

SLIDE 1

Recent progress on computing Gröbner bases: theory and practice

Jean-Charles Faugère, with many collaborators [credited in the talk]

Workshop 3: Computer Algebra and Polynomials, Linz, Nov. 2013

SLIDES 2-3

Solving Polynomial Systems of Equations

K a field, $K[x_1, \dots, x_n]$ multivariate polynomials in n variables:

$$f_1(x_1, \dots, x_n) = 0, \quad \cdots, \quad f_m(x_1, \dots, x_n) = 0$$

In this talk: zero-dimensional system = finite number of solutions.

☞ Reduce the difficult problem (several equations, degree > 1) to the easier case (several polynomials in one variable).

Tool: Gröbner bases [Buchberger] (they rely heavily on linear algebra).

SLIDE 4

Applications: source of challenging problems

  • Computational geometry: topology of ridges, Voronoi diagrams, ...
  • Robotics: parallel robots, mechanisms, ...
  • Cryptology (finite fields): HFE, MinRank, IP, the discrete logarithm problem (over finite fields or curves), error-correcting codes (McEliece), ...

SLIDES 5-10

Gröbner Bases: summary

Pipeline: $f_1 = \cdots = f_m = 0$ → Gröbner basis for a total degree order → Gröbner basis for the lexicographical order → $x_i = h_i(x_n)$.

  • Step 1 (total degree order): Gaussian elimination of Macaulay matrices up to degree $d_{max}$. Cost $\approx O\big(\binom{n + d_{max}}{n}^{\omega}\big)$. Algorithms: Buchberger (1965), F4 (1999), F5 (2002), ...
  • Step 2 (change of ordering): linear algebra in $K[x]/I$, yielding $x_i = h_i(x_n)$. Cost $\tilde{O}(\#Sols^3)$. Algorithm: FGLM (1993).

Macaulay matrix in degree d: one row for each product $t\,f_i$ with $t \in \mathrm{Monomials}(d - \deg(f_i))$, one column for each term of degree d, sorted $m_1 > m_2 > \cdots > m_k$; the entry in row $t f_i$ and column $m_j$ is $\mathrm{coeff}(t f_i, m_j)$:

$$M_d = \begin{array}{c|ccc} & m_1 > m_2 > \cdots > m_k \\ \hline t_{1,1} f_1 & \cdots \\ t_{1,2} f_1 & \cdots & \mathrm{coeff}(t\,f_i, m_j) \\ \vdots & \\ t_{2,1} f_2 & \cdots \end{array}$$

Maximal degree reached: $d_{max}$. We stop the computation when #Rows ≥ #Columns. Algorithmic goal: generate full-rank matrices.
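The Macaulay-matrix construction and the "#Rows ≥ #Columns" stopping rule above, as an added worked example written for this page (it is not code from the talk). It builds the affine Macaulay matrix $M_d$ over a small prime field for a constructed two-variable system, row-reduces it, reads the leading monomials and the count of standard monomials off the echelon form, and reports the first degree at which the matrix has at least as many rows as columns. The toy system, the prime p = 101 and the grevlex column order are my choices; real F4/F5 implementations select the rows far more carefully than this brute-force construction.

```python
# Added example: Macaulay matrices and the "#Rows >= #Columns" stopping rule.
# Not code from the talk; the toy system and the prime are constructed here.
P = 101  # small prime field F_101 (assumption: any prime works)


def monomials(n, d):
    """Exponent tuples of total degree exactly d in n variables."""
    if n == 1:
        return [(d,)]
    return [(i,) + rest for i in range(d, -1, -1) for rest in monomials(n - 1, d - i)]


def grevlex_key(e):
    """Sort key: higher degree first, then smallest exponent in the last variable wins."""
    return (sum(e), tuple(-x for x in reversed(e)))


def macaulay_matrix(polys, d, n, p=P):
    """M_d: one row per product t * f_i with deg(t) <= d - deg(f_i), one column
    per monomial of degree <= d (affine version, columns in decreasing grevlex).
    Polynomials are dicts {exponent tuple: coefficient}."""
    cols = sorted({e for k in range(d + 1) for e in monomials(n, k)},
                  key=grevlex_key, reverse=True)
    idx = {e: j for j, e in enumerate(cols)}
    rows = []
    for f in polys:
        df = max(sum(e) for e in f)
        for k in range(d - df + 1):
            for t in monomials(n, k):
                row = [0] * len(cols)
                for e, c in f.items():
                    row[idx[tuple(a + b for a, b in zip(e, t))]] = c % p
                rows.append(row)
    return rows, cols


def rref_mod(rows, p=P):
    """Reduced row echelon form over F_p; returns (nonzero rows, pivot columns)."""
    M = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(len(M[0]) if M else 0):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], p - 2, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M[:r], pivots


def leading_monomials(polys, d, n, p=P):
    """Leading monomials found in M_d, plus its shape (#rows, #cols)."""
    rows, cols = macaulay_matrix(polys, d, n, p)
    _, pivots = rref_mod(rows, p)
    return {cols[c] for c in pivots}, len(rows), len(cols)


def standard_monomial_count(polys, d, n, p=P):
    """Monomials of degree <= d divisible by no leading monomial of M_d.
    Once M_d contains a Groebner basis this is #Sols = D."""
    lead, _, _ = leading_monomials(polys, d, n, p)
    divides = lambda a, b: all(x <= y for x, y in zip(a, b))
    return sum(1 for k in range(d + 1) for e in monomials(n, k)
               if not any(divides(l, e) for l in lead))


def first_square_degree(polys, n, p=P):
    """Smallest d with #Rows >= #Columns: the talk's stopping criterion."""
    d = max(max(sum(e) for e in f) for f in polys)
    while True:
        rows, cols = macaulay_matrix(polys, d, n, p)
        if len(rows) >= len(cols):
            return d
        d += 1


# Constructed toy system in F_101[x, y]: x^2 + y^2 - 1 = 0, x - y = 0 (D = 2).
SYS = [{(2, 0): 1, (0, 2): 1, (0, 0): P - 1}, {(1, 0): 1, (0, 1): P - 1}]
```

For the toy system, $M_2$ is 4 × 6 and already of full row rank; its echelon form has leading monomials $x^2, xy, y^2, x$, leaving the two standard monomials $1, y$ (so D = 2), while the crude "#Rows ≥ #Columns" rule would only trigger at d = 4 (16 rows against 15 columns). That gap is exactly why F4/F5 reason about ranks rather than matrix shapes.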

SLIDES 11-13

Research Directions

Intrinsic exponential complexity: $\#Sols = D = \prod \deg(f_i)$, and the problem is NP-hard when $K = \mathbb{F}_p$. Hopeless?

Three directions:

  • Structured systems: symmetries, overdetermined systems, bilinear equations, quasi-homogeneous and multi-homogeneous systems.
  • Implementations / linear algebra: dedicated linear algebra, finite fields, multi-core implementations [Lachartre, Martani, Eder], released under the LGPL.
  • Algorithms: $\tilde{O}(\#Sols^{\omega})$.

Examples of what is reachable:

  • Over $\mathbb{F}_p$: Katsura 18, #Sols = 262144, size > 200 GB.
  • Over $\mathbb{Q}$: a problem submitted by D. Henrion as a numerical challenge, #Sols = 40320. Compute 7 univariate polynomials of size 3.2 GB. ☞ Bottleneck: real root isolation (the output cannot be read by Maple).

SLIDE 14

Structured Systems

SLIDES 15-16

Solving Systems with Symmetries

G is a finite group. Compute the roots of the system:

$$V_L = \{ z \in L^n \mid f_1(z) = \cdots = f_m(z) = 0 \}$$

Difficult case: $V_L$ is globally invariant under G: if $z \in V_L$ then $\sigma \cdot z \in V_L$ for all $\sigma \in G$. Open issue: how to compute $V_L / G$ efficiently?

Theorem ([F., Svartz 2013]). Let $I = (f_1, \dots, f_m)$ be a 0-dimensional ideal, invariant under an Abelian group $G = \mathbb{Z}_{q_1} \times \cdots \times \mathbb{Z}_{q_k}$. A dedicated F5 algorithm divides the Gröbner basis complexity by $|G|^3$.

Abelian group and/or multi-homogeneous: grading $(d_1, \dots, d_k)$ with $d_i \in \mathbb{Z}_{q_i}$, where $q_i = 0$ or $q_i = p_i^{k_i}$. Instead of $\mathrm{Macaulay}(d)$ → $\bigcup \mathrm{Macaulay}(d_1, \dots, d_k)$.

SLIDES 17-18

Overdetermined Systems

Theorem (Bardet, F., Salvy). For $m = \alpha n$ semi-regular quadratic equations in $\mathbb{Q}[x_1, \dots, x_n]$:

$$d_{max} \approx \Big(\alpha - \tfrac{1}{2} - \sqrt{\alpha(\alpha - 1)}\Big)\, n$$

[Plot: $d_{max}/n$ (vertical axis, 0.2 to 1) as a function of $\alpha$ (horizontal axis, 1 to 3).]

If $m = n^{1+\beta}$ with $0 < \beta < 1$: $d_{max} \approx \tfrac{1}{8}\, n^{1-\beta}$ ☞ sub-exponential algorithm.

SLIDE 19

Improve the complexity when solutions are in a finite field

Fact: over $\mathbb{F}_q$, solving m equations $f_i(x_1, \dots, x_n)$ in n variables ⇕ solving $q^k$ systems of m equations in $n - k$ variables (fix k variables by exhaustive search) ⇐ overdetermined. k: tradeoff between exhaustive search and Gröbner bases.

General case [Bettale, F., Perret, ISSAC 2012]: direct Gröbner basis approach vs. hybrid approach $\sim 2^{1.8 n}$.

Boolean case over $\mathbb{F}_2$ ($K = \mathbb{F}_2$). Theorem ([Bardet, F., Salvy, Spaenlehauer, J. Complexity 2012]). Under a precise algebraic assumption, a Boolean quadratic system $(f_1, \dots, f_{\alpha n})$ can be solved in probabilistic time faster than exhaustive search: $O(2^{(1 - 0.208\,\alpha) n})$ when $\alpha \le 1.82$.
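The degree of regularity of slides 17-18 and the hybrid tradeoff of slide 19, as one added worked example written for this page (not code from the talk). It computes the Bardet-Faugère-Salvy degree of regularity of a semi-regular system as the index of the first non-positive coefficient of the series $\prod_i (1 - z^{d_i}) / (1 - z)^n$, plugs it into the Macaulay-matrix cost $\binom{n + d_{max}}{n}^{\omega}$ from the summary slides, and then searches for the number k of variables to fix that minimizes $q^k$ times the Gröbner cost of the remaining system. The semi-regularity hypothesis is the talk's; the linear-algebra exponent ω = 2 and the bare $\binom{n+d}{n}^\omega$ cost model are assumptions made here for the estimate and should be replaced by the constants of the implementation being analysed.

```python
# Added example: degree of regularity (Bardet-Faugere-Salvy) and the hybrid
# exhaustive-search / Groebner tradeoff. Not code from the talk.
from math import comb, log2, sqrt

OMEGA = 2.0  # assumed linear-algebra exponent for the cost estimates


def degree_of_regularity(n, degrees):
    """Semi-regular system of m = len(degrees) equations in n variables:
    d_reg is the index of the first coefficient <= 0 of the series
    prod_i (1 - z^d_i) / (1 - z)^n  (Bardet-Faugere-Salvy)."""
    if len(degrees) < n:
        raise ValueError("semi-regularity needs at least n equations")
    # For m = n the first non-positive index is the Macaulay bound
    # sum(d_i - 1) + 1, so this truncation order is always sufficient.
    order = sum(d - 1 for d in degrees) + 2
    series = [1] + [0] * order
    for d in degrees:                       # multiply by (1 - z^d)
        for k in range(order, d - 1, -1):
            series[k] -= series[k - d]
    for _ in range(n):                      # divide by (1 - z): prefix sums
        for k in range(1, order + 1):
            series[k] += series[k - 1]
    return next(k for k, c in enumerate(series) if c <= 0)


def grobner_cost_log2(n, degrees, omega=OMEGA):
    """(d_reg, log2 cost) for Gaussian elimination on Macaulay matrices up to
    d_reg: C(n + d_reg, n)^omega as on the complexity slide."""
    dreg = degree_of_regularity(n, degrees)
    return dreg, omega * log2(comb(n + dreg, n))


def hybrid_cost_log2(q, n, m, deg=2, omega=OMEGA):
    """Hybrid approach: guess k of the n variables (q^k candidates) and solve
    the remaining m equations in n - k variables by Groebner bases.
    Returns (best k, log2 of the total cost)."""
    best = None
    for k in range(n):                      # k = n-1 leaves a univariate system
        if m < n - k:
            continue                        # underdetermined: not zero-dimensional
        _, gb = grobner_cost_log2(n - k, [deg] * m, omega)
        total = k * log2(q) + gb
        if best is None or total < best[1]:
            best = (k, total)
    return best


def bfs_asymptotic_ratio(alpha):
    """d_max / n for m = alpha * n semi-regular quadratics as n -> infinity."""
    return alpha - 0.5 - sqrt(alpha * (alpha - 1))
```

Sanity checks worth keeping in mind when using such estimates: for n quadratics in n variables the series gives $d_{reg} = n + 1$ (the Macaulay bound), and the asymptotic formula gives $d_{max}/n = 1/2$ at α = 1, so the two only agree in the limit; for a concrete parameter set, always compute the exact series value rather than the asymptotic one.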

SLIDE 20

Key Ingredients

Solving sparse linear systems!

  • D. Wiedemann. Solving sparse linear equations over finite fields. IEEE Transactions on Information Theory, 32(1):54–62, 1986.
  • E. Kaltofen and B. David Saunders. On Wiedemann's method of solving sparse linear systems. AAECC, p. 29–38, 1991.
  • G. Villard. Further analysis of Coppersmith's block Wiedemann algorithm for the solution of sparse linear systems. ISSAC'97, p. 32–39. ACM, 1997.
  • M. Giesbrecht, A. Lobo, and B. D. Saunders. Certifying inconsistency of sparse linear systems. ISSAC'98, p. 113–119, 1998.

SLIDE 21

Solving αn equations in n variables: $2^{c n}$

[Plot: c, the exponent of the complexity, as a function of α (horizontal axis marks 1, 1.82, 3, 4, 5; vertical axis marks 0.31, 0.79, 1), for three methods: exhaustive search, the dedicated algorithm, and Gröbner bases.]

SLIDE 22

Bilinear systems

Particular case of multi-homogeneous systems: bilinear

$$f^{(h)}(x_0, \dots, x_{n_x}, y_0, \dots, y_{n_y}) = \sum a_{i,j}\, x_i\, y_j .$$

MinRank. Input: $M_1, \dots, M_k$, k matrices of size $n \times n$ in $K^{n^2}$, and an integer $r < n$. Find, if any, $\lambda_1, \dots, \lambda_k \in \bar{K}$ such that $\lambda_1 M_1 + \cdots + \lambda_k M_k - I_n$ has rank at most r. NP-hard! [J.O. Shallit, G.S. Frandsen, and J.F. Buss. The Computational Complexity of some Problems of Linear Algebra. BRICS series report RS-96-33, Aarhus, Denmark.]

Can be used to break cryptosystems: HFE, MinRank-based schemes, ... Can be used to simplify quadratic systems of equations.

SLIDES 23-24

Minrank: two algebraic modelings

$$M = M_0 - \sum_{i=1}^{k} \lambda_i M_i .$$

The minors modeling: $\mathrm{Rank}(M) \le r$ ⇕ all minors of size $r + 1$ of M vanish. $\binom{m}{r+1}^2$ equations of degree $r + 1$ in k variables. Few variables, lots of equations, high degree!

The vectors modeling: $\mathrm{Rank}(M) \le r \iff \exists\, x^{(1)}, \dots, x^{(m-r)} \in \mathrm{Ker}(M)$:

$$M \cdot \begin{pmatrix} I_{m-r} \\ x^{(1)}_1 \ \cdots \ x^{(m-r)}_1 \\ \vdots \\ x^{(1)}_r \ \cdots \ x^{(m-r)}_r \end{pmatrix} = 0 .$$

$m(m - r)$ bilinear equations in $k + r(m - r)$ variables.

Issue: what is the theoretical/practical complexity?

SLIDE 25

Complexity of affine bilinear systems

with M. Safey El Din and P.-J. Spaenlehauer, JSC 2011

Theorem (complexity + algorithm). The degree of the elements in a grevlex Gröbner basis of a generic 0-dimensional affine bilinear system satisfies $d_{reg} \le 1 + \min(n_x, n_y)$. The bound is sharp in practice. In addition: a dedicated F5 algorithm for bi-homogeneous systems.

Corollary: any Gröbner basis can be computed in time polynomial in $D = \binom{n_x + n_y}{n_x}$.

Ingredients of the proof: the link between bilinear systems and determinantal ideals, plus the "determinant miracle", an extension of a theorem of Bernstein, Sturmfels and Zelevinsky: let M be a $p \times q$ linear matrix in $K[x_1, \dots, x_s]$ with $q + s - 1 \ge p \ge q$. Generically, a grevlex Gröbner basis of $\langle \mathrm{Minors}(M) \rangle$ is a linear combination of the generators.

SLIDES 26-27

Application of bilinear systems / Impact

Crypto: breaking HFE, variants of McEliece, ... Solve the MinRank problem in polynomial time when r is small or big. Real root solutions [M. Safey El Din]: computing critical points, global optimisation, Lagrange multipliers, ...

Also used by other researchers to solve the DLP over finite fields:

  § 2013, CARAMEL: $\mathbb{F}_{2^{809}}$ in < 20000 core-hours
  § ...
  § 11 Apr 2013, [F. Göloğlu, R. Granger, G. McGuire, and J. Zumbrägel]: $\mathbb{F}_{2^{6120}}$ in 750 core-hours
  § 21 May 2013, [A. Joux]: $\mathbb{F}_{2^{6168}}$ in 550 core-hours

"The main computational cost is no longer on the initial phases of the algorithm, but on the individual logarithm part which was previously considered as negligible. This individual logarithm step now requires to blend several descent techniques. One of these techniques, whose performance critically affects the computational costs, is based on the resolution of bilinear systems of polynomial equations. The analysis of these structured systems, as presented in [8], was essential for the discovery of the L(1/4 + o(1)) algorithm" (A. Joux, 2013)

[8] J.-C. Faugère, M. Safey El Din, and P.-J. Spaenlehauer. Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1, 1): Algorithms and complexity. JSC, 46(4), 2011.
SLIDE 28

Algorithms

SLIDE 29

Two families of algorithms

Direct computation of a Gröbner basis:

  § Buchberger
  § Using linear algebra: F4, the default algorithm in Maple and Magma.
  § Avoiding reductions to 0: the F5 algorithms. The most promising; difficult to implement in a general computer algebra system; a lot of variants (!) have been proposed.

Change of ordering of a Gröbner basis for a zero-dimensional system: FGLM.

SLIDES 30-31

Signature Gröbner bases: Survey Paper

Joint work with C. Eder

Number of multiplications for random quadratic systems in n variables:

n    Algo1      Algo2      Algo3      Algo4
10   2^27.4     2^27.2     2^25.1     2^25.1
11   2^30.2     2^30.2     2^27.5     2^27.5
12   2^33.1     2^33.1     2^30.2     2^30.2

SLIDE 32

Fast FGLM

joint work with C. Mou

Fast FGLM: High Performance Algorithm and Implementation

SLIDES 33-34

Sparse FGLM - Problem

with C. Mou

Pipeline: input system → Gröbner basis for a total degree order (Buchberger, F4/F5: rely on linear algebra) → Gröbner basis for the lexicographical order (FGLM ≈ minimal polynomial of some matrix). The change of ordering is the bottleneck!

Magma timings (Step 1: total degree Gröbner basis; Step 2: change of ordering):

           MinRank(9,7,4)   MinRank(9,8,5)   Random(14, 2)   Random(15, 2)
D          4116             14112            2^14            2^15
Step 1     208.1 s          3343.5 s         7832.4 s        74862.9 s
Step 2     1360.4 s         > 1 day          84374.6 s       > 15 days

Goal: a faster algorithm for the change of ordering.

SLIDES 35-39

FGLM revisited

Input: a Gröbner basis $G_1$ of I for some order $<_1$ with $x_n > \cdots > x_2 > x_1$. D is the number of solutions; $K[x_1, \dots, x_n]/I$ is a D-dimensional vector space; $\mathrm{NormalForm}(f, G_1) = 0 \iff f \in I$.

Step 1: compute $B = [\varepsilon_1, \dots, \varepsilon_D]$, the canonical basis of $K[x_1, \dots, x_n]/I$, ordered according to $<_1$.

Step 2: construct the multiplication matrices $T_i$. The multiplication matrix by $x_i$ is the $D \times D$ matrix representing $b_j \mapsto \mathrm{NormalForm}(x_i b_j)$, $j = 1, \dots, D$.

  § change of ordering ≡ linear algebra on the $T_i$

Step 3: handle the terms of $K[x_1, \dots, x_n]$ one by one according to $<_2$: the monomial $x^s = x_1^{s_1} \cdots x_n^{s_n}$ ⟹ the coordinate vector $v_s = T_1^{s_1} \cdots T_n^{s_n}\, \mathbf{1}$, where $\mathbf{1} = (1, 0, \dots, 0)^t$. A polynomial $f = \sum_s c_s x^s$ of $G_2$ ⟸ a (minimal) linear dependency $\sum_s c_s v_s = 0$.

⟹ change of ordering ≡ linear algebra ⟹ $O(nD^3)$ by Gaussian elimination.

SLIDES 40-42

Key observation 1

with C. Mou

$T_1, \dots, T_n$ are sparse, especially $T_1$. $T_1$ for Random(3, 10): 1000 × 1000, 6.86% nonzero entries.

System            D        Sparsity
DLP Edwards       4096     3.4%
Cyclic10          34940    1.0%
MinRank(9,9,6)    41580    16%
Random(3, 14)     2744     4.2%
Random(3, 40)     64000    1.6%

Theorem (Faugère, Mou). Let n be fixed. For generic polynomial systems of degree d, the proportion of nonzero entries of $T_1$ satisfies

$$\text{\% of nonzero entries} \;\underset{d \to \infty}{\sim}\; \sqrt{\frac{6}{\pi}}\ \frac{1}{d\, n^{1/2}} .$$

Density: theoretical bound vs practice

[Plot: density of $T_1$ for random equations of degree d in 3 variables, d from 10 to 40, vertical axis from 1% to 10%; two curves, the theoretical bound and the experimental sparsity.]

SLIDES 43-44

Key observation 2

with C. Mou

Any polynomial $\sum_s c_s x^s$ in the Gröbner basis is a minimal relation:

$$\sum_s c_s\, T_1^{s_1} \cdots T_n^{s_n}\, \mathbf{1} = 0 .$$

Define an n-dimensional mapping $\Psi_n : \mathbb{Z}_{\ge 0}^n \to K$ by

$$\Psi_n : (s_1, \dots, s_n) \mapsto \langle T_1^{s_1} \cdots T_n^{s_n}\, \mathbf{1},\, r \rangle, \qquad r \text{ a random vector.}$$

Find the minimal recurrence relation of $\Psi_n$ ⟹ it can be found using BMS (Berlekamp–Massey–Sakata, from coding theory), the multidimensional generalization of the Berlekamp–Massey algorithm [Sakata 1988 & 1990; Saints and Heegard 2002].

Complexity $O(k^2)$, where $k \le 2nD$ is the number of iterations. Wiedemann's algorithm is the particular case $\Psi_1$.

SLIDES 45-47

This talk: Shape Position case

Assume that I is in shape position. Shape position [Becker, Mora, Marinari, and Traverso 1994]: an ideal $I \subset K[x_1, \dots, x_n]$ is in shape position if its Gröbner basis w.r.t. LEX ($x_1 < \cdots < x_n$) is of the form $[f_1(x_1),\ x_2 - f_2(x_1),\ \dots,\ x_n - f_n(x_1)]$.

Recover $f_1$: Wiedemann algorithm.

Construct $s = [\langle r, T_1^i \mathbf{1} \rangle : i = 0, \dots, 2D - 1]$, with r a random vector
⇓ compute $\tilde{f}_1$ from s via the Berlekamp–Massey algorithm
⇓ check $\deg(\tilde{f}_1) = D$ ⟹ shape position.

SLIDES 48-51

Shape position case: linear systems

Suppose $f_i = \sum_{k=0}^{D-1} c_{i,k}\, x_1^k$ for $i = 2, \dots, n$.

Recover $f_2, \dots, f_n$ by constructing linear equations:

$$\mathrm{NormalForm}\Big(x_i - \sum_{k=0}^{D-1} c_{i,k} x_1^k\Big) = 0$$
⇓
$$T_i \mathbf{1} = \sum_{k=0}^{D-1} c_{i,k}\, T_1^k \mathbf{1}$$
$$T_1^j T_i \mathbf{1} = \sum_{k=0}^{D-1} c_{i,k}\, T_1^j T_1^k \mathbf{1}$$
$$\langle r, T_1^j T_i \mathbf{1} \rangle = \sum_{k=0}^{D-1} c_{i,k}\, \langle r, T_1^{k+j} \mathbf{1} \rangle, \qquad j = 0, \dots, D - 1$$
$$\langle (T_1^t)^j r, T_i \mathbf{1} \rangle = \sum_{k=0}^{D-1} c_{i,k}\, \langle (T_1^t)^{k+j} r, \mathbf{1} \rangle, \qquad j = 0, \dots, D - 1$$

Solve a linear system $H c_i = b$ with $c_i = [c_{i,0}, \dots, c_{i,D-1}]^t$:

$$H = \begin{pmatrix} \langle (T_1^t)^0 r, \mathbf{1} \rangle & \langle (T_1^t)^1 r, \mathbf{1} \rangle & \cdots & \langle (T_1^t)^{D-1} r, \mathbf{1} \rangle \\ \langle (T_1^t)^1 r, \mathbf{1} \rangle & \langle (T_1^t)^2 r, \mathbf{1} \rangle & \cdots & \langle (T_1^t)^{D} r, \mathbf{1} \rangle \\ \vdots & \vdots & \ddots & \vdots \\ \langle (T_1^t)^{D-1} r, \mathbf{1} \rangle & \langle (T_1^t)^{D} r, \mathbf{1} \rangle & \cdots & \langle (T_1^t)^{2D-2} r, \mathbf{1} \rangle \end{pmatrix}, \qquad b = \begin{pmatrix} \langle r, T_i \mathbf{1} \rangle \\ \vdots \\ \langle (T_1^t)^{D-1} r, T_i \mathbf{1} \rangle \end{pmatrix}$$

The matrix H is a Hankel matrix:

  • Its construction is free: $s = [\langle r, T_1^i \mathbf{1} \rangle = \langle (T_1^t)^i r, \mathbf{1} \rangle : i = 0, \dots, 2D - 2]$ has already been computed.
  • It is invertible: relationship between linear recurring sequences and Hankel matrices [Jonckheere and Ma 1989].
  • Solving $H x = b$ efficiently: complexity $O(D \log^2(D))$ [Brent, Gustavson, and Yun 1980].
  • The construction of $\langle (T_1^t)^j r, T_i \mathbf{1} \rangle$ is also free: the vectors $(T_1^t)^j r$ are already available.

SLIDES 52-53

Shape position case

Total complexity for ideals in shape position: $O\big(D\,(N_1 + n \log^2(D))\big)$, where $N_1$ is the number of nonzero entries in $T_1$; compared with $O(nD^3)$ for FGLM. The dominant part is computing the minimal polynomial of $T_1$.

Random polynomial systems, n fixed, $d \to +\infty$: the complexity is $O\big(\tfrac{1}{\sqrt{n}}\, D^{2 + \frac{n-1}{n}}\big)$.

Benchmarks:

System                D       Density   Magma     Singular   Sparse-FGLM
Katsura 12            4096    21.2%     1408 s    2623.5 s   0.73 s
Random(n=3, d=19)     6859    3.50%     1084 s    8248 s     0.74 s

EC DLP on Edwards curves [F., Gaudry, Huot, Renault, J. Cryptology 2013]: F5 + Sparse FGLM with $D = 2^{16}$ in 2164 sec.
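The whole shape-position procedure of slides 45-53 (Krylov sequence, Berlekamp–Massey, degree check, Hankel systems), as one added worked example written for this page; it is not code from the talk or from the FGb/Sparse-FGLM implementation. It works over a prime field $\mathbb{F}_p$ on a constructed ideal $I = \langle f_1(x),\ y - g(x) \rangle \subset K[x, y]$ with $D = \deg f_1 = 3$, so the expected lex basis is known in advance. The multiplication matrices $T_x$ and $T_y$ are built directly from $f_1$ and g, where the real algorithm reads them off a grevlex Gröbner basis; the prime p = 65521 and the fixed random seed are my choices, and plain Gaussian elimination stands in for the $O(D \log^2 D)$ Hankel solver of slide 50.

```python
# Added example (not the talk's code): Sparse-FGLM for an ideal in shape
# position, over F_p, on a constructed ideal I = <f1(x), y - g(x)> with D = 3.
import random

P = 65521  # prime field chosen for this example

def reduce_mod(a, f, p):
    """a mod monic f (coefficient lists, low degree first), padded to deg f."""
    a, d = [c % p for c in a], len(f) - 1
    for i in range(len(a) - 1, d - 1, -1):
        if a[i]:
            c = a[i]
            for j in range(d + 1):
                a[i - d + j] = (a[i - d + j] - c * f[j]) % p
    return (a + [0] * d)[:d]

def mult_matrix(h, f, p):
    """Sparse row-dict matrix of multiplication by h on F_p[x]/(f), basis 1..x^(D-1)."""
    D = len(f) - 1
    rows = [dict() for _ in range(D)]
    for j in range(D):                              # column j = h * x^j mod f
        for i, c in enumerate(reduce_mod([0] * j + h, f, p)):
            if c:
                rows[i][j] = c
    return rows

def matvec_t(rows, u, p):
    """T^t u for sparse T; cost = number of nonzero entries."""
    out = [0] * len(rows)
    for i, row in enumerate(rows):
        for j, c in row.items():
            out[j] = (out[j] + c * u[i]) % p
    return out

def berlekamp_massey(s, p):
    """Monic minimal polynomial (low degree first) of sequence s over F_p, and its degree."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for i, si in enumerate(s):
        d = (si + sum(C[j] * s[i - j] for j in range(1, L + 1))) % p
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, p - 2, p) % p
        new_C = C + [0] * max(0, len(B) + m - len(C))
        for j, bj in enumerate(B):
            new_C[j + m] = (new_C[j + m] - coef * bj) % p
        if 2 * L <= i:
            L, B, b, m = i + 1 - L, C, d, 1
        else:
            m += 1
        C = new_C
    return list(reversed((C + [0] * (L + 1))[:L + 1])), L

def solve_mod(A, b, p):
    """Gaussian elimination for A c = b over F_p (the talk uses a fast Hankel solver)."""
    n, M = len(A), [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col])   # H is invertible here
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], p - 2, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [(x - M[r][col] * y) % p for x, y in zip(M[r], M[col])]
    return [row[n] for row in M]

def sparse_fglm_shape(T, p, seed=1):
    """T = [T1, ..., Tn] (row dicts). Returns (f1, [f2, ..., fn]) for the lex
    basis [f1(x1), x2 - f2(x1), ...], or None if deg f1 < D is found."""
    D, rng = len(T[0]), random.Random(seed)
    U = [[rng.randrange(p) for _ in range(D)]]      # U[j] = (T1^t)^j r, r random
    for _ in range(2 * D - 1):
        U.append(matvec_t(T[0], U[-1], p))
    s = [u[0] for u in U]                           # s_j = <(T1^t)^j r, 1>, 1 = e_1
    f1, L = berlekamp_massey(s, p)
    if L != D:
        return None                                 # shape position not certified
    H = [[s[j + k] for k in range(D)] for j in range(D)]          # Hankel, free
    others = []
    for Ti in T[1:]:
        Ti1 = [Ti[i].get(0, 0) for i in range(D)]                  # Ti * e_1
        b = [sum(x * y for x, y in zip(U[j], Ti1)) % p for j in range(D)]
        others.append(solve_mod(H, b, p))
    return f1, others

# Constructed instance: f1 = x^3 - 5x^2 + 2x - 7, g = 3x^2 + x + 4 (D = 3).
F1 = [(-7) % P, 2, (-5) % P, 1]
G = [4, 1, 3]
TX = mult_matrix([0, 1], F1, P)   # multiplication by x1 = x
TY = mult_matrix(G, F1, P)        # multiplication by x2 = y = g(x) mod f1

def demo():
    """Recover the lex basis [f1, y - g] from the multiplication matrices only."""
    return sparse_fglm_shape([TX, TY], P)
```

Two points the code makes concrete: the only operations touching $T_1$ are the 2D transposed sparse products that build $(T_1^t)^j r$, which is where the $D \cdot N_1$ term of the complexity comes from; and the degree check after Berlekamp–Massey is a genuine certificate, since a minimal polynomial of degree D forces the Hankel matrix to be invertible, whereas a smaller degree means the random r was unlucky or the ideal is not in shape position and the algorithm must fall back to the general BMS/FGLM path of slide 54.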

SLIDE 54

General Algorithm

Main algorithm. Input: $T_1, \dots, T_n$.

1. Construct the linearly recurring sequence s.
2. Compute $\tilde{f}$ with BM. Is $\deg(\tilde{f}) = D$? Yes: recover $f_2, \dots, f_n$; end.
3. No: compute F with BMS. Is $F = G_2$? Yes: end.
4. No: compute $G_2$ with FGLM; end.

Deterministic algorithm.

SLIDES 55-56

Fast FGLM

with P. Gaudry, L. Huot, G. Renault

  • Can we improve the theoretical complexity? → $\tilde{O}(D^{\omega})$
  • How to compute all the multiplication matrices $T_i$ [original: $O(nD^3)$]? → $\tilde{O}(D^{\omega})$
  • Can we compute $T_1$ even faster? → 0 arithmetic operations

We provide probabilistic and deterministic algorithms.

SLIDES 57-59

Fast-FGLM: key ideas

1. Multiplication matrices

                      FGLM                        fast-FGLM
                      nD normal forms             O(log2(D)) row echelon forms
                      matrix-vector products      fast matrix multiplication
                      O(n D^3)                    Õ(D^ω)

2. LEX Gröbner basis. $T = T_1^t$ is a $D \times D$ matrix, #T its number of nonzero entries, r a random column vector of size D.

                                    Sparse FGLM                     fast-FGLM
Step 1: T^j r, j = 0..2D-1          2D matrix-vector products        2 log2(D) matrix products (Keller-Gehrig)
                                    worst case O(D^3)               fast matrix multiplication, Õ(D^ω)
Step 2: solving n Hankel systems    O(n D log2^2(D))                O(n D log2^2(D))
Total (probabilistic)               O(D (#T + n log2^2(D)))         O(log2(D) (D^ω + n D log2(D)))

SLIDE 60

Computing $T^j r$ for $j = 0, \dots, 2D - 1$ (Keller-Gehrig)

1. Compute $T^2, T^4, \dots, T^{2^{\lceil \log_2(D) \rceil}}$ with $\lceil \log_2(D) \rceil$ matrix multiplications: $O(\log_2(D)\, D^{\omega})$ arithmetic operations.

2. Compute $\lceil \log_2(D) \rceil$ matrix products of the form

$$T^2 (Tr \mid r) = (T^3 r \mid T^2 r)$$
$$T^4 (T^3 r \mid T^2 r \mid Tr \mid r) = (T^7 r \mid T^6 r \mid T^5 r \mid T^4 r)$$
$$\cdots$$
$$T^{2^{\lceil \log_2(D) \rceil}} \big(T^{2^{\lceil \log_2(D) \rceil} - 1} r \mid \cdots \mid r\big) = \big(T^{2D-1} r \mid T^{2D-2} r \mid \cdots \mid T^{2^{\lceil \log_2(D) \rceil}} r\big).$$

$O(\log_2(D)\, D^{\omega})$ arithmetic operations.
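The Keller-Gehrig doubling step above, as an added worked example written for this page (not the talk's code). Each round multiplies the current power $T^{2^s}$ by the block of Krylov vectors computed so far, doubling the number of vectors, and then squares the power; after $\lceil \log_2(2D) \rceil$ rounds all of $r, Tr, \dots, T^{2D-1} r$ are available. The 3 × 3 matrix over $\mathbb{F}_{101}$ is constructed here, and the dense schoolbook product stands in for the fast matrix multiplication that gives the $D^{\omega}$ in the slide; a naive 2D-step matrix-vector loop is included only to check the result.

```python
# Added example (not the talk's code): the Keller-Gehrig doubling trick for the
# Krylov sequence r, T r, ..., T^(2D-1) r with O(log2 D) dense matrix products.
# Toy 3x3 matrix over F_101 constructed here; dense lists, no fast multiplication.
P = 101

def matmul(A, B, p=P):
    """Dense product A (n x k) times B (k x m) over F_p."""
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]

def naive_krylov(T, r, p=P):
    """[r, T r, ..., T^(2D-1) r] by 2D-1 matrix-vector products (the Sparse-FGLM way)."""
    D, v, out = len(T), r, []
    for _ in range(2 * D):
        out.append(v)
        v = [sum(t * x for t, x in zip(row, v)) % p for row in T]
    return out

def keller_gehrig_krylov(T, r, p=P):
    """Same vectors with ceil(log2(2D)) squarings T^(2^s) and as many products
    T^(2^s) * [T^(2^s-1) r | ... | r] = [T^(2^(s+1)-1) r | ... | T^(2^s) r]."""
    D = len(T)
    block = [[x] for x in r]                 # D x 1 block whose column is r
    power = T                                # T^(2^s), starting at s = 0
    while len(block[0]) < 2 * D:
        new = matmul(power, block, p)        # higher powers, highest power leftmost
        block = [a + b for a, b in zip(new, block)]
        power = matmul(power, power, p)
    cols = [list(c) for c in zip(*block)]    # columns, highest power first
    return cols[::-1][:2 * D]                # r, T r, ..., T^(2D-1) r

# Constructed 3 x 3 matrix and vector over F_101 (D = 3 -> 6 Krylov vectors).
T3 = [[2, 1, 0], [0, 3, 5], [7, 0, 1]]
R3 = [1, 2, 3]
```

The trade-off the two functions expose is the one of slides 58-59: the naive loop does 2D products that each cost only the number of nonzero entries of T, so it wins when T is sparse, while the doubling version does O(log D) dense products and wins when fast dense matrix multiplication is available and T is not sparse enough.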

SLIDE 61

Fast change of ordering

Theorem. Given $T_1$ and $G_{>_1}$ of an ideal in shape position, the LEX Gröbner basis can be computed in

  • $O\big(\log_2(D)\,(D^{\omega} + n \log_2(D)\, D)\big)$ (probabilistic);
  • $O\big(\log_2(D)\, D^{\omega} + D^2 (n + \log_2(D) \log_2(\log_2(D)))\big)$ (deterministic).

Multiplication matrices: can we compute $T_1$ with fewer than $O(nD^3)$ arithmetic operations?

SLIDES 62-63

Computing $T_1, \dots, T_n$: the original FGLM algorithm

Computing $T_1, \dots, T_n$ ⇔ computing $NF(\varepsilon_i x_j)$ for $i = 1, \dots, D$ and $j = 1, \dots, n$. $T_i$ is the $D \times D$ matrix whose columns are $NF(\varepsilon_1 x_i), \dots, NF(\varepsilon_D x_i)$, written in the basis $\varepsilon_1, \dots, \varepsilon_D$.

FGLM needs to compute the elements at distance 1 of the staircase: the set F, with #F ≤ nD.

[Figure: staircase of the standard monomials in the $(x_1, x_2)$ exponent plane, with the border set F and a monomial $x_k \varepsilon_\ell$ just outside the staircase.]

For $t = x_k \cdot \sum_\ell \alpha_\ell \varepsilon_\ell$:

$$NF(t) = \sum_{\ell = 1}^{D} \alpha_\ell\, NF_{>_1}(x_k \varepsilon_\ell) = T_k \cdot (\alpha_1, \dots, \alpha_\ell, 0, \dots, 0)^t .$$

SLIDES 64-65

Computing $T_1, \dots, T_n$ Simultaneously

Computing $T_1, \dots, T_n$ ⇔ computing $NF(\varepsilon_i x_j)$ for $i = 1, \dots, D$ and $j = 1, \dots, n$. New: the elements at distance 1 of the staircase, the set F with #F ≤ nD, are all handled together.

[Figure: the same staircase in the $(x_1, x_2)$ plane with the whole border set F marked.]

SLIDES 66-68

Computing $T_1, \dots, T_n$ using fast linear algebra

We proceed degree by degree. At degree d the columns are indexed by the border monomials $t_\ell \in F$ with $\deg(t_\ell) = d$, then the border monomials $t_j \in F$ with $\deg(t_j) < d$, then the standard monomials $\varepsilon_i \in B$. The rows are the new polynomials $f_\ell$ with $LT(f_\ell) = t_\ell \in F$, $\deg(t_\ell) = d$ (blocks T, A, B; T is triangular with unit diagonal, since we compute a redundant, non-reduced Gröbner basis), and the already known rows $t_j - NF(t_j)$ for $t_j \in F$, $\deg(t_j) < d$ (blocks 0, I, C):

$$\begin{pmatrix} T & A & B \\ 0 & I & C \end{pmatrix} \xrightarrow{\ \text{reduced row echelon form}\ } \begin{pmatrix} I & 0 & T^{-1}(B - AC) \\ 0 & I & C \end{pmatrix}$$

The new rows read $t_\ell - NF(t_\ell)$ for all $t_\ell \in F$ with $\deg(t_\ell) = d$.

Size of the matrix: at most $nD \times (n+1)D$. The normal forms of all the monomials of the same degree are computed simultaneously.

SLIDE 69

Construction of $T_1$: (1) the generic case

To compute $T_1$ we only need $NF(\varepsilon_i x_1)$ for $i = 1, \dots, D$.

Theorem. For generic ideals and the grevlex ordering, $\varepsilon_i x_1 \in B \cup LT(G)$ for $i = 1, \dots, D$. Hence $T_1$ is free.

Moreno-Socías: this holds for any instantiation of $\deg_{x_j}$ for $j \in \{1, \dots, n-1\} \setminus \{i\}$.

[Figure: staircase in the $(x_1, x_i)$ plane; multiplying a standard monomial by $x_1$ either stays inside the staircase (the column of $T_1$ is a unit vector) or lands on a leading term of G (the column is read off the corresponding basis element).]

SLIDE 70

Construction of $T_1$: (2) the non-generic case

Assume the characteristic of K is 0 or sufficiently large.

Galligo; Bayer and Stillman; Pardue: let I be a homogeneous ideal. There exists a Zariski open subset $U \subset GL(K, n)$ such that for all $S \in U$, $S \cdot I$ has the structure of a generic ideal.

Theorem. Let $I = \langle f_1, \dots, f_n \rangle$ be an affine ideal and $I^{(h)} = \langle f_1^{(h)}, \dots, f_n^{(h)} \rangle$. If $(f_1^{(h)}, \dots, f_n^{(h)})$ is regular then $LT(S \cdot I) = LT(S \cdot I^{(h)})$; no arithmetic operation is needed to obtain $T_1$ of $S \cdot I$, where S is randomly chosen in $GL(K, n)$.

Shape Lemma. If I is a radical ideal, there exists a Zariski open subset $V \subset GL(K, n)$ such that for all $S \in V$, $S \cdot I$ is in shape position.

SLIDE 71

To summarize

$S = \{f_1, \dots, f_n\}$ with $\deg(f_i) \le d$ and $\langle f_1, \dots, f_n \rangle$ radical.

New algorithms for the change of ordering, complexity (probabilistic):

  ◇ Multiplication matrix $T_1$: extracted without computation
  ◇ Fast FGLM: $O(\log_2(D)\, D^{\omega})$
  ◇ Sparse FGLM: $O\big(D\,(\#T_1 + n \log_2(D))\big)$

In practice, an efficient algorithm:

1. add a random linear form and a new variable: $t - \sum_{i=1}^{n} \alpha_i x_i$
2. compute a grevlex Gröbner basis G in $K[x_1, \dots, x_n, t]$
3. extract $T_1$ from G (no computation)
4. use the sparsity of $T_1$ to recover the lex Gröbner basis

Can solve systems with ≥ 362880 solutions!