4.3 Factoring polynomials over number fields
4.3.2 Factor Combination
In this section we solve the question of factor combination using lattice reductions introduced in Section 4.2.2 for a suitable lattice, similar to the one for factorization over
Q, in such a way that every true combination of the modular factors corresponds to a
vector in the lattice.
Since the definition of trace is independent of the choice of the underlying field, so we will use all notations and definitions regarding to traces given in Section 4.2.2. It is also obvious that the recursive relation between the coefficients of a polynomial and its traces over a field F is independent of the choice of F and it holds over any field. Now we want to state the equivalent version of all lemmas given in Section 4.2.2 for the case of number field.
In the following, let Kp =Zp[t1,· · · , tq]/hH˜1∗,· · · ,H˜
∗
qi, where Zp is the ring of p-adic
integers, and ˜Hi∗ is the p-adic approximation of an irreducible factor of Hi such that
˜
Hi∗ = ˜Hi modulo p.
The following lemma which is an extension of Lemma 30 to the case of number fields, is indeed a direct conclusion of the recursive relation between the coefficients of f and its traces.
Lemma 45. Let g ∈ K˜p[x] be a monic p-adic factor of f over K˜p and deg(g) =d. The
monic polynomial g has coefficients in K if and only if T ri(g)∈K for all 1≤i≤d.
Lemma 47, which is the main lemma of this section, claims the same statement as Lemma 45 over the ring of algebraic integers OK instead of over K, with an extra
assumption f ∈ 1
λOK[x]. For the proof we need the following lemma from [51]. Lemma 46. Let f ∈ 1
λOK[x] be a monic polynomial, where 0 6= λ ∈ Z, and suppose f(x) = g(x)h(x)∈K[x], where g, h are monic. Then g, h∈ 1
λOK[x]. Lemma 47. Let f ∈ 1
λOK[x] be a monic polynomial of degree n, where 0 6=λ ∈Z, and g ∈K˜p[x] be a monic p-adic factor of f overK˜p and deg(g) = d. The monic polynomial
g of degree d has coefficients in 1λOK if and only if T ri(g)∈(1λ)nOK for all 1≤i≤d.
Proof. If the monic polynomialgof degreedhas coefficients in 1λOK, then the recursive
relation between the coefficients of g and its traces implies T ri(g) ∈ (λ1)iOK ⊆ ( 1
λ) nO
K
for all 1≤i≤d. Now assume that all traces ofg are in (1λ)nOK. Then lemma 45 implies
g ∈K[x], since (λ1)nOK ⊂K. Then Lemma 46 implies g ∈ 1
λOK[x], since f ∈ 1
λOK[x].
Next lemma is a weaker version of Lemma 47, concerning with only the necessary condition for g to be in 1λOK[x]. This lemma can be useful in practice, as it says rather than taking all traces of g, taking only a linear combination of them might be enough. So it reduces the number of information added to the lattice, resulting in applying LLL algorithm [42] on a smaller matrix which in turn can significantly improve the running time of the LLL algorithm, specially when g has a large degree.
Lemma 48. Let f ∈ 1
λOK[x] be a monic polynomial of degree n, where 0 6=λ ∈Z, and g ∈K˜p[x] be a monic p-adic factor of f over K˜p and deg(g) =d.
g ∈ 1 λOK[x] =⇒T rA(g)∈(( 1 λ) nO K) s
Proof. A direct application of Newton identities, and the fact that thes×dmatrix A
is an integer matrix.
Following Section 4.3.4, there exists an integer D such that
Z[t1,· · · , tq]⊆ OK ⊆
1
DZ[t1,· · · , tq]
Then Lemma 47 and 48 still hold if we replace OK with D1Z[t1,· · ·, tq]. On the other
hand, since K is the field of fractions of OK, so every coefficient of f ∈ K[x] can be written as a fraction with numerator and denominator in OK. So then Cnf ∈ OK[x],
where Cn ∈ OK is the least common divisor of the denominators of the coefficients of f. Hence we can always assume that f is a polynomial over OK, but not necessarily monic. From now on, for simplicity of the following discussion, we will assume that
f ∈ OK[x] is a monic polynomial. The non-monic case can be dealt in the same way as it was explained in Remark 1. More precisely, we assume that f ∈ 1
DZ[t1,· · · , tq][x]
for some D ∈ Z. So then , using Lemma 46, each monic factor g of f over K is in
1
DZ[t1,· · · , tq][x], and Lemma 48 implies that T rA(g)∈((
1
D) n
Z[t1,· · · , tq])s.
Now let S ⊂ Kp[x] be a subset of p-adic factors {f1,· · ·, fr} of f and let g be the
product of the polynomials in S, and deg(g) = d. Then
TA(g) =
X
fi∈S
TA(fi)
or equivalently, if we encode the set S as 0−1 vector v = (v1,· · · , vr), wherevi = 1
if fi ∈S and vi = 0 otherwise, then
TA(g) = r
X
i=1
viTA(fi)
Following Lemma 48, a necessary condition for g to be in D1Z[t1,· · · , tq][x] is that the
sum of TA(fi)’s,fi ∈S, has entries in (D1)nZ[t1,· · · , tq]. However, the TA(fi) is inKp[x],
so they can only be determined up to some finite precision. Let Bi be a bound on the
norm ofT ri(g) for any factorg of f inK[x], which can be computed using Section 4.3.3.
This allows us to compute an upper bound for the entries of TA(g). Now, a necessary
condition for g to be a polynomial in D1Z[t1,· · · , tq][x] is that TA(g) satisfies the bound
in each row.
From now on, we want to solve the problem of factor combination using the result of Lemma 48 and following the same approach as in Section 4.2.2. So we need to build a lattice such that each solution of the factor combination problem be an element of the lattice and can be obtained as a short vector in the lattice.
Following the notations in Theorem 6, let W be the set of all vectors
v = (v1,· · · , vr) ∈ Zr for which
Qr
i=1f
vi
a,i corresponds to a true factor of f over
K. Note that if g1,· · · , gt are the monic irreducible factors of f over K, then
vector (vj,1,· · · , vj,r) for which Qri=1f vj,i
a,i corresponds to the true factor gj of f over
K. Note that reconstruction of gj, for 1 ≤ j ≤ t, from its modular image Qri=1f vj,i
a,i
can be done using Section 4.3.1. Finding this reduced basis is the same as solving the combinatorial problem in the algorithm of Zassenhaus [69], that is, finding a partition of the set of all modular factors {fa,i}ri=1 of f into t distinct subsets, each of which,
corresponds to one of the true factors{g1,· · · , gt}.
Let L ⊆ Zr be a lattice, then B
L denotes a basis forL. The matrix whose rows are
the elements of BL is denoted by (BL) and rref(BL) denotes its row echelon form. If
we can compute any basis BW of W, then the combinatorial problem is solved because
{w1,· · · , wt} are the rows of rref(BW).
Lemma 49. Let L be a lattice such that W ⊆L ⊆Zr and R = rref(B
L). Then L=W
if and only if the following two conditions hold:
(a) Each column of R contains precisely one 1, all other entries are 0
(b) if (v1,· · · , vr) is a row of R then g ∈ OK, where g is a true factor of f overK.
Proof. If L=W then {w1,· · · , wt} must be the rows ofR because of the uniqueness
of row echelon form, and thus both conditions hold. Conversely, assume that both
conditions hold. Since each row of R corresponds to a true factor of f and OK has unique factorization, so each row of R is a linear combination of w1,· · · , wt. But then
(a) and the properties of row echelon form imply that the rows of R are actually the vectors w1,· · · , wt. Hence L⊆W, and soL=W.
Lemma 49 gives us a sufficient condition forL to be the desired latticeW. So, like in the van Hoeij algorithm [63], we start from L =Zr and at each step we test whether L
is equal to W or not. This test can be done using Lemma 49. Now suppose that L6=W. Then the algorithm tries to find a new lattice L0 with
W ⊆L0 ⊆L
Then L replaced by L0. The algorithm keeps repeating this until we finally obtain
L = W, i.e., both conditions of Lemma 49 are satisfied. Like any other algorithm, we need to address the questions of correctness and termination of the process.
Assume that we have chosen an s ×d matrix A and all modular factors {fa,i}ri=1
have been computed to the precision 2a. We will now show how to compute the new
solutions of the factor combination problem. Note that the new lattice L0 would depend on the size of the matrix A and the precisions 2a; if we can not find a new lattice L0
satisfying the required conditions using the following process, then we should change these parameters.
Let BL be a basis for L. Initially L =Zr and BL is the standard basis of Zr. Now
we will construct a new lattice ∆ such that the vector
vS = (Cv1,· · · , Cvr, TA(ˆg)11,· · · , TA(ˆg)s1)
is an element of ∆ for every solution S of the factor combination problem, where
ˆ
g = Qr
i=1f
vi
a,i and C is a constant described below. Note that vi = 1 if fa,i ∈ S and
vi = 0 otherwise.
The lattice ∆ is given by
CIr×r S 0 Q ! where • S = lift(DnS Kp) and SKp = TA(f1)11 · · · TA(f1)s1 .. . . .. ... TA(fr)1r · · · TA(fr)sr
and lift(x) =xmodp2a,Hˆa
1,· · · ,Hˆqa.
• Q is a N s×N s block diagonal matrix, with blocks equal to M on the diagonal, whereM is aN×N matrix obtained from the basisB mentioned in Section 4.3.1. To any true factor of f corresponds u ∈ {0,1}r and v ∈
ZN s such that the image of
(u v) has squared L2 norm bounded by
C2r+kSu+Qv k22
and we can bound k Su+Qv k2≤Btrace using Section 4.3.3. The constant C is chosen
so that C2r≈Btrace. It is not necessary at this point that M be LLL-reduced, nor that
So any factor of f overKcorresponds to a µ-short vector of the new lattice ∆, where
µ is an upper bound on the square root of C2r+ k Su+Qv k2
2, and can be computed
using Section 4.3.3.
Now we are ready to present our new algorithm for factoring polynomials over num- ber fields using multivariate representation. Let K be the algebraic number field, as before. For a given square-free monic polynomial f ∈K[x], this algorithm computes the irreducible factors of f over K using the following steps:
1. Determine D ∈N, such that f and its factors are in D1Z[t1,· · · , tq][x]
2. Choose a suitable primep6 |D, satisfying the conditions explained at the beginning of the section
3. Compute the modular factors fa,1,· · · , fa,r using Theorem 6, up to some precision
2a, where a should be at least dlog(µ)/log(p)eand µis obtained in the next step.
4. Choose a matrix A. Compute the upper boundµ, as explained above
5. Compute the lattice ∆ as above, if the entries of S are already small, that is, all vectors in the basis of ∆ are already µ-short, go back to step 4 and choose another matrix A.
6. Apply the LLL algorithm to compute a reduced basis V1,· · · , Vr of the lattice ∆.
Do a floating point Gram-Schmidt computation to determine an as small as possible integer t such that allµ-short vectors of ∆ are in ∆0 :=ZV1+· · ·+ZVt. Let L0 be
1/C times the projection of ∆0 on the first r coordinates with the basisBL0. If the
dimension of L0 did not decrease then return to step 3 and increase the precision.
7. If t= 1 thenf must be irreducible and the computation ends. Otherwise continue.
8. ComputeR = rref(BL0). IfR does not satisfy the first condition of Lemma 49 then
go to step 4, otherwise proceed to the next step.
9. Check the second condition of Lemma 49 by executing step 10 for k ∈ {1,· · · , t}
10. Let (v1,· · · , vr) be thek’th row of R. Then check if gk divides f over K, where gk
is the reconstructed polynomial from its modular image Qr
i=1f
vi
i (Section 4.3.1).
Otherwise go back to step 4. 11. Now f =g1· · ·gt
The correctness of the algorithm is clear, since the output satisfies the conditions of Lemma 49 in steps 8-10. Indeed, in step 10, each output polynomial gj is checked
whether it is a true factor off or not.
Finally we need to prove that the algorithm terminates. Since the termination of the algorithm depends only on the lattice ∆ and the way that we generate the new lattice
L0, and in this sense, it is the same as van Hoeij’s algorithm [63], so the proof is similar to the one given for Lemma 8 in [63]. But for more clearness, we give the first part of the proof which is different
Lemma 50. The algorithm terminates.
Proof. Since in each round of the algorithm, the main goal is to find a new lattice
L0, such that W ⊆ L0 ⊆ L and dim(L0) < dim(L) if L 6= W, so we have to show that if L 6= W then eventually dim(L0) < dim(L), so that after finitely many steps the algorithm reaches L=W.
Without loss of generality, we assume that the matrix A has only one row, with the
ith entries equal to one and other entries zero. So then s = 1 and TA(fj) = T ri(fj).
Denote U(v) = r X j=1 vjT ri(fj)∈Zp[t1,· · · , tq] : v = (v1,· · · , vr)∈L
where Zp is the ring of p-adic integers and define U(v, a1) as the image of DU(v)
modulo pa1. Denote ˜µ = r2r/2µ, Sol
i(L) := {v ∈ L : DU(v) ∈ Z[t1,· · · , tq]}, and
B(L, a1) := {v ∈ L : |Cv|2 +|U(v, a1)|2 ≤ µ˜2}. Since ˜µ > µ, then it follows that W is
contained in the span of B(L, a1). The rest of the proof is exactly the same as the one
given in [63] for Lemma 38.
Truncation As we said in Section 4.2.2, truncating the value of TA(g) can have a
significant effect on the efficiency of the van Hoeij factorization algorithm overZin prac- tice. Now we want to extend a similar idea to the case of factorization over number fields.
For t >1 any integer, and any x∈K˜a
p, we define the truncation
Now write S =S0+tS1, kS0 k∞≤t/2 Q=Q0+tQ1, kQ0 k∞≤t/2 Hence kS0 k2 ≤ √ rN s t 2 kQ0 k2≤ √ s Nt 2
From the previous section, there exists u∈ {0,1}r and v ∈
ZN s such that kSu+Qv k2≤Btrace whence kS1u+Q1v k2 ≤Btrace/t+kS0u+Q0v k2 /t ≤Btrace/t + √ rN s 2 kuk2 + √ sN 2 kv k2
Note that in the case of van Hoeij algorithm, Q0 = 0, since Q is divisible by t =pb.
So it is not important to control v, which is necessary in this case. For the purpose, we have to make the following two assumptions.
• the precision a is so large that we can apply Lemma 41 to the matrix M. From this we deduce that v =−bQ−1Sue.
• the specified lift is chosen forS, such that kQ−1S k
∞≤1/2 If x∈RN, we have bxe=x+ε, where kεk ∞≤1/2, hence k bxe k2≤kxk2 + √ N /2
From which we have
kv k2≤kQ−1Suk2 + √ N /2≤ √ rN s 2 kuk2 + √ N /2 since kuk2≤ √ r, we obtain kS1u+Q1v k2≤Bhigh :=Btrace/t + r√N s 2 (1 +N √ s/2) + N √ N s 4
So our final knapsack lattice is given by
CIt×r S1
0 Q1
!
where C ≥1 is chosen so that C2r≈B2
high.
Note that if t is a power of p and pdivides Q, then Q0 = 0, in which case the bound
becomes Btrace/t +r
√
N s
2 . Here we essentially recover van Hoeij’s bound ofr
√
s/2 in the case N = 1, since K =Q, provided we can take t Btrace, i.e., provided that modular
factors have been sufficiently lifted.