Berlekamp–Rabin algorithm: Difference between revisions

In [[number theory]], the '''Berlekamp's root finding algorithm''' (also ''Berlekamp-Rabin algorithm'') is the [[Randomized algorithm|probabilistic]] method of [[Root-finding algorithm|finding roots]] of [[Polynomial|polynomials]] over a [[Finite field|field]] <math>\mathbb Z_p</math>. The method was discovered by [[Elwyn Berlekamp|Berlekamp]] in 1970<ref name=":0">{{cite journal |author = |editor= |format= |url= https://www.ams.org/mcom/1970-24-111/S0025-5718-1970-0276200-X/ |title= Factoring polynomials over large finite fields |type= |origyear= | agency = |edition= Mathematics of Computation |___location= |date= 1970 |year= 1970 |publisher= |at= |volume= 24 |issue= 111 |number= |pages = 713–735 |page= |series= |isbn = |issn = 00255718 |doi = 10.1090/S0025-5718-1970-0276200-X |bibcode = |arxiv = |pmid = |ref= |archiveurl = |archivedate = |language= en |quote= }}</ref> as an auxiliary to the [[Berlekamp's algorithm|algorithm]] for polynomial factorization over finite fieldfields. The algorithm was later modified by [[Michael O. Rabin|Rabin]] for arbitrary finite fieldfields in 1979.<ref name=":1">{{cite journal |author = M. Rabin |editor= |format= |url= https://epubs.siam.org/doi/10.1137/0209024 |title= Probabilistic Algorithms in Finite Fields |type= |origyear= | agency = |edition= SIAM Journal on Computing |___location= |date= 1980 |year= 1980 |publisher= |at= |volume= 9 |issue= 2 |number= |pages = 273–280 |page= |series= |isbn = |issn = 00975397 |doi = 10.1137/0209024 |bibcode = |arxiv = |pmid = |ref= |archiveurl = |archivedate = |language= |quote= }}</ref>. The method was also independently discovered before Berlekamp by some other researchers.<ref>{{cite book| author = Donald E Knuth | chapter = | chapter-url = | format = | url = https://www.worldcat.org/title/art-of-computer-programming-vol-2/oclc/900627019&referer=brief_results | title = The art of computer programming. Vol. 2 Vol. 2 | orig-year = | agency = | edition = |___location= |date = 1998 |publisher= |at= |volume= |issue = | pages = | page = | series = | isbn = 9780201896848| ref = }}</ref>.

The method was proposed by [[Elwyn Berlekamp]] in his work<ref name=":0" /> on polynomial factorization over finite fields. OriginalHis original work lacked a formal correctness proof<ref name=":1" /> and was later refined and modified for arbitrary finite fields by [[Michael O. Rabin|Michael Rabin]].<ref name=":1" />. In 1986 René Peralta proposed a similar algorithm<ref>{{cite journal |author = Tsz-Wo Sze |editor= |format= |url= http://dx.doi.org/10.1090/s0025-5718-2011-02419-1 |title= On taking square roots without quadratic nonresidues over finite fields |type= |origyear= | agency = |edition= Mathematics of Computation |___location= |date= 2011 |year= 2011 |publisher= |at= |volume= 80 |issue= 275 |number= |pages = 1797–1811 |page= |series= |isbn = |issn = 00255718 |doi = 10.1090/s0025-5718-2011-02419-1 |bibcode = |arxiv = |pmid = |ref= |archiveurl = |archivedate = |language= |quote= }}</ref> for finding square roots in <math>\mathbb Z_p</math><ref>{{cite journal |author = R. Peralta |editor= |format= |url= https://ieeexplore.ieee.org/document/1057236 |title= A simple and fast probabilistic algorithm for computing square roots modulo a prime number (Corresp.) |type= |origyear= | agency = |edition= IEEE Transactions on Information Theory |___location= |date= 1986 |year= 1986 |publisher= |at= |volume= 32 |issue= 6 |number= |pages = 846–847 |page= |series= |isbn = |issn = 00189448 |doi = 10.1109/TIT.1986.1057236 |bibcode = |arxiv = |pmid = |ref= |archiveurl = |archivedate = |language= |quote= }}</ref>. In 2000 Peralta's method was generalized for cubic equations.<ref>{{cite journal |author = C Padró, G Sáez |editor= |format= |url= http://dx.doi.org/10.1016/s0893-9659(02)00031-9 |title= Taking cube roots in Zm |type= |origyear= | agency = |edition= Applied Mathematics Letters |___location= |date= 2002 |year= 2002 |publisher= |at= |volume= 15 |issue= 6 |number= |pages = 703–708 |page= |series= |isbn = |issn = 08939659 |doi = 10.1016/s0893-9659(02)00031-9 |bibcode = |arxiv = |pmid = |ref= |archiveurl = |archivedate = |language= |quote= }}</ref>.

Let <math>p</math> be thean odd prime number. Consider the polynomial <math display="inline">f(x) = a_0 + a_1 x + \dots + a_n x^n</math> over field <math>\mathbb Z_p</math> of remainders modulo <math>p</math>. OneThe havealgorithm toshould find all <math>\lambda_1, \dots, \lambda_k</math> such that <math display="inline">f(\lambda_i)\equiv 0 \pmod p</math> for every possible <math>i</math>.<ref name=":1" /><ref name=":2">{{cite book| author = Alfred J. Menezes, Ian F. Blake, XuHong Gao, Ronald C. Mullin, Scott A. Vanstone | chapter = | chapter-url = | format = | url = https://www.springer.com/gp/book/9780792392828 | title = Applications of Finite Fields | orig-year = | agency = | edition = |___location= |date = 1993 |publisher= Springer US |at= |volume= |issue = | pages = | page = | series = The Springer International Series in Engineering and Computer Science | isbn = 9780792392828| ref = }}</ref>.

Let <math display="inline">f(x) = (x-\lambda_1)(x-\lambda_2)\dots(x-\lambda_n)</math>. Finding all roots of suchthis polynomial is equivalent to finding its factorization into linear factors. To find such factorization it's is sufficient to split the polynomial into any two non-trivial divisors and factorize them recursively. To do this, consider the polynomial <math display="inline">f_z(x)=f(x-z) = (x-\lambda_1 - z)(x-\lambda_2 - z) \dots (x-\lambda_n-z)</math> where <math>z</math> is some randomany element of <math>\mathbb Z_p</math>. If one can represent this polynomial as the product <math>f_z(x)=p_0(x)p_1(x)</math> then in terms of the initial polynomial it means that <math>f(x) =p_0(x+z)p_1(x+z)</math>, which provides needed factorization of <math>f(x)</math><ref name=":0" /><ref name=":2" />.

Due to [[Euler's criterion]], for every [[monomial]] <math>(x-\lambda)</math> exactly one of following properties holds:<ref name=":0" />:

# MonomialThe monomial is equal to <math>x</math> if <math>\lambda = 0</math>,

# MonomialThe monomial divides <math display="inline">g_0(x)=(x^{(p-1)/2}-1)</math> if <math>\lambda</math> is [[quadratic residue]] modulo <math>p</math>,

# MonomialThe monomial divides <math display="inline">g_1(x)=(x^{(p-1)/2}+1)</math> if <math>\lambda</math> is quadratic non-residual modulo <math>p</math>.

PropertyThe writtenproperty above leads to the following algorithm:<ref name=":0" />:

# Calculate remainders of <math display="inline">x,x^2, x^{2^2},x^{2^3}, x^{2^4}, \dots, x^{2^{\lfloor \log_2 p \rfloor}}</math> modulo <math>f_z(x)</math> by consequently squaring the current polynomial and taking remainder modulo <math>f_z(x)</math>,

# If <math display="inline">x^{(p-1)/2} \not \equiv \pm 1 \pmod{f_z(x)}</math> then <math>\gcd</math> mentioned above provide a non-trivial factorization of <math>f_z(x)</math>,

If <math>f(x)</math> is divisible by some non-linear [[Primitive polynomial (field theory)|primitive polynomial]] <math>g(x)</math> over <math>\mathbb Z_p</math> then when calculating <math>\gcd</math> with <math>g_0(x)</math> and <math>g_1(x)</math> one will obtain a non-trivial factorization of <math>f_z(x)/g_z(x)</math>, thus algorithm allows to find all roots of arbitrary polynomials over <math>\mathbb Z_p</math>.

Consider equation <math display="inline">x^2 \equiv a \pmod{p}</math> having elements <math>\beta</math> and <math>-\beta</math> as its roots. Solution of this equation is equivalent to factorization of polynomial <math display="inline">f(x) = x^2-a=(x-\beta)(x+\beta)</math> over <math>\mathbb Z_p</math>. In this particular case problem is a bit simpler because it is sufficient to calculate only <math>\gcd(f_z(x); g_0(x))</math>. For this polynomial exactly one of the following properties will hold:

ManualA manual check shows that, indeed, <math display="inline">7^2 \equiv 49 \equiv 5\pmod{11}</math> and <math display="inline">4^2\equiv 16 \equiv 5\pmod{11}</math>.

Algorithm finds factorization of <math>f_z(x)</math> in all cases except for ones when all numbers <math>z+\lambda_1, z+\lambda_2, \dots, z+\lambda_n</math> are quadratic residues or non-residues simultaneously. According to [[theory of cyclotomy]],<ref>{{cite book| author = Marshall Hall | chapter = | chapter-url = | format = | url = https://books.google.ru/books?hl=en&lr=&id=__JCiiCfu2EC&oi=fnd&pg=PA1&dq=Combinatorial+Theory+hall&ots=WeNDZ7uCSM&sig=a6JwSPPen2C2EysEnkSTXpUNaxM&redir_esc=y#v=onepage&q=Combinatorial%20Theory%20hall&f=false | title = Combinatorial Theory | orig-year = | agency = | edition = |___location= |date = 1998 |publisher= John Wiley & Sons |at= |volume= |issue = | pages = | page = | series = | isbn = 9780471315186| ref = }}</ref> the probability of such an event for the case when <math>\lambda_1, \dots, \lambda_n</math> are all residues or non-residues simultaneously (that is, when <math>z=0</math> would fail) may be estimated as <math>2^{-k}</math> where <math>k</math> is the number of differentdinstinct values amongin <math>\lambda_1, \dots, \lambda_n</math>.<ref name=":0" />. In this way even for the worst case of <math>k=1</math> and <math>f(x)=(x-\lambda)^n</math>, the probability of error may be estimated as <math>1/2</math> and for modular square root case error probability is at most <math>1/4</math>.

AssumeLet thata polynomial's have degree is <math>n</math>. Here'sWe estimationderive ofthe algorithm's steps complexity as follows:

# Due to the [[binomial theorem]] <math display="inline">(x-z)^k = \sum\limits_{i=0}^k \binom{k}{i} (-z)^{k-i}x^i</math>, thuswe may transition from <math>f(x)</math> to <math>f(x-z)</math> may be done in <math>O(n^2)</math>, time.

# Polynomial multiplication and taking remainder of one polynomial modulo another one may be done in <math display="inline">O(n^2)</math>, thus calculation of <math display="inline">x^{2^k} \bmod f_z(x)</math> is done in <math display="inline">O(n^2 \log p)</math>,.

# Binary exponentiation works in <math>O(n^2 \log p)</math> as well,.

# Taking the <math>\gcd</math> of two polynomials via [[Euclidean algorithm]] works in <math>O(n^2)</math>.

Thus the whole procedure may be done in <math>O(n^2 \log p)</math>. Using the [[fast Fourier transform]] and Half-GCD algorithm,<ref>{{cite book| author = Aho, Alfred V. | chapter = | chapter-url = | format = | url = http://worldcat.org/oclc/1147299 | title = The design and analysis of computer algorithms | orig-year = | agency = | edition = |___location= |date = 1974 |publisher= Addison-Wesley Pub. Co |at= |volume= |issue = | pages = | page = | series = | isbn = 0201000296| ref = }}</ref> the algorithm's complexity may be improved to <math>O(n \log n \log pn)</math>. For the modular square root case, the degree is <math>n</math> is= equal to <math>2</math>, thus the whole complexity of algorithm in such case may beis estimatedbounded asby <math>O(\log p)</math> per iteration.<ref name=":2" />.