Revisiting Approximate Polynomial Common Divisor Problem and Noisy Multipolynomial Reconstruction Jun Xu (Institute of Information Engineering, CAS) Santanu Sarkar (Indian Institute of Technology Madras) Lei Hu (Institute of Information Engineering, CAS) Speaker: Ayineedi Venkateswarlu
Outline
◮ Approximate polynomial common divisor problem
◮ How to solve the approximate polynomial common divisor problem
◮ Its relation with the noisy multipolynomial reconstruction problem
Approximate polynomial common divisor problem
◮ The approximate polynomial common divisor problem (Polynomial-ACD problem) includes:
◮ the approximate polynomial general common divisor problem (Polynomial-GACD problem);
◮ the approximate polynomial partial common divisor problem (Polynomial-PACD problem).
Polynomial-GACD problem
Definition ($(\gamma, \eta, \rho)$-Polynomial-GACD problem). Let $F[x]$ be the polynomial ring over a finite field $F$. Let $r_1(x), \dots, r_n(x)$ be $n$ random polynomials whose degrees all lie in $[0, \rho]$. Let $p(x) = (x - p_1)\cdots(x - p_\eta)$, where $p_1, \dots, p_\eta$ are random elements of $F$. Suppose $n$ polynomials $a_1(x), \dots, a_n(x)$ in $F[x]$, each of degree at most $\gamma$ and at least one of degree exactly $\gamma$, are given with $a_i(x) \equiv r_i(x) \bmod p(x)$ for $1 \le i \le n$; $a_1(x), \dots, a_n(x)$ are called the $n$ samples. The goal is to output the approximate common divisor $p(x)$.
Polynomial-PACD problem
The definition of the $(\gamma, \eta, \rho)$-Polynomial-PACD problem is the same as that of the $(\gamma, \eta, \rho)$-Polynomial-GACD problem, except that the $\gamma$-degree sample $a_n(x)$ is given as an exact multiple of $p(x)$, with all roots of $a_n(x)$ in $F$.
Polynomial-ACD problem
According to the above definitions:
◮ The Polynomial-ACD problem can be regarded as a polynomial version of the approximate integer common divisor problem (Integer-ACD problem).
An algorithm for solving the Polynomial-ACD problem
◮ Since $a_i(x) \equiv r_i(x) \bmod p(x)$ for $1 \le i \le n$, there exist polynomials $q_i(x)$ such that
$$a_i(x) = p(x)\,q_i(x) + r_i(x) \quad \text{for } i = 1, \dots, n. \tag{1}$$
◮ Let $\beta(x)$ be a polynomial with $0 \le \deg \beta(x) < \gamma$.
◮ Let $L(\beta)$ be the polynomial lattice spanned by the row vectors of the following $n \times n$ matrix, where $\lfloor a_i(x)/\beta(x) \rfloor$ denotes the polynomial quotient of $a_i(x)$ by $\beta(x)$:
$$M(\beta) = \begin{pmatrix} 1 & & & \lfloor a_1(x)/\beta(x) \rfloor \\ & \ddots & & \vdots \\ & & 1 & \lfloor a_{n-1}(x)/\beta(x) \rfloor \\ & & & \lfloor a_n(x)/\beta(x) \rfloor \end{pmatrix}$$
Our algorithm
Input: $(\gamma, \eta, \rho)$-Polynomial-ACD samples $a_1(x), \dots, a_n(x)$ with $\gamma > \eta > \rho + 1$.
Output: $p(x)$, or the $(\gamma - \rho)$ most significant coefficients of $p(x)$.
1. Construct the $n \times n$ polynomial matrix
$$M(x^\rho) = \begin{pmatrix} 1 & & & \lfloor a_1(x)/x^\rho \rfloor \\ & \ddots & & \vdots \\ & & 1 & \lfloor a_{n-1}(x)/x^\rho \rfloor \\ & & & \lfloor a_n(x)/x^\rho \rfloor \end{pmatrix}.$$
2. Reduce $M(x^\rho)$ to a basis $M'(x^\rho)$ of $L(x^\rho)$, writing $U$ for the unimodular $n \times n$ matrix with $U \cdot M(x^\rho) = M'(x^\rho)$. If the degrees of at least two rows of $M'(x^\rho)$ are larger than or equal to $\eta - \rho$, abort.
3. Write the last column of the matrix $U^{-1}$ as $(w_{1n}(x), \dots, w_{nn}(x))^T$.
4. If it is an instance of the Polynomial-PACD problem, return $p(x) = d^{-1} a_n(x)/w_{nn}(x)$, where $d$ is the constant such that $d^{-1} a_n(x)/w_{nn}(x)$ is monic.
5. Else compute $d^{-1} \lfloor a_n(x)/w_{nn}(x) \rfloor$, where $d$ is the constant such that $d^{-1} \lfloor a_n(x)/w_{nn}(x) \rfloor$ is monic. If $\gamma > \eta + \rho$, return $p(x) = d^{-1} \lfloor a_n(x)/w_{nn}(x) \rfloor$; else return the $(\gamma - \rho)$ most significant coefficients of $d^{-1} \lfloor a_n(x)/w_{nn}(x) \rfloor$.
Output of our algorithm
From our algorithm one gets:
◮ For the Polynomial-PACD problem, $p(x)$ directly;
◮ For the Polynomial-GACD problem,
◮ if $\gamma > \eta + \rho$, $p(x)$ directly;
◮ else, the $(\gamma - \rho)$ most significant coefficients of $p(x)$.
Main theorem
Our algorithm is based on the following result:
Theorem. Given a vector
$$v = \Bigl(u_1(x), \dots, u_{n-1}(x), \sum_{i=1}^{n} u_i(x)\,\lfloor a_i(x)/\beta(x) \rfloor\Bigr) \in L(\beta),$$
we have
$$\deg\Bigl(\sum_{i=1}^{n} u_i(x)\,q_i(x)\Bigr) \le \deg v + \max\{\deg \beta(x), \rho\} - \eta.$$
A key observation
◮ Note that $v$ is known, so if $\sum_{i=1}^{n} u_i(x)\,q_i(x) = 0$, one obtains a linear equation in the unknowns $q_1(x), \dots, q_n(x)$.
◮ If there are sufficiently many linearly independent equations in $q_1(x), \dots, q_n(x)$, one can solve for $q_1(x), \dots, q_n(x)$.
◮ Once $q_1(x), \dots, q_n(x)$ are revealed, one obtains $p(x)$ from (1), i.e., $a_i(x) = p(x)\,q_i(x) + r_i(x)$ for $i = 1, \dots, n$.
Our results
We heuristically show that one can solve the Polynomial-ACD problem if
$$n \ge \frac{\gamma - \eta}{\eta - \rho - 1} + 1. \tag{2}$$
Experimental results
◮ $p$: a random 128-bit prime.
◮ Polynomial-PACD problem instances over the finite field $F_p$; the fifth column is the bound (2) and the last column the average reduction time (sec.) of our algorithm.
 n    η    γ    ρ   (γ−η)/(η−ρ−1)+1   Average reduction time (sec.)
 4   11   20    7   4.0               0.01
 6   10   20    7   6.0               0.03
12    9   20    7   12.0              0.18
15   84  165   77   14.5              2.84
18   86  170   80   17.8              4.75
Noisy multipolynomial reconstruction
Definition (Noisy Multipolynomial Reconstruction Problem). Suppose $r_1(x), \dots, r_n(x)$ are $n$ univariate polynomials of degree at most $\rho$ in $F[x]$. For $\gamma$ given distinct points $x_1, \dots, x_\gamma$ in $F$, form the $\gamma$ vectors
$$\bigl(r_1(x_1), \dots, r_n(x_1)\bigr), \;\dots,\; \bigl(r_1(x_\gamma), \dots, r_n(x_\gamma)\bigr).$$
Suppose that $\eta$ of the $\gamma$ received vectors are not corrupted. The goal is to reconstruct each polynomial $r_i(x)$.
Noisy multipolynomial reconstruction
◮ Consider $n$ univariate polynomials $r_1(x), \dots, r_n(x)$ of degree $\rho$ over a finite field $F$.
◮ Suppose these polynomials are evaluated at the points $x_1, \dots, x_\gamma$.
◮ Let $z_{is} = r_s(x_i)$ for $1 \le i \le \gamma$ and $1 \le s \le n$.
◮ Values $y_{is}$ are given for $1 \le i \le \gamma$ and $1 \le s \le n$, where $y_{is} = z_{is}$ for $i \in \{i_1, i_2, \dots, i_\eta\}$ for each value of $s$.
◮ The target is to find $r_1(x), \dots, r_n(x)$ from the knowledge of the $x_i$ and the $y_{is}$.
Noisy Multipolynomial Reconstruction vs. Polynomial-PACD Problem
◮ Assume without loss of generality that $y_{is} = z_{is}$ for $1 \le i \le \eta$ and $1 \le s \le n$.
◮ Use Lagrange interpolation to construct $n$ polynomials $a_s(x)$ of degree $\gamma - 1$ such that $a_s(x_i) = y_{is}$ for $1 \le i \le \gamma$ and $1 \le s \le n$.
◮ Note that $a_s(x_j) = y_{js} = z_{js} = r_s(x_j)$ for $s = 1, \dots, n$ and $j = 1, \dots, \eta$.
◮ Let $p(x) = (x - x_1)\cdots(x - x_\eta)$.
◮ Thus $a_s(x) \equiv r_s(x) \bmod p(x)$ for $s = 1, \dots, n$.
◮ Therefore, the above relations correspond to a Polynomial-ACD problem.
Noisy Multipolynomial Reconstruction vs. Polynomial-PACD Problem
◮ Moreover, $N(x) = (x - x_1)\cdots(x - x_\gamma) \equiv 0 \bmod p(x)$.
◮ Thus there are polynomials $q_1(x), \dots, q_n(x), q_{n+1}(x)$ in $F[x]$ such that $a_s(x) = p(x)\,q_s(x) + r_s(x)$ for $s = 1, \dots, n$ and $N(x) = p(x)\,q_{n+1}(x)$.
◮ Hence these equations correspond to a Polynomial-PACD problem.
Noisy Multipolynomial Reconstruction over the finite field $F_p$
$p$: a random 128-bit prime. The last two columns give the average reduction time (sec.) of our algorithm and of the USENIX 2012 algorithm.
 n    η    γ    ρ   Our Algorithm   USENIX 2012
14   87  100   85   < 1             < 1
22   27   90   23   6.33            11.13
20   97  200   90   9.86            32.44
25   86  200   80   19.95           63.48
40   83  163   80   41.04           135.19
54   97  150   95   57.73           173.00
70   75  145   73   156.63          484.02
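As an added example (not code from the slides or their authors), the reduction from noisy multipolynomial reconstruction to a Polynomial-PACD instance described on the two preceding slides, carried out in plain Python over a small constructed field $F_{101}$, together with the key observation from the earlier slide that once $q_s(x)$ is known, $a_s(x)$ divided by $q_s(x)$ returns $p(x)$. The helper names (trim, mul, divmod_poly, interpolate, reduce_to_pacd, demo) and the constructed instance ($n = 3$, $\gamma = 9$, $\eta = 5$, $\rho = 2$) are assumptions of the example; the lattice reduction that actually finds the $q_s(x)$ is not implemented, so the example reads $q_s(x)$ off from the known $p(x)$ instead.

```python
PRIME = 101  # constructed small prime for illustration; the slides use a random 128-bit prime
def trim(f):  # polynomials are ascending-degree coefficient lists mod PRIME; zero polynomial is [0]
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f
def mul(f, g):
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % PRIME
    return trim(h)
def divmod_poly(f, g):  # schoolbook long division by a non-zero g: (quotient, remainder)
    q, r, inv = [0] * max(1, len(f) - len(g) + 1), list(f), pow(g[-1], -1, PRIME)
    for k in range(len(f) - len(g), -1, -1):
        c = q[k] = r[k + len(g) - 1] * inv % PRIME
        for j, b in enumerate(g):
            r[k + j] = (r[k + j] - c * b) % PRIME
    return trim(q), trim(r[:max(1, len(g) - 1)])
def interpolate(xs, ys):  # Lagrange: the unique polynomial of degree < len(xs) through (xs[i], ys[i])
    total = [0] * len(xs)
    for i, xi in enumerate(xs):
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                basis, denom = mul(basis, [-xj % PRIME, 1]), denom * (xi - xj) % PRIME
        for k, c in enumerate(basis):
            total[k] = (total[k] + c * ys[i] * pow(denom, -1, PRIME)) % PRIME
    return trim(total)

def reduce_to_pacd(xs, received, clean_idx):
    # received[i][s] = y_is; clean_idx holds the eta indices i with y_is = r_s(x_i) for every s.
    a = [interpolate(xs, [row[s] for row in received]) for s in range(len(received[0]))]
    p, N = [1], [1]  # p = product of (x - x_i) over the clean points, N = product over all points
    for i, x in enumerate(xs):
        N = mul(N, [-x % PRIME, 1])
        if i in clean_idx:
            p = mul(p, [-x % PRIME, 1])
    return a, p, N

def demo():
    # constructed instance: n=3 polynomials of degree rho=2 evaluated at gamma=9 points, eta=5 of them clean
    r = [[3, 7, 11], [5, 0, 2], [9, 1, 4]]
    xs = list(range(1, 10))
    received = [[sum(c * pow(x, k, PRIME) for k, c in enumerate(f)) % PRIME for f in r] for x in xs]
    for i in range(5, 9):  # corrupt every entry of the last gamma - eta = 4 vectors
        received[i] = [(v + 17 * (s + 1)) % PRIME for s, v in enumerate(received[i])]
    a, p, N = reduce_to_pacd(xs, received, range(5))
    qr = [divmod_poly(f, p) for f in a]  # a_s = p*q_s + r_s with deg r_s <= rho < eta = deg p
    ok = all(rem == g for (_, rem), g in zip(qr, r)) and divmod_poly(N, p)[1] == [0]
    # key observation: given q_s (read off here via the known p), a_s div q_s is p since deg q_s = 3 > rho
    return ok and all(divmod_poly(f, qs)[0] == p for f, (qs, _) in zip(a, qr))
```

With $\deg q_s \le \rho$ the quotient would only agree with $p(x)$ on its top $(\deg a_s - \rho)$ coefficients, which is the partial output case of the algorithm.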
Thank you for your attention Query: { xujun,hulei } @iie.ac.cn,sarkar.santanu.bir1@gmail.com