This lecture is part of Berkeley Math 115, an introductory undergraduate course on number theory, and will be mostly about finding roots of polynomials modulo some prime number p. In the previous lecture we discussed polynomials of degree two and showed there was a reasonably fast algorithm to do this. In general, if you want to solve f(x) ≡ 0 mod p for f an arbitrary function, this can be rather hard if p is large. For example, if you want to solve the discrete logarithm problem, a^x ≡ b mod p, there doesn't seem to be any particularly easy way of doing this. However, it's easy for special functions f: it's easy if f is a polynomial. And there are several ways of doing this. There's one found by Berlekamp, and another found by Cantor and Zassenhaus, and I'm going to be describing the main idea of the Cantor-Zassenhaus algorithm for finding roots. In fact this is a special case of factorizing f into irreducible factors, so finding the roots is just the same as finding the linear factors, and I'll say a little bit more about this later. In order to do this we're going to need several other algorithms that we've discussed earlier, so I'll just briefly recall these. First of all we've got the Euclidean algorithm for finding the greatest common divisor of two numbers a and b, which is very fast. And what we're going to use is the fact that this works for polynomials. If we've got two polynomials f and g then we can find the greatest common divisor of the polynomials f and g, except that these polynomials might have coefficients in the integers modulo a prime number. Well, that's okay; it doesn't really make very much difference.

This is fast if the degree of f and g is small, whatever small means. If the degree of f is large, say 10^30 or something like that, then the obvious division with remainder of f by g, which you need for the Euclidean algorithm, starts getting very, very slow, because the number of steps it takes is going to be approximately equal to the degree of f. So we also want to be able to speed up division with remainder, and for this we recall the Russian peasant method of exponentiation. You remember that if we want to compute a^n, we don't use n - 1 multiplications; we write n in binary, in other words n = 2^(a_0) + 2^(a_1) + 2^(a_2) + ... for various integers a_0, a_1, a_2 and so on, and then we work out a^1, we square it to find a^2, we square it again to find a^4, and then we find a^8, and we work out, say, a^13 as a^8 times a^4 times a^1, where we write 13 in binary as 2^3 + 2^2 + 2^0. So we recall we can do exponentiation fast, and we also recall that we should reduce modulo something or other at each step: if we're working modulo a prime we should reduce modulo the prime at each step, and if we're trying to divide by a polynomial we should reduce modulo the polynomial at each step. And now we can do a fast division of polynomials. So we want to divide the polynomial f by g, and what we should do is this: you think of g as having small degree; f might have very large degree, however most of its coefficients are zero, and what we want is a way of speeding up the division of f by g. Well, if f is, say, equal to x^n plus lower terms with n very large, what we do instead of dividing f by g directly is work out x^n modulo the polynomial g. So I'm not taking modulo a number, I'm actually taking modulo a polynomial, which just means you throw away all multiples of this polynomial, and we can work out x^n mod g using the Russian peasant method, and this is a very fast method of working out exponentials. And if f has only a few non-zero coefficients we can do that with each monomial that occurs in f, and so we get a fast way of dividing polynomials with remainder even if one of the polynomials has really large degree.

Okay, having reviewed these fast algorithms, let's go back to finding the roots of f, where f is some polynomial of smallish degree. We recall that x^p - x was equal to x(x - 1)(x - 2)...(x - (p - 1)). That's by Fermat's theorem, because each of these numbers 0, 1, 2, 3 and so on is a root of this polynomial; that's just what Fermat's theorem says, so this must be divisible by all of these, and then you can see they're the same because their degrees are equal. So the greatest common divisor of x^p - x with f is equal to (x - r_1)(x - r_2)..., where r_1, r_2 and so on are the distinct roots of f. So if f has multiple roots we only get the multiple roots once each, because you can see that these will be exactly the factors dividing both this expression here and the polynomial f. So we can find the number of roots: it is equal to the degree of gcd(x^p - x, f). So we can count the number of roots of f, not counting multiplicity, very fast. And you notice that this might have a very high degree, but it only has very few non-zero coefficients, so we can work out the greatest common divisor very fast by working out x^p modulo f using the Russian peasant method. So this is indeed a fast algorithm even if p is very large, with hundreds of digits.

Well, we don't just want to know the number of roots, we want to know what the actual roots are, and here's the clever idea. The point is that we can actually factorize x^p - x as a product of polynomials with only a few coefficients: we can write it as x(x^(p-1) - 1), and now we can write this as x(x^((p-1)/2) - 1)(x^((p-1)/2) + 1). Here we're assuming p is odd. If p is equal to two it's completely trivial to find the roots of f, because you just try out the roots x = 0 and x = 1, so assuming p is odd doesn't really matter; we need p odd so we can divide p - 1 by two. And now you notice this will be a product of some of the roots of f and this will be a product of some of the roots of f, but it won't be all of them. So what we can do is calculate the greatest common divisor of f with x^((p-1)/2) - 1 and the greatest common divisor of f with x^((p-1)/2) + 1, and this will be a product of x - r_i for some of the roots and this will be a product of x - r_i for others of the roots. And if we are lucky, some roots of f are roots of x^((p-1)/2) - 1 and some are roots of x^((p-1)/2) + 1, and in that case the greatest common divisor has degree less than the degree of f, so we've broken f into a product of two polynomials of smaller degree, and then we can just carry on: by induction we assume we can find all the roots of polynomials of smaller degree, and so on. Well, that will sometimes work, but what if all the roots of f are roots of, say, x^((p-1)/2) - 1? In that case taking the greatest common divisor of f with this polynomial will just give us back f and we haven't made any progress; we haven't managed to reduce its degree. Well, all you do now is change f(x) to f(x + 1), and this changes all the roots by plus one, and then with any luck if we take the greatest common divisor of f(x + 1) with x^((p-1)/2) - 1 this will probably have degree less than that of f(x + 1). What if it doesn't? Well, then we try f(x + 2) with x^((p-1)/2) - 1, or I mean we don't have to add zero, one and two; we could just add random numbers here, but usually there's no particular reason not to just keep on adding one to x. So each of these has at least a 50% chance of either finding a root or reducing the degree of f, so this is a sort of probabilistic algorithm: we just try changing f at random until we find something that breaks it down into smaller factors.

So let's just do an example of this. Suppose we want to solve, say, x^4 - x^2 - 2 ≡ 0 modulo 5. Of course we could do this just by trial and error, but let's pretend that five is a really big number. So we factor x^5 - 1 as x(x^2 - 1)(x^2 + 1), so this is x(x^((p-1)/2) - 1)(x^((p-1)/2) + 1). We probably ought to stop and check that zero isn't a root, but that's pretty trivial: I mean, if the constant term vanishes then of course we notice the polynomial has zero as a root. So what we do is take the greatest common divisor of f with... well, we may as well take the greatest common divisor with x^5 - 1, and this will give us a polynomial which just has degree one factors, and we find the greatest common divisor is x^2 + 1, so we know it's got two roots. Now we try and find the roots of x^2 + 1, pretending we haven't already noticed they're two and minus two. So we take the greatest common divisor of x^2 + 1 with x^((5-1)/2) - 1 and we compute this greatest common divisor. Well, I mean, we ought to use the Russian peasant method if two were a very large number, but of course we just find this is equal to one, and this is no good; it hasn't told us what any of the roots are. So now we change this to (x + 1)^2 + 1, so here we're just changing x to x + 1 in this factor, and we try again. So we get x^((5-1)/2) - 1, and if we compute this greatest common divisor, well, this is just x^2 + 2, and if we compute the greatest common divisor of these two, the greatest common divisor is now x + 1. So we've found a root x = -1 of this expression here, so a root of x^2 + 1 is -1 - 1, which is -2. So we've managed to find a root of our original polynomial, and then we can take out a root and continue, and so on. So this will find roots of polynomials.

We can also factor polynomials into irreducible factors, and I'm not going to give the details of this; I'll just give the main idea. So the main idea for the degree one factors is that x - a divides x^p - x, and this is any degree one factor, and then any degree two irreducible polynomial divides x^(p^2) - x. I'm not going to prove this; it's a result you can prove if you study finite fields. So now instead of using x^p - x to pick out degree one factors we can do the same trick with x^(p^2) - x to produce degree two factors, say. This is x(x^((p^2-1)/2) - 1)(x^((p^2-1)/2) + 1), and again we now take the greatest common divisor of f with x^((p^2-1)/2) - 1, and if we're lucky this will produce a factorization of f, and if we're not lucky we can just try changing f to f + 1 and so on. More generally, any degree n irreducible polynomial divides x^(p^n) - x, so we can again do the same trick. By the way, we notice this only works if p is not equal to two; if p is equal to two then this method doesn't work directly and you need to try something a little bit more complicated. Okay, next lecture we'll be discussing how to rewrite a lot of number theory in terms of abstract algebra, like groups, rings and fields and so on.
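The root-finding procedure described in this lecture (fast gcd of f with x^p - x to count the distinct roots, then splitting with gcd(f(x + a), x^((p-1)/2) - 1) for a = 0, 1, 2, ... and recursing on both pieces), as an added worked example in Python. This is my own code, not anything from the course, and it uses its own small polynomial arithmetic over Z/pZ (coefficient lists, lowest degree first, reduced mod p) rather than a library; x^n mod g is computed by repeated squaring with a reduction after every multiplication, exactly as the lecture's Russian peasant method says to do. The inputs are constructed: the lecture's x^4 - x^2 - 2 mod 5, a repeated-root case, and x^2 - 2 modulo the Mersenne prime 2^61 - 1 to show that the gcd step stays fast when p is large.

```python
import itertools

# Polynomials over Z/pZ as coefficient lists, lowest degree first, entries reduced mod p.
X = [0, 1]  # the polynomial x


def trim(a):
    """Drop leading zero coefficients; [] is the zero polynomial."""
    while a and a[-1] == 0:
        a.pop()
    return a


def deg(a):
    return len(a) - 1


def add(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])


def sub(a, b, p):
    return add(a, [(-c) % p for c in b], p)


def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def divmod_poly(a, b, p):
    """Long division a = q*b + r over Z/pZ (b nonzero); returns (q, r)."""
    a = list(a)
    inv_lead = pow(b[-1], p - 2, p)  # Fermat inverse of the leading coefficient
    q = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        coef, shift = a[-1] * inv_lead % p, len(a) - len(b)
        q[shift] = coef
        for i, c in enumerate(b):
            a[i + shift] = (a[i + shift] - coef * c) % p
        trim(a)
    return trim(q), a


def gcd(a, b, p):
    """Euclid's algorithm for polynomials; the result is made monic."""
    while b:
        a, b = b, divmod_poly(a, b, p)[1]
    inv = pow(a[-1], p - 2, p) if a else 0
    return [c * inv % p for c in a]


def powmod(base, e, mod, p):
    """base^e reduced mod the polynomial `mod` by repeated squaring (Russian peasant),
    reducing after every multiplication so the degree never exceeds deg(mod)."""
    result, base = [1], divmod_poly(base, mod, p)[1]
    while e:
        if e & 1:
            result = divmod_poly(mul(result, base, p), mod, p)[1]
        base = divmod_poly(mul(base, base, p), mod, p)[1]
        e >>= 1
    return result


def shift_poly(f, a, p):
    """Return f(x + a) by Horner's rule with x + a substituted for x."""
    out = []
    for c in reversed(f):
        out = add(mul(out, [a % p, 1], p), [c % p], p)
    return out


def distinct_root_part(f, p):
    """gcd(f, x^p - x) = product of (x - r) over the distinct roots r of f mod p.
    x^p is never written out: only x^p mod f is computed, so a huge p is fine."""
    f = trim([c % p for c in f])
    return gcd(f, sub(powmod(X, p, f, p), X, p), p)


def count_roots(f, p):
    """Number of distinct roots of f mod p, without finding them."""
    return deg(distinct_root_part(f, p))


def find_roots(f, p):
    """All distinct roots of f mod p, found by Cantor-Zassenhaus style splitting."""
    if p == 2:  # the case the lecture sets aside: just try 0 and 1
        return [r for r in (0, 1) if sum(c * r ** i for i, c in enumerate(f)) % 2 == 0]
    return sorted(_split(distinct_root_part(f, p), p))


def _split(g, p):
    """g is a product of distinct linear factors; break it up with
    gcd(g(x + a), x^((p-1)/2) - 1) for a = 0, 1, 2, ... until a proper factor appears."""
    if deg(g) <= 0:
        return []
    if deg(g) == 1:  # g = c1*x + c0, so the root is -c0/c1
        return [(-g[0]) * pow(g[1], p - 2, p) % p]
    for a in itertools.count(0):
        ga = shift_poly(g, a, p)
        h = gcd(ga, sub(powmod(X, (p - 1) // 2, ga, p), [1], p), p)
        if 0 < deg(h) < deg(ga):  # proper split: the roots of h are the nonzero squares
            rest = divmod_poly(ga, h, p)[0]  # the other roots, including a possible 0
            return [(r + a) % p for r in _split(h, p) + _split(rest, p)]


if __name__ == "__main__":
    f5 = [3, 0, 4, 0, 1]  # constructed: x^4 - x^2 - 2 mod 5, the lecture's example
    print(count_roots(f5, 5), find_roots(f5, 5))  # 2 [2, 3]
    M61 = 2 ** 61 - 1  # Mersenne prime; 2 is a square mod it, so x^2 - 2 has two roots
    print(find_roots([M61 - 2, 0, 1], M61))  # [2147483648, 2305843007066210303]
```

Two details worth noticing when running it. A root equal to the shift a lands in neither x^((p-1)/2) - 1 nor x^((p-1)/2) + 1 (it sits in the factor x), which is why the quotient `rest` is recursed into as well rather than taking a second gcd. And for x^2 - 2 mod 2^61 - 1 the split already succeeds at a = 0, since -1 is not a square modulo that prime, so the two roots ±2^31 (note (2^31)^2 = 2^62 = 2 mod p) have opposite Legendre symbols; the whole run costs a few hundred multiplications of degree-one polynomials, not anything proportional to p.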