# Berlekamp's algorithm

In mathematics, particularly computational algebra, Berlekamp's algorithm is a well-known method for factoring polynomials over finite fields (also known as Galois fields). The algorithm consists mainly of matrix reduction and polynomial GCD computations. It was invented by Elwyn Berlekamp in 1967. It was the dominant algorithm for solving the problem until the Cantor–Zassenhaus algorithm of 1981. It is currently implemented in many well-known computer algebra systems.

## Overview

Berlekamp's algorithm takes as input a square-free polynomial ${\displaystyle f(x)}$ (i.e. one with no repeated factors) of degree ${\displaystyle n}$ with coefficients in a finite field ${\displaystyle \mathbb {F} _{q}}$ and gives as output a polynomial ${\displaystyle g(x)}$ with coefficients in the same field such that ${\displaystyle g(x)}$ divides ${\displaystyle f(x)}$. The algorithm may then be applied recursively to these and subsequent divisors, until we find the decomposition of ${\displaystyle f(x)}$ into powers of irreducible polynomials (recalling that the ring of polynomials over a finite field is a unique factorization domain).

All possible factors of ${\displaystyle f(x)}$ are contained within the factor ring

${\displaystyle R={\frac {\mathbb {F} _{q}[x]}{\langle f(x)\rangle }}.}$

The algorithm focuses on polynomials ${\displaystyle g(x)\in R}$ which satisfy the congruence:

${\displaystyle g(x)^{q}\equiv g(x){\pmod {f(x)}}.\,}$

These polynomials form a subalgebra of R (which can be considered as an ${\displaystyle n}$-dimensional vector space over ${\displaystyle \mathbb {F} _{q}}$), called the Berlekamp subalgebra. The Berlekamp subalgebra is of interest because the polynomials ${\displaystyle g(x)}$ it contains satisfy

${\displaystyle f(x)=\prod _{s\in \mathbb {F} _{q}}\gcd(f(x),g(x)-s).}$

In general, not every GCD in the above product will be a non-trivial factor of ${\displaystyle f(x)}$, but some are, providing the factors we seek.

Berlekamp's algorithm finds polynomials ${\displaystyle g(x)}$ suitable for use with the above result by computing a basis for the Berlekamp subalgebra. This is achieved via the observation that Berlekamp subalgebra is in fact the kernel of a certain ${\displaystyle n\times n}$ matrix over ${\displaystyle \mathbb {F} _{q}}$, which is derived from the so-called Berlekamp matrix of the polynomial, denoted ${\displaystyle {\mathcal {Q}}}$. If ${\displaystyle {\mathcal {Q}}=[q_{i,j}]}$ then ${\displaystyle q_{i,j}}$ is the coefficient of the ${\displaystyle j}$-th power term in the reduction of ${\displaystyle x^{iq}}$ modulo ${\displaystyle f(x)}$, i.e.:

${\displaystyle x^{iq}\equiv q_{i,n-1}x^{n-1}+q_{i,n-2}x^{n-2}+\ldots +q_{i,0}{\pmod {f(x)}}.\,}$

With a certain polynomial ${\displaystyle g(x)\in R}$, say:

${\displaystyle g(x)=g_{n-1}x^{n-1}+g_{n-2}x^{n-2}+\ldots +g_{0},\,}$

we may associate the row vector:

${\displaystyle g=(g_{0},g_{1},\ldots ,g_{n-1}).\,}$

It is relatively straightforward to see that the row vector ${\displaystyle g{\mathcal {Q}}}$ corresponds, in the same way, to the reduction of ${\displaystyle g(x)^{q}}$ modulo ${\displaystyle f(x)}$. Consequently, a polynomial ${\displaystyle g(x)\in R}$ is in the Berlekamp subalgebra if and only if ${\displaystyle g({\mathcal {Q}}-I)=0}$ (where ${\displaystyle I}$ is the ${\displaystyle n\times n}$ identity matrix), i.e. if and only if it is in the null space of ${\displaystyle {\mathcal {Q}}-I}$.

By computing the matrix ${\displaystyle {\mathcal {Q}}-I}$ and reducing it to reduced row echelon form and then easily reading off a basis for the null space, we may find a basis for the Berlekamp subalgebra and hence construct polynomials ${\displaystyle g(x)}$ in it. We then need to successively compute GCDs of the form above until we find a non-trivial factor. Since the ring of polynomials over a field is a Euclidean domain, we may compute these GCDs using the Euclidean algorithm.

## Conceptual algebraic explanation

With some abstract algebra, the idea behind Berlkemap's algorithm becomes conceptually clear. We represent a finite field ${\textstyle \mathbb {F} _{q}[x]}$, where ${\textstyle q=p^{m}}$ for some prime p, as ${\textstyle \mathbb {F} _{p}[y]/(g(y))}$. We can assume that ${\textstyle f(x)\in \mathbb {F} _{q}[x]}$ is square free, by taking all possible pth roots and then computing the gcd with its derivative.

Now, suppose that ${\textstyle f(x)=f_{1}(x)\ldots f_{n}(x)}$ is the factorization into irreducibles. Then we have a ring isomorphism, ${\textstyle \sigma :\mathbb {F} _{q}[x]/(f(x))\to \prod _{i}\mathbb {F} _{q}[x]/(f_{i}(x))}$, given by the Chinese remainder theorem. The crucial observation is that the Frobenius automorphism ${\textstyle x\to x^{p}}$ commutes with ${\textstyle \sigma }$, so that if we denote ${\textstyle {\text{Fix}}_{p}(R)=\{f\in R:f^{p}=f\}}$, then ${\textstyle \sigma }$ restricts to an isomorphism ${\textstyle {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f(x)))\to \prod _{i=1}^{n}{\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f_{i}(x)))}$. By finite field theory, ${\textstyle {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f_{i}(x))}$ is always the prime subfield of that field extension. Thus, ${\textstyle {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f(x)))}$ has ${\textstyle p}$ elements if and only if ${\textstyle f(x)}$ is irreducible.

Moreover, we can use the fact that the Frobenius automorphism is ${\textstyle \mathbb {F} _{p}}$-linear to calculate the fixed set. That is, we note that ${\textstyle {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f(x)))}$ is a ${\textstyle \mathbb {F} _{p}}$-subspace, and an explicit basis for it can be calculated in the polynomial ring ${\textstyle \mathbb {F} _{p}[x,y]/(f,g)}$ by computing ${\textstyle (x^{i}y^{j})^{p}}$ and establishing the linear equations on the coefficients of ${\textstyle x,y}$ polynomials that are satisfied iff it is fixed by Frobenius. We note that at this point we have an efficiently computable irreducibility criterion, and the remaining analysis shows how to use this to find factors.

The algorithm now breaks down into two cases:

• In the case of small ${\textstyle p}$ we can construct any ${\textstyle g\in {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/(f(x)))\setminus \mathbb {F} _{p}}$, and then observe that for some ${\textstyle a\in \mathbb {F} _{p}}$ there are ${\textstyle i,j}$ so that ${\textstyle g-a=0\mod f_{i}}$ and ${\textstyle g-a\not =0\mod f_{j}}$. Such a ${\textstyle g-a}$ has a nontrivial factor in common with ${\textstyle f(x)}$, which can be computed via the gcd. As ${\textstyle p}$ is small, we can cycle through all possible ${\textstyle a}$.
• For the case of large primes, which are necessarily odd, one can exploit the fact that a random nonzero element of ${\textstyle \mathbb {F} _{p}^{*}}$ is a square with probability ${\textstyle 1/2}$, and that the map ${\textstyle x\to x^{\frac {p-1}{2}}}$ maps the set of non-zero squares to ${\textstyle 1}$, and the set of non-squares to ${\textstyle -1}$. Thus, if we take a random element ${\textstyle g\in {\text{Fix}}_{p}(\mathbb {F} _{q}[x]/f(x))}$, then with good probability ${\textstyle g^{\frac {p-1}{2}}-1}$ will have a non-trivial factor in common with ${\textstyle f(x)}$.

For further details one can consult.[1]

## Applications

One important application of Berlekamp's algorithm is in computing discrete logarithms over finite fields ${\displaystyle \mathbb {F} _{p^{n}}}$, where ${\displaystyle p}$ is prime and ${\displaystyle n\geq 2}$. Computing discrete logarithms is an important problem in public key cryptography and error-control coding. For a finite field, the fastest known method is the index calculus method, which involves the factorisation of field elements. If we represent the field ${\displaystyle \mathbb {F} _{p^{n}}}$ in the usual way - that is, as polynomials over the base field ${\displaystyle \mathbb {F} _{p}}$, reduced modulo an irreducible polynomial of degree ${\displaystyle n}$ - then this is simply polynomial factorisation, as provided by Berlekamp's algorithm.

## Implementation in computer algebra systems

Berlekamp's algorithm may be accessed in the PARI/GP package using the factormod command, and the WolframAlpha [1] website.

## References

1. ^ "Theory of Computation - Dexter Kozen". Springer. Retrieved 2020-09-19.