
doi:10.1006/ffta.2000.0306, available online at http://www.idealibrary.com on

Factoring Polynomials over Special Finite Fields

Eric Bach

Computer Sciences Department, University of Wisconsin, Madison, Wisconsin 53706

E-mail: bach@cs.wisc.edu

Joachim von zur Gathen

Fachbereich Mathematik-Informatik, Universität Paderborn, 33095 Paderborn, Germany

E-mail: gathen@uni-paderborn.de

and

Hendrik W. Lenstra, Jr.

Department of Mathematics C3840, University of California, Berkeley, California 94720-3840 and

Mathematisch Instituut, Universiteit Leiden, Postbus 9512, 2300 RA Leiden, The Netherlands

E-mail: hwl@math.berkeley.edu, hwl@math.leidenuniv.nl

Communicated by Igor Shparlinski

Received September 18, 1997; revised June 14, 2000; accepted August 23, 2000;

published online November 29, 2000

DEDICATED TO CHAO KO FOR HIS 90TH BIRTHDAY

We exhibit a deterministic algorithm for factoring polynomials in one variable over finite fields. It is efficient only if a positive integer k is known for which $\Phi_k(p)$ is built up from small prime factors; here $\Phi_k$ denotes the kth cyclotomic polynomial, and p is the characteristic of the field. In the case k = 1, when $\Phi_k(p) = p - 1$, such an algorithm was known, and its analysis required the generalized Riemann hypothesis. Our algorithm depends on a similar, but weaker, assumption; specifically, the algorithm requires the availability of an irreducible polynomial of degree r over $\mathbb{Z}/p\mathbb{Z}$ for each prime number r for which $\Phi_k(p)$ has a prime factor l with $l \equiv 1 \bmod r$. An auxiliary procedure is devoted to the construction of roots of unity by means of Gauss sums. We do not claim that our algorithm has any practical value. 2000 Academic Press

Key Words: finite field; algorithm; factoring polynomials; Gauss sum.

1071-5797/00 $35.00. Copyright 2000 by Academic Press. All rights of reproduction in any form reserved.

1. INTRODUCTION

We present a theoretical result on the deterministic complexity of factoring polynomials over large finite fields. Let p be a prime number, k a positive integer, and $q = p^k$. We denote by $\mathbb{F}_q$ a finite field of cardinality q, and by $\Phi_k$ the kth cyclotomic polynomial. Let S(q) be the set of prime numbers dividing $\Phi_k(p)$, and s(q) the largest element of S(q), with s(2) = 1. We let $R(q) = \{r : r \text{ is prime, and } r \text{ divides } l - 1 \text{ for some prime number } l \in S(q)\}$.

THEOREM 1. There is a deterministic algorithm that, for some positive real number c, has the following property: given a prime number p, positive integers n and k, explicit data for $\mathbb{F}_{p^n}$, a non-zero polynomial $f \in \mathbb{F}_{p^n}[X]$, and for each prime number $r \in R(p^k)$ that does not divide n an irreducible polynomial $g_r$ of degree r in $\mathbb{F}_p[X]$, the algorithm finds in time at most $(s(p^k) + \deg f + n \log p)^c$ the factorization of f into irreducible factors in $\mathbb{F}_{p^n}[X]$.

The number k in Theorem 1 has no relation to n or f, and its role is purely auxiliary. It enters the run time estimate only through the number $s(p^k)$, which by (6.1) is at least k/2. For the definition of explicit data we refer to [12]. Time is measured in bit operations. Elements of explicitly given finite fields, such as the coefficients of f and its factors in Theorem 1, are required to be represented in the given model. Our proof of Theorem 1 is not merely existential, but allows for the effective construction of an algorithm with the listed properties.

COROLLARY. There is a deterministic polynomial-time algorithm that factors polynomials in one variable over finite fields whose characteristic is a Fermat prime or a Mersenne prime.

To deduce this from Theorem 1, we take k = 1 if $p = 2^m + 1$ is a Fermat prime and k = 2 if $p = 2^m - 1$ is a Mersenne prime; then we have $\Phi_k(p) = p \mp 1 = 2^m$ and $S(p^k) = \{2\}$, so that $R(p^k)$ is empty, and the result follows.

Generally, Theorem 1 establishes a relation between the deterministic complexity of the following two problems. The first is the problem of constructing an irreducible polynomial of given degree over a given finite field. The second is the problem of factoring polynomials over finite fields. V. Shoup [18] has shown that there is a deterministic polynomial-time "Turing" reduction of the first problem to the second. Theorem 1 shows that there is a similar reduction of the second problem to the first, provided that the characteristic p of the finite field has a special property; namely, a positive integer k should be available for which $\Phi_k(p)$ is built up from small prime factors. The same condition has been encountered in different circumstances (see [4; 13]), and not much is known about the distribution of prime numbers p for which a suitable k exists. The data of C. Pomerance and J. Sorenson [15] suggest that for large p and k = 1 or 2, the number $\Phi_k(p)$ is built up from small prime factors with roughly the same probability as a random number of the same size.

If the generalized Riemann hypothesis (GRH) is true, then Theorem 1 remains true even if the polynomials $g_r$ are not given, since these can in that case be constructed by a deterministic polynomial-time algorithm [1]. Thus, Theorem 1 adds to the long list of special cases in which factoring polynomials over finite fields can be done deterministically in polynomial time, if GRH is granted; see [5, Notes on 7.8].

The case k = 1 of our result, with the $g_r$ replaced by the assumption of GRH, was obtained by the second author [8] and independently by M. Mignotte and C. Schnorr [14]. Their method makes use of an $\mathbb{F}_p$-algebra all of whose units have order dividing $\Phi_1(p) = p - 1$, and those units are controlled by the availability, guaranteed through GRH, of lth power non-residues in $\mathbb{F}_p$, for each prime number l dividing p − 1. In extending this method to a proof of Theorem 1 one encounters several problems. The first is that one now needs to construct, for general k, a sufficient supply of units of order dividing $\Phi_k(p)$, in some algebra over $\mathbb{F}_p$. We solve this problem by means of a pretty formula, which is given in Proposition (5.2). Secondly, there is the problem of constructing the analogues of lth power non-residues. The natural way of doing this (cf. [9]) would require an irreducible rth degree polynomial $g_r \in \mathbb{F}_p[X]$ to be known for each prime number r dividing the product $\prod_{m \ge 0} \varphi^{(m)}(\Phi_k(p))$, where $\varphi^{(m)}$ denotes the mth iterate of the Euler $\varphi$-function; this includes the primes in $R(p^k)$, which all divide $\varphi(\Phi_k(p))$. The fact that Theorem 1 economizes on the $g_r$, and requires them only for $r \in R(p^k)$, makes the construction somewhat laborious. Two auxiliary results that we need in this context can be formulated as follows.

THEOREM 2. There is a deterministic algorithm that, for some positive real number c, has the following property: given two prime numbers p and l, a positive integer h for which $p^h \equiv 1 \bmod l$, explicit data for $\mathbb{F}_{p^h}$, and, for each prime number r dividing l − 1 but not dividing h, an irreducible polynomial $g_r$ of degree r in $\mathbb{F}_p[X]$, the algorithm constructs in time at most $(l + h \log p)^c$ a primitive lth root of unity in $\mathbb{F}_{p^h}$.

The proof of Theorem 2 makes use of Gauss sums in a certain algebra over $\mathbb{F}_{p^h}$.

THEOREM 3. There is a deterministic algorithm that, for some positive real number c, has the following property: given a prime number p, a positive integer k, explicit data for $\mathbb{F}_{p^k}$, and, for each $l \in S(p^k)$, a primitive lth root of unity in $\mathbb{F}_{p^k}$, the algorithm constructs, in time at most $(s(p^k) + k \log p)^c$, for each $l \in S(p^k)$ an element of $\mathbb{F}_{p^k}$ that is not an lth power in $\mathbb{F}_{p^k}$.

The case k = 1 of Theorem 3 is due to L. Rónyai [16]. Our proof of the general case depends, again, on our method of constructing elements of order dividing $\Phi_k(p)$ in certain algebras.

In Section 2 we assemble a few theoretical and algorithmic results about roots of unity in rings. Section 3 is devoted to Gauss sums and Jacobi sums. In Sections 4, 5, and 6 we prove Theorems 2, 3, and 1, respectively.

At several points in the paper we shall refer to Berlekamp's algorithm. By this we shall always mean an algorithm that factors any non-zero f in $\mathbb{F}_q[X]$ in time $(p + \deg f + \log q)^{O(1)}$, see [6; 5, Exercise 7.17]. Berlekamp's algorithm shows that Theorem 1 is of interest only for "large" p.

Whenever we assert that an algorithm with certain properties exists, such an algorithm is actually exhibited, explicitly or implicitly, in the paper itself or in the papers that we refer to. Any algorithmic choices and recommendations that we make are inspired by the desire to give a valid and quick proof of our results, and no effort has been made to optimize the efficiency of the algorithms; in fact, we would be surprised if our results had any implication for the practical problem of factoring polynomials over finite fields.

Rings are supposed to be commutative with 1, and the unit element is supposed to be preserved by ring homomorphisms. The group of units of a ring R is denoted by $R^*$, and for $u \in R^*$ we write $\langle u \rangle$ for the subgroup of $R^*$ generated by u. If K is a field, a K-algebra is a ring R equipped with a ring homomorphism $K \to R$.

2. STRICT ROOTS OF UNITY

Let R be a ring. If n is a positive integer, then we call an element $\zeta \in R$ a strict nth root of unity if $\zeta^n = 1$ and $\zeta^{n/r} - 1 \in R^*$ for each prime number r dividing n. Obviously, if R is a field, then a strict nth root of unity is the same as a primitive nth root of unity.

PROPOSITION (2.1). Suppose that $\zeta \in R$ is a strict nth root of unity. Then we have:

(a) if R is non-zero, then ζ has multiplicative order n;

(b) if $f : R \to R'$ is a ring homomorphism, then f(ζ) is a strict nth root of unity in R';

(c) $\zeta^i - \zeta^j \in R^*$ whenever i, j are integers with $i \not\equiv j \bmod n$;

(d) $\prod_{i=0}^{n-1} (X - \zeta^i) = X^n - 1$ in the polynomial ring R[X];

(e) if n' is a positive integer all of whose prime factors divide n, and $\gamma \in R$ satisfies $\gamma^{n'} = \zeta$, then γ is a strict n'nth root of unity;

(f) if n' is a positive integer with gcd(n', n) = 1, and $\gamma \in R$ is a strict n'th root of unity, then γζ is a strict n'nth root of unity;

(g) $\zeta^i$ is a strict n/gcd(n, i)th root of unity for each integer i;

(h) if $\nu \subset \langle \zeta \rangle$ is any subgroup of order greater than 1, then $\sum_{\gamma \in \nu} \gamma = 0$.

Proof. Parts (a) and (b) are obvious.

(c) The image $\bar\zeta$ of ζ in the ring $\bar R = R/(\zeta^i - \zeta^j)R$ satisfies $\bar\zeta^i = \bar\zeta^j$ and has therefore order less than n. By (b), it is a strict nth root of unity, so (a) implies that $\bar R$ is the zero ring. Therefore we have $\zeta^i - \zeta^j \in R^*$.

(d) If R is a field, and a polynomial $f \in R[X]$ has pairwise distinct zeroes $a_i \in R$, then f is divisible by $\prod_i (X - a_i)$ (see [10, Chap. IV, Theorem 1.4 and proof]). The same proof shows that this remains true if R is a ring and $a_i - a_j \in R^*$ for all $i \ne j$. Applying this to $f = X^n - 1$ and $a_i = \zeta^i$ one obtains (d).

Part (e) is immediate from the definition, and (f) and (g) are easy consequences of (c).

(h) Let $\rho \in \nu$, $\rho \ne 1$. We have $\rho\nu = \nu$, so the sum $\sum_{\gamma \in \nu} \gamma$ is unchanged under multiplication by ρ, and therefore annihilated by ρ − 1. Since the latter element is a unit, this implies that the sum vanishes.

This proves (2.1).

PROPOSITION (2.2). Let $\zeta \in R$, and let n be a positive integer. Then ζ is a strict nth root of unity in R if and only if $\Phi_n(\zeta) = 0$ and $n \cdot 1 \in R^*$.

Proof. If. Suppose that $\Phi_n(\zeta) = 0$ and $n \cdot 1 \in R^*$. Since $\Phi_n$ divides $X^n - 1$ in $\mathbb{Z}[X]$ we have $\zeta^n = 1$. Next let r be a prime number dividing n. Since $\Phi_n$ divides the polynomial $(X^n - 1)/(X^{n/r} - 1) = \sum_{i=0}^{r-1} X^{in/r}$, we have $\sum_{i=0}^{r-1} \zeta^{in/r} = 0$. Take this modulo $\zeta^{n/r} - 1$; by $\zeta^{in/r} \equiv 1 \bmod (\zeta^{n/r} - 1)$ this gives $r \cdot 1 \equiv 0 \bmod (\zeta^{n/r} - 1)$, and therefore $n \cdot 1 \equiv 0 \bmod (\zeta^{n/r} - 1)$. Since $n \cdot 1$ is a unit, this implies that $\zeta^{n/r} - 1$ is a unit as well.

Only if. Suppose that ζ is a strict nth root of unity in R. Since $X^n - 1$ divides $\Phi_n \cdot \prod_r (X^{n/r} - 1)$, the product ranging over the primes r dividing n, we have $\Phi_n(\zeta) \cdot \prod_r (\zeta^{n/r} - 1) = 0$. The factors $\zeta^{n/r} - 1$ are units, so it follows that $\Phi_n(\zeta) = 0$. Dividing the identity in (2.1)(d) by X − 1 (which is not a zero-divisor in R[X]) and substituting 1 for X we find that $\prod_{i=1}^{n-1} (1 - \zeta^i) = n \cdot 1$. By (2.1)(c), this shows that $n \cdot 1 \in R^*$. This proves (2.2).

An element $e \in R$ is called an idempotent if $e^2 = e$. An idempotent e is said to be trivial if e = 0 or e = 1.

PROPOSITION (2.3). Suppose that $\zeta \in R$ is a strict nth root of unity, and that $\alpha \in R$ satisfies $\alpha^n = 1$. Then there is a non-trivial idempotent in R or there exists i (mod n) with $\alpha = \zeta^i$.

Proof. Substituting α for X in the identity from (2.1)(d) we find that $\prod_{i=0}^{n-1} (\alpha - \zeta^i) = 0$. Hence, if we put $I_i = (\alpha - \zeta^i)R$, then the product of the ideals $I_i$ is zero. Also, the $I_i$ are pairwise coprime, since $I_i + I_j$ contains the element $-(\alpha - \zeta^i) + (\alpha - \zeta^j) = \zeta^i - \zeta^j$, which by (2.1)(c) is a unit if $i \ne j$. The Chinese remainder theorem [3, Proposition 1.10] now implies that the natural map $R \to \prod_{i=0}^{n-1} R/I_i$ is an isomorphism. If at least two of the rings $R/I_i$ are non-zero, one of which is $R/I_h$, say, then the unique element $e \in R$ that is congruent to 1 modulo $I_h$ and to 0 modulo all other $I_i$ is a non-trivial idempotent. If at most one of the rings $R/I_i$ is non-zero, then all but at most one of the $\alpha - \zeta^i$ are units; in that case the $\alpha - \zeta^i$ that was excluded is zero. This proves (2.3).

PROPOSITION (2.4). Let m and n be positive integers, and let $\alpha, \zeta \in R$. Suppose that $\alpha^m = 1$ and that $\zeta^m$ is a strict nth root of unity. Then there exists $\beta \in R^*$ with $\beta^n = \alpha$.

Proof. Write m = m'n', where m' is the largest divisor of m that is coprime to n. Then each prime dividing n' divides n, so (2.1)(e) implies that $\zeta^{m'}$ is a strict n'nth root of unity and (2.1)(g) that $\zeta^{m'n}$ is a strict n'th root of unity. By (2.1)(d) we have $\prod_{i=0}^{n'-1} (X - \zeta^{im'n}) = X^{n'} - 1$. Substituting $\alpha^{m'}$ for X we find that $\prod_{i=0}^{n'-1} (\alpha^{m'} - \zeta^{im'n}) = 0$. Thus, if we now put $I_i = (\alpha^{m'} - \zeta^{im'n})R$, then as in the proof of (2.3) we deduce that the natural map $R \to \prod_{i=0}^{n'-1} R/I_i$ is an isomorphism. Let θ be the element of R that maps to $(\zeta^{im'})_i \in \prod_{i=0}^{n'-1} R/I_i$. Since $\alpha^{m'} \equiv \zeta^{im'n} \bmod I_i$ it follows that $\alpha^{m'} = \theta^n$. To finish the proof, let u, v be integers satisfying um' + vn = 1, and put $\beta = \theta^u \alpha^v$; then we have $\beta^n = \theta^{un} \alpha^{vn} = \alpha^{um' + vn} = \alpha$, as required. This proves (2.4).

The proofs of (2.3) and (2.4) provide fairly explicit constructions of the elements that are asserted to exist. However, for algorithmic purposes the product over all n or n' values of i may be too large. Thus, in the algorithmic versions of (2.3) and (2.4) that follow, we replace n and n' by a prime factor, and we proceed recursively.

Let p be a prime number, and let R be an $\mathbb{F}_p$-algebra of finite vector space dimension d over $\mathbb{F}_p$; then the order of R equals $p^d$. By explicit data for R we mean a system $(a_{hij})_{1 \le h, i, j \le d}$ of $d^3$ elements of $\mathbb{F}_p$ such that for some vector space basis $(e_i)_{i=1}^d$ of R over $\mathbb{F}_p$ one has $e_h e_i = \sum_j a_{hij} e_j$ for all h, i; when R is given by means of explicit data, then elements of R are supposed to be specified by means of their coefficients on the same basis, these coefficients as well as the $a_{hij}$ being represented as integers modulo p in the conventional way (cf. [12, Sect. 2; 7, Sect. 2]).

PROPOSITION (2.5). There is a deterministic algorithm that, for some positive real number c, has the following property: given a prime number p, explicit data for a non-zero $\mathbb{F}_p$-algebra R of order $p^d$, an integer n > 1, and elements $\alpha, \zeta \in R$ as in (2.3), the algorithm computes in time at most $(s + d \log p)^c$ either a non-trivial idempotent $e \in R$ or an integer i (mod n) with $\alpha = \zeta^i$; here s denotes the largest prime factor of n.

Proof. The algorithm begins by factoring n completely, which can be done in time $(s + \log n)^{O(1)}$; note that, since R contains a strict nth root of unity, we have $n < \#R$ and therefore $\log n < d \log p$. Once n is factored, one proceeds in the following recursive fashion, replacing n by a proper divisor in every step.

If n = 1 then one can clearly take i = 0. Suppose now that n > 1, and let r be a prime factor of n. As in the proof of (2.3), with $\alpha^{n/r}$, $\zeta^{n/r}$, and r in the roles of α, ζ, and n, one has $\prod_{i=0}^{r-1} (\alpha^{n/r} - \zeta^{in/r}) = 0$. With $I_i = (\alpha^{n/r} - \zeta^{in/r})R$, the natural map $R \to \prod_{i=0}^{r-1} R/I_i$ is an isomorphism. Using linear algebra over $\mathbb{F}_p$ one determines which of the elements $\alpha^{n/r} - \zeta^{in/r}$ are non-units or, equivalently, which of the rings $R/I_i$ are non-zero. This occurs for at least one of the rings, say for $R/I_h$. If it occurs for at least one other ring $R/I_i$, then one uses linear algebra to determine the unique element $e \in R$ with $e \equiv 1 \bmod I_h$ and $e \equiv 0 \bmod I_i$ for all $i \ne h$; this is a non-trivial idempotent, and the algorithm stops in this case. If $R/I_h$ is the only non-zero ring among the $R/I_i$, then one actually has $R = R/I_h$, so $I_h = \{0\}$ and $\alpha^{n/r} = \zeta^{hn/r}$. In this case one calls the algorithm recursively on $\alpha\zeta^{-h}$, $\zeta^r$, and n/r in the roles of α, ζ, and n. Then one obtains either a non-trivial idempotent e in R or an integer j (mod n/r) with $\alpha\zeta^{-h} = \zeta^{jr}$; in the latter case one computes i = jr + h, which does satisfy $\alpha = \zeta^i$, and the algorithm stops.

It is clear that this algorithm has the stated properties. This proves (2.5).

PROPOSITION (2.6). There is a deterministic algorithm that, for some positive real number c, has the following property: given a prime number p, explicit data for a non-zero $\mathbb{F}_p$-algebra R of order $p^d$, integers m > 0 and n > 1, and elements $\alpha, \zeta \in R$ as in (2.4), the algorithm computes in time at most $(s + \log m + d \log p)^c$ an element $\beta \in R^*$ with $\beta^n = \alpha$; here s denotes the largest prime factor of n.

Proof. Again, one starts by factoring n completely. Next, one proceeds recursively, replacing m by a proper divisor in every step.

If m is divisible by none of the primes dividing n, then one computes v with $vn \equiv 1 \bmod m$, and one puts $\beta = \alpha^v$; we have indeed $\beta^n = \alpha$, since $\alpha^m = 1$. In the other case, let r be a prime factor of n that divides m. Then we have $\prod_{i=0}^{r-1} (\alpha^{m/r} - \zeta^{imn/r}) = 0$. With $I_i = (\alpha^{m/r} - \zeta^{imn/r})R$, the natural map $R \to \prod_{i=0}^{r-1} R/I_i$ is an isomorphism, so using linear algebra over $\mathbb{F}_p$ one can find the unique element $\theta \in R$ that for each i = 0, 1, …, r − 1 satisfies $\theta \equiv \zeta^i \bmod I_i$; then we have $\alpha^{m/r} = \theta^{nm/r}$, so for $\tilde\alpha = \alpha/\theta^n$ and $\tilde m = m/r$ we have $\tilde\alpha^{\tilde m} = 1$. Now one calls the algorithm recursively on $\tilde\alpha$, $\tilde m$, and $\tilde\zeta = \zeta^r$. Then one finds $\tilde\beta \in R$ with $\tilde\beta^n = \tilde\alpha$, and one puts $\beta = \tilde\beta\theta$.

Again, the verification that the algorithm just described has the asserted properties is completely straightforward. This proves (2.6).

The algorithm of (2.6) can, in substance, be found in [7, Proposition 7]. It can also be used for other rings that are sufficiently explicitly given (cf. [11, Section 2]).
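As an added illustration (not code from the paper), the algorithm of (2.5) specialised to the $\mathbb{F}_p$-algebra $R = \mathbb{F}_p[X]/(f)$: there an element is a unit exactly when its gcd with f is 1, so the linear algebra of the proof becomes Euclid's algorithm, and a non-trivial idempotent corresponds to a non-trivial factor of f. The prime p = 5 and the moduli $X^2 + 3$ and $(X^2 + 3)(X + 4)$ are constructed sample values.

```python
"""Algorithm (2.5) of the paper specialised to R = F_p[X]/(f); added example.

Polynomials over F_p are lists of coefficients, lowest degree first.  In this
ring an element is a non-unit exactly when its gcd with f is non-trivial, so the
"linear algebra over F_p" of the proof becomes Euclid's algorithm, and a
non-trivial idempotent of R corresponds to a non-trivial factor of f.
"""

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])

def neg(a, p):
    return [(-c) % p for c in a]

def divmod_poly(a, b, p):
    """Quotient and remainder of a by b over F_p (b must be non-zero)."""
    a = list(a)
    q = [0] * max(len(a) - len(b) + 1, 1)
    inv = pow(b[-1], p - 2, p)
    while len(trim(a)) >= len(b):
        shift = len(a) - len(b)
        c = a[-1] * inv % p
        q[shift] = c
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - c * bc) % p
    return trim(q), trim(a)

def mulmod(a, b, f, p):
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    return divmod_poly(prod, f, p)[1]

def powmod(a, e, f, p):
    result, base = [1], a
    while e:
        if e & 1:
            result = mulmod(result, base, f, p)
        base = mulmod(base, base, f, p)
        e >>= 1
    return result

def gcd(a, b, p):
    """Monic gcd over F_p; gcd(x, f) == [1] means x is a unit of R."""
    while b:
        a, b = b, divmod_poly(a, b, p)[1]
    inv = pow(a[-1], p - 2, p)
    return [c * inv % p for c in a]

def prime_factors(n):
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + ([n] if n > 1 else [])

def is_strict_root(zeta, n, f, p):
    """zeta^n = 1 and zeta^(n/r) - 1 a unit of R for every prime r dividing n."""
    if powmod(zeta, n, f, p) != [1]:
        return False
    return all(gcd(add(powmod(zeta, n // r, f, p), [p - 1], p), f, p) == [1]
               for r in prime_factors(n))

def log_or_factor(alpha, zeta, n, f, p):
    """Given alpha^n = 1 and zeta a strict n-th root of unity in R, return
    ('log', i) with alpha = zeta^i, or ('factor', g) with g a proper monic
    factor of f, which is the idempotent case of (2.5)."""
    if n == 1:
        return ('log', 0)
    r = prime_factors(n)[0]
    a = powmod(alpha, n // r, f, p)
    zr = powmod(zeta, n // r, f, p)             # a strict r-th root of unity
    nonzero = []                                # the i for which R/I_i is non-zero
    for i in range(r):
        g = gcd(add(a, neg(powmod(zr, i, f, p), p), p), f, p)
        if g != [1]:
            nonzero.append((i, g))
    h, g = nonzero[0]
    if len(nonzero) > 1:
        return ('factor', g)                    # at least two non-zero R/I_i: R splits
    # R/I_h is the only non-zero factor, so alpha^(n/r) = zeta^(h n/r);
    # recurse on alpha * zeta^-h, zeta^r and n/r as in the proof of (2.5)
    zeta_inv = powmod(zeta, n - 1, f, p)
    alpha2 = mulmod(alpha, powmod(zeta_inv, h, f, p), f, p)
    kind, val = log_or_factor(alpha2, powmod(zeta, r, f, p), n // r, f, p)
    return (kind, val) if kind == 'factor' else ('log', val * r + h)

# Constructed samples over F_5.  F1 = X^2 + 3 is irreducible (2 is a non-square
# mod 5), so R is the field F_25 and X has order 8.  F2 = (X^2 + 3)(X + 4) is
# reducible; ZETA2 = 2 is a strict 4th root of unity in R = F_25 x F_5, while
# ALPHA2 = 4X^2 + 4 corresponds to (2, 3), a 4th root of unity that is not a
# power of ZETA2, so the algorithm has to find the splitting of f.
P = 5
F1, ZETA1, ALPHA1 = [3, 0, 1], [0, 1], [0, 4]          # ALPHA1 = X^5 = 4X
F2, ZETA2, ALPHA2 = [2, 3, 4, 1], [2], [4, 0, 4]

if __name__ == "__main__":
    print(is_strict_root(ZETA1, 8, F1, P), log_or_factor(ALPHA1, ZETA1, 8, F1, P))
    print(is_strict_root(ZETA2, 4, F2, P), log_or_factor(ALPHA2, ZETA2, 4, F2, P))
```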

3. GAUSS SUMS

In this section we let K be a "eld.

(3.1) The Teichmüller Subgroup. Let r be a prime number different from the characteristic of K. We write $K[\zeta_r]$ for the ring $K[X]/(\sum_{i=0}^{r-1} X^i)$, and we let $\zeta_r$ denote the residue class of X. For each $a \in \mathbb{F}_r^*$, the ring $K[\zeta_r]$ has a unique automorphism $\sigma_a$ that is the identity on K and satisfies $\sigma_a \zeta_r = \zeta_r^a$. The set of all $\sigma_a$'s forms a group, which we denote by $\Delta_r$; the map assigning $\sigma_a$ to a establishes a group isomorphism $\mathbb{F}_r^* \cong \Delta_r$, so $\Delta_r$ is cyclic with generator $\sigma_g$, where g is a primitive root modulo r. Denote by $\mathbb{Z}_r$ the ring of r-adic integers, and define the Teichmüller character $\omega : \mathbb{F}_r^* \to \mathbb{Z}_r^*$ by $\omega(b \bmod r) = \lim_{k \to \infty} b^{r^k}$. Following [12, Section 4], we define the Teichmüller subgroup $T_r$ of $K[\zeta_r]^*$ to be the set of those $\gamma \in K[\zeta_r]^*$ that have r-power order and satisfy $\sigma_a \gamma = \gamma^{\omega(a)}$ for all $a \in \mathbb{F}_r^*$. We have $\zeta_r \in T_r$.

PROPOSITION (3.2). (a) Every finite subgroup of $T_r$ is cyclic.

(b) Every non-trivial subgroup of $T_r$ contains $\zeta_r$.

(c) Every $\gamma \in T_r$ is a strict nth root of unity, for n = order γ.

(d) Suppose that K is finite, of order q, and let $m_r$ be the multiplicative order of (q mod r) in $\mathbb{F}_r^*$. Then each element of $K[\zeta_r]^*$ has order dividing $q^{m_r} - 1$, and $T_r$ is cyclic of order equal to the largest power of r dividing $q^{m_r} - 1$.

Proof. For (a), see [12, (4.2)]. Every non-trivial subgroup of $T_r$ has a subgroup of order r, and since $T_r$ has at most one subgroup of order r, by (a), it must be $\langle \zeta_r \rangle$. This proves (b). From (2.2) it follows that $\zeta_r$ is a strict rth root of unity. By (2.1)(g), the other elements of $\langle \zeta_r \rangle$ are strict roots of unity as well, and by (b) and (2.1)(e) the same is true for all $\gamma \in T_r$. This proves (c). If K is finite of order q, then the ring homomorphism from $K[\zeta_r]$ to itself that raises each element to the power $q^{m_r}$ is the identity both on K and on $\langle \zeta_r \rangle$, so it is the identity; hence each $u \in K[\zeta_r]^*$ has order dividing $q^{m_r} - 1$. The last assertion of (d) is in [12, (5.1)]. This proves (3.2).

The following technical lemma will be needed later.

LEMMA (3.3). Let g be a primitive root modulo r. Then the element
$$\alpha = (1 - r)^{-1} \cdot \sum_{i=1}^{r-2} i\, \omega(g)^i\, \sigma_g^{-i-1}$$
of the group ring $\mathbb{Z}_r[\Delta_r]$ satisfies $\alpha \cdot (\sigma_g - \omega(g))^2 = \sigma_g - \omega(g)$.

Remark. This lemma expresses in an explicit manner the existence of an idempotent $\alpha \cdot (\sigma_g - \omega(g))$ in $\mathbb{Z}_r[\Delta_r]$ that generates the kernel of the ring homomorphism $\mathbb{Z}_r[\Delta_r] \to \mathbb{Z}_r$ induced by ω.

Proof. The element $\omega(g) \in \mathbb{Z}_r$ is a zero of the polynomial $f_0 = X^{r-1} - 1$, and if we write $f_0 = f_1 \cdot (X - \omega(g))$ then we have $f_1(\omega(g)) = f_0'(\omega(g)) = (r - 1)\omega(g)^{r-2} = (r - 1)\omega(g)^{-1}$. Hence we can perform a division with remainder
$$(*)\qquad f_1 = f_2 \cdot (X - \omega(g)) + (r - 1)\omega(g)^{-1},$$
and an explicit long division shows that $f_2 = \sum_{i=1}^{r-2} i\, \omega(g)^{i-1} X^{r-2-i}$. Multiplying $(*)$ by $(1 - r)^{-1} \cdot \omega(g) \cdot (X - \omega(g))$ we find that
$$(1 - r)^{-1} \cdot \omega(g) \cdot f_2 \cdot (X - \omega(g))^2 \equiv X - \omega(g) \bmod (X^{r-1} - 1).$$
Substituting $\sigma_g$ for X we obtain the lemma.

(3.4) A Larger Ring. In the rest of this section, we let l be a prime number, and we suppose that K contains a primitive lth root of unity ρ; then it contains l − 1 of them. We make the further assumptions that l − 1 is not divisible by the characteristic of K and that for each prime number r dividing l − 1 the group $T_r$ contains a subgroup of order equal to the largest power of r dividing l − 1; we write $\mu^{(r)}$ for this subgroup. By (3.2)(c), all elements of $\mu^{(r)}$ are strict roots of unity.

We write A for the tensor product, over K, of the rings $K[\zeta_r]$, with r ranging over the primes dividing l − 1. Explicitly, if these primes are $r_1, \ldots, r_t$ (without repetition), then A is the ring
$$K[X_1, \ldots, X_t] \Big/ \Big( \sum_{i=0}^{r_1 - 1} X_1^i, \ldots, \sum_{i=0}^{r_t - 1} X_t^i \Big);$$
as a vector space over K, it has dimension $\prod_{i=1}^t (r_i - 1)$. Each of the rings $K[\zeta_r]$ embeds in a natural way in A. The groups $\mu^{(r)}$ generate a subgroup of $A^*$, which we denote by μ; it is cyclic of order l − 1, and it is, by (2.1)(f), generated by a strict (l − 1)th root of unity. Thus from (2.1)(h) we obtain
$$\sum_{\gamma \in \nu} \gamma = 0 \quad \text{for each subgroup } \nu \ne \{1\} \text{ of } \mu, \tag{3.5}$$
a fact that will be used repeatedly below.

(3.6) Jacobi Sums and Gauss Sums. We denote by $\mathcal{X}$ the group of group homomorphisms $\mathbb{F}_l^* \to \mu$; then $\mathcal{X}$ is cyclic of order l − 1. We denote the unit element of $\mathcal{X}$ simply by 1. For $\chi, \psi \in \mathcal{X}$, we define the Jacobi sum $J(\chi, \psi) \in A$ by
$$J(\chi, \psi) = \begin{cases} -\sum_{x, y \in \mathbb{F}_l^*,\ x + y = 1} \chi(x)\psi(y) & \text{if } \chi \ne 1,\ \psi \ne 1,\ \chi\psi \ne 1, \\ \chi(-1) \cdot l & \text{if } \chi \ne 1,\ \chi\psi = 1, \\ 1 & \text{if } \chi = 1 \text{ or } \psi = 1. \end{cases}$$

For $\chi \in \mathcal{X}$ and a primitive lth root of unity $\rho \in K$, we define the Gauss sum $\tau(\chi, \rho) \in A$ by
$$\tau(\chi, \rho) = -\sum_{x \in \mathbb{F}_l^*} \chi(x)\rho^x.$$

We list the basic properties of these sums that we shall need.

PROPOSITION (3.7). Let $\rho \in K$ be a primitive lth root of unity. Then we have:

(a) $\tau(1, \rho) = 1$;

(b) $\tau(\chi, \rho)\tau(\psi, \rho) = J(\chi, \psi)\tau(\chi\psi, \rho)$ for all $\chi, \psi \in \mathcal{X}$;

(c) $J(\chi, \psi) \in A^*$, $\tau(\chi, \rho) \in A^*$ for all $\chi, \psi \in \mathcal{X}$;

(d) $\rho = (1 - l)^{-1} \sum_{\chi \in \mathcal{X}} \tau(\chi, \rho)$;

(e) $\tau(\chi, \rho^y) = \chi(y)^{-1} \tau(\chi, \rho)$ for all $\chi \in \mathcal{X}$ and $y \in \mathbb{F}_l^*$;

(f) if r is a prime dividing l − 1, and $\chi \in \mathcal{X}$ has r-power order, then $\tau(\chi, \rho)$ belongs to the subring $K[\zeta_r]$ of A, and one has $\sigma_a(\tau(\chi, \rho)) = \tau(\chi^{\omega(a)}, \rho)$ for all $a \in \mathbb{F}_r^*$.

Proof. (a) We have $\tau(1, \rho) = -\sum_{i=1}^{l-1} \rho^i = 1$.

(b) This is clear from (a) if χ = 1 or ψ = 1. Next suppose that χ ≠ 1 and ψ ≠ 1. We have
$$\tau(\chi, \rho)\tau(\psi, \rho) = \sum_{x, y \in \mathbb{F}_l^*} \chi(x)\psi(y)\rho^{x+y} = \sum_{z \in \mathbb{F}_l} \Big( \sum_{x, y \in \mathbb{F}_l^*,\ x + y = z} \chi(x)\psi(y) \Big) \rho^z$$
$$= \sum_{x, y \in \mathbb{F}_l^*,\ x + y = 0} \chi(x)\psi(y) + \sum_{z \in \mathbb{F}_l^*} \Big( \sum_{x, y \in \mathbb{F}_l^*,\ x + y = 1} \chi(xz)\psi(yz) \Big) \rho^z$$
$$= \chi(-1) \sum_{y \in \mathbb{F}_l^*} \chi\psi(y) - \Big( \sum_{x, y \in \mathbb{F}_l^*,\ x + y = 1} \chi(x)\psi(y) \Big) \tau(\chi\psi, \rho).$$
If χψ ≠ 1 then from (3.5), with ν equal to the image of χψ, we see that $\sum_{y \in \mathbb{F}_l^*} \chi\psi(y) = 0$. In that case we obtain (b), as required. If χψ = 1, then we find that
$$\tau(\chi, \rho)\tau(\psi, \rho) = \chi(-1)(l - 1) - \Big( \sum_{x \in \mathbb{F}_l^*,\ x \ne 1} \chi(x/(1 - x)) \Big) \tau(1, \rho)$$
$$= \chi(-1)(l - 1) - \sum_{z \in \mathbb{F}_l^*,\ z \ne -1} \chi(z) = \chi(-1)(l - 1) + \chi(-1) = \chi(-1) \cdot l = J(\chi, \psi),$$
where we use that $\sum_{z \in \mathbb{F}_l^*} \chi(z) = 0$, which again follows from (3.5).

(c) Since l is not divisible by the characteristic of K, it is a unit in A, so $J(\chi, \psi) \in A^*$ whenever at least one of χ, ψ, and χψ equals 1. Applying (b) to $\psi = \chi^{-1}$ we now see, using (a), that $\tau(\chi, \rho) \in A^*$ for all χ. Next we see from (b) that $J(\chi, \psi) \in A^*$ for all χ, ψ.

(d) We have $\sum_{\chi \in \mathcal{X}} \tau(\chi, \rho) = \sum_{x \in \mathbb{F}_l^*} \big( -\sum_{\chi \in \mathcal{X}} \chi(x) \big) \rho^x$. By (3.5), the sum in parentheses vanishes for every x ≠ 1, and we are left with the contribution for x = 1, which is $(1 - l)\rho$.

(e) We have $\chi(y)\tau(\chi, \rho^y) = -\sum_{x \in \mathbb{F}_l^*} \chi(yx)\rho^{yx} = \tau(\chi, \rho)$, using yx as a new summation variable.

(f) Under the hypotheses of (f), the image of χ is in $\mu^{(r)}$, so that $\tau(\chi, \rho) \in K[\zeta_r]$. The equality in (f) follows from the fact that $\sigma_a$ fixes the elements $\rho^x$ of K and raises the elements χ(x) of $T_r$ to the power ω(a).

This proves (3.7).
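An added numerical check of (3.7)(a), (b), (d) and (e), not from the paper: it takes K to be the complex numbers rather than the algebra A, with μ the complex (l − 1)th roots of unity, and numbers the characters as in (4.5) by a primitive root d modulo l; the primes l = 7 and l = 11 used below are constructed sample values. Property (d) is the one Section 4 uses to recover a primitive lth root of unity from the Gauss sums.

```python
import cmath

TOL = 1e-9

def primitive_root(l):
    """Smallest primitive root modulo the prime l, found by trial as in (4.5)."""
    for d in range(2, l):
        if len({pow(d, e, l) for e in range(1, l)}) == l - 1:
            return d
    raise ValueError("l must be an odd prime")

def characters(l):
    """Table chi[j][x] of all characters F_l^* -> mu, with mu taken to be the
    complex (l-1)th roots of unity: chi_j(d^i) = w^(i*j), w = exp(2*pi*i/(l-1))."""
    d = primitive_root(l)
    w = cmath.exp(2j * cmath.pi / (l - 1))
    dlog = {pow(d, i, l): i for i in range(l - 1)}
    return [{x: w ** (i * j) for x, i in dlog.items()} for j in range(l - 1)]

def is_trivial(chi):
    return all(abs(v - 1) < TOL for v in chi.values())

def gauss_sum(chi, rho, l):
    """tau(chi, rho) = -sum_{x in F_l^*} chi(x) rho^x  (note the sign in (3.6))."""
    return -sum(chi[x] * rho ** x for x in range(1, l))

def jacobi_sum(chi, psi, l):
    """J(chi, psi) with the three cases of (3.6)."""
    if is_trivial(chi) or is_trivial(psi):
        return 1
    if is_trivial({x: chi[x] * psi[x] for x in chi}):
        return chi[l - 1] * l                   # chi(-1) * l
    # x runs over F_l^* minus {1}, so that y = 1 - x is again in F_l^*
    return -sum(chi[x] * psi[(1 - x) % l] for x in range(2, l))

def recovered_root(l):
    """rho rebuilt from its Gauss sums by (3.7)(d): (1-l)^-1 sum_chi tau(chi, rho)."""
    rho = cmath.exp(2j * cmath.pi / l)
    return sum(gauss_sum(chi, rho, l) for chi in characters(l)) / (1 - l)

def recovery_error(l):
    return abs(recovered_root(l) - cmath.exp(2j * cmath.pi / l))

def check_properties(l):
    """True if (3.7)(a), (b) and (e) hold numerically for every character."""
    rho = cmath.exp(2j * cmath.pi / l)
    chars = characters(l)
    tau = [gauss_sum(chi, rho, l) for chi in chars]
    if abs(tau[0] - 1) > TOL:                                   # (a)
        return False
    for a, chi in enumerate(chars):
        for b, psi in enumerate(chars):
            # chi_a * chi_b = chi_{a+b}, so tau(chi psi, rho) is tau[(a+b) mod (l-1)]
            lhs = tau[a] * tau[b]
            rhs = jacobi_sum(chi, psi, l) * tau[(a + b) % (l - 1)]
            if abs(lhs - rhs) > 1e-6:                           # (b)
                return False
        for y in range(1, l):                                   # (e)
            if abs(gauss_sum(chi, rho ** y, l) - tau[a] / chi[y]) > 1e-6:
                return False
    return True

if __name__ == "__main__":
    print(check_properties(7), recovery_error(7))
```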

The following lemma will be our main tool in computing Gauss sums.

LEMMA (3.8). Let r be a prime number dividing l − 1, let t be a non-negative integer, let g be a primitive root modulo r, and let G be a positive integer that is congruent to ω(g) modulo $r^t$. Suppose that $\chi \in \mathcal{X}$, χ ≠ 1, is of order $r^t$, and that $v \in K[\zeta_r]$ is such that $v^{r^t} = \tau(\chi, \rho)^{r^t}$ for some primitive lth root of unity $\rho \in K$. Define
$$\gamma = \frac{v^G}{\sigma_g(v)} \cdot \frac{\tau(\chi^G, \rho)}{\tau(\chi, \rho)^G}, \qquad \varphi = \prod_{i=1}^{r-2} \sigma_g^{-i-1}(\gamma)^{\,i G^i (1 - r^t)/(1 - r)}.$$
Then there exists a primitive lth root of unity $\rho' \in K$ such that $\varphi \cdot v = \tau(\chi, \rho')$.

Remark. The following may serve to explain what is happening in this lemma and its proof. If the $r^t$th root of unity θ with $\theta v = \tau(\chi, \rho)$ belongs to $T_r$, which occurs, for example, if $K[\zeta_r]$ is a field, then (3.7)(e) readily implies that v itself is of the form $\tau(\chi, \rho')$; in this case, one has γ = 1 and φ = 1. In general, θ must be replaced by its projection θ/φ to $T_r$, which is to be computed with the help of the idempotent $\alpha \cdot (\sigma_g - \omega(g))$ from Lemma (3.3). However, since θ is just as unavailable as $\tau(\chi, \rho)$, the required computation cannot be done directly, and this necessitates the detour over γ.

Proof. The action of $\Delta_r$ on $K[\zeta_r]^*$ makes the latter group into a module over the group ring $\mathbb{Z}[\Delta_r]$. We write the action of this group ring exponentially. For example, in this notation we can rewrite the definition of γ as
$$\gamma = v^{G - \sigma_g} \cdot \tau(\chi, \rho)^{\sigma_g - G}$$
(applying (3.7)(f) to a = g).

From $\tau(\chi, \rho) \in K[\zeta_r]^*$ and $v^{r^t} = \tau(\chi, \rho)^{r^t}$ we find that $\theta v = \tau(\chi, \rho)$ for some $\theta \in K[\zeta_r]^*$ with $\theta^{r^t} = 1$. Applying $\sigma_g - G$ we find that
$$\theta^{\sigma_g - G} = v^{G - \sigma_g} \cdot \tau(\chi, \rho)^{\sigma_g - G} = \gamma.$$
This shows that $\gamma^{r^t} = 1$, so that both θ and γ belong to the group of elements of $K[\zeta_r]^*$ of r-power order. That group is a $\mathbb{Z}_r[\Delta_r]$-module. In the definition of φ, the exponent $i G^i (1 - r^t)/(1 - r)$ matters only modulo $r^t$, so we may rewrite that definition as $\varphi = \gamma^\alpha$, where $\alpha \in \mathbb{Z}_r[\Delta_r]$ is as in Lemma (3.3). Using (3.3) and applying $\alpha(\sigma_g - \omega(g))$ to the equality $\theta^{\sigma_g - \omega(g)} = \gamma$ we now find that
$$\theta^{\sigma_g - \omega(g)} = \theta^{\alpha(\sigma_g - \omega(g))^2} = \gamma^{\alpha(\sigma_g - \omega(g))} = \varphi^{\sigma_g - \omega(g)}.$$
Therefore the element θ/φ, which has order dividing $r^t$, satisfies $\sigma_g(\theta/\varphi) = (\theta/\varphi)^{\omega(g)}$. Since g generates $\mathbb{F}_r^*$ it follows, by the definition of $T_r$, that θ/φ belongs to $T_r$. In fact, it belongs to the image $\chi(\mathbb{F}_l^*)$ of χ; to prove this, it suffices to observe that $T_r$ is cyclic and that the order of θ/φ divides the order $r^t$ of the subgroup $\chi(\mathbb{F}_l^*)$ of $T_r$. Thus we can write $\theta/\varphi = \chi(y)$, with $y \in \mathbb{F}_l^*$. Now we have
$$\varphi \cdot v = (\varphi/\theta) \cdot \tau(\chi, \rho) = \chi(y)^{-1} \tau(\chi, \rho) = \tau(\chi, \rho^y),$$
using (3.7)(e). This proves (3.8), with $\rho' = \rho^y$.

LEMMA (3.9). Let $\chi_1, \ldots, \chi_t \in \mathcal{X}$ be characters whose orders are pairwise relatively prime, and let $\rho_1, \ldots, \rho_t \in K$ be primitive lth roots of unity. Then there exists a primitive lth root of unity $\rho \in K$ such that for each i = 1, …, t one has $\tau(\chi_i, \rho) = \tau(\chi_i, \rho_i)$.

Proof. We may assume that t > 0. Write $\rho_i = \rho_1^{z(i)}$ for each i, with $z(i) \in \mathbb{F}_l^*$ (and z(1) = 1). Since the orders of the $\chi_i$ are pairwise coprime, the Chinese remainder theorem implies that the map $\mathbb{F}_l^* \to \prod_{i=1}^t \chi_i(\mathbb{F}_l^*)$ sending y to $(\chi_i(y))_{i=1}^t$ is surjective. Choose $y \in \mathbb{F}_l^*$ mapping to $(\chi_i(z(i)))_{i=1}^t$. By (3.7)(e), we have
$$\tau(\chi_i, \rho_1^y) = \chi_i(y)^{-1} \cdot \tau(\chi_i, \rho_1) = \chi_i(z(i))^{-1} \cdot \tau(\chi_i, \rho_1) = \tau(\chi_i, \rho_1^{z(i)}) = \tau(\chi_i, \rho_i)$$
for each i = 1, …, t, which proves the lemma, with $\rho = \rho_1^y$.

4. CONSTRUCTING ROOTS OF UNITY

In this section we describe the algorithm that proves Theorem 2.

We are given two prime numbers p and l, a positive integer h for which l divides $p^h - 1$, explicit data for $\mathbb{F}_{p^h}$, and for each prime number r dividing l − 1 but not dividing h, an irreducible polynomial $g_r$ of degree r in $\mathbb{F}_p[X]$. It is our purpose to construct a primitive lth root of unity in $\mathbb{F}_{p^h}$, in time $(l + h \log p)^{O(1)}$.

If p divides l − 1, then it suffices to apply Berlekamp's algorithm (see Sect. 1) for finding a zero of $\sum_{i=0}^{l-1} X^i$ in $\mathbb{F}_{p^h}$. Each zero is a primitive lth root of unity. Note that Berlekamp's algorithm is fast enough for our purpose if p divides l − 1. Let it henceforth be assumed that p does not divide l − 1, and write
$$l - 1 = \prod_r r^{a(r)},$$
with r ranging over the prime numbers dividing l − 1 and each a(r) being a positive integer. We shall construct a primitive lth root of unity by means of formula (3.7)(d). For this we construct the objects from the previous section one after the other.

(4.1) The Field K. For the field K we shall take a field extension $\mathbb{F}_q$ of $\mathbb{F}_{p^h}$ satisfying the conditions stated in (3.4). The first condition, that K contain a primitive lth root of unity, is satisfied by any extension of $\mathbb{F}_{p^h}$, since $p^h \equiv 1 \bmod l$. We just took care of the second condition, that l − 1 not be divisible by p. The third condition is that for each prime number r dividing l − 1 the group $T_r$ has an element of order $r^{a(r)}$; by (3.2)(d), this is equivalent to the requirement that $q^{m_r} \equiv 1 \bmod r^{a(r)}$, where $m_r$ denotes the multiplicative order of q modulo r.

Let $m'_r$ be the multiplicative order of $p^h$ modulo r, and let b(r) be the multiplicative order of $p^{h m'_r}$ modulo $r^{a(r)}$; from $p^{h m'_r} \equiv 1 \bmod r$ it follows that b(r) divides $r^{a(r) - 1}$. Now one readily verifies that the number
$$q = p^{\,h \prod_r b(r)},$$
with r ranging over the primes dividing l − 1, has the required properties (and in fact, that it is the least power of $p^h$ having these properties). To construct $\mathbb{F}_q$, it suffices to construct an extension of $\mathbb{F}_{p^h}$ of degree $\prod_r b(r)$. By [12, Theorem (9.1)], this can be done within the time bound stated in Theorem 2, provided that for each r with b(r) > 1 and r not dividing h, an rth degree irreducible polynomial in $\mathbb{F}_{p^h}[X]$ is available; and this is indeed the case, since the given irreducible polynomials $g_r$ in $\mathbb{F}_p[X]$ remain irreducible over $\mathbb{F}_{p^h}$.

(4.2) ¹he Ring A. We shall work in the ring A constructed in (3.4), with

K"F

O

, and in the subrings F

O

[¸

P

] of A. The _

P

(r!1) elements _

P

¸G'P'

P

, with

04i(r)(r!1, form a basis of A over F

O

, the products ranging over the

primes dividing l!1. Elements of A are represented on this basis. To

multiply two basis elements one uses the relations

P¹

G¯"

¸G

P

"0 (and ¸P

P

"1).

The F

O

-dimension of A is at most l!1, and the degree of F

O

over F

N

divides

h(l!1); so arithmetic in A can be done within the time bound stated in

Theorem 2, and the same is true for its subrings F

O

[¸

P

] and for F

O

itself.

(4.3) ¹he ¹eichmuKller Groups ¹

P

. For every prime number r dividing

l!1, one uses [12, Theorem (9.1)] and our hypothesis on the g

P

to construct,

FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 17

as above, a "eld extension of F

O

of degree r; having this "eld extension, one

applies [12, Theorem (5.2)] (with E"F

O

) in order to "nd a generator of ¹

P

.

We shall denote it by ¸

P

; by (3.2), it is a strict root of unity of order equal to the

largest power of r that divides q

m

P!1.

(4.4) ¹he Group j. Raising ¸

P

to a suitable power one "nds an element of

¹

P

of order r?'P', for each r. Taking the product over r one obtains a strict

(l!1)th root of unity ¸3A*. It generates the group that in (3.4) was denoted

by j.

(4.5) ¹he Characters ,. One next computes an (l!1);(l!1) table that

for each ,3+ and each x3F*

J

gives the value of ,(x); so each entry in the

table belongs to j. To do this, one "rst determines, by trial and error,

a primitive root d modulo l; then the characters , can be numbered by the

integers j modulo l!1, the value of the jth character at dG being ¸GH, with ¸ as

computed in (4.4).

(4.6) ¹he Jacobi Sums j(,, ç). One computes a second (l!1);(l!1)

table, giving the Jacobi sums j (,, ç) as elements of A for all ,, ç3+. This

table is computed directly from the de"nition of Jacobi sums.

(4.7) Products of Gauss Sums. It is, naturally, not possible to compute the

Gauss sums directly from their de"nition, since p is not available. Instead one

proceeds in several steps. In each of these steps one will need to compute

certain expressions of the form

_

,3+

t(,, p)

n(,)

,

where the n(,) are integers satisfying _

,

,

n(,)

"1 (in +). We claim that each

such expression can be computed by means of O(

,, n(,)O0

log( ¦ n(,)¦#1))

table look-ups and multiplications and divisions in A* and +. To prove this,

we "rst show how to compute an expression of the form t(,, p)L/t(,L, p),

where n is an integer. If n"0 or 1 this equals 1. If n is greater than 1, one sets

m"Wn/2 X and uses the formula

t(,, p)L

t(,L, p)

"j (,K, ,LK)

)

t(,, p)K

t(,K, p)

)

t(,, p)LK

t(,LK, p)

(which, as all formulas in (4.7), is obtained from (3.7)(b)) to proceed by

recursion. To deal with negative n one uses that

t(,, p)L

t(,L, p)

)

t(,, p)L

t(,L, p)

"j(,L, ,L)¹.

18 BACH, VON ZUR GATHEN, AND LENSTRA

A general product _

,3+

t(,, p)

n(,)

with _

Q

,

n(,)

"1 is now computed from

_

,3+

t(,, p)

n(,)

"

_

,3+

t(,, p)

n(,)

t(,

n(,)

, p)

)

_

,3+

t(,

n(,)

, p),

the value of the last product being obtained from the formula

R

_

G¯¹

t(,

G

, p)"

R

_

G¯`

j(,

¹

2

,

G¹

, ,

G

),

which is valid whenever _

R

G¯¹

,

G

"1.

The computation shows that the computed products are independent of

the choice of p. This can be seen directly from (3.7)(e).

(4.8) Gauss Sums for Characters of Prime Power Order. Let ,3+ be

a character of order rR, where r is a prime number and t is a positive integer.

We describe how one can compute an element of F

O

[¸

P

] that is of the form

t(,, p'), with p' 3F

O

a primitive lth root of unity.

First one computes the element t(,, p)

rR

of F

O

[¸

P

] using the method of (4.7),

which applies because ,

rR

"1. We note that rR divides r?'P', which in turn

divides q

m

P!1. One now applies the algorithm from (2.6) to the element

:"t(,, p)

rR

of the ring R"F

O

[¸

P

], with m"(q

m

P!1)/rR and n"rR, and with

¸ equal to the generator ¸

P

of ¹

P

constructed in (4.3). The condition :K"1

from(2.4) is satis"ed because of (3.7)(f ) and (3.2)(d); and to verify the condition

that ¸K be a strict nth root of unity we combine (2.1)(g) with the fact that the

order of ¸

P

is the largest power of r dividing q

m

P!1. Thus, from the algorithm

of (2.6) one obtains an element v3F

O

[¸

P

]* with v

rR

"t(,, p)

rR

. Next one

computes the element c de"ned in (3.8); one can take G to be the least positive

integer with G,g

rR¹

mod rR, and the factor t(,%, p)/t(,, p)% in the de"nition

of c can be obtained from (4.7). Using c, one computes the element from (3.8)

as well; as was noted in the proof of (3.8), the exponents in the de"nition of

can be taken modulo rR. By (3.8), the element

)

v is now of the desired form

t(,, p').

(4.9) ¹he Gauss Sums t(,, p). For each prime r dividing l!1, choose

,

P

3+ of order r?'P', and use (4.8) to compute an element of F

O

[¸

P

] of the form

t(,

P

, p); in principle p may depend on r, but Lemma (3.9) shows that there

exists a single p that works for all r. Next one puts ,

"

"_

P

,

P

, and one

computes t(,

"

, p) from _

P

t(,

P

, p) by observing that the quotient of these two

expressions is computable from (4.7). Starting from t(,

"

, p) one computes

t(,G

"

, p) for all i (modulo l!1) in succession, using that

t(,G

"

, p)"

t(,G¹

"

, p)

)

t(,

"

, p)

j(,G¹

"

, ,

"

)

.

Since ,

"

has order _

P

r?'P'"l!1, this gives t(,, p) for all , and a single p.

FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 19

(4.10) ¹he Primitive lth Root of ;nity p. To conclude the algorithm, one

adds up the t(,, p), for ,3+, and divides the result by 1!l. By (3.7)(d), that

gives p. It belongs to the sub"eld F

pF

of F

O

, because l divides pF!1.

This completes our description of the algorithm. The correctness of the

algorithm has been proved along the way, and it is straightforward to show

that the run time is (l#h log p)-'¹'. This proves Theorem 2.

5. CONSTRUCTING NON-RESIDUES

In the present section we construct, under suitable conditions, elements of given finite fields that do not belong to certain multiplicative subgroups. In particular, we shall prove Theorem 3. We shall make use of the following result, which is similar to Theorem 3 but much easier to prove.

THEOREM (5.1). There is a deterministic algorithm that, for some positive real number $c$, has the following property: given two prime numbers $p$ and $l$, a positive integer $k$, explicit data for $\mathbf{F}_{p^k}$, a primitive $l$th root of unity $\rho$ in $\mathbf{F}_{p^k}$, and, if $l$ does not divide $k$, an irreducible polynomial $g_l$ of degree $l$ in $\mathbf{F}_p[X]$, the algorithm constructs, in time at most $(l + k\log p)^c$, an element of $\mathbf{F}_{p^k}$ that is not an $l$th power in $\mathbf{F}_{p^k}$.

Proof. We shall write $q = p^k$. As in (4.1), we can use the hypothesis on $g_l$ and [12, Theorem (9.1)] to construct a field extension $F$ of $\mathbf{F}_q$ of degree $l$. The $\mathbf{F}_q$-linear map $f\colon F \to F$ defined by $f(x) = \sum_{i=0}^{l-1} \rho^i x^{q^i}$ is non-zero, since $f(x)$ may be viewed as a polynomial of degree $(\#F)/q$ in $x$. Hence, trying the elements of a vector space basis of $F$ over $\mathbf{F}_q$ one by one, one can find an element $\alpha \in F$ with $f(\alpha) \ne 0$. A direct computation shows that $f(\alpha)^q = \rho^{-1} \cdot f(\alpha)$. This is different from $f(\alpha)$, so we have $f(\alpha) \notin \mathbf{F}_q$ and $F = \mathbf{F}_q(f(\alpha))$. The element $\beta = f(\alpha)^l$ satisfies $\beta^q = \rho^{-l}\beta = \beta$, so $\beta \in \mathbf{F}_q$. Thus, adjoining the $l$th root $f(\alpha)$ of $\beta$ to $\mathbf{F}_q$ one obtains the $l$th degree extension $F$ of $\mathbf{F}_q$. This implies that $X^l - \beta$ is irreducible over $\mathbf{F}_q$, so that $\beta$ is not an $l$th power in $\mathbf{F}_q$. This proves (5.1).

The rest of this section is devoted to the proof of Theorem 3. Note the difference between Theorem 3 and Theorem (5.1): in Theorem 3 no polynomial $g_l$ is supposed to be given; instead, one requires a primitive $l$th root of unity in $\mathbf{F}_{p^k}$ to be given not just for a single $l$, but for all primes $l$ dividing $\Phi_k(p)$; and the largest of these enters the run time estimate, even when a non-$l$th power is constructed only for the smallest.

An important role will be played by elements of order dividing $\Phi_k(p)$ in certain algebras. We begin with a method for constructing such elements, which will also be used in Section 6.

PROPOSITION (5.2). Let $p$ be a prime number and let $k$ be a positive integer. Let $R$ be an $\mathbf{F}_p$-algebra with the property that the $\mathbf{F}_p$-algebra homomorphism $\sigma\colon R \to R$ that raises every element of $R$ to the power $p$ satisfies $\sigma^k = \mathrm{id}_R$. For each squarefree divisor $d$ of $k$, write $\sigma_d = \prod_{r \mid d} \sigma^{k/r}$, the product being computed in the group of automorphisms of $R$, and $r$ ranging over the primes dividing $d$. Denote by $\mu$ the Möbius function. Then for each $\zeta \in R^*$ the element
$$\theta = \prod_d \sigma_d(\zeta)^{\mu(d)},$$
the product ranging over the squarefree divisors of $k$, satisfies $\theta^{\Phi_k(p)} = 1$.

Proof. The definition of $\theta$ can be rewritten as
$$\theta = \zeta^{\prod_r (1 - p^{k/r})},$$
the product ranging over the primes dividing $k$. Since $\Phi_k(p) \prod_r (1 - p^{k/r})$ is divisible by $p^k - 1$ it follows that $\theta^{\Phi_k(p)}$ is a power of $\zeta^{p^k - 1}$, which equals $\sigma^k(\zeta)/\zeta = 1$. This proves (5.2).

Remark. The condition $\sigma^k = \mathrm{id}_R$ in (5.2) is satisfied if $R$ is the product of a collection of fields of cardinality $p^k$. One can show that, in that case, conversely every $\theta \in R$ with $\theta^{\Phi_k(p)} = 1$ is given by the formula in (5.2), for some $\zeta \in R^*$.
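The non-residue construction from the proof of Theorem (5.1) and the unit $\theta$ of Proposition (5.2), run on small constructed fields; this is an added example, not code from the paper. It assumes a naive model of $\mathbf{F}_{p^n}$ (the class GF), takes $k = 1$ in (5.1), and uses the constructed data $\mathbf{F}_3[X]/(X^4 + 2X^3 + 2)$ for $\mathbf{F}_{81}$ and $g_3 = X^3 - 2$ over $\mathbf{F}_7$ with $l = 3$, $\rho = 2$; the function names are this example's own.

```python
# Added example, not from the paper: a toy model of F_{p^n} = F_p[X]/(g) used to run two
# constructions of the text on constructed data, the non-l-th power of Theorem (5.1) and
# the unit of order dividing Phi_k(p) of Proposition (5.2). Primes, degrees and
# polynomials below are illustrative choices of this example, not the paper's.

class GF:
    """F_p[X]/(g), elements as tuples of n coefficients (lowest degree first); g is monic of
    degree n and assumed (not verified here) irreducible over F_p, so this is F_{p^n}."""
    def __init__(self, p, g):
        self.p, self.g, self.n = p, [c % p for c in g], len(g) - 1
        self.q = p ** self.n
    def elt(self, coeffs):
        c = [x % self.p for x in coeffs] + [0] * self.n
        return tuple(c[: self.n])
    def one(self):
        return self.elt([1])
    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))
    def mul(self, a, b):
        p, n, g = self.p, self.n, self.g
        res = [0] * (2 * n - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                res[i + j] = (res[i + j] + x * y) % p
        for d in range(2 * n - 2, n - 1, -1):  # eliminate X^d for d >= n, g being monic
            c, res[d] = res[d], 0
            for i in range(n):
                res[d - n + i] = (res[d - n + i] - c * g[i]) % p
        return tuple(res[:n])
    def pow(self, a, e):  # square-and-multiply, e a non-negative Python int
        r, b = self.one(), a
        while e:
            if e & 1:
                r = self.mul(r, b)
            b, e = self.mul(b, b), e >> 1
        return r
    def inv(self, a):  # a^(q-2) = a^(-1) for a != 0
        return self.pow(a, self.q - 2)
    def frob(self, a, i=1):  # sigma^i: x -> x^(p^i), the i-th power of the Frobenius sigma
        return self.pow(a, self.p ** i)


def mobius(d):
    """Moebius function mu(d), by trial division."""
    m, f = 1, 2
    while f * f <= d:
        if d % f == 0:
            d //= f
            if d % f == 0:
                return 0
            m = -m
        f += 1
    return -m if d > 1 else m


def cyclotomic_value(k, p):
    """Phi_k(p) = prod_{d | k} (p^(k/d) - 1)^mu(d), d over the squarefree divisors of k."""
    num = den = 1
    for d in range(1, k + 1):
        if k % d == 0 and mobius(d) == 1:
            num *= p ** (k // d) - 1
        elif k % d == 0 and mobius(d) == -1:
            den *= p ** (k // d) - 1
    return num // den


def unit_of_order_dividing_phi(F, zeta):
    """Proposition (5.2) in R = F_{p^k}: theta = prod_d sigma_d(zeta)^mu(d) over the squarefree
    divisors d of k, with sigma_d = prod_{r | d} sigma^(k/r), i.e. sigma_d(x) = x^(p^e) where
    e is the sum of k/r over the primes r dividing d.  The text proves theta^Phi_k(p) = 1."""
    k, theta = F.n, F.one()
    for d in range(1, k + 1):
        if k % d == 0 and mobius(d) != 0:
            e = sum(k // r for r in range(2, d + 1) if d % r == 0 and all(r % s for s in range(2, r)))
            s = F.frob(zeta, e)
            theta = F.mul(theta, s if mobius(d) == 1 else F.inv(s))
    return theta


def non_lth_power_51(p, l, rho, g_l):
    """Theorem (5.1) with k = 1 (so q = p): rho is a primitive l-th root of unity in F_p and
    g_l an irreducible polynomial of degree l over F_p.  Returns beta in F_p that is not an
    l-th power, via the map f(x) = sum_i rho^i x^(q^i) on F = F_p[X]/(g_l) from the proof."""
    F = GF(p, g_l)
    for j in range(l):                                   # try the basis 1, X, ..., X^(l-1) of F
        alpha = F.elt([0] * j + [1])
        fa = F.elt([0])
        for i in range(l):
            fa = F.add(fa, tuple(pow(rho, i, p) * c % p for c in F.frob(alpha, i)))
        if any(fa):                                      # f(alpha) != 0
            beta = F.pow(fa, l)                          # beta = f(alpha)^l lies in F_q = F_p
            assert not any(beta[1:])
            return beta[0]
    raise ValueError("f vanished on a whole basis; the proof of (5.1) rules this out")


if __name__ == "__main__":
    F81 = GF(3, [2, 0, 0, 2, 1])   # constructed: F_3[X]/(X^4 + 2X^3 + 2), k = 4, Phi_4(3) = 10
    theta = unit_of_order_dividing_phi(F81, F81.elt([0, 1]))
    print(theta, F81.pow(theta, cyclotomic_value(4, 3)) == F81.one())
    print(non_lth_power_51(7, 3, 2, [-2, 0, 0, 1]))   # constructed: q = 7, l = 3, rho = 2
```

For the $\mathbf{F}_{81}$ data, $\theta = X \cdot \sigma_2(X)^{-1} = X^{-8}$, which has order exactly $10 = \Phi_4(3)$; the $\mathbf{F}_7$ run returns $\beta = 5$, and $5^{(7-1)/3} \ne 1$ confirms it is not a cube.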

We describe the algorithm that proves Theorem 3. Let $p$ be a prime number, $k$ a positive integer, and write $q = p^k$. We suppose that explicit data for $\mathbf{F}_q$ are given, and that for each prime number $l$ dividing $\Phi_k(p)$ a primitive $l$th root of unity $\rho_l \in \mathbf{F}_q$ is given. Next we let $l$ be one of these prime numbers. It is our purpose to construct an element of $\mathbf{F}_q$ that is not an $l$th power in $\mathbf{F}_q$. If $l$ divides $k$ then we can do this by Theorem (5.1). Let it henceforth be assumed that $l$ does not divide $k$. We claim that in the notation of (5.2) we have
$$\prod_d \sigma_d(\rho_l)^{\mu(d)} \ne 1. \qquad (5.3)$$
As we saw in the proof of (5.2), this is the same as saying that the $\prod_r (1 - p^{k/r})$th power of $\rho_l$ is different from $1$, i.e., that $\prod_r (1 - p^{k/r})$ is not divisible by $l$. Indeed, from $\Phi_k(p) \equiv 0 \bmod l$ and $k \not\equiv 0 \bmod l$ we see, using (2.2), that $(p \bmod l)$ is a strict $k$th root of unity in $\mathbf{F}_l$, so that $\prod_r (1 - p^{k/r}) \not\equiv 0 \bmod l$. This proves (5.3).

(5.4) A Reduction. An element $a \in \mathbf{F}_q^*$ is an $l$th power in $\mathbf{F}_q$ if and only if $a^{(q-1)/l} = 1$. We claim that it suffices to describe an algorithm that given an element $a \in \mathbf{F}_q^*$ with $a^{(q-1)/l} = 1$ computes an $l$th root of $a$ in $\mathbf{F}_q$, within time $(s(q) + \log q)^{O(1)}$. Namely, if starting from $\rho_l$ we repeatedly take $l$th roots, we will, after $O(\log q)$ steps, find a root of unity in $\mathbf{F}_q$ whose order is the largest power of $l$ dividing $q-1$, and this root of unity is not an $l$th power in $\mathbf{F}_q$. Thus, for the rest of the algorithm, we assume that an element $a \in \mathbf{F}_q$ with $a^{(q-1)/l} = 1$ is given. It is our purpose to find an $l$th root of $a$ in $\mathbf{F}_q$.

We shall denote by $k'$ the number of squarefree divisors of $k$; obviously, we have $1 \le k' \le k$. If $p < k'l$ then Berlekamp's algorithm for finding a zero of $X^l - a$ is fast enough. Let it now be assumed that $p \ge k'l$.

(5.5) The Ring $R$. We shall work in the ring $R = \mathbf{F}_q[X]/(X^l - a)$. Let $\alpha \in R$ denote the residue class of $X$, so that the elements $1, \alpha, \ldots, \alpha^{l-1}$ form an $\mathbf{F}_q$-basis for $R$, and $\alpha^l = a$. We have $\alpha^{q-1} = a^{(q-1)/l} = 1$, so the map $R \to R$ that maps each $x$ to $x^q$ is the identity on both $\mathbf{F}_q$ and $\alpha$, and is therefore the identity; that is, $R$ satisfies the hypothesis of (5.2). Hence all elements of $R^*$ have order dividing $q-1$.

The ring $R$ has a unique automorphism that is the identity on $\mathbf{F}_q$ and maps $\alpha$ to $\rho_l\alpha$; we denote this automorphism by $\tau$. We have $\tau^l = \mathrm{id}_R$, and $\tau$ commutes with the $p$th power map $\sigma$ from (5.2) and its powers $\sigma_d$. For $\zeta \in R^*$, write $\zeta^{\tau-1} = \tau(\zeta)/\zeta$. For example, we have $\alpha^{\tau-1} = \rho_l$. We claim that:

if $\zeta \in R^*$ is such that $\zeta^{\tau-1} \in \mathbf{F}_q^*$, then $\zeta^{\tau-1} \in \langle \rho_l \rangle$. $\qquad (5.6)$

This follows from $(\zeta^{\tau-1})^l = \prod_{i=0}^{l-1} \zeta^{\tau-1} = \prod_{i=0}^{l-1} \tau^i(\zeta^{\tau-1}) = \tau^l(\zeta)/\zeta = 1$.

(5.7) A Special Element of $R$. The next step is to construct an element $\beta \in R$ that is either a zero-divisor or satisfies
$$\beta^{\Phi_k(p)} = 1, \quad \beta^{\tau-1} \notin \mathbf{F}_q^*. \qquad (5.8)$$
If $k = 1$ one can take $\beta = 1 + \alpha$, as a simple computation shows. In the general case one finds $\beta$ by means of a search procedure. First one tests whether there is a zero-divisor among the elements $\alpha + i$, $i = 1, 2, \ldots, k'l - 1$, of $R$. If so, one is done, so suppose not. Then all these elements are units, and one tries the elements $\prod_d \sigma_d(\alpha + i)^{\mu(d)}$ for the same values of $i$, the product being as in (5.2). All of these elements have order dividing $\Phi_k(p)$, by (5.2), and we claim that at least one of them satisfies the second condition in (5.8). Suppose not. Then by (5.6) we have
$$\prod_d \left( \frac{\sigma_d(\tau\alpha) + i}{\sigma_d(\alpha) + i} \right)^{l\mu(d)} = 1$$
for all these values of $i$. Apply the ring homomorphism $R \to \mathbf{F}_q$ that maps $\alpha$ to some $l$th root $b$ of $a$; it commutes with the $p$th power map $\sigma$ and its powers, so we find that the rational function
$$f = \prod_d \left( \frac{\sigma_d(\rho_l b) + Y}{\sigma_d(b) + Y} \right)^{\mu(d)} \in \mathbf{F}_q(Y)$$
satisfies $f(i)^l = 1$ for $1 \le i < k'l$, and the same is in fact true for $i = 0$. Since $f^l$ is a quotient of two monic polynomials of degree $k'l$, and since all these values of $i$ are pairwise distinct in $\mathbf{F}_p$, it follows that $f^l = 1$ in $\mathbf{F}_q(Y)$, so $f$ is constant. However, we have $f(\infty) = 1$ and $f(0) \ne 1$, by (5.3). This contradiction proves that the search procedure will be successful.

(5.9) An Auxiliary Procedure. We claim that one can construct a zero-divisor in $R$ if an element $\zeta \in R^*$ is known for which the order of $\zeta^{\tau-1}$ is a prime $l'$ dividing $\Phi_k(p)$, but $\zeta^{\tau-1} \notin \langle \rho_l \rangle$; notice that the latter condition is automatic if $l' \ne l$.

To do this, one applies the algorithm of Proposition (2.5) with $\zeta^{\tau-1}$ and $\rho_{l'}$ in the roles of $\alpha$ and $\zeta$, and $n = l'$. This algorithm cannot give rise to an integer $i$ with $\zeta^{\tau-1} = \rho_{l'}^i$, since $\zeta^{\tau-1}$ does by (5.6) not belong to $\mathbf{F}_q$; hence one obtains a non-trivial idempotent $e$ in $R$, which is the desired zero-divisor.

(5.10) Constructing a Zero-Divisor. If in (5.7) one has not yet been successful in constructing a zero-divisor in $R$, then one constructs one now. From (5.7) one knows an element $\beta \in R^*$ as in (5.8). We have $(\beta^{\tau-1})^{\Phi_k(p)} = 1$, and since the prime factors of $\Phi_k(p)$ are known one can determine the order of $\beta^{\tau-1}$. If it is divisible by some prime $l' \ne l$, then one finds a suitable power $\zeta$ of $\beta$ for which $\zeta^{\tau-1}$ has order $l'$, and one applies (5.9) in order to find a zero-divisor. Hence assume that $\beta^{\tau-1}$ has order $l^m$ for some integer $m \ge 0$. By (5.8) we have $m \ne 0$, and if $m = 1$ then by (5.8) one can apply (5.9) to $\zeta = \beta$. Now let $m \ge 2$. In this case, one computes $\zeta = (\beta^{\tau-1})^{l^{m-2}}$; this is an element of order $l^2$, and one has $\zeta = \theta^{\tau-1}$ with $\theta = \beta^{l^{m-2}}$. We may assume that $\zeta^l \in \langle \rho_l \rangle$, since otherwise one can apply (5.9) to $\zeta = \theta^l$. From $\zeta^l \in \langle \rho_l \rangle$ we see that $c = \zeta^{\tau-1}$ satisfies $c^l = 1$, so again by (5.9) we may assume that $c \in \langle \rho_l \rangle \subset \mathbf{F}_q$. From $\tau(\theta) = \zeta\theta$, $\tau(\zeta) = c\zeta$, and $\tau(c) = c$ one obtains $\tau^i(\theta) = c^{\binom{i}{2}} \zeta^i \theta$ by induction on $i$. Since $\tau$ has order $l$ it follows that $\theta = \tau^l(\theta) = c^{\binom{l}{2}} \zeta^l \theta$, so $\zeta^l = c^{-\binom{l}{2}}$. By $\zeta^l \ne 1$ and $c \in \langle \rho_l \rangle$, this implies that $l = 2$ and $c = \rho_2 = -1$. Therefore we have $\zeta^2 = -1$ and $\tau(\zeta) = -\zeta$.

Since all elements of $R^*$ have order dividing $q-1$, and $\zeta$ has order $4$, we have $p^k = q \equiv 1 \bmod 4$. We assumed that $k$ is not divisible by $l$, and $l = 2$, so $k$ is odd and we have $p \equiv p^k \equiv 1 \bmod 4$. Hence one can use Schoof's algorithm [17] to find an element of $\mathbf{F}_p^*$ whose square is $-1$. The product of $\zeta$ minus that element and $\zeta$ plus that element is $\zeta^2 + 1 = 0$, and by $\tau(\zeta) = -\zeta$ neither factor is $0$. Thus $\zeta$ minus that square root of $-1$ is a zero-divisor in $R$.

(5.11) An $l$th Root of $a$. Let $\sum_{i=0}^{l-1} c_i \alpha^i$, with $c_i \in \mathbf{F}_q$, be a zero-divisor in $R$, as computed in (5.7) or in (5.10). Then one applies Euclid's algorithm to compute $g = \gcd(\sum_{i=0}^{l-1} c_i X^i, X^l - a)$ in $\mathbf{F}_q[X]$, which is a polynomial of degree $n$ for some $n$ with $0 < n < l$. Each root of $g$ is an $l$th root of $a$, so their product, which equals $(-1)^n g(0)$, is an $l$th root of $a^n$. Since $l$ is prime, one can find integers $u, v$ with $un + vl = 1$, and then $((-1)^n g(0))^u a^v$ is an $l$th root of $a$ in $\mathbf{F}_q$.

This concludes the description of the algorithm underlying Theorem 3. The correctness has been proved along the way, and it is straightforward to prove the run time bound asserted in the statement of the theorem. This proves Theorem 3.

6. FACTORING POLYNOMIALS

In this section we prove Theorem 1. We begin with three auxiliary results. Let $p$ be a prime number and $k$ a positive integer. We write $q = p^k$.

LEMMA (6.1). The number $\Phi_k(p)$ has a prime divisor $l$ with $l \equiv 1 \bmod k$, unless one is in one of the following cases:

$p = 2$, and $k = 1$ or $6$;

$p = 2^m - 1$ for some integer $m \ge 2$, and $k = 2$.

In all cases one has $s(p^k) \ge k/2$.

Proof. If $k = 1$ then $\Phi_k(p) = p - 1$, and if $k = 2$ then $\Phi_k(p) = p + 1$; in both cases the lemma is easy to check. Next let $k > 2$. If we except the single case $p = 2$, $k = 6$, then by [2, Sect. 1, Corollary 2] there is a prime number $l$ dividing $p^k - 1$ but not dividing $p^i - 1$ for any positive integer $i < k$. Then $l$ divides $\Phi_k(p)$, and since the multiplicative order of $p \pmod l$ equals $k$, the order $l-1$ of the group $\mathbf{F}_l^*$ is divisible by $k$. The first statement follows, and the second is an immediate consequence. This proves (6.1).

In the proof of the following lemma, and in (6.3), we let $\sigma_d$ be as defined in Proposition (5.2), with $R = \mathbf{F}_q$; the order of $\sigma_d$ in the automorphism group $G$ of $\mathbf{F}_q$ equals $d$. By $\mu$ we denote the Möbius function.

LEMMA (6.2). Any vector space basis of $\mathbf{F}_q$ over $\mathbf{F}_p$ contains an element $a$ with $\mathbf{F}_q = \mathbf{F}_p(a)$.

Proof. Consider the $\mathbf{F}_p$-linear map $g\colon \mathbf{F}_q \to \mathbf{F}_q$ defined by $g(x) = \sum_d \mu(d)\sigma_d(x)$, with $d$ ranging over the squarefree divisors of $k$. If $x$ belongs to a normal basis of $\mathbf{F}_q$ over $\mathbf{F}_p$, then $g(x) \ne 0$, since the $\sigma_d$ are pairwise distinct. Hence $g$ is non-zero, and any basis of $\mathbf{F}_q$ over $\mathbf{F}_p$ contains an element $a$ with $g(a) \ne 0$. We can write $g(a) = (\prod_r (1 - \sigma_r))a$, with $r$ ranging over the prime divisors of $k$; the product belongs to the group ring $\mathbf{F}_p[G]$, which naturally acts on the additive group of $\mathbf{F}_q$. Since $1 - \sigma_r$ annihilates the subfield $\mathbf{F}_{p^{k/r}}$ of $\mathbf{F}_q$, and any proper subfield is contained in one of the $\mathbf{F}_{p^{k/r}}$, the product $\prod_r (1 - \sigma_r)$ annihilates all proper subfields. Hence from $g(a) \ne 0$ it follows that $a$ does not belong to any proper subfield of $\mathbf{F}_q$, so that $\mathbf{F}_q = \mathbf{F}_p(a)$. This proves (6.2).

The expression used in the proof of (6.2) is the additive analogue of the expression that appears in (5.2). One can prove, more precisely, that any basis of $\mathbf{F}_q$ over $\mathbf{F}_p$ contains at least $\varphi(k)$ elements $a$ with $\mathbf{F}_q = \mathbf{F}_p(a)$, where $\varphi$ denotes the Euler function, and that there is a basis containing exactly $\varphi(k)$ such $a$'s.

LEMMA (6.3). Let $a \in \mathbf{F}_q$ be such that $\mathbf{F}_q = \mathbf{F}_p(a)$, and let $t, u \in \mathbf{F}_p$. Suppose that in the field $\mathbf{F}_q(Y)$ of rational functions one has
$$\prod_d (\sigma_d(a)Y + t)^{\mu(d)} = \prod_d (\sigma_d(a)Y + u)^{\mu(d)},$$
with $d$ ranging over the squarefree divisors of $k$. Then we have $t = u$.

Proof. If both $t$ and $u$ are $0$ we are done. So suppose that $t \ne 0$. We have
$$\prod_{d,\ \mu(d)=1} (\sigma_d(a)Y + t) \cdot \prod_{d,\ \mu(d)=-1} (\sigma_d(a)Y + u) = \prod_{d,\ \mu(d)=1} (\sigma_d(a)Y + u) \cdot \prod_{d,\ \mu(d)=-1} (\sigma_d(a)Y + t).$$
By unique factorization in $\mathbf{F}_q[Y]$, the factor $aY + t$ on the left is proportional to one of the factors on the right. From $\mathbf{F}_q = \mathbf{F}_p(a)$ it follows that the elements $\sigma_d(a)$ are pairwise distinct, so $aY + t$ is not proportional to any of the factors $\sigma_d(a)Y + t$ with $\mu(d) = -1$. Hence there exists $d$ with $\mu(d) = 1$ such that $aY + t$ is proportional to $\sigma_d(a)Y + u$, so that $\sigma_d(a) = (u/t)a$. Applying $\sigma_d$ we see that $\sigma_d^2(a) = (u/t)\sigma_d(a)$. Also the factor $\sigma_d(a)Y + t$ on the left is proportional to a factor on the right, so the same argument shows that there exists $d'$ with $\mu(d') = 1$ and $\sigma_{d'}(a) = (u/t)\sigma_d(a)$. Then we have $\sigma_{d'} = \sigma_d^2$. Since $\sigma_{d'}$ and $\sigma_d$ have orders $d'$ and $d$, respectively, it follows that $d' = d/\gcd(d, 2)$. If $d$ is even then we have $d = 2d'$, which contradicts $\mu(d) = \mu(d') = 1$. Hence $d$ is odd, and we have $d' = d$. From $\sigma_{d'}(a) = (u/t)\sigma_d(a)$ we now see that $u = t$. This proves (6.3).

We turn to the description of the algorithm that proves Theorem 1. Let, for some prime number $p$ and positive integers $n$ and $k$, a polynomial $f$ over $\mathbf{F}_{p^n}$ be given, as well as an irreducible $r$th degree polynomial $g_r$ in $\mathbf{F}_p[X]$ for each $r \in R(p^k)$ that does not divide $n$. It is our purpose to factor $f$ into irreducible factors in $\mathbf{F}_{p^n}[X]$.

The algorithm starts by factoring $\Phi_k(p)$ completely by means of trial division. From $\Phi_k(p) < p^k$ and (6.1) it follows that this can be done in time $(s(p^k) + \log p)^{O(1)}$.

(6.4) Preliminary Reductions. Using [5, Sect. 7.5 and Theorem 7.8.1], one reduces to the case in which $f$ is known to be a product of $\deg f$ pairwise distinct linear factors in $\mathbf{F}_p[X]$, with $\deg f > 1$. We shall assume that this is the case, so that $X^p \equiv X \bmod f$. Also, we assume that $f$ is monic. Then the coefficients of $f$ and of all of its monic factors belong to $\mathbf{F}_p$.

As in (5.4), we denote by $k'$ the number of squarefree divisors of $k$. If $p < k'$ or $p = 2$ then Berlekamp's algorithm is fast enough. We shall assume that $p \ge k'$ and that $p \ne 2$.

The algorithm that we describe finds a non-trivial factor of $f$. Applying the algorithm recursively one obtains the complete factorization of $f$.

(6.5) The Field $\mathbf{F}_q$. Let $q = p^k$. If we have $k = 2$ and $p = 2^m - 1$ for some integer $m \ge 2$, then $\mathbf{F}_p[X]/(X^2 + 1)$ is an explicit model for $\mathbf{F}_q$. In the other case one constructs $\mathbf{F}_q$ as follows. Since explicit data for $\mathbf{F}_{p^n}$ are given, one can use [12, Theorem (9.1)] (with $E = \mathbf{F}_p$) to compute an irreducible $r$th degree polynomial $g_r \in \mathbf{F}_p[X]$ for each prime divisor $r$ of $n$. Then one knows, with the $g_r$ that were given, an $r$th degree irreducible polynomial $g_r \in \mathbf{F}_p[X]$ for each $r \in R(p^k)$. From the definition of $R(p^k)$ (see Sect. 1) and Lemma (6.1) it follows that each prime dividing $k$ belongs to $R(p^k)$. By [12, Theorem (9.1)] one can use the $g_r$ with $r$ dividing $k$ to construct explicit data for $\mathbf{F}_q$.

(6.6) Special Elements of $\mathbf{F}_q$. One constructs an element $a \in \mathbf{F}_q$ with $\mathbf{F}_q = \mathbf{F}_p(a)$. Such an element may be a byproduct of the construction of $\mathbf{F}_q$ in (6.5) (cf. [12, Theorem (9.1)(b)]); but in any case one can be found among the elements of a basis of $\mathbf{F}_q$ over $\mathbf{F}_p$, by Lemma (6.2). Note that $a \in \mathbf{F}_q$ satisfies $\mathbf{F}_q = \mathbf{F}_p(a)$ if and only if the elements $a, \sigma(a), \ldots, \sigma^{k-1}(a)$ are pairwise distinct, where $\sigma(x) = x^p$.

One also constructs an element $\zeta \in \mathbf{F}_q^*$ of order $\Phi_k(p)$. To do this, one first applies Theorem 2 to $h = k$ in order to find, for each prime number $l \in S(q)$, a primitive $l$th root of unity in $\mathbf{F}_q^*$. Next, using Theorem 3, one finds for each such $l$ an element $\zeta_l$ of $\mathbf{F}_q$ that is not an $l$th power in $\mathbf{F}_q$. A suitable power $\theta_l$ of $\zeta_l$ has order equal to the largest power of $l$ dividing $\Phi_k(p)$. One can now take $\zeta = \prod_l \theta_l$, the product ranging over the primes $l$ dividing $\Phi_k(p)$.

(6.7) The Ring $R$. The rest of the algorithm works in the ring $R = \mathbf{F}_q[X]/(f)$. If one knows a zero-divisor in $R$, then as in (5.11) one can use it in order to find a non-trivial factor $g$ of $f$ in $\mathbf{F}_q[X]$; and as we saw in (6.4), the coefficients of $g$ are in $\mathbf{F}_p$. Thus, it suffices to find a zero-divisor in $R$.

Let $\sigma\colon R \to R$ denote the $p$th power map and let $\alpha \in R$ be the residue class of $X$. We have $\sigma(\alpha) = \alpha$ (see (6.4)), and therefore $\sigma$ satisfies the condition $\sigma^k = \mathrm{id}_R$ of Proposition (5.2). Let $\sigma_d$ be as in (5.2). For each $d$ we have $\sigma_d(\alpha) = \alpha$. If $\alpha$ is a zero-divisor then one is done, so suppose it is not.

(6.8) A Special Element of $R$. One constructs an element $\theta$ of $R^*$ satisfying
$$\theta^{\Phi_k(p)} = 1, \quad \theta \notin \mathbf{F}_q^*. \qquad (6.9)$$
If $k = 1$ then one simply takes $\theta = \alpha$. Let $k > 1$. None of the elements $-ia$ of $\mathbf{F}_q$, with $1 \le i \le k' - 1$, belongs to $\mathbf{F}_p$, so none of them is a zero of $f$; hence for each of these values of $i$ the element $ia + \alpha$ is a unit of $R$. To find $\theta$, one searches among the elements
$$\prod_d (\sigma_d(ia) + \alpha)^{\mu(d)}, \quad 1 \le i \le k' - 1.$$
By (5.2), each of these elements is a unit of $R$ of order dividing $\Phi_k(p)$. Hence, to prove that the search is successful, it suffices to prove that at least one of these elements is outside $\mathbf{F}_q^*$. Suppose not; then for each $i$ there exists $c_i \in \mathbf{F}_q^*$ with
$$\prod_d (\sigma_d(ia) + \alpha)^{\mu(d)} = c_i.$$
Applying, to this equality, two $\mathbf{F}_q$-algebra homomorphisms $R \to \mathbf{F}_q$ that map $\alpha$ to two distinct zeroes $t, u \in \mathbf{F}_p$ of $f$, we find that
$$\prod_d (\sigma_d(a)i + t)^{\mu(d)} = \prod_d (\sigma_d(a)i + u)^{\mu(d)},$$
because both sides are equal to $c_i$. Thus, the two rational functions occurring in Lemma (6.3) assume the same value at each of $k' - 1$ elements of $\mathbf{F}_q^*$. They also assume the same value at $\infty$ and at $0$, and since each of the two rational functions is the quotient of two polynomials of degree $k'/2$ they must be the same; but this contradicts (6.3).

We have $k' - 1 = 1$ if $k$ is a prime power, so that in that case no search is necessary.

(6.10) A Zero-Divisor. Finally, one applies (2.5) to $n = \Phi_k(p)$, with $\theta$ in the role of $\alpha$ and $\zeta$ as constructed in (6.6). The condition $\theta^n = 1$ from (2.3) is satisfied by (6.9), and $\zeta$ is a strict $n$th root of unity in $R$ because it is a primitive $n$th root of unity in $\mathbf{F}_q$. The algorithm of (2.5) cannot give rise to an integer $i \pmod{\Phi_k(p)}$ with $\theta = \zeta^i$, because $\theta \notin \mathbf{F}_q^*$; hence one obtains a non-trivial idempotent $e$ in $R$, which is the desired zero-divisor.

This concludes the description of the algorithm underlying Theorem 1. We proved the correctness along the way. The proof of the run time estimate is straightforward; it is useful to note that $k \le s(q)$ if $p > 2$, by (6.1). This completes the proof of Theorem 1.

ACKNOWLEDGMENTS

This research was supported by NSF Grants DCR-92-08639 [EB] and DMS-92-24205 [HWL], by NSERC Grant 3-650-126-40, and by Fundación Andes Grant C-10246 [JvzG]. Part of the research was carried out while the second author was in the Department of Computer Science of the University of Toronto. The first author thanks the Information Technology Research Centre, Province of Ontario, for sponsoring a visit to the University of Toronto in 1988, during which a first version of this paper was written.

REFERENCES

1. L. M. Adleman and H. W. Lenstra, Jr., Finding irreducible polynomials over finite fields, in "Proceedings of the 18th Annual ACM Symposium on Theory of Computing (STOC), Berkeley, 1986," pp. 350–355.

2. E. Artin, The orders of the linear groups, Comm. Pure Appl. Math. 8 (1955), 355–365.

3. M. F. Atiyah and I. G. Macdonald, "Introduction to Commutative Algebra," Addison–Wesley, Reading, MA, 1969.

4. E. Bach and J. Shallit, Factoring with cyclotomic polynomials, Math. Comput. 52 (1989), 201–219.

5. E. Bach and J. Shallit, "Algorithmic Number Theory," Vol. I, MIT Press, Cambridge, MA, 1996.

6. E. R. Berlekamp, Factoring polynomials over large finite fields, Math. Comput. 24 (1970), 713–735.

7. S. Evdokimov, Factorization of polynomials over finite fields in subexponential time under GRH, in "Algorithmic Number Theory (ANTS-I)" (L. M. Adleman and M.-D. Huang, Eds.), Lecture Notes in Computer Science, Vol. 877, pp. 209–219, Springer-Verlag, Berlin, 1994.

8. J. von zur Gathen, Factoring polynomials and primitive elements for special primes, Theoret. Comput. Sci. 52 (1987), 77–89.

9. M.-D. Huang, Generalized Riemann hypothesis and factoring polynomials over finite fields, J. Algorithms 12 (1991), 464–481.

10. S. Lang, "Algebra," 3rd ed., Addison–Wesley, Reading, MA, 1993.

11. H. W. Lenstra, Jr., Algorithms in algebraic number theory, Bull. Amer. Math. Soc. 26 (1992), 211–244.

12. H. W. Lenstra, Jr., Finding isomorphisms between finite fields, Math. Comput. 56 (1991), 329–347.

13. U. M. Maurer and S. Wolf, The relationship between breaking the Diffie–Hellman protocol and computing discrete logarithms, SIAM J. Comput. 28 (1999), 1689–1721.

14. M. Mignotte and C. Schnorr, Calcul déterministe des racines d'un polynôme dans un corps fini, C. R. Acad. Sci. Paris Sér. I Math. 306 (1988), 467–472.

15. C. Pomerance and J. Sorenson, Counting the numbers factorable via cyclotomic methods, J. Algorithms 19 (1995), 250–265.

16. L. Rónyai, Factoring polynomials modulo special primes, Combinatorica 9 (1989), 199–206.

17. R. Schoof, Elliptic curves over finite fields and the computation of square roots mod p, Math. Comput. 44 (1985), 483–494.

18. V. Shoup, New algorithms for finding irreducible polynomials over finite fields, Math. Comput. 54 (1990), 435–447.

we would be surprised if our results had any implication for the practical problem of factoring polynomials over "nite "elds. (f) if n is a positive integer with gcd(n. then is a strict nnth root of unity. in fact. G (e) if n is a positive integer all of whose prime factors divide n. Our proof of the H general case depends. I In Section 2 we assemble a few theoretical and algorithmic results about roots of unity in rings. Rings are supposed to be commutative with 1. such an algorithm is actually exhibited.

we have P\ GLP G G "0. Suppose that is a strict nth root of unity in R. Parts (a) and (b) are obvious.1 mod ( LP!1) this gives r ) 1. Proof.2). Theorem 1. O1. so the sum 3 is unchanged under multiplication by .0 mod ( LP!1). Take this modulo LP!1. Since the latter element is a unit. Since L divides the polynomial (XL!1)/(XLP!1)" P\ XGLP. An element e3R is called an idempotent if e"e. Hence. and therefore annihilated by !1. Dividing the identity in (2.FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 9 (g) G is a strict n/gcd(n. if we put I "( ! G)R. The same proof shows that this remains true if R is a ring and a !a 3R* for all iOj. so (a) implies that R is the zero ring. Part (e) is immediate from the de"nition. Applying this to f"XL!1 and a " G one obtains G H G (d).1)(d) by X!1 (which is not a zeroL divisor in R[X]) and substituting 1 for X we "nd that L\ (1! G)"n ) 1. Next let r be a prime number dividing n. the product ranging over the primes r dividing n. Chap. (h) Let 3 . Therefore we have G! H3R*. G By (2. Since n ) 1 is a unit. Since divides XL!1 L L in Z[X] we have L"1. Since XL!1 divides ) (XLP!1). then the product of the G G . M (d) If R is a "eld.1)(c). ¹hen there is a non-trivial idempotent in R or there exists i (mod n) with " G. ¸et 3R. then 3 "0. and a polynomial f3R[X] has pairwise distinct zeroes a 3R. this implies that the sum vanishes. L\ Proof. it is a strict nth root of unity. Only if. so it follows that L P ( )"0. and let n be a positive integer. We have " . IV. An idempotent e is said to be trivial if e"0 or e"1. (h) if L1 2 is any subgroup of order greater than 1. PROPOSITION (2. This proves (2. L is Proof. and that 3R satis.0 mod ( LP!1).4 and G G G proof]).es L"1. this implies that LP!1 is a unit as well. ¹hen a strict nth root of unity in R if and only if ( )"0 and n ) 13R*. By (b).3). The factors LP!1 are units. If. i)th root of unity for each integer i. and therefore n ) 1. PROPOSITION (2. 
and (f) and (g) are easy consequences of (c).2). This proves (2. (c) The image of in the ring R"R/( G! H)R satis"es G" H and has M therefore order less than n.1). this shows that n ) 13R*. Suppose that 3R is a strict nth root of unity. then f is divisible by (X!a ) (see [10. Substituting for X in the identity from (2. Suppose that ( )"0 and n ) 13R*. we L P have ( ) ) ( LP!1)"0.1)(d) we "nd that ( ! G)"0. by GLP.

Then each prime dividing n divides n. and let . If at least two of the rings G G R/I are non-zero*one of which is R/I . say*then the unique element e3R G F that is congruent to 1 modulo I and to 0 modulo all other I is a non-trivial F G idempotent. then the order of R equals pB. 7. then we have L" SL TL" SKY>TL" . in the algorithmic versions of (2. Substituting m for X we "nd that we have G n!1 m imn ( ! )"0. and elements . these coe$cients as well as the a being represented as integers modulo p in the conventional FGH way (cf.3). Let p be a prime number.3) and (2.1)(e) implies that m is a strict nnth root of unity and (2. By (2. explicit data for a non-zero F -algebra R of order pB.1)(c) is a unit if iOj. Also. if we now put I "( m! imn)R. then all but at most G one of the ! G are units. The proofs of (2. Sect. then elements of R are supposed to be speci"ed by means of their coe$cients on the same basis.4). PROPOSITION (2. AND LENSTRA ideals I is zero. ¹here is a deterministic algorithm that. as required. j4d of d elements of F such that for some vector FGH N space basis (e )B of R over F one has e e " a e for all h. v be integers G satisfying um#vn"1. Since G G G m imn m .4). [12. for algorithmic purposes the product over all n or n values of i may be too large. Proposition 1.4) provide fairly explicit constructions of the elements that are asserted to exist. and put " S T. Proof.5). since I #I contains the G G G H element !( ! G)#( ! H)" G! H. Thus. which by (2. However. has the following property: given a prime number p. where m is the largest divisor of m that is coprime to n. This proves (2. 3R N as in (2. VON ZUR GATHEN. so (2.3) and (2. then as in the G G n!1 R/I is an isomorproof of (2. PROPOSITION (2. the algorithm computes in time at most (s#d log p)A either a non- . ¸et m and n be positive integers. By explicit data for R we N mean a system (a )14h.3). If at most one of the rings R/I is non-zero.3) we deduce that the natural map RP G G n!1 im phism. 
the I are pairwise coprime.1)(d) n!1 (X! imn)"Xn!1. Thus. The Chinese remainder theorem [3. mod I it follows that " L.i. This proves (2. i. in that case the ! G that was excluded is zero.4) that follow. Sect. and we proceed recursively. when R is G G N F G H FGH H given by means of explicit data. ¹hen there exists 3R* with L" . Suppose that K"1 and that K is a strict nth root of unity. 2]). Let be the element of R that maps to ( ) 3 R/I . and let R be an F -algebra of "nite vector space N dimension d over F . 3R. To "nish the proof. an integer n'1. for some positive real number c.1)(g) that KYL is a strict nth root of unity. we replace n and n by a prime factor.10 BACH. let u. Write m"mn. 2.10] now implies that the natural map RP L\ R/I is an isomorphism.

and n.6). and the algorithm G stops in this case. Again. G mod I . P. and elements N . 2 . and the algorithm stops. for some positive real number c. one proceeds recursively. and r in the roles of . so using linear algebra over F one can "nd the G N G unique element 3R that for each i"0. Again.4). 3R as in (2. G J then we have KP" LKP.0 mod I for all iOh. and n/r in the roles of . we have indeed L" .5). This proves (2. which does satisfy " G.FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 11 trivial idempotent e3R or an integer i (mod n) with " G. replacing n by a proper divisor in every step. which can be done in time (s#log n). we have n(CR and therefore log n(d log p. The algorithm begins by factoring n completely. and one puts " T. the G G natural map RP P\ R/I is an isomorphism. since R contains a strict nth root of unity. and n. Using linear algebra over G G F one determines which of the elements LP! GLP are non-units or. in the latter case one computes i"jr#h. Suppose now that n'1. one starts by factoring n completely. equivaN lently. the algorithm computes in time at most (s#log m#d log p)A an element 3R* with L" . has the following property: given a prime number p. If n"1 then one can clearly take i"0. Then one obtains either a non-trivial idempotent e in R or an integer j (mod n/r) with \F" HP. one has P\ ( LP! GLP)"0. m. Next. Once n is factored. replacing m by a proper divisor in every step. . This occurs for at least one of the G rings. If m is divisible by none of the primes dividing n. and one puts " I . the natural map RP G G P\ R/I is an isomorphism. since K"1. let r be a prime factor of n that divides m. say for R/I . . integers m'0 and n'1. Proof. If it occurs for at least one other ring R/I .1 mod m. this is a non-trivial idempotent. In the other case. 1. note that. Proof. This proves (2. It is clear that this algorithm has the stated properties. so I "+0. here s denotes the largest prime factor of n. Then we have P\ ( KP! GKLP)"0. 
With I "( LP! GLP)R. r!1 satis"es . which of the rings R/I are non-zero. LP.1 mod I and F e. here s denotes the largest prime factor of n. and let r be a prime factor of n. then one computes v with vn. one proceeds in the following recursive fashion. As in the proof of (2. Now J one calls the algorithm recursively on . and LP" FLP.6). then one uses F G linear algebra to determine the unique element e3R with e. . ¹here is a deterministic algorithm that. . so for " / L and m"m/r we have m"1. and " P. With I "( KP! GKLP)R. then one F G actually has R"R/I . If R/I is the only non-zero ring among the R/I . with LP. PROPOSITION (2. the veri"cation that the algorithm just described has the asserted properties is completely straightforward. explicit data for a non-zero F -algebra R of order pB. Then one "nds I 3R J with I L" .3). In this case one calls the F F algorithm recursively on \F.

¸et g be a primitive root modulo r. P (d) Suppose that K is .2)]. The last assertion P of (d) is in [12. and we P G let denote the residue class of X. [11. Denote by Z the ring of E P r-adic integers. ? ? P P The set of all 's forms a group. P (b) Every non-trivial subgroup of ¹ contains . (3. by (a). ? P P P PROPOSITION (3. Following [12. for n"order . VON ZUR GATHEN. For (a). For each a3F*. so is cyclic with P P P ? generator . hence each u3K[ ]* has order dividing q P!1. Every non-trivial subgroup of ¹ has P a subgroup of order r. so it is the P m identity.1)(e) the same is true for all 3¹ .1)]. ¹hen the element i (g)G \G\ E G of the group ring Z [ ] satis. which we denote by . P P E E "(1!r)\ ) P\ . (4. It can also be used for other rings that are su$ciently explicitly given (cf. we de"ne the ¹eichmuller subgroup ¹ of K I P K[ ]* to be the set of those 3K[ ]* that have r-power order and satisfy P P " S ? for all a3F*. and since ¹ has at most one subgroup of order r. ¹hen each element of K[ ]* has order dividing P P qmP!1. Proposition 7].3). By (2. P Proof. then the ring homomorphism from K[ ] to itself that raises P m each element to the power q P is the identity both on K and on 1 2.es ) ( ! (g))" ! (g). 3. If K is P "nite of order q. in substance. of order q. AND LENSTRA The algorithm of (2. the ring K[ ] has P P P a unique automorphism that is the identity on K and satis"es " ?. We write K[ ] for the ring K[X]/( P\ XG). GAUSS SUMS In this section we let K be a "eld.2) it follows that is a strict rth root P P of unity. P and by (b) and (2.nite subgroup of ¹ is cyclic. and de"ne the ¹eichmuK ller character : F*PZ* by (b mod r)" P P rI lim b .2). Section 2]). This proves (c).2). (5. (a) Every . the other elements of 1 2 are strict roots of unity as well.1)(g).12 BACH. The following technical lemma will be needed later. From (2. where g is a primitive root modulo r. LEMMA (3. and let m be the multiplicative P order of (q mod r) in F*. 
P P (c) Every 3¹ is a strict nth root of unity. Let r be a prime number di!erent from the characteristic of K. and ¹ is cyclic of order equal to the largest power of r dividing qmP!1. P it must be 1 2. This proves (3.1) ¹he ¹eichmuK ller Subgroup. be found in [7. the map assigning ? P to a establishes a group isomorphism F*: . see [12. We have 3¹ .nite. This proves (b). Section 4].6) can.

P We write A for the tensor product. "1.X! (g) mod (XP\!1). as a vector space over K. 2 . We denote by the group of group homomorphisms F*P .FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 13 Remark. we let l be a prime number. if O1.4) A ¸arger Ring. generated by a strict (l!1)th root of unity. Substituting E for X we obtain the lemma. (3. i"0 XG ). which we denote by . In the rest of this section. )3A by ! 1 x. j( . The element (g)3Z is a zero of the polynomial f "XP\!1. By (3. of . This lemma expresses in an explicit manner the existence of an idempotent ) ( ! (g)) in Z [ ] that generates the kernel of the ring E P P homomorphism Z [ ]PZ induced by . all elements of P are strict roots of unity. )" (!1) ) l if "1 or .6) Jacobi Sums and Gauss Sums. J (x) (y) if O1. we write for this subgroup. then it contains l!1 of them.2)(c). and we suppose that K contains a primitive lth root of unity . of the rings K[ ]. over K. X ]/ r!1 R R r !1 R ( i"0 XG . For . P and if we write f "f ) (X! (g)) then we have f ( (g))"f ( (g))" (r!1) (g)P\"(r!1) (g)\. Explicitly. if these primes are r . Multiplying (*) by G (1!r)\ ) (g) ) (X! (g)) we "nd that (1!r)\ ) (g) ) f ) (X! (g)). and it is. then A is the ring K[X . (3. r (without repetition). Hence we can perform a division with remainder (*) f "f ) (X! (g))#(r!1) (g)\. P P P Proof.5) a fact that will be used repeatedly below. y3F* x#y"1 . with P r ranging over the primes dividing l!1. "1. 3 . 2 . Each of the rings K[ ] embeds in a natural way in A. O1.1)(f). we de"ne the Jacobi sum j( . The R P G G groups generate a subgroup of A*. (3.1)(h) we obtain "0 3 for each subgroup O+1. O1. by (2. it has dimension R (r !1). Thus from (2. We denote the unit J element of simply by 1. and an explicit long division shows that f " P\ i (g)G\XP\\G. it is cyclic of P order l!1. then is cyclic of order l!1. 2 . 
We make the further assumptions that l!1 is not divisible by the characteristic of K and that for each prime number r dividing l!1 the group ¹ contains a subgroup of order equal to the largest power of P r dividing l!1.

) for all P ? Proof. J (x/(1!x)) (1. which again follows from (3. J (x) (y) ( . G (b) This is clear from (a) if "1 or "1. y3F* x#y"1 . y 3F*. then we "nd ( . )"1. x#y"z J (x) (y) X X " x. ( . ( . and one has ( ( . we see that (y)"0. ). and 3 has r-power order. ) ( . zO !1 J (z)" (!1)(l!1)# (!1) " (!1) ) l"j( . 3 . as required. PROPOSITION (3. with equal to the image of . ) ( . If "1. P ¸et 3K be a primitive lth root of unity. ) to the subring K[ ] of A. 3 . ) ( . )" ! J\ G"1. ). Next suppose that O1 and O1. ) for all .5). If that y3F* J O1 then from (3. . "(1!l)\ 3 ( . y3F*. W)" (y)\ ( . (a) We have (1. ). )"j( .14 BACH. )3A* for all . )3A*. ) " (!1)(l!1)! z3F*. AND LENSTRA For 3 and a primitive lth root of unity 3K. J if r is a prime dividing l!1. We list the basic properties of these sums that we shall need. )" ! x3F* J (x) V. ( . )3A by ( . )" (!1)(l!1)! x3F* xO1 . y 3F*. ) ( . We have ( . ))" ( S ? . ) for all 3 and y3F*. we de"ne the Gauss sum ( . y 3F* J (x) (y) V>W" z3F J x.7).5). j( . VON ZUR GATHEN. ¹hen we have: (1. x#y"1 J (xz) (yz) " (!1) y3F* J (y)! x. where we use that z3F* J (z)"0. )" x. x#y"0 J (x) (y)# z3F* J x. then ( . (a) (b) (c) (d) (e) (f ) belongs a3F*. In that case we obtain (b).

and let G be a positive integer that is congruent to (g) modulo rR. )" x3F* (! 3 (x)) V. The following lemma will be our main tool in computing Gauss sums. using yx as a new J summation variable. Suppose that 3 . )rR we "nd that v" ( .ne " v% ( %. the required computation cannot be done directly. ) E !G ". in this notation we can rewrite the de"nition of as "vG! E ) ( . let t be a non-negative integer. P This proves (3. so j( . In general.8). P De. if K[ ] is a "eld*then (3. )3A* whenever at least one of . using (a). O1. . ¹hen there exists a primitive lth root of unity 3K such that Remark. E G ) v" ( . Proof. that ( . Applying (b) to " \ we now see. For example. in this case. )% E P\ " \G\ ( )iGG(1!rR)/(1!r) . ¸et r be a prime number dividing l!1.FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 15 (c) Since l is not divisible by the characteristic of K. and this necessitates the detour over . and equals 1. By (3. )3A* for all . ). W)" ! x3F* (yx) WV" ( . and that v3K[ ] is such that vrR" ( . . (d) We have 3 ( .3). LEMMA (3. which is to be P computed with the help of the idempotent ) ( ! (g)) from Lemma (3. )3A* for all . Next we see from (b) that j( . The equality in (f ) follows from the fact that "xes the P ? elements V of K and raises the elements (x) of ¹ to the power (a). ). The following may serve to explain what is happening in this lemma and its proof. ) for some P 3K[ ]* with rR"1. )3K[ ]. E However. ) E!G (applying (3.5). )rR for some primitive lth root of unity 3K. ) belongs to ¹ *which occurs. let g be a primitive root modulo r. one has "1 and "1. ). (e) We have (y) ( . so that P ( .7). and we are left with the contribution for x"1. which is (1!l) . for example. )3K[ ]* and vrR" ( . ) (v) ( . is of order rR. We write the action of this group ring exponentiP ally. ). since is just as unavailable as ( . Applying !G we "nd that P E !G E "vG! E ) ( . the image of is in . it is a unit in A. must be replaced by its projection / to ¹ . 
If the rRth root of unity with v" ( . The action of on K[ ]* makes the latter group into a module P P over the group ring Z[ ]. ) . (f ) Under the hypotheses of (f ). the sum in J parentheses vanishes for every xO1. From ( . .7)(e) readily implies P P that v itself is of the form ( .7)(f ) to a"g).

8). for each i"1. LEMMA (3. 2 . with " W. AND LENSTRA This shows that rR"1. with z(i)3F* J G (and z(1)"1). VON ZUR GATHEN. Each zero is a primitive lth root of unity. we G G J G G have ( . the exponent iGG(1!rR)/(1!r) matters only modulo rR. G . an irreducible polynomial g of degree r in F [X]. Choose y3F* mapping to ( (z(i)))R .16 BACH. 3 be characters whose orders are pairwise R relatively prime. to prove this. and for each prime number r dividing l!1 but not dividing h. X G )" ( . We may assume that t'0.3) P P and applying ( ! (g)) to the equality E! (g)" we now "nd that E E ! (g) " ( ! (g)) E " ( ! (g)) E " ! (g) E . In fact. a positive integer h for which l divides pF!1. Now J P J we have ) v"( / ) ) ( . Thus we can write / " (y). )" (z(i))\ ) ( .9). )" (y)\ ( . ). Therefore the element / . This proves (3. We are given two prime numbers p and l. CONSTRUCTING ROOTS OF UNITY In this section we describe the algorithm that proves Theorem 2. If p divides l!1. then it su$ces to apply Berlekamp's algorithm (see Sect. so that both and belong to the group of elements of K[ ]* of r-power order. 2 . it belongs to the image (F*) of . t one has ( . by the de"nition of ¹ . 2 . . and let . Using (3. with y3F*. using (3. G G G Proof. so we may rewrite that de"nition as " ?. )" ( . 2 . it P J su$ces to observe that ¹ is cyclic and that the order of / divides the order P rR of the subgroup (F*) of ¹ .3). satis"es ( / )" E ( / )S E . In the de"nition of P P P . explicit data for FpF. 1) for "nding a zero of J\ XG in FpF . That group is a Z [ ]-module. Since the orders of the are pairwise coprime. ) G G G G G G G G W. that / P P belongs to ¹ . the Chinese G remainder theorem implies that the map F*P R (F*) sending y to J G G J ( (y))R is surjective. Since g generates F* it follows. which has order dividing rR. Write " X G for each i. t. )" ( . 3K be primitive lth roots of unity. in time N (l#h log p). with " 4.7)(e). W). 
It P N is our purpose to construct a primitive lth root of unity in F F . where 3Z [ ] is as in Lemma (3. which proves the lemma. W )" (y)\ ) ( . )" ( .7)(e). ¹hen there R exists a primitive lth root of unity 3K such that for each i"1. By (3. ¸et .

7)(d). that it is the least power of pF having these properties). We just took care of the second condition. By [12. Theorem P (9.1)] and our hypothesis on the g to construct. the products ranging over the O primes dividing l!1. and let b(r) be the P multiplicative order of phmP modulo r? P . an rth degree irreducible polynomial in FpF [X] is available. form a basis of A over F .3) ¹he ¹eichmuK ller Groups ¹ .1)]. from phmP. (4. so arithmetic in A can be done within the time bound stated in Theorem 2. For every prime number r dividing P l!1. since the given irreducible polynomials g in F [X] remain irreducible over FpF.FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 17 Note that Berlekamp's algorithm is fast enough for our purpose if p divides l!1. To multiply two basis elements one uses the relations P\ G "0 (and P"1). O it su$ces to construct an extension of FpF of degree b(r). For the "eld K we shall take a "eld extension F of O F F satisfying the conditions stated in (3. We shall construct a primitive lth root of unity by means of formula (3. Elements of A are represented on this basis. and the same is true for its subrings F [ ] and for F itself. Let it henceforth be assumed that p does not divide l!1. has the required properties (and in fact.2) ¹he Ring A. is satis"ed by any extension of FpF . To construct F . with K"F . Theorem (9. and in the subrings F [ ] of A. where m denotes the multiplicative order P of q modulo r.1 mod l. with r ranging over the primes dividing l!1. and the degree of F over F divides O O N h(l!1).2)(d). P with r ranging over the prime numbers dividing l!1 and each a(r) being a positive integer. The "rst condition. For this we construct the objects from the previous section one after the other. Let m be the multiplicative order of pF modulo r. that K contain N a primitive lth root of unity. P N (4. since pF.4). provided that for each r with b(r)'1 and r not dividing h. and write l!1" r? P . by (3.1 mod r it follows that b(r) divides r? 
P \. this is equivalent to the P requirement that qmP. and this is indeed the case. that l!1 not be divisible by p.4). The third condition is that for each prime number r dividing l!1 the group ¹ has an element of order r? P . We shall work in the ring A constructed in (3. P .1) ¹he Field K.1 mod r? P . O P O (4. P G P The F -dimension of A is at most l!1. this can be done within the time bound stated in Theorem 2. Now one readily veri"es that the number q"p hP b(r). The (r!1) elements G P . with O O P P P P 04i(r)(r!1. one uses [12.

4) ¹he Group . Taking the product over r one obtains a strict P (l!1)th root of unity 3A*. (4. )\L "j( L. This table is computed directly from the de"nition of Jacobi sums.4) was denoted by . L\K) ) ) ( L. by (3.n( )O0 log("n( )"#1)) table look-ups and multiplications and divisions in A* and .6) ¹he Jacobi Sums j( . (4.(l!1) table that for each 3 and each x3F* gives the value of (x). )L\K "j( K. AND LENSTRA as above. for each r. In each of these steps one will need to compute certain expressions of the form ( . by trial and error. Raising to a suitable power one "nds an element of P ¹ of order r? P . If n"0 or 1 this equals 1. (4. giving the Jacobi sums j( .2). VON ZUR GATHEN. where n is an integer. )n ( ). it is a strict root of unity of order equal to the P largest power of r that divides qmP!1. To do this. a primitive root d modulo l. One computes a second (l!1).7)(b)) to proceed by recursion. the value of the jth character at dG being GH. naturally. Instead one proceeds in several steps. )L/ ( L. ).7).(l!1) table. ) as elements of A for all . 3 where the n( ) are integers satisfying n ( )"1 (in ). ) ( L\K. one O applies [12.4). one sets m"W X and uses the formula n/2 ( . we "rst show how to compute an expression of the form ( . To prove this.5) ¹he Characters . One next computes an (l!1). one "rst determines. a "eld extension of F of degree r.18 BACH. as all formulas in (4. not possible to compute the Gauss sums directly from their de"nition. It generates the group that in (3. having this "eld extension. ) ( K. \L)\. )K ( . ) ( \L. To deal with negative n one uses that ( . then the characters can be numbered by the integers j modulo l!1. is obtained from (3. (4. ). )L ( . so each entry in the J table belongs to .2)] (with E"F ) in order to "nd a generator of ¹ . ) (which. It is. If n is greater than 1. )L ( . ) ( L. ) . Theorem (5. We claim that each such expression can be computed by means of O( .7) Products of Gauss Sums. 3 . with as computed in (4. 
since is not available. O P We shall denote it by .

and with O P equal to the generator of ¹ constructed in (4.6) to the element " ( .6) one obtains an element v3F [ ]* with vrR" ( .9) ¹he Gauss Sums ( .7)(e). )rR of the ring R"F [ ]. O P which applies because rR"1.g mod rR. (4. using that ( G\.8). the element ) v is now of the desired form ( . ). the exponents in the de"nition of can be taken modulo rR. with m"(qmP!1)/rR and n"rR. this gives ( . ). which in turn m divides q P!1. P . but Lemma (3. and to verify the condition that K be a strict nth root of unity we combine (2. ). Using . By (3. )rR of F [ ] using the method of (4. in principle may depend on r.1)(g) with the fact that the order of is the largest power of r dividing qmP!1. which is valid whenever R G G The computation shows that the computed products are independent of the choice of . Starting from ( . )/ ( . ). one computes the element from (3. ) from ( . ) for all and a single . ) one computes ( G .3). choose 3 of order r? P .2)(d).7). G G\ G G G "1. Next one puts " . ). )n( ) with the value of the last product being obtained from the formula R R ( . Let 3 be a character of order rR. and the factor ( %.4) is satis"ed because of (3. with 3F a primitive lth root of unity. Thus. )rR. ) 3 3 3 3 ( . ) ( . The condition K"1 P P from (2. ( n( ). )% in the de"nition of can be obtained from (4. one can take G to be the least positive rR\ integer with G. )" j( 2 . ) for all i (modulo l!1) in succession. This can be seen directly from (3. We describe how one can compute an element of F [ ] that is of the form O P ( .8) to compute an element of F [ ] of the form P O P ( . )" j( G\.8).8) as well. where r is a prime number and t is a positive integer. ). We note that rR divides r? P . as was noted in the proof of (3.9) shows that there P exists a single that works for all r.8) Gauss Sums for Characters of Prime Power Order. One now applies the algorithm from (2. (4. from the algorithm P of (2. ) . Next one O P computes the element de"ned in (3. 
O First one computes the element ( . and one P P computes ( .7).FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 19 A general product n( ) "1 is now computed from Q n( ) ( . ( G . )n( )" ) ( n( ). ) Since has order r? P "l!1.7). ) by observing that the quotient of these two P P expressions is computable from (4.8).7)(f ) and (3. For each prime r dividing l!1. ) ) ( . and use (4.

In particular. even when a non-lth power is constructed only for the smallest. elements of given "nite "elds that do not belong to certain multiplicative subgroups. This proves Theorem 2. explicit data for FpI. in time at most (l#k log p)A. one requires a primitive lth root of J unity in FpI to be given not just for a single l. 5. O This completes our description of the algorithm. THEOREM (5. has the following property: given two prime numbers p and l. which will also be used in Section 6. which is similar to Theorem 3 but much easier to prove. so that is not an lth power in F . I and the largest of these enters the run time estimate. because l divides pF!1. under suitable conditions. and it is straightforward to show that the run time is (l#h log p). but for all primes l dividing (p). This is di!erent from f ( ).10) ¹he Primitive lth Root of . Thus. an element of FpI that is not an lth power in FpI. one adds up the ( .nity . F and F"F ( f ( )). the J N algorithm constructs. we can use the hypothesis on g and [12. A direct computation shows that f ( )O" ) f ( ). O O The rest of this section is devoted to the proof of Theorem 3. We shall make use of the following result.1). To conclude the algorithm. An important role will be played by elements of order dividing (p) in I certain algebras. a primitive lth root of unity in FpI.1). PROPOSITION (5. ¹here is a deterministic algorithm that. This proves (5. we shall prove Theorem 3. AND LENSTRA (4.1). VON ZUR GATHEN. J O The F -linear map f : FPF de"ned by f (x)" J\ \GxqG is non-zero. one can "nd an O element 3F with f ( )O0. that gives . By (3. so 3F . a positive integer k.1): in Theorem 3 no polynomial g is supposed to be given. Proof. an irreducible polynomial g of degree l in F [X]. Hence.20 BACH. Note the di!erence between Theorem 3 and Theorem (5. The element O O "f ( )J satis"es O" J " . This implies that XJ! is O O irreducible over F . The correctness of the algorithm has been proved along the way. 
adjoining the lth root f ( ) of O to F one obtains the lth degree extension F of F . .2). ). trying the elements of a vector space basis of F over F one by one. We begin with a method for constructing such elements. As in (4. since O G f (x) may be viewed as a polynomial of degree (CF)/q in x.7)(d). and divides the result by 1!l. CONSTRUCTING NON-RESIDUES In the present section we construct. for 3 .1)] to construct a "eld extension F of F of degree l. Theorem (9. It belongs to the sub"eld FpF of F . and if l does not divide k. so we have f ( ) . We shall write q"pI. ¸et p be a prime number and let k be a positive integer. instead. for some positive real number c. ¸et R be an F -algebra with the property that the F -algebra homomorphism N N .

Namely. for some 3R*.2). This proves (5. We suppose that explicit data for F are given. We claim that in the notation of (5. Next we let l be one of these prime numbers.2). (p) conversely every 3R with I "1 is given by the formula in (5.2) is satis"ed if R is the product of 0 a collection of "elds of cardinality pI. It J O is our purpose to construct an element of F that is not an lth power in F . The de"nition of can be rewritten as "1.e. Indeed. this is the same as saying that the (1!pIP)th power of is di!erent from 1. pI!1 I (p) (1!pIP) is P . If O O l divides k then we can do this by Theorem (5. Denote by the Mobius function. which equals Remark.2) we have ( )I B O1. in that case. and that for each prime number l dividing (p) a primitive O I lth root of unity 3F is given. using I (2. . We claim that it su$ces to describe an algorithm that given an element a3F* with a O\ J"1 computes an lth root of a in F . The condition I"id in (5.es Proof.4) A Reduction. and write q"pI. Let p be a prime number. satis. if starting from we repeatedly take lth roots. within time O O (s(q)#log q). (5. that (1!pIP) is not J P P divisible by l. "nd a root of unity in F whose order is the largest O . " P (1!pIP).FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 21 :RPR that raises every element of R to the power p satis.3) As we saw in the proof of (5.es I"id . We describe the algorithm that proves Theorem 3. and r ranging over the primes dividing d. i. so that (1!pIP)I0 J P mod l. An element a3F* is an lth power in F if and only if O O a O\ J"1.2). I (p) the product ranging over the squarefree divisors of k. Since divisible by pI!1 it follows that I (p) is a power of I( )/ "1. B J B (5.1). after O(log q) steps. Let it henceforth be assumed that l does not divide k. One can show that. For 0 each squarefree divisor d of k. that (p mod l) is a strict kth root of unity in F ..3). the product ranging over the primes dividing k. from (p). we J will. 
k a positive integer.2).0 mod l and kI0 mod l we see. the product being computed B in the group of automorphisms of R. This proves (5. write " r"d IP. ¹hen for each 3R* the element K " pIP) (1! P .

one is done.2). For example. so suppose not. We claim that: J if 3R* is such that O\3F*. that is. For 3R*. O Thus. The ring R has a unique automorphism that is the identity on F and maps O to . We have J"id . R satis"es the hypothesis of (5. Let it now be assumed that p5kl. of R. If p(kl then Berlekamp's algorithm for "nding a zero of XJ!a is fast enough. O (5. so we "nd that the rational function f" B ( b)#> I B B J 3F (>) O (b)#> B . and is therefore the O identity.5) ¹he Ring R. G G (5. so the map RPR O that maps each x to xO is the identity on both F and . VON ZUR GATHEN. We shall work in the ring R"F [X]/(XJ!a). All of these elements have order dividing (p). kl!1. it commutes with the pth power map and its powers. obviously. Then all these elements are units. It is our purpose to "nd an lth root of a in F . Hence all elements of R* have order dividing q!1. for the rest of the algorithm. We have O\"a O\ J"1. 2. O\ .22 BACH.2).7) A Special Element of R. (5. we have O\" . i"1. O We shall denote by k the number of squarefree divisors of k. we have 14k4k. and I we claim that at least one of them satis"es the second condition in (5. First one tests whether there is a zero-divisor among the elements #i. . Apply the ring homomorphism RPF that maps to O some lth root b of a. In the general case one "nds by means of a search procedure. and comJ 0 mutes with the pth power map from (5.8) If k"1 one can take "1# . as a simple computation shows.2).2) and its powers . and J"a. Then by (5. J\ form an F -basis for R. The next step is to construct an element 3R that is either a zero-divisor or satis"es I (p) "1. If so. by (5. so that the elements 1. F* . we assume that an element a3F with O a O\ J"1 is given. and this root of unity is not an lth power in F .6) we have ( )#i JI B B "1 ( )#i B B for all these values of i. AND LENSTRA power of l dividing q!1. 2 .6) O J This follows from ( O\)J" J\ O\" J\ G( O\)" J( )/ "1. B write O\" ( )/ . Let O 3R denote the residue class of X. 
we denote this automorphism by . and one tries the elements ( #i)I B for the same values of i. then O\31 2. (5.8). 2 . the product B B being as in (5. Suppose not.

we have pI"q. Each root of g is an lth root of a. We may assume that J31 2.1 2.5) with O\ and in the roles of and . but O\. If in (5. and if m"1 then by (5. and since the prime factors of (p) are known one can determine the order of I O\.FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 23 satis"es f (i)J"1 for 14i(kl. this is an element of order l.7) one has not yet been successful in constructing a zero-divisor in R. notice that the latter condition is I J automatic if lOl. one applies the algorithm of Proposition (2. If it is divisible by some prime lOl. XJ!a) in F [X].8) we have mO0. To do this.1 mod 4. ( )" . and by N ( )" ! neither factor is 0. (5. be a zero-divisor in R. we have f (R)"1 and f (0)O1.1 mod 4.9) in order to "nd a zerodivisor. Since f J is a quotient of two monic polynomials of degree kl. and then ((!1)Lg(0))SaT is an lth root of a in F . one can "nd integers u. N O However.10) Constructing a Zero-Divisor.11) An lth Root of a. We assumed that k is not divisible by l.3). G O G G as computed in (5. and since all these values of i are pairwise distinct in F . (5. which equals (!1)L g(0). This contradiction proves that the search procedure will be successful. and one applies (5. Then one applies Euclid's algorithm to compute g"gcd( J\ c XG. hence one JY O obtains a non-trivial idempotent e in R.6) not belong to F . since J otherwise one can apply (5. which is the desired zero-divisor. is an lth root of aL. so their product. so k is odd and we have p.9) we may assume that 31 2LF . and has order 4. Therefore we have J " !1 and ( )" ! . Since l is prime. so J" !( J ). Since all elements of R* have order dividing q!1. Hence one can use Schoof 's algorithm [17] to "nd 3F* with " !1. We have ( O\) I (p)"1. with c 3F . By JO1 Since has order l it follows that " J ( )" and 31 2 this implies that l"2 and " " !1. so again by (5. Thus ! is a zero-divisor in R.10). then one constructs one now. By (5. and one has " O\ with " lK\. ( J ) J . 
In this case.8).9) to " . it follows that f J"1 in F (>). (5. and l"2. so f is constant. and ( )" one obtains G( )" ( ) G by induction on i. Hence assume that O\ has order lK for some integer m50. This algorithm cannot give rise to an JY integer i with O\" G . v with un#vl"1. O . since O\ does by (5.pI. which is a polynomial of O G G degree n for some n with 0(n(l.8) one can apply (5. one computes "( O\)lK\. From J31 2 we see that " O\ J satis"es J"1. and the same is in fact true for i"0. Now ( ! )( # )"0.7) one knows an element 3R* as in (5. From J O G ( )" .9) An Auxiliary Procedure. Let J\ c G. then one "nds a suitable power of for which O\ has order l.9) to " J. and n"l. Now let m52. We claim that one can construct a zerodivisor in R if an element 3R* is known for which the order of O\ is a prime l dividing (p).7) or in (5. by (5. From (5.

AND LENSTRA This concludes the description of the algorithm underlying Theorem 3.3). we let be as de"ned in B Proposition (5. and k"2. In all cases one has s(pI)5k/2. and any basis of F over F contains an element a with O N g(a)O0. then by [2. p"2K!1 for some integer m52. Then l divides (p). and k"1 or 6.1).1). By we denote the Mobius function. Hence from g(a)O0 it follows P P that a does not belong to any proper sub"eld of F . with R"F .2). O N B Hence g is non-zero. ¹he number (p) has a prime divisor l with l. with d ranging over the squarefree divisors of k.2). Proof.24 BACH. I unless one is in one of the following cases: p"2.1 mod k. Any vector space basis of F over F contains an element O N a with F "F (a). the product O (1! ) annihilates all proper sub"elds. This O O N proves (6. We write q"pI. then g(x)O0. 6. If k"1 then (p)"p!1. and in (6. The correctness has been proved along the way. and since the multiplicative order of p (mod l ) equals k. K O LEMMA (6. the product belongs to the group ring F [G]. in I I both cases the lemma is easy to check. LEMMA (6. This proves Theorem 3. 1. k"6. which naturally N acts on the additive group of F . Consider the F -linear map g : F PF de"ned by g(x)" N O O (d) (x). Let p be a prime number and k a positive integer. FACTORING POLYNOMIALS In this section we prove Theorem 1. This proves (6. Since 1! annihilates the sub"eld FpIP of O P F . We can write g(a)"( (1! ))a. and it is straightforward to prove the run time bound asserted in the statement of the theorem. In the proof of the following lemma. since the are pairwise distinct. The "rst statement follows. the I order l!1 of the group F* is divisible by k. Next let k'2. Sect. We begin with three auxiliary results. with r ranging over the prime P P divisors of k. so that F "F (a).2). and J the second is an immediate consequence. Corollary 2] there is a prime number l dividing pI!1 but not dividing pG!1 for any positive integer i(k. VON ZUR GATHEN. and if k"2 then (p)"p#1. 
the order of in the automorphism group O B G of F equals d. If we except the single case p"2. If x belongs to B B a normal basis of F over F . O N Proof. . and any proper sub"eld is contained in one of the FpIP .

Proof. (d)"1 ( (a)>#t) ) B ( (a)>#u) ) B d.1) it follows that this can be done in time I (s(pI)#log p). So suppose that tO0. We have d. . B B B B with d ranging over the squarefree divisors of k. (d)" !1 By unique factorization in F [>]. Hence there exists d with (d)"1 such that B a>#t is proportional to (a)>#u. Also the factor (a)>#t on the left is proporB B B tional to a factor on the right. for some prime number p and positive integers n and k. so a>#t is not proportional to any of the factors B (a)>#t with (d)" !1. it follows that d"d/gcd(d. One can prove. Since d and B B B have orders d and d. From (p)(pI and (6.3). From d(a)"(u/t) (a) we now see that u"t. We turn to the description of the algorithm that proves Theorem 1. Applying we B B B see that (a)"(u/t) (a). Hence d is odd.2) is the additive analogue of the expression that appears in (5. Let. and we have d"d. Then we have d" . and let t. where denotes the Euler function. (d)"1 d. that any basis of F over F contains at least O N (k) elements a with F "F (a). From F "F (a) it follows that the elements O N (a) are pairwise distinct. If d is even then we have d"2d. more precisely.2). It is our purpose to factor f into irreducible factors in FpL [X]. a polynomial f over FpL be given. ¸et a3F be such that F "F (a). u3F . respectively. The algorithm starts by factoring (p) completely by means of trial I division.FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 25 The expression used in the proof of (6. Suppose O O N N that in the . (d)" !1 ( (a)>#u) B ( (a)>#t) . . B " d. 2). as well as an irreducible rth degree polynomial g in F [X] for each P N r3R(pI) that does not divide n. and that O N there is a basis containing exactly (k) such a1s. so the same argument shows that there exists d with (d)"1 and d(a)"(u/t) (a). the factor a>#t on the left is proportional O to one of the factors on the right. This proves B (6. If both t and u are 0 we are done. 
LEMMA (6.eld F (>) of rational functions one has O ( (a)>#t)I B " ( (a)>#u)I B . so that (a)"(u/t)a.3). ¹hen we have t"u. which contradicts (d)" (d)"1.

. one reduces to the case in which f is known to be a product of deg f pairwise distinct linear factors in F [X]. with deg f'1.8. For each d we have ( )" .5 and Theorem 7. Since explicit data for FpL are given.4).11) one can O use it in order to "nd a non-trivial factor g of f in F [X]. Let be as in (5. 2 . O N where (x)"xN. I\(a) are pairwise distinct. Theorem (9. N As in (5. By [12. (a). Note that a3F satis"es O N O F "F (a) if and only if the elements a. Let q"pI. VON ZUR GATHEN. One constructs an element a3F with O O F "F (a). If we have k"2 and p"2K!1 for some O integer m52. Theorem (9.6) Special Elements of F .1)] one can use the g with r dividing k to construct explicit data for F . we assume that f is monic. Sect. with the P N g that were given. a primitive lth root of unity in F*. Next.1].4)). Then the coe$cients of f and of all of its monic factors belong to F . the product ranging over the primes l dividing (p). Using [5.2). Then one knows. Let : RPR denote the pth power map and let 3R be the residue class of X. one "rst O I applies Theorem 2 to h"k in order to "nd.1)] (with E"F ) to compute an irreducible rth degree N polynomial g 3F [X] for each prime divisor r of n. From the de"nition of R(pI) (see Sect.X mod f. an rth degree irreducible polynomial g 3F [X] for each P P N r3R(pI). so that XN. using Theorem 3. To do this. and as we O saw in (6. We shall assume that this is N the case. B B If is a zero-divisor then one is done.1)(b)]).4).2). then as in (5. One can now take J I " . then F [X]/(X#1) is an explicit model for F . we denote by k the number of squarefree divisors of k. In the other N O case one constructs F as follows. the coe$cients of g are in F . one can O use [12. P O (6. for each prime number l3S(q). (6. 7. but in any case one can be found among the elements of a basis of F over F . Also. 1) and Lemma (6. If one knows a zero-divisor in R. by Lemma (6. Applying the algorithm recursively one obtains the complete factorization of f. 
Theorem (9. Such an element may be a byproduct of the construction of F in O N O (6. AND LENSTRA (6. [12. The rest of the algorithm works in the ring R"F [X]/( f ).5) ¹he Field F . so suppose it is not. We shall assume that p5k and that pO2. A suitable power of J O O J has order equal to the largest power of l dividing (p).5) (cf. Thus. and therefore satis"es the condition I"id 0 of Proposition (5. one "nds for each O such l an element of F that is not an lth power in F . We have ( )" (see (6. If p(k or p"2 then Berlekamp's algorithm is fast enough. it su$ces to "nd a zeroN divisor in R.1) it follows that each prime dividing k belongs to R(pI). The algorithm that we describe "nds a non-trivial factor of f.26 BACH.2).4) Preliminary Reductions. One also constructs an element 3F* of order (p). I J J (6.7) ¹he Ring R.

8) A Special Element of R. (6. Thus. We have k!1"1 if k is a prime power. by (6. Suppose not. to this equality. B B B B because both sides are equal to c .3) assume the same value at each of k!1 elements of F*. with 14i4k!1. the two rational functions occurring G in Lemma (6. so none of them is a zero of f.3) is satis"ed by (6. we "nd that N ( (a)i#t)I B " ( (a)i#u)I B . but this contradicts (6. then for each i there exists c 3F* with O G O ( (ia)# )I B "c . hence for O N each of these values of i the elements ia# is a unit of R. so that in that case no search is necessary. hence one obtains a non-trivial I O idempotent e in R. The algorithm of (2.5) cannot give rise to an integer O i (mod (p)) with " G.5) to n" (p). which is the desired zero-divisor. O If k"1 then one simply takes " . .10) A Zero-Divisor. B B 14i4k!1. because .2). with in the I role of and as constructed in (6. it is useful to note that k4s(q) if p'2. We proved the correctness along the way. two F -algebra homomorphisms RPF that map O O to two distinct zeroes t.9) "1.6). one searches among the elements ( (ia)# )I B . and since each of the two rational functions is the quotient of two polynomials of degrees k/2 they must be the same. This completes the proof of Theorem 1. . to I prove that the search is successful. one applies (2.FACTORING POLYNOMIALS OVER SPECIAL FINITE FIELDS 27 (6. Finally. belongs to F . and is a strict nth root of unity in R because it is a primitive nth root of unity in F .9). Hence. F* . By (5. Let k'1. One constructs an element I (p) of R* satisfying (6. F*. None of the elements !ia of F .3). each of these elements is a unit of R of order dividing (p). They O also assume the same value at R and at 0.1). To "nd . u3F of f. The condition L"1 from (2. This concludes the description of the algorithm underlying Theorem 1. The proof of the run time estimate is straightforward. it su$ces to prove that at least one of these elements is outside F*. B G B Applying.

Shallit. 713}735.'' 3rd ed. Comput. Comput. C. &&Introduction to Commutative Algebra. Comput. Springer}Verlag.'' Addison} Wesley. MA. 1993. Adleman and M. M. Lenstra. Macdonald. Factorization of polynomials over "nite "elds in subexponential time under GRH. H 15. G. 209}219. 350}355. Paris Ser. M. L. Berlin. The relationship between breaking the Di$e}Hellman protocol and computing discrete logarithms. Acad. Sci. Math. 6. Province of Ontario. Mignotte and C. 2. Factoring with cyclotomic polynomials. I Math. Reading. &&Algebra. Comput. Eds. Jr. Evdokimov. C. 199}206. 7. MA. Counting the numbers factorable via cyclotomic methods. 1986. Math. J. I. 8. Ronyai. Combinatorica 9 (1989). 9. J. 1996.'' pp. 877. 483}494. Finding isomorphisms between "nite "elds. Comput. 24 (1970). W. Reading. 8 (1955). M... Artin. 355}365. 12. 250}265. for sponsoring a visit to the University of Toronto in 1988. 13. Math. M. REFERENCES 1. 306 (1988).. Addison}Wesley. 77}89. 201}219. Berkeley. 54 (1990). by NSERC Grant 3-650-126-40. 1689}1721.'' Vol. Lenstra. MA. 464}481. U. Elliptic curves over "nite "elds and the computation of square roots mod p. 28 (1999). 18. 329}347. Berlekamp. M. during which a "rst version of this paper was written. Factoring polynomials modulo special primes. in &&Algorithmic Number Theory (ANTS-I). R. Shallit. R. 14. Comput.'' (L. H. S. 52 (1989). . Schoof. V. E. 26 (1992). Math. von zur Gathen. 11.). L. Finding irreducible polynomials over "nite "elds. Algorithms 19 (1995). 5. Huang. F. Cambridge. VON ZUR GATHEN. Calcul deterministe des racines d'un polynome dans un corps H ( "ni. AND LENSTRA ACKNOWLEDGMENTS This research was supported by NSF Grants DCR-92-08639 [EB] and DMS-92-24205 [HWL]. Schnorr. pp. Lenstra. Vol. Factoring polynomials and primitive elements for special primes. H 17. 3. 467}472. Jr. &&Algorithmic Number Theory. Factoring polynomials over large "nite "elds. 44 (1985). 4. 52 (1987). 211}244. Comm. Atiyah and I. 435}447. 
The orders of the linear groups. Part H of the research was carried out while the second author was in the Department of Computer Science of the University of Toronto. M. MIT Press. Amer. 56 (1991). 1969. Jr. Soc.-D. Algorithms in algebraic number theory. and by Fundacion Andes Grant C-10246 [JvzG]. Pure Appl. Adleman and H. 1994. S.-D. Bull. Sci. 16. Bach and J. W. Lang. Math. Wolf. Math. J. Huang.28 BACH. H. W. New algorithms for "nding irreducible polynomials over "nite "elds. Algorithms 12 (1991). E. Lecture Notes in Computer Science. Math. Generalized Riemann hypothesis and factoring polynomials over "nite "elds. Maurer and S. 10. E. R. in 00Proceedings of the 18th Annual ACM Symposium on Theory of Computing (STOC). Sorenson. E. Bach and J. Comput. The "rst author thanks the Information Technology Research Centre. SIAM J. ¹heoret. Pomerance and J. Shoup.
