The Berlekamp algorithm

Similar documents
Basic elements of number theory

Basic elements of number theory

Commutative Rings and Fields

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

Math101, Sections 2 and 3, Spring 2008 Review Sheet for Exam #2:

Theorem 5.3. Let E/F, E = F (u), be a simple field extension. Then u is algebraic if and only if E/F is finite. In this case, [E : F ] = deg f u.

Lecture 7: Polynomial rings

Chapter 3. Rings. The basic commutative rings in mathematics are the integers Z, the. Examples

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Outline. MSRI-UP 2009 Coding Theory Seminar, Week 2. The definition. Link to polynomials

Lecture 11: Cantor-Zassenhaus Algorithm

Lecture Notes Math 371: Algebra (Fall 2006) by Nathanael Leedom Ackerman

Discrete Mathematics and Probability Theory Summer 2017 Course Notes Note 6

Computations/Applications

Definition For a set F, a polynomial over F with variable x is of the form

MATH 115, SUMMER 2012 LECTURE 12

Number Theory. Introduction

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Partial Fractions. June 27, In this section, we will learn to integrate another class of functions: the rational functions.

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

SECTION 2.3: LONG AND SYNTHETIC POLYNOMIAL DIVISION

11 Division Mod n, Linear Integer Equations, Random Numbers, The Fundamental Theorem of Arithmetic

Chapter 5. Number Theory. 5.1 Base b representations

1. Algebra 1.5. Polynomial Rings

Algorithmic Factorization of Polynomials over Number Fields

4. Congruence Classes

Introduction to finite fields

CDM. Finite Fields. Klaus Sutner Carnegie Mellon University. Fall 2018

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Basic Algorithms in Number Theory

TC10 / 3. Finite fields S. Xambó

Notes on arithmetic. 1. Representation in base B

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

Modular Arithmetic Instructor: Marizza Bailey Name:

Discrete Math, Fourteenth Problem Set (July 18)

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Math 547, Exam 2 Information.

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Algebra. Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Fast Fraction-Integer Method for Computing Multiplicative Inverse

MATH 431 PART 2: POLYNOMIAL RINGS AND FACTORIZATION

be any ring homomorphism and let s S be any element of S. Then there is a unique ring homomorphism

ax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d

A Guide to Arithmetic

Algorithms (II) Yu Yu. Shanghai Jiaotong University

NOTES ON FINITE FIELDS

Fast Polynomial Multiplication

Math 131 notes. Jason Riedy. 6 October, Linear Diophantine equations : Likely delayed 6

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

Homework 8 Solutions to Selected Problems

Computation in finite fields. John Kerl Arizona State University and Lockheed Martin Corporation

2a 2 4ac), provided there is an element r in our

LECTURE 16: TENSOR PRODUCTS

Finite Fields: An introduction through exercises Jonathan Buss Spring 2014

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a.

CHAPTER 3. Congruences. Congruence: definitions and properties

Applied Cryptography and Computer Security CSE 664 Spring 2017

Elementary Properties of the Integers

Properties of Arithmetic

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

2301 Assignment 1 Due Friday 19th March, 2 pm

CPSC 467b: Cryptography and Computer Security

MATH 310, REVIEW SHEET 2

CHMC: Finite Fields 9/23/17

MATH 2400 LECTURE NOTES: POLYNOMIAL AND RATIONAL FUNCTIONS. Contents 1. Polynomial Functions 1 2. Rational Functions 6

Fraction-Integer Method (FIM) for Calculating Multiplicative Inverse

Number Theory. Zachary Friggstad. Programming Club Meeting

Lecture 10: Powers of Matrices, Difference Equations

Direct Proof MAT231. Fall Transition to Higher Mathematics. MAT231 (Transition to Higher Math) Direct Proof Fall / 24

Mathematical Foundations of Cryptography

Lecture 11 - Basic Number Theory.

P-adic numbers. Rich Schwartz. October 24, 2014

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

MATH 196, SECTION 57 (VIPUL NAIK)

Math 312/ AMS 351 (Fall 17) Sample Questions for Final

Contribution of Problems

GALOIS THEORY: LECTURE 20

Topics in linear algebra

One-to-one functions and onto functions

Encryption: The RSA Public Key Cipher

Number Theory, Algebra and Analysis. William Yslas Vélez Department of Mathematics University of Arizona

WORKSHEET MATH 215, FALL 15, WHYTE. We begin our course with the natural numbers:

Ch. 12 Higher Degree Equations Rational Root

Example: This theorem is the easiest way to test an ideal (or an element) is prime. Z[x] (x)

Lecture 6: Finite Fields

Solving Quadratic & Higher Degree Equations

Galois Theory Overview/Example Part 1: Extension Fields. Overview:

Cool Results on Primes

Algebra Year 10. Language

[06.1] Given a 3-by-3 matrix M with integer entries, find A, B integer 3-by-3 matrices with determinant ±1 such that AMB is diagonal.

1. Given the public RSA encryption key (e, n) = (5, 35), find the corresponding decryption key (d, n).

Beautiful Mathematics

Jay Daigle Occidental College Math 401: Cryptology

CPSC 467: Cryptography and Computer Security

Chapter 4. Greatest common divisors of polynomials. 4.1 Polynomial remainder sequences

3.4. ZEROS OF POLYNOMIAL FUNCTIONS

RINGS: SUMMARY OF MATERIAL

Transcription:

The Berlekamp algorithm John Kerl University of Arizona Department of Mathematics 29 Integration Workshop August 6, 29 Abstract Integer factorization is a Hard Problem. Some cryptosystems, such as RSA, are in fact designed around the difficulty of integer factorization. For polynomials with coefficients in the finite field F q, on the other hand, we can use the Berlekamp algorithm to factor polynomials of high degree in reasonable amounts of time. In this project, you will see how the algorithm works, prove its correctness, and analyze its computational complexity. This project is aimed toward those with interests in computational algebra, finite fields, and/or linear algebra. Contents Contents 1 1 Theory 2 1.1 Definitions............................................... 2 1.2 Linear algebra............................................. 3 1.3 GCDs................................................. 3 1.4 Squarefree preparation........................................ 4 2 Practicalities 4 2.1 Pseudocode.............................................. 4 2.2 Worked example........................................... 4 2.3 Complexity analysis......................................... 5 A Background: integers 6 A.1 Integer factorization and complexity................................ 6 A.2 Modular arithmetic with integers.................................. 6 1

B Background: polynomial and modular polynomial arithmetic over F 2 7 B.1 Polynomial arithmetic........................................ 7 B.2 Modular polynomial arithmetic................................... 7 References 8 1 Theory 1.1 Definitions Definition 1.1. Let f F q [x] have degree n. Suppose f = e 1 e k be the prime factorization of f, for e i F q [x] with degrees d i = deg(e i ) 1. Suppose f is monic and that all the e i s are as well. Assume that f is squarefree, i.e. that all the e i s are distinct. (See section 1.4 to see why this restriction is not a difficulty.) Of course, we don t yet know what the e i s are, nor what k is; that is the purpose of a factorization algorithm. Definition 1.2. Let A f = F q [x]/ f. This is a vector space over F q, of degree n. In fact it is an algebra: a vector space wherein you can also multiply the vectors. Definition 1.3. Let B f = {h A f : h q h (mod f)}. This is the Berlekamp subalgebra of A f. (You will prove below that this is actually a subalgebra.) Definition 1.4. Define by a(x) a(x) q for each a A f. Q f : A f A f Proposition 1.5. This is an F q -linear map from A f to itself. Proof. Prove this. (Hint: use the freshman s dream.) Proposition 1.6. B f = ker(q f I). Proof. Prove this. (Hint: you will need the Frobenius automorphism from finite-field theory.) Proposition 1.7. B f is a subalgebra of A f. Proof. Prove this. (Hint: You can check subspace axioms, or you can use the fact that B f is the kernel of a linear map.) Remark 1.8. By the Chinese Remainder Theorem, A f = Fq [x]/ e 1 F q [x]/ e k. (Since each of the e i s is irreducible, each factor is a finite field.) 2

1.2 Linear algebra We can find a basis for the vector subspace B f of A f using linear algebra. (See section 2.2 for a worked example.) The set {x n 1, x n 2,..., x,1} (where n = deg f) is a basis for A f. The map Q f, defined above, is defined by its action on this standard basis. Let the M be the matrix of Q f, with respect to the standard basis for A f. Question: Using both the polynomial point of view and the vector-space point of view, figure out how to write down the matrix for Q. Write h(x) as a vector with respect to the standard basis; do the same for Qh = h q, where the latter is reduced mod f. (Hint: reduction mod f is a ring homomorphism, so it moves through terms.) Using row reduction, we can compute a basis for B f = ker(q f I) using row reduction on the matrix M I. This is an important part of the factorization algorithm, for the following reason. Proposition 1.9. The nullity of Q f I is the number of irreducible factors of f(x). Proof. Please flesh out the details in the following sketch. We have, by hypothesis, f = e 1 e k. By the Chinese Remainder Theorem (mapping how, precisely?), A f = F q [x]/ e 1 F q [x]/ e k. Now let h B f. The CRT map sends h to (r 1,...,r k ). Since h B f, = h q h = (r q 1 r 1,...,r q k r k). This means r q i = r i for each i, so therefore each r i is in F q. We may conclude that B f = (Fq ) k. (How does this relate to the rank and nullity of Q f I?) This means that we can already test for irreducibility, just by checking the nullity of Q f I. Going ahead and finding a non-trivial factor of f(x) takes a little more work. 1.3 GCDs Proposition 1.1. For each h B f, f(x) = c F q gcd(f, h c). Proof. Prove this. (Hint: Show that the left-hand side divides the right-hand side, and vice versa.) Corollary 1.11. For each h B f, if < deg h, there exists some c F q such that g = gcd(f, h c) 1. Such a g is a non-trivial factor of f. Proof. Prove this. 3

1.4 Squarefree preparation This section is optional. Berlekamp s algorithm requires squarefree input yet, given an input polynomial f, how do you know if it s squarefree? Isn t this the kind of thing you want a factorization algorithm to do for you? It turns out there is a trick. Given f, let f be the formal derivative of f with respect to x. Then let g = gcd(f, f ). Case 1: If g has degree, then the input f is squarefree, and is ready for Berlekamp. Question: Prove why this is true. Case 2: If f = : the input is a perfect pth power, where p is the characteristic of F q. You can find out what this is just by looking at f. Question: Use the freshman s dream to find out why. (Hint: make up a few polynomials over F 2 and square them; make up a few polynomials over F 3 and cube them. What do they look like? Looking at only the pth powers, is it easy to guess what they are the pth powers of?) (Now, if f is a pth power, its pth root might also be a pth power: e.g. if f(x) = x 4 +1 over F 2. So, you need to recursively run the pth root of f through the squarefree-preparation routine.) Case 3: Else i.e. if g has degree 1, and if f, then recursively apply the squarefree-preparation algorithm to g and f/g. 2 Practicalities 2.1 Pseudocode Question: Use the pieces of theory from the above sections to write out a pseudocode description of Berlekamp s algorithm. (You may assume the input is squarefree, or you may incorporate the information in section 1.4 and describe how non-squarefree input is handled.) The algorithm should take an input polynomial, and describe how to factor it into distinct irreducible factors. Your description should include what can happen when there are three or more factors. You need not describe row reduction in detail: you may treat this as a black-box step of the algorithm. However, you should be explicit about how each of the basis vectors are handled. Extra question: What do you choose to do if the input polynomial is non-monic? 2.2 Worked example Given squarefree f(x), we want to find polynomials h(x) such that h q h (mod f). Take f = x 5 +x 4 +1 = 111 = 111 111. The degree of f is 5. By explicit search, we can find the following polynomials h of degree < 5 such that h 2 h (mod f):, 1, 111, 1111. 4

To avoid having to do a search, we use linear algebra instead. f = x 5 + x 4 + 1 = 111 x 1 (mod f) x 2 1 (mod f) x 4 1 (mod f) x 6 111 (mod f) x 8 11111 (mod f). a 4 a 3 a 2 a 1 a h = a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a h 2 = a 4 x 8 + a 3 x 6 + a 2 x 4 + a 1 x 2 + a = a 4 (x 4 + x 3 + x 2 + x + 1) + a 3 (x 4 + x + 1) + a 2 (x 4 ) + a 1 (x 2 ) + a (1) 1 1 1 a 4 = 1 1 1 1 1 a 3 a 2 a 1 1 1 1 a = 1 1 1 1 1 1 1 1 1 1 1 1 a 4 a 3 a 2 a 1 a Call the matrix M. Its (n 1 j)th column is x jq (mod f). Put M I in row-echelon form to obtain 1 1 1 1 1 with kernel basis. (1, 1, 1,, ), (,,,, 1). These are h 1 = 111 and h 2 = 1, respectively. Compute gcd(f, h 1 ) = 111 and gcd(f, h 1 + 1) = 111 to obtain non-trivial factors of f. 2.3 Complexity analysis Question: Describe the number of F q arithmetic operations needed to perform one step of Berlekamp s algorithm, i.e. to find one non-trivial factor of an input polynomial f(x). (For row reduction, you can count operations. For the GCD step, describe the complexity of a single GCD, since the number of GCDs that need to be computed may vary.) 5

A Background: integers I assume you re familiar with integer arithmetic, but perhaps not so much with polynomials over F q. Moreover, even if you have had exposure to finite fields, my experience is that many instructors teach the subject very abstractly. So, you might have been taught existence and uniqueness of finite fields, but you might never have been taught how to actually do explicit computations with them. Here we remind ourselves of some facts about the familiar integers, in order to facilitate comparison with perhaps-less-familiar polynomials over finite fields, below. A.1 Integer factorization and complexity How do you factor an integer n into primes? You don t need to find all prime factors at once. It suffices to find any non-trivial factor a. If there is no such, then n is prime. Otherwise you get b = n/a. Then, using a divide-and-conquer strategy, you can apply whatever algorithm you used for n to the integers a and b. So, how do we find a non-trivial factor of a given n? One way is to trial-divide n by all 2 a < n. If the remainder is zero for any such a, then a n. What is the computational complexity? This takes n 2 divisions; we say that this algorithm is O(n) in the number of divisions. (Note of course that division itself takes longer when n is bigger; you would get a different order of complexity if you were to count not number of divisions, but say, digit operations.) This is clearly non-optimal, though. If a n, then b = n/a n as well, and we can take a b. That is, if n has one factor greater than or equal to n, then it has another factor less than or equal to n. Given n = 11, once you ve gotten past a = 1 you can stop. Thus, a second algorithm for finding a non-trivial factor of n is to trial-divide by all 2 a n. This takes O( n) trial divisions. This is also non-optimal. Once you ve found that 2 n, it s silly to divide n by 4, 6, or any other even number. Likewise, once you know 3 n, you needn t trial-divide n by any other multiple of 3. So, a third algorithm would be to trial-divide n by all 2 p n only for primes p. (Of course, you can only do this if you have a big enough table of primes.) What s the complexity? By the prime number theorem, the number of primes less than or equal to n is approximately n/ ln( n), so the number of trial divisions is O( n/ ln( n)). There are lots of integer-factorization algorithms, some easy and some hard, and also there are quite nice primality-testing algorithms which don t produce a factorization but which tell you if you should bother. I won t describe them further; the above examples suffice to demonstrate that (a) there are different ways of doing things, and (b) one can quantify the amount of time they take. A.2 Modular arithmetic with integers Given any n 2, we can compute in the residue ring Z/nZ = Z/ n. (I happily write this Z n, although number theorists balk at this notation since it means something else to them.) The method is to reduce mod n and take remainders. E.g. if n = 1 and a = 27, we reduce 27 mod 1 to obtain the canonical representative 7 for the equivalence class containing 7. Specifically, we divide 27 by 1 and take the remainder, 7. Given equivalence-class representatives a and b, we can add, subtract, or multiply them in Z, then reduce mod n. This is because reduction mod n is a ring homomorphism from Z to Z n. If n is prime (call it p), then Z p is a field. This is how we construct finite fields of prime order p. Otherwise, 6

Z n is a ring with zero-divisors. B Background: polynomial and modular polynomial arithmetic over F 2 This project studies factorizations of polynomials in F q [x]. Since this may be less familiar than working with integers, we give some computational examples and some notation. B.1 Polynomial arithmetic Take q = 2. Then x 4 + 1 is a fourth-degree polynomial with coefficients or 1, with coefficient arithmetic done mod 2. This factors as (x 2 + 1) 2, which in turn factors as (x + 1) 4. So, x 4 + 1 is reducible. By contrast, f(x) = x 4 + x + 1 has no non-trivial factors; we say that it is irreducible. How can I be so sure of that statement? Well, since degree four is small, we can do an explicit search. If f has a non-trivial factor, i.e. a factor with degree greater than or equal to one, one factor must have degree 1, 2, or 3. There are two degree-one polynomials over F 2 : x and x + 1. There are four degree-two polynomials: x 2, x 2 + 1, x 2 + x, and x 2 + x + 1. There are eight degree-three polynomials, x 3 through x 3 + x 2 + x + 1. So, all we need to do is use long division, dividing x 4 + x + 1 by each of these fourteen possible divisors. If none of them goes into x 4 + x + 1 with a zero remainder, then x 4 + x + 1 is irreducible. This is similar to the most naive trial division for integers. As with integer division, where we need to trialdivide up to n, here too we can stop trial-dividing by polynomials with degree up to n/2 where n = deg f. For larger degree, the number of trial divisors gets large. Question: What is the number of trial divisors using the above method? You can write it as a function of n and q. Elwyn Berlekamp s algorithm (1967) is a powerful way to factor polynomials over F q. Note that we don t have such a powerful algorithm for polynomials with coefficients in Q, or for integers. For shorthand, we ll often write polynomials with their coefficients only, in descending order of degrees of terms. For example, x 4 + 1 = 11 = 11 2 = 11 4 and x 4 + x + 1 = 111. You can check that and 111 = 111 111 1111111 = 1 11 111 111 111 Likewise you can check that each of these factors is in fact irreducible. (The ring F[x], for any field F, is a unique factorization domain so irreducibility and primality are equivalent. Nonetheless, the convention is to use the words prime and composite for integers, and the words irreducible and reducible for polynomials.) B.2 Modular polynomial arithmetic Once we know how to add, subtract, and multiply polynomials in F q [x], it s not much harder to do arithmetic in the residue ring F q [x]/ f. Just as with modular arithmetic of integers, given a polynomial a(x), we divide 7

it by the modulus f(x) and take the remainder. This means in particular that deg a < deg f, where a here refers to the canonical representative. Question: Given f(x) F q [x], with deg f = n, how many elements are there in F q [x]/ f? Given two polynomials a(x) and b(x), we can add, subtract, or multiply them, then reduce the result mod f(x). For example, if f(x) = 111 F 2 [x], a(x) = 1111, and b(x) = 11, then a(x)b(x) can be found using high-school multiplication (with coefficients mod 2, i.e. you can just forget to carry): 1111 * 11 ------ 1111 1111 ------ 1111 Now to reduce mod f(x), you can do long division and keep the remainder. But, since all you need is the remainder and not the quotient, it s even easier. Just keep subtracting off multiples of f(x) until the result has degree less than the degree of f(x): 1111-111 ------ 111-111 ------ 11 So, just as 27 36 2 (mod 1) in the integers, we have 1111 11 11 (mod 111) in F 2 [x]. If f(x) is irreducible in F q [x], then F q [x]/f(x) is a field a finite field of size q n where n = deg(f). Otherwise, it s a ring with zero-divisors. References [DF] D.S. Dummit and R.M. Foote. Abstract Algebra (2nd ed.). John Wiley and Sons, 1999. [PARI] H. Cohen, K. Belebas et al. PARI/GP. pari.math.u-bordeaux.fr. [Knu] D.E. Knuth. The Art of Computer Programming, Vol. 1: Fundamental Algorithms (2nd ed.). Addison- Wesley, 1973. [Knu] D.E. Knuth. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms (2nd ed.). Addison-Wesley, 1973. [LN] R. Lidl and H. Niederreiter. Finite Fields. Cambridge University Press, 1997. 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback