>> Kristin Lauter: Okay. So today we're very pleased to have Robert Rolland visiting us from the University of Marseilles. Robert has -- this is his first visit to Microsoft Research, but I've known Robert for quite a long time. He's been involved in cryptography for decades, in elliptic curve and hyperelliptic curve cryptography, and he's the author of a book on cryptography in French, which we are still waiting for the translation of. And so it's my great pleasure to introduce him, and he will speak to us about bilinear complexity of the multiplication in finite fields.

>> Robert Rolland: Okay. Thank you. So first I want to thank Kristin for inviting me here, and also all the crypto group of Microsoft for this welcome. And I am speaking about a theoretical problem which can perhaps be applied for multiplication in finite fields. But the story is not finished. Okay. So for the notations, we get -- we take a finite field FQ, we square the amount, and an extension of FQ of degree N. And we know that if you want to speak about complexity, you have to choose a representation of the elements. So for me the extension is just the quotient of FQ of X by the ideal generated by a polynomial P, where P is irreducible with degree N and coefficients in FQ. So with this representation the multiplication of [inaudible] of FQ power N is a product of two polynomials in FQ of X with degree less than N, modulo P of X. The basic operation now is multiplication in FQ. And we try to multiply in FQ power N.
So, for example, a typical case is to choose Q sufficiently small and N a large degree. Then if your Q is sufficiently small you can store a built-in multiplication table for FQ and compute in the large field FQ power N using a basic operation, the multiplication of FQ. For example, to compute in F2 power 1[inaudible]60, one can take Q equal 2 power 8, which is rather small, and you can store the table of -- the multiplication table, and N equal 20; or Q equal 2 power 4 and N equal 40, depending upon the size of the hardware. Okay. First there is an algebraic interpretation of this multiplication. So the multiplication, little m, in the finite field is a bilinear application from this product onto this space. And it can be considered as a linear application: when you have a bilinear application, you consider that it is a linear application, big M, from the tensor product, which is L, onto FQ power N. And then one can also represent M by a tensor TM in this tensor product, where FQN star denotes the dual of FQN. And this tensor has many decompositions like that: TM is a sum of these products. And this decomposition is not unique. What happens for the product: if you compute X.Y, you have to compute the combination of the tensor on X tensor Y, and this is nothing else than this sum. This is a linear application, a linear form, this also, and this is an element of FQN. And now when you have such a decomposition, you have an algorithm to compute the product. So if you want to have a good complexity, you have to choose a decomposition of the tensor with little K as little as possible. The bilinear complexity of the multiplication in FQ power N over FQ, which we denote by mu Q of N, is the minimum number of terms in the previous decomposition, the K over the sigma sign. Alternatively, the bilinear complexity of the multiplication is the rank of the tensor TM. So there is a theoretical problem, which is to find the rank of the tensor.
And let us remark that the bilinear complexity of the multiplication is not the global complexity of the multiplication. Because you just study the product of variables. But not this computation, which is a linear form, nor this one, which is a [inaudible] linear form. You just compute the bilinear complexity. And namely the computation of XI star of X and YI star of Y is not taken into account in the bilinear complexity. I develop this: the bilinear complexity is not all the complexity. In the simple case of the usual multiplication of polynomials with complex coefficients, if you use a discrete Fourier transform to do the computation, the bilinear complexity is linear in the degree, just the product coefficient by coefficient. But for the whole complexity you also have to take into account the Fourier transform. And even if you use the fast Fourier transform, you have an algorithm which is big O, N log N. So in this example the bilinear complexity is less than the linear complexity for the computation of the Fourier transform. However, it is indispensable to count separately the two parts. Indeed, to multiply two variables X and Y, you have to use general algorithms of multiplication. On the contrary, to multiply a variable X by a constant A, the algorithm may be simpler and adapted to the value of A. The best example is the case A is 1, because we have nothing to do in this case. But in general we have to compute some linear form, and that is a product of a [inaudible] by a matrix, and the matrix can be with many zeros or of a special form and so on and so on. So you have to separate the two cases. Yes.

>>: In a crypto context, do we care about the fast Fourier [inaudible] it will keep the [inaudible] presentation, you never have to convert, so it becomes a zero-cost operation.

>> Robert Rolland: Yes.

>>: Nobody said you have to keep the polynomial by coefficient. You can keep the polynomial by Fourier.

>> Robert Rolland: Yes.
>>: Small polynomials.

>> Robert Rolland: For small polynomials, no, it is not --

>>: No, the one [inaudible] -- in your case of 2 to the 60 being 40 is order over 4.

>> Robert Rolland: No. This is just -- this is not exactly my problem, because this is with complex coefficients and it is not exactly the same; it is an example to see that the bilinear complexity is not all the complexity. But this example is -- we'll see that it is not so far from our problem. So first the old results. So you fix a polynomial P, which is a [inaudible] polynomial of degree N, which is normalized, that is the coefficient of the highest degree term is 1, and irreducible, okay, with coefficients in the field F. And now two polynomials of degree less than or equal to N minus 1. And the coefficients here are variables. And you compute first this multiplication. And after we compute this multiplication modulo P. The bilinear complexity of the multiplication, which is L, is greater or equal than 2N minus 1. Okay. This is the first fact. Yes.

>>: So just for my understanding, one slide back, one more, on this page here, the bilinear complexity of this algorithm is 2N? Is that right?

>> Robert Rolland: What?

>>: Would you say the bilinear complexity of this approach is 2N if you're trying to multiply polynomials of degree N?

>> Robert Rolland: Yes. Yes.

>>: Okay. So then the next slide is -- it's almost tight.

>> Robert Rolland: Yes.

>>: All right.

>> Robert Rolland: And an algorithm reaching exactly the bound when F is an infinite field was first given by Toom, and so effectively when F is infinite this bound is exactly reached. Later Winograd characterized all the algorithms. It's a very nice paper. It described all the algorithms reaching the bound 2N minus 1. You know exactly how to do it and nothing else. Moreover, Winograd proved that if you have an algorithm with bilinear complexity 2N minus 1 which computes the coefficients of this product mod P,
then this algorithm computes also all the coefficients of this product. So you do not win anything with the modulo. It's just, if you do this or if you do this, you have the same minimal complexity. And these algorithms use interpolation algorithms. So with interpolation algorithms we cannot achieve these algorithms if the cardinality of F is less than 2N minus 2, because there are not enough points to recover the product. Then we get the following. If the cardinality of F is less than 2N minus 2, any algorithm computing the coefficients of this product modulo P has bilinear complexity which is strictly [inaudible] than 2N minus 1. Okay. And it is the case for many extensions of finite fields. So by applying the result of Winograd and the [inaudible] theorem to the multiplication in a finite extension of a finite field, we obtain the following. The bilinear complexity of the multiplication in this finite field satisfies mu Q of N greater or equal 2N minus 1. And the equality occurs if [inaudible] the extension is not too large, because otherwise there are not enough points, so [inaudible] and it's less or equal than Q over 2 plus 1. Okay. And then this result does not give any estimate for mu Q when N is large. So the first result of [inaudible] for finite fields was obtained by Lempel, Seroussi and Winograd, who proved that mu Q has an upper bound which is quasi-linear; that is, the theorem is: the bilinear complexity of the multiplication in the finite field over FQ satisfies mu Q less than FQ of N multiplied by N, where FQ of N is a very slowly increasing function, that is something which is O of log, log, log, log N with [inaudible] times log for [inaudible] all K. But now new results. Then if the cardinality of the [inaudible] field is too low, the multiplication cannot be done by the interpolating algorithms of Winograd. Then D. and G. Chudnovsky designed an algorithm where the interpolation is done on the rational points of an algebraic curve defined [inaudible] field.
It's their idea, and they proved that the bilinear complexity of the multiplication in the extension of a finite field is linear in the degree of the extension. But here is the theorem. Let F over FQ be an algebraic function field, Q a place of degree N of this field, D an effective divisor, and P a system of points P1, ..., PN, a set of places of degree 1, that is points on the curve. We suppose that Q, P1 and so on, PN, are not in the support of D, and that the two following conditions are satisfied: the evaluation map from L(D) to FQ -- FQN, I denote by FQ the local field, that is FQ is -- you consider all the functions, all the rational functions which are defined at Q, [inaudible] generated by Q in the place. So, in fact, you know, because the place [inaudible] is of degree N, that the dimension of this space is exactly N, and so there is an isomorphism between FQ power N and FQ. So you suppose that this evaluation map is surjective, and that the map which maps an element of L(2D) into FQ power N, N the number of places of degree 1, constituted by the evaluation of F in P1 and so on, the evaluation of F in PN -- you suppose that this map is [inaudible]. Then mu Q of N is less than big N. I want to make this precise, because like that it is a little complicated. So let X and Y be two elements of FQN. You want to multiply these two elements. We know that the residue field FQ in the place Q, which is of degree N, is isomorphic to FQ over N, the residue field. Then X and Y can be considered as elements of Q. Using condition 1, there are two algebraic functions F and G in L of D such that F(Q) is X and G(Q) is Y. Now you have F and G. Let us evaluate F and G on the points P1, ..., PN. So if you do the product of the two functions, now we are in L of 2D, and the value of H on P1, ..., PN is given by F(P1) G(P1), ..., F(PN) G(PN). So to compute H(P1) and so on, H(PN), you just have to make the product component by component. That is exactly big N multiplications in FQ.
Now, you know that H is the product of these two functions [inaudible] know that [inaudible] is in L(2D), then using the [inaudible] part, this condition, we recover [inaudible]. There is only one H like this. Now, we evaluate our H on the point Q, in the place Q, and H in the place Q gives you F of Q times G of Q. That is exactly the product XY. And the only bilinear operations are the N products F(PI) G(PI). Okay. Using the previous algorithm with a good sequence of algebraic function fields, Chudnovsky and Chudnovsky proved that the bilinear complexity of the multiplication is linear, and they proved exactly that for all prime powers Q there is a constant CQ such that mu Q of N is less or equal CQ N. But they don't give any value, because they use a very complicated sequence of algebraic function fields and you cannot give a fixed value for CQ, no evaluation. This is -- it just says that there is a constant like that, but they cannot give a bound for this constant. Yes.

>>: Sorry. In the previous one, so it's possible this constant is greater than 2 and so therefore doesn't represent an improvement over the simpler theorem from like slide 5? Is it the same N and the same -- maybe one more. Forward.

>> Robert Rolland: Which one?

>>: The other way. There's the bound 2N minus 1, right?

>> Robert Rolland: Yes. But this is -- this is greater than, but you have not this complexity less than. So in the new theorem, you have an upper bound.

>>: By some constant C, which might be greater than 2.

>> Robert Rolland: We don't know. In fact, we hope that C is not too far from this, but we don't know.

>>: Okay. Okay.

>> Robert Rolland: So I want to explain to you why I think that this is not far from the Fourier transform and Laplace transform. It is my interpretation. What is in the theorem [inaudible] 5: first with X and Y, but let us consider X, we associate a function F such that F of Q is X.
So in fact with X you associate an algebraic function, that is a rational function, a quotient of two polynomials. You associate an algebraic function to X. And this is near a Fourier-Laplace transform which is called the Z-transform. When you have a function given by its values, a discrete function given by these values, you associate in the Z-transform the polynomial having these values for coefficients. So to a point you associate a polynomial here, and to a point you associate an algebraic function, a rational function. And after, when you have F, you evaluate F on the points P1, P2, ..., PN. And this is very similar to the Fourier transform, [inaudible] evaluation of the Z-transform on the [inaudible]. So it is very similar. And perhaps this is interesting for the comprehension of the problem. So the Laplace transform. We have the residue field, which is the set of algebraic rational functions defined on Q. An algebraic function is a quotient of polynomials where the denominator doesn't vanish in Q, [inaudible] in Q, and the quotient by the ideal generated by Q. And you know that this is surjective, so if you take an X you can choose F here such that X is F of Q. This is my equivalent of the Laplace transform. And the Fourier transform: when you have F and G, for F you evaluate F on these points and for G you evaluate on these points. And this is similar to evaluating the Laplace transform on some points for the Fourier transform; for the classical Fourier transform, these points are roots of [inaudible]. Now you do this multiplication. This is a multiplication, but because you know these points, you can recover in this space this multiplication. And now we evaluate this function on Q and it gives you -- it gives you the product XY. This seems complicated, but all this is only bilinear operations. Also these operations can be done effectively, because they are products of matrices, and you can effectively do this on computers.
So now you have -- I return to the theorem here. You have this condition to obtain, and this one. And after you have to find an algebraic function field like that. And the proof of Chudnovsky and Chudnovsky was [inaudible], that is they give a special sequence of algebraic function fields and a proof for this sequence that these two conditions are realized. But it would be better to have some simple conditions on the algebraic function field saying that these conditions are realized. So it was the work of one of my students, Stéphane Ballet, for his Ph.D. And first he proved that if there is an algebraic function field of genus G where the following condition, 2G plus 1 is less than this quantity, holds, and such that the number of rational points satisfies N1 greater than this, then the complexity is less than 2N plus G minus 1. And the proof of this was technical and used computation and the [inaudible] theorem. Okay. Now the global strategy for the problem is, one, to define modifications to generalize the theorem of Chudnovsky-Chudnovsky algorithms in order to get better bounds, and find some sufficient conditions which permit to apply the algorithm, and build a sequence, in general a tower, of algebraic function fields which will realize the previous conditions. Let us remark that we have to study the bilinear complexity when the degree N of the extension is growing to infinity. So for each N we have to adapt the algebraic function field in order to verify the conditions. Because when N is going up, you need more and more and more points. So you have to change the curve. When you have a curve, you have a number of points, and when it is not enough, you have to change the curve. So you have to take a tower of curves, of algebraic function fields, and adapt the step of the tower to obtain enough points to do the computation.
So for [inaudible] you have to adapt the algebraic function field in order to verify the conditions, in particular to have [inaudible] points for the interpolation process. So the number of points needed is also growing to infinity, because the degree of the extension is growing to infinity, and consequently the genus of the algebraic function field also. In fact, the same function field can be used on an interval for N. You can use the same curve on an interval for the degree of the extension. And when N becomes greater than the upper bound of this interval, you must change the function field. Okay. So this was successively improved, the upper bound for the bilinear complexity, and the actual bounds are the following. So mu Q of N is less than CQ N, with: if Q is 2, CQ is 46. If Q is 3, then CQ is 18; 4, 12; and [inaudible] 5 -- until 5 in this particular case [inaudible]. The particular case when Q is P, a prime greater than 5, then you have this formula. And there is another particular case when Q is a square greater or equal to 9, then you have this formula. And the general case, when Q is greater than 5 and not of the following -- of this form, then you have this. If you observe, you'll see that there is the coefficient 3 and 1, and this is -- P is the prime field, so P is less than Q minus 2, so this is less than 1. So this is less than 6. So you have a uniform constant for all Q; 6 is the uniform constant. And this is not exactly 2 or something, but at the moment this is the best bound. Okay [inaudible]. So for each degree you have to adapt the algebraic function field to use, and the algebraic function field must have enough [inaudible] points for this degree. So the best actually is to use a tower of function fields, and not a random tower but a good tower. Good towers are built on the -- where Q is over [inaudible] Q2, on the square. There are towers which reach -- which are better at the moment.
Because we have two constraints which are antagonistic, as originally in that: the first constraint is to have many, many points, and the second constraint is [inaudible] is to be as small as possible. So we use in fact the Garcia & Stichtenoth tower. This one -- because they have built many towers. But this one was the first to reach what is called the Drinfeld-Vladut bound. I will explain later what this is. So we start from the rational function field FQ2(X1), the rational function field over FQ2. And we build [inaudible] FK plus 1 equal FK of ZK plus 1, where ZK plus 1 satisfies an equation which is here. And this is proved to be irreducible over the field FK. And after you have to build the following: XK plus 1 is ZK plus 1 divided by XK. This gives a tower of function fields which has many good properties. We know exactly the genus. It is easy to compute the genus. And the number of rational points is greater than this. So you have exactly what we want to control, the genus and the number of points, and to verify that the number of points is sufficient and the genus is not too large. And this tower reaches the Drinfeld-Vladut bound; namely, the number of points divided by the genus, you take the limit with K growing to infinity, and this [inaudible] is exactly the bound [inaudible] the FQ tower, the bound of Drinfeld-Vladut, that is exactly Q minus 1, which is the maximum. Okay. Now we have a tower like that. But to improve the bound, Stéphane Ballet, using Galois theory, built intermediate steps between two consecutive steps of the Garcia-Stichtenoth tower. In the other tower, each step has a number of points and a genus, and I tell you you have the next step. But if you can put some steps, some intermediate steps, you can better control the genus and the number of points. Because if you have to do a big step, you can lose something. Here you can have just enough points and the genus smaller in the intermediate step. That is the idea.
So [inaudible] can best adapt the genus to the number of points required. [inaudible] a problem that [inaudible] constraint, so the number of rational points must be greater than some value, and the genus of the curve has to be as low as possible. And so if you have intermediate steps, it's better. And this is done by a standard amount of Galois theory. We have called this the Garcia-Stichtenoth tower [inaudible]. And now there is another improvement. To perform the multiplication over FQ, we have to do an important -- as the tower is built on FQ2, there is a problem when you have to deal with a Q which is not a square. And you have to take a square not too far from Q and do some computation with interpolation and so on, and you lose [inaudible]. So if you could perform the multiplication directly on FQ, it would be better. So we modified the Chudnovsky-Chudnovsky algorithm using not only interpolation over rational points but also over places of degree 2. And if you use places of degree 2, you can work on FQ and not on FQ2. Two papers on this improvement. And the two [inaudible] of a function field over FQ2 on the function field over FQ, in such a way that the function field over FQ2 is the complex field of J, that is [inaudible] product J FQ2. So in fact you have a field over FQ2, you want the field over FQ such that its complexified is the first field. And now you obtain two theorems. One is not used now, but I give it too, to explain the next improvement. Let Q be a prime power; [inaudible] there exists a function field of genus G such that, always the same -- the same bounds here. And N1 of F, there's 2 -- N2 of F. This is the number of places of degree 1 and this is the number of places of degree 2. And if you have this inequality, then you have mu Q less than 3N plus CG. And the second is: you have the same hypothesis and one supplementary hypothesis, there is no special divisor of degree G minus 1.
And then you have 3 here and not 6. And we win something. And after, Stéphane Ballet and Dominique Le Brigand proved later that for Q greater than 4, such a nonspecial divisor always exists. Okay. So with this we improve this bound. Now [inaudible] exists for particular cases, for example, if Q is prime, using all those towers. But now the most important problem is [inaudible] the linear part of the algorithms in order to obtain a global complexity. It would be very nice to obtain something like [inaudible] Fourier transform. And this is perhaps possible, because when you test with, for example, [inaudible] in fact the place Q, P1 and so on, the divisor, you can take randomly [inaudible] and so there are many, many, many choices, possible choices. And so perhaps it's possible to choose each of these values to obtain [inaudible] matrices with many zeros, with special forms and so on. But this is not done, and this is future work perhaps. Thank you very much.

[applause]

>> Kristin Lauter: Questions.

>> Robert Rolland: Yes.

>>: [inaudible] speedups [inaudible] over F of 2 to the 160, which divides nicely into 4 and 8. Now, our friends at [inaudible] usually like F2 to the prime number; are there such speedups if it's F of Q to the prime number?

>> Robert Rolland: Yes. Yes. If you take Q a prime number, yes, it's possible. But for the tower there is a problem, because all the theorems are true after four. So if you take two, it's a prime number, it is not a power of four, and there is a problem. But for [inaudible] actually looking at the case two, because in each of the proofs, 2 is forbidden. But why -- is it possible to bypass this constraint? Perhaps.

>> Kristin Lauter: What was the tower of function fields that Chudnovsky-Chudnovsky used?
>> Robert Rolland: They don't take towers, they take a sequence of [inaudible] modular curves and they have no control on the -- they can say something, but they have not exactly the genus, not exactly the number of points, so they can't give exactly a bound C. [inaudible] edge of the tower of Garcia & Stichtenoth. That is -- these are good towers. When there is an explicit tower, you can build explicitly the functions, because you have the polynomials, the successive polynomials, so you can compute the quotient and so on. And it was proved later by [inaudible] that it is modular [inaudible].

>>: Why do you set your goal at the fast Fourier transform? Do you think you could even do better than the -- like something [inaudible] more rich representation better than the N log N? In terms of linear operations? So --

>> Robert Rolland: At the moment, the algorithm is N square. And I don't think that it is possible to be better, to have better results than for C. And so if you obtain N log N, it would be very nice. And why I like the fast Fourier transform, because of -- for example, it's an idea but it does not work, and now in the first step, when the extension is not too large, you can use elliptic curves. And the elliptic curve is a group. So you have the points -- the points are the points of the group. And so it's possible to have something like the Fourier transform. Because when you have the group, it's -- so but the work has to be done.

>> Kristin Lauter: So how does this relate to Peter's fast Fourier transform for multiplication [inaudible]?

>>: [inaudible] [multiple people speaking at once].

>>: Q of the M?

>> Kristin Lauter: Q to the M.

>>: [inaudible]

>> Kristin Lauter: No, not necessarily. Just I thought you also had done some more work on the fast Fourier transform for multiplication.

>> Robert Rolland: In terms of -- there are very nice algorithms using some special bases of finite fields.
But when we take the polynomial representation without --

>> Kristin Lauter: So like the irreducible polynomial is like [inaudible]. Any questions?

[applause]