:Berlekamp–Rabin algorithm

File:Elwyn_R_Berlekamp_2005.jpg]]

In number theory, Berlekamp's root finding algorithm, also called the Berlekamp–Rabin algorithm, is the probabilistic method of finding roots of polynomials over the field $\mathbb F_p$ with $p$ elements. The method was discovered by Elwyn Berlekamp in 1970{{cite journal |url= https://www.ams.org/mcom/1970-24-111/S0025-5718-1970-0276200-X/ |title= Factoring polynomials over large finite fields |journal= Mathematics of Computation |year= 1970 |volume= 24 |issue= 111 |pages = 713–735 |issn = 0025-5718 |doi = 10.1090/S0025-5718-1970-0276200-X |language= en |last1= Berlekamp|first1= E. R.|doi-access= free|url-access= subscription }} as an auxiliary to the algorithm for polynomial factorization over finite fields. The algorithm was later modified by Rabin for arbitrary finite fields in 1979.{{cite journal |author = M. Rabin |title= Probabilistic Algorithms in Finite Fields |journal= SIAM Journal on Computing |year= 1980 |volume= 9 |issue= 2 |pages = 273–280 |issn = 0097-5397 |doi = 10.1137/0209024 |citeseerx= 10.1.1.17.5653 }} The method was also independently discovered before Berlekamp by other researchers.{{cite book| author = Donald E Knuth | author-link = Donald E Knuth | title = The art of computer programming. Vol. 2 Vol. 2 |date = 1998 | publisher = Addison-Wesley | isbn = 978-0201896848| oclc = 900627019 }}

History

The method was proposed by Elwyn Berlekamp in his 1970 work on polynomial factorization over finite fields. His original work lacked a formal correctness proof and was later refined and modified for arbitrary finite fields by Michael Rabin. In 1986 René Peralta proposed a similar algorithm{{cite journal |author = Tsz-Wo Sze |title= On taking square roots without quadratic nonresidues over finite fields |journal= Mathematics of Computation|year= 2011 |volume= 80 |issue= 275 |pages = 1797–1811 |issn = 0025-5718 |doi = 10.1090/s0025-5718-2011-02419-1 |arxiv =0812.2591 |s2cid= 10249895 }} for finding square roots in $\mathbb F_p$ .{{cite journal |author = R. Peralta |title= A simple and fast probabilistic algorithm for computing square roots modulo a prime number (Corresp.) |journal= IEEE Transactions on Information Theory |date=November 1986 |volume= 32 |issue= 6 |pages = 846–847 |issn = 0018-9448 |doi = 10.1109/TIT.1986.1057236 }} In 2000 Peralta's method was generalized for cubic equations.{{cite journal |author = C Padró, G Sáez |title= Taking cube roots in Zm |journal= Applied Mathematics Letters |date=August 2002 |volume= 15 |issue= 6 |pages = 703–708 |issn = 0893-9659 |doi = 10.1016/s0893-9659(02)00031-9 |doi-access= }}

Statement of problem

Let $p$ be an odd prime number. Consider the polynomial $f(x) = a_0 + a_1 x + \cdots + a_n x^n$ over the field $\mathbb F_p\simeq \mathbb Z/p\mathbb Z$ of remainders modulo $p$ . The algorithm should find all $\lambda$ in $\mathbb F_p$ such that $f(\lambda)= 0$ in $\mathbb F_p$ .{{cite book| author = Alfred J. Menezes, Ian F. Blake, XuHong Gao, Ronald C. Mullin, Scott A. Vanstone | url = https://www.springer.com/gp/book/9780792392828 | title = Applications of Finite Fields |date = 1993 |publisher= Springer US | series = The Springer International Series in Engineering and Computer Science | isbn = 9780792392828}}

Algorithm

= Randomization =

Let $f(x) = (x-\lambda_1)(x-\lambda_2)\cdots(x-\lambda_n)$ . Finding all roots of this polynomial is equivalent to finding its factorization into linear factors. To find such factorization it is sufficient to split the polynomial into any two non-trivial divisors and factorize them recursively. To do this, consider the polynomial $f_z(x)=f(x-z) = (x-\lambda_1 - z)(x-\lambda_2 - z) \cdots (x-\lambda_n-z)$ where $z$ is some element of $\mathbb F_p$ . If one can represent this polynomial as the product $f_z(x)=p_0(x)p_1(x)$ then in terms of the initial polynomial it means that $f(x) =p_0(x+z)p_1(x+z)$ , which provides needed factorization of $f(x)$ .

= Classification of <math>\mathbb F_p</math> elements =

Due to Euler's criterion, for every monomial $(x-\lambda)$ exactly one of following properties holds:

The monomial is equal to $x$ if $\lambda = 0$ ,
The monomial divides $g_0(x)=(x^{(p-1)/2}-1)$ if $\lambda$ is quadratic residue modulo $p$ ,
The monomial divides $g_1(x)=(x^{(p-1)/2}+1)$ if $\lambda$ is quadratic non-residual modulo $p$ .

Thus if $f_z(x)$ is not divisible by $x$ , which may be checked separately, then $f_z(x)$ is equal to the product of greatest common divisors $\gcd(f_z(x);g_0(x))$ and $\gcd(f_z(x);g_1(x))$ .

= Berlekamp's method =

The property above leads to the following algorithm:

Explicitly calculate coefficients of $f_z(x) = f(x-z)$ ,
Calculate remainders of $x,x^2, x^{2^2},x^{2^3}, x^{2^4}, \ldots, x^{2^{\lfloor \log_2 p \rfloor}}$ modulo $f_z(x)$ by squaring the current polynomial and taking remainder modulo $f_z(x)$ ,
Using exponentiation by squaring and polynomials calculated on the previous steps calculate the remainder of $x^{(p-1)/2}$ modulo $f_z(x)$ ,
If $x^{(p-1)/2} \not \equiv \pm 1 \pmod{f_z(x)}$ then $\gcd$ mentioned below provide a non-trivial factorization of $f_z(x)$ ,
Otherwise all roots of $f_z(x)$ are either residues or non-residues simultaneously and one has to choose another $z$ .

If $f(x)$ is divisible by some non-linear primitive polynomial $g(x)$ over $\mathbb F_p$ then when calculating $\gcd$ with $g_0(x)$ and $g_1(x)$ one will obtain a non-trivial factorization of $f_z(x)/g_z(x)$ , thus algorithm allows to find all roots of arbitrary polynomials over $\mathbb F_p$ .

= Modular square root =

Consider equation $x^2 \equiv a \pmod{p}$ having elements $\beta$ and $-\beta$ as its roots. Solution of this equation is equivalent to factorization of polynomial $f(x) = x^2-a=(x-\beta)(x+\beta)$ over $\mathbb F_p$ . In this particular case problem it is sufficient to calculate only $\gcd(f_z(x); g_0(x))$ . For this polynomial exactly one of the following properties will hold:

GCD is equal to $1$ which means that $z+\beta$ and $z-\beta$ are both quadratic non-residues,
GCD is equal to $f_z(x)$ which means that both numbers are quadratic residues,
GCD is equal to $(x-t)$ which means that exactly one of these numbers is quadratic residue.

In the third case GCD is equal to either $(x-z-\beta)$ or $(x-z+\beta)$ . It allows to write the solution as $\beta = (t - z) \pmod{p}$ .

= Example =

Assume we need to solve the equation $x^2 \equiv 5\pmod{11}$ . For this we need to factorize $f(x)=x^2-5=(x-\beta)(x+\beta)$ . Consider some possible values of $z$ :

Let $z=3$ . Then $f_z(x) = (x-3)^2 - 5 = x^2 - 6x + 4$ , thus $\gcd(x^2 - 6x + 4 ; x^5 - 1) = 1$ . Both numbers $3 \pm \beta$ are quadratic non-residues, so we need to take some other $z$ .

Let $z=2$ . Then $f_z(x) = (x-2)^2 - 5 = x^2 - 4x - 1$ , thus $\gcd( x^2 - 4x - 1 ; x^5 - 1)\equiv x - 9 \pmod{11}$ . From this follows $x - 9 = x - 2 - \beta$ , so $\beta \equiv 7 \pmod{11}$ and $-\beta \equiv -7 \equiv 4 \pmod{11}$ .

A manual check shows that, indeed, $7^2 \equiv 49 \equiv 5\pmod{11}$ and $4^2\equiv 16 \equiv 5\pmod{11}$ .

Correctness proof

The algorithm finds factorization of $f_z(x)$ in all cases except for ones when all numbers $z+\lambda_1, z+\lambda_2, \ldots, z+\lambda_n$ are quadratic residues or non-residues simultaneously. According to theory of cyclotomy,{{cite book| author = Marshall Hall | url = https://books.google.com/books?id=__JCiiCfu2EC&q=Combinatorial+Theory+hall&pg=PA1 | title = Combinatorial Theory |date = 1998 |publisher= John Wiley & Sons | isbn = 9780471315186}} the probability of such an event for the case when $\lambda_1, \ldots, \lambda_n$ are all residues or non-residues simultaneously (that is, when $z=0$ would fail) may be estimated as $2^{-k}$ where $k$ is the number of distinct values in $\lambda_1, \ldots, \lambda_n$ . In this way even for the worst case of $k=1$ and $f(x)=(x-\lambda)^n$ , the probability of error may be estimated as $1/2$ and for modular square root case error probability is at most $1/4$ .

Complexity

Let a polynomial have degree $n$ . We derive the algorithm's complexity as follows:

Due to the binomial theorem $(x-z)^k = \sum\limits_{i=0}^k \binom{k}{i} (-z)^{k-i}x^i$ , we may transition from $f(x)$ to $f(x-z)$ in $O(n^2)$ time.
Polynomial multiplication and taking remainder of one polynomial modulo another one may be done in $O(n^2)$ , thus calculation of $x^{2^k} \bmod f_z(x)$ is done in $O(n^2 \log p)$ .
Binary exponentiation works in $O(n^2 \log p)$ .
Taking the $\gcd$ of two polynomials via Euclidean algorithm works in $O(n^2)$ .

Thus the whole procedure may be done in $O(n^2 \log p)$ . Using the fast Fourier transform and Half-GCD algorithm,{{cite book | author = Aho, Alfred V. | url = https://archive.org/details/designanalysisof00ahoarich | title = The design and analysis of computer algorithms | date = 1974 | publisher = Addison-Wesley Pub. Co | isbn = 0201000296 | url-access = registration }} the algorithm's complexity may be improved to $O(n \log n \log pn)$ . For the modular square root case, the degree is $n = 2$ , thus the whole complexity of algorithm in such case is bounded by $O(\log p)$ per iteration.

References

Category:Algorithms

Category:Algebra

Category:Number theoretic algorithms

Category:Polynomials