Revisiting Approximate Polynomial Common Divisor Problem and Noisy - - PowerPoint PPT Presentation



SLIDE 1

Revisiting Approximate Polynomial Common Divisor Problem and Noisy Multipolynomial Reconstruction

Jun Xu (Institute of Information Engineering, CAS) Santanu Sarkar (Indian Institute of Technology Madras) Lei Hu (Institute of Information Engineering, CAS) Speaker: Ayineedi Venkateswarlu

SLIDE 2

Outline

◮ The approximate polynomial common divisor problem
◮ How to solve the approximate polynomial common divisor problem
◮ Its relation to the noisy multipolynomial reconstruction problem

SLIDE 3

Approximate polynomial common divisor problem

◮ The approximate polynomial common divisor problem (Polynomial-ACD problem) includes:
  ◮ the approximate polynomial general common divisor problem (Polynomial-GACD problem);
  ◮ the approximate polynomial partial common divisor problem (Polynomial-PACD problem).

SLIDE 4

Polynomial-GACD problem

Definition ((γ, η, ρ)-Polynomial-GACD problem)

Let F[x] be the polynomial ring over a finite field F. Let r1(x), · · · , rn(x) be n random polynomials whose degrees all lie in [0, ρ]. Let p(x) = (x − p1) · · · (x − pη), where p1, · · · , pη are random elements of F. Suppose n polynomials a1(x), · · · , an(x) in F[x], each of degree at most γ and at least one of degree exactly γ, are given with

ai(x) ≡ ri(x) mod p(x) for 1 ≤ i ≤ n,

where a1(x), · · · , an(x) are called the n samples. The goal is to output the approximate common divisor p(x).

SLIDE 5

Polynomial-PACD problem

The definition of a (γ, η, ρ)-Polynomial-PACD problem is the same as that of a (γ, η, ρ)-Polynomial-GACD problem, except that the γ-degree sample an(x) is given as an exact multiple of p(x), with all roots of an(x) in F.

SLIDE 6

Polynomial-ACD problem

According to the above definitions, we have:

◮ The Polynomial-ACD problem can be regarded as a polynomial version of the approximate integer common divisor problem (Integer-ACD problem).

SLIDE 7

An algorithm for solving Polynomial-ACD problem

◮ Since ai(x) ≡ ri(x) mod p(x) for 1 ≤ i ≤ n, there exist polynomials qi(x) such that

  ai(x) = p(x)qi(x) + ri(x) for i = 1, · · · , n. (1)

◮ Let β(x) be a polynomial such that 0 ≤ deg β(x) < γ.
◮ Let L(β) be the polynomial lattice spanned by the row vectors of the following n × n matrix

$$M(\beta) = \begin{pmatrix} 1 & & & \lfloor a_1(x)/\beta(x) \rfloor \\ & \ddots & & \vdots \\ & & 1 & \lfloor a_{n-1}(x)/\beta(x) \rfloor \\ & & & \lfloor a_n(x)/\beta(x) \rfloor \end{pmatrix}$$

SLIDE 8

Our algorithm

Input: (γ, η, ρ)-Polynomial-ACD samples a1(x), · · · , an(x) where γ > η > ρ + 1
Output: p(x) or the (γ − ρ) most significant coefficients of p(x)

1. Construct the n × n polynomial matrix

$$M(x^\rho) = \begin{pmatrix} 1 & & & \lfloor a_1(x)/x^\rho \rfloor \\ & \ddots & & \vdots \\ & & 1 & \lfloor a_{n-1}(x)/x^\rho \rfloor \\ & & & \lfloor a_n(x)/x^\rho \rfloor \end{pmatrix}.$$

2. If the degrees of at least two rows in the reduced matrix M′(xρ) are larger than or equal to η − ρ, abort.
3. Write U such that U · M(xρ) = M′(xρ), where U is a unimodular n × n matrix. Write the last column of the matrix U−1 as (w1n(x), · · · , wnn(x))T.
4. If it is a case of the Polynomial-PACD problem, return p(x) = d−1 an(x)/wnn(x), where d is some constant such that d−1 an(x)/wnn(x) is monic.
5. Else compute d−1⌊an(x)/wnn(x)⌋, where d is some constant such that d−1⌊an(x)/wnn(x)⌋ is monic.
   If γ > η + ρ, return p(x) = d−1⌊an(x)/wnn(x)⌋;
   else return the (γ − ρ) most significant coefficients of d−1⌊an(x)/wnn(x)⌋.

SLIDE 9

Output of our algorithm

From our algorithm, one can get:

◮ For the Polynomial-PACD problem, directly output p(x);
◮ For the Polynomial-GACD problem,
  ◮ if γ > η + ρ, directly output p(x);
  ◮ else, output the (γ − ρ) most significant coefficients of p(x).

SLIDE 10

Main theorem

Our algorithm is based on the following result:

Theorem

Given a vector

$$v = \Bigl(u_1(x), \cdots, u_{n-1}(x), \sum_{i=1}^{n} u_i(x) \Bigl\lfloor \frac{a_i(x)}{\beta(x)} \Bigr\rfloor \Bigr) \in L(\beta),$$

we have

$$\deg \Bigl( \sum_{i=1}^{n} u_i(x) q_i(x) \Bigr) \le \deg v + \max\{\deg \beta(x), \rho\} - \eta.$$

SLIDE 11

A key observation

◮ Note that v is given; if $\sum_{i=1}^{n} u_i(x) q_i(x) = 0$, one gets a linear equation in the variables q1(x), · · · , qn(x).
◮ If there are sufficiently many linearly independent equations in the variables q1(x), · · · , qn(x), one can solve for q1(x), · · · , qn(x).
◮ Once q1(x), · · · , qn(x) are revealed, one obtains p(x) from (1), i.e., ai(x) = p(x)qi(x) + ri(x) for i = 1, · · · , n.

SLIDE 12

Our results

We show heuristically that one can solve the Polynomial-ACD problem if

$$n \ge \frac{\gamma - \eta}{\eta - \rho - 1} + 1. \qquad (2)$$

SLIDE 13

Experimental results

◮ p: a random 128-bit prime.
◮ Polynomial-PACD problem instances over the finite field Fp

   n    η    γ    ρ    (γ−η)/(η−ρ−1) + 1    Our algorithm: average reduction time (sec.)
   4   11   20    7     4.0                  0.01
   6   10   20    7     6.0                  0.03
  12    9   20    7    12.0                  0.18
  15   84  165   77    14.5                  2.84
  18   86  170   80    17.8                  4.75

SLIDE 14

Noisy multipolynomial reconstruction

Definition (Noisy Multipolynomial Reconstruction Problem)

Suppose r1(x), · · · , rn(x) are n univariate polynomials of degree at most ρ in F[x]. For γ given distinct points x1, · · · , xγ in F, there exist the following γ vectors:

  (r1(x1), · · · , rn(x1)), · · · , (r1(xγ), · · · , rn(xγ)).

Suppose that η of the γ received vectors are not corrupted; the goal is to reconstruct each polynomial ri(x).

SLIDE 15

Noisy multipolynomial reconstruction

◮ Consider n univariate polynomials r1(x), . . . , rn(x) of degree ρ over a finite field F.
◮ Suppose these polynomials are evaluated at points x1, · · · , xγ.
◮ Let zis = rs(xi) for 1 ≤ i ≤ γ and 1 ≤ s ≤ n.
◮ yis are given for 1 ≤ i ≤ γ and 1 ≤ s ≤ n, where yis = zis for i ∈ {i1, i2, . . . , iη} for each value of s.
◮ The target is to find r1(x), . . . , rn(x) from the knowledge of xi and yis.

SLIDE 16

Noisy Multipolynomial Reconstruction VS Polynomial-PACD Problem

◮ Assume without loss of generality that yis = zis for 1 ≤ i ≤ η and 1 ≤ s ≤ n.
◮ Use Lagrange interpolation to construct n polynomials as(x) of degree γ − 1 such that as(xi) = yis for 1 ≤ i ≤ γ and 1 ≤ s ≤ n.
◮ Note that as(xj) = yjs = zjs = rs(xj) for s = 1, · · · , n and j = 1, · · · , η.
◮ Let p(x) = (x − x1) · · · (x − xη).
◮ Thus, as(x) ≡ rs(x) mod p(x) for s = 1, · · · , n.
◮ Therefore, the above relations correspond to a Polynomial-ACD problem.

SLIDE 17

Noisy Multipolynomial Reconstruction VS Polynomial-PACD Problem

◮ Moreover, N(x) = (x − x1) · · · (x − xγ) ≡ 0 mod p(x).
◮ Thus there are polynomials q1(x), · · · , qn(x), qn+1(x) in F[x] such that as(x) = p(x)qs(x) + rs(x) for s = 1, · · · , n and N(x) = p(x)qn+1(x).
◮ Hence, these equations correspond to a Polynomial-PACD problem.
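As an added worked example (not code from the slides or from the authors), the following Python makes two of the deck's constructions concrete: part (a) builds a (γ, η, ρ)-Polynomial-GACD instance, forms the lattice vector v = (u1, · · · , un−1, Σ ui⌊ai/β⌋) of slides 7 and 10 for chosen multipliers ui, and returns both sides of the main theorem's degree bound; part (b) takes a constructed noisy multipolynomial reconstruction instance, interpolates the as(x) of degree γ − 1, and checks the relations as(x) ≡ rs(x) mod p(x) and N(x) ≡ 0 mod p(x) of slides 16 and 17. Assumptions: the field is F_101 instead of a 128-bit prime field, ⌊a(x)/β(x)⌋ is read as the quotient of polynomial division, and all instances, seeds and parameter sizes are constructed here; the helper names are mine.

```python
# Added example, not from the slides or the authors' code. Minimal polynomial
# arithmetic over a small constructed prime field F_P is used to (a) check the
# main theorem's degree bound on a constructed Polynomial-GACD instance and a
# vector of the lattice L(beta) of slides 7 and 10, and (b) turn a constructed
# noisy multipolynomial reconstruction instance into a Polynomial-PACD instance
# by Lagrange interpolation, as on slides 16 and 17. Polynomials are coefficient
# lists, lowest degree first; floor(a/beta) is read as the polynomial quotient.
# P, seeds and parameter sizes are assumptions chosen for illustration.
import math
import random

P = 101  # constructed small prime; the slides use a random 128-bit prime

def trim(f):
    """Drop leading zeros so the last entry is the leading coefficient."""
    while f and f[-1] % P == 0:
        f.pop()
    return f

def deg(f):
    return len(f) - 1  # the zero polynomial gets degree -1

def add(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a + b) % P for a, b in zip(f, g)])

def mul(f, g):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return trim(out)

def divmod_poly(f, g):
    """Return (q, r) with f = q*g + r and deg r < deg g; q is floor(f/g)."""
    r, q = trim(list(f)), [0] * max(len(f) - len(g) + 1, 1)
    inv = pow(g[-1], P - 2, P)  # inverse of the leading coefficient of g
    while r and len(r) >= len(g):
        c, k = r[-1] * inv % P, len(r) - len(g)
        q[k] = c
        for i, b in enumerate(g):
            r[i + k] = (r[i + k] - c * b) % P
        trim(r)
    return trim(q), r

def evaluate(f, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(f)) % P

def product_of_linear(roots):  # (x - x_1)(x - x_2)...(x - x_k)
    f = [1]
    for x0 in roots:
        f = mul(f, [(-x0) % P, 1])
    return f

def random_poly(d):  # random polynomial of degree exactly d
    return [random.randrange(P) for _ in range(d)] + [random.randrange(1, P)]

# ---- (a) the main theorem on a Polynomial-GACD instance ---------------------
def gacd_instance(n, gamma, eta, rho, seed=7):
    """Constructed samples a_i = p(x) q_i(x) + r_i(x), each of degree gamma."""
    random.seed(seed)
    p = product_of_linear(random.sample(range(P), eta))  # roots p_1..p_eta
    qs = [random_poly(gamma - eta) for _ in range(n)]
    rs = [random_poly(random.randrange(rho + 1)) for _ in range(n)]
    return p, qs, rs, [add(mul(p, q), r) for q, r in zip(qs, rs)]

def theorem_bound(a, qs, beta, us, rho, eta):
    """For v = (u_1, ..., u_{n-1}, sum_i u_i*floor(a_i/beta)) in L(beta) return
    (deg sum_i u_i q_i, deg v + max(deg beta, rho) - eta); theorem: lhs <= rhs."""
    last, comb = [], []
    for u, ai, qi in zip(us, a, qs):
        last = add(last, mul(u, divmod_poly(ai, beta)[0]))  # u_i times row i
        comb = add(comb, mul(u, qi))
    deg_v = max(deg(u) for u in us[:-1] + [last])
    return deg(comb), deg_v + max(deg(beta), rho) - eta

# ---- (b) noisy multipolynomial reconstruction -> Polynomial-PACD ------------
def lagrange(xs, ys):
    """The unique polynomial of degree < len(xs) with f(xs[i]) = ys[i]."""
    f = []
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        others = [xj for j, xj in enumerate(xs) if j != i]
        denom = math.prod((xi - xj) % P for xj in others) % P
        c = yi * pow(denom, P - 2, P) % P
        f = add(f, [c * v % P for v in product_of_linear(others)])
    return f

def reconstruction_to_pacd(n, gamma, eta, rho, seed=11):
    """Evaluate r_s at gamma points, corrupt every row after the first eta,
    interpolate a_s of degree gamma - 1 and check the relations of slides 16-17."""
    random.seed(seed)
    rs = [random_poly(rho) for _ in range(n)]
    xs = random.sample(range(P), gamma)
    y = [[evaluate(r, xi) if i < eta else random.randrange(P) for r in rs]
         for i, xi in enumerate(xs)]
    a = [lagrange(xs, [y[i][s] for i in range(gamma)]) for s in range(n)]
    p, N = product_of_linear(xs[:eta]), product_of_linear(xs)
    congruent = all(divmod_poly(a[s], p)[1] == rs[s] for s in range(n))
    return congruent, divmod_poly(N, p)[1] == []  # a_s = r_s mod p, N = 0 mod p
```

Calling `gacd_instance(4, 20, 11, 7)` uses the first parameter row of the slide-13 table, and `theorem_bound(a, qs, [0] * 7 + [1], us, 7, 11)` evaluates the bound with β = xρ as in step 1 of the algorithm, so the right-hand side becomes deg v + ρ − η. That is also why step 2 looks at rows of degree at least η − ρ: a lattice vector of degree below η − ρ makes the bound negative, which forces Σ ui(x)qi(x) = 0 and yields exactly the linear relation among the qi(x) that slide 11 exploits. `reconstruction_to_pacd(3, 12, 6, 3)` returns `(True, True)` whenever ρ < η, the condition under which as(x) mod p(x) recovers rs(x) itself.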

SLIDE 18

Noisy Multipolynomial Reconstruction over finite field Fp

p: a random 128-bit prime.

Average reduction time (sec.) over Fp:

   n    η    γ    ρ    Our algorithm    USENIX 2012
  14   87  100   85    < 1              < 1
  22   27   90   23    6.33             11.13
  20   97  200   90    9.86             32.44
  25   86  200   80    19.95            63.48
  40   83  163   80    41.04            135.19
  54   97  150   95    57.73            173.00
  70   75  145   73    156.63           484.02

SLIDE 19

Thank you for your attention

Query: {xujun,hulei}@iie.ac.cn,sarkar.santanu.bir1@gmail.com