Diplomarbeit Gröbner Bases in Cryptography

Transcription

1 Diplomarbeit Gröbner Bases in Cryptography Universität Ulm Fakultät für Informatik Institut für Theoretische Informatik Gunnar Völkel, 2009 Gutachter: Zweitgutachter: Prof. Dr. Uwe Schöning Dr. Tobias Eibach

2

3 Eidesstattliche Erklärung Hiermit versichere ich, die vorliegende Arbeit selbständig, ohne fremde Hilfe und ohne Benutzung anderer als der von mir angegebenen Quellen angefertigt zu haben. Die Arbeit wurde noch keiner Prüfungsbehörde in gleicher oder ähnlicher Form vorgelegt. Gunnar Völkel (Matrikelnummer ), 30. März 2009 i

4

5 Abstract In this thesis we study the theory of Gröbner bases and the special case of Boolean Gröbner bases. We explain the BUCHBERGER ALGORITHM and the improvements that can be made to limit the growth of the so-called critical pairs during the algorithm. Following to that we describe the F 4 ALGORITHM. Then the adjustments for computing Boolean Gröbner bases are described along with two new criteria for computing Boolean Gröbner bases. We sketch an algorithm that is able to employ both criteria. Knowing that the zeros of a Gröbner basis of a set of polynomials are the same zeros as of the set of polynomials itself, we apply the theory of Boolean Gröbner bases to perform cryptanalaysis on stream ciphers in general and BIVIUM, a reduced variant of TRIVIUM, in particular. We compare the performance of our implementation with others by using the attack on BIVIUM as benchmark. keywords: Gröbner basis, Boolean Gröbner basis, Buchberger Algorithm, F 4 Algorithm, Stream Cipher, Cryptanalysis, Bivium, Trivium, Benchmark. iii

6

7 Acknowledgments I want to thank Dr. Tobias Eibach for supervising my diploma thesis and giving valuable feedback on my work. Also, I want to thank Prof. Dr. Uwe Schöning who made it possible for me to attend the Sage Days 10 in Nancy, France. A special thanks I want to express to Michael Brickenstein who answered me a lot of questions on the topic of Gröbner bases. For taking the time to proofread my thesis, I want to thank Markus Dibo. v

8

9 Contents Eidesstattliche Erklärung i Abstract iii Acknowledgments v Table of Contents vii 1 Introduction Motivation Goals Structure Algebraic Fundamentals Rings, Fields and Ideals Order Relations Polynomials and Polynomial Rings Term Orderings and related Properties of Polynomials Reduction of Polynomials Conclusion Fundamentals of Gröbner Bases Definition, Existence and Uniqueness Buchberger Algorithm Example: BUCHBERGER ALGORITHM Standard Representations Improved Buchberger Algorithm Execution Time Solving Non-linear Algebraic Equation Systems Conclusion F4 Algorithm Application of Linear Algebra on Polynomials The Algorithm F4 Reduction Example Conclusion Gröbner Bases for Boolean Polynomials Boolean Polynomials and Boolean Functions Adapted Gröbner Bases Theory vii

10 Contents 5.3 New Criteria Algorithms revised Improved Boolean Algorithm Implementation Conclusion Application in Cryptography Stream Ciphers: Trivium, Bivium Algebraic Cryptanalysis of Bivium Gröbner Basis Attack Performance Conclusion Conclusion Results, Ideas and Open Questions Appendix I Bibliography III List of Algorithms V Index VII viii

11 1 Introduction In this diploma thesis we study the theory of Gröbner bases and their application in cryptography. Especially, we are interested in cryptanalysis of stream ciphers and how we can optimize Gröbner basis computation for that aim. Cryptanalysis of stream ciphers is important because they are widely used in everyday life. Their usage includes: mobile communication: GSM, UMTS device interconnection: Bluetooth software: encryption of large data, real-time scenarios 1.1 Motivation Before this thesis we worked in a practical course in cryptography on the cryptanalysis of current stream cipher proposals that were candidates of the estream project (see [est08]). In a previous practical course they worked out a method to attack BIVIUM a reduced variant of TRIVIUM (candidate of estream project) using SAT solvers 1. In this practical course we used a Gröbner basis based attack on BIVIUM and another one based on binary decision diagrams. As published in [EPV08] our first attempt to attack BIVIUM using Gröbner bases was not competitive to the SAT solver approach. So there was a lot potential to optimize this first attempt. The optimization possibilities, we studied, are explained in [EV08] which was presented at the SCC 08. With the optimal strategies, we found, the Gröbner basis based attack could now beat the SAT solver based attack. Among the feedback from the SCC 08 was the idea that one could optimize this attack even further by implementing an own Gröbner basis algorithm specialized for the Boolean polynomials, we get when attacking stream ciphers and in particular BIVIUM. This finally lead to the decision to study the theory of Gröbner bases more detailed in this thesis. Gröbner bases are of great importance because there are lots of applications for them in mathematics and computer science besides solving non-linear algebraic equation systems like we do for attacking BIVIUM. The classic one is the ideal membership problem for multivariate polynomials from computational algebra. Other examples are: 2 1 SAT solvers are programs that can solve the Boolean satisfiability problem. 2 These are some examples Buchberger lists in [Buc01a]. 1

12 Chapter 1. Introduction factorization of multivariate polynomial matrices solvability test and solution construction of unilateral and bilateral polynomial matrix equations, Bezout identity synthesis of deadbeat or asymptotic tracking controller / regulator elimination of variables for latent variable representation of a behavior Goals We want to study the theory of Gröbner bases to gain detailed knowledge of their computation. With that knowledge we want to improve our attack scheme on stream ciphers in general and on BIVIUM in particular. As a side effect we want to create a description of the different results (papers with different notations) on the computation of Gröbner bases with a uniform notation. 1.3 Structure The first chapter will provide us with the basic algebra definitions for rings and polynomials. Subsequently we will discuss orderings which are fundamental for Gröbner bases and properties of polynomials related to orderings. In the second chapter we will start with defining Gröbner bases and describing an algorithm that can compute them the BUCHBERGER ALGORITHM (year 1965). Since the BUCHBERGER ALGORITHM leaves possibilities for improvements we will discuss them afterwards. By Chapter three we will make a huge leap forward in time (year 1999) and present improvements that were made regarding the reduction of polynomials during Gröbner basis computation. In Chapter four we will explain the theory of Boolean Gröbner bases and will discuss improvements for this Boolean setting (by making another small leap on the timeline to 2007). Decisions regarding our own implementation will be discussed at the end of this chapter, too. The final fifth chapter will describe the application of Gröbner bases for performing cryptanalysis of stream ciphers and BIVIUM in particular. Chapter 2 and 3 are mainly based on the book Gröbner bases: A computational approach to commutative algebra (chapter 2 and 5) from Becker, Kredel and Weispfenning (cited as [BKW93]). Chapter 4 is mainly based on the paper A new efficient algorithm for computing Gröbner bases (F 4 ) from Jean-Charles Faugère (cited as [Fau99]). The theory of Boolean Gröbner bases in Chapter 5 is taken from New developments in the theory of Gröbner bases and applications to formal verification from M. Brickenstein, A. Dreyer and G.-M. Greuel et al. (cited as [BDG + 08]). Throughout the thesis we use the abbreviation w.r.t. for with respect to. 2

13 2 Algebraic Fundamentals In this chapter we will introduce the basic algebraic notions we will need to describe the theory of Gröbner bases later. This chapter is based on the book [BKW93]. We will only quote the proofs for some important theorems from [BKW93]. 2.1 Rings, Fields and Ideals Let us start by defining the basic algebra structures needed. Definition 2.1 (monoid) A monoid is a set M with a binary operation (a,b) a b and a distinguished element e M such that the following axioms hold: (i) a,b,c M : a (b c) = (a b) c (associativity) (ii) a M : a e = e a = a (neutral element) Definition 2.2 (Abelian monoid) An Abelian monoid M is a monoid whose operation is commutative that is: a,b M : a b = b a (commutativity) A classic example for an Abelian monoid is the set of the natural numbers with the addition as operation. 0 is the neutral element of the addition which is associative and commutative. Definition 2.3 (group) A group is a set G with a binary operation (a,b) a b and a distinguished element e G such that the following axioms hold: (i) a,b,c G : a (b c) = (a b) c (associativity) (ii) a G : a e = e a = a (neutral element) (iii) a G b G : b a = e (inverse element) Briefly, a group is a monoid for whose elements in each case an inverse element exists with respect to the operation. 3

14 Chapter 2. Algebraic Fundamentals Definition 2.4 (Abelian group) An Abelian group G is a group whose operation is commutative that is: a,b G : a b = b a (commutativity) For example the set of integers Z with the addition as operation is an Abelian group. For each a Z there exists an inverse element a Z such that a + ( a) = 0 which is the neutral element. The addition is associative and commutative. Definition 2.5 (ring) A ring is a set R with two binary operations + and, referred to as addition and multiplication, as well as a distinguished element 0 such that the following hold: (i) R is an Abelian group w.r.t. addition with neutral element 0. (ii) Multiplication is associative, i.e., (a b) c = a (b c) a,b,c R. (iii) The distributive laws a (b + c) = a b + a c and (a + b) c = a c + b c hold for all a,b,c R. Definition 2.6 (commutative ring with 1) A commutative ring with 1 is a ring R whose addition and multiplication is commutative (i.e. a,b R : a b = b a) and which contains a distinguished element 1 with 1 0 and a R : 1 a = a 1 = a. The set of integers Z is a commutative ring with 1 with respect to the addition and multiplication of integers. The integer 0 is the neutral element regarding the addition and 1 with respect to the multiplication. The distributive law holds for the integer addition and multiplication. From now on we will use ring for commutative ring with 1. Definition 2.7 (integral domain, domain) An integral domain (or short domain) R is a ring without zero divisors, that is: a R,a 0 : b R,b 0 : a b = 0 Definition 2.8 (ideal) Let R be a ring and I R. Then I is called an ideal of R if (i) a,b I : a + b I, and (ii) a I r R : ar I. I is called trivial if I = {0}. In this case it is also called the zero ideal. I is called proper if I R. For instance for n Z the set nz = {n z z Z} Z is an ideal of the ring Z with respect to integer addition and multiplication. 4

15 2.1. Rings, Fields and Ideals Definition 2.9 (generated ideal) Let R be a ring, a R. The ideal ar = {ar r R} of all multiples of a is called the principal ideal generated by a, and it is also denoted by Id(a) or a. If a 1,...,a n R, then the ideal n i=1 a ir = { n i=1 a ir i r i R for 1 i n } is called the ideal generated by a 1,...,a n. Any ideal of this form is called finitely generated, and it will also be denoted by Id(a 1,...,a n ) or a 1,...,a n. If A R then the ideal { n i=1 a ir i 0 < n N, r i R, and a i A for 1 i n } is called the ideal generated by A and will be denoted by Id(A) or A. In this case, A is also called an ideal basis of Id(A). Here, we use the convention that the empty sum equals 0, so that the empty set generates the zero ideal, that is Id( ) = {0}. Consider the following special characterization for a ring regarding a property of its ideals. Definition 2.10 (principal ideal ring) A principal ideal ring is a ring R with the property that every ideal I of R is principal (that is a R : I = {a r r R}). Definition 2.11 (field) Let R be a ring. R is called a field if every element of R other than 0 is invertible, that is: a R,a 0 : c R : a c = 1. For example the set of rational numbers Q is a field with respect to addition and multiplication of rational numbers. The following definition introduces fields we can work with in examples later on. Definition 2.12 (finite field F p ) Let p N be prime. The notation F p represents a finite field with p elements. It is defined by F p = Z/pZ = {0,1,...,p 1}. Definition 2.13 (least common multiple) Let R be a domain and a,b R. The least common multiple (short: lcm) of a and b is an element c R that is a common multiple of a and b (i.e. a c and b c) and divides any other common multiple of a and b (i.e. c R : a c, b c implies c c ). Definition 2.14 (greatest common divisor) Let R be a domain and a,b R. The greatest common divisor (short: gcd) of a and b is an element c R that is a common divisor of a and b (i.e. c a and c b) and is divided by any other common divisor of a and b (i.e. c R : c a, c b implies c c). Consider, for an example, the ring Z, a = 48 and b = 90. We know that a = 48 = and b = 90 = The least common multiple of a and b is lcm(a,b) = = 720. The greatest common divisor of a and b is gcd(a,b) = 2 3 = 6. 5

16 Chapter 2. Algebraic Fundamentals Definition 2.15 (R-module) Let R be a ring. An R-module M is an additive Abelian group with an additional operation : R M M, called scalar multiplication, such that the the following hold: (i) α R a,b M : α (a + b) = α a + α b (ii) α,β R a M : (α + β) a = α a + β a (iii) α,β R a M : (α β) a = α (β a) (iv) a M : 1 a = a 2.2 Order Relations In this section we give the basic definitions of order relations which we will need later for defining term orders. Definition 2.16 (binary relation) Let M be a non-empty set. A binary relation on M is a subset r M M where M M denotes the set of all ordered pairs (a,b) of elements a,b M. Definition 2.17 (well-founded relation, noetherian relation) Let M be a non-empty set and r a binary relation on M. r is called well-founded if every non-empty subset N M has a minimal element with respect to r. Definition 2.18 (quasi-order) A quasi-order on a set M is a binary relation for which the following axioms hold: (i) a M : a a (reflexivity) (ii) a,b,c M : a b b c = a c (transitivity) Definition 2.19 (Dickson basis, Dickson quasi-order) Let be a quasi-order on M and let N M. Then a subset B on N is called a Dickson basis of N with respect to if for every a N there exists some b B with b a. We say that has the Dickson property, or is a Dickson quasi-order, if every subset N of M has a finite basis with respect to. Definition 2.20 (partial order) A partial order on a set M is a binary relation for which the following axioms hold: (i) a M : a a (reflexivity) (ii) a,b M : a b b a = a = b (antisymmetry) (iii) a,b,c M : a b b c = a c (transitivity) 6

17 2.3. Polynomials and Polynomial Rings Definition 2.21 (total order, linear order) A total order, also called linear order, on a set M is a binary relation for which the following axioms hold: (i) a,b M : a b b a (totality) (ii) a,b M : a b b a = a = b (antisymmetry) (iii) a,b,c M : a b b c = a c (transitivity) Definition 2.22 (well-order) A total order on a set M is called a well-order if every non-empty subset N M has a minimal element with respect to. The natural order on the set of natural numbers N is a total order and also a well-order. Definition 2.23 (admissible order) Let (M,0,+) be an Abelian monoid and let be a linear order on M. Then we say is admissible if the following holds. (i) a M : 0 a (ii) a,b,c M : a < b = a + c < b + c 2.3 Polynomials and Polynomial Rings First we give the definition for univariate polynomials which we then extend to multivariate polynomials. Definition 2.24 (polynomial) Let R be a ring. A polynomial f in a variable X with coefficients a i R is an expression of the form f = f (X) = a i X i with m N i > m : a i = 0. This means that a polynomial has only finitely many nonzero coefficients a i. By convention we write X 1 = X and X 0 = 1. So a polynomial can also be written as f (X) = a m X m + a m 1 X m a 2 X 2 + a 1 X + a 0. An example for an univariate polynomial in Z is f = 4 X 5 2 X 3 + X Definition 2.25 (multivariate polynomial) Let R be a ring. A multivariate polynomial f in variables X 1,X 2,...,X n with coefficients c i1,...,i n R is an expression of the form f = f (X 1,...,X n ) = c i1,...,i n X i 1 1 Xi n n i 0 i 1,...,i n 0 with only finitely many non-zero coefficients c i1,...,i n. 7

18 Chapter 2. Algebraic Fundamentals Let x, y,z be variables. Then a multivariate polynomial in x, y,z with coefficients in Z is for example f = 3 x 2 y + 7 y z 2 2 x z. Definition 2.26 (set of multivariate polynomials) Let R be a ring. The set of multivariate polynomials in n variables with coefficients in R is written as R[X 1,...,X n ] = R[X] with X = (X 1,...,X n ). Define an addition + and a multiplication on R[X] by (+) R[X] R[X] R[X] a i1,...,i n X i 1 1 Xi n n, b i1,...,i n X i 1 1 Xi n n i 1,...,i n 0 i 1,...,i n 0 (a i1,...,i n + b i1,...,i n ) X i 1 1 Xi n n i 1,...,i n 0 ( ) R[X] R[X] R[X] a i1,...,i n X i 1 1 Xi n n, b i1,...,i n X i 1 1 Xi n n i 1,...,i n 0 i 1,...,i n 0 a i1,...,i n b j1,...,j n i 1,...,i n,j 1,...,j n 0,i 1 +j 1 =k 1,...,i n +j n =k n k 1,...,k n 0 Xk 1 1 Xk n n Definition 2.27 (multivariate polynomial ring) Let R be a ring. (R[X 1,...,X n ],+, ) is a commutative ring called the multivariate polynomial ring in variables X 1,...,X n with coefficients in R. The abbreviation R[X] with X = (X 1,...,X n ) is common. R is called the ground ring of the multivariate polynomial ring. For a proof that (R[X 1,...,X n ],+, ) is a commutative ring see Proposition 2.5 in [BKW93, p. 63]. Definition 2.28 (term) A term t in the variables X 1,...,X n is a power product of the form X α Xα n n with α i N for 1 i n. 1 = X X0 n is a term. The set of all terms is denoted by T [X 1,...,X n ] = T [X] or simply T. T forms an Abelian monoid (T,1, ) with neutral element 1 under the natural multiplication where two terms are multiplied by adding the respective exponents of each variable. The additive monoid N n is written as (N n,0,+). There exists an isomorphism between (T,1, ) and (N n,0,+) since two terms are different if and only if their exponent tuples are different and the product of two terms is the component-wise sum of their exponent tuples. 8

19 2.3. Polynomials and Polynomial Rings Definition 2.29 (exponent map η) A natural isomorphism (T,1, ) (N n,0,+) is given by the exponent map η which assigns to any term its exponent tuple. For t T (X 1,...,X n ) that is: η(t) = η(x α Xα n n ) = (α 1,...,α n ) N n. The inverse η 1 of η is the map (N n,0,+) (T,1, ). For α = (α 1,...,α n ) N n that is: η 1 (α) = η 1 ( (α 1,...,α n ) ) = X α Xα n n T [X]. For an example let t = v 4 x 2 y T [v,w,x, y,z]. Then we have and vice versa for α = (0,7,1,3,2) N 5 η(t) = η(v 4 x 2 y) = (4,0,2,1,0) N 5 η 1 (α) = η 1 ( (0,7,1,3,2) ) = w 7 x y 3 z 2 T [v,w,x, y,z]. Definition 2.30 (natural partial order on N n ) The partial order on N n obtained by forming the product of n copies of N with its natural order will be called the natural partial order on N n. It is defined as follows: (k 1,...,k n ) (m 1,...,m n ) k i m i 1 i n. For a definition of a partial order see Definition 2.20 on page 6. Definition 2.31 (divisibility relation ) The divisibility relation on T for s,t T is defined by s t s T : s s = t. The natural partial order and the divisibility relation correspond under the exponential map that is s,t T : s t η(s) η(t). Let us illustrate that through the following examples with terms in T [x, y,z]: x y 2 x 2 y 2 z (1,2,0) (2,2,1) and x y 2 z x y 2 (1,2,1) (1,2,0). THEOREM 2.1 The divisibility relation on T is a Dickson partial order on T. More explicitly, every non-empty subset S T has a finite subset B such that s S t B : t s. Definition 2.32 (monomial) Let R be a ring. A monomial m in the variables X 1,...,X n over R is a polynomial of the form m = at with 0 a R and t T. a is called the coefficient of m and t the term of m. The set of all monomials is denoted by M[X 1,...,X n ] = M[X] or simply M. 9

20 Chapter 2. Algebraic Fundamentals The multiplication on M is defined as a 1 t 1 a 2 t 2 = (a 1 a 2 )(t 1 t 2 ). M actually forms a commutative monoid under this multiplication and M contains both R \ {0} and T. Let f R[X] = R[X 1,...,X n ], f 0. The polynomial f can also be written as f = c f (α 1,...,α n )X α 1 1 Xα n n, c f (α 1,...,α n ) R. c f (α 1,...,α n ) 0 Now we introduce some definitions with respect to polynomials. Definition 2.33 (monomial set, term set, coefficient set) Let f R[X], f 0. The monomial set of f is defined as The term set of f is defined as The coefficient set of f is defined as M( f ) = {c f (α 1,...,α n )X α 1 1 Xα n n c f (α 1,...,α n ) 0}. T( f ) = {X α 1 1 Xα n n c f (α 1,...,α n ) 0}. C( f ) = {c f (α 1,...,α n ) c f (α 1,...,α n ) 0}. For instance let f Z[x, y,z] be a polynomial with f = 5 x 3 y z + 7 x y 2 3 y z + x. Then we have M( f ) = {5 x 3 y z,7 x y 2, 3 y z,x}, T( f ) = {x 3 y z,x y 2, y z,x}, C( f ) = {5,7, 3,1}. Definition 2.34 (total degree of terms) The total degree of a term t = X α 1 1 Xα n n T is defined as n deg(t) = α i. Definition 2.35 (total degree of polynomials) The total degree of a polynomial f R[X], f 0 is defined as i=1 deg( f ) = max{deg(t) t T( f )}. For an example consider the previous defined polynomial f. Its total degree is deg(5 x 3 y z + 7 x y 2 3 y z + x) = max{deg(x 3 y z),deg(x y 2 ),deg(y z),deg(x)} = max{5,3,2,1} = 5 10

21 2.4. Term Orderings and related Properties of Polynomials 2.4 Term Orderings and related Properties of Polynomials In this section we define term orders and properties derived from them. As we will see later these term orders play an essential role in the computation of Gröbner bases. Definition 2.36 (term order) A term order is a linear order on T that satisfies the following conditions. (i) t T : 1 t (ii) s,t 1,t 2 T : t 1 t 2 = t 1 s t 2 s Lemma 2.1 Let be an admissible order on (N n,0,+) and define on T by setting s,t T : s t η(s) η(t). Then is a term order on T. Moreover, every term order on T is obtained in this way and the resulting correspondence between term orders on T and admissible orders on (N n,0,+) is one-to-one. THEOREM 2.2 (i) If is a term order on T, then s,t T : s t s t. (ii) Every term order is a well-order on T. Now we are ready to define concrete types of term orders, starting with the lexicographical ones. Definition 2.37 (lexicographical order) The lexicographical order on T is defined as follows: X α 1 1 Xα n n X β 1 1 Xβ n n if and only if (α 1,...,α n ) = (β 1,...,β n ) 1 i n : 1 j i 1 : α j = β j α i < β i. Definition 2.38 (inverse lexicographical order) The inverse lexicographical order on T is defined as follows: X α 1 1 Xα n n X β 1 1 Xβ n n if and only if (α 1,...,α n ) = (β 1,...,β n ) 1 i n : i + 1 j n : α j = β j α i < β i. For a clearer understanding consider the following examples. Let be the lexicographical term order. Let x, y,z be variables with x < y < z. For a quick check there are the exponent vectors of the involved terms enlisted to the right of the examples. In this example the exponent map η maps to (α z,α y,α x ). example left term exponents right term exponents x y z η(x y) = (0,1,1) η(z) = (1, 0, 0) x 10 y η(x 10 ) = (0,0,10) η(y) = (0, 1, 0) y 8 z η(y 8 ) = (0,8,0) η(z) = (1, 0, 0) z z y η(z) = (1, 0, 0) η(z y) = (1,1,0) 11

22 Chapter 2. Algebraic Fundamentals To clarify the differences between the lexicographical and the inverse lexicographical term order consider the following explanation. We say X j is lexicographically greater than X i ( X j X i ) if α N : X j > X α. Then the lexicographical order satisfies i X 1 X 2 X n, whereas the inverse lexicographical one satisfies X n X n 1 X 1. Definition 2.39 (total degree-lexicographical order) Let be the lexicographical order on T. The total degree-lexicographical order on T is defined as follows: X α 1 1 Xα n n X β 1 1 Xβ n n if and only if n α i < i=1 n n β i α i = i=1 i=1 n i=1 β i X α 1 1 Xα n n X β 1 1 Xβ n n. In general the class of term orders defined like above for other orders on T that satisfy condition (ii) of Definition 2.36 is called the class of total degree orders. Now we have a look at some examples for the degree-lexicographical term order. Let be the degree-lexicographical term order. Let x, y,z be variables with x < y < z. For a quick check there are again the exponent vectors of the involved terms enlisted to the right of the examples. The exponent map η maps to (α z,α y,α x ) in this example. example left term exponents right term exponents z x y η(z) = (1, 0, 0) η(x y) = (0,1,1) z y 5 η(z) = (1, 0, 0) η(y 5 ) = (0,5,0) x y z x 4 η(x y z) = (1,1,1) η(x 4 ) = (0,0,4) x 3 x y z η(x 3 ) = (0,0,3) η(x y z) = (1,1,1) Definition 2.40 (total degree reverse lexicographical order) The total degree reverse lexicographical order is a total degree term order which uses an inverse lexicographical order instead of a lexicographical order (cf. total degree-lexicographical order). Another way to compose a term order would be to split the set of variables and use a different term order on each of the parts in a lexicographical kind of way. The following definition determines how this is done. Definition 2.41 (block order) Let 1 i < n and set T 1 = T (X 1,...,X i ) T and T 2 = T (X i+1,...,x n ) T. Let 1 and 2 be term orders on T 1 and T 2, respectively. Any t T may be written uniquely as t = t 1 t 2 with t 1 T 1 and t 2 T 2. The block order on T is defined as follows: s,t T : s t ( ) s 1 1 t 1 s 1 = t 1 s 2 2 t 2. 12

23 2.4. Term Orderings and related Properties of Polynomials Now that we are able to compare and sort terms, we need to transfer the term order to an order on monomials. Definition 2.42 (quasi-order on M induced by ) Let be a term order on T. The quasi-order on M induced by is defined by m,n M : m = as bt = n s t (a,b R; s,t T ) Let m 1,m 2 M have the same term but different coefficients. Then the following applies: m 1 m 2 but m 1 m 2 and m 2 m 1. That shows that is only a quasi-order but no order in general since it does not fulfill the antisymmetry condition. In the next step we extend a given term order to a well-founded quasi-order on all of R[X]. Therefore we denote the set of all finite subsets of T as P fin (T ) and consider the following definition. Definition 2.43 (induced well-order on P fin (T )) Let be a term order on T. Given two subsets T 1,T 2 P fin (T ) we define the induced well-order on P fin (T ) as follows (cf. [BKW93, pp , p. 193]). T 1 T 2 is defined by recursion on the number T 1 : If T 1 =, then T 1 T 2. If T 1, then T 1 T 2 if and only if T 2 and the following condition holds: max(t 1 ) < max(t 2 ), or max(t 1 ) = max(t 2 ) and T 1 \ {max(t 1 )} T 2 \ {max(t 2 )}. The induced well-order on P fin (T ) described briefly in an algorithmic way is just sorting both sets T 1,T 2 in a descending order using a given term order and performing a lexicographical comparison between the ordered terms until for t 1 T 1,t 2 T 2 t 1 t 2 applies or one of the sets T 1,T 2 has no more elements. Now we can use the order on P fin (T) to define our desired quasi-order on R[X]. Definition 2.44 (quasi-order on R[X]) Let be a term order on T and let be the induced well-order on P fin (T ). The quasi-order on R[X] is defined by setting f, g R[X] : f g T( f ) T(g). This quasi-order on R[X] is useful to sort sets of polynomials before an algorithm performs an equality check on two sets of polynomials. This way the check can be performed much faster. The following theorem is used as argument to proof Theorem 2.4 which states that the polynomial reduction relation (defined later) is noetherian reduction relation. 13

24 Chapter 2. Algebraic Fundamentals THEOREM 2.3 Let be a term order on T. Then is a linear, well-founded quasi-order on R[X] which extends and the induced quasi-order on the set M of monomials. 1 Next we define the important properties of polynomials with respect to a term ordering. These are used within the algorithms later on. Definition 2.45 (head term, head monomial, head coefficient, reductum) Let be an admissible term order on T. Given a polynomial f R[X] we define the head term as HT( f ) = max(t( f )), the head monomial as HM( f ) = max(m( f )) and the head coefficient as all with respect to. HC( f ) = the coefficient of HM( f ), The reductum red( f ) of f with respect to is defined as f HM( f ), i.e., f = HM( f ) + red( f ). Let be a degree-lexicographical term order and a polynomial 2 x 2 y z 3 +3 x y 2 z = f Z[x, y, z] with x < y < z. Then it is essential that HT( f ) = x 2 y z 3 HM( f ) = 2 x 2 y z 3 HC( f ) = 2. These definitions can be extended to sets of polynomials. Definition 2.46 (head term set, head monomial set) Let be an admissible term order on T. Given a set of polynomials F R[X] we define the head term set as and the head monomial set as HT(F) = {HT( f ) f F} HM(F) = {HM( f ) f F}. The following lemma describes how the properties defined before behave under composition. 1 For a proof see Theorem 5.12 in [BKW93, p. 193]. 14

25 2.5. Reduction of Polynomials Lemma 2.2 Let R be an integral domain and let f, g R[X] with f, g 0. Then (i) HT( f g) = HT( f ) HT(g) (ii) HM( f g) = HM( f ) HM(g) (iii) HC( f g) = HC( f ) HC(g) (iv) HT( f + g) max{ht( f ),HT(g)}. Definition 2.47 (monic polynomial) Let be a term order on T. A polynomial f R[X] is called monic w.r.t. if f 0 and HC( f ) = Reduction of Polynomials For this section, we assume that the ground ring is a field K. Moreover, we fix a term order on T and denote the induced linear quasi-order on K[X] by too. First we give the definitions for reduction relations and confluence. Definition 2.48 (reduction relation) Let be a relation on a non-empty set M. Then is called a reduction relation on M if is strictly antisymmetric. In connection with a reduction relation on M, we will write for the reflexive-transitive closure of, for the symmetric closure of, i.e., a b a b or b a for a,b M, for the reflexive-transitive closure of, i.e., the smallest equivalence relation on M extending, and for the relation on M defined by a b c M : a c and b c. Definition 2.49 (confluent, locally confluent) Let be a reduction relation on a non-empty set M. Then is said (i) to be confluent if b a c implies b c for all a,b,c M, (ii) to be locally confluent if b a c implies b c for all a, b, c M. Now, we can define the polynomial reduction. Definition 2.50 (polynomial reduction) Let f, g,p K[X] with f,p 0, and let P be a subset of K[X]. Then we say (i) f reduces to g modulo p by eliminating t (notation f p g[t]), if t T( f ), there exists s T with s HT(p) = t, and where a is the coefficient of t in f. g = f a HC(p) s p, 15

26 Chapter 2. Algebraic Fundamentals (ii) f reduces to g modulo p (notation f g), if f g[t] for some t T( f ). p p (iii) f reduces to g modulo P (notation f g), if f g for some p P. P p (iv) f is reducible modulo p if there exists g K[X] such that f g. p (v) f is reducible modulo P if there exists g K[X] such that f g. P The polynomial reduction (for multivariate polynomials), defined above, is a generalization of the single step of a polynomial division (in the univariate case). It is important that this polynomial reduction is not only defined for one reducing polynomial instead it is also defined for sets of polynomial. For comparison consider the univariate polynomials f = 5 x x 2 1 and p = x 2 x + 1 first. The first step of the polynomial division f divided by p is dividing the leading term 5 x 3 of f by the leading term x 2 of p which is 5 x. Then the following difference is calculated as remainder r 1 = f 5 x p = 3 x x 1. This procedure is continued as long as the leading term of p can divide the leading term of the current remainder r i. All calculation steps summarized are: f = 5 x x 2 1 p = x 2 x + 1 r 1 = f 5 x p = 3 x x 1 r 2 = r 1 ( 3) p = 8 x 4 r 2 cannot be divided by d anymore. So the result of the polynomial division is 5 x x 4 and the remainder of this polynomial division is 8 x 4. x 2 x+1 Now we will have a look at an example for a reduction within the polynomial ring F 7 [x, y,z] of a multivariate polynomial f = 6 x y 2 z + 2 y z reduced by a multivariate polynomial p = 2 x y + 3 x. The degree-lexicographical term order is used. First we need to find a term t in f so that the head term of p (HT(p ) = x y) divides this term t. In our example we find t = x y 2 z (= HT( f )). Then we need to do a similar division as in the univariate case to find the factor with which we have to multiply p : 6 x y2 z 2 x y = 3 y z. Like in the univariate case the following difference calculates a remainder r 1 = f 3 y z p = 5 x y z+2 y z. This procedure is continued until no term of the current remainder r can be divided by the head i term of p. Consider the following short summary of the calculation for comparison: f = 6 x y 2 z + 2 y z p = 2 x y + 3 x r = f 3 y z p = 5 x y z + 2 y z 1 r = r z p = 3 x z + 2 y z The computation ends with r 2 as remainder because there is no term in r that can 2 be divided by HT(p ). When reducing with a set of polynomials P the computation is continued as long as the head term HT(p ) of one of the polynomials p of the set P can divide a term of 16

27 2.5. Reduction of Polynomials the current remainder r. The complete algorithm is defined formally as Algorithm 1 i (see p. 19). Definition 2.51 (normal form) Let f,p, g K[X] with f,p 0, and let P K[X]. If f is not reducible modulo p (modulo P), then we say f is in normal form modulo p (modulo P). A normal form of f modulo P is a polynomial g that is in normal form modulo P and satisfies f g, P where P is the reflexive-transitive closure of P. For example the r 2 = 3 x z + 2 y z from above is in normal form modulo p = 2 x y + 3 x and r 2 is a normal form of f = 6 x y 2 z + 2 y z modulo {p }. Definition 2.52 (top-reduction) Let f,p, g K[X] with f,p 0, let t T, and let P K[X]. We call f g[t] p a top-reduction of f if t = HT( f ). Whenever a top-reduction of f exists (with p P), we say that f is top-reducible modulo p (modulo P). Lemma 2.3 Let f, g, p K[X] and P K[X]. Then the following hold: (i) f is reducible modulo p there exists t T( f ) such that HT(p) t. (ii) If f p f mp for some monomial m M, then HT(mp) T( f ). (iii) Suppose f g[t], t T( f ). Then t T(g), while t T with t > t, we have p t T( f ) if and only if t T(g). In fact, m M( f ) if and only if m M(g) for every monomial m > t. (iv) If f p g, then g < f. (v) If f P g, then g f, and g = 0 or HT(g) HT( f ). Statement (i) of the previous lemma is important for detecting in an algorithm whether a polynomial f is reducible modulo another polynomial p and in case it is reducible which term t T( f ) can be eliminated. The following theorem is an immediate consequence of statement (iv) of the previous lemma, and Theorem 2.3 which states that the order on K[X] is well-founded, and Lemma 4.73 in [BKW93, p. 175]. THEOREM 2.4 The relation P is a noetherian reduction relation on K[X] for every P K[X]. 17

28 Chapter 2. Algebraic Fundamentals This theorem is used in the proof of the next theorem to show that the reduction algorithm terminates. As already hinted the following theorem gives us a mean to compute reductions of polynomials modulo sets of polynomials the algorithm POLYREDUCTION. THEOREM 2.5 (polynomial reduction) Let P K[X] and f K[X]. Then there exists a normal form g K[X] of f modulo P and a family F = {q p } p P of elements of K[X] with f = q p p + g and max{ht(q p p) p P, q p p 0} HT( f ). p P If P is finite, the ground field K is computable, and the term order on T is decidable, then g and {q p } p P can be computed from f and P. Proof. The steps of the algorithm POLYREDUCTION are a mathematical construction that prove the existence of q p (p P) and g. Let g i be the value of the polynomial g after the i-th run through the while-loop with g 0 = f. Termination: Suppose the while-loop does not terminate. Then there would be an infinite chain g 0 P g 1 P which violates the fact that the reduction relation is noetherian (cf. Theorem 2.4). Correctness: As we already showed that the algorithm terminates, we can assume that there are N runs through the while-loop. We have i {0,...,N 1} : g i P g i+1 which implies that f equation P g is a invariant of the loop. Another loop invariant is the f = q p p + g. p P The last loop invariant max{ht(q p p) p P, q p p 0} HT( f ) is proven by induction. For the initialization it is trivially true. Suppose it is true after the i-th run (i {0,...,N 1}). We have HT(g i ) HT( f ) by Lemma 2.3 ((v)) and the first invariant. Let m p be the polynomial that is being subtracted from g i during the next run. Then HT(m p) T(g i ) and so HT(m p) HT(g i ) HT( f ). The claim follows easily from Lemma 2.2 (iv). Theorem 2.5 tells us that we can compute a normal form under the mentioned assumptions. The algorithm POLYREDUCTION (Algorithm 1) shows us how it is done. 18

29 2.5. Reduction of Polynomials Algorithm 1 POLYREDUCTION Polynomial reduction f P g (cf. [BKW93, p. 199]) Given: a finite subset P K[X] and f K[X] Find: a normal form g of f modulo P and a family F = {q p } p P of polynomials with f = p P q p p + g and max{ht(q p p) p P,q p p 0} HT( f ) begin 1: q p 0 ( p P) 2: g f 3: while g is reducible modulo P do 4: select p P such that g is reducible modulo p 5: determine a monomial m with g p g mp 6: g g mp 7: q p q p + m 8: end 9: F {q p } p P 10: return (F, g) end The following lemma shows some properties of the reduction relation concerning the multiplication. Lemma 2.4 Let P K[X] and f, g,h K[X], and let m M. (i) If f P, then h f 0. P (ii) If f P g, then m f P mg. (iii) If f P g, then m f P mg. In particular, f P 0 implies m f P 0. Lemma 2.5 (TRANSLATION LEMMA) Let f, g,h,h 1 K[X], and let P K[X]. (i) If f g = h and h h 1, then there exist f 1, g 1 KX such that f 1 g 1 = h 1, f f 1, P P and g P g 1. (ii) If f g P 0, then f P g, and so in particular f P g. Next, we relate polynomial reduction in K[X] to congruence relations on K[X] induced by ideals in K[X]. Therefore remember the definition of an ideal (see Definition 2.8). Definition 2.53 (generated polynomial ideal) For every P K[X], we let Id(P) be the polynomial ideal generated by P in K[X], i.e., the set of all finite linear combinations hi p i with h i K[X] and p i P (cf. Definition 2.9). Definition 2.54 (congruence relation modulo I) Let I be an ideal in K[X] and let f, g K[X], then the equivalence relation I defined by f I g f g I 19

30 Chapter 2. Algebraic Fundamentals is called the congruence relation modulo I on K[X]. Furthermore, f I g implies that f I g I. Lemma 2.6 Let P K[X] and let f, g K[X]. Then f Id(P) g f P g. In particular, f P g implies f g Id(P), and f P 0 implies f Id(P). In other words the previous lemma states a way to solve the membership problem of ideals (partly), that is to decide whether a polynomial is element of a polynomial ideal is possible in case the polynomial reduces to zero modulo the ideal base. If it does not, we cannot say anything about whether it might be a member of the ideal or not. To get a complete solution there remains more to do. Let K be a field; for the following definitions (and also later) we use the substitution homomorphism 1 for polynomials and denote the image of a polynomial f K[X] by f (c 1,...,c n ), where (c 1,...,c n ) T K n. As a shortcut we will also write f (c) where c = (c 1,...,c n ) T K n. Definition 2.55 (zero of a polynomial) Let K be a field. An n-tuple c K n is called a zero of the polynomial f if f (c) = 0. The previous definition can be extended for lists of polynomials or their generated ideals. Definition 2.56 (zero of an ideal, variety) Let K be a field, z K n and P K[X]. Then we say that z is a zero of P if it is a zero of every p P. The variety V(P) of P in K n is the set of all zeroes of P in K n, that is V(P) = {x K n f P : f (x) = 0}. We can also define the variety V(I) for ideals I K[X] as V(I) = {x K n f I : f (x) = 0}. Every zero of P is a zero of Id(P). Thus we have V(P) = V(Id(P)). Definition 2.57 (vanishing ideal) Let V K n. Then the vanishing ideal I(V) of V is defined by I(V) = { f x V : f (x) = 0 }. 1 The substitution homomorphism is defined in Lemma 2.17 (i) in [BKW93, pp.74-75]. 20

31 2.5. Reduction of Polynomials Definition 2.58 (monic, reduced) Let P K[X]. Then P is called monic if every p P is monic; P is called reduced (or autoreduced) if every p P is monic and in normal form modulo P \ {p}. The goal of the algorithm mentioned in the next theorem is to take an ideal basis and compute a basis that generates the same ideal with the property that each of its polynomials is in normal form modulo the other polynomials. THEOREM 2.6 Let P be a finite subset of K[X]. Suppose the ground field is computable and the term order on T is decidable. Then the algorithm BASISREDUCTION (Algorithm 2) computes a finite reduced subset Q K[X] such that Id(Q) = Id(P). Algorithm 2 BASISREDUCTION Ideal basis reduction Given: a finite subset P K[X] Find: a finite reduced set Q K[X] with Id(Q) = Id(P) begin 1: Q P 2: while p Q which is reducible modulo Q \ {p} do 3: select p Q which is reducible modulo Q \ {p} 4: Q Q \ {p} 5: h some normal form of p modulo Q 6: if h 0 then 7: Q Q {h} 8: end 9: end 10: Q {(HC(q)) 1 q q Q} 11: return Q end Proof. Correctness: It is easy to see that Id(Q) = Id(P) is an invariant of the whileloop since the algorithm only deletes polynomials p from Q that reduce to 0 modulo Q \ {p}. Correctness follows immediately from the while-clause now. Termination: Let P = {p 1,...,p m } be any input set. We may regard P as an ordered m-tuple (p 1,...,p m ) rather than a set. A polynomial p i (1 i m) that is selected in the while-loop is replaced by its reduct h modulo Q \ {p} even if h = 0. Let now Q i be the m-tuple after the i-th run through the loop. Assume that the algorithm does not terminate. At least one entry is changed when passing from Q i to Q i+1. So there must be a k {1,...,m} so that the k-th entry changes infinitely many times. But a zero entry never changes back to something non-zero and all other changes replace some polynomial p by h < p. Hence, we are looking at a strictly descending chain w.r.t. the induced quasi-order on K[X], which is impossible. 21

32 Chapter 2. Algebraic Fundamentals Let us have a look at a small example for clarification. We use polynomials f, g,h F 3 [x, y,z] with f = x z + y g = x y + z h = x z 2 + x z + y and a degree lexicographical term order with x > y > z (inverse lexicographical). We want to compute a reduced subset Q F 3 [x, y,z] of P = { f, g,h} with Id(Q) = Id(P) using the algorithm BASISREDUCTION. The following table shows the steps of the algorithm depending on the while loop. The first column contains the current loop number where zero stands for initialization before the loop. The second column holds the reducible polynomial whose reduction is shown in the third column. The last column lists the current ideal basis Q i after the end of loop i. i p Q i reduction resulting ideal basis 0 Q 0 = P = {x z + y,x y + z,x z 2 + x z + y} } {{ }} {{ }} {{ } = f =g =h 1 h r 1 = h z f = x z y z + y Q 1 = {x z + y,x y + z,x z y z + y} } {{ }} {{ }} {{ } = f =g =r 1 2 f r 2 = f r 1 = y z Q 2 = {x y + z,x z y z + y, y z } } {{ }} {{ }}{{} =g =r 1 =r 2 3 r 1 r 3 = r 1 ( 1) r 2 = x z + y Q 3 = {x y + z, y z,x z + y} } {{ }}{{}} {{ } =g =r 2 =r 3 (= f ) The algorithm terminates after loop 3 as Q 3 does not contain any reducible polynomial. Being monic, the polynomials of Q 3 do not have to be divided by their particular head coefficient. So the result is Q = Q Conclusion In this chapter we introduced the basic definitions which we need to explain the theory of Gröbner basis. We explained term orderings which are essential for the computation of Gröbner bases. The polynomial reduction was introduced and an algorithm for its computation was presented. Finally, we described an algorithm to create a reduced ideal basis from a given ideal basis. 22

33 3 Fundamentals of Gröbner Bases This chapter is an introduction to the theory of Gröbner bases. In the first section we will define the Gröbner basis of an ideal and cite the theorem for its existence. In Section 2 we will describe the BUCHBERGER ALGORITHM which computes a Gröbner basis for a given ideal and give a small example for such a computation. Consecutively, we will discus improvements for the BUCHBERGER ALGORITHM and their theoretical basics. Thereafter we will make a short note on the runtime complexity of the BUCHBERGER ALGORITHM. Finally, we will finish the chapter with explaining how Gröbner bases can be used to solve non-linear algebraic equation systems. Throughout the whole chapter we use a field K as ground ring for the polynomial ring K[X]. In addition to that we fix a term order on T and denote the induced linear quasi-order on K[X] by also. We will only quote the proofs for some important theorems from [BKW93]. 3.1 Definition, Existence and Uniqueness One motivation which leads to Gröbner bases is the following question 1 : Given a finite set P K[X], is it possible to construct another finite set G K[X] such that Id(P) = Id(G) and is locally confluent? G This can be answered with yes and leads to Gröbner bases which is outlined in this section. First we need to define the set of all terms that are divisible by the terms of a given set of terms which is used in the subsequent theorem. Definition 3.1 (set of all multiples) Let subset S T. Then mult(s) = {t T s S : s t} denotes the set of all multiples of elements of S. The equivalences listed in the next theorem are the distinguishing conditions for a Gröbner basis which are used in its definition later on. 1 quoted from [BKW93, p. 205] for a more detailed motivation see pp. 204ff 23

34 Chapter 3. Fundamentals of Gröbner Bases THEOREM 3.1 Let G be a subset of K[X]. Then the following are equivalent: 1 (i) G is locally confluent. (ii) G is confluent. (iii) G has unique normal forms. (iv) f G 0 for all f Id(G). (v) Every 0 f Id(G) is reducible modulo G. (vi) Every 0 f Id(G) is top-reducible modulo G. (vii) For every s HT(Id(G)) there exists t HT(G) with t s. (viii) HT(Id(G)) mult(ht(g)). (ix) The polynomials h K[X] that are in normal form w.r.t. G form a system of unique representatives for the partition { f + Id(G) f K[X]} of K[X]. Definition 3.2 (Gröbner basis) A subset G of K[X] is called a Gröbner basis (with respect to the term order ) if it is finite, 0 G, and satisfies the equivalent conditions of Theorem 3.1. If I is an ideal of K[X], then a Gröbner basis of I (w.r.t. ) is a Gröbner basis G (w.r.t. ) such that Id(G) = I. The previous theorem lists equivalences (iv) (ix) regarding Id(G) which are part of the definition of a Gröbner basis G. The converse is stated by the following theorem for the case that G is a Gröbner basis of I. THEOREM 3.2 Let I be an ideal of K[X] and G a finite subset of I with 0 G. Then each of the following is equivalent to G being a Gröbner basis of I. 2 (i) f I : f G 0. (ii) Every 0 f I is reducible modulo G. (iii) Every 0 f I is top-reducible modulo G. (iv) s HT(I) : t HT(G) : t s. (v) HT(I) mult(ht(g)). (vi) The polynomials h K[X] that are in normal form w.r.t. G form a system of unique representatives for the partition { f + I f K[X]} of K[X]. THEOREM 3.3 (Existence of a Gröbner basis) Let I be an ideal of K[X]. Then there exists a Gröbner basis G of I w.r.t For a proof see Theorem 5.35 in [BKW93, p. 206]. 2 For a proof see Proposition 5.38 in [BKW93, p. 207]. 3 For a complete proof see Theorem 5.41 in [BKW93, p. 208]. 24

35 3.2. Buchberger Algorithm Proof sketch. First we would have to show that the set HT(I) has a finite basis S with respect to divisibility. Now we know t S f t I : HT( f t ) = t. Let G = { f t t S}. Then G satisfies condition (iv) from Theorem 3.2. Hence, G is a Gröbner basis of I. As we have seen, the proof for the existence of a Gröbner basis G for an ideal I K[X] is non-constructive which means that it does not give us an algorithm to compute a Gröbner basis for a given ideal. To obtain an algorithm we need some more theory. A Gröbner basis of an ideal I is not uniquely determined by I. Therefore we introduce the following definition. Definition 3.3 (reduced Gröbner basis) A Gröbner basis that is reduced in the sense of Definition 2.58 is called a reduced Gröbner basis. THEOREM 3.4 (Existence of a reduced Gröbner basis) Let I be an ideal of K[X]. Then there exists a unique reduced Gröbner basis G of I w.r.t.. 1 From the previous theorem we know that for a given ideal I K[X] there exists a reduced Gröbner basis of I which is uniquely determined by the ideal I. 3.2 Buchberger Algorithm This section summarizes the theory and the algorithms to test whether a set of polynomials is a Gröbner basis and to construct a Gröbner basis for a given ideal which can be done by the so-called BUCHBERGER ALGORITHM. From Theorem 3.3 and Theorem 3.4 we know that for each ideal I K[X] there exists a unique Gröbner basis (in fact a reduced Gröbner basis). But the proofs of these theorems are not constructive and provide no means to construct a Gröbner basis nor to recognize whether a given set of polynomials in K[X] is a Gröbner basis. The problem with recognizing that a set of polynomials is a Gröbner basis of a given ideal is that the characterizations of the previous section depend on infinitely many tests. Since infinitely many tests are not manageable for an algorithm one of our goals is to find a characterization of a Gröbner basis with finitely many tests. To motivate the next lemma and explain the idea of Gröbner basis algorithms in general we use the example from [BKW93, p. 210]: 1 For a proof see Theorem 5.43 in [BKW93, p. 209]. 25