[PPT] - On The Complexity Of Computing Grbner Bases For Quasi-Homogeneous PowerPoint Presentation

SLIDE 1

On The Complexity Of Computing Gröbner Bases For Quasi-Homogeneous Systems

Jean-Charles Faugère1 Mohab Safey El Din1,2 Thibaut Verron1,3

1Université Pierre et Marie Curie, Paris 6, France

INRIA Paris-Rocquencourt, Équipe POLSYS Laboratoire d’Informatique de Paris 6, UMR CNRS 7606

2Institut Universitaire de France 3École Normale Supérieure, Paris, France

June 29, 2013

SLIDE 2

Motivation

0 =          7871 18574 14294 32775 20289          e16 5 +          53362 50900 36407 58813 20802          ˜ e8 1 +          26257 128 3037 38424 41456          ˜ e7 1 ˜ e2 +          25203 23117 28918 29298 56353          ˜ e6 1 ˜ e2 2 +          19817 29737 52187 36574 46683          ˜ e5 1 ˜ e3 2 +          9843 3752 27006 64195 63059          ˜ e4 1 ˜ e4 2 +          11204 25459 58263 17964 57146          ˜ e3 1 ˜ e5 2 +          46217 5478 45631 13171 42548          ˜ e2 1 ˜ e6 2 +          63811 50777 48809 1858 55751          ˜ e1 ˜ e7 2 +          40524 6881 1238 8056 54831          ˜ e8 2 +          4522 1728 18652 54885 8241          ˜ e7 1 ˜ e3 +          27518 32176 31159 28424 5276          ˜ e6 1 ˜ e2 ˜ e3 + 2067 smaller monomials

Discrete Logarithm Problem (Faugère, Gaudry, Huot, Renault 2013)

SLIDE 3

Motivation

0 =          7871 18574 14294 32775 20289          e16 5 +          53362 50900 36407 58813 20802          ˜ e8 1 +          26257 128 3037 38424 41456          ˜ e7 1 ˜ e2 +          25203 23117 28918 29298 56353          ˜ e6 1 ˜ e2 2 +          19817 29737 52187 36574 46683          ˜ e5 1 ˜ e3 2 +          9843 3752 27006 64195 63059          ˜ e4 1 ˜ e4 2 +          11204 25459 58263 17964 57146          ˜ e3 1 ˜ e5 2 +          46217 5478 45631 13171 42548          ˜ e2 1 ˜ e6 2 +          63811 50777 48809 1858 55751          ˜ e1 ˜ e7 2 +          40524 6881 1238 8056 54831          ˜ e8 2 +          4522 1728 18652 54885 8241          ˜ e7 1 ˜ e3 +          27518 32176 31159 28424 5276          ˜ e6 1 ˜ e2 ˜ e3 + 2067 smaller monomials

Discrete Logarithm Problem (Faugère, Gaudry, Huot, Renault 2013)

Description of the system

◮ Ideal invariant under the group

(Z/2Z)n−1 ⋊ Sn, rewritten with the invariants:

˜

ei := ei(x2

1 , . . . , x2 n ) (1 ≤ i ≤ n − 1)

en(x1, . . . , xn)

◮ n equations of degree 2n−1

in Fq[˜ e1, . . . , ˜ en−1, en]

◮ 1 DLP = thousands of such systems

Goal: compute a Gröbner basis

◮ Total degree grading

→ difficult (intractable with Magma) → non regular

◮ Weighted degree grading

Weight(˜ ei) = 2 · Weight(ei) → easier → regular

◮ Two questions:

◮ Algorithms for this structure? ◮ Complexity estimates?

SLIDE 4

Motivation

0 =          7871 18574 14294 32775 20289          e16 5 +          53362 50900 36407 58813 20802          ˜ e8 1 +          26257 128 3037 38424 41456          ˜ e7 1 ˜ e2 +          25203 23117 28918 29298 56353          ˜ e6 1 ˜ e2 2 +          19817 29737 52187 36574 46683          ˜ e5 1 ˜ e3 2 +          9843 3752 27006 64195 63059          ˜ e4 1 ˜ e4 2 +          11204 25459 58263 17964 57146          ˜ e3 1 ˜ e5 2 +          46217 5478 45631 13171 42548          ˜ e2 1 ˜ e6 2 +          63811 50777 48809 1858 55751          ˜ e1 ˜ e7 2 +          40524 6881 1238 8056 54831          ˜ e8 2 +          4522 1728 18652 54885 8241          ˜ e7 1 ˜ e3 +          27518 32176 31159 28424 5276          ˜ e6 1 ˜ e2 ˜ e3 + 2067 smaller monomials

Discrete Logarithm Problem (Faugère, Gaudry, Huot, Renault 2013)

Description of the system

◮ Ideal invariant under the group

(Z/2Z)n−1 ⋊ Sn, rewritten with the invariants:

˜

ei := ei(x2

1 , . . . , x2 n ) (1 ≤ i ≤ n − 1)

en(x1, . . . , xn)

◮ n equations of degree 2n−1

in Fq[˜ e1, . . . , ˜ en−1, en]

◮ 1 DLP = thousands of such systems

Goal: compute a Gröbner basis

◮ Total degree grading

→ difficult (intractable with Magma) → non regular

◮ Weighted degree grading

Weight(˜ ei) = 2 · Weight(ei) → easier → regular

◮ Two questions:

◮ Algorithms for this structure? ◮ Complexity estimates?

SLIDE 5

Motivation

0 =          7871 18574 14294 32775 20289          e16 5 +          53362 50900 36407 58813 20802          ˜ e8 1 +          26257 128 3037 38424 41456          ˜ e7 1 ˜ e2 +          25203 23117 28918 29298 56353          ˜ e6 1 ˜ e2 2 +          19817 29737 52187 36574 46683          ˜ e5 1 ˜ e3 2 +          9843 3752 27006 64195 63059          ˜ e4 1 ˜ e4 2 +          11204 25459 58263 17964 57146          ˜ e3 1 ˜ e5 2 +          46217 5478 45631 13171 42548          ˜ e2 1 ˜ e6 2 +          63811 50777 48809 1858 55751          ˜ e1 ˜ e7 2 +          40524 6881 1238 8056 54831          ˜ e8 2 +          4522 1728 18652 54885 8241          ˜ e7 1 ˜ e3 +          27518 32176 31159 28424 5276          ˜ e6 1 ˜ e2 ˜ e3 + 2067 smaller monomials

Discrete Logarithm Problem (Faugère, Gaudry, Huot, Renault 2013)

Description of the system

◮ Ideal invariant under the group

(Z/2Z)n−1 ⋊ Sn, rewritten with the invariants:

˜

ei := ei(x2

1 , . . . , x2 n ) (1 ≤ i ≤ n − 1)

en(x1, . . . , xn)

◮ n equations of degree 2n−1

in Fq[˜ e1, . . . , ˜ en−1, en]

◮ 1 DLP = thousands of such systems

Goal: compute a Gröbner basis

◮ Total degree grading

→ difficult (intractable with Magma) → non regular

◮ Weighted degree grading

Weight(˜ ei) = 2 · Weight(ei) → easier → regular

◮ Two questions:

◮ Algorithms for this structure? ◮ Complexity estimates?

SLIDE 6

Gröbner bases and structured systems

Polynomial system f : X 2 + 2XY + Y 2 + X = 0 g : X 2 − XY + Y 2 + Y − 1 = 0      Gröbner basis Y 3 + Y 2 − 4

9X − 2 9Y − 4 9

X 2 + Y 2 + 1

3X + 2 3Y − 2 3

XY + 1

3X − 1 3Y + 1 3

          

Problematic

Structured systems → Can we exploit it?

Successfully studied structures

◮ Bihomogeneous (Dickenstein,

Emiris, Faugère, Safey, Spaenlehauer...)

◮ Group symmetries (Colin,

Faugère, Gatermann, Rahmany, Svartz...)

◮ Quasi-homogeneous?

SLIDE 7

Quasi-homogeneous systems: définitions

Definition (e.g. [Robbiano 1986], [Becker and Weispfenning 1993])

System of weights: W = (w1, . . . , wn) ∈ Nn Weighted degree (or W-degree): degW(X α1

1

. . . X αn

n ) = n i=1 wiαi

Quasi-homogeneous polynomial: poly. containing only monomials of same W-degree → Example: physical systems: Volume= Area×Height Weight 3 Weight 2 Weight 1

Given a general (non-quasi-homogeneous) system and a system of weights

Computational strategy: quasi-homogenize it as in the homogeneous case Complexity estimates: consider the highest-W-degree components of the system

◮ Enough to study quasi-homogeneous systems

SLIDE 8

Quasi-homogeneous systems: définitions

Definition (e.g. [Robbiano 1986], [Becker and Weispfenning 1993])

System of weights: W = (w1, . . . , wn) ∈ Nn Weighted degree (or W-degree): degW(X α1

1

. . . X αn

n ) = n i=1 wiαi

Quasi-homogeneous polynomial: poly. containing only monomials of same W-degree → Example: physical systems: Volume= Area×Height Weight 3 Weight 2 Weight 1

Given a general (non-quasi-homogeneous) system and a system of weights

Computational strategy: quasi-homogenize it as in the homogeneous case Complexity estimates: consider the highest-W-degree components of the system

◮ Enough to study quasi-homogeneous systems

SLIDE 9

Complexity for generic homogeneous systems

F(X1, . . . , Xn) GREVLEX basis LEX basis Buchberger F4 F5 . . . FGLM [Buchberger 1976] [Faugère 1999] [Faugère 2002] [Faugère, Gianni, Lazard and Mora 1993] Homogeneous, generic, with total degree (d1, . . . , dn) (zero-dimensional)

SLIDE 10

Complexity for generic homogeneous systems

F(X1, . . . , Xn) GREVLEX basis LEX basis F5 FGLM Homogeneous, generic, with total degree (d1, . . . , dn) (zero-dimensional) Highest degree dmax ≤

n

i=1

(di − 1) + 1 Size of a matrix at degree d =

n + d − 1

d

Number of solutions = n

i=1 di (Bézout bound)

         O  

n + dmax − 1

dmax 3 + n n

i=1

di 3 

SLIDE 11

Main results: strategy and complexity results

F(X1, . . . , Xn), W F(X w1

1 , . . . , X wn n )

W-GREVLEX basis of F LEX basis F5 FGLM Homogeneous, with total degree (d1, . . . , dn) W-Homogeneous, generic, with W-degree (d1, . . . , dn) (zero-dimensional) W = (w1, . . . , wn) Highest W-degree dW,max ≤

n

i=1

(di − 1) + 1 −

n

i=1

(wi − 1) + max{wj} − 1 Size of the matrix at W-degree d ≃ 1 n

i=1 wi

n + d − 1

d

Number of solutions =

n

i=1 di

n

i=1 wi

(weighted Bézout bound)                    O  

1

n

i=1 wi

3  

n + dW,max − 1

dW,max 3 + n n

i=1

di 3   

SLIDE 12

Roadmap

Input

◮ W = (w1, . . . , wn) system of weights ◮ F = (f1, . . . , fn) generic sequence of W-homogeneous polynomials

with W-degree (d1, . . . , dn) General roadmap:

1. Find a generic property which rules out all reductions to zero

◮ Regular sequences

2. Design new algorithms to take advantage of this structure

◮ Adapt algorithms for the homogeneous case to the quasi-homogeneous case

3. Obtain complexity results

SLIDE 13

Regular sequences

Definition (e.g. [Eisenbud 1995])

F = (f1, . . . , fm) homo. ∈ K[X] is regular iff    F K[X] ∀i, fi is no zero-divisor in K[X]/f1, . . . , fi−1 X Y X 2 + Y 2 − 1 X − 2Y − 1

SLIDE 14

Regular sequences

Definition (e.g. [Eisenbud 1995])

F = (f1, . . . , fm) homo. ∈ K[X] is regular iff    F K[X] ∀i, fi is no zero-divisor in K[X]/f1, . . . , fi−1 X Y X 2 + Y 2 − 1 X − 2Y − 1 Regular sequences

f homo. polynomials

Generic Good properties F5-criterion Hilbert series

SLIDE 15

Regular sequences

Definition (e.g. [Eisenbud 1995])

F = (f1, . . . , fm) quasi-homo. ∈ K[X] is regular iff    F K[X] ∀i, fi is no zero-divisor in K[X]/f1, . . . , fi−1 X Y X 2 + Y 2 − 1 X − 2Y − 1 Regular sequences

f quasi-homo. polynomials

Generic if = ∅ Good properties F5-criterion Hilbert series

Result (Faugère, Safey, V.)

SLIDE 16

From quasi-homogeneous to homogeneous

Transformation morphism

homW : (K[X], W-deg) → (K[X], deg) f → f(X w1

1 , . . . , X wn n ) ◮ Graded injective morphism ◮ Sends regular sequences on regular sequences ◮ S-Pol(homW (f), homW (g)) = homW (S-Pol(f, g))

− → Good behavior w.r.t Gröbner bases (Quasi-homogeneous) F Basis of F w.r.t hom−1

W (≺)

(Homogeneous) homW (F) Basis of homW (F) w.r.t ≺ Gröbner Gröbner homW hom−1

W

SLIDE 17

Adapting the algorithms

Detailed strategy

◮ F5 algorithm on the homogenized system ◮ FGLM algorithm on the quasi-homogeneous system

Input: F, W W-GREVLEX basis of F homW (F) = F(X w1

1 , . . . , X wn n )

GREVLEX basis of homW (F) F5 homW hom−1

W

SLIDE 18

Adapting the algorithms

Detailed strategy

◮ F5 algorithm on the homogenized system ◮ FGLM algorithm on the quasi-homogeneous system

Input: F, W W-GREVLEX basis of F n

i=1 di

n

i=1 wi

solutions homW (F) = F(X w1

1 , . . . , X wn n )

GREVLEX basis of homW (F) n

i=1 di solutions

F5 homW hom−1

W

SLIDE 19

Adapting the algorithms

Detailed strategy

◮ F5 algorithm on the homogenized system ◮ FGLM algorithm on the quasi-homogeneous system

Input: F, W W-GREVLEX basis of F LEX basis

f F

homW (F) = F(X w1

1 , . . . , X wn n )

GREVLEX basis of homW (F) F5 FGLM homW hom−1

W

n

i=1 di

n

i=1 wi

solutions

SLIDE 20

Benchmarking

F : affine system with a quasi-homogeneous structure fi =

α

cαmα with degW(mα) ≤ di Assumption: the highest W-degree components are regular (e.g. if F is generic) Direct strategy F GREVLEX basis of F LEX basis

f F

Quasi-homo. strategy F W-GREVLEX basis of F LEX basis

f F

homW (F) = F(X w1

1 , . . . , X wn n )

GREVLEX basis of homW (F) F5 FGLM homW hom−1

W

F5 FGLM

SLIDE 21

Benchmarks for generic systems

7 8 9 10 11 12 13 14 1 10 100 1,000 Ratio = 8.4 # Variables Time (s)

Algorithm F5, timings

Direct Quasi-homogeneous FGLM timing for n = 13:    5602.3 s 1645.1 s 65 536 solutions Ratio = 2.1

◮ Generic systems in n variables with

   weights W = (2, . . . , 2, 1, 1) W-degree D = (4, . . . , 4)

◮ Number of solutions: 2n+2 ◮ Benchmarks obtained with FGb :

   F5 [Faugère 2002] SPARSEFGLM [Faugère and Mou 2013]

SLIDE 22

A closer look at F5 (the DLP example)

1 5 10 15 20 25 30 35 10 20 30 Step Degree W-degree/2

Algorithm F5, step by step

Direct Quasi-homogeneous 36

◮ 5 equations of W-degree (16, . . . , 16) in 5 variables with W = (2, . . . , 2, 1) ◮ 65 536 solutions ◮ Timings:

Magma (F4)

> 12 h 6044 s Speed-up: 9.3 FGb (F5) 12 297 s 567 s Speed-up: 21.7

SLIDE 23

Conclusion

What we have done

◮ Theoretical results for quasi-homogeneous systems under generic assumptions ◮ Computational strategy for quasi-homogeneous systems ◮ Complexity results for F5 and FGLM for this strategy

◮ Bound on the maximal degree reached by the F5 algorithm ◮ Complexity overall divided by ( wi)3

Consequences

◮ Successfully applied to a cryptographical problem ◮ Wide range of potential applications

Perspectives

◮ Overdetermined systems: adapt the definitions and the results ◮ Affine systems: find the most appropriate system of weights

(e.g for the DLP , how to choose the weights of the ei’s?)

SLIDE 24

Conclusion

What we have done

◮ Theoretical results for quasi-homogeneous systems under generic assumptions ◮ Computational strategy for quasi-homogeneous systems ◮ Complexity results for F5 and FGLM for this strategy

◮ Bound on the maximal degree reached by the F5 algorithm ◮ Complexity overall divided by ( wi)3

Consequences

◮ Successfully applied to a cryptographical problem ◮ Wide range of potential applications

Perspectives

◮ Overdetermined systems: adapt the definitions and the results ◮ Affine systems: find the most appropriate system of weights

(e.g for the DLP , how to choose the weights of the ei’s?)

SLIDE 25