Journal
of Algorihms, to appear (accepted for publication January 2001).
/
c Academic Press, 2001.
The complete analysis of
a polynomial factorization algorithm
over finite fields
Philippe Flajolet
Algorithms Project,INRIA
Rocquencourt,
F-78153
Le
Chesnay,
France
E-mail:
Xavier Gourdon
Algorithms Project, INRIA
France
!"Rocquencourt,
#%$
&'"F-78153
!"Le(%Chesnay,
E-mail: and
Daniel Panario
School of Mathematics and Statistics,
'"Carleton
*)!+-University,
,"Ottawa,
.-, K1S 5B6, Canada.
E-mail:
Communicated by H. Prodinger
Received 2000; revised 2000; accepted 2001
A unified treatment of parameters relevant to factoring polynomials over finite fields is
given. The framework is based on generating functions for describing parameters of interest
and on singularity analysis for extracting asymptotic values. An outcome is a complete
analysis of the standard polynomial factorization chain that is based on elimination of
repeated factors, distinct degree factorization, and equal degree separation. Several basic
statistics on polynomials over finite fields are obtained in the course of the analysis.
Key Words: Analysis of algorithms, analytic combinatorics, computer algebra, finite
fields, factorization algorithms, random polynomials
INTRODUCTION
Factoring polynomials over finite fields intervenes in many areas of computer
science and computational mathematics like symbolic computation at large [24],
polynomial factorization over the integers [12, 40], cryptography [10, 44, 48], number theory [5], or coding theory [4]. The implications include finding complete
1
2
P. FLAJOLET, X. GOURDON, D. PANARIO
partial fraction decompositions, designing cyclic redundancy codes, computing
the number of points on elliptic curves, and building arithmetic public key cryptosystems. In particular, the factorization of random polynomials over finite fields
is directly needed in the randomized index calculus method for computing discrete
logarithms over finite fields [48].
This paper derives basic probabilistic properties of random polynomials over
finite fields that are of interest in the study of polynomial factorization algorithms.
We show that the main characteristics of random polynomial can be treated systematically by methods of “analytic combinatorics” based on the combined use
of generating functions and of singularity analysis. Our object of study is the
classical factorization chain which is described in Fig. 1 and which, despite its
simplicity, does not appear to have been totally analysed so far. In this paper, we
provide a complete average-case analysis.
In asymptotic terms, the algorithm that we study need not be the fastest available
at the moment; compare with [25, 26, 34, 55, 56]. For instance, Shoup [55] provides
the average-case analysis of an algorithm he proposes and his highly interesting
methods are based on estimates for the number of solutions of equations over
finite fields and Weil’s bounds—the scope is however quite different from the
framework of this paper. One of the good reasons for studying the classical chain
is that it is representative of what is often implemented in general purpose computer
algebra systems and of what is likely to be practically relevant for many problems
of “moderate” size. In effect, the book by Geddes et al. [28] describes a chain
very much similar to ours on which the design of polynomial factorization in the
0214356
system is based—a fact easily confirmed by tracing facilities available
under the system. Knuth’s authoritative treatise [40] and the remarkable recent
book of von zur Gathen and Gerhard [24] expose the fundamental aspects of the
classical chain in detail. We refer globally to [40, p. 449] and [24, pp. 393–397]
for the historical context of this and closely related algorithms, with some of the
originators being Legendre, Gauß, Galois, Berlekamp, Cantor, and Zassenhaus.
An important reason for our interest in these questions is methodological. Indeed, the discipline of analysing completely an algorithm, which is in the line of
Knuth’s works [39, 40, 41, 42], reveals parameters that are of general interest for
polynomial factorization algorithms and for problems that deal with polynomials
over finite fields at large. A specific illustration is the paper of Panario and Richmond [52] that deals with testing polynomial irreducibility along lines similar to
those of the present paper.
Algorithmic framework. Let 78 be the finite field with 9 elements. The algorithmic problem that we address is as follows: given a monic univariate polynomial
:<;
:A@B:DGI
CFE HJHJH : CK
:
:"O
L , where GMJNNJNJM
78= >? , find the complete factorization
are
*
G
M
J
N
N
J
N
M
L
pairwise distinct monic irreducible polynomials and P
P are (strictly) positive integers. The basic factorization chain (see Fig. 1) operates in three stages.
3
ANALYSIS OF POLYNOMIAL FACTORIZATION
,'&Q,SRFUTVW)X"Y[Z
\ ST%]^
_
(R`!Y4Z
ab b cdc"e&
f
g h#T%]i
i
(R-Y4Z
ab h b cjk
"Q
,#l
k'!c,k'm
cf
.T%] \ Z
n poq) \ jq'
#T%]#^
i
SRrh+sotSuro!Y4Z
a !j'!c!,k'
m
k,#vd'm# b o b f
'SZ
w &SRF#%,SRFxY
Y[Z
"'SZ
FIG. 1. The complete factorization chain.
ERF: elimination of repeated factors replaces a polynomial
:V@y:DG C E HHJH : C K
L
by a squarefree one that contains all the irreducible factors of the original polynomial but with exponents reduced to 1:
:{z|~}@y`p: N
DDF: distinct-degree factorization splits a squarefree polynomial into polynomials whose irreducible factors all have the same degree:
}z| G H
HJHH
O @
: N
where
Jr O
EDF: equal-degree factorization completely splits a polynomial whose irreducible factors are already constrained to have the same degree:
O @y N
Oz|O G HJHJH O %
where J
An often used variant of the first stage is:
:
@y¡ *¢ SFF: squarefree
factorization determines directly the decomposition
¢ ¢ @£
:
where the are squarefree and pairwise coprime so that
.
C F
4
P. FLAJOLET, X. GOURDON, D. PANARIO
As implied by the results of Section 2 the difference in costs induced by the two
versions, ERF and SFF, is marginal, while consideration of ERF greatly simplifies
the whole analysis. We refer globally to [24, Ch. 14] for a complete discussion of
this and other algorithmic aspects.
Given a polynomial over the integers, like
¢@
>¤¦¥¨§>©.ª¬«>!®¥¨§>¯ª±°>!²®¥<°">³#ª¬>´#ª2> ¥<°">ªkµ M
most general-purpose computer algebra will approach the factorization via modular reductions. For instance, the reduction modulo 5 gives
:·¶ ¢¹¸º
S@
¼»
>!¤.ª½°">©.ª¬«>!ª½°">¯.ª±°>!².ª½§">³.ª¬>´+ª2> ª½§">ªpµ N
Elimination of repeated factors (ERF) is easily achieved by gcd computations and
it produces, modulo 5, the partial factorization
:{@
>ª¬«
r}@
>ª¬« > © ª¬§> ª±°> ¯ ª2«> ² ª¬> ³ ª½«> ´ ª¬>ª2« N
(1)
The next phase of distinct-degree factorization (DDF) then uncovers a partial
factorization of the eighth degree factor as
}@d G H
¾@À¿
¿
> ª±°>ª±°*Á H >¯.ª¬>²+ª¬§>³.ª¬>´.ª½§"> ª¬>ª½°Á N
(2)
There, in two successive steps, the groups of factors of degree 1 (there must be two
such factors) and of degree 2 (there must be three such factors) have been isolated.
Finally, the second and sixth degree polynomials are split by two separate calls
to the equal-degree factorization (EDF) algorithm into their linear and quadratic
factors:
G @
@
>¼ª¬§ Â>ª2« M
Â> ª¬>ªpµ > ª2>ª½° > ª¬«>ªpµ N (3)
:
In this way, the complete factorization of modulo 5 is obtained from (1), (2), (3):
:{@
Â>ª½§ Â>ª¬« > ª¬>ªkµ > ª¬>±
ª ° Â> ª¬«>ªpµ N
Various methods, not discussed in this paper, then permit one to lift the factorization
to the integers; see [24, Ch. 15]. Here, this eventually produces the complete
factorization over ÃÄ= >? ,
:·@
Â>Å¥Qµ > ¥¡>ªkµ > ª¬>ªkµ Â> ´ ¥¨> ªkµ N
In this case, the squarefree factorization
(SFF)
approach would only lead to ex
¸º
tracting the repeated factor Â>Å¥Qµ , or >ª2«
¼» , at an early stage.
ANALYSIS OF POLYNOMIAL FACTORIZATION
5
@ÀÆ!Ç Æ
Computational model. We fix a finite field 78 with 9
( prime) and
consider the ring of polynomials 78= >? ; see [4, 24, 28, 40, 45] for background.
The probabilistic model assumes all 9 monic polynomials of degree È to be
equally likely and all average-case analyses are expressed as asymptotic forms in
È , the degree of the polynomial to be factored. The complexity model assumes
that a basic field operation has cost Év%µ , the
cost of a sum is ÉvÈ , and the
cost of a product, a division or a gcd is ÉvÈ , when applied to polynomials of
degree ÊUÈ . For dominant asymptotics, we can freely
restrict our attention to
.@dÍ G
polynomial products and gcds. We take as ËÌÈ
È the cost of multiplying
two polynomials
of degree less than È modulo a polynomial of degree È , and as
Î
@pÍ
È
È the cost of a gcd between a polynomial of degree È and a polynomial
Í
ÍJ
of degree at most È . (There, G and are system and implementation dependent
constants.) What we have in mind is a general purpose factorization algorithm
typically applied to polynomials of moderate size and degree, where operations
are often implemented by quadratic algorithms. Similar studies could be conducted
using FFT (fast Fourier transform) based algorithms.
Summary of results. Figure 2 summarizes the interplay between probabilistic
properties of random polynomials and polynomial factorization. We offer here a
few comments.
A random polynomial of degree È is irreducible with a small probability of
º
about µ*ÏÈ and has close to Ð SÈ factors on average and with a high probability
(Section 1). Thus, the factorization of a random polynomial over a finite field is
almost surely nontrivial. Each of the various phases of polynomial factorization
has its own “physics” with implications on the corresponding costs. Here is a brief
summary.
ERF: The first phase of the factorization is the elimination of repeated factors, ERF. It is deterministic and described in Section 2. This ERF stage returns
the squarefree part of the original polynomial in which each irreducible factor
of the original polynomial appears exactly once (the remaining factors form the
non-squarefree part). In fact, the squarefree polynomials have a positive density
(asymptotically) and the non-squarefree part of a random polynomial is with high
probability of degree ÉÅrµ as expressed by Theorem 2.1. In a precise technical
sense, the cost of the ERF phase is asymptotically that of a single gcd (Theorem 2.2), so that most of the factorization cost results from the subsequent phases,
namely, DDF and EDF.
DDF: The second phase DDF, also deterministic and described in Section 3,
}
}¨@
splits the squarefree part of the polynomial to be factored into a product
G H
HJHH
O
}
, where is formed by the product of all the irreducible factors of
6
P. FLAJOLET, X. GOURDON, D. PANARIO
Phase
Properties
Refs.
(Sec. 1)
Fraction of irreducibles is ÑUÓ Ò .
The number of irreducible factors has mean Ñ
ÔÖÕ×XØ
and a limiting Gaussian law.
Eq. (8); [4, 40]
Eq. (13); [4, 7, 21, 40]
ERF
(Sec. 2)
Non squarefree part has size ÙÄÚÛÜ on average and
with high probability.
Ø
Algorithmic cost of ERF is ÑpÝÞÚ Ü on average
and with high probability
Thm. 2.1; [4, 9, 18]
Largest degree is ßÞÚ Ü with Dickman distribu×àØ
×já
tion and mean Ñ
where â¬ã á ä*åJæç*å .
Modified Dickman laws hold for two largest degrees.
Ø!è Ø ÔÖÕ×Xé
Ú Ü
Ü;
Algorithmic cost of DDF is ÙÄÚ
three stopping rules are compared.
Thm 3.1; [30, 50]
DDF
(Sec. 3)
(Sec. 4)
ERF
(Sec. 5)
Ø
Thm 2.2; [18]
Thm 3.2; [30, 50]
Thm 3.3; [18]
DDF yields a complete factorization with probability close to ê*ë
ì .
Total degree of unfactored part after DDF has
ÔÖÕ×àØ
Ü , but “soft” distribution tails and
mean ÙÄÚ
Ø
standard deviation Ù¹Úîí Ü .
Thm 4.1; [18, 32, 38]
The probability of repeated irreducible factors of
degree ï is approximately Poisson
Ûðé ïÜ
ØñÔÖÕÚ×à
Ü on averAlgorithmic cost of ERF is Ù¹Ú
ØòÔóÕ×àé
Ü.
age, as opposed to a worst-case Ù¹Ú
Thm 5.1; [37]
Thm 4.2; [18, 35]
Thm 5.2; [18]
FIG. 2. Main properties of random polynomials of degree ô and of corresponding factorizations,
ñ
together with some relevant references. Here õ¡ö÷ôø®ù úQû ô represents the cost of a polynomial
ñ
Ò
multiplication and ü.öýô
ø[ù úVû ñ ô the cost of a gcd.
that have degree . A random polynomial has with high probability several large
factors, that is, of degrees þÈ . This is quantified by Theorems 3.1 and 3.2 where
the Dickman function and some of its relatives serve to express the corresponding
probability distributions. Such estimates form the basis of a precise comparison of
three stopping rules: the “naı̈ve” rule, the “half-degree” rule and the “early abort”
rule whose costs are found to be in the approximate proportion µ{ÿýÿ ´ ÿýÿ ; see
³
´
Theorem 3.3. At the end of the DDF phase, the factorization is complete with
a probability ranging asymptotically between N » and N (Theorem 4.1). In
addition, the number of degree values such that more than one irreducible factor
ANALYSIS OF POLYNOMIAL FACTORIZATION
7
of that degree occurs is typically Év%µ , and the total degree passed to EDF is
º
ÉÅÂÐ È on average, though it has a large variability (Theorem 4.2).
EDF: The third phase, EDF, is a randomized procedure described in Section 5.
It involves a recursive refinement process based on randomized splittings that
turns out to be closely related to digital trees, also known as “tries”, see [41]. The
analysis combines properties of polynomials (Theorem 5.1) with properties of the
splitting process (Lemma 5.1). As a consequence,
the expected cost of EDF is
º
proved to be comparatively small, being ÉvÈ Ð .9 (Theorem 5.2).
Precise statements are given in the next sections with an explicit dependence on
the field cardinality 9 . (Some of them involve number-theoretic functions that can
be both evaluated and estimated easily.) A simplified picture is as follows. The
ERF phase involves with high probability
little more than a single polynomial gcd,
º
so that its expected cost is ÉvÈ . The DDF phase of cost ÉvÈ ´ Ð .9 (both on
average and in the worst-case) is the one that is most intensive computationally,
where control by the “early-abort” strategy is expected to bring gains close to
36%. The last phase
º of EDF is typically executed less than 50% of the time
and its cost, ÉvÈ Ð 9 on average, is again small compared to that of DDF. A
comparison between worst-case costs and average-case costs for each phase is
drawn in Section 6.
Note on methodology. An earlier but almost identical version of this paper submitted to another journal dedicated to computing was met with sharp criticism from
two referees. One criticism had to do with the asymptotically suboptimal character of the algorithms that we analyse. However, record-breaking computations are
only one facet of the story and, from the authors’ experience with computer algebra
systems, much usage involves polynomials of moderate degree having moderately
large coefficients. For this, good implementations are definitely wanted; thus, we
claim some justification for interest in algorithms that are suboptimal in the strict
asymptotic sense but may very well turn out in many practical contexts to perform
better than asymptotically optimal algorithms.
Another criticism had to do with the model
of random polynomials that we adopt,
namely the uniform distribution over the 9 polynomials of degree È . One referee
said: “most polynomials are not sampled at random over the set of all polynomials”. This is certainly true in a narrow-minded perspective. However, we make
the following observations: a large body of algorithms building on top of factorization over finite fields do already involve a randomization that is expected to
“propagate”, see for example Ben-Or’s construction of irreducible polynomials [3]
or the index calculus method described in [48]; no one is aware of any explicit
construction law that would bias polynomials towards being more likely to be irreducible than factorizable [47, Problem 27]—indeed such a law would be a major
8
P. FLAJOLET, X. GOURDON, D. PANARIO
discovery!—so that the randomness assumption, even if somewhat heuristic1 , is
one decent way of coping with the current lack of our knowledge; simulations amply confirm that many varieties of polynomials produced by all sorts
of processes behave “as expected” with respect to factorization (see below for a
striking example);
accordingly, there exist several theoretical results demonstrating rigorously the fact that various systematic “laws” produce polynomials
whose behaviour with respect to factorization is just as predicted by the uniform
randomness model. As a typical illustration of the latter point, Hensley [33] has
established a “Dirichlet’s theorem” for the ring of polynomials over a finite field
to the effect that the distribution of irreducibles in any arithmetic progression (i.e.,
}
}
a sequence Â> ÈSÂ> ª Â> with M fixed) conforms to “normality”.
To demonstrate our point, here is an easily reproducible experiment. We build
quite specific polynomials by a deterministic process
and examine the mean numÆ
ber of irreducible factors that they contain. Let be the th prime and let ËÌÈ M
Æ
Hankel matrix filled with primes starting with L : the M entry of Ë is
be the
{;
Æ L G ; the test polynomial L >
ÃÄ= >? is the characteristic polynomial
@
° and reduce the of ËÌÈ M . In the experiment, we fix the dimension È
Æ
polynomials modulo various primes (actually the primes of rank « M µ M "« NJNJN )
@
MNJNJNJM . Here is the observed mean over each
upon averaging over values sample of size 100 as compared to the values predicted by the uniform model and
given in [40, Ex. 4.6.2.5].
Æ
Exact mean
Sample mean
7
53
311
1619
8161
38873
3.690
3.84
3.607
3.57
3.599
3.60
3.598
3.53
3.597
3.40
3.597
3.50
We purposely took here a small sample of special polynomials (characteristic
polynomials) associated with structured matrices (of Hankel type) built on particular coefficients (here the prime numbers). We indeed verify that the empirical
data conform quite well to what the uniform randomness model predicts.
This paper constitutes the journal version of an extended abstract presented at the
ICALP’96 Conference [18]. It is also organized as a survey of major probabilistic
properties of polynomials that are relevant to basic factorization algorithms.
1. ANALYTIC–COMBINATORIAL METHODS
Ò For instance the design of Pollard’s “rho method” for integer factoring is entirely based on similar
heuristics regarding integers; these were later largely vindicated by Bach [2].
9
ANALYSIS OF POLYNOMIAL FACTORIZATION
This section gathers basic tools needed to analyse properties of random polynomials. It centres around the use of generating functions, either univariate or
multivariate, whose functional relations reflect the algebraic decompositions of
various classes of polynomials. The asymptotic analysis of coefficients of generating functions is then attained by means of singularities. The results in this section
are classical, but they are needed to set the stage for subsequent analyses. General
references for this section are Chapter 3 of Berlekamp’s book [4], the exercise
section 4.6.2 of Knuth’s book [40], the paper [19] or Odlyzko’s survey [49] for
asymptotic techniques, and the book [20] for the interplay between combinatorial
and analytic methods.
1.1. Generating functions
We present first a few general principles that enable one to set up “symbolically” equations for generating functions starting from combinatorial specifications. Given a combinatorial object , the formal identity
µ
µ®¥
@
µ.ªAª
ª HJHH
generates symbolically arbitrary sequences composed of . Let be a family of
“primitive” combinatorial objects. Then, the products
d@
%µ#ª
M
@
!
and
" %µ®¥#
G N
(4)
generate respectively the class of all finite sets and multisets (sets with possible
by
repetitions) of elements taken from . (This results simply from expansion
G
distributivity and the remark above concerning the meaning of %µ®¥#
.)
We now specialize the discussion to monic polynomials2 and take to be the
collection of all monic irreducible polynomials. Then, by the unique factorization
property of polynomials, ! gives rise to the collection of all monic polynomials
and becomes the collection of all monic squarefree polynomials over 7 8 . Let $
be a formal variable, and % &% be the degree of the polynomial . The substitution
z|
$' ' in formal sums and products of objects gives rise to counting generating
function. For itself identified with the formal sum ( " , the generating
function is
ñ
)
*$
S@,+
" $ ' '
@-+
)
$
M
All subsequent enumeration results are for polynomials normailized so as to be monic.
10
P. FLAJOLET, X. GOURDON, D. PANARIO
)
where
is the number of polynomials in having degree È . Similarly, the
generating functions of and ! are obtained as reflexes of the decompositions (4):
.
4
*$
*$
±@
Q@
%µ.ª/$ ' '
@
G
%µ®¥$ ' '
@
0
21
3
G
0
13 N
"
G %µ¦¥$
%µ#ª/$
(5)
.
4 @
4
The coefficients
= $ ? *$ and
= $ ? *$ evaluate to the number of
monic squarefree polynomials of degree È , and to the number of monic polyno4 @
9 , and therefore we have a
mials of degree È , respectively. Obviously,
priori
S@
4
µ
N
(6)
$
µ®¥<95$
.
4
)
In other words, we know $ elementarily while *$ and *$ are bound by
4
their relations to $ .
)
First and foremost, the number of irreducible polynomials, , is determined
4
implicitly from the second equation of (5) that relates it to $ . A well-known
process based on the Moebius inversion formula gives it in explicit form; see [9,
p. 41], and Theorem 3.43 in [4, p. 84]. Indeed, taking logarithms and rearranging
the sums leads to
O
) 7 O
)
º
@6+ 0
@ +
µ
$
9
M
N
and
(7)
Ð
O G
O
µ®¥<95$
È
'
)
The relation is then solved for by means of Moebius inversion, which yields
:7 O
º
) @ µ +
) S@ + 0 8
µ O N
M
$
9
and
Ð
O
9
8
O
È
µ®¥<95$
G
'
In summary:
)
;=<=>@?BA
The number of irreducible polynomials over 78= >? satisfies
7`
7 O
@ 9
) Å@ µ +
9
N
9
ªQÉDC
(8)
È O 98
È
ÈFE
'
. @
Thus, a fraction very close to µÏ*È of the polynomials of degree È is irreducible.
This theorem is an analogue of the prime number theorem for integers. As an
aside, it was first proven by Gauss in the case of prime fields and it appeared in
his posthumous opus [27]; see also [15, 53] for early references.
ANALYSIS OF POLYNOMIAL FACTORIZATION
11
.
Next the number
of squarefree polynomials is entirely determined by the
.
)
knowledge of , given Equation (5). A direct way to make
explicit goes as
:
:·@HG H2I
G
follows: each polynomial factors uniquely as
, where is a squarefree
:
polynomial and I is an arbitrary polynomial (separate the irreducible factors of
+@J.
H 4
4
$
$ ,
according to the parity of their exponents). We thus have $
so that
4
.
S@
*$
@ µ®¥¨95$ N
4
*$
$
µ®¥<95$
Thus, the number of squarefree polynomials of degree È in 7 8 = >? is
@
M µM
. ¼@LK 9 G
if È
9
Â9Þ¥Qµ if È#Nk° N
(9)
This result seems to have appeared for the first time in Carlitz’s study [9].
1.2. Parameters
We need extensions of the symbolic method in order to take care of characteristic
parameters of polynomial factorization. Let O be a class of monic polynomials,
and P some integer–valued parameter on O . Then, the bivariate generating function
S@D+
$ M2R
$ ' ' RUT
"S
O Q
is such that the coefficient = $ R ? $ M2R represents the number of polynomials
of degree È in O with P –parameter equal to . Bivariate generating functions
contain all information related to the distribution of a parameter. Averages and
standard deviations are obtained by successive differentiations of these bivariate
generating functions with respect to R (the variable marking the parameter), and
@
then by setting R
µ .
: ¢S@
:D
¢
P. ªVP. for relatively
If the parameter P is additive, meaning that P. H
: M ¢v;
prime
of the form (5) generalize under
78= >? , then product decompositions
z|
$ ' 'R T
the translation rule . The technique of rearranging logarithms of
infinite products employed in (7) is then useful in simplifying such expressions.
For instance, the bivariate generating function of all polynomials with P the number
of their irreducible factors (multiplicity being counted) is
O
"13
O )
0
(
@
@
+
4
$
R
R
] N
$ M2R
Y[Z#\ O
(10)
XW G rµ®¥ $
G
Q
Much use is made of this technique in the next four sections.
12
P. FLAJOLET, X. GOURDON, D. PANARIO
A graphical rendering of the factorization types of 5 polynomials of degree 100 over ^:_ :
Each circle represents the degree of an irreducible factor with the circle areas being proportional to degrees. On this experiment, the 5 factorization types found are
`
`
`
`
`
Ûba å a2ca-Ûdca ä cfea ç aga åJä a äJæ ea ÛbaÛa å a2h5a2ia-ÛÛbaÛdcah ç ea ÛaÛba-ÛaÛba2h5a2cÛea å a å ajc ä e á
This illustrates the property that factorizations over finite fields are usually nontrivial and that
there tends to be one or a few irreducible factors of comparatively large degree (Theorems 3.1
and 3.2).
FIG. 3. Simulations of random polynomial factorizations.
1.3. Asymptotic analysis
Generating functions encode complete information on their coefficients. Furthermore, the behaviour of a generating function near its dominant positive singularity (“dominant” means in this context “of smallest modulus”) is an important
source of coefficient asymptotics.
:
@
The generating functions $ to be studied in this paper are singular at $
µÏ9
:¼@
and
Consequently, their coefficients
:most have there an isolated singularity.
: lk [m
¸po2q m G 7` @
= $ ? $ satisfy an estimate of the form
9
È , where Ðn
Zr% ÂÈ %
@
µ is a subexponential factor that reflects the nature of the singularity at $
µÏ9 .
@
µ*Ï9 of the form
In particular, an expansion near $
O
: (@
º
r
µ
µ
2s CÐ
$
%µ.ª/t%µ
(11)
rµ®¥¨95$
µ®¥<95$ E
translates into coefficients by the method known as singularity analysis [19, 49]:
s G
O
: @
: (@
º
r
È
Ð SÈ
(12)
= $ ? $
9 u
%µ#ª/t%µ N
v
The transition from (11) to (12) is ensured by transfer theorems that require analytic
:
continuation of *$ outside its circle of convergence, a condition that is verified
by inspection in most cases considered here.
A typical instance is the analysis of the number of irreducible factors in a random
polynomial of degree È . The bivariate generating function appears already in (10).
@
µ and then analysing the singularity
Differentiating with respect to R , setting R
@
at R
µ provides moment estimates [40, Ex. 4.6.2.5]; methods that build further
on singularity analysis even give access to a limiting distribution [7, 21].
ANALYSIS OF POLYNOMIAL FACTORIZATION
13
Let w
be the random variable that represents the number
of irreducible
factors in a random polynomial of degree È . Then the mean x¦w
and variance
y{z|
satisfy
w
;=<=>@?BA
x w
S@
º
Ð S
ȼªQÉv%µ M
In addition the distribution of w
mal.
¥x¦w
y{z|
r
w
Ï@}
S@
y{z|
º
РȼªQÉÅrµ N
w
(13)
is asymptotically nor-
Thus, the factorization of a polynomial is with high probability nontrivial; see
Figure 3 for a graphic illustration.
Another useful asymptotic coefficient extraction method is Darboux’s method [13,
:
$ defined in the closed
32] whose principle is as follows: if an analytic function
O
@
disk % $U%
Ê 1 is times continuously differentiable (~ ) on % $U%
µ , then its coefficients satisfy
O
: (@
N
= $ ? *$
t%µÏ*È
(14)
A recourse to Darboux’s method is needed in Section 4, given the existence of
natural boundaries for generating functions that occur specifically there.
1.4. The permutation model and large fields
The following fact is well-known: As the cardinality 9 of the field 78 goes to
infinity (È staying fixed!), the joint distribution of the degrees of the irreducible
factors in a random polynomial of degree È converges to the joint distribution of the
lengths of cycles in a random permutation of size È . This property is visible at the
generating functions level, whenever a generating function of polynomials taken at
|
) to the corresponding exponential generating function
$
Ï"9 converges (as 9
of permutations. For instance, the generating function of all monic polynomials,
z|
when normalized with the change of variable $
$
Ï"9 , is
@
@ +0
4
$
µ
$ M
C
È È
9 E
µ®¥$
which is also the exponential generating function of all permutations. Similarly,
we have
0
|
º
@
+
)
$
µ
$ M
C
Ð µ®¥$
G È{¥±µ È
9E 8
0
the exponential generating function of cyclic permutations. The relation (10)
4
)
between *$ and $ that expresses the unique factorization property for poly-
14
P. FLAJOLET, X. GOURDON, D. PANARIO
,'&¬^
_
SR` TvW*)X"
Y4Z
m T%]pm!,"' R`SuF{Y4Z¼ T%]dxmZ{o T%]dm,"'(RFmuDY4Z
m T]pmxoZ{o T%]km!,'(RFmu%Y 'SZ
DQo@[ \ '
mJ \ p T%]kU^
_
(RFmDR \ x"DY
Y¡!4Z
a!b b cdc"e&f
&RrDY4Z
'SZ
FIG. 4. The elimination of repeated factors algorithm (ERF).
nomials reduces as 9
|
to
@
º
µ
µ
M
fYXZCÐ
µ®¥$
µ®¥$E
which is well-kknown to express the unique decomposition of permutations into
cycles; see [20, 29] for background.
This gives rise to a useful heuristic: probabilistic properties of polynomial factorization are expected to have a shape resembling that of corresponding properties
of the cycle decomposition of permutations3. A precise instance of this fact is mentioned by Greene and Knuth [32] in connection with the probability that a random
polynomial admits factors of distinct degrees, which, for large 9 and large È is
. Such phenomena are clearly useful in understanding the
found to approach P
behaviour of polynomial factorizations in fields of “large” cardinalities—the case
of “small” fields then appearing as a “9 –deformation” with a typically mild effect.
Section 4 provides several examples related to quantifying the output of the DDF
factorization.
2. ELIMINATION OF REPEATED FACTORS (ERF)
The first step in the factorization chain summarized in Figure 4 is the elimination
of its repeated factors. In characteristic zero, this is achieved thanks to the following
:
:U
extracts all the
property: A gcd between a polynomial and its derivative
:
repeated factors of .
@ Æ Ç
Æ
In 7 8 with 9
and a prime number, additional control is needed in
Æ
order to deal with th powers whose derivatives are identically 0. The first line
of the algorithm in Figure 4 collects in one copy of each of the irreducible
:
Æ
factors of , except the ones whose multiplicity is a multiple of . The while
ò
There is a similar “resemblance” between properties of natural numbers whose representation in
base has length ô and polynomials of degree ô in [ . For additive properties, this corresponds
to a rough equivalence between additions with or without carries; for mixed additive-multiplicative
properties, the analogy lies however far deeper and is accordingly much less understood.
ANALYSIS OF POLYNOMIAL FACTORIZATION
15
¢
Æ
loop stores in the factors whose multiplicity is a power of , without eliminating
¢
their repetitions. The last part of the algorithm adds to the factors
in with
Æ
¢ G 7
repetitions eliminated. The auxiliary computation of th roots,
, is performed
}
G 7j @
}
.
in the classical way [28, p. 344], using the identity
ª
ª
There exist alternative algorithms giving the full squarefree factorization (see [40],
Ex. 4.6.2.36); however, as Theorem 2.1 below shows, the reduction of degree
induced by the additional computational effort is only Év%µ . We have opted for the
elimination of repeated factors by ERF (rather than the more common squarefree
factorization SFF) as the analysis develops more transparently while the overall
costs of the complete factorization chain are only very marginally affected by the
algorithm chosen for the first stage.
XU [¡£¢A¥¤[A
A random polynomial of degree ÈDN ° in 7 8 = >? has a
probability µ®¥Qµ*Ï9 to be squarefree.
The total degree ¦ of the non-squarefree part of a random polynomial of
degree È has an expected value that tends to the limit
) O
§ @¨+
O
O M
8
O W G 9
¥¨9
§
§ k
|
µ*Ï"9 as 9
in addition, the quantity 8 satisfies 8
.
The tail probabilities of ¦ decay exponentially fast:
O
:DS@y M : @
S@
©ª|
°
] N
¦
% %
È
É«\¬C
§E
Proof. Part is a classical result that we have already derived in (9). As for
part
, the bivariate generating function of the degree of the non-squarefree part
of monic polynomials in 78= >? is, by the symbolic method of Section 1,
O
1
(
@
4
$
O O
N
$ M2R
O W G C µ.ª µ®¥ R $ E
@
µ in the
The mean degree of the non-squarefree part is obtained by setting R
4
derivative of *$ MR with respect to R and the asymptotic estimate follows by
singularity analysis,
O
4 M2R
@
H +
4
) O $
$
O
$
O W G
R
® G
®
µ
¥
$
®
O
®
®¯
k
+
) O 9
µ
O
7
M
°
G 8 µ®¥¨95$ O W G
µ®¥<9
16
P. FLAJOLET, X. GOURDON, D. PANARIO
§
§
|F
hence the stated value of 8 . The asymptotic
of 8 as 9
is obtained
7`
O
O limit
) OÄ@
from there by the expansion
.
9 ª±ÉvÂ9
.
4
As regards part , consider the function *$ M §Ï"° and compare it with *$ ,
the generating function of squarefree polynomials:
O O
1
4
$ M §
Ï"° @
O$ ´
O O ]
N
.
\Xµ.ª
W
O
*$
rµ.ª±$ %µ®¥j ´ $
G
The infinite product is convergent and analytic in a disk that properly contains
@
4
§ Ï"° has a simple pole at $
% $U%#Ê µÏ9 . Thus, *$ M µ*Ï"9 , and by singularity
analysis, one has
9
µ
=$ ?
4
à¶
$ M § Ï"°
Thus the expectation x¦F§
Ï"°
tail bound.
9
µ
+
§
C
°UE²
' '
ý
@
Év%µ N
remains bounded, which implies the exponential
²
Theorem 2.1 has meaningful consequences for the recursive structure of the
,
procedure. The exponential tail of Part
implies that any polynomially
bounded function of the non-squarefree part stays of order ÉÅrµ on average. In
particular, the overall cost of the recursive calls (Step 4 in the top-level factor
procedure of Figure 1) is Év%µ on average. Accordingly, the ERF phase has a cost
: :Uý
.
entirely dominated by that of its first gcd, namely :³D M
XU [¡£¢A´¢A
The expected cost of the ERF phase applied to a random
polynomial of degree È is asymptotically that of a single gcd,
Í@µ9¶¬·Ä k ÍJ
N
È
3. DISTINCT-DEGREE FACTORIZATION (DDF)
The second stage of the factorization chain is the distinct-degree factorization
and it involves splitting a squarefree polynomial into polynomials whose irreducible factors all have the same degree. This means expressing the squarefree
}
O
where is the product of all the irreducible
polynomial in the form G H HJHH
}
factors of degree that figure in (assumed to be squarefree). The basic algorithm
is described in Fig. 5 and its design relies on the following property (see, e.g., [45],
17
ANALYSIS OF POLYNOMIAL FACTORIZATION
,'&¬i
i
SR-ÀTvW*)X"
Y4Z
s b b cQ½)D,pc"e&
¬W)X"t
T%]d'm(R-Y4Zvm T%]d(Z{ T%]H¸Z
po T] \ jq'
\ T]pe±)!'dmSZ
g h®sot T%]pm!,"' Rr¹¸u%mY4Z
n m T]dmxh®sotSZ
a!b b &p
,c½d'm-]of
w kh®sot¨[ \ p T]pj)'kmy!4Z
'SZ
&Rrh®s \ t.h®s g t
h+s tY4Z
a h®sotqc±'.{B*
'.Vd'm#%]of
'SZ
FIG. 5. The “basic strategy” of the distinct-degree factorization algorithm (DDF).
¼@
@
;
p. 91, Theorem 3.20): For N µ , the polynomial º
ÿ >
¥2>
78= >? is the
product of all monic irreducible polynomials in 78= >? whose degree divides .
O
Thus sweeping over successive values of and computing gcd’s with º leads to
a partial factorization. Three different stopping rules can be considered:
— The basic strategy explores all the values
version given in the algorithm in Fig. 5.
O
8
µ N N È and corresponds to the
— The half-degree strategy consists in stopping the DDF loop when
since at that moment the remaining factor is either µ or irreducible.
¼@
ÈXÏ° ,
— The early-abort strategy stops the main loop of DDF as soon as ° exceeds
¢
the degree of the remaining factor . In this case, the remaining factor is by
necessity irreducible.
The first rule is too naı̈ve to be of algorithmic interest but it serves the purpose
of introducing the basic methods needed. The analyses are carried out in Subsection 3.2. They benefit from informations regarding the two largest irreducible
factors of a random polynomial, a topic that we address first in Subsection 3.1.
See Figures 6 and 7 for numerical data.
3.1. Distribution of largest degrees of factors
A random polynomial has with high probability several irreducible factors
whose degree is of the order of È . The distribution of the largest degree among
the irreducible factors of a random polynomial over 78 underlies many problems dealing with polynomials over finite fields. For instance, information on
18
P. FLAJOLET, X. GOURDON, D. PANARIO
this distribution is useful when computing discrete logarithms in order to discard
polynomials that cannot be written in terms of smoothG¾ ones
¾ [48].
Specifically, we consider the two largest degrees »½¼ , »¿¼ of the distinct factors
of a random polynomial of degree È in 78 . Statistics on the largest degree of the
irreducible factors of a random polynomial in 7 8 = >? have already been considered
in the literature. Car [8] first
obtained an asymptotic expression for the cumulative
G¾
distribution function of » ¼ in terms of the Dickman function. This function is a
classical number-theoretic function that was originally introduced to describe the
distribution of the largest prime divisor of a random integer. We refer to [14, 16,
41, 43, 57] as general references to the Dickman function in relation to arithmetic
problems, especially Tenebaum’s analytic treatment of the Dickman function [57],
the paper of Knuth and Trabb Pardo on integer factorization [43], and Knuth’s
account in [41, Sec. 4.5.4].
G¾
;
;=<=>@?BA
The distribution of the largest degree » ¼ satisfies for all >
* M µ :
G¾
Ðn ¸ ©{|À » ¼ ʱ>ÂÁ @÷ Â> M
0
·
S@
where >
¦%µÏ*> and ¦ denotes the Dickman function. The Dickman function
is defined as the unique continuous solution of the difference-differential equation
S@
¦! R
µ
*Ê R Ê£µ M
In particular, one has
where
@N
R ¦[Ä% R S@
G¾ k
x¦*» ¼
¥Å¦ R ¥Qµ
RÆ
µ N (15)
SÈ M
N °«§° is known as Golomb’s constant; see [17].
G¾
¾
In the context of this paper, fine properties of » ¼ , » ¼ provide insight on the
stopping condition for the DDF stage. The statements of Theorems 3.1 and 3.2
that follow are borrowed4 from [50]. The proofs given in [50] rely on an original approach of Gourdon [30, 31] that leads to local limit theorems. Indeed,
TheoremsG¾ 3.1,
¾3.2 below, give the asymptotic distribution of the two largest de
grees »½¼ M »¿¼ where the limit density functions are accessed via their Laplace
µ
transforms. A key rôle is played by the exponential integral function defined by
UÉ
µ
I @¨Ç
0 P
N
È
FÊ
Ë
The authors take this opportunity to correct mistakes in the statements of Theorems 1 and 2 of [50]:
the error terms inadvertently written there as multiplicative terms should be read as additive correction terms (in accordance to the proofs that stand). See Tenenbaum’s informative review of [50] in
Mathematical Reviews, 2001, in press.
19
ANALYSIS OF POLYNOMIAL FACTORIZATION
1
0.8
0.6
0.4
0.2
0
0.2
0.4
0.6
0.8
1
FIG. 6. A plot of the “density” of the largest irreducible factor degree for polynomials of _ :
the representation of öÌôøÍÎFöÐÏ
Ò úôø , for degrees ôú/ÑdÒ2Ó2Ó2ÓjÒ*ÔdÕ and ×ÖØ ÙbÒjÑ (dashed lines)
shows fast convergence against the limit ÚöÌø (continuous curve).
G¾
The largest degree ½
» ¼ among the irreducible factors of a
random polynomial of degree È over 7 8 satisfies the “local limit” estimate
XU [¡JÛ"A¥¤[A
©ª|
G¾ @ÃÜ·.@
*» ¼
Ü
µ :½Ý
Ü
ÈØÞ
ªQÉ
º
Ð S
È
C Ü
E
M
:
where 8 is a continuous function that is defined by the inverse Laplace integral:
[ G
Uà Ìáâ G áâ
:
@
µ Ç
0 P
8
P
N
(16)
Ê
°5ß G
0
In other words, the largest degree is on average ÉÅÂÈ , and the probability that its
Ü
Ü
value equals is about µÏ
with a modulation factor that involves the Dickman
:
S@
function. (It can be verified by direct Laplace transform calculations that 8
¦!rµ*Ï 8 ¥kµ , with ¦ the Dickman function as defined by (15).) The next theorem
shows that similar estimates involving “Dickman-like” functions hold if a gap is
imposed or if one considers the joint distribution of the two largest factors.
G¾
¾
XU [¡JÛ"A´¢A
The two largest degrees » ¼ and » ¼ of the distinct factors
of a random polynomial of degree È in 78 satisfy
Ü
for Ê
ÊQÈ ,
Ü
º
Ü
S@ µ ¢ G Ý
©{|
Ð
È
G¾ @ÃÜ M ¾
M
Ü
*» ¼
» ¼ Ê
Ï"°
ªQÉDC Ü
ÈØÞ
E
20
P. FLAJOLET, X. GOURDON, D. PANARIO
50
40
30
20
10
20
40
60
80
FIG. 7. Two largest degrees for 1,000 random polynomials of degree
circle represents a value of the pair öÐÏ Ò
Ï ñ ø .
100
ôvúÃÑ2ÙdÙ
in
_ :
each
Ò
¢
where G 8 is defined by the inverse Laplace integral,
[ 7`
G
Uà Ìáâ G áâ
¢ G @
µ Ç
P
0
8
P
ÂM
Ê
°5ß G
0
Ü{
¬ãäÜ G
Ê±È ,
for Ê
Ü
Ü{
º
¢
Ý G M
©ª|
µ
Ð SÈ
M
G¾ @HÜ G M ¾ @HÜ{
S@
Ü G Ü
*» ¼
» ¼
ªQL
É C Ü G Ü
È
È£Þ
E
¢
where 8 G*M 8
is defined by
[ G
Uà Ìá5åæâ G á á å â
E ¢
GM
S@
µ Ç
P
0
8 8
P
N
G
°5ß
Ê
0
Figure 7 exemplifies the phenomena at stake by means of simulations. Estimates
similar to Theorems 3.1 and 3.2 hold for largest cycles in permutations [54] (this
is in agreement with the earlier discussion of the random permutation model of
Section 1.4) and for integers as shown by Knuth and Trabb Pardo in [43]. Arratia,
Barbour, and Tavaré [1] present an interesting asymptotic model, the PoissonDirichlet process, that puts these facts in perspective and covers random mappings,
integer partitions, permutations, integers, as well as polynomials.
3.2. Analysis of the distinct-degree factorization
The main result of this section, Theorem 3.3, provides a quantitative comparison
of the three stopping rules for the DDF algorithm. It is based on three lemmas,
one for each of the strategies to be analysed.
ANALYSIS OF POLYNOMIAL FACTORIZATION
21
We first fix some notation. The DDF algorithm in its basic version is specified
in Fig. 5. The computation in Step 1 is done by means of the classical binary
powering method [40, p. 441-442] that leads to introducing two number-theoretic
functions.
ç
[è:éê"éÐ?=é¥UêëÛA¥¤[A
The function ìDÂ9 is the number of ones in the binary
representation of 9 . The function í4î9 is defined as
íXÂ9
.@«î º
Ð b9 ï+ª±ìDî9 ¥±µ M
(17)
¸º ¢
and it represents the number of products needed to compute 8
by binary
powering.
By the exponential tail result of Theorem 2.1, we need only consider the cost of
}
:
DDF applied to the squarefree part of the input polynomial , and our subsequent
:
analyses are all relative to the statistics induced by a random input of degree È .
¢
O
Let
denote the degree of polynomial when the th iteration of the main
O
Ê
loop of DDF starts. The parameter is also the sum of the degrees of the distinct
:
Ê
factors of with degree N
.
XU [¡JÛ"AðÛ"A
The expected cost of the DDF phase satisfies
ñ
Í
· ñ k
%Í
ÍJ
#@Dî º
»Ø»
*íXÂ9 G ª
È ´
íXÂ9
Ð 9bï+ª±ìDî9 ¥±µ M
8
ñ
where 8
is a constant depending on the strategy ò ,
ÌóX @
ÌôöõS @ » @
» @N N
N §µ°» M
«::[ M
8
8
µ*°
µ
ø
àÂ÷ @
Ç 0 P
@N N
»
µ Ç 0 ®
µ
¡
¥
>
¥
P
fYXZ¿C[¥ ø
>
°ù §§[ M
¯ R
R
8
µ*°
§
Ê E
>
Ê
for the basic *ú
, half-degree *û»
or early-abort
µ9üÞ
strategy, respectively.
§ G
§#
§
§
§
ª
ª
ª
Proof. The cost of the basic DDF is
, where
denotes
³
cost of line number in the algorithm of Fig 5. Let´ § be
the
the expectation of
§
:
º
§
§ @
ª
. The
number of irreducible factors of is ÉvÐ .È , so that
º mean
´
³
§ G
§
.
ÉÅÂÈ Ð SÈ ; thus it suffices to consider
ª
:
O
The quantity is the sum of the degrees of the distinct factors of with degree
§
§
Í
Í
2ý
Ê
N
. Then, the quantity G ª
is equal to *íXÂ9 G ª
, where
ýl@
+
O M
(18)
Gÿþ O þ Ê
22
P. FLAJOLET, X. GOURDON, D. PANARIO
@
with the stopping value for the DDF loop. We have
È for the basic strat @
@y¸ z À G M
egy,
ÈXÏ° for the half degree rule,
Y » Ï"° » Á for the early abort
strategy, where » G , » are the largest and second largest degree of the distinct irreducible factors of the polynomial. The theorem follows from the three lemmas below.
@
By (18) taken with
È , the analysis of the basic strategy only involves an
additive parameter of polynomial factorizations. It is thus dealt with directly by
bivariate generating functions and singularity analysis, as summarized in Section 1.
The estimate also serves (by difference) in the analysis of the other two strategies.
ý
|
X¡ ¡ö<Û"A¥¤[A
The expected value of in the basic strategy satisfies, as È
,
ý Ì óà k
»
È[´ N
µ*°
O
Proof. The parameter is by definition the sum of the degrees
of the distinct
:
ý ÌóX
ý óX @
Ê
factors
of
with individual degree N
and the parameter
of (18) is
O
O
O
( G
. The bivariate generating function of is, by the basic
decompositions,
Ê
Ê
1
1
4 O MR (@
$
µ
R
N
C
*$
W O C µSª
µ®¥$ E
O µ®¥$ E
ý óX
The expected value of
is then given by
4 O
ý ÌóX @ µ
M
S@-+
* $ MR ª
C
= $ ? *$
*$
W
O
R
9
G
4 O
*$ MR
N
E ®® G
®
®¯
The basic relation (5) and a computation of *$ by logarithmic derivatives
S@ 4
G
r
*$ $ ª $ where
imply that $
S@ +
S@ +
)
+
)
N
´
G $
$
¥
$
$
and
W G
W O $
O W G
R
)
The function G $ is a simple variant of *$ , namely
´ )
N
µ )
C@$ Ê
C $ ¥
$
$ÂE
ù
E
Ê
@
Thus, G * $ has its dominant singularity at $
*µ Ï9 and near this point,
S@
G *$
4
k
$ G $
°
N
rµ®¥¨95$ ³
23
ANALYSIS OF POLYNOMIAL FACTORIZATION
4
Singularity analysis then yields = $ ? $
)
We next turn to $ . The estimate O
@
O
+
)
$
$
C
ª±ò
W O 9E
µ®¥$
so that
C
@
$
9E
$
µ
ª±ò®$ M
µ ª/$ rµ®¥$ ´
k
G $
9 È ´ 7FÏ
§ .
@
9
$ M
ò®*$
ª·ÉÅî9
O
ò
S@
$
S@
entails, for % $"%
O
$ O 7`
M
É C
E
9
ã
µ!ª ,
O O
O
°$ ò $
N
C
/
ª
ò
$
O W G
µ®¥$
E
+
O
The bounds satisfied by ò *$ make ò®$ regular beyond the unit disk. Thus,
4
singularity analysis can be applied to the function $Ï9 * $
Ï"9 . There are two
@
µ has greater weight. The
dominant singularities at µ and ¥ µ , but the one at $
|
resulting estimate, as $
µ ,
4
C
$
9 E
C
k
$
9 E
µ
M
°%µ®¥$ ³
implies that the È th coefficient is asymptotic to È ´ Ï
µ*° . Thus, finally,
@
%µÏ§¾ªpµ*Ï
µ*° È ´
»È ´ ϵ° .
ý óX k
The analysis of the Ghalf-degree
rule is related to Theorem 3.1 since it involves
¾
the distribution of » ¼ . In fact, it only depends on areas where the Dickman
function simplifies so that a direct argument can be applied.
X¡ ¡ö<Û"A´¢A
|
,
È
The expected value of
ý Ì ôöõS k
ý
for the half-degree rule satisfies, as
»
È[´ N
µb
ý ÌôöõS @
O þ 7`
O
(
Proof. We now have
differ
. It suffices to consider Gthe
¾
ý#@«ý ÌóX
ý ô õS @
7`
O þ O Ê
(
ence
. If the largest degree »½¼ satisfies
¥
Ê
G¾
G¾
G¾
ý(@
ý @
î
» ¼ ÊqÈXÏ"° , we have
» ¼ ¥ ÈXÏ° ï G¾ » ¼
. Otherwise we have
since there can be only one factor of degree larger than ÈXÏ"° , namely »¿¼ . Thus,
ý
the mean value of is given by
ý @
+
N
©ª|
È
G¾ @y Ý
*
»
¥
(19)
¼
7`
O þ
° Þ
24
P. FLAJOLET, X. GOURDON, D. PANARIO
By the symbolic method of Section 1, the generating function of polynomials
Ü
for which all factors have degree Ê
is
Ç
1
S
@
µ
O
N
P Ç $
(20)
O G C µ+¥$ E
G¾ @ÃÜ
Thus, the generating function of polynomials for which » ¼
S@
Q Ç
$
and the probability
Ç 1 M
P Ç $
µ®¥j%µ®¥$
S@
P Ç *$ ¥#P Ç G *$
©ª|
is
(21)
G¾ @p
*» ¼
is related to this generating function by
©ª|
G¾ @d@
*» ¼
9
µ
Æ
Q O
ÈXÏ"° , the È th coefficient of $
O
1 ® Q O @ 4
$
$
µ®¥Qrµ®¥$
O %µ¦¥$
When
=$
?
QO
*$ N
is obtained from
G
O
1 @ 4
) O
$
$ ªQÉÅ*$
G¾ @ ã
Ä@ ) O O k
©ª|
Ï9
µ*Ï Ìô for
ÈXÏ°
ÊIÈ . Plugging this
which entails *» ¼
ý k
ý õ @ ý Ìóà
ý k
G² È ´ .
¥
estimate into (19) gives
² È ´ . Thus
³`©
¯
The early-abort strategy needs to be handled in a more technical way. There
is a striking parallel with the analysis of integer factoring by trial divisions, as
stated in
given by Knuth and Trabb-Pardo [43]. The joint distribution of » GM »
Theorem 3.2 now intervenes.
ý
|
X¡ ¡ö<Û"AðÛ"A
The expected value of in the early-abort rule satisfies, as È
,
k ý àÂ÷ È[´ M
where
@
»
¥
µ °
µ Ç 0 P
§
æø
Ç 0
fYXZ C ¥ ø
P
R
R ¯ Ê E
µ®¥¨>
>
Ê
>
@N
N °:ù §§: N
(22)
Proof. Algebra. As above, we denote by » G the degree of the largest
:
irreducible factor of , and by »
the degree of the second largest irreducible
@
:
:
factor of (set »
if is irreducible). The iteration is now aborted at step
25
ANALYSIS OF POLYNOMIAL FACTORIZATION
@k¸ z À î G
ý àB÷ @
Y » Ï"°5ï M » Á and
ý @Hý Ìóà
¥
ý àB÷ @
(
O þ O
O
. Consider the difference
+
O N
F
7
(
'
O
õ å ) þ Ê
"!$#&% õ E
Ê
ý k
We need to prove the mean-value estimate
G²
¥
È ´ .
ý D@
î
ý @
G
G
G
G
We have
» ¥ » Ï"° ï » if » Ï"° Nû , and
ã
ý
» G Ï"°
» . Thus, the mean value of
is
ý @
+
©{|
» G
G¾ @
¾
» G C » G +
¥ *
*» ¼
» G*M » ¼
° ,E
õ E G
G¾
+
G » G ¥»
©{| » ¼ @ » GM » ¼
ª
»
õ å õ E þ
õ å
G
if
» G ¥»
»
Êp» G Ï°
¾ @
»
(23)
N
ý
Hence, the generating function .*$ of the cumulated values of the parameter
Q õ
is expressible
in
¾ terms of the generating function / E $ of polynomials for which
G¾ @
Q
» ¼
» G M » G¾ ¼ ʱ» G Ï°
,¾ and the generating function õ E õ å *$ of polynomials
@
@
» G M» ¼
» . By symbolic
methods, the generating function
for which » ¼
G¾ @ÃÜ
¾
Ü
of polynomials for which »¿¼
and »½¼ Ê
Ï° is
) Ç Ç
S@
Q Ç
7F(
'
$
/ $
(24)
P %Ç
$
Ç M
µ®¥$
¾
with P Ç $ defined
in (20). In ¾ the same way, the generating function of polyno@HÜ G
@HÜ{
Ü·
¬ã±Ü G
mials with » G ¼
and » ¼
,
is
Ç
) Ç
E $ E M
Q Ç Ç å S@ Q Ç å
E
(25)
$
*$
Ç E
µ®¥$
Q
with Ç $ defined in (21). Thus,
S@¨+
+
Q
» G
G ¥V»
» G Q õ E õ å $ N
.$
C@» G ¥ *
» G / õ E $ ª
*
»
° ,UE
õ E
õ å õ E þ
õ å
Analysis. The analysis of the generating function .*$ near the positive sin@
gularity $
µ*Ï"9 is done by approximating sums with integrals (Euler-Maclaurin
summation). The following property summarizes what is needed.
1
0U<" =éÐ?"¡öé¥> 2&[ ¡ö<"éÐ4
ê 3U[6
587d?=饡ö<?=UA
O
The remainders of the logarithmic
@
O
Ç $ Ï , are approximable in terms of the exponential inteseries, Ç $ ÿ (
gral,
â
Ç îP S@Hµ Ü ªQÉDC Ü µ
M
(26)
E
26
P. FLAJOLET, X. GOURDON, D. PANARIO
where the É –error term is uniform with respect to Æ
.
Justifying this for any Æ
only requires the Euler Maclaurin formula and
“subtraction of singularities”,
Ü
O
â
+
@-Ç
0
0 UÉ 7 Ï
Ç ÂP ±@ Ç
R
]
\ O
P
P
Ê
É Ç
â
â
Ç
Ê
P
±
¥
µ
¯
Ç
UÉ Ý @ µ Ü
¶
¶
0
Ç Ü M
Ç R S@ Ü µ Ç
ª
P Ü
M
ÞÊ
¯
S@
°
with *$
µ*ÏÂP ¥Qµ ¥Qµ*Ï5$ that is continuous over the positive half-line.
Q
The estimate of Equation (26) applied to P Ç $ and Ç *$ entails
9 7
9 7
G Ç
G Ç Ç â
â
"à Ç â
â
"à Ç â
@
@
Q
P
P
P
P
P
M
N
Ç
Ç
â
â
Ü
C
C
P
9«E
µ®¥<P
9DE
µ®¥<P
(27)
@ È
P Ï9 with I Æ , the evaluation (27) together with the expressions (24)
When $
and (25) of the intervening generating functions give
7`"
' È
È õ E "à % õ E
Ìõ E õ å È "à Ìõ å È
: P
;
;
:
Q õ
Q
P
P
P
õ E õ å *$
M
N
/ E $
G
G
I
I
»
» »
@ È
|
Approximating sums by integrals, when $
, <yields
P Ï"9 with I
<
ø È
Èø
ø 7F
"à È
"à È
k µ Ç 0
Ç <
<
P
µ =
.$
> P
P
>Dª I
¥ > >
P
> > N
ø
>X?
° I
Ê
@> >
Ê Ê
z|
|z
The change of variables I >
> and I >
> , rephrases the double< integral as
<
È
ø
ø
k
"
à
Ç
Ç
P
«
µ
°¦ª>¥¨P
°¦ª¬§A>Þª±°B>
0
0
. C
> ª I
P
> N
I³ > P
Ê
Ê
9ëE
>
³
These integrals simplify under partial integration, and one finds
È
k C
D
|
M
@ »
P
I
C
. C
¥ N
(28)
I³
9 E
°
|
is consistent with
Coefficients. The asymptotic form (28) of .*$ as I
the assertion that
kEC
(29)
= $ ? .*$
9 È[´ M
though it does not imply it. Indeed, an asymptotic estimate like (28) is confined to
the vicinity of the real line, since it can be proved that the function .$ admits its
ANALYSIS OF POLYNOMIAL FACTORIZATION
27
circle of convergence as a natural boundary. Thus singularity analysis cannot be
applied. (A Tauberian theorem could be tried, but Tauberian side conditions appear
to be delicate to establish.) We then proceed instead by an Abelian argument that
is based on a direct proof of existence of the limit
F
ÿ
@
Ðn ¸
0
µ
9 È ´
= $ ? .*$ N
(30)
Indeed, Theorem 3.2 applied to Formula (23) guarantees the existence of the limit
in (30) since
ý «k
+
¢ G » G
» G
C
» G C » G +
¥ *
° ,E
È-E
õ E G
G
G
+
G C »
¥Qµ ¢
C » M »
ª
»
»
E
È
ȨE
õ å õ E þ
õ å
ø
G
G
k
GÇ > ¢ G
Ç
Ç
¢
M
>
>
>¼ª >\ øb7`
C
¥±µ
> > > ] >IH¨È[´ M
°
Ê
>
Ê
Ê
E
where, in the second line, Riemann sums have been approximated by integrals.
This is sufficient to conclude on the existence of F in (30). This value must then be
identical to C Ï in accordance with (28) and (29).
The constant in the above proof is a close relative of the famous Golomb
constant that intervenes in the expectation of the longest cycle in a random permutation [54].
The global savings of the early abort strategy is thus of 36% compared to the
basic strategy, and of 15% compared to the half-degree rule. The expected cost of
º
DDF is ÉvÈ ´ Ð 9 and this cost dominates in the whole factorization chain.
4. THE OUTPUT CONFIGURATION OF DDF
The DDF procedure does not completely factor a polynomial that has different
irreducible factors of the same degree. However, as shown by the following results,
“most” of the factoring has been completed after DDF. First, the DDF procedure
produces a complete factorization with asymptotic probability greater than µ*Ï°
(Theorem 4.1). Next, the number of calls to the subsequent phase of EDF, that
is to say the number of degree values for which more than one factor occurs,
is only Év%µ , and the sum of the degrees where this happens (the total degree
º
of the fragments passed to EDF) is ÉvÐ .È . However, this total degree has a
fairly large variability so that the cost of EDF (to be analysed in the next section)
28
P. FLAJOLET, X. GOURDON, D. PANARIO
is comparatively small but not entirely negligible. Theorem 4.2 quantifies some
of these phenomena. They are established here by means of a hybridization of
singularity analysis and Darboux’s method, a general technique that we explain in
some detail when we first encounter it in the next theorem.
XU [¡KJUA¥¤[A
The asymptotic probability for the distinct-degree factorization to be the complete factorization is
C8
@
O W G
CDµ.ª
9
O
) O
¥±µE
%µ®¥<9
O
1 N
@N N
@N N
@N N
@N
In particular: C
N » M C
µ°§ M C
»ùµ M C
´
²
³
@
@
N »µù , and C
N »µ « M where L is Euler’s constant.
P
0
N »§» M C
²`
@N
Proof. Permutation model. We start with the analysis of the permutation
model, as this illustrates a “bare-bones” version of the method. By remarks above,
@,
this corresponds to the limit case 9
. The probability
that a permutation of
·
length È has all its cycles of different lengths is = $ ? *$ , where the generating
·
function *$ is susceptible to a variety of expressions obtained by the technique
of convergence factors:
O
·
@ 0
$
*$ ÿ
O G CDµ.ª E
O
7O
"° µ.ª $ 0
"°
@
$
P
CDµ.ª
P
µ®¥$ O
E
(31)
@
µª/$
µ M
C
Y[Z C ¥ Li $
µ+¥$
°
E EO
7O å 7
O å
å 7`
"° °
0
U°
°
$
H \ P
]
O
C µ.ª E P
@
¶
ò®*$ H *$ N
O
@
O W G
Here Li *$ ÿ (
is the classical dilogarithm function. The first factor,
$ Ï
ò®$ , in the bottom equality of (31) satisfies the conditions of singularityG analysis,
¶
(of class ~ ) on the
while the second one, $ is continuously differentiable
L °
closed unit disc » , since it is of the form P
where the coefficient = $ ? *$ is
ÉÅÂÈ ´ .
We thus have a situation where the generating function of interest is the product
@ N
O
of a singular part ò¦$ that satisfies strong analyticity properties outside of $
µ ,
¶
and of a function *$ of the Darboux type that is smooth on the closed unit disc » .
29
ANALYSIS OF POLYNOMIAL FACTORIZATION
We only need to justify the fact that dominant asymptotics of the coefficients
·
¶
= $ ? $ can be extracted “as though” $ were itself analytic on » .
N
The local expansions of ò®$ at its singularities µ are readily found to be
G 7`
7`
Q
@
Q
P
º
º
r
µ
P
ªQÉÅF%µ¦¥$ Ð rµ®¥$
ò G $
°"P
C
ª¬Ð
°rµ®¥$
E
7`
µ®¥$
P
±@ µ Q
º
F
ò G $
P
°$Þªkµ ª±Évr*$Þªpµ Ð !$ ªpµ M
«
with the error terms being ~ on » . In summary, we have found that
·
$
S@
C°P
7`
P
º
H ¶
µ
ª2Ð !%µ®¥$ ª I $
*$ M
µ®¥$
E
(32)
G
¶
for some I $ that is ~ , and $ that is ~ on » .
¶
@ ¶
%µ ªSR$ *$¹¥pµ with a function R*$ that is ~ ,
The expansion $
can then be inserted in (32). Darboux’s method applies to the resulting form for
·
$ (see the discussion relative to Equation (14) in Section 1.3), and one has
=$
?
·
$
S@
°
¶
`7
`7
QP
¶
@ G 0
rµ P
ª trµ M %µ ÿ P
O
CDµ.ª
µ
E
P
7 O G 7
O å
G
N
u
This finally simplifies using the infinite product formula for r µ :
·
S@ 0
= $ ? $
O G C[µ.ª
µ
E
P
7 O
G
ª trµ
S@
P
ª/t%µ N
This last estimate has been already established by Greene and Knuth [32] by
means of a Tauberian argument combined with bootstrapping. The method used
here is in contrast a hybrid of singularity analysis and of Darboux’s method. It
can be employed to derive complete asymptotic expansions, with roots of unity
that intervene in successive asymptotic terms corresponding to smaller and smaller
singularity weights. (This leads to fluctuating terms involving successive roots of
unity.)
Finite field model. We next turn to the case of a finite field of fixed cardinality 9 to which the same principles apply. The generating function of polynomials
with irreducible factors all of distinct degrees (but with single factors possibly
repeated) is, by standard decomposition formulæ,
O
O
O
O
·
(@
@
O
) O
)
$
O N (33)
$
*$ ª/$
ª/$ ´ ª HJHJH
O W G µ.ª
O W G C[µª
µ®¥$ E
30
P. FLAJOLET, X. GOURDON, D. PANARIO
@
An equivalent form that reveals the pole-like singularity
*µ Ï9 is obtained by
O at $
1
multiplying each term of the product (33) by %µ®¥$
,
O
O
·
S@
1 N
) O $ O
µ
C
$
.
µ
ª
r
¦
µ
¥
$
µ®¥<95$ O W G
µ®¥$ E
|
Thus, as $
·
9
$
k
G
, we have
C8
µ®¥<95$
M
C8
0
@
O G
C µ.ª
) O
9
O µ
¥±µ@E
rµ®¥¨9
O
1 M
(34)
and the preceding discussion applies, with the rôle of the dilogarithm function now
T
played by
) O
O
S@ + 0
O
N
$
O G C 9 ¥Qµ@E $
The hybrid method then yields,
=$ ?
·
C
@
$
9E
C 8Sª/t%µ M
which, by (34), is our statement.
Theorem 4.1 was obtained by Knopfmacher and Warlimont [38] and independently by the authors in [18]. The methods used in [18] as well as in the present
paper are however rather different from those of [38]. The paper [38] uses elementary techniques and derives constructive bounds. The methods developed here
are geared towards full asymptotic expansions and have been successfully used by
Gourdon [30] to solve the Golomb-Knuth conjecture [39, Ex. 1.3.3.23] regarding
the expectation of maximal cycle lengths in random permutations.
XU [K
¡ JUA´¢A
The number of degree values for which there is more than
one irreducible factor produced by DDF has an average that is asymptotic to the
constant
O
) O O
O
1
U
1
@
+
9
O N
C[rµ®¥¨9
¥Qµ®¥
O W G rµ®¥¨9
8
µ®¥¨9
E
º
The total degree G of the corresponding polynomials has expectation Ð DÈ(ª¹Év%µ
and standard deviation of order U È .
ANALYSIS OF POLYNOMIAL FACTORIZATION
Proof. Given a family V
31
of elements, the expression
µ
+
µ
#
¥
&W
formally generates all (finite) multisets of elements taken from V . The expression
µ.ª
+
"&W µ®¥#
µ
ª R \
&W µ®¥
¥Qµ®¥
+
]
"&W µ®¥#
formally generates all multisets each affected by a coefficient of R if there are
different elements comprising the multiset, and by a coefficient of µ otherwise. This
@
.
applies to the class of irreducible polynomials of each degree È , taking V
Thus, the bivariate generating function of the number of degree values for
which there are repeated elements is
O
O
) O
) O
O
U
1
4 M2R (@
$
$ O
O
R CD%µ¾¥$
N
$
¥Qµ®¥
(35)
O W G CDµ.ª µ®¥$ ª
µ®¥$ E E
The logarithmic derivative with respect to R satisfies
4 M
O
O
1
U1
$ µ @-+
4 M
%
®
µ
¥
$
C
[
r
®
µ
¥
$
¥Qµ®¥
O W G
$ µ
O
$ O
N
µ®¥$ E
) O
(36)
By our general discussion of the hybrid singularity analysis and Darboux method,
4
the quantity has an expectation that is asymptotic to the limit 8 of $ M µ Ï
|
4 M
µÏ9 . This quantity is thus nothing but the value of the right hand
$ µ as $
@
side of (36) at $
µÏ9 .
For the sum G of the degrees of these polynomials, an adaptation of (35) yields
the bivariate generating function,
O
O
1
O
O
) O
4 G M2R (@
$ O
$ O
R
R
] N
$
¥j
¥±µ
O W G \ C µ.ª
µ®¥$ E
µ®¥$
¶
We only discuss briefly the first moment of G . The mean value is 9 O = $ ? O 7`*$
,
¶
) O@
4
where *$ equals G $ M2R % G . Thanks to the
expansion G
9 ªjÉÅî9
,
@
¶
G º
near $
to %µX¥Å95$
. Thus, the expectaµÏ9 , *$ is asymptotic
Ð rµ4 ¥Å95$
¯
¶
k º
tion of G taken over polynomials of degree È is 9
=
$ ? *$
Ð È . 4The second
factorial moment of G is obtained by a further differentiation of G $ M2R at
@
R
µ .
32
P. FLAJOLET, X. GOURDON, D. PANARIO
The analysis of G in Theorem 4.2 was given in [18] and Knopfmacher [35]
has independently obtained an estimate of the first two moments of .
It should be clear that the hybrid asymptotic method has great flexibility. As a
final illustration, we discuss a question of von zur Gathen and consider the quantity
/ that is the largest degree for which two or more factors occur. The generating
function of polynomials such that / Ê is in this case
O
O
· L S@
d"1 ) O $ O
N
$
C[µ.ª
O þ rµ®¥$
O
µ®¥$ E
L
L
Thus, the probability of /
C8
L @
Ê is, for large degree È and fixed , asymptotic to
O
O
U1
) O 9
O M
C µ.ª
(37)
O rµ®¥¨9
®
µ
¨
¥
9
E
L
and for large field cardinalities, these constants have a limit,
G 7 O
L @
G
µ
N
C
P
CDµ.ª
P
O
E
þ L
0
L @
We have µ ¥ C 8
@
9
being:
G @N
@N N
C
»µJ« M C
0
0
(38)
Év%µÏ for all fixed 9 , some representative values with
N 5§µ M C
0
@N
N
N ù§:ù M C ² @
0
N µ5 M C
0
G ` @ N
N »« N
Thus, (37) and (38) give the following simplified picture in the asymptotic limit
(È and 9 large).
;=<=>@?BA
A random polynomial has a small number, Év%µ , of “colliding” de
grees; the largest
colliding degree has a probability distribution tail that decays
like ÉÅrµ*Ï (for ÊjÈXÏ° ). Because of this slow tail
decay, the largest colliding
G Å@ ÉÅÂÐ º È , but a second
y
(
L
degree alone has a first Smoment
that
is
v
É
@
moment that is ÉÅ (pL µ
ÉvÈ .
These observations are seen to be consistent with what Theorem 4.2 asserts.
5. EQUAL-DEGREE FACTORIZATION (EDF)
After the first two stages of the general algorithm, the factorization problem has
been eventually reduced to factoring a collection of monic squarefree polynomials
O
all of whose irreducible factors have the same (known) degree . The third
step in the factorization process, the equal-degree factorization algorithm (EDF),
ANALYSIS OF POLYNOMIAL FACTORIZATION
33
,'&¬^
i
SRJ, TvW*)X"
uÅo T<
m!Y4Z
a!b , b cQj'&!,d *
'&,hc¬p'm
b o b f
p'm
RJ,Y/]dodd&R,Y2!4Z
T%]p'W(R`'m
àRJ,
Y¹ \ Y4Z
a ' k'*)£W*)X"
f
\ T%]kDRR`eUo=¹ \ Yx g Y¹ \ )'q,XZ
g ' T%]pm!,"' R-(u,Y[Z
&RF^
i
(R`'SuroYX^
iSR,x'(uroY
Y4Z
'SZ
FIG. 8. The equal-degree factorization algorithm (EDF).
focuses on polynomials with this special form. Our reference chain uses the
classical Cantor-Zassenhaus algorithm [6] for this purpose. The analysis combines
a recursive partitioning problem akin to digital trees —also known as “tries” [41,
46]— together with estimates on the degrees of irreducible factors of random
polynomials [37]. The net result is that the global cost of EDF is quadratic, a
sharp contrast with the cubic cost of DDF. For convenience, we first assume that
9 is odd, and relegate to Section 5.4 the case of a characteristic equal to 2.
The EDF algorithm is described in Fig. 8, and we briefly recall the principle
ç
X
here.
=éÐêU>@Zé Y\[ U]
è 5 ;ÅA
Let C be: a polynomial
that is a product of irreducible
@p: G MJNNJNJM :
factors C
, with each of degree . The Chinese remainder theorem
implies the ring homomorphism,
k@
: G 8^ HHJH ^
: M
78= >?ÂÏ C
78= >?Ï
78= >?Ï
and a random
element of 78= >?ÂÏ C is associated
to a -tuple
GMJNNJNJM , where
:
each is a random element of 78= >?Ï .
: The: following splitting principle makes it possible to isolate the various . Since
:
each is irreducible, the
is
multiplicative group of each component 78= >?ÂÏ
a fieldO isomorphic to 7 8 . Such a group being cyclic, there7`
are the same num 8 G @
µ discriminates
ber î9 ¥jµ Ï"° of squares and nonsquares. The test
in7`
this multiplicative group. Thus, taking a random and computing
the squares
8 G
} @
¸º
} M
¥Aµ
C , we have that
: ÿ
: :³[ C “extracts” the product of all the
for which is a square in 7 8 = >?ÂÏ
.
From the algorithmic standpoint, taking random polynomials , leads to succes@yO
sive refinements of each factor C
known to be composed solely of irreducible
polynomials of degree . The computation develops as a tree (Figure 9). From
34
P. FLAJOLET, X. GOURDON, D. PANARIO
ABCDE
ACD
BE
E
B
ACD
1
C
AD
A
D
FIG. 9. A tree of successive refinements by EDF of the factorization
_Dúa`cbedÏgf
.
:
the probabilistic pointG of view,
each
component
that
is
random
in
7
8
=
>
Â
?
Ï
@
G
¥ 8 of being discriminated by the gcd test and the dual
has probability v
G
@
G
probability, h
ª 8 of being a nonsquare—the (small) difference between v
and h is accounted for by the possibility of having noninvertible components.
Then, the analysis of the complete EDF phase (Section 5.3) requires a purely
combinatorial analysis of what takes place at each degree (Section 5.2) combined with an estimate of the probability that there are irreducible factors of
degree in a random polynomial of degree È . These probabilities give interesting
information on random polynomials and have been obtained by Knopfmacher and
Knopfmacher [37] whose results we recall in Section 5.1.
5.1. Irreducible factors of each degree
be the random variable counting the number of distinct irreducible
Let i
factors of degree in a random polynomial of degree È . We consider here as
fixed. The corresponding probability distribution was given in [37]. It can be
easily computed by the decomposition techniques of Section 1, as we now show.
XU [¡kjA¥¤
(Knopfmacher and Knopfmacher). The probability that there
are distinct irreducible factors of degree in a random polynomial of degreeO È
) O"
) O
is, for È large enough È/N
, given by the binomial distribution l M 9
,
namely,
©{|fÀ
@
i
=Á
@
C
) O
E
Â9
O
%µ¾¥¨9
O
j1
N
35
ANALYSIS OF POLYNOMIAL FACTORIZATION
Proof. The bivariate generating function for the number of irreducibles of
degree is, by the basic decomposition,
O
1
. O M2R ½@
"1o
$
O
$
CDµ.ª R
r
®
µ
¥
$
n
m
O
µ®¥$ E
O
@
1 N
µ
%µ.ªd R ¥Qµ $
µ®¥¨95$
|
@
The asymptotics as È
are derived from the polar singularity at $
µ*Ï9 : the
|
probability generating function of the distribution is in the limit È
,
O
1 M
%µ.ªd R ¥±µ 9
that is to say, the probability generating function of a binomial distribution l
As is easily observed, this asymptotic formula is even exact as soon as ÈN
O
) O M
9
.
) O
.
Since a binomial distribution corresponding to rare events converges to a Poisson
distribution, one has:
;=<=>@?BA
The probability distribution of the number of factors of degree in a
random polynomial of degree È is approximately a Poisson
law of parameter µ*Ï ,
©{|À
S@
: G7O
N
i
=Á
P
This fact is in accordance with the known distribution of cycle lengths in the
random permutation model [54]. The table below provides numerical values of
@
Q@
©{|À ¼@
i
=Á for µ M ° M § , when
µ M ° M § . The data corresponding to
@
@
M
degree È
° (for values of 9
° µ ) show an excellent fit with the Poisson law
@-
), even in the non-asymptotic regime.
(9
é
ï â Û
ï â å
ï â ç
p â
Û
p â å
p â ç
p â
Û
p â å
p â ç
p â
Û
p â å
p â ç
2
0.250
0.250
0.187
0.750
0.187
0.046
0.765
0.191
0.035
17
0.356
0.356
0.188
0.624
0.293
0.069
0.717
0.238
0.0396
q
0.367
0.367
0.183
0.606
0.303
0.075
0.716
0.238
0.039
5.2. EDF and splitting trees
36
P. FLAJOLET, X. GOURDON, D. PANARIO
For each value of , we can regard the EDF phase as an abstract splitting process
Î
Ü
as follows. Start with a group formed of individuals. (In EDF, if the degree of
O
ÜÀ@
Î
is , then,
.) By flipping coins, separate randomly into two subgroups,
Î
Î
Î
Î
and G , with the probabilities for each element to be sent to and G being
v and h . The process is repeated recursively until all elements have been isolated.
Clearly, any such recursive execution is described by a binary tree (Figure 9). The
corresponding randomness model
Ü
Ç Ç Ç M
Î @ÃÜ @
©{| Î @HÜ
C Ü v
%
%
% %
h
E
®
(39)
@ µ
@ µ
®
µ M
µ M
v
¥
h
ª
°
°9
°
°"9
that is induced by independent splittings then coincides with the one underlying
digital trees. Given the importance of the digital tree in the design and analysis of
algorithms many properties are known. We cite here:
;=<=>@?BA
Ü The expectation of the number of binary
nodes in a splitting tree,
relative to individuals and with probabilities *v M h , is
Ü
Ü r
Ü M
@
º
µ
º
µ M
%µ#s
ª r*
ª/t
û
v¹Ð
ª h Ð
û
v
h
Ü·
ã
with r
a fluctuating function of amplitude typically µ ² . The expectation
of the height of the tree is
G
N
t @ º
° º
Ü
t Ð
ªQÉÅrµ M
Ð *v ª h
The size estimate due to Knuth and De Bruijn around 1965 (published in the
1973 edition of [41]) involves the entropy function û ; the height estimate first
appeared in [22] (a paper already motivated
by
polynomial factorization) and it
ª h . Nowadays, these results are
involves the “coincidence probability” v u
best understood in the context of Vallée’s general theory of dynamical sources;
see [11, 58]. As a consequence of these estimates, splitting trees tend to be fairly
well balanced so that the cost of an EDF phase is expected to be close to that of
a perfect splitting. The lemma below provides an explicit expression for the costs
induced by the computational model at hand.
§ O
X¡ ¡öv
< jA¥¤[A
The expected cost
of the EDF algorithm applied to any
product of irreducible factors of degree is
Ç
Üw
Ç Ç +0 +
G O"Í G Í
F M
!̹¥±µ
]
\
C
ª
v
h
®
µ
j
¥
%
®
µ
¥
v
h
ª
8
°vh
E
Ç
ANALYSIS OF POLYNOMIAL FACTORIZATION
where 8
O @
íXrî9
O
¥±µ Ï°
º
8
G
Ð
(@
ª±ì
Ý 8
G
Þ
37
¥±µ N
Proof. It is convenient to regard an execution of the splitting process as a tree I
and to consider, with I M I G the root subtrees, a general cost function of the additive
type,
§
@
§
§ G N
(40)
=I ?
P È ª
= I ?
ª
=I ?
' '
È
I
Here P is a (problem specific) “toll” function that depends on the size % % , that is
' '
to say, the number of irreducible factors (of degree ) to be separated.
The subtree sizes obey the Bernoulli probability of (39). Also the subproblems
by design, the same characteristics as the whole tree.
described by I M I G have,
§
C of = I ? over trees of size satisfies the recurrence
Thus, the expectation
w
w
@
+
S@
+
C
C
C
P ª
v h
C ª C P ª
v h
ª/v
h C N
E
E
This translates in terms of the exponential
generating functions
§
@¨+"
µ
S@ +"
C $ Ï= M
*$
$
P $ Ï= M
into the functional equation
§
$
S@
µ
$
ª¬Pyx
° §
v $
ª¬P
s ° §
zhÂ$ N
This difference equation iterates, leading to the explicit generating function solu
tion
w
| {
§
@ + 0 +
° G s o o N
µ
C
(41)
*$
v
h
$
P
x
E
The analysis is completed by specializing this discussion to the EDF costs. The
toll function that arises from the top-level execution of the EDF procedure is then
} @
ÍJ
M
O Í
P
8 G ª
O
for pN ° . There, 8 is the number of multiplications of the binary powering
the naı̈ve multiplication
method, and the quadratic costs are induced by
and gcd
G
@
corresponds to the
algorithms considered here. The toll function P
rµD¥
µ
#@
°
coefficients of
$!ÂP %µ#ª±$ ¥jµ in (41). Extracting
generating function $
}
§
the resulting generating function $ in (41) and rescaling by P ÏP then yields the
statement.
38
P. FLAJOLET, X. GOURDON, D. PANARIO
5.3. Complete analysis
Completing the analysis of EDF only requires weighting the costs given by
©ª| ¾@
of finding irreducible
Lemma 5.1 by the probability i
factors
of
degree given by Theorem 5.1. By Lemma 5.1, the cost is ofG 7 the
O form ÉvÌ ´ ,
and by Theorem 5.1, the probabilities are approximately P
Ïf ; thus, we
expect the total cost of the DDF phase to be of the order of
+ H
C
O* ´
E
@
ÉvÈ
N
The main result of this section gives a firm basis to this heuristic computation and
determines the implied constant. In order to prove the final estimate of Theorem 5.2
below, we need two technical lemmas.
¼|
X¡ ¡öv
< jA´¢A
When
, one has for all such that ÊQÈ
1
@
©{| .@
O %µ.ªQÉÅrµ*Ï r M
~ i
9
where the ÉÅrµ*Ï
is uniform in . Moreover, the following uniform estimate holds
S@
©{| S@
µ
N
~ i
É C
E
Proof. When ¼
Ê±È , Theorem 5.1 yields
1
1 S@
M @ +
©{| S@
O
O` M ~ i
%µª
%¥ µ
9
9
G
@k¸
î
) O
n4 X
È Ï ï¥ª M ª
¥ N
@
is large,
ÉÅrµ*Ï
since
one has
1 1 O
O
1 1
@
@
+
`
O
% % Ê
% µ.ª½9
¥±µ Ê£%µ#ª½9
¥ µ
±
G 9
When
ÉÅrµ*Ï
N
This proves the first estimate. As for the
second one,
it suffices to note that
O
) O
) O
@
9
M
C
É C
Ê
E
E
and to use the first estimate of the lemma.
39
ANALYSIS OF POLYNOMIAL FACTORIZATION
X¡ ¡ö<vjAðÛ"A
§
The average costs
§ O @¨§ G O @
O
of Lemma 5.1 satisfy for all
§
O @
M
and, uniformly,
§
O @
°
vh
ÉvÌ
8
O"Í G
Í
ª
M
N
´
Proof.
The first relations are directG applications of Lemma 5.1. For the estimate
§ O
of
, the inequality µ®¥Qrµ®¥ R
Ê£ ¥Qµ R implies
§
O
Ê
@
Ç
+
+
Q
¥ µ
ª W
#
C
°
v h
Ç
Í
N
O Í G
!̹¥±µ
8
ª
v h
Üw
E
Ç
ÌÄ¥Qµ v
h
8
Í
O Í G
ª
The last equality holds since
+
+
Ç
Ç W
Since 8
O @
Év
Üw
C
E
v
Ç
@
h
+
Ç W
v
ª-h
Ç
@
µ N
°vh
, the statement follows.
We are now ready to prove the main result of this section.
XU [¡kjA´¢A
The expected cost of the EDF phase satisfies
7`
(
O
O
Í G
Í@µ
· lk
+
O M
O @
º
9 ¥±µ
9 ¥±µ
»
*%Ð
ª±ì C
¥±µ N
8
v h O G 8
°
,
°
E
º
In addition, this cost is ÉÅÂÈ Ð 9 and
H M
Í@µ
· lk
º
§ Í G
9
µ
µ
C
Ð 9
%µ
ª È
¥
ªtrµ
Ê Ê
ª t%µ N
»
«
9 ¥Qµ
E
§
§
(42)
Proof. The intuition behind the proof is that the major contribution comes
from situations where just 2 factors are present, the other cases having globally
µ¾O
a very small probability of occurrence. Let
be the expected value of the
40
P. FLAJOLET, X. GOURDON, D. PANARIO
to degree . By definition, we have
EDF algorithm corresponding
cost of the
µ¾OÄ@
@§ O
§ O
W!
©{| @
(
, where
is given by Lemma 5.1.
~i
¼|
as
When ° ÊQÈ , Lemma 5.2 and Lemma 5.3 entail,
,
1
Í G
µ
· O @ §#
O
O
F
@
+
O
»
rµ.ª±Év%µÏ
ª W É«C
´
ª±Év%µ N
9
E
v h 8
´
Æ
µ
·àOÄ@
7`
(
»
When °
. Thus, the overall cost of the EDF component
È , we have
@ E
O
O µ O
s ( O G 8 ª{ÉÅÂÈ . The second form of the cost is obtained from
is (
Ü·
º
Ü
Ü
x
µÊJìD
Ê µ+ª±Ð
, upon subtracting from ìD
its
the general inequality
G
º
Ü
“mean value” Ð
.
The quantity in the statement measures the default of uniformity in binary
representations of numbers related to the powers of 9 . Under the unproven assumption that such representations behave like random integers, the arithmetic
function should be close to . This assumption is well supported by empirical
@
evidence: for instance, with 9
µ5 , we have
²
@
¥
N «°» M G @
¥
N M
@
¥
For all practical purposes, we may safely regard 5.4.
N °« M @
²
¥
N µ N
as being asymptotic to 0.
Equal-degree factorization in characteristic 2
In the previous sections, we have analysed in detail the equal-degree factorization over finite fields with odd characteristic. For these cases, we have followed the
algorithm by Cantor and Zassenhaus [6] who also provide a solution for the even
case that relies on factoring the polynomial in a quadratic extension. Ben-Or [3]
showed that this detour is not needed while proposing a method based on trace
computations.
Trace computations introduce only a small change in the EDF algorithm of
Ü
@
Ç
Fig. 8. Let be such that 9
° . In order to compute the traces, we replace
line µ by
\
T%]jI g R g g Y.
DR g DR%o")¹ \ YYV)'kh.Z
We observe that the analysis for the odd case is valid for the even case. First, the
@
@
h
µ*Ï"° ). Then, the cost of
splitting process is the same (with probabilities v
\
\
computing line is the same as the cost of computing line in Fig. 8. Indeed, the
XÜ
trace computations can be determined using basically
products
of a polynomial
[Ü
@y
º
containing factors of degree . This costs essentially
Ì
´ Ð 9 , the
same cost as in the odd case.
ANALYSIS OF POLYNOMIAL FACTORIZATION
Phase
ERF
DDF
EDF
Worst-case
ÉvÈ
º
ÉvÈ ´ Ð 9
º
ÉvÈ ´ Ð 9
41
Average-case
ÍJ
È
N °:ù
í4î9 Í G ª ÍJ
È ´
å
º
N G
F
Ý Í G å8
rµ
ª t rµ
´ 8 G Ð .9 H È
Þ
³
´
FIG. 10. A comparison of the worst cases and the average cases of the three phases of polynomial
factorization. (The cost of multiplying two polynomials of degree less than ô modulo a polynomial Ú
ñ
ñ
of degree ô is û ô , and the cost of a gcd between Ú and a polynomial of degree less than ô is û ñ ô .
Ò
The number of products needed to compute mod Ú is
öø!ú ñ (öø\ØÑ .)
6. CONCLUSIONS
In this paper we have shown how analytic combinatorics adapts well to the case
of polynomials over finite fields. A systematic usage of this methodology leads
not only to the derivation of basic probabilistic properties of random polynomials
over finite fields but also to the average-case analysis of a complete polynomial
factoring algorithm. Figure 10 summarizes the main results of the paper in terms of
the average-case analysis of the factoring algorithm and it provides a comparison
with worst-case behaviour.
It should be clear that a large number of variants of the factorization chain can
be analysed by our methods. For instance, specifics of the elimination of repeated
factors stage are largely immaterial from the expected complexity standpoint, since
they lead to identical results in asymptotic terms. A radical possibility is then to
bypass completely the first stage. In this variant, DDF not only produces the
polynomials for the EDF part but also returns a polynomial containing the nonsquarefree part of the original polynomial. Once more, there is no difference in
asymptotic terms.
Several authors [26, 34] have stated that from a worst-case perspective, and even
when considering fast arithmetic instead of the classical one, DDF is the bottleneck
for the factorization process. Our results confirm that such is also the case from
an average-case perspective. Chapter 15 of the recent book [24] further illustrates
this point with striking graphics.
Finally, we should mention here a few other algorithms that have been subjected
to a “Knuthian” analysis similar to what was conducted here. Panario and Richmond analyse in [52] the irreducibility test of Ben-Or that is based on trial DDF:
the analysis involves statistics on smallest degrees of irreducible factors and the
Buchstab function, a dual of the Dickman function. Rabin’s probabilistic construc-
42
P. FLAJOLET, X. GOURDON, D. PANARIO
tion of irreducible polynomials is also dealt with in [51]. Last but not least, the
Euclidean algorithm turns out to be somewhat easier to analyse for polynomials
than for integers: see the analyses by Knopfmacher and Knopfmacher [36] as well
as by Friesen and Hensley [23].
ACKNOWLEDGMENT
The work of Philippe Flajolet was supported in part by the c$¡ Q¢£@¤ Project (number IST-199914186) of the European Union. The work of Daniel Panario was done for the most part while with the
Department of Computer Science of the University of Toronto. We are grateful to Joachim von zur
Gathen for having put us in contact and for having incited us to analyse polynomial factorization in
detail. Thanks to Brigitte Vallée for many constructive suggestions regarding the general organization
of the paper. Thanks also to Helmut Prodinger and Allan Borodin for much appreciated support.
REFERENCES
1.
2.
c¥B¥B¦n§¨¦I©4ª¬«©Q¦&¥B®B&¯A¥\©48«°g«±©@¦&²&³a¤\¦´¦&¥¶ µ ©Q·¸«
Random combinatorial structures and
prime factorizations. Notices of the American Mathematical Society 44 (1997), 903–910.
¦&$¹I©Iºc«
Toward a theory of Pollard’s rho method. Information and Computation 90 (1991),
139–155.
3.
4.
5.
¶
²A¢~»c¥\©¼½« Probabilistic algorithms in finite fields. In Proc. 22nd IEEE Symp. Foundations
Computer Science (1981), pp. 394–398.
¶ B¥ ¶y¾ ¦A Q¿¡©Aºc« Algebraic Coding Theory. McGraw Hill, New York NY, 1968.
¯A$¹A Q¦&²A²I©AÀ&« Complexity of algorithms in algebraic number theory. In Number Theory. Proc.
First Conf. Canadian Number Theory Assoc. Walter de Gruyter, 1990, pp. 37–53.
6.
ÁQ¦&²A§A¥\©4°g«©4¦&²&³ÃÂA¦AÄ|Ä ¶ ²&¹&¦B¯AÄ©4Ŭ«
A new algorithm for factoring polynomials over finite
fields. Math. Comp. 36 (1981), 587–592.
7.
8.
9.
10.
ÁQ¦&¥\©¸¼½« Factorisation dans [ . C. R. Acad. Sci. Paris Ser. I 294 (1982), 147–150.
ÁQ¦&¥\©¸¼½« Théorèmes de densité dans Æ5 Ç . Acta Arith. 48 (1987), 145–165.
ÁQ¦&¥B¨§BÈy©¡ÉQ« The arithmetic of polynomials in a Galois field. Amer. J. Math. 54 (1932), 39–50.
ÁQ¹AA¥\©¸;«©¡¦A²&³Êª¨ ´ ¶ ħ=©\ª¬« A knapsack-type public key cryptosystem based on arithmetic in
finite field. IEEE Trans. Inform. Theory. 34 (1988), 901–909.
¶ ¶
¶
¶y¶
11.
ÁQ@µ ²&§=©¸ÀA«©A£@˦AÌA §=©¸Íc«©¡¦&²&³ÏÎ@¦&Iµ ©¸« Dynamical sources in information theory: a
general analysis of trie structures", Algorithmica 29 (2001), 307–369.
12.
ÁA˨²AÄ©Ð?« Factoring univariate integral polynomials in polynomial average time. In Proc.
EUROSAM 79 (1979), vol. 72 of Lecture Notes in Computer Science, pp. 317–329.
13.
14.
Á¡ Q§ ¶ §=©¡ÉQ« Advanced Combinatorics. Reidel, Dordrecht, 1974.
³ ¶ ¥¯&¨Ì²I©\Ñ8« On the number of positive integers Ò and free of prime factors ÓÕÔ
. Indag.
Math. 13 (1951), 2–12.
15.
° ¶ ³ y¶ ¾ ¨ ²&³@©8ª¬«
Abriss einer Theorie der höhern Congruenzen in Bezug auf einen reellen
Primzahlmodulus. J. reine u. angew. Math. 54 (1857), 1–26.
¾
16.
°Ö¨ Q¦&²I©&׫ On the frequency of numbers containing prime factors of a certain relative magnitude. Ark. Mat. Astr.Fys. 22 (1930), 1–14.
17.
£I¨²A$¹I©4·=« Golomb-Dickman constant. In Favorite Mathematical Constants (2000). Published
electronically at ØnÙÙËÚ4ÛÜÜÝÞËßnà=áâãnäâ"Ý\áZåänÜ"æçàÞËèéÜêà"ãç(ÙÝ(ãnÙnÜêà"ãç(ÙÝ(ãnÙIáëØnÙíìBÞ .
ANALYSIS OF POLYNOMIAL FACTORIZATION
18.
19.
20.
21.
43
¶
£I¦&Ì& §=©1Íc«©ÐA¯&¥B³AA²I©Qî8«±©¦A²&³ÕÍA¦&²A¦&¥B¨I©°g« Random polynomials and polynomial
factorization. In Automata, Languages, and Programming (1996), F. Meyer auf der Heide and
B. Monien, Eds., vol. 1099 of Lecture Notes in Computer Science, Springer-Verlag, pp. 232–243.
Proceedings of the 23rd ICALP Conference, Paderborn, July 1996.
¶
¾
£I¦&Ì& §=©&Íc«©B¦&²A³ï»Ö³&ð¡È I©B8« Singularity analysis of generating functions. SIAM Journal
on Discrete Mathematics 3:2 (1990), 216–240.
£I¦&Ì& ¶ §=©¸Í«±©A¦&²&³½· ¶ ³Añ ¶ò ¨ ¾ ©¡ª¬« Analytic Combinatorics. Book in preparation (2000).
óIôõ&ö÷&ôønù=ú¸ûü±úAõ&ý&þÊÿB÷õIú ü Gaussian limiting distributions for the number of components
in combinatorial structures. Journal of Combinatorial Theory, Series A 53 (1990), 165–182.
22.
23.
24.
óIôõ&ö÷&ôønù=úÖûcüúõ&ýAþvÿ$ùø$õ&ønù¸ú&ü A branching process arising in dynamic hashing, trie
searching and polynomial factorization. In Proc. 9th ICALP Symp. 1982 (1982), vol. 140 of
Lecture Notes in Computer Science, Springer-Verlag, pp. 239–251.
ó
øønýIúü¸õAý&þøyýôø@ú
gü , The statistics of continued fractions for polynomials over a
finite field. Proc. Amer. Math. Soc. 124 (1996), 2661–2673.
A÷&ýÖõyù&ønýIúAüú&õAý&þÖø&õBþAü Modern Computer Algebra. Cambridge University
Press, 1999.
25.
A÷&ýÖõyùAønýIú &üú¸õ&ý&þ½û¡õ&ý&õ÷@ú!gü Factoring polynomials over finite fields: a survey.
To appear in J. of Symb. Comp., 2000.
26.
A÷&ý"#õnù&øný@ú&üúnõ&ý&þ ÿ¡÷$¡ú&%8ü Computing Frobenius maps and factoring polynomials.
Comput. Complexity 2 (1992), 187–224.
27.
28.
Öõ'ú Öü Untersuchungen über höhere Mathematik. Chelsea, New York, 1889.
Öøyþ&þ&øú)(?ü±ú)*"õ$$÷\ú1ÿ¸üúõ&ý&þ,+=õ-õ&ýIú)gü Algorithms for Computer Algebra. Kluwer
Academic Publishers, Boston, 1992.
29.
30.
÷&ôþ&ønýIú/.íüú¡õ&ý&þnõ01/|÷&ý@úgü Combinatorial Enumeration. John Wiley, New York, 1983.
÷BþA÷&ý@ú@îgü Combinatoire, algorithmique et géométrie des polynômes. Thèse, École Poly-
technique, 1996.
31.
32.
÷BþA÷&ý@ú¸îgü Largest components in random combinatorial structures. Discrete Mathematics
180 (1998), 185–209.
2Bøyøný&ø¡ú/güú¡õ&ý&þ(;ý&ùIúgü Mathematics for the Analysis of Algorithms, 3 ed. Birkhäuser,
Boston, 1990.
33.
cønýôø4ú3gü Dirichlet’s theorem for the ring of polynomials over
Mathematics 123 (1986), 93–101.
34.
(õ&ô|ùB÷:nønýIú;cüú&õ&ýAþïÿA÷$¡ú%gü Subquadratic-time factoring of polynomials over finite fields.
In Proc. 27th ACM Symp. Theory of Computing (1995), pp. 398–406.
35.
(ýA÷$:<Qõ0&ø\ú=8ü On the degrees of irreducible factors of polynomials over a finite field. Disc.
Math. 196 (1999), 197–206.
36.
(
> ?ýA@ ÷AC$B :<Qõ0&ø\úAüú&õAý&þ(ýA÷$:<Qõ0&ø\ú=¬ü The exact length of the Euclidean algorithm in
45*6879 . Pacific Journal of
. Mathematika 35 (1988), 297-304.
37.
(ýA÷$:<Qõ0&ø\ú&ü±ú@õ&ý&þD(ýA÷$:<Qõ0&ø\ú3=8ü Counting irreducible factors of polynomials
over a finite field. SIAM Journal on Discrete Mathematics 112 (1993), 103–118.
38.
(ýA÷$:<Qõ0&ø\ú=¬ü±úõ&ý&þ"E õBôFG<÷Aý&ù=úH¬ü Distinct degree factorizations for polynomials over
a finite field. Trans. Amer. Math. Soc. 347 (1995), 2235–2243.
39.
(ý&ùIúgü The Art of Computer Programming, Vol.1: Fundamental Algorithms, 3 ed. AddisonWesley, Reading MA, 1997.
40.
(ý&ùIúgü The Art of Computer Programming, Vol.2: Seminumerical Algorithms, 3 ed. AddisonWesley, Reading MA, 1997.
44
41.
P. FLAJOLET, X. GOURDON, D. PANARIO
(ý&ùIúIgü The Art of Computer Programming, Vol.3: Sorting and Searching, 2 ed. AddisonWesley, Reading MA, 1998.
(ý&ùIú/gü Selected Papers on Analysis of Algorithms. CSLI Publications, Stanford, CA, 2000.
43. (ý&
ùI
úg
üú$õ&ý&þKJ*Bõ--Lû¡õBþA÷Iú+Qü Analysis of a simple factorization algorithm. Theoretical
42.
Computer Science 3 (1976), 321–348.
+=ønýùBõIú!8ü On the Chor-Rivest knapsack cryptosystem. J. of Cryptology 3 (1991), 149–155.
H üúAõAý&þMønþ&øBøùø\ú!8ü Finite Fields, vol. 20 of Encyclopedia of Mathematics and
45. + þ&ôú/¬
44.
its Applications. Addison-Wesley, 1983.
46.
47.
õ<÷&þIú8ü Evolution of Random Search Trees. John Wiley, New York, 1992.
&ôôønýI
ú gü +Qüú$õ&ý&þïÿ$ËõBôNýO1 ú.íü Open problems in finite fields. In Proc. 3rd Conference
of Finite Fields and their Applications. London Math. Soc., Lect. Note Series 233 (1996), 243–268.
48.
49.
50.
51.
Pcþ&ôO/1A÷@ú3=8ü Discrete logarithms and their cryptographic significance. In Advances in Cryptology, Proceedings of Eurocrypt 1984 (1985), vol. 209 of Lecture Notes in Computer Science,
Springer-Verlag, pp. 224–314.
Pcþ&ôO/1A÷@ú
=Ÿ Asymptotic enumeration methods. In Handbook of Combinatorics, R. Graham,
M. Grötschel, and L. Lovász, Eds., vol. 2. Elsevier, 1995, pp. 1063–1229.
ûAõAý&õ÷Iú güú
÷BþA÷&ý@úAîgüú¸õ&ý&þ½óIôõ&ö÷&ôønù=ú=ûü An analytic approach to smooth polynomials. In Algorithmic Number Theory Symposium (1998), vol. 1423 of Lecture Notes in Computer
Science, Springer-Verlag, pp. 226-236.
ûAõAý&õ÷Iú&güúûQùùønôú&Rüú&HSG0<÷Aý&þIú&Rüúõ&ýAþT%2÷AôËõ@úF=8ü Analysis of Rabin’s irreducibility
test for polynomials over finite fields. Preprint, 2000.
52.
ûAõAý&õ÷Iú&güúõAý&þUHSG0<÷Aý&þIúRü Analysis of Ben-Or’s polynomial irreducibility test. Random
Struct. Alg. 13 (1998), 439–456.
53.
54.
ÿ0)÷&V ýAø<Qõ&ý&ý@úJ;ü Grundzüge einer allgemeinen Theorie der höheren Congruenzen, deren Modul
eine reelle Primzahl ist. J. f. d. reine u. angew. Math. 31 (1846), 269–325.
ÿ&ø$$Aú+Qüú$õ&ý&þK+=ô÷AþIú&ÿ¸ü
Ordered cycle lengths in a random permutation. Trans. Amer. Math.
Soc. 121 (1966), 340–357.
55.
ÿA÷$Aú!%gü On the deterministic complexity of factoring polynomials over finite fields. Inform.
Process. Lett. 33 (1990), 261–267.
56.
ÿA÷$Aú %gü A new polynomial factorization algorithm and its implementation. J. Symb. Comp.
20 (1996), 363–397.
57.
J1øyý&øný-õ<Öú
gü Introduction to Analytic and Probabilistic Number Theory. Cambridge Uni-
versity Press, 1995.
58.
%Iõ&ôô3ønW ø¡ú/Rü Dynamical sources in information theory: fundamental intervals and word prefixes,
Algorithmica 29 (2001), 262–306.
© Copyright 2026 Paperzz