From 612adfade2a89cc50af50a6027581c12a2b7c492 Mon Sep 17 00:00:00 2001
From: Tim Daly
Date: Mon, 24 Oct 2016 14:22:45 -0400
Subject: [PATCH] books/bookvol10.1 Finite Fields in Axiom by
Grabmeier/Scheerhorn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Goal: Axiom Literate Programming
\section{Finite Fields} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\index{Ash, D.W.}
\index{Black, I.F.}
\index{Vanstone, S.A.}
\begin{chunk}{axiom.bib}
@article{Ashx89,
author = "Ash, D.W. and Black, I.F. and Vanstone, S.A.",
title = "Low Complexity Normal Bases",
journal = "Discrete Applied Mathematics",
volume = "25",
pages = "191-210",
year = "1989"
}
\end{chunk}
\index{Beth, T.}
\index{Geiselmann, W.}
\index{Meyer, F.}
\begin{chunk}{axiom.bib}
@article{Beth91,
author = "Beth, T. and Geiselmann, W. and Meyer, F.",
title = "Finding (Good) Normal Bases in Finite Fields",
journal = "Proc. ISSAC '91",
year = "1991"
}
\end{chunk}
\index{Gathen, J. von zur}
\index{Giesbrecht, M.}
\begin{chunk}{axiom.bib}
@article{Gath90,
author = "Gathen, J. von zur and Giesbrecht, M.",
title = "Constructing normal bases in finite fields",
journal = "J. Symb. Comp.",
volume = "10",
pages = "547-570",
year = "1990"
}
\end{chunk}
\index{Geiselmann, W.}
\index{Gollmann, D.}
\begin{chunk}{axiom.bib}
@article{Geis89,
author = "Geiselmann, W. and Gollmann, D.",
title = "Symmetry and Duality in Normal Basis Multiplication",
journal = "Proc. AAECC-6, LNCS",
volume = "357",
year = "1989"
}
\end{chunk}
\index{Huber, K.}
\begin{chunk}{axiom.bib}
@article{Hube90,
author = "Huber, K.",
title = "Some Comments on Zech's Logarithm",
journal = "IEEE Trans. Information Theory",
volume = "IT-36",
pages = "946-950",
year = "1990"
}
\end{chunk}
\index{InnerNormalBasisFieldFunctions}
\index{Itoh, T.}
\index{Tsujii, S.}
\begin{chunk}{axiom.bib}
@article{Itoh88,
author = "Itoh, T. and Tsujii, S.",
title = "A fast algorithm for computing multiplicative inverses in
$GF(2^m)$ using normal bases",
journal = "Inf. and Comp.",
volume = "78",
pages = "171-177",
year = "1988",
algebra = "\newline\refto{package INBFF InnerNormalBasisFieldFunctions}",
abstract =
"This paper proposes a fast algorithm for computing multiplicative
inverses in $GF(2^m)$ using normal bases. Normal bases have the
following useful property: In the case that an element $x$ in
$GF(2^m)$ is represented by normal bases, $2^k$ power operation of an
element $x$ in $GF(2^m)$ can be carried out by $k$ times cyclic shift
of its vector representation. C.C. Wang et al. proposed an algorithm
for computing multiplicative inverses using normal bases, which
requires $(m-2)$ multiplications in $GF(2^m)$ and $(m-1)$ cyclic
shifts. The fast algorithm proposed in this paper also uses normal
bases, and computes multiplicative inverses iterating multiplications
in $GF(2^m)$. It requires at most $2[log_2(m-1)]$ multiplications in
$GF(2^m)$ and $(m-1)$ cyclic shifts, which are much less than those
required in Wang's method. The same idea of the proposed fast
algorithm is applicable to the general power operation in $GF(2^m)$
and the computation of multiplicative inverses in $GF(q^m)$
$(q=2^n)$.",
paper = "Itoh88.pdf"
}
\end{chunk}
\index{Jacobson, N.}
\begin{chunk}{axiom.bib}
@book{Jaco85,
author = "Jacobson, N.",
title = "Basic Algebra I, 2nd ed.",
publisher = "W.H. Freeman and Co.",
year = "1985"
}
\end{chunk}
\index{Lenstra, A.K.}
\begin{chunk}{axiom.bib}
@article{Lens82,
author = "Lenstra, A.K.",
title = "Factorization of Polynomials, Comp. Methods in Number Theory
(part 1)",
journal = "Math. Centre Tracts",
volume = "154",
year = "1982"
}
\end{chunk}
\index{Lenstra Jr., H.W.}
\begin{chunk}{axiom.bib}
@article{Lens91,
author = "Lenstra Jr., H.W.",
title = "Finding Isomorphisms between Finite Fields",
journal = "Math. of Comp.",
volume = "56",
number = "193",
pages = "329-347",
year = "1991"
}
\end{chunk}
\index{Lenstra Jr., H.W.}
\index{Schoof, R.J.}
\begin{chunk}{axiom.bib}
@article{Lens87,
author = "Lenstra Jr., H.W. and Schoof, R.J.",
title = "Primitive Normal Bases for Finite Fields",
journal = "Math. of Comp.",
volume = "48",
number = "177",
pages = "217-231",
year = "1987"
}
\end{chunk}
\index{Lidl, R.}
\index{Niederreiter, H.}
\begin{chunk}{axiom.bib}
@book{Lidl83,
author = "Lidl, R. and Niederreiter, H.",
title = "Finite Fields",
publisher = "Addison-Wesley",
volume = "20",
year = "1983"
}
\end{chunk}
\index{FiniteFieldCategory}
\index{Lipson, John D.}
\begin{chunk}{axiom.bib}
@book{Lips81,
author = "Lipson, John D.",
title = "Elements of Algebra and Algebraic Computing",
publisher = "Addison-Wesley Educational Publishers",
year = "1981",
isbn = "978-0201041156",
algebra = "\newline\refto{category FFIELDC FiniteFieldCategory}"
}
\end{chunk}
\index{L\"uneburg, H}
\begin{chunk}{axiom.bib}
@misc{Lune87,
author = {L\"uneburg, H},
title = "On the Rational Normal Form of Endomorphisms",
comment = "BI-Wissenschaftsverlag",
year = "1987"
}
\end{chunk}
\index{CharacteristicNonZero}
\index{FieldOfPrimeCharacteristic}
\index{ExtensionField}
\index{FiniteFieldCategory}
\index{FiniteAlgebraicExtensionField}
\index{SimpleAlgebraicExtension}
\index{InnerPrimeField}
\index{PrimeField}
\index{FiniteFieldExtensionByPolynomial}
\index{FiniteFieldCyclicGroupExtensionByPolynomial}
\index{FiniteFieldNormalBasisExtensionByPolynomial}
\index{FiniteFieldExtension}
\index{FiniteFieldCyclicGroupExtension}
\index{FiniteFieldNormalBasisExtension}
\index{InnerFiniteField}
\index{FiniteField}
\index{FiniteFieldCyclicGroup}
\index{FiniteFieldNormalBasis}
\index{DiscreteLogarithmPackage}
\index{FiniteFieldFunctions}
\index{InnerNormalBasisFieldFunctions}
\index{FiniteFieldPolynomialPackage}
\index{FiniteFieldPolynomialPackage2}
\index{FiniteFieldHomomorphisms}
\index{FiniteFieldFactorizationWithSizeParseBySideEffect}
\index{Grabmeier, Johannes}
\index{Scheerhorn, Alfred}
\begin{chunk}{axiom.bib}
@techreport{Grab92,
author = "Grabmeier, Johannes and Scheerhorn, Alfred",
title = "Finite fields in Axiom",
type = "technical report",
number = "AXIOM Technical Report TR7/92 (ATR/5)(NP2522)",
institution = "Numerical Algorithms Group, Inc.",
address = "Downer's Grove, IL, USA and Oxford, UK",
year = "1992",
url = "http://www.nag.co.uk/doc/TechRep/axiomtr.html",
algebra =
"\newline\refto{category CHARNZ CharacteristicNonZero}
\newline\refto{category FPC FieldOfPrimeCharacteristic}
\newline\refto{category XF ExtensionField}
\newline\refto{category FFIELDC FiniteFieldCategory}
\newline\refto{category FAXF FiniteAlgebraicExtensionField}
\newline\refto{domain SAE SimpleAlgebraicExtension}
\newline\refto{domain IPF InnerPrimeField}
\newline\refto{domain PF PrimeField}
\newline\refto{domain FFP FiniteFieldExtensionByPolynomial}
\newline\refto{domain FFCGP FiniteFieldCyclicGroupExtensionByPolynomial}
\newline\refto{domain FFNBP FiniteFieldNormalBasisExtensionByPolynomial}
\newline\refto{domain FFX FiniteFieldExtension}
\newline\refto{domain FFCGX FiniteFieldCyclicGroupExtension}
\newline\refto{domain FFNBX FiniteFieldNormalBasisExtension}
\newline\refto{domain IFF InnerFiniteField}
\newline\refto{domain FF FiniteField}
\newline\refto{domain FFCG FiniteFieldCyclicGroup}
\newline\refto{domain FFNB FiniteFieldNormalBasis}
\newline\refto{package DLP DiscreteLogarithmPackage}
\newline\refto{package FFF FiniteFieldFunctions}
\newline\refto{package INBFF InnerNormalBasisFieldFunctions}
\newline\refto{package FFPOLY FiniteFieldPolynomialPackage}
\newline\refto{package FFPOLY2 FiniteFieldPolynomialPackage2}
\newline\refto{package FFHOM FiniteFieldHomomorphisms}
\newline\refto
{package FFFACTSE FiniteFieldFactorizationWithSizeParseBySideEffect}",
abstract =
"Finite fields play an important role for many applications (e.g. coding
theory, cryptograpy). There are different ways to construct a finite
field for a given prime power. The paper describes the different
constructions implemented in AXIOM. These are {\sl polynomial basis
representation}, {\sl cyclic group representation}, and {\sl normal
basis representation}. Furthermore, the concept of the implementation,
the used algorithms and the various datatype coercions between these
representations are discussed.",
paper = "Grab92.pdf",
keywords = "axiomref",
beebe = "Grabmeier:1992:FFA"
}
\end{chunk}
\begin{chunk}{Grabmeier:1992:FFA}
@TechReport{Grabmeier:1992:FFA,
author = "J. Grabmeier and A. Scheerhorn",
title = "Finite Fields in {AXIOM}",
type = "AXIOM Technical Report",
number = "TR7/92 (ATR/5) (NP2522)",
institution = inst-NAG,
address = inst-NAG:adr,
pages = "??",
month = dec,
year = "1992",
bibdate = "Fri Dec 29 16:31:49 1995",
bibsource = "/usr/local/src/bib/bibliography/Theory/Comp.Alg.bib;
http://www.math.utah.edu/pub/tex/bib/axiom.bib",
URL = "http://www.nag.co.uk/doc/TechRep/axiomtr.html",
acknowledgement = ack-nhfb,
}
\end{chunk}
\index{Mullin, R.C.}
\index{Onyszchuk, I.M.}
\index{Vanstone, S.A.}
\begin{chunk}{axiom.bib}
@article{Mull88,
author = "Mullin, R.C. and Onyszchuk, I.M. and Vanstone, S.A.",
title = {Optimal Normal Bases in $GF(p^n)$},
journal = "Discrete Applied Mathematics",
volume = "22",
pages = "149-161",
year = "1988"
}
\end{chunk}
\index{Nickel, W.}
\begin{chunk}{axiom.bib}
@misc{Nick88,
author = "Nickel, W.",
title = {Endliche K\"orper in dem gruppentheoretischen Programmsystem GAP},
comment = "Diplomarbeit, RWTH Aachen",
year = "1988"
}
\end{chunk}
\index{Odlyzko, A.M.}
\begin{chunk}{axiom.bib}
@article{Odly85,
author = "Odlyzko, A.M.",
title = "Discrete logarithms in finite fields and their cryptographic
significance",
journal = "Proc. Eurocrypt '84, LNCS",
volume = "209",
publisher = "Springer-Verlag",
pages = "224-314",
year = "1985"
}
\end{chunk}
\index{Pincin, A}
\begin{chunk}{axiom.bib}
@article{Pinc89,
author = "Pincin, A",
title = "Bases for finite fields and a canonical decomposition for a
normal basis generator",
journal = "Communications in Algebra",
volume = "17",
number = "6",
pages = "1337-1352",
year = "1989"
}
\end{chunk}
\index{Pohlig, S.C.}
\index{Hellman, M.}
\begin{chunk}{axiom.bib}
@article{Pohl78,
author = "Pohlig, S.C. and Hellman, M.",
title = {An improved algorith for computing logarithms over $GF(p)$
and its cryptographic significance},
journal = "IEEE Trans Information Theory",
volume = "IT-24",
pages = "106-110",
year = "1978"
}
\end{chunk}
\index{Rybowicz, M}
\begin{chunk}{axiom.bib}
@article{Rybo89,
author = "Rybowicz, M",
title = "Search of primitive polynomials over finite fields",
journal = "J. Pure Appl.",
volume = "65",
pages = "139-151",
year = "1989"
}
\end{chunk}
\index{Scheerhorn, A.}
\begin{chunk}{axiom.bib}
@misc{Sche92,
author = "Scheerhorn, A.",
title = "Trace- and Norm-Compatible Extensions of Finite Fields",
journal = "Appl. Alg. in Eng., Comm. and Comp.",
year = "1992"
}
\end{chunk}
\index{Scheerhorn, Alfred}
\begin{chunk}{axiom.bib}
@misc{Sche93,
author = "Scheerhorn, Alfred",
title = "Presentation of the algebraic closure of finite fields and
trace-compatible polynomial sequences",
comment = "Darstellungen des algebraischen Abschlusses endlicher Korper
und spur-kompatible Polynomfolgen",
year = "1993",
abstract =
"For numerical experiments concerning various problems in a finite
field $\mathbb{F}_q$ it is useful to have an explicit data
presentation $\mathbb{F}_{q^m}$ of for large $m$, and a method for the
construction of towers
\[\mathbb{F}_q \subset \mathbb{F}_{q^{d_1}} \subset \cdots \subset
\mathbb{F}_{q^{d_k}} = \mathbb{F}_{q^m}\]
In order to avoid the identification problem it is advantageous to
have all fields in the tower presented by properly chosen normal bases,
whereby the embedding
$\mathbb{F}_{q^{d_i}} \subset \mathbb{F}_{q^{d_{i+1}}}$
is given by the trace function.
The following notion is introduced: A sequence of polynomials
$\{f_n | n \ge 1\}$ with degree$(f_n)=n$ called trace-compatible over
$\mathbb{F}_q$ if (1) $f_n$ is a normal polynomial over $\mathbb{F}_q$,
(2) if $\alpha_n \in \mathbb{F}_{q^n}$ is a root of $f_n$, then for any
proper divisor $d$ of $n$ the trace of $\alpha_n$ over $\mathbb{F}_{q^d}$
is a root of $f_d$.
The main goal of the dissertation is to give algorithms for
construction of sequences of trace-compatible polynomials and to
present explicit numerical data. An analogous notion of
norm-compatible sequences is also introduced and studied.
The dissertation consists of four chapters and a supplement, as
follows: (1) Basic notions (1-31). (2) Presentation of the algebraic
closure of a finite field (32-59). (3) Sequences of polynomials and
sequences of elements (60-115). (4) Implementations (118-139). (5)
Supplement (142-171).
In chapters (1)–(3) various known results and algorithms are
collected, and new results are added and compared with those
previously used.
The numerical results in the supplement contain sequences of
trace-compatible polynomials of degree $n$, where $n \le 100$, and
$q=2,3,5,7,11,13$. For implementation, the computer-algebra system
AXIOM has been used. The details contained in this dissertation are
not readily describable in a short review.",
keywords = "axiomref"
}
\end{chunk}
\index{Shoup, V.}
\begin{chunk}{axiom.bib}
@article{Shou92,
author = "Shoup, V.",
title = "Searching for Primitive Roots in Finite Fields",
journal = "Math. of Comp.",
volume = "58",
number = "197",
pages = "369-380",
year = "1992"
}
\end{chunk}
\index{Stinson, D.R.}
\begin{chunk}{axiom.bib}
@article{Stin90,
author = "Stinson, D.R.",
title = {Some oberservations on parallel algorithms for fast exponentiation
in $GF(2^n)$},
journal = "SIAM J. Comp.",
volume = "19",
number = "4",
pages = "711-717",
year = "1990"
}
\end{chunk}
\index{Varshamov, Gamkrelidze}
\begin{chunk}{axiom.bib}
@article{Vars81,
author = "Varshamov, Gamkrelidze",
title = "Method of construction of primitive polynomials over finite fields",
journal = "Soobsheh. Akad. Nauk Gruzin.",
volume = "99",
pages = "61-64",
year = "1981"
}
\end{chunk}
\index{Wassermann, A.}
\begin{chunk}{axiom.bib}
@article{Wass89,
author = "Wassermann, A.",
title = "Konstruktion von Normalbasen",
journal = "Bayreuther Math. Schriften",
volume = "31",
pages = "1-9",
year = "1989"
}
\end{chunk}
---
books/axiom.sty | 6 +
books/bookvol10.1.pamphlet | 1761 ++++++++++++++++++++++++++++++++++++++++
changelog | 2 +
patch | 505 +++++++++++-
src/axiom-website/patches.html | 2 +
5 files changed, 2267 insertions(+), 9 deletions(-)
diff --git a/books/axiom.sty b/books/axiom.sty
index 0dbf48d..8634d79 100644
--- a/books/axiom.sty
+++ b/books/axiom.sty
@@ -42,6 +42,12 @@
\mathchardef\bigslash="232C
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%% implement the ceiling and floor functions
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\providecommand{\ceiling}[1]{\left\lceil #1\right\rceil}
+\providecommand{\floor}[1]{\left\lfloor #1\right\rfloor}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% This is used to put underscores into the index
%% e.g. \index{abc\uscore{}def}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
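Review bot: The two added `\providecommand` lines for `\ceiling` and `\floor` silently keep any earlier definition of the same name, so if a package loaded before axiom.sty already defines `\floor` or `\ceiling` (some math packages may), the document gets that definition without any warning and the `\left\lfloor … \right\rfloor` sizing intended here is not applied. If a guaranteed definition is the intent, `\newcommand` would fail loudly on a clash instead of deferring; if deferring is deliberate, a comment saying so would spare the next reader the question, e.g. `%% providecommand on purpose: keep a pre-existing \ceiling/\floor if some package defines one`. The surrounding `\mathchardef` and `\uscore` context lines are unchanged by this hunk.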
diff --git a/books/bookvol10.1.pamphlet b/books/bookvol10.1.pamphlet
index b44f914..6274c7f 100644
--- a/books/bookvol10.1.pamphlet
+++ b/books/bookvol10.1.pamphlet
@@ -8544,6 +8544,1767 @@ If we zigzag properly, we can get Gauss' formula for interpolation:
\[y(u)=y_0+u\Delta{}y_0+\frac{u(u-1)}{2}\Delta^2y(-1)+
\frac{u(u^2-1)}{3!}\Delta^3y(-1)+\cdots\]
+\chapter{Finite Fields in Axiom (Grabmeier/Scheerhorn)}
+
+This was written by Johannes Grabmeier and Alfred Scheerhorn.
+
+Finite fields play an important role in mathematics and in many
+applications as coding theory or factorizing polynomials in computer
+algebra systems. They are the finite sets which have a computational
+structure as the classical fields of rational or complex numbers,
+i.e. addition + and multiplication with inverses and the usual group
+axioms as commutativity and associativity laws and their interaction
+via the distributivity laws. For further details see any book on
+algebra or our preferred reference for finite fields \cite{Lidl83}.
+
+The finite fields are classified: For each prime power $q=p^n$ there
+is up to isomorphism exactly one finite field of these size and there
+are no more. So far this looks nice, easy and complete. However, there
+are different constructions of a finite field of a given size $q$,
+each having different advantages and disadvantages. This paper deals
+with such constructions and implementations in the computer algebra
+system Axiom, various isomorphims and embeddings. We have three
+different kinds of constructions, namely polynomial basis
+representation, normal basis representation, and cyclic group
+representation.
+
+The various advantages and disadvantages which will be discussed along
+with the special implementations of the representations in the
+respective sections. All are strongly connected with the construction
+of irreducible polynomials which have additional properties. The user
+of Axiom may choose the representation which best meets the needs for
+his applications. For each type we have provided automatic choices as
+well as the liberty to use a favourite polynomial. In addition there
+are implementations for mechanisms to convert the data from one
+representation to the other.
+
+The paper is organized as follows: For convenience of the readers we
+first recall some basic facts from the theory of finite fields. Then
+we introduce our category design of the finite field world in
+Axiom. Next comes the description of all the functions which are valid
+and useful for every finite field. We employ the abstract datatype
+concepts of Axiom, which allows to implement such functions in the
+default packages of these categories. This makes an implementation in
+the different domains superfluous. Using a special kind of
+representation the implementation of many functions can be improved in
+order to have a more effcient computation. We describe these improved,
+additional domain implementations in the sections according to the
+special representations. Section \ref{section10} is devoted to the various
+constructions of polynomials. In section \ref{section12}
+we finally give results of
+time comparison of the various representations.
+
+\section{Basic theory and notations}
+\label{section2}
+
+\href{http://axiom-developer.org/axiom-website/GroupTheoryII/Salomone.html}
+{Salomone's lectures}
+provide background material for this section.
+
+We denote a finite field with $q=p^r$ elements, $p$ a prime and
+$r \in \mathbb{N}$, by $GF(q)$. The {\sl prime field GF(p)} can be
+constructed as $\mathbb{Z}/p\mathbb{Z} = \{0,1,\ldots,p-1\}$.
+The finite field $GF(q)$ is an algebraic extension of the field $GF(p)$
+and isomorphic to the splitting field of $X^q-X$ over $GF(p)$.
+Let $\alpha,\beta \in GF(q)$ and $c \in GF(p)$, then we have
+$(\alpha+\beta)^p=\alpha^p+\beta^p$ and $c\alpha^p=(c\alpha)^p$.
+Therefore powering with $p$ or powers of $p$ is a linear operation
+over $GF(p)$. Let $E=GF(q^n)$ be an extension of $F=GF(q)$ of degree
+$n \in \mathbb{N}$. The automorphism group of $E$ over $F$ is cyclic of
+order $n$ and generated by
+\[\sigma : \alpha \rightarrow \alpha^q\]
+which is called a {\sl Frobenius automorphism}.
+
+Let $f \in F[X]$ be a monic, irreducible polynomial of degree $n$. Then
+\[E \simeq F[X]/(f)\]
+where $(f)=f\cdot F[X]$ denotes the principal ideal generated by $f$, and
+the isomorphism is given by
+$\alpha \mapsto (X {\rm\ mod\ }f)$, where $\alpha$
+is a root of $f$ in $E$. $\alpha$ generates a {\sl polynomial basis}
+$\{1,\alpha,\ldots,\alpha^{n-1}\}$ of $E$ over $F$. Every element
+$\beta \in E$ can be expressed uniquely in the form
+\[\beta=\sum_{i=0}^{n-1}{b_i\alpha^i}\]
+This kinds of representing elements of $E$ is called {\sl polynomial basis
+representation}.
+
+Let $\alpha \in E$, the monic, irreducible polynomial $f \in F[X]$ with
+$f(\alpha)=0$ is called the {\sl minimal polynomial} of $\alpha$ over $F$.
+All the roots of $f$ are given by the set of {\sl conjugates}
+\[\{\alpha,\alpha^q,\ldots,\alpha^{q^n}\}\]
+of $\alpha$ of $F$. Therefore
+\[f=\prod_{i=0}^{n-1}{(X-\alpha^{q^i})}\]
+
+The {\sl trace} $T_{E/F}(\alpha)$ and the {\sl norm} $N_{E/F}(\alpha)$ of
+$\alpha$ over $F$ are defined by the sum and the product of the conjugates
+of $\alpha$, respectively,
+\[T_{E/F}(\alpha)=\sum_{i=0}^{n-1}{\alpha^{q^i}},\quad
+N_{E/F}(\alpha)=\prod_{i=0}^{n-1}{\alpha^{q^i}}=
+\alpha^{\frac{q^n-1}{q-1}}\eqno{(1)}\]
+These values can be read off from the minimal polynomial
+\[f=\sum_{i=0}^n{f_iX^i} \in F[X]\] of $\alpha$ over $F$:
+\[T_{E/F}(\alpha)=-f_{n-1},\quad N_{E/F}(\alpha)=(-1)^n f_0\]
+The {\sl degree} of $\alpha$ over $F$ is the degree of the smallest
+subfield of $E$ over $F$, which contains $\alpha$, i.e. the minimal
+integer $d>0$ for which
+\[\alpha^{q^d}=\alpha\]
+If $\alpha$ has degree $d$ over $F$, the minimal polynomial
+$m_\alpha(X)$ of $\alpha$ then has degree $d$, too.
+
+The multiplicative group $E^*$ of $E$ is cyclic of order $q^n-1$. A
+generator of this group is called a {\sl primitive element} of $E$
+and the minimal polynomial of such an element is called a
+{\sl primitive polynomial}. Every nonzero element $\beta \in E$ can be
+expressed as a power of $\alpha$:
+\[\beta=\alpha^e\]
+where $0\le e < q^n-1$ is uniquely determined. This kind of representing
+the elements of $E$ is called {\sl cyclic group representation} of $E$.
+The exponent $e$ is called the {\sl discrete logarithm} of $\beta$ to
+base $\alpha$ denoted by $e=log_\alpha(\beta)$. Note, that exponentiaion
+\[\mathbb{Z}\times E \rightarrow E:(e,\alpha)\mapsto \alpha^e\]
+defined a $\mathbb{Z}$-module structure on the multiplicative group $E^*$.
+
+Analogically one can define a module structure on the additive group
+of $E$ in the following way.
+
+Let $\circ : F[X] \times E \rightarrow E$ be defined by
+\[\sum_i{a_iX^i} \circ \alpha := \sum_i{a_i\alpha^{q^i}}\]
+Then we get for $\alpha \in E$,
+$g=\sum_i{g_iX^i}$,
+$f=\sum_j{f_jX^j} \in F[X]$,
+\[g\circ(f\circ\alpha)=g\circ(\sum_j{f_j\alpha^{q^j}})=
+\sum_i{g_i(\sum_j{f_j\alpha^{q^j}})^{q^i}}=
+\sum_{i,j}{g_if_j\alpha^{q^{i+j}}}=
+(g\cdot f)\circ\alpha\]
+This proves that the operation $\circ$ defines an $F[X]$-module
+structure on the additive group of $E$.
+
+For $\alpha\in E$ the annihilator ideal
+$Ann_\alpha=\{f\in F[X] : f\circ\alpha=0\}$ of $\alpha$ is
+generated by a single polynomial of $F[X]$, since $F[X]$ is a principle
+ideal domain. We call the unique, monic generator of $Ann_\alpha$ the
+{\sl linear associated order} of $\alpha$ over $F$, denoted by
+${\rm Ord}_q(\alpha)$:
+\[\{f\in F[X] : f\circ\alpha=0\}={\rm Ord}_q(\alpha)F[X]\]
+Since $(X^n-1)\circ\alpha=\alpha^{q^n}-\alpha=0$ for all $\alpha\in E$,
+${\rm Ord}_q(\alpha)$ divides $(X^n-1)$.
+
+If ${\rm Ord}_q(\alpha)=(X^n-1)$ then there exists no polynomial of
+degree less $n$ in F[X] annihilating $\alpha$, i.e. if $f\in F[X]$ is
+of degree ${\rm deg}(f)
+ Union(NonNegativeInteger,"failed")
+\end{verbatim}
+in the package {\tt DiscreteLogarithmPackage(M)} and {\tt M} has to be
+of type {\tt Join(Monoid,Finite)}, i.e. a finite multiplicative Monoid.
+\begin{verbatim}
+ shanksDiscLogAlgorithm(b,a,p)
+\end{verbatim}
+computes $e$ with $b^e=a$ assuming that $b$ and $a$ are elements of a
+finite cyclic group of order $p$. If no such $e$ exists, it returns
+{\tt "failed"}.
+
+Here is a brief description of the algorithm: Let $\tilde{p}$ be an
+integer close to $\sqrt{p}$. First we create a key-access table with
+entries $(b^k,k)$. Then we look whether the table contains an entry
+with key $a\cdot b^{-j\tilde{p}}$ and get $k$ with
+$a\cdot b^{-j\tilde{p}}=b^k$ for the smallest $j=0,1,\ldots,
+\ceiling{p/\tilde{p}}-1$ or {\tt "failed"}. In the first case the result
+is $e=k+j\tilde{p}$.
+
+In the Silver-Pohlig-Hellman algorithm for a given base $\beta\in E$,
+the first argument $b$ when calling {\tt shanksDiscLogAlgorithm(b,.,.)}
+is for a fixed prime factor $p$ of $(q^n-1)$ always the same. To compute
+logarithms to the base given by {\tt primitiveElement()\$E} efficiently,
+the tables needed by Shanks algorithm are precomputed and stored in the
+global variable
+\begin{verbatim}
+ discLogTable : Table(PI,Table(PI,NNI))
+\end{verbatim}
+in {\tt E}. It is initialized at the first call of the function
+{\tt discreteLog}. Here {\tt PI} abbreviates {\tt PositiveInteger}
+and {\tt NNI} abbreviates {\tt NonNegativeInteger}.
+
+To implement the discrete logarithm function on category level in
+{\tt FiniteFieldCategory}, we have to make this data available to the
+category. This is done by exporting the function
+\begin{verbatim}
+ tableForDiscreteLogarithm: Integer -> Table(PI,NNI)
+\end{verbatim}
+Called with a prime divisor $p$ of $q^n-1$ as argument, it returns a
+table of size roughly $\tilde{p}\approx\sqrt{p}$, whose $k$-th entry for
+$0 \le k < \tilde{p}$ is of the form
+\begin{verbatim}
+ [lookup(a**k),k) : Record(key:PI,entry:PI)
+\end{verbatim}
+where $a=\alpha^{(q^n-1)/p}$
+
+We implemented two functions for discrete logarithms:
+\begin{verbatim}
+ discreteLog: E -> NonNegativeInteger
+ discreteLog: (E,E) -> Unioin(NonNegativeInteger,"failed")
+\end{verbatim}
+The first one computes discrete logarithms to the base
+{\tt primitiveElement()\$E} using the precomputed tables.
+{\tt discreteLog(b,a)} computes ${\rm log}_b(a)$ if $a$ belongs
+to the cyclic group generated by $b$ and fails otherwise. This function
+does not use the table {\tt discLogTable}. No initialization of this
+table is performed using the second function.
+
+\subsection{Elements of maximal order}
+\label{section4.5}
+
+The functions
+\begin{verbatim}
+ primitiveElement()$E
+ normalElement()$E
+\end{verbatim}
+yields a primitive element of $E$ and a generator of a normal basis of
+$E$ over $F$, respectively. The first having maximal multiplicative order
+$(q^n-1)$, the second maximal linear associated order $(X^n-1)$.
+
+To compute elements of maximal order there exist algorithms which construct
+elements of high order from elements of low order. For a unifying module
+theoretic approach see L\"uneburg\cite{Lune87} chap.IV. For the construction of
+primitive elements see \cite{Rybo89} where an algorithm is described which is
+originally given in \cite{Vars81}.
+Algorithms for finding generators of normal basis
+are described in \cite{Gath90}, \cite{Lens91}, or \cite{Pinc89}.
+
+Experiments have shown that in practice it is more efficient to simply run
+through the field and test until an element of maximal order is found.
+However, not very many theoretical results are known on deterministic
+search procedures. In some situations there are results depending on the
+Extended Riemann Hypothesis, see \cite{Shou92}.
+
+To aviod searching a second time for the same element, we store the results
+after the first computation of such an element using the helper functions
+\begin{verbatim}
+ createPrimitiveElement()$E
+ createNormalElement()$E
+\end{verbatim}
+
+The functions
+\begin{verbatim}
+ primitive?
+ normal?
+\end{verbatim}
+check whether the multiplicative resp. linear associated order of an
+element is maximal.
+
+The primitivity of an $\alpha$ in $E$ is tested using the fact that
+$\alpha$ is primitive in $E$ if and only if for all prime factors $p$
+of $(q^n-1)$ holds:
+\[\alpha^{(q^n-1)/p} \ne 1\]
+see e.g. Theorem 2 of chap. I.X.1.3 in \cite{Lips81}.
+
+For testing whether a given element $\alpha$ generates a normal basis
+of $E$ over $F$ we use Theorem 2.39 of \cite{Lidl83}: $\alpha\in E$ generates a
+normal basis of $E$ over $F$ if and only if $(X^n-1)$ and
+$\sum_{i=0}^{n-1}{\alpha^{q^i}X^{n-1-i}}$ are relatively prime in $E[X]$
+
+\subsection{Enumeration of elements of $E$}
+\label{section4.6}
+
+The number of elements of $E$ can be found out by calling {\tt size()\$E}.
+The elements of {\tt E} are enumerated by
+\begin{verbatim}
+ index: PositiveInteger -> E
+\end{verbatim}
+with inverse
+\begin{verbatim}
+ lookup: E -> PositiveInteger
+\end{verbatim}
+
+These functions implement a bijection between {\tt E} and the set of
+positive integers $\{1,2,\ldots,q^n\}$. They allow iterating over all
+field elements. {\tt lookup} can be used to store field elements in a
+variable of type {\tt PositiveInteger}. This is often less memory
+expensive than storing the field element which may be represented in a
+complicated way. For time efficiency reasons these functions have different
+implementations according to the different representations. ALl of them have
+in common that {\tt index}$(q^n)=0\$E$ and {\tt lookup}$(0\$E)=q^n$.
+
+\subsection{Conversion between elements of the field and its groundfield}
+\label{section4.7}
+
+To check whether a given element $\alpha$, representation by {\tt a} in
+the field {\tt E}, belongs to its groundfield $F$ use
+{\tt inGroundField?(a)}. If $\alpha$ belongs of $F$, datatype conversion
+is provided by {\tt retract(a)}.
+
+Embedding from {\tt F} to {\tt E} is done using {\tt coerce} abbreviated
+by {\tt ::} in Axiom. If {\tt a} is the representation of $\alpha$ in
+{\tt F}, then {\tt (a::E)} is the element of {\tt E} representing $\alpha$.
+
+All these functions depend on the representation used and are explained in
+the sections according to the special representations.
+
+\section{Prime field}
+\label{section5}
+
+Let $p$ be a prime number. Since $GF(p)\simeq\mathbb{Z}/p\mathbb{Z}$
+in Axiom the internal representation of elements of the domains
+\begin{verbatim}
+ IPF(p) InnerPrimeField(p)
+ PF(p) PrimeField(p)
+\end{verbatim}
+is {\tt IntegerMod(p)}, from which most functions are inherited. The
+only difference between {\tt IPF} and {\tt PF} is, that in {\tt PF} it
+is checked whether the parameter $p$ is prime while this is not checked
+in {\tt IPF}.
+
+Many functions as {\tt trace} or {\tt inGroundField?} are trivial for
+a prime field. For a human being there is no problem to consider a
+prime field as an extension of degree 1 of itself. For recursions
+depending e.g. on the extension degree and simply for completeness,
+we have decided to make {\tt PrimeField} an {\tt FiniteAlgebraicExtensionField}
+of itself. The trivial implementations include
+\begin{verbatim}
+ normalElement() == 1
+ inGroundField?(a) == true
+ generator() == 1
+\end{verbatim}
+
+Since the value returned by {\tt generator()} should be a root of the
+defining polynomial of the field extension, we had to code
+{\tt definingPolynomial} to be $X-1$ and not e.g. $X$.
+
+\subsection{Extension Constructors of Finite Fields}
+\label{section5.1}
+
+There are three choices to make when one wants to construct a
+finite field as an extension of a ground field in Axiom.
+
+The first choice is the type of representation. It can be remainder
+classes of polynomials,
+see section \ref{section6}, exponents of a primitive element,
+see section \ref{section7}, or a normal basis representation,
+see section \ref{section8}. The part of the
+abbreviation of the corresponding domain constructors are
+{\tt FF}, {\tt FFCG}, and {\tt FFNB}, respectively.
+
+Secondly, we have to decide which ground field we choose, either the
+prime field or any other subfield. In the first case the first parameter
+of all domain constructors is just a prime number and one has to use
+the names above. In the other case the first parameter is the domain
+constructed recursively to represent the chosen subfield.
+
+The second parameter governs the extension. All constructions depend on an
+irreducible polynomial, whose degree is the extension degree and has, if
+necessary, additional properties. If one doesn't care about this polynomial,
+one has to give the degree as the second parameter and the polynomial will
+be chosen approximately by Axiom. In the case where we define the prime
+field by supplying a prime number, this is the only choice. In the other
+case one has to append the letter {\tt X} to the receive the domain
+constructors {\tt FFX}, {\tt FFCGX}, and {\tt FFNBX}, respectively. If
+one wants to supply one's favorite polynomial as the second parameter we
+have to substitute the letter {\tt X} by {\tt P}.
+
+Here are a few datatype constructions for these nine possibilities:
+{\tt FF(2,10)} implements an extension of the prime field {\tt PF 2}
+of degree 10. Axiom chooses an irreducible polynomial of degree 10 for
+this polynomial basis representation.
+
+{\tt FFNBX(FFCGP(3,f),5)} implements an extension of the field with $3^n$
+elements, represented as exponents of a primitive element, where $f$ is a
+primitive polynomial of degree $n$. The extension of degree 5 is realized
+by Axiom by choosing a normal polynomial of degree 5 with coefficients in
+{\tt FFCGP(3,f)}.
+
+As overloading of constructor names is not supported by the current
+compiler, we had to create all these different names as explained above.
+As soon as the new compiler will support this we may consider to unify
+these domain domain names, see section \ref{section11}.
+
+\section{Polynomial basis representation}
+\label{section6}
+
+Let $E=GF(q^n)$ be an extension of degree $n$ over $F=GF(q)$. Then
+\[E\simeq F[X]/(f)\]
+where $f\in F[X]$ is an arbitrary monic irreducible polynomial
+of degree $n$.
+If $\alpha$ is a root of $f$ in $E$, then $\{1,\alpha,\ldots,\alpha^{n-1}\}$
+constitutes a basis of $E$ over $F$ and we can write all elements
+$\beta\in E$ uniquely in the form:
+\[\beta=\sum_{i=0}^{n-1}{b_i\alpha^i},\quad b_i\in F\]
+
+This kind of representation is used in the domains
+\begin{verbatim}
+ FFP FiniteFieldExtensionByPolynomial
+ FFX FiniteFieldExtension
+ IFF InnerFiniteField
+ FF FiniteField
+\end{verbatim}
+
+The only difference between these domains are the different natures of
+their parameterization,
+see section \ref{section5.1}. The datatype {\tt InnerFiniteField}
+extends the prime field {\tt InnerPrimeField},
+see section \ref{section5}. Let {\tt F}
+be the domain representing $F$ and {\tt E:=FFP(F,f)} the extension of $F$
+defined by $f$.
+
+For the internal representation of elements of $E$ we use polynomials
+modulo $f$. This structure is in Axiom implemented by the domain
+\begin{verbatim}
+ SAE(F,SUP(F),f) SimpleAlgebraicExtension(F,SUP(F),f)
+\end{verbatim}
+Here {\tt SUP(F)} abbreviates {\tt SparseUnivariatePolynomial(F)} a
+domain representing polynomials over $F$. Most arithmetic operations are
+inherited from this domain. There are only a few functions which have a
+special implementation.
+
+The imbedding of {\tt F} in {\tt E} is obvious:
+$\sum_{i=0}^{n-1}{a_i\alpha^i}$ is in $F$ if and only if
+$a_1,a_2,\ldots,a_{n-1}=0$. Using this, the functions
+\begin{verbatim}
+ retract: E -> F
+ coerce: F -> E
+ inGroundfield? E -> Boolean
+\end{verbatim}
+are implemented in the obvious way.
+
+To check whether $\beta$ is normal in $E$ over $F$ we proceed as follows.
+Let $M \in F^{n\times n}$ be the matrix, whose $i$-th column is the
+coordinate vector of $\beta^{q^i}$ with respect to the polynomial basis
+for $0 \le i < n$. The element $\beta$ is normal if and only if the rank
+of $M$ equals $n$.
+
+The coordinates of $\beta\alpha^i$ collected in a matrix similar as before
+give the {\sl regular matrix representation}
+(see e.g. chap.7.3 in \cite{Jaco85}) of
+$\beta$. The functions {\tt trace} and {\tt norm} compute the trace and
+norm of $\beta$ over $F$ by computing the trace and determinant of this
+matrix, respectively.
+
+\section{Cyclic group representation}
+\label{section7}
+
+In this section we make use of the fact, that the multiplicative group of
+a finite Field $E$ with $q^n$ Elements is cyclic of order $q^n-1$. Therefore
+it is isomorphic to $\mathbb{Z}/(q^n-1)\mathbb{Z}$. Once a primitive
+element $\alpha$ of $E$ is fixed (i.e. a generator of the multiplicative
+group), ever nonzero element $\beta$ of $E$ is uniquely determined by
+its discrete logarithm $e$ to $\alpha$, i.e. the element
+$0 \le e \le q^n-1$ with $\alpha^e=\beta$.
+
+In the three domains
+\begin{verbatim}
+ FFCGP FiniteFieldCyclicGroupExtensionByPolynomial
+ FFCGX FiniteFieldCyclicGroupExtension
+ FFCG FiniteFieldCyclicGroup
+\end{verbatim}
+the nonzero field elements are represented by powers of a fixed primitive
+element. Let {\tt F} be a finite field domain representing $F$, $E$ the
+extension of $F$ defined by the monic, irreducible polynomial $f(x) \in F[X]$
+with root $\alpha \in E$. Let $\alpha$ be primitive in $E$ and
+{\tt E:=FFCGP(F,f)} be the domain representing $E$.
+
+As the fixed primitive element used for the representation, we take the root
+$\alpha$ of $f$. It is returned by calling {\tt generator()\$E}, which is
+equal to the function {\tt primitiveElement()\$E} in this representation.
+
+The aim of a cyclic group representation of finite fields is to offer
+a very fast field arithmetic. All operation concerning the multiplicative
+structure of the field are quite easy to compute. To have a quick addition
+one has to store a Zech (Jacobi) logarithm table in memory, see setion 7.2.
+This table is of size about $q^n/2$. For efficiency reasons we also want
+to use {\tt SmallInteger} and not {\tt Integer} as the internal
+representation of the field elements. Therefore we restricted ourself
+to a field size of maximal $2^{20}$ elements:
+\begin{verbatim}
+ if sizeFF > 2**20 then
+ error "field too large for cyclic group representation"
+\end{verbatim}
+
+A nonzero element $\beta\in E$ is represented by the unique
+$n \in \{0,1,\ldots,q^n-2\}$ of type {\tt SmallInteger} with
+$\alpha^n=\beta$ and $0\in E$ is represented by the {\tt SmallInteger} $-1$.
+
+\subsection{Operations of multiplicative nature}
+\label{section7.1}
+
+The implementation of the operations concerning the multiplicative group
+is very easy. Since $\alpha^n\cdot \alpha^m=\alpha^{n+m}$, multiplication
+of nonzero elements becomes a {\tt SmallInteger} addition modulo $q^n-1$.
+Similarly the exponentiation of field elements and the norm function are
+done by a modular {\tt SmallInteger} multiplication. Inversion is nothing
+more than changing the sign of the representing {\tt SmallInteger} module
+$q^n-1$. Discrete logarithms to base $\alpha$ can be read off directly
+from the representation and for computing the discrete logarithm to a
+arbitrary base one has to perform the extended euclidean algorithm in
+$\mathbb{Z}$.
+
+If we want to compute the discrete logarithms $d$ of $\gamma=\alpha^m$
+to base $\beta=\alpha^b$ we have to solve:
+\[(\alpha^b)^d=\alpha^m\]
+
+This is solvable if and only if $m$ is divisible by
+\[g:={\rm gcd}(b,q^n-1)=rb+s(q^n-1)\]. In this case we set
+\[d=\frac{rm}{g}{\rm mod}(q^n-1)\]
+
+Computing the multiplicative order of elements is done by
+\[{\rm ord}(\alpha^e)=\frac{{\rm ord}(\alpha)}{{\rm gcd}(e,{\rm ord}(\alpha))}
+=\frac{q^n-1}{{\rm gcd}(e,q^n-1)}\]
+
+Therefore an element $\beta$ is primitive in $E$ if and only if its
+representation is relatively prime to $q^n-1$.
+
+\subsection{Addition and Zech logarithm}
+\label{section7.2}
+
+Addition is performed via the Zech (or Jacobi) logarithm $Z(k)$ which is
+defined by
+\[\alpha^{Z(k)}=\alpha^k+1\]
+
+In the domain {\tt E} the Zech logarithm array is stored in the global
+variable
+\begin{verbatim}
+ zechlog : PrimitiveArray(SmallInteger)
+\end{verbatim}
+of the datatype of length $(q^n+1)/2$. Its $k$-th entry
+corresponds to $Z(k)$. $Z(k)$ is undefined, if $\alpha^k+1=0$.
+This exception appears in characteristic 2 if $k=0$ and in odd
+characteristic if $k=(q^n-1)/2$. To indicate this we define
+{\tt zechlog.k=-1} in these cases. Now the sum of $\alpha^i$ and
+$\alpha^j$ is computed in the following way:
+
+Let $k$ be the smaller one of $\{(i-j){\rm\ mod\ }(q^n-1)$,
+$(j-i){\rm\ mod\ }(q^n-1)\}$. Notice that $k\le(q^n-1)/2$. Then
+\[\alpha^i+\alpha^j:=
+\begin{cases}
+0 & {\rm if}~Z(k)~{\rm undefined}\\
+\alpha^{i+Z(k)} & {\rm if}~k=(j-i)~{\rm mod}~(q^n-1)\\
+\alpha^{j+Z(k)} & {\rm if}~k=(j-i)~{\rm mod}~(q^n-1)
+\end{cases}
+\]
+
+In addition to some {\tt SmallInteger} operatoins there is only
+one access to the Jacobi logarithm array. Therefore addition is
+very fast too.
+
+Since $-1=\alpha^{(q^n-1)/2}$ in odd characteristic, $-\alpha^n$
+can be computed by
+\[-\alpha^n:=
+\begin{cases}
+\alpha^n & {\rm if\ char}(E)=2\\
+\alpha^{n+(q^n-1)/2} & {\rm otherwise}
+\end{cases}
+\]
+
+The Jacobi logarithm array is initialized at the first time when
+it is needed. This procedure may last some time. The initialization
+is done by calling the function {\tt createZechTable(f)} parameterized
+with the defining polynomial of the field in the package
+{\tt FiniteFieldFunctions(F)}. The user gets access to this table
+by calling {\tt getZechTable()\$E}.
+
+In K. Huber\cite{Hube90} explains how to reduce the size of the table needed
+to compute all Jacobi logarithms. These observations are useful for
+high extension degree, but the times for addition are increased,
+therefore these ideas were not implemented.
+
+To check if a given element belongs to $F$ is quite easy. It depends
+on whether the representation $e$ of $\alpha^e$ is divisible by
+$(q^n-1)/(q-1)$ or not. If $e=k(q^n-1)/(q-1)$ we have
+\[(\alpha^e)^{q-1}=\alpha^{k(q^n-1)}=1\]
+and therefore $\alpha^e$ belongs to $F$. The degree of $\alpha^e$
+over $F$ is given by the minimal integer $d>0$ for which
+$eq^d\equiv e{\rm\ mod\ }(q^n-1)$. The trace and the norm function
+are computed directly using (1) on page 6.
+
+\subsection{Time expensive operations}
+\label{section7.3}
+
+But there remain some operations, which are quite time expensive.
+That are those operations, which change the representation of the
+field elements:
+\begin{verbatim}
+ coerce: F -> E
+ retract: E -> F
+ represents: Vector F -> E
+ coordinates: E -> Vector F
+\end{verbatim}
+
+Let $\beta=N_{E/F}(\alpha)$ be the norm of $\alpha$ over $F$.
+Since $\beta$ is primitive in $F$, every nonzero element $\gamma$
+of $F$ can be expressed by a power of $\beta$. We get
+\[\gamma=\beta^e=\alpha^{e\frac{q^n-1}{q-1}}\]
+for a suitable value $0 \le e \le q-1$. This $\beta$ is stored
+in the global variable {\tt primEltGF} in {\tt E}. The function
+{\tt retract} applied to $(\alpha^e)$ first checks if the element
+$\alpha^e$ belongs to $F$. In this case $e$ is divisible by
+$(q^n-1)/(q-1)$ and {\tt retract} can raise {\tt primEltGF} in
+{\tt F} to the power $e(q-1)/(q^n-1)$.
+
+{\tt coerce} applied to $\gamma\in F$, $\gamma \ne 0$, computes
+the discrete logarithm of $\gamma$ to the base {\tt primEltGF} in
+{\tt F} and multiples this value by $(q^n-1)/(q-1)$ to get the
+desired representation of $\gamma$ in {\tt E}.
+
+{\tt coordinates} applied to $(\alpha^e)$ raises the residue
+class $(X{\rm\ mod\ }f)$ to the power $e$. This is performed in a
+{\tt SimpleAlgebraicExtension} of the {\tt F} by {\tt f}. The
+returned vector is the coordinate vector of $\alpha^e$ to the
+polynomial basis generated by $\alpha$.
+
+{\tt represents} considers the given vector as coordinate vector of
+an element $\beta$ in {\tt FiniteFieldExtensionByPolynomial(F,f)}
+and computes its discrete logarithm to base $\alpha$ in that domain.
+This logarithm is the representation of $\beta$ in {\tt E}.
+
+\section{Normal basis representation}
+\label{section8}
+
+Let $E=GF(q^n)$ be an extension of degree $n$ over the finite
+field $F=GF(q)$ and $f\in F[X]$ be the polynomial which defines
+the extension. Assume further that the roots
+$\{\alpha,\alpha^q,\ldots,\alpha^{q^{n-1}}\}$ of $f$ in $E$ are
+linearly independent over $F$. Then $\alpha$ is normal in $E$
+over $F$ and every element of $E$ can be expressed in the form
+\[\beta=\sum_{i=0}^{n-1}{b_i\alpha^{q^i}}\]
+with $b_i\in F$. This kind of representation is used in the domains
+\begin{verbatim}
+ FFNBP FiniteFieldNormalBasisExtensionByPolynomial
+ FFNBX FiniteFieldNormalBasisExtension
+ FFNB FiniteFieldNormalBasis
+\end{verbatim}
+
+Let {\tt F} be a finite field domain representing $F$ and
+{\tt E:=FFNBP(F,f)} the normal basis extension of $F$ by $f$.
+
+We get the root $\alpha$ of $f$ in $E$ by calling {\tt generator()\$E}
+which in this representation is equal to {\tt normalElement()\$E}.
+
+The internal representation of the elements of {\tt E} is
+{\tt Vector F}. The element $\beta=\sum_{i=0}^{n-1}{b_i\alpha^{q^i}}$
+is represented by the coordinate vector
+$(b_0,b_1,\ldots,b_{n-1})$ of $\beta$ w.r.t. the normal basis
+generated by $\alpha$ and computed by {\tt coordinates}$(\beta)$.
+The normal basis is returned by {\tt basis()\$E}. In the sequel we
+identify coordinate vectors $(b_0,b_1,\ldots,b_{n-1})$
+representing $\sum_{i=0}^{n-1}{b_i\alpha^{q^i}}$ with the
+corresponding polynomial
+$b=\sum_{i=0}^{n-1}{b_iX^i}\in F[X]/(X^n-1)$, since
+\[b\circ\alpha=\sum_{i=0}^{n-1}{b_i\alpha^{q^i}}\]
+
+The lengthy code for the arithmetic is shared by the three different
+versions of normal basis representations and the package
+{\tt FiniteFieldFunctions}. Hence, we decide to have a
+parameterized package
+\begin{verbatim}
+ INBFF InnerNormalBasisFieldFunctions(F)
+\end{verbatim}
+where most of the arithmetic in {\tt E} is performed.
+
+\subsection{Operations of additive nature}
+\label{section8.1}
+
+All field functions concerning the cyclic $F[X]$-module structure
+of the additive group of $E$ are very easy to implement and to
+compute. Since
+\[\beta^q=\sum_{i=0}^{n-1}{b_{(i-1){\rm\ mod\ }n}\alpha^{q^i}}\]
+the Frobenius automorphism becomes a simple cyclic shift of the
+coordinate vector. The linear associated logarithm of $\beta$ to
+base $\alpha$ can be directly read off from the representation of
+$\beta$
+\[Log_\alpha(\beta)=\sum_{i=0}^{n-1}{b_iX^i=b}\]
+To compute the linear associated logarithm $a$ of $\beta$ to
+another logarithm base $\gamma=c\circ\alpha$, one has to perform
+an extended euclidean algorithm in $F[X]$:
+\[a\circ\gamma=\beta \Longleftrightarrow (ac)\circ\alpha=b\circ\alpha\]
+This is solvable if and only if $b$ is divisible by
+$g:={\rm gcd}(c,X^n-1)=rc+s(x^n-1)$. In this case we get
+\[a=\frac{rb}{g}{\rm\ mod\ }(X^n-1)\]
+
+The operation $\circ$ becomes a modular polynomial multiplication
+\[h\circ\beta=(hb)\circ\alpha\]
+for $h\in F[X]$. The linear associated order of $\beta$ can be
+computed using
+\[{\rm Ord}_q(b\circ\alpha)=
+\frac{{\rm Ord}_q(\alpha)}{{\rm gcd}(b,{\rm Ord}_q(\alpha))}=
+\frac{(X^n-1)}{{\rm gcd}(b,X^n-1)}\]
+Therefore $\beta$ is normal in $E$ over $F$ if and only if
+gcd$(b,X^n-1)=1$, which is quite easy to check. The degree of
+$\beta$ over $F$ is given by the minimal integer $d>0$ which satisfies
+\[bX^d\equiv b{\rm\ mod\ }(X^n-1)\]
+
+The embedding of {\tt F} into {\tt E} is determined by the trace of
+$\alpha$: Let $a=T_{E/F}(\alpha)$, then
+$1-T_{E/F}(a^{-1}\alpha)=\sum_{i=0}^{n-1}{a^{-1}\alpha^{q^i}}$
+and we get for $d\in F$
+\[d=\sum_{i=0}^{n-1}{(a^{-1}d)\alpha^{q^i}}\]
+which gives as representation of $d$ in {\tt E} the vector
+consisting of equal entries $a^{-1}d$. Since the value
+$T_{E/F}(\alpha)$ is needed quite often, it is stored in the global
+variable {\tt traceAlpha} in {\tt E}. The trace $T_{E/F}(\beta)$ of
+$\beta=\sum_{i=0}^{n-1}{b_i\alpha^{q^i}}$ is simply computed by
+\[T_{E/F}(\beta)=\sum_{i,j=1}^{n-1}{b_i\alpha^{q^{i+j}}}=
+\sum_{j=0}^{n-1}{(\sum_{i=0}^{n-1}{b_i})\alpha^{q^i}}\]
+Traces onto intermediate fields of $F \le E$ are computed in a
+similar fashion.
+
+\subsection{Multiplication and normal basis complexity}
+\label{section8.2}
+
+In the contrary to the {\sl additive} functions, the operations
+concerning the multiplicative structure of the field are more
+difficult to compute. Actually the multiplication of field elements
+is somewhat complicated and hence slow.
+
+To multiply field elements we use the representing matrix
+$M_\alpha=(m_{i,j})\in F^{n\times n}$ of the left multiplication
+by $\alpha$ w.r.t. the distinguished normal basis, which is called
+{\sl multiplication matrix} in Geiselmann/Gollmann \cite{Geis89}:
+\[\alpha\alpha^{q^i}=\sum_{j=0}^{n-1}{m_{i,j}\alpha^{q^j}}\]
+
+Knowing this matrix the product of
+$\beta=\sum_{i=0}^{n-1}{b_i\alpha^{q^i}}$ and
+$\gamma=\sum_{j=0}^{n-1}{c_j\alpha^{q^j}}$ is given by
+\[\beta\gamma=\sum_{i,j=0}^{n-1}{b_ic_j(\alpha^{q^{i-j}+1})^{q^j}}=
+\sum_{i,j,k=0}^{n-1}{b_ic_jm_{i-j,k-j}\alpha^{q^k}}\]
+with indices module $n$. This shows immediately that multiplication
+in this representation needs $O(n^3)$ $F$-operations.
+
+Recently there has been much interest in so called {\sl low
+complexity} and {\sl optimal} normal bases: By choosing the normal
+element $\alpha\in E$ carefully one tries to minimize the number of
+nonzero entries in $M_\alpha$, which is called the {\sl complexity}
+of the normal basis. This obviously reduces the multiplication time.
+In the best case one can reduce the number of entries to $2n-1$.
+For special pairs $(q,n)$ a direct construction of a normal base
+of low complexity $O(kn)$, $k\ll n$, is possible (see Wassermann \cite{Wass89},
+Beth/Geiselmann/Meyer\cite{Beth91}, Mullin/Onyszchuk/Vanstone\cite{Mull88}
+or Ash/Blake/Vanstone\cite{Ashx89}). The problem of efficiently computing
+the minimal normal basis complexity or even a generator of such
+a base for given $(q,n)$ is unsolved.
+
+The algorithm described by A. Wassermann in \cite{Wass89} is implemented
+in the function
+\begin{verbatim}
+ createLowComplexityNormalBasis(n)
+\end{verbatim}
+in the package {\tt FiniteFieldFunctions(F)}. If for the given
+$(q,n)$ a direct construction of a low complexity normal basis
+is possible, the algorithm computes the multiplication matrix of
+this base and the function returns this matrix in form of a
+variable of type
+{\tt Vector List Record(value:F,index:SmallInteger)} (see below).
+If such a construction is not possible for $(q,n)$ the function
+\begin{verbatim}
+ createNormalPoly(n)$FiniteFieldPolynomialPackage(F)
+\end{verbatim}
+is called to produce a normal polynomial of degree $n$. To have the
+nice embedding $d\mapsto(d,d,\ldots,d)$ of {\tt F} in {\tt E},
+the computed normal basis has in both cases the property that its
+generator has trace 1 over $F$. The constructors {\tt FFNBX} and
+{\tt FFNB} makes use of this function and use, if possible,
+automatically a low complexity normal basis.
+
+If we would store the multiplication Matrix $M_\alpha$ in a variable
+of type {\tt Matrix F}, everytime we multiply we would have to inspect
+all $n^2$ entries of $M_\alpha$. In this case a low complexity basis
+would hardly speed up the multiplication time.
+
+This is why we store $M_\alpha$ in the domain $E$ in a global
+variable of the form
+\begin{verbatim}
+ multTable : Vector List Record(value:F,index:SmallInteger)
+\end{verbatim}
+
+The entry $m_{i,j}$ of $M_\alpha$ corresponds to the element of
+{\tt multTable.i} with {\tt index} $j-1$ and {\tt value} $m_{i,j}$.
+Of course only the nonzero entries of $M_\alpha$ are stored in
+{\tt multTable}. When multiplying now we are inspecting only the
+nonzero entries of $M_\alpha$ and get time advantages using bases
+of low complexity.
+
+The first time when the multiplication matrix $M_\alpha$ is needed,
+it is initialized by an automatic call of the function
+{\tt createMultiplicationTable(f)} in the package
+{\tt FinitFieldFunctions(F)}.
+
+The user has access to the multiplication matrix of the field by
+\begin{verbatim}
+ getMultiplicationTable: () ->
+ Vector List Record(value:F,index:SmallInteger)
+ ++ getMultiplicationTable() returns the multiplication
+ ++ table for the normal basis of the field
+ getMultiplicationMatrix: () -> Matrix F
+ ++ getMultiplicationMatrix() returns the multiplication
+ ++ table in the form of a matrix
+\end{verbatim}
+
+The complexity of the normal basis can be found out by calling
+\begin{verbatim}
+ sizeMultiplication:() -> NonNegativeInteger
+\end{verbatim}
+
+\subsection{Norm and multiplicative inverse}
+\label{section8.3}
+
+The functions {\tt norm} and {\tt inv} are the power functions with
+exponents $(q^n-1)/(q-1)$ and $(q^n-2)$, respectively. We do not use
+the default repeated squaring algorithm, as we can do better: The
+algorithm due to Itoh and Tsujii\cite{Itoh88} uses a clever partitioning of
+these special exponents and the following help function {\tt expPot}.
+It computes
+\[expPot(\beta,k,d)=\prod_{i=0}^{k-1}{\beta^{q^{id}}}\]
+for $\beta\in E$ and integers $k,d>0$ is computed by the (slightly
+simplified) algorithm
+\begin{verbatim}
+ expPot(beta,k,d) ==
+ e:Integer:=0
+ gamma:E:=1
+ for i in 0..length(k) repeat
+ if bit?(k,i) then gamma:=gamma * beta**(q**e); e:=e+d
+ beta:=beta * beta**(q**d); d:=2*d
+ return(gamma)
+\end{verbatim}
+where {\tt length(k)} denotes the number of bits of $k$, i.e.
+$\ceiling{log_2(k+1)}$, and {\tt bit?(k,i)} tests whether the
+$i$-th bit of $k$, binary represented, is set or not. The average
+number of $E$-multiplications of this algorithm is about
+$3/2\ceiling{log_2(k)}$
+
+Let $d$ be a divisor of $n$ and $K$ and extension of degree $d$
+over $F$. With the above algorithm we can compute the norm of
+$\beta\in E$ over $K$ by
+\[N_{E/K}(\beta)={\rm expPot}(\beta,n/d,d)\]
+using about $3/2\ceiling{log_2(n/d)}$ multiplications in $E$.
+
+For computing the inverse $\beta^{-1}=\beta^{q^n-2}$ of $\beta\in E$
+notice that
+\[q^n-2=(q-2)(\frac{q^n-1}{q-1})+q(\frac{q^{n-1}-1}{q-1})\]
+therefore
+\[\beta^{-1}=N_{E/F}(\beta)^{-1}\cdot(\beta^{\frac{q^{m-1}-1}{q-1}})^q\]
+
+Now we get $\beta^{-1}$ by computing first
+\[\gamma={\rm expPot}(\beta,n-1,1)^q=(\beta^{\frac{q^{m-1}-1}{q-1}})^q\]
+and then $\beta^{-1}=(\beta\gamma)^{-1}\cdot\gamma$. Notice that the
+inversion of $\beta\gamma$ is performed in $F$. Altogether we used
+$3/2\ceiling{log_2(n)}+2$ multiplications in $E$.
+
+\subsection{Exponentiation}
+\label{section8.4}
+
+Next we show how we have implemented the function
+\[(\beta,e)\rightarrow \beta^e\]
+
+For a $1 \le k < n$ we can write
+\[\beta^e=\prod_i{(\beta^{e_i})^{q^{ki}}}\]
+if $e=\sum_i{e_iq^{ik}}$ is the $q^k$-adic expansion of $e$.
+
+An obvious implementation of this formula first of all has to
+initialize the array $[\beta,\beta^2,\ldots,\beta^{q^k-1}]$.
+This costs $(q-1)q^{k-1}-1$ (expensive) field multiplications.
+Taking $q^{ki}$-powers is cheap while multiplying the results
+together costs another $\ceiling{(log_q(e)/k)}-1$ field
+multiplications, altogether this algorithm requires
+\[M(q,k,e):=(q-1)q^{k-1}+\ceiling{\frac{log_q(e)}{k}}-2\]
+multiplications.
+
+Depending on $k$ there is a tradeoff between slow multiplication
+and fast powering. Therefore we adaptively choose a good $k$
+depending on $e$ and $q$ to minimize the number of multiplications.
+
+The computation of such
+$k\sim log_q log_q(e)-log_q log_q log_q(e)$ is performed using
+exclusively {\tt SmallInteger} arithmetic to minimize the decision
+time. It is supported by the two global variables
+\begin{verbatim}
+ logq:List SmallInteger
+ expTable:List List SmallInteger
+\end{verbatim}
+which contain some precomputed auxiliary values.
+
+Then the actual number of multiplications is compared with the
+number $3/2\ceiling{log_2(e)}$ of multiplications needed by the
+standard repeated squaring algorithm and the better method is
+chosen.
+
+The ideas of this divide and conquer algorithm are due to Stinson,
+see \cite{Stin90}, for the case $q=2$.
+
+\section{Homomorphisms between finite fields}
+\label{section9}
+
+Changing an object from one finite field to another can be necessary
+in three cases. The first case is that we have two different defining
+polynomials for the same field in the same type of representations. In
+order to consider one object in the other data type we have to
+implement a field isomorphism. A generalization thereof is when one
+field is isomorphic to a subfield of another field in the same type of
+representation. The most complicated case is when in addition to the
+last situation we also change the representation.
+
+These data type conversions - called {\sl coercions} in Axiom, and
+hence are under the control of the interpreter - are realized by the
+package
+\begin{verbatim}
+ FFHOM FiniteFieldHomomorphisms
+\end{verbatim}
+
+It is parameterized by three parameters: a source field $K_1$
+represented by {\tt K1}, a target field $K_2$ represented by {\tt K2}
+and a common groundfield $F$ of $K_1$ and $K_2$, represented by {\tt
+F}. Note, that due to the symmetry of the provided functions, the
+order of the parameters can either be $(K1,F,K2)$ or $(K2,F,K1)$. The
+order comes from arranging the situation in a lattice.
+
+However, this package cannot be used for the general situation as this
+settings suggests. We had to restrict ourselves to the case where both
+{\tt K1} and {\tt K2} are realized as simple extensions of {\tt F},
+i.e. of type
+\begin{verbatim}
+ FiniteAlgebraicExtensionField(F)
+\end{verbatim}
+
+To implement the general case also, it would be necessary to have a
+function
+\begin{verbatim}
+ groundfield: () -> FiniteFieldCategory
+\end{verbatim}
+
+Its result could be used for package calling functions of that
+subfield. Using such a function it would be possible to build a
+recursive coercion algorithm between different towers of finite field
+extensions. As the old compiler does not support functions whose
+values are domains, this idea will be possible when the new compiler
+will be available.
+
+The source field and the destination field may appear in arbitrary
+order in the parametrization of {\tt FFHOM}, since {\tt FFHOM}
+supports coercions in both directions:
+\begin{verbatim}
+ coerce: K1 -> K2
+ coerce: K2 -> K1
+\end{verbatim}
+
+Restricted to $K_1 \cap K_2$ these two mappings are inverses of each
+other, i.e. for $\alpha \in K_1 \cap K_2$ and $a$ being a
+representation of $\alpha$ in {\tt K1} or in {\tt K2} holds:
+\begin{verbatim}
+ coerce(coerce(a)$FFHOM(K1,F,K2))$FFHOM(K1,F,K2)=a
+\end{verbatim}
+
+To be independent of the ordering of the arguments we have ordered the
+fields inside the package by comparing the defining polynomials of the
+fields lexicographically using the local function {\tt compare}.
+
+To explain the details of the implementation let $\beta\in K_1$ and
+{\tt b} be the representation of $\beta$ in {\tt K1}. We have to
+distinguish between some cases:
+
+First check whether $\beta$ is in $F$. In this case
+\begin{verbatim}
+ retract(b)@F$K1::K2
+\end{verbatim}
+is used.
+
+The next case is that {\tt K1} and {\tt K2} are constructed using the
+same defining polynomial $f$. If furthermore {\tt K1} and {\tt K2} are
+represented in the same say, the elements of {\tt K1} and {\tt K2} are
+represented completely identical. Therefore the coercion may be
+performed by
+\begin{verbatim}
+ b pretend K2
+\end{verbatim}
+
+Now assume that one of {\tt K1} and {\tt K2} is represented using
+cyclic groups and the other one represented by a polynomial basis.
+
+If {\tt K1} is cyclically represented, we coerce by
+\begin{verbatim}
+ represents(coordinates(b)$K1)$K2
+\end{verbatim}
+and vice versa, if {\tt K2} is cyclically represented.
+
+All remaining cases are treated in the same way which we explain
+now. Denote by {\tt degree1} and {\tt degree2} the extension degrees
+of $K_1$ and $K_2$ over $F$, respectively. The first time a coercion
+from {\tt K1} into {\tt K2}, or vice versa, is called, two conversion
+matrices stored in global variables
+\begin{verbatim}
+ conMat1to2:Matrix F
+ -- conversion Matrix for the conversion direction K1 -> K2
+ conMat2to1:Matrix F
+ -- conversion Matrix for the conversion direction K2 -> K1
+\end{verbatim}
+in the package are initialized. Once these
+matrices are initialized, the coercion is performed by
+\begin{verbatim}
+ represents(conMat1to2 * coordinates(b)$K1)$K2
+\end{verbatim}
+
+Notice, that we do not have to care about the coercion between cyclic
+representation and polynomial representation as above, since this step
+is implicitly performed by the function calls to {\tt represents} and
+{\tt coordinates} (see section \ref{section7.3}).
+
+The rest of this section describes the initialization of the conversion
+matrices.
+
+\subsection{Basis change between normal and polynomial basis
+representation}
+\label{section9.1}
+
+We first consider the case of equal defining polynomials. We can
+assume without loss of
+generality that $E=K_1=K_2$ and the root $\alpha\in E$ of this
+polynomial both generates a polynomial and a normal basis. To
+convert $\beta=\sum_{i=0}^{n-1}{b_i\alpha^i}$ into
+$\beta=\sum_{j=0}^{n-1}{c_j\alpha^{q^j}}$ we have to set up the
+basis change matrix $M=(m_{i,j})$, defined by
+\[\alpha^{q^j}=\sum_{i=0}^{n-1}{m_{i,j}\alpha^i,\quad 0\le j
20161004.01.tpd.patch
books/bookvolbib Case16 General Number Field Sieve

20161008.01.tpd.patch
+20161024.01.tpd.patch
+books/bookvol10.1 Finite Fields in Axiom by Grabmeier

--
1.7.5.4