Joachim von zur Gathen. and. Igor Shparlinski. FB Mathematik-Informatik, Universitat-GH Paderborn, and

Transcription

1 JOACHIM VON ZUR GATHEN & IGOR SHPARLINSKI (998). Orders of Gauss Periods in Finite Fields. Applicable Algebra in Engineering, Communication and Computing 9(), 5 4. URL Extended abstract in Proceedings of 6th International Symposium on Algorithms and Computation ISAAC 95, Cairns, Australia (995). ing any of these documents will adhere to the terms and constraints invoked by each copyright holder, and in particular use them only for noncommercial purposes. These works may not be posted elsewhere without the explicit written permission of the copyright holder. (Last update 07//9-8 :0.) are maintained by the authors or by other copyright holders, notwithstanding that these works are posted here electronically. It is understood that all persons copy- Thisdocument isprovidedasa meanstoensuretimely disseminationofscholarly and technical work on a non-commercial basis. Copyright and all rights therein ORDERS OF GAUSS PERIODS IN FINITE FIELDS Joachim von zur Gathen and Igor Shparlinski FB Mathematik-Informatik, Universitat-GH Paderborn, Paderborn, Germany gathen@uni-paderborn.de and School of MPCE, Macquarie University, Sydney, NSW 09, Australia igor@mpce.mq.edu.au Abstract It is shown that Gauss periods of a special type give an explicit polynomial-time computation of elements of exponentially large multiplicative order in some nite elds. This can be considered as a step towards solving the celebrated problem of nding primitive roots in nite elds in polynomial time. Keywords: Finite Fields, Algorithms, Primitive Roots, Normal Bases, Artin's Conjecture. Introduction One of the most important unsolved problems in the computational theory of nite elds is to design a fast algorithm to construct primitive roots in a

2 nite eld IF q of q elements. All known algorithms for this problem work in two stages:. Find a `small' set MIF q guaranteed to contain a primitive rootof IF q.. Test all elements of M for primitivity. In many cases, wehave quite good algorithms for the rst stage, especially if one assumes the Extended Riemann Hypothesis (ERH) see Chapter 3 of []. Unfortunately, at the current state of the art, the second stage requires the integer factorization of q; which is not known to be obtainable in polynomial time. It is demonstrated in [] that we can nd a primitive root of IF q in time O(q =4+" ) for any ">0. Even the ERH cannot help too much here. On the other hand, for many applications, instead of a primitive root just an element of high multiplicative order is sucient. Such applications include but are not limited to cryptography, coding theory, pseudo random number generation and combinatorial designs. As a specic example we point out the sparse polynomials interpolation algorithms [, 4] where instead of a primitive root just an element of large order can be used (after some simple adjustments of the other parameters). Also, it is often enough to solve such a problem for some suciently `dense' sequence of elds, rather than for all elds. In this paper we design, under these two relaxations of the original problem, fast deterministic algorithms. The work was motivated by and can be considered as a continuation of [3, 4] whose key tool are special Gauss periods over nite elds which are shown to generate normal bases, see also [, 5, 6, 8, 5] about various additional useful properties and applications of Gauss periods. Experimental results [3, 4, 5] indicate that such periods often produce primitive rootsand thus generate primitive normal bases, or at least have highmultiplicative order. In Section we concentrate on the following special case of a Gauss period in IF q n. Let r =n + be a prime not dividing q, and let be a primitive rth root of unity inif q n. Then = + ; IF q n

3 where ' is the Euler function, is called a Gauss period oftype (n ) over IF q : It is, in fact, an elementofif q n.we refer [, 3, 4, 5, 6, 8, 5] for the literature on this topic. In Section 3 we consider a more general variant of these Gauss periods. If we know the minimal polynomial of over IF q (i.e., we have factored x r ; over IF q ), that of can be determined by linear algebra over IF q,in polynomial time. While a deterministic polynomial time algorithm to factor polynomials over nite elds is not known, there are many ecient (probabilistic and deterministic, unconditional and ERH{dependent) methods. We just mention that x r ; can be completely factored over IF q with the following number of arithmetic operations in IF q : (r log q) O() probabilistically, r O() q = log q deterministically, (r log q) O() deterministically under the ERH. More precise forms of these assertions and further details can be found in [], Section.. In some cases an explicit formula for the minimal polynomial of is known [7]. If q is a primitive root modulo the prime r, then the minimal polynomial of is x r; + :::+ x +. This can be used in the construction of Theorem below. In this paper we do not estimate the cost of constructing (which, as we mentioned above, is fairly small) but rather concentrate on the cost of nding n for which the corresponding is of large period. Gauss periods of type (n k) fork> can be dened similarly and are of great interest as well, but unfortunately at the moment we cannot give any lower bounds on their multiplicative order. This remains an interesting open problem. Large-order normal elements Let A be the set of all integers a IN for which Artin's conjecture holds in the following form: 9C(a) x 0 (a) 8x x 0 (a) a (x) x=(c(a) log x) () 3

4 where a (x) isthenumber of primes up to x for which a is a primitive root. It is known that A contains the odd powers of all but at most two prime numbers [9], and of all prime numbers under the ERH [0] many other relevant results can be found in [6]. For any a IN clearly a 6 A. Theorem. For any prime power q = p k A and any suciently large integer N there isaninteger n =(r ; )= with N n M, where M = 3C(q)N log N and C(q) is as in (), such that the Gauss period = + ; IF q n, where is a primitive rth root of unity over IF q generates a normal basis of IF q n over IF q and has multiplicative order at least (n)= ; : For any ">0, such an n can be found with the following number of bit operations: O(C(q)exp[( + ")log = M log = log M]) probabilistically, O(M 5=4+" ) deterministically, O(M 6=5+" ) deterministically under the ERH. Proof. Let R be the set of primes r in the interval [N + M +] for which q is a primitive root. We rst estimate #R from below. More precisely, we show that for N large enough #R q (M +); (N) > M C(q)log (M) : () Indeed, assume that N is such that M maxf4 x 0 (q)g so that M + log (M +) M log (M) ) and Then, q (M +) 3(log(N) ; 3=)log N>log (6C(q)N log N): M C(q)log (M) 3N log N log (6C(q)N log N) > N log(n) ; 3= : 4

5 We have N log (N) ; 3= (N) by [8], (3.4). Therefore q (M +);(N) 0:5 q (M +) and () follows. It follows from () that q (M +)>(N), hence R 6=. For any r [N + M +],we test whether r R as follows. First, we check ifr is prime. Then we factor r ; andcheck ifq is a primitive root modulo r by testing if q (r;)=l 6 modr for each prime divisor l of r ;. The latter can be done in polynomial time. Primality testing and nding the integer factorization of r ; can be both done, for any ">0, with the following number of bit operations: O(exp[( + ") log = M log = log M]) probabilistically [4], O(M =4+" ) deterministically [0], O(M =5+" ) deterministically under the ERH [9]. For a probabilistic algorithm, we select r uniformly at random in the interval [N + M + ], then the probability of success is at least #R #[N + M +] q(m +); (N) M C(q)log (M) by (). For a deterministic algorithm we test all numbers r [N + M +]. Now, let r R and n =(r ; )=. Then '(r) =n. Let IF q n be a primitive rth root of unity, and = + ; IF q n. It generates a normal basis for IF q n over IF q, see [, 3, 4, 5, 6, 8, 5]. Let h = br = c; H = f ::: hgif r S = find a : a Hg Z r; where we identify IF r with f0 ::: r; g, andinda is the index (or discrete logarithm) of a IF r in base q. LetU U 0 S be two dierent subsets of S, and u = X su q s u 0 = X su0 q s : We claim that u 6= u0. This implies that we have at least #S = h distinct powers of, and thus the order of is at least h (n)= ; : 5

6 We may suppose that U \ U 0 =. Assume that u = u0. Then 0 = u ; u0 = Y su = ;u Y su ( + ; ) qs ; Y su 0 ( + ; ) qs Y ( qs +); ;u0 +): su 0 ( qs Since is an rth root of unity, wemay reduce the exponents modulo r, and with E = fq s rem r : s Ug E 0 = fq s rem r : s U 0 gh where (q s rem r) IN is the positive remainder of q s on division by r, and e = X te t X e 0 = t te0 we have E \ E 0 =, and ; Y ; t + ; ;e0 t + : 0= ;e Y te We may assume that e 0 e and let f(x) =x e0 ;e Y te ; x t + ; Y te0 te0 ; x t + IF q [x]: Then f() = 0, and deg f e 0 X ih i = h(h +) r ; p r<r; : Since q is primitivemodulor, has degree r ; over IF q, and therefore the polynomial f is zero. If e 0 >e,thenf(0) = ;. Thus e 0 = e. But then the monomial x t occurs in f with nonzero coecient, where t =min(e [ E 0 ). This contradiction proves the claim. ut We note that under the ERH, from the asymptotic formula for q (x) of [0], one can get a slightly better estimate for n, namely apparently one can take M = cn log log log q, provided that N > q C with some absolute constants c and C. Unfortunately C does not seems to be eectively computable and it is not clear how to use this better bound in order to design a faster algorithm. On the other hand, all constants occurring in [9] are eective andthus lead to an eective form of () for odd powers of all but at most two prime numbers. 6

7 3 A denser sequence of large-order elements In the next theorem we eliminate the condition that q belongs to A and consider a denser sequence of n. The price we pay is losing the property of being normal and a weaker lower bound. The work [] addresses the question of whether is normal over IF q this is not the case unless r is squarefree, which never happens in our construction. Theorem. There is an absolute constant C>0 such that for any prime power q and any suciently large N there areintegers n and r with N n = ' (r) N + O(N= log C N) and such that the Gauss period = + ; IF q n, where is a primitive rth root of unity over IF q has multiplicative order at least where cqn= ;5 c q =0q ; : (3) For any ">0, suchn and r can be found with O(log +" N) bit operations. Proof. We let p be the characteristic of IF q and dene (l l )= 8 < : (3 5) if p =orp 7 (5 7) if p =3 (3 7) if p =5 q = l l '(l l ) = 8 < : If k and k are positive integers, then 5=8 if p =orp 7 35=4 if p =3 7=4 if p =5: : l k lk = q'(l k lk ): Let r 0 be the smallest integer greater than R = q N=l l of the form r 0 = l m l m, where m m are nonnegative integers. Tijdeman's result [3] on the distribution of numbers containing only a xed set of primes in their factorization implies that R r 0 R + O(N= log C N) 7

8 with some absolute constant C>0. Thus if we dene r = r 0 l l and n = '(r) = q ; r, then N n N + O(N= log C N). To estimate the cost of nding such r 0,we note that r 0 = l m lm l R. Therefore, 0 m i K i for i =, where To ndr 0, for each log(l R) K i = : log l i k f0 ::: K g we compute k = dlog(rl ;k )= log l e, so that l k l k ; R l k l k : For each k, this can be done with O(log +" N) bit operations. From the K = O(log N) numbers obtained we select the smallest one as r 0. Let t be the order of q modulo r, h = (r=) = ; t 0 r=t S = fs: 0 s<tand (q s rem r) hg where as before (q s rem r) IN is the positive remainder of q s on division by r. Let t 0 be the order of q modulo l l.we dene i as the largest power of l i which divides q t 0 ;, for i =. We need the following inequalities l l <q t 0 t 0 lcm(l ; l ; ) : Korobov [], Remark after Lemma, shows that t t 0 l ; l ; r>t 0 q ;t 0 r q ; r (see also [3], beginning of Section ). In particular, we see that h is positive for suciently large N. Korobov [], Lemma, implies that j#s ; th=rjt 0 (see also [3], Fact ). Thus we have #S th=r + t 0 t(r) ;= and h#s ((r=) = ; t 0 r=t)t(r) ;= <t: Now we recall that the degree of the minimal polynomial of a primitive rth root of unity over IF q equals t. Wedene = + ;.Sinceq n modr, we have IF q n. 8

9 Let U U 0 S be two dierent subsets and u = X su q s u 0 = X su 0 q s : If we assume that u = u0,thenasintheproofoftheoremwe dene the sets E = fq s rem r : s Ug E 0 = fq s rem r : s U 0 gf ::: hg and the numbers e = X tet e 0 = X te 0 t: If, say, e 0 e, then we nd that is a root of the non-zero polynomial f(x) =x e0 ;e Y te ; x t + ; Y te0 ; x t + IF q [x]: Furthermore, deg f h#s <t thus our assumption is false. Therefore, we have at least #S distinct powers of. The claim follows from #S th=r ; t 0 t(r) ;= ; t 0 ; t=r (35=48) = q ; n = ; 5 0q ; n = ; 5: ut 4 Concluding remarks The constants in Theorem can be easily rened. We do not do this because we believe that our subexponential lower bound can be essentially improved, perhaps up to exp(c(q)m) with some C(q) > 0. Our method can produce several more results. For example, it can be shown that if the multiplicative order q modulo r =n + with gcd(r q)= is greater than r 3=4+ with >0, then the construction of Theorem produces an element of order at least exp(c(q)n = log n): This is based on another estimate of Korobov [3] #S = th=r + O(r = log r) 9

10 (which can be extracted from the proof of Theorem 3 of that paper). Thus h can be chosenoforderr 3= t ; log r, hence #S r =. Then one can consider subsets of S with at most k = bt=hct r ;3= log ; r elements. Accordingly, the order can be estimated from below by #S k k (+o())t r ;3= log ; r In particular if r =n + is relatively prime to q and q generates a group of bounded index in the group of units modulo r, the same construction produces of order at least exp(c(q)n = = log n) (the logarithmic term can possibly be eliminated). This and several other similar statements which can be obtained within the framework of the method of this paper show that the class of pairs (q r) which generate elements of large order can be substantially extended. We also hope that exponentially large lower bounds can be obtained for almost all primes r =n + if one uses the bound of exponential sums from [] (instead of Korobov's estimate [3]) and Pappalardi's estimates [7] of the multiplicative orders of a given integer modulo almost all primes. Finally we note one more interesting question which we believe can be approached by the method of this paper. Given N>, nd a small s (say s = N O() )such that the Gauss period IF q n of type (n ) over IF q, where n = sn, has exponentially large multiplicative order. That is, instead of nding elements of large multiplicative order in a eld IF q n with n close to a given N, nowwe are looking for a such an element in a not too large extension of a given eld IF q N. Acknowledgment. This paper was essentially written during two visits by the second author to the University ofpaderborn, whose hospitality is gratefully acknowledged. The authors would like to thank Francesco Pappalardi for a useful discussion of the eective computability issues related to Artin's conjecture. The rst version of this paper appeared in the Proceeding of the 6th International Symposium on Algorithms and Computation, Cairns, 995 (Lect. Notes in Comp. Sci., 995, vol. 004, pp. 08{5). 0

11 References [] M. Clausen, A. Dress, J. Grabmeier and M. Karpinski, `On zero testing and interpolation of k-sparse multivariate polynomials over nite eld', Theor. Comp. Sci.. 84 (99), 5{64. [] S. Feisel, J. von zur Gathen and A. Shokrollahi, `Normal bases via general Gauss periods', Math. Comp., to appear. [3] S. Gao, J. von zur Gathen and D. Panario, `Gauss periods and fast exponentiation in nite elds', Proceedings LATIN '95, Springer Lecture Notes in Comp. Sci., 9 (995), 3{3. [4] S. Gao, J. von zur Gathen and D. Panario, `Gauss periods: Orders and cryptographical applications', Math. Comp., (to appear). [5] S. Gao and S. Vanstone, `On orders of optimal normal basis generators', Math. Comp., 64 (995), 7{33. [6] S. Gao and H. W. Lenstra, `Optimal normal bases' Designs, Codes and Cryptography, (99), 35{33. [7] S. Gao and G. L. Mullen, `Dickson polynomials and irreducible polynomials over nite elds ' J. Number Theory, 49 (994), 8{3. [8] J. von zur Gathen and M. J. Nocker, `Exponentiation in nite elds: Theory and practice', Proceedings AAECC'97, Springer Lecture Notes in Comp. Sci., 55 (997), 88{3. [9] D. R. Heath-Brown, `Artin's conjecture for primitive roots', Quart. J. Math., 37 (986), 7{38. [0] C. Hooley, `On Artin's conjecture', J. Reine Angew. Math., 5 (967), 09{0. [] S. V. Konyagin and I.E.Shparlinski, `On the distribution of residues of nitely generated multiplicative groups and their applications' Macquarie Math. Reports, 97/, 997, {34.

12 [] N. M. Korobov, `Trigonometriqeskie summy s pokazate nymi funkcimi i raspredelenie znakov periodiqeskih drobe$i', Matem. Zametki, 8 (970), 64{65. `Exponential sums with exponential functions and the distribution of digits in periodic fractions', Matem. Notes, 8 (970), 83{837. [3] N. M. Korobov, `O raspredelenii znakov v periodiqeskih drobh', Matem. Sbornik, 89 (97), 654{670. `On the distribution of digits in periodic fractions', Mat. USSR-Sb., 8 (97), 659{676. [4] H. W. Lenstra and C. Pomerance, `A rigorous time bound for factoring integers', J. Amer. Math. Soc., 5 (99), 483{56. [5] A. J. Menezes and I. F. Blake and X.H. Gao and R. C. Mullin and S. A. Vanstone and T. Yaghoobian, `Applications of nite elds', Kluwer Academic Publishers, Norwell MA, 993. [6] W. Narkiewicz, Classical problems in number theory, Polish Sci. Publ., Warszawa, 986. [7] F. Pappalardi, `On the Order of Finitely Generated Subgroups of Q (mod p) and Divisors of p ; ', J. Number Theory, 57 (996), 07-. [8] J.B. Rosser and L. Schoenfeld, `Approximate functions for some functions of prime numbers ', Illinois J. Math. 6 (96), 64{94. [9] R. J. Schoof, `Quadratic elds and factorization', Computational Methods in Number Theory, Amsterdam, 984, 35{79. [0] D. Shanks, `Class number, a theory of factorization and genera', Proc. Symp. in Pure Math., Amer. Math. Soc., Providence, 97, 45{40. [] I. Shparlinski Computational and algorithmic problems in nite elds, Kluwer Acad. Publ., Dordrecht, 99. [] I. Shparlinski, `On nding primitive roots in nite elds', Theor. Comp. Sci. bf 57 (996), 73{75. [3] R. Tijdeman, `On the maximal distance between integers composed of small primes', Compos. Math., 8 (974), 59{6.

13 [4] K. Werther, `The complexity of sparse polynomials interpolation over nite elds', Appl. Algebra in Engin., Commun. and Comp., 5 (994), 9{03. 3