Factorization of Polynomials over Finite Fields
April 2004, Mathematisches Forum
Rudolf Schürer, University of Salzburg
Email: [email protected]

Prime-Power Decomposition

Fundamental Theorem of Arithmetic: Every integer $a \neq 0$ has a representation in the form
$$a = u \cdot p_1^{e_1} p_2^{e_2} \cdots p_n^{e_n},$$
where $u$ is $\pm 1$ and $p_1, \dots, p_n$ are (zero or more) distinct positive primes. The representation is unique, except for the order in which the primes occur.

✯ Determining whether a given 1000-digit integer is prime is (in general) a difficult task.
✯ Determining the prime-power decomposition of a given 1000-digit integer is (in general) an impossible task.

Algebra Revision: Rings

An algebraic structure (R, +, ×) is a ring if
✯ (R, +) is an Abelian group,
✯ multiplication × is associative,
✯ the distributive laws hold.

Usually we need more:
✯ existence of a one-element: 1 × a = a,
✯ commutativity of ×: a × b = b × a.

Algebra Revision: Fields

Fields are rings in which each non-zero element has a multiplicative inverse.
✯ (R \ {0}, ×) is an Abelian group.
✯ Linear algebra can be done.

Because every non-zero element has an inverse (i.e. is a unit), fields have hardly any interesting structure and are slightly boring. We are interested in structures between rings and fields.

Algebra Revision: Between Rings and Fields

Integral domains
✯ a, b ≠ 0 implies a × b ≠ 0
✯ Linear algebra can be done to a certain extent
✯ A quotient field exists
✯ Units, primes and composites can be distinguished

UFDs
✯ Every a ∈ R \ {0} has a representation in the form
$$a = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r},$$
where $p_1, \dots, p_r$ are (zero or more) distinct prime elements of R. The representation is unique, except for multiplication with units and the order in which the primes occur.

Euclidean domains
✯ Euclidean division (i.e. division with remainder)
✯ The GCD can be calculated easily using the Euclidean algorithm
✯ Congruences

Finite Fields

A well-known class of finite fields consists of the factor fields of Z, i.e. Z_p := Z/pZ with p prime. However, finite fields can also be constructed as finite algebraic extensions of Z_p. Any finite field F_q has the following properties:
✯ F_q has q elements.
✯ The structure of F_q is completely determined by q.
✯ q = p^e with p prime and e a positive integer.
✯ F_q contains Z_p as its smallest subfield.
✯ char(F_q) = p, i.e. for a ∈ F_q \ {0} we have $\sum_{i=1}^{p} a = 0$ and $\sum_{i=1}^{n} a \neq 0$ for n = 1, ..., p − 1.
✯ F_q = Z_q if and only if q is prime.

Polynomials

Polynomials over a ring R are sequences $(a_0, a_1, a_2, \dots)$ with $a_i \in R$ and almost all $a_i = 0$. The common notation is $a_n x^n + \cdots + a_1 x + a_0$.
Zero-element: (0, 0, ...)
One-element: (1, 0, 0, ...)
Addition: $(a_0, a_1, \dots) + (b_0, b_1, \dots) := (a_0 + b_0, a_1 + b_1, \dots)$
Multiplication: $(a_0, a_1, \dots) \times (b_0, b_1, \dots) := (c_0, c_1, \dots)$ with $c_k := \sum_{i=0}^{k} a_i b_{k-i}$.
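The following Python is an added example and not part of the slides. It builds a field with q = p^2 elements the way the Finite Fields slide describes, as a finite algebraic extension of Z_p, and checks the listed properties on F_9 = Z_3[α]/(α² + 1): nine elements, every non-zero element is a unit, the characteristic is 3, and x^q = x for every x (the identity that Berlekamp's algorithm relies on later). Next to it, the units of Z_9 show why F_9 ≠ Z_9, i.e. why F_q = Z_q holds only for prime q. The class and function names are my own choices.

```python
# Added example, not from the slides: a finite field with q = p^2 elements built
# as the algebraic extension Z_p[alpha] / (alpha^2 + c*alpha + d), set against
# the ring Z_9, which is not a field. Elements are pairs (a, b) meaning a + b*alpha.
from itertools import product

class QuadraticExtension:
    """F_{p^2} = Z_p[x] / (x^2 + c x + d); the quadratic must have no root in Z_p."""

    def __init__(self, p, c, d):
        # A degree-2 polynomial over a field is irreducible iff it has no root.
        if any((r * r + c * r + d) % p == 0 for r in range(p)):
            raise ValueError(f"x^2 + {c}x + {d} has a root mod {p}, so it is reducible")
        self.p, self.c, self.d = p, c, d
        self.zero, self.one = (0, 0), (1, 0)

    def elements(self):
        return [(a, b) for a, b in product(range(self.p), repeat=2)]   # q = p^2 of them

    def add(self, x, y):
        return ((x[0] + y[0]) % self.p, (x[1] + y[1]) % self.p)

    def mul(self, x, y):
        # (a + b alpha)(e + f alpha) = ae + (af + be) alpha + bf alpha^2,
        # and alpha^2 = -c alpha - d because alpha is a root of x^2 + c x + d.
        (a, b), (e, f), p = x, y, self.p
        return ((a * e - b * f * self.d) % p, (a * f + b * e - b * f * self.c) % p)

    def power(self, x, e):
        result = self.one
        for _ in range(e):
            result = self.mul(result, x)
        return result

    def inverse(self, x):
        """Brute-force inverse; None means x is not a unit (never the case in a field)."""
        return next((y for y in self.elements() if self.mul(x, y) == self.one), None)

def every_nonzero_element_is_a_unit(F):
    """The field axiom from the slides: (F \\ {0}, x) is a group."""
    return all(F.inverse(x) is not None for x in F.elements() if x != F.zero)

def characteristic(F):
    """Smallest n with 1 + 1 + ... + 1 (n times) = 0; the slides' char(F_q) = p."""
    total, n = F.one, 1
    while total != F.zero:
        total, n = F.add(total, F.one), n + 1
    return n

def frobenius_fixes_all(F):
    """x^q = x for every x in F_q: the identity behind v^q = v mod u in Berlekamp's algorithm."""
    q = F.p ** 2
    return all(F.power(x, q) == x for x in F.elements())

def units_of_z_n(n):
    """Units of Z_n = Z/nZ. Z_n is a field only if all n - 1 non-zero residues are units."""
    return [a for a in range(1, n) if any(a * b % n == 1 for b in range(1, n))]
```

With `QuadraticExtension(3, 0, 1)` the constructor accepts x² + 1 (no root mod 3), while `QuadraticExtension(3, 0, 2)` is rejected because x² + 2 = (x − 1)(x + 1) mod 3; `units_of_z_n(9)` lacks 3 and 6, so Z_9 is not a field.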
Algebraic Properties of Polynomial Rings

    R      | R[x]
    Ring   | Ring
    Domain | Domain
    UFD    | UFD
    Field  | Euclidean domain

Important UFDs
✯ Any field (however, factorization is trivial)
✯ Z
✯ C[x], R[x]
✯ Q[x]
✯ Q(√−1)[x], Q(√2)[x]
✯ A[x]
✯ Z_p[x], F_q[x]
✯ Z[x]
✯ Z[x, y, z], F_q[x, y, z]

Examples for Factorization

Consider the polynomial $p(x) = 2x^4 - 6x^3 + 10x^2 + 12x - 28$. Its factorization over ...

    Q          | $(x^2 - 2)(2x^2 - 6x + 14)$
    Z          | $2(x^2 - 2)(x^2 - 3x + 7)$
    Z_2        | $0$
    Z_7        | $(x - 3)(x + 3) \cdot (2x)(x - 3) = (2x)(x + 3)(x - 3)^2$
    Z_5        | $(x^2 - 2) \cdot (x - 2)(2x - 2)$
    Q(√2) or R | $(x - \sqrt{2})(x + \sqrt{2}) \cdot (2x^2 - 6x + 14)$
    A or C     | $(x - \sqrt{2})(x + \sqrt{2}) \cdot \left(x - \frac{3 + i\sqrt{19}}{2}\right)\left(x - \frac{3 - i\sqrt{19}}{2}\right)$

Arithmetic Operations

    Operation           | Z   | F[x]                | R[x]
    Additive operations | ✔   | ✔                   | ✔
    Multiplication      | ✔   | ✔                   | ✔
    Euclidean division  | ✔   | Polynomial division | "Pseudo division"
    GCD                 | EA  | EA                  | Sub-resultant algorithm
    Factorization       | ???

Factorization of Polynomials over a Field

Over a field F, each polynomial p ∈ F[x] can be written as $p = u \cdot \bar{p}$, where u ∈ F (i.e. u is a unit in F[x]) and $\bar{p}$ ∈ F[x] is a monic polynomial. Therefore, it is sufficient to consider only the factorization of monic polynomials into monic irreducible factors.

Factorization into Squarefree Factors

Instead of trying to determine the complete factorization
$$u = p_1^{e_1} \cdots p_k^{e_k}$$
into prime factors $p_i$, we try to find the factorization
$$u = A_1 A_2^2 \cdots A_n^n$$
into (pairwise coprime) squarefree factors $A_i$. Based on this, it is sufficient to factor $A_i = p_1 p_2 \cdots p_{r_i}$ into distinct prime factors $p_j$. This is often much simpler; consider, for instance, the factorization in C[x] using Newton's method.
Derivatives

Definition: Let F be a field and $u = (u_0, u_1, u_2, \dots)$ a polynomial over F. The derivative of u is defined as
$$u' := (1u_1, 2u_2, 3u_3, \dots)$$
with $na := \sum_{i=1}^{n} a$ for n ∈ N and a ∈ F.
✯ (u + v)' = u' + v'
✯ (uv)' = u'v + uv'

Factorization into Squarefree Factors

Given a monic polynomial u over a field F with p = char(F), determine the factorization into squarefree, monic factors (sff):

    T ← gcd(u, u')
    if deg T = 0 then
        M ← {u^1}
    else if 0 < deg T < deg u then
        M ← {sff(T), (u/T)^1}
    else
        M ← {sff(v)^p} with $v = (u_0^{1/p}, u_p^{1/p}, u_{2p}^{1/p}, \dots)$
    end if

Arithmetic Operations

    Operation                | Z   | F[x]                | R[x]
    Additive operations      | ✔   | ✔                   | ✔
    Multiplication           | ✔   | ✔                   | ✔
    Euclidean division       | ✔   | Polynomial division | "Pseudo division"
    GCD                      | EA  | EA                  | Sub-resultant algorithm
    Squarefree factorization | ✔   | ✔                   | ✔
    Factorization            | ???

Factorization Methods

    UFD                      | Factorization method
    C[x], R[x]               | Root finding (numerical analysis)
    F_q[x]                   | Berlekamp's algorithm, Cantor–Zassenhaus split
    Q[x], Z[x]               | Hensel lift (based on factorization over Z_q)
    Q(α)[x]                  | Based on factorization over Z[x]
    Z                        | Number field sieve, elliptic curve, class group
    Multivariate polynomials | Generalized versions of the Hensel lift

Berlekamp's Algorithm

Let $u = \prod_{i=1}^{r} p_i$ be a polynomial over F_q with $p_1, \dots, p_r$ distinct, monic, irreducible polynomials. How can we be clever enough to discover r and the $p_i$'s when only u is given?
Chinese Remainder Theorem

Let $p_1, \dots, p_r \in F[x]$ be pairwise coprime and $s_1, \dots, s_r \in F[x]$. Then there is a unique polynomial v ∈ F[x] such that
$$v \equiv s_i \pmod{p_i} \quad \text{for } i = 1, \dots, r \quad \text{and} \quad \deg v < \deg \prod_{i=1}^{r} p_i.$$
The polynomial v can be found easily using the extended Euclidean algorithm.

How does this Help Us?

Choose $s_1, \dots, s_r \in F_q \subset F_q[x]$ with $s_1 \neq s_2$. Find the polynomial v. Consider gcd(u, v − s_1).
✯ $p_1 \mid \gcd(u, v - s_1)$ because $p_1 \mid u$ and $v \equiv s_1 \pmod{p_1}$.
✯ $p_2 \nmid \gcd(u, v - s_1)$ because $v \equiv s_2 \pmod{p_2}$, therefore $p_2 \mid v - s_2$, therefore $p_2 \nmid v - s_1$.
✯ Therefore gcd(u, v − s_1) is a non-trivial factor of u!

Problem: How can we find v without knowing $p_1, \dots, p_r$?

Another Way for Finding the v's?

Let V be the set of all polynomials v ∈ F_q[x] with
✯ deg v < deg u, and
✯ there exist $s_1, \dots, s_r \in F_q$ with $v \equiv s_i \pmod{p_i}$ for i = 1, ..., r.
Then V is identical to the set of all polynomials v ∈ F_q[x] with
✯ deg v < deg u, and
✯ $v^q \equiv v \pmod{u}$,
and we have $|V| = q^r$.

How can we find all v's with $v^q \equiv v \pmod{u}$?

Let $v(x) = \sum_{0 \le i < n} t_i x^i$ with n = deg u and $t_i \in F_q$. We have
$$v(x)^q = v(x^q) = \sum_{0 \le j < n} t_j x^{qj},$$
and can express $x^{qj}$ as
$$x^{qj} \equiv \sum_{0 \le i < n} q_{i,j} x^i \pmod{u}$$
with $q_{i,j} \in F_q$ easily computable. Hence we have
$$v(x)^q \equiv \sum_{0 \le j < n} t_j \sum_{0 \le i < n} q_{i,j} x^i \equiv \sum_{0 \le i < n} x^i \sum_{0 \le j < n} t_j q_{i,j} \pmod{u}.$$
Therefore the congruence $v^q \equiv v \pmod{u}$ is equivalent to
$$\sum_{0 \le j < n} t_j q_{i,j} = t_i \quad \text{for } 0 \le i < n.$$
If, in matrix terms, we set $Q = (q_{i,j})$ and $v = (t_i)$, we have $Qv = v$ or $(Q - I)v = 0$. Therefore, V is a vector space, the kernel of the matrix Q − I! Since V has $q^r$ elements, dim V = r and the rank of Q − I is n − r.

Berlekamp's Algorithm

Given a monic, squarefree polynomial u over F_q, determine the factorization into prime factors:

    M ← {u}, n ← deg u
    Calculate $x^0, x^q, x^{2q}, \dots, x^{(n-1)q}$ modulo u
    Build the matrix Q from the coefficients of these polynomials
    Calculate a basis $(v_1, \dots, v_r)$ of the kernel V of Q − I
    for v = v_2, ..., v_r do
        for all w ∈ M do
            M ← M \ {w}
            for each s ∈ F_q do
                g ← gcd(w, v − s)
                if deg g > 0 then
                    M ← M ∪ {g}
                end if
                if #M = r then
                    Exit!
                end if
            end for
        end for
    end for

Two Remarks

1. If u ∈ F_q[x] is monic and v ∈ F_q[x] is such that $v^q \equiv v \pmod{u}$, then
$$u = \prod_{s \in F_q} \gcd(u, v - s).$$
2. Using only the r basis vectors of V is sufficient to find all irreducible factors.

Execution Time

We assume that q is small compared to n = deg u and that all basic operations in F_q can be performed in constant time (e.g. using lookup tables).

    Task                       | Complexity
    Squarefree factorization   | $O(n^2)$
    Building Q                 | $O(qn^2)$ or $O(n^2 \log q + n^3)$
    Null space                 | $O(n^3)$
    Splitting                  | $O(q r^2 n^2)$
    Total                      | $O(q r^2 n^3)$
    Total (assuming r = log n) | $O(q n^3 \log^2 n)$

Using a Random Split

In 1980, Cantor and Zassenhaus showed that if r ≥ 2, q is an odd prime and v is randomly chosen from V, then $\gcd(u, v^{(p-1)/2})$ is a non-trivial factor of u with probability ≥ 4/9.

Strategy: Create random linear combinations of $v_1, \dots, v_r$ and use them for splitting until r factors are found.
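As an added example (my code, not the author's), the following Python implements the pipeline the slides describe for the prime-field case q = p: polynomials as coefficient sequences with the Cauchy-product multiplication of the Polynomials slide, Euclidean division and the Euclidean algorithm for the GCD, the derivative and the squarefree test deg gcd(u, u') = 0, the matrix Q built from x^{pj} mod u by the O(qn²) method of repeated multiplication by x, the kernel of Q − I by Gaussian elimination over Z_p, and the splitting w = ∏_s gcd(w, v − s) from the Two Remarks. The function names (trim, divmod_poly, berlekamp_matrix, nullspace_mod_p, berlekamp) are mine. Run on the slides' example polynomial 2x⁴ − 6x³ + 10x² + 12x − 28, its monic form over Z_5, x⁴ + 2x³ + x + 1, splits into x + 3, x + 4 and x² + 3 (the monic versions of the factors the Examples slide lists), while over Z_7 the squarefree test rejects it because (x − 3)² divides it.

```python
# Added example, not code from the slides: Berlekamp's algorithm over a prime
# field Z_p (so q = p). A polynomial is the coefficient sequence
# [a0, a1, ..., an] of the "Polynomials" slide; [] is the zero polynomial.
P_EXAMPLE = [-28, 12, 10, -6, 2]   # 2x^4 - 6x^3 + 10x^2 + 12x - 28 from the slides

def trim(a):
    while a and a[-1] == 0:   # drop leading zero coefficients ("almost all a_i = 0")
        a.pop()
    return a

def mul(a, b, p):
    """Cauchy product c_k = sum_{i=0}^{k} a_i b_{k-i}, reduced mod p."""
    c = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % p
    return trim(c)

def divmod_poly(a, b, p):
    """Euclidean division a = q*b + r in Z_p[x]; b != 0, so its leading coefficient is a unit."""
    a, b = trim(list(a)), trim(list(b))
    inv, q = pow(b[-1], -1, p), [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        k, coef = len(a) - len(b), a[-1] * inv % p
        q[k] = coef
        for i, bi in enumerate(b):
            a[i + k] = (a[i + k] - coef * bi) % p
        trim(a)
    return trim(q), a

def gcd(a, b, p):
    """Euclidean algorithm; the result is normalised to be monic (unique up to units)."""
    while b:
        a, b = b, divmod_poly(a, b, p)[1]
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def to_monic_mod_p(coeffs, p):
    """Reduce an integer polynomial mod p and divide by its leading coefficient."""
    a = trim([c % p for c in coeffs])
    return [c * pow(a[-1], -1, p) % p for c in a] if a else []

def derivative(u, p):
    """u' = (1*u1, 2*u2, 3*u3, ...) with n*a computed in Z_p; it may vanish entirely."""
    return trim([(i * u[i]) % p for i in range(1, len(u))])

def is_squarefree(u, p):
    """deg gcd(u, u') = 0. A zero derivative gives gcd(u, 0) = u, which is also not squarefree."""
    return len(gcd(u, derivative(u, p), p)) == 1

def berlekamp_matrix(u, p):
    """Q[i][j] = coefficient of x^i in x^{pj} mod u, built by p multiplications by x per column."""
    n, cur = len(u) - 1, [1]
    Q = [[0] * n for _ in range(n)]
    for j in range(n):
        for i, c in enumerate(cur):
            Q[i][j] = c
        for _ in range(p):                        # cur <- cur * x^p mod u
            cur = divmod_poly(mul(cur, [0, 1], p), u, p)[1]
    return Q

def nullspace_mod_p(A, p):
    """Basis of {t : A t = 0} over Z_p by Gauss-Jordan elimination."""
    n, M, pivots = len(A), [row[:] for row in A], []
    for c in range(n):
        r = len(pivots)
        piv = next((i for i in range(r, n) if M[i][c]), None)
        if piv is None:
            continue                              # column c is a free variable
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [x * inv % p for x in M[r]]
        for i in range(n):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
    basis = []
    for free in [c for c in range(n) if c not in pivots]:
        t = [int(c == free) for c in range(n)]
        for row, pc in enumerate(pivots):         # pivot variables follow from the free one
            t[pc] = -M[row][free] % p
        basis.append(t)
    return basis

def berlekamp(u, p):
    """Monic irreducible factors of a monic squarefree u in Z_p[x]."""
    if u[-1] != 1 or not is_squarefree(u, p):
        raise ValueError("Berlekamp's algorithm needs a monic squarefree polynomial")
    A = berlekamp_matrix(u, p)
    for i in range(len(A)):
        A[i][i] = (A[i][i] - 1) % p               # Q - I
    basis = nullspace_mod_p(A, p)
    r, factors = len(basis), [u]                  # dim V = r = number of irreducible factors
    for v in basis:
        if len(factors) == r:
            break
        refined = []
        for w in factors:                         # w = prod_s gcd(w, v - s) with coprime gcds
            for s in range(p):
                g = gcd(w, trim([(v[0] - s) % p] + v[1:]), p)
                if len(g) > 1:
                    refined.append(g)
        factors = refined
    return sorted(factors)
```

`berlekamp(to_monic_mod_p(P_EXAMPLE, 5), 5)` returns the three monic factors over Z_5; `to_monic_mod_p(P_EXAMPLE, 2)` is `[]`, the zero polynomial the Examples slide lists for Z_2; and `is_squarefree(to_monic_mod_p(P_EXAMPLE, 7), 7)` is False, so the Z_7 case would first have to go through squarefree factorization. The kernel basis is processed in whatever order Gauss-Jordan produces it; by the second remark any basis of V suffices, and the loop stops as soon as #M = r.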