Algorithms for finite field arithmetic, Éric Schost (joint with Luca De Feo & Javad Doliskani), PowerPoint PPT Presentation


  1. Algorithms for finite field arithmetic. Éric Schost (joint with Luca De Feo & Javad Doliskani), Western University → University of Waterloo. July 9, 2015.

  2. Basics 2 / 30

  3. Finite fields. Definition: a finite field is a field (a set with addition, multiplication, inverse) which is finite. Examples: F_2 = {0, 1}, with operations XOR and AND; F_p = {0, ..., p − 1}, p prime, with addition and multiplication mod p; {0, 1, 2, 3} with operations mod 4 is not a field. 3 / 30

  4. Finite fields are ubiquitous: number theory and algebraic geometry; cryptography (elliptic curve cryptography, multivariate cryptography); coding theory (Reed-Solomon, AG codes, ...). Our objective: efficient algorithms for building and working with finite fields. 4 / 30

  5. Computing in finite fields k1:=GF(5^1); a1:=Random(k1); ... k10:=GF(5^10); a10:=Random(k10); ... k100:=GF(5^100); a100:=Random(k100); ... k1000:=GF(5^1000); a1000:=Random(k1000); ... How does this scale? 5 / 30

  6. Building finite fields. If Q is an irreducible polynomial of degree d over F_p, F_p[X]/Q(X) = {a_0 + a_1 X + ··· + a_{d−1} X^{d−1} | a_i ∈ F_p} is a finite field with p^d elements, with operations done mod p and Q. Facts: all finite fields can be constructed this way; there is no canonical choice of Q. Not covered here: finding primes, normal bases, Zech logarithms, Conway polynomials, ... 6 / 30

  7. On the algorithmic side. Basic arithmetic: operands are elements of F_p; the operations +, ×, ÷ in F_p have unit cost. Working with F_{p^d}: an element of F_{p^d} is d elements of F_p; polynomial time means (d log(p))^{O(1)}. If Q(X) is given, arithmetic in F_{p^d} is easy: operations on univariate polynomials (multiplication, division, XGCD), in quasi-linear time if FFT-based techniques are used. 7 / 30

  8. The big picture. No deterministic polynomial-time algorithm is known; deterministic algorithms run in time (dp)^{O(1)} [Shoup'89]. With d = 2, this amounts to finding x in F_p which is not a square: O(1) random choices suffice; under the Generalized Riemann Hypothesis, log(p)^{O(1)} choices suffice. Same ideas in higher degrees: under ERH [Adleman-Lenstra]; recent work by [Ivanyos et al.] to remove the dependency on GRH. Not covered here: special primes [von zur Gathen, Rónyai, Shoup], average case analysis [Gao-Panario], bounds on degrees [von zur Gathen, Adleman-Lenstra], ... 8 / 30

  9. Lattices of finite fields 9 / 30

  10. Computing in finite fields. A Magma session: k4:=GF(5^4); k6:=GF(5^6); a4:=Random(k4); a6:=Random(k6); a:=a4+a6; Parent(a); Finite field of size 5^12. The question is not only building F_{5^4} or F_{5^6}. We also have to make them all fit together. 10 / 30

  11. More on finite fields. Fact: if m divides n, there is an embedding F_{p^m} ↪ F_{p^n}. For instance, F_p ↪ F_{p^2} ↪ F_{p^4} ↪ F_{p^8} ↪ ··· is obtained by a series of extensions of degree 2. Same with powers of 3, 5, ... Explicitly, this amounts to the following computation: F_p[X]/Q(X) ↪ F_p[X]/R(X), F(X) ↦ F(G) mod R, where G is a root of Q in F_p[X]/R(X). 11 / 30

  12. What does F̄_p look like? [Diagram: the lattice of finite fields F_p ⊂ F_{p^2} ⊂ F_{p^4} ⊂ ···, F_p ⊂ F_{p^3} ⊂ F_{p^9} ⊂ ···, F_p ⊂ F_{p^5} ⊂ F_{p^25} ⊂ ···, and in general F_p ⊂ F_{p^ℓ} ⊂ F_{p^{ℓ^2}} ⊂ ···, with the towers labelled F_p^(2), F_p^(3), F_p^(5), F_p^(ℓ).] From [De Smit-Lenstra]. 12 / 30

  13. Some previous work. All in a similar spirit: [Shoup'90] and [Shoup'94] (irreducibles); [Couveignes-Lercier] (irreducibles); [De Smit-Lenstra] (standard model). Very complete design in Magma [Bosma-Cannon-Steel]: several representations and algorithms; arbitrary field isomorphisms and embeddings. Libraries: PARI, NTL, FLINT, ... 13 / 30

  14. Interlude: Polynomial arithmetic 14 / 30

  15. Univariate and multivariate. An extension of degree 6 of F_11: F_11[X]/⟨X^6 + 4X^5 + 2X^4 + 5X^2 + 9X + 6⟩. Another extension of degree 6 of F_11: F_11[Z, T]/⟨Z^3 + 3Z^2 + 5Z + 1, T^2 + 6T + 1⟩. Working in the second model: multiplication is reduction by two polynomials; inversion is similar to XGCD, but more complex. A useful tool: change-of-basis. F(X) ↦ F(T^2 Z + 3T^2 + 10TZ + 8T + 2Z + 9) mod ⟨Z^3 + ···, T^2 + ···⟩. 15 / 30

  19. Triangular sets. Continuing this way, we may end up with structures such as ⟨T_n(X_1, ..., X_n), ..., T_2(X_1, X_2), T_1(X_1)⟩. Triangular sets: many algorithms for polynomial system solving [Ritt, Wu, Lazard, Kalkbrenner, Moreno Maza, ...]; still no quasi-linear algorithm for basic arithmetic. Change of basis: almost linear time [Umans, Kedlaya-Umans, Poteaux-S.] in a boolean model; does not appear to be useful in practice (yet). 16 / 30

  21. Towers 17 / 30

  22. One direction of the lattice. [Diagram: the lattice of finite fields from slide 12 (F_p, F_{p^2}, F_{p^4}, F_{p^3}, F_{p^9}, F_{p^5}, F_{p^25}, F_{p^ℓ}, F_{p^{ℓ^2}}, ... and the towers F_p^(2), F_p^(3), F_p^(5), F_p^(ℓ)), one direction of it being considered.] 18 / 30

  23. Example: halving on an elliptic curve. [Figure: an elliptic curve with the points P, R and −R marked.] Recovering P from R → extracting 2 square roots. Similar questions: division by p [Couveignes, De Feo]; hyperelliptic curves [Gaudry-S.]. 19 / 30

  29. Basic construction. Smallest prime, ℓ = 2: suppose that x_0 is not a square. Then X^2 − x_0 is irreducible. And X^4 − x_0. And X^8 − x_0 ... (this needs p ≡ 1 (mod 4)). General prime ℓ, with ℓ ≠ p: if x_0 is not an ℓth power, X^{ℓ^i} − x_0 is irreducible for all i. Existence of x_0 ⟺ existence of ℓth roots of unity ⟺ ℓ divides p − 1. We are looking at fibers of x ↦ x^ℓ. 20 / 30
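The pieces of slides 6-8, 11 and 20 fit together in a few dozen lines: represent F_{p^d} as F_p[X]/Q(X), do multiplication, XGCD-based inversion and exponentiation on coefficient lists, pick x_0 by the random search of slide 8 (a non-ℓth power, tested by x_0^((p−1)/ℓ) ≠ 1), build the tower X^{ℓ^i} − x_0, and realise the embedding F(X) ↦ F(G) mod R of slide 11 with G = X^ℓ. The code below is an added example, not code from the slides or from the authors' software; the irreducibility check (Ben-Or's test, not mentioned in the talk), the parameters p = 13, ℓ = 2 and the sample elements a and b are my own choices.

```python
# Added example, not code from the slides: a univariate model F_p[X]/Q(X)
# (slides 6-7), the X^(l^i) - x_0 construction of slide 20 with the random
# search for x_0 of slide 8, and the embedding F(X) -> F(G) mod R of slide 11.
# Polynomials are lists of coefficients in F_p, lowest degree first; all
# parameters (p = 13, l = 2, the elements a and b) are constructed here.
import random

def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f

def add(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(x + y) % p for x, y in zip(f, g)])

def neg(f, p):
    return [(-c) % p for c in f]

def mul(f, g, p):
    h = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % p
    return trim(h)

def divmod_poly(f, g, p):
    """Euclidean division in F_p[X] (g nonzero): returns (quotient, remainder)."""
    f, q = f[:], [0] * max(len(f) - len(g) + 1, 1)
    inv_lead = pow(g[-1], p - 2, p)          # inverse of the leading coefficient of g
    while f and len(f) >= len(g):
        k, c = len(f) - len(g), f[-1] * inv_lead % p
        q[k] = c
        for i, b in enumerate(g):
            f[i + k] = (f[i + k] - c * b) % p
        trim(f)
    return trim(q), f

def mulmod(f, g, Q, p):
    return divmod_poly(mul(f, g, p), Q, p)[1]

def powmod(f, e, Q, p):
    """Square-and-multiply in F_p[X]/Q(X)."""
    result, base = [1], f
    while e:
        if e & 1:
            result = mulmod(result, base, Q, p)
        base, e = mulmod(base, base, Q, p), e >> 1
    return result

def xgcd(f, g, p):
    """Extended Euclid: returns (d, u, v) with u*f + v*g = d, d the monic gcd."""
    r0, r1, u0, u1, v0, v1 = f, g, [1], [], [], [1]
    while r1:
        q, r = divmod_poly(r0, r1, p)
        r0, r1 = r1, r
        u0, u1 = u1, add(u0, neg(mul(q, u1, p), p), p)
        v0, v1 = v1, add(v0, neg(mul(q, v1, p), p), p)
    inv = pow(r0[-1], p - 2, p)
    return tuple([c * inv % p for c in h] for h in (r0, u0, v0))

def inverse(f, Q, p):
    """Inversion in F_p[X]/Q(X) through XGCD, as on slide 7."""
    d, u, _ = xgcd(f, Q, p)
    assert d == [1], "not invertible modulo Q"
    return divmod_poly(u, Q, p)[1]

def is_irreducible(f, p):
    """Ben-Or's test (my addition, not on the slides): f of degree n is
    irreducible iff gcd(f, X^(p^k) - X) = 1 for k = 1..n//2."""
    n, xpk = len(f) - 1, [0, 1]
    for _ in range(n // 2):
        xpk = powmod(xpk, p, f, p)               # X^(p^k) mod f
        diff = add(xpk, [0, p - 1], p)           # X^(p^k) - X
        if not diff or xgcd(f, diff, p)[0] != [1]:
            return False
    return True

def is_lth_power(x, l, p):
    """For l | p - 1 and x != 0: x is an l-th power iff x^((p-1)/l) = 1."""
    assert (p - 1) % l == 0, "slide 20: x_0 exists only when l divides p - 1"
    return pow(x, (p - 1) // l, p) == 1

def find_non_lth_power(p, l, rng=random.Random(2015)):
    """Random search of slide 8: O(1) expected trials."""
    while True:
        x = rng.randrange(1, p)
        if not is_lth_power(x, l, p):
            return x

def embed(F, G, R, p):
    """F(X) |-> F(G) mod R, evaluated by Horner's rule."""
    result = []
    for c in reversed(F):
        result = add(mulmod(result, G, R, p), [c % p], p)
    return result

def tower_demo(p=13, l=2, levels=3):
    """Build X^(l^i) - x_0 for i = 1..levels and embed F_p[X]/Q_1 into F_p[X]/Q_2."""
    x0 = find_non_lth_power(p, l)
    polys = [[(-x0) % p] + [0] * (l ** i - 1) + [1] for i in range(1, levels + 1)]
    irreducible = [is_irreducible(Qi, p) for Qi in polys]
    Q1, Q2 = polys[0], polys[1]
    G = [0] * l + [1]                  # G = X^l: G^l = X^(l^2) = x_0 mod Q2, so Q1(G) = 0
    root_ok = embed(Q1, G, Q2, p) == []
    a, b = [3, 1], [5, 7]              # constructed elements of F_p[X]/Q1
    lhs = embed(mulmod(a, b, Q1, p), G, Q2, p)
    rhs = mulmod(embed(a, G, Q2, p), embed(b, G, Q2, p), Q2, p)
    inv_ok = mulmod(a, inverse(a, Q1, p), Q1, p) == [1]
    return x0, irreducible, root_ok and lhs == rhs and inv_ok

if __name__ == "__main__":
    print(tower_demo())
```

With p = 13 ≡ 1 (mod 4) all three polynomials X^2 − x_0, X^4 − x_0, X^8 − x_0 pass the irreducibility test, and the embedding sends products to products, which is exactly what "making the fields fit together" on slide 10 requires; the XGCD inverse and the Ben-Or check reuse the same modular multiplication, which is why slide 7 counts all of F_{p^d} arithmetic as univariate polynomial operations.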

  30. Cyclotomy [Shoup, De Smit-Lenstra, De Feo-Doliskani-S.]. [Diagram: on the left the tower F_p ⊂ F_p(x_1) ⊂ F_p(x_2) ⊂ ··· ⊂ F_p(x_i), with vertical arrows labelled ℓ and the arrow F_p → F_p(x_i) labelled Q_i; on the right the cyclotomic fields F_p ⊂ F_p(ζ_ℓ) ⊂ F_p(ζ_{ℓ^2}) ⊂ F_p(ζ_{ℓ^3}) ⊂ ··· ⊂ F_p(ζ_{ℓ^i}), with horizontal arrows F_p(x_j) → F_p(ζ_{ℓ^j}) labelled r.] (ζ_ℓ: ℓth root of unity.) Replace F_p by F_p(ζ_ℓ), then do as before. Q_i can be computed by resultants; divide-and-conquer algorithm for embedding; cost: Õ(ℓ^{i+c}). 21 / 30

  33. Elliptic curves [Couveignes-Lercier, De Feo-Doliskani-S.]. Rule of thumb: if you know an algorithm relying on cyclotomic constructions, it may have an elliptic counterpart: multiplication in F_p^⋆ ↔ addition on an elliptic curve. Examples: Pollard's p − 1 and extensions / Lenstra's ECM; primality tests, FFT, ... Here: we use an analogue of the ℓth-power map x ↦ x^ℓ (isogenies between curves); we need curves with suitable cardinality properties; divide-and-conquer algorithm for embedding, cost Õ(ℓ^{i+c}). 22 / 30

  35. Completing the lattice 23 / 30

  36. What is left to do. [Diagram: the lattice of finite fields from slide 12 (F_p, F_{p^2}, F_{p^4}, F_{p^3}, F_{p^9}, F_{p^5}, F_{p^25}, F_{p^ℓ}, F_{p^{ℓ^2}}, ... and the towers F_p^(2), F_p^(3), F_p^(5), F_p^(ℓ)).] 24 / 30

  37. Composita of fields. Composed product [Brawley-Carlitz]: suppose that P = ∏_{i=1,...,m} (X − a_i) and Q = ∏_{j=1,...,n} (X − b_j). Their composed product is R = ∏_{i,j} (X − a_i b_j). Prop.: over a finite field, if P and Q are irreducible and m and n are coprime, R is irreducible. Computing R: as a resultant [Shoup]; in quasi-linear time through its Newton sums [Bostan et al.]. 25 / 30
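The Newton-sum route to R on slide 25 is short to write down, because the k-th power sum of the roots a_i b_j is the product of the k-th power sums of P and Q: convert P and Q to power sums with Newton's identities, multiply termwise, convert back. The code below is an added example, not code from the slides or from [Bostan et al.]; it is the plain quadratic version of the idea (the quasi-linear one needs fast power-series arithmetic), it assumes p > deg R so that Newton's identities may divide by k, and the prime p = 7 and the polynomials P = X^2 − 3, Q = X^3 − 2 are constructed for the demonstration.

```python
# Added example, not code from the slides: the composed product R of P and Q
# (slide 25) computed through Newton sums, in its straightforward quadratic
# form over F_p with p > deg R so that Newton's identities can divide by k.
# Monic polynomials are lists of coefficients, highest degree first; p = 7 and
# the polynomials P, Q below are constructed for the demonstration.

def power_sums(f, p, count):
    """Newton's identities, coefficients -> power sums s_k = sum of k-th powers of the roots."""
    n, c = len(f) - 1, f[1:]               # c[i-1] is the coefficient of X^(n-i)
    sums = []
    for k in range(1, count + 1):
        s = sum(c[i - 1] * sums[k - i - 1] for i in range(1, min(k - 1, n) + 1))
        if k <= n:
            s += k * c[k - 1]
        sums.append((-s) % p)
    return sums

def from_power_sums(sums, n, p):
    """Newton's identities in the other direction: the monic degree-n polynomial
    with the given first n power sums (needs 1..n invertible mod p)."""
    c = []
    for k in range(1, n + 1):
        s = sums[k - 1] + sum(c[i - 1] * sums[k - i - 1] for i in range(1, k))
        c.append((-s) * pow(k, p - 2, p) % p)
    return [1] + c

def composed_product(P, Q, p):
    """R = prod_{i,j} (X - a_i b_j): its k-th power sum is the product of those of P and Q."""
    d = (len(P) - 1) * (len(Q) - 1)
    assert p > d, "this naive Newton-sum version needs p > deg R"
    r = [a * b % p for a, b in zip(power_sums(P, p, d), power_sums(Q, p, d))]
    return from_power_sums(r, d, p)

def mul(f, g, p):
    """Plain product in F_p[X], highest degree first (used to exhibit a factorisation)."""
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % p
    return h

if __name__ == "__main__":
    p = 7
    # Coprime degrees 2 and 3: P = X^2 - 3 and Q = X^3 - 2 are irreducible over F_7
    # (3 is not a square and 2 is not a cube mod 7), so R is irreducible of degree 6.
    print(composed_product([1, 0, 4], [1, 0, 0, 5], p))      # X^6 - 3, i.e. [1, 0, 0, 0, 0, 0, 4]
    # Degrees 2 and 2 are not coprime: the composed product of X^2 - 3 with itself
    # is (X^2 - 2)^2, reducible, which is why the proposition needs gcd(m, n) = 1.
    print(composed_product([1, 0, 4], [1, 0, 4], p), mul([1, 0, 5], [1, 0, 5], p))
```

The second call shows the hypothesis of the proposition at work: with m = n = 2 the products a_i b_j collide and R becomes a square. The p > deg R restriction is a limitation of this textbook form only; the resultant of [Shoup] and the quasi-linear method of [Bostan et al.] have no such constraint.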

  39. Change of basis. Given x = (1 + √5)/2 and y = ∛3, how to find that x = (xy)^3/6 − 1/2? This is linear algebra. 26 / 30
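Slide 26 is the bivariate model of slides 15-16 in miniature: Q(√5, ∛3) is Q[Z, T]/⟨Z^2 − Z − 1, T^3 − 3⟩, a triangular set with x = Z and y = T, and "this is linear algebra" means writing the six vectors 1, xy, ..., (xy)^5 in the monomial basis Z^i T^j and solving for the combination equal to x. The code below is an added example, not code from the slides; the element layout, the reduction order (T^3 first, then Z^2) and the Gauss-Jordan solver are my own choices, and it works over Q with exact fractions rather than over a finite field.

```python
# Added example, not code from the slides: the bivariate ("triangular set")
# model of slides 15-16 and the change of basis of slide 26 done as linear
# algebra. Elements of Q[Z, T]/<Z^2 - Z - 1, T^3 - 3> are 2 x 3 tables of
# rationals a[i][j] for Z^i T^j, so Z = (1 + sqrt 5)/2 and T = cbrt 3.
from fractions import Fraction as Fr

DZ, DT = 2, 3          # degrees of T_1(Z) = Z^2 - Z - 1 and T_2(Z, T) = T^3 - 3

def element(**monomials):
    """Build an element from monomials named z<i>t<j>, e.g. element(z1t1=1) is Z*T."""
    a = [[Fr(0)] * DT for _ in range(DZ)]
    for name, coeff in monomials.items():
        a[int(name[1])][int(name[3])] = Fr(coeff)
    return a

def mul(a, b):
    """Multiply, then reduce by the two polynomials: T^3 -> 3, then Z^2 -> Z + 1."""
    prod = [[Fr(0)] * (2 * DT - 1) for _ in range(2 * DZ - 1)]
    for i in range(DZ):
        for j in range(DT):
            for k in range(DZ):
                for l in range(DT):
                    prod[i + k][j + l] += a[i][j] * b[k][l]
    for row in prod:                           # T^j = 3 T^(j-3) for j = 4, 3
        for j in range(2 * DT - 2, DT - 1, -1):
            row[j - DT] += 3 * row[j]
            row[j] = Fr(0)
    for j in range(DT):                        # Z^2 = Z + 1
        prod[1][j] += prod[2][j]
        prod[0][j] += prod[2][j]
    return [row[:DT] for row in prod[:DZ]]

def flatten(a):
    """Coordinates in the monomial basis 1, T, T^2, Z, ZT, ZT^2."""
    return [a[i][j] for i in range(DZ) for j in range(DT)]

def solve(columns, rhs):
    """Gauss-Jordan over Q: coefficients c with sum_k c_k columns[k] = rhs (columns independent)."""
    n = len(rhs)
    A = [[columns[k][i] for k in range(n)] + [rhs[i]] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [v / A[col][col] for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                A[r] = [vr - A[r][col] * vc for vr, vc in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]

def express_in_powers(target, gen):
    """Write target as c_0 + c_1 gen + ... + c_5 gen^5 (gen generates the degree-6 field)."""
    powers, cur = [], element(z0t0=1)
    for _ in range(DZ * DT):
        powers.append(flatten(cur))
        cur = mul(cur, gen)
    return solve(powers, flatten(target))

def change_of_basis_demo():
    """Slide 26: x = (1 + sqrt 5)/2 = Z, y = cbrt 3 = T; express x in powers of xy."""
    x, y = element(z1t0=1), element(z0t1=1)
    return express_in_powers(x, mul(x, y))

if __name__ == "__main__":
    print(change_of_basis_demo())       # [-1/2, 0, 0, 1/6, 0, 0]: x = (xy)^3/6 - 1/2
```

The returned coefficient vector is the change of basis from the univariate model Q[X]/(minimal polynomial of xy) back to the triangular one; the same solve, with the (xy)^k replaced by powers of the element T^2 Z + 3T^2 + 10TZ + 8T + 2Z + 9 of slide 15 and Q replaced by F_11, is what that slide's F(X) ↦ F(···) map needs, which is why slide 16 cares about the cost of change of basis for triangular sets.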
