Factoring Polynomials over Finite Fields using Balance Test

We study the problem of factoring univariate polynomials over finite fields. Under the assumption of the Extended Riemann Hypothesis (ERH), (Gao, 2001) designed a polynomial time algorithm that fails to factor only if the input polynomial satisfies a…

Authors: Chandan Saha

Symposium on Theoretical Aspects of Computer Science 2008 (Bordeaux), pp. 609-620, www.stacs-conf.org

FACTORING POLYNOMIALS OVER FINITE FIELDS USING BALANCE TEST

CHANDAN SAHA
Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur
E-mail address: csaha@cse.iitk.ac.in

Abstract. We study the problem of factoring univariate polynomials over finite fields. Under the assumption of the Extended Riemann Hypothesis (ERH), Gao [Gao01] designed a polynomial time algorithm that fails to factor only if the input polynomial satisfies a strong symmetry property, namely square balance. In this paper, we propose an extension of Gao's algorithm that fails only under an even stronger symmetry property. We also show that our property can be used to improve the time complexity of the best deterministic algorithms on most input polynomials. The property also yields a new randomized polynomial time algorithm.

Key words and phrases: Algebraic Algorithms, polynomial factorization, finite fields.
© Chandan Saha, Creative Commons Attribution-NoDerivs License.

1. Introduction

We consider the problem of designing an efficient deterministic algorithm for factoring a univariate polynomial with coefficients taken from a finite field. The problem reduces in polynomial time to the problem of factoring a monic, square-free and completely splitting polynomial $f(x)$ with coefficients in a prime field $\mathbb{F}_p$ (see [Ber70], [LN94]). Although there are efficient polynomial time randomized algorithms for factoring $f(x)$ ([Ber70], [CZ81], [vzGS92], [KS95]), as yet there is no deterministic polynomial time algorithm even under the assumption of the Extended Riemann Hypothesis (ERH). In this paper we will assume that ERH is true and that $\xi_1, \xi_2, \ldots, \xi_n$ are the $n$ distinct roots of the input polynomial $f$,
$$f(x) = \prod_{i=1}^{n} (x - \xi_i), \qquad \xi_i \in \mathbb{F}_p.$$

In 2001, Gao [Gao01] gave a deterministic factoring algorithm that fails to find nontrivial factors of $f$ in polynomial time if $f$ belongs to a restricted class of polynomials, namely square balanced polynomials. Motivated by the work of Gao [Gao01], we have defined a proper subclass of square balanced polynomials, namely cross balanced polynomials, such that polynomials that are not cross balanced can be factored deterministically in polynomial time, under the assumption of the ERH.

Our contribution can be summarized as follows. Let $f$ be a monic, square-free and completely splitting polynomial in $\mathbb{F}_p[x]$ with $n$ roots $\xi_1, \ldots, \xi_n$. Our factoring algorithm uses an arbitrary (but deterministically chosen) collection of $k = (n \log p)^{O(1)}$ ($n = \deg(f)$) small degree auxiliary polynomials $p_1(\cdot), \ldots, p_k(\cdot)$, and from each $p_l(\cdot)$ ($1 \le l \le k$) and $f$ it implicitly constructs a simple $n$-vertex digraph $G_l$ such that (for $l > 1$) $G_l$ is a subgraph (not necessarily a proper subgraph) of $G_{l-1}$. A proper factor of $f$ is efficiently retrieved if any one of the graphs is either not regular, or is regular with in degree and out degree of every vertex less than a chosen constant $c$. This condition of regularity of all the $k$ graphs imposes a tight symmetry condition on the roots of $f$, and we point out that this may be exploited to improve the worst case time complexity of the best known deterministic algorithms.
Further, we show that if the polynomials $p_l(\cdot)$ ($1 \le l \le k$) are randomly chosen then the symmetry breaks with high probability and our algorithm works in randomized polynomial time. We call the checking of this symmetry condition a balance test.

We now present a little more detail. Define the sets $\Delta_i$ for $1 \le i \le n$ as
$$\Delta_i = \{\, 1 \le j \le n : j \ne i,\ \sigma((\xi_i - \xi_j)^2) = -(\xi_i - \xi_j) \,\}$$
where $\sigma$ is the square root algorithm described in [Gao01] (see section 2.4). The polynomial $f$ is called a square balanced polynomial (as in [Gao01]) if $\#\Delta_1 = \ldots = \#\Delta_n$. For $l > 1$, define the polynomial $f_l$ as
$$f_l = \prod_{i=1}^{n} \big( x - p_l(\xi_i) \big)$$
where $p_l(\cdot)$ is an arbitrary but deterministically chosen polynomial with degree bounded by $(n \log p)^{O(1)}$. Further, $p_{l_1}(\cdot) \ne p_{l_2}(\cdot)$ for $l_1 \ne l_2$, and $f_1$ is taken to be $f$, i.e. $p_1(y) = y$. Assume that, for a given $k = (n \log p)^{O(1)}$ and for every $l$, $1 \le l \le k$, the polynomial $f_l = \tilde f_l^{\,d_l}$, where $\tilde f_l$ is a square-free and square balanced polynomial and $d_l > 0$. Later, we show that if $f_l$ is not of the above form then a proper factor of $f$ can be retrieved efficiently. For each polynomial $f_l$, $1 \le l \le k$, define the sets $\Delta_i^{(l)}$ for $1 \le i \le n$ as
$$\Delta_i^{(l)} = \{\, 1 \le j \le n : p_l(\xi_i) \ne p_l(\xi_j),\ \sigma((p_l(\xi_i) - p_l(\xi_j))^2) = -(p_l(\xi_i) - p_l(\xi_j)) \,\}.$$
Further, define the sets $D_i^{(l)}$ iteratively over $l$ as
$$D_i^{(1)} = \Delta_i^{(1)}, \qquad D_i^{(l)} = D_i^{(l-1)} \cap \Delta_i^{(l)} \quad \text{for } l > 1.$$
If $D_i^{(l)} = \emptyset$ for all $i$, $1 \le i \le n$, then redefine $D_i^{(l)}$ as $D_i^{(l)} = D_i^{(l-1)}$. For $1 \le l \le k$, let $G_l$ be a directed graph with $n$ vertices $v_1, \ldots, v_n$ such that there is an edge from $v_i$ to $v_j$ if and only if $j \in D_i^{(l)}$. Note that $G_l$ is a subgraph of $G_{l-1}$ for $1 < l \le k$. Denote the in degree and out degree of a vertex $v_i$ by $\mathrm{indeg}(v_i)$ and $\mathrm{outdeg}(v_i)$, respectively.
We say that the graph $G_l$ is regular (or $t$-regular) if $\mathrm{indeg}(v_1) = \mathrm{outdeg}(v_1) = \ldots = \mathrm{indeg}(v_n) = \mathrm{outdeg}(v_n) = t$. Call $t$ the regularity of $G_l$. The following theorem is proved in this paper.

Theorem 1.1. Polynomial $f$ can be factored into nontrivial factors in time $l \cdot (n \log p)^{O(1)}$ if $G_l$ is not regular for some $l$, $1 \le l \le k$. Further, if $G_1, \ldots, G_k$ are all regular and for at least $\lceil \log_2 n \rceil$ of the graphs we have $G_l \ne G_{l-1}$ ($1 < l \le k$), then $f$ can be factored in $k \cdot (n \log p)^{O(1)}$ time.

Note that $G_1$ is regular if and only if $f$ is square balanced, as $\Delta_i^{(1)} = \Delta_i$ for $1 \le i \le n$, and $G_1$ is in fact a regular tournament.

Suppose $f(y)$ splits as $f(y) = (y - X) \cdot f'(y)$ in the quotient ring $R = \mathbb{F}_p[x]/(f)$, where $X = x \bmod f$. Our algorithm iteratively tests the graphs $G_1, G_2, \ldots$ to check whether any one of them is not regular. If at the $l$th iteration the graph $G_l$ turns out to be not regular, then a proper factor of $f$ is obtained in polynomial time. However, if $G_l$ is regular, then the algorithm returns a nontrivial monic factor $g_l(y)$ of $f'(y)$ with degree equal to the regularity of $G_l$. Moreover, $g_l(y)$ is also a factor of (although possibly equal to) $g_{l-1}(y)$, the factor obtained at the $(l-1)$th iteration, and it can be ensured that if $g_l(y)$ is a proper factor of $g_{l-1}(y)$ (which happens iff $G_l \ne G_{l-1}$) then $\deg(g_l(y)) \le \frac{1}{2} \deg(g_{l-1}(y))$. Thus, if the graphs repeatedly turn out to be regular (which in itself is a stringent condition) and for at least $\lceil \log_2 n \rceil$ times it happens that $G_l \ne G_{l-1}$, for $1 < l \le k$, then we obtain a nontrivial linear factor $g(y)$ of $f'(y)$.
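The sequence of graphs just described can be made concrete at the level of the roots. The following Python is an added example, not code from the paper: with constructed roots over $\mathbb{F}_{31}$ and the auxiliary polynomials $p_l(y) = y^l$, it computes $\Delta_i^{(l)}$, $D_i^{(l)}$ (including the null-graph fallback rule) and the regularity of each $G_l$. It assumes $p \equiv 3 \pmod 4$, so that Gao's $\sigma$ reduces to the Euler criterion (section 2.4); the names is_qr, delta_sets, regularity and cross_balance_trace and the sample roots are my own. Unlike the algorithm, which works implicitly in $R$, this code sees the roots, so it only illustrates what the implicit computation is tracking.

```python
"""Root-level view of the balance test over F_p, p = 3 (mod 4).

Added example (not the paper's code).  The algorithm never sees the roots; it
works implicitly in R = F_p[x]/(f).  Here the roots are constructed inputs, so
the sets Delta_i^(l), D_i^(l) and the digraphs G_l of Section 1 can be built
directly and their regularity checked.  Assumption: p = 3 (mod 4), so Gao's
sigma (Section 2.4) satisfies sigma(a^2) = a iff a is a quadratic residue, and
sigma((a-b)^2) = -(a-b) iff b-a is a residue (-1 is a non-residue for such p).
"""


def is_qr(a, p):
    """Euler's criterion for nonzero a mod p."""
    a %= p
    assert a != 0, "is_qr is only defined for nonzero residues"
    return pow(a, (p - 1) // 2, p) == 1


def delta_sets(values, p):
    """Delta_i^(l) for values[i] = p_l(xi_i): j is in the set iff the values differ
    and sigma((values[i]-values[j])^2) = -(values[i]-values[j])."""
    n = len(values)
    return [{j for j in range(n)
             if values[i] != values[j] and is_qr(values[j] - values[i], p)}
            for i in range(n)]


def regularity(out_sets):
    """t if the digraph with edges i -> j (j in out_sets[i]) is t-regular, else None."""
    n = len(out_sets)
    outdeg = [len(s) for s in out_sets]
    indeg = [sum(1 for s in out_sets if j in s) for j in range(n)]
    t = outdeg[0]
    return t if all(d == t for d in outdeg + indeg) else None


def cross_balance_trace(roots, aux_polys, p):
    """Build G_1, G_2, ... for the auxiliary polynomials aux_polys (aux_polys[0]
    must be the identity, p_1(y) = y).  Returns one (regularity, changed) pair per
    graph, where changed means G_l != G_{l-1}; stops at the first non-regular graph,
    which is where Algorithm 2 would already have produced a proper factor."""
    D, trace = None, []
    for l, pl in enumerate(aux_polys):
        delta = delta_sets([pl(xi) % p for xi in roots], p)
        if l == 0:
            new_D = delta
        else:
            new_D = [D[i] & delta[i] for i in range(len(roots))]
            if all(len(s) == 0 for s in new_D):      # null-graph fallback: keep G_{l-1}
                new_D = D
        changed = D is not None and new_D != D
        D = new_D
        t = regularity(D)
        trace.append((t, changed))
        if t is None:
            break
    return trace


# Constructed inputs over F_31 (31 = 3 mod 4 and 31 > 5^2, as Section 3 assumes).
P = 31
ROOTS_UNITY = [1, 2, 4, 8, 16]          # roots of f = x^5 - 1 (2 has order 5 mod 31)
ROOTS_AP = [1, 2, 3, 4, 5]              # roots of f = (x-1)(x-2)(x-3)(x-4)(x-5)
AUX = [lambda y: y, lambda y: y * y, lambda y: y ** 3]   # p_1 = y, p_2 = y^2, p_3 = y^3

if __name__ == "__main__":
    print("x^5 - 1      :", cross_balance_trace(ROOTS_UNITY, AUX, P))
    print("(x-1)...(x-5):", cross_balance_trace(ROOTS_AP, AUX, P))
```

For $f = x^5 - 1$ the trace is [(2, False), (1, True), (1, False)]: $G_1$ is a 2-regular tournament, so $f$ is square balanced (multiplication by a 5th root of unity, which is a quadratic residue because 5 is odd, permutes the roots and preserves the residuosity of differences, so every $G_l$ here is regular); $p_2(y) = y^2$ gives a 1-regular $G_2 \ne G_1$, i.e. the degree of $g_l$ halves and the factor becomes linear, which is where step (8) of Algorithm 2 finishes; $p_3(y) = y^3$ empties every $D_i^{(3)}$ and the fallback keeps $G_2$. For the arithmetic-progression roots $G_1$ is already not regular, so Gao's Algorithm 1 alone factors that $f$.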
The element $-g(0)$ defines a nontrivial endomorphism of the ring $R$, and by using a result from [Evd94] (Lemma 9 in [Evd94]) we can find a proper factor of $f$ in polynomial time. Further, if for only $\epsilon \lceil \log_2 n \rceil$ times we get $G_l \ne G_{l-1}$ ($1 < l \le k$) for some $\epsilon$, $0 < \epsilon \le 1$, then we obtain a nontrivial factor $g(y)$ of $f'(y)$ with degree at most $\frac{n^{1-\epsilon}}{2}$. Now if we apply Evdokimov's algorithm ([Evd94]) on $g(y)$ (instead of $f'(y)$), we can get a proper factor of $f$ in time $\big( n^{\frac{(1-\epsilon)^2}{2} \log n + \epsilon + c_1} \log p \big)^{c_2}$ ($c_1$ and $c_2$ are constants). For most polynomials $\epsilon > 0$ (i.e. at least about $\frac{1}{\log n}$) and this gives an improvement over the time complexity of $\big( n^{\frac{1}{2} \log n + c_1} \log p \big)^{c_2}$ in [Evd94] ($c_1$, $c_2$ are the same constants).

Assuming $n \ll p$, all the best known deterministic algorithms (e.g. [Evd94], [CH00]) use computations in rings with large dimensions over $\mathbb{F}_p$ to get smaller degree factors of $f'(y)$. Unlike these approaches, the balance test is an attempt to exploit an asymmetry among the roots of the input polynomial to obtain smaller degree factors of $f'(y)$ without carrying out computations in rings with large dimensions over $\mathbb{F}_p$. This attribute of our approach yields a better time complexity for most polynomials, as discussed in the previous paragraph.

It is sufficient to choose the auxiliary polynomials $p_l(y)$, $1 < l \le k$, in such a way that the graphs, if regular, are not all the same for too long while their regularities are large. An efficient and deterministic construction of such auxiliary polynomials will immediately imply that factorization of univariate polynomials over finite fields can be done in deterministic polynomial time under ERH. In this paper we assume that the auxiliary polynomials are arbitrary but deterministically chosen polynomials with degree bounded by $(n \log p)^{O(1)}$.
For example, one possibility is to choose $p_l(y) = y^l$ for $1 \le l \le k$. (In fact, Gao [Gao01] used this choice of auxiliary polynomials to define a restricted class of square balanced polynomials called super square balanced polynomials.) We show that if random choices of auxiliary polynomials are allowed then our algorithm works in randomized polynomial time. For the graphs to be all regular and equal, the roots of $f$ must satisfy a tight symmetry condition (given by equal sizes of all the sets $D_i^{(l)}$, for $1 \le i \le n$ and $1 \le l \le k$), and it is only then that our algorithm fails to factor $f$.

Definition 1.1. A polynomial $f$ is called $k$-cross balanced, for $k > 0$, if for every $l$, $1 \le l \le k$, the polynomial $f_l = \tilde f_l^{\,d_l}$, where $\tilde f_l$ is a square-free, square balanced polynomial with $d_l > 0$, and the graph $G_l$ is regular.

It follows from the definition that 1-cross balanced polynomials form the class of square balanced polynomials. Let $k = (n \log p)^{O(1)}$ be some fixed polynomial in $n$ and $\log p$. A polynomial $f$ is called cross balanced if it is $k$-cross balanced and the regularity of the graph $G_k$ is greater than a fixed constant $c$. From Theorem 1.1 and [Evd94] it follows that polynomials that are not cross balanced can be factored deterministically in polynomial time.

2. Preliminaries

Assume that $f$ is a monic, square-free and completely splitting polynomial over $\mathbb{F}_p$ and $R = \mathbb{F}_p[x]/(f)$ is the quotient ring consisting of all polynomials modulo $f$.

2.1. Primitive Idempotents

Elements $\chi_1, \ldots, \chi_n$ of the ring $R$ are called the primitive idempotents of $R$ if $\sum_{i=1}^{n} \chi_i = 1$ and, for $1 \le i, j \le n$, $\chi_i \cdot \chi_j = \chi_i$ if $i = j$ and $0$ otherwise. By the Chinese Remainder Theorem, $R \cong \mathbb{F}_p \oplus \ldots \oplus \mathbb{F}_p$ ($n$ times), such that every element in $R$ can be uniquely represented by an $n$-tuple of elements in $\mathbb{F}_p$.
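As an added example (mine, not the paper's code), the following Python makes this decomposition concrete for a constructed $f$ over $\mathbb{F}_{31}$: it builds the primitive idempotents $\chi_i$ from the roots, reads off the $n$-tuple of an element, and also carries out the characteristic-polynomial computation of section 2.2 exactly as described there (matrix of multiplication by $\alpha$ in the basis $1, X, \ldots, X^{n-1}$, determinant of $yI - M$ evaluated at $n$ points, coefficients recovered by interpolation), which is also how Algorithm 2 in section 3 constructs $f_l$ as the characteristic polynomial of $p_l(X)$. All function names and the sample roots are my own; only char_poly reflects the algorithm's actual situation, since it uses $f$ and $\alpha$ but never the roots.

```python
"""The ring R = F_p[x]/(f) in code: CRT idempotents, n-tuple representation and the
characteristic polynomial of Section 2.2 (added example, not the paper's code).
Polynomials over F_p are coefficient lists, lowest degree first.  The roots are
constructed inputs, used only to build f and to check the CRT picture; char_poly
sees only f and alpha, which is how Section 3 builds f_l = c_{p_l(X)}."""
import functools


def poly_trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return poly_trim(out)


def poly_mod(a, f, p):
    """Remainder of a modulo the monic polynomial f."""
    a = poly_trim(a[:])
    while len(a) >= len(f):
        c, shift = a[-1], len(a) - len(f)
        for i, fi in enumerate(f):
            a[shift + i] = (a[shift + i] - c * fi) % p
        poly_trim(a)
    return a


def poly_from_roots(roots, p):
    return functools.reduce(lambda acc, r: poly_mul(acc, [(-r) % p, 1], p), roots, [1])


def poly_eval(a, x, p):
    return functools.reduce(lambda acc, c: (acc * x + c) % p, reversed(a), 0)  # Horner


def det_mod_p(M, p):
    """Determinant over F_p by Gaussian elimination (inverses via Fermat)."""
    M, n, det = [row[:] for row in M], len(M), 1
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % p), None)
        if piv is None:
            return 0
        if piv != col:
            M[col], M[piv], det = M[piv], M[col], -det
        det = det * M[col][col] % p
        inv = pow(M[col][col], p - 2, p)
        for r in range(col + 1, n):
            factor = M[r][col] * inv % p
            M[r] = [(x - factor * y) % p for x, y in zip(M[r], M[col])]
    return det % p


def interpolate(xs, ys, p):
    """Lagrange interpolation: the polynomial of degree < len(xs) through (xs, ys)."""
    n, out = len(xs), [0] * len(xs)
    for i in range(n):
        num, denom = [1], 1
        for j in range(n):
            if j != i:
                num = poly_mul(num, [(-xs[j]) % p, 1], p)
                denom = denom * (xs[i] - xs[j]) % p
        scale = ys[i] * pow(denom, p - 2, p) % p
        for k, c in enumerate(num):
            out[k] = (out[k] + scale * c) % p
    return poly_trim(out)


def char_poly(alpha, f, p):
    """c_alpha(y) = det(yI - M), M the matrix of beta -> alpha*beta in the basis
    1, X, ..., X^{n-1}.  As in Section 2.2, det(yI - M) is evaluated at n distinct
    points and the coefficients recovered by interpolation (the leading one is 1)."""
    n = len(f) - 1
    cols = []
    for j in range(n):                        # column j: alpha * X^j reduced mod f
        col = poly_mod(poly_mul(alpha, [0] * j + [1], p), f, p)
        cols.append(col + [0] * (n - len(col)))
    M = [[cols[j][i] for j in range(n)] for i in range(n)]
    xs = list(range(n))                       # needs p > n
    ys = [(det_mod_p([[((y if i == j else 0) - M[i][j]) % p for j in range(n)]
                      for i in range(n)], p) - pow(y, n, p)) % p for y in xs]
    rest = interpolate(xs, ys, p)             # det(yI - M) - y^n has degree < n
    return poly_trim(rest + [0] * (n - len(rest)) + [1])


def idempotents(roots, p):
    """chi_i = prod_{j != i} (x - xi_j) / (xi_i - xi_j), the primitive idempotents of R."""
    chi = []
    for i, r in enumerate(roots):
        num = poly_from_roots([s for j, s in enumerate(roots) if j != i], p)
        inv = pow(poly_eval(num, r, p), p - 2, p)
        chi.append([c * inv % p for c in num])
    return chi


def to_tuple(alpha, roots, p):                # alpha = sum_i a_i chi_i  with  a_i = alpha(xi_i)
    return [poly_eval(alpha, r, p) for r in roots]


P = 31
ROOTS = [1, 2, 4, 8, 16]                      # constructed: 5th roots of unity mod 31, f = x^5 - 1
F = poly_from_roots(ROOTS, P)
```

With $\alpha = X + 1$ the tuple is $(2, 3, 5, 9, 17)$ and char_poly returns $f(y-1) = (y-1)^5 - 1$, i.e. $\prod_i (y - \xi_i - 1)$; with $\alpha = X^2$ the roots are permuted and $c_\alpha = f$; with $\alpha = X^5$ every root maps to $1$ and $c_\alpha = (y-1)^5$, which is the shape $f_l = \tilde f_l^{\,d_l}$ with $d_l = 5$ that Lemma 3.1 handles. The idempotents returned by idempotents sum to $1$ and satisfy $\chi_i \chi_j = \delta_{ij} \chi_i$ modulo $f$, as the definition above requires.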
Addition and multiplication of two elements in $R$ can be viewed as componentwise addition and multiplication of the $n$-tuples. Any element $\alpha = (a_1, \ldots, a_n) \in R$ can be written as $\alpha = \sum_{i=1}^{n} a_i \chi_i$ where $a_i \in \mathbb{F}_p$. Let $g(y)$ be a polynomial in $R[y]$ given by
$$g(y) = \sum_{i=0}^{m} \gamma_i y^i, \qquad \gamma_i \in R, \qquad \gamma_i = \sum_{j=1}^{n} g_{ij} \chi_j, \quad g_{ij} \in \mathbb{F}_p,$$
for $0 \le i \le m$ and $1 \le j \le n$. Then $g(y)$ can be alternatively represented as
$$g(y) = \sum_{j=1}^{n} g_j(y) \chi_j, \qquad \text{where } g_j(y) = \sum_{i=0}^{m} g_{ij} y^i \in \mathbb{F}_p[y] \text{ for } 1 \le j \le n.$$
The usefulness of this representation is that operations on polynomials in $R[y]$ (multiplication, gcd etc.) can be viewed as componentwise operations on polynomials in $\mathbb{F}_p[y]$.

2.2. Characteristic Polynomial

Consider an element $\alpha = \sum_{i=1}^{n} a_i \chi_i \in R$ where $a_i \in \mathbb{F}_p$, $1 \le i \le n$. The element $\alpha$ defines a linear transformation on the vector space $R$ (over $\mathbb{F}_p$), mapping an element $\beta \in R$ to $\alpha \beta \in R$. The characteristic polynomial of $\alpha$ (viewed as a linear transformation) is independent of the choice of basis and is equal to
$$c_\alpha(y) = \prod_{i=1}^{n} (y - a_i).$$
In order to construct $c_\alpha$ one can use $1, X, X^2, \ldots, X^{n-1}$ as the basis of $R$ and form the matrix $(m_{ij})$ where $\alpha \cdot X^{j-1} = \sum_{i=1}^{n} m_{ij} X^{i-1}$, $m_{ij} \in \mathbb{F}_p$, $1 \le i, j \le n$. Then $c_\alpha$ can be constructed by evaluating $\det(y \cdot I - (m_{ij}))$ at $n$ distinct values of $y$ and solving for the $n$ coefficients of $c_\alpha$ using linear algebra. The process takes only polynomial time. The notion of characteristic polynomial extends even to higher dimensional algebras over $\mathbb{F}_p$.

2.3. GCD of Polynomials

Let $g(y) = \sum_{i=1}^{n} g_i(y) \chi_i$ and $h(y) = \sum_{i=1}^{n} h_i(y) \chi_i$ be two polynomials in $R[y]$, where $g_i, h_i \in \mathbb{F}_p[y]$ for $1 \le i \le n$.
Then the gcd of $g$ and $h$ is defined as
$$\gcd(g, h) = \sum_{i=1}^{n} \gcd(g_i, h_i)\, \chi_i.$$
We note that the concept of gcd of polynomials does not make sense in general over an arbitrary algebra. However, the fact that $R$ is a completely splitting semisimple algebra over $\mathbb{F}_p$ allows us to work componentwise over $\mathbb{F}_p$, and this makes the notion of gcd meaningful in this context. The following lemma was shown by Gao [Gao01].

Lemma 2.1. [Gao01] Given two polynomials $g, h \in R[y]$, $\gcd(g, h)$ can be computed in time polynomial in the degrees of the polynomials, $n$ and $\log p$.

2.4. Gao's Algorithm

Let $R = \mathbb{F}_p[x]/(f) = \mathbb{F}_p[X]$ where $X = x \bmod f$, and suppose that $f(y)$ splits in $R$ as $f(y) = (y - X) f'(y)$. Define the quotient ring $S$ as $S = R[y]/(f') = R[Y]$ where $Y = y \bmod f'$. $S$ is an elementary algebra over $\mathbb{F}_p$ with dimension $n' = n(n-1)$. Gao [Gao01] described an algorithm $\sigma$ for taking the square root of an element in $S$. If $p - 1 = 2^e w$ where $e \ge 1$ and $w$ is odd, and $\eta$ is a primitive $2^e$-th root of unity, then $\sigma$ has the following properties:

(1) Let $\mu_1, \ldots, \mu_{n'}$ be the primitive idempotents in $S$ and $\alpha = \sum_{i=1}^{n'} a_i \mu_i \in S$ where $a_i \in \mathbb{F}_p$. Then $\sigma(\alpha) = \sum_{i=1}^{n'} \sigma(a_i) \mu_i$.

(2) Let $a = \eta^u \theta$ where $\theta \in \mathbb{F}_p$ with $\theta^w = 1$ and $0 \le u < 2^e$. Then $\sigma(a^2) = a$ iff $u < 2^{e-1}$.

When $p \equiv 3 \pmod 4$, $\eta = -1$ and property (2) implies that $\sigma(a^2) = a$ for $a \in \mathbb{F}_p$ iff $a$ is a quadratic residue in $\mathbb{F}_p$.

Algorithm 1. [Gao01]
Input: A polynomial $f \in \mathbb{F}_p[x]$.
Output: A proper factor of $f$, or the output that "$f$ is square balanced".
1. Form $X$, $Y$, $R$, $S$ as before.
2. Compute $C = \frac{1}{2} \big( X + Y + \sigma((X - Y)^2) \big) \in S$.
3. Compute the characteristic polynomial $c(y)$ of $C$ over $R$.
4. Decompose $c(y)$ as $c(y) = h(y)(y - X)^t$, where $t$ is the largest possible.
5. If $h(X)$ is a zero divisor in $R$ then find a proper factor of $f$, otherwise output that "$f$ is square balanced".

It was shown in [Gao01] that Algorithm 1 fails to find a proper factor of $f$ if and only if $f$ is square balanced. Moreover, it follows from the analysis in [Gao01] (see Theorem 3.1 in [Gao01]) that when $f$ is square balanced the polynomial $h(y)$ takes the form
$$h(y) = \sum_{i=1}^{n} \Big( \prod_{j \in \Delta_i} (y - \xi_j) \Big) \chi_i, \qquad \Delta_i = \{\, j : j \ne i,\ \sigma((\xi_i - \xi_j)^2) = -(\xi_i - \xi_j) \,\},$$
and $\#\Delta_i = \frac{n-1}{2}$ for all $i$, $1 \le i \le n$.

3. Our Algorithm and Analysis

In this section we describe our algorithm for factoring the polynomial $f$. We show that the algorithm fails to factor $f$ in $k \cdot (n \log p)^{O(1)}$ time if and only if $f$ is $k$-cross balanced and the regularity of $G_k$ is greater than $c$. The algorithm involves $k$ polynomials $f = f_1, \ldots, f_k$, where the polynomial $f_l$, $1 < l \le k$, is defined as
$$f_l = \prod_{i=1}^{n} \big( x - p_l(\xi_i) \big)$$
where $p_l(\cdot)$ is an arbitrary but deterministically fixed polynomial with degree bounded by $(n \log p)^{O(1)}$ and $p_{l_1}(\cdot) \ne p_{l_2}(\cdot)$ for $l_1 \ne l_2$. The polynomial $f_l$ can be constructed in polynomial time by considering the element $p_l(X)$ in $R = \mathbb{F}_p[x]/(f) = \mathbb{F}_p[X]$, where $X = x \bmod f$, and then computing its characteristic polynomial over $\mathbb{F}_p$.

Lemma 3.1. If $f_l$ is not of the form $f_l = \tilde f_l^{\,d_l}$, where $\tilde f_l$ is a square-free, square balanced polynomial and $d_l > 0$, then a proper factor of $f$ can be retrieved in polynomial time.

Proof: By definition, $f_l = \prod_{i=1}^{n} (x - p_l(\xi_i))$. Define the sets $E_i$, for $1 \le i \le n$, as $E_i = \{\, 1 \le j \le n : p_l(\xi_j) = p_l(\xi_i) \,\}$. Consider the following gcd in the ring $R[y]$,
$$g(y) = \gcd\big( p_l(y) - p_l(X),\ f(y) \big) = \sum_{i=1}^{n} \Big( \prod_{j \in E_i} (y - \xi_j) \Big) \chi_i.$$
The leading coefficient of $g(y)$ is a zero-divisor in $R$ (and hence yields a proper factor of $f$) unless $\#E_1 = \ldots = \#E_n = d_l$ (say).
Therefore, we can assume that
$$f_l = \prod_{j=1}^{m_l} \big( x - p_l(\xi_{s_j}) \big)^{d_l} = \tilde f_l^{\,d_l}, \qquad \tilde f_l = \prod_{j=1}^{m_l} \big( x - p_l(\xi_{s_j}) \big),$$
where $p_l(\xi_{s_1}), \ldots, p_l(\xi_{s_{m_l}})$ are all distinct, $m_l = n/d_l$, and $\tilde f_l$ is square-free. If the polynomial $\tilde f_l$ (obtained by square-freeing $f_l$) is not square balanced then a proper factor $\tilde g_l$ of $\tilde f_l$ is returned by Algorithm 1. But then
$$\gcd\big( \tilde g_l(p_l(x)),\ f(x) \big) = \prod_{j :\ \tilde g_l(p_l(\xi_j)) = 0} (x - \xi_j)$$
is a proper factor of $f$. $\square$

Algorithm 1 works with $\tilde f_l = \prod_{j=1}^{m_l} (x - p_l(\xi_{s_j}))$ as the input polynomial, where the $p_l(\xi_{s_j})$ are distinct and $m_l = n/d_l$, and returns a polynomial $h_l(y)$ such that
$$h_l(y) = \sum_{j=1}^{m_l} \Big( \prod_{r \in \tilde\Delta_j^{(l)}} \big( y - p_l(\xi_{s_r}) \big) \Big) \chi_j^{(l)} \qquad (3.1)$$
where the $\chi_j^{(l)}$ are the primitive idempotents of the ring $R_l = \mathbb{F}_p[x]/(\tilde f_l)$,
$$\tilde\Delta_j^{(l)} = \{\, 1 \le r \le m_l : r \ne j,\ \sigma((p_l(\xi_{s_j}) - p_l(\xi_{s_r}))^2) = -(p_l(\xi_{s_j}) - p_l(\xi_{s_r})) \,\},$$
and $\#\tilde\Delta_j^{(l)} = \frac{m_l - 1}{2}$ for $1 \le j \le m_l$.

Assume that $p > n^2$ and that $n$ is odd, as even degree polynomials can be factored in polynomial time. In the following algorithm, the parameter $k$ is taken to be a fixed polynomial in $n$ and $\log p$, and $c$ is a fixed constant.

Algorithm 2. Cross Balance
Input: A polynomial $f \in \mathbb{F}_p[x]$ of odd degree $n$.
Output: A proper factor of $f$ or "Failure".

• Choose $k - 1$ distinct polynomials $p_2(y), \ldots, p_k(y)$ with degree greater than one and bounded by a polynomial in $n$ and $\log p$. (We can use any arbitrary, efficient mechanism to deterministically choose the polynomials.) Take $p_1(y) = y$.

• for $l = 1$ to $k$ do

[Steps (1)-(2): constructing the polynomial $f_l$ and checking whether $f$ can be factored using Lemma 3.1.]

(1) (Construct polynomial $f_l$) Compute the characteristic polynomial $c_\alpha(x)$ of the element $\alpha = p_l(X) \in R$ over $\mathbb{F}_p$. Then $f_l = c_\alpha(x)$.

(2) (Check if $f$ can be factored) Check whether $f_l$ is of the form $f_l = \tilde f_l^{\,d_l}$, where $\tilde f_l$ is a square-free, square balanced polynomial and $d_l > 0$. If not, then find a proper factor of $f$ as in Lemma 3.1.

[Steps (3)-(6): constructing the graph $G_l$ implicitly.]

(3) (Obtain the required polynomial from Algorithm 1) Else, $\tilde f_l$ is square balanced and Algorithm 1 returns a polynomial $h_l(y) = y^t + \alpha_1 y^{t-1} + \ldots + \alpha_t$ (as in equation (3.1)), where $t = \frac{m_l - 1}{2}$ and $\alpha_u \in R_l$ for $1 \le u \le t$.

(4) (Change to a common ring so that gcd is feasible) Each $\alpha_u \in R_l$ is a polynomial $\alpha_u(x) \in \mathbb{F}_p[x]$ of degree less than $m_l$. Compute $\alpha'_u = \alpha_u(p_l(x)) \bmod f$ for $1 \le u \le t$, and construct the polynomial $h'_l(y) = y^t + \alpha'_1 y^{t-1} + \ldots + \alpha'_t \in R[y]$.

(5) (Construct graph $G_l$ implicitly) If $l = 1$ then assign $g_l(y) = h'_l(y) \in R[y]$ and continue the loop with the next value of $l$. Else, construct the polynomial $h'_l(p_l(y))$ by replacing $y$ by $p_l(y)$ in $h'_l(y)$ and compute $g_l(y)$ as
$$g_l(y) = \gcd\big( g_{l-1}(y),\ h'_l(p_l(y)) \big) \in R[y].$$

(6) (Check if $G_l$ is a null graph) Let $g_l(y) = \beta_{t'} y^{t'} + \ldots + \beta_0$, where $t'$ is the degree of $g_l(y)$ and $\beta_u \in R$ for $0 \le u \le t'$. If $t' = 0$ then set $g_l(y) = g_{l-1}(y)$ and continue the loop with the next value of $l$.

[Steps (7)-(8): checking for equal out degrees of the vertices of the graph $G_l$.]

(7) (Check if out degrees are equal) Else, $t' > 0$. If $\beta_{t'}$ is a zero divisor in $R$, construct a proper factor of $f$ from $\beta_{t'}$ and stop.

(8) (Factor if out degrees are small) Else, if $t' \le c$ then use Evdokimov's algorithm [Evd94] on $g_l(y)$ to find a proper factor of $f$ in $(n \log p)^{O(1)}$ time.

[Steps (9)-(11): checking for equal in degrees of the vertices of the graph $G_l$.]
(9) (Obtain the values of a nice polynomial at multiple points) If $t' > c$, evaluate $g_l(y) \in R[y]$ at $n \cdot t'$ distinct points $y_1, \ldots, y_{nt'}$ taken from $\mathbb{F}_p$. Find the characteristic polynomials of the elements $g_l(y_1), \ldots, g_l(y_{nt'}) \in R$ over $\mathbb{F}_p$ as $c_1(x), \ldots, c_{nt'}(x) \in \mathbb{F}_p[x]$, respectively. Collect the terms $c_i(0)$ for $1 \le i \le nt'$.

(10) (Construct the nice polynomial from the values) Construct the polynomial $r(x) = x^{nt'} + r_1 x^{nt'-1} + \ldots + r_{nt'} \in \mathbb{F}_p[x]$ such that $r(y_i) = -c_i(0)$ for $1 \le i \le nt'$. Solve for $r_i \in \mathbb{F}_p$, $1 \le i \le nt'$, using linear algebra.

(11) (Check if in degrees are equal) For $0 \le i < t'$, if $f^i(x)$ divides $r(x)$ then compute $\gcd\big( r(x)/f^i(x),\ f(x) \big) \in \mathbb{F}_p[x]$. If a proper factor of $f$ is found, stop. Else, continue with the next value of $l$.

endfor

• If a proper factor of $f$ is not found in the above for loop, return "Failure".

Theorem 3.2. Algorithm 2 fails to find a proper factor of $f$ in $k \cdot (n \log p)^{O(1)}$ time if and only if $f$ is $k$-cross balanced and the regularity of the graph $G_k$ is greater than $c$.

Proof: We show that Algorithm 2 fails to find a proper factor of $f$ at the $l$th iteration of the loop iff $f$ is $l$-cross balanced and the regularity of $G_l$ is greater than $c$. Recall the definitions of the sets $\Delta_i^{(l)}$ and $D_i^{(l)}$, $1 \le i \le n$, from section 1. The set $\Delta_i^{(l)}$ is defined as
$$\Delta_i^{(l)} = \{\, 1 \le j \le n : p_l(\xi_i) \ne p_l(\xi_j),\ \sigma((p_l(\xi_i) - p_l(\xi_j))^2) = -(p_l(\xi_i) - p_l(\xi_j)) \,\}$$
and the set $D_i^{(l)}$ is defined iteratively over $l$ as
$$D_i^{(1)} = \Delta_i^{(1)}, \qquad D_i^{(l)} = D_i^{(l-1)} \cap \Delta_i^{(l)} \quad \text{for } l > 1.$$
If $D_i^{(l)} = \emptyset$ for all $i$, $1 \le i \le n$, then $D_i^{(l)}$ is redefined as $D_i^{(l)} = D_i^{(l-1)}$. The graph $G_l$, with $n$ vertices $v_1, \ldots, v_n$, has an edge from $v_i$ to $v_j$ iff $j \in D_i^{(l)}$.
Algorithm 2 fails at the first iteration ($l = 1$) if and only if $f$ is square balanced. In this case $D_i^{(1)} = \Delta_i^{(1)} = \Delta_i$, the polynomial $g_1(y)$ is
$$g_1(y) = h(y) = \sum_{i=1}^{n} \Big( \prod_{j \in D_i^{(1)}} (y - \xi_j) \Big) \chi_i,$$
and $G_1$ is regular with in degree and out degree of a vertex $v_i$ equal to $\#D_i^{(1)} = \#\Delta_i = \frac{n-1}{2}$. Thus, the polynomial $f$ is 1-cross balanced and $\deg(g_1(y)) = \frac{n-1}{2}$.

If Algorithm 2 fails at the $l$th iteration, then we can assume that the polynomials $f = \tilde f_1, \ldots, \tilde f_l$ are square-free and square balanced (by Lemma 3.1). So suppose that Algorithm 2 fails at the $l$th iteration. Then $\tilde f_l = \prod_{j=1}^{m_l} (x - p_l(\xi_{s_j}))$ is square-free and square balanced, and Algorithm 1 returns the polynomial $h_l(y) \in R_l[y]$ such that
$$h_l(y) = \sum_{j=1}^{m_l} \Big( \prod_{r \in \tilde\Delta_j^{(l)}} \big( y - p_l(\xi_{s_r}) \big) \Big) \chi_j^{(l)} \qquad (3.2)$$
where the $\chi_j^{(l)}$ are the primitive idempotents of the ring $R_l = \mathbb{F}_p[x]/(\tilde f_l)$ and
$$\tilde\Delta_j^{(l)} = \{\, 1 \le r \le m_l : r \ne j,\ \sigma((p_l(\xi_{s_j}) - p_l(\xi_{s_r}))^2) = -(p_l(\xi_{s_j}) - p_l(\xi_{s_r})) \,\}.$$
Let $h_l(y) = y^t + \alpha_1 y^{t-1} + \ldots + \alpha_t$, where $t = \frac{m_l - 1}{2}$ and $\alpha_u \in R_l$ for $1 \le u \le t$. Each $\alpha_u \in R_l$ is a polynomial $\alpha_u(x) \in \mathbb{F}_p[x]$ with degree less than $m_l$, and if $\alpha_u = \sum_{j=1}^{m_l} a_{uj} \chi_j^{(l)}$ for $a_{uj} \in \mathbb{F}_p$, then by the Chinese Remainder Theorem (and assuming the correspondence between $\chi_j^{(l)}$ and the factor $(x - p_l(\xi_{s_j}))$ of $\tilde f_l$) we get
$$\alpha_u(x) = q(x)\big( x - p_l(\xi_{s_j}) \big) + a_{uj} \quad \text{for some polynomial } q(x) \in \mathbb{F}_p[x]$$
$$\Rightarrow\ \alpha_u(p_l(x)) = q(p_l(x))\big( p_l(x) - p_l(\xi_{s_j}) \big) + a_{uj}$$
$$\Rightarrow\ \alpha_u(p_l(x)) \equiv a_{uj} \pmod{x - \xi} \quad \text{for every } \xi \in \{\xi_1, \ldots, \xi_n\} \text{ with } p_l(\xi) = p_l(\xi_{s_j}).$$
Suppose that, for a given $i$ ($1 \le i \le n$), $j(i)$ ($1 \le j(i) \le m_l$) is the unique index such that $p_l(\xi_i) = p_l(\xi_{s_{j(i)}})$.
Then the polynomial $\alpha'_u(x) = \alpha_u(p_l(x)) \bmod f$ has the following direct sum (or canonical) representation in the ring $R$,
$$\alpha'_u(x) = \sum_{i=1}^{n} a_{u\,j(i)}\, \chi_i.$$
This implies that the polynomial $h'_l(y) = y^t + \alpha'_1 y^{t-1} + \ldots + \alpha'_t \in R[y]$ has the canonical representation
$$h'_l(y) = \sum_{i=1}^{n} \Big( \prod_{r \in \tilde\Delta_{j(i)}^{(l)}} \big( y - p_l(\xi_{s_r}) \big) \Big) \chi_i. \qquad (3.3)$$
Inductively, assume that $g_{l-1}(y)$ has the form
$$g_{l-1}(y) = \sum_{i=1}^{n} \Big( \prod_{j \in D_i^{(l-1)}} (y - \xi_j) \Big) \chi_i.$$
Then
$$g_l(y) = \gcd\big( g_{l-1}(y),\ h'_l(p_l(y)) \big) = \sum_{i=1}^{n} \gcd\Big( \prod_{j \in D_i^{(l-1)}} (y - \xi_j),\ \prod_{r \in \tilde\Delta_{j(i)}^{(l)}} \big( p_l(y) - p_l(\xi_{s_r}) \big) \Big) \chi_i = \sum_{i=1}^{n} \Big( \prod_{j \in D_i^{(l-1)} \cap \Delta_i^{(l)}} (y - \xi_j) \Big) \chi_i$$
(as $r \in \tilde\Delta_{j(i)}^{(l)} \Leftrightarrow s_r \in \Delta_i^{(l)}$). Therefore,
$$g_l(y) = \sum_{i=1}^{n} \Big( \prod_{j \in D_i^{(l)}} (y - \xi_j) \Big) \chi_i = \beta_{t'} y^{t'} + \ldots + \beta_0 \quad \text{(say)}$$
where $t' = \max_i \#D_i^{(l)}$ and $\beta_u \in R$ for $0 \le u \le t' \le \frac{n-1}{2}$. The element $\beta_{t'}$ is not a zero divisor in $R$ if and only if $\#D_1^{(l)} = \ldots = \#D_n^{(l)} = t'$. If $t' \le c$ then a factor of $f$ can be retrieved from $g_l(y)$ in polynomial time using already known methods ([Evd94]). The condition $\#D_i^{(l)} = t'$ for all $i$, $1 \le i \le n$, makes the out degree of every vertex in $G_l$ equal to $t'$. However, this does not necessarily imply that the in degree of every vertex in $G_l$ is also $t'$. Checking for identical in degrees of the vertices of $G_l$ is handled in steps (9)-(11) of the algorithm.

Consider evaluating the polynomial $g_l(y)$ at a point $y_s \in \mathbb{F}_p$:
$$g_l(y_s) = \sum_{i=1}^{n} \Big( \prod_{j \in D_i^{(l)}} (y_s - \xi_j) \Big) \chi_i \in R.$$
The characteristic polynomial of $g_l(y_s)$ over $\mathbb{F}_p$ is
$$c_s(x) = \prod_{i=1}^{n} \Big( x - \prod_{j \in D_i^{(l)}} (y_s - \xi_j) \Big) \quad \Rightarrow \quad -c_s(0) = \prod_{j=1}^{n} (y_s - \xi_j)^{k_j} \quad \text{(since } n \text{ is odd)}$$
where $k_j$ is the in degree of the vertex $v_j$ in $G_l$.
Let $r(x) = x^{nt'} + r_1 x^{nt'-1} + \ldots + r_{nt'} \in \mathbb{F}_p[x]$ be a polynomial of degree $nt'$ such that
$$r(y_s) = -c_s(0) = \prod_{j=1}^{n} (y_s - \xi_j)^{k_j}$$
for $nt'$ distinct points $\{y_s\}_{1 \le s \le nt'}$ taken from $\mathbb{F}_p$. Since we have assumed that $p > n^2 > \frac{n(n-1)}{2} \ge nt'$, we can solve for the coefficients $r_1, \ldots, r_{nt'}$ using any $nt'$ distinct points from $\mathbb{F}_p$. Then
$$r(x) = \prod_{j=1}^{n} (x - \xi_j)^{k_j}.$$
If $k_j \ne t'$ for some $j$, then there is an $i = \min\{k_1, \ldots, k_n\} < t'$ such that $f^i(x)$ divides $r(x)$ and $\gcd\big( r(x)/f^i(x),\ f(x) \big)$ yields a nontrivial factor of $f(x)$. This shows that the graph $G_l$ is regular if the algorithm fails at the $l$th step. Since $\deg(g_l(y))$ equals the regularity of $G_l$, if the latter quantity is at most $c$ then we can apply Evdokimov's algorithm [Evd94] on $g_l(y)$ and get a nontrivial factor of $f$ in polynomial time. $\square$

Let $H_l$ ($1 \le l \le k$) be a digraph with $n$ vertices $v_1, \ldots, v_n$ such that there is an edge from $v_i$ to $v_j$ iff $j \in \Delta_i^{(l)}$. Then $G_l = G_{l-1} \cap H_l$, or $G_l = G_{l-1}$ if $G_{l-1} \cap H_l = \Phi$, where $\Phi$ is the null graph with $n$ vertices but no edge. Here $\cap$ denotes the edge intersection of graphs defined on the same set of vertices. Algorithm 2 fails to find a proper factor of $f$ in polynomial time if and only if there exists an $l \le k$ such that $G_l$ is $t$-regular ($t > c$) and $G_l \cap H_j = G_l$ or $\Phi$ for all $j$, $l < j \le k$. It is therefore important to choose the polynomials $p_j(\cdot)$ in such a way that very quickly we get a graph $H_j$ with $G_l \cap H_j \ne G_l$ or $\Phi$. We say that a polynomial $p_l(\cdot)$ is good if either $H_l$ is not regular or $G_l \ne G_{l-1}$ ($1 < l \le k$). We show that only a few good polynomials are required.

Lemma 3.3. Algorithm 2 (with a slight modification) requires at most $\lceil \log_2 n \rceil$ good auxiliary polynomials to find a proper factor of $f$.

Proof: Consider the following modification of Algorithm 2. At step (5) of Algorithm 2, for $l > 1$, take $g_l(y)$ to be either $\gcd(g_{l-1}(y), h'_l(p_l(y)))$ or $g_{l-1}(y) / \gcd(g_{l-1}(y), h'_l(p_l(y)))$, whichever has the smaller nonzero degree. Accordingly, we modify the definition of the graph $G_l$. Define the set $\bar\Delta_i^{(l)}$ ($1 \le i \le n$) as
$$\bar\Delta_i^{(l)} = \{\, 1 \le j \le n : j \ne i,\ \sigma((p_l(\xi_i) - p_l(\xi_j))^2) = p_l(\xi_i) - p_l(\xi_j) \,\} = \{\, 1 \le j \le n : j \ne i \,\} \setminus \Delta_i^{(l)}$$
and modify the definition of the sets $D_i^{(l)}$ ($1 \le i \le n$) as $D_i^{(1)} = \Delta_i^{(1)}$ and, for $l > 1$,
$$D_i^{(l)} = \begin{cases} D_i^{(l-1)} \cap \Delta_i^{(l)} & \text{if } g_l(y) = \gcd(g_{l-1}(y), h'_l(p_l(y))), \\ D_i^{(l-1)} \cap \bar\Delta_i^{(l)} & \text{if } g_l(y) = g_{l-1}(y) / \gcd(g_{l-1}(y), h'_l(p_l(y))). \end{cases}$$
As before, an edge $(v_i, v_j)$ is present in $G_l$ iff $j \in D_i^{(l)}$. This modification ensures that if $g_l(y) \ne g_{l-1}(y)$ has an invertible leading coefficient (i.e. if $g_l(y)$ is monic) then the degree of $g_l(y)$ is at most half the degree of $g_{l-1}(y)$. Hence, for every good choice of polynomial $p_l(\cdot)$, if $G_{l-1}$ and $G_l$ are $t_{l-1}$-regular and $t_l$-regular, respectively, then $t_l \le \frac{t_{l-1}}{2}$. Therefore, at most $\lceil \log_2 n \rceil$ good choices of polynomials $p_l(\cdot)$ are required by the algorithm. $\square$

Theorem 1.1 follows as a corollary to Theorem 3.2 and Lemma 3.3. As already pointed out in section 1, if only $\epsilon \lceil \log_2 n \rceil$ good auxiliary polynomials are available for some $\epsilon$, $0 < \epsilon \le 1$, then we obtain a nontrivial factor $g(y)$ of $f'(y)$ with degree at most $\frac{n^{1-\epsilon}}{2}$.
If we apply Evdokimov's algorithm on $g(y)$ instead of $f'(y)$, then the maximum dimension of the rings considered is bounded by $n^{\frac{(1-\epsilon)^2}{2} \log n + \epsilon + O(1)}$ instead of $n^{\frac{\log n}{2} + O(1)}$ (as is the case in [Evd94]).

In the following discussion we briefly analyze the performance of Algorithm 2 based on uniform random choices of the auxiliary polynomials $p_l(\cdot)$ ($1 < l \le k$). The proofs are omitted.

Lemma 3.4. If $p \equiv 3 \pmod 4$ and $p \ge n^6 2^{2n}$, then about a $(1 + o(1))\, n \left( \frac{\pi}{2n} \right)^{n/2}$ fraction of all completely splitting, square-free polynomials of degree $n$ are square balanced.

Corollary 3.5. If $p \equiv 3 \pmod 4$, $p > n^6 2^{2n}$ and $p_l(y)$ is a uniformly randomly chosen polynomial of degree $(n-1)$, then the probability that $f_l$ is either not square-free or is a square-free and square balanced polynomial is upper bounded by $(1 + o(1))\, n \left( \frac{\pi}{2n} \right)^{n/2}$.

It follows that, for $p \equiv 3 \pmod 4$ and $p > n^6 2^{2n}$, if the auxiliary polynomials $p_l(\cdot)$ are uniformly randomly chosen then Algorithm 2 works in randomized polynomial time. However, the arguments used in the proof of Lemma 3.4 do not immediately apply to the case $p \equiv 1 \pmod 4$. Therefore, we resort to a more straightforward analysis, although in the process we get a slightly weaker probability bound.

Lemma 3.6. If $G_l$ ($1 \le l < k$) is regular and $p_{l+1}(y) \in \mathbb{F}_p[y]$ is a uniformly randomly chosen polynomial of degree $(n-1)$, then $G_{l+1} \ne G_l$ with probability at least $1 - \frac{1}{2^{0.9n - 2}}$.

Thus, if the polynomials $p_l(y)$, $1 < l \le \lceil \log_2 n \rceil$, are randomly chosen, then the probability that $f$ is not factored by Algorithm 2 within $\lceil \log_2 n \rceil$ iterations is less than $\frac{\lceil \log_2 n \rceil}{2^{0.9n - 2}}$.

4. Conclusion

In this paper, we have extended the square balance test by Gao [Gao01] and showed a direction towards improving the time complexity of the best previously known deterministic factoring algorithms. Using certain auxiliary polynomials, our algorithm attempts to exploit an inherent asymmetry among the roots of the input polynomial $f$ in order to efficiently find a proper factor. The advantage of using auxiliary polynomials is that, unlike [Evd94], it avoids the need to carry out computations in rings with large dimensions, thereby saving overall computation time to a significant extent. Motivated by the stringent symmetry requirement on the roots of $f$, we pose the following question:

• Is it possible to construct good auxiliary polynomials in deterministic polynomial time?

An affirmative answer to the question will immediately imply that factoring polynomials over finite fields can be done in deterministic polynomial time under ERH.

Acknowledgements

The author would like to thank Manindra Agrawal and Piyush Kurur for many insightful discussions that helped in improving the result. The suggestions from anonymous referees have significantly improved the presentation of this paper. The author is thankful to them.

References

[Ber70] E. R. Berlekamp. Factoring polynomials over large finite fields. Mathematics of Computation, 24(111):713-735, 1970.
[CH00] Qi Cheng and Ming-Deh A. Huang. Factoring polynomials over finite fields and stable colorings of tournaments. ANTS, pages 233-246, 2000.
[CZ81] David G. Cantor and Hans Zassenhaus. A new algorithm for factoring polynomials over finite fields. Mathematics of Computation, 36(154):587-592, 1981.
[Evd94] Sergei Evdokimov. Factorization of polynomials over finite fields in subexponential time under GRH. ANTS, pages 209-219, 1994.
[Gao01] Shuhong Gao. On the deterministic complexity of factoring polynomials. Journal of Symbolic Computation, 31(1-2):19-36, 2001.
[KS95] Erich Kaltofen and Victor Shoup. Subquadratic-time factoring of polynomials over finite fields. STOC, pages 398-406, 1995.
[LN94] R. Lidl and H. Niederreiter. Introduction to finite fields and their applications, revised edition. Cambridge University Press, 1994.
[vzGS92] Joachim von zur Gathen and Victor Shoup. Computing Frobenius maps and factoring polynomials. Computational Complexity, 2:187-224, 1992.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/.
