On the Number of Trace-One Elements in Polynomial Bases for F 2

Size: px

Start display at page:

Download "On the Number of Trace-One Elements in Polynomial Bases for F 2"

Frederick Waters
5 years ago
Views:

1 On the Number of Trace-One Elements in Polynomial Bases for F 2 n Omran Ahmadi and Alfred Menezes Department of Combinatorics & Optimization University of Waterloo, Canada {oahmadid,ajmeneze}@uwaterloo.ca Abstract. This paper investigates the number of trace-one elements in a polynomial basis for F 2 n. A polynomial basis with a small number of trace-one elements is desirable because it results in an efficient and lowcost implementation of the trace function. We focus on the case where the reduction polynomial is a trinomial or a pentanomial, in which case field multiplication can also be efficiently implemented. 1 Introduction Let f(x) be an irreducible polynomial of degree n over F 2. Then F 2 [x]/(f) is a finite field of order 2 n, denoted F 2 n, and f(x) is called the reduction polynomial for this representation of F 2 n. The element α = x is a root of f in F 2 n, and {1, α, α 2,..., α } is a basis for F 2 n over F 2, called a polynomial basis. Multiplication of field elements represented with respect to a polynomial basis is faster if the reduction polynomial has a small number of non-zero coefficients (e.g., see Section of [8]). If f(x) has only three non-zero coefficients then f(x) is called a trinomial and the corresponding polynomial basis is called a trinomial basis. Similarly, if f(x) has only five non-zero coefficients then f(x) is called a pentanomial and the corresponding polynomial basis is called a pentanomial basis. Public-key cryptographic protocols using elliptic curves over finite fields F 2 n have been widely standardized, for example in ANSI X9.62 [1], ANSI X9.63 [2] and FIPS [4]. ANSI X9.62 and ANSI X9.63 allow for either a polynomial or a normal basis representation for the elements of F 2 n. If a polynomial basis is desired, then the reduction polynomial must be an irreducible trinomial, if one exists, and an irreducible pentanomial otherwise. Suppose now that a F 2 n has polynomial basis representation a = j=0 a jα j, where each a j F 2. The trace of a is Tr(a) = a 2i = a j α j i=0 = j=0 a j i=0 j=0 a j (α j ) 2i 2i = (α j ) 2i = a j Tr(α j ). i=0 j=0 i=0 j=0

2 Thus, Tr(a) can be computed by adding modulo 2 those coefficients a j for which Tr(α j ) = 1. This operation is faster in software if the number of basis elements α j for which Tr(α j ) = 1 is small. Also, the circuit to implement this operation in hardware is simpler if the number of trace-one basis elements is small. For example, if Tr(α j ) = 0 for 1 j n 1 and Tr(α 0 ) = 1, then Tr(a) = a 0 ; in this case, the trace function is especially easy to evaluate. A fast and low-cost implementation of the trace operation is beneficial, for example, when halving a point on an elliptic curve over F 2 n (see [9, 12, 5]), or when generating pseudorandom sequences using elliptic curves [6] or the Welch-Gong transformation sequence generator [7]. Thus it is of interest to find irreducible trinomials and pentanomials whose corresponding bases have the smallest possible number of trace-one elements. It is well known that every finite field F 2 n has a normal basis N = {α, α 2, α 22,..., α 2 }. The element α of such a basis must satisfy Tr(α) = 1 (since otherwise the elements of N are linearly dependent over F 2 ), and hence all basis elements have trace one. Adding α to n k other basis elements yields a new basis for F 2 n in which exactly k elements have trace one. Hence, for each k [1, n], there exists a basis for F 2 n in which exactly k elements have trace one. A natural question, which we will also pursue in this paper, is whether there exists a polynomial basis with this property. The remainder of this paper is organized as follows. Some standard results are collected in 2. The traces of elements of trinomial and pentanomial bases are determined in 3. Some observations about the traces of elements of general polynomial bases are presented in 4. In 5, we generalize some of our results to finite fields of any characteristic. We draw our conclusions in 6. 2 Preliminary Results There are well-known formulas and estimates for the number of monic irreducible polynomials over a finite field. Theorem 1 Let q be a prime power and let n be a positive integer. (i) [10, Theorem 3.25] The number N q (n) of monic irreducible polynomials of degree n over F q is N q (n) = 1 µ(d)q n/d, n where µ( ) is the Möbius function. (ii) [11, Lemma 2] The probability that a random monic polynomial of degree n over F q is irreducible over F q is roughly 1 n. More specifically, d n 1 2n N q(n) q n 1 n.

3 Let f(x) be an irreducible polynomial of degree n over F 2, and let α be a root of f(x) in F 2 n = F 2 [x]/(f). Then it is well known that the roots of f(x) in F 2 n are precisely α, α 2, α 22,..., α 2. Now, define s k = Tr(α k ) for 0 k n 1. Then we have s k = (α k ) 2i = (α 2i ) k. i=0 This relates the traces of elements of the polynomial basis {1, α, α 2,..., α } to the sum of the kth powers of the roots of f(x). The following two results yield a procedure for deriving expressions for s k in terms of the coefficients of f(x). Theorem 2 [10, Theorem 1.75] Let x 0, x 1,..., x F q, where F q denotes the finite field of order q. Let σ k = σ k (x 0, x 1,..., x ) = s 0 = n, and s k = i=0 xk i i=0 x i1 x i2 x ik, for 1 k n, 0 i 1<i 2< <i k <n for 1 k n. Then s k s k 1 σ 1 + s k 2 σ ( 1) m 1 s k m+1 σ m 1 + ( 1) m m n s k mσ m = 0 (1) where k 1 and m = min(k, n). Lemma 3 Let f(x) = x n +a x + +a 1 x+a 0 be an irreducible polynomial over F q, and let x 0, x 1,..., x be its roots in F q n. Let σ k be as defined in Theorem 2. Then a n k = ( 1) k σ k for 1 k n. Proof. The result follows from the expression x n + a x + + a 1 x + a 0 = (x x 0 )(x x 1 ) (x x ) by equating coefficients of x n k. 3 Irreducible Trinomials and Pentanomials We first determine the traces of the elements of a trinomial basis. Theorem 4 Let f(x) = x n + x n m + 1 be an irreducible polynomial over F 2, and let α be a root of f(x) in F 2 n = F 2 [x]/(f). Then for 0 k n 1 we have n mod 2, if k = 0, Tr(α k ) = 0, if m k, m mod 2, otherwise.

4 Proof. Let x k = α 2k for 0 k n 1, and let s k and σ k be as defined in Theorem 2. Since char(f 2 n) = 2 and we are interested in s k for 1 k n 1, equation (1) can be rewritten as s k + s k 1 σ 1 + s k 2 σ s 1 σ k 1 + kσ k = 0, for 1 k n 1. (2) Now by Lemma 3 we have σ m = 1, and σ i = 0 for 1 i and i m. Thus from (2) we deduce that s k = 0 for 1 k m 1 and hence Tr(α k ) = 0 for 1 k m 1. Now, equation (2) for k = m is s m + mσ m = 0, and so s m = 1 if m is odd and s m = 0 if m is even. Finally, for m + 1 k n 1, equation (2) is s k +s k m σ m = 0, and so s k = s k m. Using this relation we obtain s k = s k mod m if m k and s k = s m otherwise, which in turn means that s k = 0 if m k and s k = (m mod 2) if m k. The following result is an immediate consequence of Theorem 4. Corollary 5 Let f(x) = x n + x n m + 1 be an irreducible polynomial over F 2, and let α be a root of f(x) in F 2 n = F 2 [x]/(f). (i) If m is even (and hence n is odd), then all elements of the basis {1, α,..., α } except for 1 have trace zero. (ii) If m is odd, then exactly (n 1)/m of the basis elements {α,..., α } have trace one. (iii) If m = 1 and n is odd, then all elements of the basis {1, α,..., α } have trace one. Notice that if x n + x n m + 1 is irreducible over F 2 then so is its reciprocal x n + x m + 1. If n is even then both m and n m must be odd. If we let k = max(m, n m), then k n 2 and we can conclude from Theorem 4 that exactly one element of the polynomial basis corresponding to x n + x n k + 1 has trace one. If n is odd then one of m and n m must be odd; let k be this number. Then by Corollary 5(i), exactly one element of the polynomial basis corresponding to x n + x k + 1 has trace one. This proves the following result. Theorem 6 Suppose that there exists an irreducible trinomial of degree n over F 2. Then there exists a trinomial basis for F 2 n exactly one of whose elements has trace one. For each n [2, 1000] for which an irreducible trinomial of degree n exists, Table 1 lists one such polynomial whose corresponding basis has exactly one trace-one element. Next, we determine the traces of elements of some pentanomial bases. Theorem 7 Let f(x) = x n + x n m1 + x n m2 + x n m3 + 1 be an irreducible polynomial over F 2 with m 3 > m 2 > m 1 > n 2, and let α be a root of f(x) in F 2 n = F 2 [x]/(f). Then for 0 k n 1 we have n mod 2, if k = 0, Tr(α k ) = k mod 2, if k {m 1, m 2, m 3 }, 0, otherwise.

5 n m n m n m n m n m n m n m n m n m n m Table 1. For each n [2, 1000] for which an irreducible trinomial exists, one such polynomial x n + x m + 1 is listed whose corresponding basis has exactly one trace-one element.

6 Proof. Let x k = α 2k for 0 k n 1, and let s k and σ k be as defined in Theorem 2. By Lemma 3 we have σ m1 = σ m2 = σ m3 = 1, and σ i = 0 for other i [1, ]. From equation (2) we deduce that s k = 0 for 1 k < m 1 and hence Tr(α k ) = 0 for 1 k < m 1. Now, equation (2) for k = m 1 is s m1 + m 1 σ m1 = 0, whence s m1 = 1 if m 1 is odd and s m1 = 0 if m is even. For m 1 < k < m 2, equation (2) is s k + s k m1 σ m1 = 0. But since n > k > m 1 > n/2, we have k m 1 < m 1. Hence s k m1 = 0 which yields s k = 0. Similar arguments show that s m2 = (m 2 mod 2), s m3 = (m 3 mod 2), and s k = 0 for m 2 < k < m 3 and m 2 < k < n. The FIPS standard [4] for the Elliptic Curve Digital Signature Algorithm (ECDSA) recommends elliptic curves over the characteristic two finite fields F 2 163, F 2 233, F 2 283, F and F The recommended reduction polynomials for these fields are f 1 (x) = x 163 +x 7 +x 6 +x 3 +1, f 2 (x) = x 233 +x 74 +1, f 3 (x) = x 283 +x 12 +x 7 +x 5 +1, f 4 (x) = x 409 +x 87 +1, and f 5 (x) = x 571 +x 10 +x 5 +x 2 +1, respectively. From Theorems 4 and 7, we see that the elements of the corresponding polynomial bases for these fields that have trace one are {1, α 157 }, {1, α 159 }, {1, α 271 }, {1}, and {1, α 561, α 569 }, respectively. Theorems 4 and 7 can be used to prove the existence for all finite fields F 2 n, n [2, 10000], of polynomial bases with a small number of trace-one elements. Lemma 8 For each n [2, 10000] there exists a trinomial or pentanomial basis for F 2 n having at most four elements of trace one. Proof. If for some n there exists an irreducible trinomial of degree n, then by Theorem 6 there exists a trinomial basis for F 2 n exactly one of whose elements has trace one. Seroussi [13] (see also [3]) lists for each n [2, 10000] an irreducible trinomial of degree n (if one exists) or an irreducible pentanomial x n + x m1 + x m2 + x m3 + 1 where m 1 > m 2 > m 3. All the pentanomials satisfy the condition m 1 < n 2 except for x8 +x 4 +x 3 +x+1 whose polynomial basis has two trace-one elements. The result now follows from Theorem 7. We verified by computer search that for each n [6, 3000] there exists an irreducible pentanomial of degree n over F 2 whose corresponding pentanomial basis has exactly one element of trace one. (There is no irreducible pentanomial of degree 4 or 5 with this property.) The tables in the Appendix list one such irreducible pentanomial for each n [6, 809]. Proving that such pentanomials exist for all n 6 is certainly difficult since it remains open to prove the existence of an irreducible pentanomial of degree n over F 2 for all n 4. Nevertheless, the results of our search motivate the following conjecture. Conjecture 9 Let n 6, and suppose that there exists an irreducible pentanomial of degree n over F 2. Then there exists a pentanomial basis for F 2 n exactly one of whose elements has trace one. A classification of the number of trace-one elements in general pentanomial bases seems harder. Let x n + x n m1 + x n m2 + x n m3 + 1 be irreducible over

7 F 2 with m 3 > m 2 > m 1 (and without the restriction m 1 > n 2 ). A proof similar to that of Theorem 7 shows that if m 1, m 2, m 3 are even then all elements of the corresponding pentanomial basis except 1 have trace zero (cf. Theorem 11). Suppose now that m 1, m 2 are even and m 3 is odd. (Similar statements can be made for the other cases where at least one of {m 1, m 2, m 3 } is odd.) Similar to the proof of Theorem 7 we have Tr(α k ) = 0 for 1 k < m 3 and Tr(α m3 ) = 1. Also, equation (2) can be written as s k = s k m1 + s k m2 + s k m3 for k > m 3. This equation gives a fast method for computing the traces of basis elements. Let S n be the set of integers t [1, n] for which F 2 n has a pentanomial basis exactly t of whose elements have trace one. Since Tr(1) = (n mod 2), we have n S n if n is even. An interesting problem is to determine the odd integers n for which S n = [1, n], and the even integers n for which S n = [1, ]. By Theorem 1 there are approximately 2n n irreducible polynomials of degree n over F 2. There are exactly 3 2 n 2 binary polynomials of degree n that have a zero constant term or have an even number of non-zero terms (and so are reducible). Thus, the probability that a random degree-n binary polynomial having an odd number of non-zero terms and non-zero constant term is irreducible is approximately 4 n. If the proportion of irreducibles among pentanomials is also 4 n, then the ( expected number of irreducible binary pentanomials is approximately 4 ) n 3 2n 2 3. Consequently, for large n we expect that there are many irreducible binary pentanomials and so it would be reasonable to conjecture that S n = [1, n] (or S n = [1, n 1]). Table 2 provides some evidence that this conjecture is likely to be false. For example, there are exactly 2734 irreducible binary pentanomials of degree 77. However, none of the corresponding polynomial bases have exactly 48, 54, 55, 57, 59, 60, 61, 62, 65 or 73 elements of trace one. 4 Irreducible Polynomials of Arbitrary Weight Theorem 7 can be generalized to polynomials of arbitrary weight. Theorem 10 Let f(x) = x n +x n m1 +x n m2 + +x n m l +1 be an irreducible polynomial over F 2 with m l > > m 2 > m 1 > n 2, and let α be a root of f(x) in F 2 n = F 2 [x]/(f). Then for 0 k n 1 we have n mod 2, if k = 0, Tr(α k ) = k mod 2, if k {m 1, m 2,..., m l }, 0, otherwise. Theorem 7 implies that if m 1, m 2, m 3 are even (and hence n is odd), then all elements of the polynomial basis corresponding to the irreducible polynomial x n + x n m1 + x n m2 + x n m3 + 1 have trace zero except for the element 1. The following results characterize, for the cases of odd and even n, the polynomial bases of F 2 n that have the minimum possible number of trace-one elements. Theorem 11 Let n be odd and let f(x) = x n +x n m1 +x n m2 + +x n m l +1 be an irreducible polynomial over F 2. Let α be a root of f(x) in F 2 n = F 2 [x]/(f),

8 n T n n T n n T n 4 {1,2} {49,53,55} 5 {1,3} 37 {37} 69 {51,53,57,58,62,63,69} 6 {2} 38 {28} 70 7 {3} 39 {30} 71 {51} 8 40 {28,30} 72 {55,56,57,63,71} {56,59,60,73} {32,33} 74 {53,56,72,73} {37} 75 {56,58,59,62,64} 12 {5} {33,34,35} 77 {48,54,55,57,59,60,61,62,65,73} {39} 78 {56,57,70} {40} 79 {59} 16 {13,15} 48 {33,34,38,41,47} 80 {53,58,63,71,79} {68} 18 {14} 50 {38} 82 {61,62,64,66,80,81} 19 {15, 19} 51 {43,51} 83 {63,68,83} {38} {17,19,21} 53 {51,53} 85 {63,65,73,85} {46} 86 {67,70} {42} {23} 56 {47,49,55} 88 {69,87} 25 {20} 57 {42,46} {21} 58 {44,53} 90 {63,67,68} 27 {21} 59 {48,52} 91 {74,78,91} {54} 92 {68} 29 {27} 61 {58,61} 93 {67,68,73,93} {49,52,55} 94 {71,79} {75,82} {51,55,59,63} 96 {65,71,72,73,85,95} {24} 66 {59} 98 {57,67,76,77,85,92} {67} 99 {77,84,99} Table 2. Listing of T n for each 4 n 99. Here, T n is the set of integers t [1, n 1] (t [1, n] if n is odd) for which F 2 n does not have a pentanomial basis exactly t of whose elements have trace one.

9 and let B = {1, α, α 2,..., α }. Then B has only one trace-one element if and only if m i is even for all 1 i l. Proof. Suppose that B has only one trace-one element; this element must be 1 since n is odd. Assume that at least one of the m i s is odd, and let m j be the smallest such number. From equation (2) we see that Tr(α k ) = 0 for all k < m j. Now for k = m j equation (2) becomes s mj +m j σ mj = 0, or equivalently s mj + m j = 0. But since m j is odd this means that s mj = 1 so Tr(α mj ) = 1, which is a contradiction. Conversely, suppose that each m i is even. Then for k < m 1, equation (2) is s k = 0 so Tr(α k ) = 0. For k = m 1, equation (2) is s m1 + m 1 σ m1 = 0 which yields s m1 = 0 since m 1 is even. Similar arguments show that Tr(α k ) = 0 for all k > m 1. Theorem 12 Let n be even and let f(x) = x n +x n m1 +x n m2 + +x n m l +1 be an irreducible polynomial over F 2. Let M = {m 1, m 2,..., m l } and let p be the smallest odd number in M. Define M + p = {m 1 + p,..., m l + p} and N(M + p) = {x M + p x < n}. Then the polynomial basis corresponding to f(x) has exactly one trace-one element if and only if p > 1 and N(M + p) = {x M x > p and x is odd}. (3) Proof. First we prove the sufficiency part. Using equation (2), we see that Tr(α k ) = 0 if k < p and Tr(α p ) = 1. We show by induction that Tr(α k ) = 0 for k > p. Equation (2) for k = p + 1 is s p+1 + s p σ 1 + (p + 1)σ p+1 = 0. Since p is odd and p > 1, we have σ 1 = 0 and p (mod 2); hence s p+1 = 0. Suppose that for k > p we have Tr(α i ) = 0 for all i < k with i p. Then we have s k + s p σ k p + kσ k = 0 or s k + σ k p + kσ p = 0. If k is even then we have s k +σ k p = 0. But k p is odd and from (3) we have k p M. Hence σ k p = 0 yielding s k = 0. On the other hand if k is odd, then we have s k + σ k p + σ k = 0. Now if σ k = 1, then from (3) we have k p M and hence σ k p = 1. This yields s k = 0. If σ k = 0, then from (3) we have k p M and hence σ k p = 0, which in turn implies that s k = 0. It remains to prove necessity. If p = 1 then from (2) we have s 1 = 1 and s 2 = 1; hence we must have p > 1. Again we have s k = 0 for k < p, and s p = 1 and s p+1 = 0. Now let x > p. Then s x = 0 and from (2) we must have σ x p +xσ x = 0. If x is odd then we have σ x p + σ x = 0. This means that x M iff x p M, which in turn means that x M iff x M + p. Now if x is even then we have σ x p = 0. This means that the odd number x p is not in M, or equivalently that x M + p. This completes the proof. The next result, whose proof we omit, characterizes the irreducible polynomials for which all elements (except possibly 1) of the corresponding polynomial basis have trace one. One example of such a polynomial is x x x 39 + x 38 + x 23 + x

10 Theorem 13 Let f(x) = x n + x m1 + x m2 + + x m l + 1 be an irreducible polynomial over F 2, and let α be a root of f(x) in F 2 n = F 2 [x]/(f). Then Tr(α k ) = 1 for all 1 k n 1 if and only if the following conditions are satisfied: (i) m 1 = n 1, (ii) m j+1 = m j 1 for j = 2, 4, 6,..., l 1, and (iii) n m 2 m 4 m 6 m l 1 (mod 2). Let n [2, 6], and let t [1, n] if n is odd and t [1, n 1] if n is even. It can easily be verified that F 2 n has a polynomial basis exactly t of whose elements have trace one, except for the following values of (n, t): (3, 2), (4, 2), (5, 3), (6, 2). We verified by computer search that for each n [7, 100] and each t [1, n 1] (t [1, n] if n is odd), F 2 n has a heptanomial basis exactly t of whose elements have trace one. This motivates the following conjecture. Conjecture 14 Let n 7, and let t [1, n] if n is odd and t [1, n 1] if n is even. Then F 2 n has a polynomial basis exactly t of whose elements have trace one. 5 Generalizations to arbitrary finite fields If a F q n, then the trace of a relative to F q is Tr(a) = i=0 aqi. Theorems 4, 10 and 11 can be readily generalized to finite fields of any characteristic p. We state these results here and omit their proofs. We do not know of any (natural) generalizations of Theorems 12 and 13. Theorem 15 Let f(x) = x n + ax n m + b be an irreducible polynomial over F q = F p r, and let α be a root of f(x) in F q n = F q [x]/(f). Then for 0 k n 1 we have n mod p, if k = 0, Tr(α k ) = 0, if m k, ( a) k/m m, otherwise. Theorem 16 Let f(x) = x n + a m1 x n m1 + a m2 x n m2 + + a ml x n m l + a n be an irreducible polynomial over F q = F p r with m l > > m 2 > m 1 > n 2, and let α be a root of f(x) in F q n = F q [x]/(f). Then for 0 k n 1 we have n mod p, if k = 0, Tr(α k ) = ka k, if k {m 1, m 2,..., m l }, 0, otherwise. Theorem 17 Suppose that n 0 (mod p), and let f(x) = x n + a m1 x n m1 + a m2 x n m2 + + a ml x n m l + a n be an irreducible polynomial over F q = F p r. Let α be a root of f(x) in F q n = F q [x]/(f), and let B = {1, α, α 2,..., α }. Then B has only one element of nonzero trace if and only if m i 0 (mod p) for all 1 i l.

11 6 Conclusions We derived simple expressions for the number of trace-one elements in trinomial and pentanomial bases. These expressions allowed us to conclude that for each n [2, 10000] there exists a trinomial or polynomial basis for F 2 n having at most four trace-one elements. We also characterized the irreducible polynomials having the minimum and maximum possible number of trace-one elements. An outstanding open problem is to determine whether for any n 7 and t [1, ] (t [1, n] if n is odd) there exists a polynomial basis for F 2 n having exactly t trace-one elements. 7 Acknowledgements We thank Ian Blake and Guang Gong for their very helpful comments on an earlier draft of this paper. References 1. ANSI X9.62, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), American National Standards Institute, ANSI X9.63, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, American National Standards Institute, I. Blake, S. Gao and R. Lambert, Constructive problems for irreducible polynomials over finite fields, Information Theory and Applications, Lecture Notes in Computer Science 793 (1994), FIPS 186-2, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, National Institute of Standards and Technology, K. Fong, D. Hankerson, J. López and A. Menezes, Field inversion and point halving revisited, IEEE Transactions on Computers, to appear. 6. G. Gong, T. Berson and D. Stinson, Elliptic curve pseudorandom sequence generators, Selected Areas in Cryptography SAC 99, Lecture Notes in Computer Science 1758 (2000), G. Gong and A. Youssef, Cryptographic properties of the Welch-Gong transformation sequence generators, IEEE Transactions on Information Theory, 48 (2002), D. Hankerson, A. Menezes and S. Vanstone, Guide to Elliptic Curve Cryptography, Springer, E. Knudsen, Elliptic scalar multiplication using point halving, Advances in Cryptology ASIACRYPT 99, Lecture Notes in Computer Science 1716 (1999), R. Lidl and H. Niederreiter, Finite Fields, Cambridge University Press, M. Rabin, Probabilistic algorithms in finite fields, SIAM Journal on Computing, 9 (1980),

12 12. R. Schroeppel, Elliptic curve point halving wins big, 2nd Midwest Arithmetical Geometry in Cryptography Workshop, Urbana, Illinois, November G. Seroussi, Table of low-weight binary irreducible polynomials, Hewlett- Packard Technical Report HPL , A Table of irreducible pentanomials The following tables list for each n [6, 809] an irreducible pentanomial f(x) = x n + x m1 + x m2 + x m3 + 1 over F 2 whose corresponding polynomial basis has exactly one element of trace one. Among all such polynomials, the one listed is that for which (a) m 1 is the smallest possible; (b) for this particular value of m 1, m 2 is the largest possible and < m 1 ; and (c) for these particular values of m 1 and m 2, m 3 is the largest possible and < m 2. This selection criteria (hopefully) ensures that the middle order terms x m1, x m2, x m3 are all of relatively low degree and are close to each other, which in turns facilitates efficient multiplication of polynomials modulo f(x) (e.g., see Section of [8]). Observe that m 1 n 3 if n 3, 5 (mod 8), and m 1 n 3 otherwise. We are unable to explain this phenomenon, and do not know if it has any significance to the existence or distribution of irreducible pentanomials over F 2.

13 n m 1 m 2 m 3 n m 1 m 2 m 3 n m 1 m 2 m 3 n m 1 m 2 m 3 n m 1 m 2 m 3 n m 1 m 2 m

14 n m 1 m 2 m 3 n m 1 m 2 m 3 n m 1 m 2 m 3 n m 1 m 2 m 3 n m 1 m 2 m 3 n m 1 m 2 m

Formulas for cube roots in F 3 m

Discrete Applied Mathematics 155 (2007) 260 270 www.elsevier.com/locate/dam Formulas for cube roots in F 3 m Omran Ahmadi a, Darrel Hankerson b, Alfred Menezes a a Department of Combinatorics and Optimization,