generalizations of the normal basis theorem of finite fields


SIAM J. Disc. MATH. Vol. 3, No. 3, pp. 330-337, August 1990

(C) 1990 Society for Industrial and Applied Mathematics 003

GENERALIZATIONS OF THE NORMAL BASIS THEOREM OF FINITE FIELDS*

NADER H. BSHOUTY† AND GADIEL SEROUSSI‡

Abstract. A combinatorial characterization of sets of integers $\{r_0, r_1, \ldots, r_{n-1}\}$, with $0 \le r_i \le q^n - 2$, such that $\alpha^{r_0}, \alpha^{r_1}, \ldots, \alpha^{r_{n-1}}$ form a basis of $GF(q^n)$ over $GF(q)$ for some $\alpha \in GF(q^n)$ is presented. This characterization is used to prove the following generalization of the normal basis theorem for finite fields of characteristic two: Let $\lambda_0, \lambda_1, \ldots, \lambda_{n-1}$ be integers in the range $0 \le \lambda_i < q$, with at most one $\lambda_i$ equal to zero. Then, there exists an element $\alpha \in GF(q^n)$ such that $\alpha^{\lambda_0}, \alpha^{\lambda_1 q}, \alpha^{\lambda_2 q^2}, \ldots, \alpha^{\lambda_{n-1} q^{n-1}}$ form a basis of $GF(q^n)$ over $GF(q)$. This result, which includes the normal basis theorem as a particular case when $\lambda_0 = \lambda_1 = \cdots = \lambda_{n-1} = 1$, is proved for all choices of $\lambda_0, \lambda_1, \ldots, \lambda_{n-1}$ satisfying the above conditions when $n$ is odd, and for more restricted sets of values $\lambda_i$ when $n$ is even.

Key words. finite fields, normal bases

AMS(MOS) subject classification. 12

1. Introduction. Let $q = p^t$ for some prime integer $p$ and integer $t \ge 1$, let $F = GF(q)$ denote the finite field of $q$ elements, and let $K = GF(q^n)$, $n \ge 1$, denote the $n$th degree extension of $F$. The classical normal basis theorem for finite fields can be stated as follows (see, for instance, [1, p. 60], [2, p. 122]):

THEOREM 1. There exists an element $\alpha \in K$ such that $\{\alpha, \alpha^{q}, \alpha^{q^2}, \ldots, \alpha^{q^{n-1}}\}$ is a basis of $K$ over $F$.

The basis referred to in Theorem 1 is called a normal basis. Normal bases have recently received special attention in the literature due to their application to the design of efficient multipliers for finite fields ([3]-[6]).

In this paper we conjecture and partially prove the following generalization of the normal basis theorem: Let $\lambda_0, \lambda_1, \lambda_2, \ldots, \lambda_{n-1}$ be integers in the range $0 \le \lambda_i < q$, with at most one of the $\lambda_i$ equal to zero. Then, there exists an element $\alpha \in K$ such that $\alpha^{\lambda_0}, \alpha^{\lambda_1 q}, \alpha^{\lambda_2 q^2}, \ldots, \alpha^{\lambda_{n-1} q^{n-1}}$ form a basis of $K$ over $F$. We call this a generalized normal basis theorem. Notice that the normal basis theorem is a particular case of the generalized normal basis theorem, with $\lambda_0 = \lambda_1 = \lambda_2 = \cdots = \lambda_{n-1} = 1$.

Our generalization of the normal basis theorem is based on a combinatorial characterization of sets of integers $\{r_0, r_1, \ldots, r_{n-1}\}$ such that $\alpha^{r_0}, \alpha^{r_1}, \ldots, \alpha^{r_{n-1}}$ form a basis of $K$ over $F$ for some $\alpha \in K$. This characterization is presented in §2, while its application to the generalized normal basis theorem is presented in §3, where we prove the theorem in full generality for $q$ even and $n$ odd, and in a more restricted form for $q$ and $n$ even. Finally, in the concluding §4 we present other potential applications of the results of §2, conjecture that the generalized normal basis theorem is true for all finite fields, and present evidence to the validity of the conjecture.

The following notation is used throughout the paper: for integers or polynomials $a$ and $b$, $a \nmid b$ denotes "$a$ does not divide $b$," $a \bmod b$ is the least positive (or least degree) residue of $a$ modulo $b$, $\det(M)$ denotes the determinant of a matrix $M$, and $|A|$ denotes the cardinality of a set $A$.

* Received by the editors April 10, 1989; accepted for publication (in revised form) August 18, 1989.

† Department of Computer Science, Technion-Israel Institute of Technology, Haifa 32000, Israel.

‡ Hewlett-Packard Laboratories, 1501 Page Mill Road, Palo Alto, California 94304. Part of this work was done while the author was with the Department of Computer Science, Technion-Israel Institute of Technology and with Cyclotomics Incorporated, Berkeley, California.


2. A combinatorial characterization of bases. Let $x_0, x_1, x_2, \ldots, x_{n-1}$ be indeterminates, and define the polynomial

$$\Delta(x_0, x_1, \ldots, x_{n-1}) = \det \begin{pmatrix} x_0 & x_0^{q} & \cdots & x_0^{q^{n-1}} \\ x_1 & x_1^{q} & \cdots & x_1^{q^{n-1}} \\ \vdots & \vdots & & \vdots \\ x_{n-1} & x_{n-1}^{q} & \cdots & x_{n-1}^{q^{n-1}} \end{pmatrix}. \tag{1}$$

The following is a well-known characterization of bases of $K$ over $F$ (see, for instance, [1, p. 62]).

LEMMA 1. A set of $n$ elements $\beta_0, \beta_1, \beta_2, \ldots, \beta_{n-1} \in K$ form a basis of $K$ over $F$ if and only if

Let $R = \{r_0, r_1, \ldots, r_{n-1}\}$ be a set of integers in the range $0 \le r_i \le q^n - 2$, $0 \le i \le n - 1$. We say that $\alpha \in K$ satisfies $R$ if $\alpha^{r_0}, \alpha^{r_1}, \ldots, \alpha^{r_{n-1}}$ form a basis of $K$ over $F$. We say that $R$ is satisfiable if there exists an element $\alpha \in K$ such that $\alpha$ satisfies $R$. (Of course, satisfiability is relative to the particular choice of field $K$ and subfield $F$. In the sequel, we assume that these fields are well defined in the context.)

LEMMA 2. Let $D_R(x) = \Delta(x^{r_0}, x^{r_1}, \ldots, x^{r_{n-1}})$. Then, $R$ is satisfiable if and only if $(x^{q^n-1} - 1) \nmid D_R(x)$.

Proof. Assume that $\alpha \in K$ satisfies $R$. Obviously, $\alpha$ must be nonzero. By the definition of $D_R(x)$, and by Lemma 1,

$$D_R(\alpha) = \Delta(\alpha^{r_0}, \alpha^{r_1}, \ldots, \alpha^{r_{n-1}}) \ne 0.$$

Hence, $\alpha$ is not a root of $D_R(x)$. Since $\alpha$ is a root of $(x^{q^n-1} - 1)$ (all nonzero elements of $K$ are), it follows that $(x^{q^n-1} - 1) \nmid D_R(x)$. The proof of the "if" part is a straightforward reversion of the above argument. □

The main results of this paper are based on the following theorem.

THEOREM 2. Let $R = \{r_0, r_1, \ldots, r_{n-1}\}$ be a set of integers in the range $0 \le r_i \le q^n - 2$, and let $s$ be an arbitrary integer. Consider the congruence

$$\sum_{i=0}^{n-1} r_i q^{\phi(i)} \equiv s \bmod (q^n - 1), \tag{2}$$

where $\phi$ denotes a permutation on $\{0, 1, \ldots, n-1\}$. Let $N_e(s)$ (respectively, $N_o(s)$) denote the number of even (respectively, odd) permutations $\phi$ satisfying (2). Then, $R$ is satisfiable if and only if there exists an integer $s$ such that

$$N_e(s) \not\equiv N_o(s) \bmod p. \tag{3}$$

Proof. Consider the polynomial $D_R(x)$ defined in Lemma 2. By straightforward application of the determinant formula, we obtain

$$D_R(x) = \Delta(x^{r_0}, x^{r_1}, \ldots, x^{r_{n-1}}) = \sum_{\phi \in S_n} \mathrm{sg}(\phi) \prod_{i=0}^{n-1} x^{r_i q^{\phi(i)}} = \sum_{\phi \in S_n} \mathrm{sg}(\phi)\, x^{\sum_{i=0}^{n-1} r_i q^{\phi(i)}}. \tag{4}$$

Here, $S_n$ denotes the symmetric group on $\{0, 1, \ldots, n-1\}$, and $\mathrm{sg}(\phi)$ denotes the sign of $\phi \in S_n$. Let

$$\bar{D}_R(x) = \sum_{s=0}^{q^n-2} D_s x^s \tag{5}$$


denote the least degree residue of $D_R(x)$ modulo $(x^{q^n-1} - 1)$. By Lemma 2, $R$ is satisfiable if and only if $\bar{D}_R(x) \ne 0$, that is, if and only if $D_s \ne 0$ for some $0 \le s \le q^n - 2$. An explicit expression for the coefficients $D_s$ can be obtained by grouping together the contributions of terms at the right-hand side of (4) whose exponents are congruent to $s$ modulo $(q^n - 1)$. Hence, we obtain

(6) $D_s$

where

$$(s) = \Big\{ \phi \in S_n \;\Big|\; \sum_{i=0}^{n-1} r_i q^{\phi(i)} \equiv s \bmod (q^n - 1) \Big\}. \tag{7}$$

Since (s) is the set of solutions to (2), it follows from (6) and from the definitions of $N_e(s)$ and $N_o(s)$ that $D_s = N_e(s) - N_o(s)$. The latter is an operation on field integers, and thus it is carried out modulo $p$. Therefore, $D_s \ne 0$ if and only if $N_e(s) \not\equiv N_o(s) \bmod p$. □

3. Generalization of the normal basis theorem for fields of characteristic two. In this section, we consider finite fields of characteristic 2, i.e., $F = GF(q)$, with $q = 2^t$. We start with a series of lemmas leading to the main results of the section.

The following lemma is a generalization of the uniqueness of radix-$q$ representation of numbers. Its proof is deferred to the Appendix.

LEMMA 3. Let $n$ and $m$ be integers with $1 \le m \le n$, and let $\lambda_0, \lambda_1, \ldots, \lambda_{m-1}$, $k_0, k_1, \ldots, k_{m-1}$, $j_0, j_1, \ldots, j_{m-1}$, be integers satisfying the following conditions:

$$0 < \lambda_0, \lambda_1, \ldots, \lambda_{m-1} < q, \tag{8}$$

$$0 \le k_0, k_1, \ldots, k_{m-1} \le n - 1, \tag{9}$$

$$0 \le j_0 < j_1 < \cdots < j_{m-1} \le n - 1, \tag{10}$$

$$\sum_{i=0}^{m-1} \lambda_i q^{k_i} \equiv \sum_{i=0}^{m-1} \lambda_i q^{j_i} \bmod (q^n - 1). \tag{11}$$

Then,

$$\{k_0, k_1, \ldots, k_{m-1}\} = \{j_0, j_1, \ldots, j_{m-1}\}. \tag{12}$$

In the following, all arithmetic operations on indices from the set $\{0, 1, \ldots, n-1\}$ are carried out modulo $n$, unless noted otherwise. Also, we decompose $n$ (the extension degree of $K$ over $F$) as $n = 2^k m$, with $k \ge 0$ and $m$ odd.

Let $B_n$ denote the set of permutations $\psi \in S_n$ satisfying the following properties:

(P1) $\psi(i) = \psi(i + m) + m$, $0 \le i \le n - 1$,

(P2) $\{i + \psi(i) \mid 0 \le i \le m - 1\} = \{0, 2, \ldots, 2(m-1)\}$.

Note that if property (P1) is satisfied, then $\psi(i) + i = \psi(i + m) + (i + m)$, $0 \le i \le n - 1$. It follows that when (P1) is true, (P2) is equivalent to

(P2') $\{i + \psi(i) \mid 0 \le i \le n - 1\} = \{0, 2, \ldots, 2(m-1)\}$.

Note also that the set at the right-hand side of (P2) and (P2') contains exactly $m$ elements, even though its members are computed modulo $n$.


LEMMA 4. (i) If $\psi \in B_n$, then $\psi^{-1} \in B_n$.

(ii) There is one and only one permutation $\psi_0$ in $B_n$ such that $\psi_0 = \psi_0^{-1}$. The permutation $\psi_0$ is defined by

$$\psi_0(i) = \begin{cases} i, & 0 \le i \le m - 1, \\ \psi_0(i - m) - m, & m \le i \le n - 1. \end{cases} \tag{13}$$

(iii) $|B_n|$ is odd.

Proof. (i) Assume $\psi \in B_n$. Let $i \in \{0, 1, \ldots, n-1\}$, and let $j = \psi^{-1}(i + m)$. By property (P1) of $\psi$, we have $\psi(j + m) = \psi(j) - m$. Substituting $\psi^{-1}(i + m)$ for $j$, we obtain $\psi(\psi^{-1}(i + m) + m) = i$, which implies that $\psi^{-1}(i + m) + m = \psi^{-1}(i)$. Hence, $\psi^{-1}$ satisfies (P1). To show that $\psi^{-1}$ satisfies (P2), notice that if $\psi$ satisfies (P2') then so does $\psi^{-1}$. Since (P2') is equivalent to (P2) once (P1) is established, $\psi^{-1}$ satisfies (P2).

(ii) It can be readily verified that $\psi_0 \in B_n$, and that $\psi_0 = \psi_0^{-1}$. Assume that $\psi \in B_n$, and $\psi = \psi^{-1}$. Furthermore, assume that $\psi \ne \psi_0$. By property (P1), $\psi$ is uniquely determined by its values at $0, 1, \ldots, m-1$. Therefore, we must have $\psi(h) \ne \psi_0(h) = h$ for some $h$, $0 \le h \le m - 1$, and we can write

$$\psi(h) = j + wm, \quad 0 \le j \le m - 1, \quad 0 \le w < 2^k, \tag{14}$$

where either $j \ne h$ or $w > 0$. If $j \ne h$, then, since $\psi = \psi^{-1}$, (14) implies

$$h = \psi(j + wm). \tag{15}$$

By property (P1) of $\psi$, it follows from (15) that $h = \psi(j) - wm$, which, combined with (14) implies

$$\psi(h) + h = \psi(j) + j. \tag{16}$$

This contradicts (P2), since we have $0 \le h, j \le m - 1$, and the set

$$\{i + \psi(i) \mid 0 \le i \le m - 1\}$$

must contain exactly $m$ elements. Hence, we cannot have $j \ne h$. Assume $j = h$ and $w > 0$. Since $w < 2^k = n/m$, we must have $m < n$, and $n$ must be even. Equation (14) can now be rewritten as

$$\psi(h) + h = 2h + wm, \quad 0 < w < 2^k. \tag{17}$$

From (17) and property (P2), it follows that $2h + wm \equiv 2i \bmod n$ for some $0 \le i \le m - 1$. Since $n$ is even and $m$ is odd, $w$ must be even, and, therefore, we must have $2 \le w \le 2^k - 2$. But then, since $0 \le h \le m - 1$, it follows from (17) that $2m \le \psi(h) + h < n$, which, again, contradicts property (P2). Therefore, we must have $\psi = \psi_0$.

(iii) This part follows directly from parts (i) and (ii), since $B_n$ consists of $\psi_0$ and possibly other permutations in pairs of distinct inverses. □

Let $\Lambda = (\lambda_0, \lambda_1, \ldots, \lambda_{n-1})$ be a vector of integers in the range $0 \le \lambda_i < q$, with at most one $\lambda_i$ equal to zero. We say that $\Lambda$ is $m$-periodic if $\lambda_{i+m} = \lambda_i$, $0 \le i \le n - 1$. In the following discussion, we assume that such an $m$-periodic vector $\Lambda$ is given. For an arbitrary permutation $\sigma \in S_m$, let

$$s(\sigma) = \sum_{i=0}^{n-1} \lambda_i q^{2\sigma(i \bmod m)}. \tag{18}$$


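Consider the set of congruences

$$\sum_{i=0}^{n-1} \lambda_i q^{i + \phi(i)} \equiv s(\sigma) \bmod (q^n - 1), \tag{19}$$

for all $\sigma \in S_m$, with $\phi \in S_n$. Let $\Gamma_\sigma$ denote the set of solutions of (19) for a given $\sigma$, and let $\Gamma = \bigcup_{\sigma \in S_m} \Gamma_\sigma$.

LEMMA 5. Consider the transformation $T: S_n \to S_n$ defined by

$$(\phi T)(i) = \phi(i + m) + m, \quad \phi \in S_n, \quad 0 \le i \le n - 1. \tag{20}$$

If $\phi \in \Gamma_\sigma$ for some $\sigma$, then $\phi T \in \Gamma_\sigma$.

Proof. Since $\phi \in \Gamma_\sigma$, $\phi$ satisfies (19). Substituting $i + m$ for $i$ in the sum at the left-hand side of (19), and recalling that indices are taken modulo $n$, we obtain

$$\sum_{i=0}^{n-1} \lambda_{i+m} q^{i + m + \phi(i+m)} \equiv s(\sigma) \bmod (q^n - 1). \tag{21}$$

Using the definition of $T$, and recalling that $\lambda_{i+m} = \lambda_i$, $0 \le i \le n - 1$, it follows from (21) that

$$\sum_{i=0}^{n-1} \lambda_i q^{i + (\phi T)(i)} \equiv s(\sigma) \bmod (q^n - 1). \tag{22}$$

Hence,

LEMMA 6. For any $\phi \in S_n$, let $G_\phi = \{\phi, \phi T, \phi T^2, \ldots\}$. Then, $|G_\phi| = 2^h$ for some integer $h$, $0 \le h \le k$.

Proof. From the definition of $T$ in (20), and from the fact that $n = 2^k m$, it follows that $\phi T^{2^k} = \phi$ for all $\phi \in S_n$. Therefore, by a standard group-theoretic argument, the least positive integer $g_\phi$ satisfying $\phi T^{g_\phi} = \phi$ must divide $2^k$. Hence, $|G_\phi| = g_\phi = 2^h$ for some $0 \le h \le k$. □

LEMMA 7. $|\Gamma|$ is odd.

Proof. It follows from the result of Lemma 5 and from the arguments in the proof of Lemma 6 that the transformation $T$ induces a partition of $\Gamma$ into disjoint orbits of the form $G_\phi = \{\phi, \phi T, \phi T^2, \ldots, \phi T^{g_\phi - 1}\}$. If $\phi T \ne \phi$, then by Lemma 6 $g_\phi$ is a nontrivial power of two, and $G_\phi$ contributes an even number of permutations to $\Gamma$. Hence, it remains to show that there is an odd number of permutations $\phi$ in $\Gamma$ that satisfy $\phi T = \phi$ (i.e., $g_\phi = 1$). We claim that the set of all such $\phi$ is precisely $B_n$. Since by Lemma 4(iii) $|B_n|$ is odd, this would suffice to prove Lemma 7. To prove the claim, we first notice that if $\phi T = \phi$ then $\phi$ satisfies property (P1). Hence, $\phi(i) + i = \phi(i + m) + (i + m)$, and, since $\lambda_i = \lambda_{i+m}$, $0 \le i \le n - 1$, we have

$$\sum_{i=0}^{n-1} \lambda_i q^{i + \phi(i)} = 2^k \sum_{i=0}^{m-1} \lambda_i q^{i + \phi(i)}, \tag{23}$$

and

$$s(\sigma) = \sum_{i=0}^{n-1} \lambda_i q^{2\sigma(i \bmod m)} = 2^k \sum_{i=0}^{m-1} \lambda_i q^{2\sigma(i)} \tag{24}$$

for all $\sigma \in S_m$. Now, since $\phi \in \Gamma$, $\phi$ satisfies (19) for some $\sigma$. Using (23) and (24), and noting that $2^k$ has an inverse modulo $q^n - 1$, we can rewrite (19) as

$$\sum_{i=0}^{m-1} \lambda_i q^{i + \phi(i)} \equiv \sum_{i=0}^{m-1} \lambda_i q^{2\sigma(i)} \bmod (q^n - 1). \tag{25}$$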


If $\lambda_i \ne 0$ for all $0 \le i \le m - 1$, then by Lemma 3, (25) implies that

$$\{i + \phi(i) \mid 0 \le i \le m - 1\} = \{0, 2, \ldots, 2(m-1)\}. \tag{26}$$

Thus, $\phi$ satisfies (P2), and, hence, $\phi \in B_n$. If $\lambda_a = 0$ for some $0 \le a \le m - 1$, then we must have $m = n$, since $\Lambda$ is $m$-periodic and at most one element of $\Lambda$ can be zero. Therefore, $n$ must be odd. Let $b = 2\sigma(a) \bmod n$. Then, it follows from (25) and Lemma 3 that

$$\{i + \phi(i) \mid 0 \le i \le n - 1,\ i \ne a\} = \{0, 1, \ldots, n-1\} - \{b\}. \tag{27}$$

We claim that $a + \phi(a) = b$. This follows immediately from (27) and from the fact that, for odd $n$ we have $\sum_{i=0}^{n-1} i \equiv \sum_{i=0}^{n-1} \phi(i) \equiv \sum_{i=0}^{n-1} (i + \phi(i)) \equiv 0 \bmod n$. Hence, (26) also holds in this case, and $\phi \in B_n$. On the other hand, if $\psi \in B_n$, then by (P1), $\psi T = \psi$, and by (P2), $\psi \in \Gamma_\sigma$, with $\sigma$ defined by

$$\sigma(i) = \frac{i + \psi(i)}{2}, \quad 0 \le i \le m - 1. \tag{28}$$

Hence, $\psi \in \Gamma$, and the claim is established. □

The following theorem presents the main result of this section.

THEOREM 3. Let $q = 2^t$, and let $n = 2^k m$ with $2 \nmid m$. Let $(\lambda_0, \lambda_1, \ldots, \lambda_{n-1})$ be an $m$-periodic vector of integers in the range $0 \le \lambda_i < q$, with at most one $\lambda_i$ equal to zero. Then, there exists an element $\alpha \in K$ such that $\alpha^{\lambda_0}, \alpha^{\lambda_1 q}, \alpha^{\lambda_2 q^2}, \ldots, \alpha^{\lambda_{n-1} q^{n-1}}$ form a basis of $GF(q^n)$ over $GF(q)$.

Proof. Consider the set of congruences (19), for all $\sigma \in S_m$. By Lemma 7, the total number of solutions to (19) is odd. Hence, for some $\sigma_0 \in S_m$, $|\Gamma_{\sigma_0}|$ must be odd. Let $r_i = \lambda_i q^i$, $0 \le i \le n - 1$. Then, the number of solutions to

$$\sum_{i=0}^{n-1} r_i q^{\phi(i)} \equiv s(\sigma_0) \bmod (q^n - 1) \tag{29}$$

is odd. Therefore,

$$N_e(s(\sigma_0)) + N_o(s(\sigma_0)) \equiv 1 \bmod 2, \tag{30}$$

and

$$N_e(s(\sigma_0)) \not\equiv N_o(s(\sigma_0)) \bmod 2. \tag{31}$$

By Theorem 2, this implies that $\{\lambda_0, \lambda_1 q, \ldots, \lambda_{n-1} q^{n-1}\}$ is satisfiable. □

Theorem 3 is strongest when $n$ is odd (i.e., $m = n$). In this case, the $m$-periodicity restriction on $(\lambda_0, \lambda_1, \ldots, \lambda_{n-1})$ is removed, and we obtain the following full-fledged generalization of the normal basis theorem.

COROLLARY. Let $q = 2^t$, and let $n$ be an odd positive integer. Let $\lambda_0, \lambda_1, \ldots, \lambda_{n-1}$ be any integers in the range $0 \le \lambda_i < q$, with at most one $\lambda_i$ equal to zero. Then, there exists an element $\alpha \in K$ such that $\alpha^{\lambda_0}, \alpha^{\lambda_1 q}, \alpha^{\lambda_2 q^2}, \ldots, \alpha^{\lambda_{n-1} q^{n-1}}$ form a basis of $GF(q^n)$ over $GF(q)$.

On the other hand, when $n = 2^k$, the $m$-periodicity requirement implies that $1 \le \lambda_0 = \lambda_1 = \cdots = \lambda_{n-1} < q$. In this case, Theorem 3 is weakest, but it still generalizes the normal basis theorem.

4. Conclusion. We have presented a combinatorial characterization of sets of integers $\{r_0, r_1, \ldots, r_{n-1}\}$ such that $\alpha^{r_0}, \alpha^{r_1}, \ldots, \alpha^{r_{n-1}}$ form a basis of $GF(q^n)$ over $GF(q)$ for some $\alpha \in GF(q^n)$. Although the characterization of such sets was applied in this paper specifically to the generalization of the normal basis theorem, it has also arisen in other contexts, namely in the study of the use of maximum-length shift register sequences (M-sequences) for testing of logic circuits [7]. In that context, it is interesting to determine whether there exist sets $\{r_0, r_1, \ldots, r_{n-1}\}$ that are not satisfiable. For example, $\{0, 2, 5, 7, 9\}$ is such a set for $q = 2$ and $n = 5$ [7]. These sets are not "testable" by M-sequences with characteristic polynomials of degree $n$. The existence of such sets for arbitrary $q$ and $n$ is an open question when $n$ is prime (the answer is known to be positive when $n$ is composite [7]).

We have generalized the normal basis theorem for finite fields of characteristic two. Our proof is valid for all choices $\lambda_0, \lambda_1, \ldots, \lambda_{n-1}$ in the range $0 \le \lambda_i < q$ (with at most one $\lambda_i$ equal to zero) when $n$ is odd, and for more restricted choices of the $\lambda_i$ when $n$ is even. We conjecture that the generalized normal basis theorem holds, without additional restrictions on the values $\lambda_i$, for all values of $q$ and $n$. For odd values of $n$, we can establish that the conjecture is "almost always" true in the following sense: given $n$, the conjecture is true for all but a finite number of values $p$ of the field characteristic. This follows by observing that Theorem 2, and the lemmas leading to Theorem 3 and its corollary, are valid for fields of any characteristic. In the proof of Theorem 3, we establish the existence of an integer $s = s(\sigma_0)$ such that $N_e(s) - N_o(s)$ is odd. This suffices to prove the theorem when $p = 2$. For $p \ne 2$, we observe that $N_e(s) - N_o(s)$ being odd, it must be nonzero, and upperbounded in absolute value by $n!$. Hence, there is only a finite number of potential prime divisors of the difference, and the theorem holds for all other primes.
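The following is an added computational check, not part of the original paper. For $q = 2^t$ it decides satisfiability of a set $R$ in two ways, by exhaustive search with the determinant of Lemma 1 and by the permutation count of Theorem 2, and runs both on the set $\{0, 2, 5, 7, 9\}$ and on exponent sets $r_i = \lambda_i q^i$ covered by the Corollary. The function names and the field moduli $x^5 + x^2 + 1$ and $x^6 + x + 1$ are assumptions of this example.

```python
from itertools import permutations

def gf_mul(a, b, mod, d):
    """Multiply in GF(2^d) = GF(2)[x]/(mod); elements are bitmask integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> d:                      # degree reached d: reduce by the modulus
            a ^= mod
    return r

def gf_pow(a, e, mod, d):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, mod, d)
        a = gf_mul(a, a, mod, d)
        e >>= 1
    return r

def det_nonzero(m, mod, d):
    """Gaussian elimination over GF(2^d); characteristic 2, so swaps need no sign."""
    m = [row[:] for row in m]
    n = len(m)
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c]), None)
        if piv is None:
            return False
        m[c], m[piv] = m[piv], m[c]
        inv = gf_pow(m[c][c], (1 << d) - 2, mod, d)
        for r in range(c + 1, n):
            f = gf_mul(m[r][c], inv, mod, d)
            for k in range(c, n):
                m[r][k] ^= gf_mul(f, m[c][k], mod, d)
    return True

def satisfiable_by_search(R, q, n, mod):
    """Lemma 1: R is satisfiable iff det[alpha^(r_i * q^j)] != 0 for some alpha in K."""
    d = n * (q.bit_length() - 1)        # q = 2^t, hence K = GF(q^n) = GF(2^(t*n))
    for alpha in range(1, 1 << d):
        rows = [[gf_pow(alpha, r * q**j, mod, d) for j in range(n)] for r in R]
        if det_nonzero(rows, mod, d):
            return True
    return False

def perm_sign(phi):
    """Sign of a permutation from the parity of its inversion count."""
    inv = sum(phi[i] > phi[j] for i in range(len(phi)) for j in range(i + 1, len(phi)))
    return -1 if inv % 2 else 1

def satisfiable_by_theorem2(R, q, n, p=2):
    """Theorem 2: R is satisfiable iff N_e(s) - N_o(s) != 0 mod p for some s."""
    D = {}
    for phi in permutations(range(n)):
        s = sum(r * q**phi[i] for i, r in enumerate(R)) % (q**n - 1)
        D[s] = D.get(s, 0) + perm_sign(phi)
    return any(v % p for v in D.values())

def generalized_exponents(lams, q):
    """r_i = lambda_i * q^i, the exponent set used in the proof of Theorem 3."""
    return [lam * q**i for i, lam in enumerate(lams)]

# Irreducible moduli over GF(2); assumed standard choices, not taken from the paper.
X5 = 0b100101                           # x^5 + x^2 + 1 defines GF(2^5)
X6 = 0b1000011                          # x^6 + x + 1 defines GF(2^6) = GF(4^3)

if __name__ == "__main__":
    for lams, q, n, mod in [([1] * 5, 2, 5, X5), ([0, 1, 1, 1, 1], 2, 5, X5), ([1, 2, 3], 4, 3, X6)]:
        R = generalized_exponents(lams, q)
        print(lams, satisfiable_by_search(R, q, n, mod), satisfiable_by_theorem2(R, q, n))
    print(satisfiable_by_search([0, 2, 5, 7, 9], 2, 5, X5))   # set cited from [7]
```

The permutation count needs no field arithmetic at all, only integer arithmetic modulo $q^n - 1$, but it enumerates $n!$ permutations, so both checks are practical only for small $n$.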

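Appendix.

Proof of Lemma 3. Let $A = \sum_{i=0}^{m-1} \lambda_i q^{k_i}$, and $B = \sum_{i=0}^{m-1} \lambda_i q^{j_i}$. By the conditions at (8) and (10), we have $m < B \le q^n - 1$. If all the $k_i$ are distinct, then we also have $m < A \le q^n - 1$, and congruence (11) implies $A = B$. By the uniqueness of radix-$q$ representation of integers, we must have $\{k_0, k_1, \ldots, k_{m-1}\} = \{j_0, j_1, \ldots, j_{m-1}\}$.

Now assume that the $k_i$ are not all distinct. Apply the following symbolic simplification procedure to the sum $\sum_{i=0}^{m-1} \lambda_i q^{k_i}$.

Step 1. Let $a$ and $b$ be indices such that $k_a = k_b$, $0 \le a < b \le m - 1$. Do the following substitution: if $\lambda_a + \lambda_b < q$, replace $\lambda_a q^{k_a} + \lambda_b q^{k_b}$ in the sum by the single summand $\lambda'_a q^{k'_a}$, where $\lambda'_a = (\lambda_a + \lambda_b)$ and $k'_a = k_a$ (this decreases the number of summands by one). If $\lambda_a + \lambda_b \ge q$, replace $\lambda_a q^{k_a} + \lambda_b q^{k_b}$ in the sum by $\lambda'_a q^{k'_a} + \lambda'_b q^{k'_b}$, where

$$\lambda'_a = (\lambda_a + \lambda_b) \bmod q, \tag{A1}$$

$$\lambda'_b = \left\lfloor \frac{\lambda_a + \lambda_b}{q} \right\rfloor, \tag{A2}$$

$$k'_a = k_a, \tag{A3}$$

$$k'_b = (k_a + 1) \bmod n. \tag{A4}$$

(Notice that $\lambda'_a + \lambda'_b < \lambda_a + \lambda_b$).

Step 2. Step 1 produces a new sum $\sum_{i=0}^{m'-1} \lambda'_i q^{k'_i}$. If all $k'_i$ are distinct, stop. Else, go to Step 1.

After executing Step 1, we have

$$m' + \sum_{i=0}^{m'-1} \lambda'_i < m + \sum_{i=0}^{m-1} \lambda_i. \tag{A5}$$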


Hence, Step 1 can only be executed a finite number of times, and the procedure eventually stops with all $k'_i$ distinct, and the new sum satisfying

(A6)

$$0 \le k'_0, k'_1, \ldots, k'_{m'-1} \le n - 1, \tag{A7}$$

and

$$\sum_{i=0}^{m'-1} \lambda'_i q^{k'_i} \equiv \sum_{i=0}^{m-1} \lambda_i q^{k_i} \bmod (q^n - 1). \tag{A8}$$

Together with congruence (11), this implies

$$\sum_{i=0}^{m'-1} \lambda'_i q^{k'_i} \equiv \sum_{i=0}^{m-1} \lambda_i q^{j_i} \bmod (q^n - 1). \tag{A9}$$

Since all $k'_i$ are distinct, uniqueness of radix-$q$ representation applies again, and we must have $m' = m$, $\{k'_0, k'_1, \ldots, k'_{m'-1}\} = \{j_0, j_1, \ldots, j_{m-1}\}$, and $\{\lambda'_0, \lambda'_1, \ldots, \lambda'_{m'-1}\} = \{\lambda_0, \lambda_1, \ldots, \lambda_{m-1}\}$ (by an abuse of notation, the latter set equality allows for element multiplicity). This contradicts (A5), implying that Step 1 of the simplification procedure could not have been applied and that the original $k_i$ were all distinct. □

REFERENCES

[1] R. LIDL AND H. NIEDERREITER, Finite Fields, Addison-Wesley, Reading, MA, 1983.

[2] F. J. MACWILLIAMS AND N. J. A. SLOANE, The Theory of Error-Correcting Codes, North-Holland, New York, 1977.

[3] J. L. MASSEY AND J. K. OMURA, Computational method and apparatus for finite field arithmetic, U.S. patent application, 1981.

[4] R. C. MULLIN, I. M. ONYSZCHUK, S. A. VANSTONE, AND R. M. WILSON, Optimal normal bases in GF(p^n), Discrete Applied Math., 22 (1988/89), pp. 149-161.

[5] D. W. ASH, I. F. BLAKE, AND S. A. VANSTONE, Low complexity normal bases, Research report CORR 86-21, Faculty of Mathematics, University of Waterloo, November 1986.

[6] A. LEMPEL AND M. J. WEINBERGER, Self-complementary normal bases in finite fields, SIAM J. Discrete Math., (1988), pp. 193-198.

[7] A. LEMPEL AND M. COHN, Design of universal test sequences for VLSI, IEEE Trans. Inform. Theory, IT-31 (1985), pp. 10-17.
