Alice and Bob in Cryptoland » sage http://alicebob.cryptoland.net Mon, 14 Feb 2011 13:29:59 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 The Frobenius endomorphism with finite fields http://alicebob.cryptoland.net/the-frobenius-endomorphism-with-finite-fields/ http://alicebob.cryptoland.net/the-frobenius-endomorphism-with-finite-fields/#comments Mon, 09 Feb 2009 03:17:29 +0000 Conrado http://alicebob.cryptoland.net/?p=153 The Frobenius endomorphism is defined as:

\Phi(x)=x^p

where p is the characteristic of the ring you’re working with. Simple, right?

If you’re working with a field with prime order, then Frobenius is actually the identity map. Since the order of the multiplicative subgroup is p, when you raise to the power of p you get back to x due to Fermat’s little theorem. Things get more interesting when you’re working with a extension field (i.e. a field which order is a prime power).

I’m studying pairings for my master’s degree and the Frobenius endomorphism appears all the time in their computation. For example, you need to do a “final exponentation” which can be split in multiple exponentiations, and some of them are to the power of p. This is good because powering to p is “easy” due to Frobenius, or at least all the papers I read said so. But for a while I couldn’t see why, and that’s the reason I’m posting this. It’s really easy; it’s just not that obvious to see why.

Why Frobenius is easy?

Say you’re working with a quadratic extension, that is, with a field GF(p^2) where p is a prime. You can represent this group with polynomials of degree 1 which can be added the usual way and multiplied taking the result modulo a irreducible polynomial of degree 2. To understand why this makes sense, I recommend this excellent write-up at Everything2. Assume that you pick a irreducible polynomial in the form X^2-\beta. Working modulo this polynomial is the same thing as working in a “world” where X^2 = \beta. (You could of course work with a polynomial in the form X^2 + aX + b but that would complicate things.)

So every element of GF(p^2) can be written as a + bX. What happens when you apply the Frobenius endomorphism? Let’s see:

(a + bX)^p = (a^p + b^pX^p)

Why is that so? That’s a known fact about the Frobenius, check the explanation at Wikipedia for more details. But basically, the expansion of (a + bX)^p has many terms, but only the first (a^p) and the last (b^pX^p) survive because all others are multiples of p. Since we’re working with coefficients modulo p, they are all zero.

Let’s continue. Since a, b \in GF(p), then raising to the power of p won’t change them (yep, that’s Frobenius again). So we have:

(a + bX)^p = (a^p + b^pX^p) = (a + bX^p)

There’s only X^p left to bother us. If p is odd (not 2), then you can rearrange this as:

(a + bX)^p = (a + bX^p) = (a + b(X^2)^{(p-1)/2}X)

Now remember that we’re working in a “world” where X^2 = \beta. Then we get:

(a + bX)^p = (a + b(X^2)^{(p-1)/2}X^p) = (a + b\beta^{(p-1)/2}X)

That’s why Frobenius is easy: “a” stays the same, all you need to do is multiply “b” with \beta^{(p-1)/2}. But according to Euler’s criterion, since \beta is not a square (if it were, X^2-\beta wouldn’t be irreducible), we have \beta^{(p-1)/2} \equiv -1 \pmod{p}. Then the formula gets much simpler:

(a + bX)^p = (a-bX)

A concrete example

Just for the sake of concreteness, let’s work out an example. I’ll use Sage for that, but I’ll explain what each command does.

sage: K = GF(7)

We create a field with 7 elements (that’s actually integers modulo 7).

sage: K(5)^7
5

We take the element 5 and power to 7. We get 5 again. If you don’t believe it works for all elements:

sage: [(x,x^7) for x in K]
[(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5), (6, 6)]

Let’s create GF(7^2).

sage: KR. = GF(7)[]

This creates a polynomial ring with the X variable and coefficients in GF(7), just to allow us to specify the modulus in the next step:

sage: K2. = GF(7^2, modulus=X^2+1)

We create the GF(7^2) field using the variable X (I’m overwriting the X used in the ring, you could use other name) and modulus X^2+1 (so \beta = -1). Let’s take an arbitrary element to the power of 7:

sage: (3*X + 2)^7
4*X + 2

Remeber when \beta = -1 then (a + bX)^p = (a-bX). And modulo 7, -3 is actually 4, so the result is correct (of course!). Again, if you don’t believe it works for all elements:

sage: all(x^7 == (x.vector()[0] - x.vector()[1]*X) for x in K2)
True

This checks, for all elements in the field K2, if the element raised to the power of 7 is equal to the element built with our special formula. The method vector() returns the coefficients of the polynomial as a list. The all function is a relatively unknown function of Python that returns True if all the elements of the iterable passed to it evaluate to True (there’s any(iter) too).

Extensions of higher degree

The trick to calculate the Frobenius endomorphism also works for extensions of higher degree. When implementing them, usually using a tower of extensions is more efficient then using a direct extension. For example, when working with GF(p^{12}), you can represent it as a quadratic extension of GF(p^6), which can be represented as a cubic extension of GF(p^2), which can be represented as a quadratic extension of GF(p).

For example, for (a + bX) \in GF(p^{12}) built this way, with a, b \in GF(p^6), you just apply the same trick explained above. The only difference is that a and b to the power of p aren’t a and b themselves, but that’s not a problem, you just apply the same trick recursively.

]]> http://alicebob.cryptoland.net/the-frobenius-endomorphism-with-finite-fields/feed/ 3