
Improvements on the Cantor-Zassenhaus

Factorization Algorithm

Michele Elia∗, Davide Schipani †

March 30, 2018


arXiv:1012.5322v2 [math.NT] 27 May 2011

Abstract
After revisiting the Cantor-Zassenhaus polynomial factorization algorithm, we describe a new simplified version of it, which entails a lower computational cost. Moreover, we show that it can be used to find a factor of a fully splitting polynomial of degree t over $\mathbb{F}_{2^m}$ with $O\!\left(\frac{2^m}{3^t}\right)$ attempts and over $\mathbb{F}_{p^m}$ for odd p with $O\!\left(\frac{p^m}{2^t}\right)$ attempts.

Keywords: Polynomial factorization, Cantor-Zassenhaus


Mathematics Subject Classification (2010): 12Y05, 12E30

1 Introduction
The Cantor-Zassenhaus polynomial factorization algorithm ([6]) is an efficient (polynomial-time)
probabilistic algorithm for factoring polynomials over a finite field Fpm , that are the product of
irreducible polynomials with a common degree s and multiplicity one. When the multiplicity
is above 1, the factors can be separated by computing the greatest common divisor of the given
polynomial and its formal derivative. If the irreducible polynomials have different degrees, the
factors are separated by computing the greatest common divisors with polynomials of the form $x^{p^{mr}-1} - 1$, starting from r = 1, so as to obtain the product of all irreducible factors of degree r = 1, 2, . . . (see e.g. [7]). Thus standard methods can be used to reduce the problem to the above
case.
We will now introduce the Cantor-Zassenhaus factorization algorithm, providing a non-
standard explanation which will be the basis for the rest of the paper: in the Sections below we
will show how it can be improved, giving a new description with a more favorable estimate of its
complexity and success rate. In fact this description leads us to consider a deterministic version of
the algorithm, so that we will be concerned with the problem of establishing how many attempts
are needed in the worst case to obtain a factor (with probability 1) and what is the least degree of
the polynomial such that a factor is found with at most a fixed number of attempts.

∗ Politecnico di Torino, Italy

† University of Zurich, Switzerland
Let σ(z) be a polynomial of degree t over Fpm which is a product of irreducible polynomials
of degree s, i.e. t = s · d.
Let us assume that s = 1 as a first instance and suppose that the trivial factor z does not
divide σ(z).
We first deal with the case p = 2, and following [6] we assume that m is even, otherwise
we would consider a quadratic extension solely for the computations. If α is a known primitive element of $\mathbb{F}_{2^m}$, we define $\ell_m = \frac{2^m - 1}{3}$ and $\rho = \alpha^{\ell_m}$, which is thus a primitive cubic root of unity in the field $\mathbb{F}_{2^m}$.
Let c(z) be a non-constant polynomial over $\mathbb{F}_{2^m}$ of degree less than t, and let

$$a(z) = c(z)^{\ell_m} \bmod \sigma(z)$$

which is again a polynomial of degree at most t − 1. Furthermore, we have

$$(c(z)^{\ell_m} + 1)(c(z)^{\ell_m} + \rho)(c(z)^{\ell_m} + \rho^2) = c(z)^{2^m - 1} - 1 .$$

Now, either gcd(c(z), σ(z)) is non-trivial (and thus we already have a factor of σ(z)) or else $c(z)^{2^m-1} - 1 = 0 \bmod \sigma(z)$. In this latter case, if we write $c(z)^{2^m-1} - 1 = Q(z)\sigma(z) + R(z)$ and specialize it in the roots $\{z_i\}$ of σ(z), we see that R(z), which is a polynomial of degree t − 1, takes the value 0 for all t roots, as $\beta^{2^m-1} - 1 = 0$ for any $\beta \in \mathbb{F}^*_{2^m}$. This implies that R(z) is identically 0. Thus we can write

$$(c(z)^{\ell_m} + 1)(c(z)^{\ell_m} + \rho)(c(z)^{\ell_m} + \rho^2) = (a(z) + 1)(a(z) + \rho)(a(z) + \rho^2) = 0 \bmod \sigma(z) .$$

Since every factor of the product (a(z) + 1)(a(z) + ρ)(a(z) + ρ²) has degree less than t, at least two of them must have a common non-trivial factor with σ(z), unless a(z) = 1, ρ, ρ². In this latter case, the Cantor-Zassenhaus algorithm considers another random polynomial instead of c(z), and reiterates the procedure until all factors have been found.
Notice that a(z) ≡ 0 never occurs, since c(z) has degree less than σ(z), so that at least one root of σ(z), say β, is not a root of c(z); then substituting β in the identity $c(z)^{\ell_m} = q(z)\sigma(z) + a(z)$, we get a(β) ≠ 0, therefore a(z) is not identically zero (this holds even if the roots of σ were not in the field of the coefficients, as in the original description of the algorithm).
For the case p > 2, the procedure is similar: we would consider $\ell_m = \frac{p^m - 1}{2}$ and $\rho = \alpha^{\ell_m} = -1$, where α is a primitive element of $\mathbb{F}_{p^m}$. Here we would compute $a(z) = c(z)^{\ell_m} \bmod \sigma(z)$ and then factor as soon as a(z) ≠ ±1.
Let us consider now the case s > 1. One option is to look at $\mathbb{F}_{p^{sm}}$, where the polynomial fully splits into linear factors: once a factor z − β is found, it can be multiplied with the factors $z - \beta^{p^{mi}}$, with 1 ≤ i ≤ s − 1, to obtain an irreducible factor of degree s. A second option is the application of the algorithms over $\mathbb{F}_{p^m}$ ([5], [6]), to directly find the irreducible factors of degree s over $\mathbb{F}_{p^m}$. If p = 2, the argument follows as above: either gcd(c(z), σ(z)) is non-trivial, or gcd(c(z), σ(z)) = 1, in which case

$$(c(z)^{\ell_{sm}} + 1)(c(z)^{\ell_{sm}} + \rho)(c(z)^{\ell_{sm}} + \rho^2) = (a(z) + 1)(a(z) + \rho)(a(z) + \rho^2) = 0 \bmod \sigma(z) .$$

Since every factor of the product (a(z) + 1)(a(z) + ρ)(a(z) + ρ2 ) has degree less than t, at least
two of them must have a common non-trivial factor with σ(z) in F2m , unless a(z) = 1, ρ, ρ2 . In
this latter case, the Cantor-Zassenhaus algorithm considers another random polynomial c(z), and
reiterates the procedure until all factors have been found.

For the case p > 2, the procedure is similar: we would consider $\ell_{sm} = \frac{p^{sm} - 1}{2}$ and compute $a(z) = c(z)^{\ell_{sm}} \bmod \sigma(z)$ and then factor as soon as a(z) ≠ ±1.
In the next Section we will present a variant of the Cantor-Zassenhaus algorithm, according
to the description given above, and then deal with probabilistic as well as deterministic consider-
ations about its success rate.

2 An improved algorithm
We focus first on the case s = 1 and show that it is enough, and indeed convenient, to choose
c(z) = z as initial test polynomial and to choose c(z) = z + β, for some random β 6= 0, as further
test polynomial, and continuing by choosing random βs different from the previous ones until a
factor is found. A similar approach was already present in [13] for the case of odd characteristic
(cf. also [1]).
We then consider the case s > 1, where polynomials of degree 1 or s will be involved as test
polynomials in order to obtain bounds on the number of attempts to find a factor.

2.1 Case s = 1
Suppose σ(z) is over $\mathbb{F}_{2^m}$ and $z^{\ell_m} = \rho^i \bmod \sigma(z)$, i ∈ {0, 1, 2}. Now, any element in $\mathbb{F}^*_{2^m}$ can be written as $\alpha^{k+3n}$, with k ∈ {0, 1, 2}: we define $A_0 = \{\alpha^{3i} : i = 0, \dots, \ell_m - 1\}$, that is the subgroup of the elements of $\mathbb{F}^*_{2^m}$ that are cubic powers, and let $A_1 = \alpha A_0$ and $A_2 = \alpha^2 A_0$ be the two cosets that complete the coset partition of $\mathbb{F}^*_{2^m}$. If we substitute $\alpha^{k+3n}$ for any root $z_i$ of σ(z) in $z^{\ell_m} - \rho^i = Q(z)\sigma(z)$, we obtain $\rho^k - \rho^i = 0$, which implies k = i. This means that if $z^{\ell_m} = \rho^i \bmod \sigma(z)$, then all the roots of σ(z) are of the form $\alpha^{i+3n}$, that is they belong to the same
coset. When this situation occurs, we consider another test polynomial c(z) = z + β, which is
equivalent to testing c(z) = z for the polynomial ς(z) whose set of roots is {zi + β}. The test
succeeds as soon as we find a β such that the roots zi + β do not all belong to the same coset.
The next step is to determine an upper bound to the number of attempts needed in the worst
case scenario, or on average, until a factor is found.
Let us first consider the simple case t = 2: suppose that z1 and z2 belong to the same coset;
then we look for a β such that z1 + β and z2 + β are in different cosets. For the worst case scenario,
we need to know how many pairs (z1 + β, z2 + β) have both elements in the same coset. This is
equivalent to knowing the number of ways in which $z_1 - z_2 = z_1 + \beta - (z_2 + \beta)$ can be written as the sum of two elements in the same coset. This number is actually $\frac{2^m - 1}{3} - 1$, as can be deduced from [19, Theorem 1] specialized with i = 0 and χ the cubic character. So at most with $\frac{2^m - 1}{3}$ attempts we can factor a polynomial of degree 2. Clearly at each test we can factor with a probability of $\frac{2}{3}$, so that the expected number of attempts is 1.5.
If σ(z) is a polynomial over $\mathbb{F}_{p^m}$, p > 2, then the maximum number of attempts is $\frac{p^m - 1}{2}$, by similar reasoning: we again use some additive properties of residues ([11, 12, 14, 19]). At each test we can factor with a probability of $\frac{1}{2}$, so that the expected number of attempts is 2.
The remainder of this paper will be devoted to establishing both probabilistic estimates and
deterministic bounds on the number of attempts needed to successfully factor, for a generic t. A
first deterministic, though very loose, bound is the following:

Proposition 1 The maximum number of attempts needed to find a factor is upper bounded by $\ell_m$ (that is $\frac{2^m - 1}{3}$ or $\frac{p^m - 1}{2}$ for p = 2 or p odd, respectively). In particular, in the Cantor-Zassenhaus algorithm it is sufficient to consider only linear polynomials as test polynomials c(z).

PROOF. In characteristic 2, if a root $z_i$ belongs to a given known coset, we can test all the $\ell_m$ elements of that coset, until we obtain $z_i$ itself: $z_i + z_i$ adds to 0, which does not belong to any coset. Thus we will succeed with at most $\ell_m$ attempts. In characteristic p greater than 2, it is sufficient to add all the elements of the coset multiplied by p − 1.
That it is enough to consider all the $p^m$ monic linear polynomials is anyway clear since computing $\gcd\{z - \beta, \sigma(z)\}$ for all β in $\mathbb{F}_{p^m}$ would be enough to find all the factors.

Remark 1 The above argument implies that, if the first attempt fails, we know which coset the
roots belong to, and can restrict our choice of β to that coset.

Remark 2 Alternatively, the upper bounds of the proposition follow from the above remarks
about t = 2: clearly, if t is bigger than 2, then a degree-2 polynomial is anyway a factor of the
t-degree polynomial, so that the maximum number of attempts cannot exceed the number needed
to factor this degree-2 polynomial.

Remark 3 In the original version of the Cantor-Zassenhaus algorithm, gcd(a(z), σ(z)) is com-
puted when searching for a factor of σ(z), corresponding to the case when gcd(c(z), σ(z)) is non-
trivial. Our version of the algorithm avoids this computation, since it is sufficient to evaluate σ(z)
in β with any efficient polynomial evaluation algorithm; this can be done before exponentiating
to the power ℓm .

Remark 4 If q is a prime factor of $p^m - 1$, then we may consider the exponent $\ell_m = \frac{p^m - 1}{q}$: in this case the probability of success is $\frac{q-1}{q}$ and the corresponding expected number of attempts is $\frac{q}{q-1}$, which is close to 1 already for small primes like 5 or 7; the drawback is that, if q is large, in the worst case we must check q greatest common divisors, namely $\gcd(a(z) + \zeta_q^j, \sigma(z))$, for 0 ≤ j ≤ q − 1, where $\zeta_q$ is a q-th primitive complex root of unity.
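As an added worked example (not code from the paper), the following Python implements the Section 2 variant for odd p with m = 1 and s = 1: the test polynomials are c(z) = z and then z + β, σ(z) is evaluated at −β before exponentiating (Remark 3), and gcd(a(z) − 1, σ(z)) is taken as soon as a(z) ≠ ±1. The coefficient-list representation, the function names and the sample σ(z) = (z − 3)(z − 7) over F_13 are assumptions of this example; it also exhausts all pairs of roots to check the Section 2.1 bound of (p − 1)/2 attempts for degree 2.

```python
# Added example (not from the paper): Section 2 variant of Cantor-Zassenhaus for odd p,
# m = 1 (so F_{p^m} = F_p) and s = 1, i.e. sigma(z) is a product of distinct linear factors.
# Polynomials are coefficient lists, lowest degree first, with coefficients reduced mod p.

def p_trim(f):
    """Drop leading zero coefficients; the zero polynomial is [0]."""
    while len(f) > 1 and f[-1] == 0:
        f = f[:-1]
    return f

def p_sub(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return p_trim([(a - b) % p for a, b in zip(f, g)])

def p_mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return p_trim(out)

def p_divmod(f, g, p):
    """Long division by a non-zero g; returns (quotient, remainder)."""
    f, g = p_trim(list(f)), p_trim(list(g))
    inv = pow(g[-1], p - 2, p)            # inverse of the leading coefficient (Fermat)
    q = [0] * max(1, len(f) - len(g) + 1)
    while len(f) >= len(g) and f != [0]:
        coef = f[-1] * inv % p
        shift = len(f) - len(g)
        q[shift] = coef
        for i, b in enumerate(g):
            f[shift + i] = (f[shift + i] - coef * b) % p
        f = p_trim(f)
    return p_trim(q), f

def p_gcd(f, g, p):
    """Monic greatest common divisor (Euclid)."""
    while p_trim(g) != [0]:
        f, g = g, p_divmod(f, g, p)[1]
    inv = pow(f[-1], p - 2, p)
    return [c * inv % p for c in f]

def p_powmod(base, e, mod, p):
    """base(z)^e mod mod(z) by square-and-multiply."""
    result, base = [1], p_divmod(base, mod, p)[1]
    while e:
        if e & 1:
            result = p_divmod(p_mul(result, base, p), mod, p)[1]
        base = p_divmod(p_mul(base, base, p), mod, p)[1]
        e >>= 1
    return result

def p_eval(f, x, p):
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % p
    return acc

def split_once(sigma, p):
    """Proper factor of a monic sigma(z) over F_p (degree >= 2, distinct roots in F_p).

    Test polynomials are c(z) = z, then z + beta for beta = 1, 2, ..., as in Section 2.
    Returns (factor, number of attempts)."""
    ell = (p - 1) // 2                    # the exponent l_m for m = 1 and odd p
    for attempt, beta in enumerate(range(p), start=1):
        c = [beta, 1]                     # c(z) = z + beta
        # Remark 3: evaluate sigma at -beta first; zero means z + beta already divides sigma
        if p_eval(sigma, (-beta) % p, p) == 0:
            return c, attempt
        a = p_powmod(c, ell, sigma, p)    # a(z) = c(z)^l mod sigma(z)
        if a not in ([1], [p - 1]):       # a(z) != +-1, so gcd(a(z) - 1, sigma(z)) is proper
            return p_gcd(p_sub(a, [1], p), sigma, p), attempt
    raise ValueError("sigma does not split into distinct linear factors over F_p")

def roots_of(sigma, p):
    """Complete factorization by re-applying split_once to both parts (Section 3)."""
    sigma = p_trim(list(sigma))
    if len(sigma) == 2:                   # z + c has the single root -c
        return [(-sigma[0]) % p]
    f, _ = split_once(sigma, p)
    g, _ = p_divmod(sigma, f, p)
    return sorted(roots_of(f, p) + roots_of(g, p))

def worst_case_attempts_deg2(p):
    """Max of split_once's attempts over all degree-2 sigma with distinct roots;
    Section 2.1 bounds it by (p - 1) / 2."""
    worst = 0
    for r1 in range(p):
        for r2 in range(r1 + 1, p):
            sigma = p_mul([(-r1) % p, 1], [(-r2) % p, 1], p)   # (z - r1)(z - r2)
            worst = max(worst, split_once(sigma, p)[1])
    return worst

if __name__ == "__main__":
    print(split_once([8, 3, 1], 13))      # sigma = (z - 3)(z - 7) over F_13
    print(roots_of([7, 1, 4, 3, 1], 13))  # (z - 2)(z - 3)(z - 7)(z - 11) over F_13
    print(worst_case_attempts_deg2(13))
```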

2.2 Case s > 1


If s > 1, either we look for linear factors in $\mathbb{F}_{p^{ms}}$, and the analysis is the same as in the case s = 1, or we choose the direct method, as explained in the previous section. In this case, by a similar argument as above, the algorithm succeeds as soon as the $c(z_i)$, $z_i$ being the roots of σ(z), are not all in the same coset. This is equivalent to asking that non-conjugate roots are not all in the same coset, as

$$c(z_i^{p^m})^{\ell_{sm}} = ((c(z_i))^{p^m})^{\ell_{sm}} = ((c(z_i))^{\ell_{sm}})^{p^m} = (c(z_i))^{\ell_{sm}}$$

by the properties of the Frobenius automorphism.
Let us see this more precisely, describing in detail the case p = 2, while a similar argument
applies in the case of odd primes. Let σ(z) be, as above, a polynomial of degree t over F2m ,

which is a product of d irreducible polynomials σi (z) of degree s over the same field F2m , where
it is not restrictive to assume even m. According to the Cantor-Zassenhaus algorithm, a polynomial
c(z) over F2m , relatively prime with σ(z), separates σ(z) into two polynomials of smaller degree
if a(z) = c(z)ℓsm mod σ(z) is different from 1, ρ, ρ2 : at least two factors σi (z) are in two distinct
greatest common divisors between σ(z) and a(z) + 1, a(z) + ρ, and a(z) + ρ2 , respectively.

Lemma 1 With the above hypotheses and definitions, a polynomial c(z) over $\mathbb{F}_{2^m}$ separates σ(z) into two polynomials one containing the factor $\sigma_1(z)$, and a second one containing the factor $\sigma_2(z)$ if and only if $c(z)^{\ell_{sm}} \bmod \sigma_1(z) \ne c(z)^{\ell_{sm}} \bmod \sigma_2(z)$. Equivalently, $\sigma_1(z)$ and $\sigma_2(z)$ are separated if and only if $c(z_1)$ and $c(z_2)$ belong to different cosets $A'_h$ of $\mathbb{F}^*_{2^{sm}}$, where $z_1$ and $z_2$ are roots of $\sigma_1(z)$ and $\sigma_2(z)$, respectively.

PROOF. The polynomial σ(z) can be written as a product of three polynomials, i.e. $\sigma_1(z)$, $\sigma_2(z)$, and $\sigma_r(z)$ which collects the remaining factors, thus a(z) can be decomposed, using the Chinese Remainder Theorem (CRT), as

$$a(z) = a_1(z)\psi_1(z) + a_2(z)\psi_2(z) + a_r(z)\psi_r(z) \bmod \sigma(z) , \qquad \psi_1(z) + \psi_2(z) + \psi_r(z) = 1 ,$$

where $a_1(z) = c(z)^{\ell_{sm}} \bmod \sigma_1(z)$, $a_2(z) = c(z)^{\ell_{sm}} \bmod \sigma_2(z)$, and $a_r(z) = c(z)^{\ell_{sm}} \bmod \sigma_r(z)$.
If a(z) = 1, ρ, ρ², the uniqueness of the CRT decompositions implies that $a_1(z) = a_2(z) = a_r(z)$.
If a(z) ≠ 1, ρ, ρ², then c(z) separates σ(z) into two polynomials of smaller degree, and we distinguish two cases:

1) $a_1(z) \ne a_2(z)$: the polynomials $\sigma_1(z)$ and $\sigma_2(z)$ are in different factors because, if both of them were in the same factor, they would both divide the same polynomial $a(z) + \rho^h$, thus $a_i(z) = a(z) = \rho^h$ modulo $\sigma_i(z)$, i = 1, 2, contrary to the assumption.

2) $a_1(z) = a_2(z)$: $\sigma_1(z)$ and $\sigma_2(z)$ are in the same factor; in fact, suppose they are not, then $a_1(z) = a(z) = \rho^{h_1} \bmod \sigma_1(z) \ne a_2(z) = a(z) = \rho^{h_2} \bmod \sigma_2(z)$, yielding a contradiction.

Also, since $a(z) = c(z)^{\ell_{sm}} \bmod \sigma(z)$ and $a(z) = a_i(z) = \rho^{h_i} \bmod \sigma_i(z)$, we have that $c(z_i)^{\ell_{sm}} = \rho^{h_i}$, i = 1, 2, which means that $c(z_i) \in A'_{h_i}$, hence it follows from the first part of the lemma that c(z) separates $\sigma_1(z)$ and $\sigma_2(z)$ if and only if $c(z_1) \ne c(z_2)$.

Now, as in the case s = 1, we are interested in upper bounds for the number of attempts and
we can limit the choice of c(z), according to our convenience. For example, if we know at least
one primitive polynomial m(z) of degree s, we can choose the polynomials c(z) within the set of monic irreducible polynomials of degree s, so that we get directly $\frac{p^{ms}}{s}$ as an upper bound. If we do not have any primitive polynomial of degree s, that is no means to get and draw from the pool of irreducible polynomials of degree s, then we can choose the polynomials c(z) within the larger set of monic polynomials of degree s, and we have the looser bound $p^{ms}$. Somehow surprisingly,
we show next that usually it is actually sufficient to consider again linear polynomials.
Let $\chi'_3(x)$ be a non-trivial cubic character over $\mathbb{F}_{2^{sm}}$, namely $\chi'_3$ is a mapping from $\mathbb{F}^*_{2^{sm}}$ into the complex numbers defined as

$$\chi'_3(\alpha^h \theta) = \zeta_3^h \qquad \theta \in A'_0 ,\ h = 0, 1, 2 ,$$

α being a primitive element of $\mathbb{F}^*_{2^{sm}}$, $\zeta_3$ a primitive complex cubic root of unity, and $A'_0$ the coset of cubes in $\mathbb{F}^*_{2^{sm}}$. Moreover, we set $\chi'_3(0) = 0$ by definition.
If $z_1$ and $z_2$ are roots of two distinct irreducible polynomials of degree s, we denote with $N_2^{(m)}(z_1, z_2)$ the number of monic polynomials c(z) = z + β with $\beta \in \mathbb{F}_{2^m}$ such that $\chi'_3(c(z_1)) = \chi'_3(c(z_2))$.

Proposition 2 The maximum number $N_A$ of attempts needed to find an irreducible factor of degree s, using monic linear polynomials as test polynomials, is upper bounded by $\frac{2^m}{3}\left(1 + \frac{4s-2}{\sqrt{2^m}} + \frac{1}{2^m}\right)$ if p = 2, or by $\frac{p^m}{2}\left(1 + \frac{2s-1}{\sqrt{p^m}}\right)$ if p is odd. In particular linear polynomials are sufficient to find a factor if $\frac{4s-2}{\sqrt{2^m}} < 2$ or $\frac{2s-1}{\sqrt{p^m}} < 1$, respectively.

PROOF. In the case of characteristic 2, $N_A$ is upper bounded by the maximum of $N_2^{(m)}(z_1, z_2) + 1$ taken over all distinct pairs of roots $z_1$ and $z_2$ of distinct irreducible polynomials of degree s. Thus an upper bound for $N_2^{(m)}(z_1, z_2)$ independent of $z_1$ and $z_2$ is also an upper bound for $N_A - 1$.
Consider the indicator function

$$I_{A'_h}(c(z_i)) = \frac{1 + \bar\zeta_3^{\,h} \chi'_3(c(z_i)) + \zeta_3^h \bar\chi'_3(c(z_i))}{3} \qquad i = 1, 2 ,$$

which is 1 if the cubic character of $c(z_i)$ is $\zeta_3^h$, and is 0 otherwise, if we suppose c(z) relatively prime with σ(z).
Therefore, for a given c(z) we have a coincidence whenever the product $I_{A'_h}(c(z_1)) I_{A'_h}(c(z_2))$ is 1. Thus,

$$\sum_{h=0}^{2} I_{A'_h}(c(z_1)) I_{A'_h}(c(z_2)) = \frac{1 + \chi'_3(c(z_1))\bar\chi'_3(c(z_2)) + \bar\chi'_3(c(z_1))\chi'_3(c(z_2))}{3}$$

is the coincidence indicator for a fixed polynomial c(z). Summing over all monic linear polynomials z + β over $\mathbb{F}_{2^m}$, we get the total number $N_2^{(m)}(z_1, z_2)$ of coincidences

$$N_2^{(m)}(z_1, z_2) = \frac{1}{3} \sum_{\beta \in \mathbb{F}_{2^m}} \left[ 1 + \chi'_3(z_1 + \beta)\bar\chi'_3(z_2 + \beta) + \bar\chi'_3(z_1 + \beta)\chi'_3(z_2 + \beta) \right] - \frac{2}{3} ,$$

where $-\frac{2}{3}$ comes from excluding those polynomials z + β having $z_1$ or $z_2$ as root. We split the summation in three summations, the first summation is simply $2^m$, and the second and third summations are complex conjugated, thus it is enough to evaluate only the summation

$$C = \sum_{\beta \in \mathbb{F}_{2^m}} \chi'_3(z_1 + \beta)\bar\chi'_3(z_2 + \beta) .$$

This summation is hard to evaluate in closed form, thus we content ourselves with a bound. Namely, as $\chi'_3$ can be considered as the lifted character of a nontrivial character $\chi_3$ over $\mathbb{F}_{2^m}$ [9], we can write

$$C = \sum_{\beta \in \mathbb{F}_{2^m}} \chi_3\!\left(N_{\mathbb{F}_{2^{ms}}/\mathbb{F}_{2^m}}(z_1 + \beta)\right)\bar\chi_3\!\left(N_{\mathbb{F}_{2^{ms}}/\mathbb{F}_{2^m}}(z_2 + \beta)\right),$$

where $N_{\mathbb{F}_{2^{ms}}/\mathbb{F}_{2^m}}(x) = x \cdot x^{2^m} \cdots x^{2^{m(s-1)}}$ is the relative norm of x.
Since $N_{\mathbb{F}_{2^{ms}}/\mathbb{F}_{2^m}}(z_i + \beta)$, i = 1, 2, are polynomials of degree s in β, and $\bar\chi_3 = \chi_3^2$, we can then use the Weil bound ([16, Theorem 2C']; cf. also [18], [20, Lemma 2.2]) to obtain

$$|C| < (2s - 1)\, 2^{m/2} .$$

In conclusion we obtain $N_A$ bounded as

$$N_A < \frac{2^m}{3}\left(1 + \frac{4s - 2}{\sqrt{2^m}} + \frac{1}{2^m}\right) .$$

The same argument works similarly for p odd, and making the appropriate changes the conclusion is

$$N_A < \frac{p^m}{2}\left(1 + \frac{2s - 1}{\sqrt{p^m}}\right) .$$


In the following we analyse the algorithm more in detail both from a probabilistic and a
deterministic point of view; in particular we will show that the maximum number of attempts to
get a factor is usually very small, so that the algorithm, which is probabilistic in nature, can often
be considered deterministic. In order to simplify the subsequent analysis, we will suppose that
s = 1 from now on.

3 Probability of factoring
The Cantor-Zassenhaus algorithm is very efficient in factoring polynomials, but is not determin-
istic. We can show, however, that the maximum number of attempts, following the modified
version above, decreases exponentially with the degree of the polynomial, so that the probability
of factoring with one test is close to 1 when the degree is large enough.
Making the reasonable assumption that the set $\{z_i + \beta\}$ for some β is made up of elements which belong to each coset $A_i$ with probability 1/3 (or 1/2 in the case p > 2), independently of one another, then $3 \cdot \frac{1}{3^t}$ is the probability that they all belong to a common coset of the three cosets (and $2 \cdot \frac{1}{2^t}$ in case of the two cosets in $\mathbb{F}^*_{p^m}$, p > 2). Therefore the number of attempts to obtain a factor, in the worst case scenario, is roughly $\frac{2^m}{3^{t-1}}$ and $\frac{p^m}{2^{t-1}}$ respectively. And the expected number is $\frac{1}{1 - \frac{1}{3^{t-1}}} = 1 + \frac{1}{3^{t-1} - 1}$ or $1 + \frac{1}{2^{t-1} - 1}$.
Furthermore, suppose we fail at the first attempt, then we can choose β within a certain coset, and the probability of failing at the next n attempts is only $\frac{1}{3^{tn}}$.
Clearly, once a factor is found, the polynomial splits into two parts to which we will re-apply the previous computation if we are interested in a complete factorization, until all linear factors are obtained.

4 Deterministic splitting I: fixed t
If we use the proposed variant of the Cantor-Zassenhaus algorithm, the tightest upper bound to
the number of attempts necessary to split a polynomial σ(z) of degree t over F2m is equal to

$$1 + \max_{z_1 \ne z_2 \ne \cdots \ne z_t} N_2(t),$$

where $N_2(t)$ is the number of solutions β of a system of t equations in $\mathbb{F}_{2^m}$ of the form

$$\begin{cases} \alpha^i z_1^3 + \beta = \alpha^k y_1^3 \\ \alpha^i z_2^3 + \beta = \alpha^k y_2^3 \\ \quad\vdots \\ \alpha^i z_t^3 + \beta = \alpha^k y_t^3 \end{cases} \qquad (1)$$

where $\alpha^i z_1^3, \alpha^i z_2^3, \dots, \alpha^i z_t^3$ are given and distinct (i.e. they are the roots of σ(z)), whereas the $y_i$s must be chosen in the field to satisfy the system, and the three values {0, 1, 2} for k and i are all considered. However, we may assume i = 0, since dividing each equation by $\alpha^i$, and setting $\beta' = \beta\alpha^{-i}$ and $k' = k - i \bmod 3$, we see that the number of solutions of the system is independent of i. If the system is unsolvable, then the number of attempts is 1.
To evaluate $N_2(t)$, we define an indicator function of the sets $A_u$ using the cubic character, namely for every x ≠ 0

$$I_{A_j}(x) = \frac{1 + \zeta_3^{2j}\chi_3(x) + \zeta_3^j\bar\chi_3(x)}{3} = \begin{cases} 1 & \text{if } x \in A_j \\ 0 & \text{otherwise} \end{cases} \qquad j = 0, 1, 2 ,$$

(where the bar denotes complex conjugation). Then, given a $z_i$ we can partition the elements $\beta \ne z_i^3$ in $\mathbb{F}_{2^m}$ into subsets depending on the k ∈ {0, 1, 2} such that $\chi_3(\beta + z_i^3) = \zeta_3^k$. Therefore, a solution of (1) for a fixed k and i = 0 is singled out by the product

$$\prod_{i=1}^{t} I_{A_k}(\beta + z_i^3) = \frac{1}{3^t}\left[1 + \sum_{i=1}^{t} \sigma_i^{(k)}\right] ,$$

where each $\sigma_i^{(k)}$ is a homogeneous sum of monomials which are products of i characters of the form $\chi_3(\beta + z_h^3)$ or $\bar\chi_3(\beta + z_h^3)$. Thus $N_2(t)$ is

$$N_2(t) = \sum_{\substack{\beta \in \mathbb{F}_{2^m} \\ \beta \notin \{z_i^3\}}} \left[ \prod_{i=1}^{t} I_{A_0}(\beta + z_i^3) + \prod_{i=1}^{t} I_{A_1}(\beta + z_i^3) + \prod_{i=1}^{t} I_{A_2}(\beta + z_i^3) \right] . \qquad (2)$$

The roots $z_i$ in the sum need not be considered, since in any case they are not solutions ($z_i^3 + z_i^3 = 0$ cannot be in the same coset as $z_i^3 + z_j^3$ if i ≠ j).
Similarly, in characteristic greater than 2, the tightest upper bound to the number of attempts necessary to split a polynomial σ(z) of degree t is equal to

$$1 + \max_{z_1 \ne z_2 \ne \cdots \ne z_t} N_p(t),$$

where $N_p(t)$ is the number of solutions β of a system of t equations in $\mathbb{F}_{p^m}$ of the form

$$\begin{cases} \alpha^i z_1^2 + \beta = \alpha^k y_1^2 \\ \alpha^i z_2^2 + \beta = \alpha^k y_2^2 \\ \quad\vdots \\ \alpha^i z_t^2 + \beta = \alpha^k y_t^2 \end{cases} \qquad (3)$$

where $\alpha^i z_1^2, \alpha^i z_2^2, \dots, \alpha^i z_t^2$ are given and distinct and the two values {0, 1} for k and i are considered. Again, we may assume i = 0 and we can define an indicator function of the sets $B_u$ using the quadratic character, where $B_0$ is the set of squares and $B_1$ the complementary set in $\mathbb{F}^*_{p^m}$: namely, let $\chi_2$ be a mapping from $\mathbb{F}^*_{p^m}$ into the complex numbers defined as

$$\chi_2(\alpha^h \theta) = (-1)^h \qquad \theta \in B_0 ,\ h = 0, 1 .$$

Again, we set $\chi_2(0) = 0$.


The corresponding indicator function is thus

$$I_{B_j}(x) = \frac{1 + (-1)^j\chi_2(x)}{2} = \begin{cases} 1 & \text{if } x \in B_j \\ 0 & \text{otherwise} \end{cases} \qquad j = 0, 1 .$$

Given a $z_i$ we partition $\mathbb{F}_{p^m} \setminus \{z_i^2\}$ into subsets depending on the value of k, such that $\chi_2(\beta + z_i^2) = (-1)^k$. Therefore, a solution of (3) for a fixed k is given by the product

$$\prod_{i=1}^{t} I_{B_k}(\beta + z_i^2) = \frac{1}{2^t}\left[1 + \sum_{i=1}^{t} \sigma_i^{(k)}\right] ,$$

where each $\sigma_i^{(k)}$ is a homogeneous sum of monomials which are products of i characters of the form $\chi_2(\beta + z_h^2)$. Thus $N_p(t)$ is

$$N_p(t) = \sum_{\substack{\beta \in \mathbb{F}_{p^m} \\ \beta \notin \{-z_i^2\}}} \left[ \prod_{i=1}^{t} I_{B_0}(\beta + z_i^2) + \prod_{i=1}^{t} I_{B_1}(\beta + z_i^2) \right] . \qquad (4)$$

The following subsections deal with computations of Np (t) for small values of t, then with
general bounds on Np (t).

4.1 Computations for small t


In the following computations, we will use some properties of nontrivial characters that we briefly mention: $\sum_{x \in \mathbb{F}_q} \chi(x) = 0$; if β ≠ 0, then $\sum_{x \in \mathbb{F}_q} \chi(x)\bar\chi(x + \beta) = -1$ ([15, 19]). Moreover,

$$\sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\chi_3(x + 1) = G_m(1, \chi) = -(-2)^{m/2} ,$$

with $G_m(1, \chi)$ being the Gauss sum ([15]).


We will start with the case p = 2. First we compute N2 (2), already found above with another
technique, then analogously N2 (3).

t = 2. Setting $x_i = \beta + z_i^3$, we have

$$\prod_{i=1}^{2} I_{A_h}(x_i) = \frac{1}{9}\left(1 + \sigma_1^{(h)} + \sigma_2^{(h)}\right) \qquad h = 0, 1, 2 ,$$

where

$$\sigma_1^{(h)} = \zeta_3^{2h}\chi_3(x_1) + \zeta_3^h\bar\chi_3(x_1) + \zeta_3^{2h}\chi_3(x_2) + \zeta_3^h\bar\chi_3(x_2)$$
$$\sigma_2^{(h)} = \zeta_3^h\chi_3(x_1)\chi_3(x_2) + \chi_3(x_1)\bar\chi_3(x_2) + \bar\chi_3(x_1)\chi_3(x_2) + \zeta_3^{2h}\bar\chi_3(x_1)\bar\chi_3(x_2)$$

Since $\sigma_1^{(0)} + \sigma_1^{(1)} + \sigma_1^{(2)} = 0$ and $\sigma_2^{(0)} + \sigma_2^{(1)} + \sigma_2^{(2)} = 3(\chi_3(x_1)\bar\chi_3(x_2) + \bar\chi_3(x_1)\chi_3(x_2))$, the sum of the three products $\prod_{i=1}^{2} I_{A_k}(x_i)$ is $\frac{1}{3}(1 + \chi_3(x_1)\bar\chi_3(x_2) + \bar\chi_3(x_1)\chi_3(x_2))$, and thus the sum over β in the whole field $\mathbb{F}_{2^m}$, with the exclusion of $\beta = z_1^3$ and $\beta = z_2^3$, is

$$N_2(2) = \frac{1}{3}\left[2^m - 2 + \sum_{\beta \ne z_1^3, z_2^3} \left(\chi_3(\beta + z_1^3)\bar\chi_3(\beta + z_2^3) + \bar\chi_3(\beta + z_1^3)\chi_3(\beta + z_2^3)\right)\right] .$$

Let S denote the above summation, then S can be evaluated in closed form: by the substitution $\beta = z_1^3 + \eta$, since $\chi_3$ is a nontrivial cubic character, we have

$$S = \sum_{\eta \ne 0,\, z_1^3 + z_2^3} \left(\chi_3(\eta)\bar\chi_3(\eta + z_1^3 + z_2^3) + \bar\chi_3(\eta)\chi_3(\eta + z_1^3 + z_2^3)\right) = -2 ,$$

as the summation of each of the two parts gives −1 ($z_1^3 + z_2^3 \ne 0$ by hypothesis). In conclusion, we have

$$N_2(2) = \frac{1}{3}(2^m - 4) ,$$

so that

$$1 + \max_{z_1 \ne z_2} N_2(2) = \frac{1}{3}(2^m - 1) .$$

t = 3. In this case

$$\prod_{i=1}^{3} I_{A_h}(\beta + z_i^3) = \frac{1}{27}\left(1 + \sigma_1^{(h)} + \sigma_2^{(h)} + \sigma_3^{(h)}\right) \qquad h = 0, 1, 2 ,$$

where

$$\sigma_1^{(h)} = \zeta_3^{2h}\chi_3(x_1) + \zeta_3^h\bar\chi_3(x_1) + \zeta_3^{2h}\chi_3(x_2) + \zeta_3^h\bar\chi_3(x_2) + \zeta_3^{2h}\chi_3(x_3) + \zeta_3^h\bar\chi_3(x_3)$$
$$\begin{aligned} \sigma_2^{(h)} = {} & \zeta_3^h\chi_3(x_1)\chi_3(x_2) + \chi_3(x_1)\bar\chi_3(x_2) + \bar\chi_3(x_1)\chi_3(x_2) + \zeta_3^{2h}\bar\chi_3(x_1)\bar\chi_3(x_2) + {} \\ & \zeta_3^h\chi_3(x_2)\chi_3(x_3) + \chi_3(x_2)\bar\chi_3(x_3) + \bar\chi_3(x_2)\chi_3(x_3) + \zeta_3^{2h}\bar\chi_3(x_2)\bar\chi_3(x_3) + {} \\ & \zeta_3^h\chi_3(x_3)\chi_3(x_1) + \chi_3(x_3)\bar\chi_3(x_1) + \bar\chi_3(x_3)\chi_3(x_1) + \zeta_3^{2h}\bar\chi_3(x_3)\bar\chi_3(x_1) \end{aligned}$$
$$\begin{aligned} \sigma_3^{(h)} = {} & \chi_3(x_1)\chi_3(x_2)\chi_3(x_3) + \bar\chi_3(x_1)\bar\chi_3(x_2)\bar\chi_3(x_3) + \zeta_3^{2h}\bar\chi_3(x_1)\chi_3(x_2)\chi_3(x_3) + {} \\ & \zeta_3^{2h}\chi_3(x_1)\bar\chi_3(x_2)\chi_3(x_3) + \zeta_3^{2h}\chi_3(x_1)\chi_3(x_2)\bar\chi_3(x_3) + \zeta_3^h\bar\chi_3(x_1)\bar\chi_3(x_2)\chi_3(x_3) + {} \\ & \zeta_3^h\chi_3(x_1)\bar\chi_3(x_2)\bar\chi_3(x_3) + \zeta_3^h\bar\chi_3(x_1)\chi_3(x_2)\bar\chi_3(x_3) \end{aligned}$$

We thus have

$$\sigma_1^{(0)} + \sigma_1^{(1)} + \sigma_1^{(2)} = 0$$
$$\begin{aligned} \sigma_2^{(0)} + \sigma_2^{(1)} + \sigma_2^{(2)} = 3\big( & \chi_3(x_1)\bar\chi_3(x_2) + \bar\chi_3(x_1)\chi_3(x_2) + \chi_3(x_2)\bar\chi_3(x_3) + \bar\chi_3(x_2)\chi_3(x_3) + {} \\ & \chi_3(x_3)\bar\chi_3(x_1) + \bar\chi_3(x_3)\chi_3(x_1) \big) \end{aligned}$$
$$\sigma_3^{(0)} + \sigma_3^{(1)} + \sigma_3^{(2)} = 3\left(\chi_3(x_1)\chi_3(x_2)\chi_3(x_3) + \bar\chi_3(x_1)\bar\chi_3(x_2)\bar\chi_3(x_3)\right)$$

In the summation over β of the sum of the three products, the values of $\beta = z_1^3, z_2^3, z_3^3$ should be excluded. Thus we must compute

$$N_2(3) = \frac{1}{9}\left[2^m - 3 + \frac{1}{3}\sum_{\beta \ne z_1^3, z_2^3, z_3^3} \left( (\sigma_2^{(0)} + \sigma_2^{(1)} + \sigma_2^{(2)}) + (\sigma_3^{(0)} + \sigma_3^{(1)} + \sigma_3^{(2)}) \right)\right] .$$

Therefore, two types of summations must be evaluated, namely

$$S_2 = \sum_{\beta \ne z_1^3, z_2^3, z_3^3} \chi_3(\beta + z_1^3)\bar\chi_3(\beta + z_2^3) \quad \text{and} \quad S_3 = \sum_{\beta \ne z_1^3, z_2^3, z_3^3} \chi_3(\beta + z_1^3)\chi_3(\beta + z_2^3)\chi_3(\beta + z_3^3) ,$$

the remaining ones being obtained by symmetry or complex conjugation. Considering $S_2$, and defining for short $y_1 = z_2^3 + z_3^3$, $y_2 = z_1^3 + z_3^3$, and $y_3 = z_2^3 + z_1^3$, we have

$$S_2 = -\chi_3(y_2)\bar\chi_3(y_1) + \sum_{\beta \ne z_1^3, z_2^3} \chi_3(\beta + z_1^3)\bar\chi_3(\beta + z_2^3) = -\chi_3(y_2)\bar\chi_3(y_1) + \sum_{x \ne 0, y_3} \chi_3(x)\bar\chi_3(x + y_3) ,$$

thus $S_2 = -\chi_3(y_2)\bar\chi_3(y_1) - 1$. Considering $S_3$ we have

$$S_3 = \sum_{\beta \ne z_1^3, z_2^3, z_3^3} \chi_3(\beta + z_1^3)\chi_3(\beta + z_2^3)\chi_3(\beta + z_3^3) = \sum_{x \ne 0, y_2, y_3} \chi_3(x)\chi_3(x + y_3)\chi_3(x + y_2)$$

thus, with the change of variable x = 1/z, since the character is cubic we obtain

$$\begin{aligned} S_3 &= \sum_{z \ne 0, 1/y_2, 1/y_3} \chi_3(1 + z y_3)\chi_3(1 + z y_2) = \sum_{X \ne 1, 0, 1 + y_3/y_2} \chi_3(X)\chi_3\!\left(\frac{y_2}{y_3}\left(X + 1 + \frac{y_3}{y_2}\right)\right) \\ &= \chi_3(y_2)\bar\chi_3(y_3) \sum_{X \ne 1, 0, 1 + y_3/y_2} \chi_3(X)\chi_3\!\left(X + 1 + \frac{y_3}{y_2}\right) \\ &= -1 + \chi_3(y_2)\bar\chi_3(y_3) \sum_{X \ne 0, 1 + y_3/y_2} \chi_3(X)\chi_3\!\left(X + 1 + \frac{y_3}{y_2}\right) \\ &= -1 + \bar\chi_3(y_2)\bar\chi_3(y_3)\bar\chi_3(y_1) \sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\chi_3(x + 1) . \end{aligned}$$

In conclusion, we obtain

$$\begin{aligned} N_2(3) = \frac{1}{9}\Big[ 2^m - 11 - (-2)^{\frac{m}{2}}\left[\chi_3(y_1 y_2 y_3) + \bar\chi_3(y_1 y_2 y_3)\right] - \big( & \chi_3(y_1 y_2^2) + \chi_3(y_1^2 y_2) + \chi_3(y_2 y_3^2) + \chi_3(y_2^2 y_3) + {} \\ & \chi_3(y_3 y_1^2) + \chi_3(y_3^2 y_1) \big) \Big] . \end{aligned}$$

Note that, if $z_1 = 0$ (which corresponds to choosing β in one particular coset), then $y_2$ and $y_3$ are cubes, and the number of solutions is

$$N_2(3) = \frac{1}{9}\left[2^m - 13 - \left[(-2)^{\frac{m}{2}} + 2\right]\left[\chi_3(y_1) + \bar\chi_3(y_1)\right]\right] .$$

Finally we focus our interest on the maximum over the $z_i$ and obtain

$$1 + \max_{z_1 \ne z_2 \ne z_3} N_2(3) = \begin{cases} \frac{1}{9}\left(2^m + 2^{m/2} - 2\right) & \text{for } m/2 \text{ even} \\ \frac{1}{9}\left(2^m + 2^{m/2+1} + 1\right) & \text{for } m/2 \text{ odd} \end{cases} .$$

Let us deal now with the case p > 2:

t = 2. In this case, we have

$$\prod_{i=1}^{2} I_{B_h}(\beta + z_i^2) = \frac{1}{4}\left(1 + \sigma_1^{(h)} + \sigma_2^{(h)}\right) \qquad h = 0, 1 ,$$

where $\sigma_1^{(h)} = (-1)^h\chi_2(x_1) + (-1)^h\chi_2(x_2)$, and $\sigma_2^{(h)} = \chi_2(x_1)\chi_2(x_2)$.
Since $\sigma_1^{(0)} + \sigma_1^{(1)} = 0$ and $\sigma_2^{(0)} + \sigma_2^{(1)} = 2(\chi_2(x_1)\chi_2(x_2))$, the sum over β in the whole field $\mathbb{F}_{p^m}$ with the exclusion of $\beta = -z_1^2$ and $\beta = -z_2^2$ is

$$N_p(2) = \frac{1}{2}\left[p^m - 2 + \sum_{\beta \ne -z_1^2, -z_2^2} \chi_2(\beta + z_1^2)\chi_2(\beta + z_2^2)\right] .$$

Let S denote the above summation: we evaluate it in closed form by substituting $\beta = \eta - z_1^2$; since $\chi_2$ is a nontrivial quadratic character, we have

$$S = \sum_{\eta \ne 0,\, z_1^2 - z_2^2} \chi_2(\eta)\chi_2(\eta + z_2^2 - z_1^2) = -1 ,$$

the summation being independent of the term $z_2^2 - z_1^2$, which is non-zero by hypothesis. In conclusion we have

$$N_p(2) = \frac{1}{2}(p^m - 3) ,$$

so that

$$1 + \max_{z_1 \ne z_2} N_p(2) = \frac{1}{2}(p^m - 1) .$$

t = 3. In this case

$$\prod_{i=1}^{3} I_{B_h}(\beta + z_i^2) = \frac{1}{8}\left(1 + \sigma_1^{(h)} + \sigma_2^{(h)} + \sigma_3^{(h)}\right) \qquad h = 0, 1 ,$$

where $\sigma_1^{(h)} = (-1)^h\chi_2(x_1) + (-1)^h\chi_2(x_2) + (-1)^h\chi_2(x_3)$, $\sigma_2^{(h)} = \chi_2(x_1)\chi_2(x_2) + \chi_2(x_1)\chi_2(x_3) + \chi_2(x_2)\chi_2(x_3)$, and $\sigma_3^{(h)} = (-1)^h\chi_2(x_1)\chi_2(x_2)\chi_2(x_3)$.
Since $\sigma_1^{(0)} + \sigma_1^{(1)} = 0$, $\sigma_2^{(0)} + \sigma_2^{(1)} = 2(\chi_2(x_1)\chi_2(x_2) + \chi_2(x_1)\chi_2(x_3) + \chi_2(x_2)\chi_2(x_3))$, and $\sigma_3^{(0)} + \sigma_3^{(1)} = 0$, the summation over β of the sum of the two products, where the values of β equal to $-z_1^2$, $-z_2^2$, and $-z_3^2$ are excluded, becomes

$$N_p(3) = \frac{1}{4}\left[p^m - 3 + \sum_{\beta \ne -z_1^2, -z_2^2, -z_3^2} \left[\chi_2(x_1)\chi_2(x_2) + \chi_2(x_1)\chi_2(x_3) + \chi_2(x_2)\chi_2(x_3)\right]\right] .$$

We thus need to evaluate only one type of summation, namely

$$S_2 = \sum_{\beta \ne -z_1^2, -z_2^2, -z_3^2} \chi_2(\beta + z_1^2)\chi_2(\beta + z_2^2) = \sum_{\substack{\eta \ne 0,\\ z_1^2 - z_2^2,\ z_1^2 - z_3^2}} \chi_2(\eta)\chi_2(\eta + z_2^2 - z_1^2) = -1 - \chi_2(z_1^2 - z_3^2)\chi_2(z_2^2 - z_3^2) ,$$

the remainder being obtained by symmetry. In conclusion, we obtain

$$N_p(3) = \frac{1}{4}\left[p^m - 6 - \left(\chi_2(z_1^2 - z_3^2)\chi_2(z_2^2 - z_3^2) + \chi_2(z_1^2 - z_2^2)\chi_2(z_3^2 - z_2^2) + \chi_2(z_3^2 - z_1^2)\chi_2(z_2^2 - z_1^2)\right)\right] .$$

And, if we consider the maximum, we have

$$1 + \max_{z_1 \ne z_2 \ne z_3} N_p(3) = \begin{cases} \frac{1}{4}(p^m - 1) & p = 4k + 1 \\ \frac{1}{4}(p^m + 1) & p = 4k + 3,\ m \text{ odd} \\ \frac{1}{4}(p^m - 1) & p = 4k + 3,\ m \text{ even} \end{cases}$$
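As an added check (not from the paper), the following Python script brute-forces N_p(t) for m = 1 and compares it with the closed forms for N_p(2) and N_p(3) above, including the stated maximum (p − 1)/4 for p = 4k + 1 and (p + 1)/4 for p = 4k + 3 with m odd. The paper's roots z_i^2 are plain residues r_i here, and the function names are assumptions of this example.

```python
# Added example (not from the paper): brute-force check of the Section 4.1 closed forms
# for N_p(2) and N_p(3) when m = 1, i.e. over the prime field F_p with p odd.
# The paper writes the distinct roots as z_i^2; here they are plain residues r_i, and N_p(t)
# counts the beta in F_p for which every r_i + beta is non-zero and all of them lie in one
# coset (B_0 = squares or B_1 = non-squares).
from itertools import combinations

def chi2(x, p):
    """Quadratic character of F_p: +1 on non-zero squares, -1 on non-squares, 0 at 0."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1   # Euler's criterion

def np_count(roots, p):
    """N_p(t) by exhaustion over beta."""
    count = 0
    for beta in range(p):
        vals = {chi2(r + beta, p) for r in roots}
        if len(vals) == 1 and 0 not in vals:
            count += 1
    return count

def np2_formula(p):
    """Closed form N_p(2) = (p^m - 3) / 2 with m = 1; it does not depend on the two roots."""
    return (p - 3) // 2

def np3_formula(roots, p):
    """Closed form N_p(3) = (p^m - 6 - [chi(r1-r3)chi(r2-r3) + chi(r1-r2)chi(r3-r2)
    + chi(r3-r1)chi(r2-r1)]) / 4 with m = 1."""
    r1, r2, r3 = roots
    s = (chi2(r1 - r3, p) * chi2(r2 - r3, p)
         + chi2(r1 - r2, p) * chi2(r3 - r2, p)
         + chi2(r3 - r1, p) * chi2(r2 - r1, p))
    return (p - 6 - s) // 4          # exact division whenever the closed form holds

def formulas_match(p):
    """True if exhaustion agrees with both closed forms for every pair and triple of roots."""
    pairs_ok = all(np_count(pair, p) == np2_formula(p)
                   for pair in combinations(range(p), 2))
    triples_ok = all(np_count(tr, p) == np3_formula(tr, p)
                     for tr in combinations(range(p), 3))
    return pairs_ok and triples_ok

def max_attempts_deg3(p):
    """1 + max N_p(3): the paper gives (p-1)/4 for p = 4k+1 and (p+1)/4 for p = 4k+3 (m odd)."""
    return 1 + max(np_count(tr, p) for tr in combinations(range(p), 3))

if __name__ == "__main__":
    for p in (7, 11, 13):
        print(p, formulas_match(p), max_attempts_deg3(p))
```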

4.2 Bounds
As the number of equations in system (1) or (3) becomes larger, exact computations become less meaningful for our purpose, as it would then be necessary to think about estimates and bounds on rather cumbersome expressions. We will thus shift our interest to a general upper bound for the function $N_p(r)$; we will first deal with the case p = 2, then the case p > 2.
Consider equation (2) written as

$$N_2(r) = \frac{1}{3^r} \sum_{\substack{\beta \in \mathbb{F}_{2^m} \\ \beta \notin \{z_i^3\}}} [P_0 + P_1 + P_2] , \qquad (5)$$

where

$$P_k = 3^r \prod_{i=1}^{r} I_{A_k}(x_i) = 1 + \sigma_1^{(k)} + \sigma_2^{(k)} + \cdots + \sigma_r^{(k)} \qquad k = 0, 1, 2 ,$$

$x_i$ being $\beta + z_i^3$, and each $\sigma_j^{(k)}$ is a sum of monomials which are products of the same number j of distinct variables (characters) $\chi_3(x_i)$ or $\bar\chi_3(x_i)$, possibly times $\zeta_3$ or $\zeta_3^2$. In particular the number of addends in $\sigma_j^{(k)}$ is $2^j \binom{r}{j}$.
Define $\sigma_j = \sigma_j^{(0)} + \sigma_j^{(1)} + \sigma_j^{(2)}$ for every j = 1, . . . , r; then $\sigma_j$ contains fewer addends than any $\sigma_j^{(k)}$, since all monomials multiplied by either $\zeta_3$ or $\zeta_3^2$ are canceled out with monomials multiplied by 1, and the surviving monomials are multiplied by 3 (see also the examples above). In particular,

$\sigma_1$ is zero; $\sigma_2$ is a sum of monomials of the form $\chi_3(x_i)\bar\chi_3(x_l)$ (i, l distinct), whose total number is $2\binom{r}{2}$; $\sigma_3$ is a sum of monomials of the form $\chi_3(x_i)\chi_3(x_l)\chi_3(x_m)$ (i, l, m all distinct), whose total number is $2\binom{r}{3}$; and $\sigma_4$ is a sum of monomials of the form $\chi_3(x_i)\chi_3(x_l)\bar\chi_3(x_m)\bar\chi_3(x_s)$ (i, l, m, s all distinct), whose total number is $6\binom{r}{4}$. In general, the number of surviving monomials of degree j can be computed by considering that each monomial is a product of $n_1$ characters and $n_2$ complex conjugate characters; thus $n_1 + n_2 = j$. Supposing that $\chi_3(x_i)$ are multiplied by $\zeta_3$ and $\bar\chi_3(x_h)$ are multiplied by $\zeta_3^2$, the surviving monomial satisfies the condition $n_1 + 2n_2 = 0 \bmod 3$. Therefore, the admissible values of $0 \le n_2 \le j$ satisfy the condition $n_2 = 2j \bmod 3$: if $e = 2j \bmod 3$ and e ∈ {0, 1, 2}, the number of surviving monomials is $a_j \binom{r}{j}$, where

$$a_j = \sum_{h=0}^{\lfloor \frac{j-e}{3} \rfloor} \binom{j}{e + 3h} ,$$

with $\{a_j\}_{j > 1} = 2, 2, 6, 10, 22, 42, 86, 170, 342, \dots$ matching the sequence A078008 in [17] with the first two terms disregarded. We observe now that the product of j characters, whose arguments are distinct linear functions of β, can be interpreted as a single character whose argument is a polynomial f(β) with j distinct roots: by [16, Theorem 2C'], each sum of these characters is upper bounded by $(j - 1)\sqrt{2^m}$, so that

$$N_2(r) \le \frac{1}{3^{r-1}}\left[2^m - r + \sum_{j=2}^{r} a_j \binom{r}{j} (j - 1)\sqrt{2^m}\right] .$$
The summation above is evaluated as follows, using the expression $a_j = \frac{1}{3}\sum_{h=0}^{2} \zeta_3^{-he}(1 + \zeta_3^h)^j$ for the sequence $a_j$, as can be found in [2, 3, 8]:

$$
\sum_{j=2}^{r} a_j \binom{r}{j} (j-1) = \sum_{j=2}^{r} \frac{1}{3} \sum_{h=0}^{2} \zeta_3^{-he} (1 + \zeta_3^h)^j \binom{r}{j} (j-1) = \frac{1}{3} \sum_{h=0}^{2} \sum_{j=2}^{r} \zeta_3^{-he} (1 + \zeta_3^h)^j \binom{r}{j} (j-1).
$$

Now, observing that $e \equiv -j \bmod 3$ and $\zeta_3$ is a cubic root of unity, we may substitute $\zeta_3^{hj}$ for $\zeta_3^{-he}$ and write $(\zeta_3^h + \zeta_3^{2h})^j$ for $\zeta_3^{hj}(1 + \zeta_3^h)^j$ in the last expression, which we then write as

$$
\frac{1}{3} \sum_{h=0}^{2} \left[ \sum_{j=0}^{r} (\zeta_3^h + \zeta_3^{2h})^j (j-1) \binom{r}{j} + 1 \right] = \frac{1}{3} \sum_{h=0}^{2} \left[ 1 + \sum_{j=0}^{r} j (\zeta_3^h + \zeta_3^{2h})^j \binom{r}{j} - \sum_{j=0}^{r} (\zeta_3^h + \zeta_3^{2h})^j \binom{r}{j} \right].
$$

Using the binomial sum and its derivative, we finally obtain

$$
\sum_{j=2}^{r} a_j \binom{r}{j} (j-1) = 1 + \frac{1}{3} \sum_{h=0}^{2} \left[ r (\zeta_3^h + \zeta_3^{2h})(1 + \zeta_3^h + \zeta_3^{2h})^{r-1} - (1 + \zeta_3^h + \zeta_3^{2h})^r \right],
$$

that is

$$
\sum_{j=2}^{r} a_j \binom{r}{j} (j-1) = 1 + \frac{1}{3} \left[ 2r \, 3^{r-1} - 3^r \right],
$$

because $(1 + \zeta_3^h + \zeta_3^{2h})$ is 3 when $h = 0$ and is 0 otherwise. In conclusion

$$
N_2(r) \le \frac{1}{3^{r-1}} \left[ 2^m + \sqrt{2^m} - r + 3^{r-2}(2r-3)\sqrt{2^m} \right],
$$

where we see that, when $3^{r-2}(2r-3)\sqrt{2^m} - r + \sqrt{2^m} \ll 2^m$, roughly $r \ll m/2$, then $N_2(r) \simeq \frac{2^m}{3^{r-1}}$, so that this deterministic bound supports the probabilistic estimate discussed above.
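The counting argument above (the survivor count $a_j$ obtained three ways, the identity $\sum_{j=2}^{r} a_j \binom{r}{j}(j-1) = 1 + \frac{1}{3}[2r\,3^{r-1} - 3^r]$, and the resulting bound on $N_2(r)$) can be checked numerically. The following Python is an added example written for this page, not code from the paper; the function names are ours, and the brute-force count enumerates which of $j$ characters are conjugated exactly as the $n_1 + 2n_2 \equiv 0 \bmod 3$ argument prescribes.

```python
import cmath
from itertools import product
from math import comb

# Degree-j monomials that survive in sigma_j, per fixed set of j variables:
# brute force over which of the j characters are conjugated (n2 of them),
# keeping the products with n1 + 2*n2 = 0 mod 3, since the others carry a
# factor zeta_3 or zeta_3^2 and cancel against the ones with factor 1.
def a_bruteforce(j):
    return sum(1 for bits in product((0, 1), repeat=j)
               if ((j - sum(bits)) + 2 * sum(bits)) % 3 == 0)

# Closed form from the text: e = 2j mod 3, a_j = sum_h C(j, e + 3h).
def a_binomial(j):
    e = (2 * j) % 3
    return sum(comb(j, e + 3 * h) for h in range((j - e) // 3 + 1))

# Roots-of-unity form a_j = (1/3) sum_{h=0}^{2} zeta^{-he} (1 + zeta^h)^j,
# evaluated numerically and rounded back to an integer.
def a_roots_of_unity(j):
    e = (2 * j) % 3
    zeta = cmath.exp(2 * cmath.pi * 1j / 3)
    total = sum(zeta ** (-h * e) * (1 + zeta ** h) ** j for h in range(3))
    return round((total / 3).real)

# Left-hand side of the identity: sum_{j=2}^r a_j C(r, j) (j - 1).
def weighted_sum(r):
    return sum(a_binomial(j) * comb(r, j) * (j - 1) for j in range(2, r + 1))

# Right-hand side: 1 + (2 r 3^{r-1} - 3^r) / 3, an exact integer for r >= 2.
def closed_form(r):
    return 1 + (2 * r * 3 ** (r - 1) - 3 ** r) // 3

# Deterministic upper bound on N_2(r) from the text, divided by the
# probabilistic estimate 2^m / 3^{r-1}; the ratio is close to 1 when r << m/2.
def bound_over_estimate(m, r):
    s = 2.0 ** (m / 2)
    bound = (2 ** m + s - r + 3 ** (r - 2) * (2 * r - 3) * s) / 3 ** (r - 1)
    return bound / (2 ** m / 3 ** (r - 1))
```

Running `weighted_sum(r) == closed_form(r)` for a range of $r$ confirms the identity, and `bound_over_estimate(40, 4)` is within $10^{-4}$ of 1 while `bound_over_estimate(10, 4)` exceeds 2, showing how quickly the bound loosens once $r$ is not small compared with $m/2$.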

In the case $p > 2$, consider equation (4) written as

$$
N_p(r) = \frac{1}{2^r} \sum_{\substack{\beta \in \mathbb{F}_{p^m} \\ \beta \notin \{-z_i^2\}}} \left[ Q_0 + Q_1 \right], \qquad (6)
$$

where

$$
Q_k = 2^r \prod_{i=1}^{r} I_{B_k}(x_i) = 1 + \sigma_1^{(k)} + \sigma_2^{(k)} + \cdots + \sigma_r^{(k)}, \qquad k = 0, 1,
$$

$x_i$ being $\beta + z_i^2$, and each $\sigma_j^{(k)}$ is a sum of monomials which are products of the same number $j$ of distinct variables (characters) $\chi_2(x_i)$. In particular, only the $\sigma_j^{(k)}$ with even subscripts occur, and they are clearly the elementary symmetric functions of $r$ variables; thus the number of addends in $\sigma_j^{(k)}$ is $\binom{r}{j}$. The same argument used to upper bound $N_2(r)$ also applies here; in this case the sum of products of $j$ characters is bounded as $(j-1)\sqrt{p^m}$ by [16, Theorem 2C'], so that

$$
N_p(r) \le \frac{1}{2^{r-1}} \left[ p^m - r + \sum_{j=2}^{r} \binom{r}{j} (j-1) \sqrt{p^m} \right],
$$

which, after some manipulation, can be written as

$$
N_p(r) \le \frac{1}{2^{r-1}} \left[ p^m - r + \left[ 2^{r-1}(r-2) + 1 \right] \sqrt{p^m} \right],
$$

and we see that, when $[2^{r-1}(r-2) + 1]\sqrt{p^m} - r \ll p^m$, roughly $r \ll \frac{m}{2}\log_2 p$, then $N_p(r) \simeq \frac{p^m}{2^{r-1}}$, as in our probabilistic estimate.

5 Deterministic splitting II: fixed N


This section examines the smallest $t$ such that the algorithm succeeds in at most 1 or 2 attempts: we will call these $t_0(1)$ and $t_0(2)$, respectively.
Clearly, $t_0(1) = \ell_m + 1$, since there are exactly $\ell_m$ elements belonging to a given coset; then, if $t > \ell_m$, the algorithm succeeds at the first attempt.
To evaluate $t_0(2)$, we must examine the number of representations of a $\beta \ne 0$ in the field as the sum of an element in a given coset and an element in another (possibly the same) given coset (see also [12, 11, 14]). We then consider the maximum $M$, over $\beta \ne 0$ in the field and over all possible pairs of cosets, so that $t_0(2)$ is $1 + M$.

For the case of the cubic character, $M$ can be calculated as follows:

$$
M = \max_{i,j,\beta} \sum_{z \ne 0, \beta} \frac{1 + \zeta_3^{2j}\chi_3(z) + \zeta_3^{j}\bar\chi_3(z)}{3} \cdot \frac{1 + \zeta_3^{2i}\chi_3(\beta + z) + \zeta_3^{i}\bar\chi_3(\beta + z)}{3},
$$

which is the maximum over $i, j, \beta$ of the following expression:

$$
\frac{1}{9} \left[ 2^m - 2 - \chi_3(\beta)(\zeta_3^{2i} + \zeta_3^{2j}) - \bar\chi_3(\beta)(\zeta_3^{i} + \zeta_3^{j}) - \zeta_3^{2i+j} - \zeta_3^{i+2j} - (-2)^{m/2} \left( \zeta_3^{2i+2j}\bar\chi_3(\beta) + \zeta_3^{i+j}\chi_3(\beta) \right) \right],
$$

where we have again exploited the relations $\sum_{x \in \mathbb{F}_{2^m}} \chi_3(x) = 0$, $\sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\bar\chi_3(x + \beta) = -1$ and $\sum_{x \in \mathbb{F}_{2^m}} \chi_3(x)\chi_3(x + 1) = G_m(1, \chi_3) = -(-2)^{m/2}$ ([4, 15, 19]). Then we have

$$
M = \begin{cases} \frac{1}{9}\left(2^m + 2^{m/2} - 2\right) & \text{for } m/2 \text{ even,} \\[4pt] \frac{1}{9}\left(2^m + 2^{m/2+1} + 1\right) & \text{for } m/2 \text{ odd.} \end{cases}
$$

For the case of the quadratic character, we consider similarly

$$
M = \max_{i,j,\beta} \sum_{z \ne 0, \beta} \frac{1 + (-1)^j \chi_2(z)}{2} \cdot \frac{1 + (-1)^i \chi_2(\beta - z)}{2} = \max_{i,j,\beta} \frac{1}{4} \left[ p^m - 2 - \chi_2(\beta)(-1)^i - \chi_2(\beta)(-1)^j - (-1)^{i+j}\chi_2(-1) \right],
$$

therefore

$$
M = \begin{cases} \frac{1}{4}(p^m - 1) & p = 4k+1, \\[4pt] \frac{1}{4}(p^m + 1) & p = 4k+3,\ m \text{ odd,} \\[4pt] \frac{1}{4}(p^m - 1) & p = 4k+3,\ m \text{ even.} \end{cases}
$$

Remark 5. It is interesting to notice that $M$, which is the maximum $t$ such that it is still possible to fail splitting a polynomial of degree $t$ with two attempts, is equal to the maximum number of attempts to split a polynomial of degree 3. Similarly, $\ell_m$ is at the same time the maximum $t$ such that it is possible to fail splitting a polynomial of degree $t$ at the first attempt and the maximum number of attempts to split a polynomial of degree 2.
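The quadratic-character value of $M$, and with it $t_0(2) = 1 + M$, can be verified by exhaustive counting over a prime field. The Python below is an added example written for this page, not code from the paper; it assumes $m = 1$ (so $\mathbb{F}_{p^m} = \mathbb{F}_p$ and $m$ is odd), labels the coset of squares as 0 and the coset of non-squares as 1, and compares the direct count of representations with the character-sum expression given in the text.

```python
# Quadratic character on F_p for prime p (m = 1): chi_2(z) = z^((p-1)/2) mod p, as +1 / -1.
def chi2(z, p):
    return 1 if pow(z % p, (p - 1) // 2, p) == 1 else -1

# Representations of beta as z + (beta - z) with z in coset j and beta - z in
# coset i, excluding z in {0, beta}; coset 0 = squares, coset 1 = non-squares.
def representations(beta, i, j, p):
    return sum(1 for z in range(1, p)
               if z != beta
               and chi2(z, p) == (-1) ** j
               and chi2(beta - z, p) == (-1) ** i)

# Same count via the character-sum expression of the text, specialised to m = 1:
# (1/4)[p - 2 - chi_2(beta)(-1)^i - chi_2(beta)(-1)^j - (-1)^(i+j) chi_2(-1)].
def representations_by_character_sum(beta, i, j, p):
    c = chi2(beta, p)
    val = p - 2 - c * (-1) ** i - c * (-1) ** j - (-1) ** (i + j) * chi2(-1, p)
    assert val % 4 == 0  # the bracket is always a multiple of 4
    return val // 4

# M = max over beta != 0 and over all coset pairs (i, j), found by brute force.
def max_representations(p):
    return max(representations(beta, i, j, p)
               for beta in range(1, p) for i in (0, 1) for j in (0, 1))

# Closed form of the text for m = 1 (odd): (p-1)/4 if p = 4k+1, (p+1)/4 if p = 4k+3.
def predicted_m(p):
    return (p - 1) // 4 if p % 4 == 1 else (p + 1) // 4

# Smallest degree for which two attempts always split the polynomial: t_0(2) = 1 + M.
def t0_two_attempts(p):
    return 1 + max_representations(p)
```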

6 Acknowledgments
We would like to thank Joachim Rosenthal and Elisa Gorla for support and fruitful discussions.
This research was supported in part by the Swiss National Science Foundation under grants No. 126948 and 132256.

References
[1] E. Bach, J. Shallit, Algorithmic Number Theory, Vol. 1, The MIT Press, Cambridge, 1996.

[2] A.T. Benjamin, J.N. Scott, Third and Fourth Binomial Coefficients, Fibonacci Quart., Vol. 49, N. 2, May 2011, pp. 99-101.

[3] A.T. Benjamin, B. Chen, K. Tucker, Sums of evenly spaced binomial coefficients, Math. Mag., Vol. 83, 2010, pp. 370-373.

[4] B. Berndt, R.J. Evans, H. Williams, Gauss and Jacobi Sums, Wiley, New York, 1998.

[5] M. Ben-Or, Probabilistic Algorithms in Finite Fields, Proc. 22nd Annual IEEE Symp. Foundations of Computer Science (FOCS 1981), Nashville, Tennessee, 1981, pp. 394-398.

[6] D.G. Cantor, H. Zassenhaus, A new Algorithm for Factoring Polynomials over Finite Fields, Math. Comp., Vol. 36, N. 154, April 1981, pp. 587-592.

[7] J. von zur Gathen, J. Gerhard, Modern Computer Algebra, Cambridge Univ. Press, 1999.

[8] H.W. Gould, Combinatorial Identities, Morgantown Printing and Binding Co., Morgantown, 1972.

[9] D. Jungnickel, Finite Fields, Structure and Arithmetics, Wissenschaftsverlag, Mannheim, 1993.

[10] R. Lidl, H. Niederreiter, Finite Fields, Cambridge Univ. Press, 1997.

[11] C. Monico, M. Elia, Note on an Additive Characterization of Quadratic Residues Modulo p, J. Comb. Inf. Syst. Sci., Vol. 31, 2006, pp. 209-215.

[12] C. Monico, M. Elia, An Additive Characterization of Fibers of Characters on $\mathbb{F}_p^*$, Int. J. Algebra, Vol. 1-4, N. 3, 2010, pp. 109-117.

[13] M.O. Rabin, Probabilistic algorithms in finite fields, SIAM J. Comput., Vol. 9, 1980, pp. 273-280.

[14] D. Raymond, An Additive Characterization of Quadratic Residues, Master's thesis, Texas Tech University (Lubbock), 2009.

[15] D. Schipani, M. Elia, Gauss Sums of the Cubic Character over $\mathbb{F}_{2^m}$: an elementary derivation, to appear in Bull. Pol. Acad. Sci. Math., 2011.

[16] W.M. Schmidt, Equations over Finite Fields: An Elementary Approach, Lecture Notes in Math., Vol. 536, Springer, New York, 1975.

[17] N.J.A. Sloane, The On-Line Encyclopedia of Integer Sequences (OEIS).

[18] D. Wan, Generators and irreducible polynomials over finite fields, Math. Comp., Vol. 66, N. 219, 1997, pp. 1195-1212.

[19] A. Winterhof, On the Distribution of Powers in Finite Fields, Finite Fields Appl., Vol. 4, 1998, pp. 43-54.

[20] A. Winterhof, Character sums, primitive elements, and powers in finite fields, J. Number Theory, Vol. 91, 2001, pp. 153-163.
