1, \ldots$ be a $k$th-order inhomogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying (6.1). By using (6.1) with $n$ replaced by $n+1$ and subtracting from the resulting identity the original form of (6.1) we obtain
$$s_{n+k+1} = b_k s_{n+k} + b_{k-1}s_{n+k-1} + \cdots + b_0 s_n \quad \text{for } n = 0, 1, \ldots, \qquad (6.5)$$
where $b_0 = -a_0$, $b_j = a_{j-1} - a_j$ for $j = 1, 2, \ldots, k-1$, and $b_k = a_{k-1} + 1$. Therefore, the sequence $s_0, s_1, \ldots$ can be interpreted as a $(k+1)$st-order homogeneous linear recurring sequence in $\mathbb{F}_q$. Consequently, results on homogeneous linear recurring sequences yield information for the inhomogeneous case as well.

An alternative approach to the inhomogeneous case proceeds as follows. Let $s_0, s_1, \ldots$ be a $k$th-order inhomogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying (6.1), and consider the $(k+1) \times (k+1)$ matrix $C$ over $\mathbb{F}_q$ defined by
$$C = \begin{pmatrix} 1 & 0 & 0 & \cdots & 0 & a \\ 0 & 0 & 0 & \cdots & 0 & a_0 \\ 0 & 1 & 0 & \cdots & 0 & a_1 \\ \vdots & & & & & \vdots \\ 0 & 0 & 0 & \cdots & 1 & a_{k-1} \end{pmatrix}.$$
If $k = 1$, take
$$C = \begin{pmatrix} 1 & a \\ 0 & a_0 \end{pmatrix}.$$
We introduce modified state vectors by setting $\mathbf{s}'_n = (1, s_n, s_{n+1}, \ldots, s_{n+k-1})$ for $n = 0, 1, \ldots$. Then it is easily seen that $\mathbf{s}'_{n+1} = \mathbf{s}'_n C$ for all $n \geq 0$, and so $\mathbf{s}'_n = \mathbf{s}'_0 C^n$ for all $n \geq 0$ by induction. If $a_0 \neq 0$ in (6.1), then $\det C = (-1)^{k-1}a_0 \neq 0$, so that the matrix $C$ is an element of $GL(k+1, \mathbb{F}_q)$. One shows then as in the proof of Theorem 6.13 that the least period of $s_0, s_1, \ldots$ divides the order of $C$ in $GL(k+1, \mathbb{F}_q)$.
2. IMPULSE RESPONSE SEQUENCES, CHARACTERISTIC POLYNOMIAL
Among all the homogeneous linear recurring sequences in $\mathbb{F}_q$ satisfying a given $k$th-order linear recurrence relation such as (6.2), we can single out one that yields the maximal value for the least period in this class of sequences. This is the impulse response sequence $d_0, d_1, \ldots$ determined uniquely by its initial values $d_0 = \cdots = d_{k-2} = 0$, $d_{k-1} = 1$ ($d_0 = 1$ if $k = 1$) and the linear recurrence relation

6.14. Example. Consider the linear recurrence relation
$$s_{n+5} = s_{n+1} + s_n, \quad n = 0, 1, \ldots, \text{ in } \mathbb{F}_2.$$
The impulse response sequence $d_0, d_1, \ldots$ corresponding to it is given by the string of binary digits
$$00001000110010101111100001\cdots$$
of least period 21. A feedback shift register generating this sequence is shown in Figure 6.5. We can think of this sequence as being obtained by starting with the state in which each delay element is "empty" (i.e., contains 0) and then sending the "impulse" 1 into the rightmost delay element. This explains the term "impulse response sequence." □

6.15. Lemma. Let $d_0, d_1, \ldots$ be the impulse response sequence in $\mathbb{F}_q$ satisfying (6.6), and let $A$ be the matrix in (6.3). Then two state vectors $\mathbf{d}_m$ and $\mathbf{d}_n$ are identical if and only if $A^m = A^n$.

Proof. The sufficiency follows from Lemma 6.12. Conversely, suppose that $\mathbf{d}_m = \mathbf{d}_n$. From the linear recurrence relation (6.6) we obtain then $\mathbf{d}_{m+t} = \mathbf{d}_{n+t}$ for all $t \geq 0$. By Lemma 6.12 we get $\mathbf{d}_t A^m = \mathbf{d}_t A^n$ for all $t \geq 0$. But since the vectors $\mathbf{d}_0, \mathbf{d}_1, \ldots, \mathbf{d}_{k-1}$ obviously form a basis for the $k$-dimensional vector space $\mathbb{F}_q^k$ over $\mathbb{F}_q$, we conclude that $A^m = A^n$. □
6.16. Theorem. The least period of a homogeneous linear recurring sequence in $\mathbb{F}_q$ divides the least period of the corresponding impulse response sequence.

[FIGURE 6.5 The feedback shift register for Example 6.14.]

Proof. Let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying (6.2), let $d_0, d_1, \ldots$ be the corresponding impulse response sequence, and let $A$ be the matrix in (6.3). If $r$ is the least period of $d_0, d_1, \ldots$ and $n_0$ the preperiod, then $\mathbf{d}_{n+r} = \mathbf{d}_n$ for all $n \geq n_0$. It follows from Lemma 6.15 that $A^{n+r} = A^n$ for all $n \geq n_0$, and so $\mathbf{s}_{n+r} = \mathbf{s}_n$ for all $n \geq n_0$ by Lemma 6.12. Therefore, $r$ is a period of $s_0, s_1, \ldots$, and an application of Lemma 6.4 completes the proof. □

6.17. Theorem. If $d_0, d_1, \ldots$ is a $k$th-order impulse response sequence in $\mathbb{F}_q$ satisfying (6.6) with $a_0 \neq 0$ and $A$ is the matrix in (6.3) associated with it, then the least period of the sequence is equal to the order of $A$ in the general linear group $GL(k, \mathbb{F}_q)$.

Proof. If $r$ is the least period of $d_0, d_1, \ldots$, then $r$ divides the order of $A$ according to Theorem 6.13. On the other hand, we have $\mathbf{d}_r = \mathbf{d}_0$ by Theorem 6.11, and so Lemma 6.15 yields $A^r = A^0$, which implies already the desired result. □
6.18. Example. For the linear recurrence relation $s_{n+5} = s_{n+1} + s_n$, $n = 0, 1, \ldots$, in $\mathbb{F}_2$ considered in Example 6.14 we have seen that the least period of the corresponding impulse response sequence is equal to 21, which is the same as the order of the matrix
$$A = \begin{pmatrix} 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \end{pmatrix}$$
in $GL(5, \mathbb{F}_2)$. If the initial state vector of a linear recurring sequence in $\mathbb{F}_2$ satisfying the given linear recurrence relation is equal to one of the 21 different state vectors appearing in the impulse response sequence, then the least period is again 21 (since such a sequence is just a shifted impulse response sequence). If we choose the initial state vector $(1, 1, 1, 0, 1)$, we get the string of binary digits $111010011101\cdots$ of least period 7, and the same least period results from any one of the 7 different state vectors of this sequence in the role of the initial state vector. If the initial state vector is $(1, 1, 0, 1, 1)$, then we obtain the string of binary digits $11011011\cdots$ of least period 3, and the same least period results if any one of the 3 different state vectors of this sequence is taken as the initial state vector. The initial state vector $(0, 0, 0, 0, 0)$ produces a sequence of least period 1. We have now exhausted all 32 possibilities for initial state vectors. □

6.19. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ with preperiod $n_0$. If there exist $k$ state vectors $\mathbf{s}_{m_1}, \mathbf{s}_{m_2}, \ldots, \mathbf{s}_{m_k}$ with $m_j \geq n_0$ ($1 \leq j \leq k$) that are linearly independent over $\mathbb{F}_q$, then both $s_0, s_1, \ldots$ and its corresponding impulse response sequence are periodic and they have the same least period.

Proof. Let $r$ be the least period of $s_0, s_1, \ldots$. For $1 \leq j \leq k$ we have $\mathbf{s}_{m_j}A^r = \mathbf{s}_{m_j+r} = \mathbf{s}_{m_j}$ by using Lemma 6.12, and so $A^r$ is the $k \times k$ identity matrix over $\mathbb{F}_q$. Thus we get $\mathbf{s}_r = \mathbf{s}_0 A^r = \mathbf{s}_0$, which shows that $s_0, s_1, \ldots$ is periodic. Similarly, if $\mathbf{d}_n$ denotes the $n$th state vector of the impulse response sequence, then $\mathbf{d}_r = \mathbf{d}_0 A^r = \mathbf{d}_0$, and an application of Theorem 6.16 completes the proof. □
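The matrix $A$ of (6.3), the transition $\mathbf{s}_{n+1} = \mathbf{s}_n A$ of Lemma 6.12 and the order of $A$ in $GL(k, \mathbb{F}_q)$ (Theorems 6.13 and 6.17, Example 6.18), as an added Python example that is not code from the book; it assumes $q = p$ prime and represents matrices as lists of rows.

```python
# Added example, not from the book: the companion matrix A of (6.3) over F_p
# (p prime assumed), the state transition of Lemma 6.12, and the order of A
# in GL(k, F_p), which by Theorem 6.17 is the least period of the impulse
# response sequence.  Matrices are lists of rows; state vectors are row tuples.


def companion_matrix(p, coeffs):
    """A from (6.3) for coeffs = [a_0, ..., a_{k-1}]: a subdiagonal of 1s
    (which shifts the state) and the a_j in the last column (the feedback)."""
    k = len(coeffs)
    A = [[0] * k for _ in range(k)]
    for i, a in enumerate(coeffs):
        A[i][k - 1] = a % p
        if i + 1 < k:
            A[i + 1][i] = 1
    return A


def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]


def mat_mul(p, X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]


def vec_mat(p, v, M):
    """Row vector times matrix: one step s_n -> s_{n+1} = s_n A."""
    return tuple(sum(v[t] * M[t][j] for t in range(len(v))) % p
                 for j in range(len(M[0])))


def mat_pow(p, A, n):
    """A^n by square-and-multiply, so s_n = s_0 A^n (6.4) is a single call."""
    R, B = identity(len(A)), A
    while n:
        if n & 1:
            R = mat_mul(p, R, B)
        B, n = mat_mul(p, B, B), n >> 1
    return R


def matrix_order(p, A):
    """Least m >= 1 with A^m = I.  Needs A invertible, i.e. a_0 != 0 since
    det A = (-1)^(k-1) a_0; the loop is bounded by |GL(k, F_p)|."""
    I, M, m = identity(len(A)), A, 1
    while M != I:
        M, m = mat_mul(p, M, A), m + 1
    return m


def gl_order(p, k):
    """|GL(k, F_q)| = q^(k(k-1)/2) (q-1)(q^2-1)...(q^k-1), quoted after
    Theorem 6.13; the least period of every such sequence divides it."""
    n = p ** (k * (k - 1) // 2)
    for i in range(1, k + 1):
        n *= p ** i - 1
    return n


def state_vectors(p, coeffs, init, count):
    """s_0, ..., s_{count-1} generated purely by the transition of Lemma 6.12."""
    A, v = companion_matrix(p, coeffs), tuple(x % p for x in init)
    out = [v]
    for _ in range(count - 1):
        v = vec_mat(p, v, A)
        out.append(v)
    return out


def least_period(p, coeffs, init):
    """For a_0 != 0 the sequence is periodic (Theorem 6.11), so its least
    period is the least r >= 1 with s_0 A^r = s_0; by Theorem 6.13 it
    divides the order of A."""
    A, s0 = companion_matrix(p, coeffs), tuple(x % p for x in init)
    v, r = vec_mat(p, s0, A), 1
    while v != s0:
        v, r = vec_mat(p, v, A), r + 1
    return r


if __name__ == "__main__":
    # Example 6.18: s_{n+5} = s_{n+1} + s_n in F_2, i.e. a_0 = a_1 = 1.
    A = companion_matrix(2, [1, 1, 0, 0, 0])
    print(matrix_order(2, A))                        # 21
    print(gl_order(2, 5) % matrix_order(2, A))       # 0
    for init in [(0, 0, 0, 0, 1), (1, 1, 1, 0, 1), (1, 1, 0, 1, 1), (0,) * 5]:
        print(init, least_period(2, [1, 1, 0, 0, 0], init))  # 21, 7, 3, 1
```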
6.20. Example. The condition $m_j \geq n_0$ in Theorem 6.19 is needed since there are $k$th-order homogeneous linear recurring sequences that are not periodic but contain $k$ linearly independent state vectors. Let $d_0, d_1, \ldots$ be the second-order impulse response sequence in $\mathbb{F}_q$ with $d_{n+2} = d_{n+1}$ for $n = 0, 1, \ldots$. The terms of this sequence are $0, 1, 1, 1, \ldots$. Clearly, the state vectors $\mathbf{d}_0$ and $\mathbf{d}_1$ are linearly independent over $\mathbb{F}_q$, but the sequence is not periodic (note that $n_0 = 1$ in this case). The converse of Theorem 6.19 is not true. Consider the third-order linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_2$ with $s_{n+3} = s_n$ for $n = 0, 1, \ldots$ and $\mathbf{s}_0 = (1, 1, 0)$. Then both $s_0, s_1, \ldots$ and its corresponding impulse response sequence are periodic with least period 3, but any three state vectors of $s_0, s_1, \ldots$ are linearly dependent over $\mathbb{F}_2$. □
Let $s_0, s_1, \ldots$ be a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying the linear recurrence relation
$$s_{n+k} = a_{k-1}s_{n+k-1} + a_{k-2}s_{n+k-2} + \cdots + a_0 s_n \quad \text{for } n = 0, 1, \ldots, \qquad (6.7)$$
where $a_j \in \mathbb{F}_q$ for $0 \leq j \leq k-1$. The polynomial
$$f(x) = x^k - a_{k-1}x^{k-1} - a_{k-2}x^{k-2} - \cdots - a_0 \in \mathbb{F}_q[x]$$
is called the characteristic polynomial of the linear recurring sequence. It depends, of course, only on the linear recurrence relation (6.7). If $A$ is the matrix in (6.3), then it is easily seen that $f(x)$ is identical with the characteristic polynomial of $A$ in the sense of linear algebra, that is, $f(x) = \det(xI - A)$ with $I$ being the $k \times k$ identity matrix over $\mathbb{F}_q$. On the other hand, the matrix $A$ may be thought of as the companion matrix of the monic polynomial $f(x)$. As a first application of the characteristic polynomial, we show how the terms of a linear recurring sequence may be represented explicitly in an important special case.
6.21. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ with characteristic polynomial $f(x)$. If the roots $\alpha_1, \ldots, \alpha_k$ of $f(x)$ are all distinct, then
$$s_n = \sum_{j=1}^{k} \beta_j \alpha_j^n \quad \text{for } n = 0, 1, \ldots, \qquad (6.8)$$
where $\beta_1, \ldots, \beta_k$ are elements that are uniquely determined by the initial values of the sequence and belong to the splitting field of $f(x)$ over $\mathbb{F}_q$.

Proof. The constants $\beta_1, \ldots, \beta_k$ can be determined from the system of linear equations
$$\sum_{j=1}^{k} \alpha_j^n \beta_j = s_n, \quad n = 0, 1, \ldots, k-1.$$
Since the determinant of this system is a Vandermonde determinant, which is nonzero by the condition on $\alpha_1, \ldots, \alpha_k$, the elements $\beta_1, \ldots, \beta_k$ are uniquely determined and belong to the splitting field $\mathbb{F}_q(\alpha_1, \ldots, \alpha_k)$ of $f(x)$ over $\mathbb{F}_q$, as is seen from Cramer's rule. To prove the identity (6.8) for all $n \geq 0$, it suffices now to check whether the elements on the right-hand side of (6.8), with these specific values for $\beta_1, \ldots, \beta_k$, satisfy the linear recurrence relation (6.7). But
$$\sum_{j=1}^{k} \beta_j \alpha_j^{n+k} - a_{k-1}\sum_{j=1}^{k} \beta_j \alpha_j^{n+k-1} - \cdots - a_0 \sum_{j=1}^{k} \beta_j \alpha_j^{n} = \sum_{j=1}^{k} \beta_j f(\alpha_j)\alpha_j^{n} = 0$$
for all $n \geq 0$, and the proof is complete. □
6.22. Example. Consider the linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_2$ with $s_0 = s_1 = 1$ and $s_{n+2} = s_{n+1} + s_n$ for $n = 0, 1, \ldots$. The characteristic polynomial is $f(x) = x^2 + x + 1 \in \mathbb{F}_2[x]$. If $\mathbb{F}_4 = \mathbb{F}_2(\alpha)$, then the roots of $f(x)$ are $\alpha_1 = \alpha$ and $\alpha_2 = 1 + \alpha$. Using the given initial values, we obtain $\beta_1 + \beta_2 = 1$ and $\beta_1\alpha + \beta_2(1 + \alpha) = 1$, hence $\beta_1 = \alpha$ and $\beta_2 = 1 + \alpha$. By Theorem 6.21 it follows that $s_n = \alpha^{n+1} + (1 + \alpha)^{n+1}$ for all $n \geq 0$. Since $\beta^3 = 1$ for every nonzero $\beta \in \mathbb{F}_4$, we deduce that $s_{n+3} = s_n$ for all $n \geq 0$, which is in accordance with the fact that the least period of the sequence is 3. □
6.23. Remark. A formula similar to (6.8) is valid if the multiplicity of each root of $f(x)$ is at most the characteristic $p$ of $\mathbb{F}_q$. In detail, let $\alpha_1, \ldots, \alpha_m$ be the distinct roots of $f(x)$, and suppose that each $\alpha_i$, $i = 1, 2, \ldots, m$, has multiplicity $e_i \leq p$ and that $e_i = 1$ if $\alpha_i = 0$. Then we have
$$s_n = \sum_{i=1}^{m} P_i(n)\alpha_i^n \quad \text{for } n = 0, 1, \ldots,$$
where each $P_i$, $i = 1, 2, \ldots, m$, is a polynomial of degree less than $e_i$ whose coefficients are uniquely determined by the initial values of the sequence and belong to the splitting field of $f(x)$ over $\mathbb{F}_q$. The integer $n$ is of course identified in the usual way with an element of $\mathbb{F}_q$. The reader familiar with differential equations will observe a certain analogy with the general solution of a homogeneous linear differential equation with constant coefficients. □

In case the characteristic polynomial is irreducible, the elements of the linear recurring sequence can be represented in terms of a suitable trace function (see Definition 2.22 and Theorem 2.23 for the definition and basic properties of trace functions).

6.24. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order homogeneous linear recurring sequence in $K = \mathbb{F}_q$ whose characteristic polynomial $f(x)$ is irreducible over $K$. Let $\alpha$ be a root of $f(x)$ in the extension field $F = \mathbb{F}_{q^k}$. Then there exists a uniquely determined $\theta \in F$ such that
$$s_n = \mathrm{Tr}_{F/K}(\theta\alpha^n) \quad \text{for } n = 0, 1, \ldots.$$

Proof. Since $\{1, \alpha, \ldots, \alpha^{k-1}\}$ constitutes a basis of $F$ over $K$, we can define a uniquely determined linear mapping $L$ from $F$ into $K$ by setting $L(\alpha^n) = s_n$ for $n = 0, 1, \ldots, k-1$. By Theorem 2.24 there exists a uniquely determined $\theta \in F$ such that $L(\gamma) = \mathrm{Tr}_{F/K}(\theta\gamma)$ for all $\gamma \in F$. In particular, we have
$$s_n = \mathrm{Tr}_{F/K}(\theta\alpha^n) \quad \text{for } n = 0, 1, \ldots, k-1.$$
It remains to show that the elements $\mathrm{Tr}_{F/K}(\theta\alpha^n)$, $n = 0, 1, \ldots$, form a homogeneous linear recurring sequence with characteristic polynomial $f(x)$. But if $f(x) = x^k - a_{k-1}x^{k-1} - \cdots - a_0 \in K[x]$, then using properties of the trace function we get
$$\mathrm{Tr}_{F/K}(\theta\alpha^{n+k}) - a_{k-1}\mathrm{Tr}_{F/K}(\theta\alpha^{n+k-1}) - \cdots - a_0\mathrm{Tr}_{F/K}(\theta\alpha^n) = \mathrm{Tr}_{F/K}(\theta\alpha^{n+k} - a_{k-1}\theta\alpha^{n+k-1} - \cdots - a_0\theta\alpha^n) = \mathrm{Tr}_{F/K}(\theta\alpha^n f(\alpha)) = 0$$
for all $n \geq 0$. □
Further relations between linear recurring sequences and their characteristic polynomials can be found on the basis of the following polynomial identity.
6.25. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ that satisfies the linear recurrence relation (6.7) and is periodic with period $r$. Let $f(x)$ be the characteristic polynomial of the sequence. Then the identity
$$f(x)s(x) = (1 - x^r)h(x) \qquad (6.9)$$
holds with
$$s(x) = s_0 x^{r-1} + s_1 x^{r-2} + \cdots + s_{r-2}x + s_{r-1} \in \mathbb{F}_q[x]$$
and
$$h(x) = \sum_{j=0}^{k-1} \sum_{i=0}^{k-1-j} a_{i+j+1} s_i x^j \in \mathbb{F}_q[x], \qquad (6.10)$$
where we set $a_k = -1$.
Proof. We compare the coefficients on both sides of (6.9). For $0 \leq t \leq k + r - 1$, let $c_t$ (resp. $d_t$) be the coefficient of $x^t$ on the left-hand side (resp. right-hand side) of (6.9). Since $f(x) = -\sum_{i=0}^{k} a_i x^i$, we have
$$c_t = -\sum_{\substack{0 \leq i \leq k,\ 0 \leq j \leq r-1 \\ i + j = t}} a_i s_{r-1-j} \quad \text{for } 0 \leq t \leq k + r - 1. \qquad (6.11)$$
We note also that the linear recurrence relation (6.7) may be written in the form
$$\sum_{i=0}^{k} a_i s_{n+i} = 0 \quad \text{for all } n \geq 0. \qquad (6.12)$$
We distinguish now four cases. If $k \leq t \leq r - 1$, then by (6.11) and (6.12),
$$c_t = -\sum_{i=0}^{k} a_i s_{r-1-t+i} = 0 = d_t.$$
If $t \leq r - 1$ and $t < k$, then by (6.11), (6.12), and the periodicity of the given sequence,
$$c_t = -\sum_{i=0}^{t} a_i s_{r-1-t+i} = \sum_{i=t+1}^{k} a_i s_{r-1-t+i} = \sum_{i=t+1}^{k} a_i s_{i-t-1} = \sum_{i=0}^{k-t-1} a_{i+t+1} s_i = d_t.$$
If $t \geq r$ and $t \geq k$, then by (6.11),
$$c_t = -\sum_{i=t-r+1}^{k} a_i s_{r-1-t+i} = -\sum_{i=0}^{k-1-t+r} a_{i+t-r+1} s_i = d_t.$$
If $r \leq t < k$, then by (6.11) and the periodicity of the given sequence,
$$c_t = -\sum_{i=t-r+1}^{t} a_i s_{r-1-t+i} = \sum_{i=t+1}^{k} a_i s_{r-1-t+i} - \sum_{i=t-r+1}^{k} a_i s_{r-1-t+i}$$
$$= \sum_{i=0}^{k-t-1} a_{i+t+1} s_{i+r} - \sum_{i=0}^{k-1-t+r} a_{i+t-r+1} s_i = \sum_{i=0}^{k-t-1} a_{i+t+1} s_i - \sum_{i=0}^{k-1-t+r} a_{i+t-r+1} s_i = d_t. \qquad □$$
In Lemma 3.1 we have seen that for any polynomial $f(x) \in \mathbb{F}_q[x]$ with $f(0) \neq 0$ there exists a positive integer $e$ such that $f(x)$ divides $x^e - 1$. This gave rise to the definition of the order of $f$ (see Definition 3.2). We give the following interpretation of $\mathrm{ord}(f)$.

6.26. Lemma. Let $f(x) = x^k - a_{k-1}x^{k-1} - a_{k-2}x^{k-2} - \cdots - a_0 \in \mathbb{F}_q[x]$ with $k \geq 1$ and $a_0 \neq 0$. Then $\mathrm{ord}(f(x))$ is equal to the order of the matrix $A$ from (6.3) in the general linear group $GL(k, \mathbb{F}_q)$.

Proof. Since $A$ is the companion matrix of $f(x)$, the polynomial $f(x)$ is, in turn, the minimal polynomial of $A$. Consequently, if $I$ is the $k \times k$ identity matrix over $\mathbb{F}_q$, then we have $A^e = I$ for some positive integer $e$ if and only if $f(x)$ divides $x^e - 1$. The result follows now from the definitions of the order of $f(x)$ and the order of $A$. □

6.27. Theorem. Let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ with characteristic polynomial $f(x) \in \mathbb{F}_q[x]$. Then the least period of the sequence divides $\mathrm{ord}(f(x))$, and the least period of the corresponding impulse response sequence is equal to $\mathrm{ord}(f(x))$. If $f(0) \neq 0$, then both sequences are periodic.

Proof. If $f(0) \neq 0$, then in the light of Lemma 6.26 the result is essentially a restatement of Theorems 6.13 and 6.17. In this case, the periodicity property follows from Theorem 6.11. If $f(0) = 0$, then we write $f(x) = x^h g(x)$ as in Definition 3.2 and set $t_n = s_{n+h}$ for $n = 0, 1, \ldots$. Then $t_0, t_1, \ldots$ is a homogeneous linear recurring sequence with characteristic polynomial $g(x)$, provided that $\deg(g(x)) > 0$. Its least period is the same as that of the sequence $s_0, s_1, \ldots$. Therefore, by what we have already shown, the least period of $s_0, s_1, \ldots$ divides $\mathrm{ord}(g(x)) = \mathrm{ord}(f(x))$. The desired result concerning the impulse response sequence follows in a similar way. If $g(x)$ is constant, the theorem is trivial. □

We remark that for $f(0) \neq 0$ the least period of the impulse response sequence may also be obtained from the identity (6.9) in the following way. For the impulse response sequence with characteristic polynomial $f(x)$, the polynomial $h(x)$ in (6.10) is given by $h(x) = -1$. Therefore, if $r$ is the least period of the impulse response sequence, then $f(x)$ divides $x^r - 1$ by (6.9) and so $r \geq \mathrm{ord}(f(x))$. On the other hand, $r$ must divide $\mathrm{ord}(f(x))$ by the first part of Theorem 6.27, and so $r = \mathrm{ord}(f(x))$.

6.28. Theorem. Let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ with nonzero initial state vector, and suppose the characteristic polynomial $f(x) \in \mathbb{F}_q[x]$ is irreducible over $\mathbb{F}_q$ and satisfies $f(0) \neq 0$. Then the sequence is periodic with least period equal to $\mathrm{ord}(f(x))$.
Proof. The sequence is periodic and its least period $r$ divides $\mathrm{ord}(f(x))$ by Theorem 6.27. On the other hand, it follows from (6.9) that $f(x)$ divides $(x^r - 1)h(x)$. Since $s(x)$, and therefore $h(x)$, is a nonzero polynomial and since $\deg(h(x)) < \deg(f(x))$, the irreducibility of $f(x)$ implies that $f(x)$ divides $x^r - 1$, and so $r \geq \mathrm{ord}(f(x))$. □

Now we present a different proof of Corollary 3.4, which we restate for convenience.

6.29. Theorem. Let $f(x) \in \mathbb{F}_q[x]$ be irreducible over $\mathbb{F}_q$ with $\deg(f(x)) = k$. Then $\mathrm{ord}(f(x))$ divides $q^k - 1$.

Proof. We may assume without loss of generality that $f(0) \neq 0$ and that $f(x)$ is monic. We take a homogeneous linear recurring sequence in $\mathbb{F}_q$ that has $f(x)$ as its characteristic polynomial and has a nonzero initial state vector. According to Theorem 6.28, this sequence is periodic with least period $\mathrm{ord}(f(x))$, so that altogether $\mathrm{ord}(f(x))$ different state vectors appear in it. If $\mathrm{ord}(f(x))$ is less than $q^k - 1$, the total number of nonzero $k$-tuples of elements of $\mathbb{F}_q$, we can choose such a $k$-tuple that does not appear as a state vector in the sequence above and use it as an initial state vector for another homogeneous linear recurring sequence in $\mathbb{F}_q$ with characteristic polynomial $f(x)$. None of the $\mathrm{ord}(f(x))$ different state vectors of the second sequence is equal to a state vector of the first sequence, for otherwise the two sequences would be identical from some point onwards and the initial state vector of the second sequence would eventually appear as a state vector in the first sequence, a contradiction. By continuing to generate linear recurring sequences of the type above, we arrive at a partition of the set of $q^k - 1$ nonzero $k$-tuples of elements of $\mathbb{F}_q$ into subsets of cardinality $\mathrm{ord}(f(x))$, and the conclusion of the theorem follows. □
6.30. Example. Consider the linear recurrence relation $s_{n+6} = s_{n+4} + s_{n+2} + s_{n+1} + s_n$, $n = 0, 1, \ldots$, in $\mathbb{F}_2$. The corresponding characteristic polynomial is $f(x) = x^6 - x^4 - x^2 - x - 1 \in \mathbb{F}_2[x]$. The polynomial $f(x)$ is irreducible over $\mathbb{F}_2$. Furthermore, $f(x)$ divides $x^{21} - 1$ and no polynomial $x^e - 1$ with $0 < e < 21$, so that $\mathrm{ord}(f(x)) = 21$. The impulse response sequence corresponding to the linear recurrence relation is given by the string of binary digits
$$000001010010011001011000001\cdots$$
of least period 21, as it should be. If $(0, 0, 0, 0, 1, 1)$ is taken as the initial state vector, we arrive at the string of binary digits
$$000011110110101011101000011\cdots$$
of least period 21, and if $(0, 0, 0, 1, 0, 0)$ is taken as the initial state vector, we obtain the string of binary digits
$$000100011011111100111000100\cdots$$
of least period 21. Each one of the nonzero sextuples of elements of $\mathbb{F}_2$ appears as a state vector in exactly one of the three sequences. Any other nonzero initial state vector will produce a shifted version of one of the three sequences, which is again a sequence of least period 21. □

6.31. Example. If $f(x) \in \mathbb{F}_q[x]$ with $\deg(f(x)) = k$ is reducible, then $\mathrm{ord}(f(x))$ need not divide $q^k - 1$. Consider $f(x) = x^5 + x + 1 \in \mathbb{F}_2[x]$. Then $f(x)$ is reducible since
$$x^5 + x + 1 = (x^2 + x + 1)(x^3 + x^2 + 1).$$
It follows, for instance, from Theorem 6.27 and Example 6.14 that $\mathrm{ord}(f(x)) = 21$, and this is not a divisor of $2^5 - 1 = 31$. □

Linear recurring sequences whose least periods are very large are of particular importance in applications. We know from Theorem 6.7 that for a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ the least period can be at most $q^k - 1$. In order to generate such sequences for which the least period is actually equal to $q^k - 1$, we have to use the notion of a primitive polynomial (see Definition 3.15).

6.32. Definition. A homogeneous linear recurring sequence in $\mathbb{F}_q$ whose characteristic polynomial is a primitive polynomial over $\mathbb{F}_q$ and which has a nonzero initial state vector is called a maximal period sequence in $\mathbb{F}_q$.

6.33. Theorem. Every $k$th-order maximal period sequence in $\mathbb{F}_q$ is periodic and its least period is equal to the largest possible value for the least period of any $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$, namely $q^k - 1$.

Proof. The fact that the sequence is periodic and that the least period is $q^k - 1$ is a consequence of Theorem 6.28 and Theorem 3.16. The remaining assertion follows from Theorem 6.7. □

6.34. Example. The linear recurrence relation $s_{n+7} = s_{n+4} + s_{n+3} + s_{n+2} + s_n$, $n = 0, 1, \ldots$, in $\mathbb{F}_2$ considered in Example 6.2 has the polynomial $f(x) = x^7 - x^4 - x^3 - x^2 - 1 \in \mathbb{F}_2[x]$ as its characteristic polynomial. Since $f(x)$ is a primitive polynomial over $\mathbb{F}_2$, any sequence with nonzero initial state vector arising from this linear recurrence relation is a maximal period sequence in $\mathbb{F}_2$. If we choose one particular nonzero initial state vector, then the resulting sequence $s_0, s_1, \ldots$ has least period $2^7 - 1 = 127$ according to Theorem 6.33. Therefore, all possible nonzero vectors of $\mathbb{F}_2^7$ appear as state vectors in this sequence. Any other maximal period sequence arising from the given linear recurrence relation is just a shifted version of the sequence $s_0, s_1, \ldots$. □
3. GENERATING FUNCTIONS
So far, our approach to linear recurring sequences has employed only linear algebra, polynomial algebra, and the theory of finite fields. By using the algebraic apparatus of formal power series, other remarkable facts about linear recurring sequences can be established. Given an arbitrary sequence $s_0, s_1, \ldots$ of elements of $\mathbb{F}_q$, we associate with it its generating function, which is a purely formal expression of the type
$$G(x) = s_0 + s_1 x + s_2 x^2 + \cdots + s_n x^n + \cdots = \sum_{n=0}^{\infty} s_n x^n \qquad (6.13)$$
with an indeterminate $x$. The underlying idea is that in $G(x)$ we have "stored" all the terms of the sequence in the correct order, so that $G(x)$ should somehow reflect the properties of the sequence. The name "generating function" is, strictly speaking, a misnomer since we do not consider $G(x)$ in any way as a function, but just as a formal object (in an obvious analogy, polynomials are essentially formal objects not to be confused with functions). The term is carried over from the case of real or complex sequences, where it may often turn out that the series analogous to the one in (6.13) is convergent after substitution of a real or complex number $x_0$ for $x$, thus enabling us to attach a meaning to $G(x_0)$. In our present situation, the question of the convergence or divergence of the expression in (6.13) is moot, since we think of $G(x)$ as being nothing but a hieroglyph for the sequence $s_0, s_1, \ldots$.
In general, an object of the type
$$\sum_{n=0}^{\infty} b_n x^n$$
with $b_0, b_1, \ldots$ being a sequence of elements of $\mathbb{F}_q$, is called a formal power series (over $\mathbb{F}_q$). In this context, the terms $b_0, b_1, \ldots$ of the sequence are also called the coefficients of the formal power series. The adjective "formal" refers again to the idea that the convergence or divergence (whatever that may mean) of these expressions is irrelevant for their study. Two such formal power series
$$B(x) = \sum_{n=0}^{\infty} b_n x^n \quad\text{and}\quad C(x) = \sum_{n=0}^{\infty} c_n x^n$$
over $\mathbb{F}_q$ are considered identical if $b_n = c_n$ for all $n = 0, 1, \ldots$. The set of all formal power series over $\mathbb{F}_q$ is then in an obvious one-to-one correspondence with the set of all sequences of elements of $\mathbb{F}_q$. Thus, it seems as if we have not gained anything from the transition to formal power series (save a conceptual complication). The raison d'être of these objects is the fact that we can endow the set of all formal power series over $\mathbb{F}_q$ with a rich and interesting algebraic structure in a fairly natural way. This will be discussed in the sequel.

We note first that we may think of a polynomial
$$p(x) = p_0 + p_1 x + \cdots + p_k x^k \in \mathbb{F}_q[x]$$
as a formal power series over $\mathbb{F}_q$ by identifying it with
$$p(x) = p_0 + p_1 x + \cdots + p_k x^k + 0\cdot x^{k+1} + 0\cdot x^{k+2} + \cdots.$$
We introduce now the algebraic operations of addition and multiplication for formal power series in such a way that they extend the corresponding operations for polynomials. In detail, if
$$B(x) = \sum_{n=0}^{\infty} b_n x^n \quad\text{and}\quad C(x) = \sum_{n=0}^{\infty} c_n x^n$$
are two formal power series over $\mathbb{F}_q$, we define their sum to be the formal power series
$$B(x) + C(x) = \sum_{n=0}^{\infty} (b_n + c_n) x^n$$
and their product to be the formal power series
$$B(x)C(x) = \sum_{n=0}^{\infty} d_n x^n, \qquad\text{where } d_n = \sum_{k=0}^{n} b_k c_{n-k} \quad\text{for } n = 0, 1, \ldots.$$
If $B(x)$ and $C(x)$ are both polynomials over $\mathbb{F}_q$, then the operations above obviously coincide with polynomial addition and multiplication, respectively. It should be observed at this point that the substitution principle, which is so useful in polynomial algebra, is not valid for formal power series, the simple reason being that the expression $B(\alpha)$ with $\alpha \in \mathbb{F}_q$ and $B(x)$ a formal power series over $\mathbb{F}_q$ may be meaningless. This is, of course, the price we have to pay for disregarding convergence questions.
6.35. Example. Let
$$B(x) = 2 + x^2 \quad\text{and}\quad C(x) = 1 + x + x^2 + \cdots + x^n + \cdots = \sum_{n=0}^{\infty} 1\cdot x^n$$
be formal power series over $\mathbb{F}_3$. Then
$$B(x) + C(x) = x + 2x^2 + x^3 + \cdots + x^n + \cdots = \sum_{n=0}^{\infty} d_n x^n$$
with $d_0 = 0$, $d_1 = 1$, $d_2 = 2$, and $d_n = 1$ for $n \ge 3$, and
$$B(x)C(x) = 2 + 2x + 0\cdot x^2 + 0\cdot x^3 + \cdots = 2 + 2x,$$
since in $\mathbb{F}_3$ the coefficient $2 \cdot 1 + 1 \cdot 1 = 3$ of $x^n$ for $n \ge 2$ vanishes. □
204 Linear Recurring Sequences
Addition of formal power series over $\mathbb{F}_q$ is obviously associative and commutative, and multiplication is commutative by the symmetry of the formula for $d_n$. Multiplication is also associative: if
$$B(x) = \sum_{n=0}^{\infty} b_n x^n, \qquad C(x) = \sum_{n=0}^{\infty} c_n x^n, \qquad\text{and}\qquad D(x) = \sum_{n=0}^{\infty} d_n x^n,$$
then $(B(x)C(x))D(x)$ and $B(x)(C(x)D(x))$ are both identical with
$$\sum_{n=0}^{\infty} \Bigl(\sum_{(i,j,k) \in L(n)} b_i c_j d_k\Bigr) x^n,$$
where $L(n)$ is the set of all ordered triples $(i, j, k)$ of nonnegative integers with $i + j + k = n$. Furthermore, the distributive law is satisfied since
$$B(x)\bigl(C(x) + D(x)\bigr) = \sum_{n=0}^{\infty} \Bigl(\sum_{k=0}^{n} b_k (c_{n-k} + d_{n-k})\Bigr) x^n = \sum_{n=0}^{\infty} \Bigl(\sum_{k=0}^{n} b_k c_{n-k}\Bigr) x^n + \sum_{n=0}^{\infty} \Bigl(\sum_{k=0}^{n} b_k d_{n-k}\Bigr) x^n = B(x)C(x) + B(x)D(x).$$
Altogether, we have shown that the set of all formal power series over $\mathbb{F}_q$, furnished with this addition and multiplication, is a commutative ring with identity, called the ring of formal power series over $\mathbb{F}_q$ and denoted by $\mathbb{F}_q[[x]]$. The polynomial ring $\mathbb{F}_q[x]$ is contained as a subring in $\mathbb{F}_q[[x]]$. We collect and extend the information on $\mathbb{F}_q[[x]]$ in the following theorem.

6.36. Theorem. The ring $\mathbb{F}_q[[x]]$ of formal power series over $\mathbb{F}_q$ is an integral domain containing $\mathbb{F}_q[x]$ as a subring.
Proof. It remains to verify that $\mathbb{F}_q[[x]]$ has no zero divisors, that is, that a product in $\mathbb{F}_q[[x]]$ can only be zero if one of the factors is zero. Suppose, on the contrary, that we have $B(x)C(x) = 0$ with
$$B(x) = \sum_{n=0}^{\infty} b_n x^n \ne 0 \quad\text{and}\quad C(x) = \sum_{n=0}^{\infty} c_n x^n \ne 0$$
in $\mathbb{F}_q[[x]]$. Let $k$ be the least nonnegative integer for which $b_k \ne 0$, and let $m$ be the least nonnegative integer for which $c_m \ne 0$. Then the coefficient of $x^{k+m}$ in $B(x)C(x)$ is $b_k c_m \ne 0$, which contradicts $B(x)C(x) = 0$. □
It will be important for the applications to linear recurring sequences to find those $B(x) \in \mathbb{F}_q[[x]]$ that possess a multiplicative inverse, that is, for which there exists a $C(x) \in \mathbb{F}_q[[x]]$ with $B(x)C(x) = 1$. These formal power series can, in fact, be characterized easily.

6.37. Theorem. The formal power series
$$B(x) = \sum_{n=0}^{\infty} b_n x^n \in \mathbb{F}_q[[x]]$$
has a multiplicative inverse if and only if $b_0 \ne 0$.

Proof. If
$$C(x) = \sum_{n=0}^{\infty} c_n x^n \in \mathbb{F}_q[[x]]$$
is such that $B(x)C(x) = 1$, then the following infinite system of equations must be satisfied:
$$\begin{aligned} b_0 c_0 &= 1,\\ b_0 c_1 + b_1 c_0 &= 0,\\ b_0 c_2 + b_1 c_1 + b_2 c_0 &= 0,\\ &\;\;\vdots\\ b_0 c_n + b_1 c_{n-1} + \cdots + b_n c_0 &= 0,\\ &\;\;\vdots \end{aligned}$$
From the first equation we conclude that necessarily $b_0 \ne 0$. However, if this condition is satisfied, then $c_0$ is uniquely determined by the first equation. Passing to the second equation, we see that $c_1$ is then uniquely determined. In general, the coefficients $c_0, c_1, \ldots$ can be computed recursively from the first equation and the recurrence relation
$$c_n = -b_0^{-1} \sum_{k=1}^{n} b_k c_{n-k} \qquad\text{for } n = 1, 2, \ldots.$$
The resulting formal power series $C(x)$ is then a multiplicative inverse of $B(x)$. □

If a multiplicative inverse of $B(x) \in \mathbb{F}_q[[x]]$ exists, then it is, of course, uniquely determined. We use the notation $1/B(x)$ for it. A product $A(x)(1/B(x))$ with $A(x) \in \mathbb{F}_q[[x]]$ will usually be written in the form $A(x)/B(x)$. Since $\mathbb{F}_q[[x]]$ is an integral domain, the familiar rules for operating with fractions hold. The multiplicative inverse of $B(x)$ or an expression $A(x)/B(x)$ can be computed by the algorithm in the proof of Theorem 6.37. Long division also provides an effective means for accomplishing such computations.

6.38. Example. Let $B(x) = 3 + x + x^2$, considered as a formal power series over $\mathbb{F}_5$. Then $B(x)$ has a multiplicative inverse by Theorem 6.37. We compute $1/B(x)$ by long division of $1 + 0\cdot x + 0\cdot x^2 + \cdots$ by $3 + x + x^2$. At each step the lowest-degree term of the current remainder is divided by $3$ (note $3^{-1} = 2$ in $\mathbb{F}_5$), the resulting quotient term times $B(x)$ is subtracted, and all coefficients are reduced modulo 5:
$$\begin{array}{lll} \text{quotient term} & \text{subtracted} & \text{new remainder}\\ 2 & 2(3 + x + x^2) = 1 + 2x + 2x^2 & 3x + 3x^2\\ x & x(3 + x + x^2) = 3x + x^2 + x^3 & 2x^2 + 4x^3\\ 4x^2 & 4x^2(3 + x + x^2) = 2x^2 + 4x^3 + 4x^4 & x^4\\ 0\cdot x^3 & 0 & x^4\\ 2x^4 & 2x^4(3 + x + x^2) = x^4 + 2x^5 + 2x^6 & 3x^5 + 3x^6\\ \ldots & & \end{array}$$
Thus we get
$$\frac{1}{3 + x + x^2} = 2 + x + 4x^2 + 2x^4 + \cdots. \qquad □$$

6.39. Example. We compute $A(x)/B(x)$ in $\mathbb{F}_2[[x]]$, where
$$A(x) = 1 + x + x^2 + x^3 + \cdots = \sum_{n=0}^{\infty} 1\cdot x^n$$
and $B(x) = 1 + x + x^3$. Using long division, dropping the terms with zero coefficients, and recalling that $-1 = 1$ in $\mathbb{F}_2$, we get the successive quotient terms and remainders
$$\begin{array}{ll} 1 & x^2 + x^4 + x^5 + x^6 + x^7 + \cdots\\ x^2 & x^3 + x^4 + x^6 + x^7 + x^8 + \cdots\\ x^3 & x^7 + x^8 + x^9 + \cdots\\ x^7 & x^9 + x^{11} + x^{12} + \cdots\\ \ldots & \end{array}$$
Therefore,
$$\frac{1 + x + x^2 + x^3 + \cdots}{1 + x + x^3} = 1 + x^2 + x^3 + x^7 + \cdots. \qquad □$$
In order to apply the theory of formal power series, we consider now a $k$th-order homogeneous linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_q$ satisfying the linear recurrence relation (6.7) and define its reciprocal characteristic polynomial to be
$$f^*(x) = 1 - a_{k-1}x - a_{k-2}x^2 - \cdots - a_0 x^k \in \mathbb{F}_q[x]. \qquad (6.14)$$
The characteristic polynomial $f(x)$ and the reciprocal characteristic polynomial are related by $f^*(x) = x^k f(1/x)$. The following basic identity can then be shown for the generating function of the given sequence.

6.40. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying the linear recurrence relation (6.7), let $f^*(x) \in \mathbb{F}_q[x]$ be its reciprocal characteristic polynomial, and let $G(x) \in \mathbb{F}_q[[x]]$ be its generating function in (6.13). Then the identity
$$G(x) = \frac{g(x)}{f^*(x)} \qquad (6.15)$$
holds with
$$g(x) = -\sum_{j=0}^{k-1} \sum_{i=0}^{j} a_{i+k-j}\, s_i\, x^j \in \mathbb{F}_q[x], \qquad (6.16)$$
where we set $a_k = -1$. Conversely, if $g(x)$ is any polynomial over $\mathbb{F}_q$ with $\deg(g(x)) < k$ and if $f^*(x) \in \mathbb{F}_q[x]$ is given by (6.14), then the formal power series $G(x) \in \mathbb{F}_q[[x]]$ defined by (6.15) is the generating function of a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ satisfying the linear recurrence relation (6.7).
Proof. We have
$$f^*(x)G(x) = \Bigl(-\sum_{i=0}^{k} a_{k-i} x^i\Bigr)\Bigl(\sum_{n=0}^{\infty} s_n x^n\Bigr) = -\sum_{j=0}^{\infty} \Bigl(\sum_{i=0}^{\min(j,k)} a_{k-i} s_{j-i}\Bigr) x^j = g(x) - \sum_{j=k}^{\infty} \Bigl(\sum_{i=0}^{k} a_{k-i} s_{j-i}\Bigr) x^j. \qquad (6.17)$$
Thus, if the sequence $s_0, s_1, \ldots$ satisfies (6.7), then $f^*(x)G(x) = g(x)$ because of (6.12). Since $f^*(x)$ has a multiplicative inverse in $\mathbb{F}_q[[x]]$ by Theorem 6.37, the identity (6.15) follows. Conversely, we infer from (6.17) that $f^*(x)G(x)$ is equal to a polynomial of degree less than $k$ only if
$$\sum_{i=0}^{k} a_i s_{j-k+i} = 0 \qquad\text{for all } j \ge k.$$
But these identities just express the fact that the sequence $s_0, s_1, \ldots$ of coefficients of $G(x)$ satisfies the linear recurrence relation (6.7). □

One may summarize the theorem above by saying that the $k$th-order homogeneous linear recurring sequences with reciprocal characteristic polynomial $f^*(x)$ are in one-to-one correspondence with the fractions $g(x)/f^*(x)$ with $\deg(g(x)) < k$. The identity (6.15) can be used to compute the terms of a linear recurring sequence by long division.
6.41. Example. Consider the linear recurrence relation $s_{n+4} = s_{n+3} + s_{n+1} + s_n$, $n = 0, 1, \ldots$, in $\mathbb{F}_2$. Its reciprocal characteristic polynomial is
$$f^*(x) = 1 - x - x^3 - x^4 = 1 + x + x^3 + x^4 \in \mathbb{F}_2[x].$$
If the initial state vector is $(1, 1, 0, 1)$, then the polynomial $g(x)$ in (6.16) turns out to be $g(x) = 1 + x^2$. Therefore, the generating function $G(x)$ of the sequence can be obtained from the long division of $1 + x^2$ by $1 + x + x^3 + x^4$, whose successive quotient terms and remainders are
$$\begin{array}{ll} 1 & x + x^2 + x^3 + x^4\\ x & x^3 + x^5\\ x^3 & x^4 + x^5 + x^6 + x^7\\ x^4 & x^6 + x^8\\ x^6 & x^7 + x^8 + x^9 + x^{10}\\ x^7 & x^9 + x^{11}\\ \ldots & \end{array}$$
The result is
$$\frac{1 + x^2}{1 + x + x^3 + x^4} = 1 + x + x^3 + x^4 + x^6 + x^7 + \cdots,$$
which corresponds to the string of binary digits $110110\cdots$ of least period 3. The impulse response sequence associated with the given linear recurrence relation corresponds to
$$\frac{x^3}{1 - x - x^3 - x^4} = \frac{x^3}{1 + x + x^3 + x^4},$$
which corresponds to the string of binary digits $000111000111\cdots$ of least period 6. □
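The recurrence in the proof of Theorem 6.37 and the identity $G(x) = g(x)/f^*(x)$ of Theorem 6.40 are easy to mechanize, and doing so is the usual way to cross-check a hand computation like the ones in Examples 6.38, 6.39 and 6.41. The following Python program is an added worked example, not code from the book: it computes inverses and quotients in $\mathbb{F}_p[[x]]$ by the recurrence $c_n = -b_0^{-1}\sum_{k=1}^{n} b_k c_{n-k}$, builds $f^*(x)$ from (6.14) and $g(x)$ from (6.16), and reads the terms of a linear recurring sequence off its generating function, comparing them with the terms obtained directly from the recurrence. The function names (`series_inverse`, `series_div`, `generating_function_terms`, ...) and the coefficient-list convention (lowest degree first, entries reduced modulo a prime $p$) are this example's own choices.

```python
# Formal power series over F_p and generating functions of linear recurring
# sequences (added example, not from the book). Polynomials and series are
# coefficient lists, lowest degree first, reduced modulo the prime p.


def series_inverse(b, p, n):
    """First n coefficients of 1/B(x) in F_p[[x]] (proof of Theorem 6.37):
    c_0 = b_0^{-1},  c_m = -b_0^{-1} * sum_{k=1..m} b_k c_{m-k}."""
    if b[0] % p == 0:
        raise ValueError("B(x) has no inverse: its constant term is zero")
    inv_b0 = pow(b[0], -1, p)
    c = [inv_b0]
    for m in range(1, n):
        acc = sum(b[k] * c[m - k] for k in range(1, min(m, len(b) - 1) + 1))
        c.append((-inv_b0 * acc) % p)
    return c


def series_mul(a, b, p, n):
    """First n coefficients of A(x)B(x), d_m = sum_{k=0..m} a_k b_{m-k}."""
    d = [0] * n
    for i, ai in enumerate(a[:n]):
        for j, bj in enumerate(b[:n - i]):
            d[i + j] = (d[i + j] + ai * bj) % p
    return d


def series_div(a, b, p, n):
    """First n coefficients of A(x)/B(x) = A(x) * (1/B(x))."""
    return series_mul(a, series_inverse(b, p, n), p, n)


def reciprocal_char_poly(a, p):
    """f*(x) = 1 - a_{k-1} x - ... - a_0 x^k  (6.14) for the recurrence
    s_{n+k} = a_{k-1} s_{n+k-1} + ... + a_0 s_n, given a = [a_0, ..., a_{k-1}]."""
    k = len(a)
    return [1] + [(-a[k - 1 - i]) % p for i in range(k)]


def numerator_poly(a, s, p):
    """g(x) = -sum_{j<k} sum_{i<=j} a_{i+k-j} s_i x^j  (6.16), with a_k = -1,
    for the initial state vector s = (s_0, ..., s_{k-1})."""
    k = len(a)
    a_ext = list(a) + [-1]
    return [(-sum(a_ext[i + k - j] * s[i] for i in range(j + 1))) % p
            for j in range(k)]


def lfsr_terms(a, s, p, n):
    """s_0, ..., s_{n-1} computed directly from the recurrence."""
    k, out = len(a), list(s)
    while len(out) < n:
        out.append(sum(a[i] * out[-k + i] for i in range(k)) % p)
    return out[:n]


def generating_function_terms(a, s, p, n):
    """The same terms read off G(x) = g(x)/f*(x) by series division (Theorem 6.40)."""
    return series_div(numerator_poly(a, s, p), reciprocal_char_poly(a, p), p, n)


def least_period(terms):
    """Smallest r with terms[i] == terms[i + r] for every i in the window; the
    window must cover at least two periods. None if no period fits."""
    n = len(terms)
    for r in range(1, n // 2 + 1):
        if all(terms[i] == terms[i + r] for i in range(n - r)):
            return r
    return None


if __name__ == "__main__":
    # Example 6.38: 1/(3 + x + x^2) over F_5
    print(series_inverse([3, 1, 1], 5, 6))
    # Example 6.39: (1 + x + x^2 + ...)/(1 + x + x^3) over F_2
    print(series_div([1] * 12, [1, 1, 0, 1], 2, 12))
    # Example 6.41: s_{n+4} = s_{n+3} + s_{n+1} + s_n with initial state (1,1,0,1)
    a, s = [1, 1, 0, 1], [1, 1, 0, 1]
    print(reciprocal_char_poly(a, 2), numerator_poly(a, s, 2))
    print(generating_function_terms(a, s, 2, 12), least_period(lfsr_terms(a, s, 2, 24)))
```

Because `series_inverse` only ever looks at the first `n` coefficients of $B(x)$, it works unchanged for a genuine infinite series, and `generating_function_terms` agrees with `lfsr_terms` for every initial state, which is exactly the content of the one-to-one correspondence between sequences and fractions $g(x)/f^*(x)$ noted above.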
On the basis of the identity (6.15), we present now an alternative proof of Theorem 6.25. Since the sequence $s_0, s_1, \ldots$ is periodic with period $r$, its generating function $G(x)$ can be written in the form
$$G(x) = (s_0 + s_1 x + \cdots + s_{r-1} x^{r-1})(1 + x^r + x^{2r} + \cdots) = \frac{s^*(x)}{1 - x^r}$$
with $s^*(x) = s_0 + s_1 x + \cdots + s_{r-1} x^{r-1}$. On the other hand, using the notation of Theorem 6.40 we have $G(x) = g(x)/f^*(x)$ by (6.15). By equating these expressions for $G(x)$, we arrive at the polynomial identity $f^*(x)s^*(x) = (1 - x^r)g(x)$. If $f(x)$ and $s(x)$ are as in (6.9), then
$$f(x)s(x) = x^k f^*\!\left(\tfrac{1}{x}\right) x^{r-1} s^*\!\left(\tfrac{1}{x}\right) = (x^r - 1)\, x^{k-1} g\!\left(\tfrac{1}{x}\right),$$
and a comparison of (6.10) and (6.16) shows that
$$x^{k-1} g\!\left(\tfrac{1}{x}\right) = -h(x), \qquad (6.18)$$
which implies already (6.9).

As another application of (6.15) we derive a general formula for the terms of a linear recurring sequence. Let $s_0, s_1, \ldots$ be a $k$th-order homogeneous linear recurring sequence in $\mathbb{F}_q$ with characteristic polynomial $f(x) \in \mathbb{F}_q[x]$. Let $e_0$ be the multiplicity of $0$ as a root of $f(x)$, where we can have $e_0 = 0$, and let $\alpha_1, \ldots, \alpha_m$ be the distinct nonzero roots of $f(x)$ with multiplicities $e_1, \ldots, e_m$, respectively. For the reciprocal characteristic polynomial we obtain then
$$f^*(x) = x^k f\!\left(\tfrac{1}{x}\right) = \prod_{i=1}^{m} (1 - \alpha_i x)^{e_i}.$$
Since $\deg(f^*(x)) = k - e_0$, we get from (6.15)
$$G(x) = \frac{g(x)}{f^*(x)} = \sum_{n=0}^{e_0 - 1} t_n x^n + \frac{b(x)}{f^*(x)}$$
with $t_n \in \mathbb{F}_q$ and $\deg(b(x)) < k - e_0$. Partial fraction decomposition yields
$$\frac{b(x)}{f^*(x)} = \sum_{i=1}^{m} \sum_{j=0}^{e_i - 1} \frac{\beta_{ij}}{(1 - \alpha_i x)^{j+1}},$$
where the $\beta_{ij}$ belong to the splitting field of $f(x)$ over $\mathbb{F}_q$. Now
$$(1 - \alpha_i x)^{-j-1} = \sum_{n=0}^{\infty} \binom{n+j}{j} \alpha_i^n x^n,$$
and so
$$G(x) = \sum_{n=0}^{e_0 - 1} t_n x^n + \sum_{n=0}^{\infty} \Bigl(\sum_{i=1}^{m} \sum_{j=0}^{e_i - 1} \binom{n+j}{j} \beta_{ij} \alpha_i^n\Bigr) x^n.$$
Comparison of coefficients yields
$$s_n = t_n + \sum_{i=1}^{m} \sum_{j=0}^{e_i - 1} \binom{n+j}{j} \beta_{ij} \alpha_i^n \qquad\text{for } n = 0, 1, \ldots,$$
where $t_n = 0$ for $n \ge e_0$. This is the desired formula. If $e_0 = 0$ and $e_i \le p$ for $1 \le i \le m$, where $p$ is the characteristic of $\mathbb{F}_q$, then it is easily seen that this formula is equivalent to the one given in Remark 6.23.
4. THE MINIMAL POLYNOMIAL

Although we have not yet pointed it out, it is evident that a linear recurring sequence satisfies many other linear recurrence relations apart from the one by which it is defined. For instance, if the sequence $s_0, s_1, \ldots$ is periodic with period $r$, it satisfies the linear recurrence relations $s_{n+r} = s_n$ ($n = 0, 1, \ldots$), $s_{n+2r} = s_n$ ($n = 0, 1, \ldots$), and so on. The most extreme case is represented by the sequence $0, 0, 0, \ldots$, which satisfies any homogeneous linear recurrence relation. The following theorem describes the relationship between the various linear recurrence relations valid for a given homogeneous linear recurring sequence.
6.42. Theorem. Let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$. Then there exists a uniquely determined monic polynomial $m(x) \in \mathbb{F}_q[x]$ having the following property: a monic polynomial $f(x) \in \mathbb{F}_q[x]$ of positive degree is a characteristic polynomial of $s_0, s_1, \ldots$ if and only if $m(x)$ divides $f(x)$.

Proof. Let $f_0(x) \in \mathbb{F}_q[x]$ be the characteristic polynomial of a homogeneous linear recurrence relation satisfied by the sequence, and let $h_0(x) \in \mathbb{F}_q[x]$ be the polynomial in (6.10) determined by $f_0(x)$ and the sequence. If $d(x)$ is the (monic) greatest common divisor of $f_0(x)$ and $h_0(x)$, then we can write $f_0(x) = m(x)d(x)$ and $h_0(x) = b(x)d(x)$ with $m(x), b(x) \in \mathbb{F}_q[x]$. We shall prove that $m(x)$ is the desired polynomial. Clearly, $m(x)$ is monic. Now let $f(x) \in \mathbb{F}_q[x]$ be an arbitrary characteristic polynomial of the given sequence, and let $h(x) \in \mathbb{F}_q[x]$ be the polynomial in (6.10) determined by $f(x)$ and the sequence. By applying Theorem 6.40, we obtain that the generating function $G(x)$ of the sequence satisfies
$$G(x) = \frac{g_0(x)}{f_0^*(x)} = \frac{g(x)}{f^*(x)}$$
with $g_0(x)$ and $g(x)$ determined by (6.16). Therefore $g(x)f_0^*(x) = g_0(x)f^*(x)$, and using (6.18) we arrive at
$$h(x)f_0(x) = -x^{\deg(f(x))-1} g\!\left(\tfrac{1}{x}\right) x^{\deg(f_0(x))} f_0^*\!\left(\tfrac{1}{x}\right) = -x^{\deg(f_0(x))-1} g_0\!\left(\tfrac{1}{x}\right) x^{\deg(f(x))} f^*\!\left(\tfrac{1}{x}\right) = h_0(x)f(x).$$
After division by $d(x)$ we have $h(x)m(x) = b(x)f(x)$, and since $m(x)$ and $b(x)$ are relatively prime, it follows that $m(x)$ divides $f(x)$.

Now suppose that $f(x) \in \mathbb{F}_q[x]$ is a monic polynomial of positive degree that is divisible by $m(x)$, say $f(x) = m(x)c(x)$ with $c(x) \in \mathbb{F}_q[x]$. Passing to reciprocal polynomials, we get $f^*(x) = m^*(x)c^*(x)$ in an obvious notation. We also have $h_0(x)m(x) = b(x)f_0(x)$, so that, using the relation (6.18), we obtain
$$g_0(x)m^*(x) = -x^{\deg(f_0(x))-1} h_0\!\left(\tfrac{1}{x}\right) x^{\deg(m(x))} m\!\left(\tfrac{1}{x}\right) = -x^{\deg(m(x))-1} b\!\left(\tfrac{1}{x}\right) x^{\deg(f_0(x))} f_0\!\left(\tfrac{1}{x}\right).$$
Since $\deg(b(x)) < \deg(m(x))$, the product of the first two factors on the right-hand side (negative sign included) is a polynomial $a(x) \in \mathbb{F}_q[x]$. Therefore, we have $g_0(x)m^*(x) = a(x)f_0^*(x)$. It follows then from Theorem 6.40 that the generating function $G(x)$ of the sequence satisfies
$$G(x) = \frac{g_0(x)}{f_0^*(x)} = \frac{a(x)}{m^*(x)} = \frac{a(x)c^*(x)}{m^*(x)c^*(x)} = \frac{a(x)c^*(x)}{f^*(x)}.$$
Since
$$\deg(a(x)c^*(x)) = \deg(a(x)) + \deg(c^*(x)) < \deg(m(x)) + \deg(c(x)) = \deg(f(x)),$$
the second part of Theorem 6.40 shows that $f(x)$ is a characteristic polynomial of the sequence. It is clear that there can only be one polynomial $m(x)$ with the indicated properties. □

The uniquely determined polynomial $m(x)$ over $\mathbb{F}_q$ associated with the sequence $s_0, s_1, \ldots$ according to Theorem 6.42 is called the minimal polynomial of the sequence. If $s_n = 0$ for all $n \ge 0$, the minimal polynomial is equal to the constant polynomial $1$. For all other homogeneous linear recurring sequences, $m(x)$ is a monic polynomial with $\deg(m(x)) > 0$ that is, in fact, the characteristic polynomial of the linear recurrence relation of least possible order satisfied by the sequence. Another method of calculating the minimal polynomial will be introduced in Section 6.
6.43. Example. Let $s_0, s_1, \ldots$ be the linear recurring sequence in $\mathbb{F}_2$ with
$$s_{n+4} = s_{n+3} + s_{n+1} + s_n, \qquad n = 0, 1, \ldots,$$
and initial state vector $(1, 1, 0, 1)$. To find the minimal polynomial, we proceed as in the proof of Theorem 6.42. We may take $f_0(x) = x^4 - x^3 - x - 1 = x^4 + x^3 + x + 1 \in \mathbb{F}_2[x]$. Then by (6.10) the polynomial $h_0(x)$ is given by $h_0(x) = x^3 + x$. The greatest common divisor of $f_0(x)$ and $h_0(x)$ is $d(x) = x^2 + 1$, and so the minimal polynomial of the sequence is $m(x) = f_0(x)/d(x) = x^2 + x + 1$. One checks easily that the sequence satisfies the linear recurrence relation $s_{n+2} = s_{n+1} + s_n$, $n = 0, 1, \ldots$, as it should according to the general theory. We note that $\operatorname{ord}(m(x)) = 3$ is identical with the least period of the sequence (compare with Example 6.41). We shall see in Theorem 6.44 below that this is true in general. □

The minimal polynomial plays a decisive role in the determination of the least period of a linear recurring sequence. This is shown by the following result.
6.44. Theorem. Let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ with minimal polynomial $m(x) \in \mathbb{F}_q[x]$. Then the least period of the sequence is equal to $\operatorname{ord}(m(x))$.

Proof. If $r$ is the least period of the sequence and $n_0$ its preperiod, then we have $s_{n+r} = s_n$ for all $n \ge n_0$. Therefore, the sequence satisfies the homogeneous linear recurrence relation
$$s_{n+n_0+r} = s_{n+n_0} \qquad\text{for } n = 0, 1, \ldots.$$
Then, according to Theorem 6.42, $m(x)$ divides $x^{n_0+r} - x^{n_0} = x^{n_0}(x^r - 1)$, so that $m(x)$ is of the form $m(x) = x^h g(x)$ with $h \le n_0$ and $g(x) \in \mathbb{F}_q[x]$, where $g(0) \ne 0$ and $g(x)$ divides $x^r - 1$. It follows from the definition of the order of a polynomial that $\operatorname{ord}(m(x)) = \operatorname{ord}(g(x)) \le r$. On the other hand, $r$ divides $\operatorname{ord}(m(x))$ by Theorem 6.27, and so $r = \operatorname{ord}(m(x))$. □

6.45. Example. Let $s_0, s_1, \ldots$ be the linear recurring sequence in $\mathbb{F}_2$ with
$$s_{n+5} = s_{n+1} + s_n, \qquad n = 0, 1, \ldots,$$
and initial state vector $(1, 1, 1, 0, 1)$. Following the method in the proof of Theorem 6.42, we take $f_0(x) = x^5 - x - 1 = x^5 + x + 1 \in \mathbb{F}_2[x]$ and get $h_0(x) = x^4 + x^3 + x^2$ from (6.10). Then $d(x) = x^2 + x + 1$, and so the minimal polynomial $m(x)$ of the sequence is given by $m(x) = f_0(x)/d(x) = x^3 + x^2 + 1$. We have $\operatorname{ord}(m(x)) = 7$, and so Theorem 6.44 implies that the least period of the sequence is 7 (compare with Example 6.18). □

The argument in the example above shows how to find the least period of a linear recurring sequence without evaluating its terms. The method is particularly effective if a table of orders of polynomials is available. Since such tables usually incorporate only irreducible polynomials (see Chapter 10, Section 2), the results in Theorems 3.8 and 3.9 may have to be used to find the order of a given polynomial (compare with Example 3.10).
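The computation in the proof of Theorem 6.42 (form $h_0(x)$ from (6.10), divide $f_0(x)$ by $\gcd(f_0(x), h_0(x))$) and the period statement of Theorem 6.44 can be carried out mechanically. The following Python program is an added worked example, not code from the book; its polynomial routines (`poly_divmod`, `poly_gcd`, `poly_order`, `minimal_poly`, ...) and the coefficient-list convention (lowest degree first, entries reduced modulo a prime $p$) are this example's own. It reproduces Examples 6.43 and 6.45 and, going one step beyond them, checks for each sequence that $\operatorname{ord}(m(x))$ agrees with the least period read off the terms themselves, including the preperiod of an ultimately periodic sequence.

```python
# Minimal polynomial of a linear recurring sequence over F_p (added example,
# not from the book): m(x) = f_0(x)/gcd(f_0(x), h_0(x)) as in the proof of
# Theorem 6.42, and ord(m(x)) = least period (Theorem 6.44). Polynomials are
# coefficient lists, lowest degree first, reduced modulo the prime p.


def trim(f):
    """Drop leading zero coefficients; the zero polynomial is [0]."""
    f = list(f)
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f


def poly_divmod(a, b, p):
    """Quotient and remainder of a(x) by b(x) in F_p[x]."""
    a, b = trim([x % p for x in a]), trim([x % p for x in b])
    if b == [0]:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(b[-1], -1, p)
    q, r = [0] * max(1, len(a) - len(b) + 1), a[:]
    for i in range(len(a) - len(b), -1, -1):
        coef = (r[i + len(b) - 1] * inv_lead) % p
        q[i] = coef
        if coef:
            for j, bj in enumerate(b):
                r[i + j] = (r[i + j] - coef * bj) % p
    return trim(q), trim(r[:len(b) - 1] or [0])


def poly_gcd(a, b, p):
    """Monic greatest common divisor (Euclidean algorithm)."""
    a, b = trim(a), trim(b)
    while b != [0]:
        a, b = b, poly_divmod(a, b, p)[1]
    inv = pow(a[-1], -1, p)
    return [(c * inv) % p for c in a]


def poly_order(m, p):
    """ord(m(x)): write m(x) = x^h g(x) with g(0) != 0; ord(m) = ord(g) is the
    least e >= 1 with x^e = 1 mod g(x) (brute force, e < p^deg(g))."""
    g = trim(m)
    while len(g) > 1 and g[0] == 0:  # divide out the factor x
        g = g[1:]
    if len(g) == 1:
        return 1
    r = [1]
    for e in range(1, p ** (len(g) - 1)):
        r = poly_divmod([0] + r, g, p)[1]  # r <- x * r mod g(x)
        if r == [1]:
            return e
    raise ArithmeticError("no order found below p^deg(g)")


def char_poly(a, p):
    """f(x) = x^k - a_{k-1} x^{k-1} - ... - a_0 for a = [a_0, ..., a_{k-1}]."""
    return [(-c) % p for c in a] + [1]


def h_poly(a, s, p):
    """h(x) = sum_{j<k} sum_{i<=j} a_{i+k-j} s_i x^{k-1-j}  (6.10), with a_k = -1."""
    k = len(a)
    a_ext = list(a) + [-1]
    h = [0] * k
    for j in range(k):
        h[k - 1 - j] = sum(a_ext[i + k - j] * s[i] for i in range(j + 1)) % p
    return trim(h)


def minimal_poly(a, s, p):
    """m(x) = f_0(x) / gcd(f_0(x), h_0(x))  (proof of Theorem 6.42)."""
    f0 = char_poly(a, p)
    q, r = poly_divmod(f0, poly_gcd(f0, h_poly(a, s, p), p), p)
    assert r == [0]
    return q


def lfsr_terms(a, s, p, n):
    """First n terms of the sequence, straight from the recurrence."""
    k, out = len(a), list(s)
    while len(out) < n:
        out.append(sum(a[i] * out[-k + i] for i in range(k)) % p)
    return out[:n]


def ultimate_period(terms):
    """(n0, r): least period r and preperiod n0 seen in the given window, which
    should cover several periods. None if no period fits the window."""
    n = len(terms)
    for r in range(1, n // 2 + 1):
        bad = [i for i in range(n - r) if terms[i] != terms[i + r]]
        if not bad or bad[-1] < n // 2:
            return (bad[-1] + 1 if bad else 0, r)
    return None


if __name__ == "__main__":
    # Examples 6.43 and 6.45: recurrence coefficients [a_0, ..., a_{k-1}] and initial state
    for a, s in (([1, 1, 0, 1], [1, 1, 0, 1]), ([1, 1, 0, 0, 0], [1, 1, 1, 0, 1])):
        m = minimal_poly(a, s, 2)
        print(m, poly_order(m, 2), ultimate_period(lfsr_terms(a, s, 2, 40)))
```

The brute-force `poly_order` is adequate for the small degrees in these examples; for the degrees used in practice one factors $x^e - 1$ or uses the results of Chapter 3, Section 1, as the text suggests.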
6.46. Example. The method in Example 6.45 can also be applied to inhomogeneous linear recurring sequences. Let $s_0, s_1, \ldots$ be such a sequence in $\mathbb{F}_2$ with
$$s_{n+4} = s_{n+3} + s_{n+1} + s_n + 1 \qquad\text{for } n = 0, 1, \ldots$$
and initial state vector $(1, 1, 0, 1)$. According to (6.5), the sequence is also given by the homogeneous linear recurrence relation
$$s_{n+5} = s_{n+3} + s_{n+2} + s_n, \qquad n = 0, 1, \ldots,$$
with initial state vector $(1, 1, 0, 1, 0)$. Proceeding as in Example 6.45, we find that the characteristic polynomial
$$f(x) = x^5 + x^3 + x^2 + 1 = (x + 1)^3 (x^2 + x + 1) \in \mathbb{F}_2[x]$$
is in the present case identical with the minimal polynomial $m(x)$ of the sequence. Since $\operatorname{ord}((x + 1)^3) = 4$ by Theorem 3.8 and $\operatorname{ord}(x^2 + x + 1) = 3$, it follows from Theorem 3.9 that $\operatorname{ord}(m(x)) = 12$. Therefore, the sequence $s_0, s_1, \ldots$ is periodic with least period 12. □

6.47. Example. Consider the linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_2$ with
$$s_{n+4} = s_{n+2} + s_{n+1} \qquad\text{for } n = 0, 1, \ldots$$
and initial state vector $(1, 0, 1, 0)$. Then
$$f(x) = x^4 + x^2 + x = x(x^3 + x + 1) \in \mathbb{F}_2[x]$$
is a characteristic polynomial of the sequence, and since neither $x$ nor $x^3 + x + 1$ is a characteristic polynomial (for the latter, $s_3 = 0 \ne s_1 + s_0 = 1$), we have $m(x) = x^4 + x^2 + x$. The sequence is not periodic, but ultimately periodic with least period $\operatorname{ord}(m(x)) = 7$. □
6.48. Theorem. Let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ and let $b$ be a positive integer. Then the minimal polynomial $m_1(x)$ of the shifted sequence $s_b, s_{b+1}, \ldots$ divides the minimal polynomial $m(x)$ of the original sequence. If $s_0, s_1, \ldots$ is periodic, then $m_1(x) = m(x)$.

Proof. To prove the first assertion, it suffices to show because of Theorem 6.42 that every homogeneous linear recurrence relation satisfied by the original sequence is also satisfied by the shifted sequence. But this is immediately evident. For the second part, let
$$s_{n+b+k} = a_{k-1} s_{n+b+k-1} + \cdots + a_0 s_{n+b}, \qquad n = 0, 1, \ldots,$$
be a homogeneous linear recurrence relation satisfied by the shifted sequence. Let $r$ be a period of $s_0, s_1, \ldots$, so that $s_{n+r} = s_n$ for all $n \ge 0$, and choose an integer $c$ with $cr \ge b$. Then, by using the linear recurrence relation with $n$ replaced by $n + cr - b$ and invoking the periodicity property, we find
$$s_{n+k} = a_{k-1} s_{n+k-1} + \cdots + a_0 s_n \qquad\text{for all } n \ge 0,$$
that is, that the sequence $s_0, s_1, \ldots$ satisfies the same linear recurrence relation as the shifted sequence. By applying again Theorem 6.42, we conclude that $m_1(x) = m(x)$. □
6.49. Example. Let $s_0, s_1, \ldots$ be the linear recurring sequence in $\mathbb{F}_2$ considered in Example 6.47. Its minimal polynomial is $x^4 + x^2 + x$, whereas the minimal polynomial of the shifted sequence $s_1, s_2, \ldots$ is $x^3 + x + 1$, which is a proper divisor of $x^4 + x^2 + x$. This example shows that the second assertion in Theorem 6.48 need not hold if $s_0, s_1, \ldots$ is only ultimately periodic, but not periodic. □

6.50. Theorem. Let $f(x) \in \mathbb{F}_q[x]$ be monic and irreducible over $\mathbb{F}_q$, and let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ not all of whose terms are $0$. If the sequence has $f(x)$ as a characteristic polynomial, then the minimal polynomial of the sequence is equal to $f(x)$.

Proof. Since the minimal polynomial $m(x)$ of the sequence divides $f(x)$ according to Theorem 6.42, the irreducibility of $f(x)$ implies that either $m(x) = 1$ or $m(x) = f(x)$. But $m(x) = 1$ holds only for the sequence all of whose terms are $0$, and so the result follows. □

There is a general criterion for deciding whether the characteristic polynomial of the linear recurrence relation defining a given linear recurring sequence is already the minimal polynomial of the sequence.
6.51. Theorem. Let $s_0, s_1, \ldots$ be a sequence in $\mathbb{F}_q$ satisfying a $k$th-order homogeneous linear recurrence relation with characteristic polynomial $f(x) \in \mathbb{F}_q[x]$. Then $f(x)$ is the minimal polynomial of the sequence if and only if the state vectors $\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{k-1}$ are linearly independent over $\mathbb{F}_q$.

Proof. Suppose $f(x)$ is the minimal polynomial of the sequence. If $\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{k-1}$ were linearly dependent over $\mathbb{F}_q$, we would have $b_0 \mathbf{s}_0 + b_1 \mathbf{s}_1 + \cdots + b_{k-1} \mathbf{s}_{k-1} = \mathbf{0}$ with coefficients $b_0, b_1, \ldots, b_{k-1} \in \mathbb{F}_q$ not all of which are zero. Multiplying from the right by powers of the matrix $A$ in (6.3) associated with the given linear recurrence relation yields
$$b_0 \mathbf{s}_n + b_1 \mathbf{s}_{n+1} + \cdots + b_{k-1} \mathbf{s}_{n+k-1} = \mathbf{0} \qquad\text{for } n = 0, 1, \ldots,$$
because of (6.4). In particular, we obtain
$$b_0 s_n + b_1 s_{n+1} + \cdots + b_{k-1} s_{n+k-1} = 0 \qquad\text{for } n = 0, 1, \ldots.$$
If $b_j = 0$ for $1 \le j \le k - 1$, it follows that $s_n = 0$ for all $n \ge 0$, a contradiction to the fact that the minimal polynomial $f(x)$ of the sequence has positive degree. In the remaining case, let $j \ge 1$ be the largest index with $b_j \ne 0$. Then it follows that the sequence $s_0, s_1, \ldots$ satisfies a $j$th-order homogeneous linear recurrence relation with $j < k$, which again contradicts the assumption that $f(x)$ is the minimal polynomial. Therefore we have shown that $\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{k-1}$ are linearly independent over $\mathbb{F}_q$.

Conversely, suppose that $\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{k-1}$ are linearly independent over $\mathbb{F}_q$. Since $\mathbf{s}_0 \ne \mathbf{0}$, the minimal polynomial has positive degree. If $f(x)$ were not the minimal polynomial, the sequence $s_0, s_1, \ldots$ would satisfy an $m$th-order homogeneous linear recurrence relation with $1 \le m < k$, say
$$s_{n+m} = a_{m-1} s_{n+m-1} + \cdots + a_0 s_n \qquad\text{for } n = 0, 1, \ldots,$$
with coefficients $a_0, a_1, \ldots, a_{m-1}$ from $\mathbb{F}_q$. But this would imply $\mathbf{s}_m = a_{m-1} \mathbf{s}_{m-1} + \cdots + a_0 \mathbf{s}_0$, a contradiction to the given linear independence property. □

6.52. Corollary. If $s_0, s_1, \ldots$ is an impulse response sequence for some homogeneous linear recurrence relation in $\mathbb{F}_q$, then its minimal polynomial is equal to the characteristic polynomial of that linear recurrence relation.

Proof. This follows from Theorem 6.51 since the required linear independence property is obviously satisfied for an impulse response sequence. □
5. FAMILIES OF LINEAR RECURRING SEQUENCES

Let $f(x) \in \mathbb{F}_q[x]$ be a monic polynomial of positive degree. We denote the set of all homogeneous linear recurring sequences in $\mathbb{F}_q$ with characteristic polynomial $f(x)$ by $S(f(x))$. In other words, $S(f(x))$ consists of all sequences in $\mathbb{F}_q$ satisfying the homogeneous linear recurrence relation determined by $f(x)$. If $\deg(f(x)) = k$, then $S(f(x))$ contains exactly $q^k$ sequences, corresponding to the $q^k$ different choices for initial state vectors. The set $S(f(x))$ may be considered as a vector space over $\mathbb{F}_q$ if operations for sequences are defined termwise. In detail, if $\sigma$ is the sequence $s_0, s_1, \ldots$ and $\tau$ the sequence $t_0, t_1, \ldots$ in $\mathbb{F}_q$, then the sum $\sigma + \tau$ is taken to be the sequence $s_0 + t_0, s_1 + t_1, \ldots$. Furthermore, if $c \in \mathbb{F}_q$, then $c\sigma$ is defined as the sequence $cs_0, cs_1, \ldots$. It is seen immediately from the recurrence relation that $S(f(x))$ is closed under this addition and scalar multiplication. The required axioms are easily checked, and so $S(f(x))$ is indeed a vector space over $\mathbb{F}_q$. The role of the zero vector is played by the zero sequence, all of whose terms are $0$. Since $S(f(x))$ has $q^k$ elements, the dimension of the vector space is $k$. We obtain $k$ linearly independent elements of $S(f(x))$ by choosing $k$ linearly independent $k$-tuples $\gamma_1, \ldots, \gamma_k$ of elements of $\mathbb{F}_q$ and considering the sequences $\sigma_1, \ldots, \sigma_k$ belonging to $S(f(x))$, where each $\sigma_j$, $1 \le j \le k$, has $\gamma_j$ as its initial state vector. A natural choice for $\gamma_1, \ldots, \gamma_k$ is to take the standard basis vectors
$$\mathbf{e}_1 = (1, 0, \ldots, 0), \quad \mathbf{e}_2 = (0, 1, \ldots, 0), \quad \ldots, \quad \mathbf{e}_k = (0, \ldots, 0, 1).$$
Another possibility that is often advantageous is to consider the impulse response sequence $d_0, d_1, \ldots$ belonging to $S(f(x))$ and to choose for $\gamma_1, \ldots, \gamma_k$ the state vectors $\mathbf{d}_0, \ldots, \mathbf{d}_{k-1}$ of this impulse response sequence. In the following discussion, we shall explore the relationship between the various sets $S(f(x))$.
6.53. Theorem. Let $f(x)$ and $g(x)$ be two nonconstant monic polynomials over $\mathbb{F}_q$. Then $S(f(x))$ is a subset of $S(g(x))$ if and only if $f(x)$ divides $g(x)$.

Proof. Suppose $S(f(x))$ is contained in $S(g(x))$. Consider the impulse response sequence belonging to $S(f(x))$. This sequence has $f(x)$ as its minimal polynomial because of Corollary 6.52. By hypothesis, the sequence belongs also to $S(g(x))$. Therefore, according to Theorem 6.42, its minimal polynomial $f(x)$ divides $g(x)$. Conversely, if $f(x)$ divides $g(x)$ and $s_0, s_1, \ldots$ is any sequence belonging to $S(f(x))$, then the minimal polynomial $m(x)$ of the sequence divides $f(x)$ by Theorem 6.42. Consequently, $m(x)$ divides $g(x)$, and so another application of Theorem 6.42 shows that the sequence $s_0, s_1, \ldots$ belongs to $S(g(x))$. Therefore, $S(f(x))$ is a subset of $S(g(x))$. □
6.54. Theorem. Let $f_1(x), \ldots, f_h(x)$ be nonconstant monic polynomials over $\mathbb{F}_q$. If $f_1(x), \ldots, f_h(x)$ are relatively prime, then the intersection $S(f_1(x)) \cap \cdots \cap S(f_h(x))$ consists only of the zero sequence. If $f_1(x), \ldots, f_h(x)$ have a (monic) greatest common divisor $d(x)$ of positive degree, then
$$S(f_1(x)) \cap \cdots \cap S(f_h(x)) = S(d(x)).$$

Proof. The minimal polynomial $m(x)$ of a sequence in the intersection must divide $f_1(x), \ldots, f_h(x)$. In the case of relative primality, $m(x)$ is necessarily the constant polynomial $1$; but only the zero sequence has this minimal polynomial. In the second case, we conclude that $m(x)$ divides $d(x)$, and then Theorem 6.42 shows that the sequence belongs to $S(d(x))$. On the other hand, $S(d(x))$ is contained in each $S(f_i(x))$ by Theorem 6.53, since $d(x)$ divides each $f_i(x)$. □

We define $S(f(x)) + S(g(x))$ to be the set of all sequences $\sigma + \tau$ with $\sigma \in S(f(x))$ and $\tau \in S(g(x))$. This definition can, of course, be extended to any finite number of such sets.
6.55. Theorem. Let $f_1(x), \ldots, f_h(x)$ be nonconstant monic polynomials over $\mathbb{F}_q$. Then
$$S(f_1(x)) + \cdots + S(f_h(x)) = S(c(x)),$$
where $c(x)$ is the (monic) least common multiple of $f_1(x), \ldots, f_h(x)$.

Proof. It suffices to consider the case $h = 2$ since the general case follows easily by induction. We note first that, according to Theorem 6.53, each sequence belonging to $S(f_1(x))$ or to $S(f_2(x))$ belongs to $S(c(x))$, and since the latter is a vector space, it follows that $S(f_1(x)) + S(f_2(x))$ is contained in $S(c(x))$. We compare now the dimensions of these vector spaces over $\mathbb{F}_q$. Writing $V_1 = S(f_1(x))$ and $V_2 = S(f_2(x))$ and letting $d(x)$ be the (monic) greatest common divisor of $f_1(x)$ and $f_2(x)$, we get
$$\dim(V_1 + V_2) = \dim(V_1) + \dim(V_2) - \dim(V_1 \cap V_2) = \deg(f_1(x)) + \deg(f_2(x)) - \deg(d(x)),$$
where we have applied Theorem 6.54. But $c(x) = f_1(x)f_2(x)/d(x)$, and so
$$\dim(V_1 + V_2) = \deg(c(x)) = \dim(S(c(x))).$$
Therefore, the linear subspace $S(f_1(x)) + S(f_2(x))$ has the same dimension as the vector space $S(c(x))$, and so $S(f_1(x)) + S(f_2(x)) = S(c(x))$. □

In the special case where $f(x)$ and $g(x)$ are relatively prime nonconstant monic polynomials over $\mathbb{F}_q$, we will have
$$S(f(x)g(x)) = S(f(x)) + S(g(x)).$$
Since, in this case, Theorem 6.54 shows that $S(f(x)) \cap S(g(x))$ consists only of the zero sequence, $S(f(x)g(x))$ is (in the language of linear algebra) the direct sum of the linear subspaces $S(f(x))$ and $S(g(x))$. In other words, every sequence $\sigma \in S(f(x)g(x))$ can be expressed uniquely in the form $\sigma = \sigma_1 + \sigma_2$ with $\sigma_1 \in S(f(x))$ and $\sigma_2 \in S(g(x))$.

Let us recall that $S(f(x))$ is a vector space over $\mathbb{F}_q$ whose dimension is equal to the degree of $f(x)$. This vector space has an interesting additional property: if the sequence $s_0, s_1, \ldots$ belongs to $S(f(x))$, then for every integer $b \ge 0$ the shifted sequence $s_b, s_{b+1}, \ldots$ again belongs to $S(f(x))$. This follows, of course, immediately from the linear recurrence relation. We express this property by saying that $S(f(x))$ is closed under shifts of sequences. Taken together, the properties listed here characterize the sets $S(f(x))$ completely.
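Theorem 6.51 turns the question "is $f(x)$ already the minimal polynomial?" into a rank computation, and the direct-sum statement above says that for relatively prime $f(x)$ and $g(x)$ the sum of a sequence from $S(f(x))$ and one from $S(g(x))$ lies in $S(f(x)g(x))$. The following Python program is an added worked example, not code from the book. It implements the rank test by Gaussian elimination over $\mathbb{F}_p$ and applies it to the sequences of Examples 6.43, 6.46 and 6.47; it then forms the sum of a sequence with minimal polynomial $x^2 + x + 1$ and one with minimal polynomial $x^3 + x^2 + 1$ over $\mathbb{F}_2$, verifies that the sum satisfies the recurrence of $f(x)g(x) = x^5 + x + 1$ (the reducible polynomial of Example 6.31), and checks by the rank test that this product is the sum's minimal polynomial. The function names and the coefficient-list convention (lowest degree first, modulo a prime $p$) are this example's own.

```python
# Rank test of Theorem 6.51 and sums of linear recurring sequences over F_p
# (added example, not from the book). Polynomials are coefficient lists,
# lowest degree first, reduced modulo the prime p.


def rank_mod_p(rows, p):
    """Rank of a matrix over F_p by Gauss-Jordan elimination."""
    m = [[x % p for x in row] for row in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                factor = m[i][col]
                m[i] = [(x - factor * y) % p for x, y in zip(m[i], m[rank])]
        rank += 1
    return rank


def lfsr_terms(a, s, p, n):
    """First n terms of s_{n+k} = a_{k-1} s_{n+k-1} + ... + a_0 s_n, a = [a_0..a_{k-1}]."""
    k, out = len(a), list(s)
    while len(out) < n:
        out.append(sum(a[i] * out[-k + i] for i in range(k)) % p)
    return out[:n]


def satisfies(a, terms, p):
    """True if the given terms obey the recurrence with coefficient list a."""
    k = len(a)
    return all(terms[n + k] == sum(a[i] * terms[n + i] for i in range(k)) % p
               for n in range(len(terms) - k))


def is_minimal(a, s, p):
    """Theorem 6.51: the characteristic polynomial of the recurrence a is the
    minimal polynomial of the sequence with initial state s iff the state
    vectors s_0, ..., s_{k-1} are linearly independent over F_p."""
    k = len(a)
    terms = lfsr_terms(a, s, p, 2 * k - 1)
    return rank_mod_p([terms[i:i + k] for i in range(k)], p) == k


def poly_mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % p
    return out


def recurrence_of(f, p):
    """Monic f(x) = x^k - a_{k-1} x^{k-1} - ... - a_0  ->  [a_0, ..., a_{k-1}]."""
    return [(-c) % p for c in f[:-1]]


def char_poly_of(a, p):
    """Inverse of recurrence_of: [a_0, ..., a_{k-1}] -> monic f(x)."""
    return [(-c) % p for c in a] + [1]


def sum_sequence(af, sf, ag, sg, p, n):
    """Termwise sum of the sequence in S(f) with state sf and the one in S(g) with state sg."""
    return [(x + y) % p for x, y in zip(lfsr_terms(af, sf, p, n), lfsr_terms(ag, sg, p, n))]


def minimal_poly_of_sum(af, sf, ag, sg, p):
    """For relatively prime f and g the product fg is a characteristic polynomial of
    the sum, since S(fg) = S(f) + S(g); return (fg, whether fg is also minimal)."""
    fg = poly_mul(char_poly_of(af, p), char_poly_of(ag, p), p)
    a = recurrence_of(fg, p)
    sigma = sum_sequence(af, sf, ag, sg, p, 3 * len(a))
    assert satisfies(a, sigma, p)
    return fg, is_minimal(a, sigma[:len(a)], p)


if __name__ == "__main__":
    print(is_minimal([1, 1, 0, 1], [1, 1, 0, 1], 2))        # Example 6.43: f_0 is not minimal
    print(is_minimal([1, 0, 1, 1, 0], [1, 1, 0, 1, 0], 2))  # Example 6.46: f is minimal
    print(is_minimal([0, 1, 1, 0], [1, 0, 1, 0], 2))        # Example 6.47: f is minimal
    # x^2 + x + 1 (recurrence [1, 1]) and x^3 + x^2 + 1 (recurrence [1, 0, 1]) over F_2
    print(minimal_poly_of_sum([1, 1], [1, 0], [1, 0, 1], [1, 0, 0], 2))
```

The two summands here have least periods 3 and 7, and the sum has minimal polynomial $x^5 + x + 1$ of order 21 (Example 6.31), so by Theorem 6.44 its least period is 21; this is the mechanism by which combining short-period sequences with coprime minimal polynomials yields a longer period.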
6.56. Theorem. Let $E$ be a set of sequences in $\mathbb{F}_q$. Then $E = S(f(x))$ for some monic polynomial $f(x) \in \mathbb{F}_q[x]$ of positive degree if and only if $E$ is a vector space over $\mathbb{F}_q$ of positive finite dimension (under the usual addition and scalar multiplication of sequences) which is closed under shifts of sequences.

Proof. We have already noted above that these conditions are necessary. To establish the converse, consider an arbitrary sequence $\sigma \in E$ that is not the zero sequence. If $s_0, s_1, \ldots$ are the terms of $\sigma$ and $b \ge 0$ is an integer, we denote by $\sigma^{(b)}$ the shifted sequence $s_b, s_{b+1}, \ldots$. By hypothesis, the sequences $\sigma^{(0)}, \sigma^{(1)}, \sigma^{(2)}, \ldots$ all belong to $E$. But $E$ is a finite set, and so there exist nonnegative integers $i < j$ with $\sigma^{(i)} = \sigma^{(j)}$. It follows that the original sequence $\sigma$ satisfies the homogeneous linear recurrence relation $s_{n+j} = s_{n+i}$, $n = 0, 1, \ldots$. According to Theorem 6.42, the sequence $\sigma$ has then a minimal polynomial $m_\sigma(x) \in \mathbb{F}_q[x]$ of positive degree $k$, say. The state vectors $\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{k-1}$ of the sequence $\sigma$ are thus linearly independent over $\mathbb{F}_q$ by virtue of Theorem 6.51. Consequently, the sequences $\sigma^{(0)}, \sigma^{(1)}, \ldots, \sigma^{(k-1)}$ are linearly independent elements of $S(m_\sigma(x))$ and hence form a basis for $S(m_\sigma(x))$. Since $\sigma^{(0)}, \sigma^{(1)}, \ldots, \sigma^{(k-1)}$ belong to the vector space $E$, it follows that $S(m_\sigma(x))$ is a linear subspace of $E$. Letting $E^*$ denote the set $E$ with the zero sequence deleted and carrying out the argument above for every $\sigma \in E^*$, we arrive at the statement that the finite sum $\sum_{\sigma \in E^*} S(m_\sigma(x))$ of vector spaces is a linear subspace of $E$. On the other hand, it is trivial that $E$ is contained in $\sum_{\sigma \in E^*} S(m_\sigma(x))$, and so $E = \sum_{\sigma \in E^*} S(m_\sigma(x))$. By invoking Theorem 6.55, we get
$$E = \sum_{\sigma \in E^*} S(m_\sigma(x)) = S(f(x)),$$
where $f(x)$ is the least common multiple of all the polynomials $m_\sigma(x)$ with $\sigma$ running through $E^*$. □

It follows from Theorem 6.55 that the sum of two or more homogeneous linear recurring sequences in $\mathbb{F}_q$ is again a homogeneous linear recurring sequence. A characteristic polynomial of the sum sequence is also obtained from this theorem. In important special cases, the minimal polynomial and the least period of the sum sequence can be determined directly on the basis of the corresponding information for the original sequences.

6.57. Theorem. For each $i = 1, 2, \ldots, h$, let $\sigma_i$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ with minimal polynomial $m_i(x) \in \mathbb{F}_q[x]$. If the polynomials $m_1(x), \ldots, m_h(x)$ are pairwise relatively prime, then the minimal polynomial of the sum $\sigma_1 + \cdots + \sigma_h$ is equal to the product $m_1(x) \cdots m_h(x)$.

Proof. It suffices to consider the case $h = 2$ since the general case follows then by induction. If $m_1(x)$ or $m_2(x)$ is the constant polynomial $1$, the result is trivial. Similarly, if the minimal polynomial $m(x) \in \mathbb{F}_q[x]$ of $\sigma_1 + \sigma_2$ is the constant polynomial $1$, we obtain a trivial case. Therefore, we assume that the polynomials $m_1(x)$, $m_2(x)$, and $m(x)$ have positive degrees. Since $\sigma_1 + \sigma_2 \in S(m_1(x))$
6.57. Theorem. For each $i = 1, 2, \ldots, h$, let $\sigma_i$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ with minimal polynomial $m_i(x) \in \mathbb{F}_q[x]$. If the polynomials $m_1(x), \ldots, m_h(x)$ are pairwise relatively prime, then the minimal polynomial of the sum $\sigma_1 + \cdots + \sigma_h$ is equal to the product $m_1(x) \cdots m_h(x)$.

Proof. It suffices to consider the case $h = 2$ since the general case follows then by induction. If $m_1(x)$ or $m_2(x)$ is the constant polynomial 1, the result is trivial. Similarly, if the minimal polynomial $m(x) \in \mathbb{F}_q[x]$ of $\sigma_1 + \sigma_2$ is the constant polynomial 1, we obtain a trivial case. Therefore, we assume that the polynomials $m_1(x)$, $m_2(x)$, and $m(x)$ have positive degrees. Since
$$\sigma_1 + \sigma_2 \in S(m_1(x)) + S(m_2(x)) = S(m_1(x)m_2(x))$$
on account of Theorem 6.55, it follows that $m(x)$ divides $m_1(x)m_2(x)$. Now suppose that the terms of $\sigma_1$ are $s_0, s_1, \ldots$, that those of $\sigma_2$ are $t_0, t_1, \ldots$, and that
$$m(x) = x^k - a_{k-1}x^{k-1} - \cdots - a_0.$$
Then
$$s_{n+k} + t_{n+k} = a_{k-1}(s_{n+k-1} + t_{n+k-1}) + \cdots + a_0(s_n + t_n) \quad \text{for } n = 0, 1, \ldots.$$
If we set
$$u_n = s_{n+k} - a_{k-1}s_{n+k-1} - \cdots - a_0 s_n = -t_{n+k} + a_{k-1}t_{n+k-1} + \cdots + a_0 t_n \quad \text{for } n = 0, 1, \ldots$$
and recall that $S(m_1(x))$ and $S(m_2(x))$ are vector spaces over $\mathbb{F}_q$ closed under shifts of sequences (see Theorem 6.56), then we can conclude that the sequence $u_0, u_1, \ldots$ belongs to both $S(m_1(x))$ and $S(m_2(x))$ and is thus the zero sequence, according to Theorem 6.54. But this shows that both $m_1(x)$ and $m_2(x)$ divide $m(x)$, hence $m_1(x)m_2(x)$ divides $m(x)$, and so $m(x) = m_1(x)m_2(x)$. □
If the minimal polynomials $m_1(x), \ldots, m_h(x)$ of the individual sequences $\sigma_1, \ldots, \sigma_h$ are not pairwise relatively prime, then the special nature of the sequences $\sigma_1, \ldots, \sigma_h$ has to be taken into account in order to determine the minimal polynomial of the sum sequence $\sigma = \sigma_1 + \cdots + \sigma_h$. The most feasible method is based on the use of generating functions. Suppose that for $i = 1, 2, \ldots, h$ the generating function of $\sigma_i$ is $G_i(x) \in \mathbb{F}_q[[x]]$. Then the generating function of $\sigma$ is given by $G(x) = G_1(x) + \cdots + G_h(x)$. By Theorem 6.40, each $G_i(x)$ can be written as a fraction with, for instance, the reciprocal polynomial of $m_i(x)$ as denominator. We add these fractions, reduce the resulting fraction to lowest terms, and combine the second part of Theorem 6.40 and the method in the proof of Theorem 6.42 to find the minimal polynomial of $\sigma$. This technique yields also an alternative proof for Theorem 6.57.

6.58. Example. Let $\sigma_1$ be the impulse response sequence in $\mathbb{F}_2$ belonging to $S(x^4 + x^3 + x + 1)$ and $\sigma_2$ the impulse response sequence in $\mathbb{F}_2$ belonging to $S(x^5 + x^4 + 1)$. Then, according to Corollary 6.52, the corresponding minimal polynomials are
$$m_1(x) = x^4 + x^3 + x + 1 = (x^2 + x + 1)(x + 1)^2 \in \mathbb{F}_2[x]$$
and
$$m_2(x) = x^5 + x^4 + 1 = (x^2 + x + 1)(x^3 + x + 1) \in \mathbb{F}_2[x].$$
Using Theorem 6.40, the generating function $G(x)$ of the sum sequence $\sigma = \sigma_1 + \sigma_2$ turns out to be
$$G(x) = \frac{x^3}{(x^2 + x + 1)(x + 1)^2} + \frac{x^4}{(x^2 + x + 1)(x^3 + x^2 + 1)} = \frac{x^3}{(x + 1)^2(x^3 + x^2 + 1)},$$
the last fraction being in lowest terms. By the second part of Theorem 6.40, the reciprocal polynomial $f_0(x) = (x^3 + x + 1)(x + 1)^2$ of the denominator is a characteristic polynomial of $\sigma$. According to (6.18), the associated polynomial $h_0(x)$ is given by $h_0(x) = -x^4(1/x)^3 = -x$. Since $f_0(x)$ and $h_0(x)$ are relatively prime, the method in the proof of Theorem 6.42 yields the minimal polynomial
$$m(x) = (x^3 + x + 1)(x + 1)^2$$
for $\sigma$. We note that $m(x)$ is a proper divisor of the least common multiple of $m_1(x)$ and $m_2(x)$, which is
$$(x^3 + x + 1)(x + 1)^2(x^2 + x + 1). \qquad \square$$
From the information about the minimal polynomial contained in Theorem 6.57, one can immediately deduce a useful result concerning the least period of a sum sequence.

6.59. Theorem. For each $i = 1, 2, \ldots, h$, let $\sigma_i$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ with minimal polynomial $m_i(x) \in \mathbb{F}_q[x]$ and least period $r_i$. If the polynomials $m_1(x), \ldots, m_h(x)$ are pairwise relatively prime, then the least period of the sum $\sigma_1 + \cdots + \sigma_h$ is equal to the least common multiple of $r_1, \ldots, r_h$.

Proof. We consider only the case $h = 2$, the general result following by induction. If $r$ is the least period of $\sigma_1 + \sigma_2$, then $r = \mathrm{ord}(m_1(x)m_2(x))$ by Theorems 6.44 and 6.57. An application of Theorem 3.9 shows that $r$ is the least common multiple of $\mathrm{ord}(m_1(x))$ and $\mathrm{ord}(m_2(x))$, and so of $r_1$ and $r_2$. □

6.60. Example. Let the sequences $\sigma_1$ and $\sigma_2$ be as in Example 6.58. Then the least periods of $\sigma_1$ and $\sigma_2$ are $r_1 = \mathrm{ord}(m_1(x)) = 6$ and $r_2 = \mathrm{ord}(m_2(x)) = 21$, respectively. The least period $r$ of $\sigma_1 + \sigma_2$ is $r = \mathrm{ord}(m(x)) = 14$. In these computations of orders we use, of course, Theorem 3.9. The arguments above have been carried out without having evaluated the terms of the sequences involved. In this special case we may, of course, compare the results with explicit computations of the least periods:

$\sigma_1$:  000111000111000111000111 $\cdots$    least period $r_1 = 6$
$\sigma_2$:  00001111101010011000100001 $\cdots$    least period $r_2 = 21$
$\sigma_1 + \sigma_2$:  00010011110110000100111101 $\cdots$    least period $r = 14$

Notice that $r$ is a proper divisor of the least common multiple of $r_1$ and $r_2$. □
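The computations of Examples 6.58 and 6.60, with one further sum whose summands have coprime least periods, carried out by brute force over $\mathbb{F}_2$. This is an added example, not code from the book; the function names and the encoding of a monic characteristic polynomial $x^k + a_{k-1}x^{k-1} + \cdots + a_0$ as the list $[a_0, \ldots, a_{k-1}, 1]$ are my own choices, and the third polynomial $x^3 + x + 1$ (least period 7) is my own addition to the book's two.

```python
"""Least periods of sums of linear recurring sequences over F_p.
Added example (not from the book); the function names and the list encoding
[a_0, ..., a_{k-1}, 1] of a monic characteristic polynomial are my own choices."""
from math import gcd


def lfsr_terms(f, state, p, n):
    """First n terms of the sequence in S(f) with initial state (s_0, ..., s_{k-1}).

    f = [a_0, ..., a_{k-1}, 1] encodes f(x) = x^k + a_{k-1} x^{k-1} + ... + a_0 over F_p,
    so each new term is s_{n+k} = -(a_{k-1} s_{n+k-1} + ... + a_0 s_n) mod p.
    """
    k = len(f) - 1
    if len(state) != k or f[-1] % p != 1:
        raise ValueError("state length must equal deg f, and f must be monic")
    s = [x % p for x in state]
    while len(s) < n:
        s.append(-sum(f[i] * s[len(s) - k + i] for i in range(k)) % p)
    return s[:n]


def impulse_response(f, p, n):
    """Impulse response sequence of S(f): initial state (0, ..., 0, 1)."""
    return lfsr_terms(f, [0] * (len(f) - 2) + [1], p, n)


def least_period(seq):
    """Least r >= 1 with seq[i + r] == seq[i] wherever both indices exist.

    Meant for purely periodic sequences sampled for at least three full periods;
    a shorter sample can make a proper divisor of the true period pass the test.
    """
    for r in range(1, len(seq)):
        if all(seq[i] == seq[i + r] for i in range(len(seq) - r)):
            return r
    raise ValueError("no period found within the sample")


def add_terms(s, t, p):
    """Termwise sum s_0 + t_0, s_1 + t_1, ... in F_p."""
    return [(a + b) % p for a, b in zip(s, t)]


def lcm(a, b):
    return a * b // gcd(a, b)


def example_sums():
    """Examples 6.58/6.60 (periods 6 and 21, sum of period 14) and one instance of
    the coprime-period case (periods 6 and 7, so the sum has period 42)."""
    p = 2
    f1 = [1, 1, 0, 1, 1]       # x^4 + x^3 + x + 1 = (x^2 + x + 1)(x + 1)^2
    f2 = [1, 0, 0, 0, 1, 1]    # x^5 + x^4 + 1   = (x^2 + x + 1)(x^3 + x + 1)
    f3 = [1, 1, 0, 1]          # x^3 + x + 1, primitive: least period 7 (my addition)
    n = 3 * 42                 # 42 = lcm(6, 21, 7) is a period of every sequence below
    s1, s2, s3 = (impulse_response(f, p, n) for f in (f1, f2, f3))
    r1, r2, r3 = (least_period(s) for s in (s1, s2, s3))
    sum12 = add_terms(s1, s2, p)
    return {
        "r1": r1, "r2": r2, "r3": r3,
        "sum12": least_period(sum12),                 # 14, a proper divisor of lcm(6, 21)
        "lcm12": lcm(r1, r2),                         # 42
        "sum13": least_period(add_terms(s1, s3, p)),  # 42 = 6 * 7, periods coprime
        "prefix12": "".join(map(str, sum12[:14])),    # one period of sigma_1 + sigma_2
    }
```

The shared factor $x^2 + x + 1$ of $m_1(x)$ and $m_2(x)$ is exactly why the first sum falls short of $\mathrm{lcm}(6, 21) = 42$; with coprime periods the brute-force count agrees with the product, as the next theorem asserts.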
6.61. Theorem. For each $i = 1, 2, \ldots, h$, let $\sigma_i$ be an ultimately periodic sequence in $\mathbb{F}_q$ with least period $r_i$. If $r_1, \ldots, r_h$ are pairwise relatively prime, then the least period of the sum $\sigma_1 + \cdots + \sigma_h$ is equal to the product $r_1 \cdots r_h$.

Proof. It suffices to consider the case $h = 2$ since the general case follows then by induction. It is obvious that $r_1 r_2$ is a period of $\sigma_1 + \sigma_2$, so that the least period $r$ of $\sigma_1 + \sigma_2$ divides $r_1 r_2$. Therefore, $r$ is of the form $r = d_1 d_2$ with $d_1$ and $d_2$ being positive divisors of $r_1$ and $r_2$, respectively. In particular, $d_1 r_2$ is a period of $\sigma_1 + \sigma_2$. Consequently, if the terms of $\sigma_1$ are $s_0, s_1, \ldots$ and those of $\sigma_2$ are $t_0, t_1, \ldots$, then we have
$$s_{n+d_1r_2} + t_{n+d_1r_2} = s_n + t_n$$
for all sufficiently large $n$. But $t_{n+d_1r_2} = t_n$ for all sufficiently large $n$, and so $s_{n+d_1r_2} = s_n$ for all sufficiently large $n$. Therefore $r_1$ divides $d_1 r_2$, and since $r_1$ and $r_2$ are relatively prime, $r_1$ divides $d_1$, which implies $d_1 = r_1$. Similarly, one shows that $d_2 = r_2$. □

In the finite field $\mathbb{F}_2$ there is an interesting operation on sequences
called binary complementation. If $\sigma$ is a sequence in $\mathbb{F}_2$, then its binary complement, denoted by $\bar\sigma$, is obtained by replacing each digit 0 in $\sigma$ by 1 and each digit 1 in $\sigma$ by 0. Binary complementation is, in fact, a special case of addition of sequences since the binary complement $\bar\sigma$ of $\sigma$ arises by adding to $\sigma$ the sequence all of whose terms are 1. Therefore, if $\sigma$ is a homogeneous linear recurring sequence, then $\bar\sigma$ is one as well. Clearly, the least period of $\bar\sigma$ is the same as that of $\sigma$. The minimal polynomial of $\bar\sigma$ can be obtained from that of $\sigma$ in an easy manner.

6.62. Theorem. Let $\sigma$ be a homogeneous linear recurring sequence in $\mathbb{F}_2$ with binary complement $\bar\sigma$. Write the minimal polynomial $m(x) \in \mathbb{F}_2[x]$ of $\sigma$ in the form $m(x) = (x + 1)^h m_1(x)$ with an integer $h \ge 0$ and $m_1(x) \in \mathbb{F}_2[x]$ satisfying $m_1(1) = 1$. Then the minimal polynomial $\bar m(x)$ of $\bar\sigma$ is given by $\bar m(x) = (x + 1)m(x)$ if $h = 0$, $\bar m(x) = m_1(x)$ if $h = 1$, and $\bar m(x) = m(x)$ if $h > 1$.

Proof. Let $\varepsilon$ be the sequence in $\mathbb{F}_2$ all of whose terms are 1. Since $\bar\sigma = \sigma + \varepsilon$ and the minimal polynomial of $\varepsilon$ is $x + 1$, the case $h = 0$ is settled by invoking Theorem 6.57. If $h \ge 1$, then $\bar\sigma = \sigma + \varepsilon \in S(m(x))$ because of Theorem 6.55, and so $\bar m(x)$ divides $m(x)$. If $\bar m(x)$ is the constant polynomial 1, then $\bar\sigma$ is necessarily the zero sequence and $\sigma = \varepsilon$, and the theorem holds. Therefore, we assume from now on that $\bar m(x)$ is of positive degree. We get $\sigma = \bar\sigma + \varepsilon \in S(\bar m(x)(x + 1))$ because of Theorems 6.53 and 6.55, thus $m(x)$ divides $\bar m(x)(x + 1)$, and so for $h \ge 1$ we have either $\bar m(x) = m(x)$ or $\bar m(x) = (x + 1)^{h-1}m_1(x)$. If $h > 1$, then $x + 1$ divides $\bar m(x)$ in either case, so that $\sigma = \bar\sigma + \varepsilon \in S(\bar m(x))$, which yields $\bar m(x) = m(x)$. If $h = 1$, let the terms of $\sigma$ be $s_0, s_1, \ldots$ and let
$$m_1(x) = x^k + a_{k-1}x^{k-1} + \cdots + a_0$$
be of positive degree, the excluded case being trivial. We set
$$u_n = s_{n+k} + a_{k-1}s_{n+k-1} + \cdots + a_0 s_n \quad \text{for } n = 0, 1, \ldots.$$
Since the sequence $s_0, s_1, \ldots$ has $m(x) = (x + 1)m_1(x)$ as a characteristic polynomial, it follows easily that $u_{n+1} = u_n$ for all $n \ge 0$. Therefore, $u_n = u_0$ for all $n \ge 0$, and we must have $u_0 = 1$, for otherwise $m_1(x)$ would be a characteristic polynomial of $\sigma$. Consequently,
$$s_{n+k} + 1 = a_{k-1}s_{n+k-1} + \cdots + a_0 s_n \quad \text{for all } n \ge 0.$$
Since $m_1(1) = 1 + a_{k-1} + \cdots + a_0 = 1$, we obtain
$$s_{n+k} + 1 = a_{k-1}(s_{n+k-1} + 1) + \cdots + a_0(s_n + 1) \quad \text{for all } n \ge 0,$$
and this means that $m_1(x)$ is a characteristic polynomial of $\bar\sigma$. Thus, $\bar m(x) = m_1(x)$ in the case where $h = 1$. □

We recall that $S(f(x))$ denotes the set of all homogeneous linear recurring sequences in $\mathbb{F}_q$ with characteristic polynomial $f(x)$, where $f(x) \in \mathbb{F}_q[x]$ is a monic polynomial of positive degree. We want to determine the positive integers that appear as least periods of sequences from $S(f(x))$, and also, for how many sequences from $S(f(x))$ such a positive integer is attained as a least period.

The polynomial $f(x)$ can be written in the form $f(x) = x^h g(x)$, where $h \ge 0$ is an integer and $g(x) \in \mathbb{F}_q[x]$ with $g(0) \ne 0$. The case in which $g(x)$ is a constant polynomial can be dealt with immediately, since then every sequence from $S(f(x))$ has least period 1. If $h \ge 1$ and $g(x)$ is of positive degree, then, by the discussion following Theorem 6.55, every sequence $\sigma \in S(f(x))$ can be expressed uniquely in the form $\sigma = \sigma_1 + \sigma_2$ with $\sigma_1 \in S(x^h)$ and $\sigma_2 \in S(g(x))$. Apart from finitely many initial terms, all terms of $\sigma_1$ are zero, so that the least period of $\sigma$ is equal to the least period of $\sigma_2$. Furthermore, a given sequence $\sigma_2 \in S(g(x))$ leads to $q^h$ different sequences from $S(f(x))$ by adding to it all the $q^h$ sequences from $S(x^h)$. Consequently, if $r_1, \ldots, r_l$ are the least periods of sequences from $S(g(x))$ and $N_1, \ldots, N_l$ are the corresponding numbers of sequences from $S(g(x))$ having these least periods, then, for $1 \le i \le l$, there are exactly $q^h N_i$ sequences belonging to $S(f(x))$ with least period $r_i$, and no other least periods occur among the sequences from $S(f(x))$.

We may assume from now on that $h = 0$, that is, that $f(0) \ne 0$. Suppose first that $f(x)$ is irreducible over $\mathbb{F}_q$. Then, according to Theorems 6.44 and 6.50, every sequence from $S(f(x))$ with nonzero initial state vector has least period $\mathrm{ord}(f(x))$. Therefore, one sequence from $S(f(x))$ has least period 1 and $q^{\deg(f(x))} - 1$ sequences from $S(f(x))$ have least period $\mathrm{ord}(f(x))$. Next,
we consider the case that $f(x)$ is a power of an irreducible polynomial. Thus, let $f(x) = g(x)^b$ with $g(x) \in \mathbb{F}_q[x]$ monic and irreducible over $\mathbb{F}_q$ and $b \ge 2$ an integer. The minimal polynomial of any sequence from $S(f(x))$ with nonzero initial state vector is then of the form $g(x)^c$ with $1 \le c \le b$. According to Theorem 6.53, we have
$$S(g(x)) \subseteq S(g(x)^2) \subseteq \cdots \subseteq S(f(x)).$$
Therefore, if $\deg(g(x)) = k$, then there are $q^k - 1$ sequences from $S(f(x))$ with minimal polynomial $g(x)$, $q^{2k} - q^k$ sequences from $S(f(x))$ with minimal polynomial $g(x)^2$, and, in general, for $c = 1, 2, \ldots, b$ there are $q^{ck} - q^{(c-1)k}$ sequences from $S(f(x))$ with minimal polynomial $g(x)^c$. By combining this information with Theorems 3.8 and 6.44, we arrive at the following result.

6.63. Theorem. Let $f(x) = g(x)^b$ with $g(x) \in \mathbb{F}_q[x]$ monic and irreducible over $\mathbb{F}_q$, $g(0) \ne 0$, $\deg(g(x)) = k$, $\mathrm{ord}(g(x)) = e$, and $b$ a positive integer. Let $t$ be the smallest integer with $p^t \ge b$, where $p$ is the characteristic of $\mathbb{F}_q$. Then $S(f(x))$ contains the following numbers of sequences with the following least periods: one sequence with least period 1, $q^k - 1$ sequences with least period $e$, and for $b \ge 2$, $q^{kp^j} - q^{kp^{j-1}}$ sequences with least period $ep^j$ ($j = 1, 2, \ldots, t - 1$) and $q^{kb} - q^{kp^{t-1}}$ sequences with least period $ep^t$.
In the case of an arbitrary monic polynomial $f(x) \in \mathbb{F}_q[x]$ of positive degree with $f(0) \ne 0$, we start from the canonical factorization
$$f(x) = \prod_{i=1}^{h} g_i(x)^{b_i},$$
where the $g_i(x)$ are distinct monic irreducible polynomials over $\mathbb{F}_q$ and the $b_i$ are positive integers. It follows then from Theorem 6.55 that
$$S(f(x)) = S(g_1(x)^{b_1}) + \cdots + S(g_h(x)^{b_h}).$$
In fact, every sequence from $S(f(x))$ is obtained exactly once by forming all possible sums $\sigma_1 + \cdots + \sigma_h$ with $\sigma_i \in S(g_i(x)^{b_i})$ for $1 \le i \le h$. Since the least periods attained by sequences from $S(g_i(x)^{b_i})$ are known from Theorem 6.63, the analogous information about $S(f(x))$ can thus be deduced from Theorem 6.59.

6.64. Example. Let $f(x) = (x^2 + x + 1)^2(x^4 + x^3 + 1) \in \mathbb{F}_2[x]$. According to Theorem 6.63, $S((x^2 + x + 1)^2)$ contains one sequence with least period 1, 3 sequences with least period 3, and 12 sequences with least period 6, whereas $S(x^4 + x^3 + 1)$ contains one sequence with least period 1 and 15 sequences with least period 15. Therefore, by forming all possible sums of sequences from $S((x^2 + x + 1)^2)$ and $S(x^4 + x^3 + 1)$ and using Theorem 6.59, we conclude that $S(f(x))$ contains one sequence with least period 1, 3 sequences with least period 3, 12 sequences with least period 6, 60 sequences with least period 15, and 180 sequences with least period 30. □

We have already investigated the behavior of linear recurring sequences under termwise addition. A similar theory can be developed for the
operation of termwise multiplication, although it presents greater difficulties. If $\sigma$ is the sequence of elements $s_0, s_1, \ldots$ of $\mathbb{F}_q$ and $\tau$ is the sequence of elements $t_0, t_1, \ldots$ of $\mathbb{F}_q$, then the product sequence $\sigma\tau$ has terms $s_0 t_0, s_1 t_1, \ldots$. Analogously, one defines the product of any finite number of sequences.

Let $S$ be the vector space over $\mathbb{F}_q$ consisting of all sequences of elements of $\mathbb{F}_q$, under the usual addition and scalar multiplication of sequences. For nonconstant monic polynomials $f_1(x), \ldots, f_h(x)$ over $\mathbb{F}_q$, let $S(f_1(x)) \cdots S(f_h(x))$ be the subspace of $S$ spanned by all products $\sigma_1 \cdots \sigma_h$ with $\sigma_i \in S(f_i(x))$, $1 \le i \le h$. The following result is basic.

6.65. Theorem. If $f_1(x), \ldots, f_h(x)$ are nonconstant monic polynomials over $\mathbb{F}_q$, then there exists a nonconstant monic polynomial $g(x) \in \mathbb{F}_q[x]$ such that
$$S(f_1(x)) \cdots S(f_h(x)) = S(g(x)).$$

Proof. Set $E = S(f_1(x)) \cdots S(f_h(x))$. Since each $S(f_i(x))$, $1 \le i \le h$, contains a sequence with initial term 1, the vector space $E$ contains a nonzero sequence. Furthermore, $E$ is spanned by finitely many sequences and thus finite-dimensional. From the fact that each $S(f_i(x))$, $1 \le i \le h$, is closed under shifts of sequences it follows that $E$ has the same property, and then the argument is complete by Theorem 6.56. □

6.66. Corollary. The product of finitely many linear recurring sequences in $\mathbb{F}_q$ is again a linear recurring sequence in $\mathbb{F}_q$.

Proof. By the remarks following (6.5), the given linear recurring sequences can be taken to be homogeneous. The result is then implicit in Theorem 6.65. □

The explicit determination of the polynomial $g(x)$ in Theorem 6.65 is, in general, not easy. There is, however, a special case that allows a simpler treatment of the problem. For nonconstant polynomials $f_1(x), \ldots, f_h(x)$ over $\mathbb{F}_q$, we define $f_1(x) \vee \cdots \vee f_h(x)$ to be the monic polynomial whose roots are the distinct elements of the form $\alpha_1 \cdots \alpha_h$, where each $\alpha_i$ is a root of $f_i(x)$ in the splitting field of $f_1(x) \cdots f_h(x)$ over $\mathbb{F}_q$. Since the conjugates (over $\mathbb{F}_q$) of such a product $\alpha_1 \cdots \alpha_h$ are again elements of this form, it follows that $f_1(x) \vee \cdots \vee f_h(x)$ is a polynomial over $\mathbb{F}_q$.

6.67. Theorem. For each $i = 1, 2, \ldots, h$, let $f_i(x)$ be a nonconstant monic polynomial over $\mathbb{F}_q$ without multiple roots. Then we have
$$S(f_1(x)) \cdots S(f_h(x)) = S(f_1(x) \vee \cdots \vee f_h(x)).$$

We need a preparatory lemma and some notation for the proof of this result. For a finite extension field $F$ of $\mathbb{F}_q$, let $S_F$ be the vector space over $F$ consisting of all sequences of elements of $F$, under termwise addition and scalar multiplication of sequences. Thus, in particular, $S_{\mathbb{F}_q} = S$. By the product $V_1 \cdots V_h$ of $h$ subspaces $V_1, \ldots, V_h$ of $S_F$ we mean the subspace of $S_F$ spanned by all products $\sigma_1 \cdots \sigma_h$ with $\sigma_i \in V_i$, $1 \le i \le h$. For a nonconstant monic polynomial $f(x) \in F[x]$, let $S_F(f(x))$ be the vector space over $F$ consisting of all homogeneous linear recurring sequences in $F$ with characteristic polynomial $f(x)$.
6.68. Lemma. Let $F$ be a finite extension field of $\mathbb{F}_q$, and let $f_1(x), \ldots, f_h(x)$ be nonconstant monic polynomials over $\mathbb{F}_q$. Then
$$S(f_1(x)) \cdots S(f_h(x)) = S \cap \bigl(S_F(f_1(x)) \cdots S_F(f_h(x))\bigr).$$

Proof. Clearly, the vector space on the left-hand side is contained in the vector space on the right-hand side. To show the converse, we note first that each $S(f_i(x))$, $1 \le i \le h$, spans $S_F(f_i(x))$ over $F$. Therefore, $S(f_1(x)) \cdots S(f_h(x))$ spans $S_F(f_1(x)) \cdots S_F(f_h(x))$ over $F$. Let $\rho_1, \ldots, \rho_m$ be a basis of $S(f_1(x)) \cdots S(f_h(x))$ over $\mathbb{F}_q$, and let $\omega_1, \ldots, \omega_k$ be a basis of $F$ over $\mathbb{F}_q$ with $\omega_1 \in \mathbb{F}_q$. Then any $\sigma \in S_F(f_1(x)) \cdots S_F(f_h(x))$ can be written in the form
$$\sigma = \sum_{i=1}^{k}\sum_{j=1}^{m} c_{ij}\,\omega_i\rho_j,$$
where the coefficients $c_{ij}$ are in $\mathbb{F}_q$. Let the terms of the sequence $\rho_j$, $1 \le j \le m$, be the elements $r_{j0}, r_{j1}, \ldots$ of $\mathbb{F}_q$. If now $\sigma \in S$, then for the terms $s_n$, $n = 0, 1, \ldots$, of $\sigma$ we get
$$s_n = \sum_{i=1}^{k}\Bigl(\sum_{j=1}^{m} c_{ij}\,r_{jn}\Bigr)\omega_i.$$
Since the coefficient of each $\omega_i$ is in $\mathbb{F}_q$ and $s_n$ itself lies in $\mathbb{F}_q = \mathbb{F}_q\omega_1$, it follows from the linear independence of $\omega_1, \ldots, \omega_k$ over $\mathbb{F}_q$ that $\sum_{j=1}^{m} c_{ij}r_{jn} = 0$ for $2 \le i \le k$ and all $n$. Consequently,
$$\sigma = \sum_{j=1}^{m} c_{1j}\,\omega_1\rho_j \in S(f_1(x)) \cdots S(f_h(x)),$$
and the proof is complete. □
Proof of Theorem 6.67. Let $F$ be the splitting field of $f_1(x) \cdots f_h(x)$ over $\mathbb{F}_q$. For $1 \le i \le h$, let $\alpha_i$ run through the roots of $f_i(x)$. Then by Theorem 6.55,
$$S_F(f_i(x)) = \sum_{\alpha_i} S_F(x - \alpha_i) \quad \text{for } 1 \le i \le h.$$
We note that we have the distributive law $V_1(V_2 + V_3) = V_1V_2 + V_1V_3$ for subspaces $V_1, V_2, V_3$ of $S_F$, which is shown by observing that the left-hand vector space is contained in the right-hand vector space (by the distributive law for sequences) and that $V_1V_2 \subseteq V_1(V_2 + V_3)$ and $V_1V_3 \subseteq V_1(V_2 + V_3)$ imply $V_1V_2 + V_1V_3 \subseteq V_1(V_2 + V_3)$. On the basis of the distributive law, it follows that
$$S_F(f_1(x)) \cdots S_F(f_h(x)) = \sum_{\alpha_1, \ldots, \alpha_h} S_F(x - \alpha_1) \cdots S_F(x - \alpha_h).$$
It is easy to check directly that $S_F(x - \alpha_1) \cdots S_F(x - \alpha_h) = S_F(x - \alpha_1 \cdots \alpha_h)$, and so
$$S_F(f_1(x)) \cdots S_F(f_h(x)) = \sum_{\alpha_1, \ldots, \alpha_h} S_F(x - \alpha_1 \cdots \alpha_h) = S_F(f_1(x) \vee \cdots \vee f_h(x))$$
by Theorem 6.55. The result of Theorem 6.67 follows now from Lemma 6.68. □

Theorem 6.67 shows, in particular, how to find a characteristic polynomial for the product of homogeneous linear recurring sequences, at least in the special case considered there. For this purpose, an alternative argument may be based on Theorem 6.21. It suffices to carry out the details for the product of two homogeneous linear recurring sequences. Let the sequence $s_0, s_1, \ldots$ belong to $S(f(x))$ and let $t_0, t_1, \ldots$ belong to $S(g(x))$. If $f(x)$ has only the simple roots $\alpha_1, \ldots, \alpha_k$ and $g(x)$ has only the simple roots $\beta_1, \ldots, \beta_m$, then by (6.8),
$$s_n = \sum_{i=1}^{k} b_i\alpha_i^n \quad \text{and} \quad t_n = \sum_{j=1}^{m} c_j\beta_j^n \quad \text{for } n = 0, 1, \ldots,$$
where the coefficients $b_i$ and $c_j$ belong to a finite extension field of $\mathbb{F}_q$. If $\gamma_1, \ldots, \gamma_r$ are the distinct values of the products $\alpha_i\beta_j$, $1 \le i \le k$, $1 \le j \le m$, then
$$u_n = s_n t_n = \sum_{i=1}^{k}\sum_{j=1}^{m} b_i c_j(\alpha_i\beta_j)^n = \sum_{l=1}^{r} d_l\gamma_l^n \quad \text{for } n = 0, 1, \ldots,$$
with suitable coefficients $d_1, \ldots, d_r$ in a finite extension field of $\mathbb{F}_q$. Now let
$$h(x) = f(x) \vee g(x) = x^r - a_{r-1}x^{r-1} - \cdots - a_0 \in \mathbb{F}_q[x].$$
Then for $n = 0, 1, \ldots$ we have
$$u_{n+r} - a_{r-1}u_{n+r-1} - \cdots - a_0 u_n = \sum_{l=1}^{r} d_l\gamma_l^n h(\gamma_l) = 0,$$
and so the product sequence $u_0, u_1, \ldots$ has $h(x)$ as a characteristic polynomial.
6.69. Example. Consider the sequence $0, 1, 0, 1, \ldots$ in $\mathbb{F}_2$ with the least period 2 and minimal polynomial $(x - 1)^2$. If we multiply this sequence with itself, we get back the same sequence. On the other hand, $(x - 1)^2 \vee (x - 1)^2 = x - 1$, which is not a characteristic polynomial of the product sequence. Therefore, the identity in Theorem 6.67 may cease to hold if some of the polynomials $f_i(x)$ are allowed to have multiple roots. □

There is an analog of Theorem 6.61 for multiplication of sequences. For obvious reasons, sequences for which all but finitely many terms are zero have to be excluded from consideration.

6.70. Theorem. For each $i = 1, 2, \ldots, h$, let $\sigma_i$ be an ultimately periodic sequence in $\mathbb{F}_q$ with infinitely many nonzero terms and with least period $r_i$. If $r_1, \ldots, r_h$ are pairwise relatively prime, then the least period of the product $\sigma_1 \cdots \sigma_h$ is equal to $r_1 \cdots r_h$.

Proof. We consider only the case $h = 2$ since the general case follows then by induction. As in the proof of Theorem 6.61 one shows that the least period $r$ of $\sigma_1\sigma_2$ must be of the form $r = d_1 d_2$ with $d_1$ and $d_2$ being positive divisors of $r_1$ and $r_2$, respectively. In particular, $d_1 r_2$ is a period of $\sigma_1\sigma_2$. Thus, if the terms of $\sigma_1$ are $s_0, s_1, \ldots$ and those of $\sigma_2$ are $t_0, t_1, \ldots$, then we have
$$s_{n+d_1r_2}\,t_{n+d_1r_2} = s_n t_n$$
for all sufficiently large $n$. Since there exists an integer $b$ with $t_n \ne 0$ for all sufficiently large $n \equiv b \bmod r_2$, it follows that $s_{n+d_1r_2} = s_n$ for all such $n$. Now fix a sufficiently large $n$; by the Chinese remainder theorem, we can choose an integer $m \ge n$ with $m \equiv n \bmod r_1$ and $m \equiv b \bmod r_2$. Then
$$s_{n+d_1r_2} = s_{m+d_1r_2} = s_m = s_n,$$
and so $d_1 r_2$ is a period of $\sigma_1$. Therefore, $r_1$ divides $d_1 r_2$, and since $r_1$ and $r_2$ are relatively prime, $r_1$ divides $d_1$, which implies $d_1 = r_1$. Similarly, one shows that $d_2 = r_2$. □
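Example 6.69, Theorem 6.70 and the count in Example 6.64 checked by brute force. This is an added example, not code from the book; the function names are my own, a characteristic polynomial $x^k + a_{k-1}x^{k-1} + \cdots + a_0$ is again passed as the list $[a_0, \ldots, a_{k-1}, 1]$, and the period-6 and period-7 sequences used for the product are the impulse response sequences of $x^4 + x^3 + x + 1$ and $x^3 + x + 1$, written out as their period blocks.

```python
"""Products of sequences over F_p, and a least-period census of S(f).
Added example (not from the book); all function names are my own choices."""
from itertools import product


def least_period(seq):
    """Least r >= 1 with seq[i + r] == seq[i] wherever both indices exist
    (the sample must hold at least three full periods of a purely periodic sequence)."""
    for r in range(1, len(seq)):
        if all(seq[i] == seq[i + r] for i in range(len(seq) - r)):
            return r
    raise ValueError("no period found within the sample")


def term_product(s, t, p):
    """Termwise product s_0 t_0, s_1 t_1, ... in F_p."""
    return [(a * b) % p for a, b in zip(s, t)]


def periodic_terms(block, n):
    """First n terms of the purely periodic sequence that repeats block."""
    return [block[i % len(block)] for i in range(n)]


def period_census(f, p):
    """Map least period -> number of sequences in S(f) attaining it.

    f = [a_0, ..., a_{k-1}, 1] is a monic characteristic polynomial with a_0 != 0,
    so every sequence in S(f) is purely periodic and its least period equals the
    length of the cycle traversed by its state vector (s_n, ..., s_{n+k-1}).
    """
    k = len(f) - 1
    if f[0] % p == 0:
        raise ValueError("f(0) must be nonzero")
    census = {}
    for start in product(range(p), repeat=k):
        state, r = list(start), 0
        while True:
            # next state: drop s_n, append s_{n+k} = -(a_{k-1} s_{n+k-1} + ... + a_0 s_n)
            state = state[1:] + [-sum(f[i] * state[i] for i in range(k)) % p]
            r += 1
            if state == list(start):
                break
        census[r] = census.get(r, 0) + 1
    return census


def example_products():
    n = 3 * 42                                    # three periods of the longest case
    alt = periodic_terms([0, 1], n)               # Example 6.69, least period 2
    s6 = periodic_terms([0, 0, 0, 1, 1, 1], n)    # impulse response of x^4 + x^3 + x + 1
    s7 = periodic_terms([0, 0, 1, 0, 1, 1, 1], n) # impulse response of x^3 + x + 1
    return {
        "alt_period": least_period(alt),
        "square_of_alt": term_product(alt, alt, 2) == alt,   # (x-1)^2 v (x-1)^2 fails
        "product67": least_period(term_product(s6, s7, 2)),  # Theorem 6.70: 6 * 7 = 42
        # Example 6.64: (x^2+x+1)^2 (x^4+x^3+1) = x^8 + x^7 + x^6 + x^5 + x^3 + x^2 + 1
        "census": period_census([1, 0, 1, 1, 0, 1, 1, 1, 1], 2),
    }
```

The census is the practical reading of Theorem 6.63: with a reducible characteristic polynomial, a noticeable share of the $q^k$ seeds produce sequences far shorter than the maximal period, which is why generators intended for maximal period use a primitive polynomial (one whose census is $\{1 : 1,\ q^k - 1 : q^k - 1\}$).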
Multiplication of sequences can be used to describe the relation between homogeneous linear recurring sequences belonging to characteristic polynomials that are powers of each other. The case in which one of the characteristic polynomials is linear has to be considered first.

6.71. Lemma. If $c$ is a nonzero element of $\mathbb{F}_q$ and $k$ is a positive integer, then
$$S((x - c)^k) = S(x - c)\,S((x - 1)^k).$$

Proof. Let the sequence $s_0, s_1, \ldots$ belong to $S(x - c)$, and let $t_0, t_1, \ldots$ belong to $S((x - 1)^k)$. Then $s_n = c^n s_0$ for $n = 0, 1, \ldots$ and
$$\sum_{i=0}^{k}\binom{k}{i}(-1)^{k-i}\,t_{n+i} = 0 \quad \text{for } n = 0, 1, \ldots.$$
It follows that
$$\sum_{i=0}^{k}\binom{k}{i}(-c)^{k-i}\,s_{n+i}t_{n+i} = 0 \quad \text{for } n = 0, 1, \ldots,$$
and so $(x - c)^k$ is a characteristic polynomial of the product sequence $s_0t_0, s_1t_1, \ldots$. Consequently, the vector space $S(x - c)\,S((x - 1)^k)$ is a subspace of $S((x - c)^k)$. Since $c \ne 0$, the first vector space has dimension $k$ over $\mathbb{F}_q$ and is thus equal to $S((x - c)^k)$, which has the same dimension over $\mathbb{F}_q$. □

6.72. Theorem. Let $f(x) \in \mathbb{F}_q[x]$ be a nonconstant monic polynomial with $f(0) \ne 0$ and without multiple roots, and let $k$ be a positive integer. Then
$$S(f(x)^k) = S(f(x))\,S((x - 1)^k).$$

Proof. Let $F$ be the splitting field of $f(x)$ over $\mathbb{F}_q$. Then, with $\alpha$ running through the roots of $f(x)$, we get
$$S_F(f(x)^k) = \sum_{\alpha} S_F((x - \alpha)^k)$$
by Theorem 6.55. Using Lemma 6.71 and the distributive law shown in the proof of Theorem 6.67, we obtain
$$S_F(f(x)^k) = \sum_{\alpha} S_F((x - 1)^k)\,S_F(x - \alpha) = S_F((x - 1)^k)\sum_{\alpha} S_F(x - \alpha) = S_F((x - 1)^k)\,S_F(f(x)),$$
where we applied Theorem 6.55 in the last step. The desired result follows now from Lemma 6.68. □

6. CHARACTERIZATION OF LINEAR RECURRING SEQUENCES
It is an important problem to decide whether a given sequence of elements of $\mathbb{F}_q$ is a linear recurring sequence or not. From the theoretical point of view, the question can be settled immediately since the linear recurring sequences in $\mathbb{F}_q$ are precisely the ultimately periodic sequences. However, the periods of a linear recurring sequence (even of one of moderately low order) can be extremely long, so that in practice it may not be feasible to determine the nature of the sequence on the basis of this criterion.

Alternative ways of characterizing linear recurring sequences employ techniques from linear algebra. Let $s_0, s_1, \ldots$ be an arbitrary sequence of elements of $\mathbb{F}_q$. For integers $n \ge 0$ and $r \ge 1$, we introduce the Hankel determinants
$$D_n^{(r)} = \begin{vmatrix} s_n & s_{n+1} & \cdots & s_{n+r-1} \\ s_{n+1} & s_{n+2} & \cdots & s_{n+r} \\ \vdots & \vdots & & \vdots \\ s_{n+r-1} & s_{n+r} & \cdots & s_{n+2r-2} \end{vmatrix}.$$
It will transpire that linear recurring sequences can be characterized in terms of the vanishing of sufficiently many of these Hankel determinants.

6.73. Lemma. Let $s_0, s_1, \ldots$ be an arbitrary sequence in $\mathbb{F}_q$, and let $n \ge 0$ and $r \ge 1$ be integers. Then $D_n^{(r)} = D_n^{(r+1)} = 0$ implies $D_{n+1}^{(r)} = 0$.
Proof. For $m \ge 0$ define the vector $\mathbf{s}_m = (s_m, s_{m+1}, \ldots, s_{m+r-1})$. From $D_n^{(r)} = 0$ it follows that the vectors $\mathbf{s}_n, \mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+r-1}$ are linearly dependent over $\mathbb{F}_q$. If $\mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+r-1}$ are already linearly dependent over $\mathbb{F}_q$, we immediately get $D_{n+1}^{(r)} = 0$. Otherwise, $\mathbf{s}_n$ is a linear combination of $\mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+r-1}$. Set $\mathbf{s}'_m = (s_m, s_{m+1}, \ldots, s_{m+r})$ for $m \ge 0$. Then the vectors $\mathbf{s}'_n, \mathbf{s}'_{n+1}, \ldots, \mathbf{s}'_{n+r}$, being the row vectors of the vanishing determinant $D_n^{(r+1)}$, are linearly dependent over $\mathbb{F}_q$. If $\mathbf{s}'_n, \mathbf{s}'_{n+1}, \ldots, \mathbf{s}'_{n+r-1}$ are already linearly dependent over $\mathbb{F}_q$, then an application of the linear transformation
$$L_1\colon (a_0, a_1, \ldots, a_r) \in \mathbb{F}_q^{r+1} \mapsto (a_1, \ldots, a_r) \in \mathbb{F}_q^{r}$$
shows that $\mathbf{s}_{n+1}, \mathbf{s}_{n+2}, \ldots, \mathbf{s}_{n+r}$ are linearly dependent over $\mathbb{F}_q$, and so $D_{n+1}^{(r)} = 0$. Otherwise, $\mathbf{s}'_{n+r}$ is a linear combination of $\mathbf{s}'_n, \mathbf{s}'_{n+1}, \ldots, \mathbf{s}'_{n+r-1}$, and by an application of the linear transformation
$$L_2\colon (a_0, \ldots, a_{r-1}, a_r) \in \mathbb{F}_q^{r+1} \mapsto (a_0, \ldots, a_{r-1}) \in \mathbb{F}_q^{r}$$
we obtain that $\mathbf{s}_{n+r}$ is a linear combination of $\mathbf{s}_n, \mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+r-1}$. But in the case under consideration $\mathbf{s}_n$ is a linear combination of $\mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+r-1}$, so that the row vectors $\mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+r-1}, \mathbf{s}_{n+r}$ of $D_{n+1}^{(r)}$ are linearly dependent over $\mathbb{F}_q$, which implies $D_{n+1}^{(r)} = 0$. □
6.74. Theorem. The sequence $s_0, s_1, \ldots$ in $\mathbb{F}_q$ is a linear recurring sequence if and only if there exists a positive integer $r$ such that $D_n^{(r)} = 0$ for all but finitely many $n \ge 0$.

Proof. Suppose $s_0, s_1, \ldots$ satisfies a $k$th-order homogeneous linear recurrence relation. For any fixed $n \ge 0$, consider the determinant $D_n^{(k+1)}$. Because of the linear recurrence relation, the $(k+1)$st row of $D_n^{(k+1)}$ is a linear combination of the first $k$ rows, and so $D_n^{(k+1)} = 0$. The inhomogeneous case reduces to the homogeneous case by (6.5).

To show sufficiency, let $k + 1$ be the least positive integer such that $D_n^{(k+1)} = 0$ for all but finitely many $n \ge 0$. If $k + 1 = 1$, then we are done, and so we may assume $k \ge 1$. There is an integer $m \ge 0$ with $D_n^{(k+1)} = 0$ for all $n \ge m$. If we had $D_{n_0}^{(k)} = 0$ for some $n_0 \ge m$, then $D_n^{(k)} = 0$ for all $n \ge n_0$ by Lemma 6.73, which contradicts the definition of $k + 1$. Therefore, $D_n^{(k)} \ne 0$ for all $n \ge m$. Setting $\mathbf{s}_n = (s_n, s_{n+1}, \ldots, s_{n+k})$, we note that for $n \ge m$ the vectors $\mathbf{s}_n, \mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+k}$, being the row vectors of $D_n^{(k+1)}$, are linearly dependent over $\mathbb{F}_q$. Since $D_n^{(k)} \ne 0$, the vectors $\mathbf{s}_n, \mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+k-1}$ are linearly independent over $\mathbb{F}_q$, and so $\mathbf{s}_{n+k}$ is a linear combination of $\mathbf{s}_n, \mathbf{s}_{n+1}, \ldots, \mathbf{s}_{n+k-1}$. It follows then by induction that each $\mathbf{s}_n$ with $n \ge m$ is a linear combination of $\mathbf{s}_m, \mathbf{s}_{m+1}, \ldots, \mathbf{s}_{m+k-1}$. The latter are $k$ vectors in $\mathbb{F}_q^{k+1}$, therefore there exists a nonzero vector $(a_0, a_1, \ldots, a_k) \in \mathbb{F}_q^{k+1}$ orthogonal to all of them, that is, with
$$a_0 s_n + a_1 s_{n+1} + \cdots + a_k s_{n+k} = 0 \quad \text{for } m \le n \le m + k - 1.$$
This implies that $(a_0, a_1, \ldots, a_k)$ is orthogonal to every $\mathbf{s}_n$ with $n \ge m$, or
$$a_0 s_n + a_1 s_{n+1} + \cdots + a_k s_{n+k} = 0 \quad \text{for all } n \ge m.$$
Thus, the sequence $s_0, s_1, \ldots$ satisfies a homogeneous linear recurrence relation of order at most $m + k$. □

6.75. Theorem. The sequence $s_0, s_1, \ldots$ in $\mathbb{F}_q$ is a homogeneous linear recurring sequence with minimal polynomial of degree $k$ if and only if $D_0^{(r)} = 0$ for all $r \ge k + 1$ and $k + 1$ is the least positive integer for which this holds.

Proof. If a given linear recurring sequence is the zero sequence, the necessity of the condition is clear. Otherwise, we have $k \ge 1$, and $D_0^{(r)} = 0$ for all $r \ge k + 1$ follows since the $(k+1)$st row of $D_0^{(r)}$ is a linear combination of the first $k$ rows. Moreover, we get $D_0^{(k)} \ne 0$ from Theorem 6.51, and so the necessity of the condition is shown in all cases. Conversely, suppose the condition on the Hankel determinants is satisfied. By using Lemma 6.73 and induction on $n$, one establishes that $D_n^{(r)} = 0$ for all $r \ge k + 1$ and all $n \ge 0$. In particular, $D_n^{(k+1)} = 0$ for all $n \ge 0$, and so $s_0, s_1, \ldots$ is a linear recurring sequence by Theorem 6.74. If its minimal polynomial has degree $d$, then, by what we have already shown in the first part, we know that $D_0^{(r)} = 0$ for all $r \ge d + 1$ and that $d + 1$ is the least positive integer for which this holds. It follows that $d = k$. □

We note that if a homogeneous linear recurring sequence is known to have a minimal polynomial of degree $k \ge 1$, then the minimal polynomial is determined by the first $2k$ terms of the sequence. To see this, write down the equations (6.2) for $n = 0, 1, \ldots, k - 1$, thereby obtaining a system of $k$ linear equations for the unknown coefficients $a_0, a_1, \ldots, a_{k-1}$ of the minimal polynomial. The determinant of this system is $D_0^{(k)}$, which is $\ne 0$ by Theorem 6.51. Therefore, the system can be solved uniquely.

An important question is that of the actual computation of the minimal polynomial of a given homogeneous linear recurring sequence. To be sure, a method of finding the minimal polynomial was already presented in the course of the proof of Theorem 6.42. This method depends on the prior knowledge of a characteristic polynomial of the sequence and on the determination of a greatest common divisor in $\mathbb{F}_q[x]$. We shall now discuss a recursive algorithm (called Berlekamp-Massey algorithm) which produces the minimal polynomial after finitely many steps, provided we know an upper bound for the degree of the minimal polynomial.

Let $s_0, s_1, \ldots$ be a sequence of elements of $\mathbb{F}_q$ with generating function $G(x) = \sum_{n=0}^{\infty} s_n x^n$. For $j = 0, 1, \ldots$ we define polynomials $g_j(x)$ and $h_j(x)$ over $\mathbb{F}_q$, integers $m_j$, and elements $b_j$ of $\mathbb{F}_q$ as follows. Initially, we set
$$g_0(x) = 1, \quad h_0(x) = x, \quad \text{and} \quad m_0 = 0. \tag{6.19}$$
Then we proceed recursively by letting $b_j$ be the coefficient of $x^j$ in $g_j(x)G(x)$ and setting
$$g_{j+1}(x) = g_j(x) - b_j h_j(x),$$
$$h_{j+1}(x) = \begin{cases} x\,b_j^{-1}g_j(x) & \text{if } b_j \ne 0 \text{ and } m_j \ge 0, \\ x\,h_j(x) & \text{otherwise,} \end{cases}$$
$$m_{j+1} = \begin{cases} -m_j & \text{if } b_j \ne 0 \text{ and } m_j \ge 0, \\ m_j + 1 & \text{otherwise.} \end{cases} \tag{6.20}$$
If $s_0, s_1, \ldots$ is a homogeneous linear recurring sequence with a minimal polynomial of degree $k$, then it turns out that $g_{2k}(x)$ is equal to the reciprocal minimal polynomial. Thus, the minimal polynomial $m(x)$ itself is given by $m(x) = x^k g_{2k}(1/x)$. If it is only known that the minimal polynomial is of degree $\le k$, then set $r = \lfloor k + \tfrac{1}{2} - \tfrac{1}{2}m_{2k} \rfloor$, where $\lfloor y \rfloor$ denotes the greatest integer $\le y$, and the minimal polynomial $m(x)$ is given by $m(x) = x^r g_{2k}(1/x)$. In both cases, it is seen immediately from the algorithm that $m(x)$ depends only on the $2k$ terms $s_0, s_1, \ldots, s_{2k-1}$ of the sequence. Therefore, one may replace the generating function $G(x)$ in the algorithm by the polynomial
$$G_{2k-1}(x) = \sum_{n=0}^{2k-1} s_n x^n.$$
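The recursion (6.19)-(6.20) over a prime field $\mathbb{F}_p$, run on the two sequences of Examples 6.76 and 6.77 below, together with the Hankel determinants $D_0^{(r)}$ of Theorem 6.75 and the continuation of a sequence from its recovered minimal polynomial. This is an added example and not code from the book; the function names, the list representation of polynomials (coefficients in increasing degree) and the two helper routines are my own. The continuation step is the point a security practitioner should take away: a keystream produced by a linear recurrence of order $k$ is determined, and can be reproduced, from any $2k$ consecutive output symbols.

```python
"""Berlekamp-Massey recursion (6.19)-(6.20) over F_p, Hankel determinants D_0^(r),
and continuation of a sequence from its minimal polynomial.
Added example (not from the book); all names are my own.
Polynomials are coefficient lists, lowest degree first."""


def _combine(a, b, c, p):
    """a(x) + c * b(x) over F_p."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + c * y) % p for x, y in zip(a, b)]


def berlekamp_massey(s, p, k):
    """Run (6.19)-(6.20) for j = 0, ..., 2k-1 on s_0, ..., s_{2k-1}, where k bounds the
    degree of the minimal polynomial.  Returns (minpoly, r, m_2k) with
    minpoly = [c_0, ..., c_r] the coefficients of m(x) = x^r g_2k(1/x) and
    r = floor(k + 1/2 - m_2k/2).  The result is meaningless if the true degree exceeds k."""
    if len(s) < 2 * k:
        raise ValueError("need at least 2k terms")
    g, h, m = [1], [0, 1], 0                       # (6.19): g_0 = 1, h_0 = x, m_0 = 0
    for j in range(2 * k):
        # b_j = coefficient of x^j in g_j(x) G(x); only s_0, ..., s_j contribute
        b = sum(g[i] * s[j - i] for i in range(min(len(g), j + 1))) % p
        g_next = _combine(g, h, -b, p)             # g_{j+1} = g_j - b_j h_j
        if b != 0 and m >= 0:
            inv = pow(b, -1, p)
            h = [0] + [c * inv % p for c in g]     # h_{j+1} = x b_j^{-1} g_j
            m = -m
        else:
            h = [0] + h                            # h_{j+1} = x h_j
            m += 1
        g = g_next
    r = (2 * k + 1 - m) // 2                       # floor(k + 1/2 - m_2k/2)
    if any(g[r + 1:]):
        raise ValueError("deg g_2k exceeds r: the degree bound k was wrong")
    g = (g + [0] * (r + 1))[:r + 1]
    return g[::-1], r, m                           # x^r g_2k(1/x) reverses the list


def det_mod(mat, p):
    """Determinant of a square matrix over F_p by Gaussian elimination."""
    a = [row[:] for row in mat]
    n, d = len(a), 1
    for c in range(n):
        piv = next((i for i in range(c, n) if a[i][c] % p), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            d = -d
        d = d * a[c][c] % p
        inv = pow(a[c][c], -1, p)
        for i in range(c + 1, n):
            f = a[i][c] * inv % p
            a[i] = [(x - f * y) % p for x, y in zip(a[i], a[c])]
    return d % p


def hankel_dets(s, p):
    """[D_0^(1), D_0^(2), ...] as far as the sample allows (D_0^(r) uses s_0..s_{2r-2})."""
    rmax = (len(s) + 1) // 2
    return [det_mod([[s[i + j] for j in range(r)] for i in range(r)], p)
            for r in range(1, rmax + 1)]


def continue_sequence(s, minpoly, p, n):
    """Extend s to n terms with the recurrence of the monic minpoly [c_0, ..., c_r]:
    s_{i+r} = -(c_{r-1} s_{i+r-1} + ... + c_0 s_i) mod p."""
    r = len(minpoly) - 1
    out = list(s[:r])
    while len(out) < n:
        out.append(-sum(minpoly[i] * out[len(out) - r + i] for i in range(r)) % p)
    return out


def examples():
    ex76 = [0, 2, 1, 0, 1, 2, 1, 0]      # Example 6.76: F_3, order <= 4
    ex77 = [1, 1, 0, 0, 1, 0, 1, 1]      # Example 6.77: F_2, order <= 4
    m76, r76, _ = berlekamp_massey(ex76, 3, 4)
    m77, r77, _ = berlekamp_massey(ex77, 2, 4)
    return {
        "m76": m76, "r76": r76, "h76": hankel_dets(ex76, 3),
        "m77": m77, "r77": r77, "h77": hankel_dets(ex77, 2),
        "pred76": continue_sequence(ex76[:r76], m76, 3, 8) == ex76,
        "pred77": continue_sequence(ex77[:r77], m77, 2, 8) == ex77,
    }
```

For Example 6.77 the Hankel determinants come out as $D_0^{(1)} = D_0^{(2)} = D_0^{(3)} = 1$ and $D_0^{(4)} = 0$, in line with a minimal polynomial of degree 3. For Example 6.76 one finds $D_0^{(1)} = 0$ but $D_0^{(2)}, D_0^{(3)}, D_0^{(4)} \ne 0$, which shows why Theorem 6.75 asks for the vanishing of $D_0^{(r)}$ for all $r \ge k + 1$ rather than for a single $r$: an isolated zero determinant says nothing.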
6.76. Example. The first 8 terms of a homogeneous linear recurring sequence in $\mathbb{F}_3$ of order $\leq 4$ are given by $0, 2, 1, 0, 1, 2, 1, 0$. To find the minimal polynomial, we use the Berlekamp-Massey algorithm with
$$G_7(x) = 2x + x^2 + x^4 + 2x^5 + x^6 \in \mathbb{F}_3[x]$$
in place of $G(x)$. The computation is summarized in the following table.

  j | g_j(x)                 | h_j(x)                  | b_j | m_j
  0 | 1                      | x                       |  0  |  0
  1 | 1                      | x^2                     |  2  |  1
  2 | 1 + x^2                | 2x                      |  1  | -1
  3 | 1 + x + x^2            | 2x^2                    |  0  |  0
  4 | 1 + x + x^2            | 2x^3                    |  2  |  1
  5 | 1 + x + x^2 + 2x^3     | 2x + 2x^2 + 2x^3        |  2  | -1
  6 | 1 + x^3                | 2x^2 + 2x^3 + 2x^4      |  1  |  0
  7 | 1 + x^2 + 2x^3 + x^4   | x + x^4                 |  1  |  0
  8 | 1 + 2x + x^2 + 2x^3    | x + x^3 + 2x^4 + x^5    |     |  0
Then $r = \lfloor 4 + \tfrac{1}{2} - \tfrac{1}{2} m_8 \rfloor = 4$, and so $m(x) = x^4 + 2x^3 + x^2 + 2x$. The homogeneous linear recurrence relation of least order satisfied by the sequence is therefore $s_{n+4} = s_{n+3} + 2s_{n+2} + s_{n+1}$ for $n = 0, 1, \ldots$. □

6.77. Example. Find the homogeneous linear recurring sequence in $\mathbb{F}_2$ of least order whose first 8 terms are $1, 1, 0, 0, 1, 0, 1, 1$. We use the Berlekamp-Massey algorithm with
$$G_7(x) = 1 + x + x^4 + x^6 + x^7 \in \mathbb{F}_2[x]$$
in place of $G(x)$. The computation is summarized in the following table.

  j | g_j(x)          | h_j(x)     | b_j | m_j
  0 | 1               | x          |  1  |  0
  1 | 1 + x           | x          |  0  |  0
  2 | 1 + x           | x^2        |  1  |  1
  3 | 1 + x + x^2     | x + x^2    |  1  | -1
  4 | 1               | x^2 + x^3  |  1  |  0
  5 | 1 + x^2 + x^3   | x          |  0  |  0
  6 | 1 + x^2 + x^3   | x^2        |  0  |  1
  7 | 1 + x^2 + x^3   | x^3        |  0  |  2
  8 | 1 + x^2 + x^3   | x^4        |     |  3

Then $r = \lfloor 4 + \tfrac{1}{2} - \tfrac{1}{2} m_8 \rfloor = 3$, and so $m(x) = x^3 + x + 1$. Therefore, the given terms form the initial segment of a homogeneous linear recurring sequence $s_0, s_1, \ldots$ satisfying $s_{n+3} = s_{n+1} + s_n$ for $n = 0, 1, \ldots$, and no such sequence of lower order with these initial terms exists. □

We shall now prove, in general, that the Berlekamp-Massey algorithm
yields the minimal polynomial after the indicated number of steps. To this end, we define auxiliary polynomials $u_j(x)$ and $v_j(x)$ over $\mathbb{F}_q$ recursively by setting
$$u_0(x) = 0, \quad v_0(x) = -1, \tag{6.21}$$
and then for $j = 0, 1, \ldots$:
$$u_{j+1}(x) = u_j(x) - b_j v_j(x), \qquad v_{j+1}(x) = \begin{cases} x\, b_j^{-1} u_j(x) & \text{if } b_j \neq 0 \text{ and } m_j \geq 0, \\ x\, v_j(x) & \text{otherwise.} \end{cases} \tag{6.22}$$
We claim that for each $j \geq 0$ we have
$$\deg(g_j(x)) \leq \tfrac{1}{2}(j + 1 - m_j) \quad \text{and} \quad \deg(h_j(x)) \leq \tfrac{1}{2}(j + 2 + m_j). \tag{6.23}$$
This is obvious for $j = 0$ because of the initial conditions in (6.19), and assuming the inequalities to be shown for some $j \geq 0$, we get from (6.20) in the case where $b_j \neq 0$ and $m_j \geq 0$,
$$\deg(g_{j+1}(x)) \leq \max(\deg(g_j(x)), \deg(h_j(x))) \leq \tfrac{1}{2}(j + 2 + m_j) = \tfrac{1}{2}(j + 2 - m_{j+1}).$$
Otherwise, $\deg(g_{j+1}(x)) \leq \tfrac{1}{2}(j + 1 - m_j) = \tfrac{1}{2}(j + 2 - m_{j+1})$. The same distinction of cases proves the second inequality in (6.23). A similar inductive argument shows that for each $j \geq 0$ we have analogous degree bounds for $u_j(x)$ and $v_j(x)$; these bounds are referred to as (6.24) in what follows.

The auxiliary polynomials $u_j(x)$ and $v_j(x)$ are related to the polynomials $g_j(x)$ and $h_j(x)$ occurring in the algorithm by means of the following congruences, valid for each $j \geq 0$:
$$g_j(x)G(x) \equiv u_j(x) + b_j x^j \bmod x^{j+1}, \tag{6.25}$$
$$h_j(x)G(x) \equiv v_j(x) + x^j \bmod x^{j+1}. \tag{6.26}$$
Both (6.25) and (6.26) are true for $j = 0$ because of (6.19), (6.21), and the definition of $b_0$. Assuming them to be shown for some $j \geq 0$, we get
$$g_{j+1}(x)G(x) = g_j(x)G(x) - b_j h_j(x)G(x) \equiv u_j(x) + b_j x^j + c_{j+1}x^{j+1} - b_j\left(v_j(x) + x^j + d_{j+1}x^{j+1}\right) \equiv u_{j+1}(x) + e_{j+1}x^{j+1} \bmod x^{j+2}$$
with suitable coefficients $c_{j+1}, d_{j+1}, e_{j+1} \in \mathbb{F}_q$. Since $|m_j| \leq j$, as is seen easily by induction, we have $\deg(u_{j+1}(x)) \leq j$ from (6.24). Therefore, $e_{j+1}$ is the coefficient of $x^{j+1}$ in $g_{j+1}(x)G(x)$, and so $e_{j+1} = b_{j+1}$. The induction step for (6.26) is carried out similarly. Next, one establishes by a straightforward induction argument that
$$h_j(x)u_j(x) - g_j(x)v_j(x) = x^j \quad \text{for each } j \geq 0. \tag{6.27}$$
Now let $s(x)$ and $u(x)$ be polynomials over $\mathbb{F}_q$ with $s(0) = 1$ and $s(x)G(x) = u(x)$. Then by (6.26),
$$h_j(x)u(x) - s(x)v_j(x) = s(x)\left(h_j(x)G(x) - v_j(x)\right) \equiv s(x)x^j \equiv x^j \bmod x^{j+1},$$
and so for some $V_j(x) \in \mathbb{F}_q[x]$ we have
$$h_j(x)u(x) - s(x)v_j(x) = x^j V_j(x) \quad \text{with } V_j(0) = 1. \tag{6.28}$$
Similarly, one uses (6.25) to show that there exists $U_j(x) \in \mathbb{F}_q[x]$ with
$$g_j(x)u(x) - s(x)u_j(x) = x^j U_j(x). \tag{6.29}$$
Now suppose the minimal polynomial $m(x)$ of the given homogeneous linear recurring sequence satisfies $\deg(m(x)) \leq k$, and let $s(x)$ be the reciprocal minimal polynomial. Then $s(0) = 1$ and $\deg(s(x)) \leq k$, and from (6.15) we know that there exists $u(x) \in \mathbb{F}_q[x]$ with $s(x)G(x) = u(x)$ and $\deg(u(x)) \leq \deg(m(x)) - 1 \leq k - 1$. Consider (6.28) with $j = 2k$. Using (6.23) and (6.24), we obtain
$$\deg(h_{2k}(x)u(x)) \leq \tfrac{1}{2}(2k + 2 + m_{2k}) + k - 1 = 2k + \tfrac{1}{2}m_{2k}$$
and
$$\deg(s(x)v_{2k}(x)) \leq 2k + \tfrac{1}{2}m_{2k},$$
and so $\deg(h_{2k}(x)u(x) - s(x)v_{2k}(x)) \leq 2k + \tfrac{1}{2}m_{2k}$. On the other hand, $\deg(h_{2k}(x)u(x) - s(x)v_{2k}(x)) = \deg(x^{2k}V_{2k}(x)) \geq 2k$, and these inequalities are only compatible if $m_{2k} \geq 0$. Using again (6.23) and (6.24), one verifies that $\deg(g_{2k}(x)u(x))$ and $\deg(s(x)u_{2k}(x))$ are both $\leq 2k - \tfrac{1}{2} - \tfrac{1}{2}m_{2k}$, hence (6.29) shows that
$$\deg(x^{2k}U_{2k}(x)) = \deg(g_{2k}(x)u(x) - s(x)u_{2k}(x)) < 2k.$$
But this is only possible if $U_{2k}(x)$ is the zero polynomial. Consequently, (6.29) yields $g_{2k}(x)u(x) = s(x)u_{2k}(x)$, and multiplying (6.28) for $j = 2k$ by $g_{2k}(x)$ leads to
$$h_{2k}(x)g_{2k}(x)u(x) - s(x)g_{2k}(x)v_{2k}(x) = s(x)\left(h_{2k}(x)u_{2k}(x) - g_{2k}(x)v_{2k}(x)\right) = x^{2k}V_{2k}(x)g_{2k}(x).$$
Together with (6.27), we get $s(x) = V_{2k}(x)g_{2k}(x)$, which implies $u(x) = V_{2k}(x)u_{2k}(x)$. Since $s(x)$ is the reciprocal minimal polynomial, it follows from the second part of Theorem 6.40 that $s(x)$ and $u(x)$ are relatively prime. Because of this fact, $V_{2k}(x)$ must be a constant polynomial, and since $V_{2k}(0) = 1$ by (6.28), we actually have $V_{2k}(x) = 1$. Therefore $s(x) = g_{2k}(x)$, and as a by-product we obtain $u(x) = u_{2k}(x)$. If $\deg(m(x)) = k$, then $m(x) = x^k s(1/x) = x^k g_{2k}(1/x)$, as we claimed earlier. If $\deg(m(x)) = l \leq k$, then the same argument with $k$ replaced by $l$ gives $s(x) = g_{2l}(x)$, $u(x) = u_{2l}(x)$, and $m_{2l} \geq 0$. Clearly, $\max(\deg(s(x)), 1 + \deg(u(x))) \leq l$, and the second part of Theorem 6.40 implies that $l = \max(\deg(s(x)), 1 + \deg(u(x)))$. It follows then from (6.23) and (6.24) that
$$l = \max(\deg(g_{2l}(x)), 1 + \deg(u_{2l}(x))) \leq l + \tfrac{1}{2} - \tfrac{1}{2}m_{2l},$$
and so $m_{2l} = 0$ or $1$. Furthermore, we note that $g_j(x) = s(x)$ and $b_j = 0$ for all $j \geq 2l$, so that $m_j = m_{2l} + j - 2l$ for all $j \geq 2l$ by the definition of $m_j$. Setting $j = 2k$, we obtain $l = k + \tfrac{1}{2}m_{2l} - \tfrac{1}{2}m_{2k}$, and since $m_{2l} = 0$ or $1$, we conclude that $l = \lfloor k + \tfrac{1}{2} - \tfrac{1}{2}m_{2k} \rfloor$. Therefore, $m(x) = x^l s(1/x) = x^l g_{2k}(1/x)$, in accordance with our claim.
7. DISTRIBUTION PROPERTIES OF LINEAR RECURRING SEQUENCES

We are interested in the number of occurrences of a given element of $\mathbb{F}_q$ in either the full period or parts of the period of a linear recurring sequence in $\mathbb{F}_q$. In order to provide general information on this question, we first carry out a detailed study of exponential sums that involve linear recurring sequences. It will then become apparent that in the case of linear recurring sequences for which the least period is large, the elements of the underlying finite field appear about equally often in the full period and also in large segments of the full period.

Let $s_0, s_1, \ldots$ be a $k$th-order linear recurring sequence in $\mathbb{F}_q$ satisfying (6.1), let $r$ be its least period and $n_0$ its preperiod, so that $s_{n+r} = s_n$ for $n \geq n_0$. With this sequence we associate a positive integer $R$ in the following way. Consider the impulse response sequence $d_0, d_1, \ldots$ satisfying (6.6), let $r_1$ be its least period and $n_1$ its preperiod; then we set $R = r_1 + n_1$. Of course, $R$ depends only on the linear recurrence relation (6.1) and not on the specific form of the sequence. If $s_0, s_1, \ldots$ is a homogeneous linear recurring sequence with characteristic polynomial $f(x) \in \mathbb{F}_q[x]$, then $r_1 =$ or
6.78. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order linear recurring sequence in $\mathbb{F}_q$ with least period $r$ and preperiod $n_0$, and let $R$ be the positive integer introduced above. Let $\chi$ be a nontrivial additive character of $\mathbb{F}_q$. Then for every integer $h$ we have
$$\left|\sum_{n=u}^{u+r-1}\chi(s_n)\, e\!\left(\frac{hn}{r}\right)\right| \leq \left(\frac{r}{R}\right)^{1/2} q^{k/2} \quad \text{for all } u \geq n_0. \tag{6.30}$$
In particular, we have
$$\left|\sum_{n=u}^{u+r-1}\chi(s_n)\right| \leq \left(\frac{r}{R}\right)^{1/2} q^{k/2} \quad \text{for all } u \geq n_0. \tag{6.31}$$
Proof. By changing the initial state vector from $\mathbf{s}_0$ to $\mathbf{s}_u$, which does not affect the upper bound in (6.30), we may assume, without loss of generality, that the sequence $s_0, s_1, \ldots$ is periodic and that $u = 0$. For a column vector $\mathbf{b} = (b_0, b_1, \ldots, b_{k-1})^T$ in $\mathbb{F}_q^k$ and an integer $h$, we set
$$\sigma(\mathbf{b}; h) = \sigma(b_0, b_1, \ldots, b_{k-1}; h) = \sum_{n=0}^{r-1}\chi(b_0 s_n + b_1 s_{n+1} + \cdots + b_{k-1}s_{n+k-1})\, e\!\left(\frac{hn}{r}\right).$$
Since the general term of this sum has period $r$ as a function of $n$, we can write
$$\sigma(\mathbf{b}; h) = \sum_{n=0}^{r-1}\chi(b_0 s_{n+1} + b_1 s_{n+2} + \cdots + b_{k-1}s_{n+k})\, e\!\left(\frac{h(n+1)}{r}\right).$$
Using the linear recurrence relation (6.1), we get
$$|\sigma(\mathbf{b}; h)| = \left|\sum_{n=0}^{r-1}\chi\big(b_0 s_{n+1} + b_1 s_{n+2} + \cdots + b_{k-2}s_{n+k-1} + b_{k-1}(a_0 s_n + a_1 s_{n+1} + \cdots + a_{k-1}s_{n+k-1} + a)\big)\, e\!\left(\frac{hn}{r}\right)\right|$$
$$= |\sigma(b_{k-1}a_0,\; b_0 + b_{k-1}a_1,\; \ldots,\; b_{k-2} + b_{k-1}a_{k-1};\; h)|.$$
This identity can be written in the form $|\sigma(\mathbf{b}; h)| = |\sigma(A\mathbf{b}; h)|$, where $A$ is the matrix in (6.3). It follows by induction that
$$|\sigma(\mathbf{b}; h)| = |\sigma(A^j\mathbf{b}; h)| \quad \text{for all } j \geq 0. \tag{6.32}$$
Let $\mathbf{d}$ be the column vector $\mathbf{d} = (1, 0, \ldots, 0)^T$ in $\mathbb{F}_q^k$ and let $\mathbf{d}_0, \mathbf{d}_1, \ldots$ be the state vectors of the impulse response sequence $d_0, d_1, \ldots$ satisfying (6.6). Then we claim that two state vectors $\mathbf{d}_m$ and $\mathbf{d}_n$ are identical if and only if $A^m\mathbf{d} = A^n\mathbf{d}$. For if $\mathbf{d}_m = \mathbf{d}_n$, then $A^m\mathbf{d} = A^n\mathbf{d}$ follows from Lemma 6.15. On the other hand, if $A^m\mathbf{d} = A^n\mathbf{d}$, then $A^{m+j}\mathbf{d} = A^{n+j}\mathbf{d}$, and so $A^m(A^j\mathbf{d}) = A^n(A^j\mathbf{d})$, for all $j \geq 0$. But since the vectors $\mathbf{d}, A\mathbf{d}, A^2\mathbf{d}, \ldots, A^{k-1}\mathbf{d}$ form a basis for the vector space $\mathbb{F}_q^k$ over $\mathbb{F}_q$, we get $A^m = A^n$, which implies $\mathbf{d}_m = \mathbf{d}_n$ by Lemma 6.15. The distinct vectors in the sequence $\mathbf{d}_0, \mathbf{d}_1, \ldots$ are exactly given by $\mathbf{d}_0, \mathbf{d}_1, \ldots, \mathbf{d}_{R-1}$. Therefore, by what we have just shown, the distinct vectors among $\mathbf{d}, A\mathbf{d}, A^2\mathbf{d}, \ldots$ are exactly given by $\mathbf{d}, A\mathbf{d}, \ldots, A^{R-1}\mathbf{d}$. Using (6.32), we get
$$R\,|\sigma(\mathbf{d}; h)|^2 = \sum_{j=0}^{R-1}|\sigma(A^j\mathbf{d}; h)|^2 \leq \sum_{\mathbf{b}}|\sigma(\mathbf{b}; h)|^2, \tag{6.33}$$
where the last sum is taken over all column vectors $\mathbf{b}$ in $\mathbb{F}_q^k$. Now
$$\sum_{\mathbf{b}}|\sigma(\mathbf{b}; h)|^2 = \sum_{\mathbf{b}}\sigma(\mathbf{b}; h)\,\overline{\sigma(\mathbf{b}; h)} = \sum_{b_0,\ldots,b_{k-1}\in\mathbb{F}_q}\;\sum_{m,n=0}^{r-1}\chi\big(b_0(s_m - s_n) + \cdots + b_{k-1}(s_{m+k-1} - s_{n+k-1})\big)\, e\!\left(\frac{h(m-n)}{r}\right)$$
$$= \sum_{m,n=0}^{r-1} e\!\left(\frac{h(m-n)}{r}\right)\left(\sum_{b_0\in\mathbb{F}_q}\chi(b_0(s_m - s_n))\right)\cdots\left(\sum_{b_{k-1}\in\mathbb{F}_q}\chi(b_{k-1}(s_{m+k-1} - s_{n+k-1}))\right). \tag{6.34}$$
We note that for $c \in \mathbb{F}_q$ we have
$$\sum_{b\in\mathbb{F}_q}\chi(bc) = \begin{cases} 0 & \text{if } c \neq 0, \\ q & \text{if } c = 0, \end{cases}$$
according to (5.9). Therefore, in the last expression in (6.34) one only gets a contribution from those ordered pairs $(m, n)$ for which simultaneously $s_m = s_n, \ldots, s_{m+k-1} = s_{n+k-1}$. But since $0 \leq m, n \leq r - 1$, this is only possible for $m = n$. It follows that
$$\sum_{\mathbf{b}}|\sigma(\mathbf{b}; h)|^2 = rq^k.$$
By combining this with (6.33), we arrive at $|\sigma(\mathbf{d}; h)| \leq (r/R)^{1/2}q^{k/2}$, which proves (6.30). The inequality (6.31) results from (6.30) by setting $h = 0$. □

6.79. Remark. Let $\chi$ be a nontrivial additive character of $\mathbb{F}_q$ and let $\psi$ be an arbitrary multiplicative character of $\mathbb{F}_q$. Then the Gaussian sum $G(\psi, \chi)$ can be considered as a special case of the sum in (6.30). To see this, let $g$ be a primitive element of $\mathbb{F}_q$ and introduce the first-order linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_q$ with $s_0 = 1$ and $s_{n+1} = g s_n$ for $n = 0, 1, \ldots$. Then $r = R = q - 1$ and $n_0 = 0$. We note that $\psi(g) = e(h/r)$ for some integer $h$. Thus we can write
$$G(\psi, \chi) = \sum_{n=0}^{r-1}\chi(g^n)\psi(g^n) = \sum_{n=0}^{r-1}\chi(s_n)\, e\!\left(\frac{hn}{r}\right).$$
If $\psi$ is nontrivial, then in this special case both sides of (6.30) are identical according to (5.15). □

The sums in Theorem 6.78 are extended over a full period of the given linear recurring sequence. An estimate for character sums over segments of the period can be deduced from this result. We need the following auxiliary inequality.
6.80. Lemma. For any positive integers $r$ and $N$ we have
$$\sum_{h=0}^{r-1}\left|\sum_{j=0}^{N-1} e\!\left(\frac{hj}{r}\right)\right| < \frac{2}{\pi}\, r\log r + \frac{2}{5}\, r + N. \tag{6.35}$$
Proof. The inequality is trivial for $r = 1$. For $r \geq 2$ we have
$$\left|\sum_{j=0}^{N-1} e\!\left(\frac{hj}{r}\right)\right| = \frac{|e(hN/r) - 1|}{|e(h/r) - 1|} \leq \frac{1}{|\sin(\pi h/r)|} = \csc\Big(\pi\Big\|\frac{h}{r}\Big\|\Big) \quad \text{for } 1 \leq h \leq r - 1,$$
where $\|t\|$ denotes the absolute distance from the real number $t$ to the nearest integer. It follows that
$$\sum_{h=0}^{r-1}\left|\sum_{j=0}^{N-1} e\!\left(\frac{hj}{r}\right)\right| \leq N + 2\sum_{h=1}^{\lfloor r/2\rfloor}\csc\frac{\pi h}{r}. \tag{6.36}$$
By comparing sums with integrals, we obtain
$$\sum_{h=1}^{\lfloor r/2\rfloor}\csc\frac{\pi h}{r} = \csc\frac{\pi}{r} + \sum_{h=2}^{\lfloor r/2\rfloor}\csc\frac{\pi h}{r} \leq \csc\frac{\pi}{r} + \int_1^{r/2}\csc\frac{\pi x}{r}\,dx = \csc\frac{\pi}{r} + \frac{r}{\pi}\int_{\pi/r}^{\pi/2}\csc t\,dt = \csc\frac{\pi}{r} + \frac{r}{\pi}\log\cot\frac{\pi}{2r} \leq \csc\frac{\pi}{r} - \frac{r}{\pi}\log\frac{\pi}{2r}.$$
For $r \geq 6$ we have $(\pi/r)^{-1}\sin(\pi/r) \geq (\pi/6)^{-1}\sin(\pi/6)$, hence $\sin(\pi/r) \geq 3/r$. This implies
$$\sum_{h=1}^{\lfloor r/2\rfloor}\csc\frac{\pi h}{r} \leq \frac{1}{\pi}\, r\log r + \left(\frac{1}{3} - \frac{1}{\pi}\log\frac{\pi}{2}\right) r \quad \text{for } r \geq 6,$$
and so
$$\sum_{h=1}^{\lfloor r/2\rfloor}\csc\frac{\pi h}{r} < \frac{1}{\pi}\, r\log r + \frac{1}{5}\, r \quad \text{for } r \geq 6.$$
This inequality is easily checked for $r = 3, 4$, and $5$, so that (6.35) holds for $r \geq 3$ in view of (6.36). For $r = 2$ the inequality (6.35) is shown by inspection. □
6.81. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order linear recurring sequence in $\mathbb{F}_q$, and let $r$, $n_0$, and $R$ be as in Theorem 6.78. Then, for any nontrivial additive character $\chi$ of $\mathbb{F}_q$ we have
$$\left|\sum_{n=u}^{u+N-1}\chi(s_n)\right| < \left(\frac{r}{R}\right)^{1/2} q^{k/2}\left(\frac{2}{\pi}\log r + \frac{2}{5} + \frac{N}{r}\right) \quad \text{for } u \geq n_0 \text{ and } 1 \leq N \leq r.$$
Proof. We start from the identity
$$\sum_{n=u}^{u+N-1}\chi(s_n) = \sum_{n=u}^{u+r-1}\chi(s_n)\sum_{j=0}^{N-1}\frac{1}{r}\sum_{h=0}^{r-1} e\!\left(\frac{h(n-u-j)}{r}\right) \quad \text{for } 1 \leq N \leq r,$$
which is valid since the sum over $j$ is $1$ for $u \leq n \leq u + N - 1$ and $0$ for $u + N \leq n \leq u + r - 1$. Rearranging terms, we get
$$\sum_{n=u}^{u+N-1}\chi(s_n) = \frac{1}{r}\sum_{h=0}^{r-1}\left(\sum_{j=0}^{N-1} e\!\left(-\frac{h(u+j)}{r}\right)\right)\left(\sum_{n=u}^{u+r-1}\chi(s_n)\, e\!\left(\frac{hn}{r}\right)\right),$$
and so by (6.30),
$$\left|\sum_{n=u}^{u+N-1}\chi(s_n)\right| \leq \frac{1}{r}\sum_{h=0}^{r-1}\left|\sum_{j=0}^{N-1} e\!\left(\frac{hj}{r}\right)\right|\left|\sum_{n=u}^{u+r-1}\chi(s_n)\, e\!\left(\frac{hn}{r}\right)\right| \leq \frac{1}{r}\left(\frac{r}{R}\right)^{1/2} q^{k/2}\sum_{h=0}^{r-1}\left|\sum_{j=0}^{N-1} e\!\left(\frac{hj}{r}\right)\right|.$$
An application of Lemma 6.80 yields the desired inequality. □
It should be noted that the inequalities in Theorems 6.78 and 6.81 are only of interest if the least period $r$ of $s_0, s_1, \ldots$ is sufficiently large. For small $r$, these results are actually weaker than the trivial estimate
$$\left|\sum_{n=u}^{u+N-1}\chi(s_n)\right| \leq N \quad \text{for } 1 \leq N \leq r.$$
In order to obtain nontrivial statements, $r$ should be somewhat larger than $q^{k/2}$.

Let $s_0, s_1, \ldots$ be a linear recurring sequence in $\mathbb{F}_q$ with least period $r$ and preperiod $n_0$. For $b \in \mathbb{F}_q$ we denote by $Z(b)$ the number of $n$, $n_0 \leq n \leq n_0 + r - 1$, with $s_n = b$. Therefore $Z(b)$ is the number of occurrences of $b$ in a full period of the linear recurring sequence. If $s_0, s_1, \ldots$ is a $k$th-order maximal period sequence, then $Z(b)$ can be determined explicitly. We have $r = q^k - 1$ and $n_0 = 0$ according to Theorem 6.33, and so the state vectors $\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{r-1}$ of the sequence run exactly through all nonzero vectors in $\mathbb{F}_q^k$. Consequently, $Z(b)$ is equal to the number of nonzero vectors in $\mathbb{F}_q^k$ that have $b$ as a first coordinate. Elementary counting arguments show then that $Z(b) = q^{k-1}$ for $b \neq 0$ and $Z(0) = q^{k-1} - 1$. Therefore, up to a slight aberration for the zero element, the elements of $\mathbb{F}_q$ occur equally often in a full period of a maximal period sequence.

In the general case, one cannot expect such an equitable distribution of elements. One may, however, estimate the deviation between the actual number of occurrences and the ideal number $r/q$. If $r$ is sufficiently large, then this deviation is comparatively small.
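As an added example (not from the original text), the following Python code computes $r$, $n_0$ and $R$ directly from the definitions above by detecting the first repeated state vector, counts $Z(b)$ over a full period, and compares the deviation from $r/q$ and the character sum $|\sum \chi(s_n)|$ (with the canonical additive character $\chi(c) = e^{2\pi i c/p}$ of a prime field $\mathbb{F}_p$) against the bound (6.31) and the bound $(1 - 1/q)(r/R)^{1/2}q^{k/2}$ of Theorem 6.82 that follows. The recurrence found in Example 6.76, whose minimal polynomial has $m(0) = 0$, illustrates a nonzero preperiod; function names are my own.

```python
import cmath
import math
from itertools import islice

def lrs_states(coeffs, init, p):
    """Yield the state vectors (s_n, ..., s_{n+k-1}), n = 0, 1, ..., of the kth-order
    homogeneous linear recurring sequence
        s_{n+k} = a_{k-1} s_{n+k-1} + ... + a_1 s_{n+1} + a_0 s_n   (mod p),
    where coeffs = (a_0, ..., a_{k-1}) and init = (s_0, ..., s_{k-1})."""
    state = tuple(x % p for x in init)
    if len(coeffs) != len(state):
        raise ValueError("need one coefficient per state entry")
    while True:
        yield state
        nxt = sum(a * s for a, s in zip(coeffs, state)) % p
        state = state[1:] + (nxt,)

def period_data(coeffs, init, p):
    """Return (preperiod n_0, least period r).  The state vector determines all
    later terms, so the first repetition of a state fixes both numbers exactly."""
    seen = {}
    for n, state in enumerate(lrs_states(coeffs, init, p)):
        if state in seen:
            return seen[state], n - seen[state]
        seen[state] = n

def big_r(coeffs, p):
    """R = r_1 + n_1 for the impulse response sequence d_0 = 1, d_1 = ... = d_{k-1} = 0."""
    k = len(coeffs)
    n1, r1 = period_data(coeffs, (1,) + (0,) * (k - 1), p)
    return r1 + n1

def full_period(coeffs, init, p):
    """The terms s_{n_0}, ..., s_{n_0 + r - 1} of one full period."""
    n0, r = period_data(coeffs, init, p)
    return [st[0] for st in islice(lrs_states(coeffs, init, p), n0, n0 + r)]

def distribution_report(coeffs, init, p):
    """Z(b) for every b, the largest deviation |Z(b) - r/q| with its bound from
    Theorem 6.82, and |sum chi(s_n)| over a full period with its bound (6.31).
    chi(c) = exp(2*pi*i*c/p) is the canonical additive character of F_p (p prime)."""
    k = len(coeffs)
    n0, r = period_data(coeffs, init, p)
    R = big_r(coeffs, p)
    terms = full_period(coeffs, init, p)
    Z = {b: terms.count(b) for b in range(p)}
    char_sum = abs(sum(cmath.exp(2j * math.pi * s / p) for s in terms))
    sum_bound = math.sqrt(r / R) * p ** (k / 2)      # right-hand side of (6.31)
    return {
        "n0": n0, "r": r, "R": R, "Z": Z,
        "max_deviation": max(abs(Z[b] - r / p) for b in range(p)),
        "deviation_bound": (1 - 1 / p) * sum_bound,  # Theorem 6.82
        "char_sum": char_sum, "char_sum_bound": sum_bound,
    }

if __name__ == "__main__":
    cases = [
        # x^4 + x + 1 is primitive over F_2: a maximal period sequence, r = R = 15
        ("F_2, s_{n+4} = s_{n+1} + s_n", (1, 1, 0, 0), (0, 0, 0, 1), 2),
        # x^2 + 1 over F_3 has order 4: the element 0 never occurs, yet the bound holds
        ("F_3, s_{n+2} = 2 s_n", (2, 0), (1, 1), 3),
        # the recurrence found in Example 6.76; m(0) = 0 gives preperiod n_0 = 1
        ("F_3, s_{n+4} = s_{n+3} + 2 s_{n+2} + s_{n+1}", (0, 1, 2, 1), (0, 2, 1, 0), 3),
    ]
    for label, coeffs, init, p in cases:
        rep = distribution_report(coeffs, init, p)
        print(label)
        for key, val in rep.items():
            print(f"  {key} = {val}")
```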
6.82. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order linear recurring sequence in $\mathbb{F}_q$ with least period $r$, and let $R$ be as in Theorem 6.78. Then, for any $b \in \mathbb{F}_q$ we have
$$\left| Z(b) - \frac{r}{q} \right| \leq \left(1 - \frac{1}{q}\right)\left(\frac{r}{R}\right)^{1/2} q^{k/2}.$$
Proof. For given $b \in \mathbb{F}_q$, let the real-valued function $\delta_b$ on $\mathbb{F}_q$ be defined by $\delta_b(b) = 1$ and $\delta_b(c) = 0$ for $c \neq b$. Because of (5.10), the function $\delta_b$ can be represented in the form
$$\delta_b(c) = \frac{1}{q}\sum_{\chi}\chi(c - b) \quad \text{for all } c \in \mathbb{F}_q,$$
where the sum is extended over all additive characters $\chi$ of $\mathbb{F}_q$. It follows that
$$Z(b) = \sum_{n=n_0}^{n_0+r-1}\delta_b(s_n) = \frac{1}{q}\sum_{\chi}\sum_{n=n_0}^{n_0+r-1}\chi(s_n - b) = \frac{1}{q}\sum_{\chi}\overline{\chi}(b)\sum_{n=n_0}^{n_0+r-1}\chi(s_n).$$
By separating the contribution from the trivial additive character of $\mathbb{F}_q$ and using an asterisk to indicate the deletion of this character from the range of summation, we get
$$Z(b) - \frac{r}{q} = \frac{1}{q}\sum_{\chi}^{*}\overline{\chi}(b)\sum_{n=n_0}^{n_0+r-1}\chi(s_n).$$
Thus, by using (6.31), we obtain
$$\left| Z(b) - \frac{r}{q}\right| \leq \frac{1}{q}\sum_{\chi}^{*}\left|\sum_{n=n_0}^{n_0+r-1}\chi(s_n)\right| \leq \left(1 - \frac{1}{q}\right)\left(\frac{r}{R}\right)^{1/2}q^{k/2},$$
since there are $q - 1$ nontrivial additive characters of $\mathbb{F}_q$. □
6.83. Corollary. Let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ with least period $r$ whose minimal polynomial $m(x) \in \mathbb{F}_q[x]$ has degree $k \geq 1$ and satisfies $m(0) \neq 0$. Then, for every $b \in \mathbb{F}_q$, the bound of Theorem 6.82 holds with $r/R = 1$, that is,
$$\left| Z(b) - \frac{r}{q} \right| \leq \left(1 - \frac{1}{q}\right) q^{k/2}.$$
Proof. We have $r = \operatorname{ord}(m(x))$ according to Theorem 6.44. Furthermore, $R = \operatorname{ord}(m(x))$ by a remark preceding Theorem 6.78, and Theorem 6.82 yields the desired result. □

If the linear recurring sequence has an irreducible minimal polynomial, then an alternative method based on Gaussian sums leads to somewhat better estimates. In the subsequent proof, we shall use the formulas for Gaussian sums in Theorem 5.11.
6.84. Theorem. Let $s_0, s_1, \ldots$ be a homogeneous linear recurring sequence in $\mathbb{F}_q$ with least period $r$. Suppose the minimal polynomial $m(x)$ of the sequence is irreducible over $\mathbb{F}_q$, has degree $k$, and satisfies $m(0) \neq 0$. Let $h$ be the least common multiple of $r$ and $q - 1$. Then,
$$\left|Z(0) - \frac{(q^{k-1}-1)\,r}{q^k-1}\right| \leq \left(1-\frac{1}{q}\right)\left(\frac{r}{h} - \frac{r}{q^k-1}\right)q^{k/2} \tag{6.37}$$
and
$$\left|Z(b) - \frac{q^{k-1}\,r}{q^k-1}\right| \leq \frac{1}{q}\left(\frac{r}{h} - \frac{r}{q^k-1}\right)q^{k/2} + \left(1 - \frac{r}{h}\right)q^{(k-1)/2} \quad \text{for } b \neq 0. \tag{6.38}$$
Proof. Set $K = \mathbb{F}_q$, and let $F$ be the splitting field of $m(x)$ over $K$. Let $\alpha$ be a fixed root of $m(x)$ in $F$; then $\alpha \neq 0$ because of $m(0) \neq 0$. By Theorem 6.24, there exists $\theta \in F$ such that
$$s_n = \operatorname{Tr}_{F/K}(\theta\alpha^n) \quad \text{for } n = 0, 1, \ldots. \tag{6.39}$$
We clearly have $\theta \neq 0$. Let $\lambda'$ be the canonical additive character of $K$. Then, for any given $b \in K$, the character relation (5.9) yields
$$\frac{1}{q}\sum_{c\in K}\lambda'(c(b - s_n)) = \begin{cases} 1 & \text{if } s_n = b, \\ 0 & \text{if } s_n \neq b, \end{cases}$$
and so, together with (6.39),
$$Z(b) = \frac{1}{q}\sum_{n=0}^{r-1}\sum_{c\in K}\lambda'(bc)\,\lambda'\big(\operatorname{Tr}_{F/K}(-c\theta\alpha^n)\big).$$
If $\lambda$ denotes the canonical additive character of $F$, then $\lambda'$ and $\lambda$ are related by $\lambda'(\operatorname{Tr}_{F/K}(\beta)) = \lambda(\beta)$ for all $\beta \in F$ (see (5.7)). Therefore, replacing $c$ by $-c$ in the sum over $c$,
$$Z(b) = \frac{1}{q}\sum_{c\in K}\lambda'(-bc)\sum_{n=0}^{r-1}\lambda(c\theta\alpha^n) = \frac{r}{q} + \frac{1}{q}\sum_{c\in K^*}\lambda'(-bc)\sum_{n=0}^{r-1}\lambda(c\theta\alpha^n). \tag{6.40}$$
Now by (5.17),
$$\lambda(\beta) = \frac{1}{q^k-1}\sum_{\psi}G(\overline{\psi}, \lambda)\,\psi(\beta) \quad \text{for } \beta \in F^*,$$
where the sum is extended over all multiplicative characters $\psi$ of $F$. For $c \in K^*$ it follows that
$$\sum_{n=0}^{r-1}\lambda(c\theta\alpha^n) = \frac{1}{q^k-1}\sum_{n=0}^{r-1}\sum_{\psi}G(\overline{\psi},\lambda)\,\psi(c\theta\alpha^n) = \frac{1}{q^k-1}\sum_{\psi}\psi(c\theta)\,G(\overline{\psi},\lambda)\sum_{n=0}^{r-1}\psi(\alpha)^n.$$
The inner sum in the last expression is a finite geometric series that vanishes if $\psi(\alpha) \neq 1$, because of $\psi(\alpha)^r = \psi(\alpha^r) = \psi(1) = 1$. Therefore, we only have to sum over the set $J$ of those characters $\psi$ for which $\psi(\alpha) = 1$, and so
$$\sum_{n=0}^{r-1}\lambda(c\theta\alpha^n) = \frac{r}{q^k-1}\sum_{\psi\in J}\psi(c\theta)\,G(\overline{\psi},\lambda).$$
Substituting this in (6.40), we get
$$Z(b) = \frac{r}{q} + \frac{r}{q(q^k-1)}\sum_{c\in K^*}\lambda'(-bc)\sum_{\psi\in J}\psi(c\theta)\,G(\overline{\psi},\lambda) = \frac{r}{q} + \frac{r}{q(q^k-1)}\sum_{\psi\in J}\psi(\theta)\,G(\overline{\psi},\lambda)\sum_{c\in K^*}\psi(c)\,\lambda'(-bc).$$
If we consider the restriction $\psi'$ of $\psi$ to $K^*$, then the inner sum may be viewed as a Gaussian sum in $K$ with an additive character $\lambda_b(c) = \lambda'(-bc)$ for $c \in K$. Thus,
$$Z(b) = \frac{r}{q} + \frac{r}{q(q^k-1)}\sum_{\psi\in J}\psi(\theta)\,G(\overline{\psi},\lambda)\,G(\psi',\lambda_b). \tag{6.41}$$
For $b = 0$ the additive character $\lambda_0$ is trivial, so that $G(\psi', \lambda_0) = 0$ unless $\psi'$ is trivial, in which case $G(\psi', \lambda_0) = q - 1$. Consequently, it suffices to extend the sum in (6.41) over the set $A$ of characters $\psi$ for which $\psi(\alpha) = 1$ and $\psi'$ is trivial, so that
$$Z(0) = \frac{r}{q} + \frac{(q-1)\,r}{q(q^k-1)}\sum_{\psi\in A}\psi(\theta)\,G(\overline{\psi},\lambda).$$
The trivial multiplicative character contributes $-1$ to the sum, hence we get
$$Z(0) - \frac{(q^{k-1}-1)\,r}{q^k-1} = \frac{(q-1)\,r}{q(q^k-1)}\sum_{\psi\in A}^{*}\psi(\theta)\,G(\overline{\psi},\lambda),$$
where the asterisk indicates that the trivial multiplicative character is deleted from the range of summation. Since $\lambda$ is nontrivial, we have $|G(\overline{\psi},\lambda)| = q^{k/2}$ for every nontrivial $\psi$, and so
$$\left|Z(0) - \frac{(q^{k-1}-1)\,r}{q^k-1}\right| \leq \frac{(q-1)\,r}{q(q^k-1)}\,(|A|-1)\,q^{k/2}. \tag{6.42}$$
Let $H$ be the smallest subgroup of $F^*$ containing $\alpha$ and $K^*$. The element $\alpha$ has order $r$ in the cyclic group $F^*$, therefore $|H| = h$, the least common multiple of $r$ and $q - 1$. Furthermore, we have $\psi \in A$ if and only if $\psi(\beta) = 1$ for all $\beta \in H$. In other words, $A$ is the annihilator of $H$ in $(F^*)^{\wedge}$ (see p. 165), and so
$$|A| = \frac{|F^*|}{|H|} = \frac{q^k-1}{h} \tag{6.43}$$
by Theorem 5.6. The inequality (6.37) follows now from (6.42) and (6.43). For $b \neq 0$, we go back to (6.41) and note first that the additive character $\lambda_b$ is then nontrivial. Therefore, the trivial multiplicative character contributes $1$ to the sum in (6.41), so that we can write
$$Z(b) - \frac{q^{k-1}\,r}{q^k-1} = \frac{r}{q(q^k-1)}\sum_{\psi\in J}^{*}\psi(\theta)\,G(\overline{\psi},\lambda)\,G(\psi',\lambda_b).$$
Now $G(\psi',\lambda_b) = -1$ if $\psi'$ is trivial and $|G(\psi',\lambda_b)| = q^{1/2}$ if $\psi'$ is nontrivial, which implies
$$\left|Z(b) - \frac{q^{k-1}\,r}{q^k-1}\right| \leq \frac{r}{q(q^k-1)}\left(|A| - 1 + (|J|-|A|)\,q^{1/2}\right)q^{k/2}.$$
Since $J$ is the annihilator in $(F^*)^{\wedge}$ of the subgroup of $F^*$ generated by $\alpha$, we have $|J| = (q^k-1)/r$ by Theorem 5.6. This is combined with (6.43) to complete the proof of (6.38). □
One can also obtain results about the distribution of elements in parts of the period. Let $s_0, s_1, \ldots$ be an arbitrary linear recurring sequence in $\mathbb{F}_q$ with least period $r$ and preperiod $n_0$. For $b \in \mathbb{F}_q$, for $N_0 \geq n_0$ and $1 \leq N \leq r$, let $Z(b; N_0, N)$ be the number of $n$, $N_0 \leq n \leq N_0 + N - 1$, with $s_n = b$.

6.85. Theorem. Let $s_0, s_1, \ldots$ be a $k$th-order linear recurring sequence in $\mathbb{F}_q$ with least period $r$ and preperiod $n_0$, and let $R$ be as in Theorem 6.78. Then, for any $b \in \mathbb{F}_q$ we have
$$\left| Z(b; N_0, N) - \frac{N}{q}\right| < \left(1 - \frac{1}{q}\right)\left(\frac{r}{R}\right)^{1/2} q^{k/2}\left(\frac{2}{\pi}\log r + \frac{2}{5} + \frac{N}{r}\right) \quad \text{for } N_0 \geq n_0 \text{ and } 1 \leq N \leq r.$$
Proof. Proceeding as in the proof of Theorem 6.82 and using the same notation as there, we arrive at the identity
$$Z(b; N_0, N) - \frac{N}{q} = \frac{1}{q}\sum_{\chi}^{*}\overline{\chi}(b)\sum_{n=N_0}^{N_0+N-1}\chi(s_n).$$
On the basis of Theorem 6.81 we obtain then
$$\left| Z(b; N_0, N) - \frac{N}{q}\right| < \left(1 - \frac{1}{q}\right)\left(\frac{r}{R}\right)^{1/2} q^{k/2}\left(\frac{2}{\pi}\log r + \frac{2}{5} + \frac{N}{r}\right),$$
since there are $q - 1$ nontrivial additive characters of $\mathbb{F}_q$. □

The method in the proof of Theorem 6.84 can also be adapted to produce results on the distribution of elements in parts of the period (compare with Exercises 6.69, 6.70, and 6.71).
EXERCISES
6.1. 6.2. 6.3.
6.4.
Design a feedback shift register implementing the linear recurrence reiationslj_s=slj.4-SIj.3-.'n,l+slj.n=0,I. ... , inlF.~. Design a feedhaek shift register implementing the linear recurrence re!ations,/.7..:::3sn_s-2slj.4+sn.d+2sn+l.n=0,1, inlF 7 · l.et, he a period of the ultimately periodic sequence so. 5, and let flf) he the least nonnegativc integer such that Sn t r'= slj for all n ~ flO' Prove that no is equal to the preperiod of the sequence. Determine the order of the matrix
A=
6.5. 6.6.
6.7.
(~
o o o o I o o I
in the general linear group CL(4.1F,). Obtain the results of Example 6.1 R by the methods of Section 5. Usc (6. R) to give an explicit formula for the terms of the linear recurring sequence in IF.~ with So ="1 = I, !J'2 = 0, and sn-+ 3 =- Sn I l + sn for fl = 0, I..... Lse the result in Remark 6.13 10 give an explicit formula for the
I.lne<.lT Rccurr:ng, S~4uencf;:'~
24(;
terms of the linear recurring sequence in IF 4 with So = SI = S:! = 0, = I, and Sn' 4 - as n . .'1 + Sn' 1 + as/i for n = 0, 1, .... where a is a primitive element of IF 4' Prove that the terms s" given hy the formula in Remark 6.23 satisfy the homogeneous linear recurrence relation with characteristic polynomial f (x ). Prove the result in Remark 6.23 for the case where e, '" 2 for ; ~ 1,2, ... ,m and e, ~ I if a; ~ O. Represent the elements of the linear recurring sequence in IF, with So = 0, SI ....:. s:! ,~ Land .'In I 3 = .'In +- 2. + sn for n =- O. 1.... in terms of a :-,uitable trace function. Prove I.emma 6.26 hy using linear recurring sequences. Determine the least period of the impulse response sequence in IF, satisfying the linear rccurrence relation sn 1·/ -- sn 11 I sn' ::; -+ .'if/I I + s'/ forn~O,I, .... Caleulate the least period of the impulse response sequence assoeiatcd with the linear recurrence relation .}Il ~ 10 = .'In' ./ -r Sn' 2. + Sn' 1 ~.
s.'. 6.R.
6.9. 6.10.
6.11. 6.12.
t
6.13.
sninlF1' 6.14. 6.15. 6.16. 6.17.
6.IR. 6.19,
6.20. 6.21. 6.22.
Prove Theorem 6.27 hy using generating functions. Find a linear recurring sequence of Icast order in IF 2. whose least period is 21. hnd a linear recurring sequence of least order m IF, whose least period is 24. Let r be the least period of the J-ihvnucc; sequence in IF q that is, of the sequence with So O..\1 -= I. and s'l_ ~ = "'n' 1 - sn for n - 0, I, .... I.et p he the characteristic of IF q' Prove that r ~ 20 if p ~ 5, that r divides p - I if p " + I mod 5, and that r divides p'" I in all other cases_ Construct a maximal peri"d sequence in IF) of least period 80. 1\n (m. k ) de Bruijn sequence is a finite sequence .'i o, .'1 1,,,, ,.'iJv I with N = m k terms from a ~ct of In elements such that the k-tuples (s'l.sn.\ ..... jn.k I)' f1 O.L .... N-L with subscripts considered modulo N arc all different. Prove that if do, d" ... is a k th-order impulse response sequence and maximal period sequence in IF", then so:....O,sn=d n _ 1 for l~n~qk-1 yields a (q.k) de Bruijn se~ quence. Construct a (2,5) de Bruijn sequence. l.et B(x) ~ 2 - x + x) Eo IF ,Ix J. Caleulate the first six nonzero terms of the formal power series I! R( x). Let
;1(x)'
I-x+x·'.
R(x)~
L n· \)
(-I)"X"EIF)[[x]].
247
Ext'rci~l':-
Calculate th~ first five n0n7~ro terms of the formal power series
A(x)jR(x). 6.23.
Consiuer the linear r~curring ~equence in IF.~ with S(l = SI = 51""' I. 5 4 =-1. and sn_~=sn1~"""s,,_1-sn_l+5n for n=O,I .....
Sl
6.24.
6.25.
Represent the generating function of the sequence in the form (6.15). Calculate the first eight terms of the impulse response sequence associated with the linear recurrence rdation S'I_ 5 =-= Sf/I 3 + Sn_2" sn in IF 2 by long division. Let
so' Sl.···
he a homogeneous linear recurring sequence in IF 4'
Prove that the set of all polynomials fIx) ~ a,x' -/ .,. + G,X + a o E:U-:q[xl ~uch that u"s".!<+ ... -UtSnll+UOsll=O for n=0,1, ... forms an ideal of IF ql x]. Thus show the existence of a uniquely determined minimal polynomial of the sequence.
6.26.
Consider the linear recurring sequence in IF::! with Su = S3 = 5"4 -- 5~ = \"0 = 0, .'II = S2 = S7 = Land 5 n I l'. 51/ _ 7 - Sn _ f> I '~'I _.~ + Sil for n = O. L .... Lse the method in the proof of Theorem 6.42 to determine
6.27.
Consider the linear recurring sequence in IF~ with So - 51 = \"~ = l. S3=-1. and sll~4=3snl::!-s'l~l+sn for n=O,I, .... Cse th~
the minimal polynomial of the sequence.
6.28.
method in the proof of Theorem 6.42 to detcrmine the minimal polynomial of the sequence. Prove that a homogeneou, linear recurring sequence in a finite field is periodic if and only if its minimal polynomial mIx) satisfies m(O) ~ O.
6.29.
(liven a homogeneous linear recurring sequence in a finite field with
6.30. 6.31.
minimal polynomial m( xl. prove that the preperiod of the sequence i, equal to the multiplicity of 0 as a root of mIx). Prove Corollary 6.52 hy using the construction of the minimal polynomial in the proof of Theorem 6.42. Usc the criterion in Theorem 6.51 to determine the minimal polynomial of the linear recurring sequence in IF; with S1l16:"" S'! _ 3 + sn+2+sn_l+Sn for 11=0, I, ... and initial state vector (1,1. I.
0,0, I). 6.32. 6.33. 6.34.
Find the least period of the linear recurring sequence m Exercise 6.26. Find the least period of the linear recurring sequence m Exercise 6.27. hnd the least period of the linear recurring sequence in IF,
6.35.
with .fO " .'II = s;; = sf> = S7 -= O. s.~ -:.- .'1 4 = 55 = s~ '"'" 1, and SfI _ 'J = 5n~7+Sn'4+SIl+I+_f"forn=O.I. .... Find the least p~ri()d of the linear recurring ~equence in IF ~ with So - sl=l, S2"'"""S\ -0, S4=-1. and sn~.~=S'I_4-SIl_3· 5 n _ 2 -S>,/ for n = 0, 1. ....
6.36.
find the kast period of the linear recurring sequence in IF; with
Linl,.'ar Recurring Scqu('nc('s
24R
'~n' 4
.'in. 3 -i- Sn' 1 .. .'in .-
I for n = O. 1. ... and initial state vector
(0, - 1.1,0). 6.37.
Prov~
that a k th-unkr
lin~ar recurring :-.cqucncc
so- SI'''' in IF" has
least period q' exactly in the following cases: (a) k ~ I, If prime, S"., ~ So - a for n ~ 0, I. with a (h) k~2,q~2,s"_,~s"~1 forll~O.I. . 6.38.
6.39.
6.41.
f;:
Given a homogeneous linear recurring sequence in IF" with a nonconstant minimal polynomial mIx) E fq[x] whose roots are nonl.ero and simple, prove that the least period of the sequence is equal to the least positive integer r such that a' ~ I for all roots a of mIx). Prove: if the homogeneous linear recurring sequence 0" in IF 1/ has minimal polynomial fIx) Eo f .[xl with deg(j(x)) = n ;> I, then every sequence in S(j(x)) can be expressed uniquely as a linear combina-
tion of 6.40.
E
a/oJ and the shifted sequences o(l),o(2) ..... o(n
a""""
with
I)
coefficients in f q' Let fl(x) .... Jk(x) bc nonconstant monic polynomials over f q that are pairwise relatively prime. Prove that S(jl (x)· .. f, (x)) is the direct sum of thc linear suhspaces S(jI(X)).... ,S(j,(x)).
Let
SUo SI" ..
be a homogeneous linear recurring sequence in K
=
IF II
with characteristic polynomial f(x) ~ f,(x)' .. f,( x), where the j,(x) arc distinct monic irreducible polynomials over K. For i ~ I ... .,r, let a; be a fixed root of j,(x) in its splitting field F; over K. Prove that there exist uniquely determined clements 0, E FI, .... O, f' f; such that s"~Trr./.(Olail+ ... +Trr./K(O,a~) forn~O,I,....
6.42.
6.43.
With the notation of Exercise 6.41, prove that the sequence so' 51 .... has f(x) as its minimal polynomial if and only if 0, "" for I '" i '" r. Thus show that the number of sequences in S(j(x)) that have fIx) as minimal polynomial is given by (qk, -I)··· (q" -I), where k, ~ deg(j,(x)) for I", i '" r. Let 01 and 0, be the impulse response sequences in f, associated with
°
the linear recurrence relations.'i n I 6 ~
6.44.
=
sn
I ]
+ .'in ( n ' :; 0.1, ... ) and
.\" . , I .\"( n ~ 0, I, ... ), respectively. I'i nd the least period of
Let S".
a I b~ I -
the linear recurring sequence in IF] with
°
I
sn I 3
+ 0,.
.'in I ] = .'In ~ 2 -
So for n ~ 0, I, ... and initial state vector (0, I, 0), and let a, be
the linear recurring
sequenc~
in 1F 3 with.'i n . ."
-" -
sn. , - sn
I 2 ......
sn
for
n ~ 0, I, ... and initial state vector (1, I, 1,0, I). Lse the method of Example 6.58 to determine the minimal polynomial of the sum
sequence
a I + a.'..
6.45.
l'ind the least period of the sum sequence in Exercise 6.44.
6.46.
Given a homogeneous linear recurring sequence in IF 2 with minimal
6.47.
polynomial x' ~ x' ~ x 4 + I E f,.[x I, determine the minimal polynomial of its binary complement. Let fIx) ~ x' + x' ~ x 4 + x' ~ x' + x + I," f,lxJ. Determine the le:tlSI nl~riod" of ,fXlllence:" from Sf ff :.: n :.ino the: nllmher of se-
249
6.48.
6.49.
quem:t::-. attaining t:ach pO!'lsihle lc.:ast paiod. Let/(x)~(x 1 I)'(x'-x' 1)r=f,lxl. Determine the least periods of sequences from S(/(X») and the number of sequences attaining
each possihle least period. Let I(x) ~ x' - 2x' - x' - I r: I'.,[xl. Determine the least periods of . . . cquenct:s from S( f(
6.50.
x))
and the number of sequences attaining each possible least period.
6.51. Find a monic polynomial g(x) ∈ F_3[x] such that S(x + 1)S(x² + x − 1)S(x² − x − 1) = S(g(x)).
6.52. Find a monic polynomial g(x) ∈ F_2[x] such that S(x² + x + 1)S(x⁴ + x + 1) = S(g(x)).
6.53. For odd q determine a monic g(x) ∈ F_q[x] for which S((x − 1)²)S((x + 1)²) = S(g(x)). What is the situation for even q?
6.54. Prove that f ∨ (gh) = (f ∨ g)(f ∨ h) for nonconstant polynomials f, g, h ∈ F_q[x], provided the two factors on the right-hand side are relatively prime.
6.55. Consider the impulse response sequence in F_3 associated with the linear recurrence relation s_{n+4} = s_{n+1} − s_n, n = 0, 1, ..., and the linear recurring sequence in F_3 with s_{n+4} = s_n, n = 0, 1, ..., and initial state vector (0, 1, 1, 1). Use these sequences to show that there is no analog of Theorem 6.59 for multiplication of sequences.
6.56. For r ∈ ℕ and f ∈ F_q[x] with deg(f) > 0, let σ_r(f) be the sum of the rth powers of the distinct roots of f. Prove that σ_r(f ∨ g) = σ_r(f)σ_r(g) for nonconstant polynomials f, g ∈ F_q[x], provided that the number of distinct roots of f ∨ g is equal to the product of the numbers of distinct roots of f and g, respectively.
6.57. Let s₀, s₁, ... be an arbitrary sequence in F_q, and let n ≥ 0 and r ≥ 1 be integers. Prove that if both Hankel determinants D_{n+2}^{(r)} and D_n^{(r+1)} are 0, then also D_{n+1}^{(r+1)} = 0.
6.58. Prove that the sequence s₀, s₁, ... in F_q is a homogeneous linear recurring sequence with minimal polynomial of degree k if and only if D_n^{(k+1)} = 0 for all n ≥ 0 and k + 1 is the least positive integer for which this holds.
6.59. Give a complete proof for the second inequality in (6.23).
6.60. Prove the inequalities in (6.24).
6.61. Give a complete proof for (6.26).
6.62. Prove (6.27).
6.63. The first 10 terms of a homogeneous linear recurring sequence in F_3 of order ≤ 5 are given by 0, 1, 1, 0, 0, 0, 0, 1, 1, 1. Determine its minimal polynomial by the Berlekamp-Massey algorithm.
6.64. The first 8 terms of a homogeneous linear recurring sequence in F_3 of order ≤ 4 are given by 2, 1, 0, 1, −2, 0, −2, −1. Determine its minimal polynomial by the Berlekamp-Massey algorithm.
6.65. The first 10 terms of a homogeneous linear recurring sequence in F_3 of order ≤ 5 are given by 1, −1, 0, −1, 0, 0, 0, 0, 1, 0. Determine its minimal polynomial by the Berlekamp-Massey algorithm.
6.66. Find the homogeneous linear recurring sequence in F_3 of least order whose first 10 terms are 2, 0, −1, −2, 0, 0, 2, 2, −1, −2.
6.67. Suppose the conditions of Theorem 6.78 hold and assume in addition that the characteristic polynomial f(x) of the sequence s₀, s₁, ... satisfies f(0) ≠ 0. Establish the following improvement of (6.31): [bound illegible in scan] for all u ≥ 0, where ε_b = 0 for b ≤ q − 1 and ε_b = [value illegible in scan] for b > q − 1. (Hint: Note that b = 0 can be excluded in (6.33).)
6.68. Suppose the conditions of Theorem 6.84 hold, let r be a multiple of (q^k − 1)/(q − 1) and let (q^k − 1)/r and k be relatively prime. Prove that Z(0) = (q^{k−1} − 1)r/(q^k − 1).
6.69. Suppose the conditions of Theorem 6.84 hold, let q be odd and b = (q^k − 1)/2. Prove that equality holds in (6.37).
6.70. Let Z(b; N₀, N) be as in Theorem 6.85. Under the conditions of Theorem 6.84 and using the notation in the proof of this theorem, show that [identity illegible in scan].
6.71. Deduce from the result of Exercise 6.69 that [bound on Z(0; N₀, N) illegible in scan].
6.72. Deduce from the result of Exercise 6.69 that [bound on Z(b; N₀, N) for b ≠ 0 illegible in scan].
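The Berlekamp-Massey algorithm over a prime field F_p that Exercises 6.63 to 6.66 ask for, as an added example (not code from the book): it returns the linear complexity L and the minimal polynomial x^L + c₁x^{L−1} + ··· + c_L of the given initial terms, and a second routine regenerates the sequence from that polynomial as a check. The function names and the representation of a polynomial as a coefficient list are the example's own; the sequences from the exercises are typed in here as constructed inputs.

```python
def berlekamp_massey(seq, p):
    """Berlekamp-Massey over the prime field F_p.
    Returns (L, c) with c = [1, c_1, ..., c_L] such that
        s_n + c_1 s_{n-1} + ... + c_L s_{n-L} = 0 (mod p)   for L <= n < len(seq),
    where L is the least such order (the linear complexity of the given terms).
    The minimal polynomial is then x^L + c_1 x^(L-1) + ... + c_L."""
    C, B = [1], [1]        # current and previous connection polynomials
    L, m, b = 0, 1, 1      # current order, steps since the last length change, last discrepancy
    for i, s in enumerate(seq):
        d = s
        for j in range(1, L + 1):          # discrepancy between the prediction and s_i
            d = (d + C[j] * seq[i - j]) % p
        if d == 0:
            m += 1
            continue
        T = C[:]
        coef = (d * pow(b, -1, p)) % p     # d / b in F_p
        if len(C) < m + len(B):
            C.extend([0] * (m + len(B) - len(C)))
        for j, bj in enumerate(B):         # C(x) <- C(x) - coef * x^m * B(x)
            C[j + m] = (C[j + m] - coef * bj) % p
        if 2 * L <= i:                     # a length change is forced
            L, B, b, m = i + 1 - L, T, d, 1
        else:
            m += 1
        if len(C) < L + 1:
            C.extend([0] * (L + 1 - len(C)))
    return L, C[:L + 1]


def minimal_polynomial(seq, p):
    """Coefficients [1, c_1, ..., c_L]; this is the minimal polynomial of the whole
    sequence only when its order is at most len(seq)/2 (the uniqueness condition)."""
    return berlekamp_massey(seq, p)[1]


def generate(minpoly, init, p, n):
    """Continue the sequence from its first L terms using the recurrence given by minpoly."""
    L = len(minpoly) - 1
    s = [x % p for x in init[:L]]
    while len(s) < n:
        nxt = -sum(minpoly[j] * s[-j] for j in range(1, L + 1))
        s.append(nxt % p)
    return s


if __name__ == "__main__":
    # constructed input: the 10 terms of Exercise 6.63 (F_3, order at most 5)
    terms = [0, 1, 1, 0, 0, 0, 0, 1, 1, 1]
    L, c = berlekamp_massey(terms, 3)
    print("L =", L, "minimal polynomial coefficients (x^L down to 1):", c)
    print("regenerated:", generate(c, terms, 3, 10))
```

For the Fibonacci sequence mod 3 the routine returns L = 2 and [1, 2, 2], that is, x² − x − 1, which is what the recurrence s_{n+2} = s_{n+1} + s_n demands; for the ten terms of Exercise 6.63 it returns L = 5, consistent with the stated bound on the order.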
Chapter 7
Theoretical Applications of Finite Fields
Finite fields play a fundamental role in some of the most fascinating applications of modern algebra to the real world. These applications occur in the general area of data communication, a vital concern in our information society. Technological breakthroughs like space and satellite communications and mundane matters like guarding the privacy of information in data banks all depend in one way or another on the use of finite fields. Because of the importance of these applications to communication and information theory, we will present them in greater detail in the following chapters. Chapter 8 discusses applications of finite fields to coding theory, the science of reliable transmission of messages, and Chapter 9 deals with applications to cryptology, the art of enciphering and deciphering secret messages.
This chapter is devoted to applications of finite fields within mathematics. These applications are indeed numerous, so we can only offer a selection of possible topics. Section 1 contains some results on the use of finite fields in affine and projective geometry and illustrates in particular their role in the construction of projective planes with a finite number of points and lines. Section 2 on combinatorics demonstrates the variety of applications of finite fields to this subject and points out their usefulness in problems of design of statistical experiments. In Section 3 we give the definition of a linear modular system and show how finite fields are involved in this theory. A system is regarded as a structure into which something (matter, energy, or information) may be put at certain times and that itself puts out something at certain times. For instance, we may visualize a system as an electrical circuit whose input is a voltage signal and whose output is a current reading. Or we may think of a system as a network of switching elements whose input is an on/off setting of a number of input switches and whose output is the on/off pattern of an array of lights.
Some applications of finite fields to the simulation of randomness are discussed in Section 4. In particular, we show how certain linear recurring sequences can be used to simulate random sequences of bits. In numerical analysis one often has to simulate random sequences of real numbers; it is perhaps surprising that linear recurring sequences in finite fields can also be instrumental in this task.
We emphasize that the applications are only described to give examples for the use of various properties of finite fields. Therefore, the examples contain rather the algebraic and combinatorial aspects, without regard to their practical application or indeed other usefulness. For instance, we are not going to discuss the analysis of experimental design or the analysis or synthesis of linear modular systems, nor do we explain geometric properties that are not directly connected with finite fields.
1. FINITE GEOMETRIES
In this section we describe the use of finite fields in geometric problems. A projective plane consists of a set of points and a set of lines together with an incidence relation that allows us to state for every point and for every line either that the point is on the line or is not on the line. In order to have a proper definition, certain axioms have to be satisfied.
7.1. Definition. A projective plane is defined as a set of elements, called points, together with distinguished sets of points, called lines, as well as a relation I, called incidence, between points and lines subject to the following conditions:
(i) every pair of distinct lines is incident with a unique point (i.e., to every pair of distinct lines there is one point contained in both lines, called their intersection);
(ii) every pair of distinct points is incident with a unique line (i.e., to every pair of distinct points there is exactly one line which contains both points);
(iii) there exist four points such that no three of them are incident with a single line (i.e., there exist four points such that no three of them are on the same line).
It follows that each line contains at least three points and that through each point there must be at least three lines. If the set of points is finite, we speak of a finite projective plane. From the three axioms above one deduces that (iii) holds also with the concepts of "point" and "line" interchanged. This establishes a principle of duality between points and lines, from which one can derive the following result.
7.2. Theorem. Let Π be a finite projective plane. Then:
(i) there is an integer m ≥ 2 such that every point (line) of Π is incident with exactly m + 1 lines (points) of Π;
(ii) Π contains exactly m² + m + 1 points (lines).
7.3. Example. The simplest finite projective plane is that with m = 2;
[Figure 7.1. The Fano plane.]
The integer m in Theorem 7.2 is called the order of the finite projective plane. We will see that finite projective planes of order m exist for every integer m of the form m = pⁿ, where p is a prime. It is known that there is no plane for m = 6, but it is not known whether a plane exists for m = 10. Many planes have been found for m ≤ 9, but no plane has yet been found for which m is not a power of a prime.
In ordinary analytic geometry we represent points of the plane as ordered pairs (x, y) of real numbers and lines are sets of points that satisfy real equations of the form ax + by + c = 0 with a and b not both 0. Now the field of real numbers can be replaced by any other field, in particular a finite field. This type of geometry is known as affine geometry (or euclidean geometry) and leads to the concept of an affine plane.
7.4. Definition. An affine plane is a triple (𝒫, ℒ, I) consisting of a set 𝒫 of points, a set ℒ of lines, and an incidence relation I such that:
(i) every pair of distinct points is incident with a unique line;
(ii) every point P ∈ 𝒫 not on a line L ∈ ℒ lies on a unique line M ∈ ℒ which does not intersect L;
(iii) there exist four points such that no three of them are incident with a single line.
The proof of the following theorem is straightforward.
7.5. Theorem. Let K be any field. Let 𝒫 denote the set of ordered pairs (x, y) with x, y ∈ K, and let ℒ consist of those subsets L of 𝒫 which satisfy linear equations, i.e., L ∈ ℒ if for some a, b, c ∈ K with (a, b) ≠ (0, 0) we have L = {(x, y) : ax + by + c = 0}. A point P ∈ 𝒫 is incident with a line L ∈ ℒ if and only if P ∈ L. Then (𝒫, ℒ, I) is an affine plane, denoted by AG(2, K).
It can be shown readily that if |K| = m, then each line of AG(2, K) contains exactly m points. We can construct a projective plane from AG(2, K) by adding a line to it (and, conversely, we can obtain an affine plane from any projective plane by deleting one line and all the points on it). We change the notation in AG(2, K) and rename all the points as (x, y, 1), that is, (x, y, z) with z = 1, and use the equation ax + by + cz = 0 with (a, b) ≠ (0, 0) as the equation of a line. Now add the set of points
L_∞ = {(1, 0, 0)} ∪ {(x, 1, 0) : x ∈ K}
to 𝒫 to form a new set 𝒫' = 𝒫 ∪ L_∞. The points of L_∞ can be represented by the equation z = 0 and so can be interpreted as a line. Let this new line L_∞ be added to ℒ to form the set ℒ' = ℒ ∪ {L_∞}. With the natural extended notion of incidence, it can be verified that (𝒫', ℒ', I') satisfies all the axioms for a projective plane.
7.6. Theorem. Let AG(2, K) = (𝒫, ℒ, I) and let
𝒫' = 𝒫 ∪ {(1, 0, 0)} ∪ {(x, 1, 0) : x ∈ K} = 𝒫 ∪ L_∞
and ℒ' = ℒ ∪ {L_∞}. Let the extended incidence relation be denoted by I'. Then (𝒫', ℒ', I') is a projective plane, denoted by PG(2, K).
7.7. Example. The plane PG(2, F_2), that is, the projective plane over the field F_2, has seven points: (0, 0, 1), (1, 0, 1), (0, 1, 1), and (1, 1, 1) with z ≠ 0 and the three distinct points on the line z = 0, namely, (1, 0, 0), (0, 1, 0), and (1, 1, 0). It can be verified that PG(2, F_2) also contains seven lines and that this projective plane is the Fano plane of Example 7.3. □
In constructing PG(2, K), every line of AG(2, K) must meet the new line L_∞, so there will be an additional point on each line; also L_∞ contains m + 1 points if K contains m elements. Since for every prime power m = pⁿ = q there are finite fields F_q, we have the following theorem.
7.8. Theorem. For every prime power q = pⁿ, p prime, n ∈ ℕ, there exists a finite projective plane of order q, namely, PG(2, F_q).
[Figure 7.2. Desargues's theorem.]
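The homogeneous-coordinate construction of PG(2, F_q) from Theorems 7.6 and 7.8, carried out in code for a prime q = p (an added example, not code from the book): it enumerates the points and lines of PG(2, F_p), checks the counts of Theorem 7.2 and the three axioms of Definition 7.1, reproduces the seven points of Example 7.7 for p = 2, and also tests the criterion of Theorem 7.11 below on the diagonal points of the standard quadrangle. The function names, the restriction to prime p, and the normalization "first nonzero coordinate equals 1" are the example's own choices.

```python
from itertools import combinations, product


def norm(v, p):
    """Scale a nonzero vector over F_p so its first nonzero coordinate is 1.
    This picks one representative of the point (x0, x1, x2) ~ (a x0, a x1, a x2)."""
    for c in v:
        if c % p:
            inv = pow(c % p, -1, p)
            return tuple((x * inv) % p for x in v)
    raise ValueError("the zero vector is not a projective point")


def cross(u, v, p):
    """Cross product mod p: the line through two points, or the meeting point of two lines."""
    return norm((u[1] * v[2] - u[2] * v[1],
                 u[2] * v[0] - u[0] * v[2],
                 u[0] * v[1] - u[1] * v[0]), p)


def incident(point, line, p):
    """(x0, x1, x2) lies on the line (a0, a1, a2) iff a0 x0 + a1 x1 + a2 x2 = 0 in F_p."""
    return sum(a * x for a, x in zip(line, point)) % p == 0


def pg2_points(p):
    """All points of PG(2, F_p): nonzero triples over F_p up to a nonzero scalar."""
    return sorted({norm(v, p) for v in product(range(p), repeat=3) if any(v)})


def pg2_lines(p):
    """Lines of PG(2, F_p), keyed by their normalized coefficient triple (by duality the
    coefficient triples range over the same set as the points), mapped to their point sets."""
    pts = pg2_points(p)
    return {l: frozenset(q for q in pts if incident(q, l, p)) for l in pts}


def check_projective_plane(p):
    """Verify Theorem 7.2 (order m = p) and axioms (i)-(iii) of Definition 7.1."""
    pts, lines = pg2_points(p), pg2_lines(p)
    n = p * p + p + 1
    if len(pts) != n or len(lines) != n:
        return False
    if any(len(s) != p + 1 for s in lines.values()):                    # p+1 points per line
        return False
    if any(sum(q in s for s in lines.values()) != p + 1 for q in pts):  # p+1 lines per point
        return False
    if any(len(s & t) != 1 for s, t in combinations(lines.values(), 2)):  # axiom (i)
        return False
    if any(sum(a in s and b in s for s in lines.values()) != 1
           for a, b in combinations(pts, 2)):                             # axiom (ii)
        return False
    quad = [(1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 1)]                   # axiom (iii)
    return all(not incident(c, cross(a, b, p), p) for a, b, c in combinations(quad, 3))


def diagonal_points_collinear(p):
    """Theorem 7.11 for the quadrangle (1,0,0), (0,1,0), (0,0,1), (1,1,1): its three
    diagonal points (meets of opposite sides) are collinear iff the characteristic is 2."""
    A, B, C, D = (1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 1)
    P = cross(cross(A, B, p), cross(C, D, p), p)   # AB meets CD
    Q = cross(cross(A, C, p), cross(B, D, p), p)   # AC meets BD
    R = cross(cross(A, D, p), cross(B, C, p), p)   # AD meets BC
    return incident(R, cross(P, Q, p), p)


if __name__ == "__main__":
    for p in (2, 3, 5):
        print(p, len(pg2_points(p)), check_projective_plane(p), diagonal_points_collinear(p))
```

The line with coefficient triple (0, 0, 1) is the line z = 0 of Example 7.7; for p = 2 it carries exactly (1, 0, 0), (0, 1, 0), and (1, 1, 0), and the diagonal-point test returns true only for p = 2.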
The additional line L_∞ added to an affine plane to obtain a projective plane is sometimes called the line at infinity. If two lines intersect on L_∞, they are called parallel. Next we present without proof two interesting theorems, which hold in all projective planes that can be represented analytically in terms of fields. Two triangles ΔA₁B₁C₁ and ΔA₂B₂C₂ are said to be in perspective from a point O if the lines A₁A₂, B₁B₂, and C₁C₂ pass through O. Points on the same line are said to be collinear.
7.9. Theorem (Desargues's Theorem). If ΔA₁B₁C₁ and ΔA₂B₂C₂ are in perspective from O, then the intersections of the lines A₁B₁ and A₂B₂, of A₁C₁ and A₂C₂, and of B₁C₁ and B₂C₂ are collinear.
The theorem is illustrated in Figure 7.2; the intersections of corresponding lines are P, Q, and R and are collinear.
7.10. Theorem (Theorem of Pappus). If A₁, B₁, C₁ are points of a line and A₂, B₂, C₂ are points of another line in the same plane, and if A₁B₂ and A₂B₁ intersect in P, A₁C₂ and A₂C₁ intersect in Q, and B₁C₂ and B₂C₁ intersect in R, then P, Q, and R are collinear.
The theorem is illustrated in Figure 7.3. Both theorems play an important role in projective geometry. If Desargues's theorem holds in some projective plane, then coordinates can be defined in terms of elements from a division ring. Here we define a point as an ordered triple (x₀, x₁, x₂) of three homogeneous coordinates, where the x_i are elements of a division ring R, not all of them simultaneously 0. The triples (ax₀, ax₁, ax₂), 0 ≠ a ∈ R, shall denote the same point. Thus each point is represented in m − 1 ways if |R| = m, and because there are m³ − 1 possible triples of coordinates, the total number of different points is (m³ − 1)/(m − 1) = m² + m + 1.
[Figure 7.3. The theorem of Pappus.]
A line is defined as the set of all those points whose coordinates satisfy an equation of the form x₀ + a₁x₁ + a₂x₂ = 0, or of the form x₁ + a₂x₂ = 0, or of the form x₂ = 0, where a_i ∈ R. There are m² + m + 1 such lines in the plane and it is straightforward to show that the points and lines thus defined satisfy the axioms of a finite projective plane. From Theorem 2.55, that is, Wedderburn's theorem, we know that any finite division ring is a field, a finite field F_q. In that case the equation of any line can be written as a₀x₀ + a₁x₁ + a₂x₂ = 0, where the a_i are not simultaneously 0, and (aa₀)x₀ + (aa₁)x₁ + (aa₂)x₂ = 0 with a ∈ F_q* is the same line. The line connecting the points (y₀, y₁, y₂) and (z₀, z₁, z₂) may then also be defined as the set of all points with coordinates
(ay₀ + bz₀, ay₁ + bz₁, ay₂ + bz₂),
where a and b are in F_q, not both equal to 0. There are q² − 1 such triples, and since simultaneous multiplication of a and b by the same nonzero element produces the same point, they yield q + 1 different points. In PG(2, F_q) Desargues's theorem and its converse hold, and the proof relies on commutativity of multiplication in F_q. In general, Desargues's theorem and its converse do not both apply if the coordinatizing ring does not have commutativity of multiplication. Thus Wedderburn's theorem plays an important role in this context.
A projective plane in which Desargues's theorem holds is called Desarguesian; otherwise it is called non-Desarguesian. Desarguesian planes of order m exist only if m is the power of a prime, and up to isomorphism there exists only one Desarguesian plane for any given prime power m = pⁿ. A finite Desarguesian plane can always be coordinatized by a finite field. Since such fields exist only when the order is a prime power, a projective plane with exactly m + 1 points on each line, m not a prime power, will have to be non-Desarguesian. It is not known whether such planes for m not a prime power exist. If it can be proved that up to isomorphism there exists only one finite projective plane of order m, and if m is a prime power, then this plane must be Desarguesian. This is the case for m = 2, 3, 4, 5, 7, and 8. For m prime, only Desarguesian planes are known. But it has been shown that for all prime powers m = pⁿ, n ≥ 2, except for 4 and 8, there exist non-Desarguesian planes of order m. The theorem of Pappus implies the theorem of Desargues. If the theorem of Pappus holds in some projective plane, then the multiplication in the coordinatizing ring is necessarily commutative. The theorem of Pappus holds in PG(2, F_q) for any prime power q. A finite Desarguesian plane also satisfies the theorem of Pappus.
A remarkable distinction between the properties of a PG(2, F_q) with q even and a PG(2, F_q) with q odd is given in the following theorem.
7.11. Theorem. The diagonal points of a complete quadrangle in PG(2, F_q) are collinear if and only if q is even.
Proof. We assume, without loss of generality, that the vertices of the quadrangle are (1, 0, 0), (0, 1, 0), (0, 0, 1), and (1, 1, 1). Its six sides are x₂ = 0, x₁ = 0, x₁ − x₂ = 0, x₀ = 0, x₀ − x₂ = 0, and x₀ − x₁ = 0, while the three diagonal points are (1, 1, 0), (1, 0, 1), and (0, 1, 1). The line through the first two points contains all points with coordinates (a + b, a, b), where (a, b) ≠ (0, 0), and the third point is one of these if and only if a = b and a + b = 0. In a finite field F_q this is only possible if the characteristic is 2. □
The latter case is illustrated in Example 7.3. Let the vertices of the complete quadrangle be C, D, E, G. In this case, the diagonal points are A, F, B, and they are collinear.
We introduce now concepts analogous to those with which we are familiar in analytic geometry, and we restrict ourselves to Desarguesian planes, coordinatized by a finite field F_q. Let the equations of two distinct lines be
a₀₁x₀ + a₁₁x₁ + a₂₁x₂ = 0,
a₀₂x₀ + a₁₂x₁ + a₂₂x₂ = 0.   (7.1)
Let the point of intersection of these two lines be P. All lines through P form a pencil and each line in this pencil has an equation of the form
(ra₀₁ + sa₀₂)x₀ + (ra₁₁ + sa₁₂)x₁ + (ra₂₁ + sa₂₂)x₂ = 0,
where r, s ∈ F_q are not both 0. There are q + 1 lines in the pencil: the two lines (7.1) given above corresponding to s = 0 and r = 0, respectively, and those corresponding to q − 1 different ratios rs⁻¹ with r ≠ 0 and s ≠ 0. Let another pencil through a point Q ≠ P be given by
(rb₀₁ + sb₀₂)x₀ + (rb₁₁ + sb₁₂)x₁ + (rb₂₁ + sb₂₂)x₂ = 0.
A projective correspondence between the lines of the two pencils is defined by letting a line of the first, given by a pair (r, s), correspond to the line of the second pencil that belongs to the same pair. Two corresponding lines meet in a unique point, except when the line PQ corresponds to itself, and the coordinates of all the points satisfy the equation
(a₀₁x₀ + a₁₁x₁ + a₂₁x₂)(b₀₂x₀ + b₁₂x₁ + b₂₂x₂) − (a₀₂x₀ + a₁₂x₁ + a₂₂x₂)(b₀₁x₀ + b₁₁x₁ + b₂₁x₂) = 0,   (7.2)
obtained by eliminating r and s from the equations of the two pencils.
7.12. Definition. The set of points whose coordinates satisfy equation (7.2) is called a conic.
If the line PQ corresponds to itself under the correspondence above, then the conic is called degenerate. It consists then of the 2q + 1 points of two intersecting lines. A nondegenerate conic consists of the q + 1 points of intersection of corresponding lines. A line that has precisely one point in common with a conic is called a tangent of it; a line that has two points in common is a secant. The equation of a nondegenerate conic is quadratic, therefore it cannot have more than two points in common with any line. Take one point of a nondegenerate conic and connect it by lines to the other q points. Then the resulting lines are secants and the remaining one of the q + 1 lines through that point must be a tangent. The q + 1 points of a nondegenerate conic thus have the property that no three of them are collinear. It can be shown that any set of q + 1 points in a PG(2, F_q), q odd, such that no three of them are collinear is a nondegenerate conic. The following theorem, which we prove only in part, exhibits a difference between conics in Desarguesian planes of odd and of even order.
7.13. Theorem. (i) In a Desarguesian plane of odd order there pass two or no tangents of a nondegenerate conic through a point not on the conic.
(ii) In a Desarguesian plane of even order all the tangents of a nondegenerate conic meet in a single point.
Proof. We prove (ii) as an example of how properties of finite fields are used in the theory of finite projective planes. Assume without loss of generality that three points on a nondegenerate conic in a plane of even order are A(1, 0, 0), B(0, 1, 0), C(0, 0, 1) and that the tangents through these three points are, respectively, x₁ − k₀x₂ = 0, x₂ − k₁x₀ = 0, x₀ − k₂x₁ = 0. Let P(p₀, p₁, p₂) be another point of the conic. None of the p_i can be 0, because then P would be on a line through two of the points A, B, and C, contradicting the fact that no three points of the conic are collinear. Therefore we can write x₁ − p₁p₂⁻¹x₂ = 0 for PA, x₂ − p₂p₀⁻¹x₀ = 0 for PB, and x₀ − p₀p₁⁻¹x₁ = 0 for PC. Consider the equation for the line PA. As we choose for P the various points of the conic, leaving out A, B, and C, the ratio p₁p₂⁻¹ runs through the elements of F_q apart from 0 and k₀. Since the product of all nonzero elements of F_q is −1, we get
∏ p₁p₂⁻¹ = −k₀⁻¹ = k₀⁻¹ (q being even),
where the product extends over all points of the conic except A, B, and C. Multiplying the three products above we get k₀k₁k₂ = 1. Therefore the points (1, k₀k₁, k₁), (k₂, 1, k₁k₂), and (k₀k₂, k₀, 1) are identical. The three tangents at A, B, and C pass through this point; and because these points were arbitrary, any three tangents meet in the same point. □
Analogs of the concept of a projective plane can be defined for dimensions higher than 2.
7.14. Definition. A projective space, or a projective geometry, or an m-space is a set of points, together with distinguished sets of points, called lines, subject to the following conditions:
(i) There is a unique line through any pair of distinct points.
(ii) A line that intersects two lines of a triangle intersects the third line as well.
(iii) Every line contains at least three points.
(iv) Define a k-space as follows. A 0-space is a point. If A₀, ..., A_k are points not all in the same (k − 1)-space, then all points collinear with A₀ and any point in the (k − 1)-space defined by A₁, ..., A_k form a k-space. Thus a line is a 1-space, and all the other spaces are defined recursively. Axiom (iv) demands: If k < m, then not all points considered are in the same k-space.
(v) There exists no (m + 1)-space in the set of points considered.
We say that an m-space has m dimensions, and if we refer to a k-space as a subspace of a projective space of higher dimension, we call it a k-flat. An (m − 1)-flat in a projective space of m dimensions is called a hyperplane. A 2-space is a projective plane in the sense of Definition 7.1. It can be proved that in any 2-flat in a projective space of at least three dimensions the theorem of Desargues (Theorem 7.9) is always valid. Desargues's theorem can only fail to be true in projective planes that cannot be embedded in a projective space of at least three dimensions.
A projective space containing only finitely many points is called a finite projective space (or finite projective geometry, or finite m-space). In analogy with PG(2, F_q), we can construct the finite m-space PG(m, F_q). Define a point as an ordered (m + 1)-tuple (x₀, x₁, ..., x_m), where the coordinates x_i ∈ F_q are not simultaneously 0. The (m + 1)-tuples (ax₀, ax₁, ..., ax_m) with a ∈ F_q* define the same point. There are therefore (q^{m+1} − 1)/(q − 1) points in PG(m, F_q). A k-flat in PG(m, F_q) is the set of all those points whose coordinates satisfy m − k linearly independent homogeneous linear equations with coefficients a_{ij} ∈ F_q. Alternatively, a k-flat consists of all those points with coordinates
a₀(x₀₀, ..., x₀ₘ) + a₁(x₁₀, ..., x₁ₘ) + ··· + a_k(x_{k0}, ..., x_{km}),
with the a_i ∈ F_q not simultaneously 0 and the k + 1 given points (x₀₀, ..., x₀ₘ), ..., (x_{k0}, ..., x_{km}) being linearly independent; that is, the (k + 1) × (m + 1) matrix (x_{ij}) has rank k + 1. The number of points in a k-flat is (q^{k+1} − 1)/(q − 1); there are q + 1 points on a line and q² + q + 1 on a plane. That PG(m, F_q) satisfies the five axioms for an m-space is easily verified.
We know that in F_{q^{m+1}} all powers of a primitive element α can be represented as polynomials in α of degree at most m with coefficients in F_q. If
α^i = a₀ + a₁α + ··· + a_mα^m,
we may consider α^i as representing a point in PG(m, F_q) with coordinates (a₀, ..., a_m). Two powers α^i, α^j represent the same point if and only if α^i = aα^j for some a ∈ F_q*, that is, if and only if i ≡ j mod (q^{m+1} − 1)/(q − 1).
A k-flat S through k + 1 linearly independent points represented by α^{d₀}, ..., α^{d_k} will contain all points represented by Σ_{r=0}^{k} a_rα^{d_r}, a_r ∈ F_q not simultaneously 0. For each h = 0, 1, ..., v − 1 with v = (q^{m+1} − 1)/(q − 1), the points Σ_{r=0}^{k} a_rα^{d_r + h}, a_r ∈ F_q not simultaneously 0, form k-flats, and we denote the k-flat with given h by S_h. We have S_v = S₀ = S because α^v ∈ F_q. Let j be the least positive integer for which S_j = S. Then from S_{nj} = S for all n ∈ ℕ it follows that j divides v, say v = tj. We call j the cycle of S. The points with exponents
d₀, d₀ + j, ..., d₀ + (t − 1)j
lie on S because S_{nj} = S for n = 0, 1, ..., t − 1. Further points on S can be written with the following exponents of α:
d₁, d₁ + j, ..., d₁ + (t − 1)j,
...
d_{u−1}, d_{u−1} + j, ..., d_{u−1} + (t − 1)j,
where d_r − d_s is not divisible by j for r ≠ s. The number of all these distinct points is tu = (q^{k+1} − 1)/(q − 1). If tj = (q^{m+1} − 1)/(q − 1) and tu = (q^{k+1} − 1)/(q − 1) are relatively prime, then t = 1, j = v, and all k-flats have cycle v. This is the case for k = m − 1, and for k = 1 when m is even.
7.15. Example. Consider PG(3, F_2) with 15 points, 35 lines, 15 planes, and q^{m+1} = 16. Using a root α ∈ F₁₆ of the primitive polynomial x⁴ + x + 1 over F_2, we can establish a correspondence between the powers of α and the points of PG(3, F_2). We obtain:
A(0, 0, 0, 1) ··· α³      F(0, 1, 1, 0) ··· α⁵      K(1, 0, 1, 1) ··· α¹³
B(0, 0, 1, 0) ··· α²      G(0, 1, 1, 1) ··· α¹¹     L(1, 1, 0, 0) ··· α⁴
C(0, 0, 1, 1) ··· α⁶      H(1, 0, 0, 0) ··· α⁰      M(1, 1, 0, 1) ··· α⁷
D(0, 1, 0, 0) ··· α¹      I(1, 0, 0, 1) ··· α¹⁴     N(1, 1, 1, 0) ··· α¹⁰
E(0, 1, 0, 1) ··· α⁹      J(1, 0, 1, 0) ··· α⁸      O(1, 1, 1, 1) ··· α¹²
The plane S = S₀ = {a₀α⁰ + a₁α¹ + a₂α² : a₀, a₁, a₂ ∈ F_2, not all 0} is the same as the plane x₃ = 0. It contains the points B, D, F, H, J, L, and N. It has cycle 15, as has any other hyperplane. The plane S₁ = {a₀α¹ + a₁α² + a₂α³ : a₀, a₁, a₂ ∈ F_2, not all 0} is the same as the plane x₀ = 0 and contains the points A, B, C, D, E, F, and G; and so on. The line {a₀α³ + a₁α⁸ : a₀, a₁ ∈ F_2, not both 0}, that is, the line AJK, has cycle 5, the lines ABC and ADE both have cycle 15, and this accounts for all the 5 + 15 + 15 = 35 lines. □
A finite affine (or euclidean) geometry, denoted by AG(m, F_q), is the set of flats that remain when a hyperplane with all its flats is removed from PG(m, F_q). Those flats that were removed are called flats at infinity. Those remaining flats that intersect in a flat at infinity are called parallel. It is convenient to consider the excluded hyperplane as the one whose equation is x_m = 0. Then we may fix x_m for all points in AG(m, F_q) at 1, and consider only the remaining coordinates as those of a point in AG(m, F_q). Since there are q^m + ··· + q + 1 points in PG(m, F_q), and the q^{m−1} + ··· + q + 1 points of a hyperplane were removed, there remain q^m points in AG(m, F_q). A k-flat in AG(m, F_q) is defined by m − k linear equations in the coordinates x₀, ..., x_{m−1}, where the coefficient matrix has rank m − k. In particular, a hyperplane is defined by one such equation with coefficients a₀, ..., a_{m−1}, not all 0, and constant term a_m. If a₀, ..., a_{m−1} are kept constant and a_m runs through all elements of F_q, then we obtain a pencil of parallel hyperplanes.
2. COMBINATORICS
In this section we describe some of the useful aspects of finite fields in combinatorics. There is a close connection between finite geometries and designs. The designs we wish to consider consist of two nonempty sets of objects, with an incidence relation between objects of different sets. For instance, the objects may be points and lines, with a given point lying or not lying on a given line. The terminology that is normally used in this area has its origin in the applications in statistics, in connection with the design of experiments. The two types of objects are called varieties (in early applications these were plants or fertilizers) and blocks. The number of varieties will, as a rule, be denoted by v and the number of blocks by b. A design for which every block is incident with the same number k of varieties and every variety is incident with the same number r of blocks is called a tactical configuration. Clearly
vr = bk.   (7.3)
If v = b, and hence r = k, the tactical configuration is called symmetric. For instance, the points and lines of a PG(2, F_q) form a symmetric tactical configuration with v = b = q² + q + 1 and r = k = q + 1. The property of a finite projective plane that every pair of distinct points is incident with a unique line may serve to motivate the following definition.
7.16. Definition. A tactical configuration is called a balanced incomplete block design (BIBD), or (v, k, λ) block design, if v ≥ k ≥ 2 and every pair of distinct varieties is incident with the same number λ of blocks.
If for a fixed variety a₁ we count in two ways all the ordered pairs (a₂, B) with a variety a₂ ≠ a₁ and a block B incident with a₁, a₂, we obtain the identity
r(k − 1) = λ(v − 1)   (7.4)
for any (v, k, λ) block design. Thus, the parameters b and r of a BIBD are determined by v, k, and λ because of (7.3) and (7.4).
7.17. Example. Let the set of varieties be {0, 1, 2, 3, 4, 5, 6} and let the blocks be the subsets {0, 1, 3}, {1, 2, 4}, {2, 3, 5}, {3, 4, 6}, {4, 5, 0}, {5, 6, 1}, and {6, 0, 2}, with the obvious incidence relation between varieties and blocks. This is a symmetric BIBD with v = b = 7, r = k = 3, and λ = 1. It is equivalent to the Fano plane in Example 7.3. A BIBD with k = 3 and λ = 1 is called a Steiner triple system. □
7.18. Example. More generally, a BIBD is obtained by taking the points of a projective geometry PG(m, F_q) or of an affine geometry AG(m, F_q) as varieties and its t-flats for some fixed t, 1 ≤ t < m, as blocks. In the projective case, the parameters of the resulting BIBD are as follows:
v = (q^{m+1} − 1)/(q − 1),
b = ∏_{i=0}^{t} (q^{m+1−i} − 1)/(q^{i+1} − 1),
k = (q^{t+1} − 1)/(q − 1),
r = ∏_{i=1}^{t} (q^{m+1−i} − 1)/(q^{i} − 1),
λ = ∏_{i=2}^{t} (q^{m+1−i} − 1)/(q^{i−1} − 1),
where the last product is interpreted to be 1 if t = 1. The BIBD is symmetric in case t = m − 1, that is, if the blocks are the hyperplanes of PG(m, F_q). In the affine case, the parameters of the resulting BIBD are as follows:
v = q^m,
b = q^{m−t} ∏_{i=1}^{t} (q^{m+1−i} − 1)/(q^{i} − 1),
k = q^t,
r = ∏_{i=1}^{t} (q^{m+1−i} − 1)/(q^{i} − 1),
λ = ∏_{i=2}^{t} (q^{m+1−i} − 1)/(q^{i−1} − 1),
with the same convention for t = 1 as above. Such a BIBD is never symmetric. □
A tactical configuration can be descrihed by its incidence matrix.
Thcorclicall\pplicaliotl~
264
of I-inite fields
This is a matrix A of v rows and h columns. where the rows correspond to
the varieties and the columns to the hloeks. We numher the varieties and hlocks. and if the ith variety is incident with the jth hloek, we define the (i. j) entry of A to he the integer I. otherwise O. The sum of entries in any row is r and that in any column is k. If A is the incidence matrix of a (c, k. A) block design, then the inner product of two different rows of A is A. Thus, if A'I denotes the transpose of A, then
AA T ~
r
A
A
r
A A
IA
A
r
~(r-A)i
IAJ.
where I is the [! X r identity matrix and J is the (; x v matrix with all entries equal to I. We compute the determinant of AA T by subtracting the first column from the others and then adding to the first row the sum of the others. The result is 0
rk
det( AA
T
)
A ~ A
I~
0 ()
0 0 0
0 0
A
r
A
r
0
1- rk (r
A)"-I.
r - AI
where we have used (7.4). If v = k, the design is trivial, since each block is incident with all l' varieties. If v> k, then r >;, hy (7.4), and so A AT is of rank D. The matrix A cannot have !olmallcr rank. hence we obtain h",
10.
(7.5)
By (7.3). we must abo have r '" k. for a svmlnelric ( c, k. A) block design we have r ~ k, hence AJ ~ JA. and so A commutes with (r - A) 1+ AJ ~ A AI. Since A is nonsingulal' if c>k. we get AIA- AA I -·(r A)/- AJ. It follows that any lwn dislinC! h/ocks h£ll~e exactly A varieties in common. This holds trivially if v...::. k. We have seen that the conditions (7.3) and (7.4), and furthermore (7.5) in the nontrivial case. are necess3l'y for the existence of a B1BD with parameters c, h. r. f,;, A. These conditions are. however. not sufficient for the existence of such a design. For instance. a BIBD with c ~ h ~ 43. r = k ~ 7, and A ~ I is known to he impossihle. The varieties and hloeks of a symmetric (c, k. A) hloek design with k '" 3 and A ~ I satisfy the conditions for points and lines of a finite projective plane. The converse is also true. Thus. the COllcepl:i of a s)'mm(,lric (c. k. I) hlock design wilh k ?' 3 and of a finile projel'tiGe pla"e are equipatent. ('on . . idcr the BIRD in F.xamnle 7.17 and intcmret the varieties
0, 1, 2, 3, 4, 5, 6 as integers modulo 7. Each block of this design has the property that the differences between its distinct elements yield all nonzero residues modulo 7. This suggests the following definition.

7.19. Definition. A set $D = \{d_1, \ldots, d_k\}$ of k ≥ 2 distinct residues modulo v is called a (v, k, λ) difference set if for every d ≢ 0 mod v there are exactly λ ordered pairs $(d_i, d_j)$ with $d_i, d_j \in D$ such that $d_i - d_j \equiv d \bmod v$.
The following results provide a connection between difference sets, designs, and finite projective planes.

7.20. Theorem. Let $\{d_1, \ldots, d_k\}$ be a (v, k, λ) difference set. Then with all residues modulo v as varieties, the blocks

$$B_l = \{d_1 + l, \ldots, d_k + l\}, \qquad l = 0, 1, \ldots, v-1,$$

form a symmetric (v, k, λ) block design under the obvious incidence relation.
Proof. A residue a modulo v occurs exactly in the blocks with subscripts $a - d_1, \ldots, a - d_k$ modulo v, thus every variety is incident with the same number k of blocks. For a pair of distinct residues a, c modulo v, we have $a, c \in B_l$ if and only if $a \equiv d_i + l \bmod v$ and $c \equiv d_j + l \bmod v$ for some $d_i, d_j$. Consequently, $a - c \equiv d_i - d_j \bmod v$, and conversely, for every solution $(d_i, d_j)$ of the last congruence, both a and c occur in the block with subscript $a - d_i$ modulo v. By hypothesis, there are exactly λ solutions $(d_i, d_j)$ of this congruence, and so all the conditions for a symmetric (v, k, λ) block design are satisfied. □

7.21. Corollary. Let $\{d_1, \ldots, d_k\}$ be a (v, k, 1) difference set with k ≥ 3. Then the residues modulo v and the blocks $B_l$, l = 0, 1, ..., v - 1, from Theorem 7.20 satisfy the conditions for points and lines of a finite projective plane of order k - 1.

Proof. This follows from Theorem 7.20 and the observation above that symmetric (v, k, 1) block designs with k ≥ 3 are finite projective planes. □
It follows from Theorem 7.20 and (7.4) that the parameters v, k, λ of a difference set are linked by the identity $k(k-1) = \lambda(v-1)$. This can also be seen directly from the definition of a difference set.

7.22. Example. The set {0, 1, 2, 4, 5, 8, 10} of residues modulo 15 is a (15, 7, 3) difference set. The blocks

$$B_l = \{l, l+1, l+2, l+4, l+5, l+8, l+10\}, \qquad l = 0, 1, \ldots, 14,$$

form a symmetric (15, 7, 3) block design according to Theorem 7.20. The blocks of this design can be interpreted as the 15 planes of the projective geometry $PG(3, \mathbb{F}_2)$, with the 15 residues representing the points. Each plane is a Fano plane $PG(2, \mathbb{F}_2)$. The lines of the block $B_l$ can be obtained by cyclically permuting the points of the line

$$B_l \cap B_{l-4} = \{l, l+1, l+4\}$$

in the plane $B_l$ according to the permutation

$$l \to l+1 \to l+2 \to l+4 \to l+5 \to l+10 \to l+8 \to l.$$

For instance, the lines in the plane $B_0 = \{0, 1, 2, 4, 5, 8, 10\}$ are

$$\{0,1,4\},\ \{1,2,5\},\ \{2,4,10\},\ \{4,5,8\},\ \{5,10,0\},\ \{10,8,1\},\ \{8,0,2\}. \quad \square$$
Examples of difference sets can be obtained from finite projective geometries. As in the discussion preceding Example 7.15, we identify points of $PG(m, \mathbb{F}_q)$ with powers of α, where α is a primitive element of $\mathbb{F}_{q^{m+1}}$, and the exponents of α are considered modulo $v = (q^{m+1}-1)/(q-1)$. Let S be any hyperplane of $PG(m, \mathbb{F}_q)$. Then S has cycle v, and so the hyperplanes $S_h = \alpha^h S$, h = 0, 1, ..., v - 1, are distinct. These are already all hyperplanes of $PG(m, \mathbb{F}_q)$, since v is also the total number of hyperplanes. Thus, the following is the complete list of hyperplanes of $PG(m, \mathbb{F}_q)$, with the points contained in them indicated by the corresponding exponents of α:

$$\begin{array}{lcccc} S_0: & d_1 & d_2 & \cdots & d_k \\ S_1: & d_1 + 1 & d_2 + 1 & \cdots & d_k + 1 \\ \vdots & \vdots & \vdots & & \vdots \\ S_{v-1}: & d_1 + v - 1 & d_2 + v - 1 & \cdots & d_k + v - 1 \end{array}$$

Here $k = (q^m - 1)/(q-1)$, the number of points in a hyperplane. If we look for those rows that contain a particular value, say 0, then we obtain the k hyperplanes through $\alpha^0$. These k rows are given by:

$$\begin{array}{cccc} d_1 - d_1 & d_2 - d_1 & \cdots & d_k - d_1 \\ d_1 - d_2 & d_2 - d_2 & \cdots & d_k - d_2 \\ \vdots & \vdots & & \vdots \\ d_1 - d_k & d_2 - d_k & \cdots & d_k - d_k \end{array}$$

Any point $\alpha^d \neq \alpha^0$ appears in as many of these k hyperplanes as there are hyperplanes through two distinct points, that is, $\lambda = (q^{m-1}-1)/(q-1)$ of them, so that the off-diagonal entries repeat each nonzero residue modulo v precisely λ times. Hence $\{d_1, \ldots, d_k\}$ is a (v, k, λ) difference set. We summarize this result as follows.
7.23. Theorem. The points in any hyperplane of $PG(m, \mathbb{F}_q)$ determine a (v, k, λ) difference set with parameters

$$v = \frac{q^{m+1}-1}{q-1}, \qquad k = \frac{q^m - 1}{q-1}, \qquad \lambda = \frac{q^{m-1}-1}{q-1}.$$
7.24. Example. Consider the hyperplane $x_1 = 0$ of $PG(3, \mathbb{F}_2)$ in Example 7.15. It contains the points A, B, C, H, I, J, K, and so the corresponding exponents of α yield the (15, 7, 3) difference set {0, 2, 3, 6, 8, 13, 14}. □
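The following Python code is an added example and not part of the book. It realizes $\mathbb{F}_{16}$ as $\mathbb{F}_2[x]/(x^4 + x + 1)$ (the choice of primitive polynomial and the coordinate convention, bit i of $\alpha^e$ = coefficient of $\alpha^i$, are assumptions of this code), reads the hyperplane $x_1 = 0$ of $PG(3, \mathbb{F}_2)$ off the powers of α as in Theorem 7.23, checks the difference-set property of Definition 7.19 by counting differences, and verifies for the symmetric design of Theorem 7.20 both that any two distinct blocks meet in λ varieties and that the incidence matrix satisfies $AA^T = (r - \lambda)I + \lambda J$.

```python
# Added example (not from the book): Singer difference sets from the hyperplanes
# of PG(m, F_2) (Theorem 7.23), the symmetric design of Theorem 7.20, and the
# incidence-matrix identity A A^T = (r - lambda) I + lambda J.
from itertools import combinations


def gf2m_powers(modulus, degree):
    """alpha^0, ..., alpha^(2^degree - 2) in F_2[x]/(modulus) as bit vectors
    (bit i = coefficient of alpha^i). `modulus` is bit-encoded with bit `degree`
    set and must be primitive, otherwise the powers repeat early (checked)."""
    order = 2 ** degree - 1
    powers, x = [], 1
    for _ in range(order):
        powers.append(x)
        x <<= 1                      # multiply by alpha
        if x >> degree:              # reduce modulo the defining polynomial
            x ^= modulus
    if x != 1 or len(set(powers)) != order:
        raise ValueError("modulus is not a primitive polynomial")
    return powers


def hyperplane_difference_set(modulus, degree, coord):
    """Exponents e such that coordinate x_coord of alpha^e is 0: the points of the
    hyperplane x_coord = 0 of PG(degree - 1, F_2), as residues mod 2^degree - 1."""
    return [e for e, vec in enumerate(gf2m_powers(modulus, degree))
            if not (vec >> coord) & 1]


def difference_multiplicities(D, v):
    """Number of ordered pairs (d_i, d_j), i != j, with d_i - d_j = d mod v, per d != 0."""
    counts = {d: 0 for d in range(1, v)}
    for a in D:
        for b in D:
            if a != b:
                counts[(a - b) % v] += 1
    return counts


def difference_set_lambda(D, v):
    """lambda if D is a (v, k, lambda) difference set mod v (Definition 7.19), else None."""
    values = set(difference_multiplicities(D, v).values())
    return values.pop() if len(values) == 1 else None


def symmetric_design(D, v):
    """Blocks B_l = {d + l : d in D}, l = 0, ..., v - 1, of Theorem 7.20."""
    return [frozenset((d + l) % v for d in D) for l in range(v)]


def block_intersection_sizes(blocks):
    """|B ∩ B'| over all pairs of distinct blocks; for a symmetric design this is {lambda}."""
    return {len(b1 & b2) for b1, b2 in combinations(blocks, 2)}


def gram_matrix(blocks, v):
    """A A^T for the v x b incidence matrix A (rows = varieties): entry (i, j) counts
    the blocks containing both variety i and variety j."""
    return [[sum(1 for B in blocks if i in B and j in B) for j in range(v)]
            for i in range(v)]


def gram_is_r_lambda(blocks, v, r, lam):
    """Check A A^T == (r - lambda) I + lambda J."""
    G = gram_matrix(blocks, v)
    return all(G[i][j] == (r if i == j else lam) for i in range(v) for j in range(v))


if __name__ == "__main__":
    # PG(3, F_2) via F_16 = F_2[x]/(x^4 + x + 1); x^4 + x + 1 is bit-encoded as 0b10011.
    D = hyperplane_difference_set(0b10011, 4, coord=1)
    print("difference set", D, "lambda =", difference_set_lambda(D, 15))
    blocks = symmetric_design(D, 15)
    print("block intersections", block_intersection_sizes(blocks),
          "A A^T = (r - lambda) I + lambda J:", gram_is_r_lambda(blocks, 15, 7, 3))
```

Running it prints the (15, 7, 3) difference set of Example 7.24; the hyperplane $x_3 = 0$ of the same field gives the set {0, 1, 2, 4, 5, 8, 10} of Example 7.22. The count in difference_multiplicities is the whole check: a set is a difference set exactly when every nonzero residue has the same count.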
Another branch of combinatorics in which finite fields are useful is the theory of orthogonal latin squares.

7.25. Definition. An array

$$L = (a_{ij}) = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & \vdots & & \vdots \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{pmatrix}$$

is called a latin square of order n if each row and each column contains every element of a set of n elements exactly once. Two latin squares $(a_{ij})$ and $(b_{ij})$ of order n are said to be orthogonal if the $n^2$ ordered pairs $(a_{ij}, b_{ij})$ are all different.
7.26. Theorem. A latin square of order n exists for every positive integer n.

Proof. Consider $(a_{ij})$ with $a_{ij} \equiv i + j \bmod n$, $1 \leq a_{ij} \leq n$. Then $a_{ij} = a_{ik}$ implies $i + j \equiv i + k \bmod n$, and so $j \equiv k \bmod n$, which means j = k since $1 \leq i, j, k \leq n$. Similarly, $a_{ij} = a_{kj}$ implies i = k. Thus the elements of each row and each column are distinct. □
Orthogonal latin squares were first studied by Euler. He conjectured that there did not exist pairs of orthogonal latin squares of order n if n is twice an odd integer. This was disproved in 1959 by the construction of a pair of orthogonal latin squares of order 22. It is now known that the values of n for which there exists a pair of orthogonal latin squares of order n are precisely all n > 2 with n ≠ 6. For some values of n, more than two latin squares of order n exist that are mutually orthogonal (i.e., orthogonal in pairs). We shall show that if n = q, a prime power, then there exist q - 1 mutually orthogonal latin squares of order q, by using the existence of finite fields of order q.
7.27. Theorem. Let $a_0 = 0, a_1, a_2, \ldots, a_{q-1}$ be the elements of $\mathbb{F}_q$. Then the arrays

$$L_k = \begin{pmatrix} a_0 & a_1 & \cdots & a_{q-1} \\ a_k a_1 + a_0 & a_k a_1 + a_1 & \cdots & a_k a_1 + a_{q-1} \\ \vdots & \vdots & & \vdots \\ a_k a_{q-1} + a_0 & a_k a_{q-1} + a_1 & \cdots & a_k a_{q-1} + a_{q-1} \end{pmatrix}, \qquad k = 1, \ldots, q-1,$$

form a set of q - 1 mutually orthogonal latin squares of order q.

Proof. Each $L_k$ is clearly a latin square. Let $a^{(k)}_{ij} = a_k a_{i-1} + a_{j-1}$ be the (i, j) entry of $L_k$. For k ≠ m, suppose

$$\big(a^{(k)}_{ij}, a^{(m)}_{ij}\big) = \big(a^{(k)}_{gh}, a^{(m)}_{gh}\big).$$

Then

$$a_k a_{i-1} + a_{j-1} = a_k a_{g-1} + a_{h-1} \quad\text{and}\quad a_m a_{i-1} + a_{j-1} = a_m a_{g-1} + a_{h-1},$$

and so

$$a_k(a_{i-1} - a_{g-1}) = a_{h-1} - a_{j-1} = a_m(a_{i-1} - a_{g-1}).$$

Since $a_k \neq a_m$, it follows that $a_{i-1} = a_{g-1}$, $a_{h-1} = a_{j-1}$, hence i = g, j = h. Thus the ordered pairs of corresponding entries from $L_k$ and $L_m$ are all different, and so $L_k$ and $L_m$ are orthogonal. □
7.28. Example. A set of four mutually orthogonal latin squares of order 5 is given below, using the construction in Theorem 7.27 with $a_i = i$ in $\mathbb{F}_5$ (so that the (i, j) entry of $L_k$ is $k(i-1) + (j-1) \bmod 5$):

$$L_1 = \begin{pmatrix} 0&1&2&3&4\\ 1&2&3&4&0\\ 2&3&4&0&1\\ 3&4&0&1&2\\ 4&0&1&2&3 \end{pmatrix}, \qquad L_2 = \begin{pmatrix} 0&1&2&3&4\\ 2&3&4&0&1\\ 4&0&1&2&3\\ 1&2&3&4&0\\ 3&4&0&1&2 \end{pmatrix},$$

$$L_3 = \begin{pmatrix} 0&1&2&3&4\\ 3&4&0&1&2\\ 1&2&3&4&0\\ 4&0&1&2&3\\ 2&3&4&0&1 \end{pmatrix}, \qquad L_4 = \begin{pmatrix} 0&1&2&3&4\\ 4&0&1&2&3\\ 3&4&0&1&2\\ 2&3&4&0&1\\ 1&2&3&4&0 \end{pmatrix}. \quad \square$$
The following result, which also yields information for the case where the order n of the latin squares is not a prime power, is proved in the same way as Theorem 7.27. Note that Theorem 7.29 shows, in particular, the existence of a pair of orthogonal latin squares of order n for any n > 1 with n ≢ 2 mod 4.

7.29. Theorem. Let $q_1, \ldots, q_s$ be prime powers and let $a^{(i)}_0 = 0, a^{(i)}_1, \ldots, a^{(i)}_{q_i - 1}$ be the elements of $\mathbb{F}_{q_i}$. Define the s-tuples

$$b_k = \big(a^{(1)}_k, \ldots, a^{(s)}_k\big) \qquad \text{for } 0 \leq k \leq r = \min_{1 \leq i \leq s}(q_i - 1),$$

and let $b_{r+1}, \ldots, b_{n-1}$ with $n = q_1 \cdots q_s$ be the remaining s-tuples that can be formed by taking in the ith coordinate an element of $\mathbb{F}_{q_i}$. These s-tuples are added and multiplied by adding and multiplying their coordinates. Then the arrays

$$L_k = \begin{pmatrix} b_0 & b_1 & \cdots & b_{n-1} \\ b_k b_1 + b_0 & b_k b_1 + b_1 & \cdots & b_k b_1 + b_{n-1} \\ \vdots & \vdots & & \vdots \\ b_k b_{n-1} + b_0 & b_k b_{n-1} + b_1 & \cdots & b_k b_{n-1} + b_{n-1} \end{pmatrix}, \qquad k = 1, \ldots, r,$$

form a set of r mutually orthogonal latin squares of order n.
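As an added example, not from the book: the construction of Theorem 7.27 for a prime q with $a_i = i$, the product construction of Theorem 7.29 restricted to prime moduli $q_1, \ldots, q_s$ (so that the coordinate fields are the residues modulo $q_i$ and no extension-field arithmetic is needed; this restriction is an assumption of the code), and the orthogonality check of Definition 7.25 applied to the result.

```python
# Added example (not from the book): mutually orthogonal latin squares from
# Theorem 7.27 (prime q, a_i = i) and the product construction of Theorem 7.29
# restricted to prime moduli q_1, ..., q_s, with the orthogonality check of
# Definition 7.25 applied to the result.
from itertools import combinations, product


def is_latin_square(sq):
    """Each row and each column contains every symbol of the same n-set exactly once."""
    n = len(sq)
    symbols = set(sq[0])
    return (len(symbols) == n
            and all(len(row) == n and set(row) == symbols for row in sq)
            and all(set(col) == symbols for col in zip(*sq)))


def are_orthogonal(sq1, sq2):
    """The n^2 ordered pairs of corresponding entries are all different."""
    n = len(sq1)
    pairs = {(sq1[i][j], sq2[i][j]) for i in range(n) for j in range(n)}
    return len(pairs) == n * n


def mutually_orthogonal(squares):
    return (all(is_latin_square(s) for s in squares)
            and all(are_orthogonal(a, b) for a, b in combinations(squares, 2)))


def mols_prime(p):
    """Theorem 7.27 over F_p with a_i = i: entry (i, j) of L_k is k*(i-1) + (j-1) mod p.
    Returns L_1, ..., L_{p-1}; rows and columns are indexed from 0 here."""
    return [[[(k * i + j) % p for j in range(p)] for i in range(p)] for k in range(1, p)]


def mols_product(primes):
    """Theorem 7.29 with each q_i prime: r = min(q_i) - 1 mutually orthogonal latin
    squares of order n = q_1 * ... * q_s. Elements are s-tuples, added and multiplied
    coordinatewise modulo q_i; b_0 = (0,...,0) and b_k = (k,...,k) for 1 <= k <= r."""
    r = min(primes) - 1
    diag = [tuple(k for _ in primes) for k in range(r + 1)]
    diag_set = set(diag)
    rest = [t for t in product(*(range(q) for q in primes)) if t not in diag_set]
    elems = diag + rest                                  # b_0, ..., b_{n-1}

    def add(x, y):
        return tuple((a + b) % q for a, b, q in zip(x, y, primes))

    def mul(x, y):
        return tuple((a * b) % q for a, b, q in zip(x, y, primes))

    return [[[add(mul(elems[k], bi), bj) for bj in elems] for bi in elems]
            for k in range(1, r + 1)]


if __name__ == "__main__":
    L = mols_prime(5)                     # the four squares of Example 7.28
    print(len(L), "MOLS of order 5, mutually orthogonal:", mutually_orthogonal(L))
    M = mols_product([3, 5])              # n = 15 = 3 * 5, r = 2
    print(len(M), "MOLS of order", len(M[0]), "mutually orthogonal:", mutually_orthogonal(M))
```

mols_prime(5) returns the four squares of Example 7.28; mols_product([3, 5]) returns the r = 2 orthogonal latin squares of order 15 that Theorem 7.29 promises. The case 12 = 4 · 3 of the theorem would need $\mathbb{F}_4$, which this code does not implement.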
Tactical configurations and latin squares are of use in the design of statistical experiments. For example, suppose that n varieties of wheat are to be compared as to their mean yield on a certain type of soil. At our disposal is a rectangular field subdivided into $n^2$ plots. However, even if we are careful in the selection of our field, differences in soil fertility will occur on it. Thus, if all the plots of the first row are occupied by the first variety, it may very well be that the first row is of high fertility and we might obtain a high yield for the first variety although it is not superior to the other varieties. We shall be less likely to vitiate our comparisons if we set every variety once in every row and once in every column. In other words, the varieties should be planted on the $n^2$ plots in such a way that a latin square of order n is formed.

It is often desirable to test at the same time other factors influencing the yield. For instance, we might want to apply n different fertilizers and evaluate their effectiveness. We will then arrange fertilizers and varieties on the $n^2$ plots in such a way that both the arrangement of fertilizers and the arrangement of varieties form a latin square of order n, and such that every fertilizer is applied exactly once to every variety. Thus, in the language of combinatorics, the latin squares of fertilizer and variety arrangements should be orthogonal. Similar applications exist for balanced incomplete block designs.

As another example for a combinatorial concept allowing applications of finite fields, we introduce so-called Hadamard matrices. These matrices are useful in coding theory, in communication theory, and in physics because of Hadamard transforms, and also in problems of determination of weights, resistances, voltages, and so on.
7.30. Definition. A Hadamard matrix $H_n$ is an n × n matrix with integer entries ±1 that satisfies

$$H_n H_n^T = nI.$$

Since $H_n^{-1} = (1/n)H_n^T$, we also have $H_n^T H_n = nI$. Thus, any two distinct rows and any two distinct columns of $H_n$ are orthogonal. The determinant of a Hadamard matrix attains a bound due to Hadamard. We have $\det(H_n H_n^T) = n^n$, and so $|\det(H_n)| = n^{n/2}$, while Hadamard's result states that $|\det(M)| \leq n^{n/2}$ for any real n × n matrix M with entries of absolute value ≤ 1. Changing the signs of rows or columns leaves the defining property unaltered, so we may assume that $H_n$ is normalized, that is, that all entries in the first row and first column are +1. It is easily seen that the order n of a Hadamard matrix $(a_{ij})$ can only be 1, 2, or a multiple of 4. For we have

$$\sum_{j=1}^{n} (a_{1j} + a_{2j})(a_{1j} + a_{3j}) = \sum_{j=1}^{n} a_{1j}^2 = n$$

for n ≥ 3, and every term in the first sum is either 0 or 4, hence the result follows. It is conjectured that a Hadamard matrix $H_n$ exists for all those n.
7.31. Example. Hadamard matrices of the lowest orders are:

$$H_1 = (1), \qquad H_2 = \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}, \qquad H_4 = \begin{pmatrix} 1&1&1&1 \\ 1&-1&1&-1 \\ 1&1&-1&-1 \\ 1&-1&-1&1 \end{pmatrix}. \quad \square$$
We descrihc now a construction method for Hadamard matrices using finite fields.
732.
Li'l a" .... a q he Ihe elemellls of Fq , q" 3mod4,
Theorem.
and /('( 1/ he [he quadrl1lic characTer of IF,,. Then The malrix
1/.
~'jlh hl/ = 1]( 0: -
(11)
jor
I -I
hi?
hp
hili
1>.'.1
-I
h2~
h.l. q h'q
- 1
h,j
/)])
-I
h,,-
h'/2
h,,3
l~i.}.::;:;q.i"=l=j.
i-> a lIadamard matrix of order
q' I. Proof Since all c.::ntric.::s arc . I. it "ufflce~ to ~hov. that the mner product of any twO di~tinct rows i~ O. The inner product of the first row with the (i '" I)st row, I ,,; i " q, is
L
1+(-1)+ Lh'/~ L~(a,-(/,)J
to
I
I " I
by (5.12). The inner product of the (i I ~ i < /.. :( 4- b
..
~
~«()-O
E-Ii,;
l)st row with the (k -I)st row.
271
3. l.im:ur Muuultcms
L
1- bAI - htf.. ~
hi/b/..)
II" I,"
~1-1/(a,
L
ak) "~(a,-a;)+ }
1/(a,-a,l11(aJ -a,) f..
' I.
L
~1-ll+1/(-l)h(a,-a,)+
1/((('
a,)(ca,»)-O.
("",-[='{
since ~( I)"~ - I for q = 3mod4 by Rcmark 5J3 and the last sum is -I by Theorcm 5.1 R" :J If II, is a lIadamard matrix of ordcr
II.
then
II, \ -III ,
.
is one of order 2n. Therefore. Hadamard matrices of orders 2'( q + I) with II" 0 and prime powers q '" 3 mod4 can be obtained in this manner. Ily starting from the lIadamard matrix H, in Example 7.31. one can also obtain Hadamard matrices of orders 2". II" O.
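An added example, not from the book: the matrix of Theorem 7.32 for a prime $q \equiv 3 \bmod 4$ (the restriction to primes, so that η can be evaluated by Euler's criterion $a^{(q-1)/2}$, is an assumption of this code), the check $HH^T = nI$ of Definition 7.30, and the doubling step from order n to order 2n. The same character matrix is also built for q = 5 to show that the hypothesis q ≡ 3 mod 4 is essential.

```python
# Added example (not from the book): the Hadamard matrix of Theorem 7.32 for a prime
# q = 3 (mod 4), the defining check H H^T = n I, and the order-doubling step.


def quadratic_character(a, p):
    """eta(a) on F_p, p an odd prime: 0 for a = 0, +1 for nonzero squares, -1 otherwise
    (Euler's criterion a^((p-1)/2) mod p)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def character_matrix(p):
    """The (p+1) x (p+1) matrix H of Theorem 7.32 with a_i = i - 1: first row and first
    column all +1, b_ii = -1 and b_ij = eta(a_i - a_j) for i != j. Built for any odd
    prime p so that the role of the hypothesis p = 3 (mod 4) can be observed."""
    H = [[1] * (p + 1)]
    for i in range(p):
        H.append([1] + [-1 if i == j else quadratic_character(i - j, p) for j in range(p)])
    return H


def is_hadamard(H):
    """Definition 7.30: entries are +-1 and H H^T = n I (distinct rows orthogonal)."""
    n = len(H)
    if any(len(row) != n or any(x not in (1, -1) for x in row) for row in H):
        return False
    return all(sum(x * y for x, y in zip(H[i], H[j])) == (n if i == j else 0)
               for i in range(n) for j in range(i, n))


def paley_hadamard(p):
    """Hadamard matrix of order p + 1 for a prime p = 3 (mod 4) (Theorem 7.32)."""
    if p % 4 != 3:
        raise ValueError("Theorem 7.32 needs q = 3 (mod 4)")
    H = character_matrix(p)
    assert is_hadamard(H)
    return H


def sylvester_double(H):
    """[[H, H], [H, -H]]: a Hadamard matrix of order 2n from one of order n."""
    return [row + row for row in H] + [row + [-x for x in row] for row in H]


if __name__ == "__main__":
    for p in (3, 7, 11, 19):
        print("order", p + 1, "Hadamard:", is_hadamard(paley_hadamard(p)))
    print("order 16 by doubling:", is_hadamard(sylvester_double(paley_hadamard(7))))
    print("q = 5 (not 3 mod 4), same construction Hadamard:", is_hadamard(character_matrix(5)))
```

For q = 5 the inner product of two rows below the first is $-2\eta(a_i - a_k) \neq 0$ because η(-1) = 1, exactly the term the proof kills with η(-1) = -1. Starting from [[1]] and doubling twice reproduces the $H_4$ of Example 7.31.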
3. LINEAR MODULAR SYSTEMS
System theory is a discipline that aims at providing a common abstract basis and unified conceptual framework for studying the behavior of various types and forms of systems. It is a collection of methods as well as special techniques and algorithms for dealing with problems in system analysis, synthesis, identification, optimization, and other areas. It is mainly the mathematical structure of a system that is of interest to a system theorist, and not its physical form or area of applications, or whether a system is electrical, mechanical, economic, biological, chemical, and so on. What matters to the theorist is whether it is linear or nonlinear, discrete-time or continuous-time, deterministic or stochastic, discrete-state or continuous-state, and so on.

In the introduction to this chapter we gave an informal description of systems. We present now a rigorous definition of finite-state systems, which provide an idealized model for a large number of physical devices and phenomena. Ideas and techniques developed for finite-state systems have also been found useful in such diverse problems as the investigation of human nervous activity, the analysis of English syntax, and the design of digital computers.

7.33. Definition. A (complete, deterministic) finite-state system 𝔐 is defined by the following:

(1) A finite, nonempty set $U = \{\alpha_1, \alpha_2, \ldots, \alpha_h\}$, called the input alphabet of 𝔐. An element of U is called an input symbol.
(2) A finite, nonempty set $Y = \{\beta_1, \beta_2, \ldots, \beta_s\}$, called the output alphabet of 𝔐. An element of Y is called an output symbol.
(3) A finite, nonempty set $S = \{\sigma_1, \sigma_2, \ldots, \sigma_r\}$, called the state set of 𝔐. An element of S is called a state.
(4) A next-state function f that maps the set of all ordered pairs $(\sigma_i, \alpha_j)$ into S.
(5) An output function g that maps the set of all ordered pairs $(\sigma_i, \alpha_j)$ into Y.

A finite-state system 𝔐 can be interpreted as a device whose input, output, and state at time t are denoted by u(t), y(t), and s(t), respectively, where these variables are defined for integers t only and assume values taken from U, Y, and S, respectively. Given the state and input of 𝔐 at time t, f specifies the state at time t + 1 and g the output at time t:

$$s(t+1) = f(s(t), u(t)), \qquad y(t) = g(s(t), u(t)).$$
Linear modular systems constitute a special class of finite-state systems, where the input and output alphabets and the state set carry the structure of a vector space over a finite field $\mathbb{F}_q$ and the next-state and output functions are linear. Linear modular systems have found wide applications in computer control circuitry, implementation of error-correcting codes, random number generation, and other digital tasks.

7.34. Definition. A linear modular system (LMS) 𝔐 of order n over $\mathbb{F}_q$ is defined by the following:

(1) A k-dimensional vector space U over $\mathbb{F}_q$, called input space of 𝔐, the elements of which are called inputs and are written as column vectors.
(2) An m-dimensional vector space Y over $\mathbb{F}_q$, called output space of 𝔐, the elements of which are called outputs and are written as column vectors.
(3) An n-dimensional vector space S over $\mathbb{F}_q$, called state space of 𝔐, the elements of which are called states and are written as column vectors.
(4) Four characterizing matrices over $\mathbb{F}_q$:

$$A = (a_{ij})_{n \times n}, \qquad B = (b_{ij})_{n \times k}, \qquad C = (c_{ij})_{m \times n}, \qquad D = (d_{ij})_{m \times k}.$$

The matrix A is called the characteristic matrix of 𝔐.
(5) A rule relating the state at time t + 1 and output at time t to the state and input at time t:

$$s(t+1) = As(t) + Bu(t), \qquad y(t) = Cs(t) + Du(t).$$
An LMS over $\mathbb{F}_q$ can be simulated by a switching circuit incorporating adders, constant multipliers, and delay elements (compare with Chapter 6, Section 1). It is convenient here to use adders summing also more than two field elements. Thus, an adder has two or more inputs $u_1(t), u_2(t), \ldots, u_r(t) \in \mathbb{F}_q$ and a single output $y_1(t) = u_1(t) + u_2(t) + \cdots + u_r(t)$. A constant multiplier with a constant $a \in \mathbb{F}_q$ has a single input $u_1(t) \in \mathbb{F}_q$ and a single output $y_1(t) = a\,u_1(t)$. A delay element has a single input $u_1(t) \in \mathbb{F}_q$ and a single output $y_1(t) = u_1(t-1)$. Symbolically, these components are represented as shown in Figure 7.4.

[FIGURE 7.4 The building blocks of linear modular systems: adder ($y_1(t) = u_1(t) + \cdots + u_r(t)$), constant multiplier ($y_1(t) = a\,u_1(t)$), delay element ($y_1(t) = u_1(t-1)$).]

We describe now how we can obtain a realization of an LMS 𝔐 as a circuit simulating the operations of 𝔐:

1. Draw k input terminals labelled $u_1, \ldots, u_k$, m output terminals labelled $y_1, \ldots, y_m$, and n delay elements, where the output of the ith delay element is $s_i = s_i(t)$ and its input is $s_i' = s_i(t+1)$.
2. Insert an adder in front of each output terminal $y_i$ and each delay element.
3. The inputs to the adder associated with the ith delay element are the $s_j$, each applied via a constant multiplier with constant $a_{ij}$, 1 ≤ i, j ≤ n, and the $u_j$, each applied via a constant multiplier with constant $b_{ij}$, 1 ≤ j ≤ k.
4. The inputs to the adder associated with the output terminal $y_i$, 1 ≤ i ≤ m, are the $s_j$, each applied via a constant multiplier with constant $c_{ij}$, 1 ≤ j ≤ n, and the $u_j$, each applied via a constant multiplier with constant $d_{ij}$, 1 ≤ j ≤ k.
If we define

$$u(t) = \begin{pmatrix} u_1 \\ \vdots \\ u_k \end{pmatrix}, \qquad y(t) = \begin{pmatrix} y_1 \\ \vdots \\ y_m \end{pmatrix}, \qquad s(t) = \begin{pmatrix} s_1 \\ \vdots \\ s_n \end{pmatrix}, \qquad s(t+1) = \begin{pmatrix} s_1' \\ \vdots \\ s_n' \end{pmatrix},$$

then the operation of the circuit represented in Figure 7.5 is precisely that described in Definition 7.34(5).

[FIGURE 7.5 The realization of an LMS as a switching circuit.]

7.35. Example. Let the characterizing matrices A, B, C, D of a fourth-order LMS over $\mathbb{F}_3$ be those given in the original text (their entries are not legible in this copy). Then its realization as a circuit is shown in Figure 7.6.

[FIGURE 7.6 The switching circuit for Example 7.35.]
Conversely, we can describe an arbitrary switching circuit with a finite number of adders, constant multipliers, and delay elements over $\mathbb{F}_q$ as an LMS over $\mathbb{F}_q$ as follows (provided every closed loop contains at least one delay element):

1. Locate in the given circuit all delay elements and all external input and output terminals, and label them as in Figure 7.5.
2. Trace the paths from $s_j$ to $s_i'$ and compute the product of the multiplier constants encountered along each path and add the products. Let $a_{ij}$ denote this sum.
3. Let $b_{ij}$ denote the corresponding sum for the paths from $u_j$ to $s_i'$, $c_{ij}$ for the paths from $s_j$ to $y_i$, $d_{ij}$ for the paths from $u_j$ to $y_i$.

Then the circuit is the realization of an LMS over $\mathbb{F}_q$ with characterizing matrices A, B, C, D.

The states and the outputs of an LMS depend on the initial state s(0) and the sequence of inputs u(t), t = 0, 1, .... The dependence on these data can be expressed explicitly.

7.36. Theorem (General Response Formula). For an LMS with characterizing matrices A, B, C, D we have:

$$\text{(i)}\qquad s(t) = A^t s(0) + \sum_{i=0}^{t-1} A^{t-1-i} B\,u(i) \qquad \text{for } t = 1, 2, \ldots,$$

$$\text{(ii)}\qquad y(t) = C A^t s(0) + \sum_{i=0}^{t} H(t-i)\,u(i) \qquad \text{for } t = 0, 1, \ldots,$$

where

$$H(t) = \begin{cases} D & \text{if } t = 0, \\ C A^{t-1} B & \text{if } t \geq 1. \end{cases}$$

Proof. (i) Let t = 0 in Definition 7.34(5), then s(1) = As(0) + Bu(0), which proves (i) for t = 1. Assume (i) is true for some t ≥ 1, then

$$s(t+1) = As(t) + Bu(t) = A^{t+1} s(0) + \sum_{i=0}^{t} A^{t-i} B\,u(i),$$

which proves (i) for t + 1. (ii) By (i) and Definition 7.34(5) we have

$$y(t) = Cs(t) + Du(t) = CA^t s(0) + \sum_{i=0}^{t} H(t-i)\,u(i),$$

where $H(t-i) = CA^{t-i-1}B$ when t - i ≥ 1 and H(t - i) = D when t - i = 0. □
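An added example, not from the book: a linear modular system of Definition 7.34 over a prime field, clocked step by step as the circuit of Figure 7.5 would be, and compared at every time t with both parts of Theorem 7.36 and with the split of y(t) into the term $CA^t s(0)$ and the term $\sum_{i} H(t-i)u(i)$. The matrices, the initial state and the input sequence are constructed for this example; they are not those of Example 7.35.

```python
# Added example (not from the book): an LMS of Definition 7.34 over a prime field,
# simulated step by step and checked against the General Response Formula
# (Theorem 7.36). The system below is constructed for the example.


def mat_mul(X, Y, q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*Y)] for row in X]


def mat_add(X, Y, q):
    return [[(a + b) % q for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def mat_pow(X, t, q):
    R = [[int(i == j) for j in range(len(X))] for i in range(len(X))]
    for _ in range(t):
        R = mat_mul(R, X, q)
    return R


class LMS:
    """s(t+1) = A s(t) + B u(t), y(t) = C s(t) + D u(t) over F_q, q prime;
    vectors are column matrices (lists of one-element rows)."""

    def __init__(self, A, B, C, D, q):
        self.A, self.B, self.C, self.D, self.q = A, B, C, D, q

    def run(self, s0, inputs):
        """Clock the circuit once per input; returns (states s(0..T), outputs y(0..T-1))."""
        q, s, states, outputs = self.q, s0, [s0], []
        for u in inputs:
            outputs.append(mat_add(mat_mul(self.C, s, q), mat_mul(self.D, u, q), q))
            s = mat_add(mat_mul(self.A, s, q), mat_mul(self.B, u, q), q)
            states.append(s)
        return states, outputs

    def impulse_response(self, t):
        """H(t) of Theorem 7.36: D for t = 0 and C A^(t-1) B for t >= 1."""
        if t == 0:
            return self.D
        return mat_mul(mat_mul(self.C, mat_pow(self.A, t - 1, self.q), self.q), self.B, self.q)

    def state_formula(self, s0, inputs, t):
        """Theorem 7.36(i): s(t) = A^t s(0) + sum_{i<t} A^(t-1-i) B u(i)."""
        q = self.q
        s = mat_mul(mat_pow(self.A, t, q), s0, q)
        for i in range(t):
            term = mat_mul(mat_mul(mat_pow(self.A, t - 1 - i, q), self.B, q), inputs[i], q)
            s = mat_add(s, term, q)
        return s

    def output_formula(self, s0, inputs, t):
        """Theorem 7.36(ii) as (free, forced): C A^t s(0) and sum_{i<=t} H(t-i) u(i)."""
        q = self.q
        free = mat_mul(mat_mul(self.C, mat_pow(self.A, t, q), q), s0, q)
        forced = [[0] for _ in self.C]
        for i in range(t + 1):
            forced = mat_add(forced, mat_mul(self.impulse_response(t - i), inputs[i], q), q)
        return free, forced


# Constructed third-order LMS over F_3 with one input and one output (not Example 7.35).
SYSTEM = LMS(A=[[0, 1, 0], [0, 0, 1], [1, 1, 0]], B=[[0], [0], [1]],
             C=[[1, 0, 1]], D=[[1]], q=3)
S0 = [[1], [0], [0]]
INPUTS = [[[u]] for u in (1, 0, 2, 2, 1, 0, 1)]


def formulas_match(system=SYSTEM, s0=S0, inputs=INPUTS):
    """Simulation agrees with Theorem 7.36 at every t, and y(t) = y_free(t) + y_forced(t)."""
    states, outputs = system.run(s0, inputs)
    for t in range(len(inputs)):
        free, forced = system.output_formula(s0, inputs, t)
        if states[t] != system.state_formula(s0, inputs, t):
            return False
        if outputs[t] != mat_add(free, forced, system.q):
            return False
    return True


if __name__ == "__main__":
    print("Theorem 7.36 verified on the sample run:", formulas_match())
```

With the input held at 0 the run shows only the free component, which is the input-free behaviour studied in the rest of this section; with s(0) = 0 it shows only the forced component.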
By Theorem 7.36(ii) we can decompose the output of an LMS into two components, the free component

$$y(t)_{\text{free}} = CA^t s(0),$$

obtained in case u(t) = 0 for all t ≥ 0, and the forced component

$$y(t)_{\text{forced}} = \sum_{i=0}^{t} H(t-i)\,u(i),$$

obtained by setting s(0) = 0. Given any input sequence u(t), t = 0, 1, ..., and an initial state s(0), these two components can be found separately and then added up.

In the remainder of this section we study the states of an LMS in the input-free case, that is, when u(t) = 0 for all t ≥ 0. Some simple graph-theoretic language will be useful. Given an LMS 𝔐 of order n over $\mathbb{F}_q$ with characteristic matrix A, the state graph of 𝔐, or of A, is an oriented graph with $q^n$ vertices, one for each possible state of 𝔐. An arrow points from state $s_1$ to state $s_2$ if and only if $s_2 = As_1$. In this case we say that $s_1$ leads to $s_2$. A path of length r in a state graph is a sequence of r arrows $b_1, b_2, \ldots, b_r$ and r + 1 vertices $v_1, v_2, \ldots, v_{r+1}$ such that $b_i$ points from $v_i$ to $v_{i+1}$, i = 1, 2, ..., r. If the $v_i$ are distinct except $v_{r+1} = v_1$, the path is called a cycle of length r. If $v_i$ is the only vertex leading to $v_{i+1}$, i = 1, 2, ..., r - 1, and the only vertex leading to $v_1$ is $v_r$, then the cycle is called a pure cycle. For example, a pure cycle of length 8 is given as shown in Figure 7.7. The order of a given state s is the least positive integer t such that $A^t s = s$. Thus, the order of s is the length of the cycle which includes s. In the following, let A be nonsingular, that is, det(A) ≠ 0. It is clear that in this case the corresponding state graph consists of pure cycles only. The order of the characteristic matrix A is the least positive integer t such that $A^t = I$, the n × n identity matrix.

7.37. Lemma. If $t_1, \ldots, t_K$ are the orders of the possible states of an LMS with nonsingular characteristic matrix A, then the order of A is $\mathrm{lcm}(t_1, \ldots, t_K)$.

Proof. Let t be the order of A and $t' = \mathrm{lcm}(t_1, \ldots, t_K)$. Since $A^t s = s$ for every s, t must be a multiple of t'. Also, $(A^{t'} - I)s = 0$ for all s, hence $A^{t'} = I$. Thus t' ≥ t, and therefore t = t'. □
7.38. Lemma. If A has the form

$$A = \begin{pmatrix} A_1 & 0 \\ 0 & A_2 \end{pmatrix}$$

with square matrices $A_1$ and $A_2$, and $\binom{s_1}{0}$ and $\binom{0}{s_2}$ are two states, partitioned according to the partition of A, with orders $t_1$ and $t_2$, respectively, then the order of

$$s = \begin{pmatrix} s_1 \\ s_2 \end{pmatrix}$$

is $\mathrm{lcm}(t_1, t_2)$.

Proof. This follows immediately from the fact that $A^t \binom{s_1}{s_2} = \binom{s_1}{s_2}$ if and only if $A_1^t s_1 = s_1$ and $A_2^t s_2 = s_2$. □

[FIGURE 7.7 A pure cycle of length 8.]
Let 𝔐 be an LMS with nonsingular characteristic matrix A. Up to isomorphisms (i.e., one-to-one and onto mappings τ such that τ($s_1$) leads to τ($s_2$) whenever $s_1$ leads to $s_2$) the state graph of 𝔐 is characterized by the formal sum

$$\Sigma = (n_1, t_1) + (n_2, t_2) + \cdots + (n_R, t_R),$$

which indicates that $n_i$ is the number of cycles of length $t_i$. Σ is called the cycle sum of 𝔐 or of A, and each ordered pair $(n_i, t_i)$ is called a cycle term. Cycle terms are assumed to commute with respect to +, and we observe the convention (n', t) + (n'', t) = (n' + n'', t). Consider a matrix A of the form

$$A = \begin{pmatrix} A_1 & 0 \\ 0 & A_2 \end{pmatrix}$$

with square matrices $A_1$ and $A_2$, and suppose the state graph of $A_i$ has $n_i$ cycles of length $t_i$, i = 1, 2. Hence there are $n_1 t_1$ states of the form $\binom{s_1}{0}$ of order $t_1$, and $n_2 t_2$ states of the form $\binom{0}{s_2}$ of order $t_2$. By Lemma 7.38 the state graph of A must contain $n_1 n_2 t_1 t_2$ states of order $\mathrm{lcm}(t_1, t_2)$ and hence

$$n_1 n_2 t_1 t_2 / \mathrm{lcm}(t_1, t_2) = n_1 n_2 \gcd(t_1, t_2)$$

cycles of length $\mathrm{lcm}(t_1, t_2)$. The product of two cycle terms is the cycle term defined by

$$(n_1, t_1) \cdot (n_2, t_2) = \big(n_1 n_2 \gcd(t_1, t_2),\ \mathrm{lcm}(t_1, t_2)\big).$$

The product of two cycle sums is defined as the formal sum of all possible products of cycle terms from the two given cycle sums. In other words, the product is calculated by the distributive law.

7.39. Theorem. If

$$A = \begin{pmatrix} A_1 & 0 \\ 0 & A_2 \end{pmatrix}$$

and the cycle sums of $A_1$ and $A_2$ are $\Sigma_1$ and $\Sigma_2$, respectively, then the cycle sum of A is $\Sigma_1 \Sigma_2$.
Our aim is to give a procedure for computing the cycle sum of an LMS over $\mathbb{F}_q$ with nonsingular characteristic matrix A. We need some basic facts about matrices. The characteristic polynomial of a square matrix M over $\mathbb{F}_q$ is defined by det(xI - M). The minimal polynomial m(x) of M is the monic polynomial over $\mathbb{F}_q$ of least degree such that m(M) = 0, the zero matrix. For a monic polynomial

$$g(x) = x^s + a_{s-1}x^{s-1} + \cdots + a_1 x + a_0$$

over $\mathbb{F}_q$, its companion matrix is given by

$$M(g(x)) = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ -a_0 & -a_1 & -a_2 & \cdots & -a_{s-1} \end{pmatrix}.$$

Then g(x) is the characteristic polynomial and the minimal polynomial of M(g(x)).

Let M be a square matrix over $\mathbb{F}_q$ with the monic elementary divisors $g_1(x), \ldots, g_w(x)$. Then the product $g_1(x) \cdots g_w(x)$ is equal to the characteristic polynomial of M, and M is similar to

$$M^* = \begin{pmatrix} M(g_1(x)) & & 0 \\ & \ddots & \\ 0 & & M(g_w(x)) \end{pmatrix},$$

that is, $M = P^{-1} M^* P$ for some nonsingular matrix P over $\mathbb{F}_q$. The matrix $M^*$ is called the rational canonical form of M and the submatrices $M(g_i(x))$ are called the elementary blocks of $M^*$. Now let the nonsingular matrix A be the characteristic matrix of an LMS over $\mathbb{F}_q$. For the purpose of computing its cycle sum, A can be replaced by a similar matrix. Thus, we consider the rational canonical form $A^*$ of A. Extending Theorem 7.39 by induction, we obtain the following. Let $g_1(x), \ldots, g_w(x)$ be the monic elementary divisors of A and let $\Sigma_i$ be the cycle sum of the companion matrix $M(g_i(x))$; then the cycle sum Σ of $A^*$, and so of A, is given by

$$\Sigma = \Sigma_1 \Sigma_2 \cdots \Sigma_w.$$
Let the characteristic polynomial f(x) of A have the canonical factorization

$$f(x) = \prod_{j=1}^{r} p_j(x)^{e_j},$$

where the $p_j(x)$ are distinct monic irreducible polynomials over $\mathbb{F}_q$. Then the elementary divisors of A are of the form

$$p_j(x)^{e_{j1}},\ p_j(x)^{e_{j2}},\ \ldots,\ p_j(x)^{e_{j m_j}}, \qquad j = 1, 2, \ldots, r,$$

where $e_{j1} \geq e_{j2} \geq \cdots \geq e_{j m_j} \geq 1$ and $e_{j1} + e_{j2} + \cdots + e_{j m_j} = e_j$. The minimal polynomial of A is equal to

$$m(x) = \prod_{j=1}^{r} p_j(x)^{e_{j1}}.$$

It remains to consider the question of determining the cycle sum of a typical elementary block $M(g_i(x))$ of $A^*$, where $g_i(x)$ is of the form $p(x)^e$ for some monic irreducible factor p(x) of f(x). The following result provides the required information.

7.40. Theorem. Let p(x) be a monic irreducible polynomial over $\mathbb{F}_q$ of degree d and let $t_h = \mathrm{ord}(p(x)^h)$. Then the cycle sum of $M(p(x)^e)$ is given by

$$(1, 1) + \Big(\frac{q^d - 1}{t_1},\ t_1\Big) + \Big(\frac{q^{2d} - q^d}{t_2},\ t_2\Big) + \cdots + \Big(\frac{q^{ed} - q^{(e-1)d}}{t_e},\ t_e\Big).$$

In summary, we obtain the following procedure for determining the cycle sum of an LMS 𝔐 over $\mathbb{F}_q$ with nonsingular characteristic matrix A:

C1. Find the elementary divisors of A, say $g_1(x), \ldots, g_w(x)$. Let $g_i(x) = f_i(x)^{m_i}$, where $f_i(x)$ is monic and irreducible over $\mathbb{F}_q$.
C2. Find the orders $\mathrm{ord}(f_i(x))$.
C3. Evaluate the orders $t_h^{(i)} = \mathrm{ord}(f_i(x)^h)$ for i = 1, 2, ..., w and $h = 1, 2, \ldots, m_i$ by the formula $t_h^{(i)} = \mathrm{ord}(f_i(x))\,p^{c_h}$, where p is the characteristic of $\mathbb{F}_q$ and $c_h$ is the least integer such that $p^{c_h} \geq h$ (see Theorem 3.8).
C4. Determine the cycle sum $\Sigma_i$ of $M(g_i(x))$ for i = 1, 2, ..., w according to Theorem 7.40.
C5. The cycle sum Σ of 𝔐 is given by $\Sigma = \Sigma_1 \Sigma_2 \cdots \Sigma_w$.
7.41. Example. Let the characteristic matrix of an LMS 𝔐 over $\mathbb{F}_2$ be given as

$$A = \begin{pmatrix} 0&1&0&0&0 \\ 0&0&1&0&0 \\ 1&1&1&0&0 \\ 0&0&0&0&1 \\ 0&0&0&1&1 \end{pmatrix}.$$

Here

$$g_1(x) = x^3 + x^2 + x + 1 = (x+1)^3, \quad f_1(x) = x + 1, \quad m_1 = 3, \qquad g_2(x) = x^2 + x + 1, \quad f_2(x) = x^2 + x + 1, \quad m_2 = 1.$$

Steps C2 and C3 yield $t_1^{(1)} = 1$, $t_2^{(1)} = 2$, $t_3^{(1)} = 4$, $t_1^{(2)} = 3$. Hence by Theorem 7.40,

$$\Sigma_1 = (1,1) + (1,1) + (1,2) + (1,4) = (2,1) + (1,2) + (1,4), \qquad \Sigma_2 = (1,1) + (1,3),$$

and so

$$\Sigma = \Sigma_1 \Sigma_2 = [(2,1) + (1,2) + (1,4)]\,[(1,1) + (1,3)] = (2,1) + (1,2) + (2,3) + (1,4) + (1,6) + (1,12).$$

Thus the state graph of 𝔐 consists of two cycles of length 1, one cycle of length 2, two cycles of length 3, and one cycle each of length 4, 6, and 12. □
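An added example, not from the book: the cycle sum of Example 7.41 obtained two ways, by walking the whole state graph of A over $\mathbb{F}_2$ (feasible only for small n, but it is the definition itself) and by Theorem 7.40 together with the cycle-term product of Theorem 7.39; the two agree, and Lemma 7.37 then gives the order of A. Polynomials over $\mathbb{F}_2$ are encoded as bit vectors (bit i = coefficient of $x^i$) and states as bit vectors as well; both encodings are this example's choice.

```python
# Added example (not from the book): the cycle sum of an LMS over F_2 computed by
# walking the state graph of a (small) nonsingular characteristic matrix, and by
# Theorem 7.40 plus the cycle-term product of Theorem 7.39, on Example 7.41.
from math import gcd


def companion_gf2(poly):
    """Companion matrix over F_2 of a monic polynomial given as a bit vector
    (bit i = coefficient of x^i). Rows are bit vectors with bit j of row i = a_ij;
    the last row holds a_0, ..., a_{s-1} (signs are irrelevant in characteristic 2)."""
    s = poly.bit_length() - 1
    return [1 << (i + 1) for i in range(s - 1)] + [poly & ((1 << s) - 1)]


def block_diag(*blocks):
    rows, offset = [], 0
    for b in blocks:
        rows.extend(r << offset for r in b)
        offset += len(b)
    return rows


def apply(A, v):
    """A v over F_2 for a state v encoded as a bit vector (bit j = coordinate j)."""
    return sum((bin(row & v).count("1") & 1) << i for i, row in enumerate(A))


def cycle_sum_by_walking(A):
    """{cycle length: number of cycles} of the state graph of A (all 2^n states)."""
    image = [apply(A, v) for v in range(1 << len(A))]
    if len(set(image)) != len(image):
        raise ValueError("A is singular; the state graph is not a union of pure cycles")
    seen, counts = set(), {}
    for v in range(len(image)):
        if v in seen:
            continue
        length, w = 0, v
        while True:                      # follow the pure cycle through v
            seen.add(w)
            w, length = image[w], length + 1
            if w == v:
                break
        counts[length] = counts.get(length, 0) + 1
    return dict(sorted(counts.items()))


def cycle_sum_product(S1, S2):
    """Theorem 7.39: (n1, t1)(n2, t2) = (n1 n2 gcd(t1, t2), lcm(t1, t2)), distributed."""
    out = {}
    for t1, n1 in S1.items():
        for t2, n2 in S2.items():
            t = t1 * t2 // gcd(t1, t2)
            out[t] = out.get(t, 0) + n1 * n2 * gcd(t1, t2)
    return dict(sorted(out.items()))


def cycle_sum_elementary_block(q, d, orders):
    """Theorem 7.40 for M(p(x)^e): p irreducible of degree d over F_q and
    orders = [ord(p), ord(p^2), ..., ord(p^e)]."""
    S = {1: 1}
    for h, t in enumerate(orders, start=1):
        S[t] = S.get(t, 0) + (q ** (h * d) - q ** ((h - 1) * d)) // t
    return dict(sorted(S.items()))


def matrix_order(S):
    """Lemma 7.37: the order of A is the lcm of all state orders."""
    order = 1
    for t in S:
        order = order * t // gcd(order, t)
    return order


# Example 7.41: A = diag(M((x+1)^3), M(x^2+x+1)) over F_2, polynomials as bit vectors.
A_EXAMPLE = block_diag(companion_gf2(0b1111), companion_gf2(0b111))

if __name__ == "__main__":
    walked = cycle_sum_by_walking(A_EXAMPLE)
    s1 = cycle_sum_elementary_block(2, 1, [1, 2, 4])   # (x+1)^3: ord((x+1)^h) = 1, 2, 4
    s2 = cycle_sum_elementary_block(2, 2, [3])         # x^2 + x + 1: ord = 3
    print("walked      ", walked)
    print("Theorem 7.40", cycle_sum_product(s1, s2))
    print("order of A  ", matrix_order(walked))
```

The walk is the ground truth and costs $2^n$ steps; the procedure C1 to C5 replaces it by a computation on the elementary divisors, which is what makes large n tractable. The singularity check matters: for a singular A the walk would loop on states that are not on a cycle.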
From C5 it follows that the state orders realizable by 𝔐 are given by

$$\mathrm{lcm}\big(t_{h_1}^{(1)}, t_{h_2}^{(2)}, \ldots, t_{h_w}^{(w)}\big)$$

for every combination of integers $h_1, \ldots, h_w$ with $0 \leq h_i \leq m_i$, where $t_0^{(i)} = 1$. If one wishes to compute all possible state orders realizable by 𝔐, without computing its cycle sum, one uses the following theorem.

7.42. Theorem. Let 𝔐 be an LMS with nonsingular characteristic matrix A. Let the canonical factorization of the minimal polynomial of A be

$$m(x) = p_1(x)^{b_1} \cdots p_r(x)^{b_r}$$

and let $t_h^{(j)} = \mathrm{ord}(p_j(x)^h)$. Then the state orders realizable by 𝔐 are given by all the integers of the form

$$\mathrm{lcm}\big(t_{h_1}^{(1)}, \ldots, t_{h_r}^{(r)}\big) \qquad \text{with } 0 \leq h_j \leq b_j \text{ for } 1 \leq j \leq r.$$

4. PSEUDORANDOM SEQUENCES
The notion of a random sequence of events is basic in probability theory and statistics. Let us take a standard model for the description of this notion. Consider an experiment in which an unbiased coin is flipped repeatedly. Mark down 0 for heads and 1 for tails. The result of this experiment is then a sequence of binary digits (or bits in the parlance of computer science) which will display typical features of randomness. For instance, the relative frequency of each bit will approach 1/2 in the long run, and the relative frequency of two successive 0's (or of two successive 1's) will approach 1/4 in the long run. More generally, for any given block of m bits the relative frequency of this block among all the blocks of m successive bits in the sequence will approach $2^{-m}$ in the long run. In short, the sequence can be expected to have all the statistical properties satisfied by a sequence of independent random variables which attain each value 0 and 1 with probability 1/2.

Flipping coins is thus not just an idle pastime, but can serve as a method for generating random sequences of bits. Since there is no guarantee that our coin is truly unbiased, the generated sequence should be subjected to tests for randomness. For instance, we may check the statistical quantities mentioned above, namely the relative frequency of each bit (distribution test) and the relative frequency of blocks of bits (serial test). Another popular test for randomness is the correlation test, which is based on the calculation of the correlation coefficients

$$C_N(h) = \sum_{n=0}^{N-1} (-1)^{s_n + s_{n+h}} \tag{7.6}$$

of the given sequence $s_0, s_1, \ldots$ of bits for positive integers N and h. The correlation coefficient $C_N(h)$ can be interpreted as follows: write the shifted sequence $s_h, s_{h+1}, \ldots$ underneath the original sequence and count the agreements and disagreements among the first N corresponding terms; then $C_N(h)$ is equal to the number of agreements minus the number of disagreements. For a random sequence of bits $C_N(h)$ should be relatively small compared to N.

Random sequences of bits are used frequently for simulation purposes, for various applications in electrical engineering, and also in cryptography (see Chapter 9, Section 2). In practice, the generation of such sequences by coin flipping or similar physical means is problematic. First of all, the practical applications require long strings of bits, and the physical generation of all those bits may simply take too long. Furthermore, it is an established principle that scientific calculations have to be reproducible and verifiable, and this means that all the bits used in a calculation must be stored for later recall. This may tie up a lot of the computer's memory capacity. In many applications it is therefore preferable to work with sequences of bits that can be generated directly in the computer. Since the computer only responds to deterministic programs, the resulting sequences will not be random. However, we can try to generate deterministic sequences of bits that pass various tests for randomness. Such deterministic sequences are called pseudorandom sequences of bits.

A commonly employed method of generating pseudorandom sequences of bits is based on the use of suitable linear recurrence relations in the finite field $\mathbb{F}_2$. The sequences that one generates are the maximal period sequences introduced in Chapter 6. We will show that, with certain qualifications, maximal period sequences in $\mathbb{F}_2$ pass the tests for randomness described above, namely the distribution test, the serial test, and the correlation test. Since there is no extra effort involved, we will establish the relevant facts for maximal period sequences in an arbitrary finite field $\mathbb{F}_q$. We are thus dealing with pseudorandom sequences of elements of $\mathbb{F}_q$.
4. Pseudorandom Sequences   283
We recall from Chapter 6 that a $k$th-order maximal period sequence in $\mathbb{F}_q$ is a sequence $s_0, s_1, \ldots$ of elements of $\mathbb{F}_q$ generated by a linear recurrence relation

$$s_{n+k} = a_{k-1}s_{n+k-1} + \cdots + a_0 s_n \quad \text{for } n = 0, 1, \ldots, \tag{7.7}$$

for which the characteristic polynomial $x^k - a_{k-1}x^{k-1} - \cdots - a_0$ is a primitive polynomial over $\mathbb{F}_q$ and not all initial values $s_0, \ldots, s_{k-1}$ are 0. A $k$th-order maximal period sequence is periodic with least period $r = q^k - 1$ (see Theorem 6.33). A requirement we have to impose is that $r$ be very large, say at least as large as the total number of pseudorandom elements of $\mathbb{F}_q$ to be used in the specific application. In this way the periodicity of the sequence, which is a distinctly nonrandom feature, will not come into play. With this proviso we will now investigate the performance of maximal period sequences under tests
for randomness. The distribution test and the serial test can be treated simultaneously. For $b = (b_1, \ldots, b_m) \in \mathbb{F}_q^m$ let $Z(b)$ be the number of $n$, $0 \le n \le r - 1$, such that $s_{n+i-1} = b_i$ for $1 \le i \le m$. The case $m = 1$ corresponds to the distribution test and was already dealt with on p. 240. The case $m \ge 2$ corresponds to the serial test for blocks of length $m$. The following result shows that $Z(b)$ is close to the ideal number $r/q^m$ provided that $m$ is not too large.

7.43. Theorem. Let $1 \le m \le k$ and $b \in \mathbb{F}_q^m$. Then for any $k$th-order maximal period sequence in $\mathbb{F}_q$ we have

$$Z(b) = \begin{cases} q^{k-m} - 1 & \text{for } b = 0, \\ q^{k-m} & \text{for } b \ne 0. \end{cases}$$

Proof. Since $r = q^k - 1$, the state vectors $\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{r-1}$ of the sequence run exactly through all nonzero vectors in $\mathbb{F}_q^k$. Therefore $Z(b)$ is equal to the number of nonzero vectors $\mathbf{s} \in \mathbb{F}_q^k$ that have $b$ as the $m$-tuple of their first $m$ coordinates. For $b \ne 0$ we can have all possible combinations of elements of $\mathbb{F}_q$ in the remaining $k - m$ coordinates of $\mathbf{s}$, so that $Z(b) = q^{k-m}$. For $b = 0$ we have to exclude the possibility that all the remaining $k - m$ coordinates of $\mathbf{s}$ are 0, hence $Z(b) = q^{k-m} - 1$. □
Theorem 6.85 shows that parts of the period of a maximal period sequence also perform well under the distribution test. We now turn to the correlation test for a maximal period sequence $s_0, s_1, \ldots$ in $\mathbb{F}_q$. We first extend the definition of correlation coefficients in (7.6) to the general case. Let $\chi$ be a fixed nontrivial additive character of $\mathbb{F}_q$ (compare with Chapter 5, Section 1) and set

$$C_N(h) = \sum_{n=0}^{N-1} \chi(s_n - s_{n+h}) \tag{7.8}$$

for positive integers $N$ and $h$. For $q = 2$ this definition reduces to (7.6) since
there is only one nontrivial additive character of $\mathbb{F}_2$ and it is given by $\chi(0) = 1$, $\chi(1) = -1$. In the case $N = r$ we can give explicit formulas for the correlation coefficients.

7.44. Theorem. For any maximal period sequence in $\mathbb{F}_q$ with least period $r$ we have

$$C_r(h) = \begin{cases} r & \text{if } h \equiv 0 \bmod r, \\ -1 & \text{if } h \not\equiv 0 \bmod r. \end{cases}$$

Proof. If $h \equiv 0 \bmod r$, then $s_n = s_{n+h}$ for all $n \ge 0$ and the result follows immediately from (7.8). If $h \not\equiv 0 \bmod r$, then $u_n = s_n - s_{n+h}$, $n = 0, 1, \ldots$, defines a sequence satisfying the same linear recurrence relation as $s_0, s_1, \ldots$. By Lemma 6.4, $u_0, u_1, \ldots$ cannot be the zero sequence, and so it is again a maximal period sequence in $\mathbb{F}_q$. Applying Theorem 7.43 with $m = 1$ to this sequence, we get

$$C_r(h) = \sum_{n=0}^{r-1} \chi(s_n - s_{n+h}) = \sum_{n=0}^{r-1} \chi(u_n) = (q^{k-1} - 1)\chi(0) + q^{k-1}\sum_{b \in \mathbb{F}_q^*} \chi(b) = -1 + q^{k-1}\sum_{b \in \mathbb{F}_q} \chi(b) = -1,$$

where we used (5.9) in the last step. □

7.45. Example. Consider the linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_2$ with $s_{n+5} = s_{n+2} + s_n$ for $n = 0, 1, \ldots$ and initial values $s_0 = s_2 = s_4 = 1$, $s_1 = s_3 = 0$. Since $x^5 - x^2 - 1$ is a primitive polynomial over $\mathbb{F}_2$, this sequence is a maximal period sequence in $\mathbb{F}_2$ with least period $r = 2^5 - 1 = 31$. Write down the 31 bits making up the period of the sequence and underneath the first 31 terms of the sequence shifted by $h = 3$ terms to the left:

1010100001001011001111100011011
0100001001011001111100011011101

The number of agreements of corresponding terms is 15, the number of disagreements is 16, hence $C_{31}(3) = 15 - 16 = -1$, in accordance with Theorem 7.44. If we consider the pairs $(s_n, s_{n+1})$, $n = 0, 1, \ldots, 30$, then there are 7 of type $(0,0)$ and 8 each of type $(0,1)$, $(1,0)$, and $(1,1)$, in accordance with Theorem 7.43. □

For $N < r$ we can give bounds for the correlation coefficients $C_N(h)$, and in the trivial case $h \equiv 0 \bmod r$ we have an explicit formula.

7.46. Theorem. For any $k$th-order maximal period sequence in $\mathbb{F}_q$ and $1 \le N < r = q^k - 1$ we have $C_N(h) = N$ if $h \equiv 0 \bmod r$ and

$$|C_N(h)| < q^{k/2}\left(\frac{2}{\pi}\log r + \frac{2}{5} + \frac{N}{r}\right) \quad \text{if } h \not\equiv 0 \bmod r.$$

Proof. We proceed as in the proof of Theorem 7.44. If $h \equiv 0 \bmod r$, then $u_n = s_n - s_{n+h} = 0$ for all $n \ge 0$ and so $C_N(h) = N$. If $h \not\equiv 0 \bmod r$, then $u_0, u_1, \ldots$ is a $k$th-order maximal period sequence in $\mathbb{F}_q$ and so

$$|C_N(h)| = \left|\sum_{n=0}^{N-1} \chi(u_n)\right| < q^{k/2}\left(\frac{2}{\pi}\log r + \frac{2}{5} + \frac{N}{r}\right)$$

by Theorem 6.81, since $n_0 = 0$ and $R = r$ in this case. □
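The counts in Example 7.45 and the statements of Theorems 7.43, 7.44 and 7.46 can be checked mechanically. The following Python program is an added illustration for this page and is not part of the book: it implements the recurrence (7.7) over a prime field $\mathbb{F}_p$, the counts $Z(b)$, and the correlation coefficients $C_N(h)$ with the canonical additive character $\chi(x) = e^{2\pi i x/p}$, which for $p = 2$ is the character $\chi(0) = 1$, $\chi(1) = -1$ of (7.6). All function names are chosen here; the second test sequence, over $\mathbb{F}_3$ with the primitive characteristic polynomial $x^2 + x + 2$ (so $s_{n+2} = 2s_{n+1} + s_n$, least period 8), is a constructed example, not one from the book.

```python
"""Distribution/serial test (Theorem 7.43) and correlation test (Theorems 7.44,
7.46) for maximal period sequences over a prime field F_p.  Added example."""
import cmath
import math
from collections import Counter
from itertools import product


def lfsr(p, coeffs, init, length):
    """First `length` terms of the linear recurring sequence (7.7)
    s_{n+k} = a_{k-1} s_{n+k-1} + ... + a_0 s_n over F_p, where
    coeffs = [a_0, ..., a_{k-1}] and init = [s_0, ..., s_{k-1}]."""
    k = len(coeffs)
    s = list(init)
    while len(s) < length:
        s.append(sum(a * x for a, x in zip(coeffs, s[-k:])) % p)
    return s[:length]


def block_counts(p, s, r, m):
    """Z(b) of Theorem 7.43 for every b in F_p^m: how often the m-tuple
    (s_n, ..., s_{n+m-1}) equals b for 0 <= n <= r-1 (indices taken mod r)."""
    seen = Counter(tuple(s[(n + i) % r] for i in range(m)) for n in range(r))
    return {b: seen.get(b, 0) for b in product(range(p), repeat=m)}


def correlation(p, s, n_terms, h):
    """C_N(h) = sum_{n<N} chi(s_n - s_{n+h}) for chi(x) = exp(2*pi*i*x/p).
    For p = 2 this is the number of agreements minus disagreements."""
    return sum(cmath.exp(2j * math.pi * ((s[n] - s[n + h]) % p) / p)
               for n in range(n_terms))


def correlation_bound(p, k, n_terms):
    """Right-hand side of the bound in Theorem 7.46 (from Theorem 6.81)."""
    r = p ** k - 1
    return p ** (k / 2) * (2 / math.pi * math.log(r) + 2 / 5 + n_terms / r)


def example_7_45():
    """x^5 - x^2 - 1 over F_2: s_{n+5} = s_{n+2} + s_n, s_0..s_4 = 1,0,1,0,1."""
    p, k = 2, 5
    r = p ** k - 1
    s = lfsr(p, [1, 0, 1, 0, 0], [1, 0, 1, 0, 1], r + 3)
    bits = "".join(map(str, s[:r]))
    c31_3 = round(correlation(p, s, r, 3).real)   # agreements - disagreements
    pairs = block_counts(p, s, r, 2)               # serial test, m = 2
    return bits, c31_3, pairs


def check_tests(p, coeffs, init):
    """Verify Theorems 7.43, 7.44 and 7.46 for one maximal period sequence.
    Returns (distribution/serial ok, full-period correlation ok, bound ok)."""
    k = len(coeffs)
    r = p ** k - 1
    s = lfsr(p, coeffs, init, 2 * r)
    dist_ok = all(
        count == p ** (k - m) - (0 if any(b) else 1)
        for m in range(1, k + 1)
        for b, count in block_counts(p, s, r, m).items()
    )
    corr_ok = all(abs(correlation(p, s, r, h) + 1) < 1e-9 for h in range(1, r))
    bound_ok = all(
        abs(correlation(p, s, n_terms, h)) < correlation_bound(p, k, n_terms)
        for n_terms in range(1, r)
        for h in range(1, r)
    )
    return dist_ok, corr_ok, bound_ok


if __name__ == "__main__":
    print(example_7_45())
    print(check_tests(2, [1, 0, 1, 0, 0], [1, 0, 1, 0, 1]))
    print(check_tests(3, [1, 2], [0, 1]))   # constructed F_3 example
```

For $p > 2$ the coefficients $C_N(h)$ are complex numbers; Theorem 7.44 still gives the real value $-1$ over a full period, which the program verifies up to floating-point rounding.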
If we take every second term of a random sequence of elements of $\mathbb{F}_q$, we would expect that the resulting subsequence has again randomness properties. More generally, the property of being a random sequence should be invariant under the operations of decimation defined as follows. If $\sigma$ is a given sequence $s_0, s_1, s_2, \ldots$ of elements of $\mathbb{F}_q$ and $d \ge 1$ and $h \ge 0$ are integers, then the decimated sequence $\sigma_d^{(h)}$ has the terms $s_h, s_{h+d}, s_{h+2d}, \ldots$. In other words, $\sigma_d^{(h)}$ is obtained by taking every $d$th term of $\sigma$, starting from $s_h$. The following result shows that the property of being a maximal period sequence in $\mathbb{F}_q$ is invariant under many decimations. This can be viewed as further evidence that maximal period sequences are good candidates for pseudorandom sequences.

7.47. Theorem. Let $\sigma$ be a given $k$th-order maximal period sequence in $\mathbb{F}_q$. Then $\sigma_d^{(h)}$ is a $k$th-order maximal period sequence in $\mathbb{F}_q$ if and only if $\gcd(d, q^k - 1) = 1$, and $\sigma_d^{(h)}$ is a maximal period sequence in $\mathbb{F}_q$ satisfying the same linear recurrence relation as $\sigma$ (or, equivalently, $\sigma_d^{(h)}$ is a shifted version of $\sigma$) if and only if $d \equiv q^j \bmod (q^k - 1)$ for some $j$ with $0 \le j \le k - 1$.

Proof. Denote the terms of $\sigma$ and $\sigma_d^{(h)}$ by $s_n$ and $u_n$, respectively. The minimal polynomial of $\sigma$ is a primitive polynomial $f(x)$ over $K = \mathbb{F}_q$ of degree $k$. If $\alpha$ is a fixed root of $f(x)$ in $F = \mathbb{F}_{q^k}$, then $\alpha$ is a primitive element of $F$ (see Definition 3.15). By Theorem 6.24 there is a unique $\theta \in F^*$ such that

$$s_n = \mathrm{Tr}_{F/K}(\theta\alpha^n) \quad \text{for all } n \ge 0.$$

It follows that

$$u_n = s_{h+nd} = \mathrm{Tr}_{F/K}(\beta(\alpha^d)^n) \quad \text{for all } n \ge 0,$$

where $\beta = \theta\alpha^h \in F^*$. Let $f_d(x)$ be the minimal polynomial of $\alpha^d$ over $K$. Then the calculation in the proof of Theorem 6.24 shows that $\sigma_d^{(h)}$ is a linear recurring sequence with characteristic polynomial $f_d(x)$. If $\gcd(d, q^k - 1) = 1$, then $\alpha^d$ is a primitive element of $F$, and so $f_d(x)$ is a primitive polynomial over $K$ of degree $k$. Since $\beta \ne 0$, not all $u_n$ are 0, thus $\sigma_d^{(h)}$ is a $k$th-order maximal period sequence in $\mathbb{F}_q$. If $\gcd(d, q^k - 1) > 1$, then $\alpha^d$ is not a primitive element of $F$, and so $\sigma_d^{(h)}$ cannot be a $k$th-order maximal period sequence in $\mathbb{F}_q$. The first part of the theorem is thus shown. Furthermore, $\sigma_d^{(h)}$ is a maximal period sequence in $\mathbb{F}_q$ satisfying the same linear recurrence relation as $\sigma$ if and only if $f_d(x) = f(x)$. By Theorem 2.14, this identity holds if and only if $\alpha^d = \alpha^{q^j}$, hence $d \equiv q^j \bmod (q^k - 1)$, for some $j$ with $0 \le j \le k - 1$. Since the state vectors of $\sigma$ run through all nonzero vectors in $\mathbb{F}_q^k$, the maximal period sequences in $\mathbb{F}_q$ satisfying the same linear recurrence relation as $\sigma$ are exactly the shifted versions of $\sigma$. □

Maximal period sequences possess a universality property, in the sense that a much larger class of linear recurring sequences can be derived from them by applying decimations.

7.48. Theorem. Let $\sigma$ be a given $k$th-order maximal period sequence in $\mathbb{F}_q$. Then every linear recurring sequence in $\mathbb{F}_q$ having an irreducible minimal polynomial $g(x)$ with $g(0) \ne 0$ and $\deg(g(x))$ dividing $k$ can be obtained from $\sigma$ by applying a suitable decimation.

Proof. If the terms of $\sigma$ are denoted by $s_n$, then as in the proof of Theorem 7.47 we have

$$s_n = \mathrm{Tr}_{F/K}(\theta\alpha^n) \quad \text{for all } n \ge 0,$$

where $\alpha$ is a primitive element of $F = \mathbb{F}_{q^k}$, $\theta \in F^*$, and $K = \mathbb{F}_q$. Let $u_0, u_1, \ldots$ be a linear recurring sequence in $\mathbb{F}_q$ with irreducible minimal polynomial $g(x)$, where $g(0) \ne 0$ and $m = \deg(g(x))$ divides $k$. Then $g(x)$ has a root $\gamma \in E = \mathbb{F}_{q^m}$, and $\gamma \ne 0$ since $g(0) \ne 0$. Furthermore, $E$ is a subfield of $F$ by Theorem 2.6. It follows that there exists an integer $d \ge 1$ such that $\gamma = \alpha^d$. By Theorem 6.24 we have $u_n = \mathrm{Tr}_{E/K}(\beta\gamma^n)$ for all $n \ge 0$, where $\beta \in E^*$. Let $\delta \in F^*$ be such that $\mathrm{Tr}_{F/E}(\delta) = \beta$, and choose an integer $h \ge 0$ with $\theta\alpha^h = \delta$. Then by the transitivity of the trace (see Theorem 2.26) we have

$$s_{h+nd} = \mathrm{Tr}_{F/K}(\theta\alpha^{h+nd}) = \mathrm{Tr}_{F/K}(\delta\gamma^n) = \mathrm{Tr}_{E/K}(\mathrm{Tr}_{F/E}(\delta\gamma^n)) = \mathrm{Tr}_{E/K}(\beta\gamma^n) = u_n$$

for all $n \ge 0$, and so the sequence $u_0, u_1, \ldots$ is equal to the decimated sequence $\sigma_d^{(h)}$. □

The condition $g(0) \ne 0$ in Theorem 7.48 rules out the case $g(x) = x$ in which the sequence has the form $c, 0, 0, \ldots$ with $c \ne 0$. Such a sequence has preperiod 1, and thus it cannot be derived from $\sigma$ by a decimation since every decimated sequence $\sigma_d^{(h)}$ is periodic.
In the special case $d = 1$ we write $\sigma_1^{(h)} = \sigma^{(h)}$, which is the sequence obtained by shifting $\sigma$ by $h$ terms. Maximal period sequences can be characterized in terms of a structural property of the set of all shifted sequences. We use again the termwise operations for sequences introduced in Chapter 6, Section 5.

7.49. Theorem. If $\sigma$ is a nonzero periodic sequence of elements of $\mathbb{F}_q$, then the shifted sequences $\sigma^{(h)}$, $h = 0, 1, \ldots$, together with the zero sequence form a vector space over $\mathbb{F}_q$ under termwise operations for sequences if and only if $\sigma$ is a maximal period sequence in $\mathbb{F}_q$.

Proof. If $\sigma$ is a $k$th-order maximal period sequence in $\mathbb{F}_q$, then the initial state vectors of the sequences $\sigma^{(h)}$, $h = 0, 1, \ldots, q^k - 2$, and of the zero sequence run exactly through all vectors in $\mathbb{F}_q^k$. From this it follows easily that these sequences form a vector space over $\mathbb{F}_q$. Note also that any shifted sequence $\sigma^{(h)}$

7.50. Example. Let $\sigma$ be the linear recurring sequence $s_0, s_1, \ldots$ in $\mathbb{F}_2$ with $s_{n+4} = s_{n+1} + s_n$ for $n = 0, 1, \ldots$ and initial values $s_0 = s_1 = s_2 = 0$, $s_3 = 1$. Since $x^4 - x - 1$ is a primitive polynomial over $\mathbb{F}_2$, $\sigma$ is a maximal period sequence in $\mathbb{F}_2$ with least period $r = 2^4 - 1 = 15$. The 15 bits making up the period of $\sigma$ are

0 0 0 1 0 0 1 1 0 1 0 1 1 1 1.

As an illustration of Theorem 7.48 we derive all the linear recurring sequences in $\mathbb{F}_2$ having an irreducible minimal polynomial $g(x) \ne x$ with $\deg(g(x)) = 1$ or 2 by applying a suitable decimation to $\sigma$. The constant sequence $1, 1, 1, \ldots$ $(= \sigma_{15}^{(3)})$ has minimal polynomial $x - 1$, and the periodic sequences $0, 1, 1, \ldots$ $(= \sigma_5^{(1)})$, $1, 0, 1, \ldots$ $(= \sigma_5^{(3)})$, and $1, 1, 0, \ldots$ $(= \sigma_5^{(6)})$ with least period 3 represent all the linear recurring sequences in $\mathbb{F}_2$ with minimal polynomial $x^2 - x - 1$. As an illustration of Theorem 7.49 we note that $\sigma + \sigma^{(3)}$ must be either a shifted version of $\sigma$ or the zero sequence, and in fact $\sigma + \sigma^{(3)} = \sigma^{(14)}$. On the other hand, if $\tau$ is the linear recurring sequence $t_0, t_1, \ldots$ in $\mathbb{F}_2$ with $t_{n+4} = t_{n+3} + t_{n+2} + t_{n+1} + t_n$ for $n = 0, 1, \ldots$ and initial values $t_0 = t_1 = t_2 = 0$, $t_3 = 1$, then $\tau$ is the periodic sequence $0, 0, 0, 1, 1, \ldots$ with least period 5 and $\tau + \tau^{(3)}$ is neither a shifted version of $\tau$ nor the zero sequence. This is again in accordance with Theorem 7.49 since $\tau$ is not a maximal period sequence in $\mathbb{F}_2$. □
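The decimations and sums of Example 7.50 can be verified directly from the 15-bit period of $\sigma$. The following Python program is an added illustration for this page and is not the book's code; it takes the period of $\sigma$ and the period $0, 0, 0, 1, 1$ of $\tau$ from the example as constructed input, and checks both criteria of Theorem 7.47 for every $d$ with $1 \le d \le 15$ (where $q^j \bmod 15$ runs through $1, 2, 4, 8$) as well as the vector-space property of Theorem 7.49. Function names are chosen here.

```python
"""Decimations (Theorems 7.47, 7.48) and shifted-sequence sums (Theorem 7.49)
for sigma of Example 7.50.  Added example, not the book's code."""
from math import gcd

R = 15                                          # least period of sigma
PERIOD = [int(c) for c in "000100110101111"]    # the 15 bits of Example 7.50
TAU_PERIOD = [0, 0, 0, 1, 1]                    # tau of Example 7.50, least period 5


def sigma(n):
    """n-th term of sigma, read off from its period."""
    return PERIOD[n % R]


def tau(n):
    return TAU_PERIOD[n % 5]


def decimate(term, d, h, length):
    """sigma_d^{(h)}: the terms s_h, s_{h+d}, s_{h+2d}, ... of the sequence term(n)."""
    return [term(h + n * d) for n in range(length)]


def least_period(seq):
    """Least period of a purely periodic sequence, given enough of its terms."""
    n = len(seq)
    return next(u for u in range(1, n) if seq[:n - u] == seq[u:])


def is_shift_of(seq, term, r):
    """Is the periodic sequence seq (period r) equal to term^{(h)} for some h?"""
    return any(seq[:r] == [term(n + h) for n in range(r)] for h in range(r))


def decimation_properties(d):
    """(sigma_d^{(0)} is a maximal period sequence, sigma_d^{(0)} is a shift of sigma)."""
    u = decimate(sigma, d, 0, 3 * R)
    return least_period(u) == R, is_shift_of(u, sigma, R)


def theorem_7_47_holds():
    """Both criteria of Theorem 7.47 for q = 2, k = 4 and every 1 <= d <= 15:
    gcd(d, 15) = 1, and d = 2^j mod 15 for some 0 <= j <= 3."""
    powers = {2 ** j % R for j in range(4)}
    return all(decimation_properties(d) == (gcd(d, R) == 1, d % R in powers)
               for d in range(1, R + 1))


def shift_sums_closed(term, r):
    """Theorem 7.49: is s + s^{(h)} either zero or a shift of s for every h?"""
    for h in range(1, r):
        t = [(term(n) + term(n + h)) % 2 for n in range(r)]
        if any(t) and not is_shift_of(t, term, r):
            return False
    return True


def example_7_50():
    """The decimations and the sums named in Example 7.50."""
    const = decimate(sigma, 15, 3, 3)                        # sigma_15^{(3)}
    deg2 = [decimate(sigma, 5, h, 6) for h in (1, 3, 6)]     # sigma_5^{(1)}, sigma_5^{(3)}, sigma_5^{(6)}
    s3 = [(sigma(n) + sigma(n + 3)) % 2 for n in range(R)]   # sigma + sigma^{(3)}
    return (const, deg2,
            s3 == [sigma(n + 14) for n in range(R)],         # equals sigma^{(14)}?
            shift_sums_closed(sigma, R),                     # True: sigma is maximal period
            shift_sums_closed(tau, 5))                       # False: tau is not


if __name__ == "__main__":
    print(example_7_50())
    print(theorem_7_47_holds())
```

The program uses only the period of $\sigma$, so the same functions apply to any maximal period sequence in $\mathbb{F}_2$ once its period is supplied; for $d = 7$ one sees a decimation that is a maximal period sequence without being a shift of $\sigma$, as the second part of Theorem 7.47 predicts, since 7 is not a power of 2 modulo 15.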
For many simulation purposes, and especially for applications in numerical analysis, one needs random sequences of real numbers. These numbers should all belong to a given interval on the real line, which for simplicity we may take to be the interval $[0, 1]$. The generation of a random sequence of numbers in $[0, 1]$ can again be described by a statistical experiment. Pick a number from $[0, 1]$ at random, where the probability that the number belongs to a specific subinterval of $[0, 1]$ should be equal to the length of the subinterval. Repeat this procedure indefinitely, with each selection being statistically independent of all the previous ones. Since we are using here a special probability distribution giving equal likelihood to subintervals of the same length, one often speaks of the resulting sequence as a sequence of uniform random numbers. The notion of a sequence of uniform random numbers is an idealized concept, and in practice one works with a deterministic analog called a sequence of uniform pseudorandom numbers. Such a sequence is generated by a deterministic method and should pass various tests for randomness. The advantages of such a sequence are similar to those of a pseudorandom sequence of bits described earlier.

Maximal period sequences in finite fields can be used to generate sequences of uniform pseudorandom numbers. Let $\mathbb{F}_p$ be a finite prime field, that is, $p$ is prime, and let $s_0, s_1, \ldots$ be a $k$th-order maximal period sequence in $\mathbb{F}_p$. In the following we view the terms $s_n$ of the sequence as integers with $0 \le s_n < p$. The integers $s_n$ have to be transformed into numbers in $[0, 1]$. One method of doing this is the normalization method, in which one chooses $p$ to be a large prime and normalizes $s_n$ by setting

$$w_n = \frac{s_n}{p} \in [0, 1] \quad \text{for all } n \ge 0.$$

Then $w_0, w_1, \ldots$ is taken as a sequence of uniform pseudorandom numbers. Clearly, this sequence is periodic with least period $r = p^k - 1$. Since the sequence $w_0, w_1, \ldots$ differs from the sequence $s_0, s_1, \ldots$ only by a constant factor, the statistical properties of the two sequences will essentially be the same. Thus it suffices to refer to our earlier discussion of statistical properties of maximal period sequences. A second method of transforming the integers $s_n$ into numbers in $[0, 1]$ is the digital (or Tausworthe) method. Here we let $p$ be a small prime and we choose an integer $m \ge 1$. Then we set

$$w_n = \sum_{i=1}^{m} s_{mn+i-1}\, p^{-i} \quad \text{for all } n \ge 0, \tag{7.9}$$

and we use $w_0, w_1, \ldots$ as a sequence of uniform pseudorandom numbers. The formula (7.9) means that the sequence $s_0, s_1, \ldots$ is split up into blocks of length $m$, and each block is interpreted as the digital representation in the base $p$ of a number in $[0, 1]$. In practice one usually works with the prime $p = 2$, since this facilitates the calculation of the terms $s_n$ by the relation (7.7) and since in this case we get the numbers $w_n$ in their binary representation which is well suited for computer calculations.
7.51. Lemma. The sequence $w_0, w_1, \ldots$ of numbers defined by (7.9) is periodic with least period

$$r = \frac{p^k - 1}{\gcd(m, p^k - 1)}.$$

Proof. Since $mr$ is a multiple of $p^k - 1$ and thus a period of the maximal period sequence $s_0, s_1, \ldots$, we have

$$w_{n+r} = \sum_{i=1}^{m} s_{mn+i-1+mr}\, p^{-i} = \sum_{i=1}^{m} s_{mn+i-1}\, p^{-i} = w_n \quad \text{for all } n \ge 0.$$

Therefore $w_0, w_1, \ldots$ is periodic with period $r$. Now let $u$ be an arbitrary period of this sequence. Then $w_{n+u} = w_n$ for all $n \ge 0$, hence

$$\sum_{i=1}^{m} s_{mn+i-1+mu}\, p^{-i} = \sum_{i=1}^{m} s_{mn+i-1}\, p^{-i} \quad \text{for all } n \ge 0.$$

The uniqueness of digital representations implies that

$$s_{mn+i-1+mu} = s_{mn+i-1} \quad \text{for } 1 \le i \le m \text{ and all } n \ge 0.$$

Now $mn + i - 1$ runs through all nonnegative integers if $i$ and $n$ run through all integers with $1 \le i \le m$ and $n \ge 0$, thus

$$s_{n+mu} = s_n \quad \text{for all } n \ge 0.$$

This means that $mu$ is a period of the sequence $s_0, s_1, \ldots$, and so $p^k - 1$ divides $mu$. It follows that $r$ divides $u$, and therefore $r$ is the least period of the sequence $w_0, w_1, \ldots$. □

In order to make the least period of the sequence $w_0, w_1, \ldots$ as large as possible, we will choose the block length $m$ in such a way that $\gcd(m, p^k - 1) = 1$. The least period of the sequence is then equal to $p^k - 1$ by Lemma 7.51. If we want to make this least period large for $p = 2$, then $k$ should not be chosen too small. We note also that if $m > k$, then the last $m - k$ digits of any $w_n$ depend on the first $k$ digits on account of the relation (7.7). Therefore we impose the condition $m \le k$ in order to prevent such obvious dependencies.

An important test for randomness for a sequence $w_0, w_1, \ldots$ of uniform pseudorandom numbers is the uniformity test. We start from the observation that in the ideal case of a sequence $x_0, x_1, \ldots$ of uniform random numbers the probability that the inequality $x_n \le t$ is satisfied for a given $t \in [0, 1]$ is equal to $t$. We compare this with the elementary probability $P_N(t)$ that the inequality $w_n \le t$ is satisfied among the first $N$ terms of the given sequence $w_0, w_1, \ldots$, that is, $P_N(t)$ is $N^{-1}$ times the number of $n$, $0 \le n < N$, with $w_n \le t$. The largest deviation

$$D_N = \sup_{0 \le t \le 1} |P_N(t) - t| \tag{7.10}$$

between these two probabilities provides a way of measuring the extent to which $w_0, w_1, \ldots$ differs from a sequence of uniform random numbers. For a "good" sequence of uniform pseudorandom numbers the value of $D_N$ should be small for large $N$. When applying the uniformity test to a periodic sequence $w_0, w_1, \ldots$ with least period $r$, it suffices to consider the case $1 \le N \le r$ since the behavior of the sequence repeats itself beyond the period.
7.52. Theorem. If $m \le k$ and $\gcd(m, p^k - 1) = 1$, then the sequence $w_0, w_1, \ldots$ of uniform pseudorandom numbers generated by (7.9) satisfies $D_r = p^{-m}$ with $r = p^k - 1$.

Proof. The least period of $w_0, w_1, \ldots$ is $r = p^k - 1$ by Lemma 7.51. The sequence of $m$-tuples

$$\mathbf{s}_n = (s_n, s_{n+1}, \ldots, s_{n+m-1}), \quad n = 0, 1, \ldots,$$

also has least period $r$; in other words, $\mathbf{s}_n$ just depends on the residue class of $n$ modulo $r$. From $\gcd(m, r) = 1$ it follows then that the finite sequence $\mathbf{s}_{mn}$, $n = 0, 1, \ldots, r - 1$, is a rearrangement of the finite sequence $\mathbf{s}_n$, $n = 0, 1, \ldots, r - 1$. In particular, for any $b \in \{0, 1, \ldots, p-1\}^m$ the number of $n$, $0 \le n \le r - 1$, with $\mathbf{s}_{mn} = b$ is the same as the number of $n$, $0 \le n \le r - 1$, with $\mathbf{s}_n = b$. The latter number is given by Theorem 7.43. Together with (7.9) this yields the following information: the number of $n$, $0 \le n \le r - 1$, with $w_n = 0$ is equal to $p^{k-m} - 1$, and for any rational number $cp^{-m}$ with $c \in \mathbb{Z}$, $1 \le c < p^m$, the number of $n$, $0 \le n \le r - 1$, with $w_n = cp^{-m}$ is equal to $p^{k-m}$; this exhausts all possible values of $w_n$. For $a \in \mathbb{Z}$, $0 \le a < p^m$, consider a real $t$ with $ap^{-m} \le t < (a+1)p^{-m}$. Then

$$P_r(t) = \frac{(a+1)p^{k-m} - 1}{p^k - 1},$$

and so

$$P_r(t) - t \le \frac{(a+1)p^{k-m} - 1}{p^k - 1} - ap^{-m} = \frac{p^{k-m} - 1 + ap^{-m}}{p^k - 1} \le \frac{p^{k-m} - p^{-m}}{p^k - 1} = p^{-m}$$

and

$$t - P_r(t) < (a+1)p^{-m} - \frac{(a+1)p^{k-m} - 1}{p^k - 1} = \frac{1 - (a+1)p^{-m}}{p^k - 1} \le \frac{1 - p^{-m}}{p^k - 1} \le p^{-m},$$

hence $|P_r(t) - t| \le p^{-m}$ for $0 \le t < 1$. Since $P_r(1 - p^{-m}) = 1$, we have $P_r(1 - p^{-m}) - (1 - p^{-m}) = p^{-m}$, and since $P_r(1) = 1$, it follows from (7.10) that $D_r = p^{-m}$. □
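Lemma 7.51 and Theorem 7.52 can be checked numerically for small parameters. The following Python program is an added illustration for this page, not the book's code; it forms the numbers $w_n$ of (7.9) as exact fractions from the period of a maximal period sequence supplied as constructed input (the 15-bit period of $\sigma$ from Example 7.50 for $p = 2$, $k = 4$, and the period $0, 1, 2, 2, 0, 2, 1, 1$ of the sequence $s_{n+2} = 2s_{n+1} + s_n$ over $\mathbb{F}_3$ with $s_0 = 0$, $s_1 = 1$, whose characteristic polynomial $x^2 + x + 2$ is primitive), computes the least period of $w_0, w_1, \ldots$ and the quantity $D_N$ of (7.10), and compares $D_N$ for $1 \le N < r$ with the bound obtained by inserting the right-hand side of (7.14) as $B$ into Lemma 7.53, as is done in the proof of Theorem 7.54. Function names are chosen here.

```python
"""Digital (Tausworthe) method (7.9): least period (Lemma 7.51), D_r over a
full period (Theorem 7.52) and a bound on D_N (Lemma 7.53 with (7.14)).
Added example, not the book's code."""
from fractions import Fraction
from math import gcd, log, pi

# Constructed input: one period each of a maximal period sequence in F_p.
PERIODS = {
    (2, 4): [int(c) for c in "000100110101111"],  # sigma of Example 7.50
    (3, 2): [0, 1, 2, 2, 0, 2, 1, 1],              # x^2 + x + 2 over F_3
}


def digital_numbers(p, k, m, count):
    """w_n = sum_{i=1}^m s_{mn+i-1} p^{-i} for n < count, as exact fractions."""
    period = PERIODS[(p, k)]
    s = lambda n: period[n % len(period)]
    return [sum(Fraction(s(m * n + i - 1), p ** i) for i in range(1, m + 1))
            for n in range(count)]


def least_period(seq):
    """Least period of a purely periodic sequence, given enough of its terms."""
    n = len(seq)
    return next(u for u in range(1, n) if seq[:n - u] == seq[u:])


def discrepancy(w):
    """D_N of (7.10) for N = len(w): sup_t |P_N(t) - t| with
    P_N(t) = #{n < N : w_n <= t} / N.  P_N is a step function, so the
    supremum is attained at a sorted value w_(i) or just below it."""
    n, ws = len(w), sorted(w)
    return max(max(Fraction(i + 1, n) - ws[i], ws[i] - Fraction(i, n))
               for i in range(n))


def full_period_check(p, k, m):
    """Returns (least period of w, D over the first p^k - 1 terms,
    least period predicted by Lemma 7.51, p^{-m} of Theorem 7.52)."""
    r = p ** k - 1
    w = digital_numbers(p, k, m, 3 * r)
    return least_period(w), discrepancy(w[:r]), r // gcd(m, r), Fraction(1, p ** m)


def partial_period_bound(p, k, m, n_terms):
    """Bound for D_N, 1 <= N < r, as in the proof of Theorem 7.54:
    B = p^{k/2}((2/pi) log r + 2/5 + N/r) from (7.14), put into Lemma 7.53."""
    r = p ** k - 1
    b = p ** (k / 2) * (2 / pi * log(r) + 2 / 5 + n_terms / r)
    return p ** (-m) + b * m / n_terms * (2 / pi * log(p) + 7 / 5)


def partial_period_check(p, k, m):
    """D_N <= bound for every 1 <= N < r (m <= k, gcd(m, p^k - 1) = 1 assumed)."""
    r = p ** k - 1
    w = digital_numbers(p, k, m, r)
    return all(float(discrepancy(w[:n])) <= partial_period_bound(p, k, m, n)
               for n in range(1, r))


if __name__ == "__main__":
    print(full_period_check(2, 4, 4))   # (15, 1/16, 15, 1/16)
    print(full_period_check(2, 4, 3))   # gcd(3, 15) = 3: least period 5
    print(full_period_check(3, 2, 1))   # (8, 1/3, 8, 1/3)
    print(partial_period_check(2, 4, 4))
```

With $m = 3$ and $k = 4$ the hypothesis $\gcd(m, p^k - 1) = 1$ fails and the least period drops to $15/3 = 5$, exactly as Lemma 7.51 predicts; with $m = 2$ or $m = 4$ the full-period discrepancy is $2^{-m}$, as Theorem 7.52 states. The bound for $N < r$ is weak at these tiny parameters (it exceeds 1 for most $N$), which is why the text calls for large $k$.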
Theorem 7.52 shows that if $m$ is chosen sufficiently large, then the sequence $w_0, w_1, \ldots$ passes the uniformity test when considered over the full period. For parts of the period, that is, for $1 \le N < r$, we can establish an upper bound for the quantity $D_N$ in (7.10). Let $w_0, w_1, \ldots$ be a sequence of elements of $[0, 1]$ whose terms are given by finite digital representations

$$w_n = \sum_{i=1}^{m} w_n^{(i)} p^{-i}, \quad n = 0, 1, \ldots, \tag{7.11}$$

where the digits $w_n^{(i)}$ belong to the set $\{0, 1, \ldots, p-1\}$ and $m$ is independent of $n$. For $h \in \mathbb{Z}$ we define $e_p(h) = e(h/p)$, where $e(t)$ is the complex exponential function used in Chapter 6, Section 7.

7.53. Lemma. Let $w_0, w_1, \ldots$ be a sequence of elements of $[0, 1]$ given by (7.11) and let $N$ be a positive integer. Let $B$ be a constant such that for any $h_1, \ldots, h_m \in \{0, 1, \ldots, p-1\}$ that are not all 0 we have

$$\left|\sum_{n=0}^{N-1} e_p\big(h_1 w_n^{(1)} + \cdots + h_m w_n^{(m)}\big)\right| \le B. \tag{7.12}$$

Then the quantity $D_N$ in (7.10) satisfies

$$D_N \le p^{-m} + \frac{Bm}{N}\left(\frac{2}{\pi}\log p + \frac{7}{5}\right).$$

Proof. For $0 \le t < 1$ let

$$t = \sum_{i=1}^{\infty} t_i p^{-i}$$

be the digital representation of $t$ in the base $p$, with $t_i \in \{0, 1, \ldots, p-1\}$ for all $i \ge 1$ and the usual condition that $t_i < p - 1$ for infinitely many $i$. Then we have $w_n \le t$ if and only if $w_n^{(1)} = t_1, \ldots, w_n^{(i-1)} = t_{i-1}$, $w_n^{(i)} < t_i$ for some $i$ with $1 \le i \le m - 1$ (for $i = 1$ the condition reduces to $w_n^{(1)} < t_1$) or $w_n^{(1)} = t_1, \ldots, w_n^{(m-1)} = t_{m-1}$, $w_n^{(m)} \le t_m$. Thus, if we put $u_i = t_i$ for $1 \le i \le m - 1$ and $u_m = t_m + 1$ and interpret empty sums to be equal to 0, then

$$P_N(t) = \frac{1}{N}\sum_{i=1}^{m}\sum_{j=0}^{u_i - 1}\sum_{n=0}^{N-1} d_{t_1}\big(w_n^{(1)}\big)\cdots d_{t_{i-1}}\big(w_n^{(i-1)}\big)\, d_j\big(w_n^{(i)}\big),$$

where $d_j(w) = 1$ for $j = w$ and $d_j(w) = 0$ for $j \ne w$ with $j, w \in \{0, 1, \ldots, p-1\}$. Now

$$d_j(w) = \frac{1}{p}\sum_{h=0}^{p-1} e_p(h(w - j)),$$

and so

$$P_N(t) = \frac{1}{N}\sum_{i=1}^{m} p^{-i}\sum_{j=0}^{u_i - 1}\sum_{n=0}^{N-1}\sum_{h_1=0}^{p-1}\cdots\sum_{h_i=0}^{p-1} e_p\big(h_1 w_n^{(1)} + \cdots + h_i w_n^{(i)} - h_1 t_1 - \cdots - h_{i-1} t_{i-1} - h_i j\big).$$

Separating the contribution from the choice $h_1 = \cdots = h_i = 0$ in the inner sum and denoting by an asterisk the deletion of the corresponding term, we get

$$P_N(t) = \sum_{i=1}^{m} u_i p^{-i} + \frac{1}{N}\sum_{i=1}^{m} p^{-i}\sum_{h_1, \ldots, h_i}^{*} e_p(-h_1 t_1 - \cdots - h_{i-1} t_{i-1})\sum_{n=0}^{N-1} e_p\big(h_1 w_n^{(1)} + \cdots + h_i w_n^{(i)}\big)\sum_{j=0}^{u_i - 1} e_p(-h_i j).$$

Using

$$\sum_{i=1}^{m} u_i p^{-i} - t = p^{-m} - \sum_{i=m+1}^{\infty} t_i p^{-i} \in (0, p^{-m}]$$

and the condition (7.12), we obtain

$$|P_N(t) - t| \le p^{-m} + \frac{B}{N}\sum_{i=1}^{m} p^{-i}\sum_{h_1=0}^{p-1}\cdots\sum_{h_i=0}^{p-1}\left|\sum_{j=0}^{u_i - 1} e_p(h_i j)\right| = p^{-m} + \frac{B}{pN}\sum_{i=1}^{m}\sum_{h=0}^{p-1}\left|\sum_{j=0}^{u_i - 1} e_p(hj)\right|.$$

By Lemma 6.80 we have

$$\sum_{h=0}^{p-1}\left|\sum_{j=0}^{u_i - 1} e_p(hj)\right| < \frac{2}{\pi}\, p\log p + \frac{2}{5}\, p + u_i \le \frac{2}{\pi}\, p\log p + \frac{7}{5}\, p,$$

and so

$$|P_N(t) - t| \le p^{-m} + \frac{Bm}{N}\left(\frac{2}{\pi}\log p + \frac{7}{5}\right) \quad \text{for } 0 \le t < 1.$$

Since $P_N(1) = 1$, the desired result follows. □
7.54. Theorem. Let $m \le k$ and $\gcd(m, p^k - 1) = 1$, and let $w_0, w_1, \ldots$ be the sequence of uniform pseudorandom numbers generated by (7.9). Then for $1 \le N < r = p^k - 1$ the quantity $D_N$ in (7.10) satisfies

Proof. The bound for $D_N$ is obtained from Lemma 7.53 by determining a suitable constant $B$ such that (7.12) holds. If the $w_n$ are given by (7.9), then we have $w_n^{(i)} = s_{mn+i-1}$ for $1 \le i \le m$ and all $n \ge 0$. Thus

$$\sum_{n=0}^{N-1} e_p\big(h_1 w_n^{(1)} + \cdots + h_m w_n^{(m)}\big) = \sum_{n=0}^{N-1} e_p\Big(\sum_{i=1}^{m} h_i s_{mn+i-1}\Big).$$

We note that for any $h \in \mathbb{Z}$ we have $e_p(h) = \chi_1(h)$, where $\chi_1$ is the canonical additive character of $\mathbb{F}_p$ (see Chapter 5, Section 1) and on the right-hand side we identify $h$ with the corresponding element of $\mathbb{F}_p$, namely, with the residue class of $h$ modulo $p$. If we now identify all $h_i$ and $s_n$ with the corresponding elements of $\mathbb{F}_p$ and define

$$v_n = \sum_{i=1}^{m} h_i s_{mn+i-1} \in \mathbb{F}_p \quad \text{for all } n \ge 0,$$

then we can write

$$\sum_{n=0}^{N-1} e_p\big(h_1 w_n^{(1)} + \cdots + h_m w_n^{(m)}\big) = \sum_{n=0}^{N-1} \chi_1(v_n). \tag{7.13}$$

Since $s_0, s_1, \ldots$ is a $k$th-order maximal period sequence in $K = \mathbb{F}_p$, we get as in the proof of Theorem 7.47

$$s_n = \mathrm{Tr}_{F/K}(\theta\alpha^n) \quad \text{for all } n \ge 0,$$

where $\alpha$ is a primitive element of $F = \mathbb{F}_{p^k}$ and $\theta \in F^*$. Suppose $h_1, \ldots, h_m \in \mathbb{F}_p$ are not all 0. Then

$$v_n = \mathrm{Tr}_{F/K}(\beta\gamma^n) \quad \text{for all } n \ge 0,$$

where

$$\beta = \theta\sum_{i=1}^{m} h_i\alpha^{i-1} \quad \text{and} \quad \gamma = \alpha^m.$$

Since $m \le k$ and $\{1, \alpha, \alpha^2, \ldots, \alpha^{k-1}\}$ is a basis of $F$ over $K$, we have $\beta \ne 0$. Furthermore, the condition $\gcd(m, p^k - 1) = 1$ implies that $\gamma$ is a primitive element of $F$. Theorem 6.24 and its proof show then that $v_0, v_1, \ldots$ is a $k$th-order maximal period sequence in $K$. Thus

$$\left|\sum_{n=0}^{N-1} \chi_1(v_n)\right| < p^{k/2}\left(\frac{2}{\pi}\log r + \frac{2}{5} + \frac{N}{r}\right) \quad \text{for } 1 \le N < r \tag{7.14}$$

by Theorem 6.81, since $n_0 = 0$ and $R = r$ in this case. Taking into account (7.13), we can therefore use the expression on the right-hand side of (7.14) as a possible value of $B$ in condition (7.12). The rest follows from Lemma 7.53. □
In the proof of Theorem 7.52 we have obtained the exact distribution of values in the least period of the sequence $w_0, w_1, \ldots$ generated by (7.9), under the conditions $m \le k$ and $\gcd(m, p^k - 1) = 1$. With these hypotheses we can show an analogous result for higher dimensions $d$ as long as $d \le k/m$. For such a $d$ we consider the $d$-tuples $\mathbf{w}_n$, $n = 0, 1, \ldots, r - 1$, where $r = p^k - 1$ is the least period of the sequence $w_0, w_1, \ldots$. Each $\mathbf{w}_n$ is a $d$-tuple of the form (7.15) with $c_j \in \mathbb{Z}$ and $0 \le c_j < p^m$ for $1 \le j \le d$. Consider also the sequence of $md$-tuples

$$\mathbf{S}_n = (s_n, s_{n+1}, \ldots, s_{n+md-1}), \quad n = 0, 1, \ldots,$$

which has again least period $r$. The same argument as in the proof of Theorem 7.52 shows that for any $b \in \{0, 1, \ldots, p-1\}^{md}$ the number of $n$, $0 \le n \le r - 1$, with $\mathbf{S}_{mn} = b$ is the same as the number of $n$, $0 \le n \le r - 1$, with $\mathbf{S}_n = b$. The latter number can be obtained from Theorem 7.43 since the condition on $d$ yields $md \le k$. In this way we arrive at the following result: the number of $n$, $0 \le n \le r - 1$, with $\mathbf{w}_n = \mathbf{0}$ is equal to $p^{k-md} - 1$, and for any $\mathbf{c} \ne \mathbf{0}$ of the form (7.15) the number of $n$, $0 \le n \le r - 1$, with $\mathbf{w}_n = \mathbf{c}$ is equal to $p^{k-md}$. Thus the $d$-tuples $\mathbf{w}_n$ show a very regular distribution behavior. The study of the distribution of the $\mathbf{w}_n$ amounts to performing an analog of the serial test for random sequences of bits described earlier in this section. We can therefore say that a sequence $w_0, w_1, \ldots$ of uniform pseudorandom numbers generated by (7.9) passes the serial test for dimensions $d \le k/m$, at least when it is considered over the full period. Results for parts of the period can be obtained by an extension of the method in the proof of Theorem 7.54.

EXERCISES

7.1. List the points and lines of $PG(2, \mathbb{F}_3)$. Draw a diagram showing all the intersections.

7.2. Enumerate the points on $l_\infty$ and the families of parallel lines in $AG(2, \mathbb{F}_4)$. In $PG(2, \mathbb{F}_4)$ consider the quadrangle $A(1, 1, 1+\beta)$, $B(0, 1, \beta)$, $C(1, 1, \beta)$, $D(1, 1+\beta, \beta)$, where $\beta$ is a primitive element of $\mathbb{F}_4$. Find its diagonal points and verify that they are collinear.

7.3. There are six points in $PG(2, \mathbb{F}_4)$, no three of which are collinear. Four of them are the points $A, B, C, D$ of Exercise 7.2. Find the other two points.

7.4. Find the equation of the conic consisting of the points $A, B, C, D$ of Exercise 7.2 and $E(1, 1+\beta, 1+\beta)$, determine all its tangents and the point where they meet.

7.5. Show that for a nondegenerate conic in $PG(2, \mathbb{F}_5)$ the tangents do not all meet in the same point.

7.6. Prove: if $L$ is a set of points of $PG(2, \mathbb{F}_q)$ such that every line of $PG(2, \mathbb{F}_q)$ contains a point of $L$, then $|L| \ge q + 1$ with equality if and only if $L$ is a line.

7.7. Prove that among any $m + 3$ points of a finite projective plane of order $m$ one can find three collinear ones.

7.8. Determine the number of points, lines, planes, and hyperplanes of $PG(4, \mathbb{F}_3)$. How many planes are there through a given line?

7.9. In $PG(4, \mathbb{F}_3)$ determine the 3-flats through the plane given by $(1,0,0,0,0)$, $(0,0,1,0,0)$, and $(0,0,0,0,1)$.

7.10. Prove that the number of $k$-flats of $PG(m, \mathbb{F}_q)$, $1 \le k < m$, or also within a fixed $m$-flat of a projective geometry over $\mathbb{F}_q$ of higher dimension, is equal to

$$\frac{(q^{m+1} - 1)(q^m - 1)\cdots(q^{m-k+1} - 1)}{(q^{k+1} - 1)(q^k - 1)\cdots(q - 1)}.$$

7.11. Show that the following system of blocks forms a BIBD and evaluate the parameters $v$, $b$, $r$, $k$, and $\lambda$:
$(1,2,3)$, $(1,4,7)$, $(1,5,9)$, $(1,6,8)$, $(4,5,6)$, $(2,5,8)$, $(2,6,7)$, $(2,4,9)$, $(7,8,9)$, $(3,6,9)$, $(3,4,8)$, $(3,5,7)$.

7.12. Solve the following special case of the Kirkman Schoolgirl Problem. A schoolmistress takes 9 girls for a daily walk, the girls arranged in rows of 3 girls. Plan the walk for 4 consecutive days so that no girl walks with any of her classmates in any triplet more than once.

7.13. In a school of $b$ boys, $t$ athletics teams of $k$ boys each are formed in such a way that every boy plays on the same number of teams. Also, the arrangement is such that each pair of boys plays together the same number of times. On how many teams does a boy play and how often do two boys play on the same team?

7.14. Prove: if $v$ is even for a symmetric $(v, k, \lambda)$ block design, then $k - \lambda$ is a square.

7.15. Verify that $\{0, 1, 2, 3, 5, 7, 12, 13, 16\}$ is a difference set of residues modulo 19. Determine the parameters $v$, $k$, and $\lambda$.

7.16. Show that $\{0, 4, 5, 7\}$ is a difference set of residues modulo 13 which yields $PG(2, \mathbb{F}_3)$.

7.17. Prove the following generalization of Theorem 7.20. Let $(d_{i1}, \ldots, d_{ik})$, $i = 1, \ldots, s$, be a system of $(v, k, \lambda)$ difference sets. Then with all residues modulo $v$ as varieties, the $vs$ blocks $(d_{i1} + t, \ldots, d_{ik} + t)$, $t = 0, 1, \ldots, v - 1$ and $i = 1, \ldots, s$, form a $(v, k, \lambda s)$ block design.

7.18. Let $L^{(k)} = (a_{ij}^{(k)})$, where $a_{ij}^{(k)} \equiv i + jk \bmod 9$, $0 \le a_{ij}^{(k)} < 9$ for $1 \le i, j \le 9$. Which of the arrays $L^{(k)}$, $k = 1, 2, \ldots, 8$, are latin squares? Are $L^{(1)}$ and $L^{(5)}$ orthogonal?

7.19. A latin square of order $n$ is said to be in normalized form if the first row and the first column are both the ordered set $\{1, 2, \ldots, n\}$. How many normalized latin squares of each order $n \le 4$ are there?

7.20. Let $L$ be a latin square of order $m$ with entries in $\{1, 2, \ldots, m\}$ and $M$ a latin square of order $n$ with entries in $\{1, 2, \ldots, n\}$. From $L$ and $M$ construct a latin square of order $mn$ with entries in $\{1, 2, \ldots, m\} \times \{1, 2, \ldots, n\}$.

7.21. Construct three mutually orthogonal latin squares of order 4.

7.22. Prove that for $n \ge 2$ there can be at most $n - 1$ mutually orthogonal latin squares of order $n$.

7.23. A magic square of order $n$ consists of the integers 1 to $n^2$ arranged in an $n \times n$ array such that the sums of entries in rows, columns, and diagonals are all the same. Let $A = (a_{ij})$ and $B = (b_{ij})$ be two orthogonal latin squares of order $n$ with entries in $\{0, 1, \ldots, n-1\}$ such that the sum of entries in each of the diagonals of $A$ and $B$ is $n(n-1)/2$. Show that $M = (na_{ij} + b_{ij} + 1)$ is a magic square of order $n$. Construct a magic square of order 4 from two orthogonal latin squares obtained in Exercise 7.21.

7.24. Determine Hadamard matrices of orders 8 and 12.

7.25. If $H_m$ and $H_n$ are Hadamard matrices, show that there exists a Hadamard matrix $H_{mn}$.

7.26. Show that from a normalized Hadamard matrix of order $4t$, $t \ge 2$, one can construct a symmetric $(4t - 1, 2t - 1, t - 1)$ block design.

7.27. Prove that the state graph of an LMS over $\mathbb{F}_q$ with nonsingular characteristic matrix consists of pure cycles only.

7.28. Prove that the state graphs of similar characteristic matrices over $\mathbb{F}_q$ are isomorphic. (Note: Two matrices $A$, $B$ over $\mathbb{F}_q$ are similar if there exists a nonsingular matrix $P$ over $\mathbb{F}_q$ such that $B = PAP^{-1}$.)

7.29. Suppose the characteristic matrix $A$ of an LMS $\mathfrak{M}$ over $\mathbb{F}_2$ has the minimal polynomial $(x^4 + 1)^5(x^2 + x + 1)^3$. What are the state orders realizable by $\mathfrak{M}$?

7.30. Determine the orders of all states in the LMS $\mathfrak{M}_8$ of Example 7.41.

7.31. Suppose the characteristic matrix $A$ of an LMS $\mathfrak{M}$ over $\mathbb{F}_q$ is nonderogatory; that is, its minimal polynomial is equal to its characteristic polynomial. Let the minimal polynomial of $A$ be of the form $p(x)^e$, where $p(x)$ is a monic irreducible polynomial over $\mathbb{F}_q$ of degree $d$. Without using Theorem 7.40, prove that the cycle sum of $\mathfrak{M}$ is given by the expression in that theorem.

7.32. Calculate the cycle sum of the LMS $\mathfrak{M}$ over $\mathbb{F}_2$ given in Example 7.35.

7.33. Prove Theorem 7.42.

7.34. Let $s_0, s_1, \ldots$ be a $k$th-order maximal period sequence in $\mathbb{F}_q$ and let $N = d(q^k - 1)/(q - 1)$ for some positive integer $d$. If $Z_N(0)$ denotes the number of $n$, $0 \le n \le N - 1$, such that $s_n = 0$, prove that

$$Z_N(0) = \frac{d(q^{k-1} - 1)}{q - 1}.$$

7.35. Let $s_0, s_1, \ldots$ be a $k$th-order maximal period sequence in $\mathbb{F}_q$, $1 \le N < r = q^k - 1$, and $b = (b_1, \ldots, b_m) \in \mathbb{F}_q^m$; let $Z_N(b)$ be the number of $n$, $0 \le n \le N - 1$, such that $s_{n+i-1} = b_i$ for $1 \le i \le m$. Prove that

7.36. Let $s_0, s_1, \ldots$ be a periodic sequence of elements of $\mathbb{F}_q$ with least period $r$. For fixed $c \in \mathbb{F}_q$ we say that a run of $c$ of length $m \ge 1$ occurs if $s_{n+i} = c$ for $1 \le i \le m$, $s_n \ne c$, and $s_{n+m+1} \ne c$ for some $n$ with $0 \le n \le r - 1$. Prove that for a $k$th-order maximal period sequence in $\mathbb{F}_q$ with $r = q^k - 1 \ge 2$ exactly the following runs occur. For $1 \le m \le k - 2$ and any $c \in \mathbb{F}_q$ there are $(q-1)^2 q^{k-m-2}$ runs of $c$ of length $m$. The number of runs of $c$ of length $k - 1$ is $q - 1$ for $c = 0$ and $q - 2$ for $c \ne 0$. There is no run of 0 of length $k$, and there is one run of $c$ of length $k$ for every $c \ne 0$. No runs of length $> k$ can occur.

7.37. Prove: If $\sigma$ is a periodic sequence with period $r$, then the decimated sequence $\sigma_d^{(h)}$ has period $r/\gcd(d, r)$. Use a suitable decimation of the sequence $\sigma$ in Example 7.50 to show that this result does not hold in general if "period" is replaced by "least period".

7.38. Prove the following converse of Theorem 7.48: any decimated sequence of a $k$th-order maximal period sequence in $\mathbb{F}_q$ is either the zero sequence or a linear recurring sequence in $\mathbb{F}_q$ having an irreducible minimal polynomial $g(x)$ with $g(0) \ne 0$ and $\deg(g(x))$ dividing $k$.

7.39. Let $\sigma$ be a given $k$th-order maximal period sequence in $\mathbb{F}_q$. Prove that every $k$th-order maximal period sequence in $\mathbb{F}_q$ is equal to a shifted version of $\sigma_d^{(0)}$ for some $d$.

7.40. Let $\sigma$ be a nonzero periodic sequence of elements of $\mathbb{F}_2$ with least period $r$. Prove that if for every $h$ with $1 \le h \le r - 1$ the sequence $\sigma + \sigma^{(h)}$ is a shifted version of $\sigma$, then $\sigma$ is a maximal period sequence in $\mathbb{F}_2$.

7.41. Prove that for any maximal period sequence in $\mathbb{F}_2$ there exists a shifted version $\sigma$ of the sequence such that $\sigma_2^{(0)} = \sigma$.

7.42. Let $s_0, s_1, \ldots$ be a $k$th-order maximal period sequence in the finite prime field $\mathbb{F}_p$ and view the terms $s_n$ of the sequence as integers with $0 \le s_n < p$. For positive integers $m$ and $d$ define

$$w_n = \sum_{i=1}^{m} s_{dn+i-1}\, p^{-i} \quad \text{for } n = 0, 1, \ldots.$$

Prove that if $\gcd(d, p^k - 1) = 1$, then the sequence $w_0, w_1, \ldots$ is periodic with least period $p^k - 1$.
Chapter 8
Algebraic Coding Theory

One of the major applications of finite fields is coding theory. This theory has its origin in a famous theorem of Shannon that guarantees the existence of codes that can transmit information at rates close to the capacity of a communication channel with an arbitrarily small probability of error. One purpose of algebraic coding theory, the theory of error-correcting and error-detecting codes, is to devise methods for the construction of such codes.

During the last two decades more and more abstract algebraic tools such as the theory of finite fields and the theory of polynomials over finite fields have influenced coding. In particular, the description of redundant codes by polynomials over $\mathbb{F}_q$ is a milestone in this development. The fact that one can use shift registers for coding and decoding establishes a connection with linear recurring sequences. In our discussion of algebraic coding theory we do not consider any of the problems of the implementation or technical realization of the codes. We restrict ourselves to the study of basic properties of block codes and the description of some interesting classes of block codes. Section 1 contains some background on algebraic coding theory and discusses the important class of linear codes in which encoding is performed by a linear transformation. A particularly interesting type of linear code is a cyclic code, that is, a linear code invariant under cyclic shifts. Our study of cyclic codes in Section 2 includes a description of what is possibly the most widely known family of codes, the BCH codes named after Bose, Ray-Chaudhuri, and Hocquenghem. BCH codes can be implemented easily and permit a fast decoding algorithm. The Goppa codes discussed in Section 3 can be viewed as generalized BCH codes. Goppa codes allow a much wider choice of parameters than BCH codes, but can still be decoded efficiently. If the decoding algorithm for Goppa codes is specialized to BCH codes, one obtains a second way of decoding BCH codes.
1. LINEAR CODES

The problem of the communication of information, in particular the coding and decoding of information for the reliable transmission over a "noisy" channel, is of great importance today. Typically, one has to transmit a message which consists of a finite string of symbols that are elements of some finite alphabet. For instance, if this alphabet consists simply of 0 and 1, the message can be described as a binary number. Generally the alphabet is assumed to be a finite field. Now the transmission of finite strings of elements of the alphabet over a communication channel need not be perfect in the sense that each bit of information is transmitted unaltered over this channel. As there is no ideal channel without "noise," the receiver of the transmitted message may obtain distorted information and may make errors in interpreting the transmitted signal.

One of the main problems of coding theory is to make the errors, which occur for instance because of noisy channels, extremely improbable. The methods to improve the reliability of transmission depend on properties of finite fields. A basic idea in algebraic coding theory is to transmit redundant information together with the message one wants to communicate; that is, one extends the string of message symbols to a longer string in a systematic manner.

A simple model of a communication system is shown in Figure 8.1. We assume that the symbols of the message and of the coded message are elements of the same finite field $\mathbb{F}_q$. Coding means to encode a block of $k$ message symbols $a_1 a_2 \cdots a_k$, $a_i \in \mathbb{F}_q$, into a code word $c_1 c_2 \cdots c_n$ of $n$ symbols $c_j \in \mathbb{F}_q$, where $n > k$. We regard the code word as an $n$-dimensional row vector $\mathbf{c}$ in $\mathbb{F}_q^n$. Thus $f$ in Figure 8.1 is a function from $\mathbb{F}_q^k$ into $\mathbb{F}_q^n$, called a coding scheme, and $g: \mathbb{F}_q^n \to \mathbb{F}_q^k$ is a decoding scheme.

[Figure 8.1 is a block diagram, not reproduced here: message $\mathbf{a}$, coding $f$, code word $\mathbf{c}$, transmission channel with noise, received word, decoding $g$, decoded message.]
FIGURE 8.1 A communication system.
A simple type of coding scheme arises when each block $a_1 a_2 \cdots a_k$ of message symbols is encoded into a code word of the form
$$a_1 a_2 \cdots a_k\, c_{k+1} \cdots c_n,$$
where the first $k$ symbols are the original message symbols and the additional $n - k$ symbols in $\mathbb{F}_q$ are control symbols. Such coding schemes are often presented in the following way. Let $H$ be a given $(n - k) \times n$ matrix with entries in $\mathbb{F}_q$ that is of the special form
$$H = (A,\ I_{n-k}),$$
where $A$ is an $(n - k) \times k$ matrix and $I_{n-k}$ is the identity matrix of order $n - k$. The control symbols $c_{k+1}, \dots, c_n$ can then be calculated from the system of equations
$$H\mathbf{c}^T = \mathbf{0}$$
for code words $\mathbf{c}$. The equations of this system are called parity-check equations.

8.1. Example. Let $H$ be the following $3 \times 7$ matrix over $\mathbb{F}_2$:
$$H = \begin{pmatrix} 1 & 1 & 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 1 & 0 & 0 & 1 \end{pmatrix}.$$
Then the control symbols can be calculated by solving $H\mathbf{c}^T = \mathbf{0}$, given $c_1, c_2, c_3, c_4$:
$$c_1 + c_2 + c_4 + c_5 = 0, \qquad c_1 + c_3 + c_4 + c_6 = 0, \qquad c_2 + c_3 + c_4 + c_7 = 0,$$
so that
$$c_5 = c_1 + c_2 + c_4, \qquad c_6 = c_1 + c_3 + c_4, \qquad c_7 = c_2 + c_3 + c_4.$$
Thus the coding scheme in this case is the linear map from $\mathbb{F}_2^4$ into $\mathbb{F}_2^7$ given by
$$(a_1, a_2, a_3, a_4) \mapsto (a_1, a_2, a_3, a_4, a_1 + a_2 + a_4, a_1 + a_3 + a_4, a_2 + a_3 + a_4). \qquad \square$$

In general, we use the following terminology in connection with coding schemes that are given by linear maps.

8.2. Definition. Let $H$ be an $(n - k) \times n$ matrix of rank $n - k$ with entries in $\mathbb{F}_q$. The set $C$ of all $n$-dimensional vectors $\mathbf{c} \in \mathbb{F}_q^n$ such that $H\mathbf{c}^T = \mathbf{0}$ is called a linear $(n, k)$ code over $\mathbb{F}_q$; $n$ is called the length and $k$ the dimension of the code. The elements of $C$ are called code words (or code vectors), the matrix $H$ is a parity-check matrix of $C$. If $q = 2$, $C$ is called a binary code. If $H$ is of the form $(A, I_{n-k})$, then $C$ is called a systematic code.

We note that the set $C$ of solutions of the system $H\mathbf{c}^T = \mathbf{0}$ of linear equations is a subspace of dimension $k$ of the vector space $\mathbb{F}_q^n$. Since the code words form an additive group, $C$ is also called a group code. Moreover, $C$ can be regarded as the null space of the matrix $H$.

8.3. Example (Parity-Check Code). Let $q = 2$ and let the given message be $a_1 \cdots a_k$; then the coding scheme $f$ is defined by
$$f: a_1 \cdots a_k \mapsto b_1 \cdots b_{k+1},$$
where $b_i = a_i$ for $i = 1, \dots, k$ and $b_{k+1} = a_1 + \cdots + a_k$. Hence it follows that the sum of digits of any code word $b_1 \cdots b_{k+1}$ is 0. If the sum of digits of the received word is 1, then the receiver knows that a transmission error must have occurred. Let $n = k + 1$, then this code is a binary linear $(n, n - 1)$ code with parity-check matrix $H = (1\ 1\ \cdots\ 1)$. $\square$

8.4. Example (Repetition Code). In a repetition code each code word consists of only one message symbol $a_1$ and $n - 1$ control symbols $c_2 = \cdots = c_n$, all equal to $a_1$. $\square$

The parity-check equations $H\mathbf{c}^T = \mathbf{0}$ with $H = (A, I_{n-k})$ imply
$$\mathbf{c}^T = \big[\mathbf{a}(I_k, -A^T)\big]^T,$$
where $\mathbf{a} = a_1 \cdots a_k$ is the message and $\mathbf{c} = c_1 \cdots c_n$ is the code word. This leads to the following definition.

8.5. Definition. The $k \times n$ matrix $G = (I_k, -A^T)$ is called the canonical generator matrix of a linear $(n, k)$ code with parity-check matrix $H = (A, I_{n-k})$.

From $H\mathbf{c}^T = \mathbf{0}$ and $\mathbf{c} = \mathbf{a}G$ it follows that $H$ and $G$ are related by (8.1). The code $C$ is equal to the row space of the canonical generator matrix $G$. More generally, any $k \times n$ matrix $G$ whose row space is equal to $C$ is called a generator matrix of $C$. A generator matrix $G$ of $C$ can be used for encoding, namely, a message $\mathbf{a}$ is encoded by $\mathbf{c} = \mathbf{a}G \in C$.

8.6. Example. The canonical generator matrix for the code defined by $H$ in Example 8.1 is given by
$$G = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{pmatrix}. \qquad \square$$
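The systematic code of Example 8.1 and the canonical generator matrix of Definition 8.5 and Example 8.6, worked through in Python as an added example (this is not code from the book): it builds $G = (I_k, -A^T)$ from $H = (A, I_{n-k})$, encodes by $\mathbf{c} = \mathbf{a}G$, checks $H\mathbf{c}^T = \mathbf{0}$ for every code word, and obtains the minimum distance both from the weights (Definition 8.11) and from the column-independence criterion of Lemma 8.14. All function names are my own.

```python
from itertools import combinations, product

Q = 2  # the code of Example 8.1 is binary; all arithmetic is modulo Q

# Parity-check matrix H = (A, I_3) of Example 8.1, as transcribed from the text.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]


def mat_vec(M, v, q=Q):
    """M v^T over F_q, i.e. the left-hand sides of the parity-check equations."""
    return [sum(m * x for m, x in zip(row, v)) % q for row in M]


def canonical_generator(H, q=Q):
    """Definition 8.5: for H = (A, I_{n-k}) return G = (I_k, -A^T)."""
    r, n = len(H), len(H[0])          # r = n - k parity-check rows
    k = n - r
    A = [row[:k] for row in H]
    G = []
    for i in range(k):
        unit = [1 if j == i else 0 for j in range(k)]
        # row i of -A^T is the i-th column of A, negated
        G.append(unit + [(-A[t][i]) % q for t in range(r)])
    return G


def encode(G, a, q=Q):
    """c = a G: the message occupies the first k symbols, the rest are control symbols."""
    n = len(G[0])
    return [sum(a[i] * G[i][j] for i in range(len(G))) % q for j in range(n)]


def all_code_words(G, q=Q):
    """The row space of G, enumerated by encoding every message in F_q^k."""
    return [encode(G, list(a), q) for a in product(range(q), repeat=len(G))]


def min_distance(G, q=Q):
    """Definition 8.11: for a linear code d_C is the minimum nonzero weight."""
    weights = (sum(1 for x in c if x) for c in all_code_words(G, q))
    return min(w for w in weights if w > 0)


def dependent(vectors, q=Q):
    """True if some nontrivial F_q-combination of the given vectors is zero."""
    for coef in product(range(q), repeat=len(vectors)):
        if any(coef) and all(
            sum(c * v[t] for c, v in zip(coef, vectors)) % q == 0
            for t in range(len(vectors[0]))
        ):
            return True
    return False


def max_independent_columns(H, q=Q):
    """Largest s such that any s columns of H are linearly independent;
    by Lemma 8.14 this gives d_C >= s + 1 (brute force, fine for small H)."""
    n = len(H[0])
    cols = [[row[j] for row in H] for j in range(n)]
    s = 0
    while s < n and not any(
        dependent([cols[j] for j in sub], q) for sub in combinations(range(n), s + 1)
    ):
        s += 1
    return s


if __name__ == "__main__":
    G = canonical_generator(H)
    c = encode(G, [1, 0, 1, 1])             # message a = 1011
    assert mat_vec(H, c) == [0, 0, 0]       # the parity checks hold
    print("G =", G)
    print("encode(1011) =", c)
    print("d_C =", min_distance(G), "; any", max_independent_columns(H), "columns of H are independent")
```

For this $H$ any two columns are independent while columns 1, 2, 3 sum to zero, so Lemma 8.14 gives exactly $d_C = 3$, matching the direct weight count.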
8.7. Definition. If $\mathbf{c}$ is a code word and $\mathbf{y}$ is the received word after communication through a "noisy" channel, then $\mathbf{e} = \mathbf{y} - \mathbf{c} = e_1 \cdots e_n$ is called the error word or the error vector.

8.8. Definition. Let $\mathbf{x}, \mathbf{y}$ be two vectors in $\mathbb{F}_q^n$. Then:
(i) the Hamming distance $d(\mathbf{x}, \mathbf{y})$ between $\mathbf{x}$ and $\mathbf{y}$ is the number of coordinates in which $\mathbf{x}$ and $\mathbf{y}$ differ;
(ii) the (Hamming) weight $w(\mathbf{x})$ of $\mathbf{x}$ is the number of nonzero coordinates of $\mathbf{x}$.

Thus $d(\mathbf{x}, \mathbf{y})$ gives the number of errors if $\mathbf{x}$ is the transmitted code word and $\mathbf{y}$ is the received word. It follows immediately that $w(\mathbf{x}) = d(\mathbf{x}, \mathbf{0})$ and $d(\mathbf{x}, \mathbf{y}) = w(\mathbf{x} - \mathbf{y})$. The proof of the following lemma is left as an exercise.

8.9. Lemma. The Hamming distance is a metric on $\mathbb{F}_q^n$; that is, for all $\mathbf{x}, \mathbf{y}, \mathbf{z} \in \mathbb{F}_q^n$ we have:
(i) $d(\mathbf{x}, \mathbf{y}) = 0$ if and only if $\mathbf{x} = \mathbf{y}$;
(ii) $d(\mathbf{x}, \mathbf{y}) = d(\mathbf{y}, \mathbf{x})$;
(iii) $d(\mathbf{x}, \mathbf{z}) \le d(\mathbf{x}, \mathbf{y}) + d(\mathbf{y}, \mathbf{z})$.

In decoding received words $\mathbf{y}$, one usually tries to find the code word $\mathbf{c}$ such that $w(\mathbf{y} - \mathbf{c})$ is as small as possible, that is, one assumes that it is more likely that few errors have occurred rather than many. Thus in decoding we are looking for a code word $\mathbf{c}$ that is closest to $\mathbf{y}$ according to the Hamming distance. This rule is called nearest neighbor decoding.

8.10. Definition. For $t \in \mathbb{N}$ a code $C \subseteq \mathbb{F}_q^n$ is called $t$-error-correcting if for any $\mathbf{y} \in \mathbb{F}_q^n$ there is at most one $\mathbf{c} \in C$ such that $d(\mathbf{y}, \mathbf{c}) \le t$.

If $\mathbf{c} \in C$ is transmitted and at most $t$ errors occur, then we have $d(\mathbf{y}, \mathbf{c}) \le t$ for the received word $\mathbf{y}$. If $C$ is $t$-error-correcting, then for all other code words $\mathbf{z} \in C$ we have $d(\mathbf{y}, \mathbf{z}) > t$, which means that $\mathbf{c}$ is closest to $\mathbf{y}$ and nearest neighbor decoding gives the correct result. Therefore, one aim in coding theory is to construct codes with code words "far apart." On the other hand, one tries to transmit as much information as possible. To reconcile these two aims is one of the problems of coding.

8.11. Definition. The number
$$d_C = \min_{\substack{\mathbf{u}, \mathbf{v} \in C \\ \mathbf{u} \ne \mathbf{v}}} d(\mathbf{u}, \mathbf{v}) = \min_{\substack{\mathbf{c} \in C \\ \mathbf{c} \ne \mathbf{0}}} w(\mathbf{c})$$
is called the minimum distance of the linear code $C$.

8.12. Theorem. A code $C$ with minimum distance $d_C$ can correct up to $t$ errors if $d_C \ge 2t + 1$.

Proof. A ball $B_t(\mathbf{x})$ of radius $t$ and center $\mathbf{x} \in \mathbb{F}_q^n$ consists of all vectors $\mathbf{y} \in \mathbb{F}_q^n$ such that $d(\mathbf{x}, \mathbf{y}) \le t$. The nearest neighbor decoding rule ensures that each received word with $t$ or fewer errors must be in a ball of radius $t$ and center the transmitted code word. To correct $t$ errors, the balls with code words $\mathbf{x}$ as centers must not overlap. If $\mathbf{u} \in B_t(\mathbf{x})$ and $\mathbf{u} \in B_t(\mathbf{y})$, $\mathbf{x}, \mathbf{y} \in C$, $\mathbf{x} \ne \mathbf{y}$, then
$$d(\mathbf{x}, \mathbf{y}) \le d(\mathbf{x}, \mathbf{u}) + d(\mathbf{u}, \mathbf{y}) \le 2t,$$
a contradiction to $d_C \ge 2t + 1$. $\square$

8.13. Example. The code of Example 8.1 has minimum distance $d_C = 3$ and therefore can correct one error. $\square$

The following lemma is often useful in determining the minimum distance of a code.

8.14. Lemma. A linear code $C$ with parity-check matrix $H$ has minimum distance $d_C \ge s + 1$ if and only if any $s$ columns of $H$ are linearly independent.

Proof. Assume there are $s$ linearly dependent columns of $H$, then $H\mathbf{c}^T = \mathbf{0}$ and $w(\mathbf{c}) \le s$ for suitable $\mathbf{c} \in C$, $\mathbf{c} \ne \mathbf{0}$, hence $d_C \le s$. Similarly, if any $s$ columns of $H$ are linearly independent, then there is no $\mathbf{c} \in C$, $\mathbf{c} \ne \mathbf{0}$, of weight $\le s$, hence $d_C \ge s + 1$. $\square$

Next we describe a simple decoding algorithm for linear codes. Let $C$ be a linear $(n, k)$ code over $\mathbb{F}_q$. The vector space $\mathbb{F}_q^n / C$ consists of all cosets $\mathbf{a} + C = \{\mathbf{a} + \mathbf{c} : \mathbf{c} \in C\}$ with $\mathbf{a} \in \mathbb{F}_q^n$. Each coset contains $q^k$ vectors and $\mathbb{F}_q^n$ can be regarded as being partitioned into cosets of $C$, namely,
$$\mathbb{F}_q^n = (\mathbf{a}^{(0)} + C) \cup (\mathbf{a}^{(1)} + C) \cup \cdots \cup (\mathbf{a}^{(s)} + C),$$
where $\mathbf{a}^{(0)} = \mathbf{0}$ and $s = q^{n-k} - 1$. A received vector $\mathbf{y}$ must be in one of the cosets, say in $\mathbf{a}^{(i)} + C$. If the code word $\mathbf{c}$ was transmitted, then the error is given by $\mathbf{e} = \mathbf{y} - \mathbf{c} = \mathbf{a}^{(i)} + \mathbf{z} \in \mathbf{a}^{(i)} + C$ for suitable $\mathbf{z} \in C$. This leads to the following decoding scheme.

8.15. Decoding of Linear Codes. All possible error vectors $\mathbf{e}$ of a received vector $\mathbf{y}$ are the vectors in the coset of $\mathbf{y}$. The most likely error vector is the vector $\mathbf{e}$ with minimum weight in the coset of $\mathbf{y}$. Thus we decode $\mathbf{y}$ as $\mathbf{x} = \mathbf{y} - \mathbf{e}$. The implementation of this procedure can be facilitated by the coset-leader algorithm for error correction of linear codes.

8.16. Definition. Let $C \subseteq \mathbb{F}_q^n$ be a linear $(n, k)$ code and let $\mathbb{F}_q^n / C$ be the factor space. An element of minimum weight in a coset $\mathbf{a} + C$ is called a coset leader of $\mathbf{a} + C$. If several vectors in $\mathbf{a} + C$ have minimum weight, we choose one of them as coset leader.

Let $\mathbf{a}^{(1)}, \dots, \mathbf{a}^{(s)}$ be the coset leaders of the cosets $\ne C$ and let $\mathbf{c}^{(1)} = \mathbf{0}, \mathbf{c}^{(2)}, \dots, \mathbf{c}^{(q^k)}$ be all code words in $C$. Consider the following array:

    c(1)          c(2)          ...   c(q^k)            }  row of code words
    a(1) + c(1)   a(1) + c(2)   ...   a(1) + c(q^k)     }
      ...           ...                 ...             }  remaining cosets
    a(s) + c(1)   a(s) + c(2)   ...   a(s) + c(q^k)     }
    column of coset leaders

If a word $\mathbf{y} = \mathbf{a}^{(i)} + \mathbf{c}^{(j)}$ is received, then the decoder decides that the error $\mathbf{e}$ is the corresponding coset leader $\mathbf{a}^{(i)}$ and decodes $\mathbf{y}$ as the code word $\mathbf{x} = \mathbf{y} - \mathbf{e} = \mathbf{c}^{(j)}$; that is, $\mathbf{y}$ is decoded as the code word in the column of $\mathbf{y}$. The coset of $\mathbf{y}$ can be determined by evaluating the so-called syndrome of $\mathbf{y}$.

8.17. Definition. Let $H$ be the parity-check matrix of a linear $(n, k)$ code $C$. Then the vector $S(\mathbf{y}) = H\mathbf{y}^T$ of length $n - k$ is called the syndrome of $\mathbf{y}$.

8.18. Theorem. For $\mathbf{y}, \mathbf{z} \in \mathbb{F}_q^n$ we have:
(i) $S(\mathbf{y}) = \mathbf{0}$ if and only if $\mathbf{y} \in C$;
(ii) $S(\mathbf{y}) = S(\mathbf{z})$ if and only if $\mathbf{y} + C = \mathbf{z} + C$.

Proof. (i) follows immediately from the definition of $C$ in terms of $H$. For (ii) note that $S(\mathbf{y}) = S(\mathbf{z})$ if and only if $H\mathbf{y}^T = H\mathbf{z}^T$ if and only if $H(\mathbf{y} - \mathbf{z})^T = \mathbf{0}$ if and only if $\mathbf{y} - \mathbf{z} \in C$ if and only if $\mathbf{y} + C = \mathbf{z} + C$. $\square$

If $\mathbf{e} = \mathbf{y} - \mathbf{c}$, $\mathbf{c} \in C$, $\mathbf{y} \in \mathbb{F}_q^n$, then
$$S(\mathbf{y}) = S(\mathbf{c} + \mathbf{e}) = S(\mathbf{c}) + S(\mathbf{e}) = S(\mathbf{e}) \tag{8.2}$$
and $\mathbf{y}$ and $\mathbf{e}$ are in the same coset. The coset leader of that coset also has the same syndrome. We have the following decoding algorithm.

8.19. Coset-Leader Algorithm. Let $C \subseteq \mathbb{F}_q^n$ be a linear $(n, k)$ code and let $\mathbf{y}$ be the received vector. To correct errors in $\mathbf{y}$, calculate $S(\mathbf{y})$ and find the coset leader, say $\mathbf{e}$, with syndrome equal to $S(\mathbf{y})$. Then decode $\mathbf{y}$ as $\mathbf{x} = \mathbf{y} - \mathbf{e}$. Here $\mathbf{x}$ is the code word with minimum distance to $\mathbf{y}$.

8.20. Example. Let $C$ be a binary linear $(4, 2)$ code with generator matrix $G$ and parity-check matrix $H$:
$$G = \begin{pmatrix} 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 1 \end{pmatrix}, \qquad H = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 0 & 1 & 0 & 1 \end{pmatrix}.$$
The corresponding array of cosets is:

    message row      00      10      01      11      syndromes
    code words       0000    1010    0111    1101    (0 0)^T
                     1000    0010    1111    0101    (1 0)^T
    other cosets     0100    1110    0011    1001    (1 1)^T
                     0001    1011    0110    1100    (0 1)^T
                     coset
                     leaders

If $\mathbf{y} = 1110$ is received, we could look where in the array $\mathbf{y}$ occurs. But for large arrays this is very time consuming. Therefore we find $S(\mathbf{y})$ first, namely $S(\mathbf{y}) = H\mathbf{y}^T = (1\ 1)^T$, and decide that the error is equal to the coset leader $0100$ that also has syndrome $(1\ 1)^T$. The original code word was most likely the word $1010$ and the original message was $10$. $\square$

In large linear codes it is practically impossible to find coset leaders with minimum weight; for example, a linear $(50, 20)$ code over $\mathbb{F}_2$ has $2^{30}$, that is, some $10^9$ cosets. Therefore it is necessary to construct special codes in order to overcome such difficulties. First we note the following.
8.21. Theorem. In a binary linear $(n, k)$ code with parity-check matrix $H$ the syndrome is the sum of those columns of $H$ that correspond to positions where errors have occurred.

Proof. Let $\mathbf{y} \in \mathbb{F}_2^n$ be the received vector, $\mathbf{y} = \mathbf{x} + \mathbf{e}$, $\mathbf{x} \in C$; then from (8.2) we have $S(\mathbf{y}) = H\mathbf{e}^T$. Let $i_1, i_2, \dots$ be the error coordinates in $\mathbf{e}$, say $\mathbf{e} = 0 \cdots 0\, 1_{i_1}\, 0 \cdots 0\, 1_{i_2}\, 0 \cdots$; then $S(\mathbf{y}) = \mathbf{h}_{i_1} + \mathbf{h}_{i_2} + \cdots$, where $\mathbf{h}_i$ denotes the $i$th column of $H$. $\square$

If all columns of $H$ are different, then a single error in the $i$th position of the transmitted word yields $S(\mathbf{y}) = \mathbf{h}_i$, thus one error can be corrected. To simplify the process of error location, the following class of codes is useful.

8.22. Definition. A binary code $C_m$ of length $n = 2^m - 1$, $m \ge 2$, with an $m \times (2^m - 1)$ parity-check matrix $H$ is called a binary Hamming code if the columns of $H$ are the binary representations of the integers $1, 2, \dots, 2^m - 1$.

8.23. Lemma. $C_m$ is a 1-error-correcting code of dimension $2^m - m - 1$.

Proof. By definition of the parity-check matrix $H$ of $C_m$, the rank of $H$ is $m$. Also, any two columns of $H$ are linearly independent. Since $H$ contains with any two of its columns also their sum, the minimum distance of $C_m$ equals 3 by Lemma 8.14. Thus $C_m$ is 1-error-correcting by Theorem 8.12. $\square$

8.24. Example. Let $C_3$ be the $(7, 4)$ Hamming code with parity-check matrix
$$H = \begin{pmatrix} 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 \end{pmatrix}.$$
If the syndrome of a received word $\mathbf{y}$ is, say, $S(\mathbf{y}) = (1\ 0\ 1)^T$, then we know that an error must have occurred in the fifth position, since $101$ is the binary representation of 5. $\square$

Hamming codes can also be defined in the nonbinary case, that is, over arbitrary finite fields $\mathbb{F}_q$. Here the parity-check matrix $H$ is an $m \times (q^m - 1)/(q - 1)$ matrix that has pairwise linearly independent columns. Such a matrix defines a linear $\big((q^m - 1)/(q - 1),\ (q^m - 1)/(q - 1) - m\big)$ code of minimum distance 3.

Next we describe some relationships between the length $n$ of code words, the number $k$ of information or message symbols, and the minimum distance $d_C$ of a linear code over $\mathbb{F}_q$.

8.25. Theorem (Hamming Bound). Let $C$ be a $t$-error-correcting code over $\mathbb{F}_q$ of length $n$ with $M$ code words. Then
$$M\left(1 + \binom{n}{1}(q - 1) + \cdots + \binom{n}{t}(q - 1)^t\right) \le q^n.$$

Proof. There are $\binom{n}{m}(q - 1)^m$ vectors with $n$ coordinates in $\mathbb{F}_q$ of weight $m$. The balls of radius $t$ centered at the code words are all pairwise disjoint and each of the $M$ balls contains
$$1 + \binom{n}{1}(q - 1) + \cdots + \binom{n}{t}(q - 1)^t$$
vectors of all the $q^n$ vectors in $\mathbb{F}_q^n$. $\square$
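Syndrome decoding with coset leaders (Algorithm 8.19), run on the $(4, 2)$ code of Example 8.20 and on the $(7, 4)$ Hamming code of Example 8.24, as an added example that is not from the book. Instead of writing out the whole array it builds only the table syndrome $\to$ coset leader, and for the Hamming code it reads the syndrome as the binary representation of the error position, as in Example 8.24. Function names are my own; the matrices are those given in the two examples.

```python
from itertools import product

Q = 2  # both codes are binary


def syndrome(H, y):
    """Definition 8.17: S(y) = H y^T over F_2, returned as a tuple."""
    return tuple(sum(h * v for h, v in zip(row, y)) % Q for row in H)


def coset_leaders(H):
    """Map each syndrome to a coset leader (Definition 8.16). The vectors of
    F_2^n are scanned in order of increasing weight, so the first vector met
    for a syndrome is an element of minimum weight in that coset."""
    n = len(H[0])
    leaders = {}
    for v in sorted(product(range(Q), repeat=n), key=sum):
        s = syndrome(H, v)
        if s not in leaders:
            leaders[s] = list(v)
    return leaders


def decode(H, leaders, y):
    """Coset-leader algorithm 8.19: x = y - e, e the leader of the coset of y.
    Returns (code word x, error vector e)."""
    e = leaders[syndrome(H, y)]
    x = [(a - b) % Q for a, b in zip(y, e)]
    return x, e


def hamming_parity_check(m):
    """Definition 8.22: m x (2^m - 1) matrix whose j-th column is the binary
    representation of j, most significant bit in the first row."""
    n = 2 ** m - 1
    return [[(j >> (m - 1 - i)) & 1 for j in range(1, n + 1)] for i in range(m)]


def hamming_error_position(s):
    """Example 8.24: the syndrome read as a binary number is the (1-based)
    position of a single error; 0 means the word is a code word."""
    return int("".join(str(b) for b in s), 2)


# Example 8.20: binary (4, 2) code, matrices as given in the text.
G_42 = [[1, 0, 1, 0], [0, 1, 1, 1]]
H_42 = [[1, 1, 1, 0], [0, 1, 0, 1]]

if __name__ == "__main__":
    leaders = coset_leaders(H_42)
    y = [1, 1, 1, 0]                                   # received word 1110
    x, e = decode(H_42, leaders, y)
    print("Example 8.20: S(y) =", syndrome(H_42, y), "leader", e, "code word", x, "message", x[:2])

    H_7 = hamming_parity_check(3)
    y7 = [1, 0, 1, 1, 1, 1, 0]                         # code word 1011010 with an error in position 5
    print("Example 8.24: S(y) =", syndrome(H_7, y7), "-> error position", hamming_error_position(syndrome(H_7, y7)))
```

For the coset with syndrome $(1\ 0)^T$ the book's array picks $1000$ as leader while this scan picks $0010$; both have weight 1, which is the freedom Definition 8.16 allows.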
8.26. Theorem (Plotkin Bound). For a linear $(n, k)$ code $C$ over $\mathbb{F}_q$ of minimum distance $d_C$ we have
$$d_C \le \frac{n q^{k-1}(q - 1)}{q^k - 1}.$$

Proof. Let $1 \le i \le n$ be such that $C$ contains a code word with nonzero $i$th component. Let $V$ be the subspace of $C$ consisting of all code words with $i$th component zero. In $C/V$ there are $q$ elements which correspond to $q$ choices for the $i$th component of a code word. Thus $|C|/|V| = q$ and $|C| = q^k$ implies $|V| = q^{k-1}$. By counting along the components, the sum of the weights of the code words in $C$ is then seen to be $\le n q^{k-1}(q - 1)$. The minimum distance $d_C$ of the code is the minimum nonzero weight and therefore must satisfy the inequality given in the theorem since the total number of code words of nonzero weight is $q^k - 1$. $\square$

8.27. Theorem (Gilbert–Varshamov Bound). There exists a linear $(n, k)$ code over $\mathbb{F}_q$ with minimum distance $\ge d$ whenever
$$q^{n-k} > \sum_{i=0}^{d-2} \binom{n-1}{i}(q - 1)^i.$$

Proof. We prove this theorem by constructing an $(n - k) \times n$ parity-check matrix $H$ for such a code. We choose the first column of $H$ as any nonzero $(n - k)$-tuple over $\mathbb{F}_q$. The second column is any $(n - k)$-tuple over $\mathbb{F}_q$ that is not a scalar multiple of the first column. In general, suppose $j - 1$ columns have been chosen so that any $d - 1$ of them are linearly independent. There are at most
$$\sum_{i=0}^{d-2} \binom{j-1}{i}(q - 1)^i$$
vectors obtained by linear combinations of $d - 2$ or fewer of these $j - 1$ columns. If the inequality of the theorem holds, then it will be possible to choose a $j$th column that is linearly independent of any $d - 2$ of the first $j - 1$ columns. The construction can be carried out in such a way that $H$ has rank $n - k$. The resulting code has minimum distance $\ge d$ by Lemma 8.14. $\square$

We define the dual code of a given linear code $C$ by means of the following concepts. Let $\mathbf{u} = (u_1, \dots, u_n)$, $\mathbf{v} = (v_1, \dots, v_n) \in \mathbb{F}_q^n$, then $\mathbf{u} \cdot \mathbf{v} = u_1 v_1 + \cdots + u_n v_n$ denotes the dot product of $\mathbf{u}$ and $\mathbf{v}$. If $\mathbf{u} \cdot \mathbf{v} = 0$, then $\mathbf{u}$ and $\mathbf{v}$ are called orthogonal.

8.28. Definition. Let $C$ be a linear $(n, k)$ code over $\mathbb{F}_q$. Then its dual (or orthogonal) code $C^\perp$ is defined as
$$C^\perp = \{\mathbf{u} \in \mathbb{F}_q^n : \mathbf{u} \cdot \mathbf{v} = 0 \text{ for all } \mathbf{v} \in C\}.$$

The code $C$ is a $k$-dimensional subspace of $\mathbb{F}_q^n$, the dimension of $C^\perp$ is $n - k$. $C^\perp$ is a linear $(n, n - k)$ code. It is easy to show that $C^\perp$ has generator matrix $H$ if $C$ has parity-check matrix $H$ and that $C^\perp$ has parity-check matrix $G$ if $C$ has generator matrix $G$.

Considerable information on a code is obtained from the weight enumeration. For instance, to determine decoding error probabilities or in certain decoding algorithms it is important to know the distribution of the weights of code words. There is a fundamental connection between the weight distribution of a linear code and of its dual code. This will be derived in the following theorem.

8.29. Definition. Let $A_i$ denote the number of code words $\mathbf{c} \in C$ of weight $i$, $0 \le i \le n$. Then the polynomial
$$A(x, y) = \sum_{i=0}^{n} A_i x^i y^{n-i}$$
in the indeterminates $x$ and $y$ over the complex numbers is called the weight enumerator of $C$.

We shall need characters of finite fields, as discussed in Chapter 5.

8.30. Definition. Let $\chi$ be a nontrivial additive character of $\mathbb{F}_q$ and let $\mathbf{v} \cdot \mathbf{u}$ denote the dot product of $\mathbf{v}, \mathbf{u} \in \mathbb{F}_q^n$. We define for fixed $\mathbf{v} \in \mathbb{F}_q^n$ the mapping $\chi_{\mathbf{v}}: \mathbb{F}_q^n \to \mathbb{C}$ by $\chi_{\mathbf{v}}(\mathbf{u}) = \chi(\mathbf{v} \cdot \mathbf{u})$ for $\mathbf{u} \in \mathbb{F}_q^n$. If $V$ is a vector space over $\mathbb{C}$ and $f: \mathbb{F}_q^n \to V$ a mapping from $\mathbb{F}_q^n$ into $V$, then we define $g_f: \mathbb{F}_q^n \to V$ by
$$g_f(\mathbf{u}) = \sum_{\mathbf{v} \in \mathbb{F}_q^n} \chi_{\mathbf{v}}(\mathbf{u}) f(\mathbf{v}) \qquad \text{for } \mathbf{u} \in \mathbb{F}_q^n.$$

8.31. Lemma. Let $E$ be a subspace of $\mathbb{F}_q^n$, $E^\perp$ its orthogonal complement, $f: \mathbb{F}_q^n \to V$ a mapping from $\mathbb{F}_q^n$ into a vector space $V$ over $\mathbb{C}$ and $\chi$ a nontrivial additive character of $\mathbb{F}_q$. Then
$$\sum_{\mathbf{u} \in E} g_f(\mathbf{u}) = |E| \sum_{\mathbf{v} \in E^\perp} f(\mathbf{v}).$$

Proof.
$$\sum_{\mathbf{u} \in E} g_f(\mathbf{u}) = \sum_{\mathbf{u} \in E} \sum_{\mathbf{v} \in \mathbb{F}_q^n} \chi_{\mathbf{v}}(\mathbf{u}) f(\mathbf{v}) = |E| \sum_{\mathbf{v} \in E^\perp} f(\mathbf{v}) + \sum_{\mathbf{v} \in \mathbb{F}_q^n \setminus E^\perp} \sum_{\mathbf{u} \in E} \chi(\mathbf{v} \cdot \mathbf{u}) f(\mathbf{v}).$$
For fixed $\mathbf{v} \notin E^\perp$, $\mathbf{u} \mapsto \mathbf{v} \cdot \mathbf{u}$ is a nontrivial linear functional on $E$, thus
$$\sum_{\mathbf{u} \in E} \chi(\mathbf{v} \cdot \mathbf{u}) f(\mathbf{v}) = f(\mathbf{v})\, \frac{|E|}{q} \sum_{c \in \mathbb{F}_q} \chi(c) = 0$$
by using (5.9). $\square$

We apply this lemma with $V$ as the space of polynomials in two indeterminates $x$ and $y$ over $\mathbb{C}$ and the mapping $f$ defined as
$$f(\mathbf{v}) = x^{w(\mathbf{v})} y^{n - w(\mathbf{v})},$$
where $w(\mathbf{v})$ denotes the weight of $\mathbf{v} \in \mathbb{F}_q^n$.

8.32. Theorem (MacWilliams Identity). Let $C$ be a linear $(n, k)$ code over $\mathbb{F}_q$ and $C^\perp$ its dual code. If $A(x, y)$ is the weight enumerator of $C$ and $A^\perp(x, y)$ is the weight enumerator of $C^\perp$, then
$$A^\perp(x, y) = q^{-k} A\big(y - x,\ y + (q - 1)x\big).$$

Proof. Let $f: \mathbb{F}_q^n \to \mathbb{C}[x, y]$ be as given above, then the weight enumerator of $C^\perp$ is
$$A^\perp(x, y) = \sum_{\mathbf{v} \in C^\perp} f(\mathbf{v}).$$
Let $g_f$ be as in Definition 8.30 and for $v \in \mathbb{F}_q$ define
$$w(v) = \begin{cases} 1 & \text{if } v \ne 0, \\ 0 & \text{if } v = 0. \end{cases}$$
Then
$$g_f(\mathbf{u}) = \sum_{\mathbf{v} \in \mathbb{F}_q^n} \chi(\mathbf{v} \cdot \mathbf{u})\, x^{w(\mathbf{v})} y^{n - w(\mathbf{v})} = \sum_{v_1 \in \mathbb{F}_q} \cdots \sum_{v_n \in \mathbb{F}_q} \prod_{i=1}^{n} \chi(u_i v_i)\, x^{w(v_i)} y^{1 - w(v_i)} = \prod_{i=1}^{n} \sum_{v_i \in \mathbb{F}_q} \chi(u_i v_i)\, x^{w(v_i)} y^{1 - w(v_i)}.$$
For $u_i = 0$ we have $\chi(u_i v_i) = \chi(0) = 1$, hence the corresponding factor in the product is $(q - 1)x + y$. For $u_i \ne 0$ the corresponding factor is
$$y + x \sum_{v_i \in \mathbb{F}_q^*} \chi(u_i v_i) = y - x.$$
Therefore, $g_f(\mathbf{u}) = (y - x)^{w(\mathbf{u})} \big(y + (q - 1)x\big)^{n - w(\mathbf{u})}$. Lemma 8.31 implies
$$|C|\, A^\perp(x, y) = |C| \sum_{\mathbf{v} \in C^\perp} f(\mathbf{v}) = \sum_{\mathbf{u} \in C} g_f(\mathbf{u}) = A\big(y - x,\ y + (q - 1)x\big).$$
Finally, $|C| = q^k$ by hypothesis. $\square$

8.33. Corollary. Let $x = z$ and $y = 1$ in the weight enumerators $A(x, y)$ and $A^\perp(x, y)$ and denote the resulting polynomials by $A(z)$ and $A^\perp(z)$, respectively. Then the MacWilliams identity can be written in the form
$$A^\perp(z) = q^{-k}\big(1 + (q - 1)z\big)^n A\!\left(\frac{1 - z}{1 + (q - 1)z}\right).$$

8.34. Example. Let $C_m$ be the binary Hamming code of length $n = 2^m - 1$ and dimension $n - m$ over $\mathbb{F}_2$. The dual code $C_m^\perp$ has as its generator matrix the parity-check matrix $H$ of $C_m$, which consists of all nonzero column vectors of length $m$ over $\mathbb{F}_2$. $C_m^\perp$ consists of the zero vector and $2^m - 1$ vectors of weight $2^{m-1}$. Thus the weight enumerator of $C_m^\perp$ is
$$y^n + (2^m - 1)\, x^{2^{m-1}} y^{2^{m-1} - 1}.$$
By Theorem 8.32 the weight enumerator for $C_m$ is given by
$$A(x, y) = \frac{1}{n + 1}\Big[(y + x)^n + n\,(y - x)^{(n+1)/2}(y + x)^{(n-1)/2}\Big].$$
Let $A(z) = A(z, 1)$, that is, $A(z) = \sum_{i=0}^{n} A_i z^i$; then one can verify that $A(z)$ satisfies the differential equation
$$(1 - z^2)\frac{dA(z)}{dz} + (1 + nz)A(z) = (1 + z)^n$$
with initial condition $A(0) = A_0 = 1$. This is equivalent to
$$i A_i = \binom{n}{i-1} - A_{i-1} - (n - i + 2) A_{i-2} \qquad \text{for } i = 2, 3, \dots, n$$
with initial conditions $A_0 = 1$, $A_1 = 0$.
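The MacWilliams identity in the one-variable form of Corollary 8.33 and the recurrence of Example 8.34, checked on the $(7, 4)$ Hamming code $C_3$ as an added example (not the book's code). Weight enumerators are lists of coefficients $A_i$, the transform is carried out by exact integer polynomial arithmetic in $z$, and the differential equation is verified coefficient by coefficient; all function names are my own. Beyond $m = 3$ the recurrence is also compared with the identity applied to the $(15, 11)$ Hamming code.

```python
from itertools import product
from math import comb


def poly_mul(p, r):
    """Product of polynomials given as coefficient lists (constant term first)."""
    out = [0] * (len(p) + len(r) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(r):
            out[i + j] += a * b
    return out


def poly_pow(p, e):
    out = [1]
    for _ in range(e):
        out = poly_mul(out, p)
    return out


def poly_add(p, r):
    n = max(len(p), len(r))
    return [(p[i] if i < len(p) else 0) + (r[i] if i < len(r) else 0) for i in range(n)]


def weight_distribution(gen_rows):
    """A_i of the binary code spanned by gen_rows (brute force over all messages)."""
    n = len(gen_rows[0])
    A = [0] * (n + 1)
    for msg in product((0, 1), repeat=len(gen_rows)):
        c = [sum(m * row[j] for m, row in zip(msg, gen_rows)) % 2 for j in range(n)]
        A[sum(c)] += 1
    return A


def weight_distribution_null_space(H):
    """A_i of the binary code {c : H c^T = 0} (brute force over F_2^n)."""
    n = len(H[0])
    A = [0] * (n + 1)
    for c in product((0, 1), repeat=n):
        if all(sum(h * x for h, x in zip(row, c)) % 2 == 0 for row in H):
            A[sum(c)] += 1
    return A


def macwilliams(A, n, k, q):
    """Corollary 8.33 for a code of dimension k with enumerator A(z):
    A^perp(z) = q^-k (1+(q-1)z)^n A((1-z)/(1+(q-1)z)). Clearing the
    denominator, A_i contributes A_i (1-z)^i (1+(q-1)z)^(n-i); the sum
    is divisible by q^k because the result counts code words."""
    total = [0] * (n + 1)
    for i, a in enumerate(A):
        if a:
            term = poly_mul(poly_pow([1, -1], i), poly_pow([1, q - 1], n - i))
            total = poly_add(total, [a * t for t in term])
    assert all(t % q ** k == 0 for t in total)
    return [t // q ** k for t in total]


def hamming_recurrence(n):
    """Example 8.34: i A_i = C(n, i-1) - A_{i-1} - (n-i+2) A_{i-2}, A_0 = 1, A_1 = 0."""
    A = [1, 0]
    for i in range(2, n + 1):
        num = comb(n, i - 1) - A[i - 1] - (n - i + 2) * A[i - 2]
        assert num % i == 0
        A.append(num // i)
    return A


def satisfies_hamming_ode(A, n):
    """Check (1 - z^2) A'(z) + (1 + n z) A(z) = (1 + z)^n as polynomials in z."""
    A = A + [0] * (n + 1 - len(A))
    dA = [i * a for i, a in enumerate(A)][1:]          # coefficients of A'(z)
    lhs = poly_add(poly_mul([1, 0, -1], dA), poly_mul([1, n], A))
    rhs = [comb(n, i) for i in range(n + 1)]
    rhs += [0] * (len(lhs) - len(rhs))
    return lhs == rhs


# Parity-check matrix of the (7, 4) Hamming code (Example 8.24); its rows generate C_3^perp.
H_7 = [[0, 0, 0, 1, 1, 1, 1], [0, 1, 1, 0, 0, 1, 1], [1, 0, 1, 0, 1, 0, 1]]

if __name__ == "__main__":
    A_dual = weight_distribution(H_7)            # 1 + 7 z^4
    A_ham = macwilliams(A_dual, 7, 3, 2)         # dual of the 3-dimensional code C_3^perp is C_3
    print("A(z) of C_3 via MacWilliams:", A_ham)
    print("A(z) of C_3 by brute force: ", weight_distribution_null_space(H_7))
    print("A(z) of C_3 by recurrence:  ", hamming_recurrence(7))
    print("ODE holds:", satisfies_hamming_ode(A_ham, 7))
```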
2. CYCLIC CODES

Cyclic codes are a special class of linear codes that can be implemented fairly simply and whose mathematical structure is reasonably well known.

8.35. Definition. A linear $(n, k)$ code $C$ over $\mathbb{F}_q$ is called cyclic if $(a_0, a_1, \dots, a_{n-1}) \in C$ implies $(a_{n-1}, a_0, \dots, a_{n-2}) \in C$.

From now on we impose the restriction $\gcd(n, q) = 1$ and let $(x^n - 1)$ be the ideal generated by $x^n - 1 \in \mathbb{F}_q[x]$. Then all elements of $\mathbb{F}_q[x]/(x^n - 1)$ can be represented by polynomials of degree less than $n$ and clearly this residue class ring is isomorphic to $\mathbb{F}_q^n$ as a vector space over $\mathbb{F}_q$. An isomorphism is given by
$$(a_0, a_1, \dots, a_{n-1}) \mapsto a_0 + a_1 x + \cdots + a_{n-1} x^{n-1}.$$
Because of this isomorphism, we denote the elements of $\mathbb{F}_q[x]/(x^n - 1)$ either as polynomials of degree $< n$ modulo $x^n - 1$ or as vectors or words over $\mathbb{F}_q$. We introduce multiplication of polynomials modulo $x^n - 1$ in the usual way; that is, if $f \in \mathbb{F}_q[x]/(x^n - 1)$, $g_1, g_2 \in \mathbb{F}_q[x]$, then $g_1 g_2 = f$ means that $g_1 g_2 \equiv f \bmod (x^n - 1)$.

A cyclic $(n, k)$ code $C$ can be obtained by multiplying each message of $k$ coordinates (identified with a polynomial of degree $< k$) by a fixed polynomial $g(x)$ of degree $n - k$ with $g(x)$ a divisor of $x^n - 1$. The polynomials $g(x), xg(x), \dots, x^{k-1}g(x)$ correspond to code words of $C$. A generator matrix of $C$ is given by
$$G = \begin{pmatrix} g_0 & g_1 & \cdots & g_{n-k} & 0 & \cdots & 0 \\ 0 & g_0 & g_1 & \cdots & g_{n-k} & \cdots & 0 \\ \vdots & & \ddots & & & \ddots & \vdots \\ 0 & \cdots & 0 & g_0 & g_1 & \cdots & g_{n-k} \end{pmatrix},$$
where $g(x) = g_0 + g_1 x + \cdots + g_{n-k} x^{n-k}$. The rows of $G$ are obviously linearly independent and $\operatorname{rank}(G) = k$, the dimension of $C$. If
$$h(x) = (x^n - 1)/g(x) = h_0 + h_1 x + \cdots + h_k x^k,$$
then we see that the matrix
$$H = \begin{pmatrix} 0 & \cdots & 0 & h_k & h_{k-1} & \cdots & h_0 \\ 0 & \cdots & h_k & h_{k-1} & \cdots & h_0 & 0 \\ \vdots & & & & & & \vdots \\ h_k & h_{k-1} & \cdots & h_0 & 0 & \cdots & 0 \end{pmatrix}$$
is a parity-check matrix for $C$. The code with generator matrix $H$ is the dual code of $C$, which is again cyclic. Since we are using the terminologies of vectors $(a_0, a_1, \dots, a_{n-1})$ and polynomials $a_0 + a_1 x + \cdots + a_{n-1}x^{n-1}$ over $\mathbb{F}_q$ synonymously, we can interpret $C$ as a subset of the factor ring $\mathbb{F}_q[x]/(x^n - 1)$.

8.36. Theorem. The linear code $C$ is cyclic if and only if $C$ is an ideal of $\mathbb{F}_q[x]/(x^n - 1)$.

Proof. If $C$ is an ideal and $(a_0, a_1, \dots, a_{n-1}) \in C$, then also $x(a_0 + a_1 x + \cdots + a_{n-1}x^{n-1}) \in C$, that is, $(a_{n-1}, a_0, \dots, a_{n-2}) \in C$. Conversely, if $(a_0, a_1, \dots, a_{n-1}) \in C$ implies $(a_{n-1}, a_0, \dots, a_{n-2}) \in C$, then for every $a(x) \in C$ we have $xa(x) \in C$, hence also $x^2 a(x) \in C$, $x^3 a(x) \in C$, and so on. Therefore also $b(x)a(x) \in C$ for any polynomial $b(x)$; that is, $C$ is an ideal. $\square$

Every ideal of $\mathbb{F}_q[x]/(x^n - 1)$ is principal; in particular, every nonzero ideal $C$ is generated by the monic polynomial of lowest degree in the ideal, say $g(x)$, where $g(x)$ divides $x^n - 1$.

8.37. Definition. Let $C = (g(x))$ be a cyclic code. Then $g(x)$ is called the generator polynomial of $C$ and $h(x) = (x^n - 1)/g(x)$ is called the parity-check polynomial of $C$.

Let $x^n - 1 = f_1(x) f_2(x) \cdots f_m(x)$ be the decomposition of $x^n - 1$ into monic irreducible factors over $\mathbb{F}_q$. Since we assume $\gcd(n, q) = 1$, there are no multiple factors. If $f_i(x)$ is irreducible over $\mathbb{F}_q$, then $(f_i(x))$ is a maximal ideal and the cyclic code generated by $f_i(x)$ is called a maximal cyclic code. The code generated by $(x^n - 1)/f_i(x)$ is called an irreducible cyclic code. We can find all cyclic codes of length $n$ over $\mathbb{F}_q$ by factoring $x^n - 1$ as above and taking any of the $2^m - 2$ nontrivial monic factors of $x^n - 1$ as a generator polynomial.

If $h(x)$ is the parity-check polynomial of a cyclic code $C \subseteq \mathbb{F}_q[x]/(x^n - 1)$ and $v(x) \in \mathbb{F}_q[x]/(x^n - 1)$, then $v(x) \in C$ if and only if $v(x)h(x) \equiv 0 \bmod (x^n - 1)$. A message polynomial $a(x) = a_0 + a_1 x + \cdots + a_{k-1}x^{k-1}$ is encoded by $C$ into $w(x) = a(x)g(x)$, where $g(x)$ is the generator polynomial of $C$. If we divide the received polynomial $v(x)$ by $g(x)$, and if there is a nonzero remainder, we know that an error occurs.

The canonical generator matrix of $C$ can be obtained as follows. Let $\deg(g(x)) = n - k$. Then there are unique polynomials $a_j(x)$ and $r_j(x)$ with $\deg(r_j(x)) < n - k$ such that
$$x^j = a_j(x)g(x) + r_j(x).$$
Consequently, $x^j - r_j(x)$ is a code polynomial, and so is $g_j(x) = x^k\big(x^j - r_j(x)\big)$ considered modulo $x^n - 1$. The polynomials $g_j(x)$, $j = n - k, \dots, n - 1$, are linearly independent and form the canonical generator matrix
$$(I_k,\ R),$$
where $I_k$ is the $k \times k$ identity matrix and $R$ is the $k \times (n - k)$ matrix whose $i$th row is the vector of coefficients of $-r_{n-k+i-1}(x)$.

8.38. Example. Let $n = 7$, $q = 2$. Then
$$x^7 - 1 = (x - 1)(x^3 + x + 1)(x^3 + x^2 + 1).$$
Thus $g(x) = x^3 + x + 1$ generates a cyclic $(7, 4)$ code with parity-check polynomial $h(x) = x^4 + x^2 + x + 1$. The corresponding canonical generator matrix and parity-check matrix are, respectively,
$$G = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 & 0 & 1 \end{pmatrix}, \qquad H = \begin{pmatrix} 1 & 0 & 1 & 1 & 1 & 0 & 0 \\ 1 & 1 & 1 & 0 & 0 & 1 & 0 \\ 0 & 1 & 1 & 1 & 0 & 0 & 1 \end{pmatrix}. \qquad \square$$

We recall from Chapter 6 that if $f \in \mathbb{F}_q[x]$ is a divisor of $x^n - 1$ of the form
$$f(x) = f_0 + f_1 x + \cdots + f_k x^k, \qquad f_0 \ne 0,\ f_k = 1,$$
then the solutions of the linear recurrence relation
$$\sum_{j=0}^{k} f_j a_{i+j} = 0, \qquad i = 0, 1, \dots,$$
are periodic of period $n$. The set of the $n$-tuples of the first $n$ terms of each possible solution, considered as polynomials modulo $x^n - 1$, is the ideal generated by $g(x)$ in $\mathbb{F}_q[x]/(x^n - 1)$, where $g(x)$ is the reciprocal polynomial of $(x^n - 1)/f(x)$ of degree $n - k$. Thus linear recurrence relations can be used to generate code words of cyclic codes, and this generation process can be implemented on feedback shift registers.

8.39. Example. Let $f(x) = x^3 + x + 1$, a factor of $x^7 - 1$ over $\mathbb{F}_2$. The associated linear recurrence relation is $a_{i+3} + a_{i+1} + a_i = 0$, which gives rise to a $(7, 3)$ cyclic code, which encodes $111$, say, as $1110010$. The generator polynomial is the reciprocal polynomial of $(x^7 - 1)/f(x)$; that is, $g(x) = x^4 + x^3 + x^2 + 1$. $\square$
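The cyclic $(7, 4)$ code of Example 8.38 and the recurrence encoder of Example 8.39, worked out in Python as an added example (not code from the book). Polynomials over $\mathbb{F}_2$ are held as Python integers with bit $i$ the coefficient of $x^i$, so $x^3 + x + 1$ is `0b1011`; the code derives $h(x)$, the canonical generator matrix from the remainders $r_j(x)$, detects an error by the remainder on division by $g(x)$, and runs the linear recurrence of Example 8.39. Function names are my own.

```python
N = 7
G_POLY = 0b1011             # g(x) = x^3 + x + 1 (Example 8.38)
X_N_MINUS_1 = (1 << N) | 1  # x^7 - 1 = x^7 + 1 over F_2


def deg(p):
    return p.bit_length() - 1


def pmul(a, b):
    """Product in F_2[x] (carry-less multiplication)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pdivmod(a, b):
    """Quotient and remainder of a by b in F_2[x]."""
    q = 0
    while a and deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def reciprocal(p):
    """x^deg(p) p(1/x): the coefficient bits in reverse order."""
    return int(format(p, "b")[::-1], 2)


def parity_check_polynomial(g, n=N):
    """Definition 8.37: h(x) = (x^n - 1)/g(x); g must divide x^n - 1."""
    h, rem = pdivmod((1 << n) | 1, g)
    assert rem == 0, "g(x) does not divide x^n - 1"
    return h


def canonical_generator_matrix(g, n=N):
    """Section 2: with x^j = a_j(x) g(x) + r_j(x), the code polynomials
    x^k (x^j - r_j(x)) mod (x^n - 1) = x^(j-n+k) - x^k r_j(x), j = n-k, ..., n-1,
    are the rows of (I_k, R); over F_2 the minus signs disappear."""
    k = n - deg(g)
    rows = []
    for i in range(k):                      # row i comes from j = n - k + i
        _, r = pdivmod(1 << (n - k + i), g)
        poly = (1 << i) ^ (r << k)
        rows.append([(poly >> t) & 1 for t in range(n)])
    return rows


def to_poly(vec):
    """Vector (a_0, ..., a_{n-1}) -> a_0 + a_1 x + ... as a bit-int."""
    return sum(bit << i for i, bit in enumerate(vec))


def encode(a, g):
    """w(x) = a(x) g(x) for a message polynomial a(x) of degree < k."""
    return pmul(a, g)


def has_error(v, g):
    """Divide the received polynomial by g(x): a nonzero remainder shows an error."""
    return pdivmod(v, g)[1] != 0


def lrs_code_word(f, message, n=N):
    """Example 8.39: run the recurrence sum_{j=0}^k f_j a_{i+j} = 0 (f_k = 1) from
    the k message symbols; the first n terms form a code word of the cyclic
    code generated by the reciprocal polynomial of (x^n - 1)/f(x)."""
    k = deg(f)
    seq = list(message)
    for i in range(n - k):
        seq.append(sum(((f >> j) & 1) * seq[i + j] for j in range(k)) % 2)
    return seq


if __name__ == "__main__":
    # (x + 1)(x^3 + x + 1)(x^3 + x^2 + 1) = x^7 + 1
    assert pmul(pmul(0b11, 0b1011), 0b1101) == X_N_MINUS_1
    print("h(x) =", bin(parity_check_polynomial(G_POLY)))
    for row in canonical_generator_matrix(G_POLY):
        print(row)
    w = encode(0b1101, G_POLY)                      # message a(x) = x^3 + x^2 + 1
    print("error in received word detected:", has_error(w ^ (1 << 2), G_POLY))
    print("Example 8.39, 111 ->", lrs_code_word(0b1011, [1, 1, 1]))
```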
Cyclic codes can also be described by prescribing certain roots of all code polynomials in a suitable extension field of $\mathbb{F}_q$. The requirement that all code polynomials are multiples of $g(x)$, a generator polynomial, simply means that they all vanish at the roots of $g(x)$. Let $\alpha_1, \dots, \alpha_s$ be elements of a finite extension field of $\mathbb{F}_q$ and $p_i(x)$ be the minimal polynomial of $\alpha_i$ over $\mathbb{F}_q$ for $i = 1, 2, \dots, s$. Let $n \in \mathbb{N}$ be such that $\alpha_i^n = 1$, $i = 1, 2, \dots, s$, and define $g(x) = \operatorname{lcm}(p_1(x), \dots, p_s(x))$. Thus $g(x)$ divides $x^n - 1$. If $C \subseteq \mathbb{F}_q^n$ is the cyclic code with generator polynomial $g(x)$, then we have $v(x) \in C$ if and only if $v(\alpha_i) = 0$, $i = 1, 2, \dots, s$. As an example of the concurrence of the description of a cyclic code by a generator polynomial or by roots of code polynomials we prove the following result, which uses the concept of equivalence of codes in Exercise 8.10.

8.40. Theorem. The binary cyclic code of length $n = 2^m - 1$ for which the generator polynomial is the minimal polynomial over $\mathbb{F}_2$ of a primitive element of $\mathbb{F}_{2^m}$ is equivalent to the binary $(n, n - m)$ Hamming code.

Proof. Let $\alpha$ denote a primitive element of $\mathbb{F}_{2^m}$ and let
$$p(x) = (x - \alpha)(x - \alpha^2) \cdots (x - \alpha^{2^{m-1}})$$
be the minimal polynomial of $\alpha$ over $\mathbb{F}_2$. We now consider the cyclic code $C$ generated by $p(x)$. We construct an $m \times (2^m - 1)$ matrix $H$ for which the $j$th column is $(c_0, c_1, \dots, c_{m-1})^T$ if
$$\alpha^{j-1} = \sum_{i=0}^{m-1} c_i \alpha^i, \qquad j = 1, 2, \dots, 2^m - 1,$$
where $c_i \in \mathbb{F}_2$. If $\mathbf{a} = (a_0, a_1, \dots, a_{n-1})$ and $a(x) = a_0 + a_1 x + \cdots + a_{n-1}x^{n-1} \in \mathbb{F}_2[x]$, then the vector $H\mathbf{a}^T$ corresponds to the element $a(\alpha)$ expressed in the basis $\{1, \alpha, \dots, \alpha^{m-1}\}$. Consequently, $H\mathbf{a}^T = \mathbf{0}$ holds exactly when $p(x)$ divides $a(x)$, so $H$ is a parity-check matrix of $C$. Since the columns of $H$ are a permutation of the binary representations of the numbers $1, 2, \dots, 2^m - 1$, the proof is complete. $\square$

8.41. Example. The polynomial $x^4 + x + 1$ is primitive over $\mathbb{F}_2$ and thus has a primitive element $\alpha$ of $\mathbb{F}_{16}$ as a root. If we use vector notation for the 15 elements $\alpha^j \in \mathbb{F}_{16}$, $j = 0, 1, \dots, 14$, expressed in the basis $\{1, \alpha, \alpha^2, \alpha^3\}$ and we form a $4 \times 15$ matrix with these vectors as columns, then we get the parity-check matrix of a code equivalent to the $(15, 11)$ Hamming code. A message $(a_0, a_1, \dots, a_{10})$ is encoded into a code polynomial
$$w(x) = a(x)(x^4 + x + 1),$$
where $a(x) = a_0 + a_1 x + \cdots + a_{10}x^{10}$. Now suppose the received polynomial contains one error; that is, $v(x) = w(x) + x^{e-1}$ is received when $w(x)$ is transmitted. Then the syndrome is $w(\alpha) + \alpha^{e-1} = \alpha^{e-1}$ and the decoder is led to the conclusion that there is an error in the $e$th position. $\square$
8.42. Theorem. Let C ⊆ F_q[x]/(x^n − 1) be a cyclic code with generator polynomial g with the roots α_1, ..., α_{n−k}. Then f ∈ F_q[x]/(x^n − 1) is a code polynomial if and only if the coefficient vector (f_0, ..., f_{n−1}) of f is in the null space of the matrix

$$H = \begin{pmatrix} 1 & \alpha_1 & \alpha_1^2 & \cdots & \alpha_1^{n-1} \\ 1 & \alpha_2 & \alpha_2^2 & \cdots & \alpha_2^{n-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha_{n-k} & \alpha_{n-k}^2 & \cdots & \alpha_{n-k}^{n-1} \end{pmatrix}. \qquad (8.3)$$

Proof. Let f(x) = f_0 + f_1 x + ... + f_{n−1} x^{n−1}; then f(α_i) = f_0 + f_1 α_i + ... + f_{n−1} α_i^{n−1} = 0 for 1 ≤ i ≤ n − k, that is, (1, α_i, ..., α_i^{n−1})(f_0, f_1, ..., f_{n−1})^T = 0 for 1 ≤ i ≤ n − k, if and only if H(f_0, f_1, ..., f_{n−1})^T = 0. □
We recall from Section 1 that for error correction we have to determine the syndrome of the received word y. In the case of cyclic codes, the syndrome, which is a column vector of length n − k, can often be replaced by a simpler entity serving the same purpose. For instance, let α be a primitive nth root of unity in F_{q^m}, and let the generator polynomial g be the minimal polynomial of α over F_q. Since g divides f ∈ F_q[x]/(x^n − 1) if and only if f(α) = 0, it suffices to replace the matrix H in (8.3) by

$$H = (1 \;\; \alpha \;\; \alpha^2 \;\; \cdots \;\; \alpha^{n-1}).$$

Then the role of the syndrome is played by S(y) = Hy^T, and S(y) = y(α) since y = (y_0, y_1, ..., y_{n−1}) can be regarded as a polynomial y(x) with coefficients y_i. In the following we use the notation w for a transmitted word and v for a received word, and we write w(x) and v(x), respectively, for the corresponding polynomials. Suppose e^{(j)}(x) = x^{j−1} with 1 ≤ j ≤ n is an error polynomial with a single error, and let v = w + e^{(j)} be the received word. Then

$$S(v) = v(\alpha) = w(\alpha) + e^{(j)}(\alpha) = e^{(j)}(\alpha) = \alpha^{j-1}.$$

e^{(j)}(α) is called the error-location number. S(v) = α^{j−1} indicates the error uniquely, since e^{(i)}(α) ≠ e^{(j)}(α) for 1 ≤ i ≤ n with i ≠ j. Before describing a general class of cyclic codes and their decoding, we consider a special example to motivate the theory.
8.43. Example. Let α ∈ F_16 be a root of x^4 + x + 1 ∈ F_2[x]; then α and α^3 have the minimal polynomials m^{(1)}(x) = x^4 + x + 1 and m^{(3)}(x) = x^4 + x^3 + x^2 + x + 1 over F_2, respectively. Both m^{(1)}(x) and m^{(3)}(x) are divisors of x^15 − 1. Hence we can define a binary cyclic code C with generator polynomial g = m^{(1)} m^{(3)}. Since g divides f ∈ F_2[x]/(x^15 − 1) if and only if f(α) = f(α^3) = 0, it suffices to replace the matrix H in (8.3) by

$$H = \begin{pmatrix} 1 & \alpha & \alpha^2 & \cdots & \alpha^{14} \\ 1 & \alpha^3 & \alpha^6 & \cdots & \alpha^{42} \end{pmatrix}.$$

We shall show (see Theorem 8.45 and Example 8.47) that the minimum distance of C is ≥ 5, therefore C can correct up to 2 errors. C is a cyclic (15, 7) code. Let

$$S_1 = \sum_{i=0}^{14} v_i \alpha^i \qquad\text{and}\qquad S_3 = \sum_{i=0}^{14} v_i \alpha^{3i}$$

be the components of S(v) = Hv^T. Then v ∈ C if and only if S(v) = 0 if and only if S_1 = S_3 = 0. If we use binary notation to represent elements of F_16, then H attains the form

$$H = \begin{pmatrix}
1&0&0&0&1&0&0&1&1&0&1&0&1&1&1 \\
0&1&0&0&1&1&0&1&0&1&1&1&1&0&0 \\
0&0&1&0&0&1&1&0&1&0&1&1&1&1&0 \\
0&0&0&1&0&0&1&1&0&1&0&1&1&1&1 \\
1&0&0&0&1&1&0&0&0&1&1&0&0&0&1 \\
0&0&0&0&1&0&0&0&0&1&0&0&0&0&1 \\
0&0&1&0&1&0&0&1&0&1&0&0&1&0&1 \\
0&1&1&1&1&0&1&1&1&1&0&1&1&1&1
\end{pmatrix}.$$

The columns of H are calculated as follows: the first four entries of the first column are the coefficients in 1 = 1·α^0 + 0·α + 0·α^2 + 0·α^3, the first four entries of the second column are the coefficients in α = 0·α^0 + 1·α + 0·α^2 + 0·α^3, and so on; the last four entries of the first column are the coefficients in 1 = 1·α^0 + 0·α + 0·α^2 + 0·α^3, the last four entries of the second column are the coefficients in α^3 = 0·α^0 + 0·α + 0·α^2 + 1·α^3, and so on.

Suppose at most two errors occurred, say in the positions corresponding to x^{a_1} and x^{a_2}, and let η_1 = α^{a_1}, η_2 = α^{a_2} be the corresponding error-location numbers. Then S_1 = η_1 + η_2 and S_3 = η_1^3 + η_2^3 = (η_1 + η_2)(η_1^2 + η_1η_2 + η_2^2) = S_1(S_1^2 + η_1η_2), therefore η_1η_2 = S_1^2 − S_3 S_1^{-1}, hence

$$1 - S_1 \eta_i^{-1} + (S_1^2 - S_3 S_1^{-1})\eta_i^{-2} = 0 \qquad\text{for } i = 1, 2.$$

If two errors occurred, then η_1^{-1} and η_2^{-1} are roots of the polynomial

$$s(x) = 1 - S_1 x + (S_1^2 - S_3 S_1^{-1}) x^2. \qquad (8.4)$$

If only one error occurred, then S_1 = η_1 and S_3 = η_1^3, hence S_3 = S_1^3; thus

$$s(x) = 1 + S_1 x. \qquad (8.5)$$

If no error occurred, then S_1 = S_3 = 0 and the correct code word w has been received. To summarize, we first evaluate the syndrome S(v) = Hv^T of the received vector v, then determine s(x) and find the errors via the roots of s(x). The polynomial in (8.5) has a root in F_16 whenever S_1 ≠ 0. If s(x) in (8.4) has no roots in F_16, then we know that the error e(x) has more than two error locations and therefore cannot be corrected by the given (15, 7) code. More specifically, suppose
v = 100111000000000

is the received word. Then S(v) = (S_1, S_3)^T is given by

$$S_1 = 1 + \alpha^3 + \alpha^4 + \alpha^5 = \alpha^2 + \alpha^3, \qquad S_3 = 1 + \alpha^9 + \alpha^{12} + \alpha^{15} = 1 + \alpha^2.$$

For the polynomial s(x) in (8.4) we obtain

$$s(x) = 1 - (\alpha^2 + \alpha^3)x + \big[(\alpha^2 + \alpha^3)^2 - (1 + \alpha^2)(\alpha^2 + \alpha^3)^{-1}\big]x^2 = 1 + (\alpha^2 + \alpha^3)x + (1 + \alpha + \alpha^3)x^2.$$

We determine the roots of s(x) by trial and error and find α and α^7 as roots. Hence we have η_1^{-1} = α, η_2^{-1} = α^7, thus η_1 = α^14, η_2 = α^8. Therefore, we know that errors must have occurred in the positions corresponding to x^8 and x^14, that is, in the 9th and 15th position of v. The transmitted code word must have been

w = 100111001000001.

The code word w is decoded by dividing the corresponding polynomial by the generator polynomial g. This gives 1 + x^3 + x^5 + x^6 with remainder 0. Hence the original message was 1001011. □

8.44. Definition. Let b be a nonnegative integer and let α ∈ F_{q^m} be a primitive nth root of unity, where m is the multiplicative order of q modulo n. A BCH code over F_q of length n and designed distance d, 2 ≤ d ≤ n, is a cyclic code defined by the roots

$$\alpha^b, \alpha^{b+1}, \ldots, \alpha^{b+d-2}$$

of the generator polynomial.

If m^{(i)}(x) denotes the minimal polynomial of α^i over F_q, then the generator polynomial g(x) of a BCH code is of the form

$$g(x) = \operatorname{lcm}\big(m^{(b)}(x), m^{(b+1)}(x), \ldots, m^{(b+d-2)}(x)\big).$$

Some special cases of the general Definition 8.44 are also important. If b = 1, the corresponding BCH codes are called narrow-sense BCH codes. If n = q^m − 1, the BCH codes are called primitive. If n = q − 1, a BCH code of length n over F_q is called a Reed-Solomon code.
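As an added worked example (not part of the book's text), the following Python code builds the generator polynomial of Definition 8.44 for the code of Example 8.43, obtaining each minimal polynomial m^{(j)}(x) as the product of (x − α^i) over the cyclotomic coset of j and taking the lcm, and then runs the two-error decoding of Example 8.43 with S_1, S_3 and the polynomial s(x) of (8.4)/(8.5) on the received word 100111000000000. The exp/log-table representation of F_16 and all function names are the example's own choices; the values it reproduces (g(x) = 1 + x^4 + x^6 + x^7 + x^8, the corrected word 100111001000001 and the message 1001011) are the ones stated in the text.

```python
# Added example (not from the book): BCH generator polynomial of Definition 8.44
# as an lcm of minimal polynomials, and the two-error decoder of Example 8.43.
# Field F_16 = F_2[x]/(x^4 + x + 1); field elements are ints 0..15 in the basis
# {1, alpha, alpha^2, alpha^3}; polynomials over F_2 are ints (bit i = coeff of x^i).

N = 15                                  # code length 2^4 - 1
PRIM = 0b10011                          # x^4 + x + 1, primitive over F_2
EXP, LOG = [0] * 30, [0] * 16           # exp/log tables for alpha = x
_a = 1
for _i in range(15):
    EXP[_i], LOG[_a] = _a, _i
    _a <<= 1
    if _a & 0x10:
        _a ^= PRIM
EXP[15:] = EXP[:15]                     # EXP[i + j] needs no reduction mod 15

def gf_mul(x, y):
    return 0 if x == 0 or y == 0 else EXP[LOG[x] + LOG[y]]

def gf_inv(x):
    return EXP[(15 - LOG[x]) % 15]

def poly2_mul(p, q):
    """Product of two polynomials over F_2 (carry-less multiplication)."""
    r = 0
    while q:
        if q & 1:
            r ^= p
        p <<= 1
        q >>= 1
    return r

def poly2_divmod(p, q):
    """Long division over F_2; returns (quotient, remainder)."""
    quo, dq = 0, q.bit_length() - 1
    while p and p.bit_length() - 1 >= dq:
        shift = p.bit_length() - 1 - dq
        quo ^= 1 << shift
        p ^= q << shift
    return quo, p

def poly2_eval(p, x):
    """Evaluate a polynomial over F_2 at x in F_16 (Horner's rule)."""
    acc = 0
    for i in range(p.bit_length() - 1, -1, -1):
        acc = gf_mul(acc, x) ^ ((p >> i) & 1)
    return acc

def minimal_poly(j):
    """m^{(j)}(x) = product of (x - alpha^i) over the cyclotomic coset of j mod 15."""
    coset, i = [], j % N
    while i not in coset:
        coset.append(i)
        i = (2 * i) % N
    coeffs = [1]                        # coefficients in F_16, index = degree
    for i in coset:
        root, new = EXP[i], [0] * (len(coeffs) + 1)
        for d, c in enumerate(coeffs):
            new[d + 1] ^= c             # c * x
            new[d] ^= gf_mul(c, root)   # c * alpha^i (minus equals plus in char 2)
        coeffs = new
    return sum(c << d for d, c in enumerate(coeffs))   # every c lies in {0, 1}

def bch_generator(b, d):
    """g(x) = lcm(m^{(b)}, ..., m^{(b+d-2)}): product of the distinct minimal polys."""
    g, seen = 1, set()
    for j in range(b, b + d - 1):
        m = minimal_poly(j)
        if m not in seen:
            seen.add(m)
            g = poly2_mul(g, m)
    return g

def decode_two_errors(v):
    """Example 8.43: correct up to two errors in a word of the (15,7) code
    with g = m^{(1)} m^{(3)}, via S_1, S_3 and the roots of s(x)."""
    S1, S3 = poly2_eval(v, EXP[1]), poly2_eval(v, EXP[3])
    if S1 == 0 and S3 == 0:
        return v                                    # no error
    if S1 == 0:
        raise ValueError("S_1 = 0 but S_3 != 0: more than two errors")
    S1sq = gf_mul(S1, S1)
    if S3 == gf_mul(S1sq, S1):                      # S_3 = S_1^3: one error, (8.5)
        return v ^ (1 << LOG[S1])
    c2 = S1sq ^ gf_mul(S3, gf_inv(S1))              # s(x) = 1 + S_1 x + c2 x^2, (8.4)
    roots = [i for i in range(N)
             if 1 ^ gf_mul(S1, EXP[i]) ^ gf_mul(c2, EXP[2 * i]) == 0]
    if len(roots) != 2:
        raise ValueError("s(x) has no two roots in F_16: more than two errors")
    e = 0
    for i in roots:
        e |= 1 << ((N - i) % N)                     # root alpha^i  <->  eta = alpha^{-i}
    return v ^ e

def bits(word):
    """'100111000000000' (coefficient of x^0 first) -> polynomial as int."""
    return int(word[::-1], 2)
```

Running `decode_two_errors(bits("100111000000000"))` returns the polynomial of 100111001000001, and dividing it by `bch_generator(1, 5)` with `poly2_divmod` gives the message 1001011 with remainder 0, as in the text.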
8.45. Theorem. The minimum distance of a BCH code of designed distance d is at least d.

Proof. The BCH code is contained in the null space of the matrix

$$H = \begin{pmatrix} 1 & \alpha^b & \alpha^{2b} & \cdots & \alpha^{(n-1)b} \\ 1 & \alpha^{b+1} & \alpha^{2(b+1)} & \cdots & \alpha^{(n-1)(b+1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha^{b+d-2} & \alpha^{2(b+d-2)} & \cdots & \alpha^{(n-1)(b+d-2)} \end{pmatrix}.$$

We show that any d − 1 columns of this matrix are linearly independent. Take the determinant of any d − 1 distinct columns of H, then we obtain

$$\det\begin{pmatrix} \alpha^{b i_1} & \alpha^{b i_2} & \cdots & \alpha^{b i_{d-1}} \\ \alpha^{(b+1) i_1} & \alpha^{(b+1) i_2} & \cdots & \alpha^{(b+1) i_{d-1}} \\ \vdots & \vdots & & \vdots \\ \alpha^{(b+d-2) i_1} & \alpha^{(b+d-2) i_2} & \cdots & \alpha^{(b+d-2) i_{d-1}} \end{pmatrix}
= \alpha^{b(i_1 + i_2 + \cdots + i_{d-1})} \det\begin{pmatrix} 1 & 1 & \cdots & 1 \\ \alpha^{i_1} & \alpha^{i_2} & \cdots & \alpha^{i_{d-1}} \\ \vdots & \vdots & & \vdots \\ \alpha^{i_1(d-2)} & \alpha^{i_2(d-2)} & \cdots & \alpha^{i_{d-1}(d-2)} \end{pmatrix}$$

$$= \alpha^{b(i_1 + i_2 + \cdots + i_{d-1})} \prod_{1 \le k < j \le d-1} \big(\alpha^{i_j} - \alpha^{i_k}\big) \ne 0.$$

Therefore the minimum distance of the code is at least d. □
8.46. Example. Let m^{(1)}(x) = x^4 + x + 1 be the minimal polynomial over F_2 of a primitive element α ∈ F_16. We represent the powers α^i, 0 ≤ i ≤ 14, as linear combinations of 1, α, α^2, α^3 and thus obtain a parity-check matrix H of a code equivalent to the (15, 11) Hamming code:

$$H = \begin{pmatrix}
1&0&0&0&1&0&0&1&1&0&1&0&1&1&1 \\
0&1&0&0&1&1&0&1&0&1&1&1&1&0&0 \\
0&0&1&0&0&1&1&0&1&0&1&1&1&1&0 \\
0&0&0&1&0&0&1&1&0&1&0&1&1&1&1
\end{pmatrix},$$

the jth column being the vector of α^{j−1}, j = 1, ..., 15. This code can also be regarded as a narrow-sense BCH code of designed distance d = 3 over F_2 (note that α^2 is also a root of m^{(1)}(x)). Its minimum distance is also 3, and it can therefore correct one error. In order to decode a received vector v ∈ F_2^15, we have to find the syndrome Hv^T. For this cyclic (15, 11) code the syndrome is given as v(α) in the basis {1, α, α^2, α^3}. It is obtained by dividing v(x) by m^{(1)}(x), say v(x) = a(x) m^{(1)}(x) + r(x) with deg(r(x)) < 4, for then v(α) = r(α); that is, the components of the syndrome are equal to the coefficients of r(x). For instance, let

v = 010110001011101,

then r(x) = 1 + x, hence Hv^T = (1100)^T = 1 + α = α^4. Next we have to find the error e with weight w(e) ≤ 1 and having the same syndrome. Thus we must determine the exponent j, 0 ≤ j ≤ 14, such that α^j = Hv^T. In our numerical example j = 4, thus in the received vector v the fifth position is in error and the transmitted word was

w = 010100001011101. □
8.47. Example. Let q = 2, n = 15, and d = 4. Then x^4 + x + 1 is irreducible over F_2 and its roots are primitive elements of F_16. If α is such a root, then α^2 is a root, and α^3 is then a root of x^4 + x^3 + x^2 + x + 1. Thus a narrow-sense BCH code with d = 4 is generated by

$$g(x) = (x^4 + x + 1)(x^4 + x^3 + x^2 + x + 1).$$

This is also a generator for a BCH code with d = 5, since α^4 is a root of x^4 + x + 1. The dimension of this code is 15 − deg(g(x)) = 7. This code was considered in greater detail in Example 8.43. □
BCH codes are very powerful since for any positive integer d we can construct a BCH code of minimum distance ≥ d. To find a BCH code for a larger minimum distance, we have to increase the length n and hence increase the number m, that is, the degree of F_{q^m} over F_q. A BCH code of designed distance d ≥ 2t + 1 will correct t or fewer errors, but at the same time, in order to achieve the desired minimum distance, we must use code words of great length. We describe now a general decoding algorithm for BCH codes. Let us denote by w(x), v(x), and e(x) the transmitted code polynomial, the received polynomial, and the error polynomial, respectively, so that v(x) = w(x) + e(x). First we have to obtain the syndrome of v,

$$S(v) = Hv^T = (S_b, S_{b+1}, \ldots, S_{b+d-2})^T,$$

where

$$S_j = v(\alpha^j) = w(\alpha^j) + e(\alpha^j) = e(\alpha^j) \qquad\text{for } b \le j \le b + d - 2.$$

If r ≥ 1 errors occur, then

$$e(x) = \sum_{i=1}^{r} c_i x^{a_i},$$

where a_1, ..., a_r are distinct elements of {0, 1, ..., n − 1}. The elements η_i = α^{a_i} ∈ F_{q^m} are called error-location numbers, the elements c_i ∈ F_q^* are called error values. Thus we obtain for the syndrome of v

$$S_j = e(\alpha^j) = \sum_{i=1}^{r} c_i \eta_i^j.$$

Because of the computational rules in F_{q^m},

$$\Big[\sum_{i=1}^{r} c_i \eta_i^j\Big]^q = \sum_{i=1}^{r} c_i^q \eta_i^{jq} = \sum_{i=1}^{r} c_i \eta_i^{jq},$$

we have

$$S_{jq} = S_j^q \qquad\text{for } b \le j \le b + d - 2. \qquad (8.6)$$

The unknown quantities are the pairs (η_i, c_i), i = 1, ..., r; the coordinates S_j of the syndrome S(v) are known since they can be calculated from the received vector v. In the binary case any error is completely characterized by the η_i alone, since in this case all c_i are 1. In the next stage of the decoding algorithm we determine the
coefficients σ_i defined by the polynomial identity

$$\prod_{i=1}^{r} (\eta_i - x) = \sigma_r - \sigma_{r-1} x + \cdots + (-1)^r \sigma_0 x^r.$$

Thus σ_0 = 1 and σ_1, ..., σ_r are the elementary symmetric polynomials in η_1, ..., η_r. Substituting η_i for x gives

$$(-1)^r \sigma_r + (-1)^{r-1} \sigma_{r-1} \eta_i + \cdots + (-1)\sigma_1 \eta_i^{r-1} + \eta_i^r = 0 \qquad\text{for } i = 1, \ldots, r.$$

Multiplying by c_i η_i^j and summing these equations for i = 1, ..., r yields

$$(-1)^r \sigma_r S_j + (-1)^{r-1} \sigma_{r-1} S_{j+1} + \cdots + (-1)\sigma_1 S_{j+r-1} + S_{j+r} = 0 \qquad\text{for } j = b, b+1, \ldots, b+r-1.$$

8.48. Lemma. The system of equations

$$\sum_{i=1}^{r} c_i \eta_i^j = S_j, \qquad j = b, b+1, \ldots, b+r-1,$$

in the unknowns c_i is solvable if the η_i are distinct elements of F_{q^m}^*.

Proof. The determinant of the system is

$$\det\begin{pmatrix} \eta_1^b & \eta_2^b & \cdots & \eta_r^b \\ \eta_1^{b+1} & \eta_2^{b+1} & \cdots & \eta_r^{b+1} \\ \vdots & \vdots & & \vdots \\ \eta_1^{b+r-1} & \eta_2^{b+r-1} & \cdots & \eta_r^{b+r-1} \end{pmatrix} = (\eta_1 \eta_2 \cdots \eta_r)^b \prod_{1 \le k < j \le r} (\eta_j - \eta_k) \ne 0,$$

a Vandermonde determinant times a nonzero factor. □

8.49. Lemma. The system of equations

$$(-1)^r \sigma_r S_j + (-1)^{r-1} \sigma_{r-1} S_{j+1} + \cdots + (-1)\sigma_1 S_{j+r-1} + S_{j+r} = 0, \qquad j = b, b+1, \ldots, b+r-1,$$

in the unknowns σ_i, i = 1, 2, ..., r, is solvable uniquely if and only if r errors occur.

Proof. The matrix of the system can be decomposed as follows:

$$\begin{pmatrix} S_b & S_{b+1} & \cdots & S_{b+r-1} \\ S_{b+1} & S_{b+2} & \cdots & S_{b+r} \\ \vdots & \vdots & & \vdots \\ S_{b+r-1} & S_{b+r} & \cdots & S_{b+2r-2} \end{pmatrix} = V D V^T,$$

where

$$V = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ \eta_1 & \eta_2 & \cdots & \eta_r \\ \vdots & \vdots & & \vdots \\ \eta_1^{r-1} & \eta_2^{r-1} & \cdots & \eta_r^{r-1} \end{pmatrix}
\qquad\text{and}\qquad
D = \begin{pmatrix} c_1 \eta_1^b & 0 & \cdots & 0 \\ 0 & c_2 \eta_2^b & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & c_r \eta_r^b \end{pmatrix}.$$

The matrix of the given system of equations is nonsingular if and only if V and D are nonsingular. V as a Vandermonde matrix is nonsingular if and only if the η_i, i = 1, ..., r, are distinct, and D is nonsingular if and only if all the η_i and c_i are nonzero. Both conditions are satisfied if and only if r errors occur. □
We introduce the error-locator polynomial that is closely related to the considerations above:

$$s(x) = \prod_{i=1}^{r} (1 - \eta_i x) = \sum_{i=0}^{r} (-1)^i \sigma_i x^i,$$

where the σ_i are as above. The roots of s(x) are η_1^{-1}, η_2^{-1}, ..., η_r^{-1}. In order to find these roots, we can use a search method due to Chien. First we want to know if α^{n−1} is an error-location number, that is, if α = α^{−(n−1)} is a root of s(x). To test this we form

$$-\sigma_1 \alpha + \sigma_2 \alpha^2 - \cdots + (-1)^r \sigma_r \alpha^r.$$

If this is equal to −1, then α^{n−1} is an error-location number since then s(α) = 0. More generally, α^{n−m} is tested for m = 1, 2, ..., n in the same way. In the binary case, the discovery of error locations is equivalent to correcting errors. We summarize the BCH decoding algorithm, writing now τ_i for (−1)^i σ_i.
8.50. BCH Decoding. Suppose at most t errors occur in transmitting a code word w, using a BCH code of designed distance d ≥ 2t + 1.

Step 1. Determine the syndrome of the received word v,

$$S(v) = (S_b, S_{b+1}, \ldots, S_{b+d-2})^T.$$

Let

$$S_j = \sum_{i=1}^{r} c_i \eta_i^j, \qquad b \le j \le b + d - 2.$$

Step 2. Determine the maximum number r ≤ t such that the system of equations

$$S_{j+r} + S_{j+r-1}\tau_1 + \cdots + S_j \tau_r = 0, \qquad b \le j \le b + r - 1,$$

in the τ_i has a nonsingular coefficient matrix, thus obtaining the number r of errors that have occurred. Then set up the error-locator polynomial

$$s(x) = \prod_{i=1}^{r} (1 - \eta_i x) = \sum_{i=0}^{r} \tau_i x^i.$$

Find the coefficients τ_i from the S_j.

Step 3. Solve s(x) = 0 by substituting the powers of α into s(x). Thus find the error-location numbers η_i (Chien search).

Step 4. Introduce the η_i in the first r equations of Step 1 to
determine the error values c_i. Then find the transmitted word w from w(x) = v(x) − e(x).

8.51. Remark. We note that the difficult step in this algorithm is Step 2. There are various methods to perform this step; one possibility is to use the Berlekamp-Massey algorithm of Chapter 6 to determine the unknown coefficients τ_i in the linear recurrence relation for the S_j. □

8.52. Example. Consider a BCH code with designed distance d = 5 that is able to correct any single or double error. In this case, let b = 1, n = 15, q = 2. If m^{(i)}(x) denotes the minimal polynomial of α^i over F_2, where the primitive element α ∈ F_16 is a root of x^4 + x + 1, then

$$m^{(1)}(x) = m^{(2)}(x) = m^{(4)}(x) = m^{(8)}(x) = 1 + x + x^4,$$
$$m^{(3)}(x) = m^{(6)}(x) = m^{(12)}(x) = m^{(9)}(x) = 1 + x + x^2 + x^3 + x^4.$$

Therefore a generator polynomial of the BCH code will be

$$g(x) = m^{(1)}(x)\, m^{(3)}(x) = 1 + x^4 + x^6 + x^7 + x^8.$$

The code is a (15, 7) code, with parity-check polynomial

$$h(x) = (x^{15} - 1)/g(x) = 1 + x^4 + x^6 + x^7.$$

We take the vectors corresponding to g(x), xg(x), x^2 g(x), x^3 g(x), x^4 g(x), x^5 g(x), x^6 g(x)
as the basis of the (15, 7) BCH code and obtain the generator matrix

$$G = \begin{pmatrix}
1&0&0&0&1&0&1&1&1&0&0&0&0&0&0 \\
0&1&0&0&0&1&0&1&1&1&0&0&0&0&0 \\
0&0&1&0&0&0&1&0&1&1&1&0&0&0&0 \\
0&0&0&1&0&0&0&1&0&1&1&1&0&0&0 \\
0&0&0&0&1&0&0&0&1&0&1&1&1&0&0 \\
0&0&0&0&0&1&0&0&0&1&0&1&1&1&0 \\
0&0&0&0&0&0&1&0&0&0&1&0&1&1&1
\end{pmatrix}.$$

Suppose now that the received word v is

100100110000100,

or as a polynomial,

$$v(x) = 1 + x^3 + x^6 + x^7 + x^{12}.$$

We calculate the syndrome according to Step 1, using (8.6) to simplify the work:

$$S_1 = v(\alpha) = 1, \qquad S_2 = v(\alpha^2) = S_1^2 = 1, \qquad S_3 = v(\alpha^3) = \alpha^4, \qquad S_4 = v(\alpha^4) = S_2^2 = 1.$$

The largest possible system of linear equations in the unknowns τ_i (Step 2) is then of the form

$$S_2 \tau_1 + S_1 \tau_2 = S_3, \qquad S_3 \tau_1 + S_2 \tau_2 = S_4,$$

or

$$\tau_1 + \tau_2 = \alpha^4, \qquad \alpha^4 \tau_1 + \tau_2 = 1.$$

This system clearly has a nonsingular coefficient matrix. Therefore two errors must have occurred, that is, r = 2. We solve this system of equations and obtain τ_1 = 1, τ_2 = α. Substituting these values into s(x) and recalling τ_0 = 1 gives

$$s(x) = 1 + x + \alpha x^2.$$

As roots in F_16 we find η_1^{-1} = α^8, η_2^{-1} = α^6, hence η_1 = α^7, η_2 = α^9. Therefore, we know that errors must have occurred in positions 8 and 10 of the code word. We correct these errors in the received polynomial and obtain

$$w(x) = v(x) - e(x) = (1 + x^3 + x^6 + x^7 + x^{12}) - (x^7 + x^9) = 1 + x^3 + x^6 + x^9 + x^{12}.$$

The corresponding code word is

100100100100100.

The initial message can be recovered by dividing the corrected polynomial, that is, the transmitted code polynomial w(x), by g(x). This gives w(x)/g(x) = 1 + x^3 + x^4, which yields the corresponding message word 1001100. □
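The steps of 8.50 can be followed in code. The Python below is an added example, not from the book: it computes the syndromes S_1, ..., S_4 of Example 8.52, determines r in Step 2 by testing whether the 2 × 2 coefficient matrix of the τ-system is nonsingular (falling back to the r = 1 system, and to r = 0 when all syndromes vanish), solves for τ_1, τ_2 by Cramer's rule, and locates the errors with the Chien search of Step 3. Table-based F_16 arithmetic and the function names are the example's own; it assumes t = 2 and b = 1 as in the example, and the binary case, where Step 4 is trivial since every error value is 1.

```python
# Added example (not from the book): BCH decoding procedure 8.50 applied to the
# received word of Example 8.52.  Code: binary narrow-sense BCH, n = 15, b = 1,
# d = 5 (so t = 2), over F_16 = F_2[x]/(x^4 + x + 1).  Binary words are ints
# (bit i = coefficient of x^i); field elements are ints 0..15.

N, T, B = 15, 2, 1
PRIM = 0b10011
EXP, LOG = [0] * 30, [0] * 16
_a = 1
for _i in range(15):
    EXP[_i], LOG[_a] = _a, _i
    _a <<= 1
    if _a & 0x10:
        _a ^= PRIM
EXP[15:] = EXP[:15]

def mul(x, y):
    return 0 if x == 0 or y == 0 else EXP[LOG[x] + LOG[y]]

def inv(x):
    return EXP[(15 - LOG[x]) % 15]

def evaluate(v, x):
    """v(x) for a binary polynomial v and x in F_16 (Horner's rule)."""
    acc = 0
    for i in range(v.bit_length() - 1, -1, -1):
        acc = mul(acc, x) ^ ((v >> i) & 1)
    return acc

def syndromes(v):
    """Step 1: S_j = v(alpha^j) for b <= j <= b + d - 2, here S_1, ..., S_4."""
    return {j: evaluate(v, EXP[j]) for j in range(B, B + 2 * T)}

def locator_coeffs(S):
    """Step 2 for t = 2: take the largest r whose system
    S_{j+r} + S_{j+r-1} tau_1 + ... + S_j tau_r = 0 (b <= j <= b+r-1) is
    nonsingular and solve it; returns [tau_0, ..., tau_r] with tau_0 = 1."""
    # r = 2:  (S_2 S_1; S_3 S_2)(tau_1, tau_2)^T = (S_3, S_4)^T  (char 2: -x = x)
    m = [[S[B + 1], S[B]], [S[B + 2], S[B + 1]]]
    rhs = (S[B + 2], S[B + 3])
    det = mul(m[0][0], m[1][1]) ^ mul(m[0][1], m[1][0])
    if det != 0:
        dinv = inv(det)                             # Cramer's rule
        tau1 = mul(dinv, mul(rhs[0], m[1][1]) ^ mul(m[0][1], rhs[1]))
        tau2 = mul(dinv, mul(m[0][0], rhs[1]) ^ mul(rhs[0], m[1][0]))
        return [1, tau1, tau2]
    if S[B] != 0:                                   # r = 1:  S_2 + S_1 tau_1 = 0
        return [1, mul(S[B + 1], inv(S[B]))]
    return [1]                                      # r = 0: no error

def chien_search(tau):
    """Step 3: substitute alpha^i, i = 0..n-1, into s(x) = sum tau_i x^i;
    a root alpha^i gives the error-location number eta = alpha^{-i}."""
    positions = []
    for i in range(N):
        x, acc, xp = EXP[i], 0, 1
        for c in tau:
            acc ^= mul(c, xp)
            xp = mul(xp, x)
        if acc == 0:
            positions.append((N - i) % N)           # exponent a with alpha^a = eta
    return positions

def decode(v):
    """Steps 1 to 4 for the binary case, where every error value c_i is 1."""
    tau = locator_coeffs(syndromes(v))
    positions = chien_search(tau)
    if len(positions) != len(tau) - 1:
        raise ValueError("s(x) does not split over F_16: more than t errors")
    e = 0
    for pos in positions:
        e |= 1 << pos
    return v ^ e

def bits(word):
    """'100100110000100' (coefficient of x^0 first) -> polynomial as int."""
    return int(word[::-1], 2)
```

For the word of the example, `locator_coeffs` returns τ_1 = 1, τ_2 = α and `chien_search` reports the positions 8 and 10 (exponents 7 and 9), so `decode` returns the code word 100100100100100 found in the text.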
3. GOPPA CODES
We generalize the narrow-sense BCH codes introduced in Section 2 to obtain an important class of linear codes which still allow an efficient decoding algorithm and which are also useful for applications in cryptography (see Chapter 9, Section 4). These codes meet the Gilbert-Varshamov bound in Theorem 8.27 at least asymptotically. To motivate the definition of this class of codes, we first go back to narrow-sense BCH codes and present another characterization of their code words. We recall that narrow-sense BCH codes correspond to the special case b = 1 of Definition 8.44. A narrow-sense BCH code over F_q of length n and designed distance d is thus the cyclic code defined by the roots α, α^2, ..., α^{d−1} of the generator polynomial, where α ∈ F_{q^m} is a primitive nth root of unity. We characterize the code words of this code by using an identity in the polynomial ring F_{q^m}[x].

8.53. Lemma. (c_0, c_1, ..., c_{n−1}) ∈ F_q^n is a code word of the narrow-sense BCH code over F_q defined by the roots α, α^2, ..., α^{d−1} of the generator polynomial if and only if

$$\sum_{i=0}^{n-1} c_i \,\frac{\alpha^{i(d-1)} x^{d-1} - 1}{x - \alpha^{-i}} = 0. \qquad (8.7)$$

Proof. By definition, (c_0, c_1, ..., c_{n−1}) is a code word of the given code if and only if

$$\sum_{i=0}^{n-1} c_i \alpha^{ij} = 0 \qquad\text{for } 1 \le j \le d - 1.$$

On the other hand, we have

$$\frac{\alpha^{i(d-1)} x^{d-1} - 1}{x - \alpha^{-i}} = \alpha^{i(d-1)} \sum_{j=0}^{d-2} \alpha^{-i(d-2-j)} x^j = \sum_{j=1}^{d-1} \alpha^{ij} x^{j-1},$$

and so

$$\sum_{i=0}^{n-1} c_i \,\frac{\alpha^{i(d-1)} x^{d-1} - 1}{x - \alpha^{-i}} = \sum_{j=1}^{d-1} \Big( \sum_{i=0}^{n-1} c_i \alpha^{ij} \Big) x^{j-1},$$

and so (c_0, c_1, ..., c_{n−1}) is a code word if and only if the identity (8.7) holds. □

This result provides the motivation for the following definition of Goppa codes over F_q.
8.54. Definition. Let g(x) be a polynomial of degree t, 1 ≤ t < n, over an extension F_{q^m} of F_q and let L = {γ_0, γ_1, ..., γ_{n−1}} be a set of n distinct elements of F_{q^m} such that g(γ_i) ≠ 0 for 0 ≤ i ≤ n − 1. The Goppa code Γ(L, g) over F_q with Goppa polynomial g(x) is the set of all (c_0, c_1, ..., c_{n−1}) ∈ F_q^n such that the identity

$$\sum_{i=0}^{n-1} c_i \,\frac{g(x) - g(\gamma_i)}{x - \gamma_i}\, g(\gamma_i)^{-1} = 0 \qquad (8.8)$$

holds in the polynomial ring F_{q^m}[x]. If g(x) is irreducible over F_{q^m}, then Γ(L, g) is called an irreducible Goppa code.

8.55. Example. If g(x) = x^{d−1} and L = {α^{−i} : i = 0, 1, ..., n − 1}, where α ∈ F_{q^m} is a primitive nth root of unity, then Γ(L, g) is a narrow-sense BCH code over F_q of length n and designed distance d. □

It is clear that Γ(L, g) is a linear code, since the condition (8.8) defines a subspace of the vector space F_q^n. We want to find a matrix such that the intersection of its null space with F_q^n is equal to Γ(L, g). If

$$g(x) = \sum_{j=0}^{t} g_j x^j,$$

then

$$\frac{g(x) - g(\gamma)}{x - \gamma} = \sum_{j=1}^{t} g_j \,\frac{x^j - \gamma^j}{x - \gamma} = \sum_{j=1}^{t} g_j \sum_{l=0}^{j-1} x^{j-1-l} \gamma^l = \sum_{j=0}^{t-1} \Big( \sum_{l=j+1}^{t} g_l \gamma^{l-1-j} \Big) x^j.$$

Putting h_i = g(γ_i)^{−1} for 0 ≤ i ≤ n − 1, it follows that (c_0, c_1, ..., c_{n−1}) ∈ F_q^n satisfies (8.8) if and only if

$$\sum_{i=0}^{n-1} c_i h_i \sum_{l=j+1}^{t} g_l \gamma_i^{l-1-j} = 0 \qquad\text{for } 0 \le j \le t - 1.$$

Therefore Γ(L, g) is the intersection of F_q^n with the null space of the matrix

$$\begin{pmatrix} h_0 g_t & \cdots & h_{n-1} g_t \\ h_0 (g_{t-1} + g_t \gamma_0) & \cdots & h_{n-1} (g_{t-1} + g_t \gamma_{n-1}) \\ \vdots & & \vdots \\ h_0 \sum_{l=1}^{t} g_l \gamma_0^{l-1} & \cdots & h_{n-1} \sum_{l=1}^{t} g_l \gamma_{n-1}^{l-1} \end{pmatrix}.$$

Since g_t ≠ 0, we can use row operations to transform this into the matrix

$$H = \begin{pmatrix} g(\gamma_0)^{-1} & g(\gamma_1)^{-1} & \cdots & g(\gamma_{n-1})^{-1} \\ g(\gamma_0)^{-1} \gamma_0 & g(\gamma_1)^{-1} \gamma_1 & \cdots & g(\gamma_{n-1})^{-1} \gamma_{n-1} \\ \vdots & \vdots & & \vdots \\ g(\gamma_0)^{-1} \gamma_0^{t-1} & g(\gamma_1)^{-1} \gamma_1^{t-1} & \cdots & g(\gamma_{n-1})^{-1} \gamma_{n-1}^{t-1} \end{pmatrix} \qquad (8.9)$$

for which the intersection of its null space with F_q^n is again Γ(L, g). The entries of H are elements of F_{q^m}. Each element of F_{q^m} has a unique representation in a fixed basis of F_{q^m} over F_q. A matrix H' with entries in F_q having Γ(L, g) as its null space can thus be obtained by replacing each entry of H by the column vector over F_q of length m that we get from the coefficients in that representation.

8.56. Theorem. The dimension of the Goppa code Γ(L, g) is at least n − mt and its minimum distance is at least t + 1.

Proof. The matrix H' described above is an mt × n matrix with entries in F_q. Since Γ(L, g) is the null space of H', the dimension of Γ(L, g) is at least n − mt. For the second part consider the determinant of any t distinct columns of the matrix H in (8.9). After taking out obvious constant factors, such a determinant reduces to a Vandermonde determinant which is nonzero in view of the condition that the elements γ_0, γ_1, ..., γ_{n−1} are distinct. Therefore any t columns of H are linearly independent, and so the minimum distance of Γ(L, g) is at least t + 1. □
In most applications one works with binary Goppa codes, that is, Goppa codes over F_2. In this case the following improvement on the lower bound of the minimum distance can be obtained.

8.57. Theorem. For a binary Goppa code whose Goppa polynomial has no multiple roots, the minimum distance is at least 2t + 1.

Proof. If c = (c_0, c_1, ..., c_{n−1}) ≠ 0 is a code word of weight w in the binary Goppa code Γ(L, g), then c_{i_1} = c_{i_2} = ... = c_{i_w} = 1 with 0 ≤ i_1 < i_2 < ... < i_w ≤ n − 1 and all other c_i = 0. If L = {γ_0, γ_1, ..., γ_{n−1}} ⊆ F_{2^m}, define

$$f(x) = \prod_{j=1}^{w} (x - \gamma_{i_j}) \in \mathbb{F}_{2^m}[x].$$

From (8.8) we obtain

$$0 = f(x) \sum_{j=1}^{w} g(\gamma_{i_j})^{-1} \,\frac{g(x) - g(\gamma_{i_j})}{x - \gamma_{i_j}} = \sum_{j=1}^{w} g(\gamma_{i_j})^{-1} \big( g(x) - g(\gamma_{i_j}) \big) \prod_{h=1,\, h \ne j}^{w} (x - \gamma_{i_h}).$$

Considering the last polynomial modulo g(x), we get

$$0 \equiv -\sum_{j=1}^{w} \prod_{h=1,\, h \ne j}^{w} (x - \gamma_{i_h}) = -f'(x) \bmod g(x),$$

and so g(x) divides the derivative f'(x). Since we are working in characteristic 2, f'(x) contains only even powers and is thus the square of a polynomial in F_{2^m}[x]; as g(x) has no multiple roots, g(x)^2 must then divide f'(x). Hence 2t ≤ deg(f'(x)) ≤ w − 1, and so any nonzero code word has weight at least 2t + 1. □
8.58. Example. We describe the binary irreducible Goppa code Γ(L, g) with Goppa polynomial g(x) = x^2 + x + 1 and L = F_8 = {0, 1, ζ, ..., ζ^6}, where ζ is a primitive element of F_8 satisfying ζ^3 + ζ + 1 = 0. From Theorems 8.56 and 8.57 we get the following information on the parameters of this code: length n = 8, dimension k ≥ n − mt = 2, and minimum distance d ≥ 2t + 1 = 5. Furthermore, Γ(L, g) is the intersection of F_2^8 with the null space of the matrix

$$H = \begin{pmatrix} g(0)^{-1} & g(1)^{-1} & g(\zeta)^{-1} & \cdots & g(\zeta^6)^{-1} \\ 0 & g(1)^{-1} & g(\zeta)^{-1}\zeta & \cdots & g(\zeta^6)^{-1}\zeta^6 \end{pmatrix} = \begin{pmatrix} 1 & 1 & \zeta^2 & \zeta^4 & \zeta^2 & \zeta & \zeta & \zeta^4 \\ 0 & 1 & \zeta^3 & \zeta^6 & \zeta^5 & \zeta^5 & \zeta^6 & \zeta^3 \end{pmatrix}$$

obtained from (8.9). Using the basis {1, ζ, ζ^2} of F_8 over F_2 we get the corresponding binary matrix

$$H' = \begin{pmatrix}
1&1&0&0&0&0&0&0 \\
0&0&0&1&0&1&1&1 \\
0&0&1&1&1&0&0&1 \\
0&1&1&1&1&1&1&1 \\
0&0&1&0&1&1&0&1 \\
0&0&0&1&1&1&1&0
\end{pmatrix}$$

having Γ(L, g) as its null space. Since H' has rank 6, we have k = 2, and H' is a parity-check matrix of Γ(L, g). The linear (8, 2) code Γ(L, g) consists of the following four code words:

00000000, 11001011, 00111111, 11110100.

Thus it has minimum distance d = 5. A generator matrix of this code is

$$G = \begin{pmatrix} 1&1&0&0&1&0&1&1 \\ 0&0&1&1&1&1&1&1 \end{pmatrix}.$$
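The construction of Example 8.58 can be reproduced mechanically. The Python below is an added example (not the book's own code): it builds the matrix H of (8.9) over F_8, expands it to the binary matrix H' in the basis {1, ζ, ζ^2}, computes the null space of H' and checks the dimension and minimum distance against the bounds of Theorems 8.56 and 8.57. Because F_2^8 has only 256 words, the null space is found by exhaustive search rather than Gaussian elimination; the exp/log tables for F_8 and all names are the example's own. This parity-check matrix is exactly the object that the cryptographic applications mentioned at the start of this section are built on, so seeing it derived explicitly is worthwhile for a practitioner.

```python
# Added example (not from the book): the Goppa code of Example 8.58 built from
# the matrix H of (8.9).  Field F_8 = F_2[x]/(x^3 + x + 1) with zeta = x;
# elements are ints 0..7 (bit i = coefficient of zeta^i).

M, PRIM = 3, 0b1011
Q = 1 << M                                     # field size 8
EXP, LOG = [0] * (2 * (Q - 1)), [0] * Q
_a = 1
for _i in range(Q - 1):
    EXP[_i], LOG[_a] = _a, _i
    _a <<= 1
    if _a & Q:
        _a ^= PRIM
EXP[Q - 1:] = EXP[:Q - 1]

def mul(x, y):
    return 0 if x == 0 or y == 0 else EXP[LOG[x] + LOG[y]]

def inv(x):
    return EXP[(Q - 1 - LOG[x]) % (Q - 1)]

def goppa_eval(g, x):
    """g(x) for g given as a list of F_8 coefficients (index = degree)."""
    acc = 0
    for c in reversed(g):
        acc = mul(acc, x) ^ c
    return acc

def parity_check_over_field(g, L):
    """Matrix (8.9): entry (j, i) is g(gamma_i)^{-1} gamma_i^j for 0 <= j < t."""
    t, H = len(g) - 1, []
    for j in range(t):
        row = []
        for gamma in L:
            h = inv(goppa_eval(g, gamma))
            for _ in range(j):
                h = mul(h, gamma)
            row.append(h)
        H.append(row)
    return H

def to_binary(H):
    """H': each F_8 entry becomes its m coordinates in the basis {1, zeta, zeta^2}."""
    return [[(e >> bit) & 1 for e in row] for row in H for bit in range(M)]

def null_space_gf2(Hb, n):
    """All c in F_2^n with Hb c^T = 0, as coefficient lists [c_0, ..., c_{n-1}].
    Exhaustive search over the 2^n words is fine for n = 8."""
    words = []
    for c in range(1 << n):
        vec = [(c >> i) & 1 for i in range(n)]
        if all(sum(r[i] & vec[i] for i in range(n)) % 2 == 0 for r in Hb):
            words.append(vec)
    return words

def min_distance(words):
    """Minimum weight of a nonzero word, i.e. the minimum distance of a linear code."""
    return min(sum(w) for w in words if any(w))

# constructed data of Example 8.58
G_POLY = [1, 1, 1]                                  # g(x) = x^2 + x + 1
L = [0] + [EXP[i] for i in range(Q - 1)]            # {0, 1, zeta, ..., zeta^6}
H_FIELD = parity_check_over_field(G_POLY, L)        # 2 x 8 over F_8
H_BIN = to_binary(H_FIELD)                          # 6 x 8 over F_2
CODE = null_space_gf2(H_BIN, len(L))                # the four code words
```

`H_FIELD` comes out as the two rows (1, 1, ζ^2, ζ^4, ζ^2, ζ, ζ, ζ^4) and (0, 1, ζ^3, ζ^6, ζ^5, ζ^5, ζ^6, ζ^3) in integer form, `CODE` has the four words listed in the example, and `min_distance(CODE)` is 5, which meets the bound 2t + 1 of Theorem 8.57 with equality.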
We discuss now a decoding algorithm for Goppa codes. We note that if this algorithm is applied in the special case of a narrow-sense BCH code, then it yields an algorithm that is different from the BCH decoding algorithm described in Section 2. Let Γ(L, g) be a Goppa code over F_q with Goppa polynomial g(x) of degree t ≥ 2. We suppose for simplicity that L ⊆ F_{q^m}^*, that is, γ_i ≠ 0 for 0 ≤ i ≤ n − 1. By Example 8.55, this condition is in particular satisfied for narrow-sense BCH codes. It follows from Theorems 8.11 and 8.56 that Γ(L, g) can correct up to ⌊t/2⌋ errors. To correct errors, we take the received word v and the matrix H in (8.9) and calculate the syndrome

$$S(v) = Hv^T = (S_0, S_1, \ldots, S_{t-1})^T. \qquad (8.10)$$

If S(v) = 0, then v is a code word and no error correction is needed. If S(v) ≠ 0, we assume that r errors have occurred, where 1 ≤ r ≤ ⌊t/2⌋. Let the distinct elements a_1, ..., a_r of {0, 1, ..., n − 1} denote the error locations and let c_1, ..., c_r ∈ F_q^* be the corresponding error values. We define the error-location numbers η_i = γ_{a_i} ∈ F_{q^m}^* for 1 ≤ i ≤ r. Decoding means determining the pairs (η_i, c_i), 1 ≤ i ≤ r, given the components S_j, 0 ≤ j ≤ t − 1, of the syndrome. From (8.10) we get

$$S_j = \sum_{i=1}^{r} c_i g(\eta_i)^{-1} \eta_i^j \qquad\text{for } 0 \le j \le t - 1.$$

With these S_j we set up the syndrome polynomial

$$f(x) = \sum_{j=0}^{t-1} S_j x^j.$$

Furthermore, we need the error-locator polynomial

$$s(x) = \prod_{i=1}^{r} (1 - \eta_i x)$$

and the error-evaluator polynomial

$$u(x) = \sum_{i=1}^{r} c_i g(\eta_i)^{-1} \prod_{h=1,\, h \ne i}^{r} (1 - \eta_h x).$$

As usual, an empty product is identified with the constant 1. We note that u(x) and s(x) are relatively prime since

$$u(\eta_i^{-1}) = c_i g(\eta_i)^{-1} \prod_{h=1,\, h \ne i}^{r} (1 - \eta_h \eta_i^{-1}) \ne 0 \qquad\text{for } 1 \le i \le r. \qquad (8.11)$$

8.59. Lemma. The congruence

$$u(x) \equiv s(x) f(x) \bmod x^t$$

holds in the ring of polynomials over F_{q^m}.

Proof. Since s(0) = 1, s(x) has a multiplicative inverse in the ring of formal power series over F_{q^m} by Theorem 6.17. Then

$$\frac{u(x)}{s(x)} = \sum_{i=1}^{r} \frac{c_i g(\eta_i)^{-1}}{1 - \eta_i x} = \sum_{i=1}^{r} c_i g(\eta_i)^{-1} \sum_{j=0}^{\infty} \eta_i^j x^j = \sum_{j=0}^{\infty} \Big( \sum_{i=1}^{r} c_i g(\eta_i)^{-1} \eta_i^j \Big) x^j = f(x) + x^t B(x)$$

for some B(x) ∈ F_{q^m}[[x]], and so

$$u(x) = s(x) f(x) + x^t B_1(x)$$

for some B_1(x) ∈ F_{q^m}[[x]]. A comparison of terms of sufficiently large degrees shows that B_1(x) is actually a polynomial, and this yields the desired congruence. □

The congruence in Lemma 8.59 can be solved by using the Euclidean algorithm (see p. 22) with the polynomials r_{−1}(x) = x^t and r_0(x) = f(x). This algorithm yields
$$r_{h-1}(x) = q_{h+1}(x)\, r_h(x) + r_{h+1}(x), \qquad \deg(r_{h+1}(x)) < \deg(r_h(x)), \qquad\text{for } h = 0, 1, \ldots, s - 1,$$
$$r_{s-1}(x) = q_{s+1}(x)\, r_s(x).$$

We define recursively the polynomials

$$z_{-1}(x) = 0, \qquad z_0(x) = 1, \qquad z_h(x) = z_{h-2}(x) - q_h(x)\, z_{h-1}(x) \quad\text{for } h = 1, 2, \ldots, s.$$

The following properties are shown by straightforward induction:

$$r_h(x) \equiv z_h(x) f(x) \bmod x^t \qquad\text{for } h = -1, 0, \ldots, s, \qquad (8.12)$$
$$\deg(z_h(x)) = t - \deg(r_{h-1}(x)) \qquad\text{for } h = 0, 1, \ldots, s. \qquad (8.13)$$
The polynomials s(x) and u(x) are now determined by the following result.

8.60. Lemma. The error-locator polynomial s(x) and the error-evaluator polynomial u(x) are given by

$$s(x) = z_b(0)^{-1} z_b(x), \qquad u(x) = z_b(0)^{-1} r_b(x),$$

where b is the least index such that deg(r_b(x)) < t/2.

Proof. We have deg(s(x)) = r and deg(u(x)) ≤ r − 1. If d(x) = gcd(r_{−1}(x), r_0(x)), then d(x) divides u(x) by Lemma 8.59 and so deg(r_s(x)) = deg(d(x)) ≤ deg(u(x)). It follows that there exists an index h, 0 ≤ h ≤ s, such that

$$\deg(r_h(x)) \le \deg(u(x)), \qquad \deg(r_{h-1}(x)) > \deg(u(x)).$$

From (8.13) we obtain

$$\deg(z_h(x)) = t - \deg(r_{h-1}(x)) \le t - \deg(u(x)) - 1.$$

Lemma 8.59 and (8.12) yield

$$u(x) \equiv s(x) f(x) \bmod x^t, \qquad r_h(x) \equiv z_h(x) f(x) \bmod x^t,$$

hence

$$u(x) z_h(x) \equiv r_h(x) s(x) \bmod x^t.$$

The polynomial on the left-hand side has degree ≤ t − 1, and the one on the right-hand side has degree ≤ deg(u(x)) + r ≤ 2r − 1 ≤ 2⌊t/2⌋ − 1 ≤ t − 1. Thus we have in fact the identity

$$u(x) z_h(x) = r_h(x) s(x). \qquad (8.14)$$

Consequently, u(x) divides r_h(x)s(x), and since u(x) and s(x) are relatively prime, u(x) divides r_h(x). But 0 ≤ deg(r_h(x)) ≤ deg(u(x)), hence u(x) = β r_h(x) for some β ∈ F_{q^m}^*. It follows then from (8.14) that s(x) = β z_h(x), and from s(0) = 1 we get β = z_h(0)^{-1}. It remains to show that h = b. Since deg(r_h(x)) = deg(u(x)) < t/2, it is clear that h ≥ b. If we had h > b, then deg(r_{h−1}(x)) ≤ deg(r_b(x)) < t/2, and so by (8.13),

$$\lfloor t/2 \rfloor \ge \deg(s(x)) = \deg(z_h(x)) = t - \deg(r_{h-1}(x)) > t/2,$$

a contradiction. □
We may summarize this decoding algorithm for Goppa codes in the following way.

8.61. Decoding of Goppa Codes. Suppose at most ⌊t/2⌋ errors occur in transmitting a code word w, using a Goppa code Γ(L, g) over F_q with Goppa polynomial of degree t ≥ 2 and L ⊆ F_{q^m}^*.

Step 1. Determine the syndrome S(v) = (S_0, S_1, ..., S_{t−1})^T of the received word v by (8.10) and set up the syndrome polynomial

$$f(x) = \sum_{j=0}^{t-1} S_j x^j.$$

If f(x) = 0, no errors have occurred, so w = v. If f(x) ≠ 0, proceed to Step 2.

Step 2. Carry out the Euclidean algorithm with r_{−1}(x) = x^t and r_0(x) = f(x) and stop as soon as deg(r_h(x)) < t/2. Put

$$s(x) = z_h(0)^{-1} z_h(x), \qquad u(x) = z_h(0)^{-1} r_h(x).$$

Step 3. Determine the error-location numbers η_i as the multiplicative inverses of the roots of s(x).

Step 4. Determine the error values c_i from (8.11), that is,

$$c_i = u(\eta_i^{-1})\, g(\eta_i) \prod_{h=1,\, h \ne i}^{r} (1 - \eta_h \eta_i^{-1})^{-1}.$$

Subtract c_i from the component of v indicated by the error-location number η_i to obtain the transmitted word w.

8.62. Example. We solve the decoding problem in Example 8.52 by the decoding algorithm for Goppa codes. According to Example 8.55, the narrow-sense BCH code in Example 8.52 is equal to the binary Goppa code Γ(L, g) with g(x) = x^4 and L = {γ_0, γ_1, ..., γ_14}, where γ_i = α^{−i} for 0 ≤ i ≤ 14 and α ∈ F_16
is a root of x^4 + x + 1. Let the received word v be

100100110000100.

Using the 4 × 15 matrix H obtained from (8.9), we get the syndrome

$$S(v) = Hv^T = (S_0, S_1, S_2, S_3)^T \qquad\text{with}\qquad S_0 = 1, \quad S_1 = \alpha^4, \quad S_2 = 1, \quad S_3 = 1.$$

This leads to the syndrome polynomial

$$f(x) = x^3 + x^2 + \alpha^4 x + 1.$$

Now carry out the Euclidean algorithm with r_{−1}(x) = x^4 and r_0(x) = f(x) and stop as soon as deg(r_h(x)) < 2. This yields

$$x^4 = (x + 1)(x^3 + x^2 + \alpha^4 x + 1) + (\alpha x^2 + \alpha x + 1),$$
$$x^3 + x^2 + \alpha^4 x + 1 = \alpha^{14} x\,(\alpha x^2 + \alpha x + 1) + (\alpha^9 x + 1).$$

Thus h = 2 and s(x) = z_2(0)^{-1} z_2(x). Since q_1(x) = x + 1 and q_2(x) = α^{14} x, we calculate recursively

$$z_{-1}(x) = 0, \qquad z_0(x) = 1, \qquad z_1(x) = z_{-1}(x) - q_1(x) z_0(x) = x + 1,$$
$$z_2(x) = z_0(x) - q_2(x) z_1(x) = \alpha^{14} x^2 + \alpha^{14} x + 1.$$

Therefore

$$s(x) = \alpha^{14} x^2 + \alpha^{14} x + 1.$$

The roots of s(x) are α^7 and α^9, hence η_1 = α^{−7} = α^8 and η_2 = α^{−9} = α^6. It follows that the errors have occurred in positions 8 and 10 of the transmitted code word. By observing that for a binary code the corresponding error values can only be c_1 = c_2 = 1, or by a direct calculation of c_1 and c_2 from the formula in Step 4 of 8.61 with u(x) = z_2(0)^{-1} r_2(x) = α^9 x + 1, we find the transmitted code word

100100100100100

in accordance with the result in Example 8.52. □
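The following Python code, added here and not part of the book, carries out 8.61 on Example 8.62: the syndrome by (8.10), the Euclidean algorithm together with the auxiliary sequence z_h of (8.12) and (8.13), s(x) and u(x) as in Lemma 8.60, the inverses of the roots of s(x) as error-location numbers, and the error values from (8.11). It assumes g(x) = x^4, L = {α^{−i}} and the received word of Example 8.62; the polynomial-arithmetic helpers (pdivmod, padd, pmul, peval) and the table representation of F_16 are the example's own.

```python
# Added example (not from the book): decoding algorithm 8.61 for Goppa codes,
# run on Example 8.62 (binary Goppa code, g(x) = x^4, L = {alpha^{-i}}).
# F_16 = F_2[x]/(x^4 + x + 1); field elements are ints 0..15; polynomials over
# F_16 are coefficient lists (index = degree); binary words are ints (bit i = v_i).

PRIM, N, T = 0b10011, 15, 4
EXP, LOG = [0] * 30, [0] * 16
_a = 1
for _i in range(15):
    EXP[_i], LOG[_a] = _a, _i
    _a <<= 1
    if _a & 0x10:
        _a ^= PRIM
EXP[15:] = EXP[:15]

def mul(x, y):
    return 0 if x == 0 or y == 0 else EXP[LOG[x] + LOG[y]]

def inv(x):
    return EXP[(15 - LOG[x]) % 15]

def trim(p):
    """Drop leading zero coefficients in place; [] is the zero polynomial."""
    while p and p[-1] == 0:
        p.pop()
    return p

def deg(p):
    return len(p) - 1                      # deg(0) = -1

def padd(p, q):
    r = [0] * max(len(p), len(q))
    for i, c in enumerate(p):
        r[i] ^= c
    for i, c in enumerate(q):
        r[i] ^= c
    return trim(r)

def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1) if p and q else []
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= mul(a, b)
    return trim(r)

def pdivmod(p, q):
    """Polynomial long division over F_16; returns (quotient, remainder)."""
    p, quo, lead = list(p), [0] * max(len(p) - len(q) + 1, 1), inv(q[-1])
    while p and len(p) >= len(q):
        c, shift = mul(p[-1], lead), len(p) - len(q)
        quo[shift] = c
        for i, qc in enumerate(q):
            p[i + shift] ^= mul(c, qc)
        trim(p)
    return trim(quo), p

def peval(p, x):
    acc = 0
    for c in reversed(p):
        acc = mul(acc, x) ^ c
    return acc

G_COEFFS = [0, 0, 0, 0, 1]                 # Goppa polynomial g(x) = x^4
L = [EXP[(-i) % 15] for i in range(N)]     # gamma_i = alpha^{-i}, all nonzero

def syndrome(v):
    """(8.10): S_j = sum over the positions i with v_i = 1 of g(gamma_i)^{-1} gamma_i^j,
    0 <= j < t (a code word contributes 0, so only the error positions matter)."""
    S = []
    for j in range(T):
        s = 0
        for i, gamma in enumerate(L):
            if (v >> i) & 1:
                s ^= mul(inv(peval(G_COEFFS, gamma)), EXP[(LOG[gamma] * j) % 15])
        S.append(s)
    return S

def euclid_step2(f):
    """Step 2: Euclid on r_{-1} = x^t, r_0 = f with z_{-1} = 0, z_0 = 1 and
    z_h = z_{h-2} - q_h z_{h-1}, stopping at the first h with deg(r_h) < t/2.
    Returns (s, u) = (z_h(0)^{-1} z_h, z_h(0)^{-1} r_h) as in Lemma 8.60."""
    r_prev, r_cur = [0] * T + [1], trim(list(f))
    z_prev, z_cur = [], [1]
    while 2 * deg(r_cur) >= T:
        q, r_next = pdivmod(r_prev, r_cur)
        z_next = padd(z_prev, pmul(q, z_cur))      # minus equals plus in char 2
        r_prev, r_cur, z_prev, z_cur = r_cur, r_next, z_cur, z_next
    c = inv(z_cur[0])
    return [mul(c, x) for x in z_cur], [mul(c, x) for x in r_cur]

def decode(v):
    f = syndrome(v)
    if not trim(list(f)):
        return v                                   # Step 1: no errors
    s, u = euclid_step2(f)
    etas = [inv(EXP[i]) for i in range(15) if peval(s, EXP[i]) == 0]   # Step 3
    e = 0
    for eta in etas:
        # Step 4: c_i = u(eta_i^{-1}) g(eta_i) prod_{h != i} (1 - eta_h eta_i^{-1})^{-1}
        c = mul(peval(u, inv(eta)), peval(G_COEFFS, eta))
        for other in etas:
            if other != eta:
                c = mul(c, inv(1 ^ mul(other, inv(eta))))
        if c != 1:
            raise ValueError("error value must be 1 for a binary code")
        e |= 1 << L.index(eta)                     # position i with gamma_i = eta_i
    return v ^ e

def bits(word):
    return int(word[::-1], 2)
```

On the received word of the example, `syndrome` returns (1, α^4, 1, 1), `euclid_step2` returns s(x) = α^14 x^2 + α^14 x + 1 and u(x) = α^9 x + 1 (here α^14 and α^9 are the integers 9 and 10 in the table representation), and `decode` returns 100100100100100. Step 4 is kept even though the code is binary, so that the formula from (8.11) is actually exercised: both error values come out as 1.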
EXERCISES

8.1. Determine all code words, the minimum distance, and a parity-check matrix of the binary linear (5, 3) code that is defined by the generator matrix

10 0 ,1
(i = (
I
o o
0 I
o o
0
I
:). I'
8.2. Prove: a linear code can detect s or fewer errors if and only if its minimum distance is ≥ s + 1.

8.3. Prove that the Hamming distance is a metric on F_q^n.

8.4. Let H be a parity-check matrix of a linear code. Prove that the code has minimum distance d if and only if any d − 1 columns of H are linearly independent and there exist d linearly dependent columns.

8.5. If a linear (n, k) code has minimum distance d, prove that n − k + 1 ≥ d (Singleton bound).

8.6. Let G_1 and G_2 be generator matrices for a linear (n_1, k) code and (n_2, k) code with minimum distance d_1 and d_2, respectively. Show that the linear codes with generator matrices

$$\begin{pmatrix} G_1 & 0 \\ 0 & G_2 \end{pmatrix} \qquad\text{and}\qquad (G_1 \;\; G_2)$$

are (n_1 + n_2, 2k) codes and (n_1 + n_2, k) codes, respectively, with minimum distances min(d_1, d_2) and d, d ≥ d_1 + d_2, respectively.

8.7. Prove: given k and d, then for a binary linear (n, k) code to have minimum distance d = d_0 we must have

$$n \ge d_0 + d_1 + \cdots + d_{k-1},$$

where d_{i+1} = ⌊(d_i + 1)/2⌋ for i = 0, 1, ..., k − 2. Here ⌊x⌋ denotes the largest integer ≤ x.

8.8. A code C ⊆ F_q^n is called perfect if for some integer t the balls B_t(c) of radius t centered at code words c are pairwise disjoint and "fill" the space F_q^n, that is,

$$\bigcup_{c \in C} B_t(c) = \mathbb{F}_q^n.$$

Prove that in the binary case all Hamming codes and all repetition codes of odd length are perfect codes.

8.9. Using the definition of Exercise 8.8, prove that all Hamming codes over F_q are perfect.

8.10. Two linear (n, k) codes C_1 and C_2 over F_q are called equivalent if the code words of C_2 can be obtained from the code words of C_1 by applying a fixed permutation to the coordinate places of all words in C_1. Let G be a generator matrix for a linear code C. Show that any permutation of the rows of G or any permutation of the columns of G gives a generator matrix of a linear code which is equivalent to C.

8.11. Use the definition of equivalent codes in Exercise 8.10 to show that the binary linear codes with the generator matrices G_1 and G_2 given below, respectively, are equivalent.

G_1 =
(" -I
0 ,0
I I 0
0' 01 I;
and

G_2 =
~ (6 ,I
0 I 0
I I 0
:1· I'
8.12. Let C be a linear (n, k) code. Prove that the dimension of C^⊥ is n − k.

8.13. Prove that (C^⊥)^⊥ = C for any linear code C.

8.14. Prove (C_1 + C_2)^⊥ = C_1^⊥ ∩ C_2^⊥ for any linear codes C_1, C_2 over F_q of the same length.

8.15. If C is the binary (n, 1) repetition code, prove that C^⊥ is the (n, n − 1) parity-check code.

8.16. Determine a generator matrix and all code words of the (7, 3) code which is dual to the binary Hamming code C_3.

8.17. Determine the dual code C^⊥ to the code given in Exercise 8.1. Find the table of cosets of F_2^5 modulo C^⊥, determine the coset leaders and syndromes. If y = 01001 is a received word, which message was probably sent?

8.18. Apply Theorem 8.32 to the binary linear code C = {000, 011, 101, 110}; that is, find its dual code, determine the weight enumerators, and verify the MacWilliams identity.

8.19. Let C be a binary linear (n, k) code with weight enumerator

$$A(x, y) = \sum_{i=0}^{n} A_i x^i y^{n-i}$$

and let

$$A^{\perp}(x, y) = \sum_{i=0}^{n} A_i^{\perp} x^i y^{n-i}$$

be the weight enumerator of the dual code C^⊥. Show the following identity for r = 0, 1, ...:

$$\sum_{i=0}^{n} i^r A_i = \sum_{i=0}^{n} (-1)^i A_i^{\perp} \sum_{t=0}^{r} t!\, S(r, t)\, 2^{k-t} \binom{n-i}{t-i},$$

where S(r, t) is a Stirling number of the second kind and the binomial coefficient \binom{m}{h} is defined to be 0 whenever h > m or h < 0. Write down the identity for r = 0, 1, and 2.

8.20. Let n = (q^m − 1)/(q − 1) and β a primitive nth root of unity in F_{q^m}, m ≥ 2. Prove that the null space of the matrix H = (1 β β^2 ⋯ β^{n−1}) is a code over F_q l.q -I)~ I.

8.21. Let α be a primitive element of F_9 with minimal polynomial x^2 − x − 1 over F_3. Find a generator polynomial for a BCH code of length 8 and dimension 4 over F_3. Determine the minimum distance of this code.
Exercises
8.22. Find a generator polynomial for a BCH code of dimension 12 and designed distance $d = 5$ over $\mathbb{F}_2$.
8.23. Determine the dimension of a 5-error-correcting BCH code over $\mathbb{F}_3$ of length 80.
8.24. Find the generator polynomial for a 3-error-correcting binary BCH code of length 15 by using the primitive element $\alpha$ of $\mathbb{F}_{16}$ with $\alpha^4 = \alpha + 1$.
8.25. Determine a generator polynomial $g$ for a $(31, 31 - \deg(g))$ binary BCH code with designed distance $d = 9$.
8.26. Let $m$ and $t$ be any two positive integers. Show that there exists a binary BCH code of length $2^m - 1$ which corrects all combinations of $t$ or fewer errors using not more than $mt$ control symbols.
8.27. Describe a Reed-Solomon $(15, k)$ code over $\mathbb{F}_{16}$ by determining its generator polynomial and the number of errors it will correct. (The dimension $k$ is illegible in the scan.)
8.28. Prove that the minimum distance of a Reed-Solomon code with generator polynomial
$$g(x) = \prod_{i=1}^{d-1} (x - \alpha^i)$$
is equal to $d$.
8.29. Determine if the dual of an arbitrary BCH code is a BCH code. Is the dual of an arbitrary Reed-Solomon code a Reed-Solomon code?
8.30. Find the error locations in Example 8.43, given that the syndrome (the syndrome value is missing from the scan).
8.31. Let a binary 2-error-correcting BCH code of length 31 be defined by the root $\alpha$ of $x^5 + x^2 + 1$ in $\mathbb{F}_{32}$. Suppose the received word has the syndrome $(1\,1\,1\,0\,0\,1\,1\,1\,0\,1)^T$. Find the error polynomial.
8.32. Let $\alpha$ be a primitive element of $\mathbb{F}_{16}$ with $\alpha^4 = \alpha + 1$, and let $g(x) = x^{10} + x^8 + x^5 + x^4 + x^2 + x + 1$ be the generator polynomial of a binary $(15,5)$ BCH code. Suppose the word $r = 000101100100011$ is received. Determine the corrected code word and the message word.
8.33. A code $C$ is called reversible if $(c_0, c_1, \ldots, c_{n-1}) \in C$ implies $(c_{n-1}, \ldots, c_1, c_0) \in C$. (a) Prove that a cyclic code $C = (g(x))$ is reversible if and only if with each root of $g(x)$ the reciprocal value of that root is a root of $g(x)$. (b) Prove that any cyclic code over $\mathbb{F}_q$ (the remainder of the statement is illegible in the scan).
8.34. (The statement of this exercise is missing from the scan.)
8.35. Let $\Gamma(L,g)$ be a Goppa code over $\mathbb{F}_q$ with $L = \{\gamma_0, \gamma_1, \ldots, \gamma_{n-1}\} \subseteq \mathbb{F}_{q^m}$. Prove that $(c_0, c_1, \ldots, c_{n-1}) \in \mathbb{F}_q^n$ is a code word of $\Gamma(L,g)$ if and only if the congruence (illegible in the scan) holds, where $1/(x - \gamma_i)$ is interpreted as the multiplicative inverse of $x - \gamma_i$ in the residue class ring $\mathbb{F}_{q^m}[x]/(g)$.
8.36. Let $\Gamma(L,g)$ be a Goppa code over $\mathbb{F}_q$ whose Goppa polynomial of degree $t$ has $t$ distinct roots $\beta_1, \ldots, \beta_t$ in a suitable extension of $\mathbb{F}_{q^m}$, and let $L = \{\gamma_0, \gamma_1, \ldots, \gamma_{n-1}\} \subseteq \mathbb{F}_{q^m}$. Prove that $\Gamma(L,g)$ is the intersection of $\mathbb{F}_q^n$ with the null space of the $t \times n$ matrix whose entry in the $j$th row and $i$th column is $(\beta_j - \gamma_{i-1})^{-1}$ for $1 \le j \le t$, $1 \le i \le n$.
8.37. Prove that the minimum distance of a binary irreducible Goppa code with Goppa polynomial of degree $t$ is at least $2t + 1$.
8.38. Determine the dimension of the binary Goppa code $\Gamma(L,g)$ with $L = \mathbb{F}_{16}$, $g(x) = x^2 + x + \alpha$, and $\alpha$ a primitive element of $\mathbb{F}_{16}$ (the constant term of $g$ is only partly legible in the scan).
8.39. Determine the dimension of the binary Goppa code $\Gamma(L,g)$ with $L = \mathbb{F}_{16}$ and $g(x) = x^3 + x + 1$. Find also a generator matrix for this code.
8.40. Determine the transmitted code word in Exercise 8.32 by the algorithm in Section 3.
8.41. Determine the transmitted code word in Example 8.43 by the algorithm in Section 3.
8.42. Determine the transmitted code word in Example 8.46 by the algorithm in Section 3.
8.43. Let $r_{-1}(x)$ and $r_0(x)$ be two nonzero polynomials over a field $F$ with $\deg(r_{-1}(x)) \ge \deg(r_0(x))$. The Euclidean algorithm yields
$$r_{h-1}(x) = q_{h+1}(x)\, r_h(x) + r_{h+1}(x), \quad \deg(r_{h+1}(x)) < \deg(r_h(x)), \quad \text{for } h = 0, 1, \ldots, s-1,$$
$$r_{s-1}(x) = q_{s+1}(x)\, r_s(x).$$
Define recursively the polynomials
$$z_{-1}(x) = 0, \quad z_0(x) = 1, \quad z_h(x) = z_{h-2}(x) - q_h(x)\, z_{h-1}(x) \quad \text{for } h = 1, 2, \ldots, s.$$
Prove the following properties: (a) $r_h(x) \equiv z_h(x)\, r_0(x) \bmod r_{-1}(x)$ for $h = -1, 0, \ldots, s$; (b) $z_h(x)\, r_{h-1}(x) - z_{h-1}(x)\, r_h(x) = (-1)^h r_{-1}(x)$ for $h = 0, 1, \ldots, s$; (c) $\deg(z_h(x)) = \deg(r_{-1}(x)) - \deg(r_{h-1}(x))$ for $h = 0, 1, \ldots, s$.
8.44. An alternant code $A$ over $\mathbb{F}_q$ is defined as follows. Let $h_1, \ldots, h_n$ be arbitrary elements of $\mathbb{F}_{q^m}$ and let $\alpha_1, \ldots, \alpha_n$ be distinct elements of $\mathbb{F}_{q^m}$. Fix an integer $t$ with $1 \le t < n$. Then $A$ consists of all vectors in $\mathbb{F}_q^n$ that are in the null space of the $t \times n$ matrix
$$\begin{pmatrix} h_1 & h_2 & \cdots & h_n \\ h_1\alpha_1 & h_2\alpha_2 & \cdots & h_n\alpha_n \\ \vdots & \vdots & & \vdots \\ h_1\alpha_1^{t-1} & h_2\alpha_2^{t-1} & \cdots & h_n\alpha_n^{t-1} \end{pmatrix}.$$
Show that any Goppa code is an alternant code. Prove that the dimension of $A$ is at least $n - mt$ and that its minimum distance is at least $t + 1$.
Chapter 9
Cryptology
In this chapter we consider some aspects of cryptology that have received considerable attention over the last few years. Cryptology is concerned with the designing and the breaking of systems for the communication of secret information. Such systems are called cryptosystems or cipher systems or ciphers. The designing aspect is called cryptography, the breaking is referred to as cryptanalysis. The rapid development of computers, the electronic transmission of information, and the advent of electronic transfer of funds all contributed to the evolution of cryptology from a government monopoly that deals with military and diplomatic communications to a major concern of business. The concepts have changed from conventional (private-key) cryptosystems to public-key cryptosystems that provide privacy and authenticity in communication via transfer of messages. Cryptology as a science is in its infancy since it is still searching for appropriate criteria for security and measures of complexity of cryptosystems. Conventional cryptosystems date back to the ancient Spartans and Romans. One elementary cipher, the Caesar cipher, was used by Julius Caesar and consists of a single key $K = 3$ such that a message $M$ is transformed into $M + 3$ modulo 26, where the integers $0, 1, \ldots, 25$ represent the letters A, B, ..., Z of the alphabet. An obvious generalization of this cipher leads to the substitution ciphers often named after de Vigenère, a French cryptographer of the 16th century. Mechanical cipher devices based on such cryptosystems started to appear in the 19th century and were widely used in both World Wars.
Significant advances in cryptanalysis, for instance the breaking of the German ENIGMA cipher in World War II, have led to the necessity of developing more sophisticated cryptosystems, some of which will be described in this chapter. In Section 1 a general background on cryptology is given and the distinction between conventional and public-key cryptosystems is discussed. The most secure cryptosystem is the one-time pad in which a random string of bits is added modulo 2 to a binary message. Since this requires very long keys, one has come up with the notion of a stream cipher in which a shorter key generates long strings of bits. This concept is studied in more detail in Section 2. Some very recent developments in cryptography are based on the use of discrete exponentiation in finite fields. A scrutiny of these cipher systems from the viewpoint of the cryptanalyst leads to a study of the inverse function, that is, the index or discrete logarithm in finite fields. In particular, it becomes necessary to analyze the computational complexity of the discrete logarithm. Various applications of discrete exponentiation and discrete logarithms to cryptology and several algorithms for the calculation of discrete logarithms are presented in Section 3. Two more cryptosystems, one based on Goppa codes and one on polynomial interpolation in finite fields, are discussed in Section 4.
1. BACKGROUND
Cryptosystems are designed to transform plaintext messages into ciphertexts. The particular transformations applied at any given time are controlled by the key of the cryptosystem used at that time. In conventional cryptosystems this key is supposed to be known to both the legitimate sender and the legitimate receiver, but not to the attacker (or cryptanalyst) who wants to break the cryptosystem. The general structure of a cryptosystem can be described as follows. The main ingredients are an enciphering scheme $E$ (for encryption), a deciphering scheme $D$ (for decryption), a key $K$, the plaintext message (or simply plaintext or message) $M$, and the ciphertext $C$. Given a plaintext message $M$ and a key $K$, the enciphering scheme produces the ciphertext $C = E_K(M)$ which is transmitted. The deciphering scheme recovers $M$ by $D_K(C) = M$. One basic requirement is that $E_K$ be injective, that is, $E_K$ should transform distinct messages into distinct ciphertexts. In this notation the parameter $K$ remains fixed for a considerable number of messages. If only one key $K$ is involved, the system is called a conventional (or single-key) cryptosystem. An attacker is assumed to have full knowledge of the general form of the enciphering and deciphering schemes, has access to a number of plaintext-ciphertext pairs produced by the cryptosystem, and has additional information such as language statistics (letter frequencies and so on) and an idea about the general context of the communication. The attacker does not know the key $K$ and has the task to produce the best estimate $M'$ of $M$. Breaking a system means determining the key $K$.
FIGURE 9.1 A cryptosystem.
As most current data are stored, transmitted, and processed in binary form, cryptosystems over the binary alphabet $\mathbb{F}_2 = \{0, 1\}$ are of particular importance, but other alphabets such as $\mathbb{F}_q$ are also possible. Thus both plaintext and ciphertext are often given in the form of a string of 0's and 1's (or bits). If the plaintext string is broken into blocks of fixed length and then enciphered on a block-by-block basis, the corresponding scheme is called a block cipher. In this chapter, as in this whole book, we are mainly interested in material directly connected with finite fields, and accordingly we will be concentrating on certain types of cryptosystems. However, we mention one of the commercially widely used block ciphers, the DES (Data Encryption Standard), which is the official system adopted by the National Bureau of Standards of the United States and used by most U.S. Federal Departments. It is a cryptosystem with 64-bit data blocks and a 64-bit key; 56 bits of the key are true key bits, the remaining 8 bits are used for error detection. The main disadvantage of conventional cryptosystems is that they require the advance establishment of a secret (or private) key between every pair of correspondents. This makes proper management of the keys a crucial problem for the security of the system. Key management is increasingly difficult if a large number of correspondents are involved in a communication system, because then it will be even harder to ensure key secrecy. In 1976 Diffie and Hellman suggested how to overcome some of these problems by introducing public-key cryptosystems. Public-key cryptosystems ensure that subscribers who have never met or communicated before could have instant secure communication. In general terms, each subscriber places an enciphering procedure $E$ into a public directory to be used by other subscribers while keeping secret his corresponding deciphering procedure $D$. These procedures, applied to message $M$ or ciphertext $C$, must have the following properties:
(i) If $C = E(M)$, then $M = D(C)$; hence $D(E(M)) = M$ for each $M$.
(ii) $E$ and $D$ must be fast and easy to apply.
(iii) $E$ can be made public without revealing $D$, that is, deriving $D$ from $E$ must be computationally infeasible.
For instance, if A wants to send a message $M$ to B, he looks up B's public
enciphering method $E_B$ and transmits $C = E_B(M)$ to B in the open. Only B can decipher $C$, since only B knows the secret deciphering method $D_B$ to apply to $C$. Privacy or security of messages is not the only problem area in cryptology. It is also important that the correspondents or subscribers can be authenticated. For example, A has to be able to convince B that it is really from A the message came. The log-on procedure on computers is also an obvious example of authentication. The problem area of authentication or of digital signatures is increasingly important as computer networks, electronic mail, and similar communication systems grow. Digital signature features can be attained by public-key cryptosystems if we add a fourth property:
(iv) $D$ can be applied to every $M$, and if $S = D(M)$, then $M = E(S)$; hence $E(D(M)) = M$ for each $M$.
With this property, subscriber A can sign his message to B by first forming his message-dependent signature $S = D_A(M)$ and then computing $C = E_B(S)$. Only B can recover $S$ by applying the secret deciphering method $D_B$ to $C$. Then B computes $E_A(S) = E_A(D_A(M)) = M$ by using A's public enciphering method $E_A$. Now B can be satisfied that $M$ came from A since no other person would have used A's secret deciphering method $D_A$ to compute $S = D_A(M)$. Public-key cryptosystems can be implemented by using trapdoor one-way functions. A function $f$ is said to be one-way if $f$ is easy to compute and invertible, but it is computationally infeasible to compute the inverse function $f^{-1}$ from a complete description of $f$. A function $f$ is trapdoor one-way if $f^{-1}$ is easy to compute once certain private trapdoor information is known, but without this information $f$ would be one-way. An example of a trapdoor one-way function is contained in the RSA cryptosystem (see Section 3); it is based on exponentiation and the difficulty of factorization of integers. Another trapdoor one-way function is based on the difficulty of the general decoding problem for linear error-correcting codes (see the Goppa-code cryptosystem in Section 4). A major problem area in cryptology is to find appropriate criteria for the complexity of a cryptosystem that will replace the present unsatisfactory method of "certifying" a cryptosystem as secure through heuristics or concentrated man/computer years of efforts rather than rigorous proof. Computational complexity theory seems to offer a suitable framework for doing that, since there one can classify problems as "hard". A problem is said to belong to the class P (for polynomial time) if there exists a deterministic algorithm that will solve every instance of the problem in a running time bounded by some polynomial in the number of bits needed for the binary representation of the problem parameters. Problems that can be solved in polynomial time by a nondeterministic algorithm, that is, by an algorithm in which random choices are allowed in each step, make up the class NP (for
nondeterministic polynomial time). Clearly, P is a subclass of NP. It is a fundamental open question of complexity theory whether P = NP. Particularly interesting problems in the class NP from the viewpoint of complexity theory are the NP-complete problems, which have the property that if any one problem of the NP-complete class is found to be in P, then all of NP belongs to P. Examples of NP-complete problems are the graph coloring problem, the traveling salesman problem, and the knapsack packing problem. The security of public-key cryptosystems is based on the computational infeasibility of performing certain tasks such as factoring integers, decoding linear codes, or finding discrete logarithms in finite fields with the best algorithms and the best hardware publicly available. Of course, there may be secret advances in software or hardware we do not know about.
2. STREAM CIPHERS
The simplest and most secure of all cryptosystems is the one-time pad. Suppose the message is given as a string of bits, that is, of elements of $\mathbb{F}_2$. Then a long random string of bits is formed; this is the key which is known to sender and receiver. The sender adds this key to the message, using addition in $\mathbb{F}_2$. At the receiving end the key is again added in $\mathbb{F}_2$ to the enciphered message to recover the original message. The key string must be at least as long as the message string and is used only once. This is a perfect, unbreakable cipher since all the different key strings and all possible messages are equally likely. The major disadvantage of this cryptosystem is that it requires as much key as there is data to be sent. So it is restricted to sending only important messages. In a stream cipher one uses a much smaller key as the seed to produce longer key strings or even infinite key sequences, which are then added to the message string. One possibility is to use feedback shift registers where certain initial values suffice to produce infinite linear recurring sequences in $\mathbb{F}_2$ (compare with Chapter 6, Section 1). Before we consider a specific cryptosystem, we list some general properties a stream cipher should have:
(i) The number of possible keys must be large enough so that an exhaustive search for the key is not feasible.
(ii) The infinite sequences must have a guaranteed minimum length for their periods which exceeds the length of the message strings.
(iii) The ciphertext must appear to be random.
There are a number of properties a random sequence of bits should satisfy. We refer to Chapter 7, Section 4, for more details. On first glance it would seem that certain homogeneous linear recurring sequences $\sigma$ in $\mathbb{F}_2$ are good candidates for key sequences. We know from Theorem 6.33 that if the characteristic polynomial of $\sigma$ is primitive over $\mathbb{F}_2$ of degree $k$ and $\sigma$ is not the zero sequence, then $\sigma$ has least period $2^k - 1$, which can be made arbitrarily large as $k$ varies. There are many such primitive polynomials available, namely $\phi(2^k - 1)/k$. These maximal period sequences $\sigma$ (see Definition 6.32) of least period $2^k - 1$ satisfy the basic randomness
requirements imposed on sequences, as we have shown in Chapter 7, Section 4. Nevertheless, linear recurring sequences are not suitable for constructing secure cryptosystems, since it follows from the discussion on p. 231 that if we know that such a sequence has a characteristic polynomial of degree $\le k$, then any $2k$ consecutive terms determine a characteristic polynomial and thus the entire sequence. In spite of the proven insecurity of this cryptosystem, it is quite popular, perhaps because the large periods $2^k - 1$ create an illusion of strength. Because of this weakness of linear recurring sequences, we have to consider pseudorandom generators of higher complexity. One possibility is to increase complexity by appropriately combining linear recurring sequences. We shall only describe one such approach, namely the construction of multiplexed sequences which may be used as building blocks in a cryptosystem in the category of stream ciphers. Here a multiplexer, which is a many-input-one-output system, is used to produce a multiplexed sequence from two given linear recurring sequences. The construction can be carried out over any finite prime field $\mathbb{F}_p$.
9.1. Definition. A multiplexed sequence $u_0, u_1, \ldots$ in $\mathbb{F}_p$ is constructed as follows:
(i) Let $s_0, s_1, \ldots$ be a $k$th-order and $t_0, t_1, \ldots$ an $m$th-order maximal period sequence in $\mathbb{F}_p$.
(ii) Choose an integer $h$ in the range $1 \le h \le k$ such that $p^h \le m$ if $h < k$ and $p^h - 1 \le m$ if $h = k$.
(iii) Choose integers $j_1, \ldots, j_h$ with $0 \le j_1 < j_2 < \cdots < j_h \le k - 1$. For $n = 0, 1, \ldots$ consider the $h$-tuple $(s_{n+j_1}, \ldots, s_{n+j_h})$ of elements of $\mathbb{F}_p$ and interpret it as the digital representation in the base $p$ of an integer $h_n \in I_h$, where
$$I_h = \begin{cases} \{0, 1, \ldots, p^h - 1\} & \text{if } h < k, \\ \{1, 2, \ldots, p^h - 1\} & \text{if } h = k. \end{cases}$$
(iv) Choose an injective mapping $\psi$ from $I_h$ into $\{0, 1, \ldots, m - 1\}$.
(v) With these choices of $h$, $j_1, \ldots, j_h$, and $\psi$ we set
$$u_n = t_{n + \psi(h_n)} \quad \text{for } n = 0, 1, \ldots.$$
Some comments on this definition are in order. We note that, if $h < k$, then all elements of $\mathbb{F}_p^h$ appear among the $h$-tuples $(s_{n+j_1}, \ldots, s_{n+j_h})$ as $n$ varies from $0$ to $p^k - 2$, and so $h_n$ runs exactly through the values in $I_h$. If $h = k$, then necessarily $j_i = i - 1$ for $1 \le i \le k$, and the $k$-tuples $(s_n, \ldots, s_{n+k-1})$ are just the state vectors of the sequence $s_0, s_1, \ldots$; the fact that $h_n$ runs exactly through the values in $I_k$ follows therefore from Theorem 7.43. We note also that the existence of an injection $\psi$ in (iv) is guaranteed by the condition on $m$ in (ii). The definition in (v) says that we obtain the multiplexed sequence by scrambling the terms of the sequence $t_0, t_1, \ldots$ in a way that is controlled by the sequence $s_0, s_1, \ldots$.
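To see concretely why the plain linear recurring sequences ruled out before Definition 9.1 make a weak keystream, here is an added illustration (not code from the book): from $2k$ consecutive terms, for instance keystream bits obtained as ciphertext plus known plaintext, the recurrence of order $k$ is the solution of a $k \times k$ linear system over $\mathbb{F}_2$, and the whole sequence can then be regenerated. The recurrences and seeds used below are constructed for this example.

```python
"""Recovering a linear recurrence over F_2 from 2k consecutive terms.
Added illustration of the weakness discussed in Section 2; the
recurrences and seeds are constructed here, not taken from the book."""


def lfsr(coeffs, state, length):
    """Homogeneous linear recurring sequence over F_2 of order k = len(coeffs):
    s_{n+k} = c_0 s_n + c_1 s_{n+1} + ... + c_{k-1} s_{n+k-1}  (mod 2),
    started from the state vector (s_0, ..., s_{k-1})."""
    k = len(coeffs)
    s = list(state)
    while len(s) < length:
        s.append(sum(c * x for c, x in zip(coeffs, s[-k:])) % 2)
    return s[:length]


def solve_gf2(rows, k):
    """Solve a k x k linear system over F_2 by Gaussian elimination.
    rows: list of (coefficient_list, right_hand_side).  Returns the
    solution vector, or None when the system is singular."""
    m = [list(r) + [v] for r, v in rows]          # augmented matrix
    for col in range(k):
        piv = next((i for i in range(col, k) if m[i][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        for i in range(k):                        # clear the column elsewhere
            if i != col and m[i][col]:
                m[i] = [a ^ b for a, b in zip(m[i], m[col])]
    return [m[i][k] for i in range(k)]            # matrix is now the identity


def recover_recurrence(terms, k):
    """From 2k consecutive terms determine c_0, ..., c_{k-1}: the k equations
    are s_{n+k} = sum_i c_i s_{n+i} for n = 0, ..., k-1."""
    if len(terms) < 2 * k:
        raise ValueError("need at least 2k consecutive terms")
    rows = [(terms[n:n + k], terms[n + k]) for n in range(k)]
    return solve_gf2(rows, k)


def characteristic_polynomial(coeffs):
    """x^k - sum_i c_i x^i, which over F_2 is x^k + sum_{c_i = 1} x^i,
    returned as a readable string."""
    k = len(coeffs)
    parts = ["x^%d" % k] + ["x^%d" % i if i > 1 else ("x" if i == 1 else "1")
                            for i in range(k - 1, -1, -1) if coeffs[i]]
    return " + ".join(parts)


def demo():
    # Constructed keystream: t_{n+4} = t_{n+1} + t_n from seed (1,0,0,0),
    # a maximal period sequence of least period 15.
    coeffs, seed, k = [1, 1, 0, 0], [1, 0, 0, 0], 4
    keystream = lfsr(coeffs, seed, 30)
    recovered = recover_recurrence(keystream[:2 * k], k)   # only 8 bits used
    predicted = lfsr(recovered, keystream[:k], 30)          # regenerate all 30
    return recovered, characteristic_polynomial(recovered), predicted == keystream


if __name__ == "__main__":
    print(demo())
```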
9.2. Example. Let $p = 2$, and let $s_0, s_1, \ldots$ and $t_0, t_1, \ldots$ be the maximal period sequences in $\mathbb{F}_2$ with (the two recurrence relations are illegible in the scan) for $n = 0, 1, \ldots$, and initial state vectors $(1, 0, 0)$ and $(1, 0, 0, 0)$, respectively. The first sequence has least period 7 and the second sequence has least period 15 (the terms of the two periods are only partly legible in the scan). Now choose $h = 2$, $j_1 = 0$, $j_2 = 1$, and define the injective mapping $\psi$ from $\{0, 1, 2, 3\}$ into itself by
$$\psi(0) = 1, \quad \psi(1) = 2, \quad \psi(2) = 3, \quad \psi(3) = 0.$$
The sequence $h_0, h_1, \ldots$ of integers in Definition 9.1(iii) has least period 7, and the multiplexed sequence $u_0, u_1, \ldots$ then follows from Definition 9.1(v) (the listed terms of both sequences are only partly legible in the scan). The diagrammatic representation of the two feedback shift registers and the multiplexer is given in Fig. 9.2. The delay elements of the first feedback shift register are labeled by $A_0, A_1, A_2$ and those of the second feedback shift register are labeled by $B_0, B_1, B_2, B_3$.
FIGURE 9.2 The switching circuit for Example 9.2.
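Definition 9.1 and Example 9.2 carried out in code, as an added illustration rather than the book's own code. It assumes the two driving recurrences $s_{n+3} = s_{n+1} + s_n$ and $t_{n+4} = t_{n+1} + t_n$ (the book's recurrences are illegible in the scan; these are maximal period sequences with the stated periods 7 and 15 and seeds), and it reads the $h$-tuple of (iii) with $s_{n+j_1}$ as the most significant base-$p$ digit. The least period it computes is the value 105 stated after Theorem 9.6.

```python
"""Multiplexed sequences (Definition 9.1) over F_p, with Example 9.2.
Added illustration; the driving recurrences are an assumption of this
example since they are illegible in the scanned text."""
from math import gcd


def lrs(coeffs, state, length, p):
    """Linear recurring sequence over F_p of order k = len(coeffs):
    s_{n+k} = sum_i coeffs[i] * s_{n+i} mod p, from state (s_0..s_{k-1})."""
    k = len(coeffs)
    s = list(state)
    while len(s) < length:
        s.append(sum(c * x for c, x in zip(coeffs, s[-k:])) % p)
    return s[:length]


def multiplexed(p, s_coeffs, s_seed, t_coeffs, t_seed, js, psi, length):
    """Return (h_0..h_{length-1}, u_0..u_{length-1}) of Definition 9.1."""
    js = list(js)
    k, m, h = len(s_coeffs), len(t_coeffs), len(js)
    # (ii): |I_h| must not exceed m so that an injective psi can exist.
    if not 1 <= h <= k or (h < k and p ** h > m) or (h == k and p ** h - 1 > m):
        raise ValueError("h violates Definition 9.1(ii)")
    if sorted(js) != js or len(set(js)) != h or any(not 0 <= j <= k - 1 for j in js):
        raise ValueError("need 0 <= j_1 < ... < j_h <= k-1")
    if len(set(psi.values())) != len(psi) or any(not 0 <= v < m for v in psi.values()):
        raise ValueError("psi must be injective into {0, ..., m-1}")
    s = lrs(s_coeffs, s_seed, length + k, p)
    t = lrs(t_coeffs, t_seed, length + m, p)
    hs, us = [], []
    for n in range(length):
        h_n = 0
        for j in js:                 # base-p digits, s_{n+j_1} most significant
            h_n = h_n * p + s[n + j]
        hs.append(h_n)
        us.append(t[n + psi[h_n]])   # (v): u_n = t_{n + psi(h_n)}
    return hs, us


def least_period(seq, bound):
    """Smallest r <= bound with seq[n + r] == seq[n] for every available n."""
    for r in range(1, bound + 1):
        if all(seq[n] == seq[n + r] for n in range(len(seq) - r)):
            return r
    return None


def example_9_2():
    p = 2
    s_coeffs, s_seed = [1, 1, 0], [1, 0, 0]          # s_{n+3} = s_n + s_{n+1}, period 7
    t_coeffs, t_seed = [1, 1, 0, 0], [1, 0, 0, 0]    # t_{n+4} = t_n + t_{n+1}, period 15
    psi = {0: 1, 1: 2, 2: 3, 3: 0}
    bound = 7 * 15 // gcd(7, 15)                     # lcm(p^k - 1, p^m - 1), Theorem 9.3
    hs, us = multiplexed(p, s_coeffs, s_seed, t_coeffs, t_seed, [0, 1], psi, 3 * bound)
    return hs[:7], us[:8], least_period(us, bound)


if __name__ == "__main__":
    print(example_9_2())
```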
9.3. Theorem. The multiplexed sequence $u_0, u_1, \ldots$ is periodic and its least period divides $\mathrm{lcm}(p^k - 1, p^m - 1)$.
Proof. Put $r = \mathrm{lcm}(p^k - 1, p^m - 1)$. Since $r$ is a multiple of the period $p^k - 1$ of $s_0, s_1, \ldots$, we have $s_{n+r} = s_n$ for all $n \ge 0$, and so $h_{n+r} = h_n$ for all $n \ge 0$. Since $r$ is a multiple of the period $p^m - 1$ of $t_0, t_1, \ldots$, we obtain
$$u_{n+r} = t_{n+r+\psi(h_{n+r})} = t_{n+r+\psi(h_n)} = t_{n+\psi(h_n)} = u_n \quad \text{for all } n \ge 0.$$
The rest follows from Lemmas 6.4 and 6.6. $\square$
The following property of certain decimations of multiplexed sequences can be applied to obtain further information on the least period. We use again the notation for decimations introduced in Chapter 7, Section 4, that is, if $\sigma$ is a sequence with terms $s_0, s_1, \ldots$, then the decimated sequence $\sigma_d^{(i)}$ is obtained by taking every $d$th term of $\sigma$, starting from $s_i$.
9.4. Lemma. If $v$ denotes the multiplexed sequence $u_0, u_1, \ldots$ in Definition 9.1(v) and $\tau$ denotes the sequence $t_0, t_1, \ldots$ in Definition 9.1(i), then
$$v_d^{(i)} = \tau_d^{(j(i))} \quad \text{for } i = 0, 1, \ldots,$$
where $d = p^k - 1$ and $j(i) = i + \psi(h_i)$.
Proof. The terms of $v_d^{(i)}$ are the elements $u_{nd+i}$, $n = 0, 1, \ldots$. Since $d$ is the least period of the sequence $s_0, s_1, \ldots$ in Definition 9.1(i), we have $h_{nd+i} = h_i$ by the construction in Definition 9.1(iii), and so
$$u_{nd+i} = t_{nd+i+\psi(h_{nd+i})} = t_{nd+j(i)} \quad \text{for all } n \ge 0,$$
which is the desired result. $\square$
9.5. Lemma. For any integers $a \ge 2$, $k \ge 1$, and $m \ge 1$ we have
$$\gcd(a^k - 1, a^m - 1) = a^{\gcd(k,m)} - 1.$$
Proof. If $b = \gcd(k, m)$, then it is clear that $a^b - 1$ divides $c = \gcd(a^k - 1, a^m - 1)$. Now write $k = dm + e$ with integers $d \ge 0$ and $0 \le e < m$. Then
$$a^k - 1 = (a^{dm} - 1)\,a^e + (a^e - 1),$$
and so $c$ divides $a^e - 1$. Continuing this process in analogy with the Euclidean algorithm for $k$ and $m$, we find that $c$ divides $a^b - 1$, hence $c = a^b - 1$. $\square$
9.6. Theorem. If $\gcd(k, m) = 1$, then the least period of the multiplexed sequence $u_0, u_1, \ldots$ is a multiple of $(p^m - 1)/(p - 1)$.
Proof. We apply Lemma 9.4 with $i = 0$. Then $v_d^{(0)} = \tau_d^{(j)}$ with $d = p^k - 1$ and $j = j(0)$. Put $K = \mathbb{F}_p$ and $F = \mathbb{F}_{p^m}$. Since $\tau$ is an $m$th-order maximal period sequence in $K$, it follows from Theorem 6.24 that there exists a primitive element $\gamma$ of $F$ and an element $\theta \in F^*$ such that $t_n = \mathrm{Tr}_{F/K}(\theta\gamma^n)$ for $n = 0, 1, \ldots$. The terms $w_n$ of $\tau_d^{(j)}$ are thus given by
$$w_n = t_{nd+j} = \mathrm{Tr}_{F/K}(\eta\beta^n) \quad \text{for } n = 0, 1, \ldots, \tag{9.1}$$
where $\beta = \gamma^d \in F^*$ and $\eta = \theta\gamma^j \in F^*$. By Theorem 1.15(ii), the order of $\beta$ in the multiplicative group $F^*$ is
$$\frac{p^m - 1}{\gcd(p^k - 1, p^m - 1)} = \frac{p^m - 1}{p - 1},$$
where we used Lemma 9.5 and the hypothesis $\gcd(k, m) = 1$ in the last step. Let $f(x)$ be the minimal polynomial of $\beta$ over $K$. Then it follows from (9.1) and the calculation in the proof of Theorem 6.24 that $f(x)$ is a characteristic polynomial of the linear recurring sequence $\tau_d^{(j)}$. We claim that $\tau_d^{(j)}$ is not the zero sequence. We have
$$\frac{p^m - 1}{p - 1} > p^{m-1} - 1. \tag{9.2}$$
Furthermore, the elements $\eta\beta^n$, $0 \le n < (p^m - 1)/(p - 1)$, are $(p^m - 1)/(p - 1)$ distinct elements of $F^*$. Since there are just $p^{m-1} - 1$ elements $\xi \in F^*$ with $\mathrm{Tr}_{F/K}(\xi) = 0$ by Theorem 2.23(iii), it follows from (9.1) and (9.2) that $w_n = \mathrm{Tr}_{F/K}(\eta\beta^n) \ne 0$ for some $n$. Thus, indeed, $\tau_d^{(j)}$ is not the zero sequence, and since $f(x)$ is irreducible over $K$ by Theorem 3.33(i), the least period of $\tau_d^{(j)}$ is equal to $\mathrm{ord}(f(x)) = (p^m - 1)/(p - 1)$ according to Theorems 6.28 and 3.3. If $r$ is the least period of $u_0, u_1, \ldots$, then $r$ is a period of the decimated sequence $v_d^{(0)} = \tau_d^{(j)}$, and so Lemma 6.4 shows that $r$ is divisible by $(p^m - 1)/(p - 1)$. $\square$
It can be proved that if $p = 2$, $\gcd(k, m) = 1$, and $m > 1$, then the least period of the multiplexed sequence $u_0, u_1, \ldots$ is equal to $(2^k - 1)(2^m - 1)$. For instance, the least period of the multiplexed sequence in Example 9.2 is equal to $(2^3 - 1)(2^4 - 1) = 105$. As to the application of multiplexed sequences in stream ciphers, it appears that such sequences may be quite complex, but further research will be needed in order to establish that their complexity is sufficiently high.
3. DISCRETE LOGARITHMS
Let $b$ be a primitive element of $\mathbb{F}_q$ and let $a$ be a nonzero element of $\mathbb{F}_q$. Then the index of $a$ with respect to the base $b$ is the uniquely determined integer $r$, $0 \le r < q - 1$, for which $a = b^r$. We use the notation $r = \mathrm{ind}_b(a)$, or simply $r = \mathrm{ind}(a)$ if $b$ is kept fixed. The index of $a$ is also called the discrete logarithm of $a$. The discrete exponential function $\exp_b(r) = \exp(r) = b^r$ and the discrete logarithm form a pair of inverse functions of each other; compare also with Chapter 10, Section 1. Their use for cryptography depends on the apparent one-way nature of the discrete exponential function: it is easy to compute, but appears hard to invert.
The discrete exponential function $\exp(r) = b^r$ in $\mathbb{F}_q$ can be calculated for $1 \le r < q - 1$ by an analog of the repeated squaring technique discussed after Theorem 4.13, which is often called the square and multiply technique in the present context. In detail, we first compute the elements $b, b^2, b^4, \ldots, b^{2^j}$ by repeated squaring, where $2^j$ is the largest power of 2 that is $\le r$. Then $b^r$ is obtained by multiplying together an appropriate combination of these elements, namely those $b^{2^i}$ for which the binary digit of $r$ at position $i$ is 1. For instance, to get $b^{11}$ one would multiply together the elements $b$, $b^2$, and $b^8$. A simple analysis shows that the calculation of $b^r$ requires at most $2\lfloor \log_2 q \rfloor$ multiplications in $\mathbb{F}_q$, where $\log_2$ denotes the real logarithm to the base 2. Until recently, the inverse problem of computing discrete logarithms in $\mathbb{F}_q$ was believed to be much harder, since for one of the best algorithms available then the required number of arithmetic operations in $\mathbb{F}_q$ was of the order of magnitude $q^{1/2}$. If $q$ is sufficiently large, say $q > 2^{100}$, exponentiation in $\mathbb{F}_q$ might justly have been regarded as a one-way function. However, great progress has recently been achieved in the computation of discrete logarithms, which makes it necessary to construct cryptosystems based on discrete exponentiation in a careful manner in order to protect them against attacks by these recent algorithms. We now describe some cryptographic applications of discrete exponentiation and then present some discrete logarithm algorithms.
9.7. Example. The following is a cryptosystem for message transmission in $\mathbb{F}_q$. Let $M$, $K$, and $C$ denote the plaintext message, the key, and the ciphertext, respectively, where $M, C \in \mathbb{F}_q$, $K$ is an integer with $1 \le K \le q - 2$ and $\gcd(K, q - 1) = 1$, and $q$ is a large prime power. The last condition on $K$ makes it possible to solve the congruence
$$KD \equiv 1 \bmod (q - 1) \tag{9.3}$$
for the integer $D$. We encipher by computing
$$C = M^K \tag{9.4}$$
and decipher by
$$C^D = M. \tag{9.5}$$
Both operations are easily performed. To find the key, however, is as hard as finding discrete logarithms since (9.4) is equivalent to
$$K\,\mathrm{ind}(M) \equiv \mathrm{ind}(C) \bmod (q - 1). \tag{9.6}$$
Even if we know a plaintext-ciphertext pair $M$ and $C$, computing $K$ can be expected to be difficult for large $q$. From (9.6) we see that $M$ must be a primitive element of $\mathbb{F}_q$ so that $M$ and $C$ determine $K$ uniquely. We also observe that there is a wide choice for the key $K$ since for $q > 2$ there are
(text missing at a page break) system. For primes $q$ we may view $M$ and $C$ as integers with $1 \le M, C \le q - 1$, and then (9.4) and (9.5) are replaced by the congruences
$$C \equiv M^K \bmod q, \qquad C^D \equiv M \bmod q. \qquad \square$$
The cryptosystem in Example 9.7 can be made into a new system by replacing congruences modulo a large prime $q$ by congruences modulo a product $n$ of two large primes $r$ and $q$. Such a cryptosystem was proposed by Rivest, Shamir, and Adleman and is now known as the RSA cryptosystem. Instead of using (9.3), we now find $D$ from
$$KD \equiv 1 \bmod \;\cdots \tag{9.7}$$
(the modulus in (9.7) is illegible in the scan) in this generalized system, where we assume $\gcd(K,$ (text missing at a page break) attention. $\mathbb{F}_{2^{127}}$ is generated by the primitive trinomial $x^{127} + x + 1$ over $\mathbb{F}_2$ and is used to implement a cryptosystem with discrete exponentiation. This particular system has recently been shown to be totally insecure; compare also with the discussion following Example 9.13.
9.8. Example. An application of discrete exponentiation to computer systems is the following. In such systems users' passwords are stored in specially protected files so that only authorized users have access to them. This can be achieved by utilizing discrete exponentiation as a candidate for a one-way function $f$ by creating a public file of pairs $(i, f(P_i))$, where $i$ denotes the user's log-on name and $P_i$ is the user's password. $\square$
9.9. Example. Discrete exponentiation can be used to create a well-known key-exchange system, the Diffie-Hellman scheme. Suppose users A and B wish to communicate by using a standard high-speed cryptosystem such as DES, but they do not have a common key. They choose random integers $h$ and $k$, respectively, where $2 \le h, k \le q - 2$. Let $b$ be a primitive element of $\mathbb{F}_q$. Then A sends $b^h$ to B, while B transmits $b^k$ to A. Both take $b^{hk}$ as their common key, which can be computed by A as $(b^k)^h$ and by B as $(b^h)^k$. It is an unsolved problem to generate $b^{hk}$ from knowledge of $b^h$ and $b^k$ only, without computing either $h$ or $k$. The public-key cryptosystems that are known today have the disadvantage that they are rather slow. Therefore their main use is for the distribution of keys for conventional cryptosystems. $\square$
9.10. Example. Consider the following conventional system for message transmission. User A wishes to send a message $m$, regarded as a nonzero element of the publicly known field $\mathbb{F}_q$, to user B. Then A chooses a random integer $h$, where $1 \le h \le q - 1$ and $\gcd(h, q - 1) = 1$, and transmits $x = m^h$ to B. User B chooses a random integer $k$, where $1 \le k \le q - 1$ and $\gcd(k, q - 1) = 1$, and sends $y = x^k = m^{hk}$ to A. Now A forms $z = y^{h'}$, where $hh' \equiv 1 \bmod (q - 1)$, and sends $z$ to B. Then B only has to compute $z^{k'}$ to recover $m$, where $kk' \equiv 1 \bmod (q - 1)$, since (the displayed verification is illegible in the scan). This three-pass procedure between A and B is also known as the no-key algorithm, where users A and B keep their own respective key pairs $(h, h')$ and $(k, k')$ secret. $\square$
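Examples 9.7, 9.9 and 9.10 above, worked over the prime field $\mathbb{F}_{1019}$ with primitive element 2 (both values chosen here for illustration), as an added example that is not the book's code; the square-and-multiply routine follows the description at the start of this section, and field elements are the integers $1, \ldots, p-1$ as in the text.

```python
"""Exponentiation-based schemes of Examples 9.7, 9.9 and 9.10 over F_p.
Added illustration with p = 1019 and b = 2 (constructed values); field
arithmetic is done modulo p, exponent arithmetic modulo p - 1."""
import random
from math import gcd

P = 1019   # constructed: a small prime used only for illustration
B = 2      # primitive element of F_1019: p - 1 = 2 * 509, and 2 is a quadratic
           # non-residue because 1019 = 3 (mod 8), so 2^509 = -1 and ord(2) = 1018


def square_and_multiply(b, r, q):
    """b^r in F_q by repeated squaring: the powers b, b^2, b^4, ... are formed
    in turn and those selected by the 1 bits of r are multiplied together."""
    result, power = 1, b % q
    while r > 0:
        if r & 1:
            result = result * power % q
        power = power * power % q
        r >>= 1
    return result


def random_unit_exponent(q, rng):
    """An integer K with 1 <= K <= q - 2 and gcd(K, q - 1) = 1 together with
    the D solving K D = 1 (mod q - 1), i.e. congruence (9.3)."""
    while True:
        k = rng.randrange(1, q - 1)
        if gcd(k, q - 1) == 1:
            return k, pow(k, -1, q - 1)


# Example 9.7: C = M^K and M = C^D.
def exp_encrypt(m, key, q):
    return square_and_multiply(m, key, q)


def exp_decrypt(c, d, q):
    return square_and_multiply(c, d, q)


# Example 9.9: Diffie-Hellman.  Returns the two values sent in the open and
# the key each side derives from what it received.
def diffie_hellman(q, b, rng):
    h = rng.randrange(2, q - 1)                     # A's secret, 2 <= h <= q - 2
    k = rng.randrange(2, q - 1)                     # B's secret
    a_sends = square_and_multiply(b, h, q)          # b^h  -> B
    b_sends = square_and_multiply(b, k, q)          # b^k  -> A
    key_at_a = square_and_multiply(b_sends, h, q)   # (b^k)^h
    key_at_b = square_and_multiply(a_sends, k, q)   # (b^h)^k
    return (a_sends, b_sends), key_at_a, key_at_b


# Example 9.10: the three-pass no-key algorithm.  Returns the transmitted
# values x, y, z and the message B recovers.
def no_key_three_pass(m, q, rng):
    h, h_inv = random_unit_exponent(q, rng)        # A's pair (h, h')
    k, k_inv = random_unit_exponent(q, rng)        # B's pair (k, k')
    x = square_and_multiply(m, h, q)               # A -> B: m^h
    y = square_and_multiply(x, k, q)               # B -> A: m^{hk}
    z = square_and_multiply(y, h_inv, q)           # A -> B: m^{hkh'} = m^k
    recovered = square_and_multiply(z, k_inv, q)   # B:      m^{kk'} = m
    return (x, y, z), recovered


def demo(seed=1):
    """Run the three examples with a seeded generator; returns a dict."""
    rng = random.Random(seed)
    key, d = random_unit_exponent(P, rng)
    c = exp_encrypt(123, key, P)
    (a_sends, b_sends), key_a, key_b = diffie_hellman(P, B, rng)
    transcript, recovered = no_key_three_pass(321, P, rng)
    return {"K": key, "D": d, "C": c, "M": exp_decrypt(c, d, P),
            "dh_public": (a_sends, b_sends), "dh_keys": (key_a, key_b),
            "three_pass": transcript, "recovered": recovered}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```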
9.11. Example. Consider the following public-key cryptosystem for message transmission. Let $b$ be a primitive element of $\mathbb{F}_q$, where $q$ and $b$ are known publicly. Let A's public key be the element $b^h \in \mathbb{F}_q$, where $h$ is kept secret by A. If B wants to send a message $m \in \mathbb{F}_q$ to A, then B selects a random integer $k$, $1 \le k \le q - 2$, and transmits the pair $(b^k, m b^{hk})$ to A. Since A knows $h$, he can compute $b^{hk} = (b^k)^h$ and so recover $m$. This cryptosystem could be broken by computing $h$ or $k$ with an efficient discrete logarithm algorithm. $\square$
9.12. Example. The following is a digital signature scheme using discrete exponentiation. If user A wishes to attach a digital signature to a message $m$ with $1 \le m \le p - 1$, he publishes a prime $p$, a primitive element $b$ of $\mathbb{F}_p$ identified with an integer, and an integer $c$, $1 \le c \le p - 1$, obtained from a secret random integer $h$ such that $c \equiv b^h \bmod p$. To sign $m$, A provides a pair $(r, s)$ of integers with $1 \le r \le p - 1$, $0 \le s \le p - 1$, such that (the displayed verification congruence is illegible in the scan). The integer $r$ is generated from a random integer $k$ with $\gcd(k, p - 1) = 1$ by computing $r \equiv b^k \bmod p$. Then $s$ has to satisfy
$$b^m \equiv b^{hr} r^s \equiv b^{hr + ks} \bmod p,$$
which is equivalent to
$$m \equiv hr + ks \bmod (p - 1).$$
The unique solution $s$ of this congruence is easily obtained by A since he knows $h$, $r$, and $k$. If an attacker could compute $h$ from $c$ by using a discrete logarithm algorithm, this digital signature scheme would be insecure. Before we describe several discrete logarithm algorithms for $\mathbb{F}_q$, we
Cryptology
350
make a few general observations. As above, we repeatedly usc the fact thaI arithmetic in the exponents is done modulo 'i -- I since hq - , ~ h O ~ I for any primitivc element b of I'q. In the case ofa prime field Fpit is often convenient to identify elements of J p with integers, so that identities in I p arc also written as congruences modulo p. ~ext we observe that it is not difficult to find the discrete logaritbms of arbitrary elements of F: under tbe assumption that discrete logarithms arc "easy" to calculate (or known) for a relatively small portion of all the clements of Fi. For suppose it is easy to compute ind,(a) = indIa) for a set r: of c(q - I) special elements aE F:, where D< f, < I. If a given a"E'r: is not in r:, take a uniform random sample 11 from {a, 1. ... , q . - 2} and define a I ..." (loh l :. If a,EE, so that ind(a,) is easy to compute, then ind(a u)
=india,) -
t, mod(q - 1).
',,1,,'"
Otherwise, take independent and uniform random samples from 2} until an ai = aoh" in r:isfound. Then ind(ao)can becalculared by subtraction. Note that the probability that all the clements a",a" ... , a k arc outside of E is (I -,:)'-', which rapidly becomes small. As an illustration consider the casc of a prime field ~. p' If thc discrete logarithms in [- p of the first n primes 2 = 1', < ... < 1', < I' arc known and if an integer a satisfies
{D, I. ... , q
,
a =:
II p? mod 1', i ,. 1
then
" ind(a):= L
i-I
Cj
ind(p) mod(p - )).
Integers which factor completcly into small primes are called "smooth". In the case described here it is easy to compute ind(a) if a is smooth and the values ind(p) are known. The sct of smooth integers is then an example ofa set f; from above. The dcnsity of smooth integers is crucial in the analysis of scveral discrete logarithm algorithms. We first prcsent the Sih-er-Pohlig-llellman 0/1I0I'i1l1l11 for computing discrete logarithms in I'q. The main point to be made here is to show that if q I factors into small primes, then the disercte logarithms can be calculated rather cffieiently, and so cryptosystems based on discrete exponcntiation in Fq arc insecure for such q. Let
npf' k
1/-1 =
i-I
be the prime factor decomposition of q - I. where 1', < 1', < ... < 1', arc the distinct prime factors. We wish to find the valuc I' = indb(a) such that a = b', where b is a primitive clement of Fq' Thc value of r will be determincd modulo
3. Discrete
Logarilhm~
351
p;' for i = 1,2,"',k and the results will then he eomhined by the Chinese Remainder Theorem for integers (see Exercise 1.13) to ohtain r modulo q - I, which completely determines r since 0,,:; r < l} - I. Suppose
r=
, Ij-a .\jp{ mod pr'
'.
(9.8)
In order to determine Su we form
where Ci = h(q : lip; is a primitive Pith root of unity in Jq' Therefore there are only Pi possible values for d
d = ah - Sf,
=h
e,
r1
•
where
'1 = I
,
Sj/'j.
j=1
Then
uniquely determines 5,. This method is continued to find all the Sj in (9.8). It can be shown that this algorithm has a running time of order at most pll2(iogq)', where p, is the largest prime factor of q - I. Therefore the algorithm is most efficient if q - 1 only has small prime factors. 9.13. Example. Letl} = 17, thenh = -' isaprimitiveelementofF 17 • We wish to find r = ind}a) for a = 2 hy the Silver-rohlig-Hellman algorithm. Sineeq I = 24 , weonlyhave to work with theprimefaetor p, = 2. We calculate C =h(q"!1;2 _ _.1. Write 1
and so
So
= O. Then d = aho
= -2 and
d(q - l)i4
= (_
2)4
=
I=
C~l •
and so s, = I. Then e=ah-'= -4 and e(q
and so s, = I. !\iow J ~ ah
l)fH=(_4)2=U
-1-=-=cY.
= I, hence u ~ hO, and so ind,( -2)" 6.
0
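The Silver-Pohlig-Hellman algorithm of this section, together with the two schemes it threatens (Examples 9.11 and 9.12), as an added Python example that is not the authors' code: `pohlig_hellman` computes $\mathrm{ind}_b(a)$ in a prime field $\mathbb{F}_p$ digit by digit as in (9.8) and combines the residues by the Chinese Remainder Theorem, reproducing Example 9.13 and solving Exercise 9.10; `sign`/`verify` and `encrypt`/`decrypt` are the signature scheme of 9.12 and the cryptosystem of 9.11; `recover_secret` is the attack the text warns about when $p-1$ is smooth. The demonstration prime $p = 65537$ (so $p - 1 = 2^{16}$), the base $b = 3$ and all exponents are assumptions chosen here.

```python
from math import gcd


def factorize(n):
    """Trial-division factorization n = prod p_i^{k_i}, returned as {p_i: k_i} (fine for the sizes used here)."""
    fs, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            fs[d] = fs.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        fs[n] = fs.get(n, 0) + 1
    return fs


def pohlig_hellman(b, a, p):
    """r = ind_b(a) in the prime field F_p for a primitive element b (Silver-Pohlig-Hellman).
    For each prime power p_i^{k_i} of p - 1 the digits s_j of (9.8) are found one at a time,
    then the residues are combined with the Chinese Remainder Theorem."""
    q1 = p - 1
    r, modulus = 0, 1
    for pi, ki in factorize(q1).items():
        c = pow(b, q1 // pi, p)                             # c_i = b^{(q-1)/p_i}, primitive p_i-th root of unity
        log_table = {pow(c, s, p): s for s in range(pi)}   # the p_i possible values c_i^s
        ri, pe = 0, 1                                       # r mod p_i^{k_i}, built as s_0 + s_1 p_i + ...
        for _ in range(ki):
            d = a * pow(b, -ri, p) % p                      # d = a b^{-e_j}
            ri += log_table[pow(d, q1 // (pe * pi), p)] * pe  # d^{(q-1)/p_i^{j+1}} = c_i^{s_j}
            pe *= pi
        r += modulus * ((ri - r) * pow(modulus, -1, pe) % pe)  # CRT: r mod (modulus * pe)
        modulus *= pe
    return r % q1


def sign(p, b, h, m, k):
    """Example 9.12: A's signature (r, s) on m, 1 <= m <= p - 1, from the secret h and a random k."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p - 1")
    r = pow(b, k, p)
    s = (m - h * r) * pow(k, -1, p - 1) % (p - 1)          # m = h r + k s (mod p - 1)
    return r, s


def verify(p, b, c, m, signature):
    """Check b^m = c^r r^s (mod p) against the public key c = b^h."""
    r, s = signature
    return 1 <= r <= p - 1 and pow(b, m, p) == pow(c, r, p) * pow(r, s, p) % p


def encrypt(p, b, c, m, k):
    """Example 9.11: B sends (b^k, m c^k) to A, whose public key is c = b^h."""
    return pow(b, k, p), m * pow(c, k, p) % p


def decrypt(p, h, ciphertext):
    """A recovers m from (b^k, m b^{hk}) with the secret h."""
    bk, y = ciphertext
    return y * pow(bk, -h, p) % p


def recover_secret(p, b, c):
    """The attack: for smooth p - 1, ind_b(c) = h is cheap, after which the attacker signs
    in A's name and decrypts everything sent to A."""
    return pohlig_hellman(b, c, p)


if __name__ == "__main__":
    p, b, h = 65537, 3, 12345       # assumed parameters; p - 1 = 2^16 is as smooth as it gets
    c = pow(b, h, p)
    print("ind_3(-2) in F_17 =", pohlig_hellman(3, 17 - 2, 17))
    print("recovered h =", recover_secret(p, b, c))
    forged = sign(p, b, recover_secret(p, b, c), 999, 11)
    print("forged signature verifies:", verify(p, b, c, 999, forged))
```

The lookup table in `pohlig_hellman` has $p_i$ entries, which is the whole point of the algorithm: the cost is governed by the largest prime factor of $p - 1$, not by $p$, so a prime such as $2^{16}+1$ offers no protection at all. The same $h$ serves both schemes, so recovering it from the signature key $c$ also breaks the confidentiality of Example 9.11.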
The fact that the Silver-Pohlig-Hellman algorithm is less efficient if $q-1$ has a large prime factor has led to the idea that fields $\mathbb{F}_{2^n}$ be employed, where $2^n - 1$ is a Mersenne prime. Such fields are also easy to implement. At the time of this writing 29 Mersenne primes are known, the largest one being $2^{132049} - 1$, but the case of $2^{127} - 1$ is of particular interest since the field with $2^{127}$ elements has been used in practical hardware implementations. Unfortunately, the resulting cryptosystem is completely unsafe since the discrete logarithm algorithms given below can be carried out rapidly. If one uses $\mathbb{F}_{2^n}$ for a cryptosystem based on discrete exponentiation, an attacker would need access to a modern supercomputer in order to break a system based on such finite fields for $n \ge 400$ or even $n \ge 800$. Within the next ten years it is recommended to choose $n \ge 2000$ if one wishes to take into account developments in large special-purpose machines or improvements of algorithms. Another disadvantage of fields $\mathbb{F}_{2^n}$ for cryptographic applications is that there are few fields of this type, in the sense that there is only one field of order $2^n$, but there are many prime fields $\mathbb{F}_p$ of comparable order since there are many primes $p$ with $2^{n-1} < p < 2^n$. This also lessens the security of a cryptosystem. For large primes $p$ it appears that fields of the form $\mathbb{F}_{p^n}$ do not offer increased security over fields $\mathbb{F}_p$. If we take a system whose main objective is key exchange and which is based on discrete exponentiation in $\mathbb{F}_p$, such as the Diffie-Hellman scheme in Example 9.9, and compare it with a public-key cryptosystem like RSA, then the former seems preferable since one can use keys that are about half as long for the same level of security.

We now discuss another discrete logarithm algorithm for $\mathbb{F}_q$, the index-calculus algorithm, one variant of which is due to Blake, Fuji-Hara, Mullin, and Vanstone. This algorithm works best for $q = 2^n$, but it can also be carried out for $q = p^n$ with $p$ prime and $n \ge 2$. Let $\mathbb{F}_q$ with $q = p^n$ be defined by the irreducible polynomial $f(x)$ over $\mathbb{F}_p$ of degree $n$. Since $\mathbb{F}_q$ is isomorphic to the residue class ring $\mathbb{F}_p[x]/(f)$, all elements of $\mathbb{F}_q$ can be uniquely represented as polynomials over $\mathbb{F}_p$ of degree $< n$, with the arithmetic being polynomial arithmetic modulo $f(x)$; compare with Chapter 1, Section 3. This identification will be used throughout the rest of this section. Suppose $b(x)$ is a primitive element of $\mathbb{F}_q$. The algorithm to find the discrete logarithm $\mathrm{ind}(a(x))$ to the base $b(x)$ of an arbitrary nonzero element $a(x)$ of $\mathbb{F}_q$ consists of two stages. In the initial stage we compute the discrete logarithms to the base $b(x)$ of all elements of a chosen subset $V$ of $\mathbb{F}_q$. The set $V$ usually consists of all the monic irreducible polynomials over $\mathbb{F}_p$ of degree $\le m$, where the integer $m < n$ is determined according to certain probability computations described later. We suppose that $\mathrm{ind}(d)$ is known for all $d \in \mathbb{F}_p^*$. This is trivially satisfied for $p = 2$ since the only possibility is $d = 1$ and then $\mathrm{ind}(d) = \mathrm{ind}(1) = 0$. For $p > 2$ we use the observation that $h = b(x)^{(q-1)/(p-1)}$ is a primitive element of $\mathbb{F}_p$ and
$$\mathrm{ind}_{b(x)}(d) = \frac{q-1}{p-1}\,\mathrm{ind}_h(d) \quad\text{for all } d \in \mathbb{F}_p^*.$$
For small values of $p$, $\mathrm{ind}_h(d)$ can be obtained by direct calculation. For large $p$ we may use, for instance, the Silver-Pohlig-Hellman algorithm to compute these discrete logarithms.
9.14. Index-Calculus Algorithm: Initial Stage. Choose a random integer $t$, $1 \le t \le q-2$, and form the polynomial $c(x) \in \mathbb{F}_p[x]$ determined by
$$c(x) \equiv b(x)^t \bmod f(x), \qquad \deg(c(x)) < n.$$
Then factor $c(x)$ into irreducible polynomials over $\mathbb{F}_p$, using techniques of Chapter 4 if necessary. If all the monic irreducible factors are elements of $V$, so that
$$c(x) = d \prod_{v \in V} v(x)^{e_v(c)}, \qquad d \in \mathbb{F}_p^*,$$
is the canonical factorization in $\mathbb{F}_p[x]$, then
$$t \equiv \mathrm{ind}(d) + \sum_{v \in V} e_v(c)\,\mathrm{ind}(v(x)) \pmod{q-1}.$$
As soon as we obtain more than $|V|$ independent congruences of this type, we expect that the corresponding system in the unknowns $\mathrm{ind}(v(x))$, $v \in V$, will determine these discrete logarithms uniquely modulo $q-1$ for all $v \in V$. The initial stage depends on the possibility to factor $c(x)$ in the way stated above and to obtain sufficiently many independent congruences. This stage is independent of $a(x)$ and can be used for other computations in $\mathbb{F}_q$. The second stage of the algorithm is based on the principles described in the discussion following Example 9.12. In the earlier illustration the set $E$ of elements with easily computable discrete logarithms was formed by the smooth integers. The role of the smooth integers is now played by those polynomials over $\mathbb{F}_p$ all of whose irreducible factors are elements of $V$, that is, all of whose irreducible factors have degree $\le m$. Note that the discrete logarithms of the elements of $V$ are known from the precomputation in the initial stage. These discrete logarithms serve thus as a data base for the second stage of the algorithm, and as mentioned earlier this data base should also include the discrete logarithms of all elements of $\mathbb{F}_p^*$.

9.15. Index-Calculus Algorithm: Second Stage. To compute $\mathrm{ind}(a(x))$ to the base $b(x)$, choose a random integer $t$, $0 \le t \le q-2$, and form the polynomial $a_t(x) \in \mathbb{F}_p[x]$ determined by
$$a_t(x) \equiv a(x)b(x)^t \bmod f(x), \qquad \deg(a_t(x)) < n.$$
Then factor $a_t(x)$ into irreducible polynomials over $\mathbb{F}_p$, using techniques of Chapter 4 if necessary. If all the monic irreducible factors are elements of $V$, so that
$$a_t(x) = d \prod_{v \in V} v(x)^{e_v(a_t)}, \qquad d \in \mathbb{F}_p^*,$$
is the canonical factorization in $\mathbb{F}_p[x]$, then $\mathrm{ind}(a(x))$ is determined by
$$\mathrm{ind}(a(x)) \equiv \mathrm{ind}(d) + \sum_{v \in V} e_v(a_t)\,\mathrm{ind}(v(x)) - t \pmod{q-1}.$$
If $a_t(x)$ does not have the desired type of factorization, choose other values of $t$ until this type of factorization is obtained. For the analysis of both stages of the algorithm it is important to study the probability $P(n,m)$ that a nonzero polynomial over $\mathbb{F}_p$ of degree $< n$ has all its irreducible factors in $\mathbb{F}_p[x]$ of degree $\le m$. We have
$$P(n,m) = \frac{1}{p^n - 1}\sum_{k=0}^{n-1} N(k,m),$$
where $N(k,m)$ is the number of polynomials over $\mathbb{F}_p$ of degree $k$ that have all their irreducible factors in $\mathbb{F}_p[x]$ of degree $\le m$. A recurrence relation for evaluating $N(k,m)$ is given in Exercise 9.14. For $p = 2$ this leads after lengthy calculations to the formula
$$P(n,m) = A(n,m)\left(\frac{m}{n}\right)^{B(n,m)\,n/m},$$
where $A(n,m)$ and $B(n,m)$ tend to $1$ for $n \to \infty$ and $n^{1/100} \le m \le n^{99/100}$. Thus we will need roughly
$$P(n,m)^{-1} \approx \left(\frac{n}{m}\right)^{n/m} \tag{9.9}$$
choices of integers $t$ before the second stage of the algorithm can find the discrete logarithm of $a(x)$. It is clear that $m$ cannot be chosen too small, for otherwise the running time of the second stage would be exorbitantly long. On the other hand, if $m$ is chosen too large, then the initial stage will require a very long running time. Thus one has to find a middle ground between these two extremes. For instance, in the important special case $p = 2$ and $n = 127$ the choice $m = 17$ is recommended; then 16510 discrete logarithms have to be precomputed in the initial stage since there are that many irreducible polynomials over $\mathbb{F}_2$ of degree $\le 17$.

9.16. Example. To illustrate how the initial stage is carried out, we consider $\mathbb{F}_{64}$ defined by $f(x) = x^6 + x + 1 \in \mathbb{F}_2[x]$. Since $f(x)$ is a primitive polynomial over $\mathbb{F}_2$, we can take $b(x) = x$ as a primitive element of $\mathbb{F}_{64}$. Suppose the maximum degree $m$ of irreducible polynomials in the set $V$ is 2. So we have to find the discrete logarithms of $x$, $x+1$, and $x^2+x+1$ to the base $x$. Clearly $\mathrm{ind}(x) = 1$. Now we choose integers $t$ with $1 \le t \le 62$. A good choice is $t = 6$, since then $c(x) = x^6 \equiv x + 1 \bmod f(x)$, hence $\mathrm{ind}(x+1) = 6$. Another good choice is $t = 32$, since
$$x^{64} \equiv x \equiv x^6 + 1 = (x^3+1)^2 \bmod f(x)$$
implies
$$c(x) = x^{32} \equiv x^3 + 1 \equiv (x+1)(x^2+x+1) \bmod f(x).$$
This yields
$$32 \equiv \mathrm{ind}(x+1) + \mathrm{ind}(x^2+x+1) \equiv 6 + \mathrm{ind}(x^2+x+1) \pmod{63},$$
hence $\mathrm{ind}(x^2+x+1) = 26$. □
9.17. Example. To demonstrate a simple case for the second stage, let $\mathbb{F}_{64}$ again be defined by $f(x) = x^6 + x + 1 \in \mathbb{F}_2[x]$ and let $b(x) = x$. Suppose $m = 2$, so that the discrete logarithms of the elements of $V$ are known from Example 9.16. These values constitute our data base. We wish to find the discrete logarithm of $a(x) = x^4 + x^3 + x^2 + x + 1$ to the base $x$. We form $a_t(x) \equiv a(x)x^t \bmod f(x)$ with a suitable $t$. The choice $t = 2$ yields
$$a_2(x) \equiv a(x)x^2 \equiv x^5 + x^4 + x^3 + x^2 + x + 1 = (x^2+x+1)^2(x+1) \bmod f(x),$$
hence all the irreducible factors are in $V$. Therefore
$$\mathrm{ind}(a(x)) \equiv 2\,\mathrm{ind}(x^2+x+1) + \mathrm{ind}(x+1) - 2 \equiv 2 \cdot 26 + 6 - 2 \equiv 56 \pmod{63},$$
and so $\mathrm{ind}(x^4 + x^3 + x^2 + x + 1) = 56$. □
The second stage of the index-calculus algorithm can be speeded up by using the Euclidean algorithm. Consider again the nonzero polynomial $a_t(x) \in \mathbb{F}_p[x]$ determined by
$$a_t(x) \equiv a(x)b(x)^t \bmod f(x), \qquad \deg(a_t(x)) < n. \tag{9.10}$$
The method in 9.15 is successful only if $a_t(x)$ has all its irreducible factors in $\mathbb{F}_p[x]$ of degree $\le m$. The main idea is to replace this now by the following condition: there exist nonzero polynomials $w_1(x)$ and $w_2(x)$ over $\mathbb{F}_p$ with
$$w_2(x)a_t(x) \equiv w_1(x) \bmod f(x) \tag{9.11}$$
and $\deg(w_i(x)) \le n/2$ for $i = 1, 2$ such that each $w_i(x)$ has all its irreducible factors in $\mathbb{F}_p[x]$ of degree $\le m$. If such polynomials $w_i(x)$ can be found, then their canonical factorization in $\mathbb{F}_p[x]$ is of the form
$$w_i(x) = d_i \prod_{v \in V} v(x)^{e_v(w_i)} \quad\text{for } i = 1, 2 \tag{9.12}$$
with $d_i \in \mathbb{F}_p^*$. It follows then from (9.10) and (9.11) that the discrete logarithm of $a(x)$ is determined by
$$\mathrm{ind}(a(x)) \equiv \mathrm{ind}(d_1 d_2^{-1}) + \sum_{v \in V}\big(e_v(w_1) - e_v(w_2)\big)\,\mathrm{ind}(v(x)) - t \pmod{q-1}. \tag{9.13}$$
Polynomials $w_1(x)$ and $w_2(x)$ satisfying (9.11) and the degree restriction above can be calculated by an application of the Euclidean algorithm that is similar to the procedure for decoding Goppa codes (see Chapter 8, Section 3). In detail, we use the Euclidean algorithm with the polynomials $r_{-1}(x) = f(x)$ and $r_0(x) = a_t(x)$. This yields
$$r_{h-1}(x) = q_{h+1}(x)r_h(x) + r_{h+1}(x), \qquad \deg(r_{h+1}(x)) < \deg(r_h(x)), \qquad\text{for } h = 0, 1, \ldots, s-1,$$
$$r_{s-1}(x) = q_{s+1}(x)r_s(x).$$
Since $0 \le \deg(a_t(x)) < n = \deg(f(x))$ and $f(x)$ is irreducible over $\mathbb{F}_p$, we have $\gcd(f(x), a_t(x)) = 1$ and so $\deg(r_s(x)) = 0$. Consequently, there exists a least index $j$, $0 \le j \le s$, such that $\deg(r_j(x)) \le n/2$. Now calculate recursively the polynomials
$$z_{-1}(x) = 0, \qquad z_0(x) = 1, \qquad z_h(x) = z_{h-2}(x) - q_h(x)z_{h-1}(x) \quad\text{for } h = 1, 2, \ldots, j.$$
By the generalizations of (8.12) and (8.13) shown in Exercises 8.43(a) and 8.43(e) we have
$$z_j(x)a_t(x) \equiv r_j(x) \bmod f(x)$$
and
$$\deg(z_j(x)) = \deg(f(x)) - \deg(r_{j-1}(x)) = n - \deg(r_{j-1}(x)).$$
From the minimality of $j$ we get $\deg(r_{j-1}(x)) > n/2$, and so $\deg(z_j(x)) < n/2$. It follows that $w_1(x) = r_j(x)$ and $w_2(x) = z_j(x)$ are polynomials satisfying (9.11) and $\deg(w_1(x)) \le n/2$, $\deg(w_2(x)) < n/2$. Moreover, $w_1(x)$ and $w_2(x)$ can be calculated very quickly. The condition about the irreducible factors of $w_1(x)$ and $w_2(x)$ cannot be guaranteed by the algorithm above. However, we may heuristically estimate the probability that both $w_1(x)$ and $w_2(x)$ have the desired type of factorization in (9.12). Let $P(n,m)$ again denote the probability that a nonzero polynomial over $\mathbb{F}_p$ of degree $< n$ has all its irreducible factors in $\mathbb{F}_p[x]$ of degree $\le m$. If we make the reasonable assumption that $w_1(x)$ and $w_2(x)$ behave like independently chosen random polynomials of degree $< \lfloor n/2 \rfloor + 1$, then the probability that $w_1(x)$ and $w_2(x)$ have all their irreducible factors in $\mathbb{F}_p[x]$ of degree $\le m$ will be approximately $P(\lfloor n/2 \rfloor + 1, m)^2$. Using the approximation (9.9) in the case $p = 2$, we obtain that we will now need roughly
$$P(\lfloor n/2 \rfloor + 1, m)^{-2} \approx \left(\frac{n}{2m}\right)^{n/m}$$
choices of integers $t$ in the second stage of the algorithm. This is a saving by a factor of approximately $2^{-n/m}$ over the corresponding expression in (9.9). Thus we can expect that this version of the second stage of the index-calculus algorithm will be significantly faster than the earlier one. We summarize this method as follows, assuming again that we already have a data base containing the discrete logarithms of all elements of $\mathbb{F}_p^*$ and of all elements of the set $V$ consisting of the monic irreducible polynomials over $\mathbb{F}_p$ of degree $\le m$.

9.18. Index-Calculus Algorithm: Improved Version of Second Stage. To compute $\mathrm{ind}(a(x))$ to the base $b(x)$, choose a random integer $t$, $0 \le t \le q-2$, and form the polynomial $a_t(x) \in \mathbb{F}_p[x]$ determined by
$$a_t(x) \equiv a(x)b(x)^t \bmod f(x), \qquad \deg(a_t(x)) < n.$$
Then carry out the Euclidean algorithm with $r_{-1}(x) = f(x)$ and $r_0(x) = a_t(x)$ and stop as soon as $\deg(r_j(x)) \le n/2$. Put $w_1(x) = r_j(x)$ and $w_2(x) = z_j(x)$ and factor these polynomials into irreducible polynomials over $\mathbb{F}_p$, using techniques of Chapter 4 if necessary. If all the monic irreducible factors are elements of $V$, so that $w_1(x)$ and $w_2(x)$ are of the form (9.12), then $\mathrm{ind}(a(x))$ is determined by (9.13). If this condition on the monic irreducible factors of $w_1(x)$ and $w_2(x)$ is not satisfied, choose other values of $t$ until this condition holds.

In the case $p = 2$ further improvements on the construction of the data base and on the speeding up of the second stage of the index-calculus algorithm were recently achieved by Coppersmith.

9.19. Example. We give a simple illustration of the algorithm in 9.18. Consider the finite field $\mathbb{F}_{32}$, so that $p = 2$ and $n = 5$. Let $\mathbb{F}_{32}$ be defined by the primitive polynomial $f(x) = x^5 + x^2 + 1$ over $\mathbb{F}_2$. Then we can take $b(x) = x$ as a primitive element of $\mathbb{F}_{32}$. We wish to find the discrete logarithm of $a(x) = x^3 + x + 1$ to the base $x$. Suppose the data base consists of the discrete logarithms of all irreducible polynomials over $\mathbb{F}_2$ of degree $\le 2$:
$$\mathrm{ind}(x) = 1, \qquad \mathrm{ind}(x+1) = 18, \qquad \mathrm{ind}(x^2+x+1) = 11.$$
Choose the integer $t = 0$, so that $a_0(x) = a(x)$, and carry out the Euclidean algorithm with $r_{-1}(x) = x^5 + x^2 + 1$ and $r_0(x) = x^3 + x + 1$. This yields
$$x^5 + x^2 + 1 = (x^2+1)(x^3+x+1) + x.$$
Since $r_1(x) = x$ satisfies $\deg(r_1(x)) \le n/2$, we can already stop. Thus $w_1(x) = r_1(x) = x$ and $w_2(x) = z_1(x) = x^2 + 1 = (x+1)^2$. It follows then from (9.13) that
$$\mathrm{ind}(x^3+x+1) \equiv \mathrm{ind}(x) - 2\,\mathrm{ind}(x+1) = 1 - 2 \cdot 18 \equiv 27 \pmod{31},$$
and so $\mathrm{ind}(x^3+x+1) = 27$. □
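The three procedures 9.14, 9.15 and 9.18 in one added Python program (example code written for this edition, not the algorithm as implemented by the authors or by Blake, Fuji-Hara, Mullin and Vanstone), specialised to $p = 2$ and $b(x) = x$ so that Examples 9.16, 9.17 and 9.19 can be reproduced. Polynomials over $\mathbb{F}_2$ are held as Python integers, bit $i$ being the coefficient of $x^i$. One simplification is assumed and marked in the code: instead of solving the full system of congruences collected in the initial stage, each $\mathrm{ind}(v)$ is read off a relation in which it is the only unknown, which suffices for these small fields.

```python
from math import gcd

# Polynomials over F_2 are ints: bit i is the coefficient of x^i, so x = 0b10 and 1 = 0b1.
def deg(a):
    return a.bit_length() - 1


def pdivmod(a, b):
    """Quotient and remainder of a by b in F_2[x] (b != 0)."""
    q, db = 0, deg(b)
    while a and deg(a) >= db:
        s = deg(a) - db
        q ^= 1 << s
        a ^= b << s
    return q, a


def pmul(a, b, f=None):
    """a * b in F_2[x]; when f is given (deg a, deg b < deg f) the product is reduced mod f."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if f is not None and a >> deg(f) & 1:
            a ^= f
    return r


def ppow(a, e, f):
    """a^e mod f by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = pmul(r, a, f)
        a, e = pmul(a, a, f), e >> 1
    return r


def irreducibles_upto(m):
    """V: all monic irreducible polynomials over F_2 of degree <= m (trial division by smaller ones)."""
    V = []
    for d in range(1, m + 1):
        for p in range(1 << d, 1 << (d + 1)):
            if all(pdivmod(p, v)[1] for v in V if deg(v) <= d // 2):
                V.append(p)
    return V


def factor_over(c, V):
    """{v: e_v(c)} if every irreducible factor of c lies in V (c is 'smooth'), else None."""
    exps = {}
    for v in V:
        while True:
            q, r = pdivmod(c, v)
            if r:
                break
            c, exps[v] = q, exps.get(v, 0) + 1
    return exps if c == 1 else None


def initial_stage(f, V):
    """9.14 with b(x) = x (f primitive): from relations x^t = prod v^{e_v} mod f obtain ind(v).
    Assumed simplification: an unknown ind(v) is solved only from a relation in which it is the
    sole unknown and e_v is invertible mod q-1, instead of solving the whole linear system."""
    q, logs = 1 << deg(f), {0b10: 1}             # ind(x) = 1
    for t in range(1, q - 1):
        e = factor_over(ppow(0b10, t, f), V)
        if e is None:
            continue
        unknown = [v for v in e if v not in logs]
        if len(unknown) == 1 and gcd(e[unknown[0]], q - 1) == 1:
            v = unknown[0]
            rest = sum(e[w] * logs[w] for w in e if w != v)
            logs[v] = (t - rest) * pow(e[v], -1, q - 1) % (q - 1)
        if len(logs) == len(V):
            break
    return logs


def second_stage(a, f, V, logs):
    """9.15: find t with a x^t smooth; then ind(a) = sum e_v ind(v) - t (mod q-1)."""
    q = 1 << deg(f)
    for t in range(q - 1):
        e = factor_over(pmul(a, ppow(0b10, t, f), f), V)
        if e is not None:
            return (sum(e[v] * logs[v] for v in e) - t) % (q - 1)


def second_stage_euclid(a, f, V, logs):
    """9.18: Euclid on (f, a_t) until deg(r_j) <= n/2 gives w_2 a_t = w_1 mod f with both
    w_i of degree about n/2; each is far likelier to be smooth than a_t itself."""
    n, q = deg(f), 1 << deg(f)
    for t in range(q - 1):
        r_prev, r = f, pmul(a, ppow(0b10, t, f), f)  # r_{-1} = f, r_0 = a_t
        z_prev, z = 0, 1                              # z_{-1} = 0, z_0 = 1
        while deg(r) > n // 2:
            qh, rem = pdivmod(r_prev, r)
            r_prev, r = r, rem
            z_prev, z = z, z_prev ^ pmul(qh, z)      # z_h = z_{h-2} - q_h z_{h-1} (minus is plus over F_2)
        e1, e2 = factor_over(r, V), factor_over(z, V)  # w_1 = r_j, w_2 = z_j
        if e1 is not None and e2 is not None:         # (9.13); d_1 = d_2 = 1 over F_2
            s = sum(e1[v] * logs[v] for v in e1) - sum(e2[v] * logs[v] for v in e2)
            return (s - t) % (q - 1)


if __name__ == "__main__":
    V = irreducibles_upto(2)                     # x, x+1, x^2+x+1
    logs = initial_stage(0b1000011, V)           # F_64, f = x^6 + x + 1 (Example 9.16)
    print(logs, second_stage(0b11111, 0b1000011, V, logs))   # Example 9.17
```

For Example 9.19 call `initial_stage(0b100101, V)` and then `second_stage_euclid(0b1011, 0b100101, V, logs)`. Running `second_stage` and `second_stage_euclid` on the same input is a useful self-check: the two must agree, since every relation used is an exact identity in $\mathbb{F}_q$.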
These discrete logarithm algorithms have diminished the security of cryptosystems based on discrete exponentiation. It is therefore of interest to design cryptosystems that use similar principles, but employ more complex operations than discrete exponentiation. This is carried out in the recent proposal of FSR cryptosystems by Niederreiter, where FSR stands for "feedback shift register". In these cryptosystems, discrete exponentiation is replaced by the operation of decimation for linear recurring sequences in finite fields (compare with Chapter 7, Section 4). The ciphertexts are strings of consecutive terms of linear recurring sequences that are obtained by decimation from message-dependent linear recurring sequences. The cryptanalysis amounts to inferring the value of the integer $k$ from the knowledge of the polynomials $f(x) = \prod_j (x - \alpha_j)$ and $f_k(x) = \prod_j (x - \alpha_j^k)$ over $\mathbb{F}_q$, where both factorizations are in the splitting fields of the polynomials over $\mathbb{F}_q$. This problem is more difficult than determining discrete logarithms.

We now describe a public-key cryptosystem in which discrete logarithms are used for encryption. This cryptosystem due to Chor and Rivest is of the knapsack type; that is, it is based on the difficulty of recovering the summands from the value of their sum. The following auxiliary result is crucial.

9.20. Lemma. Let $p$ be a prime and $n \ge 2$ an integer. Then there exist integers $a_0, a_1, \ldots, a_{p-1}$ with $1 \le a_i \le p^n - 2$ for $0 \le i \le p-1$ such that for any two distinct vectors $(h_0, h_1, \ldots, h_{p-1})$ and $(k_0, k_1, \ldots, k_{p-1})$ with nonnegative integral coordinates satisfying
$$\sum_{i=0}^{p-1} h_i < n \quad\text{and}\quad \sum_{i=0}^{p-1} k_i < n \tag{9.14}$$
we have
$$\sum_{i=0}^{p-1} h_i a_i \not\equiv \sum_{i=0}^{p-1} k_i a_i \pmod{p^n - 1}.$$

Proof. Consider the finite field $\mathbb{F}_q$ with $q = p^n$ and identify it as before with the residue class ring $\mathbb{F}_p[x]/(f)$, where $f(x)$ is an irreducible polynomial over $\mathbb{F}_p$ of degree $n$. Relative to a fixed primitive element of $\mathbb{F}_q$ set
$$a_i = \mathrm{ind}(x - i) \quad\text{for } i = 0, 1, \ldots, p-1.$$
Each $a_i$ satisfies $1 \le a_i \le q-2$. Now suppose $(h_0, h_1, \ldots, h_{p-1})$ and $(k_0, k_1, \ldots, k_{p-1})$ are two vectors with nonnegative integral coordinates satisfying (9.14) and
$$\sum_{i=0}^{p-1} h_i a_i \equiv \sum_{i=0}^{p-1} k_i a_i \pmod{q-1}.$$
Then
$$\mathrm{ind}\Big(\prod_{i=0}^{p-1} (x-i)^{h_i}\Big) \equiv \mathrm{ind}\Big(\prod_{i=0}^{p-1} (x-i)^{k_i}\Big) \pmod{q-1},$$
and so
$$\prod_{i=0}^{p-1} (x-i)^{h_i} \equiv \prod_{i=0}^{p-1} (x-i)^{k_i} \bmod f(x).$$
Now (9.14) shows that on each side we have a polynomial over $\mathbb{F}_p$ of degree $< n$, hence
$$\prod_{i=0}^{p-1} (x-i)^{h_i} = \prod_{i=0}^{p-1} (x-i)^{k_i}.$$
Unique factorization in $\mathbb{F}_p[x]$ implies $h_i = k_i$ for $0 \le i \le p-1$, and the desired result is established. □
The cryptosystem is implemented as follows. Take a publicly known finite field $\mathbb{F}_q$ with $q = p^n$, $p$ prime, $n \ge 2$, in which discrete logarithms can be efficiently computed. Choose a random irreducible polynomial $f(x)$ over $\mathbb{F}_p$ of degree $n$ and a random primitive element $b(x)$ of $\mathbb{F}_q$. Relative to the base $b(x)$ compute $a_i = \mathrm{ind}(x - i)$ for $i = 0, 1, \ldots, p-1$ as in the proof of Lemma 9.20. Scramble the $a_i$ by selecting a random permutation $\psi$ of $\{0, 1, \ldots, p-1\}$ and putting
$$c_i = a_{\psi(i)} \quad\text{for } i = 0, 1, \ldots, p-1.$$
Then publish $c_0, c_1, \ldots, c_{p-1}$ as the public key and keep $f(x)$, $b(x)$, and $\psi$ secret. With this cryptosystem we can encipher binary messages $M = m_0 m_1 \cdots m_{p-1}$ of length $p$ for which the number $N$ of 1's is less than $n$. In detail, let $m_{i_1} = \cdots = m_{i_N} = 1$ and all other $m_i = 0$. Then encipher $M$ as the integer $E(M)$ with $0 \le E(M) \le p^n - 2$ and
$$E(M) \equiv c_{i_1} + \cdots + c_{i_N} \pmod{p^n - 1}.$$
It follows from Lemma 9.20 that distinct messages are enciphered as distinct ciphertexts. To decipher the ciphertext $s = E(M)$, we calculate the uniquely determined polynomial $g(x) \in \mathbb{F}_p[x]$ with $\deg(g(x)) < n$ and $g(x) \equiv b(x)^s \bmod f(x)$. From the definition of the $c_i$ and $a_i$ we obtain
$$g(x) \equiv b(x)^{a_{\psi(i_1)} + \cdots + a_{\psi(i_N)}} \equiv (x - \psi(i_1)) \cdots (x - \psi(i_N)) \bmod f(x).$$
Since $N < n = \deg(f(x))$, we have
$$g(x) = (x - \psi(i_1)) \cdots (x - \psi(i_N)).$$
Therefore $\psi(i_1), \ldots, \psi(i_N)$ can be determined as the roots of $g(x)$ in $\mathbb{F}_p$, which are obtained either by successive substitution of elements of $\mathbb{F}_p$ or by one of the root-finding algorithms in Chapter 4, Section 3. By applying the inverse permutation of $\psi$, we recover the positions $i_1, \ldots, i_N$ where the original message $M$ has the bit 1.
9.21. Example. We illustrate the procedure with an example involving small parameters. Let $p = 5$ and $n = 3$, so that we are working in the finite field $\mathbb{F}_{125}$. Choose $f(x) = x^3 + x^2 + 2$, which is a primitive polynomial over $\mathbb{F}_5$. Therefore $b(x) = x$ is a primitive element of $\mathbb{F}_{125}$. The part of Table A in Chapter 10 pertaining to $\mathbb{F}_{125}$ refers precisely to this situation. Thus we can read off the values of the $a_i$ from this table. This yields
$$a_0 = 1, \qquad a_1 = 84, \qquad a_2 = 80, \qquad a_3 = 99, \qquad a_4 = 29.$$
Let the permutation $\psi$ of $\{0, 1, 2, 3, 4\}$ be given by
$$\psi(0) = 2, \qquad \psi(1) = 4, \qquad \psi(2) = 1, \qquad \psi(3) = 0, \qquad \psi(4) = 3,$$
so that
$$c_0 = 80, \qquad c_1 = 29, \qquad c_2 = 84, \qquad c_3 = 1, \qquad c_4 = 99.$$
If we wish to encipher the binary message $M = 10100$, then
$$E(M) \equiv c_0 + c_2 = 80 + 84 \pmod{124},$$
and so $E(M) = 40$. To decipher $s = 40$, we calculate
$$g(x) \equiv x^{40} \equiv x^2 + 2x + 2 \bmod (x^3 + x^2 + 2)$$
from Table A, hence $g(x) = x^2 + 2x + 2 = (x - 1)(x - 2)$. Therefore $N = 2$, $\psi(i_1) = 1$, and $\psi(i_2) = 2$, yielding $i_1 = 2$ and $i_2 = 0$, and we recover the original message $M$. □
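The Chor-Rivest scheme as an added Python example reproducing Example 9.21 (example code for this edition, not the authors' or Chor and Rivest's implementation). Arithmetic in $\mathbb{F}_{p^n} = \mathbb{F}_p[x]/(f)$ is done on coefficient lists; the discrete logarithms $a_i = \mathrm{ind}(x - i)$ are obtained by enumerating the powers of $x$, which stands in for the table lookup of the example and is adequate only for such tiny fields. A validity check on the deciphered $g(x)$, not in the text, is added so that a malformed ciphertext is rejected rather than silently misdecoded.

```python
def poly_mulmod(a, b, f, p):
    """a*b mod f over F_p. Polynomials are coefficient lists, lowest degree first;
    f is monic of degree n and a, b have length n."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    for k in range(2 * n - 2, n - 1, -1):      # replace x^k by x^{k-n} * (x^n mod f)
        c = prod[k]
        if c:
            for i in range(n + 1):
                prod[k - n + i] = (prod[k - n + i] - c * f[i]) % p
    return prod[:n]


def poly_pow(base, e, f, p):
    """base^e mod f by square-and-multiply."""
    n = len(f) - 1
    r = [1] + [0] * (n - 1)
    while e:
        if e & 1:
            r = poly_mulmod(r, base, f, p)
        base, e = poly_mulmod(base, base, f, p), e >> 1
    return r


def discrete_logs(f, p):
    """ind_x of every nonzero element of F_p[x]/(f) by listing the powers of x. This plays the role
    of 'a field in which discrete logarithms can be efficiently computed' only because q is tiny.
    Raises if x is not primitive, i.e. if f is not a primitive polynomial."""
    n = len(f) - 1
    q = p ** n
    x = [0, 1] + [0] * (n - 2)
    cur, ind = [1] + [0] * (n - 1), {}
    for e in range(q - 1):
        ind[tuple(cur)] = e
        cur = poly_mulmod(cur, x, f, p)
    if len(ind) != q - 1:
        raise ValueError("x is not a primitive element for this f")
    return ind


def keygen(f, p, psi):
    """Secret: primitive f of degree n, b(x) = x, permutation psi. Public: c_i = a_{psi(i)}, a_i = ind(x - i)."""
    n, ind = len(f) - 1, discrete_logs(f, p)
    a = [ind[tuple([(-i) % p, 1] + [0] * (n - 2))] for i in range(p)]
    return a, [a[psi[i]] for i in range(p)]


def encrypt(c, bits, p, n):
    """E(M) = sum of the c_i at the 1-positions of M, mod p^n - 1; M needs fewer than n ones."""
    if len(bits) != p or sum(bits) >= n:
        raise ValueError("message must have length p and fewer than n ones")
    return sum(ci for ci, m in zip(c, bits) if m) % (p ** n - 1)


def decrypt(s, f, p, psi):
    """g(x) = x^s mod f = prod (x - psi(i_j)); its roots in F_p (found by substitution) give the 1-positions."""
    n = len(f) - 1
    g = poly_pow([0, 1] + [0] * (n - 2), s, f, p)
    roots = [r for r in range(p) if sum(coef * pow(r, i, p) for i, coef in enumerate(g)) % p == 0]
    degree = max(i for i, coef in enumerate(g) if coef)
    if len(roots) != degree:                   # added check: a genuine ciphertext splits into distinct linear factors
        raise ValueError("not a valid ciphertext: g(x) does not split into distinct linear factors over F_p")
    bits = [0] * p
    for r in roots:
        bits[psi.index(r)] = 1
    return bits


if __name__ == "__main__":
    f, p, psi = [2, 0, 1, 1], 5, [2, 4, 1, 0, 3]   # f = x^3 + x^2 + 2 over F_5, psi of Example 9.21
    a, c = keygen(f, p, psi)
    s = encrypt(c, [1, 0, 1, 0, 0], p, 3)
    print(a, c, s, decrypt(s, f, p, psi))
```

Everything secret (`f`, the permutation, and the logarithm table) stays on the decrypting side; the public key is only the list `c`, and the weight bound $N < n$ enforced in `encrypt` is exactly the hypothesis of Lemma 9.20 that makes decryption unambiguous.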
4. FURTHER CRYPTOSYSTEMS

We first describe a public-key cryptosystem that is based on binary irreducible Goppa codes (see Chapter 8, Section 3). This cryptosystem falls into the category of block ciphers. We recall from Theorems 8.56 and 8.57 that for any irreducible polynomial $g(x)$ over $\mathbb{F}_{2^m}$ of degree $t$ and any integer $n$, where $2 \le t < n \le 2^m$, there exists a binary irreducible Goppa code $\Gamma(L, g)$ of length $n$ and dimension $k \ge n - mt$ that is capable of correcting any pattern of $t$ or fewer errors. All one has to do is to choose $L$ as a subset of $\mathbb{F}_{2^m}$ of cardinality $n$. We note also that Goppa codes allow a fast decoding algorithm discussed in Chapter 8, Section 3.

The Goppa-code cryptosystem is set up as follows. We choose integers $t$ and $n$ with $2 \le t < n \le 2^m$ and then randomly select a monic irreducible polynomial $g(x)$ over $\mathbb{F}_{2^m}$ of degree $t$. This is easy to do since the probability that a monic polynomial over $\mathbb{F}_{2^m}$ of degree $t$ is irreducible is
$$\frac{N_{2^m}(t)}{2^{mt}} = \frac{1}{t\,2^{mt}} \sum_{d \mid t} \mu\!\left(\frac{t}{d}\right) 2^{md} \approx \frac{1}{t}$$
according to Theorem 3.25. The irreducibility of a randomly chosen polynomial may be tested by applying one of the factorization algorithms in Chapter 4 to it. We consider now a $t$-error-correcting binary irreducible Goppa code $\Gamma(L, g)$ of length $n$ and dimension $k \ge n - mt$. This code has a binary $(n-k) \times n$ parity-check matrix $H$. From $H$ we can derive a binary $k \times n$ generator matrix $G$ of $\Gamma(L, g)$; compare with Chapter 8, Sections 1 and 3. This generator matrix is scrambled by selecting at random a binary invertible $k \times k$ matrix $S$ and an $n \times n$ permutation matrix $P$, that is, a matrix obtained from the identity matrix by exchanging rows, and forming the new generator matrix
$$G' = SGP.$$
This $k \times n$ matrix $G'$ generates a binary linear code with the same length, dimension, and minimum distance as the Goppa code $\Gamma(L, g)$. The matrices $G$, $S$, and $P$ are kept secret, whereas $G'$ is made public. Let $z$ denote a random binary vector of length $n$ and weight $\le t$ chosen by the sender. Then the cryptosystem is implemented as follows.

9.22. Goppa-Code Cryptosystem. Enciphering: The plaintext data, given as $k$-bit blocks $x$, are enciphered as vectors $y = xG' + z$. Deciphering: On receipt of $y$ we compute $y' = yP^{-1}$, which will be at Hamming distance at most $t$ from the code word $xSG$ of the Goppa code $\Gamma(L, g)$. Decoding $y'$ gives the corresponding message $x' = xS$, and the plaintext is recovered by computing $x = x'S^{-1}$.

9.23. Example. We present an example with very small parameters to demonstrate the procedure. However, the cryptosystem in this example does of course not offer any security. We choose $m = 3$, $n = 8$, $t = 2$, and use the Goppa code of dimension $k = 2$ in Example 8.58, with $G$ being the generator matrix given there. Furthermore, let $S$ be a $2 \times 2$ invertible binary matrix and $P$ an $8 \times 8$ permutation matrix, and let the public key be the $2 \times 8$ matrix $G' = SGP$. [The explicit entries of $S$, $P$, and $G'$ are illegible in this copy of the example.] Let $z = 1\,0\,0\,0\,0\,0\,0\,0$. Then the plaintext $x = 0\,1$, say, is enciphered as $y = 1\,1\,0\,1\,1\,1\,1\,1$. On receipt of $y$ the authorized receiver computes $y' = yP^{-1} = 1\,0\,1\,1\,1\,1\,1\,1$ and decodes this to the code word $0\,0\,1\,1\,1\,1\,1\,1$ with corresponding message $x' = 0\,1$. The plaintext is recovered as $x = x'S^{-1} = 0\,1$. In this example decoding is performed merely as nearest neighbor decoding, that is, by comparing the received word $y'$ with the nearest code word of Example 8.58 relative to the Hamming distance. For large parameters this approach will be infeasible, but then the efficient decoding algorithm for Goppa codes can do the job for us. □
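The enciphering and deciphering steps of 9.22 in added Python (example code for this edition, not the authors' implementation). Because the generator matrix of Example 8.58 is not reproduced on this page, the secret code is a constructed stand-in: a binary $[8, 2]$ code of minimum distance 5, which corrects $t = 2$ errors like the code of Example 9.23 but is not a Goppa code; $S$, $P$ and the error vectors are likewise chosen here. Decoding is the exhaustive nearest-neighbour search the example itself uses, so the block also shows what happens when a sender exceeds the weight bound $t$.

```python
from itertools import product


def mat_mul(A, B):
    """Matrix product over F_2 (lists of 0/1 rows)."""
    cols = list(zip(*B))
    return [[sum(x * y for x, y in zip(row, col)) % 2 for col in cols] for row in A]


def vec_mat(v, M):
    return mat_mul([v], M)[0]


def mat_inv(M):
    """Inverse of a square binary matrix by Gauss-Jordan elimination over F_2; raises if singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col]), None)
        if pivot is None:
            raise ValueError("matrix is singular")
        A[col], A[pivot] = A[pivot], A[col]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [x ^ y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def perm_matrix(perm):
    """n x n permutation matrix P: coordinate i of y lands at position perm[i] of y P."""
    n = len(perm)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]


def public_key(G, S, perm):
    return mat_mul(mat_mul(S, G), perm_matrix(perm))         # G' = S G P


def encipher(G_pub, x, z):
    return [a ^ b for a, b in zip(vec_mat(x, G_pub), z)]      # y = x G' + z


def nearest_codeword(G, y, t):
    """Nearest-neighbour decoding by enumerating all 2^k code words (the text's small-parameter
    method); returns the message whose code word lies within Hamming distance t of y, else None."""
    for m in product((0, 1), repeat=len(G)):
        if sum(u != v for u, v in zip(vec_mat(list(m), G), y)) <= t:
            return list(m)
    return None


def decipher(G, S, perm, y, t):
    y_prime = vec_mat(y, mat_inv(perm_matrix(perm)))          # y' = y P^{-1}, within wt(z) of x S G
    x_prime = nearest_codeword(G, y_prime, t)                 # x' = x S
    if x_prime is None:
        return None                                           # more than t errors: undecodable
    return vec_mat(x_prime, mat_inv(S))                       # x = x' S^{-1}


# Constructed stand-in for the secret code (not a Goppa code): a binary [8, 2] code whose
# nonzero words have weights 5, 5 and 6, so its minimum distance is 5 and it corrects t = 2 errors.
G_SECRET = [[1, 1, 1, 1, 1, 0, 0, 0],
            [0, 0, 0, 1, 1, 1, 1, 1]]
S_SECRET = [[1, 1], [0, 1]]                 # invertible over F_2
PERM_SECRET = [3, 0, 7, 1, 5, 2, 6, 4]      # the permutation P
T = 2

if __name__ == "__main__":
    G_pub = public_key(G_SECRET, S_SECRET, PERM_SECRET)
    y = encipher(G_pub, [0, 1], [1, 0, 0, 0, 0, 1, 0, 0])
    print(G_pub, y, decipher(G_SECRET, S_SECRET, PERM_SECRET, y, T))
```

The receiver never touches $G'$: it undoes $P$, decodes in the secret code, and undoes $S$, exactly the three steps of 9.22. A sender who adds an error vector of weight $t+1$ gets either an undecodable word or a wrong plaintext, which is why the weight bound on $z$ is part of the scheme and not a tunable parameter.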
In order to break this cryptosystem, an attacker would have to determine $G$ from $G'$, or he might try to recover $x$ from $y$ without knowing $G$. To find $G$ seems to be a hopeless task if $n$ and $t$ are large enough, since there are so many possibilities for $G$, $S$, and $P$. If the attacker wants to find $x$ from $y$, this amounts to decoding a random looking linear $(n, k)$ code in the presence of up to $t$ errors. Such an attack is expected to be infeasible for large enough code parameters, since the general decoding problem for linear codes has been shown to be NP-complete. For example, if $m = 10$, $n = 2^{10} = 1024$, and $t = 50$, then there will be about $10^{149}$ possible Goppa polynomials and a gigantic number of choices for $S$ and $P$. The dimension of the code will be at least 524 and will make brute-force attacks based on comparisons of $y$ with code words or based on coset leaders impossible. This cryptosystem is not suitable for use in authentication, but its fast communication rate makes it attractive for data communication.

We now discuss another scheme for the communication of secret information. Suppose the secret is some data $D$, for instance, the key for a cryptosystem or a bank safe combination. Then $D$ is divided into $n$ pieces $D_1, \ldots, D_n$ in such a way that for some $k < n$:

(i) knowledge of any $k$ or more pieces $D_i$ makes computing $D$ easy;
(ii) knowledge of any $k-1$ or fewer pieces $D_i$ makes determining $D$ impossible because of insufficient information.

Such a scheme is called a $(k, n)$ threshold scheme. It can be helpful in a variety of situations. For instance, if $n = 2k - 1$, the original data $D$ can be recovered even when $\lfloor n/2 \rfloor = k - 1$ of the $n$ pieces $D_i$ are destroyed or lost, but an opponent cannot reconstruct $D$ even when security breaches expose $k-1$ of the remaining $k$ pieces. Other advantages are that a hierarchical scheme is possible where the number of pieces $D_i$ given to each user is proportional to the user's importance. Threshold schemes are well suited to situations where a group of mutually suspicious individuals with conflicting interests must cooperate. By choosing the parameters $n$ and $k$ properly, any sufficiently large majority can be given the authority to take some action, while any sufficiently large minority can be given the power to block it.

We describe a $(k, n)$ threshold scheme that was originated by Shamir and by Blakley for $\mathbb{F}_p$ and $\mathbb{F}_{p^n}$, respectively. First we identify $D$ with an element of a suitable finite field $\mathbb{F}_q$. The pieces $D_i$ are derived, in a way to be specified, from a random polynomial
$$f(x) = a_{k-1}x^{k-1} + \cdots + a_1 x + a_0 \in \mathbb{F}_q[x]$$
of degree at most $k-1$ whose constant term $a_0$ is $D$. Here $q$ is a prime power larger than $n$ and the number of possibilities for $D$. If one knows the polynomial $f(x)$, then it is easy to compute $D$ by $D = f(0)$. The pieces $D_i$ are obtained by evaluating $f(x)$ at $n$ distinct nonzero elements $c_1, \ldots, c_n \in \mathbb{F}_q^*$; that is, $D_i = f(c_i)$ for $i = 1, 2, \ldots, n$. (The $c_i$ must avoid $0$, since $f(0)$ is the secret itself.) These $c_i$ could be elements of $\mathbb{F}_q$ which do not have to be secret; they could be user identifiers. Since any $k$ pairs $(c_i, D_i)$ uniquely determine a polynomial of degree $\le k-1$, the polynomial $f(x)$ and therefore the secret data $D$ can be reconstructed from $k$ pieces, but not from fewer pieces. If the $k$ pieces are denoted by $D_{i_1}, \ldots, D_{i_k}$, then $f(x)$ can be computed by the Lagrange interpolation formula in Theorem 1.71, which yields
$$f(x) = \sum_{s=1}^{k} D_{i_s} \prod_{\substack{t=1 \\ t \ne s}}^{k} (c_{i_s} - c_{i_t})^{-1}(x - c_{i_t}).$$

9.24. Example. Let $q = 8$, $n = 3$, and $k = 2$. Suppose we know that
$$D_1 = f(1) = \alpha + \alpha^2, \qquad D_2 = f(\alpha) = \alpha,$$
where $\alpha \in \mathbb{F}_8$ is a root of $x^3 + x + 1$. Then $f(x)$ can be reconstructed as follows:
$$f(x) = (\alpha + \alpha^2)(1 - \alpha)^{-1}(x - \alpha) + \alpha(\alpha - 1)^{-1}(x - 1) = \alpha(x + \alpha) + (1 + \alpha + \alpha^2)(x + 1) = (1 + \alpha^2)x + 1 + \alpha.$$
Therefore the secret data is $D = f(0) = 1 + \alpha$. □
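Shamir's version of the $(k, n)$ threshold scheme over a prime field, as an added Python example (written for this edition, not the authors' code; Example 9.24 itself works in $\mathbb{F}_8$, whose arithmetic is not reproduced here). Besides sharing and Lagrange reconstruction it demonstrates property (ii) concretely: given $k-1$ shares, every possible value of one further share leads to a different secret, so nothing about $D$ is learned. The parameters $q = 13$, $k = 3$, $n = 5$ and the share points $c_i = i$ are chosen here.

```python
from random import randrange


def split_secret(D, k, n, q, rng=randrange):
    """Shamir's (k, n) threshold scheme over the prime field F_q: pick f(x) = D + a_1 x + ... + a_{k-1} x^{k-1}
    with random a_j and hand out D_i = f(c_i) at the public, distinct, NONZERO points c_i = 1, ..., n
    (c_i = 0 would hand out f(0) = D itself)."""
    if not (q > n and 0 <= D < q and 1 <= k <= n):
        raise ValueError("need q > n, 0 <= D < q and 1 <= k <= n")
    coeffs = [D] + [rng(q) for _ in range(k - 1)]
    f = lambda x: sum(a * pow(x, j, q) for j, a in enumerate(coeffs)) % q
    return [(c, f(c)) for c in range(1, n + 1)]


def reconstruct(shares, q):
    """D = f(0) by Lagrange interpolation (Theorem 1.71) through the given pairs (c_i, D_i):
    f(0) = sum_s D_{i_s} prod_{t != s} (c_{i_s} - c_{i_t})^{-1} (0 - c_{i_t}) in F_q."""
    if len({c for c, _ in shares}) != len(shares):
        raise ValueError("share points must be distinct")
    D = 0
    for ci, Di in shares:
        num = den = 1
        for cj, _ in shares:
            if cj != ci:
                num = num * (-cj) % q        # (0 - c_j)
                den = den * (ci - cj) % q    # (c_i - c_j)
        D = (D + Di * num * pow(den, -1, q)) % q
    return D


def secrets_consistent_with(partial, missing_c, q):
    """Property (ii): with only k-1 shares in `partial`, every candidate value y of one more share at the
    point missing_c yields a different reconstructed secret, so all q values of D remain possible."""
    return {reconstruct(partial + [(missing_c, y)], q) for y in range(q)}


if __name__ == "__main__":
    q, k, n = 13, 3, 5                         # assumed parameters; q prime and larger than n
    shares = split_secret(7, k, n, q)
    print(shares)
    print("from shares 1,3,5:", reconstruct([shares[0], shares[2], shares[4]], q))
    print("secrets consistent with shares 1,2:", len(secrets_consistent_with(shares[:2], 5, q)))
```

`secrets_consistent_with` returns all $q$ field elements because the Lagrange coefficient of the missing point is nonzero, so the reconstructed value is a bijection of the guessed share; this is the precise sense in which $k-1$ pieces give "insufficient information".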
EXERCISES

9.1. Let s_0, s_1, ... and t_0, t_1, ... be the impulse response sequences with characteristic polynomial x^4 + x + 1 and x^5 + x^2 + 1 over F_2, respectively. Let h = 2, j_1 = 0, j_2 = 1, and ψ: {0, 1, 2, 3} → {0, 1, 2, 3, 4} be defined by ψ(i) = i + 1. Find the first 16 terms of the resulting multiplexed sequence.

9.2. If x^15 + x^8 + x^7 + x^2 + 1 and x^16 + x^15 + x^4 + x + 1 are characteristic polynomials of two maximal period sequences in F_2, respectively, what can you say about the least period of a multiplexed sequence based on these two sequences?

9.3. Suppose we know that a feedback shift register with 5 delay elements has been used to construct a binary sequence u_0, u_1, ... and that the first 10 values of u_n are 0, 1, 0, 1, 0, 1, 1, 1, 0, 1. Find a characteristic polynomial of the sequence and determine the first 20 terms of the sequence.

9.4. In the notation of Definition 9.1, let s_0, s_1, ... be a kth-order maximal period sequence in F_2 with k > 1 and let 1 ≤ h < k. For n = 0, 1, ... let P_i(n), i = 0, 1, ..., 2^h − 1, be the 2^h Boolean monomials formed by taking all 2^h possible products of the terms s_{n+j_1}, ..., s_{n+j_h}. Let t be a maximal period sequence in F_2 with terms t_0, t_1, ... and minimal polynomial g(x) ∈ F_2[x], and let u_0, u_1, ... be the resulting multiplexed sequence. Prove that

$$u_n = \sum_{i=0}^{2^h - 1} P_i(n)\, t_{n + N(i)} \quad \text{for } n = 0, 1, \ldots,$$

where the integers N(0), N(1), ..., N(2^h − 1) are completely determined by ψ(0), ψ(1), ..., ψ(2^h − 1). Moreover, prove that the 2^h shifted sequences t^{(N(i))}, i = 0, 1, ..., 2^h − 1, are linearly independent in the vector space S(g(x)) over F_2 defined on p. 215.

9.5. In the proof of Theorem 9.6 it is shown that if σ is an mth-order maximal period sequence in the finite prime field F_p, then the decimated sequence σ^{(d)} with d = p^k − 1 and gcd(k, m) = 1 has least period (p^m − 1)/(p − 1). Prove more generally that if σ is an mth-order linear recurring sequence in an arbitrary finite field F_q with least period r and irreducible minimal polynomial, then for j ≥ 0 and d ≥ 1 we have: (a) the decimated sequence σ_j^{(d)} is either the zero sequence or it has least period r/gcd(d, r); (b) if gcd(d, r) < r q^{1−m}, then σ_j^{(d)} has least period r/gcd(d, r).

9.6. How many possible enciphering keys K are there in the cryptosystem in Example 9.7 if q = 1997?

9.7. Let p = 47, q = 59, and K = 157 be parameters of an RSA cryptosystem. Find the deciphering parameter D.

9.8. Let q = p = 13 and b = 2. Demonstrate by a numerical example how each of the schemes in Examples 9.9, 9.10, 9.11, and 9.12 works.

9.9. Show that in the public-key cryptosystem in Example 9.11 it is not advisable to use the same value of k for enciphering more than one message block.

9.10. Use the Silver-Pohlig-Hellman algorithm for q = 73 and b = 5 to find the discrete logarithm of a = 7.

9.11. In Example 9.16 let m = 3. Find the discrete logarithms to the base x for all polynomials in V.

9.12. Refer to Example 9.17 and find the discrete logarithm of a(x) = x^? + x^? + x^? + 1 to the base x (the three exponents are illegible in this copy).

9.13. Suppose F_{2^?} is defined by f(x) = x^? + x^? + 1 over F_2 (exponents illegible in this copy) and a data base for the second stage of the index-calculus algorithm is given as in Example 9.19, so that m = 2. Compute the discrete logarithm of a(x) = x^? + x + 1 to the base x. Repeat the calculation under the assumption that m = 1.

9.14. For an arbitrary finite field F_q, let N(k, m) be the number of polynomials over F_q of degree k all of whose irreducible factors in F_q[x] are of degree ≤ m. Define N(k, 0) = q − 1 if k = 0, N(k, 0) = 0 if k ≠ 0, and N(k, m) = 0 if k < 0 and m ≥ 0. Let N_q(n) be the number of monic irreducible polynomials over F_q of degree n (see Theorem 3.25). For k, m ≥ 1 prove the recurrence

$$N(k, m) = \sum_{n=1}^{m} \sum_{i=1}^{\lfloor k/n \rfloor} N(k - in,\, n - 1) \binom{N_q(n) + i - 1}{i}.$$

9.15. Let r_{−1}(x) and r_0(x) be two nonzero polynomials over a field F with deg(r_{−1}(x)) ≥ deg(r_0(x)) and d(x) = gcd(r_{−1}(x), r_0(x)), and let k be an integer with deg(d(x)) ≤ k < deg(r_{−1}(x)). In the notation of Exercise 8.43, prove that there exists a unique index j, 0 ≤ j ≤ s, such that deg(r_j(x)) ≤ k and deg(z_j(x)) ≤ deg(r_{−1}(x)) − k − 1.

9.16. In several cryptosystems over F_q involving discrete exponentiation it is necessary to generate enciphering keys e and deciphering keys d with e, d ∈ Z and ed ≡ 1 mod (q − 1). Show that such keys can be generated in the following way. Let ab ≡ 1 mod (q − 1), where a has the largest possible multiplicative order N modulo q − 1, and let r be randomly chosen from {0, 1, ..., N − 1}. Then e ≡ a^r mod (q − 1) and d ≡ b^r mod (q − 1) are multiplicative inverses of each other modulo q − 1.

9.17. Prove that a polynomial x^m + x^{m−1} + ... + x + 1 is irreducible over F_2 and its roots α^{2^i}, i = 0, 1, ..., m − 1, form a normal basis of F_{2^m} over F_2 if and only if m + 1 is prime and 2 is a primitive element of F_{m+1}. (Note: Such all-one polynomials permit an attractive implementation of discrete exponentiation in a normal basis of F_{2^m} over F_2.)

9.18. Let b be a primitive element of the finite prime field F_p, p > 2, and let a ∈ F_p^*. Prove that ind_b(a) is determined as an element of F_p by the formula

$$\operatorname{ind}_b(a) = -1 + \sum_{i=1}^{p-2} (b^{-i} - 1)^{-1} a^{i}.$$

(Hint: Use the Lagrange Interpolation Formula in Theorem 1.71.)

9.19. Prove that the formula in Exercise 9.18 reduces to

$$\operatorname{ind}_b(a) = \sum_{j=1}^{p-2} (1 - b^{j})^{-1} a^{j}$$

provided that a ≠ 1. (Note: The formulas for discrete logarithms in Exercises 9.18 and 9.19 are of theoretical interest, but useless for computational purposes.)

9.20. Let f(x) be an irreducible polynomial over F_q of degree n and let g(x) be an arbitrary polynomial over F_q. Prove that the degree of any nonzero divisor of f(g(x)) in F_q[x] is a multiple of n. (Note: This property is useful in the initial stage of the index-calculus algorithm.)

9.21. Let p, n, f(x), and ψ be as in Example 9.21 and choose the primitive element h(x) = 4x^? + 3 of F_{p^n} (the exponent is illegible in this copy). Encipher the binary message M = 01010 and then decipher it again.

9.22. Prove that Lemma 9.20 holds also if p is a prime power.

9.23. Show by a counterexample that Lemma 9.20 does not hold in general if (9.14) is replaced by the condition that Σ_i h_i ≤ n and Σ_i k_i ≤ n. (Hint: Consider n = 2 and p = 2 or 3.)

9.24. In Example 9.23 use as the matrix P the matrix obtained from the identity matrix by exchanging rows one and eight, let S be the 2 × 2 matrix given there (its entries are illegible in this copy), and let z = 1 1 0 0 0 0 0 0. Encipher the plaintext x = 0 1 with the Goppa-code cryptosystem and decipher the result by using nearest-neighbor decoding and Example 8.58.

9.25. Explain why the Goppa-code cryptosystem cannot be used for digital signatures.

9.26. Let k = 3 and n = 5 be the parameters of a threshold scheme based on F_8 as in Example 9.24. Suppose the following pairs (c_i, D_i) are known: (1, 0), (α, 0), (α², 1 + α). Reconstruct the polynomial f(x) over F_8 and thus find the secret data D.

9.27. A threshold scheme is given by the parameters q = 17, n = 5, and k = 3. Suppose f(1) = 8, f(2) = 7, and f(3) = 10 are three known pairs (c_i, D_i). Find the secret D.

9.28. Show how discrete exponentiation can be used in a threshold scheme. Also design a scheme in which n ≥ 2 mutually suspicious users are all needed to encipher a common secret (for instance, a classified document), but each individual user should be able to gain access to the secret (read the document) and decipher individually.

9.29. A cryptosystem due to L. S. Hill is based on linear transformations of the residue class ring R_n = Z/(n). The plaintext is represented as a k-tuple in R_n^k, enciphering is a nonsingular linear transformation and deciphering is its inverse.
(a) Suppose n = 29, k = 2, and the linear transformation is P ↦ AP (mod 29), where P ∈ R_29^2 and A is the 2 × 2 matrix given in the exercise (its entries are illegible in this copy). Encipher the message "CRYPTOGRAPHY IS FUN." under the assumption that the letters A to Z are denoted by 0 to 25, a period by 26, a comma by 27, and a blank space by 28.
(b) This cryptosystem can also be based on linear transformations of F_q. Let q = 27, k = 3, choose a nonsingular 3 × 3 matrix with entries in F_27 and encipher the message "CIPHER", where A = 0, B = α^0, C = α^1, ... for a primitive element α of F_27.
(c) Let A be an m × m matrix with integer entries, let b, x ∈ Z^m, and let n be a positive integer. Prove that Ax ≡ b mod n has a unique solution x modulo n (where a congruence between vectors is interpreted coordinatewise) if and only if gcd(det(A), n) = 1. Find a similar condition for the existence of a unique solution of the equation Ax = b over F_q.
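The Hill cryptosystem of Exercise 9.29(a), as an added Python example (not code from the book): enciphering and deciphering 2-tuples modulo 29 with the alphabet of the exercise, the condition gcd(det A, n) = 1 of part (c) as the test for a usable key, and the known-plaintext attack that makes the system insecure in practice: two plaintext blocks whose matrix is invertible modulo n reveal the key as A = [C_1 C_2][P_1 P_2]^{-1}. The key matrix A = [[3, 3], [2, 5]] is an assumed value for the demonstration (the exercise's own A is not legible in this copy); the function names are the example's own.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ., "   # A..Z -> 0..25, '.' -> 26, ',' -> 27, ' ' -> 28
N = len(ALPHABET)                              # 29, the modulus of Exercise 9.29(a)


def inv_mod(a, n):
    """Multiplicative inverse of a modulo n by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = n, a % n, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("gcd(%d, %d) = %d, no inverse" % (a, n, r0))
    return s0 % n


def det2(m):
    return m[0][0] * m[1][1] - m[0][1] * m[1][0]


def is_valid_key(m, n=N):
    """Exercise 9.29(c): P -> mP is invertible modulo n iff gcd(det m, n) = 1."""
    return gcd(det2(m) % n, n) == 1


def inv_matrix2(m, n):
    """Inverse of a 2x2 matrix modulo n (adjugate times the inverse of the determinant)."""
    d = inv_mod(det2(m), n)
    return [[d * m[1][1] % n, -d * m[0][1] % n],
            [-d * m[1][0] % n, d * m[0][0] % n]]


def mat_vec(m, v, n):
    return [sum(m[i][j] * v[j] for j in range(2)) % n for i in range(2)]


def mat_mul(a, b, n):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % n for j in range(2)] for i in range(2)]


def encode(text):
    return [ALPHABET.index(ch) for ch in text]


def decode(nums):
    return "".join(ALPHABET[x] for x in nums)


def hill(matrix, text, n=N):
    """Apply P -> matrix * P (mod n) to consecutive 2-tuples; deciphering is the same call
    with the inverse matrix."""
    nums = encode(text)
    if len(nums) % 2:
        raise ValueError("message length must be a multiple of the block size 2")
    out = []
    for i in range(0, len(nums), 2):
        out += mat_vec(matrix, nums[i:i + 2], n)
    return decode(out)


def recover_key(plaintext, ciphertext, n=N):
    """Known-plaintext attack.  Two plaintext blocks P1, P2 (as columns) with [P1 P2]
    invertible mod n give A = [C1 C2] * [P1 P2]^{-1}.  Returns None if no pair of
    consecutive blocks works."""
    p, c = encode(plaintext), encode(ciphertext)
    for i in range(0, len(p) - 3, 2):
        P = [[p[i], p[i + 2]], [p[i + 1], p[i + 3]]]
        C = [[c[i], c[i + 2]], [c[i + 1], c[i + 3]]]
        if is_valid_key(P, n):
            return mat_mul(C, inv_matrix2(P, n), n)
    return None


if __name__ == "__main__":
    key = [[3, 3], [2, 5]]                       # assumed key, det = 9, gcd(9, 29) = 1
    msg = "CRYPTOGRAPHY IS FUN."
    ct = hill(key, msg)
    print("ciphertext:", repr(ct))
    print("deciphered:", hill(inv_matrix2(key, N), ct))
    print("key recovered from plaintext/ciphertext:", recover_key(msg, ct))
```

Because enciphering is linear, the attack needs only k plaintext blocks whose matrix is invertible modulo n; the first two blocks of the message above already suffice.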
Chapter 10
Tables
In this chapter we collect tables that facilitate the computation in finite fields and tables of irreducible and primitive polynomials. The description of these tables is given in Sections 1 and 2, respectively.

1. COMPUTATION IN FINITE FIELDS

Multiplication and division of nonzero elements of F_q can be performed using a notion analogous to logarithms. We speak of the index or discrete logarithm. If b is a primitive element of F_q, then for any a ∈ F_q^* there exists a unique integer r with 0 ≤ r < q − 1 such that a = b^r. We write r = ind_b(a), or simply r = ind(a) if b is kept fixed. The index function satisfies the following basic rules:

ind(ac) ≡ ind(a) + ind(c) mod (q − 1),
ind(ac^{−1}) ≡ ind(a) − ind(c) mod (q − 1).

The inverse function of the index function, corresponding to taking antilogarithms, is denoted by exp_b or simply exp, and we have

exp(r) = b^r,   exp(ind(a)) = a,   ind(exp(r)) = r.

Given a table of the ind and exp function, it is easy to carry out addition, subtraction, multiplication, and division in F_q. Addition and subtraction are performed by using the vector space structure of F_q over its prime subfield, and multiplication and division are performed by using the rules for the index function and the exp and ind table to convert from one notation to the other. Table A provides a complete list of the nonzero elements and their indices for the finite fields F_q with q composite and q ≤ 128. In the exp column the parentheses and commas of the vector notation (a_{n−1}, ..., a_1, a_0) for the element a_{n−1} b^{n−1} + ... + a_1 b + a_0 of F_q with q = p^n have been dropped. In Table A we use GF(p^n) to denote the finite field with p^n elements.
10.1. Example. As an example for the use of Table A we calculate

[(b + 1) + (2b + 2)b] / (b + 2)

in the field F_9. Working with the portion of the table pertaining to this field, we get

ind((2b + 2)b) = ind(2b + 2) + ind(b) = 3 + 1 = 4 mod 8,   exp(4) = 2.

Thus (b + 1) + (2b + 2)b = b and

ind([(b + 1) + (2b + 2)b] / (b + 2)) = ind(b) − ind(b + 2) = 1 − 6 = 3 mod 8,   exp(3) = 2b + 2.

The final result is [(b + 1) + (2b + 2)b] / (b + 2) = 2b + 2. □
Table B affords another possibility of doing arithmetic in finite fields. In the first two columns it provides a table of Jacobi's logarithm L(n) for the fields F_{2^k} with 2 ≤ k ≤ 6 (compare with Exercise 2.8). The symbol n → s means that L(n) = s with respect to a fixed primitive element b. In characteristic 2 the value L(0) is undefined. The elements b^n are multiplied in the obvious way, and they are added by the rule

b^m + b^n = b^{m + L(n − m)}

given in Exercise 2.8. The symbol "+" preceding the value of n indicates that b^n is a primitive element.

10.2. Example. We use Table B to calculate (b^41 + b^39 + b^44)(1 + b^43) in the field F_64. We have b^39 + b^44 = b^39(1 + b^5) = b^{39 + L(5)} = b^77 = b^14, since the argument of the function L and the exponent of b are considered modulo 63. Next, b^41 + b^14 = b^14(1 + b^27) = b^{14 + L(27)} = b^{14 + 18} = b^32. Furthermore, 1 + b^43 = b^{L(43)} = b^6, so that we obtain

(b^41 + b^39 + b^44)(1 + b^43) = b^32 · b^6 = b^38,

which is the final result and happens to be a primitive element of F_64. □

The remainder of Table B provides information about minimal and characteristic polynomials and about dual bases. We take the lines

+20 → 26 [100001] 26 6 49 29 9 46: 19
 21 → 42 [101011] [11]

from the table for F_64 over F_2 as illustrations. The symbol [a_1 a_2 ... a_m] indicates that x^m + a_1 x^{m−1} + a_2 x^{m−2} + ... + a_m is the characteristic polynomial of the element with respect to the given field extension. Thus x^6 + x^5 + 1 is the characteristic polynomial of b^20 over F_2 and x^6 + x^5 + x^3 + x + 1 is that of b^21 over F_2. If b^n is a defining element of the extension, then the set of integers between the characteristic polynomial and the colon describes the dual basis of the polynomial basis determined by b^n. If b^n is not a defining element, then the minimal polynomial of b^n with respect to the given extension is listed in the bracket notation explained above. For instance, b^20 is a defining element of F_64 over F_2 and the dual basis of the polynomial basis {1, b^20, b^40, b^60, b^80, b^100} is {b^26, b^6, b^49, b^29, b^9, b^46}. On the other hand, b^21 is not a defining element of F_64 over F_2 and the minimal polynomial of b^21 over F_2 is x^2 + x + 1, so that b^21 ∈ F_4. If b^n is not only a defining element, but also determines a normal basis of the given extension, then the integer after the colon describes the element determining the dual normal basis. For instance, b^20 determines the normal basis

{b^20, (b^20)^2, (b^20)^4, (b^20)^8, (b^20)^16, (b^20)^32}

of F_64 over F_2 and its dual basis is given by

{b^19, (b^19)^2, (b^19)^4, (b^19)^8, (b^19)^16, (b^19)^32}.

Elements in subfields except F_2 are denoted in the table by capital letters whose meaning becomes clear upon inspection of the data for minimal polynomials. For example, in the table for F_64 the letter X stands for b^21 ∈ F_4 and D stands for an element of F_8.
TABLE A

For each field the nonzero elements are listed in the order exp(0), exp(1), exp(2), ...; the number at the left of a row is the index of its first entry. The row with ind = n shows b^n, which gives the relation stated at the head of each block.

GF(2^2), b^2 = b + 1
 ind  0- 2: 01 10 11

GF(2^3), b^3 = b^2 + 1
 ind  0- 6: 001 010 100 101 111 011 110

GF(2^4), b^4 = b^3 + 1
 ind  0- 7: 0001 0010 0100 1000 1001 1011 1111 0111
 ind  8-14: 1110 0101 1010 1101 0011 0110 1100

GF(2^5), b^5 = b^3 + 1
 ind  0- 7: 00001 00010 00100 01000 10000 01001 10010 01101
 ind  8-15: 11010 11101 10011 01111 11110 10101 00011 00110
 ind 16-23: 01100 11000 11001 11011 11111 10111 00111 01110
 ind 24-30: 11100 10001 01011 10110 00101 01010 10100

GF(2^6), b^6 = b^5 + 1
 ind  0- 7: 000001 000010 000100 001000 010000 100000 100001 100011
 ind  8-15: 100111 101111 111111 011111 111110 011101 111010 010101
 ind 16-23: 101010 110101 001011 010110 101100 111001 010011 100110
 ind 24-31: 101101 111011 010111 101110 111101 011011 110110 001101
 ind 32-39: 011010 110100 001001 010010 100100 101001 110011 000111
 ind 40-47: 001110 011100 111000 010001 100010 100101 101011 110111
 ind 48-55: 001111 011110 111100 011001 110010 000101 001010 010100
 ind 56-62: 101000 110001 000011 000110 001100 011000 110000

GF(2^7), b^7 = b + 1
 ind   0-  7: 0000001 0000010 0000100 0001000 0010000 0100000 1000000 0000011
 ind   8- 15: 0000110 0001100 0011000 0110000 1100000 1000011 0000101 0001010
 ind  16- 23: 0010100 0101000 1010000 0100011 1000110 0001111 0011110 0111100
 ind  24- 31: 1111000 1110011 1100101 1001001 0010001 0100010 1000100 0001011
 ind  32- 39: 0010110 0101100 1011000 0110011 1100110 1001111 0011101 0111010
 ind  40- 47: 1110100 1101011 1010101 0101001 1010010 0100111 1001110 0011111
 ind  48- 55: 0111110 1111100 1111011 1110101 1101001 1010001 0100001 1000010
 ind  56- 63: 0000111 0001110 0011100 0111000 1110000 1100011 1000101 0001001
 ind  64- 71: 0010010 0100100 1001000 0010011 0100110 1001100 0011011 0110110
 ind  72- 79: 1101100 1011011 0110101 1101010 1010111 0101101 1011010 0110111
 ind  80- 87: 1101110 1011111 0111101 1111010 1110111 1101101 1011001 0110001
 ind  88- 95: 1100010 1000111 0001101 0011010 0110100 1101000 1010011 0100101
 ind  96-103: 1001010 0010111 0101110 1011100 0111011 1110110 1101111 1011101
 ind 104-111: 0111001 1110010 1100111 1001101 0011001 0110010 1100100 1001011
 ind 112-119: 0010101 0101010 1010100 0101011 1010110 0101111 1011110 0111111
 ind 120-126: 1111110 1111111 1111101 1111001 1110001 1100001 1000001

GF(3^2), b^2 = 2b + 1
 ind  0- 7: 01 10 21 22 02 20 12 11

GF(3^3), b^3 = b^2 + 2
 ind  0- 7: 001 010 100 102 122 022 220 101
 ind  8-15: 112 222 121 012 120 002 020 200
 ind 16-23: 201 211 011 110 202 221 111 212
 ind 24-25: 021 210

GF(3^4), b^4 = 2b^3 + 1
 ind  0- 7: 0001 0010 0100 1000 2001 1012 2121 2212
 ind  8-15: 0122 1220 1201 1011 2111 2112 2122 2222
 ind 16-23: 0222 2220 0202 2020 1202 1021 2211 0112
 ind 24-31: 1120 0201 2010 1102 0021 0210 2100 2002
 ind 32-39: 1022 2221 0212 2120 2202 0022 0220 2200
 ind 40-47: 0002 0020 0200 2000 1002 2021 1212 1121
 ind 48-55: 0211 2110 2102 2022 1222 1221 1211 1111
 ind 56-63: 0111 1110 0101 1010 2101 2012 1122 0221
 ind 64-71: 2210 0102 1020 2201 0012 0120 1200 1001
 ind 72-79: 2011 1112 0121 1210 1101 0011 0110 1100

GF(5^2), b^2 = 4b + 3
 ind  0- 7: 01 10 43 42 32 44 02 20
 ind  8-15: 31 34 14 33 04 40 12 13
 ind 16-23: 23 11 03 30 24 21 41 22

GF(5^3), b^3 = 4b^2 + 3
 ind   0-  7: 001 010 100 403 132 223 031 310
 ind   8- 15: 304 244 241 211 411 212 421 312
 ind  16- 23: 324 444 042 420 302 224 041 410
 ind  24- 31: 202 321 414 242 221 011 110 003
 ind  32- 39: 030 300 204 341 114 043 430 402
 ind  40- 47: 122 123 133 233 131 213 431 412
 ind  48- 55: 222 021 210 401 112 023 230 101
 ind  56- 63: 413 232 121 113 033 330 004 040
 ind  64- 71: 400 102 423 332 024 240 201 311
 ind  72- 79: 314 344 144 343 134 243 231 111
 ind  80- 87: 013 130 203 331 014 140 303 234
 ind  88- 95: 141 313 334 044 440 002 020 200
 ind  96-103: 301 214 441 012 120 103 433 432
 ind 104-111: 422 322 424 342 124 143 333 034
 ind 112-119: 340 104 443 032 320 404 142 323
 ind 120-123: 434 442 022 220

GF(7^2), b^2 = 6b + 4
 ind  0- 7: 01 10 64 53 56 16 54 66
 ind  8-15: 03 30 45 12 14 34 15 44
 ind 16-23: 02 20 51 36 35 25 31 55
 ind 24-31: 06 60 13 24 21 61 23 11
 ind 32-39: 04 40 32 65 63 43 62 33
 ind 40-47: 05 50 26 41 42 52 46 22

GF(11^2), b^2 = *b + 4
 ind   0-  7: 01 10 *4 57 29 78 16 54
 ind   8- 15: *9 *7 87 ** 07 70 46 25
 ind  16- 23: 38 51 79 26 48 45 15 44
 ind  24- 31: 05 50 69 32 *1 27 58 39
 ind  32- 39: 61 62 72 66 02 20 98 *3
 ind  40- 47: 47 35 21 *8 97 93 53 99
 ind  48- 55: 03 30 81 4* 65 *2 37 41
 ind  56- 63: 85 8* 2* 88 0* *0 17 64
 ind  64- 71: 92 43 *5 67 12 14 34 11
 ind  72- 79: 04 40 75 96 83 6* 42 95
 ind  80- 87: 73 76 *6 77 06 60 52 89
 ind  88- 95: 1* 94 63 82 5* 59 49 55
 ind  96-103: 09 90 23 18 74 86 9* 13
 ind 104-111: 24 28 68 22 08 80 3* 71
 ind 112-119: 56 19 84 7* 36 31 91 33

The symbol * denotes the element 10 in F_11.
TABLE B

Each line has the form described in Section 1: n → L(n) [characteristic polynomial] dual basis of the polynomial basis: element determining the dual normal basis. The symbol * stands for the undefined value L(0), the symbol + marks the n for which b^n is a primitive element, and a second bracket gives the minimal polynomial of an element that is not a defining element.

F_4 over F_2, b a root of x^2 + x + 1
  0 → *  [01] [1]
 +1 → 2  [11] 2 0: 1
 +2 → 1  [11] 1 0: 2

F_8 over F_2, b a root of x^3 + x^2 + 1
  0 → *  [111] [1]
 +1 → 5  [101] 4 3 5: 1
 +2 → 3  [101] 1 6 3: 2
 +3 → 2  [011] 0 6 3:
 +4 → 6  [101] 2 5 6: 4
 +5 → 1  [011] 0 3 5:
 +6 → 4  [011] 0 5 6:

F_16 over F_2, b a root of x^4 + x + 1
  0 → *   [0001] [1]
 +1 → 4   [0011] 14 2 1 0:
 +2 → 8   [0011] 13 4 2 0:
  3 → 14  [1111] 14 10 1 2: 11
 +4 → 1   [0011] 11 8 4 0:
  5 → 10  [0101] [11]
  6 → 13  [1111] 13 5 2 4: 7
 +7 → 9   [1001] 9 2 10 1: 6
 +8 → 2   [0011] 7 1 8 0:
  9 → 7   [1111] 7 5 8 1: 13
 10 → 5   [0101] [11]
+11 → 12  [1001] 12 1 5 8: 3
 12 → 11  [1111] 11 10 4 8: 14
+13 → 6   [1001] 6 8 10 4: 9
+14 → 3   [1001] 3 4 5 2: 12

F_32 over F_2, b a root of x^5 + x^4 + x^2 + x + 1
  0 → *   [10011] [1]
 +1 → 19  [10111] 16 3 6 5 17: 1
 +2 → 7   [10111] 1 6 12 10 3: 2
 +3 → 11  [01001] 0 28 25 6 3:
 +4 → 14  [10111] 2 12 24 20 6: 4
 +5 → 29  [01111] 4 28 5 14 9:
 +6 → 22  [01001] 0 25 19 12 6:
 +7 → 2   [00101] 27 20 17 10 3:
 +8 → 28  [10111] 4 24 17 9 12: 8
 +9 → 15  [01111] 1 7 9 19 10:
+10 → 27  [01111] 8 25 10 28 18:
+11 → 3   [11101] 23 12 7 6 3: 15
+12 → 13  [01001] 0 19 7 24 12:
+13 → 12  [11101] 30 17 28 24 12: 29
+14 → 4   [00101] 23 9 3 20 6:
+15 → 9   [11011] 26 20 5 19 10: 11
+16 → 25  [10111] 8 17 3 18 24: 16
+17 → 21  [01001] 0 14 28 3 17:
+18 → 30  [01111] 2 14 18 7 20:
+19 → 1   [00101] 29 10 24 5 17:
+20 → 23  [01111] 16 19 20 25 5:
+21 → 17  [11101] 27 6 19 3 17: 23
+22 → 6   [11101] 15 24 14 12 6: 30
+23 → 20  [11011] 13 10 18 25 5: 21
+24 → 26  [01001] 0 7 14 17 24:
+25 → 16  [00101] 30 5 12 18 24:
+26 → 24  [11101] 29 3 25 17 24: 27
+27 → 10  [11011] 22 5 9 28 18: 26
+28 → 8   [00101] 15 18 6 9 12:
+29 → 5   [11011] 11 18 20 14 9: 13
+30 → 18  [11011] 21 9 10 7 20: 22

F_64 over F_2, b a root of x^6 + x^5 + x^3 + x^2 + 1
(only the columns n → L(n) and the characteristic or minimal polynomial are reproduced here; the dual-basis columns of this block, and the blocks of the table giving characteristic polynomials and dual bases over F_4 and F_8, are not legible in this copy apart from the two lines quoted in Section 1)
  0 → *   [010101] [1]
 +1 → 8   [101101]
 +2 → 16  [101101]
  3 → 53  [010111]
 +4 → 32  [101101]
 +5 → 38  [100001]
  6 → 43  [010111]
  7 → 62  [001001]
 +8 → 1   [101101]
  9 → 45  [010001] [101]
+10 → 13  [100001]
+11 → 51  [110011]
 12 → 23  [010111]
+13 → 10  [100111]
 14 → 61  [001001]
 15 → 44  [110101]
+16 → 2   [101101]
+17 → 41  [100001]
 18 → 27  [010001] [101]
+19 → 34  [100111]
+20 → 26  [100001]
 21 → 42  [101011] [11]
+22 → 39  [110011]
+23 → 12  [000011]
 24 → 46  [010111]
+25 → 30  [110011]
+26 → 20  [100111]
 27 → 18  [000101] [011]
 28 → 59  [001001]
+29 → 48  [000011]
 30 → 25  [110101]
+31 → 35  [011011]
+32 → 4   [101101]
 33 → 58  [010111]
+34 → 19  [100001]
 35 → 31  [001001]
 36 → 54  [010001] [101]
+37 → 57  [110011]
+38 → 5   [100111]
 39 → 22  [110101]
+40 → 52  [100001]
+41 → 17  [100111]
 42 → 21  [101011] [11]
+43 → 6   [000011]
+44 → 15  [110011]
 45 → 9   [000101] [011]
+46 → 24  [000011]
+47 → 49  [011011]
 48 → 29  [010111]
 49 → 47  [001001]
+50 → 60  [110011]
 51 → 11  [110101]
+52 → 40  [100111]
+53 → 3   [000011]
 54 → 36  [000101] [011]
+55 → 56  [011011]
 56 → 55  [001001]
 57 → 37  [110101]
+58 → 33  [000011]
+59 → 28  [011011]
 60 → 50  [110101]
+61 → 14  [011011]
+62 → 7   [011011]
2. TABLES OF IRREDUCIBLE POLYNOMIALS

Table C lists all monic irreducible polynomials of degree n over prime fields F_p for small values of n and p. The extent of the table may be summarized as follows: p = 2 and n ≤ 11, p = 3 and n ≤ 7, p = 5 and n ≤ 5, p = 7 and n ≤ 4. The polynomial a_0 x^n + a_1 x^{n−1} + ... + a_n is abbreviated in the form a_0 a_1 ... a_n with a_0 = 1. The left-hand column, headed by the value of n, lists all monic irreducible polynomials f for the degree n and the modulus p concerned. The right-hand column, headed by e, contains the corresponding value of ord(f).

Table D lists one primitive polynomial over F_2 for each degree n ≤ 100. In this table only the degrees of the separate terms in the polynomial are given; thus 6 1 0 stands for x^6 + x + 1. Table E lists all primitive polynomials x^2 + a_1 x + a_2 of degree 2 over F_p for 11 ≤ p ≤ 31. For smaller primes all quadratic primitive polynomials can be obtained from Table C by locating the polynomials f over F_p with ord(f) = p^2 − 1. Table F lists one primitive polynomial of degree n over F_p for all values of n ≥ 2 and p with p < 50 and p^n < 10^9. The polynomial x^n + a_1 x^{n−1} + a_2 x^{n−2} + ... + a_n is listed in the form a_1 a_2 ... a_n.
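An added Python example (not the book's code) that generates the rows of Table C for the modulus 2: it enumerates the monic polynomials of degree n with nonzero constant term, keeps the irreducible ones (Ben-Or's test: gcd(f, x^{2^i} − x) = 1 for 1 ≤ i ≤ n/2), and computes ord(f) as the least divisor e of 2^n − 1 with x^e ≡ 1 mod f, which is what the e column records. This is also the check a practitioner runs before using a polynomial to define a field or a maximal-period shift register: ord(f) = 2^n − 1 means f is primitive. Polynomials are integers whose bit i is the coefficient of x^i, printed in the table's a_0 a_1 ... a_n form; the function names are the example's own.

```python
def pdeg(f):
    return f.bit_length() - 1


def pmod(a, m):
    """a mod m in F_2[x]; polynomials are ints with bit i = coefficient of x^i."""
    dm = pdeg(m)
    while a and pdeg(a) >= dm:
        a ^= m << (pdeg(a) - dm)
    return a


def pmulmod(a, b, m):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = pmod(a << 1, m)
    return r


def ppowmod(a, e, m):
    r = 1
    while e:
        if e & 1:
            r = pmulmod(r, a, m)
        a = pmulmod(a, a, m)
        e >>= 1
    return r


def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a


def is_irreducible(f):
    """Ben-Or's test: f of degree n >= 1 is irreducible over F_2 iff it has no irreducible
    factor of degree i <= n/2, i.e. gcd(f, x^(2^i) - x) = 1 for i = 1, ..., floor(n/2)."""
    n = pdeg(f)
    if n < 1:
        return False
    x = 0b10
    xp = x
    for _ in range(n // 2):
        xp = pmulmod(xp, xp, f)              # x^(2^i) mod f
        if pgcd(f, xp ^ x) != 1:
            return False
    return True


def prime_factors(n):
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return fs


def order(f):
    """ord(f) for irreducible f with f(0) != 0: the least e with x^e = 1 mod f.
    It divides 2^n - 1, so strip each prime of 2^n - 1 while x^(e/p) is still 1."""
    e = 2 ** pdeg(f) - 1
    for p in prime_factors(e):
        while e % p == 0 and ppowmod(0b10, e // p, f) == 1:
            e //= p
    return e


def table_c(n):
    """All monic irreducible polynomials of degree n >= 2 over F_2 with their orders, as
    (a_0 a_1 ... a_n string, ord(f)) pairs in the order Table C uses."""
    rows = []
    for f in range(1 << n | 1, 1 << (n + 1), 2):      # leading term x^n, constant term 1
        if is_irreducible(f):
            rows.append((format(f, "b"), order(f)))
    return rows


if __name__ == "__main__":
    for n in range(2, 9):
        rows = table_c(n)
        print("n = %d: %d irreducible, %d primitive" % (n, len(rows), sum(e == 2 ** n - 1 for _, e in rows)))
        for f, e in rows:
            print("  %s  %d" % (f, e))
```

The degree-8 block is a useful sanity check of the machinery: 30 polynomials, 16 of order 255, and x^8 + x^4 + x^3 + x + 1 (the AES reduction polynomial, 100011011) of order 51, so it defines F_256 but x is not a primitive element modulo it.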
TABLE C
n= 1 10 II
e III
3
n-J
e
1011 1101
7 7
,
n=4 10011 11001 11111
15 15 5
e
n=5 100101 101001 101111 110111 111011 111101
31 3I 31 31 31 31
e
n'"'"6 1ססoo11
63 9 21 63 63 63 1 63 63 21
1001001 1010111 1011011 11ססoo1
1100111 1101101 1110011 1110101
"
!
I I
2
n
Irrt'du('lh/e Po/}'nonJwI5 for the Modulus 2
,
7
1110110011 10001001 10001111 100111001 10011101 101110111 10101011
1
e 127 127 127
127 10111001 10111111 ' 127 11000001 127 11001011 127 11010011 127 11010101 127 11100101 127 11101111 127 11110001 127 11110111 127 11111101 127
n-
~
In 127
I
e
IpoPl,lOll 100011101 100101011 100101101 100111001 100111111 101001101 101011111 101100011 101100101 1011010011 101110001 (101110111 101111011
51 255 255 255 17 H5 255 255 255 255
11ססoo111
255
255 255
:
H5
110001011 H5 110001101 255 110011111 51 110100011 ~5 110101001 : 255 110110001 ' 51 110111101 H5 111ססoo11
n=9 1l1OOOO00 II 10000111001 11100010111
!
255
111001111 255 111010111 17 111011101 H5 111100111 255 111110011, 5\ 111110101 , 255 111111001 H5
,
,
,
~5
,
i
,
117
127
I I
1000011011 ' 511 : 1111100011 511 10001ססoo1 511 1111101001 511 1000101101 511 1111111011 511 1000110011 511 1001001011 71 n = 10 1001011001 I 511 1001011111 511 I (J(J(J(J(J(J I00 I 1023 1001100101 73 1000ooo1111 341 1001101001 511 10ססoo11011 1023 1001101111 511 10ססoo11101 341 1001110111 511 I 1ססoo100111 1023 1001111101 511 10000101101 1023 101ססoo111 511 1ססoo110101 93 1010010101 i 511 I0001000 III 341 1010011001 ' 73 100010 I00 II 341 1010100011 511 10001100011 341 1010100101 511 10001100101 1023 1010101111 511 10001101111 1023 1010110111 511 100 I ססoo00 I 1023 1010111101 511 10010001011 1023 1011001111 511 10010011001 341 1011010001 511 10010101001 JJ 1011011011 I 511 10010101111 341 1011110101 511 10011000101 1023 1011111001 511 10011001001 341 11ססoo0001 73 10011010111 1023 1100010011 511 10011100111 10D , 10011101101 341 1100010101 511 1100011111 511 I 10011110011 1023 1100100011 511 10011111111 1023 1100110001 I 511 10100001011 93 1100111011 511 101ססoo1101 1023 1101001001 ' 73 10100011001 1023 1101001111 511 10100011111 341 1101011011 511 10100100011 , 102.3 11111100001 511 10100110001 ' 11123 1101101011 511 10100111101 I 1023 1101101101 511 10101000011 11123 1101110011 511 10101010111 1023 1101111111 511 10101100001 93 511 1110000101 10101100111 341 1110001111 511 10101101011 1023 11101ססoo1 73 i 1111111000101 1023 1110110101 511 I 10110001111 1023 1110111001 511 101100111111 1023 1111000111 511 10110011011 341 1111001011 511 10110100001 1023 1111001101 51\ 10110101011 341 1111010101 511 10110111001' 341 1111011001 511 10111000001 .'41
73 511 73
II
I
2.
TabJc~
of Irreducihlc Polynon1ials
379
--------JrrC'duciMe Pn/ynnmiah {nr the MndulUs J 10111000111 10111100101 10111110111 10111111011 11ססoo10011
11ססoo10101
11000100011 11000100101 I 1000 I 100m
102.1 1023 1023 1023 1023 1023 .13
1023 341
1023 1023 II
e
n -11
1023
341 1023 11001ססoo11 1023 11001001111 1023 11001010001 341 11001011011 1023 11001111001 1023 11001111111' 1023 1101ססoo101 93 11010001001 1023 11010100111 93 11010101101 341 11010110101 1023 11010111111 341 102) 110110ססoo1 11011001101 341 11011010011 1023 11011011111 1023 11011110111 341 11011111101 1023 111ססoo1111 341 lI1000100!)\ 341 11100010111 1023 11100011101 102~ 111001ססoo1 1023 11100101011 93 11100110101 341 11100111001 1023 11101000111 1023 11101001101 1023 11101010101 1023 1II010IlOOI 1023 11101100011 1023 11101111011 341 11101111101 1023 1111000ooo1 341 1111ססoo111 341 11110001101 1023 11110010011 1023 11110101001 341 11110110001 102J[ 11111000101 341
11000110111
11111011011 11111101011 11111110011 11111111001 11111111111,
10ס0ooooo
101 2047
1000ooo10\1\ ;2047 10ססoo101011
2047 2047
10ססoo101101
2047 1047
1ססoo1000111 1ססoo1100011
IfHlOO I 100101
i 2047
1ססoo1110001
2047 2047 100010001101 2047 100010010101 2047 100010011111 2047 100010101001 2047 100010110001 2047 100011000011 K9 100011001111 2047 100011010001 2047 1000111ססoo1 2047 100011100111 2047 100011101011 2047 100011110101 2047 1001ססoo1101 2047 100100010011 2047 100100100101 2047 100100101001 2047 K9 100100110111 100100111011 2047 IWloo111101 2047 100101000101 2047 100101001001 2047 100101010001 2047 100101011011 2047 100101110011 2047 100101110101 2047 100101111111 2047 100110ססoo11 2047 100110001111 2047 100110101011 2047 100110101101 2047 100110111001 2047 100111000111 2047 100111011001 2047 1ססoo1111011
i
TABLE C (cont.) Irreducible Polynomials for the Modulus 2

[Scanned table, n = 11: irreducible polynomials over F_2 given as 12-digit coefficient strings, each followed by its order (2047, 89 or 23); the column layout is not recoverable from this extraction.]
Irreducible Polynomials for the Modulus 3

[Scanned table from the section "Tables of Irreducible Polynomials", n = 1 to 7: irreducible polynomials over F_3 given as coefficient strings, each followed by its order; the column layout is not recoverable from this extraction.]
Irreducible Polynomials for the Modulus 5

[Scanned table, n = 1 to 5: irreducible polynomials over F_5 given as coefficient strings, each followed by its order; the column layout is not recoverable from this extraction.]
Irreducible Polynomials for the Modulus 7

[Scanned table, n = 1 to 4: irreducible polynomials over F_7 given as coefficient strings, each followed by its order; the column layout is not recoverable from this extraction.]
TABLE D

[Scanned table indexed by n = 1 to 100; the entry columns are not recoverable from this extraction.]
TABLE E (n = 2)

p = 11: q = 121, 120 = 2^3·3·5, φ(120)/2 = 16
p = 13: q = 169, 168 = 2^3·3·7, φ(168)/2 = 24
p = 17: q = 289, 288 = 2^5·3^2, φ(288)/2 = 48
p = 19: q = 361, 360 = 2^3·3^2·5, φ(360)/2 = 48
p = 23: q = 529, 528 = 2^4·3·11, φ(528)/2 = 80
p = 29: q = 841, 840 = 2^3·3·5·7, φ(840)/2 = 96
p = 31: q = 961, 960 = 2^6·3·5, φ(960)/2 = 128

[The (a1, a2) entries listed under each p are not recoverable from this extraction.]
TABLE F

[Scanned table: for each listed p^n (p = 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47) one polynomial of degree n over F_p, given by its coefficient string a1 a2 ... an; the column layout is not recoverable from this extraction.]
BIBLIOGRAPHY

Note. We list only textbooks suggested for further reading and some basic research articles. A more detailed bibliography can be found in: Lidl, R., and Niederreiter, H.: Finite Fields, Encyclopedia of Math. and Its Appl., vol. 20, Addison-Wesley, Reading, Mass., 1983; now published by Cambridge University Press.

Chapter 1
Books on Abstract Algebra:
Birkhoff, G., and MacLane, S.: A Survey of Modern Algebra, 4th ed., Macmillan, New York, 1977.
Fraleigh, J. B.: A First Course in Abstract Algebra, Addison-Wesley, Reading, Mass., 1982.
Herstein, I. N.: Topics in Algebra, 2nd ed., Xerox College Publ., Lexington, Mass., 1975.
Lang, S.: Algebra, Addison-Wesley, Reading, Mass., 1971.
Rédei, L.: Algebra, Pergamon Press, London, 1967.
van der Waerden, B. L.: Algebra, vol. 1, 7th ed., Springer-Verlag, Berlin, 1966.
Books on Applied Algebra:
Birkhoff, G., and Bartee, T. C.: Modern Applied Algebra, McGraw-Hill, New York, 1970.
Dornhoff, L. L., and Hohn, F. E.: Applied Modern Algebra, Macmillan, New York, 1978.
Lidl, R., and Pilz, G.: Applied Abstract Algebra, Springer-Verlag, New York, 1984.

Chapter 2
Dickson, L. E.: Linear Groups with an Exposition of the Galois Field Theory, Teubner, Leipzig, 1901; Dover, New York, 1958.
Herstein, I. N.: Noncommutative Rings, Carus Math. Monographs, no. 15, Math. Assoc. of America, Washington, D.C., 1968.
Hoffman, K., and Kunze, R.: Linear Algebra, 2nd ed., Prentice-Hall, Englewood Cliffs, N.J., 1971.
Jacobson, N.: Lectures in Abstract Algebra, vol. 3: Theory of Fields and Galois Theory, Springer-Verlag, New York, 1980; originally published by Van Nostrand, New York, 1964.

Chapter 3
Albert, A. A.: Fundamental Concepts of Higher Algebra, Univ. of Chicago Press, Chicago, 1956.
Berlekamp, E. R.: Algebraic Coding Theory, McGraw-Hill, New York, 1968.
MacWilliams, F. J., and Sloane, N. J. A.: The Theory of Error-Correcting Codes, North-Holland, Amsterdam, 1977.
Ore, O.: On a special class of polynomials, Trans. Amer. Math. Soc. 35, 559-584 (1933); Errata, ibid. 36, 275 (1934).
Ore, O.: Contributions to the theory of finite fields, Trans. Amer. Math. Soc. 36, 243-274 (1934).

Chapter 4
Berlekamp, E. R.: Algebraic Coding Theory, McGraw-Hill, New York, 1968.
Berlekamp, E. R.: Factoring polynomials over large finite fields, Math. Comp. 24, 713-735 (1970).
Cantor, D. G., and Zassenhaus, H.: A new algorithm for factoring polynomials over finite fields, Math. Comp. 36, 587-592 (1981).
Knuth, D. E.: The Art of Computer Programming, vol. 2: Seminumerical Algorithms, 2nd ed., Addison-Wesley, Reading, Mass., 1981.
McEliece, R. J.: Factorization of polynomials over finite fields, Math. Comp. 23, 861-867 (1969).
Rabin, M. O.: Probabilistic algorithms in finite fields, SIAM J. Computing 9, 273-280 (1980).
Zassenhaus, H.: On Hensel factorization I, J. Number Theory 1, 291-311 (1969).

Chapter 5
Hasse, H.: Vorlesungen über Zahlentheorie, 2nd ed., Springer-Verlag, Berlin, 1964.
Ireland, K., and Rosen, M.: A Classical Introduction to Modern Number Theory, Springer-Verlag, New York, 1982.

Chapter 6
Berlekamp, E. R.: Algebraic Coding Theory, McGraw-Hill, New York, 1968.
Fillmore, J. P., and Marx, M. L.: Linear recursive sequences, SIAM Rev. 10, 342-353 (1968).
Golomb, S. W.: Shift Register Sequences, Aegean Park Press, Laguna Hills, Cal., 1982.
Massey, J. L.: Shift-register synthesis and BCH decoding, IEEE Trans. Information Theory 15, 122-127 (1969).
Niederreiter, H.: On the cycle structure of linear recurring sequences, Math. Scand. 38, 53-77 (1976).
Zierler, N.: Linear recurring sequences, J. Soc. Indust. Appl. Math. 7, 31-48 (1959).

Chapter 7
Finite Geometries:
Albert, A. A., and Sandler, R.: An Introduction to Finite Projective Planes, Holt, Rinehart and Winston, New York, 1968.
Dembowski, P.: Finite Geometries, 2nd ed., Springer-Verlag, Berlin, 1977.
Hirschfeld, J. W. P.: Projective Geometries over Finite Fields, Clarendon Press, Oxford, 1979.
Hughes, D. R., and Piper, F. C.: Projective Planes, Springer-Verlag, New York, 1973.
Combinatorics:
Beth, T., Jungnickel, D., and Lenz, H.: Design Theory, Bibliographisches Institut, Mannheim, 1985.
Brualdi, R. A.: Introductory Combinatorics, North-Holland, Amsterdam, 1977.
Dénes, J., and Keedwell, A. D.: Latin Squares and Their Applications, Academic Press, New York, 1974.
Hall, M., Jr.: Combinatorial Theory, Blaisdell, Waltham, Mass., 1967.
Raghavarao, D.: Constructions and Combinatorial Problems in Design of Experiments, Wiley, New York, 1971.
Ryser, H. J.: Combinatorial Mathematics, Carus Math. Monographs, no. 14, Math. Assoc. of America, New York, 1963.
Storer, T.: Cyclotomy and Difference Sets, Markham, Chicago, 1967.
Linear Modular Systems:
Arbib, M. A., Falb, P. L., and Kalman, R. E.: Topics in Mathematical System Theory, McGraw-Hill, New York, 1969.
Dornhoff, L. L., and Hohn, F. E.: Applied Modern Algebra, Macmillan, New York, 1978.
Zadeh, L. A., and Polak, E.: System Theory, McGraw-Hill, New York, 1969.
Pseudorandom Sequences:
Golomb, S. W.: Shift Register Sequences, Aegean Park Press, Laguna Hills, Cal., 1982.
Knuth, D. E.: The Art of Computer Programming, vol. 2: Seminumerical Algorithms, 2nd ed., Addison-Wesley, Reading, Mass., 1981.
Niederreiter, H.: The performance of k-step pseudorandom number generators under the uniformity test, SIAM J. Sci. Statist. Computing 5, 798-810 (1984).
Niederreiter, H.: Distribution properties of feedback shift register sequences, Problems of Control and Information Theory, to appear.
Tausworthe, R. C.: Random numbers generated by linear recurrence modulo two, Math. Comp. 19, 201-209 (1965).
Zierler, N.: Linear recurring sequences, J. Soc. Indust. Appl. Math. 7, 31-48 (1959).

Chapter 8
Berlekamp, E. R.: Algebraic Coding Theory, McGraw-Hill, New York, 1968.
Blake, I. F., and Mullin, R. C.: The Mathematical Theory of Coding, Academic Press, New York, 1975.
MacWilliams, F. J., and Sloane, N. J. A.: The Theory of Error-Correcting Codes, North-Holland, Amsterdam, 1977.
McEliece, R. J.: The Theory of Information and Coding, Encyclopedia of Math. and Its Appl., vol. 3, Addison-Wesley, Reading, Mass., 1977; now published by Cambridge University Press.
Peterson, W. W., and Weldon, E. J., Jr.: Error-Correcting Codes, 2nd ed., M.I.T. Press, Cambridge, Mass., 1972.
Pless, V.: Introduction to the Theory of Error-Correcting Codes, Wiley, New York, 1982.
van Lint, J. H.: Introduction to Coding Theory, Springer-Verlag, New York, 1982.

Chapter 9
Books:
Beker, H., and Piper, F.: Cipher Systems. The Protection of Communications, Northwood Books, London, 1982.
Denning, D. E. R.: Cryptography and Data Security, Addison-Wesley, Reading, Mass., 1983.
Kahn, D.: The Codebreakers, Weidenfeld & Nicholson, London, 1967.
Konheim, A. G.: Cryptography. A Primer, Wiley, New York, 1981.
Meyer, C. H., and Matyas, S. M.: Cryptography. A New Dimension in Computer Data Security, Wiley, New York, 1982.
Articles:
Blake, I. F., Fuji-Hara, R., Mullin, R. C., and Vanstone, S. A.: Computing logarithms in finite fields of characteristic two, SIAM J. Algebraic Discrete Methods 5, 276-285 (1984).
Chor, B., and Rivest, R. L.: A knapsack type public key cryptosystem based on arithmetic in finite fields, Proc. CRYPTO '84, to appear.
Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two, IEEE Trans. Information Theory 30, 587-594 (1984).
Diffie, W., and Hellman, M. E.: New directions in cryptography, IEEE Trans. Information Theory 22, 644-654 (1976).
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Information Theory, to appear.
Jennings, S. M.: Multiplexed sequences: Some properties of the minimum polynomial, Cryptography (T. Beth, ed.), Lecture Notes in Computer Science, vol. 149, pp. 189-206, Springer-Verlag, Berlin, 1983.
Lempel, A.: Cryptology in transition, ACM Computing Surveys 11, 285-303 (1979).
McEliece, R. J.: A public-key cryptosystem based on algebraic coding theory, DSN Progress Report 42-44, Jet Propulsion Lab., Pasadena, Cal., 1978.
Niederreiter, H.: A public-key cryptosystem based on shift register sequences, Proc. EUROCRYPT '85, to appear.
Odlyzko, A. M.: Discrete logarithms in finite fields and their cryptographic significance, Proc. EU…
… logarithms over GF(p) and its cryptographic significance, IEEE Trans. Information Theory 24, 106-110 (1978).
Rivest, R. L., Shamir, A., and Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21, 120-126 (1978).

Chapter 10
Alanen, J. D., and Knuth, D. E.: Tables of finite fields, Sankhyā Ser. A 26, 305-328 (1964).
Church, R.: Tables of irreducible polynomials for the first four prime moduli, Ann. of Math. (2) 36, 198-209 (1935).
Conway, J. H.: A tabulation of some information concerning finite fields, Computers in Mathematical Research (R. F. Churchhouse and J.-C. Herz, eds.), pp. 37-50, North-Holland, Amsterdam, 1968.
Marsh, R. W.: Table of Irreducible Polynomials over GF(2) through Degree 19, Office of Techn. Serv., U.S. Dept. of Commerce, Washington, D.C., 1957.
Stahnke, W.: Primitive binary polynomials, Math. Comp. 27, 977-980 (1973).
Watson, E. J.: Primitive polynomials (mod 2), Math. Comp. 16, 368-369 (1962).
List of Symbols

Note. Symbols that appear only in a restricted context are not listed. Wherever appropriate, a page reference is given.

N  the set of natural numbers (= positive integers)
Z  the set of integers
Q  the set of rational numbers
R  the set of real numbers
C  the set of complex numbers
S_1 × ··· × S_n  the set of all n-tuples (s_1, ..., s_n) with s_i ∈ S_i for 1 ≤ i ≤ n
S^n  the set of all n-tuples (s_1, ..., s_n) with s_i ∈ S for 1 ≤ i ≤ n
|S|  cardinality (= number of elements) of the finite set S
[s]  equivalence class of s, 4
z̄  the complex conjugate of z
|z|  the absolute value of z
log z  the natural logarithm of z
e(t)  e^{2πit} for t ∈ R
[t]  the greatest integer ≤ t
max(k_1, ..., k_n)  the maximum of k_1, ..., k_n
min(k_1, ..., k_n)  the minimum of k_1, ..., k_n
gcd(k_1, ..., k_n)  the greatest common divisor of k_1, ..., k_n
lcm(k_1, ..., k_n)  the least common multiple of k_1, ..., k_n
(n choose k)  binomial coefficient
a ≡ b mod n  a congruent to b modulo n, 4
φ(n)  Euler's function of n, 7
μ(n)  Möbius function of n, 83
(a/p)  Legendre symbol, 167
A^T  the transpose of the matrix A
det(A)  the determinant of the matrix A
Tr(A)  the trace of the matrix A
rank(A)  the rank of the matrix A
D_r^{(s)}  Hankel determinant, 229
dim(V)  the dimension of the vector space V
|G|  the order of the finite group G, 5
⟨a⟩  the cyclic group generated by a, 4, 6
aH  the left coset of the group element a modulo the subgroup H, 6
G/H  the factor group of the group G modulo the normal subgroup H, 9
N(S)  the normalizer of the nonempty subset S of a group, 10
ker f  the kernel of the homomorphism f, 9, 14
(a)  the principal ideal generated by a, 13
[a]  the residue class of the ring element a modulo the ideal J, 13
a ≡ b mod J  congruence of ring elements a, b modulo the ideal J, 13
R/J  the residue class ring of the ring R modulo the ideal J, 13
Z_n  the group of integers modulo n, 5
Z/(n)  the ring of integers modulo n, 14
GL(k, F_q)  the general linear group of nonsingular k × k matrices over F_q, 191
R[x]  the polynomial ring over the ring R, 19
R[x_1, ..., x_n]  the ring of polynomials over the ring R in n indeterminates, 28
deg(f)  the degree of the polynomial f, 20, 29
D(f)  the discriminant of the polynomial f, 35
ord(f)  the order of the polynomial f, 75
f'  the derivative of the polynomial f, 27
f*  the reciprocal polynomial of f, 79
R(f, g)  the resultant of the polynomials f and g, 36
gcd(f_1, ..., f_n)  the greatest common divisor of the polynomials f_1, ..., f_n, 22
lcm(f_1, ..., f_n)  the least common multiple of the polynomials f_1, ..., f_n, 23
L_1(x) ⊗ L_2(x)  symbolic multiplication of linearized polynomials L_1(x) and L_2(x), 105
Q_n(x)  the nth cyclotomic polynomial, 60
σ_k(x_1, ..., x_n)  the kth elementary symmetric polynomial in n indeterminates, 29
K(M)  the extension of K obtained by adjoining M, 30
[L : K]  the degree of the field L over K, 32
K^{(n)}  the nth cyclotomic field over K, 59
E^{(n)}  the set of nth roots of unity over K, 59
F_q  the finite field of order q, 45
F_q^*  the multiplicative group of nonzero elements of F_q, 46
Tr_{F/K}(α)  the trace of α ∈ F over K, 50
Tr_F(α)  the absolute trace of α ∈ F, 50
N_{F/K}(α)  the norm of α ∈ F over K, 53
Δ_{F/K}(α_1, ..., α_m)  the discriminant of α_1, ..., α_m ∈ F over K, 57
ind_b(a)  the index (or discrete logarithm) of a with respect to the base b, 346
exp_b(r)  the discrete exponential function to the base b, 346
N_q(d)  the number of monic irreducible polynomials in F_q[x] of degree d, 82
I(q, n; x)  the product of all monic irreducible polynomials in F_q[x] of degree n, 85
Φ_q(f)  the number of polynomials in F_q[x] whose degree is less than deg(f) and which are relatively prime to f ∈ F_q[x], 113
F_q[[x]]  the ring of formal power series over F_q, 204
S(f(x))  the set of all homogeneous linear recurring sequences in F_q with characteristic polynomial f(x), 215
(symbol illegible in scan)  sequence obtained by decimation of the sequence σ, 285
(symbol illegible in scan)  sequence obtained by shifting the sequence σ, 287
Ĝ  the set of characters of the finite abelian group G, 163
χ̄  the conjugate of the character χ, 163
χ_0  the trivial additive character of F_q, 166
χ_1  the canonical additive character of F_q, 166
ψ_0  the trivial multiplicative character of F_q, 167
η  the quadratic character of F_q (q odd), 167
G(ψ, χ)  Gaussian sum, 168
AG(2, K)  the affine plane over the field K, 254
PG(2, K)  the projective plane over the field K, 254
AG(m, F_q)  affine geometry over F_q, 262
PG(m, F_q)  projective geometry over F_q, 260
d(x, y)  the Hamming distance between x and y, 303
w(x)  the Hamming weight of x, 303
d_C  the minimum distance of the linear code C, 304
C^⊥  the dual code of C, 308
S(y)  the syndrome of y, 305
Γ(L, g)  Goppa code, 326
□  end of proof, end of example, end of remark
Index

adder, 186, 187, 273
affine geometry, 262, 263
affine multiple, 103
affine plane, 253-255
affine polynomial, 103, 105, 120, 128
  see also q-polynomial(s)
affine subspace, 105
algebraic structure, 2
algebraic system, 1, 2
alternant code, 336, 337
annihilating polynomial, 56
annihilator, 165, 181
Artin lemma, 55
q-associate, 106-109
  linearized, 106, 126
authentication, 341
automorphism, 8, 49, 50, 70
  inner, 8
balanced incomplete block design, 263-265, 269, 295, 296
basis, 50, 54-59, 71, 114, 115
  complementary, 54
  dual, see dual basis
  normal, see normal basis
  polynomial, 53
  self-dual, 54, 71
BCH code, 299, 318-320, 335
  narrow-sense, 318, 325, 326
  primitive, 318
Berlekamp's algorithm, 130-134, 140
Berlekamp-Massey algorithm, 231
BIBD, see balanced incomplete block design
binary complement…
canonical factori…
character, 163-168
  additive, 166
  annihilating, 165
  canonical additive, 166
  conjugate, 163
  lifting of, 173, 182
  multiplicative, 167
  nontrivial, 163
  orthogonality relations, 165, 167, 168
  product, 163
  quadratic, 167
  trivial, 163
  trivial additive, 166
  trivial multiplicative, 167
character group, 163, 182
characteristic, 16
characteristic matrix, 272
characteristic polynomial
  of element, 50, 70, 91-93, 369, 374-376
  for linear operator, 56
  of matrix, see matrix
  reciprocal, 207
  of sequence, see linear recurring sequence(s)
characterizing matrices, 272
character sum, 162, 180, 181, 236-240, 250
Chien search, 322, 323
Chinese remainder theorem, 38, 40
cipher, 338
  block, 340
  Caesar, 338
  stream, 342
  substitution, 338
  see also cryptosystem
cipher system, 338
  see also cryptosystem
ciphertext, 339
class equation, 10, 66
code, 300, 301
  alternant, 336, 337
  BCH, see BCH code
  binary, 302
  cyclic, see cyclic code
  dimension of, 302
  dual, see dual code
  equiv…
…
  forced, 276
  free, 276
congruence, 4, 6, 13
  left, 6
conic, 258
  degenerate, 258
  nondegenerate, 258
  tangent of, 258
conjugacy class, 10
conjugate, 49, 50
  of set, 8
constant adder, 186, 187
constant multiplier, 186, 187, 273
constant term, 20
control symbol, 301
conventional cryptosystem, 338-340, 349
correlation coefficient, 282-285
correlation test, 282
coset, 6, 7
  left, 6
  right, 6
coset leader, 305
coset-leader algorithm, 305, 306
cryptanalysis, 338
cryptography, 338
cryptology, 338
cryptosystem, 338-340
  conventional, 338-340, 349
  DES, 340
  FSR, 357, 358
  Goppa-code, 360-362
  Hill, 366
  knapsack-type, 358-360
  public-key, 340, 341
  RSA, 348
  single-key, 339
cycle, 277
  length of, 277
  pure, 277
cycle sum, 278-281
cycle term, 278
cyclic code, 311-325
  irreducible, 313
  maximal, 313
  shortened, 335
cyclic group, see group
cyclic vector, 56
cyclotomic field, 59, 61, 62, 72
cyclotomic polynomial, 60-62, 64, 66, 72, 73, 84-86, 96, 97, 124, 128, 138, 139
Davenport-Hasse theorem, 173
de Bruijn sequence, 246
decimated sequence, 285-287, 297, 298, 345, 364
decim…
…
  for linear code, 304-306
  scheme, 300
degree
  of algebraic element, 31
  of extension, 32
  formal, 36
  of polynomial, 20, 29
delay element, 186, 270, 273
derivative, 27, 40, 41, 70
Desarguesian plane, 256-259
Desargues's theorem, 255-257, 260
DES cryptosystem, 340
design, 262
design of experiments, 269
diagonalization algorithm, 145-147
difference equation, see linear recurrence relation
difference set, 265-267, 296
Diffie-Hellman scheme, 348
digital method, 288
digital signature, 341, 349
discrete exponential function, 346-349, 367
discrete logarithm, 346, 347, 358, 359, 365, 367
discrete logarithm algorithm, 349-357
discriminant
  of elements, 57, 58, 71, 72
  of polynomial, 35-37, 122
distribution test, 282, 283
distributive laws, 11, 12
division algorithm, 20
division ring, 12, 65-69
divisor, 17
dot product, 308
dual basis, 54, 71, 369, 374-376
du…
element
  algebraic, 31
  associate, 17
  binary, 15
  conjugate, 8
  defining, 30
  identity, 2
  inverse, 2
  multiple of, 3
  order of, 6, 7
  power of, 3, 69, 181
  prime, 17
  primitive, see primitive element
  unity, 2
  zero, 11
enciphering scheme, 339
endomorphism, 8
epimorphism, 8
equivalence class, 4
equivalence relation, 4
error-correcting code, 303
  see also code
error-evaluator polynomial, 329, 330
error-location number, 316, 320, 329
error-locator polynomial, 322, 329, 330
error value, 320, 329
error vector, 303
error word, 303
Euclidean algorithm, 22, 38, 330, 336, 355, 356
Euler's function, 7, 37
exponential sum, 162-184, 236-240, 250
exponent of polynomial, see order
extension (field), 30-35
  algebraic, 31
  degree of, 32
  finite, 31
  simple, 30, 33, 34
factor group, 9
factorization
  of integers, 78
  of polynomials, 23, 24, 29, 39, 97, 98, 108, 116-118, 120, 129-150
  symbolic, 108, 109
factor ring, 13
Fano plane, 253, 254, 263
feedback shift register, 186-188, 193, 314
Fermat's little theorem, 37
Fibonacci sequence, 246
field, 12
  cyclotomic, see cyclotomic field
  finite, see finite field
  prime, 30
  see also extension
… field, 15, 45
  see also finite field
…
… sum, 168-180, 182, 183, 238, 242-244, 250
gener…
Hadamard matrix, 269-271, 296
  normalized, 270, 296
Hamming bound, 307
Hamming code, 307-311, 314, 315, 333
  binary, 307, 311, 314, 315, 333
Hamming distance, 303
Hamming weight, 303
Hankel determinant, 229-231, 249
Hill cryptosystem, 360
homomorphism, 8, 14
homomorphism theorem
  for groups, 10
  for rings, 14, 15
hyperplane, 259, 262, 266
ideal, 13
  maximal, 17
  prime, 17
  principal, 13
identity element, 2
impulse response sequence, 193-195, 199, 213
incidence matrix, 263, 264
incidence relation, 252-254, 262
indeterminate, 19
index-calculus algorithm, 352-357
index function, 346, 367
  see also discrete log…
input space, 272
input symbol, 272
integral domain, 12
interpolation, 28, 41, 363
inverse element, 2
irreducible polynomial, 23-25, 28, 31, 47, 48, 75, 76, 82-91, 97, 98, 115, 118-128, 160, 183, 377-387
isomorphism, 8, 14
Jacobi's logarithm, 69, 374-376
kernel of homomorphism
  group, 9
  ring, 14
key, 339, 340
key-exchange system, 348
knapsack-type cryptosystem, 358-360
Kronecker's method, 39
Lagrange interpolation formula, 28, 41, 363
Latin square(s), 267-269, 296
  mutually orthogonal, 267-269, 296
  normalized, 296
  orthogonal, 267-269, 296
law of quadratic reciprocity, 179, 183
Legendre symbol, 167, 179
line(s)
  at infinity, 255
  parallel, 255
linearized polynomi…
…
  order, 186
linear recurring sequence(s), 186
  addition, 215, 218-221
  binary complementation, 221
  characteristic polynomial, 195-201, 207-211, 214, 215, 226-228
  characterization, 228-231
  decimation, see decimation
  distribution properties, 235-245, 250
  families of, 215-228
  homogeneous, 186
  inhomogeneous, 186
  least period, 189-195, 199, 200, 212, 213, 220-223, 227, 247, 248
  minimal polynomial, 211-215, 218-223, 230-235, 247-249
  multiplication, 224, 225
  order, 186
  reciprocal characteristic polynomial, 207
  scalar multiplication, 215
LMS, see linear modular system
MacWilliams identity, 310, 311
magic square, 296
matrix
  associated with sequence, 191-195, 199
  characteristic polynomial of, 93, 160, 276-278
  elementary block of, 279, 280
  Hadamard, see Hadamard matrix
  minimal polynomial of, 278-280
  rational canonical form of, 279
matrix of polynomials, 143-147
  diagonalization, 145-147
  equivalence, 144
  nonsingular, 144
  normalized, 146
  unimodular, 144
maximal ideal, 17
maximal period sequence, 201, 240, 241, 246, 282-288, 297, 298, 343
Mersenne prime, 348, 351, 352
message symbol, 300, 301
minimal polynomial
  of element, 31, 86, 87, 91-97, 365, 374-376
  for linear operator, 56
  of matrix, 278-280
  of sequence, see linear recurring sequence(s)
minimum distance, 304, 308, 318, 319, 327, 328, 333-337
q-modulus, 109, 110, 114
Möbius function, 83, 124
Möbius inversion formula, 83, 84
multiplexed sequence, 343-346, 363, 364
multiplexer, 343
nearest neighbor decoding, 303
Newton's formula, 29, 30
next-state function, 272
no-key algorithm, 349
non-Desarguesian plane, 256, 257
norm, 53, 54, 70, 71
  transitivity of, 54
normal basis, 55-59, 71, 115, 127, 365, 369, 374-376
  self-dual, 71, 127
normal basis theorem, 56, 57, 59, 115
normalization method, 2…
operation, see binary operation
order
  of character, 170, 182
  of element, 6, 7
  of group, 5, 7
  of line…
permutation matrix, 360, 361
plaintext, 339
plaintext message, 339
Plotkin bound, 308
polynomial(s), 19-28
  affine, see affine polynomial
  affine multiple of, 103
  canonical factorization of, 24
  characteristic, see char…
  homogeneous, 29
  irreducible, see irreducible polynomial
  least common multiple of, 22, 23, 39
  linearized, see linearized polynomial
  matrix of, see matrix of polynomials
  minimal, see minimal polynomial
  monic, 20
  order of, see order
  pairwise relatively prime, 22
  period of, see order
  primitive, see primitive polynomial
  product of, 19
  reciprocal, 79, 123
  reciprocal characteristic, 207
  reducible, 23
  f-reducing, 131-137
  relatively prime, 22
  resultant of, see resultant
  root of, see root(s)
  self-reciprocal, 123, 128
  splitting of, 34, 35
  sum of, 19
  symmetric, 29
  zero, 19
q-polynomial(s), 99, 101-105, 106-114, 126
  affine, 103, 105, 126, 128
  greatest common symbolic divisor of, 109
  minimal, 111-113, 126
  symbolically irreducible, 108, 110
  symbolic division of, 106, 107
  symbolic multiplication of, 105, 106
  see also q-associate, linearized polynomial
polynomial basis, 53
polynomial ring, 19, 28, 204
preperiod of sequence, 189, 245, 247
prime element, 17
prime field, 30
prime ideal, 17
primitive element, 47, 49, 59, 63, 80, 90, 97, 182, 168
primitive polynomial, 80-82, 87, 90-98, 121, 123, 377, 388-391
q-primitive root, 110-114
principal ideal, 13
principal ideal domain, 17
principle of substitution, 27
probabilistic root-finding algorithm, 151
projective correspondence, 258
projective geometry, see projective space
projective plane, 252-259, 262-263, 295
  Desarguesian, 256-259
  finite, 252-259, 262-265, 295
  non-Desarguesian, 256, 257
  order of, 253-257
projective space, 259-263, 266, 295
  finite, 260-263, 266, 295
pseudorandom sequence of bits, 282
public-key cryptosystem, 340, 341
quadratic reciprocity, see law of quadratic reciprocity
quotient group, 9
random sequence
  of bits, 281, 282, 342
  of re…
secant, 258
sequence
  decimated, see decimated sequence
  impulse response, see impulse response sequence
  least period of, 189
  maximal period, see maximal period sequence
  multiplexed, 343-346, 363, 364
  periodic, 189, 247
  period of, 189-191
  preperiod of, 189, 245, 247
  pseudorandom, 282
  random, see random sequence
  shifted, 287, 288, 297, 298
  ultimately periodic, 189
  of uniform pseudorandom numbers, 288-294
  of uniform random numbers, 288
  zero, 215
  see also linear recurring sequence(s)
serial test, 282, 294
Shannon's theorem, 299
shifted sequence, 287, 288, 297, 298
Silver-Pohlig-Hellman algorithm, 350-352
single-key cryptosystem, 339
Singleton bound, 333
skew field, see division ring
smooth integer, 350
m-space, see projective space
splitting field, 35, 48, 134
  existence and uniqueness, 35
square and multiply technique, 347
state, 272, 273
  order of, 277, 278, 281
state graph, 277, 278, 296
  path in, 277
state set, 272
state space, 272
state vector, 188-191, 193-195, 214, 215
  initial, 188
  modified, 192
Steiner triple system, 263
Stickelberger's theorem, 177-179
stream cipher, 342
subfield, 30
  criterion for, 45, 46
  maximal, 67, 68
  prime, 30
  proper, 30
subgroup, 6
  generated by element, 6
  generated by subset, 6
  index of, 7
  nontrivial, 6
  normal, 9
  trivial, 6
subring, 13
substitution cipher, 338
symmetric polynomial, 29
  elementary, 29
symmetry of relation, 4
syndrome, 305, 306, 315
syndrome polynomial, 329
tactical configuration, 262, 263
  symmetric, 262
tangent, 258
Tausworthe method, 288
term of polynomial, 29
test for randomness, 282, 288, 289
theorem of Pappus, 255-257
threshold scheme, 362, 363
trace, 50-53, 70, 71
  absolute, 50
  transitivity of, 52, 53
transitivity of relation, 4
trapdoor one-way function, 341
trinomial, 118-122, 127, 128
  irreducible, 118, 119, 121, 122, 127, 128
  primitive, 121
uniformity test, 289, 290
uniform pseudorandom numbers, 288-294
uniform random numbers, 288
unique factorization, 23, 24, 29
unit, 17
unity element, 2
Waring's formula, 30
Wedderburn's theorem, 65-69, 256
weight, 303
weight enumerator, 309-311, 334
Wilson's theorem, 37
Zassenhaus algorithm, 142, 143
zero divisor, 12
zero element, 11
zero of polynomial, 27, 42
  see also root(s)
zero polynomial, 19
zero sequence, 215