Abstract
We consider the question of certifying that a polynomial in
or
is irreducible. Knowing that a polynomial is irreducible lets us recognise that a quotient ring is actually a field extension (equiv. that a polynomial ideal is maximal). Checking that a polynomial is irreducible by factorizing it is unsatisfactory because it requires trusting a relatively large and complicated program (whose correctness cannot easily be verified). We present a practical method for generating certificates of irreducibility which can be verified by relatively simple computations; we assume that primes and irreducibles in
are self-certifying.
Keywords: Certificate, Irreducibility
Introduction
What Is a “Certificate”?
A certificate that object X has property P is a “small” amount of extra information C such that some quick and simple computations with X and C suffice to confirm that X does have the property. We illustrate this vague definition with a well-known, concrete example.
Example 1
We can certify that a positive integer n is prime using a Lucas-Pratt certificate [9]. The idea is to find a witness w such that
and
for all prime factors q of
.
These certificates have a recursive structure, since in general we must certify each prime factor q of
. To avoid infinite recursion we say that all small primes up to some limit are “self-certifying” (i.e. they need no certificate).
Thus a Lucas-Pratt certificate comprises a witness w, and a list of prime factors
of
(and certificates for each
). Verification involves:
verify that
;
verify that each
;
verify that
for positive exponents
;
recursively verify that each
is prime.
The operations required to verify such a certificate are: iteration over a list, exponentiation modulo an integer, comparison with 1, division of integers, and divisibility testing of integers. These are all simple operations, and the entire function to verify a Lucas-Pratt certificate is small enough to be fully verifiable itself.
An important point in this example is that the certificate actually involves several cases: namely, if the prime is small enough, the certificate just says that it is a “small prime” (e.g. we can verify by table-lookup); otherwise the certificate contains a non-trivial body. In this instance there are just two possible cases.
We note that generating a Lucas-Pratt certificate could be costly because the prime factorization of
must be computed.
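The verification steps above, written out as an added Python example (not code from the paper or from CoCoA). It uses the standard Lucas-Pratt conditions, w^(n-1) ≡ 1 (mod n) and w^((n-1)/q) ≢ 1 (mod n) for every prime factor q of n-1; the certificate layout, the self-certifying limit of 7 and the sample certificates are assumptions made for the example.

```python
# Primes treated as "self-certifying"; the limit 7 is an assumption of this example.
SMALL_PRIMES = frozenset({2, 3, 5, 7})

def verify_pratt(n, certs):
    """Return True iff `certs` proves that n is prime.

    certs maps every prime above the self-certifying limit to a pair
    (witness w, list of the distinct prime factors of n - 1).
    """
    if n in SMALL_PRIMES:
        return True                        # table lookup, no certificate body
    if n < 2 or n not in certs:
        return False
    w, factors = certs[n]
    if pow(w, n - 1, n) != 1:              # w^(n-1) must be 1 modulo n
        return False
    rest = n - 1
    for q in factors:
        if q < 2 or rest % q != 0:         # q must divide what is left of n - 1
            return False
        if pow(w, (n - 1) // q, n) == 1:   # order of w must not divide (n-1)/q
            return False
        while rest % q == 0:               # remove the full power of q
            rest //= q
        if not verify_pratt(q, certs):     # recursion ends because q < n
            return False
    return rest == 1                       # the listed primes account for all of n - 1

# Constructed sample: 312 = 2^3 * 3 * 13 and 12 = 2^2 * 3.
CERTS_313 = {313: (10, [2, 3, 13]), 13: (2, [2, 3])}

# Constructed forgery: 341 = 11 * 31 passes the Fermat test to base 2,
# but 2^170 is 1 modulo 341, so the witness does not have full order.
FORGED_341 = {341: (2, [2, 5, 17]), 17: (3, [2])}

if __name__ == "__main__":
    print(verify_pratt(313, CERTS_313), verify_pratt(341, FORGED_341))
```

The verifier never factorizes anything itself: an incomplete factor list leaves `rest` above 1 and the certificate is rejected.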
Costs of a Certificate
The total cost of a certificate comprises several components:
computational cost of generating the certificate;
size of the certificate (e.g. cost of storage or transmission);
computational cost of verification given the certificate;
size and code complexity of the verifier.
In the case of certifying the irreducibility of a polynomial in
we could issue trivial certificates for all polynomials, and say that the verifier simply has to be an implementation of a polynomial factorizer. We regard this as unsatisfactory because the size and code complexity of the verifier are too high.
Irreducibility Criteria for
and
We can immediately reduce from
to
thanks to Gauss’s Lemma (for polynomials): let
be non-constant then f is irreducible if and only if
is irreducible, where
and the uniquely defined, non-zero factor
is such that all coefficients of
are integers with common factor 1, and the leading coefficient is positive.
The problem of certifying irreducibility in
has a long history, and has already been considered by several people. Here is a list of some approaches:
give a “large” evaluation point n such that f(n) has a large prime factor;
degree analysis (from factorizations over one or more finite fields)1;
a linear polynomial is obviously irreducible;
Newton polygon methods (e.g. Schönemann, Eisenstein, and Dumas [4]);
Vahlen-Capelli lemma [10] for binomials;
Perron’s Criterion [8];
the coefficients are (non-negative) digits of a prime to some base b (e.g. [8]).
The first technique in the list was inspired by ideas from [3]; it seems to be new.
In this presentation, we shall assume that the degree is at least 2, and shall concentrate on the first two methods as they are far more widely applicable than others listed.
Factor Degree Analysis
Factor degree analysis is a well-known, behind-the-scenes technique in polynomial factorization. It involves using degrees of modular factors to obtain a list of excluded degrees for factors in
.
We define a factor degree lower bound for
to be
such that we have excluded all degrees less than
, e.g. through factor degree analysis. We can certify this lower bound by accompanying it with the modular factorizations used. Clearly, if degree analysis excludes all degrees up to
then we have proved that
f
is irreducible. Finally, we may always take
without any degree analysis.
In many cases we can indeed prove/certify irreducibility via degree analysis. However, there are some (infinite) families of polynomials where one must use “larger” primes, and there are also (infinite) families where irreducibility cannot be proved via factor degree analysis (e.g. resultants, in particular Swinnerton-Dyer polynomials, see also [6]).
Example 2
The well-known, classical example of a polynomial which cannot be proved irreducible by degree analysis is
: every modular factorization is into either 4 linears or 2 quadratics, so this does not let us exclude the possible existence of a degree 2 factor.
There are also many polynomials which can be proved irreducible by degree analysis, but are not irreducible modulo any prime; this property depends on the Galois group of the polynomial. For instance,
is one such polynomial: modulo 2 the irreducible factors have degrees 1 and 3, and modulo 5 both factors have degree 2; but it is never irreducible modulo p.
Degree Analysis Certificate. A degree analysis certificate comprises
a subset
of “not excluded” factor degrees
a list, L, of pairs: a prime p, and the irreducible factors of f modulo p
If
, we have a certificate of irreducibility; otherwise the smallest element of the set is a factor degree lower bound.
Verification of the certificate involves the following steps:
for each entry in L, check that the product of the modular factors is f;
for each entry in L, compute the set of degrees of all possible products of the modular factors; verify that their intersection is D;
check that each modular factor is irreducible (e.g. use Gaussian reduction to compute the rank of
where B is the Berlekamp matrix).
The main cost of the verification is the computation of B and the rank of
; the cost of computing B is greater for larger primes, so we prefer to generate certificates which use smaller primes if possible.
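The three verification steps as an added Python example (not the paper's CoCoA code). It swaps the Berlekamp-matrix rank test for a gcd test against x^(p^k) − x, takes D to range over the degrees 1 to deg f − 1, expects monic modular factors, and treats the primes in L as self-certifying; the polynomial and certificate are constructed for the example.

```python
def trim(a):                       # coefficients are stored lowest degree first
    while a and a[-1] == 0:
        a.pop()
    return a

def pmul(a, b, p):                 # product over F_p
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def prem(a, m, p):                 # remainder of a modulo non-zero m over F_p
    a, inv = trim([c % p for c in a]), pow(m[-1], -1, p)
    while len(a) >= len(m):
        k, shift = a[-1] * inv % p, len(a) - len(m)
        for i, c in enumerate(m):
            a[shift + i] = (a[shift + i] - k * c) % p
        trim(a)
    return a

def pgcd(a, b, p):                 # Euclid's algorithm over F_p
    while b:
        a, b = b, prem(a, b, p)
    return a

def ppow(a, e, m, p):              # a^e mod m by square-and-multiply
    result = [1]
    while e:
        if e & 1:
            result = prem(pmul(result, a, p), m, p)
        a, e = prem(pmul(a, a, p), m, p), e >> 1
    return result

def is_irreducible_mod_p(g, p):
    """g is irreducible over F_p iff gcd(g, x^(p^k) - x) is constant for k <= deg(g)//2."""
    frob = [0, 1]                                  # x
    for _ in range((len(g) - 1) // 2):
        frob = ppow(frob, p, g, p)                 # x^(p^k) mod g
        diff = frob + [0] * (2 - len(frob))
        diff[1] = (diff[1] - 1) % p                # subtract x
        if len(pgcd(g, trim(diff), p)) != 1:
            return False
    return len(g) >= 2                             # constants are not accepted

def product_degrees(degrees):      # degrees of all products of the modular factors
    sums = {0}
    for d in degrees:
        sums |= {s + d for s in sums}
    return sums

def verify_degree_certificate(f, D, L):
    """f: integer coefficients, lowest degree first; L: list of (prime p, monic factors mod p)."""
    possible = set(range(1, len(f) - 1))
    for p, factors in L:
        if f[-1] % p == 0:                         # degree must not drop modulo p
            return False
        factors = [trim([c % p for c in g]) for g in factors]
        prod = [f[-1] % p]
        for g in factors:
            prod = pmul(prod, g, p)
        if prod != trim([c % p for c in f]) or not all(is_irreducible_mod_p(g, p) for g in factors):
            return False
        possible &= product_degrees([len(g) - 1 for g in factors])
    return possible == set(D)

F = [-1, -2, 3, 1, 1]   # constructed sample: x^4 + x^3 + 3x^2 - 2x - 1
CERT = [(2, [[1, 1], [1, 1, 0, 1]]), (3, [[1, 0, 1], [2, 1, 1]])]
```

With both entries the degree sets {1, 3} and {2} have empty intersection, so `verify_degree_certificate(F, [], CERT)` accepts; with the entry for 2 alone only the claim D = {1, 3} is accepted.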
Practical Matters. We would like to know, in practice, how costly it is to produce a useful degree analysis certificate, and how large the resulting certificate could be. More specifically:
How many different primes should we consider? And how large?
How to find a minimal set of primes yielding the factor degree subset?
How many primes are typically in the minimal set?
In our experience, a minimal length list very rarely contains more than 3 entries, but we should expect to consider many more primes during generation of the certificate. We can construct irreducible polynomials which require considering “large” primes to obtain useful degree information (e.g.
where
) but in many cases “small” primes up to around
suffice.
Irreducibility Certificates for
via Evaluation
Bunyakowski’s conjecture (e.g. see page 323 of [7]) states that if
is irreducible (and has trivial fixed divisor) then |f(n)| is prime for infinitely many
. Assuming the conjecture is true, we can get a certificate of irreducibility by finding a suitable evaluation point n (and perhaps including a certificate that |f(n)| is prime).
Applying Bunyakowski’s conjecture directly is inconvenient for two reasons:
we want to handle polynomials with non-trivial fixed divisor;
finding a suitable n may be costly, and the resulting |f(n)| may be large.
The first point is solved by an easy generalization of the conjecture: let
be irreducible and
be its fixed divisor, then there are infinitely many
such that
is prime. The second point is a genuine inconvenience: for some polynomials, it can be costly to find a “Bunyakowski prime,” and the prime itself will be large (and thus costly to verify). For example, let
then the smallest good evaluation point is
, and
.
A Large Prime Factor Suffices. Here we present a much more practical way of certifying irreducibility by evaluation: we require just a sufficiently large prime factor. Let
be non-constant, and let
be a root bound for f: that is, for every
such that
we have
. We note that it is relatively easy to compute root bounds (e.g. see [2]). The following proposition was partly inspired by Theorem 2 in [3], but appears to be new.
Proposition 1
Let
be non-constant, and let
be a root bound for f. Let
be a factor degree lower bound for f. If we have
with
such that
where
and p is prime then f is irreducible.
Proof
For a contradiction, suppose that
is a non-trivial factorization. We may assume that
. We have
where
,
is the leading coefficient, and the
are the roots of f in
. We may assume that the
are indexed so that the roots of g are
where
.
By evaluation we have
with all values in
. Also
since
. We now estimate |g(n)|:
where
is the leading coefficient. Each factor in the product has magnitude greater than 1, so
. Similarly,
. This contradicts the given factorization
. 
When we have an evaluation point to which Proposition 1 applies we call it a large prime factor witness (abbr. LPFW) for
and
. We conjecture that every irreducible polynomial has infinitely many LPFWs; note that Bunyakowski’s conjecture implies this.
Example 3
This example shows that it can be beneficial to look for large prime factor witnesses rather than Bunyakowski prime witnesses.
Let
and take
. We compute
as root bound, and then we obtain an LPFW at
with prime factor
. In contrast, the smallest Bunyakowski prime is
at
.
In the light of this example we exclude consideration of a certificate based on Bunyakowski’s conjecture, and consider only LPFWs.
We prefer to issue an LPFW certificate where the prime p is as small as “reasonably possible”. Our implementation searches for suitable n in an incremental way, since smaller values of |n| produce smaller values of |f(n)|, and we expect smaller values of |f(n)| to be more likely to lead to an “sp” factorization with small prime factor p—this is only a heuristic, and does not guarantee to find the smallest such p. We look for the factorization
by trial division by the first few small primes (and GMP’s probabilistic prime test for p).
LPFW Certificate. An LPFW certificate comprises the following information:
a root bound
,
a factor degree lower bound
with degree analysis certificate,
the evaluation point
,
the large prime factor p of |f(n)|
(opt.) with certificate of primality.
Verification of an LPFW certificate entails:
evaluating f(n) and verifying that p is a factor;
verifying that the discarded factor
satisfies
;
verifying that
is a root bound for f (see comment below);
(if
) verifying that
is a factor degree lower bound;
verifying that p is (probably) prime.
In many cases the root bound can be verified simply by evaluation of a modified polynomial: let
and set
, then if
then
is a root bound for f. Some tighter root bounds may require applying an (iterated) Gräffe transform to f first (e.g. see [2]).
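A verifier for the LPFW certificate as an added Python example (not the paper's implementation). It assumes the acceptance condition |n| ≥ ρ + 1 and s < (|n| − ρ)^δ with |f(n)| = s·p, an integer ρ, and Miller-Rabin with fixed bases standing in for GMP's test; a δ above 1 is only accepted when the caller states that its degree analysis certificate was verified separately.

```python
def eval_poly(coeffs, x):
    """Horner evaluation; integer coefficients, highest degree first."""
    acc = 0
    for c in coeffs:
        acc = acc * x + c
    return acc

def is_root_bound(coeffs, rho):
    """Evaluate the modified polynomial |a_d| x^d - sum_{j<d} |a_j| x^j at rho; it must be positive."""
    modified = [abs(coeffs[0])] + [-abs(c) for c in coeffs[1:]]
    return rho > 0 and eval_poly(modified, rho) > 0

def is_probable_prime(p):
    """Miller-Rabin with fixed bases (stand-in for the GMP test named in the text)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if p < 2:
        return False
    for b in bases:
        if p % b == 0:
            return p == b
    d, r = p - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, p)
        if x in (1, p - 1):
            continue
        for _ in range(r - 1):
            x = x * x % p
            if x == p - 1:
                break
        else:
            return False                   # b is a witness that p is composite
    return True

def verify_lpfw(coeffs, rho, n, p, delta=1, delta_is_certified=False):
    """Check an LPFW certificate (rho, delta, n, p) for the polynomial `coeffs`."""
    if len(coeffs) < 3 or coeffs[0] == 0:  # the text assumes degree at least 2
        return False
    if delta < 1 or (delta > 1 and not delta_is_certified):
        return False                       # delta = 1 needs no degree analysis
    if not is_root_bound(coeffs, rho) or abs(n) < rho + 1:
        return False
    value = abs(eval_poly(coeffs, n))
    if p < 2 or value == 0 or value % p != 0:
        return False                       # p must be a factor of |f(n)|
    s = value // p                         # the discarded factor
    if not s < (abs(n) - rho) ** delta:    # condition assumed for this example
        return False
    return is_probable_prime(p)

# Constructed samples: x^4 + 1 (irreducible) and x^4 + 4 (reducible).
X4_PLUS_1 = [1, 0, 0, 0, 1]
X4_PLUS_4 = [1, 0, 0, 0, 4]

if __name__ == "__main__":
    print(verify_lpfw(X4_PLUS_1, 2, 5, 313))   # 5^4 + 1 = 626 = 2 * 313
    print(verify_lpfw(X4_PLUS_4, 2, 5, 37))    # 5^4 + 4 = 629 = 17 * 37
```

For x^4 + 4 the discarded factor 17 is not below (5 − 2)^1 = 3, so the certificate is rejected, as it must be for a reducible polynomial.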
Example 4
This example shows how degree information can be useful in finding a small LPFW. Let
. We find that
is a root bound. Without degree information (i.e. taking
) we obtain the first LPFW at
with corresponding prime
. In contrast, from the factorization of f modulo 3 we can certify that
is a factor degree lower bound for f. This information lets us obtain an LPFW at
with far smaller corresponding prime
.
Möbius Transformations
We define (a minor generalization of) a Möbius transformation for
. The crucial property for us is that these transformations preserve irreducibility (except for some polynomials of degree 1).
Definition 1
Let
be a
matrix. Let
be a polynomial in
. We define the Möbius transform of f induced by M to be the polynomial
.
In our applications the matrix entries will be integers, and we shall suppose that at least one of a and c is non-zero.
Definition 2
A Möbius transformation
is degenerate if
.
Definition 3
Let
be a Möbius transform. We define the pseudo-inverse of
to be the Möbius transformation corresponding to the classical adjoint
. We write
to denote the pseudo-inverse.
Here is a summary of useful properties of a Möbius transformation
.
Proposition 2
Let
be non-singular, so
is non-degenerate.
Let
be a linear polynomial. If
then
is linear; otherwise
is a non-zero constant.
respects multiplication:
.
.
If
then
where
.
If
then
where
.
If
and
is irreducible and
then prim
is irreducible.
Proof
Parts (a) and (b) are elementary algebra. Part (c) follows from (a) and (b) by considering the factorization of f over a splitting field. Parts (d) and (e) are elementary for linear f; the general case follows by repeated application of part (b).
For part (f), suppose we have a counter-example
, then we have a non-trivial factorization
, but by (b) and (d) we deduce that
which is a non-trivial factorization, contradicting the assumption that f was irreducible.
Our interest in Möbius transformations is that they offer the possibility of finding a better LPFW certificate. Unfortunately we do not yet have a good way of determining which Möbius transformations are helpful.
Example 5
Let
. We obtain an LPFW certificate with
,
,
with corresponding prime factor
.
Let
. Let
; by Proposition 2.(f) since
an LPFW certificate for g also certifies that f is irreducible. For g we obtain a certificate with
,
,
with much smaller corresponding prime factor
.
Unsolved Problem: How to find a good Möbius matrix M given just f?
Certifying a Transformed Polynomial
Naturally, if we generate an LPFW certificate for a transformed polynomial
then we must indicate which Möbius transformation was used. Given two polynomials
of the same degree d, and
, one can easily verify that
by evaluating f at
distinct rational points, and g at the (rational) transforms of these points, and then checking that the ratios of the values are all equal. So the extra information needed is M and
.
Fixed Divisors
Definition 4
Let
be non-zero. The fixed divisor of f is defined to be FD(f) = gcd
.
Some content-free polynomials have non-trivial fixed divisors: an example is
which is content-free but has fixed divisor 2.
Proposition 3
Let
be non-zero. Its fixed divisor is equal to:
Proof
The standard proof follows easily from representing f with respect to the “binomial basis” for
, namely
.
Polynomials having large fixed divisor
cannot have small LPFW certificates because we are forced to choose large evaluation points since we must have
. This problem becomes more severe for higher degree polynomials since the fixed divisor can be as large as d! where d is the degree.
We can reduce the size of the fixed divisor by scaling the indeterminate (i.e. a Möbius transformation for a diagonal matrix), or perhaps reversing the polynomial and scaling the indeterminate (i.e. a Möbius transformation for an anti-diagonal matrix). We have not yet investigated the use of more general Möbius transformations.
Let
be content-free, irreducible with fixed divisor
. Let q be a prime factor of
, and let k be the multiplicity of q in |f(0)|. Then
has fixed divisor
. In practice, we consider several polynomials obtained by scaling x by
; in fact scaling by
can also be beneficial.
Implementation and Experimentation
Our prototype implementation runs degree analysis and LPFW search “in parallel”: i.e. it repeatedly alternates a few iterations of degree analysis with a few iterations of LPFW search. If degree analysis finds a new factor degree lower bound,
, this information is passed to the LPFW search.
Degree Analysis
We adopted the following strategy for choosing primes during degree analysis: initially we create a list of “preferential primes” (e.g. including the first few primes greater than the degree), then we pick primes alternately from this list or from a random generator. The range for randomly generated primes is gradually increased to favour quickly finding a certificate involving smaller primes (since these are computationally cheaper to verify).
This strategy was inspired by some experimentation. There exist polynomials whose degree analysis certificates must involve “large” primes: e.g. a good set of primes for
must contain at least one prime greater than 101. Also, empirically we find that a degree analysis certificate for an (even) Hermite polynomial must use primes greater than the degree.
To issue a certificate, we look for a minimal cardinality subset of the primes used which suffices. This subset search is potentially exponential, but in our experiments it is very rare for a minimal subset to need more than 3 primes.
Large Prime Factor Witness
As already mentioned, not all polynomials can be certified irreducible by degree analysis. A well-known class of polynomials for which irreducibility cannot be shown by degree analysis are the Swinnerton-Dyer polynomials: they are the minimal polynomials for sums of square-roots of “independent” integers. A more general class of such polynomials was presented in [6].
As we saw in Example 5, it can be better to issue an LPFW certificate for a transformed polynomial, but we do not yet have a good way of finding a good Möbius transformation. Our current prototype implementation considers only indeterminate scaling and possibly reversal: i.e. the Möbius matrix must be diagonal or anti-diagonal. A list of all scaling and reverse-scaling transforms by “simple” rationals is maintained, and the resulting polynomials are considered “in parallel”. For each transformed polynomial we keep track of two evaluation points (one positive, one negative) and the corresponding evaluations. The evaluations are then considered in order of increasing absolute value; once an evaluation has been processed the corresponding evaluation point is incremented (or decremented, if it is negative).
The LPFW search depends on a factor degree lower bound,
, which is initially 1. The degree analysis “thread” may at any time furnish a better value for
. So that this asynchrony can work well the LPFW search records, for each possible factor degree lower bound, any certificates it finds. When a higher
is received, the search first checks whether a corresponding LPFW certificate has already been recorded; if so, that certificate is produced as output. Otherwise searching proceeds using the new
.
Examples
Here are a few examples as computed by the current prototype; since degree analysis picks primes in a pseudo-random order, different certificates may be issued for the same polynomial.
: degree analysis with prime list 
: degree analysis with prime list 
21-st cyclotomic polynomial: LPFW with
,
,
, and prime factor 
Swinnerton-Dyer polynomial for [71, 113, 163]: LPFW with
,
(with
),
and prime factor 
: transform
, LPFW
,
(with
),
and prime factor 
A quick comment about run-times: our interpreted prototype favours producing certificates which are cheap to verify (rather than cheap to generate); the degree analysis certificates took
s each to generate, the others
s each. We did not measure verification run-time, but fully expect it to be less than 0.01 s in each case. In comparison, the polynomial factorizer in CoCoA took less than 0.01 s for all of these polynomials.
As a larger example: the prototype took
s (we expect the final implementation to be significantly faster) to produce a certificate for the degree 64 (Swinnerton-Dyer) minimal polynomial of
This polynomial has fixed divisor
. Our prototype found and applied the transformation
, then produced an LPFW certificate for the transformed polynomial:
,
(with
),
and
which was confirmed to be “probably prime” (according to GMP [5]). The classical Berlekamp-Zassenhaus factorizer in CoCoA [1] took about 300 s to recognize irreducibility.
A Comment About Run-Time
An anonymous referee reasonably asked about expected run-time or a (possibly heuristic) complexity analysis. The answer is “It depends ...”. For “almost all” polynomials, degree analysis suffices and is quick. In our setting, the LPFW search effectively happens only if a degree analysis certificate cannot be quickly found. In our experiments, the number of iterations in LPFW search before producing a certificate was quite irregular.
Conclusion
As mentioned in the introduction there are many different criteria for certifying the irreducibility of a polynomial in
. Here we have concentrated on just two of them, and have pointed out how they can “collaborate”.
We have built a prototype implementation in CoCoA [1], and plan to integrate it into CoCoALib, the underlying C++ library (where we expect significant performance gains).
An interesting future possibility is for the requester of the certificate to state which criteria may be used (dictated by the implemented verifiers that the requester has available). But too restrictive a choice of criteria may make it impossible to generate a certificate: e.g. there is no “Eisenstein” certificate for most polynomials.
Footnotes
Degree analysis has likely been known for a long time.
Contributor Information
Anna Maria Bigatti, Email: bigatti@dima.unige.it.
Jacques Carette, Email: carette@mcmaster.ca.
James H. Davenport, Email: j.h.davenport@bath.ac.uk
Michael Joswig, Email: joswig@math.tu-berlin.de.
Timo de Wolff, Email: t.de-wolff@tu-braunschweig.de.
John Abbott, Email: abbott@dima.unige.it.
References
- 1. Abbott, J., Bigatti, A.M., Robbiano, L.: CoCoA: a system for doing Computations in Commutative Algebra. http://cocoa.dima.unige.it/
- 2. Abbott J. Bounds on factors in
J. Symb. Comput. 2013;50:532–563. doi: 10.1016/j.jsc.2012.09.004.
- 3. Davenport J, Padget J. Heugcd: how elementary upperbounds generate cheaper data. In: Caviness BF, editor. EUROCAL ’85; Heidelberg: Springer; 1985. pp. 18–28.
- 4. Dumas G. Sur quelques cas d’irréductibilité des polynomes à coefficients rationnels. Journ. de Math. 1906;6(2):191–258.
- 5. Granlund, T., et al.: GNU multiprecision library. http://www.gmplib.org/
- 6. Kaltofen E, Musser DR, Saunders BD. A generalized class of polynomials that are hard to factor. SIAM J. Comput. 1983;12:473–483. doi: 10.1137/0212031.
- 7. Lang S. Algebra. 3. Reading: Addison Wesley; 1993.
- 8. Perron O. Neue Kriterien für die Irreduzibilität algebraischer Gleichungen. J. Reine Angew. Math. 1907;132:288–307.
- 9. Pratt VR. Every prime has a succinct certificate. SIAM J. Comput. 1975;4:214–220. doi: 10.1137/0204018.
- 10. Rowlinson E. New proofs for two theorems of Capelli. Can. Math. Bull. 1964;7:431–433. doi: 10.4153/CMB-1964-042-9.




