Technion - Computer Science Department - Technical Report CS-2004-08 - 2004
Probabilistic Algorithm
for Finding Roots of Linearized Polynomials
Vitaly Skachek
Ron M. Roth
Computer Science Department
Technion | Israel Institute of Technology
Haifa 32000, Israel
e-mail: fvitalys, [email protected]
Abstract
A probabilistic algorithm is presented for nding a basis of the space of roots of a
linearized polynomial
t
X
L(x) = Li xq
i
i=0
over GF(q ). The complexity of the presented algorithm is O(nt) operations over
GF(qn ).
n
Keywords: Linearized polynomials; Probabilistic algorithms; Symbolic GCD.
1 Introduction
Let q be a xed power of a prime. A linearized polynomial over GF(q n) (with respect to
GF (q )) is a polynomial of the form
L(x) =
t
X
i=0
Li xq ;
i
This research was supported by the Israel Science Foundation (grant No. 94/99).
1
Technion - Computer Science Department - Technical Report CS-2004-08 - 2004
where Li 2 GF(qn). References [1, Section 3.4] and [2, Section 4.9] contain rather extensive
summaries of the properties of linearized polynomials. In particular, it is known that the
mapping GF(qn) ! GF(qn) dened by x 7! L(x) is a linear mapping over GF(q). Conversely,
every linear mapping GF(qn) ! GF(qn) over GF(q) can be realized as a linearized polynomial
of degree less than qn. Those properties of linearized polynomials imply that the roots of a
given linearized polynomial over GF(qn) in any extension eld of GF(q) form a vector space
over GF(q). For the application of linearized polynomials to coding theory, see [2] and [4].
One problem that arises in those applications is nding a basis over GF(q) of the set of
roots in GF(qn) of a linearized polynomial L(x) of degree qt < qn over GF(qn). Gaussian
elimination can be applied to nd such a basis in time complexity O(n3) operations over
GF(q). Alternatively, we may apply the known algorithms for root extraction, such as the
probabilistic algorithm of Rabin [3]; however, a direct application of the latter algorithm may
require a number of operations over GF(qn) that grows (at least) linearly with the degree of
L(x), i.e., the complexity may be exponential in t. In this work, we present a fast algorithm
for root extraction that is tailored specically to linearized polynomials. The complexity of
our algorithm is O(nt) operations over GF(qn).
2 Symbolic GCD
Let F (x) and G(x) be linearized polynomials over GF(qn). The symbolic product of F (x)
and G(x) is dened by
F (x) G(x) = F (G(x)) :
It is known that symbolic product satises associativity and distributivity (with respect
to ordinary polynomial addition), but in general it does not satisfy commutativity; i.e.
F (x) G(x) and G(x) F (x) are typically not equal (however, they are equal when the
coecients of F (x) and G(x) are in the ground eld GF(q); see [1] and [2]).
Let F (x) and G(x) be linearized polynomials over GF(qn) where G(x) 6= 0. A right
symbolic quotient and a right symbolic remainder associated with the pair (F (x); G(x)) are
linearized polynomials Q(x) and R(x), respectively, over GF(qn) such that
F (x) = G(x) Q(x) + R(x) and deg R(x) < deg Q(x) :
The polynomials Q(x) and R(x) can be computed by an algorithm akin to the ordinary
`long division' of polynomials, thereby showing that Q(x) and R(x) are well-dened and
unique. When R(x) = 0, we say that G(x) is a left symbolic divisor of F (x). Hence, the
set of linearized polynomials over GF(qn) with ordinary polynomial addition and symbolic
multiplication form a non-commutative Euclidean ring (with the polynomial x as the multiplicative identity).
The terms left symbolic quotient and left symbolic remainder are dened in an analogous
2
Technion - Computer Science Department - Technical Report CS-2004-08 - 2004
manner. Accordingly, we say that G(x) is a right symbolic divisor of F (x) if F (x) = Q(x) G(x) for some linearized polynomial Q(x).
Lemma 2.1 A linearized polynomial G(x) is a right symbolic divisor of a linearized
polynomial F (x) over GF(q n ) if and only if G(x) divides F (x) in the ordinary sense.
Proof. Starting with the \only if" part, let F (x) = Q(x) G(x) where Q(x) = Pi Qixq .
i
Then
F (x) = Q(G(x)) =
X
i
Qi (G(x))q = G(x) i
X
i
Qi (G(x))q ?1 ;
i
which means that G(x) divides F (x).
Conversely, suppose that G(x) divides F (x) and write F (x) = Q(x) G(x)+ R(x) where
deg R(x) < deg G(x). It follows from the \only if" part that G(x) divides both F (x) and
Q(x) G(x). Hence, it must divide R(x), thereby implying that R(x) = 0.
A special case of Lemma 2.1, where the coecients of F (x) and G(x) lie in the base eld
GF(q), is covered by Theorem 3.62 in [1] and Lemma 23 in [2, Chapter 4].
Example 1 Let be a root of x3 + x + 1 in GF(23) and let F (x) be the linearized
polynomial x4 + 3x over GF(23). One can verify that
F (x) = (x2 + 2 x) (x2 + x) ;
making G1 (x) = x2 + 2x a left symbolic divisor of F (x) and G2(x) = x2 + x a right
symbolic divisor. We also have
F (x) = (x2 + x + 2 ) G2 (x) ;
i.e., G2 (x) is an ordinary divisor of F (x). On the other hand, since the nonzero root, 2, of
G1 (x) is not a root of F (x), it follows that G1 (x) is not an ordinary divisor of F (x). Hence,
by Lemma 2.1, G1(x) is not a right symbolic divisor of F (x). And from
F (x) = G2 (x) (x2 + 4 x) + 2 x
we see that G2(x) is not a left symbolic divisor of F (x).
Let F (x) and G(x) be linearized polynomials over GF(qn), not both zero. A right symbolic
greatest common divisor of F (x) and G(x) is a monic linearized polynomial H (x) over GF(q n )
of a largest degree such that H (x) is a right symbolic divisor of both F (x) and G(x).
Proposition 2.2 Let F (x) and G(x) be linearized polynomials over GF(qn), not both
zero. The right symbolic greatest common divisor of F (x) and G(x) is unique and equals the
return value of the algorithm in Figure 1.
3
Technion - Computer Science Department - Technical Report CS-2004-08 - 2004
Input: linearized polynomials F (x) 6= 0 and G(x) over GF(qn);
R?1 (x) F (x); R0 (x) G(x);
for (i 1; Ri?1(x) 6= 0; i++)
Ri (x) Ri?2 ? Qi (x) Ri?1 (x), where deg Ri (x) < deg Ri?1 (x);
normalize Ri?2 (x) to be monic;
Output: Ri?2(x).
Figure 1: Algorithm for computing rgcd(F (x); G(x)).
Proof. Denote by the largest value of i in Figure 1 for which Ri (x) 6= 0. Suppose
that H (x) is a right symbolic greatest common divisor of F (x) = R?1(x) and G(x) = R0 (x).
From
Ri (x) = Ri?2 (x) ? Qi (x) Ri?1 (x)
it follows by ascending induction on i = ?1; 0; : : : ; +1 that H (x) is a right symbolic divisor
of Ri (x). This holds in particular for i = .
Conversely, from
Ri?2 (x) = Qi (x) Ri?1 (x) + Ri (x)
it follows by descending induction on i = +1; ; : : : ; ?1 that R (x) is a right symbolic
divisor of Ri(x); in particular, this holds for R0 (x) = G(x) and R?1(x) = F (x).
The unique right symbolic greatest common divisor of F (x) and G(x) will be denoted by
rgcd(F (x); G(x)).
In a similar manner, we can also dene the left symbolic greatest common divisor,
lgcd(F (x); G(x)), and compute it by an algorithm which is similar to the one in Figure 1.
Example 2 Using the notations of Example 1 we see that rgcd(F (x); G2(x)) = G2 (x),
yet lgcd(F (x); G2(x)) = x. Hence, the right and left symbolic greatest common divisors do
not have to be equal.
Proposition 2.3 Let F (x) and G(x) be linearized polynomials over GF(qn), not both
zero. Then
rgcd(F (x); G(x)) = gcd(F (x); G(x)) ;
where gcd(F (x); G(x)) is the monic (ordinary) greatest common divisor of F (x) and G(x).
Proof. Let H (x) be rgcd(F (x); G(x)). Since H (x) is a right symbolic divisor of both
F (x) and G(x), it follows from Lemma 2.1 that H (x) divides those two polynomials in the
ordinary sense. Hence, H (x) divides gcd(F (x); G(x)).
4
Technion - Computer Science Department - Technical Report CS-2004-08 - 2004
Conversely, let be the largest value of i in Figure 1 for which Ri (x) 6= 0. From
Ri (x) = Ri?2 (x) ? Qi (x) Ri?1 (x)
and Lemma 2.1 it follows by ascending induction on i that gcd(F (x); G(x)) divides Ri (x);
in particular, it divides R (x) = H (x).
Lemma 2.4 A linearized polynomial G(x) over GF(qn) is a right symbolic divisor (or
an ordinary divisor) of the polynomial xq ? x if and only if it is a left symbolic divisor of
n
that polynomial.
Proof. Starting with the \only if" part, suppose that
xq ? x = L(x) G(x)
n
for some linearized polynomial L(x). Next write
xq
n
? x = G(x) Q(x) + R(x)
(1)
for some linearized polynomials Q(x) and R(x) such that deg R(x) < deg G(x). Computing
the symbolic product of L(x) with both sides of (1) we obtain
L(x) (xq
? x) = L(x) G(x) Q(x) + L(x) R(x) = (xq ? x) Q(x) + L(x) R(x) :
Now, the two polynomials L(x) (xq ? x) and (xq ? x) Q(x) vanish at each element of
GF(qn); therefore, so must L(x) R(x). However,
log deg(L(x) R(x)) = log deg L(x) + log deg R(x) < log deg L(x) + log deg G(x) < n ;
where the logarithms are taken to base q. Hence, L(x) R(x) = 0 and, so, R(x) = 0.
n
n
n
n
The proof of the \if" part is similar.
3 Finding roots of linearized polynomials
Figure 2 presents a probabilistic algorithm for nding a basis over GF(q) of the roots in
GF(qn) of a given linearized polynomial over GF(qn).
By Proposition 2.3 we have that the computed linearized polynomial H (x) in Figure 2
equals gcd(xq ? x; G(x)). So, the roots of H (x) in GF(qn) are the roots of G(x) in that
eld, and the dimension of the linear space of these roots is r = logq deg H (x).
Given that the algorithm in Figure 2 halts, it is rather straightforward to see that it
returns a basis of the root space of H (x) and, hence, of G(x). The rest of this section is
n
5
Technion - Computer Science Department - Technical Report CS-2004-08 - 2004
Input: linearized polynomial G(x) over GF(qn);
H (x) rgcd(xq ? x; G(x)); = use the algorithm in Figure 1 =
n
let r = logq deg H (x);
compute a linearized polynomial P (x) such that xq ? x = H (x) P (x);
for (j 0; j < r; j ++) f
do f
select at random an element zj 2 GF(qn);
n
g
while P (zj ) is in the linear span of P (z0); P (z1); : : : ; P (zj?1) over GF(q);
g
Output: basis elements P (z0); P (z1); : : : ; P (zr?1).
Figure 2: Algorithm for nding a basis of the root space of G(x) in GF(qn).
devoted to showing that the algorithm indeed stops in expected time complexity O(nt) where
t = logq deg G(x).
Hereafter, by `operations over GF(qn)' we mean arithmetic operations in GF(qn) and
exponentiations to powers qi; observe that when the eld GF(qn) is represented through a
normal basis over GF(q) [2, Ch. 4], such exponentiations boil down to cyclic shifts of vectors
of length n over GF(q).
Lemma 3.1 The polynomial H (x) in Figure 2 can be computed in time complexity O(nt)
operations over GF(q n).
x
qn
Proof. When t n (the typical case), we apply the algorithm of Figure 1 to R?1 (x) =
? x and R0 (x) = G(x). Otherwise, we switch the roles of R?1(x) and R0 (x).
The time complexity of iteration i in Figure 1 is bounded from above by
(log deg Ri?2 ? log deg Ri?1 ) log deg Ri?1
operations over GF(qn), where the logarithms are taken to base q. Therefore, the overall
time complexity of computing H (x) is bounded from above by
X
(log deg Ri?2 ? log deg Ri?1 ) log deg Ri?1
i1
X
(log deg R?1 ? log deg R0 ) log deg R0 + ((log deg Ri?2 )2 ? (log deg Ri?1)2 )
i2
= O(nt)
operations over GF(qn).
Recall that r = logq deg H (x). The following lemma is obvious.
6
Technion - Computer Science Department - Technical Report CS-2004-08 - 2004
Lemma 3.2 The polynomial P (x) in Figure 2 can be computed in time complexity O(nr)
operations over GF(q n).
Lemma 3.3 Given the polynomial P (x), the expected time complexity of computing the
basis elements P (z0 ); P (z1); : : : ; P (zr?1) in Figure 2 is O(nr) operations over GF(q n).
Proof. In iteration j (which selects zj ), the values P (z0); P (z1); : : : ; P (zj?1) are linearly
independent over GF(q). Since deg P (x) = qn?r and P (x) divides xq ? x, it follows that
the size of the kernel of the linear mapping x 7! P (x) is qn?r . Therefore, when zj is
n
randomly selected from GF(qn), the probability that P (zj ) is not in the linear span of
P (z0 ); P (z1 ); : : : ; P (zj ?1) equals
q n ? q n?r+j
1 ;
=
1
?
n
r
q
q ?j
and the expected number of random selections until P (zj ) satises this property is
1 =1+ 1 :
q r?j ? 1
1 ? q 1?
r
j
Summing over j , the expected overall number of elements that are randomly selected in
Figure 2 is
rX
?1
1 + qr?j1? 1 = O(r) :
j =0
Now, for each selected element zj , we compute P (zj ) using O(n?r) operations over
GF(qn). Then, we check whether P (zj ) is in the linear span of P (z0); P (z1); : : : ; P (zj?1). To
this end, we assume that the latter elements are represented as row vectors of length n over
GF(q) in upper-triangular form, and apply Gaussian elimination on P (zj ) as an (j +1)st row.
This can be done in O(n(j +1)) operations over GF(q), or O(j +1) operations over GF(qn).
Hence, the overall expected time complexity for nding z0 ; z1; : : : ; zr?1 is O(nr) operations
over GF(qn).
Summing up the results of Lemmas 3.1, 3.2, and 3.3, we conclude that the overall time
complexity of the algorithm of Figure 2 is O(nt) operations over GF(qn) (or O(n2) operations
if t > n).
References
[1] R. Lidl, H. Niederreiter, Finite Fields. Cambridge, UK: Cambridge Univ. Press,
1984.
7
Technion - Computer Science Department - Technical Report CS-2004-08 - 2004
[2] F.J. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes. Amsterdam, The Netherlands: North-Holland, 1977.
[3] M.O. Rabin, Probabilistic algorithms in nite elds, SIAM J. Comput., 9 (1980),
273{280.
[4] R.M. Roth, Probabilistic crisscross error correction, IEEE Trans. Inform. Theory, 43
(1997), 1425{1436.
8