Normal Basis

In mathematics, specifically the algebraic theory of fields, a normal basis is a special kind of basis for Galois extensions of finite degree, characterised as forming a single orbit for the Galois group. The normal basis theorem states that any finite Galois extension of fields has a normal basis. In algebraic number theory, the study of the more refined question of the existence of a normal integral basis is part of Galois module theory.

Normal basis theorem

Let $F\subset K$ be a Galois extension with Galois group $G$. The classical normal basis theorem states that there is an element $\beta\in K$ such that $\$ forms a basis of ''K'', considered as a vector space over ''F''. That is, any element $\alpha \in K$ can be written uniquely as $\alpha = \sum_ a_g\, g(\beta)$ for some elements $a_g\in F.$

A normal basis contrasts with a primitive element basis of the form $\$, where $\beta\in K$ is an element whose minimal polynomial has degree n= :F/math>.

Group representation point of view

A field extension $K/F$ with Galois group ''G'' can be naturally viewed as a representation of the group ''G'' over the field ''F'' in which each automorphism is represented by itself. Representations of ''G'' over the field ''F'' can be viewed as left modules for the group algebra F /math>. Every homomorphism of left F /math>-modules \phi:F rightarrow K is of form $\phi(r) = r\beta$ for some $\beta \in K$. Since $\$ is a linear basis of F /math> over ''F'', it follows easily that $\phi$ is bijective iff $\beta$ generates a normal basis of ''K'' over ''F''. The normal basis theorem therefore amounts to the statement saying that if $K/F$ is finite Galois extension, then K \cong F /math> as left F /math>-module. In terms of representations of ''G'' over ''F'', this means that ''K'' is isomorphic to the regular representation.

Case of finite fields

For finite fields this can be stated as follows: Let $F = \mathrm(q)=\mathbb_q$ denote the field of ''q'' elements, where ''q = p^m'' is a prime power, and let $K= \mathrm(q^n)=\mathbb_$ denote its extension field of degree ''n'' ≥ 1. Here the Galois group is $G = \text(K/F) = \$ with $\Phi^n = 1,$ a cyclic group generated by the ''q''-power Frobenius automorphism $\Phi(\alpha)=\alpha^q,$with $\Phi^n = 1 =\mathrm_K.$ Then there exists an element such that
$\ \ = \ \$
is a basis of ''K'' over ''F''.

Proof for finite fields

In case the Galois group is cyclic as above, generated by $\Phi$ with $\Phi^n=1,$ the Normal Basis Theorem follows from two basic facts. The first is the linear independence of characters: a ''multiplicative'' ''character'' is a mapping ''χ'' from a group ''H'' to a field ''K'' satisfying $\chi(h_1h_2)=\chi(h_1)\chi(h_2)$; then any distinct characters $\chi_1,\chi_2,\ldots$ are linearly independent in the ''K''-vector space of mappings. We apply this to the Galois group automorphisms $\chi_i=\Phi^i: K \to K,$ thought of as mappings from the multiplicative group $H=K^\times$. Now $K\cong F^n$as an ''F''-vector space, so we may consider $\Phi : F^n\to F^n$ as an element of the matrix algebra $M_n(F);$ since its powers $1,\Phi,\ldots,\Phi^$ are linearly independent (over ''K'' and a fortiori over ''F''), its minimal polynomial must have degree at least ''n'', i.e. it must be $X^n-1$.

The second basic fact is the classification of finitely generated modules over a PID such as F /math>. Every such module ''M'' can be represented as $M \cong\bigoplus_^k \frac$, where $f_i(X)$ may be chosen so that they are monic polynomials or zero and $f_(X)$ is a multiple of $f_i(X)$. $f_k(X)$ is the monic polynomial of smallest degree annihilating the module, or zero if no such non-zero polynomial exists. In the first case $\dim_F M = \sum_^k \deg f_i$, in the second case $\dim_F M = \infty$. In our case of cyclic ''G'' of size ''n'' generated by $\Phi$ we have an ''F''-algebra isomorphism F cong \frac where ''X'' corresponds to $1 \cdot \Phi$, so every F /math>-module may be viewed as an F /math>-module with multiplication by ''X'' being multiplication by $1\cdot\Phi$. In case of ''K'' this means $X\alpha = \Phi(\alpha)$, so the monic polynomial of smallest degree annihilating ''K'' is the minimal polynomial of $\Phi$. Since ''K'' is a finite dimensional ''F''-space, the representation above is possible with $f_k(X)=X^n-1$. Since $\dim_F(K) = n,$ we can only have $k=1$, and $K \cong \frac$ as F /math>-modules. (Note this is an isomorphism of ''F''-linear spaces, but ''not'' of rings or ''F''-algebras!) This gives isomorphism of F /math>-modules K\cong F /math> that we talked about above, and under it the basis $\$ on the right side corresponds to a normal basis $\$ of ''K'' on the left.

Note that this proof would also apply in the case of a cyclic Kummer extension.

Example

Consider the field $K=\mathrm(2^3)=\mathbb_$ over $F=\mathrm(2)=\mathbb_$, with Frobenius automorphism $\Phi(\alpha)=\alpha^2$. The proof above clarifies the choice of normal bases in terms of the structure of ''K'' as a representation of ''G'' (or ''F'' 'G''module). The irreducible factorization
X^n-1 \ =\ X^3-1\ = \ (X1)(X^2X1) \ \in\ F /math> means we have a direct sum of ''F'' 'G''modules (by the Chinese remainder theorem):$K\ \cong\ \frac \ \cong\ \frac \oplus \frac.$
The first component is just $F\subset K$, while the second is isomorphic as an ''F'' 'G''module to \mathbb_ \cong \mathbb_2 (X^2X1) under the action $\Phi\cdot X^i = X^.$ (Thus $K \cong \mathbb F_2\oplus \mathbb F_4$ as ''F'' 'G''modules, but ''not'' as ''F''-algebras.)

The elements $\beta\in K$ which can be used for a normal basis are precisely those outside either of the submodules, so that $(\Phi1)(\beta)\neq 0$ and $(\Phi^2\Phi1)(\beta)\neq 0$. In terms of the ''G''-orbits of ''K'', which correspond to the irreducible factors of:
t^-t \ = \ t(t1)\left(t^3 + t + 1\right)\left(t^3 + t^2 + 1\right)\ \in\ F
the elements of $F=\mathbb_2$ are the roots of $t(t1)$, the nonzero elements of the submodule $\mathbb_4$ are the roots of $t^3+t+1$, while the normal basis, which in this case is unique, is given by the roots of the remaining factor $t^3t^21$.

By contrast, for the extension field $L = \mathrm(2^4)=\mathbb_$ in which ''n'' = 4 is divisible by ''p'' = 2, we have the ''F'' 'G''module isomorphism
L \ \cong\ \mathbb_2 (X^41)\ =\ \mathbb_2 (X1)^4.
Here the operator $\Phi\cong X$ is not diagonalizable, the module ''L'' has nested submodules given by generalized eigenspaces of $\Phi$, and the normal basis elements ''β'' are those outside the largest proper generalized eigenspace, the elements with $(\Phi1)^3(\beta)\neq 0$.

Application to cryptography

The normal basis is frequently used in cryptographic applications based on the discrete logarithm problem, such as elliptic curve cryptography, since arithmetic using a normal basis is typically more computationally efficient than using other bases.

For example, in the field $K=\mathrm(2^3)=\mathbb_$ above, we may represent elements as bit-strings:
$\alpha \ =\ (a_2,a_1,a_0)\ =\ a_2\Phi^2(\beta) + a_1\Phi(\beta)+a_0\beta\ =\ a_2\beta^4 + a_1\beta^2 +a_0\beta,$
where the coefficients are bits $a_i\in \mathrm(2)=\.$ Now we can square elements by doing a left circular shift, $\alpha^2=\Phi(a_2,a_1,a_0) = (a_1,a_0,a_2)$, since squaring ''β''⁴ gives ''β''⁸ = ''β''. This makes the normal basis especially attractive for cryptosystems that utilize frequent squaring.

Proof for the case of infinite fields

Suppose $K/F$ is a finite Galois extension of the infinite field ''F''. Let :F= n, $\text(K/F) = G =\$, where $\sigma_1 = \text$. By the primitive element theorem there exists $\alpha \in K$ such $i\ne j\implies \sigma_i(\alpha)\ne\sigma_j(\alpha)$ and $K=F$alpha/math>. Let us write $\alpha_i = \sigma_i(\alpha)$. $\alpha$'s (monic) minimal polynomial ''f'' over ''K'' is the irreducible degree ''n'' polynomial given by the formula$\begin f(X) &= \prod_^n(X - \alpha_i) \end$
Since ''f'' is separable (it has simple roots) we may define
$\begin g(X) &= \ \frac\\ g_i(X) &= \ \frac =\ \sigma_i(g(X)). \end$
In other words,
$\begin g_i(X)&= \prod_\frac\\ g(X)&= g_1(X). \end$
Note that $g(\alpha)=1$ and $g_i(\alpha)=0$ for $i \ne 1$. Next, define an $n \times n$ matrix ''A'' of polynomials over ''K'' and a polynomial ''D'' by
$\begin A_(X) &= \sigma_i(\sigma_j(g(X)) = \sigma_i(g_j(X))\\ D(X) &= \det A(X). \end$
Observe that $A_(X) = g_k(X)$, where ''k'' is determined by $\sigma_k = \sigma_i \cdot \sigma_j$; in particular $k=1$ iff $\sigma_i = \sigma_j^$. It follows that $A(\alpha)$ is the permutation matrix corresponding to the permutation of ''G'' which sends each $\sigma_i$ to $\sigma_i^$. (We denote by $A(\alpha)$ the matrix obtained by evaluating $A(X)$ at $x=\alpha$.) Therefore, $D(\alpha) = \det A(\alpha) = \pm 1$. We see that ''D'' is a non-zero polynomial, and therefore it has only a finite number of roots. Since we assumed ''F'' is infinite, we can find $a\in F$ such that $D(a)\ne 0$. Define
$\begin \beta &= g(a) \\ \beta_i &= g_i(a) = \sigma_i(\beta). \end$
We claim that $\$ is a normal basis. We only have to show that $\beta_1, \ldots,\beta_n$ are linearly independent over ''F'', so suppose $\sum_^n x_j \beta_j = 0$ for some $x_1...x_n\in F$. Applying the automorphism $\sigma_i$ yields $\sum_^n x_j \sigma_i(g_j(a)) = 0$ for all ''i''. In other words, $A(a) \cdot \overline = \overline$. Since $\det A(a) = D(a) \ne 0$, we conclude that $\overline x = \overline 0$, which completes the proof.

It is tempting to take $a=\alpha$ because $D(\alpha)\neq0$. But this is impermissible because we used the fact that $a \in F$ to conclude that for any ''F''-automorphism $\sigma$ and polynomial $h(X)$ over $K$ the value of the polynomial $\sigma(h(X))$ at $a$ equals $\sigma(h(a))$.

Primitive normal basis

A primitive normal basis of an extension of finite fields ''E''/''F'' is a normal basis for ''E''/''F'' that is generated by a primitive element of ''E'', that is a generator of the multiplicative group $K^\times$. (Note that this is a more restrictive definition of primitive element than that mentioned above after the general Normal Basis Theorem: one requires powers of the element to produce every non-zero element of ''K'', not merely a basis.) Lenstra and Schoof (1987) proved that every finite field extension possesses a primitive normal basis, the case when ''F'' is a prime field having been settled by Harold Davenport.

Free elements

If ''K''/''F'' is a Galois extension and ''x'' in ''K'' generates a normal basis over ''F'', then ''x'' is free in ''K''/''F''. If ''x'' has the property that for every subgroup ''H'' of the Galois group ''G'', with fixed field ''K''^''H'', ''x'' is free for ''K''/''K''^''H'', then ''x'' is said to be completely free in ''K''/''F''. Every Galois extension has a completely free element.Dirk Hachenberger, ''Completely free elements'', in Cohen & Niederreiter (1996) pp.97-107

See also

* Dual basis in a field extension
*Polynomial basis
*Zech's logarithm

References

*
*
*

{{Authority control

Linear algebra
Field (mathematics)
Abstract algebra
Cryptography