How To Find A Proper Factor Of A Polynomial Over Prime Fields

(1)

On the deterministic complexity

of factoring polynomials

†

Shuhong Gao

Department of Mathematical Sciences Clemson University

(March 17, 1999)

The paper focuses on the deterministic complexity of factoring polynomials over finite fields assuming the extended Riemann hypothesis (ERH). By the works of Berlekamp (1967, 1970) and Zassenhaus (1969), the general problem reduces deterministically in polynomial time to finding a proper factor of any squarefree and completely splitting polynomial over a prime fieldFp. Algorithms are designed to split such polynomials. It is

proved that a proper factor of a polynomial can be found deterministically in polynomial time, under ERH, if its roots do not satisfy some stringent condition, calledsuper square balanced. It is conjectured that super square balanced polynomials do not exist.

1. Introduction

We consider the problem of factoring polynomials over finite fields. This problem can be solved in probabilistic polynomial time (Berlekamp 1970, Cantor and Zassenhaus 1981, von zur Gathen and Shoup 1992, Kaltofen and Shoup 1998), but it is still open whether it has a deterministic polynomial time algorithm, even if the extended Riemann hypothesis (ERH) is assumed. We are interested in the deterministic complexity of the problem under ERH.

Various authors have given under ERH efficient algorithms for special classes of poly-nomials or for polypoly-nomials over special fields. R´onyai (1992) showed under ERH that any polynomial with integer coefficients that generates a Galois number field can be factored modpin deterministic polynomial time, except for finitely many primesp, which extends previous results by Huang (1991), Adleman, Mander & Miller (1977), and Evdokimov (1989). If the number of irreducible factors of a polynomial is bounded, R´onyai (1988) showed under ERH that it can be factored deterministically in polynomial time. On spe-cial fields, Bach, von zur Gathen & Lenstra (1995) showed that polynomials over finite fields of characteristicpcan be factored in polynomial time if Φk(p) is smooth for some integerkwhere Φk(x) denotes thek-th cyclotomic polynomial, which extends the works of von zur Gathen (1987), Moenck (1977), Camion (1983), Mignotte & Schnorr (1988), † _{Part of the work was done while the author was an NSERC Postdoctoral Fellow at the University of} Toronto and a Visiting Assistant Professor at the University of Waterloo; their hospitality and support are gratefully acknowledged.

(2)

and R´onyai (1989). Recently, Evdokimov (1994) proved that every polynomial overFq

of degreencan be factored deterministically in time polynomial innlogn _{and log}_q_. In this paper, we continue this line of research for deterministic polynomial time algo-rithms under ERH. By the algoalgo-rithms of Berlekamp (1967, 1970) and Zassenhaus (1969), the general problem can be reduced to finding proper factors of polynomials that split completely over prime fields. To be precise, we focus on the following problem. For any given primepand a polynomialf ∈Fp[x] that is squarefree and splits completely over Fp, find a proper factor off. Under ERH, R´onyai (1988) proves that, for any completely

splitting polynomialf ∈Fp[x] of degreenand any prime divisorr|n, a proper factor of

f can be found in time polynomial innrand logp. In particular, ifr= 2 this means that any completely splitting polynomialf ∈Fp[x] of even degree can be split in polynomial

time under ERH. However, whennhas no small divisors, saynis a prime, then R´onyai’s time is exponential in n. That is where the current paper contributes. We design algo-rithms that terminate in polynomial time under ERH. It is proven that if f does not satisfy some stringent conditions then our algorithms will always find a proper factor of

f. For simplicity, we state our result here only for the case p≡ 3 mod 4. The general statement can be found in Theorem 3.7.

Suppose thatp≡3 mod 4 is a prime. LetF be a subset ofFp with cardinalityn >1.

We say thatF is square balancedif, for eachξ∈F,

#{ζ∈F:ζ=6 ξ, ξ−ζ is a square inFp}=

n−1 2 .

Two sets F1, F2 ⊂ Fq, each with cardinality at least two, are called mutually square

balancedif, for eachξ∈F1,

#{ζ∈F2:ξ−ζis a square inFp}

is the same for allξ∈F1, and similarly for eachξ∈F2withζ∈F1. For a subsetF ⊂Fp

and an integerk, defineFk ={ak :a∈F}, the set ofk-th powers of the elements inF. We call a subsetF ⊂Fp of cardinalityn >1super square balancedif the following three

conditions are satisfied:

(i) For each 1≤k≤(nlogp)6,Fk has cardinalitynand is square balanced; (ii) All the setsFk, 1≤k≤(nlogp)6, are pairwise disjoint;

(iii) All the setsFk, 1≤k≤(nlogp)6_{, are pairwise mutually square balanced.}

Note that a squarefree and completely splitting polynomial f ∈ Fp[x] factors as Qn

i=1(x−ξi) where ξ1, . . . , ξn are different elements in Fp. Thus squarefree and

com-pletely splitting polynomials in Fp[x] are in 1-1 correspondence to the subsets of Fp.

We call a squarefree and completely splitting polynomialf ∈ Fp[x] square balancedor

super square balancedif the set of its roots is square balanced or super square balanced, respectively. We prove the following theorem.

Theorem 1.1. Given any prime p≡3 mod 4 andf ∈Fp[x] squarefree and completely

splitting, we can find a proper factor off in deterministic polynomial time provided that ERH holds and f is not super square balanced.

R´onyai’s result for r= 2 follows from the above theorem immediately, since iff has even degree thenf can not even be square balanced!

(3)

Theorem 1.1 puts stringent conditions on the roots of polynomials that can not be split in polynomial time by our algorithms under ERH. An interesting number theory problem arises here, that is, whether there exists any super square balanced set inFp.

We believe that the conditions(i), (ii)and(iii)are so strong that no subset inFp can

satisfy them all. We conjecture that for any primepand any positive integern, there is no super square balanced subset inFp of cardinalityn >1. A confirmation to the conjecture

implies that, under ERH, polynomials over finite fields can be factored deterministically in polynomial time.

We should point out that our results are purely theoretical. They bear on an issue in theoretical computer science about derandomization, namely, if a problem can be solved efficiently by randomized algorithms, can it also be solved efficiently by algorithms with-out using randomness? In our case, the goal is to decide whether there is a deterministic polynomial time algorithm to factor polynomials over finite fields. For such a purpose, it is satisfactory when an algorithm runs in polynomial time and thus we do not attempt to implement our algorithms in the most efficient fashion. For practical purposes, it suffices to use the randomized algorithms of Berlekamp (1970), Cantor and Zassenhaus (1981), von zur Gathen and Shoup (1992), Kaltofen and Shoup (1998).

The rest of the paper is organized as follows. In Section 2, we discuss the arithmetic of polynomials over algebras. In the current paper, we work mainly with semisimple algebras overFpthat split completely. We show how to adapt the gcd concept for polynomials over

a field to polynomials over an algebra and modify the Euclidean algorithm to compute gcd. We examine the zero structure of a completely splitting polynomial over an algebra and answer such questions as how many roots it has, how many decompositions it has, and which set of roots form a decomposition. We also define the characteristic polynomial of an element in an algebra over a subalgebra and show a simple formula under an orthogonal basis. These properties are used in Section 3 in algorithm design and analysis. They are also of independent interest and may be useful elsewhere. Interestingly, Wan (1996) uses characteristic polynomials in a different fashion to factor polynomials over finite fields. In Section 2.4, we review a method for computingk-th roots of elements in a semisimple algebra and define the concept of square balanced and super square balanced polynomials over an arbitrary finite field Fq. In Section 3, we describe our algorithms

and their analysis, our main results are proved there.

2. Arithmetic of polynomials over algebras

When computing in an algebra Rof dimensionn over Fp, by “polynomial time” we

mean that the number ofFp-operations used is bounded above by a polynomial innand

logp, i.e., (nlogp)O(1)_{. We also say “efficient” to mean “polynomial time”.}

We say that an algebraRis explicitly given if we know a basis ofRand the product of any two basis elements expressed under the same basis. Thus addition and multiplication inRcan be done in polynomial time. Identity element and inverse of an invertible element inRcan also be computed efficiently by solving a system of linear equations overFp.

When factoring polynomials over Fp, we work in the algebra R = Fp[x]/(f) where

f ∈Fp[x] is squarefree and completely splitting. In this paper, we also work in extension

algebras ofR. These algebras are special cases of semisimple commutative algebras. In general, letFbe any field. We call an algebraRoverFan elementary algebraif there are

(4)

a unique basis overF such that addition and multiplication are computed componentwise

under this basis. Note that primitive idempotents ofRare unique.

A monic polynomialg∈ R[x] of degreenis called completely splitting ifg=Qn_i₌₁(x− Ci) for someCi∈ R, andgis called separable ifCi−Cj is not a zero divisor inRfor all

i6=j. For any elementary algebraRand anyg∈ R[x] monic, separable and completely splitting, it is easy to prove thatR[x]/(g) is an elementary algebra.

2.1. GCD of polynomials

In this section, we discuss the gcd concept of polynomials over an elementary algebra. At the surface, this does not seem to make any sense, since the polynomial ring over an elementary algebra is not an integral domain, not to mention a unique factorization domain. Due to the presence of zero divisors, a polynomial of degreenover an elementary algebra can be written as a product of polynomials of degrees greater thann. Hence one has to be very careful when dealing with the concept of gcd. It turns out that we can still use the usual definition of gcd and the Euclidean algorithm can be adapted to compute gcd of polynomials over an elementary algebra.

We need some terminology. LetR be an elementary algebra of dimension n over a fieldF with primitive idempotentsµ1, . . . , µn. For any elementA∈ R, there exist unique

elementsa1, . . . , an∈F such that

A= n

X

i=1

aiµi.

We callai theith canonical projection ofAinto F, denoted byAi. For any polynomial

f ∈ R[x],fi denotes the polynomial inF[x] with each coefficient being theith projection

of the corresponding coefficient off. Thusf =Pn_i₌₁fiµi.

Lemma 2.1. Let f, g∈ R[x]. Then

(a) (f+g)i=fi+gi,(f g)i=figi, for1≤i≤n; (b) f|g ifffi|gi for all 1≤i≤n;

(c) degfi= degf,1≤i≤n, iff the leading coefficient of f is invertible in R.

Proof.They follow directly from the fact thatPni=1µi= 1, and that, for anyA, B∈ R, (A+B)i=Ai+Bi, (AB)i=AiBi, 1≤i≤n.

(Addition and multiplication inRare computed componentwise.) 2

A direct consequence of this lemma is that one can characterize all the zero divisors in

R[x]: a polynomial is a zero divisor if and only if at least one of its canonical projections is zero.

We can now define gcd as follows. Letf, g ∈ R[x]. Any common divisor of f, g that is divisible by every common divisor is called a gcd off andg. We call a polynomial in

R[x]pseudo-monicif each of its canonical projections is either monic or 0.

Theorem 2.2. _{For any} _{f, g}∈ R_[_x_]_{, there is a unique pseudo-monic gcd of}_{f, g}_.

(5)

f, g, respectively. Let gcd(fi, gi) denote the conventional gcd, thus monic or zero. Then it is easy to check that the polynomial

n

X

i=1

gcd(fi, gi)µi. (2.1)

is a gcd off, gand is pseudo-monic (here we assume that gcd(0,0) = 0).

To prove the uniqueness, suppose thathis any gcd off, gwith all canonical projections monic or zero. We prove that thei-th projectionhiofhis equal to gcd(fi, gi), 1≤i≤n. As h|f and h|g, we have hi|fi and hi|gi andhi|gcd(fi, gi). Now let di be any common factor offi andgi, and let

d=µ1+· · ·µi₋1+diµi+µi+1+· · ·+µn.

Then d∈ R[x] divides both f and g. Thusd|hand consequently di|hi. Thereforehi = gcd(fi, gi). (Iffi=gi= 0 then we can take any polynomial asdi, sohi must be 0.) 2

We use gcd(f, g) to denote the unique pseudo-monic gcd off and g. By the above proof, gcd(f, g) is given by (2.1). Hence gcd(f, g) is monic iff the degree of gcd(fi, gi) is the same for all 1≤i≤n.

The next question is how to compute gcd(f, g) for any givenf, g∈ R[x]. If the primitive idempotents ofRare known then this is trivial, just using the Euclidean algorithm and the formula (2.1). In practice, we do not know them, andRis represented by some other basis. This does not present any difficulty at all. We can modify the Euclidean algorithm as follows.

Suppose thatf, g∈ R[x] with degf ≥deggand we want to compute gcd(f, g). If the leading coefficient ofg is invertible inR, then division byg can be carried out as usual without any trouble. Suppose that the leading coefficient, saya, ofg is a zero divisor in

R. We can first compute the identity elementsI1, I2 of the two subalgebras: R1={ra:r∈ R}, R2={r∈ R:ra= 0}.

Explicit bases for the two subalgebras can be computed by solving linear systems of equations overF. IfRis represented under the basis of primitive idempotentsµi’s and

a = a1µ1+· · ·+anµn, then R1 is generated by all the µi’s where ai’s are not zero,

andR2is generated by thoseµi’s whereai’s are zero. HenceR1 andR2 are orthogonal

complements inR, that is,R=R1⊕ R2 andr1r2= 0 for allr1∈ R1,r2∈ R2. Let

f1=f I1, g1=gI1∈ R1[x], f2=f I2, g2=gI2∈ R2[x].

Then

gcd(f, g) = gcd(f1, g1) + gcd(f2, g2).

Apply the algorithm recursively in the subalgebras to compute gcd(f1, g1) and gcd(f2, g2).

Note that the leading coefficient ofg1isaI1 and is invertible inR1and the degree ofg2

is smaller than the degree ofg, as aI2 = 0. When Ris an elementary algebra overFp,

(6)

2.2. Zero structure of polynomials

LetRbe an elementary algebra of dimension nover a fieldF with primitive

idempo-tentsµ1, . . . , µn. Letg∈ R[x] be completely splitting overR, i.e.,

g= m

Y

i=1

(x−Ci), Ci∈ R. (2.2)

We want to know how many zeroesghas inR, which set of zeroes form a decomposition (2.2) and how many different decompositionsghas.

Asµ1, . . . , µn form a basis forRoverF, there are unique elementscij∈F such that

Ci= n X j=1 cijµj, 1≤i≤m. For 1≤j≤n, define C[j] = {c1j, . . . , cmj}, gj = m Y i=1 (x−cij)∈F[x]. Lemma 2.3. _{An element}_A₌Pn j=1ajµj,aj ∈F, is a zero ofg iffaj∈C [j] for 1≤j≤ n. Hence g hasQn_j₌₁|C[j]_| _{different zeroes in}_R_.

Proof.Note that (x−A)|g iff (x−aj)|gj, 1≤j ≤n, and the latter is true iffaj∈C[j],

1≤j≤n. 2

Lemma 2.4. For1≤i≤m, letA_i=Pn

j=1aijµj ∈ Rwhereaij ∈F. Theng= Qm

i=1(x−

Ai)iff each column of them×nmatrix(aij)is a permutation of the corresponding column

of (cij). Therefore g has Q_jn₌₁kj different decompositions (2.2) over Rwhere kj is the

number of different permutations of thejth column of (cij). Proof.Note that

m Y i=1 (x−Ai) = n X j=1 m Y i=1 (x−aij) ! µj, and g= m Y i=1 (x−Ai) iff m Y i=1 (x−aij) =gj, 1≤j≤n.

AsQm_i₌₁(x−aij) andgj are polynomials over a field,a1j, . . . , amjmust be a permutation ofc1j, . . . , cmj, the roots ofgj. The lemma follows immediately. 2

Theorem 2.5. Let Rbe an elementary algebra of dimensionnover a field F with

prim-itive idempotents µ1, . . . , µn. Suppose that g=Q m

i=1(x−ci)∈F[x] wherec1, . . . , cm are

different elements inF. Then

(7)

(b) For1≤i≤m, letAi=

Pn

j=1aijµj ∈ Rwhereaij ∈F. Then g= Qm

i=1(x−Ai)iff

each column of them×nmatrix(aij)is a permutation of c1, . . . , cm.

Proof. It follows from Lemmas 2.3 and 2.4 and the fact that, for any element a ∈ F,

a=Pn_j₌₁aµj inR. 2

2.3. Characteristic polynomials

LetT be a commutative algebra of dimensionnover an elementary algebraR. For any

α∈ T, the characteristic polynomial ofαover Ris defined to be that of the mapping:

ξ 7→ αξ, ξ ∈ T, which is an R-module homomorphism. The characteristic polynomial of an element is invariant with respect to different bases. It can be computed with any explicitly given basis (α1, . . . , αn) ofT overRas follows. Compute

α·αi= n

X

j=1

mijαj, mij ∈ R, 1≤i≤n.

Then det(Inx−(mij)) is the characteristic polynomial ofα. The determinant can be computed in polynomial time (again, go to subalgebras when necessary).

Characteristic polynomials have a very simple formula under an orthogonal basis. By an orthogonal basis of T over R, we mean some elements µ1, . . . , µn such that T =

Rµ1⊕ · · · ⊕ Rµn andµiµj = 0 fori6=j andµ2i = 1 for all i. For anyα∈ T, there are unique elementsai∈ Rsuch thatα=

Pn

i=1aiµi. Note thatα·µi=aiµi, 1≤i≤n. We see that the characteristic polynomial ofαis

α(x) = n

Y

i=1

(x−ai)∈ R[x]. (2.3)

T may have many orthogonal bases overR, but the formula (2.3) is true for any of them. We will use this formula in Section 3 when analyzing our algorithms. As noted above, the polynomial in (2.3) can be computed in polynomial time by using any explicitly given basis, without knowing an orthogonal basis.

2.4. Finding roots and square balanced polynomials

LetRbe an elementary algebra of dimensionnover a finite fieldFq whereqis a prime

power. We need to efficiently computek-th roots of elements inRfor various integersk. Evdokimov (1994) shows that this can be done under ERH in (nklogq)O(1)operations in

Fq, where ERH is used only to construct anr-th power nonresidue inFq for every prime

divisorrof gcd(k, q−1). Evdokimov’s algorithm is a direct generalization of Adleman, Manders and Miller (1977) and Pohlig and Hellman (1978).

We describe a slightly modified version of Evdokimov’s algorithm here so that we can observe some of its properties. These properties will be useful later in analyzing the algorithms in Section 3. It suffices to show how to find an r-th root of an arbitrary element inRfor any primer. Ifris coprime toq−1 thenAs_{is an}_r_{-th root of}_A_where

sr≡1 modq−1. So we assume henceforth thatris a prime andr|(q−1). Suppose that

q−1 =re_w_where_r

-w. Letηbe a fixed primitiver

e_{-th root of unity in}

Fq. We remark

thatη can be taken asξw _{for any primitive root or}_r_{-th nonresidue}_ξ_in

Fq andξcan be

(8)

Note that an elementa∈Fq has anr-th root in Fq iff a= 0 or a

(q−1)/r _{= 1. When}

a6= 0, writeaas

a=ηu_θ for some integer u with 0 ≤ u < re _and _θ _∈

Fq with θ

w _{= 1. Then} _a(q−1)/r _{= 1 iff}

r|u. To see what happens inR, letµ1, . . . , µn be the primitive idempotents of R over

Fq and A = Pn

i=1aiµi where ai ∈Fq. For any B = Pn

i=1biµi where bi ∈ Fq, we have

br₌Pn

i=1briµi. SoBr=Aiffbri =ai for 1≤i≤n. The latter is true iffa

(q₋1)/r i = 0 or 1 for 1≤i≤n, i.e.,A(q−1)/r is an idempotent inR(each component is 0 or 1).

Now we show how to find roots of A. If ai = 0 for some i then certainly bi = 0. So we only need to work with the nonzero components of A. Consider the subalgebra

RA ={CA: C∈ R}. LetI be the identity element of RA. Then A·I is invertible in

RA and anr-th root ofA·I inRAis anr-th root ofAin R.

Henceforth we assume that A ∈ R is invertible. We assume that an r-th root of A

exists inR, which means thatA(q₋1)/r _{is the identity element 1 in} _R_{. Find integers} _s andtsuch thatsre₊_tw_{= 1. Then}

A=Atw(Asre−1)r.

It suffices to find an r-th root of Atw_{. Denote ¯}_A ₌_Atw_{. Note that ¯}_Are _{= (}_Aq−1₎t_{= 1.} Find the smallest integerk≥0 such that ¯Ark

∈Fq. Then ¯A

rk

is a power ofη. Use Pohlig and Hellman’s algorithm to find an integerusuch that

¯

Ark=ηu.

SinceAhas anr-th root inR,umust be divisible byr. Ifk= 0 thenηu/r_{is an}_r_{-th root} of ¯A. Ifk > 0, then find a zero divisor inRas follows. Let B = ¯Ark−1 _and _ζ ₌_ηre−1_. ThenB6∈Fq andζ is a primitiver-th root of unity. Note that

Bη−u/r6∈Fq and (Bη

−u/r )r= 1.

We have r+ 1 distinct r-th roots of unity in R, i.e., 1, ζ, . . . , ζr−1 _and _Bη−u/r_{. So}

Bη−u/r₋_ζi _{is a zero divisor in} _R_{for some 0}_≤_{i < r}_{. We find this} _i _{by an exhaustive} search. LetD=Bη−u/r₋_ζi _and

R1=RD={DC:C∈ R}, R2={C∈ R:DC= 0}.

ThenR1 and R2 are nontrivial subalgebras of RandR=R1⊕ R2. Explicit bases for R1 and R2 can be computed by solving systems of linear equations. We next compute

¯

A = A1+A2 where A1 ∈ R1 and A2 ∈ R2, and proceed recursively in R1 and R2,

respectively, to computer-th roots ofA1 andA2. The whole process can be finished in

time polynomial inr, nand logq.

Let σr denote the above algorithm for computing r-th roots by using η ∈ Fq as a

primitive re_{-th root of unity. Denote by} _σ_r(_A₎ _{∈ R}_{the output of} _σ

r on input A∈ R. Then (σr(A))r₌_A_if_A_{has an}_r_{-th root in}_R_{. When}_q_≡_{3 mod 4,}_η _{has only one choice,} namely,η=−1. In this case,σ2 is nothing but the formula:σ2(A) =A(q+1)/4 provided

thatAhas a quadratic root inR. In general, observe that the only operations inσronA are powering and canonical projections into subalgebras. We see thatσracts individually to each component under the primitive idempotent basis overFq.

Lemma 2.6. Given a primitive re-th rootη of unity inFq whereq−1 =r

(9)

r-w, the algorithm σr runs in polynomial time inr,logqandn= dimR. Furthermore,

σr has the following properties:

(a) σr(aA) =σr(a)A for a∈Fq, ifA∈ Ris idempotent, i.e.,A 2

=A.

(b) σr(A+B) =σr(A) +σr(B), if A, B∈ Rare orthogonal, i.e., AB= 0.

(c) Letµ1, . . . , µn be primitive idempotents inRandA=P n i=1aiµi ∈ Rwhereai∈Fq. Then σr(A) = n X i=1 σr(ai)µi. (d) Let a = ηuθ where θ ∈ Fq with θ

w

= 1 and 0 ≤ u < re. Then σr(ar) = a iff

u < re−1.

(e) Supposeqis odd and a∈Fq\ {0}. Then σ2(a

2_{) =}_±_a_.

Proof. Properties (a) and (b) follow from the fact that σr acts individually to each primitive component of Rover Fq. (c) follows from (a) and (b). To see (d), writeu=

u0re−1+u1where 0≤u1< re−1 and 0≤u0≤r−1. As

ar=ηu0re+ru1_θr₌_ηru1_θr_,

we see thatσr(ar) =ηu1_θ_{, which is equal to}_a_iff_u₌_u

1, i.e.,u < re−1. This proves (d).

Whenr= 2, we haveη2e−1 ₌₋_{1, so}_ηu02e−1 _{= (}−₁₎u0 ₌±_{1 depending on}_u

0= 0 or 1.

Henceσ2(a2) =ηu1θ=±a, which is part (e). 2

Whenq≡3 mod 4,η =−1 and the property (e) reads as:σ2(a2) =afora∈Fq iffa

is a square inFq, and σ2(a 2

) =−aiffais not a square in Fq.

This leads to the concept of square balanced and mutually square balanced sets for generalqmentioned in the introduction. Letσ2be the above deterministic algorithm for

computing quadratic roots using a primitive 2e-th rootη of unity inFq where 2

e divides

q−1 exactly. A subsetF ⊂Fq of cardinalityn >1 is calledsquare balanced with respect

toη if, for eachξ∈F,

#ζ∈F :ζ=6 ξ, σ2 (ξ−ζ)2

=ξ−ζ =n−1 2 .

Two sets F1, F2 ⊂ Fq, each with cardinality at least two, are called mutually square

balanced with respect toη if for eachξ∈F1,

#ζ∈F2:σ2 (ξ−ζ)2

=ξ−ζ

is the same for allξ∈F1, and similarly for ξ∈F2and ζ∈F1.

Whenq≡3 mod 4, this definition agrees with the one given in the introduction. When

q≡1 mod 4, however,σ2 (ξ−ζ)2

=ξ−ζ does not imply thatξ−ζ is a square inFq.

Also, there are many choices forηand it is possible that a subset ofFqis square balanced

with respect to one choice but not to another. For example,q = 17 and F ={1,4,5}. Then F is square balanced with respect toη = 3 but not to η = 6. We often omit the reference toη when it is fixed or clear from the context.

As squarefree and completely splitting polynomials inFq[x] are in 1-1 correspondence

to subsets of Fq, we also say that a squarefree and completely splitting polynomial is

square balancedif the set of its roots is square balanced. We construct an infinite family of square balanced polynomials.

(10)

Lemma 2.7. Let n > 1 be an odd factor of q−1. Then the polynomial f =xn −1 is

always square balanced (with respect to any η).

Proof.Letξbe a primitiven-th root of unity inFq. Then

f=xn−1 = nY−1

i=0

(x−ξi).

Letq−1 = 2e_w_where _w_{is odd and}_η _{a 2}e_{-th primitive root of unity in}

Fq. Define

D=0≤j≤n−1 :j6= 0, σ2 (1−ξj)2

= 1−ξj .

For anyi6=j, suppose that 1−ξj−i ₌_ηu_θ_where _θ_∈

Fq withθ

w_{= 1. As the order}_n_of

ξis an odd factor ofq−1, we haven|wand soξw_{= 1. Hence}

ξi−ξj=ξi(1−ξj−i) =ηu(ξiθ) with (ξi_θ₎w_{= 1. By Lemma 2.6 (d),} σ2 (1−ξj−i)2 = 1−ξj−i iff σ2 (ξi−ξj)2 =ξi−ξj,

as each of which holds iffu <2e−1_{. For 0}_≤_i_≤_n₋_1,

Di = 0≤j≤n−1 :j6=i, σ2 (ξi−ξj)2 =ξi−ξj = 0≤j≤n−1 :j=6 i, σ2 (1−ξj−i)2 = 1−ξj−i = {j:j−i∈D}=D+i.

Therefore|D|=|D1|=· · ·=|Dn−1|. Lett=|D|. Note that, fori6=j, σ2 (ξi−ξj)2

=

ξi−ξj iffσ2 (ξj−ξi)2

=−(ξj−ξi), soj∈Diiffi6∈Dj. By counting the pairsj∈Di, we havent=n(n−1)/2 and thust= (n−1)/2. This proves the theorem. 2

Finally, letc >1 be a constant andF a subset of Fq with cardinalityn >1. We say

thatF isc-super square balancedif the following three conditions are satisfied: (i) For each 1≤k≤(nlogq)c_,_F

k has cardinalitynand is square balanced; (ii) The setsFk, 1≤k≤(nlogq)c, are pairwise disjoint;

(iii) The setsFk, 1≤k≤(nlogq)c, are pairwise mutually square balanced.

A squarefree and completely splitting polynomial inFq[x] is calledc-super square balanced

if its set of roots inFq isc-super square balanced. The polynomialx

n₋_{1 above is square} balanced but not 2-super square balanced, as (ii) is violated fork= 1 and 2.

3. Algorithms and Analysis

Suppose that we want to factorf ∈Fp[x] of degreenwheref hasndifferent roots in Fp, say f = n Y i=1 (x−ξi), ξi∈Fp. Let R=Fp[x]/(f) =Fp[A]

(11)

whereA=xmodf. Then 1, A, . . . , An−1 _{form an explicit basis for}_R_over

Fp. Define

f∗(y) =f(y)/(y−A)∈ R[y] andT =R[y]/(f∗) =R[B]

where B = ymodf∗. Then 1, B, . . . , Bn−2 form an explicit basis for T over R, and

AiBj, 0≤i≤n−1, 0≤j≤n−2, form an explicit basis forT overFp.

Letη be a fixed 2e-th primitive root of unity inFp where 2

e

dividesp−1 exactly, and letσbe the deterministic algorithmσ2from Section 2.4 for computing quadratic roots in T. That is, ifC∈ T is a square thenσ(C) is the output of the algorithm which satisfies (σ(C))2=C. The main idea of our algorithms is to employ the property ofσas stated in Lemma 2.6 (c). This property says that, when applied to an elementC ∈ T, σ acts individually to the coordinates ofC under the primitive idempotent basis ofT overFp,

and so σ (A−B)2₆₌_±₍_A₋_B_{) in general. Such a case usually enables one to find a}

zero divisor inRand thus a proper factor off, via the characteristic polynomial and gcd techniques discussed in Section 2. The construction ofC in Step 1 below was motivated by Evdokimov (1994).

Algorithm 3.1

Input:f ∈Fp[x] squarefree and completely splitting overFp wherepis an odd prime,

Output: a proper factor off or “Failure”. 0. FormA,B,R,T as described above.

1. ComputeC= 1₂ A+B+σ((A−B)2)∈ T.

2. Compute the characteristic polynomialc(z) ofCoverR.

3. Decomposec(z) asc(z) =h(z)(z−A)t_where_t _{is the largest possible.} SetH =h(A)∈ R. ThenH 6= 0.

4. IfH is a zero divisor inRthen find a proper factor off, otherwise output “Failure”.

Theorem 3.1. Algorithm 3.1 terminates in polynomial time under ERH, and outputs

“Failure” if and only iff is square balanced.

Proof.Consider the running time first. By Lemma 2.6,σfinds a quadratic root of (A−B)2

in polynomial time provided thatη is given. But η can be constructed efficiently under ERH. So Step 1 can be done in polynomial time under ERH. Steps 2 and 3 can also be finished in polynomial time. For Step 4, one just viewsH ∈ R as a polynomial inFp[x]

and computes gcd(H, f). Note that gcd(H, f) is a proper factor off if and only ifH is a zero divisor in R. So this step can be done in polynomial time too. Hence the whole algorithm runs in polynomial time under ERH. (ERH was used only to constructη.)

To prove the other statement, define

ti= #

1≤j≤n:j 6=i, σ (ξi−ξj)2

=ξi−ξj ,1≤i≤n. (3.1) We prove that theH in step 3 is not a zero divisor inRif and only ift1=· · ·=tn, and

this common value ofti must equal (n−1)/2.

For this purpose, we examine the elementC ∈ T obtained in Step 1 and characterize the set of zeroes of the polynomialc(z) inR. Order the primitive idempotentsµ1, . . . , µn ofRsuch that A= n X i=1 ξiµi.

(12)

For 1≤j≤n−1, let Bj = n X i=1 bjiµi∈ R,

wherebji∈ {ξ1, . . . , ξn}such that (ξi, b1i, . . . , bn−1i) is a permutation of (ξ1, ξ2, . . . , ξn)

for each 1≤i≤n. Then, by Theorem 2.5,

f(y) = (y−A) nY−1 j=1 (y−Bj), f∗(y) = nY−1 j=1 (y−Bj). Define νj= Y k6=j (B−Bk)/Y k6=j (Bj−Bk), 1≤j≤n−1. Then B = n₋1 X j=1 Bjνj, and n−1 X i=1 νi= 1, νiνj= νi, ifi=j, 0, otherwise. Thusν1, . . . , νn₋1 form an orthogonal basis forT overR. Note that

A±B= n₋1 X j=1 (A±Bj)νj, and C= n₋1 X j=1 1 2 (A+Bj) +σ (A−Bj) 2 νj. By (2.3), the characteristic polynomial ofC overRis

c(z) = n_Y−1 j=1 z−1 2 A+Bj+σ (A−Bj) 2 ! = n_Y−1 j=1 z−1 2 n X i=1 (ξi+bji)µi+σ _Xn i=1 (ξi−bji)2µi !! = n_Y−1 j=1 n X i=1 z−1 2 ξi+bji+σ (ξi−bji)2 µi = n X i=1 n_Y−1 j=1 z−1 2 ξi+bji+σ (ξi−bji)2 µi = n X i=1 Y j6=i z−1 2 ξi+ξj+σ (ξi−ξj)2 µi,

(13)

since (ξi, b1i, . . . , bn−1i) is a permutation of (ξ1, ξ2, . . . , ξn). Note that 1 2 ξi+ξj+σ (ξi−ξj)2 = ξi, ifσ (ξi−ξj)2 =ξi−ξj, ξj, ifσ (ξi−ξj)2 =−(ξi−ξj). For 1≤i≤n, define ∆i = 1≤j≤n:j6=i, σ (ξi−ξj)2 =−(ξi−ξj) , ¯ ∆i = 1≤j≤n:j6=i, σ (ξi−ξj)2 =ξi−ξj . Thenti= # ¯∆i and

c(z) = n X i=1 (z−ξi)ti Y j∈∆i (z−ξj)µi. (3.2) Since z−A= n X i=1 (z−ξi)µi,

we see from Lemma 2.1 (b) that theein step 3 is equal to min{t1, . . . , tn}and

h(z) = n X i=1 (z−ξi)ti−t Y j∈∆i (z−ξj)µi, H=h(A) = n X i=1 (ξi−ξi)ti−t Y j∈∆i (ξi−ξj)µi. Ifti> tfor someithen the coefficient ofµiis zero, soH is a zero divisor inR. Obviously,

H is not a zero divisor inRif and only ifti=t for 1≤i≤n.

It remains to prove that ift1=· · ·=tn=t thent= (n−1)/2. Note that

σ (ξi−ξj)2

=ξi−ξj iff σ (ξj−ξi)2

=−(ξj−ξi) for all i6=j.

Each pair (i, j), 1≤i < j≤n, contributes to either ti ortj but not both. This implies that nt= n X i=1 ti=n(n−1)/2. Thereforet= (n−1)/2. 2

Corollary 3.2. (R´onyai 1992) _{If the degree}_n_of _f _{is even, then Algorithm 3.1 finds}

a proper factor off.

When theti’s are not equal, we can refine Algorithm 3.1 to get more proper factors of

f. The polynomialc(z) from Step 2 contains enough information to separate ξi from ξj wheneverti6=tj. More precisely, we have the following algorithm and theorem.

Algorithm 3.2

Input:f ∈Fp[x] squarefree and completely splitting overFp.

Output: a list of factors off.

0. FormA,B,R,T as described above.

1. ComputeC= 1₂ A+B+σ((A−B)2₎_{∈ T}_.

2. Compute the characteristic polynomialc(z) ofCoverR. 3. Computed(z) = gcd(c(z),(z−A)n₎_{∈ R}_[_z_].

(14)

Setdn=f.

Forkfrom n−1 down to 0 do

Computedk= gcd(Dk, dk+1) (Dk is viewed as a polynomial inFp[x]).

Setfk =dk+1/dk.

Returnf0, f1, . . . , fn₋1.

Theorem 3.3. Under ERH, Algorithm 3.2 factors f asf =f₀f₁· · ·f_n₋₁ in polynomial

time with

fk(x) =

Y 1≤i≤n,ti=k

(x−ξi)∈Fp[x],0≤k≤n−1, (3.3)

where theti’s are defined as in (3.1) and an empty product is assumed to be1.

Proof.Obviously Step 3 can be finished in polynomial time. By the proof of Theorem 3.1, Steps 1 and 2 can be done in polynomial time under ERH. Therefore Algorithm 3.2 runs in polynomial time under ERH.

We prove that the fk computed by Algorithm 3.2 is the same as in (3.3). Use the notations in the proof of Theorem 3.1. Since

(z−A)n= n

X

i=1

(z−ξi)nµi, it follows from (2.1) and (3.2) that

d(z) = n X k=0 Dkzk= gcd c(z),(z−A)n = n X i=1 (z−ξi)ti_µ i. Write Dk = n X i=1 dikµi, dik∈Fp.

Since thei-th canonical projection ofd(z) has degreeti, we see that

dik= 0, ifk > ti. For any D =Pn_i₌₁diµi ∈ R, di ∈ Fp, gcd(D, f) =

Q

di=0(z−ξi). By induction onk

(fromn−1 down to 0), we have

dk+1 = Y 1≤i≤n,ti≤k (z−ξi), dk = gcd(Dk, dk+1) = Y 1≤i≤n,ti<k (z−ξi). Therefore fk =dk+1/dk = Y 1≤i≤n,ti=k (z−ξi).

This completes the proof. 2

Next we apply Algorithms 3.1 and 3.2 to many polynomials related tof to obtain a much stronger result. For any integer k >0, define f(k) _∈

Fp[x] to be the polynomial

(15)

splitf(k)_{. If a proper factor of}_f(k)_{is found then use it to get a proper factor of}_f_{. We show}

that this can be done in polynomial time whenkis small. We can apply this for many, even all values ofksuch thatk≤(nlogp)O(1)_{, and the total running time is still polynomial.}

We also apply Algorithm 3.2 to polynomialsf(k)_·_f(`)_{for 0}_{< k, `}_≤₍_n_log_p₎O(1)_{. Since}

f(k)_·_f(`)_{has even degree 2}_n_{, Algorithm 3.2 will output some proper factors of}_f(k)_·_f(`)_.

If for some pair ofk and `, there is one factor not equal to f(k) _nor _f(`)_{, then we can}

compute a proper factor of f(k) or f(`), thus a proper factor of f. To materialize this scheme, we need to show how to computef(k)efficiently and how to get a proper factor off when given a proper factor off(k).

First note thatf(k)(x) = resy(f(y), x−yk) where resy denotes the resultant of poly-nomials with respect to the variabley. Sof(k) can be computed in time polynomial in

k, nand logp.

Lemma 3.4. Given a proper factor of f(k), we can find a proper factor of f in time

polynomial ink, n andlogpassuming ERH.

Proof.Lethbe a given proper factor off(k)_{. Without loss of generality, we may assume}

thathis squarefree and

h= `

Y

i=1

(x−ξik). LetK⊂Fp be the subset

K={β∈Fp :β

k = 1}.

The setKcan be computed in time polynomial inkand logpby factoring the polynomial

xk₋_{1 under ERH (Huang 1991). Form}_T ₌

Fp[x]/(h), andA=xmodh. Compute ak-th

rootH ofAinT by the algorithm in Section 2.4. Letg be the characteristic polynomial ofH in T overFp. Then there existai∈K such that

g= `

Y

i=1

(x−aiξi). For eacha∈K, compute

f0= gcd f(x), g(ax)

.

Ifa=ai then (x−ξi)|f0. Sinceghas degree` < n, thisf0is a proper factor off. Under

ERH, all these can be done in time (knlogp)O(1)_.

2

Lemma 3.5. Supposef ∈Fp[x]is squarefree and completely splitting. LetR=Fp[x]/(f)

andA=xmodf. For an integerk, if Ak ₆₌_A_{and the characteristic polynomial of} _Ak

overFp is equal tof then A7→A

k _{induces a nontrivial endomorphism of}_R_.

Proof. Since f is the minimal polynomial of A overFp, we just need to check whether

f(Ak_{) = 0, but it is true as}_f _{is equal to the characteristic polynomial of}_Ak _over

Fp by

our assumption. 2

We also need the following result:

(16)

square-free and completely splitting, together with a nontrivial endomorphism of the algebra

Fp[x]/(f), a proper factor off can be found in polynomial time under ERH.

We are now ready to describe our next algorithm. Algorithm 3.3

Input:f ∈Fp[x] of degreen, squarefree and completely splitting overFp,

and a constantc >1.

Output: a proper factor off or “Failure”. 0. FormR=Fp[A] whereA=xmodf.

Apply Algorithm 3.1 tof. If a proper factor of f is found then halt. 1. For each integer 1< k≤(nlogp)c, computeAk ∈ R.

1.1. If Ak=Athenf is a factor of xk−1−1; factorf (by factoring xk−1−1) and halt. Otherwise, compute the characteristic polynomialf(k)_of_Ak _over

Fp.

1.2. If f(k)_{is not squarefree, find a proper factor of} _f(k)_{and then}

Find a proper factor off and halt.

1.3. Computed= gcd(f, f(k)_{). If}_d₆_{= 1 or}_f _{then output}_d_{and halt.}

Ifd=f thenf =f(k) _{and, by Lemma 3.5,}_A_7→_Ak _induces

a nontrivial endomorphism ofR; find a proper factor of f and halt. 1.4. Apply Algorithm 3.1 to the polynomial f(k). If it outputs a proper factor

off(k)_{then find a proper factor of}_f _{and halt.}

2. For each integer pair 0< k < `≤(nlogp)c _{do the following:} 2.1. Computed= gcd(f(k)_{, f}(`)_).

Ifdis a proper factor then use it to find a proper factor off and halt. Ifd=f(k)=f(`)then eitherAk =A` (so the roots off are (`−k)-th roots of unity inFp) orA

k _7→

A` induces a nontrivial automorphism ofR; in both cases, find a proper factor off and halt.

2.2. Apply Algorithm 3.2 to g=f(k)_·_f(`)_∈

Fp[x] to get a list of factors ofg.

2.3. For each factorhin the list, computeu= gcd(h, f(k)_{) and}_v_{= gcd(}_{h, f}(`)_).

Ifuorv is a proper factor off(k) orf(`), respectively, then use it to find a proper factor off and halt. Otherwise, output “Failure”.

Theorem 3.7. Algorithm 3.3 runs in polynomial time under ERH, and outputs

“Fail-ure” if and only iff isc-super square balanced.

Proof.Consider first the running time under ERH. Step 0 can be done in polynomial time by Theorem 3.1. For eachk, all the other steps can be finished in polynomial time: 1.1 by Huang (1991), 1.2 by Lemma 3.4, 1.3 by Lemma 3.6, 1.4 by Theorem 3.1 and Lemma 3.4, 2.1 by Huang (1991) and Lemma 3.6, 2.2 by Theorem 3.3, and 2.3 by Lemma 3.4. These steps are repeated for polynomially many values ofk. Therefore Algorithm 3.3 runs in polynomial time under ERH.

Now suppose that Algorithm 3.3 outputs “Failure”. We prove thatf isc-super square balanced, i.e., the three conditions(i), (ii)and(iii)at the end of Section 2.4 are satisfied. Note thatFk is the set of the roots off(k). The algorithm does not halt at Step 0 means thatF1is square balanced. For eachk >1, Steps 1.1, 1.2, 1.3 make sure thatf(k)has no

(17)

disjoint fromF1 for allk >1. To pass Step 1.4,Fk has to be square balanced. Hence the condition(i) is satisfied. Step 2.1 makes sure that thatf(k) _and _f(`) _{have no common}

roots, i.e.,Fk is disjoint fromF`, hence (ii)holds. Note that both Ak andA` generate the ring Rover Fp, as their minimal polynomials f

(k) _and _f(`) _over

Fp have degree n.

Hence Ak _7→_A` _{induces an automorphism of} _R_{. In the following, we prove that if Step} 2.3 does not find a proper factor off then(iii)must be satisfied.

At the start of Step 2.2,g is squarefree and completely splitting overFp. Fk ∪F` is

the set of roots of g. Also,Fk andF` are both square balanced. We need to determine when the u and v computed in Step 2.2 are both trivial factors. Order the roots of

g=f(k)·f(`)asη1, η2, . . . , η2nwhereηi =ξi`for 1≤i≤nandηi=ξki−n forn < i≤2n. For 1≤i≤2n, let ti= # 1≤j≤2n:j =6 i, σ (ηi−ηj)2 =ηi−ηj . For 1≤i≤n, define ui = # 1≤j ≤n:σ (ξi`−ξ k j) 2 =ξi`−ξ k j , vi = # 1≤j ≤n:σ (ξik−ξ ` j) 2 =ξik−ξ ` j . Then, for 1≤i≤n, ti = # 1≤j ≤n:j6=i, σ (ξ`i−ξj)` 2 =ξi`−ξj` + #1≤j≤n:σ (ξi`−ξ k j) 2 =ξ`i−ξ k j = n−1 2 +ui, and ti+n = # 1≤j≤n:σ (ξki −ξ ` j) 2 =ξik−ξ ` j + #1≤j≤n:j6=i, σ (ξik−ξ k j) 2 =ξik−ξ k j = vi+ n−1 2 , sinceFk andF` are square balanced.

Suppose thatu1, . . . , un are not equal. Thent1, . . . , tn are not equal. By Theorem 3.3, the rootsη1 =ξ1`, . . . , ηn=ξn` of g, and off(`), are separated. That is, there is a factor

hin the list from Step 2.2 such that gcd(h, f(`)_{) is a proper factor of} _f(`)_{. Similarly, if}

v1, . . . , vn are not equal then Step 2.3 will find a proper factor off(k)for some hin the list. Therefore if no proper factor off(`)_or_f(k)_{is found at Step 2.3 then}_u

1=· · ·=un andv1=· · ·=vn, that is,Fk andF` are mutually square balanced. Hence(iii)holds.

Conversely, if (i), (ii)and (iii)are satisfied, then one can see from the above proof that Algorithm 3.3 will not be able to find an proper factor off, thus output “Failure”.

2

If we takec= 6, then Theorem 3.7 gives the result in the introduction forp≡3 mod 4. The theorem suggests an interesting number theory problem on the existence ofc-super square balanced subsets in Fp. Ifc is large enough, then it is very likely that there are

no such subsets inFp. We believe thatc= 6 suffices.

Conjecture.For any primepand any integern >1, there are no super square balanced subsets in Fp of cardinalityn.

(18)

A confirmation to the conjecture implies that, under ERH, polynomials over finite fields can be factored deterministically in polynomial time.

Finally, we remark that it is possible to apply Algorithm 3.2 to extensions of R =

Fp[x]/(f) and obtain an interesting connection of the problem of factoring polynomials to

a combinatorial structure called Hadamard designs. It may be possible that this approach will render the problem to combinatorial attacks. The details will be given elsewhere.

Acknowledgement. The author would like to thank Professor Joachim von zur Gathen for his encouragement and insightful discussions. Thanks also go to Professors Andrew Granville and Carl Pomerance for helpful suggestions and comments on the paper, particularly, Professor Pomerance suggested the use of super square balanced sets. Finally, the detailed comments and questions from an anonymous referee greatly improved the presentation of the paper.

References

Adleman, L., Manders, K., Miller, G. (1977). On taking roots in finite fields. InProc. 18th IEEE Symp. Foundations of Computer Science(Providence, R.I., 1977) :175–178.

Bach, E. (1997). Comments on search procedures for primitive roots.Math. Comp.,66:1719–1727. Bach, E., von zur Gathen, J., Lenstra, H. (1995). Deterministic factorization of polynomials over special

finite fields. Preprint.

Berlekamp, E. R. (1967). Factoring polynomials over finite fields. Bell System Tech. J.,46:1853–1859. Berlekamp, E. R. (1970). Factoring polynomials over large finite fields. Math. Comp.,24:713–735. Camion, P. (1983). A deterministic algorithm for factorizing polynomials ofFq[x]. Ann. Discr. Math.,

17:149–157.

Evdokimov, S. A. (1989). Factorization of a solvable polynomial over finite fields and the generalized Riemann hypothesis. Zapiski Nauchnyck Seminarov LOMI,176:104–117.

Evdokimov, S. A. (1994). Factorization of polynomials over finite fields in subexponential time under GRH. InProceedings of the 1994 Algorithmic Number Theory Symposium(Adleman, L. M., Huang, M.-D., editors), Ithaca, New York. Lecture Notes in Computer Science, Berlin, Springer-Verlag, 1994 :209–219.

von zur Gathen, J. (1987). Factoring polynomials and primitive elements for special primes. Theoret. Computer Science,52:77–89.

von zur Gathen, J., Shoup, V. (1992). Computing Frobenius maps and factoring polynomials.Comput. Complexity,2:187–224.

Huang, M. A. (1991). Generalized Riemann hypothesis and factoring polynomials over finite fields. J. Algorithms,12:464–481.

Kaltofen, E., Shoup, V. (1998). Subquadratic-time factoring of polynomials over finite fields. Math. Comp.,67:1179–1197.

Mignotte, M., Schnorr, C.-P. (1988). Calcul déterministe des racines d’un polynôme dans un corps fini. Comptes Rendus Académie des Sciences (Paris),306:467–472.

Moenck, R. T. (1977). On the efficiency of algorithms for polynomial factoring.Math. Comp.,31:235– 250.

Pohlig, S. C., Hellman, M. E. (1978). An improved algorithm for computing logarithms overGF(p) and its cryptographic significance.IEEE-IT,IT-24:106–110.

Rónyai, L. (1988). Factoring polynomials over finite fields. J. Algorithms,9:391–400. Rónyai, L. (1989). Factoring polynomials modulo special primes. Combinatorica,9:199–206. Rónyai, L. (1992). Galois groups and factoring over finite fields.SIAM J. Discrete Math.,5:345–365. Wan, D. (1996). Notes on factoring polynomials and zeta functions over finite fields. Preprint. Wang, Y. (1959). On the least primitive root of a prime. Acta. Math. Sinica, 9:432–441 (Chinese).

Scientia Sinica,10(1961) :1–14 (English translation).