Counting basic-irreducible factors mod $p^k$ in deterministic poly-time and $p$-adic applications
arXiv preprint [cs.SC], February

Ashish Dwivedi∗, Rajat Mittal†, Nitin Saxena‡

Abstract
Finding an irreducible factor of a polynomial $f(x)$ modulo a prime $p$ is not known to be in deterministic polynomial time, though there is a classical algorithm that counts the number of irreducible factors of $f \bmod p$. We can ask the same question modulo prime-powers $p^k$. The irreducible factors of $f \bmod p^k$ blow up exponentially in number, making it hard to describe them. Can we count those irreducible factors mod $p^k$ that remain irreducible mod $p$? These are called basic-irreducible. A simple example is $f = x^2 + px \bmod p^2$; it has $p$ many basic-irreducible factors. Also note that $x^2 + p \bmod p^2$ is irreducible but not basic-irreducible! We give an algorithm to count the number of basic-irreducible factors of $f \bmod p^k$ in deterministic $\mathrm{poly}(\deg(f), k\log p)$-time. This solves the open questions posed in (Cheng et al, ANTS'18 & Kopp et al, Math.Comp.'19). In particular, we are counting roots mod $p^k$, which gives the first deterministic poly-time algorithm to compute the Igusa zeta function of $f$. Also, our algorithm efficiently partitions the set of all basic-irreducible factors (possibly exponential) into merely $\deg(f)$-many disjoint sets, using a compact tree data structure and split ideals.

Subject classification: Theory of computation: Algebraic complexity theory, Pseudorandomness and derandomization; Computing methodologies: Algebraic/Number theory algorithms, Hybrid symbolic-numeric methods; Mathematics of computing: Combinatoric problems.
Keywords: deterministic, root, counting, modulo, prime-power, tree, basic irreducible, unramified.
Factoring a univariate polynomial over prime characteristic is a highly well studied problem. Though efficient factoring has been achieved using randomization, efficient derandomization is still a longstanding problem. A related question of equal importance is root finding, but this is known to be equivalent to factoring in deterministic poly-time. Surprisingly, testing irreducibility, or even counting irreducible factors, is easy in this regime. The main tool here is the magical Frobenius morphism of characteristic-$p$ rings: $x \mapsto x^p$.

Though much effort has been put into prime characteristic, few results are known in composite characteristic $n$ [Sha93]. Even irreducibility testing of a polynomial, with the prime factorization of $n$ given, has no efficient algorithm known. This reduces to prime-power characteristic $p^k$ [vzGH98]. Deterministic factoring in such a ring is a much harder question (at least it subsumes deterministic factoring mod $p$). In fact, even randomized algorithms, or practical solutions, are currently elusive [vzGH96, vzGH98, Kli97, Săl05, Sir17, DMS19]. The main obstruction is non-unique factorization.

∗ CSE, Indian Institute of Technology, Kanpur, [email protected]
† CSE, Indian Institute of Technology, Kanpur, [email protected]
‡ CSE, Indian Institute of Technology, Kanpur, [email protected]

[…] mod $p$? Such factors are called basic-irreducible in the literature. This is much more than counting roots mod $p^k$ (as $f(\alpha) = 0$ iff $x - \alpha$ is a basic-irreducible factor of $f$). These roots, besides being naturally interesting, have various applications in factoring [Chi87, Chi94, CG00], coding theory [BLQ13, Săl05], elliptic curve cryptography [Lau04], and arithmetic algebraic-geometry [ZG03, DH01, Den91, Igu74].
Towards this we design a machinery, yielding the following result:

Given a degree $d$ integral polynomial $f(x)$ and a prime-power $p^k$, we partition the set of all basic-irreducible factors of $f \bmod p^k$ into at most $d$ (compactly provided) subsets in deterministic $\mathrm{poly}(d, k\log p)$-time; in the same time we count the number of factors in each of these subsets. Also, we can compactly partition (and count) the roots of $f \bmod p^k$ in deterministic poly-time.

This efficient partitioning of (possibly exponentially many) roots into merely $d$ subsets is reminiscent of the age-old fact: there are at most $\deg(g)$ roots of a polynomial $g(x)$ over a field. Root-sets mod $p^k$ are curious objects; not every subset of $\mathbb{Z}/p^k\mathbb{Z}$ is a root-set (except when $k = 1$). Their combinatorial properties have been studied extensively [Sie55, CP56, Bha97, DM97, Mau01]. In this regard, our result is one more step to understand the hidden properties of root-sets mod prime-powers.

Factoring mod $p^k$ has applications in factoring over local fields [Chi87, Chi94, CG00]. Previously, the latter was achieved through randomized factoring mod $p$ [CZ81] and going to extensions of $\mathbb{Q}_p$. Directly factoring mod $p^k$, for arbitrary $k$, would imply a new and more natural factoring algorithm over $p$-adic fields. In fact, our method gives the first deterministic poly-time algorithm to count basic-irreducible factors of $f \in \mathbb{Q}_p[x]$, by picking $k$ such that $p^k \nmid \mathrm{discriminant}(f)$. This derandomization was not known before, though $\mathbb{Q}_p[x]$ is indeed a unique factorization domain.

The questions of root finding and root counting of $f \bmod p^k$ are of classical interest, see [NZM13, Apo13]. Using Hensel lifting (Section A) we know how to 'lift' a root of multiplicity one of $f \bmod p$ to a root of $f \bmod p^k$, in a unique way. But this method breaks down when the root (mod $p$) has multiplicity more than one.
[BLQ13, Cor.4] was the first work to give an efficient randomized algorithm to count, as well as find, all the roots of $f \bmod p^k$. In this line of progress, very recently [CGRW18] gave a deterministic algorithm to count roots in time exponential in the parameter $k$. Extending the idea of [CGRW18], [KRRZ18] gave another efficient randomized algorithm to count roots of $f \bmod p^k$. Note that finding the roots deterministically seems a difficult problem because it requires efficient deterministic factoring of $f \bmod p$ (which is a classical open problem). But counting the roots mod $p^k$ deterministically may be an easier first step.

Recently there has been some progress in factoring $f \bmod p^k$ when $k$ is constant. [DMS19] gave the first efficient randomized algorithm to factor $f \bmod p^k$ for $k \le 4$. This gives an exponential improvement over the previous best algorithms of [Sir17, vzGH98, vzGH96] mod $p^k$ ($k \le$ […]) […] $p^k$, for $k \le 4$, in the difficult case when $f \bmod p$ is a power of an irreducible. The related derandomization questions are all open.

The case of factoring $f \bmod p^k$ when $k$ is "large" (larger than the maximum power of $p$ dividing the discriminant of the integral $f$) has an efficient randomized algorithm due to [vzGH98]. They showed, assuming large $k$, that factorization mod $p^k$ is well behaved and corresponds to the unique $p$-adic factorization of $f$ (i.e. in $\mathbb{Q}_p[x]$). In turn, $p$-adic factoring has known efficient randomized algorithms [Chi87, Chi94, CG00]. The derandomization questions are all open.

We now give a deterministic method to count all the roots (resp. basic-irreducible factors) efficiently. In fact, our proof can be seen as a deterministic poly-time reduction of basic-irreducible factor finding mod $p^k$ to root finding mod $p$. In particular, it subsumes all the results of [BLQ13].

Theorem 1 (Root count). Let $p$ be a prime, $k \in \mathbb{N}$ and $f(x) \in \mathbb{Z}[x]$. Then, all the roots of $f \bmod p^k$ can be counted in deterministic $\mathrm{poly}(\deg f, k\log p)$-time.

This is the first efficient derandomization of the randomized root counting algorithms [BLQ13, KRRZ18], and an exponential improvement over the recent deterministic algorithm of [CGRW18]. The challenge arises from the fact that we need to count the possibly exponentially many roots without being able to find them.
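The following Python program is an added illustration (it is not code from the paper) of the counting problem of Theorem 1 and of where Hensel lifting breaks down. It writes a root of $f \bmod p^k$ in $p$-adic digits, finds the digit $r$ mod $p$ by trial (the paper avoids exactly this step by 'virtualizing' the roots in a split ideal, so this version is exponential in the worst case), and then applies the shift $f(r + py) = p^{\alpha} g_1(y)$: if $\alpha \ge k$ the polynomial vanishes identically and every extension of the prefix is a root; otherwise the count is continued on $g_1$ modulo $p^{k-\alpha}$. The output is a list of digit prefixes with the number $p^{k-l-1}$ of roots each one stands for, i.e. the same partition-plus-count that the paper's list of maximal split ideals provides. The sample polynomials are the abstract's $x^2 + px$ and $x^2 + p$, a simple root (Hensel case) and the repeated root of $x^2$; the brute-force counter is there only to check the recursion.

```python
"""Added example (not from the paper): counting roots of f mod p^k by the
valuation/shift step behind Hensel lifting.  Roots mod p are found by trial
instead of being virtualised in a split ideal, so this is exponential in the
worst case, but it reproduces the partition and the per-part count p^(k-l-1)
that the paper's list of maximal split ideals provides (cf. Lemma 8)."""


def trim(a):
    """Drop high-degree zero coefficients (coefficient lists are low degree first)."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_eval(f, x, mod):
    """f(x) mod `mod` by Horner's rule."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % mod
    return acc


def shift_scale(f, r, p):
    """Integer coefficients of g(y) := f(r + p*y), by Horner composition."""
    g = [0]
    for c in reversed(f):
        new = [0] * (len(g) + 1)          # g <- g * (r + p*y) + c
        for i, a in enumerate(g):
            new[i] += a * r
            new[i + 1] += a * p
        new[0] += c
        g = new
    return trim(g)


def valuation(f, p, cap):
    """Largest alpha <= cap such that p^alpha divides every coefficient of f."""
    alpha = cap
    for c in f:
        v = 0
        while v < alpha and c % p == 0:
            c //= p
            v += 1
        alpha = min(alpha, v)
    return alpha


def root_prefixes(f, p, k, _prefix=(), _k0=None):
    """Partition the root-set of f mod p^k into 'prefix classes'.

    Returns [(digits, count)]: digits = (a_0, ..., a_l) are p-adic digits such
    that every choice of the remaining k-l-1 digits gives a root of f mod p^k,
    and count = p^(k-l-1) is the number of roots the entry stands for.
    """
    k0 = k if _k0 is None else _k0            # original precision, for the count
    leaves = []
    for r in range(p):
        if poly_eval(f, r, p) != 0:
            continue                           # not a root mod p: dead end
        g = shift_scale(f, r, p)               # g(y) = f(r + p*y)
        alpha = valuation(g, p, k)             # g = p^alpha * g1, p does not divide g1
        digits = _prefix + (r,)
        if alpha >= k:
            # f(r + p*y) vanishes identically mod p^k: every extension is a root
            leaves.append((digits, p ** (k0 - len(digits))))
        else:
            g1 = [c // p ** alpha for c in g]  # exact division
            leaves += root_prefixes(g1, p, k - alpha, digits, k0)
    return leaves


def count_roots_mod_pk(f, p, k):
    return sum(count for _, count in root_prefixes(f, p, k))


def brute_force_count(f, p, k):
    """Reference count by trying every element of Z/p^k (check only)."""
    return sum(1 for x in range(p ** k) if poly_eval(f, x, p ** k) == 0)


if __name__ == "__main__":
    # constructed sample inputs: x^2 + 3x, x^2 + 3, x^2 - 2 (simple roots mod 7), x^2
    for f, p, k in [([0, 3, 1], 3, 2), ([3, 0, 1], 3, 2), ([-2, 0, 1], 7, 3), ([0, 0, 1], 3, 3)]:
        print(f, p, k, root_prefixes(f, p, k), count_roots_mod_pk(f, p, k), brute_force_count(f, p, k))
```

For $x^2 + 3x$ mod $9$ the single prefix $(0)$ is maximal at once and stands for $3 = p$ roots, as the abstract says; $x^2 + 3$ mod $9$ has the root $0$ mod $3$ but the shifted polynomial $3y^2 + 1$ has no root mod $3$, so the count is $0$; the two simple roots of $x^2 - 2$ mod $7$ lift uniquely to precision $7^3$; and $x^2$ mod $27$ has the prefix $(0,0)$ standing for $3$ roots.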
Remarks. 1) In the algorithm, the (possibly exponential) root-set of $f \bmod p^k$ gets partitioned into at most $\deg(f)$-many disjoint subsets and we output a compact representation, called a split ideal, for each of these subsets. We do count them, but do not yet know how to find a root deterministically.
2) This gives an efficient way to deterministically compute the Igusa zeta function, given an integral univariate $f$ and a prime $p$. This follows from the fact that we just need to compute $N_k(f) :=$ the number of roots of $f \bmod p^k$, for $k \in [\ell]$ s.t. $p^\ell \nmid \mathrm{discriminant}(f)$, to estimate the Poincaré series $\sum_{i=0}^{\infty} N_i(f)\,x^i$ [Den91, Igu74]. Interestingly, it converges to a rational function!
3) This is the first deterministic poly-time algorithm to count the number of lifts of a repeated root of $f \bmod p$ to $f \bmod p^k$.
4) This gives the first deterministic poly-time algorithm to count the number of $p$-adic integral roots of a given $p$-adic polynomial $f \in \mathbb{Q}_p[x]$. (Count roots mod $p^\ell$ where $p^\ell \nmid \mathrm{discriminant}(f)$.)

Next, we extend the ideas for counting roots to count all the basic-irreducible factors of $f \bmod p^k$ in deterministic polynomial time. Recall that a basic-irreducible factor of $f \bmod p^k$ is one that remains irreducible in mod $p$ arithmetic.

Theorem 2 (Factor count). Let $p$ be a prime, $k \in \mathbb{N}$ and $f(x) \in \mathbb{Z}[x]$. Then, all the basic-irreducible factors of $f \bmod p^k$ can be counted in deterministic $\mathrm{poly}(\deg f, k\log p)$-time.

We achieve this by extending the idea of counting roots to more general $p$-adic integers. Essentially, we efficiently count all the roots of $f(x)$ in $\mathcal{O}_K/\langle p^k\rangle$, where $\mathcal{O}_K$ is the ring of integers of a $p$-adic unramified extension $K/\mathbb{Q}_p$ (refer to [Kob77] for the standard notation). Currently, there is no fast, practical method known to find/count roots when $K$ is ramified.

Corollary 3.
Consider (an unknown) $p$-adic extension $K := \mathbb{Q}_p[y]/\langle g(y)\rangle$, which is unramified and has degree $\Delta$. Let $f(x) \in \mathbb{Z}[x]$, $p, k, \Delta$ be given as input (in binary). Then, we can count all the roots of $f$, in $\mathcal{O}_K/\langle p^k\rangle$, in deterministic $\mathrm{poly}(\deg(f), k\log p, \Delta)$-time.

Remarks. 1) This gives the first deterministic poly-time algorithm to count the number of (unramified $p$-adic integral) roots of a given $p$-adic polynomial $f \in K[x]$.
3) Our method generalizes to efficiently count all the roots of a given polynomial $f(x) \in (F[t]/\langle h(t)^k\rangle)[x]$ for a given polynomial $h$ (resp. $f \in F[[t]][x]$ with power-series coefficients), assuming that $F$ is a field over which root counting is efficient (e.g. $\mathbb{Q}$, $\mathbb{R}$, $\mathbb{F}_p$ and their algebraic extensions).

Our implementation involves constructing a list data structure $\mathcal{L}$ which implicitly partitions the root-set of $f \bmod p^k$ into at most $\deg(f)$-many disjoint subsets, and counts the number of roots in each such subset. The construction of $\mathcal{L}$ is incremental, by doing arithmetic modulo special ideals.

Split ideals. A split ideal $I_l$ of length $l+1$, and degree $b$, is a 'triangular' ideal defined as $I_l = \langle h_0(x_0), h_1(\bar x_1), \dots, h_l(\bar x_l)\rangle$, where the notation $\bar x_i$ refers to the variable set $\{x_0, \dots, x_i\}$ and $b = \prod_{0 \le i \le l}\deg_{x_i}(h_i)$. It implicitly stores a size-$b$ subset of the root-set of $f \bmod p^k$, where a root looks like $\sum_{0 \le i \le l} x_i p^i$ till precision $p^{l+1}$. Note that a root $r$ of $f \bmod p^k$ is also a root of $f \bmod p^l$ for all $l \in [k]$. Since we cannot access them directly, we 'virtualize' them in the notation $\bar x_l$. The structure of these ideals is quite nice and recursive (Section 2). So it may keep splitting (in Algorithm 1) till it becomes a maximal ideal, which corresponds to a single point in $(\mathbb{F}_p)^{l}$ and has degree one. Or, the algorithm may halt earlier, due to 'stable clustering' of roots, and then we call the ideals maximal split ideals; in fact, $\mathcal{L}$ has only maximal split ideals. These do not give us the actual roots but do give us their count!

List data structure. $\mathcal{L}$ implicitly stores, and may partition, the root-set of $f \bmod p^k$. Essentially, $\mathcal{L}$ is a set of at most $d$ maximal split ideals, i.e. $\mathcal{L} = \{I_1(l_1, d_1), \dots$
$, I_n(l_n, d_n)\}$, where each ideal $I_j \subseteq \mathbb{F}_p[\bar x_{k-1}]$ has two parameters: length $l_j$ and degree $d_j$. A maximal split ideal $I(l, D)$ implicitly stores a size-$D$ subset of the root-set of $f \bmod p^k$. This yields a simple count of $Dp^{k-l}$ for the corresponding roots. Ideals in $\mathcal{L}$ have the property that they represent disjoint subsets of roots, and they collectively represent the whole root-set of $f \bmod p^k$. Thus, $\mathcal{L}$ gives us both the (implicit) structure and the (exact) size of the root-set of $f \bmod p^k$. In the intermediate steps of the algorithm, for efficiency reasons, we will store a tuple $(I_j, f_{I_j})$ in a changing stack $S$, where $f_{I_j}(\bar x_{l_j - 1}, x) := f(x_0 + px_1 + \cdots + p^{l_j - 1}x_{l_j - 1} + p^{l_j}x) \bmod \hat I_j$ is a 'shifted and reduced' version of $f$ tagging along (with $x$ as the only free variable).

Roots-tree data structure.
Most importantly, we need to prove that $|\mathcal{L}|$, and the degree of the split ideals in $\mathcal{L}$, remain at most $\deg(f)$ at all times in the algorithm (while $f \bmod p^k$ may have exponentially many roots). To achieve this, we use a different way to look at the data structure $\mathcal{L}$: in tree form $RT$, where each generator $h_i$ appearing in an $I \in \mathcal{L}$ appears as an edge of the tree; conversely, each tree node $v$ denotes the intermediate split ideal corresponding to the path from the root (of the tree $RT$) to $v$.

The roots-tree $RT$ has a useful parameter at every node: degree. The degree of a node measures the possible extensions to the next level, and it possesses the key property that it 'distributes' to its children's degrees. This helps us to simultaneously bound the width of $RT$ and the degree of split ideals to be at most the degree $\deg(f)$ of the root node. Otherwise, since we compute with $k$-variate polynomials, a naive analysis of the tree-size (resp. degree of split ideals) would give a bound of $\deg(f)^k$, or a slightly better $\deg(f)\cdot 2^k$ as in [CGRW18, pg.9], which is exponential in the input size $\deg(f)\cdot k\log p$.

Proof idea of Theorem 1.
Let $R := \mathbb{Z}/\langle p^k\rangle$; so $R/\langle p\rangle \cong \mathbb{F}_p$. Let $Z_R(f)$ be the zeroset of $f \bmod p^k$. The idea to count roots of $f \bmod p^k$ comes from the elementary fact: any root $r \in R$ of $f \bmod p^k$ can be seen in a $p$-adic (or base-$p$) representation as $r =: r_0 + pr_1 + p^2 r_2 + \cdots + p^{k-1}r_{k-1}$, for each $r_i \in \mathbb{F}_p$. Thus, we decompose our formal variable $x$ into multi-variables $x_0, \dots, x_{k-1}$ related as $x = x_0 + px_1 + p^2 x_2 + \cdots + p^{k-1}x_{k-1}$.

Though getting roots of $f(x) \bmod p$ deterministically is difficult, we can get the count on the number of roots of $f(x) \bmod p$ from the degree of a polynomial $h_0(x_0) \in \mathbb{F}_p[x_0]$, which is the gcd of $f$ and the Frobenius polynomial $x_0^p - x_0 \bmod p$. This way of implicitly representing a set of desired objects by a polynomial and using its properties (e.g. degree) to get a count on the objects is widely termed the polynomial method.

This gives us a length-1 and degree-$\deg_{x_0}(h_0)$ split ideal $I_0 := \langle h_0(x_0)\rangle$. Since $I_0$ represents all roots of $f \bmod p$, we can again apply the polynomial method to incrementally build on the ideal $I_0$ to get greater length split ideals representing roots of $f$ with greater precision, say mod $p^{l+1}$. To do this, we trivially lift $I_0$ to make it an ideal $\hat I_0$ in $R$. Solve $f(x_0 + px_1) \equiv p^{\alpha}g(x_0, x_1) \bmod \hat I_0$ for $\alpha \in \mathbb{N}$ and $p \nmid g$. Reduce $g(x_0, x_1)$ over $\mathbb{F}_p$ again, and calculate the next set of candidates for $x_1$ implicitly in a polynomial $h_1 \in \mathbb{F}_p[x_0, x_1]$ defined as $h_1 := \mathrm{GCD}(g(x_0, x_1) \bmod p,\; x_1^p - x_1) \bmod I_0$. Using the properties of split ideals (Lemma 11), multivariate gcd modulo $I_0$ yields $h_1$ that 'stores' all the candidates for $x_1$, for each root $x_0$ represented by $I_0$. So, we get a length-2 split ideal $I_1 := I_0 + \langle h_1(x_0, x_1)\rangle$.

In every iteration, we add a new variable, by solving equations like $f(x_0 + px_1 + p^2x_2 + \cdots + p^l x_l + p^{l+1}x) \equiv p^{\alpha}g(\bar x_l, x)$ modulo a length-$(l+1)$ triangular ideal $\hat I_l$, for $\alpha \in \mathbb{N}$ and $p \nmid g$. This gives us the next candidate $h_{l+1}(\bar x_l, x) := \mathrm{GCD}(g(\bar x_l, x) \bmod p,\; x^p - x) \bmod I_l$, moving to a more precise split ideal. Sometimes we get that $g$ and $x^p - x$ are coprime mod $I_l$; those cases indicate a dead-end and we stop processing those branches. Finally we reach $\alpha = k$, which indicates full precision, and we get a maximal split ideal $I_l$ which we add to the list $\mathcal{L}$.

Division by 'zero'. Some computations modulo a split ideal may not be possible. These cases arise only due to zerodivisors. In those cases, we will exploit the zerodivisor to split/factor the current split ideal into more split ideals of smaller degree. We can keep track of all these split ideals using a stack and keep performing the same computations iteratively. Since a split ideal has finite length, the process must terminate. The real challenge lies in proving a good bound.
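The polynomial method that starts the proof idea above, as an added example (this is not code from the paper): the number of distinct roots of $f \bmod p$ is $\deg\gcd(f, x^p - x)$, and $x^p \bmod f$ is obtained by repeated squaring so that the Frobenius polynomial itself is never written out. The same routine with $x^{p^b} - x$ (obtained by $b$ successive $p$-th powers) counts the distinct roots of $f$ in $\mathbb{F}_{p^b}$, which is the $\mathbb{F}_q$-root count that the proof idea of Theorem 2 and Corollary 3 build on; that generalization is the example's, not a statement of the paper. Polynomials are coefficient lists over $\mathbb{F}_p$, lowest degree first; the sample inputs are constructed for the test.

```python
"""Added example (not from the paper): the polynomial method.  The number of
distinct roots of f in F_{p^b} is deg gcd(f, x^{p^b} - x); no root is ever found."""
from itertools import zip_longest


def trim(a):
    """Drop leading (high-degree) zero coefficients; [] is the zero polynomial."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_mod_p(a, p):
    return trim([c % p for c in a])


def poly_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def poly_rem(a, m, p):
    """Remainder of a modulo the nonzero polynomial m over F_p."""
    a, m = poly_mod_p(a, p), poly_mod_p(m, p)
    inv = pow(m[-1], -1, p)                  # inverse of the leading coefficient
    while len(a) >= len(m):
        coef = a[-1] * inv % p
        shift = len(a) - len(m)
        for i, c in enumerate(m):
            a[shift + i] = (a[shift + i] - coef * c) % p
        a = trim(a)
    return a


def poly_gcd(a, b, p):
    """Monic gcd over F_p by the Euclidean algorithm ([] if both are zero)."""
    a, b = poly_mod_p(a, p), poly_mod_p(b, p)
    while b:
        a, b = b, poly_rem(a, b, p)
    if not a:
        return []
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]


def poly_powmod(base, e, m, p):
    """base^e mod m over F_p by square-and-multiply."""
    result, base = poly_rem([1], m, p), poly_rem(base, m, p)
    while e:
        if e & 1:
            result = poly_rem(poly_mul(result, base, p), m, p)
        base = poly_rem(poly_mul(base, base, p), m, p)
        e >>= 1
    return result


def count_roots_in_Fq(f, p, b=1):
    """Number of distinct roots of f in F_{p^b}, as deg gcd(f, x^{p^b} - x).

    x^{p^b} mod f is computed by b successive p-th powers of x mod f, so the
    work is polynomial in deg(f), b and log p although p^b may be huge.
    """
    f = poly_mod_p(f, p)
    h = poly_rem([0, 1], f, p)               # x mod f
    for _ in range(b):
        h = poly_powmod(h, p, f, p)          # h <- h^p mod f
    frob = trim([(c - d) % p for c, d in zip_longest(h, [0, 1], fillvalue=0)])  # x^{p^b} - x
    g = poly_gcd(f, frob, p)                 # gcd(f, 0) = f: all roots lie in F_{p^b}
    return len(g) - 1 if g else 0


def brute_count_mod_p(f, p):
    """Reference count by trying every element of F_p (check only)."""
    return sum(1 for r in range(p) if sum(c * pow(r, i, p) for i, c in enumerate(f)) % p == 0)


if __name__ == "__main__":
    # constructed samples: x^2 (x - 1) over F_5, x^2 + 1 over F_3 and F_9, x^5 - x over F_5
    print(count_roots_in_Fq([0, 0, -1, 1], 5), brute_count_mod_p([0, 0, -1, 1], 5))
    print(count_roots_in_Fq([1, 0, 1], 3), count_roots_in_Fq([1, 0, 1], 3, 2))
    print(count_roots_in_Fq([0, -1, 0, 0, 0, 1], 5))
```

Because $x^{p^b} - x$ is squarefree, the gcd counts each root once whatever its multiplicity in $f$: $x^2(x-1)$ over $\mathbb{F}_5$ gives $2$, and $x^2 + 1$ has no root in $\mathbb{F}_3$ but two in $\mathbb{F}_9$.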
Efficiency via roots-tree.
Now, we need to show that the algorithm to construct $\mathcal{L}$ is efficient and that $|\mathcal{L}| \le \deg(f)$ (in fact, the sum of degrees of all maximal split ideals in $\mathcal{L}$ is at most $\deg(f)$). In a particular iteration, the algorithm just performs routine computations like reduction modulo the current split ideal $I$, inversion, zerodivisor testing, gcd, exponentiation, and computing $p$-valuations or multiplicities, which are clearly bounded by $\mathrm{poly}(\deg(f), k\log p, \deg(I))$ (Sections C & D). It is harder to bound the number of iterations and $\deg(I)$.

To understand the number of iterations, we review the construction of $\mathcal{L}$ as the formation of a tree, which we call the roots-tree $RT$. A node of $RT$ corresponds to an intermediate split ideal $I$, where an edge at level $i$ on the path from the root (of $RT$) to the node corresponds to the generator $h_i(\bar x_i)$ of $I$. Each time we update a split ideal $I_{l-1}$ to $I_l := I_{l-1} + \langle h_l\rangle$ we add a child, to the node corresponding to $I_{l-1}$, hanging by a new edge labelled $h_l$. Similarly, splitting of an ideal at some generator $h_i(\bar x_i)$ into $m$ ideals corresponds to creating $m$ subtrees hanging by edges which are $m$ copies of the edge labelled $h_i$. This way the roots-tree upper bounds the number of iterations; moreover, the maximal split ideals in $\mathcal{L}$ appear as leaves in $RT$.

Degree distribution in $RT$. Each node $N$ of $RT$ has an associated parameter, 'degree of node' $[N]$ (Definition 15), which is defined in such a way that it distributes to the degrees of its children (i.e. $[N]$ is at least the sum of degrees of its child nodes). This is intended to measure the possible extensions $x_l$ modulo the corresponding split ideal $I_{l-1}$, and is a suitable multiple of $\deg(I_{l-1})$. Applying the degree's property inductively, we get that the degree of the root node of $RT$, which is $\deg(f)$, distributes to the degrees of the leaves and so the sum of degrees of all maximal split ideals in $\mathcal{L}$ is at most $\deg(f)$.
The distributive property of $[N]$, corresponding to ideal $I_{l-1}$, comes from the fact: the degree of a child $C$ corresponding to ideal $I_l = I_{l-1} + \langle h_l\rangle$ is bounded by the multiplicity of roots of $h_l(\bar a, x)$ times $\deg(I_{l-1})$, corresponding to some root $\bar a$ of $I_{l-1}$; and the overall sum of these multiplicities for every child of $N$ is naturally bounded by the degree of $N$ (Lemma 16). The details are given in Section 3.

Proof idea of Theorem 2.
The idea, and even the algebra, is the same as for Theorem 1. The definition of the list $\mathcal{L}$ easily extends to implicitly store all the basic-irreducible factors of $f \bmod p^k$ of some degree $b$ (a generalization over roots, which correspond to degree $b = 1$ basic-irreducible factors). This uses a strong property possessed by basic-irreducible factors. A basic-irreducible factor $g(x) \in (\mathbb{Z}/\langle p^k\rangle)[x]$ of $f \bmod p^k$, of degree $b$, completely splits over the Galois ring $G(p^k, b) := \mathbb{Z}[y]/\langle p^k, \varphi(y)\rangle$, where $\varphi(y) \bmod p$ is an irreducible of degree $b$ (Section A). Conversely, if we find a root of $f(x)$ in $G(p^k, b)$, then we find a degree-$b$ basic-irreducible factor of $f \bmod p^k$.

By distinct degree factorization we can assume $f(x) \equiv (\varphi_1 \cdots \varphi_m)^e + ph(x) \bmod p^k$, where each $\varphi_i(x) \bmod p$ is irreducible and of degree $b$. We construct $\mathcal{L}$ by applying the algorithm of Theorem 1, with one change: every time we update a length-$l$ split ideal $I_{l-1}$ to a length-$(l+1)$ ideal $I_l := I_{l-1} + \langle h_l\rangle$, we compute $h_l$ using the Frobenius polynomial $x^q - x \bmod p$, where $q := p^b$. Basically, for $x_0$, we focus on $\mathbb{F}_q$-roots instead of the erstwhile $\mathbb{F}_p$-roots. We count the number of (distinct, monic, degree-$b$) basic-irreducible factors represented by each maximal split ideal $I(l, D) \in \mathcal{L}$ as $Dq^{k-l}/b$. The details are given in Section 4.

Here we introduce our main tool, 'split ideals'. Proofs for this section have been moved to Section B. A basic introduction to Galois rings (i.e. the non-prime characteristic analog of finite fields), Hensel lifting, randomized factoring over finite fields, etc. has been moved to Section A.

We will be given a univariate polynomial $f(x) \in \mathbb{Z}[x]$ of degree $d$ and a prime power $p^k$ (for a prime $p$ and a positive integer $k \in \mathbb{N}$). Wlog, we assume that $f$ is monic over $\mathbb{F}_p$. A tuple of variables $(x_0, \dots, x_l)$ will be denoted by $\bar x_l$. Often, an $(l+1)$-variate polynomial $a(x_0, x_1, \dots, x_l)$ will be written as $a(\bar x_l)$, and the polynomial ring $\mathbb{F}_p[x_0, \dots, x_l]$ as $\mathbb{F}_p[\bar x_l]$. We denote the ring $\mathbb{Z}/\langle p^k\rangle$ by $R$ (the ring $R/\langle p\rangle$ is the same as the field $\mathbb{F}_p$). An element $a \in R$ can be seen in its $p$-adic representation as $a = a_0 + pa_1 + \cdots + p^{k-1}a_{k-1}$, where $a_i \in \mathbb{F}_p$ for $i \in \{0, \dots, k-1\}$. $Z_R(g) := \{r \in R \mid g(r) \equiv 0 \bmod p^k\}$ denotes the zeroset of a polynomial $g(x) \in R[x]$. The zeroset of an ideal $I \subseteq \mathbb{F}_p[x_0, \dots, x_l]$ is defined as the intersection of the zerosets of all polynomials in $I$: $Z_{\mathbb{F}_p}(I) := \{\bar a = (a_0, \dots, a_l) \in (\mathbb{F}_p)^{l+1} \mid g(\bar a) \equiv 0 \bmod p,\ \forall g \in I\}$.

We will heavily use ideals of the form $I := \langle h_0(\bar x_0), h_1(\bar x_1), \dots, h_l(\bar x_l)\rangle$ satisfying the condition: for any $i \in [l+1]$ and $\bar a \in Z_{\mathbb{F}_p}(\langle h_0(\bar x_0), h_1(\bar x_1), \dots, h_{i-1}(\bar x_{i-1})\rangle)$, the polynomial $h_i(\bar a, x_i)$ splits completely into distinct linear factors. They are formally defined as:

Definition 4 (Split ideal). We will call a polynomial monic wrt $x$ if the leading coefficient is one. Given $f(x) \in R[x]$, an ideal $I$ in $\mathbb{F}_p[\bar x_l]$ is called a split ideal wrt $f \bmod p^k$ if
1) $I$ is a triangular ideal of length $l+1$, meaning: $I =: \langle h_0(\bar x_0), h_1(\bar x_1), \dots, h_l(\bar x_l)\rangle$, for some $0 \le l \le k-1$; $h_i(\bar x_i) \in \mathbb{F}_p[\bar x_i]$ is monic wrt $x_i$, for all $i \in \{0, \dots, l\}$,
2) $|Z_{\mathbb{F}_p}(I)| = \prod_{i=0}^{l}\deg_{x_i}(h_i)$, and
3) $\forall (a_0, \dots, a_l) \in Z_{\mathbb{F}_p}(I)$, $f(a_0 + pa_1 + \cdots + p^l a_l) \equiv 0 \bmod p^{l+1}$.
The length of $I$ is $l+1$ and its degree is $\deg(I) := \prod_{i=0}^{l}\deg_{x_i}(h_i)$.

A split ideal $I$ relates to possible roots of $f \bmod p^k$. Since $f, p, k$ are fixed, we will simply call $I$ a split ideal. The definition of a split ideal implies that its roots represent a set of "potential" roots of $f$, i.e. roots of $f$ modulo some $p^{l+1}$ for $0 \le l < k$. The restriction of a split ideal is also a split ideal.

Lemma 5 (Restriction of a split ideal). Let $I_l := \langle h_0(\bar x_0), \dots, h_l(\bar x_l)\rangle$ be a split ideal in $\mathbb{F}_p[x_0, \dots, x_l]$; then the ideal $I_j := \langle h_0(\bar x_0), \dots, h_j(\bar x_j)\rangle$ is also a split ideal in $\mathbb{F}_p[x_0, \dots, x_j]$, for all $0 \le j \le l$.

Further, we show that a split ideal $I$ can be decomposed in terms of its zeros.

Lemma 6 (Split ideal structure). A split ideal $I \subseteq \mathbb{F}_p[x_0, \dots, x_l]$ can be decomposed as $I = \bigcap_{\bar a \in Z_{\mathbb{F}_p}(I)} I_{\bar a}$, where each $I_{\bar a} := \langle x_0 - a_0, \dots, x_l - a_l\rangle$ corresponds to the root $\bar a =: (a_0, \dots, a_l) \in Z_{\mathbb{F}_p}(I)$. By the Chinese remainder theorem, $R/I = \bigoplus_{\bar a \in Z_{\mathbb{F}_p}(I)} R/I_{\bar a}$.

Let $I =: \langle h_0(\bar x_0), h_1(\bar x_1), \dots, h_l(\bar x_l)\rangle$ be a split ideal. Suppose some $h_i$ factors as $h_i(\bar x_i) = h_{i,1}(\bar x_i)\cdots h_{i,m}(\bar x_i)$. Define $I_j := \langle h_0(\bar x_0), \dots, h_{i-1}(\bar x_{i-1}), h_{i,j}(\bar x_i), h_{i+1}(\bar x_{i+1}), \dots, h_l(\bar x_l)\rangle$, for $j \in [m]$. The following corollary of Lemma 6 is evident because the root-sets of the $I_j$ partition the root-set of $I$.

Corollary 7 (Splitting split ideals). Let $I = \langle h_0(\bar x_0), \dots, h_l(\bar x_l)\rangle$ be a split ideal of $\mathbb{F}_p[x_0, \dots, x_l]$. Let some $h_i(\bar x_i)$ factor as $h_i(\bar x_i) = h_{i,1}(\bar x_i)\cdots h_{i,m}(\bar x_i)$. Then, $I = \bigcap_{j=1}^{m} I_j$, where each $I_j := \langle h_0(\bar x_0), \dots, h_{i-1}(\bar x_{i-1}), h_{i,j}(\bar x_i), h_{i+1}(\bar x_{i+1}), \dots, h_l(\bar x_l)\rangle$ is a split ideal.

We call a split ideal $I_l := \langle h_0, \dots, h_l\rangle$ a maximal split ideal if
1) for any $\bar a = (a_0, \dots, a_l) \in Z_{\mathbb{F}_p}(I_l)$, $g(x) := f(a_0 + pa_1 + \cdots + p^l a_l + p^{l+1}x)$ vanishes identically mod $p^k$,
2) the restriction $I_{l-1} := \langle h_0, \dots, h_{l-1}\rangle$ does not satisfy the previous condition.

Lemma 8 (Roots represented by a root of a maximal split ideal). Let $I$ be a maximal split ideal of length $l+1$; then a zero $\bar a = (a_0, \dots, a_l) \in Z_{\mathbb{F}_p}(I)$ maps to exactly $p^{k-l-1}$ zeros of $f$ in $Z_R(f)$. We will say that these $p^{k-l-1}$ roots of $f$ are represented by $\bar a$.

The algorithm to compute a compact data-structure which stores roots of $f \bmod p^k$ will be described in Section 3.1.
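Before the algorithm itself, here is an added example (not code from the paper) of the root/factor correspondence used in the proof idea of Theorem 2: a degree-$b$ basic-irreducible factor of $f \bmod p^k$ splits completely over the Galois ring $G(p^k, b)$, and a root of $f$ in $G(p^k, b)$ gives back such a factor. The example fixes $b = 2$ and $\varphi(y) = y^2 - s$ with $s$ a quadratic non-residue mod $p$ (so that $\varphi$ is irreducible mod $p$), enumerates all roots of $f$ in $G(p^k, 2)$ by brute force, and counts degree-1 factors as roots lying in $\mathbb{Z}/p^k$ and degree-2 factors as pairs of roots whose residue mod $p$ generates $\mathbb{F}_{p^2}$; since $b = 2$ is prime this residue test replaces the distinct-degree factorization the paper uses to isolate the degree-$b$ part. An independent count by trial division over $\mathbb{Z}/p^k$ confirms the degree-2 figure. The sample polynomials $x^3 + x$, $x^2 + 3x$ and $x^2 + 3$ modulo $9$ are constructed for the test; the last two are the abstract's examples.

```python
"""Added example (not from the paper): roots of f in the Galois ring
G(p^k, 2) = Z[y]/<p^k, y^2 - s> versus basic-irreducible factors of f mod p^k.
Elements are pairs (a, b) standing for a + b*y with a, b in Z/p^k; polynomials
are integer coefficient lists, lowest degree first."""


def gr_mul(u, v, pk, s):
    """(a + b*y)(c + d*y) with y^2 = s."""
    a, b = u
    c, d = v
    return ((a * c + b * d * s) % pk, (a * d + b * c) % pk)


def gr_eval(f, x, pk, s):
    """f(x) in G(p^k, 2) by Horner's rule."""
    acc = (0, 0)
    for coeff in reversed(f):
        acc = gr_mul(acc, x, pk, s)
        acc = ((acc[0] + coeff) % pk, acc[1])
    return acc


def galois_ring_roots(f, p, k, s):
    pk = p ** k
    return [(a, b) for a in range(pk) for b in range(pk)
            if gr_eval(f, (a, b), pk, s) == (0, 0)]


def count_basic_irreducible_by_roots(f, p, k, s):
    """(number of degree-1, number of degree-2) basic-irreducible factors of f mod p^k.

    A root in Z/p^k (b == 0) gives the linear factor x - a.  A root whose residue
    mod p generates F_{p^2} (p does not divide b) lies, together with its Frobenius
    conjugate, on exactly one monic degree-2 basic-irreducible factor, so these
    roots are counted in pairs (the paper's D q^{k-l} / b with b = 2).  Roots with
    p | b but b != 0 lie outside Z/p^k although their residue is in F_p; they are
    roots of no basic-irreducible factor over Z/p^k and are skipped.
    """
    roots = galois_ring_roots(f, p, k, s)
    deg1 = sum(1 for a, b in roots if b == 0)
    deg2 = sum(1 for a, b in roots if b % p != 0) // 2
    return deg1, deg2


def poly_rem_monic(f, g, n):
    """Remainder of f modulo the monic polynomial g over Z/n."""
    f = [c % n for c in f]
    while len(f) >= len(g):
        coef = f[-1]
        shift = len(f) - len(g)
        for i, c in enumerate(g):
            f[shift + i] = (f[shift + i] - coef * c) % n
        f.pop()                      # the leading coefficient is now zero
    return f


def count_deg2_factors_by_division(f, p, k):
    """Independent check: monic x^2 + u x + v over Z/p^k that are irreducible
    mod p (no root in F_p) and divide f mod p^k."""
    pk = p ** k
    count = 0
    for u in range(pk):
        for v in range(pk):
            if any((r * r + u * r + v) % p == 0 for r in range(p)):
                continue             # reducible mod p: not basic-irreducible
            if all(c == 0 for c in poly_rem_monic(f, [v, u, 1], pk)):
                count += 1
    return count


if __name__ == "__main__":
    # p = 3, k = 2, s = 2 (a non-residue mod 3): G(9, 2) = Z[y]/<9, y^2 - 2>
    for f in ([0, 1, 0, 1], [0, 3, 1], [3, 0, 1]):   # x^3 + x, x^2 + 3x, x^2 + 3
        print(f, count_basic_irreducible_by_roots(f, 3, 2, 2), count_deg2_factors_by_division(f, 3, 2))
```

For $x^3 + x = x(x^2 + 1)$ mod $9$ there are three roots in $G(9, 2)$, giving one linear and one quadratic basic-irreducible factor; $x^2 + 3x$ has nine roots in $G(9, 2)$ of which three lie in $\mathbb{Z}/9$, giving the $p = 3$ linear factors of the abstract and no quadratic one; and $x^2 + 3$ has no root in $G(9, 2)$ at all, matching the abstract's remark that it is irreducible but not basic-irreducible.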
Algorithm's correctness will be proved in Section 3.2, which involves studying the algebraic structure underlying the algorithm. Its efficiency will be shown in Section 3.3, by devising an auxiliary structure called the roots-tree and the important notion of 'degree of a node'.

[…] $f(x) \bmod p^k$

We describe our algorithm in this section. It takes a monic univariate polynomial $f(x) \in \mathbb{Z}[x]$ of degree $d$ and a prime-power $p^k$ as input (in binary), and outputs a list of at most $d$ maximal split ideals whose roots partition the root-set of $f$ modulo $p^k$. A maximal split ideal $I_j =: \langle h_0(\bar x_0), \dots, h_l(\bar x_l)\rangle$ has $|Z_{\mathbb{F}_p}(I_j)| = \prod_{i=0}^{l}\deg_{x_i}(h_i)$ zeros, and each such zero 'represents' $p^{k-l-1}$ actual zeros of $f \bmod p^k$ (Lemma 8). Thus, this algorithm gives an exact count on the number of zeros of $f$ in $R$.

Overview of Algorithm 1:
Since any root of $f \bmod p^k$ is an extension of a root modulo $p$, the algorithm starts by initializing a stack $S$ with the ideal $I_0 := \langle h_0(x_0)\rangle$, where $h_0(x_0) := \gcd(x_0^p - x_0, f(x_0))$. This is a split ideal containing all the roots of $f \bmod p$. By a lift $\hat I_0 \subset R[x_0]$ of $I_0$, we mean the ideal generated by the generator $\{h_0\}$ when viewed as a polynomial in $R[x_0]$ (i.e. char $p^k$).

At every intermediate iteration (Steps 4 to […]) we pop a split ideal from the stack and try to increase the precision of its root-set (equivalently, lengthen the split ideal). This step mostly results in two cases: either we succeed and get a split ideal whose root-set has increased precision (Step 18) by a new placeholder $x_{l+1}$, or the split ideal factors into more split ideals, increasing the size of the stack $S$ (Steps 10, […]). […] a shifted '$f$', namely $f_I(\bar x_l, x_{l+1} + px) \bmod \hat J$ ($J$ is the new split ideal), that we carry around with each split ideal. This helps in efficiently increasing the precision of roots in the next iteration. Otherwise, computing $f(x_0 + px_1 + \cdots + p^l x_l + p^{l+1}x)/p^{\alpha} \bmod I$ is too expensive, in Step 6, due to the underlying blowup of degree-$d$ $(l+1)$-variate monomials.

If we reach a maximal split ideal (Step 7), it is moved to a list $\mathcal{L}$. Sometimes the split ideal cannot be extended and we get a dead-end (Step 16). The size of the stack decreases when we get a maximal split ideal or a dead-end. The algorithm terminates when the stack becomes empty. The list $\mathcal{L}$ contains maximal split ideals which partition, and cover, the root-set of $f$ (implicitly).
This becomes our output. The main intuition behind our algorithm: if two roots of a split ideal (representing potential roots of $f$) give rise to a different number of roots of $f$, the split ideal will get factored further. Though not at all apparent immediately, we will show that the algorithm takes only a polynomial number of steps (Section 3.3).

We will use four subroutines to perform standard ring arithmetic modulo split ideals; they are described in Appendices C & D.
1. Modify $f$ (Steps 3, 18, 20) whenever pushing onto the stack (Lemmas 30 & 31).
2. Reduce($a(\bar x_l)$, $J_l$) gives the reduced form of $a$ mod the triangular ideal $J_l$ (over a Galois ring).
3. Test-Zero-Div($a(\bar x_l)$, $I_l$) either reports that $a$ is not a zero-divisor modulo the triangular ideal $I_l$ or outputs a non-trivial factorization of one of the generators of $I_l$ when true.
4. GCD($a(\bar x_l, x)$, $b(\bar x_l, x)$, $I_l$) either successfully computes a monic gcd, wrt $x$, of two multivariates modulo a triangular ideal $I_l$, or encounters a zerodivisor in the intermediate computation (outputting False and a non-trivial factorization of one of the generators of $I_l$).

Algorithm 1
Root-counting mod $p^k$
1: Let $\mathcal{L} = \{\}$ be a list and $S = \{\}$ be a stack (both initially empty).
2: Let $\tilde f(x) := f(x) \bmod p$ for a monic univariate $\tilde f \in \mathbb{F}_p[x]$ of degree $d$.
3: [Initializing the stack $S$] Let $h_0(x_0) := \gcd(\tilde f(x_0), x_0^p - x_0)$, $I := \langle h_0\rangle$, and $\hat I \subseteq R[x_0]$ be a lift of $I$. Compute $f_I(x_0, x) := f(x_0 + px) \bmod \hat I$ using Lemma 30. Update $S \leftarrow \mathrm{push}((\{h_0\}, f_I))$.
4: while $S$ is not empty do
5: $S_{top} \leftarrow \mathrm{pop}(S)$. Let $S_{top} = (\{h_0(x_0), \dots, h_l(x_0, \dots, x_l)\}, f_I(\bar x_l, x))$ where $I = \langle h_0, \dots, h_l\rangle \subseteq \mathbb{F}_p[\bar x_l]$ is a split ideal. Let $\hat I \subseteq R[x_0, \dots, x_l]$ be a lift of $I$.
6: [Valuation computation] Compute $\alpha \in \mathbb{N}$ and $g \in R[\bar x_l, x]$ such that $f_I \equiv p^{\alpha}g(\bar x_l, x) \bmod \hat I$ and $p \nmid g \bmod \hat I$.
7: [Maximal split ideal found] if ($\alpha \ge k$) then update the list $\mathcal{L} \leftarrow \mathcal{L} \cup \{I\}$. Go to Step 4.
8: Let $\tilde g := g(\bar x_l, x) \bmod I$ be the polynomial in $\mathbb{F}_p[\bar x_l, x]$, and let $g_0(\bar x_l)$ be the leading coefficient of $\tilde g(\bar x_l, x)$ wrt $x$.
9: if Test-Zero-Div($g_0(\bar x_l)$, $I$) = True then
10: Test-Zero-Div($g_0(\bar x_l)$, $I$) returns a factorization $h_i(\bar x_i) =: h_{i,1}(\bar x_i)h_{i,2}(\bar x_i)\cdots h_{i,m}(\bar x_i) \bmod I_{i-1}$ of some generator $h_i(\bar x_i)$ of $I$. Go to Step 20.
11: end if
12: [Filter out distinct virtual $\mathbb{F}_p$-roots by taking gcd with $x^p - x$] Recompute $\tilde g := g(\bar x_l, x)\cdot g_0(\bar x_l)^{-1} \bmod I$ (Lemmas 29, 28). Compute $x^p$ by repeated squaring and reducing modulo the triangular ideal $I + \langle\tilde g\rangle$ (Algorithm 2 and Lemma 28). This yields $\tilde h_{l+1}(\bar x_l, x) := x^p - x \bmod I$ in a reduced form.
13: if GCD($\tilde g$, $\tilde h_{l+1}$, $I$) = False then
14: The call GCD($\tilde g$, $\tilde h_{l+1}$, $I$) returns a factorization $h_i(\bar x_i) = h_{i,1}(\bar x_i)h_{i,2}(\bar x_i)\cdots h_{i,m}(\bar x_i) \bmod I_{i-1}$ of a generator $h_i(\bar x_i)$ of $I$. Go to Step 20.
15: else if $\tilde g$ and $\tilde h_{l+1}$ are coprime then
16: [Dead End] The ideal $I$ cannot grow more; go to Step 4.
17: else
18: [Grow the split ideal $I$] Here $\gcd_x(\tilde g, \tilde h_{l+1}) \bmod I$ is non-trivial, say $h_{l+1}(\bar x_l, x)$ (monic wrt $x$). Substitute $x$ by $x_{l+1}$ in $h_{l+1}(\bar x_l, x)$ and update $J \leftarrow I + \langle h_{l+1}(\bar x_{l+1})\rangle$. Let $\hat J \subseteq R[x_0, \dots, x_{l+1}]$ be a lift of $J$. Substitute $x$ by $x_{l+1} + px$ in $f_I(\bar x_l, x)$, and compute $f_J(\bar x_{l+1}, x) := f_I(\bar x_l, x_{l+1} + px) \bmod \hat J$ using Lemma 30. Update $S \leftarrow \mathrm{push}((\{h_0, \dots, h_{l+1}\}, f_J))$, and go to Step 4.
19: end if
20: [Factoring split ideals] We have a factorization $h_i(\bar x_i) = h_{i,1}(\bar x_i)h_{i,2}(\bar x_i)\cdots h_{i,m}(\bar x_i) \bmod I_{i-1}$ of a generator $h_i$ of $I$. Push $S_{top}$ back onto the stack $S$. For every entry $(U, f_{\langle U\rangle}) \in S$ where $h_i(\bar x_i)$ appears in $U$, find $m$ (smaller) split ideals $U_j$ (using Corollary 7); using Lemma 31 compute $f_{\langle U_j\rangle}$ and push $(U_j, f_{\langle U_j\rangle})$ onto $S$, for $j \in [m]$.
21: end while
22: Return $\mathcal{L}$ (the list of maximal split ideals partitioning the root-set $Z_R(f)$).

Our main goal is to prove the following result about the partitioning of the root-set.
Theorem 9 (Algo 1 partitions $Z_R(f)$). Algorithm 1 yields the structure of the root-set $Z_R(f)$ through a list data structure $\mathcal{L}$ (a collection of maximal split ideals $I_1, \dots, I_n$) which partitions the zeroset $Z_R(f) =: \bigsqcup_{j \in [n]} S_j$, where $S_j$ is the set of roots of $f \bmod p^k$ represented by $Z_{\mathbb{F}_p}(I_j)$. Later, we will show a surprising property: $n \le d$ (Section 3.3).

Proof of Theorem 9.
From Lemmas 12, 13 and the definition of a maximal split ideal, it is clear that Algorithm 1 returns a list $\mathcal{L}$ containing maximal split ideals $I_1, \dots, I_n$, for $n \in \mathbb{N}$. Further, we show:
1) The root-set of $I_j$ ($1 \le j \le n$) yields a subset $S_j$ of $Z_R(f)$, and they are pairwise disjoint.
2) Given a root $r \in Z_R(f)$, there exists $j$ such that $r$ is represented by a root in $Z_{\mathbb{F}_p}(I_j)$.

For the first part, root-sets for different maximal split ideals $I_j$ are pairwise disjoint because of Lemma 12. Each of these root-sets yields a subset of the zeroset of $f \bmod p^k$ (this follows from the definition of a maximal split ideal).

For the second part, let $r =: \sum_{i=0}^{k-1} r_i p^i$ be a root in $Z_R(f)$. The stack $S$ was initialized by the split ideal $\langle h_0 := \gcd(f(x_0) \bmod p, x_0^p - x_0)\rangle$; so $r_0 \in Z_{\mathbb{F}_p}(I_0)$, as $f(r_0) \equiv f(r) \equiv 0 \bmod p$. Assume that $I_0$ is not a maximal split ideal (otherwise we are done). Applying Lemma 14, there must exist an $I_1$ whose root-set contains $(r_0, r_1)$. Repeated applications of Lemma 14 show that we will keep getting split ideals of larger lengths, partially representing $r$, finally reaching a maximal split ideal (say $I_j$) fully representing $r$.

We showed that each root $r$ of $f \bmod p^k$ is represented by a unique maximal split ideal $I$, given by Algorithm 1, and they collectively represent exactly the roots of $f$ modulo $p^k$. Hence, the root-sets of ideals in $\mathcal{L}$ partition the zeroset $Z_R(f)$.

Now, let us see the properties of our algorithm which go into proving Theorem 9. Given a polynomial $g(\bar x_l) \in \mathbb{F}_p[\bar x_l]$ and an element $\bar a \in \mathbb{F}_p^{l}$, consider the projection $g_{\bar a}(x_l) := g(\bar a, x_l)$. Using the Chinese remainder theorem (Lemma 6) we easily get the following degree condition. (Here, $\mathrm{lc}_x$ refers to the leading coefficient wrt the variable $x$.)

Claim 10.
Let $I$ be a split ideal of $\mathbb{F}_p[\bar x_{l-1}]$ and $g \in \mathbb{F}_p[\bar x_l]$. Then, $\mathrm{lc}_{x_l}(g)$ is a unit mod $I$ iff $\forall \bar a \in Z_{\mathbb{F}_p}(I)$: $\deg(g_{\bar a}(x_l)) = \deg_{x_l}(g(\bar x_l) \bmod I)$.

Chinese remaindering also gives us a gcd property under projections.
Lemma 11.
Let $w(\bar x_l), z(\bar x_l) \in \mathbb{F}_p[\bar x_l]$ and let $I_{l-1} \subseteq \mathbb{F}_p[\bar x_{l-1}]$ be a split ideal. Suppose Algorithm 4 succeeds in computing the gcd of $w$ and $z$ mod $I_{l-1}$: define $h(\bar x_l) := \mathrm{GCD}(w(\bar x_l), z(\bar x_l), I_{l-1})$. Then, for all $\bar a \in Z_{\mathbb{F}_p}(I_{l-1})$: $h_{\bar a}(x_l)$ equals $\gcd(w_{\bar a}(x_l), z_{\bar a}(x_l))$ up to a unit multiple (in $\mathbb{F}_p^*$).

Proof. Lemma 33 proves that $h(\bar x_l)$ is a monic polynomial mod $I_{l-1}$, s.t., $h \mid w$ and $h \mid z$ (mod $I_{l-1}$). Fix $\bar a \in Z_{\mathbb{F}_p}(I_{l-1})$. Since $h_{\bar a}(x_l) \ne 0$ ($\because h$ is monic), restricting $\bar x_{l-1}$ to $\bar a$ gives $h_{\bar a} \mid w_{\bar a}$ and $h_{\bar a} \mid z_{\bar a}$, showing $h_{\bar a} \mid \gcd(w_{\bar a}, z_{\bar a})$ in $\mathbb{F}_p[x_l]$.

Lemma 33 also shows that there exist $u, v \in (\mathbb{F}_p[\bar x_{l-1}]/I_{l-1})[x_l]$ such that $h = uw + vz$. Restricting the first $l$ co-ordinates to $\bar a$, we get $h_{\bar a} = u_{\bar a} w_{\bar a} + v_{\bar a} z_{\bar a}$. This equation implies $\gcd(w_{\bar a}, z_{\bar a}) \mid h_{\bar a}$. Thus, we get an equality up to a unit multiple.

Let $I \subseteq \mathbb{F}_p[\bar x_i]$, $J \subseteq \mathbb{F}_p[\bar x_j]$ be two split ideals (say $i \le j$). $I$ and $J$ are called prefix-free iff $\nexists\ \bar a = (a_0, a_1, \ldots, a_i) \in Z_{\mathbb{F}_p}(I),\ \bar b = (b_0, b_1, \ldots, b_j) \in Z_{\mathbb{F}_p}(J)$ with $a_k = b_k$ for all $k \le i$. (Note that it may still happen that $(a_0, \ldots, a_{i-1}) = (b_0, \ldots, b_{i-1})$ above.)

Our next lemma shows an invariant about Algorithm 1.

Lemma 12 (Stack contents). Stack $S$ in Algorithm 1 satisfies the following conditions at every point:
1) $l < k$ and, in Step 6, $\alpha > l$.
2) All ideals in $S$ are split ideals.
3) Any two ideals in $S$ are prefix-free.

Proof. We first prove invariant 1. Step 6 defines $g$ via $f_I$ as $f_I =: p^\alpha g(\bar x_l, x) \bmod \hat I$. Looking at the $f_I$ analogues pushed in Steps 3, 18, 20, one easily deduces the invariants:
$$f\Big(\sum_{0 \le i \le l} x_i p^i + x p^{l+1}\Big) \equiv f_I(\bar x_l, x) \bmod \hat I, \qquad\text{and}\qquad f\Big(\sum_{0 \le i \le l} x_i p^i\Big) \equiv 0 \bmod I + \langle p^{l+1} \rangle.$$
Thus, $f\big(\sum_{0 \le i \le l} x_i p^i\big) \equiv p^\alpha g(\bar x_l, x) \equiv 0 \bmod I + \langle p^{l+1} \rangle$. Since $p \nmid g \bmod \hat I$, we deduce $\alpha > l$. Moreover, by Step 7 we know that $l < k$ throughout the algorithm.

There are three ways in which a new ideal is added to stack $S$. We show below that the invariants are maintained in all three cases.

(Step 3) $S$ is initialized with the ideal $I_0 = \langle h_0(x_0) \rangle \subseteq \mathbb{F}_p[x_0]$. The triangular ideal $I_0$ is a split ideal, because $|Z_{\mathbb{F}_p}(I_0)| = \deg_{x_0}(h_0)$ and its roots are exactly the distinct roots of $f(x) \bmod p$.

(Step 20) Ideal $I_l$ is popped from $S$, and some generator $h_i$ of $I_l$ splits. In this case, we update $S$ with the corresponding factors of any $(U, f_U) \in S$ wherever $U$ currently has $h_i$. Corollary 7 shows that the factors of $U$ are split ideals themselves, and their root-sets partition that of $U$. Thus, these root-sets are prefix-free among themselves. Moreover, they are prefix-free with any other ideal $J$ appearing in $S$, because $U$ was prefix-free with $J$.

(Step 18) Ideal $I_l$ is popped, and it grows to $I_{l+1}$ by including $h_{l+1}(\bar x_l, x) = \gcd_x(\tilde g(\bar x_l, x), x^p - x) \bmod I_l$ ($\tilde g$ is defined in Step 8). The first (resp. third) condition for $I_{l+1}$ being a split ideal follows from the definition of $\tilde g$ (resp. $h_{l+1}$).

For the second condition for $I_{l+1}$ being a split ideal, fix a particular root $\bar a \in Z_{\mathbb{F}_p}(I_l)$. Using Lemma 11, the projection $h_{l+1, \bar a}(x)$ equals $\gcd(\tilde g_{\bar a}(x), x^p - x)$ (up to a unit multiple). By Lemma 33, $h_{l+1}$ is monic mod $I_l$; giving $\deg(h_{l+1, \bar a}) = \deg_{x_{l+1}}(h_{l+1})$. Since $h_{l+1} \mid x^p - x$, there are exactly $\deg_x(h_{l+1})$-many $a_{l+1} \in \mathbb{F}_p$ such that $h_{l+1, \bar a}(a_{l+1}) \equiv 0 \pmod p$.
So, every root $\bar a \in Z_{\mathbb{F}_p}(I_l)$ can be extended to $\deg_x(h_{l+1})$-many roots; giving $|Z_{\mathbb{F}_p}(I_{l+1})| = \deg_x(h_{l+1}) \cdot \prod_{i=0}^{l} \deg_{x_i}(h_i)$. This makes $I_{l+1}$ a split ideal.

$I_{l+1}$ remains prefix-free with any other ideal $J$ of $S$, because the roots of $I_{l+1}$ are extensions of roots of $I_l$ (recall: $I_l$ was prefix-free with $J$ and it was popped out of $S$).

This proves all the invariants for the stack $S$.

Using the invariant, we prove that Algorithm 1 terminates on any input.

Lemma 13.
Algorithm 1 finishes in a finite number of steps for any $f \in \mathbb{Z}[x]$ and prime power $p^k$.

Proof. We show that the number of iterations in Algorithm 1 is finite. Assume that all the ideals which result in a dead-end are moved to a list $D$; say $C$ is the disjoint union of all ideals in $S$, $\mathcal{L}$ and $D$. Whenever a split ideal $I$ from $S$ is moved to $\mathcal{L}$ or $D$, the underlying roots (of $I$) stop extending to the next precision. Together with Lemma 12, we deduce that in fact all the ideals in $C$ are prefix-free. Now by Step 18, and the rate of growth of split ideals up to length $l+1 \le k$, we get a lazy estimate of $|C| \le \min(d^k, p^k)$.

Let $\mathrm{len}(I)$ denote the length of an ideal $I$; it is bounded by $k$. Notice that factoring/growing an ideal increases $\sum_{I \in C} \mathrm{len}(I)$; and getting a maximal split ideal/dead-end increases $|\mathcal{L}| + |D|$. Thus, every iteration of the algorithm strictly increases the quantity $\big(\sum_{I \in C} \mathrm{len}(I)\big) + |\mathcal{L}| + |D|$. By the estimate on $|C|$, all the terms in this quantity are bounded; thus, the number of iterations is finite.

The following lemma shows: if we see a restriction of $r \in Z_R(f)$ (say, up to length $l+1$) at some point in Algorithm 1, we will again see its restriction of length $l+2$ at a later point in the algorithm.

Lemma 14 (Getting roots with more precision). Assume that at some time (say $t$), Algorithm 1 pops an ideal $I$ of length $l+1$ that is not yet a maximal split ideal. Let $\bar a = (a_0, \ldots, a_l) \in Z_{\mathbb{F}_p}(I)$ partially represent a "root" $r =: \sum_{0 \le i \le l+1} a_i p^i$ such that $f(r) \equiv 0 \pmod{p^{l'}}$, but $f(r - a_{l+1} p^{l+1}) \not\equiv 0 \pmod{p^{l'}}$, for some $l+2 \le l' \le k$. Then, there exists a time $t' > t$ when stack $S$ will pop an ideal $J$ of length $l+2$ such that $(\bar a, a_{l+1}) \in Z_{\mathbb{F}_p}(J)$.

Proof. We again consider three possible situations.

(Step 18) Ideal $I$ grows to another split ideal, say $J$.
Notice, $J$ is obtained by adding $h_{l+1} := \mathrm{GCD}(g(\bar x_l, x), x^p - x) \bmod I$ to $I$ (setting $x \to x_{l+1}$). Step 6 defines $g$ via $f_I$ as $f_I =: p^\alpha g(\bar x_l, x) \bmod \hat I$. Looking at the $f_I$ analogues pushed in Steps 3, 18, 20, one can deduce the invariant:
$$f\Big(\sum_{0 \le i \le l} x_i p^i + x p^{l+1}\Big) \equiv f_I(\bar x_l, x) \bmod \hat I.$$
Now, let us project to (suitable integral lifts of) $\bar a$ and consider
$$f\Big(\sum_{0 \le i \le l} a_i p^i + x p^{l+1}\Big) \equiv f_I(\bar a, x) \equiv p^\alpha g(\bar a, x) \bmod \hat I.$$
By Step 9 and Claim 10, we are assured that $g(\bar a, x)$ and $g(\bar x_l, x) \bmod I$ are equi-degree (wrt $x$). Thus, by the non-maximality hypothesis we have $\alpha < l'$. The hypothesis tells us that $f\big(\sum_{0 \le i \le l+1} a_i p^i\big) \equiv 0 \pmod{p^{l'}}$. So, by the previous paragraph, $p^\alpha g(\bar a, a_{l+1}) \equiv 0 \pmod{p^{l'}}$. Whence, $g(\bar a, a_{l+1}) \equiv 0 \pmod p$. Clearly, $a_{l+1}^p - a_{l+1} \equiv 0 \pmod p$. Thus, $h_{l+1}(\bar a, a_{l+1}) \equiv 0 \pmod p$. So $(\bar a, a_{l+1})$ is a root of $J$.

(Step 16) The proof of the previous case shows that $h_{l+1}(\bar a, x)$ has degree at least 1, so $I$ could not result in a dead-end.

(Step 20) Ideal $I$ factors into (smaller) split ideals. In this case, $\bar a$ will be included in exactly one of those ideals (by Corollary 7). This ideal will be handled later in the algorithm and will give an ideal $J$ with $(\bar a, a_{l+1})$ as a root.

Roots-tree $RT$

We know that Algorithm 1 takes a finite amount of time and terminates (Lemma 13). To show that it is efficient, note that the time complexity of the algorithm can be divided into two parts.
1) The number of iterations taken by Algorithm 1, which is clearly bounded by the number of updates on Stack $S$ in the algorithm.
2) The time taken by the various algebraic operations in one iteration of the algorithm: reduction by a triangular ideal, valuation computation modulo a split ideal, testing if some polynomial is a zerodivisor modulo a split ideal, performing repeated squaring modulo a triangular ideal, and computing the gcd of two multivariates modulo a split ideal.

For the purpose of bounding iterations, we define a 'virtual' tree, called the roots-tree ($RT$), which essentially keeps track of the updates on Stack $S$. We will map a node $N = (I, f_I)$ in the roots-tree to the element $(I, f_I)$ in stack $S$. Each push will create a new node in $RT$.
The nodes are never deleted from $RT$.

Construction of the roots-tree ($RT$): Denote the root of $RT$ by $N_{\langle 0 \rangle} := (\langle 0 \rangle, f_{\langle 0 \rangle} := f(x))$. Add a child node $N_{I_0}$ to the root corresponding to the initialization of Stack $S$ by $(I_0, f_{I_0})$, where $I_0 := \langle h_0(x_0) \rangle$ (label the edge $h_0$ in $RT$).

If, at some time $t$, the algorithm pops $(I_{l-1}, f_{I_{l-1}})$ from $S$, then the current node in $RT$ will be the leaf node $N_{I_{l-1}} = (I_{l-1}, f_{I_{l-1}})$. We map the updates on stack $S$ to $RT$ as follows:

(Step 18) If ideal $I_{l-1}$ grows to $I_l := I_{l-1} + \langle h_l \rangle$ and $(I_l, f_{I_l})$ is pushed in $S$, then create a child of $N_{I_{l-1}}$ in $RT$ using an edge labelled $h_l$ (label the node $N_{I_l} := (I_l, f_{I_l})$).

(Steps 7, 16) If the algorithm reached a dead-end (no update in stack $S$ or list $\mathcal{L}$), then add a child labelled $D$ to node $N_{I_{l-1}}$. It indicates a dead-end at the current branch. Analogously, if the algorithm finds a maximal split ideal, we add a child labelled $M$ to node $N_{I_{l-1}}$ (indicating $I_{l-1}$ is a maximal split ideal).

(Step 20) Suppose processing of the length-$l$ split ideal $I_{l-1}$ results in factoring each ideal $U$ in $S$ containing $h_i$ into $m$ split ideals. We describe the duplication process for a particular $U$ (repeat it for each split ideal containing $h_i$).

Let $U_{i-1}$ be the length-$i$ restriction of $U$. First, we move to the ancestor node $N_{U_{i-1}} := (U_{i-1}, f_{U_{i-1}})$ of $N_U$. Make $m$ copies of the sub-tree at node $N_{U_{i-1}}$, each of them attached to $N_{U_{i-1}}$ by edges labelled with $h_{i,1}, \ldots, h_{i,m}$ respectively. The copy of each old node $N = (V, f_V)$, in the sub-tree corresponding to $h_{i,j}$, will be relabelled with $(V_j, f_{V_j})$ corresponding to the factor split ideal $V_j$ of $V$ and the newly computed $f_{V_j}$.

This step does not increase the height of the tree, though it increases the size.

For the rest of this section, $RT$ denotes the final roots-tree created at the end of the above process. We state some easy properties of $RT$, which will help us in analyzing the time complexity.
1) By construction, the size of the roots-tree increases at every iteration. We never delete a node or an edge (though relabelling might be done). So, the size of $RT$ bounds the number of iterations taken by Algorithm 1.
2) Consider a node $N_I =: (I, f_I)$ in $RT$. Here $f_I(\bar x_l, x) \in R[\bar x_l, x]$, and let $g_I \in R[\bar x_l, x]$ be defined as in Algorithm 1, $g_I := f_I(\bar x_l, x)/p^\alpha \bmod \hat I$, where $p^\alpha \,\|\, f_I \bmod \hat I$, and $\hat I$ is a lift of $I$ over $R$. Then, $g_I \bmod I$ is a nonzero polynomial over $\mathbb{F}_p$.
3) For each node $N_I =: (I, f_I(\bar x_l, x))$ and its child $N_J =: (J, f_J(\bar x_{l+1}, x))$, we have the relation $f_J = f_I(\bar x_l, x_{l+1} + px) \bmod \hat J$.
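To make the roots-tree concrete, here is an added Python example (it is not Algorithm 1 or any code of the paper): it counts the roots of $f$ modulo $p^k$ digit by digit, expanding every candidate digit in $\mathbb{F}_p$ explicitly instead of storing the candidates symbolically in split ideals, so it corresponds to $RT$ with every split ideal fully split into linear generators (and, unlike Algorithm 1, is exponential in the worst case). Each recursive call plays the role of a node $(I, f_I)$: it forms $f_I(x) = f(a + p^l x)$ (property 3 above), reads off the valuation $\alpha$ and $g_I \bmod p$, takes the roots of $\gcd(g_I, x^p - x)$ as the next digits, and treats $\alpha \ge k$ as a maximal node contributing $p^{k-l}$ roots. It also checks, at every node, the degree inequality of Lemma 16 below in this explicit setting. All function names and the sample polynomials are the example's own.

```python
"""Digit-by-digit root counting mod p^k, mirroring the roots-tree RT.

Added illustration, not the paper's Algorithm 1: candidate digits in F_p are
expanded explicitly instead of being stored in split ideals, so this is RT
with every split ideal fully split into linear generators. The lifting
invariant f_J = f_I(x_{l+1} + p*x), the valuation alpha, dead-ends, maximal
nodes and the count p^(k-l) per maximal node are the same as in the paper.
Polynomials are lists of integer coefficients, lowest degree first.
"""


def poly_eval(f, x, mod):
    """Horner evaluation of f at x modulo `mod`."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % mod
    return acc


def compose_affine(f, a, s, mod):
    """Coefficients of f(a + s*x) reduced modulo `mod`, trailing zeros stripped."""
    res = [0]
    for c in reversed(f):                       # res <- res*(a + s*x) + c
        nxt = [0] * (len(res) + 1)
        for i, r in enumerate(res):
            nxt[i] = (nxt[i] + r * a) % mod
            nxt[i + 1] = (nxt[i + 1] + r * s) % mod
        nxt[0] = (nxt[0] + c) % mod
        res = nxt
    while len(res) > 1 and res[-1] == 0:
        res.pop()
    return res


def p_valuation(f, p, k):
    """alpha with p^alpha || f coefficient-wise, capped at k when f = 0 mod p^k."""
    alpha = k
    for c in f:
        c %= p ** k
        if c == 0:
            continue
        v = 0
        while c % p == 0:
            c //= p
            v += 1
        alpha = min(alpha, v)
    return alpha


def _lift(f, p, k, a, l):
    """Count roots r = a (mod p^l) of f mod p^k; return (count, deg of g_I mod p).

    `a` holds the l digits a_0..a_{l-1} fixed so far; this call is the node
    (I, f_I) of RT with f_I(x) = f(a + p^l x).
    """
    q = p ** k
    f_I = compose_affine(f, a, p ** l, q)
    alpha = p_valuation(f_I, p, k)              # alpha >= l, since f(a) = 0 mod p^l
    if alpha >= k:
        # f_I = 0 mod p^k: a maximal node, all p^(k-l) extensions of a are roots
        return p ** (k - l), 0
    g = [(c // p ** alpha) % p for c in f_I]    # g_I mod p, a nonzero polynomial over F_p
    deg_g = max(i for i, c in enumerate(g) if c)
    total = child_deg_sum = 0
    for c in range(p):                          # next digit: a root of gcd(g, x^p - x)
        if poly_eval(g, c, p) == 0:
            cnt, dg = _lift(f, p, k, a + c * p ** l, l + 1)
            total += cnt
            child_deg_sum += dg
    # Lemma 16 in this explicit setting: children degrees sum to at most deg g_I
    assert child_deg_sum <= deg_g, "degree distribution violated"
    return total, deg_g                         # total == 0 means a dead-end branch


def count_roots_mod_pk(f, p, k):
    """Number of r in Z/p^k with f(r) = 0 (mod p^k)."""
    return _lift(f, p, k, 0, 0)[0]


def brute_force_count(f, p, k):
    """Reference count by exhaustive evaluation (only for tiny p^k)."""
    q = p ** k
    return sum(1 for r in range(q) if poly_eval(f, r, q) == 0)


if __name__ == "__main__":
    # x^2 + 3x mod 9: the abstract's example x^2 + px mod p^2 with p = 3, has p roots
    print(count_roots_mod_pk([0, 3, 1], 3, 2))
    # x^2 - 1 mod 8: the four odd residues are roots
    print(count_roots_mod_pk([-1, 0, 1], 2, 3), brute_force_count([-1, 0, 1], 2, 3))
```

The recursion depth is at most $k$ and each node does $O(d)$ work per candidate digit, so for the sample inputs the tree is tiny; the point of the split-ideal machinery in Algorithm 1 is precisely to avoid enumerating the up to $p$ children per node that this explicit version walks through.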
Bounding $|RT|$: To bound the size of $RT$, we define a parameter for a node $N$ of $RT$, called the degree of the node $N$ and denoted by $[N]$.

Definition 15 (Degree of a node in $RT$). The degree of the root node $N_{\langle 0 \rangle}$ is $[N_{\langle 0 \rangle}] := d$ ($= \deg(f)$). The degree of the leaves $D$ resp. $M$ is defined to be $0$.

Let $N_I =: (I, f_I)$ be a node corresponding to a split ideal $I \subseteq \mathbb{F}_p[\bar x_l]$, where $f_I(\bar x_l, x)$ belongs to $R[\bar x_l, x]$. Let $p^\alpha \,\|\, f_I \bmod \hat I$ and $g_I(\bar x_l, x) := f_I/p^\alpha \bmod \hat I$; except, $g_I := 0$ if $\alpha \ge k$. Then, the degree of $N$ is defined as $[N] := \max\big(1,\ \deg_x(g_I \bmod I) \times \deg(I)\big)$.

We show that the degree of a parent node bounds the sum of the degrees of its children.
Lemma 16 (Degree distributes in $RT$). Let $N$ be a node in the roots-tree $RT$ and let $\mathrm{des}(N)$ denote the set of all children of $N$. Then, $[N] \ge \sum_{C \in \mathrm{des}(N)} [C]$. So, the sum of the degrees of all nodes at any level $l$ is at least the sum of the degrees of all nodes at level $l+1$.

Proof. Let $N = (I, f_I)$, where $I = \langle h_0, \ldots, h_l \rangle$ and $f_I(\bar x_l, x) \in R[\bar x_l, x]$. Define $\tilde g_I \in \mathbb{F}_p[\bar x_l, x]$ as $\tilde g_I := g_I(\bar x_l, x) \bmod I$. Assume $\alpha < k$, otherwise we are done. So, $g_I \bmod I$ is nontrivial wrt $x$; by Step 9 (failure) and Claim 10, we get,
$$\forall \bar a \in Z_{\mathbb{F}_p}(I):\quad \deg_x(\tilde g_I \bmod I) = \deg_x(\tilde g_I(\bar a, x)). \tag{1}$$
Recall $h_{l+1}(\bar x_l, x) := \gcd(\tilde g_I(\bar x_l, x), x^p - x)$.

Let $C$ be a child node of $N$ in $RT$ such that $C =: (J_C, f_{J_C})$, where $J_C =: I + \langle h_{l,C}(\bar x_{l+1}) \rangle$ and $f_{J_C}(\bar x_{l+1}, x) := f_I(\bar x_l, x_{l+1} + px) \bmod \hat J_C$. This gives us the factorization $h_{l+1}(\bar x_l, x) = \prod_{C \in \mathrm{des}(N)} h_{l,C}(\bar x_l, x) \bmod I$ (Step 20, and the 'duplication step' when we constructed $RT$). Again,
$$\forall \bar b \in Z_{\mathbb{F}_p}(J_C):\quad \deg_x(\tilde g_{J_C} \bmod J_C) = \deg_x(\tilde g_{J_C}(\bar b, x)). \tag{2}$$
If $g_{J_C} =: f_{J_C}/p^{v'} \bmod \hat J_C$ for some $v' \in \mathbb{N}$, then by property 3 of $RT$ we have $g_{J_C} = f_I(\bar x_l, x_{l+1} + px)/p^{v'} \bmod \hat J_C$.

By definition, $[N] = \deg(I) \cdot \deg_x(\tilde g_I)$ and $[C] = \deg(J_C) \cdot \deg_x(\tilde g_{J_C})$. Since $\deg(J_C) = \deg(I) \cdot \deg_x(h_{l,C}(\bar x_l, x))$, the lemma statement is equivalent to showing
$$\deg_x(\tilde g_I) \ \ge \sum_{C \in \mathrm{des}(N)} \deg_x(h_{l,C}(\bar x_l, x)) \cdot \deg_x(\tilde g_{J_C}). \tag{3}$$
Continuing with the notation of a particular child $C$, fix an $\bar a \in Z_{\mathbb{F}_p}(I)$. Since $J_C$ is a split ideal, $h_{l,C}(\bar a, x)$ (of degree $d'_C$) can be written as $\prod_{i=1}^{d'_C} (x - c_i)$, where each $c_i \in \mathbb{F}_p$ and they are distinct. Then, each $c_i$ is also a root of $\tilde g_I(\bar a, x)$, say with multiplicity $m_i \in \mathbb{N}$. So, there exists $G(x) \in \mathbb{F}_p[x]$ (coprime to $x - c_i$) such that $\tilde g_I(\bar a, x) \equiv (x - c_i)^{m_i} \cdot G(x) \bmod p$.
Lifting this equation mod $p^k$, there exist $G_1(x) \in R[x]$, of degree less than $m_i$, and a unique lift $\hat G(x) \in R[x]$ of $G(x)$ (Hensel's Lemma 21) such that
$$g_I(\bar a, x) \equiv \big((x - c_i)^{m_i} + pG_1(x)\big) \cdot \hat G(x) \bmod p^k.$$
Substituting $x \to c_i + px$, we get $g_I(\bar a, c_i + px) \equiv \big((px)^{m_i} + pG_1(c_i + px)\big) \cdot \hat G(c_i + px) \bmod p^k$.

Let $\bar b_i = (\bar a, c_i) \in Z_{\mathbb{F}_p}(J_C)$. We know that $\tilde g_{J_C}(\bar b_i, x) = f_I(\bar a, c_i + px)/p^{v'} \bmod p$ is nontrivial. This implies that $\big((px)^{m_i} + pG_1(c_i + px)\big)/p^{v'} \bmod p$ is a nonzero polynomial of degree at most $m_i$ ($\because p \nmid \hat G(c_i)$). Since $\hat G(c_i + px) \bmod p$ is a unit (it is the nonzero constant $G(c_i)$), $\deg_x(\tilde g_{J_C}(\bar b_i, x)) = \deg_x(\tilde g_{J_C}) \le m_i$ (Eqn. 2). Summing up over all the roots $c_i$ of $\tilde g_I(\bar a, x)$,
$$\sum_{i=1}^{d'_C} \deg_x(\tilde g_{J_C}(\bar b_i, x)) \;=\; d'_C \cdot \deg_x(\tilde g_{J_C}) \;\le\; \sum_{i=1}^{d'_C} m_i \;=:\; d_C(g_I).$$
Summing over all children $C \in \mathrm{des}(N)$ (using Eqn. 1, the factorization of $h_{l+1}$ and the distinctness of the $\mathbb{F}_p$-roots), we deduce
$$\sum_{C \in \mathrm{des}(N)} \deg_x(h_{l,C}) \deg_x(\tilde g_{J_C}) \;\le\; \sum_C d_C(g_I) \;\le\; \deg_x(\tilde g_I(\bar a, x)) \;=\; \deg_x(\tilde g_I).$$
This proves Eqn. 3, and hence the lemma.

Define the degree of the list $\mathcal{L}$ as $\deg(\mathcal{L}) := \sum_{I \in \mathcal{L}} \deg(I)$.

Lemma 17 (Bounding $|RT|$, $\deg(I)$, $\deg(\mathcal{L})$, $|\mathcal{L}|$). Let $RT$ be the roots-tree constructed from the execution of Algorithm 1. The number of leaves of $RT$, resp. $\deg(\mathcal{L})$, is at most $d = \deg(f(x))$. Also, the size $|RT|$ of the roots-tree (hence, the number of iterations of Algorithm 1) is bounded by $dk$.

Proof. Applying Lemma 16 inductively, the sum of the degrees of the nodes at any level is bounded by the degree $d$ of the root node. In particular,
1) We can extend every leaf to bring it to the last level (create a chain of nodes of the same degree) without changing the degree distribution property. So, $\deg(\mathcal{L}) = \sum_{I \in \mathcal{L}} \deg(I) \le d$.
Since the number of leaves is $\ge |\mathcal{L}|$, we get $|\mathcal{L}| \le d$.
2) For any split ideal $I$ in stack $S$, $\deg(I) \le d$.
3) Since the depth of the roots-tree is at most $k$, $|RT| \le kd$.

Lemma 18 (Computation cost at a node). The computation cost at each node of $RT$ (the time taken by Algorithm 1 in every iteration of the while loop) is bounded by $\mathrm{poly}(d, k \log p)$.

Proof. During an iteration, the major computations performed by the algorithm are: testing for zerodivisors (Step 9), computing the modular gcd (Step 13), and computing the reduced $f_I$ (Steps 3, 18, 20); each of these takes time $\mathrm{poly}(d, k \log p, \deg(I))$, where $I$ is the concerned triangular ideal. For any split ideal $I$ (or its lift $\hat I$), we know that $\deg(I) \le d$ (Lemma 17). So, all these steps take time $\mathrm{poly}(d, k \log p)$. Step 12, the repeated squaring modulo $I + \langle \tilde g \rangle$, takes time $\mathrm{poly}(\deg_x(\tilde g), \deg(I), k \log p)$ (using Lemma 28). Since $I$ is a split ideal with $\deg(I) \le d$, and the degree of $\tilde g$ is at most $d$, Step 12 also takes $\mathrm{poly}(d, k \log p)$ time.

Hence the computation cost at each node is $\mathrm{poly}(d, k \log p)$.

Proof of Theorem 1.
The definition of the roots-tree shows that the number of leaves upper bounds the number of all maximal split ideals in $\mathcal{L}$. Lemmas 17 and 18 show that the time complexity of Algorithm 1 is bounded by $\mathrm{poly}(d, k \log p)$ (by bounding both the number of iterations and the cost of computation at each iteration). Using Lemma 8 on the output of Algorithm 1, we get the exact count of the number of roots of $f \bmod p^k$ in time $\mathrm{poly}(d, k \log p)$.

A polynomial $f$ can be factored mod $p^k$ if it has two basic-irreducible factors of different degree (using distinct degree factorization [vzGP01] and Hensel's Lemma 21). If two basic-irreducible factors appear with different exponents/multiplicities, then again $f$ can be factored (using formal derivatives [vzGP01] and Hensel's Lemma 21). So, for counting the basic-irreducible factors of $f \bmod p^k$, we can assume $f \equiv (\varphi_1 \cdots \varphi_t)^e + ph \bmod p^k$, where every $\varphi_i \in (\mathbb{Z}/\langle p^k \rangle)[x]$ is a basic-irreducible polynomial of a fixed degree $b$. Also, $d := \deg(f) = bte$. Let us fix this assumption for this section, unless stated explicitly.

A basic-irreducible factor of $f \bmod p^k$ has the form $\varphi_i + p w_i(x) \bmod p^k$, for $i \in [t]$ (Lemma 22). If $b = 1$, counting basic-irreducible factors of $f$ is equivalent to counting roots of $f$. When $b > 1$, we prove a simple generalization of this idea: it is enough to count all the roots of $f$ in the ring extension $\mathbb{Z}[y]/\langle p^k, \varphi(y) \rangle$, where $\varphi(y)$ is irreducible mod $p$ of degree $b$. These rings are called Galois rings; we denote them by $G(p^k, b)$ (unique, for fixed $k$ and $b$, up to isomorphism).

Roots of $f$ in $G(p^k, b)$

By Lemma 22, any basic-irreducible factor of $f \bmod p^k$ is a factor of a unique $(\varphi_i^e + p w_i(x))$; and the $\varphi_i$ are coprime mod $p$. So in this subsection, for simplicity of exposition, we will assume that $f(x)$ equals $\varphi^e \bmod p$ ($\varphi$ a monic degree-$b$ irreducible mod $p$).

Define $G := G(p^k, b)$. Let $y_0, y_1, \ldots, y_{b-1}$ be the roots of $\varphi(x)$ in $G$ (Claim 24). Wlog, taking $y := y_0$, $y_i \equiv y^{p^i} \bmod p$, for all $i \in \{0, \ldots, b-1\}$ (Frobenius conjugates over $\mathbb{F}_p$). Note that $G \cong (\mathbb{Z}/\langle p^k \rangle)[y] =: G'$. We will prefer to use $G'$ below.

The lemma below associates a root of $f$, in $G$ or $G'$, to a unique basic-irreducible factor of $f$ in $(\mathbb{Z}/\langle p^k \rangle)[x]$.

Lemma 19 (Root to factor). Let $r(y) \in G'$ be a root of $f(x)$. Then, $h(x) := \prod_{i=0}^{b-1} (x - r(y_i))$ is the unique basic-irreducible factor of $f$ having root $r(y)$. We say: $h(x)$ is the basic-irreducible factor associated to the root $r(y)$.

Proof. The coefficients of $h$ are symmetric polynomials in the $r(y_i)$ (over $0 \le i < b$). Since the automorphism $\psi : y \mapsto y_1$ of $G'$ (as defined in Claim 25) permutes the $r(y_i)$'s ($\because$ it permutes the $y_i$'s), it fixes all the coefficients of $h$. From Claim 25, all these coefficients are then in $\mathbb{Z}/\langle p^k \rangle$. Hence, $h \in (\mathbb{Z}/\langle p^k \rangle)[x]$.

If $r(y)$ is a root of another polynomial $h'$ in $(\mathbb{Z}/\langle p^k \rangle)[x]$, then the $r(y_i)$'s are also roots of $h'$ (applying the automorphisms $\psi^i$ of $G'$). Since the factors $x - r(y_i)$ are pairwise coprime mod $p$, we actually get $h \mid h'$. Thus, $h$ is the unique monic irreducible factor of $f$ containing $r(y)$.

Looking mod $p$, the $r(y_i)$'s are a permutation of the roots of $\varphi(x)$, so $h(x) \equiv \varphi(x) \bmod p$.
Hence, $h(x)$ is the unique monic basic-irreducible factor of $f$ having root $r(y)$.

Following is the reduction to counting all roots of $f$ in $G$.

Theorem 20 (Factor to root). Any degree-$b$ basic-irreducible factor of $f \bmod p^k$ has exactly $b$ roots in $G$. Conversely, if $f$ has a root $r(y) \in G$, then it must be a root of a unique degree-$b$ basic-irreducible factor of $f \bmod p^k$. So, the number of degree-$b$ basic-irreducible factors of $f \bmod p^k$ is exactly the number of roots of $f$ in $G$, divided by the degree $b$.

Proof. By Lemma 19 (and the uniqueness of Galois rings), to every root $r(y) \in G$ of $f$ we can associate a unique basic-irreducible factor of $f(x)$.

Conversely, let $h(x) =: \varphi(x) + pw(x)$ be a basic-irreducible factor of $f(x)$. It splits completely in $G$ (as $h(x) \equiv \varphi \bmod p$; first factor in $G/\langle p \rangle$ and then Hensel lift to $G$). So, $h$ has exactly $b$ roots in $G$, each of which is also a root of $f$ in $G$.

Hence the theorem statement follows.

Remark.
This 'irreducible factor vs root' correspondence, for $f \bmod p^k$, breaks down if $G$ is not a Galois ring, e.g. for the ring $\mathbb{Z}[y]/\langle p^k, y^2 - p \rangle$.

Counting roots in $G(p^k, b)$: wrapping up Thm. 2

In this section, we show how to count the roots of $f \equiv (\varphi_1 \varphi_2 \cdots \varphi_t)^e + ph(x) \bmod p^k$ in $G(p^k, b)$. Since $G := G(p^k, b)$ is a Galois ring, $G/\langle p \rangle = \mathbb{F}_{p^b} =: \mathbb{F}_q$. (Recall: $R = \mathbb{Z}/\langle p^k \rangle$.)

Split ideals and zerosets in the Galois ring:
First, we will modify the definition of zerosets (Section 2) to include zeros of $f$ in $G$. The $G$-zeroset of $f(x) \in R[x]$ is defined as $Z_G(f) := \{ r \in G \mid f(r) \equiv 0 \bmod p^k \}$. Similarly, for an ideal $I \subseteq \mathbb{F}_p[\bar x_l]$, its $\mathbb{F}_q$-zeroset is defined as $Z_{\mathbb{F}_q}(I) := \{ \bar a = (a_0, \ldots, a_l) \in (\mathbb{F}_q)^{l+1} \mid g(\bar a) = 0,\ \forall g \in I \}$.

The definitions of triangular ideals, split ideals and maximal split ideals remain exactly the same (generators defined over $\mathbb{F}_p$, Section 2), except that in the third condition for split ideals the zeroset is now over $\mathbb{F}_q$ instead of $\mathbb{F}_p$. But they can now be seen as storing potential roots of $f(x)$ in $G$ (or, storing potential basic-irreducible factors of $f \bmod p^k$). The reason is that a root $r(y) \in G$ of $f \bmod p^k$ can be viewed as $r(y) = r_0(y) + p\, r_1(y) + p^2 r_2(y) + \ldots + p^{k-1} r_{k-1}(y)$, where each $r_i(y) \in G/\langle p \rangle = \mathbb{F}_q$. So, the decomposition of the formal variable $x =: x_0 + p x_1 + p^2 x_2 + \ldots + p^{k-1} x_{k-1}$ now represents candidates for $r_0, r_1$, and so on, over $\mathbb{F}_q$.

A split ideal $I_l \subseteq \mathbb{F}_p[\bar x_l]$, defined as $I_l := \langle h_0(x_0), \ldots, h_l(\bar x_l) \rangle$, now implicitly stores the candidates for $(r_0)$ in $h_0$, for $(r_0, r_1)$ in $h_1$, and so on. These, in turn, give candidates for basic-irreducible factors of $f \bmod p^{l'}$ (some $l' \le k$).

In particular, when $I_l$ is a maximal split ideal, an $\bar r_l$ implicitly denotes a basic-irreducible factor of $f \bmod p^k$. The number of such factors is $\deg(I_l) \cdot q^{k-l-1}/b$ (Theorem 20 & Lemma 8; each of the $k-l-1$ remaining digits ranges over $\mathbb{F}_q$).

Split ideals follow all the properties given in Section 2, just by replacing the fact that roots belong to $\mathbb{F}_q$ and not $\mathbb{F}_p$.

Description of the modified algorithm:
Algorithm 1, to count roots in $R$, extends directly to count roots in $G$. The algorithm is exactly the same except for one change: to compute the GCD (Steps 3 and 13), we now use the Frobenius polynomial $x^q - x$ instead of the prior $x^p - x$ (the GCD computation implicitly stores the candidate roots, which are in $\mathbb{F}_q$ now).

So the algorithm works as follows:
1. It gets $f(x) \equiv (\varphi_1 \cdots \varphi_t)^e + pw(x) \bmod p^k$ as input, and computes the gcd $h_0(x) := \gcd(f(x), x^q - x)$ over $\mathbb{F}_p$. Since $x^q - x$, over $\mathbb{F}_p$, is the product of all monic irreducibles of degree dividing $b$, we deduce $h_0(x) = \varphi_1 \cdots \varphi_t \bmod p$; and define the first split ideal $I_0 := \langle h_0 \rangle$. (Note: we do not have access to the $\varphi_i$'s themselves.)

Remark.
The length-1 split ideal stores all the roots of $f$ in $G/\langle p \rangle$, or all the basic-irreducible factors of $f \bmod p$; as $h_0(x) = \varphi_1 \cdots \varphi_t$. Also, its degree is $tb$, which when divided by $b$ gives the count of the basic-irreducible factors of $f \bmod p$.
2. The algorithm then successively looks for the next precision candidates. It computes $h_l$ by taking the gcd with $x^q - x$, and adds it to the previous ideal $I_{l-1}$ like before.
3. All the supporting algebraic algorithms and lemmas (given in the appendix) work the same as before, since they are being passed the same parameters: a split ideal, or a triangular ideal, or a polynomial over $R$.

Thus, a similar proof of correctness and time complexity can be given as before.

Proof of Theorem 2.
Consider a univariate $f(x) \bmod p^k$. As discussed in the beginning of this section, $f \bmod p^k$ can be efficiently factorized as $f \equiv \prod_{i=1}^m f_i \bmod p^k$, where each $f_i(x)$ is a power of a product of degree-$b_i$ irreducible polynomials mod $p$ (i.e. of the form $\equiv (\varphi_1 \varphi_2 \cdots \varphi_t)^e + ph(x)$, where each $\varphi_j$ is a degree-$b_i$ irreducible mod $p$).

On each such $f_i \bmod p^k$, we use Algorithm 1 with the new Frobenius polynomial $(x^{q_i} - x)$ ($q_i = p^{b_i}$), in Steps 3 and 18, as discussed above. Let the final list output, for $f_i \bmod p^k$, be $\mathcal{L}_i =: \{ I_1(l_1, D_1), \ldots, I_n(l_n, D_n) \}$. Thus, we get the count of the $G(p^k, b_i)$-roots of $f_i \bmod p^k$ as $\sum_{j=1}^n D_j q_i^{k - l_j}$ (Lemma 8). Using Theorem 20, the number of degree-$b_i$ basic-irreducible factors of $f \bmod p^k$ is $B_k(f_i) := (1/b_i) \times \sum_{j=1}^n D_j q_i^{k - l_j}$.

Using Lemma 22, we get the count of the basic-irreducible factors of $f \bmod p^k$ as $B_k(f) = \sum_{i=1}^m B_k(f_i)$.

For the time complexity, the only difference is the repeated squaring to compute the reduced form of the polynomial $x^{q_i} - x$ (Steps 3 and 13), which needs $b_i \log p$ operations instead of $\log p$ operations. But $b_i \le d$, so the algorithm runs in time $\mathrm{poly}(d, k \log p)$ (and remains deterministic).
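As an added worked example of Theorem 20 and the count above (this is not code from the paper): build $G(p^k, b)$ explicitly as $(\mathbb{Z}/p^k)[y]/\langle \varphi(y) \rangle$ for a chosen monic $\varphi$ irreducible mod $p$, find all roots of $f$ in it by exhaustive evaluation (the brute-force stand-in for the split-ideal search of Algorithm 1, feasible only for tiny $p^{kb}$), and divide by $b$ to get the number of degree-$b$ basic-irreducible factors of $f \bmod p^k$. The choices $\varphi = y^2 + y + 1$, $p = 2$, $k = 2$, the sample polynomials, and all function names are assumptions of this example.

```python
"""Counting degree-b basic-irreducible factors via roots in a Galois ring.

Added illustration of Theorem 20, not code from the paper: G(p^k, b) is
realised as (Z/p^k)[y]/(phi(y)) for a monic phi irreducible mod p, the roots
of f in G are found by exhaustive evaluation, and their number divided by b
is the number of degree-b basic-irreducible factors of f mod p^k. Elements of
G are length-b lists of coefficients in Z/p^k (coefficient of y^i at index i);
polynomials over Z are lists, lowest degree first.
"""
from itertools import product


def gr_mul(u, v, p, k, phi):
    """Product of u and v in G = (Z/p^k)[y]/(phi(y)); phi is monic of degree b."""
    q, b = p ** k, len(phi) - 1
    prod = [0] * (2 * b - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % q
    for i in range(2 * b - 2, b - 1, -1):      # eliminate y^i, i >= b, using phi(y) = 0
        c = prod[i]
        if c:
            for j in range(b + 1):
                prod[i - b + j] = (prod[i - b + j] - c * phi[j]) % q
    return prod[:b]


def gr_eval(f, r, p, k, phi):
    """Horner evaluation of f (integer coefficients) at the element r of G."""
    q, b = p ** k, len(phi) - 1
    acc = [0] * b
    for c in reversed(f):
        acc = gr_mul(acc, r, p, k, phi)
        acc[0] = (acc[0] + c) % q
    return acc


def galois_ring_roots(f, p, k, phi):
    """All r in G(p^k, b) with f(r) = 0, by exhaustive search over (p^k)^b elements."""
    b = len(phi) - 1
    zero = [0] * b
    return [list(r) for r in product(range(p ** k), repeat=b)
            if gr_eval(f, list(r), p, k, phi) == zero]


def count_basic_irreducible_factors(f, p, k, phi):
    """Theorem 20: (number of roots of f in G(p^k, b)) / b, where b = deg(phi)."""
    b = len(phi) - 1
    roots = galois_ring_roots(f, p, k, phi)
    assert len(roots) % b == 0, "each basic-irreducible factor contributes exactly b roots"
    return len(roots) // b


if __name__ == "__main__":
    p, k, phi = 2, 2, [1, 1, 1]                 # G(4, 2) = (Z/4)[y]/(y^2 + y + 1)
    f = [1, 1, 1]                               # x^2 + x + 1, itself basic-irreducible mod 4
    print(galois_ring_roots(f, p, k, phi))      # y and its conjugate y^2 = 3y + 3
    print(count_basic_irreducible_factors(f, p, k, phi))
    f2 = [1, 2, 3, 2, 1]                        # (x^2 + x + 1)^2 mod 4
    print(count_basic_irreducible_factors(f2, p, k, phi))
    # b = 1 recovers plain root counting in Z/9: x^2 + 3x has 3 roots mod 9
    print(count_basic_irreducible_factors([0, 3, 1], 3, 2, [0, 1]))
```

For $f_2 = (x^2+x+1)^2 \bmod 4$ the eight roots $y + 2s$ and $y^2 + 2s$ ($s \in \mathbb{F}_4$) give four factors, matching the four basic-irreducible factors $\varphi + 2w$ with $\deg w < 2$, each of which divides $\varphi^2 \bmod 4$; this is the "exponentially many factors, counted via roots" situation the paper handles symbolically.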
Conclusion

There are well-known efficient deterministic algorithms to count the number of roots/irreducible factors over prime characteristic. Surprisingly, not many results are known when the characteristic is a prime-power. The main difficulty is that the ring has non-unique factorization.

We give the first efficient deterministic algorithm to count the number of basic-irreducible factors modulo a prime-power. Restricting it to degree-one irreducibles, we get a deterministic polynomial-time algorithm to count the roots too. This is achieved by storing and improving roots (wrt precision) virtually, using split ideals (we do not have access to the roots directly). As a corollary, we can compute the Igusa zeta function deterministically, and we also get a deterministic algorithm to count roots in $p$-adic rings (resp. the formal power-series ring).

Many interesting questions still remain to be tackled. For $p$-adic fields, there is only a randomized method to count the number of irreducible factors. Analogously, the question of counting irreducible factors modulo a prime-power also remains open; no efficient method is known even in the randomized setting. The ramified roots seem to elude practical methods. On the other hand, the problem of actually finding an irreducible factor (resp. a root) deterministically seems much harder; it subsumes the analogous classic problem in prime characteristic.

Acknowledgements.
We thank Vishwas Bhargava for introducing us to the open problem of factoring $f \bmod p$ and the related prime-power questions. A.D. thanks Sumanta Ghosh for the discussions. N.S. thanks the funding support from DST (DST/SJF/MSA-01/2013-14). R.M. would like to thank support from DST through grant DST/INSPIRE/04/2014/001799.

References

[Apo13] Tom M. Apostol. Introduction to analytic number theory. Springer Science & Business Media, 2013.
[Bha97] Manjul Bhargava. P-orderings and polynomial functions on arbitrary subsets of Dedekind rings. Journal für die Reine und Angewandte Mathematik, 490:101–128, 1997.
[BLQ13] Jérémy Berthomieu, Grégoire Lecerf, and Guillaume Quintin. Polynomial root finding over local rings and application to error correcting codes. Applicable Algebra in Engineering, Communication and Computing, 24(6):413–443, 2013.
[CG00] David G. Cantor and Daniel M. Gordon. Factoring polynomials over p-adic fields. In International Algorithmic Number Theory Symposium, pages 185–208. Springer, 2000.
[CGRW18] Qi Cheng, Shuhong Gao, J. Maurice Rojas, and Daqing Wan. Counting roots of polynomials over prime power rings. In Thirteenth Algorithmic Number Theory Symposium, ANTS-XIII. Mathematical Sciences Publishers, 2018. arXiv:1711.01355.
[Chi87] A. L. Chistov. Efficient factorization of polynomials over local fields. Dokl. Akad. Nauk SSSR, 293(5):1073–1077, 1987.
[Chi94] A. L. Chistov. Algorithm of polynomial complexity for factoring polynomials over local fields. Journal of Mathematical Sciences, 70(4):1912–1933, 1994.
[CP56] M. Chojnacka-Pniewska. Sur les congruences aux racines données. Annales Polonici Mathematici, 3:9–12, 1956.
[CZ81] David G. Cantor and Hans Zassenhaus. A new algorithm for factoring polynomials over finite fields. Mathematics of Computation, 36(154):587–592, 1981.
[Den91] Jan Denef. Report on Igusa's local zeta function. Astérisque, 201-203:359–386, 1991.
[DH01] Jan Denef and Kathleen Hoornaert. Newton polyhedra and Igusa's local zeta function. Journal of Number Theory, 89(1):31–64, 2001.
[DM97] Bruce Dearden and Jerry Metzger. Roots of polynomials modulo prime powers. European Journal of Combinatorics, 18(6):601–606, 1997.
[DMS19] Ashish Dwivedi, Rajat Mittal, and Nitin Saxena. Efficiently factoring polynomials modulo p^4. arXiv preprint arXiv:1901.06628, 2019.
[Hen18] Kurt Hensel. Eine neue Theorie der algebraischen Zahlen. Mathematische Zeitschrift, 2(3):433–452, 1918.
[Igu74] Jun-ichi Igusa. Complex powers and asymptotic expansions. I. Functions of certain types. Journal für die reine und angewandte Mathematik, 268:110–130, 1974.
[Kli97] Adam Klivans. Factoring polynomials modulo composites. Technical report, Carnegie Mellon University, Pittsburgh, PA, Dept. of CS, 1997.
[Kob77] Neal Koblitz. p-adic numbers. In p-adic Numbers, p-adic Analysis, and Zeta-Functions, pages 1–20. Springer, 1977.
[KRRZ18] Leann Kopp, Natalie Randall, J. Maurice Rojas, and Yuyu Zhu. Randomized polynomial-time root counting in prime power rings. arXiv preprint arXiv:1808.10531, 2018. To appear in Math. Comp.
[Lau04] Alan G. B. Lauder. Counting solutions to equations in many variables over finite fields. Foundations of Computational Mathematics, 4(3):221–267, 2004.
[LN94] Rudolf Lidl and Harald Niederreiter. Introduction to finite fields and their applications. Cambridge University Press, 1994.
[Mau01] Davesh Maulik. Root sets of polynomials modulo prime powers. Journal of Combinatorial Theory, Series A, 93(1):125–140, 2001.
[McD74] Bernard R. McDonald. Finite rings with identity, volume 28. Marcel Dekker, 1974.
[NZM13] Ivan Niven, Herbert S. Zuckerman, and Hugh L. Montgomery. An introduction to the theory of numbers. John Wiley & Sons, 2013.
[Săl05] Ana Sălăgean. Factoring polynomials over Z_4 and over certain Galois rings. Finite Fields and Their Applications, 11(1):56–70, 2005.
[Sha93] Adi Shamir. On the generation of multivariate polynomials which are hard to factor. In Proceedings of the Twenty-fifth Annual ACM Symposium on Theory of Computing, pages 796–804. ACM, 1993.
[Sho09] Victor Shoup. A computational introduction to number theory and algebra. Cambridge University Press, 2009.
[Sie55] Wacław Sierpiński. Remarques sur les racines d'une congruence. Annales Polonici Mathematici, 1(1):89–90, 1955.
[Sir17] Carlo Sircana. Factorization of polynomials over Z/(p^n). In Proceedings of the 2017 ACM International Symposium on Symbolic and Algebraic Computation, pages 405–412. ACM, 2017.
[vzGH96] Joachim von zur Gathen and Silke Hartlieb. Factorization of polynomials modulo small prime powers. Technical report, Paderborn University, 1996.
[vzGH98] Joachim von zur Gathen and Silke Hartlieb. Factoring modular polynomials. Journal of Symbolic Computation, 26(5):583–606, 1998. (Conference version in ISSAC'96.)
[vzGP01] Joachim von zur Gathen and Daniel Panario. Factoring polynomials over finite fields: A survey. Journal of Symbolic Computation, 31(1-2):3–17, 2001.
[Zas69] Hans Zassenhaus. On Hensel factorization, I. Journal of Number Theory, 1(3):291–311, 1969.
[ZG03] W. A. Zuniga-Galindo. Computing Igusa's local zeta functions of univariate polynomials, and linear feedback shift registers. Journal of Integer Sequences, 6(2):3, 2003.
A Preliminaries
Lifting factorization:
Below we state a lemma, originally due to Kurt Hensel [Hen18], for $I$-adic lifting of a factorization of a given univariate polynomial. Over the years, Hensel's lemma has acquired many forms in different texts; the version presented here is due to Zassenhaus [Zas69].

Lemma 21 (Hensel's lemma [Hen18]). Let $R$ be a commutative ring with unity and denote the polynomial ring over it by $R[x]$. Let $I \subseteq R$ be an ideal of the ring $R$. Given a polynomial $f(x) \in R[x]$, suppose $f$ factorizes as $f = gh \bmod I$, such that $gu + hv = 1 \bmod I$ (for some $g, h, u, v \in R[x]$). Then, given any $l \in \mathbb{N}$, we can efficiently compute $g^*, h^*, u^*, v^* \in R[x]$ such that $f = g^* h^* \bmod I^l$. Here $g^* = g \bmod I$, $h^* = h \bmod I$ and $g^* u^* + h^* v^* = 1 \bmod I^l$ (i.e. pseudo-coprime lifts). Moreover, $g^*$ and $h^*$ are unique up to multiplication by a unit.

Using Hensel's lemma, for the purpose of counting roots (resp. basic-irreducible factors), a univariate polynomial $f(x) \in \mathbb{Z}[x]$ can be assumed to be a power of an irreducible modulo $p$.

Lemma 22. By the fundamental theorem of algebra, a univariate $f(x) \in \mathbb{Z}[x]$ factors uniquely, over $\mathbb{F}_p$, into coprime powers as $f \equiv \prod_{i=1}^{m} \varphi_i^{e_i}$, where each $\varphi_i \in \mathbb{Z}[x]$ is irreducible mod $p$ and $m, e_i \in \mathbb{N}$. Then, for all $k \in \mathbb{N}$:
1. $f$ factorizes mod $p^k$ as $f = g_1 g_2 \cdots g_m$, where the $g_i$'s are mutually coprime mod $p^k$ and $g_i \equiv \varphi_i^{e_i} \bmod p$, for all $i \in [m]$.
2. Any basic-irreducible factor of $f(x) \bmod p^k$ is a basic-irreducible factor of a unique $g_j \bmod p^k$, for some $j \in [m]$. Let $B_k(h)$ denote the number of (coprime) basic-irreducible factors of $h(x) \bmod p^k$. Then $B_k(f) = \sum_{i=1}^{m} B_k(g_i)$.
3. Any root of $f \bmod p^k$ is a root of a unique $g_i \bmod p^k$. Let $N_k(h)$ denote the number of (distinct) roots of $h(x) \bmod p^k$. Then $N_k(f) = \sum_{i=1}^{m} N_k(g_i)$.

Proof. We can apply Hensel's lemma by taking the ring $R := \mathbb{Z}$ and the ideal $I := \langle p \rangle$. The coprime factorization of $f \bmod p$ lifts to a unique coprime factorization $f \equiv g_1 g_2 \cdots g_m \bmod p^k$, for any $k \in \mathbb{N}$, with $g_i \equiv \varphi_i^{e_i} \bmod p$.

Any basic-irreducible factor $h(x)$ of $f(x) \bmod p^k$ has to satisfy $h \equiv \varphi_i \bmod p$ for some $i \in [m]$; otherwise $h$ would become reducible mod $p$. Since the $g_i$'s are coprime and $h \mid f \bmod p^k$, $h$ must divide a unique $g_i$. So any basic-irreducible factor $h$ of $f(x) \bmod p^k$ is a basic-irreducible factor of a unique $g_j \bmod p^k$. Clearly, any basic-irreducible factor of a $g_i$ is also a basic-irreducible factor of $f \bmod p^k$. This proves $B_k(f) = \sum_{i=1}^{m} B_k(g_i)$.

The third part follows by reasoning similar to the second part.

Root finding over a finite field:
The following theorem, called CZ in this paper and given by Cantor–Zassenhaus [CZ81], finds all roots of a given univariate polynomial over a finite field in randomized polynomial time. (Equivalently, it finds all irreducible factors as well.)
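Before the Cantor–Zassenhaus theorem, here is the lifting of Lemma 21 worked out in code for the case used in Lemma 22, namely $R = \mathbb{Z}$ and $I = \langle p \rangle$. This is an added example, not code from the paper: the quadratic lifting step below is the textbook Zassenhaus step (each round squares the modulus and also repairs the Bezout cofactors $u^*, v^*$), the list-based polynomial arithmetic is a representation chosen for the example, and the instance $f = x^2 - 2$, $p = 7$, $k = 3$ with the brute-force root finder is constructed here to check the identity $N_k(f) = \sum_i N_k(g_i)$ of Lemma 22.

```python
# Added example (not from the paper): Hensel lifting of a coprime factorization
# f = g*h (mod p) to f = g*h (mod p^k), in the Zassenhaus form of Lemma 21, and
# the root count N_k(f) = sum_i N_k(g_i) of Lemma 22 checked by brute force.
# Univariate polynomials over Z/m are coefficient lists, lowest degree first.


def pnorm(a, m):
    """Reduce coefficients mod m and drop leading zeros."""
    a = [c % m for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a


def padd(a, b, m):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return pnorm([x + y for x, y in zip(a, b)], m)


def psub(a, b, m):
    return padd(a, [-c for c in b], m)


def pmul(a, b, m):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return pnorm(r, m)


def pdivmod(a, b, m):
    """Quotient and remainder of a by a monic b over Z/m (monic => long division is exact)."""
    a, b = pnorm(a, m), pnorm(b, m)
    assert b and b[-1] == 1, "divisor must be monic"
    q = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        d = len(a) - len(b)
        q[d] = a[-1]
        a = psub(a, [0] * d + [a[-1] * c for c in b], m)
    return pnorm(q, m), a


def hensel_step(f, g, h, s, t, m):
    """One quadratic lift: from f = g h, s g + t h = 1 (mod m) to the same (mod m^2).
    h must be monic; this is the classical Zassenhaus / quadratic Hensel step."""
    M = m * m
    e = psub(f, pmul(g, h, M), M)                 # error term, divisible by m
    q, r = pdivmod(pmul(s, e, M), h, M)
    g1 = padd(padd(g, pmul(t, e, M), M), pmul(q, g, M), M)
    h1 = padd(h, r, M)
    # repair the cofactors so that s1 g1 + t1 h1 = 1 (mod M): these are u*, v* of Lemma 21
    b = psub(padd(pmul(s, g1, M), pmul(t, h1, M), M), [1], M)
    c, d = pdivmod(pmul(s, b, M), h1, M)
    s1 = psub(s, d, M)
    t1 = psub(psub(t, pmul(t, b, M), M), pmul(c, g1, M), M)
    return g1, h1, s1, t1


def hensel_lift(f, g, h, s, t, p, k):
    """Lift f = g h (mod p) with s g + t h = 1 (mod p) to f = g* h* (mod p^k).
    Returns (g*, h*) reduced mod p^k; g* = g and h* = h (mod p) as in Lemma 21."""
    m, target = p, p ** k
    while m < target:                              # log k rounds, modulus squares each time
        g, h, s, t = hensel_step(f, g, h, s, t, m)
        m *= m
    return pnorm(g, target), pnorm(h, target)


def roots_mod(f, n):
    """Brute-force distinct roots of f in Z/n; their number is N_k(f) of Lemma 22."""
    return sorted(x for x in range(n)
                  if sum(c * pow(x, i, n) for i, c in enumerate(f)) % n == 0)


# Constructed instance: f = x^2 - 2 over Z/7^3.  Mod 7, f = (x - 3)(x + 3) with the
# Bezout identity 1*(x - 3) + 6*(x + 3) = 7x + 15 = 1 (mod 7).
P, K = 7, 3
F = [-2, 0, 1]
G0, H0, S0, T0 = [-3, 1], [3, 1], [1], [6]


def lifted_factors():
    return hensel_lift(F, G0, H0, S0, T0, P, K)


if __name__ == "__main__":
    g, h = lifted_factors()
    n = P ** K
    print("g* =", g, " h* =", h)                   # x + 235 and x + 108 mod 343
    print("g*h* == f mod 343:", pmul(g, h, n) == pnorm(F, n))
    print("roots of f:", roots_mod(F, n),
          " roots of g* and h*:", sorted(roots_mod(g, n) + roots_mod(h, n)))
```

The two lifted factors stay coprime mod $7^3$, so every root of $f$ mod $343$ is a root of exactly one of them, which is the third statement of Lemma 22 in this instance: $N_3(f) = 2 = N_3(g^*) + N_3(h^*)$. Since $f$ has two distinct roots mod $7$, the lift is also an instance of Lemma 21's uniqueness (up to units) of $g^*, h^*$.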
Theorem 23 (Cantor–Zassenhaus Algo (CZ)). Given a univariate degree $d$ polynomial $f(x)$ over a finite field $\mathbb{F}_q$, all roots of $f$ in $\mathbb{F}_q$ can be found in randomized poly$(d, \log q)$ time.

A.1 Properties of Galois rings: analogues of finite fields

A Galois ring, of characteristic $p^k$ and size $p^{kb}$, is denoted by $G(p^k, b)$ (where $p$ is a prime and $k, b \in \mathbb{N}$). It is known that two Galois rings of the same characteristic and size are isomorphic to each other. We will define the Galois ring $G(p^k, b)$ as the ring $G := \mathbb{Z}[y]/\langle p^k, \varphi(y) \rangle$, where $\varphi(y) \in \mathbb{Z}[y]$ is irreducible mod $p$ of degree $b$ [McD74]. Let us prove some useful properties of $G$ below.

Claim 24 (Roots of $\varphi$). Let $\varphi'(x) \in \mathbb{Z}[x]$ be any irreducible mod $p$ of degree $b$. There are $b$ distinct roots of $\varphi'(x)$ in $G$. Let $r$ denote one of the roots; then all other roots, modulo $p$, are of the form $r^{p^i}$ ($i \in \{0, \ldots, b-1\}$).

Proof. $G/\langle p \rangle$ is isomorphic to the finite field of degree $b$ over $\mathbb{F}_p$. So the irreducible $\varphi'(x) \in \mathbb{F}_p[x]$ has exactly $b$ roots in $G/\langle p \rangle$ [LN94, Ch.2]. By Hensel's Lemma 21, roots in $G/\langle p \rangle$ can be lifted to $G$ uniquely. Hence $\varphi'(x)$ has exactly $b$ distinct roots in $G$. Modulo $p$, they are of the form $r^{p^i}$ ($i \in \{0, \ldots, b-1\}$) for a root $r$ (lifted from roots in $G/\langle p \rangle$).

Using Claim 24, denote the roots of $\varphi(x)$ as $y_0, \ldots, y_{b-1}$; here $y_i \equiv y^{p^i} \bmod p$ for all $i \in \{0, \ldots, b-1\}$. For all roots $y_j$, $G \equiv R[y_j]$. In other words, $y_j$ generates the extension $G$ over $R$.

Claim 25 (Symmetries of $G$). There are exactly $b$ automorphisms of $G$ fixing $R = \mathbb{Z}/\langle p^k \rangle$, denoted by $\psi_j$ ($j \in \{0, \ldots, b-1\}$). Each of these automorphisms can be described by a map taking $y$ to one of the roots of $\varphi(x)$ and fixing $R$. Wlog, assume $\psi_j$ maps $y \to y_j$. Moreover, for all $j$ coprime to $b$, $\psi_j$ fixes $R$ and nothing else.

Proof. Since the coefficients of $\varphi(x)$ belong to $R$, an automorphism fixing $R$ should map the root $y =: y_0$ to another of its roots $y_j$.
We only need to show that $\psi_j$ is an automorphism (it is a valid map because $y_j \in G$). Writing elements of $G$ in terms of $y$ (i.e. $G \cong R[y]$), it can be verified that $\psi_j(ab) = \psi_j(a)\psi_j(b)$ and $\psi_j(a+b) = \psi_j(a) + \psi_j(b)$, so $\psi_j$ is a homomorphism. Similarly, if $\psi_j(g) = 0$, then writing $g$ in terms of $y$ we get that $g = 0$. So the kernel of $\psi_j$ is the set $\{0\}$; thus it is an isomorphism.

For the moreover part, let $\psi_j$ be such that $j$ is coprime to $b$. We will show a stronger statement by induction: for any $i \leq k-1$, if $a(y) = \psi_j(a(y))$ in $G/\langle p^i \rangle$, then $a(y) \in \mathbb{Z}/\langle p^i \rangle$.

Base case: If $i = 1$ and $j = 1$, then $a(y) = \psi_1(a(y)) \bmod p \Rightarrow a(y) = a(y)^p \bmod p$. It means $a(y) \in \mathbb{Z}/\langle p \rangle$. If $j$ is coprime to $b$, then $\psi_j$ generates $\psi_1$ modulo $p$. So $a(y) = \psi_j(a(y)) \bmod p$ implies that $a(y) \bmod p =: a_0 \in \mathbb{Z}/\langle p \rangle$. This argument also proves: for any $i \leq k$, if $a(y) = a(y_j)$ in $G/\langle p^i \rangle$, then $a(y) \in \mathbb{F}_p$ (in other words, $a(y)$ is $y$-free).

Induction step: Let us assume that $a(y) = \psi_j(a(y))$ in $G/\langle p^i \rangle$. By the previous argument, $a(y) = a_0 + p\,a'(y)$, where $a_0 \in \mathbb{Z}/\langle p \rangle$ and $a'(y) \in G/\langle p^{i-1} \rangle$. From the definition, $a(y) = \psi_j(a(y))$ iff $a'(y) = \psi_j(a'(y))$ in $G/\langle p^{i-1} \rangle$. By the induction hypothesis, the latter is equivalent to $a'(y) \in \mathbb{Z}/\langle p^{i-1} \rangle$. So $a(y) \in \mathbb{Z}/\langle p^i \rangle$.

Hence, the only elements fixed under the map $\psi_j$ ($j$ coprime to $b$) are the integers in $\mathbb{Z}/\langle p^k \rangle$.

B Proofs of Section 2
Proof of Lemma 5.
It is enough to show the lemma for $j = l-1$. It is easy to observe that $I_{l-1}$ is triangular.

Looking at the second condition for being a split ideal, $|Z_{\mathbb{F}_p}(I_{l-1})| \leq \prod_{i=0}^{l-1} \deg_{x_i}(h_i)$ follows because a polynomial of degree $d$ has at most $d$ roots in $\mathbb{F}_p$. To show equality, notice that for any $\bar a = (a_0, \ldots, a_{l-1}) \in Z_{\mathbb{F}_p}(I_{l-1})$, $\deg_{x_l}(h_l(\bar a, x_l))$ is bounded by $\deg_{x_l}(h_l)$. This implies $h_l(\bar a, x_l)$ can have at most $\deg_{x_l}(h_l)$ roots in $\mathbb{F}_p$. If $|Z_{\mathbb{F}_p}(I_{l-1})| < \prod_{i=0}^{l-1} \deg_{x_i}(h_i)$, then $|Z_{\mathbb{F}_p}(I_l)| < \deg_{x_l}(h_l) \cdot \prod_{i=0}^{l-1} \deg_{x_i}(h_i)$, contradicting that $I_l$ is a split ideal. This argument also shows that every $\mathbb{F}_p$-zero of $I_{l-1}$ 'extends' to exactly $\deg_{x_l}(h_l)$ many $\mathbb{F}_p$-zeros of $I_l$.

For the third condition, since $I_l$ is a split ideal, for any $(a_0, \ldots, a_{l-1}) \in Z_{\mathbb{F}_p}(I_{l-1})$, $f(a_0 + pa_1 + \ldots + p^l a_l) \equiv 0 \bmod p^{l+1} \Rightarrow f(a_0 + pa_1 + \ldots + p^{l-1} a_{l-1}) \equiv 0 \bmod p^l$.

Lemma 6 shows that a split ideal $I$ can be decomposed in terms of the ideals $I_{\bar a} := \langle x_0 - a_0, \ldots, x_l - a_l \rangle$, where $\bar a =: (a_0, \ldots, a_l)$ is a root of $I$. Before we prove this structural lemma, let us see some properties of these ideals $I_{\bar a}$.

Claim 26. Let $I$ be a split ideal.
1. For any ideal $I_{\bar a}$, the quotient $\mathbb{F}_p[x_0, \ldots, x_l]/I_{\bar a} \cong \mathbb{F}_p$ is a field.
2. $I_{\bar a}$ and $I_{\bar b}$ are coprime for any two distinct roots $\bar a, \bar b \in Z_{\mathbb{F}_p}(I)$. This is because there exists $i$ for which $a_i \neq b_i$, yielding $(a_i - b_i)^{-1}\bigl((x_i - b_i) - (x_i - a_i)\bigr) = 1$ in the sum-ideal $I_{\bar a} + I_{\bar b}$.
3. $I_{\bar a} \cap I_{\bar b} = I_{\bar a} I_{\bar b}$ for any two distinct roots $\bar a, \bar b \in Z_{\mathbb{F}_p}(I)$. It follows because there exist $r_{\bar a} \in I_{\bar a}$ and $r_{\bar b} \in I_{\bar b}$ s.t. $r_{\bar a} + r_{\bar b} = 1$. So $r \in I_{\bar a} \cap I_{\bar b} \Rightarrow r = r(r_{\bar a} + r_{\bar b}) \in I_{\bar a} I_{\bar b}$. On the other hand, $I_{\bar a} I_{\bar b} \subseteq I_{\bar a} \cap I_{\bar b}$ follows from the definition of the product ideal.
4. Generalizing the previous point: for a set $A$ of distinct roots $\bar a$, $\bigcap_{\bar a \in A} I_{\bar a} = \prod_{\bar a \in A} I_{\bar a}$.

Proof of Lemma 6. We will prove this decomposition by induction on the length of the split ideal. For the base case, the length of $I$ is 1 and $I = \langle h_0(\bar x_0) \rangle \subseteq \mathbb{F}_p[x_0]$. Since $I$ is a split ideal, $h_0(x_0) = \prod_{i=1}^{\deg(h_0)} (x_0 - a_i)$ for distinct $a_i \in \mathbb{F}_p$. So $I = \prod_{i=1}^{\deg(h_0)} I_{a_i} = \bigcap_{i=1}^{\deg(h_0)} I_{a_i}$ by Claim 26.

Let $I$ be a split ideal of length $l+1$, $I =: \langle h_0(\bar x_0), \ldots, h_l(\bar x_l) \rangle \subseteq \mathbb{F}_p[x_0, \ldots, x_l]$. Define the ideal $I' := \langle h_0(\bar x_0), \ldots, h_{l-1}(\bar x_{l-1}) \rangle$. By Lemma 5, $I'$ is a split ideal. From the induction hypothesis (and Claim 26), we have $I' = \bigcap_{\bar a \in Z_{\mathbb{F}_p}(I')} I'_{\bar a} = \prod_{\bar a} I'_{\bar a}$, where $I'_{\bar a} := \langle x_0 - a_0, \ldots, x_{l-1} - a_{l-1} \rangle$ for a zero $\bar a =: (a_0, \ldots, a_{l-1})$ of $I'$. We know that
$$ I = I' + \langle h_l(\bar x_l) \rangle = \prod_{\bar a \in Z_{\mathbb{F}_p}(I')} \bigl( I'_{\bar a} + \langle h_l(\bar x_l) \rangle \bigr). \qquad (4) $$
Claim 10 shows $\deg(h_l(\bar a, x_l)) = \deg_{x_l}(h_l)$ for all $\bar a \in Z_{\mathbb{F}_p}(I')$, and $h_l(\bar a, x_l)$ splits completely over $\mathbb{F}_p$. So, for any $\bar a \in Z_{\mathbb{F}_p}(I')$, $I'_{\bar a} + \langle h_l(\bar x_l) \rangle = \prod_{i=1}^{\deg_{x_l}(h_l)} I_{(\bar a, b_i)}$, where the $(\bar a, b_i)$ are the roots of $I$ extended from $\bar a$. From Eqn. 4 (and Claim 26), $I = \prod_{\bar b \in Z_{\mathbb{F}_p}(I)} I_{\bar b} = \bigcap_{\bar b \in Z_{\mathbb{F}_p}(I)} I_{\bar b}$. This finishes the inductive proof, completely factoring $I$.

Lemma 8 shows that a root of a maximal split ideal represents a set of roots of $f \bmod p^k$ and provides the size of that set.

Proof of Lemma 8.
By the definition of a maximal split ideal, for any $\bar a = (a_0, \ldots, a_l) \in Z_{\mathbb{F}_p}(I)$, $p^k \mid g(x)$, where $g(x) = f(a_0 + pa_1 + p^2 a_2 + \ldots + p^l a_l + p^{l+1} x)$. So $g(x) = 0 \bmod p^k$ for any of the $p^{k-l-1}$ choices of $x$. For each such fixing of $x$, $a_0 + pa_1 + p^2 a_2 + \ldots + p^l a_l + p^{l+1} x$ is a distinct root of $f(x) \bmod p^k$. Hence proved.

C Computation modulo a triangular ideal: Reduce & Divide
For completeness, we show that it is efficient to reduce a polynomial $a(\bar x_l) \in G[\bar x_l]$ modulo a triangular ideal $J_l = \langle b_0(\bar x_0), b_1(\bar x_1), \ldots, b_l(\bar x_l) \rangle \subseteq G[\bar x_l]$, where $G$ is any Galois ring (in particular, $R = \mathbb{Z}/p^k$, or $\mathbb{F}_p$).

Note: $J_l$ need not be a split ideal for $f \bmod p^k$, though the algorithms of this section work for split ideals (since they are triangular by definition).

Assumptions: In the generators of the triangular ideal we assume $\deg_{x_i} b_i(\bar x_i) \geq 2$ (for $0 \leq i \leq l$). Otherwise, we could eliminate the variable $x_i$ and work with fewer variables (and a triangular ideal of smaller length). Additionally, each $b_i(\bar x_i)$ (for $0 \leq i \leq l$) is monic (leading coefficient is 1 wrt $x_i$), and presented in a reduced form modulo the prior triangular ideal $J_{i-1} := \langle b_0(\bar x_0), \ldots, b_{i-1}(\bar x_{i-1}) \rangle \subseteq G[\bar x_{i-1}]$.

Let us first define reduction mod an ideal (assume $G$ to be the Galois ring $G(p^k, b)$).

Definition 27 (Reduction by a triangular ideal). The reduction of a multivariate polynomial $a(\bar x_l) \in G[\bar x_l]$ by a triangular ideal $J_l = \langle b_0(\bar x_0), \ldots, b_l(\bar x_l) \rangle \subseteq G[\bar x_l]$ is the unique polynomial $\tilde a(\bar x_l) \equiv a(\bar x_l) \bmod J_l$ with $\deg_{x_i}(\tilde a) < \deg_{x_i}(b_i)$ for all $i \in \{0, \ldots, l\}$.

Idea of reduction:
The idea behind the algorithm is inspired by univariate reduction. If $l = 0$, then the reduction of $a(x_0)$ modulo $b_0(x_0)$ is simply the remainder of the division of $a$ by $b_0$ in the underlying polynomial ring $G[x_0]$. For a larger $l$, the reduction of $a(\bar x_l)$ modulo the triangular ideal $J_l = \langle b_0(x_0), \ldots, b_l(\bar x_l) \rangle$ is the remainder of the division of $a(\bar x_l)$ by $b_l(\bar x_l)$ in the polynomial ring $(G[x_0, \ldots, x_{l-1}]/J_{l-1})[x_l]$. The fact that $b_l$ is monic helps in generalizing 'long division'.

Input: An $a(\bar x_l) \in G[\bar x_l]$ and a triangular ideal $J_l = \langle b_0(\bar x_0), \ldots, b_l(\bar x_l) \rangle \subseteq G[\bar x_l]$.
Output: The reduction $\tilde a$ of $a \bmod J_l$ as defined above.

Algorithm 2: Reduce $a(\bar x_l)$ modulo $J_l$

    1:  procedure Reduce($a(\bar x_l)$, $J_l$)
    2:    if $l = 0$ then                                   [Reduce $a(x_0)$ by $b_0(x_0)$]
    3:      return the remainder of the univariate division of $a$ by $b_0$ in $R[x_0]$.
    4:    end if
    5:    $d_a \leftarrow \deg_{x_l}(a)$ and $d_b \leftarrow \deg_{x_l}(b_l)$.
    6:    Let $a(\bar x_l) =: \sum_{i=0}^{d_a} a_i(\bar x_{l-1})\, x_l^i$ be the representation of $a(\bar x_l)$ with respect to $x_l$.
    7:    Recursively reduce each coefficient $a_i(\bar x_{l-1})$ of $a$ mod $J_{l-1}$:
          $\tilde a_i(\bar x_{l-1}) \leftarrow$ Reduce($a_i(\bar x_{l-1})$, $J_{l-1}$), for all $i \in \{0, \ldots, d_a\}$.
    8:    while $d_a \geq d_b$ do
    9:      $a(\bar x_l) \leftarrow a - \bigl( a_{d_a} \cdot x_l^{d_a - d_b} \cdot b_l \bigr)$
    10:     Update $d_a \leftarrow \deg_{x_l}(a)$. Update the $a_i$'s such that $a(\bar x_l) =: \sum_{i=0}^{d_a} a_i(\bar x_{l-1}) \cdot x_l^i$.
    11:     Call Reduce($a_i(\bar x_{l-1})$, $J_{l-1}$) for all $i \in \{0, \ldots, d_a\}$: recursively reduce each coefficient $a_i(\bar x_{l-1})$ mod $J_{l-1}$ (like Step 7).
    12:   end while
    13:   return $a(\bar x_l)$.
    14: end procedure

The following lemma shows that reduction modulo a triangular ideal (Algorithm 2) is efficient.
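Algorithm 2 written out in Python, as an added example that is not the paper's code: polynomials over $\mathbb{F}_p$ are dicts from exponent tuples to coefficients (a representation chosen for the example), each generator $b_i$ is monic in $x_i$ and involves only $x_0, \ldots, x_i$, and the ideal $J_1 = \langle x_0^2 - 1,\ x_1^2 - x_0 \rangle$ over $\mathbb{F}_5$ is a constructed instance. It happens to be a split ideal (it has $2 \cdot 2 = 4$ zeros), and the brute-force zero enumeration is included only to check that the reduced polynomial of Definition 27 agrees with the input on $Z_{\mathbb{F}_p}(J_1)$.

```python
# Added example (not from the paper): Algorithm 2, reduction of a multivariate
# polynomial modulo a triangular ideal J_l = <b_0(x_0), ..., b_l(x_0..x_l)> over F_p.
# A polynomial is a dict {exponent tuple: coefficient}; every tuple has length l + 1,
# and generator b_i involves only x_0..x_i and is monic in x_i (the paper's assumption).
from collections import defaultdict
from itertools import product


def trim(a, p):
    """Normalise coefficients mod p and drop zero terms."""
    return {m: c % p for m, c in a.items() if c % p}


def padd(a, b, p):
    r = defaultdict(int)
    for m, c in a.items():
        r[m] += c
    for m, c in b.items():
        r[m] += c
    return trim(r, p)


def pmul(a, b, p):
    r = defaultdict(int)
    for m1, c1 in a.items():
        for m2, c2 in b.items():
            r[tuple(e1 + e2 for e1, e2 in zip(m1, m2))] += c1 * c2
    return trim(r, p)


def deg_in(a, i):
    """Degree of a in x_i (-1 for the zero polynomial)."""
    return max((m[i] for m in a), default=-1)


def coeffs_in(a, i):
    """Write a = sum_d a_d * x_i^d and return {d: a_d}, with x_i cleared from each a_d."""
    out = defaultdict(dict)
    for m, c in a.items():
        out[m[i]][m[:i] + (0,) + m[i + 1:]] = c
    return out


def times_power(a, i, d):
    """Multiply a by the monomial x_i^d."""
    return {m[:i] + (m[i] + d,) + m[i + 1:]: c for m, c in a.items()}


def reduce_tri(a, J, p, l=None):
    """Algorithm 2: the unique representative of a mod J_l with deg_{x_i} < deg_{x_i}(b_i)
    for every i (Definition 27). J is the list [b_0, ..., b_l]."""
    if l is None:
        l = len(J) - 1
    a = trim(a, p)

    def reduce_coeffs(poly):
        # Steps 7 / 11: recursively reduce every coefficient (wrt x_l) modulo J_{l-1}.
        if l == 0:
            return poly
        out = {}
        for d, a_d in coeffs_in(poly, l).items():
            out.update(times_power(reduce_tri(a_d, J, p, l - 1), l, d))
        return out

    a = reduce_coeffs(a)
    b_l = J[l]
    d_b = deg_in(b_l, l)
    while deg_in(a, l) >= d_b:                    # Steps 8-12: long division by the monic b_l
        d_a = deg_in(a, l)
        lead = coeffs_in(a, l)[d_a]
        # Step 9: a <- a - lead * x_l^(d_a - d_b) * b_l; the x_l^d_a term cancels since b_l is monic
        sub = pmul(times_power(lead, l, d_a - d_b), b_l, p)
        a = padd(a, {m: -c for m, c in sub.items()}, p)
        a = reduce_coeffs(a)
    return a


def evaluate(a, point, p):
    """Evaluate a at a point of F_p^n."""
    total = 0
    for m, c in a.items():
        term = c
        for e, v in zip(m, point):
            term = term * pow(v, e, p) % p
        total += term
    return total % p


def zeros_mod_p(J, p):
    """Brute-force common zeros of the generators over F_p (fine for tiny p and n)."""
    n = len(J)
    return [pt for pt in product(range(p), repeat=n) if all(evaluate(b, pt, p) == 0 for b in J)]


# Constructed instance over F_5: J_1 = <x_0^2 - 1, x_1^2 - x_0>; x_0 = +-1 and x_1 a square
# root of x_0 give 4 = deg(J_1) zeros, so J_1 is split (Lemma 5's second condition).
P = 5
B0 = {(2, 0): 1, (0, 0): -1}               # x_0^2 - 1
B1 = {(0, 2): 1, (1, 0): -1}               # x_1^2 - x_0
J = [B0, B1]
A = {(0, 3): 1, (3, 1): 1, (2, 0): 1}      # x_1^3 + x_0^3 x_1 + x_0^2

if __name__ == "__main__":
    reduced = reduce_tri(A, J, P)
    print("reduced:", reduced)             # {(1, 1): 2, (0, 0): 1}, i.e. 2 x_0 x_1 + 1
    print("zeros of J_1:", zeros_mod_p(J, P))
    print("agree on zeros:", all(evaluate(A, z, P) == evaluate(reduced, z, P) for z in zeros_mod_p(J, P)))
```

By hand, $x_0^2 \equiv 1$ gives $x_0^3 \equiv x_0$, and $x_1^2 \equiv x_0$ gives $x_1^3 \equiv x_0 x_1$, so $a \equiv 2x_0x_1 + 1$ mod $J_1$, which is what the code returns. The recursive reduction of coefficients after every subtraction (Steps 7 and 11) is what keeps the intermediate degrees in $x_0, \ldots, x_{l-1}$ bounded, which is the point of the degree-doubling argument in the proof of Lemma 28.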
Lemma 28 (Reduction). Given $a(\bar x_l) \in G[\bar x_l]$ and $J_l \subseteq G[\bar x_l]$, to reduce $a(\bar x_l) \bmod J_l$, Algorithm 2 takes time poly$\bigl(\prod_{i=0}^{l} \deg_{x_i}(a),\ \log|G|,\ \deg(J_l)\bigr)$.

In particular, if each coefficient $a_i(\bar x_{l-1})$ of $a(\bar x_l)$ (viewed as a polynomial in $x_l$) is in reduced form mod $J_{l-1}$, then the reduction takes time poly$(d_a, \log|G|, \deg(J_l))$, where $d_a = \deg_{x_l}(a)$.

Proof. We prove the lemma by induction on the length $l+1$ of the ideal $J_l$.

For $l = 0$, we have a standard univariate reduction which takes at most $O(\deg(a)\deg(b_0))$ ring operations in $G$. Since addition/multiplication/division in $G$ take time at most $\tilde O(\log|G|)$ [Sho09], we get the lemma.

Assume that the lemma is true for any ideal of length less than $l$. The coefficients $a_i(\bar x_{l-1})$ can be reduced mod $J_{l-1}$, in time poly$\bigl(\prod_{i=0}^{l-1} \deg_{x_i}(a), \log|G|, \deg(J_{l-1})\bigr)$, using the induction hypothesis. We need to make $d_a + 1$ such calls; the total time is bounded by poly$\bigl(\prod_{i=0}^{l} \deg_{x_i}(a), \log|G|, \deg(J_{l-1})\bigr)$. In the same time we can compute Step 9.

After the update at Step 9, the individual degrees $\deg_{x_i}(a)$ (for $0 \leq i < l$) can become at most double the previous degree (safely assuming $2 \leq \deg_{x_i}(b_i) \leq \deg_{x_i}(a)$). By the induction hypothesis, each call to reduce $a_i(\bar x_{l-1}) \bmod J_{l-1}$ takes time poly$\bigl(\prod_{i=0}^{l-1} \deg_{x_i}(a), \log|G|, \deg(J_{l-1})\bigr)$. The algorithm makes at most $d_a$ such calls and the while-loop runs at most $d_a$ times. Hence, the algorithm takes time poly$\bigl(\prod_{i=0}^{l} \deg_{x_i}(a), \log|G|, \deg(J_l)\bigr)$; and we are done.

If the coefficients of $a$ are already reduced modulo $J_{l-1}$, then $\deg_{x_i}(a) < \deg_{x_i}(b_i)$ for all $0 \leq i < l$. Hence, Algorithm 2 takes time $d_a \cdot$ poly$(\log|G|, \deg(J_{l-1}))$.

Lemma 29 (Division mod triangular ideal). Given a triangular ideal $J_l \subseteq G[\bar x_l]$ and a unit $a(\bar x_l) \in G[\bar x_l]/J_l$, we can compute $a^{-1} \bmod J_l$, in reduced form, in time poly$\bigl(\prod_{i=0}^{l} \deg_{x_i}(a), \log|G|, \deg(J_l)\bigr)$.

Proof. Let $u(\bar x_l) \in G[\bar x_l]/J_l$ be such that $u \cdot a \equiv 1 \bmod J_l$. We can write $u$ as
$$ u = \sum_{\substack{\bar e \geq \bar 0 \\ \forall\, 0 \leq i \leq l:\ e_i < \deg_{x_i}(b_i)}} u_{\bar e} \cdot \bar x_l^{\bar e}. $$
We want to find the unknowns $u_{\bar e}$ in $G$ satisfying $u \cdot a \equiv 1 \bmod J_l$. This gives us a linear system in the unknowns; it has size $\deg(J_l)$. The linear system can be written down, using Algorithm 2, by reducing the monomial products $\bar x_l^{\bar e} \cdot \bar x_l^{\bar e'}$ that appear in the product $u \cdot a$. This takes time poly$\bigl(\prod_{i=0}^{l} \deg_{x_i}(a), \log|G|, \deg(J_l)\bigr)$. Since there exists a unique $u$, our linear system is efficiently solvable, by standard linear algebra, in the required time.

Let us see two direct applications of the reduction Algorithm 2: to compute valuation and to compute the reduced form of split ideals.

First, we explain how Algorithm 1 (Steps 3, 18) computes the reduced $f_J$ modulo the lift $\hat J$ of the newly computed split ideal $J$, when $x$ is replaced by $x_{l+1} + px$ in the intermediate polynomial $f_I(\bar x_l, x)$.

Lemma 30 (Updating stack with reduced polynomial). Let $I \subseteq \mathbb{F}_p[\bar x_l]$ be a split ideal and $f_I(\bar x_l, x) \in R[\bar x_l, x]$ be reduced modulo $\hat I$ (the lift of $I$ over $R$). Define the split ideal $J \subseteq \mathbb{F}_p[\bar x_{l+1}]$ as $J := I + \langle h_{l+1}(\bar x_{l+1}) \rangle$, and let $\hat J$ be the lift of $J$ over $R$. Then, in time poly$(\log|R|, \deg_x(f_I), \deg(J))$, we can compute a reduced polynomial $f_J$ modulo $\hat J$ defined by $f_J(\bar x_{l+1}, x) := f_I(\bar x_l, x_{l+1} + px) \bmod \hat J$.
Proof.
Since $f_I(\bar x_l, x)$ is already reduced modulo $\hat I$, $\deg_{x_i}(f_I) < \deg_{x_i}(h_i)$. Define $D := \deg_x(f_I)$, perform the shift $x \to x_{l+1} + px$ in $f_I$, and expand $f_I$ using the Taylor series,
$$ f_J(\bar x_l, x) = f_I(\bar x_l, x_{l+1} + px) =: g_0(\bar x_{l+1}) + g_1(\bar x_{l+1})(px) + \ldots + g_D(\bar x_{l+1})(px)^D, $$
where $g_i$ could also be seen as the $i$-th derivative of $f_I(\bar x_l, x_{l+1})$ (wrt $x_{l+1}$) divided by $i!$. To compute $f_J \bmod \hat J$, we call Reduce($g_i$, $\hat J$) (for all $i$) to get the reduction of each term mod $\hat J$.

To calculate the time complexity of Reduce($g_i$, $\hat J$), note that the coefficients of each $g_i$, wrt $x_{l+1}$, are already reduced mod $\hat I$. Since $J = I + \langle h_{l+1} \rangle$, using Lemma 28, the time complexity of reducing each $g_i$ by $\hat J$ is at most poly$(\deg_{x_{l+1}}(g_i), \log|R|, \deg(J))$ (note $\deg(J) = \deg(\hat J)$). Since $\deg_{x_{l+1}}(g_i) \leq \deg_x(f_I)$ (for $i \leq D$), the total time complexity is poly$(\log|R|, \deg_x(f_I), \deg(J))$.

Next, we explain Step 20 in Algorithm 1 a bit more.

Lemma 31 (Ideal factors in reduced form). Consider the tuple $(U := \{h_0(\bar x_0), \ldots, h_l(\bar x_l)\},\ f_{\langle U \rangle}) \in S$ and consider a non-trivial factorization $h_i =: h_{i,1} \cdots h_{i,m}$ for some $h_i \in U$. Wlog each factor $h_{i,j}$ is monic wrt $x_i$. Then we can compute the factor-related tuples $(U_j, f_{\langle U_j \rangle})$, for all $j \in [m]$, in time poly$(\deg(\langle U \rangle), \log|R|, \deg_x(f_{\langle U \rangle}))$ ($f_{\langle U_j \rangle}$ will be in reduced form mod $\langle U_j \rangle$).

Proof. First, we successively reduce $h_{i+t}$ ($1 \leq t \leq l-i$) modulo the triangular ideal $I_{i+t,j} := \langle h_0, \ldots, h_{i-1}, h_{i,j}, h_{i+1}, \ldots, h_{i+t} \rangle$. The time complexity of each of these steps is bounded by poly$(\deg(\langle U \rangle), \log|R|)$ (Lemma 28). This ensures that the degree of $h_{i+t}$ in a variable $x_s$ ($s < i+t$) is less than the individual degree of the $s$-th generator of the ideal $\langle U_j \rangle$.

Then, $f_{\langle U_j \rangle}$ can be calculated by reducing each of the $\deg_x(f_{\langle U \rangle}) + 1$ coefficients of $f_{\langle U \rangle}$ (wrt $x$) by the lifted triangular ideal $\hat I_{l,j} = \hat U_j$. By Lemma 28, this takes time poly$(\prod_{i=0}^{l} \deg_{x_i}(f_{\langle U \rangle}),\ \deg_x(f_{\langle U \rangle}),\ \log|R|,\ \deg(\langle U \rangle))$. Since the coefficients (wrt $x$) of $f_{\langle U \rangle}$ were already reduced modulo $\langle U \rangle$, $\prod_{i=0}^{l} \deg_{x_i}(f_{\langle U \rangle}) \leq \deg(\langle U \rangle)$. So the computation time is bounded by poly$\bigl(\deg(\langle U \rangle), \log|R|, \deg_x(f_{\langle U \rangle})\bigr)$.

D Computation modulo a triangular ideal: Zerodivisor test & GCD
Test-Zero-Div($a(\bar x_l)$, $I_l$), for a triangular ideal $I_l =: \langle h_0, \ldots, h_l \rangle$, either reports that $a(\bar x_l)$ is not a zerodivisor modulo $I_l$, or returns a non-trivial factorization of a generator $h_i =: h_{i,1} \cdots h_{i,m}$ (into monic, wrt $x_i$, factors mod the prior ideal). In this section we assume $F$ to be a finite field.

Idea: In the quotient ring $F[\bar x_l]/\langle I_l \rangle$, a monic (wrt $x_i$) polynomial $a(\bar x_i)$ is a zerodivisor iff it contains a factor of $h_i(\bar x_i)$, the generator of the triangular ideal $I_l$ in the variables $\{x_0, \ldots, x_i\}$. So, firstly the algorithm checks whether the given polynomial $a(\bar x_l)$ is monic (recursively, from the variable $x_{l-1}$ down to $x_0$). If this fails, it factors some generator $h_i$ for $i < l$. After making $a(\bar x_l)$ monic, we take the gcd of $a$ with $h_l$: if it finds a non-trivial gcd it factors $h_l$, else $a(\bar x_l)$ is not a zerodivisor.

Algorithm 3: Zerodivisor test of $a(\bar x_l)$ modulo $I_l$

    1:  procedure Test-Zero-Div($a(\bar x_l)$, $I_l$)
    2:    if $l = 0$ then                                   [Take univariate GCD]
    3:      $\gcd \leftarrow \gcd(a(x_0), h_0(x_0))$.
    4:      if $\gcd$ is non-trivial then
    5:        Factorize $h_0(x_0) =: \gcd \cdot \frac{h_0}{\gcd}$; return (True, $\gcd \cdot \frac{h_0}{\gcd}$).
    6:      else
    7:        return (False).
    8:      end if
    9:    end if
    10:   Let the leading coefficient of $a(\bar x_l)$ wrt $x_l$ be $\tilde a(\bar x_{l-1})$. Call Test-Zero-Div($\tilde a(\bar x_{l-1})$, $I_{l-1}$).
    11:   if the test returned True then
    12:     return the result of the test, including the factorization of a generator $h_i(\bar x_i)$.
    13:   end if
          [Now, we will take the gcd of $a$ and $h_l$ using the iterated division method (Euclid's method).]
    14:   Define $b(\bar x_l) \leftarrow h_l(\bar x_l)$.
    15:   while $b(\bar x_l) \neq 0$ do
    16:     Let $\tilde b(\bar x_{l-1})$ be the leading coefficient of $b(\bar x_l)$ wrt $x_l$.
    17:     if Test-Zero-Div($\tilde b(\bar x_{l-1})$, $I_{l-1}$) = True then
    18:       return the result of Test-Zero-Div($\tilde b(\bar x_{l-1})$, $I_{l-1}$), the factorization of a generator $h_i(\bar x_i)$.
    19:     end if
    20:     Let $c(\bar x_l) \leftarrow$ Reduce($a(\bar x_l)$, $I_{l-1} + \langle b(\bar x_l)/\tilde b \rangle$) (the same as taking the remainder of $a(\bar x_l)$ when divided by the monic polynomial $b(\bar x_l)/\tilde b$ modulo $I_{l-1}$).
    21:     $a(\bar x_l) \leftarrow b(\bar x_l)/\tilde b$, $b(\bar x_l) \leftarrow c(\bar x_l)$.        [Invariant: $\deg_{x_l}(b)$ has fallen.]
    22:   end while
          [The gcd of the original $a(\bar x_l)$ and $h_l(\bar x_l)$ mod $I_l$ is stored in $a(\bar x_l)$.]
    23:   if the gcd $a(\bar x_l)$ is non-trivial then
    24:     return (True, a non-trivial factorization of $h_l(\bar x_l)$).
    25:   else
    26:     return (False).                                 [$a(\bar x_l)$ is not a zerodivisor.]
    27:   end if
    28: end procedure

Lemma 32 (Efficiency of testing zerodivisors). Assuming the coefficients of $a(\bar x_l)$ wrt $x_l$ are in reduced form modulo $I_{l-1}$, Algorithm 3 takes time poly$(\deg_{x_l}(a), \log|F|, \deg(I_l))$.

Proof. We apply induction on the length $l+1$ of the ideal $I_l$. For $l = 0$, it runs a univariate gcd and takes time poly$(\deg(a), \deg(h_0), \log|F|)$ [Sho09]. Assume the lemma statement holds true for ideals of length $l$. By induction, checking whether $\tilde a(\bar x_{l-1})$ is a zerodivisor mod $I_{l-1}$ takes poly$(\deg_{x_{l-1}}(\tilde a), \log|F|, \deg(I_{l-1}))$ time. To compute the gcd of $a$ and $h_l$, the Euclidean gcd algorithm will run at most $\deg_{x_l}(a) + \deg_{x_l}(h_l)$ while-loops. From the induction hypothesis, and Lemmas 28–29, each loop takes at most poly$(\deg_{x_l}(a), \log|F|, \deg(I_l))$ time. So we are done.

GCD($a(\bar x_l, x)$, $b(\bar x_l, x)$, $I_l$) computes the gcd of two polynomials $a(\bar x_l, x)$ and $b(\bar x_l, x)$ modulo a triangular ideal $I_l = \langle h_0(x_0), \ldots, h_l(\bar x_l) \rangle$, resp. returns False. It computes the monic gcd, resp. returns a non-trivial factorization of some $h_i$.

Algorithm 4: GCD computation modulo $I_l$

    1:  procedure GCD($a(\bar x_l, x)$, $b(\bar x_l, x)$, $I_l$)
    2:    Let $\tilde b(\bar x_l)$ be the leading coefficient of $b$ with respect to $x$.
    3:    if Test-Zero-Div($\tilde b(\bar x_l)$, $I_l$) = True then
    4:      return False; Test-Zero-Div($\tilde b(\bar x_l)$, $I_l$) factors some generator $h_i(\bar x_i)$.
    5:    end if
    6:    Let $c(\bar x_l, x) \leftarrow$ Reduce($a$, $I_l + \langle b/\tilde b \rangle$).
    7:    if $c = 0$ then
    8:      return $b/\tilde b$.
    9:    else
    10:     return GCD($b(\bar x_l, x)$, $c(\bar x_l, x)$, $I_l$).
    11:   end if
    12: end procedure

Lemma 33 (Multivariate GCD). Algorithm 4 either factors a generator $h_i$ (and outputs False), or computes a monic polynomial $g(\bar x_l, x) \in F[\bar x_l, x]$ such that $g$ divides $a, b$ modulo $I_l$. Moreover, $g = ua + vb \bmod I_l$, for some $u(\bar x_l, x), v(\bar x_l, x) \in F[\bar x_l, x]$. If $a$ and $b$ are in reduced form mod $I_l$, then it takes time poly$(\deg_x(a), \deg_x(b), \log|F|, \deg(I_l))$.

Proof. Algorithm 4 is just an implementation of the multivariate Euclidean gcd algorithm over the coefficient ring $\mathbb{F}_p[\bar x_l]/I_l =: R'$. If the algorithm outputs $g(\bar x_l, x) \in R'[x]$ then, by standard Euclidean gcd arguments (using recursion), there exist $u(\bar x_l, x), v(\bar x_l, x) \in R'[x]$ such that $ua + vb = g$, and $g$ divides both $a$ and $b$ modulo $I_l$.

The algorithm works fine if in each step it was able to work with a monic divisor. Otherwise, it gets stuck at a 'division' step, implying that the divisor's leading coefficient is a zerodivisor, factoring some generator of $I_l$.

For the time complexity, each recursive step makes one call each to Test-Zero-Div, Reduce, and the division procedure. They take time poly$(\deg_x(a), \deg_x(b), \log|F|, \deg(I_l))$ (since the coefficients of $a$ and $b$ are in reduced form mod $I_l$; use Lemmas 28, 29 & 32). Since the number of recursive steps is bounded by $\deg_x(a) + \deg_x(b)$, the total time is bounded by poly$(\deg_x(a), \deg_x(b), \log|F|, \deg(I_l))$.