Normal basis

In mathematics, specifically the algebraic theory of fields, a normal basis is a special kind of basis for Galois extensions of finite degree, characterised as forming a single orbit for the Galois group. The normal basis theorem states that any finite Galois extension of fields has a normal basis. In algebraic number theory, the study of the more refined question of the existence of a normal integral basis is part of Galois module theory.

Let ${\displaystyle F\subset K}$ be a Galois extension with Galois group ${\displaystyle G}$. The classical normal basis theorem states that there is an element ${\displaystyle \beta \in K}$ such that ${\displaystyle \{g(\beta ):g\in G\}}$ forms a basis of K, considered as a vector space over F. That is, any element ${\displaystyle \alpha \in K}$ can be written uniquely as $\alpha =\sum _{g\in G}{a}_{g}g(\beta )$ for some elements ${\displaystyle a_g\in F.}$

A normal basis contrasts with a primitive element basis of the form ${\displaystyle \{1,\beta ,{\beta }^2,\dots ,{\beta }^{n-1}\}}$, where ${\displaystyle \beta \in K}$ is an element whose minimal polynomial has degree ${\displaystyle n=[K:F]}$.

A field extension Template:Nowrap with Galois group G can be naturally viewed as a representation of the group G over the field F in which each automorphism is represented by itself. Representations of G over the field F can be viewed as left modules for the group algebra F[G]. Every homomorphism of left F[G]-modules ${\displaystyle \varphi :F[G]\to K}$ is of form ${\displaystyle \varphi (r)=r\beta }$ for some ${\displaystyle \beta \in K}$. Since ${\displaystyle \{1\cdot \sigma |\sigma \in G\}}$ is a linear basis of F[G] over F, it follows easily that ${\displaystyle \varphi }$ is bijective iff ${\displaystyle \beta }$ generates a normal basis of K over F. The normal basis theorem therefore amounts to the statement saying that if Template:Nowrap is finite Galois extension, then ${\displaystyle K\cong F[G]}$ as a left ${\displaystyle F[G]}$-module. In terms of representations of G over F, this means that K is isomorphic to the regular representation.

For finite fields this can be stated as follows:^[1] Let ${\displaystyle F=\mathrm{G}\mathrm{F}(q)={𝔽}_q}$ denote the field of q elements, where Template:Nowrap is a prime power, and let ${\displaystyle K=\mathrm{G}\mathrm{F}(q^n)={𝔽}_{q^n}}$ denote its extension field of degree Template:Nowrap. Here the Galois group is ${\displaystyle G=\text{Gal}(K/F)=\{1,\mathrm{\Phi },{\mathrm{\Phi }}^2,\dots ,{\mathrm{\Phi }}^{n-1}\}}$ with ${\displaystyle {\mathrm{\Phi }}^n=1,}$ a cyclic group generated by the q-power Frobenius automorphism ${\displaystyle \mathrm{\Phi }(\alpha )={\alpha }^q,}$with ${\displaystyle {\mathrm{\Phi }}^n=1={\mathrm{I}\mathrm{d}}_K.}$ Then there exists an element Template:Nowrap such that $${\displaystyle \{\beta ,\mathrm{\Phi }(\beta ),{\mathrm{\Phi }}^2(\beta ),\dots ,{\mathrm{\Phi }}^{n-1}(\beta )\}=\{\beta ,{\beta }^q,{\beta }^{q^2},\dots ,{\beta }^{q^{n-1}}\}}$$ is a basis of K over F.

In case the Galois group is cyclic as above, generated by ${\displaystyle \mathrm{\Phi }}$ with ${\displaystyle {\mathrm{\Phi }}^n=1,}$ the normal basis theorem follows from two basic facts. The first is the linear independence of characters: a multiplicative character is a mapping χ from a group H to a field K satisfying ${\displaystyle \chi (h_1{h}_2)=\chi (h_1)\chi (h_2)}$; then any distinct characters ${\displaystyle {\chi }_1,{\chi }_2,\dots }$ are linearly independent in the K-vector space of mappings. We apply this to the Galois group automorphisms ${\displaystyle {\chi }_i={\mathrm{\Phi }}^i:K\to K,}$ thought of as mappings from the multiplicative group ${\displaystyle H=K^{\times }}$. Now ${\displaystyle K\cong F^n}$as an F-vector space, so we may consider ${\displaystyle \mathrm{\Phi }:F^n\to F^n}$ as an element of the matrix algebra M_n(F); since its powers ${\displaystyle 1,\mathrm{\Phi },\dots ,{\mathrm{\Phi }}^{n-1}}$ are linearly independent (over K and a fortiori over F), its minimal polynomial must have degree at least n, i.e. it must be ${\displaystyle X^n-1}$.

The second basic fact is the classification of finitely generated modules over a PID such as ${\displaystyle F[X]}$. Every such module M can be represented as $M\cong {⨁}_{i=1}^k\frac{F[X]}{(f_i(X))}$, where ${\displaystyle f_i(X)}$ may be chosen so that they are monic polynomials or zero and ${\displaystyle f_{i+1}(X)}$ is a multiple of ${\displaystyle f_i(X)}$. ${\displaystyle f_k(X)}$ is the monic polynomial of smallest degree annihilating the module, or zero if no such non-zero polynomial exists. In the first case ${\dim }_{F}M={\sum }_{i=1}^k\mathrm{deg}{f}_i$, in the second case ${\displaystyle {\dim }_{F}M=\mathrm{\infty }}$. In our case of cyclic G of size n generated by ${\displaystyle \mathrm{\Phi }}$ we have an F-algebra isomorphism $F[G]\cong \frac{F[X]}{(X^n-1)}$ where X corresponds to ${\displaystyle 1\cdot \mathrm{\Phi }}$, so every ${\displaystyle F[G]}$-module may be viewed as an ${\displaystyle F[X]}$-module with multiplication by X being multiplication by ${\displaystyle 1\cdot \mathrm{\Phi }}$. In case of K this means ${\displaystyle X\alpha =\mathrm{\Phi }(\alpha )}$, so the monic polynomial of smallest degree annihilating K is the minimal polynomial of ${\displaystyle \mathrm{\Phi }}$. Since K is a finite dimensional F-space, the representation above is possible with ${\displaystyle f_k(X)=X^n-1}$. Since ${\displaystyle {\dim }_F(K)=n,}$ we can only have ${\displaystyle k=1}$, and $K\cong \frac{F[X]}{(X^n-1)}$ as F[X]-modules. (Note this is an isomorphism of F-linear spaces, but not of rings or F-algebras.) This gives isomorphism of ${\displaystyle F[G]}$-modules ${\displaystyle K\cong F[G]}$ that we talked about above, and under it the basis ${\displaystyle \{1,X,X^2,\dots ,X^{n-1}\}}$ on the right side corresponds to a normal basis ${\displaystyle \{\beta ,\mathrm{\Phi }(\beta ),{\mathrm{\Phi }}^2(\beta ),\dots ,{\mathrm{\Phi }}^{n-1}(\beta )\}}$ of K on the left.

Note that this proof would also apply in the case of a cyclic Kummer extension.

Consider the field ${\displaystyle K=\mathrm{G}\mathrm{F}(2^3)={𝔽}_8}$ over ${\displaystyle F=\mathrm{G}\mathrm{F}(2)={𝔽}_2}$, with Frobenius automorphism ${\displaystyle \mathrm{\Phi }(\alpha )={\alpha }^2}$. The proof above clarifies the choice of normal bases in terms of the structure of K as a representation of G (or F[G]-module). The irreducible factorization $${\displaystyle X^n-1=X^3-1=(X-1)(X^2+X+1)\in F[X]}$$ means we have a direct sum of F[G]-modules (by the Chinese remainder theorem):$${\displaystyle K\cong \frac{F[X]}{(X^3-1)}\cong \frac{F[X]}{(X+1)}\oplus \frac{F[X]}{(X^2+X+1)}.}$$ The first component is just ${\displaystyle F\subset K}$, while the second is isomorphic as an F[G]-module to ${\displaystyle {𝔽}_{2^2}\cong {𝔽}_2[X]/(X^2+X+1)}$ under the action ${\displaystyle \mathrm{\Phi }\cdot X^i=X^{i+1}.}$ (Thus ${\displaystyle K\cong {𝔽}_2\oplus {𝔽}_4}$ as F[G]-modules, but not as F-algebras.)

The elements ${\displaystyle \beta \in K}$ which can be used for a normal basis are precisely those outside either of the submodules, so that ${\displaystyle (\mathrm{\Phi }+1)(\beta )\ne 0}$ and ${\displaystyle ({\mathrm{\Phi }}^2+\mathrm{\Phi }+1)(\beta )\ne 0}$. In terms of the G-orbits of K, which correspond to the irreducible factors of: $${\displaystyle t^{2^3}-t=t(t+1)(t^3+t+1)(t^3+t^2+1)\in F[t],}$$ the elements of ${\displaystyle F={𝔽}_2}$ are the roots of ${\displaystyle t(t+1)}$, the nonzero elements of the submodule ${\displaystyle {𝔽}_4}$ are the roots of ${\displaystyle t^3+t+1}$, while the normal basis, which in this case is unique, is given by the roots of the remaining factor ${\displaystyle t^3+t^2+1}$.

By contrast, for the extension field ${\displaystyle L=\mathrm{G}\mathrm{F}(2^4)={𝔽}_{16}}$ in which Template:Nowrap is divisible by Template:Nowrap, we have the F[G]-module isomorphism $${\displaystyle L\cong {𝔽}_2[X]/(X^4-1)={𝔽}_2[X]/(X+1{)}^4.}$$ Here the operator ${\displaystyle \mathrm{\Phi }\cong X}$ is not diagonalizable, the module L has nested submodules given by generalized eigenspaces of ${\displaystyle \mathrm{\Phi }}$, and the normal basis elements β are those outside the largest proper generalized eigenspace, the elements with ${\displaystyle (\mathrm{\Phi }+1{)}^3(\beta )\ne 0}$.

The normal basis is frequently used in cryptographic applications based on the discrete logarithm problem, such as elliptic curve cryptography, since arithmetic using a normal basis is typically more computationally efficient than using other bases.

For example, in the field ${\displaystyle K=\mathrm{G}\mathrm{F}(2^3)={𝔽}_8}$ above, we may represent elements as bit-strings: $${\displaystyle \alpha =(a_2,a_1,a_0)=a_2{\mathrm{\Phi }}^2(\beta )+a_1\mathrm{\Phi }(\beta )+a_0\beta =a_2{\beta }^4+a_1{\beta }^2+a_0\beta ,}$$ where the coefficients are bits ${\displaystyle a_i\in \mathrm{G}\mathrm{F}(2)=\{0,1\}.}$ Now we can square elements by doing a left circular shift, ${\displaystyle {\alpha }^2=\mathrm{\Phi }(a_2,a_1,a_0)=(a_1,a_0,a_2)}$, since squaring β⁴ gives Template:Nowrap. This makes the normal basis especially attractive for cryptosystems that utilize frequent squaring.

Suppose ${\displaystyle K/F}$ is a finite Galois extension of the infinite field F. Let Template:Nowrap, ${\displaystyle \text{Gal}(K/F)=G=\{{\sigma }_1...{\sigma }_n\}}$, where ${\displaystyle {\sigma }_1=\text{Id}}$. By the primitive element theorem there exists ${\displaystyle \alpha \in K}$ such ${\displaystyle i\ne j⟹{\sigma }_i(\alpha )\ne {\sigma }_j(\alpha )}$ and ${\displaystyle K=F[\alpha ]}$. Let us write ${\displaystyle {\alpha }_i={\sigma }_i(\alpha )}$. ${\displaystyle \alpha }$'s (monic) minimal polynomial f over K is the irreducible degree n polynomial given by the formula $${\displaystyle \begin{array}{cc}f(X)& ={\displaystyle \prod _{i=1}^n}(X-{\alpha }_i)\end{array}}$$ Since f is separable (it has simple roots) we may define $${\displaystyle \begin{array}{cc}g(X)& =\frac{f(X)}{(X-\alpha )f^{\prime }(\alpha )}\\ g_i(X)& =\frac{f(X)}{(X-{\alpha }_i)f^{\prime }({\alpha }_i)}={\sigma }_i(g(X)).\end{array}}$$ In other words, $${\displaystyle \begin{array}{cc}{g}_i(X)& =\prod _{\begin{array}{c}1\le j\le n\\ j\ne i\end{array}}\frac{X-{\alpha }_j}{{\alpha }_i-{\alpha }_j}\\ g(X)& =g_1(X).\end{array}}$$ Note that ${\displaystyle g(\alpha )=1}$ and ${\displaystyle g_i(\alpha )=0}$ for ${\displaystyle i\ne 1}$. Next, define an ${\displaystyle n\times n}$ matrix A of polynomials over K and a polynomial D by $${\displaystyle \begin{array}{cc}{A}_{ij}(X)& ={\sigma }_i({\sigma }_j(g(X))={\sigma }_i(g_j(X))\\ D(X)& =\det A(X).\end{array}}$$ Observe that ${\displaystyle A_{ij}(X)=g_k(X)}$, where k is determined by ${\displaystyle {\sigma }_k={\sigma }_i\cdot {\sigma }_j}$; in particular ${\displaystyle k=1}$ iff ${\displaystyle {\sigma }_i={\sigma }_j^{-1}}$. It follows that ${\displaystyle A(\alpha )}$ is the permutation matrix corresponding to the permutation of G which sends each ${\displaystyle {\sigma }_i}$ to ${\displaystyle {\sigma }_i^{-1}}$. (We denote by ${\displaystyle A(\alpha )}$ the matrix obtained by evaluating ${\displaystyle A(X)}$ at ${\displaystyle x=\alpha }$.) Therefore, ${\displaystyle D(\alpha )=\det A(\alpha )=\pm 1}$. We see that D is a non-zero polynomial, and therefore it has only a finite number of roots. Since we assumed F is infinite, we can find ${\displaystyle a\in F}$ such that ${\displaystyle D(a)\ne 0}$. Define $${\displaystyle \begin{array}{cc}\beta & =g(a)\\ {\beta }_i& =g_i(a)={\sigma }_i(\beta ).\end{array}}$$ We claim that ${\displaystyle \{{\beta }_1,\dots ,{\beta }_n\}}$ is a normal basis. We only have to show that ${\displaystyle {\beta }_1,\dots ,{\beta }_n}$ are linearly independent over F, so suppose ${\sum }_{j=1}^n{x}_j{\beta }_j=0$ for some ${\displaystyle x_1...x_n\in F}$. Applying the automorphism ${\displaystyle {\sigma }_i}$ yields ${\sum }_{j=1}^n{x}_j{\sigma }_i(g_j(a))=0$ for all i. In other words, ${\displaystyle A(a)\cdot \bar{x}=\bar{0}}$. Since ${\displaystyle \det A(a)=D(a)\ne 0}$, we conclude that ${\displaystyle \bar{x}=\bar{0}}$, which completes the proof.

It is tempting to take ${\displaystyle a=\alpha }$ because ${\displaystyle D(\alpha )\ne 0}$. But this is impermissible because we used the fact that ${\displaystyle a\in F}$ to conclude that for any F-automorphism ${\displaystyle \sigma }$ and polynomial ${\displaystyle h(X)}$ over ${\displaystyle K}$ the value of the polynomial ${\displaystyle \sigma (h(X))}$ at a equals ${\displaystyle \sigma (h(a))}$.

A primitive normal basis of an extension of finite fields Template:Nowrap is a normal basis for Template:Nowrap that is generated by a primitive element of E, that is a generator of the multiplicative group K^×. (Note that this is a more restrictive definition of primitive element than that mentioned above after the general normal basis theorem: one requires powers of the element to produce every non-zero element of K, not merely a basis.) Lenstra and Schoof (1987) proved that every extension of finite fields possesses a primitive normal basis, the case when F is a prime field having been settled by Harold Davenport.

If Template:Nowrap is a Galois extension and x in K generates a normal basis over F, then x is free in Template:Nowrap. If x has the property that for every subgroup H of the Galois group G, with fixed field K^H, x is free for Template:Nowrap, then x is said to be completely free in Template:Nowrap. Every Galois extension has a completely free element.^[2]

• Dual basis in a field extension
• Polynomial basis
• Zech's logarithm

Template:Reflist

• Template:Cite book
• Template:Cite journal
• Template:Cite book

Template:Authority control