Fast method for testing the smoothness of polynomials Jean-Franc - - PowerPoint PPT Presentation

page.1

Fast method for testing the smoothness of polynomials

Jean-Franc ¸ois Biasse Mike Jacobson

University of Calgary

October 2013

Biasse-Jacobson (U of C) Fast smoothness test October 2013 1 / 24

page.2

Presentation of the problem

Let K be a finite field. Let B > 0 a bound. We want to test if a given P ∈ K[X] is B-smooth, that is if P = Pe1

1 · · · Pen n ,

with ∀i ≤ k deg(Pi) ≤ B.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 2 / 24

page.3

Presentation of the problem

Let K be a finite field. Let B > 0 a bound. We want to test if a given P ∈ K[X] is B-smooth, that is if P = Pe1

1 · · · Pen n ,

with ∀i ≤ k deg(Pi) ≤ B. This occurs in the resolution of the disrete logarithm problem (DLP) : Function field sieve in (Fpm)∗.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 2 / 24

page.4

Presentation of the problem

Let K be a finite field. Let B > 0 a bound. We want to test if a given P ∈ K[X] is B-smooth, that is if P = Pe1

1 · · · Pen n ,

with ∀i ≤ k deg(Pi) ≤ B. This occurs in the resolution of the disrete logarithm problem (DLP) : Function field sieve in (Fpm)∗. Random walk method in J (C).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 2 / 24

page.5

Presentation of the problem

Let K be a finite field. Let B > 0 a bound. We want to test if a given P ∈ K[X] is B-smooth, that is if P = Pe1

1 · · · Pen n ,

with ∀i ≤ k deg(Pi) ≤ B. This occurs in the resolution of the disrete logarithm problem (DLP) : Function field sieve in (Fpm)∗. Random walk method in J (C). Quadratic sieve method in the Jacobian of J (C). where J (C) is the Jacobian of a hyperelliptic curve C over a finite field.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 2 / 24

page.6

1 Motivation 2 Bernstein’s approach 3 Complexity analysis 4 Practical examples

Biasse-Jacobson (U of C) Fast smoothness test October 2013 2 / 24

page.7

The jacobian of a hyperelliptic curve

Let K be a finite field, a hyperelliptic curve C of genus g is defined by Y 2 + h(X)Y + f (X) = 0, where h, f ∈ K[X], deg(h) ≤ g and deg(f ) = 2g + 1 or 2g + 2.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 3 / 24

page.8

The jacobian of a hyperelliptic curve

Let K be a finite field, a hyperelliptic curve C of genus g is defined by Y 2 + h(X)Y + f (X) = 0, where h, f ∈ K[X], deg(h) ≤ g and deg(f ) = 2g + 1 or 2g + 2.

The Jacobian variety

A hyperelliptic curve is associated to a group J (C) with |J (C)| ≈ qg where K = Fq. Solving the DLP at fixed g is exponential in log(q).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 3 / 24

page.9

The jacobian of a hyperelliptic curve

Let K be a finite field, a hyperelliptic curve C of genus g is defined by Y 2 + h(X)Y + f (X) = 0, where h, f ∈ K[X], deg(h) ≤ g and deg(f ) = 2g + 1 or 2g + 2.

The Jacobian variety

A hyperelliptic curve is associated to a group J (C) with |J (C)| ≈ qg where K = Fq. Solving the DLP at fixed g is exponential in log(q). The DLP in |J (C)| in an essential topic in cryptography. Elliptic curves are the special case g = 1.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 3 / 24

page.10

Smoothness in J (C)

Elements of J (C) can be represented by (u(X), v(X)) where deg(u) ≤ g is the degree of (u(X), v(X)). deg(v) < deg(v).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 4 / 24

page.11

Smoothness in J (C)

Elements of J (C) can be represented by (u(X), v(X)) where deg(u) ≤ g is the degree of (u(X), v(X)). deg(v) < deg(v).

Smoothness of divisors

We say that a ∈ J (C) is B-smooth if a = p1 · · · pn for some n > 0, with ∀i, deg(pi) ≤ B.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 4 / 24

page.12

Smoothness in J (C)

Elements of J (C) can be represented by (u(X), v(X)) where deg(u) ≤ g is the degree of (u(X), v(X)). deg(v) < deg(v).

Smoothness of divisors

We say that a ∈ J (C) is B-smooth if a = p1 · · · pn for some n > 0, with ∀i, deg(pi) ≤ B. If u(X) is B-smooth for B ≤ g, then (u(X), v(X)) is B-smooth in J (C).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 4 / 24

page.13

Solving the DLP in J (C) from relations

Let a, b ∈ J (C), we want to find x ∈ Z such that b = ax. Let p1, · · · , pn generating J (C).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 5 / 24

page.14

Solving the DLP in J (C) from relations

Let a, b ∈ J (C), we want to find x ∈ Z such that b = ax. Let p1, · · · , pn generating J (C).

M = m1,1 m1,n 0 0 ml,1 ml,n 0 0 ml+1,1 ml+1,n 1 0 ml+2,1 ml+2,n 0 1                   pm1,1

1

· · · pm1,n

n

= 1 pmk,1

1

· · · pmk,n

n

= 1 pmk+1,1

1

· · · pmk+1,n

n

b = 1 pmk+2,1

1

· · · pmk+2,n

n

a = 1 A : l + 2 rows n + 1 columns

Biasse-Jacobson (U of C) Fast smoothness test October 2013 5 / 24

page.15

Solving the DLP in J (C) from relations

Let a, b ∈ J (C), we want to find x ∈ Z such that b = ax. Let p1, · · · , pn generating J (C).

M = m1,1 m1,n 0 0 ml,1 ml,n 0 0 ml+1,1 ml+1,n 1 0 ml+2,1 ml+2,n 0 1                   pm1,1

1

· · · pm1,n

n

= 1 pmk,1

1

· · · pmk,n

n

= 1 pmk+1,1

1

· · · pmk+1,n

n

b = 1 pmk+2,1

1

· · · pmk+2,n

n

a = 1 A : l + 2 rows n + 1 columns

If XA = (0, · · · , 0, 1), then ∃y ∈ Z such that XM = (0, · · · , 0, 1, y). This means bay = 1, so x = −y is a solution.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 5 / 24

page.16

Relations in J (C) from random walk

We can solve the DLP in J (C) from relations p1 · · · pn = 1 where B := {p1 · · · pn} generates J (C). B = {p = (u, v) ∈ J (C) | u prime , deg(u) ≤ B}.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 6 / 24

page.17

Relations in J (C) from random walk

We can solve the DLP in J (C) from relations p1 · · · pn = 1 where B := {p1 · · · pn} generates J (C). B = {p = (u, v) ∈ J (C) | u prime , deg(u) ≤ B}.

Random walk strategy

We repeat the following steps. Draw pe1

1 · · · pen n = (u, v) at random.

Test if u ∈ Fq[X] is B-smooth. Each time u is B-smooth, we have a relation

i pei i = j qj.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 6 / 24

page.18

Relations in J (C) from random walk

We can solve the DLP in J (C) from relations p1 · · · pn = 1 where B := {p1 · · · pn} generates J (C). B = {p = (u, v) ∈ J (C) | u prime , deg(u) ≤ B}.

Random walk strategy

We repeat the following steps. Draw pe1

1 · · · pen n = (u, v) at random.

Test if u ∈ Fq[X] is B-smooth. Each time u is B-smooth, we have a relation

i pei i = j qj.

The two main contribution to the cost are Arithmetic in J (C). Smoothness test of u.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 6 / 24

page.19

Sieving in a fonction field

Let P ∈ K[x][y] of degree g. Let B > 0 and S ⊂ K[x]g+1. We want to find (ai(x)) ∈ S such that P(a0(x), · · · , ag(x)) is B −smooth.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 7 / 24

page.20

Sieving in a fonction field

Let P ∈ K[x][y] of degree g. Let B > 0 and S ⊂ K[x]g+1. We want to find (ai(x)) ∈ S such that P(a0(x), · · · , ag(x)) is B −smooth.

Sieving methods

Using roots of P mod pi where deg(pi) ≤ B, we Preselect rapidly candidates Q1(x), · · · , Ql(x) where Qj ∈ P(S). Then we test the (Qi(x))i≤l for smoothness.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 7 / 24

page.21

Sieving in a fonction field

Let P ∈ K[x][y] of degree g. Let B > 0 and S ⊂ K[x]g+1. We want to find (ai(x)) ∈ S such that P(a0(x), · · · , ag(x)) is B −smooth.

Sieving methods

Using roots of P mod pi where deg(pi) ≤ B, we Preselect rapidly candidates Q1(x), · · · , Ql(x) where Qj ∈ P(S). Then we test the (Qi(x))i≤l for smoothness. Sieving is faster than testing P(a0(x), · · · , ag(x)) for all (ai(x)) ∈ S. It still involves smoothness tests of elements in K[x].

Biasse-Jacobson (U of C) Fast smoothness test October 2013 7 / 24

page.22

Relations in J (C) from sieving

Let C : Y 2 + h(X)Y + f (X) = F(X, Y ) = 0 with deg(f ) = 2g + 1. Let O := Fq[X][Y ]/F(X, Y ) be the equation order. Cl(O) := {ideals of O}/{principal ideals} ≃ J (C).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 8 / 24

page.23

Relations in J (C) from sieving

Let C : Y 2 + h(X)Y + f (X) = F(X, Y ) = 0 with deg(f ) = 2g + 1. Let O := Fq[X][Y ]/F(X, Y ) be the equation order. Cl(O) := {ideals of O}/{principal ideals} ≃ J (C).

Relations in Cl(O)

Relations in J (C) correpond to identities p1 · · · pn = (α) Where the pi are ideals of O and α ∈ Fq[X]. If N(α) ∈ Fq[X] is B-smooth, then the relation in J (C) is too.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 8 / 24

page.24

Relations in J (C) from sieving

Let C : Y 2 + h(X)Y + f (X) = F(X, Y ) = 0 with deg(f ) = 2g + 1. Let O := Fq[X][Y ]/F(X, Y ) be the equation order. Cl(O) := {ideals of O}/{principal ideals} ≃ J (C).

Relations in Cl(O)

Relations in J (C) correpond to identities p1 · · · pn = (α) Where the pi are ideals of O and α ∈ Fq[X]. If N(α) ∈ Fq[X] is B-smooth, then the relation in J (C) is too. Let [a, ω] be an integral basis of O. We have N(xa + yω) = a2x2 + a Tr(ω)xy + N(ω)y2 := ψ(x, y).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 8 / 24

page.25

Relations in J (C) from sieving

Let C : Y 2 + h(X)Y + f (X) = F(X, Y ) = 0 with deg(f ) = 2g + 1. Let O := Fq[X][Y ]/F(X, Y ) be the equation order. Cl(O) := {ideals of O}/{principal ideals} ≃ J (C).

Relations in Cl(O)

Relations in J (C) correpond to identities p1 · · · pn = (α) Where the pi are ideals of O and α ∈ Fq[X]. If N(α) ∈ Fq[X] is B-smooth, then the relation in J (C) is too. Let [a, ω] be an integral basis of O. We have N(xa + yω) = a2x2 + a Tr(ω)xy + N(ω)y2 := ψ(x, y). We derive relations from B-smooth values of ψ(x, y) obtained by sieving.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 8 / 24

page.26

The function field sieve

We want to solve the DLP in K = Fpm. We construct relations in Fpm. Let f , g ∈ Fp[x][y] with ϕ(x) | Res(f , g), deg(ϕ) = m.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 9 / 24

page.27

The function field sieve

We want to solve the DLP in K = Fpm. We construct relations in Fpm. Let f , g ∈ Fp[x][y] with ϕ(x) | Res(f , g), deg(ϕ) = m. We have the commutative diagramm Fp[x][y] Fp[x][y]/g(x, y) Fp[x][y]/f (x, y) Fp[x]/ϕ(x) = K

Biasse-Jacobson (U of C) Fast smoothness test October 2013 9 / 24

page.28

The function field sieve

We want to solve the DLP in K = Fpm. We construct relations in Fpm. Let f , g ∈ Fp[x][y] with ϕ(x) | Res(f , g), deg(ϕ) = m. We have the commutative diagramm Fp[x][y] Fp[x][y]/g(x, y) Fp[x][y]/f (x, y) Fp[x]/ϕ(x) = K Let N(a(x) + b(x)y) B-smooth in Fp[x][y]/g and Fp[x][y]/f . We obtain a relation between small elements in K.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 9 / 24

page.29

The function field sieve

We want to solve the DLP in K = Fpm. We construct relations in Fpm. Let f , g ∈ Fp[x][y] with ϕ(x) | Res(f , g), deg(ϕ) = m. We have the commutative diagramm Fp[x][y] Fp[x][y]/g(x, y) Fp[x][y]/f (x, y) Fp[x]/ϕ(x) = K Let N(a(x) + b(x)y) B-smooth in Fp[x][y]/g and Fp[x][y]/f . We obtain a relation between small elements in K. We recombine the relations in K to get the DLP of all the small elements.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 9 / 24

page.30

1 Motivation 2 Bernstein’s approach 3 Complexity analysis 4 Practical examples

Biasse-Jacobson (U of C) Fast smoothness test October 2013 9 / 24

page.31

Smoothness test over the integers

Bernstein described a smoothness test for integers. Runs in O(b(log(b))2 log log(b)) where b is the total size of the input. To be compared to ECM : O(b · Lb(1/2, 2 + o(1))).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 10 / 24

page.32

Smoothness test over the integers

Bernstein described a smoothness test for integers. Runs in O(b(log(b))2 log log(b)) where b is the total size of the input. To be compared to ECM : O(b · Lb(1/2, 2 + o(1))).

Applications

Bernstein’s method was successfully used for Directly testing smoothness of integers. Testing the smoothness of cofactors in sieving algorithms.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 10 / 24

page.33

Smoothness test over the integers

Bernstein described a smoothness test for integers. Runs in O(b(log(b))2 log log(b)) where b is the total size of the input. To be compared to ECM : O(b · Lb(1/2, 2 + o(1))).

Applications

Bernstein’s method was successfully used for Directly testing smoothness of integers. Testing the smoothness of cofactors in sieving algorithms. It is straightforward to adapt this method to Fq[X] but : Unlike in Z, factorization in Fq[X] takes polynomial. It requires efficient implementation of fast multiplication algorithms.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 10 / 24

page.34

Product tree

Input : b1, · · · , bn, n = 2N. Output :

i bi.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 11 / 24

page.35

Product tree

Input : b1, · · · , bn, n = 2N. Output :

i bi.

b1 b2 bn−1 bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 11 / 24

page.36

Product tree

Input : b1, · · · , bn, n = 2N. Output :

i bi.

b1b2 bn−1bn b1 b2 bn−1 bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 11 / 24

page.37

Product tree

Input : b1, · · · , bn, n = 2N. Output :

i bi.

b1 ···bn/2 bn/2+1 ···bn b1b2 bn−1bn b1 b2 bn−1 bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 11 / 24

page.38

Product tree

Input : b1, · · · , bn, n = 2N. Output :

i bi.

b1 ···bn b1 ···bn/2 bn/2+1 ···bn b1b2 bn−1bn b1 b2 bn−1 bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 11 / 24

page.39

Remainder tree

Input : P, b1, · · · , bn, n = 2N, product tree of (b1, · · · , bn). Output : P mod b1, · · · , P mod bn.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 12 / 24

page.40

Remainder tree

Input : P, b1, · · · , bn, n = 2N, product tree of (b1, · · · , bn). Output : P mod b1, · · · , P mod bn.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 12 / 24

page.41

Remainder tree

Input : P, b1, · · · , bn, n = 2N, product tree of (b1, · · · , bn). Output : P mod b1, · · · , P mod bn.

P mod b1 ···bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 12 / 24

page.42

Remainder tree

Input : P, b1, · · · , bn, n = 2N, product tree of (b1, · · · , bn). Output : P mod b1, · · · , P mod bn.

P mod b1 ···bn P mod b1 ···bn/2 P mod bn/2+1 ···bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 12 / 24

page.43

Remainder tree

Input : P, b1, · · · , bn, n = 2N, product tree of (b1, · · · , bn). Output : P mod b1, · · · , P mod bn.

P mod b1 ···bn P mod b1 ···bn/2 P mod bn/2+1 ···bn P mod b1b2 P mod bn−1bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 12 / 24

page.44

Remainder tree

Input : P, b1, · · · , bn, n = 2N, product tree of (b1, · · · , bn). Output : P mod b1, · · · , P mod bn.

P mod b1 ···bn P mod b1 ···bn/2 P mod bn/2+1 ···bn P mod b1b2 P mod bn−1bn P mod b1 P mod b2 P mod bn−1 P mod bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 12 / 24

page.45

Batch smoothness test

Algorithm

Input : B > 0, b1, · · · , bn. Output : B-smooth part of each bi.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 13 / 24

page.46

Batch smoothness test

Algorithm

Input : B > 0, b1, · · · , bn. Output : B-smooth part of each bi. We start with the construction of the factor base B = {pi | deg(pi) ≤ B}. Calulate P =

i pi with a product tree.

Calculate the product tree of b1, · · · , bn.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 13 / 24

page.47

Batch smoothness test

Algorithm

Input : B > 0, b1, · · · , bn. Output : B-smooth part of each bi. We start with the construction of the factor base B = {pi | deg(pi) ≤ B}. Calulate P =

i pi with a product tree.

Calculate the product tree of b1, · · · , bn. Then, the remainder tree gives us P mod bi for each i ≤ n. Calculate ci := P2e mod bi with e such that 2e > deg(bi). If ci = 0, bi is B-smooth

Biasse-Jacobson (U of C) Fast smoothness test October 2013 13 / 24

page.48

Batch smoothness test

Algorithm

Input : B > 0, b1, · · · , bn. Output : B-smooth part of each bi. We start with the construction of the factor base B = {pi | deg(pi) ≤ B}. Calulate P =

i pi with a product tree.

Calculate the product tree of b1, · · · , bn. Then, the remainder tree gives us P mod bi for each i ≤ n. Calculate ci := P2e mod bi with e such that 2e > deg(bi). If ci = 0, bi is B-smooth We compute P2e to accout for possible powers in the decomposition of bi.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 13 / 24

page.49

1 Motivation 2 Bernstein’s approach 3 Complexity analysis 4 Practical examples

Biasse-Jacobson (U of C) Fast smoothness test October 2013 13 / 24

page.50

Standard smoothness test

Smoothness test in Fq[X] is more efficient than in Z. Let B > 0 and N ∈ Fq[X] to be tested for B-smoothness.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 14 / 24

page.51

Standard smoothness test

Smoothness test in Fq[X] is more efficient than in Z. Let B > 0 and N ∈ Fq[X] to be tested for B-smoothness.

The standard algorithm

Let l′ = ⌊B/2⌋ + 1 and i = ⌈deg(N)/q⌉. Compute H = (X ql′ + X)(X ql′+1 + X) · · · (X qB + X) mod N. H ← Hqi mod N. If H = 0, then N is B-smooth.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 14 / 24

page.52

Standard smoothness test

Smoothness test in Fq[X] is more efficient than in Z. Let B > 0 and N ∈ Fq[X] to be tested for B-smoothness.

The standard algorithm

Let l′ = ⌊B/2⌋ + 1 and i = ⌈deg(N)/q⌉. Compute H = (X ql′ + X)(X ql′+1 + X) · · · (X qB + X) mod N. H ← Hqi mod N. If H = 0, then N is B-smooth. The cost in operations in Fq is O(deg(N)3 + B deg(N)2).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 14 / 24

page.53

Product tree with quadratic multiplication

We assume that ∀i ≤ n, deg(bi) = g. We assume that the multiplication has quadratic complexity.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 15 / 24

page.54

Product tree with quadratic multiplication

We assume that ∀i ≤ n, deg(bi) = g. We assume that the multiplication has quadratic complexity.

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 15 / 24

page.55

Product tree with quadratic multiplication

We assume that ∀i ≤ n, deg(bi) = g. We assume that the multiplication has quadratic complexity.

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn Leaves : n/2 multiplications of degree g polynomials

Biasse-Jacobson (U of C) Fast smoothness test October 2013 15 / 24

page.56

Product tree with quadratic multiplication

We assume that ∀i ≤ n, deg(bi) = g. We assume that the multiplication has quadratic complexity.

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn Leaves : n/2 multiplications of degree g polynomials Leaves : amortized complexity O(g2)

Biasse-Jacobson (U of C) Fast smoothness test October 2013 15 / 24

page.57

Product tree with quadratic multiplication

We assume that ∀i ≤ n, deg(bi) = g. We assume that the multiplication has quadratic complexity.

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn Leaves : amortized complexity O(g2) Root : 1 multiplication of degree ng/2 polynomials

Biasse-Jacobson (U of C) Fast smoothness test October 2013 15 / 24

page.58

Product tree with quadratic multiplication

We assume that ∀i ≤ n, deg(bi) = g. We assume that the multiplication has quadratic complexity.

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn Leaves : amortized complexity O(g2) Root : 1 multiplication of degree ng/2 polynomials Root : amortized complexity O(ng2)

Biasse-Jacobson (U of C) Fast smoothness test October 2013 15 / 24

page.59

Polynomial time multiplication

The complexity of multiplying degree-g polynomials is in operations in Fq.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 16 / 24

page.60

Polynomial time multiplication

The complexity of multiplying degree-g polynomials is in operations in Fq.

Naive multiplication

Direct application of the formula ci =

j+k=i ajbk.

Complexity O(g2).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 16 / 24

page.61

Polynomial time multiplication

The complexity of multiplying degree-g polynomials is in operations in Fq.

Naive multiplication

Direct application of the formula ci =

j+k=i ajbk.

Complexity O(g2).

Karatsuba multiplication

Let a = a0 + xg/2a1 and b = b0 + xg/2b1. then ab = a1b1xg + (a1b0 + a0b1)x + a0b0. Complexity O(g1.58).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 16 / 24

page.62

Sch¨

• nhage-Strassen quasi-linear time multiplication

Let R be a ring with an g-th root of unity ω. We have the correspondance P ∈ R[x] with deg(P) ≤ g ← → (P(1), P(ω), · · · , P(ωg−1)) =: DFTω(P).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 17 / 24

page.63

Sch¨

• nhage-Strassen quasi-linear time multiplication

Let R be a ring with an g-th root of unity ω. We have the correspondance P ∈ R[x] with deg(P) ≤ g ← → (P(1), P(ω), · · · , P(ωg−1)) =: DFTω(P).

Interpolation of product

Let P, Q ∈ R[x], and ω a g-th root of unity then DFTω(PQ) = (P(1)Q(1), P(ω)Q(ω), · · · , P(ωg−1)Q(ωg−1)).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 17 / 24

page.64

Sch¨

• nhage-Strassen quasi-linear time multiplication

Let R be a ring with an g-th root of unity ω. We have the correspondance P ∈ R[x] with deg(P) ≤ g ← → (P(1), P(ω), · · · , P(ωg−1)) =: DFTω(P).

Interpolation of product

Let P, Q ∈ R[x], and ω a g-th root of unity then DFTω(PQ) = (P(1)Q(1), P(ω)Q(ω), · · · , P(ωg−1)Q(ωg−1)). Multiplying polynomials boils down to point-wise multiplication in Rg. Complexity in O(g log(g)) operations in R.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 17 / 24

page.65

Sch¨

• nhage-Strassen quasi-linear time multiplication

Let R be a ring with an g-th root of unity ω. We have the correspondance P ∈ R[x] with deg(P) ≤ g ← → (P(1), P(ω), · · · , P(ωg−1)) =: DFTω(P).

Interpolation of product

Let P, Q ∈ R[x], and ω a g-th root of unity then DFTω(PQ) = (P(1)Q(1), P(ω)Q(ω), · · · , P(ωg−1)Q(ωg−1)). Multiplying polynomials boils down to point-wise multiplication in Rg. Complexity in O(g log(g)) operations in R. There is a version for rings with unity and a specific one for char(K) = 2.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 17 / 24

page.66

Product tree with fast multiplication

b1 b2 bn−1 bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 18 / 24

page.67

Product tree with fast multiplication

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn

Biasse-Jacobson (U of C) Fast smoothness test October 2013 18 / 24

page.68

Product tree with fast multiplication

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn Leaves : n/2 multiplications of degree g polynomials

Biasse-Jacobson (U of C) Fast smoothness test October 2013 18 / 24

page.69

Product tree with fast multiplication

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn Leaves : n/2 multiplications of degree g polynomials Leaves : amortized complexity O(g2)

Biasse-Jacobson (U of C) Fast smoothness test October 2013 18 / 24

page.70

Product tree with fast multiplication

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn Leaves : n/2 multiplications of degree g polynomials Leaves : amortized complexity O(g2) Root : 1 multiplication of degree ng/2 polynomials

Biasse-Jacobson (U of C) Fast smoothness test October 2013 18 / 24

page.71

Product tree with fast multiplication

b1 · · · bn b1 · · · bn/2 bn/2+1 · · · bn b1b2 bn−1bn b1 b2 bn−1 bn Leaves : n/2 multiplications of degree g polynomials Leaves : amortized complexity O(g2) Root : 1 multiplication of degree ng/2 polynomials Root : amortized complexity O((log(n) + log(g))g)

Biasse-Jacobson (U of C) Fast smoothness test October 2013 18 / 24

page.72

Optimal size of batch

Constraint 1 : minimizing log(n). Constraint 2 : Ensuring deg(P) ≤ deg(b1 · · · bn). If deg(P) > deg(b1 · · · bn), the cost of the remainder tree is not amortized.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 19 / 24

page.73

Optimal size of batch

Constraint 1 : minimizing log(n). Constraint 2 : Ensuring deg(P) ≤ deg(b1 · · · bn). If deg(P) > deg(b1 · · · bn), the cost of the remainder tree is not amortized.

P mod b1 ···bn P mod b1 ···bn/2 P mod bn/2+1 ···bn P mod b1b2 P mod bn−1bn P mod b1 P mod b2 P mod bn−1 P mod bn log(n)

Biasse-Jacobson (U of C) Fast smoothness test October 2013 19 / 24

page.74

Optimal size of batch

Constraint 1 : minimizing log(n). Constraint 2 : Ensuring deg(P) ≤ deg(b1 · · · bn). If deg(P) > deg(b1 · · · bn), the cost of the remainder tree is not amortized.

P mod b1 ···bn P mod b1 ···bn/2 P mod bn/2+1 ···bn P mod b1b2 P mod bn−1bn P mod b1 P mod b2 P mod bn−1 P mod bn log(n)

The optimal solution is deg(P) = deg(b1 · · · bn)

Biasse-Jacobson (U of C) Fast smoothness test October 2013 19 / 24

page.75

Overall complexity

We are given n degree-g polynomials. Let P = p1 · · · pk.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 20 / 24

page.76

Overall complexity

We are given n degree-g polynomials. Let P = p1 · · · pk. We choose a size of batch n such that ng = deg(P). Product and remainder tree take O(log(n)g2). The exponentiations take O(g2 log(g)).

Biasse-Jacobson (U of C) Fast smoothness test October 2013 20 / 24

page.77

Overall complexity

We are given n degree-g polynomials. Let P = p1 · · · pk. We choose a size of batch n such that ng = deg(P). Product and remainder tree take O(log(n)g2). The exponentiations take O(g2 log(g)). The overall complexity is in O

• g2
• log(g) + deg(P)

g

• .

Biasse-Jacobson (U of C) Fast smoothness test October 2013 20 / 24

page.78

1 Motivation 2 Bernstein’s approach 3 Complexity analysis 4 Practical examples

Biasse-Jacobson (U of C) Fast smoothness test October 2013 20 / 24

page.79

Comparison between multiplication methods

We compare multiplication methods in F25[X]. We use the C++ library Mathemagix.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 21 / 24

page.80

Comparison between multiplication methods

We compare multiplication methods in F25[X]. We use the C++ library Mathemagix. Degree Karatsuba generic FFT triadic FFT 10 110 60 50 60 580 250 100 260 2280 1620 500 6530 10650 5130 1000 26110 27680 16500 2000 105970 41260 17360 3000 245220 100280 53480

Biasse-Jacobson (U of C) Fast smoothness test October 2013 21 / 24

page.81

Comparison between multiplication methods

We compare multiplication methods in F25[X]. We use the C++ library Mathemagix. Degree Karatsuba generic FFT triadic FFT 10 110 60 50 60 580 250 100 260 2280 1620 500 6530 10650 5130 1000 26110 27680 16500 2000 105970 41260 17360 3000 245220 100280 53480 The times are in CPU msec.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 21 / 24

page.82

Test in F2k[X]

We use elliptic curves over Ex defined over Fx defining hyperelliptic curves via a Weil descent 1. C124 : genus 31 hyperelliptic curve over F24 arizing from E124. C155 : genus 31 hyperelliptic curve over F25 arizing from E155.

• 1. Jacobson,Menezes,Stein-2001

Biasse-Jacobson (U of C) Fast smoothness test October 2013 22 / 24

page.83

Test in F2k[X]

We use elliptic curves over Ex defined over Fx defining hyperelliptic curves via a Weil descent 1. C124 : genus 31 hyperelliptic curve over F24 arizing from E124. C155 : genus 31 hyperelliptic curve over F25 arizing from E155. Curve B Batch size deg(P) Time standard Time Batch C124 4 1933 69616 24m 32s 13n 38s C155 4 30036 1081312 27m 33s 21m 21s

• 1. Jacobson,Menezes,Stein-2001

Biasse-Jacobson (U of C) Fast smoothness test October 2013 22 / 24

page.84

Test in F2k[X]

We use elliptic curves over Ex defined over Fx defining hyperelliptic curves via a Weil descent 1. C124 : genus 31 hyperelliptic curve over F24 arizing from E124. C155 : genus 31 hyperelliptic curve over F25 arizing from E155. Curve B Batch size deg(P) Time standard Time Batch C124 4 1933 69616 24m 32s 13n 38s C155 4 30036 1081312 27m 33s 21m 21s Times correspond to the test of ≈ 1000000 polynomials. Times are in CPU sec. Multiplication is Karatsuba from the NTL library.

• 1. Jacobson,Menezes,Stein-2001

Biasse-Jacobson (U of C) Fast smoothness test October 2013 22 / 24

page.85

Test in F2[X]

NFS is used 2 to solve the DLP in F21039. The sieve selects cofactors. The smoothness boud is 25. The large prime bound is 33. Cofactors have degree 99 in F2[X].

• 2. Detrey,Gaudry,Videau-2013

Biasse-Jacobson (U of C) Fast smoothness test October 2013 23 / 24

page.86

Test in F2[X]

NFS is used 2 to solve the DLP in F21039. The sieve selects cofactors. The smoothness boud is 25. The large prime bound is 33. Cofactors have degree 99 in F2[X].

Parameters

We have the following parameters : deg(P) = 67100116. Batch size is 677778.

• 2. Detrey,Gaudry,Videau-2013

Biasse-Jacobson (U of C) Fast smoothness test October 2013 23 / 24

page.87

Test in F2[X]

NFS is used 2 to solve the DLP in F21039. The sieve selects cofactors. The smoothness boud is 25. The large prime bound is 33. Cofactors have degree 99 in F2[X].

Parameters

We have the following parameters : deg(P) = 67100116. Batch size is 677778. We test 1355556 polynomials using the library gf2x which includes FFT. Standard takes 5 m 8 s. Batch test takes 4 m 13 s.

• 2. Detrey,Gaudry,Videau-2013

Biasse-Jacobson (U of C) Fast smoothness test October 2013 23 / 24

page.88

Conclusion

This is work in progress. We have achieved the following : Design a theoretical model showing the improvement of the batch test. Show that the corresponding values are within practical range for the use of fast multiplication. Show that we can achieve a speed-up without fast multiplication.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 24 / 24

page.89

Conclusion

This is work in progress. We have achieved the following : Design a theoretical model showing the improvement of the batch test. Show that the corresponding values are within practical range for the use of fast multiplication. Show that we can achieve a speed-up without fast multiplication. We still have to Incorporate the fast multiplication in F2m[X]. Refine the model to illustrate the optimal batch size.

Biasse-Jacobson (U of C) Fast smoothness test October 2013 24 / 24