Lecture 11: Cantor-Zassenhaus Algorithm

Similar documents
Lecture 8: Finite fields

Mathematics for Cryptography

Lecture 15 and 16: BCH Codes: Error Correction

Modern Algebra I. Circle the correct answer; no explanation is required. Each problem in this section counts 5 points.

NOTES ON FINITE FIELDS

Lecture 7: Polynomial rings

Math 345 Sp 07 Day 7. b. Prove that the image of a homomorphism is a subring.

ABSTRACT ALGEBRA 1, LECTURES NOTES 5: SUBGROUPS, CONJUGACY, NORMALITY, QUOTIENT GROUPS, AND EXTENSIONS.

Math 120 HW 9 Solutions

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions.

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Math 4400, Spring 08, Sample problems Final Exam.

Name: Solutions Final Exam

The Berlekamp algorithm

MATH 113 FINAL EXAM December 14, 2012

(Rgs) Rings Math 683L (Summer 2003)

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Algebraic structures I

MATH 3030, Abstract Algebra FALL 2012 Toby Kenney Midyear Examination Friday 7th December: 7:00-10:00 PM

Section VI.33. Finite Fields

Algebra SEP Solutions

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

LECTURE NOTES IN CRYPTOGRAPHY

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

ax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d

ALGEBRA I (LECTURE NOTES 2017/2018) LECTURE 9 - CYCLIC GROUPS AND EULER S FUNCTION

Name: Solutions Final Exam

Elementary Algebra Chinese Remainder Theorem Euclidean Algorithm

Chapter 5. Modular arithmetic. 5.1 The modular ring


Lecture 10: Deterministic Factorization Over Finite Fields

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

Computations/Applications

5 Group theory. 5.1 Binary operations

Modern Algebra Prof. Manindra Agrawal Department of Computer Science and Engineering Indian Institute of Technology, Kanpur

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

The group (Z/nZ) February 17, In these notes we figure out the structure of the unit group (Z/nZ) where n > 1 is an integer.

Number theory (Chapter 4)

Section 0.6: Factoring from Precalculus Prerequisites a.k.a. Chapter 0 by Carl Stitz, PhD, and Jeff Zeager, PhD, is available under a Creative

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

D-MATH Algebra I HS 2013 Prof. Brent Doran. Solution 3. Modular arithmetic, quotients, product groups

A Primer on Homological Algebra

1 First Theme: Sums of Squares

The number of ways to choose r elements (without replacement) from an n-element set is. = r r!(n r)!.

Math 2070BC Term 2 Weeks 1 13 Lecture Notes

ϕ : Z F : ϕ(t) = t 1 =

Introduction to finite fields

1. Algebra 1.7. Prime numbers

ALGEBRA AND NUMBER THEORY II: Solutions 3 (Michaelmas term 2008)

Modular Arithmetic and Elementary Algebra

Section 15 Factor-group computation and simple groups

Honors Algebra 4, MATH 371 Winter 2010 Assignment 3 Due Friday, February 5 at 08:35

Theoretical Cryptography, Lectures 18-20

6 Cosets & Factor Groups

Lecture 6: Finite Fields

FILTERED RINGS AND MODULES. GRADINGS AND COMPLETIONS.

Quasi-cyclic codes. Jay A. Wood. Algebra for Secure and Reliable Communications Modeling Morelia, Michoacán, Mexico October 12, 2012

Algebra Review 2. 1 Fields. A field is an extension of the concept of a group.

Algebraic number theory Revision exercises

Math 451, 01, Exam #2 Answer Key

Math 121 Homework 5: Notes on Selected Problems

Isomorphisms and Well-definedness

Math 581 Problem Set 3 Solutions

Rings. Chapter 1. Definition 1.2. A commutative ring R is a ring in which multiplication is commutative. That is, ab = ba for all a, b R.

Lecture : PSPACE IP

CYCLICITY OF (Z/(p))

Modular Arithmetic Instructor: Marizza Bailey Name:

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

FACTORIZATION OF IDEALS

MTH 346: The Chinese Remainder Theorem

Lecture Examples of problems which have randomized algorithms

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Discrete Math, Fourteenth Problem Set (July 18)

AN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS

To hand in: (a) Prove that a group G is abelian (= commutative) if and only if (xy) 2 = x 2 y 2 for all x, y G.

MITOCW 9ocw-6-451_ mar k_512kb-mp4

17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8

Solutions of exercise sheet 8

1 Fields and vector spaces

Lecture 6: Deterministic Primality Testing

Theoretical Cryptography, Lecture 13

Lecture 15: The Hidden Subgroup Problem

MATH ABSTRACT ALGEBRA DISCUSSIONS - WEEK 8

MATH 361: NUMBER THEORY FOURTH LECTURE

2 ALGEBRA II. Contents

Homework 10 M 373K by Mark Lindberg (mal4549)

Finite Fields: An introduction through exercises Jonathan Buss Spring 2014

Some practice problems for midterm 2

This is an auxiliary note; its goal is to prove a form of the Chinese Remainder Theorem that will be used in [2].

ALGEBRA II: RINGS AND MODULES OVER LITTLE RINGS.

1. multiplication is commutative and associative;

MATH EXAMPLES: GROUPS, SUBGROUPS, COSETS

Finite Fields. [Parts from Chapter 16. Also applications of FTGT]

Math 762 Spring h Y (Z 1 ) (1) h X (Z 2 ) h X (Z 1 ) Φ Z 1. h Y (Z 2 )

Section 18 Rings and fields

ABSTRACT ALGEBRA 1, LECTURE NOTES 5: HOMOMORPHISMS, ISOMORPHISMS, SUBGROUPS, QUOTIENT ( FACTOR ) GROUPS. ANDREW SALCH

Transcription:

CS681 Computational Number Theory Lecture 11: Cantor-Zassenhaus Algorithm Instructor: Piyush P Kurur Scribe: Ramprasad Saptharishi Overview In this class, we shall look at the Cantor-Zassenhaus randomized algorithm for factoring polynomials over F p. We shall do it for the case when p 2. The case when p = 2, which isn t too different from the other case, would be given as an exercise for the students to solve. 1 Irreducibility Testing We left off last class with a hint that the distinct degree factorization infact gives a straightforward irreducibility test. Here is the explicit answer. We are given an f and we need to check if this polynomial is irreducible or not. First check if it is square free. If it isn t, immediately reject it. Else, proceed to compute the distinct degree factors of f. If the degree of f is n, the DDF algorithm returns g 1, g 2,, g n such that each g i is the product of irreducible factors of f of degree d. Now, suppose f was irreducible, then clearly every g i = 1 for 1 i n 1 and g n = f. Thus just check if the returned g i s satisfy this condition. 1.1 Generating Irreducible Elements Suppose are given a positive integer d, we want to efficiently find an irreducible polynomial of degree d over F p. Now before we get into this, why is this important? The answer is that this is the only way we can construct the field F p d. There are lots of applications where we need to do arithmetic over a field of large size and F p would be a candidate only if the prime p is large. And finding such a large prime is hard and inefficient. Instead, we pick a small prime p and try and find an irreducible polynomial of degree d. Once we do that, we have F p [X]/(f(X)) which is isomorphic to F p d. This is precisely finding irreducible polynomials of a given 1

degree is very useful. To generate an irreducible polynomial of degree d, we shall just randomly pick a polynomial of degree d. It can be argued that the probability that this polynomial is irreducible is pretty high. And since we even have a deterministic test to check if a polynomial f is irreducible, we just repeat this procedure: Pick an f F p [X] of degree d at random and repeat this if the irreducibility test says that this polynomial is not irreducible. All we need to do is to argue that the density of irreducible polynomials is large. Theorem 1. Let I(d) be the number of irreducible polynomials of degree d over F p. Then And therefore, I(d) = pd d + O ( p) Pr [f Irr(F p, d)] f F p[x],deg(f)=d p d d + O( p) p d 1 d As for the proof of the theorem, here is a sketch of it. Proof. (sketch) We know that X pm X = Comparing the degrees on both sides, p m = d m f Irr(F p,d) d m I(d) d f(x) Equations of this kind can be inverted using the Möbius Inversion. Lemma 2 (Möbius Inversion). If we have any equation of the form f(m) = d m g(d) then g(m) = d m µ(d)f(m/d) 2

Exercise: Read up on the Möbius Inversion. With the inversion formula, once can complete the proof of the theorem by taking f(m) = p m and g(m) = I(m) m. 2 The Cantor-Zassenhaus Algorithm Now we get to factoring a polynomial over F p. Given a polynomial of degree f over F p, it is enough to get one non-trivial 1 factor of f. As we said in the last few lectures, the first thing to do is to check if f is square free. If it isn t we can just return the square-free part of f as a factor and be done. If it is square-free, we compute the distinct degree factorization of f. If f turns out to be irreducible, we just return irreducible. Else, we have to proceed to find a non-trivial factor of f. We shall factor each g i returned by the DDF algorithm separately. Hence, we now assume that we have an f F p [X] = g 1 g m such that each g i is irreducible, distinct and of the same degree d. Here enters our old friend Chinese Remaindering. Since f = g 1 g m, we know that F p [X]/(f(X)) = F p [X]/(g 1 (X)) F p [X]/(g m (X)) Now note that each g i is an irreducible polynomial of degree d. And therefore, F p [X]/(g i (X)) is isomorphic to F p d. Hence the product just looks like F p [X]/(f(X)) = F p d F p d And further, we know that (F p [X]/(f(X))) = F p d F p d Now what do zero divisors, say g, in F p [X]/(f) look like? When you take the image under the chinese remaindering, it should go to some tuple (a 1, a 2,, a m ) where some a i = 0. Further, if this zero divisor is nontrivial (0 is a trivial zero-divisor, useless), some other a j 0. What does this mean? g has a 0 in coordinate i which means that g is divisible by g i, and hence g 1. And also, g is non-zero at coordinate j and therefore g j does not divide g and hence g f. Thus, gcd(g, f) is certainly not f nor 1 and hence is a non-trivial factor of f. 1 trivial factors of f are 1 and f. Factors though they may be, are useless for us. 3

Therefore, the problem of finding factors reduces to the problem of finding zero divisors in F p [X]/(f(X)). 2.1 Finding Zero-Divisors The idea is the following. We cross our fingers and pick a polynomial a(x) of degree less than n at random. This is some element from F p [X]/(f(X)). If we are extremely lucky we might just get gcd(a, f) 1, and this already gives us a non-trivial factor of f and we are done. Hence, lets assume that a is not a zero-divisor of the ring. And therefor, a must be an element of (F p [X]/(f)), an invertible element. Note that since we do not know the factors g i, we do not know the chinese remainder map. We just know that a map exists, we don t know how to compute it. But suppose someone secretly told us that one of the coordinates of a under the chinese remainder map is 1, then what can we do? Look at the images of a(x) + 1. The images of this is just 1 added to every coordinate of the image of a(x). And since someone told us that one of the coordinates was 1, that coordinate in the image of a(x)+1 must be zero! Which means that, a(x) + 1 is a zero divisor. However it is possible that all the coordinates is 1 and that would just make a(x) + 1 = 0 which is useless. Now, how do we make sure that there is some 1 in one of the coordinates and not everywhere? Use the fact that each element of the product is F p d. We know that F p d is an abelian group of order p d 1. And therefore, for every element b in this group, b pd 1 = 1. We need a 1, and therefore we look at the square-root of it. Since we know that b pd 1 = 1, b (pd 1)/2 = 1 which can either be 1 or 1. 2 Let us just call (p d 1)/2 = M. Thus, we have a simple procedure. Pick up some random polynomial a(x) of degree less than n. Check if you are lucky by computing gcd(a, f) and checking if it is 1. Else, compute a(x) (pd 1)/2 mod f(x) using repeated squaring. Now if a was mapping to (a 1, a 2,, a m ), then a M would be mapped to (a M 1,, am m ). And we just saw that each of a M i is either 1 or 1. Claim 3. Each a M i = 1 with probability 1/2, and they are independent. 2 there can t be any other square-roots of 1. This is because square roots of 1 satisfy the equation X 2 1 = 0 and this equation can have only 2 roots in a field 4

Proof. Since the chinese remainder map is an isomorphism and each g i s are distinct, they are clearly independent. To check that the probability that b M = 1 is 1/2, we look at the following map. ψ : F p d {1, 1} b b M Note that the set {1, 1} form a group under multiplication. Infact it can be identified with the group Z/2Z. Exercise: Prove that the map ψ is indeed a group homomorphism. And therefore, the kernel of this map ψ is a subgroup of F of all elements b such that b m = 1. The other coset of this kernel is the set of el- p d ements b such that b M = 1. Since these two are cosets, they are of equal size. Hence a randomly chosen b will have b M = 1 with probability 1/2. And therefore, each a i is 1 or 1 with probability 1/2. Thus the probability that all the coordinates are 1 or all the coordinates are 1 is just 1/2 m. Thus with probability atleast 1 2 m 1, we have some vector that has 1s at certain places and 1s at the rest. Thus, now we are in the case when someone had secretly told us that some coordinate is 1. And therefore, we can pick a random polynomial a(x), raise it to the power M modulo f, and add 1 to it. With probability atleast 1 2 m 1, this will be a zero-divisor and hence gcd(a M + 1, f) will be a non-trivial factor of f. So here is the algorithm: Algorithm 1 CANTOR-ZASSENHAUS ALGORITHM FOR FACTORING Input: A polynomial f F p [X] of degree n. 1: if f is not square-free then 2: return the square-free part 3: end if 4: Compute the distinct degree factors of f. Call them {g 1, g 2,, g n }. 5: if g n 1 then 6: return IRREDUCIBLE 7: end if 8: for all g i 1 do 9: EqualDegreeFactorize(g i, d) 10: end for 5

Algorithm 2 EQUALDEGREEFACTORIZE Input: A polynomial f F p [X] of degree n all of whose m irreducible factors are of degree d. 1: Pick a random polynomial a(x) of degree less than n. 2: if gcd(a, f) 1 then 3: return gcd(a, f) 4: end if 5: Let M = (p d 1)/2. 6: Using repeated squaring, compute a (X) = a(x) M + 1. 7: if a 0 and gcd(a, f) 1 then 8: return gcd(a, f) {Happens with probability atleast 1 2 m 1 } 9: end if 10: Repeat algorithm with a different choice for a. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback