Factorization of polynomials over finite fields and decomposition of primes in algebraic number fields


JOURNAL OF ALGORITHMS 12, 482-489 (1991)

Factorization of Polynomials over Finite Fields and Decomposition of Primes in Algebraic Number Fields*

MING-DEH A. HUANG†

Department of Computer Science, University of Southern California, Los Angeles, California 90089-0782

Received September 30, 1989; revised August 1990

It is shown that factoring polynomials over finite prime fields is polynomial-time equivalent to decomposing primes in algebraic number fields whose generating polynomials have discriminants not divisible by the given primes. The reduction from polynomial factorization to prime decomposition suggests a number-theoretic approach to the former problem. Along this line, two results will be shown based on the generalized Riemann hypothesis (GRH): (1) Given $p, n \in \mathbb{Z}_{>0}$, with $p$ prime, all the solutions to $\Phi_n(x) \equiv 0 \pmod p$ can be found in time polynomial in $n$ and $\log p$, where $\Phi_n$ denotes the $n$th cyclotomic polynomial. (2) Given $p, n, a \in \mathbb{Z}_{>0}$, with $p$ prime, all the solutions to $x^n \equiv a \pmod p$ can be found in time polynomial in $n$, $\log p$, and $\log a$. © 1991 Academic Press, Inc.

1. INTRODUCTION

In this paper, we study the deterministic computational complexity of polynomial factorization over finite prime fields in relation to the decomposition of primes in number fields. For all rational primes $p$, let $\mathbb{F}_p$ denote the finite prime field with $p$ elements. The problem of polynomial factorization over finite prime fields is, given a rational prime $p$ and a polynomial $f \in \mathbb{F}_p[x]$, to express $f$ as a product of irreducible polynomials in $\mathbb{F}_p[x]$. The problem of prime decomposition in number fields is, given a rational prime $p$ and a number field $K$ (specified by a monic integral and irreducible polynomial), to express the ideal generated by $p$ in $K$ as a product of prime ideals in $K$.

*A preliminary version of this paper appeared in [H1].
†Research supported by NSF through Grant CCR 8701541.

482    0196-6774/91 $3.00    Copyright © 1991 by Academic Press, Inc. All rights of reproduction in any form reserved.


It will be shown that factoring polynomials over finite prime fields is polynomial-time equivalent to decomposing primes in algebraic number fields whose generating polynomials have discriminants not divisible by the given primes. A precise statement of this result can be found in Section 3. The reduction from polynomial factorization to prime decomposition suggests a number-theoretic approach to the former problem. Along this line, two results will be shown based on the generalized Riemann hypothesis (GRH): (1) Given $p, n \in \mathbb{Z}_{>0}$, with $p$ prime, all the solutions to $\Phi_n(x) \equiv 0 \pmod p$ can be found in time polynomial in $n$ and $\log p$, where $\Phi_n$ denotes the $n$th cyclotomic polynomial. (2) Given $p, n, a \in \mathbb{Z}_{>0}$, with $p$ prime, all the solutions to $x^n \equiv a \pmod p$ can be found in time polynomial in $n$, $\log p$, and $\log a$. The second result extends a result by Adleman, Manders, and Miller [AMM] which finds a solution to the same equation when it exists.

It will be interesting to prove (1) and (2) without any hypothesis. There has been partial success in this direction. Recently, Schoof [S] proved that for a fixed $a \in \mathbb{Z}$, there exists a deterministic algorithm which, on input a prime $p$, solves $x^2 \equiv a \pmod p$ in time polynomial in $\log p$. Pila [P] proved that for a fixed $n$, there exists a deterministic algorithm which, on input a prime $p$, solves $\Phi_n(x) \equiv 0 \pmod p$ in time polynomial in $\log p$. Both results were proved without any hypothesis. However, their time complexity is exponential in the length of $a$ and in $n$, respectively.

In a subsequent paper [H3] (see also [H2]), we will show that on GRH a wider class of polynomials than those in (1) and (2) can be factored in deterministic polynomial time over finite prime fields. This class includes, for primes $p$, the reduction mod $p$ of integral Abelian polynomials whose discriminants are not divisible by $p$. More recently, Rónyai [Ro] has applied the results in [H2] to obtain, on GRH, a deterministic polynomial time algorithm for factoring polynomials of bounded degree over finite prime fields. Despite the fact that very efficient randomized algorithms for factoring polynomials over finite fields have been known for a long time [R] (see also [B]), it remains an open question whether the problem admits a deterministic polynomial-time solution. It will be interesting to settle this issue even on GRH.

2. EQUIVALENCE BETWEEN THE TWO DECOMPOSITION PROBLEMS

Let $A$ be a Dedekind domain with quotient field $F$. Let $K$ be a finite separable extension of degree $n$ over $F$. Let $\sigma_1, \ldots, \sigma_n$ be the $n$ distinct embeddings of $K$ into the algebraic closure of $F$. For $\alpha \in K$, we define the discriminant

$$D_{K/F}(\alpha) = \det(\sigma_i \alpha^j)^2,$$

where $i$ and $j$ range over $1$ to $n$. If $K = F(\alpha)$ and $f$ is the irreducible polynomial of $\alpha$ over $F$, then we also denote $D_{K/F}(\alpha)$ by $D_{K/F}(f)$, and call it the discriminant of $f$ over $F$. When $F = \mathbb{Q}$, $D_{K/\mathbb{Q}}(f)$ is simply called the discriminant of $f$ and is denoted by $D(f)$. Let $B$ be the integral closure of $A$ in $K$. Let $\mathfrak{p}$ be a prime ideal in $A$. Then $S = A - \mathfrak{p}$ is a multiplicatively closed subset of both $A$ and $B$. We denote the ring $S^{-1}A$ by $A_{\mathfrak{p}}$ and the ring $S^{-1}B$ by $B_{\mathfrak{p}}$.

The study of the relation between prime decomposition and polynomial factorization goes back to Kummer in the case of cyclotomic fields, and to Dedekind in full generality for algebraic number fields. The following result is due to Dedekind:

THEOREM 1. Let $A$ be a Dedekind domain with quotient field $F$. Let $K$ be a finite algebraic extension of $F$. Let $B$ be the integral closure of $A$ in $K$. Let $\alpha \in B$ such that $K = F(\alpha)$ and let $f$ be the irreducible polynomial of $\alpha$ over $F$. Let $\mathfrak{p}$ be a non-zero prime ideal in $A$. Suppose $\mathfrak{p}$ does not divide $D_{K/F}(\alpha)$. Let $\bar f$ be the reduction of $f$ modulo $\mathfrak{p}$. Let

$$\bar f = \bar h_1^{e_1} \cdots \bar h_r^{e_r}$$

be the factorization of $\bar f$ into powers of irreducible factors with leading coefficient $1$ over $A/\mathfrak{p}$. Then

$$\mathfrak{p}B = P_1^{e_1} \cdots P_r^{e_r},$$

where $P_1, \ldots, P_r$ are distinct prime ideals in $B$. Further, $B/P_i$ is an extension of $A/\mathfrak{p}$ of degree equal to the degree of $\bar h_i$, and

$$P_i B_{\mathfrak{p}} = \mathfrak{p}B_{\mathfrak{p}} + h_i(\alpha) B_{\mathfrak{p}},$$

where $h_i \in A[x]$ has leading coefficient $1$ and its reduction mod $\mathfrak{p}$ is $\bar h_i$.

Proof. See [N, Theorem 4.10], noting that $D_{K/F}(\alpha)$ is divisible by the norm, from $K$ to $F$, of the conductor of $A[\alpha]$ (cf. [N, Proposition 4.11]). □

Let $K$ be a number field. Let $g$ be an irreducible integral polynomial with leading coefficient $1$. We say that $g$ is a generating polynomial for $K$ if $K = \mathbb{Q}(\alpha)$, where $\alpha$ is a root of $g$. Let $B$ be the integral closure of $\mathbb{Z}$ in $K$. Let $p$ be a rational prime number and let $P$ be a prime ideal in $K$ above $p$. We say that a monic integral polynomial $h$ is a representative for $P$ with respect to $g$ if $PB_p = pB_p + h(\alpha)B_p$ and the degree of $h$ is less than the degree of $g$. From Theorem 1 it follows that if the discriminant of a generating polynomial of $K$ is not divisible by a rational prime $p$, then a representative exists for every prime ideal above $p$ in $K$.

THEOREM 2. The following two problems are polynomial time equivalent:

(1) Given a prime $p$ and a polynomial $f \in \mathbb{F}_p[x]$, to find all the irreducible factors of $f$ in $\mathbb{F}_p[x]$.

(2) Given a rational prime $p$ and a monic integral irreducible polynomial $G$ with $D(G)$ not divisible by $p$, to find a representative for every prime ideal above $p$ with respect to $G$ in the field generated by a root of $G$.

Proof. That (2) is polynomial time reducible to (1) follows immediately from Theorem 1 with $A = \mathbb{Z}$. We are left to show that (1) is polynomial time reducible to (2). Let $d = f/(f, f')$, where $(f, f')$ denotes the gcd of $f$ and $f'$. Then $d$ is the product of all the irreducible factors of $f$. Let $e$ be the largest number such that $d^e$ divides $f$. Then $e$ is the minimum of the multiplicities of the irreducible factors of $f$. Hence $(d, f/d^e)$ is the product of all the irreducible factors of $f$ of multiplicity greater than $e$. The following procedure applies this idea repeatedly to decompose $f$ into polynomials, each consisting of the product of the irreducible factors of $f$ of the same multiplicity.

PROCEDURE. On input $g \in \mathbb{F}_p[x]$, compute $d = g/(g, g')$ and repeat the following until $g = 1$: find the largest $m$ such that $d^m$ divides $g$; $g := g/d^m$; $g_m := d/(d, g)$; $d := (d, g)$.

Given a polynomial $g \in \mathbb{F}_p[x]$ all of whose irreduc­ible factors have multiplicity $1$, for all $k$, $(g, x^{p^k} - x)$ is the product of all the irreducible factors of $g$ of degree dividing $k$. Let $m$ be the smallest number so that $(g, x^{p^m} - x) \neq 1$; then all the irreducible factors of $(g, x^{p^m} - x)$ have the same degree $m$. The following procedure applies this idea repeatedly to factor $g$ into polynomials, each consisting of the product of irreducible factors of the same degree.

PROCEDURE. On input $g \in \mathbb{F}_p[x]$ all of whose irreducible factors have multiplicity $1$, repeat the following until $g = 1$: find the smallest $m$ such that $(g, x^{p^m} - x) \neq 1$; $h_m := (g, x^{p^m} - x)$; $g := g/h_m$.
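As an added illustration, not part of Huang's paper, the following Python code runs the two procedures just stated on a constructed input over $\mathbb{F}_5$. The polynomial arithmetic over $\mathbb{F}_p$ (coefficient lists, lowest degree first) is written out because the procedures need only gcd, division, derivative and powering mod $g$; all function names are this example's own. Two details the paper leaves implicit are handled: the multiplicity label $m$ is accumulated across rounds, so that $g_m$ collects the factors of multiplicity $m$ in the original $f$ (each round's "largest $m$" is relative to the already reduced $g$), and the case in which some factor has multiplicity divisible by $p$ (then $(g, g')$ absorbs that factor whole, $d$ does not contain it, and the loop as written would never reach $g = 1$) is reported instead of looped on.

```python
# Added example, not from the paper: the two procedures in the proof of
# Theorem 2, run over F_p. A polynomial is a list of ints in [0, p), lowest
# degree first, so [2, 3, 1] stands for x^2 + 3x + 2; names are this example's own.

def trim(f):                     # drop leading zeros in place; zero polynomial is [0]
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

def padd(f, g, p):
    n = max(len(f), len(g))
    return trim([((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % p
                 for i in range(n)])

def pmul(f, g, p):
    r = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            r[i + j] = (r[i + j] + a * b) % p
    return trim(r)

def pdivmod(f, g, p):            # long division in F_p[x]: (quotient, remainder)
    f, g = trim(f[:]), trim(g[:])
    if g == [0]:
        raise ZeroDivisionError("division by the zero polynomial")
    inv = pow(g[-1], -1, p)
    q = [0] * max(1, len(f) - len(g) + 1)
    while f != [0] and len(f) >= len(g):
        c, s = f[-1] * inv % p, len(f) - len(g)
        q[s] = c
        for i, b in enumerate(g):
            f[i + s] = (f[i + s] - c * b) % p
        trim(f)
    return trim(q), f

def monic(f, p):
    f = trim([c % p for c in f])
    inv = pow(f[-1], -1, p)
    return [c * inv % p for c in f]

def pgcd(f, g, p):               # monic gcd by the Euclidean algorithm
    f, g = trim(f[:]), trim(g[:])
    while g != [0]:
        f, g = g, pdivmod(f, g, p)[1]
    return monic(f, p)

def pderiv(f, p):
    return trim([i * c % p for i, c in enumerate(f)][1:] or [0])

def ppowmod(base, e, mod, p):    # base^e mod `mod`, square-and-multiply
    r, b = [1], pdivmod(base, mod, p)[1]
    while e:
        if e & 1:
            r = pdivmod(pmul(r, b, p), mod, p)[1]
        b = pdivmod(pmul(b, b, p), mod, p)[1]
        e >>= 1
    return r

def by_multiplicity(f, p):
    """First procedure: {m: g_m}, g_m = monic product of the irreducible factors
    of f with multiplicity exactly m (m is accumulated over the rounds)."""
    g = monic(f, p)
    d = pdivmod(g, pgcd(g, pderiv(g, p), p), p)[0]         # d = g/(g, g')
    parts, total = {}, 0
    while g != [1]:
        if len(d) == 1:
            # d carries no factor of g: the remaining factors have multiplicity
            # divisible by p, so (g, g') absorbed them whole. The procedure as
            # stated assumes this does not happen, so report it instead of looping.
            raise ValueError("all remaining multiplicities are divisible by p")
        m = 0
        while True:                                         # largest m with d^m | g
            q, r = pdivmod(g, d, p)
            if r != [0]:
                break
            g, m = q, m + 1
        total += m
        parts[total] = pdivmod(d, pgcd(d, g, p), p)[0]      # g_m := d/(d, g)
        d = pgcd(d, g, p)                                   # d := (d, g)
    return parts

def by_degree(f, p):
    """Second procedure, for squarefree f: {m: h_m}, h_m = monic product of the
    irreducible factors of f of degree exactly m."""
    g = monic(f, p)
    parts, m, xpow = {}, 0, [0, 1]                          # xpow = x^(p^m) mod g
    while g != [1]:
        m += 1
        xpow = ppowmod(xpow, p, g, p)
        h = pgcd(g, padd(xpow, [0, p - 1], p), p)           # (g, x^(p^m) - x)
        if h != [1]:
            parts[m] = h                                    # h_m := (g, x^(p^m) - x)
            g = pdivmod(g, h, p)[0]                         # g := g/h_m
            xpow = pdivmod(xpow, g, p)[1]
    return parts

def decompose(f, p):
    """Pieces of f keyed by (multiplicity, degree): the second procedure run
    on each output of the first."""
    return {(m, k): h for m, g_m in by_multiplicity(f, p).items()
                      for k, h in by_degree(g_m, p).items()}

# Constructed sample: (x+1)^2 (x+2)^2 (x^2+2) (x+3) expanded over F_5.
SAMPLE_P, SAMPLE_F = 5, [4, 0, 4, 2, 4, 3, 4, 1]
print(sorted(decompose(SAMPLE_F, SAMPLE_P).items()))
```

On the sample, `by_multiplicity` returns $(x^2+2)(x+3)$ for multiplicity $1$ and $(x+1)(x+2)$ for multiplicity $2$, and `by_degree` then splits the first into $x+3$ and $x^2+2$; these three squarefree, equal-degree pieces are exactly what the proof next lifts to $\mathbb{Z}[x]$ and hands to [LLL]. Feeding $(x+1)^5(x+2)$ over $\mathbb{F}_5$ to `by_multiplicity` raises the `ValueError` described above.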


After applying the second procedure to the output polynomials of the first procedure, $f$ is decomposed into polynomials $h$ which have no multiple roots and consist of products of irreducible factors of the same degree. For each $h$, multiply all the coefficients by the inverse of the leading coefficient; then lift the resulting polynomial to an integral polynomial $H$ with leading coefficient $1$ whose reduction mod $p$ has the same roots as $h$. Factor every such $H$ into irreducible factors over $\mathbb{Z}$ by applying the deterministic polynomial time algorithm in [LLL]. We obtain a collection of integral irreducible polynomials $G$ whose reductions mod $p$ have their product equal to $f$ up to multiplication by a constant. Each $G$ satisfies the property that $G$ mod $p$ has no root of multiplicity greater than $1$, which implies that the discriminant of $G$ is not divisible by $p$. Hence $p$ is regular with respect to $G$. By Theorem 1, all the irreducible factors of $G$ mod $p$ can be found by finding the representatives for the prime ideals containing $p$ in the field generated by a root of $G$. We have proved that (1) is polynomial time reducible to (2). □

Consider solving

$$G(x) \equiv 0 \pmod p$$

where $p$ is prime and $G \in \mathbb{Z}[x]$. When $G$ is monic, integral, and irreducible, and further suppose that the discriminant of $G$ is not divisible by $p$, the equation has a solution iff it has $\deg(G)$ many solutions, in which case $p$ splits completely into $\deg(G)$ many prime ideals in the Galois extension of $\mathbb{Q}$ generated by the roots of $G$ over $\mathbb{Q}$. The following proposition shows that in this situation one solution yields all the solutions in deterministic polynomial time.

PROPOSITION 1. Let $G$ be an integral irreducible polynomial with leading coefficient $1$. Let $K = \mathbb{Q}(\alpha)$, where $\alpha$ is a root of $G$. Let $p$ be a prime. Suppose $K$ is a Galois extension over $\mathbb{Q}$. Suppose $G(a) \equiv 0 \pmod p$ for some integer $a$, and suppose $p$ does not divide $D(G)$. Then all the other roots of $G(x) \equiv 0 \pmod p$ can be found in time polynomial in $\log p$ and the length of $G$.

Proof. Let $\mathcal{G}$ be the Galois group of $K$ over $\mathbb{Q}$. Then $G(x) = \prod_{\sigma \in \mathcal{G}} (x - \sigma\alpha)$. From $G(a) \equiv 0 \pmod p$ it follows that $\alpha \equiv a \pmod P$ for some prime ideal $P$ in $K$ containing $p$. Let $B$ be the integral closure of $\mathbb{Z}$ in $K$. Since $p$ does not divide $D(G)$, by Proposition 16 in [L, p. 67], $B_p = \mathbb{Z}_p[\alpha]$. Hence for all $\sigma \in \mathcal{G}$, there exists an $h_\sigma \in \mathbb{Z}_p[x]$ such that $\sigma\alpha = h_\sigma(\alpha)$. Hence $\sigma\alpha \equiv h_\sigma(a) \pmod{PB_p}$, and the $h_\sigma(a) \bmod p$ are all the roots of $G(x) \equiv 0 \pmod p$. The $h_\sigma$'s can be found by factoring $G$ over $\mathbb{Q}(\alpha)$, which can be done in deterministic polynomial time [La], [Le]. The assertion follows. □

As an application of Proposition 1, consider solving

$$\Phi_n(x) \equiv 0 \pmod p$$

for $n, p \in \mathbb{Z}_{>0}$ with $p$ prime. If it has a solution $a \bmod p$, then Proposition 1 implies that $a^i \bmod p$, for all $i$ less than and prime to $n$, are all the solutions to the congruence equation. Hence from one solution we easily obtain all the others. This fact will be used in the next section.

3. FINDING SOLUTIONS TO $\Phi_n(x) \equiv 0 \pmod p$ AND $x^n \equiv a \pmod p$

This section is devoted to proving the following:

THEOREM 3. Assuming GRH,

(1) there exists a deterministic algorithm which on input $p, n \in \mathbb{Z}_{>0}$ with $p$ prime, finds all $x \in \mathbb{Z}_{\geq 0}$ less than $p$ such that

$$\Phi_n(x) \equiv 0 \pmod p$$

in time polynomial in $n$ and $\log p$;

(2) there exists a deterministic algorithm which on input $n, a, p \in \mathbb{Z}_{>0}$ with $p$ prime, finds all $x \in \mathbb{Z}_{\geq 0}$ less than $p$ such that

$$x^n \equiv a \pmod p$$

in time polynomial in $n$, $\log a$, and $\log p$.

Theorem 3(2) extends the following result in [AMM]:

THEOREM 4. Assuming GRH, there exists a deterministic algorithm with time complexity $O(n \log^c p)$ for some constant $c > 0$ such that on input $a, n, p \in \mathbb{Z}_{>0}$ with $p$ prime

LEMMA 1. Let $a, b, p \in \mathbb{Z}_{>0}$ with $p$ prime. Suppose $b^n \equiv a \pmod p$. Then $\{\,by \mid y^n \equiv 1 \pmod p,\ y \in \mathbb{Z}_{>0},\ \text{and } y < p\,\}$ is the set of solutions to $x^n \equiv a \pmod p$.

Proof. When $b \equiv 0 \pmod p$, the assertion is obviously true. Suppose $b \not\equiv 0 \pmod p$. For $x \in \mathbb{Z}_{>0}$, $x^n \equiv a \pmod p \iff x^n \equiv b^n \pmod p \iff (xb^{-1})^n \equiv 1 \pmod p$. □

Lemma 1 together with Theorem 4 reduces solving $x^n \equiv a \pmod p$ to solving $x^n \equiv 1 \pmod p$. For $n = q$ with $q$ prime, $x^q - 1 = (x - 1)\Phi_q(x)$; hence solving $x^q \equiv 1 \pmod p$ is reduced to solving $\Phi_q(x) \equiv 0 \pmod p$. It is well known that for $q, p$ prime, $\Phi_q(x) \equiv 0 \pmod p$ is solvable iff $p \equiv 1 \pmod q$, in which case there are $q - 1$ solutions. When $q = 2$ the only solution is $-1$. By a result of Wang [W], there exists, under the Riemann hypothesis, a primitive root mod $p$ which is less than $c \log^c p$ for some constant $c$. Let $g$ be a primitive root mod $p$. Then $g^{(p-1)/q}$ is a solution to $\Phi_q(x) \equiv 0 \pmod p$. Hence all solutions to $\Phi_q(x) \equiv 0 \pmod p$ follow, by the remark after Proposition 1. Now let $e > 1$. We have

$$x^{q^e} - 1 = \bigl(x^{q^{e-1}} - 1\bigr)\,\Phi_{q^e}(x), \qquad \Phi_{q^e}(x) = \Phi_q(y),$$

where $y = x^{q^{e-1}}$. It follows that

(1) Solving $x^{q^e} \equiv 1 \pmod p$ is reduced to solving $\Phi_{q^e}(x) \equiv 0 \pmod p$ and $x^{q^{e-1}} \equiv 1 \pmod p$.

(2) Solving $\Phi_{q^e}(x) \equiv 0 \pmod p$ is reduced to solving $\Phi_q(x) \equiv 0 \pmod p$ and $x^{q^{e-1}} \equiv y \pmod p$ for all $y$ such that $\Phi_q(y) \equiv 0 \pmod p$. And solving the latter is, by Theorem 4 and Lemma 1, reduced to solving $x^{q^{e-1}} \equiv 1 \pmod p$.

From (1) and (2) we have a recursive procedure which solves $x^{q^e} \equiv 1 \pmod p$ and $\Phi_{q^e}(x) \equiv 0 \pmod p$. Factor $n$ into a product of distinct prime powers. For $m \in \mathbb{Z}_{>0}$, let $G_m = \{x \in \mathbb{F}_p \mid x^m \equiv 1 \pmod p\}$. Then $G_m$ is a subgroup of $\mathbb{F}_p^*$. Further, $G_n$ is the direct product of the $G_{q^e}$ over the prime powers $q^e$ in the factorization of $n$, and $G_{q^e}$ is the set of solutions to $x^{q^e} \equiv 1 \pmod p$. It follows that $x^n \equiv 1 \pmod p$ can be solved completely in time $O(n \log^c p)$ for some constant $c$. Finally, $\Phi_n(x) \equiv 0 \pmod p$ can be solved by simply trying all the solutions in $G_n$. The theorem is proved. □
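The following Python example is added here and is not from the paper; it carries the proof above through for small parameters. Reductions (1) and (2) build $G_{q^e}$ recursively from the roots of $\Phi_q$, Lemma 1 turns one solution of $x^{q^{e-1}} \equiv y$ into all of them, $G_n$ is assembled as the product of the $G_{q^e}$, and $\Phi_n(x) \equiv 0 \pmod p$ is solved by trying every element of $G_n$ against $\Phi_n$ (computed from $x^n - 1 = \prod_{d \mid n} \Phi_d$). Two substitutions are this example's own assumptions, not the paper's method: the primitive root $g$ is found by searching upward from $1$ (Wang's bound is what makes that search short under GRH), and the single solution that the paper obtains from Theorem 4 is read off as a power of $g$ (for $x^n \equiv a$, via the index of $a$, found here by brute force). This is adequate for the small $p$ used but is not a polynomial-time deterministic method. As in the paper, $p \nmid n$ is assumed; all function names are this example's own.

```python
# Added example, not from the paper: the solutions of x^n = 1, Phi_n(x) = 0 and
# x^n = a (mod p) built as in the proof of Theorem 3. Assumed here: p is prime,
# p does not divide n, and p is small enough that a primitive root and a
# discrete logarithm can be found by plain search.
from math import gcd

def prime_powers(n):
    """n = prod q^e as {q: e}, by trial division."""
    out, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            out[q] = out.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def primitive_root(p):
    """Least primitive root mod p by search (the paper bounds it via [W])."""
    qs = prime_powers(p - 1)
    return next(g for g in range(1, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in qs))

def cyclotomic_roots_prime(q, p, g):
    """Roots of Phi_q (q prime) mod p: none unless p = 1 (mod q); otherwise the
    powers s^i, 0 < i < q, of s = g^((p-1)/q) (Proposition 1, as applied above)."""
    if (p - 1) % q:
        return []
    s = pow(g, (p - 1) // q, p)
    return [pow(s, i, p) for i in range(1, q)]

def roots_of_unity_prime_power(q, e, p, g):
    """G_{q^e} by reductions (1) and (2): x^{q^e} = 1 iff x^{q^{e-1}} = 1 or
    Phi_{q^e}(x) = 0, and Phi_{q^e}(x) = 0 iff x^{q^{e-1}} = y with Phi_q(y) = 0.
    By Lemma 1 the solutions of x^{q^{e-1}} = y are b_y * G_{q^{e-1}} for any one
    solution b_y; here b_y is a power of g, standing in for Theorem 4."""
    if e == 0:
        return {1}
    smaller = roots_of_unity_prime_power(q, e - 1, p, g)
    found = set(smaller)
    if (p - 1) % q ** e == 0:       # otherwise x^{q^{e-1}} = y has no solution
        for i, y in enumerate(cyclotomic_roots_prime(q, p, g), start=1):
            b_y = pow(g, (p - 1) // q ** e * i, p)   # one solution: b_y^{q^{e-1}} = s^i = y
            assert pow(b_y, q ** (e - 1), p) == y
            found.update(b_y * z % p for z in smaller)
    return found

def roots_of_unity(n, p):
    """G_n = {x : x^n = 1 (mod p)}, as the direct product of the G_{q^e}."""
    g, G = primitive_root(p), {1}
    for q, e in prime_powers(n).items():
        G = {x * y % p for x in G for y in roots_of_unity_prime_power(q, e, p, g)}
    return sorted(G)

def exact_div(f, g):
    """Exact division of integer polynomials (lowest degree first) by monic g."""
    f, q = f[:], [0] * (len(f) - len(g) + 1)
    for s in range(len(q) - 1, -1, -1):
        q[s] = c = f[s + len(g) - 1]
        for i, b in enumerate(g):
            f[i + s] -= c * b
    assert not any(f), "division was not exact"
    return q

def cyclotomic_poly(n):
    """Integer coefficients of Phi_n, from x^n - 1 = prod_{d | n} Phi_d."""
    poly = [-1] + [0] * (n - 1) + [1]
    for d in range(1, n):
        if n % d == 0:
            poly = exact_div(poly, cyclotomic_poly(d))
    return poly

def cyclotomic_roots(n, p):
    """All x < p with Phi_n(x) = 0 (mod p): try every element of G_n."""
    phi = cyclotomic_poly(n)
    def phi_at(x):
        r = 0
        for c in reversed(phi):
            r = (r * x + c) % p
        return r
    return [x for x in roots_of_unity(n, p) if phi_at(x) == 0]

def solve_power_congruence(n, a, p):
    """All x < p with x^n = a (mod p): one solution b, then b * G_n (Lemma 1).
    b comes from a = g^k (k by search here, in place of Theorem 4) and from
    n*j = k (mod p-1), solvable iff gcd(n, p-1) divides k; then b = g^j."""
    a %= p
    if a == 0:
        return [0]
    g = primitive_root(p)
    k = next(k for k in range(p - 1) if pow(g, k, p) == a)
    d = gcd(n, p - 1)
    if k % d:
        return []                   # a is not an n-th power mod p
    m = (p - 1) // d
    j = (k // d) * pow(n // d, -1, m) % m if m > 1 else 0
    return sorted(pow(g, j, p) * y % p for y in roots_of_unity(n, p))

print(roots_of_unity(12, 13), cyclotomic_roots(12, 13), solve_power_congruence(4, 3, 13))
```

For $p = 13$ the recursion produces $G_4 = \{1, 5, 8, 12\}$ from $G_2 = \{1, 12\}$ and the root $y = 12$ of $\Phi_2$, the roots of $\Phi_{12}$ are the four elements of order $12$, and $x^4 \equiv 3$ is solved as $2 \cdot G_4$ since $2^4 \equiv 3$; a non-residue such as $x^2 \equiv 2 \pmod{13}$ gives the empty set at the divisibility test on $k$.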


REFERENCES

[AMM] L. M. Adleman, K. Manders, and G. Miller, On taking roots in finite fields, in "Proceedings, 18th IEEE Symposium on Foundations of Computer Science, 1977," pp. 175-178.
[AHU] A. V. Aho, J. E. Hopcroft, and J. D. Ullman, "The Design and Analysis of Computer Algorithms," Addison-Wesley, Reading, MA, 1974.
[An] N. C. Ankeny, The least quadratic non residue, Ann. of Math. 55 (1952), 65-72.
[B] E. R. Berlekamp, Factoring polynomials over large finite fields, Math. Comp. 24 (1970), 713-735.
[B1] E. R. Berlekamp, "Algebraic Coding Theory," McGraw-Hill, New York, 1968.
[H1] M. A. Huang, Factorization of polynomials over finite fields and factorization of primes in algebraic number fields, in "Proceedings, 16th ACM Symposium on Theory of Computing, 1984," pp. 175-182.
[H2] M. A. Huang, Riemann hypothesis and finding roots over finite fields, in "Proceedings, 17th ACM Symposium on Theory of Computing, 1985," pp. 121-130.
[H3] M. A. Huang, Generalized Riemann hypothesis and factoring polynomials over finite fields, preprint, 1989.
[L] S. Lang, "Algebraic Number Theory," Addison-Wesley, Reading, MA, 1970.
[La] S. Landau, Factoring polynomials over algebraic number fields, SIAM J. Comput. 14, No. 1 (1985), 184-195.
[Le] A. K. Lenstra, Factoring polynomials over algebraic number fields, in "Proceedings, Eurocal," Lecture Notes in Computer Science, Vol. 162, pp. 458-465, Springer-Verlag, New York/Berlin, 1983.
[LLL] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), 515-535.
[N] W. Narkiewicz, "Elementary and Analytic Theory of Algebraic Numbers," PWN, Warsaw, 1974.
[P] J. Pila, Counting points on curves in polynomial time, preliminary version, 1987.
[R] M. O. Rabin, Probabilistic algorithms in finite fields, SIAM J. Comput. 9 (1980), 273-280.
[Ro] L. Rónyai, Factoring polynomials over finite fields, J. Algorithms 9 (1988), 391-400.
[S] R. Schoof, Elliptic curves over finite fields and the computation of square roots mod p, Math. Comp. 44 (1985), 483-494.
[W] Y. Wang, On the least primitive root of a prime, Sci. Sinica 10 (1961), 1-14.
[Wa] L. Washington, "Introduction to Cyclotomic Fields," Springer-Verlag, New York, 1982.