Sub-Linear Root Detection for Sparse Polynomials Over Finite Fields

Size: px

Start display at page:

Download "Sub-Linear Root Detection for Sparse Polynomials Over Finite Fields"

Shauna Chambers
5 years ago
Views:

1 1 / 27 Sub-Linear Root Detection for Sparse Polynomials Over Finite Fields Jingguo Bi Institute for Advanced Study Tsinghua University Beijing, China October, 2014 Vienna, Austria This is a joint work with Qi Cheng and J. Maurice Rojas.

2 2 / 27 Applications of lattice theory Lattice theory has fruitful applications in Physics and Chemistry, such as the structure of particle systems under a variety of physical constraints, packing problems, etc, but also has applications in Computational Number Theory, Computational Algebra, Coding Theory, Theoretical Computer Science and Cryptography, etc.

3 3 / 27 The Problem Let R be a ring. Given any univariate t-nomial f (x) := c 1 + c 2 x a 2 + c 3 x a c t x at R[x] (decision version) decide whether there is a root in R (search version) find one of the roots in R (counting version) count the number of roots in R

4 4 / 27 Previous work Cucker, Koiran, and Smale found a polynomial-time algorithm to find all integer roots of a univariate polynomial f in Z[x] with exactly t terms H. W. Lenstra, Jr. gave a polynomial-time algorithm to compute all factors of fixed degree over an algebraic extension of Q of fixed degree (and thereby all rational roots) Independently, Kaltofen and Koiran and Avendano, Krick, and Sombra extended this to finding bounded-degree factors of sparse polynomials in Q[x, y] in polynomial-time

5 5 / 27 Previous work on finite fields NP-hardness over even characteristic for sparse polynomials (Kipnis-Shamir 1999) For prime order finite field, detecting rational roots for straight-line program is prove to be NP-hard (Cheng-Hill-Wan 2012) Even for trinomials, no nontrivial algorithm is known

6 6 / 27 Main Results Given any univariate t-nomial f (x) = c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 F q [x] We can decide, within 4 t+o(t) q t 2 t 1 +o(1) deterministic bit operations, whether f (x) has a root in F q Moreover, we also give the structure of the roots of f (x) over F q When t is fix, this is the first sub-linear in q algorithm to solve this problem There is an algorithm running in time q 1/2+o(1) to decide whether a trinomial in F q [x] has a root in F q

7 7 / 27 Backgrounds of Lattice What Is a Lattice? Given n linearly independent vectors b 1,..., b n R m (n m), the lattice generated by them is the set of vectors L(b 1,..., b n ) = { n x i b i : x i Z} i=1 The vectors b 1,..., b n form a basis of the lattice

8 8 / 27 Backgrounds of Lattice The Shortest Vector Problem The most famous computational problem on lattices is the shortest vector problem (SVP): Given a basis of a lattice L, find a vector u L, such that v u for any vector v L \ 0

9 9 / 27 Backgrounds of Lattice The Minkowski Convex Body Theorem There exists a nonzero lattice vector with length less than n det(l) 1/n

10 10 / 27 Backgrounds of Lattice The LLL Reduction There is a polynomial time algorithm to find a base such that the length of the shortest vector in the base (2/ 3) n λ 1, where λ 1 denotes the length of the shortest nonzero vector in the lattice

11 11 / 27 Backgrounds of Lattice Exact algorithm for SVP There is an algorithm to compute the shortest nonzero vector of a n-dimensional lattice which needs at most 4 n+o(n) arithmetic operations. (Micciancio-Voulgaris 2010)

12 12 / 27 Main idea Main theorem Given any univariate t-nomial f (x) = c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 F q [x] We can decide, within 4 t+o(t) q t 2 t 1 +o(1) deterministic bit operations, whether f (x) has a root in F q

13 13 / 27 Main idea Observation Detecting roots over F q is the same as detecting linear factors of polynomials in F q [x] However, to detect roots in F q, we don t need the full power of factoring we need only decide whether gcd(x q x, f (x)) has positive degree, which takes time deg(f ) 1+o(1) (log q) O(1) (E.Bach and J. Shallit 1996)

14 14 / 27 Main idea Degree reduction Replace x by y e in f. f (y e ) := c 0 + c 1 y ea 1 + c 2 y ea c t 1 y ea t 1

15 14 / 27 Main idea Degree reduction Replace x by y e in f. f (y e ) := c 0 + c 1 y ea 1 + c 2 y ea c t 1 y ea t 1 If gcd(e, q 1) = 1, then the map from F q to F q given by y e is one-to-one, thus it will not change the solvability of f

16 14 / 27 Main idea Degree reduction Replace x by y e in f. f (y e ) := c 0 + c 1 y ea 1 + c 2 y ea c t 1 y ea t 1 If gcd(e, q 1) = 1, then the map from F q to F q given by y e is one-to-one, thus it will not change the solvability of f A new polynomial c 0 +c 1 y ea 1 (mod q 1) +c 2 y ea 2 (mod q 1) + +c t 1 y ea t 1 (mod q 1)

17 14 / 27 Main idea Degree reduction Replace x by y e in f. f (y e ) := c 0 + c 1 y ea 1 + c 2 y ea c t 1 y ea t 1 If gcd(e, q 1) = 1, then the map from F q to F q given by y e is one-to-one, thus it will not change the solvability of f A new polynomial c 0 +c 1 y ea 1 (mod q 1) +c 2 y ea 2 (mod q 1) + +c t 1 y ea t 1 (mod q 1) Find a suitable e to reduce the degree.

18 15 / 27 Find a suitable e Lemma (Find e) Given integers a 1,, a t 1, N satisfying 0<a 1 < <a t 1 <N and gcd(n, a 1,, a t 1 ) = 1, one can find, within 4 t+o(t) bit operations, an integer e with the following property for all i {1,..., t 1}: m 1 ea 1 mod N, m 2 ea 2 mod N,, m t 1 ea t 1 mod N if m i [ N/2, N/2], then m i t 1N t 2 t 1

19 16 / 27 Find a suitable e Find e Consider the lattice L generated by the row vectors of the matrix: a 1 a 2 a t 1 N 0 0 B = 0 N N

20 16 / 27 Find a suitable e Find e Consider the lattice L generated by the row vectors of the matrix: a 1 a 2 a t 1 N 0 0 B = 0 N N det(l) N t 2

21 16 / 27 Find a suitable e Find e Consider the lattice L generated by the row vectors of the matrix: a 1 a 2 a t 1 N 0 0 B = 0 N N det(l) N t 2 From Minkowski s Theorem, let m = (m 1, m 2,, m t 1 ) be the shortest vector of lattice L, then, m t 1N t 2 t 1

22 16 / 27 Find a suitable e Find e Consider the lattice L generated by the row vectors of the matrix: a 1 a 2 a t 1 N 0 0 B = 0 N N det(l) N t 2 From Minkowski s Theorem, let m = (m 1, m 2,, m t 1 ) be the shortest vector of lattice L, then, m t 1N t 2 t 1 One can find m by using the Micciancio-Voulgaris algorithm

23 17 / 27 Find a suitable e Find e From m = (m 1, m 2,, m t 1 ) L, then there exists an integer e such that m 1 = ea 1 (mod N), m 2 = ea 2 (mod N),, m t 1 = ea t 1 (mod N) Because gcd(a 1, a 2,, a t 1, N) = 1, one can find integers x 1, x 2,, x t s.t., t 1 x i a i + x t N = 1 Let i=1 t 1 e = x i m i i=1 mod N Therefore, for i, 1 i t 1, we have ea i m i m i m t 1N t 2 t 1 mod N and

24 18 / 27 Proof of main theorem Main theorem Given any univariate t-nomial f (x) = c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 F q [x] We can decide, within 4 t+o(t) q t 2 t 1 +o(1) deterministic bit operations, whether f (x) has a root in F q

25 19 / 27 Proof of main theorem The case of gcd(a 1, a 2, a t 1, q 1) > 1. Let δ = gcd(a 1, a 2, a t 1, q 1). The F q -solvability of f (x) := c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 is equivalent to the solvability of the following system of equations: c 0 + c 1 y a1/δ + + c t 1 y at 1/δ = 0 y q 1 δ = 1

26 20 / 27 Proof of main theorem The main lemma Given a finite field F q and the polynomials ( ) x N 1 and c 0 + c 1 x a c t 1 x a t 1, in F q [x] with 0<a 1 < <a t 1 <N, gcd(n, a 1,, a t 1 ) = 1, c i 0 for all i, and N (q 1), there exists a deterministic q 1/4 (log q) O(1) + 4 t (t log N) O(1) + t 1 2 +o(1) N t 2 t 1 +o(1) (log q) 2+o(1) algorithm to decide whether these two polynomials share a root in F q. Remark: One can find a generator g of F q within q 1/4 (log q) O(1) bit operations. (Shparlinski, 1996)

27 21 / 27 Proof of main theorem Proof of the main lemma we can find an integer e in time 4 t+o(t) by reducing the lattice a 1 a 2 a t 1 N 0 0 B = 0 N N such that if m 1,..., m t 1 are the unique integers in the range [ N/2, N/2 ] respectively congruent to ea 1,..., ea t 1, then m i < t 1N t 2 t 1 for each i {1,..., t 1}.

28 22 / 27 Proof of main theorem Since N (q 1), we have x N 1 x q x, then the roots of x N 1 = 0 the same as x g q 1 N, let ζ N = g q 1 N, and k = gcd(e, N) If k = 1, the map is one-to-one ϕ :< ζ N > < ζ N > x x e finding a solution for ( ) is equivalent to finding x ζ N such that c 0 + c 1 x ea c t 1 x ea t 1 =0 The last equation can be rewritten as the lower degree equation c 0 + c 1 x m c t 1 x m t 1 =0 Time complexity: ( t 1N t 2 t 1 ) 1+o(1) (log q) 2+o(1)

29 23 / 27 Proof of main theorem if k >1, the map from ζ N to ζ N given by x x e is no longer one-to-one. Instead, it sends ζ N to a smaller subgroup ζ k N of order N/k Any element x ζ N can be written as ζn i z for some i {0,..., k 1} and z ζn k Now, gcd(e/k, N/k) = 1, so the map ϕ 1 is one-to-one ϕ 1 :< ζn k > < ζn k > y y e/k

30 24 / 27 Proof of main theorem Let x N 1 = 0 and c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 = 0 x < ζ N > and c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 = 0 i, 1 i k, x = (ζ N ) i y, y < ζn k > and c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 = 0 i, 1 i k, y < ζn k > and c 0 + c 1 ((ζ N ) i y) a c t 1 ((ζ N ) i y) a t 1 = 0 i, 1 i k, y < ζn k > and c 0 + c 1 ((ζ N ) i y e/k ) a c t 1 ((ζ N ) i y e/k ) a t 1 = 0 i, 1 i k, y N/k 1 = 0 and c 0 + c 1 (ζ N ) a1i y m1/k + + c t 1 (ζ N ) at 1i y mt 1/k = 0 f i (y) = c 0 + c 1 (ζ N ) a 1i y m 1/k + + c t 1 (ζ N ) a t 1i y m t 1/k

31 25 / 27 Proof of main theorem If f i is identically { zero then we have found a whole set of x solutions for N 1 = 0 c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 = 0 : the coset ζn i ζk N If f i is not identically zero then let l:=min i min(m i /k, 0) The polynomial z l f i (z) then has degree bounded from above by 2 t 1N t 2 t 1 /k. Deciding whether the pair of equations { y N/k 1 = 0 y l f i (y) = 0 has ( a solution for some i takes deterministic time t ) t 2 1+o(1) k 1N t 1 /k (log q) 2+o(1)

32 26 / 27 Proof of main theorem Roots structure Let γ be the number of f i 0, then the solutions of equations { x N 1 = 0 c 0 + c 1 x a 1 + c 2 x a c t 1 x a t 1 = 0 has two parts over F q. The first part contains at most 2γ t 1N t 2 t 1 /k isolated roots, the other part includes k γ subgroup of F q with order N/k

33 27 / 27 Proof of main theorem Thank you!

SUB-LINEAR ROOT DETECTION, AND NEW HARDNESS RESULTS, FOR SPARSE POLYNOMIALS OVER FINITE FIELDS

SUB-LINEAR ROOT DETECTION, AND NEW HARDNESS RESULTS, FOR SPARSE POLYNOMIALS OVER FINITE FIELDS JINGGUO BI, QI CHENG, AND J. MAURICE ROJAS Abstract. We present a deterministic 2 O(t) q t 2 t 1 +o(1) algorithm