Factoring univariate polynomials over the rationals


Title slide: Factoring univariate polynomials over the rationals
Tommy Hofmann, TU Kaiserslautern, November 21, 2017 (slide 1 of 31)

The problem

Given $f = a_d X^d + a_{d-1} X^{d-1} + \dots + a_0 \in \mathbb{Q}[X]$, find irreducible polynomials $f_1, \dots, f_r \in \mathbb{Q}[X]$ such that $f = f_1 f_2 \cdots f_r$.

Example: Given $f = X^5 + X^4 + X^2 + X + 2$, we would like to find
$X^5 + X^4 + X^2 + X + 2 = (X^2 + X + 1)(X^3 - X + 2)$.

An easy reduction

Starting with an arbitrary $f = a_d X^d + a_{d-1} X^{d-1} + \dots + a_0 \in \mathbb{Q}[X]$, we can make the following assumptions:
1. $f$ is square-free (easy square-free factorization).
2. $f$ is integral, that is $f \in \mathbb{Z}[X]$ (multiply with a common denominator).
3. $f$ is primitive, that is $\gcd(a_d, a_{d-1}, \dots, a_0) = 1$ (divide by the gcd).
4. $f$ is monic (replace $f$ by $a_d^{d-1} f(X/a_d)$).
Thus $f$ is a monic, square-free, primitive polynomial in $\mathbb{Z}[X]$.

A lemma of Gauß: Since $f$ is monic and primitive, the unique monic irreducible factors $f_i \in \mathbb{Q}[X]$ of $f$ are also integral, that is, $f = f_1 f_2 \cdots f_r$ with $f_i \in \mathbb{Z}[X]$ monic and irreducible in $\mathbb{Q}[X]$.

Factorization of primitive, monic polynomials in $\mathbb{Z}[X]$

Good news: There exists an algorithm for computing factorizations.
Better news: There exists a deterministic algorithm with running time polynomial in the size of the input.
Most important news: There exist fast implementations for computing factorizations.

Act 1: Where the problem is first solved

Enter: Friedrich Theodor von Schubert, De inventione divisorum, 1793; Leopold Kronecker, Grundzüge einer arithmetischen Theorie der algebraischen Grössen, 1882.
Schubert (1785–1829), Kronecker (1823–1891).

Factoring à la Schubert or Kronecker

Underlying ideas: If $g \in \mathbb{Z}[X]$ divides $f$, then $g(n)$ divides $f(n)$ for all $n \in \mathbb{Z}$. A polynomial $g \in \mathbb{Z}[X]$ of degree $k$ is uniquely determined by its values at $k + 1$ points.

Theorem: Pick distinct elements $a_0, \dots, a_k \in \mathbb{Z}$ and compute the finite set
$S = \{ (d_0, \dots, d_k) \in \mathbb{Z}^{k+1} \text{ such that } d_0 \mid f(a_0),\ d_1 \mid f(a_1),\ \dots,\ d_k \mid f(a_k) \}$.
Then
$\{\text{divisors of degree } k \text{ of } f\} \subseteq \bigcup_{(d_0, \dots, d_k) \in S} \{ g \in \mathbb{Z}[X] \mid g(a_i) = d_i,\ 0 \le i \le k \}$.

Corollary: There exists an algorithm for factoring polynomials.

Factoring à la Schubert or Kronecker

Example: Consider $f = X^5 + X^4 + X^2 + X + 2$, $k = 3$ and pick $a_0 = -1$, $a_1 = 0$ and $a_2 = 1$. Then $f(a_0) = 2 = f(a_1)$ and $f(a_2) = 6$. Thus
$S = \{-2, -1, 1, 2\} \times \{-2, -1, 1, 2\} \times \{-6, -3, -2, -1, 1, 2, 3, 6\}$
has cardinality $\#S = 128$. If we pick $(d_0, d_1, d_2) = (1, 1, 3)$, then $p = X^2 + X + 1$ is a divisor of $f$ and
$X^5 + X^4 + X^2 + X + 2 = (X^2 + X + 1)(X^3 - X + 2)$.

Problems: Factoring integers is kind of hard, and we have $2^k$ many things to check. (An arithmetic and a combinatorial problem.)
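As an added example (my own Python, not code from the slides), the Kronecker procedure above run on the slide's $f$ with the three evaluation points $-1, 0, 1$, so the candidates are polynomials of degree at most 2: it walks the candidate set $S$, interpolates each tuple of divisors (Lagrange interpolation over $\mathbb{Q}$ is my choice of implementation), keeps only monic integral results (as the Gauß lemma allows) and trial-divides; all function names are assumed.

```python
from fractions import Fraction
from itertools import product

F = [2, 1, 1, 0, 1, 1]   # f = X^5 + X^4 + X^2 + X + 2 (coefficients low to high)
POINTS = [-1, 0, 1]      # a_0, a_1, a_2: three values pin down a candidate of degree <= 2

def evaluate(poly, x):
    """Horner evaluation of a polynomial given low to high."""
    acc = 0
    for c in reversed(poly):
        acc = acc * x + c
    return acc

def divisors(n):
    """All positive and negative divisors of the nonzero integer n."""
    pos = [d for d in range(1, abs(n) + 1) if n % d == 0]
    return pos + [-d for d in pos]

def interpolate(points, values):
    """Lagrange interpolation over Q; returns len(points) coefficients, low to high."""
    k = len(points)
    coeffs = [Fraction(0)] * k
    for i, (xi, yi) in enumerate(zip(points, values)):
        basis = [Fraction(1)]                     # product of (X - x_j) / (x_i - x_j), j != i
        for j, xj in enumerate(points):
            if j == i:
                continue
            scale = Fraction(1, xi - xj)
            new = [Fraction(0)] * (len(basis) + 1)
            for t, b in enumerate(basis):
                new[t] -= b * xj * scale
                new[t + 1] += b * scale
            basis = new
        for t in range(k):
            coeffs[t] += yi * basis[t]
    return coeffs

def divides(g, f):
    """True if the monic integer polynomial g divides f exactly in Z[X]."""
    rem = list(f)
    for i in range(len(f) - len(g), -1, -1):
        q = rem[i + len(g) - 1]
        for j, gj in enumerate(g):
            rem[i + j] -= q * gj
    return not any(rem[:len(g) - 1])

def kronecker_factor(f, points):
    """Walk through S = prod divisors(f(a_i)) as in the theorem; return the first monic
    integral candidate of degree len(points) - 1 that divides f, or None if there is none."""
    values = [evaluate(f, a) for a in points]
    for choice in product(*[divisors(v) for v in values]):   # this enumerates S
        g = interpolate(points, choice)
        if g[-1] != 1 or any(c.denominator != 1 for c in g):
            continue                          # need a monic, integral polynomial (Gauss)
        g = [c.numerator for c in g]
        if divides(g, f):
            return g
    return None
```

The tuple $(1, 1, 3)$ is the third one visited, and it returns $X^2 + X + 1$ as coefficient list `[1, 1, 1]`.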

Act 2: Where integer factorization has to go

Enter: Hans Zassenhaus, On Hensel Factorization, I, 1969; Elwyn Berlekamp, Factoring Polynomials Over Large Finite Fields, 1970.
Berlekamp (1940–), Zassenhaus (1912–1991).

Factoring à la Berlekamp or Zassenhaus

Underlying ideas: There exists an a priori bound for the size of the coefficients of possible factors. Factorization modulo primes or prime powers is unique (for properly chosen primes) and can be computed efficiently.

First ingredient: A bound for the output. There exists a bound $C \in \mathbb{R}_{>0}$ such that for any divisor $g \in \mathbb{Z}[X]$ of $f$ we have $\|g\|_{\max} \le C$. Moreover, $C$ can be chosen such that $\log(C) \in O(\mathrm{poly}(d, \log(\|f\|_{\max})))$, and $C$ can be computed in polynomial time from the coefficients of $f$. (Collins, Knuth, Mignotte, Zassenhaus, Granville, ...)

Factoring à la Berlekamp or Zassenhaus

Second ingredient (Berlekamp): Fix a prime $p$ such that $p > 2C$. Compute the factorization $\bar f = \prod_{i=1}^r \bar g_i$ with $\bar g_i \in \mathbb{F}_p[X]$ monic and irreducible (in polynomial time).

Second ingredient (Zassenhaus): Fix a prime $p$ and an exponent $e > 0$ such that $\bar f \in \mathbb{F}_p[X]$ is squarefree and $p^e > 2C$. Compute the factorization of $f$ modulo $p$ and lift it to a factorization $f = \prod_{i=1}^r g_i$ over $\mathbb{Z}/p^e\mathbb{Z}[X]$ with $g_i \in \mathbb{Z}[X]$ monic and irreducible modulo $p$.

In both cases we obtain an integer $M > 2C$ and the unique factorization $f = \prod_{i=1}^r g_i$ in $\mathbb{Z}/M\mathbb{Z}[X]$.

Factoring à la Berlekamp or Zassenhaus

Let $M$ be as before.

Third ingredient: If $g \in \mathbb{Z}[X]$ is an irreducible factor of $f$, then there exists a unique set $\{i_1, \dots, i_s\} \subseteq \{1, \dots, r\}$ such that $\bar g = \bar g_{i_1} \cdots \bar g_{i_s}$. Moreover, $g$ is the unique lift of $\bar g_{i_1} \cdots \bar g_{i_s}$ with coefficients in $(-M/2, M/2)$.

Factoring à la Berlekamp or Zassenhaus

Berlekamp–Zassenhaus algorithm:
1. Find $M > 2C$ such that $f$ has a unique factorization $f = g_1 \cdots g_r$ in $\mathbb{Z}/M\mathbb{Z}[X]$ with $g_i \in \mathbb{Z}[X]$ irreducible modulo $M$.
2. For every subset $S \subseteq \{1, \dots, r\}$ compute the unique $g \in \mathbb{Z}[X]$ with coefficients in $(-M/2, M/2)$ such that $\bar g = \prod_{i \in S} \bar g_i$. If $g$ divides $f$, restart with input $f/g$ and $g$ and merge the results.
3. If we do not find a suitable $g$, $f$ is irreducible.

Theorem: The running time of the Berlekamp–Zassenhaus algorithm is in $O(2^{r-1} \cdot \mathrm{poly}(d, \|f\|_{\max}))$.

Factoring à la Berlekamp or Zassenhaus

Example (Berlekamp, big prime flavor): Consider $f = X^4 + X^3 + 4X^2 + X + 3 \in \mathbb{Q}[X]$. Then $p = 577$ is a big enough prime and
$f \equiv \underbrace{(X + 24)}_{g_1}\,\underbrace{(X + 185)}_{g_2}\,\underbrace{(X + 393)}_{g_3}\,\underbrace{(X + 553)}_{g_4} \bmod p\mathbb{Z}[X]$.
Thus there are $2^3 = 8$ combinations to check. For $S \subseteq \{1, 2, 3, 4\}$ with $\#S = 1$ we don't find a factor. If we choose $S = \{1, 4\}$ we find $g = X^2 + 1$ with $g \equiv (X + 24)(X + 553) \bmod p\mathbb{Z}[X]$. By testing divisibility we see that $g \mid f$ and $f = (X^2 + 1)(X^2 + X + 3)$. The next step would show that $f/g$ and $g$ are irreducible.
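Added example (my own Python, not part of the slides): steps 2 and 3 of the Berlekamp–Zassenhaus algorithm run on the example above. The four linear factors of $f$ modulo $577$ are taken from the slide as input rather than recomputed; each subset product is lifted to coefficients in $(-M/2, M/2)$, trial-divided, and the recursion on $f/g$ and $g$ splits the modular factors between the two parts. Names are assumed.

```python
from itertools import combinations

P = 577                                                # the prime from the slide
F = [3, 1, 4, 1, 1]                                    # X^4 + X^3 + 4X^2 + X + 3, low to high
MOD_FACTORS = [[24, 1], [185, 1], [393, 1], [553, 1]]  # X+24, X+185, X+393, X+553 mod 577

def mul_mod(a, b, m):
    """Product of two polynomials with coefficients reduced modulo m."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % m
    return out

def symmetric_lift(poly, m):
    """Replace residues in [0, m) by their representatives in (-m/2, m/2)."""
    return [c - m if c > m // 2 else c for c in poly]

def divmod_monic(f, g):
    """Division of integer polynomials by a monic g: (quotient, remainder), both over Z."""
    rem, quot = list(f), [0] * (len(f) - len(g) + 1)
    for i in range(len(quot) - 1, -1, -1):
        quot[i] = rem[i + len(g) - 1]
        for j, gj in enumerate(g):
            rem[i + j] -= quot[i] * gj
    return quot, rem[:len(g) - 1]

def recombine(f, factors, m):
    """Step 2 of the algorithm: try proper nonempty subsets of the modular factors by
    increasing size; return (subset, lifted g, f/g) for the first lift dividing f in Z[X],
    or None when no subset works (then f is irreducible, step 3)."""
    r = len(factors)
    for size in range(1, r):
        for subset in combinations(range(r), size):
            g = [1]
            for i in subset:
                g = mul_mod(g, factors[i], m)
            g = symmetric_lift(g, m)          # unique lift with coefficients in (-m/2, m/2)
            quot, rem = divmod_monic(f, g)
            if not any(rem):
                return subset, g, quot
    return None

def factor_bz(f, factors, m):
    """Recombination with recursion: returns the irreducible factors of f over Z, splitting
    the modular factors between g and f/g whenever a true factor g is found."""
    found = recombine(f, factors, m)
    if found is None:
        return [f]
    subset, g, quot = found
    inside = [factors[i] for i in subset]
    outside = [fac for i, fac in enumerate(factors) if i not in subset]
    return factor_bz(g, inside, m) + factor_bz(quot, outside, m)
```

The subset `(0, 3)`, that is $g_1 g_4$, lifts to $X^2 + 1$ and is the first one that divides $f$; both halves then come back irreducible because no single lifted linear factor has an integer root in $f$.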

Factoring à la Berlekamp or Zassenhaus

Remarks: The factor $2^{r-1}$ makes the running time of the algorithm exponential. The algorithm is very slow if the polynomial has lots of factors modulo $p$. It works quite well in practice on random input (a random polynomial of degree $d$ over $\mathbb{F}_p$ has $\log(d)$ many irreducible factors). But the worst case is much worse than the random case.

Swinnerton-Dyer polynomials: For $n \in \mathbb{Z}_{\ge 1}$ denote by $p_n$ the $n$-th prime number. The polynomial
$S_n = \prod (X \pm \sqrt{2} \pm \sqrt{3} \pm \dots \pm \sqrt{p_n}) \in \mathbb{Z}[X]$
is irreducible of degree $2^n$ and factors into linear and quadratic factors modulo every prime.

Act 3: Where lattices appear

Enter: Arjen Lenstra, Hendrik Lenstra, László Lovász, Factoring Polynomials with Rational Coefficients, 1982.
A. Lenstra (1956–), H. Lenstra (1949–), Lovász (1948–).

Factoring à la Lenstra–Lenstra–Lovász

Underlying ideas: A factor of a polynomial must come from a short vector in a lattice. The approximate shortest vector problem is solvable in polynomial time.

Lemma: Assume that $f, g \in \mathbb{Z}[X]$ have degree $n$ and $k$ and that $u \in \mathbb{Z}[X]$ is non-constant, monic and divides both $f$ and $g$ modulo $m$ for some $m \in \mathbb{Z}_{\ge 1}$ with $|\operatorname{res}(f, g)| \le \|f\|^k \|g\|^n < m$. Then $\gcd(f, g) \in \mathbb{Z}[X]$ is non-constant. (If two polynomials in $\mathbb{Z}[X]$ have a non-constant common divisor modulo $m$ for some $m$ larger than the resultant, then they must have a non-constant common factor in $\mathbb{Z}[X]$.)

Factoring à la Lenstra–Lenstra–Lovász

Lattices: A subgroup $L \subseteq \mathbb{R}^n$ is called a lattice if there exist $f_1, \dots, f_k \in \mathbb{R}^n$ with
$L = \{ \sum_{i=1}^k r_i f_i \mid r_1, \dots, r_k \in \mathbb{Z} \}$.
An element $f \in L \setminus \{0\}$ with $\|f\| \le \min_{g \in L \setminus \{0\}} \|g\|$ is called a shortest vector. If we weaken this to $\|f\| \le 2^{(n-1)/2} \min_{g \in L \setminus \{0\}} \|g\|$, $f$ is called an approximate shortest vector.

Theorem (Lenstra–Lenstra–Lovász): There exists a polynomial time algorithm (the LLL algorithm) for computing reduced bases (LLL bases). The first element of a reduced basis is an approximate shortest vector.

Factoring à la Lenstra–Lenstra–Lovász

Let $u$ be a divisor of $f$ modulo $m$ of degree $d < n$. We want to translate the existence of $g$ into a lattice problem. Assume we are looking for $g$ of degree $< j$. We identify
$\{ h \in \mathbb{Z}[X] \mid \deg(h) < j \} \cong \mathbb{Z}^j, \quad \sum_i a_i X^i \mapsto (a_{j-1}, \dots, a_0)$.
Consider the lattice $L_u \subseteq \mathbb{Z}^j$ spanned by $\{ uX^i \mid 0 \le i < j - d \} \cup \{ mX^i \mid 0 \le i < d \}$. Then for $g \in \mathbb{Z}[X]$ we have $g \in L_u$ if and only if $\deg(g) < j$ and $u$ divides $g$ modulo $m$. Thus if $g$ comes from a short element in $L_u$, then this will give us a factor of $f$.

Factoring à la Lenstra–Lenstra–Lovász

1. Fix a prime $p$ such that $\bar f \in \mathbb{F}_p[X]$ is squarefree and compute a factorization $f = \prod_{i=1}^r g_i$ in $\mathbb{Z}/p^l\mathbb{Z}[X]$ with $g_i \in \mathbb{Z}[X]$ monic and irreducible modulo $p$ and $l$ large enough.
2. For every $g_i$ construct the lattice $L_{g_i}$ (with $j = n$) and compute an LLL basis $(b_1, \dots, b_{n+1})$ of $L_{g_i}$. If $\|b_1\| \le$ some explicit bound, $\gcd(b_1, f)$ is nontrivial and we continue recursively. Otherwise $f$ is irreducible.

Theorem (Lenstra–Lenstra–Lovász): The running time of the algorithm is in $O(n^{12} + n^9 (\log \|f\|)^3)$. Thus polynomials in $\mathbb{Q}[X]$ can be factored in (deterministic) polynomial time.
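Added example (my own Python, not the authors' code): the lattice $L_u$ of the previous slides built for $u = X + 24$, $m = 577$, $j = 3$ and the $f$ from the Berlekamp–Zassenhaus example, then reduced with a small textbook LLL over exact rationals (an unoptimised implementation I assume here, with Gram–Schmidt data recomputed after every change, not the LLL paper's algorithm). The first reduced basis vector reads back as $X^2 + 1$, which divides $f$; names are assumed.

```python
from fractions import Fraction

M, U, J = 577, [24, 1], 3        # modulus, u = X + 24 (coefficients low to high), degree bound j
F = [3, 1, 4, 1, 1]              # f = X^4 + X^3 + 4X^2 + X + 3 from the Berlekamp example

def lattice_basis(u, m, j):
    """Basis of L_u in Z^j: u*X^i for 0 <= i < j - deg(u), then m*X^i for 0 <= i < deg(u)."""
    d = len(u) - 1
    rows = [[0] * i + list(u) + [0] * (j - d - 1 - i) for i in range(j - d)]
    rows += [[m if t == i else 0 for t in range(j)] for i in range(d)]
    return rows

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL with exact rational arithmetic; fine for tiny lattices like this one."""
    b = [[Fraction(x) for x in v] for v in basis]
    n = len(b)
    def dot(x, y):
        return sum(p * q for p, q in zip(x, y))
    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = list(b[i])
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu
    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                    # size reduction of b_k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                        # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]               # swap and step back
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[x.numerator for x in v] for v in b]          # integer lattice: entries are integral

def remainder(f, g):
    """Remainder of f modulo g over Q (coefficients low to high, g with nonzero leading term)."""
    rem = [Fraction(c) for c in f]
    for i in range(len(f) - len(g), -1, -1):
        q = rem[i + len(g) - 1] / g[-1]
        for t, gt in enumerate(g):
            rem[i + t] -= q * gt
    return rem[:len(g) - 1]

def short_factor(f, u, m, j):
    """Polynomial read off the first LLL basis vector of L_u (trailing zeros dropped, sign
    normalised) together with the remainder of f modulo it; all-zero remainder = true factor."""
    g = lll(lattice_basis(u, m, j))[0]
    while g[-1] == 0:
        g.pop()
    if g[-1] < 0:
        g = [-c for c in g]
    return g, remainder(f, g)
```

Here $X^2 + 1 = X \cdot u - 24 \cdot u + 1 \cdot m$ lies in $L_u$ with norm $\sqrt{2}$, far below every other lattice vector, so LLL returns it first; the slide's $\gcd(b_1, f)$ check is replaced by an exact divisibility test.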

Factoring à la Lenstra–Lenstra–Lovász

Problems: In the worst case, one has to do Hensel lifting to huge precision, which is followed by LLL on matrices with large coefficients. The Berlekamp–Zassenhaus algorithm is much faster in practice (on average).

Act 4: Where approximations appear

Enter: Arnold Schönhage, Factorization of Univariate Integer Polynomials by Diophantine Approximation and an Improved Basis Reduction Algorithm, 1982.
Schönhage (1934–).

Factoring à la Schönhage

Underlying idea: Every irreducible factor of $f$ is the minimal polynomial of a root of $f$. Approximation of algebraic numbers can be done using reduced bases.

Let us fix a zero $\alpha \in \mathbb{R}$ of $f$ and denote by $g$ the corresponding factor of $f$.

First ingredient: Approximation of zeros. We can find an approximation $\bar\alpha \in \mathbb{Q}$ with $|\alpha - \bar\alpha| < 2^{-k}$ in polynomial time.

Factoring à la Schönhage

Second ingredient: Lattices. Fix a precision $c = 2^{-k}$ and consider the lattice $\Lambda_m$ spanned by the columns of
$\begin{pmatrix} \bar\alpha^0 & \bar\alpha^1 & \cdots & \bar\alpha^m \\ c & 0 & \cdots & 0 \\ & \ddots & & \\ 0 & \cdots & 0 & c \end{pmatrix} \in \mathrm{Mat}_{(m+1) \times (m+1)}(\mathbb{Q})$.
Consider the map $\Phi\colon \mathbb{Z}[X]_{\le m} \to \Lambda_m$, $\sum a_i X^i \mapsto \sum a_i v_i$, where the $v_i$ are the columns of the matrix. If $\Phi(g)$ is small, then $g(\alpha) = 0$. If $g(\alpha) \ne 0$, then $\Phi(g)$ is big.

Factoring à la Schönhage

1. Compute an approximation $\bar\alpha$ of a root of $f$.
2. For $m = 1, \dots, \deg(f)$ construct the lattice $\Lambda_m$. Compute the first basis element $b_1$ of a reduced basis of $\Lambda_m$. Let $g$ be the corresponding polynomial and $h$ the primitive part of $g$. If $h$ is small enough, continue with $f/h$ etc.

Theorem (Schönhage): The running time of the algorithm is in $O(n^8 + n^5 (\log \|f\|)^3)$.

Act 5: Where we go back to the roots

Enter: Mark van Hoeij, Factoring Polynomials and the Knapsack Problem, 2001.
van Hoeij (1969–).

Factoring à la van Hoeij

Recall: At the end of the Berlekamp–Zassenhaus algorithm we have the recombination problem: which of the $2^r$ combinations give us the true factors of $f$? Lenstra–Lenstra–Lovász avoided this by directly reconstructing the true factors using lattice reduction.

Underlying idea: Solve the recombination problem using lattice reduction (knapsack problem).

Factoring à la van Hoeij

We let $f = g_1 \cdots g_s \in \mathbb{Z}[X]$ and $f = f_1 \cdots f_r \in \mathbb{Z}_p[X]$, where $\mathbb{Z}_p$ are the $p$-adic integers. For $v = (v_1, \dots, v_r) \in \{0, 1\}^r$ we write $g_v = \prod_{i=1}^r f_i^{v_i}$.

Problem: For which $v \in \{0, 1\}^r$ do we have $g_v \in \mathbb{Z}[X]$?

Factoring à la van Hoeij

We let $f = g_1 \cdots g_s \in \mathbb{Z}[X]$ and $f = f_1 \cdots f_r \in \mathbb{Z}_p[X]$. For $v = (v_1, \dots, v_r) \in \{0, 1\}^r$ we write $g_v = \prod_{i=1}^r f_i^{v_i}$.

First ingredient: Linearization. We define
$\Phi\colon \mathbb{Q}_p(X)^\times / \mathbb{Q}_p^\times \to \mathbb{Q}_p(X), \quad g \mapsto f \cdot \frac{g'}{g}$
(multiply $f$ with the logarithmic derivative). For $v_1, v_2 \in \mathbb{Z}^r$ we have $\Phi(g_{v_1}) + \Phi(g_{v_2}) = \Phi(g_{v_1 + v_2})$. For all $v \in \mathbb{Z}^r$ we have $\Phi(g_v) \in \mathbb{Z}_p[X]$. Let $w_1, \dots, w_s \in \mathbb{Z}^r$ with $g_{w_i} = g_i$ (this is what we are looking for) and define $W = \langle w_1, \dots, w_s \rangle \subseteq \mathbb{Z}^r$. Then for $v \in \mathbb{Z}^r$ we have $v \in W$ if and only if $\Phi(g_v) \in \mathbb{Z}[X]$.

New problem: Find $W$ (and then the canonical basis $w_1, \dots, w_s$).

Factoring à la van Hoeij

How to find $W$? Start with $L = \mathbb{Z}^r$ and, as long as $W \subsetneq L$, find $L'$ with $W \subseteq L' \subsetneq L$.

Lattice reduction: For $v \in \mathbb{Z}^r$ we have $v \notin W$ if and only if $\Phi(g_v) \in \mathbb{Z}_p[X] \setminus \mathbb{Z}[X]$. We write $\Phi(f_j) \equiv \sum_{i=0}^{n-1} b_{i,j} X^i \bmod p^k$ and define $\Lambda$ as the lattice spanned by the columns of
$A = \begin{pmatrix} I_r & 0 \\ \tilde A & p^k I_n \end{pmatrix}, \quad \text{where } \tilde A = \begin{pmatrix} b_{0,1} & \cdots & b_{0,r} \\ \vdots & & \vdots \\ b_{n-1,1} & \cdots & b_{n-1,r} \end{pmatrix}$.
Now use LLL on this lattice to find elements in $L \setminus W$ or show that $W = L$.

Theorem (van Hoeij): This algorithm works.

Factoring à la van Hoeij

Why is it better than the original algorithm of Lenstra–Lenstra–Lovász? Instead of computing the coefficients of the irreducible factors, lattice reduction is used only to compute the 0-1 vectors. If a try with too small a precision fails in the original algorithm, we do not gain any information. In the van Hoeij algorithm, it is very often the case that we still gain information (we can compute a smaller lattice $L'$).

Remark:
Berlekamp–Zassenhaus: in theory slow, in practice fast.
Lenstra–Lenstra–Lovász: in theory fast, in practice slow.
(original) van Hoeij: in theory slow (no complexity bound), in practice fast.
Hart–Novocin–van Hoeij: in theory fast, in practice fast.

Thanks!