Factoring sparse polynomials fast Alexander Demin National Research University Higher School of Economics 20 Myasnitskaya Ulitsa 101000 Moscow, Russia Email: asdemin_2@edu.hse.ru Joris van der Hoeven CNRS, École polytechnique, Institut Polytechnique de Paris Laboratoire d'informatique de l'École polytechnique (LIX, UMR 7161) Bâtiment Alan Turing, CS35003 1, rue Honoré d'Estienne d'Orves 91120 Palaiseau, France Email: vdhoeven@lix.polytechnique.fr January 2, 2024

1.Introduction

1.1.Motivation and main goals

Let be an effective field. Consider a sparse polynomial , represented as

(1.1)

where , , and for any . We call the size of and its support. The aim of this paper is to factor into a product of irreducible sparse polynomials.

All algorithms that we will present are based on the approach of sparse evaluation and interpolation. Instead of directly working with sparse representations (1.1), the idea is to evaluate input polynomials at a sequence of well-chosen points, do the actual work on these evaluations, and then recover the output polynomials using sparse interpolation. The evaluation-interpolation approach leads to very efficient algorithms for many tasks, such as multiplication [47, 45], division, gcd computations [51], etc. In this paper, we investigate the complexity of factorization under this light.

One particularly good way to choose the evaluation points is to take them in a geometric progression: for a fixed , we evaluate at , where . This idea goes back to Prony [88] and was rediscovered, extended, and popularized by Ben Or and Tiwari [5]. We refer to [89] for a nice survey. If is a finite field, then a further refinement is to use suitable roots of unity, in which case both sparse evaluation and interpolation essentially reduce to discrete Fourier transforms [48, 45].

In this paper, we do not specify the precise algorithms that should be used for sparse evaluation and interpolation, but we will always assume that the evaluation points form geometric progressions. Then the cost of sparse evaluation or interpolation at such points is quasi-linear in . We refer to Sections 2.1, 2.3, and 2.4 for more details on this cost function and the algebraic complexity model that we assume.

One important consequence of relying on geometric progressions is that this constraints the type of factorization algorithms that will be efficient. For instance, several existing methods start with the application of random shifts for one or more variables . Since such shifts do not preserve geometric progressions, this is a technique that we must avoid. On the other hand, monomial transformations like do preserve geometric progressions and we will see how to make use of this fact.

The main goal of this paper is to develop fast algorithms for factoring sparse polynomials under these constraints. Besides the top-level problem of factorization into irreducibles, we also consider several interesting subtasks, such as gcd computations, Hensel lifting, content-free and square-free factorization, and the extraction of multiple roots. While relying on known techniques, we shall show how to conciliate them with the above constraints.

Our complexity bounds are expressed in terms of the maximal size and total degree of the input and output polynomials. In practical applications, total degrees often remain reasonably small, so we typically allow for a polynomial dependence on the total degree times the required number of evaluation/interpolation points. In this particular asymptotic regime, our complexity bounds are very sharp and they improve on the bounds from the existing literature.

Concerning the top-level problem of decomposing sparse polynomials into irreducible factors, we develop two main approaches: a recursive one on the dimension and a more direct one based on simultaneous lifting with respect to all but one variables. We will present precise complexity bounds and examples of particularly difficult cases.

1.2.Overview of univariate and bivariate factorization methods

The factorization of polynomials is a fundamental problem in computer algebra. Since we are relying on sparse interpolation techniques, it is also natural to focus exclusively on randomized algorithms of Monte Carlo type. For some deterministic algorithms, we refer to [58, 98, 69].

Before considering multivariate polynomials, we need an algorithm for factoring univariate polynomials. Throughout this paper, we assume that we have an algorithm for this task (it can be shown that the mere assumption of being effective is not sufficient [27, 28]).

In practice, we typically have , , , or for some prime and . Most basic is the case when is a finite field, and various efficient probabilistic methods have been proposed for this case. An early such method is due to Berlekamp [6, 7]. A very efficient algorithm that is also convenient to implement is due to Cantor and Zassenhaus [16]. Asymptotically more efficient methods have been developed since [64, 67] as well as specific improvements for the case when is composite [53]. See also [31, Chapter 14] and [62].

Rational numbers can either been regarded as a subfield of or . For asymptotically efficient algorithms for the approximate factorizations of univariate polynomials over , we refer to [95, 84, 80]. When reducing a polynomial in modulo for a sufficiently large random prime, factorization over reduces to factorization over via Hensel lifting [94, 41, 104]. For more general factorization methods over , we refer to [26, 20, 79, 38, 3].

Now let and assume that we have an irreducible factorization with for or . (In practice, we require that are known with sufficient precision.) In order to turn this into a factorization over , we need a way to recombine the factors, e.g. to find the subsets for which . Indeed, if is irreducible in and , then is never irreducible in and irreducible with probability in for a large random prime . The first recombination method that runs in polynomial time is due to Lenstra-Lenstra-Lovasz [74]. Subsequently, many improvements and variants of this LLL-algorithm have been developed [43, 4, 82, 83, 91].

The problem of factoring a bivariate polynomial over is similar in many regards to factoring polynomials with rational coefficients. Indeed, for a suitable random prime , we have seen above that the latter problem reduces to univariate factorization over , Hensel lifting, and factor combination. In a similar way, after factoring for a sufficiently random (possibly in an extension field of , whenever is a small finite field), we may use Hensel lifting to obtain a factorization in , and finally recombine the factors. The precise algorithms for factor recombination are slightly different in this context [29, 68, 4, 71] (see also [90, 92] for earlier related work), although they rely on similar ideas.

1.3.Overview of multivariate factorization methods

Hensel lifting naturally generalizes to polynomials in three or more variables . Many algorithms for multivariate polynomial factorization rely on it [81, 101, 100, 106, 57, 32, 33, 59, 58, 8, 69, 77, 78, 17], as well as many implementations in computer algebra systems. One important property of higher dimensional Hensel lifting is that factor recombination can generally be avoided with high probability, contrary to what we saw for -adic and bivariate Hensel lifting. This is due to Hilbert and Bertini's irreducibility theorems [42, 10]:

Theorem 1.1. Assume that is irreducible and of total degree . Let be the set of points for which

(1.2)

is irreducible in . Then is an Zariski open subset of , which is dense over the algebraic closure of .

Effective versions of these theorems can be used to directly reduce the factorization problem in dimension to a bivariate problem (and even to a univariate problem if , using similar ideas). We refer to [71] and [72, Chapître 6] for a recent presentation of how to do this and to [97, Section 6.1] for the mathematical background.

In order to analyze the computational complexity of factorization, we first need to specify the precise way we represent our polynomials. When using a dense representation (e.g. storing all monomials of total degree with their (possibly zero) coefficients), Theorem 1.1 allows us to directly reduce to the bivariate case (if is very small, then one may need to replace by a suitable algebraic extension). The first polynomial time reduction of this kind was proposed by Kaltofen [57]. More recent bounds that exploit fast dense polynomial arithmetic can be found in [69].

Another popular representation is the “black box representation”, in which case we are only given an algorithm for the evaluation of our polynomial . Often this algorithm is actually a straight line program (SLP) [14], which corresponds to the “SLP representation”. In these cases, the relevant complexity measure is the length of the SLP or the maximal number of steps that are needed to compute one black box evaluation. Consequently, affine changes of variables (1.2) only marginally increase the program size. This has been exploited in order to derive polynomial time complexity bounds for factoring in this model [60, 65]; see also [30, 17, 18]. Here we stress that the output factors are also given in black box or SLP representation.

Plausibly the most common representation for multivariate polynomials in computer algebra is the sparse one (1.1). Any sparse polynomial naturally gives rise to an SLP of roughly the same size. Sparse interpolation also provides a way to convert in the opposite direction. However, for an SLP of length , it takes time to recover its sparse representation , where . A priori, the back and forth conversion therefore takes quadratic time . While it is theoretically possible to factor sparse polynomials using the above black box methods, this is suboptimal from a complexity perspective.

Unfortunately, general affine transformations (1.2) destroy sparsity, so additional ideas are needed for the design of efficient factorization methods based on Hilbert-Bertini-like irreducibility theorems. Dedicated algorithms for the sparse model have been developed in [32, 8, 76, 78]. There are two ways to counter the loss of sparsity under affine transformations, both of which will be considered in the present paper. One possibility is to successively use Hensel lifting with respect to . Another approach is to use a more particular type of changes of variables, like . However, both approaches require to be of a suitable form to allow for Hensel lifting. Some reference for Hensel lifting in the context of sparse polynomials are [59, 8, 75, 77, 78, 17].

For most applications in computer algebra, the total degree of large sparse polynomials is typically much smaller than the number of terms. The works in the above references mainly target this asymptotic regime. The factorization of “supersparse” polynomials has also been considered in [39, 36]. The survey talk [93] discusses the complexity of polynomial factorizations for yet other polynomial representations.

The theory of polynomial factorization involves several other basic algorithmic tasks that are interesting for their own sake. We already mentioned the importance of Hensel lifting. Other fundamental operations are gcd computations, multiple root computations, square-free factorizations, and determining the content of a polynomial. We refer to [31] for classical univariate algorithms. As to sparse multivariate polynomials, there exist many approaches for gcd computations [21, 105, 65, 63, 56, 22, 54, 73, 51, 55].

Whenever convenient, we will assume that the characteristic of is either zero or sufficiently large. This will allow us to avoid technical non-separability issues; we refer to [34, 99, 70] for algorithms to deal with such issues. A survey of multivariate polynomial factorization over finite fields (including small characteristic) can be found in [62]. Throughout this paper, factorizations will be done over the ground field . Some algorithms for “absolute factorization” over the algebraic closure of can be found in [61, 19, 23]; alternatively, one may mimic computations in using dynamic evaluation [24, 49].

1.4.Outline of our contributions

The goal of this paper is to redevelop the theory of sparse polynomial factorization, by taking advantage as fully as possible of evaluation-interpolation techniques at geometric sequences. The basic background material is recalled in Section 2. We recall that almost all algorithms in the paper are randomized, of Monte Carlo type. We also note that the correctness of a factorization can easily be verified, either directly or with high probability by evaluating the polynomial and the product of the potential factors at a random point.

As an appetizer, we start in Section 3 with the problem of multivariate gcd computations. This provides a nice introduction for the main two approaches used later in the paper: induction on dimension and direct reduction to the univariate (or bivariate or low dimensional) case. It also illustrates the kind of complexity bounds that we are aiming for. Consider the computation of the gcd of two sparse polynomials . Ideally speaking, setting , , , we are aiming for a complexity bound of the form

(1.3)

where is a constant. Since is typically much smaller than , we can afford ourselves the non-trivial overhead with respect to in the term . The inductive approach on the dimension achieves the complexity (1.3) with on many practical instances, but its worst case complexity is . This algorithm seems to be new. Using a direct reduction to univariate gcd computations via so-called “regularizing weights”, the second approach achieves the complexity (1.3) with , and even for many practical examples. This algorithm is a sharpened version of the algorithm from [51, Section 4.3].

Most existing algorithms for multivariate polynomial factorization reduce to the univariate or bivariate case. Direct reduction to the univariate case is only possible for certain types of coefficients, such as integers, rational numbers, or algebraic numbers. Reduction to the bivariate case works in general, thanks to Theorem 1.1, and this is even interesting when : first reduce modulo a suitable prime , then factor over , and finally Hensel lift to obtain a factorization over . In this paper, we will systematically opt for the bivariate reduction strategy. For this reason, we have included a separate Section 4 on bivariate factorization and related problems. This material is classical, but recalled for self-containedness and convenience of the reader.

If is a finite field, then we already noted that multivariate factorization does not directly reduce to the univariate case. Nevertheless, such direct reductions are possible for some special cases of interest: content-free factorization, extraction of multiple roots, and square-free factorization. In Section 5, we present efficient algorithms for these tasks, following the “regularizing weights” approach that was introduced in Section 3.2 for gcd computations. All complexity bounds are of the form (1.3) for the relevant notions of output size , input-output size , and total degree .

In Section 6 we turn to the factorization of a multivariate polynomial using induction on the dimension . Starting with a coprime factorization of a bivariate projection of for random , we successively Hensel lift this factorization with respect to . Using a suitable evaluation-interpolation strategy, the actual Hensel lifting can be done on bivariate polynomials. This leads to complexity bounds of the form with . In fact, we separately consider factorizations into two or more factors. In the case of two factors, it is possible to first determine the smallest factor and then perform an exact division to obtain the other one. In the complexity bound, this means that should really be understood as the number of evaluation-interpolation points, i.e. the minimum of the sizes of the two factors. It depends on the situation whether it is faster to lift a full coprime factorization or one factor at a time, although we expect the first approach to be fastest in most cases.

Due to the fact that projections such as are only very special types of affine transformations, Theorem 1.1 does not apply. Therefore, the direct inductive approach from Section 6 does not systematically lead to a full irreducible factorization of . In Remarks 6.14 and 6.15, we give an example on which our approach fails, together with two different heuristic remedies (which both lead to similar complexity bounds, but with or higher).

In the last Section 7, we present another approach, which avoids induction on the dimension and the corresponding overhead in the complexity bound. The idea is to exploit properties of the Newton polytope of and “face factorizations” (e.g. factorizations of restrictions of to faces of its Newton polytope). In the most favorable case, there exists a coprime edge factorization, which can be Hensel lifted into a full factorization, and we obtain a complexity bound of the form (1.3). In less favorable cases, different face factorizations need to be combined. Although this yields a similar complexity bound, the details are more technical. We refer to [1, 102] for a few existing ways to exploit Newton polytopes for polynomial factorization.

In very unfavorable cases (see Section 7.6), the factorization of cannot be recovered from its face factorizations at all. In Section 7.7, we conclude with a fully general algorithm for irreducible factorization. This algorithm is not as practical, but addresses pathologically difficult cases through the introduction of a few extra variables. Its cost is plus the cost of one univariate factorization of degree .

1.5.Notation

In this paper paper, we will measure the complexity of algorithms using the algebraic complexity model [14]. In addition, we assume that it is possible to sample a random element from (or a subset of ) in constant time. We will use as a shorthand for .

We let and . We also define , for any ring . Given a multivariate polynomial and , we write (resp. ) for the degree (resp. valuation) of in . We also write (resp. ) for the total degree (resp. valuation of ), and we set . Recall that stands for the number of terms of in its sparse representation (1.1).

Acknowledgment. We wish to thank Grégoire Lecerf for useful discussions during the preparation of this paper.

2.Preliminaries

2.1.Basic complexities

Let (or ) be the cost to multiply two dense univariate polynomials of degree in . Throughout the paper, we make the assumption that is a non-decreasing function. In the algebraic complexity model [14], when counting the number of operations in , we may take [15]. If is a finite field , then one has , under suitable number theoretic assumption [40]. In this case, the corresponding bit complexity (when counting the number of operations on a Turing machine [85]) is .

For polynomials of degree it is possible to find the unique , such that with . This is the problem of univariate division with remainder, which can be solved in time by applying Newton iteration [31, Section 9.1]. A related task is univariate root extraction: given and , check whether is of the form for some and monic , and determine and if so. For a fixed , this can be checked, and the unique can be found in arithmetic operations in by applying Newton iteration [31, polynomial analogue of Theorem 9.28].

Consider the Vandermonde matrix

where are pairwise distinct. Given a column vector with entries , it is well known [11, 66, 12, 9, 44] that the products , , , and can all be computed in time . These are respectively the problems of multi-point evaluation, (univariate) interpolation, transposed multi-point evaluation, and transposed interpolation. For fixed , these complexities can often be further reduced to using techniques from [44].

For our factorization algorithms, we will sometimes need to assume the existence of an algorithm to factor univariate polynomials in into irreducible factors. We will denote by the cost of such a factorization as a function of . We will always assume that is non-decreasing. In particular for all and .

If is the finite field with elements for some odd , then the best univariate factorization methods are randomized of Las Vegas type. When allowing for such algorithms, we may take , by using Cantor and Zassenhaus' method from [16]. With the use of fast modular composition [67], we may take

but this algorithm is only relevant in theory, for the moment [50]. If the extension degree is composite, then this can be exploited to lower the practical complexity of factorization [53].

2.2.The Schwarz–Zippel lemma

In all probabilistic algorithms in this paper, will stand for a sufficiently large integer such that “random elements in ” are chosen in some fixed subset of of size at least . In the case when is larger than the cardinality of , this means that needs to be replaced by an algebraic extension of degree , which induces a logarithmic overhead for the cost of field operations in . We will frequently use the following well-known lemma:

Lemma 2.1.

(Schwarz [96]–Zippel [105]) Let be a polynomial of total degree . Let be finite and let be chosen independently and uniformly. Then the probability that is at most .

Proof. We apply the lemma to .

Proof. We apply the lemma to .

2.3.Sparse polynomial interpolation

Consider a polynomial that is presented as a blackbox function. The task of sparse interpolation is to recover the sparse representation (1.1) from a sufficient number of blackbox evaluations of . One may distinguish between the cases when the exponents of are already known or not. (Here “known exponents” may be taken liberally to mean a superset of reasonable size of the set of actual exponents.)

One popular approach for sparse interpolation is based on Prony's geometric sequence technique [88, 5]. This approach requires an admissible ratio , such that for any , there is an algorithm to recover from . If , then we may take to be the -th prime number, and use prime factorization in order to recover . If is a finite field, where is a smooth prime (i.e. has many small prime divisors), then one may recover exponents using the tangent Graeffe method [37].

Given an admissible ratio , Prony's method allows for the sparse interpolation of using evaluations of at for , as well as operations in for determining , and subsequent exponent recoveries. If , then the exponents can be recovered if , which can be ensured by working over a field extension of with . If the exponents are already known, then the coefficients can be obtained from evaluations of at using one transposed univariate interpolation of cost .

If is a finite field, then it can be more efficient to consider an FFT ratio for which are roots of unity. When choosing these roots of unity with care, possibly in an extension field of , sparse interpolation can often be done in time from values of , using discrete Fourier transforms; see [48, 45] for details.

In what follows, we will denote by the cost of sparse interpolation of size , given values of at a suitable geometric sequence. When using Prony's approach, we may thus take , whenever the cost to recover the exponents from is negligible. If the discrete Fourier approach is applicable, then we may even take .

Remark 2.4. If we have a bound for the number of terms of , then we assume that our sparse interpolation method is deterministic and that it interpolates in time . If we do not know the number of terms of , then we may run the interpolation method for a guessed number of terms. We may check the correctness of our guessed interpolation by verifying that the evaluations of and coincide at a randomly chosen point. By the Schwartz-Zippel lemma, this strategy succeeds with probability at least .

Remark 2.5. The above interpolation methods readily generalize to the case when we use a geometric progression of the form with as the evaluation points, by considering the function instead of . Taking a random avoids certain problems due to degeneracies; this is sometimes called “diversification” [35]. If is itself chosen at random, then it often suffices to simply take . We will occasionally do so without further mention.

Remark 2.6. For many probabilistic proofs in the sequel of this paper, we will rely on Corollary 2.2. However, this requires the ratios of geometric progressions to be picked at random, which excludes FFT ratios. Alternatively, we could have relied on Corollary 2.3 and diversification of all input and output polynomials for a fixed random scaling factor (see the above remark).

Assume for instance that we wish to factor . Then the factors of are in one-to-one correspondence with the factors of . If we rely on Corollary 2.3 instead of 2.2 in our complexity bounds for factoring (like the bounds in Theorems 6.11 or 7.2 below), then the cost of diversification adds an extra term , where and is the total size of and the computed factors. On the positive side, in the corresponding bounds for the probability of failure, the quadratic dependence on the number of evaluation points reduces to a linear one. Similar adjustments apply for other operations such as gcd computations.

2.4.Sparse evaluation at geometric progressions

Opposite to sparse interpolation, one may also consider the evaluation of at points in a geometric progression. In general, this can be done in time , using one transposed multi-point evaluation of size . If is a suitable FFT ratio, then this complexity drops to , using a discrete Fourier transform of size . In what follows, we will assume that this operation can always be done in time .

More generally, we may consider the evaluation of at points in a geometric progression. If , we may do this in time , by reducing to the evaluation of at progressions of size . To obtain the evaluations of at for , we can evaluate at . If , then we may cut into polynomials of size , and do the evaluation in time .

Remark 2.7. If is an FFT-ratio, then the bound for the case when further reduces to plus bit operations on exponents, since the cyclic projections from [45, 48] reduce in linear time to cyclic polynomials with terms before applying the FFTs. We did not exploit this optimization for the complexity bounds in this paper, since we preferred to state these bounds for general ratios , but it should be straightforward to adapt them to the specific FFT case.

In this paper, we will frequently need to evaluate at all but one or two variables. Assume for instance that

where has terms for and . Then using the above method, we can compute for using operations.

One traditional application of the combination of sparse evaluation and interpolation are probabilistic algorithms for multiplication and exact division of sparse multivariate polynomials. For the given , we can compute the product by evaluating , and at a geometric progression with and recovering of in the sparse representation (1.1) via sparse interpolation. The total cost of this method is bounded by operations in , where . If and are known, then the exact quotient can be computed in a similar fashion and with the same complexity. If , then the quotient can actually be computed in time . Divisions by zero are avoided through diversification, with probability at least , by Corollary 2.2.

2.5.Newton polytopes

Consider a multivariate polynomial . We define to be the convex hull of and we call it the Newton polytope of . Given another polynomial , it is well known that

where the Minkowski sum of two subsets is .

Let be a non-zero weight vector. We define the -degree, -valuation, and -ecart of a non-zero polynomial by

Note that and , where we exploit the fact that we allow for negative weights. We say that is -homogeneous if . Any can uniquely be written as a sum

of its -homogeneous parts

We call and the -leading and -trailing parts of . We say that is -regular if consists of a single term . In that case, we denote and we say that is -monic if . Given another non-zero polynomial , we have

Setting , we also have

The Newton polytopes and are facets of . In particular, they are contained in the boundary .

2.6.Laurent polynomials

Consider the rings and of ordinary polynomials and Laurent polynomials. Both rings are unique factorization domains, but the group of units of is , whereas the group of units of is . Factoring in is therefore essentially the same as factoring in up to multiplications with monomials in . For instance, the factorization in gives rise to the factorization in . Conversely, the factorization in gives rise to the factorization in . Similarly, computing gcds in is essentially the same problem as computing gcds in .

Given any matrix , we define the monomial map by

This is clearly a homomorphism, which is injective (or surjective) if the linear map is injective (or surjective). Note also that for any matrices and . In particular, if is unimodular, then is an automorphism of with .

Laurent polynomials are only slightly more general than ordinary polynomials and we already noted above that factoring in is essentially the same problem as factoring in (and similarly for gcd computations). It is also straightforward to adapt the definitions from Section 2.5 and most algorithms for sparse interpolation to this slightly more general setting. The main advantage of Laurent polynomials is that they are closed under monomial maps, which allows us to change the geometry of the support of a polynomial without changing its properties with respect to factorization.

2.7.Tagging

Let be a non-zero weight vector and let . We define the -tagging map by

This map is an injective monomial map. For any , we have , , , and . Divisibility and gcds are preserved as follows:

Proof. We claim that divides in if and only if divides in . One direction is clear. Assume that divides in , so that with . We may uniquely write with and such that for . Since for , it follows that . Hence divides in . Our claim implies that divides in if and only if divides in . Now we may further extend to a monomial automorphism of by sending to itself. This yields (a). The second property is an easy consequence.

Corollary 2.9. Let and . Let , where and . Let be such that for . Then

Given a -regular polynomial , we note that any divisor must again be -regular. Hence, modulo multiplication with a suitable constant in , we may always normalize such a divisor to become -monic. In the setting of Laurent polynomials, we may further multiply by a monomial in such that . Similarly, when applying , we can always normalize to be monic as a Laurent polynomial in by considering .

Both for gcd computations and factorization, this raises the question of how to find weights for which a given non-zero polynomial is -regular. In [51, Section 4.3], a way was described to compute such a regularizing weight : let be such that is maximal. In that case, it suffices to take , and we note that , where is the total degree of . For our applications in Sections 3.2 and 5 it is often important to find a for which is small. By trying a few random weights with small (possibly negative) entries, it is often possible to find a regularizing weight with or .

Example 2.10. Consider . Then, is not -regular for the natural weight . If we take instead, then is -regular with , and we arrive at

Furthermore, can be normalized to be monic as a Laurent polynomial in by considering . Note that is also a regularizing weight for with .

3.Multivariate gcd computations

Before studying the factorization problem for multivariate polynomials, it is interesting to consider the easier problem of gcd computations. In this section we introduce two approaches for gcd computations that will also be useful later for factoring polynomials.

The first approach is iterative on the number of variables. It will be adapted to the factorization problem in Section 6. The second approach is more direct, but requires a regularizing weight (see Section 2.7). Square-free factorization can be accomplished using a similar technique, as we shall see in Section 5. The algorithms from Section 7 also draw some of their inspiration from this technique, but also rely on Newton polygons instead of regularizing weights.

3.1.Iterative computation of gcds

Let be random elements of . For any and , we define

Let and . As we will see below, for with high probability. We may easily compute the univariate greatest common divisor . In this subsection, we shall describe an iterative algorithm to compute from for . Eventually, this yields .

Let be an admissible ratio or an FFT ratio. For any and any , let

For any , we have with high probability. Now these greatest common divisors are only defined up to non-zero scalar multiples in . Nevertheless, there exists a unique greatest common divisor of and whose evaluation at coincides with .

If is known, then , , and can be computed for successive using fast evaluation at geometric progressions. For any , we may then compute the univariate gcd of and , under the normalization constraint that . It finally suffices to interpolate from sufficiently many . This yields the following algorithm:

Before we analyze this algorithm, we will need a few probabilistic lemmas. Assume that and are independently chosen at random from a subset of of size at least (if is a small finite field, this forces us to move to a field extension).

Proof. Let with be a variable that occurs both in and in . Then

If occurs in , then , which can happen for at most values of .

Proof. Let us write and , where and are coprime. Then we have if and only if and are not coprime. The result now follows by applying the previous lemma for .

Theorem 3.3. Let , , , and . Then Algorithm 3.1 is correct with probability at least and it runs in time

Remark. The probability bound implicitly assumes that , since the statement becomes void for smaller . In particular, we recall that this means that the cardinality of should be at least .

Proof. Assuming that and for and , let us prove that Algorithm 3.1 returns the correct answer. Indeed, these assumptions imply that can be normalized such that and that the unique such must coincide with . Now fails for some with probability at most , by Lemma 3.2. Since , the condition fails with probability at most for some and , by Corollary 2.2. This completes the probabilistic correctness proof.

As to the complexity, let us first ignore the cost of the recursive call. Then the sparse evaluations of , , and can be done in time : see Section 2.4. The univariate gcd computations take operations. Finally, the recovery of using sparse interpolation can be done in time . Altogether, the complexity without the recursive calls is bounded by . We conclude by observing that the degrees and numbers of terms of , , and can only decrease during recursive calls. Since the recursive depth is , the complexity bound follows.

Remark 3.4. When recovering from using sparse interpolation, one may exploit the fact that the exponents of in are already known.

Example 3.5. Let be random polynomials of total degree and consider , . With high probability, . Let us measure the overhead of recursive calls in Algorithm 3.1 with respect to the number of variables . With high probability, we have

Assuming that , it follows that

This shows that the sizes of the supports of the input and output polynomials in Algorithm 3.1 become at least twice as small at every recursive call. Consequently, the overall cost is at most twice the cost of the top-level call, roughly speaking.

3.2.Gcd computations through regularizing weights

Algorithm 3.1 has the disadvantage that the complexity bound in Theorem 3.3 involves a factor . Let us now present an alternative algorithm that avoids this pitfall, but which may require a non-trivial monomial change of variables. Our method is a variant of the algorithm from [51, Section 4.3].

Given , we first compute a regularizing weight for or , for which is as small as possible. From a practical point of view, as explained in Section 2.7, we first try a few random small weights . If no regularizing weight is found in this way, then we may always revert to the following choice:

Proof. Assume that . Then for any with . The case when is handled similarly.

Now consider , , and in . We normalize in such a way that and such that is monic as a polynomial in ; this is always possible since is -regular. Let be an admissible ratio or an FFT ratio. For any , we evaluate at and , which leads us to define the univariate polynomials

With high probability, , and is the monic gcd of and , where and . For sufficiently large (with ), we may thus recover from using sparse interpolation. Finally, for , we obtain , where for . This leads to the following algorithm:

Remark 3.7. If is normalized in to be monic as a polynomial in , then we may need to interpolate multivariate polynomials with negative exponents in order to recover from . In practice, many interpolation algorithms based on geometric sequences, like Prony's method, can be adapted to do this.

As in the previous subsection, assume that are independently chosen at random from a subset of of size at least . We let , , and .

Proof. We have if and only if does not vanish at . Now the degree of is at most , so the probability that for a randomly chosen and all is at least , by Corollary 2.2.

Corollary 3.9.

The probability that one can recover from with using sparse interpolation is at least .

Theorem 3.10. Let , , , and . Algorithm 3.2 is correct with probability at least and it runs in time

(3.1)

Proof. The correctness with the announced probability follows from Corollaries 2.9 and 3.9, while also using Remark 2.4. The computation of and through sparse evaluation at geometric progressions requires operations (see Section 2.4). The univariate gcd computations take further operations. The final interpolation of from can be done in time .

Example 3.11. Let . Consider the particular case when is monic as a polynomial in . Then, is a regularizing weight for , and therefore also for . This situation can be readily detected and, in this case, we have in the complexity bound (3.1).

Remark 3.12. We may need fewer evaluation points to interpolate the gcd in Algorithm 3.2 in case the terms of are distributed over the powers of . For instance, if the terms are distributed evenly, then we have in the complexity bound (3.1).

4.Bivariate factorization

Lemma 3.2 allows us to project the general problem of multivariate gcd computations down to the univariate case. For the polynomial factorization problem, no such reduction exists: given a random univariate polynomial of degree over a finite field, there is a non-zero probability that this polynomial is not irreducible. For this reason, it is customary to project down to bivariate instead of the univariate polynomials (when applicable, an alternative is to project down to univariate polynomials with integer coefficients; see [76], for instance).

This explains why it is interesting to study the factorization of bivariate polynomials in more detail. Throughout this section, is a bivariate polynomial in of degree in and of degree in . As in Sections 2.2 and 3, random numbers will be drawn from a subset of of size at least . We will recall some classical results concerning the complexity of bivariate factorization, important techniques, and special cases: content-free factorization, root extraction, Hensel lifting, and square-free factorization.

4.1.Content-free factorization

Recall that the content of in is defined by

We say that is content-free (or primitive) in if . Given two random shifts , we have with high probability. More precisely:

Proof. Without loss of generality, we may assume that . Let us first consider the case when . Then we claim that . Indeed, for pairwise distinct , the Vandermonde matrix is invertible, so . It follows that , regarded as an element of , is non-zero, and its total degree is bounded by . By Lemma 2.1, it follows that with probability at least . In that case, .

We have proved our probabilistic correctness claim in the particular case when . In general, we factor . With probability at least , we have .

As to the complexity bound, the evaluations and require operations and the univariate gcd computation can be done in time .

4.2.Root extraction

Let and . Assume that for some and . Assume that . Then can be computed efficiently as follows.

After dividing out a suitable power of , we may assume without loss of generality that . For a random shift , we next replace with . With high probability, this ensures that . Modulo division of by , we may then assume without loss of generality that .

Let be an admissible ratio or an FFT ratio. For any , we define the univariate polynomial . With high probability, we have . Let be the unique univariate polynomial such that . Such can be found efficiently using univariate root extraction. For , we may recover from using interpolation.

Proof. The random shift and the corresponding backshift can be computed in time using the so-called convolution method [2, Theorem 5]. The can also be computed in time using fast multipoint evaluation at geometric sequences [2, 13]. The same holds for the interpolation of from the . Finally, the univariate root extractions can be computed in time . The algorithm is correct as long as and for . The probability that and for a random choice of is at least , by Lemma 2.1. In that case, and the probability that for is at least , by Corollary 2.2.

4.3.Hensel lifting

Let be content-free in and assume that has a non-trivial factorization , and . Assume that and that and are known and coprime (in particular and are coprime). Using a random shift , these assumptions can be enforced with high probability, provided that and are coprime. Without loss of generality we may also assume that we normalized the factorization of such that is monic. Under these assumptions, we may compute and as follows:

• We first use Hensel lifting to obtain a factorization with and , , and such that is monic in . We compute and modulo for .

• For a random shift , we apply rational function reconstruction [31, Section 5.7] to to obtain with and and of the smallest possible degree with these properties. With high probability, we then have . We may compute in a similar way.

Proposition 4.3. Given and satisfying the above assumptions, let , , and . We may lift the factorization of into a factorization in time

with a probability of success of at least .

Proof. We first observe that there is a unique factorization that lifts the factorization of , thanks to our hypothesis that . Since this hypothesis also implies that , the denominator of as an element of coincides with the leading coefficient of as a polynomial in . Consequently, the denominator of equals if and only if . Since the degree of is bounded by , this happens with probability at least . Since the degrees of the numerator and denominator of do not exceed , it suffices to compute modulo in order to recover and . This completes the probabilistic correctness proof.

As to the complexity bound, the Hensel lifting requires operations in , when using a fast Newton iteration [31, Theorem 15.18, two factors]. The computation of requires further operations and the rational function reconstruction can be done in time using the technique of half gcds [31, Chapter 11].

The proposition generalizes in a straightforward way to the case when has pairwise coprime factors . In that case, one may use fast multifactor Hensel lifting [31, Theorem 15.18], to obtain the following:

Proposition 4.4. Let be such that and . Assume that can be factored as , where are pairwise coprime and known. Assume also that are monic. Then we may lift the factorization into a factorization in time

with a probability of success of at least .

Example 4.5. Consider

with

This factorization lifts to the following factorization of in :

Taking , we obtain the following rational reconstruction of up to the order :

Consequently, is the sought factor of in . In a similar way, we find that .

4.4.Square-free factorization

Assume that is content-free in and of total degree . Assume also that . Recall that the square-free factorization of is of the form

where each is the product of all irreducible factors of that occur with multiplicity . Note that some of the are allowed to be units in and that the are unique up to multiplication by such units. The polynomials are pairwise coprime. Since , they must also be separable in both and (i.e. ). The square-free factorization of can be computed efficiently as follows:

• For a random shift , replace by .

• Compute the square-free factorization of .

• Hensel lift this into the square-free factorization of using Proposition 4.4.

• Apply the shift in the opposite direction.

Proposition 4.6. We can compute the square-free factorization of in time

with a probability of success of at least , where .

Proof. Given , consider and . The polynomials and are coprime if and only if does not vanish at . Since this resultant has degree at most , this happens with probability . Therefore, the probability that all are pairwise coprime and all are separable is at least . In that case, is the square-free decomposition of . Modulo normalization, we are thus in the position to apply Proposition 4.4. This proves the probabilistic correctness of the algorithm.

The computation of the shift can be done in time using the algorithm from [2, Theorem 5] and the same holds for the shifts in the opposite direction in the last step. The square-free factorization of the univariate polynomial can be done in time : see [103] and [31, Theorem 14.23]. We conclude with Proposition 4.4.

4.5.General bivariate factorization

General bivariate factorization of can often be reduced to Hensel lifting as in Section 4.3 using a random shift and diversification , . Let , . The best currently known complexity bound is the following:

Theorem 4.7. [71, Proposition 8] Let be square-free and content-free in both and . Assume that or . Then we can compute the irreducible factorization of in time

and with a probability of success of at least .

The actual proposition in [71] also contains a similar result for finite fields of small characteristic. For as in Theorem 4.7, square-freeness and content-freeness can be achieved with high probability and negligible cost using the algorithms from Sections 4.1 and 4.4.

5.Efficient reductions

In the bivariate setting of the previous section, we have presented several efficient algorithms for the computation of partial factorizations. In this section, we will generalize three of them to the multivariate setting: removal of content, root extraction, and square-free factorizations. The common feature of these generalizations is that they recover the answer directly from the corresponding univariate specializations of the problem, in a similar fashion as the gcd algorithm from Section 3.2.

5.1.Content-free factorization

Consider a polynomial and a variable . If, for every non-trivial factorization with , both and depend on , then we say that is content-free (or primitive) in . Note that this is always the case if . If is content-free in for all , then we say that is content-free.

For a given variable , say , we can efficiently test whether is content-free with respect to : for random , we form the bivariate polynomial and compute using the method from Section 4.1. With high probability, is content-free with respect to if and only if . Performing this test for each of the variables yields:

Proof. The proof is similar to the one of Proposition 4.1. This time, for the probability bound, we consider the resultant as a polynomial in , of total degree at most . If , then this resultant does not vanish with probability at least for random , , .

As to the complexity bound, for , let and be random and consider and . We compute the simultaneously for in time and similarly for the . Finally, the computation of for takes operations.

Assume now that is not content-free, say with respect to . With high probability, the content of with respect to then equals the gcd of and , for two random shifts . This leads to a non-trivial factorization of for the cost of one gcd computation and one exact division.

5.2.Root extraction

Given and , multivariate -th root extraction is the problem of determining and , such that , whenever such and exist. We devise an algorithm in the same vein as the algorithm for gcd computations from Section 3.2.

We first compute a regularizing weight for such that is small. Recall that the regularity of ensures that for some and . We take and note that we then must have .

Now let with , so that and is monic as a polynomial in . Let be an admissible ratio or an FFT ratio. For any , we define the univariate polynomial . Let be the unique monic polynomial with . For sufficiently large (with ), we may recover from using sparse interpolation. Finally, we have , where is such that for .

Proposition 5.2. Assume that is -regular with . Then we may compute and with , whenever such and exist, in time

Proof. The evaluations take operations, whereas the sparse interpolation of from the can be done in time . The cost of the univariate -th root extractions is bounded by .

5.3.Square-free factorization

Consider of total degree . Assume that is content-free and that or . The factorization of

into square-free parts can be done using a similar technique as for gcd computations in Section 3.2. We start with the computation of a regularizing weight for . Setting , we recall that , whence . Let

and consider the normalized square-free factorization

where , , , and where are monic and of valuation zero in . Let be an admissible ratio or an FFT ratio. For any , we define the univariate polynomials

The normalized square-free factorization of is of the form

where , and are monic polynomials in . We recover using sparse interpolation and then by setting and multiplying by appropriate monomials in . More precisely, , where if and otherwise.

Proposition 5.3. Assume that is -regular with . Let and . Then we may compute a square-free factorization of in time

with a probability of success of at least .

Proof. The probabilistic correctness is proved in a similar way as in the bivariate case (see Proposition 4.6), while also using Corollary 2.2. The sparse evaluation and interpolation at a geometric sequence require operations. The univariate square-free factorizations can be done in time , using [103] and [31, Theorem 14.23].

5.4.A pathological example

It is well known that a divisor of a sparse polynomial can have far more terms than the polynomial itself, because of the identity

(5.1)

and the possibility to replace by any other sparse polynomial. For this reason, many problems on sparse polynomials turn out to be NP-hard [86, 87]. In a way that has been made precise in [25], this fundamental example is actually the main cause for such hardness results.

The example (5.1) is less dramatic if we consider sparse polynomials for which the total degree is much smaller than the total number of terms, which is often the case in practice. But even then, it still has some unpleasant consequences. Recall from [25] that

for coprime , with . This gcd contains exactly terms. Such gcds can also occur during content-free factorizations. For instance, the content of

in is . Now consider

Then and . The size of each individual factor in any irreducible factorization of is bounded by , which is sharp with respect to . However, the content of in has size . This means that content-free factorization as a preparation step (before launching a “more expensive” factorization method) is a bad idea on this particular example.

6.Factoring using iterated Hensel lifting

Let be a content-free polynomial and recall that any factor of is again content-free. Let be random non-zero elements of . For any and , we define

In this section, we describe several algorithms for the factorization of , following a similar recursive approach as for the computations of gcds in Section 3.1. This time, we start with the computation of a non-trivial factorization of the bivariate polynomial . From this, we will recursively obtain non-trivial factorizations of . This will in particular yield a non-trivial factorization of . We will separately study the cases when has a factorization into two or more coprime factors.

6.1.Faithful projections

In order to reconstruct factorizations of from factorizations of , it is important that the projection be sufficiently generic. For , let us denote by the projection . We say that is faithful for if for .

As usual, we assume that are independently chosen at random from a subset of of size at least .

Proof. Given , let . Then if and only if , which happens with probability at most .

Now consider a factorization such that are pairwise coprime. We say that is faithful for this factorization if is faithful for and are pairwise coprime.

Proof. This directly follows from Lemma 3.2 (while using that ) and the previous lemma (using induction on ).

While faithful mappings preserve coprime factorizations in a predictable way, it may still happen that an irreducible polynomial is projected to a reducible one. In fact this may even happen with probability for a random choice of .

Example 6.3. Let and for an odd prime . Consider

Then is irreducible, but whenever is a square in . If is a random element of , then this happens with probability . (Note that we may replace by any other irreducible polynomial that involves both and .)

This phenomenon is not so much of a problem if we want to recursively Hensel lift a coprime factorization for which we know that there exist with and (see Algorithms 6.1 and 6.2 below). However, any algorithm for Hensel lifting will fail if is irreducible or, more generally, if no such and exist (Algorithm 6.3 below for the irreducible factorization of may therefore fail on Example 6.3).

6.2.Lifting a coprime decomposition into two factors

Consider a non-trivial factorization , where are coprime. Assume that is faithful for this factorization. Let us show how to recover and from and , for .

Let be an admissible ratio or an FFT ratio. For any and any , let

and

With high probability, we have , , , and the polynomials and are again coprime. It follows that each factorization

can be Hensel-lifted (see Section 4.3) into a factorization

We now recover and from and , respectively, using sparse interpolation. In fact, if , then we may interpolate and recover using one exact division.

Moreover, we may exploit the assumption that the supports of and with respect to coincide with the supports of and . In the algorithm below, this explains why evaluation points indeed suffice:

Remark 6.4. The faithfulness assumption implies that . If is small, then this support bound is reasonably tight. Consequently, we may use sparse interpolation with known supports in order to recover .

Theorem 6.5. Let , , , and . Then Algorithm 6.1 runs in time

and returns the correct result with probability at least

Proof. Assume that we correctly recovered and and let us investigate the probability that the results and are correct.

Let us first examine the probability that the Hensel lifting method from Section 4.3 works correctly. This is the case whenever the following three conditions are satisfied for :

1. and are coprime;

2. We have ;

3. We have .

Consider

(6.1)

with . We have since and are coprime. The first condition fails for a given if and only if vanishes under the substitutions . This happens with probability at most for some , by Corollary 2.2. Let us next consider

where are formal indeterminates. Since is content-free, we have . Now whenever does not vanish under the substitutions . The second condition therefore fails for some with probability at most , by Corollary 2.2 and using the fact that . Finally, with probability at least , we have

for , by Corollary 2.2.

Let us now return to the correctness of the overall algorithm. Concerning the top-level call, we have the following:

• Obtaining from the evaluations , for by exact univariate polynomial division is possible as long as . This condition fails with probability at most by Corollary 2.2.

• We have shown above that the Hensel lifting strategy from Section 4.3 can be applied with probability at least . By adapting the proof of Proposition 4.3 such that we can apply Corollary 2.2, the Hensel lifting itself also succeeds with probability at least , for .

Altogether, we correctly determine and with probability at least . Since there are recursive levels and since the sizes of the supports of , , and are all smaller than those of , , and , the probabilistic correctness claim follows.

As to the complexity bound, let us now study the cost when not counting the recursive calls:

• The computation of the , , and , using sparse evaluation at geometric sequences requires operations in .

• The evaluations of are obtained by exact univariate polynomial division and require operations in total.

• Lifting the factorization for all of the evaluations requires further operations, by Proposition 4.3.

• We obtain from using sparse interpolation of the coefficients in time .

• The recovery of through sparse polynomial division takes further operations, as explained in Section 2.4.

We conclude that the cost is , when not counting the recursive calls. Since there are recursive levels and since the sizes of the supports of , , and are all smaller than those of , , and , the complexity bound follows.

Example 6.6. Let , where are coprime. Now consider the polynomial . When factoring using Algorithm 6.1, the last lifting steps with respect to all operate on a projection of size . This is an example when the overhead in the complexity bound is sharp. However, the support of is very special, since it is contained in an affine subspace of dimension . It is easy to detect this situation and directly obtain the exponents in the last variables as affine combinations of the known exponents in the first variables.

More generally, it may happen that the fibers of the support under the projection with respect to the last variables are all small. It would be interesting to develop specific optimizations for this situation, e.g. directly apply sparse interpolation on the fibers.

6.3.Simultaneous lifting of multiple factors

The lifting algorithm generalizes in a straightforward way to the case when is a product of more than two factors. This time, we wish to recover a factorization from , assuming that (hence ) are pairwise coprime.

Remark 6.7. More precisely, we compute using binary powering and from using dense bivariate -th root extraction, for . As an optimization, we may first sort the factors of such that and then compute using exact division.

Theorem 6.8. Let , , , and . Then Algorithm 6.2 runs in time

and returns the correct result with probability at least

Proof. The proof is similar to that of Algorithm 6.1. Assume now that we correctly recovered and let us investigate the probability that the results are correct. To apply the Hensel lifting method from Section 4.3, the following three conditions must be satisfied for :

1. are pairwise coprime;

2. We have ;

3. We have .

The analysis is similar as in the proof of Theorem 6.5, except that (6.1) now becomes

and the probability that vanishes for one of the substitutions is now bounded by , since . Using the fact there are recursive levels, this completes the probabilistic correctness proof.

For the cost analysis, we again start by analyzing the cost of the algorithm without the recursive calls:

• The evaluation of the factors on the geometric sequence can be done in time .

• The computation of the and takes operations.

• The powers can be obtained in time , using binary powering.

• The Hensel lifting is done using Proposition 4.4 instead of Proposition 4.3, which contributes to the cost.

• The bivariate root extractions take operations, by Proposition 4.2.

• The recovery of the from the using sparse interpolation requires operations.

Summing these costs and multiplying with the recursive depths yields the desired complexity bound.

Example 6.9. There are cases when the recursive application of Algorithm 6.1 may lead to intermediate expression swell. For instance, for and , consider the polynomials

and note that has terms, whereas has only terms. Now consider

Then a direct factorization of into irreducibles can be done in time , whereas recursively factoring out and then may lead us to consider intermediate expressions like of size .

Remark 6.10. The ideas behind Algorithm 6.2 can readily be adapted to -adic lifting, in order to factor a polynomial with rational coefficients. In that case, we start with a factorization of for some sufficiently large prime . The goal is to lift this into a factorization of for some sufficiently large and then to recover a factorization of using rational number reconstruction [31, Section 5.10]. The relevant analogues of and are and , where the prime number plays a similar role as the formal indeterminate . The bivariate Hensel lifting in is replaced by traditional univariate Hensel lifting in .

6.4.Irreducible factorization

In lucky cases, given an irreducible factorization , random choices of give rise with high probability to an irreducible factorization . For such , we may use the following algorithm to compute its irreducible factorization:

Theorem 6.11. Let , , , and . Then Algorithm 6.3 runs in time

and returns the correct result (when no exception is raised) with probability at least

Proof. This follows from Theorems 6.8, 4.7, and Lemma 6.2.

Remark 6.12. We have seen in Section 5.4 that the size of the content of a multivariate polynomial can be much larger than the size of the polynomial itself, in pathological cases. In such cases, we may wish to avoid content-free factorization as a first step of a general algorithm for irreducible factorization. This can be achieved by adapting Algorithm 6.2 so as to factor out the content in at the top-level and performing the recursive call and bivariate lifting to instead of . Incorporating the content-free factorization directly into the main algorithm in this way yields a similar complexity bound as in Theorem 6.11, but with instead of .

Remark 6.13. An alternative approach for reducing to the content-free case, which also works for the algorithms from Section 7 below, is to tag according to a regularizing weight . This has the advantage of “exposing” the entire factorization of with respect to the tagging variable . Of course, this requires to replace the degree in the complexity bound by .

Remark 6.14. The problem from Remark 6.3 can be partially remedied by amending the bivariate lifting step: instead of raising an error when , we may continue the Hensel lifting to a higher precision (the are now power series in ) and determine which factors need to be combined in order to obtain a factorization of (using the techniques from [71]). Doing this for all leads to a finest partition of such that is a polynomial factor of for and . We next apply the sparse interpolation to the polynomials instead of the series . This may require more than interpolation points, so we also double until the interpolation step succeeds. Combined with Remark 6.12, this yields to an algorithm of complexity

where is the maximal size of an irreducible factor of for .

Unfortunately, we have not yet been able to perform a clean probabilistic analysis for this method. Indeed, we still need to prove that the algorithm terminates in reasonable expected time for irreducible polynomials. Now consider the example

(6.2)

for which we obtain

Whenever with and is a square in , the projected polynomial is not irreducible. In principle, this only happens with probability , so this is unlikely to happen for all values of . However, we were unable so far to prove a general bound. We also note that this probabilistic argument is different from traditional Hilbert–Bertini style arguments [97, Section 6.1]; see also [71] and [72, Chapître 6].

Remark 6.15. Another way to turn Algorithm 6.3 into a method that always succeeds with high probability would be to apply random monomial transformation to . For instance, after the change of variables , , , we have

for the polynomial from example (6.2). With high probability, Algorithm 6.3 returns the correct irreducible factorization of after this rewriting.

7.Factoring using projective Hensel lifting

The iterative approach from Sections 3.1 and 6 has the disadvantage of introducing a dependence on the dimension in the complexity bounds. In the case of gcd computations, the idea of regularizing weights allowed for the more direct approach in Section 3.2.

Unfortunately, direct adaptations of this approach to factorization only work in very special cases, because it is unclear how to recombine the factors found at different evaluation points. One notable exception is when factors, say, into two irreducible factors of degrees one and two in one of the variables; in that case, we can recombine based on degree information.

In this section, we will develop another “direct” approach for the factorization of that avoids iteration on the dimension . Except for precomputations in the algorithm from Section 7.7, the algorithms in this section do not rely on regularizing weights, but exploits more subtle properties of the Newton polytope of . We will present three versions of our approach in order to deal with Newton polytopes of increasing complexity. For simplicity, we only present them in the case when is the product of two factors. As we shall see in Section 7.6, even the last and most elaborate version of our approach is not fully general. We will conclude with a theoretical variant that is less efficient in practice, but which has the advantage of providing a full algorithm for the computation of irreducible factorizations.

7.1.A favorable special case

Assume that the unique factorization of contains exactly two factors

(7.1)

where are irreducible and distinct and both depend on the “main” variable, say, . In particular, this implies that is content-free and square-free. Assume also that the following conditions hold:

H1

.

H2

and are coprime.

Note that H1 allows us to normalize the factorization

by requiring that is monic. From now on we will always assume that we have done this.

Under these assumptions, we claim that and can be computed from and using Hensel lifting and sparse interpolation. In order to see this, let be an admissible ratio or an FFT ratio. For each , we define bivariate polynomials by

Then and are coprime and we have . This allows us to compute and from , , and using Hensel lifting. For sufficiently large , with , we may then use sparse interpolation to recover from or from . This leads to the following algorithm:

Theorem 7.1. Let , , , , and . Then Algorithm 7.1 is correct with probability at least and runs in time

Proof. The correctness is clear. Let us analyze the cost of the main steps of the algorithm:

• The computation of the takes operations.

• The Hensel lifting has a total cost of .

• The sparse interpolation of (or ) takes operations.

• The sparse polynomial division to recover (or ) requires operations.

Adding up these costs, the complexity bound follows. The algorithm is correct as long as the final division succeeds, which is the case with probability at least .

7.2.Single slope bivariate Hensel lifting

The assumptions H1 and H2 are fairly strong: they are never satisfied both if is a homogeneous polynomial. Now the assumptions H1 and H2 essentially allow us to perform the bivariate Hensel lifting using the method from Section 4.3. The problem that we face in order to extend the approach from Algorithm 7.1 is that random shifts are not allowed for the bivariate Hensel lifting from Section 4.3: we only have an efficient algorithm to compute and are given, not and .

Instead, we need a way to generalize the algorithm from Section 4.3 to the case when the Newton polygon of is non-trivial. In this subsection, we start with the simplest “single slope” case. Since this material is a supplement to Section 4.3, we adopt the notation from there.

Assume that has a non trivial factorization with . We define the Newton polygon of to be the “lower border” of its Newton polytope:

It is the union of a finite number of edges between with , , and . For each edge , there is a corresponding weight such that .

Assume that has a single edge, let , and let and be coprime such that . Now consider

Then and . Moreover, , and we have similar expressions for and . If and are known and if their transforms and are coprime, then this enables us to compute and by applying the Hensel lifting method from Section 4.3 to , , and .

7.3.Single slope factorization

Let us now return to the factorization problem from Section 7.1 and let us show how to generalize Algorithm 7.1 using the material from the previous subsection.

Let and let be the lower boundary of its convex hull. With high probability, we have and , for any given . The last edge of joins the points and for with . Let with and , where , , and . Now consider the assumptions

H1'

.

H2'

and are coprime.

The hypotheses H1 and H2 correspond to the special case when . If and are known (e.g. through the recursive factorization of if is not -homogeneous), then the algorithm from Section 7.2 allows us to Hensel lift the factorization into a factorization . This leads to the following generalization of Algorithm 7.1:

Theorem 7.2. Let , , , , and . Then Algorithm 7.2 is correct with probability at least and runs in time

Proof. The proof is similar to the proof of Theorem 7.1. The main change is that the generalized algorithm also requires the evaluations of and on our sequence. This takes additional operations, which is absorbed by the complexity bound.

Note that the assumptions H1' and H2' are actually slightly more liberal than the statement that the Newton polygon should have a single edge. For this reason, Algorithm 7.2 is very likely to apply as soon as there exists a variable for which is small (of course, we may then assume modulo a permutation of variables). This in particular the case when , unless is not square-free (one may need to replace and multiply with ). Note that a single “good” variable suffices.

Remark 7.3. Both Algorithms 6.2 and 7.2 involve recursive factorizations of polynomials in less variables. However, the supports of the recursive calls are obtained through projection for Algorithm 6.2 and through restriction for Algorithm 7.2. The second case is often more favorable in the sense that the recursive supports decrease faster in size.

Remark 7.4. Consider the case when and . Then coincides with , so the requested factorization of is not simpler than the desired factorization of . This is due to the fact that the exponents of all lie in a linear subspace of . In particular, the degree in of any term of can be determined as a function of the degrees of the other variables. In particular, we may recover a factorization of from a factorization of . Using a straightforward induction on , this allows us to ensure that has strictly less terms than .

7.4.Multiple slope bivariate Hensel lifting

As soon as , it can happen that every factor of has a Newton polygon with at least two edges. In order to deal with this situation, the algorithm from Section 7.2 may be further generalized to accommodate Newton polygons with multiple slopes. In order to explain how, we again adopt the notation from Sections 4.3 and 7.2.

So assume that and , that has an arbitrary number of edges, and that and are known for each edge . Assume also that and are coprime for , where is the normalization mapping with . We will say that is a coprime edge factorization of . The aim of this subsection is to lift these factorizations efficiently into the global factorization .

It is well known that a variant of the Newton polygon method can be used in order to factor over the ring of Laurent series. An efficient algorithm for this task was described in [52]. One important subtask is distinct slope factorization: each edge gives rise to a unique monic factor of such that for , , and the natural generalization of the notation to . The methods from [52] allow for the efficient computation of the : it takes time to compute at order for .

Now for each , the known factor of induces a factor of that can be Hensel lifted into the factor of , by adapting the techniques from Section 4.3 to Laurent series coefficients. For some , we then have . We may determine in a similar way as in Section 4.3. The other factor can be obtained using one bivariate division. The total cost of this method to compute and is bounded by .

7.5.Multiple slope factorization

We are now in a position to generalize Algorithm 7.2 to the case when the bivariate Hensel lifting is done using the multiple slope method from the previous subsection. The general algorithm is fairly technical, so we found it more instructive to illustrate the main ideas on an example. Let

For generic , consider , , and . Then

whence is the closed triangle with vertices , , and . Its lower boundary consists of the edge from to and the edge from to , which correspond to the weights and respectively. The generalized algorithm starts with the recursive factorizations of and , which yields

However, these factorizations do not tell us from which factors of they originate: the factorization of could have been of the form , with and . In order to obtain the correct matches, the next idea is to consider the bivariate factorization of for some sufficiently generic values of and . For instance, for and , we obtain

From these computations, we deduce that the factor of comes from the same factor of as the factor of . We say that we have managed to match the factors and of the different slopes. In other words, if is a non-trivial factor of , then, up to constant scaling, we now know that either or .

For any and , let . Having completed the above matching, we may now use the lifting algorithm from Section 7.4 to deduce and from , , , , and . Doing this for sufficiently many , we may finally recover and using sparse interpolation.

7.6.A torture example

The approach from Section 7.5 is fairly general. However, as we will show now, it is possible to construct pathological examples that can still not be treated with this method.

Example 7.5. Consider a polynomial and a monomial such that lies in the interior of the Newton polytope . For instance, we may take

Now consider

for pairwise distinct . This polynomial cannot be factored using the techniques from this section, so far.

7.7.Factor matching through homotopies

In fact, it is not so much the factorization of the bivariate polynomials that is a problem: instead of Hensel lifting, we may very well rely on Theorem 4.7 (this only increases the exponent in in Theorems 7.1 and 7.2, which is subdominant anyway if ). The true problem is matching corresponding factors of for different , especially in the most difficult cases like Example 7.5. We conclude this section with an approach that completely solves this problem, modulo a polynomial overhead in .

Let , , be random elements of and let be new indeterminates. We define

(7.2)

For , we also define

If is irreducible, then is irreducible with high probability, by Theorem 1.1, and so are and . For general , this also means that the factors of , , and are in effective one to one correspondence, with high probability. Moreover, by construction,

Using this relation, we may therefore match corresponding factors of and with high probability.

Having solved the matching problem, we still need to ensure that the factorizations of the are normalized in a suitable way such that we can recover the factors of using sparse interpolation. For this, let be a regularizing weight for with . Let be yet another indeterminate and consider

By construction, any factor of has leading coefficient with respect to , for some , , and some monomial . Thus, any such factor can be normalized by dividing out the constant in . Now consider the unique factorization of into a product of normalized factors times a non-zero scalar in . This yields a factorization of by setting .

The factorization of can be lifted to the factorization of , which is, in turn, lifted to the factorization of , and so on. An irreducible factorization of is recovered via interpolation from the factorizations of for sufficiently large . Finally, to obtain a factorization of from a factorization of , we can set , and apply the map .

This leads to the following algorithm:

Theorem 7.6. Let , , , and . Assume that or . Then Algorithm 7.3 runs in time

and succeeds with probability at least .

Proof. We factor as a dense polynomial in four variables of degree (after division by a suitable power of ) using the algorithm from [69, Proposition 5]. This requires operations in and the probability of success is at least .

Let be an irreducible factorization of . By our assumption on the characteristic, the factors are all separable. We will apply [72, Théorème 6.9] for each of the points in our geometric progression. By using Corollary 2.2 instead of the Schwartz-Zippel lemma in the proof of [72, Théorème 6.9], we deduce that the specializations , , and thus are irreducible for and , with probability at least . Under this assumption, and modulo reordering the factors, the computed are of the form for suitable scaling factors that do not depend on . The check whether the computed factorization of is correct reports a false positive with probability at most , by Remark 2.4 or the Schwarz-Zippel lemma.

Let us now analyze the complexity. We first observe that , since when consists of a single monomial of total degree . Using [2, Theorem 5] in a recursive manner, we may compute from in time . We saw above that the factorization of requires at most operations in . The computation of the specializations for requires further operations. The Hensel lifting of the can be done in time using Proposition 4.4 and evaluation-interpolation in the remaining variable. The Hensel lifts succeed with probability at least . Adding up, we obtain the desired complexity bound, as well as the claimed bound for the probability of success.

Remark 7.7. Due to the overhead, Algorithm 7.3 is mainly of theoretical interest. It is plausible that (7.2) can be replaced by a less, but still sufficiently, generic formula. This would reduce the overhead in . In practice, one may use Algorithm 7.3 as a last resort, in the unlikely case that all other strategies from Sections 6 and 7 fail.

Bibliography