## Subquadratic-time factoring of polynomials over finite fields (1998)

### Cached

### Download Links

- [cr.yp.to]
- [www.ams.org]
- [www.ams.org]
- [www.shoup.net]
- [www.shoup.net]
- [www4.ncsu.edu]
- [www.math.ncsu.edu]
- [www4.ncsu.edu]
- [ftp.cs.rpi.edu]
- [www4.ncsu.edu]
- [www.math.ncsu.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | Math. Comp |

Citations: | 70 - 11 self |

### BibTeX

@INPROCEEDINGS{Kaltofen98subquadratic-timefactoring,

author = {Erich Kaltofen and Victor Shoup},

title = {Subquadratic-time factoring of polynomials over finite fields},

booktitle = {Math. Comp},

year = {1998},

pages = {398--406}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. New probabilistic algorithms are presented for factoring univariate polynomials over finite fields. The algorithms factor a polynomial of degree n over a finite field of constant cardinality in time O(n 1.815). Previous algorithms required time Θ(n 2+o(1)). The new algorithms rely on fast matrix multiplication techniques. More generally, to factor a polynomial of degree n over the finite field Fq with q elements, the algorithms use O(n 1.815 log q) arithmetic operations in Fq. The new “baby step/giant step ” techniques used in our algorithms also yield new fast practical algorithms at super-quadratic asymptotic running time, and subquadratic-time methods for manipulating normal bases of finite fields. 1.

### Citations

2544 |
The Design and Analysis of Computer Algorithms
- AHO, IIOPCROFT, et al.
- 1974
(Show Context)
Citation Context ... f ∈ Fq[x] of degree n. The output is f1,... ,fn∈Fq[x] such that f = f1 · f 2 2 ·····fn n . Distinct-degree factorization: The input is a square-free polynomial f ∈ Fq[x] of degree n. The output is f =-=[1]-=-,... ,f[n] ∈Fq[x] such that for 1 ≤ d ≤ n, f [d] is the product of the monic irreducible factors of f of degree d. Equal-degree factorization: The input is a polynomial f ∈ Fq[x] of degree n andaninte... |

2328 |
The Art of Computer Programming
- Knuth
- 1997
(Show Context)
Citation Context ... stage are fed into equal-degree factorizers. The square-free factorization problem can be solved on degree n inputs using O(n1+o(1) + n log q) operations in Fq, using the algorithm of Yun (see Knuth =-=[23]-=-). The equal-degree factorization problem can be solved on degree n inputs with the probabilistic algorithm of von zur Gathen and Shoup [17] using an expected number of or O(n (ω+1)/2+o(1) + n 1+o(1) ... |

830 |
Matrix multiplication via arithmetic progressions
- Coppersmith, Winograd
- 1990
(Show Context)
Citation Context ...ent of matrix multiplication; that is, ω is chosen so that we can multiply two n × n matrices using O(n ω ) arithmetic operations (we assume that 2 <ω≤3). Using the result of Coppersmith and Winograd =-=[11]-=-, we can take ω<2.375477. More generally, we prove the following: Theorem 1. For any 0 ≤ β ≤ 1, there exists a probabilistic algorithm for factoring a univariate polynomial of degree n over a finite f... |

562 |
Finite Fields
- Lidl, Niederreiter
- 1997
(Show Context)
Citation Context ...om the factorization of xqk − x, which consists ofSUBQUADRATIC-TIME FACTORING OF POLYNOMIALS OVER FINITE FIELDS 1183 all irreducible factors whose degree is a divisor of k (see Lidl and Niederreiter =-=[24]-=-, Theorem 3.20). We first present a high-level description of our distinct-degree factorization algorithm. The details of how each step is to be implemented are deferred until later. Algorithm D. This... |

325 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance - Pohlig, Hellman - 1978 |

291 |
Shift-Register Synthesis and BCH Decoding
- Massey
- 1969
(Show Context)
Citation Context ...: Fq[x]/(f) → Fq, and compute the minimum polynomial of the linearly generated sequence {ai : ai = u(σi (α)) and i ≥ 0}. Using an asymptotically fast version of the Berlekamp-Massey algorithm (Massey =-=[27]-=-, Dornstetter [12]), given the first 2n terms of the sequence {ai : i ≥ 0}, we can determine the minimum polynomial φα,u ∈ Fq[λ] of this sequence using O(n1+o(1) ) operations in Fq. In general, φα,u d... |

189 |
Algebraic Complexity Theory
- Bürgisser, Clausen, et al.
- 1997
(Show Context)
Citation Context ... would require about twice as much space. Therefore, at the moment, for practical purposes, Fast Cantor/Zassenhaus appears preferable to Fast Black Box Berlekamp. Note added in proof Bürgisser et al. =-=[37]-=- have traced the transposition principle discussed in §3.2 to Tellegen’s theorem of control theory. By use of the new exponents for rectangular matrix multiplication [38] the asymptotic complexity of ... |

187 |
Solving sparse linear equations over Finite Fields
- Wiedemann
- 1986
(Show Context)
Citation Context ... point of view this method is closely related to Berlekamp’s original algorithm (Fleischmann [15] Niederreiter and Göttfert [29]). Kaltofen and Lobo [20] adapted the linear system solver of Wiedemann =-=[36]-=- to Berlekamp’s algorithm. Utilizing techniques from von zur Gathen and Shoup, they show how their Black Box Berlekamp algorithm can be implemented so as to use an expected number of O(n 2+o(1) + n 1+... |

161 |
Factoring polynomials over large finite fields
- Berlekamp
- 1970
(Show Context)
Citation Context ...osing ω<2.375477 and minimizing the exponent of n, we get O(n 1.815 log q) operations in Fq. Relation to Previous Work. The first random polynomial-time algorithm for this problem is due to Berlekamp =-=[4]-=-. Berlekamp’s algorithm reduces the problem to that of finding elements in the null space of an n×n matrix over Fq. Using standard techniques from linear algebra, Berlekamp’s algorithm can be implemen... |

156 | Fast multiplication of polynomials over arbitrary algebras
- Cantor, Kaltofen
- 1991
(Show Context)
Citation Context ...egree l, where H(Y)= ∏ (Y − (hi mod f)). 0≤i<l Then we evaluate H(Y )atthempoints (H1 mod f),... ,(Hm mod f) ∈ R. Using fast algorithms for multiplication of polynomials in R[Y ] (Cantor and Kaltofen =-=[8]-=-) Step D3 can be implemented so as to use O(n 1+β+o(1) + n 2−β+o(1) ) operations in Fq (Aho et al. [1]). In Step D4, we need to compute O(m) GCD’s and divisions, requiring O(n 2−β+o(1) ) operations in... |

130 | Fast solution of Toeplitz systems of equations and computation of Padé approximants
- Brent, Gustavson, et al.
- 1980
(Show Context)
Citation Context ... in the Hankel matrix, while the left side elements u(γqj ) are computed again by automorphism projection. The Hankel system is finally solved for the ci in O(n1+o(1) ) arithmetic steps (Brent et al. =-=[5]-=-). 5. Practical algorithms In this section, we describe how the methods developed in this paper can be used to obtain practical algorithms, without relying on fast matrix multiplication. Consider our ... |

128 |
The complexity of partial derivatives
- Baur, Strassen
- 1983
(Show Context)
Citation Context ...principle is a direct consequence of the so-called reverse mode in automatic differentiation, see Canny et al. [7]; for reverse mode see also Ostrowski et al. [30], Linnainmaa [25], Baur and Strassen =-=[2]-=-, and Griewank [19]. Thus, to prove our theorem, it will suffice to prove the required bound for just one of these problems. We prove it for the automorphism evaluation problem. The following algorith... |

122 | Achieving logarithmic growth of temporal and spatial complexity in reverse automatic dierentiation
- Griewank
- 1992
(Show Context)
Citation Context ...ect consequence of the so-called reverse mode in automatic differentiation, see Canny et al. [7]; for reverse mode see also Ostrowski et al. [30], Linnainmaa [25], Baur and Strassen [2], and Griewank =-=[19]-=-. Thus, to prove our theorem, it will suffice to prove the required bound for just one of these problems. We prove it for the automorphism evaluation problem. The following algorithm for automorphism ... |

107 | Fast algorithms for manipulating formal power series
- Brent, Kung
- 1978
(Show Context)
Citation Context ...y n, compute g(h) modf ∈Fq[x]. Recently, this so-called modular polynomial composition problem has arisen in many contexts (von zur Gathen and Shoup [17], Shoup [34]). The algorithm of Brent and Kung =-=[6]-=- solves this problem using O(n (ω+1)/2 ) operations in Fq. Any improvement in the complexity of this problem would yield an improvement in the complexity of factoring. Indeed, if this problem could be... |

102 |
A new algorithm for factoring polynomials over finite fields
- Cantor, Zassenhaus
- 1981
(Show Context)
Citation Context ... running time, but Rabin completes the mathematical justification for the expected running time of the probabilistic Berlekamp method. A very different algorithm is described by Cantor and Zassenhaus =-=[9]-=- (see also Ben-Or [3], especially for the case where the characteristic is 2). Starting with a square-free polynomial, that algorithm first separates the irreducible factors of distinct degree (distin... |

91 |
Efficient Parallel Solution of Linear Systems
- Pan, J
- 1985
(Show Context)
Citation Context ...e, ⎧ ⎪⎨ 6 if q =2, 4 if q =3, ρ(n, q) = ⎪⎩ 3 if 4 ≤ q ≤ 9, 2 if q ≥ 11. Then the probability that φ∗ = φ is at least 1/2. Proof. If q ≥ 4n, then the result follows by the analysis of Kaltofen and Pan =-=[21]-=-. Otherwise we argue along the same lines as Wiedemann [36, §VI]. Suppose φ = ψ η1 1 ···ψηs s is the factorization of φ into irreducibles. Suppose α ∈ Fq[x]/(f) and u: Fq[x]/(f) → Fq are chosen at ran... |

85 | Probabilistie Algorithms in Finite Fields
- Rabin
- 1980
(Show Context)
Citation Context .... Using standard techniques from linear algebra, Berlekamp’s algorithm can be implemented so as to use an expected number of O(n ω + n 1+o(1) log q) operations in Fq. Note that the algorithm by Rabin =-=[31]-=- has an inferior running time, but Rabin completes the mathematical justification for the expected running time of the probabilistic Berlekamp method. A very different algorithm is described by Cantor... |

75 | Theorems on factorization and primality testing - Pollard - 1974 |

64 | A new polynomial factorization algorithm and its implementation
- Shoup
- 1995
(Show Context)
Citation Context ...er algorithms. This is briefly discussed in §5; a more complete discussion, including a description of an implementation of this algorithm as well as the results of empirical tests, is given in Shoup =-=[35]-=-.1182 ERICH KALTOFEN AND VICTOR SHOUP To attain a subquadratic running time, our algorithms rely on randomization. Even if we restrict ourselves to the field F2, the asymptotically fastest known dete... |

55 | Nearly Optimal Algorithms For Canonical Matrix Forms - Giesbrecht - 1995 |

51 | Fast construction of irreducible polynomials over finite fields
- Shoup
- 1994
(Show Context)
Citation Context ... f, g, andhin Fq[x] of degree bounded by n, compute g(h) modf ∈Fq[x]. Recently, this so-called modular polynomial composition problem has arisen in many contexts (von zur Gathen and Shoup [17], Shoup =-=[34]-=-). The algorithm of Brent and Kung [6] solves this problem using O(n (ω+1)/2 ) operations in Fq. Any improvement in the complexity of this problem would yield an improvement in the complexity of facto... |

45 |
Probabilistic algorithms in finite fields
- Ben-Or
- 1981
(Show Context)
Citation Context ...bin completes the mathematical justification for the expected running time of the probabilistic Berlekamp method. A very different algorithm is described by Cantor and Zassenhaus [9] (see also Ben-Or =-=[3]-=-, especially for the case where the characteristic is 2). Starting with a square-free polynomial, that algorithm first separates the irreducible factors of distinct degree (distinct-degree factorizati... |

39 | Searching for primitive roots in finite fields - Shoup - 1992 |

36 | On taking roots in finite fields - Adleman, Manders, et al. - 1977 |

33 | The least quadratic non residue - Ankeny - 1952 |

28 | Computing Frobenius maps and factoring polynomials
- Gathen, Shoup
(Show Context)
Citation Context ... the resulting factors (equal-degree factorization). The Cantor/Zassenhaus algorithm can be implemented so as to use an expected number of O(n 2+o(1) log q) operations in Fq. Von zur Gathen and Shoup =-=[17]-=- developed new algorithmic techniques that essentially allow one to implement the Cantor/Zassenhaus algorithm so that it uses an expected number of O(n2+o(1) + n1+o(1) log q) operations in Fq. Their t... |

26 |
On the equivalence between Berlekamp’s and Euclid’s algorithms
- Dornstetter
- 1987
(Show Context)
Citation Context ...and compute the minimum polynomial of the linearly generated sequence {ai : ai = u(σi (α)) and i ≥ 0}. Using an asymptotically fast version of the Berlekamp-Massey algorithm (Massey [27], Dornstetter =-=[12]-=-), given the first 2n terms of the sequence {ai : i ≥ 0}, we can determine the minimum polynomial φα,u ∈ Fq[λ] of this sequence using O(n1+o(1) ) operations in Fq. In general, φα,u divides φ, but the ... |

22 | Fast polynomial factorization over high algebraic extensions of finite fields
- Kaltofen, Shoup
- 1997
(Show Context)
Citation Context ...og q) running time of Theorem 1 can be lowered to O(n 1.8054 log q). For large q and small characteristic p it is possible to improve the binary running time of the von zur Gathen/Shoup algorithm. In =-=[39]-=- we show, for example, that for q =2 k with k =Ω(n 1.46 ) one may factor a polynomial of degree n with coefficients in Fq in O(n(log q) 1.67 ) fixed precision operations. Here the field Fq is represen... |

21 | On the deterministic complexity of factoring polynomials over finite fields
- Shoup
- 1990
(Show Context)
Citation Context ...ICTOR SHOUP To attain a subquadratic running time, our algorithms rely on randomization. Even if we restrict ourselves to the field F2, the asymptotically fastest known deterministic algorithm (Shoup =-=[33]-=-) runs in time O(n 2+o(1) ), and it remains an open problem to find a subquadratic deterministic algorithm. 2. The fast Cantor/Zassenhaus algorithm Like the original Cantor/Zassenhaus algorithm, our a... |

19 | Shifted primes without large prime factors - Friedlander - 1989 |

19 | Addition requirements for matrix and transposed matrix products
- Bshouty, Kaminski, et al.
- 1988
(Show Context)
Citation Context ...cia [14], Theorem 2 for multiplications (see also Fiduccia [13], Theorem 4) and Theorem 5 for additions and subtractions. The additive version with a similar proof is rediscovered in (Kaminski et al. =-=[22]-=-). Furthermore, we remark that the transposition principle is a direct consequence of the so-called reverse mode in automatic differentiation, see Canny et al. [7]; for reverse mode see also Ostrowski... |

17 | Einige Resultate über Berechnungskomplexität - Strassen - 1976 |

15 |
Factoring high-degree polynomials by the black box Berlekamp algorithm
- Kaltofen, Lobo
- 1994
(Show Context)
Citation Context ...ials over finite fields. However, from a complexity point of view this method is closely related to Berlekamp’s original algorithm (Fleischmann [15] Niederreiter and Göttfert [29]). Kaltofen and Lobo =-=[20]-=- adapted the linear system solver of Wiedemann [36] to Berlekamp’s algorithm. Utilizing techniques from von zur Gathen and Shoup, they show how their Black Box Berlekamp algorithm can be implemented s... |

12 |
Rapid multiplication of rectangular matrices
- Coppersmith
- 1982
(Show Context)
Citation Context ...e β ≥ 2/3 and in particular that t>m. Techniques for fast rectangular matrix multiplication allow us to multiply a bδ ×b matrix by a b × b matrix with O(b2+o(1) ) operations for some δ>0 (Coppersmith =-=[10]-=-, Lotti and Romani [26]). With the construction yielding ω < 2.375477 by Coppersmith and Winograd [11], we may chose δ =0.29 (Coppersmith, private communication). The needed m × n × t matrix product i... |

12 |
A new efficient factorization algorithm for polynomials over small finite fields
- Niederreiter
- 1993
(Show Context)
Citation Context ...) operations in Fq. Their techniques allow one to solve the special problem of equal-degree factorization using an expected number of O(n (ω+1)/2+o(1) + n 1+o(1) log q) operations in Fq. Niederreiter =-=[28]-=- developed an alternate approach to factoring polynomials over finite fields. However, from a complexity point of view this method is closely related to Berlekamp’s original algorithm (Fleischmann [15... |

12 |
Fast rectangular matrix multiplications and improving parallel matrix computations
- Huang, Pan
- 1997
(Show Context)
Citation Context ...ded in proof Bürgisser et al. [37] have traced the transposition principle discussed in §3.2 to Tellegen’s theorem of control theory. By use of the new exponents for rectangular matrix multiplication =-=[38]-=- the asymptotic complexity of modular polynomial composition and hence of our factorization algorithms can be lowered a little bit. For example, the O(n 1.815 log q) running time of Theorem 1 can be l... |

11 | zur Gathen, Factoring polynomials and primitive elements for special primes - von - 1987 |

10 |
expansion of the accumulated rounding error
- Linnainmaa, Taylor
- 1976
(Show Context)
Citation Context ... that the transposition principle is a direct consequence of the so-called reverse mode in automatic differentiation, see Canny et al. [7]; for reverse mode see also Ostrowski et al. [30], Linnainmaa =-=[25]-=-, Baur and Strassen [2], and Griewank [19]. Thus, to prove our theorem, it will suffice to prove the required bound for just one of these problems. We prove it for the automorphism evaluation problem.... |

8 |
On obtaining upper bounds on the complexity of matrix multiplication, Complexity of Computer Computations
- Fiduccia
- 1972
(Show Context)
Citation Context ... are computationally equivalent within a constant factor. The discovery of the transposition principle goes back to the Ph.D. thesis of Fiduccia [14], Theorem 2 for multiplications (see also Fiduccia =-=[13]-=-, Theorem 4) and Theorem 5 for additions and subtractions. The additive version with a similar proof is rediscovered in (Kaminski et al. [22]). Furthermore, we remark that the transposition principle ... |

7 | Factorization of a solvable polynomial over finite fields and the generalized - Evdokimov |

7 | Factoring polynomials modulo special primes - Rónyai - 1989 |

6 | Galois Groups and Factoring Polynomials over Finite Fields - Rónyai - 1989 |

6 |
On the Algebraic Complexity of Matrix Multiplication
- Fiduccia
- 1973
(Show Context)
Citation Context ...ple, in Algorithm 1 in Wiedemann [36] step 4 and step 6 are computationally equivalent within a constant factor. The discovery of the transposition principle goes back to the Ph.D. thesis of Fiduccia =-=[14]-=-, Theorem 2 for multiplications (see also Fiduccia [13], Theorem 4) and Theorem 5 for additions and subtractions. The additive version with a similar proof is rediscovered in (Kaminski et al. [22]). F... |

6 |
On the asymptotic complexity of rectangular matrix multiplication
- Lotti, Romani
- 1983
(Show Context)
Citation Context ...ular that t>m. Techniques for fast rectangular matrix multiplication allow us to multiply a bδ ×b matrix by a b × b matrix with O(b2+o(1) ) operations for some δ>0 (Coppersmith [10], Lotti and Romani =-=[26]-=-). With the construction yielding ω < 2.375477 by Coppersmith and Winograd [11], we may chose δ =0.29 (Coppersmith, private communication). The needed m × n × t matrix product is done with O(n/t) prod... |

5 | Connections between the algorithms of Berlekamp and Niederreiter for factoring polynomials over Fq
- Fleischmann
- 1993
(Show Context)
Citation Context ...28] developed an alternate approach to factoring polynomials over finite fields. However, from a complexity point of view this method is closely related to Berlekamp’s original algorithm (Fleischmann =-=[15]-=- Niederreiter and Göttfert [29]). Kaltofen and Lobo [20] adapted the linear system solver of Wiedemann [36] to Berlekamp’s algorithm. Utilizing techniques from von zur Gathen and Shoup, they show how ... |

5 | Constructing normal bases in finite fields
- Gathen, G
- 1989
(Show Context)
Citation Context ... arithmetic in Fq n, in particular exponentiation, if one finds a normal element α ∈ Fq n with the property that α, α q ,... ,α qn−1 is a Fq-vector space basis for Fq n. Von zur Gathen and Giesbrecht =-=[16]-=- give a randomized algorithm for finding a normal element α ∈ Fq[x]/(f(x)) in O(n2+o(1) log q) arithmetic operations in Fq. The running time of their algorithm is reduced in (von zur Gathen and Shoup ... |

5 |
On a class of polynomials over a finite field
- Schwarz
- 1960
(Show Context)
Citation Context ...m. We describe one here. Let Q be the n × n matrix representing the q-th power map σ on Fq[x]/(f), with respect to the natural power basis. The matrix Q is the transpose of Petr’s matrix (see Schwarz =-=[32]-=-) computed in the classical Berlekamp algorithm. We represent the projection map u as a row vector ⃗u T , and we let ⃗α be the column vector consisting of the coordinates of α. We want to compute the ... |

4 |
Lakshman Yagati, Solving systems of nonlinear polynomial equations faster
- Canny, Kaltofen
- 1989
(Show Context)
Citation Context ...is rediscovered in (Kaminski et al. [22]). Furthermore, we remark that the transposition principle is a direct consequence of the so-called reverse mode in automatic differentiation, see Canny et al. =-=[7]-=-; for reverse mode see also Ostrowski et al. [30], Linnainmaa [25], Baur and Strassen [2], and Griewank [19]. Thus, to prove our theorem, it will suffice to prove the required bound for just one of th... |

3 | zur Gathen. Deterministic factorization of polynomials over special finite fields - Bach, von - 1988 |

3 |
Factorization of polynomials over finite fields and characteristic sequences
- Niederreiter, Göttfert
- 1993
(Show Context)
Citation Context ...oach to factoring polynomials over finite fields. However, from a complexity point of view this method is closely related to Berlekamp’s original algorithm (Fleischmann [15] Niederreiter and Göttfert =-=[29]-=-). Kaltofen and Lobo [20] adapted the linear system solver of Wiedemann [36] to Berlekamp’s algorithm. Utilizing techniques from von zur Gathen and Shoup, they show how their Black Box Berlekamp algor... |