Talk transcript

Polynomial Factorization
Olga Sergeeva
Ferien-Akademie 2004, September 19 – October 1
Overview
Univariate Factorization
• Overview of the algorithms and the required simplifications
• Factoring over finite fields
• Factorization based on Hensel lifting
• LLL algorithm
Multivariate Factorization
• Problems overview
• The idea of the algorithm
• Analysis of correctness probability.
Univariate Factorization – algorithms
We consider factorization of polynomials over the rational
integers, Z, and different approaches to this problem.
Algorithms solving the problem for univariate polynomials:
• Kronecker's interpolation algorithm
• The algorithm which uses Hensel lifting techniques and
factorization over finite fields
• A. K. Lenstra, H. W. Lenstra and Lovász – a polynomial time
algorithm using basis reduction techniques for lattices.
Univariate Factorization – simplifications
When factoring a univariate polynomial over Z, the following
simplifications are effective:
• removing the integer content of F(Z)
• computing the square free decomposition (with use of GCD
computations or modular interpolation techniques).
• one could try to monicize F(Z), but this increases the size of
the coefficients of F and in most cases is not worthwhile:
$f_0^{d-1} F(Z) = (f_0 Z)^d + f_1 (f_0 Z)^{d-1} + \dots + f_d f_0^{d-1}$
Examples
Factorization of polynomials over Z will not be
more fine-grained, but will only be coarser
than factorization over any $\mathbb{F}_p$.
For example, $x^4 + 1$ has only complex roots and thus
it is irreducible over Z. But it is factorizable
over any $\mathbb{F}_p$.
For instance, $x^4 + 1 \equiv (x^2 + 2)(x^2 - 2) \pmod 5$
Univariate Factorization – over Fp
Let f be a polynomial with coefficients from $\mathbb{F}_p$.
First, we get rid of squares:
$f = \prod f_i^{n_i}$, so $d = (f, f') = \prod_{p \nmid n_i} f_i^{n_i - 1} \cdot \prod_{p \mid n_i} f_i^{n_i}$
$\dfrac{f}{d} = \prod_{p \nmid n_i} f_i$ and is free of squares.
If $\deg d = \deg f$, we proceed with d.
In the case $0 < \deg d < \deg f$, $d = \prod_{p \nmid n_i} f_i^{n_i - 1} \cdot g^p$, $\deg g < \deg f$,
and the factorisation of d can be 'constructed' out of the factorisation of g.
Factorization over Fp - theoretical basis
Theorem. Let $f \in \mathbb{F}_p[x]$ be a monic polynomial.
a) Let $h \in \mathbb{F}_p[x]$ with $h^p \equiv h \pmod f$. Then
$f(x) = \prod_{a \in \mathbb{F}_p} \left(f(x),\, h(x) - a\right)$.
b) Let $f = f_1 \cdots f_k$ be the factorization of the square free f into irreducibles. Then h satisfies $h^p \equiv h \pmod f$ $\Leftrightarrow$
$h(x) \equiv a_i \pmod{f_i}$, $a_i \in \mathbb{F}_p$. Furthermore, there is a
one-to-one correspondence between tuples $(a_1, \dots, a_k)$ and
such polynomials h with $\deg h < \deg f$.
Is there any use of this theorem?
Let us now understand that the equation
$(h(x))^p \equiv h(x) \pmod f$
is in fact equivalent to a system of linear equations over $\mathbb{F}_p$.
Indeed, let $h(x) = t_0 + t_1 x + \dots + t_{n-1} x^{n-1}$.
Due to the fact that we are over $\mathbb{F}_p$,
$(h(x))^p = h(x^p) = t_0 + t_1 x^p + \dots + t_{n-1} x^{p(n-1)}$
(because almost all the binomial coefficients are divisible by p).
And what?
$(h(x))^p = h(x^p) = t_0 + t_1 x^p + \dots + t_{n-1} x^{p(n-1)}$
Also,
$x^{pj} \equiv \sum_{i=0}^{n-1} q_{ij} x^i \pmod f$
and we get a system of linear equations
$\sum_{j=0}^{n-1} t_j q_{ij} = t_i,\quad i = 0, \dots, n-1.$
The dimension of its solution space is k, where k is the number of
irreducible factors of f.
The last slide about finite fields
We now know how many factors there are.
Let $h_1 = 1, h_2, \dots, h_k$ be a basis. If k=1 then f is irreducible.
In the case k>1, we search for $\mathrm{GCD}(f(x), h_2(x) - a)$ for all $a \in \mathbb{F}_p$.
As a result, we get a number of divisors of f: $g_1, \dots, g_s$.
If s<k, we calculate $\mathrm{GCD}(g_i(x), h_3(x) - a)$ and so on.
At the end, we will get all the k factors: for two different factors $f_1, f_2$
and $a_1 \ne a_2$, there is h with $h(x) \equiv a_1 \pmod{f_1}$, $h(x) \equiv a_2 \pmod{f_2}$ $\Rightarrow$
there exists an element $h_i$ from the basis such that
$h_i(x) \equiv a_{1i} \pmod{f_1}$ and $h_i(x) \equiv a_{2i} \pmod{f_2}$, $a_{1i} \ne a_{2i}$.
No, this is the last one
If now instead of $h_i(x) - a = h_i(x) - a \cdot h_1(x)$ we take
$H(x) = a_1 h_1(x) + \dots + a_k h_k(x)$, where $a_1, \dots, a_k$ are randomly
chosen from $\mathbb{F}_p$, and calculate $\mathrm{GCD}(f, H^{(p-1)/2} - 1)$, with
high probability we will get a nontrivial factorization at the
very beginning.
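The finite-field slides carried out in Python, as an added example (this is not code from the talk; the helper names trim, pdivmod, nullspace and berlekamp are the example's own): check that f is free of squares with GCD(f, f'), build the matrix of x^{pj} mod f, take the nullspace of (Q − I)^T, whose dimension is the number k of irreducible factors, and then split with GCD(g, h_i − a) over all a in F_p. It is run on x^4 + 1 from the Examples slide, which is irreducible over Z but splits modulo 5, 3 and 17.

```python
# Added example, not code from the talk: Berlekamp's algorithm over F_p as on the
# finite-field slides.  Polynomials are coefficient lists, lowest degree first.
def trim(a):
    """Drop leading zero coefficients, keeping at least one entry."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def pmod(a, p):
    return trim(c % p for c in a)

def pmul(a, b, p):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)

def pdivmod(a, b, p):
    """Quotient and remainder in F_p[x]; b must be non-zero modulo p."""
    a, b = pmod(a, p), pmod(b, p)
    inv = pow(b[-1], -1, p)
    q = [0] * max(1, len(a) - len(b) + 1)
    while len(a) >= len(b) and a != [0]:
        d, c = len(a) - len(b), a[-1] * inv % p
        q[d] = c
        for i, y in enumerate(b):
            a[d + i] = (a[d + i] - c * y) % p
        a = trim(a)
    return trim(q), a

def pgcd(a, b, p):
    """Monic GCD in F_p[x]."""
    a, b = pmod(a, p), pmod(b, p)
    while b != [0]:
        a, b = b, pdivmod(a, b, p)[1]
    return [c * pow(a[-1], -1, p) % p for c in a]

def derivative(a, p):
    return trim([i * c % p for i, c in enumerate(a)][1:] or [0])

def nullspace(rows, p):
    """Basis of {t : M t = 0} over F_p, M given as a list of rows (Gauss-Jordan)."""
    rows = [r[:] for r in rows]
    n, pivots, r = len(rows[0]), [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        rows[r] = [x * pow(rows[r][c], -1, p) % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [(x - rows[i][c] * y) % p for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = -rows[i][free] % p
        basis.append(v)
    return basis

def berlekamp(f, p):
    """Sorted monic irreducible factors of a square-free f in F_p[x]."""
    f = pmod(f, p)
    f = [c * pow(f[-1], -1, p) % p for c in f]          # make f monic
    assert pgcd(f, derivative(f, p), p) == [1], "f must be square-free"
    n = len(f) - 1
    xp, base, e = [1], [0, 1], p                        # x^p mod f by square-and-multiply
    while e:
        if e & 1:
            xp = pdivmod(pmul(xp, base, p), f, p)[1]
        base = pdivmod(pmul(base, base, p), f, p)[1]
        e >>= 1
    Q, row = [], [1]                                    # row j: coefficients q_ij of x^{pj} mod f
    for _ in range(n):
        Q.append(row + [0] * (n - len(row)))
        row = pdivmod(pmul(row, xp, p), f, p)[1]
    # The system sum_j t_j q_ij = t_i from the slides is (Q - I)^T t = 0;
    # its solution space has dimension k = number of irreducible factors.
    basis = nullspace([[(Q[j][i] - (i == j)) % p for j in range(n)] for i in range(n)], p)
    k, factors = len(basis), [f]
    for h in basis:                                     # split with GCD(g, h - a), a in F_p
        if len(factors) == k:
            break
        h, refined = trim(h), []
        for g in factors:
            rem = g
            for a in range(p):
                if len(rem) == 1:
                    break
                d = pgcd(rem, [(h[0] - a) % p] + h[1:], p)
                if len(d) > 1:
                    refined.append(d)
                    rem = pdivmod(rem, d, p)[0]
        factors = refined
    return sorted(factors)
```

The splitting loops over every a in F_p for each basis element, which is the deterministic form of the slides; for large p the randomized variant with H = a_1 h_1 + ... + a_k h_k and GCD(f, H^{(p-1)/2} - 1) from the last slide avoids that loop.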
Univariate Factorization over Z
Square free decomposition computing:
Let $f = f_1^{n_1} \cdots f_k^{n_k}$ be the factorization of f
over Z.
Then $f' = f_1^{n_1 - 1} \cdots f_k^{n_k - 1} \cdot g$. So over Z $(f, f') = f_1^{n_1 - 1} \cdots f_k^{n_k - 1}$.
We can divide f by $(f, f')$ and thus get a polynomial free of
squares.
From now on, cont(f)=1 and GCD(f,f')=1.
Univariate Factorization algorithm (UFA)
The classical univariate factorization algorithm consists of three
steps:
1. Choose a ‘good’ random rational prime p and factor f into
irreducible factors modulo p:
$f(z) \equiv f_1^{e_1}(z) f_2^{e_2}(z) \cdots f_k^{e_k}(z) \pmod p$
2. Use Newton’s iteration to lift the $f_i$ to factors modulo $p^l$:
$f(z) \equiv f_1^{e_1}(z) \cdots f_k^{e_k}(z) \pmod{p^l}$
3. Combine the $f_i$, as needed, into true divisors of f over Z.
UFA: step 1
Step 1, ‘choose a ‘good’ random rational prime p and factor f
into irreducible factors modulo p’:
The best primes in the first step are those for which the
factorization of f modulo p is as close as possible to the
factorization of f over Z. This is a reason to try several
primes and pick the one that gives the coarsest factorization.
Modulo each of these primes, we compare the square free
decompositions.
Then apply one of the univariate finite field factorization
algorithms.
Hensel techniques reminder
$f \equiv a f_1 \cdots f_k \pmod p$
We will use this factorization to get the factorization of f
modulo $p^m$.
More precisely, if we have $f \equiv f_1 f_2 \pmod{p^m}$, $f, f_1, f_2 \in \mathbb{Z}[x]$,
$\deg f = \deg f_1 + \deg f_2$; $\mathrm{lc}(f_1) = 1$; $\mathrm{GCD}(f_1, f_2) = 1 \pmod p$,
we will call Hensel continuation of this factorization a factorization
$f \equiv \tilde f_1 \tilde f_2 \pmod{p^{m+1}}$ with
$\tilde f_i \equiv f_i \pmod{p^m}$ and $\deg \tilde f_i = \deg f_i$.
Hensel techniques reminder
Lemma (Hensel)
If $m \ge 1$ then for any factorization $f \equiv f_1 f_2 \pmod{p^m}$ satisfying
the above conditions, there exists its Hensel continuation
$f \equiv \tilde f_1 \tilde f_2 \pmod{p^{m+1}}$, and the polynomials $\tilde f_1$ and $\tilde f_2$ are
defined uniquely modulo $p^{m+1}$.
UFA: step 2
Step 2, ‘Use Newton’s iteration to lift the $f_i$ to factors modulo $p^l$’.
We choose l considering the bounds on the coefficients of the
factors.
Theorem (Mignotte). Let
$f(x) = a_0 + a_1 x + \dots + a_m x^m$ and $g(x) = b_0 + b_1 x + \dots + b_n x^n$,
$g \mid f$. Then $|b_j| \le \binom{n-1}{j} |f| + \binom{n-1}{j-1} |a_m|$, where
$|f| = \sqrt{a_0^2 + \dots + a_m^2}$.
UFA: step 2
We have an upper bound for the coefficients of the factors of f, say M. We
then choose l such that
$p^l > 2 \cdot \mathrm{lc}(f) \cdot M$
Let $g(x) = a_1 x^s + \dots \in \mathbb{Z}[x]$ be a factor of f.
$a_2 = \dfrac{a}{a_1} \in \mathbb{N}$ (here $a = \mathrm{lc}(f)$ as in the Hensel reminder), $a_2 g \equiv a f_{i_1} \cdots f_{i_d} \pmod p$
The polynomial $a_2 g$ can be uniquely reconstructed from
$a f_1 \cdots f_k \pmod{p^l}$, because
$-\tfrac{1}{2} p^l < \mathrm{coeff}(a_2 g) < \tfrac{1}{2} p^l$.
UFA: step 3
Step 3, ‘Combine the $f_i$, as needed, into true divisors of f over Z’
This is the most time consuming step. We need:
• once we have a potential factor of f modulo $p^l$, to convert it to
a factor over Z
• do a test division to see if it is actually a factor
Trick that lets us avoid excessive trial divisions:
$g(z) \mid f(z) \Rightarrow \forall t \in \mathbb{Z}:\ g(t) \mid f(t)$
If the check failed for integers, there is no need to perform it for
polynomials.
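The three UFA steps carried out in Python, as an added example that is not code from the talk. It assumes lc(f) = 1 and a prime p modulo which f splits into distinct linear factors, so step 1 is a brute-force root search, step 2 lifts each factor x − r by Newton's iteration (the Hensel continuation of the Hensel reminder, in its linear case) up to the l fixed by the Mignotte bound, and step 3 recombines subsets of roots, maps coefficients to (−p^l/2, p^l/2], and applies the g(1) | f(1) trick before any trial division. The input f = x^4 − 5x^2 + 6 = (x^2 − 2)(x^2 − 3) with p = 23 is constructed for the example; all function names are the example's own.

```python
# Added example, not code from the talk: the three UFA steps for a monic
# square-free f in Z[x], with a prime p modulo which f splits into distinct
# linear factors.  Step 1 is then a root search, step 2 lifts each root by
# Newton's iteration (the Hensel continuation of x - r), and step 3 recombines
# roots, using the g(1) | f(1) trick before any trial division.
import math
from itertools import combinations

def peval(f, x, mod=None):
    """Horner evaluation of f (coefficient list, lowest degree first) at x."""
    r = 0
    for c in reversed(f):
        r = r * x + c if mod is None else (r * x + c) % mod
    return r

def trim(a):
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def mignotte_bound(f):
    """Mignotte: a divisor b_0 + ... + b_n x^n of f has
    |b_j| <= C(n-1, j)|f| + C(n-1, j-1)|lc(f)|; taken with n = deg f - 1."""
    n, norm = len(f) - 2, math.sqrt(sum(c * c for c in f))
    comb = lambda a, b: math.comb(a, b) if 0 <= b <= a else 0
    return math.ceil(max(comb(n - 1, j) * norm + comb(n - 1, j - 1) * abs(f[-1])
                         for j in range(n + 1)))

def choose_l(p, lc, M):
    """Step 2: least l with p^l > 2 lc(f) M, so every factor coefficient is recoverable."""
    l = 1
    while p ** l <= 2 * lc * M:
        l += 1
    return l

def roots_mod_p(f, p):
    """Step 1 by brute force; this example needs f to split into distinct linear factors mod p."""
    df = [i * c for i, c in enumerate(f)][1:]
    roots = [r for r in range(p) if peval(f, r, p) == 0]
    assert len(roots) == len(f) - 1, "f does not split into linear factors modulo p"
    assert all(peval(df, r, p) for r in roots), "f is not square-free modulo p"
    return roots

def lift_root(f, r, p, l):
    """Hensel continuation of x - r from modulo p to modulo p^l (Newton's iteration)."""
    df = [i * c for i, c in enumerate(f)][1:]
    for m in range(1, l):
        mod = p ** (m + 1)
        r = (r - peval(f, r, mod) * pow(peval(df, r, mod), -1, mod)) % mod
    return r

def symmetric_product(roots, mod):
    """prod (x - r) modulo mod with coefficients mapped to (-mod/2, mod/2]."""
    g = [1]
    for r in roots:
        g = [(a - r * b) % mod for a, b in zip([0] + g, g + [0])]
    return [c if c <= mod // 2 else c - mod for c in g]

def zdivmod(a, b):
    """Quotient and remainder of a by a monic b over Z."""
    a, q = list(a), [0] * (len(a) - len(b) + 1)
    for d in range(len(a) - len(b), -1, -1):
        q[d] = c = a[d + len(b) - 1]
        for i, y in enumerate(b):
            a[d + i] -= c * y
    return q, trim(a[:len(b) - 1] or [0])

def factor_over_Z(f, p):
    """UFA for monic f: (irreducible factors over Z, counters for the step-3 filter)."""
    assert f[-1] == 1, "this example assumes lc(f) = 1"
    l = choose_l(p, f[-1], mignotte_bound(f))
    pl = p ** l
    roots = [lift_root(f, r, p, l) for r in roots_mod_p(f, p)]
    stats = {"candidates": 0, "evaluation_rejected": 0, "divisions": 0}
    found, s = [], 1
    while 2 * s <= len(roots):                 # subsets of s roots against their cofactor
        for subset in combinations(roots, s):
            g = symmetric_product(subset, pl)  # candidate factor reconstructed over Z
            stats["candidates"] += 1
            g1 = peval(g, 1)                   # g | f implies g(1) | f(1)
            if g1 != 0 and peval(f, 1) % g1 != 0:
                stats["evaluation_rejected"] += 1
                continue
            stats["divisions"] += 1
            q, rem = zdivmod(f, g)
            if rem == [0]:
                found.append(g)
                f, roots = q, [r for r in roots if r not in subset]
                break
        else:
            s += 1
    found.append(f)                            # the cofactor left over is irreducible
    return found, stats
```

On the constructed input the bound gives M = 17, so l = 2 and all work happens modulo 529; of the seven candidate products only x^2 − 2 passes the integer check, so a single polynomial trial division is performed.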
Asymptotically Good Algorithms
Lenstra, Lenstra, Lovász. Factoring polynomials with rational
coefficients. 1982
The algorithm takes
$O(n^{12} + n^9 (\ln |f|)^3)$
operations.
Asymptotically Good Algorithms: definitions
A subset $L \subset \mathbb{R}^n$ is called a lattice if there exists a
basis $b_1, \dots, b_n$ of $\mathbb{R}^n$ such that
$L = \sum_{i=1}^{n} \mathbb{Z} b_i = \left\{ \sum_{i=1}^{n} r_i b_i : r_i \in \mathbb{Z} \right\}$
Asymptotically Good Algorithms: idea
The beginning is the same as in the previous algorithm: the
polynomial f is factored modulo a prime number p. Then an
irreducible factor h modulo a power of p is computed, using
Hensel’s techniques.
After this an irreducible factor $h_0$ of f in Z[x] such that $h \mid h_0 \pmod p$
is searched for.
In our terms, $h \mid h_0 \pmod{p^k}$ will imply that the coefficients of $h_0$ are the
points of some lattice
and $h_0 \mid f$ will imply that the coefficients of $h_0$ are ‘not
too large’ (in other words, a short vector in the lattice
corresponds to the searched irreducible factor).
Lattices and factorization
Summing up, we need an algorithm for constructing an
irreducible factor $h_0$ of f given an irreducible factor h modulo
p (with lc(h)=1).
It is convenient to generalize the problem:
Given an irreducible factor h modulo $p^k$ of the square free
polynomial f, with lc(h)=1, find irreducible $h_0$ such that $h \mid h_0$
modulo p.
Lattices and factorization
$h \mid h_0 \pmod{p^k} \Rightarrow h \mid h_0 \pmod p$
Let n=deg f, l=deg h. Fix some $m \ge l$ and consider the set S of
polynomials over Z[x] with degree not higher than m, divisible
by h modulo $p^k$.
If $\deg h_0 \le m$, $h_0$ belongs to S.
We can think of polynomials of degree less than or equal to m as
of points in $\mathbb{R}^{m+1}$ $(g(x) = a_0 + \dots + a_m x^m \mapsto (a_0, \dots, a_m))$.
Then the polynomials from S form a lattice L with basis
$p^k x^i,\ 0 \le i < l;\quad h(x) x^j,\ 0 \le j \le m - l$
Lattices and factorization: two theorems
Theorem 1. If a polynomial $b \in L$ is such that
$|b|^n |f|^m < p^{kl}$, then $h_0 \mid b$ (in particular, $\mathrm{GCD}(f, b) \ne 1$).
Theorem 2. Let $b_1, \dots, b_{m+1}$ be a reduced basis of the lattice L.
Suppose that
$p^{kl} > 2^{mn/2} \binom{2m}{m}^{n/2} |f|^{m+n}$.
a) Then $\deg h_0 \le m \Leftrightarrow |b_1| < \left(p^{kl} |f|^{-m}\right)^{1/n}$.
b) Suppose that for some $b_j$
$|b_j| < \left(p^{kl} |f|^{-m}\right)^{1/n}$ (1)
Let t be the largest of such j. Then
$\deg h_0 = m + 1 - t$, $h_0 = \mathrm{GCD}(b_1, \dots, b_t)$ and (1) holds for $j = 1, \dots, t$.
Auxiliary algorithm
With fixed m, the algorithm checks if $\deg h_0 \le m$.
If it is, the algorithm calculates $h_0$.
Input: f of degree n; prime p; natural k; h such that lc(h)=1 and
$h \mid f \pmod{p^k}$, also $h \pmod p$ is irreducible and $f \pmod p$ is
not divisible by $h^2 \pmod p$;
natural $m \ge l = \deg h$ such that
$p^{kl} > 2^{mn/2} \binom{2m}{m}^{n/2} |f|^{m+n}$.
Work: For the lattice with basis
$p^k x^i,\ 0 \le i < l;\quad h(x) x^j,\ 0 \le j \le m - l$
find a reduced basis $b_1, \dots, b_{m+1}$.
If $|b_1| \ge \left(p^{kl} |f|^{-m}\right)^{1/n}$ then $\deg h_0 > m$ and the algorithm stops.
Otherwise, $\deg h_0 \le m$ and $h_0 = \mathrm{GCD}(b_1, \dots, b_t)$.
The main algorithm
Calculation of $h_0$.
l=deg h < deg f=n.
Work:
Calculate the least k for which
$p^{kl} > 2^{mn/2} \binom{2m}{m}^{n/2} |f|^{m+n}$
holds with m=n-1.
For the factorization $f \equiv hg \pmod p$ calculate its Hensel lifting
$f \equiv \tilde h \tilde g \pmod{p^k}$, $\tilde h \equiv h \pmod p$.
Let u be the greatest integer with $l \le \dfrac{n-1}{2^u}$.
Run the auxiliary algorithm for $m = \left\lfloor \dfrac{n-1}{2^u} \right\rfloor, \left\lfloor \dfrac{n-1}{2^{u-1}} \right\rfloor, \dots, \left\lfloor \dfrac{n-1}{2} \right\rfloor, n-1$
until we get $h_0$.
And if we don’t get it, $\deg h_0 > n-1$ and $h_0$ is equal to f.
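The auxiliary and main algorithms carried out in Python, as an added example that is not code from the talk or from the LLL paper. To keep the Hensel step short it assumes the given factor h is linear, h = x − r, so lifting h to modulo p^k is Newton's iteration on r; the lattice basis p^k x^i, h(x) x^j, the bound on p^{kl}, the test (1) on |b_j|, the count t and h_0 = GCD(b_1, ..., b_t) follow the slides, with both inequalities squared so that they are evaluated in exact integer arithmetic. The input f = x^4 − 5x^2 + 6, p = 23 and the root r = 5 of x^2 − 2 modulo 23 are constructed for the example; all function names are the example's own.

```python
# Added example, not code from the talk: the lattice search for the irreducible
# factor h0 of f in Z[x] divisible by a given factor h modulo p^k (auxiliary and
# main algorithm), with h linear.  Polynomials are coefficient lists, lowest degree first.
import math
from fractions import Fraction
from functools import reduce

def lll(basis, delta=Fraction(3, 4)):
    """LLL reduction of an integer lattice basis (list of row vectors), exact arithmetic."""
    b = [[Fraction(x) for x in v] for v in basis]
    n = len(b)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gram_schmidt():
        bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
            bs.append(v)
        return bs, mu
    k = 1
    while k < n:
        bs, mu = gram_schmidt()
        for j in range(k - 1, -1, -1):                   # size reduction of b_k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bs, mu = gram_schmidt()
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                                        # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
    return [[int(x) for x in v] for v in b]

def peval(f, x, mod):
    return reduce(lambda r, c: (r * x + c) % mod, reversed(f), 0)

def lift_root(f, r, p, k):
    """Hensel continuation of the factor x - r from modulo p up to modulo p^k."""
    df = [i * c for i, c in enumerate(f)][1:]
    for m in range(1, k):
        mod = p ** (m + 1)
        r = (r - peval(f, r, mod) * pow(peval(df, r, mod), -1, mod)) % mod
    return r

def bound_holds(p, k, l, m, n, f2):
    """p^{kl} > 2^{mn/2} C(2m,m)^{n/2} |f|^{m+n}, squared to stay in integers (f2 = |f|^2)."""
    return p ** (2 * k * l) > 2 ** (m * n) * math.comb(2 * m, m) ** n * f2 ** (m + n)

def is_short(b, p, k, l, m, n, f2):
    """Condition (1): |b| < (p^{kl} |f|^{-m})^{1/n}, i.e. |b|^n |f|^m < p^{kl}, squared."""
    return sum(x * x for x in b) ** n * f2 ** m < p ** (2 * k * l)

def qgcd(a, b):
    """GCD in Q[x] of integer polynomials, returned primitive with positive leading coefficient."""
    a, b = [Fraction(x) for x in a], [Fraction(x) for x in b]
    while any(b):
        while b[-1] == 0: b.pop()
        while len(a) >= len(b) and any(a):                # a <- a mod b
            c, d = a[-1] / b[-1], len(a) - len(b)
            for i, y in enumerate(b):
                a[d + i] -= c * y
            while len(a) > 1 and a[-1] == 0: a.pop()
        a, b = b, a
    while len(a) > 1 and a[-1] == 0: a.pop()
    den = reduce(lambda u, v: u * v // math.gcd(u, v), (x.denominator for x in a), 1)
    ints = [int(x * den) for x in a]
    g = reduce(math.gcd, ints) * (1 if ints[-1] > 0 else -1)
    return [x // g for x in ints]

def auxiliary(f, p, k, h, m):
    """Auxiliary algorithm: h0 if deg h0 <= m, otherwise None (Theorem 2)."""
    n, l, f2 = len(f) - 1, len(h) - 1, sum(c * c for c in f)
    assert bound_holds(p, k, l, m, n, f2), "k too small for this m"
    basis = [[0] * i + [p ** k] + [0] * (m - i) for i in range(l)]               # p^k x^i
    basis += [[0] * j + list(h) + [0] * (m - l - j) for j in range(m - l + 1)]   # h(x) x^j
    reduced = lll(basis)
    t = 0
    while t < m + 1 and is_short(reduced[t], p, k, l, m, n, f2):
        t += 1
    if t == 0:
        return None                                        # |b1| not short: deg h0 > m
    return reduce(qgcd, reduced[1:t], qgcd(reduced[0], [0]))   # h0 = GCD(b1, ..., bt)

def least_k(p, l, n, f2):
    k = 1                                                  # least k for the bound with m = n - 1
    while not bound_holds(p, k, l, n - 1, n, f2):
        k += 1
    return k

def factor_by_lattice(f, p, r):
    """Main algorithm for h = x - r modulo p: the irreducible h0 | f with h | h0 (mod p)."""
    n, l, f2 = len(f) - 1, 1, sum(c * c for c in f)
    assert peval(f, r, p) == 0, "r must be a root of f modulo p"
    k = least_k(p, l, n, f2)
    h = [-lift_root(f, r, p, k) % p ** k, 1]                # Hensel lifting of h
    u = 0
    while l <= (n - 1) // 2 ** (u + 1):
        u += 1
    for m in [(n - 1) // 2 ** j for j in range(u, -1, -1)]:   # m = [(n-1)/2^u], ..., n-1
        h0 = auxiliary(f, p, k, h, m)
        if h0 is not None:
            return h0
    return list(f)                                          # deg h0 > n - 1: h0 = f
```

For the constructed input the bound with m = n − 1 = 3 first holds at k = 8, the main algorithm tries m = 1 (no short b_1, so deg h_0 > 1) and then m = 3, where the first two reduced vectors satisfy (1), giving t = 2, deg h_0 = 2 and h_0 = x^2 − 2. The LLL routine recomputes the Gram-Schmidt data after every step, which is fine for a 4-dimensional lattice but not how a production implementation would do it.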
Multivariate factorization
The reductions and simplifications, which were used in the case of univariate
polynomials, are not proper when dealing with multivariate ones.
$F(X_1, \dots, X_v) = \prod_{1 \le i \le v} (X_i^n - 1)(X_i^{n-1} - 1)$ (4v non-zero terms)
$P_1 = (1 + X_1 + \dots + X_1^{n-1})(1 + X_1 + \dots + X_1^{n-2}) \cdots (1 + X_v + \dots + X_v^{n-1})(1 + X_v + \dots + X_v^{n-2})$
$P_2 = (X_1 - 1)(X_2 - 1) \cdots (X_v - 1)$
$F = P_1 P_2^2$
$P_1$ has $(2n)^n$ non-zero terms, and the factorization of F
has only $v^2 + 4v$ non-zero terms.
Performing this type of square free decomposition before factoring F leads to
exponential intermediate expression swell.
Multivariate factorization: idea
The basic approach used to factor multivariate polynomials is
much the same as the exponential time algorithm for univariate polynomials.
Roughly speaking, we reduce the problem of factoring a
polynomial in n variables to the case of a polynomial in n-1
variables, arriving at one (or two) variables at the end.
Hilbert irreducibility theorem
Let $F(X_1, \dots, X_n, Y)$ be an irreducible polynomial over Q and
let R(N) denote the number of n-tuples over Z with $|x_i| < N$ such
that $F(x_1, \dots, x_n, Y)$ is reducible. Then
$R(N) \le c \cdot N^{n - 1/2} \log N$, where c depends only on the degree
of F.
Hilbert theorem: disadvantages
There is no upper bound on the number of
random points needed.
The approach cannot be applied when working
over a finite field.
Bertini’s theorem
Let $F(X_1, \dots, X_v, Z)$ be an irreducible polynomial of R[Z], where
$R = A[X_1, \dots, X_v]$ and A is an integral domain. Let the degree of F
in Z be d, $\dfrac{\partial F}{\partial Z} \ne 0$.
Let the total degree of $X_1, \dots, X_v$ in F be D. Let L be a
subset of A of cardinality B.
Then $P\left(F(a_1 + b_1 T, \dots, a_v + b_v T, Z)\ \text{is irreducible over}\ A[T, Z] \mid b_i \in L\right) \ge 1 - \dfrac{4 d^2 D}{B}$