Abstract

We show that the binary expansions of algebraic numbers do not form secure pseudorandom sequences; given sufficiently many initial bits of an algebraic number, its minimal polynomial can be reconstructed, and therefore the further bits of the algebraic number can be computed. This also enables us to devise a simple algorithm to factor polynomials with rational coefficients. All algorithms work in polynomial time.

Introduction.

Manuel Blum raised the following question: Suppose we are given an approximate root of an unknown polynomial with integral coefficients and a bound on the degree and size of the coefficients of the polynomial. Is it possible to infer the polynomial? We answer his question in the affirmative. We show that if a complex number α satisfies an irreducible polynomial h(X) of degree d with integral coefficients in absolute value at most H, then given O(d² + d·log H) bits of the binary expansion of the real and complex parts of α, we can find h(X) in deterministic polynomial time (and then compute in polynomial time any further bits of α). Using the concept of secure pseudorandom sequences formulated by Shamir [23], Blum and Micali [3] and Yao [25], we then show that the binary (or m-ary for any m) expansions of algebraic numbers do not form secure sequences in a certain well-defined sense. We are able to extend our results with the same techniques to transcendental numbers of the form log(α), cos⁻¹(α), etc., where α is algebraic. The technique is based on the lattice basis reduction algorithm from [16].

Our answer to Blum's question enables us to devise a simple polynomial-time algorithm to factor polynomials with rational coefficients: We find an approximate root of the polynomial and use our algorithm to find the irreducible polynomial satisfied by the exact root, which must then be a factor of the given polynomial. This is repeated until all the factors are found. This algorithm was found independently by Schönhage [22], and was already suggested in [16]. The technique of the paper also provides a natural, efficient method to compute with algebraic numbers. This paper is the final journal version of [13], which contains essentially the entire contents of this paper.

1. A Polynomial-Time Algorithm for Blum's Question.

Throughout this paper, Z denotes the set of the integers, Q the set of the rationals, R the set of the reals, and C the set of the complex numbers. The ring of polynomials with integral

Received December 23, 1985; revised October 13, 1986 and April 6, 1987. 1980 Mathematics Subject Classification (1985 Revision). Primary 68Q15, 68Q25, 68Q40. ©1988 American Mathematical Society 0025-5718/88 $1.00 + $.25 per page
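The following is an added worked instance of the reconstruction the introduction describes; it is example code written for this page, not the paper's own program. It assumes the real case only, the algebraic number α = √2 + √3 (minimal polynomial x⁴ - 10x² + 1, so d = 4 and H = 10), that the attacker is handed the first 64 bits of α, a degree bound of 4, and a textbook LLL reduction with δ = 3/4 in exact rational arithmetic. The lattice is the one the paper's technique rests on: rows (e_i | round(2^prec · α^i)) for i = 0..d, whose shortest vector encodes an integer relation among the powers of α. Once h is known, bisection on h with exact rationals yields as many further bits as desired, which is exactly the failure as a pseudorandom sequence that the abstract states.

```python
"""Added example (not from the paper): recover the minimal polynomial of a real
algebraic number from a prefix of its binary expansion via LLL, then use that
polynomial to compute further bits.  Assumptions: alpha = sqrt(2) + sqrt(3),
64 given bits, degree bound 4, textbook LLL (delta = 3/4) in exact rationals."""
from fractions import Fraction
from math import floor, gcd, isqrt


def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors.  Gram-Schmidt data is recomputed
    after every basis change; acceptable for rank 5 lattices like this one."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):              # size reduction
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        lhs = dot(bstar[k], bstar[k])               # Lovasz condition
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:
            k += 1
        else:
            b[k - 1], b[k] = b[k], b[k - 1]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def minimal_polynomial(alpha_approx, d, prec):
    """alpha_approx: Fraction within 2**-prec of alpha.  d: degree bound.
    Lattice rows are (e_i | round(2**prec * alpha^i)); the first d+1 entries of
    the reduced basis's first vector are coefficients c_0..c_d (low degree
    first) of an integer polynomial vanishing at alpha."""
    K = 1 << prec
    basis = []
    for i in range(d + 1):
        row = [0] * (d + 1)
        row[i] = 1
        row.append(round(K * alpha_approx ** i))
        basis.append(row)
    coeffs = lll_reduce(basis)[0][: d + 1]
    while len(coeffs) > 1 and coeffs[-1] == 0:      # drop unused high degrees
        coeffs.pop()
    g = 0
    for c in coeffs:
        g = gcd(g, c)
    sign = 1 if coeffs[-1] > 0 else -1              # positive leading term
    return [sign * c // g for c in coeffs]


def eval_poly(coeffs, x):
    """Horner evaluation with exact rationals."""
    r = Fraction(0)
    for c in reversed(coeffs):
        r = r * x + c
    return r


def predict_bits(coeffs, lo, hi, nbits):
    """floor(alpha * 2**nbits) for the root alpha of coeffs isolated in (lo, hi):
    exact bisection until lo and hi agree on the first nbits fractional bits."""
    flo, fhi = eval_poly(coeffs, lo), eval_poly(coeffs, hi)
    if (flo < 0) == (fhi < 0):
        raise ValueError("interval does not isolate a root")
    scale = 1 << nbits
    while floor(lo * scale) != floor(hi * scale):
        mid = (lo + hi) / 2
        fm = eval_poly(coeffs, mid)
        if fm == 0:                                 # exact (rational) root
            lo = hi = mid
        elif (fm < 0) == (flo < 0):
            lo, flo = mid, fm
        else:
            hi = mid
    return floor(lo * scale)


def alpha_bits(n):
    """Oracle for the demo (constructed): floor(alpha * 2**n) for
    alpha = sqrt(2) + sqrt(3), exactly, using alpha^2 = 5 + 2*sqrt(6) and
    the identity floor(sqrt(x)) = isqrt(floor(x))."""
    return isqrt(5 * 4 ** n + isqrt(24 * 16 ** n))


PREC, DEG_BOUND = 64, 4                             # assumed parameters


def demo():
    """Reconstruct h from 64 bits, then predict bits 65..256 and verify them."""
    given = Fraction(alpha_bits(PREC), 1 << PREC)   # the first PREC bits only
    h = minimal_polynomial(given, DEG_BOUND, PREC)  # expect x^4 - 10x^2 + 1
    predicted = predict_bits(h, given, given + Fraction(1, 1 << PREC), 256)
    return h, predicted == alpha_bits(256)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `([1, 0, -10, 0, 1], True)`: the 64 given bits suffice to pin down h(X) = X⁴ - 10X² + 1, and the bisection then reproduces bits 65 through 256 of α exactly. The reason the lattice vector for h is found is a size gap: the relation vector has length on the order of |h'(α)| (about 62 here), while any other integer polynomial of degree at most 4 with coefficients of comparable size is bounded away from zero at α by its field norm, so its lattice vector is longer by many orders of magnitude, well beyond LLL's 2^((n-1)/2) approximation factor. The 64 bits used are comfortably above the O(d² + d·log H) the paper requires for these d and H; cutting the precision too far shrinks that gap and the reduction starts returning spurious short relations.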
