1

I'm going through some code that implements finite field arithmetic. There, for a fixed prime $p$, the extension fields $\mathbb{F}_{p^2}$ and $\mathbb{F}_{p^{12}}$ are implemented by forming the quotient ring of $\mathbb{F}_p$ modulo certain polynomials. This only works when the polynomials are irreducible over $\mathbb{F}_p$. Let $p \equiv 3 \pmod{4}$; then I know that the polynomial $x^2 + 1$ is irreducible over the finite field $\mathbb{F}_p$, so we can form the quadratic extension $\mathbb{F}_{p^2} = \mathbb{F}_p/(x^2 +1)$. This part I understand. Now, with $p$ being the same prime number, how can we deduce that $x^{12} - 18x^6 + 82$ is irreducible over $\mathbb{F}_p$? I already figured out that $x^{12} - 18x^6 + 82 = (x^6 - 9)^2 + 1$. So by setting $u := x^6 - 9$ we can write the polynomial as $u^2 + 1$. Can we deduce from this that it is irreducible in the same way as $x^2 + 1$?

  • 4
    We can't. For $p=3$, the polynomial $x^{12} - 18x^6 + 82 \equiv x^{12} + 1 \equiv (x^{4} + 1)^3$ is reducible. – Matthé van der Lee Aug 28 '22 at 14:46
  • @MatthévanderLee: Good catch. Then I suppose there must be additional requirements on $p$ for this to work out. Unfortunately, they didn't state them. – jazzinsilhouette Aug 28 '22 at 14:49
  • 1
    The title claim is also false for $p=2,3,5,11,13,17,19,23,29,31,37,41,43$, but is correct for $p=7$. What is the source of this problem? Can you give a link? Something seems not right. – Dietrich Burde Aug 28 '22 at 15:16
  • @DietrichBurde: I was hoping the claim is an easy consequence of the stated facts. In reality it only needs to work for a particular prime, which is $p = 21888242871839275222246405745257275088696311157297823662689037894645226208583$. However, I was hoping to understand the general idea behind choosing this polynomial... – jazzinsilhouette Aug 28 '22 at 15:23
  • @DietrichBurde: To give some more context. This particular prime $p$ is used as the modulus for the base field in certain elliptic curve cryptography applications using pairing functions. – jazzinsilhouette Aug 28 '22 at 15:26
  • Have you computed the splitting field over $\mathbb{Q}$? – hunter Aug 28 '22 at 16:29
  • What is the order of $9+x$ in $\Bbb{F}_p[x]/(x^2+1)$ with $p$ your large prime? – reuns Aug 28 '22 at 16:53
  • @reuns: I tried to compute it, but I stopped after I realised that brute-forcing the order is unfeasible and trying to figure out the divisors of $p^2-1$ would require me to calculate the prime factorization (also unfeasible). Can you elaborate why you think this element in particular is interesting? – jazzinsilhouette Aug 28 '22 at 18:25
  • 2
    Because a root of your polynomial is a root of $T^6-9-x$. If $6$ divides the order of $9+x$ and if it divides neither $(p^2-1)/3$ nor $(p^2-1)/2$ then it is irreducible over $\Bbb{F}_{p^2}$ and $(T^6-9-x)(T^6-9+x)= (T^6-9)^2+1$ is irreducible over $\Bbb{F}_p$. – reuns Aug 28 '22 at 19:40
  • @reuns: Thank you very much. Judging from the context I think you are spot on. The last two requirements you give can also be stated as saying that the root should not be a square or a cube in $\mathbb{F}_{p^2}$, if I understand correctly. I also just verified that $p^2 - 1 \equiv 0 \pmod{6}$. So my guess is that $9+x$ has order $p^2-1$. But I don't understand why it's important that $6$ divides the order of $9+x$. – jazzinsilhouette Aug 28 '22 at 20:27
  • 1
    Sorry we just need that $6| p^2-1$ and that $9+x$ is not a $k$-th power in $\Bbb{F}_{p^2}$ with $k=2$ or $3$ (ie. $(9+x)^{(p^2-1)/k} \ne 1$) – reuns Aug 28 '22 at 21:11
  • @reuns: Thank you. Maybe one last question: I cannot really make out what goes wrong when $9+x$ is, say a $3$-th power. Can you give a hint on why this is needed? – jazzinsilhouette Aug 28 '22 at 23:58
  • 1
    Let $a^3=9+x$ then $T^2-a$ divides $T^6-a^3$ which is not irreducible over $\Bbb{F}_{p^2}(a)$ – reuns Aug 29 '22 at 08:25
  • 1
    Is there a reason, for example one coming from the pairing you mentioned, to use this particular polynomial to construct the extension field? In the case of an elliptic curve there is usually a lot of extra information available. For example the Weil pairing takes values in a certain cyclic group of the extension field, and the properties of the curve then prescribe a certain extension. Alas, I'm very rusty on all that (and never became fully conversant with the theory in the first place). Just considering the possibility that something extra may be coming from the EC side. – Jyrki Lahtonen Aug 29 '22 at 11:12
  • 1
    @JyrkiLahtonen: Thanks for your comment. Yes, I just found some more info on the curve involved, and in this case the prime $p$, as well as the degree of the elliptic curve, are algorithmically selected to produce a curve that can be implemented efficiently with respect to some pairing function. In particular we have $p \equiv 1 \pmod{6}$, which is enough to guarantee the existence of some $\zeta \in \mathbb{F}_{p^2}$ such that $X^6 - \zeta$ is irreducible, which implies the irreducibility of some degree 12 polynomial over $\mathbb{F}_p$ as reuns showed. – jazzinsilhouette Aug 29 '22 at 17:25
  • 1
    @JyrkiLahtonen: In case you are interested: the curves are called BN curves after their inventors Barreto and Naehrig. – jazzinsilhouette Aug 29 '22 at 17:27
  • 1
    Ok. So then the pairing you want to study strongly suggests to look for exactly this kind of an extension field of degree $12$. I mean, there is only one degree $12$ extension, but this way of constructing it meshes well with the pairing or something. – Jyrki Lahtonen Aug 29 '22 at 19:22
  • @reuns: is it obvious that only powers $k = 2,3$ are not allowed? what if $T^6 - a^4 = (T^3 - a^2)(T^3 + a^2)$?, i.e. $k=4$? – jazzinsilhouette Aug 29 '22 at 20:34

2 Answers

3

Let $p\ne 3$ be a prime $\equiv 3\bmod 4$.

Let $i$ be a root of $x^2+1$ in $\Bbb{F}_{p^2}$. We get $$(x^6-9)^2+1=(x^6-9-i)(x^6-9+i)$$

Let $\zeta_6$ be a primitive $6$-th root of unity in $\Bbb{F}_{p^2}$.

$x^6-9-i$ is irreducible over $\Bbb{F}_{p^2}$ iff $(9+i)^{(p^2-1)/2}\ne 1$ and $(9+i)^{(p^2-1)/3}\ne 1$.

(This condition is not hard to check even for your very large prime)

Proof: let $a$ be a root of $x^6-9-i$ so that $$x^6-9-i=\prod_{m=1}^6 (x-a \zeta_6^m)$$ An irreducible factor of it is of the form $f(x)=\prod_{l=1}^L (x-a\zeta_6^{c_l})$, and its constant coefficient is $f(0)=a^L (-1)^L \prod_{l=1}^L \zeta_6^{c_l}$.

So $a^L\in\Bbb{F}_{p^2}$. As $a^6\in \Bbb{F}_{p^2}$ we get $a^{\gcd(6,L)}\in \Bbb{F}_{p^2}$, which implies that $(9+i)^{(p^2-1)/(6/\gcd(6,L))}=1$.

If $x^6-9-i$ is irreducible over $\Bbb{F}_{p^2}$ then $(x^6-9-i)(x^6-9+i)$ is irreducible over $\Bbb{F}_p$.

reuns
  • 77,999
  • Thank you for your answer. I have a few questions: 1) Is this polynomial decomposition using the $6$-th primitive root some sort of standard procedure I can read up on elsewhere? 2) Why is the constant coefficient relevant? 3) Since $a \in \mathbb{F}_{p^2}$ why are only the $\gcd(6,L)$ powers in $\mathbb{F}_{p^2}$? This is probably referencing some Theorem I don't know of? – jazzinsilhouette Aug 29 '22 at 21:37
  • 1
    @jazzinsilhouette Essentially this answer (+1) is going through the checklist in this result (while also proving this instance of the result). Here $6\mid p-1$, so the sixth root of unity is in the prime field. By the linked result all we need to do is to check that $9+i$ is neither a square nor a cube in $\Bbb{F}_{p^2}$. We don't need the full power of the linked result (in finite fields we have a number of trick substitutes). – Jyrki Lahtonen Aug 30 '22 at 05:25
  • 1
    @jazzinsilhouette Your query about $\gcd(6,L)$ can be answered by observing that the set of integers $m$ such that $a^m\in\Bbb{F}_{p^2}$ is an additive subgroup of $\Bbb{Z}$, call it $G$. By Bezout's identity, if $x\in G$ and $y\in G$ then $\gcd(x,y)\in G$. This is because $\gcd(x,y)=ux+vy$ for some integers $u,v$. – Jyrki Lahtonen Aug 30 '22 at 05:28
  • @JyrkiLahtonen: Thank you for your enlightening comments! :) – jazzinsilhouette Aug 30 '22 at 09:43
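The check the answer calls "not hard" for the large prime, together with a cross-check against the small primes listed in the comments, as an added Python example. This code is not from the question, from either answer, or from the library the question's code comes from; it uses only the standard library. `BN_P` is the prime quoted in the question; `criterion` is the square/cube test for $9+i$ in $\mathbb{F}_{p^2}$ stated in the answer, and `is_irreducible` is Rabin's irreducibility test over $\mathbb{F}_p$, a different method used here only to confirm the criterion from the $\mathbb{F}_p$ side (the function and variable names are this example's own).

```python
# Added example, not code from the question or the answers. Two independent
# tests that f(x) = x^12 - 18x^6 + 82 is irreducible over F_p: (1) the criterion
# of the answer above, evaluated in F_{p^2} = F_p[i]/(i^2+1) (needs p = 3 mod 4,
# p != 3); (2) Rabin's test over F_p for any prime p, used as a cross-check.
# Polynomials are coefficient lists, lowest degree first; moduli are monic.

# Base-field prime quoted in the question (the BN254 / alt_bn128 prime).
BN_P = 21888242871839275222246405745257275088696311157297823662689037894645226208583

def fp2_mul(a, b, p):  # (a0 + a1*i)(b0 + b1*i) with i^2 = -1
    return ((a[0]*b[0] - a[1]*b[1]) % p, (a[0]*b[1] + a[1]*b[0]) % p)

def fp2_pow(a, e, p):  # square-and-multiply in F_{p^2}
    r = (1, 0)
    while e:
        if e & 1:
            r = fp2_mul(r, a, p)
        a = fp2_mul(a, a, p)
        e >>= 1
    return r

def criterion(p):
    """True iff 9+i is neither a square nor a cube in F_{p^2}, i.e.
    (9+i)^((p^2-1)/2) != 1 and (9+i)^((p^2-1)/3) != 1 (answer above)."""
    if p % 4 != 3 or p == 3:
        raise ValueError("criterion needs p = 3 (mod 4) and p != 3")
    z, n = (9 % p, 1), p * p - 1          # 9+i and |F_{p^2}^*|; 6 | n for p >= 5
    return fp2_pow(z, n // 2, p) != (1, 0) and fp2_pow(z, n // 3, p) != (1, 0)

def target_poly(p):  # x^12 - 18x^6 + 82 reduced mod p
    f = [0] * 13
    f[0], f[6], f[12] = 82 % p, (-18) % p, 1
    return f

def poly_trim(a):  # drop leading zeros in place, return the list
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_sub(a, b, p):
    m = max(len(a), len(b))
    a, b = a + [0] * (m - len(a)), b + [0] * (m - len(b))
    return poly_trim([(x - y) % p for x, y in zip(a, b)])

def poly_mulmod(a, b, f, p):  # a*b mod monic f, coefficients mod p
    n = len(f) - 1
    if not a or not b:
        return []
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % p
    for k in range(len(res) - 1, n - 1, -1):   # cancel x^k, k >= n, using f
        if res[k]:
            c = res[k]
            for t in range(n + 1):
                res[k - n + t] = (res[k - n + t] - c * f[t]) % p
    return poly_trim(res[:n])

def poly_powmod(base, e, f, p):
    result, base = [1], poly_trim(base[:])
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def poly_rem(a, b, p):  # remainder of a divided by b != 0 over F_p
    a, db, inv = poly_trim(a[:]), len(b) - 1, pow(b[-1], -1, p)
    while a and len(a) - 1 >= db:
        c, shift = (a[-1] * inv) % p, len(a) - 1 - db
        for t in range(db + 1):
            a[shift + t] = (a[shift + t] - c * b[t]) % p
        poly_trim(a)
    return a

def poly_gcd(a, b, p):
    a, b = poly_trim(a[:]), poly_trim(b[:])
    while b:
        a, b = b, poly_rem(a, b, p)
    return a

def is_irreducible(f, p):
    """Rabin: monic f of degree n is irreducible over F_p iff x^(p^n) = x mod f
    and gcd(x^(p^(n/q)) - x, f) = 1 for every prime q dividing n."""
    n, x = len(f) - 1, [0, 1]
    for q in (q for q in range(2, n + 1) if n % q == 0 and all(q % r for r in range(2, q))):
        h = poly_sub(poly_powmod(x, p ** (n // q), f, p), x, p)
        if len(poly_gcd(f, h, p)) != 1:      # non-constant common factor
            return False
    return poly_powmod(x, p ** n, f, p) == x

def cross_check(primes):  # criterion and Rabin's test must agree for p = 3 mod 4, p != 3
    return all(criterion(p) == is_irreducible(target_poly(p), p) for p in primes)
```

`cross_check([7, 11, 19, 23, 31, 43])` returns `True`, with `criterion(7)` true and the others false, matching the list in the comments; `criterion(11)` being false agrees with the explicit factorisation modulo $11$ in the other answer. For the 254-bit prime both `criterion(BN_P)` and `is_irreducible(target_poly(BN_P), BN_P)` return `True`. Rabin's test is noticeably slower, since it raises $x$ to the power $p^{12}$ modulo $f$, whereas the criterion needs just two exponentiations in $\mathbb{F}_{p^2}$, which is why the answer calls the check easy even at this size.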
1

A counterexample. I'm afraid it's not true for all primes $p\equiv3\pmod4$. In fact we have $$x^{12}-18x^6+82=(x^6+2x^3+4)(x^6+9x^3+4)\pmod{11}$$ Proof: $(x^6+2x^3+4)(x^6+9x^3+4)=x^{12}+11x^9+26x^6+44x^3+16$, which is obviously equivalent modulo $11$ to $$x^{12}+4x^6+5$$ so we have $$x^{12}-18x^6+82\equiv x^{12}+4x^6+5\pmod{11}$$

Piquito
  • 29,594