Overview of Modular Methods http://cocoa.dima.unige.it/ J. Abbott - - PowerPoint PPT Presentation

SLIDE 1

Overview of Modular Methods

http://cocoa.dima.unige.it/

J. Abbott

Universität Kassel

Modular Methods IITGN, Feb 2016 1 / 19

slide-2
SLIDE 2

What are Modular Methods?

Given two polynomials f, g ∈ Z[x], compute h = gcd(f, g) ∈ Z[x]

  • direct computation by Euclid’s Algorithm is often slow
  • using pseudo-remainder produces large coefficients
  • using Q coefficients requires rational normalization
  • subresultant algorithm faster but more complicated

In contrast: Euclid’s Algorithm works well in Fp[x]

Idea: Pick a prime p. Compute h̄ = gcd(f̄, ḡ) ∈ Fp[x]. Reconstruct h from the modular gcd h̄.

SLIDE 3

What are Modular Methods? (cont’d)

Two big questions:

  • Which prime(s) to use?
  • How to “reconstruct” the correct answer?

The ring homomorphism φN : Z → Z/N is not invertible.

But suppose we knew a bound B for the coefficients of h: namely |h|∞ ≤ B, or equivalently −B ≤ ci ≤ B for every coefficient ci. And suppose that N > 2B . . . Now can we reconstruct h from h̄?

SLIDE 4

What are Modular Methods? (cont’d)

No!! We need to avoid bad primes, where h̄ does not “look like” h.

  • Example (A): f = g = 3x + 1 and p = 3; then gcd(f̄, ḡ) = 1
  • Example (B): f = x + 1 and g = 4x + 1 and p = 3; then gcd(f̄, ḡ) = x + 1

Bad primes of type (A) are easy to recognize: they divide LC(f) or LC(g). We exclude such primes from now on.

SLIDE 5

What are Modular Methods? (cont’d)

Bad primes of type (B) are not easy to recognize. We can nevertheless recognize relatively bad primes:

  • Let h̄1 be the gcd modulo prime p1, and let h̄2 be the gcd modulo prime p2.
  • If deg(h̄1) > deg(h̄2) then surely p1 is bad.

By considering the rank of a suitable Sylvester matrix we can say: there are only finitely many bad primes.

SLIDE 6

How many primes? What size?

Suppose we have a bound B for the coefficients of the gcd: |h|∞ ≤ B

We could use either

  • one big prime p > 2B
  • or many small primes p1, . . . , ps and use Chinese Remaindering
  • or one small prime p and use Hensel Lifting.

Notes: Chinese Remaindering works well in a parallel context; also helpful for detecting bad primes.

SLIDE 7

How many primes? What size?

Just how big can the gcd h be? It is easy to get a degree bound for h, but what about the coefficients?

“Rare” example: gcd with big coefficients

  gcd(x^3 − x^2 − x + 1, x^4 − x^3 − x + 1) = x^2 − 2x + 1

  • many results about size of coeffs of factors in C[x]
  • all known bounds are very pessimistic for factors in Z[x]

Summary: we can compute a bound B but it is annoyingly large.

SLIDE 8

Scalar factors

Still one important detail to settle: scalar factors. The gcd in Fp[x] is defined up to a scalar factor. We want to ensure that h̄ = φp(h) for every good prime p.

Idea: ensure that LC(h̄) = φp(LC(h)).

  • We do not know the value of LC(h), but it surely divides gcd(LC(f), LC(g))
  • Choose the modular gcd so that LC(h̄) = φp(gcd(LC(f), LC(g))); reconstruct a “small” scalar multiple of h ∈ Z[x].

Note: must increase B by the same scalar factor!

SLIDE 9

Rational Recovery

An alternative way to scale: make the gcd monic. This means that gcd(f, g) ∈ Q[x] ← the coeffs are rational numbers.

We can easily extend φp : Q ∩ Zp → Z/p. How to invert it?

Rational Reconstruction

  • originally by Wang, Guy, Davenport
  • refined by Collins, Encarnacion
  • uses Continued Fractions, equiv. Euclid’s Algorithm
  • it can fail: no such rational number exists

New bound for modulus: to reconstruct p/q ∈ Q, assume we know bounds P ≥ |p| and Q ≥ q; require the modulus N > 2PQ.

There is also vector rational reconstruction by Bright and Storjohann.
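A worked example added here (my own code, not from the slides or from CoCoA): rational reconstruction by the extended Euclidean algorithm, which walks the continued-fraction convergents of r/N and stops at the first remainder within the numerator bound, using the slide's condition N > 2PQ for uniqueness and returning None in the “it can fail” case. The forward map φ_N on a rational and the coefficient-by-coefficient variant for a monic modular gcd are included. The function names and the sample values (−5/7 modulo 71, 2/3 modulo 101, the failing residue 5 modulo 13) are my choices, not the deck's.

```python
from math import gcd

# Added example, not from the slides.  Rational reconstruction in the style
# of Wang / Guy / Davenport: extended Euclid on (N, r) until the remainder
# fits the numerator bound, then check the denominator bound.

def rational_mod(num, den, N):
    """φ_N on Q ∩ Z_(N): num/den maps to num * den^{-1} mod N (den a unit mod N)."""
    return num * pow(den, -1, N) % N

def rational_reconstruct(r, N, P, Q):
    """Recover p/q from r ≡ p/q (mod N), given bounds P ≥ |p| and Q ≥ q.

    Requires N > 2PQ (the slide's bound), which makes the answer unique.
    Returns (p, q) with gcd(p, q) == 1 and q > 0, or None when no rational
    within the bounds has residue r."""
    if N <= 2 * P * Q:
        raise ValueError("modulus too small: need N > 2PQ")
    r0, r1 = N, r % N          # invariant: r_i ≡ t_i * r (mod N)
    t0, t1 = 0, 1
    while r1 > P:              # each step is one continued-fraction convergent
        quo = r0 // r1
        r0, r1 = r1, r0 - quo * r1
        t0, t1 = t1, t0 - quo * t1
    if t1 < 0:                 # normalise to a positive denominator
        r1, t1 = -r1, -t1
    if t1 == 0 or t1 > Q or gcd(r1, t1) != 1:
        return None            # the "no such rational number exists" case
    return r1, t1

def reconstruct_vector(residues, N, P, Q):
    """Scalar routine applied to each coefficient (e.g. of a monic modular gcd);
    None if any coefficient fails to reconstruct."""
    out = []
    for r in residues:
        pq = rational_reconstruct(r, N, P, Q)
        if pq is None:
            return None
        out.append(pq)
    return out

if __name__ == "__main__":
    N = 71                                     # > 2 * P * Q for P = 5, Q = 7
    r = rational_mod(-5, 7, N)                 # 50
    print(rational_reconstruct(r, N, 5, 7))    # (-5, 7)
    print(rational_reconstruct(5, 13, 1, 1))   # None: no p/q with |p|, q <= 1 has residue 5
    print(reconstruct_vector([24, 1], 71, 1, 3))  # x + 1/3 from its image mod 71
```

Note that the failure case is detected, not merely returned as a wrong answer: the loop always terminates with some (r1, t1), and it is the denominator check against Q together with the coprimality check that rejects it. With N below the 2PQ threshold two different rationals can share a residue, which is why the routine refuses to run rather than silently pick one.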

SLIDE 10

Final Verification

If the prime(s) we used were good then the reconstructed poly is h; it is easy to sort out the matter of the scalar multiple.

But how do we know the primes were good? What if all the primes we tried were bad?

We must verify the result: check that the reconstructed h actually divides both f and g.

SLIDE 11

In practice...

Theory and practice. . .

Since we have to verify the result anyway, and since all known bounds are very pessimistic... we ignore the coeff bound, and attempt reconstruction every few primes until success.

How often to attempt reconstruction? We “watch” one coeff until it stabilizes, then try a full reconstruction.
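Slides 2 to 11 as one runnable piece, added here as an example (my code, not the deck's or CoCoA's): Euclid in F_p[x], exclusion of primes dividing LC(f) or LC(g), the relative bad-prime test by degree, scaling of h̄ so that LC(h̄) = φ_p(gcd(LC f, LC g)), incremental Chinese Remaindering with symmetric residues, stabilization of the candidate as the trigger for a reconstruction attempt, and final verification by exact division. The coefficient-list representation, the function names and the caller-supplied prime list are my assumptions; no coefficient bound B is computed, as slide 11 suggests.

```python
from functools import reduce
from math import gcd

# Added example, not from the slides.  Polynomials are lists of integer
# coefficients, lowest degree first: x^3 - x^2 - x + 1 is [1, -1, -1, 1].

def trim(f):
    """Drop zero leading coefficients so that len(f) == deg(f) + 1."""
    while f and f[-1] == 0:
        f.pop()
    return f

def divmod_mod_p(f, g, p):
    """Quotient and remainder of f by g in F_p[x] (g nonzero mod p)."""
    f, g = [c % p for c in f], trim([c % p for c in g])
    inv = pow(g[-1], -1, p)
    q = [0] * max(len(f) - len(g) + 1, 1)
    for i in range(len(f) - len(g), -1, -1):
        q[i] = f[i + len(g) - 1] * inv % p
        for j, c in enumerate(g):
            f[i + j] = (f[i + j] - q[i] * c) % p
    return trim(q), trim(f)

def gcd_mod_p(f, g, p):
    """Monic gcd in F_p[x] by Euclid's Algorithm."""
    a, b = trim([c % p for c in f]), trim([c % p for c in g])
    while b:
        a, b = b, divmod_mod_p(a, b, p)[1]
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def symmetric(c, m):
    """Representative of c mod m in (-m/2, m/2]: inverts φ_m when |c| < m/2."""
    c %= m
    return c - m if c > m // 2 else c

def crt_pair(r1, m1, r2, m2):
    """Residue mod m1*m2 agreeing with r1 mod m1 and r2 mod m2 (coprime moduli)."""
    t = (r2 - r1) * pow(m1, -1, m2) % m2
    return (r1 + m1 * t) % (m1 * m2)

def divides_exactly(h, f):
    """True iff h divides f in Z[x] (long division with an integrality check)."""
    f = list(f)
    for i in range(len(f) - len(h), -1, -1):
        if f[i + len(h) - 1] % h[-1]:
            return False
        q = f[i + len(h) - 1] // h[-1]
        for j, c in enumerate(h):
            f[i + j] -= q * c
    return not trim(f)

def modular_gcd(f, g, primes):
    """gcd(f, g) in Z[x] by the modular method: Euclid mod each good prime,
    h̄ scaled so LC(h̄) = φ_p(gcd(LC f, LC g)), residues combined by CRT, and
    once the symmetric-residue candidate stops changing, strip its content
    and verify by exact division.  Returns (h, combined modulus)."""
    lc = gcd(f[-1], g[-1])                       # LC(h) divides this
    cont = gcd(reduce(gcd, f), reduce(gcd, g))   # content of h, restored at the end
    cur, mod, prev = None, 1, None
    for p in primes:
        if f[-1] % p == 0 or g[-1] % p == 0:
            continue                             # type (A) bad prime: excluded outright
        hp = [c * lc % p for c in gcd_mod_p(f, g, p)]
        if cur is None or len(hp) < len(cur):
            cur, mod, prev = hp, p, None         # lower degree: all earlier primes were bad
        elif len(hp) > len(cur):
            continue                             # higher degree: p is relatively bad
        else:
            cur = [crt_pair(a, mod, b, p) for a, b in zip(cur, hp)]
            mod *= p
        cand = [symmetric(c, mod) for c in cur]
        if cand == prev:                         # stabilized: try a full reconstruction
            c0 = reduce(gcd, cand)
            h = [c // c0 for c in cand]
            if h[-1] < 0:
                h = [-c for c in h]
            if divides_exactly(h, f) and divides_exactly(h, g):
                return [cont * c for c in h], mod
        prev = cand
    raise ValueError("ran out of primes before the result verified")

if __name__ == "__main__":
    # The "rare" example of slide 7 and the two bad primes of slide 4.
    print(modular_gcd([1, -1, -1, 1], [1, -1, 0, -1, 1], [5, 7, 11, 13]))
    print(gcd_mod_p([1, 3], [1, 3], 3), gcd_mod_p([1, 1], [1, 4], 3))
```

Running the slide 4 inputs through `modular_gcd` with the prime list [3, 5, 7, 11] shows both mechanisms at work: p = 3 is skipped for f = g = 3x + 1 because it divides the leading coefficients, and for f = x + 1, g = 4x + 1 the degree-1 result from p = 3 is discarded as soon as p = 5 produces a degree-0 gcd. The verification step is what makes the bound unnecessary: a candidate that merely looks stable is still rejected unless it divides both inputs.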

SLIDE 12

Coefficient Field Extensions

Coefficients in Algebraic Extensions

We can use a similar approach for gcds in Q(α, β, . . .)[x].

  • map coeffs into Z/p(α, β, . . .) ← probably not a field!
  • map coeffs into Z/p(ᾱ, β̄, . . .)
  • for Z[α] solved by Lenstra using LLL lattice reduction
  • generalized to Q(α, β, . . .) by Abbott

SLIDE 13

Hensel Lifting: p-adic Integers

Quick Reminder of p-adic Integers

Recall the p-adic norm |a|p = p^{−ν} where p^ν || a. Zp is the completion of Z with respect to the norm | · |p.

Elements of Zp are formal power series in p:

  α = a0 p^0 + a1 p^1 + a2 p^2 + · · ·

Note that α mod p^k is a formal polynomial in p:

  α mod p^k = a0 p^0 + a1 p^1 + · · · + a_{k−1} p^{k−1}

α mod p^k is a “good” k-th order approx to α:

  |α − (α mod p^k)|p ≤ p^{−k}
SLIDE 14

Hensel Lifting: outline

Let f ∈ Z[x] and let p be a prime not dividing LC(f). Suppose φp(f) = ḡ h̄ ∈ Z/p[x] where gcd(ḡ, h̄) = 1.

Then by Hensel Lifting we can obtain a better factorization: f ≡ ḡ^(k) h̄^(k) ∈ Z/p^k[x] for any k ∈ N.

  • linear lifting goes from Z/p^k to Z/p^{k+1}
  • quadratic lifting goes from Z/p^k to Z/p^{2k}

Hensel lifting can be applied in several contexts (same principle, different details)

SLIDE 15

Hensel Lifting a Factorization

Lifting a factorization: main step

Let f ∈ Z[x] be monic and let p be a prime, and suppose f ≡ g1 h1 mod p^1 with gcd(g1, h1) = 1.

Since Z/p[x] is a PID, there exist ĝ, ĥ ∈ Z/p[x] such that ĝ g + ĥ h = 1 in Z/p[x].

Set ∆ = (f − g1 h1)/p^1 ∈ Z[x]. Set ∆g = ĥ ∆ mod g1 ∈ Z/p[x] and ∆h = ĝ ∆ mod h1 ∈ Z/p[x].

Now f ≡ g2 h2 mod p^2 where g2 = g1 + p^1 ∆g and h2 = h1 + p^1 ∆h.

Repeat until f ≡ gk hk mod p^k.
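An added example (my code, not from the slides): the main step above in its simplest instance, lifting a linear factor g_j = x − a_j. For a linear factor the Bezout cofactor ĥ is the constant f′(a)^{−1} mod p and reduction mod g_j is evaluation at a_j, so ∆g is a scalar and the step is Hensel's lemma for a simple root; the p-adic picture of slide 13 appears as successive approximations a_j that agree mod p^j, with digits a0 + a1 p + · · ·. The polynomial f = x^2 − 7 with p = 3, the starting roots 1 and 2, and the function names are my choices.

```python
# Added example, not from the slides.  Linear Hensel lifting of a linear
# factor x - a (Hensel's lemma for a simple root).  Polynomials are lists of
# integer coefficients, lowest degree first.

def poly_eval(f, x, m=None):
    """Horner evaluation of f at x, reduced mod m when m is given."""
    acc = 0
    for c in reversed(f):
        acc = acc * x + c
        if m:
            acc %= m
    return acc

def poly_derivative(f):
    return [i * c for i, c in enumerate(f)][1:]

def p_adic_valuation(n, p):
    """ν with p^ν || n, for n != 0 (so |n|_p = p^-ν)."""
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v

def p_adic_digits(alpha, p, k):
    """Digits a_0 .. a_{k-1} with alpha ≡ a_0 + a_1 p + ... + a_{k-1} p^(k-1) (mod p^k)."""
    digits = []
    for _ in range(k):
        digits.append(alpha % p)
        alpha //= p
    return digits

def hensel_lift_root(f, p, a, k):
    """Lift a simple root a of f mod p to a root mod p^k, one linear step at a time.

    With g_j = x - a_j and h_j the cofactor, the Bezout cofactor ĥ in
    ĝ g_j + ĥ h_j = 1 is the constant f'(a)^-1 mod p, and "mod g_j" is
    evaluation at a_j, so the slide's Δg = ĥ Δ mod g_j is a scalar.
    Returns (a_k, [a_1, ..., a_k])."""
    assert poly_eval(f, a, p) == 0, "a is not a root mod p"
    hhat = pow(poly_eval(poly_derivative(f), a, p), -1, p)  # raises if the root is not simple
    a_j, pj = a % p, p
    approximations = [a_j]
    for _ in range(1, k):
        delta = poly_eval(f, a_j, pj * p) // pj   # Δ(a_j) = (f - g_j h_j)(a_j) / p^j = f(a_j) / p^j
        delta_g = hhat * delta % p
        a_j = (a_j - pj * delta_g) % (pj * p)    # g_{j+1} = g_j + p^j Δg  <=>  a_{j+1} = a_j - p^j Δg
        pj *= p
        approximations.append(a_j)
    return a_j, approximations

def lift_quadratic_factorization(f, p, a, b, k):
    """Lift monic f ≡ (x - a)(x - b) mod p, a ≢ b, to f ≡ (x - A)(x - B) mod p^k and check it."""
    A, _ = hensel_lift_root(f, p, a, k)
    B, _ = hensel_lift_root(f, p, b, k)
    m = p ** k
    product = [A * B % m, -(A + B) % m, 1]       # (x - A)(x - B), coefficients mod p^k
    assert product == [c % m for c in f]
    return A, B

if __name__ == "__main__":
    f = [-7, 0, 1]                                      # x^2 - 7 ≡ (x - 1)(x - 2) mod 3
    root, approx = hensel_lift_root(f, 3, 1, 4)
    print(approx, p_adic_digits(root, 3, 4))            # [1, 4, 13, 13] [1, 1, 1, 0]
    print(p_adic_valuation(poly_eval(f, root), 3))      # 4, i.e. |f(a_4)|_3 <= 3^-4
    print(lift_quadratic_factorization(f, 3, 1, 2, 4))  # (13, 68)
```

Each a_{j+1} agrees with a_j modulo p^j, which is exactly the “good k-th order approximation” of slide 13: the lift only ever appends a new p-adic digit. A root that is not simple (f′(a) ≡ 0 mod p) makes ĥ undefined, and the modular inverse fails, mirroring the coprimality requirement gcd(g1, h1) = 1 on the slide.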

SLIDE 16

Factorization Picture

Z[x] Factorization Picture

  f ∈ Z[x]                         f = f1 f2 · · · fr ∈ Z[x]
      ↓                                      ↑
  f ≡ g1 g2 · · · gs mod p   →   f ≡ G1 G2 · · · Gs mod p^k

Note: for some polynomials (e.g. x^4 + 1) all primes are bad!

SLIDE 17

GCD of Multivariate Polynomials

Let f ∈ k[x, y], and let a ∈ k. Observe that evaluating y → a is just k[x, y] → k[x, y]/(y − a).

  • if k is a finite field all choices of a may be bad
  • Hensel lift all variables together
  • Hensel lift the variables one at a time
  • new problem: loss of sparsity
  • Lagrange interpolation
  • Zippel’s Algorithm
  • sparse polynomial interpolation (de Prony, Ben-Or & Tiwari)
  • ad hoc tricks exploiting sparsity

SLIDE 18

Fault-tolerant Rational Reconstruction

Let a = p/q ∈ Q, and suppose we have residue-modulus pairs (ri, mi) satisfying q ri ≡ p (mod mi) for most indices i. Some of the residues may be wrong.

We can still reconstruct a:

  • using continued fractions (Abbott, generalizes WGD)
  • using lattice reduction (Böhm, Decker, Fieker, Pfister)

New relationship between combined modulus and bounds: M / M_bad^2 > 2PQ

Useful when bad primes cannot be recognized (e.g. implicitization)

SLIDE 19

The End
