
Chapter III: The $\mathcal{P}$-scheme algorithm

3.9 Putting it together

We combine the results of the previous sections to obtain the $\mathcal{P}$-scheme algorithm. The pseudocode is given in Algorithm 6 below.

Algorithm 6 PschemeAlgorithm

Input: $f(X) \in \mathbb{F}_p[X]$ and an irreducible lifted polynomial $\tilde f(X) \in \mathbb{Z}[X]$ of $f$

Output: a factorization of $f$

1: call ComputeNumberFields to compute a $(\mathbb{Q}, \tilde f)$-subfield system $\mathcal{F}$ such that (1) $F = \mathbb{Q}[X]/(\tilde f(X)) \in \mathcal{F}$, and (2) for some $H \in \mathcal{P}$ satisfying $L^H \cong F$, all strongly antisymmetric $\mathcal{P}$-schemes are discrete (resp. inhomogeneous) on $H$, where $\mathcal{P}$ is the subgroup system over $G = \mathrm{Gal}(\tilde f/\mathbb{Q})$ associated with $\mathcal{F}$

2: call ComputePscheme on the input $(p, \mathcal{F})$ to obtain $I_K$ for $K \in \mathcal{F}$

3: call ExtractFactors to extract a factorization of $f$ from $I_F$, and output it

The subroutine ComputeNumberFields at Line 1 is the generic part of the algorithm and can be implemented in various ways. It is supposed to compute a $(\mathbb{Q}, \tilde f)$-subfield system $\mathcal{F}$ such that $F \in \mathcal{F}$, and such that the associated subgroup system $\mathcal{P}$ over $G$ satisfies a certain combinatorial property (see Theorem 3.9 below). The latter condition is used to show that the factoring algorithm always produces the complete factorization (resp. a proper factorization) of $f$.

The algorithm ComputePscheme (see Section 3.4) at Line 2 takes the input $(p, \mathcal{F})$ and outputs data that includes the idempotent decompositions $I_K$ for $K \in \mathcal{F}$. Finally, we call the subroutine ExtractFactors (see Section 3.3) at Line 3 to extract a factorization of $f$ from $I_F$.

The following theorem is the main result of this chapter.

Theorem 3.9 (Theorem 3.2 restated). Suppose there exists a deterministic algorithm that, given a polynomial $g(X) \in \mathbb{Z}[X]$ irreducible over $\mathbb{Q}$, constructs a $(\mathbb{Q}, g)$-subfield system $\mathcal{F}$ in time $T(g)$ such that

• $\mathbb{Q}[X]/(g(X))$ is in $\mathcal{F}$, and

• for some $H \in \mathcal{P}$ satisfying $(L(g))^H \cong \mathbb{Q}[X]/(g(X))$, all strongly antisymmetric $\mathcal{P}$-schemes are discrete (resp. inhomogeneous) on $H$, where $\mathcal{P}$ is the subgroup system over $\mathrm{Gal}(g/\mathbb{Q})$ associated with $\mathcal{F}$, and $L(g)$ is the splitting field of $g$ over $\mathbb{Q}$.

Then under GRH, there exists a deterministic algorithm that, given a polynomial $f(X) \in \mathbb{F}_p[X]$ satisfying Condition 3.1 and an irreducible lifted polynomial $\tilde f(X) \in \mathbb{Z}[X]$ of $f$, outputs the complete factorization (resp. a proper factorization) of $f$ over $\mathbb{F}_p$ in time polynomial in $T(\tilde f)$ and the size of the input.

Proof. Consider the algorithm PschemeAlgorithm above and implement the subroutine ComputeNumberFields using the hypothetical algorithm in the theorem.

Choose $g = \tilde f$. By Theorem 3.8, the $\mathcal{P}$-collection $\mathcal{C} = \{C_H : H \in \mathcal{P}\}$ defined by $C_H = P(\bar\tau_H(I_K))$ is a strongly antisymmetric $\mathcal{P}$-scheme. By the second condition in the theorem, we have $C_H = \infty_{H\backslash G}$ (resp. $C_H \neq 0_{H\backslash G}$) for some $H \in \mathcal{P}$ satisfying $L^H \cong F$. So the corresponding idempotent decomposition $I_F$ is complete (resp. proper). By Theorem 3.7, the algorithm outputs the complete factorization (resp. a proper factorization) of $f$ over $\mathbb{F}_p$.

The subroutine ComputeNumberFields runs in time $T(\tilde f)$. In particular, the size of $\mathcal{F}$ is bounded by $T(\tilde f)$. The claim about the running time then follows from Theorem 3.8 and Theorem 3.7.

By Theorem 3.9 and Lemma 3.21, we have a deterministic factoring algorithm whose running time is related to the quantities $d(G)$ and $d'(G)$ introduced in Definition 2.8:

Corollary 3.2. Under GRH, there exists a deterministic algorithm that, given a polynomial $f(X) \in \mathbb{F}_p[X]$ of degree $n \in \mathbb{N}^+$ satisfying Condition 3.1 and an irreducible$^8$ lifted polynomial $\tilde f(X) \in \mathbb{Z}[X]$ of $f$, computes the complete factorization (resp. a proper factorization) of $f$ over $\mathbb{F}_p$ in time polynomial in $n^{d(G)}$ (resp. $n^{d'(G)}$) and the size of the input, where $G$ is the permutation group $\mathrm{Gal}(\tilde f/\mathbb{Q})$ acting on the set of roots of $\tilde f$.

The unifying framework via the $\mathcal{P}$-scheme algorithm. The $\mathcal{P}$-scheme algorithm and the underlying notion of $\mathcal{P}$-schemes provide a unifying framework for deterministic polynomial factoring over finite fields. To illustrate this point, we show that the main results achieved by known factoring algorithms [Hua91a; Hua91b; Rón88; Rón92; Evd94; IKS09] can be easily derived from Theorem 3.9 or Corollary 3.2 for the special case that the input polynomial satisfies Condition 3.1 (the general case is solved in Chapter 5).

Suppose we want to factorize $f(X) \in \mathbb{F}_p[X]$ given a (possibly reducible) lifted polynomial $\tilde f(X) \in \mathbb{Z}[X]$ of $f$. We reduce to the case that the lifted polynomial is irreducible as follows: first use the factoring algorithm for rational polynomials [LLL82] to factorize $\tilde f$ into its irreducible factors $\tilde f_1(X), \dots, \tilde f_k(X) \in \mathbb{Q}[X]$ over $\mathbb{Q}$ in polynomial time. By Gauss's Lemma (see [Lan02, Section IV.2]), we may assume each factor $\tilde f_i(X)$ lies in $\mathbb{Z}[X]$. Then the problem of factoring $f(X)$ is reduced to the problem of factoring each $f_i(X) := \tilde f_i(X) \bmod p \in \mathbb{F}_p[X]$ with the aid of its irreducible lifted polynomial $\tilde f_i(X)$. Moreover, for $i \in [k]$, the Galois group $\mathrm{Gal}(\tilde f_i/\mathbb{Q})$ is a quotient group of $\mathrm{Gal}(\tilde f/\mathbb{Q})$ (the splitting field of $\tilde f_i$ is a subfield of the splitting field of $\tilde f$ that is Galois over $\mathbb{Q}$), and hence $|\mathrm{Gal}(\tilde f_i/\mathbb{Q})| \le |\mathrm{Gal}(\tilde f/\mathbb{Q})|$.

So assume $\tilde f$ is irreducible over $\mathbb{Q}$. Choose $\mathcal{F} = \{F, L\}$, where $F = \mathbb{Q}[X]/(\tilde f(X))$ and $L$ is the splitting field of $\tilde f$ over $\mathbb{Q}$. Compute $\mathcal{F}$ in time polynomial in $[L : \mathbb{Q}] = |\mathrm{Gal}(\tilde f/\mathbb{Q})|$ and the size of $\tilde f$ using Lemma 3.20. By Lemma 2.4, all antisymmetric $\mathcal{P}$-schemes are discrete on $H$ for all $H \in \mathcal{P}$, since the trivial subgroup $\{e\}$ is in $\mathcal{P}$. Therefore by Theorem 3.9 and the reduction above, we have

Theorem 3.10 ([Rón92]). Under GRH, there exists a deterministic algorithm that, given a polynomial $f(X) \in \mathbb{F}_p[X]$ satisfying Condition 3.1 and a lifted polynomial $\tilde f(X) \in \mathbb{Z}[X]$ of $f$, computes the complete factorization of $f$ over $\mathbb{F}_p$ in time polynomial in $|\mathrm{Gal}(\tilde f/\mathbb{Q})|$ and the size of the input.

$^8$ The assumption that $\tilde f$ is irreducible is not necessary, and can be avoided by adapting Lemma 3.21. We omit the details.

When $\mathrm{Gal}(\tilde f/\mathbb{Q})$ is abelian, it acts semiregularly on the set of roots of $\tilde f$. So we have $|\mathrm{Gal}(\tilde f/\mathbb{Q})| \le \deg(f)$ (with equality iff $\tilde f$ is irreducible over $\mathbb{Q}$). Then Theorem 3.10 gives

Corollary 3.3 ([Hua91a; Hua91b]). Under GRH, there exists a deterministic algorithm that, given a polynomial $f(X) \in \mathbb{F}_p[X]$ satisfying Condition 3.1 and a lifted polynomial of $f$ with an abelian Galois group, computes the complete factorization of $f$ over $\mathbb{F}_p$ in polynomial time.

Suppose only the polynomial $f$ is known. Let $n = \deg(f)$. We may lift $f$ to a degree-$n$ polynomial $\tilde f(X) \in \mathbb{Z}[X]$ whose coefficients all lie in the interval $[0, p-1]$. So the size of $\tilde f$ is $O(n \log p)$. Reduce to the case that $\tilde f$ is irreducible over $\mathbb{Q}$ as above. As $\mathrm{Gal}(\tilde f/\mathbb{Q})$ is a subgroup of $\mathrm{Sym}(n)$, we derive the following theorem from Theorem 3.10.

Theorem 3.11 ([Rón88; Rón92]). Under GRH, there exists a deterministic algorithm that, given a polynomial $f(X) \in \mathbb{F}_p[X]$ of degree $n \in \mathbb{N}^+$ that satisfies Condition 3.1, computes the complete factorization of $f$ in time polynomial in $n!$ and $\log p$.

Alternatively, Theorem 3.11 can be derived from Corollary 3.2 by noting $d(G) \le n-1$ (where $G = \mathrm{Gal}(\tilde f/\mathbb{Q})$). Similarly, using the bound $d(G) = O(\log n)$ in Lemma 2.6, we derive the following theorem from Corollary 3.2.

Theorem 3.12 ([Evd94; IKS09]). Under GRH, there exists a deterministic algorithm that, given a polynomial $f(X) \in \mathbb{F}_p[X]$ of degree $n \in \mathbb{N}^+$ satisfying Condition 3.1, computes the complete factorization of $f$ over $\mathbb{F}_p$ in time polynomial in $n^{\log n}$ and $\log p$.

By Corollary 3.2 and Lemma 2.18, we have

Theorem 3.13 ([Rón88; IKS09]). Under GRH, there exists a deterministic algorithm that, given a polynomial $f(X) \in \mathbb{F}_p[X]$ of degree $n > 1$ satisfying Condition 3.1, computes a proper factorization of $f$ over $\mathbb{F}_p$ in time polynomial in $n^{\ell}$ and $\log p$, where $\ell$ is the least prime factor of $n$.

In later chapters, we also prove (and generalize) the main result of [Evd92] using the $\mathcal{P}$-scheme algorithm. It states that polynomial factoring over finite fields can be solved in deterministic polynomial time under GRH given a lifted polynomial that has a solvable Galois group. For more details, see Theorem 4.3 and Theorem 5.13.

Chapter 4

CONSTRUCTING NUMBER FIELDS

In this chapter, we discuss the problem of constructing number fields using a polynomial $g(X) \in \mathbb{Q}[X]$ irreducible over $\mathbb{Q}$. In particular, we prove Lemma 3.20 and Lemma 3.21 as promised before.

In fact, we consider the more general problem of constructing relative number fields, which we explain now.

Relative number fields. Recall that a number field $K$ is encoded using the minimal polynomial $h(X) \in \mathbb{Q}[X]$ of a primitive element $\alpha$ of $K$ over $\mathbb{Q}$, i.e., $K = \mathbb{Q}(\alpha)$. Suppose $K_0$ is a number field encoded in this way. A relative number field $K$ over $K_0$ is a number field containing $K_0$, encoded by the minimal polynomial $h(X) \in K_0[X]$ of a primitive element $\alpha$ of $K$ over $K_0$ (i.e., $K = K_0(\alpha)$). We regard $K$ as a $K_0$-algebra by maintaining its structure constants in the standard $K_0$-basis
$$\{1 + (h(X)),\ X + (h(X)),\ \dots,\ X^{d-1} + (h(X))\},$$
where $d = [K : K_0]$. Note that when $K_0 = \mathbb{Q}$, this is the usual way we encode a number field.

Given a number field $K_0$, we discuss various techniques of constructing relative number fields over $K_0$ given a polynomial $g(X) \in K_0[X]$ irreducible over $K_0$. In particular, we discuss the technique of adjoining roots of polynomials and use it to prove Lemma 3.20 and Lemma 3.21.

Motivated by the $\mathcal{P}$-scheme algorithm in Chapter 3, we consider the problem of constructing a collection of (relative) number fields using $g(X)$, such that for the associated subgroup system $\mathcal{P}$, all strongly antisymmetric $\mathcal{P}$-schemes are discrete (resp. inhomogeneous) on a distinguished subgroup $H \in \mathcal{P}$. We describe a reduction of this problem to the case that the Galois group of $g(X)$ is a primitive permutation group. The idea was essentially introduced in [LM85], leading to a polynomial-time algorithm that determines if a given rational polynomial is solvable.$^1$ It was also used in [Evd92] to obtain a polynomial-time factoring algorithm for $f(X) \in \mathbb{F}_p[X]$, provided that a solvable polynomial $\tilde f(X) \in \mathbb{Z}[X]$ lifting $f(X)$ is given. We reproduce the main result of [Evd92] for the case that $f$ satisfies Condition 3.1. For the general case, see Chapter 5.

$^1$ A rational polynomial $g(X) \in \mathbb{Q}[X]$ is solvable if its roots are expressible in terms of the field operations and radicals. This is equivalent to the solvability of the Galois group $\mathrm{Gal}(g/\mathbb{Q})$.

We note that most results in this chapter are essentially known in the literature, except that we state them in a relative setting or in the terminology of $\mathcal{P}$-schemes. In particular, the discussion about algebraic numbers in Section 4.1 follows [WR76], and the techniques of constructing number fields are mostly folklore or from [Lan84; LM85; Evd92].

Outline of the chapter. Notations and preliminaries are given in Section 4.1. In particular, we define the complexity of a subgroup system, which is used to bound the size of a collection of (relative) number fields and the running time of the algorithms. This notion also plays a role in subsequent chapters. In Section 4.2, we discuss the technique of constructing (relative) number fields by adjoining roots of a polynomial, and use it to prove Lemma 3.20 and Lemma 3.21. In Section 4.3, we establish the reduction to primitive Galois groups and use it to prove the main result of [Evd92] for the special case that $f(X) \in \mathbb{F}_p[X]$ satisfies Condition 3.1. Finally, we discuss some other techniques in Section 4.4. These techniques are not directly used in the thesis, but may still be of independent interest.

4.1 Preliminaries

Let $K$ and $K'$ be relative number fields over a number field $K_0$. We say an embedding (resp. isomorphism) $\tau : K \to K'$ is an embedding (resp. isomorphism) over $K_0$ if $\tau$ is $K_0$-linear, i.e., $\tau(ax) = a\tau(x)$ for all $a \in K_0$ and $x \in K$. By choosing $x = 1$, we see that this is equivalent to $\tau(a) = a$ for all $a \in K_0$. We write $K \cong_{K_0} K'$ for the statement that $K$ is isomorphic to $K'$ over $K_0$.

$(K_0, g)$-subfield systems and the associated subgroup systems. We generalize the notion of $(\mathbb{Q}, g)$-subfield systems (Definition 3.3) and the associated subgroup systems (Definition 3.4) as follows:

Definition 4.1 ($(K_0, g)$-subfield system). Let $K_0$ be a number field. Let $g(X)$ be a polynomial in $K_0[X]$ with splitting field $L$ over $K_0$. Let $\mathcal{F}$ be a collection of relative number fields over $K_0$ such that (1) the fields in $\mathcal{F}$ are mutually non-isomorphic over $K_0$, and (2) each field $K' \in \mathcal{F}$ is isomorphic over $K_0$ to a subfield of $L$. We say $\mathcal{F}$ is a $(K_0, g)$-subfield system.

Definition 4.2. Let $g(X)$ be a polynomial in $K_0[X]$ with splitting field $L$ over $K_0$. Let $\mathcal{F}$ be a $(K_0, g)$-subfield system. Define $\mathcal{P}^\sharp$ to be the poset of subfields of $L$ that includes all the fields isomorphic over $K_0$ to those in $\mathcal{F}$:
$$\mathcal{P}^\sharp := \{K' \subseteq L : K' \cong_{K_0} K \text{ for some } K \in \mathcal{F}\}.$$
By Galois theory, it corresponds to a poset $\mathcal{P}$ of subgroups of $\mathrm{Gal}(g/K_0)$, given by
$$\mathcal{P} := \{H \subseteq \mathrm{Gal}(g/K_0) : L^H \in \mathcal{P}^\sharp\},$$
which is closed under conjugation in $\mathrm{Gal}(g/K_0)$, and hence is a subgroup system over $\mathrm{Gal}(g/K_0)$. We say $\mathcal{P}$ and $\mathcal{P}^\sharp$ are associated with $\mathcal{F}$.

The complexity of a subgroup system. The size of a $(K_0, g)$-subfield system $\mathcal{F}$ is primarily controlled by the total degree of the fields in $\mathcal{F}$ over $K_0$, which is the number of coefficients in $K_0$ we need to maintain. We relate this quantity to the complexity of a subgroup system, defined as follows.

Definition 4.3 (complexity of a subgroup system). Suppose $\mathcal{P}$ is a subgroup system over a finite group $G$. Then $G$ acts on $\mathcal{P}$ by conjugation, i.e., $g \in G$ sends $H \in \mathcal{P}$ to $gHg^{-1} \in \mathcal{P}$. Let $\mathcal{P}' \subseteq \mathcal{P}$ be a complete set of representatives of the $G$-orbits under this action. Define the complexity of $\mathcal{P}$ to be
$$c(\mathcal{P}) := \sum_{H \in \mathcal{P}'} [G : H].$$
As conjugate subgroups have the same order, the complexity $c(\mathcal{P})$ is well defined. And we have

Lemma 4.1. For a $(K_0, g)$-subfield system $\mathcal{F}$, the total degree of the fields in $\mathcal{F}$ over $K_0$ equals $c(\mathcal{P})$, where $\mathcal{P}$ is the subgroup system associated with $\mathcal{F}$.

Proof. Conjugate subgroups correspond to conjugate subfields under the Galois correspondence. So for $K \in \mathcal{F}$ there exists a unique subgroup $H \in \mathcal{P}'$ satisfying $L^H \cong_{K_0} K$. And the map $K \mapsto H$ is a one-to-one correspondence between $\mathcal{F}$ and $\mathcal{P}'$. Finally note that $[K : K_0] = [G : H]$ for $H$ corresponding to $K$.

The following lemma bounds the complexity of a system of stabilizers.

Lemma 4.2. Let $G$ be a finite group acting on a finite set $S$. Let $m \in \mathbb{N}^+$ and $m' = \min\{|S|, m\}$. Let $\mathcal{P}$ be the system of stabilizers of depth $m'$ with respect to the action of $G$ on $S$. Then
$$c(\mathcal{P}) \le \sum_{k=1}^{m'} \prod_{i=0}^{k-1} (|S| - i) = O\big(|S|^{m'}\big).$$

Proof. Replacing $m$ with $m'$ does not change $\mathcal{P}$. So we may assume $m = m' \le |S|$. When $|S| \ge 2$, we have
$$\sum_{k=1}^{m} \prod_{i=0}^{k-1} (|S| - i) \le \sum_{k=1}^{m} |S|^k = O(|S|^m).$$
The same holds trivially when $|S| = 1$. Next we prove $c(\mathcal{P}) \le \sum_{k=1}^{m} \prod_{i=0}^{k-1} (|S| - i)$. Let $\mathcal{P}' \subseteq \mathcal{P}$ be as in Definition 4.3. It suffices to find an injective map
$$\tau : \coprod_{H \in \mathcal{P}'} H\backslash G \hookrightarrow \coprod_{k=1}^{m} S^{(k)},$$
since the cardinality of $\coprod_{H \in \mathcal{P}'} H\backslash G$ is $c(\mathcal{P})$, whereas the cardinality of $\coprod_{k=1}^{m} S^{(k)}$ is $\sum_{k=1}^{m} \prod_{i=0}^{k-1} (|S| - i)$, the number of $k$-tuples of distinct elements of $S$ summed over $k$.

For each $k \in [m]$, the group $G$ acts diagonally on $S^{(k)}$. For each $H \in \mathcal{P}'$, we pick $k = k(H) \le m$ and $x = x(H) \in S^{(k)}$ such that $H = G_x$ with respect to the diagonal action. By Lemma 2.1, we have an injective map $H\backslash G \to S^{(k)}$ whose image is the $G$-orbit of $x$. These maps altogether give the map $\tau$. To show $\tau$ is injective, it suffices to show that for different $H, H' \in \mathcal{P}'$, the coset spaces $H\backslash G$ and $H'\backslash G$ are mapped to different $G$-orbits. Assume to the contrary that they are mapped to the same $G$-orbit $O$. So $x(H), x(H') \in O$. Then $k(H) = k(H')$ and $x(H') = g(x(H))$ for some $g \in G$. But then we have
$$H' = G_{x(H')} = G_{g(x(H))} = g\, G_{x(H)}\, g^{-1} = gHg^{-1},$$
which contradicts the choice of $\mathcal{P}'$. So $\tau$ is injective.
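As an added example (not part of the thesis), the following Python computes $c(\mathcal{P})$ of Definition 4.3 by brute force for the system of stabilizers of depth $m$ of a small permutation group and compares it with the bound of Lemma 4.2. The groups (a 4-cycle, the dihedral group of the square, and $\mathrm{Sym}(4)$, all acting on $S = \{0,1,2,3\}$) and the depth $m = 2$ are constructed for illustration; as in the proof above, the system of stabilizers is taken to be the set of pointwise stabilizers $G_x$ of tuples $x \in S^{(k)}$ with $1 \le k \le m'$, and conjugacy classes are found by conjugating with every group element.

```python
from itertools import permutations

# Added example (not from the thesis): compute the complexity c(P) of
# Definition 4.3 for the system of stabilizers of depth m of a permutation
# group G on S = {0, ..., n-1}, and compare it with the bound of Lemma 4.2.
# A permutation is a tuple p with p[i] = image of i; a group is generated
# from its generators by closure.  All groups below are constructed examples.

def compose(p, q):
    """(p o q)(i) = p(q(i))."""
    return tuple(p[q[i]] for i in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)

def generate_group(generators, n):
    """Closure of the generators under composition (finite, so this terminates)."""
    identity = tuple(range(n))
    group, frontier = {identity}, [identity]
    while frontier:
        p = frontier.pop()
        for g in generators:
            q = compose(g, p)
            if q not in group:
                group.add(q)
                frontier.append(q)
    return frozenset(group)

def distinct_tuples(n, k):
    """S^(k): the k-tuples of distinct elements of S = {0, ..., n-1}."""
    return list(permutations(range(n), k))

def stabilizer(group, x):
    """Pointwise stabilizer G_x of the tuple x under the diagonal action."""
    return frozenset(g for g in group if all(g[i] == i for i in x))

def system_of_stabilizers(group, n, m):
    """P = {G_x : x in S^(k), 1 <= k <= m'} with m' = min(n, m), as a set of subgroups."""
    m_prime = min(n, m)
    return {stabilizer(group, x)
            for k in range(1, m_prime + 1) for x in distinct_tuples(n, k)}

def conjugate(g, subgroup):
    """g H g^{-1}."""
    g_inv = inverse(g)
    return frozenset(compose(compose(g, h), g_inv) for h in subgroup)

def complexity(group, subgroup_system):
    """c(P) = sum of [G : H] over one representative H per conjugacy class (Definition 4.3)."""
    remaining = set(subgroup_system)
    total = 0
    while remaining:
        h = remaining.pop()                       # representative of a new G-orbit
        remaining -= {conjugate(g, h) for g in group}   # drop its conjugates
        total += len(group) // len(h)             # [G : H]
    return total

def lemma_4_2_bound(n, m):
    """sum_{k=1}^{m'} prod_{i=0}^{k-1} (n - i), the right-hand side of Lemma 4.2."""
    total = 0
    for k in range(1, min(n, m) + 1):
        term = 1
        for i in range(k):
            term *= n - i
        total += term
    return total

def complexity_of_stabilizer_system(generators, n, m):
    group = generate_group(generators, n)
    return complexity(group, system_of_stabilizers(group, n, m))

if __name__ == "__main__":
    n, m = 4, 2
    rot = (1, 2, 3, 0)      # 4-cycle on the vertices of a square
    flip = (0, 3, 2, 1)     # reflection fixing vertices 0 and 2
    swap = (1, 0, 2, 3)     # transposition; together with rot it generates Sym(4)
    for name, gens in [("C4", [rot]), ("D4", [rot, flip]), ("Sym(4)", [rot, swap])]:
        print(name, "c(P) =", complexity_of_stabilizer_system(gens, n, m),
              "<= bound", lemma_4_2_bound(n, m))
```

For $\mathrm{Sym}(4)$ the bound $4 + 12 = 16$ is attained, because every $S^{(k)}$ is a single $G$-orbit and the injection $\tau$ of the proof is a bijection; for the cyclic group every stabilizer is trivial, so $\mathcal{P} = \{\{e\}\}$ and $c(\mathcal{P}) = |G| = 4$; for the dihedral group the two point stabilizers are conjugate and coincide with the stabilizers of the diagonals, giving $c(\mathcal{P}) = 4 + 8 = 12$.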

Algebraic numbers. The fields in a $(K_0, g)$-subfield system $\mathcal{F}$ are encoded by polynomials in $K_0[X]$. So to bound the size of $\mathcal{F}$, we also need to bound the size of the coefficients of these polynomials, which are algebraic numbers in $K_0$. This is closely related to the following definition, introduced in [WR76].

Definition 4.4. For an algebraic number $\alpha$, define $\|\alpha\|$ to be the greatest absolute value of $\iota(\alpha) \in \mathbb{C}$, where $\iota$ ranges over the embeddings of $\mathbb{Q}(\alpha)$ in $\mathbb{C}$.$^2$

For algebraic numbers $\alpha, \beta$, we clearly have $\|\alpha + \beta\| \le \|\alpha\| + \|\beta\|$ and $\|\alpha \cdot \beta\| \le \|\alpha\| \cdot \|\beta\|$.

The following lemma relates the size of an algebraic number $\alpha \in K_0$ (i.e., the number of bits used to encode $\alpha$ in $K_0$) to $\|\alpha\|$.

Lemma 4.3. Suppose $K_0$ is a number field encoded by a polynomial $h(X) \in \mathbb{Q}[X]$ irreducible over $\mathbb{Q}$ of degree $n$ and size $s_0$. Let $\alpha$ be an algebraic number in $K_0$ of size $s$. Let $D$ be the smallest positive integer such that $D\alpha$ is an algebraic integer. Then $s$ is polynomial in $\log\|\alpha\|$, $\log D$ and $s_0$. Conversely, $\log\|\alpha\|$ and $\log D$ are polynomial in $s$ and $s_0$.

Proof. Suppose $h(X) = \sum_{i=0}^{n} c_i X^i$, where $n = \deg(h)$ and $c_i \in \mathbb{Q}$ for all $i$. By substituting $X$ with $X/k$ for some large enough $k \in \mathbb{N}^+$ and clearing the denominators, we may assume $h(X) \in \mathbb{Z}[X]$ and $c_n = 1$. Both the encoding of $h$ and that of $\alpha$ use at least $n$ coefficients in $\mathbb{Q}$. So we have $s, s_0 \ge n$.

The algebraic number $\alpha \in K_0$ is encoded by the constants $d_0, \dots, d_{n-1} \in \mathbb{Q}$ satisfying
$$\alpha = \sum_{i=0}^{n-1} d_i \beta^i, \qquad (4.1)$$
where $\beta$ is a root of $h$ in $K_0$. So we have $\|\alpha\| \le \sum_{i=0}^{n-1} |d_i| \,\|\beta\|^i$. It was shown in [WR76] that $\|\beta\| \le \sum_{i=0}^{n-1} |c_i|$. And we clearly have $\log|c_i| \le s_0$ and $\log|d_i| \le s$ for $0 \le i \le n-1$. It follows that $\log\|\alpha\|$ is polynomial in $s$ and $s_0$.

Let $D' \in \mathbb{N}^+$ be the least common multiple of the denominators of the $d_i$. As $h(X) \in \mathbb{Z}[X]$ and $c_n = 1$, we know $\beta$ is an algebraic integer. Then $D'\alpha$ is also an algebraic integer by (4.1). So $D$ is bounded by $D'$. It follows that $\log D$ is polynomial in $s$ and $s_0$. This proves the second claim of the lemma.

For the first claim, it suffices to show that the size of each $d_i$ is polynomial in $\log\|\alpha\|$, $\log D$ and $s_0$. This follows from [WR76, Section 7 and Lemma 8.3].

The following lemma relates the size of the minimal polynomial of an algebraic number $\alpha$ over a number field $K_0$ to $\|\alpha\|$.

$^2$ $\|\alpha\|$ is called the size of $\alpha$ in [WR76]. We reserve the term size (of an object) for the number of bits used to encode the object in an algorithm.

Lemma 4.4. Suppose $K_0$ is a number field encoded by a rational polynomial irreducible over $\mathbb{Q}$ of size $s_0$ (let $s_0 = 1$ if $K_0 = \mathbb{Q}$). Let $\alpha$ be an algebraic number, and let $D$ be the smallest positive integer such that $D\alpha$ is an algebraic integer. Let $h(X) \in K_0[X]$ be the minimal polynomial of $\alpha$ over $K_0$, whose size is $s$ and degree is $n$. Then $s$ is polynomial in $\log\|\alpha\|$, $\log D$, $s_0$ and $n$. Conversely, $\log\|\alpha\|$ and $\log D$ are polynomial in $s$ and $s_0$.

Proof. We clearly have $n \le s$. Suppose $h(X) = \sum_{i=0}^{n} c_i X^i$, where $c_i \in K_0$ and $c_n = 1$. It was shown in [WR76] that $\|\alpha\| \le \sum_{i=0}^{n-1} \|c_i\|$. It follows from Lemma 4.3 that $\log\|\alpha\|$ is polynomial in $s$ and $s_0$.

Note that for some $k \in \mathbb{N}^+$ with $\log k$ polynomial in $s$ and $s_0$ (clearing the denominators of the $c_i$ suffices), the coefficients of the polynomial $k^n h(X/k)$ are all algebraic integers. As $k\alpha$ is a root of this monic polynomial, it is an algebraic integer (cf. [AM69, Corollary 5.4]). So $D$ is bounded by $k$, and hence $\log D$ is polynomial in $s$ and $s_0$. This proves the second claim of the lemma.

For the first claim, we may assume $\alpha$ is an algebraic integer by replacing $\alpha$ with $D\alpha$ and $c_i$ with $D^{n-i} c_i$. Then any conjugate $\alpha'$ of $\alpha$ over $\mathbb{Q}$ is also an algebraic integer, and $\|\alpha'\| = \|\alpha\|$. For $0 \le i \le n-1$, the coefficient $c_i$ of $h$ is (up to sign) the $(n-i)$-th elementary symmetric polynomial in a subset of the conjugates of $\alpha$ over $\mathbb{Q}$. It follows from Lemma 4.3 that the size of each $c_i$ is polynomial in $\log\|\alpha\|$, $\log D$, $s_0$ and $n$. So $s$ is polynomial in $\log\|\alpha\|$, $\log D$, $s_0$ and $n$ as well.

Finding a primitive element over $\mathbb{Q}$. Suppose $K_0 = \mathbb{Q}(\alpha)$ is a number field encoded by the minimal polynomial of a primitive element $\alpha$ over $\mathbb{Q}$, and $K = K_0(\beta)$ is a relative number field over $K_0$, encoded by the minimal polynomial of a primitive element $\beta$ over $K_0$. We would like to represent $K$ directly in the form $\mathbb{Q}(\gamma)$, encoded by the minimal polynomial of a primitive element $\gamma$ over $\mathbb{Q}$. The first step is to find such an element $\gamma$, which can be achieved using a constructive version of the primitive element theorem (see, e.g., [Wae91]). For completeness, we give the details as follows.

Lemma 4.5. Suppose $K_0$ is a number field and $\alpha, \beta$ are algebraic numbers. Let $d = [K_0(\alpha, \beta) : K_0]$. Then $k\alpha + \beta$ is a primitive element of $K_0(\alpha, \beta)$ over $K_0$ for some integer $k \in [1, d+1]$.

Proof. Consider a "bad" nonzero integer $k$ for which $K_0(k\alpha + \beta)$ is a proper subfield of $K_0(\alpha, \beta)$. Let $L$ be the Galois closure of $K_0(\alpha, \beta)/K_0$. Then by the fundamental theorem of Galois theory, there exists an automorphism $\phi$ of $L$ fixing $K_0(k\alpha + \beta)$ but not $K_0(\alpha, \beta)$. Then either $\phi(\alpha) \neq \alpha$ or $\phi(\beta) \neq \beta$. As $\phi$ fixes $k\alpha + \beta$, we have $k\phi(\alpha) + \phi(\beta) = \phi(k\alpha + \beta) = k\alpha + \beta$, from which we see that actually $\phi(\alpha) \neq \alpha$ and $\phi(\beta) \neq \beta$ both hold. Then $k$ is determined by $\phi(\alpha)$ and $\phi(\beta)$ via $k = (\phi(\beta) - \beta)/(\alpha - \phi(\alpha))$. So the number of bad choices of $k$ is bounded by the number of pairs $(\phi(\alpha), \phi(\beta))$ where $\phi$ ranges over the automorphisms of $L$ fixing $K_0$. The latter is the cardinality of the orbit of $(\alpha, \beta)$ under the action of $\mathrm{Gal}(L/K_0)$. By the orbit-stabilizer theorem, it equals
$$[\mathrm{Gal}(L/K_0) : \mathrm{Gal}(L/K_0(\alpha, \beta))] = [K_0(\alpha, \beta) : K_0] = d.$$
So there are at most $d$ bad choices of $k$. The lemma follows since $[1, d+1]$ contains more than $d$ integers.

This gives an efficient algorithm for finding a primitive element over $\mathbb{Q}$:

Lemma 4.6. There exists a polynomial-time algorithm that, given a number field $K_0$ and a relative number field $K$ over $K_0$, finds a primitive element $\gamma$ of $K$ over $\mathbb{Q}$ and its minimal polynomial $h(X) \in \mathbb{Q}[X]$ over $\mathbb{Q}$.

Proof. Suppose $K_0$ is encoded by a polynomial $g(X) \in \mathbb{Q}[X]$ irreducible over $\mathbb{Q}$, and $K$ is encoded by a polynomial $g'(X) \in K_0[X]$ irreducible over $K_0$. Then we are explicitly given a root $\alpha$ of $g(X)$ and a root $\beta$ of $g'(X)$ in $K$, and $K = \mathbb{Q}(\alpha, \beta)$. Enumerate the integers $k \in [1, d+1]$, where $d = [K : \mathbb{Q}]$. For each $k$, we compute $\gamma = k\alpha + \beta \in K$, and then compute its minimal polynomial $h(X) \in \mathbb{Q}[X]$ over $\mathbb{Q}$ by solving linear equations over $\mathbb{Q}$. This step runs in polynomial time by Lemma 4.4.

Output $\gamma$ and $h$ whenever $\deg(h) = [K : \mathbb{Q}]$. By Lemma 4.5, a primitive element $\gamma$ is guaranteed to be found.
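As an added example (not the thesis's own code), here are Lemma 4.5 and the search of Lemma 4.6 carried out in Python for the constructed field $K = \mathbb{Q}(\sqrt2, \sqrt3)$ with $K_0 = \mathbb{Q}$. Elements are coordinate vectors over the $\mathbb{Q}$-basis $\{1, \sqrt2, \sqrt3, \sqrt6\}$ with exact rational arithmetic; the minimal polynomial of a candidate $\gamma$ is found by solving linear equations over $\mathbb{Q}$ as in the proof of Lemma 4.6, and $k$ runs over $[1, d+1]$ until $k\alpha + \beta$ has degree $d = [\mathbb{Q}(\alpha, \beta) : \mathbb{Q}]$. The multiplication table and the test pairs $(\alpha, \beta)$ are assumptions of the example.

```python
from fractions import Fraction

# Added example (not from the thesis): Lemma 4.5 / Lemma 4.6 over the constructed
# field K = Q(sqrt2, sqrt3), K_0 = Q.  Elements are coordinate tuples over the
# Q-basis {1, sqrt2, sqrt3, sqrt6}; all arithmetic is exact (Fraction).

DIM = 4
# (i, j) -> (c, idx) meaning basis_i * basis_j = c * basis_idx, stored for i <= j
_MUL_TABLE = {
    (0, 0): (1, 0), (0, 1): (1, 1), (0, 2): (1, 2), (0, 3): (1, 3),
    (1, 1): (2, 0), (1, 2): (1, 3), (1, 3): (2, 2),   # sqrt2*sqrt6 = 2*sqrt3
    (2, 2): (3, 0), (2, 3): (3, 1),                   # sqrt3*sqrt6 = 3*sqrt2
    (3, 3): (6, 0),
}

def vec(*coords):
    return tuple(Fraction(c) for c in coords)

ONE, SQRT2, SQRT3 = vec(1, 0, 0, 0), vec(0, 1, 0, 0), vec(0, 0, 1, 0)

def add(a, b):
    return tuple(x + y for x, y in zip(a, b))

def scale(k, a):
    return tuple(Fraction(k) * x for x in a)

def mul(a, b):
    out = [Fraction(0)] * DIM
    for i in range(DIM):
        for j in range(DIM):
            c, idx = _MUL_TABLE[(min(i, j), max(i, j))]
            out[idx] += a[i] * b[j] * c
    return tuple(out)

def _rref(rows):
    """Reduced row echelon form over Q; returns (rows, pivot columns)."""
    rows = [list(r) for r in rows]
    pivots, r = [], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        pv = rows[r][c]
        rows[r] = [x / pv for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == len(rows):
            break
    return rows, pivots

def rank(vectors):
    return len(_rref(vectors)[1])

def minpoly(gamma):
    """Monic minimal polynomial of gamma over Q as [c_0, ..., c_n] (c_n = 1),
    obtained by solving linear equations over Q as in the proof of Lemma 4.6."""
    powers = [ONE]
    while True:
        powers.append(mul(powers[-1], gamma))
        n = len(powers) - 1
        if rank(powers) == n:   # gamma^n is the first power dependent on 1, ..., gamma^(n-1)
            break
    # Solve sum_{i<n} c_i gamma^i = gamma^n coordinatewise: DIM equations, n unknowns.
    aug = [[powers[i][r] for i in range(n)] + [powers[n][r]] for r in range(DIM)]
    red, pivots = _rref(aug)
    coeffs = [Fraction(0)] * n
    for row, col in enumerate(pivots):
        coeffs[col] = red[row][n]
    return [-c for c in coeffs] + [Fraction(1)]

def degree_over_q(gamma):
    return len(minpoly(gamma)) - 1

def field_degree(alpha, beta):
    """d = [Q(alpha, beta) : Q]: dimension of the Q-span of the products alpha^i beta^j."""
    span, a_pow = [], ONE
    for _ in range(DIM):
        b_pow = ONE
        for _ in range(DIM):
            span.append(mul(a_pow, b_pow))
            b_pow = mul(b_pow, beta)
        a_pow = mul(a_pow, alpha)
    return rank(span)

def find_primitive_element(alpha, beta):
    """Lemma 4.5: try k = 1, ..., d+1 until k*alpha + beta generates Q(alpha, beta).
    Returns (k, gamma, list of the bad k tried before it)."""
    d = field_degree(alpha, beta)
    bad = []
    for k in range(1, d + 2):
        gamma = add(scale(k, alpha), beta)
        if degree_over_q(gamma) == d:
            return k, gamma, bad
        bad.append(k)
    raise AssertionError("Lemma 4.5 guarantees a good k in [1, d+1]")

if __name__ == "__main__":
    for alpha, beta in [(SQRT2, SQRT3), (SQRT2, scale(-1, SQRT2))]:
        k, gamma, bad = find_primitive_element(alpha, beta)
        print("k =", k, "bad k tried:", bad,
              "minimal polynomial:", [str(c) for c in minpoly(gamma)])
```

For $\alpha = \sqrt2$, $\beta = \sqrt3$ the first candidate $k = 1$ already works and the minimal polynomial of $\sqrt2 + \sqrt3$ comes out as $X^4 - 10X^2 + 1$. For $\alpha = \sqrt2$, $\beta = -\sqrt2$ we have $d = 2$, and $k = 1$ is "bad" in the sense of the proof of Lemma 4.5 (it gives $\gamma = 0$), so the search moves on to $k = 2$, which yields $\gamma = \sqrt2$ with minimal polynomial $X^2 - 2$.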

By computing a primitive element over $\mathbb{Q}$, we can efficiently turn a relative number field into an ordinary number field:

Corollary 4.1. There exists a polynomial-time algorithm that, given a number field $K_0$ and a relative number field $K$ over $K_0$, computes an ordinary number field $K'$, a $\mathbb{Q}$-basis $B$ of $K$, and an isomorphism $\phi : K \to K'$ encoded by $\phi(x) \in K'$ for $x \in B$.

Proof. Find a primitive element $\gamma$ of $K$ over $\mathbb{Q}$ and its minimal polynomial $h(X) \in \mathbb{Q}[X]$ over $\mathbb{Q}$ using Lemma 4.6. Compute $K' := \mathbb{Q}[X]/(h(X))$ and $B = \{1, \gamma, \gamma^2, \dots, \gamma^{d-1}\}$, where $d = [K : \mathbb{Q}]$. Then compute the isomorphism $\phi : K \to K'$, which sends $\gamma^i$ to $X^i + (h(X))$ for $i = 0, 1, \dots, d-1$.

As an application, we generalize Lemma 3.10 to obtain an efficient algorithm that computes embeddings of relative number fields over a given number field.

Lemma 4.7. There exists a polynomial-time algorithm ComputeRelEmbeddings that, given a number field $K_0$ and relative number fields $K$ and $K'$ over $K_0$, computes all the embeddings of $K$ in $K'$ over $K_0$.

Proof. Identify $K$ and $K'$ with ordinary number fields using Corollary 4.1. Run the algorithm ComputeEmbeddings in Lemma 3.10 to compute all the embeddings of $K$ in $K'$, and discard those not fixing $K_0$.

4.2 Adjoining roots of polynomials

One of the most basic techniques of constructing number fields is adjoining roots of polynomials. It can be efficiently performed by the following lemma.

Lemma 4.8. There exists a polynomial-time algorithm AdjoinRoot that, given a number field $K_0$, a relative number field $K$ over $K_0$, and a polynomial $h(X) \in K[X]$ irreducible over $K$, computes the relative number field $K' = K(\alpha)$ over $K_0$ (up to isomorphism over $K_0$), where $\alpha$ is an arbitrary root of $h(X)$. Moreover, suppose $K$ is encoded by the minimal polynomial of a primitive element $\beta \in K$ over $K_0$. Then $K'$ is encoded by the minimal polynomial of an element of the form $\beta + k\alpha$ over $K_0$, where $1 \le k \le [K' : K_0] + 1$.

Proof. Form the $K$-algebra $K'' := K[X]/(h(X))$, which is a field. We need to encode $K''$ as a relative number field over $K_0$. Let $\alpha := X + (h(X)) \in K''$, which is a root of $h(X)$. Then $\alpha$ and $\beta$ are explicitly known in $K''$. Let $d := [K'' : K_0]$. By Lemma 4.5, there exists $k \in [1, d+1]$ such that $\gamma = \beta + k\alpha$ is a primitive element of $K''$ over $K_0$. Compute such an element $\gamma$ by enumerating $k$ and checking if the degree of the minimal polynomial of $\gamma$ over $K_0$ equals $d$. Once $\gamma$ is found, compute the relative number field $K' := K_0[X]/(g(X))$ over $K_0$, where $g(X)$ is the minimal polynomial of $\gamma$ over $K_0$. It is isomorphic to $K'' = K(\alpha)$ over $K_0$ via the $K_0$-linear map sending $X + (g(X))$ to $\gamma$.