43、Polynomials, Finite Fields, and Quadratic Residues: A Comprehensive Guide

Polynomials and Finite Fields in Detail


1. Polynomials and Irreducibility

In the realm of polynomial mathematics, irreducibility is a fundamental concept. A polynomial $P \in k[X]$ with $P \notin k$ is called irreducible (or prime) if its only divisors are the elements $c \in k^*$ and $c \cdot P$ with $c \in k^*$. In other words, if $P = F \cdot G$ for $F, G \in k[X]$, then either $F \in k^*$ or $G \in k^*$. A polynomial that is not irreducible is called reducible or composite.

Just like the ring of integers $\mathbb{Z}$, the ring of polynomials $k[X]$ is factorial (a unique factorization domain). This means that every non-zero polynomial $F \in k[X]$ has a unique decomposition into irreducible elements. Specifically, there exist pairwise distinct irreducible polynomials $P_1, \ldots, P_r$ ($r \geq 0$), exponents $e_1, \ldots, e_r \in \mathbb{N}$ with $e_i \geq 1$ for $i = 1, \ldots, r$, and a unit $u \in k^*$ such that $F = u\prod_{i = 1}^{r}P_{i}^{e_i}$. This factorization is unique in the sense that if $F = v\prod_{i = 1}^{s}Q_{i}^{f_i}$ is another such factorization, then $r = s$, and after a permutation of the indices $i$ we have $Q_i = u_iP_i$ with $u_i \in k^*$ and $e_i = f_i$ for $1 \leq i \leq r$.

2. Residue Class Rings

Similar to the ring of integers, we can define residue classes in $k[X]$. Given a polynomial $P \in k[X]$ of degree $\geq 1$:
- Two polynomials $F, G \in k[X]$ are congruent modulo $P$, written $F \equiv G \bmod P$, if $P$ divides $F - G$. Equivalently, $F$ and $G$ have the same remainder when divided by $P$, i.e., $F \bmod P = G \bmod P$.
- The residue class of $F$ modulo $P$ is defined as $[F] := \{G \in k[X] \mid G \equiv F \bmod P\}$.

“Congruent modulo $P$” is an equivalence relation, and the set of residue classes $k[X]/Pk[X] := \{[F] \mid F \in k[X]\}$ forms a ring. Residue classes are added and multiplied by operating on representatives: $[F] + [G] := [F + G]$ and $[F] \cdot [G] := [F \cdot G]$. The natural representative of $[F]$ is the remainder $F \bmod P$, and we have $[F] = [F \bmod P]$.

The set of all remainders modulo $P$ consists of the polynomials of degree $< \deg(P)$. Thus there is a one-to-one correspondence between $k[X]/Pk[X]$ and the set $\{F \in k[X] \mid \deg(F) < \deg(P)\}$, and we often identify the two.

When adding or multiplying two residues $F$ and $G$, we first perform the operation on the polynomials and then take the remainder modulo $P$. The sum of two residues $F$ and $G$ already has degree $< \deg(P)$, so it is itself a residue and no reduction is needed. After a multiplication, the product usually has to be reduced.

If $n := \deg(P)$, the residue class ring $k[X]/Pk[X]$ is an $n$-dimensional vector space over $k$ with basis $[1], [X], [X^2], \ldots, [X^{n - 1}]$. If $k$ is a finite field with $q$ elements, then $k[X]/Pk[X]$ consists of $q^n$ elements.

Example

Let $k = F_2 = Z_2 = \{0, 1\}$ and $P := X^8 + X^4 + X^3 + X + 1 \in k[X]$. The elements of $k[X]/Pk[X]$ can be identified with the binary polynomials $b_7X^7 + b_6X^6 + \ldots + b_1X + b_0$ ($b_i \in \{0, 1\}$, $0 \leq i \leq 7$) of degree $\leq 7$, so the ring $k[X]/Pk[X]$ contains $2^8 = 256$ elements. For instance, $(X^6 + X^3 + X^2 + 1) \cdot (X^5 + X^2 + 1) = X^{11} + X^7 + X^6 + X^4 + X^3 + 1 = X^3 \cdot (X^8 + X^4 + X^3 + X + 1) + 1 \equiv 1 \bmod (X^8 + X^4 + X^3 + X + 1)$. So $X^6 + X^3 + X^2 + 1$ is a unit in $k[X]/Pk[X]$, and its inverse is $X^5 + X^2 + 1$.

An element $[F] \in k[X]/Pk[X]$ is a unit if and only if $F$ is coprime to $P$. The multiplicative inverse $[F]^{-1}$ of a unit $[F]$ can be computed with the extended Euclidean algorithm. If $P$ is irreducible, then every non-zero residue class $[F] \neq [0]$ in $k[X]/Pk[X]$ is a unit, and $k[X]/Pk[X]$ is a field.

The following table summarizes the properties of residue class rings:

| Property | Description |
| --- | --- |
| Addition | $[F] + [G] = [F + G]$ |
| Multiplication | $[F] \cdot [G] = [F \cdot G]$ |
| Representative | $[F] = [F \bmod P]$ |
| Dimension | $n = \deg(P)$ (as a vector space over $k$) |
| Number of elements | $q^n$ (if $k$ has $q$ elements) |

The mermaid flowchart below shows the process of adding and multiplying elements in a residue class ring:

```mermaid
graph TD;
    A[Input F, G and P] --> B[Add F and G as polynomials];
    B --> C[Take remainder modulo P for addition result];
    A --> D[Multiply F and G as polynomials];
    D --> E[Take remainder modulo P for multiplication result];
```

3. Finite Fields

Let $k = Z_p = F_p$ be the prime field of residues modulo a prime number $p$, and let $P \in F_p[X]$ be an irreducible polynomial of degree $n$. Then $k[X]/Pk[X] = F_p[X]/PF_p[X]$ is an extension field of $F_p$. It is an $n$-dimensional vector space over $F_p$ and contains $p^n$ elements.

There can be several irreducible polynomials of degree $n$ over $F_p$, giving several constructions of a finite field with $p^n$ elements. However, all finite fields with $p^n$ elements are isomorphic to each other. Up to canonical isomorphism there is only one finite field with $p^n$ elements, denoted by $F_{p^n}$ or $GF(p^n)$.

If a concrete representation of $F_{p^n}$ is needed, we choose an irreducible polynomial $P \in F_p[X]$ of degree $n$ and set $F_{p^n} = F_p[X]/PF_p[X]$.

In cryptography, finite fields play a crucial role. For example, the classical ElGamal cryptosystems are based on the discrete logarithm problem in a finite prime field, the elliptic curves used in cryptography are defined over finite fields, and the Advanced Encryption Standard (AES) performs algebraic operations in the field $F_{2^8}$.

Binary Finite Fields $F_{2^n}$

We identify $F_2 = Z_2 = \{0, 1\}$. Let $P = X^n + a_{n - 1}X^{n - 1} + \ldots + a_1X + a_0$ ($a_i \in \{0, 1\}$, $0 \leq i \leq n - 1$) be a binary irreducible polynomial of degree $n$. Then $F_{2^n} = F_2[X]/PF_2[X]$, and the elements of $F_{2^n}$ can be regarded as the binary polynomials $A = b_{n - 1}X^{n - 1} + b_{n - 2}X^{n - 2} + \ldots + b_1X + b_0$ ($b_i \in \{0, 1\}$, $0 \leq i \leq n - 1$) of degree $\leq n - 1$.

Adding two elements of $F_{2^n}$ means adding them as polynomials. Multiplying two elements means multiplying them as polynomials and then taking the remainder modulo $P$. We can represent the polynomial $A$ by the $n$-dimensional vector $b_{n - 1}b_{n - 2}\ldots b_1b_0$ of its coefficients, so the elements of $F_{2^n}$ are bit strings of length $n$. Two bit strings are added bit-wise modulo 2, i.e., by bit-wise XOR.

In AES, the irreducible binary polynomial $P := X^8 + X^4 + X^3 + X + 1$ is used to represent $F_{2^8}$ as $F_2[X]/PF_2[X]$. A byte is thus an element of $F_{2^8}$ and vice versa. One of the core operations of AES is the S-Box, which maps a byte $x$ to its inverse $x^{-1}$ in $F_{2^8}$ and then modifies the result by an $F_2$-affine transformation.

Here are some examples of operations in $F_{2^8}$:
- $01001101 + 00100101 = 01101000$
- $10111101 \cdot 01101001 = 11111100$
- $01001101 \cdot 00100101 = 00000001$
- $01001101^{-1} = 00100101$

Written in hexadecimal, the same examples read:
- $\mathrm{4D} + \mathrm{25} = \mathrm{68}$
- $\mathrm{BD} \cdot \mathrm{69} = \mathrm{FC}$
- $\mathrm{4D} \cdot \mathrm{25} = \mathrm{01}$
- $\mathrm{4D}^{-1} = \mathrm{25}$

4. Solving Quadratic Equations in Binary Fields

The traditional method of solving quadratic equations $X^2 + aX + b = 0$ by completing the square requires division by 2, which is impossible in the binary fields $F_{2^n}$. Instead, the trace and half-trace functions can be used.

Trace Function

Let $x \in F_{2^n}$. The trace $Tr(x)$ of $x$ is defined as $Tr(x) = \sum_{j = 0}^{n - 1} x^{2^j} = x + x^2 + x^{2^2} + \ldots + x^{2^{n - 1}}$. In a binary field $(a + b)^2 = a^2 + b^2$, and for $x \in F_{2^n}$, $x \neq 0$, we have $x^{2^n} = x \cdot x^{2^n - 1} = x \cdot 1 = x$ (the same identity holds trivially for $x = 0$).

We can prove that $Tr(x)^2 = Tr(x^2) = Tr(x)$. Since the solutions of $X^2 = X$ in a binary field are exactly 0 and 1, $Tr(x) \in F_2 \subseteq F_{2^n}$. The trace map $Tr: F_{2^n} \to F_2$, $x \mapsto Tr(x)$, is linear over $F_2$, i.e., $Tr(x + y) = Tr(x) + Tr(y)$.

The number of elements $x \in F_{2^n}$ with $Tr(x) = 1$ equals the number of elements with $Tr(x) = 0$. To show this, consider the polynomial $f(X) = X + X^2 + X^{2^2} + \ldots + X^{2^{n - 1}}$ of degree $2^{n - 1}$. Not all $2^n$ elements of $F_{2^n}$ can be roots of $f(X)$, so there exists an element $d$ with $Tr(d) = 1$. The translation $\tau_d: \{x \in F_{2^n} \mid Tr(x) = 1\} \to \{x \in F_{2^n} \mid Tr(x) = 0\}$, $x \mapsto x + d$, is a bijection.

Solving Quadratic Equations

We want to solve the quadratic equation $X^2 + aX + b = 0$ in $F_{2^n}$. In $F_{2^n}$ every element $x$ is a square, since $(x^{2^{n - 1}})^2 = x^{2^n} = x$.
- If $a = 0$, then $b^{2^{n - 1}}$ is a solution (of multiplicity 2) of $X^2 = b$.
- If $a \neq 0$, we substitute $X = aX'$ and obtain the equation $X'^2 + X' + \frac{b}{a^2} = 0$. If $x'$ is a solution of this equation, then $ax'$ is a solution of the original equation. So we may focus on equations of the form $X^2 + X + b = 0$.

If $x$ is a solution of $X^2 + X + b = 0$, then $x + 1$ is the second solution, and $0 = Tr(x^2 + x + b) = Tr(x^2) + Tr(x) + Tr(b) = 2Tr(x) + Tr(b) = Tr(b)$. The condition $Tr(b) = 0$ is also sufficient for a solution to exist.
- Case 1: $n$ is odd.
  The half-trace $\tau(b)$ is a solution, where $\tau(x) = \sum_{j = 0}^{\frac{n - 1}{2}} x^{2^{2j}} = x + x^{2^2} + x^{2^4} + \ldots + x^{2^{n - 1}}$. One shows that $\tau(x)^2 + \tau(x) = x + Tr(x)$, so $\tau(b)^2 + \tau(b) + b = 0$ when $Tr(b) = 0$. The roots of $X^2 + X + b = 0$ are $\tau(b)$ and $\tau(b) + 1$.
- Case 2: $n$ is even.
  Let $d \in F_{2^n}$ with $Tr(d) = 1$, and set $x = \sum_{i = 0}^{n - 2}\left(\sum_{j = i + 1}^{n - 1} d^{2^j}\right) b^{2^i}$. Then $x^2 + x = d \cdot Tr(b) + b$. So when $Tr(b) = 0$, $x$ and $x + 1$ are the solutions of $X^2 + X + b = 0$. An element $d$ with $Tr(d) = 1$ can be found by choosing random elements until one has trace 1; since exactly half of the elements have trace 1, we expect success after two trials.

The following table summarizes the solutions of quadratic equations in binary fields:

| Condition | Solution |
| --- | --- |
| $a = 0$ | $X = b^{2^{n - 1}}$ (multiplicity 2) |
| $a \neq 0$, $Tr(b) = 0$, $n$ odd | $X = \tau(b)$ and $\tau(b) + 1$ (for the reduced equation $X^2 + X + b = 0$) |
| $a \neq 0$, $Tr(b) = 0$, $n$ even | $X = x$ and $x + 1$ with $x = \sum_{i = 0}^{n - 2}\left(\sum_{j = i + 1}^{n - 1} d^{2^j}\right) b^{2^i}$, $Tr(d) = 1$ |

The mermaid flowchart below shows the process of solving quadratic equations in binary fields:

```mermaid
graph TD;
    A["Given X^2 + aX + b = 0 in F_(2^n)"] --> B{"a = 0?"};
    B -- Yes --> C["Solution: X = b^(2^(n-1)), multiplicity 2"];
    B -- No --> D["Substitute X = aX' to get X'^2 + X' + b/a^2 = 0"];
    D --> E{"Tr(b/a^2) = 0?"};
    E -- No --> F["No solution"];
    E -- Yes --> G{"n odd?"};
    G -- Yes --> H["x' = tau(b/a^2) and tau(b/a^2) + 1"];
    G -- No --> I["Find d with Tr(d) = 1"];
    I --> J["x' and x' + 1 with x' = sum_(i=0)^(n-2) (sum_(j=i+1)^(n-1) d^(2^j)) (b/a^2)^(2^i)"];
    H --> K["Solutions of the original equation: X = a x'"];
    J --> K;
```
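The arithmetic behind the worked examples, as an added example (not code from the original post): multiplication and inversion in $F_{2^n} = F_2[X]/PF_2[X]$ with the AES polynomial as default, which reproduces the section 2 example and the $F_{2^8}$ byte examples of section 3, together with the trace and the solver for $X^2 + X + b = 0$ from this section in both the odd-$n$ (half-trace) and even-$n$ cases. Function names are my own; elements are passed as coefficient bit strings (Python ints).

```python
AES_POLY = 0x11B  # X^8 + X^4 + X^3 + X + 1, the reduction polynomial used by AES
def gf_mul(a, b, poly=AES_POLY):
    """Multiply in F_2[X]/(poly); elements are coefficient bit strings, n = deg(poly)."""
    n, r = poly.bit_length() - 1, 0
    while b:
        if b & 1:
            r ^= a  # adding polynomials over F_2 is XOR
        b >>= 1
        a <<= 1
        if a >> n & 1:  # degree reached n: subtract (XOR) the modulus
            a ^= poly
    return r

def gf_pow(a, e, poly=AES_POLY):  # square-and-multiply in the field
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, poly)
        a, e = gf_mul(a, a, poly), e >> 1
    return r

def gf_inv(a, poly=AES_POLY):
    """a^-1 = a^(2^n - 2), as a^(2^n - 1) = 1 for a != 0; gives 0 for a = 0 (AES S-box convention)."""
    return gf_pow(a, (1 << (poly.bit_length() - 1)) - 2, poly)

def trace(x, poly=AES_POLY):  # Tr(x) = x + x^2 + x^4 + ... + x^(2^(n-1)), always 0 or 1
    t = 0
    for _ in range(poly.bit_length() - 1):
        t, x = t ^ x, gf_mul(x, x, poly)
    return t

def solve_x2_x_b(b, poly=AES_POLY):
    """Roots (x, x + 1) of X^2 + X + b = 0 in F_2[X]/(poly), or None when Tr(b) = 1."""
    n = poly.bit_length() - 1
    if trace(b, poly):
        return None
    if n % 2:  # odd n: the half-trace tau(b) = b + b^4 + b^16 + ... is a root
        x, y = 0, b
        for _ in range((n + 1) // 2):
            x, y = x ^ y, gf_pow(y, 4, poly)
        return x, x ^ 1
    # even n: x = sum_{i=0}^{n-2} c_i * b^(2^i) with c_i = sum_{j>i} d^(2^j), Tr(d) = 1
    d = next(e for e in range(1, 1 << n) if trace(e, poly) == 1)  # first d with Tr(d) = 1
    pow_d = [gf_pow(d, 1 << j, poly) for j in range(n)]  # pow_d[j] = d^(2^j)
    x = c = 0
    for i in range(n - 2, -1, -1):  # walking i downwards lets c accumulate c_i
        c ^= pow_d[i + 1]
        x ^= gf_mul(c, gf_pow(b, 1 << i, poly), poly)
    return x, x ^ 1
```

For an odd-$n$ field pass, for example, `poly=0x83`, i.e. $X^7 + X + 1$, which is irreducible over $F_2$; there $Tr(1) = 1$, so $X^2 + X + 1$ has no root, while $X^2 + X + X = 0$ is solved by the half-trace $X^4 + X^2$.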

5. Quadratic Residues

Definitions

Let $n \in \mathbb{N}$ and $x \in \mathbb{Z}$. We say that $x$ is a quadratic residue modulo $n$ if there exists an element $y \in \mathbb{Z}$ such that $x \equiv y^2 \bmod n$. Otherwise, $x$ is called a quadratic non-residue modulo $n$. The property of being a quadratic residue depends only on the residue class $[x] \in Z_n$ of $x$ modulo $n$.

The subgroup of $Z_n^*$ consisting of the residue classes represented by quadratic residues is denoted by $QR_n = \{[x] \in Z_n^* \mid \text{there is a } [y] \in Z_n^* \text{ with } [x] = [y]^2\}$. The complement of $QR_n$ is $QNR_n = Z_n^* \setminus QR_n$.

Quadratic Residues Modulo a Prime

Let $p > 2$ be a prime and $g \in Z_p^*$ a primitive root of $Z_p^*$. An element $x \in Z_p^*$ lies in $QR_p$ if and only if $x = g^t$ for some even number $t$, $0 \leq t \leq p - 2$. Indeed, $Z_p^*$ is a cyclic group generated by $g$: if $x \in QR_p$, then $x = y^2$ with $y = g^s$ for some $s$, so $x = g^{2s} = g^t$ with $t = 2s \bmod (p - 1)$ and $0 \leq t \leq p - 2$; since $p - 1$ is even, $t$ is even. Conversely, if $t$ is even, then $x = (g^{t/2})^2$, so $x \in QR_p$.

Exactly half of the elements of $Z_p^*$ are squares, i.e., $|QR_p| = \frac{p - 1}{2}$.

Legendre Symbol

The Legendre symbol $\left(\frac{x}{p}\right)$ for a prime $p > 2$ and $x \in \mathbb{Z}$ is defined as $\left(\frac{x}{p}\right) = \begin{cases} +1, & \text{if } [x] \in QR_p \\ -1, & \text{if } [x] \notin QR_p \\ 0, & \text{if } p \mid x \end{cases}$.

Euler's criterion states that $\left(\frac{x}{p}\right) \equiv x^{\frac{p - 1}{2}} \bmod p$. If $p$ divides $x$, both sides are congruent to 0 modulo $p$. If $p$ does not divide $x$, let $[g] \in Z_p^*$ be a primitive element. We know that $g^{\frac{p - 1}{2}} \equiv -1 \bmod p$. If $x = g^t$, then $x^{\frac{p - 1}{2}} \equiv g^{\frac{t(p - 1)}{2}} \bmod p$, which is $1$ if $t$ is even and $-1$ if $t$ is odd; by the previous paragraph this is exactly $\left(\frac{x}{p}\right)$.

The Legendre symbol has the following properties:
- It is multiplicative in $x$, i.e., $\left(\frac{xy}{p}\right) = \left(\frac{x}{p}\right) \cdot \left(\frac{y}{p}\right)$.
- It depends only on $x \bmod p$, and the map $Z_p^* \to \{1, -1\}$, $x \mapsto \left(\frac{x}{p}\right)$, is a homomorphism of groups.

Quadratic Reciprocity Laws

- For a prime $p > 2$, $\left(\frac{-1}{p}\right) = (-1)^{\frac{p - 1}{2}} = \begin{cases} +1, & \text{if } p \equiv 1 \bmod 4 \\ -1, & \text{if } p \equiv 3 \bmod 4 \end{cases}$ and $\left(\frac{2}{p}\right) = (-1)^{\frac{p^2 - 1}{8}} = \begin{cases} +1, & \text{if } p \equiv \pm 1 \bmod 8 \\ -1, & \text{if } p \equiv \pm 3 \bmod 8 \end{cases}$.
- The Law of Quadratic Reciprocity: Let $p$ and $q$ be primes $> 2$, $p \neq q$. Then $\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{(p - 1)(q - 1)}{4}}$.

Jacobi Symbol

The Jacobi symbol $\left(\frac{x}{n}\right)$ for a positive odd number $n = \prod_{i = 1}^{r} p_i^{e_i}$ (prime decomposition) and $x \in \mathbb{Z}$ is defined as $\left(\frac{x}{n}\right) = \prod_{i = 1}^{r} \left(\frac{x}{p_i}\right)^{e_i}$.
- The value of $\left(\frac{x}{n}\right)$ depends only on the residue class $[x] \in Z_n$.
- If $[x] \in QR_n$, then $\left(\frac{x}{n}\right) = 1$, but the converse does not hold in general.
- The Jacobi symbol is multiplicative in both arguments: $\left(\frac{xy}{n}\right) = \left(\frac{x}{n}\right) \cdot \left(\frac{y}{n}\right)$ and $\left(\frac{x}{mn}\right) = \left(\frac{x}{m}\right) \cdot \left(\frac{x}{n}\right)$.
- The map $Z_n^* \to \{1, -1\}$, $[x] \mapsto \left(\frac{x}{n}\right)$, is a homomorphism of groups.
- $J_n^{+1} = \{[x] \in Z_n^* \mid \left(\frac{x}{n}\right) = 1\}$ is a subgroup of $Z_n^*$.

Let $n \geq 3$ be an odd integer. If $n$ is a square, then $\left(\frac{x}{n}\right) = 1$ for all $[x] \in Z_n^*$. Otherwise, exactly half of the elements of $Z_n^*$ have Jacobi symbol 1, i.e., $|J_n^{+1}| = \frac{\varphi(n)}{2}$.
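As an added example (not code from the original post) for the Legendre and Jacobi paragraphs above: the Legendre symbol via Euler's criterion, the Jacobi symbol computed straight from its definition over a prime factorization, and brute-force checks of the caveat that $\left(\frac{x}{n}\right) = 1$ does not imply $[x] \in QR_n$ (2 modulo 15 is the classic case) and of $|J_n^{+1}| = \varphi(n)/2$. Function names are my own; the trial-division factoring is only meant for small moduli.

```python
from math import gcd

def legendre(x, p):
    """Legendre symbol (x/p) for an odd prime p via Euler's criterion: x^((p-1)/2) mod p."""
    r = pow(x, (p - 1) // 2, p)
    return -1 if r == p - 1 else r  # r is 0, 1 or p - 1 (i.e. -1 mod p)

def factor(n):
    """Trial-division prime factorization of n as a list of (p, e); adequate for small n."""
    out, p = [], 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n, e = n // p, e + 1
        if e:
            out.append((p, e))
        p += 1
    if n > 1:
        out.append((n, 1))
    return out

def jacobi_by_definition(x, n):
    """(x/n) = prod_i (x/p_i)^(e_i) for positive odd n, straight from the definition."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("the Jacobi symbol needs a positive odd n")
    j = 1
    for p, e in factor(n):
        j *= legendre(x, p) ** e
    return j

def is_quadratic_residue(x, n):
    """Brute force: is [x] in QR_n, i.e. the square of some unit modulo n?"""
    return any(y * y % n == x % n for y in range(1, n) if gcd(y, n) == 1)

def count_jacobi_one(n):
    """|J_n^{+1}|: the number of units modulo n whose Jacobi symbol is 1."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1 and jacobi_by_definition(x, n) == 1)
```

With $n = 15$: $\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = (-1)(-1) = 1$, yet the squares of units modulo 15 are only $\{1, 4\}$, and exactly $\varphi(15)/2 = 4$ units have Jacobi symbol 1; for the square $n = 9$ all $\varphi(9) = 6$ units have symbol 1.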

The following table summarizes the properties of Legendre and Jacobi symbols:

| Symbol | Definition | Properties |
| --- | --- | --- |
| Legendre $\left(\frac{x}{p}\right)$ | $p$ prime $> 2$; $+1$ if $[x] \in QR_p$, $-1$ if $[x] \notin QR_p$, $0$ if $p \mid x$ | Multiplicative in $x$; $\left(\frac{x}{p}\right) \equiv x^{\frac{p - 1}{2}} \bmod p$ |
| Jacobi $\left(\frac{x}{n}\right)$ | $n$ positive odd, $n = \prod_{i = 1}^{r} p_i^{e_i}$; $\left(\frac{x}{n}\right) = \prod_{i = 1}^{r} \left(\frac{x}{p_i}\right)^{e_i}$ | Multiplicative in $x$ and $n$; depends only on $[x] \in Z_n$ |

We can compute the Jacobi symbol $\left(\frac{m}{n}\right)$ efficiently, without factoring $n$, using the following algorithm:

```python
def Jac(m, n):
    """Jacobi symbol (m/n) for a positive odd integer n, computed by quadratic reciprocity."""
    assert n > 0 and n % 2 == 1, "n must be a positive odd integer"
    m = m % n
    if m == 0:
        return 0
    j = 1
    t = 0
    # Split off the factor 2^t of m: (2/n)^t equals -1 exactly when t is odd and n ≡ ±3 (mod 8)
    while m % 2 == 0:
        m = m // 2
        t = t + 1
    if t % 2 == 1 and n % 8 in [3, 5]:
        j = -1
    if m == 1:
        return j
    # m and n are now both odd: apply the reciprocity law (m/n)(n/m) = (-1)^((m-1)(n-1)/4);
    # if m and n share a factor, the recursion ends with m == 0 and the result is 0
    return j * (-1) ** (((m - 1) * (n - 1)) // 4) * Jac(n, m)
```

The mermaid flowchart below shows the process of computing the Jacobi symbol:

```mermaid
graph TD;
    A["Input m, n (n positive and odd)"] --> B["m = m mod n"];
    B --> C{"m = 0?"};
    C -- Yes --> D["Return 0"];
    C -- No --> E["j = 1, t = 0"];
    E --> F{"Is m even?"};
    F -- Yes --> G["m = m div 2, t = t + 1"];
    G --> F;
    F -- No --> H{"t odd and n ≡ ±3 mod 8?"};
    H -- Yes --> I["j = -1"];
    I --> J{"m = 1?"};
    H -- No --> J;
    J -- Yes --> K["Return j"];
    J -- No --> L["Return j * (-1)^((m - 1)(n - 1)/4) * Jac(n, m)"];
```

In conclusion, polynomials, finite fields, and quadratic residues are fundamental concepts in algebra with wide-ranging applications in cryptography and other fields. Understanding these concepts and their associated algorithms is crucial for solving complex problems in these areas.
