A Generalised Successive Resultants Algorithm

Abstract

The Successive Resultants Algorithm (SRA) is a root-finding algorithm for polynomials over \(\mathbb {F}_{p^n}\) and was introduced at ANTS in 2014 [19]. The algorithm is efficient when the characteristic p is small and \(n > 1\). In this paper, we abstract the core SRA algorithm to arbitrary finite fields and present three instantiations of our general algorithm, one of which is novel and makes use of a series of isogenies derived from elliptic curves with sufficiently smooth order.

Appendices

A Example of SRA with \(|\mathbb {F}_{p} ^*|\) Smooth

We demonstrate the \(p-1\) instantiation of SRA with a toy example. We use the finite field \(\mathbb {F} _{37}\), where \(36 = 2 \cdot 2 \cdot 3 \cdot 3\) is 3-smooth. Precomputation for \(\mathbb {F} _{37}\) gives us the series of rational maps (in fact polynomials)

$$\begin{aligned} {\left\{ \begin{array}{ll} K_1(x_1) &{}= x_1^2 = x_2\\ K_2(x_2) &{}= x_2^2 = x_3\\ K_3(x_3) &{}= x_3^3 = x_4\\ K_4(x_4) &{}= x_4^3 = x_5 \end{array}\right. } \end{aligned}$$

(15)

The composed map is \(K^{[4]}(x_1) = x_1^{36}\), which gives us \(B = \text {Image}(K^{[t]}) = \{0,1\}\). We wish to find the roots of

$$\begin{aligned} f(x) = x^{10} + 21x^9 + 22x^8 + 7x^7 + 12x^6 + 25x^5 + 35x^4 + 4x^3 + 25x \end{aligned}$$

(16)

We first compute \(f^{(i+1)}(x_{i+1}) = \mathsf {Res}_{x_i}(f^{(x_i)}, x_i^{n_i} - x_{i+1})\) with \(f^{(1)}(x_1) = f(x_1)\).

$$\begin{aligned} f^{(1)}(x_1)&= x_1^{10} + 19x_1^9 + 25x_1^8 + 6x_1^7 + 22x_1^6 + 32x_1^5 + 13x_1^4 + 32x_1^3 + 6x_1^2 + 24x_1\\ f^{(2)}(x_2)&= x_2^{10} + 22x_2^9 + 34x_2^8 + 22x_2^7 + 27x_2^6 + 32x_2^5 + 21x_2^4 + x_2^3 + 17x_2^2 + 16x_2\\ f^{(3)}(x_3)&= x_3^{10} + 28x_3^9 + 20x_3^8 + 23x_3^7 + 36x_3^6 + 36x_3^4 + 22x_3^3 + 35x_3^2 + 3x_3\\ f^{(4)}(x_4)&= x_4^{10} + 28x_4^9 + 28x_4^8 + 25x_4^7 + 18x_4^6 + 18x_4^5 + 21x_4^4 + 28x_4^3 + 28x_4^2 + 27x_4 \end{aligned}$$

We then compute \(g^{(i)}(x_i) = \mathsf {gcd}(f^{(i)}(x_i), x_i^{n_i} - \hat{x}^{i+1})\) for \(i=4,3,2,1\), where \(\hat{x}_5 \in B\) for \(i=4\) and \(\hat{x}^{i+1}\) is a root of \(g^{(i+1)}(x_i)\) for \(i=3,2,1\).

We will note the solutions of these polynomials to the right of each equation.

giving us the values for \(\hat{x_4}: \{0,1,10,26\}\). We use these roots to calculate

giving us the values for \(\hat{x}_3: \{0,7,9,10,12,33,34\}\). We use these roots to calculate

giving us the values for \(\hat{x}_2: \{0,3,7,9,11,12,21\}\). We use these roots to calculate

whose union is the set of roots \(\hat{x}_1: \{0,3,7,14,15,22,23,24,28,30\}\) which are the roots of of our original polynomial f(x).

B Example of SRA with \(p=2 \text { mod } 3\)

We provide the toy example for the case of finding solutions for \(h(u) \in \mathbb {F} _{41}[x]\), which fulfils our initial condition that \(p = 41 = 2 \text { mod } 3\).

We first perform the precomputation stage for the given p. A value of N is computed so that a large enough proportion of N is smooth and allows a suitable curve to be constructed. We find that \(N = 32\) is a such a value and compute the auxiliary curve

$$\begin{aligned} E_{1,0}(\mathbb {F} _{41}) := \{(x,y) \in \mathbb {F} _{41} \times \mathbb {F} _{41} ~:~y^2 = x^3 + x\} \end{aligned}$$

(17)

whose rational points we will convert our points in \(\mathbb {F} _{41}\) to via Icart’s map [15] as in Eq. 18,

$$\begin{aligned}&K_0: \mathbb {F} _{41}[u,x] \rightarrow E_{1,0}(\mathbb {F} _{41})\nonumber \\&(u,x) \mapsto -8u^8 + 14u^6x - u^4x^2 + u^2x^3 + 7u^4 + 10 \end{aligned}$$

(18)

The final step of the precomputation is to compute suitable elliptic curves and successive isogenies between them such that their degree is bounded by our smoothness bound. We will only use the rational map representations of the x-coordinate for these maps. The following series of isogenies with their rational-map representations of the mappings from x-coordinate to x-coordinates give rise to the following system of equations

(19)

After this precomputation is completed, we may begin the process of calculating the roots of h(u). We seek to find the roots of the polynomial

$$\begin{aligned} h(u) = u^5 + 19u^4 + 6u^3 + 37u^2 + 38u + 30 \end{aligned}$$

(20)

We first use the Icart map \(K_0\) to create our polynomial \(f^{(1)}(x_1)\), whose roots represent solutions of both h(u) and \(K_0(u,x)\) by means of taking the resultant with regards to u.

$$\begin{aligned} f(x)&= \mathsf {Res}_u(h(u), -8u^8 + 14u^6x - u^4x^2 + u^2x^3 + 7u^4 + 10)\nonumber \\&=39x^{15} + x^{14} + 22x^{13} + 30x^{12} + 4x^{11} + 33x^{10} +33x^{9}\nonumber \\&\quad + 32x^{8} + 9x^{7} + 4x^{6} + 33x^{5} + 40x^{4} + 12x^{3} + x + 2 \end{aligned}$$

(21)

we note that we now have a polynomial three times the degree of our original one, but we are only interested in linear factors hence we may obtain

$$\begin{aligned} f(x)&= \gcd (x^p - x, f^{(1)}(x)) \nonumber \\ f(x)&= x^4 - 15x^3 - 5x^2 + 14x + 14 \end{aligned}$$

(22)

which is of degree bounded by deg(h). We then compute the roots of f using the SRA algorithm with the maps \(M = \{K_i\}_{i=1}^5\), the set \(B = \emptyset \) and the flag \(\text {ParSeq} = \text {True}\).

As described in the generic case of SRA, we now apply the resultant stage to obtain our \(f^{(2)}(x_2),f^{(3)}(x_3),f^{(4)}(x_4),f^{(5)}(x_5)\) polynomials using the map structure we have derived from the rational maps of the isogenies as described in system 19. To do this we successively compute

$$\begin{aligned} f^{(i+1)}(x) = \mathsf {Res}_u(f^{(i)}(x_i), a_i(x_i) - x_4 + 17 \cdot x_{i+1}) \qquad \text { for }i=1,\ldots , t-1. \end{aligned}$$

(23)

This results in the series of polynomials

$$\begin{aligned} f^{(1)}(x_1)&= x_1^4 - 15x_1^3 - 5x_1^2 + 14x_1 + 14 \nonumber \\ f^{(2)}(x_2)&= 14x_2^4 + 9x_2^3 - 13x_2^2 - 5x_2 + 11 \nonumber \\ f^{(3)}(x_3)&= -14x_3^4 - 4x_3^3 - 16x_3^2 - 13x_3 - 16\\ f^{(4)}(x_4)&= -3x_4^4 + 7x_4^3 - x_4^2 - 11x_4 + 11 \nonumber \\ f^{(5)}(x_5)&= -2x_5^4 - 5x_5^3 + 3x_5^2 - 9x_5 + 5 \nonumber \end{aligned}$$

(24)

We may then begin the gcd stage of the algorithm. We note that at each stage we must repeatedly extract those values in the kernel as these values are not picked up by the root merging process. Our first set of roots is therefore calculated via

$$\begin{aligned} g^{(5)}(x_5) = \gcd (-2x_5^4 - 5x_5^3 + 3x_5^2 - 9x_5 + 5, x_5 + 16) \end{aligned}$$

giving us the candidate roots \(\hat{x}_5\): \(\{25\}\). We use this to compute the polynomial

$$\begin{aligned} g^{(4)}(x_4)&= \gcd (-3x_4^4 + 7x_4^3 - x_4^2 - 11x_4 + 11, x_4^2 + 17x_4 - 10 - (x_4 + 17)\cdot 25)\\&= x_4^2 + 33x_4 + 16 \end{aligned}$$

These give us \(\hat{x}_4: \{4\}\). We perform the same procedure to compute

$$\begin{aligned} g^{(3)}(x_3)&= \gcd (-14x_3^4 - 4x_3^3 - 16x_3^2 - 13x_3 - 16,x_3^2 + 12x_3 + 19 - (x_3+12)\cdot 4)\\&= x_3^2 + 8x_3 + 12 \end{aligned}$$

Giving us the candidate solutions \(\hat{x}_3: \{35,39\}\). We perform the same procedure to compute

$$\begin{aligned} g^{(2)}(x_2)&= \gcd (14x_2^4 + 9x_2^3 - 13x_2^2 - 5x_2 + 11, x_2^2 - 2x_2 + 8 - (x_2-2)\cdot 35)\\&= x_2 + 9\\ g^{(2)}(x_2)&= \gcd (14x_2^4 + 9x_2^3 - 13x_2^2 - 5x_2 + 11, x_2^2 - 2x_2 + 8 - (x_2-2)\cdot 39)\\&= x_2^2 + 4 \end{aligned}$$

Giving us the candidate solutions \(\{32\}\) and \(\{18,23\}\) respectively. Finally we compute

$$\begin{aligned} g^{(1)}(x_1)&= \gcd (x_1^4 - 15x_1^3 - 5x_1^2 + 14x_1 + 14, x_1^2 + 1 - (x_1)\cdot 18))\\&= x_1 + 21\\ g^{(1)}(x_1)&= \gcd (x_1^4 - 15x_1^3 - 5x_1^2 + 14x_1 + 14, x_1^2 + 1 - (x_1)\cdot 23))\\&= x_1^2 + 18x_1 + 1\\ g^{(1)}(x_1)&= \gcd (x_1^4 - 15x_1^3 - 5x_1^2 + 14x_1 + 14, x_1^2 + 1 - (x_1)\cdot 32))\\&= x_1 + 28 \end{aligned}$$

Solving these provides us with solutions \(\{20\},\{2,21\},\{13\}\) for f(x).

We then must convert these back into solutions for h(u). We now possess x-coordinate solutions and may retrieve the corresponding y-coordinates via substitution of x into the auxiliary curve and taking square roots. These lead to the solutions

$$\begin{aligned} (13, 18), (13, 23), (21, 4), (21, 37), (2, 16), (2, 25), (20, 5), (20, 36) \end{aligned}$$

each of which we substitute into the precomputed map \(L(x,y) = u^4 - 6xu^2 + 6uy - 3\) and take the gcd with h(u) to obtain the list of equations whose roots are precisely those of h(u) (excluding 0, which may be specially checked for).

The roots of h(u) are therefore \(\{21,24,26,34,40\}\).