Chapter 1

Finite Fields

This chapter aims at giving the main definitions and properties of finite fields which will be
needed in the rest of the document. Much more details can be found in [McE87] and [LN83].

1.1 Definitions
Definition 1.1 (Field). A field is a set F with two operations + and × satisfying the following
properties:

• F is an Abelian group under + with identity element 0;

• The nonzero elements of F form an Abelian group under ×, with identity element 1;

• × distributes over +, i.e., a × (b + c) = a × b + a × c for any a, b, c ∈ F.

The number of elements in a field F is called the order of F. The field is finite if it has
a finite number of elements. Infinite fields include the real numbers, the rational numbers or
the complex numbers. For any prime number p, the set of integers modulo p, Z/pZ is a finite
field.

Definition 1.2 (Characteristic). Let F be a multiplicative field. The characteristic of F is, if

it exists, the smallest nonzero integer c such that

1 {z· · · + 1} = 0 .
|+1+
c times

If there is no such integer, the characteristic is zero.

Clearly, a finite field F with q elements involves two groups: the additive group F of order q
and the multiplicative group F∗ = F\{0} of order (q −1). The following notions are important
when the multiplicative subgroup is considered.

Definition 1.3 (Order of an element in a group). Let G be a finite Abelian multiplicative

group. For any fixed a ∈ G, the subgroup generated by a, denoted by hai consists of all powers
of a. Its order is called the order of a, i.e.,

order(a) = |hai| = min{i > 0 : ai = 1} .

3
4 Chapter 1. Finite Fields

Proposition 1.4. Let G be a finite Abelian multiplicative group. For any a ∈ G, the order
of a divides the order of G. In particular, a|G| = 1.

Proof. Let a be a fixed element in G. We define the following relation on G:

bRc ⇔ ∃i : ai × b = c .

This is clearly an equivalence relation since it is reflexive, symmetric and transitive. All
equivalence classes have size order(a) and they form a partition of G. This implies that
order(a) divides the size of G. 

As a direct corollary, we get that the order of any nonzero element in a field with q elements
divides (q − 1), leading to the following analogous of Fermat’s little theorem.

Corollary 1.5. Any element x in a finite field of order q satisfies xq = x.

1.2 Existence and uniqueness of finite fields

Now, we prove that the number of elements in a finite field must be a power of prime. Indeed,
any finite field can be defined as a finite dimensional vector space over the field of integers
modulo p, for some prime p.

Theorem 1.6. Let F be a finite field with q elements. Then, q = pm for some prime p.
Indeed, the following properties hold:

• F has characteristic p;

• F is a vector space over Fp of dimension m.

Proof. Let γi denote the sum of i 1s:

γi = |1 + ·{z
· · + 1}
i times

All γi belong to Fq and since Fq is finite, there exist i and j, i < j such that γi = γj , implying
that γj−i = 0. It follows that the characteristic of Fq is a nonzero integer c.
Suppose that c is not a prime, i.e., c = ab. Since multiplication distributes over addition

γa × γb = γc = 0 .

Because F is a field, either γa or γb is zero, which contradicts the fact that F has characteristic c.
Then, the characteristic of F is a prime p.
Moreover, F contains the set {0, 1, γ2 , . . . , γp−1 } which corresponds to the field of integers
modulo p, Fp . Now, we can show that (F, +) is a vector space over Fp where the scalar
multiplication · is defined by:

∀λ ∈ Fp , ∀x ∈ Fq , λ · x = x
| + ·{z
· · + x} .
λ times
Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 5

Indeed, λ · x = x × γλ . Using that γλ × γµ = γλ×µ andγλ + γµ = γλ+µ , we can check that

(λ + µ) · x = x × γλ+µ = x × (γλ + γµ ) = λ · x + µ · x
(λ × µ) · x = x × γλ×µ = x × (γλ × γµ ) = λ · (µ × x)
λ · (x + y) = (x + y) × γλ = x × γλ + y × γλ = λ · x + λ · y
1·x = x×1=x.

It follows that F is a vector space over Fp , implying that its size q is equal to pm for some
m > 0. 

A common terminology is that a field with pm elements is an extension field of Fp of

degree m. Similarly, the field of complex numbers is an extension field of R of degree 2.
Using that the characteristic of a finite field is a prime, we deduce the following useful
proposition.
Proposition 1.7. Let F be a field of characteristic p. Then, for any a, b ∈ F and any integer
i > 0, we have
i i i i i i
(a + b)p = ap + bp and (a − b)p = ap − bp .
Proof. The second formula is a direct consequence of the first one by using that
i i i i
ap = ((a − b) + b)p = (a − b)p + bp .

The first formula is proved by induction on i. For i = 1, we write

p−1  
p p
X
p p i p−i
(a + b) = a + b + ab = ap + bp
i
i=1

where the second equality comes from the fact that, for 1 ≤ i ≤ p − 1,
 
p (p − i + 1) . . . (p − 1)p
= ≡ 0 mod p .
i i!
Indeed, p is a prime (from Theorem 1.6) and divides the numerator, while it cannot divide
the denominator which is composed of integers smaller than p.
Then, the induction step consists in observing that
i i−1 i−1 i i
(a + b)p = ((a + b)p )p = (ap + bp )p = ap + bp .

Now, it can be proved that, for any q = pm where p is a prime, there exists a finite
field with q elements. Moreover, this field is unique up to isomorphism. This motivates the
following notation: Fq denotes the field with q elements. Another common notation is GF (q),
which stands for Galois field.
The next theorem uses the notion of splitting field of a univariate polynomial: for a given
field F, we consider a polynomial P ∈ F[X], i.e., a polynomial in X with coefficients in F. The
splitting field of P over F is then the smallest field which contains all roots of P . Such a field
exists, is an extension of F and is unique up to an isomorphism which keeps the elements of F
fixed [LN83, Theorem 1.91]. For instance, the splitting field of X 2 + 1 over R is the field of
complex numbers.
6 Chapter 1. Finite Fields

Theorem 1.8. For any prime p and any nonzero integer m, there exists a finite field of
order pm . Any finite field of order pm is isomorphic to the splitting field of the polynomial
m
X p − X over Fp .

Proof.

m
• Existence: We want to show that the splitting field F of P (X) = X p − X over Fp is a
field with pm elements. First, all roots of P are distinct. Indeed, a is a multiple root of
a polynomial P if and only if it is a root of P and of its derivative P 0 . This comes from
the fact that, for P (X) = (X − a)k Q(X) with k > 0, P 0 (X) = k(X − a)k−1 Q(X) +
m
(X − a)k Q0 (X). For P (X) = X p − X, we get P 0 (X) = −1 over Fp , implying that P
m
has no multiple root. Now, the set S of all roots of P , i.e., of all a such that ap = a,
is a subfield of F since it satisfies the following three conditions:

– S contains 0 and 1 since P (0) = P (1) = 0.

– For any a, b ∈ S, (a − b) belongs to S: indeed, from Proposition 1.7
m m m
(a − b)p = ap − bp = a − b .

– For any nonzero a, b ∈ S, (a × b−1 ) belongs to S: we use that

m m m
(a × b−1 )p = ap × (bp )−1 = a × b−1 .

Then, by definition of the splitting field, S = F and it has cardinality q m .

• Uniqueness: Let F be a field of order pm . Then, from Theorem 1.6, F has characteristic p.
It follows from Proposition 1.4 that the order of any nonzero element in the multiplicative
m
group F∗ divides (pm −1). Thus, any nonzero element a ∈ F satisfies ap −1 = 1, implying
m
that any a ∈ F satisfies P (a) = ap − a = 0. In other words, any element in F is a root
of P . Since P has exactly pm roots, F is the splitting field of P over Fp , which is unique
up to an isomorphism which keeps the elements of F fixed.

As a direct corollary, we get a necessary and sufficient condition for belonging to a field
with q elements.

Corollary 1.9. An element x belongs to a field with q elements, q = pm for some prime p, if
and only if xq = x.

1.3 Multiplicative group of a finite field

Since Fq with q = pm is a vector space over Fp , every element in Fq can be represented as an
m-tuple of integers modulo p. Adding two elements then consists in adding the two tuples
coordinate-wise. But, this representation is not appropriate for multiplying elements. Instead,
efficient multiplication exploits the structure of the multiplicative group (F∗q , ×).
Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 7

Definition 1.10. Let G be a finite Abelian multiplicative group. An element a in G is called

a generator of G if its order is equal to the size of G. The group G is said to be cyclic if it
contains a generator, i.e., if there exists g such that
G = hgi = {g i , 0 ≤ i < |G|} .
The number of generators in a cyclic group is determined by the Euler φ-function.
Proposition 1.11. The Euler φ-function is defined over the set of integers by
φ(n) = |{i, 1 ≤ i ≤ n : gcd(i, n) = 1}| .
Then, the number of generators in any finite cyclic group of order n is equal to φ(n).
Proof. Let G be a cyclic group of order n and g be a generator of G, i.e.,
G = {g i , 0 ≤ i < n} .
Then, the number of generators of G is the number of integers i such that order(g i ) = n, i.e.,
n is the smallest integer r such that g ir = 1. Since g is a generator, g ir = 1 if and only if n
divides ir. Then, there is no r < n such that n|ir if and only if i is coprime with n. 
It is well-known that the Euler φ-function satisfies the following property (see e.g. [McE87,
Page 35] for a proof): X
φ(d) = n .
d|n

By inverting this formula (see [McE87, Pages 60-65]), we get

• If p is a prime, then φ(p) = p − 1;
• If gcd(n, m) = 1, then φ(nm) = φ(n)φ(m);
Q  
• If n = i pm 1
Q
i
i
, then φ(n) = n i 1 − pi ;

We know that, if r does not divide (q − 1), there is no element of order r in F∗q . Using the
Euler φ-function, we can now determine the number of elements of order r when r divides (q −
1).
Theorem 1.12. For any integer r such that r|(q − 1), the number of elements of order r in
the multiplicative group F∗q is equal to φ(r) and F∗q has a unique subgroup of order r.
Proof. By definition, the elements of order r in F∗q correspond to the roots of X r − 1 in F∗q .
Let a ∈ F∗q be an element of order r. Then, the cyclic group generated by a corresponds
to the set of all roots of X r − 1. Indeed, any element in hai is a root of X r − 1, and hai
has order r while X r − 1 has at most r roots. Therefore, the elements of order r in F∗q
correspond to the multiplicative subgroup hai. Moreover, we know from Proposition 1.11 that
hai contains φ(r) elements of order r, implying that, if there exists an element of order r in
F∗q , then there are exactly φ(r) such
P elements. Using that the order of an element divides
(q − 1) (Proposition 1.4) and that r|(q−1) φ(r) = q − 1, we get that there exist φ(r) elements
of order r for any r|(q − 1). 
An immediate consequence of the previous theorem is that the number of generators of
the multiplicative group F∗q is φ(q − 1) which is nonzero.
Corollary 1.13. The multiplicative group F∗q is a cyclic group of order (q −1). Each generator
of F∗q is called a primitive element of Fq .
8 Chapter 1. Finite Fields

1.4 Constructing finite fields

We now need to link the additive structure of a finite field coming from the vector space
interpretation and the multiplicative structure coming from the representation of all nonzero
elements by the powers of a primitive element.

Theorem 1.14. Let p be a prime and P be an irreducible polynomial of degree m with coef-
ficients in Fp . Then, the set of all residue classes modulo P is a field with pm elements.

Proof. We consider the set F of all polynomials in Fp [X] with degree at most (m − 1), since
it is a set of representatives of the residue classes modulo P . It is clear that this set F is an
Abelian group under addition modulo P in Fp [X] with identity element 0. If × denotes the
multiplication modulo P in Fp [X], we get that the product of two elements in F lie in F. Also,
× is commutative and distributes over addition. Therefore, we only have to prove that, for any
element A in F there exists a B ∈ F such that A × B = 1. By definition of the multiplicative
law, this means that the two polynomials satisfy

A(X)B(X) ≡ 1 mod P (X) .

This can be directly deduced from the Bezout’s identity: since P is irreducible, then any
polynomial A with degree at most (m − 1) is coprime with P implying that there exist two
polynomials U and V in Fp [X] such that

A(X)U (X) + P (X)V (X) = 1 .

Thus, we get that B(X) = U (X) mod P (X) is the multiplicative inverse of A. 

The field with pm elements can then be constructed from any irreducible polynomial of
degree m.

Example 1.1. Constructing F8 . The polynomial P (X) = X 3 + X + 1 is irreducible over

F2 , otherwise it would have a factor of degree 1, i.e., a root in F2 , while P (0) = P (1) = 1.
Then, F23 can be represented by all triples (a, b, c) of elements in F2 , or equivalently by all
polynomials of the form aX 2 + bX + c in F2 [X]. Then, addition and multiplication correspond
to the addition and multiplication modulo P (X) of (aX 2 + bX + c) in F2 [X]. For instance,

(1, 1, 0) + (0, 1, 1) = (X 2 + X) + (X + 1) = (1, 0, 1)

(1, 1, 0) × (0, 1, 1) = (X 2 + X)(X + 1) mod P (X) = (X 3 + X) mod P (X) = (0, 0, 1) .

The notation is usual simplified by denoting by α the residue class of X, which corresponds to
the element (0, 1, 0). Since by construction P (α) = 0, we then say that F23 is obtained from
F2 by adjoining a root of P . With this notation, the elements of F8 can be seen as quadratic
polynomials in α. They are then added and multiplied in the ordinary way and we use that
P (α) = 0, i.e., α3 = α + 1, to reduce powers of α of degree greater than or equal to 3. For
instance,
α4 = α3 α = (α + 1)α = α2 + α .
By computing the successive powers of α, we can check that α is a primitive element of F8 as
shown in the following table. Indeed, we know from Theorem 1.12 that F∗8 contains φ(1) =
Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 9

1 element of order 1 and φ(7) = 6 elements of order 7, implying that all elements different
from 1 are generators of F∗8 .

powers of α − α0 α α2 α3 α4 α5 α6
polynomials in α 0 1 α α2 α + 1 α2 + α α2 + α + 1 α2 + 1

We observe that this correspondence leads to efficient multiplication. For instance, we check
with this table that (α2 + α)(α + 1) corresponds to α4 · α3 = α7 = 1, as previously computed.


1.5 Minimal polynomials

m
We know that any element a ∈ Fpm is a root of X p − X. But a given a ∈ Fpm may also
satisfy a lower-degree equation with coefficients in Fp .
Definition 1.15. The minimal polynomial over Fp of an element a ∈ Fpm is the lowest-degree
monic polynomial Ma with coefficients in Fp such that Ma (a) = 0.
Proposition 1.16. Let a ∈ Fpm and Ma be its minimal polynomial over Fp . Then
1. Ma is irreducible over Fp ;

2. deg Ma ≤ m;
m
3. If a is a root of P ∈ Fp [X], then Ma divides P . In particular, Ma divides X p − X.
i
4. Ma is the minimal polynomial of all ap for 1 ≤ i ≤ m.
Proof.

1. If Ma is not irreducible, there exist two monic polynomials P and Q in Fp [X] of degree
less than deg Ma such that Ma = P Q. Since Ma (a) = 0, we have P (a)Q(a) = 0,
implying that one of these two polynomials, for instance P , satisfies P (a) = 0 and
deg P < deg Ma . This contradicts the fact that Ma is the lowest-degree polynomial in
Fp [X] with a as a root.

2. Since Fpm is a vector space of dimension m over Fp , the (m + 1) elements 1, a, a2 , . . . , am

cannot be linearly independent, i.e., there exist λ0 , . . . , λm ∈ Fp such that
m
X
λi ai = 0 .
i=0
Pm i.
Then, a is a root of P (X) = i=0 λi X It follows that the degree of Ma is at most m.

3. If P (a) = 0, we write
P (X) = Q(X)Ma (X) + R(X)
with 0 ≤ deg R < deg Ma . Then, R(a) = 0, leading to R = 0 since there is no polynomial
in Fp [X] with a as a root of degree less than deg Ma . It follows that Ma divides P . In
m
particular, Ma divides X p − X from Corollary 1.5.
10 Chapter 1. Finite Fields

i
P
4. Obviously, we need to prove the assertion for i = 1 only. Let P (X) = i cP i X be a
p ip
polynomial with coefficients in Fp . Then, from Proposition 1.7, P (X)p = i ci X .
Moreover, since all ci are in Fp , we deduce from Corollary 1.5 that P (X)p = P (X p ). It
follows that the minimal polynomial of ap is the lowest-degree polynomial P such that
P (ap ) = 0, or equivalently P (a) = 0. Then P is the minimal polynomial of a.

i
The elements of the form ap are called the conjugates of a with respect to Fp .
Proposition 1.17. Let a ∈ Fpm and d be the smallest integer r such that
r
ap = a ,

or equivalently the smallest integer r such that

pr ≡ 1 mod order(a) .

Then, d divides m and it corresponds to the number of distinct conjugates of a with respect
to Fp . Moreover, the minimal polynomial of a over Fp is
d−1
i
Y
Ma (X) = (X − ap ) .
i=0

pr
Proof. We first observe that a = a implies that the order of a divides (pr −1), or equivalently
r
that pr ≡ 1 mod order(a). Conversely, if pr ≡ 1 mod order(a), then ap = a. Therefore the
two definitions of d are equivalent. Also, d divides m: if we write m = cd + r with 0 ≤ r < d,
we get that
m cd r
 cd pr r
a = ap = ap p = ap = ap ,
which contradicts the fact that d is the smallest integer satisfying this property.
i
Now, we show that the set {ap , 0 ≤ i < m} has size d. Since this set is finite, we denote
j +r j j r
by (j0 , r) the pair of indices with the lowest r such that ap 0 = ap 0 . Then, ap 0 (p −1) = 1,
implying that the order of a divides pj0 (pr −1). However, order(a) is a divisor of (pm −1) (from
Prop 1.4), and then it is coprime with pj0 . We then deduce that order(a) divides (pr − 1). As
r
a consequence, r is the smallest integer such that ap = a, which corresponds to the definition
i
of d. Thus, the set {ap , 0 ≤ i ≤ m} has cardinality d.
i pi
Since all ap have the same minimal polynomial as a, we deduce that P (X) = d−1
Q
i=0 (X−a )
divides Ma (X). Moreover, all coefficients P of P are in Fp . Indeed, we have that P (X p ) =
p
(P (X)) . But for any polynomial Q(X) = i ci X i , Q(X)p = Q(X p ) is equivalent to
X p X X p
ci X ip = ci X ip ⇔ (ci − ci )X ip = 0 .
i i i

Then, i (cpi − ci )X ip is the zero polynomial, that means that all its coefficients are zero, i.e.,
P
cpi = ci . Using Corollary 1.9, we obtain that all coefficients lie in Fp . Then, P is the minimal
polynomial of a. 

A consequence of Proposition 1.17 together with Theorem 1.8 is that the product of all
distinct minimal polynomials of elements of Fq is equal to X q − X.
A natural notion for describing the conjugates of an element is the following.
Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 11

Definition 1.18. For any integer i, the cyclotomic coset of i modulo (pm − 1) is the set

{i, pi, p2 i, p3 i, . . . , pd−1 i}

where d is the smallest integer such that pd ≡ 1 mod pm − 1.

Example 1.2. Minimal polynomials of the elements of F8 . We come back to the
construction of F8 by adjoining to F2 a root P (X) = X 3 + X + 1, as in Example 1.1. We
can now compute the minimal polynomials of all elements in F8 . We compute all cyclotomic
cosets, namely all sets C(i) = {i2j mod 7, 0 ≤ j < 3}. We then get C(1) = {1, 2, 4} and
C(3) = {3, 6, 5}. We deduce the conjugacy classes of all elements in F∗8 .

cyclotomic coset conjugate elements minimal polynomial

{0} 1 X +1
{1, 2, 4} α, α2 , α4 X3 + X + 1
{3, 5, 6} α3 , α5 , α6 X3 + X2 + 1

By construction, Mα (X) = X 3 + X + 1. The minimal polynomial of α3 can be computed

in several ways, e.g., by searching for a linear combination of α3 , α5 and α6 which vanishes
or by expanding (X + α3 )(X + α5 )(X + α6 ). Also, we only need to observe that Mα3 has
degree 3 and that the coefficient of X 2 is the sum of the three roots, namely α3 + α5 + α6 = 1.
Since Mα3 is irreducible over F2 , it has an odd number of nonzero coefficients, implying that
Mα3 (X) = X 3 + X 2 + 1.
We can check that factoring X 8 +X over F2 leads to the product of all minimal polynomials:

X 8 + X = X(X + 1)(X 3 + X + 1)(X 3 + X 2 + 1) .


For any primitive element α ∈ Fpm , the minimal polynomial of αi is the product of all
(X − αs ) where s varies in the cyclotomic coset of i modulo (pm − 1). Clearly, any primitive
element in Fpm has m conjugates, implying that its minimal polynomial has maximal degree.
Corollary 1.19. If a is a primitive element of Fpm then Ma has degree m. Such a polynomial
is called a primitive polynomial.
Constructing Fpm from two different irreducible polynomials P of degree m leads to two
isomorphic versions of the field. However, choosing P to be a primitive polynomial has the
advantage that any nonzero element can also be written as a power of α where α is a root
of P . A table of all monic irreducible polynomials (and their orders) of small degree over Fp
for p ∈ {2, 3, 5, 7} can be found in [LN83, Pages 553-562]. Also, Table D in [LN83, Page 563]
provides a primitive polynomial of degree m over F2 for 1 ≤ m ≤ 100. This last table is then
very helpful for constructing finite fields of characteristic 2.
Example 1.3. Constructing F9 . For constructing F9 , we choose an irreducible polynomial
of degree 2 with coefficients in F3 . For instance, P (X) = X 2 + X + 2 since it can be easily
checked that P has no root in F3 . Then, F9 is obtained from F3 by adjoining a root of P .
With this notation, the elements of F9 can be seen as polynomials of degree 1 in α where
α2 = 2α + 1. For instance,

α3 = α2 α = (2α + 1)α = 2(2α + 1) + α = 2α + 2 .

12 Chapter 1. Finite Fields

We then get the following correspondence between the representation of the elements by powers
of α, and the representation by affine polynomials in α, showing that α is a primitive element
of F9 .

powers of α − α0 α α2 α3 α4 α5 α6 α7
affine polynomials in α 0 1 α 2α + 1 2α + 2 2 2α α + 2 α + 1

We can also construct F9 by adjoining a root β of another irreducible polynomial of degree 2

over F3 , for instance Q(X) = X 2 + 1. Then, by definition, β 2 = −1 = 2. We can then easily
check that β 3 = 2β, and β 4 = 1. Therefore, β has order 4 and does not generate the
multiplicative group F∗9 : the multiplicative subgroup generated by β is {1, 2, β, 2β}. However,
since F9 contains φ(8) = 4 generators, we deduce that any of the other four elements of F9 ,
i.e., (β + 1), (β + 2), (2β + 1) and (2β + 2), generates F∗9 . For instance, the following table
shows that (β + 1) is a generator of F9 :

powers of (β + 1) β + 1 (β + 1)2 (β + 1)3 (β + 1)4 (β + 1)5 (β + 1)6 (β + 1)7

affine polys in β β+1 2β 2β + 1 2 2β + 2 β β+2

We have then constructed two versions of F9 , from two different irreducible polynomials.
However, these two versions are isomorphic since we can check that the function ψ of F9
defined by
ψ(aα + b) = a(β + 1) + b
for any a and b in F3 is a field isomorphism. Indeed, for x = (aα + b) and y = (cα + d), we
have ψ(x + y) = ψ(x) + ψ(y). Moreover,

ψ(α)2 = (β + 1)2 = 2β = 2(β + 1) + 1 = ψ(2α + 1) = ψ(α2 ) .

We then deduce that, for x = aα + b and y = cα + d,

ψ(xy) = acψ(α2 ) + (ad + bc)ψ(α) + bd = acψ(α)2 + (ad + bc)ψ(α) + bd = ψ(x)ψ(y) .

We can also compute the minimal polynomials over F3 of all elements (β + 1)i in F9 . We
observe that there are 3 cyclotomic cosets of size 2 and two of size 1. The sizes of the cyclotomic
cosets correspond to the degrees of the minimal polynomials. The constant coefficient of any
minimal polynomial is equal to the product of its roots, which is easily determined from the
previous table. For minimal polynomials of degree 2, the coefficient of X is equal to the sum of
the two conjugate elements. For instance, the minimal polynomial of (β+1)2 has degree 2 since
its roots are (β +1)2 and (β +1)6 . The coefficient of X is then (β +1)2 +(β +1)6 = 2β +β = 0,
and the constant coefficient is (β + 1)8 = 1. We directly deduce that the minimal polynomial
of (β + 1)2 is X 2 + 1.

cyclotomic coset conjugate elements minimal polynomial

{0} 1 X +2
{1, 3} (β + 1), (β + 1)3 X 2 + 2X + 2
{2, 6} (β + 1)2 , (β + 1)6 X2 + 1
{4} (β + 1)4 X +1
{5, 7} (β + 1)5 , (β + 1)7 X2 + X + 2
Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 13

Again, we can check that the product of all minimal polynomials corresponds to the factori-
sation of X 9 − X over F3 :

X 9 − X = X(X + 1)(X + 2)(X 2 + 2X + 2)(X 2 + 1)(X 2 + X + 2) .

1.6 Subfields
We have seen that the multiplicative group Fpm contains some multiplicative subgroups which
correspond to the cyclic groups generated by the elements of order r with r|m. We can also
characterise the subfields of Fq . We first need the following useful lemma.

Lemma 1.20. Let n be an integer n ≥ 2, and i and j be two nonzero integers. Then

(ni − 1)|(nj − 1) if and only if i|j .

Proof. Using that, for any k and any x,

xk − 1 = (x − 1)(xk−1 + xk−2 + . . . + 1) ,

we deduce that, if j = ik, then (ni − 1) divides (nik − 1).

Conversely, we write j = qi + r with 0 ≤ r < i. Then,

nj − 1 = nr (nqi − 1) + (nr − 1) .

If (ni − 1) divides the left-hand term, then it divides (nr − 1) since we have proved that it
divides (nqi − 1). This is impossible unless r = 0 because r < i. 

Now, we can prove the following.

Theorem 1.21. Every subfield of Fpm has order pd where d is a positive divisor of m. Con-
versely, if d is a positive divisor of m, then there exists exactly one subfield of Fpm with
pd elements.

Proof. We first show that any subfield of Fpm has size pd with d|m. Let F be a subfield of
Fpm . Obviously, F is a finite field with characteristic p implying that it has order pd for some
integer d. From Corollary 1.13, there exists some α which generates F. This element has then
order (pd − 1). From Proposition 1.4, we deduce that (pd − 1) divides (pm − 1), which implies
from Lemma 1.20 that d is a divisor of m.
Conversely, we now consider a positive divisor d of m. Using Lemma 1.20, (pd − 1) is
a divisor of (pm − 1). It follows from Theorem 1.12 that Fpm contains some element of
order (pd − 1). Let
d
F = {x ∈ Fpm : xp = x} .
d d d
Then, we can easily check that F is a field since for any x, y ∈ F, (x − y)p = xp − y p = x − y
d d d
and (xy −1 )p = xp (y p )−1 = xy −1 . Moreover, it contains at least an element of order (pd −1).
Therefore, F has size pd . Clearly, there is only one subfield of Fpm of order (pd − 1), otherwise
d
the polynomial xp − x would have more than pd roots. 
14 Bibliography

Example 1.4. Subfields of F26 . From the previous theorem, F26 has three (nontrivial)
subfields of order 2, 22 and 23 respectively. Indeed, if we consider a primitive element α in
F26 , we can check that, for any d|6,
63
{0} ∪ hα 2d −1 i
63
is a subfield of order 2d since α 2d −1 is an element of order (2d − 1). The three subfields of F26
are then:
{0, 1}, {0, 1, α21 , α42 } and {0, 1, α9 , α18 , α27 , α36 , α45 , α54 } .
If we now focus on the multiplicative subgroups of F∗26 , we get the subgroups of order 3
and 7 derived from the previous subfields, and two additional subgroups of respective orders 9
and 21, namely
hα7 i and hα3 i .


Exercises
Exercise 1.1. Prove that the integers modulo n do not form a field if n is not prime.
Exercise 1.2. If q 6= 2, show that X
x=0.
x∈Fq

Exercise 1.3. Without factoring X 63 + X over F2 , determine how many irreducible factors
it has over F2 and their degrees.
Exercise 1.4. Construction of F16 .
1. Let α be a root of X 4 + X + 1. Compute all successive powers of α. Is α a primitive
element in F16 ?

2. Compute α7 × α11 and α7 + α11 in F16 .

3. Determine all non-trivial multiplicative subgroups of F∗16 .

4. Determine the order of each element in F16 .

5. Compute the minimal polynomial of α, of α5 , of α3 and of α7 .

6. Let β be a root of X 4 + X 3 + X 2 + X + 1. Is the set {1, β, β 2 , β 3 } a basis of F16 over

F2 ?

Bibliography
[LN83] R. Lidl and H. Niederreiter. Finite Fields. Cambridge University Press, 1983.

[McE87] Robert J. McEliece. Finite Fields for Computer Scientists and Engineers. Kluwer
Academic Publishers, 1987.