Overview of Modular Methods
J. Abbott, Universität Kassel
http://cocoa.dima.unige.it/
Modular Methods, IITGN, Feb 2016
What are Modular Methods?
Given two polynomials $f, g \in \mathbb{Z}[x]$, compute $h = \gcd(f, g) \in \mathbb{Z}[x]$.
Direct computation by Euclid's Algorithm is often slow:
- using pseudo-remainders produces large coefficients
- using $\mathbb{Q}$ coefficients requires rational normalization
- the subresultant algorithm is faster but more complicated
In contrast: Euclid's Algorithm works well in $\mathbb{F}_p[x]$.
Idea:
- Pick a prime $p$.
- Compute $\bar h = \gcd(\bar f, \bar g) \in \mathbb{F}_p[x]$.
- Reconstruct $h$ from the modular gcd $\bar h$.
What are Modular Methods? (cont’d)
Two big questions:
- Which prime(s) to use?
- How to "reconstruct" the correct answer?
The ring homomorphism $\phi_N : \mathbb{Z} \to \mathbb{Z}/\langle N \rangle$ is not invertible.
But suppose we knew a bound $B$ for the coefficients of $h$: namely $|h|_\infty \le B$, or equivalently $-B \le c_i \le B$ for every coefficient $c_i$.
And suppose that $N > 2B$ ... Now can we reconstruct $h$ from $\bar h$?
What are Modular Methods? (cont’d)
No!! We need to avoid bad primes, where $\bar h$ does not "look like" $h$.
Example (A): $f = g = 3x + 1$ and $p = 3$; then $\gcd(\bar f, \bar g) = 1$.
Example (B): $f = x + 1$ and $g = 4x + 1$ and $p = 3$; then $\gcd(\bar f, \bar g) = x + 1$.
Bad primes of type (A) are easy to recognize: they divide $\mathrm{LC}(f)$ or $\mathrm{LC}(g)$. We exclude such primes from now on.
What are Modular Methods? (cont’d)
Bad primes of type (B) are not easy to recognise. We can nevertheless recognize relatively bad primes:
Let $\bar h_1$ be the gcd modulo prime $p_1$, and let $\bar h_2$ be the gcd modulo prime $p_2$.
If $\deg(\bar h_1) > \deg(\bar h_2)$ then surely $p_1$ is bad.
By considering the rank of a suitable Sylvester matrix we can say: there are only finitely many bad primes.
How many primes? What size?
Suppose we have a bound $B$ for the coefficients of the gcd: $|h|_\infty \le B$.
We could use either
- one big prime $p > 2B$, or
- many small primes $p_1, \ldots, p_s$ and use Chinese Remaindering, or
- one small prime $p$ and use Hensel Lifting.
Notes: Chinese Remaindering works well in a parallel context; it is also helpful for detecting bad primes.
How many primes? What size?
Just how big can the gcd $h$ be? It is easy to get a degree bound for $h$, but what about the coefficients?
"Rare" example: a gcd with big coefficients: $\gcd(x^3 - x^2 - x + 1,\; x^4 - x^3 - x + 1) = x^2 - 2x + 1$
- many results about the size of coefficients of factors in $\mathbb{C}[x]$
- all known bounds are very pessimistic for factors in $\mathbb{Z}[x]$
Summary: we can compute a bound $B$ but it is annoyingly large.
Scalar factors
Still one important detail to settle: scalar factors. The gcd in $\mathbb{F}_p[x]$ is defined only up to a scalar factor. We want to ensure that $\bar h = \phi_p(h)$ for every good prime $p$.
Idea: ensure that $\mathrm{LC}(\bar h) = \phi_p(\mathrm{LC}(h))$. We do not know the value of $\mathrm{LC}(h)$, but it surely divides $\gcd(\mathrm{LC}(f), \mathrm{LC}(g))$.
Choose the modular gcd so that $\mathrm{LC}(\bar h) = \phi_p(\gcd(\mathrm{LC}(f), \mathrm{LC}(g)))$; reconstruct a "small" scalar multiple of $h \in \mathbb{Z}[x]$. Note: must increase $B$ by the same scalar factor!
Rational Recovery
An alternative way to scale: make the gcd monic. This means that $\gcd(f, g) \in \mathbb{Q}[x]$, i.e. the coefficients are rational numbers. We can easily extend $\phi_p : \mathbb{Q} \cap \mathbb{Z}_{\langle p \rangle} \to \mathbb{Z}/\langle p \rangle$. How to invert it?
Rational Reconstruction:
- originally by Wang, Guy, Davenport
- refined by Collins, Encarnacion
- uses Continued Fractions, equivalently Euclid's Algorithm
- it can fail: no such rational number exists
New bound for the modulus: to reconstruct $p/q \in \mathbb{Q}$, assume we know bounds $P \ge |p|$ and $Q \ge q$; then require the modulus $N > 2PQ$.
There is also vector rational reconstruction by Bright and Storjohann.
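Rational reconstruction by Euclid's Algorithm with the bound $N > 2PQ$, as an added Python example that is not code from the talk or from CoCoA; the residues and bounds in its test are constructed, and `reconstruct_coeffs` is an assumed helper that applies it coefficientwise to a monic gcd.

```python
# Added example (not from the talk): rational reconstruction by the extended
# Euclidean algorithm (the Wang / Guy / Davenport approach). Given r ≡ p/q (mod N)
# and bounds P >= |p|, Q >= q with N > 2PQ, recover p/q, or report that no such
# rational exists. reconstruct_coeffs (assumed helper) applies it to a monic gcd's residues.
from fractions import Fraction
from math import gcd

def rational_reconstruct(r, N, P, Q):
    """Return Fraction p/q with |p| <= P, 0 < q <= Q and q*r ≡ p (mod N), else None."""
    assert N > 2 * P * Q, "modulus too small for a unique answer"
    r0, r1 = N, r % N          # invariant: r_i ≡ t_i * r (mod N)
    t0, t1 = 0, 1
    while r1 > P:              # run Euclid until the remainder is within the numerator bound
        k = r0 // r1
        r0, r1 = r1, r0 - k * r1
        t0, t1 = t1, t0 - k * t1
    p, q = (r1, t1) if t1 > 0 else (-r1, -t1)   # normalise the denominator to be positive
    if q == 0 or q > Q or gcd(p, q) != 1:       # failure: no rational within the bounds
        return None
    return Fraction(p, q)

def reconstruct_coeffs(residues, N, P, Q):
    """Coefficientwise reconstruction of a monic gcd's rational coefficients; None if any fails."""
    out = [rational_reconstruct(c, N, P, Q) for c in residues]
    return None if None in out else out
```

With $N = 101$ and $P = Q = 7$ the residue 45 has no fraction within the bounds, which is the failure case the slide mentions.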
Final Verification
If the prime(s) we used were good then the reconstructed polynomial is $h$; it is easy to sort out the matter of the scalar multiple. But how do we know the primes were good? What if all the primes we tried were bad? We must verify the result: check that the reconstructed $h$ actually divides both $f$ and $g$.
In practice...
Theory and practice... Since we have to verify the result anyway, and since all known bounds are very pessimistic, we ignore the coefficient bound and attempt reconstruction every few primes until success. How often to attempt reconstruction? We "watch" one coefficient until it stabilizes, then try a full reconstruction.
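The whole pipeline of the preceding slides (gcd in $\mathbb{F}_p[x]$, skipping type (A) primes, catching type (B) primes by degree comparison, LC scaling by $\gcd(\mathrm{LC}(f), \mathrm{LC}(g))$, Chinese Remaindering, final verification by division), as an added Python example that is not code from the talk or from CoCoA. It attempts reconstruction after every prime instead of watching one coefficient, and its polynomial inputs are constructed.

```python
# Added example, not the talk's code: modular gcd in Z[x] with several small primes, CRT into the
# symmetric range, bad-prime detection by degree, LC scaling by gcd(LC(f), LC(g)), verification.
from math import gcd

def trim(a):                                 # drop leading zero coefficients (index = degree)
    while a and a[-1] == 0: a.pop()
    return a
def polymod_p(a, b, p):                      # remainder of a modulo b in F_p[x]
    a, b = [c % p for c in a], trim([c % p for c in b])
    inv = pow(b[-1], -1, p)
    for i in range(len(a) - len(b), -1, -1):
        q = a[i + len(b) - 1] * inv % p
        for j, bc in enumerate(b): a[i + j] = (a[i + j] - q * bc) % p
    return trim(a)

def gcd_mod_p(f, g, p, lc):                  # Euclid in F_p[x], scaled so LC = lc mod p
    a, b = trim([c % p for c in f]), trim([c % p for c in g])
    while b: a, b = b, polymod_p(a, b, p)
    s = lc * pow(a[-1], -1, p) % p
    return [c * s % p for c in a]

def symmetric(c, m):                         # representative of c mod m in (-m/2, m/2]
    c %= m
    return c - m if c > m // 2 else c
def crt_lift(h1, m1, h2, p):                 # coefficientwise CRT: h ≡ h1 mod m1, h ≡ h2 mod p
    inv = pow(m1, -1, p)
    return [symmetric(c1 + m1 * ((c2 - c1) * inv % p), m1 * p) for c1, c2 in zip(h1, h2)]
def divides(h, f):                           # exact division test in Z[x]
    f = f[:]
    for i in range(len(f) - len(h), -1, -1):
        q, r = divmod(f[i + len(h) - 1], h[-1])
        if r: return False
        for j, hc in enumerate(h): f[i + j] -= q * hc
    return not any(f)

def modular_gcd(f, g, primes):
    lc, cont = gcd(f[-1], g[-1]), gcd(*f, *g)   # LC scaling factor and content of the inputs
    H = M = None
    for p in primes:
        if f[-1] % p == 0 or g[-1] % p == 0: continue   # type (A) bad prime: divides an LC
        hp = gcd_mod_p(f, g, p, lc)
        if H is None or len(hp) < len(H):    # lower degree: earlier primes were bad, restart
            H, M = [symmetric(c, p) for c in hp], p
        elif len(hp) > len(H): continue      # higher degree: this prime is bad, skip it
        else: H, M = crt_lift(H, M, hp, p), M * p
        g0 = gcd(*H) if H[-1] > 0 else -gcd(*H)
        cand = [c // g0 for c in H]          # primitive part with positive LC fixes the scalar
        if divides(cand, f) and divides(cand, g): return [cont * c for c in cand]   # verified
    return None
```

On the slide's Example (B) the prime 3 yields $x + 1$, which fails verification, and the prime 5 yields a lower degree, so the earlier result is discarded.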
Coefficient Field Extensions
Coefficients in Algebraic Extensions: we can use a similar approach for gcds in $\mathbb{Q}(\alpha, \beta, \ldots)[x]$.
- map coefficients into $\mathbb{Z}/\langle p \rangle(\alpha, \beta, \ldots)$, which is probably not a field!
- map coefficients into $\mathbb{Z}/\langle p \rangle(\bar\alpha, \bar\beta, \ldots)$
  - for $\mathbb{Z}[\alpha]$ solved by Lenstra using LLL lattice reduction
  - generalized to $\mathbb{Q}(\alpha, \beta, \ldots)$ by Abbott
Hensel Lifting: p-adic Integers
Quick reminder of p-adic integers. Recall the p-adic norm $|a|_p = p^{-\nu}$ where $p^\nu \,\|\, a$. $\mathbb{Z}_p$ is the completion of $\mathbb{Z}$ with respect to the norm $|\cdot|_p$.
Elements of $\mathbb{Z}_p$ are formal power series in $p$: $\alpha = a_0 p^0 + a_1 p^1 + a_2 p^2 + \cdots$
Note that $\alpha \bmod p^k$ is a formal polynomial in $p$: $\alpha \bmod p^k = a_0 p^0 + a_1 p^1 + \cdots + a_{k-1} p^{k-1}$
$\alpha \bmod p^k$ is a "good" $k$-th order approximation to $\alpha$: $|\alpha - (\alpha \bmod p^k)|_p \le p^{-k}$
Hensel Lifting: outline
Let $f \in \mathbb{Z}[x]$ and let $p$ be a prime not dividing $\mathrm{LC}(f)$. Suppose $\phi_p(f) = \bar g \bar h \in \mathbb{Z}/\langle p \rangle[x]$ where $\gcd(\bar g, \bar h) = 1$. Then by Hensel Lifting we can obtain a better factorization: $f \equiv \bar g^{(k)} \bar h^{(k)} \in \mathbb{Z}/\langle p^k \rangle[x]$ for any $k \in \mathbb{N}$.
- linear lifting goes from $\mathbb{Z}/\langle p^k \rangle$ to $\mathbb{Z}/\langle p^{k+1} \rangle$
- quadratic lifting goes from $\mathbb{Z}/\langle p^k \rangle$ to $\mathbb{Z}/\langle p^{2k} \rangle$
Hensel lifting can be applied in several contexts (same principle, different details).
Hensel Lifting a Factorization
Lifting a factorization, main step: let $f \in \mathbb{Z}[x]$ be monic and let $p$ be a prime, and suppose $f \equiv g_1 h_1 \bmod p^1$ with $\gcd(g_1, h_1) = 1$. Since $\mathbb{Z}/\langle p \rangle[x]$ is a PID, there exist $\hat g, \hat h \in \mathbb{Z}/\langle p \rangle[x]$ such that
$\hat g\, g_1 + \hat h\, h_1 = 1$ in $\mathbb{Z}/\langle p \rangle[x]$.
Set $\Delta = (f - g_1 h_1)/p^1 \in \mathbb{Z}[x]$. Set $\Delta_g = \hat h \Delta \bmod g_1 \in \mathbb{Z}/\langle p \rangle[x]$ and $\Delta_h = \hat g \Delta \bmod h_1 \in \mathbb{Z}/\langle p \rangle[x]$.
Now $f \equiv g_2 h_2 \bmod p^2$ where $g_2 = g_1 + p^1 \Delta_g$ and $h_2 = h_1 + p^1 \Delta_h$. Repeat until $f \equiv g_k h_k \bmod p^k$.
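The same lifting step in the simpler root-lifting context (one of the "several contexts" of the outline slide): the defect $\Delta = f(a)/p^j$ is corrected using an inverse modulo $p$ and added back as $p^j$ times the correction, exactly as $g_2 = g_1 + p\,\Delta_g$ above. This is an added Python example, not code from the talk; both linear and quadratic lifting are shown, and the polynomial $x^2 - 2$ over $\mathbb{Z}_7$ in the test is a constructed input.

```python
# Added example (not from the talk): Hensel lifting in the root-lifting context,
# which uses the same Δ-correction step as the factorization lift on the slide.
# Linear lifting adds one p-adic digit per step (Z/<p^j> -> Z/<p^(j+1)>); quadratic
# lifting is a Newton step that doubles the precision (Z/<p^j> -> Z/<p^(2j)>).
def poly_eval(f, x, m):                      # f(x) mod m, f as int list with index = degree
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % m
    return acc

def derivative(f):
    return [i * c for i, c in enumerate(f)][1:]

def hensel_linear(f, a, p, k):
    """Lift a simple root a of f mod p (f'(a) nonzero mod p) to a root mod p^k, one digit at a time."""
    inv = pow(poly_eval(derivative(f), a, p), -1, p)   # f'(a)^{-1} mod p, reused in every step
    pj = p
    for _ in range(1, k):
        delta = poly_eval(f, a, pj * p) // pj           # Δ = f(a)/p^j, exact since f(a) ≡ 0 mod p^j
        a += pj * (-delta * inv % p)                    # a_{j+1} = a_j + p^j * Δ_a, like g2 = g1 + p Δg
        pj *= p
    return a % pj

def hensel_quadratic(f, a, p, k):
    """Quadratic (Newton) lifting of a simple root a of f mod p to a root mod p^k."""
    m = p
    while m < p ** k:
        m = min(m * m, p ** k)
        fa, dfa = poly_eval(f, a, m), poly_eval(derivative(f), a, m)
        a = (a - fa * pow(dfa, -1, m)) % m              # f'(a) is a unit mod m since it is one mod p
    return a % m

def p_adic_norm(alpha, p):
    """|alpha|_p = p^(-v) where p^v exactly divides alpha; |0|_p = 0."""
    if alpha == 0:
        return 0.0
    v = 0
    while alpha % p == 0:
        alpha //= p
        v += 1
    return p ** (-v)
```

Since a simple root has a unique lift, the linear and quadratic routines return the same value, and the lift to $p^5$ agrees with the lift to $p^2$ modulo $p^2$, giving $|a_5 - a_2|_p \le p^{-2}$ as on the p-adic slide.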
Factorization Picture
Z[x] Factorization Picture:

    f ∈ Z[x]                                          f = f_1 f_2 ··· f_r ∈ Z[x]
        |  reduce mod p                                   ^  recombine
        v                                                 |
    f ≡ g_1 g_2 ··· g_s mod p   -- Hensel lift -->   f ≡ G_1 G_2 ··· G_s mod p^k

Note: for some polynomials (e.g. $x^4 + 1$) all primes are bad!
GCD of Multivariate Polynomials
Let $f \in k[x, y]$, and let $a \in k$. Observe that evaluating $y \mapsto a$ is just $k[x, y] \to k[x, y]/\langle y - a \rangle$.
- if $k$ is a finite field, all choices of $a$ may be bad
- Hensel lift all variables together
- Hensel lift the variables one at a time
  - new problem: loss of sparsity
- Lagrange interpolation
- Zippel's Algorithm
- sparse polynomial interpolation (de Prony, Ben-Or & Tiwari)
- ad hoc tricks exploiting sparsity
Fault-tolerant Rational Reconstruction
Let $a = p/q \in \mathbb{Q}$, and suppose we have residue-modulus pairs $(r_i, m_i)$ satisfying $q r_i \equiv p \pmod{m_i}$ for most indices $i$. Some of the residues may be wrong. We can still reconstruct $a$:
- using continued fractions (Abbott, generalizes WGD)
- using lattice reduction (Böhm, Decker, Fieker, Pfister)
New relationship between the combined modulus and the bounds: $M / M_{\mathrm{bad}}^2 > 2PQ$.
Useful when bad primes cannot be recognized (e.g. implicitization).
The End