Berlekamp–Rabin algorithm: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 18:04, 15 August 2019 edit Bender the Bot (talk \| contribs) Bots 1,064,377 edits m →Correctness proof: switch to .com for Google Books; same content, but more trustworthy top-level ___domain, replaced: https://books.google.ru/ → https://books.google.com/ Tag: AWB ← Previous edit		Latest revision as of 20:25, 19 June 2025 edit undo OAbot (talk \| contribs) Bots 643,717 edits m Open access bot: url-access updated in citation with #oabot.
(43 intermediate revisions by 25 users not shown)
Line 1: {{short description\|Method in number theory}} In [[number theory]], the '''Berlekamp's root finding algorithm''', also called the '''Berlekamp–Rabin algorithm''', is the [[Randomized algorithm\|probabilistic]] method of [[Root-finding algorithm\|finding roots]] of [[Polynomial\|polynomials]] over a [[Finite field\|field]] <math>\mathbb Z_p</math>. The method was discovered by [[Elwyn Berlekamp]] in 1970<ref name=":0">{{cite journal \|author = \|editor= \|format= \|url= https://www.ams.org/mcom/1970-24-111/S0025-5718-1970-0276200-X/ \|title= Factoring polynomials over large finite fields \|type= \|origyear= \| agency = \|edition= Mathematics of Computation \|___location= \|year= 1970 \|publisher= \|at= \|volume= 24 \|issue= 111 \|number= \|pages = 713–735 \|page= \|series= \|isbn = \|issn = 00255718 \|doi = 10.1090/S0025-5718-1970-0276200-X \|bibcode = \|arxiv = \|pmid = \|ref= \|archiveurl = \|archivedate = \|language= en \|quote= }}</ref> as an auxiliary to the [[Berlekamp's algorithm\|algorithm]] for polynomial factorization over finite fields. The algorithm was later modified by [[Michael O. Rabin\|Rabin]] for arbitrary finite fields in 1979.<ref name=":1">{{cite journal \|author = M. Rabin \|editor= \|format= \|url= https://epubs.siam.org/doi/10.1137/0209024 \|title= Probabilistic Algorithms in Finite Fields \|type= \|origyear= \| agency = \|edition= SIAM Journal on Computing \|___location= \|year= 1980 \|publisher= \|at= \|volume= 9 \|issue= 2 \|number= \|pages = 273–280 \|page= \|series= \|isbn = \|issn = 00975397 \|doi = 10.1137/0209024 \|bibcode = \|arxiv = \|pmid = \|ref= \|archiveurl = \|archivedate = \|language= \|quote= }}</ref> The method was also independently discovered before Berlekamp by other researchers.<ref>{{cite book\| author = Donald E Knuth \| chapter = \| chapter-url = \| format = \| url = https://www.worldcat.org/title/art-of-computer-programming-vol-2/oclc/900627019&referer=brief_results \| title = The art of computer programming. Vol. 2 Vol. 2 \| orig-year = \| agency = \| edition = \|___location= \|date = 1998 \|publisher= \|at= \|volume= \|issue = \| pages = \| page = \| series = \| isbn = 9780201896848\| ref = }}</ref>▼ [[File:Elwyn_R_Berlekamp_2005.jpg\|thumb\|right\|Elwyn R. Berlekamp at conference on Combinatorial Game Theory at [[Banff International Research Station]]]] ▲In [[number theory]], ~~the~~ '''Berlekamp's root finding algorithm''', also called the '''Berlekamp–Rabin algorithm''', is the [[Randomized algorithm\|probabilistic]] method of [[Root-finding algorithm\|finding roots]] of [[Polynomial\|polynomials]] over athe [[Finite field\|field]] <math>\mathbb ~~Z_p~~F_p</math> with <math>p</math> elements. The method was discovered by [[Elwyn Berlekamp]] in 1970<ref name=":0">{{cite journal ~~\|author = \|editor= \|format=~~ \|url= https://www.ams.org/mcom/1970-24-111/S0025-5718-1970-0276200-X/ \|title= Factoring polynomials over large finite fields \|~~type= \|origyear= \| agency = \|edition~~journal= Mathematics of Computation ~~\|___location=~~ \|year= 1970 ~~\|publisher= \|at=~~ \|volume= 24 \|issue= 111 ~~\|number=~~ \|pages = 713–735 ~~\|page= \|series= \|isbn =~~ \|issn = ~~00255718~~0025-5718 \|doi = 10.1090/S0025-5718-1970-0276200-X \|~~bibcode~~ language= en \|~~arxiv~~ last1= Berlekamp\|~~pmid~~ first1= E. R.\|~~ref~~doi-access= free\|~~archiveurl = \|archivedate = \|language= en \|quote~~url-access= subscription }}</ref> as an auxiliary to the [[Berlekamp's algorithm\|algorithm]] for polynomial factorization over finite fields. The algorithm was later modified by [[Michael O. Rabin\|Rabin]] for arbitrary finite fields in 1979.<ref name=":1">{{cite journal \|author = M. Rabin ~~\|editor= \|format= \|url= https://epubs.siam.org/doi/10.1137/0209024~~ \|title= Probabilistic Algorithms in Finite Fields \|~~type= \|origyear= \| agency = \|edition~~journal= SIAM Journal on Computing ~~\|___location=~~ \|year= 1980 ~~\|publisher= \|at=~~ \|volume= 9 \|issue= 2 ~~\|number=~~ \|pages = 273–280 ~~\|page= \|series= \|isbn =~~ \|issn = ~~00975397~~0097-5397 \|doi = 10.1137/0209024 \|~~bibcode = \|arxiv = \|pmid = \|ref= \|archiveurl = \|archivedate = \|language= \|quote~~citeseerx= 10.1.1.17.5653 }}</ref> The method was also independently discovered before Berlekamp by other researchers.<ref>{{cite book\| author = Donald E Knuth \| ~~chapter = \| chapter~~author-~~url~~link = \|Donald ~~format~~E ~~= \| url = https://www.worldcat.org/title/art-of-computer-programming-vol-2/oclc/900627019&referer=brief_results~~Knuth \| title = The art of computer programming. Vol. 2 Vol. 2 ~~\| orig-year = \| agency = \| edition = \|___location=~~ \|date = 1998 \| publisher= ~~\|at~~= Addison-Wesley \|~~volume=~~ ~~\|issue~~isbn = 978-0201896848\| ~~pages~~oclc = ~~\| page = \| series = \| isbn = 9780201896848\| ref =~~900627019 }}</ref> == History == The method was proposed by [[Elwyn Berlekamp]] in his 1970 work<ref name=":0" /> on polynomial factorization over finite fields. His original work lacked a formal [[Correctness (computer science)\|correctness]] proof<ref name=":1" /> and was later refined and modified for arbitrary finite fields by [[Michael O. Rabin\|Michael Rabin]].<ref name=":1" /> In 1986 René Peralta proposed a similar [[algorithm]]<ref>{{cite journal \|author = Tsz-Wo Sze ~~\|editor= \|format= \|url= http://dx.doi.org/10.1090/s0025-5718-2011-02419-1~~ \|title= On taking square roots without quadratic nonresidues over finite fields \|~~type= \|origyear= \| agency = \|edition~~journal= Mathematics of Computation ~~\|___location=~~ \|year= 2011 ~~\|publisher= \|at=~~ \|volume= 80 \|issue= 275 ~~\|number=~~ \|pages = 1797–1811 ~~\|page= \|series= \|isbn =~~ \|issn = ~~00255718~~0025-5718 \|doi = 10.1090/s0025-5718-2011-02419-1 ~~\|bibcode =~~ \|arxiv =0812.2591 \|~~pmid = \|ref= \|archiveurl = \|archivedate = \|language= \|quote~~s2cid= 10249895 }}</ref> for finding square roots in <math>\mathbb ~~Z_p~~F_p</math>.<ref>{{cite journal \|author = R. Peralta ~~\|editor= \|format= \|url= https://ieeexplore.ieee.org/document/1057236~~ \|title= A simple and fast probabilistic algorithm for computing square roots modulo a prime number (Corresp.) \|~~type= \|origyear= \| agency = \|edition~~journal= IEEE Transactions on Information Theory ~~\|___location=~~ \|date=November 1986 ~~\|publisher= \|at=~~ \|volume= 32 \|issue= 6 ~~\|number=~~ \|pages = 846–847 ~~\|page= \|series= \|isbn =~~ \|issn = ~~00189448~~0018-9448 \|doi = 10.1109/TIT.1986.1057236 ~~\|bibcode = \|arxiv = \|pmid = \|ref= \|archiveurl = \|archivedate = \|language= \|quote=~~ }}</ref>. In 2000 Peralta's method was generalized for [[Cubic equation\|cubic equations]].<ref>{{cite journal \|author = C Padró, G Sáez ~~\|editor= \|format= \|url= http://dx.doi.org/10.1016/s0893-9659(02)00031-9~~ \|title= Taking cube roots in Zm \|~~type= \|origyear= \| agency = \|edition~~journal= Applied Mathematics Letters ~~\|___location=~~ \|date=August 2002 ~~\|publisher= \|at=~~ \|volume= 15 \|issue= 6 ~~\|number=~~ \|pages = 703–708 ~~\|page= \|series= \|isbn =~~ \|issn = ~~08939659~~0893-9659 \|doi = 10.1016/s0893-9659(02)00031-9 \|~~bibcode = \|arxiv = \|pmid = \|ref= \|archiveurl = \|archivedate = \|language= \|quote~~doi-access= }}</ref> == Statement of problem== Let <math>p</math> be an odd prime number. Consider the polynomial <math display="inline">f(x) = a_0 + a_1 x + \cdots + a_n x^n</math> over the field <math>\mathbb ~~Z_p~~F_p\simeq \mathbb Z/p\mathbb Z</math> of remainders modulo <math>p</math>. The algorithm should find all <math>\~~lambda_1,~~lambda</math> in <math>\~~ldots,~~mathbb ~~\lambda_k~~F_p</math> such that <math display="inline">f(\~~lambda_i~~lambda)~~\equiv~~= 0 ~~\pmod p~~</math> ~~for every possible~~in <math>i\mathbb F_p</math>.<ref name=":1" /><ref name=":2">{{cite book\| author = Alfred J. Menezes, Ian F. Blake, XuHong Gao, Ronald C. Mullin, Scott A. Vanstone ~~\| chapter = \| chapter-url = \| format =~~ \| url = https://www.springer.com/gp/book/9780792392828 \| title = Applications of Finite Fields ~~\| orig-year = \| agency = \| edition = \|___location=~~ \|date = 1993 \|publisher= Springer US ~~\|at= \|volume= \|issue = \| pages = \| page =~~ \| series = The Springer International Series in Engineering and Computer Science \| isbn = 9780792392828~~\| ref =~~ }}</ref> == Algorithm == === Randomization === Let <math display="inline">f(x) = (x-\lambda_1)(x-\lambda_2)\cdots(x-\lambda_n)</math>. Finding all roots of this polynomial is equivalent to finding its factorization into linear factors. To find such factorization it is sufficient to split the polynomial into any two non-trivial divisors and factorize them recursively. To do this, consider the polynomial <math display="inline">f_z(x)=f(x-z) = (x-\lambda_1 - z)(x-\lambda_2 - z) \cdots (x-\lambda_n-z)</math> where <math>z</math> is some ~~any~~ element of <math>\mathbb ~~Z_p~~F_p</math>. If one can represent this polynomial as the product <math>f_z(x)=p_0(x)p_1(x)</math> then in terms of the initial polynomial it means that <math>f(x) =p_0(x+z)p_1(x+z)</math>, which provides needed factorization of <math>f(x)</math>.<ref name=":0" /><ref name=":2" />. === Classification of <math>\mathbb ~~Z_p~~F_p</math> elements === Due to [[Euler's criterion]], for every [[monomial]] <math>(x-\lambda)</math> exactly one of following properties holds:<ref name=":0" /> Line 19 ⟶ 21: # The monomial divides <math display="inline">g_1(x)=(x^{(p-1)/2}+1)</math> if <math>\lambda</math> is quadratic non-residual modulo <math>p</math>. Thus if <math>f_z(x)</math> is not divisible by <math>x</math>, which may be checked separately, then <math>f_z(x)</math> is equal to the product of [[Polynomial greatest common divisor\|greatest common divisors]] <math>\gcd(f_z(x);g_0(x))</math> and <math>\gcd(f_z(x);g_1(x))</math>.<ref name=":2" />. === Berlekamp's method === Line 27 ⟶ 29: # Calculate remainders of <math display="inline">x,x^2, x^{2^2},x^{2^3}, x^{2^4}, \ldots, x^{2^{\lfloor \log_2 p \rfloor}}</math> modulo <math>f_z(x)</math> by squaring the current polynomial and taking remainder modulo <math>f_z(x)</math>, # Using [[exponentiation by squaring]] and polynomials calculated on the previous steps calculate the remainder of <math display="inline">x^{(p-1)/2}</math> modulo <math display="inline">f_z(x)</math>, # If <math display="inline">x^{(p-1)/2} \not \equiv \pm 1 \pmod{f_z(x)}</math> then <math>\gcd</math> mentioned ~~above~~below provide a non-trivial factorization of <math>f_z(x)</math>, # Otherwise all roots of <math>f_z(x)</math> are either residues or non-residues simultaneously and one has to choose another <math>z</math>. If <math>f(x)</math> is divisible by some non-linear [[Primitive polynomial (field theory)\|primitive polynomial]] <math>g(x)</math> over <math>\mathbb ~~Z_p~~F_p</math> then when calculating <math>\gcd</math> with <math>g_0(x)</math> and <math>g_1(x)</math> one will obtain a non-trivial factorization of <math>f_z(x)/g_z(x)</math>, thus algorithm allows to find all roots of arbitrary polynomials over <math>\mathbb ~~Z_p~~F_p</math>. === Modular square root === Consider equation <math display="inline">x^2 \equiv a \pmod{p}</math> having elements <math>\beta</math> and <math>-\beta</math> as its roots. Solution of this equation is equivalent to factorization of polynomial <math display="inline">f(x) = x^2-a=(x-\beta)(x+\beta)</math> over <math>\mathbb ~~Z_p~~F_p</math>. In this particular case problem it is sufficient to calculate only <math>\gcd(f_z(x); g_0(x))</math>. For this polynomial exactly one of the following properties will hold: # GCD is equal to <math>1</math> which means that <math>z+\beta</math> and <math>z-\beta</math> are both quadratic non-residues, Line 39 ⟶ 41: # GCD is equal to <math>(x-t)</math>which means that exactly one of these numbers is quadratic residue. In the third case GCD is equal to either <math>(x-z-\beta)</math> or <math>(x-z+\beta)</math>. It allows to write the solution as <math display="inline">\beta = (t - z) \pmod{p}</math>.<ref name=":0" />. === Example === Line 51 ⟶ 53: == Correctness proof == ~~Algorithm~~The algorithm finds [[factorization]] of <math>f_z(x)</math> in all cases except for ones when all numbers <math>z+\lambda_1, z+\lambda_2, \ldots, z+\lambda_n</math> are quadratic residues or non-residues simultaneously. According to [[theory of cyclotomy]],<ref>{{cite book\| author = Marshall Hall ~~\| chapter = \| chapter-url = \| format =~~ \| url = https://books.google.com/books?~~hl=en&lr=&~~id=__JCiiCfu2EC&~~oi=fnd&pg=PA1&dq~~q=Combinatorial+Theory+hall&~~ots~~pg=~~WeNDZ7uCSM&sig=a6JwSPPen2C2EysEnkSTXpUNaxM&redir_esc=y#v=onepage&q=Combinatorial%20Theory%20hall&f=false~~PA1 \| title = Combinatorial Theory ~~\| orig-year = \| agency = \| edition = \|___location=~~ \|date = 1998 \|publisher= John Wiley & Sons ~~\|at= \|volume= \|issue = \| pages = \| page = \| series =~~ \| isbn = 9780471315186~~\| ref =~~ }}</ref> the probability of such an event for the case when <math>\lambda_1, \ldots, \lambda_n</math> are all residues or non-residues simultaneously (that is, when <math>z=0</math> would fail) may be estimated as <math>2^{-k}</math> where <math>k</math> is the number of ~~dinstinct~~distinct values in <math>\lambda_1, \ldots, \lambda_n</math>.<ref name=":0" /> In this way even for the worst case of <math>k=1</math> and <math>f(x)=(x-\lambda)^n</math>, the probability of error may be estimated as <math>1/2</math> and for modular square root case error probability is at most <math>1/4</math>. == Complexity == Line 61 ⟶ 63: # Taking the <math>\gcd</math> of two polynomials via [[Euclidean algorithm]] works in <math>O(n^2)</math>. Thus the whole procedure may be done in <math>O(n^2 \log p)</math>. Using the [[fast Fourier transform]] and Half-GCD algorithm,<ref>{{cite book \| author = Aho, Alfred V. ~~\| chapter = \| chapter-url = \| format =~~ \| url = ~~http~~https://~~worldcat~~archive.org/~~oclc~~details/~~1147299~~designanalysisof00ahoarich \| title = The design and analysis of computer algorithms \| ~~orig-year = \| agency = \| edition = \|___location= \|~~date = 1974 \| publisher = Addison-Wesley Pub. Co \|~~at=~~ isbn ~~\|volume~~= 0201000296 \|~~issue~~ ~~= \| pages~~url-access = ~~\| page = \| series = \| isbn = 0201000296\| ref =~~registration }}</ref> the algorithm's complexity may be improved to <math>O(n \log n \log pn)</math>. For the modular square root case, the degree is <math>n = 2</math>, thus the whole complexity of algorithm in such case is bounded by <math>O(\log p)</math> per iteration.<ref name=":2" /> == References == {{reflist}} {{Number-theoretic algorithms}}~~<br />~~ [[Category:Algorithms]] [[Category:Algebra]]