3

Suppose I have $p_1(x), p_2(x) \in GF(2)[x]$ and fields $F_1 = GF(2)[x]/p_1(x), F_2 = GF(2)[x]/p_2(x)$ where both are isomorphic to $GF(2^n)$.

I know that if $p_1(x) \neq p_2(x)$ then it is possible to show that $\operatorname{Tr}_{F_1}(x^k) = \operatorname{Tr}_{F_2}(\beta x^{jk})$ for some value of $j$ (an integer) and $\beta \in F_2$, where $j \nmid 2^n-1$. (Essentially the sequences $y_1[k] = \operatorname{Tr}_{F_1}(x^k)$ and $y_2[k] = \operatorname{Tr}_{F_2}(x^k)$ can be derived from each other by decimations and shifts.)

Is there any way to compute $j$, given $p_1$ and $p_2$, aside from trial and error? (The value of $\beta$ is easy to compute once you know $j$; I know how to do it in computer code by running an LFSR backwards given $n$ consecutive samples of $y_1[k]$ and $y_2[k]$, but I'm not sure how to express it in math.)

Note that $j$ is not unique and can be multiplied by any power of 2, yielding identical results with an appropriate change in $\beta$ — in particular $\operatorname{Tr}_{F_2}(\beta x^{jk}) = \operatorname{Tr}_{F_2}((\beta x^{jk})^d)$ with $d = 2^m$, if I did my math correctly, so a substitution of $j \mapsto dj$ and $\beta \mapsto \beta^d$ should leave the trace unchanged.

Jason S
  • 3,179
  • Presumably $p_1(x)$ and $p_2(x)$ are both primitive. For otherwise no such $j$ necessarily exists. But, your actual question may be difficult. Factoring $p_2(x)$ over $F_1$ would still leave us an instance of a discrete logarithm problem. Can you give a ballpark range for the value of $n$? – Jyrki Lahtonen Oct 19 '17 at 15:18
  • I can deal with discrete logarithms, I'm familiar with the basic methods out there (like Silver-Pohlig-Hellman). The ones I would be using are probably in the $n=32$ to $n=72$ range, and they are of the smooth variety... but I'm interested if there's a general answer. Yes, the polynomials are primitive. I guess I forgot to note that factors of 2 in $j$ are indistinguishable (e.g. you can't distinguish $j=1$ from $j=2, 4, 8$, etc.) – Jason S Oct 20 '17 at 02:38
  • If I can reshape this from a weird trace problem to a discrete logarithm problem, I can take it from there, I just don't know how to do it. – Jason S Oct 20 '17 at 02:51
  • Also posted (with more LFSR-oriented details) on https://dsp.stackexchange.com/questions/44920/computing-the-decimation-ratio-between-two-m-sequences – Jason S Nov 03 '17 at 15:30

1 Answer

1

I finally asked this question on mathoverflow.net and got a very helpful answer.

The short answer is to follow essentially the following procedure:

  • Find any root $y_1 \in F_1$ of $p_2(y)$ in the polynomial ring $F_1[y]$ --- these are the polynomials $p(y)$ which have coefficients that are elements in $F_1$ and are themselves polynomials.

  • Take the discrete logarithm to determine $j$ such that $x^j = y_1$.

  • Any decimation ratio in the cyclotomic coset of $j$ is a valid decimation ratio.

I've written up a longer description in my blog post which includes the use of a factoring method that partitions $p(y)$ as $p(y) = \gcd(p(y),S(x^ky))\gcd(p(y),S(x^ky)-1)$ where $S(u) = u + u^2 + u^4 + u^8 + \ldots + u^{2^N-1}$, which is mentioned in Lidl + Niederreiter and also in http://blog.fkraiem.org/2013/12/01/polynomial-factorisation-over-finite-fields-part-3-final-splitting-cantor-zassenhaus-in-odd-characteristic/.

Jason S
  • 3,179
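The procedure in the answer above, worked through on a small field as an added example (not code from the original post or the linked blog). The choices $n = 5$, $p_1 = x^5+x^2+1$ and $p_2 = x^5+x^4+x^3+x^2+1$ are constructed for illustration; an exhaustive search over powers of $x$ stands in for the factoring and discrete-logarithm steps, which is only practical at this size. It uses the true field trace on both sides, so $\beta = 1$ and the check is $\operatorname{Tr}_{F_2}(x^k) = \operatorname{Tr}_{F_1}(x^{jk})$.

```python
# Elements of GF(2)[x]/p(x) are ints: bit i is the coefficient of x^i, so x == 2.

def gf_mul(a, b, p, n):
    """Multiply a*b in GF(2)[x]/p(x), where p has degree n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce by p
            a ^= p
    return r

def gf_pow(a, e, p, n):
    """Square-and-multiply exponentiation in GF(2)[x]/p(x)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, p, n)
        a = gf_mul(a, a, p, n)
        e >>= 1
    return r

def poly_eval(q, y, p, n):
    """Evaluate q (coefficients in GF(2)) at the field element y, by Horner."""
    r = 0
    for i in reversed(range(q.bit_length())):
        r = gf_mul(r, y, p, n) ^ ((q >> i) & 1)
    return r

def trace(a, p, n):
    """Tr(a) = a + a^2 + a^4 + ... + a^(2^(n-1)); the result is 0 or 1."""
    t = 0
    for _ in range(n):
        t ^= a
        a = gf_mul(a, a, p, n)
    return t

def find_j(p1, p2, n):
    """Smallest j with p2(x^j) = 0 in F1 (root search and dlog in one pass)."""
    y = 1
    for j in range(1, 2**n - 1):
        y = gf_mul(y, 2, p1, n)
        if poly_eval(p2, y, p1, n) == 0:
            return j
    raise ValueError("p2 has no root among the powers of x in F1")

def coset(j, n):
    """Cyclotomic coset of j modulo 2^n - 1."""
    return sorted({(j << m) % (2**n - 1) for m in range(n)})

def decimation_holds(p1, p2, n, j):
    """Check Tr_F2(x^k) == Tr_F1(x^(j*k)) over one full period."""
    return all(trace(gf_pow(2, k, p2, n), p2, n) ==
               trace(gf_pow(2, j * k, p1, n), p1, n) for k in range(2**n - 1))

N, P1, P2 = 5, 0b100101, 0b111101   # constructed sample polynomials
```

For the $n = 32$ to $n = 72$ range mentioned in the comments, `find_j` would have to be replaced by actual root finding in $F_1[y]$ followed by a discrete logarithm, as the answer describes.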