Factorization of Polynomials over Finite Fields
April 2004, Mathematisches Forum
Rudolf Schürer, University of Salzburg
Email: [email protected]
Prime-Power Decomposition
Fundamental Theorem of Arithmetic:
Every integer a ≠ 0 has a representation in the form
$a = u \cdot p_1^{e_1} p_2^{e_2} \cdots p_n^{e_n},$
where u is ±1 and $p_1, \ldots, p_n$ are (zero or more) distinct positive primes.
The representation is unique, except for the order in which the primes occur.
✯ Determining whether a given 1000-digit integer is prime is (in general) a difficult task.
✯ Determining the prime-power decomposition of a given 1000-digit integer is (in general) an impossible task.
Algebra Revision: Rings
An algebraic structure (R, +, ×) is a ring, if
✯ (R, +) is an Abelian group
✯ Multiplication × is associative
✯ Distributive laws hold
Usually we need more:
✯ Existence of a one-element: 1 × a = a
✯ Commutativity of ×: a × b = b × a
Algebra Revision: Fields
Fields are rings where each non-zero element has a multiplicative inverse.
✯ (R \ {0}, ×) is an Abelian group
✯ Linear algebra can be done
Due to the fact that every element has an inverse (i.e. is a unit), fields have hardly any interesting structure and are slightly boring.
We are interested in structures between rings and fields.
Algebra Revision: Between Rings and Fields
Integrity domains
✯ a, b ≠ 0 implies a × b ≠ 0
✯ Linear algebra can be done to a certain extent
✯ Quotient field exists
✯ Can distinguish units, primes and composites
UFDs
✯ Every a ∈ R \ {0} has a representation in the form
$a = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r},$
where $p_1, \ldots, p_r$ are (zero or more) distinct prime elements of R.
The representation is unique, except for multiplication with units and the order in which the primes occur.
Euclidean domains
✯ Euclidean division (i.e. division with remainder)
✯ GCD can be calculated easily using the Euclidean algorithm
✯ Congruences
Finite Fields
A well-known class of finite fields are the factor fields of $\mathbb{Z}$, i.e. $\mathbb{Z}_p := \mathbb{Z}/p\mathbb{Z}$ with p prime.
However, finite fields can also be constructed as finite algebraic extensions of $\mathbb{Z}_p$. Any finite field $\mathbb{F}_q$ has the following properties:
✯ $\mathbb{F}_q$ has q elements.
✯ The structure of $\mathbb{F}_q$ is completely determined by q.
✯ $q = p^e$ with p prime and e a positive integer.
✯ $\mathbb{F}_q$ contains $\mathbb{Z}_p$ as its smallest subfield.
✯ $\operatorname{char}(\mathbb{F}_q) = p$, i.e. for $a \in \mathbb{F}_q \setminus \{0\}$ we have $\sum_{i=1}^{p} a = 0$ and $\sum_{i=1}^{n} a \ne 0$ for $n = 1, \ldots, p - 1$.
✯ $\mathbb{F}_q = \mathbb{Z}_q$ if and only if q is prime.
Polynomials
Polynomials over a ring R are sequences
$(a_0, a_1, a_2, \ldots)$
with $a_i \in R$ and almost all $a_i = 0$.
The common notation is
$a_n x^n + \cdots + a_1 x + a_0.$
Zero-element: (0, 0, . . .)
One-element: (1, 0, 0, . . .)
Addition:
$(a_0, a_1, \ldots) + (b_0, b_1, \ldots) := (a_0 + b_0, a_1 + b_1, \ldots)$
Multiplication:
$(a_0, a_1, \ldots) \times (b_0, b_1, \ldots) := (c_0, c_1, \ldots)$
with
$c_k := \sum_{i=0}^{k} a_i b_{k-i}.$
Algebraic Properties of Polynomial Rings
R          | R[x]
Ring       | Ring
Domain     | Domain
UFD        | UFD
Field      | Euclidean domain
Important UFDs
✯ Any field (However: Factorization is trivial)
✯ $\mathbb{Z}$
✯ $\mathbb{C}[x]$, $\mathbb{R}[x]$
✯ $\mathbb{Q}[x]$
✯ $\mathbb{Q}(\sqrt{-1})[x]$, $\mathbb{Q}(\sqrt{2})[x]$
✯ $\mathbb{A}[x]$
✯ $\mathbb{Z}_p[x]$, $\mathbb{F}_q[x]$
✯ $\mathbb{Z}[x]$
✯ $\mathbb{Z}[x, y, z]$, $\mathbb{F}_q[x, y, z]$
Examples for Factorization:
Consider the polynomial $p(x) = 2x^4 - 6x^3 + 10x^2 + 12x - 28$.
Factorization over . . .
$\mathbb{Q}$:                         $(x^2 - 2)(2x^2 - 6x + 14)$
$\mathbb{Z}$:                         $2(x^2 - 2)(x^2 - 3x + 7)$
$\mathbb{Z}_2$:                       $0$
$\mathbb{Z}_7$:                       $(x - 3)(x + 3) \cdot (2x)(x - 3) = (2x)(x + 3)(x - 3)^2$
$\mathbb{Z}_5$:                       $(x^2 - 2) \cdot (x - 2)(2x - 2)$
$\mathbb{Q}(\sqrt{2})$ or $\mathbb{R}$:  $(x - \sqrt{2})(x + \sqrt{2}) \cdot (2x^2 - 6x + 14)$
$\mathbb{A}$ or $\mathbb{C}$:            $(x - \sqrt{2})(x + \sqrt{2}) \cdot \left(x - \frac{3 + i\sqrt{19}}{2}\right)\left(x - \frac{3 - i\sqrt{19}}{2}\right)$
Arithmetic Operations
Operation            | Z    | F[x]                 | R[x]
Additive Operations  | ✔    | ✔                    | ✔
Multiplication       | ✔    | ✔                    | ✔
Euclidean Division   | ✔    | Polynomial Division  | “Pseudo Division”
GCD                  | EA   | EA                   | Sub-resultant Algo
Factorization        | ???
Factorization of Polynomials over a Field
Over a field F, each polynomial p ∈ F[x] can be written as
$p = u \cdot \bar{p},$
where u ∈ F (i.e. u is a unit in F[x]) and $\bar{p} \in F[x]$ is a monic polynomial.
Therefore, it is sufficient to consider only the factorization of monic polynomials into monic irreducible factors.
Factorization into Squarefree Factors
Instead of trying to determine the complete factorization
$u = p_1^{e_1} \cdots p_k^{e_k}$
into prime factors $p_i$, we try to find the factorization
$u = A_1 A_2^2 \cdots A_n^n$
into (pairwise coprime) squarefree factors $A_i$.
Based thereupon, it is sufficient to factor
$A_i = p_1 p_2 \cdots p_{r_i}$
into distinct prime factors $p_j$. This is often much simpler; consider, for instance, the factorization in $\mathbb{C}[x]$ using Newton’s method.
Derivatives
Definition: Let F be a field and $u = (u_0, u_1, u_2, \ldots)$ a polynomial over F.
The derivative of u is defined as
$u' := (1u_1, 2u_2, 3u_3, \ldots)$
with
$na := \sum_{i=1}^{n} a$ for $n \in \mathbb{N}$ and $a \in F$.
✯ $(u + v)' = u' + v'$
✯ $(uv)' = u'v + uv'$
Factorization into Squarefree Factors
Given a monic polynomial u over a field F with p = char(F), the factorization into squarefree, monic factors can be determined using the following algorithm:
T ← gcd(u, u')
if deg T = 0 then
  M ← {u^1}
else if 0 < deg T < deg u then
  M ← {sff(T), (u/T)^1}
else
  M ← {sff(v)^p} with $v = (u_0^{1/p}, u_p^{1/p}, u_{2p}^{1/p}, \ldots)$
end if
Arithmetic Operations
Operation                | Z    | F[x]                 | R[x]
Additive Operations      | ✔    | ✔                    | ✔
Multiplication           | ✔    | ✔                    | ✔
Euclidean Division       | ✔    | Polynomial Division  | “Pseudo Division”
GCD                      | EA   | EA                   | Sub-resultant Algo
Squarefree Factorization | ✔    | ✔                    | ✔
Factorization            | ???
Factorization Methods
UFD                       | Factorization Method
$\mathbb{C}[x]$, $\mathbb{R}[x]$ | Root finding (numerical analysis)
$\mathbb{F}_q[x]$         | Berlekamp’s Algorithm, Cantor–Zassenhaus split
$\mathbb{Q}[x]$, $\mathbb{Z}[x]$ | Hensel Lift (based on factorization over $\mathbb{Z}_q$)
$\mathbb{Q}(\alpha)[x]$   | Based on factorization over $\mathbb{Z}[x]$
$\mathbb{Z}$              | Number Field Sieve, Elliptic Curve, Class Group
Multivariate polynomials  | Generalized versions of Hensel Lift
Berlekamp’s Algorithm
Let
$u = \prod_{i=1}^{r} p_i$
be a polynomial over $\mathbb{F}_q$ with $p_1, \ldots, p_r$ distinct, monic, irreducible polynomials.
How can we be clever enough to discover r and the $p_i$’s when only u is given?
Chinese Remainder Theorem
Let $p_1, \ldots, p_r \in F[x]$ be pairwise coprime and $s_1, \ldots, s_r \in F[x]$.
Then there is a unique polynomial $v \in F[x]$ such that
$v \equiv s_i \bmod p_i$ for $i = 1, \ldots, r$
and
$\deg v < \deg \prod_{i=1}^{r} p_i.$
The polynomial v can be found easily using the extended Euclidean algorithm.
How does this Help Us?
Choose $s_1, \ldots, s_r \in \mathbb{F}_q \subset \mathbb{F}_q[x]$, $s_1 \ne s_2$.
Find polynomial v.
Consider $\gcd(u, v - s_1)$.
✯ $p_1 \mid \gcd(u, v - s_1)$ because $p_1 \mid u$ and $v \equiv s_1 \bmod p_1$
✯ $p_2 \nmid \gcd(u, v - s_1)$ because $v \equiv s_2 \bmod p_2$, therefore $p_2 \mid v - s_2$, therefore $p_2 \nmid v - s_1$.
✯ Therefore $\gcd(u, v - s_1)$ is a non-trivial factor of u!
Problem: How can we find v without knowing $p_1, \ldots, p_r$?
Another Way for Finding the v’s?
Let V be the set of all polynomials $v \in \mathbb{F}_q[x]$ with
✯ deg v < deg u, and
✯ there exist $s_1, \ldots, s_r \in \mathbb{F}_q$ with $v \equiv s_i \bmod p_i$ for $i = 1, \ldots, r$.
Then V is identical to the set of all polynomials $v \in \mathbb{F}_q[x]$ with
✯ deg v < deg u and
✯ $v^q \equiv v \bmod u$
and we have $|V| = q^r$.
How can we find all v’s with $v^q \equiv v \bmod u$?
Let
$v(x) = \sum_{0 \le i < n} t_i x^i$
with n = deg u and $t_i \in \mathbb{F}_q$. We have
$v(x)^q = v(x^q) = \sum_{0 \le j < n} t_j x^{qj},$
(the q-th power map is additive in characteristic p and fixes every $t_i \in \mathbb{F}_q$) and can express $x^{qj}$ as
$x^{qj} \equiv \sum_{0 \le i < n} q_{i,j} x^i \bmod u,$
with $q_{i,j} \in \mathbb{F}_q$ easily computable. Hence we have
$v(x)^q \equiv \sum_{0 \le j < n} t_j \sum_{0 \le i < n} q_{i,j} x^i \equiv \sum_{0 \le i < n} x^i \sum_{0 \le j < n} t_j q_{i,j} \bmod u.$
Therefore the congruence $v^q \equiv v \bmod u$ is equivalent to
$\sum_{0 \le j < n} t_j q_{i,j} = t_i$ for $0 \le i < n$.
If, in matrix terms, we set $Q = (q_{i,j})$ and $v = (t_i)$, we have
$Qv = v$ or $(Q - I)v = 0.$
Therefore, V is a vector space, the kernel of the matrix Q − I!
Since V has $q^r$ elements, dim V = r and the rank of Q − I is n − r.
Berlekamp’s Algorithm
Given a monic, squarefree polynomial u over $\mathbb{F}_q$, determine the factorization into prime factors:
M ← {u}, n ← deg u
Calculate $x^0, x^q, x^{2q}, \ldots, x^{(n-1)q}$ modulo u
Build the matrix Q based on the coefficients of these polynomials
Calculate a basis $(v_1, \ldots, v_r)$ of the kernel V of Q − I
for v = $v_2, \ldots, v_r$ do
  for all w ∈ M do
    M ← M \ {w}
    for s = 1, . . . , q with s ∈ $\mathbb{F}_q$ do
      g ← gcd(w, v − s)
      if deg g > 0 then
        M ← M ∪ {g}
      end if
      if #M = r then
        Exit!
      end if
    end for
  end for
end for
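The following is an added example in Python, not code from the slides: it carries out Berlekamp’s algorithm as laid out above (Q from $x^{pj} \bmod u$, the kernel of Q − I, then splitting every current factor w with gcd(w, v − s) as in “How does this Help Us?”), with the squarefree precondition checked via gcd(u, u') from the squarefree-factorization slide. It assumes q = p is a small prime (so $\mathbb{F}_q = \mathbb{Z}_p$), Python 3.8 or newer, and a coefficient-list representation; the helper names (poly_gcd, nullspace, berlekamp) are this example’s own.

```python
# Berlekamp over F_p (p prime): polynomials are coefficient lists, lowest degree first.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, p):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)

def poly_mod(a, m, p):  # remainder of a modulo the monic polynomial m
    a = trim(a[:])
    while len(a) >= len(m):
        c, shift = a[-1], len(a) - len(m)
        for i, y in enumerate(m):
            a[shift + i] = (a[shift + i] - c * y) % p
        trim(a)
    return a

def monic(a, p):
    return [(x * pow(a[-1], -1, p)) % p for x in a]

def poly_gcd(a, b, p):  # monic gcd by the Euclidean algorithm ("EA" in the table)
    a, b = trim(a[:]), trim(b[:])
    while b:
        b = monic(b, p)
        a, b = b, poly_mod(a, b, p)
    return monic(a, p)

def poly_deriv(a, p):  # (u_0, u_1, u_2, ...) -> (1u_1, 2u_2, 3u_3, ...)
    return trim([(i * a[i]) % p for i in range(1, len(a))])

def nullspace(M, p):  # basis of {v : M v = 0} over F_p by Gauss-Jordan elimination
    M, n, pivots = [row[:] for row in M], len(M), []
    for c in range(n):
        r = len(pivots)
        piv = next((i for i in range(r, n) if M[i][c]), None)
        if piv is None:
            continue                        # no pivot: column c is free
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(x * inv) % p for x in M[r]]
        for i in range(n):
            if i != r and M[i][c]:
                M[i] = [(x - M[i][c] * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
    free = [c for c in range(n) if c not in pivots]   # one basis vector per free column
    return [[(-M[pivots.index(c)][fc]) % p if c in pivots else int(c == fc)
             for c in range(n)] for fc in free]

def berlekamp(u, p):  # monic irreducible factors of a monic squarefree u in F_p[x]
    n = len(u) - 1
    assert u[-1] == 1 and len(poly_gcd(u, poly_deriv(u, p), p)) == 1, "u monic, squarefree"
    xp = [1]
    for _ in range(p):                      # x^p mod u by p shifts of x (q is small)
        xp = poly_mod([0] + xp, u, p)
    rows, cur = [], [1]                     # rows[j] = coefficients of x^{pj} mod u
    for _ in range(n):
        rows.append(cur + [0] * (n - len(cur)))
        cur = poly_mod(poly_mul(cur, xp, p), u, p)
    # q_{i,j} = coefficient of x^i in x^{pj} mod u; V is the kernel of Q - I
    basis = nullspace([[(rows[j][i] - (i == j)) % p for j in range(n)] for i in range(n)], p)
    r, factors = len(basis), [u]            # dim V = r = number of irreducible factors
    for v in basis:
        if len(factors) == r or len(trim(v[:])) < 2:
            continue                        # finished, or v is a constant (splits nothing)
        # Remark 1: w = prod_{s in F_p} gcd(w, v - s); the non-constant gcds are the pieces
        factors = [g for w in factors for s in range(p)
                   if len(g := poly_gcd(w, [(v[0] - s) % p] + v[1:], p)) > 1]
    return sorted(factors)
```

Run on the monic form of the examples slide’s p(x) over $\mathbb{Z}_5$, $x^4 + 2x^3 + x + 1$, `berlekamp([1, 1, 0, 2, 1], 5)` returns `[[3, 0, 1], [3, 1], [4, 1]]`, i.e. $(x^2 + 3)(x + 3)(x + 4)$, which is the $\mathbb{Z}_5$ line of that slide up to the unit 2.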
Two Remarks
1. If $u \in \mathbb{F}_q[x]$ is monic and $v \in \mathbb{F}_q[x]$ is such that $v^q \equiv v \bmod u$, then
$u = \prod_{s \in \mathbb{F}_q} \gcd(u, v - s).$
2. Using only the r basis vectors of V is sufficient to find all irreducible factors.
Execution Time
We assume that q is small compared to n = deg u and that all basic operations in $\mathbb{F}_q$ can be performed in constant time (e.g. using lookup tables).
Task                        | Complexity
Squarefree factorization    | $O(n^2)$
Building Q                  | $O(qn^2)$ or $O(n^2 \log q + n^3)$
Null space                  | $O(n^3)$
Splitting                   | $O(qr^2n^2)$
Total                       | $O(qr^2n^3)$
Total (assuming r = log n)  | $O(qn^3 \log^2 n)$
Using a Random Split
In 1980, Cantor and Zassenhaus showed that if r ≥ 2, q is an odd prime and v is randomly chosen from V, then
$\gcd(u, v^{(p-1)/2})$
is a non-trivial factor of u with probability ≥ 4/9.
Strategy: Create random linear combinations of $v_1, \ldots, v_r$ and use them for splitting until r factors are found.