The Frobenius endomorphism is defined as:
where p is the characteristic of the ring you’re working with. Simple, right?
If you’re working with a field with prime order, then Frobenius is actually the identity map. Since the order of the multiplicative subgroup is p, when you raise to the power of p you get back to x due to Fermat’s little theorem. Things get more interesting when you’re working with a extension field (i.e. a field which order is a prime power).
I’m studying pairings for my master’s degree and the Frobenius endomorphism appears all the time in their computation. For example, you need to do a “final exponentation” which can be split in multiple exponentiations, and some of them are to the power of p. This is good because powering to p is “easy” due to Frobenius, or at least all the papers I read said so. But for a while I couldn’t see why, and that’s the reason I’m posting this. It’s really easy; it’s just not that obvious to see why.
Why Frobenius is easy?
Say you’re working with a quadratic extension, that is, with a field where p is a prime. You can represent this group with polynomials of degree 1 which can be added the usual way and multiplied taking the result modulo a irreducible polynomial of degree 2. To understand why this makes sense, I recommend this excellent write-up at Everything2. Assume that you pick a irreducible polynomial in the form . Working modulo this polynomial is the same thing as working in a “world” where . (You could of course work with a polynomial in the form but that would complicate things.)
So every element of can be written as . What happens when you apply the Frobenius endomorphism? Let’s see:
Why is that so? That’s a known fact about the Frobenius, check the explanation at Wikipedia for more details. But basically, the expansion of has many terms, but only the first and the last survive because all others are multiples of p. Since we’re working with coefficients modulo p, they are all zero.
Let’s continue. Since , then raising to the power of p won’t change them (yep, that’s Frobenius again). So we have:
There’s only left to bother us. If p is odd (not 2), then you can rearrange this as:
Now remember that we’re working in a “world” where . Then we get:
That’s why Frobenius is easy: “a” stays the same, all you need to do is multiply “b” with . But according to Euler’s criterion, since is not a square (if it were, wouldn’t be irreducible), we have . Then the formula gets much simpler:
A concrete example
Just for the sake of concreteness, let’s work out an example. I’ll use Sage for that, but I’ll explain what each command does.
sage: K = GF(7)
We create a field with 7 elements (that’s actually integers modulo 7).
sage: K(5)^7 5
We take the element 5 and power to 7. We get 5 again. If you don’t believe it works for all elements:
sage: [(x,x^7) for x in K] [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5), (6, 6)]
Let’s create .
sage: KR.<X> = GF(7)
This creates a polynomial ring with the X variable and coefficients in , just to allow us to specify the modulus in the next step:
sage: K2.<X> = GF(7^2, modulus=X^2+1)
We create the field using the variable X (I’m overwriting the X used in the ring, you could use other name) and modulus (so ). Let’s take an arbitrary element to the power of 7:
sage: (3*X + 2)^7 4*X + 2
Remeber when then . And modulo 7, -3 is actually 4, so the result is correct (of course!). Again, if you don’t believe it works for all elements:
sage: all(x^7 == (x.vector() - x.vector()*X) for x in K2) True
This checks, for all elements in the field K2, if the element raised to the power of 7 is equal to the element built with our special formula. The method
vector() returns the coefficients of the polynomial as a list. The
all function is a relatively unknown function of Python that returns True if all the elements of the iterable passed to it evaluate to True (there’s
Extensions of higher degree
The trick to calculate the Frobenius endomorphism also works for extensions of higher degree. When implementing them, usually using a tower of extensions is more efficient then using a direct extension. For example, when working with , you can represent it as a quadratic extension of , which can be represented as a cubic extension of , which can be represented as a quadratic extension of .
For example, for built this way, with , you just apply the same trick explained above. The only difference is that a and b to the power of p aren’t a and b themselves, but that’s not a problem, you just apply the same trick recursively.