Normal basis

In mathematics, specifically the algebraic theory of fields, a normal basis is a special kind of basis for Galois extensions of finite degree, characterised as forming a single orbit for the Galois group. The normal basis theorem states that any finite Galois extension of fields has a normal basis. In algebraic number theory, the study of the more refined question of the existence of a normal integral basis is part of Galois module theory.

Normal basis theorem

Let ${\displaystyle F\subset K}$ be a Galois extension with Galois group ${\displaystyle G}$. The classical normal basis theorem states that there is an element ${\displaystyle \beta \in K}$ such that ${\displaystyle \{g(\beta )\ {\textrm {for}}\ g\in G\}}$ forms a basis of K, considered as a vector space over F. That is, any element ${\displaystyle \alpha \in K}$ can be written uniquely as ${\displaystyle \textstyle \alpha =\sum _{g\in G}a_{g}\,g(\beta )}$ for coefficients ${\displaystyle a_{g}\in F.}$

A normal basis contrasts with a primitive element basis of the form ${\displaystyle \{1,\beta ,\beta ^{2},\ldots ,\beta ^{n-1}\}}$, where ${\displaystyle \beta \in K}$ is an element whose minimal polynomial has degree ${\displaystyle n=[K:F]}$.

Case of finite fields

For finite fields this can be stated as follows:[1] Let ${\displaystyle F=GF(q)=\mathbb {F} _{q}}$ denote the field of q elements, where ${\displaystyle q=p^{m}}$ is a prime power, and let ${\displaystyle K=GF(q^{n})=\mathbb {F} _{q^{n}}}$ denote its extension field of degree n ≥ 1. Here the Galois group is ${\displaystyle G={\text{Gal}}(K/F)=\{1,\Phi ,\Phi ^{2},\ldots ,\Phi ^{n-1}\}}$, a cyclic group generated by the relative Frobenius automorphism ${\displaystyle \Phi (\alpha )=\alpha ^{q},}$ with ${\displaystyle \Phi ^{n}=1={\textrm {Id}}_{K}.}$ Then there exists an element ${\displaystyle \beta \in K}$ such that

${\displaystyle \{\beta ,\Phi (\beta ),\Phi ^{2}(\beta ),\ldots ,\Phi ^{n-1}(\beta )\}\ =\ \{\beta ,\beta ^{q},\beta ^{q^{2}},\ldots ,\beta ^{q^{n-1}}\!\}}$

is a basis of K over F.

Proof for finite fields

In case the Galois group is cyclic as above, generated by ${\displaystyle \Phi }$ with ${\displaystyle \Phi ^{n}=1,}$ the Normal Basis Theorem follows from two basic facts. The first is the linear independence of characters: a multiplicative character is a mapping χ from a group H to a field K satisfying ${\displaystyle \chi (h_{1}h_{2})=\chi (h_{1})\chi (h_{2})}$; then any distinct characters ${\displaystyle \chi _{1},\chi _{2},\ldots }$ are linearly independent in the K-vector space of mappings. We apply this to the Galois group automorphisms ${\displaystyle \chi _{i}=\Phi ^{i}:K\to K,}$ thought of as mappings from the multiplicative group ${\displaystyle H=K^{\times }}$. Now ${\displaystyle K\cong F^{n}}$ as an F-vector space, so we may consider ${\displaystyle \Phi :F^{n}\to F^{n}}$ as an element of the matrix algebra ${\displaystyle M_{n}(F);}$ since its powers ${\displaystyle 1,\Phi ,\ldots ,\Phi ^{n-1}}$ are linearly independent (over K and a fortiori over F), its minimal polynomial must have degree at least n, i.e. it must be ${\displaystyle X^{n}-1}$. We conclude that the group algebra of G is ${\displaystyle F[G]\cong F[X]/(X^{n}{-}\,1),}$ a quotient of the polynomial ring F[X], and the F-vector space K is a module (or representation) for this algebra.

The second basic fact is the classification of modules over a PID such as F[G]. These are just direct sums of cyclic modules of the form ${\displaystyle F[X]/(f(x)),}$ where f(x) must be divisible by ${\displaystyle X^{n}-1}$. (Here G acts by ${\displaystyle \Phi \cdot X^{i}=X^{i+1}.}$) But since ${\displaystyle \dim _{F}F[X]/(X^{n}{-}\,1)=\dim _{F}(K)=n,}$ we can only have ${\displaystyle f(x)=X^{n}-1}$, and

${\displaystyle K\ \cong \ F[X]/(X^{n}{-}\,1)}$

as F[G]-modules, namely the regular representation of G. (Note this is not an isomorphism of rings or F-algebras!) Now the basis ${\displaystyle \{1,X,X^{2},\ldots ,X^{n-1}\}}$ on the right side of this isomorphism corresponds to a normal basis ${\displaystyle \{\beta ,\Phi (\beta ),\Phi ^{2}(\beta ),\ldots ,\Phi ^{n-1}(\beta )\}}$ of K on the left.

Note that this proof would also apply in the case of a cyclic Kummer extension.

Example

Consider the field ${\displaystyle K=GF(2^{3})=\mathbb {F} _{8}}$ over ${\displaystyle F=GF(2)=\mathbb {F} _{2}}$, with Frobenius automorphism ${\displaystyle \Phi (\alpha )=\alpha ^{2}}$. The proof above clarifies the choice of normal bases in terms of the structure of K as a representation of G (or F[G]-module). The irreducible factorization

${\displaystyle X^{n}-1\ =\ X^{3}-1\ =\ (X{+}1)(X^{2}{+}X{+}1)\ \in \ F[X]}$

means we have a direct sum of F[G]-modules (by the Chinese remainder theorem):

${\displaystyle K\ \cong \ {\frac {F[X]}{(X^{3}{-}\,1)}}\ \cong \ {\frac {F[X]}{(X{+}1)}}\oplus {\frac {F[X]}{(X^{2}{+}X{+}1)}}.}$

The first component is just ${\displaystyle F\subset K}$, while the second is isomorphic as an F[G]-module to ${\displaystyle \mathbb {F} _{2^{2}}\cong \mathbb {F} _{2}[X]/(X^{2}{+}X{+}1)}$ under the action ${\displaystyle \Phi \cdot X^{i}=X^{i+1}.}$ (Thus ${\displaystyle K\cong \mathbb {F} _{2}\oplus \mathbb {F} _{4}}$ as F[G]-modules, but not as F-algebras.)

The elements ${\displaystyle \beta \in K}$ which can be used for a normal basis are precisely those outside either of the submodules, so that ${\displaystyle (\Phi {+}1)(\beta )\neq 0}$ and ${\displaystyle (\Phi ^{2}{+}\Phi {+}1)(\beta )\neq 0}$. In terms of the G-orbits of K, which correspond to the irreducible factors of:

${\displaystyle t^{2^{3}}-t\ =\ t(t{+}1)(t^{3}{+}t{+}1)(t^{3}{+}t^{2}{+}1)\ \in \ F[t],}$

the elements of ${\displaystyle F=\mathbb {F} _{2}}$ are the roots of ${\displaystyle t(t{+}1)}$, the nonzero elements of the submodule ${\displaystyle \mathbb {F} _{4}}$ are the roots of ${\displaystyle t^{3}{+}t{+}1}$, while the normal basis, which in this case is unique, is given by the roots of the remaining factor ${\displaystyle t^{3}{+}t^{2}{+}1}$.

By contrast, for the extension field ${\displaystyle L=GF(2^{4})=\mathbb {F} _{16}}$ in which n = 4 is divisible by p = 2, we have the F[G]-module isomorphism

${\displaystyle L\ \cong \ \mathbb {F} _{2}[X]/(X^{4}{-}1)\ =\ \mathbb {F} _{2}[X]/(X{+}1)^{4}.}$

Here the operator ${\displaystyle \Phi \cong X}$ is not diagonalizable, the module L has nested submodules given by generalized eigenspaces of ${\displaystyle \Phi }$, and the normal basis elements β are those outside the largest proper generalized eigenspace, the elements with ${\displaystyle (\Phi {+}1)^{3}(\beta )\neq 0}$.

Application to cryptography

The normal basis is frequently used in cryptographic applications based on the discrete logarithm problem, such as elliptic curve cryptography, since arithmetic using a normal basis is typically more computationally efficient than using other bases.

For example, in the field ${\displaystyle K=GF(2^{3})=\mathbb {F} _{8}}$ above, we may represent elements as bit-strings:

${\displaystyle \alpha \ =\ (a_{2},a_{1},a_{0})\ =\ a_{2}\Phi ^{2}(\beta )+a_{1}\Phi (\beta )+a_{0}\beta \ =\ a_{2}\beta ^{4}+a_{1}\beta ^{2}+a_{0}\beta ,}$

where the coefficients are bits ${\displaystyle a_{i}\in GF(2)=\{0,1\}.}$ Now we can square elements by doing a left circular shift, ${\displaystyle \alpha ^{2}=\Phi (a_{2},a_{1},a_{0})=(a_{1},a_{0},a_{2})}$, since squaring ${\displaystyle \beta ^{4}}$ gives ${\displaystyle \beta ^{8}=\beta }$. This makes the normal basis especially attractive for cryptosystems that utilize frequent squaring.
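As an added worked example (not from the article), the following Python computes in the field K = GF(8) of the Example section, checks that the normal-basis generators are exactly the roots of t^3 + t^2 + 1 while the nonzero trace-zero elements are the roots of t^3 + t + 1, and verifies that squaring in normal-basis coordinates is the left circular shift just described. It assumes a polynomial-basis representation modulo t^3 + t + 1 (a constructed choice; the article fixes no representation), with elements stored as 3-bit integers.

```python
from itertools import product

MOD = 0b1011         # reduction polynomial t^3 + t + 1 for the polynomial basis (constructed choice)
ELEMENTS = range(8)  # GF(8) elements as 3-bit integers c2*t^2 + c1*t + c0

def gf8_mul(a, b):
    # carry-less multiply, then reduce degrees 4 and 3 modulo MOD
    r = 0
    for i in range(3):
        if (b >> i) & 1:
            r ^= a << i
    for deg in (4, 3):
        if r & (1 << deg):
            r ^= MOD << (deg - 3)
    return r

def frob(a):             # Frobenius automorphism Phi(a) = a^2
    return gf8_mul(a, a)

def is_root(x, coeffs):  # Horner evaluation; coeffs over GF(2), highest degree first
    acc = 0
    for c in coeffs:
        acc = gf8_mul(acc, x) ^ c
    return acc == 0

def to_normal(alpha, beta):
    # coordinates (a2, a1, a0) with alpha = a2*beta^4 + a1*beta^2 + a0*beta, found by
    # brute force over the 8 GF(2)-combinations; None if beta's orbit does not span
    b1, b2 = frob(beta), frob(frob(beta))
    for a2, a1, a0 in product((0, 1), repeat=3):
        if (a2 * b2) ^ (a1 * b1) ^ (a0 * beta) == alpha:
            return (a2, a1, a0)
    return None

def normal_generators():
    # beta generates a normal basis iff every field element has coordinates in its orbit
    return {b for b in ELEMENTS if all(to_normal(x, b) is not None for x in ELEMENTS)}

def squaring_is_left_shift(beta):
    # the article's claim: Phi(a2, a1, a0) = (a1, a0, a2) for every alpha
    for alpha in ELEMENTS:
        a2, a1, a0 = to_normal(alpha, beta)
        if to_normal(frob(alpha), beta) != (a1, a0, a2):
            return False
    return True

if __name__ == "__main__":
    print("normal basis generators (as t+1, t^2+1, t^2+t+1):", sorted(normal_generators()))
```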

Primitive normal basis

A primitive normal basis of an extension of finite fields E/F is a normal basis for E/F that is generated by a primitive element of E, that is, a generator of the multiplicative group ${\displaystyle E^{\times }.}$ (Note that this is a more restrictive definition of primitive element than that mentioned above after the general Normal Basis Theorem: one requires powers of the element to produce every non-zero element of E, not merely a basis.) Lenstra and Schoof (1987) proved that every finite field extension possesses a primitive normal basis, the case when F is a prime field having been settled by Harold Davenport.

Free elements

If K/F is a Galois extension and x in K generates a normal basis over F, then x is free in K/F. If x has the property that for every subgroup H of the Galois group G, with fixed field ${\displaystyle K^{H}}$, x is free for ${\displaystyle K/K^{H}}$, then x is said to be completely free in K/F. Every Galois extension has a completely free element.[2]