## A New Polynomial Factorization Algorithm and its Implementation (1996)

Venue: Journal of Symbolic Computation

Citations: 63 (5 self)

### BibTeX

```bibtex
@ARTICLE{Shoup96anew,
  author  = {Victor Shoup},
  title   = {A New Polynomial Factorization Algorithm and its Implementation},
  journal = {Journal of Symbolic Computation},
  year    = {1996},
  volume  = {20},
  pages   = {363--397}
}
```

### Abstract

We consider the problem of factoring univariate polynomials over a finite field. We demonstrate that the new baby step/giant step factoring method, recently developed by Kaltofen & Shoup, can be made into a very practical algorithm. We describe an implementation of this algorithm, and present the results of empirical tests comparing this new algorithm with others. When factoring polynomials modulo large primes, the algorithm allows much larger polynomials to be factored using a reasonable amount of time and space than was previously possible. For example, this new software has been used to factor a "generic" polynomial of degree 2048 modulo a 2048-bit prime in under 12 days on a Sun SPARC-station 10, using 68 MB of main memory.

1 Introduction. We consider the problem of factoring a univariate polynomial of degree n over the field F_p of p elements, where p is prime. This problem has been well-studied, and many algorithms for its solution have been proposed. In general, the running tim...

### Citations

8557 | Introduction to Algorithms - Cormen, Leiserson, et al. - 2001 |

2447 | The Design and Analysis of Computer Algorithms - Aho, Hopcroft, et al. - 1974 |
Citation Context: ...shall assume that multiplication of two degree d polynomials uses O(M(d)) scalar operations, where M(d) = d log d log log d. This running-time bound is attained using the Fast Fourier Transform (FFT) [1], and (as we shall later see) is quite realistic in practice. To measure the space complexity of factoring algorithms, we will count the number of scalars (elements of F_p) that need to be stored. Be...

527 | Finite Fields - Lidl, Niederreiter - 1984 |

430 | zur Gathen and - von - 1999 |
Citation Context: ...he large p case, this method is in theory and in practice much slower than the null-space method; however, it uses much less space. Von zur Gathen and Shoup introduced a fast conjugation technique [21] to speed up the degree-separation method. This technique yields new and asymptotically fast algorithms for computing successive p-th powers in polynomial quotient rings over F_p. With the fast conjuga...

155 | Factoring polynomials over large finite fields - Berlekamp - 1970 |
Citation Context: ...) is quite realistic in practice. To measure the space complexity of factoring algorithms, we will count the number of scalars (elements of F_p) that need to be stored. Berlekamp's null-space method [2] reduces the factoring problem to that of finding elements in the null space of a certain linear map defined on a vector space of dimension n over F_p. Using standard elimination techniques, it can b...

103 | Fast algorithms for manipulating formal power series - Brent, Kung - 1978 |
Citation Context: ...d f. Moreover, note that f and h remain fixed throughout many instances of the problem, which we can use to our advantage. To solve the modular-composition problem, we use the method of Brent & Kung [4], which is itself a baby step/giant step technique. We first choose a parameter t (1 ≤ t ≤ n), and build a table of powers h^i mod f for 0 ≤ i ≤ t using ≈ t multiplications by h modulo f. Then we express g ...

96 | A new algorithm for factoring polynomials over finite fields - Cantor, Zassenhaus - 1981 |
Citation Context: ... space for O(n^2) scalars. The exponent 3 in the running time can be reduced using asymptotically fast (but generally impractical) matrix techniques. Cantor and Zassenhaus's degree-separation method [5] works by first partially factoring the polynomial so as to separate irreducible factors of differing degree, and then completing the factorization (if necessary) by separating irreducible factors of ...

90 | Efficient parallel solution of linear systems - Pan, Reif - 1985 |
Citation Context: ...ices made in the first step. The "success" probability that the algorithm correctly outputs the polynomial h can be bounded from below in two different ways: this probability is at least 1 - m/p [10], which is a useful bound when p is large with respect to m; for small p, this probability is bounded from below by a constant times 1/⌈log_p m⌉ [22]. The Berlekamp-Massey step can be carried out with...

67 | Subquadratic-time factoring of polynomials over finite fields - Kaltofen, Shoup - 1988 |
Citation Context: ...2, the algorithmic issues are quite different from those in the case we are considering here. We demonstrate that the new baby step/giant step factoring method, recently developed by Kaltofen & Shoup [11], can be made into a very practical algorithm. We describe an implementation of this algorithm, and present the results of empirical tests comparing this new algorithm with others. When factoring poly...

48 | Fast construction of irreducible polynomials over finite fields - Shoup - 1994 |
Citation Context: ...limination. For large m this is quite costly, requiring O(mM(n) + m^2 n) scalar operations and space for O(nm) scalars. An asymptotically faster and more space-efficient approach is described in Shoup [19], using O(m^{1/2} M(n) + mn) scalar operations and space for O(m^{1/2} n) scalars. However, the techniques used there prove only the existence of an algorithm, and do not give an explicit algorithm. We gi...

40 | An FFT Extension of the Elliptic Curve Method of Factorization - Montgomery - 1992 |
Citation Context: ...entation details of long-integer arithmetic and related problems. We certainly do not claim that all of the techniques in §§6-8 are original. Similar work has also been done by others (see Montgomery [17] in the context of integer factorization, and Morain [18] in the context of counting points on elliptic curves). In §9, we discuss the results of timing experiments with our software, including a prec...

25 | On the Equivalence Between Berlekamp's and Euclid's Algorithms - Dornstetter - 1987 |
Citation Context: ...p, this probability is bounded from below by a constant times 1/⌈log_p m⌉ [22]. The Berlekamp-Massey step can be carried out with essentially a GCD computation, taking O(M(m) log m) scalar operations [8]. If the resulting polynomial has degree less than m, we can test if it actually annihilates h using the modular-composition algorithm. 4.1 Power Projection. It remains to discuss the implementation of...

25 | On square-free decomposition algorithms - Yun - 1976 |
Citation Context: ...e output). Equal-degree factorization: given a square-free polynomial whose irreducible factors all have the same degree, along with that degree, factor it into irreducibles. Using an algorithm of Yun [23], the square-free factorization stage can be accomplished essentially in the time to compute a GCD. Using the recursive "Half-GCD" method (see [1, Chapter 8]), this takes O(M(n) log n) scalar operatio...

19 | Addition requirements for matrix and transposed matrix products - Bshouty, Kaminski, et al. - 1988 |
Citation Context: ... i=0. The transpose of this matrix represents the linear map g ↦ g(h) mod f, where g ∈ F_p[x] has degree less than k. This is just the modular-composition problem. By the "transposition principle" [12], under certain technical restrictions, an algorithm for modular composition can be transformed into one with the same time complexity for power projection. Thus, the power projection problem might al...

16 | Counting the number of points on elliptic curves over finite fields of characteristic greater than three, Algorithmic Number Theory Symposium - ANTS - Lehmann, Maurer, et al. - 1994 |
Citation Context: ...paper, we shall concentrate on the case where p is large; for concreteness, say log_2 p = Ω(n). This case arises, for example, in algorithms for counting points on elliptic curves over F_p [13]. In the case where p is very small, especially the extreme case where p = 2, the algorithmic issues are quite different from those in the case we are considering here. We demonstrate that the new bab...

15 | Factoring high-degree polynomials by the black box Berlekamp algorithm - Kaltofen, Lobo - 1994 |
Citation Context: ...tical, and our experience indicates that it will be slower than the null-space method for n up to at least several thousands. Kaltofen and Lobo introduced a black-box variant of the null-space method [9] by applying Wiedemann's linear system solving techniques [22] to the null-space method. The black-box variant can be implemented in a variety of ways, achieving a variety of simultaneous time/space b...

8 | Solving sparse linear systems over finite fields - Wiedemann - 1986 |
Citation Context: ...an the null-space method for n up to at least several thousands. Kaltofen and Lobo introduced a black-box variant of the null-space method [9] by applying Wiedemann's linear system solving techniques [22] to the null-space method. The black-box variant can be implemented in a variety of ways, achieving a variety of simultaneous time/space bounds (including those of the above three methods). Kaltofen a...

4 | von zur Gathen's factorization challenge - Monagan - 1993 |
Citation Context: ...ulo an (n + 2)-bit prime. The benchmarks are chosen so that they are easy to describe and to generate, but yet appear to behave as "generic" inputs. In response to von zur Gathen's challenge, Monagan [16] implemented the null-space method in Maple on a DEC station 3100. The largest of von zur Gathen's benchmarks reported to be factored in [16] was the n = 200 benchmark, which took approximately 27 hou...

3 | Implantation de l'algorithme de Schoof-Elkies-Atkin - Morain - 1994 |
Citation Context: ...roblems. We certainly do not claim that all of the techniques in §§6-8 are original. Similar work has also been done by others (see Montgomery [17] in the context of integer factorization, and Morain [18] in the context of counting points on elliptic curves). In §9, we discuss the results of timing experiments with our software, including a precise description of our factoring benchmarks. In §10, we m...

2 | Solving problems with MAGMA - Bosma, Cannon, et al. - 1994 |
Citation Context: ... 8.3 minutes with the baby step/giant step method, and 10.2 minutes using our implementation of the null-space method. Also, the MAGMA computer algebra system was used to factor the n = 300 benchmark [3]. This was done using an implementation of the null-space method on a Sun MP670, which is somewhat faster than our SPARC-station ELC. The total running time was 110 hours. On our SPARC-station ELC, th...

1 | The libI software library. Available via anonymous FTP from ftp.iwr.uni-heidelberg.de in pub/IntArith - Dentzer - 1994 |
Citation Context: ...on the SPARC-ELC must be done in software. The MIPS processor also has an integer multiply instruction. For the assembly code, we used the software library libI (version 2.1), written by Ralf Dentzer [7]. This library is written in C, but contains highly optimized assembly-language code for the equivalent of our AddMul routine. For multi-precision integer multiplication, on these machines, libI is as...

1 | Documentation of LIP. Available via anonymous FTP from flash.bellcore.com in pub/lenstra - Lenstra - 1994 |
Citation Context: ... performance. 8.1 Multi-precision arithmetic. To implement multi-precision arithmetic, we used a customized version of LIP, a C software library for multi-precision arithmetic written by Arjen Lenstra [14]. The default version of LIP is highly portable. However, by setting a flag at compile time, an alternative set of routines is used that is a bit less portable than the default, but on many machines i...

1 | A polynomial factorization challenge - von zur Gathen - 1992 |
Citation Context: ...[table fragment: ... h 46′, 48 MB; n = 1024: 16 h 45′, 18 MB; n = 2048: 272 h 09′, 68 MB] 1.2 Empirical results. We briefly summarize here our empirical results; more details are to be found later in the paper. Von zur Gathen [20] has suggested a "polynomial factorization challenge" consisting of a family of benchmarks for polynomial factorization algorithms. For each n, von zur Gathen's nth benchmark consists of a degree n po...