Finite Fields

You already know one family of finite fields: \mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}, the integers modulo a prime p. There you can add, subtract, multiply, and — because p is prime — divide by anything nonzero. But is that all the finite fields there are? Could there be a field with exactly 6 elements? With 4? With 100?

The answer is one of the cleanest classification theorems in all of algebra. A finite field can only have p^n elements — a prime power — and for each such size there is exactly one field, up to isomorphism. No more, no fewer. This unique object is the Galois field \mathrm{GF}(p^n) = \mathbb{F}_{p^n}, named for Galois, who died at twenty in a duel having already rewritten the subject. So there is no field of order 6 or 100 (neither is a prime power), but there is a unique field of order 4, of order 8, of order 9, of order 27, and so on.

This one page pins down that classification: why the size must be a prime power, how to build \mathbb{F}_{p^n}, and the single most useful fact about it — that its nonzero elements form a cyclic group, generated by a single "primitive" element whose powers sweep out the whole field.

Why the size must be a prime power

Take any finite field \mathbb{F}. Its prime subfield — the copy of \{0, 1, 1+1, \dots\} you generate by adding 1 to itself — must loop back to 0 after finitely many steps (the field is finite), and it must loop after a prime number of steps p, because otherwise there would be zero divisors. So \mathbb{F} contains a copy of \mathbb{F}_p, and it has characteristic p.

Now view \mathbb{F} as a vector space over that base field \mathbb{F}_p — exactly the field-extension viewpoint. It is finite, so it has a finite dimension, say n. A vector space of dimension n over a field with p elements has exactly p^n vectors — pick each of the n coordinates independently from p choices. That is the whole argument:

\lvert \mathbb{F} \rvert = p^{\,[\mathbb{F} : \mathbb{F}_p]} = p^n.

There is no room for a field of order 6 = 2 \cdot 3: six is not p^n. The very same counting forbids 10, 12, 15, 100 and every other non-prime-power.

Building the fields

Existence is the other half. For n = 1 we already have \mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}. For larger n, the field \mathbb{F}_{p^n} is the splitting field of the polynomial

x^{\,p^n} - x \quad \text{over } \mathbb{F}_p.

Its p^n distinct roots are the elements of the field — they form a subfield, and there are exactly p^n of them. Equivalently, and more usefully for hand computation, you adjoin a root of an irreducible polynomial of degree n over \mathbb{F}_p: \mathbb{F}_{p^n} = \mathbb{F}_p[x]/(f) for any such f. Different irreducible f of the same degree give the same field up to isomorphism — that is the uniqueness half of the theorem.

Worked example: the field of four elements

Build \mathbb{F}_4. Over \mathbb{F}_2 = \{0, 1\} the polynomial x^2 + x + 1 is irreducible: it has no root in \mathbb{F}_2 (test 0 \mapsto 1, 1 \mapsto 1, neither is 0). Adjoin a root \alpha, so \alpha^2 + \alpha + 1 = 0, i.e. \alpha^2 = \alpha + 1 (signs don't matter in characteristic 2). The four elements are

\mathbb{F}_4 = \{\, 0,\ 1,\ \alpha,\ \alpha + 1 \,\}.

Addition is componentwise mod 2: for instance \alpha + (\alpha + 1) = 2\alpha + 1 = 1, and every element is its own negative. Multiplication uses the relation \alpha^2 = \alpha + 1 to fold high powers back down:

\alpha \cdot \alpha = \alpha^2 = \alpha + 1, \qquad \alpha \cdot (\alpha + 1) = \alpha^2 + \alpha = (\alpha + 1) + \alpha = 1.

That last line says \alpha and \alpha + 1 are multiplicative inverses — every nonzero element has an inverse inside the set, so \mathbb{F}_4 really is a field. Notice the three nonzero elements 1, \alpha, \alpha + 1 are just \alpha^3 = 1, \alpha^1, \alpha^2 — the powers of \alpha cycle through all of them.

The multiplicative group is cyclic

That last observation is the deepest structural fact about a finite field, and it is worth stating precisely. The nonzero elements \mathbb{F}_q^{\times} (where q = p^n) form a group under multiplication of order q - 1 — and that group is always cyclic.

Being cyclic means multiplication becomes addition of exponents. Fix a primitive element g; then every nonzero element is a power g^k, and g^i \cdot g^j = g^{\,i + j \bmod (q-1)}. Lay the powers evenly around a circle and multiplication is just rotation — exactly the picture of the (q-1)th roots of unity. The figure below shows \mathbb{F}_8^{\times}, cyclic of order 7: seven powers of a generator spaced around a circle.

The Frobenius map \phi(x) = x^p is the other structural gift. In characteristic p the "freshman's dream" (a + b)^p = a^p + b^p is true (the binomial coefficients in between are all divisible by p), so \phi respects both operations — it is an automorphism. Its fixed points are exactly the solutions of x^p = x, which is \mathbb{F}_p itself. Frobenius is the engine that drives the entire Galois theory of finite fields.

The single most common error is to think the field of order 4 is the clock ring \mathbb{Z}/4\mathbb{Z} = \{0, 1, 2, 3\}. It is not — and \mathbb{Z}/4\mathbb{Z} is not even a field. In it, 2 \cdot 2 = 4 \equiv 0: two nonzero elements multiply to zero, so 2 is a zero divisor and can never have a multiplicative inverse. A field has no zero divisors, so \mathbb{Z}/4\mathbb{Z} is out.

The general rule: \mathbb{Z}/n\mathbb{Z} is a field if and only if n is prime. When n is composite, some factor of n is a zero divisor. So for n = p^k with k > 1, the ring \mathbb{Z}/p^k\mathbb{Z} and the field \mathbb{F}_{p^k} are completely different objects of the same size. The genuine field \mathbb{F}_4 is \mathbb{F}_2[x]/(x^2 + x + 1) — built by adjoining a root, not by counting mod 4.

Knowing a generator exists is not the same as knowing which element it is. In \mathbb{F}_8^{\times} (order 7, prime) every nonzero element except 1 is a generator, so it is easy. But in a field where q - 1 has many factors, an element g is primitive exactly when g^{(q-1)/\ell} \neq 1 for every prime \ell dividing q - 1. There is no known fast deterministic algorithm that always writes one down, yet primitive elements are plentiful — a \varphi(q-1)/(q-1) fraction of the group generates it — so picking at random and testing works beautifully in practice. This is precisely why finite fields power real cryptography: cyclic structure that is easy to compute forward and hard to invert.