Normal and Self-dual Normal Bases from Factorization of cx q+1 + dx q ax b

Transcription

1 Normal and Self-dual Normal Bases from Factorization of cx q+ + dx q ax b Ian F. Blake Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario, N2L 3G, Canada ifblake@claude2.uwaterloo.can Shuhong Gao, Ronald C. Mullin Department of Combinatorics and Optimization University of Waterloo Waterloo, Ontario, N2L 3G, Canada sgao@violet.uwaterloo.can, rcmullin@watmath.uwaterloo.can September 4, 992 Abstract. The present paper is interested in a family of normal bases, considered by V. M. Sidel nikov, with the property that all the elements in a basis can be obtained from one element by repeatedly applying to it a linear fractional function of the form ϕ(x) =(ax + b)/(cx + d), a, b, c, d F q. Sidel nikov proved that the cross products for such a basis {α i } are of the form α i α j = e i j α i + e j i α j + γ, i j, where e k,γ F q. We will show that every such basis can be formed by the roots of an irreducible factor of F (x) =cx q+ + dx q ax b. We will construct: (a) a normal basis of F q n over F q with complexity at most 3n 2 for each divisor n of q and for n = p where p is the characteristic of F q ; (b) a self-dual normal basis of F q n over F q for n = p and for each odd divisor n of q orq+. When n = p, the self-dual normal basis constructed of F q p over F q also has complexity at most 3p 2. In all cases, we will give the irreducible polynomials and the multiplication tables explicitly. Abbreviated title: Normal Bases. 99 Mathematics subject classification: T30, T06. Key words: finite field, irreducible polynomial, normal basis.

2 Introduction Let N = {α 0,α,,α n } be a normal basis of F q n over F q with α i = α qi, 0 i n, where q is a prime power p m with p a prime and m. The multiplication of elements in F q n is uniquely determined by the n cross products α 0 α i = n j=0 t ijα j,t ij F q. The n n matrix T =(t ij ) is called the multiplication table of N. As in [6], the number of nonzero elements in T is called the complexity of the normal basis N, denoted by C N. In hardware and software implementations of finite field arithmetic, normal bases of low complexity offer considerable advantages. In [6] it is proved that C N 2n. When the lower bound is reached N is called an optimal normal basis of F q n over F q. Two families of optimal normal bases are constructed in [6], and in [3] it is proved that these two families are essentially all the optimal normal bases in finite fields. Some normal bases of low complexity are constructed in []. A normal basis with the smallest complexity, if no optimal normal bases exist, is called a minimal normal basis. The present paper is interested in a family of normal bases, considered by Sidel nikov [8], with the property that all the elements in a basis can be obtained from one element by repeatedly applying to it a linear fractional function of the form ϕ(x) =(ax + b)/(cx + d), a, b, c, d F q. Sidel nikov proved that the cross products for such a basis {α i } are of the form α i α j = e i j α i + e j i α j + γ, i j, where e k,γ F q. We will show that every such basis can be formed by the roots of an irreducible factor of F (x) =cx q+ + dx q ax b. We will construct a normal basis of F q n over F q with complexity at most 3n 2 for each divisor n of q and for n = p where p is the characteristic of F q, and a self-dual normal basis of F q n over F q for n = p and for each odd divisor n of q orq+. When n = p, the self-dual normal basis constructed of F q p over F q also has complexity at most 3p 2. In all cases, we will give the irreducible polynomials and the multiplication tables explicitly. For this purpose, some properties of linear fractional functions and the complete factorization of F (x) are discussed in sections 2 and 3, respectively. 2 On Linear Fractional Functions In this section, we discuss some properties of the linear fractional function ϕ(x) =(ax + b)/(cx + d) with a, b, c, d F q and ad bc 0. It is easy to see that ϕ(x) defines a 2

3 permutation on F q { }, where a + b c + d := a, if c 0, c a +b c +d :=, if ad 0,c=0, a :=, if a 0. 0 Actually, ϕ(x) induces a permutation on F q n { }, for any n. The inverse of ϕ(x) is ϕ (x)=( dx + b)/(cx a). For any two linear fractional functions ϕ and ψ, the composition ϕψ, defined as ϕψ(x) = ϕ(ψ(x)), is still a linear fractional function. It is well known that all the linear fractional functions over F q form a group under composition and is isomorphic to the projective general linear group PGL(2,q). The order of ϕ is the smallest positive integer t such that ϕ t (x) =x, i.e., ϕ t is the identity map. For our purpose, we will deal with a linear fractional function ϕ(x) =(ax + b)/(cx + d) with c 0. The fixed points of ϕ(x) satisfy The following two lemmas are easily checked. cx 2 (a d)x b =0. (2.) Lemma 2. Let ϕ(x) =ax + b with a 0,, be a linear mapping. Then where ψ(x) =ax and h(x) =x+b/(a ). ϕ = h ψh, Lemma 2.2 Let ϕ(x) =(ax+b)/(cx+d) with c 0and ad bc 0.Let =(a d) 2 +4bc. Then ϕ = h ψh, where h(x) and ψ(x) are defined as follows: (a) When =0, let x 0 be the only solution of (2.) in F q, that is, x 0 satisfies cx 2 0 = b and 2cx 0 = a d. Then h(x) =(a/c x 0 )/(x x 0 ) and ψ(x) =x+. 3

4 (b) When 0, let x 0,x be the two solutions of (2.) in F q 2 and let ξ =(a cx 0 )/(a cx ). Then h(x) = x x 0, ψ(x)=xξ. x x The order of ϕ is now easy to determine. The order of ϕ is equal to the order of ψ. If ψ is of the form x + then the order of ψ is equal to the additive order p of in F q, where p is the characteristic of F q. If ψ is of the form ξx, then the order of ψ is equal to the multiplicative order of ξ. In case (b) of Lemma 2.2, if is a quadratic residue in F q, then x 0,x F q, and ξ F q. Hence ξ q = and the order of ξ is a divisor of q. If is a quadratic nonresidue in F q, then x 0,x F q 2 \F q and x q 0 = x,x q = x 0. Thus ξ q =((a cx 0 )/(a cx )) q =(a cx q 0 )/(a cxq )=(a cx )/(a cx 0 )=/ξ. Soξ q+ = and the order of ξ divides q +. Therefore the order of ϕ is always a divisor of p, q or q+. Lemma 2.3 Let a, b, c, d F q with c 0and ad bc 0. Let ϕ(x)=(ax + b)/(cx + d) with order t. Then, for i t, ϕ i (x) = e ix+b/c, e i +e t i = a d (2.2) x e t i c where e = a/c and e i+ = ϕ(e i ) for i =,...,t 2. Proof: It is routine to prove by induction on i that there exist e i,f i F q with e = a/c, f = d/c such that ϕ i (x) = e ix+b/c, x + f i and e i f i = a d, e i = ϕ(e i ) c for i =,...,t, where e 0 =. Note that e t i x + b/c = ϕ t i (x) =ϕ i (x)=(ϕ i ) (x)= f ix+b/c. x + f t i x e i We see that f i = e t i. This completes the proof. 2 Lemma 2.4 With the same notation as in Lemma 2.3, we have (t )(a d)/(2c), if p 2, t a/c = d/c, if p =2and t =2, e j = (a d)/c, if p =2and t 3mod4, j= 0, if p =2and t mod4, (2.3) 4

5 where p is the characteristic of F q. Proof: We consider two cases according to the type of ϕ(x). Case I =(a d) 2 +4bc = 0. Then t = p and, by Lemma 2.2, ϕ(x) =h ψh(x) where ψ(x) =x+, h(x)= a/c x 0, h (x)=x 0 + a/c x 0, x x 0 x with x 0 satisfying 2cx 0 = a d and cx 2 0 = b. Note that ψi (x) =x+i. We have ϕ i (x) = h ψ i h(x) ( a/c = h x0 x x 0 ) + i = (a/c x 0 ix 0 )x ix 2 0 ix +(a/c x 0 ix 0 ). So Therefore p e i = a/c x 0 i + x 0, for i t. p e i = (p )x 0 +(a/c x 0 ) = (p )x 0 +(a/c x 0 ) = i p { (p )x0 =(t )(a d)/(2c), if p 2, a/c = d/c, if p =2. i Case II =(a d) 2 +4bc 0. In this case, the order t of ϕ(x) is a factor of q or q+. Sot Fq. By Lemma 2.2, ϕ(x) =h ψh(x) where h(x) = x x 0 x x, ψ(x)=ξx, ξ = a/c x 0 a/c x, with x 0 + x =(a d)/c and x 0 x = b/c. Note that h (x) =(x x x 0 )/(x ) and ψ i (x) =ξ i x,wehave ϕ i (x) = h ψ i h(x) ( = h ξ ix x ) 0 x x = (x ξ i x 0 )x x 0 x (ξ i ) (ξ i )x + x x 0 ξ i. 5

6 So and e i = x ξ i x 0 ξ i t = x + x x 0 ξ i, for i t, t e i =(t )x +(x 0 x ) As ξ is a t-th primitive root of unity, we have t ξ i. (x ξ i )=(x t )/(x ) = x t + x t 2 + +x+. (2.4) Letting x = in equation (2.4), we get t ( ξ i )=t. (2.5) Taking derivatives with respect to x on both sides of (2.4), we have t t (x ξ i )( Letting x = in (2.6), we see that t x ξ i )=(t )xt 2 +(t 2)x t x+. (2.6) t ξ i =( i)/t = (t )/2, if p 2,, if p = 2 and t 3mod4, 0, if p = 2 and t mod4, (Note that t is odd when p = 2.) Therefore t ((t )/2)(x 0 + x )=(t )(a d)/(2c), if p 2, e i = x 0 x =(a d)/c, if p = 2 and t 3mod4, 0, if p = 2 and t mod4. This completes the proof. 2 The following theorem is proved by Sidel nikov [8, Theorem 2]: Theorem 2.5 Let a, b, c, d F q with c 0and ad bc 0. Let θ be a root of F (x) = cx q+ + dx q ax b in some extension field of F q, not fixed by ϕ(x) =(ax + b)/(cx + d) whose order is assumed to be t. Then θ, ϕ(θ),,ϕ t (θ) are linearly independent over F q,if t i=0 ϕi (θ) 0. This theorem indicates that if we can factor F (x) then we will obtain normal bases over F q. The factorization of F (x) is discussed in the next section. 6

7 3 Factorization of cx q+ + dx q ax b The complete factorization of F (x) =cx q+ + dx q ax b, a, b, c, d F q, into irreducible factors was established by Ore [7, pp ] by using his theory of linearized polynomials. In this section, we briefly discuss how this can be done without resorting to linearized polynomials. For the detail, the reader is referred to [2]. To exclude the trivial cases, we assume that ad bc 0. Let ϕ(x) =(ax + b)/(cx + d) be the linear fractional function associated with F (x). As noted in section 2, ϕ(x) induces a permutation on F q n { }, for any n. We assume that the order of ϕ is t in this section. Let θ be a root of F(x) =(cx + d)x q (ax + b). Then θ q = aθ + b cθ + d = ϕ(θ). Note that θ q2 =(ϕ(θ)) q = ϕ(θ q )=ϕ(ϕ(θ)) = ϕ 2 (θ). By induction we see that θ qi = ϕ i (θ), i 0. So θ, ϕ(θ),,ϕ t (θ) (3.) are all the conjugates of θ over F q. If θ is a fixed point of ϕ(x) then θ F q, and x θ is a factor of F (x). If θ is not a fixed point of ϕ(x), then, by Theorem 2.5, the elements of (3.) are distinct and θ is of degree t over F q. In the latter case, the minimal polynomial of θ over F q is an irreducible factor of F (x) of degree t. So an irreducible factor of F (x) is either linear or of degree t. We first deal with two special cases. Theorem 3. Let ξ F q \{0} with multiplicative order t. Then the following factorization over F q is complete: x q ξ = (q )/t j= (x t β j ), where β j are all the (q )/t distinct roots of x (q )/t ξ in F q. Proof: Let θ bearootofx q ξin some extension field of F q. Then θ qi = θξ i,i. All the distinct conjugates of θ over F q are θ,θξ,...,θξ t. The minimal polynomial of θ over 7

8 F q is t i=0 (x θξ i )=x t θ t, which divides x q ξ. This means that any irreducible factor of x q ξ is of the form x t β where β F q. One can prove that x t β divides x q ξ if and only if β isaroot of x (q )/t ξ. This completes the proof. 2 Theorem 3.2 For x q (x + b) with b F q, the following factorization over F q is complete: q/p x q (x + b) = (x p b p x b p β j ) (3.2) j= where β j are the distinct elements of F q with Tr q/p (β j )=and p is the characteristic of F q. Proof: Let θ bearootoff(x)=x q (x+b). Then θ qi = θ + ib, i. So the conjugates of θ over F q are θ, θ + b,...,θ+(p )b. The minimal polynomial of θ over F q is p p [x (θ + ib)] = b p [ x θ i] b i=0 i=0 = b p [( x θ ) p x θ ] b b = x p b p x + θ(b p θ p ). Hence an irreducible factor of x q (x + b) is of the form x p b p x β, β F q. (3.3) Let γ be a root of (3.3) in some extension field of F q. Then we have where q = p m. Summing (3.4) yields ( γ b )pi ( γ b )pi =( β b p)pi, i m, (3.4) γ pm γ = btr q/p ( β b p ). Consequently (3.3) divides F (x) =x pm x bif and only if Tr q/p (β/b p ) =. Note that there are q/p = p m elements β in F q with trace, and the proof is completed. 2 8

9 In general we show that the factorization of F (x) can be reduced to factoring x q x, x q ξ or x q+ ξ. Let ϕ = h ψh as in Lemmas 2. and 2.2. For any root θ of F (x) that is not fixed by ϕ, we have h(θ q )=ψ(h(θ)). (3.5) If is a quadratic residue in F q, then h(θ q )=(h(θ)) q.thusη=h(θ)isarootofx q x or x q ξx = x(x q ξ) according as ψ(x) =x+ or ψ(x)=ξx,ξ F q. So by the factorization of x q x and x q ξ as in Theorems 3. and 3.2 we obtain the factorization of F (x) as follows. Theorem 3.3 For a, b F q with a 0,, the following factorization over F q is complete: x q (ax + b) =(x b (q )/t a ) ((x b a )t β j ), where t is the multiplicative order of a and β j are all the (q )/t distinct roots of x (q )/t a. j= Theorem 3.4 For a, b, c, d F q with c 0, ad bc 0and =(a d) 2 +4bc =0, the following factorization over F q is complete: (cx + d)x q (ax + b) q/p =(x x 0 ) [(x x 0 ) p + (a/c x 0 )(x x 0 ) p (a/c x 0 ) p ] β j β j j= where x 0 F q is the unique solution of (2.) and β j are all the q/p distinct elements of F q with Tr q/p (β j )=. Theorem 3.5 For a, b, c, d F q with c 0, ad bc 0and =(a d) 2 +4bc 0being a quadratic residue in F q, the following factorization over F q is complete: (cx + d)x q (ax + b) (q )/t =(x x 0 )(x x ) [(x x 0 ) t β j (x x ) t ] β j= j where x 0,x F q are the two distinct roots of (2.), t is the multiplicative order of ξ = (a cx 0 )/(a cx ) and β j are all the (q )/t distinct roots of x (q )/t ξ in F q. 9

10 If is not a quadratic residue in F q, the situation is a little more complicated, as in this case x 0,x,ξ F q. Noting that x q 0 = x and x q = x 0, we have h(θ q )=(/h(θ)) q. The equation (3.5) implies that η =/h(θ) is a root of x q+ ξ. So by factoring x q+ ξ over F q 2 we can obtain the factorization of F (x) over F q 2. Then by combining these factors we get the factorization of F (x) over F q as in Theorem 3.6. Theorem 3.6 For a, b, c, d F q with c 0, ad bc 0and =(a d) 2 +4bc 0being a quadratic nonresidue in F q, the following factorization over F q is complete: F (x) = (cx + d)x q (ax + b) = (q+)/t j= β j [(x x 0 ) t β j (x x ) t ] (3.6) where x 0,x F q 2 are the two distinct roots of (2.), t is the multiplicative order of ξ = (a cx )/(a cx 0 ) and β j are all the (q +)/t distinct roots of x (q+)/t ξ in F q 2. Let f(x) be any nonlinear irreducible factor of F (x) of degree t and let α be a root of f(x). From the discussion at the beginning of this section, we see that ϕ i (α),i =0,,...,t are all the roots of f(x) and, by Theorem 2.5, they are linearly independent over F q if Tr(α) 0. But Tr(α) is just the negative of the coefficient of x t in f(x). By examining the factors in the above explicit factorizations, we have Theorem 3.7 Let F (x) =(cx + d)x q (ax + b) with a, b, c, d F q, c 0and ad bc 0. Then a monic nonlinear irreducible factor f(x) of F (x) of degree t has linearly dependent roots over F q if and only if the coefficient of x t in f(x) is zero. The latter happens only if =(a d) 2 +4bc 0and f(x) is of the form where x 0 and x are solutions of (2.). x x 0 [x (x x 0 ) t x 0 (x x ) t ], This shows that every nonlinear irreducible factor of F (x), except for possibly one, has linearly independent roots. 0

11 4 Normal Bases As Theorem 3.7 shows, when c 0 the roots of an irreducible nonlinear factor of F (x) form a normal basis over F q (except possibly for one factor). This section is devoted to discussing the properties of these bases. We will show how to construct a normal basis of F q n over F q with complexity at most 3n 2 for n = p and for each divisor n of q. For this purpose we first compute the multiplication tables of the normal bases formed by the roots of an irreducible factor of F (x). Without loss of generality, we assume that F (x) =x q+ + dx q ax b with a, b, d F q and b ad. Assume that ϕ(x) =(ax + b)/(x + d) has order n and that, by Lemma 2.3, ϕ i (x) =(e i x+b)/(x e n i ) with e i = ϕ i (a), i n. Let f(x) be any irreducible nonlinear factor of F (x) and α arootoff(x). Then f(x) has degree n and its roots are α i = α qi = ϕ i (α), i =0,,,n, and they form a normal basis of F q n over F q if the coefficient of x n in f(x) is not zero (or Tr(α) 0), by Theorem 3.7. Theorem 4. Let F (x) =x q+ + dx q (ax + b) with a, b, d F q and b ad. Letf(x)be an irreducible factor of F (x) of degree n>and let α be a root of it. Then all the roots of f(x) are α i = α qi = ϕ i (α), i =0,,,n, (4.) where ϕ(x) =(ax + b)/(x + d). If τ = n i=0 α i, the negative of the coefficient of x n in f(x), is not zero, then (4.) form a normal basis of F q n over F q such that α 0 α α 2 α 0. α n τ e n e n 2... e e e n = e 2 e n e n e α 0 α α 2. α n + where e = a, e i+ = ϕ(e i )(i ), b = b(n ) and τ = τ ɛ with (n )(a d)/2, if p 2, n a=d, if p = n =2, ɛ = e i = a d, if p =2and n 3mod4, 0, if p =2and n mod4. b b ḅ. b (4.2)

12 Proof: We just need to prove (4.2). By Lemma 2.3, for i, So For i =0,wehave n α 0 α 0 =α 0 (τ j= α i = ϕ i (α) = e iα 0 +b α 0 e n i. α 0 α i = e i α 0 + e n i α i + b. n α j )=(τ j= n e j )α 0 j= e n j α j b(n ). The theorem follows from Lemma The next theorem can be viewed as the converse of Theorem 4.. Theorem 4.2 Let n>2and α i = α qi for 0 i n. Suppose that {α i } is a normal basis of F q n over F q and satisfies α i α j = a ij α i + b ij α j + γ ij, for all 0 i j n, (4.3) where a ij,b ij,γ ij F q. Then there are constants γ,e,e 2,...,e n F q such that (a) e i = ϕ(e i ), for 2 i n, and a ij = e j i,b ij = e i j,γ ij = γ, for all i j, where ϕ(x) =(e x+γ)/(x e n )and the subscripts of e are calculated modulo n; (b) the minimal polynomial of α is a factor of F (x) =x q+ e n x q (e x + γ), and thus n must be a factor of p, q or q +. Proof: Let e k = a 0k and γ k = γ 0k for k =,2,,n. Then α 0 α k = e k α 0 + b 0k α k + γ k. (4.4) Raising (4.4) to the q n k -th power on both sides, we have α 0 α n k = b 0k α 0 + e k α n k + γ k. (4.5) 2

13 Subtracting (4.5) from (4.4), with the k in (4.4) replaced by n k, gives (e n k b 0k )α 0 +(b 0n k e k )α n k +γ n k γ k =0. (4.6) As n>2 and the α i s are linearly independent over F q, the equation (4.6) implies that b 0k = e n k, γ k = γ n k, k n Therefore α 0 α k = e k α 0 + e n k α k + γ k, k n. (4.7) Now for any i j, raising (4.7) to the q i -th power and letting k = j i, we have α i α j = e j i α i + e i j α j + γ j i. (4.8) Comparing (4.8) and (4.3) gives a ij = e j i, b ij = e i j, γ ij = γ j i, (4.9) which proves part of (a). We shall prove the remaining part of (a) together with (b). To this purpose, note that a special case of (4.8) is α i α i+ = e n α i+ + e α i + γ, 0 i<n, or α i+ = e α i + γ = ϕ(α i ), 0 i<n, (4.0) α i e n where ϕ(x) = (e x + γ)/(x e n ) with γ = γ. So, by induction on i, we see that α i = ϕ i (α 0 )=ϕ i (α),0 i n.we know, by Lemma 2.3, that ϕ i (x) =(a i x+γ)/(x a n i ), 0 i n where a i = ϕ(a i ), for i, and a = e. Thus (4.0) implies that α i = a iα 0 + γ α 0 a n i, i.e., α 0 α i = a i α 0 + a n i α i + γ. (4.) 3

14 Comparing (4.) to (4.7), we have e i = a i, e n i = a n i, γ i = γ. This proves (a). For (b), note that α = α q and that (4.7) with k = means α isaroot of F (x) =x q+ e n x q e x γ. Therefore the minimal polynomial of α divides F (x). This completes the proof. 2 Theorem 4.3 For every a, β Fq with Tr q/p (β) =, x p β axp β ap, (4.2) is irreducible over F q and its roots form a normal basis of F q p over F q with complexity at most 3p 2. The multiplication table is τ e p e p 2... e e e p e 2 e p 2 (4.3).... e p e where e = a, e i+ = ϕ(e i ) fori, ϕ(x) =ax/(x + a), and τ = a/β if p 2or a/β a if p =2. Proof: Let F (x) =(x+a)x q ax and ϕ(x) =ax/(x+a). Then F (x) satisfies the conditions of Theorem 3.4 with b =0,c =,d = a, = 0, and x 0 = 0. So (4.2) is an irreducible factor of F (x). As the coefficient of x p in (4.2) is a/β 0, by Theorem 4., the roots of (4.2) form a normal basis and its multiplication table is (4.3). The complexity is obviously at most 3p 2. 2 Theorem 4.4 Let n be any factor of q. Letβ F q with multiplicative order t such that gcd(n, (q )/t) =and let a = β (q )/n. Then x n β(x a +) n (4.4) is irreducible over F q and its roots form a normal basis of F q n over F q of complexity at most 3n 2. The multiplication table is τ e n e n 2... e e e n e 2 e n 2 (4.5).... e n e 4

15 where e = a, e i+ = ϕ(e i )(i ), ϕ(x) =ax/(x +) and τ = n(a )β/( β) ɛ with ɛ specified as in Theorem 4. (with d =). Proof: It is easy to see that a has multiplicative order n. Then ϕ(x) =ax/(x + ) has x 0 = 0 and x = a as fixed points, and ξ =(a x 0 )/(a x )=ahas order n. Soϕhas order n. Note that β isarootofx (q )/n a. By Theorem 3.5, the polynomial (4.4) is an irreducible factor of F (x) =x q+ + x q ax. Note that the coefficient of x n in (4.4) is n(a ) 0. By Theorem 4. (with b =0,d = ), the roots of (4.4) form a normal basis of F q n over F q and its multiplication table is (4.5). The complexity is obviously at most 3n 2. 2 The following table is the result of a computer search for the minimal complexity of normal bases. It indicates that when n (q ) the minimal complexity is often 3n 3or 3n 2. This indicates that the normal bases constructed in Theorems 4.3 and 4.4 often have complexity very close to the minimal complexity. In the table, indicates that the minimal q n min complexity is 3n 2 and indicates optimal complexity, i. e., 2n. Other minimal values are of the form 3n 3. 5 Self-dual Normal Bases A basis B = {β 0,β,,β n } is called a dual basis of A = {α 0,α,,α n } if Tr(α i β j ) = δ ij = 0 for i j, and for i = j, where Tr is the trace function of F q n into F q defined as Tr(α)=α+α q + +α qn F q, α F q n. One can prove that, for each basis A of F q n over F q, there is a unique dual basis. Also, if A is normal then so is its dual. If the dual basis of A coincides with A, then A is called a self-dual basis, that is, a basis A = {α i } is called self-dual if Tr(α i α j )=δ ij. Lempel and Weinberger [5] proved Theorem 5. A self-dual normal basis of F q n over F q exists if and only if one of the following conditions is satisfied 5

16 (a) q is even and n is not a multiple of 4, (b) both q and n are odd. Later, Jungnickel, Menezes and Vanstone [4] determined the total number of self-dual bases and self-dual normal bases of F q n over F q. However the proofs of these results are not constructive. In this section, we will construct a self-dual normal basis of F q n over F q for every n in the following cases: (a) n = p, the characteristic of F q, (b) n (q ) and n is odd, (c) n (q + ) and n is odd. One can check that the conditions in Theorem 5. are satisfied by each of the three cases. Theorem 5.2 Let N = {α 0,α,,α n } with α i = α qi be a normal basis of F q n over F q satisfying α i α j = e j i α i + e i j α j + γ,for all i j, where e,e 2,,e n,γ F q.letτ=tr q n /q(α) and λ = (e + e n ) nγ/τ. Then { τ(τ + nλ) (α i + λ) : i=0,,,n } is the dual basis of N. Proof: Note that, for i j, Tr q n /q(α i (α j + λ)) = Tr q n /q(λα i + e j i α i + e i j α j + γ) = λτ + e j i τ + e i j τ + nγ = τ(λ + e + e n )+nγ = 0, and Tr q n /q(α i (α i + λ)) = Tr(α i (τ +λ j )) j iα 6

17 = Tr(α i (τ +nλ j + λ))) j i(α = Tr(α i )(τ + nλ) Tr(α i (α j + λ)) j i = τ(τ + nλ). The result is proved. 2 We now proceed to determine when the roots of an irreducible factor of F (x) =x q+ + dx q ax b form a self-dual normal basis. Let {α 0,α,...,α n }be a normal basis generated byarootαof F (x) with α i = α qi and let τ =Tr q n q(α). By Theorem 4. and Lemma 2.3, we have, for i 0, Tr q n /q(α 0 α i ) = e i Tr(α 0 )+e n i Tr(α i )+nb = τ(e i + e n i )+nb = τ(a d)+nb, (5.) and Tr q n /q(α 0 α 0 ) = τ(τ ɛ) τɛ nb(n ) { τ = 2, if p =2, τ 2 (n )(τ(a d)+nb), if p 2. (5.2) Therefore α generates a self-dual normal basis if τ =Tr(α) = and (a d) +nb =0. By examining the irreducible factors in Theorems 3.4, 3.5 and 3.6, we find that these two conditions can be satisfied. More explicitly, we have the following three results. Theorem 5.3 For any β Fq with Tr q/p (β) =, x p x p β p (5.3) is irreducible over F q and its roots form a self-dual normal basis of F q p over F q with complexity at most 3p 2. The multiplication table is (4.3) where e = β, e i+ = ϕ(e i )(i ), ϕ(x) =βx/(x + β), and τ =if p 2or τ = β if p =2. Proof: Let F (x) =(x+β)x q βx. Then, by Theorem 3.4, the polynomial (5.3) is an irreducible factor of F (x) (where b =0,c=,d=a=β,x 0 = 0 and β j = β). Since a d = b = 0 and τ = in (5.) and (5.2), the roots of (5.3) form a self-dual normal basis. Its multiplication table is (4.3), by Theorem

18 Theorem 5.4 Let n be an odd factor of q and ξ F q of multiplicative order n. Then there exists u F q such that (u 2 ) (q )/n = ξ. Let x 0 =(+u)/n and x =(+u)/(nu). Then the monic polynomial u 2 [(x x 0) n u 2 (x x ) n ] (5.4) is irreducible over F q and its roots form a self-dual normal basis of F q n over F q. The multiplication table is (4.2) with a =(x 0 ξx )/( ξ), b = x 0 x, d = a (x 0 + x ) and τ =. Proof: We first prove that there exists at least one root of x (q )/n ξ that is a quadratic residue in F q. Let ζ be a primitive element in F q. Let t be an odd factor of q such that n t and gcd(n, (q )/t) =. Then ζ 0 = ζ (q )/t is a t-th primitive root of unity. Since t is odd, ζ0 2 is also a t-th primitive root of unity. Let d = t/n. Then there is an integer i such that (ζ0 2)id = ξ, that is, (ζ (q )/t ) 2id =(ζ 2i ) (q )/n = ξ. So ζ 2i isarootofx (q )/n ξ and is a quadratic residue in F q. Therefore we can take u = ζ i. Now by applying Theorem 3.5, we see that (5.4) is an irreducible factor of F (x) = (x+d)x q (ax + b). The negative of the coefficient of x n in (5.4) is τ = n(x 0 u 2 x ) u 2 =. By Theorem 4., the roots of (5.4) form a normal basis of F q n multiplication table. Note that over F q with the claimed a d = x 0 + x = (u +) n + u+ nu = (u +)2 nu = nx 0 x = nb, that is, τ(a d) +nb = 0. It follows from (5.) and (5.2) that the roots of (5.4) form a self-dual normal basis. 2 Theorem 5.5 Let n be an odd factor of q + and let ξ F q 2 be a root of x q+ with multiplicative order n. Then there is a root u of x q+ such that (u 2 ) (q+)/n = ξ. Let x 0 =(+u)/n and x =(+u)/(nu). Then u 2 [(x x 0) n u 2 (x x ) n ] (5.5) 8

19 is in F q [x] and is irreducible over F q with its roots forming a self-dual normal basis of F q n over F q. The multiplication table is (4.2) with a =(x ξx 0 )/( ξ), b = x 0 x, d = a (x 0 + x ) and τ =. Proof: The proof of the existence of u is similar to that in the proof of Theorem 5.4 by taking ζ to be a (q + )th primitive root of unity in F q 2. We next prove that a, b, d F q and (5.5) is in F q [x]. Note that ξ,u and u 2 are all (q + )th roots of unity and we have ξ q =/ξ, u q =/u and (u 2 ) q =/u 2. Thus x q 0 = x and x q = x 0. So a q = a, b q = b and d q = d, that is, a, b, d F q. Denote the polynomial (5.5) by φ(x) and note that (φ(x)) q = (u 2 ) q [(xq x q 0 )n (u 2 ) q (x q x q )n ] = /u 2 [(xq x ) n /u 2 (x q x 0 ) n ] = φ(x q ). We see that the coefficients of φ(x) are in F q. To prove that (5.5) is irreducible over F q, we apply Theorem 3.6. It is easy to check that, with a, b, d as defined in Theorem 5.5, x 0 and x are the two distinct solutions of (2.) with c = and (a x )/(a x 0 )=ξwhich is of order n. Now since u 2 is assumed to be a solution of x (q+)/q ξ, it follows from Theorem 3.6 that (5.5) is an irreducible factor of F (x) =(x+d)x q (ax + b). As the coefficient of x n in (5.5) is ( nx 0 + nu 2 x )/( u 2 )=, the trace of any root of (5.5) is τ =. It is easy to check that τ(a d)+nb = 0. It follows from (5.) and (5.2) that the roots of (5.5) form a self-dual normal basis. The multiplication table follows from Theorem

20 References [] D.W. Ash, I.F. Blake, and S.A. Vanstone, Low complexity normal bases, Discrete Applied Math. 25 (989), [2] I.F. Blake, S. Gao and R.C. Mullin, Factorization of cx q+ + dx q ax b and normal bases over GF (q), Research report CORR9-26, Faculty of Mathematics, University of Waterloo, 99. [3] S. Gao and H.W. Lenstra, Optimal normal bases, to appear in Designs, Codes and Cryptography, 992. [4] D. Jungnickel, A. J. Menezes and S. A. Vanstone, On the number of self-dual bases of GF (q m ) over GF (q), Proc. Amer. Math. Soc. 09 (990), [5] A. Lempel and M. J. Weinberger, Self-complementary normal bases in finite fields, SIAM J Discr. Math. (988), [6] R.C. Mullin, I.M. Onyszchuk, S.A. Vanstone and R.M. Wilson, Optimal normal bases in GF (p n ), Discrete Applied Math., 22 (988/89), [7] O. Ore, Contributions to the theory of finite fields, Trans. Amer. Math. Soc. 36 (934), [8] V.M. Sidel nikov, On normal bases of a finite field, Math. USSR Sbornik 6(988),