I understand there are already some questions (A, B) on primitive polynomials. But none of these clears my confusion.
In page 84 of Handbook of Applied Cryptography, primitive polynomial has been defined as,
Now, if I try to understand the definition by dissecting the parts,
- This is an irreducible polynomial, that means, it cannot be factored into the product of two or more non-trivial polynomials.
- The polynomial $f(x) \in \mathbb{Z}_p[x]$. So, the polynomial belongs to the polynomial ring $\mathbb{Z}_p [x]$, where, $\mathbb{Z}_p [x]$ is the ring formed by the set of all polynomials in the indeterminate $x$ having coefficients from $\mathbb{Z}_p$. Here $\mathbb{Z}_p$, will be the integers modulo $p$, set of (equivalence classes of) integers $\{0, 1, 2, . . . , p − 1\}$.
- $x$ is a generator of $\mathbb{F}^*_{p^m}$: I am coming to this part regarding $x$ later on. $\mathbb{F}^*_{p^m}$, is the multiplicative group of $\mathbb{F}_{p^m}$ such that $ \{a \in \mathbb{F}_{p^m} | \gcd(a, p) = 1\}$.
- $\mathbb{F}_{p^m} = \mathbb{Z}_p[x]/(f(x))$, denotes the set of (equivalence classes of) polynomials in $\mathbb{Z}_p[x]$ of degree less than $n = \deg f (x)$. Addition and multiplication are performed modulo $f (x)$.
Now, coming back to the point of $x$, I began to realize that I must have some serious flaw in my understanding above. So far, I have seen that generators have always been numbers. Here the generator is $x$, which is an indeterminate.
Could you please point out the where I have gone off the track?
Perhaps the best way to salvage me will be to simply rewrite my points 1-4. Adding an example will make things perfect.
The notation in the book is not one I would have chosen. All the $m$ roots of the irreducible polynomial $f(x) \in \mathbb F[x]$ are generators of the multiplicative group of $\mathbb F_{p^m}$; this group is a cyclic group. In particular, if $\alpha$ is a root of $f(x)$, then $$\mathbb F_{p^m}^{\star} = \{1, \alpha, \alpha^2, \ldots, \alpha^{p^m-2}; \times\,\}.$$ The other roots of $f(x)$ are $\alpha^p, \alpha^{p^2},\cdots,\alpha^{p^{m-1}}$ which are also called conjugates of $\alpha$. An alternative representation of $\mathbb F_{p^m}$ is the collection of polynomials of degree less than $m$ in $\mathbb F_p[x]$. The two representations are connected via the following table: $$\begin{matrix}1&=&1\\ \alpha&=& & \alpha\\ \alpha^2&= &&&\alpha^2\\ \vdots& \vdots&\ddots\\ \alpha^{m-1}&= &&&&&\alpha^{m-1}\\ \alpha^{m}&= &-f_0&-f_1\alpha&-f_2\alpha^2&\cdots&-f_{m-1}\alpha^{m-1}\\ \vdots&\vdots&\ddots \end{matrix}$$ where we assume that $f(x)$ is monic, and use the fact that $$f(\alpha) = 0 = f_0 + f_1\alpha + f_2\alpha^2 + \cdots + f_{m-1}\alpha^{m-1} + \alpha^m \tag{1}$$ in writing $\alpha^m$ as a polynomial in $\alpha$ of degree smaller than $m$. To find the next line in the above table, we use $$\begin{align} \alpha^{m+1} &= \alpha^m\cdot\alpha\\ &= (-f_0-f_1\alpha-f_2\alpha^2\cdots -f_{m-1}\alpha^{m-1})\alpha\\ &= 0-f_0\alpha -f_1\alpha^2-f_2\alpha^3\cdots - f_{m-2}\alpha^{m-1}-f_{m-1}\alpha^{m} \end{align}$$ and replace $f_{m-1}\alpha^m$ by $f_{m-1}(-f_0-f_1\alpha-f_2\alpha^2\cdots -f_{m-1}\alpha^{m-1})$ to once again get a polynomial of degree less than $m$ in $\alpha$. Repeating this process creates the entire table which is often referred to as a logarithm table but in fact is an antilogarithm table. For each $i$, the table gives the representation of $\alpha^i$ as a polynomial in $\alpha$ -- very convenient for addition -- while multiplication of two polynomials in $\alpha$ and subsequent reduction using $(1)$ repeatedly is harder than computing $\alpha^i\times\alpha^j = \alpha^{i+j \bmod p^m-1}$, that is, by adding the logarithms.
Finally, all this works exactly the same way and gives the same results if we replace $\alpha$ by $x$ and say that $\mathbb F_{p^m} = \mathbb F_p[x]/f(x)$ etc., but this always creates confusion amongst beginners.