Keywords

1 Introduction

1.1 What Is a “Certificate”?

A certificate that object X has property P is a “small” amount of extra information C such that some quick and simple computations with X and C suffice to confirm that X does have the property. We illustrate this vague definition with a well-known, concrete example.

Example 1

We can certify that a positive integer n is prime using a Lucas-Pratt certificate [9]. The idea is to find a witness w such that \(w^{n-1} \equiv 1 \mod n\) and \(w^{(n-1)/q} \not \equiv 1 \mod n\) for all prime factors q of \(n-1\).

These certificates have a recursive structure, since in general we must certify each prime factor q of \(n-1\). To avoid infinite recursion we say that all small primes up to some limit are “self-certifying” (i.e. they need no certificate).

Thus a Lucas-Pratt certificate comprises a witness w, and a list of prime factors \(q_1,q_2,\ldots \) of \(n-1\) (and certificates for each \(q_j\)). Verification involves:

  • verify that \(w^{n-1} \equiv 1 \mod n\);

  • verify that each \(w^{(n-1)/q_j} \not \equiv 1 \mod n\);

  • verify that \(n-1 \,=\, \prod _j q_j^{e_j}\) for positive exponents \(e_j\);

  • recursively verify that each \(q_j\) is prime.

The operations required to verify such a certificate are: iteration over a list, exponentiation modulo an integer, comparison with 1, division of integers, and divisibility testing of integers. These are all simple operations, and the entire function to verify a Lucas-Pratt certificate is small enough to be fully verifiable itself.

An important point in this example is that the certificate actually involves several cases: namely, if the prime is small enough, the certificate just says that it is a “small prime” (e.g. we can verify by table-lookup); otherwise the certificate contains a non-trivial body. In this instance there are just two possible cases.

We note that generating a Lucas-Pratt certificate could be costly because the prime factorization of \(n-1\) must be computed.

1.2 Costs of a Certificate

The total cost of a certificate comprises several components:

  • computational cost of generating the certificate;

  • size of the certificate (e.g. cost of storage or transmission);

  • computational cost of verification given the certificate;

  • size and code complexity of the verifier.

In the case of certifying the irreducibility of a polynomial in \({\mathbb Z}[x]\) we could issue trivial certificates for all polynomials, and say that the verifier simply has to be an implementation of a polynomial factorizer. We regard this as unsatisfactory because the size and code complexity of the verifier are too high.

2 Irreducibility Criteria for \({\mathbb Z}[x]\) and \({\mathbb Q}[x]\)

We can immediately reduce from \({\mathbb Q}[x]\) to \({\mathbb Z}[x]\) thanks to Gauss’s Lemma (for polynomials): let \(f \in {\mathbb Q}[x]\) be non-constant then f is irreducible if and only if \(\mathop {\hbox {prim}}\nolimits (f) \in {\mathbb Z}[x]\) is irreducible, where \(\mathop {\hbox {prim}}\nolimits (f) = \alpha f\) and the uniquely defined, non-zero factor \(\alpha \in {\mathbb Q}\) is such that all coefficients of \(\mathop {\hbox {prim}}\nolimits (f)\) are integers with common factor 1, and the leading coefficient is positive,

The problem of certifying irreducibility in \({\mathbb Z}[x]\) has a long history, and has already been considered by several people. Here is a list of some approaches:

  • give a “large” evaluation point n such that f(n) has a large prime factor;

  • degree analysis (from factorizations over one or more finite fields)Footnote 1;

  • a linear polynomial is obviously irreducible;

  • Newton polygon methods (e.g. Schönemann, Eisenstein, and Dumas [4]);

  • Vahlen-Capelli lemma [10] for binomials

  • Perron’s Criterion [8];

  • the coefficients are (non-negative) digits of a prime to some base b (e.g. [8]).

The first technique in the list was inspired by ideas from [3]; it seems to be new.

In this presentation, we shall assume that the degree is at least 2, and shall concentrate on the first two methods as they are far more widely applicable than others listed.

2.1 Factor Degree Analysis

Factor degree analysis is a well-known, behind-the-scenes technique in polynomial factorization. It involves using degrees of modular factors to obtain a list of excluded degrees for factors in \({\mathbb Z}[x]\).

We define a factor degree lower bound for \(f \in {\mathbb Z}[x]\) to be \(\varDelta \in {\mathbb N}\) such that we have excluded all degrees less than \(\varDelta \), e.g. through factor degree analysis. We can certify this lower bound by accompanying it with the modular factorizations used. Clearly, if degree analysis excludes all degrees up to \(\frac{1}{2} \deg f\) then we have proved that f is irreducible. Finally, we may always take \(\varDelta =1\) without any degree analysis.

In many cases we can indeed prove/certify irreducibility via degree analysis. However, there are some (infinite) families of polynomials where one must use “larger” primes, and there are also (infinite) families where irreducibility cannot be proved via factor degree analysis (e.g. resultants, in particular Swinnerton-Dyer polynomials, see also [6]).

Example 2

The well-known, classical example of a polynomial which cannot be proved irreducible by degree analysis is \(x^4+1\): every modular factorization is into either 4 linears or 2 quadratics, so this does not let us exclude the possible existence of a degree 2 factor.

There are also many polynomials which can be proved irreducible by degree analysis, but are not irreducible modulo any prime; this property depends on the Galois group of the polynomial. For instance, \(f = x^4+x^3+3x+4\) is one such polynomial: modulo 2 the irreducible factors have degrees 1 and 3, and modulo 5 both factors have degree 2; but it is never irreducible modulo p.

Degree Analysis Certificate. A degree analysis certificate comprises

  • a subset \(D \subseteq \{1,2,\ldots ,\frac{1}{2}\deg f\}\) of “not excluded” factor degrees

  • a list, L, of pairs: a prime p, and the irreducible factors of f modulo p

If \(D = \emptyset \), we have a certificate of ireducibility; otherwise the smallest element of the set is a factor degree lower bound.

Verification of the certificate involves the following steps:

  • for each entry in L, check that the product of the modular factors is f;

  • for each entry in L, compute the set of degrees of all possible products of the modular factors; verify that their intersection is D;

  • check that each modular factor is irreducible (e.g. use gaussian reduction to compute the rank of \(B-I\) where B is the Berlekamp matrix).

The main cost of the verification is the computation of B and the rank of \(B-I\); the cost of computing B is greater for larger primes, so we prefer to generate certificates which use smaller primes if possible.

Practical Matters. We would like to know, in practice, how costly it is to produce a useful degree analysis certificate, and how large the resulting certificate could be. More specifically:

  • How many different primes should we consider? And how large?

  • How to find a minimal set of primes yielding the factor degree subset?

  • How many primes are typically in the minimal set?

In our experience, a minimal length list very rarely contains more than 3 entries, but we should expect to consider many more primes during generation of the certificate. We can construct irreducible polynomials which require considering “large” primes to obtain useful degree information (e.g. \(x^2+Nx+N\) where \(N = 1000000!\)) but in many cases “small” primes up to around \(\deg f\) suffice.

2.2 Irreducibility Certificates for \({\mathbb Z}[x]\) via Evaluation

Bunyakowski’s conjecture (e.g. see page 323 of [7]) states that if \(f \in {\mathbb Z}[x]\) is irreducible (and has trivial fixed divisor) then |f(n)| is prime for infinitely many \(n \in {\mathbb Z}\). Assuming the conjecture is true, we can get a certificate of irreducibility by finding a suitable evaluation point n (and perhaps including a certificate that |f(n)| is prime).

Applying Bunyakowski’s conjecture directly is inconvenient for two reasons:

  • we want to handle polynomials with non-trivial fixed divisor;

  • finding a suitable n may be costly, and the resulting |f(n)| may be large.

The first point is solved by an easy generalization of the conjecture: let \(f \in {\mathbb Z}[x]\) be irreducible and \(\delta \) be its fixed divisor, then there are infinitely many \(n \in {\mathbb Z}\) such that \(|f(n)|/\delta \) is prime. The second point is a genuine inconvenience: for some polynomials, it can be costly to find a “Bunyakowski prime,” and the prime itself will be large (and thus costly to verify). For example, let \(f = x^{16}+4x^{14}+6x^2+4\) then the smallest good evaluation point is \(n=6615\), and \(|f(n)| \approx 1.3 \times 10^{61}\).

A Large Prime Factor Suffices. Here we present a much more practical way of certifying irreducibility by evaluation: we require just a sufficiently large prime factor. Let \(f \in {\mathbb Z}[x]\) be non-constant, and let \(\rho \in {\mathbb Q}\) be a root bound for f: that is, for every \(\alpha \in {\mathbb C}\) such that \(f(\alpha )=0\) we have \(|\alpha | \le \rho \). We note that it is relatively easy to compute root bounds (e.g. see [2]). The following proposition was partly inspired by Theorem 2 in [3], but appears to be new.

Proposition 1

Let \(f \in {\mathbb Z}[x]\) be non-constant, and let \(\rho \in {\mathbb Q}\) be a root bound for f. Let \(\varDelta \in {\mathbb N}\) be a factor degree lower bound for f. If we have \(n \in {\mathbb Z}\) with \(|n| > 1+\rho \) such that \(|f(n)| = sp\) where \(s < (|n|-\rho )^\varDelta \) and p is prime then f is irreducible.

Proof

For a contradiction, suppose that \(f=gh \in {\mathbb Z}[x]\) is a non-trivial factorization. We may assume that \(\varDelta \le \deg g \le \deg h\). We have \(f = C_f \prod _{j=1}^d (x - \alpha _j)\) where \(d = \deg f\), \(C_f \in {\mathbb Z}\) is the leading coefficient, and the \(\alpha _j\) are the roots of f in \({\mathbb C}\). We may assume that the \(\alpha _j\) are indexed so that the roots of g are \(\alpha _1,\ldots ,\alpha _{d_g}\) where \(d_g = \deg g\).

By evaluation we have \(f(n) = g(n) \, h(n)\) with all values in \({\mathbb Z}\). Also \(f(n) \ne 0\) since \(|n| > \rho \). We now estimate |g(n)|:

$$ g(n) \; = \; C_g\, \prod _{j=1}^{d_g} (n- \alpha _j) $$

where \(C_g \in {\mathbb Z}\) is the leading coefficient. Each factor in the product has magnitude greater than 1, so \(|g(n)| \,\ge \, (|n|-\rho )^\varDelta \,>\, s\). Similarly, \(|h(n)| > s\). This contradicts the given factorization \(f(n) = sp\). \(\square \)

When we have an evaluation point to which Proposition 1 applies we call it a large prime factor witness (abbr. LPFW) for \(f, \rho \) and \(\varDelta \). We conjecture that every irreducible polynomial has infinitely many LPFWs; note that Bunyakowski’s conjecture implies this.

Example 3

This example shows that it can be beneficial to look for large prime factor witnesses rather than Bunyakowski prime witnesses.

Let \(f = x^{12} +12x^4 +92\) and take \(\varDelta =1\). We compute \(\rho =\frac{7}{4}\) as root bound, and then we obtain a LPFW at \(n=5\) with prime factor \(p=81382739\). In contrast, the smallest Bunyakowski prime is \(\approx 3.06 \times 10^{41}\) at \(n=2865\).

In the light of this example we exclude consideration of a certificate based on Bunyakowski’s conjecture, and consider only LPFWs.

We prefer to issue an LPFW certificate where the prime p is as small as “reasonably possible”. Our implementation searches for suitable n in an incremental way, since smaller values of |n| produce smaller values of |f(n)|, and we expect smaller values of |f(n)| to be more likely to lead to an “sp” factorization with small prime factor p—this is only a heuristic, and does not guarantee to find the smallest such p. We look for the factorization \(|f(n)| = sp\) by trial division by the first few small primes (and GMP’s probabilistic prime test for p).

LPFW Certificate. An LPFW certificate comprises the following information:

  • a root bound \(\rho \),

  • a factor degree lower bound \(\varDelta \)    \(\longleftarrow \) with degree analysis certificate,

  • the evaluation point \(n > 1+\rho \),

  • the large prime factor p of |f(n)|    \(\longleftarrow \) (opt.) with certificate of primality.

Verification of an LPFW certificate entails:

  • evaluating f(n) and verifying that p is a factor;

  • verifying that the discarded factor \(s=|f(n)|/p\) satisfies \(s < (|n|-\rho )^\varDelta \);

  • verifying that \(\rho \) is a root bound for f    \(\longleftarrow \) see comment below;

  • (if \(\varDelta > 1\)) verifying that \(\varDelta \) is a factor degree lower bound;

  • verifying that p is (probably) prime.

In many cases the root bound can be verified simply by evaluation of a modified polynomial: let \(f(x) = \sum _{j=0}^d a_j x^j\) and set \(f^*(x) = |a_d|x^d - \sum _{j=0}^{d-1} |a_j|x^j\), then if \(f^*(\rho ) > 0\) then \(\rho \) is a root bound for f. Some tighter root bounds may require applying an (iterated) Gräffe transform to f first (e.g. see [2]).

Example 4

This example shows how degree information can be useful in finding a small LPFW. Let \(f = x^4 -1036x^2 +7744\). We find that \(\rho =33\) is a root bound. Without degree information (i.e. taking \(\varDelta =1\)) we obtain the first LPFW at \(n=65\) with corresponding prime \(p=13481269\). In contrast, from the factorization of f modulo 3 we can certify that \(\varDelta =2\) is a factor degree lower bound for f. This information lets us obtain an LPFW at \(n=47\) with far smaller corresponding prime \(p=14519\).

3 Möbius Transformations

We define a (minor generalization of) a Möbius transformation for \({\mathbb Z}[x]\). The crucial property for us is that these transformations preserve irreducibility (except for some polynomials of degree 1).

Definition 1

Let be a \(2 \times 2\) matrix. Let \(f = \sum _{j=0}^{\deg (f)} c_j x^j\) be a polynomial in \({\mathbb Z}[x]\). We define the Möbius transform of f induced by M to be the polynomial \(\mu _M(f) = \sum _{j=0}^{\deg f} c_j \, (ax+b)^j \, (cx+d)^{\deg (f)-j}\).

In our applications the matrix entries will be integers, and we shall suppose that at least one of a and c is non-zero.

Definition 2

A Möbius transformation \(\mu _M\) is degenerate if \(\det M = 0\).

Definition 3

Let \(\mu _M\) be a Möbius transform. We define the pseudo-inverse of \(\mu _M\) to be the Möbius transformation corresponding to the classical adjoint . We write \(\mu _M^*\) to denote the pseudo-inverse.

Here is a summary of useful properties of a Möbius transformation \(\mu _M\).

Proposition 2

Let be non-singular, so \(\mu _M\) is non-degenerate.

  1. (a)

    Let \(f = \alpha x+\beta \) be a linear polynomial. If \(f(\frac{a}{c}) \ne 0\) then \(\mu _M(f)\) is linear; otherwise \(\mu _M(f) = \alpha b + \beta d\) is a non-zero constant.

  2. (b)

    \(\mu _M\) respects multiplication: \(\mu _M(gh) = \mu _M(g)\, \mu _M(h)\).

  3. (c)

    \(\deg (\mu _M(f)) = \deg (f) \quad \Longleftrightarrow \quad f(\frac{a}{c}) \ne 0\).

  4. (d)

    If \(\deg (\mu _M(f)) = \deg (f)\) then \(\mu _M^*(\mu _M(f)) = D^{\deg (f)} f(x)\) where \(D = \det M\).

  5. (e)

    If \(\deg (\mu _M^*(f)) = \deg (f)\) then \(\mu _M(\mu _M^*(f)) = D^{\deg (f)} f(x)\) where \(D = \det M\).

  6. (f)

    If \(a,b,c,d \in {\mathbb Z}\) and \(f \in {\mathbb Z}[x]\) is irreducible and \(\deg (\mu _M(f)) = \deg (f)\) then prim\((\mu _M(f))\) is irreducible.

Proof

Parts (a) and (b) are elementary algebra. Part (c) follows from (a) and (b) by considering the factorization of f over a splitting field. Parts (d) and (e) are elementary for linear f; the general case follows by repeated application of part (b).

For part (f), suppose we have a counter-example \(f \in {\mathbb Z}[x]\), then we have a non-trivial factorization \(\mu _M(f) = gh\), but by (b) and (d) we deduce that \(D^{\deg (f)} f = \mu _M^*(g) \, \mu _M^*(h)\) which is a non-trivial factorization, contradicting the assumption that f was irreducible.

Our interest in Möbius transformations is that they offer the possibility of finding a better LPFW certificate. Unfortunately we do not yet have a good way of determining which Möbius transformations are helpful.

Example 5

Let \(f = 97x^4 +76x^3 +78x^2 +4x +2\). We obtain a LPFW certificate with \(\rho =7/5\), \(\varDelta =1\), \(n=-4\) with corresponding prime factor \(p=10601\).

Let . Let \(g = \mathop {\hbox {prim}}\nolimits (\mu _M(f)) = (x^4+1)\); by Proposition 2.(f) since \(\deg g = \deg f\) a LPFW certificate for g also certifies that f is irreducible. For g we obtain a certificate with \(\rho =1\), \(\varDelta =1\), \(n=2\) with much smaller corresponding prime factor \(p=17\).

Unsolved Problem: How to find a good Möbius matrix M given just f?

3.1 Certifying a Transformed Polynomial

Naturally, if we generate a LPFW certificate for a transformed polynomial \(\mu _M(f)\) then we must indicate which Möbius transformation was used. Given two polynomials \(f,g \in {\mathbb Z}[x]\) of the same degree d, and \(M \in \mathop {\hbox {Mat}}\nolimits _{2{\times }2}({\mathbb Z})\), one can easily verify that \(g = \mathop {\hbox {prim}}\nolimits (\mu _M(f))\) by evaluating f at \(\deg (f)\) distinct rational points, and g at the (rational) transforms of these points, and then checking that the ratios of the values are all equal. So the extra information needed is M and \(\mu _M(f)\).

3.2 Fixed Divisors

Definition 4

Let \(f \in {\mathbb Z}[x]\) be non-zero. The fixed divisor of f is defined to be FD(f) = gcd \(\{ f(n) \mid n \in {\mathbb Z}\}\).

Some content-free polynomials have non-trivial fixed divisors: an example is \(f = x^2+x+2\) which is content-free but has fixed divisor 2.

Proposition 3

Let \(f \in {\mathbb Z}[x]\) be non-zero. Its fixed divisor is equal to:

$$ {\mathrm {FD}}(f) \;=\; {\mathrm {gcd}}(f(1),f(2),\ldots ,f(\deg f)) $$

Proof

The standard proof follows easily from representating of f with respect to the “binomial basis” for \({\mathbb Z}[x]\), namely \(\{ \left( {\begin{array}{c}x\\ k\end{array}}\right) \mid k \in {\mathbb N}\}\).

Polynomials having large fixed divisor \(\delta \) cannot have small LPFW certificates because we are forced to choose large evaluation points since we must have \((|n|-\rho )^\varDelta > \delta \). This problem becomes more severe for higher degree polynomials since the fixed divisor can be as large as d! where d is the degree.

We can reduce the size of the fixed divisor by scaling the indeterminate (i.e. a Möbius transformation for a diagonal matrix), or perhaps reversing the polynomial and scaling the indeterminate (i.e. a Möbius transformation for an anti-diagonal matrix). We have not yet investigated the use of more general Möbius transformations.

Let \(f \in {\mathbb Z}[x]\) be content-free, irreducible with fixed divisor \(\delta \). Let q be a prime factor of \(\delta \), and let k be the multiplicity of q in |f(0)|. Then \(g(x) = q^{-k} f(q^k x) \in {\mathbb Z}[x]\) has fixed divisor \(\delta /q^k\). In practice, we consider several polynomials obtained by scaling x by \(q^1, q^2,\ldots , q^k\); in fact scaling by \(q^{-1}, q^{-2}, \ldots \) can also be beneficial.

4 Implementation and Experimentation

Our prototype implementation runs degree analysis and LPFW search “in parallel”: i.e. it repeatedly alternates a few iterations of degree analysis with a few iterations of LPFW search. If degree analysis finds a new factor degree lower bound, \(\varDelta \), this information is passed to the LPFW search.

4.1 Degree Analysis

We adopted the following strategy for choosing primes during degree analysis: initially we create a list of “preferential primes” (e.g. including the first few primes greater than the degree), then we pick primes alternately from this list or from a random generator. The range for randomly generated primes is gradually increased to favour finding quickly a certificate involving smaller primes (since these are computationally cheaper to verify).

This strategy was inspired by some experimentation. There exist polynomials whose degree analysis certificates must involve “large” primes: e.g. a good set of primes for \(x^4 +16x^3 +5x^2 -14x -18\) must contain at least one prime greater than 101. Also, empirically we find that a degree analysis certificate for an (even) Hermite polynomial must use primes greater than the degree.

To issue a certificate, we look for a minimal cardinality subset of the primes used which suffices. This subset search is potentially exponential, but in our experiments it is very rare for a minimal subset to need more than 3 primes.

4.2 Large Prime Factor Witness

As already mentioned, not all polynomials can be certified irreducible by degree analysis. A well-known class of polynomials for which irreducibility cannot be shown by degree analysis are the Swinnerton-Dyer polynomials: they are the minimal polynomials for sums of square-roots of “independent” integers. A more general class of such polynomials was presented in [6].

We saw in Example 5, it can be better to issue a LPFW certificate for a transformed polynomial, but we do not yet have a good way of finding a good Möbius transformation. Our current prototype implementation considers only indeterminate scaling and possibly reversal: i.e. the Möbius matrix must be diagonal or anti-diagonal. A list of all scaling and reverse-scaling transforms by “simple” rationals is maintained, and the resulting polynomials are considered “in parallel”. For each transformed polynomial we keep track of two evaluation points (one positive, one negative) and the corresponding evaluations. The evaluations are then considered in order of increasing absolute value; once an evaluation has been processed the corresponding evaluation point is incremented (or decremented, if it is negative).

The LPFW search depends on a factor degree lower bound, \(\varDelta \), which is initially 1. The degree analysis “thread” may at any time furnish a better value for \(\varDelta \). So that this asynchrony can work well the LPFW search records, for each possible factor degree lower bound, any certificates it finds. When a higher \(\varDelta \) is received, the search first checks whether a corresponding LPFW certificate has already been recorded; if so, that certificate is produced as output. Otherwise searching proceeds using the new \(\varDelta \).

4.3 Examples

Here are a few examples as computed by the current prototype, since degree analysis picks primes in a pseudo-random order different certificates may be issued for the same polynomial.

  • \(x^{16}+4x^{14}+6x^2+4\): degree analysis with prime list \(L=[13,127]\)

  • \(x^4 +16x^3 +5x^2 -14x -18\): degree analysis with prime list \(L=[107]\)

  • 21-st cyclotomic polynomial: LPFW with \(\rho =2\), \(\varDelta =1\), \(n=3\), and prime factor \(p=368089\)

  • Swinnerton-Dyer polynomial for [71, 113, 163]: LPFW with \(\rho =43\), \(\varDelta =2\) (with \(L=[3]\)), \(n=82\) and prime factor \(p=2367715751029\)

  • \(97x^4 +76x^3 +78x^2 +4x +2\): transform \(x \mapsto \frac{2}{x}\), LPFW \(\rho =67/5\), \(\varDelta =2\) (with \(L=[3]\)), \(n=-29\) and prime factor \(p=3041\)

A quick comment about run-times: our interpreted prototype favours producing certificates which are cheap to verify (rather than cheap to generate); the degree analysis certificates took \(\sim \! 0.25\) s each to generate, the others \(\sim \! 0.5\) s each. We did not measure verification run-time, but fully expect it to be less than 0.01 s in each case. In comparison, the polynomial factorizer in CoCoA took less than 0.01 s for all of these polynomials.

As a larger example: the prototype took \(\sim \!20\) s (we expect the final implementation to be significantly faster) to produce a certificate for the degree 64 (Swinnerton-Dyer) minimal polynomial of

$$ \sqrt{61}+\sqrt{79}+\sqrt{139}+\sqrt{181}+\sqrt{199}+\sqrt{211} $$

This polynomial has fixed divisor \(\delta = 2^{29} \, 5^{14} \, 13^4 \approx 1.2 \times 10^{28}\). Our prototype found and applied the transformation \(x \mapsto \frac{52}{15}x\), then produced an LPFW certificate for the transformed polynomial: \(\rho = 451/16\), \(\varDelta =2\) (with \(L=[19]\)), \(n=46\) and \(p \approx 7.5 \times 10^{180}\) which was confirmed to be “probably prime” (according to GMP [5]). The classical Berlekamp-Zassenhaus factorizer in CoCoA [1] took about 300 s to recognize irreducibility.

4.4 A Comment About Run-Time

An anonymous referee reasonably asked about expected run-time or a (possibly heuristic) complexity analysis. The answer is “It depends ...”. For “almost all” polynomials, degree analysis suffices and is quick. In our setting, the LPFW search effectively happens only if a degree analysis certificate cannot be quickly found. In our experiments, the number of iterations in LPFW search before producing a certificate was quite irregular.

5 Conclusion

As mentioned in the introduction there are many different criterions for certifying the irreducibility of a polynomial in \({\mathbb Z}[x]\). Here we have concentrated on just two of them, and have pointed out how they can “collaborate”.

We have built a prototype implementation in CoCoA [1], and plan to integrate it into CoCoALib, the underlying C++ library (where we expect significant performance gains).

An interesting future possibility is for the requester of the certificate to state which criterions may be used (dictated by the implemented verifiers that the requester has available). But, a too restrictive choice of criterions may make it impossible to generate a certificate: e.g. there is no “Eisenstein” certificate for most polynomials.