-
Optimized Gröbner basis algorithms for maximal determinantal ideals and critical point computations
Authors:
Sriram Gopalakrishnan,
Vincent Neiger,
Mohab Safey El Din
Abstract:
Given polynomials $g$ and $f_1,\dots,f_p$, all in $\Bbbk[x_1,\dots,x_n]$ for some field $\Bbbk$, we consider the problem of computing the critical points of the restriction of $g$ to the variety defined by $f_1=\cdots=f_p=0$. These are defined by the simultaneous vanishing of the $f_i$'s and all maximal minors of the Jacobian matrix associated to $(g,f_1, \ldots, f_p)$. We use the Eagon-Northcott complex associated to the ideal generated by these maximal minors to gain insight into the syzygy module of the system defining these critical points. We devise new $F_5$-type criteria to predict and avoid more reductions to zero when computing a Gröbner basis for the defining system of this critical locus. We give a bound for the arithmetic complexity of this enhanced $F_5$ algorithm and compare it to the best previously known bound for computing critical points using Gröbner bases.
Submitted 11 February, 2024;
originally announced February 2024.
-
Computing Krylov iterates in the time of matrix multiplication
Authors:
Vincent Neiger,
Clément Pernet,
Gilles Villard
Abstract:
Krylov methods rely on iterated matrix-vector products $A^k u_j$ for an $n\times n$ matrix $A$ and vectors $u_1,\ldots,u_m$. The space spanned by all iterates $A^k u_j$ admits a particular basis -- the \emph{maximal Krylov basis} -- which consists of iterates of the first vector $u_1, Au_1, A^2u_1,\ldots$, until reaching linear dependency, then iterating similarly the subsequent vectors until a basis is obtained. Finding minimal polynomials and Frobenius normal forms is closely related to computing maximal Krylov bases. The fastest way to produce these bases was, until this paper, Keller-Gehrig's 1985 algorithm whose complexity bound $O(n^\omega\log(n))$ comes from repeated squarings of $A$ and logarithmically many Gaussian eliminations. Here $\omega>2$ is a feasible exponent for matrix multiplication over the base field. We present an algorithm computing the maximal Krylov basis in $O(n^\omega\log\log(n))$ field operations when $m \in O(n)$, and even $O(n^\omega)$ as soon as $m\in O(n/\log(n)^c)$ for some fixed real $c>0$. As a consequence, we show that the Frobenius normal form together with a transformation matrix can be computed deterministically in $O(n^\omega\log\log(n)^2)$, and therefore matrix exponentiation~$A^k$ can be performed in the latter complexity if $\log(k) \in O(n^{\omega-1-\varepsilon})$, for $\varepsilon>0$. A key idea for these improvements is to rely on fast algorithms for $m\times m$ polynomial matrices of average degree $n/m$, involving high-order lifting and minimal kernel bases.
Submitted 11 February, 2024;
originally announced February 2024.
-
Faster List Decoding of AG Codes
Authors:
Peter Beelen,
Vincent Neiger
Abstract:
In this article, we present a fast algorithm performing an instance of the Guruswami-Sudan list decoder for algebraic geometry codes. We show that any such code can be decoded in $\tilde{O}(s^2\ell^{\omega-1}\mu^{\omega-1}(n+g) + \ell^\omega\mu^\omega)$ operations in the underlying finite field, where $n$ is the code length, $g$ is the genus of the function field used to construct the code, $s$ is the multiplicity parameter, $\ell$ is the designed list size and $\mu$ is the smallest positive element in the Weierstrass semigroup of some chosen place.
Submitted 14 April, 2023;
originally announced April 2023.
-
Refined $F_5$ Algorithms for Ideals of Minors of Square Matrices
Authors:
Sriram Gopalakrishnan,
Vincent Neiger,
Mohab Safey El Din
Abstract:
We consider the problem of computing a grevlex Gröbner basis for the set $F_r(M)$ of minors of size $r$ of an $n\times n$ matrix $M$ of generic linear forms over a field of characteristic zero or large enough. Such sets are not regular sequences; in fact, the ideal $\langle F_r(M) \rangle$ cannot be generated by a regular sequence. As such, when using the general-purpose algorithm $F_5$ to find the sought Gröbner basis, some computing time is wasted on reductions to zero. We use known results about the first syzygy module of $F_r(M)$ to refine the $F_5$ algorithm in order to detect more reductions to zero. In practice, our approach avoids a significant number of reductions to zero. In particular, in the case $r=n-2$, we prove that our new algorithm avoids all reductions to zero, and we provide a corresponding complexity analysis which improves upon the previously known estimates.
Submitted 14 June, 2023; v1 submitted 10 February, 2023;
originally announced February 2023.
-
Beating binary powering for polynomial matrices
Authors:
Alin Bostan,
Vincent Neiger,
Sergey Yurkevich
Abstract:
The $N$th power of a polynomial matrix of fixed size and degree can be computed by binary powering as fast as multiplying two polynomials of linear degree in~$N$. When Fast Fourier Transform (FFT) is available, the resulting complexity is \emph{softly linear} in~$N$, i.e.~linear in~$N$ with extra logarithmic factors. We show that it is possible to beat binary powering, by an algorithm whose complexity is \emph{purely linear} in~$N$, even in absence of FFT. The key result making this improvement possible is that the entries of the $N$th power of a polynomial matrix satisfy linear differential equations with polynomial coefficients whose orders and degrees are independent of~$N$. Similar algorithms are proposed for two related problems: computing the $N$th term of a C-finite sequence of polynomials, and modular exponentiation to the power $N$ for bivariate polynomials.
Submitted 26 May, 2023; v1 submitted 8 February, 2023;
originally announced February 2023.
-
Rank-Sensitive Computation of the Rank Profile of a Polynomial Matrix
Authors:
George Labahn,
Vincent Neiger,
Thi Xuan Vu,
Wei Zhou
Abstract:
Consider a matrix $\mathbf{F} \in \mathbb{K}[x]^{m \times n}$ of univariate polynomials over a field $\mathbb{K}$. We study the problem of computing the column rank profile of $\mathbf{F}$. To this end we first give an algorithm which improves the minimal kernel basis algorithm of Zhou, Labahn, and Storjohann (Proceedings ISSAC 2012). We then provide a second algorithm which computes the column rank profile of $\mathbf{F}$ with a rank-sensitive complexity of $\tilde{O}(r^{\omega-2} n (m+D))$ operations in $\mathbb{K}$. Here, $D$ is the sum of row degrees of $\mathbf{F}$, $\omega$ is the exponent of matrix multiplication, and $\tilde{O}(\cdot)$ hides logarithmic factors.
Submitted 9 May, 2022; v1 submitted 18 February, 2022;
originally announced February 2022.
-
Faster change of order algorithm for Gröbner bases under shape and stability assumptions
Authors:
Jérémy Berthomieu,
Vincent Neiger,
Mohab Safey El Din
Abstract:
Solving zero-dimensional polynomial systems using Gröbner bases is usually done by, first, computing a Gröbner basis for the degree reverse lexicographic order, and next computing the lexicographic Gröbner basis with a change of order algorithm. Currently, the change of order takes a significant part of the whole solving time for many generic instances.
Like the fastest known change of order algorithms, this work focuses on the situation where the ideal defined by the system satisfies natural properties which can be recovered in generic coordinates. First, the ideal has a \emph{shape} lexicographic Gröbner basis. Second, the set of leading terms with respect to the degree reverse lexicographic order has a \emph{stability} property; in particular, the multiplication matrix can be read on the input Gröbner basis.
The current fastest algorithms rely on the sparsity of this matrix. Actually, this sparsity is a consequence of an algebraic structure, which can be exploited to represent the matrix concisely as a univariate polynomial matrix. We show that the Hermite normal form of that matrix yields the sought lexicographic Gröbner basis, under assumptions which cover the shape position case. Under some mild assumption implying $n \le t$, the arithmetic complexity of our algorithm is $\tilde{O}(t^{\omega-1}D)$, where $n$ is the number of variables, $t$ is a sparsity indicator of the aforementioned matrix, $D$ is the degree of the zero-dimensional ideal under consideration, and $\omega$ is the exponent of matrix multiplication. This improves upon both state-of-the-art complexity bounds $\tilde{O}(tD^2)$ and $\tilde{O}(D^\omega)$, since $\omega < 3$ and $t\le D$. Practical experiments, based on the libraries msolve and PML, confirm the high practical benefit.
Submitted 15 May, 2022; v1 submitted 18 February, 2022;
originally announced February 2022.
-
Faster Modular Composition
Authors:
Vincent Neiger,
Bruno Salvy,
Éric Schost,
Gilles Villard
Abstract:
A new Las Vegas algorithm is presented for the composition of two polynomials modulo a third one, over an arbitrary field. When the degrees of these polynomials are bounded by $n$, the algorithm uses $O(n^{1.43})$ field operations, breaking through the $3/2$ barrier in the exponent for the first time. The previous fastest algebraic algorithms, due to Brent and Kung in 1978, require $O(n^{1.63})$ field operations in general, and ${n^{3/2+o(1)}}$ field operations in the special case of power series over a field of large enough characteristic. If cubic-time matrix multiplication is used, the new algorithm runs in ${n^{5/3+o(1)}}$ operations, while previous ones run in $O(n^2)$ operations.
Our approach relies on the computation of a matrix of algebraic relations that is typically of small size. Randomization is used to reduce arbitrary input to this favorable situation.
Submitted 20 July, 2023; v1 submitted 15 October, 2021;
originally announced October 2021.
-
Algorithms for Linearly Recurrent Sequences of Truncated Polynomials
Authors:
Seung Gyu Hyun,
Vincent Neiger,
Éric Schost
Abstract:
Linear recurrent sequences are those whose elements are defined as linear combinations of preceding elements, and finding recurrence relations is a fundamental problem in computer algebra. In this paper, we focus on sequences whose elements are vectors over the ring $\mathbb{A} = \mathbb{K}[x]/(x^d)$ of truncated polynomials. Finding the ideal of their recurrence relations has applications such as the computation of minimal polynomials and determinants of sparse matrices over $\mathbb{A}$. We present three methods for finding this ideal: a Berlekamp-Massey-like approach due to Kurakin, one which computes the kernel of some block-Hankel matrix over $\mathbb{A}$ via a minimal approximant basis, and one based on bivariate Padé approximation. We propose complexity improvements for the first two methods, respectively by avoiding the computation of redundant relations and by exploiting the Hankel structure to compress the approximation problem. Then we confirm these improvements empirically through a C++ implementation, and we discuss the above-mentioned applications.
Submitted 8 June, 2021; v1 submitted 6 February, 2021;
originally announced February 2021.
-
Deterministic computation of the characteristic polynomial in the time of matrix multiplication
Authors:
Vincent Neiger,
Clément Pernet
Abstract:
This paper describes an algorithm which computes the characteristic polynomial of a matrix over a field within the same asymptotic complexity, up to constant factors, as the multiplication of two square matrices. Previously, this was only achieved by resorting to genericity assumptions or randomization techniques, while the best known complexity bound with a general deterministic algorithm was obtained by Keller-Gehrig in 1985 and involves logarithmic factors. Our algorithm computes more generally the determinant of a univariate polynomial matrix in reduced form, and relies on new subroutines for transforming shifted reduced matrices into shifted weak Popov matrices, and shifted weak Popov matrices into shifted Popov matrices.
Submitted 9 April, 2021; v1 submitted 9 October, 2020;
originally announced October 2020.
-
Generic bivariate multi-point evaluation, interpolation and modular composition with precomputation
Authors:
Vincent Neiger,
Johan Rosenkilde,
Grigory Solomatov
Abstract:
Suppose $\mathbb{K}$ is a large enough field and $\mathcal{P} \subset \mathbb{K}^2$ is a fixed, generic set of points which is available for precomputation. We introduce a technique called \emph{reshaping} which allows us to design quasi-linear algorithms for both: computing the evaluations of an input polynomial $f \in \mathbb{K}[x,y]$ at all points of $\mathcal{P}$; and computing an interpolant $f \in \mathbb{K}[x,y]$ which takes prescribed values on $\mathcal{P}$ and satisfies an input $y$-degree bound. Our genericity assumption is explicit and we prove that it holds for most point sets over a large enough field. If $\mathcal{P}$ violates the assumption, our algorithms still work and the performance degrades smoothly according to a distance from being generic. To show that the reshaping technique may have an impact on other related problems, we apply it to modular composition: suppose generic polynomials $M \in \mathbb{K}[x]$ and $A \in \mathbb{K}[x]$ are available for precomputation, then given an input $f \in \mathbb{K}[x,y]$ we show how to compute $f(x, A(x)) \operatorname{rem} M(x)$ in quasi-linear time.
Submitted 4 June, 2020; v1 submitted 27 March, 2020;
originally announced March 2020.
-
A divide-and-conquer algorithm for computing Gröbner bases of syzygies in finite dimension
Authors:
Simone Naldi,
Vincent Neiger
Abstract:
Let $f_1,\ldots,f_m$ be elements in a quotient $R^n / N$ which has finite dimension as a $K$-vector space, where $R = K[X_1,\ldots,X_r]$ and $N$ is an $R$-submodule of $R^n$. We address the problem of computing a Gröbner basis of the module of syzygies of $(f_1,\ldots,f_m)$, that is, of vectors $(p_1,\ldots,p_m) \in R^m$ such that $p_1 f_1 + \cdots + p_m f_m = 0$.
An iterative algorithm for this problem was given by Marinari, Möller, and Mora (1993) using a dual representation of $R^n / N$ as the kernel of a collection of linear functionals. Following this viewpoint, we design a divide-and-conquer algorithm, which can be interpreted as a generalization to several variables of Beckermann and Labahn's recursive approach for matrix Padé and rational interpolation problems. To highlight the interest of this method, we focus on the specific case of bivariate Padé approximation and show that it improves upon the best known complexity bounds.
Submitted 4 June, 2020; v1 submitted 15 February, 2020;
originally announced February 2020.
-
Computing syzygies in finite dimension using fast linear algebra
Authors:
Vincent Neiger,
Éric Schost
Abstract:
We consider the computation of syzygies of multivariate polynomials in a finite-dimensional setting: for a $\mathbb{K}[X_1,\dots,X_r]$-module $\mathcal{M}$ of finite dimension $D$ as a $\mathbb{K}$-vector space, and given elements $f_1,\dots,f_m$ in $\mathcal{M}$, the problem is to compute syzygies between the $f_i$'s, that is, polynomials $(p_1,\dots,p_m)$ in $\mathbb{K}[X_1,\dots,X_r]^m$ such that $p_1 f_1 + \dots + p_m f_m = 0$ in $\mathcal{M}$. Assuming that the multiplication matrices of the $r$ variables with respect to some basis of $\mathcal{M}$ are known, we give an algorithm which computes the reduced Gröbner basis of the module of these syzygies, for any monomial order, using $O(m D^{\omega-1} + r D^\omega\log(D))$ operations in the base field $\mathbb{K}$, where $\omega$ is the exponent of matrix multiplication. Furthermore, assuming that $\mathcal{M}$ is itself given as $\mathcal{M} = \mathbb{K}[X_1,\dots,X_r]^n/\mathcal{N}$, under some assumptions on $\mathcal{N}$ we show that these multiplication matrices can be computed from a Gröbner basis of $\mathcal{N}$ within the same complexity bound. In particular, taking $n=1$, $m=1$ and $f_1=1$ in $\mathcal{M}$, this yields a change of monomial order algorithm along the lines of the FGLM algorithm with a complexity bound which is sub-cubic in $D$.
Submitted 19 June, 2020; v1 submitted 4 December, 2019;
originally announced December 2019.
-
An Algebraic Attack on Rank Metric Code-Based Cryptosystems
Authors:
Magali Bardet,
Pierre Briaud,
Maxime Bros,
Philippe Gaborit,
Vincent Neiger,
Olivier Ruatta,
Jean-Pierre Tillich
Abstract:
The Rank metric decoding problem is the main problem considered in cryptography based on codes in the rank metric. Very efficient schemes based on this problem or quasi-cyclic versions of it have been proposed recently, such as those in the submissions ROLLO and RQC currently at the second round of the NIST Post-Quantum Cryptography Standardization Process. While combinatorial attacks on this problem have been extensively studied and seem now well understood, the situation is not as satisfactory for algebraic attacks, for which previous work essentially suggested that they were ineffective for cryptographic parameters. In this paper, starting from Ourivski and Johansson's algebraic modelling of the problem into a system of polynomial equations, we show how to augment this system with easily computed equations so that the augmented system is solved much faster via Groebner bases. This happens because the augmented system has solving degree $r$, $r+1$ or $r+2$ depending on the parameters, where $r$ is the rank weight, which we show by extending results from Verbel et al. (PQCrypto 2019) on systems arising from the MinRank problem; with target rank $r$, Verbel et al. lower the solving degree to $r+2$, and even less for some favorable instances that they call superdetermined. We give complexity bounds for this approach as well as practical timings of an implementation using Magma. This improves upon the previously known complexity estimates for both Groebner basis and (non-quantum) combinatorial approaches, and for example leads to an attack in 200 bits on ROLLO-I-256 whose claimed security was 256 bits.
Submitted 23 February, 2020; v1 submitted 2 October, 2019;
originally announced October 2019.
-
Implementations of efficient univariate polynomial matrix algorithms and application to bivariate resultants
Authors:
Seung Gyu Hyun,
Vincent Neiger,
Éric Schost
Abstract:
Complexity bounds for many problems on matrices with univariate polynomial entries have been improved in the last few years. Still, for most related algorithms, efficient implementations are not available, which leaves open the question of the practical impact of these algorithms, e.g. on applications such as decoding some error-correcting codes and solving polynomial systems or structured linear systems. In this paper, we discuss implementation aspects for most fundamental operations: multiplication, truncated inversion, approximants, interpolants, kernels, linear system solving, determinant, and basis reduction. We focus on prime fields with a word-size modulus, relying on Shoup's C++ library NTL. Combining these new tools to implement variants of Villard's algorithm for the resultant of generic bivariate polynomials (ISSAC 2018), we get better performance than the state of the art for large parameters.
Submitted 10 May, 2019;
originally announced May 2019.
-
Verification Protocols with Sub-Linear Communication for Polynomial Matrix Operations
Authors:
David Lucas,
Vincent Neiger,
Clément Pernet,
Daniel S. Roche,
Johan Rosenkilde
Abstract:
We design and analyze new protocols to verify the correctness of various computations on matrices over the ring F[x] of univariate polynomials over a field F. For the sake of efficiency, and because many of the properties we verify are specific to matrices over a principal ideal domain, we cannot simply rely on previously-developed linear algebra protocols for matrices over a field. Our protocols are interactive, often randomized, and feature a constant number of rounds of communication between the Prover and Verifier. We seek to minimize the communication cost so that the amount of data sent during the protocol is significantly smaller than the size of the result being verified, which can be useful when combining protocols or in some multi-party settings. The main tools we use are reductions to existing linear algebra verification protocols and a new protocol to verify that a given vector is in the F[x]-row space of a given matrix.
Submitted 11 December, 2019; v1 submitted 3 July, 2018;
originally announced July 2018.
-
Computing Popov and Hermite forms of rectangular polynomial matrices
Authors:
Vincent Neiger,
Johan Rosenkilde,
Grigory Solomatov
Abstract:
We consider the computation of two normal forms for matrices over the univariate polynomials: the Popov form and the Hermite form. For matrices which are square and nonsingular, deterministic algorithms with satisfactory cost bounds are known. Here, we present deterministic, fast algorithms for rectangular input matrices. The obtained cost bound for the Popov form matches the previous best known randomized algorithm, while the cost bound for the Hermite form improves on the previous best known ones by a factor which is at least the largest dimension of the input matrix.
Submitted 17 May, 2018; v1 submitted 6 February, 2018;
originally announced February 2018.
-
Certification of minimal approximant bases
Authors:
Pascal Giorgi,
Vincent Neiger
Abstract:
For a given computational problem, a certificate is a piece of data that one (the prover) attaches to the output with the aim of allowing efficient verification (by the verifier) that this output is correct. Here, we consider the minimal approximant basis problem, for which the fastest known algorithms output a polynomial matrix of dimensions $m \times m$ and average degree $D/m$ using $\tilde{O}(m^\omega\frac{D}{m})$ field operations. We propose a certificate which, for typical instances of the problem, is computed by the prover using $O(m^\omega\frac{D}{m})$ additional field operations and allows verification of the approximant basis by a Monte Carlo algorithm with cost bound $O(m^\omega + m D)$.
Besides theoretical interest, our motivation also comes from the fact that approximant bases arise in most of the fastest known algorithms for linear algebra over the univariate polynomials; thus, this work may help in designing certificates for other polynomial matrix computations. Furthermore, cryptographic challenges such as breaking records for discrete logarithm computations or for integer factorization rely in particular on computing minimal approximant bases for large instances: certificates can then be used to provide reliable computation on outsourced and error-prone clusters.
Submitted 17 May, 2018; v1 submitted 6 February, 2018;
originally announced February 2018.
-
Fast computation of approximant bases in canonical form
Authors:
Claude-Pierre Jeannerod,
Vincent Neiger,
Gilles Villard
Abstract:
In this article, we design fast algorithms for the computation of approximant bases in shifted Popov normal form. We first recall the algorithm known as PM-Basis, which will be our second fundamental engine after polynomial matrix multiplication: most other fast approximant basis algorithms basically aim at efficiently reducing the input instance to instances for which PM-Basis is fast. Such reductions usually involve partial linearization techniques due to Storjohann, which have the effect of balancing the degrees and dimensions in the manipulated matrices.
Following these ideas, Zhou and Labahn gave two algorithms which are faster than PM-Basis for important cases including Hermite-Pade approximation, yet only for shifts whose values are concentrated around the minimum or the maximum value. The three mentioned algorithms were designed for balanced orders and compute approximant bases that are generally not normalized. Here, we show how they can be modified to return the shifted Popov basis without impact on their cost bound; besides, we extend Zhou and Labahn's algorithms to arbitrary orders.
Furthermore, we give an algorithm which handles arbitrary shifts with one extra logarithmic factor in the cost bound compared to the above algorithms. To the best of our knowledge, this improves upon previously known algorithms for arbitrary shifts, including for particular cases such as Hermite-Pade approximation. This algorithm is based on a recent divide and conquer approach which reduces the general case to the case where information on the output degree is available. As outlined above, we solve the latter case via partial linearizations and PM-Basis.
Submitted 6 April, 2019; v1 submitted 14 January, 2018;
originally announced January 2018.
-
Block-Krylov techniques in the context of sparse-FGLM algorithms
Authors:
Seung Gyu Hyun,
Vincent Neiger,
Hamid Rahkooy,
Eric Schost
Abstract:
Consider a zero-dimensional ideal $I$ in $\mathbb{K}[X_1,\dots,X_n]$. Inspired by Faugère and Mou's Sparse FGLM algorithm, we use Krylov sequences based on multiplication matrices of $I$ in order to compute a description of its zero set by means of univariate polynomials.
Steel recently showed how to use Coppersmith's block-Wiedemann algorithm in this context; he describes an algorithm that can be easily parallelized, but only computes parts of the output in this manner. Using generating series expressions going back to work of Bostan, Salvy, and Schost, we show how to compute the entire output for a small overhead, without making any assumption on the ideal $I$ other than it having dimension zero. We then propose a refinement of this idea that partially avoids the introduction of a generic linear form. We comment on experimental results obtained by an implementation based on the C++ libraries Eigen, LinBox and NTL.
Submitted 15 January, 2019; v1 submitted 12 December, 2017;
originally announced December 2017.
-
Algorithms for zero-dimensional ideals using linear recurrent sequences
Authors:
Vincent Neiger,
Hamid Rahkooy,
Éric Schost
Abstract:
Inspired by Faugère and Mou's sparse FGLM algorithm, we show how using linear recurrent multi-dimensional sequences can allow one to perform operations such as the primary decomposition of an ideal, by computing the annihilator of one or several such sequences.
Submitted 6 July, 2017;
originally announced July 2017.
-
Two-Point Codes for the Generalized GK curve
Authors:
Elise Barelli,
Peter Beelen,
Mrinmoy Datta,
Vincent Neiger,
Johan Rosenkilde
Abstract:
We improve previously known lower bounds for the minimum distance of certain two-point AG codes constructed using a Generalized Giulietti-Korchmaros curve (GGK). Castellanos and Tizziotti recently described such bounds for two-point codes coming from the Giulietti-Korchmaros curve (GK). Our results completely cover and in many cases improve on their results, using different techniques, while also supporting any GGK curve. Our method builds on the order bound for AG codes: to enable this, we study certain Weierstrass semigroups. This allows an efficient algorithm for computing our improved bounds. We find several new improvements upon the MinT minimum distance tables.
Submitted 7 October, 2017; v1 submitted 2 June, 2017;
originally announced June 2017.
-
Fast Computation of the Roots of Polynomials Over the Ring of Power Series
Authors:
Vincent Neiger,
Johan Rosenkilde,
Eric Schost
Abstract:
We give an algorithm for computing all roots of polynomials over a univariate power series ring over an exact field $\mathbb{K}$. More precisely, given a precision $d$, and a polynomial $Q$ whose coefficients are power series in $x$, the algorithm computes a representation of all power series $f(x)$ such that $Q(f(x)) = 0 \bmod x^d$. The algorithm works unconditionally, in particular also with multiple roots, where Newton iteration fails. Our main motivation comes from coding theory where instances of this problem arise and multiple roots must be handled.
The cost bound for our algorithm matches the worst-case input and output size $d \deg(Q)$, up to logarithmic factors. This improves upon previous algorithms which were quadratic in at least one of $d$ and $\deg(Q)$. Our algorithm is a refinement of a divide & conquer algorithm by Alekhnovich (2005), where the cost of recursive steps is better controlled via the computation of a factor of $Q$ which has a smaller degree while preserving the roots.
Submitted 30 May, 2017;
originally announced May 2017.
-
Computing Canonical Bases of Modules of Univariate Relations
Authors:
Vincent Neiger,
Thi Xuan Vu
Abstract:
We study the computation of canonical bases of sets of univariate relations $(p_1,\ldots,p_m) \in \mathbb{K}[x]^{m}$ such that $p_1 f_1 + \cdots + p_m f_m = 0$; here, the input elements $f_1,\ldots,f_m$ are from a quotient $\mathbb{K}[x]^n/\mathcal{M}$, where $\mathcal{M}$ is a $\mathbb{K}[x]$-module of rank $n$ given by a basis $\mathbf{M}\in\mathbb{K}[x]^{n\times n}$ in Hermite form. We exploit the triangular shape of $\mathbf{M}$ to generalize a divide-and-conquer approach which originates from fast minimal approximant basis algorithms. Besides recent techniques for this approach, we rely on high-order lifting to perform fast modular products of polynomial matrices of the form $\mathbf{P}\mathbf{F} \bmod \mathbf{M}$.
Our algorithm uses $O\tilde{~}(m^{ω-1}D + n^ω D/m)$ operations in $\mathbb{K}$, where $D = \mathrm{deg}(\det(\mathbf{M}))$ is the $\mathbb{K}$-vector space dimension of $\mathbb{K}[x]^n/\mathcal{M}$, $O\tilde{~}(\cdot)$ indicates that logarithmic factors are omitted, and $ω$ is the exponent of matrix multiplication. This had previously only been achieved for a diagonal matrix $\mathbf{M}$. Furthermore, our algorithm can be used to compute the shifted Popov form of a nonsingular matrix within the same cost bound, up to logarithmic factors, as the previously fastest known algorithm, which is randomized.
Submitted 30 May, 2017;
originally announced May 2017.
-
Fast, deterministic computation of the Hermite normal form and determinant of a polynomial matrix
Authors:
George Labahn,
Vincent Neiger,
Wei Zhou
Abstract:
Given a nonsingular $n \times n$ matrix of univariate polynomials over a field $\mathbb{K}$, we give fast and deterministic algorithms to compute its determinant and its Hermite normal form. Our algorithms use $\widetilde{\mathcal{O}}(n^ω\lceil s \rceil)$ operations in $\mathbb{K}$, where $s$ is bounded from above by both the average of the degrees of the rows and that of the columns of the matrix and $ω$ is the exponent of matrix multiplication. The soft-$O$ notation indicates that logarithmic factors in the big-$O$ are omitted while the ceiling function indicates that the cost is $\widetilde{\mathcal{O}}(n^ω)$ when $s = o(1)$. Our algorithms are based on a fast and deterministic triangularization method for computing the diagonal entries of the Hermite form of a nonsingular matrix.
Submitted 29 March, 2017; v1 submitted 14 July, 2016;
originally announced July 2016.
-
Fast Computation of Shifted Popov Forms of Polynomial Matrices via Systems of Modular Polynomial Equations
Authors:
Vincent Neiger
Abstract:
We give a Las Vegas algorithm which computes the shifted Popov form of an $m \times m$ nonsingular polynomial matrix of degree $d$ in expected $\widetilde{\mathcal{O}}(m^ωd)$ field operations, where $ω$ is the exponent of matrix multiplication and $\widetilde{\mathcal{O}}(\cdot)$ indicates that logarithmic factors are omitted. This is the first algorithm in $\widetilde{\mathcal{O}}(m^ωd)$ for shifted row reduction with arbitrary shifts.
Using partial linearization, we reduce the problem to the case $d \le \lceil σ/m \rceil$ where $σ$ is the generic determinant bound, with $σ/ m$ bounded from above by both the average row degree and the average column degree of the matrix. The cost above becomes $\widetilde{\mathcal{O}}(m^ω\lceil σ/m \rceil)$, improving upon the cost of the fastest previously known algorithm for row reduction, which is deterministic.
Our algorithm first builds a system of modular equations whose solution set is the row space of the input matrix, and then finds the basis in shifted Popov form of this set. We give a deterministic algorithm for this second step supporting arbitrary moduli in $\widetilde{\mathcal{O}}(m^{ω-1} σ)$ field operations, where $m$ is the number of unknowns and $σ$ is the sum of the degrees of the moduli. This extends previous results with the same cost bound in the specific cases of order basis computation and M-Padé approximation, in which the moduli are products of known linear factors.
Submitted 12 May, 2016; v1 submitted 1 February, 2016;
originally announced February 2016.
-
Fast Computation of Minimal Interpolation Bases in Popov Form for Arbitrary Shifts
Authors:
Claude-Pierre Jeannerod,
Vincent Neiger,
Eric Schost,
Gilles Villard
Abstract:
We compute minimal bases of solutions for a general interpolation problem, which encompasses Hermite-Padé approximation and constrained multivariate interpolation, and has applications in coding theory and security.
This problem asks to find univariate polynomial relations between $m$ vectors of size $σ$; these relations should have small degree with respect to an input degree shift. For an arbitrary shift, we propose an algorithm for the computation of an interpolation basis in shifted Popov normal form with a cost of $\mathcal{O}\tilde{~}(m^{ω-1} σ)$ field operations, where $ω$ is the exponent of matrix multiplication and the notation $\mathcal{O}\tilde{~}(\cdot)$ indicates that logarithmic terms are omitted.
Earlier works, in the case of Hermite-Padé approximation and in the general interpolation case, compute non-normalized bases. Since for arbitrary shifts such bases may have size $Θ(m^2 σ)$, the cost bound $\mathcal{O}\tilde{~}(m^{ω-1} σ)$ was feasible only with restrictive assumptions on the shift that ensure small output sizes. The question of handling arbitrary shifts with the same complexity bound was left open.
To obtain the target cost for any shift, we strengthen the properties of the output bases, and of those obtained during the course of the algorithm: all the bases are computed in shifted Popov form, whose size is always $\mathcal{O}(m σ)$. Then, we design a divide-and-conquer scheme. We recursively reduce the initial interpolation problem to sub-problems with more convenient shifts by first computing information on the degrees of the intermediate bases.
Submitted 13 May, 2016; v1 submitted 1 February, 2016;
originally announced February 2016.
-
Computing minimal interpolation bases
Authors:
Claude-Pierre Jeannerod,
Vincent Neiger,
Éric Schost,
Gilles Villard
Abstract:
We consider the problem of computing univariate polynomial matrices over a field that represent minimal solution bases for a general interpolation problem, some forms of which are the vector M-Padé approximation problem in [Van Barel and Bultheel, Numerical Algorithms 3, 1992] and the rational interpolation problem in [Beckermann and Labahn, SIAM J. Matrix Anal. Appl. 22, 2000]. Particular instances of this problem include the bivariate interpolation steps of Guruswami-Sudan hard-decision and Kötter-Vardy soft-decision decodings of Reed-Solomon codes, the multivariate interpolation step of list-decoding of folded Reed-Solomon codes, and Hermite-Padé approximation.
In the mentioned references, the problem is solved using iterative algorithms based on recurrence relations. Here, we discuss a fast, divide-and-conquer version of this recurrence, taking advantage of fast matrix computations over the scalars and over the polynomials. This new algorithm is deterministic, and for computing shifted minimal bases of relations between $m$ vectors of size $σ$ it uses $O~( m^{ω-1} (σ+ |s|) )$ field operations, where $ω$ is the exponent of matrix multiplication, and $|s|$ is the sum of the entries of the input shift $s$, with $\min(s) = 0$. This complexity bound improves in particular on earlier algorithms in the case of bivariate interpolation for soft decoding, while matching fastest existing algorithms for simultaneous Hermite-Padé approximation.
Submitted 13 June, 2016; v1 submitted 10 December, 2015;
originally announced December 2015.
-
Faster Algorithms for Multivariate Interpolation with Multiplicities and Simultaneous Polynomial Approximations
Authors:
Muhammad F. I. Chowdhury,
Claude-Pierre Jeannerod,
Vincent Neiger,
Eric Schost,
Gilles Villard
Abstract:
The interpolation step in the Guruswami-Sudan algorithm is a bivariate interpolation problem with multiplicities commonly solved in the literature using either structured linear algebra or basis reduction of polynomial lattices. This problem has been extended to three or more variables; for this generalization, all fast algorithms proposed so far rely on the lattice approach. In this paper, we reduce this multivariate interpolation problem to a problem of simultaneous polynomial approximations, which we solve using fast structured linear algebra. This improves the best known complexity bounds for the interpolation step of the list-decoding of Reed-Solomon codes, Parvaresh-Vardy codes, and folded Reed-Solomon codes. In particular, for Reed-Solomon list-decoding with re-encoding, our approach has complexity $\mathcal{O}\tilde{~}(\ell^{ω-1}m^2(n-k))$, where $\ell,m,n,k$ are the list size, the multiplicity, the number of sample points and the dimension of the code, and $ω$ is the exponent of linear algebra; this accelerates the previously fastest known algorithm by a factor of $\ell / m$.
Submitted 13 February, 2015; v1 submitted 4 February, 2014;
originally announced February 2014.