perm filename V246.TEX[TEX,DEK]2 blob
sn#389947 filedate 1978-10-21 generic text, type C, neo UTF8
\input acphdr % Section 4.6
\runninglefthead{ARITHMETIC} % chapter title
\titlepage\setcount00
\null
\vfill
\tenpoint
\ctrline{SECTION 4.6 of THE ART OF COMPUTER PROGRAMMING}
\ctrline{$\copyright$ 1978 Addison--Wesley Publishing Company, Inc.}
\vfill
\runningrighthead{POLYNOMIAL ARITHMETIC}
\section{4.6}
\eject
\setcount0 387
%folio 515 galley 14 Bad spots. (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}
\sectionbegin{4.6. POLYNOMIAL ARITHMETIC}
T{\:cHE TECHNIQUES} we have been studying apply in a natural way to many different
types of mathematical quantities, not simply to numbers.
In this section we shall deal with polynomials, which are the next step up
from numbers. Formally speaking, a
{\sl polynomial over} $S$ is an expression of the form
$$u(x) = u↓nx↑n + \cdots + u↓1x + u↓0,\eqno (1)$$
where the ``coefficients'' $u↓n$, $\ldotss$, $u↓1$,
$u↓0$ are elements of some algebraic system $S$, and the ``variable''
$x$ may be regarded as a formal symbol with an indeterminate
meaning. We will assume that the algebraic system $S$ is a {\sl
commutative ring with identity\/}; this means that $S$ admits
the operations of addition, subtraction, and multiplication,
satisfying the customary properties: Addition and multiplication
are associative and commutative binary operations defined on
$S$, where multiplication distributes over addition; and subtraction
is the inverse of addition. There is an additive identity element
0 such that $a + 0 = a$, and a multiplicative identity element
1 such that $a \cdot 1 = a$, for all $a$ in $S$. The polynomial
$0x↑{n+m} + \cdots + 0x↑{n+1} + u↓nx↑n + \cdots + u↓1x + u↓0$
is regarded as the same polynomial as (1), although its expression
is formally different.
We say that (1) is a polynomial of {\sl degree} $n$ and {\sl leading
coefficient} $u↓n$ if $u↓n ≠ 0$; and in this case we write
$$\\deg(u) = n,\qquad \lscr(u) = u↓n.\eqno (2)$$
By convention, we also set
$$\\deg(0) = -∞,\qquad \lscr(0) = 0,\eqno (3)$$
where ``0'' denotes the zero polynomial whose coefficients
are all zero. We say $u(x)$ is a {\sl monic polynomial\/} if $\lscr(u)
= 1$.
Arithmetic on polynomials consists primarily of addition, subtraction,
and multiplication; in some cases, further operations such as division,
exponentiation, factoring, and taking the greatest common divisor are important.
The processes of addition, subtraction, and multiplication are defined in
a natural way, as though the variable $x$ were an element of
$S$: Addition and subtraction are done by adding or subtracting
the coefficients of like powers of $x$. Multiplication is done
by the rule
$$(u↓rx↑r + \cdots + u↓0)(v↓sx↑s +\cdots+ v↓0)
= (w↓{r+s}x↑{r+s} + \cdots + w↓0),$$
where
$$w↓k = u↓0v↓k + u↓1v↓{k-1} + \cdots + u↓{k-1}v↓1 + u↓kv↓0.\eqno(4)$$
In the latter formula $u↓i$ or $v↓j$ are treated
as zero if $i>r$ or $j > s$.
The algebraic system $S$ is usually the
set of integers, or the rational numbers; or it may itself be
a set of polynomials (in variables other than $x$); in the latter
situation (1) is a {\sl multivariate} polynomial, a polynomial
in several variables. Another important case occurs when the
algebraic system $S$ consists of the integers 0, 1, $\ldotss$,
$m - 1$, with addition, subtraction, and multiplication performed
mod $m$ (cf.\ Eq.\ 4.3.2--11); this is called {\sl polynomial
arithmetic modulo $m$.} The special case of polynomial arithmetic modulo
2, when each of the coefficients
is 0 or 1, is especially important.
The reader should note the similarity between polynomial arithmetic
and multiple-precision arithmetic (Section 4.3.1), where the
radix $b$ is substituted for\penalty999\ $x$. The chief difference is that
the coefficient $u↓k$ of $x↑k$ in polynomial arithmetic bears
little or no essential relation to its neighboring coefficients
$u↓{k\pm1}$, so the idea of ``carrying'' from one place to the
next is absent. In fact, polynomial arithmetic modulo $b$ is
essentially identical to multiple-precision arithmetic with
radix $b$, except that all carries are suppressed. For example,
compare the multiplication of $(1101)↓2$ by $(1011)↓2$ in the binary
number system with the analogous multiplication of $x↑3 + x↑2
+ 1$ by $x↑3 + x + 1$ modulo 2:
$$\def\\{\lower2.323pt\vjust to 12pt{}}\baselineskip0pt\lineskip0pt
\vjust{\halign{\hfill#⊗#\hfill\hskip100pt⊗\hfill#⊗#\hfill\cr
\\Binary syst⊗em⊗Polynomials m⊗odulo 2\cr
\noalign{\vskip2pt}
\\1101⊗⊗1101\cr
$\underline{\\\times1011}$⊗⊗$\underline{\\\times1011}$\cr
\\1101⊗⊗1101\cr
\\1101\9⊗⊗1101\9\cr
$\underline{\\1101\9\9\9}$⊗⊗$\underline{\\1101\9\9\9}$\cr
\\10001111⊗⊗1111111\cr}}$$
The product of these polynomials modulo 2 is obtained
by suppressing all carries, and it is $x↑6 + x↑5 + x↑4 + x↑3
+ x↑2 + x + 1$. If we had multiplied the same polynomials over
the integers, without taking residues modulo 2, the result would
have been $x↑6 + x↑5 + x↑4 + 3x↑3 + x↑2 + x + 1$; again carries
are suppressed, but in this case the coefficients can get arbitrarily
large.
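The comparison above can be checked mechanically. The following is an added example, not part of the original text: it implements rule (4) on coefficient lists and the carry-free product on polynomials modulo 2 packed into machine integers. The names poly_mul, clmul, pack and unpack, and the lowest-degree-first list layout, are assumptions of this example.

```python
# Added illustration (not from the original text). Polynomials are
# coefficient lists, lowest degree first: u[k] is the coefficient of x^k.

def poly_mul(u, v, modulus=None):
    """Rule (4): w_k = u_0 v_k + u_1 v_{k-1} + ... + u_k v_0.
    If modulus is given, every coefficient is reduced modulo it."""
    if not u or not v:
        return []
    w = [0] * (len(u) + len(v) - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            w[i + j] += ui * vj          # coefficients never carry into w[i+j+1]
    if modulus is not None:
        w = [c % modulus for c in w]
    return w


def pack(coeffs):
    """Pack 0/1 coefficients into an integer; bit k is the coefficient of x^k."""
    return sum((c & 1) << k for k, c in enumerate(coeffs))


def unpack(word):
    """Inverse of pack."""
    return [(word >> k) & 1 for k in range(word.bit_length())]


def clmul(a, b):
    """Multiply two packed polynomials modulo 2.
    This is the schoolbook shift-and-add binary multiplication with XOR
    in place of addition, i.e. with all carries suppressed."""
    result = 0
    shift = 0
    while b:
        if b & 1:
            result ^= a << shift         # add a partial product, no carry
        b >>= 1
        shift += 1
    return result


if __name__ == "__main__":
    u = [1, 0, 1, 1]                     # x^3 + x^2 + 1, i.e. (1101)_2
    v = [1, 1, 0, 1]                     # x^3 + x + 1,   i.e. (1011)_2
    print("binary product    :", bin(pack(u) * pack(v)))
    print("product modulo 2  :", bin(clmul(pack(u), pack(v))))
    print("over the integers :", poly_mul(u, v))
    print("reduced modulo 2  :", poly_mul(u, v, 2))
```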
In view of this strong analogy with multiple-precision arithmetic,
it is unnecessary to discuss polynomial addition, subtraction,
and multiplication much further in this section. However, we
should point out some factors that often make polynomial arithmetic
somewhat different from multiple-precision arithmetic in practice:
There is often a tendency to have a large number of zero coefficients,
and polynomials of huge degrees, so special forms of representation
are desirable; this situation is considered in Section 2.2.4.
Furthermore, arithmetic on polynomials in several variables
leads to routines that are best understood in a recursive framework;
this situation is discussed in Chapter 8.
Although the techniques
of polynomial addition, subtraction, and multiplication are
comparatively straightforward, there are several other important
aspects of polynomial arithmetic that deserve special examination.
The following subsections therefore discuss {\sl division} of
polynomials, with associated techniques such as finding greatest
common divisors and factoring. We shall also discuss the problem of efficient
{\sl evaluation} of polynomials, i.e., the task of finding the value of
$u(x)$ when $x$ is a given element of $S$, using as few operations
as possible. The special case of evaluating $x↑n$ rapidly
when $n$ is large is quite important by itself, so it is discussed in
detail in Section 4.6.3.
The first major set of computer subroutines for doing polynomial
arithmetic was the ALPAK system [W. S. Brown, J. P. Hyde, and
B. A. Tague, {\sl Bell System Tech.\ J.} {\bf 42} (1963),
2081--2119; {\bf 43} (1964), 785--804, 1547--1562]. Another
early landmark in this field was the PM system of George Collins [{\sl CACM
\bf9} (1966), 578--589]; see also C. L. Hamblin, {\sl Comp.\ J.
\bf10} (1967), 168--171.
%folio 518 galley 1 (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}
\exbegin{EXERCISES}
\exno 1. [10] If we are
doing polynomial arithmetic modulo 10, what is $7x + 2$ minus
$x↑2 + 3$? What is $6x↑2 + x + 3$ times $5x↑2 + 2?$
\exno 2. [17] True or false:\xskip (a) The product of monic polynomials
is monic.\xskip (b) The product of polynomials of respective degrees
$m$ and $n$ has degree $m + n$.\xskip (c) The sum of polynomials of respective
degrees $m$ and $n$ has degree $\max(m,n)$.
\exno 3. [M20] If each of the coefficients $u↓r$, $\ldotss$, $u↓0$,
$v↓s$, $\ldotss$, $v↓0$ in (4) is an integer satisfying the conditions
$|u↓i| ≤ m↓1$, $|v↓j| ≤ m↓2$, what is the maximum absolute value
of the product coefficients $w↓k$?
\trexno 4. [21] Can the multiplication of polynomials modulo 2
be facilitated by using the ordinary arithmetic operations on
a binary computer, if coefficients are packed into computer
words?
\trexno 5. [M21] Show how to multiply
two polynomials of degree $≤n$, modulo 2, with an execution
time proportional to $O(n↑{\lg3})$ when $n$ is large, by adapting
Karatsuba's method (cf.\ Section 4.3.3).
\runningrighthead{DIVISION OF POLYNOMIALS}
\section{4.6.1}
\sectionskip
\sectionbegin{4.6.1. Division of Polynomials}
It is possible to divide one polynomial by another
in essentially the same way that we divide one multiple-precision
integer by another, when arithmetic is being done on polynomials
over a ``field.'' A field $S$ is a commutative ring with identity,
in which exact division is possible as well as the operations
of addition, subtraction, and multiplication; this means as
usual that whenever $u$ and $v$ are elements of\penalty999\ $S$ and $v ≠
0$, there is an element $w$ in $S$ such that $u = vw$. The most
important fields of coefficients that arise in applications
are
\yskip\hang\textindent{a)}the rational numbers (represented as fractions,
see Section 4.5.1);
\hang\textindent{b)}the real or complex numbers (represented within a
computer by means of floating-point approximations; see Section
4.2);
\hang\textindent{c)}the integers modulo $p$ where $p$ is prime (with division
implemented as suggested in exercise 4.5.2--15);
\hang\textindent{d)}``rational functions'' over a field (namely, quotients
of two polynomials whose coefficients are in that field, the
denominator being monic).
\yskip\noindent Of special importance is the field
of integers modulo 2, when the two values 0 and 1 are the only
elements of the field. Polynomials over this field (namely polynomials
modulo 2) have many analogies to integers expressed in binary
notation; and rational functions over this field have striking
analogies to rational numbers whose numerator and denominator
are represented in binary notation.
Given two polynomials $u(x)$ and $v(x)$ over a
field, with $v(x) ≠ 0$, we can divide $u(x)$ by $v(x)$ to obtain
a quotient polynomial $q(x)$ and a remainder polynomial $r(x)$
satisfying the conditions
$$u(x) = q(x) \cdot v(x) + r(x),\qquad\\deg(r) <\\deg(v).\eqno(1)$$
It is easy to see that there is at most one pair of polynomials
$\biglp q(x), r(x)\bigrp$ satisfying these relations;
for if (1) holds for both $\biglp q↓1(x), r↓1(x)\bigrp$
and $\biglp q↓2(x), r↓2(x)\bigrp$ and for the same
polynomials $u(x), v(x)$, then $q↓1(x)v(x) + r↓1(x) = q↓2(x)v(x)
+ r↓2(x)$, so $\biglp q↓1(x) - q↓2(x)\bigrp v(x) = r↓2(x) -
r↓1(x)$. Now if $q↓1(x) - q↓2(x)$ is nonzero, then deg$\biglp
(q↓1 - q↓2) \cdot v\bigrp =\\deg(q↓1 - q↓2) +
\\deg(v) ≥\\deg(v) >\\deg(r↓2 - r↓1)$, a contradiction; hence
$q↓1(x) - q↓2(x) = 0$ and $r↓1(x) = r↓2(x)$.
The following algorithm, which is essentially the
same as Algorithm 4.3.1D for multiple-precision division but
without any concerns of carries, may be used to determine $q(x)$
and $r(x)$:
\algbegin Algorithm D. (Division of polynomials over
a field). Given polynomials
$$u(x) = u↓mx↑m +\cdots + u↓1x + u↓0,\qquad v(x)
= v↓nx↑n +\cdots + v↓1x + v↓0$$
over a field $S$, where $v↓n ≠ 0$ and $m ≥ n ≥
0$, this algorithm finds the polynomials
$$q(x) = q↓{m-n}x↑{m-n} +\cdots + q↓0,\qquad r(x)
= r↓{n-1}x↑{n-1} +\cdots + r↓0$$
over $S$ that satisfy (1).
\algstep D1. [Iterate on $k$.]
Do step D2 for $k = m - n$, $m - n - 1$, $\ldotss$, 0; then the
algorithm terminates with $(r↓{n-1}, \ldotss , r↓0) ← (u↓{n-1},
\ldotss , u↓0)$.
\algstep D2. [Division loop.] Set $q↓k ← u↓{n+k}/v↓n$,
and then set $u↓j ← u↓j - q↓kv↓{j-k}$ for $j = n + k - 1$, $n
+ k - 2$, $\ldotss$, $k$.\xskip (The latter operation amounts to replacing
$u(x)$ by $u(x) - q↓kx↑kv(x)$, a polynomial of degree $<n +
k$.)\quad\blackslug
\yyskip An example of Algorithm D
appears below in (5). The number of arithmetic operations is
essentially proportional to $n(m - n + 1)$. For some reason
this procedure has become known as ``synthetic division'' of
polynomials. Note that explicit division of coefficients is
done only at the beginning of step D2, and the divisor
is always $v↓n$; thus if $v(x)$ is a monic polynomial (with $v↓n
= 1$), there is no actual division at all. If multiplication
is easier to perform than division it will be preferable to
compute $1/v↓n$ at the beginning of the algorithm and to multiply
by this quantity in step D2.
We shall occasionally write $u(x)\mod v(x)$ for
the remainder $r(x)$ in (1).
\subsectionbegin{Unique factorization domains} If
we restrict consideration to polynomials over a field, we are
not coming to grips with many important cases, such as polynomials
over the integers or polynomials in several variables. Let
us therefore now consider the more general situation that the
algebraic system $S$ of coefficients is a {\sl unique factorization domain},
not necessarily a field. This means that $S$ is a commutative
ring with identity, and that
\yskip\hang\textindent{i)}$uv ≠ 0$, whenever $u$ and $v$ are nonzero elements
of $S$;
\hang\textindent{ii)}every nonzero element $u$ of $S$ is either a ``unit''
or has a ``unique'' representation of the form
$$u = p↓1 \ldotsm p↓t,\qquad t ≥ 1,\eqno (2)$$
where $p↓1$, $\ldotss$, $p↓t$ are ``primes.''
\yskip\noindent Here a ``unit'' $u$ is an element that has a reciprocal, i.e.,
an element such that $uv = 1$
for some $v$ in $S$; and a ``prime'' $p$ is a nonunit element
such that the equation $p = qr$ can be true only if either $q$
or $r$ is a unit. The representation (2) is to be unique in
the sense that if $p↓1 \ldotsm p↓t = q↓1 \ldotsm q↓s$, where all
the $p$'s and $q$'s are primes, then $s = t$ and there is a
permutation $π↓1\ldotsm π↓t$ such that $p↓1 = a↓1q↓{π↓1}$,
$\ldotss$, $p↓t = a↓tq↓{π↓t}$ for some units $a↓1$, $\ldotss
$, $a↓t$. In other words, factorization into primes is unique,
except for unit multiples and except for the order of the factors.
Any field is a unique factorization domain, in
which each nonzero element is a unit and there are no primes.
The integers form a unique factorization domain in which the
units are $+1$ and $-1$, and the primes are $\pm 2$, $\pm 3$, $\pm 5$,
$\pm 7$, $\pm11$, etc. The case that $S$ is the set of all integers is
of principal importance, because it is often preferable to work
with integer coefficients instead of arbitrary rational coefficients.
%folio 520 galley 2 (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}
\def\+#1\biglp{\mathop{\hjust{#1}}\biglp}
One of the key facts about polynomials (see exercise 10) is that
{\sl the polynomials over a unique factorization domain form
a unique factorization domain.} A\penalty999\ polynomial that is ``prime''
in this domain is usually called an {\sl irreducible polynomial.}
By using the unique factorization theorem repeatedly, we can
prove that multivariate polynomials over the integers, or over
any field, in any number of variables, can be uniquely factored
into irreducible polynomials. For example, the multivariate
polynomial $90x↑3 - 120x↑2y + 18x↑2yz - 24xy↑2z$ over the integers
is the product of five irreducible polynomials $2 \cdot 3 \cdot
x \cdot (3x - 4y) \cdot (5x + yz)$. The same polynomial, as
a polynomial over the rationals, is the product of three irreducible
polynomials $(6x) \cdot (3x - 4y) \cdot (5x + yz)$; this factorization
can also be written $x \cdot (90x - 120y) \cdot (x + {1\over
5}yz)$ and in infinitely many other ways, although the factorization
is essentially unique.
As usual, we say that $u(x)$ is a multiple of $v(x)$,
and $v(x)$ is a divisor of $u(x)$, if $u(x) = v(x)q(x)$ for
some polynomial $q(x)$. If we have an algorithm to tell whether
or not $u$ is a multiple of $v$ for arbitrary elements $u$ and
$v ≠ 0$ of a unique factorization domain $S$, and to determine
$w$ if $u = v \cdot w$, then Algorithm\penalty999\ D gives us a method to
tell whether or not $u(x)$ is a multiple of $v(x)$ for arbitrary polynomials $u(x)$
and $v(x) ≠ 0$ over $S$. For if $u(x)$ is a multiple of $v(x)$,
it is easy to see that $u↓{n+k}$ must be a multiple of $v↓n$
each time we get to step D2, hence the quotient $u(x)/v(x)$ will
be found.\xskip (Applying this observation repeatedly, we obtain an
algorithm that decides if a given polynomial over $S$, in any number of variables,
is a multiple of another given polynomial over $S$, and the algorithm will find
the quotient when it exists.)
A set of elements of a unique factorization domain is said to
be {\sl relatively prime} if no prime of that unique factorization
domain divides all of them. A polynomial over a unique factorization
domain is called {\sl primitive} if its coefficients are relatively
prime.\xskip (This concept should not be confused with the quite different
idea of ``primitive polynomials modulo $p$'' discussed in Section
3.2.2.)\xskip The following fact is of prime importance:
\algbegin Lemma G (\rm Gauss's Lemma). {\sl The product of
primitive polynomials over a unique factorization domain is
primitive.}
\proofbegin Let $u(x) = u↓mx↑m +\cdots+
u↓0$ and $v(x) = v↓nx↑n +\cdots + v↓0$ be primitive
polynomials. If $p$ is any prime of the domain, we must show
that $p$ does not divide all the coefficients of $u(x)v(x)$.
By assumption, there is an index $j$ such that $u↓j$ is not
divisible by $p$, and an index $k$ such that $v↓k$ is not divisible
by $p$. Let $j$ and $k$ be as small as possible; then the coefficient
of $x↑{j+k}$ in $u(x)v(x)$ is $u↓jv↓k + u↓{j+1}v↓{k-1} +
\cdots + u↓{j+k}v↓0 + u↓{j-1}v↓{k+1} +\cdots
+ u↓0v↓{k+j}$, and this is not a multiple of $p$ (since its
first term isn't, but all of its other terms are).\quad\blackslug
\yyskip If a nonzero polynomial $u(x)$ over $S$
is not primitive, we can write $u(x) = p↓1 \cdot u↓1(x)$, where
$p↓1$ is a prime of $S$ dividing all the coefficients of $u(x)$,
and where $u↓1(x)$ is another nonzero polynomial over $S$. All
of the coefficients of $u↓1(x)$ have one less prime factor than
the corresponding coefficients of $u(x)$. Now if $u↓1(x)$ is
not primitive, we can write $u↓1(x) = p↓2 \cdot u↓2(x)$, etc.,
and this process must ultimately terminate in a representation
$u(x) = c \cdot u↓k(x)$, where $c$ is an element of $S$ and
$u↓k(x)$ is primitive. In fact, we have the following lemma:
\thbegin Lemma H. {\sl Any nonzero polynomial $u(x)$ over
a unique factorization domain $S$ can be factored in the form
$u(x) = c \cdot v(x)$, where $c$ is in $S$ and $v(x)$ is primitive.
Furthermore, this representation is unique, in the sense that
if $u = c↓1 \cdot v↓1(x) = c↓2 \cdot v↓2(x)$, then $c↓1 = ac↓2$
and $v↓2(x) = av↓1(x)$ where $a$ is a unit of $S$.}
\proofbegin We have shown that such a representation
exists, and so only the uniqueness needs to be proved. Assume
that $c↓1 \cdot v↓1(x) = c↓2 \cdot v↓2(x)$, where $v↓1(x)$ and
$v↓2(x)$ are primitive and $c↓1$ is not a unit multiple of $c↓2$.
By unique factorization there is a prime $p$ of $S$ and an exponent
$k$ such that $p↑k$ divides one of $\{c↓1, c↓2\}$ but not the
other, say $p↑k$ divides $c↓1$ but not $c↓2$. Then $p↑k$ divides
all of the coefficients of $c↓2 \cdot v↓2(x)$, so $p$ divides
all the coefficients of $v↓2(x)$, contradicting the assumption
that $v↓2(x)$ is primitive. Hence $c↓1 = ac↓2$, where $a$ is
a unit; and $0 = ac↓2 \cdot v↓1(x) - c↓2 \cdot v↓2(x) = c↓2
\cdot \biglp av↓1(x) - v↓2(x)\bigrp$ implies that $av↓1(x)
- v↓2(x) = 0$.\quad\blackslug
\yyskip Therefore we may write any nonzero polynomial
$u(x)$ as
$$u(x) =\\cont(u) \cdot\+pp\biglp u(x)\bigrp ,\eqno (3)$$
where cont$(u)$, the ``content'' of $u$,
is an element of $S$, and pp$\biglp u(x)\bigrp $,
the ``primitive part'' of $u(x)$, is a primitive polynomial
over $S$. When $u(x) = 0$, it is convenient to define $\\cont(u)
=\+pp\biglp u(x)\bigrp= 0$. Combining Lemmas G
and H gives us the relations
$$\eqalign{\\cont(u \cdot v) ⊗= a\\cont(u)\\cont(v),\cr
\+pp\biglp u(x) \cdot v(x)\bigrp ⊗ = b\+pp\biglp
u(x)\bigrp\+pp\biglp v(x)\bigrp ,\cr}\eqno (4)$$
where $a$ and $b$ are units, depending on $u$ and $v$,
with $ab = 1$. When we are working with polynomials over the
integers, the only units are $+1$ and $-1$, and it is conventional
to define pp$\biglp u(x)\bigrp$ so that its leading
coefficient is positive; then (4) is true with $a = b = 1$.
When working with polynomials over a field we may take cont$(u)
=\lscr(u)$, so that pp$\biglp u(x)\bigrp$ is monic;
in this case again (4) holds with $a = b = 1$, for all $u(x)$
and $v(x)$.
For example, if we are dealing with polynomials
over the integers, let $u(x) = -26x↑2 + 39$ and $v(x) = 21x + 14$.
Then
$$\baselineskip15pt
\eqalign{\\cont(u)⊗=-13,\cr \\cont(v)⊗=+7,\cr \\cont(u\cdot v)⊗=-91\cr}\qquad\qquad
\eqalign{\+pp\biglp u(x)\bigrp⊗=2x↑2-3,\cr
\+pp\biglp v(x)\bigrp⊗=3x+2,\cr
\+pp\biglp u(x)\cdot v(x)\bigrp⊗=6x↑3+4x↑2-9x-6.\cr}$$
%folio 522 galley 3 (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}\def\+#1\biglp{\mathop{\hjust{#1}}\biglp}
\subsectionbegin{Greatest common divisors} When there
is unique factorization, it makes sense to speak of a ``greatest
common divisor'' of two elements; this is a common divisor that
is divisible by as many primes as possible.\xskip (Cf.\ Eq.\ 4.5.2--6.)\xskip
Since a unique factorization domain may have many units, there
is a certain amount of ambiguity in this definition of greatest
common divisor; if $w$ is a greatest common divisor of $u$ and
$v$, so is $a \cdot w$, when $a$ is a unit. Conversely, the
assumption of unique factorization implies that if $w↓1$ and
$w↓2$ are both greatest common divisors of $u$ and $v$, then
$w↓1 = a \cdot w↓2$ for some unit $a$. Therefore it does not
make sense, in general, to speak of ``the'' greatest common
divisor of $u$ and $v$; there is a set of greatest common divisors,
each one being a unit multiple of the others.
Let us now consider the problem of finding a greatest
common divisor of two given polynomials over an algebraic system
$S$. If $S$ is a field, the problem is relatively simple; our
division algorithm, Algorithm D\null, can be extended to an algorithm
that computes greatest common divisors, just as Euclid's algorithm
(Algorithm 4.5.2A) yields the greatest common divisor of two
given integers based on a division algorithm for integers: If
$v(x) = 0$, then gcd$\biglp u(x), v(x)\bigrp = u(x)$; otherwise
$\gcd\biglp u(x), v(x)\bigrp = \gcd\biglp v(x), r(x)\bigrp
$, where $r(x)$ is given by (1). This procedure is called Euclid's algorithm
for polynomials over a field; it was first used by Simon Stevin
in 1585 [{\sl Les \oe uvres math\'ematiques de Simon Stevin},
ed.\ by A. Girard, {\bf 1} (Leyden, 1634), 56].
For example, let us determine the gcd of $x↑8 +
x↑6 + 10x↑4 + 10x↑3 + 8x↑2 + 2x + 8$ and $3x↑6 + 5x↑4 + 9x↑2
+ 4x + 8$, mod 13, by using Euclid's algorithm for polynomials
over the integers modulo 13. First, writing only the coefficients
to show the steps of Algorithm D\null, we have
$$\def\\{\lower2.323pt\vjust to 12pt{}}\baselineskip0pt\lineskip0pt
\vcenter{\halign{$\hfill#$\cr
\lower2.732pt\vjust to 12pt{}9\90\97\cr
\\3\90\95\90\99\94\98\9\overline{\vcenter{\vskip-.818pt
\hjust{\raise1pt\hjust{$\bigrp$}\91\90\91\90\910\910\9\98\92\98}\vskip.182pt}}\cr
\underline{\\1\90\96\90\9\93\910\9\97\9\9\9\9}\cr
\\0\98\90\9\97\9\90\9\91\92\98\cr
\underline{\\8\90\9\99\9\90\911\92\94}\cr
\\0\911\9\90\9\93\90\94\cr}}\eqno (5)$$
and hence
$$\twoline{x↑8 + x↑6 + 10x↑4 + 10x↑3 + 8x↑2 + 2x + 8}{2pt}{=
(9x↑2 + 7)(3x↑6 + 5x↑4 + 9x↑2 + 4x + 8)\;+\;(11x↑4
+ 3x↑2 + 4).}$$
Similarly,
$$\baselineskip15pt\vjust{\tabskip 0pt plus 1000pt minus 1000pt
\halign to size{\hfill$\dispstyle{#}$\tabskip 0pt⊗$ #$\hfill
⊗$\dispstyle{\null#}$\hfill\tabskip 0 pt plus 1000pt minus 1000pt
⊗\hfill$ #$\tabskip 0pt\cr
3x↑6 + 5x↑4 + 9x↑2 + 4⊗x + 8 ⊗= (5x↑2
+ 5)(11x↑4 + 3x↑2 + 4)\; +\; (4x + 1);\cr
11x↑4 + 3x↑2 +4⊗
⊗= (6x↑3 + 5x↑2 + 6x + 5)(4x + 1)\;+\;12;\cr
4⊗x + 1 ⊗= (9x + 12) \cdot 12\;+\;0.⊗(6)\cr}}$$
(The equality sign here means congruence modulo 13,
since all arithmetic on the coefficients has been done mod 13.)\xskip
This computation shows that 12 is a greatest common divisor
of the two original polynomials. Now any nonzero element of
a field is a unit of the domain of polynomials over that field,
so any nonzero multiple of a greatest common divisor is also
a greatest common divisor (over a field). It is therefore conventional
in this case to divide the result of the algorithm by its leading
coefficient, producing a {\sl monic} polynomial that is called
{\sl the} greatest common divisor of the two given polynomials.
The gcd computed in (6) is accordingly taken to be 1, not 12.
The last step in (6) could have been omitted, for if deg$(v)
= 0$, then gcd$\biglp u(x), v(x)\bigrp = 1$, no matter what
polynomial is chosen for $u(x)$. Exercise 4 determines the average
running time for Euclid's algorithm on random polynomials modulo
$p$.
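Algorithm D and Euclid's algorithm over the integers modulo a prime $p$, as an added example that is not part of the original text; it reproduces the division (5) and the chain (6). The function names, the lowest-degree-first coefficient lists and the constants U and V are assumptions of this example, and the reciprocal of $v↓n$ is computed once, as the remarks after Algorithm D suggest.

```python
# Added illustration (not from the original text). Polynomials are
# coefficient lists, lowest degree first: u[k] is the coefficient of x^k.
# The zero polynomial is the empty list. Requires Python 3.8+ for pow(a, -1, p).

def trim(poly):
    """Drop zero coefficients of highest degree."""
    while poly and poly[-1] == 0:
        poly = poly[:-1]
    return poly


def poly_divmod(u, v, p):
    """Algorithm D over the integers modulo the prime p.
    Returns (q, r) with u = q*v + r and deg(r) < deg(v)."""
    u = trim([c % p for c in u])
    v = trim([c % p for c in v])
    if not v:
        raise ZeroDivisionError("division by the zero polynomial")
    m, n = len(u) - 1, len(v) - 1
    if m < n:                            # quotient is zero, remainder is u
        return [], u
    inv = pow(v[n], -1, p)               # 1/v_n, computed once
    q = [0] * (m - n + 1)
    for k in range(m - n, -1, -1):       # step D1
        q[k] = u[n + k] * inv % p        # step D2
        for j in range(n + k - 1, k - 1, -1):
            u[j] = (u[j] - q[k] * v[j - k]) % p
    return q, trim(u[:n])                # (r_{n-1}, ..., r_0) <- (u_{n-1}, ..., u_0)


def poly_gcd(u, v, p, monic=True):
    """Euclid's algorithm for polynomials over the integers modulo p.
    With monic=True the result is divided by its leading coefficient."""
    u = trim([c % p for c in u])
    v = trim([c % p for c in v])
    while v:
        u, v = v, poly_divmod(u, v, p)[1]
    if monic and u:
        inv = pow(u[-1], -1, p)
        u = [c * inv % p for c in u]
    return u


# The two polynomials of the worked example, modulo 13.
U = [8, 2, 8, 10, 10, 0, 1, 0, 1]        # x^8 + x^6 + 10x^4 + 10x^3 + 8x^2 + 2x + 8
V = [8, 4, 9, 0, 5, 0, 3]                # 3x^6 + 5x^4 + 9x^2 + 4x + 8

if __name__ == "__main__":
    print("first division (5):", poly_divmod(U, V, 13))
    print("last nonzero remainder in (6):", poly_gcd(U, V, 13, monic=False))
    print("monic gcd:", poly_gcd(U, V, 13))
```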
Let us now turn to the more general situation
in which our polynomials are given over a unique factorization
domain that is not a field. From Eqs.\ (4) we can deduce the
important relations
$$\baselineskip15pt\eqalign{\+cont\biglp\gcd(u,v)\bigrp ⊗= a \cdot\gcd\biglp
\\cont(u),\\cont(v)\bigrp ,\cr
\+pp\biglp\gcd(u(x), v(x))\bigrp ⊗= b \cdot\gcd\biglp
\+pp\biglp u(x)\bigrp,\+pp\biglp v(x)\bigrp\bigrp,\cr}\eqno (7)$$
where $a$ and $b$ are units. Here $\gcd\biglp u(x), v(x)\bigrp$
denotes any particular polynomial in $x$ that is a greatest
common divisor of $u(x)$ and $v(x)$. Equations (7) reduce the
problem of finding greatest common divisors of arbitrary polynomials
to the problem of finding greatest common divisors of {\sl primitive}
polynomials.
Algorithm D for division of polynomials over a
field can be generalized to a pseudo-division of polynomials
over any algebraic system that is a commutative ring with identity.
We can observe that Algorithm D requires explicit division only
by $\lscr(v)$, the leading coefficient of $v(x)$, and that step
D2 is carried out exactly $m - n + 1$ times; thus if $u(x)$
and $v(x)$ start with integer coefficients, and if we are working
over the rational numbers, then the only denominators that
appear in the coefficients of $q(x)$ and $r(x)$ are divisors
of $\lscr(v)↑{m-n+1}$. This suggests that we can always find polynomials
$q(x)$ and $r(x)$ such that
$$\lscr(v)↑{m-n+1}u(x) = q(x)v(x) + r(x),\qquad\\deg(r) < n,\eqno
(8)$$
where $m =\\deg(u)$ and $n =\\deg(v)$,
for any polynomials $u(x)$ and $v(x) ≠ 0$, provided that $m≥n$.
\algbegin Algorithm R (Pseudo-division of polynomials).
Given polynomials
$$u(x) = u↓mx↑m +\cdots + u↓1x + u↓0,\qquad v(x)
= v↓nx↑n +\cdots + v↓1x + v↓0,$$
where $v↓n ≠ 0$ and $m ≥ n ≥ 0$, this algorithm
finds polynomials $q(x) = q↓{m-n}x↑{m-n} +\cdots
+ q↓0$ and $r(x) = r↓{n-1}x↑{n-1} +\cdots + r↓0$
satisfying (8).
\algstep R1. [Iterate on $k$.] Do step
R2 for $k = m - n$, $m - n - 1$, $\ldotss$, 0; then the algorithm
terminates with $(r↓{n-1},\ldotss,r↓0)=(u↓{n-1}, \ldotss, u↓0)$.
\algstep R2. [Multiplication loop.] Set $q↓k ← u↓{n+k}v↑{k}↓{n}$,
and then set $u↓j ← v↓nu↓j - u↓{n+k}v↓{j-k}$ for $j = n + k
- 1$, $n + k - 2$, $\ldotss$, 0.\xskip (When $j < k$ this means that $u↓j
← v↓nu↓j$, since we treat $v↓{-1}$, $v↓{-2}$, $\ldots$ as zero.
These multiplications could have been avoided if we had started the algorithm
by replacing $u↓t$ by $v↑{m-n-t}↓{n}u↓t$, for $0 ≤ t < m - n$.)\quad\blackslug
%folio 524 galley 4 (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}\def\+#1\biglp{\mathop{\hjust{#1}}\biglp}
\yyskip An example calculation appears below in
(10). It is easy to prove the validity of Algorithm R by induction
on $m - n$, since each execution of step R2 essentially replaces
$u(x)$ by $\lscr(v)u(x) - \lscr(u)x↑kv(x)$, where $k =\\deg(u)
-\\deg(v)$. Note that no division whatever is used in this
algorithm; the coefficients of $q(x)$ and $r(x)$ are themselves
certain polynomial functions of the coefficients of $u(x)$ and
$v(x)$. If $v↓n = 1$, the algorithm is identical to Algorithm
D\null. If $u(x)$ and $v(x)$ are polynomials over a unique factorization
domain, we can prove as before that the polynomials $q(x)$ and
$r(x)$ are unique; therefore another way to do the pseudo-division
over a unique factorization domain is to multiply $u(x)$ by
$v↑{m-n+1}↓{n}$ and apply Algorithm\penalty999\ D\null, knowing that all the
quotients in step D2 will exist.
Algorithm R can be extended to a ``generalized
Euclidean algorithm'' for primitive polynomials over a unique
factorization domain, in the following way: Let $u(x)$ and $v(x)$
be primitive polynomials with $\\deg(u) ≥\\deg(v)$, and determine
$r(x)$ satisfying (8) by means of Algorithm R. Now $\gcd\biglp
u(x), v(x)\bigrp =\gcd\biglp v(x), r(x)\bigrp$: For any
common divisor of $u(x)$ and $v(x)$ divides $v(x)$ and $r(x)$;
conversely, any common divisor of $v(x)$ and $r(x)$ divides
$\lscr(v)↑{m-n+1}u(x)$, and it must be primitive $\biglp$since
$v(x)$ is primitive$\bigrp$ so it divides $u(x)$. If $r(x) = 0$,
we therefore have $\gcd\biglp u(x), v(x)\bigrp = v(x)$; on the other hand if $r(x)
≠ 0$, we have $\gcd\biglp v(x), r(x)\bigrp = \gcd\biglp v(x),
\+pp\biglp r(x)\bigrp\bigrp$ since $v(x)$ is primitive, so the process can
be iterated.
\algbegin Algorithm E (Generalized Euclidean algorithm).
Given nonzero polynomials $u(x)$
and $v(x)$ over a unique factorization domain $S$, this algorithm
calculates a greatest common divisor of $u(x)$ and $v(x)$. We
assume that auxiliary algorithms exist to calculate greatest
common divisors of elements of $S$, and to divide $a$ by $b$
in $S$ when $b ≠ 0$ and $a$ is a multiple of $b$.
\algstep E1. [Reduce to primitive.] Set
$d ← \gcd\biglp\\cont(u),\\cont(v)\bigrp $, using the assumed
algorithm for calculating greatest common divisors in $S$.\xskip$\biglp$Note
that cont$(u)$ is a greatest common divisor of the coefficients
of $u(x)$.$\bigrp$\xskip Replace $u(x)$ by the polynomial $u(x)/\\cont(u)
=\+pp\biglp u(x)\bigrp$; similarly, replace $v(x)$ by $\+pp\biglp
v(x)\bigrp$.
\algstep E2. [Pseudo-division.] Calculate $r(x)$ using Algorithm
R.\xskip$\biglp$It is unnecessary to calculate the quotient polynomial
$q(x)$.$\bigrp$\xskip If $r(x) = 0$, go to E4. If deg$(r) = 0$, replace
$v(x)$ by the constant polynomial ``1'' and go to E4.
\algstep E3. [Make remainder primitive.] Replace $u(x)$ by $v(x)$
and replace $v(x)$ by $\+pp\biglp r(x)\bigrp $. Go back to step
E2.\xskip (This is the ``Euclidean step,'' analogous to the other
instances of Euclid's algorithm that we have seen.)
\algstep E4. [Attach the content.] The algorithm terminates,
with $d \cdot v(x)$ as the answer.\quad\blackslug
\yyskip As an example of
Algorithm E\null, let us calculate the greatest common divisor of
$$\baselineskip15pt\eqalign{u(x) ⊗ = x↑8 + x↑6 - 3x↑4 - 3x↑3 + 8x↑2 + 2x - 5,\cr
v(x)⊗=3x↑6+5x↑4-4x↑2-9x+21,\cr}\eqno(9)$$
over the integers. These polynomials are primitive, so step E1 sets $d←1$.
In step E2 we have the pseudo-division
$$\def\\{\lower2.323pt\vjust to 12pt{}}\baselineskip0pt\lineskip0pt
\vcenter{\halign{$\hfill#$\cr
\lower2.732pt\vjust to 12pt{}1\9\90\9\9{-6}\cr
\\3\90\95\90\9{-4}\9{-9}\921\9\overline{\vcenter{\vskip-.818pt
\hjust{\raise1pt\hjust{$\bigrp$}$\91\90\9\9\9\91\90\9\9{-3}\9{-3}\9\98\9\92\9\9\9
{-5}$}\vskip.182pt}}\cr
\\3\90\9\9\9\93\90\9\9{-9}\9{-9}\924\9\96\9\9{-15}\cr
\underline{\\3\90\9\9\9\95\90\9\9{-4}\9{-9}\921\9\9\9\9\9\9\9\9\9}\cr
\\0\9\9{-2}\90\9\9{-5}\9\9\90\9\93\9\96\9\9{-15}\cr
\\0\9\9{-6}\90\9{-15}\9\9\90\9\99\918\9\9{-45}\cr
\underline{\\0\9\9\9\90\90\9\9\9\90\9\9\90\9\90\9\90\9\9\9\9\90}\cr
\\{-6}\90\9{-15}\9\9\90\9\99\918\9\9{-45}\cr
\\{-18}\90\9{-45}\9\9\90\927\954\9{-135}\cr
\underline{\\{-18}\90\9{-30}\9\9\90\924\954\9{-126}}\cr
\\{-15}\9\9\90\9\93\9\90\9\9\9{-9}\cr}}\eqno(10)$$
Here the quotient $q(x)$ is $1\cdot3↑2x↑2+0\cdot3↑1x+{-6}\cdot3↑0$; we have
$$27u(x)\;=\;v(x)(9x↑2-6)\;+\;(-15x↑4+3x↑2-9).\eqno(11)$$
Now step E3 replaces $u(x)$ by $v(x)$ and $v(x)$ by $\+pp\biglp r(x)\bigrp=5x↑4
-x↑2+3$. The subsequent calculation may be summarized as follows, writing only
the coefficients:
$$\vjust{\baselineskip14pt\halign{$\hfill#$⊗$\hskip15pt\hfill#$⊗$\hskip15pt\hfill
#$\cr
u(x)\hfill⊗v(x)\hfill⊗r(x)\hfill\cr
\noalign{\vskip2pt}
1,0,1,0,-3,-3,8,2,-5⊗3,0,5,0,-4,-9,21⊗-15,0,3,0,-9\cr
3,0,5,0,-4,-9,21⊗5,0,-1,0,3⊗-585,-1125,2205\cr
5,0,-1,0,3⊗13,25,-49⊗-233150,307500\cr
13,25,-49⊗4663,-6150⊗143193869\cr}}\eqno(12)$$
It is instructive to compare this calculation with the computation of the same
greatest common divisor over the {\sl rational\/} numbers, instead of over the
integers, by using Euclid's algorithm for polynomials over a field as described
earlier in this section. The following surprisingly complicated sequence of
results occurs:
$$\vjust{\baselineskip15pt\halign{$\hfill#$⊗\qquad$\hfill#$\cr
u(x)\hfill⊗v(x)\hfill\cr
\noalign{\vskip2pt}
1,0,1,0,-3,-3,8,2,-5⊗3,0,5,0,-4,-9,21\cr
3,0,5,0,-4,-9,21⊗-{5\over9},0,{1\over9},0,-{1\over3}\cr
-{5\over9},0,{1\over9},0,-{1\over3}⊗-{117\over25},-9,{441\over25}\cr
-{117\over25},-9,{441\over25}⊗{233150\over19773},-{102500\over6591}\cr
{233150\over19773},-{102500\over6591}⊗-{1288744821\over543589225}\cr}}\eqno(13)$$
%folio 526 galley 5 (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}\def\+#1\biglp{\mathop{\hjust{#1}}\biglp}
To improve that algorithm, we can reduce
$u(x)$ and $v(x)$ to monic polynomials at each step, since this
removes ``unit'' factors that make the coefficients more complicated
than necessary; this is actually Algorithm E over the rationals:
$$\vjust{\baselineskip15pt\halign{$\hfill#$⊗\qquad$\hfill#$\cr
u(x)\hfill⊗v(x)\hfill\cr
\noalign{\vskip2pt}
1,0,1,0,-3,-3,8,2,-5⊗3,0,5,0,-4,-9,21\cr
1,0,{5\over3},0,-{4\over3},-3,7⊗1,0,-{1\over5},0,{3\over5}\cr
1,0,-{1\over5},0,{3\over5}⊗1,{25\over13},-{49\over13}\cr
1,{25\over13},-{49\over13}⊗1,-{6150\over4663}\cr
1,-{6150\over4663}⊗1\cr}}\eqno(14)$$
In both (13) and (14) the sequence of polynomials
is essentially the same as (12), which was obtained by Algorithm
E over the integers; the only difference is that the polynomials
have been multiplied by certain rational numbers. Whether we
have $5x↑4 - x↑2 + 3$ or $-{5\over 9}x↑4 + {1\over 9}x↑2 -
{1\over 3}$ or $x↑4 - {1\over 5}x↑2 + {3\over 5}$, the computations
are essentially the same. But either algorithm using rational
arithmetic will run noticeably slower than the all-integer Algorithm
E\null, since rational arithmetic requires many more evaluations
of gcd's of integers within each step. Therefore it is definitely
preferable to use the all-integer algorithm instead of rational
arithmetic, when the gcd of polynomials with integer or rational
coefficients is desired.
It is also instructive to compare the above calculations
with (6) above, where we determined the gcd of the same polynomials
$u(x)$ and $v(x)$ modulo 13 with considerably less labor. Since
$\lscr(u)$ and $\lscr(v)$ are not multiples of 13, the fact that
$\gcd\biglp u(x), v(x)\bigrp = 1$ modulo 13 is sufficient to
prove that $u(x)$ and $v(x)$ are relatively prime over the integers
(and therefore over the rational numbers); we will return to
this time-saving observation at the close of Section 4.6.2.
\subsectionbegin{The subresultant algorithm} An ingenious
algorithm that is generally superior to Algorithm E\null, and that
gives us further information about Algorithm E's behavior, was
discovered by George E. Collins [{\sl JACM \bf 14} (1967),
128--142] and subsequently improved by W. S. Brown and J. F. Traub
[{\sl JACM \bf18} (1971), 505--514; see also W. S. Brown, {\sl ACM
Trans.\ Math.\ Software \bf4} (1978), to appear].
This algorithm avoids the calculation of primitive
part in step E3, dividing instead by an element of $S$ that
is known to be a factor of $r(x)$:
\algbegin Algorithm C (Greatest common divisor over a unique
factorization domain). This algorithm has the same input
and output assumptions as Algorithm E\null, and has the advantage
that fewer calculations of greatest common divisors of coefficients
are needed.
\algstep C1. [Reduce to primitive.] As in
step E1 of Algorithm E\null, set $d ← \gcd\biglp\\cont(u),\penalty0\\cont(v)\bigrp
$, and replace $\biglp u(x), v(x)\bigrp$ by $\biglp\+pp\biglp u(x)\bigrp,
\+pp\biglp v(x)\bigrp\bigrp$. Also set $g←h ← 1$.
\algstep C2. [Pseudo-division.] Set $\delta ← \\deg(u)-\\deg(v)$.
Calculate $r(x)$ using Algorithm\penalty999\ R\null. If $r(x) = 0$, go to C4.
If deg$(r) = 0$, replace $v(x)$ by the constant polynomial ``1''
and go to C4.
\algstep C3. [Adjust remainder.] Replace the polynomial $u(x)$
by $v(x)$, and replace $v(x)$ by $r(x)/gh↑\delta$.\xskip$\biglp$At this point all
coefficients of $r(x)$ are multiples of $gh↑\delta$.$\bigrp$\xskip Then set $g ←
\lscr(u)$, $h←h↑{1-\delta}g↑\delta$ and return to C2.\xskip$\biglp$The new value
of $h$ will be in the domain $S$, even if $\delta>1$.$\bigrp$
\algstep C4. [Attach the content.] The algorithm terminates,
with $d \cdot\+pp\biglp v(x)\bigrp$ as the answer.\quad\blackslug
\yyskip If we apply this algorithm
to the polynomials (9) considered earlier, the following sequence
of results is obtained at the beginning of step C2:
$$\vjust{\baselineskip15pt\halign{$\hfill#$⊗\qquad$\hfill#$⊗\qquad$\hfill#$⊗\qquad
$\hfill#$\cr
u(x)\hfill⊗v(x)\hfill⊗g⊗h\cr
\noalign{\vskip2pt}
1,0,1,0,-3,-3,8,2,-5⊗3,0,5,0,-4,-9,21⊗1⊗1\cr
3,0,5,0,-4,-9,21⊗-15,0,3,0,-9⊗3⊗9\cr
-15,0,3,0,-9⊗65,125,-245⊗-15⊗25\cr
65,125,-245⊗-9326,12300⊗65⊗169\cr}}\eqno(15)$$
At the conclusion of the algorithm, $r(x)/gh↑\delta = 260708$.
The sequence of polynomials consists of integral
multiples of the polynomials in the sequence produced by Algorithm
E\null. In spite of the fact that
the polynomials are not reduced to primitive form, the coefficients
are kept to a reasonable size because of the reduction factor
in step C3.
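The following Python sketch of Algorithms E and C over the integers is an added example, not part of the original text; it reproduces the rows of tables (12) and (15) for the polynomials (9). The function names and the sign convention for the primitive part (leading coefficient made positive, as the rows of (12) suggest) are assumptions of this example.

```python
from functools import reduce
from math import gcd

# Polynomials are lists of Python ints, highest-degree coefficient first,
# the same order the tables on this page use.  [] is the zero polynomial.
U9 = [1, 0, 1, 0, -3, -3, 8, 2, -5]   # u(x) of (9)
V9 = [3, 0, 5, 0, -4, -9, 21]         # v(x) of (9)

def deg(p):
    return len(p) - 1

def strip(p):
    """Drop leading zero coefficients."""
    i = 0
    while i < len(p) and p[i] == 0:
        i += 1
    return p[i:]

def pseudo_rem(u, v):
    """Algorithm R, remainder only: lc(v)^(deg u - deg v + 1) * u = q*v + r."""
    r = list(u)
    for _ in range(deg(u) - deg(v) + 1):
        lead = r[0]
        r = [v[0] * c for c in r]      # multiply every coefficient by lc(v)
        for i, c in enumerate(v):      # then cancel the leading term
            r[i] -= lead * c
        r = r[1:]
    return strip(r)

def cont(p):
    return reduce(gcd, p, 0)

def pp(p):
    """Primitive part, normalized to a positive leading coefficient
    (assumed convention; it matches the rows of table (12))."""
    c = cont(p) if p[0] > 0 else -cont(p)
    return [a // c for a in p]

def gcd_E(u, v, trace=None):
    """Algorithm E.  Each pass through E2 appends (u, v, r) to trace."""
    d = gcd(cont(u), cont(v))                      # E1
    u, v = pp(u), pp(v)
    if deg(u) < deg(v):
        u, v = v, u
    while True:
        r = pseudo_rem(u, v)                       # E2
        if trace is not None:
            trace.append((u, v, r))
        if not r:
            break
        if deg(r) == 0:
            v = [1]
            break
        u, v = v, pp(r)                            # E3
    return [d * c for c in v]                      # E4

def gcd_C(u, v, trace=None):
    """Algorithm C.  Each entry to C2 appends (u, v, g, h) to trace."""
    d = gcd(cont(u), cont(v))                      # C1
    u, v = pp(u), pp(v)
    if deg(u) < deg(v):
        u, v = v, u
    g = h = 1
    while True:
        delta = deg(u) - deg(v)                    # C2
        if trace is not None:
            trace.append((u, v, g, h))
        r = pseudo_rem(u, v)
        if not r:
            break
        if deg(r) == 0:
            v = [1]
            break
        f = g * h ** delta                         # C3: exact divisor of r
        if any(c % f for c in r):
            raise ArithmeticError("g*h^delta does not divide r(x)")
        u, v = v, [c // f for c in r]
        g = u[0]
        if delta > 0:                              # h <- h^(1-delta) g^delta
            h = g ** delta // h ** (delta - 1)
    return [d * c for c in pp(v)]                  # C4

if __name__ == "__main__":
    rows = []
    print("Algorithm E:", gcd_E(U9, V9, rows))
    for row in rows:
        print("  ", *row)
    rows = []
    print("Algorithm C:", gcd_C(U9, V9, rows))
    for row in rows:
        print("  ", *row)
```
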
In order to analyze Algorithm C and to prove that
it is valid, let us call the sequence of polynomials it produces
$u↓1(x)$, $u↓2(x)$, $u↓3(x)$, $\ldotss$, where $u↓1(x) = u(x)$ and
$u↓2(x) = v(x)$. Let $\delta↓j=n↓j-n↓{j+1}$ for $j≥1$, where $n↓j=\\deg(u↓j)$;
and let $g↓1=h↓1=1$, $g↓j=\lscr(u↓j)$, $h↓j=h↓{j-1}↑{1-\delta↓{j-1}}g↓{\!j}↑{\delta
↓{j-1}}$ for $j≥2$. Then we have
$$\baselineskip15pt\eqalign{
g↓2↑{\delta↓1+1}u↓1(x)⊗=u↓2(x)q↓1(x)+g↓1h↓1↑{\delta↓1}u↓3(x),\qquad n↓3<n↓2;\cr
g↓3↑{\delta↓2+1}u↓2(x)⊗=u↓3(x)q↓2(x)+g↓2h↓2↑{\delta↓2}u↓4(x),\qquad n↓4<n↓3;\cr
g↓4↑{\delta↓3+1}u↓3(x)⊗=u↓4(x)q↓3(x)+g↓3h↓3↑{\delta↓3}u↓5(x),\qquad n↓5<n↓4;\cr}
\eqno(16)$$
and so on. The process terminates when $n↓{k+1}
=\\deg(u↓{k+1}) ≤0$. We must show that $u↓3(x)$, $u↓4(x)$, $\ldotss
$, have coefficients in $S$, i.e., that the factors $g↓jh↓j↑{\delta↓j}$
evenly divide the remainders, and we must also
show that the $h↓j$ values all belong to $S$. The proof is rather
involved, and it can be most easily understood by considering
an example.
\topinsert{\tablehead{Table 1}
\vskip3pt
\ctrline{COEFFICIENTS IN ALGORITHM C}
\vskip6pt
\ctrline{(this table is being set separately)}\vskip 301.4pt}
%folio 528 galley 6 Beginning lost. (C) Addison-Wesley 1978 *
Suppose, as in (15), that $n↓1=8$, $n↓2=6$, $n↓3=4$, $n↓4=2$, $n↓5=1$,
$n↓6=0$, so that $\delta↓1=\delta↓2=\delta↓3=2$, $\delta↓4=\delta↓5=1$.
Let us write $u↓1(x)=a↓8x↑8+a↓7x↑7+\cdots+a↓0$,\xskip
$u↓2(x)=b↓6x↑6+b↓5x↑5+\cdots+b↓0$,\xskip
$\ldotss$,\xskip $u↓5(x)=e↓1x+e↓0$,\xskip $u↓6(x)=f↓0$,\xskip
so that $h↓1=1$, $h↓2=b↓6↑2$,
$h↓3=c↓4↑2/b↓6↑2$, $h↓4=d↓2↑2b↓6↑2/c↓4↑2$. In these terms it is helpful to
consider the array shown in Table 1. For concreteness, let us assume that the
coefficients of the polynomials are integers. We have $b↓6↑3u↓1(x)=u↓2(x)q↓1(x)+
u↓3(x)$; so if we multiply row $A↓5$ by $b↓6↑3$ and subtract appropriate
multiples of rows $B↓7$, $B↓6$, and $B↓5$ $\biglp$corresponding to the
coefficients of $q↓1(x)\bigrp$ we will get row $C↓5$. Similarly, if we multiply
row $A↓4$ by $b↓6↑3$ and subtract multiples of rows $B↓6$, $B↓5$, and $B↓4$,
we get row $C↓4$. In a similar way, we have $c↓4↑3u↓2(x)=u↓3(x)q↓2(x)+b↓6↑5u↓4(x)$;
so we can multiply row $B↓3$ by $c↓4↑3$, subtract integer multiples of rows
$C↓5$, $C↓4$, and $C↓3$, then divide by $b↓6↑5$ to obtain row $D↓3$.
In order to prove that $u↓4(x)$ has integer coefficients, let us consider the
matrix
$$\cpile{A↓2\cr A↓1\cr A↓0\cr B↓4\cr B↓3\cr B↓2\cr B↓1\cr B↓0\cr}\quad
\left(\,\vcenter{\halign{$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9
$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$\cr
a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓2⊗a↓1⊗a↓0⊗0⊗0\cr
0⊗a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓2⊗a↓1⊗a↓0⊗0\cr
0⊗0⊗a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓2⊗a↓1⊗a↓0\cr
b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0⊗0⊗0\cr
0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0⊗0\cr
0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0\cr
0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0\cr
0⊗0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0\cr}}\,\right)=M.\eqno(17)$$
The indicated row operations and a permutation of rows
will transform $M$ into
$$\cpile{B↓4\cr B↓3\cr B↓2\cr B↓1\cr C↓2\cr C↓1\cr C↓0\cr D↓0\cr}\quad
\left(\,\vcenter{\halign{$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9
$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$\cr
b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0⊗0⊗0\cr
0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0⊗0\cr
0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0\cr
0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0\cr
0⊗0⊗0⊗0⊗c↓4⊗c↓3⊗c↓2⊗c↓1⊗c↓0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗c↓4⊗c↓3⊗c↓2⊗c↓1⊗c↓0⊗0\cr
0⊗0⊗0⊗0⊗0⊗0⊗c↓4⊗c↓3⊗c↓2⊗c↓1⊗c↓0\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗0⊗d↓2⊗d↓1⊗d↓0\cr}}\,\right)=M↑\prime.\eqno(18)$$
Because of the way $M↑\prime$ has been derived from
$M$, we have
$$b↓6↑3 \cdot b↓6↑3 \cdot b↓6↑3 \cdot
(c↓4↑3/b↓6↑5) \cdot\det M↓0 = \pm\det M↑\prime↓{\!0},\eqno(19)$$
if $M↓0$ and $M↑\prime↓{\!0}$ represent any square
matrices obtained by selecting eight corresponding columns from
$M$ and $M↑\prime $. For example, let us select the first seven
columns and the column containing $d↓1$; then
$$b↓6↑3\cdot b↓6↑3\cdot b↓6↑3\cdot(c↓4↑3/b↓6↑5)\cdot\det\left(\,\vcenter{
\halign{$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9
$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$\cr
a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓2⊗0\cr
0⊗a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓0\cr
0⊗0⊗a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓1\cr
b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0\cr
0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗0\cr
0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗0\cr
0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓0\cr
0⊗0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓1\cr}}\,\right)=\pm b↓6↑4\cdot c↓4↑3\cdot d↓1.$$
Since $b↓6c↓4 ≠ 0$, this proves that $d↓1$ is an integer.
Similarly, $d↓2$ and $d↓0$ are integers.
In general, we can show that $u↓{j+1}(x)$ has integer
coefficients in a similar manner. If we start with the matrix
$M$ consisting of rows $A↓{n↓2-n↓j}$ through
$A↓0$ and $B↓{n↓1-n↓j}$ through $B↓0$, and if
we perform the row operations indicated in Table 1, we will
obtain a matrix $M↑\prime$ consisting in some order of rows
$B↓{n↓1-n↓j}$ through $B↓{n↓3-n↓j+1}$,\xskip
$C↓{n↓2-n↓j}$ through $C↓{n↓4-n↓j+1}$,\xskip $\ldotss$,\xskip $P↓{n↓{j-2}-n↓j}$
through $P↓1$,\xskip $Q↓{n↓{j-1}-n↓j}$ through $Q↓0$,\xskip and finally $R↓0$
$\biglp$a row containing the coefficients of $u↓{j+1}(x)\bigrp$. Extracting
appropriate columns shows that
$$\twoline{\hskip-10pt
(g↓2↑{\delta↓1+1}/g↓1h↓1↑{\delta↓1})↑{n↓2-n↓j+1}(g↓3↑{\delta↓2+1}/g↓2h↓2↑{\delta↓2}
)↑{n↓3-n↓j+1}\ldotss(g↓{\!j}↑{\delta↓{j-1}+1}/g↓{j-1}h↓{\!j-1}↑{\delta↓{j-1}})↑
{n↓j-n↓j+1}\det M↓0}{3pt}{=\pm g↓2↑{n↓1-n↓3}g↓3↑{n↓2-n↓4}\ldotss g↓{\!j-1}↑{n↓{j-2}
-n↓j}g↓{\!j}↑{n↓{j-1}-n↓j+1}r↓t,\quad(19)\hskip-10pt}$$
where $r↓t$ is a given coefficient of $u↓{j+1}(x)$ and $M↓0$ is a submatrix of
$M$. The $h$'s have been chosen very cleverly so that this equation simplifies to
$$\det M↓0=\pm \,r↓t\eqno(20)$$
(see exercise 24). Therefore {\sl every coefficient of $u↓{j+1}(x)$ can be
expressed as the determinant of an $(n↓1+n↓2-2n↓j+2)\times(n↓1+n↓2-2n↓j+2)$
matrix whose elements are coefficients of $u(x)$ and $v(x)$.}
It remains to be shown that the cleverly-chosen $h$'s also are integers. A
similar technique applies: Let's look, for example, at the matrix
$$\cpile{A↓1\cr A↓0\cr B↓3\cr B↓2\cr B↓1\cr B↓0\cr}\quad
\left(\,\vcenter{\halign{$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9
$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$\cr
a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓2⊗a↓1⊗a↓0⊗0\cr
0⊗a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓2⊗a↓1⊗a↓0\cr
b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0⊗0\cr
0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0\cr
0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0\cr
0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0\cr}}\,\right)=M.\eqno(21)$$
Row operations as specified in Table 1, and permutation of rows, lead to
$$\cpile{B↓3\cr B↓2\cr B↓1\cr B↓0\cr C↓1\cr C↓0\cr}\quad
\left(\,\vcenter{\halign{$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9
$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$\cr
b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0⊗0\cr
0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0⊗0\cr
0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0\cr
0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0\cr
0⊗0⊗0⊗0⊗c↓4⊗c↓3⊗c↓2⊗c↓1⊗c↓0⊗0\cr
0⊗0⊗0⊗0⊗0⊗c↓4⊗c↓3⊗c↓2⊗c↓1⊗c↓0\cr}}\,\right)=M↑\prime;\eqno(22)$$
hence if we consider any submatrices $M↓0$ and $M↓{\!0}↑\prime$ obtained by
selecting six corresponding columns of $M$ and $M↑\prime$ we have
$$b↓6↑3\cdot b↓6↑3\cdot\det M↓0=\pm\det M↓{\!0}↑\prime.$$
When $M↓0$ is chosen to be the first six columns of $M$, we find that
$\det M↓0=\pm c↓4↑2/b↓6↑2=\pm h↓3$, so $h↓3$ is an integer.
In general, to show that $h↓j$ is an integer for $j≥3$, we start with the
matrix $M$ consisting of rows $A↓{n↓2-n↓j-1}$ through $A↓0$ and $B↓{n↓1-n↓j-1}$
through $B↓0$; then we perform appropriate row operations until obtaining a
matrix $M↑\prime$ consisting of rows $B↓{n↓1-n↓j-1}$ through $B↓{n↓3-n↓j}$,\xskip
$C↓{n↓2-n↓j-1}$ through $C↓{n↓4-n↓j}$,\xskip $\ldotss$,\xskip
$P↓{n↓{j-2}-n↓j-1}$ through\penalty999\
$P↓0$,\xskip $Q↓{n↓{j-1}-n↓j-1}$ through $Q↓0$. Letting $M↓0$ be the first
$n↓1+n↓2-2n↓j$ columns of $M$, we obtain
$$\twoline{(g↓2↑{\delta↓1+1}/g↓1h↓1↑{\delta↓1})↑{n↓2-n↓j}(g↓3↑{\delta↓2+1}
/g↓2h↓2↑{\delta↓2})↑{n↓3-n↓j}\ldotss(g↓j↑{\delta↓{j-1}+1}/g↓{j-1}h↓{\!j-1}↑{\delta
↓{j-1}})↑{n↓j-n↓j}\det M↓0}{3pt}{=\pm g↓2↑{n↓1-n↓3}g↓3↑{n↓2-n↓4}\ldotss g↓{\!j-1}↑
{n↓{j-2}-n↓j}g↓{\!j}↑{n↓{j-1}-n↓j},\quad(23)\hskip-10pt}$$
an equation that neatly simplifies to
$$\det M↓0=\pm h↓j.\eqno(24)$$
(This proof, although stated for the domain of integers, obviously applies to any
unique factorization domain.)
%folio 530 galley 7 (C) Addison-Wesley 1978 *
In the process of verifying Algorithm C\null,
we have also learned that every element
of $S$ dealt with by the algorithm can be expressed as a determinant whose
entries are the coefficients of the primitive parts of the original polynomials.
A well-known theorem of Hadamard (see exercise 15) states that
$$|\det(a↓{ij})|≤\prod↓{1≤i≤n}\;\bigglp\sum↓{1≤j≤n}a↓{ij}↑2\biggrp↑{1/2};
\eqno(25)$$
therefore an upper bound for the maximum coefficient
appearing in the polynomials computed by Algorithm C is
$$N↑{m+n}(m + 1)↑{n/2}(n + 1)↑{m/2},\eqno (26)$$
if all coefficients of the given polynomials $u(x)$
and $v(x)$ are bounded by $N$ in absolute value. This same
upper bound applies to the coefficients of all polynomials $u(x)$ and
$v(x)$ computed during the execution of Algorithm E\null,
since the polynomials obtained
in Algorithm E are always divisors of the polynomials obtained
in Algorithm C.
This upper bound on the coefficients is extremely
gratifying, because it is much better than we would ordinarily
have a right to expect. For example, suppose we would perform Algorithm
E or Algorithm C with {\sl no} correction in step E3 or C3,
just replacing $v(x)$ by $r(x)$. This is the simplest
gcd algorithm, and it is the one that traditionally appears in
textbooks on algebra (for theoretical purposes, not intended
for practical calculations).\xskip If we suppose that $\delta↓1=\delta↓2=
\cdots = 1$, we find that the coefficients of $u↓3(x)$
are bounded by $N↑3$, the coefficients of $u↓4(x)$ are bounded
by $N↑7$, those of $u↓5(x)$ by $N↑{17}$, $\ldotss $; the coefficients of $u↓k(x)$
are bounded by $N↑{a↓k}$, where $a↓k = 2a↓{k-1} +
a↓{k-2}$. Thus the upper bound, in place of (26) for $m = n + 1$, would
be approximately
$$N↑{0.5(2.414)↑n},\eqno (26)$$
and experiments show that the simple algorithm
does in fact have this behavior; the number of digits in the
coefficients grows exponentially at each step! In Algorithm
E, by contrast, the growth in number of digits is only slightly more than
linear at most.
Another byproduct of our proof of Algorithm C is the fact that the degrees of the
polynomials will almost always decrease by 1 at each step, so that the number of
iterations of step C2 (or E2) will usually be deg$(v)$ if the given polynomials
are ``random.'' In order to see why this happens, note for example that we could
have chosen the first eight columns of $M$ and $M↑\prime$ in (17) and (18),
and then we would have found that $u↓4(x)$ has degree less than 3 if and only if
$d↓3=0$, that is, if and only if
$$\det\left(\,\vcenter{
\halign{$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9
$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$⊗\9$\ctr{#}$\cr
a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓2⊗a↓1\cr
0⊗a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3⊗a↓2\cr
0⊗0⊗a↓8⊗a↓7⊗a↓6⊗a↓5⊗a↓4⊗a↓3\cr
b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0⊗0\cr
0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1⊗b↓0\cr
0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2⊗b↓1\cr
0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3⊗b↓2\cr
0⊗0⊗0⊗0⊗b↓6⊗b↓5⊗b↓4⊗b↓3\cr}}\,\right)=0.$$
In general, $\delta↓j$ will be greater than 1 for $j>1$ if and only if a similar
determinant in the coefficients of $u(x)$ and $v(x)$ is zero. Since such a
determinant is a nonzero multivariate polynomial in the coefficients, it will be
nonzero ``almost always,'' or ``with probability 1.''\xskip(See exercise 16 for a
more precise formulation of this statement, and see exercise 4 for a related
proof.)\xskip The example polynomials in (15) have both $\delta↓2$ and $\delta↓3$
equal to 2, so they are exceptional indeed.
The considerations above can be used to derive
the well-known fact that two polynomials are relatively prime
if and only if their ``resultant'' is nonzero; the resultant
is a determinant having the form of rows $A↓5$ through $A↓0$
and $B↓7$ through $B↓0$ in Table 1.\xskip$\biglp$This
is ``Sylvester's determinant'';
see exercise 12. Further properties of resultants are discussed
in B. L. van der Waerden, {\sl Modern Algebra}, tr.\ by Fred
Blum (New York: Ungar, 1949), Sections 27--28.$\bigrp$\xskip From the standpoint
discussed above, we could say that the gcd is ``almost always''
of degree zero, since Sylvester's determinant is almost never
zero. But many calculations of practical interest would never
be undertaken if there weren't some reasonable chance that the
gcd would be a polynomial of positive degree.
We can see exactly what happens during Algorithms
E and C when the gcd is not 1 by considering $u(x) = w(x)u↓1(x)$ and
$v(x) = w(x)u↓2(x)$, where $u↓1(x)$ and $u↓2(x)$ are relatively
prime and $w(x)$ is primitive. Then if the polynomials $u↓1(x)$,
$u↓2(x)$, $u↓3(x)$, $\ldots$ are obtained when Algorithm E works on
$u(x) = u↓1(x)$ and $v(x) = u↓2(x)$, it is easy to show that
the sequence obtained for $u(x) = w(x)u↓1(x)$ and $v(x) = w(x)u↓2(x)$
is simply $w(x)u↓1(x)$, $w(x)u↓2(x)$, $w(x)u↓3(x)$, $w(x)u↓4(x)$, $\ldotss\,$.
With Algorithm C the behavior is different; if the polynomials
$u↓1(x)$, $u↓2(x)$, $u↓3(x)$, $\ldots$ are obtained when Algorithm
C is applied to $u(x) = u↓1(x)$ and $v(x) = u↓2(x)$, and if
we assume that deg$(u↓{j+1}) =\hjust{deg}(u↓j) - 1$ (which is almost
always true when $j > 1$), then the sequence
$$w(x)u↓1(x),\; w(x)u↓2(x),\;\lscr↑2w(x)u↓3(x),\;\lscr↑4w(x)u↓4(x),
\;\lscr↑6w(x)u↓5(x),\;\ldots\eqno(27)$$
is obtained when Algorithm C is applied to $u(x)
= w(x)u↓1(x)$ and $v(x) = w(x)u↓2(x)$, where $\lscr=\lscr(w)$.\xskip
(See exercise 13.)\xskip So Algorithm E may be superior to Algorithm
C when the primitive part of the greatest common divisor has
a large enough leading coefficient.
\yskip Polynomial remainder sequences such as those in
Algorithms C and E are not useful merely for finding greatest
common divisors; another important application is to the enumeration
of real roots, for a given polynomial in a given interval, according
to the famous theorem of J. Sturm [{\sl M\'em.\ pr\'esentes
par divers savants \bf 6} (Paris, 1835), 271--318]. Let $u(x)$
be a polynomial over the real numbers, having distinct roots.
We shall see in the next section that this is the same as saying
gcd$\biglp u(x), u↑\prime (x)\bigrp = 1$, where $u↑\prime (x)$
is the derivative of $u(x)$; accordingly, there is a polynomial
remainder sequence proving that $u(x)$ is relatively prime
to $u↑\prime (x)$. We set $u↓0(x) = u(x)$, $u↓1(x) = u↑\prime
(x)$, and (following Sturm) we negate the sign of all remainders:
$$\baselineskip15pt
\eqalign{c↓1u↓0(x)⊗=u↓1(x)q↓1(x) - d↓1u↓2(x),\cr
c↓2u↓1(x) ⊗= u↓2(x)q↓2(x) - d↓2u↓3(x),\cr
⊗\9\;\vdots\cr
c↓ku↓{k-1}(x) ⊗= u↓k(x)q↓k(x) - d↓ku↓{k+1}(x),\cr}\eqno(28)$$
for some positive constants $c↓j$ and $d↓j$, where deg$(u↓{k+1})
= 0$. We say that the {\sl variation} $V(u, a)$ of $u(x)$ at $a$
is the number of changes of sign in the sequence $u↓0(a)$, $u↓1(a)$,
$\ldotss$, $u↓{k+1}(a)$, not counting zeros. For example, if the
sequence of signs is 0, +, $-$, $-$, 0, +, +, $-$ we have $V(u, a)
= 3$. Sturm's theorem asserts that {\sl the number of roots
of $u(x)$ in the interval $a < x ≤ b$ is $V(u, a) - V(u, b)$}; and
the proof is surprisingly short (see exercise 22).
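The following Python sketch of Sturm's root count is an added example, not part of the original text. It builds the sequence (28) with exact rational division, so that every $c↓j$ and $d↓j$ equals 1, and counts roots in $a < x ≤ b$; the function names and the sample polynomials are constructed for this example.

```python
from fractions import Fraction

# Polynomials are coefficient lists, highest degree first.

def poly_rem(u, v):
    """Remainder of u(x) divided by v(x) over the rationals."""
    r = [Fraction(c) for c in u]
    while len(r) >= len(v):
        q = r[0] / v[0]
        for i, c in enumerate(v):
            r[i] -= q * c
        r.pop(0)                       # leading term is now zero
    while r and r[0] == 0:
        r.pop(0)
    return r

def derivative(u):
    n = len(u) - 1
    return [c * (n - i) for i, c in enumerate(u[:-1])]

def sturm_sequence(u):
    """u_0 = u, u_1 = u', u_{j+1} = -(u_{j-1} mod u_j), as in (28)."""
    if len(u) < 2:
        raise ValueError("u(x) must have degree at least 1")
    seq = [[Fraction(c) for c in u], [Fraction(c) for c in derivative(u)]]
    while len(seq[-1]) > 1:            # stop once deg(u_{k+1}) = 0
        r = poly_rem(seq[-2], seq[-1])
        if not r:
            raise ValueError("u(x) has a repeated root: gcd(u, u') is not 1")
        seq.append([-c for c in r])    # Sturm's negated remainder
    return seq

def evaluate(p, x):
    acc = Fraction(0)
    for c in p:                        # Horner's rule
        acc = acc * x + c
    return acc

def sign_changes(values):
    """Number of changes of sign in a sequence, not counting zeros."""
    signs = [(v > 0) - (v < 0) for v in values if v != 0]
    return sum(1 for s, t in zip(signs, signs[1:]) if s != t)

def variation(seq, a):
    """V(u, a) for a Sturm sequence seq."""
    return sign_changes([evaluate(p, a) for p in seq])

def count_roots(u, a, b):
    """Number of real roots of u(x) with a < x <= b."""
    seq = sturm_sequence(u)
    return variation(seq, a) - variation(seq, b)

if __name__ == "__main__":
    cubic = [1, 0, -3, 1]              # x^3 - 3x + 1, three real roots
    print(sturm_sequence(cubic))
    print(count_roots(cubic, -2, 2), count_roots(cubic, 0, 1))
    # The interval is half-open: for x^2 - 1 the root at a = -1 is not
    # counted, while the root at b = 1 is.
    print(count_roots([1, 0, -1], -1, 1))
```
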
\yskip Although Algorithms C and E are interesting, they aren't the whole story.
Important alternative ways to calculate polynomial
gcd's over the integers are discussed at the end of Section
4.6.2. There is also a general determinant-evaluation algorithm that may be said
to include Algorithm C as a special case; see E. H.
Bareiss, {\sl Math.\ Comp.\ \bf 22} (1968), 565--578.
\exbegin{EXERCISES}
\exno 1. [10] Compute the pseudo-quotient
$q(x)$ and pseudo-remainder $r(x)$, namely, the polynomials
satisfying (8), when $u(x) = x↑6 + x↑5 - x↑4 + 2x↑3 + 3x↑2 -
x + 2$ and $v(x) = 2x↑3 + 2x↑2 - x + 3$, over the integers.
\exno 2. [15] What is the greatest common divisor of $3x↑6 +
x↑5 + 4x↑4 + 4x↑3 + 3x↑2 + 4x + 2$ and its ``reverse'' $2x↑6
+ 4x↑5 + 3x↑4 + 4x↑3 + 4x↑2 + x + 3$, modulo 7?
\trexno 3. [M25] Show that Euclid's algorithm for polynomials
over a field $S$ can be extended to find polynomials $U(x)$ and
$V(x)$ over $S$ such that
$$u(x)V(x) + U(x)v(x) = \gcd\biglp u(x), v(x)\bigrp .$$
(Cf.\ Algorithm 4.5.2X.)\xskip What are the degrees of
the polynomials $U(x)$ and $V(x)$ that are computed by this
extended algorithm? Prove that if $S$ is the field of rational
numbers, and if $u(x) = x↑m - 1$ and $v(x) = x↑n - 1$, then
the extended algorithm yields polynomials $U(x)$ and $V(x)$
having {\sl integer} coefficients. Find $U(x)$ and $V(x)$ when
$u(x) = x↑{21} - 1$ and $v(x) = x↑{13} - 1$.
\trexno 4. [M30] Let $p$ be prime, and suppose that Euclid's algorithm
applied to the polynomials $u(x)$ and $v(x)$ modulo $p$ yields
a sequence of polynomials having respective degrees $m$, $n$, $n↓1$,
$\ldotss$, $n↓t$, $-∞$, where $m =\hjust{deg}(u)$, $n =\hjust{deg}(v)$, and $n↓t
≥ 0$. Assume that $m ≥ n$. If $u(x)$ and $v(x)$ are monic polynomials,
independently and uniformly distributed over all the $p↑{m+n}$
pairs of monic polynomials having respective degrees $m$ and
$n$, what are the average values of the three quantities $t$, $n↓1
+\cdots + n↓t$, $(n - n↓1)n↓1 +\cdots +
(n↓{t-1} - n↓t)n↓t$, as functions of $m, n$, and $p$?\xskip (These
three quantities are the fundamental factors in the running
time of Euclid's algorithm applied to polynomials modulo $p$,
assuming that division is done by Algorithm D.)\xskip[{\sl Hint:}
Show that $u(x) \mod v(x)$ is uniformly distributed and
independent of $v(x)$.]
\exno 5. [M22] What is the probability that $u(x)$ and $v(x)$
are relatively prime modulo $p$, if $u(x)$ and $v(x)$ are independently
and uniformly distributed monic polynomials of degree\penalty999\ $n$?
\exno 6. [M23] We have seen that Euclid's Algorithm 4.5.2A for
integers can be directly adapted to an algorithm for the greatest
common divisor of polynomials. Can the ``binary gcd algorithm,''
Algorithm 4.5.2B\null, be adapted in an analogous way to an algorithm
that applies to polynomials?
\exno 7. [M10] What are the units in the domain of all polynomials
over a unique factorization domain $S?$
%folio 535 galley 8 (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}\def\+#1\biglp{\mathop{\hjust{#1}}\biglp}
\trexno 8. [M22] Show that if a polynomial with integer coefficients is
irreducible over the domain of integers, it is irreducible when considered as
a polynomial over the field of rational numbers.
\exno 9. [M25] Let $u(x)$ and
$v(x)$ be primitive polynomials over a unique factorization
domain $S$. Prove that $u(x)$ and $v(x)$ are relatively prime
if and only if there are polynomials $U(x)$ and $V(x)$ over $S$ such
that $u(x)V(x) + U(x)v(x)$ is a polynomial of degree zero.\xskip [{\sl
Hint:} Extend Algorithm E\null, as Algorithm 4.5.2E is extended
in exercise 3.]
\exno 10. [M28] Prove that the polynomials over a unique factorization
domain form a unique factorization domain.\xskip [{\sl Hint:}
Use the result of exercise 9 to help show that there is at
most one kind of factorization possible.]
\exno 11. [M22] What row names would have appeared in Table
1 if the sequence of degrees had been 9, 6, 5, 2, $-∞$ instead
of 8, 6, 4, 2, 1, 0?
\trexno 12. [M24] Let $u↓1(x)$, $u↓2(x)$, $u↓3(x)$, $\ldots$ be a sequence
of polynomials obtained during a run of Algorithm C.\xskip``Sylvester's matrix''
is the square matrix formed from rows $A↓{n↓2-1}$ through
$A↓0$ and $B↓{n↓1-1}$ through $B↓0$ (in a notation analogous
to that of Table 1). Show that if $u↓1(x)$ and $u↓2(x)$ have
a common factor of positive degree, then the determinant of
Sylvester's matrix is zero; conversely, given that deg$(u↓k)
= 0$ for some $k$, show that the determinant of Sylvester's
matrix is nonzero by deriving a formula for its absolute value
in terms of $\lscr(u↓j)$ and deg$(u↓j)$, $1 ≤ j ≤ k$.
\exno 13. [M22] Show that the leading coefficient $\lscr$ of the
primitive part of $\gcd\biglp u(x), v(x)\bigrp$ enters into Algorithm C's
polynomial sequence as shown in (27), when $\delta↓1 = \delta↓2 =\cdots
= \delta↓{k-1} = 1$. What is the behavior for general $\delta↓j$?
\exno 14. [M29] Let $r(x)$ be the pseudo-remainder of $u(x)$
pseudo-divided by $v(x)$. If $\\deg(u) ≥\\deg(v) + 2$ and $\\deg(v)
≥\\deg(r) + 2$, show that $r(x)$ is a multiple of $\lscr(v)$.
\exno 15. [M26] Prove Hadamard's inequality (25).\xskip [{\sl Hint:}
Consider the matrix $AA↑T$.]
\exno 16. [HM22] Let $f(x↓1, \ldotss , x↓n)$ be a multivariate
polynomial with real coefficients not all zero, and let $a↓N$
be the number of solutions to the equation $f(x↓1, \ldotss ,
x↓n) = 0$ such that $|x↓1| ≤ N$, $\ldotss$, $|x↓n| ≤ N$, and such that each
$x↓j$ is an integer. Prove that
$$\lim↓{N→∞} a↓N/(2N + 1)↑n = 0.$$
\exno 17. [M32] ({\sl P. M. Cohn's algorithm
for division of string polynomials.})\xskip Let $A$ be an ``alphabet,''
i.e., a set of symbols.\xskip A {\sl string} $α$ on $A$ is a sequence
of $n ≥ 0$ symbols, $α = a↓1 \ldotsm a↓n$, where each $a↓j$ is
in $A$. The length of $α$, denoted by $|α|$, is the number $n$
of symbols.\xskip A {\sl string polynomial} on $A$ is a finite sum
$U = \sum ↓k r↓k\,α↓k$, where each $r↓k$ is a nonzero rational
number and each $α↓k$ is a string on $A$. The {\sl degree} of
$U$, deg$(U)$, is defined to be $-∞$ if $U = 0$ (i.e., if the
sum is empty), otherwise $\\deg(U)=\max|α↓k|$. The sum and product
of string polynomials are defined in an obvious manner, e.g.,
$(\sum ↓j r↓jα↓j)(\sum ↓k s↓kβ↓k) = \sum ↓{j,k} r↓js↓kα↓jβ↓k$,
where the product of two strings is obtained by simply juxtaposing
them. For example, if $A = \{a, b\}$, $U = ab + ba - 2a - 2b$, and
$V = a + b - 1$, then deg$(U) = 2$, deg$(V) = 1$, $V↑2 = aa + ab
+ ba + bb - 2a - 2b + 1$, and $V↑2 - U = aa + bb + 1$. Clearly,
$\\deg(UV) =\\deg(U) +\\deg(V)$, and $\\deg(U + V) ≤ \max\biglp\\deg(U),
\\deg(V)\bigrp $, with equality in the latter formula if $\\deg(U)
≠\\deg(V)$.\xskip (String polynomials may be regarded as ordinary
multivariate polynomials over the field of rational numbers,
except that the variables are {\sl not commutative} under multiplication.
In the conventional language of pure mathematics, the set of
string polynomials with the operations defined here is the ``free
associative algebra'' generated by $A$ over the rationals.)
\yskip\hang\textindent{a)}Let $Q↓1$, $Q↓2$, $U$, $V$ be string polynomials
with $\\deg(U) ≥\\deg(V)$ and such that $\\deg(Q↓1U - Q↓2V) <\\deg(Q↓1U)$.
Give an algorithm to find a string polynomial $Q$ such that
$\\deg(U - QV) <\\deg(U)$.\xskip $\biglp$Thus if we are given $U$ and $V$
such that $Q↓1U = Q↓2V + R$ and $\\deg(R) <\\deg(Q↓1U)$, for
some $Q↓1$ and $Q↓2$, then there is a solution to these conditions
with $Q↓1 = 1$.$\bigrp$
\hang\textindent{b)}Given that $U$ and $V$ are string polynomials
with $\\deg(V) >\\deg(Q↓1U - Q↓2V)$ for some $Q↓1$ and $Q↓2$,
show that the result of (a) can be improved to find a quotient
$Q$ such that $U = QV + R$, $\\deg(R) <\\deg(V)$.\xskip $\biglp$This is the
analog of (1) for string polynomials; part (a) showed that we
can make $\\deg(R) <\\deg(U)$, under weaker hypotheses.$\bigrp$
\hang\textindent{c)}A ``homogeneous'' polynomial is one whose terms
all have the same degree (length). If $U↓1$, $U↓2$, $V↓1$,
$V↓2$ are homogeneous string polynomials with $U↓1V↓1 = U↓2V↓2$
and $\\deg(V↓1) ≥\\deg(V↓2)$, show that there is a homogeneous
string polynomial $U$ such that $U↓2 = U↓1U$ and $V↓1 = UV↓2$.
\hang\textindent{d)}Given that $U$ and $V$ are homogeneous string
polynomials with $UV = VU$, prove that there is a homogeneous
string polynomial $W$ such that $U = rW↑m$, $V = sW↑n$ for some
integers $m$, $n$ and rational numbers $r$, $s$. Give an algorithm
to compute such a $W$ having the largest possible degree.\xskip (This
algorithm is of interest, for example, when $U = α$ and $V =
β$ are strings satisfying $αβ = βα$; then $W$ is simply a string
$\gamma $. When $U = x↑m$ and $V = x↑n$, the solution of largest
degree is $W = x↑{\gcd(m,n)}$, so this algorithm includes a
gcd algorithm for integers as a special case.)
\trexno 18. [M24] ({\sl Euclidean algorithm for string polynomials.})\xskip
Let $V↓1$ and $V↓2$ be string polynomials, not both zero, having
a ``common left multiple.''\xskip(This means that there exist string polynomials
$U↓1$ and $U↓2$, not both zero, such that $U↓1V↓1 = U↓2V↓2$.)\xskip The purpose
of this exercise is to find an algorithm to compute their ``greatest
common right divisor'' gcrd$(V↓1, V↓2)$ as well as their ``least
common left multiple'' lclm$(V↓1, V↓2)$. The latter quantities
are defined as follows:\xskip gcrd$(V↓1, V↓2)$ is a common right divisor
of $V↓1$ and $V↓2$ (that is, $V↓1 = W↓1\\gcrd(V↓1, V↓2)$ and
$V↓2 = W↓2\\gcrd(V↓1, V↓2)$ for some $W↓1$ and $W↓2$), and any common
right divisor of $V↓1$ and $V↓2$ is a right divisor of gcrd$(V↓1,
V↓2)$; lclm$(V↓1, V↓2) = Z↓1V↓1 = Z↓2V↓2$ for some $Z↓1$ and $Z↓2$,
and any common left multiple of $V↓1$ and $V↓2$ is a left multiple
of lclm$(V↓1, V↓2)$.
For example, let $U↓1 = abbbab + abbab - bbab +
ab - 1$, $V↓1 = babab + abab + ab - b$; $U↓2 = abb + ab - b$, $V↓2
= babbabab + bababab + babab + abab - babb - 1$. Then we have
$U↓1V↓1 = U↓2V↓2 = abbbabbabab + abbabbabab + abbbababab + abbababab
- bbabbabab + abbbabab - bbababab + 2abbabab - abbbabb + ababab
- abbabb - bbabab - babab + bbabb - abb - ab + b$. For these
string polynomials it can be shown that gcrd$(V↓1, V↓2) = ab
+ 1$, and lclm$(V↓1, V↓2) = U↓1V↓1$.
The division algorithm of exercise 17 may be restated
thus: If $V↓1$ and $V↓2$ are string polynomials, with $V↓2 ≠
0$, and if $U↓1 ≠ 0$ and $U↓2$ satisfy the equation $U↓1V↓1
= U↓2V↓2$, then there exist string polynomials $Q$ and $R$ such
that $V↓1 = QV↓2 + R$, $\\deg(R) <\\deg(V↓2)$.\xskip{\sl Note:} It
follows readily that $Q$ and $R$ are uniquely determined; they
do not depend on $U↓1$ and $U↓2$; furthermore the result is
right-left symmetric in the sense that
$$U↓2 = U↓1Q + R↑\prime \qquad\hjust{where }\\deg(R↑\prime )
=\\deg(U↓1)-\\deg(V↓2) +\\deg(R) <\\deg(U↓1).$$
Show that this division algorithm can be
extended to an algorithm that computes lclm$(V↓1, V↓2)$ and
gcrd$(V↓1, V↓2)$, and, in fact, the extended algorithm finds string polynomials
$Z↓1$ and $Z↓2$ such that $Z↓1V↓1 + Z↓2V↓2 =\\gcrd(V↓1, V↓2)$.\xskip [{\sl Hint:}
Use auxiliary variables $u↓1$, $u↓2$, $v↓1$, $v↓2$, $w↓1$, $w↓2$, $w↑\prime↓{1}$,
$w↑\prime↓{2}$, $z↓1$, $z↓2$, $z↑\prime↓{1}$, $z↑\prime↓{2}$,
whose values are string polynomials; start by setting $u↓1 ←
U↓1$, $u↓2 ← U↓2$, $v↓1 ← V↓1$, $v↓2 ← V↓2$, and throughout the algorithm
maintain the conditions
$$\baselineskip14pt
\eqalign{U↓1w↓1 + U↓2w↓2 ⊗= u↓1,\cr
U↓1w↑\prime↓{1} + U↓2w↑\prime↓{2} ⊗= u↓2,\cr
u↓1z↓1 - u↓2z↑\prime↓{1} ⊗= (-1)↑nU↓1,\cr
-u↓1z↓2 + u↓2z↑\prime↓{2} ⊗= (-1)↑nU↓2,\cr}\qquad\eqalign{
z↓1V↓1 + z↓2V↓2⊗= v↓1,\cr
z↑\prime↓{1}V↓1 + z↑\prime↓{2}V↓2 ⊗= v↓2,\cr
w↓1v↓1 - w↑\prime↓{1}v↓2 ⊗= (-1)↑nV↓1,\cr
-w↓2v↓1 + w↑\prime↓{2}v↓2 ⊗= (-1)↑nV↓2\cr}$$
at the $n$th iteration. This might be regarded as the ``ultimate'' extension
of Euclid's algorithm.]
\exno 19. [M39] ({\sl Common divisors of square matrices.})\xskip Exercise
18 shows that the concept of greatest common right divisor can
be meaningful when multiplication is not commutative. Prove
that any two $n \times n$ matrices $A$ and $B$ of integers have
a greatest common right matrix divisor $D$.\xskip [{\sl Suggestion:}
Design an algorithm whose inputs are $A$ and $B$, and whose
outputs are integer matrices $P$, $Q$, $X$, $Y$, where $A = PD$, $B
= QD$, $D = XA + YB$.]\xskip Find a greatest common right divisor of
$({1\atop 3}\,{2\atop 4})$ and $({4\atop 2}\,{3\atop 1})$.
\exno 20. [M40] Investigate the accuracy of Euclid's algorithm:
What can be said about
calculation of the greatest common divisor of polynomials whose
coefficients are floating-point numbers?
\exno 21. [M25] Prove that the computation
time required by Algorithm C to compute the gcd of two $n$th
degree polynomials over the integers is $O\biglp n↑4(\log Nn)↑2\bigrp
$, if the coefficients of the given polynomials are bounded
by $N$ in absolute value.
\exno 22. [M23] Prove Sturm's theorem.\xskip
[{\sl Hint:} Some sign sequences are impossible.]
\exno 23. [M22] Prove that if $u(x)$ in (28) has deg$(u)$ real
roots, then $\\deg(u↓{j+1}) =\\deg(u↓j) - 1$ for $0 ≤ j ≤ k$.
\exno 24. [M21] Show that (19) simplifies to (20) and (23) simplifies to (24).
\exno 25. [M24] (W. S. Brown.)\xskip Prove that all the polynomials $u↓j(x)$
in (16) for $j≥3$ are multiples of $\gcd\biglp\lscr(u),\lscr(v)\bigrp$,
and explain how to improve Algorithm C accordingly.
\runningrighthead{FACTORIZATION OF POLYNOMIALS}
\section{4.6.2}
\sectionskip
\sectionbegin{\star4.6.2. Factorization of Polynomials}
Let us now consider
the problem of {\sl factoring} polynomials, not merely finding
the greatest common divisor of two or more of them.
\subsectionbegin{Factoring modulo $\spose{$p$}\hskip.25pt p$} As in the
case of integer numbers (Sections 4.5.2, 4.5.4), the problem
of factoring seems to be more difficult than finding the greatest
common divisor. But factorization of polynomials modulo a prime
integer $p$ is not as hard to do as we might expect. It is much
easier to find the factors of an arbitrary polynomial of degree
$n$, modulo 2, than to use any known method to find the factors
of an arbitrary $n$-bit binary number. This surprising situation
is a consequence of an important factorization algorithm discovered
in 1967 by Elwyn R. Berlekamp [{\sl Bell System Technical J.
\bf 46} (1967), 1853--1859].
Let $p$ be a prime number; all arithmetic on polynomials
in the following discussion will be done modulo $p$. Suppose
that someone has given us a polynomial $u(x)$, whose coefficients
are chosen from the set $\{0, 1, \ldotss , p - 1\}$; we may assume
that $u(x)$ is monic. Our goal is to express $u(x)$ in the form
$$u(x) = p↓1(x)↑{e↓1} \ldotss p↓r(x)↑{e↓r},\eqno (1)$$
where $p↓1(x)$, $\ldotss$, $p↓r(x)$ are distinct, monic,
irreducible polynomials.
%folio 539 galley 9 Almost total loss. (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}\def\Modulo#1){\penalty0\;\;\biglp\char'155
\char'157\char'144\char'165\char'154\char'157\,\,#1)\bigrp}
As a first step, we can use a standard technique
to determine whether any of the exponents $e↓1$, $\ldotss$, $e↓r$ are greater
than unity. If
$$u(x) = u↓nx↑n +\cdots + u↓0 = v(x)↑2w(x),\eqno(2)$$
then its ``derivative'' formed in the usual way
(but modulo $p$) is
$$u↑\prime (x) = nu↓nx↑{n-1} +\cdots + u↓1 = 2v(x)v↑\prime(x)w(x)+v(x)↑2w↑\prime(x),
\eqno (3)$$
and this is a multiple of the squared factor $v(x)$.
Therefore our first step in factoring $u(x)$ is to form
$$\gcd\biglp u(x), u↑\prime (x)\bigrp = d(x).\eqno (4)$$
If $d(x)$ is equal to 1, we know that $u(x)$
is ``squarefree,'' the product of distinct primes $p↓1(x) \ldotsm
p↓r(x)$. If $d(x)$ is not equal to 1 and $d(x) ≠ u(x)$, then
$d(x)$ is a proper factor of $u(x)$; so the process can be completed
by factoring $d(x)$ and $u(x)/d(x)$ separately. Finally, if
$d(x) = u(x)$, we must have $u↑\prime (x) = 0$; hence the coefficient
$u↓k$ of $x↑k$ is nonzero only when $k$ is a multiple of $p$.
This means that $u(x)$ can be written as a polynomial of the
form $v(x↑p)$, and in such a case we have
$$u(x) = v(x↑p) = \biglp v(x)\bigrp ↑p;\eqno (5)$$
the factorization process can be completed by finding
the irreducible factors of $v(x)$ and raising them to the $p$th
power.
Identity (5) may appear somewhat strange to the
reader, and it is an important fact that is basic to Berlekamp's
algorithm. We can prove it as follows: If $v↓1(x)$ and $v↓2(x)$
are any polynomials modulo $p$, then
$$\baselineskip16pt\eqalign{
\biglp v↓1(x)v↓2(x)\bigrp↑p⊗=v↓1(x)↑pv↓2(x)↑p,\cr
\noalign{\vskip2pt}
\biglp v↓1(x)+v↓2(x)\bigrp↑p⊗=\textstyle v↓1(x)↑p+{p\choose1}v↓1(x)↑{p-1}v↓2(x)+\cdots
+{p\choose p-1}v↓1(x)v↓2(x)↑{p-1}+v↓2(x)↑p\cr
⊗=v↓1(x)↑p+v↓2(x)↑p,\cr}$$
since the binomial coefficients $p\choose1$, $\ldotss$, $p\choose p-1$ are all
multiples of $p$.\xskip Furthermore if $a$ is any integer, $a↑p≡a\modulo p$.
Therefore when $v(x)=v↓mx↑m+v↓{m-1}x↑{m-1}+\cdots+v↓0$, we find that
$$\baselineskip15pt\eqalign{
v(x)↑p ⊗= (v↓mx↑m)↑p + (v↓{m-1}x↑{m-1})↑p +
\cdots + (v↓0)↑p\cr
⊗= v↓mx↑{mp} + v↓{m-1}x↑{(m-1)p} +\cdots +
v↓0\; =\; v(x↑p).\cr}$$ This proves (5).
The above remarks show that the problem of factoring
a polynomial reduces to the problem of factoring a squarefree
polynomial. Let us therefore assume that
$$u(x)=p↓1(x)p↓2(x)\ldotsm p↓r(x)\eqno(6)$$
is the product of distinct primes. How can we be clever enough to discover the
$p↓j(x)$'s when only $u(x)$ is given? Berlekamp's idea is to make use of the
Chinese remainder theorem, which is valid for polynomials just as it is valid
for integers (see exercise 3). If $(s↓1,s↓2,\ldotss,s↓r)$ is any $r$-tuple
of integers mod $p$, the Chinese remainder theorem implies that {\sl there is
a unique polynomial $v(x)$ such that}
$$\baselineskip15pt\cpile{
v(x)≡s↓1\Modulo p↓1(x),\quad\ldotss,\quad v(x)≡s↓r\Modulo p↓r(x),\cr
\\deg(v)<\\deg(p↓1)+\\deg(p↓2)+\cdots+\\deg(p↓r)=\\deg(u).\cr}\eqno(7)$$
The notation $g(x)≡h(x)\Modulo f(x)$ that appears here is the same as ``$g(x)≡h(x)$
$\biglp$modulo $f(x)$ and $p\bigrp$'' in exercise 3.2.2--11,
since we are considering polynomial arithmetic modulo $p$.
The polynomial $v(x)$ in (7) gives us a way to get at the factors of $u(x)$,
for if $r≥2$ and $s↓1≠s↓2$, we will have $\gcd\biglp u(x),v(x)-s↓1\bigrp$
divisible by $p↓1(x)$ but not by $p↓2(x)$.
Since this observation shows that we can get information about the factors of
$u(x)$ from appropriate solutions $v(x)$ of (7), let us analyze (7) more
closely. In the first place we can observe that the polynomial $v(x)$
satisfies the condition $v(x)↑p≡s↓j↑p=s↓j≡v(x)\Modulo p↓j(x)$ for $1≤j≤r$;
therefore
$$v(x)↑p≡v(x)\Modulo u(x),\qquad \\deg(v)<\\deg(u).\eqno(8)$$
In the second place we have the basic polynomial identity
$$x↑p - x ≡ (x - 0)(x - 1) \ldotsm \biglp x - (p - 1)\bigrp\quad\modulo p\eqno (9)$$
(see exercise 6); hence
$$v(x)↑p - v(x) = \biglp v(x) - 0\bigrp\biglp v(x) -
1\bigrp \ldotsm \biglp v(x) - (p - 1)\bigrp \eqno (10)$$
is an identity for any polynomial $v(x)$, when
we are working modulo $p$. If $v(x)$ satisfies (8), it follows
that $u(x)$ divides the left-hand side of (10), so every irreducible
factor of $u(x)$ must divide one of the $p$ relatively prime
factors of the right-hand side of (10). In other words, {\sl
all} solutions of (8) must have the form of (7), for some $s↓1$,
$s↓2$, $\ldotss$, $s↓r$; {\sl there are exactly $p↑r$ solutions of $(8)$}.
%folio 541 galley 10 (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}\def\Modulo#1){\penalty0\;\;\biglp\char'155
\char'157\char'144\char'165\char'154\char'157\,\,#1)\bigrp}
The solutions $v(x)$ to congruence (8) therefore
provide a key to the factorization of $u(x)$. It may seem harder
to find all solutions to (8) than to factor $u(x)$ in the first
place, but in fact this is not true, since the set of solutions
to (8) is closed under addition. Let deg$(u) = n$; we can construct
the $n \times n$ matrix
$$Q=\left(\,\vcenter{\halign{$\ctr{#}$⊗\quad$\ctr{#}$⊗\quad$\ctr{#}$⊗\quad
$\ctr{#}$\cr
q↓{0,0}⊗q↓{0,1}⊗\ldots⊗q↓{0,n-1}\cr
\vdots⊗\vdots⊗⊗\vdots\cr
q↓{n-1,0}⊗q↓{n-1,1}⊗\ldots ⊗q↓{n-1,n-1}\cr}}\,\right)\eqno(11)$$
where
$$x↑{pk} ≡ q↓{k,n-1}x↑{n-1} +\cdots + q↓{k,1}x +
q↓{k,0}\;\Modulo u(x).\eqno (12)$$
Then $v(x) = v↓{n-1}x↑{n-1} +\cdots
+ v↓1x + v↓0$ is a solution to (8) if and only if
$$(v↓0, v↓1, \ldotss , v↓{n-1})Q = (v↓0, v↓1, \ldotss , v↓{n-1});\eqno
(13)$$
for the latter equation holds if and only if
$$\chop to 12pt{v(x) = \sum ↓{j} v↓j\,x↑j = \sum ↓{j} \sum ↓{k} v↓k\,q↓{k,j}\,x↑j
≡ \sum ↓{k} v↓k\,x↑{pk} = v(x↑p)\Modulo u(x).}$$
Berlekamp's factoring algorithm therefore proceeds
as follows:
\yskip\hang\textindent{\bf B1.}Ensure that $u(x)$ is squarefree; i.e.,
if $\gcd\biglp u(x), u↑\prime (x)\bigrp ≠ 1$, reduce
the problem of factoring $u(x)$, as stated earlier in this section.
\yskip\hang\textindent{\bf B2.}Form the matrix $Q$ defined by (11) and (12). This
can be done in one of two ways, depending on whether or not
$p$ is very large, as explained below.
\yskip\hang\textindent{\bf B3.}``Triangularize'' the matrix $Q - I$, where $I
= (\delta ↓{ij})$ is the $n \times n$ identity matrix, finding
its rank $n - r$ and finding linearly independent vectors $v↑{[1]}$,
$\ldotss$, $v↑{[r]}$ such that $v↑{[j]}(Q - I) = (0, 0, \ldotss
, 0)$ for $1 ≤ j ≤ r$.\xskip $\biglp$The first vector $v↑{[1]}$ may always
be taken as $(1, 0, \ldotss , 0)$, representing the trivial solution
$v↑{[1]}(x) = 1$ to (8). The ``triangularization'' needed in this step can
be done using appropriate column operations, as explained in
Algorithm N below.$\bigrp$\xskip{\sl At this point, $r$ is the number of irreducible
factors of $u(x)$}, because the solutions to (8) are the $p↑r$
polynomials corresponding to the vectors $t↓1v↑{[1]} +
\cdots + t↓rv↑{[r]}$ for all choices of integers $0 ≤ t↓1,
\ldotss, t↓r < p$. Therefore if $r = 1$ we know that $u(x)$
is irreducible, and the procedure terminates.
\yskip\hang\textindent{\bf B4.}Calculate $\gcd\biglp u(x), v↑{[2]}(x) - s\bigrp$
for $0 ≤ s < p$, where $v↑{[2]}(x)$ is the polynomial
represented by vector $v↑{[2]}$. The result will be a nontrivial
factorization of $u(x)$, because $v↑{[2]}(x) - s$ is nonzero
and has degree less than deg$(u)$, and by exercise 7 we have
$$u(x) = \prod ↓{0≤s<p} \gcd\biglp v(x) - s,\, u(x)\bigrp \eqno(14)$$
whenever $v(x)$ satisfies (8).
\hangindent 19pt after 0 If the use of $v↑{[2]}(x)$ does not succeed
in splitting $u(x)$ into $r$ factors, further factors can be
obtained by calculating $\gcd\biglp v↑{[k]}(x) - s,\, w(x)\bigrp$
for $0 ≤ s < p$ and all factors $w(x)$ found so far, for $k
= 3$, 4, $\ldotss $, until $r$ factors are obtained.\xskip $\biglp$If we choose
$s↓i ≠ s↓j$ in (7), we obtain a solution $v(x)$ to (8) that
distinguishes $p↓i(x)$ from $p↓j(x)$; some $v↑{[k]}(x) - s$
will be divisible by $p↓i(x)$ and not by $p↓j(x)$, so this procedure
will eventually find all of the factors.$\bigrp$\quad\blackslug
\yyskip As an example of this procedure,
let us now determine the factorization of
$$u(x) = x↑8 + x↑6 + 10x↑4 + 10x↑3 + 8x↑2 + 2x + 8\eqno (15)$$
modulo 13.\xskip (This polynomial appears in several
of the examples in Section 4.6.1.)\xskip A quick calculation using
Algorithm 4.6.1E shows that $\gcd\biglp u(x), u↑\prime (x)\bigrp
= 1$; therefore $u(x)$ is squarefree, and we turn to step B2.
Step B2 involves calculating the $Q$ matrix, which in this case
is an $8 \times 8$ array. The first row of $Q$ is always $(1, 0,
0, \ldotss , 0)$, representing the polynomial $x↑0\mod u(x)
= 1$. The second row represents $x↑{13}\mod u(x)$, and, in
general, $x↑k\mod u(x)$ may readily be determined as follows
(for relatively small values of $k$): If
$$u(x) = x↑n + u↓{n-1}x↑{n-1} +\cdots+ u↓1x + u↓0$$
and if
$$x↑k ≡ a↓{k,n-1}x↑{n-1} +\cdots + a↓{k,1}x + a↓{k,0}\Modulo u(x),$$
then
$$\baselineskip15pt\eqalign{x↑{k+1}⊗ ≡ a↓{k,n-1}x↑n +\cdots + a↓{k,1}x↑2
+ a↓{k,0}x\cr ⊗≡ a↓{k,n-1}(-u↓{n-1}x↑{n-1} -\cdots
- u↓1x - u↓0) + a↓{k,n-2}x↑{n-1} +\cdots +
a↓{k,0}x\cr
⊗= a↓{k+1,n-1}x↑{n-1} +\cdots + a↓{k+1,1}x+ a↓{k+1,0},\cr}$$
where
$$a↓{k+1,j} = a↓{k,j-1} - a↓{k,n-1}u↓j.\eqno (16)$$
In this formula $a↓{k,-1}$ is treated as zero,
so that $a↓{k+1,0} = -a↓{k,n-1}u↓0$. The simple ``shift register''
recurrence (16) makes it easy to calculate $x↑1$, $x↑2$, $x↑3$, $\ldots$
mod $u(x)$. Inside a computer, this calculation would of course
be done by keeping a one-dimensional array $(a↓{n-1}, \ldotss
, a↓1, a↓0)$ and repeatedly setting $t ← a↓{n-1}$, $a↓{n-1} ←
(a↓{n-2} - tu↓{n-1}) \mod p$, $\ldotss$, $a↓1 ← (a↓0 - tu↓1)\mod
p$, $a↓0 ← (-tu↓0)\mod p$.\xskip (We have seen similar procedures
in connection with random-number generation; cf.\ 3.2.2--10.)\xskip
For our example polynomial $u(x)$ in (15), we obtain the following
sequence of coefficients of $x↑k \mod u(x)$, using arithmetic
modulo 13:
$$\def\\#1{\hskip-10pt$#1$\hskip-10pt\hfill}
\vjust{\:b
\halign{\hfill#⊗\qquad\hfill#⊗\qquad\hfill#⊗\qquad\hfill#⊗\qquad
\hfill#⊗\qquad\hfill#⊗\qquad\hfill#⊗\qquad\hfill#⊗\qquad\hfill#\cr
$k$⊗\\{a↓{k,7}}⊗\\{a↓{k,6}}⊗\\{a↓{k,5}}⊗\\{a↓{k,4}}⊗\\{a↓{k,3}}⊗
\\{a↓{k,2}}⊗\\{a↓{k,1}}⊗\\{a↓{k,0}}\cr
\noalign{\vskip 2pt}
0⊗0⊗0⊗0⊗0⊗0⊗0⊗0⊗1\cr
1⊗0⊗0⊗0⊗0⊗0⊗0⊗1⊗0\cr
2⊗0⊗0⊗0⊗0⊗0⊗1⊗0⊗0\cr
3⊗0⊗0⊗0⊗0⊗1⊗0⊗0⊗0\cr
4⊗0⊗0⊗0⊗1⊗0⊗0⊗0⊗0\cr
5⊗0⊗0⊗1⊗0⊗0⊗0⊗0⊗0\cr
6⊗0⊗1⊗0⊗0⊗0⊗0⊗0⊗0\cr
7⊗1⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
8⊗0⊗12⊗0⊗3⊗3⊗5⊗11⊗5\cr
9⊗12⊗0⊗3⊗3⊗5⊗11⊗5⊗0\cr
10⊗0⊗4⊗3⊗2⊗8⊗0⊗2⊗8\cr
11⊗4⊗3⊗2⊗8⊗0⊗2⊗8⊗0\cr
12⊗3⊗11⊗8⊗12⊗1⊗2⊗5⊗7\cr
13⊗11⊗5⊗12⊗10⊗11⊗7⊗1⊗2\cr}}$$
Therefore the second row of $Q$ is $(2, 1, 7,
11, 10, 12, 5, 11)$. Similarly we may determine $x↑{26}\mod
u(x)$, $\ldotss$, $x↑{91}\mod u(x)$, and we find that
$$\eqalign{Q⊗=\left(\,\vcenter{\halign{\hfill#⊗\quad\hfill#⊗\quad\hfill#⊗\quad
\hfill#⊗\quad\hfill#⊗\quad\hfill#⊗\quad\hfill#⊗\quad\hfill#\cr
1⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
2⊗1⊗7⊗11⊗10⊗12⊗5⊗11\cr
3⊗6⊗4⊗3⊗0⊗4⊗7⊗2\cr
4⊗3⊗6⊗5⊗1⊗6⊗2⊗3\cr
2⊗11⊗8⊗8⊗3⊗1⊗3⊗11\cr
6⊗11⊗8⊗6⊗2⊗7⊗10⊗9\cr
5⊗11⊗7⊗10⊗0⊗11⊗7⊗12\cr
3⊗3⊗12⊗5⊗0⊗11⊗9⊗12\cr}}\,\right),\cr
\noalign{\vskip9pt}
Q-I⊗=\left(\,\vcenter{\halign{\hfill#⊗\quad\hfill#⊗\quad\hfill#⊗\quad
\hfill#⊗\quad\hfill#⊗\quad\hfill#⊗\quad\hfill#⊗\quad\hfill#\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
2⊗0⊗7⊗11⊗10⊗12⊗5⊗11\cr
3⊗6⊗3⊗3⊗0⊗4⊗7⊗2\cr
4⊗3⊗6⊗4⊗1⊗6⊗2⊗3\cr
2⊗11⊗8⊗8⊗2⊗1⊗3⊗11\cr
6⊗11⊗8⊗6⊗2⊗6⊗10⊗9\cr
5⊗11⊗7⊗10⊗0⊗11⊗6⊗12\cr
3⊗3⊗12⊗5⊗0⊗11⊗9⊗11\cr}}\,\right).\cr}\eqno(17)$$
%folio 543 galley 11 (C) Addison-Wesley 1978 *
\def\\#1({\mathop{\hjust{#1}}(}\def\Modulo#1){\penalty0\;\;\biglp\char'155
\char'157\char'144\char'165\char'154\char'157\,\,#1)\bigrp}
\def\circle#1{\hjust to 10pt{#1\hskip-10ptminus10pt
\raise 6.944pt\hjust{\:@\char'141}\hskip0ptminus10pt}}
That finishes step B2; the next step of Berlekamp's procedure requires
finding the ``null space'' of $Q - I$. In general, suppose that
$A$ is an $n \times n$ matrix over a field, whose rank $n -
r$ is to be determined; suppose further that we wish to determine
linearly independent vectors $v↑{[1]}$, $v↑{[2]}$, $\ldotss$, $v↑{[r]}$
such that $v↑{[1]}A = v↑{[2]}A = \cdots =v↑{[r]}A = (0, \ldotss
, 0)$. An algorithm for this calculation can be based on the
observation that any column of $A$ may be multiplied by a nonzero
quantity, and any multiple of one of its columns may be added
to a different column, without changing the rank or the vectors
$v↑{[1]}, \ldotss , v↑{[r]}$.\xskip (These transformations amount to
replacing $A$ by $AB$, where $B$ is a nonsingular matrix.)\xskip The
following well-known ``triangularization'' procedure may therefore
be used.
\algbegin Algorithm N (Null space algorithm).
Let $A$ be an $n \times n$ matrix, whose elements
$a↓{ij}$ belong to a field and have subscripts in the range
$0 ≤ i, j < n$. This algorithm outputs $r$ vectors $v↑{[1]}$,
$\ldotss$, $v↑{[r]}$, which are linearly independent over the field
and satisfy $v↑{[j]}A = (0, \ldotss , 0)$, where $n - r$ is the
rank of $A$.
\algstep N1. [Initialize.] Set $c↓0 ← c↓1
←\cdots ← c↓{n-1} ← -1$, $r ← 0$.\xskip (During the calculation
we will have $c↓j ≥ 0$ only if $a↓{c↓jj}= -1$ and all
other entries of row $c↓j$ are zero.)
\algstep N2. [Loop on $k$.] Do step N3 for $k = 0$, 1, $\ldotss$,
$n - 1$, and then terminate the algorithm.
\algstep N3. [Scan row for dependence.] If there is some $j$
in the range $0 ≤ j < n$ such that $a↓{kj} ≠ 0$ and $c↓j < 0$,
then do the following: Multiply column $j$ of $A$ by $-1/a↓{kj}$
(so that $a↓{kj}$ becomes equal to $-1$); then add $a↓{ki}$ times
column $j$ to column $i$ for all $i ≠ j$; finally set $c↓j ←
k$.\xskip (Since it is not difficult to show that $a↓{sj} = 0$ for
all $s < k$, these operations have no effect on rows 0, 1, $\ldotss$,
$k - 1$ of $A$.)
\hangindent19pt after 0 On the other hand, if there is no $j$ in
the range $0 ≤ j < n$ such that $a↓{kj} ≠ 0$ and $c↓j < 0$,
then set $r ← r + 1$ and output the vector
$$v↑{[r]} = (v↓0, v↓1, \ldotss , v↓{n-1})$$
defined by the rule
$$v↓j=\left\{\vcenter{\halign{$#,\hfill$\qquad⊗#\hfill\cr
a↓{ks}⊗if $c↓s=j≥0$;\cr 1⊗if $j=k$;\cr 0⊗otherwise.\hskip50pt\blackslug\cr}}
\right.\eqno(18)$$
\yyskip An example will reveal the mechanism
of this algorithm. Let $A$ be the matrix $Q - I$ of (17) over
the field of integers modulo 13. When $k = 0$, we output the
vector $v↑{[1]} = (1, 0, 0, 0, 0, 0, 0, 0)$. When $k = 1$, we
may take $j$ in step N3 to be either 0, 2, 3, 4, 5, 6, or 7;
the choice here is completely arbitrary, although it affects
the particular vectors that are chosen to be output by the
algorithm. For hand calculation, it is most convenient to pick
$j = 5$, since $a↓{15} = 12 = -1$ already; the column operations
of step N3 then change $A$ to the matrix
$$\left(\,\vcenter{\halign{\hjust to 10pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0\cr
11⊗6⊗5⊗8⊗1⊗4⊗1⊗7\cr
3⊗3⊗9⊗5⊗9⊗6⊗6⊗4\cr
4⊗11⊗2⊗6⊗12⊗1⊗8⊗9\cr
5⊗11⊗11⊗7⊗10⊗6⊗1⊗10\cr
1⊗11⊗6⊗1⊗6⊗11⊗9⊗3\cr
12⊗3⊗11⊗9⊗6⊗11⊗12⊗2\cr
}}\,\right).$$
(The circled element in column ``5'', row
``1'', is used here to indicate that $c↓5 = 1$. Remember that
Algorithm N numbers the rows and columns of the matrix starting
with 0, not 1.)\xskip When $k = 2$, we may choose $j = 4$ and proceed
in a similar way, obtaining the following matrices, which all
have the same null space as $Q - I$:
$$\hjust to size{$\dispstyle{k=2\lower5pt\null\atop
\left(\,\vcenter{\halign{\hjust to 10pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0\cr
0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0⊗0\cr
8⊗1⊗3⊗11⊗4⊗9⊗10⊗6\cr
2⊗4⊗7⊗1⊗1⊗5⊗9⊗3\cr
12⊗3⊗0⊗5⊗3⊗5⊗4⊗5\cr
0⊗1⊗2⊗5⊗7⊗0⊗3⊗0\cr
11⊗6⊗7⊗0⊗7⊗0⊗6⊗12\cr
}}\,\right)}\hfill
{k=3\lower5pt\null\atop
\left(\,\vcenter{\halign{\hjust to 10pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0\cr
0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0⊗0\cr
0⊗\circle{12}⊗0⊗0⊗0⊗0⊗0⊗0\cr
9⊗9⊗8⊗9⊗11⊗8⊗8⊗5\cr
1⊗10⊗4⊗11⊗4⊗4⊗0⊗0\cr
5⊗12⊗12⊗7⊗3⊗4⊗6⊗7\cr
2⊗7⊗2⊗12⊗9⊗11⊗11⊗2\cr
}}\,\right)}$}$$
$$\hjust to size{$\dispstyle{k=4\lower5pt\null\atop
\left(\,\vcenter{\halign{\hjust to 10pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0\cr
0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0⊗0\cr
0⊗\circle{12}⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗\circle{12}\cr
1⊗10⊗4⊗11⊗4⊗4⊗0⊗0\cr
8⊗2⊗6⊗10⊗11⊗11⊗0⊗9\cr
1⊗6⊗4⊗11⊗2⊗0⊗0⊗10\cr
}}\,\right)}\hfill
{k=5\lower5pt\null\atop
\left(\,\vcenter{\halign{\hjust to 10pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0\cr
0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0⊗0\cr
0⊗\circle{12}⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗0⊗0⊗\circle{12}\cr
\circle{12}⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
5⊗0⊗0⊗0⊗5⊗5⊗0⊗9\cr
12⊗9⊗0⊗0⊗11⊗9⊗0⊗10\cr
}}\,\right)}$}$$
Now every column that has no circled entry is
completely zero; so when $k = 6$ and $k = 7$ the algorithm outputs
two more vectors, namely
$$v↑{[2]} = (0, 5, 5, 0, 9, 5, 1, 0),\qquad v↑{[3]} = (0, 9,
11, 9, 10, 12, 0, 1).$$
From the form of matrix $A$ after $k = 5$, it is
evident that these vectors satisfy the equation $vA = (0, \ldotss
, 0)$. Since the computation has produced three linearly independent
vectors, $u(x)$ must have exactly three irreducible factors.
%folio 545 galley 12 (C) Addison-Wesley 1978 *
Finally we can go to step B4 of the factoring procedure.
The calculation of $\gcd\biglp u(x),\, v↑{[2]}(x) -s\bigrp$ for $s
= 0$, 1, $\ldotss$, 12, where $v↑{[2]}(x) = x↑6 + 5x↑5 + 9x↑4
+ 5x↑2 + 5x$, gives $x↑5 + 5x↑4 + 9x↑3 + 5x + 5$ as the answer
when $s = 0$,\xskip $x↑3 + 8x↑2 + 4x + 12$ when $s = 2$, and unity for
other values of $s$. Therefore $v↑{[2]}(x)$ gives us only two
of the three factors. Turning to $\gcd\biglp v↑{[3]}(x) - s,\,
x↑5 + 5x↑4 + 9x↑3 + 5x + 5\bigrp $, where $v↑{[3]}(x) = x↑7 + 12x↑5
+ 10x↑4 + 9x↑3 + 11x↑2 + 9x$, we obtain the value $x↑4 + 2x↑3
+ 3x↑2 + 4x + 6$ when $s = 6$,\xskip $x + 3$ when $s = 8$, and unity
otherwise. Thus the complete factorization is
$$u(x) = (x↑4 + 2x↑3 + 3x↑2 + 4x + 6)(x↑3 + 8x↑2 + 4x + 12)(x
+ 3).\eqno (19)$$
Let us now estimate the running time of Berlekamp's
method when an $n$th degree polynomial is factored modulo $p$.
First assume that $p$ is relatively small, so that the four
arithmetic operations can be done modulo $p$ in essentially
a fixed length of time.\xskip (Division modulo $p$ can be converted
to multiplication, by storing a table of reciprocals; modulo
13, for example, we have ${1\over 2} = 7$, ${1\over 3} = 9$,
etc.)\xskip The computation in step B1 takes $O(n↑2)$ units of time;
step B2 takes $O(pn↑2)$. For step B3 we use Algorithm N\null, which
requires $O(n↑3)$ units of time at most. Finally, in step B4
we can observe that the calculation of $\gcd\biglp f(x), g(x)\bigrp$
by Euclid's algorithm takes $O\biglp\hjust{deg}(f)\,\hjust{deg}(g)\bigrp$
units of time; hence the calculation of $\gcd\biglp v↑{[j]}(x)
- s,\, w(x)\bigrp$ for fixed $j$ and $s$ and for all factors $w(x)$
of $u(x)$ found so far takes $O(n↑2)$ units. Step B4 therefore
requires $O(prn↑2)$ units of time at most. {\sl Berlekamp's
procedure factors an arbitrary polynomial of degree $n$}, modulo
$p$, {\sl in $O(n↑3 + prn↑2)$ steps}, when $p$ is a small prime; and
exercise 5 shows that the average number of factors, $r$, is
approximately $\ln n$. Thus the algorithm is much faster than
any known methods of factoring $n$-digit numbers in the $p$-ary
number system.
When $p$ is large, a different implementation of
Berlekamp's procedure would be used for the calculations. Division
modulo $p$ would not be done with an auxiliary table of reciprocals;
instead the method of exercise 4.5.2--15, which takes $O\biglp
(\log p)↑2\bigrp$ steps, would probably be used. Then step
B1 would take $O\biglp n↑2(\log p)↑2\bigrp$ units of time;
similarly, step B3 takes $O\biglp n↑3(\log p)↑2\bigrp $. In
step B2, we can form $x↑p\mod u(x)$ in a more efficient way
than (16) when $p$ is large: Section 4.6.3 shows that this value
can essentially be obtained by using $O(\log p)$ operations
of ``squaring $\null\mod u(x)$,'' i.e., going from $x↑k\mod u(x)$
to $x↑{2k}\mod u(x)$. The squaring operation is relatively
easy to perform if we first make an auxiliary table of $x↑m
\mod u(x)$ for $m = n$, $n + 1$, $\ldotss$, $2n -2$; if
$$x↑k \mod u(x) = c↓{n-1}x↑{n-1} +\cdots
+ c↓1x + c↓0,$$
then
$$x↑{2k} \mod u(x) = \biglp c↑{2}↓{n-1}x↑{2n-2} +\cdots
+ (c↓1c↓0 + c↓1c↓0)x + c↓0↑2\bigrp\,\mod u(x),$$
where $x↑{2n-2}$, $\ldotss$, $x↑n$ can be replaced
by polynomials in the auxiliary table. The net time to compute
$x↑p\mod u(x)$ comes to $O\biglp n↑2(\log p)↑3\bigrp$ units,
and we obtain the second row of $Q$. To get further rows of $Q$,
we form $x↑{2p}\mod u(x)$, $x↑{3p}\mod u(x)$, $\ldots$ simply
by multiplying repeatedly by $x↑p\mod u(x)$, in a fashion
analogous to squaring mod $u(x)$; step B2 is completed in $O\biglp
n↑2(\log p)↑3 + n↑3(\log p)↑2\bigrp$ units of time. The same
upper bound applies to steps B1, B2, and B3 taken as a whole;
these three steps tell us the number of factors of $u(x)$.
But when $p$ is large and we get to step B4, we
are asked to calculate a greatest common divisor for $p$ different
values of $s$, and that is out of the question if $p$ is very
large. This hurdle was surmounted by Hans Zassenhaus [{\sl J.
Number Theory \bf 1} (1969), 291--311], who showed how to determine
all the ``useful'' values of $s$. Let $v(x)$ be a solution to (8), and let $w(x) =
\prod(x - s)$ where the product is over all $0 ≤ s < p$ such
that $\gcd\biglp u(x),\,v(x) - s\bigrp ≠ 1$. By (14), this quantity $w(x)$
is the polynomial of least degree such that $u(x)$ divides $w\biglp v(x)\bigrp$.
Algorithm N can therefore be adapted to find the coefficients
of $w$: Let $A$ be the $(r + 1) \times n$ matrix whose $k$th
row contains the coefficients of $v(x)↑k \mod
u(x)$, for $0 ≤ k ≤ r$. Apply the method of Algorithm N until
the first dependence is found in step N3; then the algorithm
terminates with $w(x) = v↓0 + v↓1x +\cdots + v↓kx↑k$,
where $v↓j$ is defined in (18).\xskip (An example is worked out below.)\xskip
At this point $2 ≤ k ≤ r$; in rare circumstances we may have
$k = n$.
It remains to find the factors of $w(x)$ modulo
a large prime $p$, when $w$ is known to split into linear factors.
Suppose $w(x) = (x -s↓1) \ldotsm (x - s↓k)$; then it divides
$x(x - 1) \ldotsm (x - p + 1) = x↑p - x = x(x↑{(p-1)/2} - 1)(x↑{(p-1)/2}
+ 1)$, hence the identity
$$w(x) = \gcd\biglp w(x),\, x + t\bigrp \cdot\gcd\biglp w(x),\,(x
+ t)↑{(p-1)/2} - 1\bigrp \cdot \gcd\biglp w(x),\,(x +
t)↑{(p-1)/2} + 1\bigrp\eqno (20)$$
holds for all integers $t$. Zassenhaus's procedure
for factoring $w$ is to try computing $\gcd\biglp w(x),\,(x+t)↑{(p-1)/2}-1\bigrp$
for $t = 0$, 1, 2, $\ldots$ until
$w$ has been completely split. At first glance this may appear
to be an inefficient trial-and-error method, but actually it
finds the factors very rapidly, since the probability of a nontrivial
gcd in (20) is approximately $1 - 2↑{-k}$ when $t$ is chosen
at random. The reason is that $x - s↓i$ divides $(x + t)↑{(p-1)/2}-1$
if and only if $(s↓i + t)↑{(p-1)/2}\mod p = 1$, and this
occurs for about half of all values $t$.\xskip(Exercise 14 gives a rigorous
proof that $\gcd\biglp w(x),(x+t)↑{(p-1)/2}-1\bigrp$ will be nontrivial more than
${1\over2}+O(p↑{-1})$ of the time when $t$ is chosen at random. Therefore the
expected number of trials is roughly 2, and we ``never'' will have to wait long.)
For example, let's reconsider the polynomial $v↑{[3]}(x)
= x↑7 + 12x↑5 + 10x↑4 + 9x↑3 + 11x↑2 + 9x$ mentioned earlier,
and let's pretend that 13 is a large prime. Then
\def\circle#1{\hjust to 10pt{#1\hskip-10ptminus10pt
\raise 6.944pt\hjust{\:@\char'141}\hskip0ptminus10pt}}
$$\hjust to size{$\dispstyle{\hjust{Matrix $A$}\lower5pt\null\atop
\left(\,\vcenter{\halign{\hjust to 10pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}\cr
1⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗9⊗11⊗9⊗10⊗12⊗0⊗1\cr
4⊗4⊗6⊗9⊗1⊗7⊗12⊗1\cr
4⊗6⊗3⊗6⊗11⊗8⊗0⊗5\cr
}}\,\right)}\hfill
{\hjust{is transformed into}\lower5pt\null\atop
\left(\,\vcenter{\halign{\hjust to 10pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\!
\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}⊗\hjust to 20pt{\hfill#}\cr
\circle{12}⊗0⊗0⊗0⊗0⊗0⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗\circle{12}⊗0⊗0\cr
0⊗0⊗0⊗0⊗0⊗0⊗\circle{12}⊗0\cr
9⊗0⊗0⊗0⊗0⊗8⊗0⊗0\cr
}}\,\right)}$}$$
so we have $w(x) = 9 + 8x + x↑3$. Setting $t =
0$ in (20) produces the factor $x + 1 = x - 12$, and we replace
$w(x)$ by $w(x)/(x - 12) = x↑2 + 12x + 9$. When $t = 1$ we get
the other factors
$x - 6$ and $x - 8$. The useful values of $s$ with respect to
$v↑{[3]}(x)$ are 6, 8, and 12.
If we assume (as we may) that a nontrivial factor of $w(x)$
will be found after $O(1)$ applications of (20), we can give an upper
bound on the time to perform B4: It takes $O\biglp r↑2n↑2(\log p)↑2\bigrp$
steps to compute each $w↓j(x)$ from $v↑{[j]}(x)$, plus at most
$O\biglp r↑3(\log p)↑3+r↑4(\log p)↑2\bigrp$ steps to find their roots,
plus at most $O\biglp rn↑3(\log p)↑2\bigrp$ steps to compute gcd's as in (14).
The computation will usually be completed even faster, and $r$ is usually
small compared to $n$. Thus, step B4 is not the bottleneck after all,
when we use Zassenhaus's suggestions.
For discussion, see E. R. Berlekamp, {\sl Math.\ Comp.\ \bf24} (1970), 713--735;
Robert T. Moenck, {\sl Math.\ Comp.\ \bf31} (1977), 235--250.
\subsectionbegin{Distinct degree factorization} A
somewhat simpler method that often obtains factors modulo $p$
can be based on the fact that an irreducible polynomial $q(x)$
of degree $d$ is a divisor of $x↑{p↑d}- x$, and it is
not a divisor of $x↑{p↑c} - x$ for $c < d$; see exercise
16. We proceed as follows:
\yskip\hang\textindent{\bf S1.}Rule
out squared factors and find the matrix $Q$, as in Berlekamp's
method. Also set $v(x) ← u(x)$, $w(x) ← \hjust{``$x$''}$, and $d ← 0$.\xskip (Here
$v(x)$ and $w(x)$ are variables that have polynomials as values.)
\yskip\hang\textindent{\bf S2.}Increase $d$ by 1 and replace $w(x)$ by $w(x)↑p
\mod u(x)$.\xskip $\biglp$In other words, the coefficients $(w↓0, \ldotss
, w↓{n-1})$ are replaced by $(w↓0, \ldotss , w↓{n-1})Q$. At this
point $w(x) = x↑{p↑d}\mod u(x)$.$\bigrp$
\yskip\hang\textindent{\bf S3.}Find $g(x) = \gcd\biglp w(x)-x,v(x)\bigrp$.\xskip
$\biglp$This is the product of all the irreducible factors of $u(x)$
whose degree is $d$.$\bigrp$\xskip Replace $v(x)$ by $v(x)/g(x)$.
\yskip\hang\textindent{\bf S4.}If $d < {1\over 2}\hjust{deg}(v)$, return to S2.
Otherwise $v(x)$ is irreducible, and the procedure terminates.\quad\blackslug
%folio 550 galley 13 (C) Addison-Wesley 1978 *
\yyskip This procedure determines the product of
all irreducible factors of each degree $d$, and therefore it
tells us how many factors there are of each degree. Since the
three factors of our example polynomial (19) have different
degrees, they would all be discovered. The total running time,
analyzed as above, is $O\biglp n↑3(\log p)↑2 + n↑2(\log p)↑3\bigrp$.
The distinct degree factorization technique was
known to several people in 1960 [cf.\ S. W. Golomb, L. R. Welch,
A. Hales, ``On the factorization of trinomials over GF(2),''
Jet Propulsion Laboratory memo 20--189 (July 14, 1959)], but
there seem to be no references to it in the ``open literature.''
Previous work by \v S. Schwarz, {\sl Quart.\ J. Math.}, Oxford (2)
{\bf 7} (1956), 110--124, had shown how to determine the number
of irreducible factors of each degree, but not their product,
using the matrix $Q$.
If the distinct degree factorization procedure doesn't find a complete
factorization, it is not necessary to abandon hope: There is still a good
chance that the factors can be found by computing $\gcd\biglp g(x),\,
(x+t)↑{(p↑d-1)/2}-1\bigrp$ for $t=0$, 1, $\ldotss$, $p-1$, when $p$ is
odd and all irreducible factors of $g(x)$ have degree $d$. Every divisor of
$x↑{p↑d}-x$ also divides $$(x+t)↑{p↑d}-(x+t)=(x+t)\biglp(x+t)↑{(p↑d-1)/2}-1\bigrp
\biglp(x+t)↑{(p↑d-1)/2}+1\bigrp,$$so we can argue as in (20). If $d=1$, all
the linear factors will be found quickly, even when $p$ is large. If $d>1$,
we might not split $g(x)$ completely, but the prospects are good, {\sl especially}
if $p$ is large.
For example, there are eight irreducible polynomials $f(x)$ of degree 3, modulo
3, and they will all be distinguished by calculating $\gcd\biglp f(x),\,
(x+t)↑{13}-1\bigrp$ for $0≤t<3$:
$$\vjust{\halign{$\hfill#\null$⊗$\hfill#\null$⊗$\hfill#$\qquad⊗$\ctr{#}$⊗\qquad
$\ctr{#}$⊗\qquad$\ctr{#}$\cr
⊗f(x)⊗⊗t=0⊗t=1⊗t=2\cr
\noalign{\vskip4pt}
x↑3+⊗⊗2x+1⊗1⊗1⊗1\cr
x↑3+⊗⊗2x+2⊗f(x)⊗f(x)⊗f(x)\cr
x↑3+⊗x↑2+⊗2⊗f(x)⊗f(x)⊗1\cr
x↑3+⊗x↑2+⊗x+2⊗f(x)⊗1⊗f(x)\cr
x↑3+⊗x↑2+⊗2x+1⊗1⊗f(x)⊗f(x)\cr
x↑3+⊗2x↑2+⊗1⊗1⊗f(x)⊗1\cr
x↑3+⊗2x↑2+⊗x+1⊗1⊗1⊗f(x)\cr
x↑3+⊗2x↑2+⊗2x+2⊗f(x)⊗1⊗1\cr}}$$
On the other hand, when the number of irreducible polynomials of degree $d$
exceeds\-\ $2↑p$, it is clear that there will exist irreducibles that cannot
be distinguished by this method.\xskip M. O. Rabin has shown how to extend
the distinct-degree factorization technique to a complete factorization in
all cases, by doing arithmetic in a field with $p↑n$ elements (see exercise
31).
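
The distinct degree procedure S1--S4 and the splitting gcd of the preceding paragraphs can be tried out with the following Python code, which is an added example and not part of the original text. It uses repeated squaring modulo $u(x)$ in place of the matrix $Q$ of step S1, it assumes that $u(x)$ is monic and squarefree, and all of its function names are choices made for this example.

```python
# Added example. A polynomial over GF(p) is a list of coefficients, lowest degree first.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def poly(coeffs, p):
    return trim([c % p for c in coeffs])

def sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % p for x, y in zip(a, b)])

def mul(a, b, p):
    c = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            c[i + j] = (c[i + j] + x * y) % p
    return trim(c)

def divmod_poly(a, b, p):
    """Quotient and remainder of a by b (b nonzero, both trimmed) over GF(p)."""
    r, q = a[:], [0] * max(len(a) - len(b) + 1, 0)
    inv = pow(b[-1], -1, p)
    while len(r) >= len(b):
        k, c = len(r) - len(b), r[-1] * inv % p
        q[k] = c
        for i, y in enumerate(b):
            r[k + i] = (r[k + i] - c * y) % p
        trim(r)
    return trim(q), r

def rem(a, b, p):
    return divmod_poly(a, b, p)[1]

def monic_gcd(a, b, p):
    while b:
        a, b = b, rem(a, b, p)
    inv = pow(a[-1], -1, p) if a else 0
    return [c * inv % p for c in a]

def powmod(base, e, u, p):
    """base(x)^e mod u(x), by repeated squaring."""
    result, base = [1], rem(base, u, p)
    while e:
        if e & 1:
            result = rem(mul(result, base, p), u, p)
        base = rem(mul(base, base, p), u, p)
        e >>= 1
    return result

def distinct_degree(u, p):
    """Steps S2-S4: map each degree d to the product of the irreducible factors of degree d."""
    u = poly(u, p)
    v, w, d, out = u, [0, 1], 0, {}
    while True:
        d += 1
        w = powmod(w, p, u, p)                     # S2: now w(x) = x^(p^d) mod u(x)
        g = monic_gcd(sub(w, [0, 1], p), v, p)     # S3: gcd(w(x) - x, v(x))
        if len(g) > 1:
            out[d] = g
            v = divmod_poly(v, g, p)[0]
        if 2 * d >= len(v) - 1:                    # S4: stop unless d < deg(v)/2
            break
    if len(v) > 1:
        out[len(v) - 1] = v                        # the remaining v(x) is irreducible
    return out

def split_attempt(g, d, t, p):
    """gcd(g(x), (x+t)^((p^d-1)/2) - 1), for odd p and g with all factors of degree d."""
    g = poly(g, p)
    h = powmod([t % p, 1], (p ** d - 1) // 2, g, p)
    return monic_gcd(sub(h, [1], p), g, p)

U21 = [-5, 2, 8, -3, -3, 0, 1, 0, 1]               # the polynomial (21), taken modulo 13
CUBICS = [[1, 2, 0, 1], [2, 2, 0, 1], [2, 0, 1, 1], [2, 1, 1, 1],
          [1, 2, 1, 1], [1, 0, 2, 1], [1, 1, 2, 1], [2, 2, 2, 1]]   # table rows, modulo 3

def table_row(f, p=3, d=3):
    """True where the gcd is f(x) and False where it is 1, for t = 0, ..., p-1."""
    return [split_attempt(f, d, t, p) == poly(f, p) for t in range(p)]

if __name__ == "__main__":
    print(distinct_degree(U21, 13))
    for f in CUBICS:
        print(f, table_row(f))
```
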
\subsectionbegin{Factoring over the integers} It
is somewhat more difficult to find the complete factorization
of polynomials with integer coefficients when we are {\sl not}
working modulo $p$, but some reasonably efficient methods are
available for this purpose.
Isaac Newton gave a method for finding linear and
quadratic factors of polynomials with integer coefficients in
his {\sl Arithmetica Universalis\/} (1707). This method was extended
by an astronomer named Friedrich von Schubert in 1793, who showed
how to find all factors of degree $n$ in a finite number of
steps; see M. Cantor, {\sl Geschichte der Mathematik \bf 4}
(Leipzig: Teubner, 1908), 136--137.\xskip L. Kronecker rediscovered
von Schubert's method independently about 90 years later; but
unfortunately the method is very inefficient when $n$ is five
or more. Much better results can be obtained with the help of
the ``mod $p$'' factorization methods presented above.
Suppose that we want to find the irreducible factors
of a given polynomial
$$u(x) = u↓nx↑n + u↓{n-1}x↑{n-1} +\cdots + u↓0,\qquad u↓n ≠ 0,$$
over the integers. As a first step, we can divide
by the greatest common divisor of the coefficients, and this
leaves us with a {\sl primitive} polynomial. We may also assume
that $u(x)$ is squarefree, by dividing out $\gcd\biglp u(x),
u↑\prime (x)\bigrp$ as above.
Now if $u(x) = v(x)w(x)$, where all of these polynomials
have integer coef\-ficients, we obviously have $u(x) ≡ v(x)w(x)
\modulo p$ for all primes $p$, so there is a nontrivial factorization
modulo $p$ unless $p$ divides $\lscr(u)$. Berlekamp's efficient
algorithm for factoring $u(x)$ modulo $p$ can therefore be used
in an attempt to reconstruct possible factorizations of $u(x)$
over the integers.
For example, let
$$u(x) = x↑8 + x↑6 - 3x↑4 - 3x↑3 + 8x↑2 + 2x - 5.\eqno (21)$$
We have seen above in (19) that
$$u(x) ≡ (x↑4 + 2x↑3 + 3x↑2 + 4x + 6)(x↑3
+ 8x↑2 + 4x + 12)(x + 3)\modulo{13};\eqno(22)$$
and the complete factorization of $u(x)$ modulo 2 shows
one factor of degree 6 and another of degree 2 (see exercise
10). From (22) we can see that $u(x)$ has no factor of degree
2, so it must be irreducible over the integers.
This particular example was perhaps too simple;
experience shows that most irreducible polynomials can be recognized
as such by examining their factors modulo a few primes, but
it is {\sl not\/} always so easy to establish irreducibility. For example,
there are polynomials that
can be properly factored modulo $p$ for all primes
$p$, with consistent degrees of the factors, yet they are irreducible
over the integers (see exercise 12).
Almost all polynomials are irreducible over the
integers, as shown in exercise 27. But we usually aren't trying
to factor a random polynomial; there is probably some reason
to expect a nontrivial factor or else the calculation would
not have been attempted in the first place. We need a method
that identifies factors when they are there.
In general if we try to find the factors of $u(x)$
by considering its behavior modulo different primes, the results will not be
easy to combine; for example, if $u(x)$
actually is the product of four quadratic polynomials, it will
be hard to match up their images with respect to different prime
moduli. Therefore it is desirable to stick to a single prime and
to see how much mileage we can get out of it, once we feel that the
factors modulo this prime have the right degrees.
One idea is to work modulo a very {\sl large} prime
$p$, big enough so that the coefficients in any true factorization
$u(x) = v(x)w(x)$ over the integers must actually lie between
$-p/2$ and $p/2$. Then all possible integer factors can be ``read
off'' from the mod $p$ factors we know how to compute.
Exercise 20 shows how to obtain fairly good bounds
on the coefficients of polynomial factors. For example, if (21)
were reducible it would have a factor $v(x)$ of degree $≤4$, and
the coefficients of $v$ would be at most 67 in magnitude by
the results of that exercise. So all potential factors of $u(x)$
will be fairly evident if we work modulo any prime $p > 134$.
Indeed, the complete factorization modulo 137 is
$$(x↑3 + 32x↑2 + 21x + 56)(x↑5 - 32x↑4 + 45x↑3 - 2x↑2 - 51x - 27),$$
and we see immediately that $x↑3 +\cdots
+ 56$ is not a factor since 56 doesn't divide 5.\xskip $\biglp$Incidentally,
it is not trivial to obtain good bounds on the coefficients
of polynomial factors, since a lot of cancellation can occur
when polynomials are multiplied. For example, the innocuous-looking
polynomial $x↑n - 1$ has irreducible factors whose coefficients
exceed $\exp(n↑{1/\!\lg\lg n})$ for infinitely many $n$.\xskip
[See R. C. Vaughan, {\sl Michigan Math.\ J. \bf 21} (1974), 289--295].\xskip
The factorization of $x↑n-1$ is discussed in exercise 32.$\bigrp$
Instead of using a large prime $p$, which might
have to be truly enormous if $u(x)$ has large degree or large
coefficients, we can also make use of small $p$, provided that
$u(x)$ is squarefree mod $p$. For in this case, an important
construction introduced by K. Hensel [{\sl Theorie der Algebraischen
Zahlen} (Leipzig: Teubner, 1908), Chapter 4] can be used to
extend a factorization modulo $p$ in a unique way to a factorization
modulo $p↑e$ for arbitrarily high $e$. Hensel's method is described
in exercise 22; if we apply it to (22) with $p = 13$ and $e
= 2$, we obtain the unique factorization $u(x) ≡ (x - 36)(x↑3
- 18x↑2 + 82x - 66)(x↑4 + 54x↑3 - 10x↑2 + 69x + 84) \modulo
{169} = v↓1(x)v↓3(x)v↓4(x)$, say. Clearly $v↓1(x)$ and $v↓3(x)$
are not factors of $u(x)$ over the integers; and neither is
their product $v↓1(x)v↓3(x)$ when the coefficients have been
reduced modulo 169 to the range $(-{169\over 2},{169\over
2})$. Thus we have exhausted all possibilities, proving once
again that $u(x)$ is irreducible over the integers---this time
using only its factorization modulo 13.
The example we have been considering is atypical
in one important respect: We have been factoring the {\sl monic}
polynomial $u(x)$ in (21), so we could assume that all its factors
were monic. What should we do if $u↓n > 1$? In such a case,
the leading coefficients of all but one of the polynomial factors
can be varied almost arbitrarily modulo $p↑e$; we certainly
don't want to try all possibilities. Perhaps the reader has
already noticed this problem. Fortunately there is a simple way
out: the factorization $u(x) = v(x)w(x)$ implies a factorization
$u↓nu(x) = v↓1(x)w↓1(x)$ where $\lscr(v↓1) = \lscr(w↓1) = u↓n =
\lscr(u)$.\xskip (``Do you mind if I multiply your polynomial by its
leading coefficient before factoring it?'')\xskip We can proceed essentially
as above, but using $p↑e ≥ 2B$ where $B$ now bounds the maximum
coefficient for factors of $u↓nu(x)$ instead of $u(x)$.
Putting these observations all together results in the following procedure:
\yskip\hang\textindent{\bf F1.}Find the unique factorization
$u(x) ≡ \lscr(u)v↓1(x)\ldotsm v↓r(x)\modulo {p↑e}$, where $p↑e$ is sufficiently
large as explained above, and where
the $v↓j(x)$ are monic.\xskip (This will be possible for all but a
few primes $p$, see exercise 23.)\xskip Set $d ← 1$.
\yskip\hang\textindent{\bf F2.}For every combination of factors $v(x) = v↓{i↓1}
(x) \ldotsm v↓{i↓d}(x)$, with $i↓1
= 1$ if $d = {1\over 2}r$, form the unique polynomial
$\=v(x) ≡ \lscr(u)v(x)\modulo {p↑e}$ whose coefficients all lie
in the interval $[-{1\over 2}p↑e, {1\over 2}p↑e)$. If $\=v(x)$
divides $\lscr(u)u(x)$, output the factor pp$\biglp \=v(x)\bigrp
$, divide $u(x)$ by this factor, and remove the corresponding
$v↓i(x)$ from the list of factors modulo $p↑e$; decrease $r$ by the number of
factors removed, and terminate the algorithm if $d>{1\over2}r$.
\yskip\hang\textindent{\bf F3.}Increase $d$ by 1, and return to F2 if $d ≤ {1\over
2}r$.\quad\blackslug
\yyskip\noindent At the conclusion of this process, the current value of
$u(x)$ will be the final irreducible factor of the originally
given polynomial. Note that if $|u↓0| < |u↓n|$, it is preferable
to do all of the work with the reverse polynomial $u↓0x↑n +\cdots
+ u↓n$, whose factors are the reverses of the factors of $u(x)$.
The above algorithm contains an obvious bottleneck:
We may have to test as many as $2↑{r-1}$ potential factors $v(x)$.
The average value of $2↑r$ in a random situation is about $n$,
or perhaps $n↑{1.5}$ (see exercise 5), but in nonrandom situations
we will want to speed up this part of the routine as much as
we can. One way to rule out spurious factors quickly is to compute
the trailing coefficient $\=v(0)$ first, continuing only if this
divides $\lscr(u)u(0)$.
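
Steps F2 and F3, together with the trailing-coefficient test just mentioned, are carried out by the following Python code for the special case that $u(x)$ is monic, as in example (21). It is an added example, not part of the original text, and its function names are choices made here. The factors modulo 169 are those quoted above; the polynomial $x↑4+4$ and its linear factors modulo 25 are constructed for the illustration, and the modulus is assumed to be large enough for the coefficients of the true factors.

```python
from itertools import combinations

# Added example. Integer polynomials are coefficient lists, lowest degree first.
def mul(a, b):
    c = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            c[i + j] += x * y
    return c

def symmetric(c, m):
    """The representative of c modulo m that lies in [-m/2, m/2)."""
    return (c + m // 2) % m - m // 2

def exact_quotient(u, v):
    """u(x)/v(x) over the integers for monic v(x), or None when v does not divide u."""
    r, q = u[:], [0] * max(len(u) - len(v) + 1, 0)
    for k in range(len(u) - len(v), -1, -1):
        q[k] = r[k + len(v) - 1]
        for i, y in enumerate(v):
            r[k + i] -= q[k] * y
    return None if any(r) else q

def combine(u, mods, m):
    """Steps F2 and F3 for monic u(x); mods holds its monic factors modulo m = p^e."""
    u, mods, found, d = u[:], [f[:] for f in mods], [], 1
    while 2 * d <= len(mods):                      # F3: go on while d <= r/2
        hit = None
        for combo in combinations(range(len(mods)), d):
            if 2 * d == len(mods) and combo[0] != 0:
                break                              # i_1 = 1 when d = r/2
            t = 1
            for i in combo:                        # trailing coefficient first
                t = t * mods[i][0] % m
            t = symmetric(t, m)
            if t != 0 and u[0] % t != 0:
                continue                           # does not divide u(0): spurious
            v = [1]
            for i in combo:
                v = mul(v, mods[i])
            v = [symmetric(c, m) for c in v]
            q = exact_quotient(u, v)
            if q is not None:
                hit = (combo, v, q)
                break
        if hit is None:
            d += 1
        else:
            combo, v, q = hit
            found.append(v)                        # monic, hence already primitive
            u = q
            mods = [f for i, f in enumerate(mods) if i not in combo]
    return found + [u]                             # what is left of u is irreducible

U21 = [-5, 2, 8, -3, -3, 0, 1, 0, 1]               # the polynomial (21)
MOD169 = [[-36, 1], [-66, 82, -18, 1], [84, 69, -10, 54, 1]]   # factors quoted in the text
U_C = [4, 0, 0, 0, 1]                              # constructed: x^4 + 4
MOD25 = [[-6, 1], [-17, 1], [-8, 1], [-19, 1]]     # constructed: its factors modulo 25

if __name__ == "__main__":
    print(combine(U21, MOD169, 169))               # one entry: (21) is irreducible
    print(combine(U_C, MOD25, 25))                 # x^2 + 2x + 2 and x^2 - 2x + 2
```
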
Another important way to speed up the procedure
is to reduce $r$ so that it tends to reflect the true number
of factors. The distinct degree factorization algorithm above
can be applied for various small primes $p↓j$, thus obtaining
for each prime a set $D↓j$ of possible degrees of factors modulo
$p↓j$; see exercise 26. We can represent $D↓j$ as a string of
$n$ binary bits. Now we compute the intersection $\union D↓j$, namely
the logical ``and'' of these bit strings, and we perform step
F2 only for $d \in \union D↓j$. Furthermore $p$ is selected as that
$p↓j$ having the smallest value of\penalty999\ $r$. This technique is due
to David R. Musser, whose experience suggests trying about five
primes $p↓j$ (see {\sl JACM \bf 25} (1978), 271--282).
Of course we would stop immediately if the current
$\union D↓j$ shows that $u(x)$ is irreducible.
Musser has given a
complete discussion of a factorization method similar to the steps above, in
{\sl JACM \bf 22} (1975), 291--308. The procedure above incorporates an
improvement suggested in 1978 by G. E. Collins, namely to look for trial divisors
by taking combinations of $d$ factors at a time rather than combinations of total
degree $d$. This improvement is important because of the statistical
behavior of the modulo-$p$ factors of polynomials that are irreducible
over the rationals (cf.\ exercise 33).
%folio 558 galley 14 (C) Addison-Wesley 1978 *
\subsectionbegin{Greatest common divisors} Similar techniques
can be used to calculate greatest common divisors of polynomials:
If $\gcd\biglp u(x), v(x)\bigrp = d(x)$ over the integers, and
if $\gcd\biglp u(x), v(x)\bigrp = q(x)\modulo p$ where $q(x)$
is monic, then $d(x)$ is a common divisor of $u(x)$ and $v(x)$
modulo $p$; hence
$$d(x)\quad\hjust{divides}\quad q(x)\quad\modulo p.\eqno(23)$$
If $p$ does not divide the leading coefficients
of both $u$ and $v$, it does not divide the leading coefficient
of $d$; in such a case $\hjust{deg}(d) ≤\hjust{deg}(q)$. When $q(x) = 1$
for such a prime $p$, we must therefore have deg$(d) = 0$, and
$d(x) =\gcd\biglp\hjust{cont}(u), \hjust{cont}(v)\bigrp $. This justifies
the remark made in Section 4.6.1 that the simple computation
of $\gcd\biglp u(x), v(x)\bigrp$ modulo 13 in 4.6.1--6 is enough
to prove that $u(x)$ and $v(x)$ are relatively prime over the
integers; the comparatively laborious calculations of Algorithm
4.6.1E or Algorithm 4.6.1C are unnecessary. Since two random
primitive polynomials are almost always relatively prime over
the integers, and since they are relatively prime modulo $p$
with probability $1 - 1/p$, it is usually a good idea to do
the computations modulo $p$.
As remarked above, we need good methods also for
the nonrandom polynomials that arise in practice. Therefore we wish to
sharpen our techniques and discover how to find $\gcd\biglp u(x),v(x)\bigrp$
in general, over the integers, based entirely on information that we obtain
working modulo primes $p$. We may assume that $u(x)$ and $v(x)$ are
primitive.
Instead of calculating $\gcd\biglp u(x), v(x)\bigrp$ directly, it will
be convenient to search instead for the polynomial
$$\=d(x) = c \cdot\gcd\biglp u(x), v(x)\bigrp ,\eqno(24)$$
where the constant $c$ is chosen so that
$$\lscr(\=d) =\gcd\biglp\lscr(u),\lscr(v)\bigrp .\eqno(25)$$
This condition will always hold for suitable $c$,
since the leading coefficient of any common divisor of $u(x)$
and $v(x)$ must be a divisor of $\gcd\biglp \lscr(u), \lscr(v)\bigrp
$. Once $\=d(x)$ has been found satisfying these conditions,
we can readily compute pp$\biglp \=d(x)\bigrp $, which is
the true greatest common divisor of $u(x)$ and $v(x)$. Condition
(25) is convenient since it avoids the uncertainty of unit multiples
of the gcd; it is essentially the idea we used to control leading
coefficients in our factorization routine.
If $p$ is a sufficiently large prime, based on
the bounds for coefficients in exercise 20 applied either to
$\lscr(\=d)u(x)$ or $\lscr(\=d)v(x)$, let us compute
the unique polynomial $\=q(x) ≡ \lscr(\=d)q(x)\modulo
p$ having all coefficients in $[-{1\over 2}p, {1\over 2}p)$.
When pp$\biglp \=q(x)\bigrp$ divides both $u(x)$ and $v(x)$,
it must equal $\gcd\biglp u(x), v(x)\bigrp$ because of (23).
On the other hand if it does not divide both $u(x)$ and $v(x)$
we must have deg$(q) >\hjust{deg}(d)$. A study of Algorithm 4.6.1E
reveals that this will be the case only if $p$ divides the leading
coefficient of one of the nonzero remainders computed by that
algorithm with exact integer arithmetic; otherwise Euclid's
algorithm modulo $p$ deals with precisely the same sequence
of polynomials as Algorithm 4.6.1E except for nonzero constant
multiples (modulo $p$). So only a small number of ``unlucky''
primes can cause us to miss the gcd, and we will soon find it
if we keep trying.
If the bound on coefficients is so large that single-precision
primes $p$ are insufficient, we can compute $\=d(x)$
modulo several primes $p$ until it has been determined via the
Chinese remainder algorithm in Section 4.3.2. This approach,
which is due to W. S. Brown and G. E. Collins, has been described
in detail by Brown in {\sl JACM \bf 18} (1971), 478--504. Alternatively,
as suggested by J. Moses and D. Y. Y. Yun [{\sl Proc.\ ACM Conf.\
\bf 28} (1973), 159--166], we can use Hensel's method to determine
$\=d(x)$ modulo $p↑e$ for sufficiently large $e$. Hensel's
construction is valid directly only when
$$\gcd\biglp d(x),\,u(x)/d(x)\bigrp = 1\qquad\hjust{or}\qquad\gcd\biglp
d(x),\,v(x)/d(x)\bigrp = 1,\eqno (26)$$
since the idea is to apply the techniques of exercise
22 to one of the factorizations $\lscr(\=d)u(x) ≡ \=q(x)
u↓1(x)$ or $\lscr(\=d)v(x) ≡ \=q(x)v↓1(x)\modulo
p$. In the comparatively rare cases when (26) fails, we can
still find the gcd by casting out squared factors in an appropriate
manner, as shown in exercise 29. The complete procedure has
been discussed by Miola and Yun in {\sl SIGSAM Bulletin \bf 8},
3 (August 1974), 46--54; it appears to be computationally superior
to the Chinese remainder approach.
The gcd algorithms sketched here are significantly
faster than those of Section 4.6.1 except when the polynomial
remainder sequence is very short. Perhaps the best combined
approach would be to start with the computation of $\gcd\biglp
u(x), v(x)\bigrp$ modulo a fairly small prime $p$, not a divisor
of both $\lscr(u)$ and $\lscr(v)$. If the result $q(x)$ is 1, we're
done; if it has high degree, we use Algorithm 4.6.1C\null; otherwise
we use one of the above methods, first computing a bound for
the coefficients of $\=d(x)$ based on the coefficients
of $u(x), v(x)$, and the (small) degree of $q(x)$. As in the
factorization problem, we should apply this procedure to the
reverses of $u(x), v(x)$ and reverse the result, if the trailing
coefficients are simpler than the leading ones.
\subsectionbegin{Multivariate polynomials} Similar
techniques lead to useful algorithms for factorization or gcd
calculations on multivariate polynomials with integer coefficients.
Such a polynomial $u(x↓1, \ldotss , x↓t)$ can be dealt with modulo
the irreducible polynomials $x↓2 - a↓2$, $\ldotss$, $x↓t - a↓t$,
yielding the univariate polynomial $u(x↓1, a↓2, \ldotss , a↓t)$;
these irreducible polynomials play the role of $p$
in the above discussion.\xskip $\biglp$Note that $v(x)\mod (x - a)$ is
$v(a)$.$\bigrp$\xskip When the integers $a↓2$, $\ldotss$,
$a↓t$ have been chosen so that $u(x↓1, a↓2, \ldotss , a↓t)$ has
the same degree in $x↓1$ as $u(x↓1, x↓2, \ldotss , x↓t)$, an
appropriate generalization of Hensel's construction will ``lift'' squarefree
factorizations of this univariate polynomial to factorizations
modulo $(x↓2 - a↓2)↑{n↓2}$, $\ldotss$, $(x↓t - a↓t)↑{n↓t}$,
where $n↓j$ is the degree of $x↓j$ in $u$; at the same time
we can work also modulo an appropriate integer prime $p$. As many
as possible of the $a↓j$ should be zero, so that sparseness
of the intermediate results is retained. For details, see P.
S. Wang and L. P. Rothschild, {\sl Math.\ Comp.\ \bf 29} (1975),
935--950, in addition to the papers by Musser and by Moses and
Yun cited earlier.
\exbegin{EXERCISES}
\trexno 1. [M24] Let $p$ be prime.
What is the probability that a random polynomial of degree\penalty999\ $n$
has a linear factor (a factor of degree 1), when $n ≥ p$?\xskip (Assume
that each of the $p↑n$ monic polynomials modulo $p$ is equally
probable.)
\trexno 2. [M25] (a) Show that any monic polynomial $u(x)$, over
a unique factorization domain, may be expressed uniquely in
the form
$$u(x) = v(x)↑2w(x),$$
where $w(x)$ is squarefree $\biglp$has no factor of positive
degree of the form $d(x)↑2\bigrp$ and both $v(x)$ and $w(x)$
are monic.\xskip(b) (E. R. Berlekamp.)\xskip How many monic
polynomials of degree $n$ are squarefree modulo $p$, when $p$
is prime?
\exno 3. [M25] Let $u↓1(x)$, $\ldotss$, $u↓r(x)$ be polynomials
over a field $S$, with $u↓j(x)$ relatively prime to $u↓k(x)$
for all $j ≠ k$. For any given polynomials $w↓1(x)$, $\ldotss$,
$w↓r(x)$ over $S$, prove that there is a unique polynomial $v(x)$
over $S$ such that
$$\def\\{\hjust{deg}}
\\(v)<\\(u↓1)+\cdots+\\(u↓r)$$
and
$$v(x) ≡ w↓j(x)\quad \biglp\hjust{modulo }u↓j(x)\bigrp$$
for $1 ≤j≤r$.\xskip (Compare with Theorem 4.3.2C.)
\exno 4. [HM28] Let $a↓{np}$ be the number of monic irreducible
polynomials of degree $n$, modulo a prime $p$. Find a formula
for the generating function $G↓p(z) = \sum ↓n a↓{np}z↑n$.\xskip [{\sl Hint:}
Prove the following identity connecting power series: $f(z)
= \sum ↓{j≥1}g(z↑j)/j↑t$ if and only if
$g(z)=\sum↓{n≥1} \mu (n)f(z↑n)/n↑t$.]\xskip What is $\lim↓{p→∞}a↓{np}/p↑n$?
\exno 5. [HM30] Let $A↓{np}$ be the average number of factors
of a randomly selected polynomial of degree $n$, modulo a prime
$p$. Show that
$\lim↓{p→∞} A↓{np} = H↓n$.\xskip What is the limiting average value of $2↑r$,
when there are $r$ factors?
\exno 6. [M21] (J. L. Lagrange, 1771.)\xskip Prove the congruence
(9).\xskip [{\sl Hint:} Factor $x↑p - x$ in the field of $p$
elements.]
\exno 7. [M22] Prove Eq.\ (14).
\exno 8. [HM20] How can we be sure that the vectors output by
Algorithm N are linearly independent?
\exno 9. [20] Explain how to construct a table of reciprocals
mod 101 in a simple way, given that 2 is a primitive root of
101.
\trexno 10. [21] Find the complete factorization of the polynomial
$u(x)$ in (21), modulo 2, using Berlekamp's procedure.
\exno 11. [22] Find the complete factorization of the polynomial
$u(x)$ in (21), modulo 5.
\trexno 12. [M22] Use Berlekamp's algorithm to determine the number
of factors of $u(x) = x↑4 + 1$ modulo $p$, for all primes
$p$.\xskip [{\sl Hint:} Consider the cases $p = 2$, $p = 8k + 1$, $p =
8k + 3$, $p = 8k + 5$, $p = 8k + 7$ separately; what is the matrix
$Q$? You need not discover the factors; just determine how many
there are.]
\exno 13. [M25] Give an explicit formula for the factors of
$x↑4 + 1$, modulo $p$, for all odd primes $p$, in terms of the quantities
$\sqrt{-1}$, $\sqrt2$, $\sqrt{-2}$ (if such quantities exist modulo
$p$).
\exno 14. [M30] (M. O. Rabin.)\xskip Let $w(x)=(x-s↓1)\ldotsm(x-s↓k)$ where
$0≤s↓1<\cdots<s↓k<p$, $k≥2$, and $p$ is prime. Let $P(s↓1,\ldotss,s↓k)$ be
the probability
that $\gcd\biglp w(x),\,(x+t)↑{(p-1)/2}-1\bigrp$ is neither 1 nor $w(x)$,
when $t$ is an integer selected at random, modulo $p$. Prove that
$P(s↓1,\ldotss,s↓k)≥1/2-1/(2p)$.
\trexno 15. [M27] Design an algorithm to calculate the ``square
root'' of a given integer $u$ modulo a given prime $p$, i.e.,
to find an integer $U$ such that $U↑2 ≡ u\modulo p$ whenever
such a $U$ exists. Your algorithm should be efficient even for
very large primes $p$.\xskip (A solution to this problem leads to
a procedure for solving any given quadratic equation modulo\penalty999\ $p$, using
the quadratic formula in the usual way.)
\exno 16. [M30] (a) Given that $f(x)$ is an irreducible polynomial
modulo a prime $p$, of degree $n$, prove that the $p↑n$ polynomials
of degree less than $n$ form a field under arithmetic modulo
$f(x)$ and $p$.\xskip ({\sl Note:} The existence of irreducible polynomials
of each degree is proved in exercise 4; therefore fields with
$p↑n$ elements exist for all primes $p$ and all $n ≥ 1$.)\xskip
(b) Show that any field with $p↑n$ elements has a ``primitive root'' element
$\xi$ such that the elements of the field are $\{0,1,\xi,\xi↑2,\ldotss,
\xi↑{p↑n-2}\}$.\xskip[{\sl Hint:} Exercise 3.2.1.2-16 proves this when
$n=1$.]\xskip(c) If $f(x)$ is an irreducible polynomial modulo $p$, of
degree $n$, prove that $x↑{p↑m}-x$ is divisible by $f(x)$ if and only if
$m$ is a multiple of $n$.\xskip$\biglp$It follows that we can test
irreducibility rather quickly: A given $n$th degree polynomial $f(x)$ is
irreducible modulo $p$ if and only if $x↑{p↑n}-x$ is divisible by $f(x)$
and $\gcd\biglp x↑{p↑{n/q}}-x,\,f(x)\bigrp = 1$ for all primes $q$ dividing $n
$.$\bigrp$
%folio 568 galley 15 (C) Addison-Wesley 1978 *
\exno 17. [M23] Let $F$ be a field with $13↑2$ elements. How
many elements of $F$ have order $f$, for each integer $f$ with
$1 ≤ f < 13↑2$?\xskip (The ``order'' of an element $a$ is the least
positive integer $m$ such that $a↑m = 1$.)
\trexno 18. [M25] Let $u(x) = u↓nx↑n +\cdots + u↓0,
u↓n ≠ 0$, be a primitive polynomial with integer coefficients,
and let $v(x)$ be the monic polynomial defined by
$$v(x) = u↑{n-1}↓{n} \cdot u(x/u↓n) = x↑n + u↓{n-1}x↑{n-1}
+ u↓{n-2}u↓nx↑{n-2} +\cdots + u↓0u↑{n-1}↓{n}.$$
(a) Given that $v(x)$ has the complete factorization
$p↓1(x) \ldotsm p↓r(x)$ over the integers, where each $p↓j(x)$
is monic, what is the complete factorization of $u(x)$ over
the integers?\xskip (b) If $w(x) = x↑m + w↓{m-1}x↑{m-1} +\cdots
+ w↓0$ is a factor of $v(x)$, prove that $w↓k$ is a multiple
of $u↑{m-1-k}↓{n}$ for $0 ≤ k < m$.
\exno 19. [M20] ({\sl Eisenstein's criterion.})\xskip Perhaps the best-known
class of irreducible polynomials over the integers was introduced
by G. Eisenstein in {\sl J. f\"ur die reine und angew.\
Math.\ \bf 39} (1850), 166--167:\xskip Let $p$ be prime and let $u(x)
= u↓nx↑n +\cdots + u↓0$ have the following properties:\xskip
(i) $u↓n$ is not divisible by $p$;\xskip(ii) $u↓{n-1}$, $\ldotss$, $u↓0$
are divisible by $p$;\xskip(iii) $u↓0$ is not divisible by $p↑2$.
Show that $u(x)$ is irreducible over the integers.
\exno 20. [HM28] If $u(x) = u↓nx↑n +\cdots + u↓0$
is any polynomial over the complex numbers, let $|u| = \biglp|u↓n|↑2
+\cdots + |u↓0|↑2\bigrp↑{1/2}$.\xskip (a) Let $g(x) = (x - α)u(x)$
and $h(x) = (\=αx - 1)u(x)$, where $α$ is any complex
number and $\=α$ is its complex conjugate.
Prove that $|g| = |h|$.\xskip (b) Let the complete factorization
of $u(x)$ over the complex numbers be $u↓n{(x - α↓1)} \ldotsm
{(x - α↓n)}$, and write $M(u) = \prod↓{1≤j≤n}\max(1, |α↓j|)$. Prove
that $M(u) ≤ |u|/|u↓n|$.\xskip (c) Show that $|u↓j| ≤ |u↓n|\mathopen{\vcenter{
\hjust{\:@\char'0}}}{n-1\choose j}M(u)+{n-1\choose j-1}\mathclose{\vcenter{
\hjust{\:@\char'1}}}$
for $0 ≤ j ≤ n$.\xskip (d) Combine these results to prove that if
$u(x) = v(x)w(x)$ and $v(x) = v↓mx↑m +\cdots + v↓0$,
where $u$, $v$, $w$ all have integer coefficients, the coefficients
of $v$ are bounded by
$$\textstyle|v↓j| ≤ {m-1\choose j}|u| + {m-1\choose j-1}|u↓n|.$$
\exno 21. [HM30] The purpose of this
exercise is to obtain useful bounds on the coefficients of {\sl
multivariate} polynomial factors over the integers. Given a
polynomial $u(x↓1, \ldotss , x↓t)$ over the complex numbers,
let $|u|$ be $\biglp\sum |u↓{j↓1 \ldotsm j↓t}|↑2\bigrp↑{1/2}$ summed over
all the coefficients. Let $e(x) = e↑{2πix}$.\xskip (a) Prove that
$$|u|↑2 = \int ↑{1}↓{0} \cdotss\int ↑{1}↓{0}\left|u\biglp
e(\theta↓1), \ldotss, e(\theta↓t)\bigrp\right|↑2\,d\theta
↓t \ldotsm d\theta ↓1.$$
(b) Let $u(x) = v(x)w(x)$, where deg$(v) = m$ and
deg$(w) = k$. Use the results of exercise 20 to show that $|v||w|
≤ f(m, k)↑{1/2}|u|$, where $f(m, k) = {2m\choose m}{2k\choose
k}$.\xskip (c) Let $u(x↓{1}, \ldotss , x↓t) = v(x↓1, \ldotss , x↓t)w(x↓1,
\ldotss , x↓t)$, where $v$ and $w$ have the respective degrees
$m↓j$ and $k↓j$ in $x↓j$. Prove that
$$|v||w| ≤ \biglp f(m↓1, k↓1) \ldotsm f(m↓t, k↓t)\bigrp↑{1/2}|u|.$$
\trexno 22. [M24] ({\sl Hensel's Lemma.})\xskip
Let $u(x)$, $v↓e(x)$, $w↓e(x)$, $a(x)$, $b(x)$ be polynomials with integer
coefficients, satisfying the relations
$$u(x) ≡ v↓e(x)w↓e(x)\;\modulo{p↑e},\qquad
a(x)v↓e(x) + b(x)w↓e(x) ≡ 1\;\modulo p,$$
where $p$ is prime, $e ≥ 1$, $v↓e(x)$ is monic, deg$(a)
<\hjust{deg}(w↓e)$, deg$(b) <\hjust{deg}(v↓e)$, and deg$(u) =\hjust{deg}(v↓e)
+\hjust{deg}(w↓e)$. Show how to compute polynomials $v↓{e+1}(x) ≡
v↓e(x)$ and $w↓{e+1}(x) ≡ w↓e(x)$ (modulo $p↑e$), satisfying
the same conditions with $e$ increased by 1. Furthermore, prove
that $v↓{e+1}(x)$ and $w↓{e+1}(x)$ are unique, modulo $p↑{e+1}$.
Use your method for $p = 2$ to prove that (21)
is irreducible over the integers, starting with its factorization
mod 2 found in exercise 10.\xskip $\biglp$Note that Euclid's extended algorithm,
exercise 4.6.1--3, will get the process started for $e = 1$.$\bigrp$
\exno 23. [HM23] Let $u(x)$ be a squarefree polynomial with integer
coefficients.
Prove that there are only
finitely many primes $p$ such that $u(x)$ is not squarefree
modulo $p$.
\exno 24. [M20] The text speaks only of factorization over the
integers, not over the field of rational numbers. Explain how
to find the complete factorization of a polynomial with rational
coefficients, over the field of rational numbers.
\exno 25. [M25] What is the complete factorization of $x↑5 +
x↑4 + x↑2 + x + 2$ over the field of rational numbers?
\exno 26. [20] Let $d↓1$, $\ldotss$, $d↓r$ be the degrees of the
irreducible factors of $u(x)$ modulo $p$, with proper multiplicity,
so that $d↓1 +\cdots + d↓r = n =\hjust{deg}(u)$. Explain
how to compute the set $\leftset\hjust{deg}(v) \relv u(x) ≡
v(x)w(x)\modulo p$ for some $v(x), w(x)\rightset$ by performing $O(r)$
operations on binary bit strings of length $n$.
\exno 27. [HM30] Prove that a random primitive polynomial over
the integers is ``almost always'' irreducible, in some appropriate
sense.
\exno 28. [M18] True or false: If $u(x)≠0$ and the complete factorization
of $u(x)$ modulo $p$ is $p↓1(x)↑{e↓1}\ldotsm p↓r(x)↑{e↓r}$,
then $u(x)/\gcd\biglp u(x), u↑\prime
(x)\bigrp = p↓1(x) \ldotsm p↓r(x)$.
\trexno 29. [M21] (J. Moses and D. Y. Y. Yun.)\xskip Given an algorithm
for evaluating $d(x) = \gcd\biglp u(x), v(x)\bigrp$ subject
to condition (26), show how to compute the gcd in general (for
polynomials over the integers).
\exno 30. [M25] What is the probability that the distinct degree
factorization will completely factor a random polynomial of
degree $n$, modulo $p$, for fixed $n$ as $p → ∞$?
\exno 31. [M30] (M. O. Rabin, M. Ben-Or.)\xskip Let $p$ be an odd prime, and
let $g(x)$ be a polynomial whose irreducible factors modulo $p$ all have
the same degree $d$. Explain how to find a factor of $g(x)$ efficiently
by generalizing (20), using polynomial arithmetic in a field of $p↑d$
elements.
\def\+{\hjust{$\Psi$\hskip-1.5pt}}
\trexno 32. [M30] ({\sl Cyclotomic polynomials.})\xskip Let $\+↓n(x)=
\prod↓{1≤k≤n,\,\gcd(k,n)=1}(x-\omega↑k)$, where $\omega=e↑{2πi/n}$; thus,
the roots of $\+↓n(x)$ are the complex primitive $n$th roots of unity.
\xskip(a) Prove that $\+↓n(x)$ is a polynomial with integer coefficients,
satisfying$$\chop to 12pt{x↑n-1=\prod↓{d\rslash n}\+↓d(x);\qquad
\+↓n(x)=\prod↓{d\rslash n}(x↑d-1)↑{\mu(n/d)}.}$$
$\biglp$Cf.\ exercises 4.5.2--10(b) and 4.5.3--28(c).$\bigrp$\xskip
(b) Prove that $\+↓n(x)$ is irreducible over the integers, hence the above
formula is the complete factorization of $x↑n-1$ over the integers.\xskip
[{\sl Hint:} If $f(x)$ is an irreducible factor of $\+↓n(x)$ over the
integers, and if $\zeta$ is a complex number with $f(\zeta)=0$, prove that
$f(\zeta↑p)=0$ for all primes $p$ not dividing $n$. It may help to use the
fact that $x↑n-1$ is squarefree modulo $p$ for such primes.]\xskip(c) Discuss
the calculation of $\+↓n(x)$, and tabulate the values for $n≤15$.
\exno 33. [M22] (George E. Collins.)\xskip Let $d↓1$, $\ldotss$, $d↓r$ be
positive integers whose sum is $n$, and let $p$ be prime. What is
the probability that the irreducible factors of a random $n$th-degree
integer polynomial $u(x)$ have degrees $d↓1$, $\ldotss$, $d↓r$?
Show that this probability is asymptotically
the same
as the probability that a random permutation on $n$ elements has cycles of
lengths $d↓1$, $\ldotss$, $d↓r$.
\exno 34. [M47] (V. R. Pratt.)\xskip If possible, find a way to construct
proofs of irreducibility for all polynomials that are irreducible over the
integers, so that the length of proof is at most a polynomial in deg$(u)$ and
the length of its coefficients.\xskip(Only a bound on {\sl length} of proof is
requested here, as in exercise 4.5.4--17, not a bound on the time needed to
find such a proof.)
%folio 570 galley 16 (C) Addison-Wesley 1978 *
\runningrighthead{EVALUATION OF POWERS}
\section{4.6.3}
\sectionskip
\sectionbegin{4.6.3. Evaluation of Powers}
In this section we shall study the interesting
problem of computing $x↑n$ efficiently, given $x$ and $n$, where
$n$ is a positive integer. Suppose, for example, that we need
to compute $x↑{16}$; we could simply start with $x$ and
multiply by $x$ fifteen times. But it is possible to obtain
the same answer with only four multiplications, if we repeatedly
take the square of each partial result, successively forming
$x↑2$, $x↑4$, $x↑8$, $x↑{16}$.
The same idea applies, in general, to any value
of $n$, in the following way: Write $n$ in the binary number
system (suppressing zeros at the left). Then replace each ``1''
by the pair of letters SX, replace each ``0'' by S, and cross
off the ``SX'' that now appears at the left. The result is
a rule for computing $x↑n$, if ``S'' is interpreted as the operation
of {\sl squaring}, and if ``X'' is interpreted as the operation
of {\sl multiplying by $x$.} For example, if $n = 23$, its binary
representation is 10111; so we form the sequence SX S SX SX
SX and remove the leading SX to obtain the rule SSXSXSX. This
rule states that we should ``square, square, multiply by\penalty999\ $x$,
square, multiply by $x$, square, and multiply by $x$''; in
other words, we should successively compute $x↑2$, $x↑4$, $x↑5$,
$x↑{10}$, $x↑{11}$, $x↑{22}$, $x↑{23}$.
This ``binary method'' is easily justified by a
consideration of the sequence of exponents in the calculation:
If we reinterpret ``S'' as the operation of multiplying by 2
and ``X'' as the operation of adding 1, and if we start with
1 instead of $x$, the rule will lead to a computation of $n$
because of the properties of the binary number system. The method
is quite ancient; it appeared before 200 {\:m B.C.}
in Pingala's Hindu classic Chandah-s\A utra
[see B. Datta and A. N. Singh, {\sl History of Hindu Mathematics}
{\bf 1} (Bombay, 1935), 76]; however, there seem to be no other
references to this method outside of India during the next 2000
years!
The S-and-X binary method for obtaining $x↑n$ requires
no temporary storage except for $x$ and the current partial
result, so it is well suited for incorporation in the hardware
of a binary computer. The method can also be readily programmed
for either binary or decimal computers; but it requires that
the binary representation of $n$ be scanned from left to right,
while it is usually more convenient to do this from right to
left. For example, with a binary computer we can shift the binary
value of $n$ to the right one bit at a time until zero is reached;
with a decimal computer we can divide by 2 (or, equivalently,
multiply by 5 or ${1\over 2}$) to deduce the binary representation
from right to left. Therefore the following algorithm, based
on a right-to-left scan of the number, is often more convenient:
\algbegin Algorithm A (Right-to-left binary
method for exponentiation). This algorithm evaluates
$x↑n$, where $n$ is a positive integer.\xskip (Here $x$ belongs to
any algebraic system in which an associative multiplication,
with identity element 1, has been defined.)
\algstep A1. [Initialize.] Set $N ← n$, $Y ← 1$, $Z ← x$.
\topinsert{\vskip40mm
\hjust to size{\caption Fig.\ 12. Evaluation of $x↑n$,
based on a right-to-left scan of the binary notation for $n$.}}
\algstep A2. [Halve $N$.] (At this point, we have the relation
$x↑n = Y \cdot Z↑N$.)\xskip Set $N ← \lfloor N/2\rfloor$, and at the
same time determine whether $N$ was even or odd. If $N$ was
even, skip to step A5.
\algstep A3. [Multiply $Y$ by $Z$.] Set $Y ← Z$ times $Y$.
\algstep A4. [$N = 0$?] If $N = 0$, the algorithm
terminates, with $Y$ as the answer.
\algstep A5. [Square $Z$.] Set $Z ← Z$ times $Z$, and return
to step A2.\quad\blackslug
\yyskip As an example of Algorithm
A\null, consider the steps in the evaluation of $x↑{23}$:
$$\vjust{\halign{#\hskip 30pt\hfill⊗\hfill#\hskip 30pt⊗$#$\hfill\qquad⊗$#$\hfill\cr
⊗$N$⊗Y⊗Z\cr
\noalign{\vskip 3pt}
After step A1⊗23⊗1⊗x\cr
After step A4⊗11⊗x⊗x\cr
After step A4⊗5⊗x↑3⊗x↑2\cr
After step A4⊗2⊗x↑7⊗x↑4\cr
After step A4⊗0⊗x↑{23}⊗x↑{16}\cr}}$$
A \MIX\ program corresponding to Algorithm A appears in
exercise 2.
\yskip The great calculator al-Kash\A\i\ stated Algorithm
A about 1414 {\:m A.D.} [{\sl
Istoriko-Mat.\ Issledovani\t\i a \bf 7} (1954), 256--257]. It is
closely related to a procedure for multiplication that was
used by Egyptian mathematicians as early as 1800 {\:mB.C.}
If we change step A3 to ``$Y ← Y + Z$''
and step A5 to ``$Z ← Z + Z$'', and if we set $Y$ to zero instead
of unity in step A1, the algorithm terminates with $Y = nx$.
This is a practical method for multiplication by hand, since
it involves only the simple operations of doubling, halving,
and adding. It is often called the ``Russian peasant method''
of multiplication, since Western visitors to Russia in the nineteenth
century found the method in wide use there.
The number of multiplications required by Algorithm
A is $\lfloor\lg n\rfloor + \nu(n)$, where $\nu(n)$ is the
number of ones in the binary representation of $n$. This is
one more multiplication than the left-to-right binary method
mentioned at the beginning of this section would require, due
to the fact that the first execution of step A3 is simply a
multiplication by unity.
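
The following Python sketch is an added illustration, not part of the original text. It carries out the S-and-X rule and Algorithm A for any associative multiplication supplied by the caller, and counts multiplications so that the two totals stated above can be checked; all function and parameter names are choices made for this example.

```python
# Added example (not from the original text): the left-to-right S-and-X rule
# and Algorithm A, for any associative multiplication with an identity.
# All function and parameter names are choices made for this illustration.
from operator import mul


def lam(n):
    return n.bit_length() - 1                # floor(lg n)


def nu(n):
    return bin(n).count("1")                 # number of ones in binary n


def sx_rule(n):
    """Binary digits of n with 1 -> SX, 0 -> S, and the leading SX crossed off."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    return "".join("SX" if bit == "1" else "S" for bit in bin(n)[2:])[2:]


def exponent_trace(n):
    """Justification of the rule: S doubles, X adds 1, starting from 1."""
    e, trace = 1, []
    for op in sx_rule(n):
        e = 2 * e if op == "S" else e + 1
        trace.append(e)
    return trace


def power_left_to_right(x, n, multiply=mul):
    """Apply the rule to x; return (x^n, number of multiplications)."""
    y, count = x, 0
    for op in sx_rule(n):
        y = multiply(y, y) if op == "S" else multiply(y, x)
        count += 1
    return y, count


def algorithm_a(x, n, multiply=mul, one=1):
    """Algorithm A: return (x^n, multiplications, states (N, Y, Z)).

    The states are recorded after step A1 and after each arrival at step A4.
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    N, Y, Z = n, one, x                      # A1. Initialize.
    count, states = 0, [(N, Y, Z)]
    while True:
        N, was_odd = divmod(N, 2)            # A2. Halve N.
        if was_odd:
            Y = multiply(Z, Y)               # A3. Multiply Y by Z.
            count += 1
            states.append((N, Y, Z))
            if N == 0:                       # A4. N = 0?
                return Y, count, states
        Z = multiply(Z, Z)                   # A5. Square Z.
        count += 1


if __name__ == "__main__":
    print(sx_rule(23), exponent_trace(23))
    # Multiplication mod m is one system in which each product costs the same.
    m = 1000003                              # constructed modulus for the demonstration
    print(algorithm_a(5, 23, lambda a, b: a * b % m)[:2])
    # With addition in place of multiplication and 0 in place of 1, the same
    # routine is the doubling-and-halving multiplication: Y ends as n times x.
    print(algorithm_a(17, 23, lambda a, b: a + b, one=0)[0])
```

Calling `algorithm_a(1, 23, lambda a, b: a + b, one=0)` tracks exponents instead of powers, so its recorded states reproduce the table for $x↑{23}$ given above.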
Because of the bookkeeping time required by this
algorithm, the binary method is usually not of importance for
small values of $n$, say $n ≤ 10$, unless the time for a multiplication
is comparatively large. If the value of $n$ is known in advance,
the left-to-right binary method is preferable. In some situations,
such as the calculation of $x↑n\mod u(x)$ discussed in Section
4.6.2, it is much easier to multiply by $x$ than to perform
a general multiplication or to square a value, so binary methods
for exponentiation are primarily suited for quite large $n$
in such cases. If we wish to calculate the exact multiple-precision
value of $x↑n$, when $x$ is an integer $>1$, binary methods are
no help unless $n$ is so huge that the high-speed multiplication
routines of Section 4.3.3 are involved; and such applications
are rare. Similarly, binary methods are usually inappropriate
for raising a polynomial to a power; see R. J. Fateman, {\sl
SIAM J. Computing \bf 3} (1974), 196--213, for a discussion of
the extensive literature on polynomial exponentiation. The point
of these remarks is that binary methods are nice, but not a
panacea. They are most applicable when the time to multiply
$x↑j \cdot x↑k$ is essentially independent of $j$ and $k$ (e.g.,
for floating-point multiplication, or multiplication mod $m$);
then the running time is reduced from order $n$ to order $\log
n$.
\subsectionbegin{Fewer multiplications} Several authors
have published statements (without proof) that the binary method
actually gives the {\sl minimum} possible number of multiplications.
But this is not true. The smallest counterexample is $n = 15$,
when the binary method needs 6 multiplications, yet we can calculate
$y = x↑3$ in two multiplications and $x↑{15} = y↑5$ in three
more, achieving the desired result with only 5 multiplications.
Let us now discuss some other procedures for evaluating\penalty999\ $x↑n$,
useful when $n$ is known in advance (e.g., within an optimizing
compiler).
The {\sl factor method} is based on a factorization
of $n$. If $n = pq$, where $p$ is the smallest prime factor
of $n$ and $q > 1$, we may calculate $x↑n$ by first calculating
$x↑p$ and then raising this quantity to the $q$th power. If
$n$ is prime, we may calculate $x↑{n-1}$ and multiply by $x$.
And, of course, if $n = 1$, we have $x↑n$ with no calculation
at all. Repeated application of these rules gives a procedure
for evaluating $x↑n$ given any value of $n$. For example, if we
want to calculate $x↑{55}$, we first evaluate $y = x↑5 = x↑4x
= (x↑2)↑2x$; then we form $y↑{11} = y↑{10}y = (y↑2)↑5y$. The
whole process takes eight multiplications, while the binary
method would have required nine. The factor method is better
than the binary method on the average, but there are cases $(n
= 33$ is the smallest example) where the binary method excels.
The binary method can be generalized to an {\sl $m$-ary
method} as follows: Let $n = d↓0m↑t + d↓1m↑{t-1} +\cdots
+ d↓t$, where $0 ≤ d↓j < m$ for $0 ≤ j ≤ t$. The computation
begins by forming $x$, $x↑2$, $x↑3$, $\ldotss$, $x↑{m-1}$.\xskip (Actually,
only those powers $x↑{d↓j}$ for $d↓j$ in the representation
of $n$ are needed, and this observation often saves some of
the work.)\xskip Then raise $x↑{d↓0}$ to the $m$th power and
multiply by $x↑{d↓1}$; we have computed $y↓1 = x↑{d↓0m+d↓1}$.
Next, raise $y↓1$ to the $m$th power and
multiply by $x↑{d↓2}$, obtaining $y↓2 = x↑{d↓0m↑2+d↓1m+d↓2}$.
The process continues in this way until $y↓t = x↑n$ has been
computed. Whenever $d↓j = 0$, it is, of course, unnecessary to
multiply by $x↑{d↓j}$. Note that this method reduces to the
left-to-right binary method discussed earlier, when $m=2$; but no
right-to-left $m$-ary method will give as few multiplications when
$m>2$. If $m$ is a small prime, the $m$-ary method will be
particularly efficient for calculating powers of one polynomial
modulo another, when the coefficients are treated modulo $m$ (see
Eq.\ 4.6.2--5).
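
As an added illustration (not part of the original text), the Python sketch below generates the sequence of exponents formed by the binary method, the factor method, and the $m$-ary method with $m = 2↑k$, and evaluates $x↑n$ along any such sequence with one multiplication per exponent. The function names are choices made here; the $2↑k$-ary routine assumes that the table of small powers is built up to the largest digit of $n$ and that raising to the $m$th power is done by $k$ squarings.

```python
# Added example (not from the original text): exponent sequences produced by
# the binary, factor and 2^k-ary methods, and evaluation of x^n along them.
# Function names are choices made for this illustration.
from operator import mul


def smallest_prime_factor(n):
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p
        p += 1
    return n


def binary_sequence(n):
    """Exponents formed by the left-to-right binary method: S doubles, X adds 1."""
    seq = [1]
    for bit in bin(n)[3:]:                   # binary digits after the leading 1
        seq.append(2 * seq[-1])
        if bit == "1":
            seq.append(seq[-1] + 1)
    return seq


def factor_sequence(n):
    """Exponents formed by the factor method."""
    if n == 1:
        return [1]
    p = smallest_prime_factor(n)
    if p == n:                               # n prime: form x^(n-1), then multiply by x
        return factor_sequence(n - 1) + [n]
    q = n // p                               # n = pq: form y = x^p, then y^q
    return factor_sequence(p) + [p * e for e in factor_sequence(q)[1:]]


def two_k_ary_sequence(n, k):
    """Exponents formed by the m-ary method with m = 2^k.

    Assumptions of this sketch: the table x, x^2, ... is built only up to the
    largest digit of n, and raising to the m-th power is done by k squarings.
    """
    m, digits = 1 << k, []
    while n:
        n, d = divmod(n, m)
        digits.append(d)
    digits.reverse()                         # d_0, d_1, ..., d_t
    seq = list(range(1, max(digits) + 1))
    acc = digits[0]
    for d in digits[1:]:
        for _ in range(k):
            acc *= 2
            if acc not in seq:               # small multiples of d_0 may be in the table
                seq.append(acc)
        if d:                                # no multiplication when the digit is zero
            acc += d
            seq.append(acc)
    return seq


def power_along(x, seq, multiply=mul):
    """Compute x^seq[-1] with one multiplication per element after the first."""
    powers = {1: x}
    for e in seq[1:]:
        # e must be the sum of two exponents whose powers are already known
        j = next(a for a in powers if e - a in powers)
        powers[e] = multiply(powers[j], powers[e - j])
    return powers[seq[-1]], len(seq) - 1


if __name__ == "__main__":
    for n in (15, 33, 55):
        print(n, binary_sequence(n), factor_sequence(n), two_k_ary_sequence(n, 2))
```

For $n = 15$ the 4-ary sequence coincides with the factor-method sequence 1, 2, 3, 6, 12, 15, one step shorter than the binary sequence.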
%folio 574 galley 17 Much tape unreadable. (C) Addison-Wesley 1978 *
A systematic method that gives the minimum
number of multiplications for all of the relatively small values
of $n$ (in particular, for most $n$ that occur in practical
applications) is indicated in Fig.\ 13. To calculate $x↑n$, find
$n$ in this tree, and the path from the root to $n$ indicates
the sequence of exponents that occur in an efficient evaluation
of $x↑n$. The rule for generating this ``power tree'' appears
in exercise 5. Computer tests have shown that the power tree
gives optimum results for all of the $n$ listed in the figure.
But for large enough values of $n$ the power tree method is
not always an optimum procedure; the smallest examples are $n
= 77$, 154, 233. The first case for which the power tree is
superior to both the binary method and the factor method is
$n = 23$.
\topinsert{\vskip 60mm
\ctrline{\caption Fig.\ 13. The ``power tree.''}}
\subsectionbegin{Addition chains} The most
economical way to compute $x↑n$ by multiplication is a mathematical
problem with an interesting history. We shall now examine it
in detail, not only because it is interesting in its own right,
but because it is an excellent example of the theoretical questions
that arise in a study of ``optimum methods of computation.''
Although we are concerned with multiplication of
powers of $x$, the problem can easily be reduced to addition, since the
exponents are additive. This leads us to the following abstract formulation:
An {\sl addition chain for} $n$ is a sequence of integers
$$1=a↓0,\quad a↓1, \quad a↓2, \quad\ldotss, \quad a↓r=n\eqno(1)$$
with the property that
$$a↓i=a↓j+a↓k,\qquad\hjust{for some }k≤j<i,\eqno(2)$$
for all $i=1$, 2, $\ldotss$, $r$. One way of looking at this definition is to
consider a simple computer that has an accumulator and is capable of the
three operations \.{LDA}, \.{STA}, and \.{ADD}; the machine begins with the number
1 in its accumulator, and it proceeds to compute the number $n$ by adding together
previous results. Note that $a↓1$ must equal 2, and $a↓2$ is either 2, 3, or 4.
The shortest length, $r$, for which an addition chain for $n$ exists is denoted
by $l(n)$. Our goal in the remainder of this section is to discover as much as
we can about this function $l(n)$. The values of $l(n)$ for small $n$ are
displayed in tree form in Fig.\ 14, which shows how to calculate $x↑n$ with the
fewest possible multiplications for all $n≤100$.
\topinsert{\vskip 75mm
\ctrline{\caption Fig.\ 14. A tree that minimizes the number of multiplications,
for $n≤100$.}}
The problem of determining $l(n)$ was apparently first raised by H. Dellac in
1894, and a partial solution by E. de Jonqui\`eres mentioned the factor method
[cf.\ {\sl l'Interm\'ediaire des Math\'ematiciens \bf1} (1894), 20, 162--164].
In his solution, de Jonqui\`eres listed what he felt were the values of $l(p)$ for
all prime numbers $p<200$, but his table entries for $p=107$, 149, 163, 179 were
one too high.
The factor method tells us immediately that
$$l(mn) ≤ l(m) + l(n),\eqno (3)$$
since we can take the chains 1, $a↓1$, $\ldotss$,
$a↓r = m$ and 1, $b↓1$, $\ldotss$, $b↓s = n$ and form the chain 1,
$a↓1$, $\ldotss$, $a↓r$, $a↓rb↓1$, $\ldotss$, $a↓rb↓s = mn$.
We can also recast the $m$-ary method into addition-chain
terminology. Con\-sider the case $m = 2↑k$, and write $n = d↓0m↑t
+ d↓1m↑{t-1} +\cdots + d↓t$ in the $m$-ary number system;
the corresponding addition chain takes the form
$$\baselineskip15pt\vjust{\halign{$#\hfill$\cr
1, 2, 3, \ldotss, m - 2, m - 1,\cr
\qquad 2d↓0, 4d↓0, \ldotss, md↓0, md↓0 + d↓1,\cr
\qquad\qquad 2(md↓0\!+\!d↓1), 4(md↓0\!+\!d↓1), \ldotss , m(md↓0\!
+\!d↓1), m↑2d↓0 + md↓1 + d↓2,\cr
\qquad\qquad\qquad\ldotss ,\qquad \qquad
m↑td↓0 + m↑{t-1}d↓1 +\cdots + d↓t.\cr}}\eqno(4)$$
The length of this chain is $m - 2 + (k + 1)t$;
this number can often be reduced by deleting certain elements
of the first row that do not occur among the coefficients $d↓j$,
plus elements among $2d↓0$, $4d↓0$, $\ldots$ that already appear
in the first row. Whenever digit $d↓j$ is zero, the step at
the right end of the corresponding line may, of course, be dropped. Furthermore,
as \'E. G. Belaga has observed [{\sl Doklady Akad.\ Nauk SSSR \bf226} (1976),
15--18], we can omit all the even numbers (except 2) in the first row, if we
bring values of the form $d↓j/2↑e$ into the computation $e$ steps earlier.
The simplest case of the $m$-ary method is the
binary method $(m = 2)$, when the general scheme (4) simplifies
to the ``S'' and ``X'' rule mentioned at the beginning of this
section: The binary addition chain for $2n$ is the binary chain
for $n$ followed by $2n$; for $2n + 1$ it is the binary chain
for $2n$ followed by $2n + 1$. From the binary method we conclude
that
$$l(2↑{e↓0}+ 2↑{e↓1} +\cdots + 2↑{e↓t}) ≤ e↓0 + t,\qquad
\hjust{if }e↓0 > e↓1 >\cdots
> e↓t ≥ 0.\eqno (5)$$
Let us now define two auxiliary functions for
convenience in our subsequent discussion:
$$\baselineskip 16pt\eqalignno{
λ(n) ⊗= \lfloor\lg n\rfloor ;⊗(6)\cr
\nu (n) ⊗=\hjust{number of 1's in the binary representation
of $n$.}⊗(7)\cr}$$
Thus $λ(17) = 4$, $\nu (17) = 2$; these functions may
be defined by the recurrence relations
$$\baselineskip 16pt\eqalign{λ(1)⊗=0,\cr\nu(1)⊗=1,\cr}\qquad
\eqalign{λ(2n) ⊗= λ(2n + 1) = λ(n)+ 1;\cr
\nu(2n)⊗=\nu(n),\qquad\nu(2n + 1) = \nu (n) + 1.\cr}\eqno\rpile{(8)\cr(9)\cr}$$
In terms of these functions, the binary addition chain
for $n$ requires $λ(n) + \nu (n) - 1$ steps, and (5) becomes
$$l(n) ≤ λ(n) + \nu (n) - 1.\eqno (10)$$
\subsectionbegin{Special classes of chains} We may
assume without any loss of generality that an addition chain
is ``ascending,''
$$1 = a↓0 < a↓1 < a↓2 <\cdots < a↓r = n.\eqno (11)$$
For if any two $a$'s are equal, one of them may
be dropped; and we can also rearrange the sequence (1) into
ascending order and remove terms $>n$ without destroying the
addition chain property (2). {\sl From now on we shall consider
only ascending chains}, without explicitly mentioning this assumption.
It is convenient at this point to define a few
special terms relating to addition chains. By definition we
have, for $1 ≤ i ≤ r$,
$$a↓i = a↓j + a↓k\eqno (12)$$
for some $j$ and $k$, $0 ≤ k ≤ j < i$. Let us say
that step $i$ of (11) is a {\sl doubling}, if $j = k = i - 1$;
then $a↓i$ has the maximum possible value $2a↓{i-1}$ that can
follow the ascending chain 1, $a↓1$, $\ldotss$, $a↓{i-1}$. If $j$
(but not necessarily $k$) equals $i - 1$, let us say that step
$i$ is a {\sl star step.} The importance of star steps is explained
below. Finally let us say that step $i$ is a {\sl small step}
if $λ(a↓i) = λ(a↓{i-1})$. Since $a↓{i-1} < a↓i ≤ 2a↓{i-1}$, the quantity $λ(a↓i)$
is always equal to either $λ(a↓{i-1})$ or $λ(a↓{i-1}) + 1$;
it follows that, in any chain (11), {\sl the length $r$ is equal
to $λ(n)$ plus the number of small steps.}
%folio 579 galley 18 (C) Addison-Wesley 1978 *
Several elementary relations hold between
these types of steps: Step 1 is always a doubling. A doubling
obviously is a star step, but never a small step. A doubling
must be followed by a star step. Furthermore if step $i$ is
{\sl not} a small step, then step $i + 1$ is either a small
step or a star step, or both; putting this another way, if step
$i + 1$ is neither small nor star, step $i$ must be small.
A {\sl star chain} is an addition chain that involves
only star steps. This means that each term $a↓i$ is the sum
of $a↓{i-1}$ and a previous $a↓k$; the simple ``computer'' discussed
above after Eq.\ (2) makes use only of the two operations \.{STA}
and \.{ADD} (not \.{LDA}) in a star chain, since each new term of the
sequence utilizes the pre\-ceding result in the accumulator. Most
of the addition chains we have discussed so far are star chains.
The minimum length of a star chain for $n$ is denoted by $l↑*(n)$;
clearly
$$l(n) ≤ l↑*(n).\eqno (13)$$
We are now ready to derive some nontrivial
facts about addition chains. First we can show that there must
be fairly many doublings if $r$ is not far from $λ(n)$:
\thbegin Theorem A. {\sl If the addition chain $(11)$ includes
$d$ doublings and $f = r - d$ nondoublings, then}
$$n ≤ 2↑{d-1}F↓{f+3}.\eqno (14)$$
\dproofbegin By induction on $r = d + f$, we see
that (14) is certainly true when $r = 1$. When $r > 1$, there
are three cases: If step $r$ is a doubling, then ${1\over 2}n
= a↓{r-1} ≤ 2↑{d-2}F↓{f+3}$; hence (14) follows. If steps $r$
and $r - 1$ are both non\-doub\-lings, then $a↓{r-1} ≤ 2↑{d-1}F↓{f+2}$
and $a↓{r-2} ≤ 2↑{d-1}F↓{f+1}$; hence $n = a↓r ≤ a↓{r-1} + a↓{r-2}
≤ 2↑{d-1}(F↓{f+2} + F↓{f+1}) = 2↑{d-1}F↓{f+3}$ by the definition
of the Fibonacci sequence. Finally, if step $r$ is a nondoubling
but step $r - 1$ is a doubling, then $a↓{r-2} ≤ 2↑{d-2}F↓{f+2}$
and $n = a↓r ≤ a↓{r-1} + a↓{r-2} = 3a↓{r-2}$. Now $2F↓{f+3}
- 3F↓{f+2} = {F↓{f+1} - F↓f} ≥ 0$; hence $n ≤ 2↑{d-1}F↓{f+3}$
in all cases.\quad\blackslug
\yyskip The method of proof we have used shows
that inequality (14) is ``best possible'' under the stated assumptions;
for the addition chain
$$1, 2, \ldotss , 2↑{d-1}, 2↑{d-1}F↓3, 2↑{d-1}F↓4, \ldotss ,
2↑{d-1}F↓{f+3}\eqno (15)$$
has $d$ doublings and $f$ nondoublings.
\thbegin Corollary. {\sl If the addition
chain $(11)$ includes $f$ nondoublings and $s$ small steps, then}
$$s ≤ f ≤ 3.271s.\eqno (16)$$
\dproofbegin Obviously $s ≤ f$. We have $2↑{λ(n)}
≤ n ≤ 2↑{d-1}F↓{f+3} ≤ 2↑d\phi ↑{\hskip.5pt f} = 2↑{λ(n)+s}(\phi /2)↑{\hskip.5pt f}$,
since $d + f = λ(n) + s$, and since $F↓{f+3} ≤ 2\phi ↑{\hskip.5pt f}$ when
$f ≥ 0$. Hence $0 ≤ s \ln 2 + f \ln(\phi /2)$, and (16) follows
from the fact that
$$\ln 2/\ln(2/\phi ) \approx 3.2706.\quad\blackslug$$
\subsectionbegin{Values of \spose{\hjust{$l(n)$}}\hskip.25pt$l(n)$ for special
\spose{\hjust{$n$}}\hskip.25pt$n$}
It is easy to show by induction that $a↓i ≤ 2↑i$, and therefore
$\lg n ≤ r$ in any addition chain (11). Hence
$$l(n) ≥ \lceil \lg n\rceil .\eqno (17)$$
This lower bound, together with the upper bound
(10) given by the binary method, gives us the values
$$\baselineskip 16pt \eqalignno{l(2↑A) ⊗= A;⊗(18)\cr
l(2↑A + 2↑B) ⊗= A + 1,\qquad\hjust{if }A > B.⊗(19)\cr}$$
In other words, the binary method is optimum when $\nu(n) ≤ 2$.
With some further calculation we can extend these formulas to
the case $\nu (n) = 3$:
\thbegin Theorem B.
$$l(2↑A + 2↑B + 2↑C) = A + 2,\qquad\hjust{if }A > B > C.\eqno(20)$$
\dproofbegin We can, in fact, prove a stronger
result that will be of use to us later in this section:
{\sl All addition chains with exactly one small step have one
of the following six types}\xskip(where all steps indicated by ``$\ldots$''
represent doublings):
\def\\#1. {\vskip1.5pt\hangindent 40pt\bf Type #1.\xskip\rm}
\yskip\\1. 1, $\ldotss$, $2↑A$, $2↑A
+ 2↑B$, $\ldotss$, $2↑{A+C} + 2↑{B+C}$; $A > B ≥ 0$, $C ≥ 0$.
\\2. 1, $\ldotss$, $2↑A$, $2↑A + 2↑B$,
$2↑{A+1} + 2↑B$, $\ldotss$, $2↑{A+C+1} + 2↑{B+C}$; $A > B ≥ 0$, $C ≥
0$.
\\3. 1, $\ldotss$, $2↑A$, $2↑A + 2↑{A-1}$,
$2↑{A+1} + 2↑{A-1}$, $2↑{A+2}$, $\ldotss$, $2↑{A+C}$; $A
> 0$, $C ≥ 2$.
\\4. 1, $\ldotss$, $2↑A$, $2↑A + 2↑{A-1}$,
$2↑{A+1} + 2↑A$, $2↑{A+2}$, $\ldotss$, $2↑{A+C}$; $A > 0$, $C ≥ 2$.
\\5. 1, $\ldotss$, $2↑A$, $2↑A + 2↑{A-1}$,
$\ldotss$, $2↑{A+C} + 2↑{A+C-1}$, $2↑{A+C+1} + 2↑{A+C-2}$, $\ldotss$,
$2↑{A+C+D+1} + 2↑{A+C+D-2}$; $A > 0$, $C > 0$, $D ≥ 0$.
\\6. 1, $\ldotss$, $2↑A$, $2↑A + 2↑B$,
$2↑{A+1}$, $\ldotss$, $2↑{A+C}$; $A > B ≥ 0$, $C ≥ 1$.
\yskip\vskip1.5pt A straightforward hand calculation
shows that these six types exhaust all possibilities.\xskip (Note
that, by the corollary to Theorem A\null, there are at most three
nondoublings when there is one small step; this maximum of three
is attained only in sequences of type 3. All of the above are
star chains, except type 6 when $B < A - 1$.)
The theorem now follows from the observation that
$l(2↑A + 2↑B + 2↑C) ≤ A + 2$; and $l(2↑A+2↑B+2↑C)$ must be greater than $A
+ 1$, since none of the six possible types have $\nu(n) > 2$.\quad\blackslug
\yyskip$\biglp$E. de Jonqui\`eres stated without proof
in 1894 that $l(n) ≥ λ(n) + 2$ when $\nu (n) > 2$. The first
published demonstration of Theorem B was by A. A. Gioia, M.
V. Subbarao, and M. Sugunumma in {\sl Duke Math.\ J. \bf 29}
(1962), 481--487.$\bigrp$
The calculation of $l(2↑A + 2↑B + 2↑C + 2↑D)$,
when $A > B > C > D$, is more involved; by the binary method
it is at most $A + 3$, and by the proof of Theorem\penalty999\ B it is at
least $A + 2$. The value $A + 2$ is possible, since we know
that the binary method is not optimal when $n = 15$ or $n =
23$. The complete behavior when $\nu (n) = 4$ can be determined,
as we shall now see.
\thbegin Theorem C. {\sl If $\nu (n) ≥ 4$ then
$l(n) ≥ λ(n) + 3$, except in the following circumstances when
$A > B > C > D$ and $l(2↑A + 2↑B + 2↑C + 2↑D)$ equals $A + 2$}:
\yskip {\sl Case \it1}.\xskip$A - B = C - D$.\xskip(Example: $n = 15$.)
{\sl Case \it2}.\xskip$A - B = C - D + 1$.\xskip(Example: $n = 23$.)
{\sl Case \it3}.\xskip$A - B = 3$,\xskip$C - D = 1$.\xskip(Example:
$n = 39$.)
{\sl Case \it4}.\xskip$A - B = 5$,\xskip$B - C = C - D =
1$.\xskip(Example: $n = 135$.)
\proofbegin When $l(n) = λ(n) + 2$, there is
an addition chain for $n$ having just two small steps; such
an addition chain starts out as one of the six types in the
proof of Theorem B\null, followed by a small step, followed by a
sequence of nonsmall steps. Let us say that $n$ is ``special''
if $n = 2↑A + 2↑B + 2↑C + 2↑D$ for one of the four cases listed
in the theorem. We can obtain addition chains of the required
form for each special $n$, as shown in exercise 13; therefore
it remains for us to prove that no chain with exactly two small
steps contains any elements with $\nu (a↓i) ≥ 4$ except when
$a↓i$ is special.
Let a ``counterexample chain'' be an addition chain
with two small steps such that $\nu (a↓r) ≥ 4$, but $a↓r$ is
not special. If counterexample chains exist, let $1 = a↓0 <
a↓1 <\cdots < a↓r = n$ be a counterexample chain
of shortest possible length. Then step $r$ is not a small step,
since none of the six types in the proof of Theorem B can be
followed by a small step with $\nu (n) ≥ 4$ except when $n$
is special. Furthermore, step $r$ is not a doubling, otherwise
$a↓0$, $\ldotss$, $a↓{r-1}$ would be a shorter counterexample
chain; and step $r$ is a star step, otherwise $a↓0$, $\ldotss$,
$a↓{r-2}$, $a↓r$ would be a shorter counterexample chain. Thus
$$a↓r = a↓{r-1} + a↓{r-k},\qquad k≥2;\qquad\hjust{and }λ(a↓r)
= λ(a↓{r-1}) + 1.\eqno (21)$$
%folio 584 galley 19 (C) Addison-Wesley 1978 *
Let $c$ be the number of carries that
occur when $a↓{r-1}$ is added to $a↓{r-k}$ in the binary number
system by Algorithm 4.3.1A\null. Using the fundamental relation
$$\nu(a↓r) = \nu(a↓{r-1}) + \nu(a↓{r-k}) - c,\eqno (22)$$
we can prove that {\sl step $r - 1$ is not a
small step} (see exercise 14).
Let $m = λ(a↓{r-1})$. Since neither $r$ nor $r
- 1$ is a small step, $c ≥ 2$; and $c = 2$ can hold only when
$a↓{r-1} ≥ 2↑m + 2↑{m-1}$.
Now let us suppose that $r - 1$ is not a star step.
Then $r - 2$ is a small step, and $a↓0$, $\ldotss$, $a↓{r-3}$, $a↓{r-1}$
is a chain with only one small step; hence $\nu (a↓{r-1}) ≤
2$ and $\nu (a↓{r-2}) ≤ 4$. The relation (22) can now hold only
if $\nu (a↓r) = 4$, $\nu (a↓{r-1}) = 2$, $k = 2$, $c = 2$, $\nu (a↓{r-2})
= 4$. From $c = 2$ we conclude that $a↓{r-1} = 2↑m + 2↑{m-1}$;
hence $a↓0$, $a↓1$, $\ldotss$, $a↓{r-3} = 2↑{m-1} + 2↑{m-2}$ is an
addition chain with only one small step, and it must be of Type
1, so $a↓r$ belongs to Case 3. Thus {\sl$r - 1$ is a star step.}
Now assume that $a↓{r-1} = 2↑ta↓{r-k}$ for some
$t$. If $\nu (a↓{r-1}) ≤ 3$, then by (22), $c = 2$, $k = 2$, and
we see that $a↓r$ must belong to Case 3. On the other hand, if $\nu (a↓{r-1}) =
4$ then $a↓{r-1}$ is special, and it is easy to see by considering
each case that $a↓r$ also belongs to one of the four cases.\xskip
(Case 4 arises, for example, when $a↓{r-1} = 90$, $a↓{r-k} = 45$;
or $a↓{r-1} = 120$, $a↓{r-k} = 15$.)\xskip Therefore we may conclude
that $a↓{r-1} ≠ 2↑ta↓{r-k}$ for any $t$.
Let us now suppose that $λ(a↓{r-k}) = m -1$; the
case $λ(a↓{r-k}) < m - 1$ may be ruled out by similar arguments,
as shown in exercise 14. If $k = 4$, both $r - 2$ and $r - 3$
are small steps; hence $a↓{r-4} = 2↑{m-1}$, and (22) is impossible.
Therefore $k = 3$; step $r - 2$ is small, $\nu (a↓{r-3}) = 2$,
$c = 2$, $a↓{r-1} ≥ 2↑m + 2↑{m-1}$, and $\nu (a↓{r-1}) = 4$. There
must be at least two carries when $a↓{r-2}$ is added to ${a↓{r-1}
- a↓{r-2}}$; hence $\nu (a↓{r-2}) = 4$, and $a↓{r-2}$ (being
special and $≥{1\over 2}a↓{r-1}$) has the form $2↑{m-1} + 2↑{m-2}
+ 2↑{d+1} + 2↑d$ for some $d$. Now $a↓{r-1}$ is either
$2↑m + 2↑{m-1} + 2↑{d+1} + 2↑d$ or $2↑m + 2↑{m-1} + 2↑{d+2}
+ 2↑{d+1}$, and in both cases $a↓{r-3}$ must be $2↑{m-1} + 2↑{m-2}$,
so $a↓r$ belongs to Case 3.\quad\blackslug
\yyskip E. G. Thurber [{\sl Pacific J. Math.\ \bf 49} (1973),
229--242] has extended Theorem C to show that $l(n) ≥ λ(n) +
4$ when $\nu (n) > 8$. It seems reasonable to conjecture
that $l(n) ≥ λ(n) + \lg \nu (n)$ in general, since A. Sch\"onhage
has come very close to proving this (see exercise 29).
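
The Python sketch below is an added illustration, not part of the original text. It finds $l(n)$ for small $n$ by exhaustive search over ascending addition chains, labels each step as a doubling, star step, or small step, and provides checks corresponding to (14) and to the four cases of Theorem C; the function names are choices made for this example.

```python
# Added example (not from the original text): l(n) by exhaustive search over
# ascending addition chains, plus the step classification used in the proofs.
# Function names are choices made for this illustration.


def lam(n):
    return n.bit_length() - 1                # lambda(n) = floor(lg n)


def nu(n):
    return bin(n).count("1")                 # nu(n) = number of 1's in binary n


def shortest_chain(n):
    """Return an ascending addition chain 1 = a_0 < ... < a_r = n with r = l(n)."""
    def extend(chain, steps_left):
        last = chain[-1]
        if last == n:
            return True
        if (last << steps_left) < n:         # a_i <= 2 a_(i-1): n is out of reach
            return False
        sums = {a + b for a in chain for b in chain if last < a + b <= n}
        for c in sorted(sums, reverse=True):
            chain.append(c)
            if extend(chain, steps_left - 1):
                return True
            chain.pop()
        return False

    r = (n - 1).bit_length()                 # start at the lower bound ceil(lg n) of (17)
    while True:                              # try r, r + 1, ... until a chain exists
        chain = [1]
        if extend(chain, r):
            return chain
        r += 1


def ell(n):
    return len(shortest_chain(n)) - 1        # l(n)


def step_types(chain):
    """Labels (doubling, star, small) for steps 1..r of an ascending chain."""
    labels = []
    for i in range(1, len(chain)):
        prev, cur, kinds = chain[i - 1], chain[i], set()
        if cur == 2 * prev:
            kinds.add("doubling")            # j = k = i - 1
        if cur - prev in chain[:i]:
            kinds.add("star")                # j = i - 1
        if lam(cur) == lam(prev):
            kinds.add("small")
        labels.append(kinds)
    return labels


def fibonacci(k):
    a, b = 0, 1
    for _ in range(k):
        a, b = b, a + b
    return a


def satisfies_theorem_a(chain):
    """Check n <= 2^(d-1) F_(f+3) for d doublings and f nondoublings, as in (14)."""
    kinds = step_types(chain)
    d = sum("doubling" in s for s in kinds)
    f = len(kinds) - d
    return 2 * chain[-1] <= 2 ** d * fibonacci(f + 3)


def is_special(n):
    """True if n = 2^A + 2^B + 2^C + 2^D falls under Cases 1-4 of Theorem C."""
    if nu(n) != 4:
        return False
    D, C, B, A = (i for i in range(n.bit_length()) if n >> i & 1)
    return (A - B == C - D or A - B == C - D + 1
            or (A - B == 3 and C - D == 1)
            or (A - B == 5 and B - C == 1 and C - D == 1))


if __name__ == "__main__":
    for n in (15, 23, 39, 135):
        c = shortest_chain(n)
        print(n, c, lam(n), [sorted(s) for s in step_types(c)])
```

The search time grows quickly with $n$, so this is suited only to small values such as those of Fig.\ 14.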
\subsectionbegin{Asymptotic values} Theorem C
indicates that it is probably quite difficult to get exact values
of $l(n)$ for large $n$, when $\nu (n) > 4$; however, we can
determine the approximate behavior in the limit as $n → ∞$.
\algbegin Theorem D ({\rm A. Brauer, {\sl Bull.\ Amer.\ Math.\ Soc.\
\bf 45} (1939), 736--739}).
$$\lim↓{n→∞} l↑*(n)/λ(n) = \lim↓{n→∞}
l(n)/λ(n) = 1.\eqno (23)$$
\dproofbegin The addition chain (4) for the $2↑k$-ary
method is a star chain if we delete the second occurrence of
any element that appears twice in the chain; for if $a↓i$ is
the first element among $2d↓0$, $4d↓0$, $\ldots$ of the second line
that is not present in the first line, we have $a↓i ≤ 2(m -
1)$; hence $a↓i = (m - 1) + a↓j$ for some $a↓j$ in the first
line. By totaling up the length of the chain, we have
$$λ(n) ≤ l(n) ≤ l↑*(n) < \left(1 + {1\over k}\right)\lg n + 2↑k\eqno
(24)$$
for all $k ≥ 1$. The theorem follows if we choose,
say, $k = \lfloor {1\over 2}\lg λ(n)\rfloor $.\quad\blackslug
\yyskip If we let $k=λλ(n)-2λλλ(n)$ in (24) for large $n$, where $λλ(n)$ denotes
$λ\biglp λ(n)\bigrp$, we obtain the stronger asymptotic bound
$$l(n)≤l↑*(n)≤λ(n)+λ(n)/λλ(n)+O\biglpλ(n)λλλ(n)/λλ(n)↑2\bigrp.\eqno(25)$$
The second term $λ(n)/λλ(n)$ is essentially the best that
can be obtained from (24). A much deeper analysis of lower bounds
can be carried out, to show that this term $λ(n)/λλ(n)$ is, in fact,
essential in (25). In order to see why this is so, let us consider
the following fact:
\algbegin Theorem E ({\rm Paul Erd\H os, {\sl Acta Arithmetica
\bf 6} (1960), 77--81}). {\sl Let $ε$ be a positive real number. The
number of addition chains $(11)$ such that
$$λ(n) = m,\qquad r ≤ m + (1 - ε)m/λ(m)\eqno (26)$$
is less than $α↑m$, for some $α < 2$, for all suitably
large $m$.}\xskip (In other words, the number of addition chains
so short that (26) is satisfied is substantially less than
the number of values of $n$ such that $λ(n) = m$, when $m$ is
large.)
\proofbegin We want to estimate the number
of possible addition chains, and for this purpose our first
goal is to get an improvement of Theorem A that enables us
to deal more satisfactorily with nondoublings:
\thbegin Lemma P. {\sl Let $\delta < \sqrt 2 - 1$ be a
fixed positive real number. Call step $i$ of an addition chain
a ``ministep'' if $a↓i < a↓j(1 + \delta)↑{i-j}$ for some $j$, where $0
≤ j < i$. If the addition chain contains $s$ small steps and $t$
ministeps, then}
$$t ≤ s/(1 - \theta ),\qquad\hjust{where }(1 + \delta )↑2 =
2↑\theta.\eqno (27)$$
\dproofbegin For each ministep $i↓k$, $1 ≤ k ≤ t$,
we have $a↓{i↓k} < a↓{j↓k}(1 + \delta )↑{i↓k-j↓k}$
for some $j↓k < i↓k$. Let $I↓1$, $\ldotss$, $I↓t$ be the intervals
$(j↓1, i↓1]$, $\ldotss$, $(j↓t, i↓t]$, where the notation $(j, i\,]$
stands for the set of all integers $k$ such that $j < k ≤ i$.
It is possible (see exercise 17) to find nonoverlapping intervals
$J↓1$, $\ldotss$, $J↓h = (j↑\prime↓{1}, i↑\prime↓{1}]$, $\ldotss
$, $(j↑\prime↓{h}, i↑\prime↓{h\,}]$ such that
$$\baselineskip18pt
\cpile{I↓1 ∪ \cdots ∪ I↓t = J↓1 ∪ \cdots ∪ J↓h,\cr
a↓{i↑\prime↓k}<a↓{j↑\prime↓k}(1+\delta)↑{2(i↓k↑\prime-j↓k↑\prime)},\qquad
\hjust{for }1 ≤ k ≤ h.\cr}\eqno(28)$$
Now for all steps $i$ outside of the intervals
$J↓1$, $\ldotss$, $J↓h$ we have $a↓i ≤ 2a↓{i-1}$; hence if
$$q = (i↑\prime↓{1} - j↑\prime↓{1}) + \cdots
+ (i↑\prime↓{h} - j↑\prime↓{h})$$
we have
$$2↑{λ(n)} ≤ n ≤ 2↑{r-q}(1 + \delta )↑{2q} = 2↑{λ(n)+s-(1-\theta
)q} ≤ 2↑{λ(n)+s-(1-\theta )t}.\quad\blackslug$$
Returning to the proof of Theorem E\null, let
us choose $\delta = 2↑{ε/4} - 1$, and let us divide the $r$
steps of each addition chain into three classes:
$$\quad t\hjust{ ministeps,}\qquad u\hjust{ doublings,}\qquad v\hjust{ other steps,}
\qquad t + u + v = r.\eqno (29)$$
Counting another way, we have $s$ small steps,
where $s + m = r$. By the hypotheses, Theorem A\null, and Lemma P\null,
we obtain the relations
$$t ≤ s/(1 - ε/2),\qquad t + v ≤ 3.271s,\qquad s ≤ (1 - ε)m/λ(m).\eqno
(30)$$
Given $s$, $t$, $u$, $v$ satisfying these conditions,
there are at most
$${r\choose t+v}{t+v\choose v}\eqno (31)$$
ways to decide which steps belong to which class. Given such a
distribution of the steps, let us consider how the non-ministeps
can be selected: If step $i$ is one of the ``other'' steps in
(29), $a↓i ≥ (1 + \delta )a↓{i-1}$, so $a↓i = a↓j + a↓k$, where
$\delta a↓{i-1} ≤ a↓k ≤ a↓j ≤ a↓{i-1}$. Also $a↓j ≤ a↓i/(1 +
\delta )↑{i-j} ≤ 2a↓{i-1}/(1 + \delta )↑{i-j}$, so $\delta ≤
2/(1 + \delta )↑{i-j}$. This gives at most $β$ choices for $j$,
where $β$ is a constant that depends only on $\delta $. There
are also at most $β$ choices for $k$, so the number of ways
to assign $j$ and $k$ for each of the non-ministeps is at most
$$β↑{2v}.\eqno (32)$$
%folio 587 galley 20 (C) Addison-Wesley 1978 *
Finally, once the ``$j$'' and ``$k$'' have
been selected for each of the non-ministeps, there are fewer
than
$${r↑2\choose t}\eqno (33)$$
ways to choose the $j$ and the $k$ for the ministeps:
We select $t$ distinct pairs $(j↓1, k↓1)$, $\ldotss$, $(j↓t, k↓t)$
of indices in the range $0 ≤ k↓h ≤ j↓h < r$, in fewer than (33)
ways. Then for each ministep $i$, in turn, we use a pair of
indices $(j↓h, k↓h)$ such that
\yskip\textindent{a)}$j↓h < i$;
\hang\textindent{b)}$a↓{j↓h}+a↓{k↓{\hskip.5pt h}}$
is as small as possible among the pairs
not already used for smaller ministeps $i$;
\hang\textindent{c)}$a↓i=a↓{j↓h}+a↓{k↓{\hskip.5pt h}}$
satisfies the definition of ministep.
\yskip\noindent If no such pair $(j↓h, k↓h)$ exists, we get no
addition chain; on the other hand, any addition chain with ministeps
in the designated places must be selected in one of these ways,
so (33) is an upper bound on the possibilities.
Thus the total number of possible addition chains
satisfying (26) is bounded by (31) times (32) times (33), summed
over all relevant $s$, $t$, $u$, and $v$. The proof of Theorem E
can now be completed by means of a rather standard estimation
of these functions (exercise 18).\quad\blackslug
\thbegin Corollary. {\sl The value of $l(n)$ is asymptotically
$λ(n) + λ(n)/λλ(n)$, for almost all\penalty999\ $n$. More precisely, there is
a function $f(n)$ such that $f(n) → 0$ as $n → ∞$, and}
$$\Pr \biglp\,\left|\vjust to 8pt{}
l(n) - λ(n) - λ(n)/λλ(n)\right| ≥ f(n)λ(n)/λλ(n)\,\bigrp
= 0.\eqno (34)$$
(See Section 3.5 for the definition of this probability ``Pr''.)
\proofbegin The upper bound (25) shows
that (34) holds without the absolute value signs. The lower
bound comes from Theorem E\null, if we let $f(n)$ decrease to zero
slowly enough so that, when $f(n) ≤ ε$, the value $N$ is
so large that at most $εN$ values $n ≤ N$ have $l(n) ≤
λ(n) + (1 - ε)λ(n)/λλ(n)$.\quad\blackslug
\subsectionbegin{Star chains} Optimistic people find
it reasonable to suppose that $l(n) = l↑*(n)$; given an addition
chain of minimal length $l(n)$, it appears hard to believe that
we cannot find one of the same length that satisfies the (apparently
mild) star condition. But in 1958 Walter Hansen proved the remarkable
theorem that, for certain large values of $n$, the value of $l(n)$ is definitely
less than $l↑*(n)$, and he also proved several related theorems
that we shall now investigate.
Hansen's theorems begin with an investigation of the detailed
structure of a star chain. This structure is given in terms
of other sequences and sets constructed from the given chain.
Let $n = 2↑{e↓0}+ 2↑{e↓1}+\cdots + 2↑{e↓t}$,
$e↓0 > e↓1 >\cdots > e↓t ≥ 0$, and let $1 = a↓0
< a↓1 <\cdots < a↓r = n$ be a star chain for
$n$. If there are $d$ doublings in this chain, we define the auxiliary
sequence
$$0 = d↓0 ≤ d↓1 ≤ d↓2 ≤\cdots ≤ d↓r = d,\eqno (35)$$
where $d↓i$ is the number of doublings among steps
1, 2, $\ldotss$, $i$. We also define a sequence of ``multisets''
$S↓0$, $S↓1$, $\ldotss$, $S↓r$, which keep track of the powers of
2 present in the chain.\xskip(A {\sl multiset} is a mathematical
entity that is like a set but it is allowed to contain repeated
elements; an object may be an element of a multiset several
times, and its multiplicity of occurrences is relevant. See
exercise 19 for familiar examples of multisets.)\xskip The multisets $S↓i$ are
defined by the rules
\yskip\textindent{a)}$S↓0 = \{0\}$;
\vskip1.5pt\textindent{b)}If $a↓{i+1} = 2a↓i$, then $S↓{i+1} = \leftset x \relv x
- 1 \in S↓i\rightset$;
\vskip1.5pt\textindent{c)}If $a↓{i+1} = a↓i + a↓k$, $k < i$, then $S↓{i+1}
= S↓i \uplus S↓k$.
\yskip(The symbol $\uplus$ means that the multisets are combined,
adding the multiplicities.)\xskip From this definition it follows
that
$$\chop to 12pt{a↓i = \sum ↓{x\in S↓i} 2↑x,}\eqno (36)$$
where the terms in this sum are not necessarily
distinct. In particular,
$$\chop to 9pt{n = 2↑{e↓0} + 2↑{e↓1} +\cdots + 2↑{e↓t}
= \sum ↓{x\in S↓r} 2↑x.}\eqno (37)$$
The number of elements in the latter sum is at
most $2↑f$, where $f = r - d$ is the number of nondoublings.
Since $n$ has two different binary representations
in (37), we can partition the multiset $S↓r$ into multisets
$M↓0$, $M↓1$, $\ldotss$, $M↓t$ such that
$$\chop to 9pt{2↑{e↓j} = \sum ↓{x\in M↓j}2↑x,
\qquad 0 ≤ j ≤ t.}\eqno (38)$$
This can be done by arranging the elements of $S↓r$
into nondecreasing order $x↓1 ≤ x↓2 ≤\cdots$ and taking $M↓t =
\{x↓1, x↓2, \ldotss, x↓k\}$, where $2↑{x↓1} +\cdots
+ 2↑{x↓k} = 2↑{e↓t}$. This must be possible,
since $e↓t$ is the smallest of the $e$'s. Similarly, $M↓{t-1}
= \{x↓{k+1}, x↓{k+2}, \ldotss, x↓{k↑\prime}\}$, and so on; the process
is easily visualized in binary notation.
Let $M↓j$ contain $m↓j$ elements (counting multiplicities);
then $m↓j ≤ 2↑f - t$, since $S↓r$ has at most $2↑f$ elements
and it has been partitioned into $(t + 1)$ nonempty multisets.
By Eq.\ (38), we can see that
$$e↓j≥x>e↓j-m↓j,\qquad\hjust{for all }x\in M↓j.\eqno(39)$$
Our examination of the star chain's structure is completed by forming the
multisets $M↓{ij}$ that record the ancestral history of $M↓j$. The multiset
$S↓i$ is partitioned into $(t+1)$ multisets as follows:
\yskip\textindent{a)}$M↓{rj}=M↓j$;
\vskip1.5pt\textindent{b)}If $a↓{i+1}=2a↓i$,
then $M↓{ij}=\leftset x\relv x+1\in M↓{(i+1)j}\rightset$;
\vskip1.5pt\hang\textindent{c)}If $a↓{i+1}=a↓i+a↓k$, $k<i$, then (since
$S↓{i+1}=S↓i\uplus S↓k$) we let $M↓{ij}=M↓{(i+1)j}$ minus $S↓k$, that is, we
remove the elements of $S↓k$ from $M↓{(i+1)j}$. If some element of $S↓k$ appears
in two or more different multisets $M↓{(i+1)j}$, we remove it from the set with
the largest possible value of $j$; this rule uniquely defines $M↓{ij}$ for each
$j$, when $i$ is fixed.
\yskip\noindent From this definition it follows that
$$e↓j+d↓i-d≥x>e↓j+d↓i-d-m↓j,\qquad\hjust{for all }x\in M↓{ij}.\eqno(40)$$
As an example of this detailed construction, let us consider the star chain
1,\penalty999\ 2,\penalty999\
3, 5, 10, 20, 23, for which $t=3$, $r=6$, $d=3$, $f=3$. We obtain the
following array of multisets:
$$\baselineskip0pt\lineskip0pt
\def\\{\vrule height 9.5pt depth 2.5pt}
\def\¬{\vrule height 1.5pt}
\def\|{$\vcenter{\hjust{\vrule height 24.4pt}}$}
\def\+#1{\hjust to 19.6pt{\hfill#1\hfill}}
\def\α#1#2{$\vcenter{\vjust{\hjust{\lower 2.5pt\vjust to 12pt{}#1}
\vskip .4pt \hjust{\lower 2.5pt\vjust to 12pt{}#2}}}$}
\vjust{\halign{$\hfill#$⊗\hfill#⊗\+{#}⊗#⊗\+{#}⊗#⊗\+{#}⊗#⊗\+{#}⊗#⊗\+{#}⊗#⊗\+{#}⊗\!
#⊗\+{#}⊗#\hfill⊗$#$⊗$\quad#$\cr
⊗\¬\hjust to 0pt{\hskip0pt minus 200pt
\vjust to 1.5pt{\hrule width 140pt\vfill\hrule}
\hskip0pt minus 1000000pt}⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬\cr
(d↓0,d↓1,\ldotss,d↓6):⊗\\⊗0⊗\\⊗1⊗\\⊗1⊗\\⊗1⊗\\⊗2⊗\\⊗3⊗\\⊗3⊗\\\cr
⊗\¬\hjust to 0pt{\hskip0pt minus 200pt
\vjust to 1.5pt{\hrule width 140pt\vfill\hrule}
\hskip0pt minus 1000000pt}⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬\cr
(a↓0,a↓1,\ldotss,a↓6):⊗\\⊗1⊗\\⊗2⊗\\⊗3⊗\\⊗5⊗\\⊗10⊗\\⊗20⊗\\⊗23⊗\\\cr
⊗\¬\hjust to 0pt{\hskip0pt minus 200pt
\vjust to 1.5pt{\hrule width 140pt\vfill\hrule}
\hskip0pt minus 1000000pt}⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬\cr
(M↓{03},M↓{13},\ldotss,M↓{63}):⊗\\⊗⊗\\⊗⊗\\⊗⊗\\⊗⊗\\⊗⊗\\⊗⊗\\⊗0⊗\\⊗M↓3⊗e↓3=0,\,m↓3=1\cr
⊗\hjust to 0pt{\hskip0pt minus 200pt
\vjust{\hrule width 140pt}\hskip0pt minus 1000000pt}\cr
(M↓{02},M↓{12},\ldotss,M↓{62}):⊗\\⊗⊗\\⊗⊗\\⊗⊗\\⊗⊗\\⊗⊗\\⊗⊗\\⊗1⊗\\⊗M↓2⊗e↓2=1,\,m↓2=1\cr
⊗\hjust to 0pt{\hskip0pt minus 200pt
\vjust{\hrule width 140pt}\hskip0pt minus 1000000pt}\cr
(M↓{01},M↓{11},\ldotss,M↓{61}):⊗\\⊗⊗\\⊗⊗\\⊗0⊗\\⊗0⊗\\⊗1⊗\\⊗2⊗\\⊗2⊗\\⊗M↓1⊗e↓1=2,\,
m↓1=1\cr
⊗\hjust to 0pt{\hskip0pt minus 200pt
\vjust{\hrule width 140pt}\hskip0pt minus 1000000pt}\cr
(M↓{00},M↓{10},\ldotss,M↓{60}):⊗$\left\{\vcenter{\vjust to 23pt{}}\right.$\|
$\vcenter{\hjust to 0pt{\hskip0pt minus 200pt
\vjust{\hrule width 140pt}\hskip0pt minus 1000000pt}}$⊗
\α0 ⊗\|⊗\α1 ⊗\|⊗\α1 ⊗\|⊗\α11⊗\|⊗\α22⊗\|⊗\α33⊗\|⊗\α33⊗\|$\left.\vcenter{\vjust to
23pt{}}\right\}\,$⊗M↓0⊗e↓0=4,\,m↓0=2\cr
⊗\¬\hjust to 0pt{\hskip0pt minus 200pt
\vjust to 1.5pt{\hrule width 140pt\vfill\hrule}
\hskip0pt minus 1000000pt}⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬⊗⊗\¬\cr
\noalign{\vskip 4pt}
⊗⊗$S↓0$⊗⊗$S↓1$⊗⊗$S↓2$⊗⊗$S↓3$⊗⊗$S↓4$⊗⊗$S↓5$⊗⊗$S↓6$\cr}}$$
Thus $M↓{40}=\{2,2\}$, etc. From the construction we can see that $d↓i$ is the
largest element of $S↓i$; hence
$$d↓i\;\in\;M↓{i0}.\eqno(41)$$
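The construction of $d↓i$, $S↓i$, $M↓j$, and $M↓{ij}$ can be carried out mechanically. The following Python code is an added example, not part of the original text (the function names are chosen here); applied to the star chain 1, 2, 3, 5, 10, 20, 23 it yields the array displayed above, and it checks (36), (40), and (41).

```python
from collections import Counter

def hansen_decomposition(chain):
    """Decompose a star chain 1 = a_0 < a_1 < ... < a_r = n.

    Returns (e, d, S, M): the exponents e_0 > ... > e_t of n, the doubling
    counts d_i of (35), the multisets S_i, and M[i][j] = M_ij.
    """
    if not chain or chain[0] != 1:
        raise ValueError("chain must start with 1")
    r, n = len(chain) - 1, chain[-1]
    pos = {a: i for i, a in enumerate(chain)}

    # Forward pass, rules (a)-(c) for S_i.  kind[i] is None when step i is a
    # doubling, otherwise the index k with a_i = a_{i-1} + a_k.
    kind, d, S = [None], [0], [Counter({0: 1})]
    for i in range(1, r + 1):
        prev, cur = chain[i - 1], chain[i]
        if cur == 2 * prev:
            kind.append(None)
            d.append(d[-1] + 1)
            S.append(Counter({x + 1: c for x, c in S[-1].items()}))
        else:
            k = pos.get(cur - prev)
            if k is None or k >= i:
                raise ValueError(f"step {i} is not a star step")
            kind.append(k)
            d.append(d[-1])
            S.append(S[-1] + S[k])          # multiset sum, multiplicities add

    # Partition S_r into M_t, ..., M_0 as in (38): scan the elements in
    # nondecreasing order and cut whenever the running sum reaches 2^{e_j}.
    e = [b for b in range(n.bit_length() - 1, -1, -1) if n >> b & 1]
    t = len(e) - 1
    last = [Counter() for _ in e]
    xs = iter(sorted(S[r].elements()))
    for j in range(t, -1, -1):
        total = 0
        while total < 1 << e[j]:
            x = next(xs)
            last[j][x] += 1
            total += 1 << x
        assert total == 1 << e[j]

    # Backward pass, rules (a)-(c) for M_ij.
    M = [None] * (r + 1)
    M[r] = last
    for i in range(r - 1, -1, -1):
        nxt = [Counter(m) for m in M[i + 1]]
        k = kind[i + 1]
        if k is None:                        # undo a doubling
            M[i] = [Counter({x - 1: c for x, c in m.items()}) for m in nxt]
        else:                                # remove S_k, largest j first
            for x in S[k].elements():
                j = max(j for j in range(t + 1) if nxt[j][x] > 0)
                nxt[j][x] -= 1
            M[i] = [+m for m in nxt]         # unary + drops zero counts
    return e, d, S, M

def verify(chain, e, d, S, M):
    """Check (36), (40), (41), and that the M_ij partition S_i."""
    r, total_d = len(chain) - 1, d[-1]
    m = [sum(Mj.values()) for Mj in M[r]]
    for i, a in enumerate(chain):
        if sum(1 << x for x in S[i].elements()) != a:        # (36)
            return False
        if sum(M[i], Counter()) != S[i]:
            return False
        if d[i] not in M[i][0]:                              # (41)
            return False
        for j, Mij in enumerate(M[i]):                       # (40)
            hi = e[j] + d[i] - total_d
            if any(not (hi >= x > hi - m[j]) for x in Mij):
                return False
    return True

if __name__ == "__main__":
    chain = [1, 2, 3, 5, 10, 20, 23]         # the example chain of the text
    e, d, S, M = hansen_decomposition(chain)
    print("d:", d)
    for j in range(len(e) - 1, -1, -1):
        print(f"M_i{j}:", [sorted(M[i][j].elements()) for i in range(len(chain))])
    print("S_i:", [sorted(s.elements()) for s in S])
    print("checks hold:", verify(chain, e, d, S, M))
```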
The most important part of this structure comes from Eq.\ (40); one of its
immediate consequences is
\thbegin Lemma K. {\sl If $M↓{ij}$ and $M↓{uv}$ both contain a common integer $x$,
then}
$$-m↓v<(e↓j-e↓v)-(d↓u-d↓i)<m↓j.\quad\blackslug\eqno(42)$$
\yyskip Although Lemma K may not look extremely
powerful, it says (when $M↓{ij}$ contains an element in common
with $M↓{uv}$ and when $m↓j$, $m↓v$ are reasonably small) that
the number of doublings between steps $u$ and $i$ is approximately equal to the
difference between the exponents $e↓v$ and $e↓j$. This imposes a certain amount
of regularity on the addition chain; and it suggests that we might be able to prove
a result analogous to Theorem B above, that $l↑*(n) = e↓0 +
t$, provided that the $e↓j$ are far enough apart. The next theorem
shows how this can be done.
\algbegin Theorem H ({\rm W. Hansen, {\sl J. f\"ur die reine und
angew.\ Math.\ \bf 202} (1959), 129--136}). {\sl Let $n = 2↑{e↓0}
+ 2↑{e↓1}+\cdots + 2↑{e↓t}$, $e↓0 > e↓1
>\cdots > e↓t ≥ 0$. If}
$$\quad e↓0 > 2e↓1 + 2.271(t - 1)\qquad\hjust{and}\qquad e↓{i-1}
≥ e↓i + 2m\quad\hjust{for $1 ≤ i ≤ t$,}\eqno (43)$$
{\sl where $m = 2↑{\lfloor 3.271(t-1)\rfloor } - t$,
then $l↑*(n) = e↓0 + t$.}
%folio 595 galley 1 Mostly unreadable. (C) Addison-Wesley 1978 *
\proofbegin We may assume that $t > 2$,
since the result of the theorem is true without restriction
on the $e$'s when $t ≤ 2$. Suppose that we have a star chain
$1 = a↓0 < a↓1 < \cdots < a↓r = n$ for $n$ with $r ≤ e↓0 + t
- 1$. Let the integers $d$, $f$, $d↓0$, $\ldotss$, $d↓r$, and the multisets
$M↓{ij}$ and $S↓i$ reflect the structure of this chain, as defined
above. By the corollary to Theorem A\null, we know that $f≤\lfloor3.271(t-1)
\rfloor$; therefore the value of $m$ is a bona fide upper bound for the
number of elements $m↓j$ in each multiset $M↓j$.
In the summation
$$a↓i=\bigglp\,\sum↓{x\in M↓{i0}}2↑x\biggrp+\bigglp\,\sum↓{x\in M↓{i1}}2↑x\biggrp+
\cdots+\bigglp\,\sum↓{x\in M↓{it}}2↑x\biggrp,$$
no carries propagate from the term corresponding to $M↓{ij}$ to the term
corresponding to $M↓{i(j-1)}$, if we think of this sum as being carried out
in the binary number system, since the $e$'s are so far apart.\xskip$\biglp$Cf.\
(40).$\bigrp$\xskip In particular, the sum of all the terms for
$j≠0$ will not carry up to affect the terms for $j=0$, so we must have
$$\chop to 9pt{a↓i≥\sum↓{x\in M↓{i0}}2↑x≥2↑{λ(a↓i)},\qquad 0≤i≤r.}\eqno(44)$$
In order to
prove Theorem H\null, we would like to show that in some sense the $t$ extra
powers of $n$ must be put in ``one at a time,'' so we want to find
a way to tell at which step each of these terms essentially enters
the addition chain.
Let $j$ be a number between 1 and $t$. Since $M↓{0j}$ is empty
and $M↓{rj} = M↓j$ is nonempty, we can find the {\sl first} step
$i$ for which $M↓{ij}$ is not empty.
From the way in which the $M↓{ij}$ are defined, we know that
step $i$ is a non-doubling; $a↓i = a↓{i-1} + a↓u$ for some $u
< i - 1$. We also know that all the elements of $M↓{ij}$ are elements of
$S↓u$. We will
prove that $a↓u$ must be relatively small compared to $a↓i$.
Let $x↓j$ be an element of $M↓{ij}$. Then since $x↓j \in S↓u$,
there is some $v$ for which $x↓j \in M↓{uv}$. It follows that
$$d↓i - d↓u > m,\eqno (45)$$
i.e., at least $m + 1$ doublings occur between
steps $u$ and $i$. For if $d↓i - d↓u≤m$, Lemma K tells us that
$|e↓j-e↓v|<2m$; hence $v=j$. But this is impossible, because $M↓{uj}$ is
empty by our choice of step $i$.
All elements of $S↓u$ are less than or equal to $e↓1+d↓i-d$. For if $x\in S↓u
\subset S↓i$ and $x>e↓1+d↓i-d$, then $x\in M↓{u0}$ and $x\in M↓{i0}$ by (40);
so Lemma K implies that $|d↓i-d↓u|<m$, contradicting (45). In fact, this argument
proves that $M↓{i0}$ has no elements in common with $S↓u$,
so $M↓{(i-1)0} = M↓{i0}$. From (44) we have $a↓{i-1} ≥ 2↑{λ(a↓i)}$,
and therefore {\sl step $i$ is a small step.}
We can now deduce what is probably the key fact in this entire
proof: {\sl All elements of $S↓u$ are in $M↓{u0}$.}\xskip For if not,
let $x$ be an element of $S↓u$ with $x \notin M↓{u0}$.
Since $x ≥ 0$, (40) implies that $e↓1 ≥ d - d↓u$, hence
$$e↓0 = f + d -s ≤ 2.271s+d≤2.271(t - 1) + e↓1 + d↓u.$$
By hypothesis (43), this implies $d↓u > e↓1$. But
$d↓u \in S↓u$ by (41), and it cannot be in $M↓{i0}$, hence $d↓u≤e↓1+d↓i-d≤e↓1$,
a contradiction.
Going back to our element $x↓j$ in $M↓{ij}$, we have $x↓j \in
M↓{uv}$; and we have proved that $v=0$. Therefore, by equation (40) again,
$$e↓0+d↓u-d≥x↓j>e↓0+d↓u-d-m.\eqno(46)$$
For all $j=1$, 2, $\ldotss$, $t$ we have determined a number $x↓j$ satisfying (46),
and a small step $i$ at which the term $2↑{e↓j}$ may be said to have entered into
the addition chain. If $j≠j↑\prime$, the
step $i$ at which this occurs cannot be the same for both $j$ and $j↑\prime$; for
(46) would tell us that $|x↓j-x↓{j↑\prime}|<m$, while elements of $M↓{ij}$ and
$M↓{ij↑\prime}$ must differ
by more than $m$, since $e↓j$ and $e↓{j↑\prime }$ are so far
apart. Therefore the chain contains at least $t$ small steps,
but this is a contradiction.\quad\blackslug
\algbegin Theorem F (\rm W. Hansen).
$$l(2↑A + xy) ≤ A + \nu (x) + \nu (y) - 1,\qquad\hjust{if }
λ(x) + λ(y) ≤ A.\eqno (47)$$
\dproofbegin An addition chain (which is
{\sl not} a star chain in general) may be constructed by combining
the binary method and the factor method. Let $x = 2↑{x↓1}
+ \cdots + 2↑{x↓u}, y = 2↑{y↓1} + \cdots + 2↑{y↓v}$,
where $x↓1 > \cdots > x↓u ≥ 0$ and $y↓1 > \cdots > y↓v ≥ 0$.
The first steps of the chain form successive powers of 2, until
$2↑{A-y↓1}$ is reached; in between these steps, the additional
values $2↑{x↓{u-1}}+2↑{x↓u}$,
$2↑{x↓{u-2}}+2↑{x↓{u-1}}+2↑{x↓u}$, $\ldotss$, and $x$ are inserted in the
appropriate places. After a chain up to $2↑{A-y↓i}+ x(2↑{y↓1-y↓i}
+ \cdots + 2↑{y↓{i-1}-y↓i})$
has been formed, we continue by adding $x$ and doubling the
resulting sum $y↓i - y↓{i+1}$ times; this yields
$$2↑{A-y↓{i+1}}+x(2↑{y↓1-y↓{i+1}}+\cdots+2↑{y↓i-y↓{i+1}}).$$
If this construction is done for $i = 1$, 2, $\ldotss$,
$v$, assuming for convenience that $y↓{v+1} = 0$, we have an
addition chain for $2↑A + xy$ as desired.\quad\blackslug
\yyskip Theorem F enables us to find values of $n$ for which $l(n) <
l↑*(n)$, since Theorem\penalty999\ H gives an explicit value of $l↑*(n)$ in certain
cases. For example, let $x = 2↑{1016} +1$, $y = 2↑{2032}+1$,
and let $$n = 2↑{6103} + xy = 2↑{6103} + 2↑{3048} + 2↑{2032} +
2↑{1016}+1.$$According to Theorem F\null, we have $l(n)≤6106$. But
Theorem H also applies, with $m =
508$, and this proves that $l↑*(n) = 6107$.
Extensive computer calculations have shown
that $n = 12509$ is the smallest value with $l(n) < l↑*(n)$.
No star chain for this value of $n$ is as short as the sequence
1, 2, 4, 8, 16, 17, 32, 64, 128, 256, 512, 1024, 1041, 2082,
4164, 8328, 8345, 12509. The brute force methods in the proof of
Theorem C could be extended by computer program to determine all $n$ such that
$l(n)=λ(n)+3$; this approach would also characterize all $n$ with $\nu(n)=5$
and $l(n)≠l↑*(n)$.\xskip(The smallest such\penalty999\
$n$ is $16537=2↑{14}+9\cdot17$.)
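The construction in the proof of Theorem F can be checked by machine. The following Python code is an added example, not part of the original text (the function names are chosen here); it builds the chain for $2↑A+xy$ and tests it on $16537=2↑{14}+9\cdot17$ and on the large value of $n$ considered above.

```python
def nu(n):
    """Number of 1 bits in the binary representation of n."""
    return bin(n).count("1")

def lam(n):
    """floor(lg n)."""
    return n.bit_length() - 1

def theorem_f_chain(A, x, y):
    """Addition chain for 2^A + x*y built as in the proof of Theorem F."""
    if x < 1 or y < 1 or lam(x) + lam(y) > A:
        raise ValueError("need x, y >= 1 and lam(x) + lam(y) <= A")
    xs = [b for b in range(lam(x), -1, -1) if x >> b & 1]   # x_1 > ... > x_u
    ys = [b for b in range(lam(y), -1, -1) if y >> b & 1]   # y_1 > ... > y_v
    top = A - ys[0]

    # Powers of 2 up to 2^(A - y_1), with the partial sums
    # 2^{x_{u-1}} + 2^{x_u}, ..., x inserted in their places.
    first = [1 << b for b in range(top + 1)]
    partial = 1 << xs[-1]
    for b in reversed(xs[:-1]):
        partial += 1 << b
        first.append(partial)
    chain = sorted(first)

    # For i = 1, ..., v: add x, then double y_i - y_{i+1} times (y_{v+1} = 0).
    cur = 1 << top
    for i, yi in enumerate(ys):
        cur += x
        chain.append(cur)
        nxt = ys[i + 1] if i + 1 < len(ys) else 0
        for _ in range(yi - nxt):
            cur *= 2
            chain.append(cur)
    return chain

def is_addition_chain(chain):
    """True if chain[0] = 1 and each later element is a sum of two earlier ones."""
    seen = set()
    for i, a in enumerate(chain):
        if i == 0:
            if a != 1:
                return False
        elif not any(a - chain[j] in seen for j in range(i - 1, -1, -1)):
            return False
        seen.add(a)
    return True

def is_star_chain(chain):
    """True if every step has the form a_i = a_{i-1} + a_k with k < i."""
    if not chain or chain[0] != 1:
        return False
    seen = {1}
    for prev, a in zip(chain, chain[1:]):
        if a - prev not in seen:
            return False
        seen.add(a)
    return True

if __name__ == "__main__":
    c = theorem_f_chain(14, 9, 17)
    print(c, "length", len(c) - 1)
    x, y = 2**1016 + 1, 2**2032 + 1
    big = theorem_f_chain(6103, x, y)
    print("length for 2^6103 + xy:", len(big) - 1,
          "valid:", is_addition_chain(big), "star:", is_star_chain(big))
```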
\subsectionbegin {Some conjectures} Although it was reasonable to guess at first
glance that $l(n)=l↑*(n)$, we have now seen that this is false. Another plausible
conjecture [first made by A. Goulard, and supposedly ``proved'' by E. de
Jonqui\`eres in {\sl l'Interm.\
des Math.\ \bf 2} (1895), 125--126] is that $l(2n) = l(n) +
1$; a doubling step is so efficient, it seems unlikely that
there could be any shorter chain for $2n$ than to add a doubling
step to the shortest chain for $n$. But computer calculations show that
this conjecture also fails, since $l(191) = l(382) = 11$.\xskip (A
star chain of length 11 for 382 is not hard to find; e.g., 1,
2, 4, 5, 9, 14, 23, 46, 92, 184, 198, 382. The number 191 is
minimal such that $l(n) = 11$, and it seems to be very difficult
to prove by hand that $l(191)>10$; the computer's proof of this fact, using a
backtrack method that will be sketched in Section 7.2.2, involved a detailed
examination of 948 cases.)\xskip The smallest four values
of $n$ such that $l(2n) = l(n)$ are $n =191$, 701, 743, 1111; E. G. Thurber
proved in the paper cited above that the third of these
is a member of an infinite family of such $n$, namely $737 \cdot
2↑k + 7$ for all $k≥ 0$. It seems reasonable to conjecture
that $l(2n) ≥ l(n)$, but even this may be false. Kevin R. Hebb
has shown that $l(n) - l(mn)$ can get arbitrarily large, for
all fixed integers $m$ not a power of 2 [{\sl Notices Amer.\
Math.\ Soc.\ \bf 21} (1974), A--294]. The smallest case in which
$l(mn) < l(n)$ is $l\biglp(2↑{13} + 1)/3\bigrp = 15$.
%folio 595 galley 2 Mostly lost. (C) Addison-Wesley 1978 *
Let $c(r)$ be the smallest value
of $n$ such that $l(n) = r$. We have the following table:
$$\vjust{\halign{\hfill#⊗\qquad\hfill#⊗\qquad\qquad\hfill#⊗\qquad\hfill#⊗\qquad
\qquad\hfill#\hfill⊗\qquad\hfill#\cr
$r$⊗$c(r)$⊗$r$⊗$c(r)$⊗$r$⊗$c(r)$\cr
\noalign{\vskip 2pt}
1⊗2⊗7⊗29⊗13⊗607\cr
2⊗3⊗8⊗47⊗14⊗1087\cr
3⊗5⊗9⊗71⊗15⊗1903\cr
4⊗7⊗10⊗127⊗16⊗3783\cr
5⊗11⊗11⊗191⊗17⊗6271\cr
6⊗19⊗13⊗607⊗18⊗11231\cr}}$$
For $r≤11$, the value of $c(r)$ is approximately equal to $c(r-1)+c(r-2)$, and
this fact led to speculation by several people that $c(r)$ grows like the
function $\phi↑r$; but the result of Theorem D $\biglp$with $n=c(r)\bigrp$
implies that $r/\!\lg c(r)→1$ as $n→∞$.\xskip[See E. G. Thurber, {\sl Duke
Math.\ J. \bf40} (1973), 907--913, for more detailed information about the
growth of $c(r)$.]\xskip Several people had conjectured at one
time that $c(r)$ would always be a prime number; but $c(15)=11\cdot173$ and
$c(18)=11\cdot1021$.
Perhaps no conjecture about addition chains is safe!
Tabulated values of $l(n)$ show that this
function is surprisingly smooth; for example, $l(n)=13$ for
all $n$ in the range $1125 ≤ n ≤ 1148$. The computer calculations
show that a table of $l(n)$ may be prepared for all $n ≤ 1000$
by using the formula
$$l(n) =\min\biglp l(n - 1) + 1,\, l\bigrp - \delta ,\eqno (48)$$
where $l = ∞$ if $n$ is prime, otherwise $l = l(p)
+ l(n/p)$ if $p$ is the smallest prime dividing $n$; and $\delta
= 1$ for $n$ in Table 1, $\delta = 0$ otherwise.
\topinsert{\tablehead{Table 1}
\vskip 3pt
\ctrline{VALUES OF $n$ FOR SPECIAL ADDITION CHAINS}
\vskip 6pt
\hjust to size{$
\vcenter{\halign{\hfill#\cr
23\cr43\cr59\cr77\cr83\cr107\cr149\cr}}\hfill
\vcenter{\halign{\hfill#\cr
163\cr165\cr179\cr203\cr211\cr213\cr227\cr}}\hfill
\vcenter{\halign{\hfill#\cr
229\cr233\cr281\cr283\cr293\cr311\cr317\cr}}\hfill
\vcenter{\halign{\hfill#\cr
319\cr323\cr347\cr349\cr355\cr359\cr367\cr}}\hfill
\vcenter{\halign{\hfill#\cr
371\cr373\cr377\cr381\cr382\cr395\cr403\cr}}\hfill
\vcenter{\halign{\hfill#\cr
413\cr419\cr421\cr423\cr429\cr437\cr451\cr}}\hfill
\vcenter{\halign{\hfill#\cr
453\cr455\cr457\cr479\cr503\cr509\cr551\cr}}\hfill
\vcenter{\halign{\hfill#\cr
553\cr557\cr561\cr569\cr571\cr573\cr581\cr}}\hfill
\vcenter{\halign{\hfill#\cr
599\cr611\cr619\cr623\cr631\cr637\cr643\cr}}\hfill
\vcenter{\halign{\hfill#\cr
645\cr659\cr667\cr669\cr677\cr683\cr691\cr}}\hfill
\vcenter{\halign{\hfill#\cr
707\cr709\cr711\cr713\cr715\cr717\cr739\cr}}\hfill
\vcenter{\halign{\hfill#\cr
741\cr749\cr759\cr779\cr787\cr803\cr809\cr}}\hfill
\vcenter{\halign{\hfill#\cr
813\cr825\cr835\cr837\cr839\cr841\cr845\cr}}\hfill
\vcenter{\halign{\hfill#\cr
849\cr863\cr869\cr887\cr893\cr899\cr901\cr}}\hfill
\vcenter{\halign{\hfill#\cr
903\cr905\cr923\cr941\cr947\cr955\cr983\cr}}$}}
Let $d(r)$ be the number of solutions
$n$ to the equation $l(n) = r$. We have the following table:
$$\vjust{\halign{\hfill#⊗\qquad\hfill#⊗\qquad\qquad\hfill#⊗\qquad\hfill#⊗\qquad
\qquad\hfill#\hfill⊗\qquad\hfill#\cr
$r$⊗$d(r)$⊗$r$⊗$d(r)$⊗$r$⊗$d(r)$\cr
\noalign{\vskip 2pt}
1⊗1⊗6⊗15⊗11⊗246\cr
2⊗2⊗7⊗26⊗12⊗432\cr
3⊗3⊗8⊗44⊗13⊗772\cr
4⊗5⊗9⊗78⊗14⊗1382\cr
5⊗9⊗10⊗136⊗15⊗2481\cr}}$$
Surely $d(r)$ must be an increasing function of $r$, but there is no evident way
to prove this seemingly simple assertion, much less to determine the asymptotic
growth of $d(r)$ for large $r$.
\yskip The most famous problem
about addition chains that is still outstanding is the ``Scholz-Brauer
conjecture,'' which states that
$$l(2↑n-1)≤n-1+l(n).\eqno(49)$$
Computer calculations show, in fact, that equality holds in
(49) for $1 ≤ n ≤ 14$; and hand calculations by E. G. Thurber
[{\sl Discrete Math.\ \bf 16} (1976), 279--289] have shown
that equality holds also for $n = 15$, 16, 17, 18, 20, 24, 32.
Much of the research on addition chains has been devoted to
attempts to prove (49); addition chains for the number $2↑n -
1$, which has so many ones in its binary representation, are
of special interest, since this is the worst case for the binary
method. Arnold Scholz coined the name ``addition chain'' (in
German) and posed (49) as a problem in 1937 [{\sl Jahresbericht
der deutschen Mathematiker-Vereinigung}, class II, {\bf47} (1937), 41--42];
Alfred Brauer proved in 1939 that
$$l↑*(2↑n-1)≤n-1+l↑*(n).\eqno(50)$$
Hansen's theorems show that $l(n)$ can be less than $l↑*(n)$, so more work is
definitely necessary in order to prove or disprove (49). As a step in this
direction, Hansen has defined the concept of an {\sl$l↑0$-chain}, which lies
``between'' $l$-chains and $l↑*$-chains. In an $l↑0$-chain, certain of the
elements are underlined; the condition is that $a↓i=a↓j+a↓k$, where $a↓j$ is
the largest underlined element less than $a↓i$.
As an example of an $l↑0$-chain (certainly not a minimum one), consider
$$\underline1, \underline2, \underline4, 5, \underline8, 10, 12, \underline{18};
\eqno (51)$$
it is easy to verify that the difference between
each element and the previous underlined element is in the chain.
We let $l↑0(n)$ denote the minimum length of an $l↑0$-chain
for $n$. Clearly $l(n) ≤ l↑0(n) ≤ l↑*(n)$.
The chain constructed in Theorem F is an
$l↑0$-chain (see exercise 22); hence we have $l↑0(n) < l↑*(n)$
for certain $n$. It is not known whether or not $l(n) = l↑0(n)$
in all cases; if this equation were true, the Scholz-Brauer
conjecture would be settled, because of another theorem due
to Hansen:
\thbegin Theorem G. $l↑0(2↑n - 1) ≤ n - 1 + l↑0(n)$.
\proofbegin Let $1 = a↓0$, $a↓1$, $\ldotss$, $a↓r = n$ be
an $l↑0$-chain of minimum length for $n$, and let $1 = b↓0$,
$b↓1$, $\ldotss$, $b↓t=n$ be the subsequence of underlined
elements.\xskip (We may assume that $n$ is underlined.)\xskip
Then we can get an $l↑0$-chain for $2↑n-1$ as follows:
\yskip\hang\textindent{a)}Include the $l↑0(n)$ numbers $2↑{a↓i}-1$, for $1≤i≤r$,
underlined if and only if $a↓i$ is underlined.
\vskip1.5pt\hang\textindent{b)}Include the numbers $2↑i(2↑{b↓j}-1)$, for $0≤j<t$
and for $0<i≤b↓{j+1}-b↓j$, all underlined.\xskip(This is a total of $b↓1-b↓0+\cdots
+b↓t-b↓{t-1}=n-1$ numbers.)
\vskip1.5pt\hang\textindent{c)}Sort the numbers from (a) and (b) into ascending
order.
\yskip We
may easily verify that this gives an $l↑0$-chain: The numbers
of (b) are all equal to twice some other element of (a) or (b);
furthermore, this element is the preceding underlined element.
If $a↓i = b↓j + a↓k$, where $b↓j$ is the largest underlined element
less than $a↓i$, then $a↓k = a↓i -b↓j≤ b↓{j+1} - b↓j$, so $2↑{a↓k}
(2↑{b↓j} - 1) = 2↑{a↓i} - 2↑{a↓k}$ appears underlined
in the chain, just preceding $2↑{a↓i}- 1$. Since $2↑{a↓i}
- 1$ is equal to $(2↑{a↓i}- 2↑{a↓k}) + (2↑{a↓k} - 1)$, where
both of these values appear in the chain, we have an addition chain
with the $l↑0$ property.\quad\blackslug
\yyskip The chain corresponding to (51), constructed in the proof of
Theorem G\null, is
$$\twoline{\underline1,\underline2,\underline3, \underline6, \underline{12},
\underline{15},\underline{30}, 31,\underline{60},\underline{120}, \underline{240},
\underline{255},\underline{510},\underline{1020},
1023, \underline{2040},}{2pt}{\underline{4080},
4095,\underline{8160},\underline{16320},\underline{32640},\underline{65280},
\underline{130560},\underline{261120},\underline{262143}.}$$
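Steps (a), (b), (c) in the proof of Theorem G translate directly into a program. The following Python code is an added example, not part of the original text (the function names and the representation of a chain as (value, underlined) pairs are chosen here); applied to (51) it produces the chain just displayed.

```python
def is_l0_chain(chain):
    """chain is a list of (value, underlined) pairs in ascending order.

    The l^0 condition: each a_i = a_j + a_k, where a_j is the largest
    underlined element less than a_i and a_k is an earlier element.
    """
    if not chain or chain[0] != (1, True):
        return False
    seen, anchor, prev = {1}, 1, 1       # anchor = latest underlined element
    for value, underlined in chain[1:]:
        if value <= prev or value - anchor not in seen:
            return False
        seen.add(value)
        prev = value
        if underlined:
            anchor = value
    return True

def theorem_g_chain(chain):
    """From an l^0-chain for n, build an l^0-chain for 2^n - 1."""
    if not is_l0_chain(chain):
        raise ValueError("input is not an l^0-chain")
    n = chain[-1][0]
    out = {1: True}                      # the initial element 2^{a_0} - 1 = 1

    # (a) the numbers 2^{a_i} - 1, underlined iff a_i is underlined.
    for a, underlined in chain[1:]:
        out[(1 << a) - 1] = underlined
    out[(1 << n) - 1] = True             # n may be assumed underlined

    # (b) the numbers 2^i (2^{b_j} - 1) for 0 < i <= b_{j+1} - b_j, all
    # underlined, where b_0, ..., b_t = n are the underlined elements.
    b = [a for a, underlined in chain if underlined]
    if b[-1] != n:
        b.append(n)
    for lo, hi in zip(b, b[1:]):
        for i in range(1, hi - lo + 1):
            out[((1 << lo) - 1) << i] = True

    # (c) sort into ascending order.
    return sorted(out.items())

if __name__ == "__main__":
    # The l^0-chain (51) of the text.
    chain51 = [(1, True), (2, True), (4, True), (5, False),
               (8, True), (10, False), (12, False), (18, True)]
    result = theorem_g_chain(chain51)
    print(" ".join(f"_{v}_" if u else str(v) for v, u in result))
    print("length", len(result) - 1, "l0-chain:", is_l0_chain(result))
```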
%folio 598 galley 3 Total loss. (C) Addison-Wesley 1978 *
\exbegin{EXERCISES}
\exno 1. [15] What is the value
of $Z$ when Algorithm A terminates?
\exno 2. [24] Write a \MIX\ program for Algorithm A\null, to calculate $x↑n\mod w$
given integers $n$ and $x$, where $w$ is the word
size. Assume that \MIX\ has the binary operations \.{SLB}, \.{JAE}, etc., which
are described in Section 4.5.2. Write another program that computes $x↑n\mod w$ in
a serial manner (multiplying repeatedly by $x$), and compare the running times
of these programs.
\trexno 3. [22] How is $x↑{975}$ calculated by (a) the binary method?\xskip
(b) the ternary method?\xskip (c) the quaternary method?\xskip (d) the factor
method?
\exno 4. [M20] Find a number $n$ for which the octal ($2↑3$-ary) method gives
ten less multiplications than the binary method.
\trexno 5. [24] Fig.\ 13 shows the first eight levels of the ``power tree.'' The
$(k+1)$-st level of this tree is defined as follows, assuming that the first $k$
levels have been constructed: Take each node $n$ of the $k$th level, from left
to right in turn, and attach below it the nodes
$$n+1,\;n+a↓1,\;n+a↓2,\;\ldotss,\;n+a↓{k-1}=2n$$
(in this order), where 1, $a↓1$, $a↓2$, $\ldotss$, $a↓{k-1}$ is the path from
the root of the tree to $n$; but discard any node that duplicates a number that
has already appeared in the tree.
Design an efficient algorithm that constructs the first $r+1$ levels of the
power tree.\xskip[{\sl Hint:} Make use of two sets of variables $\.{LINKU}[j]$,
$\.{LINKR}[j]$ for $0≤j≤2↑r$; these point upwards and right, respectively, if
$j$ is a number in the tree.]
\exno 6. [M26] If a slight change is made to the definition of the power tree
that is given in exercise 5, so that the nodes below $n$ are attached in
{\sl decreasing} order
$$n+a↓{k-1},\;\ldotss,\;n+a↓2,\;n+a↓1,\;n+1$$
instead of increasing order, we get a tree whose first five levels are
$$\vjust to 31mm{}$$
Show that this tree gives a method of computing $x↑n$ that requires exactly as
many multiplications as the binary method; therefore it is not as good as the
power tree, although it has been constructed in almost the same way.
\exno 7. [M21] Prove that there are infinitely many values of $n$
\yskip\textindent{a)}for which the factor method is better than the binary method;
\textindent{b)}for which the binary method is better than the factor method;
\textindent{c)}for which the power tree method is better than both the binary
and factor methods.
\yskip\noindent(Here the ``better'' method shows how to compute $x↑n$ using
fewer multiplications.)
\exno 8. [M21] Prove that the power tree (exercise 5) never gives more
multiplications for the computation of $x↑n$ than the binary method.
\exno 9. [M46] Is the power tree method ever worse than the factor method?\xskip
(Cf.\ exercises 7 and 8.)
\exno 10. [10] Fig.\ 14 shows a tree that indicates one way to compute $x↑n$ with
the fewest possible multiplications, for all $n≤100$. How can this tree be
conveniently represented within a computer, in just 100 memory locations?
\trexno 11. [M26] The tree of Fig.\ 14 depicts addition chains $a↓0$, $a↓1$,
$\ldotss$, $a↓r$ such that $l(a↓i)=i$ for all $i$ in the chain. Find all addition
chains for $n$ that have this property, when $n=43$ and when $n=77$. Show that
any tree such as Fig.\ 14 must either include the path 1, 2, 4, 8, 9, 17, 34, 43, 77
or the path 1, 2, 4, 8, 9, 17, 34, 68, 77.
\exno 12. [M10] Is it possible to extend the tree shown in Fig.\ 14 to an infinite
tree that yields a minimum-multiplication rule for computing $x↑n$, for all
positive integers $n$?
%folio 600 galley 4 Total loss. (C) Addison-Wesley 1978 *
\exno 13. [M21] Find a star chain of length $A+2$ for each of the four cases listed
in Theorem\penalty999\
C.\xskip(Consequently Theorem C holds also with $l$ replaced by $l↑*$.)
\exno 14. [M35] Complete the proof of Theorem C\null, by demonstrating that (a)
step $r-1$ is not a small step; and (b) $λ(a↓{r-k})$ cannot be less than $m-1$.
\exno 15. [M42] Write a computer program to extend Theorem C\null, characterizing
all $n$ such that $l(n)=λ(n)+3$ and characterizing all $n$ such that $l↑*(n)=λ(n)
+3$.
\exno 16. [HM15] Show that Theorem D is not trivially true just because of the
binary method; if $l↑B(n)$ denotes the length of the addition chain for $n$ produced
by the binary S-and-X method, $l↑B(n)/λ(n)$ does not approach a limit as $n→∞$.
\exno 17. [M25] Explain how to find the intervals $J↓1$, $\ldotss$, $J↓h$ that are
required in the proof of Lemma P.
\exno 18. [HM24] Let $β$ be a positive constant. Show that there is a constant
$α<2$ such that
$$\sum{m+s\choose t+v}{t+v\choose v}β↑{2v}{(m+s)↑2\choose t}\;<\;α↑m$$
for all large $m$, where the sum is over all $s$, $t$, $v$ satisfying (30).
\exno 19. [M23] A ``multiset'' is like a set, but it may contain identical
elements repeated a finite number of times. If $A$ and $B$ are multisets, we define
new multisets $A\uplus B$, $A∪B$, and
$A∩B$ in the following way: An element occurring
exactly $a$ times in $A$ and $b$ times in $B$ occurs exactly $a+b$ times in
$A\uplus B$, exactly $\max(a,b)$ times in $A∪B$, and exactly $\min(a,b)$ times
in $A∩B$.\xskip(A ``set'' is a multiset that contains no elements more than once;
if $A$ and $B$ are sets, so are $A∪B$ and $A∩B$, and the definitions given in
this exercise agree with the customary definitions of set union and intersection.)
\yskip\hang\textindent{a)}The prime factorization of an integer $n>0$ is a
multiset $N$ whose elements are primes, where $\prod↓{p\in N}p=n$. The fact that
every positive integer can be uniquely factored into primes gives us a one-to-one
correspondence between the positive integers and the finite multisets of
prime numbers; for example, if $n=2↑2\cdot3↑3\cdot17$, the corresponding multiset
is $N=\{2,2,3,3,3,17\}$. If $M$ and $N$ are the multisets corresponding respectively
to $m$ and $n$, what multisets correspond to $\gcd(m,n)$, $\lcm(m,n)$, and $mn$?
\hang\textindent{b)}Every monic polynomial $f(z)$ over the complex numbers
corresponds in a natural way to the multiset $F$ of its ``roots''; we have
$f(z)=\prod↓{\zeta\in F}(z-\zeta)$. If $f(z)$ and $g(z)$ are the polynomials
corresponding to the finite multisets $F$ and $G$ of complex numbers, what
polynomials correspond to $F\uplus G$, $F∪G$, and $F∩G$?
\hang\textindent{c)}Find as many interesting identities as you can that hold
between multisets, with respect to the three operations $\uplus$, $∪$, $∩$.
\exno 20. [M20] What are the sequences $S↓i$ and $M↓{ij}$ ($0≤i≤r$, $0≤j≤t$)
arising in Hansen's structural decomposition of star chains (a) of Type 3?\xskip
(b) of Type 5?\xskip(The six ``types'' are defined in the proof of Theorem B.)
\trexno 21. [M25] (W. Hansen.)\xskip Let $q$ be any positive integer. Find a
value of $n$ such that $l(n)≤l↑*(n)-q$.
\exno 22. [M20] Prove that the addition chain constructed in the proof of
Theorem F is an $l↑0$-chain.
\exno 23. [M20] Prove Brauer's inequality (50).
\trexno 24. [M22] Generalize the proof of Theorem G to show that $l↑0\biglp(B↑n
-1)/(B-1)\bigrp≤(n-1)\,l↑0(B)+l↑0(n)$, for any integer $B>1$; and prove that $l(
2↑{mn}-1)≤l(2↑m-1)+mn-m+l↑0(n)$.
\exno 25. [20] Let $y$ be a fraction, $0<y<1$, expressed in the binary number
system as $y=(.d↓1\ldotsm d↓k)↓2$. Design an algorithm to compute $x↑y$ using
the operations of multiplication and square-root extraction.
\trexno 26. [M24] Design an efficient algorithm that computes the $n$th
Fibonacci number $F↓n$, modulo $m$, given large integers $n$ and $m$.
\trexno 27. [24] (E. G. Straus.)\xskip Find a way to compute a general
{\sl monomial\/} $x↓1↑{n↓1}x↓2↑{n↓2}\ldotss x↓m↑{n↓m}$ in at most $2λ\biglp
\max(n↓1,n↓2,\ldotss,n↓m)\bigrp+2↑m-m-1$ multiplications.
\def\\{\mathbin{\char'562}}
\exno 28. [M33] (A. Sch\"onhage.)\xskip
The object of this exercise is to give a fairly short
proof that $l(n) ≥ λ(n) + \lg \nu (n) - O\biglp\log\log\biglp\nu (n)
+ 1\bigrp\bigrp$.\xskip (a) When $x = (x↓k \ldotsm x↓0. x↓{-1}\ldotsm)↓2$ and
$y = (y↓k \ldotsm y↓0. y↓{-1}\ldotsm)↓2$ are real numbers written
in binary notation, let us write $x \subset y$ if $x↓j ≤ y↓j$
for all $j$. Give a simple rule for constructing the smallest
number $z$ with the property that $x↑\prime \subset x$ and $y↑\prime
\subset y$ implies $x↑\prime + y↑\prime \subset z$. Denoting
this number by $x \\ y$, prove that $\nu (x \\ y) ≤ \nu (x) + \nu
(y)$.\xskip (b) Given any addition chain (11) with $r = l(n)$, let the sequence
$d↓0$, $d↓1$, $\ldotss$, $d↓r$ be defined as in (37), and define the
sequence $A↓0$, $A↓1$, $\ldotss$, $A↓r$ by the following rules: $A↓0
= 1$; if $a↓i = 2a↓{i-1}$ then $A↓i = 2A↓{i-1}$; if $a↓i = a↓j
+ a↓k$ for some $0 ≤ k < j < i$, then $A↓i = A↓{i-1} \\ (A↓{i-1}/2↑{d↓j-d↓k})$.
Prove that this sequence ``covers'' the given chain, in the
sense that $a↓i \subset A↓i$ for $0 ≤ i ≤ r$.\xskip (c) Let $\delta$
be a positive integer (to be selected later). Call the nondoubling
step $a↓i = a↓j + a↓k$ a ``baby step'' if $d↓j - d↓k ≥ \delta
$, otherwise call it a ``close step.'' Let $B↓0 = 1$; $B↓i = 2B↓{i-1}$
if $a↓i = 2a↓{i-1}$; $B↓i = B↓{i-1} \\ (B↓{i-1}/2↑{d↓j-d↓k})$ if
$a↓i=a↓j+a↓k$ is a baby step; and $B↓i=\rho(2B↓{i-1})$ otherwise, where
$\rho(x)$ is the least number $y$ such that $x/2↑e\subset y$ for $0≤e≤\delta$.
Show that $A↓i\subset B↓i$ and $\nu(B↓i)≤(1+\delta c↓i)2↑{b↓i}$ for $0≤i≤r$,
where $b↓i$ and $c↓i$ respectively denote the number of baby steps and close
steps $≤i$.\xskip[{\sl Hint:} Show that the 1's in $B↓i$ appear in consecutive
blocks of size $≥1+\delta c↓i$.]\xskip(d) We now have $l(n)=r=b↓r+c↓r+d↓r$ and
$\nu(n)≤\nu(B↓r)≤(1+\delta c↓r)2↑{b↓r}$. Explain how to choose $\delta$ in
order to obtain the inequality stated at the beginning of this exercise.\xskip
[{\sl Hint:} See (16), and note that $n≤2↑rα↑{b↓r}$ for some $α<1$ depending
on $\delta$.]
\exno 29. [M49] Is $\nu(n)≤2↑{l(n)-λ(n)}$ for all positive integers $n$?\xskip
$\biglp$If so, we have the lower bound $l(2↑n-1)≥n-1+\lceil\lg n\rceil$; cf.\
(17) and (49).$\bigrp$
\exno 30. [20] An {\sl addition-subtraction chain} has the rule $a↓i=a↓j\pm
a↓k$ in place of (2); the imaginary computer described in the text has a
new operation code, \.{SUB}.\xskip(This corresponds in practice to evaluating
$x↑n$ using both multiplications and divisions.)\xskip Find an addition-subtraction
chain, for some $n$, that has less than $l(n)$ steps.
\exno 31. [M46] (D. H. Lehmer.)\xskip Explore the problem of minimizing
$εq+(r-q)$ in an addition chain (1), where $q$ is the number of ``simple'' steps
in which $a↓i=a↓{i-1}+1$, given a small positive ``weight'' $ε$.\xskip(This
problem comes closer to reality for many calculations of $x↑n$, if multiplication
by $x$ is simpler than a general multiplication; cf.\ Section 4.6.2.)
\exno 32. [M30] (A. C. Yao.)\xskip Let $l(n↓1,\ldotss,n↓m)$ be the length of the
shortest addition chain that contains $m$ given numbers $n↓1<\cdots<n↓m$. Prove
that $l(n↓1,\ldotss,n↓m)≤λ(n↓m)+mλ(n↓m)/λλ(n↓m)+O\biglp λ(n↓m)λλλ(n↓m)/λλ(n↓m)↑2
\bigrp$, thereby generalizing (25).
\exno 33. [M47] What is the asymptotic value of
$l(1,4,9,\ldotss,m↑2)-m$, as $m→∞$, in the notation of exercise 32?
\exno 34. [M50] Is $l(2↑n-1)≤n-1+l(n)$ for all positive integers $n$?\xskip
Does equality always hold?\xskip Does $l(n)=l↑0(n)$?
\exno 35. [M30] (A. C. Yao, F. F. Yao, R. L. Graham.)\xskip Associate the ``cost''
$a↓ja↓k$ with each step $a↓i=a↓j+a↓k$ of an addition chain (1). Show
that the left-to-right binary method yields a chain of minimum total cost,
for all positive integers $n$.
%folio 603 galley 5 Total loss. (C) Addison-Wesley 1978 *
\runningrighthead{EVALUATION OF POLYNOMIALS}
\section{4.6.4}
\sectionskip
\sectionbegin{4.6.4. Evaluation of Polynomials}
Now that we know efficient ways to evaluate the special polynomial
$x↑n$, let us consider the general problem of computing an $n$th degree
polynomial
$$u(x)=u↓nx↑n+u↓{n-1}x↑{n-1}+\cdots+u↓1x+u↓0,\qquad u↓n≠0,\eqno(1)$$
for given values of $x$. This problem arises frequently in practice.
In the following discussion we shall concentrate on minimizing the number of
operations required to evaluate polynomials by computer, blithely assuming that
all arithmetic operations are exact. Polynomials are most commonly evaluated using
floating-point arithmetic, which is not exact, and different schemes for the
evaluation will, in general, give different answers. A numerical analysis of
the accuracy achieved depends on the coefficients of the particular polynomial
being considered, and is beyond the scope of this book; the reader should be
careful to investigate the accuracy of any calculations undertaken with
floating-point arithmetic. In most cases the methods we shall describe turn out
to be reasonably satisfactory from a numerical standpoint, but many bad examples
can also be given.\xskip[See Webb Miller, {\sl SIAM J. Computing \bf4} (1975),
105--107, for a survey of the literature on stability of fast polynomial
evaluation, and for a demonstration that certain kinds of numerical stability
cannot be guaranteed for some families of high-speed algorithms.]
A beginning programmer will often evaluate the polynomial (1) in a manner
corresponding directly to its conventional textbook form: First $u↓nx↑n$ is
calculated, then $u↓{n-1}x↑{n-1}$, $\ldotss$, $u↓1x$, and finally all of the
terms of (1) are added together. But even if the efficient methods of Section
4.6.3 are used
to evaluate powers of $x$ in this approach, the resulting calculation is
needlessly slow unless nearly all of the coefficients $u↓k$ are zero. If the
coefficients are all nonzero, an obvious alternative would be to evaluate (1)
from right to left, computing the values of $x↑k$ and $u↓kx↑k+\cdots+u↓0$ for
$k=1$, $\ldotss$, $n$. Such a process involves $2n-1$ multiplications and $n$
additions, and it might also require further instructions to store and retrieve
intermediate results from memory.
\subsectionbegin{Horner's rule} One of the first things a novice programmer is
usually taught is an elegant way to rearrange this computation, by evaluating
$u(x)$ as follows:
$$u(x)=\biglp\ldotsm(u↓nx+u↓{n-1})x+\cdots\bigrp x+u↓0.\eqno(2)$$
Start with $u↓n$, multiply by $x$, add $u↓{n-1}$, multiply by $x$, $\ldotss$,
multiply by $x$, add $u↓0$. This form of the computation is usually called
``Horner's rule''; we have already seen it used in connection with radix
conversion in Section 4.4. The entire process requires $n$ multiplications and $n$
additions, minus one addition for each coefficient that is zero. Furthermore,
there is no need to store partial results, since each quantity arising during
the calculation is used immediately after it has been computed.
W. G. Horner gave this rule early in the nineteenth century [{\sl Philosophical
Transactions}, Royal Society of London {\bf 109} (1819), 308--335] in connection
with a procedure for calculating polynomial roots. The fame of the latter method
[see J. L. Coolidge, {\sl Mathematics of Great Amateurs} (Oxford, 1949), Chapter
15] accounts for the fact that Horner's name has been attached to (2); but
actually Isaac Newton had made use of the same idea 150 years earlier. In a
well-known work entitled {\sl De Analysi per \AE quationes Infinitas}, originally
written in 1669, Newton wrote
$$\overline{\overline{\overline{y-4}\times y\,\mathclose:+5}\times y\,\mathclose:
-12}\times y\,\mathclose:+17$$
for the polynomial $y↑4-4y↑3+5y↑2-12y+17$; this clearly uses the idea of (2),
since he often denoted grouping by using horizontal lines and colons instead of
parentheses.\xskip[See D. T. Whiteside, ed., {\sl The Mathematical Papers of
Isaac Newton \bf2} (Cambridge Univ.\ Press, 1968), 222.]
Several generalizations of Horner's
rule have been suggested. Let us first consider evaluating $u(z)$
when $z$ is a complex number, while the coefficients $u↓k$ are
real. In particular, when $z=e↑{i\theta}=\cos\theta+i\sin\theta$, the polynomial
$u(z)$ is essentially two Fourier series,
$$(u↓0+u↓1\cos\theta+\cdots+u↓n\cos n\theta)\;+\;i(u↓1\sin\theta+\cdots+u↓n\sin n
\theta).$$
Complex addition and multiplication can obviously be reduced
to a sequence of ordinary operations on real numbers:
$$\vjust{\halign{#\hfill\qquad⊗\hfill#\qquad⊗#\hfill\cr
real + complex⊗requires⊗1 addition\cr
complex + complex⊗requires⊗2 additions\cr
real $\times$ complex⊗requires⊗2 multiplications\cr
complex $\times$ complex⊗requires⊗4 multiplications, 2 additions\cr
⊗or⊗3 multiplications, 5 additions\cr}}$$
(See exercise 41. Subtraction is here considered as if it were equivalent to
addition.)\xskip Therefore Horner's rule (2) uses either $4n-2$ multiplications
and $3n-2$ additions or $3n-1$ multiplications and $6n-5$ additions to evaluate
$u(z)$ when $z=x+iy$ is complex. Actually $2n-4$ of these additions can be
saved, since we are multiplying by the same number $z$ each time. An alternative
procedure for evaluating $u(x+iy)$ is to let
$$\baselineskip15pt
\vjust{\halign{$\dispstyle\ctr{#}$\cr
a↓1=u↓n,\qquad b↓1=u↓{n-1},\qquad r=x+x,\qquad s=x↑2+y↑2;\cr
a↓j=b↓{j-1}+ra↓{j-1},\qquad b↓j=u↓{n-j}-sa↓{j-1},\qquad 1<j≤n.\cr}}\eqno(3)$$
Then it is easy to prove by induction that $u(z)=za↓n+b↓n$. This scheme [{\sl BIT
\bf5} (1965), 142; cf.\ also G. Goertzel, {\sl AMM \bf65} (1958), 34--35]
requires only $2n+2$ multiplications and $2n+1$ additions, so it is an
improvement over Horner's rule when $n≥3$. In the case of Fourier series, when
$z=e↑{i\theta}$, we have $s=1$, so the number of multiplications drops to
$n+1$. The moral of this story is that a good programmer does not make
indiscriminate use of the built-in ``complex arithmetic'' features of high-level
programming languages.
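Scheme (3) can be checked against ordinary complex arithmetic with the following added example (not part of the original text). The function names and the coefficient order {\tt u[0..n]} are assumptions of this sketch; the second function is the Fourier case $s=1$, where the multiplication by $s$ disappears.

```python
import math

def eval_at_complex(u, x, y):
    """Return (Re, Im) of u(x+iy) for real coefficients u[0..n], using (3).

    Only real operations are used: a and b play the roles of a_j and b_j.
    """
    n = len(u) - 1
    if n == 0:
        return (u[0], 0)
    a, b = u[n], u[n - 1]          # a_1 = u_n, b_1 = u_{n-1}
    r = x + x                      # r = 2x
    s = x * x + y * y              # s = x^2 + y^2
    for j in range(2, n + 1):
        # a_j = b_{j-1} + r a_{j-1},  b_j = u_{n-j} - s a_{j-1}
        a, b = b + r * a, u[n - j] - s * a
    # u(z) = z a_n + b_n, split into real and imaginary parts
    return (x * a + b, y * a)

def fourier_sums(u, theta):
    """Return (sum u_k cos k*theta, sum u_k sin k*theta) via (3) with s = 1."""
    x, y = math.cos(theta), math.sin(theta)
    n = len(u) - 1
    if n == 0:
        return (u[0], 0.0)
    a, b = u[n], u[n - 1]
    r = x + x
    for j in range(2, n + 1):
        a, b = b + r * a, u[n - j] - a   # s = 1, so no multiplication by s
    return (x * a + b, y * a)

if __name__ == "__main__":
    # z^3 - 2z + 5 at z = 1 + 2i
    print(eval_at_complex([5, -2, 0, 1], 1, 2))
    print(fourier_sums([1.0, 2.0, 3.0, 4.0], 0.7))
```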
Consider the process of dividing the polynomial $u(x)$ by the polynomial
$x-x↓0$, using Algorithm 4.6.1D to obtain $u(x)=(x-x↓0)q(x)+r(x)$; here deg$(r)
<1$, so $r(x)$ is a constant independent of $x$, and $u(x↓0)=0\cdot q(x↓0)+r=r$.
An examination of this division process reveals that the computation is essentially
the same as Horner's rule for evaluating $u(x↓0)$. Similarly, if we divide $u(z)$
by the polynomial $(z-z↓0)(z-\=z↓0)=z↑2-2x↓0z+x↓0↑2+y↓0↑2$, the resulting
computation turns out to be equivalent to (3); we obtain $u(z)=(z-z↓0)(z-\=z↓0)
q(z)+a↓nz+b↓n$, hence $u(z↓0)=a↓nz↓0+b↓n$.
In general, if we divide $u(x)$ by $f(x)$ to obtain $u(x)=f(x)q(x)+r(x)$, and
if $f(x↓0)=0$, we have $u(x↓0)=r(x↓0)$; this observation leads to further
generalizations of Horner's rule. For example, we may let $f(x)=x↑2-x↓0↑2$;
this yields the ``second-order'' Horner's rule
$$\baselineskip15pt\eqalignno{u(x)⊗=\biglp\ldotsm(u↓{2\lfloor n/2\rfloor}x↑2
+u↓{2\lfloor n/2\rfloor-2})x↑2+\cdotss\bigrp\,x↑2+u↓0\cr
⊗\qquad+\biglp(\ldotsm(u↓{2\lceil n/2\rceil-1\,}x↑2+u↓{2\lceil n/2\rceil-3})x↑2
+\cdotss)x↑2+u↓1\bigrp\,x.⊗(4)\cr}$$
The second-order rule uses $n+1$ multiplications and $n$ additions (see
ex\-er\-cise\penalty999\ 5); so it is no improvement over Horner's rule from
this standpoint. But there are at least two circumstances in which (4) is
useful: If we want to evaluate both $u(x)$ and $u(-x)$, this approach yields
$u(-x)$ with just one more addition operation; two values can be obtained almost
as cheaply as one. Moreover, if we have a computer that allows parallel
computations, the two lines of (4) may be evaluated independently, so we save
about half the running time.
When our computer allows parallel computation on $k$ arithmetic units at once,
a ``$k$th-order'' Horner's rule $\biglp$obtained in a similar manner from $f(x)=
x↑k-x↓0↑k\,\bigrp$ may be used. Another attractive method for parallel computation
has been suggested by G. Estrin [{\sl Proc.\ Western Joint Computing Conf.\
\bf17} (1960), 33--40]; for $n=7$, Estrin's method is:
$$\baselineskip14pt\def\\{\vjust to 16pt{}}\hjust to size{$
\vtop{\halign{\hfill#\hfill\cr
Processor 1\cr
\hjust{$\eqalign{\\a↓1⊗=u↓7x+u↓6\cr
a↓2⊗=a↓1x↑2+b↓1\cr
a↓3⊗=a↓2x↑4+c↓2\cr}$}\cr}}\hfill
\vtop{\halign{\hfill#\hfill\cr
Processor 2\cr
\hjust{$\eqalign{\\b↓1⊗=u↓5x+u↓4\cr}$}\cr}\vskip0pt}\hfill
\vtop{\halign{\hfill#\hfill\cr
Processor 3\cr
\hjust{$\eqalign{\\c↓1⊗=u↓3x+u↓2\cr
c↓2⊗=c↓1x↑2+d↓1\cr}$}\cr}}\hfill
\vtop{\halign{\hfill#\hfill\cr
Processor 4\cr
\hjust{$\eqalign{\\d↓1⊗=u↓1x+u↓0\cr}$}\cr}\vskip0pt}\hfill
\vtop{\halign{\hfill#\hfill\cr
Processor 5\cr
\\$x↑2$\cr
$x↑4$\cr}}$}$$
Here $a↓3=u(x)$. However, an interesting analysis by W. S. Dorn [{\sl IBM J.
Res.\ and Devel.\ \bf6} (1962), 239--245] shows that these methods might not
actually be an
improvement over the second-order rule, if each arithmetic unit must access a
memory that communicates with only one processor at a time.
\subsectionbegin{Tabulating polynomial values} If we wish to evaluate an
$n$th degree polynomial at many points in an arithmetic progression $\biglp$i.e., if
we want to calculate $u(x↓0)$, $u(x↓0+h)$, $u(x↓0+2h)$, $\ldotss\bigrp$,
the process can be reduced to addition only, after the first few steps. For if
we start with any sequence of numbers $(α↓0,α↓1,\ldotss,α↓n)$ and apply the
transformation
$$α↓0←α↓0+α↓1,\quad α↓1←α↓1+α↓2,\quad\ldotss,\quad α↓{n-1}←α↓{n-1}+α↓n,\eqno(5)$$
we find that $k$ applications of (5) yield
$$α↓j↑{(k)}={k\choose0}β↓j+{k\choose1}β↓{j+1}+{k\choose2}β↓{j+2}+\cdotss,\qquad
0≤j≤n,$$
where $β↓j$ denotes the initial value of $α↓j$ and $β↓j=0$ for $j>n$. In
particular,
$$α↓0↑{(k)}={k\choose0}β↓0+{k\choose1}β↓1+\cdots+{k\choose n}β↓n\eqno(6)$$
is a polynomial of degree $n$ in $k$. By properly choosing the $β$'s, as shown
in exercise 7, we can arrange things so that $α↓0↑{(k)}$ is the desired value
$u(x↓0+kh)$, for all $k$. In other words, each execution of the $n$ additions
in (5) will produce the next value of the given polynomial.
{\sl Caution:} Rounding errors can accumulate after many repetitions of (5),
and an error in $α↓j$ produces a corresponding error in the coefficients of
$x↑0$, $\ldotss$, $x↑j$ in the polynomial being computed. Therefore the values
of the $α$'s should be ``refreshed'' after a large number of iterations.
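The tabulation process, including the refreshing recommended in the caution, is shown in the following added example (not part of the original text). It assumes the standard choice of $β↓j$ as the $j$th forward difference of $u$ at $x↓0$ with step $h$, which makes (6) Newton's forward-difference formula; the function names are hypothetical.

```python
from fractions import Fraction

def horner(u, x):
    """Evaluate u[0] + u[1]*x + ... + u[n]*x**n by rule (2)."""
    result = 0
    for coeff in reversed(u):
        result = result * x + coeff
    return result

def initial_betas(u, x0, h):
    """Return [beta_0, ..., beta_n], the forward differences of u at x0.

    Assumed choice of the beta's: beta_j = (Delta^j u)(x0) with step h.
    """
    n = len(u) - 1
    column = [horner(u, x0 + k * h) for k in range(n + 1)]
    betas = []
    while column:
        betas.append(column[0])
        column = [b - a for a, b in zip(column, column[1:])]
    return betas

def tabulate(u, x0, h, count, refresh_every=None):
    """Return [u(x0), u(x0+h), ..., u(x0+(count-1)h)].

    After the start-up, each new value costs only the n additions of (5).
    If refresh_every is given, the alpha's are recomputed from scratch
    every refresh_every steps to stop rounding errors from accumulating.
    """
    alpha = initial_betas(u, x0, h)
    n = len(alpha) - 1
    values = []
    for k in range(count):
        if refresh_every and k > 0 and k % refresh_every == 0:
            alpha = initial_betas(u, x0 + k * h, h)
        values.append(alpha[0])
        for j in range(n):             # transformation (5), left to right
            alpha[j] += alpha[j + 1]
    return values

if __name__ == "__main__":
    u = [5, -2, 0, 1]                  # x^3 - 2x + 5
    print(tabulate(u, 0, 1, 6))
    print(tabulate(u, Fraction(0), Fraction(1, 10), 4))
```

With integer or {\tt Fraction} inputs the table is exact; with floating-point inputs the {\tt refresh\_every} argument bounds the drift.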
\subsectionbegin{Derivatives and changes of variable} Sometimes we want to find
the coefficients of $u(x+x↓0)$, given a constant $x↓0$ and the coefficients of
$u(x)$. For example, if $u(x)=3x↑2+2x-1$, then $u(x-2)=3x↑2-10x+7$. This is
analogous to a radix conversion problem, converting from base $x$ to base $x+2$.
By Taylor's theorem, the desired coefficients are given by the derivatives of
$u(x)$ at $x=x↓0$, namely
$$u(x+x↓0)=u(x↓0)+u↑\prime(x↓0)x+\biglp u↑{\prime\prime}(x↓0)/2!\bigrp x↑2+\cdots
+\biglp u↑{(n)}(x↓0)/n!\bigrp x↑n,\eqno(7)$$
so the problem is equivalent to evaluating $u(x)$ and all its derivatives.
If we write $u(x)=q(x)(x-x↓0)+r$, then $u(x+x↓0)=q(x+x↓0)x+r$; so $r$ is the
constant coefficient of $u(x+x↓0)$, and the problem reduces to finding the
coefficients of $q(x+x↓0)$, where $q(x)$ is a known polynomial of degree
$n-1$. Thus the following algorithm is indicated:
\yyskip\hang\textindent{\bf H1.}Set $v↓j←u↓j$ for $0≤j≤n$.
\yskip\hang\textindent{\bf H2.}For $k=0$, 1, $\ldotss$, $n-1$ (in this order),
set $v↓j←v↓j+x↓0v↓{j+1}$ for $j=n-1$, $\ldotss$, $k+1$, $k$ (in this order).\quad
\blackslug
\yyskip\noindent At the conclusion of step H2 we have $u(x+x↓0)=v↓nx↑n+\cdots+
v↓1x+v↓0$. This procedure was a principal part of Horner's rootfinding method,
and when $k=0$ it is exactly rule (2) for evaluating $u(x↓0)$.
Horner's method requires $(n↑2+n)/2$ multiplications and $(n↑2+n)/2$ additions;
but notice that if $x↓0=1$ we avoid all of the multiplications. Fortunately
we can reduce the general problem to the case $x↓0=1$ by introducing
comparatively few multiplications and divisions:
\yyskip\hang\textindent{\bf S1.}Compute and store the values $x↓0↑2$, $\ldotss$,
$x↓0↑n$.
\yskip\hang\textindent{\bf S2.}Set $v↓j←u↓jx↓0↑j$ for $0≤j≤n$.\xskip$\biglp$Now
$v(x)=u(x↓0x).\bigrp$
\yskip\hang\textindent{\bf S3.}Perform step H2 but with $x↓0=1$.\xskip$\biglp$Now
$v(x)=u\biglp x↓0(x+1)\bigrp=u(x↓0x+x↓0).\bigrp$
\yskip\hang\textindent{\bf S4.}Set $v↓j←v↓j/x↓0↑j$ for $0<j≤n$.\xskip$\biglp$Now
$v(x)=u(x+x↓0)$ as desired.$\bigrp$\quad\blackslug
\yyskip\noindent This idea, due to M. Shaw and J. F. Traub [{\sl JACM \bf21} (1974),
161--167], has the same number of additions and the same numerical stability as
Horner's method, but it needs only $2n-1$ multiplications and $n-1$ divisions.
About ${1\over2}n$ of these multiplications can, in turn, be avoided (see
exercise 6).
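Steps H1--H2 and S1--S4 are compared in the following added example (not part of the original text), using the polynomial $3x↑2+2x-1$ from the start of this subsection with $x↓0=-2$. The function names are hypothetical; {\tt Fraction} inputs are assumed when the divisions of step S4 must be exact.

```python
from fractions import Fraction

def shift_horner(u, x0):
    """Coefficients of u(x + x0) by steps H1-H2; u = [u_0, ..., u_n]."""
    v = list(u)                                # H1
    n = len(v) - 1
    for k in range(n):                         # H2: k = 0, 1, ..., n-1
        for j in range(n - 1, k - 1, -1):      # j = n-1, ..., k
            v[j] += x0 * v[j + 1]
    return v

def shift_shaw_traub(u, x0):
    """Coefficients of u(x + x0) by steps S1-S4.

    The inner double loop contains additions only; multiplications and
    divisions occur just in the scaling steps S1, S2 and S4.
    """
    n = len(u) - 1
    if x0 == 0:                                # S4 would divide by zero
        return list(u)
    powers = [1, x0]                           # S1: x0^2, ..., x0^n
    for _ in range(2, n + 1):
        powers.append(powers[-1] * x0)
    v = [u[j] * powers[j] for j in range(n + 1)]   # S2: v(x) = u(x0 x)
    for k in range(n):                         # S3: step H2 with x0 = 1
        for j in range(n - 1, k - 1, -1):
            v[j] += v[j + 1]
    for j in range(1, n + 1):                  # S4: v(x) = u(x + x0)
        v[j] = v[j] / powers[j]
    return v

if __name__ == "__main__":
    u = [Fraction(c) for c in (-1, 2, 3)]      # 3x^2 + 2x - 1
    print(shift_horner(u, Fraction(-2)))       # coefficients 7, -10, 3
    print(shift_shaw_traub(u, Fraction(-2)))
```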
If we want only the first few or the last few derivatives, Shaw and Traub have
observed that there are further ways to save time. For example, if we just want
to evaluate $u(x)$ and $u↑\prime(x)$, we can do the job with $2n-1$ additions
and about $n+\sqrt{2n}$ multiplications/divisions as follows:
\yyskip\hang\textindent{\bf D1.}Compute and store the values $x↑2$, $x↑3$,
$\ldotss$, $x↑t$, $x↑{2t}$, where $t=\lceil\sqrt{n/2}\,\rceil$.
\yskip\hang\textindent{\bf D2.}Set $v↓j←u↓jx↑{f(j)}$ for $0≤j≤n$, where $f(n)=t$,
$f(n-1-k)=t-1-(k\mod 2t)$ for $0≤k≤n-1$.\xskip$\biglp$Suppress the multiplication
when $f(j)=0$.$\bigrp$
\yskip\hang\textindent{\bf D3.}Set $v↓j←v↓j+v↓{j+1}x↑{g(j)}$ for $j=n-1$, $\ldotss$,
1, 0; here $g(j)=2t$ when $n-j$ is a multiple of $2t$, otherwise $g(j)=0$ and the
multiplication by $x↑{g(j)}$ is suppressed.
\yskip\hang\textindent{\bf D4.}Set $v↓j←v↓j+v↓{j+1}x↑{g(j)}$ for $j=n-1$, $\ldotss$,
2, 1. Now $v↓0/x↑{f(0)}=u(x)$ and $v↓1/x↑{f(1)}=u↑\prime(x)$.\quad\blackslug
%folio 609 galley 6 Total loss (C) Addison-Wesley 1978 *
\subsectionbegin{Adaptation of coefficients} Let us now return
to our original problem of eval\-uating a given polynomial $u(x)$
as rapidly as possible, for ``random'' values of $x$. The importance
of this problem is due partly to the fact that standard functions
such as $\sin x$, $\cos x$, $e↑x$, etc., are usually computed by
subroutines that rely on the evaluation of certain polynomials;
such polynomials are evaluated so often, it is desirable to
find the fastest possible way to do the computation.
Arbitrary polynomials of degree five and higher can be evaluated
with fewer operations than Horner's rule requires, if we first
``adapt'' or ``precondition'' the coefficients $u↓0$, $u↓1$,
$\ldotss$, $u↓n$. This
adaptation process might involve a lot of work,
as explained below; but the preliminary calculation is not wasted,
since it must be done only once while the polynomial will be
evaluated many times. For examples of ``adapted'' polynomials
for standard functions, see V. J. Pan, {\sl USSR Computational
Math.\ and Math.\ Physics \bf 2} (1963), 137--146.
The simplest case for which adaptation of coefficients is helpful
occurs for a fourth degree polynomial:
$$u(x) = u↓4x↑4 + u↓3x↑3 + u↓2x↑2 + u↓1x + u↓0,\qquad u↓4 ≠
0.\eqno (8)$$
This equation can be rewritten in a form originally suggested
by T. S. Motzkin,
$$y=(x+α↓0)x+α↓1,\qquad u(x)=\biglp(y+x+α↓2)y+α↓3\bigrp α↓4,\eqno(9)$$
for suitably ``adapted'' coefficients $α↓0$, $α↓1$, $α↓2$, $α↓3$, $α↓4$.
The computation in (9) involves three multiplications, five additions,
and (on a one-accumulator machine like \MIX) one instruction to store the partial
result $y$ into temp storage. By comparison with Horner's rule, we have traded a
multiplication for an addition and a possible storage command. Even this
comparatively small savings is worth while if the polynomial is to be evaluated
often.\xskip(Of course, if the time for multiplication is comparable to the time for
addition, (9) gives no improvement; we will see that a general fourth-degree
polynomial always requires at least eight arithmetic operations for its evaluation.)
By comparing coefficients in (8) and (9), we obtain formulas for computing the
$α↓j$'s in terms of the $u↓k$'s:
$$\baselineskip15pt\vjust{\halign{$\ctr{#}$\cr
α↓0={1\over2}(u↓3/u↓4-1),\qquad β=u↓2/u↓4-α↓0(α↓0+1),\qquad α↓1=u↓1/u↓4-α↓0β,\cr
α↓2=β-2α↓1,\qquad α↓3=u↓0/u↓4-α↓1(α↓1+α↓2),\qquad α↓4=u↓4.\cr}}\eqno(10)$$
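Formulas (10) and the evaluation scheme (9) are carried out in the following added example (not part of the original text). The function names and the sample quartic are constructed for illustration; exact rational arithmetic is used so that the adapted form can be compared with the original polynomial without rounding.

```python
from fractions import Fraction

def adapt_quartic(u):
    """Return (alpha_0, ..., alpha_4) of (10) for u = [u_0, ..., u_4]."""
    if len(u) != 5 or u[4] == 0:
        raise ValueError("need a polynomial of degree exactly four")
    u0, u1, u2, u3, u4 = (Fraction(c) for c in u)
    a0 = (u3 / u4 - 1) / 2
    beta = u2 / u4 - a0 * (a0 + 1)
    a1 = u1 / u4 - a0 * beta
    a2 = beta - 2 * a1
    a3 = u0 / u4 - a1 * (a1 + a2)
    a4 = u4
    return (a0, a1, a2, a3, a4)

def eval_adapted_quartic(alpha, x):
    """Evaluate by (9): three multiplications and five additions."""
    a0, a1, a2, a3, a4 = alpha
    y = (x + a0) * x + a1
    return ((y + x + a2) * y + a3) * a4

if __name__ == "__main__":
    u = [-7, 1, -3, 6, 2]          # constructed: 2x^4 + 6x^3 - 3x^2 + x - 7
    alpha = adapt_quartic(u)
    print(alpha)
    for x in range(-3, 4):
        direct = sum(c * x ** k for k, c in enumerate(u))
        print(x, eval_adapted_quartic(alpha, x), direct)
```

The adaptation is done once; only {\tt eval\_adapted\_quartic} is executed for each new value of $x$.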
A similar scheme, which evaluates a fourth-degree
polynomial in the same number of steps as (9), appears in exercise
18; this alternative method will give greater numerical accuracy
than (9) in certain cases, although it yields poorer accuracy
in others.
Polynomials that arise in practice often have a rather small
leading coefficient, so that the division by $u↓4$ in (10) leads
to instability. In such a case it is usually preferable to replace
$x$ by $|u↓4|↑{1/4\,}x$ as the first step, reducing (8) to $\pm$
a monic polynomial. A similar transformation applies to polynomials of higher
degrees. This idea is due to C. T. Fike [{\sl CACM \bf10} (1967), 175--178], who
has presented several interesting examples.
Any polynomial of the fifth degree may be evaluated using four
multiplications, six additions, and one storing, by using the
rule $u(x) = U(x)x + u↓0$, where $U(x) = u↓5x↑4 + u↓4x↑3 + u↓3x↑2
+ u↓2x + u↓1$ is evaluated as in (9). Alternatively, we can
do the evaluation with four multiplications, five additions,
and three storings, if the calculations take the form
$$y=(x+α↓0)↑2,\qquad u(x)=\biglp((y+α↓1)y+α↓2)(x+α↓3)+α↓4\bigrp α↓5.\eqno(11)$$
The determination of the $α$'s this time requires the solution of a cubic equation
(see exercise 19).
On many computers the number of ``storing'' operations required by (11) is less
than 3; for example, we may be able to compute $(x+α↓0)↑2$ without storing $x+α↓0$.
In fact, many computers have more than one arithmetic register for floating-point
calculations, so we can avoid storing altogether. Because of the wide variety of
features available for arithmetic on different computers, we shall henceforth
in this section count only the arithmetic operations, not the operations of
storing and loading an accumulator. The computation schemes can usually be
adapted to any particular computer in a straightforward manner, so that very few
of these auxiliary
operations are necessary; on the other hand, it must be remembered
that this extra overhead might well overshadow the fact that we are saving a
multiplication or two, especially if the machine code is being produced by a
compiler that does not ``optimize.''
A polynomial $u(x)=u↓6x↑6+\cdots+u↓1x+u↓0$ of degree six can always be evaluated
using four multiplications and seven additions, with the scheme
$$\baselineskip15pt\vjust{\halign{$\ctr{#}$\cr
z=(x+α↓0)x+α↓1,\qquad w=(x+α↓2)z+α↓3,\cr
u(x)=\biglp(w+z+α↓4)w+α↓5\bigrp α↓6.\cr}}\eqno(12)$$
[See D. E. Knuth, {\sl CACM \bf5} (1962), 595--599.]\xskip This saves two of the
six multiplications required by Horner's rule. Here again we must solve a cubic
equation: Since $α↓6=u↓6$, we may assume that $u↓6=1$. Under this assumption,
let $β↓1={1\over2}(u↓5-1)$, $β↓2=u↓4-β↓1(β↓1+1)$, $β↓3=u↓3-β↓1β↓2$, $β↓4=β↓1-β↓2$,
$β↓5=u↓2-β↓1β↓3$. Let $β↓6$ be a real root of the cubic equation
$$\qquad 2y↑3+(2β↓4-β↓2+1)y↑2+(2β↓5-β↓2β↓4-β↓3)y+(u↓1-β↓2β↓5)=0.\eqno(13)$$
(This equation always has a real root, since the polynomial on the left approaches
$+∞$ for large positive $y$, and it approaches $-∞$ for large negative $y$; it
must assume the value zero somewhere in between.)\xskip Now if we define
$$β↓7=β↓6↑2+β↓4β↓6+β↓5,\qquad β↓8=β↓3-β↓6-β↓7,$$
we have finally
$$\baselineskip15pt\vjust{\halign{$\ctr{#}$\cr
α↓0=β↓2-2β↓6,\qquad α↓2=β↓1-α↓0,\qquad α↓1=β↓6-α↓0α↓2,\cr
α↓3=β↓7-α↓1α↓2,\qquad α↓4=β↓8-β↓7-α↓1,\qquad α↓5=u↓0-β↓7β↓8.\cr}}\eqno(14)$$
We can illustrate this procedure with a contrived example: Suppose that we want to
evaluate $x↑6+13x↑5+49x↑4+33x↑3-61x↑2-37x+3$. We obtain $α↓6=1$, $β↓1=6$, $β↓2=7$,
$β↓3=-9$, $β↓4=-1$, $β↓5=-7$, and so we meet with the cubic equation
$$2y↑3-8y↑2+2y+12=0.\eqno(15)$$
This equation has $β↓6=2$ as a root, and we continue to find $β↓7=-5$, $β↓8=-6$,
$α↓0=3$, $α↓2=3$, $α↓1=-7$, $α↓3=16$, $α↓4=6$, $α↓5=-27$. The resulting scheme is
$$z=(x+3)x-7,\qquad w=(x+3)z+16,\qquad u(x)=(w+z+6)w-27.$$
By sheer coincidence the quantity $x+3$ appears twice here, so we have found a
method that uses three multiplications and six additions.
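The derivation (13)--(14) and the contrived example are reproduced in the following added example (not part of the original text). The function names are hypothetical; when no root $β↓6$ is supplied, a real root of (13) is located by bisection in floating point, an assumption of this sketch rather than a method given in the text.

```python
from fractions import Fraction

def sextic_betas(u):
    """Return (alpha_6, monic coefficients, beta_1..beta_5) for u[0..6]."""
    if len(u) != 7 or u[6] == 0:
        raise ValueError("need a polynomial of degree exactly six")
    a6 = Fraction(u[6])
    m = [Fraction(c) / a6 for c in u]          # divide by u_6: now monic
    b1 = (m[5] - 1) / 2
    b2 = m[4] - b1 * (b1 + 1)
    b3 = m[3] - b1 * b2
    b4 = b1 - b2
    b5 = m[2] - b1 * b3
    return a6, m, (b1, b2, b3, b4, b5)

def sextic_cubic(u):
    """Coefficients (c3, c2, c1, c0) of the cubic equation (13)."""
    _, m, (b1, b2, b3, b4, b5) = sextic_betas(u)
    return (2, 2 * b4 - b2 + 1, 2 * b5 - b2 * b4 - b3, m[1] - b2 * b5)

def real_root_of_cubic(c3, c2, c1, c0, iterations=200):
    """Bisection for a real root; assumes c3 > 0, as in (13)."""
    c3, c2, c1, c0 = float(c3), float(c2), float(c1), float(c0)
    f = lambda y: ((c3 * y + c2) * y + c1) * y + c0
    bound = 1 + max(abs(c2), abs(c1), abs(c0)) / c3   # all roots lie inside
    lo, hi = -bound, bound                            # f(lo) < 0 < f(hi)
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if f(mid) > 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2

def adapt_sextic(u, beta6=None):
    """Return [alpha_0, ..., alpha_6] of scheme (12), following (14).

    Pass an exact root beta6 of (13) to keep the arithmetic rational.
    """
    a6, m, (b1, b2, b3, b4, b5) = sextic_betas(u)
    if beta6 is None:
        beta6 = real_root_of_cubic(*sextic_cubic(u))
    b7 = beta6 * beta6 + b4 * beta6 + b5
    b8 = b3 - beta6 - b7
    a0 = b2 - 2 * beta6
    a2 = b1 - a0
    a1 = beta6 - a0 * a2
    a3 = b7 - a1 * a2
    a4 = b8 - b7 - a1
    a5 = m[0] - b7 * b8
    return [a0, a1, a2, a3, a4, a5, a6]

def eval_adapted_sextic(alpha, x):
    """Evaluate by (12): four multiplications and seven additions."""
    a0, a1, a2, a3, a4, a5, a6 = alpha
    z = (x + a0) * x + a1
    w = (x + a2) * z + a3
    return ((w + z + a4) * w + a5) * a6

if __name__ == "__main__":
    u = [3, -37, -61, 33, 49, 13, 1]           # the example in the text
    print(sextic_cubic(u))                     # coefficients of (15)
    print(adapt_sextic(u, beta6=2))            # 3, -7, 3, 16, 6, -27, 1
    print(adapt_sextic(u))                     # bisection picks another root
```

Equation (15) has three real roots, and each one gives a valid but different set of $α$'s; the text's choice $β↓6=2$ is the one for which $α↓0=α↓2$.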
%folio 611 galley 7 Mostly wiped out. (C) Addison-Wesley 1978 *
Another method for handling sixth-degree
equations has been suggested by
V.\penalty999\ J. Pan [{\sl Problemy Kibernetiki \bf5}
(1961), 17--29]. His method requires one more addition operation,
but it involves only rational operations in the
preliminary steps (no cubic equation needs to be solved). We may proceed as follows:
$$\baselineskip14pt\vjust{\halign{$\ctr{#}$\cr
z = (x + α↓0)x + α↓1,\qquad w = z + x + α↓2,\cr
u(x) = \biglp((z - x + α↓3)w + α↓4)z + α↓5\bigrp α↓6.\cr}}\eqno(16)$$
To determine the $α$'s, we divide the polynomial once again
by $u↓6 = α↓6$ so that $u(x)$ becomes monic. It can then be
verified that $α↓0 = u↓5/3$ and that
$$\qquad α↓1 = (u↓1 - α↓0u↓2 + α↓0↑2u↓3 - α↓0↑3u↓4 +
2α↓0↑5)/(u↓3 - 2α↓0u↓4+5α↓0↑3).\eqno(17)$$
Note that Pan's method requires that
the denominator in (17) does not vanish. In other words, (16) can be used only when
$$27u↓3u↓6↑2 - 18u↓6u↓5u↓4 + 5u↓5↑3 ≠ 0;\eqno(18)$$
in fact, this quantity should not be so small that
$α↓1$ becomes too large. Once $α↓1$ has been determined, the
remaining $α$'s may be determined from the equations
$$\baselineskip14pt\cpile{
β↓1 = 2α↓0,\qquad β↓2 = u↓4 - α↓0β↓1 - α↓1,\cr
β↓3 = u↓3 - α↓0β↓2 - α↓1β↓1,\qquad
β↓4 = u↓2 - α↓0β↓3 - α↓1β↓2,\cr
α↓3 = {1\over 2}\biglp β↓3 - (α↓0 - 1)β↓2 + (α↓0 -
1)(α↓0↑2 - 1)\bigrp - α↓1,\cr
α↓2 = β↓2 - (α↓0↑2 - 1) - α↓3 - 2α↓1,\cr
α↓4 = β↓4 - (α↓2 + α↓1)(α↓3 + α↓1),\cr
α↓5 = u↓0 - α↓1β↓4.\cr}\eqno (19)$$
We have discussed the cases of degree
$n = 4$, 5, 6 in detail because the smaller values of $n$ arise
most frequently in applications. Let us now consider a general
evaluation scheme for $n$th degree polynomials, a method that involves at most
$\lfloor n/2\rfloor +
2$ multiplications and $n$ additions.
\thbegin Theorem E. {\sl Every $n$th degree polynomial
$(1)$ with real coefficients, $n ≥ 3$, can be evaluated by
the scheme}
$$\baselineskip15pt\qquad\vjust{\halign{$\ctr{#}$\cr
y = x + c,\qquad w = y↑2;\cr
z = (u↓ny + α↓0)y + β↓0\quad (n\hjust{ even}),\qquad
z = u↓ny + β↓0\quad (n\hjust{ odd});\cr
u(x) = \biglp\ldotsm((z(w - α↓1)+β↓1)(w-α↓2)+β↓2)\ldotsm\bigrp(w-α↓m)+β↓m;\cr}}
\eqno (20)$$
{\sl for suitable real parameters $c$, $α↓k$ and $β↓k$,
where $m = \lfloor n/2\rfloor - 1$. In fact, it is possible to
select these parameters so that $β↓m=0$.}
\proofbegin Let us first examine the circumstances under which the $α$'s and $β$'s
can be chosen in (20), if $c$ is fixed: let
$$p(x)=u(x-c)=a↓nx↑n+a↓{n-1}x↑{n-1}+\cdots + a↓1x + a↓0.\eqno (21)$$
We want to show that $p(x)$ has the form $p↓1(x)(x↑2
- α↓m) + β↓m$ for some polynomial $p↓1(x)$ and some constants
$α↓m$, $β↓m$. If we divide $p(x)$ by $x↑2 - α↓m$, we can see that
the remainder $β↓m$ is a constant only if the auxiliary polynomial
$$q(x) = a↓{2m+1}x↑m + a↓{2m-1}x↑{m-1} + \cdots
+ a↓1,\eqno (22)$$
formed from every odd-numbered coefficient of $p(x)$, is
a multiple of $x - α↓m$. Conversely, if $q(x)$ has $x-α↓m$ as a factor,
then $p(x)=p↓1(x)(x↑2-α↓m)+β↓m$, for some constant $β↓m$ that
may be determined by division.
Similarly, we want $p↓1(x)$ to have the form $p↓2(x)(x↑2-α↓{m-1})+β↓{m-1}$, and
this is the same as saying that $q(x)/(x-α↓m)$ is a multiple of $x-α↓{m-1}$; for if
$q↓1(x)$ is the polynomial corresponding to $p↓1(x)$ as $q(x)$
corresponds to $p(x)$, we have $q↓1(x) = q(x)/(x
- α↓m)$. Continuing in the same way, we find that the parameters $α↓1$, $β↓1$,
$\ldotss$, $α↓m$, $β↓m$ will exist if and only if
$$q(x)=a↓{2m+1}(x-α↓1)\ldotsm(x - α↓m).\eqno (23)$$
In other words, either $q(x)$ is identically zero (and this can happen only when
$n$ is even), or else $q(x)$ is an $m$th degree polynomial having all real roots.
Now we have a surprising fact discovered by J. Eve [{\sl Numer.\ Math.\ \bf6}
(1964), 17--21]: {\sl If $p(x)$ has at least $n-1$ complex roots whose real parts
are all nonnegative, or all nonpositive, then the corresponding polynomial $q(x)$
is identically zero or has all real roots.}\xskip(See exercise 23.)\xskip Since
$u(x)=0$ if and only if $p(x+c)=0$, we need merely choose the parameter $c$ large
enough that at least $n-1$ of the roots of $u(x)=0$ have a real part $≥-c$, and
(20) will apply whenever $a↓{n-1}=u↓{n-1}-ncu↓n≠0$.
We can also determine $c$ so that these conditions are fulfilled and that
$β↓m=0$. First the $n$ roots of $u(x)=0$ are determined. If $a+bi$ is a root having
the largest or the smallest real part, and if $b≠0$, let $c=-a$ and $α↓m=-b↑2$;
then $x↑2-α↓m$ is a factor of $u(x-c)$. If the root with smallest or largest real
part is real, but the root with {\sl second\/} smallest (or second largest) real
part is nonreal, the same transformation applies. If the two roots with smallest
(or largest) real parts are both real, they can be expressed in the form $a-b$ and
$a+b$, respectively; let $c=-a$ and $α↓m=b↑2$. Again $x↑2-α↓m$ is a factor of
$u(x-c)$.\xskip
(Still other values of $c$ are often possible; see exercise 24.)\xskip
The coefficient $a↓{n-1}$ will be nonzero for at least one of these alternatives,
unless $q(x)$ is identically zero.\quad\blackslug
\yyskip Note that this method of proof usually gives at least two values of $c$,
and we also have
the chance to permute $α↓1$, $\ldotss$, $α↓{m-1}$ in $(m-1)!$ ways. Some of
these alternatives may give more desirable numerical accuracy than others.
\subsectionbegin{Polynomial chains} Now let us consider questions of optimality.
What are the {\sl best possible} schemes for evaluating polynomials of various
degrees, in terms of the minimum possible number of arithmetic operations? This
question was first analyzed by A. M. Ostrowski in
the case that no preliminary adaptation of coefficients is allowed
[{\sl Studies in Mathematics and
Mechanics presented to R. von Mises} (New York: Academic Press, 1954), 40--48],
and by T. S. Motzkin in the case of adapted coefficients
[cf.\ {\sl Bull.\ Amer.\ Math.\ Soc.\ \bf61} (1955), 163].
In order to investigate this question, we can extend Section 4.6.3's concept
of addition chains to the notion
of {\sl polynomial chains}. A polynomial
chain is a sequence of the form
$$x=λ↓0,\quad λ↓1,\quad\ldotss,\quad λ↓r=u(x),\eqno(24)$$
where $u(x)$ is some polynomial in $x$, and for $1≤i≤r$
$$\baselineskip15pt\vcenter{\halign{\hfill# ⊗$#\hfill$⊗\qquad$#\hfill$\cr
either⊗λ↓i=(\pm λ↓j)\circ λ↓k,⊗0≤j,k<i\cr
or⊗λ↓i=α↓j\circ λ↓k,⊗0≤k<i.\cr}}\eqno(25)$$
Here ``$\circ$'' denotes any of the three operations ``+'',
``$-$'', or ``$\times$'', and $α↓j$ denotes a so-called ``parameter.''
Steps of the first kind are called {\sl chain steps}, and steps
of the second kind are called {\sl parameter steps.} We shall
assume that a different parameter $α↓j$ is used in each parameter
step; if there are $s$ parameter steps, they should involve
$α↓1$, $α↓2$, $\ldotss$, $α↓s$ in this order.
It follows that the polynomial $u(x)$ at the end of the chain
has the form
$$u(x) = q↓nx↑n + \cdots + q↓1x + q↓0,\eqno (26)$$
where $q↓n$, $\ldotss$, $q↓1$, $q↓0$ are polynomials
in $α↓1$, $α↓2$, $\ldotss$, $α↓s$ with integer coefficients. We shall
interpret the parameters $α↓1$, $α↓2$, $\ldotss$, $α↓s$ as real numbers,
and we shall therefore restrict ourselves to considering the
evaluation of polynomials with real coefficients. The {\sl result
set\/} $R$ of a polynomial chain is defined to be the set of all
vectors $(q↓n, \ldotss, q↓1, q↓0)$ of real numbers that occur
as $α↓1$, $α↓2$, $\ldotss$, $α↓s$ independently assume all possible
real values.
If for every choice of $t+1$ distinct integers $j↓0$, $\ldotss$,
$j↓t \in \{0, 1, \ldotss, n\}$ there is a nonzero multivariate
polynomial $f↓{j↓0\ldotsm j↓t}$ with integer coefficients such that
$f↓{j↓0\ldotsm j↓t}(q↓{j↓0},\ldotss,q↓{j↓t})=0$ for all $(q↓n,\ldotss,q↓1,q↓0)$
in $R$, let us say that the result set $R$ has at most
$t$ {\sl degrees of freedom}, and that the chain (24) has at most $t$
degrees of freedom. We also say that the chain (24) {\sl computes} a given
polynomial $u(x)=u↓nx↑n+\cdots+u↓1x+u↓0$ if $(u↓n,\ldotss,u↓1,u↓0)$ is in $R$.
It follows that a polynomial
chain with at most $n$ degrees of freedom cannot compute all $n$th degree
polynomials (see exercise 27).
As an example of a polynomial chain, consider the following chain
corresponding to Theorem E\null, when $n$ is odd:
$$\baselineskip0pt\lineskip0pt\def\\{\lower 3pt\vjust to 13pt{}}
\eqalign{\\λ↓0⊗=x\cr
\\λ↓1 ⊗= α↓1 + λ↓0\cr
\\λ↓2 ⊗= λ↓1 \times λ↓1\cr
\\λ↓3 ⊗= α↓2 \times λ↓1\cr
\rpile{\\λ↓{1+3i}\cr\\λ↓{2+3i}\cr\\λ↓{3+3i}\cr} ⊗
\lpile{\\\null= α↓{1+2i} + λ↓{3i}\cr
\\\null= α↓{2+2i} + λ↓2\cr
\\\null= λ↓{1+3i}\times λ↓{2+3i}\cr}\quad\left\}\vcenter{\vjust to 36pt{}}\quad
1≤i<n/2.\right.\cr}\eqno\lower 39pt\hjust{(27)}$$
There are $\lfloor n/2\rfloor+2$ multiplications and $n$ additions; $\lfloor n/2
\rfloor+1$ chain steps and $n + 1$ parameter steps. By
Theorem E\null, the result set $R$ includes the set of all $(u↓n,
\ldotss , u↓1, u↓0)$ with $u↓n≠0$, so (27) computes
all polynomials of degree $n$. We cannot prove that $R$ has at most
$n$ degrees of freedom, since the result set has $n+1$ independent components.
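Definition (24)--(25) and chain (27) can be run mechanically. The following is an added example, not part of the original text: it interprets a chain over polynomials in x and tallies the operation counts quoted above. The step encoding and all function names are assumptions of this sketch, and the optional sign on the first operand of a chain step is omitted because (27) does not use it.

```python
def poly_add(p, q, sign=1):
    """p + sign*q for coefficient lists, low order first."""
    n = max(len(p), len(q))
    p = p + [0] * (n - len(p))
    q = q + [0] * (n - len(q))
    return [a + sign * b for a, b in zip(p, q)]

def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r

def run_chain(steps, alphas):
    """Run a polynomial chain; steps[i-1] defines lambda_i.

    ('chain', op, j, k) means lambda_i = lambda_j op lambda_k   (chain step)
    ('param', op, k)    means lambda_i = alpha   op lambda_k   (parameter step)
    Parameters are consumed in the order alpha_1, alpha_2, ..., as (25) requires.
    Returns the coefficients of u(x) (low order first) and the tallies."""
    lam = [[0, 1]]                                   # lambda_0 = x
    counts = {"mul": 0, "add": 0, "chain": 0, "param": 0}
    for i, step in enumerate(steps, start=1):
        if step[0] == "chain":
            _, op, j, k = step
            if not (0 <= j < i and 0 <= k < i):
                raise ValueError("chain step refers to a later lambda")
            left = lam[j]
            counts["chain"] += 1
        else:
            _, op, k = step
            if not 0 <= k < i:
                raise ValueError("parameter step refers to a later lambda")
            left = [alphas[counts["param"]]]         # a fresh parameter each time
            counts["param"] += 1
        if op == "*":
            lam.append(poly_mul(left, lam[k]))
            counts["mul"] += 1
        else:
            lam.append(poly_add(left, lam[k], 1 if op == "+" else -1))
            counts["add"] += 1
    return lam[-1], counts

def chain_27(n):
    """The steps of chain (27) for odd n >= 3."""
    if n < 3 or n % 2 == 0:
        raise ValueError("(27) is stated for odd n")
    steps = [("param", "+", 0),        # lambda_1 = alpha_1 + lambda_0
             ("chain", "*", 1, 1),     # lambda_2 = lambda_1 * lambda_1
             ("param", "*", 1)]        # lambda_3 = alpha_2 * lambda_1
    for i in range(1, n // 2 + 1):     # 1 <= i < n/2
        steps += [("param", "+", 3 * i),                  # lambda_{1+3i}
                  ("param", "+", 2),                      # lambda_{2+3i}
                  ("chain", "*", 1 + 3 * i, 2 + 3 * i)]   # lambda_{3+3i}
    return steps

if __name__ == "__main__":
    # Constructed parameter values, chosen only for illustration.
    u, counts = run_chain(chain_27(5), [1, 2, 3, 4, 5, 6])
    print(u, counts)
```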
{\sl A polynomial chain with $s$ parameter steps has at most $s$ degrees of
freedom.} In a sense, this is obvious: we can't compute a function with $t$
degrees of freedom using fewer than $t$ arbitrary parameters. But this
intuitive fact is not easy to prove formally; for
example, there are continuous functions (``space-filling curves'') that map
the real line onto a plane, and such functions map a single parameter into two
independent parameters. For our purposes, we need to verify that no polynomial
functions with integer coefficients can have such a property; and a proof appears
in exercise 28.
Given this fact, we can proceed to prove the results we seek:
%folio 614 galley 8 Tape worthless. (C) Addison-Wesley 1978 *
\algbegin Theorem M (\rm T. S. Motzkin, 1954).
{\sl A polynomial chain with $m > 0$ multiplications has at most
$2m$ degrees of freedom.}
\proofbegin Let $\mu ↓1$, $\mu ↓2$, $\ldotss$, $\mu ↓m$ be
the $λ↓i$'s of the chain that correspond to multiplication
operations. Then
$$\baselineskip15pt
\eqalignno{\mu ↓i⊗= S↓{2i-1}\times S↓{2i},\qquad 1 ≤ i ≤ m,\cr
u(x) ⊗= S↓{2m+1},⊗(28)\cr}$$
where each $S↓j$ is a certain sum of $\mu$'s, $x$'s, and $α$'s. Write
$S↓j = T↓j + β↓j$, where $T↓j$ is a sum of $\mu$'s and $x$'s while $β↓j$ is a sum
of $α$'s.
Now $u(x)$ is expressible as a polynomial in $x$, $β↓1$, $\ldotss$, $β↓{2m+1}$ with
integer coefficients. Since the $β$'s are expressible as linear functions of
$α↓1$, $\ldotss$, $α↓s$, the set of values represented by all real values of
$β↓1$, $\ldotss$, $β↓{2m+1}$ contains the result set of the chain. Therefore there
are at most $2m+1$ degrees of freedom; this can be improved to $2m$ when $m>0$, as
shown in exercise 30.\quad\blackslug
\yyskip An example of the construction in the proof of Theorem M appears in
exercise\penalty999\ 25. A similar result can be proved for additions:
\algbegin Theorem A (\rm\'E. G. Belaga, 1958). {\sl A polynomial chain containing
$q$ additions and subtractions has at most $q+1$ degrees of freedom.}
\proofbegin [{\sl Problemi Kibernetiki \bf5} (1961), 7--15.]\xskip Let $\kappa↓1$,
$\ldotss$, $\kappa↓q$ be the $λ↓i$'s of the chain that correspond to addition or
subtraction operations. Then
$$\baselineskip15pt
\eqalignno{\kappa↓i⊗=\pm T↓{2i-1}\pm T↓{2i},\qquad 1 ≤ i ≤ q,\cr
u(x)⊗=T↓{2q+1},⊗(29)\cr}$$
where each $T↓j$ is a product of $\kappa$'s, $x$'s, and $α$'s. We may write
$T↓j=A↓{j\,}B↓j$,
where $A↓j$ is a product of $α$'s and $B↓j$ is a product of $\kappa$'s
and $x$'s. The following transformation may now be made to the chain, successively
for $i=1$, 2, $\ldotss$, $q$:\penalty-100\ Let $β↓i=A↓{2i}/A↓{2i-1}$, so that
$\kappa↓i=A↓{2i-1}(\pm B↓{2i-1}\pm β↓{i\,}B↓{2i})$. Then change $\kappa↓i$ to
$\pm B↓{2i-1}\pm β↓{i\,}B↓{2i}$, and replace each occurrence of $\kappa↓i$ in future
formulas $T↓{2i+1}$, $T↓{2i+2}$, $\ldotss$, $T↓{2q+1}$ by $A↓{2i-1}\kappa↓i$.\xskip
(This replacement may change the values of $A↓{2i+1}$, $A↓{2i+2}$, $\ldotss$,
$A↓{2q+1}$.)
After the above transformation has been done for all $i$, let $β↓{q+1}=A↓{2q+1}$;
then $u(x)$ can be expressed as a polynomial in $β↓1$, $\ldotss$, $β↓{q+1}$, and
$x$, with integer coefficients. We are almost ready to complete the proof, but
it is necessary to be careful because the polynomials obtainable as
$β↓1$, $\ldotss$, $β↓{q+1}$ range over all real values
may not include all polynomials representable by the
original chain (see exercise 26); it is possible to have $A↓{2i-1}=0$, for some
values of the $α$'s, and this makes $β↓i$ undefined.
To complete the proof, let us observe that the result set $R$ of the original chain
can be written $R=R↓1∪R↓2∪\cdots∪R↓q∪R↑\prime$, where $R↓i$ is the set of result
vectors possible when $A↓{2i-1}=0$, and where
$R↑\prime$ is the set of result vectors
possible when all $α$'s are nonzero. The discussion above proves that $R↑\prime$
has at most $q+1$ degrees of freedom. If $A↓{2i-1}=0$, then $T↓{2i-1}=0$, so
addition step $\kappa↓i$ may be dropped to obtain another chain computing the
result set $R↓i$; by induction we see that each $R↓i$ has at most $q$ degrees
of freedom. Hence by exercise 29, $R$ has at most $q+1$ degrees of freedom.\quad
\blackslug
\thbegin Theorem C. {\sl If a polynomial chain $(24)$
computes all $n$th degree polynomials
$u(x)=u↓nx↑n+\cdots+u↓0$, for some $n≥2$, then it includes at least
$\lfloor n/2\rfloor+1$ multiplications and at least $n$ addition-subtractions.}
\proofbegin Let there be $m$ multiplication steps. By Theorem M\null, the chain has
at most $2m$ degrees of freedom, so $2m≥n+1$. Similarly, by Theorem A there are
$≥n$ addition-subtractions.\quad\blackslug
\yyskip This theorem states that no {\sl single} method having fewer than $\lfloor
n/2\rfloor+1$ multiplications or fewer than $n$ additions can evaluate all possible
$n$th degree polynomials. The result of exercise 29 allows us to strengthen this
and say that no finite collection of such polynomial chains will suffice for all
polynomials of a given degree. Some special polynomials can, of course,
be evaluated more efficiently: all we have really proved is that polynomials whose
coefficients are {\sl algebraically independent}, in the sense that they satisfy
no nontrivial polynomial equation, require $\lfloor n/2\rfloor+1$ multiplications
and $n$ additions. Unfortunately the coefficients we deal with in computers are
always rational numbers, so the above theorems don't really apply; in fact, we can
always get by with $O(\sqrt n\,)$ multiplications (and a possibly huge number of
additions), as shown in exercise 42. From a practical standpoint, the bounds of
Theorem C apply to ``almost all'' coefficients, and they seem to apply to all
reasonable schemes for evaluation. Furthermore it is possible to obtain lower
bounds corresponding to those of Theorem C even in the rational case: By
strengthening the above proofs, V. Strassen has shown, for example, that the
polynomial
$$\chop to 12pt{u(x)=\sum↓{0≤k≤n}2↑{2↑{kn↑3}}x↑k}\eqno(30)$$
cannot be evaluated by any polynomial chain of length $<n↑2/\lg n$ unless the
chain has at least ${1\over2}n-2$ multiplications
and $n-4$ additions [{\sl SIAM J. Computing
\bf3} (1974), 128--149]. The coefficients of (30) are very large; but it is
also possible to find polynomials whose coefficients are just 0's and 1's, such
that every polynomial chain computing them involves at least $\sqrt n/(4\lg n)$
chain multiplications, for all sufficiently large $n$, even when the parameters
$α↓j$ are allowed to be arbitrary complex numbers.\xskip[See R. J. Lipton,
{\sl SIAM J. Computing \bf7} (1978), 61--69; C. P. Schnorr, {\sl Lecture Notes
in Comp.\ Sci.\ \bf53} (1977), 135--147.]\xskip Jean-Paul Van de Wiele has shown
that the evaluation of certain 0-1 polynomials requires
a total of at least $cn/\!\log n$ arithmetic
operations, for some $c>0$ [{\sl Proc.\ IEEE Symp.\ Foundations of Comp.\ Sci.\
\bf19} (1978), 159--165].
A gap still remains between the lower bounds of Theorem C and the actual operation
counts known to be achievable, except in the trivial case $n=2$. Theorem E gives
$\lfloor n/2\rfloor+2$ multiplications, not $\lfloor n/2\rfloor+1$,
although it does
achieve the minimum number of additions. Our special methods for $n=4$ and $n=6$
have the minimum number of multiplications, but one extra addition. When $n$ is
odd, it is not difficult to prove that the lower bounds of Theorem C cannot
be achieved simultaneously for both multiplications and additions; see exercise
33. For $n=3$, 5, and 7, it is possible to show that at least $\lfloor n/2\rfloor
+2$ multiplications are necessary. Exercises 35 and 36 show that the lower bounds
of Theorem C cannot both be achieved when $n=4$ or $n=6$; thus the methods we have
discussed are best possible, for $n<8$. When $n$ is even, Motzkin proved that
$\lfloor n/2\rfloor+1$ multiplications are sufficient, but his construction
involves an indeterminate number of additions (see exercise 39). An optimal scheme
for $n=8$ was found by V. J. Pan, who showed that $n+1$ additions are necessary
and sufficient for this case when there are $\lfloor n/2\rfloor+1$ multiplications;
he also showed that $\lfloor n/2\rfloor+1$ multiplications and $n+2$ additions
will suffice
for all even $n≥10$. Pan's paper [{\sl Proc.\ ACM Symp.\ Theory of Computing \bf10}
(1978), 162--172] also establishes the exact minimum number of multiplications
and additions needed when calculations are done entirely with complex numbers
instead of reals, for all degrees $n$. Exercise 40 discusses the interesting
situation that arises for odd values of $n≥9$.
%folio 618 galley 9 Unreadable. (C) Addison-Wesley 1978 *
\yskip It is clear that the results we have
obtained about chains for polynomials in a single variable can
be extended without difficulty to multivariate polynomials.
For example, if we want to find an optimum scheme for polynomial
evaluation {\sl without} adaptation of coefficients, we can
regard $u(x)$ as a polynomial in the $n + 2$ variables $x$, $u↓n$,
$\ldotss$, $u↓1$, $u↓0$; exercise 38 shows that $n$ multiplications
and $n$ additions are necessary in this case. Indeed, A. Borodin
[{\sl Theory of Machines and Computations}, ed.\ by Z. Kohavi
and A. Paz (New York: Academic Press, 1971), 45--58] has proved
that Horner's rule (2) is essentially the {\sl only} way to compute
$u(x)$ in $2n$ operations without preconditioning.
With minor variations, the above methods can be extended to chains
involving division, i.e., to rational functions as well as polynomials.
Curiously, the continued-fraction analog of Horner's rule now
turns out to be optimal from an operation-count standpoint, if
multiplication and division speeds are equal, even when preconditioning
is allowed (see exercise 37).
Sometimes division is helpful during the evaluation of polynomials,
even though polynomials are defined only in terms of multiplication and
addition; we have seen examples of this in the Shaw--Traub algorithms for
polynomial derivatives. Another example is the polynomial $x↑n+\cdots+x+1$:
Since this polynomial
can be written $(x↑{n+1}-1)/(x-1)$, we can evaluate it with $l(n+1)$
multiplications (see Section 4.6.3), two subtractions, and one division, while
techniques that avoid division seem to require about three times as many operations
(see exercise 43).
\subsectionbegin{Special multivariate polynomials} The {\sl determinant} of an
$n\times n$ matrix may be considered to be a polynomial in $n↑2$ variables $x↓{ij}$,
$1≤i,j≤n$. If $x↓{11}≠0$, we have
$$\twoline{\hskip-10pt\det\left(\vcenter{\halign{$#\hfill$⊗\quad$#\hfill$⊗$\quad
#\quad$⊗$#\hfill$\cr
x↓{11}⊗x↓{12}⊗\ldots⊗x↓{1n}\cr
x↓{21}⊗x↓{22}⊗\ldots⊗x↓{2n}\cr
\9\vdots⊗\9\vdots⊗⊗\9\vdots\cr
x↓{n1}⊗x↓{n2}⊗\ldots⊗x↓{nn}\cr}}\right)}{8pt}{=x↓{11}\det\left(\vcenter{
\halign{$#\hfill$⊗$\null#\hfill$⊗$\quad#\quad$⊗$#\hfill$⊗$\null#\hfill$\cr
x↓{22}⊗-(x↓{21}/x↓{11})x↓{12}⊗\ldots⊗x↓{2n}⊗-(x↓{21}/x↓{11})x↓{1n}\cr
⊗\quad\vdots⊗⊗⊗\quad\vdots\cr
x↓{n2}⊗-(x↓{n1}/x↓{11})x↓{12}⊗\ldots⊗x↓{nn}⊗-(x↓{n1}/x↓{11})x↓{1n}\cr}}\right).
\qquad(31)\hskip-10pt}$$
The determinant of an $n\times n$ matrix may therefore be evaluated by evaluating
the determinant of an $(n-1)\times(n-1)$ matrix and using an additional
$(n-1)↑2+1$ multiplications, $(n-1)↑2$ additions, and $n-1$ divisions. Since a
$2\times2$ determinant can be evaluated with two multiplications and one
addition, we see that the determinant of almost all matrices (namely those for
which no division by zero is required) can be computed with at most $(2n↑3-3n↑2+
7n-6)/6$ multiplications, $(2n↑3-3n↑2+n)/6$ additions, and $(n↑2-n-2)/2$
divisions.
When zero occurs, the determinant is even easier to compute. For example, if
$x↓{11}=0$ but $x↓{21}≠0$, we have
$$\def\\{\vjust{\baselineskip 3pt\:d\vskip 4pt\hjust{.}\hjust{.}\hjust{.}}}
\baselineskip 9pt
\scriptstyle\quad\det\left(\vcenter{\halign{$\scriptstyle\ctr{#}$⊗$\scriptstyle\quad
\ctr{#}$⊗$\scriptstyle\quad#\quad$⊗$\scriptstyle\ctr{#}$\cr
0⊗x↓{12}⊗.\,.\,.⊗x↓{1n}\cr
x↓{21}⊗x↓{22}⊗.\,.\,.⊗x↓{2n}\cr
x↓{31}⊗x↓{32}⊗.\,.\,.⊗x↓{3n}\cr
\\⊗\\⊗⊗\\\cr
x↓{n1}⊗x↓{n2}⊗.\,.\,.⊗x↓{nn}\cr}}\right)\,\,=\,\,-x↓{21}\det\left(\vcenter{
\halign{$\scriptstyle\ctr{#}$⊗$\scriptstyle\quad#\quad$⊗$\scriptstyle\ctr{#}$\cr
x↓{12}⊗.\,.\,.⊗x↓{1n}\cr
x↓{32}-(x↓{31}/x↓{21})x↓{22}⊗.\,.\,.⊗x↓{3n}-(x↓{31}/x↓{21})x↓{2n}\cr
\\⊗⊗\\\cr
x↓{n2}-(x↓{n1}/x↓{21})x↓{22}⊗.\,.\,.⊗x↓{nn}-(x↓{n1}/x↓{21})x↓{2n}\cr}}\right)
\textstyle.\eqno(32)$$
Here the reduction to an $(n-1)\times(n-1)$ determinant saves $n-1$ of the
multiplications and $n-1$ of the additions used in (31), and this certainly
compensates for the additional bookkeeping required to recognize this case.
Therefore any determinant can be evaluated with roughly ${2\over3}n↑3$ arithmetic
operations (including division); this is remarkable, since it is a polynomial with
$n!$ terms and $n$ variables in each term.
If we want to evaluate the determinant of a matrix with {\sl integer} elements,
the above process appears to be unattractive since it requires rational
arithmetic. However, we can use the method to evaluate the determinant mod $p$,
for any prime $p$, since division mod $p$ is possible (exercise 4.5.2--15). If
this is done for sufficiently many primes $p$, the exact value of the
determinant can be found as explained in Section 4.3.2, since Hadamard's
inequality (4.6.1--25) gives an upper bound on the magnitude.
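The integer-determinant procedure just described, as an added example that is not part of the original text: elimination by (31), with the zero-pivot case of (32) handled as a row interchange, is carried out mod p for several primes and the residues are combined by the Chinese remainder algorithm. The function names and the starting prime are assumptions of this sketch; Hadamard's bound is taken in the form "product of the Euclidean lengths of the rows".

```python
from math import isqrt

def det_mod_p(rows, p):
    """Determinant of an integer matrix modulo the prime p."""
    a = [[x % p for x in r] for r in rows]
    n = len(a)
    det = 1
    for c in range(n):
        # Find a row whose entry in column c is nonzero mod p.
        piv = next((r for r in range(c, n) if a[r][c]), None)
        if piv is None:
            return 0                       # the whole column vanishes
        if piv != c:
            # The case of (32): eliminating with a lower row is the same
            # as interchanging rows, which changes the sign.
            a[c], a[piv] = a[piv], a[c]
            det = -det
        det = det * a[c][c] % p
        inv = pow(a[c][c], -1, p)          # division mod p
        for r in range(c + 1, n):
            f = a[r][c] * inv % p
            if f:
                for k in range(c + 1, n):
                    a[r][k] = (a[r][k] - f * a[c][k]) % p
    return det % p

def hadamard_bound(rows):
    """An integer B with |det| <= B."""
    prod = 1
    for r in rows:
        prod *= sum(x * x for x in r)
    return isqrt(prod)

def primes_from(start):
    n = max(start, 2)
    while True:
        if all(n % d for d in range(2, isqrt(n) + 1)):
            yield n
        n += 1

def det_exact(rows, first_prime=101):
    """Exact determinant from residues modulo enough primes."""
    bound = hadamard_bound(rows)
    modulus, residue = 1, 0
    for p in primes_from(first_prime):
        d = det_mod_p(rows, p)
        # Extend residue (mod modulus) to a residue mod modulus*p.
        t = (d - residue) * pow(modulus, -1, p) % p
        residue += modulus * t
        modulus *= p
        if modulus > 2 * bound:
            break
    # The true value lies in the symmetric range about zero.
    return residue if residue <= modulus // 2 else residue - modulus

if __name__ == "__main__":
    # Constructed matrix with x11 = 0, so the interchange case is exercised.
    X = [[0, 2, -1, 3], [4, -7, 5, 1], [6, 0, 9, -2], [-3, 8, 2, 10]]
    print(det_exact(X))
```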
The coefficients of the {\sl characteristic polynomial\/} $\det(xI-X)$ of an
$n\times n$ matrix $X$ can also be computed in $O(n↑3)$ steps; cf.\ J. H.
Wilkinson, {\sl The Algebraic Eigenvalue Problem} (Oxford: Clarendon Press,
1965), 353--355, 410--411.
The {\sl permanent} of a matrix is a polynomial that is very similar to the
determinant; the only difference is that all of its nonzero coefficients are $+1$:
$$\hjust{per}\left(\vcenter{\halign{$#\hfill$⊗$\quad#\quad$⊗$#\hfill$\cr
x↓{11}⊗\ldots⊗x↓{1n}\cr
\9\vdots⊗⊗\9\vdots\cr
x↓{n1}⊗\ldots⊗x↓{nn}\cr}}\right)=\sum x↓{1j↓1}x↓{2j↓2}\ldotsm x↓{nj↓n}\eqno(33)$$
summed over all permutations $j↓1\,j↓2\ldotsm j↓n$ of $\{1,2,\ldotss,n\}$. No way
to evaluate the permanent as efficiently as the determinant is known; exercises 9
and 10 show that substantially less than $n!$ operations will suffice, for large
$n$, but the execution time of all known methods
still grows exponentially with the size of the matrix.
\yskip Another fundamental operation involving matrices is, of course, {\sl
matrix multiplication:}\xskip If $X=(x↓{ij})$ is an $m\times n$ matrix, $Y=(y↓{jk})$
is an $n\times s$ matrix, and $Z=(z↓{ik})$ is an $m\times s$ matrix, then
$Z=XY$ means that
$$\chop to 9pt{z↓{ik}=\sum↓{1≤j≤n}x↓{ij\,}y↓{jk},\qquad 1≤i≤m,\qquad 1≤k≤s.}
\eqno(34)$$
This equation may be regarded as the computation of $ms$ simultaneous polynomials
in $mn+ns$ variables; each polynomial is the ``inner product'' of two $n$-place
vectors. A brute-force calculation would involve $mns$ multiplications and
$ms(n-1)$ additions; but S. Winograd has discovered an ingenious way to trade
about half of the multiplications for additions:
$$\vjust{\halign{$\hfill\dispstyle#\hfill$\cr
z↓{ik}=\sum↓{1≤j≤n/2}(x↓{i,2j}+y↓{\,2j-1,k})(x↓{i,2j-1}+y↓{\,2j,k})-a↓i-b↓k
+c↓{ik};\cr
a↓i=\sum↓{1≤j≤n/2}x↓{i,2j\,}x↓{i,2j-1};\qquad
b↓k=\sum↓{1≤j≤n/2}y↓{\,2j-1,k\,}y↓{\,2j,k};\cr
c↓{ik}=\left\{\lpile{0,\cr x↓{in}y↓{nk},\cr}\qquad\lpile{n\hjust{ even;}\cr
n\hjust{ odd.}\cr}\right.\cr}}\eqno(35)$$
This scheme uses $\lceil n/2\rceil ms+\lfloor n/2\rfloor(m+s)$ multiplications and
$(n+2)ms+{(\lfloor n/2\rfloor-1)}\*{(ms+m+s)}$ additions; the total number of
operations has increased slightly, but the number of multiplications has
roughly been halved.
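Scheme (35) together with its operation counts, as an added example that is not part of the original text. Each number is wrapped in a small counting class so that the tallies come from the arithmetic actually performed; the class and function names are assumptions of this sketch, which needs n >= 2 so that the sums over j are nonempty.

```python
class Counted:
    """A number that tallies the multiplications and additions applied to it."""
    mults = 0
    adds = 0

    def __init__(self, v):
        self.v = v

    def __add__(self, other):
        Counted.adds += 1
        return Counted(self.v + other.v)

    def __sub__(self, other):
        Counted.adds += 1              # subtractions are counted as additions
        return Counted(self.v - other.v)

    def __mul__(self, other):
        Counted.mults += 1
        return Counted(self.v * other.v)

def total(terms):
    """Sum of a nonempty list, using len(terms) - 1 additions."""
    acc = terms[0]
    for t in terms[1:]:
        acc = acc + t
    return acc

def winograd_product(X, Y):
    """Z = XY by (35); X is m x n, Y is n x s, n >= 2."""
    m, n, s = len(X), len(Y), len(Y[0])
    h = n // 2
    # With 0-based j, x_{i,2j} of (35) is X[i][2j+1] and x_{i,2j-1} is X[i][2j].
    a = [total([X[i][2*j + 1] * X[i][2*j] for j in range(h)]) for i in range(m)]
    b = [total([Y[2*j][k] * Y[2*j + 1][k] for j in range(h)]) for k in range(s)]
    Z = []
    for i in range(m):
        row = []
        for k in range(s):
            z = total([(X[i][2*j + 1] + Y[2*j][k]) * (X[i][2*j] + Y[2*j + 1][k])
                       for j in range(h)])
            z = z - a[i] - b[k]
            if n % 2:                  # c_ik is needed only when n is odd
                z = z + X[i][n - 1] * Y[n - 1][k]
            row.append(z)
        Z.append(row)
    return Z

def run_counted(Xv, Yv):
    """Multiply two integer matrices by (35); return (Z, mults, adds)."""
    Counted.mults = Counted.adds = 0
    Z = winograd_product([[Counted(v) for v in r] for r in Xv],
                         [[Counted(v) for v in r] for r in Yv])
    return [[z.v for z in r] for r in Z], Counted.mults, Counted.adds

def predicted_counts(m, n, s):
    """The counts stated in the text for scheme (35)."""
    h = n // 2
    return ((n - h) * m * s + h * (m + s),
            (n + 2) * m * s + (h - 1) * (m * s + m + s))

if __name__ == "__main__":
    # Constructed 3 x 5 and 5 x 4 integer matrices.
    X = [[(3*i + 5*j) % 7 - 3 for j in range(5)] for i in range(3)]
    Y = [[(i*i + 2*k) % 5 - 2 for k in range(4)] for i in range(5)]
    print(run_counted(X, Y), predicted_counts(3, 5, 4))
```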
%folio 621 galley 1 (C) Addison-Wesley 1978 *
An even better scheme for large $n$, discovered
by Volker Strassen in 1968, is based on the fact that the product
of $2 \times 2$ matrices can be evaluated with only 7 multiplications,
without relying on the commutativity of multiplication as in
(35). Therefore $2n \times 2n$ matrices can be partitioned into
four $n \times n$ matrices, and the idea can be used recursively
to obtain the product of $2↑k \times 2↑k$ matrices with only
$7↑k$ multiplications instead of $(2↑k)↑3 = 8↑k$. Strassen's
original $2 \times 2$ identity [{\sl Numer.\ Math.\ \bf 13} (1969),
354--356] used 7 multiplications and 18 additions; S. Winograd
later discovered the following more economical formula:
\mathrm bef \mathit hkl
$$\vjust{\halign{\hjust to size{$\dispstyle#$}\cr
\left({a\atop c}\9{b\atop d}\right)
\left({A\atop B}\9{C\atop D}\right)=\hfill\cr\noalign{\vskip6pt}
\hfill\left({aA+bB\atop w+(a{-}c)(D{-}C)-d(A{-}B{-}C{+}D)}\9{w+(c{+}d)(C{-}A)+
(a{+}b{-}c{-}d)\hskip1pt D\atop
w+(a{-}c)(D{-}C)+(c{+}d)(C{-}A)}\right)\,\hjust{(36)}\cr}}$$
\mathrm adf \mathit gjl
where $w = aA - (a{-}c{-}d)(A{-}C{+}D)$. If intermediate
results are appropriately saved, (36) involves 7 multiplications
and only 15 additions; by induction on $k$, we can multiply
$2↑k \times 2↑k$ matrices with $7↑k$ multiplications
and $5(7↑k - 4↑k)$ additions. The total number of operations
needed to multiply $n \times n$ matrices has therefore been
reduced from order $n↑3$ to $O(n↑{\lg7}) = O(n↑{2.8074})$.
A similar reduction applies also to the
evaluation of determinants and matrix inverses; cf.\ J. R. Bunch
and J. E. Hopcroft, {\sl Math.\ Comp.\ \bf 28} (1974), 231--236.
Exercise xx discusses a further improvement by V. J. Pan, who discovered in 1978
that the exponent in the running time can be reduced to less than $\lg 7$.
These theoretical results are quite striking, but
from a practical standpoint they are of limited use because
$n$ must be very large before we overcome the effect of additional
bookkeeping costs. Richard Brent [Stanford Computer Science
report CS157 (March, 1970), see also {\sl Numer.\ Math.\ \bf 16}
(1970), 145--156] found that a careful implementation of Winograd's
scheme (35), with appropriate scaling for numerical stability,
became better than the conventional scheme only when $n ≥ 40$,
and it saved 7 percent of the running time when $n = 100$. For
complex arithmetic the situation was somewhat different; (35)
became advantageous for $n > 20$, and saved 18 percent when
$n = 100$. He estimated that Strassen's scheme would not begin
to excel over (35) until $n\approx250$; and such enormous matrices, containing
more than 60,000 entries, rarely occur in practice
(unless they are very sparse, when other techniques apply).
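Winograd's formula (36), applied recursively to 2^k x 2^k matrices, as an added example that is not part of the original text. The ordering of the 15 additions and all names below are assumptions of this sketch (one way of "appropriately saving" intermediate results); additions of h x h blocks are counted as h*h scalar additions.

```python
def strassen_winograd(X, Y, counts):
    """Product of two 2^k x 2^k matrices by (36), tallying scalar operations."""
    n = len(X)
    if n == 1:
        counts["mul"] += 1
        return [[X[0][0] * Y[0][0]]]
    h = n // 2

    def quad(M, r, c):
        return [row[c * h:(c + 1) * h] for row in M[r * h:(r + 1) * h]]

    def add(P, Q):
        counts["add"] += h * h
        return [[p + q for p, q in zip(pr, qr)] for pr, qr in zip(P, Q)]

    def sub(P, Q):
        counts["add"] += h * h
        return [[p - q for p, q in zip(pr, qr)] for pr, qr in zip(P, Q)]

    def mul(P, Q):
        return strassen_winograd(P, Q, counts)

    a, b, c, d = quad(X, 0, 0), quad(X, 0, 1), quad(X, 1, 0), quad(X, 1, 1)
    # (36) writes the right-hand factor with columns (A, B) and (C, D).
    A, C, B, D = quad(Y, 0, 0), quad(Y, 0, 1), quad(Y, 1, 0), quad(Y, 1, 1)

    # Eight additions to form the operands.
    s1 = add(c, d)            # c + d
    s2 = sub(s1, a)           # -(a - c - d)
    s3 = sub(a, c)            # a - c
    s4 = sub(b, s2)           # a + b - c - d
    t1 = sub(C, A)            # C - A
    t2 = sub(D, t1)           # A - C + D
    t3 = sub(D, C)            # D - C
    t4 = sub(t2, B)           # A - B - C + D

    # Seven multiplications; left factors always come from X, so the
    # identity does not rely on commutativity and works for blocks.
    p1 = mul(a, A)
    p2 = mul(b, B)
    p3 = mul(s2, t2)          # -(a - c - d)(A - C + D)
    p4 = mul(s3, t3)
    p5 = mul(d, t4)
    p6 = mul(s1, t1)
    p7 = mul(s4, D)

    # Seven additions to assemble the result.
    w = add(p1, p3)           # w of the text
    u = add(w, p4)
    v = add(w, p6)
    top_left = add(p1, p2)
    bottom_left = sub(u, p5)
    top_right = add(v, p7)
    bottom_right = add(u, p6)
    return ([l + r for l, r in zip(top_left, top_right)] +
            [l + r for l, r in zip(bottom_left, bottom_right)])

def multiply_counted(X, Y):
    """Return (XY, multiplications, additions)."""
    counts = {"mul": 0, "add": 0}
    Z = strassen_winograd(X, Y, counts)
    return Z, counts["mul"], counts["add"]

if __name__ == "__main__":
    # Constructed 8 x 8 integer matrices (k = 3).
    X = [[(3 * i + 5 * j) % 7 - 3 for j in range(8)] for i in range(8)]
    Y = [[(i * i + 2 * j) % 5 - 2 for j in range(8)] for i in range(8)]
    Z, mults, adds = multiply_counted(X, Y)
    print(mults, adds)        # compare with 7^k and 5(7^k - 4^k)
```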
\yskip By contrast, the methods we shall discuss next
are eminently practical and have found wide use. The {\sl finite
Fourier transform} $f$ of a complex-valued function $F$ of $n$
variables, over respective domains of $m↓1$, $\ldotss$, $m↓n$ elements, is
defined by the equation
$$\chop to 18pt{
f(s↓1, \ldotss , s↓n) = \sum ↓{{\scriptstyle 0≤t↓1<m↓1\atop\scriptstyle\cdot\,\cdot
\,\cdot}\atop\scriptstyle 0≤t↓n<m↓n}
\exp\left(2πi\left({s↓1t↓1\over m↓1} +\cdots + {s↓nt↓n\over
m↓n}\right)\right)\,F(t↓1, \ldotss , t↓n)}\eqno (37)$$
for $0 ≤ s↓1 < m↓1$, $\ldotss$, $0 ≤ s↓n < m↓n$; the
name ``transform'' is justified because we can recover the values
$F(t↓1, \ldotss , t↓n)$ from the values $f(s↓1, \ldotss , s↓n)$,
as shown in exercise 13. In the important special case that
all $m↓j = 2$, we have
$$\chop to 12pt{f(s↓1, \ldotss , s↓n) = \sum ↓{0≤t↓1, \ldotss , t↓n≤1} (-1)↑{s↓1t↓1
+\cdots + s↓nt↓n}F(t↓1, \ldotss , t↓n)}\eqno (38)$$
for $0 ≤ s↓1, \ldotss , s↓n ≤ 1$, and this may be
regarded as a simultaneous evaluation of $2↑n$ linear polynomials
in $2↑n$ variables $F(t↓1, \ldotss , t↓n)$. A well-known technique
due to F. Yates [{\sl The Design and Analysis of Factorial Experiments}
(Harpenden: Imperial Bureau of Soil Sciences, 1937)] can be
used to reduce the number of additions implied in (38) from
$2↑n(2↑n - 1)$ to $n2↑n$. Yates's method can be understood by
considering the case $n = 3$: Let $x↓{t↓1t↓2t↓3} = F(t↓1, t↓2,
t↓3)$.
$$\baselineskip10pt
\vjust{\halign to size{$\scriptstyle#\hfill$\tabskip0pt plus 10pt⊗
$\scriptstyle\hfill#\hfill$⊗$\scriptstyle\hfill#\hfill$⊗$\scriptstyle\hfill#\hfill
$\tabskip0pt\cr
\hjust{\:e Given\hskip-5pt}⊗\hjust{\:e First step}⊗\hjust{\:e Second step}⊗
\hjust{\:e Third step}\cr\noalign{\vskip2pt}
x↓{000}⊗ x↓{000} + x↓{001}⊗ x↓{000} + x↓{001}
+ x↓{010} + x↓{011}⊗ x↓{000} + x↓{001} + x↓{010} + x↓{011}
+ x↓{100} + x↓{101} + x↓{110} + x↓{111}\cr
x↓{001}⊗ x↓{010} + x↓{011}⊗ x↓{100} +
x↓{101} + x↓{110} + x↓{111}⊗ x↓{000} - x↓{001} + x↓{010}
- x↓{011} + x↓{100} - x↓{101} + x↓{110} - x↓{111}\cr
x↓{010}⊗ x↓{100} + x↓{101}⊗ x↓{000} -
x↓{001} + x↓{010} - x↓{011}⊗ x↓{000} + x↓{001} - x↓{010}
- x↓{011} + x↓{100} + x↓{101} - x↓{110} - x↓{111}\cr
x↓{011}⊗ x↓{110} + x↓{111}⊗ x↓{100} -
x↓{101} + x↓{110} - x↓{111}⊗ x↓{000} - x↓{001} - x↓{010}
+ x↓{011} + x↓{100} - x↓{101} - x↓{110} + x↓{111}\cr
x↓{100}⊗ x↓{000} - x↓{001}⊗ x↓{000} +
x↓{001} - x↓{010} - x↓{011}⊗ x↓{000} + x↓{001} + x↓{010}
+ x↓{011} - x↓{100} - x↓{101} - x↓{110} - x↓{111}\cr
x↓{101}⊗ x↓{010} - x↓{011}⊗ x↓{100} +
x↓{101} - x↓{110} - x↓{111}⊗ x↓{000} - x↓{001} + x↓{010}
- x↓{011} - x↓{100} + x↓{101} - x↓{110} + x↓{111}\cr
x↓{110}⊗ x↓{100} - x↓{101}⊗ x↓{000} -
x↓{001} - x↓{010} + x↓{011}⊗ x↓{000} + x↓{001} - x↓{010}
- x↓{011} - x↓{100} - x↓{101} + x↓{110} + x↓{111}\cr
x↓{111}⊗ x↓{110} - x↓{111}⊗ x↓{100} -
x↓{101} - x↓{110} + x↓{111}⊗ x↓{000} - x↓{001} - x↓{010}
+ x↓{011} - x↓{100} + x↓{101} + x↓{110} - x↓{111}\cr}}$$
To get from the ``Given'' to the ``First step''
requires four additions and four subtractions; and the interesting
feature of Yates's method is that exactly the same transformation
that takes us from ``Given'' to ``First step'' will take us
from ``First step'' to ``Second step'' and from ``Second step''
to ``Third step.'' In each case we do four additions, then four
subtractions; and after three steps we have the desired Fourier
transform $f(s↓1, s↓2, s↓3)$ in the place originally occupied
by $F(s↓1, s↓2, s↓3)$!
This special case is often called the {\sl Walsh
transform} of $2↑n$ data elements, since the corresponding pattern
of signs was studied by J. L. Walsh [{\sl Amer.\ J. Math.\ \bf 45}
(1923), 5--24]. Note that the number of sign changes from left
to right in the ``Third step'' above assumes the respective
values 0, 7, 3, 4, 1, 6, 2, 5. Walsh observed that there will
be exactly 0, 1, $\ldotss$, $2↑n - 1$ sign changes in some order
in the general case, so the coefficients provide discrete approximations
to sine waves with various frequencies.\xskip (See H. F. Harmuth,
{\sl IEEE Spectrum \bf 6}, 11 (Nov. 1969), 82--91, for applications
of this property; and see Section 7.2.1 for further discussion
of the Walsh coefficients.)
Yates's method can be generalized to the evaluation
of any finite Fourier transform, and, in fact, to the evaluation
of any sums that can be written
$$\twoline{\hskip-10pt f(s↓1, s↓2, \ldotss , s↓n) =}{6pt}{\chop to 18pt{\sum ↓
{{\scriptstyle0≤t↓1<m↓1\atop
\scriptstyle\cdot\,\cdot\,\cdot}\atop\scriptstyle0≤t↓n<m↓n}
\hskip-3pt
g↓1(s↓1, s↓2, \ldotss , s↓n, t↓1)g↓2(s↓2, \ldotss , s↓n, t↓2) \ldotsm
g↓n(s↓n, t↓n)F(t↓1, t↓2, \ldotss , t↓n)\quad(39)}\hskip-10pt}$$
for $0≤s↓j<m↓j$, given the functions $g↓j(s↓j, \ldotss , s↓n, t↓j)$.
We proceed as follows:
$$\def\\#1{{\hjust to 45pt{\hskip0pt plus100pt minus 100pt$\scriptstyle#1$
\hskip0pt plus100pt minus 100pt}}}
\eqalignno{f↑{[0]}(t↓1, t↓2, t↓3, \ldotss , t↓n) ⊗= F(t↓1,
t↓2, t↓3, \ldotss , t↓n);\cr
\noalign{\vskip3pt}
f↑{[1]}(s↓n, t↓1, t↓2, \ldotss , t↓{n-1}) ⊗= \sum
↓\\{0≤t↓n<m↓n} g↓n(s↓n, t↓n)f↑{[0]}(t↓1, t↓2, \ldotss , t↓n);\cr
f↑{[2]}(s↓{n-1}, s↓n, t↓1, \ldotss , t↓{n-2})
⊗= \sum ↓\\{0≤t↓{n-1}<m↓{n-1}} g↓{n-1}(s↓{n-1}, s↓n, t↓{n-1})f↑{[1]}(s↓n,
t↓1, \ldotss , t↓{n-1});\cr
⊗\9\vdots\cr
f↑{[n]}(s↓1, s↓2, s↓3, \ldotss , s↓n) ⊗= \sum
↓\\{0≤t↓1<m↓1} g↓1(s↓1, \ldotss , s↓n, t↓1)f↑{[n-1]}(s↓2, s↓3,
\ldotss , s↓n, t↓1);\cr
f(s↓1, s↓2, s↓3, \ldotss , s↓n)
⊗= f↑{[n]}(s↓1, s↓2, s↓3, \ldotss , s↓n).⊗(40)\cr}$$
For Yates's method as shown above, $g↓j(s↓j, \ldotss
, s↓n, t↓j) = (-1)↑{s↓jt↓j}$; $f↑{[0]}(t↓1, t↓2,
t↓3)$ represents the ``Given''; $f↑{[1]}(s↓3, t↓1, t↓2)$ represents
the ``First step''; etc. Whenever a sum can be put into the
form of (39), for reasonably simple functions $g↓j(s↓j, \ldotss
, s↓n, t↓j)$, the scheme (40) will reduce the amount of computation
from order $N↑2$ to order $N \log N$ or thereabouts, where $N =
m↓1 \ldotsm m↓{n\,}$; furthermore this scheme is ideally suited
to parallel computation. The important special case of one-dimensional
Fourier transforms is discussed in exercises 14 and 53; we have
considered the one-dimensional case also in Section 4.3.3.
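Scheme (40), with Yates's method and the finite Fourier transform (37) as instances, as an added example that is not part of the original text. It serves both the description of Yates's method for n = 3 and the general scheme. Tables are stored as dictionaries keyed by index tuples; the function names and the sample data are assumptions of this sketch.

```python
import cmath
from itertools import product

def yates_step(f, mj, gj, k):
    """Step k of (40): sum out the last index t_j and put s_j in front.

    The keys of f are (s_{j+1}, ..., s_n, t_1, ..., t_j), of which the
    first k-1 components are s's."""
    new = {}
    for prefix in {key[:-1] for key in f}:
        s_tail = prefix[:k - 1]
        for s in range(mj):
            new[(s,) + prefix] = sum(gj(s, *s_tail, t) * f[prefix + (t,)]
                                     for t in range(mj))
    return new

def transform(F, m, g):
    """f of (39), computed by the n steps of (40).

    g[j-1] is called as g_j(s_j, ..., s_n, t_j)."""
    f = dict(F)
    n = len(m)
    for k in range(1, n + 1):
        j = n - k + 1
        f = yates_step(f, m[j - 1], g[j - 1], k)
    return f

def direct(F, m, g):
    """f of (39), computed term by term, for comparison."""
    n = len(m)
    out = {}
    for s in product(*(range(x) for x in m)):
        acc = 0
        for t, value in F.items():
            term = value
            for j in range(n):
                term *= g[j](*s[j:], t[j])
            acc += term
        out[s] = acc
    return out

def walsh_g(n):
    """g_j = (-1)^(s_j t_j), the case (38)."""
    return [lambda s, *rest: (-1) ** (s * rest[-1])] * n

def fourier_g(m):
    """g_j = exp(2 pi i s_j t_j / m_j), the case (37)."""
    return [lambda s, *rest, mj=mj: cmath.exp(2j * cmath.pi * s * rest[-1] / mj)
            for mj in m]

def table(values, m):
    """Dictionary keyed by index tuples, filled in lexicographic order."""
    return dict(zip(product(*(range(x) for x in m)), values))

def flat(f, m):
    return [f[key] for key in product(*(range(x) for x in m))]

def walsh_sign_changes(n):
    """Sign changes, left to right, in each row of the final step."""
    m, size = [2] * n, 2 ** n
    cols = [flat(transform(table([int(i == c) for i in range(size)], m),
                           m, walsh_g(n)), m) for c in range(size)]
    rows = list(zip(*cols))
    return [sum(r[i] != r[i + 1] for i in range(size - 1)) for r in rows]

if __name__ == "__main__":
    m = [2, 2, 2]
    F = table([3, 1, 4, 1, 5, 9, 2, 6], m)     # constructed data x_000 .. x_111
    print(flat(yates_step(F, 2, walsh_g(3)[2], 1), m))   # the "First step" column
    print(flat(transform(F, m, walsh_g(3)), m))
    print(walsh_sign_changes(3))
```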
%folio 624 galley 2a (C) Addison-Wesley 1978 *
\yskip
Let us consider one more special case of polynomial
evaluation. {\sl Lagrange's interpolation polynomial\/} of order
$n$, which we shall write as
$$\eqalignno{u↑{[n]}(x) ⊗= y↓0 {(x - x↓1)(x - x↓2) \ldotsm (x
- x↓n)\over (x↓0 - x↓1)(x↓0 - x↓2) \ldotsm (x↓0 - x↓n)}\cr\noalign{\vskip4pt}
⊗\qquad\null + y↓1 {(x - x↓0)(x - x↓2) \ldotsm (x - x↓n)\over (x↓1
- x↓0)(x↓1 - x↓2) \ldotsm (x↓1 - x↓n)} + \cdots \cr\noalign{\vskip4pt}
⊗\qquad\null+y↓n {(x - x↓0)(x - x↓1) \ldotsm (x - x↓{n-1})\over
(x↓n - x↓0)(x↓n - x↓1) \ldotsm (x↓n - x↓{n-1})} ,⊗(41)\cr}$$
is the only polynomial of degree $≤n$ in $x$ that takes
on the respective values $y↓0$, $y↓1$, $\ldotss$, $y↓n$ at the $n
+ 1$ distinct points $x = x↓0$, $x↓1$, $\ldotss$, $x↓n$.\xskip$\biglp$For it is
evident from (41) that $u↑{[n]}(x↓k) = y↓k$ for $0 ≤ k ≤ n$.
If $f(x)$ is any such polynomial of degree $≤n$, then $g(x)
= f(x) - u↑{[n]}(x)$ is of degree $≤n$, and $g(x)$ is zero for
$x = x↓0$, $x↓1$, $\ldotss$, $x↓n$; therefore $g(x)$ is a multiple
of the polynomial $(x - x↓0)(x - x↓1) \ldotsm (x - x↓n)$. The
degree of the latter polynomial is greater than $n$, so $g(x)
= 0$.$\bigrp$\xskip If we assume that the values of a function in some table
are well approximated by a polynomial, Lagrange's formula (41)
may therefore be used to ``interpolate'' for values of the
function at points $x$ not appearing in the table. Unfortunately,
there seem to be quite a few additions, subtractions, multiplications,
and divisions in Lagrange's formula; in fact, there are $n$
additions, $2n↑2 + 2$ subtractions, $2n↑2 + n - 1$ multiplications,
and $n + 1$ divisions. Fortunately (as we might suspect), improvement
is possible.
The basic idea for simplifying (41) is to note that
$u↑{[n]}(x) - u↑{[n-1]}(x)$ is zero for $x = x↓0$, $\ldotss$, $x↓{n-1}$;
thus $u↑{[n]}(x) - u↑{[n-1]}(x)$ is a polynomial of degree $≤n$
and a multiple of $(x - x↓0) \ldotsm (x - x↓{n-1})$. We conclude
that $u↑{[n]}(x) = {α↓n(x - x↓0) \ldotsm (x - x↓{n-1})} + u↑{[n-1]}(x)$,
where $α↓n$ is a constant. This leads us to {\sl Newton's interpolation
formula}$$\baselineskip14pt\eqalignno{u↑{[n]}(x)⊗=α↓n(x-x↓0)(x-x↓1)\ldotsm
(x - x↓{n-1}) + \cdots \cr ⊗\qquad\null+ α↓2(x - x↓0)(x
- x↓1) + α↓1(x - x↓0) + α↓0,⊗(42)\cr}$$
where the $α$'s are some constants we should like to
determine from $x↓0$, $x↓1$, $\ldotss$, $x↓n$, $y↓0$, $y↓1$, $\ldotss$, $y↓n$.
Note that this formula holds for all $n$; the coefficient $α↓k$ does not depend
on $x↓{k+1}$, $\ldotss$, $x↓n$, $y↓{k+1}$, $\ldotss$, or $y↓n$. Once the
$α$'s are known, Newton's interpolation formula is convenient
for calculation, since we may generalize Horner's rule once
again and write
$$\qquad u↑{[n]}(x) = \biglp (\ldotsm (α↓n(x{-}x↓{n-1}) + α↓{n-1})(x
{-}x↓{n-2}) +\cdotss)(x{-}x↓0) + α↓0\bigrp.\eqno(43)$$
This requires $n$ multiplications and $2n$ additions.
Alternatively, we may evaluate each of the individual terms of
(42) from right to left; with $2n - 1$ multiplications and $2n$
additions we thereby calculate all of the values $u↑{[0]}(x)$,
$u↑{[1]}(x)$, $\ldotss$, $u↑{[n]}(x)$, and this indicates whether
or not an interpolation process is ``converging.''
The coefficients $α↓k$ in Newton's formula may be found by computing
the {\sl divided differences} in the following tableau (shown
for $n = 3$):
$$\def\\{\noalign{\vskip-4pt}}
\vjust{\halign to 300pt{$#\hfill$\tabskip0pt plus 10pt
⊗$#\hfill$⊗$#\hfill$⊗$#\hfill$\tabskip0pt\cr
y↓0\cr\\
⊗(y↓1\!-\!y↓0)/(x↓1\!-\!x↓0) = y↑\prime↓{1}\cr\\
y↓1⊗⊗(y↑\prime↓{2}\!-\!y↑\prime↓{1})/(x↓2\!-\!x↓0) = y↓2↑{\prime\prime}\cr\\
⊗(y↓2\!-\!y↓1)/(x↓2\!-\!x↓1) = y↑\prime↓{2}⊗
⊗(y↓3↑{\prime\prime}\!-\!y↓2↑{\prime\prime})/(x↓3\!-\!x↓0) = y↓3↑{\prime\prime\prime}\hskip-48pt\cr\\
y↓2⊗⊗(y↑\prime↓{3}\!-\!y↑\prime↓{2})/(x↓3\!-\!x↓1) = y↓3↑{\prime\prime}\cr\\
⊗(y↓3\!-\!y↓2)/(x↓3\!-\!x↓2) = y↓3↑\prime\cr\\
y↓3\cr}}\eqno(44)$$
It is possible to prove that
$α↓0 = y↓0$, $α↓1 = y↑\prime↓{1}$, $α↓2=y↓2↑{\prime\prime}$, etc., and to show that
the divided differences have important relations to the derivatives
of the function being interpolated; see exercise 15. Therefore
the following calculation $\biglp$corresponding to (44)$\bigrp$
may be used to obtain the $α$'s:
$$\hjust to 310pt{Start with $(α↓0, α↓1, \ldotss , α↓n) ← (y↓0, y↓1, \ldotss
, y↓n)$; then, for $k = 1$, 2, $\ldotss$, $n$
(in this order), set $α↓j ← (α↓j - α↓{j-1})/(x↓j - x↓{j-k})$
for $j = n$, $n - 1$, $\ldotss$, $k$ (in this order).}$$
This process requires ${1\over 2}(n↑2 + n)$
divisions and $n↑2 + n$ subtractions, so about three-fourths
of the work implied in (41) has been saved.
For example, suppose that we want to estimate ${3\over
2}$! from the values of $0!$, $1!$, $2!$, and $3!$, using a cubic polynomial.
The divided differences are
$$\def\\{\noalign{\vskip-4pt}}
\vjust{\halign{$\ctr{#}$⊗\quad#\quad\hfill⊗$\ctr{#}$⊗\quad$\ctr{#}$⊗\quad
$\ctr{#}$⊗\quad$\ctr{#}$\cr
x⊗\chop to 0pt{\hjust{\vrule height 9pt depth 66pt}}⊗y⊗y↑\prime⊗
y↑{\prime\prime}⊗y↑{\prime\prime\prime}\cr
\noalign{\vskip4pt}
0⊗⊗1\cr\\
⊗⊗⊗0\cr\\
1⊗⊗1⊗⊗{1\over 2}\cr\\
⊗⊗⊗1⊗⊗{1\over 3}\cr\\
2⊗⊗2⊗⊗{3\over 2}\cr\\
⊗⊗⊗4\cr\\
3⊗⊗6\cr}}$$
so $u↑{[0]}(x) = u↑{[1]}(x) = 1$, $u↑{[2]}(x)
= {1\over 2}x(x - 1) + 1$, $u↑{[3]}(x) = {1\over 3}x(x - 1)(x
- 2) + {1\over 2}x(x - 1) + 1$. Setting $x = {3\over 2}$ in the latter polynomial
gives $-{1\over 8} + {3\over8} + 1 = 1.25$; presumably the ``correct''
value is $\Gamma ({5\over 2}) = {3\over 4}\sqrtπ \approx
1.33$.
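The divided-difference calculation and the evaluation rules (42) and (43), as an added example that is not part of the original text; it reproduces the estimate above in exact rational arithmetic and compares it with Lagrange's formula (41). The function names are assumptions of this sketch.

```python
from fractions import Fraction

def newton_coefficients(xs, ys):
    """The alphas of (42), by the in-place calculation corresponding to (44)."""
    a = [Fraction(y) for y in ys]
    n = len(xs) - 1
    for k in range(1, n + 1):
        # j runs downward so that a[j-1] still holds the previous column.
        for j in range(n, k - 1, -1):
            a[j] = (a[j] - a[j - 1]) / (xs[j] - xs[j - k])
    return a

def newton_eval(a, xs, x):
    """u^[n](x) by the generalized Horner rule (43)."""
    n = len(a) - 1
    u = a[n]
    for k in range(n - 1, -1, -1):
        u = u * (x - xs[k]) + a[k]
    return u

def newton_partials(a, xs, x):
    """[u^[0](x), u^[1](x), ..., u^[n](x)], taking the terms of (42)
    from right to left."""
    values = [a[0]]
    prod = 1
    for k in range(1, len(a)):
        prod = prod * (x - xs[k - 1])      # (x - x_0) ... (x - x_{k-1})
        values.append(values[-1] + a[k] * prod)
    return values

def lagrange_eval(xs, ys, x):
    """u^[n](x) directly from (41), for comparison."""
    acc = Fraction(0)
    for k, (xk, yk) in enumerate(zip(xs, ys)):
        num = den = Fraction(1)
        for i, xi in enumerate(xs):
            if i != k:
                num *= x - xi
                den *= xk - xi
        acc += yk * num / den
    return acc

if __name__ == "__main__":
    xs, ys = [0, 1, 2, 3], [1, 1, 2, 6]    # 0!, 1!, 2!, 3!
    a = newton_coefficients(xs, ys)
    x = Fraction(3, 2)
    print(a, newton_eval(a, xs, x), newton_partials(a, xs, x))
```

The successive values returned by `newton_partials` are the quantities the text suggests watching to judge whether the interpolation is "converging."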
It is instructive to note that evaluation of the
interpolation polynomial is just a special case of the Chinese
remainder algorithm of Section 4.3.2, since we know the values
of $u↑{[n]}(x)$ modulo the relatively prime polynomials $x - x↓0$,
$\ldotss$, $x - x↓n$.\xskip$\biglp$As we have seen in Section 4.6.2, $f(x)$ mod
$(x - x↓0) = f(x↓0)$.$\bigrp$\xskip Under this interpretation,
Newton's formula (42) is precisely the ``mixed-radix representation''
of Eq.\ 4.3.2--24; and 4.3.2--23 yields another way to compute
$α↓0$, $\ldotss$, $α↓n$ using the same number of operations as (44).
By applying fast Fourier transforms, it is possible
to reduce the running time for interpolation to $O\biglp n\,(\log
n)↑2\bigrp$, and a similar reduction can also be made for related
algorithms such as the solution to the Chinese remainder problem
and the evaluation of an $n$th degree polynomial at $n$ different
points.\xskip[See E. Horowitz, {\sl Inf.\
Proc.\ Letters \bf 1} (1972), 157--163; R. Moenck and A. Borodin,
{\sl J. Comp.\ Syst.\ Sci.\ \bf 8} (1974), 336--385; and A. Borodin,
{\sl Complexity of Sequential and Parallel Numerical Algorithms},
ed.\ by J. F. Traub (New York: Academic Press, 1973), 149--180.]\xskip
However, this must be regarded as a purely theoretical possibility
at present, since the known algorithms have a rather large overhead
factor.
A remarkable modification of the method of divided
differences, an extension that applies to rational functions instead of to
polynomials, was introduced by T. N. Thiele in 1909. For a discussion
of Thiele's method of ``reciprocal differences,'' see L. M.
Milne-Thomson, {\sl Calculus of Finite Differences} (London:
Macmillan, 1933), Chapter 5; R. W. Floyd, {\sl CACM \bf 3} (1960),
508.
%New material 1 [1] (C) Addison-Wesley 1978 *
\subsectionbegin{\star Bilinear forms} Several of the problems we have considered in
this section are special cases of the general problem of evaluating a set of
{\sl bilinear forms}
$$z↓k=\chop to 12pt{\sum↓{\scriptstyle 1≤i≤m\atop\scriptstyle 1≤j≤n}
a↓{ijk}x↓iy↓j,\qquad\hjust{for }1≤k≤s,}\eqno(45)$$
where the $a↓{ijk}$ are specific coefficients belonging to some given field. The
three-dimensional array $(a↓{ijk})$ is called an $m\times n\times s$ {\sl tensor},
and we can display it by writing down $s$ matrices of size $m\times n$, one for each
value of $k$. For example, the problem of multiplying complex numbers, namely
the problem of evaluating
$$z↓1+iz↓2=(x↓1+ix↓2)(y↓1+iy↓2)=(x↓1y↓1{-}x↓2y↓2)+i(x↓1y↓2{+}x↓2y↓1),\eqno(46)$$
is the problem of computing the bilinear form specified by the $2\times2\times2$
tensor
$$\left({1\atop0}\9{0\atop-1}\right)\quad\left({0\atop1}\9{1\atop0}\right).$$
Matrix multiplication as defined in (34) is the problem of evaluating a set of
bilinear forms corresponding to a particular $mn\times ns\times ms$ tensor.
Fourier transforms (37) can also be cast in this mold, if we let the $x$'s be
constant rather than variable.
The evaluation of bilinear forms is most easily studied if we restrict ourselves
to what might be called {\sl normal} evaluation schemes, in which all chain
multiplications take place between a linear combination of the $x$'s and
a linear combination of the $y$'s. Thus, we form $t$ products
$$\qquad w↓l=(α↓{1l\,}x↓1+\cdots+α↓{ml\,}x↓m)(β↓{1l\,}y↓1+\cdots+β↓{nl\,}y↓n)\qquad
\hjust{for }1≤l≤t,\eqno(47)$$
and obtain the $z$'s as linear combinations of these products,
$$z↓k=\gamma↓{k1}w↓1+\cdots+\gamma↓{kt\,}w↓t,\qquad\hjust{for }1≤k≤s.\eqno(48)$$
Here all the $α$'s, $β$'s, and $\gamma$'s belong to a given field of
coefficients. By comparing (48) to (45), we see that a normal evaluation scheme
is correct for the tensor $(a↓{ijk})$ if and only if
$$a↓{ijk}=α↓{i1}β↓{j1}\gamma↓{k1}+\cdots+α↓{it\,}β↓{jt\,}\gamma↓{kt\,}\eqno(49)$$
for $1≤i≤m$, $1≤j≤n$, and $1≤k≤s$.
A nonzero tensor $(a↓{ijk})$ is said to be of rank one if there are three vectors
$(α↓1,\ldotss,α↓m)$, $(β↓1,\ldotss,β↓n)$, $(\gamma↓1,\ldotss,\gamma↓s)$ such
that $a↓{ijk}=α↓iβ↓j\hskip1pt\gamma↓k$ for all $i$, $j$, $k$. We can extend this
definition to all tensors by saying that {\sl the rank of $(a↓{ijk})$ is the
minimum number $t$ such that $(a↓{ijk})$ is expressible as the sum of\/\ $t$
rank-one tensors} in the given field.
Comparing this definition with Eq.\ (49) shows that the rank of a tensor is
the minimum number of chain multiplications in a normal evaluation of the
corresponding bilinear forms. Incidentally, when $s=1$ the tensor $(a↓{ijk})$
is just an ordinary matrix, and the rank of $(a↓{ij1})$ as a tensor is the
same as its rank as a matrix (see exercise 49). The concept of tensor rank was
introduced by F. L. Hitchcock in {\sl J. Math.\ and Physics \bf6} (1927),
164--189; its application to the complexity of polynomial evaluation was pointed
out in an important paper
by V. Strassen, {\sl J. f\"ur die reine und angew.\ Math.\ \bf264}
(1973), 184--202.
Winograd's scheme (35) for matrix multiplication is ``abnormal'' because it
mixes $x$'s and $y$'s before multiplying them. The Strassen-Winograd scheme
(36), on the other hand, does not rely on the commutativity of multiplication,
so it is normal. In fact, (36) corresponds to the following way to represent
the $4\times4\times4$ tensor for $2\times2$ matrix multiplication as a sum of
seven rank-one tensors ($\=1=-1$):
$$\def\\#1.#2.#3.#4.{\left(\vcenter{\baselineskip 9pt
\halign{\hjust to 24pt{\:c##}\cr#1\cr#2\cr#3\cr#4\cr}}\right)}
\vjust{\lineskip6pt\halign{$#\hfill$\cr
\\1 0 0 0.0 1 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.1 0 0 0.0 1 0 0.
\\0 0 1 0.0 0 0 1.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 1 0.0 0 0 1.=
\\1 0 0 0.1 0 0 0.1 0 0 0.1 0 0 0.
\\1 0 0 0.1 0 0 0.1 0 0 0.1 0 0 0.
\\1 0 0 0.1 0 0 0.1 0 0 0.1 0 0 0.
\\1 0 0 0.1 0 0 0.1 0 0 0.1 0 0 0.\cr
\quad\null+
\\0 0 0 0.0 1 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.+
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 \=1 \=1.0 0 0 0.0 0 1 1.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 \=1 \=1.0 0 0 0.0 0 1 1.0 0 0 0.\cr
\quad\null+
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 0 0.1 1 \=1 \=1.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.+
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.\=1 0 1 0.1 0 \=1 0.
\\0 0 0 0.0 0 0 0.\=1 0 1 0.1 0 \=1 0.\cr
\quad\null+
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\0 0 0 \=1.0 0 0 1.0 0 0 1.0 0 0 \=1.
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.+
\\0 0 0 0.0 0 0 0.0 0 0 0.0 0 0 0.
\\\=1 0 1 1.0 0 0 0.1 0 \=1 \=1.\=1 0 1 1.
\\\=1 0 1 1.0 0 0 0.1 0 \=1 \=1.\=1 0 1 1.
\\\=1 0 1 1.0 0 0 0.1 0 \=1 \=1.\=1 0 1 1..\cr}}
\eqno(50)\lower5pt\vjust to 19pt{}$$
%New material 2 [3] (C) Addison-Wesley 1978 *
\def\midlp{\mathopen{\vcenter{\hjust{\:@\char'20}}}}
\def\midrp{\mathclose{\vcenter{\hjust{\:@\char'21}}}}
The fact that (49) is symmetric in $i$, $j$, $k$ and invariant under a variety
of transformations makes the study of tensor rank mathematically tractable,
and it also leads to some surprising consequences about bilinear forms. We
can permute the indices $i$, $j$, $k$ to obtain ``transposed'' bilinear forms,
and the transposed tensor clearly has the same rank; but the corresponding
bilinear forms are conceptually quite different. For example, a normal scheme
for evaluating an $(m\times n)$ times $(n\times s)$ matrix product implies the
existence of a normal scheme to evaluate an $(n\times s)$ times $(s\times m)$
matrix product, using the same number of chain multiplications. In matrix terms
these two problems hardly seem to be related at all---they involve different
numbers of dot products on vectors of different sizes---but in tensor terms they
are equivalent.\xskip(Cf.\ J. E. Hopcroft and J. Musinski, {\sl SIAM J.
Computing \bf2} (1973), 159--173.)
When the tensor $(a↓{ijk})$ can be represented as a sum (49) of $t$ rank-one
tensors, let $A$, $B$, $C$ be the matrices $(α↓{il})$, $(β↓{jl})$, $(\gamma↓{kl})$
of respective sizes $m\times t$, $n\times t$, $s\times t$; we shall say that
$A$, $B$, $C$ is a {\sl realization} of the tensor $(a↓{ijk})$. For example, the
realization of $2\times2$ matrix multiplication in (50) can be specified by the
matrices
$$\quad A=\left(\vcenter{\halign{#\cr
1 0 \=1 0 0 \=1 1\cr 0 1 0 0 0 1 0\cr 0 0 1 0 \=1 1 \=1\cr 0 0 0 1 1 \=1 1\cr
}}\right),\quad B=\left(\vcenter{\halign{#\cr
1 0 0 1 1 0 \=1\cr 0 1 0 1 0 0 0\cr 0 0 1 \=1 \=1 0 1\cr 0 0 1 \=1 0 1 1\cr
}}\right),\quad C=\left(\vcenter{\halign{#\cr
1 1 0 0 0 0 0\cr 1 0 1 1 0 0 1\cr 1 0 0 0 1 1 1\cr 1 0 1 0 1 0 1\cr}}\right).
\eqno(51)$$
An $m\times n\times s$ tensor $(a↓{ijk})$ can also be represented as a matrix by
grouping its subscripts together. We shall write $(a↓{(ij)k})$ for the $mn\times s$
matrix whose rows are indexed by the pair of subscripts $\langle i,j\rangle$ and
whose columns are indexed by $k$. Similarly, $(a↓{k(ij)})$ stands for the $s\times
mn$ matrix that contains $a↓{ijk}$ in row $k$ and column $\langle i,j\rangle$;\xskip
$(a↓{(ik)j})$ is an $ms\times n$ matrix, and so on. The indices of an array need not
be integers, and we are using ordered pairs as indices here. We can use this
notation to derive the following simple but useful lower bound on the rank of a
tensor.
\def\\{\hjust{\rm rank}}
\thbegin Lemma T. {\sl Let $A$, $B$, $C$ be a realization of an $m\times n\times s$
tensor $(a↓{ijk})$. Then $\\(A)≥\\(a↓{i(jk)})$, $\\(B)≥\\(a↓{j(ik)})$, and
$\\(C)≥\\(a↓{k(ij)})$; consequently}
$$\\(a↓{ijk})≥\max\biglp\\(a↓{i(jk)}),\\(a↓{j(ik)}),\\(a↓{k(ij)})\bigrp.$$
\dproofbegin It suffices by symmetry to show that $t≥\\(A)≥\\(a↓{i(jk)})$. Since
$A$ is an $m\times t$ matrix, it is obvious that $A$ cannot have rank greater than
$t$. Furthermore, according to (49), the matrix $(a↓{i(jk)})$ is equal to $AQ$,
where $Q$ is the $t\times ns$ matrix defined by $Q↓{l\langle j,k\rangle}=β↓{jl\,}
\gamma↓{kl\,}$. If $x$ is any row vector such that $xA=0$ then $xAQ=0$, hence all
linear dependencies in $A$ occur also in $AQ$. It follows that $\\(AQ)≤\\(A)$.\quad
\blackslug
\yyskip As an example of the use of Lemma T\null, let us consider the problem of
polynomial multiplication. Suppose we want to multiply a general polynomial
of degree 2 by a general polynomial of degree 3, obtaining the coefficients of
the product:
$$\twoline{\hskip-10pt(x↓0+x↓1u+x↓2u↑2)(y↓0+y↓1u+y↓2u↑2+y↓3u↑3)}{3pt}{=z↓0
+z↓1u+z↓2u↑2+z↓3u↑3+z↓4u↑4+z↓5u↑5.\qquad(52)\hskip-10pt}$$
This is the problem of evaluating six bilinear forms corresponding to the
$3\times4\times6$ tensor
$$\def\\#1.#2.#3.{\left(\vcenter{\baselineskip 10pt
\halign{##\cr#1\cr#2\cr#3\cr}}\right)}
\\1 0 0 0.0 0 0 0.0 0 0 0.
\\0 1 0 0.1 0 0 0.0 0 0 0.
\\0 0 1 0.0 1 0 0.1 0 0 0.
\\0 0 0 1.0 0 1 0.0 1 0 0.
\\0 0 0 0.0 0 0 1.0 0 1 0.
\\0 0 0 0.0 0 0 0.0 0 0 1..\eqno(53)$$
For brevity, we may write (52) as $x(u)y(u)=z(u)$, letting $x(u)$ denote the
polynomial $x↓0+x↓1u+x↓2u↑2$, etc. Note that we have come full circle from the
way we began this section, since Eq.\ (1) refers to $u(x)$, not $x(u)$; the
notation has changed because the {\sl coefficients} of the polynomials are now
the variables of interest to us.
If each of the six matrices in (53) is regarded as a vector of length 12 indexed
by $\langle i,j\rangle$, it is clear that the vectors are linearly independent,
since they are nonzero in different positions; hence the rank of (53) is at
least 6 by Lemma T\null. Conversely, it is possible to obtain the coefficients
$z↓0$, $z↓1$, $\ldotss$, $z↓5$ by making only six chain multiplications,
for example by computing
$$x(0)y(0),\;x(1)y(1),\;\ldotss,\;x(5)y(5);\eqno(54)$$
this gives the values of $z(0)$, $z(1)$, $\ldotss$, $z(5)$, and the formulas
developed above for interpolation will yield the coefficients of $z(u)$. The
evaluation of $x(j)$ and $y(j)$ can be carried out entirely in terms of additions
and/or parameter multiplications, and the interpolation formula merely takes linear
combinations of these values. Thus, all of the chain multiplications are shown in
(54), and the rank of (53) is 6.\xskip(We used essentially this same technique when
multiplying high-precision numbers in Algorithm 4.3.3C.)
The realization $A$, $B$, $C$ of (53) sketched in the above paragraph turns out
to be
$$\def\\#1{\left(\vcenter{\mathrm ccc\mathsy www\baselineskip 9pt
\def\q{\hskip4pt plus1000000000pt}
\halign{$\hfill##$⊗$\q##$⊗$\q##$⊗$\q##$⊗$\q##$⊗$\q##$\cr#1}}\right)}
\hjust to size{$\\{1⊗1⊗1⊗1⊗1⊗1\cr 0⊗1⊗2⊗3⊗4⊗5\cr 0⊗1⊗4⊗9⊗16⊗25\cr},\hfill
\\{1⊗1⊗1⊗1⊗1⊗1\cr 0⊗1⊗2⊗3⊗4⊗5\cr 0⊗1⊗4⊗9⊗16⊗25\cr 0⊗1⊗8⊗27⊗64⊗125\cr},\hfill
\\{120⊗0⊗0⊗0⊗0⊗0\cr
-274⊗600⊗-600⊗400⊗-150⊗24\cr
225⊗-770⊗1070⊗-780⊗305⊗-50\cr
-85⊗355⊗-590⊗490⊗-205⊗35\cr
15⊗-70⊗130⊗-120⊗55⊗-10\cr
-1⊗5⊗-10⊗10⊗-5⊗1\cr}{\times}{1\over120}$.}\eqno(55)$$
Thus, the scheme does indeed require the minimum number of chain multiplications,
but it is completely impractical because it involves so many additions and parameter
multiplications. We shall now study a practical approach to the generation of more
efficient schemes, suggested by S. Winograd.
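Lemma T applied mechanically to the tensor (53), together with the factorization of $(a↓{i(jk)})$ as $AQ$ from its proof checked on the realization (55); this Python code is an added illustration, not part of the original text. Function names are assumptions, ranks are taken over the rationals, and the matrix-multiplication tensor is read off from the left side of (50) with 0-based indices.

```python
from fractions import Fraction


def matrix_rank(rows):
    """Rank over the rationals by Gaussian elimination on exact fractions."""
    m = [[Fraction(v) for v in row] for row in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((r for r in range(rank, len(m)) if m[r][col] != 0), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        for r in range(rank + 1, len(m)):
            f = m[r][col] / m[rank][col]
            if f:
                m[r] = [a - f * b for a, b in zip(m[r], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank


def flattenings(t):
    """Matrices (a_i(jk)), (a_j(ik)), (a_k(ij)) of an m x n x s tensor t[i][j][k]."""
    m, n, s = len(t), len(t[0]), len(t[0][0])
    by_i = [[t[i][j][k] for j in range(n) for k in range(s)] for i in range(m)]
    by_j = [[t[i][j][k] for i in range(m) for k in range(s)] for j in range(n)]
    by_k = [[t[i][j][k] for i in range(m) for j in range(n)] for k in range(s)]
    return by_i, by_j, by_k


def lemma_t_bound(t):
    """Lower bound of Lemma T: the largest rank among the three flattenings."""
    return max(matrix_rank(f) for f in flattenings(t))


def polymul_tensor(m, n):
    """Tensor (53) when m = 3, n = 4: a_ijk = 1 iff i + j = k."""
    return [[[int(i + j == k) for k in range(m + n - 1)]
             for j in range(n)] for i in range(m)]


def tensor_from_terms(m, n, s, terms):
    """0/1 tensor with a_ijk = 1 exactly for the listed (i, j, k)."""
    t = [[[0] * s for _ in range(n)] for _ in range(m)]
    for i, j, k in terms:
        t[i][j][k] = 1
    return t


# 2 x 2 matrix multiplication, from the four matrices on the left of (50).
MATMUL_2X2 = tensor_from_terms(4, 4, 4, [
    (0, 0, 0), (1, 1, 0), (2, 0, 1), (3, 1, 1),
    (0, 2, 2), (1, 3, 2), (2, 2, 3), (3, 3, 3)])

# Realization (55): A and B hold powers of the points 0..5, C is from the text.
A55 = [[l ** i for l in range(6)] for i in range(3)]
B55 = [[l ** j for l in range(6)] for j in range(4)]
C55 = [[Fraction(v, 120) for v in row] for row in [
    [120, 0, 0, 0, 0, 0],
    [-274, 600, -600, 400, -150, 24],
    [225, -770, 1070, -780, 305, -50],
    [-85, 355, -590, 490, -205, 35],
    [15, -70, 130, -120, 55, -10],
    [-1, 5, -10, 10, -5, 1]]]


def proof_product(A, B, C):
    """A*Q from the proof of Lemma T, where Q[l][<j,k>] = beta_jl * gamma_kl."""
    t = len(A[0])
    Q = [[B[j][l] * C[k][l] for j in range(len(B)) for k in range(len(C))]
         for l in range(t)]
    return [[sum(A[i][l] * Q[l][c] for l in range(t))
             for c in range(len(Q[0]))] for i in range(len(A))]


if __name__ == "__main__":
    T53 = polymul_tensor(3, 4)
    print("flattening ranks of (53):", [matrix_rank(f) for f in flattenings(T53)])
    print("ranks of A, B, C in (55):", [matrix_rank(M) for M in (A55, B55, C55)])
    print("AQ equals (a_i(jk)):", proof_product(A55, B55, C55) == flattenings(T53)[0])
    print("Lemma T bound for 2x2 matrix product:", lemma_t_bound(MATMUL_2X2))
```

For the $2\times2$ matrix multiplication tensor the bound comes out as 4, while (50) uses seven rank-one terms, so the bound by itself does not show that (50) is optimal.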
In the first place, to evaluate the coefficients of $x(u)y(u)$ when deg$(x)=m$ and
deg$(y)=n$, one can use the identity
$$x(u)y(u)=\biglp x(u)y(u)\mod p(u)\bigrp+x↓my↓np(u),\eqno(56)$$
when $p(u)$ is any monic polynomial of degree $m+n$. The polynomial $p(u)$
should be chosen so that the coefficients of $x(u)y(u)\mod p(u)$ are
easy to evaluate.
In the second place, to evaluate the coefficients of $x(u)y(u)\mod p(u)$, when the
polynomial $p(u)$ can be factored into $q(u)r(u)$ where $\gcd\biglp q(u),r(u)\bigrp
=1$, one can use the identity
$$\twoline{\hskip-10pt
x(u)y(u)\mod q(u)r(u)=\midlp a(u)r(u)\biglp x(u)y(u)\mod q(u)
\bigrp}{2pt}{\null+b(u)q(u)\biglp x(u)y(u)\mod r(u)\bigrp\midrp\mod q(u)r(u)\qquad
(57)\hskip-10pt}$$
where $a(u)r(u)+b(u)q(u)=1$; this is essentially the Chinese remainder theorem
applied to polynomials.
In the third place, to evaluate the coefficients of
$x(u)y(u)\mod p(u)$ when $p(u)$ has only one irreducible factor over the
field of coefficients, one can use the identity
$$x(u)y(u)\mod p(u)=\biglp x(u)\mod p(u)\bigrp\biglp y(u)\mod p(u)\bigrp\mod p(u).
\eqno(58)$$
Repeated application of (56), (57), and (58) tends to produce efficient schemes,
as we shall see.
For our example problem (52), let us choose $p(u)=u↑5-u$ and apply (56); the
reason for this choice of $p(u)$ will appear as we proceed. Writing $p(u)=
u(u↑4-1)$, rule (57) reduces to
$$\twoline{\hskip-10pt x(u)y(u)\mod u(u↑4-1)=\biglp-(u↑4-1)x↓0y↓0}{3pt}{\null
+u↑4\biglp x(u)y(u)\mod(u↑4-1)\bigrp\bigrp\mod(u↑5-u).\qquad(59)\hskip-10pt}$$
Here we have used the fact that $x(u)y(u)\mod u=x↓0y↓0$; in general it is a
good idea to choose $p(u)$ in such a way that $p(0)=0$, so that this simplification
can be used. If we could now determine the coefficients $w↓0$, $w↓1$, $w↓2$, $w↓3$
of the polynomial
$x(u)y(u)\mod(u↑4-1)=w↓0+w↓1u+w↓2u↑2+w↓3u↑3$, our problem would be solved,
since $$u↑4\biglp x(u)y(u)\mod(u↑4-1)\bigrp\mod(u↑5-u)=w↓0u↑4+w↓1u+w↓2u↑2+w↓3u↑3,$$
and the combination of (56) and (59) would reduce to
$$x(u)y(u)=x↓0y↓0+(w↓1-x↓2y↓3)u+w↓2u↑2+w↓3u↑3+(w↓0-x↓0y↓0)u↑4+x↓2y↓3u↑5.\eqno(60)$$
(This formula can, of course, be verified directly.)
The problem remaining to be solved is to compute $x(u)y(u)\mod(u↑4-1)$; and this
subproblem is interesting in itself. Let us momentarily allow $x(u)$ to be of
degree 3 instead of degree 2. Then the coefficients of $x(u)y(u)\mod(u↑4-1)$ are
respectively
$$\twoline{x↓0y↓0+x↓1y↓3+x↓2y↓2+x↓3y↓1,\quad
x↓0y↓1+x↓1y↓0+x↓2y↓3+x↓3y↓2,}{3pt}{x↓0y↓2
+x↓1y↓1+x↓2y↓0+x↓3y↓3,\quad x↓0y↓3+x↓1y↓2+x↓2y↓1+x↓3y↓0,}$$
and the corresponding tensor is
$$\def\\#1.#2.#3.#4.{\left(\vcenter{\baselineskip 10pt
\halign{##\cr#1\cr#2\cr#3\cr#4\cr}}\right)}
\\1 0 0 0.0 0 0 1.0 0 1 0.0 1 0 0.
\\0 1 0 0.1 0 0 0.0 0 0 1.0 0 1 0.
\\0 0 1 0.0 1 0 0.1 0 0 0.0 0 0 1.
\\0 0 0 1.0 0 1 0.0 1 0 0.1 0 0 0..\eqno(61)$$
In general when deg$(x)=\hjust{deg}(y)=n-1$, the coefficients of $x(u)y(u)\mod
(u↑n-1)$ are called the {\sl cyclic convolution} of $(x↓0,x↓1,\ldotss,x↓{n-1})$
and $(y↓0,y↓1,\ldotss,y↓{n-1})$. The $k$th coefficient $w↓k$ is the bilinear form
$\sum x↓{i\,}y↓j$ summed over all $i$ and $j$ with $i+j≡k\modulo n$.
The cyclic convolution of degree 4 can be obtained by applying rule (57). The
first step is to find the factors of $u↑4-1$, namely $(u-1)(u+1)(u↑2+1)$. We could
write this as $(u↑2-1)(u↑2+1)$, then apply rule (57), then use (57) again on
the part modulo $(u↑2-1)=(u+1)(u-1)$; but it is easier to generalize the
Chinese remainder rule (57) directly to the case of several relatively prime
factors, e.g.,
$$\baselineskip15pt
\vjust{\halign to size{$#$\cr
x(u)y(u)\mod q↓1(u)q↓2(u)q↓3(u)\hfill\cr
\quad=\midlp a↓1(u)q↓2(u)q↓3(u)\biglp
x(u)y(u)\mod q↓1(u)\bigrp+a↓2(u)q↓1(u)q↓3(u)\biglp x(u)y(u)\mod q↓2(u)\bigrp\cr
\hfill\null+a↓3(u)q↓1(u)q↓2(u)\biglp x(u)y(u)\mod q↓3(u)\bigrp\midrp
\mod q↓1(u)q↓2(u)q↓3(u),\quad(62)\cr}}$$
where $a↓1(u)q↓2(u)q↓3(u)+a↓2(u)q↓1(u)q↓3(u)+a↓3(u)q↓1(u)q↓2(u)=1$.\xskip
$\biglp$The latter equation can be understood in another way, by noting that
$a↓1(u)/q↓1(u)+a↓2(u)/q↓2(u)+a↓3(u)/q↓3(u)$ is the partial fraction expansion
of $1/q↓1(u)q↓2(u)q↓3(u)$. When each of the $q$'s is a linear polynomial
$u-α↓i$, the generalized Chinese remainder rule reduces to ordinary
interpolation as in Eq.\ (41), since $f(u)\mod(u-α↓i)=f(α↓i).\bigrp$\xskip
From (62) we obtain
$$\twoline{\hskip-10pt\textstyle
x(u)y(u)\mod(u↑4-1)=\midlp{u↑3+u↑2+u+1\over4}x(1)y(1)-
{u↑3-u↑2+u-1\over4}x(-1)y(-1)}{4pt}{\textstyle
\null-{u↑2-1\over2}\biglp x(u)y(u)\mod
(u↑2+1)\bigrp\midrp\mod(u↑4-1).\quad(63)\hskip-10pt}$$
%New material 3 [8] (C) Addison-Wesley 1978 *
The remaining problem is to evaluate $x(u)y(u)\mod(u↑2+1)$, and it is time to
invoke rule (58). First we reduce $x(u)$ and $y(u)$ mod $(u↑2+1)$, obtaining
$X(u)=(x↓0-x↓2)+(x↓1-x↓3)u$, $Y(u)=(y↓0-y↓2)+(y↓1-y↓3)u$. Then (58) tells us
to evaluate $X(u)Y(u)=Z↓0+Z↓1u+Z↓2u↑2$, and to reduce this in turn modulo
$(u↑2+1)$, obtaining $(Z↓0-Z↓2)+Z↓1u$. The job of computing $X(u)Y(u)$ is
simple; we can use rule (56) with $p(u)=u(u+1)$ and we get
$$Z↓0=X↓0Y↓0,\quad Z↓1=X↓0Y↓0-(X↓0{-}X↓1)(Y↓0{-}Y↓1)+X↓1Y↓1,\quad
Z↓2=X↓1Y↓1.$$
(We have thereby rediscovered the trick of Eq.\ 4.3.3--2 in a more systematic
way.)\xskip Putting everything together yields the following realization $A$, $B$,
$C$ of degree-4 cyclic convolution:
$$\def\\#1.#2.#3.#4.{\left(\vcenter{
\halign{##\cr\vjust to 10pt{}#1\cr#2\cr#3\cr#4\cr}}\right)}
\\1 1 1 0 1.1 \=1 0 1 \=1.1 1 \=1 0 \=1.1 \=1 0 \=1 1.,\qquad
\\1 1 1 0 1.1 \=1 0 1 \=1.1 1 \=1 0 \=1.1 \=1 0 \=1 1.,\qquad
\\1 1 2 \=2 0.1 \=1 2 2 \=2.1 1 \=2 2 0.1 \=1 \=2 \=2 2.\times\textstyle{1\over4}.
\eqno(64)$$
Here \=1 stands for $-1$ and \=2 for $-2$.
The tensor for cyclic convolution of degree $n$ satisfies
$$a↓{i,j,k}=a↓{k,-j,i},\eqno(65)$$
treating the subscripts modulo $n$, since $a↓{ijk}=1$ if and only if $i+j≡k\modulo
n$. Thus if $(α↓{il})$, $(β↓{jl})$, $(\gamma↓{kl})$ is a realization of the cyclic
convolution, so is $(\gamma↓{kl})$, $(β↓{-j,l})$, $(α↓{il})$; in particular, we can
realize (61) by transforming (64) into
$$\def\\#1.#2.#3.#4.{\left(\vcenter{
\halign{##\cr\vjust to 10pt{}#1\cr#2\cr#3\cr#4\cr}}\right)}
\\1 1 2 \=2 0.1 \=1 2 2 \=2.1 1 \=2 2 0.1 \=1 \=2 \=2 2.\times\textstyle{1\over4},
\qquad\\1 1 1 0 1.1 \=1 0 \=1 1.1 1 \=1 0 \=1.1 \=1 0 1 \=1.,
\qquad\\1 1 1 0 1.1 \=1 0 1 \=1.1 1 \=1 0 \=1.1 \=1 0 \=1 1..\eqno(66)$$
Now all of the complicated scalars appear in the $A$ matrix. This is important
in practice, since we often want to compute the convolution for many values
of $y↓0$, $y↓1$, $y↓2$, $y↓3$ but for a fixed choice of $x↓0$, $x↓1$, $x↓2$, $x↓3$.
In such a situation, the arithmetic on $x$'s can be done once and for all, and
we need not count it. Thus (66) leads to the following scheme for evaluating the
cyclic convolution $w↓0$, $w↓1$, $w↓2$, $w↓3$ when $x↓0$, $x↓1$, $x↓2$, $x↓3$ are
known in advance:
$$\baselineskip15pt\lineskip3pt\vjust{\halign{$
\hskip-90pt plus100pt#\hskip-90pt plus100pt$\cr
s↓1=y↓0+y↓2,\quad s↓2=y↓1+y↓3,\quad s↓3=s↓1+s↓2,\quad s↓4=s↓1-s↓2,\cr
s↓5=y↓0-y↓2,\quad s↓6=y↓3-y↓1,\quad s↓7=s↓5-s↓6;\cr
m↓1={x↓0+x↓1+x↓2+x↓3\over4}\cdot s↓3,\quad
m↓2={x↓0-x↓1+x↓2-x↓3\over4}\cdot s↓4,\quad
m↓3={x↓0+x↓1-x↓2-x↓3\over2}\cdot s↓5,\cr
m↓4={-x↓0+x↓1+x↓2-x↓3\over2}\cdot s↓6,\quad
m↓5={x↓3-x↓1\over2}\cdot s↓7;\cr
t↓1=m↓1+m↓2,\quad t↓2=m↓3+m↓5,\quad t↓3=m↓1-m↓2,\quad t↓4=m↓4-m↓5;\cr
w↓0=t↓1+t↓2,\quad w↓1=t↓3+t↓4,\quad w↓2=t↓1-t↓2,\quad w↓3=t↓3-t↓4.\cr}}\eqno(67)$$
There are 5 multiplications and 15 additions, while the definition of
cyclic convolution involves 16 multiplications and 12 additions. We will prove
later that 5 multiplications are necessary.
Going back to our original multiplication problem (52), using (60), we have
derived the realization
$$\textstyle
\left(\vcenter{\halign{#\cr
4 0 1 1 2 \=2 0\cr 0 0 1 \=1 2 2 \=2\cr 0 4 1 1 \=2 2 0\cr}}\right)\times{1\over4},
\qquad\left(\vcenter{\halign{#\cr
1 0 1 1 1 0 1\cr 0 0 1 \=1 0 \=1 1\cr 0 0 1 1 \=1 0 \=1\cr 0 1 1 \=1 0 1 \=1\cr
}}\right),
\qquad\left(\vcenter{\halign{#\cr
1 0 0 0 0 0 0\cr 0 \=1 1 \=1 0 1 \=1\cr 0 0 1 1 \=1 0 \=1\cr 0 0 1 \=1 0 \=1 1\cr
\=1 0 1 1 1 0 1\cr 0 1 0 0 0 0 0\cr}}\right).\eqno(68)$$
This scheme uses one more than the minimum number of chain multiplications, but
it requires far fewer parameter multiplications than (55). Of course, it must be
admitted that the scheme is still rather complicated: If our
goal is simply to compute
the coefficients $z↓0$, $z↓1$, $\ldotss$, $z↓5$ of the product of two given
polynomials ${(x↓0+x↓1u+x↓2u↑2)}\*{(y↓0+y↓1u+y↓2u↑2+y↓3u↑3)}$,
as a one-shot problem,
our best bet is still to use the obvious method that does 12 multiplications and
6 additions---unless (say) the $x$'s and $y$'s are matrices. Note that if the $x$'s
are fixed as the $y$'s vary, the new scheme does the evaluation with 7
multiplications and 17 additions. Even though (68) isn't especially useful as it
stands, our derivation has illustrated important techniques that are useful in a
variety of other situations. For example, Winograd has used this approach to compute
Fourier transforms using fewer multiplications than any other known scheme (see
exercise 53).
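A mechanical check of the realizations derived above, added here as an illustration in Python and not part of the original text: condition (49) is expanded for (64), (66) and (68), (66) is regenerated from (64) through the symmetry (65), and scheme (67) is run against the definition of cyclic convolution. The matrices are transcribed from the text; all function names are assumptions.

```python
from fractions import Fraction


def cyclic_tensor(n):
    """Tensor (61) when n = 4: a_ijk = 1 iff i + j = k (modulo n)."""
    return [[[int((i + j - k) % n == 0) for k in range(n)]
             for j in range(n)] for i in range(n)]


def polymul_tensor(m, n):
    """Tensor (53) when m = 3, n = 4: a_ijk = 1 iff i + j = k."""
    return [[[int(i + j == k) for k in range(m + n - 1)]
             for j in range(n)] for i in range(m)]


def realized_tensor(A, B, C):
    """Right-hand side of (49): sum over l of alpha_il * beta_jl * gamma_kl."""
    t = len(A[0])
    return [[[sum(A[i][l] * B[j][l] * C[k][l] for l in range(t))
              for k in range(len(C))] for j in range(len(B))]
            for i in range(len(A))]


def evaluate_normal(A, B, C, x, y):
    """Normal scheme: the t products (47), then the sums (48). Returns (z, t)."""
    t = len(A[0])
    w = [sum(A[i][l] * x[i] for i in range(len(x))) *
         sum(B[j][l] * y[j] for j in range(len(y))) for l in range(t)]
    return [sum(row[l] * w[l] for l in range(t)) for row in C], t


def rotate_realization(A, B, C):
    """Symmetry (65): (alpha_il), (beta_jl), (gamma_kl) becomes
    (gamma_kl), (beta_{-j,l}), (alpha_il), subscripts modulo n."""
    n = len(B)
    return C, [B[-j % n] for j in range(n)], A


def quarter(rows):
    return [[Fraction(v, 4) for v in row] for row in rows]


# Realization (64) of degree-4 cyclic convolution.
A64 = B64 = [[1, 1, 1, 0, 1], [1, -1, 0, 1, -1],
             [1, 1, -1, 0, -1], [1, -1, 0, -1, 1]]
C64 = quarter([[1, 1, 2, -2, 0], [1, -1, 2, 2, -2],
               [1, 1, -2, 2, 0], [1, -1, -2, -2, 2]])
# Realization (66), obtained from (64) by the symmetry (65).
A66, B66, C66 = rotate_realization(A64, B64, C64)

# Realization (68) of the degree-2 by degree-3 product (52).
A68 = quarter([[4, 0, 1, 1, 2, -2, 0], [0, 0, 1, -1, 2, 2, -2],
               [0, 4, 1, 1, -2, 2, 0]])
B68 = [[1, 0, 1, 1, 1, 0, 1], [0, 0, 1, -1, 0, -1, 1],
       [0, 0, 1, 1, -1, 0, -1], [0, 1, 1, -1, 0, 1, -1]]
C68 = [[1, 0, 0, 0, 0, 0, 0], [0, -1, 1, -1, 0, 1, -1],
       [0, 0, 1, 1, -1, 0, -1], [0, 0, 1, -1, 0, -1, 1],
       [-1, 0, 1, 1, 1, 0, 1], [0, 1, 0, 0, 0, 0, 0]]


def cyclic_convolution(x, y):
    """Definition: w_k = sum of x_i y_j over i + j = k (modulo n)."""
    n = len(x)
    w = [0] * n
    for i in range(n):
        for j in range(n):
            w[(i + j) % n] += x[i] * y[j]
    return w


def convolve_67(x, y):
    """Scheme (67); returns (w, number of chain multiplications)."""
    x0, x1, x2, x3 = (Fraction(v) for v in x)
    y0, y1, y2, y3 = y
    # These five factors depend only on x; they are computed once if x is fixed.
    c = [(x0 + x1 + x2 + x3) / 4, (x0 - x1 + x2 - x3) / 4,
         (x0 + x1 - x2 - x3) / 2, (-x0 + x1 + x2 - x3) / 2, (x3 - x1) / 2]
    s1, s2 = y0 + y2, y1 + y3
    s3, s4 = s1 + s2, s1 - s2
    s5, s6 = y0 - y2, y3 - y1
    s7 = s5 - s6
    m1, m2, m3, m4, m5 = (ci * si for ci, si in zip(c, (s3, s4, s5, s6, s7)))
    t1, t2, t3, t4 = m1 + m2, m3 + m5, m1 - m2, m4 - m5
    return [t1 + t2, t3 + t4, t1 - t2, t3 - t4], 5


if __name__ == "__main__":
    x, y = [3, -1, 4, 1], [5, 9, -2, 6]   # constructed sample input
    print("(64) satisfies (49):", realized_tensor(A64, B64, C64) == cyclic_tensor(4))
    print("(66) satisfies (49):", realized_tensor(A66, B66, C66) == cyclic_tensor(4))
    print("(68) satisfies (49):", realized_tensor(A68, B68, C68) == polymul_tensor(3, 4))
    print("scheme (67):", convolve_67(x, y), "definition:", cyclic_convolution(x, y))
```

Because (67) is bilinear in the $x$'s and $y$'s, agreement with the definition on all 16 pairs of unit vectors establishes it for every input.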
Let us conclude this section by determining the exact rank of the $n\times n\times
n$ tensor that corresponds to the multiplication of two polynomials modulo a
third,
$$\twoline{\hskip-10pt z↓0+z↓1u+\cdots+z↓{n-1}u↑{n-1}}{3pt}{=(x↓0+x↓1u+\cdots
+x↓{n-1}u↑{n-1})(y↓0+y↓1u+\cdots+y↓{n-1}u↑{n-1})\mod p(u).\quad(69)\hskip-10pt}$$
Here $p(u)$ stands for any given monic polynomial of degree $n$; in particular,
$p(u)$ might be $u↑n-1$, so one of the results of our investigation will be to
deduce the rank of the tensor corresponding to cyclic convolution of degree $n$.
It will be convenient to write $p(u)$ in the form
$$p(u)=u↑n-p↓{n-1}u↑{n-1}-\cdots-p↓1u-p↓0,\eqno(70)$$
so that $u↑n≡p↓0+p↓1u+\cdots+p↓{n-1}u↑{n-1}$ $\biglp\hjust{modulo }p(u)\bigrp$.
The tensor element $a↓{ijk}$ is the coefficient of $u↑k$ in $u↑{i+j}\mod p(u)$;
and this is the element in row $i$, column $k$ of the matrix $P↑j$, where
$$P=\left(\vcenter{\halign{$\ctr{#}$⊗\quad$\ctr{#}$⊗\quad$\ctr{#}$⊗\quad
$#\hfill$\quad⊗$\ctr{#}$\cr
0⊗1⊗0⊗\ldots⊗0\cr
\noalign{\vskip2pt}
0⊗0⊗1⊗\ldots⊗0\cr
\vdots⊗\vdots⊗\vdots⊗⊗\vdots\cr
0⊗0⊗0⊗\ldots⊗1\cr
p↓0⊗p↓1⊗p↓2⊗\ldots⊗p↓{n-1}\cr}}\right)\eqno(71)$$
is the so-called ``companion matrix'' of $p(u)$.\xskip(The indices $i$, $j$, $k$ in
our discussion will run from 0 to $n-1$ instead of from 1 to $n$.)\xskip
It is convenient to transpose the tensor, for if $b↓{ijk}=a↓{ikj}$ the individual
layers of $(b↓{ijk})$ for $k=0$, 1, 2, $\ldotss$, $n-1$ are simply given by the
matrices
$$I\qquad P\qquad P↑2\qquad \ldots\qquad P↑{n-1}.\eqno(72)$$
The first rows of the matrices in (72) are respectively the unit vectors
$(1,0,0,\ldotss,0)$,
$(0,1,0,\ldotss,0)$, $(0,0,1,\ldotss,0)$, $\ldotss$, $(0,0,0,\ldotss,1)$, hence
a linear combination such as $\sum↓{0≤k<n}c↓{k\,}P↑k$ will be the zero matrix if
and only if the $c↓k$ are all zero. Furthermore, most of these linear combinations
are actually nonsingular matrices, for we have
$$\twoline{(d↓0,d↓1,\ldotss,d↓{n-1})\sum↓{0≤k<n}c↓{k\,}P↑k=(0,0,\ldotss,0)}{0pt}{
\hjust{if and only if}\qquad c(u)d(u)≡0\quad\biglp\hjust{modulo }p(u)\bigrp,}$$
where $c(u)=c↓0+c↓1u+\cdots+c↓{n-1}u↑{n-1}$ and $d(u)=d↓0+d↓1u+\cdots+d↓{n-1}
u↑{n-1}$. Thus, $\sum↓{0≤k<n}c↓{k\,}P↑k$ is a singular matrix if and only if the
polynomial $c(u)$ is a multiple of some factor of $p(u)$. We are now ready to
prove the desired result.
\algbegin Theorem W (\rm S. Winograd, 1975). {\sl Let $p(u)$ be a monic polynomial
of degree $n$ whose complete factorization over a given infinite field is
$$p(u)=p↓1(u)↑{e↓1}\ldotss p↓r(u)↑{e↓r}.\eqno(73)$$
Then the rank of the tensor $(72)$ corresponding to the bilinear forms $(69)$
is $2n-r$ over this field.}
\proofbegin The bilinear forms can be evaluated with only $2n-r$ chain
multiplications by using rules (56), (57), (58) in an appropriate fashion, so
we must prove only that the rank is $≥2n-r$. The above discussion establishes
that rank$(b↓{(ij)k})=n$; hence by Lemma T\null, any $n\times t$ realization
$A$, $B$, $C$ of $(b↓{ijk})$ has rank$(C)=n$. Our idea will be to use Lemma T
again, by finding a vector $(c↓0,c↓1,\ldotss,c↓{n-1})$ that has the following two
properties:
\yskip\hang\textindent{a)}The vector $(c↓0,c↓1,\ldotss,c↓{n-1})C$ has at most
$r+t-n$ nonzero coefficients.
\hang\textindent{b)}The matrix $c(P)=\sum↓{0≤k<n}c↓{k\,}P↑k$
is nonsingular.
\yskip\noindent This and Lemma T will prove that $r+t-n≥n$, since the identity
$$\sum↓{1≤l≤t}α↓{il\,}β↓{jl\,}\bigglp\sum↓{0≤k<n}c↓{k\,}\gamma↓{kl}\biggrp\;=\;
c(P)↓{ij}$$
shows how to realize the $n\times n\times 1$ tensor $c(P)$ of rank $n$ with
$r+t-n$ chain multiplications.
We may assume for convenience that the first $n$ columns of $C$ are linearly
independent. Let $D$ be the $n\times n$ matrix such that the first $n$ columns
of $DC$ are equal to the identity matrix. Our goal will be achieved if there is
a linear combination $(c↓0,c↓1,\ldotss,c↓{n-1})$ of at most $r$ rows of $D$,
such that $c(P)$ is nonsingular; such a vector will satisfy conditions (a) and
(b).
Since the rows of $D$ are linearly independent, for each $i$ there must be some
row whose corresponding polynomial is not a multiple of $p↓i(u)$. Given a
vector $d=(d↓0,d↓1,\ldotss,d↓{n-1})$, let ``covered$(d)$'' be the set of all $i$
such that $d(u)$ is not a multiple of $p↓i(u)$. From two vectors $c$ and $d$ we
can find a linear combination $c+αd$ such that
$$\def\\{\hjust{covered}}
\\(c+αd)=\\(c)∪\\(d),\eqno(74)$$
for some $α$ in the field. The reason is that if $i$ is covered by $c$ or $d$ but
not both, then $i$ is covered by $c+αd$ for all nonzero $α$; if $i$ is covered
by both $c$ and $d$ and $i$ is not covered by $c+αd$ then $i$ is covered by
$c+βd$ for all $β≠α$. By trying $r+1$ different values of $α$, at least one must
yield (74). In this way we can systematically construct a linear combination of
at most $r$ rows of $D$, covering all $i$.\quad\blackslug
\yyskip One of the most important corollaries of Theorem W is that the rank of a
tensor can depend on the field from which we draw the elements of the realization
$A$, $B$, $C$. For example, consider the tensor corresponding to cyclic
convolution of degree 5; this is equivalent to multiplication of polynomials
mod $p(u)=u↑5-1$. Over the field of rational numbers, the complete factorization
of $p(u)$ is ${(u-1)}\*{(u↑4+u↑3+u↑2+u+1)}$ by exercise
4.6.2--32, so the rank of the tensor is $10-2=8$. On the other hand,
the complete factorization over the real numbers is
$(u-1)(u↑2+\phi u+1)(u↑2-\phi↑{-1}u+1)$; thus, the rank is only 7, if we allow
arbitrary real numbers to appear in $A$, $B$, $C$. Over the complex numbers the
rank is 5. This phenomenon does not occur in two-dimensional tensors (i.e.,
matrices), where the rank can be determined by evaluating determinants of
submatrices and testing for 0. The rank of a matrix does not change when the
field containing its elements is embedded in a larger field, but the rank of
a tensor {\sl can} decrease when the field gets larger.
In the paper that introduced Theorem W [{\sl Math.\ Systems Theory \bf10} (1977),
169--180], Winograd proved Theorem W and went on to show that {\sl all\/}
realizations of (69) in $2n-r$ chain multiplications correspond to the use of
(57), when $r$ is greater than 1.
Furthermore he has shown that the only way to evaluate the
coefficients of $x(u)y(u)$ in deg$(x)+\hjust{deg}(y)+1$ chain multiplications
is to use interpolation or to use (56) with a polynomial that splits into
distinct linear factors in the field. Finally he has proved that the only way
to evaluate $x(u)y(u)\mod p(u)$ in $2n-1$ chain multiplications when $r=1$ is
essentially to use (58). These results hold for {\sl all\/} polynomial chains,
not only ``normal'' ones.
The tensor rank of an arbitrary $m\times n\times2$ tensor over an arbitrary field
has been determined by Joseph Ja'Ja', {\sl Proc.\ ACM Symp.\ Theory of
Computation \bf10} (1978), 173--183.
%folio 628 galley 2b (C) Addison-Wesley 1978 *
\subsectionbegin{For further reading} In this section
we have barely scratched the surface of a very large subject
in which many beautiful theories are emerging; a considerably more comprehensive
treatment appears in the book {\sl Computational Complexity
of Algebraic and Numeric Problems} by A. Borodin and I. Munro
(New York: American Elsevier, 1975).
\exbegin{EXERCISES}
\exno 1. [15] What is
a good way to evaluate an ``odd'' polynomial
$$u(x) = u↓{2n+1}x↑{2n+1} + u↓{2n-1}x↑{2n-1} +\cdots
+ u↓1x?$$
\trexno 2. [M20] Instead of computing
$u(x + x↓0)$ by steps H1 and H2 as in the text, discuss the application
of Horner's rule (2) when {\sl polynomial} multiplication and
addition are used, instead of arithmetic in the domain of coefficients.
\exno 3. [20] Give a method analogous to Horner's rule, for
evaluating a polynomial in two variables $\sum ↓{i+j≤n} u↓{ij}x↑iy↑j$.\xskip
$\biglp$This polynomial has $(n + 1)(n + 2)/2$ coefficients, and ``total
degree'' $n$.$\bigrp$\xskip Count the number of additions and multiplications
you use.
\exno 4. [M20] The text shows that scheme (3) is superior to
Horner's rule when we are evaluating a polynomial with real
coefficients at a complex point $z$. Compare (3) to Horner's
rule when {\sl both} the coefficients and the variable $z$ are
complex numbers; how many (real) multiplications and addition-subtractions
are required by each method?
\exno 5. [M15] Count the number of multiplications and additions
required by the second-order rule (4).
%folio 629 galley 3 (C) Addison-Wesley 1978 *
\exno 6. [22] (L. de Jong and
J. van Leeuwen.)\xskip Show how to improve on steps S1, $\ldotss$, S4
by computing only about ${1\over 2}n$ powers of $x↓0$.
\exno 7. [M24] How can $β↓0$, $\ldotss$, $β↓n$ be calculated so
that (6) has the value $u(x↓0 + kh)$ for all $k$?
\exno 8. [M20] The factorial power $x↑{\underline k}$ is defined to be $k!{x\choose
k} = x(x - 1) \ldotsm (x - k + 1)$. Explain how to evaluate
$u↓nx↑{\underline n} +\cdots + u↓1x↑{\underline1} + u↓0$ with at most $n$
multiplications and $2n - 1$ additions, starting with $x$ and
the $n + 3$ constants $u↓n$, $\ldotss$, $u↓0$, 1, $n - 1$.
\exno 9. [M24] (H. J. Ryser.)\xskip Show that if $X = (x↓{ij})$ is
an $n \times n$ matrix, then
$$\chop to 9pt{\hjust{per}(X) = \sum (-1)↑{n-ε↓1- \cdots -ε↓n}\prod ↓{1≤i≤n} \sum
↓{1≤j≤n} ε↓jx↓{ij}}$$
summed over all $2↑n$ choices of $ε↓1$, $\ldotss$,
$ε↓n$ equal to 0 or 1 independently. Count the number of addition
and multiplication operations required to evaluate per$(X)$
by this formula.
\exno 10. [M21] The permanent of an $n \times n$ matrix $X =
(x↓{ij})$ may be calculated as follows: Start with the $n$ quantities
$x↓{11}$, $x↓{12}$, $\ldotss$, $x↓{1n}$. For $1 ≤ k < n$, assume that
the ${n\choose k}$ quantities $A↓{kS}$ have been computed, for
all $k$-element subsets $S$ of $\{1, 2, \ldotss , n\}$, where
$A↓{kS} = \sum x↓{1j↓1}\ldotsm x↓{kj↓k}$ summed
over all $k!$ permutations $j↓1 \ldotsm j↓k$ of the elements
of $S$; then form all of the sums
$$\chop to 9pt{A↓{(k+1)S} = \sum ↓{j\in S} A↓{k(S\rslash\{j\})\,}x↓{(k+1)j}.}$$
We have per$(X) = A↓{n\{1, \ldotss, n\}}$.
How many additions and multiplications does this
method require? How much temporary storage is needed?
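The two permanent computations described in exercises 9 and 10, as an added Python example that is not part of the original text. The function names and the sample matrix are assumptions made here, and rows and columns are indexed from 0 rather than 1.

```python
from itertools import combinations, permutations, product
from math import prod


def permanent_by_definition(x):
    """Reference value: sum over all n! permutations of the columns."""
    n = len(x)
    return sum(prod(x[i][p[i]] for i in range(n))
               for p in permutations(range(n)))


def permanent_ryser(x):
    """Exercise 9: sum over all 2^n choices of eps_1, ..., eps_n in {0, 1}."""
    n = len(x)
    total = 0
    for eps in product((0, 1), repeat=n):
        # Sign is (-1)^(n - eps_1 - ... - eps_n).
        sign = -1 if (n - sum(eps)) % 2 else 1
        # For each row i, add up the entries in the selected columns.
        row_sums = (sum(eps[j] * x[i][j] for j in range(n)) for i in range(n))
        total += sign * prod(row_sums)
    return total


def permanent_by_subsets(x):
    """Exercise 10: build A_{kS} for k = 1, ..., n over k-element subsets S."""
    n = len(x)
    # Level 1: A_{1{j}} = x_{1j} (row 0 in this 0-based indexing).
    level = {frozenset([j]): x[0][j] for j in range(n)}
    for k in range(1, n):
        next_level = {}
        for cols in combinations(range(n), k + 1):
            s = frozenset(cols)
            # A_{(k+1)S} = sum over j in S of A_{k(S \ {j})} * x_{(k+1)j}.
            next_level[s] = sum(level[s - {j}] * x[k][j] for j in s)
        level = next_level  # only the newest level is needed from here on
    return level[frozenset(range(n))]


# Constructed sample input (integer entries keep the comparison exact).
SAMPLE = [[1, 2, 3],
          [4, 5, 6],
          [7, 8, 9]]

if __name__ == "__main__":
    for f in (permanent_by_definition, permanent_ryser, permanent_by_subsets):
        print(f.__name__, f(SAMPLE))
```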
\exno 11. [M50] Is there any way to evaluate the permanent of
a general $n \times n$ matrix using a number of operations that
does not grow exponentially with $n$?
\exno 12. [M50] What is the minimum number of multiplications
required to form the product of two $n \times n$ matrices? What is the smallest
exponent $α$ such that $O(n↑α)$ multiplications are sufficient?
\exno 13. [M23] Find the inverse of the general finite Fourier
transform (37), by expressing $F(t↓1, \ldotss , t↓n)$ in terms
of the values of $f(s↓1, \ldotss , s↓n)$.\xskip [{\sl Hint:} See Eq.\
1.2.9--13.]
\trexno 14. [HM28] ({\sl ``Fast Fourier transforms.''\/})\xskip Show
that the scheme (40) can be used to evaluate the one-dimensional
Fourier transform
$$f(s) = \sum ↓{0≤t<2↑n} F(t)\,\omega ↑{st},\qquad \omega = e↑{2πi/2↑n},\qquad
0 ≤ s < 2↑n,$$
using arithmetic on complex numbers. Estimate the number of arithmetic operations
performed.
\trexno 15. [HM28] The $n$th {\sl divided difference} $f(x↓0, x↓1,
\ldotss , x↓n)$ of a function $f(x)$ at $n + 1$ distinct points
$x↓0$, $x↓1$, $\ldotss$, $x↓n$ is defined by the formula $$f(x↓0, x↓1,
\ldotss , x↓n) = \biglp f(x↓0, x↓1, \ldotss , x↓{n-1})
- f(x↓1, \ldotss , x↓{n-1}, x↓n)\bigrp/(x↓0 - x↓n),$$
for $n > 0$. Thus $f(x↓0, x↓1, \ldotss , x↓n) = \sum ↓{0≤k≤n}
f(x↓k)/\prod↓{0≤j≤n,\,j≠k}(x↓k - x↓j)$ is a symmetric function of
its $n + 1$ arguments.\xskip (a) Prove that $f(x↓0, \ldotss , x↓n)
= f↑{(n)}(\theta )/n!$, for some $\theta$ between $\min(x↓0,
\ldotss , x↓n)$ and $\max(x↓0, \ldotss , x↓n)$, if the $n$th derivative
$f↑{(n)}(x)$ exists and is continuous.\xskip [{\sl Hint:} Prove the identity
$$\twoline{\hskip-10pt f(x↓0, x↓1, \ldotss , x↓n) =}{4pt}{ \int ↑{1}↓{0}\hskip-3pt
dt↓1\int ↑{t↓1}↓{0}\hskip-4pt dt↓2\ldotsm\hskip-2pt
\int ↑{t↓{n-1}}↓{0}\hskip-9pt dt↓nf↑{(n)}\biglp x↓0(1{-}t↓1) + x↓1(t↓1
{-}t↓2) +\cdots + x↓{n-1}(t↓{n-1}{-}t↓n) + x↓n(t↓n
{-}0)\bigrp.\hskip-10pt}$$
This formula also defines $f(x↓0, x↓1, \ldotss
, x↓n)$ in a useful manner when the $x↓j$ are not distinct.]\xskip
(b) If $y↓j = f(x↓j)$, show that $α↓j = f(x↓0, \ldotss , x↓j)$ in
Newton's interpolation polynomial (42).
\exno 16. [M22] How can we readily compute the coefficients
of $u↑{[n]}(x) = u↓nx↑n +\cdots + u↓0$, if we are
given the values of $x↓0$, $x↓1$, $\ldotss$, $x↓{n-1}$, $α↓0$, $α↓1$, $\ldotss$,
$α↓n$ in Newton's interpolation polynomial (42)?
\exno 17. [M46] Is there a way to evaluate the polynomial
$$\chop to 9pt{\sum ↓{1≤i<j≤n} x↓ix↓j = x↓1x↓2 +\cdots + x↓{n-1}x↓n}$$
with fewer than $n - 1$ multiplications and $2n
- 4$ additions?\xskip(There are $n\choose 2$ terms.)
\exno 18. [M20] If the fourth-degree scheme (9) were changed
to
$$y = (x + α↓0)x + α↓1,\qquad u(x) = \biglp(y-x+α↓2)y + α↓3\bigrp α↓4,$$
what formulas for computing the $α↓j$'s in terms
of the $u↓k$'s would take the place of (10)?
\trexno 19. [M24] Explain how to determine the adapted coefficients
$α↓0$, $α↓1$, $\ldotss$, $α↓5$ in (11) from the coefficients $u↓5$,
$\ldotss$, $u↓1$, $u↓0$ of $u(x)$, and find the $α$'s for the particular
polynomial $u(x) = x↑5 + 5x↑4 - 10x↑3 - 50x↑2 + 13x + 60$.
\trexno 20. [21] Write a \MIX\ program that evaluates a fifth-degree
polynomial according to scheme (11); try to make the program
as efficient as possible, by making slight modifications to
(11). Use \MIX's floating-point arithmetic operators.
\exno 21. [20] Find two more ways to evaluate the polynomial
$x↑6 + 13x↑5 + 49x↑4 + 33x↑3 - 61x↑2 - 37x + 3$ by scheme (12),
using the two roots of (15) that were not considered in the
text.
\exno 22. [18] What is the scheme for evaluating $x↑6 - 3x↑5
+ x↑4 - 2x↑3 + x↑2 - 3x - 1$, using Pan's method (16)?
\exno 23. [HM30] (J. Eve.)\xskip Let
$f(z) = a↓nz↑n + a↓{n-1}z↑{n-1} +\cdots + a↓0$ be
a polynomial of degree\penalty999\ $n$ with real coefficients, having at
least $n - 1$ roots with a nonnegative real part. Let
$$\baselineskip14pt
\eqalign{g(z) ⊗= a↓nz↑n + a↓{n-2}z↑{n-2} +\cdots
+ a↓{n\mod2\,}z↑{n\mod2},\cr
h(z) ⊗= a↓{n-1}z↑{n-1} + a↓{n-3}z↑{n-3} +\cdots
+ a↓{(n-1)\mod2\,}z↑{(n-1)\mod2}.\cr}$$
Assume that $h(z)$ is not identically zero.
%folio 632 galley 4 (C) Addison-Wesley 1978 *
\yskip\hang\textindent{a)}Show that $g(z)$ has at least
$n - 2$ imaginary roots (i.e., roots whose real part is zero),
and $h(z)$ has at least $n - 3$ imaginary roots.\xskip[{\sl Hint:}
Consider the number of times the path $f(z)$ circles the
origin as $z$ goes around the path shown in Fig.\ 15, for a sufficiently
large radius $R$.]
\hang\textindent{b)}Prove that the squares of the roots of $g(z)
= 0$ and $h(z) = 0$ are all real.
$$\vjust{\vskip 33mm
\hjust{\caption Fig.\ 15. Proof of Eve's theorem.}}$$
\trexno 24. [M24] Find values of $c$ and $α↓k$, $β↓k$ satisfying
the conditions of Theorem E\null, for the polynomial
$u(x) = (x + 7)(x↑2 + 6x + 10)(x↑2
+ 4x + 5)(x + 1)$. Choose these values so that $β↓2 = 0$. Give
two different solutions to this problem!
\exno 25. [M20] When the construction in the proof of Theorem
M is applied to the (ineffi\-cient) polynomial chain
$$\baselineskip14pt\cpile{λ↓1 = α↓1 + λ↓0,\qquad λ↓2 = -λ↓0 - λ↓0,\qquad
λ↓3 = λ↓1 + λ↓1,\qquad λ↓4 = α↓2 \times λ↓3,\cr
λ↓5 = λ↓0 - λ↓0,\qquad λ↓6 = α↓6 - λ↓5,\qquad λ↓7 =
α↓7 + λ↓6,\qquad λ↓8 = λ↓7 \times λ↓7,\cr
λ↓9=λ↓1\timesλ↓4,\qquad λ↓{10}=α↓8-λ↓9,\qquad λ↓{11}=λ↓3-λ↓{10},\cr}$$
how can $β↓1$, $β↓2$, $\ldotss$, $β↓9$ be expressed in terms
of $α↓1$, $\ldotss$, $α↓8$?
\trexno 26. [M21] (a) Give the polynomial chain corresponding
to Horner's rule for evaluating polynomials of degree $n = 3$.\xskip
(b) Using the construction that appears in the text's proof of Theorem A\null,
express $\kappa ↓1$, $\kappa ↓2$, $\kappa ↓3$, and the result polynomial
$u(x)$ in terms of $β↓1$, $β↓2$, $β↓3$, $β↓4$, and $x$.\xskip (c) Show that
the result set obtained in (b), as $β↓1$, $β↓2$, $β↓3$, and $β↓4$ independently
assume all real values, omits certain vectors in the result
set of (a).
\exno 27. [M22] Let $R$ be a set that includes all $(n + 1)$-tuples
$(q↓n, \ldotss , q↓1, q↓0)$ of real numbers such that $q↓n ≠
0$; prove that $R$ does not have at most $n$ degrees of freedom.
\exno 28. [HM20] Show that if $f↓0(α↓1, \ldotss , α↓s)$, $\ldotss
$, $f↓s(α↓1, \ldotss , α↓s)$ are multivariate polynomials with
integer coefficients, then there is a nonzero polynomial $g(x↓0,
\ldotss , x↓s)$ with integer coefficients such that $g\biglp
f↓0(α↓1, \ldotss , α↓s), \ldotss , f↓s(α↓1,
\ldotss , α↓s)\bigrp = 0$ for all real $α↓1$, $\ldotss
$, $α↓s$.\xskip (Hence any polynomial chain with $s$ parameters has
at most $s$ degrees of freedom.)\xskip[{\sl Hint:} Use the
theorems about ``algebraic dependence'' that are found, for
example, in B. L. van der Waerden's {\sl Modern Algebra}, tr.\
by Fred Blum (New York: Ungar, 1949), Section 64.]
\trexno 29. [M20] Let $R↓1$, $R↓2$, $\ldotss$, $R↓m$ all be sets of
$(n + 1)$-tuples of real numbers having at most $t$ degrees
of freedom. Show that the union $R↓1 ∪ R↓2 ∪ \cdots ∪ R↓m$ also
has at most $t$ degrees of freedom.
\trexno 30. [M28] Prove
that a polynomial chain with $m↓c$ chain multiplications and
$m↓p$ param\-eter multiplications has at most $2m↓c + m↓p + \delta
↓{0m↓c}$ degrees of freedom.\xskip [{\sl Hint:} Generalize
Theorem M\null, showing that the first chain multiplication and each
parameter multiplication can essentially introduce only one
new parameter into the result set.]
\exno 31. [M23] Prove that a polynomial chain capable of computing
all {\sl monic} polynomials of degree $n$ has at least $\lfloor
n/2\rfloor$ multiplications and at least $n$ addition-subtractions.
\exno 32. [M24] Find a polynomial chain of minimum possible
length that can compute all polynomials of the form $u↓4x↑4
+ u↓2x↑2 + u↓0$; and prove that its length is minimal.
\trexno 33. [M25] Let $n ≥ 3$ be odd. Prove that a polynomial
chain with $\lfloor n/2\rfloor + 1$ multiplication steps cannot
compute all polynomials of degree $n$ unless it has at least
$n + 2$ addition-subtraction steps.\xskip[{\sl Hint:} See exercise
30.]
\exno 34. [M26] Let $λ↓0$, $λ↓1$, $\ldotss$, $λ↓r$ be a polynomial
chain in which all addition and subtraction steps are parameter
steps, and in which there is at least one parameter multiplication.
Assume that this scheme has $m$ multiplications and $k = r -
m$ addition-subtractions, and that the polynomial computed by
the chain has maximum degree $n$. Prove that all polynomials
computable by this chain, for which the coefficient of $x↑n$
is not zero, can be computed by another chain that has at most
$m$ multiplications and at most $k$ additions, and no subtractions;
and whose last step is the only parameter multiplication.
\trexno 35. [M25] Show that any polynomial chain that computes
a general fourth-degree polynomial using only three multiplications
must have at least five addition-subtractions.\xskip[{\sl Hint:}
Assume that there are only four addition-subtractions, and
show that exercise 34 applies; this means the scheme must have
a particular form that is incapable of representing all fourth-degree
polynomials.]
\exno 36. [M27] Show that any polynomial chain that computes
a general sixth-degree polynomial using only four multiplications
must have at least seven addition-subtractions. (Cf.\ exercise
35.)
\exno 37. [M21] (T. S. Motzkin.)\xskip Show that ``almost all'' rational
functions of the form
$$(u↓nx↑n + u↓{n-1}x↑{n-1} +\cdots + u↓1x + u↓0)/(x↑n
+ v↓{n-1}x↑{n-1} +\cdots + v↓1x + v↓0),$$
with coefficients in a field $S$, can be evaluated
using the scheme
$$α↓1 + β↓1/\biglp x + α↓2 + β↓2/(x +\cdots+ β↓n/(x
+ α↓{n+1}) \ldotsm)\bigrp,$$
for suitable $α↓j$, $β↓j$ in $S$.\xskip (This continued
fraction scheme has $n$ divisions and $2n$ additions; by ``almost
all'' rational functions we mean all except those whose coefficients
satisfy some nontrivial polynomial equation.)\xskip Determine the
$α$'s and $β$'s for the rational function $(x↑2 + 10x + 29)/(x↑2
+ 8x + 19)$.
\trexno 38. [HM32] (V. J. Pan, 1962.)\xskip The purpose of this exercise
is to prove that Horner's rule is really optimal if no preliminary
adaptation of coefficients is made; we need $n$ multiplications
and $n$ additions to compute $u↓nx↑n +\cdots + u↓1x
+ u↓0$, if the variables $u↓n$, $\ldotss$, $u↓1$, $u↓0$, $x$, and arbitrary
constants are given. Consider chains that are as before except
that $u↓n$, $\ldotss$, $u↓1$, $u↓0$, $x$ are each considered to be variables;
we may say, for example, that $λ↓{-j-1} = u↓j$, $λ↓0 = x$. In
order to show that Horner's rule is best, it is convenient to
prove a somewhat more general theorem: Let $A = (a↓{ij})$, $0
≤ i ≤ m$, $0 ≤ j ≤ n$, be an $(m + 1) \times (n + 1)$ matrix of
real numbers, of rank $n + 1$; and let $B = (b↓0, \ldotss , b↓m)$
be a vector of real numbers. Prove that {\sl any polynomial
chain that computes
$$\chop to 11pt{P(x; u↓0, \ldotss , u↓n) = \sum ↓{0≤i≤m}(a↓{i0}u↓0 +\cdots
+ a↓{in}u↓n + b↓i)x↑i}$$
involves at least $n$ chain multiplications.}\xskip (Note
that this does not mean only that we are considering some fixed
chain in which the parameters $α↓j$ are assigned values depending
on $A$ and $B$; it means that both the chain {\sl and} the values
of the $α$'s may depend on the given matrix $A$ and vector $B$.
No matter how $A$, $B$, and the values of $α↓j$ are chosen, it
is impossible to compute $P(x; u↓0, \ldotss , u↓n)$ without doing
$n$ ``chain-step'' multiplications.)\xskip The assumption that
$A$ has rank $n + 1$ implies that $m ≥ n$.\xskip[{\sl Hint:} Show
that from any such scheme we can derive another that has
fewer chain multiplications and that has $n$ decreased by one.]
%folio 635 galley 5a (C) Addison-Wesley 1978 *
\exno 39. [M29] (T. S.
Motzkin, 1954.)\xskip Show that schemes of the form $w↓1 = x(x + α↓1)
+ β↓1$, $w↓k = w↓{k-1}(w↓1 + \gamma ↓kx + α↓k) + \delta ↓kx +
β↓k$ for $1 < k ≤ m$, where the $α↓k$, $β↓k$ are real and the
$\gamma ↓k$, $\delta ↓k$ are integers, can be used to evaluate all
monic polynomials of degree $2m$ over the real numbers.\xskip (We
may have to choose $α↓k$, $β↓k$, $\gamma ↓k$, and $\delta ↓k$ differently
for different polynomials.)\xskip Try to let $\delta ↓k = 0$ whenever
possible.
\exno 40. [M46] Can the lower bound on the number of multiplications in
Theorem C be raised from $\lfloor n/2\rfloor + 1$ to $\lceil
n/2\rceil + 1$?\xskip (Cf.\ exercise 33.)
\exno 41. [22] Show that the real and imaginary
parts of $(a + bi)(c + di)$ can be obtained by doing 3 multiplications
and 5 additions of real numbers, where two of the additions involve $a$ and $b$
only.
\exno 42. [36] (M. Paterson and L. Stockmeyer.)\xskip
(a) Prove that a polynomial chain with $m ≥ 2$ chain multiplications
has at most $m↑2 + 1$ degrees of freedom.\xskip (b) Show that for
all $n ≥ 2$ there exist polynomials of degree $n$, all of whose
coefficients are 0 or 1, that cannot be evaluated by any polynomial
chain with fewer than $\lfloor\sqrt n\rfloor$ multiplications,
if we require all parameters $α↓j$ to be integers.\xskip (c) Show
that any polynomial of degree $n$ with integer coefficients
can be evaluated by an all-integer algorithm that performs
at most $2\lfloor\sqrt n\rfloor$ multiplications, if we don't
care how many additions we do.
\exno 43. [22] Explain how to evaluate $x↑n +\cdots
+ x + 1$ with $2l(n + 1) - 2$ multiplications and $l(n + 1)$
additions (no divisions or subtractions), where $l(n)$ is the function studied
in Section 4.6.3.
\trexno 44. [HM22] Let $(a↓{ijk})$ be an $m\times n\times s$ tensor, and let $F$,
$G$, $H$ be nonsingular matrices of respective sizes $m\times m$, $n\times n$,
$s\times s$. If
$$\textstyle b↓{ijk}=\sum↓{1≤p≤m}\sum↓{1≤q≤n}\sum↓{1≤r≤s}F↓{ip\,}G↓{jq\,}H↓{kr\,}
a↓{pqr}$$ for all $i$, $j$, $k$, prove that the tensor $(b↓{ijk})$ has the same
rank as $(a↓{ijk})$.\xskip[{\sl Hint:} Consider what happens when the matrices
$F↑{-1}$, $G↑{-1}$, $H↑{-1}$ are applied in the same way to $(b↓{ijk})$.]
\exno 45. [M28] Prove that all pairs $(z↓1,z↓2)$ of bilinear forms in $(x↓1,x↓2)$
and $(y↓1,y↓2)$ can be evaluated with at most three chain multiplications. In other
words, show that every $2\times2\times2$ tensor has rank $≤3$.
\exno 46. [M25] Prove that for all $m$, $n$, and $s$ there exists an $m\times n
\times s$ tensor whose rank is at least $\lceil mns/(m+n+s)\rceil$. Conversely,
show that every $m\times n\times s$ tensor has rank at most $mns/\!\max(m,n,s)$.
\exno 47. [M48] Is it possible to determine the rank of any given tensor $(a↓{ijk})$
over, say, the field of rational numbers, in a finite number of steps?\xskip[There
is a finite way to compute the tensor rank over algebraically closed fields like the
complex numbers, since this is a special case of the results of Alfred Tarski,
{\sl A Decision Method for Elementary Algebra and Geometry},
2nd ed.\ (Berkeley, California: Univ. of California Press, 1951); but the known
algorithms do not make this computation really feasible except for very small
tensors. Over the field of rational numbers,
the problem isn't even known to be solvable in finite time.]
\exno 48. [M49] (V. Strassen, S. Winograd.)\xskip If $(a↓{ijk})$ and $(a↓{ijk}↑
\prime)$ are tensors of sizes $m\times n\times s$ and $m↑\prime\times n↑\prime\times
s↑\prime$, their {\sl direct sum} $(a↓{ijk})\oplus(a↓{ijk}↑\prime)=(a↓{ijk}↑{\prime
\prime})$ is the $(m+m↑\prime)\times(n+n↑\prime)\times(s+s↑\prime)$ tensor defined
by $a↑{\prime\prime}↓{ijk}=a↓{ijk}$ if $i≤m$, $j≤n$, $k≤s$;\xskip$a↑{\prime\prime}↓
{ijk}=a↑\prime↓{i-m,j-n,k-s}$ if $i>m$, $j>n$, $k>s$; and $a↑{\prime\prime}↓{ijk}=0$
otherwise. Prove or disprove that (i) the rank of $(a↑{\prime\prime}↓{ijk})$ is
$t+t↑\prime$, the sum of the ranks of $(a↓{ijk})$ and $(a↑\prime↓{ijk})$; and in
fact (ii) any realization $A↑{\prime\prime}$, $B↑{\prime\prime}$, $C↑{\prime\prime}$
of $(a↑{\prime\prime}↓{ijk})$ as the sum of $t+t↑\prime$ rank-one tensors can be
converted (by permutation of columns) into the form $A↑{\prime\prime}=A\oplus A↑
\prime$, $B↑{\prime\prime}=B\oplus B↑\prime$, $C↑{\prime\prime}=C\oplus C↑\prime$,
where $A$, $B$, $C$ and $A↑\prime$, $B↑\prime$, $C↑\prime$ are realizations of
$(a↓{ijk})$ and $(a↑\prime↓{ijk})$, respectively.
\trexno 49. [HM22] Show that the rank of an $m\times n\times1$ tensor $(a↓{ijk})$
is the same as its rank as an $m\times n$ matrix $(a↓{ij1})$, according to the
traditional definition of matrix rank as the maximum number of linearly
independent rows.
\exno 50. [HM20] (S. Winograd.)\xskip Let $(a↓{ijk})$ be the $mn\times n\times m$
tensor corresponding to multiplication of an $m\times n$ matrix by an $n\times 1$
column vector. Prove that the rank of $(a↓{ijk})$ is $mn$.
\trexno 51. [M24] (S. Winograd.)\xskip Devise an algorithm for cyclic convolution
of degree 2 that uses 2 multiplications and 4 additions, not counting operations
on the $x↓i$. Similarly, devise an algorithm for degree 3, using 4 multiplications
and 11 additions.\xskip$\biglp$Cf.\ (67), which solves the analogous problem for
degree 4.$\bigrp$
\def\dprime{{\prime\prime}}
\exno 52. [M25] (S. Winograd.)\xskip Let $n=n↑\prime n↑\dprime$ where
$\gcd(n↑\prime,n↑\dprime)=1$. Given normal schemes for cyclic convolutions of
degrees $n↑\prime$ and $n↑\dprime$, using respectively $(m↑\prime,m↑\dprime)$
chain multiplications, $(p↑\prime,p↑\dprime)$ parameter multiplications, and
$(a↑\prime,a↑\dprime)$ additions, show how to construct a normal scheme for
cyclic convolution of degree $n$ using $m↑\prime m↑\dprime$ chain multiplications,
$p↑\prime n↑\dprime+m↑\prime p↑\dprime$ parameter multiplications, and
$a↑\prime n↑\dprime+m↑\prime a↑\dprime$ additions.
\exno 53. [HM35] (S. Winograd.)\xskip Let $\omega$ be a complex $m$th root of
unity, and consider the one-dimensional Fourier transform
$$\chop to 9pt{f(s)=\sum↓{1≤t≤m}F(t)\omega↑{st}},\qquad\hjust{for }1≤s≤m.$$
(a) When $m=p↑e$ is a power of an odd prime, show that efficient normal
schemes for computing cyclic convolutions of degrees $(p-1)p↑k$, for $0≤k<e$,
will lead to efficient algorithms for computing the Fourier transform on $m$
complex numbers. Give a similar construction for the case $p=2$.\xskip(b) When
$m=m↑\prime m↑\dprime$ and $\gcd(m↑\prime,m↑\dprime)=1$, show that Fourier
transformation algorithms for $m↑\prime$ and $m↑\dprime$ can be combined to yield
a Fourier transformation algorithm for $m$ elements.
\exno 54. [M21] Theorem W refers to an infinite field. How many elements must a
finite field have in order for the proof of Theorem W to be valid?
\exno 55. [HM22] Determine the rank of tensor (72) when $P$ is an {\sl arbitrary}
$n\times n$ matrix.
\exno 56. [M32] (V. Strassen.)\xskip Show that any polynomial chain that
evaluates a set of {\sl quadratic forms} $\sum↓{1≤i,j≤n}c↓{ijk}x↓ix↓j$ for $1≤k≤s$
must use at least ${1\over2}\hjust{rank}(c↓{ijk}+c↓{jik})$ chain multiplications.
\xskip[{\sl Hint:} Show that the minimum number of chain multiplications is the
minimum rank of $(b↓{ijk})$ taken over all tensors $(b↓{ijk})$ such that
$b↓{ijk}+b↓{jik}=c↓{ijk}+c↓{jik}$ for all $i$, $j$, $k$.]\xskip Use this to
prove that any polynomial chain that evaluates a set of bilinear forms (45)
corresponding to a tensor $(a↓{ijk})$, whether normal or abnormal, must use at
least ${1\over2}\hjust{rank}(a↓{ijk})$ chain multiplications.
\exno 57. [M20] Show that fast Fourier transforms can be used to compute the
coefficients of the product $x(u)y(u)$ of two given polynomials of degree $n$,
using $O(n\log n)$ operations of (exact) addition and multiplication of complex
numbers.\xskip[{\sl Hint:} Consider the product of Fourier transforms of the
coefficients.]
\exno 58. [HM28] (a) Show that any realization $A$, $B$, $C$ of the polynomial
multiplication tensor (53) must
have the following property: Any nonzero linear combination of the three rows of
$A$ must be a vector with at least four nonzero elements; and any nonzero linear
combination of the four rows of $B$ must have at least three nonzero elements.\xskip
(b)\penalty999\
Find a realization $A$, $B$, $C$ of (53) using only $0$, $+1$, and $-1$ as
elements, where $t=8$. Try to use as many 0's as possible.
\exno 59. [M27] (V. J. Pan.)\xskip The problem of $(m\times n)$ times $(n\times s)$
matrix multiplication corresponds to an $mn\times ns\times sm$ tensor $(a↓{\langle
i,i↑\prime\rangle\langle j,j↑\prime\rangle\langle k,k↑\prime\rangle})$ where
$a↓{\langle i,i↑\prime\rangle\langle j,j↑\prime\rangle\langle k,k↑\prime\rangle}
= 1$ if and only if $i↑\prime=j$ and $j↑\prime=k$ and $k↑\prime=i$. The rank
$M(m,n,s)$ of this tensor is the smallest $t$ such that numbers $α↓{ii↑\prime l}$,
$β↓{jj↑\prime l}$, $\gamma↓{kk↑\prime l}$ exist satisfying
$$\chop to 20pt{
\sum↓{{\scriptstyle1≤i≤m\atop\scriptstyle1≤j≤n}\atop\scriptstyle1≤k≤s}x↓{ij\,}
y↓{jk\,}z↓{ki}=
\sum↓{1≤l≤t}\;\bigglp\sum↓{\scriptstyle1≤i≤m\atop\scriptstyle
1≤i↑\prime≤n}α↓{ii↑\prime l\,}x↓{ii↑\prime}\biggrp
\bigglp\sum↓{\scriptstyle1≤j≤n\atop\scriptstyle
1≤j↑\prime≤s}β↓{jj↑\prime l\,}y↓{jj↑\prime}\biggrp
\bigglp\sum↓{\scriptstyle1≤k≤s\atop\scriptstyle
1≤k↑\prime≤m}\gamma↓{kk↑\prime l\,}z↓{kk↑\prime}\biggrp.}$$
The purpose of this exercise is to exploit the symmetry of such a trilinear
representation, obtaining efficient realizations of matrix multiplication over
the integers when $m=n=s=2\nu$. For convenience we divide the indices $\{1,\ldotss,
n\}$ into two subsets $O=\{1,3,\ldotss,n-1\}$ and $E=\{2,4,\ldotss,n\}$ of $\nu$
elements each, and we set up a one-to-one correspondence between $O$ and $E$ by
the rule $\s\iit=i+1$ if $i\in O$;\xskip $\s\iit=i-1$ if $i\in E$. Thus
we have $\s{\s\iit}=i$ for all indices $i$.
\yskip\hang\textindent{a)}The first construction is based on the identity
$$abc+ABC=(a+A)(b+B)(c+C)-{(a+A)bC}-{A(b+B)c}-{aB(c+C)}.$$It follows that
$$\chop to 9pt{\sum↓{1≤i,j,k≤n}x↓{ij\,}y↓{jk\,}z↓{ki}=\sum↓{(i,j,k)\in S}(x↓{ij}+
x↓{\s k\s\iit})(y↓{jk}+y↓{\s\iit\s\jit})(z↓{ki}+z↓{\s\jit\s k})-\Sigma↓1-\Sigma↓2
-\Sigma↓3,}$$
where $S=E{\times}E{\times}E∪E{\times}E{\times}O ∪ E{\times}O{\times}E ∪O{\times}E
{\times}
E$ is the set of all triples of indices containing at most one odd index;
$\Sigma↓1$ is the sum of all terms of the form $(x↓{ij}+x↓{\s k\s\iit})y↓{jk\,}
z↓{\s\jit\s k}$ for $(i,j,k)\in S$; and $\Sigma↓2$, $\Sigma↓3$ similarly are sums
of the terms $x↓{\s k\s\iit}(y↓{jk}+y↓{\s\iit\s\jit})z↓{ki}$,
$x↓{ij\,}y↓{\s\iit\s\jit}(z↓{ki}+z↓{\s\jit\s k})$. Clearly $S$ has $4\nu↑3={1\over2}
n↑3$ terms. Show that each of $\Sigma↓1$, $\Sigma↓2$, $\Sigma↓3$ can be
realized as the sum of $3\nu↑2$ trilinear terms; furthermore, if the $3\nu$
triples of the forms $(i,i,\s\iit)$ and $(i,\s\iit,i)$ and $(\s\iit,i,i)$ are
removed from $S$, we can modify $\Sigma↓1$, $\Sigma↓2$, and $\Sigma↓3$ in such
a way that the identity is still valid, without adding any new trilinear terms.
Thus $M(n,n,n)≤{1\over2}n↑3-{3\over2}n+{9\over4}n↑2$.
\hang\textindent{b)}The second construction is based on the identity
$$\eqalign{abc+ABC+\Ascr
\Bscr\Cscr⊗=(a+A+\Ascr)(b+B+\Bscr)(c+C+\Cscr)\cr
⊗\qquad\null-\biglp a\Bscr(c+C+\Cscr)+Ab(c+
C+\Cscr)+\Ascr B(c+C+\Cscr)\bigrp\cr
⊗\qquad\null-\biglp a(b+B)C+A(B+\Bscr)\Cscr+\Ascr(\Bscr+b)c
\bigrp\cr
⊗\qquad\null-\biglp(a+\Ascr)b\Cscr+(A+a)Bc+(\Ascr+A)\Bscr C\bigrp\cr
⊗\qquad\null-\biglp aB\Cscr+A\Bscr c+\Ascr bC\bigrp.\cr}$$ Show that
$$\chop to 15pt{\sum↓{1≤i,j,k≤n}x↓{ij\,}y↓{jk\,}z↓{ki}=\sum↓{\scriptstyle
(i,j,k)\in S\atop\scriptstyle0≤ε,\zeta,\eta≤1}t(i,j,k;ε,\zeta,\eta)-\Sigma↓1
-\Sigma↓2-\Sigma↓3,}$$
where $t(i,j,k;ε,\zeta,\eta)=\biglp(-1)↑{\zeta+\eta}x↓{i+ε,j+\zeta}+(-1)↑{ε+\zeta}
x↓{j+\eta,k+ε}+(-1)↑{\eta+ε}x↓{k+\zeta,i+\eta}\bigrp\cdot
\biglp(-1)↑{\eta+ε}y↓{j+\zeta,
k+\eta}+(-1)↑{\zeta+\eta}y↓{k+ε,i+\zeta}+(-1)↑{ε+\zeta}y↓{i+\eta,j+ε}\bigrp\cdot
\biglp(-1)↑{ε+\zeta}z↓{k+\eta,i+ε}+(-1)↑{\eta+ε}z↓{i+\zeta,j+\eta}
+(-1)↑{\zeta+\eta}
z↓{j+ε,k+\zeta}\bigrp$ corresponds to the first term on the right-hand side of the
above identity and $\Sigma↓1$, $\Sigma↓2$, $\Sigma↓3$ correspond respectively to
the next three groups of terms; the remaining terms (namely those corresponding
to $aB\Cscr+A\Bscr c+\Ascr bC$) cancel out of the sum. The set $S$ in this
case is different from the $S$ in part (a); it consists of all $(i,j,k)\in
O{\times}O{\times}O$ such that $i≤j$ and $i<k$. It follows from this construction
that $M(n,n,n)≤{8\over3}\biglp({n\over2})↑3-({n\over2})\bigrp+6n↑2$.
\vfill\eject