Zassenhaus LLL vH Belabas BHKS vH&N
Complexity of factoring polynomials with rational number coefficients
Mark van Hoeij, Florida State University
JA'2007, Edinburgh, July 6, 2007
Papers discussed in this talk
[Zassenhaus 1969]. Algorithm that is usually very fast, but can take exponential time for certain types of polynomial.
[LLL 1982]. Lattice reduction (LLL algorithm) = key tool for solving combinatorial problems.
[LLL 1982]. First polynomial-time factoring algorithm, though Zassenhaus is usually faster.
[vH 2002]. New algorithm, outperforms prior algorithms on all tests, but no complexity bound is given.
[Belabas 2004]. Gave the best-tuned version of [vH 2002].
[Belabas, vH, Klüners, Steel 2004] (in the JA'2007 notes). Gave a poly-time bound for the slowest version of [vH 2002]; however, gave a worse bound for the best-tuned version!
[vH and Andrew Novocin, 2007]. An asymptotically sharp bound for the fastest version.
Zassenhaus' algorithm
Let f ∈ Z[x] be separable and monic. Goal: the factors of f in Z[x].
Idea 1: If g ∈ Z[x] divides f then the coefficients of g are smaller than some bound L that we can compute.
Idea 2: If g ∈ Z[x] divides f then g can be reconstructed when g mod p^a is known for some p^a > 2L.
Idea 3: Factor f = f_1 ··· f_r over Z_p (the p-adic integers). There are only finitely many monic factors of f in Z_p[x]. Each is of the form g_v := ∏_i f_i^{v_i} for some 0–1 vector v = (v_1, …, v_r).
Idea 4: f_1, …, f_r (and hence g_v) are not known exactly, but are only known mod p^a. That's enough, using Idea 2.
Features of Zassenhaus' algorithm
Let L = bound for the coefficients of factors in Z[x]. Let f_1, …, f_r ∈ Z_p[x] be the p-adic factors. Compute the p-adic factors mod p^a for some p^a > 2L (first compute the f_i mod p, and then mod p^a by Hensel lifting).
1. Given some 0–1 vector v ∈ {0,1}^r, one can rapidly decide whether g_v := ∏_i f_i^{v_i} is in Z[x] or not.
2. A factor in Z[x] can be computed efficiently if its 0–1 vector v is known: take the f_i with v_i = 1 and multiply them mod p^a.
If f is irreducible we end up trying 2^r (actually 2^{r−1}) cases. Then the CPU time will be roughly: Cost(factoring f mod p) + Cost(Hensel lifting) + 2^r · tiny.
Complexity of Zassenhaus' algorithm
Cost(factoring f mod p) + Cost(Hensel lifting) + 2^r · tiny
1. Cost(factoring mod p) depends polynomially on the degree N.
2. Cost(Hensel lifting) depends polynomially on N and log(‖f‖_∞), where ‖f‖_∞ = largest absolute value of the coefficients of f.
3. With some tricks, testing one v ∈ {0,1}^r usually takes only a tiny amount of CPU time, regardless of N and log(‖f‖_∞).
Given some polynomial f ∈ Z[x] of degree N, the algorithm tries several primes p, and then chooses the one for which f has the fewest p-adic factors f_1 ··· f_r. Usually r ≪ N and Zassenhaus' algorithm is fast, with Hensel lifting dominating the CPU time. But for polynomials that have large r at every p the algorithm suddenly takes exponential time.
Timings on an example
Cost ≈ Polynomial(N, log(‖f‖_∞)) + 2^r · tiny
Suppose for example f has degree N ≈ 200, and each coefficient has about 200 digits. For the best implementations of Zassenhaus' algorithm, as long as r < 20 the precise value of r has little impact on the CPU time; it will take about a second either way. Make examples with larger r, and the CPU time suddenly starts to go up exponentially.
Zassenhaus' algorithm is usually much faster than [LLL 1982] (for such N, H: one second instead of a day, if r < 20). However, if say r = 64 then [LLL 1982] is much faster (a day instead of an estimated 100,000 years for Zassenhaus).
The goal
Suppose f has degree N ≈ 200, with ≈ 200-digit coefficients, and say r = 64 p-adic factors f = f_1 ··· f_64. For such a polynomial, [LLL 1982] takes about 1 day. Although that is much better than Zassenhaus, keep in mind that if we somehow knew which subset(s) of f_1, …, f_64 to take, then Zassenhaus would only take 1 second, which is much better than 1 day! Thus, the only thing that stands in the way of reducing the CPU time from 1 day to 1 second is an object with only 64 bits of data (namely the v ∈ {0,1}^r that encode the right subsets of f_1, …, f_r). The goal in [vH 2002] is a quick way to compute this data.
LLL
In [LLL 1982] Lenstra, Lenstra and Lovász gave a lattice reduction algorithm (the LLL algorithm), as well as a polynomial-time factoring algorithm for Q[x] based on the LLL algorithm.
Suppose L ⊆ Z^n is a Z-module. The input of the LLL algorithm is an arbitrary basis of L. The output is a new basis b_1, …, b_m of the same lattice L, but this basis has some very useful properties.
LLL separates short from long vectors if the gap is big enough
Let n = dim(L) and let B be some positive number. Let L_B be the sublattice of L spanned by the B-short vectors:
L_B := SPAN{ v ∈ L : ‖v‖ ≤ B }.
Suppose furthermore that all vectors outside of L_B are sufficiently much longer than B, i.e. suppose
Big Gap Condition: ‖v‖ > 2^{n/2} B for all v ∈ L \ L_B.
Then LLL allows us to compute a basis for L_B (compute an LLL basis b_1, …, b_n for L, and as long as the Gram–Schmidt length of the last vector is > B, remove it). If the Big Gap Condition does not hold, then instead of a basis of L_B we would get a basis of some lattice L′ for which L_B ⊆ L′ ⊆ L.
Factoring with LLL
Suppose f ∈ Z[x] has a non-trivial factor g = c_0 + c_1 x + ··· ∈ Z[x]. How to find g with LLL?
Idea: Construct a lattice L with these properties:
1. w := (c_0, c_1, …) ∈ L.
2. Big Gap Condition: All vectors ∉ SPAN({w}) are sufficiently much longer than w.
Then compute an LLL reduced basis b_1, …, b_m of L, and find w = ±b_1. Read off g from w. This way one can find a factor g (or prove f is irreducible) in polynomial time, see [LLL 1982].
Back to the example
Suppose f has degree N ≈ 200, with ≈ 200-digit coefficients, and say r = 64 p-adic factors f = f_1 ··· f_64. To construct an irreducible factor g ∈ Z[x] (worst case: g = f if f is irreducible) with [LLL 1982] means finding w = vector(g) with lattice reduction. This vector could contain as much as 200 · log_2(10^200) ≈ 132,000 bits of data, and LLL could take a day. However, if we had r = 64 bits of data, v = (v_1, …, v_r) ∈ {0,1}^r, then we could compute the corresponding factor g = ∏_i f_i^{v_i} in 1 second.
Main idea in [vH 2002]: Use LLL to compute (v_1, …, v_r) in a way that avoids computing any bits of information about the coefficients of g.
van Hoeij, 2002
Let f = f_1 ··· f_r ∈ Z_p[x]. The map v ↦ g_v = ∏_i f_i^{v_i} that sends a 0–1 vector v = (v_1, …, v_r) to the corresponding factor of f turns additions into multiplications. For lattice reduction we need something that is linear, so we have to turn multiplications back into additions. One way to do that is using the following map: g ↦ Tr_1(g), where Tr_1(g) is the sum of the roots (with multiplicity) of g. So we get an additive map
φ : v ↦ Tr_1(g_v) = Σ_i v_i Tr_1(f_i)
from Z^r to the p-adic integers Z_p.
van Hoeij, 2002
So let's take t_i := Tr_1(f_i) ∈ Z_p for i = 1, …, r and look at this map
φ : v = (v_1, …, v_r) ↦ Tr_1(g_v) = v_1 t_1 + ··· + v_r t_r
from Z^r to Z_p. If g_v ∈ Z[x] then Tr_1(g_v) is an integer bounded by some b (assume for now that f is monic; for b we can take N times a bound for the absolute values of the complex roots of f). Set t̃_i := (t_i mod p^a) ∈ Z. Then Tr_1(g_v) = v_1 t̃_1 + ··· + v_r t̃_r + small multiple of p^a for any of our target v's (the v's for which g_v ∈ Z[x]).
van Hoeij, 2002
For any of our target v's (i.e. g_v ∈ Z[x]) we have: Tr_1(g_v) = v_1 t̃_1 + ··· + v_r t̃_r + small multiple of p^a. Now Tr_1(g_v) is a coefficient of the factor g_v, but for efficiency we want to compute (v_1, …, v_r) without computing any coefficients of factors of f. So we take s_i := t̃_i / b ∈ Q (the implementation rounds this to an integer for efficiency, but we'll skip that for simplicity). Now let L be the lattice generated by:
(1, 0, …, 0, s_1), (0, 1, …, 0, s_2), …, (0, 0, …, 1, s_r) and (0, 0, …, 0, p^a / b).
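The construction above carried through end to end, as an added example that is not from the slides or from the paper's implementation: on the constructed input f = (x² − 2)(x² − 3) with p = 23, where f has r = 4 linear p-adic factors f_i = x − t_i, the traces t_i are lifted mod p^a by Newton iteration, the lattice with rows (e_i, t̃_i/b) and (0, …, 0, p^a/b) is LLL-reduced, long vectors are cut off by Gram–Schmidt length as on the LLL slide, and each recovered 0–1 vector is turned into a factor by multiplying the f_i mod p^a and taking symmetric remainders (Idea 2). The names hensel_root, lll and trace_lattice_factors, the textbook LLL routine, the Cauchy root bound used for b, and the column-grouping read-off of the 0–1 vectors are choices made here, not the talk's.

```python
from fractions import Fraction
from operator import mul

F, P, A = [6, 0, -5, 0, 1], 23, 8   # constructed input f = (x^2-2)(x^2-3), coefficients low -> high; 2 and 3 are squares mod 23
ROOTS_MOD_P = [5, 18, 7, 16]        # the r = 4 roots of f mod 23: +-5 (= +-sqrt 2) and +-7 (= +-sqrt 3), so f_i = x - root_i
def hensel_root(f, r, p, a):        # Newton/Hensel-lift a simple root r of f mod p to a root mod p^a
    m = p ** a
    for _ in range(a):
        fr = sum(c * pow(r, i, m) for i, c in enumerate(f)) % m
        dfr = sum(i * c * pow(r, i - 1, m) for i, c in enumerate(f) if i) % m
        r = (r - fr * pow(dfr, -1, m)) % m
    return r
dot = lambda u, v: sum(map(mul, u, v))
def lll(basis, delta=Fraction(3, 4)):   # textbook LLL over exact rationals; returns (reduced basis, Gram-Schmidt vectors)
    b, n = [[Fraction(x) for x in v] for v in basis], len(basis)
    def gram_schmidt():
        bs, mu = [], []
        for i, v in enumerate(b):
            mu.append([dot(v, u) / dot(u, u) for u in bs])
            bs.append([x - sum(c * u[j] for c, u in zip(mu[i], bs)) for j, x in enumerate(v)])
        return bs, mu
    bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in reversed(range(k)):                     # size-reduce b_k against b_{k-1}, ..., b_1
            b[k] = [x - round(mu[k][j]) * y for x, y in zip(b[k], b[j])]
            bs, mu = gram_schmidt()
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                                       # Lovasz condition holds
        else:
            b[k], b[k - 1], k = b[k - 1], b[k], max(k - 1, 1)   # swap and step back
            bs, mu = gram_schmidt()
    return b, bs

def trace_lattice_factors(f=F, p=P, a=A, roots=ROOTS_MOD_P):
    n, r, m = len(f) - 1, len(roots), p ** a
    t = [hensel_root(f, x, p, a) for x in roots]         # f_i = x - t_i, so t_i = Tr_1(f_i) mod p^a
    bound = n * (1 + max(abs(c) for c in f[:-1]))        # b: |Tr_1(g)| <= N * (Cauchy root bound), f monic
    rows = [[int(i == j) for j in range(r)] + [Fraction(t[i], bound)] for i in range(r)]
    rows.append([0] * r + [Fraction(m, bound)])          # the (0, ..., 0, p^a / b) row
    b, bs = lll(rows)
    keep = max((i for i, u in enumerate(bs) if dot(u, u) <= r + 1), default=-1) + 1   # cut long tail
    cols = [tuple(v[i] for v in b[:keep]) for i in range(r)]   # i, j belong to one factor iff columns agree
    factors = []
    for idx in ([i for i in range(r) if cols[i] == key] for key in dict.fromkeys(cols)):
        g = [1]                                          # g_v = prod_{i in idx} (x - t_i) mod p^a
        for i in idx:
            g = [((g[j - 1] if j else 0) - t[i] * (g[j] if j < len(g) else 0)) % m for j in range(len(g) + 1)]
        factors.append([c - m if c > m // 2 else c for c in g])   # symmetric remainder: Zassenhaus' Idea 2
    return sorted(factors)
```

Tr_1 alone suffices for this input because the only 0–1 vectors with a small trace are the two true factors; in general van Hoeij's algorithm adds further power-sum traces Tr_k to the lattice, which the slides shown here stop short of.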