Normal Bases over Finite Fields, 1993
Interest in normal bases over finite fields stems both from mathematical theory and practical applications. There has been a lot of literature dealing with various properties of normal bases (for finite fields and for Galois extensions of arbitrary fields). The advantage of using normal bases to represent finite fields was noted by Hensel in 1888. With the introduction of optimal normal bases, large finite fields that can be used in secure and efficient implementations of several cryptosystems have recently been realized in hardware. The present thesis studies various theoretical and practical aspects of normal bases in finite fields. We first give some characterizations of normal bases. Then, using linear algebra, we prove that F_{q^n} has a basis over F_q such that any element in F_{q^n} represented in this basis generates a normal basis if and only if some groups of coordinates are not simultaneously zero. We show how to construct an irreducible polynomial of degree 2 n with linearly i...
The Riemann hypothesis in characteristic p, its origin and development -- Part 1. The formation of the zeta-functions of Artin and of F. K. Schmidt, 2003
This paper is the first part of a larger project which will give a comprehensive view of the history around the Riemann hypothesis for function fields. (A preliminary version appeared in 1997/98.) This Part 1 deals with the development before Hasse's contributions to the Riemann hypothesis. We try to explain what he could build upon. The time
Constructing Normal Bases in Finite Fields, J. Symbolic Comput, 1990
This paper addresses the question: how can we find a normal element efficiently? More generally, we consider how to find an element of any given additive order. Hensel (1888) pioneered the study of normal bases for finite fields and proved that they always exist. We use his algorithm in Section 2. Eisenstein (1850) had already noted that normal bases always exist. Hensel, and also Ore (1934), determine exactly the number of these bases, and Ore develops the more general concept of additive order. Ore's approach is developed into more constructive proofs of the normal basis theorem in several textbooks (for example, van der Waerden 1966, Section 67, and Albert 1956, Section 4.15); these all use some linear algebra calculations. Schwarz (1988) has given a new proof along these lines, and several recent papers have translated this approach into algorithms. Sidel'nikov (1988) deals with the case where n divides one of p (the characteristic of F_q), q + 1, or
A Family of Weak Keys in HFE (and the Corresponding Practical Key-Recovery)
The HFE (Hidden Field Equations) cryptosystem is one of the most interesting public-key multivariate schemes. It was proposed more than 10 years ago by Patarin and seems to withstand the attacks that break many other multivariate schemes, since only subexponential ones have been proposed. The public key is a system of quadratic equations in many variables. These equations are generated from the composition of the secret elements: two linear mappings and a polynomial of small degree over an extension field. In this paper we show that there exist weak keys in HFE when the coefficients of the internal polynomial are defined in the ground field. In this case, we reduce the secret key recovery problem to an instance of the Isomorphism of Polynomials (IP) problem between the equations of the public key and themselves. Even though for schemes such as SFLASH or C* the hardness of key recovery relies on the hardness of the IP problem, this is normally not the case for HFE, since the internal polynomial is kept secret. However, when a weak key is used, we show how to recover all the components of the secret key in practical time, given a solution to an instance of the IP problem. This breaks in particular a variant of HFE proposed by Patarin to reduce the size of the public key, called the “subfield variant”.
Affine dispersers from subspace polynomials, In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, 2009
Dispersers and extractors for affine sources of dimension d in F_p^n, where F_p denotes the finite field of prime size p, are functions f: F_p^n → F_p that behave pseudorandomly when their domain is restricted to any particular affine space S ⊆ F_p^n of dimension at least d. For dispersers, “pseudorandom behavior” means that f is nonconstant over S, i.e., |{f(s) | s ∈ S}| > 1. For extractors, it means that f(s) is distributed almost uniformly over F_p when s is distributed uniformly over S. Dispersers and extractors for affine sources have been considered in the context of deterministic extraction of randomness from structured sources of imperfect randomness. Previously, explicit constructions of affine dispersers were known for every d = Ω(n), due to Barak, Kindler, Shaltiel, Sudakov, and Wigderson [2005], and explicit affine extractors for the same dimension were obtained by Bourgain [2007]. The main result of this paper is an efficient deterministic construction of affine dispersers for sublinear dimension d = Ω(n^{4/5}). Additional results include a new and simple affine extractor for dimension d > 2n/5, and a simple disperser for multiple independent affine sources. The main novelty in this paper lies in the method of proof, which makes use of classical algebraic objects called subspace polynomials. In contrast, the papers mentioned above relied on the sum-product theorem for finite fields and other recent results from additive combinatorics.
Some Results on the Functional Decomposition of Polynomials, 1988
If g and h are functions over some field, we can consider their composition f = g(h). The inverse problem is decomposition: given f, determine the existence of such functions g and h. In this thesis we consider functional decompositions of univariate and multivariate polynomials, and rational functions over a field F of characteristic p. In the polynomial case, “wild” behaviour occurs in both the mathematical and computational theory of the problem if p divides the degree of g. We consider the wild case in some depth, and deal with those polynomials whose decompositions are in some sense the “wildest”: the additive polynomials. We determine the maximum number of decompositions and show some polynomial time algorithms for certain classes of polynomials with wild decompositions. For the rational function case we present a definition of the problem, a normalised version of the problem to which the general problem reduces, and an exponential time solution to the normal problem.
Polynomials in finite geometries, In J.D. Lamb & D.A. Preece (Eds.), Surveys in Combinatorics (London Mathematical Society Lecture Note Series 267), 1999
A method of using polynomials to describe objects in finite geometries is outlined, and the problems where this method has led to a solution are surveyed. These problems concern nuclei, affine blocking sets, maximal arcs and unitals. In the case of nuclei these methods give lower bounds on the number of nuclei to a set of points in PG(n, q), usually dependent on some binomial coefficient not vanishing modulo the characteristic of the field. These lower bounds on nuclei lead directly to lower bounds on affine blocking sets with respect to lines. A short description of how linear polynomials can be used to construct maximal arcs in certain translation planes is included. A proof of the non-existence of maximal arcs in PG(2, q) when q is odd is outlined, and some bounds are given as to when a (k, n)-arc can be extended to a maximal arc in PG(2, q). These methods can also be applied to unitals embedded in PG(2, q). One implication of this is that when q is the square of a prime, a non-classical unital has a limited number of Baer sublines amongst its secants.
Specific Irreducible Polynomials with Linearly Independent Roots over Finite Fields
In this paper we give several families of specific irreducible polynomials with the following property: if f(x) is one of the given polynomials of degree n over a finite field F_q and α is a root of it, then α ∈ F_{q^n} is normal over every intermediate field between F_{q^n} and F_q. Here by α ∈ F_{q^n} being normal over a subfield F_q we mean that the algebraic conjugates of α are linearly independent over F_q. The degrees of the given polynomials are of the form 2 i where r_1, r_2, ..., r_u are distinct odd prime factors of q - 1 and k, l_1, ..., l_u are arbitrary positive integers. For example, we prove that, for a prime p ≡ 3 mod 4, if x - bx - 1 ∈ F_p[x] is irreducible with b ≠ 2, then the polynomial - x has the described property over F_p for every integer k ≥ 0. We will also show how to efficiently compute the required b ∈ F_p.
Density of Normal Elements, 1997
Let f ∈ F_q[x] be a monic polynomial of degree n, and let Φ(f) denote the number of polynomials in F_q[x] of degree < n that are relatively prime to f. Let (f) = Φ(f)/q . We slightly improve the previously known lower bounds on (f). The density of normal elements in F_{q^n} over F_q is (x . We prove that (x where the p_i are any fixed primes, the e_i vary, and C is a constant independent of the e_i's. Unfortunately, this is not true for general n. Indeed, we show an upper bound on (x - 1) for infinitely many values of n that goes to 0 as n approaches infinity. This upper bound is almost tight with our lower bound for a general polynomial f.
Normal and Self-dual Normal Bases from Factorization of cx, SIAM J. Discrete Mathematics, 1992
The present paper is interested in a family of normal bases, considered by V. M. Sidel'nikov, with the property that all the elements in a basis can be obtained from one element by repeatedly applying to it a linear fractional function of the form φ(x) = (ax + b)/(cx + d), a, b, c, d ∈ F_q. Sidel'nikov proved that the cross products for such a basis {α_i} are of the form α_i α_j = e_{i-j} α_i + e_{j-i} α_j + ε, i ≠ j, where e_k, ε ∈ F_q. We will show that every such basis can be formed by the roots of an irreducible factor of F(x) = cx - ax - b. We will construct: (a) a normal basis of F_{q^n} over F_q with complexity at most 3n - 2 for each divisor n of q - 1 and for n = p, where p is the characteristic of F_q; (b) a self-dual normal basis of F_{q^n} over F_q for n = p and for each odd divisor n of q - 1 or q + 1. When n = p, the self-dual normal basis of F_{q^p} over F_q so constructed also has complexity at most 3p - 2. In all cases, we give the irreducible polynomials and the multiplication tables explicitly. Abbreviated title: Normal Bases. 1991 Mathematics subject classification: 11T30, 11T06. Key words: finite field, irreducible polynomial, normal basis.

