Improving the Berlekamp algorithm for binomials xn - a€¦ · Ryuichi Harasawa, Yutaka Sueyoshi,...

Overview of polynomial factorizationThe purpose of this talk

Proposed methodComparison

Future works

Improving the Berlekamp algorithm for binomialsxn − a

Ryuichi Harasawa Yutaka Sueyoshi Aichi Kudo

Nagasaki University

July 19, 2012

Ryuichi Harasawa , Yutaka Sueyoshi, Aichi Kudo Improving the Berlekamp algorithm for binomials xn − a



Future works

1 Overview of polynomial factorization

2 The purpose of this talk

3 Proposed methodIdeaExampleProcedure after applying the proposed mehod

4 ComparisonTheoretical comparisonExperimental comparison

5 Future works




Future works

1. Polynomial factorization over finite fields

Polynomial factorization

Input: f (x) ∈ Fq[x]Output: pair(s) ( f i(x), ei) with f (x) =

∏f i(x)ei

( f i(x): irreducible polynomial)

Application to cryptography

Construction of extension field:f (x): irre. poly./Fq of degree n⇒ Fqn = Fq[x]/( f (x))Index calculus for solving DLP (on Jacobian group):Check if f (x) is B-smooth (B(⊂ Fq[x]): factor base).If so, the factorization of f (x) gives a relation to solve DLP.




Future works

2. Procedure of factorization

We first perform the square-free factorization.After the procedure, we factor square-free polynomial(s).

f (x): square-freedef⇐⇒ f (x) has no repeated factors

(i.e., g(x) | f (x) (deg(g(x)) ≥ 1) ⇒ g(x)2 - f (x))

Square-free factorization

Input: f (x) ∈ Fq[x]Output: gi(x)’s: square-free (possibly gi(x) = 1)

with f (x) =∏

i≥1 gi(x)i




Future works

3. Overview of square-free factorization

p = charFq.f (x) =

∏i gi(x)i , gi(x): (unknown) square-free poly.

f ′(x): the formal derivation of f (x).

Key facts

f ′(x) = 0 ⇒ f (x) = g(x)p (∃g(x) ∈ Fq[x]),more precisely f (x) =

∑j a jpx

jp = (∑

j a(1/p)j

x j)p

gcd(f (x), f ′(x)) =∏

p- i gi(x)i−1 ·∏

p|i gi(x)i

f (x)/ gcd(f (x), f ′(x)) =∏

p- i gi(x): square-free

We compute gi(x)’s using the facts repeatedly.Especially, gcd(f (x), f ′(x)) = 1 =⇒ f (x): square-free.




Future works

4. Factorization of square-free polynomial

f (x): square-free polynomial over FqTwo popular methods to factor square-free poly.:

1. Berlekamp method:Using the kernel of the linear mapping, πq − id,defined by g(x) 7→ (g(x)q − g(x)) mod f (x).

2. Cantor/Zassenhaus method:Using Distinct-degree & Equal-degree factorizations.

We focus on the Berlekamp method in this talk.




Future works

5. Berlekamp algorithm

Assume that q is odd.

f (x) ∈ Fq[x]: square-free polynomial.We consider the linear mapping πq − id from Fq[x]/( f (x))to itself defined by g(x) 7→ (g(x)q − g(x)) mod f (x).

Step 1: Compute the kernel of πq − id, say N .Step 2: For a random element g(x) ∈ N ,

we find non-trivial factors of f (x) by computinggcd(f (x), g(x)) and gcd(f (x), g(x)(q−1)/2 − 1).

We note that #(irre. factor(s) of f (x)) = dimFqN




Future works

6. The purpose of this talk

Main theme: The computation of the kernelNfor f (x) = xn − a deined over Fq with p = charFq.

Previous work: a = 1⇒ Eugene Prange (1959)We extend the method to general a.

Assumption on f (x) = xn − a:a , 0 (otherwise, obvious)p - n (otherwise, f (x) = (xn/p − a1/p)p

and f (x) ← xn/p − a1/p).⇒ f (x): square-free (since gcd(f (x), f ′(x)) = 1)




Future works

7. The kernel N of πq − id

f (x): square-free poly. of degree n to be factored.

Q = (qi j )0≤i, j≤n−1: n × n matrix with(x j)q ≡ ∑0≤i≤n−1 qi j xi (mod f (x)).

⇓ πq − id : g(x) 7→ (g(x)q − g(x)) mod f (x)

Q− I n: the matrix representation of πq − id(I n: n × n identity matrix)

⇒N : the solution space of (Q− I n)X = 0

In order to get N ,I think we generally apply the Gaussian elimination.




Future works

IdeaExampleProcedure after applying the proposed mehod

8. The computation of N for xn − a (1/2)

Let p = charFq, f (x) = xn − a (p - n, a , 0).

Notation

For q mod n , 0, ⟨q⟩ := {qi mod n | i = 0, 1, 2, . . .}ᾱ := {αqi mod n | i = 0, 1, 2, . . .} : the orbit containingα ∈ Z/nZ with respect to ⟨q⟩. (Let ℓ = #ᾱ.)αi := αqi mod n (note that αqℓ mod n = α(= α0))

Tᾱ := {β0xα0 + β1xα1 + · · · + βℓ−1xαℓ−1 | βi ∈ Fq}for ᾱ = {α0, α1, . . . , αℓ−1}




Future works


9. The computation of N for xn − a (2/2)

Then we have

Fq[x]/( f (x)) =⊕ᾱ Tᾱ

(ᾱ runs over all orbits in Z/nZ with respect to ⟨q⟩)πq(Tᾱ) ⊆ Tᾱ (= id(Tᾱ)) (i.e., Tᾱ : πq-invariant).N = Ker(πq − id).

=⇒ N =⊕ᾱ(N ∩ Tᾱ)

That is, in order to get the karnelN of πq − id,it is sufficient to computeN ∩ Tᾱ for each ᾱ.⇒We restrict the domain of πq − id to the subspace Tᾱ.




Future works


10. The computation of N ∩ Tᾱ (1/2)

For h(x) = β0xα0 + β1xα1 + · · · + βℓ−1xαℓ−1 in Tᾱ,we consider the equation (πq − id)(h(x)) = 0(equivalently, h(x)q ≡ h(x) (mod f (x))).

⇒

βℓ−1 = aγℓ−2βℓ−2 ← coefficient of xℓ−1βℓ−2 = aγℓ−3βℓ−3 ← coefficient of xℓ−2

......

β0 = aγℓ−1βℓ−1 ← constant term,where qαi = γi n + αi+1 mod ℓ .

⇒ β0 = aγℓ−1βℓ−1 = aγℓ−1(aγℓ−2βℓ−2)= · · ·= aγ0+γ1+···+γℓ−1β0




Future works


11. The computation of N ∩ Tᾱ (2/2)

We get the relation β0 = aγ0+γ1+···+γℓ−1β0, which implies

N ∩ Tᾱ

=

{β(xα0 + aγ0 xα1 + aγ0+γ1 xα2 + · · · + aγ0+γ1+···+γℓ−2 xαℓ−1) | β ∈ Fq}

(if aγ0+γ1+···+γℓ−1 = 1),{0} (otherwise).

Complexity

O˜(n log q) bit operations + O(n log q) operations in Fq(cf. O(n2.376) operations in Fq for the improved Gaussianelimination using the Coppersmith-Winograd fast matrixmultiplication).




Future works


12. Example: f (x) = x22 − 2 defined over F5 (1/5)

We consider q = 5, f (x) = x22 − 2 (n = 22, a = 2).⇒ Z/22Z is decomposed into six orbits with respect to ⟨5⟩:0̄ = {0}, 1̄ = {1, 5, 3, 15, 9}, 2̄ = {2, 10, 6, 8, 18},4̄ = {4, 20, 12, 16, 14}, 7̄ = {7, 13, 21, 17, 19},1̄1 = {11}.

For each orbit ᾱ,we compute the subspaceN by consideringN ∩ Tᾱ(recall thatN is the kernel of the mappingg(x) 7→ (g(x)q − g(x)) mod f (x)).




Future works



[The case of 0̄ = {0} (ℓ = 1)]

(q · αi = γi · n + αi+1)5 · α0 = 5 · 0 = 0 · 22+ 0 → γ0 = 0, α1 = 0 = α0

So, we have aγ0 = 20 = 1 in F5.

⇒ N ∩ T0̄ = {βxα0 | β ∈ F5}= {β · 1 | β ∈ F5}= F5




Future works



[The case of 1̄ = {1, 5, 3, 15, 9} (ℓ = 5)]

(q · αi = γi · n + αi+1)5 · α0 = 5 · 1 = 0 · 22+ 5 → γ0 = 0, α1 = 55 · α1 = 5 · 5 = 1 · 22+ 3 → γ1 = 1, α2 = 35 · α2 = 5 · 3 = 0 · 22+ 15 → γ2 = 0, α3 = 155 · α3 = 5 · 15 = 3 · 22+ 9 → γ3 = 3, α4 = 95 · α4 = 5 · 9 = 2 · 22+ 1 → γ4 = 2, α5 = 1 = α0

So, we haveaγ0+γ1+γ2+γ3+γ4 = 20+1+0+3+2 = 26 = −1 , 1 in F5.⇒N ∩ T1̄ = {0}




Future works



[The case of 2̄ = {2, 10, 6, 8, 18} (ℓ = 5)]

5 · α0 = 5 · 2 = 0 · 22+ 10 → γ0 = 0, α1 = 105 · α1 = 5 · 10 = 2 · 22+ 6 → γ1 = 2, α2 = 65 · α2 = 5 · 6 = 1 · 22+ 8 → γ2 = 1, α3 = 85 · α3 = 5 · 8 = 1 · 22+ 18 → γ3 = 1, α4 = 185 · α4 = 5 · 18 = 4 · 22+ 2 → γ4 = 4, α5 = 2 = α0

So, we haveaγ0+γ1+γ2+γ3+γ4 = 20+2+1+1+4 = 28 = 1 in F5.

⇒ N ∩ T2̄ = {β(xα0 + aγ0 xα1 + aγ0+γ1 xα2

+ aγ0+γ1+γ2 xα3 + aγ0+γ1+γ2+γ3 xα4) | β ∈ F5}= {β(x2 + x10 + 4x6 + 3x8 + x18) | β ∈ F5}




Future works



Performing the same procedure as the previous onefor the remainder orbits, we obtain

N ∩ T4̄ = {β(x20 + 4x16 + 2x14 + x12 + x4) | β ∈ F5}N ∩ T7̄ = N ∩ T11 = {0}.

From the computations above, we obtain the results:

{1, x18 + x10 + 3x8 + 4x6 + x2, x20 + 4x16 + 2x14 + x12 + x4}forms an F5-basis of N ;#(irre. factors of f (x)) = dimF5N = 3.




Future works


17. Getting factors using the kernel N (1/2)

We assume that dimFqN ≥ 2 and that q is odd.(dimFqN = 1⇒ f (x): irreducible)g(x): random element inN⇒ g(x) · (g(x)(q−1)/2 − 1) · (g(x)(q−1)/2 + 1)= g(x)q − g(x) ≡ 0 (mod f (x))

If gcd(f (x), g(x)) , 1, f (x) or gcd(f (x), g(x)(q−1)/2 − 1) , 1, f (x)(or both), then we get a non-trivial factor of f (x).

Repeatedly we perform this procedureuntil #(our getting factors of f (x))= dimFqN .

Complexity

O˜(n log q) operations in Fq using a fast polynomial operations.




Future works


18. Getting factors using the kernel N (2/2)

Note that, for g(x) ∈ N with gcd(f (x), g(x)) = 1,Prob{getting non-trivial factors} = 1− (12)

dimFqN−1 ≥ 12

Memo: f (x) =∏

1≤i≤k f i(x): factorization of f (x).

Fq[x]/( f (x)) ≃ Fq[x]/( f1(x)) × · · · × Fq[x]/( f k(x))∪ ∪N ≃ {(a1, . . . , ak) | ai ∈ Fq}

For each i, we have g(x)(q−1)/2 ≡ ±1 mod f i(x).”not getting a non-trivial factor of f (x)⇐⇒ g(x)(q−1)/2 ↔ (1, 1, . . . , 1) or (−1,−1, . . . ,−1)”




Future works

Theoretical comparisonExperimental comparison

19. Theoretical cost (1/2)the Berlekamp method (original and ours)

11.522.533.5

0 0.5 1 1.5 2 2.5yvaluewiththerunningtimeO~(ny )

x value with log2 q = nxy = x+ 1y = 2:376proposed methodoriginal Berlekamp




Future works


20. Theoretical cost (2/2)Ours and the (improved) Cantor-Zassenhause methods

11.522.533.544.5


x value with log2 q = nxy = x+ 1y = 2y = 0:416x+ 1:806y = x+ 2y = x+ 2proposed methodGathen-ShoupKaltofen-ShoupCantor-Zassenhaus




Future works


21. Experimental results (1/9)

For f (x) = xn − a over Fq, we implement the original/ourBerlekamp methods and the Cantor-Zassenhaus method with noimprovement.

2.8 GHz Pentium G6950 with 1.6 GB RAM;

The language is C with gcc 4.1.2 compiler;

We do not use any mathematical library;

We apply classical methods for polynomial operations;

We do not perform the square-free factorization.⇐We assume binomials to be square-free (i.e., charFq - n).




Future works



Berlekamp method (original / ours)

For the computation of the kernelN of the mapg(x) 7→ g(x)p − g(x) mod f (x),

original: apply the Gaussian elimination.ours: apply orbits in Z/nZ w.r.t. ⟨q⟩.

After getting the kernelN , the both methods perform thesame procedure:g(x) ∈ N ⇒ gcd(f (x), g(x)) and gcd(g(x)(q−1)/2 − 1, f (x))




Future works



Cantor-Zassenhaus method

Distinct-degree factorization: separate irre. factors of differingdegree

g1(x) ← gcd(f (x), xq − x):the product of irre. factors of degree 1;g2(x) ← gcd(f (x)/g1(x), xq

2 − x):the product of irre. factors of degree 2;g3(x) ← gcd(f (x)/(g1(x)g2(x)), xq

3 − x):the product of irre. factors of degree 3;And so on.

Equal-degree factorization: separate irre. factors of samedegree

h(x): a random polynomial⇒ gcd(h(x), gi(x)) and gcd(h(x)(q

i−1)/2, gi(x))(deggi(x) = iℓ ⇒ Fq[x]/(gi(x)) ≃ ⊕1≤ j≤ℓ Fqi ).




Future works


24. Experimental results (4/9)Search test polynomials (1/2)

For f (x) = xn − a over Fq, the factorization pattern depends on thenumber of roots of xn − a in Fqi (i ≥ 1), say δi . Then we see

δi =

{di (a(q

i−1)/di = 1 with di = gcd(qi − 1, n)),0 (otherwise).

⇒ the values δi ’s is determined by q, n and the multiplicative orderof a (rather than the value of a).

Based on the facts above, we choose test polynomials to befactord.




Future works


25. Experimental results (5/9)Search test polynomials (2/2)

Test polynomial(s) xn − a over Fp with p = 2053:⇒ p− 1 = 2052= 22 × 32 × 19

a = 29⇒ #⟨a⟩ = 171= 32 × 19.n = 1083⇒ gcd(n, p− 1) > 1 and #⟨a⟩ - p−1gcd(n,p−1)There exists no linear factor in f (x) in the case.

n = 1091⇒ gcd(n, p− 1) = 1n = 1110⇒ gcd(n, p− 1) > 1 and #⟨a⟩ | p−1gcd(n,p−1)There exist some linear factors in f (x) in the two cases above.

a = 1, n = 4104(= 2(p− 1))⇐ To characterize the Berlekamp method

and Cantor-Zassenhaus method




Future works



Running time for factorning x1083− 29 over F2053mehods running time (s)

Berlekamp original 0.075ours 0.005

(original) Cantor-Zassenhaus 92.368

the pattern of factorization3 irreducible factors of degree 361.

(ours)≪ (original) for the Berlekamp method.⇐ (procedure after gettingN )≪ (procedure for gettingN ).(Berlekamp)≪ (Cantor-Zassenhause)⇐ x1083− 29 has irre. factors of large degree.

((procedure for gettingN ))≪ (distict-degree factorization))




Future works





(original) Cantor-Zassenhaus 223.654the pattern of factorization

3 irreducible factors. More precisely,1 linear factor;2 irreducible factors of degree 545.

(ours) ≈ (original) for the Berlekamp method.⇐ (procedure for gettingN )≪ (procedure after gettingN ).(Berlekamp)≪ (Cantor-Zassenhause)⇐ x1091− 29 has irre. factors of large degree.

((procedure for gettingN ))≪ (distict-degree factorization))Ryuichi Harasawa , Yutaka Sueyoshi, Aichi Kudo Improving the Berlekamp algorithm for binomials xn − a



Future works






42 irreducible factors. More precisely,6 linear factors;6 irreducible factors of degree 4;30 irreducible factors of degree 36.

(ours) ≈ (original) for the Berlekamp method.⇐ (procedure for gettingN )≪ (procedure after gettingN ).(Berlekamp) < (Cantor-Zassenhause) (, not≪)⇐ each irre. factor of it does not have so large degree.




Future works






3078 irreducible factors. More precisely,2052 (= p− 1) linear factors;1026 (= p−12 ) irreducible factors of degree 2.

(Cantor-Zassenhause) < (Berlekamp)⇐ each irre. factor of x4104− 1 has small degree.(original) < (ours) for the Berlekamp method.⇐ ? (I guess I am not good at programing: It is possible not to

omit some oblivious procedure(s), for example 1× α.)Ryuichi Harasawa , Yutaka Sueyoshi, Aichi Kudo Improving the Berlekamp algorithm for binomials xn − a



Future works

30. Future works

Analysis of other methods for binomials;(How much is the complexity reduced ?)

Combination with other methods;(e.g., improved Cantor-Zassenhaus method)

Extension to more general cases;(e.g., trinomial polynomials and large size of base field)

Does there exist a deterministic polynomial factorizationalgorithm ?




Future works

Thank you!




Future works

Theoretical cost

11.522.533.544.5


x value with log2 q = nxy = x+ 1y = 2:376y = 2y = 0:416x+ 1:806y = x+ 2proposed methodBerlekamp [4℄Gathen-Shoup [9℄Kaltofen-Shoup [13℄Cantor-Zassenhaus [6℄


Overview of polynomial factorizationThe purpose of this talkProposed methodIdeaExampleProcedure after applying the proposed mehod

ComparisonTheoretical comparisonExperimental comparison

Future works

Date post:	21-Oct-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Improving the Berlekamp algorithm for binomials xn - a€¦ · Ryuichi Harasawa, Yutaka Sueyoshi,...

Documents