
Standard Generators of Finite Fields and their Cyclic Subgroups
Frank Lübeck
arXiv:2107.02257v1 [math.AC] 5 Jul 2021

July 7, 2021

Abstract
We define standardized constructions of finite fields, and standardized generators of (multiplicative) cyclic subgroups in these fields. The motivation is to provide a substitute for Conway polynomials which can be used by various software packages and in collections of mathematical data which involve finite fields.

1 Introduction
For each prime number p and n ∈ Z>0 there exists a unique finite field Fpn
of order pn , up to isomorphism. A standard way to compute with such a
field is to specify an irreducible polynomial f ∈ Fp [X] ∼= Z/pZ[X] of degree
n and to use Fpn = Fp [X]/(f ) where each element of the field is represented
by a unique polynomial of degree < n. Roughly (1/n)-th of all polynomials
of degree n over Fp are irreducible, so there are many ways to realize Fpn in
this way.
The first goal of this paper is to define a standardized construction of all
finite fields which fulfills a list of conditions:
(A) it is easy to understand knowing the standard facts about finite fields,
(B) it is easy to (re)-implement (say, given a basic polynomial arithmetic),
(C) it is iterative; that is the construction of a new field makes use of previous constructions of proper subfields, and all subfields are naturally and effectively embedded in the new field,
(D) it is reasonably efficient in practice when implemented with straightforward algorithms.

Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – Project-ID 286237555 – TRR 195

The condition (C) means that we construct the algebraic closure F̄p of Fp
by constructing all its finite subfields together with natural embeddings.
The range we have in mind in (D) is n up to a few thousand for smaller
primes, larger for very small primes, and smaller for very large primes.
Our motivation is to provide a reference that could be used in computer
algebra systems, other software packages or in collections of mathematical
data which involve finite fields. A unified description of the field elements
significantly simplifies the exchange and reuse of data.
[This version of this article is meant for discussions and com-
ments are welcome! I’m interested in proposals for improvements
which still fulfill the conditions mentioned above.]
Before getting to the second goal of this paper let us consider three previous approaches in this direction.
In the classical article [Ste10] Steinitz described (in 1910) the theory of
field extensions as it is taught nowadays in an algebra course. And in §16
he gives a very explicit construction of F̄p (and any of its subfields) which
fulfills our conditions (A) , (B) and (C) above. Here is a sketch. Steinitz
introduces a natural numbering of all polynomials over Fp . For m ∈ Z>1
let fm ∈ Fp [X] be the irreducible polynomial of degree m! with the smallest
number. Then Km = Fp [X]/(fm ) ∼ = Fpm! . It remains for Km ≤ Km+1 to
define the embedding uniquely. Steinitz maps X + (fm ) to the zero of fm
in Km+1 with the smallest number (elements in Km+1 are represented by
unique polynomials of degree < (m + 1)!). Obviously, this definition is not
very practical, because the computations of the polynomials and embeddings
can only be done for very few small m; and fields of moderate size may be only
contained in astronomically big Km . In this article we will extend Steinitz’
definition of numbering and use it in places where certain choices need to be
done.
As second approach to define standardized models for finite fields we
mention the work of Lenstra and de Smit [LS08; Mul13]. A main goal for
them was a variant of our condition (D) , namely to give a description with
good (polynomial time) asymptotic behaviour, but the emphasis was not on
practical implementation. Their construction fulfills (C) and yields a natural
Fp -basis for each finite field which contains the corresponding bases of all
subfields as subsets (which defines natural embeddings). Our construction
will also have this property. Understanding and implementing their construc-
tion needs a background in (algorithmic) number theory (computations in
number fields of characteristic zero).

Finally we mention the approach given by Conway polynomials. Origi-
nally defined by Richard Parker these are currently used and available in a
number of computer algebra systems with good support for finite fields like
GAP [Gap], SageMath [Sag], MAGMA [Mag], Macaulay2 [GS] and various
more specialized programs, for example the C-MeatAxe [Rin15]. The Conway polynomial $C_{p,n}(X) \in \mathbb{F}_p[X]$ is a monic irreducible polynomial of degree n which is primitive and respects a certain compatibility with the Conway polynomials which define proper subfields. Primitive means that the residue class of X in $\mathbb{F}_p[X]/(C_{p,n}(X)) \cong \mathbb{F}_{p^n}$ generates the multiplicative group of the field, that is it is of order $p^n - 1$. The compatibility means that for any divisor m of n the residue class of $X^{(p^n-1)/(p^m-1)}$ is a zero of the Conway polynomial $C_{p,m}$. This also defines the embeddings of the subfields. There
are many sets of polynomials fulfilling these conditions. To get a well defined
set of polynomials there is a further (recursive) condition, namely Cp,n must
be the smallest polynomial with the mentioned properties with respect to
some ordering of polynomials (which we do not define here). We refer to the
introduction of [Jan+95] for more details.
The construction of Conway polynomials somehow fulfills our conditions
(A) (one has to show the existence) and (B) (one needs to compute roots).
Condition (C) is fine for the embeddings, but the constructions of subfields
only give extra constraints for the next polynomial. Unfortunately, condi-
tion (D) is a problem here. There are two basic methods to compute a new
Conway polynomial: either enumerate all monic polynomials of the right
degree and check the conditions, or enumerate all compatible and primitive
polynomials to find the smallest one. Even for moderate parameters both
enumerations can be very time consuming. All systems mentioned above
use a list of precomputed Conway polynomials [Lü09] whose generation took
many years of CPU time. It is almost impossible to compute any further
Conway polynomial Cp,n when n > 1 is not prime.
And there is another fundamental problem: Primitivity can only be
checked if all prime factors of the order pn − 1 of the multiplicative group
are known. These factors are known in many cases thanks to decades long
enormous computational efforts [Cro], but not for the majority of fields we
would like to cover in practice.
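The two defining conditions described above (primitivity of the residue class of X, and compatibility with the subfield polynomials) can be checked directly once all prime factors of $p^n - 1$ are known. The following Python code is an added example, not code from the paper or from any of the systems mentioned; the function names and the coefficient-list representation are mine, and the check data are constructed for the demonstration (p = 2, n = 4, with X + 1 and X² + X + 1 as the n = 1 and n = 2 subfield polynomials, the only choices for p = 2). It checks only the two conditions, not minimality with respect to an ordering, which is where the enumeration cost discussed above arises.

```python
# Added example, not the paper's code: a checker for the two defining
# properties of a Conway polynomial candidate, given the prime factors of
# p^n - 1.  Polynomials over F_p are coefficient lists with index = degree;
# elements of F_p[X]/(f) are such lists of length deg f.

def poly_mulmod(a, b, f, p):
    """a*b reduced modulo the monic polynomial f, over F_p."""
    n = len(f) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    # eliminate X^k for k >= n using X^n = -(f_0 + ... + f_{n-1} X^{n-1})
    for k in range(len(prod) - 1, n - 1, -1):
        c = prod[k]
        if c:
            for j in range(n + 1):
                prod[k - n + j] = (prod[k - n + j] - c * f[j]) % p
    prod = prod[:n]
    return prod + [0] * (n - len(prod))

def poly_powmod(base, e, f, p):
    """base^e in F_p[X]/(f) by square-and-multiply."""
    n = len(f) - 1
    result = ([1] + [0] * n)[:n]
    base = poly_mulmod(base, [1], f, p)      # reduce base to length n
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def element_has_order(y, f, p, order, prime_factors):
    """True iff y in F_p[X]/(f) has multiplicative order exactly `order`;
    prime_factors must list every prime divisor of `order`."""
    one = ([1] + [0] * len(f))[:len(f) - 1]
    if poly_powmod(y, order, f, p) != one:
        return False
    return all(poly_powmod(y, order // r, f, p) != one for r in prime_factors)

def is_root(g, y, f, p):
    """Horner evaluation of g in F_p[X] at the element y of F_p[X]/(f)."""
    acc = [0] * (len(f) - 1)
    for coeff in reversed(g):
        acc = poly_mulmod(acc, y, f, p)
        acc[0] = (acc[0] + coeff) % p
    return not any(acc)

def conway_conditions_hold(p, n, candidate, subfield_polys, prime_factors):
    """candidate: monic degree-n polynomial over F_p (length n+1).
    subfield_polys: {m: C_{p,m}} for the proper divisors m of n.
    prime_factors: all prime divisors of p^n - 1.  An incomplete list gives
    wrong answers, which is exactly the obstacle the text describes."""
    order = p**n - 1
    x = [0, 1]
    if not element_has_order(x, candidate, p, order, prime_factors):
        return False          # X is not a primitive root
    for m, g in subfield_polys.items():
        y = poly_powmod(x, order // (p**m - 1), candidate, p)
        if not is_root(g, y, candidate, p):
            return False      # not compatible with the subfield polynomial
    return True

# Constructed check data for p = 2, n = 4; 2^4 - 1 = 15 = 3 * 5.
GOOD = [1, 1, 0, 0, 1]        # X^4 + X + 1: primitive and compatible
BAD = [1, 1, 1, 1, 1]         # X^4 + X^3 + X^2 + X + 1: irreducible, X has order 5
SUBFIELDS = {1: [1, 1], 2: [1, 1, 1]}   # X + 1 and X^2 + X + 1

if __name__ == "__main__":
    print(conway_conditions_hold(2, 4, GOOD, SUBFIELDS, [3, 5]))   # True
    print(conway_conditions_hold(2, 4, BAD, SUBFIELDS, [3, 5]))    # False
```

The second candidate illustrates why irreducibility alone is not enough: $X^5 \equiv 1$ modulo $X^4 + X^3 + X^2 + X + 1$, so the residue class of X has order 5 and fails the primitivity test at the prime factor 3.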
A motivation for the definition of Conway polynomials comes from the following fact: There exist group isomorphisms, which we will call a lift, from the multiplicative group $\bar{\mathbb{F}}_p^\times$ to the subgroup of $\mathbb{C}^\times$ consisting of all roots of unity whose order is not divisible by p. A well defined such lift is explicitly determined by the Conway polynomials, its restriction to $\mathbb{F}_{p^n} = \mathbb{F}_p[X]/(C_{p,n})$ is given by $X + (C_{p,n}) \mapsto \exp\left(\frac{2\pi i}{p^n - 1}\right)$.

This explicit lift is for example often used in the modular representation theory of finite groups where the definition of Brauer characters depends on
such a lift. There exists a large collection of highly non-trivial representation
theoretical data in the character table library [Bre20], which includes all the
data from the Atlas of Brauer characters [Jan+95]. These data are stored
with respect to the lift defined by Conway polynomials.
The inverse of a lift is also used in this context, namely for the reduction
of characters in characteristic 0 modulo p. The choice of a lift is equivalent to
the choice of a p-modular system. The Atlas [Jan+95, Appendix 1] contains
tables which describe this map on common irrational numbers with respect
to the lift defined by Conway polynomials.
Another application we are interested in comes from Deligne-Lusztig the-
ory where elements in a torus over a finite field are interpreted as complex
characters of a dual torus via a lift, see [Car93, 3.1].
Now we can describe the second goal of this paper: We want to specify a well defined lift $\bar{\mathbb{F}}_p^\times \to \mathbb{C}^\times$ for the elements in our standardized finite subfields. We do this by defining for $m \in \mathbb{Z}_{>0}$ with gcd(m, p) = 1 the element $y_m$ in a finite subfield of $\bar{\mathbb{F}}_p$ which is mapped to $\exp\left(\frac{2\pi i}{m}\right)$. Our definition will enable us to compute $y_m$ in practice whenever we know the prime factors of m and we can construct a field of order $p^n$ which contains an element of order m. (Note that $p^n - 1$ may be much larger than m and that we do not need to know all prime divisors of $p^n - 1$.)
Content of this article. In Section 2 we recall some basic facts about finite fields. In Section 3 we define towers of finite fields and explain how to use them to describe an algebraic closure of $\mathbb{F}_p$. We will extend Steinitz' idea to enumerate polynomials and finite field elements. In Section 4 we explain in more detail how we describe a lift $\bar{\mathbb{F}}_p^\times \to \mathbb{C}^\times$ by specifying appropriate elements in our standardized fields. The core of the paper is in Section 5 where we define explicit irreducible polynomials of prime degree on which the setup in Section 3 depends. (In this version of the paper we include two constructions of the "generic case". The one in Subsection 5.4 occurs in various places in the literature (e.g., [Sho90]) but we did not get this fast enough in practice; the other in Subsection 5.5 is much simpler and performs well in the range we tested. We may remove 5.4 in the final version of this paper.) Section 6 contains the explicit construction of standardized elements of given order (which define a lift). We have also written a software package [Lü21], based on GAP [Gap], which implements the constructions in this paper and which we used to verify (and improve) the practicality of our descriptions. In Section 7 we collect some remarks concerning this implementation. Finally, in Section 8 we discuss the question of translating the values of Brauer characters from one lift to another one.
Complexity considerations. There is a lot of literature which is relevant in the context of this article, e.g., on efficient arithmetic in field extensions, irreducibility tests, computation of minimal polynomials, construction of irreducible polynomials, embeddings of fields. While working on this article and the reference implementation [Lü21] we got the impression that
sophisticated algorithms with good asymptotic complexity do not give vast
improvements in the range we want to consider in practice, say degrees up to
a few thousands. Therefore we do not include statements about asymptotic
complexity here, but just mention what works sufficiently well in our straight
forward implementation.
It will be interesting to see how our definitions can be combined with
other frameworks for lattices of finite fields, e.g., those described in [BCS97]
or in [DFRR19].
Acknowledgements. First I wish to thank Hendrik Lenstra for very
interesting discussions about the standardization of finite fields. In particular
Lenstra convinced me not to publish an article which I had prepared some
years ago. In that draft I proposed a variant of Conway polynomials which
can be computed in practice for all fields Fpn for which the factorization of
pn − 1 is known. But it is much better to separate the construction of the
fields and the definition of standard generators of cyclic subgroups, as we do
in the present article.
Furthermore I thank Wilhelm Plesken for sending me his lecture notes
[Ple15] and for his permission to freely reuse his ideas for this article (e.g.,
our definition of Steinitz numbers, and a sketch of our Section 6 can be found
in these notes).
Finally, I thank Thomas Breuer for useful discussions about Brauer char-
acter values, and for helpful comments on earlier versions of this paper and
the related GAP package.

2 Notation and basic facts about finite fields


Let p be a prime, we will use q, q ′ for powers of p.
We start with recalling some elementary facts about finite fields which
can be found in many algebra text books, e.g., [Lan02, V.5]. These will be
used in the sequel without further reference.

Remark 2.1. (a) For every prime power q there exists up to isomorphism exactly one finite field $\mathbb{F}_q$ with q elements. It is the splitting field of the polynomial $X^q - X$ over its prime field $\mathbb{F}_p$.

(b) Let $q' = p^a$, $q = p^b$. The field $\mathbb{F}_{q'}$ is isomorphic to a subfield of $\mathbb{F}_q$ if and only if q is a power of q', that is a | b. In that case this subfield is unique and consists of the zeroes of the polynomial $X^{q'} - X$.

(c) Let $\mathbb{F}_{q'} \le \mathbb{F}_q$ be a subfield. This field extension is Galois, the Galois group is cyclic and generated by the map $\sigma_{q'}: \mathbb{F}_q \to \mathbb{F}_q$, $x \mapsto x^{q'}$ (and of order d if $q = (q')^d$).

(d) The multiplicative group $\mathbb{F}_q^\times$ is cyclic of order q − 1.

(e) The field $\mathbb{F}_q$ is perfect, that is every irreducible polynomial in $\mathbb{F}_q[X]$ has pairwise distinct roots.

We use the following terminology.

Definition 2.2. Let $\mathbb{F}_q$ be a finite field with prime field $\mathbb{F}_p$.

(a) We call an element $x \in \mathbb{F}_q$ a primitive element if it generates the field over its prime field, that is $\mathbb{F}_q = \mathbb{F}_p[x]$.

(b) We call an element $x \in \mathbb{F}_q$ a primitive root if it generates the multiplicative group $\mathbb{F}_q^\times$.

Remark 2.3. (a) All finite fields have a primitive root, and a primitive root is a primitive element.

(b) Let $m, n \in \mathbb{Z}_{>1}$ with gcd(m, n) = 1 and let $K, L \le \bar{\mathbb{F}}_q$ (an algebraic closure of $\mathbb{F}_q$) be algebraic extensions of $\mathbb{F}_q$ of degree m and n with primitive elements x, y, respectively. Then $KL := K[y] = \mathbb{F}_q[x][y] = \mathbb{F}_q[y][x] = L[x]$ is of degree mn and xy is a primitive element, that is $KL = \mathbb{F}_q[xy]$.

Proof. Assume that xy is not a generator. Then it is contained in a proper maximal subfield $F \le KL$ of prime index. Since gcd(m, n) = 1 we have $K \le F$ or $L \le F$ and so $x \in F$ or $y \in F$. But with $xy \in F$ we get that both, $x \in F$ and $y \in F$, a contradiction.
Remark: the same argument shows that x + y is also a primitive element
of KL.
We describe algebraic field extensions via irreducible polynomials. These
are considered in the following lemmas.

Lemma 2.4. Let q be a prime power and r be a prime.

(a) There exist $(q^r - q)/r$ monic irreducible polynomials of degree r in $\mathbb{F}_q[X]$.

(b) Assume that $r \nmid (q-1)$. Then for any $c \in \mathbb{F}_q^\times$ there are $(q^r - q)/(r(q-1))$ monic irreducible polynomials of degree r in $\mathbb{F}_q[X]$ with constant term c.

Proof. (a) Each monic irreducible polynomial $f \in \mathbb{F}_q[X]$ of degree r generates the field $\mathbb{F}_{q^r} \cong \mathbb{F}_q[X]/(f)$. Since r is prime, all $q^r - q$ elements of $\mathbb{F}_{q^r} \setminus \mathbb{F}_q$ generate $\mathbb{F}_{q^r}$ over $\mathbb{F}_q$. So, their minimal polynomials have degree r and r distinct roots (more precisely, for $x \in \mathbb{F}_{q^r} \setminus \mathbb{F}_q$ the set of conjugates $\{x, \sigma_q(x), \ldots, \sigma_q^{r-1}(x)\}$ has size r and these all have the same minimal polynomial $\prod_{i=0}^{r-1}(X - \sigma_q^i(x))$).
(b) The norm map $N_{q^r/q}: \mathbb{F}_{q^r}^\times \to \mathbb{F}_q^\times$, $x \mapsto \prod_{i=0}^{r-1} \sigma_q^i(x) = x^{1 + q + q^2 + \ldots + q^{r-1}}$ is a surjective homomorphism (the image of a primitive root has order q − 1 because $q^r - 1 = (q-1)(1 + q + q^2 + \ldots + q^{r-1})$). The restriction of the norm map to $\mathbb{F}_q^\times$ is $x \mapsto x^r$, hence an automorphism because $r \nmid (q-1)$. Therefore, every $c \in \mathbb{F}_q$ has the same number of preimages under the norm map in $\mathbb{F}_{q^r} \setminus \mathbb{F}_q$. This shows (b) because the constant term of the minimal polynomial of $x \in \mathbb{F}_{q^r} \setminus \mathbb{F}_q$ is $(-1)^r N_{q^r/q}(x)$.
Lemma 2.5. (a) Let K be a field of characteristic p. For any $a \in K$ the polynomial $X^p - X - a \in K[X]$ either has a root in K or it is irreducible.
(b) Let r be a prime and let K be a field. For any $a \in K$ the polynomial $X^r - a \in K[X]$ either has a zero in K or it is irreducible.

Proof. (a) (Artin-Schreier extensions) Let b be a zero of the polynomial $X^p - X - a$ in a splitting field of this polynomial over K. Since $\mathbb{F}_p \le K$ (the zeroes of $X^p - X$) we have $X^p - X - a = \prod_{i \in \mathbb{F}_p}(X - b - i)$. The minimal polynomial of b over K is a partial product $\prod_{i \in I}(X - b - i) \in K[X]$, with $I \subseteq \mathbb{F}_p$, say of size k. Then the coefficient of $X^{k-1}$, which is of the form $kb + j$ with $j \in \mathbb{F}_p$, shows that k = p or $b \in K$ and so k = 1.
(b) Let $b_1$ be a zero of $X^r - a$ in a splitting field L of this polynomial over K. Let $b_2, \ldots, b_k \in L$ be the other zeroes of the minimal polynomial of $b_1$ over K. Then we have for $b' := b_1 b_2 \cdots b_k \in K$ that $(b')^r = b_1^r b_2^r \cdots b_k^r = a^k$. If k < r then k is prime to r and there exist $l, k' \in \mathbb{Z}_{>0}$ with $kl = 1 + k'r$. So $(b')^{rl} = a^{kl} = a \cdot a^{k'r}$. This shows that a has an r-th root in K.
The following observation will be useful for finding elements which do not have an r-th root in finite fields. For a prime r and integers $t \in \mathbb{Z}_{\ge 0}$, $m \in \mathbb{Z}_{>0}$ we write $r^t \,\|\, m$, if $r^t$ divides m but $r^{t+1}$ does not divide m.

Lemma 2.6. Let q be a power of a prime p and $r \ne p$ another prime.
(a) The smallest power n such that $q^n - 1$ is divisible by r is the order of q modulo r. It is a divisor of r − 1.

(b) Let r be an odd divisor of q − 1, say $r^t \,\|\, (q-1)$. For any n with $r^i \,\|\, n$ we have $r^{t+i} \,\|\, (q^n - 1)$.

(c) Let r = 2 (and so q odd) and $2^t \,\|\, (q^2 - 1)$. For any n with $2^i \,\|\, n$ we have $2^{t+i} \,\|\, (q^{2n} - 1)$.

Proof. (a) We have $r \mid (q^n - 1)$ if and only if $q^n \equiv 1 \bmod r$; and $(\mathbb{Z}/r\mathbb{Z})^\times$ is cyclic of order r − 1.
(b) Write $q^n - 1 = (q-1)(1 + q + q^2 + \ldots + q^{n-1})$. Since $q \equiv 1 \bmod r$ we see that the second factor is $\equiv n \bmod r$. This shows the case i = 0, that is $r \nmid n$. We now assume that n = r and write q = 1 + rs. Then $q^j = 1 + j(rs) + c_j \cdot r^2$ for some integer $c_j$. And so $1 + q + q^2 + \ldots + q^{r-1} \equiv r + \frac{r(r-1)}{2} rs \bmod r^2 \equiv r \bmod r^2$. This shows $r \,\|\, (1 + q + q^2 + \ldots + q^{r-1})$. The general case follows by induction.
(c) The argument for odd n is the same as in (b). The case n = 2, $q^4 - 1 = (q^2 - 1)(q^2 + 1)$ is clear because $q^2 \equiv 1 \bmod 4$. The general case follows by induction.
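As an added example (my code, not the paper's or the GAP package's), the following Python block carries out the question behind Lemma 2.5(b) for a prime field, where $\mathbb{F}_p^\times$ is cyclic so that a unit a is an r-th power exactly when $a^{(p-1)/r} = 1$ (for $r \mid p-1$; otherwise every a is an r-th power), and it checks the three parts of Lemma 2.6 on small inputs. The function names, the restriction to q = p prime, and the sample values are my choices.

```python
# Added example (not from the paper): r-th power test behind Lemma 2.5(b) and
# checks of Lemma 2.6 for q = p prime, where F_p arithmetic is integer
# arithmetic mod p.

def val(r, m):
    """The t with r^t || m (notation of Lemma 2.6); m > 0."""
    t = 0
    while m % r == 0:
        m //= r
        t += 1
    return t

def order_mod(q, r):
    """Lemma 2.6(a): smallest n >= 1 with q^n = 1 mod r (r prime, r not dividing q)."""
    n, x = 1, q % r
    while x != 1:
        x = x * q % r
        n += 1
    return n

def has_rth_root(a, p, r):
    """Is the unit a of F_p (p prime) an r-th power?  If r does not divide p-1,
    x -> x^r is a bijection of F_p^x and the answer is yes; otherwise
    F_p^x cyclic gives: a is an r-th power iff a^((p-1)/r) == 1."""
    if (p - 1) % r != 0:
        return True
    return pow(a, (p - 1) // r, p) == 1

def x_r_minus_a_has_zero(a, p, r):
    """Brute-force version of the same question: does X^r - a have a zero
    in F_p?  By Lemma 2.5(b), if not then X^r - a is irreducible over F_p."""
    return any(pow(x, r, p) == a % p for x in range(p))

def check_lemma_2_6a(q, r):
    """The order of q mod r divides r - 1, and r | q^n - 1 first at that n."""
    n = order_mod(q, r)
    return (r - 1) % n == 0 and all((q**k - 1) % r != 0 for k in range(1, n))

def check_lemma_2_6b(q, r, n_max):
    """Odd prime r with r^t || q-1: r^(t+i) || q^n - 1 whenever r^i || n."""
    t = val(r, q - 1)
    return all(val(r, q**n - 1) == t + val(r, n) for n in range(1, n_max + 1))

def check_lemma_2_6c(q, n_max):
    """q odd, 2^t || q^2 - 1: 2^(t+i) || q^(2n) - 1 whenever 2^i || n."""
    t = val(2, q * q - 1)
    return all(val(2, q**(2 * n) - 1) == t + val(2, n) for n in range(1, n_max + 1))

if __name__ == "__main__":
    # constructed sample: p = 7, r = 3 (3 | 6): 2 is not a cube, 6 is (3^3 = 27 = 6)
    print(has_rth_root(2, 7, 3), has_rth_root(6, 7, 3))          # False True
    print(check_lemma_2_6b(7, 3, 12), check_lemma_2_6c(3, 8))    # True True
```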

3 Towers of finite fields


Definition 3.1. Let F be a field and {Xi | i = 1, . . . , l} be independent com-
muting indeterminates over F . For i = 1, . . . , l let fi ∈ F [X1 , . . . , Xi−1 ][Xi ]
be monic in the variable Xi . We assume that for i = 1, . . . , l the residue class
of fi in

F [X1 , . . . , Xi−1 ][Xi ]/(f1 , . . . , fi−1 ) = (F [X1 , . . . , Xi−1 ]/(f1 , . . . , fi−1 ))[Xi ]

is irreducible.
Then the sequence ((Xi , fi ), i = 1, . . . , l) defines a tower of (algebraic)
field extensions over F , that is F = F0 ≤ F1 ≤ . . . ≤ Fl where Fi =
F [X1 , . . . , Xi ]/(f1 , . . . , fi ).
The degree di = [Fi : Fi−1 ] is the degree of the polynomial fi in the
indeterminate Xi .
Remark 3.2. Let ((Xi , fi ), i = 1, . . . , l) be a tower of field extensions for
a sequence of fields F = F0 ≤ F1 ≤ . . . ≤ Fl as in Definition 3.1. Then
the residue class of any polynomial g̃ ∈ F [X1 , . . . , Xl ] modulo (f1 , . . . , fl )
has a unique representative g ∈ F [X1 , . . . , Xl ] where the degree of g in each
variable Xi is smaller than di .
This representative g can be constructed recursively: First consider $\tilde g$ as polynomial in $X_l$ and reduce it using the monic polynomial $f_l$ until the degree of $\tilde g$ in $X_l$ is smaller than $d_l$. Then proceed in the same way with $X_{l-1}, \ldots, X_1$. Since $f_i \in F[X_1, \ldots, X_i]$, the reductions of powers of $X_i$ will not enlarge the degree in the previously considered variables $X_j$, j > i. (The $\{f_i\}$ form a Gröbner basis of the ideal they generate with respect to the reverse lexicographic monomial ordering, and we just described the standard reduction with this Gröbner basis.)

Definition 3.3. Let $((X_i, f_i), i = 1, \ldots, l)$ be a tower of field extensions for a sequence of fields $F = F_0 \le F_1 \le \ldots \le F_l$. We define the tower basis of each $F_i$, $0 \le i \le l$ recursively, it is an ordered F-basis whose elements are represented by the reduced monomials in $\{X_1, \ldots, X_i\}$.
For i = 0, $F_0 = F$, the basis is (1). Let i > 0 and $(b_0, \ldots, b_m)$ be the already defined basis for $F_{i-1}$. Then we define the concatenation of $(b_0 X_i^j, b_1 X_i^j, \ldots, b_m X_i^j)$ for $j = 0, 1, \ldots, d_i - 1$ as representatives of the tower basis of $F_i$ (where as before $d_i$ is the degree of $f_i$ in $X_i$).

Following Plesken [Ple15] we now define a numbering of field elements in


towers over a finite prime field Fp . This extends a definition of Steinitz [Ste10,
§16].

Definition 3.4 (Steinitz number). Let p be a prime and let $((X_i, f_i), i = 1, \ldots, l)$ define a tower of field extensions over $\mathbb{F}_p = F_0 \le \ldots \le F_l$, where $d_i$ is the degree of $F_i$ over $F_{i-1}$ and $a_i = \prod_{j=1}^{i} d_j$ the degree of $F_i$ over $F_0$.
We define an injective map $s: F_l \to \mathbb{Z}$, such that $s(F_i) = \{m \in \mathbb{Z} \mid 0 \le m \le |F_i| - 1 = p^{a_i} - 1\}$ for all i. For $x \in F_l$ we call s(x) the Steinitz number of x.
If i = 0 we identify $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ and define s(x) = k when $x = k + p\mathbb{Z}$ with $0 \le k < p$. For i > 0 assume that s is already defined on $F_{i-1}$. Each $x \in F_i = F_{i-1}[X_i]/(f_i)$ has a unique representative $g = c_0 + c_1 X_i + \ldots + c_{d_i - 1} X_i^{d_i - 1} \in F_{i-1}[X_i]$ of degree $< d_i$. We define $s(x) = \sum_{j=0}^{d_i - 1} s(c_j)\, q_{i-1}^j$ where $q_{i-1} = |F_{i-1}| = p^{a_{i-1}}$.
We also define the Steinitz number s(f) of a polynomial $f = \sum_{j=0}^{k} c_j X^j \in F_l[X]$ using the Steinitz numbers on $F_l$ by $s(f) = \sum_{j=0}^{k} s(c_j)\, q_l^j$.

Using Remark 3.2 it is easy to compute the Steinitz number of an element in the tower of field extensions represented by a polynomial in $\mathbb{F}_p[X_i, i = 1, \ldots, l]$. And vice versa, given a Steinitz number m, it is easy to write down a polynomial representing the element x with s(x) = m by computing the $q_l$-adic decomposition of m, then the $q_{l-1}$-adic decomposition of the coefficients and so on.
Also note the connection to the tower basis $(b_0, \ldots, b_{n-1})$ of $F_l$ defined in 3.3: Let $x \in F_l$ with Steinitz number s(x) = m. Consider the p-adic expansion $m = m_0 + m_1 p + \ldots + m_{n-1} p^{n-1}$, where $0 \le m_i < p$ for all i. Then $x = \sum_{i=0}^{n-1} (m_i \bmod p)\, b_i$. (So, the p-adic expansion of m yields the coefficients of x with respect to the tower basis.)
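The following Python class is an added example (mine, not the paper's or the GAP package's) of a tower as in Definition 3.1 with the reduction of Remark 3.2, the reduced representatives of Definition 3.3 and the Steinitz numbering of Definition 3.4 in both directions. The tower over $\mathbb{F}_3$ at the end is my own small choice for the demonstration, not one of the standardized towers of this paper; the nested-list representation and all names are assumptions of the example.

```python
# Added example, not the paper's code: a tower of finite fields over F_p as in
# Definitions 3.1-3.4.  An element of F_i is a list of d_i elements of F_{i-1}
# (coefficients of 1, X_i, ..., X_i^{d_i-1}); an element of F_0 = F_p is an int
# in 0..p-1.  This nested list is the reduced representative of Remark 3.2.

class Tower:
    def __init__(self, p, polys):
        # polys[i-1] is f_i: monic in X_i of degree d_i, given as a list of
        # coefficients (index = degree in X_i) which are elements of F_{i-1}
        self.p, self.polys = p, polys
        self.degs = [len(f) - 1 for f in polys]
        self.sizes = [p]                       # sizes[i] = q_i = |F_i|
        for d in self.degs:
            self.sizes.append(self.sizes[-1] ** d)

    def zero(self, i):
        return 0 if i == 0 else [self.zero(i - 1) for _ in range(self.degs[i - 1])]

    def add(self, i, a, b):
        if i == 0:
            return (a + b) % self.p
        return [self.add(i - 1, x, y) for x, y in zip(a, b)]

    def neg(self, i, a):
        if i == 0:
            return (-a) % self.p
        return [self.neg(i - 1, x) for x in a]

    def mul(self, i, a, b):
        if i == 0:
            return (a * b) % self.p
        d, f = self.degs[i - 1], self.polys[i - 1]
        prod = [self.zero(i - 1) for _ in range(2 * d - 1)]
        for j, x in enumerate(a):
            for k, y in enumerate(b):
                prod[j + k] = self.add(i - 1, prod[j + k], self.mul(i - 1, x, y))
        # Remark 3.2: reduce in X_i with the monic f_i from the top degree down,
        # using X_i^d = -(f_0 + ... + f_{d-1} X_i^{d-1})
        for k in range(2 * d - 2, d - 1, -1):
            c = prod[k]
            for j in range(d):
                prod[k - d + j] = self.add(i - 1, prod[k - d + j],
                                           self.neg(i - 1, self.mul(i - 1, c, f[j])))
        return prod[:d]

    def steinitz(self, i, a):
        """Definition 3.4: s(x) = sum_j s(c_j) q_{i-1}^j."""
        if i == 0:
            return a % self.p
        q = self.sizes[i - 1]
        return sum(self.steinitz(i - 1, c) * q**j for j, c in enumerate(a))

    def from_steinitz(self, i, m):
        """Inverse of steinitz(): q_{i-1}-adic digits of m, recursively."""
        if i == 0:
            return m % self.p
        q, coeffs = self.sizes[i - 1], []
        for _ in range(self.degs[i - 1]):
            coeffs.append(self.from_steinitz(i - 1, m % q))
            m //= q
        return coeffs

    def has_root(self, i):
        """Brute force: does f_i have a zero in F_{i-1}?  (All q_{i-1} elements
        are tried; for d_i = 2 or 3 this decides irreducibility.)"""
        f = self.polys[i - 1]
        for m in range(self.sizes[i - 1]):
            x, acc = self.from_steinitz(i - 1, m), self.zero(i - 1)
            for c in reversed(f):                    # Horner in F_{i-1}
                acc = self.add(i - 1, self.mul(i - 1, acc, x), c)
            if acc == self.zero(i - 1):
                return True
        return False

# Constructed tower over F_3 (my choice for the demo, not a standard tower of
# the paper): f_1 = X_1^2 + 1 (-1 is no square mod 3) and f_2 = X_2^2 - (X_1 + 1)
# over F_9, so F_2 has 81 elements.
TOWER = Tower(3, [[1, 0, 1], [[2, 2], [0, 0], [1, 0]]])
X1 = [0, 1]                # x_1 in F_9
X2 = [[0, 0], [1, 0]]      # x_2 in F_81

if __name__ == "__main__":
    print(TOWER.steinitz(2, X2))                   # 9 = q_1
    print(TOWER.mul(2, X2, X2))                    # x_1 + 1 -> [[1, 1], [0, 0]]
    print(TOWER.has_root(1), TOWER.has_root(2))    # False False
```

In this tower $s(x_2) = q_1 = 9$, and $s(x_1 x_2) = 27 = 3^3$, which matches the p-adic description above: the fourth tower-basis element of $F_2$, in the order of Definition 3.3, is $X_1 X_2$.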

Let p be a prime, $n \in \mathbb{Z}_{>0}$ and $n = r_1^{l_1} \cdots r_k^{l_k}$ be the prime factorization of n with $r_1 < \ldots < r_k$.
We want to describe and construct the finite field $\mathbb{F}_{p^n}$. Since for every divisor m | n there is a unique subfield $\mathbb{F}_{p^m} \le \mathbb{F}_{p^n}$ there exists a unique sequence of field extensions $\mathbb{F}_p \le \mathbb{F}_{p^{r_1}} \le \ldots \le \mathbb{F}_{p^{n/r_k}} \le \mathbb{F}_{p^n}$ of non-decreasing prime degrees.
Let $q_i := p^{(r_i^{l_i})}$, i = 1, ..., k. Then the field extensions $\mathbb{F}_p \le \mathbb{F}_{q_i}$ are of prime power degree $r_i^{l_i}$ and $\mathbb{F}_{p^n}$ is the compositum $\mathbb{F}_{p^n} = \mathbb{F}_{q_1} \cdots \mathbb{F}_{q_k}$, where any factor only intersects with the product of the others in the prime field $\mathbb{F}_p$ (see Remark 2.3(b)). This shows that $\mathbb{F}_{p^n}$ can be constructed using extensions of prime power degree $r^l$ of $\mathbb{F}_p$.
So let r be a prime (equal to p or not) and $l \in \mathbb{Z}_{>0}$. We will construct the field $\mathbb{F}_{p^{(r^l)}}$ via a sequence of extensions of degree r:

$$\mathbb{F}_p \le \mathbb{F}_{p^r} = \mathbb{F}_p[x_{r,1}] \le \ldots \le \mathbb{F}_{p^{(r^l)}} = \mathbb{F}_{p^{(r^{l-1})}}[x_{r,l}].$$

For this we need to construct recursively monic irreducible polynomials $\bar f_{r,i}(X_{r,i}) \in \mathbb{F}_{p^{(r^{i-1})}}[X_{r,i}] = \mathbb{F}_p[x_{r,1}, \ldots, x_{r,i-1}][X_{r,i}]$ of degree r (for i = 1, ..., l) where we write $x_{r,i}$ for the residue class of $X_{r,i}$ in $\mathbb{F}_p[x_{r,1}, \ldots, x_{r,i-1}][X_{r,i}]/(\bar f_{r,i})$. It is clear that $x_{r,i}$ is of degree $r^i$ over the prime field $\mathbb{F}_p$.
An $\mathbb{F}_p$-basis of $\mathbb{F}_p[x_{r,1}, \ldots, x_{r,i-1}]$ consists of the elements $\{x_{r,1}^{j_1} \cdots x_{r,i-1}^{j_{i-1}} \mid 0 \le j_1, \ldots, j_{i-1} \le r - 1\}$. Lifting such basis elements to monomials $X_{r,1}^{j_1} \cdots X_{r,i-1}^{j_{i-1}}$ we can lift the coefficients of $\bar f_{r,i}$ to get a polynomial $f_{r,i} \in \mathbb{F}_p[X_{r,1}, \ldots, X_{r,i}]$.
Then we have $\mathbb{F}_{p^{(r^i)}} = \mathbb{F}_p[X_{r,1}, \ldots, X_{r,i}]/(f_{r,1}, \ldots, f_{r,i})$, that is the sequence $((X_{r,i}, f_{r,i}), i = 1, \ldots, l)$ defines a tower of field extensions over $\mathbb{F}_p$, each of degree $d_i = r$, as in Definition 3.1.

3.1 Construction of an algebraic closure $\bar{\mathbb{F}}_p$

If we define polynomials $f_{r,i}$ as above for all primes r and $i \in \mathbb{Z}_{>0}$ we get an explicit description of an algebraic closure $\bar{\mathbb{F}}_p$ of $\mathbb{F}_p$, because each element $\bar f \in \bar{\mathbb{F}}_p$ is contained in some finite subfield $\mathbb{F}_{p^n}$.

Remark 3.5. This construction has a number of nice properties:

(a) Each $\bar f \in \mathbb{F}_{p^n} \subset \bar{\mathbb{F}}_p$ has a unique polynomial $f \in \mathbb{F}_p[X_{r,i} \mid r \text{ prime}, i \in \mathbb{Z}_{>0}, r^i \mid n]$, which has degree < r in each variable $X_{r,i}$, as standard representative.

(b) The representation in (a) does not depend on n. The smallest possible n has r-part $r^i$ if $X_{r,i}$ occurs in a non-zero monomial of f, but not $X_{r,j}$ with j > i.

(c) Each element $x \in \bar{\mathbb{F}}_p$ can be identified by its Steinitz pair (n, m) where n is the degree of x over $\mathbb{F}_p$ and m is the Steinitz number of x as element of $\mathbb{F}_{p^n}$ (see 3.4, note that we use the tower which has the prime divisors of n in non-decreasing order as relative degrees).

(d) In particular, the representatives in (a) yield explicit natural embeddings $\mathbb{F}_{p^m} \hookrightarrow \mathbb{F}_{p^n}$ whenever m | n. In that case the monomials representing the tower basis of $\mathbb{F}_{p^m}$ are a subset of the monomials representing the tower basis of $\mathbb{F}_{p^n}$.

(e) If $n = r_1^{l_1} \cdots r_k^{l_k}$, then $x_n := x_{r_1,l_1} \cdots x_{r_k,l_k}$ is a primitive element of $\mathbb{F}_{p^n} = \mathbb{F}_p[x_n]$, see 2.3(b).

(f) We can perform arithmetic in $\bar{\mathbb{F}}_p$: Let $\bar f, \bar g \in \bar{\mathbb{F}}_p$ with standard representatives f, g as in (a). Then f ± g is the standard representative of $\bar f \pm \bar g$. We get the standard representative of $\bar f \bar g$ from fg by reducing it with the $f_{r,i}$, starting with the lexicographically largest (r, i), see 3.2. If $\bar f \in \mathbb{F}_{p^n}^\times$ the inverse can be computed as $\bar f^{-1} = \bar f^{\,p^n - 2}$ (via repeated squaring). In large fields it is more efficient to use the extended Euclidean algorithm for the representative f and $f_{r,i}$, when $X_{r,i}$ is the variable with lexicographically largest (r, i) occurring in f (this may involve further inversions in the coefficient field).

4 Embedding $\bar{\mathbb{F}}_p^\times$ into $\mathbb{C}^\times$

Proposition 4.1. Let p be a prime. Let $\bar{\mathbb{F}}_p$ be an algebraic closure of the finite prime field $\mathbb{F}_p$ and $\bar{\mathbb{F}}_p^\times$ its multiplicative group. Let $\mathbb{Q}_{p'}$ be the additive group of rational numbers whose denominator is not divisible by p, the additive group of $\mathbb{Z}$ is a subgroup. Finally, let $\mu_{p'} \le \mathbb{C}^\times$ be the subgroup of complex roots of unity whose order is not divisible by p.

(a) The exponential map $\mathbb{Q}^+ \to \mathbb{C}^\times$, $\frac{r}{s} \mapsto e^{2\pi i \frac{r}{s}}$, induces an isomorphism $e: \mathbb{Q}_{p'}/\mathbb{Z} \to \mu_{p'}$.

(b) There exists an isomorphism $\ell: \bar{\mathbb{F}}_p^\times \to \mathbb{Q}_{p'}/\mathbb{Z}$.

Proof. Part (a) is clear.
For part (b) we show the existence of such a map by induction. Let $K_m = \mathbb{F}_{p^{m!}}$, then $K_m \le K_k$ if $m \le k$ and $\bar{\mathbb{F}}_p = \bigcup_{m \in \mathbb{Z}_{>0}} K_m$. For m = 1 the multiplicative group $K_1^\times$ is cyclic of order p − 1 and generated by a primitive root $x_1$. We define ℓ on $K_1^\times$ by $x_1 \mapsto 1/(p-1) \bmod \mathbb{Z}$. Now assume that ℓ is defined on $K_m^\times$ by mapping a primitive root $x_m \mapsto 1/(p^{m!} - 1)$. Let y be a primitive root of $K_{m+1}$. Then $y' = y^{(p^{(m+1)!} - 1)/(p^{m!} - 1)}$ is a primitive root of $K_m$ and there exists a $k \in \mathbb{Z}$ with $(y')^k = x_m$. Then set $x_{m+1} = y^k$ and define ℓ on $K_{m+1}^\times$ by $x_{m+1} \mapsto 1/(p^{(m+1)!} - 1) \bmod \mathbb{Z}$, this extends the map previously defined on $K_m^\times$.
The injectivity of ℓ is clear by construction. Let $a \in \mathbb{Z}$ be not divisible by p, then p is prime to a and there is a $j \in \mathbb{Z}_{>0}$ with $p^j \equiv 1 \bmod a$, that is $a \mid (p^j - 1) \mid (p^{j!} - 1)$. This shows that $1/a \bmod \mathbb{Z}$ is in the image of ℓ, so ℓ is surjective.
We are interested in an explicit computable description of such a map ℓ and so the induced lift $e \circ \ell: \bar{\mathbb{F}}_p^\times \to \mathbb{C}^\times$ as in the proposition in terms of an explicit description of $\bar{\mathbb{F}}_p$.

Remark 4.2. The cyclic group $\mathbb{F}_{p^n}^\times$ is the direct product of its (cyclic) Sylow subgroups. A homomorphism $\ell: \mathbb{F}_{p^n}^\times \to \mathbb{Q}_{p'}/\mathbb{Z}$ is uniquely determined by specifying an arbitrary generator $y_{n,r}$ of the Sylow r-subgroup of $\mathbb{F}_{p^n}^\times$ such that $\ell(y_{n,r}) = \frac{1}{r^t} \bmod \mathbb{Z}$ for each prime r with $r^t \,\|\, (p^n - 1)$.
Having fixed these $y_{n,r}$ it is easy to compute for each divisor m of $p^n - 1$ the element $y_m \in \mathbb{F}_{p^n}^\times$ with $\ell(y_m) = \frac{1}{m}$, provided the prime factorization of m is known.
For example, for $m = p^n - 1 = \prod_r r^{t_r}$ the element $y'_m = \prod_r y_{n,r}$ (product over all prime divisors r of m) is a primitive root with $\ell(y'_m) = \sum_r \frac{1}{r^{t_r}} \bmod \mathbb{Z} = \frac{a}{m} \bmod \mathbb{Z}$ for some $a \in \mathbb{Z}$. Let $b \in \mathbb{Z}$ be the inverse of a mod $(p^n - 1)$. Then $y_m := (y'_m)^b$ is the element with $\ell(y_m) = \frac{1}{m} \bmod \mathbb{Z}$.

Note that in the analogous construction for arbitrary divisors $m \mid (p^n - 1)$ only appropriate powers of $y_{n,r}$ for prime divisors r of m are needed.
5 Definition of standard extensions of prime degree

As before let p be a fixed prime. We now define polynomials $f_{r,i} \in \mathbb{F}_p[X_{r,j} \mid 1 \le j \le i]$ for each prime r and $i \in \mathbb{Z}_{>0}$ as explained in Section 3.1. We distinguish four cases:

• r = p,

• r | (p − 1) and in case r = 2 also 4 | (p − 1),

• r = 2 and 4 | (p + 1),

• other r (that is $r \ne 2, p$ and $r \nmid (p - 1)$).

In the last case we give two different definitions (in 5.4 and 5.5). The constructions in 5.1–5.4 use the ideas of Shoup in [Sho90], and in addition we follow Plesken [Ple15] and use Steinitz numbers to describe explicit choices in certain steps.

5.1 Case r = p
In this case we use Artin-Schreier polynomials.

Proposition 5.1. Let

$$f_{p,1} := X_{p,1}^p - X_{p,1} - 1,$$

$$f_{p,i} := X_{p,i}^p - X_{p,i} - \Big(\prod_{j=1}^{i-1} X_{p,j}\Big)^{p-1} \quad \text{for } i \ge 2.$$

For each $l \in \mathbb{Z}_{>0}$ the sequence $((X_{p,i}, f_{p,i}), 1 \le i \le l)$ defines a tower of field extensions of degree p over $\mathbb{F}_p$.

Proof. We use Lemma 2.5(a) and induction. It is clear that $f_{p,1}$ has no zero in $\mathbb{F}_p$, so $f_{p,1}$ is irreducible over $\mathbb{F}_p$.
We write $I_i$ for the ideal generated by $\{f_{p,j} \mid 1 \le j \le i\}$ and $x_{p,i}$ for the residue class of $X_{p,i}$ in $F_i := \mathbb{F}_p[X_{p,j} \mid 1 \le j \le i]/I_i$.
Now assume i > 1 and that we have shown for $1 \le j \le i - 1$ that $f_{p,j}$ modulo $I_{j-1}$ is irreducible over $F_{j-1}$. We need to show that $f_{p,i}$ modulo $I_{i-1}$ has no zero in $F_{i-1}$.
Set $y := x_{p,i-1}$ and $a := \big(\prod_{j=1}^{i-2} x_{p,j}\big)^{p-1}$, so that $y^p - y - a = 0$ and $f_{p,i} \bmod I_{i-1} = X_{p,i}^p - X_{p,i} - a y^{p-1}$. Each element of $F_{i-1}$ has the form

$$x = c_0 + c_1 y + \ldots + c_{p-1} y^{p-1}, \quad \text{with unique } c_k \in F_{i-2}.$$

We evaluate $f_{p,i} \bmod I_{i-1}$ at x,

$$z = x^p - x - a y^{p-1} \in F_{i-1},$$

and use $y^p = y + a$ to see that the coefficient of $y^{p-1}$ in z is $c_{p-1}^p - c_{p-1} - a$. So $z \ne 0$ because by assumption $X_{p,i-1}^p - X_{p,i-1} - a \in F_{i-2}[X_{p,i-1}]$ has no zero in $F_{i-2}$.

5.2 Case r | (p − 1) and 4 | (p − 1) if r = 2

The assumption means that $\mathbb{F}_p^\times$ contains primitive r-th roots of unity. Equivalently, $\mathbb{F}_p$ contains an element a which is no r-th power. (Note that $x \mapsto x^r$ is an automorphism of $\mathbb{F}_p^\times$ if $r \nmid (p - 1)$.) Once we have specified such an $a \in \mathbb{F}_p^\times$ it is again very easy to define the polynomials we are looking for.
We define $t \in \mathbb{Z}_{>0}$ by $r^t \,\|\, (p - 1)$. We will use the definition of the Steinitz number s(x) for $x \in \mathbb{F}_p$ from 3.4.
More generally, in the following definition and algorithm let $q = p^f$ be a power of p, let $\mathbb{F}_q$ be defined by a tower of field extensions over $\mathbb{F}_p$ and let s be the corresponding Steinitz numbering of $\mathbb{F}_q$.

Definition 5.2. Let $r^t \,\|\, (q - 1)$. Let $a, b \in \mathbb{F}_q^\times$ be two elements of order $r^t$. We call a lexicographically Steinitz-smaller than b if there is a $j \in \mathbb{Z}$ with $1 \le j \le t$ and

$$s(a^{r^{t-k}}) = s(b^{r^{t-k}}) \ \text{ for } 0 \le k < j \quad \text{and} \quad s(a^{r^{t-j}}) < s(b^{r^{t-j}}).$$

Algorithm 5.3. Input: a prime r dividing q − 1.
Output: for t with $r^t \,\|\, (q - 1)$ the lexicographically Steinitz-smallest element $a \in \mathbb{F}_q^\times$ of order $r^t$.

(a) Choose random elements $x \in \mathbb{F}_q$ until $x^{(q-1)/r} \ne 1$, then set $a := x^{(q-1)/r^t}$; so a has order $r^t$.

(b) Set $z := a^{r^{t-1}}$ and find j with $1 \le j \le r - 1$ and $s(z^j)$ minimal. Then reset $a := a^j$ and $z := z^j$.

(c) For i = t − 2, t − 3, ..., 0 do: Set $b := a^{r^i}$ and find j with $0 \le j \le r - 1$ and $s(bz^j)$ minimal. Then reset $a := a^{1 + j r^{t-1-i}}$.

(d) Return a.
Proof and Remarks. The proportion of suitable $x$ in step (a) is $(r-1)/r$. If the powering is done with the repeated squaring method this needs $O(\log q)$ multiplications in $\mathbb{F}_q$. This step yields an element $a$ of order $r^t$.
In step (b) the element $a$ is changed to a primitive power such that $z = a^{r^{t-1}}$ is the primitive $r$-th root of unity with smallest Steinitz number. This step needs $O(r + \log q)$ multiplications in $\mathbb{F}_q$.
Only when $t > 1$ are further adjustments done in step (c). For each $i$ the considered elements $b z^j$ are precisely the $r$-th roots of $a^{r^{i+1}}$; we find the one with the smallest Steinitz number and change $a$ accordingly. Note that all the time $z = a^{r^{t-1}}$ still holds (the new $a$ is a power of the old one with exponent $\equiv 1 \bmod r$, so its order and its $r^{i'}$-th powers for $i' > i$ are unchanged). Here we need $O((t-1)(r + \log q))$ multiplications in $\mathbb{F}_q$, one pass per value of $i$.
Note that for $t > 1$ we can find the lexicographically Steinitz-smallest primitive $r^t$-th root of unity by comparing $tr$ Steinitz numbers, which is more efficient than comparing the Steinitz numbers of $r^t(1 - 1/r)$ elements to find the primitive $r^t$-th root of unity with smallest Steinitz number. □
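As an added illustration (this is not code from the paper or from the StandardFF package), the following Python implements Algorithm 5.3 for the prime field $\mathbb{F}_p$ (so $q = p$), assuming, as is standard, that the Steinitz number of $x \in \mathbb{F}_p$ is its integer representative in $\{0, \ldots, p-1\}$. The random choice of $x$ in step (a) is replaced by a deterministic scan; this is harmless because the output is the unique lexicographically Steinitz-smallest element of order $r^t$ and does not depend on which $x$ was picked. A brute-force minimisation according to Definition 5.2 is included as a check; function names are my own.

```python
def r_adic_valuation(n, r):
    """Return t with r^t || n (r^t divides n, r^(t+1) does not)."""
    t = 0
    while n % r == 0:
        n //= r
        t += 1
    return t


def lex_steinitz_smallest(p, r):
    """Algorithm 5.3 for q = p: the lexicographically Steinitz-smallest element
    of order r^t in F_p^x, where r^t || (p - 1).  Steinitz number of x is x."""
    assert (p - 1) % r == 0, "r must divide p - 1"
    t = r_adic_valuation(p - 1, r)
    # (a) the paper picks x at random; the result does not depend on x, so we
    #     scan deterministically until x^((p-1)/r) != 1, i.e. x is no r-th power
    x = next(x for x in range(2, p) if pow(x, (p - 1) // r, p) != 1)
    a = pow(x, (p - 1) // r**t, p)          # a has order exactly r^t
    # (b) z = a^(r^(t-1)) is a primitive r-th root of unity; replace a by the
    #     power a^j for which z^j has the smallest Steinitz number
    z = pow(a, r**(t - 1), p)
    j = min(range(1, r), key=lambda j: pow(z, j, p))
    a, z = pow(a, j, p), pow(z, j, p)
    # (c) for i = t-2, ..., 0: the r-th roots of a^(r^(i+1)) are b*z^j with
    #     b = a^(r^i); pick the smallest and adjust a so that a^(r^i) equals it.
    #     Higher powers a^(r^i') (i' > i) and z are unchanged by this step.
    for i in range(t - 2, -1, -1):
        b = pow(a, r**i, p)
        j = min(range(r), key=lambda j: b * pow(z, j, p) % p)
        a = pow(a, 1 + j * r**(t - 1 - i), p)
    return a                                 # (d)


def multiplicative_order(x, p):
    """Order of x in F_p^x by brute force (only meant for small p)."""
    k, y = 1, x % p
    while y != 1:
        y = y * x % p
        k += 1
    return k


def steinitz_key(a, r, t, p):
    """Definition 5.2: a is lexicographically Steinitz-smaller than b iff
    steinitz_key(a) < steinitz_key(b) as tuples (s(a^(r^(t-1))), ..., s(a))."""
    return tuple(pow(a, r**(t - 1 - k), p) for k in range(t))


def brute_force_smallest(p, r):
    """Check of Algorithm 5.3: minimise the key over all elements of order r^t."""
    t = r_adic_valuation(p - 1, r)
    candidates = [x for x in range(1, p) if multiplicative_order(x, p) == r**t]
    return min(candidates, key=lambda a: steinitz_key(a, r, t, p))


if __name__ == "__main__":
    # In F_17 the elements of order 16 are 3,5,6,7,10,11,12,14.  The algorithm
    # fixes a^8 = 16, then a^4 = 4 (not 13), a^2 = 2 (not 15), a = 6 (not 11).
    print(lex_steinitz_smallest(17, 2))      # 6
    print(lex_steinitz_smallest(13, 3))      # 3
```

For $p = 17$, $r = 2$ ($t = 4$) the element 3 is a valid output of step (a); step (b) does nothing since $r - 1 = 1$, and the three passes of step (c) pin down $a^4$, $a^2$ and $a$ in turn, ending with $a = 6$. Note that 6 is not the smallest primitive root of 17 (that is 3): the lexicographic order compares the $r$-power images first, exactly as Definition 5.2 prescribes.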

Proposition 5.4. Let $r$ be a prime with $r \mid (p-1)$, and $4 \mid (p-1)$ if $r = 2$; say $r^t \,\|\, (p-1)$. Let $a \in \mathbb{F}_p$ be the lexicographically Steinitz-smallest element of order $r^t$. We define polynomials in $\mathbb{F}_p[X_{r,i} \mid i \in \mathbb{Z}_{>0}]$:
$$f_{r,1} := X_{r,1}^r - a, \qquad f_{r,i} := X_{r,i}^r - X_{r,i-1} \text{ for } i \ge 2.$$
For each $l \in \mathbb{Z}_{>0}$ the sequence $((X_{r,i}, f_{r,i}),\ 1 \le i \le l)$ defines a tower of field extensions of degree $r$ over $\mathbb{F}_p$.

Proof. First assume that $r$ is odd.
An $r$-th root of $a$ has order $r^{t+1}$, so it cannot be contained in $\mathbb{F}_p$. Therefore, by Lemma 2.5(b) the polynomial $f_{r,1}$ is irreducible over $\mathbb{F}_p$.
Now let $I_i$ be the ideal generated by the $f_{r,j}$ with $j \le i$ and $F_i = \mathbb{F}_p[X_{r,j} \mid j \le i]/I_i$. Let $x_{r,i}$ be the residue class of $X_{r,i}$ in $F_i$. Then $x_{r,i}$ has order $r^{t+i}$. Since by Lemma 2.6(b) we have $r^{t+i} \,\|\, (|F_i| - 1)$, we see by induction and Lemma 2.5(b) that all polynomials $f_{r,i+1}$ modulo $I_i$ are irreducible.
In the case $r = 2$ we assume $4 \mid (p-1)$ and so $2 \,\|\, (p+1)$. In this case Lemma 2.6(c) shows that the statement in 2.6(b) remains correct for $r = 2$. So our proof also holds in this case. □

5.3 Case r = 2 and 4 | (p + 1)

In this case we have $2 \,\|\, (p-1)$ and $-1 \in \mathbb{F}_p$ has no square root in $\mathbb{F}_p$, that is, $X_{2,1}^2 + 1 \in \mathbb{F}_p[X_{2,1}]$ is irreducible. We construct $\mathbb{F}_{p^2}$ as extension of $\mathbb{F}_p$ via this polynomial and call $s$ the corresponding Steinitz numbering of $\mathbb{F}_{p^2}$. Let $2^t \,\|\, (p^2 - 1)$ and $a \in \mathbb{F}_{p^2}^\times$ be the lexicographically Steinitz-smallest element of order $2^t$ in $\mathbb{F}_{p^2}$ (which can be computed by Algorithm 5.3).

Proposition 5.5. Recall $4 \mid (p+1)$. We define polynomials in $\mathbb{F}_p[X_{2,i} \mid i \in \mathbb{Z}_{>0}]$:
$$f_{2,1} := X_{2,1}^2 + 1, \qquad f_{2,2} := X_{2,2}^2 - a, \qquad f_{2,i} := X_{2,i}^2 - X_{2,i-1} \text{ for } i \ge 3.$$
For each $l \in \mathbb{Z}_{>0}$ the sequence $((X_{2,i}, f_{2,i}),\ 1 \le i \le l)$ defines a tower of field extensions of degree 2 over $\mathbb{F}_p$.

Proof. The proof is similar to that of Proposition 5.4, now using Lemma 2.6(c). □

5.4 Variant 1 for case r ≠ p, r ∤ (p − 1)

This is the generic case. In this section we describe the construction used in [Sho90] and [Ple15]. The idea is to generate an intermediate field that does contain $r$-th roots of unity, to extend this field as in Proposition 5.4, and to take traces to find generators of $r$-power degree.
The degree of the intermediate extension is an (often large) divisor of $r - 1$, which makes this method slow in practice already for $r < 100$ and very slow and memory consuming for $r > 1000$. [We keep the description in this version of this article in the hope that someone has a hint how to improve the performance.] In the next Section 5.5 we give an alternative construction which is mathematically less satisfying but seems to work better in practice.
Let $e \in \mathbb{Z}_{>0}$ be minimal with $r \mid (p^e - 1)$, that is, $e$ is the order of $p$ modulo $r$. Then $e \mid (r-1)$ and the polynomial $\tilde g := (Y^r - 1)/(Y - 1) = 1 + Y + \ldots + Y^{r-1} \in \mathbb{F}_p[Y]$ factorizes into $(r-1)/e$ irreducible factors of degree $e$. Let $g \in \mathbb{F}_p[Y]$ be the factor with smallest Steinitz number.
A practical possibility to find the factors of $\tilde g$ if $e \ne r-1$ is to use the Cantor-Zassenhaus algorithm: We have $\mathbb{F}_p[Y]/(\tilde g) \cong \prod_{k=1}^{(r-1)/e} \mathbb{F}_{p^e}$, and so powering random polynomials in $\mathbb{F}_p[Y]$ to their $(p^e - 1)/2$-th power modulo $Y^r - 1$ yields polynomials $h$ such that $h \pm 1$ is likely to have a non-trivial gcd with $\tilde g$ or with any of its non-irreducible factors already found.
We construct $K = \mathbb{F}_{p^e} := \mathbb{F}_p[Y]/(g)$ and call $s$ the corresponding Steinitz numbering (see 3.4) of $K$. Let $r^t \,\|\, (p^e - 1)$ and $a \in K$ be the lexicographically Steinitz-smallest element of order $r^t$ (which can be found with Algorithm 5.3).

Proposition 5.6. With $a$ as above we define polynomials in $K[X_{r,i} \mid i \in \mathbb{Z}_{>0}]$:
$$\tilde f_{r,1} := X_{r,1}^r - a, \qquad \tilde f_{r,i} := X_{r,i}^r - X_{r,i-1} \text{ for } i \ge 2.$$
For each $l \in \mathbb{Z}_{>0}$ the sequence $((X_{r,i}, \tilde f_{r,i}),\ 1 \le i \le l)$ defines a tower of field extensions of degree $r$ over $K$.

Proof. The proof is the same as for Proposition 5.4. □

Let $K_i$ be the field defined by the tower of field extensions over $\mathbb{F}_p$
$$((Y, g), (X_{r,1}, \tilde f_{r,1}), \ldots, (X_{r,i}, \tilde f_{r,i})),$$
so $K_i$ is of degree $e r^i$ over $\mathbb{F}_p$. We write $z_j$ for the residue class of $X_{r,j}$ in $K_i$, and $y$ for the residue class of $Y$. Furthermore, we write $L_i$ for the subfield of index $e$ in $K_i$, so $L_i$ is of degree $r^i$ over $\mathbb{F}_p$. Let $T_i : K_i \to L_i$, $x \mapsto x + x^q + \ldots + x^{q^{e-1}}$ with $q = p^{r^i}$ be the trace map.

Proposition 5.7. The element $x_{r,i} := T_i(z_i) \in L_i$ is a primitive element of $L_i$ (and so it also generates $L_i$ over $L_{i-1}$ if $i > 1$).

Proof. We have $c := z_{i-1} = z_i^r \in K_{i-1}$ if $i > 1$, or $c := a = z_1^r \in K$ if $i = 1$. Let $q = p^{r^i} = |L_i|$; then $\sigma : K_i \to K_i$, $x \mapsto x^q$ generates the Galois group of $K_i$ over $L_i$. For $0 \le j \le e-1$ let $q^j = s_j r + t_j$ with $s_j, t_j \in \mathbb{Z}$ and $0 \le t_j < r$. Then $\sigma^j(z_i) = c^{s_j} z_i^{t_j}$. Note that the order of $p$ modulo $r$, and so the order of $q$ modulo $r$, is $e$, which shows that the $t_j$, $0 \le j \le e-1$, are pairwise different. We get an equation
$$x_{r,i} = \sum_{j=0}^{e-1} \sigma^j(z_i) = z_i + c^{s_1} z_i^{t_1} + \ldots + c^{s_{e-1}} z_i^{t_{e-1}},$$
where the summands on the right hand side are linearly independent over $K_{i-1}$; in particular $x_{r,i} \ne 0$. If $x_{r,i}$ were not a primitive element, then $x_{r,i} \in L_{i-1} \subseteq K_{i-1}$ and the equation shows that $z_i$ is a zero of a polynomial of degree $< r$ over $K_{i-1}$. But $z_i$ has degree $r$ over $K_{i-1}$ and so $x_{r,i}$ is a primitive element.
We remark that in practical computations of $x_{r,i}$ we can use that the order of $c$ is $r^{t+i-1}$, so that $c^{s_j} = c^{s'_j}$ if $s'_j \equiv s_j \bmod r^{t+i-1}$. □

Algorithm 5.8. We construct for $i > 0$ the field $K_i$ via a tower of field extensions over $\mathbb{F}_p$ leading to the chain $\mathbb{F}_p \le L_1 \le \ldots \le L_i \le K_i$. Assume that we have already constructed the tower of field extensions
$$((X_{r,1}, f_{r,1}), \ldots, (X_{r,i-1}, f_{r,i-1}), (Y, g))$$
for $K_{i-1}$ (this is just $((Y, g))$ for $i = 1$), and that we know the element $z_{i-1} \in K_{i-1}$ written as element with respect to this tower (setting $z_0 = a$ in case $i = 1$). We construct the tower for $K_i$.

(a) First describe $K_i$ as a tower of field extensions over $L_{i-1}$ as follows:
$$((Y, g), (X_{r,i}, X_{r,i}^r - z_{i-1})),$$
where the residue class of $X_{r,i}$ in this tower is $z_i$.

(b) Compute in this tower the trace $x_{r,i} = T_i(z_i)$ as described in the proof of 5.7.

(c) Compute the powers $x_{r,i}^j$ for $0 \le j \le r-1$; these form a $K_{i-1}$-basis of $K_i$.

(d) Write $x_{r,i}^r$ as linear combination of the smaller powers in (c) to find the minimal polynomial $\bar f_{r,i}(X_{r,i})$ of $x_{r,i}$ over $K_{i-1}$; the coefficients are in $L_{i-1}$. Lift $\bar f_{r,i}$ to a polynomial $f_{r,i}$ in $\mathbb{F}_p[X_{r,j} \mid 1 \le j \le i]$.

(e) Write $z_i$ as linear combination of the powers of $x_{r,i}$ in (c) over $K_{i-1} = L_{i-1}[y]$.

(f) Rewrite $K_i$ as tower of field extensions over $L_{i-1}$ by
$$((X_{r,i}, f_{r,i}), (Y, g)).$$
Step (e) expresses $z_i$ with respect to this tower.

(g) Extend this tower to a tower of $K_i$ over $\mathbb{F}_p$:
$$((X_{r,1}, f_{r,1}), \ldots, (X_{r,i}, f_{r,i}), (Y, g)).$$

Proof. The correctness of this algorithm is clear from Proposition 5.7. □

Remark 5.9. The critical steps in Algorithm 5.8 are (c), (d) and (e). Say, if $r > 1000$ is a prime then for many $p$ the index $e$ will be $r - 1$ or a large divisor of it. So, the mentioned steps for $i = 1$ involve computations in an $\mathbb{F}_p$-vector space of dimension $> 10^6$. Shoup [Sho94] describes an asymptotically fast method to compute the minimal polynomial of $x_{r,i}$. But it remains unclear to the author how practical it would be in the range we want to handle. It is also not clear how to do the rewriting of the elements $z_i$ in our step (e) more efficiently (this is needed for the iteration).
The minimal polynomials $f_{r,i}$ of the $x_{r,i}$ in Algorithm 5.8 look like pretty random dense polynomials and the $x_{r,i}$ usually have a large order.

5.5 Variant 2 for case r ≠ p, r ∤ (p − 1)

In this subsection we describe an alternative to the construction in 5.4 which avoids the computations in large fields such as $K_i$ in Algorithm 5.8. It is also easier to describe and to implement.
The idea is simply to construct relatively sparse random polynomials and to check them for irreducibility. From Lemma 2.4 we know that about $1/r$ of all monic polynomials of degree $r$ are irreducible. Of course, we cannot use truly random polynomials because we want to define a set of recomputable polynomials. We define a pseudo random number generator which is very easy to implement and which in practice seems to produce sufficiently random polynomials for our purposes.
Our random number generator SimpleRandomRange(b, s) uses the prime number $m = 2^{32} - 5$ and that $a = 1347244577 + m\mathbb{Z}$ is a primitive root of $\mathbb{Z}/m\mathbb{Z}$. Its input is an (often large multiprecision) positive integer $b$ and a seed $s$ in the range $1 \le s \le m - 1$. It returns a (close to uniformly distributed) integer $c$ in the range $0 \le c < b$ and a new seed. Here is the pseudo code.

Algorithm 5.10.
SimpleRandomRange(b, s)
    m = 4294967291
    a = 1347244577
    bnd = 100 * b
    c = 0
    t = 1
    while t < bnd
        t = t * (m-1)
        s = (a * s) mod m
        c = c * (m-1) + s - 1
    c = (b * c) div t        (= ⌊bc/t⌋)
    return c, s

In the next algorithm FindIrreduciblePolynomial(K, r, a, X) we assume that the argument K is a finite field which has a Steinitz numbering, and that there is a function SteinitzElement(K, m) available which returns the element $x \in K$ with Steinitz number $m$. The argument r is a positive integer, a is a nonzero element of K and X is an indeterminate over K. The function returns an irreducible monic polynomial of degree r in the variable X over K with constant term a. We assume that a function IsIrreducible(K, f) is available that checks if the monic polynomial f over K is irreducible. Here is the pseudo code:
Algorithm 5.11.
FindIrreduciblePolynomial(K, r, a, X)
    q = |K|
    inc = minimal integer with q^inc ≥ 2r
    d = 0                  (random coefficients up to X^d)
    seed = 1               (fixed initial seed for a reproducible result)
    f = X^r + X + a        (first polynomial to try)
    count = 0
    while not IsIrreducible(K, f)
        if count modulo r = 0 then
            (after every r trials we allow inc more non-zero coefficients)
            d = minimum(d+inc, r-1)
        f = X^r + a
        for j from 1 to d
            m, seed = SimpleRandomRange(q, seed)
            f = f + SteinitzElement(K, m) X^j
        count = count + 1
    return f

We sketch a practical way to check whether a polynomial $f \in K[X]$ of degree $r$, where $|K| = q$, is irreducible. The polynomial $f$ contains an irreducible factor of degree dividing $t$ if and only if $\gcd(f, X^{q^t} - X)$ has positive degree. We have $\gcd(f, X^{q^t} - X) = \gcd(f, h - X)$ where $h \equiv X^{q^t} \bmod f$ can be computed by repeated squaring modulo $f$. So, $f$ is irreducible if and only if $\gcd(f, X^{q^t} - X) = 1$ for $1 \le t \le r/2$. Many non-irreducible random polynomials contain a factor of small degree which is quickly detected by this method (see comments on Ben-Or's test in [GP97]).
For a speedup we precompute $(X^0)^q, X^q, \ldots, (X^{r-1})^q \bmod f$ and use that $x \mapsto x^q$ is a $K$-linear map to compute $X^{q^j} \bmod f$ for $j > 1$.
Now we define a tower of field extensions of degree $r$ over $\mathbb{F}_p$; this is an alternative to Algorithm 5.8.
Definition 5.12. Set $f_{r,1} =$ FindIrreduciblePolynomial($\mathbb{F}_p$, r, −1, $X_{r,1}$). Assume that a tower of field extensions of degree $r$,
$$((X_{r,1}, f_{r,1}), \ldots, (X_{r,i-1}, f_{r,i-1}))$$
is already defined and set $F_{i-1} = \mathbb{F}_p[X_{r,j} \mid 1 \le j \le i-1]/(f_{r,1}, \ldots, f_{r,i-1})$, and write $x_{r,i-1}$ for the residue class of $X_{r,i-1}$ in $F_{i-1}$. Then define $f_{r,i}$ as lift of the polynomial FindIrreduciblePolynomial($F_{i-1}$, r, $-x_{r,i-1}$, $X_{r,i}$).
Note that the norm of $x_{r,1}$ over $\mathbb{F}_p$ is $1 \in \mathbb{F}_p$ and for $i > 1$ the norm of $x_{r,i}$ over $F_{i-1}$ is $x_{r,i-1}$.

Remark 5.13. We have tried various modifications of this variant in practice. Any more systematic search for an irreducible sparse polynomial (for example trying polynomials with growing Steinitz number) led to some examples which took a very long time or did not give any result within reasonable time (e.g., we did not find an irreducible polynomial of the form $X^{107} + bX + a \in \mathbb{F}_{2^{107}}[X]$). This does not happen with the pseudo random sequence of polynomials we use in Algorithm 5.11. In experiments we used several random number generators (including some with advanced statistical properties), but could not detect performance differences in our application. So, we chose Algorithm 5.10 because it is easy to describe and implement.

6 Definition of standard generators of cyclic subgroups

In this section we define explicit generators $y_{n,r}$ of cyclic subgroups of order $r^t$ where $r$ is prime with $r^t \,\|\, (p^n - 1)$, as described in Remark 4.2.
The construction is relative to some standardized construction of $\bar{\mathbb{F}}_p$ where we can identify each element in any finite subfield by a Steinitz number.
In the base case of the following algorithm we use again the pseudo random numbers from SimpleRandomRange described in Algorithm 5.10.

Algorithm 6.1. StandardCyclicGeneratorPrimePower(p, n, r)

Input: a prime $p$, a degree $n$ and a prime $r$ with $r \mid (p^n - 1)$.
Output: an element $y_{n,r} \in \mathbb{F}_{p^n}^\times$ of order $r^t$ where $r^t \,\|\, (p^n - 1)$.

(a) Find the minimal divisor $k \mid n$ such that $r^t \,\|\, (p^k - 1)$. If $k < n$ then return the result of StandardCyclicGeneratorPrimePower(p, k, r) as element of $\mathbb{F}_{p^n}$.

(b) Find the minimal divisor $l \mid n$ with $r \mid (p^l - 1)$.

(c) Case $l = n$:

(c1) seed = 1
(c2) c, seed = SimpleRandomRange($p^n$, seed)
(c3) Let $x \in \mathbb{F}_{p^n}$ be the element with Steinitz number $c$.
(c4) If $x = 0$ or $x^{(p^n - 1)/r} = 1$ go back to step (c2).
(c5) Return $y_{n,r} = x^{(p^n - 1)/r^t}$.

(d) Case $l < n$: We need to find a generator which is compatible with the choice in a proper subfield.

(d1) Subcase $n = 2$, $r = 2$ and $p \equiv 3 \bmod 4$: Return the lexicographically Steinitz-smallest element of order $2^t$, see Algorithm 5.3.
(d2) Otherwise $r \mid n$ and $r^{t-1} \,\|\, (p^{n/r} - 1)$, see 2.6. Return the Steinitz-smallest $r$-th root of $y_{n/r,r}$.

Remark 6.2. The time critical case in this algorithm is step (d2). A practical method for this step is to first power random elements to find an element $y$ of order $r^t$. Then compute the discrete logarithm $b$ such that $(y^r)^b = y_{n/r,r}$. This can be done by the Pohlig-Hellman algorithm [PH78], which involves $t - 2$ searches through $r$ elements (which can be optimized via Shanks' algorithm). Now $y^b$ is an $r$-th root of $y_{n/r,r}$. Finally multiply $y^b$ with all $r$-th roots of one (these are the elements $(y^{r^{t-1}})^i$, $0 \le i < r$) to find the $r$-th root with the smallest Steinitz number. Note that the primes $r$ for which this case occurs are divisors of the degree of the field over its prime field, and so loops of length $r$ are acceptable.
We considered modifications of the base case (c) in practice where we
looked for more systematic (not pseudo random) candidate elements x for
step (c4). But similar to our Remark 5.13 we ran into examples where we
had to try many elements or did not find an appropriate element at all in
reasonable time. This problem vanished with our choice of pseudo random
elements.
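As an added example, not from the paper or from the StandardFF package: the discrete-logarithm and root-selection steps of Remark 6.2 in Python, demonstrated in the cyclic group $\mathbb{F}_p^\times$ of a prime field (where the Steinitz number of an element is its integer representative) rather than in the extension field of step (d2), since the group-theoretic steps are the same in any cyclic group. The function names and the digit-by-digit Pohlig-Hellman loop are my own; Shanks' baby-step giant-step optimisation is left out, so each digit costs a linear search through the $r$ elements of the order-$r$ subgroup.

```python
def dlog_prime_power(g, h, r, t, p):
    """Pohlig-Hellman [PH78] in F_p^x for g of order r^t: return x with g^x == h (mod p).
    The r-adic digits of x are found one at a time by searching the r elements of
    the subgroup <gamma> of order r (Shanks' algorithm would speed up that search)."""
    if t == 0:                               # g == 1 == h, nothing to solve
        return 0
    gamma = pow(g, r**(t - 1), p)            # generator of the subgroup of order r
    g_inv = pow(g, p - 2, p)
    x = 0
    for k in range(t):
        # strip the digits already known, then project into <gamma>
        hk = pow(h * pow(g_inv, x, p) % p, r**(t - 1 - k), p)
        digit = next(j for j in range(r) if pow(gamma, j, p) == hk)
        x += digit * r**k
    return x


def steinitz_smallest_rth_root(target, y, r, t, p):
    """Step (d2) of Algorithm 6.1 as described in Remark 6.2, in F_p^x:
    y has order r^t, target has order r^(t-1) (the role of y_{n/r,r});
    return the r-th root of target with the smallest Steinitz number."""
    b = dlog_prime_power(pow(y, r, p), target, r, t - 1, p)   # (y^r)^b == target
    root = pow(y, b, p)                                       # one r-th root of target
    zeta = pow(y, r**(t - 1), p)                              # primitive r-th root of unity
    all_roots = [root * pow(zeta, i, p) % p for i in range(r)]
    return min(all_roots)                                     # smallest Steinitz number


if __name__ == "__main__":
    # F_17: 3 has order 16 = 2^4, 2 has order 8; the square roots of 2 are 6 and 11
    print(steinitz_smallest_rth_root(2, 3, 2, 4, 17))   # 6
    # F_19: 4 has order 9 = 3^2, 11 has order 3; its cube roots are 5, 16 and 17
    print(steinitz_smallest_rth_root(11, 4, 3, 2, 19))  # 5
```

In the first call $y^2 = 9$ has order 8 and $9^7 = 2$, so $y^7 = 11$ is one square root of 2; multiplying by the square root of unity $y^8 = 16$ gives the other root 6, which has the smaller Steinitz number. For the real step (d2) the same code runs in $\mathbb{F}_{p^n}$ with field multiplication and Steinitz numbers in place of integers modulo $p$.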

7 Remarks on implementation
The main purpose of this article is to describe a standardized construction
of finite fields and standardized generators of their cyclic subgroups which
works in practice and could be adopted by various software packages dealing
with finite fields.
Therefore, we publish at the same time as this article an implementation of the constructions as a GAP [Gap] package called StandardFF [Lü21].
The package allows constructing the finite fields as towers and also as single extensions with respect to the standardized primitive elements $x_n$ defined in 3.5(e). The package provides various representations of finite field elements with conversions into each other: representing polynomials (in tower and in
single extension), Steinitz numbers, vectors with respect to the tower basis,
and Steinitz pairs (a pair (d, k) if the element has degree d over the prime
field Fp and its Steinitz number as element of Fpd is k). There are functions
to compute our standardized generators of cyclic subgroups and embeddings
of fields.
The implementation only uses arithmetic of univariate polynomials (rep-
resented as coefficient lists) and contains an irreducibility test as mentioned
after 5.11. We compute minimal polynomials of a field element by computing
its action on some basis and the minimal polynomial of the corresponding
matrix.
For testing purposes we have implemented both variants of the generic case given in Sections 5.4 and 5.5. We give two examples for Remark 5.9: To construct the fields of order $2^{107}$ and $2^{(107^2)}$ with variant 1 from Section 5.4
from 5.5 they needed 17 milliseconds and 42 minutes. To construct the field
with 711009 elements with variant 1 took more than one week while variant
2 finished in 24 seconds. From now we only consider the construction with
variant 2.
In further systematic tests we considered the finite fields of order pn in
the following ranges:

• 1 ≤ n ≤ 2000 for p = 2, 3, 5, 7

• 1 ≤ n ≤ 500 for 10 < p < 100

• 1 ≤ n ≤ 100 for 100 < p < 10000

This includes all 10800 cases for which we know the Conway polynomial.
Due to the enormous computational resources spent over decades to find factors of numbers of the form $a^n \pm 1$, see [Cro], we know the factorization of $p^n - 1$ for 112519 fields in the considered range. These are the only fields for which we can hope to find (standardized) primitive roots (otherwise we cannot determine the order of an element in the field).
Our programs can construct all of these 112519 fields $\mathbb{F}_{p^n}$ in about 20 hours and can find all the standardized primitive roots $y_m \in \mathbb{F}_{p^n}$ as described in Remark 4.2 in an additional 36 hours. (The minimal polynomials of these $y_m$ over their prime field form a substitute for the Conway polynomials with the same compatibility properties.) Computing the $y_m$ and their minimal polynomials just for the fields where we know the Conway polynomial takes less than 5 minutes (while the original computations of the known Conway polynomials involved many years of CPU time).

It is also possible to construct many fields outside the mentioned range (larger degree or much larger characteristic). The hard cases are when a large prime divides the degree. And the effort to compute minimal polynomials of the primitive elements $x_n \in \mathbb{F}_{p^n}$ grows like $n^3$ for fixed $p$ in our implementation.

7.1 Reimplementation of the standardized extensions in other programs

We sketch how to reconstruct for $n = r_1^{l_1} \cdots r_k^{l_k}$ our extension $\mathbb{F}_p[x_n] = \mathbb{F}_p[X]/(f_n)$ provided the irreducible polynomials $f_{r_i,j}$, $1 \le j \le l_i$, of prime degree $r_i$ are known (precomputed). Our standardized primitive element $x_n = \prod_{i=1}^k x_{r_i,l_i}$ is an element of the tower basis. The matrix $M$ of the action of $x_n$ on the tower basis is very sparse. Multiply $x_n$ with each element of the tower basis and reduce with the $f_{r_i,j}$, see 3.2; in most cases the product is again an element of the tower basis and no reduction is needed. The minimal polynomial of $M$ is the minimal polynomial $f_n$ of $x_n$ over $\mathbb{F}_p$, so we can construct $\mathbb{F}_p[X]/(f_n)$. Starting with the vector $(1, 0, 0, \ldots)$ representing $1 \in \mathbb{F}_{p^n}$ in the tower basis, multiply with $M$ repeatedly. This yields the powers $x_n^j$, $0 \le j \le n-1$, expressed in the tower basis. Write these vectors as rows in a matrix $Q$ and compute its inverse $P$. Then the $j$-th row of $P$ contains the coefficients of the $j$-th element of the tower basis in the monomial basis $(x_n^i \mid 0 \le i < n)$. So, using $P$ we can compute for any element in $\mathbb{F}_p[x_n]$ its representation in the tower basis and so its Steinitz number, and vice versa using $Q$.

7.2 Computing embeddings

Embeddings are easily computed via the tower bases, see 3.3. The ordered tower basis of $\mathbb{F}_{p^n}$ contains the tower basis of each subfield as a subsequence. The list of degrees (over the prime field) of the tower basis elements can be generated as follows:
If $n = 1$ it is $(1)$. For $1 < n = r_1^{l_1} \cdots r_k^{l_k}$ let $(d'_1, \ldots, d'_{n/r_k})$ be the list of degrees of the tower basis of $\mathbb{F}_{p^{n/r_k}}$ (these are the first $n/r_k$ elements of the tower basis of $\mathbb{F}_{p^n}$). Then we get the degrees for the tower basis of $\mathbb{F}_{p^n}$ by appending $(r_k - 1)$ times $(\operatorname{lcm}(d'_1, r_k^{l_k}), \ldots, \operatorname{lcm}(d'_{n/r_k}, r_k^{l_k}))$.
Let $(b_1, \ldots, b_n)$ be the tower basis of $\mathbb{F}_{p^n}$ with degrees $(d_1, \ldots, d_n)$. Let $m \mid n$. Then the subsequence $(b_j \mid d_j \mid m)$ is the tower basis of $\mathbb{F}_{p^m}$.
Let $x = \sum_{i=1}^n a_i b_i \in \mathbb{F}_{p^n}$ ($a_i \in \mathbb{F}_p$), written in the tower basis. Then the degree of $x$ over $\mathbb{F}_p$ is $\operatorname{lcm}\{d_j \mid a_j \ne 0\}$.
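As an added example (not from the paper or the StandardFF package), the recursion for the degree list, the subfield subsequence and the degree of an element, in Python. It assumes the prime factors of $n$ are ordered $r_1 < \cdots < r_k$, so that $r_k$ is the largest prime divisor of $n$, and it takes an element as its coefficient vector in the tower basis, since none of the three statements above needs any field arithmetic. Function names are my own.

```python
from math import lcm


def prime_power_factorization(n):
    """[(r_1, l_1), ..., (r_k, l_k)] with r_1 < ... < r_k and n = prod r_i^l_i."""
    factors, r = [], 2
    while r * r <= n:
        if n % r == 0:
            l = 0
            while n % r == 0:
                n //= r
                l += 1
            factors.append((r, l))
        r += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def tower_basis_degrees(n):
    """Degrees over F_p of the ordered tower basis (b_1, ..., b_n) of F_{p^n}."""
    if n == 1:
        return [1]
    r, l = prime_power_factorization(n)[-1]      # largest prime divisor r_k, exponent l_k
    prev = tower_basis_degrees(n // r)          # degrees of the first n/r_k basis elements
    # append (r_k - 1) copies of (lcm(d'_1, r_k^l_k), ..., lcm(d'_{n/r_k}, r_k^l_k))
    return prev + [lcm(d, r**l) for d in prev] * (r - 1)


def subfield_basis_positions(n, m):
    """0-based indices j with d_j | m: the tower basis of F_{p^m} inside that of F_{p^n}."""
    assert n % m == 0, "m must divide n"
    return [j for j, d in enumerate(tower_basis_degrees(n)) if m % d == 0]


def element_degree(coeffs, n):
    """Degree over F_p of x = sum a_j b_j given its tower-basis coefficients (a_1, ..., a_n)."""
    degrees = tower_basis_degrees(n)
    nonzero = [d for a, d in zip(coeffs, degrees) if a != 0]
    return lcm(*nonzero) if nonzero else 1       # x = 0 lies in the prime field


if __name__ == "__main__":
    # n = 12 = 2^2 * 3: the tower is F_p < F_{p^2} < F_{p^4} < F_{p^12}
    print(tower_basis_degrees(12))         # [1, 2, 4, 4, 3, 6, 12, 12, 3, 6, 12, 12]
    print(subfield_basis_positions(12, 6)) # [0, 1, 4, 5, 8, 9]
```

For $n = 12$ the first four entries are the degree list of $\mathbb{F}_{p^4}$, and the two appended blocks come from the extension of degree $r_k = 3$; the six positions with $d_j \mid 6$ form the tower basis of $\mathbb{F}_{p^6}$, which is how an embedding $\mathbb{F}_{p^6} \to \mathbb{F}_{p^{12}}$ is read off. An element with non-zero coefficients only at basis elements of degree 2 and 3 has degree $\operatorname{lcm}(2, 3) = 6$.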

8 Application to Brauer character tables
Let G be a finite group, K be an algebraically closed field and n ∈ Z>0 . A
group homomorphism ρ : G → GLn (K) is called a representation. If K has
characteristic 0 then much information about ρ is encoded in its character
χ : G → K, g 7→ Trace(ρ(g)), a function which is constant on conjugacy
classes. The Trace is the sum of the eigenvalues of the matrix in K.
If $K$ has finite characteristic $p$ then the character as defined above contains much less information about $\rho$ (for example in characteristic 0 we have $\chi(1) = n$ but in characteristic $p$ only $\chi(1) = n \bmod p \in \mathbb{F}_p$). Instead we use Brauer characters $\tilde\chi$ which are defined on the elements $g \in G$ of order not divisible by $p$. Here, $\tilde\chi(g)$ is the sum of the lifts of the eigenvalues of $\rho(g)$ to complex roots of unity. Such a lift is an isomorphism $e \circ \ell : \bar{\mathbb{F}}_p^\times \to \mu_{p'} \subseteq \mathbb{C}^\times$ as we have considered in Section 4. In general the values of a Brauer character depend on the chosen lift.
A large collection of Brauer characters is contained in the GAP [Gap]
character table library CTblLib [Bre20] which includes all Brauer characters
from the Modular Atlas [Jan+95]. The values are given with respect to a lift defined by the Conway polynomials: if $f(X) \in \mathbb{F}_p[X]$ is the Conway polynomial defining the field with $p^n$ elements then the lift restricted to $\mathbb{F}_{p^n} \cong \mathbb{F}_p[X]/(f)$ is defined by $X + (f) \mapsto \exp(2\pi i/(p^n - 1))$. More details can be found in the Introduction and Appendix 1 of the Modular Atlas [Jan+95].
Our definition of standard generators ym of cyclic groups of order m
in 4.2 and 6.1 yields another lift, where ym is mapped to exp(2πi/m) for all
m ∈ Z>0 .
How can we recompute the values of known Brauer characters with re-
spect to the new lift defined here? The first step is to compute the lifted
eigenvalues from the character tables. This can be done because the men-
tioned Brauer character tables contain the power maps of the group (for each
element one knows the conjugacy class of all its powers) and this yields a Van-
dermonde type system of equations for the multiplicities of the eigenvalues.
If the relevant Conway polynomial is known we can derive the correspond-
ing eigenvalues in characteristic p as elements in the finite fields defined by
Conway polynomials.
The missing step to compute the image of these eigenvalues under our
new lift is an identification of the elements in Conway polynomial generated
fields with elements in the algebraic closure F̄p constructed in 3.1.
Let $n \mid m$ and $f, g \in \mathbb{F}_p[X]$ be the Conway polynomials of degrees $n$ and $m$, respectively. Then $\mathbb{F}_p[X]/(f)$ is considered as subfield of $\mathbb{F}_p[X]/(g)$ by mapping $X + (f)$ to $(X + (g))^a$ with $a = (p^m - 1)/(p^n - 1)$. We define embeddings of the fields $\mathbb{F}_p[X]/(f)$ into our $\bar{\mathbb{F}}_p$ which commute with these inclusion relations:
Definition 8.1. We define the embedding by induction over the degree of
the field.
Since any field homomorphism maps 1 7→ 1 it is clear how to identify the
zero z1 of a Conway polynomial of degree 1 in the prime field. Now let n > 1
and f ∈ Fp [X] be the Conway polynomial of degree n. Assume that for any
proper divisor m|n we have already defined the image zm ∈ F̄p of the residue
class X + (g) for the Conway polynomial g of degree m.
Then we map $X + (f)$ to the zero $z_n$ of $f$ in our standard field of order $p^n$ which has the smallest Steinitz number among the zeros $z$ which fulfill the compatibility conditions $z^{(p^n - 1)/(p^m - 1)} = z_m$ for all proper divisors $m$ of $n$.
Our software package StandardFF [Lü21] contains a function SteinitzPairConwayGenerator which computes the Steinitz pairs describing the elements $z_n$ in Definition 8.1.
To compute the image of $z_n$ under our new lift we have to find the discrete logarithm $e$ such that $y_{p^n - 1}^e = z_n$. This can be challenging in large fields, but in practice we usually only need the images of powers of $z_n$ of small order, which can be found much more easily.
Our package StandardFF [Lü21] also has a function StandardValues-
BrauerCharacter which recomputes values of Brauer characters with respect
to our new lift, provided the relevant Conway polynomials are known.
We consider two explicit examples: The Brauer character table of the
largest sporadic simple group, the Monster, in characteristic 19 contains sev-
eral Brauer characters for which our function to recompute their values ac-
cording to our new lift fails (because some needed Conway polynomials are
not known and essentially impossible to compute). But in this case one can
check that with any irreducible Brauer character all its Galois conjugate class
functions are also irreducible Brauer characters. In such a case the Brauer
characters are the same for any lift, only the map from a set of concrete
representations to their Brauer character depends on the lift (and here we
cannot compute the permutation of Brauer characters caused by the different
lifts).
Thomas Breuer systematically determined all cases in the CTblLib [Bre20]
library where we cannot recompute the Brauer character values for our new
lift because of missing Conway polynomials, or where a complex character
value cannot be reduced modulo a prime dividing the group order. This
concerns about 50 finite fields for which the Conway polynomial would be
needed. With the construction described in this paper our software only
needs 3 seconds to construct these fields including our standardized primi-
tive roots.

As second explicit example we mention the Brauer character table of
the alternating group A18 in characteristic 7. In this case we are able to
recompute all values with respect to our new lift. It turns out that there
are two characters of degree 745459 where the new lift yields class functions
which are not contained in the original table. So, the two different lifts
actually lead to different Brauer character tables.
Finally, we want to illustrate another interesting feature of the constructions in this paper. Say, we have a group element of order 523 and we want to lift 523-th roots of unity in characteristic 13. Then the smallest field containing such roots of unity is $\mathbb{F}_{13^{261}}$. The factorization of $13^{261} - 1$ is not known and so probably very hard to compute. So, even with our new definition we have no chance to compute our standardized primitive root of this field. Nevertheless, for our purpose we only need to construct the field of order $13^{261}$ and our standard generator of order 523 in this field. Our programs can do this in 0.4 seconds.

References

[BCS97] W. Bosma, J. Cannon, and A. Steel. "Lattices of compatibly embedded finite fields". In: J. Symbolic Comput. 24.3-4 (1997). Computational algebra and number theory (London, 1993), pp. 351–369.

[Bre20] T. Breuer. CTblLib, The GAP Character Table Library, Version 1.3.1. http://www.math.rwth-aachen.de/~Thomas.Breuer/ctbllib. GAP package. 2020.

[Car93] R. W. Carter. Finite groups of Lie type. Wiley Classics Library. Conjugacy classes and complex characters, Reprint of the 1985 original, A Wiley-Interscience Publication. John Wiley & Sons, Ltd., Chichester, 1993, pp. xii+544.

[Cro] J. Crombie. Factor collection $a^n \pm 1$. http://myfactorcollection.mooo.com:8090/.

[DFRR19] L. De Feo, H. Randriam, and E. Rousseau. "Standard lattices of compatibly embedded finite fields". In: ISSAC'19—Proceedings of the 2019 ACM International Symposium on Symbolic and Algebraic Computation. ACM, New York, 2019, pp. 122–130.

[Gap] GAP – Groups, Algorithms, and Programming, Version 4.11.1. https://www.gap-system.org. The GAP Group, 2021.

[GP97] S. Gao and D. Panario. "Tests and Constructions of Irreducible Polynomials over Finite Fields". In: Foundations of Computational Mathematics. Ed. by F. Cucker and M. Shub. Berlin, Heidelberg: Springer Berlin Heidelberg, 1997, pp. 346–361.

[GS] D. R. Grayson and M. E. Stillman. Macaulay2, a software system for research in algebraic geometry. http://www.math.uiuc.edu/Macaulay2/.

[Jan+95] C. Jansen et al. An atlas of Brauer characters. Vol. 11. London Mathematical Society Monographs. New Series. Appendix 2 by T. Breuer and S. Norton, Oxford Science Publications. The Clarendon Press, Oxford University Press, New York, 1995, pp. xviii+327.

[Lan02] S. Lang. Algebra. Third edition. Vol. 211. Graduate Texts in Mathematics. Springer-Verlag, New York, 2002, pp. xvi+914.

[LS08] H. Lenstra and B. de Smit. Standard Models for Finite Fields. http://damtp.cam.ac.uk/user/na/FoCM/FoCM08/Talks/Lenstra.pdf (see also 11.7 in [Mul13]). 2008.

[Lü09] F. Lübeck. Tables of Conway polynomials of finite fields. http://www.math.rwth-aachen.de/~Frank.Luebeck/data/ConwayPol/. Lehrstuhl D für Mathematik, RWTH Aachen, 2009.

[Lü21] F. Lübeck. StandardFF: A GAP package for constructing finite fields. https://github.com/frankluebeck/StandardFF/. 2021.

[Mag] MAGMA – a computational algebra system, Version 2.24. http://magma.maths.usyd.edu.au/magma/. The Computational Algebra Group, 2019.

[Mul13] G. L. Mullen, ed. Handbook of finite fields. Discrete Mathematics and its Applications (Boca Raton). CRC Press, Boca Raton, FL, 2013, pp. xxxvi+1033.

[PH78] S. C. Pohlig and M. E. Hellman. "An improved algorithm for computing logarithms over GF(p) and its cryptographic significance". In: IEEE Trans. Inform. Theory IT-24.1 (1978), pp. 106–110.

[Ple15] W. Plesken. Höhere algorithmische Algebra I. Vorlesungsskript RWTH Aachen. 2015.

[Rin15] M. Ringe. The C-MeatAxe, Version 2.4.X. https://www.math.rwth-aachen.de/~MTX/. Lehrstuhl D für Mathematik, RWTH Aachen, 2015.

[Sag] SageMath, the Sage Mathematics Software System, Version 9.0. https://www.sagemath.org. The Sage Developers, 2020.

[Sho90] V. Shoup. "New algorithms for finding irreducible polynomials over finite fields". In: Math. Comp. 54.189 (1990), pp. 435–447.

[Sho94] V. Shoup. "Fast construction of irreducible polynomials over finite fields". In: J. Symbolic Comput. 17.5 (1994), pp. 371–391.

[Ste10] E. Steinitz. "Algebraische Theorie der Körper". In: J. Reine Angew. Math. 137 (1910), pp. 167–309.