Fast multiplication for skew polynomials
Xavier Caruso (IRMAR), J\'er\'emy Le Borgne (ENS Rennes, IRMAR)

TL;DR
This paper introduces a new, faster algorithm for multiplying skew polynomials that leverages evaluation and interpolation techniques, achieving optimal asymptotic complexity for large degrees and improving existing methods.
Contribution
The authors develop a novel algorithm for skew polynomial multiplication based on evaluation and interpolation, improving complexity bounds and extending efficiency to small degrees.
Findings
Achieves optimal asymptotic complexity for large degree skew polynomial multiplication
Provides an efficient algorithm for small degree skew polynomial multiplication
Improves complexity bounds for various arithmetic problems involving skew polynomials
Abstract
We describe an algorithm for fast multiplication of skew polynomials. It is based on fast modular multiplication of such skew polynomials, for which we give an algorithm relying on evaluation and interpolation on normal bases. Our algorithms improve the best known complexity for these problems, and reach the optimal asymptotic complexity bound for large degree. We also give an adaptation of our algorithm for polynomials of small degree. Finally, we use our methods to improve on the best known complexities for various arithmetics problems.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsPolynomial and algebraic computation · Cryptography and Residue Arithmetic · Coding theory and cryptography
Fast multiplication for skew polynomials
Xavier Caruso
Jérémy Le Borgne
IRMAR, CNRS
Campus de Beaulieu
263 avenue du Général Leclerc
35042 RENNES Cedex
IRMAR, ENS Rennes, UBL
Campus de Ker Lann
Avenue Robert Schuman
35170 BRUZ
Abstract
We describe an algorithm for fast multiplication of skew polynomials. It is based on fast modular multiplication of such skew polynomials, for which we give an algorithm relying on evaluation and interpolation on normal bases. Our algorithms improve the best known complexity for these problems, and reach the optimal asymptotic complexity bound for large degree. We also give an adaptation of our algorithm for polynomials of small degree. Finally, we use our methods to improve on the best known complexities for various arithmetics problems.
Introduction
The present paper is dedicated to the description of algorithms for fast arithmetics in skew polynomial rings. Since they were first introduced by Ore, skew polynomials and their variants have been widely studied in several areas of mathematics. In particular, skew polynomials over finite fields have various applications in coding theory [15], cryptography see [3], for -adic Galois representations [11]. Fast arithmetics for manipulating these objects is useful for such applications, and has been improved over time since the first breakthrough paper on computational skew polynomials over finite fields, due to Giesbrecht [9].
Let be a field and let be a finite extension of , endowed with the endomorphism . We assume that has order and that . We consider the ring of skew polynomials with coefficients in . This is a non commutative ring where the relation holds for all (for more detail about the definitions, see section 1.1). The main problem addressed in this paper is the fast multiplication of elements of . The complexity of algorithms is described in terms of the number of elementary operations in with respect to the degree of the skew polynomials to be multiplied, and the degree of over .
State of the art. The naïve method for multiplication of skew polynomials of degree yields an algorithm that has complexity operations in . In [9], this complexity is improved to . Let denote the exponent of matrix multiplication. The authors of the present paper gave several algorithms for multiplication in [4], with best complexity achieved for . The most recent results by Puchinger and Wachter-Zeh [13] give a bound of operations in for multiplication in , which improves on the previous results [4] when , which is the most relevant case for applications in coding theory (see [13], §4.2). In the context of differential operators (which share many similarities with skew polynomials), Benoit, Bostan and Van der Hoeven have obtained a complexity of (see [2], Theorem 1) for multiplication in . We expect that this complexity should be doable in as well, but we have only achieved it for .
Contributions of the paper. This paper’s main algorithm improves the complexity of the best known algorithms for multiplication in to when . For , this gives a complexity of operations in . This is quasi-optimal in the sense that matrix multiplication can be reduced to skew polynomial multiplication (this is for example a consequence of Proposition 1.6 below), so that any improvement on the exponent of skew polynomial multiplication would lead to a similar improvement for matrix multiplication. We also design a new algorithm for multiplication of polynomials of small degree in , whose complexity is .
We also show that our method can be used to improve the best known complexities of various related problems, such as multi-point evaluation, minimal subspace polynomial, and interpolation which are studied in [13]. We also improve the complexities for greatest common divisors and least common multiples.
Organization of the paper. The first section of the paper focuses on elementary operations for skew polynomials with normal bases: evaluation and interpolation. More precisely, if , then is an endomorphism of the -algebra , and the map is a morphism of -algebras. In this section, we describe how we can compute efficiently using a normal basis and, conversely, how to recover (the reduction modulo of) from the datum of (see Proposition 1.6). We also look into more detail how the can solve the same evaluation/interpolation problems with of small degree at only the first elements of a normal basis.
In the second section, we present our algorithm for fast multiplication of skew polynomials. First, we study how the multiplication can be done efficiently modulo through evaluation/interpolation on a normal basis and matrix multiplication. We generalize this study to multiplication modulo for any irreducible polynomial . This allows us to give an algorithm for multiplication of skew polynomials of degree that works in operations in (where denotes the complexity of multiplication of square matrices of size ).
In the third section, we give several applications to fast arithmetics for skew polynomials. We show how we can perform general multi-point evaluation, minimal subspace polynomial, and interpolation, as well as usual operations on skew polynomials such as (extended) Euclidean division, greatest common divisor, least common multiple.
1 Fast evaluation
and interpolation
In this section, we present the notion of skew polynomials, and we study the problems of their evaluation and interpolation using normal bases.
1.1 Definitions and notations
Let be a field and let be an étale -algebra (since is a field, this just means that is isomorphic to a product of field extensions of ). Let be an automorphism of . We assume that has finite order and that . The ring of skew polynomials with coefficients in is the ring whose underlying group is and whose multiplication is determined by the relation
[TABLE]
The ring is not commutative unless .
Examples. The following situations are examples of the general setting that we are considering:
- •
, and is the shift operator ,
- •
(Extensions of finite fields) , and is the Frobenius endomorphism of ,
- •
(Cyclotomic extensions) and where is a primitive -th root of unity and is prime; is a generator of the Galois group (which is the cyclic group ).
- •
(Kummer extensions) contains a primitive -th root of , for some suitable and takes to .
The two last examples are addressed in [14] and have applications to space-time codes.
Remark 1.1**.**
Usually, is assumed to be a field extension of . We are considering the more general context of an étale -algebra because it is stable under base change: if is étale and is an extension of , then is étale over (but it is not a field in general, even if is). This feature is used mostly in Section 2.1.2, and does not make the classical results any more difficult to prove.
Definition 1.2**.**
A normal basis of is a basis of over such that (the indices being taken modulo ).
Proposition 1.3** ([6], Satz 1).**
Assuming has order and , has a normal basis.
The problem of the construction of normal bases has been widely studied, see for example [8] for the case of finite fields, and [10] for the case of number fields. In both cases of cyclotomic extensions and Kummer extensions, it is easy to exhibit a normal basis: in the cyclotomic case, the basis starting with does the job while in the Kummer case, one can take:
[TABLE]
From now on, we assume that we have fixed a normal basis of together with a working basis in which the elements of are represented. Let be the matrix of change of basis from the working basis to the normal basis. We assume that the multiplication in and the application of can be both performed in operations in in the working basis.
1.2 Evaluation and interpolation
on a normal basis
We introduce a relation between polynomials that allows to evaluate the linear map associated to a skew polynomial at the elements of the normal basis .
Lemma 1.4**.**
The map:
[TABLE]
is a homomorphism of -algebras. It induces an isomorphism of -algebras:
[TABLE]
Proof.
The first map is a homomorphism because for all , in . Since has order , lies in the kernel of this map, so is well-defined. Both and are -vector spaces of dimension , hence it suffices to prove injectivity. By Artin’s Lemma on independence of characters, is a linearly independent family over , so that if for some of degree , then . ∎
Lemma 1.4 shows that multiplication of skew polynomials modulo is essentially the same as multiplication of matrices over , assuming that the isomorphism can be computed efficiently (in both ways). We now address this question.
Notation 1.5**.**
Throughout this paper, we will denote for if and .
Let be a new (commutative) variable and consider the classical polynomial ring . Let be the polynomial whose coefficients are the elements of the normal basis.
Proposition 1.6**.**
Let and let . Let and let . Then
[TABLE]
Proof.
By linearity, it is enough to check that the relation holds when for . Let . We have , where indices are taken modulo .
On the other hand, doing the calculations modulo , . ∎
Proposition 1.6, although elementary, shows that the isomorphism of Lemma 1.4 can be computed efficiently. Moreover, it also shows how the inverse isomorphism can be computed. More precisely:
Corollary 1.7**.**
Multiplication in can be performed in operations in .
Proof.
Let . Let be the commutative polynomials with the same coefficients as respectively. Let and . Both and can be computed in operations in . Now let (resp. ) be the matrix whose -th column is the decomposition of the -th coefficient of (resp. ) in the working basis. By Proposition 1.6, (resp ) is the matrix of (resp. ) where the codomain in endowed with the normal basis and the codomain is endowed with the working basis. Set ; this product can be computed within operations in . We know that is the matrix of where again the codomain in endowed with the normal basis and the codomain is endowed with the working basis. Let
[TABLE]
and compute , which can also be computed in operations in . Then, again by Proposition 1.6, . This shows that the global complexity of this computation is . ∎
In Section 2, we will generalize this algorithm and show how it yields a fast multiplication algorithm for skew polynomials (not only in the modular case).
1.3 Evaluation and interpolation at
an incomplete normal basis
Evaluation. We shall see later how we can compute the product of two skew polynomials of small degree by determining how their product acts on elements of a normal basis. With this motivation in mind, let us describe how we can compute efficiently the image of the first few elements of a normal basis under the action of the skew polynomial . Recall that, using Proposition 1.6 with , and writing , we know that
[TABLE]
where . Let , and let of degree . We are interested in computing only for .
Lemma 1.8**.**
Let of degree and let for . Let and . Then, for :
[TABLE]
where and (the products being taken modulo ).
Proof.
Since , and for , we are left with the formula:
[TABLE]
and both sums correspond precisely to the coefficients of and respectively. ∎
Corollary 1.9**.**
Let of degree , then the collection of can be computed in operations in .
Proof.
By Lemma 1.8, the evaluation of at can be obtained by two multiplications of (classical) polynomials of degree with coefficients in , hence with complexity operations in . ∎
Interpolation. Still bearing in mind the aim of multiplying two skew polynomials by composing the corresponding linear maps, we are interested in the following question of interpolation: given values , find of degree such that for all .
Let us explain first how the solution to this problem can be computed when . In this case, the skew polynomial we are looking for is the so-called minimal subspace polynomial corresponding to the span . A generic fast algorithm for solving this problem has been proposed by Puchinger and Wachter-Zeh in [13], Theorem 26; it has complexity operations in . In the special case we are considering, we shall see that this can be improved to .
Let , so that . If is such that for , then there exists of degree such that . Of course, the converse is also true, and this equation is equivalent to:
[TABLE]
with and . The latter equation can be solved thanks to the extended Euclidean algorithm. Indeed, computing the gcd of and and stopping after the first remainder of degree , we get a relation of the form:
[TABLE]
with and , which yields a solution to the problem when . This computation can be done in operations in thanks to the half-gcd algorithm (see [7], Theorem 11.5).
In the general case, let , and let . We are looking for with degree and with degree such that . This equation is equivalent to .
Lemma 1.10**.**
Let , and for , let be the remainder of the Euclidean division of by . Then for , .
Proof.
Consider the map
[TABLE]
It is well-defined, linear, and both sides have the same dimension over . Moreover, the determinant of this map is nonzero if and only if (see [16], §4.1). Therefore, it is sufficient to prove that is injective.
Let us consider in the kernel of . By definition, , so that , where . By Proposition 1.6, the skew polynomial (whose coefficients are the coefficients of ) evaluates to [math] at . Hence, it is a left multiple of the minimal subspace polynomial of . Since is linearly independent over , has degree (it is a generator of the kernel of the -linear map mapping to ). In particular, since , , so and is injective. Hence and has the required degree. ∎
Theorem 1.11**.**
Let and . Then there exists , with , and such that
[TABLE]
Moreover, Algorithm SmallDegreeInterpolation outputs and for a cost of operations in .
Sketch of the proof.
The result follows from the correctness of Algorithm 1, but is also a theoretical consequence of Lemma 1.10. Indeed, this lemma shows that there exists a linear combination of , whose higher degree terms have coefficients , and the bounds on the degrees follow from the fact that for , with , . Algorithm 1 is an adaptation of the half-gcd algorithm, which computes simultaneously the sequence of the remainders in the extended Euclidean division or and , and the combination of and that has the given higher degree terms. ∎
Thanks to Corollary 1.9, Theorem 1.11 and Algorithm 1, we can solve the problem of evaluation and interpolation at the first elements of an incomplete normal basis in operations in .
2 Fast multiplication
In this section, we study the problem of multiplying efficiently two elements both of degree . The complexity is the number of operations in , given as a function of and .
2.1 Modular multiplication
2.1.1 Multiplication modulo
We consider the ring . Let , and let . We are now going to describe an algorithm for multiplication in modulo .
Proposition 2.1**.**
The map
[TABLE]
factors as an isomorphism .
Proof.
This maps to , thus mapping to . ∎
Corollary 2.2**.**
Multiplication in can be performed in operations in .
Proof.
By Proposition 2.1 and Proposition 1.6, it is enough to show that for , can be computed in operations in . For this we write and remark that the ’s () can be all computed within operations in thanks to the recurrence formula . Now evaluating the formula allows us to compute in operations in . ∎
We could use the proof of Corollary 2.2 directly to design an algorithm for multiplication modulo . Such an algorithm would require computing and each time we use it to compute . Alternatively, we can slightly modify the basis on which we are evaluating the corresponding maps, which can provide a gain if there are many multiplications to do modulo .
Let , and let . Let , and for , , such that is a basis of over . By construction, we have for , , and . For example, if is a normal basis of over , then and defines a suitable basis. Now, let .
Proposition 2.3**.**
Let and let . Let . Let . Then
[TABLE]
Proof.
The proof is similar to that of Proposition 1.6. By linearity, it is enough to check that the relation holds for for . Let . We have :
[TABLE]
On the other hand, doing the calculations modulo :
[TABLE]
Hence, for all , so for all . ∎
Algorithm ModMult below makes precise the algorithmical content of Proposition 2.3; it uses a primitive that takes as input a tuple and outputs the matrix whose -th column are the coordinates of is the working basis.
Proposition 2.4**.**
Algorithm ModMult computes the product in in operations in .
Proof.
Multiplication of polynomials in modulo requires operations in . Multiplication of matrices of size in requires operations in . Hence the global complexity is operations in . ∎
2.1.2 Multiplication modulo
Let be a finite extension. Define ; it is an étale -algebra endowed with the endomorphism that extends and has order .
Remark 2.5**.**
The algebra is not necessarily a field (for instance, when , it splits as a product ). It is the reason why we needed to place this paper in the more general setting of étale algebras.
Let . Set . We assume that . Let be the minimal polynomial of . We want to generalize the results of §2.1.1 to multiplication modulo (in §2.1.1, we have , and ). Note that if is a normal basis of , then is a normal basis of .
Lemma 2.6**.**
The canonical morphism : induces an isomorphism
[TABLE]
Proof.
First note that is a two-sided ideal of , and that the canonical morphism induces a morphism which maps to , hence the latter surjective. Moreover, by -linearity, lies in the kernel of this map. We then get a surjective morphism of -algebras . Since both sides have dimension over , this morphism is an isomorphism. ∎
We are now back exactly in the situation of Section 2.1.1, where has been replaced by and by : all the computations can be carried out the same way, and passing back through the isomorphism of Lemma 2.6, we can perform fast multiplication modulo . The algorithm is as follows:
Proposition 2.7**.**
Algorithm 3 computes the product in with operations in .
2.2 Reconstruction with CRT
Let be two skew polynomials. We recall that our aim is to design a fast algorithm for computing the product . We set .
Multiplication in large degree. We first assume that the polynomial has degree larger than . In this case, the idea is to evaluate the modulo various using Algorithm ModMultZ and then to reconstruct the result using a non commutative version of the Chinese Remainder Theorem. The precise result we need is given by the following Proposition.
Proposition 2.8**.**
Let be pairwise coprime polynomials, and let . Then the natural map:
[TABLE]
is an isomorphism of -algebras.
Proof.
Since the domain and the codomain have the same dimension over , it is enough to prove the surjectivity. For between and , consider and write it:
[TABLE]
where the ’s are polynomials with coefficients in . For a fixed , let be a polynomial such that the congruence holds in the commutative ring . We can therefore write for some polynomials . Noting that the inclusion , is a ring homomorphism (i.e. the multiplication on agrees with that on ), we deduce that the equality
[TABLE]
holds in . Multiplying it by on the right and summing up over , we end up with for all . Surjectivity is proved. ∎
Remark 2.9**.**
The above proof is constructive. More precisely it shows that solving the Chinese Remainder problem of degree in with central moduli reduces to solving independant Chinese Remainder problems of degree in the commutative ring and therefore can be achieved for a cost of operations in , corresponding to operations in (see [7], §10.3).
It remains now to explain how the moduli ’s can be constructed. We will do it in two different concrete contexts: first, the case of finite fields and second, the case of number fields.
The case of finite fields. We assume that and are finite fields and write for the cardinality of . We consider an auxiliary finite extension of of degree and build the compositum . We endow with the uniform measure. We assume that is chosen sufficiently large so that:
[TABLE]
Asymptotically the latest condition is fulfiled as soon as grows at least as fast as .
Lemma 2.10**.**
Let be an integer such that . Let be random independant elements of . Then the ’s all generate over and are pairwise non-conjugate over with probability at least .
Proof.
The étale algebra splits as a product where is a finite extension of of degree and is a positive integer. Moreover if decomposes as , we have:
[TABLE]
Observe that the norm map takes the value [math] only at [math]. Hence the probability that vanishes is . Therefore vanishes with probability . As for the nonzero values of , they are reached by with uniform probability because is a surjective group homomorphism, i.e.
[TABLE]
for all , . Let be the number of elements of that generate over . The probability that a fixed satisfy the requirement K\big{(}N_{L^{\prime}/K^{\prime}}(\lambda^{\prime}_{i})\big{)}=K^{\prime} is then . Assuming that this occurs, the probability that the ’s are pairwise non-conjugate is:
[TABLE]
Putting all together, we find the probability of success:
[TABLE]
which is at least:
[TABLE]
Clearly is the cardinality of the union of all strict subextensions of . Therefore:
[TABLE]
the latter inequality coming from the fact that has at most divisors. From (1), we derive . On the other hand, it follows from our assumptions that and . Combining with (2), we find that the probability of success is at least . ∎
Theorem 2.11**.**
Let of degree . Then Algorithm Mult computes the product within operations in with probability of success at least .
Proof.
Observe first that can be chosen such that . Computing the product in requires operations in . Moreover by Remark 2.9, the reconstruction (line 4) can be done for a cost of operations in . The overall cost of Mult is then as announced. The fact that the probability of success is at least follows from Lemma 2.10. ∎
The case of number fields. We assume that and are number fields. It is then known that the image of the norm map has index in . More precisely, class field theory teaches us that is canonically isomorphic to the Galois group of the abelian extension , i.e. to . In particular, the image of is infinite meaning that if we take a finite set of random elements , it is likely that the norm of the ’s will be pairwise distinct. We can then reapply the strategy used in the case of finite field without having to work with an auxiliary extension . We end up this way with a probabilistic Las Vegas algorithm whose complexity is operations in and whose probability of success is high.
Multiplication in small degree. The idea for fast multiplication in small degree is that if a skew polynomial has degree , it is determined by its values on linearly independent elements of . Hence, starting with two skew polynomials whose degrees add up to , we should be able to compute their product by composing of two -linear maps over vector spaces of dimension . However, we know some efficient algorithm for evaluating only on a subspace of which is spanned by the first vectors of a normal basis. For this reason, it order to compute , we shall need to know the whole of the linear map (because are in general nothing to do with a truncated normal basis).
The complexity of the above algorithm is given by the next Theorem whose proof is straightforward after what we have already done (the bottleneck comes from the matrix multiplication step).
Theorem 2.12**.**
Let such that . Then Algorithm 5 computes the product with operations in .
Conclusion. As a conclusion, several algorithms with different complexities are available for the multiplication of skew polynomials. Precisely, we have designed in this paper one algorithm of complexity when and an another algorithm of complexity when . Apart from that, Wachter-Zeh’s algorithm [13] performs the same computation with complexity without any assumption on . The corresponding complexity curves are represented on Figure 1.
Putting all together, we find that the product in can be performed within operations in where:
[TABLE]
As already discussed in the introduction, we expect to lower the complexity to in the range and, until now, we have not succeeded in doing so.
3 Other operations
and applications
Classically, fast multiplication algorithms can be used to speed up many other computations. This general philosophy works for skew polynomials as well and was concretized in [4], §3.2. Below, we analyze briefly the impact of the algorithms designed above in this paper.
In order to state our complexity results more elegantly, we introduce the function defined by:
[TABLE]
A direct computation shows that:
[TABLE]
The function (viewed as a function of the variable ) is the smallest function above SM whose “log-log slope” is always at least (see Figure 1). The notation comes from this interpretation.
With , we have for for larger .
Euclidean division. An algorithm that performs (right) Euclidean divisions in and takes advantage of fast multiplication algorithm is depicted in [4], §3.2.1 (Algorithm REuclideanDivision). Proposition 3.2.3 of loc. cit. extends readily to the settings of this paper and shows that the aforementioned algorithm has a complexity cost of operations in .
gcd** and lcm computation.** The classical half-gcd algorithm that we already mentioned above (see §1.3 and [7], §11) works in the same way to compute left and right gcd’s of skew polynomials. The precision corresponding algorithm is written in [4], §3.2.2 (Algorithm FastExtendedRGCD).
Proposition 3.1**.**
The algorithm FastExtendedRGCD of [4], §3.2.2 (using fast multiplication algorithms described above in this paper as primitives) runs in operations in .
Proof.
A careful look at the algorithm FastExtendedRGCD shows that its complexity in operations in is bounded by where satisfies the recurrence relation:
[TABLE]
By induction, it follows that for ,
[TABLE]
Taking , we get as expected. ∎
Remark 3.2**.**
A similar complexity is available for the computation of lcm’s.
Minimal subspace polynomial. Let be a family of elements of which is free over . We are interesting in computing the unique monic polynomial of degree such that for all .
Lemma 3.3**.**
For , , the value is the remainder in the right Euclidean division of by .
Proof.
It is a direct computation. ∎
Lemma 3.3 shows that the polynomial we are looking for is nothing but the left-lcm of the polynomials . As a consequence, can be computed for a cost of operations in using fast algorithms for lcm computation together with a “tree division strategy” [7], §10.1.
General multievaluation. We consider again a free family of elements of . The general multievaluation problem consists in evaluating a given polynomial of degree at the ’s. Thanks to Lemma 3.3, the value agrees with times the remainder of the right division of by We are then reduced to compute the reduction of a given polynomials modulo some given moduli. This can be done efficiently using the strategy of [7], §10.1 for a cost of operations in . If are have the same order of magnitude, one can preferably compute the matrix of using the formula of Proposition 1.6 and derive from it the values of the ’s thanks to a single matrix multiplication. The cost of the resulting algorithm is .
Remark 3.4**.**
If the ’s are the first vectors of a normal basis of over , one can use directly the algorithm of §1.3 which has a better complexity.
General interpolation. We keep the family and consider in addition some values . We address the question of computing a polynomial of degree at most such that for all . Thanks to Lemma 3.3, the above problem reduces to solve the following Chinese Remainder system:
[TABLE]
which again can be done for a cost of operations in .
Remark 3.5**.**
If the ’s are the first vectors of a normal basis of over , one can use directly the Algorithm SmallDegreeInterpolation which has a better complexity.
Gabulin codes. The solution sketched above to the general multievaluation problem allows us to encode messages in the framework of (generalized) Gabidulin codes [14] in complexity where is the length of the code. (Better complexities are possible when the dimension of the code is much smaller than its length.) In the similar fashion, efficient decoding is also possible using the key equation together with the half-gcd algorithm. The resulting algorithms run in operations in where and denotes the length and the dimension of the Gabidulin code respectively.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1]
- 2[2] A. Benoit, A. Bostan, J. van der Hoeven, Quasi-optimal Multiplication of Linear Differential Operators Proceedings of the 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science (2012)
- 3[3] R. Burger, A. Heinle A Diffie-Hellman-like Key Exchange Protocol Based on Multivariate Ore Polynomials, http://arxiv.org/abs/1407.1270 (preprint, 2014)
- 4[4] X. Caruso, J. Le Borgne, A new faster algorithm for factoring skew polynomials over finite fields J. Symbolic Comput. 79 (2017), 411–443
- 5[5] J.-M. Couveignes, R. Lercier, Elliptic Periods for Finite Fields , Finite Fields Appl., 15 (2009), 1–22
- 6[6] M. Deuring, Galoissche Theorie und Darstellungstheorie , Math. Ann. 107 (1932), 140–144
- 7[7] J. von zur Gathen, J. Gerhard, Modern Computer Algebra , Cambridge University Press, Cambridge (2003)
- 8[8] J. von zur Gathen, M. Giesbrecht, Constructing normal bases in finite fields , J. Symbolic Comput. 10 (1990), 547–570
