Berlekamp's algorithm

Last updated September 03, 2023

In mathematics, particularly computational algebra, Berlekamp's algorithm is a well-known method for factoring polynomials over finite fields (also known as Galois fields). The algorithm consists mainly of matrix reduction and polynomial GCD computations. It was invented by Elwyn Berlekamp in 1967. It was the dominant algorithm for solving the problem until the Cantor–Zassenhaus algorithm of 1981. It is currently implemented in many well-known computer algebra systems.

Overview

Berlekamp's algorithm takes as input a square-free polynomial $f(x)$ (i.e. one with no repeated factors) of degree $n$ with coefficients in a finite field $\mathbb {F} _{q}$ and gives as output a polynomial $g(x)$ with coefficients in the same field such that $g(x)$ divides $f(x)$ . The algorithm may then be applied recursively to these and subsequent divisors, until we find the decomposition of $f(x)$ into powers of irreducible polynomials (recalling that the ring of polynomials over a finite field is a unique factorization domain).

All possible factors of $f(x)$ are contained within the factor ring

R={\frac {\mathbb {F} _{q}[x]}{\langle f(x)\rangle }}.

The algorithm focuses on polynomials $g(x)\in R$ which satisfy the congruence:

g(x)^{q}\equiv g(x){\pmod {f(x)}}.\,

These polynomials form a subalgebra of R (which can be considered as an $n$ -dimensional vector space over $\mathbb {F} _{q}$ ), called the Berlekamp subalgebra. The Berlekamp subalgebra is of interest because the polynomials $g(x)$ it contains satisfy

f(x)=\prod _{s\in \mathbb {F} _{q}}\gcd(f(x),g(x)-s).

In general, not every GCD in the above product will be a non-trivial factor of $f(x)$ , but some are, providing the factors we seek.

Berlekamp's algorithm finds polynomials $g(x)$ suitable for use with the above result by computing a basis for the Berlekamp subalgebra. This is achieved via the observation that Berlekamp subalgebra is in fact the kernel of a certain $n\times n$ matrix over $\mathbb {F} _{q}$ , which is derived from the so-called Berlekamp matrix of the polynomial, denoted ${\mathcal {Q}}$ . If ${\mathcal {Q}}=[q_{i,j}]$ then $q_{i,j}$ is the coefficient of the $j$ -th power term in the reduction of $x^{iq}$ modulo $f(x)$ , i.e.:

x^{iq}\equiv q_{i,n-1}x^{n-1}+q_{i,n-2}x^{n-2}+\ldots +q_{i,0}{\pmod {f(x)}}.\,

With a certain polynomial $g(x)\in R$ , say:

g(x)=g_{n-1}x^{n-1}+g_{n-2}x^{n-2}+\ldots +g_{0},\,

we may associate the row vector:

g=(g_{0},g_{1},\ldots ,g_{n-1}).\,

It is relatively straightforward to see that the row vector $g{\mathcal {Q}}$ corresponds, in the same way, to the reduction of $g(x)^{q}$ modulo $f(x)$ . Consequently, a polynomial $g(x)\in R$ is in the Berlekamp subalgebra if and only if $g({\mathcal {Q}}-I)=0$ (where $I$ is the $n\times n$ identity matrix), i.e. if and only if it is in the null space of ${\mathcal {Q}}-I$ .

By computing the matrix ${\mathcal {Q}}-I$ and reducing it to reduced row echelon form and then easily reading off a basis for the null space, we may find a basis for the Berlekamp subalgebra and hence construct polynomials $g(x)$ in it. We then need to successively compute GCDs of the form above until we find a non-trivial factor. Since the ring of polynomials over a field is a Euclidean domain, we may compute these GCDs using the Euclidean algorithm.

Conceptual algebraic explanation

With some abstract algebra, the idea behind Berlekamp's algorithm becomes conceptually clear. We represent a finite field ${\textstyle \mathbb {F} _{q}}$ , where ${\textstyle q=p^{m}}$ for some prime ${\textstyle p}$ , as ${\textstyle \mathbb {F} _{p}[y]/(g(y))}$ . We can assume that ${\textstyle f(x)\in \mathbb {F} _{q}[x]}$ is square free, by taking all possible pth roots and then computing the gcd with its derivative.

Now, suppose that ${\textstyle f(x)=f_{1}(x)\ldots f_{n}(x)}$ is the factorization into irreducibles. Then we have a ring isomorphism, ${\textstyle \sigma$ , given by the Chinese remainder theorem. The crucial observation is that the Frobenius automorphism ${\textstyle x\to x^{p}}$ commutes with ${\textstyle \sigma }$ , so that if we denote ${\textstyle {\text{Fix}}_{p}(R)=\{f\in R:f^{p}=f\}}$ , then ${\textstyle \sigma }$ restricts to an isomorphism ${\textstyle {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f(x)))\to \prod _{i=1}^{n}{\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f_{i}(x)))}$ . By finite field theory, ${\textstyle {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f_{i}(x)))}$ is always the prime subfield of that field extension. Thus, ${\textstyle {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f(x)))}$ has ${\textstyle p}$ elements if and only if ${\textstyle f(x)}$ is irreducible.

Moreover, we can use the fact that the Frobenius automorphism is ${\textstyle \mathbb {F} _{p}}$ -linear to calculate the fixed set. That is, we note that ${\textstyle {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f(x)))}$ is a ${\textstyle \mathbb {F} _{p}}$ -subspace, and an explicit basis for it can be calculated in the polynomial ring ${\textstyle \mathbb {F} _{p}[x,y]/(f,g)}$ by computing ${\textstyle (x^{i}y^{j})^{p}}$ and establishing the linear equations on the coefficients of ${\textstyle x,y}$ polynomials that are satisfied iff it is fixed by Frobenius. We note that at this point we have an efficiently computable irreducibility criterion, and the remaining analysis shows how to use this to find factors.

The algorithm now breaks down into two cases:

In the case of small ${\textstyle p}$ we can construct any ${\textstyle g\in {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f(x)))\setminus \mathbb {F} _{p}}$ , and then observe that for some ${\textstyle a\in \mathbb {F} _{p}}$ there are ${\textstyle i,j}$ so that ${\textstyle g-a=0\mod f_{i}}$ and ${\textstyle g-a\not =0\mod f_{j}}$ . Such a ${\textstyle g-a}$ has a nontrivial factor in common with ${\textstyle f(x)}$ , which can be computed via the gcd. As ${\textstyle p}$ is small, we can cycle through all possible ${\textstyle a}$ .
For the case of large primes, which are necessarily odd, one can exploit the fact that a random nonzero element of ${\textstyle \mathbb {F} _{p}^{*}}$ is a square with probability ${\textstyle 1/2}$ , and that the map ${\textstyle x\to x^{\frac {p-1}{2}}}$ maps the set of non-zero squares to ${\textstyle 1}$ , and the set of non-squares to ${\textstyle -1}$ . Thus, if we take a random element ${\textstyle g\in {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/f(x))}$ , then with good probability ${\textstyle g^{\frac {p-1}{2}}-1}$ will have a non-trivial factor in common with ${\textstyle f(x)}$ .

For further details one can consult.^[1]

Applications

One important application of Berlekamp's algorithm is in computing discrete logarithms over finite fields $\mathbb {F} _{p^{n}}$ , where $p$ is prime and $n\geq 2$ . Computing discrete logarithms is an important problem in public key cryptography and error-control coding. For a finite field, the fastest known method is the index calculus method, which involves the factorisation of field elements. If we represent the field $\mathbb {F} _{p^{n}}$ in the usual way - that is, as polynomials over the base field $\mathbb {F} _{p}$ , reduced modulo an irreducible polynomial of degree $n$ - then this is simply polynomial factorisation, as provided by Berlekamp's algorithm.

Implementation in computer algebra systems

Berlekamp's algorithm may be accessed in the PARI/GP package using the factormod command, and the WolframAlpha website.

Related Research Articles

In mathematics, a finite field or Galois field is a field that contains a finite number of elements. As with any field, a finite field is a set on which the operations of multiplication, addition, subtraction and division are defined and satisfy certain basic rules. The most common examples of finite fields are given by the integers mod $p$ when $p$ is a prime number.

In mathematics, in the area of abstract algebra known as Galois theory, the Galois group of a certain type of field extension is a specific group associated with the field extension. The study of field extensions and their relationship to the polynomials that give rise to them via Galois groups is called Galois theory, so named in honor of Évariste Galois who first discovered them.

In mathematics, specifically abstract algebra, an integral domain is a nonzero commutative ring in which the product of any two nonzero elements is nonzero. Integral domains are generalizations of the ring of integers and provide a natural setting for studying divisibility. In an integral domain, every nonzero element a has the cancellation property, that is, if a ≠ 0, an equality ab = ac implies b = c.

Shor's algorithm is a quantum algorithm for finding the prime factors of an integer. It was developed in 1994 by the American mathematician Peter Shor. It is one of the few known quantum algorithms with compelling potential applications and strong evidence of superpolynomial speedup compared to best known classical algorithms. On the other hand, factoring numbers of practical significance requires far more qubits than available in the near future. Another concern is that noise in quantum circuits may undermine results, requiring additional qubits for quantum error correction.

In mathematics, Hilbert's Nullstellensatz is a theorem that establishes a fundamental relationship between geometry and algebra. This relationship is the basis of algebraic geometry. It relates algebraic sets to ideals in polynomial rings over algebraically closed fields. This relationship was discovered by David Hilbert, who proved the Nullstellensatz in his second major paper on invariant theory in 1893.

In mathematics, an irreducible polynomial is, roughly speaking, a polynomial that cannot be factored into the product of two non-constant polynomials. The property of irreducibility depends on the nature of the coefficients that are accepted for the possible factors, that is, the field to which the coefficients of the polynomial and its possible factors are supposed to belong. For example, the polynomial $x 2 - 2$ is a polynomial with integer coefficients, but, as every integer is also a real number, it is also a polynomial with real coefficients. It is irreducible if it is considered as a polynomial with integer coefficients, but it factors as $if it is considered as a polynomial with real coefficients. One says that the polynomial x 2 - 2 is irreducible over the integers but not over the reals.$

In mathematics, an affine algebraic plane curve is the zero set of a polynomial in two variables. A projective algebraic plane curve is the zero set in a projective plane of a homogeneous polynomial in three variables. An affine algebraic plane curve can be completed in a projective algebraic plane curve by homogenizing its defining polynomial. Conversely, a projective algebraic plane curve of homogeneous equation $h (x, y, t) = 0$ can be restricted to the affine algebraic plane curve of equation $h (x, y, 1) = 0$ . These two operations are each inverse to the other; therefore, the phrase algebraic plane curve is often used without specifying explicitly whether it is the affine or the projective case that is considered.

In mathematics, and more specifically in computer algebra, computational algebraic geometry, and computational commutative algebra, a Gröbner basis is a particular kind of generating set of an ideal in a polynomial ring $K [x 1, ..., x n]$ over a field $K$ . A Gröbner basis allows many important properties of the ideal and the associated algebraic variety to be deduced easily, such as the dimension and the number of zeros when it is finite. Gröbner basis computation is one of the main practical tools for solving systems of polynomial equations and computing the images of algebraic varieties under projections or rational maps.

In mathematics, especially in the field of algebra, a polynomial ring or polynomial algebra is a ring formed from the set of polynomials in one or more indeterminates with coefficients in another ring, often a field.

In mathematics, differential algebra is, broadly speaking, the area of mathematics consisting in the study of differential equations and differential operators as algebraic objects in view of deriving properties of differential equations and operators without computing the solutions, similarly as polynomial algebras are used for the study of algebraic varieties, which are solution sets of systems of polynomial equations. Weyl algebras and Lie algebras may be considered as belonging to differential algebra.

In algebra, Gauss's lemma, named after Carl Friedrich Gauss, is a statement about polynomials over the integers, or, more generally, over a unique factorization domain. Gauss's lemma underlies all the theory of factorization and greatest common divisors of such polynomials.

In mathematics and computer algebra, factorization of polynomials or polynomial factorization expresses a polynomial with coefficients in a given field or in the integers as the product of irreducible factors with coefficients in the same domain. Polynomial factorization is one of the fundamental components of computer algebra systems.

In computational algebra, the Cantor–Zassenhaus algorithm is a method for factoring polynomials over finite fields.

In algebra, the greatest common divisor of two polynomials is a polynomial, of the highest possible degree, that is a factor of both the two original polynomials. This concept is analogous to the greatest common divisor of two integers.

A hyperelliptic curve is a particular kind of algebraic curve. There exist hyperelliptic curves of every genus $. If the genus of a hyperelliptic curve equals 1, we simply call the curve an elliptic curve. Hence we can see hyperelliptic curves as generalizations of elliptic curves. There is a well-known group structure on the set of points lying on an elliptic curve over some field, which we can describe geometrically with chords and tangents. Generalizing this group structure to the hyperelliptic case is not straightforward. We cannot define the same group law on the set of points lying on a hyperelliptic curve, instead a group structure can be defined on the so-called Jacobian of a hyperelliptic curve. The computations differ depending on the number of points at infinity. Imaginary hyperelliptic curves are hyperelliptic curves with exactly 1 point at infinity: real hyperelliptic curves have two points at infinity.$

In mathematics the Function Field Sieve is one of the most efficient algorithms to solve the Discrete Logarithm Problem (DLP) in a finite field. It has heuristic subexponential complexity. Leonard Adleman developed it in 1994 and then elaborated it together with M. D. Huang in 1999. Previous work includes the work of D. Coppersmith about the DLP in fields of characteristic two.

In mathematics, an algebraic number field is an extension field $of the field of rational numbers such that the field extension has finite degree . Thus is a field that contains and has finite dimension when considered as a vector space over .$

In mathematics and computer algebra the factorization of a polynomial consists of decomposing it into a product of irreducible factors. This decomposition is theoretically possible and is unique for polynomials with coefficients in any field, but rather strong restrictions on the field of the coefficients are needed to allow the computation of the factorization by means of an algorithm. In practice, algorithms have been designed only for polynomials with coefficients in a finite field, in the field of rationals or in a finitely generated field extension of one of them.

In number theory, Berlekamp's root finding algorithm, also called the Berlekamp–Rabin algorithm, is the probabilistic method of finding roots of polynomials over a field $. The method was discovered by Elwyn Berlekamp in 1970 as an auxiliary to the algorithm for polynomial factorization over finite fields. The algorithm was later modified by Rabin for arbitrary finite fields in 1979. The method was also independently discovered before Berlekamp by other researchers.$

In algebraic number theory, the Dedekind–Kummer theorem describes how a prime ideal in a Dedekind domain factors over the domain's integral closure.

References

↑ Theory of Computation - Dexter Kozen. Springer. Retrieved 2020-09-19.

Berlekamp, Elwyn R. (1967). "Factoring Polynomials Over Finite Fields". Bell System Technical Journal . 46 (8): 1853–1859. doi:10.1002/j.1538-7305.1967.tb03174.x. MR 0219231. BSTJ Later republished in: Berlekamp, Elwyn R. (1968). Algebraic Coding Theory. McGraw Hill. ISBN 0-89412-063-8.
Knuth, Donald E (1997). "4.6.2 Factorization of Polynomials". Seminumerical Algorithms. The Art of Computer Programming. Vol. 2 (Third ed.). Reading, Massachusetts: Addison-Wesley. pp. 439–461, 678–691. ISBN 0-201-89684-2.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Springer-1] Theory of Computation - Dexter Kozen. Springer. Retrieved 2020-09-19.

[1]