Primitive polynomials
4.5.3 Primitive polynomials
Primitive polynomials were introduced at the beginning of §4.5. Let $f(x) \in \mathbb{Z}_p[x]$ be an irreducible polynomial of degree $m$. If the factorization of the integer $p^m - 1$ is known, then Fact 4.76 yields an efficient algorithm (Algorithm 4.77) for testing whether or not $f(x)$ is a primitive polynomial. If the factorization of $p^m - 1$ is unknown, there is no efficient algorithm known for performing this test.
4.76 Fact Let $p$ be a prime and let the distinct prime factors of $p^m - 1$ be $r_1, r_2, \ldots, r_t$. Then an irreducible polynomial $f(x) \in \mathbb{Z}_p[x]$ is primitive if and only if for each $i$, $1 \le i \le t$:
$$x^{(p^m-1)/r_i} \not\equiv 1 \pmod{f(x)}.$$
(That is, $x$ is an element of order $p^m - 1$ in the field $\mathbb{Z}_p[x]/(f(x))$.)
4.77 Algorithm Testing whether an irreducible polynomial is primitive
INPUT: a prime $p$, a positive integer $m$, the distinct prime factors $r_1, r_2, \ldots, r_t$ of $p^m - 1$, and a monic irreducible polynomial $f(x)$ of degree $m$ in $\mathbb{Z}_p[x]$.
OUTPUT: an answer to the question: “Is $f(x)$ a primitive polynomial?”
1. For $i$ from 1 to $t$ do the following:
   1.1 Compute $l(x) = x^{(p^m-1)/r_i} \bmod f(x)$ (using Algorithm 2.227).
   1.2 If $l(x) = 1$ then return(“not primitive”).
2. Return(“primitive”).

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Table 4.6: Irreducible trinomials $x^m + x^k + 1$ over $\mathbb{Z}_2$. For each $m$, $1 \le m \le 722$, for which an irreducible trinomial of degree $m$ in $\mathbb{Z}_2[x]$ exists, the table lists the smallest $k$ for which $x^m + x^k + 1$ is irreducible over $\mathbb{Z}_2$.

Table 4.7: Irreducible trinomials $x^m + x^k + 1$ over $\mathbb{Z}_2$. For each $m$, $723 \le m \le 1478$, for which an irreducible trinomial of degree $m$ in $\mathbb{Z}_2[x]$ exists, the table gives the smallest $k$ for which $x^m + x^k + 1$ is irreducible over $\mathbb{Z}_2$.

There are precisely $\phi(p^m - 1)/m$ monic primitive polynomials of degree $m$ in $\mathbb{Z}_p[x]$ (Fact 2.230), where $\phi$ is the Euler phi function (Definition 2.100). Since the number of monic irreducible polynomials of degree $m$ in $\mathbb{Z}_p[x]$ is roughly $p^m/m$ (Fact 4.67(ii)), it follows that the probability of a random monic irreducible polynomial of degree $m$ in $\mathbb{Z}_p[x]$ being primitive is approximately $\phi(p^m - 1)/p^m$. Using the lower bound for the Euler phi function (Fact 2.102), this probability can be seen to be at least $1/(6 \ln \ln p^m)$. This suggests the following algorithm for generating primitive polynomials.
4.78 Algorithm Generating a random monic primitive polynomial over $\mathbb{Z}_p$
INPUT: a prime $p$, integer $m \ge 1$, and the distinct prime factors $r_1, r_2, \ldots, r_t$ of $p^m - 1$.
OUTPUT: a monic primitive polynomial $f(x)$ of degree $m$ in $\mathbb{Z}_p[x]$.
1. Repeat the following:
   1.1 Use Algorithm 4.70 to generate a random monic irreducible polynomial $f(x)$ of degree $m$ in $\mathbb{Z}_p[x]$.
   1.2 Use Algorithm 4.77 to test whether $f(x)$ is primitive.
   Until $f(x)$ is primitive.
2. Return($f(x)$).

For each $m$, $1 \le m \le 229$, Table 4.8 lists a polynomial of degree $m$ that is primitive over $\mathbb{Z}_2$. If there exists a primitive trinomial $f(x) = x^m + x^k + 1$, then the trinomial with the smallest $k$ is listed. If no primitive trinomial exists, then a primitive pentanomial of the form $f(x) = x^m + x^{k_1} + x^{k_2} + x^{k_3} + 1$ is listed.
If $p^m - 1$ is prime, then Fact 4.76 implies that every irreducible polynomial of degree $m$ in $\mathbb{Z}_p[x]$ is also primitive. Table 4.9 gives either a primitive trinomial or a primitive pentanomial of degree $m$ over $\mathbb{Z}_2$ where $m$ is an exponent of one of the first 27 Mersenne primes (Definition 4.35).
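
Algorithm 4.77 as an added Python example (not code from the Handbook): polynomials are coefficient lists with the lowest degree first, and the names `prime_factors`, `mulmod`, `x_power_mod` and `is_primitive` are chosen here. It assumes $m \ge 2$ and that $f(x)$ is already known to be monic and irreducible; the trial-division factoring is only suitable for small $p^m - 1$.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (small n only)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + [n] if n > 1 else out

def mulmod(a, b, f, p):
    """a(x)*b(x) mod f(x) over Z_p; lists hold coefficients, lowest degree first."""
    m = len(f) - 1
    prod = [0] * (2 * m - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    for d in range(2 * m - 2, m - 1, -1):   # cancel degree d using monic f
        c = prod[d]
        for k in range(m + 1):
            prod[d - m + k] = (prod[d - m + k] - c * f[k]) % p
    return prod[:m]

def x_power_mod(e, f, p):
    """x^e mod f(x) by square-and-multiply (step 1.1)."""
    m = len(f) - 1
    result, base = [1] + [0] * (m - 1), [0, 1] + [0] * (m - 2)
    while e:
        if e & 1:
            result = mulmod(result, base, f, p)
        base = mulmod(base, base, f, p)
        e >>= 1
    return result

def is_primitive(f, p, factors=None):
    """Algorithm 4.77; f is assumed monic and irreducible of degree m >= 2."""
    m = len(f) - 1
    if m < 2 or f[-1] != 1:
        raise ValueError("need a monic polynomial of degree >= 2")
    n, one = p ** m - 1, [1] + [0] * (m - 1)
    return all(x_power_mod(n // r, f, p) != one
               for r in (factors or prime_factors(n)))

if __name__ == "__main__":
    # Constructed inputs: two irreducible degree-8 polynomials over Z_2.
    print(is_primitive([1, 1, 0, 1, 1, 0, 0, 0, 1], 2))  # x^8+x^4+x^3+x+1
    print(is_primitive([1, 0, 1, 1, 1, 0, 0, 0, 1], 2))  # x^8+x^4+x^3+x^2+1
```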