Root finding over finite fields using Graeffe transforms

Root finding over finite fields using Graeffe transforms

Bruno Grenet LIRMM U. Montpellier

Joris van der Hoeven & Grégoire Lecerf CNRS – LIX

École polytechnique

Statement of the problem

Root finding over finite fields

Given f∈Fq[X], compute its roots, that is {α∈Fq:f(α) =0}.

• Building block for many algorithms in computer algebra: root finding over Z, factorization, sparse interpolation, …

• Applications in cryptography, error correcting codes, …

• Derandomization

• Sparse interpolation: bottleneck in practice

[van der Hoeven & Lecerf, 2014]

1/21

Statement of the problem

Root finding over finite fields

Given f∈Fq[X], compute its roots, that is {α∈Fq:f(α) =0}.

• Building block for many algorithms in computer algebra: root finding over Z, factorization, sparse interpolation, …

• Applications in cryptography, error correcting codes, …

• Derandomization

• Sparse interpolation: bottleneck in practice

[van der Hoeven & Lecerf, 2014]

A first algorithm

Theorem

The roots off∈Fq[X]can be computed in deterministic time poly(q,d), whered =deg(f).

• Algo: Test eachα∈Fq, sequentially.

B Input size (1+d)logq: exponential time!

• Randomization: expected time (1−_d+1¹ )q.

2/21

A first algorithm

Theorem

The roots off∈Fq[X]can be computed in deterministic time poly(q,d), whered =deg(f).

• Algo: Test eachα∈Fq, sequentially.

B Input size (1+d)logq: exponential time!

• Randomization: expected time (1−_d+1¹ )q.

A first algorithm

Theorem

The roots off∈Fq[X]can be computed in deterministic time poly(q,d), whered =deg(f).

• Algo: Test eachα∈Fq, sequentially.

B Input size (1+d)logq: exponential time!

• Randomization: expected time (1−_d+1¹ )q.

2/21

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

3/21

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

3/21

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

3/21

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

3/21

State of the art

• No deterministic polytime algorithm is known

• √

S(p−1)(dlogp)^O(1) under ERH [Shoup (1991a)]

• √p(dlogp)^O(1) unconditionally [Shoup (1991b)]

• Both require the factorization of(p−1)

• ERH useless if a primitive element is given

• Root finding ⇐⇒ primitive element [von zur Gathen (1987)]

• Randomized algorithm in expected time O(d˜ log²q)

[Legendre (1785), Berlekamp (1970), Rabin (1980)]

• Factorization algorithms ⇝no improvement for root finding

[Cantor-Zassenhaus (1981), Kaltofen-Shoup (1998), Kedlaya-Umans (2011)]

• Better complexity bounds when q−1 issmooth

[Moenck (1977), von zur Gathen (1987), Mignotte-Schnorr (1988), Rónyai (1989), Shoup (1992), Źrałek (2010), …]

Settings

Goal

Obtainfastalgorithms for polynomial root finding in finite fields.

• Deterministic, probabilistic, heuristic; in practice or in theory.

• Assumption: fis monic,separable,splits overFq,f(0)̸=0: f(X) =

∏d i=1

(X−α_i), α_i ∈Fq^∗, α_i̸=α_j (A)

(easy reduction: f←gcd(f,X^q−1−1))

• Extra input: A primitive elementζ of Fq^∗

• FFT finite field: Fp with p=M·2^m+1 and M=O(logp)

• Old algorithms revisited

• New technique based onGraeffe transforms

• Fast implementations

4/21

Settings

Goal

Obtainfastalgorithms for polynomial root finding in finite fields.

• Deterministic, probabilistic, heuristic; in practice or in theory.

• Assumption: fis monic,separable,splits overFq,f(0)̸=0:

f(X) =

∏d i=1

(X−α_i), α_i∈Fq^∗, α_i̸=α_j (A) (easy reduction: f←gcd(f,X^q−1−1))

• Extra input: A primitive elementζ of Fq^∗

• FFT finite field: Fp with p=M·2^m+1 and M=O(logp)

• Old algorithms revisited

• New technique based onGraeffe transforms

• Fast implementations

Settings

Goal

Obtainfastalgorithms for polynomial root finding in finite fields.

• Deterministic, probabilistic, heuristic; in practice or in theory.

• Assumption: fis monic,separable,splits overFq,f(0)̸=0:

f(X) =

∏d i=1

(X−α_i), α_i∈Fq^∗, α_i̸=α_j (A)

(easy reduction: f←gcd(f,X^q−1−1))

• Extra input: A primitive elementζ of Fq^∗

• FFT finite field: Fp with p=M·2^m+1 and M=O(logp)

• Old algorithms revisited

• New technique based onGraeffe transforms

• Fast implementations

4/21

Settings

Goal

Obtainfastalgorithms for polynomial root finding in finite fields.

• Deterministic, probabilistic, heuristic; in practice or in theory.

• Assumption: fis monic,separable,splits overFq,f(0)̸=0:

f(X) =

∏d i=1

(X−α_i), α_i∈Fq^∗, α_i̸=α_j (A)

(easy reduction: f←gcd(f,X^q−1−1))

• Extra input: A primitive elementζ of Fq^∗

• FFT finite field: Fp with p=M·2^m+1 and M=O(logp)

• Old algorithms revisited

Multiplicative structure of finite fields

F ₁₇ ^∗

1 9

13

15

16

8

4 2 2 3

10

5

11

14

7 12 6

3

4

2 is a primitive root of unity of order 8

4 is a primitive root of unity of order 4

3 is a primitive element of F₁₇^∗:

F17^∗ ={3ⁱ:0≤i<16} X^q−1−1= ∏

α∈Fq^∗

(X−α)

5/21

Multiplicative structure of finite fields

F ₁₇ ^∗

1 9

13

15

16

8

4 2 2 3

10

5

11

14

7 12 6

3

4

2 is a primitive root of unity of order 8

4 is a primitive root of unity of order 4

3 is a primitive element of F₁₇^∗:

F17^∗ ={3ⁱ:0≤i<16} X^q−1−1= ∏

α∈Fq^∗

(X−α)

Multiplicative structure of finite fields

F ₁₇ ^∗

1 9

13

15

16

8

4 2 2 3

10

5

11

14

7 12 6

3

4

2 is a primitive root of unity of order 8

4 is a primitive root of unity of order 4

3 is a primitive element of F₁₇^∗:

F17^∗ ={3ⁱ:0≤i<16}

X^q−1−1= ∏

α∈Fq^∗

(X−α)

5/21

Multiplicative structure of finite fields

F ₁₇ ^∗

1 9

13

15

16

8

4 2 2 3

10

5

11

14

7 12 6

3

4

2 is a primitive root of unity of order 8

4 is a primitive root of unity of order 4

3 is a primitive element of F₁₇^∗:

F17^∗ ={3ⁱ:0≤i<16} X^q−1−1= ∏

α∈Fq^∗

(X−α)

Old algorithms revisited

Goal

• Many known randomized algorithms

• for the general case

• for special cases such as smooth(q−1)

• Idea: Adapt these algorithms for FFT finite fields

• Algorithms:

• Rabin’s algorithm (general case)

• Mignotte-Schnorr’s algorithm (smooth case)

• Moenck’s algorithm (FFT finite fields)

Goal

• Many known randomized algorithms

• for the general case

• for special cases such as smooth(q−1)

• Idea: Adapt these algorithms for FFT finite fields

• Algorithms:

• Rabin’s algorithm (general case)

• Mignotte-Schnorr’s algorithm (smooth case)

• Moenck’s algorithm (FFT finite fields)

6/21

Goal

• Many known randomized algorithms

• for the general case

• for special cases such as smooth(q−1)

• Idea: Adapt these algorithms for FFT finite fields

• Algorithms:

• Rabin’s algorithm (general case)

• Mignotte-Schnorr’s algorithm (smooth case)

• Moenck’s algorithm (FFT finite fields)

Goal

• Many known randomized algorithms

• for the general case

• for special cases such as smooth(q−1)

• Idea: Adapt these algorithms for FFT finite fields

• Algorithms:

• Rabin’s algorithm(general case)

• Mignotte-Schnorr’s algorithm (smooth case)

• Moenck’s algorithm (FFT finite fields)

6/21

Rabin’s algorithm

• ∏

α∈Fp^∗

(X−α) =X^p−1−1

=(X^p−21 −1)(X^p−21 +1)

α^p−12 =1

α^p−21 =−1 (α+τ)^p−12

=1

(α+τ)^p−21

=−1

• With some luck, gcd(f,X^p−21−1)∈ {/ 1,f}.

• Push your luck: gcd(f,(X+τ)^p−21 −1)for somerandom τ ∈Fp

deg(

gcd(f,(X+τ)^p−21 −1))

≃d/2 Randomized algorithm

The roots off∈Fp[X]can be computed in expected time O(d˜ log²p).

Rabin’s algorithm

• ∏

α∈Fp^∗

(X−α) =X^p−1−1=(X^p−21 −1)(X^p−21 +1)

α^p−12 =1

α^p−21 =−1 (α+τ)^p−12

=1

(α+τ)^p−21

=−1

• With some luck, gcd(f,X^p−21−1)∈ {/ 1,f}.

• Push your luck: gcd(f,(X+τ)^p−21 −1)for somerandom τ ∈Fp

deg(

gcd(f,(X+τ)^p−21 −1))

≃d/2 Randomized algorithm

The roots off∈Fp[X]can be computed in expected time O(d˜ log²p).

7/21

Rabin’s algorithm

• ∏

α∈Fp^∗

(X−α) =X^p−1−1=(X^p−21 −1)(X^p−21 +1)

α^p−12 =1

α^p−21 =−1 (α+τ)^p−12

=1

(α+τ)^p−21

=−1

• With some luck, gcd(f,X^p−21−1)∈ {/ 1,f}.

• Push your luck: gcd(f,(X+τ)^p−21 −1)for somerandom τ ∈Fp

deg(

gcd(f,(X+τ)^p−21 −1))

≃d/2 Randomized algorithm

The roots off∈Fp[X]can be computed in expected time O(d˜ log²p).

Rabin’s algorithm

• ∏

α∈Fp^∗

(X−α) =X^p−1−1=(X^p−21 −1)(X^p−21 +1)

α^p−12 =1

α^p−21 =−1 (α+τ)^p−12

=1

(α+τ)^p−21

=−1

• With some luck, gcd(f,X^p−21−1)∈ {/ 1,f}.

• Push your luck: gcd(f,(X+τ)^p−21 −1)for somerandom τ ∈Fp

deg(

gcd(f,(X+τ)^p−21 −1))

≃d/2 Randomized algorithm

The roots off∈Fp[X]can be computed in expected time O(d˜ log²p).

7/21

Rabin’s algorithm

• ∏

α∈Fp^∗

(X−α) =X^p−1−1=(X^p−21 −1)(X^p−21 +1)

α^p−12 =1

α^p−21 =−1 (α+τ)^p−12

=1

(α+τ)^p−21

=−1

• With some luck, gcd(f,X^p−21−1)∈ {/ 1,f}.

• Push your luck: gcd(f,(X+τ)^p−21 −1)for somerandom τ ∈Fp

deg(

gcd(f,(X+τ)^p−21 −1))

≃d/2 Randomized algorithm

The roots off∈Fp[X]can be computed in expected time O(d˜ log²p).

Rabin’s algorithm

• ∏

α∈Fp^∗

(X−α) =X^p−1−1=(X^p−21 −1)(X^p−21 +1)

α^p−12 =1

α^p−21 =−1 (α+τ)^p−12

=1

(α+τ)^p−21

=−1

• With some luck, gcd(f,X^p−21−1)∈ {/ 1,f}.

• Push your luck: gcd(f,(X+τ)^p−21 −1)for somerandom τ ∈Fp

deg(

gcd(f,(X+τ)^p−21 −1))

≃d/2

Randomized algorithm

The roots off∈Fp[X]can be computed in expected time O(d˜ log²p).

7/21

Rabin’s algorithm

• ∏

α∈Fp^∗

(X−α) =X^p−1−1=(X^p−21 −1)(X^p−21 +1)

α^p−12 =1

α^p−21 =−1 (α+τ)^p−12

=1

(α+τ)^p−21

=−1

• With some luck, gcd(f,X^p−21−1)∈ {/ 1,f}.

• Push your luck: gcd(f,(X+τ)^p−21 −1)for somerandom τ ∈Fp

deg(

gcd(f,(X+τ)^p−21 −1))

≃d/2 Randomized algorithm

The roots off∈Fp[X]can be computed in expected time O(d˜ log²p).

Modified Rabin’s algorithm (for FFT finite fields)

X^p−1−1=

2∏^ℓ−1

i=0

(X^M2m−ℓ−ξⁱ), whereξ is primitive of order 2^ℓ.

ξ⁰ ξ¹

ξ² ξ³

gcd(f,(X+τ)^M2m−ℓ−ξ⁰) gcd(f,(X+τ)^M2m−ℓ−ξ¹)

gcd(f,(X+τ)^M2m−ℓ−ξ²) gcd(f,(X+τ)^M2m−ℓ−ξ³)

degrees

≃d/2^ℓ

Worthwhile in practice forsmall ℓ=2,3, . . .

8/21

Modified Rabin’s algorithm (for FFT finite fields)

X^p−1−1=

2∏^ℓ−1

i=0

(X^M2m−ℓ−ξⁱ), whereξ is primitive of order 2^ℓ.

ξ⁰ ξ¹

ξ² ξ³

gcd(f,(X+τ)^M2m−ℓ−ξ⁰) gcd(f,(X+τ)^M2m−ℓ−ξ¹)

gcd(f,(X+τ)^M2m−ℓ−ξ²) gcd(f,(X+τ)^M2m−ℓ−ξ³)

degrees

≃d/2^ℓ

Worthwhile in practice forsmall ℓ=2,3, . . .

Modified Rabin’s algorithm (for FFT finite fields)

X^p−1−1=

2∏^ℓ−1

i=0

(X^M2m−ℓ−ξⁱ), whereξ is primitive of order 2^ℓ.

ξ⁰ ξ¹

ξ² ξ³

gcd(f,(X+τ)^M2m−ℓ−ξ⁰) gcd(f,(X+τ)^M2m−ℓ−ξ¹)

gcd(f,(X+τ)^M2m−ℓ−ξ²) gcd(f,(X+τ)^M2m−ℓ−ξ³)

degrees

≃d/2^ℓ

Worthwhile in practice forsmall ℓ=2,3, . . .

8/21

Modified Rabin’s algorithm (for FFT finite fields)

X^p−1−1=

2∏^ℓ−1

i=0

(X^M2m−ℓ−ξⁱ), whereξ is primitive of order 2^ℓ.

ξ⁰ ξ¹

ξ² ξ³

gcd(f,(X+τ)^M2m−ℓ−ξ⁰) gcd(f,(X+τ)^M2m−ℓ−ξ¹)

gcd(f,(X+τ)^M2m−ℓ−ξ²) gcd(f,(X+τ)^M2m−ℓ−ξ³)

degrees

≃d/2^ℓ

Worthwhile in practice forsmall ℓ=2,3, . . .

New technique: Graeffe transform

The Graeffe transform Letf(X) =∏

i(X−αi)

f(X)f(−X) =∏

i

(X−αi)(−X−αi) = (−1)^d∏

i

(X²−α²_i)

Definition G₂(f)(X) =∏

i(X−α_i²)is the Graeffe transformof f. G_ρ(f)(X) =∏

i(X−α^ρ_i) is theGraeffe transform of order ρof f.

Remarks:

• G_ρ1ρ2 =G_ρ1◦G_ρ2

• G_q−1(f)(X) =∏

i(X−α^q_i⁻¹) = (X−1)^d

The Graeffe transform Letf(X) =∏

i(X−αi)

f(X)f(−X) =∏

i

(X−αi)(−X−αi) = (−1)^d∏

i

(X²−α²_i)

Definition G₂(f)(X) =∏

i(X−α_i²)is the Graeffe transformof f.

G_ρ(f)(X) =∏

i(X−α^ρ_i) is theGraeffe transform of order ρof f.

Remarks:

• G_ρ1ρ2 =G_ρ1◦G_ρ2

• G_q−1(f)(X) =∏

i(X−α^q_i⁻¹) = (X−1)^d

9/21

The Graeffe transform Letf(X) =∏

i(X−αi)

f(X)f(−X) =∏

i

(X−αi)(−X−αi) = (−1)^d∏

i

(X²−α²_i)

Definition G₂(f)(X) =∏

i(X−α_i²)is the Graeffe transformof f.

G_ρ(f)(X) =∏

i(X−α^ρ_i) is theGraeffe transform of order ρof f.

Remarks:

• G_ρ1ρ2 =G_ρ1◦G_ρ2

• G_q−1(f)(X) =∏

i(X−α^q_i⁻¹) = (X−1)^d

The Graeffe transform Letf(X) =∏

i(X−αi)

f(X)f(−X) =∏

i

(X−αi)(−X−αi) = (−1)^d∏

i

(X²−α²_i)

Definition G₂(f)(X) =∏

i(X−α_i²)is the Graeffe transformof f.

G_ρ(f)(X) =∏

i(X−α^ρ_i) is theGraeffe transform of order ρof f.

Remarks:

• G_ρ1ρ2=G_ρ1◦G_ρ2

• G_q−1(f)(X) =∏

i(X−α^q_i⁻¹) = (X−1)^d

9/21

Computing Graeffe transforms

Lemma

Let ξ be a primitive root of unity of order π. Then G_π(f)(X^π) =f(X)f(ξX)· · ·f(ξ^π−1X).

⇝Given ξ,G_π(f)can be computed in time O(πd˜ logq)

Theorem

Let f∈Fq[X]andq−1=π₁· · ·π_m. The Graeffe transforms G_π1(f),G_π1π2(f), …,G_{π1···πm−1}(f) can be computed in time (dlog²q)^1+δ for all δ >0.

Based on modular composition[Kedlaya-Umans (2011)].

Computing Graeffe transforms

Lemma

Let ξ be a primitive root of unity of order π. Then G_π(f)(X^π) =f(X)f(ξX)· · ·f(ξ^π−1X).

⇝Given ξ,G_π(f)can be computed in time O(πd˜ logq) Theorem

Let f∈Fq[X]andq−1=π₁· · ·π_m. The Graeffe transforms G_π1(f),G_π1π2(f), …, G_{π1···πm−1}(f) can be computed in time (dlog²q)^1+δ for all δ >0.

Based on modular composition[Kedlaya-Umans (2011)].

10/21

Using Graeffe transforms

f g₁ g₂ … g_m−1 g_m

Z(f) Z₁ Z₂ … Z_m−1 {1}

G_π1 G_π2 G_π3 G_πm−1 G_πm

• Z_m−1 ⊆{ξⁱ :0≤i< πm} (ξ: primitive root of order πm)

={ζ^(q−1)i/πm:0≤i< πm} (ζ: primitive element ofFq^∗)

• If β ∈Z_k, there exists α∈Z_k−1 s.t. α^πk =β

• If β =ζ^e,α∈ {

ζ

e+(q−1)i

πk :0≤i< π_k }

Using Graeffe transforms

f g₁ g₂ … g_m−1 g_m

Z(f) Z₁ Z₂ … Z_m−1 {1}

G_π1 G_π2 G_π3 G_πm−1 G_πm

• Z_m−1 ⊆{ξⁱ :0≤i< πm} (ξ: primitive root of order πm)

={ζ^(q−1)i/πm:0≤i< πm} (ζ: primitive element ofFq^∗)

• If β ∈Z_k, there exists α∈Z_k−1 s.t. α^πk =β

• If β =ζ^e,α∈ {

ζ

e+(q−1)i

πk :0≤i< π_k }

11/21

Using Graeffe transforms

f g₁ g₂ … g_m−1 g_m

Z(f) Z₁ Z₂ … Z_m−1 {1}

G_π1 G_π2 G_π3 G_πm−1 G_πm

• Z_m−1 ⊆{ξⁱ :0≤i< πm} (ξ: primitive root of order πm)

={ζ^(q−1)i/πm:0≤i< πm} (ζ: primitive element ofFq^∗)

• If β ∈Z_k, there exists α∈Z_k−1 s.t. α^πk =β

• If β =ζ^e,α∈ {

ζ

e+(q−1)i

πk :0≤i< π_k }

Using Graeffe transforms

f g₁ g₂ … g_m−1 g_m

Z(f) Z₁ Z₂ … Z_m−1 {1}

G_π1 G_π2 G_π3 G_πm−1 G_πm

• Z_m−1 ⊆{ξⁱ :0≤i< πm} (ξ: primitive root of order πm)

={ζ^(q−1)i/πm:0≤i< πm} (ζ: primitive element ofFq^∗)

• If β ∈Z_k, there exists α∈Z_k−1 s.t. α^πk =β

• If β =ζ^e,α∈ {

ζ

e+(q−1)i

πk :0≤i< π_k }

11/21

Using Graeffe transforms

f g₁ g₂ … g_m−1 g_m

Z(f) Z₁ Z₂ … Z_m−1 {1}

G_π1 G_π2 G_π3 G_πm−1 G_πm

• Z_m−1 ⊆{ξⁱ :0≤i< πm} (ξ: primitive root of order πm)

={ζ^(q−1)i/πm:0≤i< πm} (ζ: primitive element ofFq^∗)

• If β ∈Z_k, there exists α∈Z_k−1 s.t. α^πk =β

• If β =ζ^e,α∈ {

ζ

e+(q−1)i

πk :0≤i< π_k }

A deterministic algorithm

× Z_m={ζ⁰}

×

×

×

×

×

×

{ζ

(q−1)i

πm :0≤i< π_m} g_m−1(ζ^e) =0

× ×

×

×

×

×

×

×

×

×

{ζ

e+(q−1)i

πm−1 :0≤i< πm−1} g_m−2(ζ^e) =0

…

Theorem

If max_iπ_i=O(logq), the algorithm runs in time O(d˜ log³q).

12/21

A deterministic algorithm

× Z_m={ζ⁰}

×

×

×

×

×

×

{ζ

(q−1)i

πm :0≤i< π_m} g_m−1(ζ^e) =0

× ×

×

×

×

×

×

×

×

×

{ζ

e+(q−1)i

πm−1 :0≤i< πm−1} g_m−2(ζ^e) =0

…

Theorem

If max_iπ_i=O(logq), the algorithm runs in time O(d˜ log³q).

A deterministic algorithm

× Z_m={ζ⁰}

×

×

×

×

×

×

{ζ

(q−1)i

πm :0≤i< π_m} g_m−1(ζ^e) =0

× ×

×

×

×

×

×

×

×

×

{ζ

e+(q−1)i

πm−1 :0≤i< πm−1} g_m−2(ζ^e) =0

…

Theorem

If max_iπ_i=O(logq), the algorithm runs in time O(d˜ log³q).

12/21