Faster Satisfiability Algorithms for Systems of Polynomial Equations over Finite Fields and ACC^0[p]

Similar documents
Deterministic APSP, Orthogonal Vectors, and More:

Recent Developments on Circuit Satisfiability Algorithms

CSC 2429 Approaches to the P vs. NP Question and Related Complexity Questions Lecture 2: Switching Lemma, AC 0 Circuit Lower Bounds

3-SAT Faster and Simpler - Unique-SAT Bounds for PPSZ H. PPSZ Hold in General

An algorithm for the satisfiability problem of formulas in conjunctive normal form

Meta-Algorithms vs. Circuit Lower Bounds Valentine Kabanets

Finite fields, randomness and complexity. Swastik Kopparty Rutgers University

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

1. Introduction Recap

EXPONENTIAL LOWER BOUNDS FOR DEPTH THREE BOOLEAN CIRCUITS

Polynomial Representations of Threshold Functions and Algorithmic Applications. Joint with Josh Alman (Stanford) and Timothy M.

A Duality between Clause Width and Clause Density for SAT

Clause Shortening Combined with Pruning Yields a New Upper Bound for Deterministic SAT Algorithms

Fine Grained Counting Complexity I

The Time Complexity of Constraint Satisfaction

On Quantum Versions of Record-Breaking Algorithms for SAT

NP-Complete problems

An Improved Upper Bound for SAT

How proofs are prepared at Camelot

Notes for Lecture 25

Computational Complexity of Inference

20.1 2SAT. CS125 Lecture 20 Fall 2016

Complexity Theory of Polynomial-Time Problems

A Probabilistic Algorithm for -SAT Based on Limited Local Search and Restart

Majority is incompressible by AC 0 [p] circuits

The Complexity of Satisfiability of Small Depth Circuits

Exponential time vs probabilistic polynomial time

Connections between exponential time and polynomial time problem Lecture Notes for CS294

Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL

On the Complexity of the Hybrid Approach on HFEv-

Holger Dell Saarland University and Cluster of Excellence (MMCI) Simons Institute for the Theory of Computing

On the Average-case Complexity of MCSP and Its Variants. Shuichi Hirahara (The University of Tokyo) Rahul Santhanam (University of Oxford)

On the correlation of parity and small-depth circuits

Algebraic Proof Systems

Geometric Problems in Moderate Dimensions

Some Depth Two (and Three) Threshold Circuit Lower Bounds. Ryan Williams Stanford Joint work with Daniel Kane (UCSD)

Deterministic APSP, Orthogonal Vectors, and More: Quickly Derandomizing Razborov-Smolensky

Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited

Takayuki Sakai (Kyoto University) Joint work with Kazuhisa Seto (Seikei University) Suguru Tamaki (Kyoto University) 1

Strong ETH Breaks With Merlin and Arthur. Or: Short Non-Interactive Proofs of Batch Evaluation

Hidden Field Equations

CSE 3500 Algorithms and Complexity Fall 2016 Lecture 25: November 29, 2016

Proof Complexity of Quantified Boolean Formulas

On Probabilistic ACC Circuits. with an Exact-Threshold Output Gate. Richard Beigel. Department of Computer Science, Yale University

New Directions in Multivariate Public Key Cryptography

On converting CNF to DNF

A FINE-GRAINED APPROACH TO

On the Structure and the Number of Prime Implicants of 2-CNFs

1 Randomized Computation

Solving SAT for CNF formulas with a one-sided restriction on variable occurrences

RESOLUTION OVER LINEAR EQUATIONS AND MULTILINEAR PROOFS

Intro to Theory of Computation

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Lecture 26. Daniel Apon

Résolution de systèmes polynomiaux structurés et applications en Cryptologie

P, NP, NP-Complete, and NPhard

The Parity of Set Systems under Random Restrictions with Applications to Exponential Time Problems 1

Boolean and arithmetic circuit complexity

Certifying polynomials for AC 0 [ ] circuits, with applications

Gröbner Bases Techniques in Post-Quantum Cryptography

NP-COMPLETE PROBLEMS. 1. Characterizing NP. Proof

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Approximating Multilinear Monomial Coefficients and Maximum Multilinear Monomials in Multivariate Polynomials

Lecture 5 Polynomial Identity Testing

ALGEBRAIC PROOFS OVER NONCOMMUTATIVE FORMULAS

Polynomial Identity Testing and Circuit Lower Bounds

Local Reductions. September Emanuele Viola Northeastern University

An Improved Deterministic #SAT Algorithm for Small De Morgan Formulas

Introduction to Interactive Proofs & The Sumcheck Protocol

Algorithms for Testing Monomials in Multivariate Polynomials

: On the P vs. BPP problem. 18/12/16 Lecture 10

Limiting Negations in Non-Deterministic Circuits

NP Complete Problems. COMP 215 Lecture 20

Complexity Theory of Polynomial-Time Problems

Quantum Versions of k-csp Algorithms: a First Step Towards Quantum Algorithms for Interval-Related Constraint Satisfaction Problems

TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor

Ben Lee Volk. Joint with. Michael A. Forbes Amir Shpilka

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

COMPUTATIONAL COMPLEXITY

CS154, Lecture 15: Cook-Levin Theorem SAT, 3SAT

NP-Complete Reductions 1

Algebraic Aspects of Symmetric-key Cryptography

arxiv: v1 [cs.ds] 10 Jun 2009

NP-Completeness. Andreas Klappenecker. [based on slides by Prof. Welch]

Counting Points on Curves of the Form y m 1 = c 1x n 1 + c 2x n 2 y m 2

Exponential Complexity of Satisfiability Testing for Linear-Size Boolean Formulas

Umans Complexity Theory Lectures

CS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5

The Strength of Multilinear Proofs

The complexity of Unique k-sat: An Isolation Lemma for k-cnfs

Lecture 3: Nondeterminism, NP, and NP-completeness

MI-T-HFE, a New Multivariate Signature Scheme

Improved Cryptanalysis of HFEv- via Projection

MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis

Hardness amplification proofs require majority

Branching. Teppo Niinimäki. Helsinki October 14, 2011 Seminar: Exact Exponential Algorithms UNIVERSITY OF HELSINKI Department of Computer Science

Stanford University CS254: Computational Complexity Handout 8 Luca Trevisan 4/21/2010

Simple Matrix Scheme for Encryption (ABC)

CS21 Decidability and Tractability

Enumeration: logical and algebraic approach

Transcription:

Faster Satisfiability Algorithms for Systems of Polynomial Equations over Finite Fields and ACC^0[p] Suguru TAMAKI Kyoto University Joint work with: Daniel Lokshtanov, Ramamohan Paturi, Ryan Williams Satisfiability Lower Bounds and Tight Results for Parameterized and Exponential-Time Algorithms November 6, 2015, Simons Institute, Berkeley, CA

Systems of Polynomial Equations have been studied for more than 300 years: Resultant and Elimination Theory were used by 関孝和 1642-1708 Étienne Bézout 1730-1783 (Pictures from Wikipedia) 2

Our Problem: SysPolyEqs(q) Systems of Polynomial Equations over GF[q] Input: GF[q] polynomials p 1, p 2,, p m in formal variables x 1, x 2,, x n e.g. q = 3, p 1 = 2x 1 2 x 2 2 x 3 + x 3 2 x 4, p 2 = x 1 x 2 + x 2 2 + 1 Task: find a satisfying assignment a GF[q] n i.e. p 1 (a) = p 2 (a) = = p m (a) = 0 holds e.g. (x 1, x 2, x 3, x 4 ) = (2,2,1,1) (#SysPolyEqs(q) denotes the counting version) 3

Complexity of SysPolyEqs(q) P if each polynomial has degree 1 (linear equations) NP-complete if each polynomial has degree 2 Satisfying a 2 1 d 2 1 2d + ε fraction of equations is NP-hard on satisfiable instances when q = 2, degree d [Hastad 11] Best worst-case upper bound: q n poly(input-size) (even if q = 2, degree 2) Input: GF[q] polynomials p 1, p 2,, p m in formal variables x 1, x 2,, x n Task: find a satisfying assignment a GF[q] n i.e. p 1 (a) = p 2 (a) = = p m (a) = 0 holds 4

SysPolyEqs(q) as Hardness Assumption Crypto-systems assuming the hardness of: 1. Enumerating all satisfying assignments Hidden Fields Equations (HFE) [Patarin 96, ] Unbalanced Oil and Vinegar signature schemes (UOV) [Kipnis- Patarin-Goubin 99, ] McEliece variants [Faugere-Otmani-Perret-Tillich 10, ] Polly cracker [Albrecht-Faugere-Farshim-Perret 11, ] 2. Finding one satisfying assignment QUAD [Berbain-Gilbert-Patarin 06,09, ] Matsumoto-Imai public key scheme [- 88, ] 5

SysPolyEqs(q) as Hardness Assumption Strong Exponential Time Hypothesis (q n is necessary) for SysPolyEqs(q) on degree 2 instances implies: The current best algorithm for the Listing Triangles problem is optimal [Björklund-Pagh-Vassilevska Williams-Zwick'14] Beating brute force for the GF(q)-weight k-clique problem is impossible [Vassilevska-Williams'09] 6

Previous Algorithms Groebner Basis: used in practice, double exponential time in the worst case 2 n(1 ε) or polynomial time algorithms for SysPolyEqs(2) on degree 2 instances are known if instances satisfy some conditions e.g. [Yang-Chen'04,Bardet-Faugere-Salvy- Spaenlehauer'13,Miura-Hashimoto-Takagi'13, ] q n/2 length ``proof for the unsatisfiability of SysPolyEqs(q) on degree 2 instances [Woods 98] (i.e. co-nondeterministic algorithm for SAT) 7

Our Result 1 [randomized, search, bounded degree] SysPolyEqs(q) on degree k instances can be solved in randomized time q n(1 1/O(qk)) For q = k = 2, an important case for cryptography, we get the bound 2 0.8765n Input: GF[q] polynomials p 1, p 2,, p m in formal variables x 1, x 2,, x n Task: find a satisfying assignment a GF[q] n i.e. p 1 (a) = p 2 (a) = = p m (a) = 0 holds 8

Our Result 2 [deterministic, counting, bounded degree, prime field] For a prime q, #SysPolyEqs(q) on degree k instances can be solved in deterministic time q n(1 1/O(qk)) Input: GF[q] polynomials p 1, p 2,, p m in formal variables x 1, x 2,, x n Task: find a satisfying assignment a GF[q] n i.e. p 1 (a) = p 2 (a) = = p m (a) = 0 holds 9

Our Result 3 [deterministic, counting, unbounded degree, GF(2)] For s =the total number of monomials, #SysPolyEqs(2) can be solved in deterministic time 2 n(1 1/O(log(s/n))) Remark: exponentially faster than 2 n if s = O(n) Input: GF[q] polynomials p 1, p 2,, p m in formal variables x 1, x 2,, x n Task: find a satisfying assignment a GF[q] n i.e. p 1 (a) = p 2 (a) = = p m (a) = 0 holds 10

Our Result 4 [deterministic, counting, unbounded degree, GF(2)] GenSysPolyEqs(2) Input: ΣΠΣ circuits (sum of products of linear forms) p 1, p 2,, p m in formal variables x 1, x 2,, x n e.g. p 1 = x 1 + x 2 + 1 x 2 + x 3 + x 1 + x 4 x 2 + 1 Result: For s =the total number of products of linear forms, #GenSysPolyEqs(2) can be solved in deterministic time 2 n(1 1/O(log(s/n))) Remark: exponentially faster than 2 n if s = O(n) 11

Remark (k-)cnf SAT is a special case of SysPolyEqs(2) (on degree k instances) e.g. C 1 = x 1 x 2 x 3 p 1 = x 1 1 + x 2 1 + x 3 C 2 = x 1 x 3 x 4 p 2 = 1 + x 1 x 2 x 2 C 3 = x 2 x 3 x 4 p 3 = 1 + x 1 1 + x 2 1 + x 3 C 1 = C 2 = C 3 = 1 p 1 = p 2 = p 3 = 0 12

Optimality of Our Results 1. SysPolyEqs(2) on degree k instances can be solved in time 2 n(1 1/O(k)) 1. k-cnf SAT can be solved in time 2 n(1 1/k) [Paturi-Pudlak-Zane 97, ] 2. For s =the total number of products of linear forms, GenSysPolyEqs(2) can be solved in time 2 n(1 1/O(log(s/n))) 2. For s =the number of clauses, n(1 1/(2 log(s/n))) CNF SAT can be solved in time 2 [Schuler 05,Calabro-Impagliazzo-Paturi 06, ] 13

Our Techniques Polynomial Method in Circuit Complexity (originally used for proving circuit size lower bounds) We use (extensions of) 1. fast evaluation algorithms for polynomials [Yates 37, ] 2. approximation of polynomials by low degree probabilistic polynomials [Razborov 87,Smolensky 87] and its derandomization [Chan-Williams 16] 3. Schuler s width reduction for CNF-SAT [Schuler 05, ] 14

Cf. Polynomial Method AC 0 [q]-circuit: bounded depth, unbounded-fan-in Boolean circuit with AND/OR/NOT/mod q gates Circuits Lower Bounds by [Razborov 87,Smolensky 87]: 1. AC 0 [q]-circuit can be well approximated by a low-degree GF(q) polynomial 2. majority, mod r cannot be well approximated by a low-degree GF(q) polynomial 3. 1+2 majority, mod r AC 0 [q]-circuit Item 1 is useful in algorithm design 15

Algorithms via Polynomial Method (In what follows, we focus on GF(2)) 16

Our Tool 1 Lemma[Fast Evaluation [Yates 37, ]] Let p: {0,1} n 0,1 be a GF(2)-polynomial represented as a sum of monomials, then, the truth table of p can be generated in time poly n 2 n Note: The number of monomials in p can be 2 n If we evaluate p(x) for each x {0,1} n, then it takes poly n 4 n 17

Basic Idea Input: degree k polynomials p 1, p 2,, p m 1. Define P: 0,1 n 0,1 as P (p 1 +1)(p 2 +1) (p m +1) p 1 x = p 2 x = = p m x = 0 P x = 1 P might contain 2 n monomials when represented as a sum of monomials 2. Define R: 0,1 n n 0,1 for some n < n as R y (P y, a + 1) a 0,1 n x, P x = 1 y, R y = 0 Each P(y, a) might contain 2 n n monomials 18

Basic Idea Observation: If we can write R y as a sum of monomials in time 2 n n, we can also solve the problem in time poly n 2 n n by the Fast Evaluation Lemma Note: straitfoward expansion needs 2 n n 2 n 2 n 1. Define P: 0,1 n 0,1 as P (p 1 +1)(p 2 +1) (p m +1) 2. Define R: 0,1 n n 0,1 for some n < n as R y (P y, a + 1) a 0,1 n x, p 1 x = p 2 x = = p m x = 0 y, R y = 0 Each P(y, a) might contain 2 n n monomials 19

Our Tool 2 Definition: For s 1,, s d 0,1 n, define degree d polynomial Q {si }: 0,1 n 0,1 as d Q si (x) i=1 (s i, x) + 1, where (s i, x) j [n] (s i ) j x j Intuition: Q {si } i n x i + 1 Lemma[Probabilistic Polynomial [Razborov 87,Smolensky 87]] Select random s 1,, s d uniformly and independently, then, for every non-zero x 0,1 n, Pr[Q si x = 0] = 1 2 d (cf. Pr[Q si 0 = 1] = 1) 20

Our Algorithm for degree k Input: degree-k polynomials p 1, p 2,, p m 1. Define P: 0,1 n 0,1 as P (p 1 +1)(p 2 +1) (p m +1) 2. Define R: 0,1 n n 0,1 for some n < n as R y (P y, a + 1) a 0,1 n 3. Replace each product by a probabilistic polynomial and write R as a sum of monomials p 4. Construct the truth table T of p if T contains an entry with 0, the input has a solution 5. Repeat 3-4 and take the majority voting of T s 21

Analysis of Our Algorithm Input: degree-k polynomials p 1, p 2,, p m 1. Define P: 0,1 n 0,1 as P (p 1 +1)(p 2 +1) (p m +1) 2. Define R: 0,1 n n 0,1 for some n < n as R y (P y, a + 1) a 0,1 n 3. Replace each product by a probabilistic polynomial and write R as a sum of monomials p Step 3 takes time poly n 2 n n if each product is replaced by a low degree polynomial 22

Our Result 1 SysPolyEqs(q) on degree k instances can be solved in randomized time q n(1 1/O(qk)) For q = k = 2, an important case for cryptography, we get the bound 2 0.8765n Input: GF[q] polynomials p 1, p 2,, p m in formal variables x 1, x 2,, x n Task: find a satisfying assignment a GF[q] n i.e. p 1 (a) = p 2 (a) = = p m (a) = 0 holds 23

On Deterministic Algorithms 1. Derandomization of probabilistic polynomials due to Razoborov-Smolensky [Chan-Williams 16] small biased space [Naor-Naor 90, ] modulus amplifying polynomial [Toda 89,Yao 90,Beigel- Tarui 91] 2. Fast evaluation algorithms for non-multilinear integer polynomials fast rectangular matrix multiplication [Coppersmith 82,,LeGall 12] 24

Our Algorithm for unbounded degree Input: polynomials p 1, p 2,, p m 1. [Degree Reduction] generate exponentially many instances of SysPolyEqs(2) such that (1) original input has a solution if and only if at least one of generated instances has a solution (2) generated instances have degree at most k 2. Apply the algorithm for degree k 25

Our Algorithm for unbounded degree Degree Reduction: while there is a monomial of degree > k e.g. p 1 =x 1 x k x k+1 x n + generate two instances as I-1: x 1 x k = 1, i.e., x 1 = = x k = 1 I-2: x 1 x k = 0 (added as a polynomial equation) Note: Degree reduction can be generalized to handle ΣΠΣ circuits (sum of products of linear forms) by ``Simplification Rules based on ``change of basis in Linear Algebra 26

Conclusion 27

Our Results 1. SysPolyEqs(q) on degree k instances can be solved in randomized time q n(1 1/O(qk)) 2. For q = k = 2, an important case for cryptography, we get the bound 2 0.8765n 3. For a prime q, #SysPolyEqs(q) on degree k instances can be solved in deterministic time q n(1 1/O(qk)) 4. For s =the total number of products of linear forms, #GenSysPolyEqs(2) can be solved in deterministic time 2 n(1 1/O(log(s/n))) Optimality: Improvement requires that for (k-)cnf SAT 28

Future Directions Similar running time in polynomial space Degree Reduction for PolySysEqs(q), q 2 Beating Brute Force for other problems using the Polynomial Method Develop/Apply Fast Evaluation Algorithms for more expressive classes than polynomials Thank you for your attention! 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback