Holger Dell,Anselm Haak,Melvin Kallmayer,Leo Wennmann

2024-10-26

Abstract:We present a randomized algorithm for solving low-degree polynomial equation systems over finite fields faster than exhaustive search. In order to do so, we follow a line of work by Lokshtanov, Paturi, Tamaki, Williams, and Yu (SODA 2017), Björklund, Kaski, and Williams (ICALP 2019), and Dinur (SODA 2021). In particular, we generalize Dinur's algorithm for $\mathbb{F}_2$ to all finite fields, in particular the "symbolic interpolation" of Björklund, Kaski, and Williams, and we use an efficient trimmed multipoint evaluation and interpolation procedure for multivariate polynomials over finite fields by Van der Hoeven and Schost (AAECC 2013). The running time of our algorithm matches that of Dinur's algorithm for $\mathbb{F}_2$ and is significantly faster than the one of Lokshtanov et al. for $q>2$. We complement our results with tight conditional lower bounds that, surprisingly, we were not able to find in the literature. In particular, under the strong exponential time hypothesis, we prove that it is impossible to solve $n$-variate low-degree polynomial equation systems over $\mathbb{F}_q$ in time $O((q-\varepsilon)^{n})$. As a bonus, we show that under the counting version of the strong exponential time hypothesis, it is impossible to compute the number of roots of a single $n$-variate low-degree polynomial over $\mathbb{F}_q$ in time ${O((q-\varepsilon)^{n})}$; this generalizes a result of Williams (SOSA 2018) from $\mathbb{F}_2$ to all finite fields.

Computational Complexity,Data Structures and Algorithms

TANG Min,QI Niu-niu,DENG Guo-qiang

DOI: https://doi.org/10.3969/j.issn.1007-130x.2023.04.005

2023-01-01

Abstract:Sparse multivariate polynomial interpolation is an effective strategy to reconstruct black box functions by using the sparse structure of polynomials and the given interpolation point information, which is widely used in science and engineering fields. The complexity of the traditional sparse interpolation algorithm based on Prony method is related to the number and degree of polynomial terms, and the efficiency is low when en-countering large-scale problems due to the execution of multiple high-order algebraic operations. Therefore, this paper proposes a sparse multivariate polynomial interpolation algorithm based on polynomial coefficient parsing. The core operation is to resolve the coefficients of univariate polynomials by using modular arithmetic, which avoids the solution of higher-order equations and finding the roots of higher order equation in the traditional method. In this method, black box polynomial is regarded as a univariate polynomial with one variable as the principal component, and the multivariate polynomial is recovered by parsing the values of the coefficient polynomials of the principal component at different interpolation point. Theoretical analysis and numerical experiments show that the algorithm is effective and feasible.

Jianting Yang,Ke Ye,Lihong Zhi

2023-10-26

Abstract:The problem of verifying the nonnegativity of a function on a finite abelian group is a long-standing challenging problem. The basic theory of representation theory of finite groups indicates that a function $f$ on a finite abelian group $G$ can be written as a linear combination of characters of irreducible representations of $G$ by $ f(x)=\sum_{\chi \in \widehat{G}} \widehat{f} (\chi)\chi(x)$, where $\widehat{G}$ is the dual group of $G$ consisting of all characters of $G$ and $ \widehat{f} (\chi)$ is the Fourier coefficient of $f$ at $\chi \in \widehat{G}$. In this paper, we show that by performing the fast (inverse) Fourier transform, we are able to compute a sparse Fourier sum of squares (FSOS) certificate of $f$ on a finite abelian group $G$ with complexity \if $\operatorname{O}\left(|G| \log(|G|)+\log(k_{\min})\operatorname{SDP}(2k_{\min})\right)$,\fi that is quasi-linear in the order of $G$ and polynomial in the FSOS sparsity \if $k_{\min}$\fi of $f$. Moreover, for a nonnegatvie function $f$ on a finite abelian group $G$ and a set $S \subset \widehat{G}$, we give a lower bound of the constant $M$ such that $f+M$ admits an FSOS supported on} $S$. We demonstrate the efficiency of the proposed algorithm by numerical experiments on various abelian groups of orders up to $10^7$. As applications, we also solve some combinatorial optimization problems and the sum of Hermitian squares (SOHS) problem \if on $\mathbb{T}^n$\fi by sparse FSOS.

Optimization and Control

Alexander Demin,Joris van der Hoeven

2023-12-29

Abstract:Consider a sparse polynomial in several variables given explicitly as a sum of non-zero terms with coefficients in an effective field. In this paper, we present several algorithms for factoring such polynomials and related tasks (such as gcd computation, square-free factorization, content-free factorization, and root extraction). Our methods are all based on sparse interpolation, but follow two main lines of attack: iteration on the number of variables and more direct reductions to the univariate or bivariate case. We present detailed probabilistic complexity bounds in terms of the complexity of sparse interpolation and evaluation.

Symbolic Computation,Commutative Algebra

Feng Liu,Keqin Feng

DOI: https://doi.org/10.1007/978-3-540-72504-6_29

2007-01-01

Abstract:The computation on algebraic immunity (AI) of symmetric boolean functions includes: determining the AI of a given symmetric function and searching all symmetric functions with AI = d or AI >= d, where d <= [2/n]. In this paper we firstly showed a necessary and sufficient condition of AI of symmetric boolean functions and then proposed several efficient algorithms on computation of algebraic immunity of symmetric boolean functions. By these algorithms we could assess the vulnerability of symmetric boolean functions against algebraic/fast algebraic attacks efficiently, and find all symmetric functions having a given algebraic immunity AI(n)(f) = d, for some 0 <= d <= n.

Matthias Johann Steiner

DOI: https://doi.org/10.46586/tosc.v2024.i1.357-411

2024-03-04

Abstract:For Arithmetization-Oriented ciphers and hash functions Gröbner basis attacks are generally considered as the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata \& Gorla revealed that under a certain genericity condition on a polynomial system the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and henceforth by the Macaulay bound, which only takes the degrees and number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.

Cryptography and Security,Commutative Algebra

Johannes Buchmann,Daniel Cabarcas,Jintai Ding,Mohamed Saied Emam Mohamed

DOI: https://doi.org/10.1007/978-3-642-12678-9_5

2010-01-01

Abstract:Recent developments in multivariate polynomial solving algorithms have made algebraic cryptanalysis a plausible threat to many cryptosystems. However, theoretical complexity estimates have shown this kind of attack unfeasible for most realistic applications. In this paper we present a strategy for computing Gröbner basis that challenges those complexity estimates. It uses a flexible partial enlargement technique together with reduced row echelon forms to generate lower degree elements–mutants. This new strategy surpasses old boundaries and obligates us to think of new paradigms for estimating complexity of Gröbner basis computation. The new proposed algorithm computed a Gröbner basis of a degree 2 random system with 32 variables and 32 equations using 30 GB which was never done before by any known Gröbner bases solver.

Pranjal Dutta,Amit Sinhababu,Thomas Thierauf

2024-11-26

Abstract:For a polynomial $f$ from a class $\mathcal{C}$ of polynomials, we show that the problem to compute all the constant degree irreducible factors of $f$ reduces in polynomial time to polynomial identity tests (PIT) for class $\mathcal{C}$ and divisibility tests of $f$ by constant degree polynomials. We apply the result to several classes $\mathcal{C}$ and obtain the constant degree factors in \begin{enumerate} \item polynomial time, for $\mathcal{C}$ being polynomials that have only constant degree factors, \item quasipolynomial time, for $\mathcal{C}$ being sparse polynomials, \item subexponential time, for $\mathcal{C}$ being polynomials that have constant-depth circuits. \end{enumerate} Result 2 and 3 were already shown by Kumar, Ramanathan, and Saptharishi with a different proof and their time complexities necessarily depend on black-box PITs for a related bigger class $\mathcal{C}'$. Our complexities vary on whether the input is given as a blackbox or whitebox. We also show that the problem to compute the sparse factors of polynomial from a class $\mathcal{C}$ reduces in polynomial time to PIT for class $\mathcal{C}$, divisibility tests of $f$ by sparse polynomials, and irreducibility preserving bivariate projections for sparse polynomials. For $\mathcal{C}$ being sparse polynomials, it follows that it suffices to derandomize irreducibility preserving bivariate projections for sparse polynomials in order to compute all the sparse irreducible factors efficiently. When we consider factors of sparse polynomials that are sums of univariate polynomials, a subclass of sparse polynomials, we obtain a polynomial time algorithm. This was already shown by Volkovich with a different proof.

Computational Complexity

Daniel S. Roche

DOI: https://doi.org/10.1145/3208976.3209027

2018-07-22

Abstract:Simply put, a sparse polynomial is one whose zero coefficients are not explicitly stored. Such objects are ubiquitous in exact computing, and so naturally we would like to have efficient algorithms to handle them. However, with this compact storage comes new algorithmic challenges, as fast algorithms for dense polynomials may no longer be efficient. In this tutorial we examine the state of the art for sparse polynomial algorithms in three areas: arithmetic, interpolation, and factorization. The aim is to highlight recent progress both in theory and in practice, as well as opportunities for future work.

Symbolic Computation

Jean Cardinal,Micha Sharir

DOI: https://doi.org/10.1007/s00454-024-00673-7

2024-06-27

Discrete & Computational Geometry

Abstract:In the classical linear degeneracy testing problem, we are given n real numbers and a k -variate linear polynomial F , for some constant k , and have to determine whether there exist k numbers from the set such that . We consider a generalization of this problem in which F is an arbitrary constant-degree polynomial, we are given k sets of n real numbers, and have to determine whether there exists a k -tuple of numbers, one in each set, on which F vanishes. We give the first improvement over the naïve algorithm for this problem (where the notation omits subpolynomial factors). We show that the problem can be solved in time for even k and in time for odd k in the real RAM model of computation. We also prove that for , the problem can be solved in time in the algebraic decision tree model, and for it can be solved in time in the same model, both improving on the above uniform bounds. All our results rely on an algebraic generalization of the standard meet-in-the-middle algorithm for k -SUM, powered by recent algorithmic advances in the polynomial method for semi-algebraic range searching. In fact, our main technical result is much more broadly applicable, as it provides a general tool for detecting incidences and other interactions between points and algebraic surfaces in any dimension. In particular, it yields an efficient algorithm for a general, algebraic version of Hopcroft's point-line incidence detection problem in any dimension.

mathematics,computer science, theory & methods

Liu Feng,Feng Keqin

2007-01-01

Abstract:The computation on algebraic immunity (AI) of symmetric boolean functions includes: determining the AI of a given symmetric function and searching all symmetric functions with AI = d or AI ≥ d, where d ≤ [n/2]. In this paper we firstly showed a necessary and sufficient condition of AI of symmetric boolean functions and then proposed several efficient algorithms on computation of algebraic immunity of symmetric boolean functions. By these algorithms we could assess the vulnerability of symmetric boolean functions against algebraic/fast algebraic attacks efficiently, and find all symmetric functions having a given algebraic immunity A I n(f) = d, for some 0 ≤ d ≤ n. © Springer-Verlag Berlin Heidelberg 2007.

Qichun Wang,Jie Peng,Haibin Kan,Xiangyang Xue

DOI: https://doi.org/10.1109/TIT.2010.2046195

IF: 2.5

2010-01-01

IEEE Transactions on Information Theory

Abstract:It is known that Boolean functions used in stream and block ciphers should have good cryptographic properties to resist algebraic attacks. Up until now, there have been several constructions of Boolean functions achieving optimum algebraic immunity. However, most of their nonlinearities are very low. Carlet and Feng studied a class of Boolean functions with optimum algebraic immunity and deduced the lower bound of its nonlinearity, which is good, but not very high. Moreover, the main practical problem with this construction is that it cannot be implemented efficiently. In this paper, we put forward a new method to construct cryptographically significant Boolean functions by using primitive polynomials, and construct three infinite classes of Boolean functions with good cryptographic properties: balancedness, optimum algebraic degree, optimum algebraic immunity, and a high nonlinearity.

Xiao-Shan Gao,Zhenyu Huang

DOI: https://doi.org/10.48550/arXiv.1011.6505

2010-11-30

Symbolic Computation

Abstract:Efficient characteristic set methods for computing solutions of polynomial equation systems in a finite field are proposed. The concept of proper triangular sets is introduced and an explicit formula for the number of solutions of a proper and monic (or regular) triangular set is given. An improved zero decomposition algorithm which can be used to reduce the zero set of an equation system in general form to the union of zero sets of monic proper triangular sets is proposed. As a consequence, we can give an explicit formula for the number of solutions of an equation system. Bitsize complexity for the algorithm is given in the case of Boolean polynomials. We also give a multiplication free characteristic set method for Boolean polynomials, where the sizes of the polynomials are effectively controlled. The algorithms are implemented in the case of Boolean polynomials and extensive experiments show that they are quite efficient for solving certain classes of Boolean equations.

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

Prashanth Amireddy,Amik Raj Behera,Manaswi Paraashar,Srikanth Srinivasan,Madhu Sudan

2024-11-12

Abstract:In this work, we show that the class of multivariate degree-$d$ polynomials mapping $\{0,1\}^{n}$ to any Abelian group $G$ is locally correctable with $\widetilde{O}_{d}((\log n)^{d})$ queries for up to a fraction of errors approaching half the minimum distance of the underlying code. In particular, this result holds even for polynomials over the reals or the rationals, special cases that were previously not known. Further, we show that they are locally list correctable up to a fraction of errors approaching the minimum distance of the code. These results build on and extend the prior work of the authors [ABPSS24] (STOC 2024) who considered the case of linear polynomials and gave analogous results. Low-degree polynomials over the Boolean cube $\{0,1\}^{n}$ arise naturally in Boolean circuit complexity and learning theory, and our work furthers the study of their coding-theoretic properties. Extending the results of [ABPSS24] from linear to higher-degree polynomials involves several new challenges and handling them gives us further insights into properties of low-degree polynomials over the Boolean cube. For local correction, we construct a set of points in the Boolean cube that lie between two exponentially close parallel hyperplanes and is moreover an interpolating set for degree-$d$ polynomials. To show that the class of degree-$d$ polynomials is list decodable up to the minimum distance, we stitch together results on anti-concentration of low-degree polynomials, the Sunflower lemma, and the Footprint bound for counting common zeroes of polynomials. Analyzing the local list corrector of [ABPSS24] for higher degree polynomials involves understanding random restrictions of non-zero degree-$d$ polynomials on a Hamming slice. In particular, we show that a simple random restriction process for reducing the dimension of the Boolean cube is a suitably good sampler for Hamming slices.

Computational Complexity

Sourav Chakraborty,Swarnalipa Datta,Pranjal Dutta,Arijit Ghosh,Swagato Sanyal

2024-06-27

Abstract:Given an Abelian group G, a Boolean-valued function f: G -> {-1,+1}, is said to be s-sparse, if it has at most s-many non-zero Fourier coefficients over the domain G. In a seminal paper, Gopalan et al. proved "Granularity" for Fourier coefficients of Boolean valued functions over Z_2^n, that have found many diverse applications in theoretical computer science and combinatorics. They also studied structural results for Boolean functions over Z_2^n which are approximately Fourier-sparse. In this work, we obtain structural results for approximately Fourier-sparse Boolean valued functions over Abelian groups G of the form,G:= Z_{p_1}^{n_1} \times ... \times Z_{p_t}^{n_t}, for distinct primes p_i. We also obtain a lower bound of the form 1/(m^{2}s)^ceiling(phi(m)/2), on the absolute value of the smallest non-zero Fourier coefficient of an s-sparse function, where m=p_1 ... p_t, and phi(m)=(p_1-1) ... (p_t-1). We carefully apply probabilistic techniques from Gopalan et al., to obtain our structural results, and use some non-trivial results from algebraic number theory to get the lower bound. We construct a family of at most s-sparse Boolean functions over Z_p^n, where p > 2, for arbitrarily large enough s, where the minimum non-zero Fourier coefficient is 1/omega(n). The "Granularity" result of Gopalan et al. implies that the absolute values of non-zero Fourier coefficients of any s-sparse Boolean valued function over Z_2^n are 1/O(s). So, our result shows that one cannot expect such a lower bound for general Abelian groups. Using our new structural results on the Fourier coefficients of sparse functions, we design an efficient testing algorithm for Fourier-sparse Boolean functions, thata requires poly((ms)^phi(m),1/epsilon)-many queries. Further, we prove an Omega(sqrt{s}) lower bound on the query complexity of any adaptive sparsity testing algorithm.

Computational Complexity

Pascal Koiran,Subhayan Saha

DOI: https://doi.org/10.48550/arXiv.2110.05305

2021-10-11

Abstract:We study the decomposition of multivariate polynomials as sums of powers of linear forms. We give a randomized algorithm for the following problem: If a homogeneous polynomial $f \in K[x_1 , . . . , x_n]$ (where $K \subseteq \mathbb{C}$) of degree $d$ is given as a blackbox, decide whether it can be written as a linear combination of $d$-th powers of linearly independent complex linear forms. The main novel features of the algorithm are: (1) For $d = 3$, we improve by a factor of $n$ on the running time from an algorithm by Koiran and Skomra. The price to be paid for this improvement though is that the algorithm now has two-sided error. (2) For $d > 3$, we provide the first randomized blackbox algorithm for this problem that runs in time polynomial in $n$ and $d$ (in an algebraic model where only arithmetic operations and equality tests are allowed). Previous algorithms for this problem as well as most of the existing reconstruction algorithms for other classes appeal to a polynomial factorization subroutine. This requires extraction of complex polynomial roots at unit cost and in standard models such as the unit-cost RAM or the Turing machine this approach does not yield polynomial time algorithms. (3) For $d > 3$, when $f$ has rational coefficients, the running time of the blackbox algorithm is polynomial in $n,d$ and the maximal bit size of any coefficient of $f$. This yields the first algorithm for this problem over $\mathbb{C}$ with polynomial running time in the bit model of computation.

Computational Complexity,Data Structures and Algorithms

Lishan Fang,Hua-Lin Huang,Yuechen Li

DOI: https://doi.org/10.48550/arXiv.2310.14042

2023-10-21

Abstract:We study the computational complexity of a criterion and an algorithm for diagonalization of multivariate homogeneous polynomials, that is, expressing them as sums of powers of independent linear forms. They are based on Harrison's center theory and only require solving linear and quadratic systems of equations. Detailed descriptions and computational complexity of each step of the algorithm are provided. The complexity analysis focuses on the impacts of problem sizes, including the number of variables and the degree of given polynomials. We show that this algorithm runs in polynomial time and validate it through numerical experiments. Other diagonalization algorithms are reviewed and compared in terms of complexity.

Rings and Algebras,Number Theory

Nithin Govindarajan,Raphaël Widdershoven,Shivkumar Chandrasekaran,Lieven De Lathauwer

DOI: https://doi.org/10.1137/23m1550414

IF: 1.908

2024-01-25

SIAM Journal on Matrix Analysis and Applications

Abstract:SIAM Journal on Matrix Analysis and Applications, Volume 45, Issue 1, Page 368-396, March 2024. As a crucial first step towards finding the (approximate) common roots of a (possibly overdetermined) bivariate polynomial system of equations, the problem of determining an explicit numerical basis for the right null space of the system's Macaulay matrix is considered. If [math] denotes the total degree of the bivariate polynomials of the system, the cost of computing a null space basis containing all system roots is [math] floating point operations through standard numerical algebra techniques (e.g., a singular value decomposition, rank-revealing QR-decomposition). We show that it is actually possible to design an algorithm that reduces the complexity to [math]. The proposed algorithm exploits the Toeplitz structures of the Macaulay matrix under a nongraded lexicographic ordering of its entries and uses the low displacement rank properties to efficiently convert it into a Cauchy-like matrix with the help of fast Fourier transforms. By modifying the classical Schur algorithm with total pivoting for Cauchy-like matrices, a compact representation of the right null space is eventually obtained from a rank-revealing LU-factorization. Details of the proposed method, including numerical experiments, are fully provided for the case wherein the polynomials are expressed in the monomial basis. Furthermore, it is shown that an analogous fast algorithm can also be formulated for polynomial systems expressed in the Chebyshev basis.

mathematics, applied

Jintai Ding,Vlad Gheorghiu,András Gilyén,Sean Hallgren,Jianqiang Li

DOI: https://doi.org/10.22331/q-2023-07-26-1069

2023-07-22

Abstract:Recently Chen and Gao~\cite{ChenGao2017} proposed a new quantum algorithm for Boolean polynomial system solving, motivated by the cryptanalysis of some post-quantum cryptosystems. The key idea of their approach is to apply a Quantum Linear System (QLS) algorithm to a Macaulay linear system over $\mathbb{C}$, which is derived from the Boolean polynomial system. The efficiency of their algorithm depends on the condition number of the Macaulay matrix. In this paper, we give a strong lower bound on the condition number as a function of the Hamming weight of the Boolean solution, and show that in many (if not all) cases a Grover-based exhaustive search algorithm outperforms their algorithm. Then, we improve upon Chen and Gao's algorithm by introducing the Boolean Macaulay linear system over $\mathbb{C}$ by reducing the original Macaulay linear system. This improved algorithm could potentially significantly outperform the brute-force algorithm, when the Hamming weight of the solution is logarithmic in the number of Boolean variables. Furthermore, we provide a simple and more elementary proof of correctness for our improved algorithm using a reduction employing the Valiant-Vazirani affine hashing method, and also extend the result to polynomial systems over $\mathbb{F}_q$ improving on subsequent work by Chen, Gao and Yuan \cite{ChenGao2018}. We also suggest a new approach for extracting the solution of the Boolean polynomial system via a generalization of the quantum coupon collector problem \cite{arunachalam2020QuantumCouponCollector}.

Quantum Physics,Cryptography and Security