
Normally I see $GF(p^n)$ defined in terms of a reducing polynomial $P(x)$ of degree $n$, where the coefficients are elements of $GF(p)$. For example, $GF(2)[x]/\langle x^4+x+1 \rangle$ or $GF(2)[x]/\langle x^8+x^4+x^3+x+1 \rangle$. The number of primitive elements (multiplicative generators) for $GF(p^n)$ is $\phi(p^n-1)$ (where $\phi$ is the totient function). For $GF(2^4)$, there are 8 generators, for $GF(2^8)$ there are 128 generators, and typically one of the generators is specified. If $P(x)$ is primitive, then one of the generators is $x$. There are algorithms to create a complete list of all generators for any $P(x)$ if needed.

I sometimes see an alternative definition based on a polynomial of primitive elements | multiplicative generators. Let $A(\alpha)$ represent such a polynomial, where the coefficients are elements of $GF(p^n)$. For example, $A(\alpha) = \alpha^4 + \alpha + 1 = 0$. The actual wording is typically similar to: let $\alpha$ be a primitive element (multiplicative generator) of $GF(2^4)$ such that $\alpha^4 + \alpha + 1 = 0$.

If $A(\alpha)$ is a primitive polynomial, its $n$ roots are generators for any $GF(p^n)$. For example:

$A(\alpha) = \alpha^4 + \alpha + 1 = 0$
$GF(2)[x]/\langle x^4+x+1 \rangle$ : $\alpha(x)=\{x, x+1, x^2, x^2+1\}$
$GF(2)[x]/\langle x^4+x^3+1 \rangle$ : $\alpha(x) = \{x^2+x, x^2+x+1, x^3+x^2, x^3+x^2+1\}$
$GF(2)[x]/\langle x^4+x^3+x^2+x+1 \rangle$ : $\alpha(x) = \{x^2+x, x^2+x+1, x^3+x, x^3+x+1\}$

If $A(\alpha)$ is not primitive, then the roots of $A(\alpha)$ will not be generators of $GF(p^n)$.

$A(\alpha)$ has $n$ roots, which is only a subset of the generators. For $GF(2^8)$, $A(\alpha)$ has 8 roots, while $GF(2^8)$ has 128 generators.

Since the second definition has limitations, what is the purpose of using the second definition?


Here is a link to an online document that uses the second definition, which is sufficient for determining minimum polynomials for BCH code, but then follows that with a table on page 6 that is specific to $GF(2)[x]/\langle x^4+x+1 \rangle$.

https://web.ntpu.edu.tw/~yshan/BCH_code.pdf

rcgldr
  • What fails? In $GF(2)[x]/\langle x^4 +x +1\rangle$ if we take $a=x+\langle x^4 +x +1\rangle$ then $a,a+1,a^2, a^2+1$ are the four roots of $x^4+x+1$, and the other four primitive elements are $a^{-1}, a^{-1}+1,a^{-2}, a^{-2}+1$ - or as you have listed them $a^3+1,a^3+1+1, a^3+a^2+1, a^3+a^2+1$ - are the roots of $x^4+x^3+1$. What's wrong with that? – ancient mathematician Oct 17 '21 at 07:13
  • I can't read this I'm afraid. My $\alpha$ is certainly a primitive element. – ancient mathematician Oct 17 '21 at 11:02
  • In standard mathematical treatments, 10 is an element of GF(7), which is equal to 3. More precisely, both 3 and 10 are elements of the same equivalence class of integers congruent to 3 (or 10) mod 7. When working in modular arithmetic (with either numbers or polynomials), it is much cleaner to regard the elements of the ring or field as equivalence classes, rather than insisting on choosing particular representatives. – Ted Oct 17 '21 at 20:51
  • You cannot in a field have $8$ roots for a quartic equation! Once again, let me say it: four are roots of $X^4+X+1$ and the other four (being their inverses) are roots of $X^4+X^3+1$. – ancient mathematician Oct 18 '21 at 13:55
  • When working modulo $X^4+X^3+X^2+X+1$ the cosets of the primitive elements are the cosets of $a+bX+cX^2+dX^3$ except $1$, $X,X^2,X^3, 1+X+X^2+X^3$ (the four 5th rou), $X^2 +X^3, 1+X^2+X^3$ (the two 3rd-rou). – ancient mathematician Oct 18 '21 at 14:16
  • @JyrkiLahtonen - for $GF(2)[x]/\langle x^4+x^3+x^2+x+1 \rangle$, the zeroes of $x^4+x+1$ are $\{x^2+x,x^2+x+1,x^3+x,x^3+x+1\}$ and the zeroes of $x^4+x^3+1$ are $\{x+1,x^2+1,x^3+1,x^3+x^2+x\}$, all 8 of which are primitive elements of $GF(2)[x]/ \langle x^4+x^3+x^2+x+1 \rangle$. Since all 3 $GF(2^4)$ fields are isomorphic, they can be mapped to each other. Let $\alpha$ be some primitive element of one field, and $\beta$ some primitive element of the other field, then $\beta^j = map(\alpha)^j = map(\alpha^j)$, so I would expect similar results between the 3 fields based on mapping. – rcgldr Oct 19 '21 at 03:38
  • Correct, I didn't check yours, but isomorphisms between the three quotient rings exist and all three quartic polynomials all have four zeros in each of them. What is the remaining question actually? – Jyrki Lahtonen Oct 19 '21 at 04:14
  • Please see my edited answer @rcgldr – Ted Oct 19 '21 at 06:22
  • @Ted I wondered that but the OP seems to know there are only $8$ primitive elements, so must (?) be using the "generator of the multiplicative group" sense. – ancient mathematician Oct 19 '21 at 06:27
  • You say "So the two definitions are not equivalent." I can't understand what you mean. Both definitions define a field of $16$ elements and there is only one such. Given such a field defined by a polynomial (there are exactly three such) we have given you the appropriate $\alpha$ to use in definition 2 (actually four possibilities each time). Starting with definition 2 we need an $\alpha$ and its minimal polynomial so trivially we see that recipe 1 applies. So what are you asking? – ancient mathematician Oct 19 '21 at 06:35
  • @ancientmathematician - "not equivalent" the first definition specifies a specific reducing polynomial, $x^4+x+1$. The second definition applies to 4 possible primitive elements for each of 3 possible $GF(2^4)$ reducing polynomials. In my case, the focus is to explain an actual implementation (software and|or hardware) to some other people as opposed to theory. – rcgldr Oct 19 '21 at 08:55
  • No. The second definition is only really a definition if you specify the minimal polynomial for $\alpha$. It's true ( a theorem!) that you'll get isomorphic fields in all cases, but without that theorem it's not a definition. If definition 2 is meant to be applied to primitive elements as you say then it doesn't apply to the $X^4+X^3+X^2+X+1$ roots, so there are only two relevant irreducible quartics. But the question has changed so often I now give up. – ancient mathematician Oct 19 '21 at 09:20
  • @ancientmathematician - so without a minimum polynomial for $\alpha$, it's not a definition at all? Wouldn't that make it different than the first definition? Even if $\alpha$ is defined, such as $\alpha(x) = x$, the second definition would still apply to two different instances of $GF(2^4)$, with reducing polynomials $x^4+x+1$ or $x^4+x^3+1$, while the first definition explicitly states $x^4+x+1$. The wiki article uses the first definition: Wiki BCH Code. – rcgldr Oct 19 '21 at 17:06
  • What do you mean by $\alpha(x)$? That is very confusing. Similarly, why would you call $A(\alpha)$ a polynomial when it is just an element of the field? I (more or less systematically) use $x$ as an indeterminate of polynomials, and $\alpha$ denotes a zero of a given irreducible polynomial $f(x)$. More precisely, $\alpha$ is the coset $x+\langle f(x)\rangle$. Automatically implying that $f(\alpha)=0$. It is important to make this distinction because when dealing with codes you run into polynomials with coefficients in $GF(16)$. Such as $(x-\alpha)(x-\alpha^2)(x-\alpha^3)$. – Jyrki Lahtonen Oct 23 '21 at 02:53
  • @JyrkiLahtonen - consider a Galois Field, $GF(2^n)$. In my post, the reducing polynomial $P(x)$ has 1 bit coefficients, while the polynomial $A(α)$ has n bit coefficients. My post considers the more generic case where $A(α)$ is defined independently of $P(x)$, for example, $P(x) = x^4+x^3+x^2+x+1$, which is not primitive, and $A(α) = α^4 + α + 1$, which is primitive. The 4 roots of $A(α)$ are generators of $GF(2)[x]/ \langle x^4+x^3+x^2+x+1 \rangle$ as listed in my OP. – rcgldr Oct 23 '21 at 07:11
  • @JyrkiLahtonen - continuing, one situation where this could be used is for isomorphic mapping: $P0(x) = x^4 + x + 1$, $P1(x) = x^4+x^3+x^2+x+1$, $A(α) = α^4+α+1$ (same as $P0$). $r0$ = any root of $A(α)$ in $GF(2)[x] / P0(x)$, $r1$ = any root of $A(α)$ in $GF(2)[x] / P1(x)$. $e0$ = any element of $GF(2)[x] / P0(x)$. $e1$ = any element of $GF(2)[x] / P1(x)$. To map $e0$ to $e1$: $e1$ = $r1$ raised to the power log$_{r0}(e0)$. (text too small to exponentiate the log). – rcgldr Oct 23 '21 at 07:28
  • @JyrkiLahtonen - that isomorphic mapping only works if $A(α$) is primitive. A more generic method of isomorphic mapping chooses a generator of $GF(2)[x]/P1(x)$, then does a brute force search for any generator of $GF(2)[x]/P0(x)$, where the mapping works. The same principle can be used to map to composite fields, such as $GF(2^8)$ to $GF(((2^2)^2)^2)$, which is common for AES multiplicative inverse step. – rcgldr Oct 23 '21 at 07:36
  • @JyrkiLahtonen - so it seems that usage of $A(α)$ is limited and unneeded, since other methods are more generic (don't require primitive polynomials), and depending on the situation, simpler and|or faster, which gets back to my question what was the purpose of $A(α)$ in the first place? Most coding theory textbooks or articles don't bother with $A(α)$. – rcgldr Oct 23 '21 at 07:44
  • One last time $A(\alpha)$ is not a polynomial. In all the examples we have seen here $A(\alpha)$ is the zero element of the field. Yes. I have seen people discuss implementing the Rijndael field as an iterated extension on a device that cannot spare 512 bytes of memory for log tables. Typically you then run into exactly the type of tricks I described, of releasing and rereleasing $x$. – Jyrki Lahtonen Oct 23 '21 at 08:08
  • But I'm still clueless about what your question is? And what is the meaning of $\alpha(x)$? – Jyrki Lahtonen Oct 23 '21 at 08:08
  • @JyrkiLahtonen - "meaning of α(x)" - I would just use α = x or α = z, but someone with a mathematics background recommended α(x) = x or α(z) = z, which is used in Wiki BCH Code article, where α(z) = z is used, since $x$ is used for the minimum polynomials that follow and has a different meaning. – rcgldr Oct 23 '21 at 18:41
  • @JyrkiLahtonen - "$A(α)$ is not a polynomial". It is a shorthand notation for the polynomial as used in my OP. For example $A(α) = α^4+α+1$ where the coefficients are $0$ and $1$ elements in the field $GF(2)[x]/P(x)$. Note that in a non-primitive field, such as $GF(2)[x]/ \langle x^8 + x^7 + x^3 + x + 1 \rangle$, the minimum value for $(α) = x^3+x+1 = 1011_2$. Then $A(α)$ could be a polynomial in that field, perhaps $A(α) = α^8 + α^4 + α^3 + α^2 + 1$ (which is primitive), used to map to|from $GF(2)[x]/ \langle x^8 + x^4 + x^3 + x^2 + 1 \rangle$. – rcgldr Oct 23 '21 at 18:55
  • @JyrkiLahtonen- Rijndael field - the issue is the multiplicative inverse. In software, a 256 byte lookup table is normally used. In hardware, such as an AES S-Box, there could be 10 to 20 or so encoders and decoders on a single chip, so minimizing gate count is important, so mapping to a composite field | sub-field is used. – rcgldr Oct 23 '21 at 19:03
  • @JyrkiLahtonen - "what your question is" - I have yet to see a case where using the second definition is better than alternative methods based on the first definition, which typically will be simpler | faster for $GF(2^8)$ or larger fields. Given that, other than it's an interesting fact, the second definition doesn't seem to have any practical purpose. – rcgldr Oct 23 '21 at 19:06
  • @JyrkiLahtonen - $A(α)$ as a polynomial. $P(x) = \langle x^4+x^3+x^2+x+1 \rangle$. In $GF(2)[x] / P(x)$, $A(α) = 0001_2 α^4 + 0111_2 a^3 + 0100_2 a^2 + 1001_2$ : $α = \{0011_2, 0101_2, 0110_2, 0111_2\}$, 4 of the 8 generators of $GF(2)[x] / P(x)$. $A(α) =0001_2 α^8+0001_2 α^7+0001_2 α^5+0001_2 a^4+0001_2 a^3+0001_2 α+0001_2 $ : $α = \{0011_2, 0101_2, 0110_2, 0111_2, 1001_2, 1010_2, 1011_2, 1110_2\}$, all 8 generators of $GF(2)[x] / P(x)$. – rcgldr Oct 23 '21 at 20:21
  • Can you please describe the process that leads to your table. I understand that if $\alpha$ satisfies the equation $\alpha^4+\alpha+1=0$ then the zeros of $x^4+x+1$ are $\alpha$, $\alpha^2$, $\alpha+1$ and $\alpha^2+1$, which is probably what the entry about $GF(2)[x]/\langle x^4+x+1\rangle$ is trying to convey. But, if instead $\alpha$ satisfies the equation $\alpha^4+\alpha^3+1$, then the zeros of $x^4+x^3+1$ are $\alpha$, $\alpha^2$, $\alpha^3+1$ and $\alpha+\alpha^2+\alpha^3$, which is nowhere to be seen??? – Jyrki Lahtonen Oct 23 '21 at 22:04
  • (cont'd) and with the last table entry. If $\alpha$ is a root of $x^4+x^3+x^2+x+1$, the other roots are $\alpha^2$, $\alpha^3$ and $\alpha^4=\alpha^3+\alpha^2+\alpha+1$. Again something totally different from you $\alpha(x)$? – Jyrki Lahtonen Oct 23 '21 at 22:06
  • My background is on coding theory side, where we need primitive elements for many constructs. The fields are usually larger than the Rijndael field. But not as large as those in use in EC crypto. Discrete log tables are not feasible there :-) – Jyrki Lahtonen Oct 23 '21 at 22:16
  • For example the Gold sequences used in identifying and getting a time synch with GPS satellites need the field $GF(1024)$. The sequences are best studied using a description in terms of traces and powers $\alpha^j, j=0,1,2,\ldots,1022$, where $\alpha$ is some chosen primitive element. I'm not sure Rijndael needs primitive roots that much. But in coding theory the fields are almost invariably defined using a primitive element and its minimal polynomial. – Jyrki Lahtonen Oct 23 '21 at 22:20
  • @JyrkiLahtonen - thanks for all the replies. Let $P(x) = x^4+x^3+x^2+x+1$. For $GF(2)[x] / P(x)$, the 8 generators are $\{0011_2, 0101_2, 0110_2, 0111_2, 1001_2, 1010_2, 1011_2, 1110_2\}$. Let α = any of 1 of the 8 generators, such as $α = 0011_2$. In $GF(2)[x] / P(x)$: $α^4+α^3+α^2+α+1 \neq 0$. This is because the second approach in the OP doesn't work for non-primitive polynomials, such as the one used for AES inverse step: $P(x) = x^8+x^4+x^3+x+1$. – rcgldr Oct 23 '21 at 23:11
  • @JyrkiLahtonen - "describe the process that leads to your table." Example for $GF(2^8)$. The prime factors of $2^8-1 = 255$ are $\{3, 5, 17\}$. The product of the combinations of those $3$ factors taken $3-1=2$ at a time = $\{15, 51, 85\}$. Then all possible $α$ of $GF(2^8)$ are tested to see if $α^{15} \neq 1$, $α^{51} \neq 1$, $α^{85} \neq 1$, 3 tests per candidate. If all 3 tests are true, then $α$ is a generator of the field. For larger fields, it is usually done the other way, a generator is chosen, such as $α = 10_2$, and a set of tests done to find a primitive $P(x)$. – rcgldr Oct 23 '21 at 23:27
  • @JyrkiLahtonen - for $GF(2^{1024})$, the prime factors of 1024-1 = 1023 are {3, 11, 31}. The tests are $α^{33} \neq 1$, $α^{93} \neq 1$, $α^{341} \neq 1$. exponentiation by squaring can be used to speed up the process. – rcgldr Oct 23 '21 at 23:54
  • I know how the primitive roots are tested. I was not asking about that. I asked about the process of going from $GF(2)[x]/\langle x^4+x^3+1\rangle$ to $\alpha(x)=\{x^2+x,x^2+x+1,x^3+x^2,x^3+x^2+1\}$? The same about $GF(2)[x]/\langle x^4+x^3+x^2+x+1\rangle$. The content of $\alpha(x)$ here is a total mystery to me. What is the significance of those four polynomials. That is one of the reasons why I don't have a clue about why you think there are issues in using $GF(2)(\alpha)$, $\alpha^8+\alpha^4+\alpha^3+\alpha+1=0$. What are those issues, why are they important? – Jyrki Lahtonen Oct 24 '21 at 05:06
  • $\alpha(x)$ cannot consist of the primitive elements because there are 8 of them. Why would we ever need the complete list of primitive elements, when having just one is all we need? – Jyrki Lahtonen Oct 24 '21 at 05:09
  • @JyrkiLahtonen - "why the need for the complete list". To minimize gate count for inversion via isomorphic mapping, fixed parameters for the field being mapped to are chosen, and a search for all generators for the field being mapped from are tried, and the one that works and minimizes gate count is chosen. The process may involve trying combinations of all parameters. Do a web search for "compact s-box" for examples of this. – rcgldr Oct 24 '21 at 06:04
  • Are you saying that $\alpha(x)$ lists the zeros of $x^4+x+1$ in the prescribed field as opposed to the zeros of whichever polynomial we chose to define the field with? Let me check.... – Jyrki Lahtonen Oct 24 '21 at 06:30
  • @JyrkiLahtonen - "$α(x)$ lists ..." - yes. Using $GF(2)[x]/ \langle x^4+x^3+1 \rangle$, solve $α^4 + α + 1 = 0$, the result is $\{x^2+x, x^2+x+1, x^3+x^2, x^3+x^2+1\}$, 4 of the generators. Solve $α^4+α^3+1 = 0$ for the other 4. – rcgldr Oct 24 '21 at 06:31
  • Ok. At least now I understand the meaning of that table. So the tables are used to convert one presentation to the other while looking for the best way? – Jyrki Lahtonen Oct 24 '21 at 06:34
  • @JyrkiLahtonen - yes - in the case of AES s-box, where there are 10 or more sets of encoders | decoders on a single chip, they took optimization for isomorphic mapping to an extreme. In the case of hard drives Reed Solomon code, generally there is only one or two instances of encoder | decoder, and typically $GF(2^{12})$ is mapped to $GF(((2^3)^2)^2)$, but without the exhaustive search for the absolute minimum gate count. – rcgldr Oct 24 '21 at 06:38
  • And the underlying problem is related to this and this? – Jyrki Lahtonen Oct 24 '21 at 06:39
  • @JyrkiLahtonen- yes, but somewhat annoying is all of the articles I've found show the 8 by 8 matrices, without explaining how they are generated, so I created a supplemental document for an example document. This document shows the mapping matrices on pages 4 and 5: https://github.com/bpdegnan/aes/blob/master/aes-sbox/documentation/aessbox.pdf . My supplement: https://github.com/jeffareid/finite-field/blob/master/Composite%20Field%20Mapping%20Example.pdf. – rcgldr Oct 24 '21 at 06:42
  • In many applications to coding theory using a primitive element is very convenient because we need to, in some sense, go through the elements of the field in a cyclic order. Using for example a linear feedback shift register (a very efficient piece of hardware, I think). I have never designed related hardware, so cannot tell for sure, but I have a strong impression that the algorithms in use don't have any issues with using a log table for inversion (if needed at all). True, the tables for $GF(2^{16})$ are probably at the approximate point where you would rather not. May be $2^{12}$ already? – Jyrki Lahtonen Oct 24 '21 at 06:47
  • The crypto side implementation problems I found more interesting revolve around implementing outrageously large fields, like $GF(2^{162})$, using normal bases and such. Anyway, I now understand a bit better the need for these conversions. Thanks. – Jyrki Lahtonen Oct 24 '21 at 06:53
  • @JyrkiLahtonen - Inversion for $GF(2^8)$ only requires a 256 byte lookup table, but the AES isomorphic mapping in hardware uses far fewer gates. For software, on a typical PC, tables for $GF(2^{16})$ aren't an issue. – rcgldr Oct 24 '21 at 06:53
  • If/when Dilip Sarwate shows up, he may be able to say more about why coding theory people find using primitive polynomials efficient from the hardware side as well. I guess that LFSRs are the reason. A very low gate count device implementing multiplication by a chosen primitive element. People do work on optimizing that as well by searching for primitive elements with minimal polynomials containing as few terms as possible, resulting in as small an LFSR as possible. – Jyrki Lahtonen Oct 24 '21 at 06:56
  • @JyrkiLahtonen - once you get to $GF(2^{64})$ or larger fields, there isn't any reasonable way to find parameters for actual mapping (which is part of the point of making those fields difficult to hack). If you need multiplicative inverses extended Euclid algorithm can be used. In some cases, a sub-field is used instead, such as $GF((2^{16})^4)$, knowing that it could be mapped to some $GF(2^{64})$, but never actually mapping from or back to any actual $GF(2^{64})$ field. – rcgldr Oct 24 '21 at 06:57
  • I want to apologize for one thing. My knee-jerk reaction is that anyone who writes elements of $GF(16)$ as polynomials in $x$ is a total noob who has never heard of quotient rings. That's why my early comments were misguided. – Jyrki Lahtonen Oct 24 '21 at 06:58
  • @JyrkiLahtonen - the main purpose of isomorphic mapping is for multiplicative inverse. Multiplication can use LFSR's as you commented. Intel X86 processors have a carryless multiply for XMM registers, called PCLMULQDQ, which can help with implementing finite field math. – rcgldr Oct 24 '21 at 07:02
  • @JyrkiLahtonen - my background is mostly with Reed Solomon error correction code, going back to the late 1980s, and the textbooks and papers date back to the early 1960s. Those books and papers from back then just specified reducing polynomials. Over time the syntax and terminology has changed. Back then, the term "sub-field" mapping was used instead of "composite" mapping, and $α$ or other greek letters were used to refer to any generator of a field. – rcgldr Oct 24 '21 at 07:08
  • The reason why $2^{16}$ is a tipping point for me is that at the time I was doing heavy duty calculations with these, it was still DOS era. At least for the purposes of my programming. And, try as I may, I could not fit that log table into a single 64kbyte segment :-) – Jyrki Lahtonen Oct 24 '21 at 07:22
  • @JyrkiLahtonen - $GF(2^{16})$ - that would have been a case where mapping to $GF((2^8)^2)$ would have helped. It would need two 16 by 16 one bit matrices to map to and from $GF((2^8)^2)$. – rcgldr Oct 24 '21 at 17:51
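The following is an added worked example, written for this page and not code from the question author or any commenter. It implements the pieces the thread talks about: the $\alpha(x)$ table in the question (solving $A(\alpha)=\alpha^4+\alpha+1=0$ inside each of the three $GF(2^4)$ presentations), the generator test from the comments (check $\alpha^{(2^n-1)/p}\neq 1$ for each prime $p$ dividing $2^n-1$, i.e. the exponents 15, 51, 85 for $GF(2^8)$), the isomorphic mapping $e_1 = r_1^{\log_{r_0}(e_0)}$ built from a common primitive $A(\alpha)$, and the brute-force search for a compatible generator when the source field is fixed. Elements are stored as bit-vectors (bit $i$ is the coefficient of $x^i$, so $x^4+x+1$ is `0x13` and the AES polynomial $x^8+x^4+x^3+x+1$ is `0x11B`); all function names are this example's own.

```python
# Added example, not part of the original question or its comments. Elements of
# GF(2)[x]/<P(x)> are bit-vectors: bit i holds the coefficient of x^i, so the
# reducing polynomial P is an (n+1)-bit value with bit n set.

def gf_mul(a, b, P, n):
    """Multiply a and b modulo the degree-n reducing polynomial P."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:          # degree reached n: subtract (xor) P
            a ^= P
    return r

def gf_pow(a, e, P, n):
    """a^e by square-and-multiply (the speed-up mentioned in the comments)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, P, n)
        a = gf_mul(a, a, P, n)
        e >>= 1
    return r

def gf_eval(A, alpha, P, n):
    """Evaluate the GF(2)[x] polynomial A (bit-vector) at alpha in GF(2)[x]/<P>."""
    r = 0
    for i in range(A.bit_length()):
        if (A >> i) & 1:
            r ^= gf_pow(alpha, i, P, n)
    return r

def roots(A, P, n):
    """Solutions of A(alpha) = 0 in GF(2)[x]/<P>: the alpha(x) sets of the question."""
    return [a for a in range(1, 1 << n) if gf_eval(A, a, P, n) == 0]

def prime_factors(m):
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    return out + ([m] if m > 1 else [])

def is_generator(a, P, n):
    """a generates the multiplicative group iff a^((2^n-1)/p) != 1 for every
    prime p dividing 2^n-1; for n = 8 the exponents are 85, 51 and 15."""
    q1 = (1 << n) - 1
    return a != 0 and all(gf_pow(a, q1 // p, P, n) != 1 for p in prime_factors(q1))

def generators(P, n):
    return [a for a in range(1, 1 << n) if is_generator(a, P, n)]

def power_map(g0, g1, P0, P1, n):
    """Lookup table sending g0^j in GF(2)[x]/<P0> to g1^j in GF(2)[x]/<P1>,
    i.e. e1 = g1 ** log_g0(e0); g0 and g1 must be generators so every
    non-zero element is reached."""
    table = [0] * (1 << n)
    e0, e1 = 1, 1
    for _ in range((1 << n) - 1):
        table[e0] = e1
        e0, e1 = gf_mul(e0, g0, P0, n), gf_mul(e1, g1, P1, n)
    return table

def is_isomorphism(table, P0, P1, n):
    """A power map is a field isomorphism only if it respects xor and multiplication."""
    N = 1 << n
    return all(table[a ^ b] == table[a] ^ table[b]
               and table[gf_mul(a, b, P0, n)] == gf_mul(table[a], table[b], P1, n)
               for a in range(N) for b in range(N))

def iso_map(A, P0, P1, n):
    """Mapping via a common primitive A: take a root of A in each field, walk powers."""
    return power_map(roots(A, P0, n)[0], roots(A, P1, n)[0], P0, P1, n)

def search_mapping(P0, P1, n, g1):
    """Brute-force search from the comments: fix a generator g1 of the target
    field and keep every generator g0 of the source field whose power map is
    an isomorphism (these are exactly the n conjugates that share g1's
    minimal polynomial)."""
    return [g0 for g0 in generators(P0, n)
            if is_isomorphism(power_map(g0, g1, P0, P1, n), P0, P1, n)]

if __name__ == "__main__":
    for P in (0x13, 0x19, 0x1F):
        print(f"P={P:#07b}: roots of a^4+a+1 -> {roots(0x13, P, 4)}, "
              f"generators -> {generators(P, 4)}")
```

Running it reproduces the question's table (for $P=x^4+x^3+1$ the roots of $\alpha^4+\alpha+1$ are `[6, 7, 12, 13]`, i.e. $x^2+x, x^2+x+1, x^3+x^2, x^3+x^2+1$) and shows why the two definitions behave differently for a non-primitive $P$: in $GF(2)[x]/\langle x^4+x^3+x^2+x+1\rangle$ the element $x$ (`2`) fails the generator test while the roots of $\alpha^4+\alpha+1$ pass it. `search_mapping(0x13, 0x1F, 4, 3)` returns the four elements of the $x^4+x+1$ field that are roots of $x^4+x^3+1$, which is the commenters' point that a map $g_0 \mapsto g_1$ is an isomorphism exactly when both share a minimal polynomial.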

1 Answer


When you say:

What I was unaware of is defining $\alpha$ to be the sum of a primitive element plus the reducing polynomial, such as $\alpha = x + (x^4 + x + 1) = x^4 + 1$.

I believe that you are not reading the notation correctly. The notation $x + (x^4+x+1)$ here does not mean the sum of the polynomials $x$ and $x^4 + x + 1$. The $(x^4 + x + 1)$ in parentheses here means the ideal generated by $x^4 + x + 1$ in the ring $GF(2)[x]$, and $x + (x^4 + x + 1)$ means the coset of this ideal containing $x$. In other words, $x + (x^4 + x + 1)$ denotes the equivalence class of $x$ modulo $x^4 + x + 1$ in the quotient ring $GF(2)[x] / (x^4 + x + 1)$.

Granted, it would probably have been a little clearer to use a different symbol than ordinary parentheses for this purpose (for example, some people write it with angle brackets like $\langle x^4 + x + 1 \rangle$), but the parentheses notation is pretty standard in this context.

Answer to edited question:

I sometimes see an alternative definition based on a primitive element, such as: let $\alpha$ be a primitive element of $GF(2^4)$ such that $\alpha^4+\alpha+1=0$.

I think the confusion here may be that there are two different uses of the term "primitive element" for an extension $K/F$ of fields. The first definition applies only to finite fields, and means a generator of the multiplicative group of the field. The second applies to any field extension, and refers to an element $\alpha \in K$ such that $K = F(\alpha)$, i.e., $\alpha$ generates $K$ over $F$ as a field. These are two totally different concepts.

One more point. In this statement that you quoted above:

Let $\alpha$ be a primitive element (multiplicative generator) of $GF(2^4)$ such that $\alpha^4+\alpha+1=0$.

we are still considering polynomials in $GF(2)[x]$ modulo $x^4 + x + 1$. A statement like the one above is really shorthand for 2 statements: The author wants to consider $GF(2^4)$ in the form $GF(2)[x] / \langle x^4 + x + 1 \rangle$, and is simultaneously claiming that $\alpha = x + \langle x^4 + x + 1 \rangle$ is a multiplicative generator of $GF(2)[x] / (x^4 + x + 1)$. We have to check this claim (which is not an automatic fact and needs to be checked - not all choices of polynomials would give $\alpha$ as a multiplicative generator).

I don't understand when you keep saying that there are 4 vs 8 multiplicative generators. We are not saying that all the multiplicative generators satisfy $x^4 + x + 1 = 0$. In the statement above, we are only saying that $\alpha$ does. $GF(2^4)$ is unique up to isomorphism and has 8 multiplicative generators, no matter how you define it.

Ted
  • This seems to be the OP's source of confusion. +1 – Jyrki Lahtonen Oct 18 '21 at 03:25
  • Yes, I have no idea why in editing the question after my comment the OP changed my $\langle x^4+x+1\rangle$ into $(x^4+x+1)$. – ancient mathematician Oct 18 '21 at 06:32
  • The wikipedia article uses the "first definition" and is easier to follow than the document I posted a link to: Wiki BCH Code Example. – rcgldr Oct 19 '21 at 16:18
  • Because if you define $\alpha$ to satisfy an equation $g(\alpha)=0$ (where $g$ is irreducible over a base field $F$), then the elements of the extension field $F(\alpha)$ are polynomials in $\alpha$ with coefficients in $F$, modulo $g$. It is clear how to add and multiply polynomials in $\alpha$. If you just choose $\alpha$ to be a multiplicative generator, then you have only defined the multiplication operation. You don't know the value of $\alpha + \alpha^2$ (for example) without some additional information, so you haven't really defined the field at all. – Ted Oct 20 '21 at 03:34
  • I am not really understanding your point of confusion but I have edited my answer to make one more attempt – Ted Oct 20 '21 at 15:36
  • @rcgldr Can you explain what you think the difference between the two approaches is? They look exactly the same to me. What is called $x$ in one approach is called $\alpha$ in the other. The reducing polynomial must be specified in either case. When they say to choose a primitive element $\alpha$ to satisfy $\alpha^4 + \alpha + 1 =0$ they are implicitly saying that the reducing polynomial is $x^4 + x + 1$. – Ted Oct 20 '21 at 18:34
  • @Ted - mathjax doesn't work in chat. So I'll continue here. One issue is that the second approach doesn't work for non-primitive fields, such as $GF(2)[x]/ \langle x^4+x^3+x^2+x+1 \rangle$, or AES inversion step field, $GF(2)[x]/ \langle x^8+x^4+x^3+x+1 \rangle$. For both of these one of the generators is $x+1$. For isomorphic mapping to optimize AES inversion step $x+1$ doesn't work, and a common choice is $x^4+x^3+x^2+x+1$. Even for a primitive field in $GF(2^8)$, the polynomial in $\alpha$ only defines 8 of 128 generators, what about the other 120 generators? – rcgldr Oct 21 '21 at 00:00
  • The mathematical theory doesn't distinguish between "primitive" and "non-primitive" fields. All finite fields of a given size are isomorphic. This sounds like some software implementation issue where certain polynomials are better to work with than others, I guess. And I don't know what you mean by "what about the other 120 generators?" If $\alpha$ is a generator, then $\alpha^i$ is a generator for all $i$ relatively prime to $q-1$, where $q$ is the size of the field ($2^8$ in your example). There are 128 (= $\phi(255)$) such $i$ from 1 to 255 so there are 128 generators as expected. – Ted Oct 21 '21 at 02:17
  • @Ted - I'm not sure why AES chose a non-primitive polynomial for $GF(2^8)$ inversion step. It isn't "better" to work with. Maybe it was a better choice for encryption purposes. My point is that the polynomial is $x^8+x^4+x^3+x+1$, and the roots of $α^8+α^4+α^3+α+1$ are not generators. The second "definition" approach doesn't work in this case. You could use any of the 16 primitive polynomials for $GF(2^8)$, such as $α^8+α^4+α^3+α^2+1$, to get 8 of the generators for $GF(2)[x]/ \langle x^8+x^4+x^3+x+1 \rangle$, but it's not clear to me what the benefit of this would be. – rcgldr Oct 21 '21 at 03:09
  • @Ted - continuing. It seems it would be simpler to find the 128 generators by testing all 255 non-zero elements with 3 tests per potential generator: $\alpha^{15} \bmod (x^8+x^4+x^3+x+1) \neq 1$, $\alpha^{51} \bmod (x^8+x^4+x^3+x+1) \neq 1$, $\alpha^{85} \bmod (x^8+x^4+x^3+x+1) \neq 1$. The 3 test exponents are the product of combinations of the prime factors of $2^8-1 = 255$, {3, 5, 17}. – rcgldr Oct 21 '21 at 03:16
  • It sounds like you're in the situation where you can't choose the polynomial because it is fixed for you by some standard like AES. In that case, it's either "primitive" (i.e. $x$ is a generator) or it isn't, there is nothing you can do about it. The only difference I see between the two approaches is that the second one is specifying that $x$ has to be a generator while the first approach isn't. If the polynomial has been chosen for you and $x$ isn't a generator then of course the second approach doesn't work. Is that all you're saying? – Ted Oct 21 '21 at 04:30
  • @Ted - "If the polynomial has been chosen for you and x isn't a generator then of course the second approach doesn't work. Is that all you're saying?" That is one issue. The other issue is that the second approach may be interesting, but it isn't very useful. If the inference is that the second approach's polynomial is the same as the field reducing polynomial, and since the second approach only works for primitive polynomials, then it is already known that $x$ is a generator, and there are other means to determine the other generators if needed, that are simpler or more efficient. – rcgldr Oct 21 '21 at 06:37
  • @Ted - If the second approach polynomial is not the same as the field polynomial, and both polynomials are primitive, then it could be used for isomorphic mapping, but this doesn't work if either polynomial is not primitive, and generally the parameters of the field being mapped to are specified, to optimize operations in the field being mapped to, and instead of the second approach, a brute force search is done for any generator of the field being mapped from to implement isomorphic mapping. Another case of interesting, but not very useful. – rcgldr Oct 22 '21 at 00:05