First-degree prime ideals of composite extensions

Giordano Santilli; Daniele Taufer

doi:10.1515/jmc-2024-0036

Article Open Access

First-degree prime ideals of composite extensions

Giordano Santilli and Daniele Taufer

Published/Copyright: April 14, 2025

Published by

Become an author with De Gruyter Brill

Submit Manuscript Author Information

From the journal Journal of Mathematical Cryptology Volume 19 Issue 1

Abstract

Let Q ( α ) and Q ( β ) be linearly disjoint number fields and let Q ( θ ) be their compositum. We prove that the first-degree prime ideals (FDPIs) of Z [ θ ] may almost always be constructed in terms of the FDPIs of Z [ α ] and Z [ β ] , and vice versa. We identify the cases where this correspondence does not hold, and provide explicit counterexamples for each obstruction. We show that for every pair of coprime integers d , e ∈ Z , such a correspondence almost always respects the divisibility of principal ideals of the form ( e + d θ ) Z [ θ ] , with a few exceptions that we characterize. Finally, we establish the asymptotic computational improvement of such an approach, and we verify the reduction in time needed for computing such primes for certain concrete cases.

Keywords: first-degree prime ideals; principal ideal factorization; linearly disjoint extensions

MSC 2010: 11Y05; 11Y40; 12F05

1 Introduction

Let O be the ring of integers of a number field Q ( θ ) . It is well known that the norm of its prime ideals is always a prime power p e , and this property also holds for every sub-order of O , such as Z [ θ ] . A special family of primes that deserves particular attention comprises those of degree e = 1 , namely, those of prime norm. Such first-degree prime ideals (FDPIs) have been classically studied as they constitute a set of basic components for ideals. In fact, a positive fraction of prime integers splits only by means of first-degree primes [1, Thm. 84], and any Galois field class group may be generated from products of such ideals [1, Thm. 89].

More recently, similar results have been obtained in a more applied framework: FDPIs of Z [ θ ] have been proved to constitute a basis for principal ideals generated by e + d θ in Z [ θ ] for every coprime pair e , d ∈ Z [2], and this evidence has been exploited for designing the celebrated General Number Field Sieve (GNFS) algorithm [3,4], which is nowadays the most efficient classical algorithm known for factoring large integers. Indeed, after a parameters selection phase, such an algorithm needs to compute large sets of FDPIs of Z [ θ ] , which will be employed for factoring the aforementioned principal ideals. Afterward, these factorizations will be sieved in order to detect certain relations, which should lead to the factorization of the input integer with a positive probability. Moreover, the same algorithm has been proven effective for solving the discrete logarithm problem over finite fields, both for prime [5] and power-of-prime [6,7] fields.

In this article, the theory of FDPIs of Z [ θ ] is further enhanced by establishing their relation with the corresponding prime ideals obtained from the minimal (non-trivial) sub-fields of Q ( θ ) . The novelty of this work is twofold. From a theoretical perspective, whenever Q ( θ ) is realized as the compositum of two linearly disjoint sub-fields Q ( α ) and Q ( β ) , the factorization of ( e + d θ ) is proved to be almost always readable from the divisibility of its relative norm in Z [ α ] and Z [ β ] . On a computational side, the described procedure leads to a more efficient method for producing first-degree primes of Z [ θ ] , outperforming the standard algorithm of a linear factor which depends on the smoothness of the extension degree [ Q ( θ ) : Q ] .

More precisely, employing the convenient description of such primes [2] as

( t , p ) = ker ( Z [ θ ] → F p , θ ↦ t ) ,

the combination of first-degree primes ( r , p ) ⊆ Z [ α ] and ( s , p ) ⊆ Z [ β ] is defined as ( r + s , p ) ⊆ Z [ θ ] , and such an operation is proved to describe the vast majority of first-degree primes in Z [ θ ] . Furthermore, the divisibility of principal ideals I = ( e + d θ ) Z [ θ ] is respected in all but exceptional cases, which are fully characterized in terms of the zeroes of the affine map

ϕ : F p → F p , x ↦ − x − d − 1 e .

The main novel results of this study are collected in Table 1. Its first row indicates when the combination of FDPIs in Z [ α ] and Z [ β ] dividing I α = I ∩ Z [ α ] and I β = I ∩ Z [ β ] is an FDPI of Z [ α + β ] , and when it divides I . The second row depicts the opposite scenario, namely when an FDPI of Z [ α + β ] dividing I determines FDPIs in Z [ α ] and Z [ β ] , and when they divide I α and I β .

Table 1

Overview of the main results of the study

	Existence	Divisibility
( r , p ) , ( s , p ) ⇒ ( t , p )	Always	unless g ( ϕ ( r ) ) ≡ 0 mod p f ( ϕ ( s ) ) ≡ 0 mod p ϕ ( r ) ≢ s mod p ϕ ( s ) ≢ r mod p
	(Proposition 3.3)	(Theorem 4.3)
( t , p ) ⇒ ( r , p ) , ( s , p )	when:
	t is a simple root of minpol Q ( α + β ) mod p , or	Always
	Q ( α ) and Q ( β ) are normal and of coprime degrees
	(Propositions 3.6 and 3.10)	(Theorem 4.6)

Such results lead to a bottom-up approach that may be employed to accelerate the production of these primes and to design new algorithms based on the smaller extensions, whose usage is often computationally preferable.

In practice, the employed hypotheses are not truly restrictive: every pair of reasonably uncorrelated fields happen to be linearly disjoint [8,9], thus every composite extension may be realized this way, with a suitable choice of sub-extensions. However, ad hoc examples are provided to show that every required hypothesis is essential in general.

This study is an extension of a previous work by Santilli and Taufer [10], which addresses the same problem when the field Q ( θ ) is biquadratic. However, the techniques employed and developed in the current study are more sophisticated and lead to a deeper comprehension of ideals in towers of fields. The novel results not only generalize those of Santilli and Taufer [10], but also cover a much wider range of situations and provide theoretical tools that may be exploited for computational and cryptographic purposes, such as factoring and sieving through number fields.

This study is organized as follows: in Section 2, the basic results about resultant and linearly disjoint extensions are recalled and combined to properly identify the field extensions that we address in the present work. Section 3 is devoted to defining the FDPIs combination and establishing when this construction defines a complete correspondence of the considered FDPIs. Such an association is proved to almost always respect the divisibility of prescribed principal ideals in Section 4. In Section 5, the complexity of a combination-based approach for computing FDPIs is discussed, and a computational comparison with the state-of-the-art method is presented. Finally, in Section 6, we review the work and hint at possible future research directions.

2 Preliminaries

2.1 Resultant

In this section, we recall the main properties of the polynomial resultant over a field.

Definition 2.1

(Resultant) Let k be a field and f = ∑ i = 0 n a i x i , g = ∑ i = 0 m b i x i ∈ k [ x ] be polynomials of degree n and m , i.e., a n b m ≠ 0 . The resultant R ( f , g ) of f and g is defined as the determinant of their Sylvester matrix, i.e.,

R ( f , g ) = det a n a n − 1 a n − 2 … a 0 0 0 … 0 0 a n a n − 1 … a 1 a 0 0 … 0 ⋮ ⋮ ⋮ ⋮ ⋮ ⋮ ⋮ 0 … 0 a n … a 1 a 0 b m b m − 1 b m − 2 … b 0 0 0 … 0 0 b m b m − 1 … b 1 b 0 0 … 0 ⋮ ⋮ ⋮ ⋮ ⋮ ⋮ ⋮ 0 … 0 b m … b 1 b 0 .

Hence, the resultant is the determinant of a ( n + m ) × ( n + m ) matrix, whose first m rows contain the coefficients of f padded with zeroes and shifted, respectively, on the right by 0 , 1 , … , m − 1 positions, while the remaining n rows are made of the coefficients of g padded with zeroes and shifted, respectively, on the right by 0 , 1 , … , n − 1 positions. The resultant may be directly constructed from the roots f and g .

Proposition 2.2

[11, Prop. IV.8.3] Let f , g ∈ k [ x ] as above, and let L be an extension of k where both f and g split completely, i.e.,

f = a n ( x − α 1 ) … ( x − α n ) ∈ L [ x ] , g = b m ( x − β 1 ) … ( x − β m ) ∈ L [ x ] .

Then,

R ( f , g ) = a n m b m n ∏ i = 1 n ∏ j = 1 m ( α i − β j ) .

Remark 2.3

The roots of f and g as above need not to be different. Indeed, these polynomials have a common root if and only if R ( f , g ) = 0 [11, Cor. IV.8.4].

Corollary 2.4

[11, p. 203] Let f , g ∈ k [ x ] as above, then

R ( f , g ) = a n m ∏ i = 1 n g ( α i ) , R ( f , g ) = ( − 1 ) n m b m n ∏ j = 1 m f ( β j ) .

We will apply resultants for constructing minimal polynomials of composite extensions. In this perspective, we employ it to define another polynomial in k [ x ] .

Notation 2.5

Let f , g ∈ k [ x ] as above. For every y ∈ k we denote

R f , g ( y ) = R ( f ( x ) , g ( y − x ) ) .

We can view it as a polynomial R f , g ( y ) ∈ k [ y ] , which by renaming the variable can be seen again as a polynomial R f , g ∈ k [ x ] . Finally, we will drop the indices f and g when they are clear from the context.

Proposition 2.6

Let f , g ∈ k [ x ] be monic with n = deg ( f ) , m = deg ( g ) , and let α 1 , … , α n and β 1 , … , β m be their respective (not necessarily distinct) roots in an extension L of k . Then,

R f , g = ∏ i = 1 n ∏ j = 1 m ( x − α i − β j ) .

Proof

Since g = ∏ j = 1 m ( x − β j ) ∈ L [ x ] , for every y ∈ k , we have g ( y − x ) = ∏ j = 1 m ( y − x − β j ) . From Corollary 2.4, we obtain

R f , g ( y ) = R ( f ( x ) , g ( y − x ) ) = ∏ i = 1 n g ( y − α i ) = ∏ i = 1 n ∏ j = 1 m ( y − α i − β j ) ,

which evaluated in x as in Notation 2.5 gives the desired result.□

Remark 2.7

It immediately follows from definitions that

R ( g ( y − x ) , f ( x ) ) = ( − 1 ) n m R f , g ( y ) = R g , f ( y ) .

2.2 Linear disjoint extensions

In this section, we recall the basics of linearly disjoint field extensions that will be employed in this study.

Proposition 2.8

[8, §5, Prop. 5.1] Let k be a field and Ω be an algebraic extension of k . Let A and B be k -subalgebras of Ω . The following conditions are equivalent:

The k -algebra homomorphism defined by
A ⊗ k B → Ω , a ⊗ b ↦ a b ,
is injective.
Any k -basis of A is linearly independent over B.
Any k -basis of B is linearly independent over A.
If { u i } i is a k -basis of A and { v j } j is a k -basis of B, then { u i v j } i , j are k -linearly independent.

In this work, we will always consider k = Q . Moreover, A and B will be number fields (seen as subfields of C after a fixed field embedding), and Ω will be their compositum A B , namely, the smallest number field containing both A and B .

Definition 2.9

(Linearly disjointness) Two number fields satisfying any (every) condition of Proposition 2.8 are called linearly disjoint.

The simplest way to detect linear disjointness is by looking at the composite degree. For the reader’s convenience, we recall the proof of this fact.

Lemma 2.10

Two number fields L 1 and L 2 are linearly disjoint if and only if

[ L 1 L 2 : Q ] = [ L 1 : Q ] [ L 2 : Q ] .

Proof

Let { u i } 1 ≤ i ≤ [ L 1 : Q ] be a Q -basis of L 1 and { v j } 1 ≤ j ≤ [ L 2 : Q ] be a Q -basis of L 2 . By definition of compositum, we have

L 1 L 2 = ⟨ { u i v j } i , j ⟩ Q .

The fields L 1 and L 2 are linearly disjoint if and only if { u i v j } i , j are Q -linearly independent, i.e., they generate a space of dimension [ L 1 : Q ] [ L 2 : Q ] over Q .□

From the above lemma, it is easy to see that when L 1 and L 2 are linearly disjoint, then L 1 ∩ L 2 = Q . If at least one of them is normal, the opposite implication also holds.

Proposition 2.11

[8, §5, Thm. 5.5] Let L 1 , L 2 be number fields, of which at least one is a normal extension of Q . Then, they are linearly disjoint if and only if

L 1 ∩ L 2 = Q .

If the discriminants of two number fields L 1 , L 2 are coprime, then they are known to be linearly disjoint. The opposite also holds whenever O L 1 L 2 = O L 1 O L 2 [9].

A primitive element of the compositum of linearly disjoint fields may be easily characterized.

Proposition 2.12

Let Q ( α ) , Q ( β ) be linearly disjoint number fields. Then, their compositum is Q ( α + β ) .

Proof

It follows from [12, Thm. p. 638], by noticing that the condition gcd ( deg α , deg β ) = 1 is only used in its proof to imply the field degrees multiplicativity, which in our assumptions follows by Lemma 2.10.□

Corollary 2.13

Let Q ( α ) and Q ( β ) be two linearly disjoint number fields and let f , g ∈ Q [ x ] be minimal polynomials of α and β over Q . Then, a defining polynomial for Q ( α , β ) is R f , g .

Proof

Let n = [ Q ( α ) : Q ] = deg ( f ) and m = [ Q ( β ) : Q ] = deg ( g ) , and let h ∈ Q [ x ] be the minimal polynomial of α + β over Q . Proposition 2.12 ensures that Q ( α , β ) = Q ( α + β ) and since the number fields are linearly disjoint, from Lemma 2.10, we know that m n = [ Q ( α + β ) : Q ] = deg ( h ) . From Proposition 2.6, the polynomial R f , g is monic, has degree n m , and α + β is one of its roots, then h ∣ R f , g . Since they have the same degree, we conclude that h = R f , g .□

By means of Corollary 2.13, we will always regard the compositum of two linearly disjoint number fields Q [ x ] ⁄ ( f ) and Q [ x ] ⁄ ( g ) as the field generated by their resultant, namely, Q [ x ] ⁄ ( R f , g ) .

Remark 2.14

Even if R f , g is a generator for the compositum Q ( α + β ) , we are not guaranteed that it is a convenient one. In fact, the minimal polynomials of elements { α + k β } k ∈ Z tend to have large coefficients [13, Remark to Algorithm 2.1.8].

3 FDPIs

We consider the following setting: let Q ( α ) and Q ( β ) be two linearly disjoint number fields and let f ∈ Z [ x ] (resp. g ∈ Z [ x ] ) be the minimal polynomial of α (resp. β ) over Q . We also consider the compositum Q ( α , β ) , which is equal to Q ( α + β ) by Proposition 2.12. Let L be a field extension of the field k , we will denote by N L ⁄ k ( x ) the norm of the element x ∈ L over the field k . Given an algebraic integer θ ∈ C , we recall that the norm of a non-zero ideal a ⊆ Z [ θ ] is

N ( a ) = [ Z [ θ ] : a ] .

Definition 3.1

(FDPIs) Let θ ∈ C be an algebraic integer. A non-zero prime ideal p of Z [ θ ] is called a FDPI if N ( p ) is a prime integer.

These particular ideals admit a practical representation as follows.

Theorem 3.2

[2, pp. 58–59] Let f ∈ Z [ x ] be an irreducible monic polynomial and θ ∈ C one of its roots. Then, for every integer prime p, there is a bijection between

{ ( r , p ) ∣ r ∈ F p such t h a t f ( r ) = 0 ∈ F p }

and

{ p ∣ p ∈ Spec Z [ θ ] such t h a t N ( p ) = p } .

The bijection considered in the previous theorem is given by the evaluation of θ in a root r of f mod p , namely, such ideals p arise as kernels of the evaluations

ev θ ↦ r : Z [ θ ] → F p , θ ↦ r .

Certain ideals of Z [ θ ] can be factored using only FDPIs [2], and this is one of the main facts on which the GNFS relies. For a quick recap on these results, refer [10, Section 2].

Here we are interested in studying the relation among FDPIs of the orders Z [ α ] , Z [ β ] and those of Z [ α + β ] . The following result shows that it is always possible to efficiently construct FDPIs of Z [ α + β ] starting from those of Z [ α ] and Z [ β ] .

Proposition 3.3

Let ( r , p ) be an FDPI of Z [ α ] and ( s , p ) be an FDPI of Z [ β ] , then ( r + s , p ) is an FDPI of Z [ α + β ] .

Proof

From Corollary 2.13, we know that the minimal polynomial of α + β is R f , g . Since ( r , p ) is an FDPI of Z [ α ] , then r is a root of f mod p . Analogously, s is a root of g mod p . The definition of R f , g as seen in Proposition 2.6 leads to the desired result.□

Remark 3.4

The previous result applied to biquadratic extensions is precisely [10, Theorem 2].

Proposition 3.3 motivates the following definition.

Definition 3.5

(Combination) We say that the FDPI ( r + s , p ) ⊆ Z [ α + β ] is the combination of ( r , p ) ⊆ Z [ α ] and ( s , p ) ⊆ Z [ β ] .

The following proposition shows that almost every FDPI of Z [ α + β ] arise from a combination of FDPIs of Z [ α ] and Z [ β ] .

Proposition 3.6

Let ( t , p ) be an FDPI of Z [ α + β ] , where t is a simple root of R f , g mod p . Then, ( t , p ) is a combination of FDPIs of Z [ α ] and Z [ β ] .

Proof

Let F q be an extension of F p where both f mod p and g mod p split. By Proposition 2.6, the roots of R = R f , g mod p are sums of roots in F q of f mod p and g mod p , i.e., there are γ 1 , γ 2 ∈ F q such that t = γ 1 + γ 2 and

f ( γ 1 ) = 0 = g ( γ 2 ) .

It is well known [14, Theorem 2.14] that the conjugates of γ over F p , namely, { γ p n } n ∈ N , are simple roots of the same irreducible polynomial, hence in particular we have

f ( γ 1 p ) = 0 = g ( γ 2 p ) .

Therefore, γ 1 p + γ 2 p is also a root of R . However, we have

γ 1 p + γ 2 p = ( γ 1 + γ 2 ) p = t p = t .

Thus, either t is a multiple root of R or all the conjugates of γ 1 are equal, and so are those of γ 2 . By hypothesis we are in the latter case, then γ 1 , γ 2 ∈ F p and ( t , p ) is the combination of ( γ 1 , p ) and ( γ 2 , p ) .□

Remark 3.7

The resultant polynomial R f , g is irreducible over Q by Corollary 2.13, then it has no repeated roots. Hence, its discriminant R ( R f , g , R ′ ) is a non-zero integer, which is therefore divisible only by primes from a finite set P . In particular, for every prime p ∉ P , the projected resultant R f , g mod p has only simple roots, so every prime ideal of Z [ α + β ] of norm p arises as a combination of FDPIs in Z [ α ] and Z [ β ] by Proposition 3.6. For a more precise description of this set P , we refer to [13, Lemma 2.1.13].

Remark 3.8

We note that Proposition 3.6 generalizes [10, Theorem 3]. In fact, let f ( x ) = x 2 − a , g ( x ) = x 2 − b , let p be a prime and γ 1 , γ 2 ∈ F p 2 such that f ( γ 1 ) = 0 = g ( γ 2 ) . It is clear that − γ 1 (resp. − γ 2 ) is also a root of f (resp. g ), therefore, the roots of R f , g in F p 2 are ± γ 1 ± γ 2 . An easy check shows that R f , g has a multiple root if and only if

p = 2 , or
γ 1 = 0 or γ 2 = 0 , or
t = γ 1 + γ 2 = 0 .

In the first two cases, the FDPI ( t , p ) ⊆ Z [ α + β ] arises anyway as a combination, while when t = 0 this does not necessarily hold [10, Example 3].

We now prove that when Q ( α ) and Q ( β ) are both normal and of coprime degrees, we are guaranteed that every FDPI of Z [ α + β ] arises as a combination, without exceptions. First, we prove a technical result linking a global property of polynomials with the degrees of their local factors. It is stated independently on the following results, as it has its own theoretical interest.

Proposition 3.9

Let f ∈ Z [ x ] be a monic polynomial and let L be its splitting field over Q . Let p be an integer prime and h ∈ F p [ x ] be an irreducible factor of f mod p . Then,

deg h ∣ [ L : Q ] .

Proof

Let O L be the ring of integers of L over Q and let p ⊆ O L be a prime lying over p . Since L ⁄ Q is Galois, the ramification index e and the inertia degree f are independent of p [13, Prop. 10.1.3]. Thus, if g is the number of primes lying over p , we have

[ L : Q ] = e f g ,

and in particular f ∣ [ L : Q ] . Since f is monic with integer coefficients, its roots are in O L , so it splits in O L ⁄ p . Thus, this extension of F p contains the splitting field of f over F p . Since h is irreducible, O L ⁄ p also contains the field F p [ x ] ⁄ ( h ) , which has degree deg h over F p . Therefore, we have

deg h ∣ [ O L ⁄ p : F p ] = f ,

which concludes the proof.□

We can now prove the combination result.

Proposition 3.10

Let f , g ∈ Z [ x ] be monic and irreducible polynomials of coprime degrees such that Q ( α ) = Q [ x ] ⁄ ( f ) and Q ( β ) = Q [ x ] ⁄ ( g ) are normal extensions of Q . If ( t , p ) is an FDPI of Z [ α + β ] , then it is a combination of FDPIs of Z [ α ] and Z [ β ] .

Proof

Since the degrees are coprime, we have Q ( α ) ∩ Q ( β ) = Q , and since Q ( α ) and Q ( β ) are normal, by Proposition 2.11 we know that they are linearly disjoint. Thus, by Corollary 2.13, their compositum Q ( α , β ) is generated by R = R f , g , and by hypothesis we have

R ( t ) ≡ 0 mod p .

Let f ¯ , g ¯ ∈ F p [ x ] be the projections of f and g modulo p , and let F q be their common splitting field. By Proposition 2.6 there are ν , μ ∈ F q such that

f ¯ ( ν ) = 0 , g ¯ ( μ ) = 0 , t = ν + μ .

Let h f and h g be minimal polynomials of ν and μ over F p , respectively. Since Q ( α ) and Q ( β ) are normal over Q , then they are the splitting fields of α and β , so Proposition 3.9 implies that

deg h f ∣ deg f , deg h g ∣ deg g .

Since deg f and deg g are coprime, also gcd ( deg h f , deg h g ) = 1 . However, since ν + μ = t ∈ F p we have F p ( ν ) = F p ( μ ) . This may only happen if

F p ( ν ) = F p ( μ ) = F p ,

which means that ν , μ ∈ F p . Hence, we conclude that ( t , p ) is the combination of ( ν , p ) and ( μ , p ) .□

The following examples show that both normality and coprimality of degrees are necessary conditions for Proposition 3.10.

Example 3.11

Let us consider the following irreducible polynomials:

f ( x ) = x 2 − 3 , g ( x ) = x 3 − 2 ,

and let Q ( α ) = Q [ x ] ⁄ ( f ) and Q ( β ) = Q [ x ] ⁄ ( g ) be the number fields they generate. We note that the degrees are coprime and Q ( α ) is Galois, while Q ( β ) is not normal. A defining polynomial of the compositum Q ( α + β ) is the resultant

R f , g = x 6 − 9 x 4 − 4 x 3 + 27 x 2 − 36 x − 23 .

The FDPIs of Z [ α ] and Z [ β ] with norm 17 correspond to the roots modulo 17 of f and g . One can directly verify that there are none of them in Z [ α ] , while ( 8 , 17 ) is an FDPI in Z [ β ] . However, ( 13 , 17 ) ⊆ Z [ α + β ] is an FDPI of norm 17, which cannot be a combination of FDPIs in the underlying extensions. In fact, one can directly check that, with the notation employed in the proof of Proposition 3.10, we obtain h g = x 2 + 8 x + 13 , whose degree does not divide deg g . This shows that the hypothesis of normality on both extensions is necessary for Proposition 3.10.

Example 3.12

Let f be as in Example 3.11 and consider g = x 4 + 1 . These polynomials are irreducible over Q and generate normal extensions Q ( a ) and Q ( β ) . The compositum Q ( α + β ) is defined by the polynomial

R f , g = x 8 − 12 x 6 + 56 x 4 − 72 x 2 + 100 .

Neither Z [ α ] nor Z [ β ] have FDPIs with norm 5, although there is an FDPI in Z [ α + β ] of norm 5, that is ( 0 , 5 ) , which again cannot arise from any combination of FDPIs in the underlying extensions. Therefore, we also need coprime degrees in Proposition 3.10.

4 Divisibility of prescribed principal ideals

Given an algebraic integer θ ∈ C , it is known that the prime factors of principal ideals of the form ( e + d θ ) Z [ θ ] with gcd ( e , d ) = 1 are all first-degree primes ( t , p ) ⊆ Z [ θ ] such that e + d t ≡ 0 mod p [2, Corollary 5.5]. In this section, we detail how this divisibility can be read from the underlying fields and vice versa. The results presented in the study by Santilli and Taufer [10, Section 4] may therefore be seen as particular instances of those discussed in the present section. To pursue this direction, we first need to characterize the intersection of this principal ideal with the underlying rings Z [ α ] and Z [ β ] .

Theorem 4.1

Let α , β ∈ C be algebraic integers defining linearly disjoint number fields Q ( α ) and Q ( β ) , and let g = ∑ i = 0 m b i x i ∈ Z [ x ] be the minimal polynomial of β over Q . Let e , d ∈ Z be coprime integers and let I be the principal ideal generated by ξ = e + d ( α + β ) in Z [ α + β ] . Then,

I ∩ Z [ α ] = ( χ ) Z [ α ]

is still principal, generated by χ = N Q ( α + β ) ⁄ Q ( α ) ( ξ ) , namely,

χ = ∑ i = 0 m ( − d ) i Ω m − i b m − i , where Ω = e + d α ∈ Z [ α ] .

Proof

We directly prove the two inclusions.

( ⊆ ) Every z ∈ I = ( ζ ) Z [ α + β ] can be written as

z = ( Ω + d β ) ( λ 0 + λ 1 β + … + λ m − 1 β m − 1 ) ,

for some λ 0 , … , λ m − 1 ∈ Z [ α ] . Since Q ( α ) and Q ( β ) are linearly disjoint, then { 1 , β , … , β m − 1 } is a basis for Q ( α + β ) over Q ( α ) by Proposition 2.8. Hence, if this z also belongs to Z [ α ] , all its non-constant coefficients as an element of Z [ α ] [ β ] need to vanish, i.e.,

(1) λ 1 Ω + d λ 0 − λ m − 1 d b 1 = 0 , λ 2 Ω + d λ 1 − λ m − 1 d b 2 = 0 , ⋮ λ m − 2 Ω + d λ m − 3 − λ m − 1 d b m − 2 = 0 , λ m − 1 Ω + d λ m − 2 − λ m − 1 d b m − 1 = 0 .

We first prove that for every 0 ≤ i ≤ m − 1 we have d i ∣ λ i . To do so, we prove by induction on 0 ≤ j ≤ i that d j ∣ λ i . The base step j = 0 is trivial. Let us assume that d j ∣ λ i for all j ≤ i ≤ m − 2 . For every 1 ≤ k ≤ i − j , the ( j + k ) th equation of system (1) gives

e λ j + k = d ( λ m − 1 b j + k − λ j + k − 1 − α λ j + k ) .

Since ( e , d ) = 1 and by induction d j ∣ λ m − 1 b j + k − λ j + k − 1 − α λ j + k , d j + 1 ∣ λ j + k for every 1 ≤ k ≤ i − j , i.e., d j + 1 ∣ λ i whenever j + 1 ≤ i . We now prove by induction on 2 ≤ k ≤ m that

(2) λ m − k = λ m − 1 d k − 1 ∑ j = 0 k − 1 d j ( − Ω ) k − 1 − j b m − j ,

which is well defined since λ m − 1 d k − 1 ∈ Z , as noted before. The base step k = 2 is given by the last equation of (1), indeed

λ m − 2 = λ m − 1 d ( d b m − 1 − Ω ) .

We now suppose that (2) holds for k ≤ m − 1 and check that this implies it for k + 1 . From the ( m − k ) th equation of system (1), we have

λ m − k Ω + d λ m − k − 1 − d λ m − 1 b m − k = 0 ,

which by inductive hypothesis becomes

λ m − k − 1 = 1 d d λ m − 1 b m − k + λ m − 1 d k − 1 ∑ j = 0 k − 1 b m − j d j ( − Ω ) k − j = λ m − 1 d k d k b m − k + ∑ j = 0 k − 1 b m − j d j ( − Ω ) k − j = λ m − 1 d k ∑ j = 0 k b m − j d j ( − Ω ) k − j .

This proves that (2) holds, and in particular

(3) λ 0 = λ m − 1 d m − 1 ∑ j = 0 m − 1 b m − j d j ( − Ω ) m − 1 − j .

When system (1) holds, we have z = λ 0 Ω − λ m − 1 d b 0 , which by means of (3) can be written as

λ 0 Ω − λ m − 1 d b 0 = λ m − 1 d m − 1 ∑ j = 0 m − 1 b m − j d j ( − Ω ) m − 1 − j Ω − λ m − 1 d b 0 = λ m − 1 d m − 1 ∑ j = 0 m − 1 b m − j d j ( − 1 ) m + 1 − j Ω m − j − d m b 0 = ( − 1 ) m + 1 λ m − 1 d m − 1 ∑ j = 0 m − 1 b m − j ( − d ) j Ω m − j + ( − d ) m b 0 = ( − 1 ) m + 1 λ m − 1 d m − 1 χ .

Since λ m − 1 d m − 1 ∈ Z [ α ] , z ∈ ( χ ) Z [ α ] .

( ⊇ ) By definition χ ∈ Z [ α ] , and by a straightforward computation, we obtain

(4) χ = ∏ i = 1 m ( Ω + d β i ) = N Q ( α + β ) ⁄ Q ( α ) ( ξ ) ,

where β i ’s are the roots of g ( x ) in its splitting field. Since ξ ∈ Z [ α + β ] ⊆ O Q ( α + β ) , it satisfies a polynomial with coefficients in Z [ α ] , namely, there are h i ∈ Z [ α ] such that

h ( ξ ) = h t ξ t + h t − 1 ξ t − 1 + … + h 0 = 0 .

Then,

χ = N Q ( α + β ) ⁄ Q ( α ) ( ξ ) = ( − 1 ) t h 0 = ( − 1 ) t + 1 ξ ( h t ξ t − 1 + h t − 1 ξ t − 2 + … + h 1 ) ,

so it belongs to ( ξ ) Z [ α + β ] .□

Remark 4.2

It is easy to verify that the biquadratic case discussed in the study by Santilli and Taufer [10, Proposition 4] is simply an instance of Theorem 4.1, when β 2 ∈ Z and g = x 2 − β 2 .

We now fix some notation: let α , β ∈ C be algebraic integers such that Q ( α ) and Q ( β ) are linearly disjoint, let e , d ∈ Z be coprime integers and let us consider the principal ideal I = ( e + d ( α + β ) ) ⊆ Z [ α + β ] . Let also f = ∑ i = 0 n a i x i ∈ Z [ x ] be the minimal polynomial of α and g = ∑ i = 0 m b i x i ∈ Z [ x ] be the minimal polynomial of β . By Theorem 4.1, we know that

I α = I ∩ Z [ α ] = ( χ α ) Z [ α ] , where χ α = ∑ i = 0 m ( − d ) i ( e + d α ) m − i b m − i

and

I β = I ∩ Z [ β ] = ( χ β ) Z [ β ] , where χ β = ∑ i = 0 n ( − d ) i ( e + d β ) n − i a n − i .

Finally, whenever p is a prime not dividing d , we may define the affine map

ϕ : F p → F p , x ↦ − x − d − 1 e .

Theorem 4.3

In the above notation, let ( r , p ) be a first-degree prime of Z [ α ] dividing I α and ( s , p ) be a first-degree prime of Z [ α ] dividing I β . Then, ( r + s , p ) is a first-degree prime of Z [ α + β ] dividing I, unless ϕ ( r ) is a root of g mod p different from s and, at the same time, ϕ ( s ) is a root of f mod p different from r .

Proof

Since ( r , p ) ∣ I α , I α ⊆ ker ( ev α ↦ r ) , so we have

∑ i = 0 m ( − d ) i ( e + d r ) m − i b m − i ≡ 0 mod p .

If d ≡ 0 mod p , the above equation leads to e m ≡ 0 mod p , contradicting the coprimality of e and d . Hence, we may assume d ≢ 0 mod p and write

∑ i = 0 m ( − d ) i ( e + d r ) m − i b m − i = ( − d ) m g e + d r − d = ( − d ) m g ( ϕ ( r ) ) .

Since p ∤ d , ϕ ( r ) is a root of g mod p . The same argument also shows that ϕ ( s ) needs to be a root of f mod p . By hypothesis we may assume that either ϕ ( r ) = s or ϕ ( s ) = r , both of which imply

r + s + d − 1 e ≡ 0 mod p .

Since I is generated by e + d ( α + β ) , the above congruence shows that the combination ( r + s , p ) , which is an FDPI of Z [ α + β ] by Proposition 3.3, divides I .□

The condition ϕ ( r ) ≠ s being a root of g mod p and ϕ ( s ) ≠ r being a root of f mod p of Theorem 4.3 will be referred to as the exceptional case. It appears to be extremely rare, especially when the considered extensions are small (e.g., Proposition 4.9). However, it can occasionally occur and may not be evident a priori, as shown in the following example.

Example 4.4

Let us consider the polynomials

f = x 3 + x 2 + x + 19 , g = x 4 − 6 x 2 − 7 x + 5 ,

generating the number fields Q ( α ) and Q ( β ) , whose composite Q ( θ ) is generated by

h = x 12 + 4 x 11 − 8 x 10 + 11 x 9 + 193 x 8 + 824 x 7 + 5663 x 6 + 8910 x 5 + 32405 x 4 + 120009 x 3 + 185557 x 2 + 255445 x + 24299 .

Let us consider the principal ideal

I = ( 1 + θ ) Z [ θ ] ,

whose intersections with Z [ α ] and Z [ β ] are generated by

χ α = − 4 α 2 − 23 α − 50 , χ β = β 3 + 2 β 2 + 2 β − 18 .

We observe that ( 1 , 11 ) , ( 2 , 11 ) , ( 7 , 11 ) ⊆ Z [ α ] are FDPIs, while the norm-11 first-degree primes of Z [ β ] are ( 3 , 11 ) , ( 9 , 11 ) ⊆ Z [ β ] . However, we have

ϕ ( 1 ) ≡ 9 mod 11 , ϕ ( 3 ) ≡ 7 mod 11 .

Hence, we are in the exceptional case of Theorem 4.3: the FDPI ( 4 , 11 ) ⊆ Z [ θ ] given by the combination of ( 1 , 11 ) ∈ Z [ α ] and ( 3 , 11 ) ∈ Z [ β ] does not divide I , as

1 + ( 1 + 3 ) ≡ 5 ≢ 0 mod 11 .

Remark 4.5

We highlight that Theorem 4.3, applied to biquadratic fields, improves [10, Theorem 4]. In fact, when f ( x ) = x 2 − a and g ( x ) = x 2 − b , the exceptional case occurs only if

e + d r ≡ d s mod p , e + d s ≡ d r mod p .

If p = 2 , these equations are both equivalent to e + d ( r + s ) ≡ 0 mod 2 , so ( r + s , 2 ) ∣ ( e + d ( α + β ) ) , thus the exceptional case does not prevent ideal divisibility. If p ≠ 2 , the above equations imply that e ≡ 0 mod p , which gives r ≡ s mod p since gcd ( d , e ) = 1 . However, we would still have ideal divisibility if 2 r ≡ r + s ≡ 0 mod p , hence this may fail only if

p ≠ 2 , e ≡ 0 mod p , r ≡ s ≢ 0 mod p .

The above condition is sharper than the condition established in [10, Theorem 4], and it is satisfied by [10, Example 4].

On the other hand, we show that if a combination divides I , then its constituents always divide the correspondent restrictions I α and I β .

Theorem 4.6

In the above notation, let ( t , p ) ⊆ Z [ α + β ] be an FDPI dividing I. If there exist first-degree primes ( r , p ) ⊆ Z [ α ] and ( s , p ) ⊆ Z [ β ] such that r + s ≡ t mod p , then ( r , p ) ∣ I α and ( s , p ) ∣ I β .

Proof

If ( r + s , p ) divides the ideal generated by e + d ( α + β ) , then we have

e + d ( r + s ) ≡ 0 mod p .

Since ( d , e ) = 1 , p ∤ d , so we can write r ≡ − d − 1 e − s mod p . Thus, we have

∑ i = 0 m ( − d ) i ( e + d r ) m − i b m − i ≡ b m g ( − d − 1 e − r ) ≡ b m g ( s ) ≡ 0 mod p ,

which proves that ( s , p ) ∣ ( χ β ) Z [ β ] . The proof of ( r , p ) ∣ ( χ α ) Z [ α ] is completely analogous.□

Remark 4.7

We note that [10, Theorem 5] follows by Theorem 4.6, when the considered number fields are quadratic.

The norms over Q of the considered principal ideals are equal, hence even the exponents of the first-degree divisors of the given principal ideal may be read from the underlying extensions [2].

Lemma 4.8

Let ξ , χ α , and χ β be defined as above, then their norms over Q are the same, namely,

N Q ( α + β ) ⁄ Q ( ξ ) = N Q ( α ) ⁄ Q ( χ α ) = N Q ( β ) ⁄ Q ( χ β ) .

Proof

It follows directly from (4) and the composition of norms (refer [11, Theorem VI.5.1]).□

Finally, we conclude this section by observing that for small extensions, we can prevent exceptional cases with a few assumptions. For instance, the following proposition describes a family of composite fields where the correspondence between the FDPIs is perfect, namely, exceptional cases never occur.

Proposition 4.9

Let m be an odd integer, Q ( θ ) be a Galois field of degree 2 m and let Q ( α ) and Q ( β ) be its degree-2 and degree- m subfields, respectively. Let d , e ∈ Z be coprime and I = ( e + d θ ) Z [ θ ] . Then, either I ∩ Z [ α ] = ( 0 ) or the FDPIs of Z [ θ ] dividing I are precisely the combinations of FDPIs of Z [ α ] and Z [ β ] dividing I ∩ Z [ α ] and I ∩ Z [ β ] , respectively.

Proof

We first note that Q ( α ) and Q ( β ) are normal extensions of coprime degrees, hence by Proposition 2.11 they are linearly disjoint.

On one side, by Proposition 3.10, every FDPI of Z [ θ ] arises from a combination of ( r , p ) ⊆ Z [ α ] and ( s , p ) ⊆ Z [ β ] , and by Theorem 4.6, we know that ( r , p ) ∣ I α and ( s , p ) ∣ I β .

On the other side, assume that there are FDPIs ( r , p ) ∣ I α and ( s , p ) ∣ I β . In this case p ∤ d , otherwise

0 ≡ ev α ↦ r ( χ α ) ≡ e m ,

which would contradict the coprimality of e and d . Since [ Q ( α ) : Q ] = 2 , χ α is a linear polynomial in α . Thus, either χ α = 0 , or there is at most one solution w ∈ F p to

ev α ↦ w ( χ α ) = ( − d ) m g ( ϕ ( w ) ) .

In the latter case, since ( r , p ) ∣ I α we conclude that w = r is the unique zero of ev α ↦ w ( χ α ) over F p . Since ϕ is linear and p ∤ d , this implies that s = ϕ ( r ) is the unique root of g mod p , so Theorem 4.3 applies, proving that ( r + s , p ) ∣ I .□

Proposition 4.9 notably applies for k = 3 on sextic extensions, which are widely studied for the GNFS optimization [19,20]. We observe that the normality condition is only necessary for ensuring that every first-degree prime of Z [ θ ] is obtained via ideal combination, but it may be dropped whenever finding them all is not a requirement. This is usually the case in algorithmic practice, where we are only interested in efficiently finding plenty of them. Furthermore, in Section 5.3 we will computationally observe that the quantity of FDPIs one may miss by dropping the normality assumption is negligible, especially when their norm is large.

5 Computational improvement

In Sections 3 and 4, we proved that, apart from rare exceptions, we may compute FDPIs in composite extensions by addressing the same problem inside underlying subfields and composing the resulting solutions. This approach is particularly efficient for computing large sets of FDPIs in composite extensions with smooth degrees, although consistent time improvements may also be appreciated in the well studied degree-6 extensions.

In the present section, we discuss the time reduction obtained from such an approach, and we computationally evaluate the results with Magma [15]^[1].

5.1 Asymptotic complexity

We consider a number field Q ( θ ) = Q [ x ] ⁄ ( h ) obtained from the compositum of linearly disjoint number fields Q ( α i ) = Q [ x ] ⁄ ( f i ) , and we compare the following approaches for finding FDPIs of Z [ θ ] of norm p (Table 2).

Table 2

Standard and composite approaches for finding FDPIs

Standard approach	Composite approach
Compute the roots ℛ of f mod p	Compute the roots ℛ i of f i mod p
Return { ( r j , p ) } r j ∈ ℛ	Return { ( ∑ j r j , p ) } ( r j ) j ∈ ∏ j ℛ j

The complexity of both algorithms depends on the complexity of computing the roots of a given degree- n polynomial over F p , which can be achieved via the renowned Berlekamp algorithm [16], or with more sophisticated approaches [17,18], whose asymptotic complexity depends on the relation between n and p . From a GNFS perspective, one is mostly interested in the asymptotic behavior of p , and the asymptotic complexity for the best-known algorithms when p → ∞ is

O ( n 1 + o ( 1 ) log p ) .

A random positive integer ≤ M is prime with probability 1 ⁄ log M , and when it is prime, it requires O ( n 1 + o ( 1 ) log M ) field operations to compute the first-degree primes of that norm. Thus, the computational cost of computing the FDPIs of norms ≤ M is expected to grow linearly with M .

In our setting, since the underlying extensions are linearly disjoint, if n i = deg ( f i ) , then h may be obtained as an iterated resultant and it has degree deg ( h ) = ∏ i n i . Hence, the standard approach for finding first-degree primes in Z [ θ ] of norms ≤ M should require O ( deg ( h ) 1 + o ( 1 ) M ) field operations.

On the other side, solving the same problem in the smaller subfields requires repeated roots finding of degree- n i polynomials over the same base-field F p , each of which can be accomplished in O ( n i 1 + o ( 1 ) p ) fields operations. Afterward, the solutions need to be composed, which requires at most ∏ i n i additions over F p , which does not depend on p so it is a constant factor we can neglect.

The above discussion implies that, for large values of p , the two approaches have the same asymptotic linear complexity. However, it also shows that by employing the composite approach we should expect an asymptotically linear reduction in time of about ∏ i n i ∑ i n i . In Sections 5.2 and 5.3, we will computationally verify these estimates observing that, although linear, this improvement may actually be conspicuous even in small cases.

5.2 Degree-6 extensions

Here we consider degree-6 extensions, the degree that is often employed for the polynomial-selection phase of the GNFS [19,20]. In the sieving phase of such an algorithm, a large set of FDPIs has to be computed to construct the algebraic factor base.

Every degree-2 polynomial is normal, and constructing degree-3 normal polynomials is computationally effortless, hence we have decided to deal with degree-6 Galois extensions. This way, by Proposition 3.10, we are guaranteed that both approaches produce the same outcome.

We randomly selected ten instances of such extensions and computed the average time needed for the two aforementioned approaches to produce the FDPIs of norm p ≤ M for M ≤ 1 0 9 . The results are shown in Figure 1.

Figure 1

Time needed to compute FDPIs of norm up to M for a degree-6 defining polynomial.

As discussed in Section 5.1, the computational time appears to increase linearly with M , and the composite approach proves to be faster by a factor ∼ 1.5 .

5.3 Extensions of smooth degrees

According to the complexity estimations of Section 5.1, the composite approach is expected to be notably faster whenever the degree of the composite extensions has small prime factors.

We consider different number fields of degree 315 = 3 2 × 5 × 7 , which can be obtained from their linearly disjoint number sub-fields of small degrees, as shown in Figure 2.

Figure 2

Lattice of the minimal fields in a number field of degree 315. The large extension is realized as the compositum of the small underlying fields.

A repeated application of Proposition 3.3 shows that we can compute the first-degree primes of Z [ θ ] by simply composing those of each Z [ α i ] . The time improvement with respect to the standard approach is noteworthy, as it is witnessed by Figure 3. In this case, the composite approach is ∼ 39 times faster than the standard one.

Figure 3

Time needed to compute FDPIs of norm up to M for a degree-315 defining polynomial.

In this setting, neither the degrees of the sub-fields are coprime nor the considered extensions are normal, so we should expect to miss a few first-degree primes. We have considered ten randomly generated degree-315 number fields and we have collected the number of ideals constructed with the two approaches in Table 3.

Table 3

Number of norm- p FDPIs constructed with the different approaches

	p ranging from i ⋅ 1 0 7 to ( i + 1 ) ⋅ 1 0 7
	i = 0	i = 1	i = 2	i = 3	i = 4	i = 5	i = 6	i = 7	i = 8	i = 9
Standard	94759	83520	80137	79167	76478	74732	71694	75699	73324	72671
Composite	94679	83518	80131	79166	76478	74732	71694	75698	73324	72671
Difference	80	2	6	1	0	0	0	1	0	0

The number of ideals that the composite approach misses in the considered examples is irrelevant, especially when their norm increases. This is expected by Proposition 3.6, as explained in Remark 3.7.

6 Conclusion

We have analyzed the behavior of FDPIs in composite number fields in terms of those lying in the underlying extensions, and we have established huge families of cases where such correspondence is completely achieved. Moreover, we have studied the divisibility of special-shaped principal ideals in terms of the FDPIs of the underlying fields dividing the relative norms of the considered ideal.

Our work shows that, in most cases, the information on FDPIs of composite extensions can efficiently be read from the underlying fields. Thus, when designing algorithms that deal with FDPIs, one may conceivably work inside small and easy-to-handle fields to achieve results in more complex extensions. In fact, we demonstrated that knowing the behavior of such prime ideals inside prime-degree number fields is often sufficient and worthwhile.

The largest limitation of the current approach is the shape of minimal polynomials arising from the resultant construction, which is not always ideal for computational applications. For instance, several heuristical properties are usually required in the polynomial selection of the GNFS to speed up the successive phases [21]. However, other types of ideal combinations may be investigated to extend the additive linear combination proposed in this work. Indeed, we considered linearly disjoint number fields, whose generators α , β linearly combine to produce the generator θ = α + β of the composite extension. This led to combining FDPIs by simply adding the first entries in their representations. If, instead, θ was given as a non-linear polynomial expression in the generators α , β , one could look for different types of ideal combinations, which may similarly allow us to read the properties of composite fields from those of their underlying subfields, while at the same time controlling the shape of the polynomial generating the composite extension.

Acknowledgements

The authors would like to thank professors Massimiliano Sala, Michele Elia, and Willem A. de Graaf for their useful advice and discussions, and the anonymous reviewer for the careful reading and observations. This work was presented at CIFRIS24, www.decifris.it/cifris24, the second congress of De Cifris.

Funding information: DT was supported in part by the European Union’s H2020 Program, Grant number ERC-669891, and in part by the Research Foundation – Flanders (FWO), project 12ZZC23N.
Author contributions: All authors have equally contributed and accepted responsibility for the entire content of this manuscript.
Conflict of interest: The authors declare no conflicts of interest.
Data availability statement: The computational routines used to generate and analyze the data during the current study are available in the GitHub repository, https://github.com/DTaufer/First-degree-prime-ideals.

References

[1] Hilbert D. The theory of algebraic number fields. Berlin-Heidelberg: Springer; 1998. 10.1007/978-3-662-03545-0Search in Google Scholar

[2] Buhler JP, Lenstra HW, Pomerance C. Factoring integers with the number field sieve. in: The development of the number field sieve. Berlin-Heidelberg: Springer; 1993. p. 50–94. 10.1007/BFb0091539Search in Google Scholar

[3] Bernstein DJ, Lenstra AK. A general number field sieve implementation. in: The development of the number field sieve, Berlin-Heidelberg: Springer; 1993. p. 103–26. 10.1007/BFb0091541Search in Google Scholar

[4] Lenstra AK, Lenstra HW, Manasse MS, Pollard JM. The number field sieve. in: The development of the number field sieve, Berlin-Heidelberg: Springer; 1993. p. 11–42. 10.1007/BFb0091537Search in Google Scholar

[5] Gordon DM. Discrete logarithms in GF(p) using the number field sieve. SIAM J Discrete Math. 1993;6(1):124–38. 10.1137/0406010Search in Google Scholar

[6] Barbulescu R, Gaudry P, Kleinjung T. The tower number field sieve. ASIACRYPT 2015;2015:31–55. 10.1007/978-3-662-48800-3_2Search in Google Scholar

[7] Joux A, Pierrot C. The special number field sieve in Fpn. in: Pairing-Based Cryptography - Pairing 2013; 2014. p. 45–61. 10.1007/978-3-319-04873-4_3Search in Google Scholar

[8] Cohn PM. Algebra. Vol. 3. Wiley; 1991. Search in Google Scholar

[9] Khanduja SK. The discriminant of compositum of algebraic number fields. Int J Number Theory. 2019;15(2):353–60. 10.1142/S1793042119500167Search in Google Scholar

[10] Santilli G, Taufer D. First-degree prime ideals of biquadratic fields dividing prescribed principal ideals. Mathematics. 2020;8(9):1433. 10.3390/math8091433Search in Google Scholar

[11] Lang S. Algebra. New York: Springer; 2002. 10.1007/978-1-4613-0041-0Search in Google Scholar

[12] Isaacs IM. Degrees of sums in a separable field extension. Proc Am Math Soc. 1970;25(3):638–41. 10.2307/2036661Search in Google Scholar

[13] Cohen H. Advanced topics in computational number theory. New York: Springer; 2000. 10.1007/978-1-4419-8489-0Search in Google Scholar

[14] Lidl R, Niederreiter H. Finite fields. Cambridge: Cambridge University Press; 1996. 10.1017/CBO9780511525926Search in Google Scholar

[15] Bosma W, Cannon J, Playoust C. The Magma algebra system. I. The user language. J Symbolic Comput. 1997;24:235–65. 10.1006/jsco.1996.0125Search in Google Scholar

[16] Berlekamp ER, Factoring polynomials over large finite fields. Math Comp. 1970;24:713–35. 10.1090/S0025-5718-1970-0276200-XSearch in Google Scholar

[17] Kaltofen E, Shoup V. Subquadratic-time factoring of polynomials over finite fields. Math Comp. 1998;67:1179–97. 10.1090/S0025-5718-98-00944-2Search in Google Scholar

[18] Kedlaya K, Umans C. Fast polynomial factorization and modular composition. SIAM J Comput. 2011;40(6):1767–802. 10.1137/08073408XSearch in Google Scholar

[19] Bai S, Thomé E, Zimmermann P. Factorisation of RSA-704 with CADO-NFS. 2012; hal-00760322. Search in Google Scholar

[20] Kleinjung T, Aoki K, Franke J, Lenstra AK, Thomé E, Bos JS, et al. Factorization of a 768-bit RSA modulus. In: CRYPTO 2010; 2010. p. 333–50. 10.1007/978-3-642-14623-7_18Search in Google Scholar

[21] Briggs ME. An introduction to the general number field sieve. Ph.D. Dissertation. Virginia Tech; 1998. Search in Google Scholar

Received: 2024-10-25

Revised: 2025-01-20

Accepted: 2025-01-20

Published Online: 2025-04-14

This work is licensed under the Creative Commons Attribution 4.0 International License.

Articles in the same Issue

https://doi.org/10.1515/jmc-2024-0036

Keywords for this article

first-degree prime ideals; principal ideal factorization; linearly disjoint extensions

Creative Commons

BY 4.0