On computing subfields. A detailed description of the algorithm

J

OURNAL DE

T

HÉORIE DES

N

OMBRES DE

B

ORDEAUX

J

ÜRGEN

K

LÜNERS

On computing subfields. A detailed description

of the algorithm

Journal de Théorie des Nombres de Bordeaux, tome

10, n

o

_{2 (1998),}

p. 243-271

<http://www.numdam.org/item?id=JTNB_1998__10_2_243_0>

© Université Bordeaux 1, 1998, tous droits réservés.

L’accès aux archives de la revue « Journal de Théorie des Nombres de Bordeaux » (http://jtnb.cedram.org/) implique l’accord avec les condi-tions générales d’utilisation (http://www.numdam.org/conditions). Toute uti-lisation commerciale ou impression systématique est constitutive d’une infraction pénale. Toute copie ou impression de ce fichier doit conte-nir la présente mention de copyright.

Article numérisé dans le cadre du programme Numérisation de documents anciens mathématiques

On

_Computing

Subfields.

A

Detailed

_Description

of

the

_Algorithm

par JÜRGEN KLÜNERS

RÉSUMÉ. Soit

_Q(03B1)

un _corps de nombres défini _par le

polynôme

minimal de 03B1. Nous nous intéressons à déterminer _{les sous-corps}

Q(03B2)

C

_Q(03B1)

de

_degré

donné.

_Chaque

sous-corps est décrit en donnant le

_polynôme

_{minimal g}

de

_03B2

et le

_plongement

_{de 03B2}

dans

Q(03B1)

donné _par un

polynôme h

tel que

h(03B1) =

03B2.

Il y a une

bijection

entre les

_systèmes

de blocs du _groupe de Galois de

f

et

les sous-corps de

Q(03B1).

Ces

systèmes

de blocs sont calculés en utilisant les _sous-groupes

_cycliques

du _groupe de Galois

qui

sont

obtenus à

_partir

du critère de Dedekind.

_{Lorsqu’un système}

de blocs est connu, on calcule le _sous-corps

_{correspondants}

par des

méthodes

_p-adiques.

Nous

_presentons

ici une

_description

détaillée de

_{l’algorithme.}

ABSTRACT. Let

_Q(03B1)

be an

_algebraic

number field

_{given by}

the minimal

_polynomial

_f

of a. We want to determine all subfields

Q(03B2)

~

_Q(03B1)

of

_given

_degree.

It is convenient to describe each

subfield

_by

a _pair

(g, h)

~

_{Z [t]}

x

Q[t]

such that _g is the minimal

polynomial

of

_03B2

=

_{h(03B1) .}

There _{is a}

_bijection

between the block

systems of the Galois _group of

_f

and the subfields of

_Q(03B1).

These block _systems are

_{computed using cyclic}

_subgroups

of the Galois

group which we _get from the Dedekind criterion. When a block

system is known we _compute the

_{corresponding}

subfield

_using

p-adic methods. We

_give

a detailed

description

for all _parts of the

algorithm.

1. INTRODUCTION

Let E =

Q(a)

be an

_algebraic

number field of

_degree

_n, where a is a root of a monic irreducible

_polynomial

_f

E

_Z[t].

In this article a method is

_developed

for

_determining

all subfields L =

Q(/3)

of E of fixed

degree

_m

over

Q.

We describe each subfield L

_by

the minimal

_{polynomial g}

of

_~3

and the

_embedding

of

₃

into

_E,

which is

_{given by}

a

_{polynomial h}

E

_Q[t]

with

Lemma 1.1. 1. Each

_subfield

L

_of

E has a

_{representation}

as a

_pair

(g, h)

E x

_Q[t],

such that

_{g o h = 0}

mod

_jZ[t].

2. A

_pair

_{(g, h)}

E

_Z[t]

x

Q[t]

such

_{that g}

o h - 0 mod and g

irre-ducible describes a

subfield

L

of

E.

Note that the coefficients of the

_embedding

_{Polynornial h}

are not

neces-sarily integral

because the

_equation

order is in

_general

not

_integrally

closed.

_W.l.o.g.

we assume that the

_degree

of h is less than _n, otherwise we

replace h by

its remainder modulo

f .

The lemma is used to check if a

pair

(g, h)

presents

a subfield L of E. Such a subfield L is

_represented

in

the form hence

_isomorphic

fields are not

_{distinguishable}

_{by g}

alone.

Example

1.2. We determine all

_subfields

L

_of

E =

of degree

3. There are three

_subfields

with

_{characterizing}

_pairs

(t3 108, t2), (t3

-108,

_{i2 t5}

+

2 t2 )

and

_{(t3 -}

_{108, -12 t5}

+

2 t2 ) .

In all cases the minimal

poly-nomial

_{of ~3}

is the _same;

_however,

we are able to

_distinguish

the three

isomorphic subfields by

their

_{embedding polynomials.}

There are several other

_algorithms

[1,

_{3, 8, 9, 12, 14,}

15]

for

_calculating

subfields. In this article we

_improve

the methods described in

[12].

The

generating polynomials

are constructed

_by

factorizations of

_polynomials

over finite fields and Hensel

lifting

over

p-adic

fields. We

give improved

algorithms

for the

_computations

in

_p-adic

fields. In the combinatorial

_part

of the

_algorithm

we can reduce the number of

possibilities

dramatically.

Three other methods

_[9,

_14,

_15]

need factorizations of

_polynomials

over

number

_{fields, respectively}

factorizations of

_polynomials

over the rational

integers

of much

_{higher degree}

than the

_degree

of the

_given

field. The method

_presented

in

_[1]

needs hard numerical

_computations

and lattice reduction

_algorithms.

_Although

the

_algorithm

in

_[3]

_computes

subfields it is not

_guaranteed

that all subfields will be found. A

_comparison

of

_running

times is

_given

in section 8.

This _paper is

_organized

as follows. In the next section we focus on

algorithms

for

_computations

in

_p-adic

fields. The block

_systems

of a Galois group and their relation to subfields is

_presented

in section 3. In section

4 and 5 we

_develop

methods to

_compute

_{generating polynomials}

_resp. the

embedding

of a subfield via its block

_system.

In the last section we discuss

the

_efficiency

of the

_algorithm

and

_give

some

examples.

This _paper contains

the results

_concerning

the subfield

_computation

of the dissertation

_[11]

of the author.

2. _{UNRAMIFIED p-ADIC} EXTENSIONS

The subfield

_computation

is based on

_p-adic

methods. Therefore we

_give

a detailed

_description

of the

_algorithms

we are

_going

to use for

_computation

in the

_p-adic

fields.

2.1. Introduction. In the

_following

we recall some fundamental

proper-ties of unramified

_p-adic

extensions. The

_proofs

can be found _{e.g. in}

[2, 17].

In the

_following

let .~ and E be unramified extensions of

_Qp

with maximal orders _{OF, os} and

_prime

_{ideals p,}

_{fl3, respectively.}

The

_{corresponding}

residue class fields are denoted

by 0

and

E.

Lemma 2.1. For every extension there exists an

_unique

_unramified

extension such that

9

and

_Fq

are

_isomorphic.

The extension

EIJ7

is

cyclic

with

_{isomorphic to}

Lemma 2.2. Let

_9/.F

be an

unrarraified p-adic

extension

of degree

s.

If

pi, ... , PS are

representatives

of

a basis

of

then

_they

are a

_of-basis

of

0,,.

Using

this

_lemma,

it is

_{straightforward}

to construct a

ow-basis

of _o£. Let

15 E

Y[t]

be a monic irreducible

_polynomial

of

_degree

s and w E with

w - 15 _{mod p. Then the}

_equation

order

_o~-~p~

= _{o Jr + o Jrp + ... +} =

o£, where is a zero of w.

The

_following

lemma

_gives

a method to reduce elements of os modulo

.

Lemma 2.3.

_{Let £1 F}

be an

unramified

extensions with

integral

basis

and k E N. Then we have x E

q3 k

_if

and

_{only if}

xi E

pk

(1

i

s).

Proof.

Since 93

= _pos it follows that

fl3*’

=

pkoe

and the assertion is _an

easy consequence. 0

2.2. Arithmetic in unramified

_p-adic

extensions.

_Using

Lemmata 2.2

and 2.3 we are able to

_{generate p-adic extensions,}

such that their

_equation

orders are maximal. Now we

explain

how to

_compute

the sum and the

product

of

_p-adic

numbers. This will be done in the same _way as the

arithmetic in

_algebraic

number fields. In the

_following

let x =

Ei=O

Xipi

and y =

Es-1

yip’

be elements of _os

(xi, y2

_{E of}

(0

i

s)).

Then _we

have:

The

_product

of x

_{and y}

can be

easily

described via

polynomial

operations.

that _xy = We have _to solve the

problem

_to find _a basis

repre-sentation of _xy. We define

_P~y

:= mod w. Since

w(p)

= 0 it follows

that

_Pxy(p)

_{= xy} and

_deg(Pxy)

s. From

.

We note that we need no divisions to reduce the

_product

modulo w since

w is monic. We

need s2

_{multiplications}

and additions in OF to

compute

and

_{s (s - 1)}

_{multiplications}

and additions in OF to reduce the result modulo w. This leads to the

_following

lemma.

Lemma 2.4. The sum

_of

two numbers _{x, y} E oE can be

_computed

_{using s}

additions in OF. The

product of

two numbers _{x, y} E oE can be

computed

using 2s2 -

s

multiplications

and additions in _OF.

We remark that it is

_possible

to divide two numbers _{x, y E oE} in an

analogue

way to the number field case.

Now we

explain

how to reduce a

_p-adic

number modulo

p~,

where _p is

an odd

_prime

and k E N. Let

k-1

Then we define x mod

pk

as

E

zip2,

which can be

interpreted

as an

integer

i=o

in

{ ~, ... ,

Since we need

frequently

to embed small

_(negative)

integers

into the

_p-adic

_field,

we chose the

_symmetric

residue _system. In our

applications

this

_{yields usually}

smaller

_{representatives.}

_Using

Lemma 2.3

we are able to reduce

_arbitrary

_p-adic

numbers modulo

_prime

ideal _powers. 2.3. Hensel

_lifting.

Let

_f

E

_Z[t]

be a monic irreducible

polynomial

and

p t disc( f )

be a

_prime.

Let

_f

be the

_image

of

_f

under the canonical

embedding

from

_Z[t]

to

_{Zp[t] .}

Our aim is to

_{factorize f}

over an unramified

extension Since

_f

mod _p has no

_multiple

factors we know that

_f

has no

multiple

factors in

,~’~t~.

The factorization can be done _up to an

arbitrary p-adic

precision

using

the

_following

lemma. Lemma 2.5.

_(Hensel

_lemma)

Let R be a commutative

_ring

with 1 and b an ideal

_{of R.}

Let

_f,

and

f2,o

be

_monic,

non-constant

_polynomials

with the

_following

_properties:

1.

_f

--_

_fl,o.f2,o

mod

b [t]

2. There exist

_{R[t], i}

=

l, 2, ao,o E

with

_al,ofl,o

+ =

1 + ao,o .

Then

_for

_every k E N there exist

_polynomials

_fl,k,

and _ao,k E

R[t]

with

_fj,k

monic and

_{non-constant,}

and

_(i

=

1, 2)

and

_it]

such that the

_following

conditions hold:

1.

_{f -}

_{f l,xfz,k}

mod

_[t]

2.

_fi,x

m

_fi,o

mod

3. +

_a2,kf2,k

= 1 ₊

ao , k.

A

_proof

can be found in e.g.

[18].

In our

examples

the ideal b is

always

a

_prime

ideal and a finite field. Therefore we can

_compute

the ai,o

using

the extended Euclidean

_algorithm

for

_polynomials

over finite fields.

An

_algorithm

to

_compute

the Hensel

_lifting

can be found in

[4, 18].

These

_algorithms

are

only

formulated for two factors.

_Using

induction this can be extended to more factors. This will be demonstrated

_by

the

following

example.

Example

2.6. Let

_{f - flf2f3 mod p. Define}

_fi,2

:=

flf2

and

deter-mine the

_{following factorization}

_using

Hensel’s lemma:

_{f -}

_fl,2f3

_{MO dp k}

Now compute

_fi,2

=

11 12

mod

pk.

_Combining

these results we

_get

_f

-mod

_pk.

Now we are able to

_give

a first method to factorize a

polynomial f

E

over an extension 7 modulo

pk:

1. Factorize

_f

_{f, ... fr}

_{mod p.}

2.

_{Compute f m 11 ... fr}

mod

_{~k using}

Hensel

_lifting.

The

_disadvantage

of this method is that all

_computations

are carried out in

7.

_Assuming

the

_degree

of

_0/Qp

is

_10,

we need 190

_{multiplications}

in

_Zp

to

_multiply

two elements of oT. We

improve

this

_{approach by computing}

some factorizations over smaller fields. This will be demonstrated in the

following procedure:

1. Factorize

_{f - 11 ... fs}

mod _p.

2.

_{Compute f *}

_{fi ...}

_{fs mod pk using}

Hensel

_lifting

in

_Zp[t].

3. For i =

1, ... ,

_s do:

(a)

Factorize h

=

_{fi,l ~ ~ ~ fi,ri}

_{mod p.}

(b)

Compute fi

m fj,i ... h,ri

mod

_p*’

_using

Hensel

_lifting

in 4. Combine the results:

_f

=

/i,i -’ -

mod

_pk.

We demonstrate this

_by

the

_following

_example:

Example

2.7. Let

_{f (t)}

= t12

+ tll -

40t9

+

180t$

+

426t7

+

89t6

-444t5 -

75t3

+

27t2

+ llt + l. We want to

_{factorize f over}

an

un-rdmified

extension

_7/Q3

_of

_{degree 3}

modulo

_p2.

In a

first

_step

we

_compute

In a second

_step

we

_compute

the Hensel

_{lifting of}

each

factor

in modulo

p2,

where F is

_{generated by}

a zero _p

of

v(t)

=

t3-t+1.

We _use the notation

[a,

b,

c]

for

a +

_bp

+

cp2

and

_get:

.

We have factorized a

_polynomial

of

_degree

12 but we have

applied

the

Hensel

_lifting

over 7

_only

for

_polynomials

of

_degree

3. An

_important

fact

was that it was

_{easily possible}

to embed

_Zp

in _{o x.}

_Suppose

we have a

poly-nomial of

_degree

4 over

Zp

and we want to factorize it over an unramified

extension £ of

_degree

4. Since the

_unique

extension £ is

_cyclic

over

_{Qp ,}

_f

factorizes in four linear factors over E. We know that E has a subfield F

of

_degree

2. We know that

_{f splits}

over _{o x} into two

_quadratic

factors. A natural idea is first to factorize

_f

over _{o Jr} and then to factorize the factors

over _o£. If we want to do this we have to solve the

_problem

in which _way

we can embed the elements of _{o Jr in o£.} It suffices to

_give

an

_image

of all

elements of a basis of

Instead of

_{simple p-adic}

extensions of

_~p

we rather consider towers of

extensions.

_Doing

this we can embed

trivially

the elements of o z in o£.

Definition 2.8. Let _{p E}

_{P, n}

=

pr with pi E P and

_p2

_...

pT. We call an extension 0 = over

Qp

=

Fo

successively generated, if

= where _Ti is a zero

_of

an irreducible and monic

polynomial

vi E

_[t]

of degree

pi

(1 ~

i

r).

We denote the

prime

ideals in

with

_ _

The

_following

lemma follows

_immediately.

Lemma 2.9. Let _p E P and

_{Tr/Qp be}

_{successively generated.}

Then there

is a canonical

_{embedding from}

to _oyi

₍₁

i

_r).

Now we

_give

the whole

_algorithm.

Algorithm

2.10.

_{(Hensel lifting)}

Input:

p E

_f

E

_Zp[t],

_{successively generated.}

Output:

Factorization

_{of f}

in

_[t]

modulo

_{pT .}

Step

l:

_Compute

the

_{factorization of f}

=

_{fo,l ~ ~ ~}

_10,80

mod

pk.

Step

2: For i =

1, ... ,

r do

1.

_Compute

the

_{factorizations of}

_fi-,,j

in mod

_p

₍₁

2.4. The

_generalized

Newton

_lifting.

Let F be an

_algebraic

number

field and R an order in F. The

special

case F

= Q

and R = Z is

possible.

Let

_{f, g}

E

_R[t]

be irreducible

_polynomials

of

_degree

n _resp. m. A zero a of

f

generates the number field E =

F(a).

Furthermore we know a modulo

p-approximation

00 E

R of a zero of _g, that means 0 mod

_pR.

In the

_following

we use the notation mod

pk

instead of mod

pkR.

We

denote with

_{1 ( f)}

the

_principal

ideal in R

_{generated by}

_{disc( f ).}

We choose

a

_prime

_p such that

gcd(pR,

a( f )c~(g))

= R.

Using

the extended Euclidean

algorithm

we can

_compute

an element wo e _oE such that

wog’(00)

= 1

mod p

holds. In the

_following

we construct elements with the

fol-lowing

properties:

We use the

following

double iteration:

The correctness can be

_easily

verified

[10].

We remark that it is

_possible

to

solve our

problem using

the

following

iteration:

The

_disadvantage

of this

_approach

is that divisions are much more

com-plicated

to

_compute.

If we

analyze

the double iteration we notice that the

evaluations and are the most

_expensive

_steps.

_Using

_Horner’s

scheme we need

_{(m - 1)}

₊

_{(m - 2)}

= 2m - 3

multiplications

of

algebraic

numbers of

_{degree n}

where m =

deg(g).

We need

2n2 - n

multiplications

in R to

_multiply

two numbers in E. Therefore we need

(2m -

3) (2n2 -

_n)

multiplications

in R to

_compute

their evaluations.

It is better to first

_compute

_1,

_{~~, ... ,}

_/3"k

which can be done

_using

m -1

multiplications

in E. After this we need m +

_{(m - 1)}

multiplications

of elements of F with elements of E to

compute

the evaluations.

_Altogether

we need

(m -

1) (2n2 - n)

+

_{n(2m - 1)}

=

(2m -

2)n2

_{+ mn}

multiplications

have not looked at the size of the coefficients. Practical

_experience

shows that the second

_approach

is about

50%

faster than the first one.

Algorithm

2.11.

_{(Newton lifting)}

Step

4: Print

_,Q~

and terminate.

In the

_following

we

give

a variant of this

algorithm.

In our

application

of the Newton

_lifting

we want to find an element

_,~

E E with = 0. We

know estimates for the numerators and denominators of the coefficients of

0.

In this case the

following

lemma is _very useful.

Lemma 2.12. Let such that

_{(U, M)}

= 1 and

suppose that there exists a

_pair

of

_integers

(C,

D)

such that C - DU

(mod

M)

with D &#x3E; 0 and D

_M/2.

Then the

_pair

is

_uniquely

determined and there exists an

efficient algorithm to

_compute

it.

The

_proof

and the

_algorithm

can be found in

[5].

We remark that

alge-braic numbers are reconstructed

_{by applying}

the lemma to all coefficients. If we know estimations for the numerators and denominators we are able

to

_compute

_{3

from Since the a

_priori

estimates we use are

_usually

not

sharp,

we want to use a smaller k in the Newton

lifting

_process to

_compute

{3.

One idea is to

_compute

an

element 0 from flk using

Lemma 2.12. Now it can be checked if

g(,(3)

= 0.

Unfortunately

it turns out that an evaluation

with a

_{"wrong" {3}

is _very

_expensive.

Therefore we need a

_good

test which

is

_likely

to detect

₍₃

=

~3 at

an

_early

_stage.

This is used in the

_following

algorithm.

3. BLOCKS OF IMPRIMITIVITY

In this section we

_develop

some

_properties

about blocks of

_{imprimitivity.}

We recall a

correspondence

between blocks and

subfields,

which is very

useful for the

_computation.

In the

_following

let

_f

E

_Z[t]

be an irreducible

monic

_polynomial

with roots

_{a

=

aI, ... , in a suitable extension. The

Galois _group G =

Gal( f )

_operates

transitively

on S2 :=

{al, ... ,

3.1. Introduction.

Definition 3.1.

_(Blocks

of

_{imprimitivity)}

1.

0

~

A C S2 is called block

_{(of imprimitivity),}

_if

A- fl 0 E

_{{0, Al}

_for

aIlTEG.

2. A =

(1 ~

i

n)

and A = S2 _are called trivial blocks. G is called

imprimitive

if

there exists a non-trivial block. Otherwise G is called

primitive.

3. Blocks

_{~1,... ,}

_Am

with

_{Ai =,4}

i

_j

_m)

are called a

(complete)

block

_system,

_if

the set remains invariant under G.

If A is a block _{it is easy} to see that A’ is a

_block,

too. It follows that each block is contained in

_exactly

one block

_system.

The number of elements in a block or the number of elements of a block of a block

_system

is called the size of a block or a block

_system.

The

_proof

of the

_following

theorem can be found in

[20,

Theorem

2.3].

Combined with the main theorem of Galois

_theory

we

_get

a

correspondence

Theorem 3.2. The

_{correspondence A}

H

_GA

:=

(T

E

_{G ~ I}

~ 7 =

Al

is a

bijection

between the set

_of

blocks which contain ce and the set

of subgroups

of

G

_containing

the

_isotropy

_subgroup

_Ga

_of

a.

The

_{following diagram}

illustrates our situation:

We have a

bijection

between subfields L of E and blocks A which contain cx. In this case we _say that L

_corresponds

to A. The

_proof

of the

_following

lemma can be found in

[20].

Lemma 3.3. Let

_Bl

and

B2

two blocks which contain a with

_{corresponding}

subfields

L1

and

_L2

_of

E. Then B :=

Bl

fl

B2

is a block which contains a.

It

_corresponds

to a

subfield

L =

LlL2

of

E. Furthermore

Ll

is a

_subfield

of

L2

if

and

_{only if}

_B2

C

_Bl.

This lemma is very useful if some subfields are

_already

known. This will

be discussed later.

Suppose

that we know a

complete

block

_system

O1, ... ,

which

cor-responds

to a subfield L. From H := we

_get

L =

Fix(H).

Define

Therefore we

_get

61

E

_Fix(H)

= L. Furthermore

the 6j

(1

i

m)

_are all

is the characteristic

_polynomial

of

₆₁

E L over

_Q.

This

_polynomial

is of the form

_g(t)

_{with j}

E

_{N and §}

irreducible. In the case

that g

is irreducible we have found a

_primitive

element of L. Otherwise the

_{polynomial g}

has

multiple

roots which can be

easily

checked. In this case we make a linear

transformation

_{f (t)}

t-

f (t - a)

with a E Z and

_compute

a new _g. Later we

will _prove that at most n substitutions leads to

_multiple

roots for _g.

3.2. The Dedekind criterion. We have reduced the

_problem

of

com-puting

subfields to the

_problem

of

_computing

block

_systems

of the Galois

group of G. This reduction is

only

theoretical since the Galois group

com-putation

is a _very difficult

_problem

for

_{higher degrees.}

We want to use the

knowledge

of

_{cyclic subgroups}

of the Galois group which we

_get

from the

following

theorem.

Theorem 3.4.

_{(Dedekind Criterion)}

Let R be a

_{UFD, p}

a

prime

ideal in

R,

R :=

R/p

its residue class

ring,

f

E

_R[t]

and

_f

E

R[t]

with

_{f -}

_f

_{mod p.}

_If

_f

is

_square-free,

it

_follows

that G =

_{Gal( f )}

is

_isomorphic

to a

subgroup of

G =

Gal(f).

The Dedekind criterion allows us to determine

_{cyclic subgroups}

of G which are

generated by

a

_permutation

7r E G. Let 7r = be the

decomposition

of 7r into

disjoint

cycles and ni

=

11ril

the number of _zeros

permuted by

~ri

(1 ~

i

u).

We say that 7r is of

cycle

_type

[7~1,... , nuls

and

w.l.o.g.

we can assume

_...

_nu. In our situation we choose a

_prime

p t

disc( f )

to obtain a _congruence factorization

f - fl - ... fu mod

pZ [t].

It follows that n2

(i

=

_{1, ... ,}

u)

coincides with the

degree

of the

polynomial

fi.

The

_cycles

~ri

permute

the roots of

fi.

Example

3.5. Let

_{f (t)}

= t4

+ 2 be a

_generating

podynomial of

K and

Let p denote the modulus. In the

first

case _p divides the discriminant

and the Dedekind criterion is

_of

no use. In the other cases we

_get

cycles of

cycle

type

~1, 1, 2~, [4]

and

_{~2, 2~.}

In all

_of

these cases the roots can

_only

be

identified

modulo _p in a suitable

finite field.

3.3. Potential block

_systems.

In the

_algorithm

we are

_trying

to

enu-merate all block

_systems

without

_knowing

the Galois group G. So we

enumerate a

larger

set of

_potential

block

_systems

that can be defined with

the

_knowledge

of a

cyclic

subgroup

of G. This

subgroup

can be obtained

Fix an

arbitrary

7r E G. Let 1f = _{1fl ...} be the

decomposition

of 1f into

disjoint cycles

of

_length

_l1fil

= _ni

(1

i

u).

Definition 3.6. A subset A C 52 with d elements is called

_potential

block

of

size

_d,

_if

A1rj

fl A E

_for

_{1 j ~}

_1(1f)I.

A

_system

_{AI,... Am of}

potential

blocks

_of

size d is called

_potential

block

_system

_of

size

_{d, if}

Remark 3.7. The

_{definitions potential}

block and

_potential

block

_system

depend

on 7r. A block is

always

a

potential

block and a block

_system

is

always

a

_potential

block

_system.

Our

_goal

is to determine all

_potential

block

_systems

_(for

one

7r).

In the

following

we

_give

some useful

properties

of

potential

block

_systems.

We _say

that a

_cycle

_7ri contains an element cx if this element is not fixed under this

cycle

or _7ri =

(a) .

Theorem 3.8. Let A be a

_potential

block

_{corresponding}

to 7r and k be the

smallest

_positive

_integer

such that

A11"k

= A.

If

_a

cycle

7rl

of length

nl

contains an element

_{of A,}

then k divides _nl and _7rl contains

exactly

elements

_{of A.}

Proof.

Since A is a

potential

block it follows that there exists a k with

A 11"J

n A

= 0

for 1

_j

1~ and

A 11" k

= A.

Suppose

that cx is contained in A and _7rl. It follows that all elements of the

form

a1rck

_(c

E

_N)

are contained in A and _7rl. From

a11"nz

= a we see that k

divides nl. Furthermore 7rl contains

exactly )

elements of A. D

Definition 3.9. The number k

_from

theorem 3.8 is called inertia

_{degree of}

the

_potential

block.

Theorem 3.10. Let

_{AI, ... ,}

_Am

be a

_potential

block

_system

_{corresponding}

to 7r

of

inertia

degrees I~1, ...

km.

If

Ai

and

Aj

contain an element

of

the same

_cycle,

_{it follows}

_{that ki}

=

kj.

In this case

Ai

contains an element

_of

the

_cycle

~-t

if

and

_{only if}

_Aj

contains an element

of

the same

cycle.

Proof.

There exists a minimal number c E N such that

_Aic

n

0.

From

the definition of a

_potential

block

_system

it follows that

AYc

-

Aj.

The

assertion follows

_immediately.

D

Definition 3.11. Let

_{A1, ... ,}

_Am

be a

(potential)

block

_system

_{of inertia}

degrees

1~ W ~ ...

. We call

A 2 ~ A" i &#x3E; ...

a

(potential)

block cluster

¿From

theorem 3.10 we

_get

that all blocks of a

(potential)

block cluster

have the same inertia

_degree.

The

_preceding

two theorems are _very

important

for the construction of

potential

block

_systems.

We will construct

_systems

of subsets

_{A1, ... ,}

C S2 of size d and

_{corresponding}

inertia

_degrees

_{I~~ , ...}

with the

_following

properties:

1.

2. If

_Ai

contains elements of a

cycle

_7rl, then

Ai

contains

exactly ni

elements of this

_cycle.

- J v . v i

5. All

_{potential blocks}

of a

potential

block cluster are contained in

A~, ... , ,Am,

that means

Aij

e

_{{~4.i,... ?}

_{(0 ~j}

A

_system

of subsets

_{AI, ... ,}

_Am

is a

potential

block

_system

if and

only

if it has the above

_properties.

These

_properties

are sufficient to

_give

an

efhcient

_algorithm

to

_compute

all

_potential

block

_systems

and therefore all block

_systems.

To

_compute

the minimal

_polynomial

_g of a

_primitive

element of a subfield

L we need a method to

_compute

the zeros which are contained in a

_potential

block. Let _p E P with

_{p f}

_{disc( f )}

and

_f

E

_{IFp [t]}

be the

_image

of

_f

under the canonical

_mapping

from Z to

_Fp.

We denote the zeros of

f

in a suitable extension

_Fq

of

_Fp

with

_{aI, ... ,}

_an. Furthermore let

_{f =}

E

_Fp

_[t]

be a

_complete

factorization.

_Suppose

that 7r = is

computed

using

Dedekind’s criterion 3.4. We know that ~r2

permutes

the zeros of

f¿.

Let

_{A1, ... ,}

_Ak

be a

_potential

block cluster of inertia

_degree

1~.

_W.I.o.g.

we assume that it contains the zeros of _{TTi,... ,} that means the

potential

blocks contain the zeros of

11, ... , Iv.

Let

Then permutes the zeros of

(1 j G k,

1 i v).

Therefore

all these zeros are contained in one

_potential

block. We want to

_compute

equation

(9).

Therefore we are

only

interested in the

product

of the zeros

of which is

_equal

to That means that there is no reason to factor

_{f over}

a

_larger

finite field.

Definition 3.12.

_(Polynomial

_{representation}

of

_potential

blocks and block

systems)

Let A be a set

_{of polynorraials.}

We _say that A is a

_Potential

block in

polynomial

representation

if

the set

_of

zeros

of

the

polynomials

in A is a

potential

block. We _say that a

potential

block

_system

is

given

in

polynomial

A

_potential

block cluster is

_given

in

_polynomial

_{representation}

_if

all its blocks

are

_given

in

_polynorrzial

_{representation.}

The

_polynomials

of a

polynomial

representation

are not

necessarily

lin-ear. Now we can formulate our

_algorithm

to

_compute

_potential

block

sys-tems.

Algorithm

3.13.

_{(ComputePotentialBlockSystems)}

Input:

Generating polynomial f of E,

the block size d and a

_prime

-

p ~

disc( f ).

Output:

A list

_of

all

_potential

block

_systems

_of

size d in

_polynomial

rep-resentation.

Step

1:

_Compute

_{f (t)}

mod

Step

2: Set Z :=

{!1,...

and call

ComputeBlockCluster(Z,

d,

0).

Algorithm

3.14.

_{(ComputeBlockCluster)}

Input:

A set Z

_consisting

_of

r irreducible

polynomials fi

in

Fp[t],

a

-

block size d E N‘ and a set Y

consisting

of already

computed

block clusters in

_polynomial

_{representation.}

Output:

A list

_{of potential}

block

_systems

_of

size d in

_polynomial

repre-sentation.

Step

1: Set k := 1

and ni

:=

deg(fi) (1

i

r).

Step

2: Determine all B C

_{{2,... , r}}

_{(including 0)}

with dk - nl =

EBEB nb

and k

_for

all b E B.

Step

3: For all

_computed

B do:

1.

2. Set Y := Y U

_{Z’}.

3.

_{If Z = Z’,}

call

_{PrintBlockSystem(Y’, d);}

otherwise call

_{ComputeBlockCluster(Z B}

_Z’,

_d,

_Y).

4.

Set Y := Y B {Z’}.

Step

4:

_Terrraanate,

_{if k}

= _nl. Otherwise set k :=

minfl

E

k and _go to

_Step

2.

Algorithm

3.15.

_{(PrintBlockSystem)}

Input:

A set Y

_consisting

_of

r sets

Yi

of

block clusters in

polynomial

representation

and a block size d.

Output:

A list

_of

all

_potential

block

_systems

in

_polynomial

_{representation}

The above

_algorithm

_computes

all

_potential

block

_systems

_~4.i,...

_Am.

Each

_Ai

contains irreducible

_polynomials

which are

_given

over an

ex-tension of

_{IFp .}

The block consists

_exactly

of the zeros of these

_polynomials.

We have remarked that we are

only

interested in the

product

of the zeros.

It is

_possible

that

_polynomials

in different blocks are

given

over different

extension

fields,

but in a block cluster all

_polynomials

are

_given

over the same extension field. Let

A1, ... , Ak

be a block cluster. Then we have

(compare

(10)):

1

3.4. The intersection of block

_systems.

For the

_computation

of po-tential block

_systems

we have used the

_knowledge

of a 7r E G. If we do not

find a

_"good"

_7r, we have to consider a lot of

potential

block

_systems

which are not block

_systems.

We have seen in Lemma 3.3 that the intersection of two blocks is a block.

We want to use this in two ways.

Firstly

we are able to

_compute

new block

systems

from

_existing

ones.

_Secondly

we want to reduce the number of

potential

block

_systems

to consider. That means, we need one

(or more)

criteria to

_{distinguish "wrong"}

_potential

block

_systems

from block

_systems.

Definition 3.16. The intersection

_of

two

_(potential)

block

_systems

A 1, - - - ,

and

,~ 1, ...

_{im are}

the

_(potential)

blocks which are contained in the set

_fAi

₁

i _m,

_{1 j}

_{0}.

Lemma 3.17. The intersection

_of

two block

_systems

_{~1, ... , Am}

and

O1, ... , Am

is a block

_system

_of

size c E N. The intersection

_of

two blocks

Ai

and

_0~

is the

_empty

set or contains c el ements

(1 ~

i

m, 1 j

m) .

Proof.

The assertion follows from the fact that a block is contained in

exactly

one block

_system.

D

In the

_following

let

_{O1, ... , Am}

be a block

_system

and

A1, ... ,

Ar

a

potential

block

_system.

_W.l.o.g.

we assume that cx

fl A1

and c =

In the

_sequel

we will

_give

some more _necessary conditions for

potential

block

_systems

to be block

_systems.

We will use this to reduce

the number of

_wrongly

_computed

_{generating polynomials}

and

_embeddings.

The

_following

lemma is an immediate _consequence of the last lemma. Lemma 3.18. Let M

₁

1 i

_{m, 1}

_j

_{r~ ~ {0}.}

_If

M contains an element

of

size not

equal

_c, it

follows

that

AI,... , Ar

is not a

block

_system.

Definition 3.19. The number c

_of

the last lemma is called intersection

number.

_If

there is an element

of

size not

_equal

to c in

M,

the intersection

number is

_defined

to be 0. The intersection number

_of

a

potential

block

cluster is

_defined

in an

_analogues

_way.

Let us consider the intersection

O1, ... ,

of two block

_systems

Ai , ... ,

Am

and

~,1, ... , Om.

We know that the intersection is a block

system,

too. Let

_{Al, ... ,}

_Ar

be a

potential

block

_system.

We want to

test if

_{~4i,... ,}

_Ar,.t

can be a block

_system.

A natural

_question

to ask if it

is necessary to intersect

_{AI,... , Am}

with all known block

_systems

to

_get

maximal information.

Example

3.20. To

_simplify

we consider

only

the indices

of

the zeros.

Let Q

_{- 1, ... ,12}.}

_Suppose

we know two block

systems ( 1 ,

2, 7,

8},

~3,

4,

9, 10}, ~5, 6, 11, 12}

and

_{I,

_{2, 3, 4, 5,}

_{6}, {7,}

_8,

_{9, 10, 11, 12}.}

The

inter-section

_of

these block

_systems

is

_{{I, 2,}, ~3, 4}, {5, 6}, {7, 8}, {9, 10},}

_{{II, 12}.}

We consider the

_potential

block

_system

_{f 1,}

_2,

_{3,10,11, 12},}

_{4,

_{5, 6, 7, 8,}

_91.

Looking

at the intersection with the

_first

two block

_systems

we

_get

no

contra-diction. But we

have ~ 1, 2, 3,10,11,12~ n {1,2} == {1,2} a~ {1,2,3,10,11,

12}

n

_{{3,4} = {3}.}

_{This proves} that

_{A1, ... ,}

Ar

is not a

_potential

block

sys-tem.

This

_example

shows that it is useful to consider all known block

_systems.

With this method we can decide for most

_potential

block

_systems

that

they

are not block

_systems.

We summarize what we have done _up to now.

Let

_{L1, ... ,}

_L~,

be the known subfields and B be a set of

_potential

block

systems.

1.

_Compute

the set S’

_containing

the block

_systems

_{corresponding}

to

2.

_Compute

the intersection of all block

_systems

in S and add the

non-trivial ones to S.

3. Set T

:= 0

and for all

_potential

block

_systems

_{Å1, ... , Am}

contained in B do:

(a)

Intersect

_{A1, ... ,}

_Am

with each block

_system

from S’ and

_apply

Lemma 3.18.

(b)

If

_{AI, ... ,}

_Am

_passes all

_tests,

then add it to T.

4. Print T.

The block

_systems

which are

computed

in

_steps

1 and 2 are known in

most cases. Now we

_give

a method how to

_compute

a block

_system

if we

know a subfield and the zeros of

f

in some

representation.

This

algorithm

is useful if some subfields are known or if we want to

_change

the

_prime

_p. The

_following

lemma can be

easily proved.

Lemma 3.21. Let _{al, ... ,} on be the zeros

of f and ~31, ... , {3m

be the zeros

of

g

given

in the same

completion. If

are

_pairwise

distinct,

then

~1,...

Am

with

is the

_{corresponding}

block

_system.

The intersection method allows us

easily

to detect many

potential

block

systems

which are not block

_systems.

In the

_following

we

_give

conditions to

exclude a lot of block

_systems

with one intersection. If we look at

algorithm

3.15 we see that

_potential

block

_systems

consist of r

_potential

block clusters.

We want to

_give

conditions that a

potential

block cluster cannot be a

_part

of a block

_system.

We denote the inertia

degrees

of the block clusters with

J~1, ... ,

k.

If we

_analyze

_algorithm

3.15 we see that each block cluster

consists

_{of si}

modulo _p factors of

_{f . Suppose}

_{that Tl}

_{(1 i r)}

is a set of all constructed block clusters. In the last

_step

of the

_algorithm

all

_potential

block

_systems

are constructed in the

_following

way:

We have used the

_{notation vi}

for

_~z,i?.’.

₍₁

i

_r).

The number of elements of

v

only

depend

on ki

and si. We

get:

The

_algorithm

_generates

_I

_potential

block

_systems.

_Suppose

we are able to show that a

potential

block cluster vl E

_Vl

cannot be

_part

of

a block

_system.

In this case we have decreased the number of

_{possibilities}

by

~Y2 ~ ’ ’ ’ ~ Vr ~.

Furthermore we

only

combine block clusters with the same

intersection number

_(Definition

_3.19).

We want to use all known block

systems

to

_get

maximal information. We denote with

_{(ci, ... ,}

_cw)t

the intersection numbers of a

_potential

block cluster with tb block

_systems,

Algorithm

3.22.

_{(Intersection algorithm)}

defined

in the above text. w known block

_systems.

Set

_{of potential}

block

_systems,

such that there is no contradic-tion with the known block

_systems.

(a)

Set

_Wi,j

to the intersection number

_of

_vi,j with the known block

_systems.

(b)

If

one

of

the

_components

of

_Wi,j

equals

0,

set

Vi

:=

Compute

all

_potential

block

_systems

_{Vl,j1 , ... , vr,jr with}

_{W1,j1 =}

... =

W,,j,

and _vi,ji E

v

(1

i

_r)

and

_print

the

_computed

ones.

Terminate the

_algorithm.

4. THE COMPUTATION OF GENERATING POLYNOMIALS

We call a minimal

_polynomial

of a

_primitive

element of an extension a

generating polynomial.

As in the last sections let E =

Q(a),

f

be the minimal

_polynomial

of _cx, and

_{c~

= _{al, ... ,} be the roots of

f .

The

Galois _group G

_operates

_transitively

on the roots of

_{f .}

In the last section

we have seen how to

_compute

_potential

block

_systems

_{corresponding}

to

a

_permutation

7r. In this section we will

_explain

how to

_get

_generating

polynomials

from a block

_system.

As a

byproduct,

we

_get

more _necessary

conditions for

_potential

block

_systems

to be block

_systems.

_{Nevertheless,}

we will not

_get

sufficient conditions.

_Wrong

_systems

_remaining

after this

step

will

_finally

be removed in the

_concluding

_step,

the

_computation

of the

embedding.

Let Ai, ... ,

Am

be a block

_system

_consisting

of zeros of

f ,

where the zeros of

_Aj

are in the

_splitting

field N of E. Furthermore let

_q3

be an

arbitrary

prime

ideal of _oN

_lying

over _p. We denote with E =

Nq3

the

p-adic completion.

Let (D be the canonical

_embedding

from N to E. Now let

_f

and

_{al , ... ,}

be the zeros

of f

in

E,

where 4P (ai)

=

a2 .

Letting

Aj

( 1 i m)

we define:

Theorem 4.1. Let

_{O1, ... ,}

be a block

_system

_{and 9 and 9}

as

_defined

in

₍₁₁₎

and

_(12),

then

_{= g.}

Supposing

that

_{O1, ... ,}

is

_only

a

potential

block

_system

correspond-ing

to 1r we still

_{get 9}

E

_{Zp[t] ,}

where p

corresponds

to 1r. We remark that we

have no method to

compute $ explicitly.

We know that for each extension

there exists a

unique

unramified p-adic

extension

£ /Qp

such that the

residue class field

_equals

_IF9.

In the last section we have

developed

an

algo-rithm to

_compute

_potential

block

_systems

_{Ai , ... ,}

_Am.

We have identified the zeros _resp.

the b2

in a suitable finite field.

Using

the

p-adic

methods

presented

in section 2 it is

_possible

to

_compute

these values modulo

_pk.

The

_following

lemma is an immediate _consequence.

Lemma 4.2. Let

_{g, g}

E £

_{(1 ~ i ~ m)}

be as

defined

in

(11)

and

(12).

Furthermore be the maximal ideal

_of

o£.

SuPposing

8i

= 8

mod

_pk

_{(1 ~}

_i

_m)

and

_{g(t) =}

8i)

we

modpk.

Thus we

have 9 ==

₉ mod

pk.

Let M be a bound for the size of the coefficients

of 9

and _suppose

p*’

&#x3E; 2M. Then it follows that choose the

_symmetrical

residue

_system

{ 2

... , for the coefficients of

g.

The

following

lemma

gives

us an estimation for M. It is an immediate _consequence of

[4,

Lemma

3.5.2].

Lemma 4.3. Let

_{g(t) _}

_defined

as in

(12).

We

_get:

¿From

the construction of _g we know that = 1 and

bo

= ~ f (0).

Supposing

the

_knowledge

of an _upper bound for B it is _easy to

_compute

an _upper bound for the absolute size of the coefficients of _g. One _way is to

compute

approximations

of the roots of

_f

in C to derive a bound B. If we

do not want to

_compute

the zeros of

f

in C we can use an estimation of

Mignotte

[16,

Theorem

_1].

Lemma 4.4. Let

_{f (t)}

we have:

It remains to discuss the case when _{g is} not

_{irreducible, i.e. g}

has

_multiple

roots. As remarked

_above,

we use linear transforms on

f :

/(~)~2013/(~+a).

The next lemma shows that this

_procedure

will

_yield

irreducible

polynomi-als _g.

Lemma 4.5. There are at most n linear substitutions to

_f

such that the constructed

_polynomial

_g

₍₁₂₎

has

_multiple

roots.

Proof.

For 1 i m we define:

These

_polynomials

are

_pairwise

distinct since

they

have different zeros. All

polynomials

have

_degree

d. This means that at most d evaluations of two

polynomials

can coincide. If

the b2

in

(12)

are not

_{pairwise distinct,}

then

each 6j

is a

multiple

root

_{since g}

is a characteristic

polynomial.

There-fore there are at most

_{d(m - 1)}

= n - d evaluations values a E Z such that

_Di(a)

for 2 i m. If we choose another a E Z for the transformation we

_get

that

all 6j

are

_pairwise

distinct. D This lemma remains valid if the

_ground

field is a finite field. We need

the additional

_assumption

that the finite field contains

_enough

elements. The

_following

lemma is an immediate _consequence.

Lemma 4.6. Let _p &#x3E; n and _suppose that

p f

disc(f).

Then there are at most n linear substitutions

for f

such that _p

disc(g).

For our

embedding algorithm

it is

_important

to have

_{p t disc(g).}

There-fore we choose

_primes

_p &#x3E; n in our

_algorithm.

Now we

_give

an

algorithm

to

_compute

_generating

_polynomials

for the subfields

_{corresponding}

to a block

_system.

Algorithm

4.7.

_{(ComputeGeneratingPolynomial)}

Input:

A

_generating

_{polynomial f of}

a number

field

E. A

prime

_p &#x3E; n

-

and a

_Potential

block

_system

O1, ... ,

Am

in

polynomial

repre-sentation.

Output:

A

_generating

_polynomial

_g

_of

a

potential subfield L,

or the mes-sage, that

Ai,... ,

Am

is not a block

_system.

Step

1:

_Compute

the inertia

_degrees

_ki

₍₁

i

_m)

_of

the blocks

All

... ,

- _

Step

2: Set I :=

lcm(kl, ... , km).

Step

3:

_Compute

with Lemma

_4.3

a bound M

for

the absolute size

of

the

_{coefficients of}

_g.

Step

4: Factorize

_{f - fl ... fr}

mod

_pk

over an

_unramified

_p-adic

exten-sion

_of

_degree

I

_of

_Qp,

where

_pk

&#x3E; 2M.

Step

5: Set :=

I

1 i

_{r, it}

exists

a f

E

_Aj

with

Step

6: For i =

_{1, ... ,}

_m

_compute

the

product b2 of

the

zeros, which are

~

contained in

_Di.

Step

7:

_Compute

_Ji

_(modulo

_{p k).}

_If

the absolute value

_of

this sum

~

is

_larger

than

_M,

_{go to}

_step

12.

Step

8:

_Compute

_g(t)

:=

6i)

(modulo

pk).

Step

9:

If the

absolute value

_of

one

of

the

coefficients of

_{g is}

larger

than

~

M,

go to

step

12.

Step

10:

_{If g}

modulo _p has

_{multiple factors,}

set

_{f (t)}

:=

f (t

+

₁₎

_{and go}

to

_step

3.

Step

11:

_Compute

_{f (t) := f (t+ 1), bi}

_g(t)

b2)

and a bound

M

for

the

coefficients of

g. Test,

if

the absolute

size

_{of coefficients of g}

are smaller than

M.

In this case

_print

potential

generating

polynomial g

and terminate.

Step

12:

_Print,

that

_{O1, ... ,}

_{Am is}

not a block

_system

and terminate.

The correctness of the

_algorithm

follows from the above considerations. We remark that it is advisable to store a lot of values. The inertia

_degrees

of the

_potential

block

systems

are

already

known. The bound M in

_step

3

only depends

on

_f

and the

_degree

of the subfield.

The most critical

_part

of the

_algorithm

is the factorization of

_f

over an unramified

_p-adic

extension of

_degree

1. It is

_important

to

_compute

this factorization

_only

once and store the result for further use. An other

question

is how to choose k in

_step

4. Since we use

quadratic

lifting

it is

useful to choose k of the form

2k.

It is necessary to choose k in a _way that

p2 k&#x3E;

2M. But

_{practical experience}

shows that it is better to choose k such that

_{p*’ z}

M4

holds. The reason is that we have a better chance to detect

in

_step

7 or 9 that

O1, ... ,

Am

is not a block

_system.

We

_already

remarked

that it is

_possible

to detect a

"wrong"

block

_system

during

the

embedding

algorithm,

but it turns out that _{this is very}

_expensive.

To avoid this we

have inserted

_step

11 in the

_algorithm.

This is another necessary condition

which must hold if

_{A i,... ,}

_Am

is a block

_system.

We know no

_example

that passes all these tests but it is not a block

_system.

We use these tests

only

to

_get

better

_running

times. The results will be

_proved

if we

_compute

the

_embedding.

5. COMPUTATION OF THE EMBEDDING OF THE SUBFIELDS

In this section we

_give

an

algorithm

to

_compute

an

embedding

of the

computed potential

subfields L in the

_given

field E. As in the

_preceding

sections let E =

_Q(a),

_f

be the minimal

_polynomial

of _a, and

_{a

=

a1,... , be the roots of

f .

Furthermore let L =