Some Results on Linearized Trinomials that Split Completely
Gary McGuire
School of Mathematics and Statistics, University College Dublin, Ireland
Daniela Mueller
School of Mathematics and Statistics, University College Dublin, Ireland
Abstract
Linearized polynomials over finite fields have been much studied over the last several decades. Recently there has been a renewed interest in linearized polynomials because of new connections to coding theory and finite geometry. We consider the problem of calculating the rank or nullity of a linearized polynomial (where ) from the coefficients . The rank and nullity of are the rank and nullity of the associated -linear map . McGuire and Sheekey [MS19] defined a matrix with the property that
[TABLE]
We present some consequences of this result for some trinomials that split completely, i.e., trinomials that have nullity . We give a full characterization of these trinomials for .
1 Introduction
Let be the finite field with elements, where is a prime power. Let
[TABLE]
be a -linearized polynomial with coefficients in . The roots of that lie in the field form an -vector space, which can have dimension anywhere between 0 and .
The dimension of the space of roots of that lie in is equal to the nullity of considered as an -linear map from to . McGuire and Sheekey [MS19] defined a matrix with the property that
[TABLE]
The entries of can be computed directly from the coefficients of .
In this paper we focus on the case of largest possible nullity, i.e., the case that has all its roots in . In this case, , and so has rank 0 and is therefore the zero matrix. Thus we will be studying when . This case of largest possible nullity was also obtained in [CMPZ19].
We also restrict to trinomials. When computing the rank or nullity, we may assume without loss of generality that is monic. We will study polynomials of the form
[TABLE]
where is a prime power and . We want to find such that splits completely over , i.e., has roots in . Thus, the problem becomes finding such that . We will provide a full characterization of this situation for . Our results are summarized and stated in the following theorem.
Theorem 1.1.
1. If and does not divide , then there is no polynomial with that splits completely over .
2. Let with . Let . Then has roots in if and only if and .
3. Let . Let . Then has roots in if and only if all the following hold:
   - where
   - is a power of the characteristic of
   - where .
We will prove part 1 in Section 2, part 2 in Section 3 and part 3 in Sections 4 and 5. In Section 6 we present a possible application to elliptic curve cryptography.
Our result generalizes a result of Csajbók et al. [CMPZ18] which states that (where ) cannot have roots in if is odd. This is the case of our theorem. Also in that paper, the authors give one example of a trinomial that does split completely when , , and . Our theorem characterizes fully the trinomials that split completely and allows us to count their number (for each nonzero of norm 1 there is one polynomial, so there are such trinomials).
One can trivially obtain some results by taking -th powers. For example, when , the trinomial cannot have roots in . This follows by taking the power of the trinomial. Our theorem extends this to a larger range of values of .
One recent application of calculating the rank of linearized polynomials concerns rank metric codes and MRD codes, see [She19]. In particular, we would obtain an -linear MRD code from a space of linearized polynomials of dimension over , with the property that every nonzero element has rank at least . For example, in the case , we would obtain an MRD code from the set of all trinomials () if all of them have nullity 0 or 1 or 2.
Finally, we set the scene for our results. We are seeking and such that splits over . The companion matrix of as defined in [MS19] is the matrix
[TABLE]
We define , where means raising every matrix entry to the power of . As stated above, splits completely over if and only if .
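As an added illustration (not code from the paper), the following Python script checks the [MS19] criterion just described in a constructed small case: q = 2, n = 4, the field F_16 built as F_2[alpha]/(alpha^4 + alpha + 1), and trinomials of the constructed shape x^{q^2} + a x^q + b x (so d = 2). The companion matrix A_L has 1s on the subdiagonal and the negated coefficients in its last column, A_{L,n} = A_L A_L^{(q)} ... A_L^{(q^{n-1})}, and the formula checked is nullity(L) = d - rank(A_{L,n} - I), quoted from [MS19] because the page's own rendering of it did not survive; the script goes beyond the text by surveying every (a, b) in F_16^2 and comparing the formula with a brute-force root count.

```python
import itertools, math
from functools import reduce
P, N, MOD = 2, 4, (1, 1, 0, 0, 1)  # q = p = 2, F_{q^n} = F_16 = F_2[alpha]/(alpha^4 + alpha + 1); constructed
ZERO, ONE = (0,) * N, (1,) + (0,) * (N - 1)           # elements are coefficient tuples, low -> high
FIELD = list(itertools.product(range(P), repeat=N))    # all q^n field elements
def fadd(u, v): return tuple((a + b) % P for a, b in zip(u, v))
def fneg(u): return tuple(-a % P for a in u)
def fmul(u, v):                    # multiply as polynomials in alpha, then reduce modulo the monic MOD
    prod = [0] * (2 * N - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] = (prod[i + j] + a * b) % P
    for k in range(2 * N - 2, N - 1, -1):              # top degree first; indices >= N are discarded
        for i in range(N):
            prod[k - N + i] = (prod[k - N + i] - prod[k] * MOD[i]) % P
    return tuple(prod[:N])
def fpow(u, e):                    # square-and-multiply over the exponent bits, high -> low
    r = ONE
    for bit in bin(e)[2:]:
        r = fmul(fmul(r, r), u) if bit == "1" else fmul(r, r)
    return r
def frob(u): return fpow(u, P)                         # Frobenius x -> x^q
def finv(u): return fpow(u, P ** N - 2)                # x^{-1} = x^{q^n - 2} for x != 0

def L_eval(coeffs, x):             # L(x) = sum_i coeffs[i] * x^{q^i}; monic, so coeffs[-1] == ONE, d = len - 1
    acc, xi = ZERO, x
    for c in coeffs: acc, xi = fadd(acc, fmul(c, xi)), frob(xi)
    return acc
def nullity_bruteforce(coeffs):    # roots in F_{q^n} form an F_q-space, so #roots = q^nullity
    return round(math.log(sum(L_eval(coeffs, x) == ZERO for x in FIELD), P))
def companion(coeffs):             # A_L: 1s on the subdiagonal, last column = -coeffs (first column is e_2)
    d = len(coeffs) - 1
    return [[fneg(coeffs[i]) if j == d - 1 else ONE if i == j + 1 else ZERO for j in range(d)] for i in range(d)]
def matmul(A, B):
    return [[reduce(fadd, map(fmul, row, col), ZERO) for col in zip(*B)] for row in A]

def rank(M):                       # Gaussian elimination over F_{q^n}
    M, r = [row[:] for row in M], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c] != ZERO), None)
        if piv is None: continue
        M[r], M[piv] = M[piv], M[r]
        inv = finv(M[r][c])
        M[r] = [fmul(inv, e) for e in M[r]]
        for i in (i for i in range(len(M)) if i != r):
            M[i] = [fadd(e, fneg(fmul(M[i][c], g))) for e, g in zip(M[i], M[r])]
        r += 1
    return r
def nullity_rank_formula(coeffs):  # d - rank(A_{L,n} - I) with A_{L,n} = A_L A_L^{(q)} ... A_L^{(q^{n-1})}
    prod = cur = companion(coeffs)
    for _ in range(N - 1):
        cur = [[frob(e) for e in row] for row in cur]  # next Frobenius twist A_L^{(q^k)}
        prod = matmul(prod, cur)
    for i in range(len(prod)): prod[i][i] = fadd(prod[i][i], fneg(ONE))
    return len(prod) - rank(prod)

def survey_trinomials():           # all x^{q^2} + a x^q + b x over F_16: (#method mismatches, #that split)
    nulls = [(nullity_bruteforce((b, a, ONE)), nullity_rank_formula((b, a, ONE)))
             for a in FIELD for b in FIELD]            # coeffs[i] multiplies x^{q^i}
    return sum(u != v for u, v in nulls), sum(u == 2 for u, _ in nulls)
```

`survey_trinomials()` returns `(0, 35)`: the two methods never disagree, and the 35 trinomials that split completely are exactly the subspace polynomials of the 35 two-dimensional F_2-subspaces of F_16 (here n = 4 lies outside the range of Theorem 1.1, so this only exercises the rank criterion, not the theorem).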
2 Fixed not dividing and
In this section we will prove the first part of Theorem 1.1.
Theorem 2.1.
If and does not divide , then there is no polynomial with that splits completely over .
- Proof.
We will write instead of as is fixed throughout the proof.
If then . Indeed, if then the entry of is [math], so .
Note that . But the 1st column of is . Thus, the entry of is the entry of . If then the entry of is also the entry of .
Let denote the entry of . Then , and for , since .
Set . Then for , we have a recursive formula, which follows directly from matrix multiplication:
[TABLE]
Claim: for and .
Proof of Claim: We prove the claim by induction on . The base case was done above. Note that if then . So if the claim is true for , then we have , i.e. the claim is true for . This completes the proof of the claim.
Note that when , then , so the claim is not true for .
For the remaining not divisible by , we will show that the entry of cannot be 1 if the entry is 0 for some , and thus cannot be the identity matrix. Note that the entry of is .
For , we have and thus
[TABLE]
Since , we have . But is the entry of for . If then the entry must be [math], so we must have , and thus .
Recall that the entry of is . But must be either 0 or a power of , since all initial values of the recursive formula are either or [math]. Therefore, if , we have and so . ∎
Remark 2.1.
The proof is not valid when divides . If with , the entry of is for , and so we have the equation and cannot deduce that .
The recursive formula (1) established in the proof of Theorem 2.1 is valid in greater generality: Set , and for and . For and , let
[TABLE]
Then is the entry of . Furthermore, the entry of is .
3 Fixed dividing and
In the case that divides , we have a solution, namely and , i.e., the polynomial splits completely because has a subfield . We now characterize exactly which polynomials split completely.
Theorem 3.1.
Let with . Let . Then has roots in if and only if and .
- Proof.
By Remark 2.1, if splits completely, we have . Now the entry of is . For , this is . For , we have . But by the claim in the proof of Theorem 2.1, we have for . Thus
[TABLE]
But if then , and since , we must have .
To show the converse, assume that and . Then the entry of is
[TABLE]
By [CMPZ19, Corollary 3.2], this implies that . ∎
4 Fixed and
In this section we will prove some preliminary results which are part of the proof of Theorem 1.1 part 3.
4.1 Assuming splits completely
If , then, the entry of is (where ). So to get , the following system of equations has to be satisfied for
[TABLE]
Lemma 4.1.
where .
- Proof.
By the recursive formula (2), . But it follows from the claim in the proof of Theorem 2.1 that for . Thus
[TABLE]
∎
Lemma 4.2.
where and .
- Proof.
By the recursive formula (2),
[TABLE]
By Lemma 4.1, . Also as established in the proof of Theorem 2.1.
Therefore
[TABLE]
∎
Theorem 4.1.
Let . Let . If has roots in then
1.
2.
3.
where and .
- Proof.
If , then equation (3) has to be satisfied. By Lemma 4.1, we have (the entry of ), and by Lemma 4.2, we have (the entry of ). But if , then , and thus we have . Raising both sides to the power of gives us . Since is a prime power, in . Thus, which proves the third conclusion.
Lemma 4.1 says which now implies
[TABLE]
and so . (Note that since .)
Recall that . So if is even, then is even. If is odd, then is odd for all . So if is even, then is an even sum of odd numbers and thus even, and if is odd, then is an odd sum of odd numbers and thus odd. Thus, . Since in we have .
By [MS19, Corollary 1], if splits, then , where is the norm function over . So we have the additional condition or . But , so is always odd. Consequently, .
Hence, satisfies the equations
[TABLE]
∎
In the next section we will show that conclusion 1 of this theorem actually implies conclusion 2.
4.2 GCD of and
The GCD of and is well known to be , but we are interested in the GCD of and . The following is surely well known, but we include a proof.
Theorem 4.2.
The GCD of and is if and are both odd, and otherwise.
- Proof.
Let and let be Bézout coefficients for and , i.e. . Let . Then and . Thus . So divides . We need to check if divides and .
Let and . Then and similarly, . So we need to have and , i.e. all need to be odd. But implies , so odd implies odd. Thus if are odd, then . ∎
Remark 4.1.
Similarly, one can show that if is even and is odd.
Lemma 4.3.
Let and let and . Then
[TABLE]
- Proof.
We first show that . Recall that and . Then
[TABLE]
We claim that with and gives us exactly the numbers . Assuming the truth of this claim, . Since divides , divides and thus and the result is proved.
It remains to prove the claim. To see this, we will show that the sets
[TABLE]
and
[TABLE]
are equal, and it is easy to see that all values in the second set are distinct.
Fixing and varying gives us the numbers
[TABLE]
When then and all these numbers are of the form where and .
When , then and we subtract to get . Now since , and thus is not of the above form with . ∎
Corollary 4.1.
Let and let and . Then
[TABLE]
- Proof.
If is even, then both and are odd. Recall that . So if is odd, then is odd if is odd, and even if is even. But is always odd, so is odd. We have already established in the proof of Theorem 4.1 that if is odd, then is odd if is odd, and even if is even. Now is odd if and are odd and even if is odd but is even. But either or is always even, so is even. Thus is odd. Consequently, by Theorem 4.2
[TABLE]
for any . ∎
Corollary 4.2.
In the conclusions of Theorem 4.1, conclusion 1 implies conclusion 2.
5 The Main Result
In this section, we will prove the third part of the main theorem as stated in the introduction. The following lemma is surely well known, but we include a short proof.
Lemma 5.1.
for all if and only if is a power of .
- Proof.
If is a power of , then the above binomial coefficients are divisible by . On the other hand, we claim that if , where , and , then is not divisible by . First note that . Thus . Now write with . Then which is not divisible by . ∎
Finally, we present the last part of the proof of the main theorem.
Theorem 5.1.
Let and . Let . Then has roots in if and only if each of the following holds:
1.
2.
3. is a power of the characteristic of .
- Proof.
Recall that the entry of is . We will first show that
[TABLE]
whenever the three conditions of the theorem are fulfilled. By [CMPZ19, Corollary 3.2], this implies that .
Let . By the recursion (2),
[TABLE]
Since (condition 2 in the statement of the theorem) we have
[TABLE]
So the coefficient of in (5) that comes from expanding is the same as the coefficient that comes from expanding .
Let , , and . Thus (5) is saying that
[TABLE]
One can see Pascal's triangle emerging. We claim that
[TABLE]
for all , where are expressions in and , determined by the following recursion:
[TABLE]
We have shown the statement for . Assume that the statement is true for any index less than . Then
[TABLE]
Let . Then , i.e.
[TABLE]
and hence
[TABLE]
Then
[TABLE]
and
[TABLE]
and by (6), these two expressions are equal.
Thus
[TABLE]
as desired. This completes the proof of the claim.
We now have
[TABLE]
since when .
As before, let and .
Then
[TABLE]
Also
[TABLE]
Thus
[TABLE]
since (condition 1 in the statement of the theorem).
Hence,
[TABLE]
since and when and .
So far we have only used conditions 1 and 2 in the statement of the theorem (so note for later that conditions 1 and 2 imply (7)). Assume now that condition 3 holds. By Lemma 5.1, for all because . This completes the proof that if the three conditions in the statement hold, then splits completely.
Now we complete the proof of the theorem by showing the converse, i.e. we show that if splits completely then the three conditions in the statement hold. Theorem 4.1 and Corollary 4.2 show that if splits completely, then conditions 1 and 2 of the theorem hold. Because conditions 1 and 2 hold, we know that (7) holds.
On the other hand, since splits completely, for all . Therefore for all . We now use the fact that is a power of , and is therefore nonzero because is nonzero. We are forced to conclude that for all . This implies that is a power of the characteristic of by Lemma 5.1. ∎
6 Possible Application to Cryptography
6.1 Quasi-Subfield Polynomials
The recent work [HKP+18] explored the use of quasi-subfield polynomials to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP). They define quasi-subfield polynomials as polynomials of the form which divide and where . For appropriate choices of and , linearized polynomials have a chance of being quasi-subfield polynomials. We first observe that the polynomials in Theorem 5.1 are quasi-subfield polynomials.
Lemma 6.1.
The linearized polynomial is a quasi-subfield polynomial when all the following conditions are satisfied.
1.
2.
3. is a power of the characteristic of .
- Proof.
Here, and so the condition is satisfied. By Theorem 5.1, divides . ∎
6.2 The ECDLP
Let be an elliptic curve over a finite field , where is a prime power. In practice, is often a prime number or a large power of 2. Let and be -rational points on . The Elliptic Curve Discrete Logarithm Problem (ECDLP) is finding an integer (if it exists) such that . The integer is called the discrete logarithm of to base .
The ECDLP is a hard problem that underlies many cryptographic schemes and is thus an area of active research. The introduction of summation polynomials by [Sem04] has led to algorithms that resemble the index calculus algorithm of the DLP over finite fields.
The algorithm to solve the ECDLP in [HKP+18] also uses summation polynomials, so we recall their definition.
Definition 6.1.
[Sem04] Let be an elliptic curve over a field . For , we define the summation polynomial of by the following property. Let , then if and only if there exist such that and , where is the identity element of .
The summation polynomials have many terms and have only been computed for .
[HKP+18] develop an algorithm to solve the ECDLP over the field using a quasi-subfield polynomial and the summation polynomial . By [HKP+18, Theorem 3.2] (see also Appendix A1) their algorithm has complexity
[TABLE]
6.3 Linearized Quasi-Subfield Polynomials
One of the problems outlined in [HKP+18] is to find suitable quasi-subfield polynomials that give optimal complexity in their algorithm. So in this section, we will investigate whether the linearized polynomials in this paper are a suitable choice.
In our notation the field is so brute force algorithms have complexity and generic algorithms (Pollard Rho or Baby-Step-Giant-Step) have complexity.
If and we use as in Lemma 6.1 as our quasi-subfield polynomial, then we get complexity
[TABLE]
for the algorithm in [HKP+18]. However, since for any , this will not beat generic discrete log algorithms. Thus it appears that the polynomials of Theorem 5.1 will not lead to an ECDLP algorithm that beats generic algorithms, although they can beat brute force algorithms.
Remark 6.1.
We briefly discuss adding another term of small degree, for example, an term. Suppose we have a linearized polynomial which splits completely and with (so is a quasi-subfield polynomial). Then the algorithm of [HKP+18] has complexity
[TABLE]
To beat generic discrete log algorithms, we require at least and , which implies and therefore . As an example, if we choose and then we have inside the . This means that the overall complexity can beat generic algorithms over (for sufficiently large). For example, a choice of around when , , would give a complexity for .
To obtain an estimate for smaller field sizes we may try , which implies that . These choices would give us complexity
[TABLE]
which is not better than generic algorithms. One example of a linearized polynomial which splits completely and matches these choices (, ) is .
7 Conclusion and open questions
We have provided necessary and sufficient conditions for to have all roots in .
The recursive formula that we found for trinomial linearized polynomials is valid for more general linearized polynomials too: Let .
Set , and for and . For and , let
[TABLE]
Then is the entry of . Furthermore, the entry of is .
We are currently working on extending these results to this more general case, for example, to polynomials of the form .
We thank Christophe Petit and John Sheekey for helpful conversations.
This research was supported by a Postgraduate Government of Ireland Scholarship from the Irish Research Council.
References
- [CMPZ18] Bence Csajbók, Giuseppe Marino, Olga Polverino, and Yue Zhou. Maximum rank-distance codes with maximum left and right idealisers, 2018.
- [CMPZ19] Bence Csajbók, Giuseppe Marino, Olga Polverino, and Ferdinando Zullo. A characterization of linearized polynomials with maximum kernel. Finite Fields and Their Applications, 56:109–130, 2019.
- [HKP+18] Ming-Deh A. Huang, Michiel Kosters, Christophe Petit, Sze Ling Yeo, and Yang Yun. Quasi-subfield polynomials and the elliptic curve discrete logarithm problem. MathCrypt 2018, 2018.
- [MS19] Gary McGuire and John Sheekey. A characterization of the number of roots of linearized and projective polynomials in the field of coefficients. Finite Fields and Their Applications, 57:68–91, 2019.
- [Sem04] Igor Semaev. Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2004/031, 2004. http://eprint.iacr.org/2004/031
- [She19] John Sheekey. MRD codes: Constructions and connections. arXiv, 2019. https://arxiv.org/abs/1904.05813
