Quadratic Equations in Finite Fields of Characteristic 2

Klaus Pommerening

May 2000 – english version February 2012

Quadratic equations over fields of characteristic 6= 2 are solved by the well known
quadratic formula that up to rational operations reduces the general case to the square
root function, the inverse of the square map x 7→ x2 . The solvability of a quadratic
equation can be decided by looking at the discriminant—essentially the argument of the
square root in the formula.
The situation in characteristic 2 is somewhat different.

1 The general solution

Let K be a field of characteristic 2. We want to study the roots of a quadratic
polynomial
f = aT 2 + bT + c ∈ K[T ] with a 6= 0.
The case b = 0—the degenerate case—is very simple. We have

a · f = (aT )2 + ac = g(aT ) with g = T 2 + ac ∈ K[T ].

The squaring map x 7→ x2 is an F2 -linear monomorphism of K, an automorphism if K is

perfect, for example finite. Therefore ac has at most one square root in K, and exactly
one square root in the algebraic closure K̄. Let ac = d2 . Then g has exactly the one
root d, and f has exactly the one root ad in K̄. For an explicit determination we have to
extract the square root from ac in K or in an extension field L of degree 2 of K, i. e. to
invert the square map in K or L. Remember that the square map is linear over F2 . For
examples see Section 3 below.
Now let b 6= 0. Because the derivative f 0 = b is constant 6= 0, f has two distinct
(simple) roots in the algebraic closure K̄. The transformation
a a a ac a ac
· f = ( T )2 + T + 2 = g( T ) with g = T 2 + T + d, d = ∈ K,
b2 b b b b b2
reduces our task to the roots of the polynomial g. Let u be a root of g in K̄. Then u + 1
is the other root by Vieta’s formula, and u(u + 1) = d, that is d = u2 + u. Therefore
the problem for the general quadratic polynomial is reduced to the Artin-Schreier
polynomial T 2 + T + d, and thereby to inverting the Artin-Schreier map K −→ K,
x 7→ x2 + x. Note that this map also is linear. However in general it is neither injective

1
nor surjective. Its kernel is the set of elements x with x2 = x, that is the prime field
F2 inside of K. The preimages u and u + 1 of a given element d ∈ K may be found
in K or in a quadratic extension L = K(u) of K. To get the roots of f we set d = ac b2
and determine a preimage u of d under the Artin-Schreier map. Then a root of f is
x = bu b
a ; the other root is x + a .

2 The case of a finite field

Now we consider the case where K is finite. Then K has 2n elements for some n, and
coincides with the field F2n up to isomorphism. The trace of an element x ∈ K is given
by the formula
n−1
Tr(x) = x + x2 + · · · + x2 .
It is an element of the prime field F2 , i. e, 0 or 1, and Tr(x2 ) = Tr(x).

Lemma 1 Let K be a finite field with 2n elements. Then the polynomial

g = T 2 + T + d ∈ K[T ] has a root u in K, if and only if Tr(d) = 0. In this case
g = h(T + u) with h = T 2 + T .

Proof. “=⇒”: If u ∈ K, then Tr(d) = Tr(u2 ) + Tr(u) = 0.

“⇐=”: For the converse let Tr(d) = 0. Then
n−1
0 = Tr(d) = d + d2 + · · · + d2
n n−1
= (u2 + u) + (u4 + u2 ) + · · · + (u2 + u2 )
2n
= u+u ,
n
hence u2 = u, and therefore u ∈ K.
The addendum is trivial. 3

Remark Let L be a quadratic extension of K, and T̃r : L −→ F2 its trace function.

Then L ∼
= F22n and
n−1 n 2n−1
T̃r(x) = x + x2 + · · · + x2 + x2 + · · · + x2 .
n
For x ∈ K we have x2 = x, hence T̃r(x) = 0. This is consistent with the statement
of the lemma that g = T 2 + T + d ∈ K[T ] has a root in L.

Corollary 1 g = T 2 + T + d ∈ K[T ] is irreducible, if and only if Tr(d) = 1. If this is

the case, then g = h(T + r) with h = T 2 + T + e, where e is an arbitrarily chosen element
of K with Trace Tr(e) = 1, and r ∈ K is a solution of r2 + r = d + e.

Proof. g is irreducible in K[T ], if and only if it has no root in K. The addendum follows
because d + e has trace 0, hence has the form r2 + r. 3

2
Note 1. The lemma is a special case of Hilbert’s Theorem 90, additive form.

Note 2. The Artin-Schreier Theorem generalizes these results to arbitrary finite

base fields Fq instead of F2 , and to polynomials T q − T − d. It characterizes the
cyclic field extensions of degree q.

We have shown:

Proposition 1 (Roots) Let K be a finite field of characteristic 2, and let

f = aT 2 + bT + c ∈ K[T ] be a polynomial of degree 2. Then:
(i) f has exactly one root in K ⇐⇒ b = 0.

(ii) f has exactly two roots in K ⇐⇒ b 6= 0 and Tr( ac

b2
) = 0.

(iii) f has no root in K ⇐⇒ b 6= 0 and Tr( ac

b2
) = 1.

Proposition 2 (Normal form) Let K be a finite field of characteristic 2, and f =

aT 2 + bT + c ∈ K[T ] be a polynomial of degree 2 i. e. a 6= 0. Then there is a k ∈ K ×
and an affine transformation α : K −→ K, α(x) = rx + s with r ∈ K × and s ∈ K, such
that
k · f ◦ α = T 2 , T 2 + T, or T 2 + T + e,
where e ∈ K is a fixed (but arbitrarily chosen) element of Trace Tr(e) = 1. In the case
of odd n = dim K we may chose e = 1.

3 Examples
As we have seen the key to solving quadratic equations in characteristic 2 is solving
systems of linear equations whose coefficient matrix is the matrix of the Artin-Schreier
map, or the square map in the degenerate case. To explicitly solve quadratic equations
over a finite field K of characteristic 2 we first have to fix a basis of K over F2 . There are
several options, and none of them is canonical. One option is to build a basis successively
along a chain of intermediate fields between F2 and K.
For this we first consider a field extension L of K of degree 2. If K has 2n elements,
then the cardinality of L is 22n , and we may construct L from K by adjoining a root t
of an irreducible degree 2 polynomial T 2 + T + d ∈ K[T ] where Tr(d) = 1, see Lemma 1.
Then a basis of L over K is {1, t}, and if {u1 , . . . , un } is a basis of K over F2 , then
{u1 , . . . , un , tu1 , . . . , tun } is a basis of L over F2 .
Now the square map has the same effect on the ui in L as in K, and

(tui )2 = t2 u2i = (t + d)u2i = t · u2i + d · u2i .

If we denote by Qn resp. Q2n the matrices of the square maps of K or L with respect
to the chosen bases, then  
Qn Ld Qn
Q2n = ,
0 Qn

3
where Ld is the matrix of the left multiplication by d in P
K. The QnPin the right lower
2
corner of the matrix comes from the fact that t · ui = t · qij uj = qij tuj where the
qij are the matrix coefficients of Qn .
Note that for odd n we may choose d = 1, hence Ld = 1n , the n × n unit matrix.
The matrix An of the Artin-Schreier map is 1n + Qn , this means that in Qn we
simply have to complement the diagonal entries, i. e. interchange 0 and 1.

The case n = 1
Let us first consider the simplest case K = F2 . Its F2 -basis is {1}, and the matrices
are the 1 × 1-matrices Qn = (1) and An = (0). Solving quadratic equations is trivial.

The case n = 2
The field F4 is an extension of F2 of degree 2. An F2 -basis is {1, t} where t2 = t + 1.
The general consideration above gives
   
1 1 0 1
Q2 = , A2 = .
0 1 0 0

Solving quadratic equations (in the nondegenerate case) amounts to finding a preimage
x = (x1 , x2 ) of b = (b1 , b2 ) in the 2-dimensional vectorspace F22 under A2 . This gives a
system of 2 linear equations over F2 :
     
x2 x1 b
= A2 = 1 .
0 x2 b2

This is solvable if and only if b2 = 0, and all (in fact two) solutions are

x1 arbitrary (i. e. 0 or 1) and x2 = b1 .

For later use we note that Tr(t) = t + t2 = 1 and

 
0 1
Lt = .
1 1

The case n = 3
The field F8 has an F2 -basis {1, s, s2 } where s3 + s = 1. The square map maps 1 7→ 1,
s 7→ s2 , s2 7→ s2 + s. We have the matrices
   
1 0 0 0 0 0
Q3 = 0 0 1 , A3 = 0 1 1 .
0 1 1 0 1 0

4
For preimages under the Artin-Schreier map we have the system of 3 linear equations
A3 x = b, or    
0 b1
x2 + x3  = b2  .
x2 b3
It has a solution if and only if b1 = 0, and then its two solutions are

x1 arbitrary, x2 = b3 , x3 = b2 + b3 .

The case n = 4
The field F16 is an extension of F4 of degree 2 and has an F2 -basis {1, t, u, tu} where
u2 + u = t. We have
   
  1 1 0 1 0 1 0 1
Q2 Lt Q2 0 1 1 0 0 0 1 0
Q4 = = , A4 =  .
0 Q2 0 0 1 1 0 0 0 1
0 0 0 1 0 0 0 0

The system of 4 linear equations to solve becomes A4 x = b, or

   
x2 + x4 b1
 x3  b2 
 x4  = b3  .
   

0 b4

It is solvable if and only if b4 = 0, and then its two solutions are

x1 arbitrary, x2 = b1 + b3 , x3 = b2 , x4 = b3 .

For use with F256 we note that Tr(tu) = 1 and

   
0 0 1 1 0 0 1 0
0 0 1 0 0 0 1 1
Ltu = 
0 1 0 1 , Ltu Q4 = 0
  .
1 1 1
1 1 1 1 1 0 0 1

The case n = 5
The field F32 has an F2 -basis {1, t, t2 , t3 , t4 } with t5 = t2 + 1. Squaring maps 1 7→ 1,
t 7→ t2 , t2 7→ t4 , t3 7→ t3 + t, t4 7→ t3 + t2 + 1. Therefore
   
1 0 0 0 1 0 0 0 0 1
0 0 0 1 0 0 1 0 1 0
   
Q5 =   0 1 0 0 1  , A5 = 0 1 1 0
  1.
0 0 0 1 1 0 0 0 0 1
0 0 1 0 0 0 0 1 0 1

5
The system A5 x = b of 5 linear equations is
   
x5 b1
 x2 + x4  b2 
   
x2 + x3 + x5  = b3  .
   
 x5  b4 
x3 + x5 b5

It has a solution if and only if b1 = b4 , and then its two solutions are

x1 arbitrary, x2 = b3 + b5 , x3 = b1 + b5 , x4 = b2 + b3 + b5 , x5 = b1 .

The case n = 6
The field F64 is an extension of F8 of degree 2. Therefore—after choosing a suitable
basis—we have
   
1 0 0 1 0 0 0 0 0 1 0 0
0 0 1 0 0 1 0 1 1 0 0 1
     
Q3 Q3 0 1 1 0 1 1 0 1 0 0 1 1
Q6 = = , A6 =  .
0 Q3 0 0 0 1
 0 0
0
 0 0 0 0 0
0 0 0 0 0 1 0 0 0 0 1 1
0 0 0 0 1 1 0 0 0 0 1 0

The system of 6 linear equations to solve becomes A6 x = b, or

   
x4 b1
x2 + x3 + x6  b2 
   
x2 + x5 + x6  b3 
 = .

 0  b4 
  
 x5 + x6  b5 
x5 b6

It is solvable if and only if b4 = 0, and then its two solutions are

x1 arbitrary, x2 = b3 + b5 , x3 = b2 + b3 + b6 , x4 = b1 , x5 = b6 , x6 = b5 + b6 .

The case n = 8
As a final example we consider F256 , a quadratic extension of F16 . It has a basis
{1, t, u, tu, v, tv, uv, tuv} with t and u as in F16 and v 2 = v + tu. By the general principle

6
and knowing Ltu we have
   
1 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0
0 1 1 0 0 0 1 1 0 0 1 0 0 0 1 1
   
0 0 1 1 0 1 1 1 0 0 0 1 0 1 1 1
   
0 0 0 1 1 0 0 1 0 0 0 0 1 0 0 1
Q8 = 0
, A8 =  .
 0 0 0 1 1 0 1

0
 0 0 0 0 1 0 1

0 0 0 0 0 1 1 0 0 0 0 0 0 0 1 0
   
0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0

Solving for preimages of A8 runs as before.