Trading GRH for algebra: algorithms for factoring polynomials and related structures
Authors: Gabor Ivanyos, Marek Karpinski, Lajos Ronyai
Gábor Ivanyos∗, Marek Karpinski†, Lajos Rónyai‡, Nitin Saxena§¶

Abstract

In this paper we develop techniques that eliminate the need of the Generalized Riemann Hypothesis (GRH) from various (almost all) known results about deterministic polynomial factoring over finite fields. Our main result shows that given a polynomial $f(x)$ of degree $n$ over a finite field $k$, we can find in deterministic $\mathrm{poly}(n^{\log n}, \log|k|)$ time either a nontrivial factor of $f(x)$ or a nontrivial automorphism of $k[x]/(f(x))$ of order $n$. This main tool leads to various new GRH-free results, most striking of which are:

1. Given a noncommutative algebra $A$ of dimension $n$ over a finite field $k$. There is a deterministic $\mathrm{poly}(n^{\log n}, \log|k|)$ time algorithm to find a zero divisor in $A$. This is the best known deterministic GRH-free result since Friedl and Rónyai (STOC 1985) first studied the problem of finding zero divisors in finite algebras and showed that this problem has the same complexity as factoring polynomials over finite fields.

2. Given a positive integer $r$ such that either $8 \mid r$ or $r$ has at least two distinct odd prime factors. There is a deterministic polynomial time algorithm to find a nontrivial factor of the $r$-th cyclotomic polynomial over a finite field. This is the best known deterministic GRH-free result since Huang (STOC 1985) showed that cyclotomic polynomials can be factored over finite fields in deterministic polynomial time assuming GRH.

In this paper, following the seminal work of Lenstra (1991) on constructing isomorphisms between finite fields, we further generalize classical Galois theory constructs like cyclotomic extensions, Kummer extensions, Teichmüller subgroups, to the case of commutative semisimple algebras with automorphisms.
These generalized constructs help eliminate the dependence on GRH.

∗ Computer and Automation Research Institute of the Hungarian Academy of Sciences (MTA SZTAKI), Lágymányosi u. 11, 1111 Budapest, Hungary. E-mail: Gabor.Ivanyos@sztaki.hu
† Department of Computer Science and Hausdorff Center for Mathematics, University of Bonn, 53117 Bonn, Germany. E-mail: marek@cs.uni-bonn.de
‡ MTA SZTAKI and Department of Algebra, Budapest University of Technology and Economics, Műegyetem rkp. 3-9, 1111 Budapest, Hungary. E-mail: lajos@ilab.sztaki.hu
§ Hausdorff Center for Mathematics, Endenicher Allee 62, 53115 Bonn, Germany. E-mail: ns@hcm.uni-bonn.de
¶ The authors thank the Hausdorff Research Institute for Mathematics for its kind support.

1 Introduction

The problem of finding a nontrivial factor of a given polynomial over a finite field is a fundamental computational problem. There are many problems whose known algorithms first require factoring polynomials. Thus, polynomial factoring is an intensely studied question and various randomized polynomial time algorithms are known – Berlekamp [Be67], Rabin [Rab80], Cantor and Zassenhaus [CZ81], von zur Gathen and Shoup [GS92], Kaltofen and Shoup [KS98] – but its deterministic complexity is a longstanding open problem. There are, however, several partial results known about the deterministic complexity of polynomial factoring based on the conjectured truth of the generalized Riemann Hypothesis (GRH). The surprising connection of GRH with polynomial factoring is based on the fact that if GRH is true and $r$ is a prime dividing $(|k| - 1)$ then one can find primitive $r$-th nonresidues in the finite field $k$, which can then be used to factor "special" polynomials, $x^r - a$ over $k$, in deterministic polynomial time (see [Ev89]).
Many deterministic factoring algorithms are based on this, but all of them take super-polynomial time except on special instances. The special instance when the degree $n$ of the input polynomial $f(x)$ has a "small" prime factor $r$ has been particularly interesting. Rónyai [Ró87] showed that under GRH one can find a nontrivial factor of $f(x)$ in deterministic polynomial time. Later it was shown by Evdokimov [Ev94] that Rónyai's algorithm can be modified to get under GRH a deterministic algorithm that factors any input polynomial $f(x) \in k[x]$ of degree $n$ in subexponential time $\mathrm{poly}(n^{\log n}, \log|k|)$. This line of approach has since been investigated, in an attempt to remove GRH or improve the time complexity, leading to several algebraic-combinatorial conjectures and quite special case solutions [CH00, Gao01, IKS08].

Some other instances studied have been related to the Galois group of the given polynomial over the rationals. Rónyai [Ró89b] showed under GRH that any polynomial $f(x) \in \mathbb{Z}[x]$ can be factored modulo $p$ deterministically in time polynomial in the size of the Galois group over $\mathbb{Q}$ of $f$, except for finitely many primes $p$. Other results of a similar flavor are: Evdokimov [Ev89] showed under GRH that $f(x)$ can be factored in deterministic polynomial time if it has a solvable Galois group while Huang [Hua85] showed under GRH that $f(x)$ can be factored in deterministic polynomial time if it has an Abelian Galois group.

Another instance studied is that of "special" finite fields. Bach, von zur Gathen and Lenstra [BGL01] showed under GRH that polynomials over finite fields of characteristic $p$ can be factored in deterministic polynomial time if $\phi_k(p)$ is "smooth" for some integer $k$, where $\phi_k(x)$ is the $k$-th cyclotomic polynomial.
This result generalizes the previous works of Rónyai [Ró89a], Mignotte and Schnorr [MS88], von zur Gathen [G87], Camion [Cam83] and Moenck [Moe77].

Polynomial factoring has several applications both in the real world (coding theory and cryptography) and in fundamental computational algebra problems. The latter kind of applications are relevant to this work. Friedl and Rónyai [FR85] studied the computational problem of finding the simple components and a zero divisor of a given finite algebra over a finite field. They showed that all these problems depend on factoring polynomials over finite fields and hence have randomized polynomial time algorithms. Furthermore, they have under GRH deterministic subexponential time algorithms. In this work we give an unconditional version of this result. We show that if the given algebra is noncommutative then in fact we can find a zero divisor in deterministic subexponential time without needing GRH.

1.1 Our Results and Techniques

As we saw above there are several results on polynomial factoring that assume the truth of the GRH. Of course one would like to eliminate the need of GRH but that goal is still elusive. As a first step in that direction we give in this work GRH-free versions of all the results mentioned above. In these versions the basic tool is that we either successfully find a nontrivial factor of a polynomial $f(x)$ over a finite field $k$ or we find a nontrivial automorphism of the algebra $k[x]/(f(x))$. Formally speaking the main result of the paper is:

Main Theorem: Let $A$ be a commutative semisimple algebra of dimension $n$ over a finite field $k$ and let $A$ be given in the input in terms of basis elements over $k$. Then there is a deterministic algorithm which in subexponential time $\mathrm{poly}(n^{\log n}, \log|k|)$ computes a decomposition of $A$ into a direct sum $A_1 \oplus \ldots$
$\oplus A_t$ and finds an automorphism of order $\dim_k A_i$ of the algebra $A_i$, for each $1 \le i \le t$.

This main theorem can be considered as a GRH-free version of Evdokimov's factoring result [Ev94], but its proof leads us to significantly generalize standard notions and develop novel algebraic techniques that suggest a general paradigm for GRH elimination. We are going to use it as a tool for more important applications but first let us explain the importance of this result itself. It is the first deterministic subexponential time algorithm to find a nontrivial automorphism of a given commutative semisimple algebra over a finite field. Finding a nontrivial automorphism of a given arbitrary ring is in general as hard as integer factoring [KS05] but our result shows that it might be a lot easier for a commutative semisimple algebra over a finite field. Note that in the special case when $A = k[x]/(f(x))$ with $f(x)$ splitting over $k$ as $\prod_{j=1}^{n} (x - \alpha_j)$, with $\alpha_1, \ldots, \alpha_n$ all distinct, we have $A \cong \bigoplus_{j=1}^{n} k[x]/(x - \alpha_j)$. The above algorithm either gives $t > 1$ components of $A$ – in which case it effectively yields a nontrivial factor of $f(x)$ – or $t = 1$ and it gives an automorphism $\sigma$ of $A$ of order $n$, thus yielding $n$ distinct "roots" of $f(x)$ – $x, \sigma(x), \ldots, \sigma^{n-1}(x)$ – all living in $A \setminus k$. This latter case can be interpreted as finding roots over finite fields in terms of "radicals", in analogy to classical Galois theory where one studies rational polynomials whose roots can be expressed by radicals, see Section 4 for details.

The key ideas in finding a nontrivial automorphism of a given commutative semisimple $B$-algebra $A$ over a finite field $k \subseteq B$ are as follows. We consider a special ideal $A'$ (what we call the essential part in Section 5.2) of the tensor product $A \otimes_B A$.
The ideal $A'$ is just the kernel of a standard homomorphism of $A \otimes_B A$ onto $A$ and has rank ("dimension") $\mathrm{rk}_B A\,(\mathrm{rk}_B A - 1)$ over $B$. The algebra $A$ gets naturally embedded in $A'$ by a map $\phi$, hence $A'$ is an extension algebra of $\phi(A) \cong A$ which in turn is an extension algebra of $\phi(B) \cong B$. Also, we know a natural automorphism of $A'$ fixing $B$ – the map $\tau : x \otimes y \mapsto y \otimes x$. A lot of technical effort goes into "bringing down" this automorphism (or certain other automorphism $\sigma$ of order 2 obtained by recursion) from $A'$ to $A$, i.e. getting a $B$-automorphism $\sigma'$ of $A$. The technical arguments fall into two cases, depending on whether $\mathrm{rk}_A A' = \mathrm{rk}_B A' / \mathrm{rk}_B A$ is odd or even.

(1) If the rank $\mathrm{rk}_B A$ is even then $\mathrm{rk}_A A'$ is odd. We find an element $u \in A'$ with $u^\tau = -u$. If $u \in A$ then the restriction of $\tau$ is a $B$-automorphism of the subalgebra $B[u]$ of $A$ generated by $B$ and $u$. If $u \notin A$ then either the subalgebra $A[u]$ of $A'$ is not a free $A$-module or $A'$ is not a free $A[u]$-module. Both cases give us a zero divisor in $A'$ to go to a smaller ideal $I$ of $A'$ such that we know an automorphism of $I$, it contains a "copy" of $A$ and $\mathrm{rk}_A I$ is odd, thus we can continue this "descent" (from $A'$ to $I$) till we have a $B$-automorphism of $A$ or of a subalgebra of $A$ (this process appears in Section 5.1). In the former case we are done while in the latter case we use two recursive calls and certain techniques to "glue" the three available automorphisms.

(2) If the rank $\mathrm{rk}_B A$ is odd then $\mathrm{rk}_A A'$ is even and we can use the technique above to find an $A$-automorphism $\sigma$ of $A'$. It turns out that $\sigma$ and $\tau$ generate a group of automorphisms of $A'$ which is big enough to find a proper ideal $I$ of $A'$ efficiently. We may further assume that the rank of $I$ over $A$ is at most $\mathrm{rk}_A A' / 2 = (\mathrm{rk}_B A - 1)/2$.
This allows us a recursive call with $(I, A)$ in place of $(A, B)$ to get an $A$-automorphism of $I$, which we eventually show is enough to extract an automorphism of $A$ using tensor properties and a recursive call (this case 2 gets handled in Section 5.3).

This algebraic-extensions jugglery either goes through and yields a nontrivial automorphism $\sigma'$ of $A$ fixing $B$ or it "fails" and yields a zero divisor in $A$ which we use to "break" $A$ into smaller subalgebras and continue working there. As in each recursive call, in the above two cases, the rank of the bigger algebra over the subalgebra is at most half of the original one, the depth of the recursion is at most $\log \mathrm{rk}_B A$. This gives an $n^{\log n}$ term in the time complexity analysis.

Roots of unity play a significant role in gluing automorphisms (i.e. in extending an automorphism of a subalgebra, of elements fixed by another automorphism, to the whole algebra). The gluing process is described in Section 4.4. As we do not know roots of unity in $k$ we resort to attaching virtual $r$-th roots of unity for a suitable prime $r$, i.e. working in the cyclotomic extension $k[\zeta_r] := k[x]/(\sum_{i=0}^{r-1} x^i)$ and $A'[\zeta_r] := k[\zeta_r] \otimes_k A'$. We then need to generalize standard algebraic constructions, like Kummer extensions and Teichmüller subgroups which were first used in a context similar to ours by Lenstra [L91] to find isomorphisms between fields, to our situation of commutative semisimple algebras.

The above theorem and its proof techniques have important applications. The first one is in finding zero divisors in a noncommutative algebra.

Application 1: Let $A$ be an algebra of dimension $n$ over a finite field $k$ and let $A$ be given in the input in terms of basis elements over $k$. Assume that $A$ is noncommutative. Then there is a deterministic algorithm which finds a zero divisor in $A$ in time $\mathrm{poly}(n^{\log n}, \log|k|)$.
The previous best result was due to Rónyai [Ró90] who gave an algorithm invoking polynomial factorization over finite fields and hence taking subexponential time assuming GRH. Our result removes the GRH assumption. It is interesting to note that if we prove such a result for commutative algebras as well then we would basically be able to factor polynomials in subexponential time without needing GRH.

If $A$ is a simple algebra over the finite field $k$ then it is isomorphic to the algebra $M_m(K)$ of the $m \times m$ matrices with entries from an extension field $K$ of $k$. By Application 1 we find a proper left ideal of $A$. A recursive call to a certain subalgebra of the left ideal will ultimately give a minimal left ideal of $A$ and using this minimal one-sided ideal an isomorphism with $M_m(K)$ can be efficiently computed. Thus, for constant $m$, Application 1 extends Lenstra's result (on computing isomorphisms between input fields) to noncommutative simple algebras, i.e., the explicit isomorphism problem is solved in this case. We note that, in general, the algebra isomorphism problem over finite fields is not "believed" to be NP-hard but it is at least as hard as the graph isomorphism problem [KS05]. We also remark that the analogous problem of constructing an isomorphism with the algebra of matrices over the rationals has a surprising application to rational parametrization of certain curves, see [GHPS06].

The techniques used to prove Main Theorem can be applied to find a nontrivial factor of an $r$-th cyclotomic polynomial over a finite field $k$, for almost all $r$'s, in deterministic polynomial time.

Application 2: Let $r$ be a positive integer such that the multiplicative group $\mathbb{Z}_r^*$ is noncyclic and let $\phi_r(x)$ be the $r$-th cyclotomic polynomial. Then we can find a nontrivial factor of $\phi_r(x)$ over a finite field $k$ in deterministic $\mathrm{poly}(r, \log|k|)$ time.
Roots of an $r$-th cyclotomic polynomial over $k$ are the $r$-th roots of unity and thus naturally related to all polynomial factoring algorithms. Assuming GRH several algorithms are known to factor these important polynomials (see [Ev89]). The above result gives the first deterministic polynomial time algorithm to nontrivially factor "most" of the cyclotomic polynomials without assuming GRH.

The third application of the techniques used to prove Main Theorem is in the instance of polynomial factoring over prime fields when we know the Galois group of the input polynomial. The following theorem can be seen as the GRH-free version of the main theorem of Rónyai [Ró89b].

Application 3: Let $F(X) \in \mathbb{Z}[X]$ be a polynomial irreducible over $\mathbb{Q}$ with Galois group of size $m$ and let $L$ be the maximum length of the coefficients of $F(X)$. Let $p$ be a prime not dividing the discriminant of $F(X)$ and let $f(x) = F(X) \pmod p$. Then by a deterministic algorithm of running time $\mathrm{poly}(m, L, \log p)$ we can find either a nontrivial factor of $f(x)$ or a nontrivial automorphism of $\mathbb{F}_p[x]/(f(x))$ of order $\deg f$.

The fourth application of the techniques used to prove Main Theorem is in the instance of polynomial factoring over $\mathbb{F}_p$ when $p$ is a prime with smooth $(p - 1)$. The following theorem can be seen as the GRH-free version of the main theorem of Rónyai [Ró89a].

Application 4: Let $f(x)$ be a polynomial of degree $n$, that splits into linear factors over $\mathbb{F}_p$. Let $r_1 < \ldots < r_t$ be the prime factors of $(p - 1)$. Then by a deterministic algorithm of running time $\mathrm{poly}(r_t, n, \log p)$, we can find either a nontrivial factor of $f(x)$ or a nontrivial automorphism of $\mathbb{F}_p[x]/(f(x))$ of order $n$. In fact, we always find a nontrivial factor of $f(x)$ in case $n \nmid \mathrm{lcm}\{r_i - 1 \mid 1 \le i \le t\}$.

Thus over "special" fields (i.e.
when $p - 1$ has only small prime factors) the above actually gives a deterministic polynomial time algorithm, a significant improvement over Main Theorem.

1.2 Organization

In Section 2 we collect various standard objects and structural facts associated to algebras. We also discuss the three basic methods that lead to discovering a zero divisor in an algebra – finding discrete log for elements of prime-power order, finding a free base of a module and refining an ideal by a given automorphism.

In this work we use methods for finding zero divisors in algebras in the case when certain groups of automorphisms are given. One of such methods is computing fixed subalgebras and testing freeness over them. In Section 3 we give a characterization of algebras and groups which survive these kinds of attacks. These algebras, called semiregular wrt the group, behave like fields in the sense that the whole algebra is a free module over the subalgebra of fixed points of the group and the rank equals the size of the group.

In Section 4 we build a small theory for the main algebraic construction, Kummer-type extensions over algebras, that we are going to use. We investigate there the action of the automorphisms of an algebra $A$ on a certain subgroup, the Teichmüller subgroup, of the multiplicative group of a Kummer-type extension of $A$. The proofs of Applications 2 and 3 get completed in this section.

In Section 5 we apply the machinery of Section 4 to the tensor power algebras and complete the proof of Main Theorem. In Section 6 we find suitable subalgebras of a given noncommutative algebra to invoke Main Theorem and complete the proof of Application 1. In Section 7 we use the techniques developed for the Main Theorem in the case of special finite fields and complete the proof of Application 4.
2 Preliminaries

In this section we list some algebraic notions that we use in this work and that can be found in standard algebra texts, for example [La80].

Rings, Units and Zero-divisors: A ring with identity (or ring, for short) $R$ is a set of elements together with two operations – denoted by addition $+$ and multiplication $\cdot$ – such that $(R, +)$ is an Abelian group, $\cdot$ is associative, distributes over $+$ and has an identity element $1_R$. Note that the set $R^*$, containing all the elements of $R$ that have a multiplicative inverse, is a multiplicative group called the group of units. For a prime integer $r$ we call a unit $x$ an $r$-element if the multiplicative order of $x$ is a power of $r$. An element $x$ is called a zero divisor if $x \ne 0$ and there exist nonzero $y, y' \in R$ such that $yx = xy' = 0$.

Modules: Let $(R, +, \cdot)$ be a commutative ring and $(M, +)$ be an Abelian group. We call $M$ an $R$-module wrt an operation $R \times M \to M$ (called scalar multiplication and denoted as $rx$ for $r \in R$ and $x \in M$) if for all $r, s \in R$; $x, y \in M$, we have: $r(x + y) = rx + ry$; $(r + s)x = rx + sx$; $(rs)x = r(sx)$ and $1x = x$. Note that a vector space $V$ over a field $F$ is also an $F$-module.

Free and Cyclic: For an $R$-module $M$, a set $E \subset M$ is called a free basis of $M$ if: $E$ is a generating set for $M$, i.e. every element of $M$ is a finite sum of elements of $E$ multiplied by coefficients in $R$, and $E$ is a free set, i.e. for all $r_1, \ldots, r_n \in R$; $e_1, \ldots, e_n \in E$, $r_1 e_1 + \cdots + r_n e_n = 0$ implies that $r_1 = \cdots = r_n = 0$. A free module is a module with a free basis. $|E|$ is called the rank or dimension of the free module $M$ over $R$. Clearly, a vector space is a free module. A module is called a cyclic module if it is generated by one element.
Algebras: Let $(R, +, \cdot)$ be a commutative ring and $(A, +, \cdot)$ be a ring which is also an $R$-module, where the additive operation of $A$ as a module coincides with $+$. We say that $A$ is an associative $R$-algebra with identity (or just an $R$-algebra for short) if multiplication by elements of $R$ commutes with multiplication by elements of $A$: for every $r \in R$ and for every $a, b \in A$ we have $r(ab) = (ra)b = a(rb)$.

Subalgebras: A subalgebra $B$ of an $R$-algebra $(A, +, \cdot)$ is just a submodule of $A$ closed under multiplication. In this paper unless otherwise stated, by a subalgebra of $A$ we mean a subalgebra containing the identity element $1_A$. Note that if $B$ is a commutative subalgebra of $A$ then $A$ is a $B$-module in a natural way. If, furthermore, $B$ is contained in the center of $A$ (that is, $ab = ba$ for every $a \in A$ and for every $b \in B$) then $A$ is a $B$-algebra.

Presentation: In this work we will consider only $k$-algebras $A$ that are finite dimensional over a finite field $k$. So we can assume that an algebra $A$ is always presented in the input-output in terms of an additive basis of $(A, +)$ over $k$, i.e. there are basis elements $b_1, \ldots, b_n \in A$ such that $A = kb_1 + \cdots + kb_n$ and furthermore $a_{i,j,\ell} \in k$ are given such that $b_i \cdot b_j = \sum_\ell a_{i,j,\ell}\, b_\ell$. Such an $n$ is called the dimension, $\dim_k A$, of $A$ over $k$.

Extension: If $B$ is a commutative $k$-algebra and a $B$-algebra $A$ is also a free module over $B$ then we call $A$ an algebra extension or an extension algebra over $B$. This terminology is justified by the fact that $B$ is embedded into (the center of) $A$ by the map $b \mapsto b 1_A$. We denote the rank ("dimension") of $A$ as a $B$-module by $\mathrm{rk}_B A$ or $[A : B]$. We sometimes use this notation also when there is an implicit embedding of $B$ in $A$.

Primitive Element: We call an algebra extension $A$ over $B$ simple if there is an $\alpha \in A$ such that $\{1, \alpha, \ldots$
$, \alpha^{n-1}\}$ forms a free basis of $A$ over $B$. We call $\alpha$ a primitive element and write $A = B[\alpha]$. Following is a version of the standard Primitive Element Theorem.

Fact 1. If $K \supseteq F$ are fields such that $\mathrm{char}\, F$ is $0$ or $> [K : F]^2$, then $K$ has a primitive element over $F$.

There are two natural operations defined on algebras – the direct sum and the tensor product – each constructs a bigger algebra.

Direct Sum: Let $(A_1, +, \cdot)$ and $(A_2, +, \cdot)$ be two algebras. Then the direct sum algebra, $A_1 \oplus A_2$, is the set $\{(a_1, a_2) \mid a_1 \in A_1, a_2 \in A_2\}$ together with component-wise addition and multiplication operations. In a similar vein, for subalgebras $A_1, A_2$ of an algebra $A$ we write $A = A_1 \oplus A_2$, if $A = A_1 + A_2$ and $A_1, A_2$ are orthogonal, i.e. $\forall a_1 \in A_1, a_2 \in A_2$, $a_1 a_2 = a_2 a_1 = 0$.

Tensor Product: Furthermore, if $B$ is a commutative algebra such that $A_1, A_2$ are $B$-algebras of dimensions $n_1, n_2$ respectively over $B$ then their tensor product algebra wrt $B$, $A_1 \otimes_B A_2$, is the set $\{a_1 \otimes a_2 \mid a_1 \in A_1, a_2 \in A_2\}$ naturally viewed as a $B$-module having the multiplication operation: $(a_1 \otimes a_2) \cdot (a'_1 \otimes a'_2) = (a_1 a'_1 \otimes a_2 a'_2)$ for all $a_1, a'_1 \in A_1$ and $a_2, a'_2 \in A_2$. Note that the tensor product algebra has dimension $n_1 n_2$ over $B$. Thus, if $B$ is finite then $|A_1 \oplus A_2| = |B|^{n_1 + n_2}$, while $|A_1 \otimes_B A_2| = |B|^{n_1 n_2}$.

Nilpotent and Idempotent: In an algebra $A$ we call an element $x \in A$ nilpotent if $x^m = 0$ for some $m \in \mathbb{Z}$, while we call $x$ idempotent if $x^2 = x$. It is called a primitive idempotent if it cannot be expressed as the sum of two idempotents whose product is zero. It is called nontrivial if it is not $0$ or $1$.

Decomposability: An algebra $A$ is called indecomposable if there are no nonzero algebras $R, S$ such that $A \cong R \oplus S$.
Following are some standard facts relating decomposability to idempotents in commutative algebras.

Fact 2. Let $A$ be a commutative algebra; then: (1) $A$ decomposes iff $A$ has a nontrivial idempotent. (2) If $e$ is an idempotent in $A$ then $A \cong eA \oplus (1 - e)A$. (3) If $e$ is a primitive idempotent in $A$ then $eA$ is indecomposable.

Ideal: An ideal $I$ of an algebra $A$ is a subset that is an additive subgroup of $A$, is closed under multiplication and it contains both $aI := \{a \cdot i \mid i \in I\}$; $Ia := \{i \cdot a \mid i \in I\}$ for all $a \in A$. Note that $\{0\}$ and $A$ are ideals of $A$, we call them trivial ideals. Also note that proper ideals are not subalgebras in the strict sense used in this paper.

Semisimplicity: An algebra $A$ is called simple if it has no nontrivial ideal. An algebra is called semisimple if it is a direct sum of simple algebras. Following are some standard facts about commutative semisimple algebras.

Fact 3. Let $A$ be a commutative semisimple algebra; then: (1) $A$ is a direct sum of fields. (2) If $I$ is an ideal of $A$ and $I^\perp := \{a \in A \mid aI = 0\}$ (called the complement of $I$) then $A = I \oplus I^\perp$. Furthermore, there exists an idempotent $e$ of $A$ such that $I = eA$ thus giving an explicit projection from $A$ to $I$.

Following is the celebrated Artin–Wedderburn Theorem that classifies semisimple algebras.

Fact 4. Any semisimple algebra $A$ is isomorphic to a direct sum of $n_i \times n_i$ matrix algebras over division rings $D_i$ (i.e. $D_i$ satisfies all field axioms except commutative multiplication). Both the $n_i$'s and $D_i$'s are uniquely determined up to permutation of the indices $i$.

Morphisms: Let $\phi$ be a map between two algebras $A, B$. If $\phi$ preserves the addition and multiplication operations of the algebras then we call it a homomorphism. If the homomorphism $\phi$ is injective then we call it an embedding.
If the homomorphism $\phi$ is both injective and surjective then we call it an isomorphism. A homomorphism from an algebra to itself is called an endomorphism. An isomorphism from an algebra to itself is called an automorphism. A set $S$ is said to be invariant under the automorphism $\phi$ of $A$ if for all $s \in S$, $\phi(s) \in S$. $\phi$ is said to fix $S$ if $\phi$ fixes each element of $S$, i.e. for all $s \in S$, $\phi(s) = s$. The group of $S$-automorphisms of $A$, $\mathrm{Aut}_S(A)$, is the set of all automorphisms of $A$ that fix $S$.

Throughout this paper all algebras are algebras with identity elements. Unless otherwise stated explicitly, by a subalgebra we mean a subalgebra containing the identity element. Thus, in this strict sense a proper ideal is not considered as a subalgebra. In the rest of this section $A$ stands for a commutative semisimple algebra over the finite field $k$.

2.1 Discrete Log for $r$-elements

Given two $r$-elements (i.e. having order a power of the prime $r$) in a commutative semisimple algebra there is an algorithm that computes the discrete logarithm or finds a zero divisor (of a special form) in $A$. We describe this algorithm below; it is a variant of the Pohlig–Hellman [PH78] algorithm with the equality testing of elements replaced by testing whether their difference is a zero divisor.

Lemma 2.1. Given a prime $r$ distinct from the characteristic of a finite field $k$, a finite dimensional commutative semisimple algebra $A$ over $k$ and two $r$-elements $a, b \in A^*$, such that the order of $a$ is greater than or equal to the order of $b$. There is a deterministic algorithm which computes in time $\mathrm{poly}(r, \log|A|)$: (1) either two non-negative integers $s, s'$ such that $a^s - b^{s'}$ is a zero divisor in $A$, (2) or an integer $s \ge 0$ with $a^s = b$.

Proof. Let $t_a$ be the smallest nonnegative integer such that $a^{r^{t_a}} - 1$ is zero or a zero divisor in $A$.
Since $t_a \le \log_r |A|$ we can compute $a^{r^0} - 1, a^{r^1} - 1, \ldots, a^{r^{t_a}} - 1$ in $\mathrm{poly}(\log|A|)$ time via fast exponentiation. We are done if $0 \ne a^{r^{t_a}} - 1 = a^{r^{t_a}} - b^0$ is a zero divisor. Therefore we may assume that $a^{r^{t_a}} = 1$, i.e. the order of $a$ is $r^{t_a}$. Let $t_b$ be the smallest non-negative integer such that $b^{r^{t_b}} - 1$ is a zero divisor. Like $t_a$, $t_b$ can be computed in polynomial time and we may again assume that $r^{t_b}$ is the order of $b$. Replacing $a$ with $a^{r^{t_a - t_b}}$ we may assure that $t_a = t_b = t$. In this case for every primitive idempotent $e$ of $A$: $ea, eb$ have order $r^t$ in the finite field $eA$. As the multiplicative group of a finite field is cyclic, this means that there exists a nonnegative integer $s < r^t$ such that $(ea)^s = eb$. So we now attempt to find this discrete log, $s$, and the corresponding idempotent $e$ as well. We iteratively compute the consecutive sections of the base $r$ expansion of $s$. To be more specific, we compute integers $s_0 = 0, s_1, s_2, \ldots, s_t$ together with idempotents $e_1, \ldots, e_t$ of $A$ such that, for all $1 \le j \le t$: $0 \le s_j < r^j$, $s_j \equiv s_{j-1} \pmod{r^{j-1}}$ and $a^{s_j r^{t-j}} e_j = b^{r^{t-j}} e_j$. In the initial case $j = 1$ we find by exhaustive search, in at most $r$ rounds, an $s_1 \in \{1, \ldots, r - 1\}$ such that $z_1 = (a^{r^{t-1} s_1} - b^{r^{t-1}})$ is zero or a zero divisor. If it is zero then we set $e_1 = 1$, otherwise we compute and set $e_1$ equal to the identity element of the annihilator ideal $\{x \in A \mid z_1 x = 0\}$. Assume that for some $j < t$ we have already found $s_j$ and $e_j$ with the desired property. Then we find by exhaustive search, in at most $r$ rounds, an integer $d_{j+1} \in \{0, \ldots, r - 1\}$ such that $z_{j+1} = (a^{(s_j + r^j d_{j+1}) r^{t-j-1}} - b^{r^{t-j-1}})$ is zero or a zero divisor.
We set $s_{j+1} = (s_j + d_{j+1} r^j)$ and take as $e_{j+1}$ the identity element of the annihilator ideal $\{x \in e_j A \mid x z_{j+1} = 0\}$. The above procedure clearly terminates in $t$ rounds and using fast exponentiation can be implemented in $\mathrm{poly}(r, \log|A|)$ time. ✷

2.2 Free Bases of Modules

One of the possible methods for finding zero divisors in algebras is attempting to compute a free basis of a module over it. The following lemma states the basic tool to do that.

Lemma 2.2. Let $V$ be a finitely generated module over a finite dimensional algebra $A$ over a finite field $k$. If $V$ is not a free $A$-module then one can find a zero divisor in $A$ deterministically in time $\mathrm{poly}(\dim_A V, \log|A|)$.

Proof. We give an algorithm that attempts to find a free basis of $V$ over $A$, but as there is no free basis it ends up finding a zero divisor. Pick a nonzero $v_1 \in V$. We can efficiently check whether a nonzero $x \in A$ exists such that $x v_1 = 0$, and also find it by linear algebra over $k$. If we get such an $x$ then it is a zero divisor, for otherwise $x^{-1}$ would exist implying $v_1 = 0$. So suppose such an $x$ does not exist, hence $V_1 := A v_1$ is a free $A$-module. Now $V_1 \ne V$ so find a $v_2 \in V \setminus V_1$ by linear algebra over $k$. Again we can efficiently check whether a nonzero $x \in A$ exists such that $x v_2 \in V_1$, and also find it by linear algebra over $k$. If we get such an $x$ then it is a zero divisor, for otherwise $x^{-1}$ would exist implying $v_2 \in V_1$. So suppose such an $x$ does not exist, hence $V_2 := A v_1 + A v_2$ is a free $A$-module. Now $V_2 \ne V$ so we can find a $v_3 \in V \setminus V_2$ by linear algebra over $k$ and continue this process. This process will, in at most $\dim_A V$ iterations, yield a zero divisor as $V$ is not a free $A$-module.
2.3 Automorphisms and Invariant Ideal Decompositions

Automorphisms of $A$ are assumed to be given as linear transformations of the $k$-vector space $A$ in terms of a $k$-linear basis of $A$. For images we use the superscript notation while for the fixed points the subscript notation: if $\sigma$ is an automorphism of $A$ then the image of $x \in A$ under $\sigma$ is denoted by $x^\sigma$. If $\Gamma$ is a set of automorphisms of $A$ then $A_\Gamma$ denotes the set of the elements of $A$ fixed by every $\sigma \in \Gamma$. It is obvious that $A_\Gamma$ is a subalgebra of $A$. For a single automorphism $\sigma$ we use $A_\sigma$ in place of $A_{\{\sigma\}}$.

Given an ideal $I$ of $A$ and an automorphism $\sigma$ of $A$ we usually try to find zero divisors from the action of $\sigma$ on $I$. Note that, by Fact 3, $A = I \oplus I^\perp$. Now $I^\sigma$ is an ideal of $A$, and if it is neither $I$ nor $I^\perp$ then we try computing $I \cap I^\sigma$. This can be easily computed by first finding the identity element $e$ of $I$, and then $I \cap I^\sigma$ is simply $A e e^\sigma$. By the hypothesis this will be a proper ideal of $I$, thus leading to a refinement of the decomposition $A = I \oplus I^\perp$. This basic idea can be carried all the way to give the following tool that finds a refined, invariant, ideal decomposition.

Lemma 2.3. Given $A$, a commutative semisimple algebra over a finite field $k$, together with a set of $k$-automorphisms $\Gamma$ of $A$ and a decomposition of $A$ into a sum of pairwise orthogonal ideals $J_1, \ldots, J_s$, there is a deterministic algorithm of time complexity $\mathrm{poly}(|\Gamma|, \log|A|)$ that computes a decomposition of $A$ into a sum of pairwise orthogonal ideals $I_1, \ldots, I_t$ such that: (1) the new decomposition is a refinement of the original one: for every $j \in \{1, \ldots, t\}$ there exists $i \in \{1, \ldots, s\}$ such that $I_j \subseteq J_i$, and (2) the new decomposition is invariant under $\Gamma$: the group generated by $\Gamma$ permutes the ideals $I_1, \ldots, I_t$, i.e. for every $\sigma \in \Gamma$ and for every index $j \in \{1, \ldots, t\}$, we have $I_j^\sigma = I_{j^\sigma}$ for some index $j^\sigma \in \{1, \ldots, t\}$.

3 Semiregularity

In this section we continue to assume that $A$ is a commutative semisimple algebra over a finite field $k$. Given $\Gamma \subseteq \mathrm{Aut}_k(A)$, a basis of $A_\Gamma$ can be computed by solving a system of linear equations in $A$. Thus, we can apply the method of Lemma 2.2 considering $A$ as an $A_\Gamma$-module with respect to the multiplication in $A$. In this section we describe a class of algebras, together with automorphisms, that are free modules over the subalgebra of the fixed points of the corresponding set of automorphisms, i.e. on which the tool of Lemma 2.2 is ineffective.

Let $\sigma$ be a $k$-automorphism of $A$. We say that $\sigma$ is fix-free if there is no nontrivial ideal $I$ of $A$ such that $\sigma$ fixes $I$. We call a group $G \le \mathrm{Aut}(A)$ semiregular if every non-identity element of $G$ is fix-free. A single automorphism $\sigma$ of $A$ is semiregular if $\sigma$ generates a semiregular group of automorphisms of $A$.

We have the following characterization of semiregularity.

Lemma 3.1. Let $A$ be a commutative semisimple algebra over a finite field $k$ and let $G$ be a group of $k$-automorphisms of $A$. Then $\dim_k A \le |G| \cdot \dim_k A_G$, where equality holds if and only if $G$ is semiregular. This condition is also equivalent to saying that $A$ is a free $A_G$-module of rank $|G|$.

Proof. The proof is based on the observation that $A$ is a direct sum of fields and a $k$-automorphism of $A$ just permutes these component fields. Let $e$ be a primitive idempotent of $A$. We denote the stabilizer of $e$ in $G$ by $G_e$, i.e., $G_e = \{\sigma \in G \mid e^\sigma = e\}$. Let $C$ be a complete set of right coset representatives modulo $G_e$ in $G$. The orbit of $e$ under $G$ is $\{e^\gamma \mid \gamma \in C\}$ and these are $|G : G_e|$ many pairwise orthogonal primitive idempotents in $A$. This means that the component field $eA$ is sent to the other component fields $\{e^\gamma A \mid \gamma \in C\}$ by $G$.
Thus, the element $f := \sum_{\gamma \in C} e^\gamma \in A_G$ is a primitive idempotent of $A_G$ and equivalently $f A_G$ is a field. The subgroup $G_e$ acts as a group of field automorphisms of $eA$. This gives a restriction map $\lambda : G_e \to \mathrm{Aut}_k(eA)$ whose kernel, say, is $N_e$, so $N_e = \{\sigma \in G \mid \sigma \text{ fixes } eA\}$ is a normal subgroup of $G_e$, thus $G_e / N_e$ are distinct $k$-automorphisms of the field $eA$. We claim that $(eA)_{G_e} = e A_G$. The inclusion $e A_G \subseteq (eA)_{G_e}$ is trivial. To see the reverse inclusion, let $x \in (eA)_{G_e}$ and consider $y := \sum_{\gamma \in C} x^\gamma$. Since $x \in eA$ we get $ex = x$ and $y = \sum_{\gamma \in C} e^\gamma x^\gamma$, whence using the orthogonality of the idempotents $e^\gamma$, we infer $ey = x$. The fact that $y \in A_G$ completes the proof of the claim. As $G_e$ is a group of automorphisms of the field $eA$, this claim implies that $e A_G$ is a field too and also, by Galois theory, $[eA : e A_G] = |G_e / N_e|$. Observe that $ef = e$ and this makes multiplication by $e$ an onto homomorphism from $f A_G$ to $e A_G$. This homomorphism is also injective as $e A_G$, $f A_G$ are fields, thus making $f A_G \cong e A_G$. Together with the fact that $fA$ is a free $eA$-module of dimension $|G : G_e|$ this implies that $\dim_{f A_G} fA = |G : G_e| \dim_{e A_G} eA$. Furthermore, from the last paragraph $\dim_{e A_G} eA = |G_e : N_e|$, thus $\dim_{f A_G} fA = |G : N_e| \le |G|$. Finally, this gives $\dim_k fA \le \dim_k f A_G \cdot |G|$. Applying this for all the primitive idempotents $e$ of $A$ (and thus to all the corresponding primitive idempotents $f$ of $A_G$), we obtain the asserted inequality. Observe that equality holds iff $|N_e| = 1$ for every primitive idempotent $e$ of $A$. In that case for every primitive idempotent $e$ of $A$ there is no non-identity automorphism in $G$ that fixes $eA$, thus equivalently for every nontrivial ideal $I$ of $A$ there is no non-identity automorphism in $G$ that fixes $I$. This means that equality holds iff $G$ is semiregular.
Also, equality holds iff $\dim_{f A_G} fA = |G|$ for every primitive idempotent $e$ of $A$. The latter condition is equivalent to saying that every component field of $A_G$ has multiplicity $|G|$ in the $A_G$-module $A$; this in turn is equivalent to saying that $A$ is a free $A_G$-module of dimension $|G|$. ✷

Using the above Lemma we can decide semiregularity in an efficient way.

Proposition 3.2. Given a commutative semisimple algebra $A$ over a finite field $k$, together with a set $\Gamma$ of $k$-automorphisms of $A$. Let $G$ be the group generated by $\Gamma$. In deterministic $\mathrm{poly}(|\Gamma|, \log|A|)$ time one can list all the elements of $G$ if $G$ is semiregular, or one can find a zero divisor of $A$ if $G$ is not semiregular.

Proof. We first compute $A_\Gamma$ by linear algebra over $k$. We can assume that $A$ is a free $A_\Gamma$-module, otherwise the algorithm in Lemma 2.2 finds a zero divisor. By Lemma 3.1 $|G| \ge \dim_{A_\Gamma} A =: m$, so try to enumerate $(m+1)$ different elements in the group $G$. If we are unable to get that many elements then, by Lemma 3.1, $G$ is semiregular and we end up with a list of $m$ elements that exactly comprise $G$. If we do get a set $S$ of $(m+1)$ elements then $G$ is clearly not semiregular. Let $e$ be a primitive idempotent of $A$ such that the subgroup $N_e \le G$, consisting of automorphisms that fix $eA$, is of maximal size. Then from the proof of Lemma 3.1 we obtain $|G : N_e| \le m$ which means, by the pigeon-hole principle, that in the set $S$ there are two different elements $\sigma_1, \sigma_2$ such that $\sigma := \sigma_1 \sigma_2^{-1} \in N_e$, thus $\sigma$ fixes $eA$. We now compute $A_\sigma$ and we know from this discussion that $eA \subseteq A_\sigma$. Thus we get two orthogonal component algebras $e A_\sigma$ and $(1-e) A_\sigma$ of $A_\sigma$.
We have from the proof of Lemma 3.1 that $e A_\sigma = (eA)_\sigma = eA$ while $(1-e) A_\sigma = ((1-e)A)_\sigma \ne (1-e)A$ (if $((1-e)A)_\sigma = (1-e)A$ then $\sigma$ would fix every element in $A$ and would be a trivial automorphism). As a result $A$ is not a free module over $A_\sigma$ and hence we can find a zero divisor of $A$ using the method of Lemma 2.2. ✷

Subgroup $G_B$: Let $G$ be a semiregular group of $k$-automorphisms of $A$ and let $B$ be a subalgebra of $A$. We define $G_B$ to be the subgroup of automorphisms of $G$ that fix $B$. We give below a Galois theory-like characterization of $G_B$.

Proposition 3.3. Given a semiregular group $G$ of automorphisms of a commutative semisimple algebra $A$ over a finite field $k$ and a subalgebra $B$ of $A$ containing $A_G$, one can find a zero divisor in $A$ in deterministic polynomial time if $B \ne A_{G_B}$.

Proof. If $A$ is a field extension of $k$ then by Galois theory $B = A_{G_B}$. If $|k| < (\dim_k A)^2$ and $A$ is not a field then we can find a zero divisor in $A$ using Berlekamp's deterministic polynomial time algorithm. So for the rest of the proof we may assume that $|k| \ge (\dim_k A)^2$, and then the usual proof of Fact 1 gives a deterministic polynomial time algorithm for finding a primitive element $x$ of $A$ over $k$, see [GI00]. Let $|G| = d$. We may assume that the elements $1, x, x^2, \ldots, x^{d-1}$ form a free basis of $A$ over $A_G$ since otherwise we find a zero divisor in $A$ using the method of Lemma 2.2. Let $x^d = \sum_{i=0}^{d-1} a_i x^i$ with $a_i \in A_G$ and let $f(X) := X^d - \sum_{i=0}^{d-1} a_i X^i \in A_G[X]$. Obviously $x$ is a root of $f(X)$ and as any $\sigma \in G$ fixes the coefficients of $f(X)$ we get that $x^\sigma$ is also a root of $f(X)$. Again by Lemma 2.2 we may assume that $A$ is a $B$-module with $\{1, x, \ldots, x^{m-1}\}$ as a free basis, where $m := \dim_B A$. Let $x^m = \sum_{i=0}^{m-1} b_i x^i$ with $b_i \in B$, thus $x$ is a root of the polynomial $g(X) := X^m - \sum_{i=0}^{m-1} b_i X^i \in B[X]$.
Let us consider $f(X)$ as a polynomial in $B[X]$. As $g(X)$ is monic we can apply the usual polynomial division algorithm to obtain polynomials $h(X)$ and $r(X)$ from $B[X]$ such that the degree of $h(X)$ is $(d-m)$, the degree of $r(X)$ is less than $m$ and $f(X) = g(X) h(X) + r(X)$. We have $r(x) = 0$ which together with the freeness of the basis $\{1, \ldots, x^{m-1}\}$ implies that $r(X) = 0$ and $f(X) = g(X) h(X)$. We know from the last paragraph that for all $\sigma \in G$, $x^\sigma$ is a root of $g(X) h(X)$. If neither $g(x^\sigma)$ nor $h(x^\sigma)$ is zero then we have a pair of zero divisors. If $g(x^\sigma) = 0$ then we can perform the division of $g(X)$ by $(X - x^\sigma)$ obtaining a polynomial $g_1(X) \in B[X]$ with $g(X) = (X - x^\sigma) g_1(X)$ and can then proceed with a new automorphism $\sigma' \in G$ and with $g_1(X)$ in place of $g(X)$. In $d$ rounds we either find a zero divisor in $A$ or two disjoint subsets $K, K'$ of $G$ with $g(X) = \prod_{\sigma \in K} (X - x^\sigma)$ and $h(X) = \prod_{\sigma' \in K'} (X - x^{\sigma'})$. For $\sigma \in K$ let $\phi_\sigma : B[X] \to A$ be the homomorphism which fixes $B$ but sends $X$ to $x^\sigma$. As $g(x^\sigma) = 0$, $\phi_\sigma$ induces a homomorphism from $B[X]/(g(X))$ to $A$, which we denote again by $\phi_\sigma$. We know that $\phi_1$ is actually an isomorphism $B[X]/(g(X)) \cong A$, therefore the maps $\mu_\sigma = \phi_\sigma \circ \phi_1^{-1}$ ($\sigma \in K$) are $B$-endomorphisms of $A$. Note that we can find a zero divisor in $A$ if any $\mu_\sigma$ is not an automorphism; also by Proposition 3.2 we can find a zero divisor in $A$ if the maps $\mu_\sigma$ ($\sigma \in K$) generate a non-semiregular group of $B$-automorphisms of $A$. Thus, we can assume that the $\mu_\sigma$, for all $\sigma \in K$, generate a semiregular group of $B$-automorphisms of $A$. As $|K| = \dim_B A$ this means, by Lemma 3.1, that the set $\{\mu_\sigma \mid \sigma \in K\}$ is a group, say $H$. We can as well assume that the group of $k$-automorphisms of $A$ generated by $G$ and $H$ is semiregular, for otherwise we find a zero divisor in $A$.
Again as $|G| = \dim_k A$ this means, by Lemma 3.1, that $H$ is a subgroup of $G$. Thus, by Lemma 3.1, $[A : A_H] = |H| = |K| = [A : B]$ which together with the fact $B \le A_H$ gives $A_H = B$. As $H \le G_B$ we also get $H = G_B$ (if $H < G_B$ then $[A : A_H] < [A : A_{G_B}] \le [A : B]$ which is a contradiction). Thus, if none of the above steps yield a zero divisor then $B = A_{G_B}$. ✷

4 Kummer Extensions and Automorphisms of an Algebra over a Finite Field

In classical field theory a field extension $L$ over $k$ is called a Kummer extension if $k$ has, say, an $r$-th primitive root of unity and $L = k(\sqrt[r]{a})$. Kummer extensions are the building blocks in field theory because they have a cyclic Galois group. In the previous section we developed a notion of semiregular groups to mimic the classical notion of Galois groups; now in this section we extend the classical notion of Kummer extensions to a commutative semisimple algebra $A$ over a finite field $k$. The properties of Kummer extensions of $A$, that we prove in the next three subsections, are the reason why we can get polynomial factoring-like results without invoking GRH.

4.1 Kummer-type extensions

We generalize below several tools and results in field theory, from the seminal paper of Lenstra [L91], to commutative semisimple algebras.

$k[\zeta_r]$ and $\Delta_r$: Let $k$ be a finite field and let $r$ be a prime different from $\mathrm{char}\, k$. By $k[\zeta_r]$ we denote the factor algebra $k[X]/(\sum_{i=0}^{r-1} X^i)$ and $\zeta_r := X \pmod{\sum_{i=0}^{r-1} X^i}$. Then $k[\zeta_r]$ is an $(r-1)$-dimensional $k$-algebra with basis $\{1, \zeta_r, \ldots, \zeta_r^{r-2}\}$ and for every integer $a$ coprime to $r$ there exists a unique $k$-automorphism $\rho_a$ of $k[\zeta_r]$ which sends $\zeta_r$ to $\zeta_r^a$. Let $\Delta_r$ denote the set of all $\rho_a$'s. Clearly, $\Delta_r$ is a group isomorphic to the multiplicative group of integers modulo $r$, therefore it is a cyclic group of order $(r-1)$.
Note that for $r = 2$ we have $\zeta_2 = -1$, $A[\zeta_2] = A$ and $\Delta_2 = \{\mathrm{id}\}$.

$A[\zeta_r]$ and $\Delta_r$: Let $A$ be a commutative semisimple algebra over $k$; then by $A[\zeta_r]$ we denote $A \otimes_k k[\zeta_r]$. We consider $A$ as embedded into $A[\zeta_r]$ via the map $x \mapsto x \otimes 1$ and $k[\zeta_r]$ embedded into $A[\zeta_r]$ via the map $x \mapsto 1 \otimes x$. Every element $\rho_a$ of the group $\Delta_r$ can be extended in a unique way to an automorphism of $A[\zeta_r]$ which acts as the identity on $A$. These extended automorphisms of $A[\zeta_r]$ are also denoted by $\rho_a$ and their group by $\Delta_r$. Note that if $A = A_1 \oplus \ldots \oplus A_t$ then $A[\zeta_r] = A_1[\zeta_r] \oplus \ldots \oplus A_t[\zeta_r]$, thus the semisimplicity of $A$ implies that $A[\zeta_r]$ is semisimple as well. We can also easily see the fixed points in $A[\zeta_r]$ of $\Delta_r$, just like Proposition 4.1 of [L91]:

Lemma 4.1. $A[\zeta_r]_{\Delta_r} = A$.

Proof. Observe that $A[\zeta_r]$ is a free $A$-module with basis $\{\zeta_r, \ldots, \zeta_r^{r-1}\}$. As $r$ is prime this basis is transitively permuted by $\Delta_r$, thus an $x = \sum_{i=1}^{r-1} a_i \zeta_r^i \in A[\zeta_r]$ is fixed by $\Delta_r$ iff the $a_i$'s are equal iff $x \in A$. ✷

Consider the multiplicative group $A[\zeta_r]^*$ of units in $A[\zeta_r]$.

Sylow subgroup $A[\zeta_r]^*_r$: Let $A[\zeta_r]^*_r$ be the $r$-elements of $A[\zeta_r]^*$. Note that $A[\zeta_r]^*_r$ is of $r$-power size and is also the $r$-Sylow subgroup of the group $A[\zeta_r]^*$. Let $|A[\zeta_r]^*_r| =: r^t$.

Automorphism $\omega(a)$: Let $a$ be coprime to $r$. Observe that the residue class of $a^{r^{t-1}}$ modulo $r^t$ depends only on the residue class of $a$ modulo $r$, because the map $a \mapsto a^{r^{t-1}}$ corresponds just to the projection of the multiplicative group $\mathbb{Z}_{r^t}^* \cong (\mathbb{Z}_{r-1}, +) \oplus (\mathbb{Z}_{r^{t-1}}, +)$ to the first component. This together with the fact that for any $x \in A[\zeta_r]^*_r$, $x^{r^t} = 1$, gives that the element $x^{a^{r^{t-1}}}$ depends only on the residue class of $a$ modulo $r$.
This motivates the definition of the map, following [L91], $\omega(a) : x \mapsto x^{\omega(a)} := x^{a^{r^{t-1}}}$ from $A[\zeta_r]^*_r$ to itself. Note that we use the term $\omega(a)$ for both the above map as well as the residue of $a^{r^{t-1}}$ modulo $r^t$. Note that the map $\omega(a)$ is an automorphism of the group $A[\zeta_r]^*_r$ and it commutes with all the endomorphisms of the group $A[\zeta_r]^*_r$. Also, the map $a \mapsto \omega(a)$ is a group embedding $\mathbb{Z}_r^* \to \mathrm{Aut}(A[\zeta_r]^*_r)$.

Teichmüller subgroup: Notice that if $x \in A[\zeta_r]$ has order $r^u$ then $x^{\omega(a)} = x^{a^{r^{u-1}}}$. Thus, $\omega(a)$ can be considered as an extension of the map $\rho_a$ that raised elements of order $r$ to the $a$-th power. The elements on which the actions of $\omega(a)$ and $\rho_a$ are the same, for all $a$, form the Teichmüller subgroup, $T_{A,r}$, of $A[\zeta_r]^*$:
$$T_{A,r} := \{x \in A[\zeta_r]^*_r \mid x^{\rho_a} = x^{\omega(a)} \text{ for every } \rho_a \in \Delta_r\}.$$
Note that for $r = 2$, $T_{A,2}$ is just the 2-Sylow subgroup of $A^*$. By [L91], Proposition 4.2, if $A$ is a field then $T_{A,r}$ is cyclic. We show in the following lemma that, in our general case, given a witness of non-cyclicness of $T_{A,r}$ we can compute a zero divisor in $A$.

Lemma 4.2. Given $u, v \in T_{A,r}$ such that the subgroup generated by $u$ and $v$ is not cyclic, we can find a zero divisor in $A$ in deterministic $\mathrm{poly}(r, \log|A|)$ time.

Proof. Suppose the subgroup generated by $u$ and $v$ is not cyclic. Then, by Lemma 2.1, we can efficiently find a zero divisor $z$, in the semisimple algebra $A[\zeta_r]$, of the form $z = (u^s - v^{s'})$. Next we compute the annihilator ideal $I$ of $z$ in $A[\zeta_r]$ and its identity element $e$, thus $I = e A[\zeta_r]$. If we can show that $I$ is invariant under $\Delta_r$ then $\Delta_r$ is a group of algebra automorphisms of $I$, which of course would fix the identity element $e$ of $I$. Thus, $e$ is in $A[\zeta_r]_{\Delta_r}$ and hence $e$ is in $A$ by Lemma 4.1, so we have a zero divisor in $A$.
Now we show that the annihilator ideal $I = e A[\zeta_r]$ of $z$ in $A[\zeta_r]$ is invariant under $\Delta_r$. By definition $e$ is an idempotent such that $e(u^s - v^{s'}) = 0$. Observe that for any $a \in \{1, \ldots, r-1\}$ we have $(e u^s)^{\omega(a^{-1})} = (e v^{s'})^{\omega(a^{-1})}$. Using this together with the fact that $u^s, v^{s'} \in T_{A,r}$ we obtain
$$e^{\rho_a}(u^s - v^{s'}) = \big(e((u^s)^{\rho_a^{-1}} - (v^{s'})^{\rho_a^{-1}})\big)^{\rho_a} = \big(e((u^s)^{\omega(a^{-1})} - (v^{s'})^{\omega(a^{-1})})\big)^{\rho_a} = \big((e u^s)^{\omega(a^{-1})} - (e v^{s'})^{\omega(a^{-1})}\big)^{\rho_a} = 0^{\rho_a} = 0.$$
Thus, for all $a \in \{1, \ldots, r-1\}$, $e^{\rho_a} \in I$, which means that $I$ is invariant under $\Delta_r$. ✷

Now we are in a position to define what we call a Kummer extension of an algebra $A$.

Kummer extension $A[\zeta_r][\sqrt[s]{c}]$: For $c \in A[\zeta_r]^*$ and a power $s$ of $r$, by $A[\zeta_r][\sqrt[s]{c}]$ we denote the factor algebra $A[\zeta_r][Y]/(Y^s - c)$ and $\sqrt[s]{c} := Y \pmod{Y^s - c}$.

Remark. Given $c, c_1 \in T_{A,r}$ such that the order of $c$ is greater than or equal to the order of $c_1$ and $c_1$ is not a power of $c$, by Lemma 4.2 we can find a zero divisor in $A$ in $\mathrm{poly}(r, \log|A|)$ time. Therefore, the really interesting Kummer extensions are of the form $A[\zeta_r][\sqrt[s]{c}]$, where $c \in T_{A,r}$ and $\zeta_r$ is a power of $\sqrt[s]{c}$. Clearly, $A[\zeta_r][\sqrt[s]{c}]$ is a free $A[\zeta_r]$-module of rank $s$ with basis $\{1, \sqrt[s]{c}, \ldots, (\sqrt[s]{c})^{s-1}\}$. If $c \in T_{A,r}$ then $\sqrt[s]{c}$ is an $r$-element of $A[\zeta_r][\sqrt[s]{c}]^*$ and for any integer $a$ coprime to $r$ we now identify an automorphism of the Kummer extension. Extending [L91], Proposition 4.3, we obtain:

Lemma 4.3. Let $c \in T_{A,r}$. Then we can extend every $\rho_a \in \Delta_r$ to a unique automorphism of $A[\zeta_r][\sqrt[s]{c}]$ that sends $\sqrt[s]{c}$ to $(\sqrt[s]{c})^{\omega(a)}$.

Proof. For a $\rho_a \in \Delta_r$ let $\tilde\rho_a$ denote the map from $A[\zeta_r][Y]$ to $A[\zeta_r][\sqrt[s]{c}]$ that fixes $A$, sends $\zeta_r$ to $\zeta_r^a$ and $Y$ to $(\sqrt[s]{c})^{\omega(a)}$.
As $c \in T_{A,r}$, $\tilde\rho_a$ maps $c$ to $c^{\omega(a)}$ and thus maps $(Y^s - c)$ to zero. This means that $\tilde\rho_a$ can be seen as an endomorphism of $A[\zeta_r][\sqrt[s]{c}]$ that sends $\sqrt[s]{c}$ to $(\sqrt[s]{c})^{\omega(a)}$. Clearly, $\tilde\rho_b \cdot \tilde\rho_{b'}$ is the same endomorphism as $\tilde\rho_{bb'}$ if $b, b'$ are both coprime to $r$. Now as $\tilde\rho_a \cdot \tilde\rho_{a^{-1}} = \tilde\rho_1$ is the identity automorphism of $A[\zeta_r][\sqrt[s]{c}]$ we get that $\tilde\rho_a$ is also an automorphism of $A[\zeta_r][\sqrt[s]{c}]$, completing the proof. In the rest of the paper we will use $\rho_a$ also to refer to the automorphism $\tilde\rho_a$. ✷

We saw above automorphisms of the Kummer extension $A[\zeta_r][\sqrt[s]{c}]$ that fix $A$. When $s = r$ we can also identify automorphisms that fix $A[\zeta_r]$:

Proposition 4.4. Let $c \in T_{A,r}$ and let $\Delta_r$ be the automorphisms of $A[\zeta_r][\sqrt[s]{c}]$ identified in Lemma 4.3. Then there is a unique automorphism $\sigma$ of $A[\zeta_r][\sqrt[r]{c}]$ such that: (1) $\sigma$ fixes $A[\zeta_r]$ and maps $\sqrt[r]{c}$ to $\zeta_r \sqrt[r]{c}$. (2) $\sigma$ commutes with the action of $\Delta_r$. (3) $\sigma$ is a semiregular automorphism of $A[\zeta_r][\sqrt[r]{c}]_{\Delta_r}$ of order $r$ and $(A[\zeta_r][\sqrt[r]{c}]_{\Delta_r})_\sigma = A$.

Proof. The map fixing $A[\zeta_r]$ and mapping $Y$ to $\zeta_r Y$ is clearly an automorphism of $A[\zeta_r][Y]/(Y^r - c)$. This implies the existence and uniqueness of $\sigma$. Let $\rho_a \in \Delta_r$ be an automorphism of $A[\zeta_r][\sqrt[r]{c}]$. Clearly, the actions of $\sigma$ and $\rho_a$ commute on any element $x \in A[\zeta_r]$. Also,
$$(\sqrt[r]{c})^{\sigma \rho_a} = (\zeta_r \sqrt[r]{c})^{\rho_a} = (\zeta_r \sqrt[r]{c})^{\omega(a)} = \zeta_r^{\omega(a)} (\sqrt[r]{c})^{\omega(a)} = ((\sqrt[r]{c})^{\omega(a)})^\sigma = (\sqrt[r]{c})^{\rho_a \sigma}.$$
This implies the commutativity of the actions of $\sigma$ and $\Delta_r$ on $A[\zeta_r][\sqrt[r]{c}]$. From commutativity it follows that $(A[\zeta_r][\sqrt[r]{c}]_{\Delta_r})^\sigma = A[\zeta_r][\sqrt[r]{c}]_{\Delta_r}$, thus $\sigma$ is an automorphism of $A[\zeta_r][\sqrt[r]{c}]_{\Delta_r}$. Let $G$ be the group generated by $\Delta_r$ and $\sigma$. Then $G$ is a commutative group of order $r(r-1)$.
As $A[\zeta_r][\sqrt[r]{c}]_G = (A[\zeta_r][\sqrt[r]{c}]_\sigma)_{\Delta_r} = A[\zeta_r]_{\Delta_r} = A$, Lemma 3.1 implies that $G$ is semiregular on $A[\zeta_r][\sqrt[r]{c}]$. But then the subgroup $\Delta_r$ is semiregular as well and by Lemma 3.1: $\dim_k A[\zeta_r][\sqrt[r]{c}]_{\Delta_r} = \dim_k A[\zeta_r][\sqrt[r]{c}] / |\Delta_r| = r \dim_k A = |(\sigma)| \dim_k A$. This again implies that $\sigma$ is a semiregular automorphism of $A[\zeta_r][\sqrt[r]{c}]_{\Delta_r}$. ✷

4.2 $A$ and the Kummer extension of $A_\tau$, where $\tau \in \mathrm{Aut}_k(A)$

In this subsection we show how to express $A[\zeta_r]$ as a Kummer extension of $A_\tau$, given a semiregular $\tau \in \mathrm{Aut}_k(A)$ of order $r$. The Lagrange resolvent technique of [Ró87] remains applicable in our context as well and leads to the following:

Lemma 4.5. Given a commutative semisimple algebra $A$ over a finite field $k$, a $k$-automorphism $\tau$ of $A$ of prime order $r \ne \mathrm{char}\, k$ and a root $\xi \in A_\tau$ of the cyclotomic polynomial $\frac{X^r - 1}{X - 1}$, we can find in deterministic $\mathrm{poly}(r, \log|A|)$ time a nonzero $x \in A$ such that $x^\tau = \xi x$.

Proof. Observe that if $\xi \in A$ is a root of $1 + X + \ldots + X^{r-1}$ then so is every power $\xi^i$ ($i = 1, \ldots, r-1$). Take an element $y \in A \setminus A_\tau$ and compute the Lagrange resolvents for $0 \le j \le r-1$:
$$(y, \xi^j) := \sum_{i=0}^{r-1} \xi^{ij} y^{\tau^i}.$$
It is easy to see that $(y, \xi^0) = y + y^\tau + \ldots + y^{\tau^{r-1}} \in A_\tau$ as $\tau^r = \mathrm{id}$, while
$$\sum_{j=0}^{r-1} (y, \xi^j) = r y + \sum_{i=1}^{r-1} \sum_{j=0}^{r-1} \xi^{ij} y^{\tau^i} = r y + \sum_{i=1}^{r-1} y^{\tau^i} \sum_{j=0}^{r-1} (\xi^i)^j = r y \notin A_\tau.$$
It follows that for some $1 \le j \le (r-1)$, $(y, \xi^j) \notin A_\tau$; fix this $j$. In particular, $(y, \xi^j) \ne 0$ and taking $l := (-j)^{-1} \pmod r$ we find that $x := (y, \xi^j)^l$ is also nonzero, as commutative semisimple algebras do not contain nilpotent elements. This $x$ is then the element promised in the claim as: $x^\tau = ((y, \xi^j)^\tau)^l = (\xi^{-j} (y, \xi^j))^l = \xi x$. ✷
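The Lagrange-resolvent step of Lemma 4.5, as an added Python illustration that is not the paper's code, in the constructed toy model $A = \mathbb{F}_p^r$ with $\tau$ the cyclic shift of coordinates (so $A_\tau$ is the constant tuples and $\tau$ is semiregular of order $r$); the root $\xi$ is taken in $\mathbb{F}_p$, which needs $r \mid p-1$, and the function names are this illustration's own.

```python
# Toy model of Lemma 4.5: A = F_p x ... x F_p (r copies), tau = cyclic shift,
# A_tau = constant tuples, xi in F_p a root of 1 + X + ... + X^(r-1).

def tau(x):
    # cyclic shift: (x_0, x_1, ..., x_{r-1}) -> (x_1, ..., x_{r-1}, x_0)
    return x[1:] + x[:1]

def tau_pow(x, i):
    for _ in range(i):
        x = tau(x)
    return x

def in_fixed_algebra(x):
    # A_tau consists exactly of the constant tuples
    return all(c == x[0] for c in x)

def primitive_root_of_unity(r, p):
    # smallest xi in F_p with 1 + xi + ... + xi^(r-1) = 0 (r prime, r | p - 1)
    for xi in range(2, p):
        if sum(pow(xi, i, p) for i in range(r)) % p == 0:
            return xi
    raise ValueError("no primitive r-th root of unity in F_p")

def resolvent(y, xi, j, p):
    # (y, xi^j) := sum_{i=0}^{r-1} xi^(ij) * y^(tau^i)
    r = len(y)
    acc = [0] * r
    for i in range(r):
        coeff = pow(xi, i * j, p)
        shifted = tau_pow(y, i)
        acc = [(a + coeff * s) % p for a, s in zip(acc, shifted)]
    return tuple(acc)

def eigenvector(y, xi, p):
    """Given y outside A_tau, return a nonzero x with x^tau = xi * x, as in the
    proof: pick j with (y, xi^j) outside A_tau and raise it to l = (-j)^(-1) mod r."""
    r = len(y)
    assert not in_fixed_algebra(y), "y must lie outside A_tau"
    for j in range(1, r):
        res = resolvent(y, xi, j, p)
        if not in_fixed_algebra(res):
            l = pow(-j % r, -1, r)            # l = (-j)^(-1) mod r
            return tuple(pow(c, l, p) for c in res)
    raise AssertionError("some resolvent must leave A_tau (proof of Lemma 4.5)")

def is_eigenvector(x, xi, p):
    # checks x != 0 and x^tau = xi * x coordinate-wise
    return any(x) and tau(x) == tuple((xi * c) % p for c in x)

if __name__ == "__main__":
    p, r = 7, 3                               # constructed sample: 3 divides 7 - 1
    xi = primitive_root_of_unity(r, p)        # xi = 2, since 1 + 2 + 4 = 7
    x = eigenvector((1, 0, 0), xi, p)         # y = (1, 0, 0) is not constant
    print(xi, x, is_eigenvector(x, xi, p))
```

For $y = (1,0,0)$ the resolvent $(y, \xi)$ is $(1, \xi^2, \xi)$, which $\tau$ scales by $\xi^{-1}$, and raising it to $l = 2$ gives $x = (1, 2, 4)$ with $x^\tau = \xi x$.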
We now proceed to describe an algorithm that, given a $k$-automorphism $\tau$ of $A$ of prime order $r$, expresses $A[\zeta_r]$ as a Kummer extension of $A_\tau$.

Embedding $\mathrm{Aut}_k(A)$ in $\mathrm{Aut}_k(A[\zeta_r])$: Given a semiregular automorphism $\tau$ of $A$ we extend $\tau$ to an automorphism of $A[\zeta_r]$ by letting $\zeta_r^\tau := \zeta_r$. It is easy to see that the extension (denoted again by $\tau$) is a semiregular automorphism of $A[\zeta_r]$ as well and that it commutes with $\Delta_r$.

Application of Lemma 4.5, techniques from [L91] and a careful treatment of the cases when we find zero divisors give the following.

Proposition 4.6. Given a commutative semisimple algebra $A$ over a finite field $k$ together with a semiregular $k$-automorphism $\tau$ of $A$ of prime order $r \ne \mathrm{char}\, k$, we can find in deterministic $\mathrm{poly}(\log|A|)$ time an element $x \in T_{A,r}$ such that $x^\tau = \zeta_r x$. Any such $x$ satisfies $c := x^r \in T_{A_\tau, r}$ and defines an isomorphism $\phi : A_\tau[\zeta_r][\sqrt[r]{c}] \cong A[\zeta_r]$ which fixes $A_\tau[\zeta_r]$. Also $\phi$ commutes with the action of $\Delta_r$, therefore inducing an isomorphism $(A_\tau[\zeta_r][\sqrt[r]{c}])_{\Delta_r} \cong A$.

Proof. The proof idea is to first apply Lemma 4.5 to find a nonzero $x \in A[\zeta_r]$ such that $x^\tau = \zeta_r x$. Note that this $x$ may be a zero divisor of $A[\zeta_r]$; in that case we intend to decompose $A[\zeta_r]$ as much as possible and apply Lemma 4.5 to each of these components. This process is repeated till it yields a $y \in A[\zeta_r]^*$ such that $y^\tau = \zeta_r y$. Secondly, this $y$ is used to form the $x$ and $\phi$ as promised in the claim.

We maintain: a decomposition of the identity element $1 = 1_{A[\zeta_r]} = 1_A$ into orthogonal idempotents $e, f$ that are fixed by $\tau$; and an element $y \in (f A[\zeta_r])^*$ such that $y^\tau = \zeta_r y$ (for $f = 0$ we define $(f A[\zeta_r])^*$ as $(0)$). Initially, we take $e = 1$, $f = 0$, $y = 0$. Since $\tau$ is semiregular its restriction to $e A[\zeta_r]$ has to be nontrivial (as long as $e \ne 0$) and hence of prime order $r$.
Therefore we can apply Lemma 4.5 with $\xi = e \zeta_r$ to find a nonzero $x \in e A[\zeta_r]$ such that $x^\tau = (e \zeta_r) x = \zeta_r x$. Now compute the identity element $e_1$ of $x A[\zeta_r]$ (which is an ideal of $e A[\zeta_r]$). Note that $x A[\zeta_r]$ is invariant under $\tau$ since for all $z \in A[\zeta_r]$, $(xz)^\tau = x^\tau z^\tau = \zeta_r x z^\tau \in x A[\zeta_r]$. This makes $\tau$ an automorphism of $x A[\zeta_r]$ and so $\tau$ fixes the identity element $e_1$. We can now replace $e$ with $(e - e_1)$, $f$ with $(f + e_1)$, $y$ with $(x + y)$ and repeat the above steps. Note that the above iteration decomposed $e A[\zeta_r]$ into the orthogonal components $(e - e_1) A[\zeta_r]$ and $e_1 A[\zeta_r]$, and thus the procedure has to stop in at most $\dim_k A[\zeta_r]$ rounds with $e = 0$.

So far we have found an element $y \in A[\zeta_r]^*$ with $y^\tau = \zeta_r y$. Define $|A[\zeta_r]^*_r| =: r^t$, $\ell := |A[\zeta_r]^*| / r^t$ and $m := (-\ell)^{-1} \pmod r$. Note that $\ell$ can be calculated from the sizes of the simple components of $A[\zeta_r]$, which in turn can be easily computed by using the standard distinct degree factorization of polynomials over finite fields. Thus, we can compute the element $z := y^{\ell m}$. By the definition of $\ell$ and $y$, $z \in A[\zeta_r]^*_r$ and $z^\tau = \zeta_r^{\ell m} z = \zeta_r^{-1} z$. Next compute the element $x = \prod_{b=1}^{r-1} (z^{\omega(b)})^{\rho_b^{-1}}$. Note that for all $\rho_a \in \Delta_r$,
$$x^{\rho_a} = \prod_{b=1}^{r-1} \big(z^{\omega(a^{-1} b)\, \omega(a)}\big)^{\rho_{a^{-1} b}^{-1}} = x^{\omega(a)},$$
whence $x \in T_{A,r}$. Also, as $\tau$ commutes with $\Delta_r$ we have
$$x^\tau = \prod_{b=1}^{r-1} \big((\zeta_r^{-1} z)^{\omega(b)}\big)^{\rho_b^{-1}} = x \cdot \prod_{b=1}^{r-1} \big((\zeta_r^{-1})^{\omega(b)}\big)^{\rho_b^{-1}} = (\zeta_r^{-1})^{r-1} x = \zeta_r x.$$
Finally, we define $c$ as $x^r$. From the properties of $x$, $c \in A[\zeta_r]_\tau = A_\tau[\zeta_r]$ and hence $c \in T_{A_\tau, r}$. Let us define the map $\phi$ from $A_\tau[\zeta_r][\sqrt[r]{c}]$ to $A[\zeta_r]$ as the one that sends $\sqrt[r]{c}$ to $x$ and fixes $A_\tau[\zeta_r]$. It is obvious from $c = x^r$ that $\phi$ is a homomorphism.
If $\phi$ maps an element $\sum_{i=0}^{r-1} a_i (\sqrt[r]{c})^i$ to zero then $\sum_{i=0}^{r-1} a_i x^i = 0$. Applying $\tau$ to this $j$ times gives $\sum_{i=0}^{r-1} a_i \zeta_r^{ij} x^i = 0$ (remember that $\tau$ fixes $A_\tau[\zeta_r]$ and hence the $a_i$'s). Summing these equations for all $0 \le j \le (r-1)$ we get $a_0 = 0$; as $x$ is invertible this means that $\phi$ maps $\sum_{i=1}^{r-1} a_i x^{i-1}$ to zero. We can now repeat the argument and deduce that the $a_i$'s are all zero, thus $\phi$ is injective. Using that $x \in T_{A,r}$, it is also straightforward to verify that $\phi$ commutes with $\Delta_r$ (viewed as automorphisms of $A[\zeta_r][\sqrt[r]{c}]$). Thus it remains to show that $\phi$ is surjective. To this end let $B$ denote the image of $\phi$. Then $B$ is the subalgebra of $A[\zeta_r]$ generated by $A_\tau[\zeta_r]$ and $x$, thus $B$ is $\tau$-invariant. Suppose we can show $\tau$ semiregular on $B$. Then by Lemma 3.1, $\dim_k B = r \dim_k B_\tau$; this together with $B_\tau$ containing $A_\tau[\zeta_r]$ and the injectivity of $\phi$ means that $\dim_k B \ge r \dim_k A_\tau[\zeta_r] = r \dim_k A[\zeta_r]_\tau$, which is further equal to $\dim_k A[\zeta_r]$ as $\tau$ is semiregular on $A[\zeta_r]$. Thus, $\dim_k B \ge \dim_k A[\zeta_r]$, which obviously means that $\phi$ is indeed surjective.

It remains to prove the semiregularity of $\tau$ on $B$. Assume for contradiction that $I$ is a nonzero ideal of $B$ such that $\tau$ fixes $I$, and let $e$ be the identity element of $I$. Then $(ex)^\tau = ex$. On the other hand, as $e^\tau = e$ and $x^\tau = \zeta_r x$, we have $(ex)^\tau = \zeta_r ex$. Combining the two equalities we obtain that $(ex)(\zeta_r - 1) = 0$. Note that if $r = 2$ then $\mathrm{char}\, k > 2$ and $(\zeta_r - 1)$ is not a zero divisor, and if $r > 2$ then $A[\zeta_r]$ is a free $A$-module with basis $\{1, \ldots, \zeta_r^{r-2}\}$. Thus, $x(\zeta_r - 1)$ is invertible in all cases, implying $e = 0$, which is a contradiction. Thus $\tau$ is indeed semiregular on $B$, completing the proof that $\phi$ is an isomorphism.
✷

4.3 Zero Divisors using Noncyclic Groups: Proof of Application 2

In this part we prove Application 2 by proving the following stronger result.

Theorem 4.7. Given a commutative semisimple algebra $A$ over a finite field $k$ together with a noncyclic group $G$ of $k$-automorphisms of $A$ (in terms of generators), one can find a zero divisor in $A$ in deterministic polynomial time.

Proof. Notice that since $G$ is noncyclic, the algebra $A$ is certainly not a field and zero divisors do exist. We assume that $G$ is semiregular, otherwise we can efficiently find a zero divisor in $A$ by Proposition 3.2. We can also assume that $|G|$ is not divisible by $\mathrm{char}\, k$, otherwise $\mathrm{char}\, k \le |G| \le \dim_k A$ and Berlekamp's deterministic algorithm for polynomial factoring can be used to find all the simple components of $A$. As $G$ is a small group of size at most $\dim_k A$, we can list all its elements of prime order. The proof now proceeds by analyzing the Sylow subgroups of $G$ and showing them all cyclic unless they yield a zero divisor of $A$. For every prime divisor $r$ of $|G|$ let $\Pi_r$ be the set of elements of $G$ of order $r$ and let $P_r$ be an $r$-Sylow subgroup of $G$. For every $\sigma \in \Pi_r$ we can use Proposition 4.6 to compute an element $x_\sigma \in T_{A,r}$ with $x_\sigma^\sigma = \zeta_r x_\sigma$. Let $H_r$ be the subgroup of $T_{A,r}$ generated by $\{x_\sigma \mid \sigma \in \Pi_r\}$. We can assume $H_r$ to be cyclic, or else we can find a zero divisor in $A$ by Lemma 4.2. So choose an element $x \in \{x_\sigma \mid \sigma \in \Pi_r\}$ such that $x$ is a generator of $H_r$. Now for any $\sigma \in G$, as $x^\sigma$ is again in $T_{A,r}$, we can assume $x^\sigma \in H_r$, for otherwise we can find a zero divisor by Lemma 4.2. Thus, $H_r$ is $G$-invariant and $G$ acts as a group of automorphisms of $H_r$. As every element of $P_r$ of order $r$ moves some element in $H_r$, there is no nontrivial element of $P_r$ acting trivially on $H_r$, thus $P_r$ intersects trivially with the kernel $K_r$ of the restriction homomorphism $G \to \mathrm{Aut}(H_r)$.
Since $H_r$ is cyclic, its automorphism group is Abelian. The last two observations imply that $G/K_r$ is an Abelian group with a natural embedding of $P_r \to G/K_r \cong \mathrm{Aut}(H_r)$. Thus the normal series $K_r \lhd G$ can be refined to $K_r \unlhd N_r \lhd G$ such that $|P_r| = |G/N_r|$. Since we have this for every $r$ dividing $|G|$, it follows that $G$ is a direct product of its Sylow subgroups. Also, as each $P_r$ is Abelian, $G$ is Abelian. Moreover, since the automorphism group of a cyclic group of odd prime-power order is cyclic, $\mathrm{Aut}(H_r)$ is cyclic and finally $P_r$ is cyclic, for every odd prime $r \mid |G|$.

It remains to show that we can find a zero divisor efficiently if the 2-Sylow subgroup $P_2$ of $G$ is not cyclic. To this end we take a closer look at the subgroup $H_2$ constructed for the prime $r = 2$ by the method outlined above. It is generated by an element $x$, contains $-1$, and $P_2$ acts faithfully as a group of automorphisms of $H_2$. If $|H_2| = 2^k$ then $\mathrm{Aut}(H_2) \cong \mathbb{Z}_{2^k}^*$. As $P_2$ injectively embeds in $\mathrm{Aut}(H_2)$ and $P_2$ is noncyclic we get that $\mathbb{Z}_{2^k}^*$ is noncyclic, implying that $k > 2$ and structurally $\mathbb{Z}_{2^k}^*$ is the direct product of the cyclic groups generated by $(-1)$ and $(5)$ modulo $2^k$ respectively. Now any noncyclic subgroup of such a $\mathbb{Z}_{2^k}^*$ will have the order 2 elements $(-1)$ and $5^{2^{k-3}} \equiv (2^{k-1} + 1)$. Thus, $P_2$ has the maps $\sigma_1 : x \mapsto x^{-1}$ and $\sigma_2 : x \mapsto x^{2^{k-1} + 1} = -x$. Since $\sigma_1$ and $\sigma_2$ commute, $A_{\sigma_1}$ is $\sigma_2$-invariant. As the group $(\sigma_1, \sigma_2)$ is of size 4 while the group $(\sigma_1)$ is only of size 2, we get by the semiregularity of $G$ that the restriction of $\sigma_2$ to $A_{\sigma_1}$ is not the identity map. Hence, by Proposition 4.6 we can find an element $y \in T_{A_{\sigma_1}, 2}$ such that $y^{\sigma_2} = -y$. We can assume that the subgroup of $A^*$ generated by $x$ and $y$ is cyclic, as otherwise we find a zero divisor by Lemma 4.2.
However, as $x \notin \mathcal{A}^{\sigma_1}$ while $y \in \mathcal{A}^{\sigma_1}$, it can be seen that $\langle x, y \rangle$ is a cyclic group only if $y \in H_2^2$ (i.e. $y$ is the square of an element in $H_2$). But this is a contradiction because $\sigma_2$ fixes $H_2^2$. This finishes the proof. ✷

Now we can give a proof of Application 2. Let $r$ be a positive integer such that the multiplicative group $\mathbb{Z}_r^*$ is noncyclic and let $\phi_r(x)$ be the $r$-th cyclotomic polynomial. We can assume $r$ to be coprime to $\operatorname{char} k$, as otherwise we factor $\phi_r(x)$ simply by using Berlekamp's algorithm for polynomial factoring. Define $\mathcal{A} := k[x]/(\phi_r(x))$; it is clearly a commutative semisimple algebra of dimension $\phi(r)$ over $k$. Moreover, if $\zeta_r \in \bar{k}$ is a primitive $r$-th root of unity then $\phi_r(x) = \prod_{i \in \mathbb{Z}_r^*} (x - \zeta_r^i)$. This implies that for any $i \in \mathbb{Z}_r^*$, $\phi_r(x) \mid \phi_r(x^i)$, and if for a $g(X) \in k[X]$, $\phi_r(x) \mid g(x^i)$ then $\phi_r(X) \mid g(X)$ as well. In other words, for any $i$ coprime to $r$ the map $\rho_i : x \mapsto x^i$ is a $k$-automorphism of $\mathcal{A}$. Consider the group $G := \{\rho_i \mid i \in \mathbb{Z}_r^*\}$; it is clearly isomorphic to the multiplicative group $\mathbb{Z}_r^*$, which is noncyclic for our $r$. Thus, $G$ is noncyclic and we can find a zero divisor $a(x) \in \mathcal{A}$ by Theorem 4.7. Finally, the gcd of $a(x)$ and $\phi_r(x)$ gives a nontrivial factor of $\phi_r(x)$.

Rational polynomials known to have small but noncommutative Galois groups also emerge in various branches of mathematics and its applications. For example, the six roots of the polynomial $F_j(X) = (X^2 - X + 1)^3 - \frac{j}{2^8} X^2 (X - 1)^2$ are the possible parameters $\lambda$ of the elliptic curves from the Legendre family $E_\lambda$ having prescribed $j$-invariant $j$, see [Hu86]. (Recall that the curve $E_\lambda$ is defined by the equation $Y^2 = X(X - 1)(X - \lambda)$.)
The Galois group of $F_j(X)$ is $S_3$, whence Theorem 4.7 gives a partial factorization of the polynomial $F_j(X)$ modulo $p$, where $p$ is odd and $j$ is coprime to $p$.

4.4 Extending Automorphisms of $\mathcal{A}^\tau$ to $\mathcal{A}$, where $\tau \in \operatorname{Aut}_k(\mathcal{A})$

Lemma 4.8. Given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$, a $k$-automorphism $\tau$ of $\mathcal{A}$ and a $k$-automorphism $\mu$ of $\mathcal{A}^\tau$. Assume that the order of $\tau$ is coprime to $\operatorname{char} k$. Then in deterministic $\operatorname{poly}(\log |\mathcal{A}|)$ time we can compute either a zero divisor in $\mathcal{A}$ or a $k$-automorphism $\mu'$ of $\mathcal{A}$ that extends $\mu$ such that $\mathcal{A}^{\mu'} = (\mathcal{A}^\tau)^\mu$.

Proof. Suppose that the order of $\tau$ is $r_1 \cdots r_t$, where the $r_i$'s are primes (not necessarily distinct). Clearly it is sufficient to show how to extend $\mu$ from $\mathcal{A}^{\tau^{r_1 \cdots r_{i-1}}}$ to $\mathcal{A}^{\tau^{r_1 \cdots r_i}}$ (or find a zero divisor during the process). We can therefore assume that the order of $\tau$ is a prime $r$. We may also assume that both $\tau$ and $\mu$ are semiregular, since otherwise we can find a zero divisor in $\mathcal{A}$ by Proposition 3.2. We work in the algebra $\mathcal{A}[\zeta_r]$. We extend $\tau$ to $\mathcal{A}[\zeta_r]$ and $\mu$ to $\mathcal{A}^\tau[\zeta_r]$ in the natural way. By Proposition 4.6, we can efficiently find $x \in T_{\mathcal{A},r}$ such that $x^\tau = \zeta_r x$. Clearly, $c := x^r \in T_{\mathcal{A}^\tau,r}$ and $c^\mu \in T_{\mathcal{A}^\tau,r}$. The elements $c$ and $c^\mu$ have the same order. If $c^\mu$ is not in the cyclic group generated by $c$ then by Lemma 4.2 we can find a zero divisor in $\mathcal{A}$. So assume that $c^\mu$ is in the cyclic group of $c$, in which case find an integer $j$ coprime to $r$ such that $c^\mu = c^j$ using Lemma 2.1. Note that by Lemma 4.2 we can also find a zero divisor in $\mathcal{A}$ in the case when $\zeta_r$ is not a power of $c$, so assume that $\zeta_r = c^\ell$ and compute this integer $\ell$. Then $\zeta_r = \zeta_r^\mu = (c^\ell)^\mu = (c^\mu)^\ell = c^{j\ell} = \zeta_r^j$, and hence $j \equiv 1 \pmod r$. We set $x' := x^j$.
As $x^\tau = \zeta_r x$ and $x'^\tau = \zeta_r x'$, by the proof of Proposition 4.6 there are isomorphism maps $\phi : \mathcal{A}^\tau[\zeta_r][\sqrt[r]{c}] \to \mathcal{A}[\zeta_r]$ and $\phi' : \mathcal{A}^\tau[\zeta_r][\sqrt[r]{c^\mu}] \to \mathcal{A}[\zeta_r]$ sending $\sqrt[r]{c}$ to $x$ and $\sqrt[r]{c^\mu}$ to $x'$ respectively, both fixing $\mathcal{A}^\tau[\zeta_r]$. We can naturally extend $\mu$ to an isomorphism map $\mu'' : \mathcal{A}^\tau[\zeta_r][\sqrt[r]{c}] \to \mathcal{A}^\tau[\zeta_r][\sqrt[r]{c^\mu}]$. Then the composition map $\mu' := \phi' \circ \mu'' \circ \phi^{-1}$ is an automorphism of $\mathcal{A}[\zeta_r]$ whose restriction to $\mathcal{A}^\tau[\zeta_r]$ is $\mu$. As $\mu''$, $\phi$ and $\phi'$ commute with $\Delta_r$, so does $\mu'$. Therefore $\mathcal{A} = \mathcal{A}[\zeta_r]^{\Delta_r}$ is $\mu'$-invariant and we have the promised $k$-automorphism of $\mathcal{A}$. ✷

4.5 Zero Divisors using Galois Groups: Proof of Application 3

If the input polynomial $f(x) \in \mathbb{Q}[x]$ has a "small" Galois group then can we factor $f(x)$ modulo a prime $p$? This question was studied in [Ró89b] and an algorithm was given assuming GRH. In this subsection we give a GRH-free version. We start with the following unconditional and generalized version of Theorem 3.1 in [Ró89b]:

Theorem 4.9. Assume that we are given a semiregular group $G$ of automorphisms of a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ with $\mathcal{A}^G = k$, and a nonzero ideal $B$ (with $k$ embedded) of a subalgebra of $\mathcal{A}$. Then in deterministic $\operatorname{poly}(\log |\mathcal{A}|)$ time we can either find a zero divisor in $B$ or a semiregular $k$-automorphism $\sigma$ of $B$ of order $\dim_k B$.

Remark. Here $B$ is an ideal of a subalgebra of $\mathcal{A}$, thus it is not assumed that $1_{\mathcal{A}} \in B$.

Proof. The idea of the algorithm is to find a nontrivial ideal $I$ of $\mathcal{A}$ and then reduce the problem to the smaller instance $I$. If $G$ is noncyclic then using Theorem 4.7 we can find a nontrivial ideal $I$ of $\mathcal{A}$. If $G$ is cyclic then using Proposition 3.3 we can find either a nontrivial ideal $I$ of $\mathcal{A}$ or a subgroup $H$ of $G$ with $B = \mathcal{A}^H$.
In the latter case $H$ is trivially a normal subgroup of $G$ and the restriction of any generator $\sigma$ of $G$ will generate a semiregular group of $k$-automorphisms of $B$, isomorphic to $G/H$. Thus, we get a semiregular $k$-automorphism of $B$ of order $|G/H| = \dim_k B$.

Let us assume we have a nontrivial ideal $I$ of $\mathcal{A}$. Then, using the method of Lemma 2.3, we find an ideal $J$ of $\mathcal{A}$ such that the ideals $\{J^\sigma \mid \sigma \in G\}$ are pairwise orthogonal or equal. By the hypothesis $\mathcal{A}^G = k$, $G$ acts transitively on the minimal ideals of $\mathcal{A}$, thus the group $G_1 := \{\sigma \in G \mid J^\sigma = J\}$ acts semiregularly on $J$ and for coset representatives $C$ of $G/G_1$: $\mathcal{A} = \bigoplus_{\sigma \in C} J^\sigma$. Also, note that for all $\sigma \in C$ the conjugate subgroup $G_1^\sigma := \sigma^{-1} G_1 \sigma$ acts semiregularly on $J^\sigma$. We can find a zero divisor in $B$ if the projection of $B$ to some $J^\sigma$ is neither the zero map nor injective. Thus we assume that there is an ideal $J^\sigma$ such that the projection of $\mathcal{A}$ onto $J^\sigma$ injectively embeds $B$. In that case we reduce our original problem to the smaller instance ($J^\sigma$ instead of $\mathcal{A}$, $G_1^\sigma$ instead of $G$ and the embedding of $B$ instead of $B$) and apply the steps of the last paragraph. ✷

The following Corollary gives the proof of a slightly stronger version of Application 3.

Corollary 4.10. Let $F(X) \in \mathbb{Z}[X]$ be a polynomial irreducible over $\mathbb{Q}$ with Galois group of size $m$; let $L$ be the maximum length of the coefficients of $F(X)$; let $p$ be a prime not dividing the discriminant of $F(X)$; let $f(X) := F(X) \pmod p$; and let $g(X)$ be a non-constant divisor of $f(X)$ in $\mathbb{F}_p[X]$. Then by a deterministic $\operatorname{poly}(m, L, \log p)$ time algorithm we can find either a nontrivial factor of $g(X)$ or an automorphism of order $\deg g$ of the algebra $\mathbb{F}_p[x]/(g(x))$.

Proof. The assumption on the discriminant implies that the leading coefficient of $F(X)$ is not divisible by $p$, and wlog we can assume $F(X)$ to be monic.
Also assume that $p > m^4$, as otherwise we can use Berlekamp's deterministic algorithm for factoring $f(x)$ completely. Now using the algorithm of Theorem 5.3 of [Ró89b], we compute an algebraic integer $\alpha := x \pmod{H(x)}$ generating the splitting field $\mathbb{Q}[x]/(H(x))$ of $F(X)$ such that the discriminant of the minimal polynomial $H(X)$ of $\alpha$ is not divisible by $p$. Define $\mathcal{A} := \mathbb{Z}[\alpha]/(p)$ and, using the method described in Section 4 of [Ró89b], we efficiently compute a group $G$ of automorphisms of $\mathcal{A}$ which is isomorphic to the Galois group of $\alpha$ over the rationals. Let $\beta \in \mathbb{Q}[x]/(H(x))$ be a root of $F(X)$. Then $\beta = \sum_{i=0}^{m-1} a_i \alpha^i$ for some $a_i \in \mathbb{Q}$. From Proposition 13 of Chapter 3 in [La80], for every $0 \le i < m$, $a_i$ can be written in the form $a_i = r_i/q_i$, where $r_i, q_i \in \mathbb{Z}$ and $q_i$ is coprime to $p$. Compute $t_i \in \mathbb{Z}$ with $t_i q_i \equiv 1 \pmod p$. Then $\beta' := \sum_{i=0}^{m-1} r_i t_i \alpha^i$ is in $\mathbb{Z}[\alpha]$ and the minimal polynomial of the element $\bar\beta := \beta' \pmod p \in \mathcal{A}$ is $f(X)$. Let $C$ be the subalgebra $\mathbb{F}_p[\bar\beta]$ contained in $\mathcal{A}$. Notice that $C$ is isomorphic to the algebra $\mathbb{F}_p[x]/(f(x))$. Let $B$ be the ideal of $C$ generated by $f(\bar\beta)/g(\bar\beta)$. Then $B$ is isomorphic to the algebra $\mathbb{F}_p[x]/(g(x))$ and hence a zero divisor of $B$ will give us a factor of $g(X)$. So we run the algorithm described in Theorem 4.9 on $G, \mathcal{A}, B$ and get either a factor of $g(X)$ or an automorphism of $B$ of order $\dim_{\mathbb{F}_p} B$, thus finishing the proof. ✷

5 Finding Automorphisms of Algebras via Kummer Extensions

In this section we complete the proof of our main Theorem, i.e. given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ we can unconditionally find a nontrivial $k$-automorphism of $\mathcal{A}$ in deterministic subexponential time. The proof involves computing tensor powers of $\mathcal{A}$, whose automorphisms we know, and then bringing down those automorphisms to $\mathcal{A}$.
Before embarking on the proof we need to first see how to bring down automorphisms using Kummer extensions, and define notions related to tensor powers of $\mathcal{A}$.

5.1 Bringing Down Automorphisms of $D$ to $\mathcal{A} \le D$

We do this by using Kummer extensions, so we first show how to embed a Kummer extension of $\mathcal{A}$ into the cyclotomic extension of $D$.

Lemma 5.1. Let $\mathcal{A} \le D$ be commutative semisimple algebras over a finite field $k$ and let $r \ne \operatorname{char} k$ be a prime. Then for any $x \in T_{D,r} \setminus \mathcal{A}[\zeta_r]$ satisfying $c := x^r \in \mathcal{A}[\zeta_r]$, there is a unique ring homomorphism $\phi : \mathcal{A}[\zeta_r][\sqrt[r]{c}] \to D[\zeta_r]$ that fixes $\mathcal{A}[\zeta_r]$, maps $\sqrt[r]{c}$ to $x$ and:
(1) $\phi$ commutes with the action of $\Delta_r$, thus $\phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]^{\Delta_r}) \subseteq D$.
(2) $\phi$ is injective if and only if its restriction to $\mathcal{A}[\zeta_r][\sqrt[r]{c}]^{\Delta_r}$ is injective.
(3) If $\phi$ is not injective then we can find a zero divisor of $D$ in deterministic polynomial time.

Proof. The existence and uniqueness of the homomorphism $\phi$ are obvious: the map from $\mathcal{A}[\zeta_r][X]$ to $D[\zeta_r]$ which sends $X$ to $x$ factors through $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$. As $x \in T_{D,r}$, for every $\rho_a \in \Delta_r$ we have $\phi((\sqrt[r]{c})^{\rho_a}) = \phi((\sqrt[r]{c})^{\omega(a)}) = x^{\omega(a)} = (\phi(\sqrt[r]{c}))^{\rho_a}$. On the other hand, for every $u \in \mathcal{A}[\zeta_r]$ we have $\phi(u)^{\rho_a} = u^{\rho_a} = \phi(u^{\rho_a})$. As $\mathcal{A}[\zeta_r]$ and $\sqrt[r]{c}$ generate $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$, the two equalities above prove that $\phi$ commutes with the action of $\Delta_r$. As a consequence, $\phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]^{\Delta_r}) \subseteq D[\zeta_r]^{\Delta_r} = D$.

Since the elements $\zeta_r^0, \ldots, \zeta_r^{r-2}$ form a free basis of $D[\zeta_r]$ as a $D$-module, the subspaces $\zeta_r^i D$ of $D[\zeta_r]$ ($i = 0, \ldots, r-2$) are independent over $k$. This means the images $\phi(\zeta_r^i (\mathcal{A}[\zeta_r][\sqrt[r]{c}]^{\Delta_r}))$ are independent as well; thus $\dim_k \phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]) = (r-1) \dim_k \phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]^{\Delta_r})$.
This together with the fact $\dim_k \mathcal{A}[\zeta_r][\sqrt[r]{c}] = (r-1) \dim_k \mathcal{A}[\zeta_r][\sqrt[r]{c}]^{\Delta_r}$ means that $\phi$ is injective if and only if its restriction to $\mathcal{A}[\zeta_r][\sqrt[r]{c}]^{\Delta_r}$ is.

To see the last assertion assume that $\phi$, and hence its restriction to $C := \mathcal{A}[\zeta_r][\sqrt[r]{c}]^{\Delta_r}$, is not injective. We compute the kernel $I$ of $\phi|_C$; clearly $I$ is a nonzero ideal of $C$. Let $\sigma$ be the semiregular $k$-automorphism of $C$ investigated in Proposition 4.4, which also tells us that $\dim_k C = r \dim_k \mathcal{A}$. Assume that $\phi(C) =: D'$. We compute $J := \{u \in C \mid uI = 0\}$, the ideal complementary to $I$ so that $C = I \oplus J$. Note that by the definition of $I$, the restriction of $\phi$ to $J$ yields an isomorphism $J \cong D'$. Hence finding a zero divisor in $J$ implies finding a zero divisor in $D$. Let $e_J$ be the identity element of $J$; then as $\phi$ fixes $\mathcal{A}$, for all $a \in \mathcal{A}$, $a = \phi(a) = \phi(e_J a)$, in other words $\phi$ induces an isomorphism $e_J \mathcal{A} \cong \mathcal{A}$. Using this we now show that the action of $\sigma$ on $J$ yields a zero divisor in $J$.

Firstly, we claim that for all $1 \le i \le (r-1)$, $J \ne J^{\sigma^i}$. Suppose for some $1 \le i \le (r-1)$, $J^{\sigma^i} = J$ and $\sigma^i$ fixes $J$; then $J \subseteq C^{\sigma^i} = \mathcal{A}$. This together with the fact that $\phi^{-1}$ injectively embeds $\mathcal{A}$ in $J$ gives $J = \mathcal{A}$, which implies that $\phi(C) = \mathcal{A}$, thus $\phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]) = \phi(C[\zeta_r]) = \mathcal{A}[\zeta_r]$, contradicting $x \notin \mathcal{A}[\zeta_r]$. The other case then is: for some $1 \le i \le (r-1)$, $J^{\sigma^i} = J$ and the restriction of $\sigma^i$ to $J$ is a semiregular automorphism of order $r$ of $J$; therefore $\dim_k J = r \dim_k J^{\sigma^i} \ge r \dim_k e_J \mathcal{A} = r \dim_k \mathcal{A}$ (as $\sigma^i$ fixes $\mathcal{A}$ it has to fix $e_J \mathcal{A}$), which contradicts $\dim_k J < \dim_k C = r \dim_k \mathcal{A}$.

Secondly, we claim that for some $i \in \{1, \ldots, r-1\}$, $J \cap J^{\sigma^i} \ne 0$.
Indeed, assuming the contrary, we would have $J^{\sigma^j} \cap J^{\sigma^i} = (J \cap J^{\sigma^{i-j}})^{\sigma^j} = 0$ whenever $i \not\equiv j \pmod r$, whence the $J^{\sigma^i}$ would be pairwise orthogonal ideals, whence $\dim_k J = \frac{1}{r} \dim_k \sum_{t=0}^{r-1} J^{\sigma^t} \le \frac{1}{r} \dim_k C = \dim_k \mathcal{A}$. This together with the fact that $\phi^{-1}$ injectively embeds $\mathcal{A}$ in $J$ gives $J = \mathcal{A}$, which implies that $\phi(C) = \mathcal{A}$, thus $\phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]) = \phi(C[\zeta_r]) = \mathcal{A}[\zeta_r]$, contradicting $x \notin \mathcal{A}[\zeta_r]$.

From the above two claims we get an $i \in \{1, \ldots, r-1\}$ for which $J \ne J^{\sigma^i}$ and $J \cap J^{\sigma^i} \ne 0$, whence by the method of Lemma 2.3 we get a zero divisor of $J$, thus finishing the proof. ✷

Now we show the main result of this subsection: bringing down automorphisms of $D$ to $\mathcal{A} \le D$.

Proposition 5.2. Given a commutative semisimple algebra $D$ over a finite field $k$, its semiregular $k$-automorphism $\tau$ of prime order $r \ne \operatorname{char} k$, and a subalgebra $\mathcal{A} \supset k$ of $D$ such that $\frac{\dim_k D}{\dim_k \mathcal{A}}$ is an integer not divisible by $r$. Then we can find in deterministic $\operatorname{poly}(\log |D|)$ time either a zero divisor in $\mathcal{A}$ or a subalgebra $C \le \mathcal{A}$ together with a semiregular automorphism $\tau'$ of $C$ of order $r$ such that $C^{\tau'} \ge \mathcal{A}^\tau$ ($:= \mathcal{A} \cap D^\tau$).

Proof. We use the method of Proposition 4.6 to find an element $x \in T_{D,r}$ such that $x^\tau = \zeta_r x$. If $x \in \mathcal{A}[\zeta_r]$ then we define $C := \mathcal{A}^\tau[\zeta_r][x]^{\Delta_r}$. As $\tau$ fixes $\zeta_r$ while $\Delta_r$ fixes $D$, $\tau$ commutes with $\Delta_r$. Thus, $C^\tau = (\mathcal{A}^\tau[\zeta_r][x]^\tau)^{\Delta_r} = \mathcal{A}^\tau[\zeta_r]^{\Delta_r} = \mathcal{A}^\tau$. This means that we have the $C$ and the $\tau' := \tau|_C$ as promised.

On the other hand, if $x \notin \mathcal{A}[\zeta_r]$ then we claim that we can find a zero divisor in $D$, decompose $D$ into a direct sum of orthogonal ideals and construct the $C$ and the $\tau'$ in one of the ideals recursively. Say $x \notin \mathcal{A}[\zeta_r]$; then since $x^{r^t} = 1_D \in \mathcal{A}$ for some integer $t > 0$, we can choose a $y \in \{x, x^r, x^{r^2}, \ldots\}$ such that $y \notin \mathcal{A}[\zeta_r]$ but $c' := y^r \in \mathcal{A}[\zeta_r]$.
By Lemma 5.1, we can find a zero divisor in $D$ unless $\mathcal{A}[\zeta_r][\sqrt[r]{c'}]$ is isomorphic to the subalgebra $\mathcal{A}[\zeta_r][y]$. In the latter case $D_0 := \mathcal{A}[\zeta_r][y]^{\Delta_r} \le D$ is a free $\mathcal{A}$-module of rank $r$, by Proposition 4.4. Comparing dimensions it follows that $D$ cannot be a free $D_0$-module, therefore we can find a zero divisor $z$ in $D_0$ by Lemma 2.2. Thus, whenever $x \notin \mathcal{A}[\zeta_r]$, we can find a zero divisor $z$ in $D$.

We proceed with computing the ideal of $D$ generated by $z$ and, using Lemma 2.3, obtain a $\tau$-invariant decomposition of $D$ into the orthogonal ideals $I_1, \ldots, I_t$. For $1 \le j \le t$, we denote by $\phi_j$ the projection $D \to I_j$. We can assume that for all $j$, $\phi_j|_{\mathcal{A}}$ is injective, as otherwise we find a zero divisor in $\mathcal{A}$, and let $E \subseteq \{I_1, \ldots, I_t\}$ be a set of representatives of all the $r$-sized orbits of $\tau$. We have
$$\frac{\dim_k D}{\dim_k \mathcal{A}} = \sum_{j=1}^{t} \frac{\dim_k I_j}{\dim_k \mathcal{A}} = \sum_{I_j^\tau = I_j} \frac{\dim_k I_j}{\dim_k \mathcal{A}} + r \sum_{I_j \in E} \frac{\dim_k I_j}{\dim_k \mathcal{A}},$$
from which we infer that the first sum is nonempty and includes at least one term not divisible by $r$; therefore we can choose an index $j$ such that $I_j$ is $\tau$-invariant and $r \nmid \frac{\dim_k I_j}{\dim_k \mathcal{A}}$. So we can proceed with $I_j$ and $\phi_j \mathcal{A} \cong \mathcal{A}$ in place of $D$ and $\mathcal{A}$ respectively in the algorithm described above.

The process described above stops when either we find a zero divisor in $\mathcal{A}$ or an element $x \in T_{\mathcal{A}',r}$ with $x^\tau = \zeta_r x$, where $\mathcal{A}' \cong \mathcal{A}$ is the image of $\mathcal{A}$ under the projection $\phi$ of $D$ to some $\tau$-invariant ideal $I$. In the latter case we compute the subalgebra $C' := \mathcal{A}'^\tau[\zeta_r][x]^{\Delta_r}$. Finally put $C := \phi^{-1}(C')$ and $\tau' := \phi^{-1} \circ \tau \circ \phi$. Notice that, if $e_I$ is the identity element of $I$ then $\tau$ will fix $e_I$ and $\phi : D \to I$ will just be the homomorphism $d \mapsto e_I d$, thus $\tau$ commutes with $\phi$. Consequently, $C^{\tau'} = \phi^{-1}(C'^\tau) = \phi^{-1}(\mathcal{A}'^\tau) \ge \mathcal{A}^\tau$.
✷

5.2 Essential Part of the Tensor Power

Let $\mathcal{A}$ be a commutative semisimple algebra over a finite field $k$. Let $B$ be its subalgebra such that $k \subseteq B$ and $\mathcal{A}$ is a free module over $B$ of rank $m$. If $\operatorname{char} k \le m^2$ then polynomial factorization can be done in deterministic time by Berlekamp's algorithm and consequently all our results can be obtained easily. So we assume from now on that $\operatorname{char} k > m^2$. But then we can also assume that $\mathcal{A}$ is a simple extension algebra of $B$ and find a primitive element $\alpha$ by running an algorithmic version of Fact 1 (if this "fails" then it gives a zero divisor of $\mathcal{A}$). If $g(X) \in B[X]$ is a minimal polynomial of $\alpha$ then we have that $\mathcal{A} = B[X]/(g(X))$.

It was shown by Rónyai [Ró87] that, under GRH, a zero divisor in $\mathcal{A}$ can be found in time $\operatorname{poly}((\dim_k \mathcal{A})^r, \log |k|)$ if $r$ is a prime divisor of $\dim_k \mathcal{A}$. In this section we extend the method of [Ró87] and obtain a GRH-free version that will be crucial in the proof of Main Theorem. A key idea of Rónyai was to work in the essential part of the tensor powers of $\mathcal{A}$. Before going to the formal definition of it we give a motivating definition assuming $\mathcal{A} = k[X_1]/(f(X_1))$: the essential part of $\mathcal{A}^{\otimes_k 2} := \mathcal{A} \otimes_k \mathcal{A}$ is its ideal isomorphic to the algebra
$$k[X_1, X_2]/(f(X_1), f_2(X_1, X_2)), \quad \text{where } f_2(X_1, X_2) := \frac{f(X_2)}{X_2 - X_1} \in \mathcal{A}[X_2].$$
Similarly, we can write down an expression for the essential part of $\mathcal{A}^{\otimes_k r}$ inductively, as a factor algebra of $k[X_1, \ldots, X_r]$.

Functional interpretation of tensor powers: Let a commutative semisimple $\mathcal{A}$ be a simple extension algebra over $B \supseteq k$ such that $\mathcal{A} = B[X]/(g(X))$ and $g(X) \in B[X]$ is a monic polynomial of degree $m$. Let $r \le m$. We consider the $r$-th tensor power $\mathcal{A}^{\otimes_B r}$ ($\mathcal{A}$ tensored with itself $r$ times wrt $B$).
To define (and compute) the essential part of this tensor power it is convenient to interpret $\mathcal{A}$ as a collection of functions $V \to \bar{B}$ that are expressible as a polynomial over $B$ (called $B$-polynomial functions), where $\bar{B} := \bar{k} \otimes_k B$ is the algebraic closure of $B$ and $V \subset \bar{B}$ is a set of roots of $g(X)$. If $B$ is not a field then there are various possibilities for $V$ and we need one with $\prod_{v \in V} (X - v) = g(X)$. Such a $V$ clearly exists by the definition of the algebraic closure. This functional interpretation of $\mathcal{A}$ generalizes to $\mathcal{A} \otimes_B \mathcal{A}$, which now becomes the set of all $B$-polynomial functions from the set $V \times V$ to $\bar{B}$, and finally $\mathcal{A}^{\otimes_B r}$ is the set of all $B$-polynomial functions from the set $V^r$ to $\bar{B}$. Note that in this interpretation a rank 1 tensor element $h_1 \otimes \cdots \otimes h_r$ in $\mathcal{A}^{\otimes_B r}$ corresponds to the function $V^r \to \bar{B}$ that maps $(v_1, \ldots, v_r) \mapsto h_1(v_1) \cdots h_r(v_r)$.

Essential part of tensor powers: The essential part $\widetilde{\mathcal{A}^{\otimes_B r}}$ of $\mathcal{A}^{\otimes_B r}$ is the subset of functions that vanish on all the $r$-tuples $(v_1, \ldots, v_r)$ that have $v_i = v_j$ for some $i \ne j$. It can be seen that $\widetilde{\mathcal{A}^{\otimes_B r}}$ is an ideal of $\mathcal{A}^{\otimes_B r}$. We show below that given a basis of $\mathcal{A}$ over $B$ we can directly compute a basis for $\widetilde{\mathcal{A}^{\otimes_B r}}$ over $B$.

Lemma 5.3. A basis for $\widetilde{\mathcal{A}^{\otimes_B r}}$ over $B$ can be computed by a deterministic algorithm in time $\operatorname{poly}(m^r, \log |\mathcal{A}|)$.

Proof. Consider embeddings $\mu_i$ of $\mathcal{A}$ into $\mathcal{A}^{\otimes_B r}$ ($i = 1, \ldots, r$) given as $\mu_i(a) = 1 \otimes \cdots \otimes 1 \otimes a \otimes 1 \otimes \cdots \otimes 1$ where $a$ is in the $i$-th place. In the interpretation as functions, $\mu_i(\mathcal{A})$ corresponds to the $B$-polynomial functions on $V^r$ which depend only on the $i$-th element in the tuples. Observe that the set, for $1 \le i < j \le r$,
$$\Delta^r_{i,j} = \{b \in \mathcal{A}^{\otimes_B r} \mid (\mu_i(a) - \mu_j(a)) b = 0 \text{ for every } a \in \mathcal{A}\}$$
is the ideal of $\mathcal{A}^{\otimes_B r}$ consisting of the $B$-polynomial functions which are zero on every tuple $(v_1, \ldots, v_r)$ with $v_i \ne v_j$. Given a basis for $\mathcal{A}$, a basis for $\Delta^r_{i,j}$ can be computed by solving a system of linear equations in time (counting $k$-operations as unit time) polynomial in $\dim_k \mathcal{A}^{\otimes_B r} = m^r \dim_k B$. Finally, notice that $\widetilde{\mathcal{A}^{\otimes_B r}}$ can be computed as well since it is the annihilator of $\sum_{1 \le i \cdots}$ […] $m$ then $\tau_1(\mathcal{A}) \ne \tau_2(\mathcal{A})$.

Proof. To see the first statement observe that $\widetilde{\mathcal{A} \otimes_B \mathcal{A}}$ is the ideal of $\mathcal{A} \otimes_B \mathcal{A}$ generated by the set of elements $\{x \otimes 1 - 1 \otimes x \mid x \in \mathcal{A}\}$, see Lemma 5.3. It follows that $I$ (as an ideal) is generated by the elements $\{\tau_1(x) - \tau_2(x) \mid x \in \mathcal{A}\}$. Consequently, if $\tau_1(x) - \tau_2(x) = 0$ for all $x \in \mathcal{A}$ then $I = 0$. To see the second assertion, note that as $I$ is an ideal of the essential part of the semisimple $\mathcal{A} \otimes_B \mathcal{A}$, there is a natural projection $\phi : \mathcal{A} \otimes_B \mathcal{A} \to I$. Then $\tau_1(\mathcal{A}) = \phi(\mathcal{A} \otimes_B 1)$ and $\tau_2(\mathcal{A}) = \phi(1 \otimes_B \mathcal{A})$. From this and from the fact that $\mathcal{A} \otimes_B 1$ and $1 \otimes_B \mathcal{A}$ generate $\mathcal{A} \otimes_B \mathcal{A}$ we infer that $\tau_1(\mathcal{A})$ and $\tau_2(\mathcal{A})$ generate $I$. As $\dim_k \tau_i(\mathcal{A}) \le \dim_k \mathcal{A} = m \dim_k B < \dim_k I$, this excludes the possibility of $\tau_1(\mathcal{A}) = \tau_2(\mathcal{A})$. ✷

5.3 Proof of Main Theorem

We now prove the following slightly stronger version of Main Theorem.

Theorem 5.6. Given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ and a subalgebra $B \supseteq k$ of $\mathcal{A}$ such that $\mathcal{A}$ is a free $B$-module of rank $m$. Then in deterministic $\operatorname{poly}(m^{\log m}, \log |\mathcal{A}|)$ time one can either find a zero divisor in $\mathcal{A}$ or a semiregular automorphism $\sigma$ of $\mathcal{A}$ of order $m$ with $\mathcal{A}^\sigma = B$.

Proof. We may assume that $\operatorname{char} k > m^2$, as otherwise using Berlekamp's factoring algorithm we can completely decompose $\mathcal{A}$ into simple components. If $m$ is even then using the algorithm of Theorem 5.4 we either find a zero divisor in $\mathcal{A}$ or a subalgebra $C \le \mathcal{A}$ together with a semiregular automorphism $\sigma_0$ of $C$ of order 2 with $C^{\sigma_0} \ge B$ in deterministic polynomial time.
In the former case we are done, while in the latter case we make two recursive calls: one on the pair $(\mathcal{A}, C)$ and the other on the pair $(C^{\sigma_0}, B)$. This way we either find a zero divisor in $\mathcal{A}$ or we find a semiregular automorphism $\sigma_1$ of $\mathcal{A}$ satisfying $\mathcal{A}^{\sigma_1} = C$ as well as a semiregular automorphism $\sigma_2$ of $C^{\sigma_0}$ satisfying $(C^{\sigma_0})^{\sigma_2} = B$. In the former case we are done, while in the latter case we apply the algorithm of Lemma 4.8 two times to construct $\sigma$ from $\sigma_0, \sigma_1, \sigma_2$. This finishes the even $m$ case.

Assume for the rest of the proof that $m$ is odd. We outline here the overall flow of the algorithm. We work in the algebra $\mathcal{A}' := \widetilde{\mathcal{A} \otimes_B \mathcal{A}}$ and $B' := \phi_1(\mathcal{A})$, where $\phi_1$ and $\phi_2$ are respectively the left and right embeddings of $\mathcal{A}$ into $\mathcal{A}'$. During the course of the algorithm we maintain a nonzero ideal $I \unlhd \mathcal{A}'$ with $B'$ embedded in it. Any time we find a zero divisor in $I$ we replace $I$ with either the ideal generated by the zero divisor or its complement, depending on which has smaller dimension. We can assume the new ideal to be a free module over an embedded $B'$, as otherwise we can find a zero divisor in $B'$ (equivalently in $\mathcal{A}$). Note that the rank of the new ideal over the embedded $B'$ is at most half of the original one. Initially $I = \mathcal{A}'$ and it is a free $B'$-module of even rank $(m-1)$, and so we can apply the recursion outlined in the second paragraph of this proof. In this way at any stage we either find a smaller ideal of $I$ or a semiregular automorphism $\sigma$ of $I$ such that $I^\sigma = e_I B' \cong B'$, where $e_I$ is the identity element of $I$. In the former case we replace $I$ by the smaller ideal (with an embedded $B'$) and apply recursion, which again either finds a zero divisor (and hence a smaller ideal) or a $B'$-automorphism of the new ideal.
The recursion outlined above halts either with a zero divisor found in $B'$ (equivalently in $\mathcal{A}$) or with a semiregular automorphism $\sigma$ of an $I \unlhd \mathcal{A}'$ such that $I^\sigma = e_I B' \cong B'$. In the former case we are done, while the latter case is what we handle now. Let $\tau_1 : \mathcal{A} \to I$ mapping $a \mapsto e_I \phi_1(a)$ be the embedding of $\mathcal{A}$ into $I$. Look at the homomorphism $\tau_2 : \mathcal{A} \to I$ that maps $a \mapsto e_I \phi_2(a)$. It is a nonzero homomorphism as $\tau_2(1) = e_I \ne 0$. So we can assume $\tau_2$ to be an embedding of $\mathcal{A}$ in $I$ as well, or else we get a zero divisor in $\mathcal{A}$.

If $\sigma$ is trivial, i.e. $I = e_I B' \cong B' \cong \mathcal{A}$, then $\mu := \tau_2^{-1} \tau_1$ is a nontrivial $B$-automorphism of $\mathcal{A}$ by the first part of Lemma 5.5. If $\mu$ is not semiregular then we can find a zero divisor by Proposition 3.2, while if $\mu$ is semiregular then we can apply recursion to the pair $(\mathcal{A}^\mu, B)$, find an automorphism of $\mathcal{A}^\mu$ and finally extend it to a promised automorphism of $\mathcal{A}$ by Lemma 4.8.

So let us assume that $\sigma$ is nontrivial, i.e. $I > I^\sigma = \tau_1(\mathcal{A})$, thus $\operatorname{rk}_{\tau_1(B)} I > m$. Then we define $B'' := \tau_2(\mathcal{A})$ and apply recursion to the pair $(I, B'')$. We either find a zero divisor of $I$ or obtain a semiregular automorphism $\sigma'$ of $I$ with $I^{\sigma'} = B''$. In the former case we can proceed with a smaller ideal of $I$ or finish with a zero divisor of $B''$ and hence of $\mathcal{A}$, so the latter case of having a $\sigma'$ is what we think about now. We can assume that $\sigma$ and $\sigma'$ commute, as otherwise we can find a zero divisor of $I$ by the algorithm of Theorem 4.7 and proceed with recursion. Thus, $I^{\sigma'}$ is $\sigma$-invariant and $I^\sigma$ is $\sigma'$-invariant. Thus both $\sigma$ and $\sigma'$ can be viewed as automorphisms of $\tau_2(\mathcal{A})$ and $\tau_1(\mathcal{A})$ respectively. If both these actions are trivial then $\tau_1(\mathcal{A}) = I^\sigma = (I^\sigma)^{\sigma'} = (I^{\sigma'})^\sigma = I^{\sigma'} = \tau_2(\mathcal{A})$, which contradicts the second statement of Lemma 5.5. Thus one of them is nontrivial; wlog say $\sigma$ is a nontrivial automorphism of $\tau_2(\mathcal{A})$.
Then $\mu := \tau_2^{-1} \sigma \tau_2$ is a nontrivial automorphism of $\mathcal{A}$. Again we can either find a zero divisor of $\mathcal{A}$ or proceed with a recursion to the pair $(\mathcal{A}^\mu, B)$, getting a promised automorphism of $\mathcal{A}$ by the algorithm of Lemma 4.8.

To see the dominating term in the time complexity observe that in any recursive call on some pair, say $C, D$ with $d := \operatorname{rk}_D C$, if $d$ is odd then we need to go to the tensor square of $C$ wrt $D$. Thus we need to then work in an algebra of rank $d$ times the original rank. As we start with rank $m$ we have $d \le m$, and as the rank $d$ is at least halved in the subsequent recursive call (if there is one), we deduce that the algorithm works at all times in an algebra of rank (over $B$) at most $m^{\log m}$. It is then routine to verify that the algorithm requires in all just $\operatorname{poly}(m^{\log m})$ many $B$-operations, which proves the time complexity as promised. ✷

To finish the proof of Main Theorem, apply the process described in the above Theorem to $B = k$. If it yields a zero divisor $z$ of $\mathcal{A}$ then the ideal $I := \mathcal{A} z$ and its complementary ideal $I^\perp$ give a decomposition $\mathcal{A} = I \oplus I^\perp$. If $e_I$ is the identity element of $I$ then we can repeat the process now with $\mathcal{A}$ replaced by $e_I \mathcal{A} = I$ and $B$ replaced by $e_I k \cong k$. Thus after several iterations based on Theorem 5.6 we get the direct sum decomposition of $\mathcal{A}$ together with automorphisms as promised in Main Theorem.

6 Noncommutative Applications

In this section we show that given a noncommutative algebra $\mathcal{A}$ over a finite field we can unconditionally find zero divisors of $\mathcal{A}$ in deterministic subexponential time. The idea is to compute a commutative subalgebra $D$ of $\mathcal{A}$, find an automorphism of $D$ using the algorithm described in Theorem 5.6, and finally construct a zero divisor of $\mathcal{A}$ using this automorphism.

Preprocessing: Let $\mathcal{A}$ be a finite dimensional noncommutative algebra over a finite field $k$.
If $\mathcal{A}$ is not semisimple then we can compute the radical of $\mathcal{A}$, by the deterministic polynomial time algorithm of [Ró90, CIW96], and get several zero divisors. So we can assume that $\mathcal{A}$ is semisimple. We can efficiently compute the center $C$ of $\mathcal{A}$ ($C$ is the subalgebra having the elements that commute with all elements in $\mathcal{A}$) by solving a system of linear equations. By the Artin-Wedderburn Theorem (see Fact 4) we know that if $C_1, \ldots, C_r$ are the simple components of $C$ then, structurally, $\mathcal{A} = \bigoplus_{i=1}^{r} M_{m_i}(C_i)$, where $M_m(R)$ stands for the algebra of all $m \times m$ matrices over the $k$-algebra $R$. Note that if the $m_i$'s are not all the same then $\mathcal{A}$ would not be a free module over $C$ and hence we can find a zero divisor in $C$ by Lemma 2.2. So we can assume $\mathcal{A} = \bigoplus_{i=1}^{r} M_m(C_i) = M_m(\bigoplus_{i=1}^{r} C_i) = M_m(C)$. Thus the hard case is to find a zero divisor in an algebra isomorphic to $M_m(C)$; this is what we focus on in the remaining section. We identify $C$ with the scalar matrices in $M_m(C)$.

6.1 Automorphisms of a Commutative Semisimple Subalgebra of $M_m(C)$

Note that for any invertible matrix $A$ there is a natural automorphism of the full matrix algebra that maps $x$ to $A^{-1} x A$; we call this a conjugation automorphism. We show in the first Lemma that, under certain mild conditions, an automorphism of a commutative semisimple subalgebra of the full matrix algebra corresponds to a conjugation automorphism. Recall that every maximal commutative semisimple subalgebra of the full matrix algebra $M_m(F)$ over a perfect field $F$ has dimension $m$ over $F$. If $F$ is algebraically closed then every commutative semisimple subalgebra of $M_m(F)$ is in fact (up to a conjugation isomorphism) a subalgebra of the diagonal matrices.

Lemma 6.1. Let $C$ be a commutative semisimple algebra over a finite field $k$, let $B \le M_m(C)$ be a commutative semisimple $C$-algebra and let $\sigma$ be a $C$-automorphism of $B$. Let there be a maximal commutative semisimple subalgebra $D \le M_m(C)$ containing $B$ such that $D$ is a free $B$-module. Then there exists a nonzero $y \in M_m(C)$ such that $\forall x \in B$, $x^\sigma = y^{-1} x y$.

Proof. We get hold of this element $y$ by reducing the question to the case of $C$ being an algebraically closed field, when $D$ becomes a direct sum of $m$ copies of $C$ and $B$ becomes a direct sum of $r \mid m$ copies of $C$. In that case we can find a basis of 0-1 diagonal matrices for $B$ that is permuted by $\sigma$ and hence construct the promised $y$ as a permutation matrix.

Firstly, we can assume $C$ to be a field, because if $I_1, \ldots, I_c$ are the simple components of $C$ then clearly the $I_i$'s are all finite fields, and we can try finding the promised $y_i$ for the instance $(D I_i, B I_i, I_i)$. Note that since $\sigma$ was fixing $I_i$, $\sigma$ is still an $I_i$-automorphism of $B I_i$, and by the freeness condition $D I_i$ is still a free $B I_i$-module and it is a maximal commutative semisimple subalgebra of $M_m(I_i)$. Also, once we have the $y_i$, for all $1 \le i \le c$, satisfying $y_i x^\sigma = x y_i$ for all $x \in B I_i$, it is easy to see that $(y_1 + \cdots + y_c)$ is the promised $y$. So for the rest of the proof we assume that $C$ is a finite field extension of $k$.

Secondly, notice that the condition $y x^\sigma = x y$ is equivalent to the system of equations $y x_1^\sigma = x_1 y, \ldots, y x_r^\sigma = x_r y$ for a $C$-basis $x_1, \ldots, x_r$ of $B$. In terms of the entries of the matrix $y$ this is a system of homogeneous linear equations in the field $C$. This system has a nonzero solution over $C$ iff the same system has a nonzero solution over the algebraic closure $\bar{C}$ of $C$.
A solution over $\overline{C}$ gives a matrix $y \in M_m(\overline{C})$ such that $y x^\sigma = x y$ for every $x \in \overline{B}$, where $\overline{B} := \overline{C} \otimes_C B$ and we extend $\sigma$ $\overline{C}$-linearly to an algebra automorphism of $\overline{B}$. Because $k$ was a finite field, $\overline{B} \le M_m(\overline{C})$ is a commutative semisimple algebra over $\overline{C}$. Similarly, $\overline{D} := \overline{C} \otimes_C D$ is a maximal commutative semisimple subalgebra of $M_m(\overline{C})$, and is also a free $\overline{B}$-module. By the former condition $\dim_{\overline{C}} \overline{D} = m$ and by the latter condition $r \mid m$. We will now focus on the instance $(\overline{D}, \overline{B}, \overline{C})$ and try to construct the promised $y$. As $\overline{D}$ is a sum of $m$ copies of $\overline{C}$, by an appropriate basis change we can make $\overline{D}$ the algebra of all diagonal matrices in $M_m(\overline{C})$. Also, as $\overline{D}$ is a free $\overline{B}$-module, a further basis change makes $\overline{B}$ the algebra generated by the matrices $e_1, \dots, e_r$, where each $e_j$ is a diagonal 0-1 matrix having $m/r$ consecutive 1's. In that case the automorphism $\sigma$ has a simple action, namely it permutes the matrices $\{e_1, \dots, e_r\}$. Let $y$ be a block $r \times r$ matrix whose blocks are all $m/r \times m/r$ zero matrices except at the positions $(i, i^\sigma)$ ($i^\sigma$ is defined by $e_i^\sigma = e_{i^\sigma}$), where the block is the $m/r \times m/r$ identity matrix. Clearly then $e_i^\sigma = y^{-1} e_i y$ for all $1 \le i \le r$, and hence $x^\sigma = y^{-1} x y$ for every $x \in \overline{B}$ by extending the equalities linearly to $\overline{B}$. ✷

In the second Lemma we show that a conjugation automorphism of prime order of a commutative semisimple subalgebra corresponds to a zero divisor of the original algebra.

Lemma 6.2. Let $A$ be a finite dimensional algebra over the perfect field $F$ and let $B \le A$ be a commutative semisimple algebra containing $F 1_A$. Let $r$ be a prime different from $\operatorname{char} F$ and let $y \in A$ be of order $r$ such that $y^{-1} B y = B$ but there is an element $x \in B$ with $y^{-1} x y \ne x$. Then the minimal polynomial of $y$ over $F$ is in fact $(X^r - 1)$. As a consequence, $(y - 1)$ and $(1 + y + \dots + y^{r-1})$ is a pair of zero divisors in $A$.

Proof.
Let $\overline{F}$ be the algebraic closure of $F$. Note that in $\overline{A} := \overline{F} \otimes_F A$ the minimal polynomial of $1 \otimes y$ is the same as that of $y$ in $A$, $\overline{B} := \overline{F} \otimes B$ remains commutative semisimple, and conjugation by $1 \otimes y$ acts on it as an automorphism of order $r$. Thus for the rest of the proof we can assume $F$ to be algebraically closed. As conjugation by $y$ does not fix $B$, there exists a primitive idempotent $e$ of $B$ for which the elements $e_j = y^{-j} e y^j$ ($j = 1, \dots, r$) are pairwise orthogonal primitive idempotents of $B$. This means that the corresponding left ideals $L_j := A e_j$ are linearly independent over $F$. Assume now that the minimal polynomial of $y$ has degree less than $r$. So there are elements $\alpha_0, \dots, \alpha_{r-1} \in F$, not all zero, such that $\sum_{j=0}^{r-1} \alpha_j y^j = 0$. This implies that $e \sum_{j=0}^{r-1} \alpha_j y^j = \sum_{j=0}^{r-1} \alpha_j y^j e_j = 0$, which, together with the fact that the $y^j e_j$'s are all nonzero, contradicts the linear independence of $L_1, \dots, L_r$. ✷

6.2 Proof of Application 1

In this subsection we give the proof of Application 1: given a noncommutative algebra $A$ over a finite field $k$, one can unconditionally find zero divisors of $A$ in deterministic subexponential time. By the preprocessing discussed at the beginning of the section it is clear that we only need to handle the case $A \cong M_m(C)$, where $C$ is a commutative semisimple algebra over $k$. The basic idea of the algorithm then is to find a maximal commutative semisimple subalgebra $D \le A$, find a $C$-automorphism $\sigma$ of $D$, use it to define a subalgebra of $A$ which is a so called cyclic algebra, and then find a zero divisor in this cyclic algebra by the method of [W05]. The cyclic algebras $A'$ over $C$ we encounter have two generators $x, y$ such that for a prime $r$: $xy = \zeta_r yx$ and the multiplicative orders of $x, y$ are powers of $r$.
These algebras have the ring of quaternions as their classic special case, when $x^2 = y^2 = -1$ and $xy = -yx$. We are given the algebra $A$ (with an unknown isomorphism to $M_m(C)$) in basis form over the finite field $k$. We can easily compute the center of $A$, and it will be $C$. We can also compute a maximal commutative semisimple subalgebra $D$ of $A$ by the deterministic polynomial time algorithm of [GI00] ($D$ has an unknown isomorphism to the subalgebra of diagonal matrices of $M_m(C)$). Being maximal, $D$ is a free module over $C$ of rank $m$. By Theorem 5.6 we can, in deterministic $\operatorname{poly}(m^{\log m}, \log|A|)$ time, either find a zero divisor in $D$ or compute a semiregular automorphism $\sigma$ of $D$ such that $D^\sigma = C$. In the former case we are done, so it is the latter case that we now assume. By Lemma 6.1 there certainly exists a $y \in A$ such that $d^\sigma = y^{-1} d y$ for every $d \in D$, so by picking a nonzero solution of the corresponding system of linear equations we either find a zero divisor of $A$ or we find such a $y$. So suppose we find a $y$ such that $d^\sigma = y^{-1} d y \ne d$ for every $d \in D \setminus C$. We can efficiently obtain a multiple $M$ of the multiplicative order of $y$, $\operatorname{ord}(y)$, just by looking at the degrees of the irreducible factors of the minimal polynomial of $y$ over $k$ (this can be done deterministically without actually computing the factorization). Fix a prime factor $r \mid m$; as $\sigma$ is a semiregular $C$-automorphism of $D$, $\sigma$ is of order $m$, hence using $M$ we can replace $y$ and $\sigma$ by appropriate powers such that $\operatorname{ord}(y)$ is a power of $r$ while $\operatorname{ord}(\sigma) = r$. By this construction, conjugation by $y$ is now a $C$-automorphism $\sigma$ of $D$ of order $r$. Put $z := y^r$; thus $d = d^{\sigma^r} = z^{-1} d z$ for every $d \in D$. Note that we can assume $z \ne 1$, as otherwise $(y - 1)$ is a zero divisor of $A$ by Lemma 6.2. Thus an appropriate power of $z$, say $\zeta_r$, has order $r$.
Consider the subalgebra $D[z]$; it is commutative by the action of $z$ on $D$ seen above, and it can also be assumed to be semisimple, as otherwise we can find many zero divisors by just computing its radical. So $D[z]$ is a commutative semisimple algebra. By the maximality of $D$ we deduce that $D[z] = D$, hence $z \in D$ and $\zeta_r \in D$. So by Lemma 4.5 we can efficiently find either a zero divisor in $D$ or an $x \in D^*$ such that $x^\sigma = \zeta_r x$. We assume the latter case and replace $x$ by an appropriate power so that $\operatorname{ord}(x)$ is an $r$-power. Let $w := x^r$; as $\sigma$ fixes $w$, it has to be in $C$. Let $A' := C[x, y]$, $D_x := C[x] \le A'$, $D_y := C[y] \le A'$ and $C' := C[w, z] \le A'$. Note that from the definitions of $w, z$ it is easy to deduce that $C'$ is in the center of $A'$ and $x, y \notin C'$. Furthermore, by $xy = \zeta_r yx$ it follows that the set $\{x^i y^j \mid 1 \le i, j \le (r-1)\}$ is a system of generators for $A'$ as a $C'$-module. The relation $xy = \zeta_r yx$ also implies that conjugation by $y$ acts on $D_x$ as an automorphism of order $r$ and that conjugation by $x$ acts on $D_y$ as an automorphism of order $r$. We can assume that both these $C'$-automorphisms are semiregular, as otherwise we can find a zero divisor by Proposition 3.2. Thus both $D_x$ and $D_y$ are free modules over $C$ of rank $r$; furthermore, assume $A'$ to be a free $C$-module (also a free $C'$-module), or else we find a zero divisor in $C$ (or $C'$) by Lemma 2.2. We can assume that $w, z$ generate a cyclic subgroup of $C'$, otherwise by Lemma 2.1 we can find a zero divisor in $C'$. If the order of $z$ is larger than the order of $w$ then there is a $u \in C'$ with $u^r = w$. Put $x' := u^{-1} x$; then $x'^r = 1$ and $x' y = \zeta_r y x'$, thus conjugation by $x'$ gives an automorphism of $D_y$, whence $(x' - 1)$ is a zero divisor by Lemma 6.2. Similarly, we find a zero divisor if the order of $w$ is larger than the order of $z$.
Thus we can assume that $w$ and $z$ have equal orders, say $r^t$. By looking at the elements $w^{r^{t-1}}$ and $z^{r^{t-1}}$, both of which have order $r$ and generate a cyclic group, we can find a unique $0 < j < r$ such that $\operatorname{ord}(w^j z) < r^t$. We now follow the method of the proof of Theorem 5.1 of [W05] to find a zero divisor in $A'$. Define $y' := x^j y$; using $y x y^{-1} = \zeta_r^{-1} x$ repeatedly we get
$$y'^r = (x^j y)^{r-2}(x^j y)(x^j y) = (x^j y)^{r-3}(x^j y)(\zeta_r^{-j} x^{2j} y^2) = \cdots = \zeta_r^{-j r (r-1)/2} x^{rj} y^r = \zeta_r^{-j r (r-1)/2} w^j z .$$
Thus if $r$ is odd then $y'^r = w^j z$, and replacing $y$ with $y'$ leads to the case discussed above where the order of the new $z$ (i.e. $w^j z$) is less than that of $w$ (remember that $x y' = \zeta_r y' x$ still holds), and we already get a zero divisor. If $r = 2$ then $y'^2 = -wz$ ($j = 1$), and the argument of the odd $r$ case can be repeated except when $\operatorname{ord}(-wz)$ does not fall, i.e. the orders are such that $\operatorname{ord}(wz) < \operatorname{ord}(w) = \operatorname{ord}(z) = \operatorname{ord}(-wz)$. This case is only possible (recall $z \ne 1$) when $w = z = -1$, so $x^2 = y^2 = -1$ and $y^{-1} x y = -x$. Notice that in this case $A'$ is like a ring of quaternions, and we handle this case next in a standard way. To treat this case, by Theorem 6.1 of [W05] one can efficiently find $\alpha, \beta \in k$ such that $\alpha^2 + \beta^2 = -1$. Put $u := (\alpha y + \beta) \in D_y$ and $x' := u x$. If $x' \in D_y$ then $x \in u^{-1} D_y = D_y$, which is a contradiction. Thus $x' \notin D_y$, in particular $x' \ne \pm 1$. Using $xy = -yx$ we can deduce that $x'^2 = (\alpha y + \beta) x (\alpha y + \beta) x = (\alpha y + \beta)(-\alpha y + \beta) x^2 = (\alpha^2 + \beta^2)(-1) = 1$. Thus $(x' - 1)$ is a zero divisor. This finishes the proof of Application 1 in all cases.

6.3 Further Results on Finding Zero Divisors in $M_m(C)$

In this part we briefly outline an alternative to the approach of Application 1.
Formal statements and details of proofs will be the subject of a subsequent paper. Assume that $A \cong M_m(C)$ for some commutative semisimple algebra $C$ over the finite field $k$. As in the proof of Application 1, we use the method of [GI00] to find a maximal semisimple subalgebra $D$ of $A$. Note that $D$ is a free module over $C$ of rank $m$. Let $r$ be a prime divisor of $m$. Then we can use the algorithm of Theorem 5.4 to find an automorphism of a subalgebra $B$ of order $r$ in time $\operatorname{poly}(m^r, \log|A|)$. The remaining part of the proof of Application 1 can be modified so that an automorphism of prime order of a subalgebra of $D$, rather than one of the whole $D$, can be used to find a zero divisor in $A$ in polynomial time. This way we obtain a deterministic algorithm of complexity $\operatorname{poly}(m^r, \log|A|)$ for finding a zero divisor in an algebra $A$ isomorphic to $M_m(C)$, where $r$ is the smallest prime divisor of $m$. Using a generalization [CIK97] of a method of [BR90] we can use the zero divisor obtained above to compute a subalgebra of $A$ (in the broader sense, thus a subalgebra of a one-sided ideal of $A$) isomorphic to $M_{m'}(C)$, where $m'$ is a certain divisor of $m$. Iterating this method we ultimately find a zero divisor $z$ of $A$ which is equivalent to an elementary matrix (a matrix having just one nonzero entry) with respect to an isomorphism $A \cong M_m(C)$. Then the left ideal $Az$ is isomorphic to the standard module for $M_m(C)$ (the module of column vectors of length $m$ over $C$). Finding such a module is equivalent to constructing an explicit isomorphism with $M_m(C)$. The time complexity is $\operatorname{poly}(m^r, \log|A|)$, where $r$ is the largest prime divisor of $m$. In particular, if $A \cong M_{2^\ell}(C)$, our method computes such an isomorphism in deterministic polynomial time.
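The quaternion case that closes the proof of Application 1, together with the zero-divisor pair of Lemma 6.2 it relies on, checked numerically as an added example that is not part of the paper: we work in $M_2(\mathbb{F}_p)$, realise $x, y$ with $x^2 = y^2 = -1$ and $xy = -yx$ by explicit matrices of our own choosing, and replace the Theorem 6.1 of [W05] step by a brute-force search for $\alpha, \beta$ (an assumption made only for this demonstration).

```python
# Added worked example (not from the paper): the quaternion case of the proof
# of Application 1, carried out in M_2(F_p) for a small prime p.
# Assumptions (ours): the 2x2 matrix model of x^2 = y^2 = -1, xy = -yx below,
# and brute force for alpha^2 + beta^2 = -1 instead of Theorem 6.1 of [W05].

def mat_mul(a, b, p):
    """Product of two 2x2 matrices with entries reduced mod p."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % p for j in range(2)]
            for i in range(2)]

def mat_add(a, b, p):
    return [[(a[i][j] + b[i][j]) % p for j in range(2)] for i in range(2)]

def mat_scale(c, a, p):
    return [[(c * a[i][j]) % p for j in range(2)] for i in range(2)]

def identity():
    return [[1, 0], [0, 1]]

def is_zero(a):
    return all(v == 0 for row in a for v in row)

def det(a, p):
    return (a[0][0] * a[1][1] - a[0][1] * a[1][0]) % p

def sum_of_two_squares_minus_one(p):
    """alpha, beta in F_p with alpha^2 + beta^2 = -1 (brute force; the paper
    uses Theorem 6.1 of [W05] here). A solution exists for every odd prime p."""
    squares = {(a * a) % p: a for a in range(p)}
    for alpha in range(p):
        beta = squares.get((-1 - alpha * alpha) % p)
        if beta is not None:
            return alpha, beta
    raise ValueError("no solution: p must be an odd prime")

def quaternion_generators(p, alpha, beta):
    """Constructed x, y in M_2(F_p) with x^2 = y^2 = -1 and xy = -yx."""
    x = [[0, 1], [p - 1, 0]]                    # x^2 = -I for every p
    y = [[alpha, beta], [beta, (-alpha) % p]]   # y^2 = (alpha^2 + beta^2) I = -I
    return x, y

def zero_divisor_pair(y, r, p):
    """Lemma 6.2: for y of order r, (y - 1) and (1 + y + ... + y^{r-1}) form a
    pair of zero divisors. Returns that pair (as matrices)."""
    y_minus_one = mat_add(y, mat_scale(p - 1, identity(), p), p)
    acc, power = identity(), identity()
    for _ in range(r - 1):
        power = mat_mul(power, y, p)
        acc = mat_add(acc, power, p)
    return y_minus_one, acc

def quaternion_zero_divisor(p):
    """End of the proof of Application 1: u := alpha*y + beta, x' := u x
    satisfies x'^2 = 1 and x' != +-1, so (x' - 1) is a zero divisor."""
    alpha, beta = sum_of_two_squares_minus_one(p)
    x, y = quaternion_generators(p, alpha, beta)
    minus_i = mat_scale(p - 1, identity(), p)
    # sanity checks on the relations the argument relies on
    assert mat_mul(x, x, p) == minus_i and mat_mul(y, y, p) == minus_i
    assert mat_mul(x, y, p) == mat_scale(p - 1, mat_mul(y, x, p), p)
    u = mat_add(mat_scale(alpha, y, p), mat_scale(beta, identity(), p), p)
    x_prime = mat_mul(u, x, p)
    assert mat_mul(x_prime, x_prime, p) == identity()   # x'^2 = 1
    assert x_prime not in (identity(), minus_i)          # x' != +-1
    left, right = zero_divisor_pair(x_prime, 2, p)       # (x' - 1), (x' + 1)
    return {"x_prime": x_prime, "left": left, "right": right}

if __name__ == "__main__":
    for p in (3, 7, 11):
        res = quaternion_zero_divisor(p)
        prod = mat_mul(res["left"], res["right"], p)
        print(p, "x' =", res["x_prime"], "det(x'-1) =", det(res["left"], p),
              "(x'-1)(x'+1) = 0:", is_zero(prod))
```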
7 Special Finite Fields: Proof of Application 4

In this section we assume that $k = \mathbb{F}_p$ for a prime $p > 3$ and that the prime factors of $(p-1)$ are bounded by $S$. We also assume that all the algebras that appear in the section are completely split semisimple algebras over $k$, i.e. isomorphic to direct sums of copies of $k$. We first show an algorithm that constructs an $r$-th Kummer extension of an algebra given a prime $r \mid (p-1)$. We basically generalize Lemma 2.3 of [Ró89a] to the following form:

Lemma 7.1. Assume that $A$ is a free module over its subalgebra $B$ of rank $d$. Then in time $\operatorname{poly}(\log|A|, S)$ we can find either a zero divisor in $A$ or an element $x \in A^*$ whose order is a power of $r$, for a prime $r \mid (p-1)$, satisfying one of the following conditions:
(1) $r \ne d$, $x \notin B$ and $x^r \in B$,
(2) $r = d$, $x^r \notin B$ and $x^{r^2} \in B$.

Proof. As $B$ is a completely split semisimple algebra, say of dimension $n$ over $k$, there are orthogonal primitive idempotents $f_1, \dots, f_n$ such that $f_i B \cong k$ for all $i$. For an $i \in \{1, \dots, n\}$ we can project the hypothesis to the $f_i$ component, thus $\dim_k f_i A = d$ and there are orthogonal primitive idempotents $e_{i,1}, \dots, e_{i,d}$ of $A$ such that $f_i A = e_{i,1} A \oplus \cdots \oplus e_{i,d} A$. As $f_i$ is an identity element of $f_i A$ we further get that $f_i = (e_{i,1} + \cdots + e_{i,d})$. Now pick any $y \in A \setminus B$. Suppose (for the sake of contradiction) that for all $1 \le i \le n$ there is a single $y_i^* \in k$ satisfying $y e_{i,j} = y_i^* e_{i,j}$ for all $1 \le j \le d$. Then their sum gives us that $y = \sum_{i=1}^{n} y_i^* f_i$; as each $y_i^* f_i \in B$ we further get that $y \in B$. This contradiction shows that there is an $i \in \{1, \dots, n\}$ and distinct $j, j' \in \{1, \dots, d\}$ such that $y e_{i,j} = y_1 e_{i,j}$ and $y e_{i,j'} = y_2 e_{i,j'}$ for some $y_1 \ne y_2 \in k$.
Let us fix these $i, j, j', y_1, y_2$ for the rest of the proof; we do not compute them but use their existence for the correctness of the algorithm. We can assume $y \in A^*$, otherwise we have a zero divisor and we are done. Let $r_1, \dots, r_t$ be the prime divisors of $(p-1)$. Let us assume $p \ge (S \log p + 1)$, as otherwise we can just invoke Berlekamp's polynomial factoring algorithm to find a complete split of $A$, and we are done. As $p \ge (S \log p + 1)$, there is an integer $0 \le a < (S \log p + 1)$ such that $(y_1 + a)^{r_\ell} \ne (y_2 + a)^{r_\ell}$ for all $\ell \in \{1, \dots, t\}$ (since there can be at most $tS$ elements in $\mathbb{F}_p$ satisfying at least one of these equations). We can also assume $(y + a)$ to be invertible, as otherwise we are done. Note that $(y + a)^{r_\ell} e_{i,j} = (y_1 + a)^{r_\ell} e_{i,j}$ and $(y + a)^{r_\ell} e_{i,j'} = (y_2 + a)^{r_\ell} e_{i,j'}$, which together with $(y_1 + a)^{r_\ell} \ne (y_2 + a)^{r_\ell}$ implies that $(y + a)^{r_\ell} \notin B$. Thus $z := (y + a)$ is an element of $A^*$ for which $z^{r_\ell} \notin B$ for all $\ell \in \{1, \dots, t\}$. Note that $z^{p-1} = 1$, in particular $z^{p-1} \in B$. Thus we can find two, not necessarily distinct, prime divisors $r_1$ and $r_2$ of $(p-1)$ such that, replacing $z$ with an appropriate power of it, we have $z^{r_1}, z^{r_2} \notin B$ but $z^{r_1 r_2} \in B$. Either $r_1 = r_2 = d$ and we take $(x, r) = (z, d)$, or $r_1 \ne r_2$, in which case say wlog $r_1 \ne d$ and we take $(x, r) = (z^{r_2}, r_1)$. Finally we can raise $x$ to a suitable power (coprime to $r$) so that $x$ has order a power of $r$ together with the other properties. ✷

For an integer $m$ we denote by $\Phi_m(X)$ the $m$-th cyclotomic polynomial in $k[X]$. Let $r_1, \dots, r_t$ be the prime divisors of $(p-1)$. Then for a subset $I$ of $\{1, \dots, t\}$ we denote the product $\prod_{i \in I} r_i$ by $r_I$. We now give an algorithm that either finds a zero divisor in $A$ or a homomorphism from an $r_I$-th cyclotomic extension onto $A$.

Lemma 7.2. Let $B < A$.
Assume that we are also given a surjective homomorphism from $k[X]/(\Phi_{r_I}(X))$ onto $B$ for some subset $I$ of $\{1, \dots, t\}$. Then in time $\operatorname{poly}(\log|A|, S)$ we can compute either a zero divisor in $A$ or a subalgebra $B' > B$ of $A$ together with a surjective homomorphism from $k[X]/(\Phi_{r_{I'}}(X))$ onto $B'$ for some subset $I' \subseteq \{1, \dots, t\}$.

Proof. We may clearly assume that $A$ is a free module (of rank $d$) over $B$. Let the prime $r$ and the element $x \in A^*$ be the result of an application of the algorithm of Lemma 7.1. If $B[x]$ is a proper subalgebra of $A$ then we can solve the problem by two recursive calls: first on $(B[x], B)$ and then on $(A, B[x])$. Thus the base case of the recursion is when $A = B[x]$. We handle this case now. In this case clearly $d \le r$. Assume case (2), i.e. $d = r$. We can assume $A = B[x^r]$, as otherwise the subalgebra $B[x^r]$ is a proper subalgebra of $A$ and we can find a zero divisor because $A$ cannot be a free module over this subalgebra (as $\dim_B A = r$ is a prime). It follows that $\Phi_r(x^r) \ne 0$, because otherwise the rank of $A$ as a $B$-module would be at most $\phi(r) < r$, a contradiction. So we can assume $x^{r^2} \ne 1$, as otherwise $\Phi_r(x^r)$, a divisor of $(x^{r^2} - 1)$, is a zero divisor and we are done. Thus we can find a power $\zeta \ne 1$ of $x^{r^2}$ for which $\zeta^r = 1$. This means, in particular, that a primitive $r$-th root of unity is in $B$, and we have $A \cong B[X]/(X^r - x^{r^2})$. So we get a $B$-automorphism $\sigma$ of $A$ that sends $x^r \mapsto \zeta x^r$. The automorphism $\sigma$ is of order $r$, is semiregular and satisfies $A^\sigma = B$. We compute the element $z := \prod_{i=0}^{r-1} x^{\sigma^i}$. Then $z^\sigma = z$, therefore $z \in B$. Also, $z^r = \prod_{i=0}^{r-1} (x^r)^{\sigma^i} = \zeta^{r(r-1)/2} x^{r^2}$. If $r$ is odd then $z^r = x^{r^2}$ while $z \ne \zeta^i x^r$ for all $i$ ($z, \zeta^i \in B$ but $x^r \notin B$), thus $(z - \zeta^i x^r)$ is a zero divisor of $A$ for some $i$, and we are done.
If $r = 2$ then $z^2 = -x^4$. We use the algorithm of [Sch85] for finding a square root $w$ of $-1$ in $k$; observe that $(wz)^2 = x^4$. Again, as $wz \ne \pm x^2$ ($z, w \in B$ but $x^2 \notin B$), $(wz - x^2)$ is a zero divisor of $A$ and we are done. Assume case (1), i.e. $d < r$, with $x^r \ne 1$. We can assume $A = B[x]$ to be a free $B$-module with the free basis $\{1, x, \dots, x^{d-1}\}$, as otherwise we can find a zero divisor in $B$ by Lemma 2.2. Also we can find a power $\zeta \ne 1$ of $x^r$ for which $\zeta^r = 1$. These two facts mean that there is a well defined endomorphism $\phi$ of $A$ that maps $x$ to $\zeta x$ and fixes $B$. Compute the kernel $J \subsetneq A$ of this endomorphism. If $J$ is nonzero then the elements of $J$ are zero divisors of $A$ (as $\phi$ cannot send a unit to zero), and we are done. If $J$ is zero then $\phi$ is a $B$-automorphism of $A$, clearly of order $r$. As $\dim_B A < r$, $\phi$ cannot be semiregular, so we get a zero divisor by Proposition 3.2 and we are done. Finally assume again case (1), i.e. $d < r$, with $x^r = 1$. Let $\psi$ denote the given map from $k[X]/(\Phi_{r_I}(X))$ onto $B$. If $r \in I$ then put $y := \psi(X^{r_I/r})$. Then $y \in B^* \setminus \{1\}$, because $X^{r_I/r}$ and $(X^{r_I/r} - 1)$ are coprime to $\Phi_{r_I}(X)$ and are thus units. As $x^r = y^r$ but $x \ne x^i y$ for all $i$ ($y \in B$ while $x \notin B$), we deduce that $(x - x^i y)$ is a zero divisor for some $i$, and we are done. Assume that $r \notin I$. Let $I' := I \cup \{r\}$ and let $C = k[X]/(\Phi_{r_{I'}}(X))$. We now break $C$ using Chinese Remaindering. Let $q_1$ be a multiple of $r$ which is congruent to 1 modulo $r_I$, and let $q_2$ be a multiple of $r_I$ congruent to 1 modulo $r$. Let $X_1 := X^{q_1}$, $X_2 := X^{q_2}$, and let $C_1$ resp. $C_2$ be the subalgebras of $C$ generated by $X_1$ resp. $X_2$. Then $C_1 \cong k[X_1]/(\Phi_{r_I}(X_1))$ and $C_2 \cong k[X_2]/(\Phi_r(X_2))$. Let $\psi_1$ be the given surjective map from $C_1$ onto $B$ and let $\psi_2$ be the map from $C_2$ sending $X_2$ to $x$.
Let $\psi'$ be the map from $C \cong C_1 \oplus C_2$ into $A$ that is the linear extension of the map sending $X^i = (X_1^i, X_2^i)$ to $\psi_1(X_1^i)\,\psi_2(X_2^i)$. Clearly, $\psi'$ is a homomorphism from $C$ to $A$ and is onto (as $A = B[x]$). This finishes the proof. ✷

Using Lemma 7.2 as an induction tool, we obtain the following.

Theorem 7.3. Let $f(X)$ be a polynomial of degree $n$ which completely splits into linear factors over $\mathbb{F}_p$. Let $r_1 < \dots < r_t$ be the prime factors of $(p-1)$. Then by a deterministic algorithm of running time $\operatorname{poly}(r_t, n, \log p)$ we can either find a nontrivial factor of $f(X)$ or compute a surjective homomorphism $\psi$ from $\mathbb{F}_p[X]/(\Phi_{r_I}(X))$ to $\mathbb{F}_p[X]/(f(X))$, where $r_I = \prod_{i \in I} r_i$ for some subset $I$ of $\{1, \dots, t\}$ and $\Phi_{r_I}(X)$ is the cyclotomic polynomial of degree $\prod_{i \in I}(r_i - 1)$. ✷

Note that if $\psi$ is not an isomorphism then we can break the cyclotomic ring above and find its invariant decomposition into ideals by Lemma 2.3. As we know the automorphism group of cyclotomic extension rings over $\mathbb{F}_p$ (and of their ideals as well), this theorem immediately implies the statement of Application 4.

References

[BR90] L. Babai, L. Rónyai, Computing irreducible representations of finite groups, Proc. 30th IEEE FOCS (1989), pp. 93-98; journal version appeared in Mathematics of Computation 55, 192 (1990), 705-722.
[BGL01] E. Bach, J. von zur Gathen, H. W. Lenstra, Jr., Factoring polynomials over special finite fields, Finite Fields and Their Applications 7 (2001), 5-28.
[Be67] E. R. Berlekamp, Factoring polynomials over finite fields, Bell System Technical Journal 46 (1967), 1853-1859.
[Cam83] P. Camion, A deterministic algorithm for factorizing polynomials of $\mathbb{F}_q[x]$, Ann. Discr. Math. 17 (1983), 149-157.
[CH00] Q. Cheng, M. A. Huang, Factoring Polynomials over Finite Fields and Stable Colorings of Tournaments, Algorithmic Number Theory Symposium (ANTS) IV, LNCS 1838 (2000), 233-245.
[CIK97] A. Chistov, G. Ivanyos, M. Karpinski, Polynomial time algorithms for modules over finite dimensional algebras, Proc. ISSAC 1997, 68-74.
[CIW96] A. M. Cohen, G. Ivanyos, D. B. Wales, Finding the radical of an algebra of linear transformations, Journal of Pure and Applied Algebra 117-118 (1997), 177-193. (Proc. MEGA'96.)
[CZ81] D. G. Cantor, H. Zassenhaus, A new algorithm for factoring polynomials over finite fields, Mathematics of Computation 36(154) (1981), 587-592.
[Ev89] S. A. Evdokimov, Factorization of a solvable polynomial over finite fields and the generalized Riemann Hypothesis, Zapiski Nauchnyck Seminarov LOMI 176 (1989), 104-117.
[Ev94] S. Evdokimov, Factorization of polynomials over finite fields in subexponential time under GRH, Proc. 1st ANTS, Lecture Notes in Computer Science 877, Springer-Verlag 1994.
[FR85] K. Friedl, L. Rónyai, Polynomial time solutions of some problems of computational algebra, Proc. 17th ACM STOC (1985), pp. 153-162.
[Gao01] S. Gao, On the deterministic complexity of factoring polynomials, J. of Symbolic Computation 31(1-2) (2001), 19-36.
[G87] J. von zur Gathen, Factoring polynomials and primitive elements for special primes, Theoretical Computer Science 52 (1987), 77-89.
[GHPS06] W. A. de Graaf, M. Harrison, J. Pilnikova, J. Schicho, A Lie algebra method for rational parametrization of Severi-Brauer surfaces, J. Algebra 303 (2006), 514-529.
[GI00] W. A. de Graaf, G. Ivanyos, Finding maximal tori and splitting elements in matrix algebras, in: F. van Oystaeyen, M. Saorin (eds), Interaction between Ring Theory and Representations of Algebras, Lecture Notes in Pure and Applied Mathematics 210, Marcel Dekker 2000, 95-105.
[GS92] J. von zur Gathen, V. Shoup, Computing Frobenius maps and factoring polynomials, Comput. Complexity 2 (1992), 187-224.
[Hua85] M. A. Huang, Riemann hypothesis and finding roots over finite fields, Proc. 17th ACM STOC (1985), pp. 121-130; journal version appeared in J. Algorithms 12 (1991), 464-481.
[Hu86] D. Husemöller, Elliptic curves, Springer, 1986.
[IKS08] G. Ivanyos, M. Karpinski, N. Saxena, Schemes for Deterministic Polynomial Factoring, Preprint: CoRR abs/0804.1974 (2008).
[KS98] E. Kaltofen, V. Shoup, Subquadratic-time factoring of polynomials over finite fields, Math. Comp. 67 (1998), 1179-1197.
[KS05] N. Kayal, N. Saxena, On the Ring Isomorphism and Automorphism Problems, Proc. 20th IEEE Conference on Computational Complexity (2005), pp. 2-12; journal version appeared in Computational Complexity 15(4) (2006), 342-390.
[La80] S. Lang, Algebraic number theory, Springer-Verlag, 1980.
[L91] H. W. Lenstra, Finding isomorphisms between finite fields, Mathematics of Computation 56 (1991), 329-347.
[MS88] M. Mignotte, C.-P. Schnorr, Calcul déterministe des racines d'un polynôme dans un corps fini, Comptes Rendus Académie des Sciences (Paris) 306 (1988), 467-472.
[Moe77] R. T. Moenck, On the efficiency of algorithms for polynomial factoring, Math. Comp. 31 (1977), 235-250.
[PH78] S. Pohlig, M. Hellman, An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance, IEEE Transactions on Information Theory 24 (1978), 106-110.
[Rab80] M. O. Rabin, Probabilistic algorithms in finite fields, SIAM J. Comput. 9 (1980), 273-280.
[Ró87] L. Rónyai, Factoring Polynomials over finite fields, Proc. 28th IEEE FOCS (1987), pp. 132-137; journal version appeared in Journal of Algorithms 9 (1988), 391-400.
[Ró89a] L. Rónyai, Factoring polynomials modulo special primes, Combinatorica 9 (1989), 199-206.
[Ró90] L. Rónyai, Computing the structure of finite algebras, Journal of Symbolic Computation 9 (1990), 355-373.
[Ró89b] L. Rónyai, Galois Groups and Factoring Polynomials over Finite Fields, Proc. 30th IEEE FOCS (1989), pp. 99-104; journal version appeared in SIAM J. on Discrete Mathematics 5 (1992), 345-365.
[Sch85] R. J. Schoof, Elliptic curves over finite fields and the computation of square roots mod p, Mathematics of Computation 44 (1985), 483-494.
[W05] C. van de Woestijne, Deterministic equation solving over finite fields, Proc. ISSAC 2005, 348-353.