Berlekamp–Rabin algorithm explained

F_p

with

elements. The method was discovered by Elwyn Berlekamp in 1970^[1] as an auxiliary to the algorithm for polynomial factorization over finite fields. The algorithm was later modified by Rabin for arbitrary finite fields in 1979.^[2] The method was also independently discovered before Berlekamp by other researchers.^[3]

History

The method was proposed by Elwyn Berlekamp in his 1970 work on polynomial factorization over finite fields. His original work lacked a formal correctness proof and was later refined and modified for arbitrary finite fields by Michael Rabin. In 1986 René Peralta proposed a similar algorithm^[4] for finding square roots in

F_p

.^[5] In 2000 Peralta's method was generalized for cubic equations.^[6]

Statement of problem

Let

be an odd prime number. Consider the polynomial

f(x) = a_0 + a_1 x + \cdots + a_n x^n

over the field

F_p\simeqZ/pZ

of remainders modulo

. The algorithm should find all

F_p

such that

f(\lambda)= 0

F_p

.^[7]

Algorithm

Randomization

Let $f(x) = (x-\lambda_1)(x-\lambda_2)\cdots(x-\lambda_n)$ . Finding all roots of this polynomial is equivalent to finding its factorization into linear factors. To find such factorization it is sufficient to split the polynomial into any two non-trivial divisors and factorize them recursively. To do this, consider the polynomial $f_z(x)=f(x-z) = (x-\lambda_1 - z)(x-\lambda_2 - z) \cdots (x-\lambda_n-z)$ where

is some element of

F_p

. If one can represent this polynomial as the product

f_z(x)=p_0(x)p_1(x)

then in terms of the initial polynomial it means that

f(x)=p_0(x+z)p_1(x+z)

, which provides needed factorization of

f(x)

Classification of

F_p

elements

(x-λ)

exactly one of following properties holds:

The monomial is equal to

λ=0

The monomial divides $g_0(x)=(x^-1)$ if

is quadratic residue modulo

The monomial divides $g_1(x)=(x^+1)$ if

is quadratic non-residual modulo

Thus if

f_z(x)

is not divisible by

, which may be checked separately, then

f_z(x)

is equal to the product of greatest common divisors

\gcd(f_z(x);g_0(x))

and

\gcd(f_z(x);g_1(x))

Berlekamp's method

The property above leads to the following algorithm:

Explicitly calculate coefficients of

f_z(x)=f(x-z)

Calculate remainders of $x,x^2, x^,x^, x^, \ldots, x^$ modulo

f_z(x)

by squaring the current polynomial and taking remainder modulo

f_z(x)

Using exponentiation by squaring and polynomials calculated on the previous steps calculate the remainder of $x^$ modulo $f_z(x)$ ,
If $x^ \not \equiv \pm 1 \pmod$ then

\gcd

mentioned below provide a non-trivial factorization of

f_z(x)

Otherwise all roots of

f_z(x)

are either residues or non-residues simultaneously and one has to choose another

f(x)

is divisible by some non-linear primitive polynomial

g(x)

over

F_p

then when calculating

\gcd

with

g_0(x)

and

g_1(x)

one will obtain a non-trivial factorization of

f_z(x)/g_z(x)

, thus algorithm allows to find all roots of arbitrary polynomials over

F_p

Modular square root

Consider equation $x^2 \equiv a \pmod$ having elements

\beta

and

-\beta

as its roots. Solution of this equation is equivalent to factorization of polynomial

f(x) = x^2-a=(x-\beta)(x+\beta)

over

F_p

. In this particular case problem it is sufficient to calculate only

\gcd(f_z(x);g_0(x))

. For this polynomial exactly one of the following properties will hold:

GCD is equal to

which means that

z+\beta

and

z-\beta

are both quadratic non-residues,

GCD is equal to

f_z(x)

which means that both numbers are quadratic residues,

GCD is equal to

(x-t)

which means that exactly one of these numbers is quadratic residue.

In the third case GCD is equal to either

(x-z-\beta)

(x-z+\beta)

. It allows to write the solution as

\beta = (t - z) \pmod

Example

Assume we need to solve the equation $x^2 \equiv 5\pmod$ . For this we need to factorize

f(x)=x^{2-5=(x-\beta)(x+\beta)}

. Consider some possible values of

z=3

. Then

f_z(x)=(x-3)²-5=x²-6x+4

, thus

\gcd(x²-6x+4;x⁵-1)=1

. Both numbers

3\pm\beta

are quadratic non-residues, so we need to take some other

z=2

. Then

f_z(x)=(x-2)²-5=x²-4x-1

, thus

\gcd(x^2 - 4x - 1 ; x^5 - 1)\equiv x - 9 \pmod

. From this follows

x - 9 = x - 2 - \beta

, so

\beta\equiv7\pmod{11}

and

-\beta \equiv -7 \equiv 4 \pmod

A manual check shows that, indeed, $7^2 \equiv 49 \equiv 5\pmod$ and $4^2\equiv 16 \equiv 5\pmod$ .

Correctness proof

The algorithm finds factorization of

f_z(x)

in all cases except for ones when all numbers

z+λ_1,z+λ_2,\ldots,z+λ_n

are quadratic residues or non-residues simultaneously. According to theory of cyclotomy,^[8] the probability of such an event for the case when

λ_1,\ldots,λ_n

are all residues or non-residues simultaneously (that is, when

z=0

would fail) may be estimated as

2^-k

where

is the number of distinct values in

λ_1,\ldots,λ_n

. In this way even for the worst case of

k=1

and

f(x)=(x-λ)ⁿ

, the probability of error may be estimated as

1/2

and for modular square root case error probability is at most

1/4

Complexity

Let a polynomial have degree

. We derive the algorithm's complexity as follows:

Due to the binomial theorem $(x-z)^k = \sum\limits_^k \binom (-z)^x^i$ , we may transition from

f(x)

f(x-z)

O(n²⁾

time.

Polynomial multiplication and taking remainder of one polynomial modulo another one may be done in $O(n^2)$ , thus calculation of $x^ \bmod f_z(x)$ is done in $O(n^2 \log p)$ .
Binary exponentiation works in

O(n²logp)

Taking the

\gcd

of two polynomials via Euclidean algorithm works in

O(n²⁾

Thus the whole procedure may be done in

O(n²logp)

. Using the fast Fourier transform and Half-GCD algorithm,^[9] the algorithm's complexity may be improved to

O(nlognlogpn)

. For the modular square root case, the degree is

n=2

, thus the whole complexity of algorithm in such case is bounded by

O(logp)

per iteration.

Notes and References

Factoring polynomials over large finite fields . Mathematics of Computation . 1970 . 24 . 111 . 713–735 . 0025-5718 . 10.1090/S0025-5718-1970-0276200-X . en . Berlekamp. E. R.. free.
M. Rabin . Probabilistic Algorithms in Finite Fields . SIAM Journal on Computing . 1980 . 9 . 2 . 273–280 . 0097-5397 . 10.1137/0209024 . 10.1.1.17.5653 .
Book: Donald E Knuth . Donald E Knuth . The art of computer programming. Vol. 2 Vol. 2 . 1998 . 978-0201896848. 900627019 .
Tsz-Wo Sze . On taking square roots without quadratic nonresidues over finite fields . Mathematics of Computation. 2011 . 80 . 275 . 1797–1811 . 0025-5718 . 10.1090/s0025-5718-2011-02419-1 . 0812.2591 . 10249895 .
R. Peralta . A simple and fast probabilistic algorithm for computing square roots modulo a prime number (Corresp.) . IEEE Transactions on Information Theory . November 1986 . 32 . 6 . 846–847 . 0018-9448 . 10.1109/TIT.1986.1057236 .
C Padró, G Sáez . Taking cube roots in Zm . Applied Mathematics Letters . August 2002 . 15 . 6 . 703–708 . 0893-9659 . 10.1016/s0893-9659(02)00031-9 .
Book: Alfred J. Menezes, Ian F. Blake, XuHong Gao, Ronald C. Mullin, Scott A. Vanstone . Applications of Finite Fields . 1993 . Springer US . The Springer International Series in Engineering and Computer Science . 9780792392828.
Book: Marshall Hall . Combinatorial Theory . 1998 . John Wiley & Sons . 9780471315186.
Book: Aho, Alfred V. . The design and analysis of computer algorithms . 1974 . Addison-Wesley Pub. Co . 0201000296 . registration .