Programming ECC - Finding Roots of Polynomials

Finding Roots of Polynomials

Once a Hilbert polynomial $H_{D} (x)$ has been computed, a root in $𝔽_{q}$ must be found. It will be used as the $j$ -invariant when constructing an elliptic curve. We discuss one method for finding roots of a polynomial in a given finite field below.

Squarefree Factorization

Usually the first step is to remove factors so that the polynomial is squarefree. This is unnecessary if we only want the roots because the method we use for extracting the degree 1 factors automatically removes repeated roots.

For completeness we describe how to make a polynomial squarefree in general.

In a field of characteristic 0, a squarefree version of $f (x)$ can be obtained by computing $f (x) / \gcd (f (x), f' (x))$ .

In a field of characteristic $p$ however, a polynomial $f (x)$ satisfies $f' (x) = 0$ precisely when $f (x) = w (x)^{p}$ for some polynomial $w (x)$ .

Thus if it is known that the degree of $H_{D} (x)$ is less than $p$ we may use the same algorithm unchanged. Otherwise:

Compute $f' (x)$ .
If $f' (x) = 0$ , write $f (x) = w (x)^{p}$ , replace $f$ with $w$ and goto step 1, otherwise replace $f (x)$ with $f (x) / \gcd (f (x), f' (x))$ and goto step 1.

Distinct Degree Factorization

The next step is to factorize $f (x)$ as

f (x) = f_{1} (x) . . . f_{m} (x)

where each $f_{i}$ is a product of irreducible polynomials of degree $i$ .

As we only care about the roots, we only need $f_{1} (x)$ . This is precisely $\gcd (x^{q} - x, f (x))$ since $x^{q} - x$ is the product of all irreducible polynomials of degree 1. Use repeated squaring to efficiently compute the latter polynomial.

In general, observe that if $p (x)$ is an irreducible polynomial of degree $d$ then $𝔽_{q} [x] / p (x) 𝔽_{q} [x]$ is a field of degree $q^{d}$ . Suppose we have $x^{q^{d}} - x = p (x) q (x) + r (x)$ . Since every element of the field has order $q^{d}$ , we see that $r (x) = 0$ . Hence $p (x)$ is a factor of $x^{q^{d}} - x$ .

This suggests the following algorithm.

Compute $f_{1} (x) = \gcd (x^{q} - x, f (x))$ .
Compute $f_{2} (x) = \gcd (x^{q^{2}} - x, f (x) / f_{1} (x))$ .
Compute $f_{3} (x) = \gcd (x^{q^{3}} - x, f (x) / f_{1} (x) / f_{2} (x))$ .

…and so on until all factors are found.

The Cantor-Zassenhaus Algorithm

An algorithm of Cantor and Zassenhaus factorizes any polynomial whose irreducible factors have the same degree. We only need a special case. Suppose $f (x)$ is a degree $n$ polynomial that splits in our field.

Select a random polynomial $r (x)$ of degree less than $n$ .
If $\gcd (r (x), f (x)) \neq 1$ then return the result.
Compute $s (x) = r (x)^{(q - 1) / 2} \mod f (x)$ . Then $\gcd (s (x) + 1, f (x))$ is a proper factor with probability $1 - 2^{n - 1}$ .
Repeat until successful.

For completeness we describe how to proceed with the general case. First assume $q$ is odd. Then for any $g (x) \in 𝔽_{q}$ , consider the polynomial:

g^{q^{d}} - g = g (g^{\frac{q^{d} - 1}{2}} - 1) (g^{\frac{q^{d} - 1}{2}} + 1)

Each element of $𝔽_{q^{d}}$ is a root, so $x^{q^{d}} - x$ divides this polynomial. Also, observe the right-hand side factors are mutually coprime. Since $f$ is squarefree and is a product of irreducible degree $d$ polynomials, using a fact from above gives:

f = \gcd (f, g^{q^{d}} - g) = \gcd (f, g) \gcd (f, g^{\frac{q^{d} - 1}{2}} - 1) \gcd (f, g^{\frac{q^{d} - 1}{2}} + 1)

This explains the above procedure.

When $p = 2$ , define $u (x) = x + x^{2} + . . . + x^{2^{d - 1}}$ . Then for any $g (x) \in 𝔽_{2} [x]$ we have

(u compose g) (u compose g + 1) = g^{2^{d}} - g

thus $f = \gcd (f, u compose g) \gcd (f, u compose g + 1)$ and we proceed as before.

Irreducible Polynomials

On a related note, a polynomial $f (x) \in 𝔽_{q}$ of degree $n$ is irreducible if and only if

$f (x) ∣ x^{q^{n}} - x$
For all primes $d$ dividing $n$ ,
$\gcd (f (x), x^{q^{n / d}} - x) = 1$