Tests and Constructions of Irreducible Polynomials Over Finite Fields

Tests and Constructions of

Irreducible Polynomials over Finite Fields

1 2

Shuhong Gao and Daniel Panario

Department of Mathematical Sciences, Clemson University,

Clemson, South Carolina 29634-1907, USA

E-mail: [email protected]

Department of Computer Science, UniversityofToronto,

Toronto, Canada M5S-1A4

E-mail: [email protected]

Abstract. In this pap er we fo cus on tests and constructions of irre-

ducible p olynomials over nite elds. We revisit Rabin's 1980 algo-

rithm providing a variant of it that improves Rabin's cost estimate by

a log n factor. We give a precise analysis of the probability that a ran-

dom p olynomial of degree n contains no irreducible factors of degree less

than O log n. This probability is naturally related to Ben-Or's 1981

algorithm for testing irreducibility of p olynomials over nite elds. We

also compute the probability of a p olynomial b eing irreducible when it

has no irreducible factors of low degree. This probability is useful in the

analysis of various algorithms for factoring p olynomials over nite elds.

We present an exp erimental comparison of these irreducibility metho ds

when testing random p olynomials.

1 Motivation and results

For a prime power q and an integer n 2, let IF be a nite eld with q

elements, and IF be its extension of degree n. Extensions of nite elds are

imp ortant in implementing cryptosystems and error correcting co des. One way

of constructing extensions of nite elds is via an irreducible p olynomial over

the ground eld with degree equal to the degree of the extension. Therefore,

nding irreducible p olynomials and testing the irreducibility of p olynomials are

fundamental problems in nite elds.

A probabilistic algorithm for nding irreducible p olynomials that works well

in practice is presented in [26]. The central idea is to take p olynomials at random

and test them for irreducibility. Let I b e the numb er of irreducible p olynomials

of degree n over a nite eld IF .Itiswell-known see [21], p. 142, Ex. 3.26 &

3.27 that

n=2 n n

q q 1 q q q

I : 1

n q 1n n

This means that a fraction 1=n of the p olynomials of degree n are irreducible, and

so we nd on average one irreducible p olynomial of degree n after n tries. In order

to transform this idea into an algorithm one has to consider irreducibility tests.

In sections 2 and 3, we fo cus on tests for irreducibility. Let f 2 IF [x], deg f = n,

be a p olynomial to b e tested for irreducibility. Assume that p ;:::;p are the

1 k

distinct prime divisors of n. In practice, there are two general approaches for

this problem:

{ Butler 1954: f is irreducible if and only if dim ker I = 1, where is the

Frob enius map on IF [x]=f that sends h 2 IF [x]=f to h 2 IF [x]=f ,

q q q

and I is the identity map on IF [x]=f see [4];

n=p

x = 1 for all { Rabin 1980: f is irreducible if and only if gcdf; x

1 i k , and x x 0mod f see [26].

Other irreducibility tests can b e found in [14], [31], and [12].

In this pap er, we concentrate on Rabin's test, and a variant presented in [1].

In section 2, we review Rabin's and Ben-Or's irreducibility algorithms. We state

a variant of Rabin's algorithm that allows a log n factor saving. In section 3,

we fo cus on Ben-Or's algorithm. This leads us to study the b ehavior of rough

p olynomials, i.e., p olynomials without irreducible factors of low degrees. The

analysis is expressed as an asymptotic form in n, the degree of the p olynomial

to b e tested for irreducibility. First, we x a nite eld IF , and then we study

asymptotics on q . As was noted in [7], probabilistic prop erties of p olynomials

over nite elds frequently have a shap e that resembles corresp onding prop er-

ties of the cycle decomp osition of p ermutations to which they reduce when the

size of the eld go es to in nity. An instance of this is derived for the proba-

bility that a p olynomial of degree n over IF contains no factors of degree m,

1 m O log n, when q ! +1. This probability relates naturally with Ben-

Or's algorithm. The probability of a p olynomial b eing irreducible when it has no

irreducible factors of low degree provides useful information for factoring p oly-

nomials over nite elds see for instance [12], x6. We provide the probability

of a p olynomial b eing irreducible when it has no irreducible factors of degree at

most O log n.

In section 4, we give an exp erimental comparison on the algorithms discussed

in section 2. We provide tables of running times of the algorithms for various

elds and p olynomial degrees. These results suggest that Ben-Or's algorithm

has a much b etter average time b ehavior than others, even though its worst-case

complexity is the worst.

Very sparse irreducible p olynomials are useful for several applications: pseu-

dorandom numb er generators using feedback shift registers [15], discrete loga-

rithm over IF [6], [23], and ecient arithmetic in nite elds Shoup private

communication, 1994. However, few results are known ab out these p olynomials

beyond binomials and trinomials see [22], Chapter 3, and the references there.

In section 5, we present a construction of irreducible p olynomials over IF of

degree n with up to O 1 nonzero terms not necessarily the lowest co ecients,

for in nitely many degrees n.

We assume that arithmetic in IF is given. The cost measure of an algorithm

will b e the numb er of op erations in IF . The algorithms in this pap er use basic

p olynomial op erations like pro ducts and gcds. We consider in this pap er exclu-

sively FFT based arithmetic; similar results hold for classical arithmetic. Let 2

M n = n log n log log n. For constants and , the cost of multiplying two

1 2

p olynomials of degree at most n using \fast" arithmetic [28], [27], [5] can b e

taken as M n, and the cost of a gcd b etween two p olynomials of degree at

most n can b e taken as log nM n op erations in IF . The numberofmultipli-

2 q

cations needed to compute h mo d f by means of the classical repeated squaring

metho d see [20], p. 441{442, where h is a p olynomial over IF of degree less

than n, is C = blog q c + q , with q the number of ones in the binary

representation of q . Therefore, the cost of computing h mo d f by this metho d

is C M n op erations in IF using FFT based metho ds.

1 q q

2 Irreducibility tests

In this section, we review Rabin's and Ben-Or's tests, and we presentavariant

of Rabin's metho d.

2.1 Rabin irreducibility test and an improvement

Algorithm: Rabin IrreducibilityTest

Input: A monic p olynomial f 2 IF [x] of degree n,

and p ;:::;p all the distinct prime divisors of n .

1 k

Output: Either \f is irreducible" or \f is reducible".

for j := 1 to k do

n := n=p ;

j j

for i := 1 to k do

g := gcdf , x x mod f ;

if g 6=1, then `f is reducible' and STOP;

endfor;

g := x x mod f ;

if g =0, then `f is irreducible'

else `f is reducible';

The correctness of Rabin's algorithm is based on the following fact see [26],

p. 275, Lemma 1.

Fact 2.1 Let p ;:::;p be al l the prime divisors of n, and denote n=p = n ,

1 k i i

for 1 i k .Apolynomial f 2 IF [x] of degree n is irreducible in IF [x] if and

q q

n n

q q

only if gcdf; x x mod f =1, for 1 i k , and f divides x x.

The basic idea of this algorithm is to compute x mo d f indep endently for each

value n ;:::;n by rep eated squaring, and then to take the corresp ondent gcd.

1 k

The worst-case analysis given in [26]isOnM n log n log q op erations in IF .

However, it can b e shown that O nM n log log n log q is an upp er b ound of the 3

numb er of op erations in IF for this algorithm. Indeed, rst note that the number

of distinct prime factors of n is at most log n. The cost of k exp onentiations is

log n

X X

n 1

log qMn nM n log q nM n log qH ;

log n

p p

i i

i=1 i=1

1=k is the harmonic sum. Using the well-known approxima- where H =

k =1

tion of the harmonic sum [16], p. 452, H = log log n + + O , we obtain

log n

O nM n log log n log q , which dominates the cost O M n log n of computing

k gcd's. Therefore, the total cost of Rabin's algorithm is O nM n log log n log q .

As an improvement, we prop ose the following variant for the computation of

x mo d f , for 1 i k . x

Algorithm: Variant of Rabin IrreducibilityTest

Input: A monic p olynomial f 2 IF [x] of degree n,

and p ;:::;p all the distinct prime divisors of n .

1 k

Output: Either \f is irreducible" or \f is reducible".

n := 0; h := x;

0 0

for j := 1 to k do

n := n=p ;

j j

sortn ;:::;n ; * Assume n

1 k 1 2 k

for i := 1 to k do

n n

i i1

h := h mod f ;

g := gcdf , h x;

if g 6=1, then `f is reducible' and STOP;

endfor;

g := h x mod f ;

if g =0, then `f is irreducible'

else `f is reducible';

Theorem 2.2 The above variant of Rabin's algorithm correctly tests for poly-

nomial irreducibility, and uses O nM n log q operations in IF .

Proof. The correctness of the algorithm follows from the correctness of the p ower

computations. We prove that h = x mo d f ,1ik,by induction on k .

Basis: when k =1,

n n

1 0

n n

n n n n

1 0

1 0 1 0

q q q q

mo d f: x x h h x

Inductive step: for some k , h = x mo d f ,1ik. Then,

n n

k +1 k

n n

n n n

n n

k +1 k

k +1 k k +1

k k

q q q q

x h h x x mo d f:

k +1

k 4

With this variant, in the worst-case, the numb er of p olynomial multiplications

in Rabin's algorithm to compute all p owers using rep eated squaring is

n log q +n n log q + +n n log q = n log q:

1 2 1 k

Hence the cost of k exp onentiations is O nM n log q . Since the number of

distinct prime factors of n is at most log n, the cost of taking all the gcd's

in the algorithm is O M n log n. Therefore the total cost of this variant is

O nM n log q . 2

2.2 Ben-Or irreducibility test

Algorithm: Ben-Or IrreducibilityTest

Input: A monic p olynomial f 2 IF [x] of degree n.

Output: Either \f is irreducible" or \f is reducible".

for i := 1 to n=2 do

begin

g := gcdf , x x mod f ;

if g 6=1, then `f is reducible' and STOP;

end;

`f is irreducible';

The correctness of Ben-Or's pro cedure is based on the following fact see [21],

p. 91, Theorem 3.20.

Fact 2.3 For i 1, the polynomial x x 2 IF [x] is the product of al l monic

irreducible polynomials in IF [x] whose degree divides i.

i i

q q

Indeed, Ben-Or's algorithm computes x mo d f , and gcdf; x x for i =

1;:::; . The p olynomial is reducible if and only if one of the gcd's is di erent

from 1.

In the worst case, this algorithm computes times a q th p ower and a gcd

of p olynomials of degree at most n. Recalling the cost of these op erations from

section 1, the worst-case b ehavior of Ben-Or's algorithm is O nM n logqn

using FFT based multiplication algorithms, and therefore, it is worse than our

Rabin's variant. However, as can b e seen from our theoretical and exp erimental

results in Sections 3 and 4, Ben-Or's algorithm is very ecient. The main reason

for the eciency of this algorithm is that random p olynomials of large degree are

very likely to have an irreducible factor of small degree, and Ben-Or's algorithm

quickly discards these p olynomials see also [19].

We should p oint out that the average cases of Rabin and our variant are

not known. Ben-Or's average-case analysis is only known when q go es to in nity

in the following sense. Let sf be the exp ected value of the smallest degree 5

among the irreducible factors of f ; then the exp ected cost of Ben-Or's algorithm

is O sf M n log qn. Ben-Or [1], Theorem 2 derives an O log n estimate

for sf . In fact, he relates the factorial decomp osition of p olynomials with the

cyclic decomp osition of p ermutations. The result follows from the study of the

exp ected length of the shortest cycle in a random p ermutation [30]. However,

this relation b etween irreducible factors of p olynomials and cycles of p ermuta-

tions just holds when the size of the eld is large, as it was observed in [7].

3 Distribution of rough p olynomials

Polynomials without irreducible factors of low degree make Ben-Or's irreducibil-

ity test to execute a large numb er of iterations. The probability that a random

p olynomial of degree n contains no factors of low degree gives meaningful infor-

mation on the b ehavior of Ben-Or's algorithm. We call a p olynomial m-rough if

it has no irreducible factors of degrees m. In this section we are interested in

the distribution of rough p olynomials.

The following theorem is proved in [2] when m is xed.

Theorem 3.1 Denote by P n; m the probability of a random monic polynomial

of degree n over IF being m-rough. Then when n !1,

P n; m= 1 1 + o1;

k=1

uniformly for q and 1 m O log n.

Proof. Let I b e the collection of all monic irreducible p olynomials in IF .For-

mally, the summation of all monic p olynomials with all irreducible factors with

degree >m is

Y Y

1 2

1 ! : 1 + ! + ! + = P =

!2I ; j! j>m ! 2I ; j! j>m

Let z b e a formal variable, and j! j the degree of ! 2I. The substitution ! 7!

j! j

z pro duces the generating function P z of p olynomials with all irreducible

factors having degrees >m

Y Y Y

j! j k k I

1 z 1 z = P z= = 1 z :

1 qz

k>m k=1

!2I ; j! j>m

Note that m mayvary when n ! +1, and thus we can not apply the transfer

lemmas in [8, 24].

n n

As usual, [z ]P z represents the co ecientof z in P z , and observe that

m m

n n

P n; m=[z ]P z=q . In order to estimate P n; m, we apply Theorem 10.8

q m q

in [24]. P z presents a p ole of order 1 at z = with residue

k I

1 q :

k =1 6

k I

1 q . Supp ose that m c log n for Denote by g m the pro duct

k =1

1=c

some constant c > 0. Let b be a constant such that 1 < b < e , and take

b 1

r = > . By Odlyzko [24], Theorem 10.8,

q q

n1 1

1 1 1 1

n n n

[z ]P z + g m wr + r r g m;

m q q

q q q q

where w = max jP z j. Therefore,

jz j=r

1 1

g m rq jP n; m g mj w+ r

q q q

q q

1 1

n n

= w + g m =b w + =b ;

b 1 b 1

as 0 g m 1. Since b > 1 is a constant indep endent of m; q and n, we

only need to estimate w in term of n. When jz j = r = , j1 qz jb1, and

k k k k k k

j1 z j1+r . Considering that I r q r = b ,we obtain

m m

Y Y

1 1

k I k I

k k

jP z j = j1 z j 1 + r

j1 qz j b 1

k=1 k =1

m m

Y Y

1 1

k k

= exp I log1 + r expI r

k k

b 1 b 1

k =1 k =1

m m

m+1

Y X

1 1 b 1

k k

expb = exp b exp

b 1 b1 b 1 b 1

k =1 k =1

1 b b 1

c log n c log b

exp b exp n = :

b 1 b 1 b 1 b 1

b 1

c log b

exp n , and Hence, w

b1 b1

1 b 2

n c log b

w + =b exp n log b n :

b 1 b 1 b 1

By Theorem 3.2 b elow,

1 1

: g m

em ec log n

Therefore,

P n; m 2 b

c log b

1 ec log n exp n log b n : 2

g m b 1 b 1

As log b>0 and c log b<1, the right-hand of 2 approaches to 0 as n !1.

Since the quantity on the right-hand of 2 is indep endentofq and m,we see that

P n; m=g m approaches to 1 uniformly for q and m c log n when n !1.

q q

This completes the pro of. 2 7

1 In the next theorem we estimate the function g m= .

k=1

Theorem 3.2 For any prime power q and positive integer m, we have

! !

m m m

q 1

X Y X

1 1 1 1

k I

exp 1 q 1 : exp

em k q k

k =1 k =1 k =1

When q !1, we have

1 e

g m= 1 ! e ;

q m

k=1

where is the Euler's constant, and e =0:56416 :::

1 1

= log 1 Proof. Note that log1 + x x for x>1, and .

k=2

k =1

By 1, wehave

g m= exp I log 1

q k

k=1

0 1

k=2

q q 1

m m m

Y X X

I I

k q 1k

k k

@ A

exp = exp exp

k k k

q q q

k =1 k =1 k =1

! !

m m

k=2

X X

q 1 q 1

exp exp

k q 1 kq

k =1 k =1

! !!

q 1

m 1

X X

1 1

exp exp

k=2

k =1 k =1

q 1

1 1

= 1 exp :

q k

k =1

We have derived the upp er b ound for g m. The lower b ound was derived

by the authors when studying lower b ounds for the Euler totient function for

p olynomials and for the density of normal elements see [11]. Since it is simple,

k k

we repro duce it here. As I q 1=k and 0 < 1 1=q < 1, wehave

q 1

m m

Y Y

1 1

g m= 1 1

k k

q q

k=1 k =1

! !

m m m

q 1

Y Y X

1 1 1

= 1+ exp = exp :

q 1 k k

k =1 k=1 k =1 8

1=k . Then H 1+ 1=x dx = Let H b e the harmonic sum, i.e., H =

m m m

k =1

1 + log m, and thus e 1=em. When q !1

g m= 1 e :

k=1

Using the well-known approximation of the harmonic sum H = log m + +

O , wehave

e ; m!1: 3

Finally, this result is in accordance with the corresp ondent one of p ermutations

with no cycles of length m or less see [29]. 2

We provide in Table 1 b elow the values of g m, P n; m and their ratio,

q q

when m = log n and q =2 for several n<1000. This shows that the conver-

gence of P n; mtog misvery fast. Moreover, as n grows, P n; m quickly

q q q

decreases. For instance, for a random p olynomial of degree 900, there is a prob-

ability of more than 0.9 of having a factor of degree at most 9. This is another

explanation for the eciency of Ben-Or's algorithm. Indeed, it is enough to

search for irreducible p olynomials of degree at most O log n in order to havea

high probability of nding a factor.

For the remaining of this section we concentrate on the probability that a

p olynomial b e irreducible if it has no irreducible factors of low degree. Many al-

gorithms for factoring p olynomials over nite elds comprise the following three

stages: squarefree factorization replace a p olynomial by a squarefree one which

contains all the irreducible factors of the original p olynomial with exp onents

reduced to 1; distinct-degree factorization split a squarefree p olynomial into a

pro duct of p olynomials whose irreducible factors have all the same degree; and

equal-degree factorization factor a p olynomial whose irreducible factors have the

same degree.

As things now stand, distinct-degree factorization is the b ottleneck of the

p olynomial factorization problem see [14], [18], [13]. This step of the factoriza-

tion pro cess works as follows: at any p oint k , all the irreducible factors of degree

up to k have b een found, and all the irreducible factors of degree greater than k

remain to b e determined from a factor g .

A natural way of improving the distinct-degree factorization step is by testing

the irreducibility of the remaining factor g . Unfortunately, in the worst-case

asymptotic scenario, the cost of the irreducibility test is ab out the same as the

distinct-degree factorization algorithm. An alternativetoovercome this problem

is given in [12] x6. The central idea is to run the irreducibility test and the

distinct-degree factorization algorithm in parallel, feeding the former with partial

information obtained by the latter see the details in [12].

It is clear that the probability of a monic p olynomial b eing irreducible when it

has no irreducible factors of low degree provides useful information in the ab ove

pro cess. In the following, we derive an asymptotic formula for this probability. 9

n m P n; m g m P/g

q q

2 1 .250000000000000 000 00 000 000 .25000000000000000 00 000 00 00 1.0000

3 1 .250000000000000 000 00 000 000 .25000000000000000 00 000 00 00 1.0000

4 2 .187500000000000 000 00 000 000 .18750000000000000 00 000 00 00 1.0000

5 2 .187500000000000 000 00 000 000 .18750000000000000 00 000 00 00 1.0000

6 2 .187500000000000 000 00 000 000 .18750000000000000 00 000 00 00 1.0000

7 2 .187500000000000 000 00 000 000 .18750000000000000 00 000 00 00 1.0000

8 3 .140625000000000 000 00 000 000 .14355468750000000 00 000 00 00 .97963

9 3 .144531250000000 000 00 000 000 .14355468750000000 00 000 00 00 1.0068

10 3 .143554687500000 000 00 000 000 .14355468750000000 00 000 00 00 .99997

20 4 .118286132812500 000 00 000 000 .11828541755676269 53 125 00 00 1.0000

30 4 .118285417556762 695 31 250 000 .11828541755676269 53 125 00 00 1.0000

40 5 .097769073676317 930 22 155 762 .09776907366723652 79 247 28 76 1.0000

50 5 .097769073667237 194 05 854 354 .09776907366723652 79 247 28 76 1.0000

60 5 .097769073667236 527 92 472 876 .09776907366723652 79 247 28 76 1.0000

70 6 .084848990500392 783 56 888 779 .08484899050039278 17 581 48 54 1.0000

80 6 .084848990500392 781 75 860 054 .08484899050039278 17 581 48 54 1.0000

90 6 .084848990500392 781 75 814 857 .08484899050039278 17 581 48 54 1.0000

100 6 .084848990500392 781 75 814 854 .08484899050039278 17 581 48 54 1.0000

200 7 .073677384988659 273 51 164 168 .07367738498865927 35 116 41 68 .99999

300 8 .065514986645349 589 36 373 162 .06551498664534958 93 637 31 62 1.0000

400 8 .065514986645349 589 36 373 162 .06551498664534958 93 637 31 62 1.0000

500 8 .065514986645349 589 36 373 162 .06551498664534958 93 637 31 62 1.0000

600 9 .058720973885392 759 26 570 230 .05872097388539275 92 657 02 30 1.0000

700 9 .058720973885392 759 26 570 230 .05872097388539275 92 657 02 30 1.0000

800 9 .058720973885392 759 26 570 230 .05872097388539275 92 657 02 30 1.0000

900 9 .058720973885392 759 26 570 230 .05872097388539275 92 657 02 30 1.0000

Table 1. Values of P n; m and g m, with m = log n and q =2.

q q

Theorem 3.3 Let P n; m be the probability that a polynomial of degree n

over IF be irreducible if it has no factors of degree less than or equal to m,

1 m O log n. Then, as n, m and q approach to in nity,

P n; m e ;

where is the Euler's constant.

Proof. This probability can be estimated considering the subset of irreducible

p olynomials of degree n over IF inside the set of p olynomials of degree n over IF

q q

without irreducible factors of degree less than or equal to m,1mOlog n.

Using 1, Theorems 3.1 and 3.2, when n, m and q approach to in nity,we obtain

I m

n; m= P = e :

q P n; m n

m 10

4 Exp erimental results

In this section, we describ e an implementation of the algorithms discussed in

Section 2. We provide a running time comparison of the algorithms for random

p olynomials on a Sun Sparc 20 computer. The algorithms were implemented on

a C++ software due to Shoup. This package contains classes for nite elds and

p olynomials over nite elds with implementations for basic op erations suchas

multiplication, taking gcd, and so on for a description of the software see [32].

We tested all algorithms with the same random p olynomials. A summary

table for the average time in seconds of CPU in the case IF is presented in

Table 2 and Table 3. The degrees n in Table 2 and in Table 3 were chosen such

that n has many prime divisors and few prime divisors, resp ectively. The number

of p olynomials tested was 10 n for Table 2 and 5 n for Table 3, where n is

the degree of the p olynomials b eing tested for irreducibility. It can b e seen from

the Tables that even in the case of n with few prime divisors Ben-Or has the

b est b ehavior among the three algorithms. The worst-case scenario for these

algorithms happ ens when testing irreducible p olynomials. We include a column

with the numb er of irreducible p olynomials that were tested for each degree.

n Rabin Rabin's Ben-Or Number of

Variant Irreducible

105 0.7990 0.6133 0.2000 9

210 2.7652 2.6942 0.9938 14

330 10.5672 17.4147 2.3443 8

420 10.5702 4.3971 1.5189 7

Table 2. Average time in seconds for testing 10 n p olynomials over IF of degree n

with many prime divisors.

n Rabin Rabin's Ben-Or Number of

Variant Irreducible

101 4.1564 8.9188 0.5901 4

256 20.8451 46.9867 2.7950 5

331 32.7156 71.8685 2.7719 9

Table 3. Average time in seconds for testing 5 n p olynomials over IF of degree n

with few prime divisors. 11

Similar results for testing irreducibility of p olynomials over the nite eld

IF are presented in Table 4 b elow.

1021

n Rabin Rabin's Ben-Or Number of

Variant Irreducible

101 186.1383 280.2633 13.0198 4

105 78.2952 61.8381 11.2629 5

210 227.5800 174.7400 23.0000 3

Table 4. Average time in seconds for testing 5 n p olynomials of degree n over IF .

1021

We also tested the case of very large elds. For instance, the average time

in seconds of CPU for testing 315 p olynomials of degree 105 over IF , p a prime

with 100 bits, was:

Rabin 774.054

Rabin's variant 613.267

Ben-Or 137.565

In this case, 5 irreducible p olynomials were found.

These timings suggest that Ben-Or's algorithm has a much b etter average

time b ehavior than others, even though its worst-case complexityis the worst

among them. A variant of the ab ove algorithms that economizes gcd's computa-

tions can b e given using Ben-Or's ideas up to O log n iterations and our Rabin's

variant after that p oint. For this algorithm together with more exp erimental re-

sults, see [25].

5 Construction of sparse irreducible p olynomials

When implementing the irreducibility tests in Section 2, wewanted to exp eri-

ment our programs on various p olynomials of large degrees. For reducible p oly-

nomials, they are likely to have small factors, as shown in Section 3, and the

programs terminate almost immediately.However, when testing an irreducible

p olynomial, wedo not have a priori any idea of how long it will take to com-

plete the task. It is desirable to have some simple p olynomials whichwe knowin

advance are irreducible so that we can test the correctness of our programs and

know the approximate time our computer needs on various degrees. This would

also help us in deciding the range of degrees to compare the tests. By \simple",

we mean p olynomials that can either b e constructed easily without testing for

irreducibility or have only a few nonzero terms. The problem of constructing

sparse irreducible p olynomials is also of indep endentinterest.

Awell-known op en problem is to construct irreducible p olynomials over IF

of degree n with at most O log n nonzero terms in its lowest co ecients. These 12

p olynomials are useful in the discrete logarithm problem [6], [23]. Shoup pri-

vate communication, 1994 p oints out that if IF =IF [x]=f with f = x + g

2 2

irreducible and g 2 IF [x] of small degree, say deg g 2 log n, then exp onenti-

ation in IF can be achieved with O n loglog n op erations in IF and using

2 2

storage for O n=log n elements from IF see also [9]. Exp erimental results

show that such p olynomial f exists for n 1000 taking deg g 2 + log n.

Shparlinski [33] gives a construction of irreducible p olynomials with degrees

k ` k ` k `

of the form 4 3 5 over IF ,42 5 over IF , and 2 2 3 over IF , for any

2 3 p

prime p>3, and k; l nonnegativeintegers. In the following, we rst generalize his

construction and then construct explicitly several in nite families of irreducible

p olynomials.

1 k

Theorem 5.1 Let p ;:::;p be any xed primes and n = mp :::p where

1 k

m is the multiplicative order of q modulo p p and e ;:::;e are arbitrary

1 k 1 k

nonnegative integers. Then, over any nite eld IF whose characteristic is dis-

tinct from p ;:::;p , thereisanirreducible polynomial of degree n with at most

1 k

2m +1 2p 1 p 1 + 1 nonzero terms.

1 k

Proof. Let ` = m if all p are o dd. If one of p ,sayp , is 2 and q 3 mo d 4, let

i i 1

` `

` = lcm2;m. Then, p jq 1 for 1 i `, and 4jq 1 if p is even.

i 1

Let b e an elementinIF ` that is not a p th p ower in IF ` for 1 i k . The

q q

minimal p olynomial x of over IF has degree `. By Lidl and Niederreiter

[21], p. 124, Theorem 3.75,

e e

1 2

p p :::p

1 2

is irreducible over IF ` for all nonnegativeintegers e ;:::;e . Then

1 k

e e

1 2

p p :::p

1 2

x 4

e e

1 2 k

is irreducible over IF of degree `p p p . The p olynomial 4 has at most

1 2

` +1 2m+ 1 nonzero terms.

Irreducible p olynomials from the construction of Theorem 5.1 are usually

very sparse. In fact, the number of nonzero terms dep ends only on the prime

factors of n, and if we x them and let the exp onents grow arbitrarily then

these p olynomials have only O 1 nonzero terms even though not necessarily

the lowest co ecients. This can b e seen from the following examples.

Example 5.2 q 1mod4 and n = 2 . Take a 2 IF to be any quadratic

nonresidue. Then x a is irreducible over IF for al l k 0.For instance,

i. if q = p 3mod8 is a prime, then take a =2;

ii. if q = p 5mod12 is a prime, then take a =3;

iii. if q = p 2mod5 is a prime, then take a =5.

These results arefrom [17 ] Proposition 5.1.3 for the rst two, and Theorem 2,

p. 54, for the third. 13

Example 5.3 q 3mod4 and n = 2 . In this case, ` = 2 in the proof of

Theorem 5.1. We need to nd a quadratic nonresidue in IF and compute its

minimal polynomial. The fol lowing elegant solution is from [3 ]. Suppose that

m v v+1

q = p where m is odd and p 3mod4is a prime. Let 2 jp +1, 2 6jp+1.

Then v 2. Construct u 2 IF iteratively as fol lows:

u =0;

p+1

u +1

u = mo d p; for 1

p+1

u 1

u = mo d p;

where, at each step, one can take any of the signs arbitrarily. Let u = u . Then

x 2ux 1 is the minimal polynomial of some quadratic nonresidue in IF .

Therefore

k k 1

2 2

x 2ux 1

is irreducible over IF , and over IF as wel l, for al l k 1.

p q

Example 5.4 q = 2. Theorem 5.1 yields the fol lowing families of irreducible

polynomials over IF for al l k ; `; m; n 0:

k k

23 3

x + x +1

k k

37 7

x +x +1

k ` k `

43 5 3 5

x +x +1

k ` k `

63 7 3 7

x +x +1

k ` m k ` m

103 11 31 33 11 31

x + x +1

k ` m n k ` m n k ` m n k ` m n

123 5 7 13 83 5 7 13 23 5 7 13 3 5 7 13

x + x + x + x +1:

For other explicit constructions of irreducible p olynomials, see [22] Chap-

ter 3, and [10].

Acknowledgment. We thank Bruce Richmond for helpful discussions and Vic-

tor Shoup for the use of his package. Part of this work was done by the rst

author while visiting the UniversityofWaterlo o whose hospitality and supp ort

are gratefully acknowledged.

References

1. Ben-Or, M. Probabilistic algorithms in nite elds. In Proc. 22nd IEEE Symp.

Foundations Computer Science 1981, pp. 394{398.

2. Blake, I., Gao, S., and Lambert, R. Constructive problems for irreducible

p olynomials over nite elds. In Information Theory and Applications, A. Gulliver

and N. Secord, Eds., vol. 793 of Lecture Notes in Computer Science. Springer-

Verlag, 1994, pp. 1{23. 14

3. Blake, I., Gao, S., and Mullin, R. Explicit factorization of x +1 over IF

with prime p 3 mo d 4. Appl. Alg. Eng. Comm. Comp. 4 1993, 89{94.

4. Butler, M. On the reducibility of p olynomials over a nite eld. Quart. J. Math.

Oxford5 1954, 102{107.

5. Cantor, D., and Kaltofen, E. On fast multiplication of p olynomials over

arbitrary algebras. Acta. Inform. 28 1991, 693{701.

6. Coppersmith, D. Fast evaluation of logarithms in elds of characteristic two.

IEEE Trans. Info. Theory 30 1984, 587{594.

7. Flajolet, P., Gourdon, X., and Panario, D. Random p olynomials and p oly-

nomial factorization. In Proc. 23rd ICALP Symp. 1996, vol. 1099 of Lecture

Notes in Computer Science, Springer-Verlag, pp. 232{243.

8. Flajolet, P., and Odlyzko, A. Singularity analysis of generating functions.

SIAM Journal on Discrete Mathematics 3 2 1990, 216{240.

9. Gao, S., von zur Gathen, J., and Panario, D. Gauss p erio ds and ecient

arithmetic in nite elds. Submitted to Journal of Symb olic Computation ex-

tended abstract in Pro c. LATIN'95,vol. 911 of Lecture Notes in Computer Science,

311{322, 1995.

10. Gao, S., and Mullen, G. Dickson p olynomials and irreducible p olynomials over

nite elds. J. Number Theory 49 1994, 118{132.

11. Gao, S., and Panario, D. Density of normal elements. Submitted to Finite

Fields and their Applications abstract in AMS Abstracts 102 Fall 1995, 904-

68-227, p. 798, 1995.

12. von zur Gathen, J., and Gerhard, J. Arithmetic and factorization of p olyno-

mials over IF . In Proc. ISSAC'96, Zurich, Switzerland 1996, L. Y.N., Ed., ACM

press, pp. 1{9.

13. von zur Gathen, J., and Panario, D. A survey on factoring p olynomials over

nite elds. Submitted to the sp ecial issue of the MAGMA conference in J. Symb.

Comp., 1996.

14. von zur Gathen, J., and Shoup, V. Computing Frob enius maps and factoring

p olynomials. Comput complexity 2 1992, 187{224.

15. Golomb, S. W. Shift register sequences. Aegean Park Press, Laguna Hills, Cali-

fornia, 1982.

16. Graham, R., Knuth, D., and Patashnik, O. Concrete Mathematics, 2nd ed.

Addison-Wesley, Reading, MA, 1994.

17. Ireland, K., and Rosen, M. A Classical Introduction to Modern Number Theory,

2nd ed. Springer-Verlag, Berlin, 1990.

18. Kaltofen, E., and Shoup, V. Sub quadratic-time factoring of p olynomials over

nite elds. In Proc. 27th ACM Symp. Theory of Computing 1995, pp. 398{406.

19. Knopfmacher, J., and Knopfmacher, A. Counting irreducible factors of p oly-

nomials over a nite eld. SIAM Journal on Discrete Mathematics 112 1993,

103{118.

20. Knuth, D. The art of computer programming, vol.2: seminumerical algorithms,

2nd ed. Addison-Wesley, Reading MA, 1981.

21. Lidl, R., and Niederreiter, H. Finite elds,vol. 20 of Encyclopedia of Mathe-

matics and its Applications. Addison-Wesley, Reading MA, 1983.

22. Menezes, A., Blake, I., Gao, X., Mullin, R., Vanstone, S., and Yaghoo-

bian, T. Applications of Finite Fields. Kluwer Academic Publishers, Boston,

Dordrecht, Lancaster, 1993. 15

23. Odlyzko, A. Discrete logarithms and their cryptographic signi cance. In Ad-

vances in Cryptology, Proceedings of Eurocrypt 1984 1985, vol. 209 of Lecture

Notes in Computer Science, Springer-Verlag, pp. 224{314.

24. Odlyzko, A. Asymptotic enumeration metho ds. In Handbook of Combinatorics,

R. Graham, M. Grotschel, and L. Lov asz, Eds. Elsevier, 1996.

25. Panario, D. Combinatorial and algebraic asp ects of p olynomials over nite elds.

PhD Thesis, in preparation, 1996.

26. Rabin, M. O. Probabilistic algorithms in nite elds. SIAM J. Comp. 9 1980,

273{280.

27. Schonhage, A. Schnelle Multiplikation von Polynomenub er Korp ern der Charak-

teristik 2. Acta Inf. 7 1977, 395{398.

28. Schonhage, A., and Strassen, V. Schnelle Multiplikation groer Zahlen. Com-

puting 7 1971, 281{292.

29. Sedgewick, R., and Flajolet, P. An Introduction to the Analysis of Algorithms.

Addison-Wesley, Reading MA, 1996.

30. Shepp, L., and Lloyd, S. Ordered cycle lengths in a random p ermutation. Trans.

Amer. Math. Soc. 121 1966, 340{357.

31. Shoup, V. Fast construction of irreducible p olynomials over nite elds. J. Symb.

Comp. 17 1995, 371{391.

32. Shoup, V. A new p olynomial factorization algorithm and its implementation. J.

Symb. Comp. 20 1996, 363{397.

33. Shparlinski, I. Finding irreducible and primitive p olynomials. Appl. Alg. Eng.

Comm. Comp. 4 1993, 263{268.

Note. This pap er has app eared in Foundations of Computational Mathematics,

F. Cucker and M. Shub Eds., Springer 1997, 346{361.

This article was pro cessed using the L T X macro package with LLNCS style

E 16