Factoring Polynomials with Rational Coecients. Kenneth Giuliani

Transcription

1 Factoring Polynomials with Rational Coecients Kenneth Giuliani 17 April 1998

2 1 Introduction Factorization is a problem well-studied in mathematics. Of particular focus is factorization within unique factorization domains. In this setting, the fundamental questions asked are: given an element, what is its factorization into irreducibles and can this be done eciently? This is a very hard problem in general. However, for certain domains, this problem can be solved eciently. Consider now the problem of factoring polynomials in one variable over Q. By clearing out the denominator, we see that this is equivalent to factoring polynomials over Z. Moreover, by dividing the coecients by their greatest common denominator, we see that this is equivalent to factoring primitive polynomials over Z(i.e. the greatest common divisor of the coecients is 1). In 1967, Berlekamp [1] presented an algorithm for factoring polynomials in one variable over GF (q) where q is a prime power. This algorithm is of particular use when considering the nite eld F p where p is prime. For, one version of Hensel's lemma [6] [7] states that given a positive integer k, a monic polynomial in one variable over F p can be \lifted" to a corresponding monic polynomial over the ring Z=p k Z. Let f Z[x] be primitive. For appropriate choices of a prime p and a positive integer k, we can reduce the coecients of f modulo p and subsequently factor using Berlekamp's algorithm. On taking an irreducible factor in F p [x], we can then \lift" it using Hensel's lemma to produce a p-adic irreducible factor h of f in Z=p k Z[x]. The problem now becomes nding an irreducible factor h 0 corresponding to the given h. In 1982, Lenstra, Lenstra, and Lovasz [4] presented a polynomial-time algorithm for factoring polynomials in just such a way. Given h, they used some results from lattice theory and the famous L 3 -algorithm to recover h 0. The purpose of this paper is to present, in greater detail, this algorithm for factoring polynomials over Q. It is based on the original paper of Lenstra, Lenstra, and Lovasz [4] of the same title and on courses in algebraic number theory and the geometry of numbers, taught by Cameron Stewart at the University of Waterloo. 2 Motivation For notational purposes, for any f Z[x], let (f mod m) denote the polynomial in Z=mZ[x] whose coecients are the respective coecients of f reduced modulo m. In order for the algorithm to run correctly, we must choose choose our values of p and k very carefully so that both Berlekamp's algorithm and the application of Hensel's lemma will output a polynomial which will be of use to the L 3 - algorithm and the factorization techniques we will use. The choice of a prime p is explained in section 3 while our choice of k is explained in section 6. This section will demonstrate the criteria given by Lenstra, Lenstra, and Lovasz [4] for setting up the L 3 -algorithm. 1

3 Let f Z[x] be a primitive polynomial of degree n > 0. In using Berlekamp's algorithm and Hensel's lemma, we would like to produce a polynomial h Z[x] with the following properties: h has leading coecient 1 (1) (h mod p k ) divides (f mod p k ) inz=p k Z[x] (2) (h mod p) is irreducible inf p [x] (3) (h mod p) 2 does not divide(f mod p) inf p [x] (4) Let l = deg(h). Hence 0 < l n. The reason for nding such an h is shown in the following proposition. Proposition 1 f has an irreducible factor h 0 in Z[x], unique up to sign, for which (h mod p) divides (h 0 mod p). Further, if g Z[x] divides f, then the following are equivalent: i) (h mod p) divides (g mod p) in F p [x] ii) (h mod p k ) divides (g mod p k ) in Z=p k Z[x] iii) h 0 divides g in Z[x] In particular, (h mod p k ) divides (h 0 mod p k ) in Z=p k Z. Proof: The existence and uniqueness up to sign of h 0 follow from the fact that Z[x] is a unique factorization domain, and (2) to (4). The assertion that (h mod p k ) divides (h 0 mod p k ) follows from the equivalence of the three statements on taking g = h 0. Note that we have that both ii) and iii) imply i) immediately. Suppose i) is true. By (4), (h mod p) does not divide (f=g mod p) in F p [x]. Thus h 0 does not divide f=g in Z[x]. So h 0 divides g in Z[x] which implies iii). By (3) and (4), (h mod p) and (f=g mod p) are relatively prime in F p [x]. Hence there exist polynomials r 1 ; s 1 ; t 1 Z[x] such that in Z[x] hs 1 + (f=g)t 1 = 1? pr 1 Multiplying both sides by v 1 = 1 + pr 1 + p 2 r ::: + p k?1 r k?1 1 and by g gives hs 2 + ft 2 g (mod p k ) where s 2 = s 1 v 1 g; t 2 = t 1 v 1. Reducing both sides of the congruence to work in Z=p k Z[x], we see that (h mod p k ) divides the left hand side, hence it must divide the right-hand side (g mod p k ) which implies ii) and completes the proof. Now that this criteria has been established, we will attempt to make use of it in the following sections. 2

4 3 Choosing a Prime p Using the Resultant Let f Z[x] be a primitive polynomial of degree n > 0. Let h 0 Z[x] be an irreducible factor of f. Suppose that h 0 is a multiple factor of f i.e. f(x) = h 0 (x) m g 0 (x) for some integer m > 1 and g 0 Z[x] such that h 0 and g 0 are coprime. Notice that f 0 (x) = mh 0 (x) m?1 h 0 0(x)g 0 (x) + h 0 (x) m g 0 0(x) = h 0 (x) m?1 (mh 0 0(x)g 0 (x) + h 0 (x)g 0 0(x)) Hence, if h 0 is a factor of multiplicity m in f, then it is a factor of multiplicity m? 1 in f 0. Let g = gcd(f; f 0 ) and let f 0 = f=g. By the preceding argument, we see that f 0 has no multiple factors and every irreducible factor of f is also an irreducible factor of f 0. Hence, we may restrict our attention to factoring f 0. For, once it is factored, then we know all the irreducible factors of f and can now easily determine their multiplicities by a few trial divisions. Therefore, without loss of generality, I will establish the following convention for use in the remaining sections: Convention 1 f Z[x] is a primitive polynomial of degree n with no multiple factors. Let us now choose our prime p. Notice that although f has no multiple factors, the same is not necessarily true for (f mod p) in F p [x], since for any polynomial h in F p [x], there are many dierent polynomials h in Z[x] which would reduce to it. Thus, we must choose our prime p so that (f mod p) has no multiple factors in F p [x]. In addition, we do not want p to divide the leading coecient of f, for this would decrease the degree of (f mod p). We will use a function from algebraic number theory called the resultant. Let u(x) = u s x s +u s?1 x s?1 +:::+u 1 x+u 0 and v(x) = v t x t +v t?1 x t?1 +:::+ v 1 x+v 0 be polynomials in F[x] where F is a eld, u i ; v j F for i = 1; : : : ; s ; j = 1; : : : ; t and u s ; v t 6= 0. The resultant of u and v is dened as determinant of the following (s + t) (s + t) matrix R(u; v) = u s u s?1 u s?2 u u s u s?1 u 1 u u s u 2 u 1 u u s u s?1 u 0 v t v t?1 v t?2 v v t v t?1 v 1 v v t v 2 v 1 v v t v t?1 v 0 Theorem 1 R(u; v) = 0 if and only if u and v have a common factor. 3

5 Hence, f has a multiple factor in Z[x] if R(f; f 0 ) = 0. By our convention, R(f; f 0 ) 6= 0. Now for any prime p, we may consider the entries in the matrix of the resultant as elements in F p. Hence, (f mod p) has multiple factors in F p [x] if and only if R((f mod p); (f 0 mod p)) = 0 in F p, or equivalently that R(f; f 0 ) 0 (mod p). Thus, we establish the following convention Convention 2 p is the smallest prime number which does not divide R(f; f 0 ). Not only will this p suce in guaranteeing no multiple factors, but it also guarantees that (f mod p) maintains its degree n. To see this, notice that if f has leading coecient a n, then the only (possible) non-zero entries in rst column of the matrix of R(f; f 0 ) are a n and na n. Hence, in expanding by cofactors along the rst column, we see that this determinant must be divisible by a n, and by our choice of p, a n / 0 (mod p). We are now ready to apply Berlekamp's algorithm. 4 Berlekamp's Algorithm In 1967, Berlekamp [1] presented an algorithm for factoring polynomials over GF (q) into powers of irreducible polynomials. In this section, I will present the special case of factoring modulo a prime p as shown by Knuth [2]. Let u(x) be a non-constant polynomial inf p [x] with degree n and no multiple factors. Our goal is to nd a polynomial v(x) = v n?1 x n?1 + + v 1 x + v 0 of degree less than or equal to n?1 with the property that v(x) p? v(x) is divisible by u(x) in F p [x]. For observe that v(x) p? v(x) v(x)(v(x)? 1) (v(x)? (p? 1)) (mod p) (5) Hence, each of the irreducible factors of u must divide exactly one of the relatively prime factors on the right-hand side of (5). For i = 0; 1; : : : ; n? 1, let q i;n?1 x n?1 + + q i;1 x + q i;0 be the polynomial in F p [x] which is the remainder of x pi when divided by u(x). Form the matrix Q dened as Q = 0 B@ q 0;0 q 0;1 q 0;n?1 q 1;0 q 1;1 q 1;n?1.. q n?1;0 q n?1;1 q n?1;n?1. 1 CA (6) Notice that if (v 0 ; v 1 ; : : : ; v n?1 )Q = (v 0 ; v 1 ; : : : ; v n?1 ), i.e. it is in the null space of Q? I, then v(x) = n?1 X i=0 v i x i = XX n?1 n?1 i=0 j=0 4 v j q i;j x i = X n?1 n?1 v j j=0 X i=0 q i;j x i

6 However, P n?1 i=0 q i;jx i = x pi? u(x)w j (x) for some polynomial w j (x) F p [x]. Thus, using the identity v(x p ) = v(x) p, we get v(x) = n?1 X j=0 v j x pj? n?1 X j=0 u(x)w j (x) = v(x) p + u(x)w(x) (7) and so u(x) divides v(x) p? v(x) where w(x) =? P n?1 j=0 wi (x). Let us now consider the matrix Q? I. Let n? l be its rank. Thus we can nd l linearly independent polynomials v 1 ; : : : ; v l corresponding to vectors in the null space of Q?I. We know immediately that there are l irreducible factors of u in F p [x]. We now calculate gcd(u(x); v 1? j) for 0 j < p. If this does not split into l factors, then calculate gcd(w(x); v 2? j) for 0 j < p for each factor w(x) of u(x). Continue this process until l factors have been found. This gives the complete factorization of u in F p [x]. Note that this process will nd all of the irreducible factors h 1 ; : : : ; h l of u, since by the Chinese Remainder Theorem for polynomials, there is a unique polynomial v of degree less than n such that for a given l-tuple (t 1 ; : : : ; t l ); h i (x) divides v(x)? t i for all i = 1; : : : ; l. We now see that every irreducible factor (h mod p) of (f mod p) in F p [x] satises conditions (3) and (4). 5 Hensel's Lemma Given an irreducible factor (h mod p) of (f mod p), we can adjust its coecients so that it is monic in F p [x]. Suppose k is a given positive integer. We would like now to develop a polynomial h Z[x] which reduces to (h mod p) in F p [x] (hence, satises (3) and (4) ) and also satises (1) and (2). In other words, we would like to extend the factorization of f modulo p, to a factorization of f modulo p k while still maintaining monicity. This section will present a version of Hensel's lemma for polynomials which will give the desired factorization while still preserving monicity. In 1969, Zassenhaus [6] presented a method for such a p-adic factorization that gives the desired factorization in the sequence of moduli p 2 ; p 22 ; p 23 ; p 24 ; : : :. I will present in this section a less ecient but more intuitive method is based on the notion of extending p-adic numbers in the sequence of moduli p 2 ; p 3 ; p 4 ; p 5 ; : : : as presented by Koblitz [3]. Suppose we have a factorization of f modulo p i, i.e. f(x) h(x)g(x) (mod p i ) (8) where h Z[x] is monic has degree l and reduces to (h mod p) in F p [x]. We would like to nd polynomials u(x) = u 0 + u 1 x + u l x l and v(x) = v 0 + v 1 x + v n?l x n?l such that in Z[x] such that 5

7 f(x) (h(x) + p i u(x))(g(x) + p i v(x)) (mod p i+1 ) (9) If we nd such polynomials, then we may replace h by h + p i u and continue to the next exponent value until we reach k. Note that the new h still redueces to (h mod p) and so satises (3) and (4). To satisfy (1), we require u l = 0. If we rewrite the congruence (9) as f(x)? h(x)g(x) p i (h(x)v(x) + g(x)u(x)) (mod p i+1 ) (10) then the right-hand side and modulus of (10) are both divisible by p i and from (8), we see that the same is true for the left-hand side. Thus, (10) can be rewritten as f(x)? h(x)g(x) p i h(x)v(x) + g(x)u(x) (mod p) (11) Two polynomials are equivalent modulo p if and only if their respective coecients are equivalent modulo p. Both sides of (11) represent polynomials of degree at most n. Hence, we can form n + 1 congruences by looking at their respective coecients. Note if that the coecient of x j would produce the congruence (f j? X min(j;l) m=max(0;j?n+l) h j g m?j )=p i min(j;l) X m=max(0;j?n+l) (h j v m?j + u j g m?j ) (mod p) (12) Since we force u l = 0, we see from (12) that we have a system of n + 1 linear congruences in the n + 1 unknowns u 0 ; : : : ; u l?1 ; v 0 ; : : : ; v n?l. Thus we can now solve this system of linear congruences modulo p very eciently using any rudimentary linear congruence solving algorithm to nd the polynomials u and v, which give us our new polynomial h Z=p i+1 Z[x]. From Zassenhaus' algorithm [7], we know that such a solution always exists. We may perform this operation successively until we get the desired value of k. We can dene h Z[x] to be the polynomial with coecients between 0 and p k? 1 found by this method. Observe that the resulting polynomial satises (1) through (4). Hence by Proposition 1, we can now concentrate on nding the irreducible factor h 0 of f corresponding to h. Also, since (h mod p) equals h mod p) in F p [x], we can say without ambiguity from now on, that (h mod p) was the original irreducible factor of (f mod p) from which we started. 6 Retrieving the Factor h 0 from h This section will motivate our choice of exponent k, which comes from the construction of a special type of lattice and a result of Mignotte [5] on the 6

8 coecients of a polynomial. I will then show how, given h satisfying (1) to (4), we can use the L 3 -algorithm to determine the corresponding irreducible factor h 0 of f. This section will be using results from lattice theory taken from a course in the geometry of numbers taught by Cameron Stewart. For a reference on the L 3 -algorithm or properties of reduced bases, please see the original paper written by Lenstra, Lenstra, and Lovasz [4]. First of all, assuming we have already chosen our k, applying Berlekamp's algorithm would produce all irreducible factors of (f mod p). Notice that all such irreducible factors satisfy (3) and (4). We may adjust the coecients so that (1) is satised. Hensel's lemma produces a polynomial h(x) = a 0 + a 1 x + + a l?1 x l?1 + x l Z[x] satisfying (2) while maintaining (1). Notice that reducing coecients modulo p would produce the original (h mod p). Hence, (3) and (4) are maintained as well. Let m be a positive integer and let g(x) = g 0 + g 1 x + : : : + g m x m be a polynomial in Z[x] of degree m. To each such g we associate a vector g R m+1 corresponding to the coecients of g (i.e. g = (g 0 ; g 1 ; : : : ; g m ) ). Let L 1 be the collection of all polynomials of degree m in Z[x] which are divisible by (h mod p k ) in Z=p k Z[x] when their coecients are reduced modulo p k. Let 1 be the subset of R m+1 consisting of those vectors whose associated with polynomial is in L 1. I would like to show that 1 is a lattice in R m+1. I will make use of the following theorem, which will be stated without proof, shown to me in the aforementioned class. Theorem 2 A subset of R n is a lattice if and only if 1) For all u; v ; u v. 2) There are n linearly independent vectors in. 3) is discrete (i.e. has no limit points). Corollary 1 The given subset 1 is a lattice of R m+1. Proof of Corollary: 1) If u and v in Z[x] are divisible by (h mod p k ) when taken modulo p k, then clearly so are u + v and u? v. 2) The vectors (p k ; 0; : : : ; 0); (0; p k ; 0; : : : ; 0); : : : ; (0; : : : ; 0; p k ) are linearly independent in R m+1 and each of their corresponding polynomials reduces to the zero polynomial in Z=p k Z[x] which is clearly divisible by (h mod p k ). 3) Since every coecient of every polynomial in sight is an integer, 1 is a subset of 0, the integer lattice. Thus, it is discrete. Observe that h 0 1 if and only if deg(h 0 ) m. 1 can be generated by 7

9 the matrix p k p k p k p k a 0 a 1 a 2 a l? a 0 a 1 a l?2 a l? a 0 a 1 a l?2 a l?1 1 1 CA Observe that d( 1 ) = p kl. Given a value for m, we now execute the L 3 - algorithm for nding a short vector in a lattice starting with the basis given by the matrix above. The algorithm will return a reduced basis b 1 ; : : : ; b m+1 of 1. Lenstra, Lenstra, and Lovasz [4] give the following results in their paper. Theorem 3 Suppose that n=2 jf j m+n (13) p kl 2m > 2 mn=2 m Then deg(h 0 ) m if and only if jb j 1 < (p kl =jfj m ) 1=n (14) We now have a clear rule for selecting k. Convention 3 k is the smallest positive integer satisfying p kl > 2 (n?1)n=2 2(n? 1) n? 1 n=2 jf j 2n?1 (15) In particular, if the L 3 -algorithm is run with m = n? 1 and we nd that jb 1 j (p kl =jf j n?1 ) 1=n, then deg(h 0 ) > n? 1, hence f itself is irreducible. If f is not irreducible, then the L 3 -algorithm will eventually nd a reduced basis for which (14) is true for some value of m. Once we have this, it turns out that h 0 can be easily determined. Theorem 4 Suppose there is an index j f1; : : : ; m + 1g for which jb j j < (p kl =jfj m ) 1=n (16) Let t be the largest such j. Then (16) is true for all j f1; : : : ; tg, and deg(h 0 ) = m + 1? t; (17) h 0 = gcd(b 1 ; b 2 ; : : : ; b t ) (18) 8

10 The remainder of this section will be spent proving these two theorems. Both will make use of the following lemma. Lemma 1 Let b L 1 satisfy p kl > jfj m jbj n (19) Then b is divisible by h 0 in Z[x]. In particular, gcd(f; b) 6= 1. Proof of Lemma 1: We may suppose that b is not the zero polynomial. Let g = gcd(f; b). We would like to show that h divides g. By Proposition 1, it suces to show that (h mod p) divides (g mod p). Suppose not. Let e = deg(g) and m 0 = deg(b). There exist polynomials r 3 ; s 3 ; t 3 Z[x] such that s 3 h + t 3 g = 1? pr 3 (20) Let L 2 be the collection of all polynomials of the form sf +tb where s; t Z[x] and deg(s) < m 0? e and deg(t) < n? e. Let 2 be the subset of R n+m0?e?1 associated with L 2. Dene 3 as the subset of R n+m0?2e which is the projection of 2 eliminating the rst e? 1 coordinates (i.e. (c 1 ; : : : ; c n+m 0?e?1) 2 goes to (c e ; c e+1 ; : : : ; c n+m 0?e?1) 3 ). Claim 1 3 is a lattice. Proof of Claim 1: 1) If u; v 2, then clearly u v 2. The same is true for 3. 2) If sf + tb projects to 0, then sf + tb has degree less than e. But g divides this polynomial and has degree e. Hence sf + tb = 0. Thus s(f=g) =?t(b=g) and since gcd(f=g; b=g) = 1, f=g divides t. But deg(t) < n? e = deg(f=g), thus t = 0 and likewise s = 0. Hence, the projections of f; xf; :::; x m0?e?1 f; b; xb; :::; x n?e?1 b (21) correspond to n + m 0? 2e linearly independent vectors. 3) 3 is a subset of 0, the integer lattice. Claim 1 now follows from Theorem 2. It turns out that the vectors associated with the polynomials in (21) are actually a basis for 3. By Hadamard's inequality, d( 3 ) jf j m0?e jbj n?e jfj m jbj n < p kl (22) Claim 2 If v L 2 and deg(v) < e + l, then the coecients of v are divisible by p k. 9

11 Proof of Claim 2: g divides v. So multiply v=g and v 3 = 1 + pr 3 + p 2 r pk?1 r k?1 3 to both sides of (20) to get s 4 h + t 4 v = v=g (mod p k ) (23) where s 4 = s 3 v 3 (v=g); t 4 = t 3 v 3. Now b L 1 and v L 2, so (v mod p k ) is divisible by (h mod p k ). By assumption and the equivalence statement in Proposition 1, we see that (h mod p k ) also divides (v=g mod p k ). But (h mod p k ) has degree l while (v=g mod p k ) has degree < e + l? e = l. Thus v=g 0 (mod p k ) and so v 0 (mod p k ), proving Claim 2. By elementary lattice theory, we may choose a basis b e ; b e+1 ; : : : ; b n+m 0?e?1 of 3 such that deg(b j ) = j. We know that e + l? 1 n + m 0? e? 1 since g divides b implies e m 0 and (h mod p) divides (f=g mod p) implies l n? e. From the claim, we see that b e ; : : : ; b e+l?1 have leading coecient divisible by p k. Hence d( 3 ) p kl which contradicts (22) and so proves Lemma 1. In addition, the following result of Mignotte [5] will be useful. jwj. Theorem 5 Let u; v; w Z[x] with w = uv and suppose u(x) = u 0 + u 1 x+ + u d x d. Then ju i j d i Proof of Theorem 3: One direction follows immediately from Lemma 1. Now suppose deg(h 0 ) m, i.e. h 0 (x) = c 0 + c 1 x + + c m x m. Note that we allow c m to be 0. By Mignotte's result, jh 0 mx j 2 = jc i mx m 2 j 2 jfj 2 jf j 2 (24) i i=0 i=0 2 jf j 2 = 2m m Recall that if b 1 ; : : : ; b m+1 is a reduced basis for 1, them jb 1 j 2 2 m jgj 2 for any g 6= 0 1. Applying this fact with g = h 0 and (13) gives the desired result. Proof of Theorem 4: Recall that if b ; : : : ; b 1 m+1 is a reduced basis for 1 and g ; : : : ; g are any d 1 d j 2 ; jg j 2 ; : : : ; jg j 2 g d linearly independent vectors in 1, then jb j j 2 2 m maxfjg 1 for all j = 1; : : : ; d. Now observe that h 0 ; xh 0 ; : : : ; x m?deg(h0) h 0 are m + 1? deg(h 0 ) linearly independent vectors in 1. Also note that jh 0 j = jxh 0 j = = jx m?deg(h0) h 0 j. Hence (16) is satised for 1 j m + 1? deg(h 0 ). From the lemma, we know that h 0 divides b j for j = 1; : : : ; m + 1? deg(h 0 ). But all of the b j 's are linearly independent and have degree m. Thus h 1 = gcd(b 1 ; ::; b m+1?deg(h0) ) has degree at most m + 1? (m + 1? deg(h 0 )) = deg(h 0 ). To see this note that if h 1 had degree greater than deg(h 0 ), then 2 10

12 b 1 =h 1 ; : : : ; b m+1?deg(h0) =h 1 would have degree at most m? 1? deg(h 0 ). Since there are m + 1? deg(h 0 ) of them, from elemenatry linear algebra, this would mean they must be linearly dependent contradicting the fact that they are a part of a basis for the lattice. But h 0 divides h 1 and thus diers from it only by a constant. Also jb j j (p kl =jfj m ) 1=n for all j > m + 1? deg(h 0 ) since if this was not true then h 0 would divide gcd(b 1 ; : : : ; b + m + 1? deg(h 0 ); b j ) which is a polynomial of degree smaller than the degree of h 0, a contradiction. Thus t = m + 1? deg(h 0 ). It only remains to show that h 0 is equal to h 1 up to sign. It suces to show that h 1 is primitive. For all j = 1; : : : ; t, let d j be the greatest common divisor of the coecients of b j. Then b j =d j is divisible by h 0 and so is in the lattice. But the b j 's are a basis for the lattice. Thus d j = 1. So each of the b j 's are primitive polynomials and thus so is h 1. The result now follows. 7 Implementing the Algorithm All the pieces of the algorithm have now been presented and explained. This section will bring them all together into a clear, concise algorithm. Let [z] denote the greatest integer z. Algorithm 1 Input: A primitive polynomial f Z[x] with no multiple factors. Output: A factorization f = h 1 h 2 : : : h q where the h i 's are primitive and irreducible in Z[x]. 1. Calculate R(f; f 0 ). Note that this is non-zero. 2. Pick p to be the smallest prime number not dividing R(f; f 0 ). 3. Run Berlekamp's Algorithm on (f mod p). 4. Initialize f 1 = 1; f 2 = f; n = deg(f 2 ); i = While n > 0 do the following: A) Pick an irreducible factor (h mod p) of (f 2 mod p) with leading coecient 1 and coecients reduced modulo p. B) Let l = deg((h mod p)). If l = n then set h i = f 2 and go to step 7. C) Let k be the smallest positive integer for which (15) holds. D) Use Hensel's lemma to derive h Z[x]. E) Let u be the greatest positive integer for which l (n? 1)=2 u. F) For m = [(n?1)=2 u ]; [(n?1)=2 u?1 ]; : : : ; [(n?1)=2]; n?1 do the following: i) Dene c j (x) = p k x j?1 forj = 1; : : : ; l? 1 x j?l h forj = l; : : : ; m + 1 ii) Run the L 3 -algorithm on R m+1 starting with basis c 1 ; : : : ; c m+1 to produce a reduced basis b 1 ; : : : ; b m+1 : iii) If b 1 satises (14), then let t be the largest index for which (16) is true. Calculate h i = gcd(b 1 ; : : : ; b t ), go to step G. If not, and m = n? 1, then set h i = f 2 and go to step G. Otherwise, return to the top of this mini-loop and execute it for the next value of m. 11

13 G) Remove the factors of (f 2 mod p) which are dividisible by (h i mod p). Set f 1 = f 1 =h i ; f 2 = f 2 =h i ; i = i + 1; n = deg(f 2 ) and return to the top of the loop, checking the condition at the top. 6. Let q = i? 1. Output f = h 1 h 2 h q. I will now check to make sure that the algorithm terminates in a nite number of steps. Both calculating the resultant and executing Berlekamp's algorithm terminate nitely. Thus, step 5 is the only step to be veried. Each iteration of step 5 strictly decreases the degree of f 2 with the algorithm terminating when deg(f 2 ) = 0. Hensel's lemma terminates in a nite number of steps as does the L 3 -algorithm. Note that the L 3 -algorithm is performed a specied nite number of times each iteration. Hence, since every thing in sight is nite, the algorithm must terminate in a nite number of steps. 8 Algorithm Complexity This section will analyze the complexity of the algorithm. The resultant is simply the determinant of a special matrix and hence can be computed on O(n 3 ) time while for small primes p, Berlekamp's algorithm can be computed in O(pn 3 ) time. It turns out that these steps do not impact the complexity of the algorithm. All that is needed is to examine step 5. The L 3 -algorithm is executed for varying values of m. However, notice the starting basis has elements which are either of norm p k or correspond to polynomials with coecients reduced modulo p k. Thus, using the complexity known for the L 3 -algorithm, we can state that it uses O(m 4 log p k ) = O(m 4 k log p) arithmetic operations on integers of size O(m log p k ) = O(mk log p). However, from our choice of k, we see that p k?1 p (k?1)l 2 (n?1)n=2 2(n? 1) n? 1 n=2 jfj 2n?1 (25) Thus, k log p = (k? 1) log p + log p = O(n 2 + n log jf j + logp) = O(n 2 + n log jf j) (26) since p is relatively small. Thus the L 3 -algorithm runs in O(m 4 (n 2 + n log jf j)) arithmetic operations with integers of size O(m(n 2 + n log jfj)): Let m i = deg(h i ). Then the largest value m 0 i of m on which the L3 -algorithm is performed on the i th iteration satises P [m 0 i < 2m i]. The m's for which it is run are of the form m 0 i =2j ; j 1. Hence m 4 = O(m 4 i ). Thus, on the ith iteration, the L 3 -algorithm uses O(m 4 i (n 2 + n log jfj)) arithmetic operations on integers of size O(m i (n 2 + n log jfj)). 12

14 Using the fact that m i n, the L 3 -algorithm works in O(m i (n 5 +n 4 log jf j)) arithmetic operations. Finding the gcd of several polynomials will work within these parameters. In addition, a crude estimate will show that the same is true for a reasonable version of Hensel's lemma. Note that step 5 is run q times with P mi = n. Hence, it uses O(n 6 + n 5 log jfj) arithmetic operations on integers of size O(n 3 + n 2 log jf j). Thus, the algorithm takes a total of O(n 12 + n 9 log jfj 3 ) bit operations. 9 Concluding Remarks Notice that any choice of starting basis for the L 3 -algorithm will suce. The one used is simply chosen for its simplicity of represntation. However, special choices of a starting basis may actually speed up the algorithm. In any case the algorithm does work well in practice. There are several other ways to speed up the algorithm. See the original paper by Lenstra, Lenstra, and Lovasz [4] for further details. In the course on the geometry of numbers, the Leech lattice was studied. The matrix from which it is generated turns out to be equivalent to the generator matrix for the Golay (24; 12; 8)-code. In this paper, we indirectly see another relationship between lattice theory and coding theory. Cyclic codes and BCHcodes are constructed through a special relationship between polynomials of degree m in F[x] and vectors in F m+1 which allows one to apply a ring structure to a vector space. The relationships shown between polynomials and lattices are very similar to this. At present, there is no known polynomial-time algorithm for factoring positive integers into primes. Opinions vary as to whether or not there is one. This paper may make one suspect that such an algorithm does exist. After all, the integers and polynomials over Q share many similarities. References [1] E. R. Berlekamp. Factoring Polynomials Over Finite Fields. Bell System Technical J. 46(1967), [2] D. E. Knuth. The Art of Computer Programming. Vol. 2, Seminumerical Algorithms. Addison-Wesley. Reading, [3] N. Koblitz. p-adic Numbers, p-adic Analysis, and Zeta Functions. Springer. N. Y., [4] A. K. Lenstra, H. W. Lenstra Jr., and L. Lovasz. Factoring Polynomials With Rational Coecients. Math. Annalen. 261(1982), [5] M. Mignotte. An Inequality About Factors of Polynomials. Math. Comp. 28(1974),

15 [6] H. Zassenhaus. On Hensel Factorization. I. J. Number Theory. 1(1969), [7] H. Zassenhaus. A Remark on the Hensel Factorization Method. Math. Comp. 32(1978),