Algebraic Background
2.1 Elementary algebraic structures
Groups • Rings • Fields • Vector spaces
2.2 Introduction to number theory 24
Extension of fields • Algebraic closure • Galois theory • Number fields
2.3 Finite fields 31
First properties • Algebraic extensions of a finite field • Finite field representations • Finite field characters
In the first part we state definitions and simple properties of the algebraic structures we shall use constantly in the remainder of the book. More details can be found in [LAN 2002a].
The next section deals with number theory. On this occasion we shall give an introduction to extensions of fields, including the algebraic closure, Galois theory, and number fields. We refer mainly to [LAN 2002a] and [FRTA 1991] for this part.
Finally, we conclude with an elementary theory of finite fields, which are of crucial importance for elliptic and hyperelliptic curve cryptography. Finite fields are extensively discussed in [LINI 1997].
2.1 Elementary algebraic structures
We shall recall here basic properties of groups, rings, fields, and vector spaces.
2.1.1 Groups
Definition 2.1 Given a set S, a composition law × of S into itself is a mapping from the Cartesian product S × S to S. Common notations for the image of (x, y) under this mapping are x × y, x.y or simply xy. When the law is commutative, i.e., when the images of (x, y) and (y, x) under the composition law are the same for all x, y ∈ S, it is customary to denote it by +.
Definition 2.2 A group G is a set with a composition law × such that
• × is associative, that is for all x, y, z ∈ G we have (xy)z = x(yz)
• × has a unit element e, i.e., for all x ∈ G we have xe = ex = x
• for every x ∈ G there exists y, an inverse of x, such that xy = yx = e.
Remarks 2.3
(i) The group G is said to be commutative or abelian if the composition law is commutative. As previously mentioned, the law is often denoted by + or ⊕ and the unit element by 0 in this case.
(ii) The unit of a group G is necessarily unique, as is the inverse of an element x, which is denoted by x⁻¹. If G is commutative the inverse of x is usually denoted by −x.
(iii) The cardinality of a group G is also called its order. The group G is finite if its order is finite.
Definition 2.4 Let G be a group. A subgroup H of G is a subset of G containing the unit element e and such that
• for all x, y ∈ H one has xy ∈ H
• if x ∈ H then also x⁻¹ ∈ H.
Example 2.5 Let x ∈ G. The set {xⁿ | n ∈ Z} is the subgroup of G generated by x. It is denoted by ⟨x⟩.
Definition 2.6 Let G be a group. An element x ∈ G is of finite order if ⟨x⟩ is finite. In this case, the order of x is |⟨x⟩|, that is, the smallest positive integer n such that xⁿ = e. Otherwise, x is of infinite order.
Definition 2.7 A group G is cyclic if there is x ∈ G such that ⟨x⟩ = G. If such an element x exists, it is called a generator of G.
Remark 2.8 Every subgroup of a cyclic group G is also cyclic. More precisely, if the order of G is n, then for each divisor d of n, G contains exactly one cyclic subgroup of order d.
Definition 2.9 Let G be a group and H be a subgroup of G. For all x, y ∈ G, the relation x ∼ y if and only if x⁻¹y ∈ H, respectively x ∼ y if and only if yx⁻¹ ∈ H, is an equivalence relation. An equivalence class for this relation is denoted by xH = {xh | h ∈ H}, respectively Hx = {hx | h ∈ H}, and these are called respectively left and right cosets of H. The numbers of classes for both relations are the same. This invariant is called the index of H in G and is denoted by [G : H].
Theorem 2.10 (Lagrange) Let G be a finite group and H be a subgroup of G. Then the order of H divides the order of G. As a consequence, the order of every element also divides the order of G.
Since all the classes modulo H have the same cardinality |H| and form a partition of G, we have the more precise result |G| = [G : H] |H|.
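Subgroups generated by an element, element orders, Lagrange's theorem and Remark 2.8 made concrete on the multiplicative groups of residues coprime to n (the groups (Z/nZ)* introduced in Example 2.29), as an added Python example that is not part of the book; the function names are mine.

```python
from math import gcd

def unit_group(n):
    """G = (Z/nZ)^*: canonical representatives coprime to n (see Example 2.29)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def generated_subgroup(x, n):
    """<x> = {x^k | k in Z} inside (Z/nZ)^* (Example 2.5).  G is finite, so the
    positive powers of x alone return to the unit element 1 and exhaust <x>."""
    powers, y = [], 1
    while True:
        y = y * x % n
        powers.append(y)
        if y == 1:
            return frozenset(powers)

def element_order(x, n):
    """Order of x: |<x>|, the least k > 0 with x^k = 1 (Definition 2.6)."""
    return len(generated_subgroup(x, n))

def lagrange_holds(n):
    """Theorem 2.10: the order of every element divides |G| for G = (Z/nZ)^*."""
    G = unit_group(n)
    return all(len(G) % element_order(x, n) == 0 for x in G)

def is_cyclic(n):
    """Definition 2.7: G is cyclic iff some x has <x> = G, i.e. order |G|."""
    G = unit_group(n)
    return any(element_order(x, n) == len(G) for x in G)

def cyclic_subgroup_orders(n):
    """Sorted orders of the distinct cyclic subgroups <x>, x in (Z/nZ)^*.
    For a cyclic G of order m, Remark 2.8 predicts exactly the divisors of m,
    each once; a non-cyclic G (e.g. n = 8) breaks that pattern."""
    subgroups = {generated_subgroup(x, n) for x in unit_group(n)}
    return sorted(len(H) for H in subgroups)

def divisors(m):
    return [d for d in range(1, m + 1) if m % d == 0]
```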
Definition 2.11 Let G be a group. A subgroup H is normal if for all x ∈ G, xH = Hx. In this case G/H can be endowed with a group structure such that (xH)(yH) = xyH.
For example, the group G = (Z, +) is abelian. Hence the group of multiples of n, called nZ, is a normal subgroup of G for every integer n, and one can consider the quotient group Z/nZ = {x + nZ | x ∈ Z}. An element of Z/nZ is a class modulo n. Two integers x and y are congruent modulo n if they belong to the same class modulo n, i.e., if and only if x − y ∈ nZ. In this case, we write x ≡ y (mod n).
For every integer x, there is a unique integer r in the interval [0, n − 1] which belongs to the class of x. This integer r is called the canonical representative of x and we write r = x mod n.
Therefore we have
$$\mathbb{Z}/n\mathbb{Z} = \{\, r + n\mathbb{Z} \mid r \in [0, n-1] \,\}.$$
But other choices are possible. For example, to minimize the absolute value of the representatives, we write x mods n for the unique integer in [−n/2 + 1, n/2] congruent to x modulo n.
Definition 2.12 Let G and G′ be two groups with respective laws × and ⊗ and units e and e′.
• A group homomorphism ψ between G and G′ is a map from G to G′ such that for all x, y ∈ G, ψ(x × y) = ψ(x) ⊗ ψ(y).
• The kernel of ψ is ker ψ = {x ∈ G | ψ(x) = e′}.
Remark 2.13 The kernel of ψ is never empty, as it is easy to see that ψ(e) = e′. In addition, ker ψ is always a subgroup of G, which is moreover normal.
Definition 2.14 Let S be a set and G be a group. The group G acts on S if there is a map σ from G × S into S such that
• σ(e, t) = t, for all t ∈ S
• σ(x, σ(y, t)) = σ(xy, t), for all t ∈ S and for all x, y ∈ G.
2.1.2 Rings
Definition 2.15 A ring R is a set together with two composition laws + and × such that
• R is a commutative group with respect to +
• × is associative and has a unit element 1, which is different from 0, the unit of +
• × is distributive over +, that is for all x, y, z ∈ R, x(y + z) = xy + xz and (y + z)x = yx + zx.
Remarks 2.16
(i) The ring R is said to be commutative if the law × is commutative.
(ii) A commutative ring R such that for all x, y ∈ R, the equality xy = 0 implies that x = 0 or y = 0 is called an integral domain.
Example 2.17 The set Z of integers together with the usual addition and multiplication is a ring. The set Z[X] of polynomials with coefficients in Z together with the addition and multiplication of polynomials is a ring.
Definition 2.18 Let R and R′ be two rings with the respective operations +, × and ⊕, ⊗. A ring homomorphism ψ is a map from R to R′ such that for all x, y ∈ R
• ψ(x + y) = ψ(x) ⊕ ψ(y)
• ψ(x × y) = ψ(x) ⊗ ψ(y)
• ψ(1) = 1.
Definition 2.19 Let R be a ring. I is an ideal of R if it is a nonempty subset of R such that
• I is a subgroup of R with respect to the law +
• for all x ∈ R and all y ∈ I, xy ∈ I and yx ∈ I.
The ideal I ≠ R is prime if for all x, y ∈ R with xy ∈ I one obtains x ∈ I or y ∈ I.
The ideal I ≠ R is maximal if for any ideal J of R the inclusion I ⊂ J implies J = I or J = R.
Two ideals I and J of R are coprime if I + J = {i + j | i ∈ I and j ∈ J} is equal to R.
Remark 2.20 It is easy to prove that a maximal ideal is also prime. The converse is not true in general.
Definition 2.21 An ideal I of a ring R is finitely generated if there are elements a₁, …, aₙ such that every x ∈ I can be written x = x₁a₁ + ⋯ + xₙaₙ with x₁, …, xₙ ∈ R.
The ideal I is principal if I = aR for some a ∈ R, and R is a principal ideal domain (PID) if it is an integral domain and if every ideal of R is principal.
Example 2.22 The integer ring Z and the polynomial ring K[X], where K is a field, are principal ideal domains.
Theorem 2.23 (Chinese remainder theorem) Let I₁, …, I_k be pairwise coprime ideals of R. Then
$$R \Big/ \bigcap_{i=1}^{k} I_i \;\cong\; \prod_{i=1}^{k} R/I_i.$$
Corollary 2.24 Let n₁, …, n_k be pairwise coprime integers, i.e., such that gcd(nᵢ, nⱼ) = 1 for i ≠ j. Then, for any integers xᵢ, there exists an integer x such that
$$\begin{cases} x \equiv x_1 \pmod{n_1} \\ x \equiv x_2 \pmod{n_2} \\ \quad\vdots \\ x \equiv x_k \pmod{n_k}. \end{cases}$$
Furthermore, x is unique modulo $\prod_{i=1}^{k} n_i$.
Remark 2.25 See Algorithm 10.52 for an efficient method to compute x given the xᵢ's.
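Corollary 2.24, and Theorem 2.23 in the case R = Z, worked out in Python as an added example; this is not the book's Algorithm 10.52, the names ext_gcd, inverse_mod and crt are chosen here, and the moduli used in the checks are constructed.

```python
from math import gcd, prod

def ext_gcd(a, b):
    """Extended Euclid: return (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, u, v = ext_gcd(b, a % b)
    return (g, v, u - (a // b) * v)

def inverse_mod(a, n):
    """Inverse of a modulo n, or ValueError if gcd(a, n) != 1."""
    g, u, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {n}")
    return u % n

def pairwise_coprime(moduli):
    """gcd(n_i, n_j) = 1 for all i != j, the hypothesis of Corollary 2.24."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))

def crt(residues, moduli):
    """Corollary 2.24: the unique x mod N = prod(n_i) with x ≡ x_i (mod n_i).
    Each e_i below is ≡ 1 mod n_i and ≡ 0 mod every other n_j, so the sum
    of the x_i * e_i satisfies all k congruences at once."""
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise coprime")
    N = prod(moduli)
    x = 0
    for xi, ni in zip(residues, moduli):
        Mi = N // ni                      # product of the other moduli
        ei = Mi * inverse_mod(Mi, ni)     # 1 mod ni, 0 mod nj for j != i
        x += xi * ei
    return x % N

def crt_is_bijection(moduli):
    """Theorem 2.23 for R = Z: reducing modulo each n_i is a bijection
    Z/NZ -> Z/n_1Z x ... x Z/n_kZ, and crt() is its inverse."""
    N = prod(moduli)
    images = set()
    for x in range(N):
        residues = tuple(x % ni for ni in moduli)
        images.add(residues)
        if crt(residues, moduli) != x:
            return False
    return len(images) == N
```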
Next we define an important arithmetic invariant. Let R be a ring and let ψ be the natural ring homomorphism from Z to R. So
$$\psi(n) = \begin{cases} \underbrace{1 + \cdots + 1}_{n \text{ times}} & \text{if } n \geq 0 \\[4pt] -(\underbrace{1 + \cdots + 1}_{-n \text{ times}}) & \text{otherwise.} \end{cases} \qquad (2.1)$$
The kernel of ψ is an ideal of Z, and if the multiples of 1 are all different then ker ψ = {0}. Otherwise, for example if R is finite, some multiples of 1 must be zero. In other words, the kernel of ψ is generated by a positive integer m.
Definition 2.26 Let R be a ring and ψ be defined as above. The kernel of ψ is of the form mZ for some nonnegative integer m, which is called the characteristic of R and is denoted by char(R).
Remark 2.27 In a commutative ring R of prime characteristic p, the binomial formula simplifies to
$$(\alpha + \beta)^{p^n} = \alpha^{p^n} + \beta^{p^n} \quad \text{for all } \alpha, \beta \in R \text{ and } n \in \mathbb{N}. \qquad (2.2)$$
Definition 2.28 Let R be a ring. An element x ∈ R is said to be invertible if there is an element y satisfying xy = yx = 1. Such an inverse y, also called a unit, is necessarily unique and is denoted by x⁻¹. The set of all the invertible elements is a group under multiplication denoted by R*.
Example 2.29 Take a positive integer N and consider the ring Z/NZ obtained as the quotient of the usual integer ring Z by the ideal NZ. The invertible elements of Z/NZ are in one-to-one correspondence with the canonical representatives coprime with N. The inverse of an element is given by an extended gcd computation, cf. Section 10.6.
Definition 2.30 Let N ≥ 1 and let us denote |(Z/NZ)*| by ϕ(N). The function ϕ is called the Euler totient function and one has ϕ(N) = |{x | 1 ≤ x ≤ N, gcd(x, N) = 1}|.
From Lagrange's Theorem 2.10, it is easy to prove the following.
Theorem 2.31 (Euler) Let N and x be integers such that x is coprime to N. Then $x^{\phi(N)} \equiv 1 \pmod N$.
This result was first proved by Fermat when the modulus N is a prime p. In this case, Theorem 2.31 reduces to $x^{p-1} \equiv 1 \pmod p$ for x prime to p. Therefore this restricted version is often referred to as Fermat's little theorem.
The ring Z/pZ has many other marvelous properties. In particular, every nonzero element has an inverse, which means that Z/pZ is a field.
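Example 2.29, Definition 2.30, Theorem 2.31 and its Fermat special case, checked in Python as an added example that is not the book's code; Python's built-in pow(x, -1, N) stands in for the extended gcd computation of Section 10.6, and the function names are mine.

```python
from math import gcd

def units(N):
    """(Z/NZ)^*: the canonical representatives coprime with N (Example 2.29)."""
    return [x for x in range(1, N) if gcd(x, N) == 1]

def phi(N):
    """Euler's totient, exactly as in Definition 2.30: the number of x with
    1 <= x <= N and gcd(x, N) = 1.  For N > 1 this equals len(units(N))."""
    return len([x for x in range(1, N + 1) if gcd(x, N) == 1])

def inverse(x, N):
    """Inverse of x in (Z/NZ)^*; pow(x, -1, N) replaces the extended gcd here."""
    if gcd(x, N) != 1:
        raise ValueError(f"{x} has no inverse modulo {N}")
    return pow(x, -1, N)

def units_form_group(N):
    """Definition 2.28: the invertible classes are closed under multiplication
    and every one of them has an inverse, so they form a group."""
    U = set(units(N))
    closed = all(x * y % N in U for x in U for y in U)
    return closed and all(x * inverse(x, N) % N == 1 for x in U)

def euler_holds(N):
    """Theorem 2.31: x^phi(N) ≡ 1 (mod N) for every x coprime to N."""
    e = phi(N)
    return all(pow(x, e, N) == 1 for x in units(N))

def fermat_holds(p):
    """Fermat's little theorem, the case N = p prime: phi(p) = p - 1 and
    x^(p-1) ≡ 1 (mod p) for every x not divisible by p."""
    return phi(p) == p - 1 and all(pow(x, p - 1, p) == 1 for x in range(1, p))

def is_field(N):
    """Z/NZ is a field iff every nonzero class is invertible, i.e. phi(N) = N - 1
    with N > 1 (the 1 = 0 ring is excluded); this holds exactly for N prime."""
    return N > 1 and phi(N) == N - 1
```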
2.1.3 Fields
Definition 2.32 A field K is a commutative ring such that every nonzero element is invertible.
Example 2.33 The set of rational numbers Q with the usual addition and multiplication laws is a field. The quotient set Z/pZ with the induced integer addition and multiplication is also a field for any prime number p.
An easy consequence of Definition 2.32 is that a field is an integral domain. Now, quotienting K by the kernel of ψ as defined by (2.1), we see that K contains a field isomorphic to Z/char(K)Z.
These two facts imply the following result.
Proposition 2.34 The characteristic of a field is either 0 or a prime number p.
As a corollary, a field K contains a subfield which is isomorphic to Q or Z/pZ.
Given an integral domain R, a common way to obtain a field is to add to R the formal inverses of all the elements of R. The set obtained is the field of fractions of R. For instance, K(X) is the field of fractions of the polynomial ring K[X]. The next proposition is also very much used in practice to construct fields.
Proposition 2.35 Let R be a ring and I an ideal of R. Then the quotient set R/I is a field if and only if I is maximal.
Definition 2.36 Let K and L be fields. A homomorphism of fields is a ring homomorphism between K and L.
We remark that a homomorphism of fields is always injective, for it is immediate that its kernel is reduced to {0}.
2.1.4 Vector spaces
In the remainder of this part, K will denote a field.
Definition 2.37 A vector space V over K is an abelian group for a first operation denoted by +, together with a scalar multiplication from K × V into V, which sends (λ, x) to λx and such that for all x, y ∈ V, for all λ, µ ∈ K we have
• λ(x + y) = λx + λy
• (λ + µ)x = λx + µx
• (λµ)x = λ(µx)
• 1x = x.
An element x of V is a vector whereas an element λ of K is called a scalar.
Definition 2.38 A K-basis of a vector space V is a subset S ⊂ V which
• is linearly independent over K, i.e., for any finite subset {x₁, …, xₙ} ⊂ S and any λ₁, …, λₙ ∈ K, one has that
$$\sum_{i=1}^{n} \lambda_i x_i = 0 \quad \text{implies that} \quad \lambda_i = 0 \text{ for all } i$$
• generates V over K, i.e., for all x ∈ V there exist finitely many vectors x₁, …, xₙ and scalars λ₁, …, λₙ such that
$$x = \sum_{i=1}^{n} \lambda_i x_i.$$
Theorem 2.39 Let V be a vector space over K. If V is different from {0} then V has a K-basis.
Definition 2.40 Two bases of a vector space V over K have the same cardinality. This invariant is called the K-dimension of V or simply the dimension of V. Note that the dimension is allowed to be infinite.
Example 2.41 The set of complex numbers C together with the usual addition and coefficient-wise multiplication with elements of R is a vector space over R of dimension 2. A real basis is for instance {1, i}.
Example 2.42 The set K[X] of polynomials in one variable over a field K is an infinite dimensional vector space with the usual addition of polynomials and multiplication with elements from K. A basis is given by {1, X, X², …, Xⁿ, …}.
Remark 2.43 When the field K is replaced by a ring R, the axioms of Definition 2.37 give rise to a module over the ring R.