Certifying Irreducibility in Z[x]

John Abbott

May 12, 2020

arXiv [math.AC]
Abstract
We consider the question of certifying that a polynomial in Z[x] or Q[x] is irreducible. Knowing that a polynomial is irreducible lets us recognise that a quotient ring is actually a field extension (equiv. that a polynomial ideal is maximal). Checking that a polynomial is irreducible by factorizing it is unsatisfactory because it requires trusting a relatively large and complicated program (whose correctness cannot easily be verified). We present a practical method for generating certificates of irreducibility which can be verified by relatively simple computations; we assume that primes and irreducibles in $\mathbb{F}_p[x]$ are self-certifying.

A certificate that object X has property P is a “small” amount of extra information C such that some quick and simple computations with X and C suffice to confirm that X does have the property. We illustrate this vague definition with a well-known, concrete example.

Example 1.1.
We can certify that a positive integer n is prime using a Lucas-Pratt certificate [9]. The idea is to find a witness w such that w n − ≡ n and w ( n − /q n for all prime factors q of n − .

These certificates have a recursive structure, since in general we must certify each prime factor q of n − . To avoid infinite recursion we say that all small primes up to some limit are “self-certifying” (i.e. they need no certificate).

Thus a Lucas-Pratt certificate comprises a witness w, and a list of prime factors q , q , . . . of n − (and certificates for each $q_j$). Verification involves:

• verify that w n − ≡ n ;
• verify that each w ( n − /q j n ;
• verify that n − Q j q e j j for positive exponents $e_j$;
• recursively verify that each $q_j$ is prime.

The operations required to verify such a certificate are: iteration over a list, exponentiation modulo an integer, comparison with , division of integers, and divisibility testing of integers. These are all simple operations, and the entire function to verify a Lucas-Pratt certificate is small enough to be fully verifiable itself.

An important point in this example is that the certificate actually involves several cases: namely, if the prime is small enough, the certificate just says that it is a “small prime” (e.g. we can verify by table-lookup); otherwise the certificate contains a non-trivial body. In this instance there are just two possible cases.

We note that generating a Lucas-Pratt certificate could be costly because the prime factorization of n − must be computed.

The total cost of a certificate comprises several components:

• computational cost of generating the certificate;
• size of the certificate (e.g. cost of storage or transmission);
• computational cost of verification given the certificate;
• size and code complexity of the verifier.

In the case of certifying the irreducibility of a polynomial in Z[x] we could issue trivial certificates for all polynomials, and say that the verifier simply has to be an implementation of a polynomial factorizer. We regard this as unsatisfactory because the size and code complexity of the verifier are too high.

Z[x] and Q[x]

We can immediately reduce from Q[x] to Z[x] thanks to Gauss’s Lemma (for polynomials): let f ∈ Q[x] be non-constant then f is irreducible if and only if prim(f) ∈ Z[x] is irreducible, where prim(f) = αf and the uniquely defined, non-zero factor α ∈ Q is such that all coefficients of prim(f) are integers with common factor , and the leading coefficient is positive.

The problem of certifying irreducibility in Z[x] has a long history, and has already been considered by several people. Here is a list of some approaches:

• give a “large” evaluation point n such that f(n) has a large prime factor;
• degree analysis (from factorizations over one or more finite fields);
• a linear polynomial is obviously irreducible;
• Newton polygon methods (e.g. Schönemann, Eisenstein, and Dumas [4]);
• Vahlen-Capelli lemma [10] for binomials;
• Perron’s Criterion [8];
• the coefficients are (non-negative) digits of a prime to some base b (e.g. [8]).

Footnote: degree analysis has likely been known for a long time.

The first technique in the list was inspired by ideas from [3]; it seems to be new. In this presentation, we shall assume that the degree is at least , and shall concentrate on the first two methods as they are far more widely applicable than others listed.

Factor degree analysis is a well-known, behind-the-scenes technique in polynomial factorization. It involves using degrees of modular factors to obtain a list of excluded degrees for factors in Z[x].

We define a factor degree lower bound for f ∈ Z[x] to be ∆ ∈ N such that we have excluded all degrees less than ∆, e.g. through factor degree analysis. We can certify this lower bound by accompanying it with the modular factorizations used. Clearly, if degree analysis excludes all degrees up to deg f then we have proved that f is irreducible. Finally, we may always take ∆ = 1 without any degree analysis.

In many cases we can indeed prove/certify irreducibility via degree analysis. However, there are some (infinite) families of polynomials where one must use “larger” primes, and there are also (infinite) families where irreducibility cannot be proved via factor degree analysis (e.g. resultants, in particular Swinnerton-Dyer polynomials, see also [6]).
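Factor degree analysis as a checkable computation (an added example, not code from the paper or from CoCoA): for each prime it confirms that the supplied modular factors multiply to f, then intersects the degrees of all possible products to obtain the set D of factor degrees that are not excluded. Assumptions of this example: coefficient lists are lowest degree first, D ranges over the proper degrees 1, ..., deg f − 1, each prime must not divide the leading coefficient, the modular factors are taken to be irreducible without re-checking, and both sample polynomials are constructed for illustration.

```python
def poly_mul_mod(a, b, p):
    """Product of two coefficient lists (lowest degree first), reduced mod p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out


def product_degrees(degrees):
    """Degrees of every product of a sub-collection of the modular factors."""
    sums = {0}
    for d in degrees:
        sums |= {s + d for s in sums}
    return sums


def not_excluded_degrees(f, cert):
    """Return D, the proper factor degrees of f that the certificate leaves open.

    f    : integer coefficients, lowest degree first
    cert : list of (p, factors), each factor a monic coefficient list mod p
    The modular factors are assumed irreducible (not re-checked here).
    """
    deg_f = len(f) - 1
    D = set(range(1, deg_f))
    for p, factors in cert:
        lead = f[-1] % p
        if lead == 0:
            # assumption of this example: degrees must survive reduction mod p
            raise ValueError(f"{p} divides the leading coefficient")
        prod = [lead]
        for g in factors:
            if len(g) < 2 or g[-1] % p != 1:
                raise ValueError(f"non-monic or constant factor modulo {p}")
            prod = poly_mul_mod(prod, g, p)
        if prod != [c % p for c in f]:
            raise ValueError(f"factors do not multiply to f modulo {p}")
        D &= product_degrees(len(g) - 1 for g in factors)
    return D


def factor_degree_lower_bound(f, cert):
    """Smallest degree not excluded; deg f itself when D is empty (irreducible)."""
    D = not_excluded_degrees(f, cert)
    return min(D) if D else len(f) - 1


# Constructed sample 1: f = x^4 + 4x^3 + 3x^2 + x + 2 (degrees 1+3 and 2+2).
F1 = [2, 1, 3, 4, 1]
CERT1 = [
    (2, [[0, 1], [1, 1, 0, 1]]),     # x * (x^3 + x + 1)
    (3, [[1, 0, 1], [2, 1, 1]]),     # (x^2 + 1) * (x^2 + x + 2)
]
# Constructed sample 2: f = x^4 + 1, where degree 2 is never excluded.
F2 = [1, 0, 0, 0, 1]
CERT2 = [
    (3, [[2, 1, 1], [2, 2, 1]]),     # (x^2 + x + 2) * (x^2 + 2x + 2)
    (5, [[2, 0, 1], [3, 0, 1]]),     # (x^2 + 2) * (x^2 + 3)
]

if __name__ == "__main__":
    print(not_excluded_degrees(F1, CERT1))
    print(factor_degree_lower_bound(F2, CERT2))
```

An empty D for the first sample certifies irreducibility; for the second sample the result is only the lower bound ∆ = 2.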
Example 2.1.
The well-known, classical example of a polynomial which cannot be proved irreducible by degree analysis is x + 1 : every modular factorization is into either linears or quadratics, so this does not let us exclude the possible existence of a degree factor.

There are also many polynomials which can be proved irreducible by degree analysis, but are not irreducible modulo any prime; this property depends on the Galois group of the polynomial. For instance, f = x + x + 3 x + 4 is one such polynomial: modulo 2 the irreducible factors have degrees 1 and 3, and modulo 5 both factors have degree ; but it is never irreducible modulo p.

A degree analysis certificate comprises

• a subset D ⊆ { , , . . . , deg f } of “not excluded” factor degrees
• a list, L, of pairs: a prime p, and the irreducible factors of f modulo p

If D = ∅, we have a certificate of irreducibility; otherwise the smallest element of the set is a factor degree lower bound.

Verification of the certificate involves the following steps:

• for each entry in L, check that the product of the modular factors is f;
• for each entry in L, compute the set of degrees of all possible products of the modular factors; verify that their intersection is D;
• check that each modular factor is irreducible (e.g. use gaussian reduction to compute the rank of B − I where B is the Berlekamp matrix).

The main cost of the verification is the computation of B and the rank of B − I; the cost of computing B is greater for larger primes, so we prefer to generate certificates which use smaller primes if possible.

We would like to know, in practice, how costly it is to produce a useful degree analysis certificate, and how large the resulting certificate could be. More specifically:

• How many different primes should we consider? And how large?
• How to find a minimal set of primes yielding the factor degree subset?
• How many primes are typically in the minimal set?

In our experience, a minimal length list very rarely contains more than entries, but we should expect to consider many more primes during generation of the certificate. We can construct irreducible polynomials which require considering “large” primes to obtain useful degree information (e.g. x + N x + N where N = 1000000! ) but in many cases “small” primes up to around deg f suffice.

Z[x] via Evaluation

Bunyakowski’s conjecture (e.g. see page 323 of [7]) states that if f ∈ Z[x] is irreducible (and has trivial fixed divisor) then |f(n)| is prime for infinitely many n ∈ Z. Assuming the conjecture is true, we can get a certificate of irreducibility by finding a suitable evaluation point n (and perhaps including a certificate that |f(n)| is prime).

Applying Bunyakowski’s conjecture directly is inconvenient for two reasons:

• we want to handle polynomials with non-trivial fixed divisor;
• finding a suitable n may be costly, and the resulting |f(n)| may be large.

The first point is solved by an easy generalization of the conjecture: let f ∈ Z[x] be irreducible and δ be its fixed divisor, then there are infinitely many n ∈ Z such that |f(n)|/δ is prime. The second point is a genuine inconvenience: for some polynomials, it can be costly to find a “Bunyakowski prime,” and the prime itself will be large (and thus costly to verify). For example, let f = x +4 x +6 x +4 then the smallest good evaluation point is n = 6615 , and | f ( n ) | ≈ . × .

A large prime factor suffices

Here we present a much more practical way of certifying irreducibility by evaluation: we require just a sufficiently large prime factor. Let f ∈ Z[x] be non-constant, and let ρ ∈ Q be a root bound for f: that is, for every α ∈ C such that f(α) = 0 we have |α| ≤ ρ. We note that it is relatively easy to compute root bounds (e.g. see [2]).
The following proposition was partly inspired by Theorem 2 in [3], but appears to be new.

Proposition 2.2.
Let f ∈ Z[x] be non-constant, and let ρ ∈ Q be a root bound for f. Let ∆ ∈ N be a factor degree lower bound for f. If we have n ∈ Z with |n| > ρ such that |f(n)| = sp where $s < (|n| - \rho)^{\Delta}$ and p is prime then f is irreducible.

Proof. For a contradiction, suppose that f = gh ∈ Z[x] is a non-trivial factorization. We may assume that ∆ ≤ deg g ≤ deg h. We have $f = C_f \prod_{j=1}^{d} (x - \alpha_j)$ where d = deg f, $C_f \in \mathbb{Z}$ is the leading coefficient, and the $\alpha_j$ are the roots of f in C. We may assume that the $\alpha_j$ are indexed so that the roots of g are α , . . . , $\alpha_{d_g}$ where $d_g = \deg g$.

By evaluation we have f(n) = g(n)h(n) with all values in Z. Also f(n) ≠ 0 since |n| > ρ. We now estimate |g(n)|:

$g(n) = C_g \prod_{j=1}^{d_g} (n - \alpha_j)$

where $C_g \in \mathbb{Z}$ is the leading coefficient. Each factor in the product has magnitude greater than 1, so $|g(n)| \ge (|n| - \rho)^{\Delta} > s$. Similarly, |h(n)| > s. This contradicts the given factorization f(n) = sp.

When we have an evaluation point to which Prop. 2.2 applies we call it a large prime factor witness (abbr. LPFW) for f, ρ and ∆. We conjecture that every irreducible polynomial has infinitely many LPFWs; note that Bunyakowski’s conjecture implies this.

Example 2.3.
This example shows that it can be beneficial to look for large prime factor witnesses rather than Bunyakowski prime witnesses.

Let f = x + 12 x + 92 and take ∆ = 1. We compute ρ = as root bound, and then we obtain a LPFW at n = 5 with prime factor p = 81382739. In contrast, the smallest Bunyakowski prime is ≈ . × at n = 2865.

In the light of this example we exclude consideration of a certificate based on Bunyakowski’s conjecture, and consider only LPFWs.

We prefer to issue an LPFW certificate where the prime p is as small as “reasonably possible”. Our implementation searches for suitable n in an incremental way, since smaller values of |n| produce smaller values of |f(n)|, and we expect smaller values of |f(n)| to be more likely to lead to an “sp” factorization with small prime factor p — this is only a heuristic, and does not guarantee to find the smallest such p. We look for the factorization |f(n)| = sp by trial division by the first few small primes (and GMP’s probabilistic prime test for p).

LPFW certificate

An LPFW certificate comprises the following information:

• a root bound ρ,
• a factor degree lower bound ∆ ←− with degree analysis certificate,
• the evaluation point n > ρ,
• the large prime factor p of |f(n)| ←− (opt.) with certificate of primality.

Verification of an LPFW certificate entails:

• evaluating f(n) and verifying that p is a factor;
• verifying that the discarded factor s = |f(n)|/p satisfies $s < (|n| - \rho)^{\Delta}$;
• verifying that ρ is a root bound for f ←− see comment below;
• (if ∆ > ) verifying that ∆ is a factor degree lower bound;
• verifying that p is (probably) prime.

In many cases the root bound can be verified simply by evaluation of a modified polynomial: let $f(x) = \sum_{j=0}^{d} a_j x^j$ and set f ∗ ( x ) = | a d | x d − P d − j =0 | a j | x j , then if f ∗ ( ρ ) > then ρ is a root bound for f. Some tighter root bounds may require applying an (iterated) Gräffe transform to f first (e.g. see [2]).
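The verification steps listed above, together with the Lucas-Pratt check of Example 1.1 for the primality of p, written out as an added example (not code from the paper or from CoCoA). It assumes the standard Lucas-Pratt conditions (w^(n−1) ≡ 1 mod n, and w^((n−1)/q) ≢ 1 mod n for every prime q dividing n − 1), a “self-certifying” limit of 7, the sufficient root bound test f*(ρ) > 0 with ρ > 0, and that ∆ has already been justified by a degree analysis certificate. The sample polynomial x^4 + 1, its root bound and both primality certificates are constructed for illustration.

```python
from fractions import Fraction

SMALL_PRIMES = {2, 3, 5, 7}   # "self-certifying" limit, chosen for this example


def verify_pratt(n, cert):
    """Lucas-Pratt check.  cert is None for a self-certifying small prime,
    otherwise (w, {q: cert_of_q}) where the q are the prime factors of n - 1."""
    if cert is None:
        return n in SMALL_PRIMES
    w, factors = cert
    if n < 3 or not factors or pow(w, n - 1, n) != 1:
        return False
    rest = n - 1
    for q, sub in factors.items():
        if q < 2 or rest % q != 0:
            return False
        while rest % q == 0:
            rest //= q
        # the order of w must not divide (n - 1) / q, and q itself must be prime
        if pow(w, (n - 1) // q, n) == 1 or not verify_pratt(q, sub):
            return False
    return rest == 1            # the listed q account for all of n - 1


def is_root_bound(f, rho):
    """Sufficient test: f*(rho) > 0, where f* keeps |a_d| x^d and subtracts
    |a_j| x^j for every lower coefficient (f is listed lowest degree first)."""
    d = len(f) - 1
    lower = sum(abs(a) * rho**j for j, a in enumerate(f[:d]))
    return rho > 0 and abs(f[d]) * rho**d - lower > 0


def verify_lpfw(f, rho, delta, n, p, p_cert):
    """Check an LPFW certificate; delta is assumed already justified by a
    degree analysis certificate (delta = 1 needs none)."""
    if delta < 1 or abs(n) <= rho or not is_root_bound(f, rho):
        return False
    value = abs(sum(a * n**j for j, a in enumerate(f)))
    if p < 2 or value % p != 0:
        return False
    s = value // p                       # the discarded factor
    return s < (abs(n) - rho) ** delta and verify_pratt(p, p_cert)


# Constructed sample: f = x^4 + 1 with root bound 3/2.
F = [1, 0, 0, 0, 1]
RHO = Fraction(3, 2)
CERT_41 = (6, {2: None, 5: None})        # 40 = 2^3 * 5, witness 6
CERT_65537 = (3, {2: None})              # 65536 = 2^16, witness 3

if __name__ == "__main__":
    print(verify_lpfw(F, RHO, 2, 3, 41, CERT_41))         # f(3) = 2 * 41
    print(verify_lpfw(F, RHO, 1, 3, 41, CERT_41))         # same point, delta = 1
    print(verify_lpfw(F, RHO, 1, 16, 65537, CERT_65537))  # f(16) = 65537
```

At n = 3 the discarded factor s = 2 is below (3 − 3/2)^2 but not below (3 − 3/2)^1, so this witness is accepted only when ∆ = 2 is available.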
Example 2.4.
This example shows how degree information can be useful in finding a small LPFW. Let f = x − x + 7744 . We find that ρ = 33 is a root bound. Without degree information (i.e. taking ∆ = 1) we obtain the first LPFW at n = 65 with corresponding prime p = 13481269. In contrast, from the factorization of f modulo we can certify that ∆ = 2 is a factor degree lower bound for f. This information lets us obtain an LPFW at n = 47 with far smaller corresponding prime p = 14519.

We define a (minor generalization of) a Möbius transformation for Z[x]. The crucial property for us is that these transformations preserve irreducibility (except for some polynomials of degree ).

Definition 3.1.
Let $M = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ be a × matrix. Let $f = \sum_{j=0}^{\deg(f)} c_j x^j$ be a polynomial in Z[x]. We define the Möbius transform of f induced by M to be the polynomial $\mu_M(f) = \sum_{j=0}^{\deg f} c_j (ax+b)^j (cx+d)^{\deg(f)-j}$.

In our applications the matrix entries will be integers, and we shall suppose that at least one of a and c is non-zero.

Definition 3.2.
A Möbius transformation $\mu_M$ is degenerate if det M = 0.

Definition 3.3.
Let $\mu_M$ be a Möbius transform. We define the pseudo-inverse of $\mu_M$ to be the Möbius transformation corresponding to the classical adjoint $M^{adj} = \begin{pmatrix} d & -b \\ -c & a \end{pmatrix}$. We write $\mu^*_M$ to denote the pseudo-inverse.

$\mu_M$ .

Proposition 3.4.
Let $M = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ be non-singular, so $\mu_M$ is non-degenerate.

(a) Let f = αx + β be a linear polynomial. If $f(\frac{a}{c}) \neq 0$ then $\mu_M(f)$ is linear; otherwise $\mu_M(f) = \alpha b + \beta d$ is a non-zero constant.
(b) $\mu_M$ respects multiplication: $\mu_M(gh) = \mu_M(g)\,\mu_M(h)$.
(c) $\deg(\mu_M(f)) = \deg(f) \iff f(\frac{a}{c}) \neq 0$.
(d) If $\deg(\mu_M(f)) = \deg(f)$ then $\mu^*_M(\mu_M(f)) = D^{\deg(f)} f(x)$ where D = det M.
(e) If $\deg(\mu^*_M(f)) = \deg(f)$ then $\mu_M(\mu^*_M(f)) = D^{\deg(f)} f(x)$ where D = det M.
(f) If a, b, c, d ∈ Z and f ∈ Z[x] is irreducible and $\deg(\mu_M(f)) = \deg(f)$ then $\mathrm{prim}(\mu_M(f))$ is irreducible.

Proof. Parts (a) and (b) are elementary algebra. Part (c) follows from (a) and (b) by considering the factorization of f over a splitting field. Parts (d) and (e) are elementary for linear f; the general case follows by repeated application of part (b).

For part (f), suppose we have a counter-example f ∈ Z[x], then we have a non-trivial factorization $\mu_M(f) = gh$, but by (b) and (d) we deduce that $D^{\deg(f)} f = \mu^*_M(g)\,\mu^*_M(h)$ which is a non-trivial factorization, contradicting the assumption that f was irreducible.

Our interest in Möbius transformations is that they offer the possibility of finding a better LPFW certificate. Unfortunately we do not yet have a good way of determining which Möbius transformations are helpful.

Example 3.5.
Let f = 97 x + 76 x + 78 x + 4 x + 2 . We obtain a LPFW certificate with ρ = 7 / , ∆ = 1 , n = − with corresponding prime factor p = 10601.

Let M = ( − ) . Let g = prim($\mu_M(f)$) = ( x + 1) ; by Prop. 3.4.(f) since deg g = deg f a LPFW certificate for g also certifies that f is irreducible. For g we obtain a certificate with ρ = 1, ∆ = 1, n = 2 with much smaller corresponding prime factor p = 17.

Unsolved problem:
How to find a good Möbius matrix M given just f?

Naturally, if we generate a LPFW certificate for a transformed polynomial $\mu_M(f)$ then we must indicate which Möbius transformation was used. Given two polynomials f, g ∈ Z[x] of the same degree d, and M ∈ Mat × ( Z ), one can easily verify that g = prim($\mu_M(f)$) by evaluating f at deg(f) distinct rational points, and g at the (rational) transforms of these points, and then checking that the ratios of the values are all equal. So the extra information needed is M and $\mu_M(f)$.

Fixed divisors

Definition 3.6.
Let f ∈ Z[x] be non-zero. The fixed divisor of f is defined to be FD(f) = gcd{ f(n) | n ∈ Z }.

Some content-free polynomials have non-trivial fixed divisors: an example is f = x + x + 2 which is content-free but has fixed divisor .

Proposition 3.7.
Let f ∈ Z[x] be non-zero. Its fixed divisor is equal to:

FD(f) = gcd(f(1), f(2), . . . , f(deg f))

Proof.
The standard proof follows easily from representing f with respect to the “binomial basis” for Z[x], namely $\{ \binom{x}{k} \mid k \in \mathbb{N} \}$.

Polynomials having large fixed divisor δ cannot have small LPFW certificates because we are forced to choose large evaluation points since we must have $(|n| - \rho)^{\Delta} > \delta$. This problem becomes more severe for higher degree polynomials since the fixed divisor can be as large as d! where d is the degree.

We can reduce the size of the fixed divisor by scaling the indeterminate (i.e. a Möbius transformation for a diagonal matrix), or perhaps reversing the polynomial and scaling the indeterminate (i.e. a Möbius transformation for an anti-diagonal matrix). We have not yet investigated the use of more general Möbius transformations.

Let f ∈ Z[x] be content-free, irreducible with fixed divisor δ. Let q be a prime factor of δ, and let k be the multiplicity of q in |f(0)|. Then $g(x) = q^{-k} f(q^k x) \in \mathbb{Z}[x]$ has fixed divisor $\delta / q^k$. In practice, we consider several polynomials obtained by scaling x by q , q , . . . , q k ; in fact scaling by q − , q − , . . . can also be beneficial.

Our prototype implementation runs degree analysis and LPFW search “in parallel”: i.e. it repeatedly alternates a few iterations of degree analysis with a few iterations of LPFW search. If degree analysis finds a new factor degree lower bound, ∆, this information is passed to the LPFW search.

We adopted the following strategy for choosing primes during degree analysis: initially we create a list of “preferential primes” (e.g. including the first few primes greater than the degree), then we pick primes alternately from this list or from a random generator. The range for randomly generated primes is gradually increased to favour finding quickly a certificate involving smaller primes (since these are computationally cheaper to verify).

This strategy was inspired by some experimentation.
There exist polynomials whose degree analysis certificates must involve “large” primes: e.g. a good set of primes for x + 16 x + 5 x − x − must contain at least one prime greater than . Also, empirically we find that a degree analysis certificate for an (even) Hermite polynomial must use primes greater than the degree.

To issue a certificate, we look for a minimal cardinality subset of the primes used which suffices. This subset search is potentially exponential, but in our experiments it is very rare for a minimal subset to need more than primes.

As already mentioned, not all polynomials can be certified irreducible by degree analysis. A well-known class of polynomials for which irreducibility cannot be shown by degree analysis are the Swinnerton-Dyer polynomials: they are the minimal polynomials for sums of square-roots of “independent” integers. A more general class of such polynomials was presented in [6].

As we saw in Example 3.5, it can be better to issue a LPFW certificate for a transformed polynomial, but we do not yet have a good way of finding a good Möbius transformation. Our current prototype implementation considers only indeterminate scaling and possibly reversal: i.e. the Möbius matrix must be diagonal or anti-diagonal. A list of all scaling and reverse-scaling transforms by “simple” rationals is maintained, and the resulting polynomials are considered “in parallel”.

For each transformed polynomial we keep track of two evaluation points (one positive, one negative) and the corresponding evaluations. The evaluations are then considered in order of increasing absolute value; once an evaluation has been processed the corresponding evaluation point is incremented (or decremented, if it is negative).

The LPFW search depends on a factor degree lower bound, ∆, which is initially . The degree analysis “thread” may at any time furnish a better value for ∆. So that this asynchrony can work well the LPFW search records, for each possible factor degree lower bound, any certificates it finds. When a higher ∆ is received, the search first checks whether a corresponding LPFW certificate has already been recorded; if so, that certificate is produced as output. Otherwise searching proceeds using the new ∆.

Here are a few examples as computed by the current prototype; since degree analysis picks primes in a pseudo-random order, different certificates may be issued for the same polynomial.
• x + 4 x + 6 x + 4 : degree analysis with prime list L = [13 ,
• x + 16 x + 5 x − x − : degree analysis with prime list L = [107]
• -st cyclotomic polynomial: LPFW with ρ = 2, ∆ = 1, n = 3, and prime factor p = 368089
• Swinnerton-Dyer polynomial for [71 , , : LPFW with ρ = 43, ∆ = 2 (with L = [3]), n = 82 and prime factor p = 2367715751029 x + 76 x + 78 x + 4 x + 2 : transform x x , LPFW ρ = 67 / , ∆ = 2 (with L = [3]), n = − and prime factor p = 3041

A quick comment about run-times: our interpreted prototype favours producing certificates which are cheap to verify (rather than cheap to generate); the degree analysis certificates took ∼ . s each to generate, the others ∼ . s each. We did not measure verification run-time, but fully expect it to be less than 0.01s in each case. In comparison, the polynomial factorizer in CoCoA took less than 0.01s for all of these polynomials.

As a larger example: the prototype took ∼ s (we expect the final implementation to be significantly faster) to produce a certificate for the degree 64 (Swinnerton-Dyer) minimal polynomial of √61 + √79 + √139 + √181 + √199 + √ . This polynomial has fixed divisor δ = 2 ≈ . × . Our prototype found and applied the transformation x x , then produced an LPFW certificate for the transformed polynomial: ρ = 451 / , ∆ = 2 (with L = [19]), n = 46 and p ≈ . × which was confirmed to be “probably prime” (according to GMP [5]). The classical Berlekamp-Zassenhaus factorizer in CoCoA [1] took about 300s to recognize irreducibility.

An anonymous referee reasonably asked about expected run-time or a (possibly heuristic) complexity analysis. The answer is “It depends . . . ”. For “almost all” polynomials, degree analysis suffices and is quick. In our setting, the LPFW search effectively happens only if a degree analysis certificate cannot be quickly found. In our experiments, the number of iterations in LPFW search before producing a certificate was quite irregular.
As mentioned in the introduction there are many different criterions for certifying the irreducibility of a polynomial in Z[x]. Here we have concentrated on just two of them, and have pointed out how they can “collaborate”.

We have built a prototype implementation in CoCoA [1], and plan to integrate it into CoCoALib, the underlying C++ library (where we expect significant performance gains).

An interesting future possibility is for the requester of the certificate to state which criterions may be used (dictated by the implemented verifiers that the requester has available). But, a too restrictive choice of criterions may make it impossible to generate a certificate: e.g. there is no “Eisenstein” certificate for most polynomials.

References

[1] Abbott, J., Bigatti, A.M., Robbiano, L.: CoCoA: a system for doing Computations in Commutative Algebra. URL http://cocoa.dima.unige.it/
[2] Abbott, J.: Bounds on factors in Z[x]. J. Symb. Comput. , 532–563 (2013)
[3] Davenport, J., Padget, J.: HEUGCD: How elementary upperbounds generate cheaper data. Computer algebra, EUROCAL ’85, Proc. Eur. Conf., Linz/Austria 1985, Vol. 2, Lect. Notes Comput. Sci. 204, 18-28 (1985).
[4] Dumas, G.: Sur quelques cas d’irréductibilité des polynomes à coefficients rationnels. Journ. de Math. (6) , 191–258 (1906)
[5] Granlund, T., et al.: Gnu multiprecision library. URL
[6] Kaltofen, E., Musser, D.R., Saunders, B.D.: A generalized class of polynomials that are hard to factor. SIAM J. Comput. , 473–483 (1983)
[7] Lang, S.: Algebra. 3. ed. Reading, MA: Addison Wesley, 3. ed. edn. (1993)
[8] Perron, O.: Neue Kriterien für die Irreduzibilität algebraischer Gleichungen. J. Reine Angew. Math. , 288–307 (1907)
[9] Pratt, V.R.: Every prime has a succinct certificate. SIAM J. Comput. , 214–220 (1975)
[10] Rowlinson, E.: New proofs for two theorems of Capelli. Can. Math. Bull. 7