JOURNAL OF ALGORITHMS 12, 464-481 (1991)

Generalized Riemann Hypothesis and Factoring Polynomials over Finite Fields*

MING-DEH A. HUANG†

Department of Computer Science, University of Southern California, Los Angeles, California 90089-0782

Received September 30, 1989; revised August 1990

It is shown that, assuming the generalized Riemann hypothesis, there exists a deterministic polynomial time algorithm which, on input of a rational prime $p$ and a monic integral polynomial $f$ whose discriminant is not divisible by $p$ and whose roots generate an Abelian extension over $\mathbb{Q}$, computes all the irreducible factors of $f \bmod p$ in $\mathbb{F}_p[x]$. © 1991 Academic Press, Inc.

1. INTRODUCTION

Although efficient random polynomial time algorithms exist for factoring polynomials over finite fields [Be, R], it is not known whether a deterministic polynomial time algorithm exists for the problem even when the polynomials being considered are of degree 2. Assuming the generalized Riemann hypothesis (GRH), however, the following cases have been shown to be solvable in deterministic polynomial time:

(1) $x^n \equiv a \pmod p$, where $a, n, p$ are integers with $p$ prime [AMM, H1];
(2) $\Phi_n(x) \equiv 0 \pmod p$, where $\Phi_n$ is the $n$th cyclotomic polynomial.

The above results all depend on a result of Ankeny [An] which shows that, on GRH, the least $q$th nonresidue mod $p$ for $p, q$ prime with $q$ dividing $p - 1$ is bounded by $c \log^2 p$, where $c$ is an effectively computable constant. Bach [B] showed that for $p \ge 10^6$ one may take $c = 60$.

*A preliminary version of this paper appeared in [H2].
†Research supported by NSF through Grant CCR 8701541.

464 0196-6774/91 $3.00
Copyright © 1991 by Academic Press, Inc. All rights of reproduction in any form reserved.


The purpose of this paper is to show that a much broader class of polynomials can be factored over finite prime fields in deterministic polynomial time based on GRH. The following will be proved.

THEOREM 1. Assuming GRH, there exists a deterministic polynomial time algorithm which, on input of a rational prime $p$ and a monic integral polynomial $f$ whose discriminant is not divisible by $p$ and whose roots generate an Abelian extension over $\mathbb{Q}$, computes all the irreducible factors of $f \bmod p$ in $\mathbb{F}_p[x]$.

The proof of Theorem 1 involves an elaborate reduction from factoring an Abelian polynomial of degree $n$ modulo a prime $p$ to the following:

(i) Given a prime $q$ dividing $n$, to factor $\Phi_q \bmod p$, where $\Phi_q$ is the $q$th cyclotomic polynomial.
(ii) Given a prime $q$ dividing $n$, an irreducible factor $h$ of $\Phi_q(x) \bmod p$, and an element $\alpha$ in $\mathbb{F}_p[x]/h\mathbb{F}_p[x]$, to solve $x^q = \alpha$ in $\mathbb{F}_p[x]/h\mathbb{F}_p[x]$.

Problem (i) is solved by recursively applying the same reduction. In solving (ii), the first step is to generalize Ankeny's result to the following:

THEOREM 2. Assuming GRH, there exists an effectively computable constant $c$ such that for all pairs of rational primes $p, q$ and for all irreducible factors $h$ of $\Phi_q \bmod p$, there exist $a_0, \dots, a_{m-1} \in \mathbb{Z}$, where $|a_i| < cq^2 \log^2(pq)$, such that the image of $a_0 + a_1 x + \dots + a_{m-1}x^{m-1}$ is a $q$th nonresidue in $\mathbb{F}_p[x]/h\mathbb{F}_p[x]$. Furthermore, the $a_i$'s can be computed in time polynomial in $q$ and $\log p$.

With Theorem 2, Problem (ii) is then solved by an extended version of the algorithm in [AMM]. Whereas Ankeny's result was proved by analytic methods, the nonresidues in Theorem 2 are constructed from cyclotomic fields by algebraic methods involving power reciprocity laws. A second version of Theorem 2 with the nonresidues more explicitly described can be found in Section 3. As a corollary to Theorem 1, we have

THEOREM 3. Assuming GRH, there exists a deterministic polynomial time algorithm which, on input of rational primes $p, q$, finds all the irreducible factors of $\Phi_q \bmod p$ in $\mathbb{F}_p[x]$, where $\Phi_q$ is the $q$th cyclotomic polynomial.

Recently L. Ronyai [Ro] applied Theorem 2 and Theorem 3 to obtain, on GRH, a deterministic polynomial time algorithm for factoring bounded degree polynomials over finite prime fields. Ronyai [Ro1] also extended Theorem 1 to the case where the roots of the given integral polynomial generate a Galois extension over the rationals. Theorem 2 and Theorem 3 were also critical to this result.

The rest of the paper is organized as follows. In Section 2, an extended version of the algorithm in [AMM] is presented. In Section 3, Theorem 2 is proved. Section 4 contains some technical lemmas needed in the proof of Theorem 1. Section 5 is devoted to the proof of Theorem 1.

2. SOLVING BINOMIAL EQUATIONS OVER FINITE FIELDS

In [AMM], an algorithm is presented for solving equations of the form

$$x^q \equiv a \pmod p,$$

where $a, p, q$ are integers, $p, q$ are prime and $p \equiv 1 \pmod q$. The algorithm applies a method which was first introduced by A. Tonelli [T] in the case $q = 2$. It can be extended in a straightforward manner to solve equations of the form $x^q = a$ in $\mathbb{F}_{p^m}$ with $p^m \equiv 1 \pmod q$ and $a \in \mathbb{F}_{p^m}$, provided $\mathbb{F}_{p^m}$ is already constructed and a $q$th nonresidue $g$ in $\mathbb{F}_{p^m}$ is given. We describe such an extension below. The construction of $\mathbb{F}_{p^m}$ is addressed in Section 5. The construction of the nonresidue $g$ is the topic of Section 3.

Let $b$ be the largest integer such that $q^b$ divides $p^m - 1$. Let $p^m - 1 = q^b l$. Let $d$ be the smallest integer such that $a^{q^d l} = 1$ in $\mathbb{F}_{p^m}$. Let $G$ be the cyclic subgroup of $\mathbb{F}_{p^m}^*$ of order $q^b$. Then $g^l$ is a generator for $G$ and $a^l$ generates a subgroup of $G$ of order $q^d$.

(1) If $d = b$ then there is no solution to $x^q = a$ in $\mathbb{F}_{p^m}$.
(2) If $d = 0$, then $a^l = 1$. In this case compute $s$ such that $qs \equiv 1 \pmod l$; then $a^{qs} = a$, hence $a^s$ is a solution.
(3) Suppose $1 \le d \le b - 1$. Let $k = q^{b-d}$. Then $a^l$ and $g^{kl}$ generate the same subgroup of $G$ of order $q^d$. Therefore there exists a $\lambda < q$ such that $g^{-kl\lambda}a^l$ falls in the subgroup of order $q^{d-1}$. Find such a $\lambda$ and let $a_1 = g^{-k\lambda}a$. Recursively find a $z$ in $\mathbb{F}_{p^m}$ that solves $x^q = a_1$. Let $i = k\lambda/q$. Then $(g^i z)^q = a$. Hence $g^i z$ is a solution to $x^q = a$.
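As an added example (not code from the paper), the three cases above implemented for the prime field $\mathbb{F}_p$, i.e. $m = 1$ and $p \equiv 1 \pmod q$. The helper `least_qth_nonresidue` supplies $g$ by the plain search whose length Ankeny's bound controls, and `all_qth_roots` goes slightly beyond the text by returning every solution, not just one.

```python
# Added example (not code from the paper): the Section 2 extension of the
# Tonelli / Adleman-Manders-Miller method, specialised to the prime field F_p
# (m = 1, so p = 1 mod q).  p and q are primes, g is a q-th nonresidue mod p.

def split_power(n, q):
    """Write n = q^b * l with q not dividing l; return (b, l)."""
    b = 0
    while n % q == 0:
        n //= q
        b += 1
    return b, n


def least_qth_nonresidue(p, q):
    """Smallest g >= 2 with g^((p-1)/q) != 1 (mod p), i.e. a q-th nonresidue.
    Ankeny's GRH bound says this g is O(log^2 p); here it is found by search."""
    e = (p - 1) // q
    g = 2
    while pow(g, e, p) == 1:
        g += 1
    return g


def qth_root(a, p, q, g):
    """Return one x with x^q = a (mod p), or None if a is not a q-th power.
    Follows cases (1)-(3) of Section 2 with F_{p^m} replaced by F_p."""
    a %= p
    if a == 0:
        return 0
    b, l = split_power(p - 1, q)            # p - 1 = q^b * l, gcd(l, q) = 1

    def depth(x):
        # smallest d with x^(q^d * l) = 1: x^l generates a subgroup of order
        # q^d of the cyclic q-subgroup G of F_p^* (G has order q^b)
        d, y = 0, pow(x, l, p)
        while y != 1:
            y, d = pow(y, q, p), d + 1
        return d

    d = depth(a)
    if d == b:                              # case (1): a^l has full order q^b
        return None
    if d == 0:                              # case (2): a^l = 1
        s = pow(q, -1, l) if l > 1 else 0   # q*s = 1 (mod l), so (a^s)^q = a
        return pow(a, s, p)
    # case (3): 1 <= d <= b-1.  With k = q^(b-d), g^(k*l) and a^l generate the
    # same subgroup of order q^d, so some lambda < q sends g^(-k*l*lambda) a^l
    # into the subgroup of order q^(d-1).
    k = q ** (b - d)
    a_l = pow(a, l, p)
    g_kl_inv = pow(g, -k * l, p)
    lam = next(t for t in range(q)
               if pow(pow(g_kl_inv, t, p) * a_l % p, q ** (d - 1), p) == 1)
    a1 = pow(g, -k * lam, p) * a % p        # depth(a1) < d, so recursion ends
    z = qth_root(a1, p, q, g)               # z^q = a1
    return pow(g, k * lam // q, p) * z % p  # (g^(k*lam/q) z)^q = g^(k*lam) a1 = a


def all_qth_roots(a, p, q, g):
    """All q solutions: one root times the q-th roots of unity g^(i(p-1)/q)."""
    x = qth_root(a, p, q, g)
    if x is None:
        return []
    zeta = pow(g, (p - 1) // q, p)
    return sorted({x * pow(zeta, i, p) % p for i in range(q)})


if __name__ == "__main__":
    p, q = 19, 3                            # constructed instance: 19 = 1 (mod 3)
    g = least_qth_nonresidue(p, q)
    for a in range(1, p):
        print(a, all_qth_roots(a, p, q, g))
```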

3. NONRESIDUES CONSTRUCTED FROM CYCLOTOMIC FIELDS

Throughout this section, let $p$ and $q$ be two distinct odd rational primes, and let $m$ be the order of $p \bmod q$. Let $\zeta$ be a primitive $q$th root of unity. Then the irreducible polynomial of $\zeta$ over $\mathbb{Q}$ is the $q$th cyclotomic polynomial, $\Phi_q(x) = x^{q-1} + \cdots + x + 1$.

DEFINITION (Power residue symbol). Let $R$ be a prime ideal in $\mathbb{Z}[\zeta]$ not containing $q$. For all $\alpha \in \mathbb{Z}[\zeta]$ prime to $R$, define

$$\left(\frac{\alpha}{R}\right) = \zeta^i, \quad\text{where}\quad \alpha^{(N(R)-1)/q} \equiv \zeta^i \pmod R.$$

Here $N(R)$ denotes the norm of $R$ over $\mathbb{Q}$. For prime ideals $R$ and $S$ both prime to $\alpha$, define $\left(\frac{\alpha}{RS}\right) = \left(\frac{\alpha}{R}\right)\left(\frac{\alpha}{S}\right)$. In this way, the power residue symbol is extended multiplicatively to $\left(\frac{\alpha}{I}\right)$ for all $\alpha \in \mathbb{Z}[\zeta]$ and ideals $I$ in $\mathbb{Z}[\zeta]$ that are prime to $\alpha$.

Let $h \in \mathbb{Z}[x]$ such that $h \bmod p$ is an irreducible factor of $\Phi_q \bmod p$. Then it is a well-known result of Kummer (see, e.g., [N, Theorem 4.10]) that

$$P = h(\zeta)\mathbb{Z}[\zeta] + p\mathbb{Z}[\zeta]$$

is a prime ideal over $p$ and $\mathbb{Z}[\zeta]/P \cong \mathbb{F}_p[x]/h\mathbb{F}_p[x] = \mathbb{F}_{p^m}$. For all $\alpha \in \mathbb{Z}[\zeta]$ prime to $P$, $x^q \equiv \alpha \pmod P$ is solvable iff $(\alpha/P) = 1$. Therefore, when $(\alpha/P) \ne 1$, the image of $\alpha$ in $\mathbb{F}_{p^m}$ is a $q$th nonresidue.

Let $\lambda = 1 - \zeta$. Then $\lambda$ generates the unique prime ideal in $\mathbb{Z}[\zeta]$ over $q$. Let $k$ be the completion of $\mathbb{Q}(\zeta)$ at $\lambda$. Let $K$ be an Abelian extension of $k$. For $a \in k^*$, let $(a, K/k)$ denote the image of $a$ in $\mathrm{Gal}(K/k)$ under the local Artin map (see [CF, p. 140] for example).

DEFINITION (Norm residue symbol). For $\alpha, \beta \in \mathbb{Q}(\zeta)^*$, define

$$(\alpha, \beta)_\lambda = \left(\beta^{1/q}\right)^{\sigma - 1}, \quad\text{where } \sigma = (\alpha, k(\beta^{1/q})/k).$$

The following theorem states the power reciprocity law in the context of cyclotomic fields (see [AT, p. 171]; also [APR, Proposition 3]):

THEOREM 4. For $\alpha, \beta \in \mathbb{Q}(\zeta)$ that are relatively prime and prime to $q$,

$$\left(\frac{\alpha}{\beta}\right) = \left(\frac{\beta}{\alpha}\right)(\alpha, \beta)_\lambda.$$

For all prime ideals $R$ not containing $p$ and $q$, let

$$\chi(R) = \left(\frac{p}{R}\right). \tag{1}$$

Let $l = pq$. Let $I_l$ be the set of ideals in $\mathbb{Z}[\zeta]$ that are prime to $l$. Then $\chi$ can be extended to a function on $I_l$ multiplicatively. Let $K$ be a number field. A Hecke character of $K$ is a character $\chi$ of the group of ideals of $K$ such that $\chi(K^*) = 1$ (see [L, p. 293]; also [CF, Chap. VII]). Let $\mathfrak{m}$ be an integral ideal of $K$. Then finite Hecke characters of conductor bounded by $\mathfrak{m}$ are in one to one correspondence with characters of the group $I_{\mathfrak{m}}/P_{\mathfrak{m}}$, where $P_{\mathfrak{m}}$ is the subset of $I_{\mathfrak{m}}$ consisting of principal ideals $(z)$ with $z \equiv 1 \pmod{\mathfrak{m}}$ (see [CF, Chap. VIII]). This fact will be used in the next lemma.

LEMMA 1. $\chi$ defined above induces a Hecke character [L] of conductor bounded by $pq$.

Proof. For $z \in \mathbb{Z}[\zeta]$ with $z \equiv 1 \pmod l$, we have by Theorem 4

$$\left(\frac{p}{z}\right) = \left(\frac{z}{p}\right)(p, z)_\lambda.$$

Since $p^{q-1} \equiv 1 \pmod q$ and $z \equiv 1 \pmod q$, it follows from Exercise 2.13 of [CF, p. 353] that $(p^{q-1}, z)_\lambda = 1$. But

$$(p, z)_\lambda\,(p^{q-1}, z)_\lambda = \left((p, z)_\lambda\right)^q = 1.$$

Hence $(p, z)_\lambda = 1$, and it follows that $(p/z) = (z/p)$. Since $z \equiv 1 \pmod p$, $(z/P) = 1$ for all prime ideals $P$ over $p$; hence $(z/p) = 1$. It follows that

$$\left(\frac{p}{z}\right) = 1$$

for all $z \in \mathbb{Z}[\zeta]$ such that $z \equiv 1 \pmod l$. This shows that $\chi$ defines a character on $I_l/P_l$. Consequently, $\chi$ induces a Hecke character of conductor bounded by $l = pq$. □

DEFINITION (Jacobi sum). For all prime ideals $R$ in $\mathbb{Z}[\zeta]$ not containing $q$, and for all integers $a, b$, define the Jacobi sum

$$J_{a,b}(R) = \sum_{x} \left(\frac{x}{R}\right)^a \left(\frac{1-x}{R}\right)^b,$$

where $x$ ranges over a set of representatives of $\mathbb{Z}[\zeta]/R$ not equal to 0 or 1.

In particular, for $R$ with norm $r$ which is prime and $r \equiv 1 \pmod q$, $x$ can be taken to be $2, \dots, r - 1$. For prime $r$ not equal to $q$, the prime ideals over $r$ are determined by the factorization of $\Phi_q \bmod r$, which can be computed in time polynomial in $q$ and $r$ [B]. It follows that for given $a, b$ and prime $r$ such that $r \equiv 1 \pmod q$, $J_{a,b}(R)$ for all prime ideals $R$ over $r$ can be computed in time polynomial in $q$ and $r$.
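As an added example (not code from the paper): computing $J_{a,b}(R)$ in $\mathbb{Z}[\zeta]$ for a prime ideal $R$ over $r \equiv 1 \pmod q$, working in the residue field $\mathbb{Z}[\zeta]/R = \mathbb{F}_r$, where $\zeta$ is identified with a root $w$ of $\Phi_q \bmod r$ (so $R = (r, \zeta - w)$). Elements of $\mathbb{Z}[\zeta]$ are coefficient vectors on $1, \zeta, \dots, \zeta^{q-1}$ reduced by $\Phi_q(\zeta) = 0$; the block also checks the classical identity $J\bar J = r$, which holds when $ab(a+b) \not\equiv 0 \pmod q$.

```python
# Added example (not code from the paper): Jacobi sums J_{a,b}(R) in Z[zeta_q]
# for R over a prime r = 1 (mod q), computed through Z[zeta]/R = F_r.

def split_cyclotomic(q, r):
    """r = 1 (mod q): Phi_q splits mod r as prod (x - w^j).  Return a root w
    of order q; the prime ideal R = (r, zeta - w) is then fixed."""
    assert (r - 1) % q == 0
    for g in range(2, r):
        w = pow(g, (r - 1) // q, r)
        if w != 1:
            return w
    raise ValueError("no element of order q")


def power_residue_exponent(x, q, r, w):
    """i with (x/R) = zeta^i, i.e. x^((r-1)/q) = w^i (mod r); q is small."""
    y = pow(x, (r - 1) // q, r)
    for i in range(q):
        if pow(w, i, r) == y:
            return i
    raise ValueError("w does not have order q")


def canonical(v, q):
    """Reduce a coefficient vector on 1, zeta, ..., zeta^(q-1) using
    1 + zeta + ... + zeta^(q-1) = 0 so that the last coefficient is 0."""
    top = v[q - 1]
    return [c - top for c in v[:q - 1]] + [0]


def jacobi_sum(a, b, q, r, w):
    """J_{a,b}(R) = sum over x in F_r, x != 0, 1, of (x/R)^a ((1-x)/R)^b,
    returned as a canonical coefficient vector in Z[zeta]."""
    coeff = [0] * q
    for x in range(2, r):
        e = (a * power_residue_exponent(x, q, r, w)
             + b * power_residue_exponent((1 - x) % r, q, r, w)) % q
        coeff[e] += 1
    return canonical(coeff, q)


def mul(u, v, q):
    """Product in Z[zeta]: convolution with zeta^q = 1, then reduce."""
    out = [0] * q
    for i, ci in enumerate(u):
        for j, cj in enumerate(v):
            out[(i + j) % q] += ci * cj
    return canonical(out, q)


def conjugate(v, q):
    """Complex conjugation zeta -> zeta^(-1) on coefficient vectors."""
    out = [0] * q
    for j, c in enumerate(v):
        out[(-j) % q] += c
    return canonical(out, q)


def norm_is_r(a, b, q, r):
    """True iff J_{a,b}(R) * conj(J_{a,b}(R)) = r in Z[zeta]; this is the
    classical |J|^2 = r, valid when ab(a+b) != 0 (mod q)."""
    w = split_cyclotomic(q, r)
    j = jacobi_sum(a, b, q, r, w)
    return mul(j, conjugate(j, q), q) == canonical([r] + [0] * (q - 1), q)


if __name__ == "__main__":
    q, r = 3, 7                       # constructed instance: 7 = 1 (mod 3)
    w = split_cyclotomic(q, r)
    print("zeta ->", w, "J_{1,1}(R) =", jacobi_sum(1, 1, q, r, w))
    print("J*conj(J) == r:", norm_is_r(1, 1, q, r))
```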

For all $a \in \mathbb{Z}$ and all prime ideals $R$ such that $a$ and $R$ are coprime and both prime to $q$, the power residue symbol $(a/R)$ satisfies relation (2). A proof of (2), as well as of the following proposition, can be found in [APR].

PROPOSITION 1. There exist integers $a, b$ such that $ab(a + b) \not\equiv 0 \pmod q$ and, letting $\theta_{a,b}(u)$, $1 \le u \le q - 1$, be the integers given by the floor expression (where $[x]$ denotes the largest integer not exceeding $x$) and

$$\theta_{a,b} = \sum_{u=1}^{q-1}\theta_{a,b}(u)\,u^{-1} \pmod q,$$

then $\theta_{a,b} \not\equiv 0 \pmod q$.

By Stickelberger's theorem (see, e.g., [L, p. 98]),

$$J_{a,b}(R)\,\mathbb{Z}[\zeta] = \prod_{u=1}^{q-1}\sigma_u^{-1}(R)^{\theta_{a,b}(u)},$$

where $\sigma_u$ is the automorphism of $\mathbb{Q}(\zeta)$ that maps $\zeta$ to $\zeta^u$. From this and the definition of the power residue symbol we obtain relation (3), which expresses $(J_{a,b}(R)/p)$ in terms of $\chi(R)$.

The following result due to Lagarias, Montgomery, and Odlyzko [LMO] will be needed in the proof of Theorem 6.

THEOREM 5. Assuming GRH, there exists an effectively computable constant $c$ such that for all finite extensions $K$ of $\mathbb{Q}$ and all Hecke characters $\chi$ of $K$, there exists a prime ideal $P$ of $K$ of residue class degree 1 over $\mathbb{Q}$ such that $\chi(P) \ne 1$ and $N(P) < c(\log A(\chi))^2$, where $A(\chi)$ is the product of the discriminant of $K$ over $\mathbb{Q}$ and the norm of the conductor of $\chi$.

THEOREM 6. There exists an effectively computable constant $c$ such that for all pairs of distinct odd rational primes $p$ and $q$, there exist $a, b, r \in \mathbb{Z}_{>0}$ with $a, b < q$, $\theta_{a,b} \not\equiv 0 \pmod q$ ($\theta_{a,b}$ is as defined in Proposition 1), $r$ prime, $r \equiv 1 \pmod q$, and $r \le cq^2\log^2(pq)$, such that

$$\left(\frac{J_{a,b}(R)}{p}\right) \ne 1$$

for some prime ideal $R$ over $r$ in $\mathbb{Z}[\zeta]$, and consequently

$$\left(\frac{J_{a,b}(R)}{P}\right) \ne 1$$

for at least one prime ideal $P$ over $p$ in $\mathbb{Q}(\zeta)$.

Proof. By Lemma 1, $\chi$ as defined in (1) is a Hecke character of conductor bounded by $pq$. The discriminant of $\mathbb{Q}(\zeta)$ over $\mathbb{Q}$ is $q^{q-2}$ (see, e.g., [W, p. 9]). Hence $A(\chi) \le q^{2q-3}p^{q-1}$, and from Theorem 5 it follows that there exists a prime ideal $R$ in $\mathbb{Z}[\zeta]$ of residue degree 1 such that $N(R) < 4c_1q^2\log^2(pq)$ and $\chi(R) \ne 1$, where $c_1$ is the effectively computable constant in Theorem 5. Let $r = N(R)$. Then $r \equiv 1 \pmod q$ and $r < cq^2\log^2(pq)$ with $c = 4c_1$. By Proposition 1, there exist nonnegative integers $a, b$ less than $q$ such that $\theta_{a,b} \not\equiv 0 \pmod q$. Let $\theta = \theta_{a,b}$. By (3),

$$\left(\frac{J_{a,b}(R)}{p}\right) = \chi(R)^{\theta}.$$

Since $\theta$ is invertible modulo $q$ and $\chi(R) \ne 1$, it follows that

$$\left(\frac{J_{a,b}(R)}{p}\right) \ne 1.$$

Consequently there exists a prime ideal $P$ over $p$ such that

$$\left(\frac{J_{a,b}(R)}{P}\right) \ne 1.$$

Let $\alpha \in \mathbb{Z}[\zeta]$ and let $P$ be a prime ideal. Then

$$\left(\frac{\alpha}{\sigma(P)}\right) = \sigma\!\left(\frac{\sigma^{-1}(\alpha)}{P}\right)$$

for all $\sigma$ in the Galois group of $\mathbb{Q}(\zeta)$ over $\mathbb{Q}$. Theorem 2 now follows from Theorem 6 and the fact that $J_{a,b}(R)$ can be computed in time polynomial in $q$ and $r$, as discussed before.

4. SOME TECHNICAL PREPARATION

For all algebraic number fields $K$, $O_K$ will denote the integral closure of $\mathbb{Z}$ in $K$.

LEMMA 2. Let $k$ be a number field. Let $K = k(\alpha)$ be a finite Galois extension of $k$, where $\alpha$ is integral over $k$ with irreducible polynomial $f \in k[x]$. Let $\mathfrak{p}$ be a prime ideal in $O_k$. Then for all $a \in O_k$,

$$f(a) \equiv 0 \pmod{\mathfrak{p}} \iff \alpha \equiv a \pmod P$$

for some prime ideal $P$ in $K$ containing $\mathfrak{p}$.

Proof. Let $G$ be the Galois group of $K$ over $k$. Then $f(x) = \prod_{\sigma \in G}(x - \alpha^\sigma)$. Hence $f(a) \equiv 0 \pmod{\mathfrak{p}}$ implies that for every prime ideal $P$ in $K$ containing $\mathfrak{p}$ there exists a $\sigma \in G$ such that $a - \alpha^\sigma \in P$, so $a - \alpha \in P^{\sigma^{-1}}$. Conversely, if $a - \alpha \in P$ for some prime ideal $P$ in $K$ containing $\mathfrak{p}$, then $f(a) = \prod_{\sigma \in G}(a - \alpha^\sigma)$ is in $P$. But $f(a) \in O_k$. So $f(a) \in O_k \cap P = \mathfrak{p}$. □

Let $A$ be a Dedekind domain with quotient field $F$. Let $K$ be a finite separable extension of degree $n$ over $F$. Let $\sigma_1, \dots, \sigma_n$ be the $n$ distinct embeddings of $K$ into the algebraic closure of $F$. For $\alpha \in K$, we define the discriminant $D_{K/F}(\alpha) = \det(\sigma_i(\alpha^{j-1}))^2$, where $i$ and $j$ range over 1 to $n$. Let $B$ be the integral closure of $A$ in $K$. Let $\mathfrak{p}$ be a prime ideal in $A$. Then $S = A - \mathfrak{p}$ is a multiplicatively closed subset of both $A$ and $B$. We denote the ring $S^{-1}A$ by $A_{\mathfrak{p}}$ and the ring $S^{-1}B$ by $B_{\mathfrak{p}}$. Let $\mathfrak{p}$ be a non-zero prime ideal in $A$. Let

$$\mathfrak{p}B = P_1^{e_1}\cdots P_r^{e_r},$$

where $P_1, \dots, P_r$ are distinct prime ideals in $B$. Then $e_i$ is the ramification index of $P_i$ over $\mathfrak{p}$, and the degree $f_i$ of the extension $B/P_i$ over $A/\mathfrak{p}$ is the residue class degree of $P_i$ over $\mathfrak{p}$. In particular, when $K$ is a Galois extension over $F$, the $e_i$'s are all the same and denoted by $e_{\mathfrak{p}}(K/F)$, and the $f_i$'s are all the same and denoted by $f_{\mathfrak{p}}(K/F)$. When $F$ is Galois over $\mathbb{Q}$,

$e_{\mathfrak{p}}(K/F)$ is the same for all prime ideals $\mathfrak{p}$ over a rational prime $p$ and is denoted by $e_p(K/F)$, and $f_{\mathfrak{p}}(K/F)$ is the same for all prime ideals $\mathfrak{p}$ over a rational prime $p$ and is denoted by $f_p(K/F)$. The following theorem of Dedekind (see [N, Theorem 4.10]; also [H1]) will be needed later on.

THEOREM 7. Let $A$ be a Dedekind ring with quotient field $F$. Let $K$ be a finite algebraic extension of $F$. Let $B$ be the integral closure of $A$ in $K$. Let $\alpha \in B$ such that $K = F(\alpha)$ and let $f$ be the irreducible polynomial of $\alpha$ over $F$. Let $\mathfrak{p}$ be a non-zero prime ideal in $A$. Suppose $\mathfrak{p}$ does not divide $D_{K/F}(\alpha)$. Let $\bar f$ be the reduction of $f$ modulo $\mathfrak{p}$. Let

$$\bar f = \bar h_1^{e_1}\cdots \bar h_r^{e_r}$$

be the factorization of $\bar f$ into powers of irreducible factors with leading coefficient 1 over $A/\mathfrak{p}$. Then

$$\mathfrak{p}B = P_1^{e_1}\cdots P_r^{e_r},$$

where $P_1, \dots, P_r$ are distinct prime ideals in $B$. Further, $B/P_i$ is an extension of $A/\mathfrak{p}$ of degree equal to the degree of $\bar h_i$, and

$$P_iB_{\mathfrak{p}} = \mathfrak{p}B_{\mathfrak{p}} + h_i(\alpha)B_{\mathfrak{p}},$$

where $h_i \in A[x]$ has leading coefficient 1 and its reduction mod $\mathfrak{p}$ is $\bar h_i$.

PROPOSITION 2. Let $k$ be a number field. Let $K = k(\alpha)$ be a cyclic extension of $k$ of prime degree $q$ with $\alpha \in O_K$. Let $\sigma$ be a generator of the Galois group $G$ of $K$ over $k$. Let $\zeta$ be a primitive $q$th root of unity. Let $M = k(\zeta)$ and $L = K(\zeta)$. Let $\eta = \sum_{i=1}^{q}\sigma^i(\alpha)\zeta^i$ and let $\Delta = \eta^q$. Then

(1) $x^q - \Delta$ is irreducible over $M$ and $L = M(\eta)$;
(2) for rational primes $p \ne q$, $e_p(K/k) = e_p(L/M)$ and $f_p(K/k) = f_p(L/M)$;
(3) let $p$ be a rational prime not equal to $q$ and let $P$ be a prime ideal in $M$ containing $p$. Let $v$ be the valuation associated with $P$ and let $\pi \in M$ with $v(\pi) = 1$. If $v(\Delta)$ is not divisible by $q$, then $e_p(K/k) = q$. If $v(\Delta) = qj$ for some $j \in \mathbb{Z}_{\ge 0}$, then $O_{L,P} = O_{M,P}[\beta]$, where $\beta = \pi^{-j}\eta$.

Proof. (1) From the definition of $\eta$, it follows that $\sigma^i(\eta) = \eta\zeta^{-i}$ for $1 \le i \le q$. They are conjugate over $M$ and easily seen to be all distinct. Moreover, they are the roots of $x^q = \Delta$. It follows that $x^q - \Delta$ is irreducible over $M$, and $L = M(\eta)$.

(2) Since $e_p(K/k)$ and $e_p(L/M)$ divide $q$, since $e_p(M/k)$ and $e_p(L/K)$ divide $q - 1$, and since

$$e_p(L/M)\,e_p(M/k) = e_p(L/K)\,e_p(K/k),$$

it follows that $e_p(K/k)$ and $e_p(L/M)$ are either both 1 or both $q$, so they are equal. A similar argument shows that $f_p(L/M) = f_p(K/k)$.

(3) Suppose $v(\Delta) = qj + i$ with $0 \le i, j$ and $i < q$. Let $\beta = \pi^{-j}\eta$. Then $v(\beta^q) = i$. Let $\bar v$ be an extension of $v$ to $L$. Let $e = e_P(L/M)$. Then

$$q\,\bar v(\beta) = \bar v(\beta^q) = e\,v(\beta^q) = ei.$$

Since $e$ divides $q$ and $i < q$, if $i > 0$ then $e = q$. Let $D_{L/M}(\beta)$ denote the discriminant of $\beta$ relative to the extension $L$ over $M$. Since the conjugates of $\beta$ over $M$ are $\beta\zeta^i$, $0 \le i \le q - 1$,

$$D_{L/M}(\beta) = \prod_{0 \le i < j \le q-1}\left(\beta\zeta^i - \beta\zeta^j\right)^2 = \beta^{q(q-1)}\prod_{0 \le i < j \le q-1}\zeta^{2i}\left(1 - \zeta^{j-i}\right)^2,$$

and since $1 - \zeta^i$ is contained only in prime ideals above $q$, it follows that $\bar v(D_{L/M}(\beta)) > 0$ iff $\bar v(\beta^q) > 0$. Therefore if $v(\Delta)$ is divisible by $q$, then $v(\beta^q) = 0$; hence $v(D_{L/M}(\beta)) = 0$. It follows from Theorem 7 that $O_{L,P} = O_{M,P}[\beta]$. □

5. PROOF OF MAIN THEOREM

This section is devoted to the proof of Theorem 1. Given a rational prime $p$ and a monic integral Abelian polynomial $f$ whose discriminant is not divisible by $p$, all the irreducible factors of $f$ over $\mathbb{Q}$ are again monic, integral, Abelian, with discriminant not divisible by $p$. Since $f$ can be factored over $\mathbb{Q}$ in deterministic polynomial time [LLL], to prove Theorem 1 we can assume without loss of generality that $f$ is already irreducible over $\mathbb{Q}$. Let $\alpha$ be a root of $f$. Let $O$ be the ring of integers in $\mathbb{Q}(\alpha)$. Let $G$ be the Galois group of $\mathbb{Q}(\alpha)$ over $\mathbb{Q}$. Theorem 7 implies that $p$ is unramified in $\mathbb{Q}(\alpha)$. Further, since $\mathbb{Q}(\alpha)$ is Abelian, $D$ is the fixed field of the Artin symbol $\sigma_p$ for $p$, the element in $G$ characterized by

$$\sigma_p(\mu) \equiv \mu^p \pmod P$$

for all prime ideals $P$ in $\mathbb{Q}(\alpha)$ above $p$ and all $\mu \in O$. Since $O_p = \mathbb{Z}_p[\alpha]$, the above condition holds iff

$$\sigma_p(\alpha) \equiv \alpha^p \pmod p.$$

It follows that $\sigma_p$, and consequently $D$, can be computed in time polynomial in the length of $f$.

For all subfields $K$ of $\mathbb{Q}(\alpha)$, let $G_K$ denote the subgroup of $G$ consisting of elements that fix $K$, and let $H_K$ denote a set of distinct coset representatives for $G/G_K$. For all subfields $K, L$ of $\mathbb{Q}(\alpha)$ with $K \subset L$, $H_{L,K}$ denotes a set of distinct coset representatives for $G_K/G_L$. Since $p$ does not divide the discriminant of $f$, Theorem 7 implies that $O_p = \mathbb{Z}_p[\alpha]$. For all $\sigma \in G$, $\sigma(\alpha) \in O_p$, hence there exists an $h_\sigma \in \mathbb{Z}_p[x]$ of degree less than the degree of $f$ such that $\sigma(\alpha) = h_\sigma(\alpha)$. For all $g \in \mathbb{Z}_p[x]$, let $g_\sigma$ be the monic integral polynomial with coefficients non-negative and less than $p$ such that

$$\gcd(g \circ h_\sigma \bmod p,\ f \bmod p) = g_\sigma \bmod p.$$

LEMMA 3. Let $g \in \mathbb{Z}[x]$ such that $g \bmod p$ is an irreducible factor of $f \bmod p$. Then:

(1) for all $t \in \mathbb{Z}_p[x]$, $t(\alpha)$ is in the prime ideal $g(\alpha)O_p + pO_p$ if and only if $t \bmod p$ is divisible by $g \bmod p$;
(2) for all $\sigma \in G$, $g_\sigma \bmod p$ is an irreducible factor of $f \bmod p$, and

$$f = \prod_{\sigma \in H_D} g_\sigma \bmod p;$$

(3) let $S$ be a subset of $G$ and let $H = \prod_{\sigma \in S} g_\sigma$. Then for all $\tau \in G$,

$$H_\tau = \prod_{\sigma \in S} g_{\sigma\tau} \bmod p \quad\text{and}\quad \gcd(H_\tau \bmod p,\ H \bmod p) = \prod_{\sigma \in S\tau \cap S} g_\sigma.$$

Proof. (1) Since $p$ does not divide the discriminant of $f$, Theorem 7 implies that each irreducible factor of $f \bmod p$ uniquely determines a prime ideal in $O$ above $p$. Let $g \in \mathbb{Z}[x]$ such that $g \bmod p$ is an irreducible factor of $f \bmod p$. Then $P = g(\alpha)O_p + pO_p$ is a prime ideal in $O_p$ above $p$. Let $t \in \mathbb{Z}_p[x]$. Suppose $t \bmod p$ is divisible by $g \bmod p$; then clearly $t(\alpha) \in P$. Conversely suppose $t(\alpha) \in P$. Let $w \in \mathbb{Z}_p[x]$ such that $w \bmod p$ is the gcd of $g \bmod p$ and $t \bmod p$. Then we see that $w(\alpha) \in P$. Since $g \bmod p$ is irreducible, either $w \equiv g \pmod p$ or $w \equiv 1 \pmod p$. But since $w(\alpha) \in P$, it follows that $w \equiv g \pmod p$. This proves (1).

(2) We have

$$P^\sigma = \sigma(g(\alpha))O_p + pO_p = g \circ h_\sigma(\alpha)O_p + pO_p.$$

From the definition of $g_\sigma$, it follows that

$$g \circ h_\sigma(\alpha)O_p + pO_p = g_\sigma(\alpha)O_p + pO_p.$$

Hence $P^\sigma$ is the unique prime ideal over $p$ that contains $g_\sigma(\alpha)$. From (1) and the definition of $g_\sigma$ it follows that $g_\sigma \bmod p$ is an irreducible factor of $f \bmod p$. Since $\mathbb{Q}(\alpha)$ is Abelian and $p$ is unramified in it, $P^\sigma$ for $\sigma \in H_D$ are the distinct prime ideals in $O_p$. It follows that

$$f = \prod_{\sigma \in H_D} g_\sigma \bmod p.$$

This proves (2).

(3) Let $\tau \in G$. Since

$$g_\sigma \circ h_\tau(\alpha) = g_\sigma(h_\tau(\alpha)) = g_\sigma(\tau(\alpha)) = \tau(g_\sigma(\alpha)),$$

it follows that $(P^\sigma)^\tau$ for $\sigma \in S$ are precisely all the prime ideals above $p$ that contain $H_\tau(\alpha)$. Now (3) follows from (1), (2), and the definition of $H_\tau$. □

Let $K$ be a subfield of $D$. Let $g \in \mathbb{Z}[x]$ such that $g \bmod p$ is an irreducible factor of $f \bmod p$. Let

$$f_K = \prod_{\sigma \in H_{D,K}} g_\sigma.$$

Then from Lemma 3 (2) and (3) it follows that

$$f = \prod_{\sigma \in H_K}(f_K)_\sigma \bmod p.$$

The $(f_K)_\sigma$'s can be obtained from $f_K$ and $h_\sigma$. In particular, when $K = D$, they are precisely all the irreducible factors of $f \bmod p$.

LEMMA 4. Let $K$ be a subfield of $D$. Let $f_K$ be as defined above. Then given $t \in \mathbb{Z}_p[x]$ such that $t(\alpha) \in K$, all $a \in \mathbb{Z}_{\ge 0}$ such that $a < p$ and $t(\alpha) \equiv a \pmod{\mathfrak{p}}$ for some prime ideal $\mathfrak{p}$ in $K$ above $p$ can be computed in $O(mn\log^2 p)$ time, where $m = [D : K]$ and $n = [\mathbb{Q}(\alpha) : \mathbb{Q}]$.

Proof. Let $H_{D,K}$ be a set of representatives of $G_K/G_D$. Let $\mathfrak{p}$ be a prime ideal in $K$ above $p$. Let $P$ be a prime ideal in $\mathbb{Q}(\alpha)$ above $\mathfrak{p}$. Then $P^\sigma$, $\sigma \in H_{D,K}$, are the distinct prime ideals in $\mathbb{Q}(\alpha)$ above $\mathfrak{p}$. Let $g \in \mathbb{Z}[x]$ such that $g \bmod p$ is an irreducible factor of $f \bmod p$ and $g(\alpha) \in P$. Let $t \in \mathbb{Z}_p[x]$ with $t(\alpha) \in K$. Let $a \in \mathbb{Z}$. Then $t(\alpha) - a \in \mathfrak{p}$ iff $t(\alpha) - a \in P^\sigma$ for all $\sigma \in H_{D,K}$. By Lemma 3 this holds iff $t - a \bmod p$ is divisible by $g_\sigma \bmod p$ for all $\sigma \in H_{D,K}$, iff $t - a \bmod p$ is divisible by $f_K \bmod p$, where $f_K$ is defined with respect to $g$. Hence to find all $a \in \mathbb{Z}_{\ge 0}$ such that $a < p$ and $t(\alpha) \equiv a \pmod{\mathfrak{p}}$ for some prime ideal $\mathfrak{p}$ above $p$ in $K$, it is sufficient to divide $t \bmod p$ by $(f_K)_\sigma \bmod p$ for all $\sigma \in H_K$, and the remainders will be what we want. The $m$ gcd computations of pairs of polynomials of degree at most $n$ take $O(nm\log^2 p)$ time. The assertion follows. □

Let

$$\mathbb{Q} = k_0 \subset k_1 \subset \cdots \subset D$$

be a chain of cyclic extensions of prime degrees. Let $k_i = k_{i-1}(w_i)$ with $w_i$ integral over $k_{i-1}$. Such a chain can be computed in time polynomial in the length of $f$. Suppose inductively that $f_{k_i}$ has been computed. Let $k = k_i$, $K = k_{i+1}$, and $w = w_{i+1}$. Let $q = [K : k]$ and let $\zeta$ be a primitive $q$th root of unity. Let $M = k(\zeta)$ and $L = K(\zeta)$. In the sequel we discuss how $f_K$ can be computed from $f_k$. Since $w \in O_K$, $\sigma(w) \in O_p \subset \mathbb{Z}_p[\alpha]$. Let $\sigma$ be a generator for $\mathrm{Gal}(K/k)$. Then

$$\sigma^i(w) = \sum_{j=0}^{n-1} a_{ij}\alpha^j \quad\text{with } a_{ij} \in \mathbb{Z}_p.$$

Let $m$ be the largest integer such that $p^m$ divides all $a_{ij}$. Let $u = p^{-m}w$. Then $u \in \mathbb{Z}_p[\alpha]$. It follows that there exists a prime ideal $\mathfrak{P}$ over $p$ in $\mathbb{Q}(\alpha, \zeta)$ such that $\eta \notin \mathfrak{P}$. Let $P$ be the restriction of $\mathfrak{P}$ to $\mathbb{Q}(\alpha)$. Let $P_L, P_K, P_M, P_k$ denote the restriction of $\mathfrak{P}$ to $L, K, M, k$, respectively. Let $\mathfrak{q}$ be the restriction of $\mathfrak{P}$ to $\mathbb{Q}(\zeta)$. Then

$$\mathfrak{q} = h(\zeta)\mathbb{Z}[\zeta] + p\mathbb{Z}[\zeta],$$

where $h \in \mathbb{Z}[x]$ and $h \bmod p$ is an irreducible factor of $\Phi_q \bmod p$. Let $\Delta = \eta^q$. Let

$$\Delta = \sum_{i=0}^{q-1}\Delta_i(\alpha)\zeta^i$$

with $\Delta_i(\alpha) \in \mathbb{Q}(\alpha)$. Since $\Delta \in \mathbb{Z}_p[\alpha, \zeta]$ and $1, \zeta, \dots, \zeta^{q-1}$ are linearly independent over $\mathbb{Q}(\alpha)$, it follows that $\Delta_i(\alpha) \in \mathbb{Z}_p[\alpha] \cap k$. Hence there exist $a_i \in \mathbb{Z}$ such that

$$\Delta_i(\alpha) \equiv a_i \pmod{P_k}.$$

Let

$$\theta = \sum_{i=0}^{q-1} a_i\zeta^i.$$

Then $\Delta \equiv \theta \pmod{P_M}$. Lemma 2 implies that $x^q - \Delta$ is the irreducible polynomial for $\eta$ over $M$, $e_p(L/M) = f_p(L/M) = 1$, and $x^q - \theta$ splits completely modulo $\mathfrak{q}$. By Theorem 7 there exists a $\gamma \in \mathbb{Z}[\zeta]$ such that $\gamma^q \equiv \theta \pmod{\mathfrak{q}}$ and $\eta - \gamma$ determines $P_L$ over $P_M$. Let $d$ be the degree of $h \bmod p$. Then there exist $p_i \in \mathbb{Z}_p[x]$, $0 \le i \le d - 1$, with $p_i(\alpha) \in \mathbb{Z}_p[\alpha] \cap K$ such that

$$\eta - \gamma \equiv \sum_{i=0}^{d-1} p_i(\alpha)\zeta^i \pmod{h(\zeta)}.$$

Since $p_i(\alpha) \in \mathbb{Z}_p[\alpha] \cap K$, $p_i(\alpha) \equiv b_i \pmod{P_K}$, where $b_i \in \mathbb{Z}$. Since $\eta - \gamma \in P_L$, it follows that $p \mid b_i$ for all $i$. Hence $p_i(\alpha) \in P_K$ for all $i$. Let $g \in \mathbb{Z}[x]$ such that $g \bmod p$ is the irreducible factor of $f \bmod p$ that determines $P$. Then by Lemma 3, $g_\sigma \bmod p$ divides $p_i \bmod p$ for all $i$ and all $\sigma \in H_{D,K}$, since $P^\sigma$ with $\sigma \in H_{D,K}$ are the distinct prime ideals in $\mathbb{Q}(\alpha)$ over $P_K$. Let

$$f_K = \prod_{\sigma \in H_{D,K}} g_\sigma.$$

Then $f_K \bmod p$ divides $p_i \bmod p$ for all $i$. On the other hand, since $P_L$ is the unique ideal in $L$ over $P_M$ that contains $\eta - \gamma$, and since $P_K^\sigma$ with $\sigma \in H_{K,k}$ are the distinct ideals in $K$ over $P_k$, it follows that for all $\sigma \in H_{K,k}$ with $\sigma \ne 1$ there exists an $i$ such that $\gcd(p_i \bmod p, (f_K)_\sigma \bmod p) = 1$. Therefore, since $f_k = \prod_{\sigma \in H_{K,k}}(f_K)_\sigma \bmod p$,

$$\gcd(f_k \bmod p,\ p_i \bmod p : 0 \le i \le d - 1) = f_K \bmod p.$$

We are led to the following procedure for computing $f_K$:

(a) Let $P_\sigma$ ($\sigma \in H_k$) be the prime ideals in $k$ above $p$ determined by $f_k \bmod p$. For all $\sigma \in H_k$, compute $a_i^\sigma \in \mathbb{Z}$ such that

$$\Delta_i(\alpha) \equiv a_i^\sigma \pmod{P_\sigma}.$$

(b) Choose a $\sigma$ such that not all corresponding $a_i^\sigma$ are divisible by $p$. Set

$$\theta = \sum_{i=0}^{q-1} a_i^\sigma\zeta^i.$$

(c) Factor $\Phi_q \bmod p$ and find an irreducible factor $h \bmod p$ such that $\theta \notin \mathfrak{q}$, where $\mathfrak{q} = h(\zeta)\mathbb{Z}[\zeta] + p\mathbb{Z}[\zeta]$.

(d) Find a $\gamma \in \mathbb{Z}[\zeta]$ such that $\gamma^q \equiv \theta \pmod{\mathfrak{q}}$.

(e) Compute $p_i \in \mathbb{Z}_p[x]$ such that

$$\eta - \gamma \equiv \sum_{i=0}^{d-1} p_i(\alpha)\zeta^i \pmod{h(\zeta)}.$$

(f) Compute $f_K \in \mathbb{Z}[x]$ such that

$$\gcd(f_k \bmod p,\ p_i \bmod p : 0 \le i \le d - 1) = f_K \bmod p.$$

Step (a) of the above procedure can be carried out as in Lemma 4. Since the cyclotomic field $\mathbb{Q}(\zeta_q)$ is Abelian and since $p$ does not divide the discriminant of $\Phi_q$, the factorization of $\Phi_q \bmod p$ in the above procedure can be done recursively by the method of this section. With the factor $h \bmod p$ of $\Phi_q \bmod p$ found in step (c) and with a $q$th nonresidue in $\mathbb{F}_p[x]/h\mathbb{F}_p[x]$ constructed as in Theorem 2, step (d) can be done by applying the algorithm in Section 2. In this way we eventually compute $f_D$ and from it all the irreducible factors of $f \bmod p$.

Let $T(N, p)$ be the time complexity for computing the irreducible factors of $f \bmod p$, where $f$ is of length $N$. Let $a \in \mathbb{Z}_{>0}$ such that the time for constructing $D$ and the tower of cyclic extensions, as well as all the Galois theoretic computations involved in the algorithm, is bounded by $N^a$. Let $b, c \in \mathbb{Z}_{>0}$ such that the time for applying the algorithm of Section 2 in step (d) is bounded by $q^b\log^c p$. Then

$$T(N, p) \le N^a + \sum_{q \mid n} T(q, p) + q^b\log^c p,$$

where $n$ is the degree of $f$. It follows that $T(N, p)$ is polynomially bounded with exponent $d = \max(a, b) + 1$. Theorem 1 is proved. □

REFERENCES

[AL] L. M. ADLEMAN AND H. W. LENSTRA, JR., Finding irreducible polynomials over finite fields, in "Proceedings, 18th Annual ACM Symposium on Theory of Computing, 1986," pp. 350-355.
[AMM] L. M. ADLEMAN, K. MANDERS, AND G. MILLER, On taking roots in finite fields, in "Proceedings, 18th IEEE Symposium on Foundations of Computer Science, 1977," pp. 175-178.
[APR] L. M. ADLEMAN, C. POMERANCE, AND R. S. RUMELY, On distinguishing prime numbers from composite numbers, Ann. of Math. 117 (1983), 173-206.
[AHU] A. V. AHO, J. E. HOPCROFT, AND J. D. ULLMAN, "The Design and Analysis of Computer Algorithms," Addison-Wesley, Reading, MA, 1974.
[An] N. C. ANKENY, The least quadratic non residue, Ann. of Math. 55 (1952), 65-72.
[AT] E. ARTIN AND J. TATE, "Class Field Theory," Benjamin, Reading, MA, 1967.
[B] E. BACH, Fast algorithms under the extended Riemann hypothesis: A concrete estimate, in "Proceedings, 14th ACM Symposium on Theory of Computing, 1982," pp. 290-295.
[Be] E. R. BERLEKAMP, Factoring polynomials over large finite fields, Math. Comp. 24 (1970), 713-735.
[Be1] E. R. BERLEKAMP, "Algebraic Coding Theory," McGraw-Hill, New York, 1968.
[H1] M. A. HUANG, Factorization of polynomials over finite fields and factorization of primes in algebraic number fields, in "Proceedings, 16th ACM Symposium on Theory of Computing, 1984," pp. 175-182.
[H2] M. A. HUANG, Riemann hypothesis and finding roots over finite fields, in "Proceedings, 17th ACM Symposium on Theory of Computing, 1985," pp. 121-130.
[CF] J. W. S. CASSELS AND A. FRÖHLICH (Eds.), "Algebraic Number Theory," Academic Press, New York/London, 1967.
[L] S. LANG, "Algebraic Number Theory," Addison-Wesley, Reading, MA, 1970.
[LLL] A. K. LENSTRA, H. W. LENSTRA, JR., AND L. LOVÁSZ, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), 515-535.
[LMO] J. C. LAGARIAS, H. L. MONTGOMERY, AND A. M. ODLYZKO, A bound for the least prime ideal in the Chebotarev density theorem, Invent. Math. 54 (1979), 271-296.
[N] W. NARKIEWICZ, "Elementary and Analytic Theory of Algebraic Numbers," PWN, Warsaw, 1974.
[R] M. O. RABIN, Probabilistic algorithms in finite fields, SIAM J. Comput. 9 (1980), 273-280.
[Ro] L. RONYAI, Factoring polynomials over finite fields, J. Algorithms 9 (1988), 391-400.
[Ro1] L. RONYAI, Galois groups and factoring polynomials over finite fields, preprint.
[T] A. TONELLI, Bemerkung über die Auflösung quadratischer Congruenzen, Göttinger Nachr. (1891), 344-346.
[W] L. WASHINGTON, "Introduction to Cyclotomic Fields," Springer-Verlag, New York, 1982.