4.5.1 Irreducible polynomials

If f (x) ∈Z p [x] is irreducible over Z p and a is a non-zero element in Z p , then a ·f(x) is also irreducible over Z p . Hence it suffices to restrict attention to monic polynomials in Z p [x],

i.e., polynomials whose leading coefficient is 1. Observe also that if f (x) is an irreducible polynomial, then its constant term must be non-zero. In particular, if f (x) ∈Z 2 [x], then its constant term must be 1. There is a formula for computing exactly the number of monic irreducible polynomi- als in Z p [x] of a fixed degree. The M¨obius function, which is defined next, is used in this formula.

4.65 Definition Let m be a positive integer. The M¨obius function µ is defined by

if m is divisible by the square of a prime,

−1) k , if m is the product of k distinct primes.

4.66 Example (M¨obius function) The following table gives the values of the M¨obius function µ(m) for the first 10 values of m:

§ 4.5 Irreducible polynomials over Z p 155

1 2 3 4 5 6 7 8 9 10 µ(m) 1 −1 −1 0 −1 1 −1 0 0 1

4.67 Fact (number of monic irreducible polynomials) Let p be a prime and m a positive integer. (i) The number N p (m) of monic irreducible polynomials of degree m in Z p [x] is given

by the following formula:

N p (m) =

µ(d)p m/d ,

d|m

where the summation ranges over all positive divisors d of m. (ii) The probability of a random monic polynomial of degree m in Z p [x] being irreducible over Z p is roughly 1 m . More specifically, the number N p (m) satisfies

1 N p (m)

2m ≤

Testing irreducibility of polynomials in Z p [x] is significantly simpler than testing pri- mality of integers. A polynomial can be tested for irreducibility by verifying that it has no

irreducible factors of degree

2 ⌋. The following result leads to an efficient method (Al- gorithm 4.69) for accomplishing this.

≤⌊ m

4.68 Fact Let p be a prime and let k be a positive integer. (i) The product of all monic irreducible polynomials in Z p [x] of degree dividing k is

equal to x p k − x. (ii) Let f (x) be a polynomial of degree m in Z i p [x]. Then f (x) is irreducible over Z p if and only if gcd(f (x), x p

− x) = 1 for each i, 1 ≤ i ≤ ⌊ m

4.69 Algorithm Testing a polynomial for irreducibility INPUT: a prime p and a monic polynomial f (x) of degree m in Z p [x].

OUTPUT: an answer to the question: “Is f (x) irreducible over Z p ?”

1. Set u(x) ←x.

2. For i from 1 to m ⌊ 2 ⌋ do the following:

2.1 Compute u(x) ←u(x) p mod f (x) using Algorithm 2.227. (Note that u(x) is a polynomial in Z p [x] of degree less than m.)

2.2 Compute d(x) = gcd(f (x), u(x) − x) (using Algorithm 2.218).

2.3 If d(x) = 1 then return(“reducible”).

3. Return(“irreducible”). Fact 4.67 suggests that one method for finding an irreducible polynomial of degree m

in Z p [x] is to generate a random monic polynomial of degree m in Z p [x], test it for irre- ducibility, and continue until an irreducible one is found (Algorithm 4.70). The expected

number of polynomials to be tried before an irreducible one is found is approximately m.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

156 Ch. 4 Public-Key Parameters

4.70 Algorithm Generating a random monic irreducible polynomial over Z p

INPUT: a prime p and a positive integer m. OUTPUT: a monic irreducible polynomial f (x) of degree m in Z p [x].

1. Repeat the following:

1.1 (Generate a random monic polynomial of degree m in Z p [x]) Randomly select integers a 0 ,a 1 ,a 2 ,...,a m−1 between 0 and p − 1 with a 0 =

0. Let f (x) be the polynomial f (x) = x m +a m−1 x m−1 + · · ·+a 2 x 2 +a 1 x+a 0 .

1.2 Use Algorithm 4.69 to test whether f (x) is irreducible over Z p . Until f (x) is irreducible.

2. Return( f (x)). It is known that the expected degree of the irreducible factor of least degree of a random

polynomial of degree m in Z p [x] is O(lg m). Hence for each choice of f (x), the expected number of times steps 2.1 – 2.3 of Algorithm 4.69 are iterated is O(lg m). Each iteration

takes O((lg p)m 2 )Z p -operations. These observations, together with Fact 4.67(ii), deter- mine the running time for Algorithm 4.70.

4.71 Fact Algorithm 4.70 has an expected running time of O(m 3 (lg m)(lg p)) Z p -operations. Given one irreducible polynomial of degree m over Z p , Note 4.74 describes a method,

which is more efficient than Algorithm 4.70, for randomly generating additional such poly- nomials.

4.72 Definition Let F q

be a finite field of characteristic p, and let α ∈F q . A minimum polyno- mial of α over Z p is a monic polynomial of least degree in Z p [x] having α as a root.

4.73 Fact Let F q

be a finite field of order q=p m , and let α ∈F q .

(i) The minimum polynomial of α over Z p , denoted m α (x), is unique. (ii) m α (x) is irreducible over Z p . (iii) The degree of m α (x) is a divisor of m. (iv) Let t t be the smallest positive integer such that α p

= α. (Note that such a t exists

since, by Fact 2.213, α p m

4.74 Note (generating new irreducible polynomials from a given one) Suppose that f (y) is a given irreducible polynomial of degree m over Z p . The finite field F p m can then be repre- sented as F p m =Z p [y]/(f (y)). A random monic irreducible polynomial of degree m over Z p can be efficiently generated as follows. First generate a random element α ∈F p m and then, by repeated exponentiation by p, determine the smallest positive integer t for which

α p t = α. If t < m, then generate a new random element α ∈F p m and repeat; the probabil- ity that t < m is known to be at most (lg m)/q m/2 . If indeed t = m, then compute m α (x) using the formula (4.1). Then m α (x) is a random monic irreducible polynomial of degree

m in Z p [x]. This method has an expected running time of O(m 3 (lg p)) Z p -operations (com- pare with Fact 4.71).

§ 4.5 Irreducible polynomials over Z p 157