Normal basis

Let F\subset K be a Galois extension with Galois group G. The classical normal basis theorem states that there is an element \beta\in K such that \{g(\beta) : g\in G\} forms a basis of K, considered as a vector space over F. That is, any element \alpha \in K can be written uniquely as \alpha = \sum_{g\in G} a_g\, g(\beta) for some elements a_g\in F. A normal basis contrasts with a primitive element basis of the form \{1,\beta,\beta^2,\ldots,\beta^{n-1}\}, where \beta\in K is an element whose minimal polynomial has degree n=[K:F]. == Group representation point of view ==

A field extension with Galois group G can be naturally viewed as a representation of the group G over the field F in which each automorphism is represented by itself. Representations of G over the field F can be viewed as left modules for the group algebra F[G]. Every homomorphism of left F[G]-modules \phi:F[G]\rightarrow K is of form \phi(r) = r\beta for some \beta \in K. Since \{1\cdot \sigma| \sigma \in G\} is a linear basis of F[G] over F, it follows easily that \phi is bijective iff \beta generates a normal basis of K over F. The normal basis theorem therefore amounts to the statement saying that if is finite Galois extension, then K \cong F[G] as a left F[G]-module. In terms of representations of G over F, this means that K is isomorphic to the regular representation. == Case of finite fields ==

For finite fields this can be stated as follows: Let F = \mathrm{GF}(q)=\mathbb{F}_q denote the field of q elements, where is a prime power, and let K= \mathrm{GF}(q^n)=\mathbb{F}_{q^n} denote its extension field of degree . Here the Galois group is G = \text{Gal}(K/F) = \{1,\Phi,\Phi^2,\ldots,\Phi^{n-1}\} with \Phi^n = 1, a cyclic group generated by the q-power Frobenius automorphism \Phi(\alpha)=\alpha^q,with \Phi^n = 1 =\mathrm{Id}_K. Then there exists an element such that \{\beta, \Phi(\beta), \Phi^2(\beta),\ldots,\Phi^{n-1}(\beta)\} \ = \ \{\beta, \beta^q, \beta^{q^2}, \ldots,\beta^{q^{n-1}}\!\} is a basis of K over F. Proof for finite fields In case the Galois group is cyclic as above, generated by \Phi with \Phi^n=1, the normal basis theorem follows from two basic facts. The first is the linear independence of characters: a multiplicative character is a mapping χ from a group H to a field K satisfying \chi(h_1h_2)=\chi(h_1)\chi(h_2); then any distinct characters \chi_1,\chi_2,\ldots are linearly independent in the K-vector space of mappings. We apply this to the Galois group automorphisms \chi_i=\Phi^i: K \to K, thought of as mappings from the multiplicative group H=K^\times. Now K\cong F^nas an F-vector space, so we may consider \Phi : F^n\to F^n as an element of the matrix algebra Mn(F); since its powers 1,\Phi,\ldots,\Phi^{n-1} are linearly independent (over K and a fortiori over F), its minimal polynomial must have degree at least n, i.e. it must be X^n-1. The second basic fact is the classification of finitely generated modules over a PID such as F[X]. Every such module M can be represented as M \cong\bigoplus_{i=1}^k \frac{F[X]}{(f_i(X))}, where f_i(X) may be chosen so that they are monic polynomials or zero and f_{i+1}(X) is a multiple of f_i(X). f_k(X) is the monic polynomial of smallest degree annihilating the module, or zero if no such non-zero polynomial exists. In the first case \dim_F M = \sum_{i=1}^k \deg f_i, in the second case \dim_F M = \infty. In our case of cyclic G of size n generated by \Phi we have an F-algebra isomorphism F[G]\cong \frac {F[X]}{(X^n-1)} where X corresponds to 1 \cdot \Phi, so every F[G]-module may be viewed as an F[X]-module with multiplication by X being multiplication by 1\cdot\Phi. In case of K this means X\alpha = \Phi(\alpha), so the monic polynomial of smallest degree annihilating K is the minimal polynomial of \Phi. Since K is a finite dimensional F-space, the representation above is possible with f_k(X)=X^n-1. Since \dim_F(K) = n, we can only have k=1, and K \cong \frac{F[X]}{(X^n{-}\,1)} as F[X]-modules. (Note this is an isomorphism of F-linear spaces, but not of rings or F-algebras.) This gives isomorphism of F[G]-modules K\cong F[G] that we talked about above, and under it the basis \{1,X,X^2,\ldots,X^{n-1}\} on the right side corresponds to a normal basis \{\beta, \Phi(\beta),\Phi^2(\beta),\ldots,\Phi^{n-1}(\beta)\} of K on the left. Note that this proof would also apply in the case of a cyclic Kummer extension. Example Consider the field K=\mathrm{GF}(2^3)=\mathbb{F}_{8} over F=\mathrm{GF}(2)=\mathbb{F}_{2}, with Frobenius automorphism \Phi(\alpha)=\alpha^2. The proof above clarifies the choice of normal bases in terms of the structure of K as a representation of G (or F[G]-module). The irreducible factorization X^n-1 \ =\ X^3-1\ = \ (X{-}1)(X^2{+}X{+}1) \ \in\ F[X] means we have a direct sum of F[G]-modules (by the Chinese remainder theorem):K\ \cong\ \frac{F[X]}{(X^3{-}\,1)} \ \cong\ \frac{F[X]}{(X{+}1)} \oplus \frac{F[X]}{(X^2{+}X{+}1)}. The first component is just F\subset K, while the second is isomorphic as an F[G]-module to \mathbb{F}_{2^2} \cong \mathbb{F}_2[X]/(X^2{+}X{+}1) under the action \Phi\cdot X^i = X^{i+1}. (Thus K \cong \mathbb F_2\oplus \mathbb F_4 as F[G]-modules, but not as F-algebras.) The elements \beta\in K which can be used for a normal basis are precisely those outside either of the submodules, so that (\Phi{+}1)(\beta)\neq 0 and (\Phi^2{+}\Phi{+}1)(\beta)\neq 0. In terms of the G-orbits of K, which correspond to the irreducible factors of: t^{2^3}-t \ = \ t(t{+}1)\left(t^3 + t + 1\right)\left(t^3 + t^2 + 1\right)\ \in\ F[t], the elements of F=\mathbb{F}_2 are the roots of t(t{+}1), the nonzero elements of the submodule \mathbb{F}_4 are the roots of t^3+t+1, while the normal basis, which in this case is unique, is given by the roots of the remaining factor t^3{+}t^2{+}1. By contrast, for the extension field L = \mathrm{GF}(2^4)=\mathbb{F}_{16} in which is divisible by , we have the F[G]-module isomorphism L \ \cong\ \mathbb{F}_2[X]/(X^4{-}1)\ =\ \mathbb{F}_2[X]/(X{+}1)^4. Here the operator \Phi\cong X is not diagonalizable, the module L has nested submodules given by generalized eigenspaces of \Phi, and the normal basis elements β are those outside the largest proper generalized eigenspace, the elements with (\Phi{+}1)^3(\beta)\neq 0. Application to cryptography The normal basis is frequently used in cryptographic applications based on the discrete logarithm problem, such as elliptic curve cryptography, since arithmetic using a normal basis is typically more computationally efficient than using other bases. For example, in the field K=\mathrm{GF}(2^3)=\mathbb{F}_{8} above, we may represent elements as bit-strings: \alpha \ =\ (a_2,a_1,a_0)\ =\ a_2\Phi^2(\beta) + a_1\Phi(\beta)+a_0\beta\ =\ a_2\beta^4 + a_1\beta^2 +a_0\beta, where the coefficients are bits a_i\in \mathrm{GF}(2)=\{0,1\}. Now we can square elements by doing a left circular shift, \alpha^2=\Phi(a_2,a_1,a_0) = (a_1,a_0,a_2), since squaring β4 gives . This makes the normal basis especially attractive for cryptosystems that utilize frequent squaring. == Proof for the case of infinite fields ==

Suppose K/F is a finite Galois extension of the infinite field F. Let , \text{Gal}(K/F) = G =\{\sigma_1...\sigma_n\}, where \sigma_1 = \text{Id}. By the primitive element theorem there exists \alpha \in K such i\ne j\implies \sigma_i(\alpha)\ne\sigma_j(\alpha) and K=F[\alpha]. Let us write \alpha_i = \sigma_i(\alpha). \alpha's (monic) minimal polynomial f over K is the irreducible degree n polynomial given by the formula \begin {align} f(X) &= \prod_{i=1}^n(X - \alpha_i) \end {align} Since f is separable (it has simple roots) we may define \begin {align} g(X) &= \ \frac{f(X)}{(X-\alpha)f'(\alpha)}\\ g_i(X) &= \ \frac{f(X)}{(X-\alpha_i) f'(\alpha_i)} =\ \sigma_i(g(X)). \end {align} In other words, \begin {align} g_i(X)&= \prod_{\begin {array}{c}1 \le j \le n \\ j\ne i\end {array}}\frac{X-\alpha_j}{\alpha_i - \alpha_j}\\ g(X)&= g_1(X). \end {align} Note that g(\alpha)=1 and g_i(\alpha)=0 for i \ne 1. Next, define an n \times n matrix A of polynomials over K and a polynomial D by \begin {align} A_{ij}(X) &= \sigma_i(\sigma_j(g(X)) = \sigma_i(g_j(X))\\ D(X) &= \det A(X). \end {align} Observe that A_{ij}(X) = g_k(X), where k is determined by \sigma_k = \sigma_i \cdot \sigma_j; in particular k=1 iff \sigma_i = \sigma_j^{-1}. It follows that A(\alpha) is the permutation matrix corresponding to the permutation of G which sends each \sigma_i to \sigma_i^{-1}. (We denote by A(\alpha) the matrix obtained by evaluating A(X) at x=\alpha.) Therefore, D(\alpha) = \det A(\alpha) = \pm 1. We see that D is a non-zero polynomial, and therefore it has only a finite number of roots. Since we assumed F is infinite, we can find a\in F such that D(a)\ne 0. Define \begin {align} \beta &= g(a) \\ \beta_i &= g_i(a) = \sigma_i(\beta). \end {align} We claim that \{\beta_1, \ldots, \beta_n\} is a normal basis. We only have to show that \beta_1, \ldots,\beta_n are linearly independent over F, so suppose \sum_{j=1}^n x_j \beta_j = 0 for some x_1...x_n\in F. Applying the automorphism \sigma_i yields \sum_{j=1}^n x_j \sigma_i(g_j(a)) = 0 for all i. In other words, A(a) \cdot \overline {x} = \overline {0}. Since \det A(a) = D(a) \ne 0, we conclude that \overline x = \overline 0, which completes the proof. It is tempting to take a=\alpha because D(\alpha)\neq0. But this is impermissible because we used the fact that a \in F to conclude that for any F-automorphism \sigma and polynomial h(X) over K the value of the polynomial \sigma(h(X)) at a equals \sigma(h(a)). == Primitive normal basis ==

A primitive normal basis of an extension of finite fields is a normal basis for that is generated by a primitive element of E, that is a generator of the multiplicative group K×. (Note that this is a more restrictive definition of primitive element than that mentioned above after the general normal basis theorem: one requires powers of the element to produce every non-zero element of K, not merely a basis.) Lenstra and Schoof (1987) proved that every extension of finite fields possesses a primitive normal basis, the case when F is a prime field having been settled by Harold Davenport. == Free elements ==

If is a Galois extension and x in K generates a normal basis over F, then x is free in . If x has the property that for every subgroup H of the Galois group G, with fixed field KH, x is free for , then x is said to be completely free in . Every Galois extension has a completely free element. == See also ==