Lecture Notes Series on Computing - Vol. 9
Computer Mathematics: Proceedings of the Fifth Asian Symposium (ASCM 2001)
Editors: Kiyoshi Shirayanagi & Kazuhiro Yokoyama
World Scientific
LECTURE NOTES SERIES ON COMPUTING
Editor-in-Chief: D T Lee (Northwestern Univ., USA)

Published
Vol. 1: Computing in Euclidean Geometry. Eds. D-Z Du & F Hwang
Vol. 2: Algorithmic Aspects of VLSI Layout. Eds. D T Lee & M Sarrafzadeh
Vol. 3: String Searching Algorithms. G A Stephen
Vol. 4: Computing in Euclidean Geometry (Second Edition). Eds. D-Z Du & F Hwang
Vol. 5: Proceedings of the Conference on Parallel Symbolic Computation — PASCO '94. Ed. H Hong
Vol. 6: VLSI Physical Design Automation: Theory and Practice. Sadiq M Sait & Habib Youssef
Vol. 7: Algorithms: Design Techniques and Analysis. M H Alsuwaiyel
Vol. 8: Computer Mathematics: Proceedings of the Fourth Asian Symposium (ASCM 2000). Eds. X-S Gao & D Wang
Lecture Notes Series on Computing - Vol. 9

Computer Mathematics
Proceedings of the Fifth Asian Symposium (ASCM 2001)
Matsuyama, Japan, 26 - 28 September 2001

Editors
Kiyoshi Shirayanagi, NTT Communication Science Laboratories, Japan
Kazuhiro Yokoyama, Kyushu University, Japan

World Scientific
New Jersey • London • Singapore • Hong Kong
Published by World Scientific Publishing Co. Pte. Ltd., P O Box 128, Farrer Road, Singapore 912805. USA office: Suite 1B, 1060 Main Street, River Edge, NJ 07661. UK office: 57 Shelton Street, Covent Garden, London WC2H 9HE.
British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library.
COMPUTER MATHEMATICS Proceedings of the Fifth Asian Symposium (ASCM 2001) Copyright © 2001 by World Scientific Publishing Co. Pte. Ltd. All rights reserved. This book, or parts thereof, may not be reproduced in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage and retrieval system now known or to be invented, without written permission from the Publisher.
For photocopying of material in this volume, please pay a copying fee through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA. In this case permission to photocopy is not required from the publisher.
ISBN 981-02-4763-X
Printed in Singapore by World Scientific Printers (S) Pte Ltd
INVITED SPEAKERS
Jean-Charles Faugère, Université Paris VI, France
Erich Kaltofen, North Carolina State University, USA

GENERAL CHAIR
Matu-Tarow Noda, Ehime University, Japan

PROGRAM COMMITTEE
Co-Chairs
Kiyoshi Shirayanagi, NTT Communication Science Laboratories, Japan
Kazuhiro Yokoyama, Kyushu University, Japan

Members
Eng Wee Chionh, National University of Singapore, Singapore
Shang-Ching Chou, Wichita State University, USA
Mark J. Encarnacion, University of the Philippines, Philippines
Yuyu Feng, University of Science and Technology of China, China
Xiao-Shan Gao, Chinese Academy of Sciences, China
George Havas, The University of Queensland, Australia
Hoon Hong, North Carolina State University, USA
Jieh Hsiang, National Taiwan University, Taiwan
Deepak Kapur, University of New Mexico, USA
Hongbo Li, Chinese Academy of Sciences, China
Tien-Yien Li, Michigan State University, USA
Ziming Li, Chinese Academy of Sciences, China
Masayuki Noro, Kobe University, Japan
Tateaki Sasaki, University of Tsukuba, Japan
Yosuke Sato, Ritsumeikan University, Japan
Nobuki Takayama, Kobe University, Japan
Dongming Wang, Centre National de la Recherche Scientifique, France
Paul S. Wang, Kent State University, USA
Wenping Wang, Hongkong University, China
Lu Yang, Chinese Academy of Sciences, China
Hantao Zhang, University of Iowa, USA

LOCAL ARRANGEMENT
Hiroshi Kai, Ehime University, Japan
Matu-Tarow Noda, Ehime University, Japan
PREFACE

This volume contains papers presented at the Fifth Asian Symposium on Computer Mathematics (ASCM) held in Matsuyama, Japan, September 26-28, 2001. The 19 full papers and 3 extended abstracts were selected by the Program Committee, under a strict refereeing process, from 44 submissions. These original contributions, together with two invited talks, cover some of the most recent and significant advances in computational mathematics, ranging from algebraic and geometric computation to software design and engineering/network applications. We hope that this proceedings presents some interesting aspects and new trends in doing mathematics using computers.

The ASCM series has been held in Asian countries with international participants since 1995, and has become an ideal forum for the presentation of original research and the exchange of ideas on the interaction of mathematics and computers. The previous four symposia, ASCM'95, '96, '98, and 2000, were held in Beijing (China), Kobe (Japan), Lanzhou (China), and Chiang Mai (Thailand), respectively. These symposia were organized in close collaboration between the Mathematics Mechanization Research Center (MMRC) of the Chinese Academy of Sciences and the Japan Society for Symbolic and Algebraic Computation (JSSAC).

The ASCM program includes two invited talks by Erich Kaltofen and Jean-Charles Faugère (Wen-tsün Wu had also been expected to deliver an invited talk, but unfortunately it did not fit his schedule) and 22 technical presentations by researchers from 8 countries in Asia, Europe, Oceania, and North and South America. ASCM 2001 is hosted by Ehime University with financial support.

Many people have contributed to the organization of ASCM 2001 and the preparation of this proceedings. The dedicated work of Matu-Tarow Noda, general chair, and Hiroshi Kai, local organizer, has made the conference a great success. The expertise and elaborate efforts of the Program Committee members and external referees are essential for the quality of the conference program. The publication of this proceedings as a volume in the Lecture Notes Series on Computing by World Scientific will make ASCM more accessible to the academic community. Yubing Zhai, administrative manager of World Scientific Publishing Co., made efforts for the agreement on the proceedings. Furthermore, in creating the proceedings, Hiroshi Kai provided tremendous assistance in editing the camera-ready papers. Last but not least, Xiao-Shan Gao and Dongming Wang gave valuable advice to us and made great efforts themselves in various aspects based on their experience of ASCM 2000. We thank all of them for their generous contribution, help, and cooperation.

We hope that the ASCM series will contribute to the development of computer mathematics in the world by offering new concepts and theories from Asia.

Atsugi and Fukuoka, July 2001
Kiyoshi Shirayanagi
Kazuhiro Yokoyama
CONTENTS

Preface ..... vii

Invited Talks

Finding All the Solutions of Cyclic 9 Using Gröbner Basis Techniques
J.-C. Faugère (France) ..... 1

On the Complexity of Computing Determinants (Extended Abstract)
E. Kaltofen and G. Villard (USA and France) ..... 13

Papers

Investigating the Growth of Length of Intermediate Expressions in Polynomial Sequences Using a Maple Program (Extended Abstract)
M. A. O. Camargo-Brunetto (Brazil) ..... 28

Giesbrecht's Algorithm, the HFE Cryptosystem and Ore's p^s-polynomials
R. S. Coulter, G. Havas and M. Henderson (Australia) ..... 36

Solution of a Linear Differential Equation in the Form of Power Series and its Application
T. Kitamoto (Japan) ..... 46

A New Algorithm for Real Roots of a Zero-Dimensional System by a Linear Separating Map
Y. Kondoh, T. Saito and T. Takeshima (Japan) ..... 56

On the Specification for Solvers of Polynomial Systems
D. Lazard (France) ..... 66

On the Construction of a PSE for GCD Computation (Extended Abstract)
K. Li, L. H. Zhi and M.-T. Noda (Japan and China) ..... 76

OMEI: An Open Mathematical Engine Interface
W. Liao, D. Lin and P. S. Wang (China and U.S.A.) ..... 82

Polynomial Solutions of Algebraic Differential Equations
Y. Ma and X.-S. Gao (China) ..... 92

The Design and Implementation of OpenXM-RFC 100 and 101
M. Maekawa, M. Noro, N. Takayama, Y. Tamura and K. Ohara (Japan) ..... 102

FIGUE: Mathematical Formula Layout with Interaction and MathML Support
H. Naciri and L. Rideau (France) ..... 112

Symbolic-Numeric Computations of Wu's Method: Comparison of the Cut-off Method and the Stabilization Techniques
Y. Notake, H. Kai and M.-T. Noda (Japan) ..... 122

An Inductive Approach to Formalizing Notions of Number Theory Proofs
T. M. Rasmussen (Denmark) ..... 131

Application of Gröbner Basis and Quantifier Elimination in Engineering Design: An Introduction for Engineers
H. Sawada and X.-T. Yan (Japan and UK) ..... 141

JavaMath: An API for Internet Accessible Mathematical Services
A. Solomon and C. A. Struble (Australia and USA) ..... 151

Deformation of Double Cusp Singularity on an Irreducible Quartic Curve by Using the Computer Algebra System Risa/Asir
T. Takahashi (Japan) ..... 161

A Generalized Algorithm for Computing Characteristic Sets
D. Wang (France) ..... 165

Deciding Inclusion of Differential Quasi-Algebraic Varieties
J. Wang, L. Li and F. Xie (China) ..... 175

Action Refinement for Timed LOTOS
J. Wu (China) ..... 183

Symbolic Computation and Abundant New Families of Exact Solutions for the Coupled Modified KdV-KdV Equation (Extended Abstract)
Z. Yan and H. Zhang (China) ..... 193

Exact Analytical Solutions to a Set of Coupled Nonlinear Differential Equations Using Symbolic Computation
R.-X. Yao and Z.-B. Li (China) ..... 201

An Effective Algorithm for Isolating the Real Solutions of Semi-Algebraic Systems and its Applications
B. C. Xia and L. Yang (China) ..... 211

C-D Integrable System and Computer Aided Solver for Differential Equations
H. Zhang (China) ..... 221

Author Index ..... 227
FINDING ALL THE SOLUTIONS OF CYCLIC 9 USING GRÖBNER BASIS TECHNIQUES

JEAN-CHARLES FAUGÈRE
LIP6/CNRS, Université Paris VI, case 168, 4 pl. Jussieu, F-75252 Paris Cedex 05
E-mail: [email protected]

We show how computer algebra methods based on Gröbner basis computation and implemented in the program FGb enable us to compute all the solutions of the Cyclic 9 problem, a previously intractable problem. There is one type of infinite solutions, of dimension two, and 6156 isolated points without multiplicities.

1 Introduction
The main purpose of this paper is to show how today's efficient computer algebra programs and algorithms can find automatically all cyclic 9-roots [1,2,3]. The title of this paper refers of course to the papers [4,5]. We quote from these papers: "This paper presents some tricks which may be used when solving a system of algebraic equations which is too complex to be handled directly by a symbolic algebra system". Here the goal is exactly the opposite, since we want to use the computer and the programs as black boxes. In this paper we do not use the symmetry of the problem for computing the solutions, but we use the symmetry for the classification of the solutions. The Cyclic $n$ problem is (with the convention $x_{n+1} = x_1$, $x_{n+2} = x_2$, ...)

$$(C_n)\qquad f_1 = 0,\ \ldots,\ f_{n-1} = 0,\ f_n = 1, \qquad\text{where}\quad f_i = \sum_{j=1}^{n} \prod_{k=j}^{j+i-1} x_k .$$

The Cyclic $n$ problem has become a standard benchmark for polynomial system solving and now has a long history. We would like to stress the close relationship with some algebraic systems occurring in the optimal design of filter banks. Cyclic $n$ can be solved for $n \le 7$ by the most efficient computer algebra systems, but for $n = 8$ it requires human interaction and software computations [3]. The case $n = 9$ is a very challenging problem because it is

• a non zero dimensional system: we recall that if $m^2$ divides $n$ then $C_n$ is at least of dimension $m - 1$ (see [6,7] and lemma 1.1). So for $n = 9$ we know that $C_9$ is of dimension at least 2.
• a difficult system: with the classical Buchberger algorithm it was impossible to compute a Gröbner basis of $C_9$ even for a total degree ordering. Very recently we proposed a new algorithm for computing Gröbner bases, F4, and it takes 15 days with this algorithm to compute a DRL Gröbner basis. The result requires 1.7 Giga bytes on the hard disk. Consequently it is difficult to "solve" completely this problem. By solving, in this paper, we mean giving a concise list of solutions as in [4,5].

Since the first version of this paper we have developed new algorithms for computing Gröbner bases and it is now possible to solve the Cyclic 10 problem: it is a zero dimensional system of degree 34940. But Cyclic 9 is still more interesting and in some sense more difficult since it is not zero dimensional.

The plan of this paper is as follows: in the first section we explain how to obtain a decomposition into irreducible components, mainly by using the FGb program and the NTL library. We then provide in the second section a complete classification of all the solutions of Cyclic 9 using the symmetries. The last section contains the classification of the solutions by their multiplicities. We begin by recalling the following lemma (see also [6,7]):

Lemma 1.1 If $m^2$ divides $n$, then the dimension of $C_n$ is at least $m - 1$.

Proof We set $n_1 = m$ and $n_2 = n/m$. We choose $j$ to be an $n_2$-th primitive root of unity (for instance $j = e^{2i\pi/n_2}$); then we claim that
$$S_{n_1,j}(y_0, \ldots, y_{n_1-1}) = \bigl(y_0, y_1, \ldots, y_{m-1},\ j y_0, \ldots, j y_{n_1-1},\ j^2 y_0, \ldots, j^2 y_{n_1-1},\ \ldots,\ j^{n_2-1} y_0, \ldots, j^{n_2-1} y_{n_1-1}\bigr)$$
is a solution of cyclic $n$ as soon as $(y_0 \cdots y_{m-1})^{n_2} = 1$. The end of the proof is a simple substitution to check that the original equations are satisfied. Moreover, in the case $n = 9$, we have found a solution of dimension 2 and degree $2 \cdot 9 = 18$. □

2 Decomposition into irreducible varieties
Let $I$ be the ideal generated by the equations $C_9$ and $V$ the associated variety, that is to say the complex roots of $C_9$.

2.1 General decomposition

Theorem 2.1 The solutions of Cyclic 9 can be decomposed as $V = \bigcup_{i=1}^{113} V_i$. More precisely, for each variety $V_i$ we have computed a lexicographic Gröbner basis $G_i$. Moreover all the components are zero dimensional except $V_i$ for $i \in \{111, 112, 113\}$, which are components of dimension 2 and degree 6.

index          number   dimension   degree
1, ..., 18       18         0          2
19, ..., 36      18         0          4
37, ..., 54      18         0         12
55, ..., 63       9         0         24
64, ..., 99      36         0         48
100, ..., 108     9         0        216
109, 110          2         0        972
111, ..., 113     3         2          6

That is to say, $C_9$ is a two dimensional variety of degree 18 with 6156 isolated points.

Proof The proof of this theorem is done by computer algebra. The first and most straightforward method is to use an algorithm for computing such a decomposition (decomposition into primes, triangular systems, ...); unfortunately the size of cyclic 9 (and even cyclic 8) is far beyond the capacities of all the current implementations. For this reason we have developed a new very efficient algorithm called F7 for computing the decomposition into primes of an ideal: the algorithm relies heavily on Gröbner basis computation [8,9,10,11] but tries to split the ideal at early stages; with this algorithm, implemented in the Gb [12] and FGb [13] programs, it takes 3 days on a PC Pentium II (400 MHz with 512 Mega bytes of memory) to compute the decomposition. In view of the fact that this algorithm is not yet published and cannot be described in a short paper, we give an alternate (and longer) proof. First we compute a Gröbner basis for a DRL ordering as explained in [14]: it takes 15 days and the size of the result is 1.7 Giga bytes. Then we have to separate the non zero dimensional components: let $I$ be the ideal generated by the equations of Cyclic 9; we can use the known solutions given by lemma 1.1 or use the first polynomials given by F7:
$$f_1 = x_5 x_9 - x_6 x_8, \qquad f_2 = x_3 + x_6 + x_9 ,$$
then we can use the decomposition
$$\sqrt{I} = I_1 \cap I_2 \cap I_3 = \sqrt{I + (f_1, f_2)}\ \cap\ \sqrt{(I + (f_1)) : f_2^{\infty}}\ \cap\ \sqrt{I : f_1^{\infty}} .$$
Of course there is possibly some redundancy in this decomposition.
Computing a lexicographic Gröbner basis of $I_1$ is straightforward from the original equations and it is obvious to check that it is exactly the component given by lemma 1.1. In order to compute $I : f_1^{\infty}$ we add a new variable $u > x_1 > \cdots > x_9$ and a new equation $u f_1 = 1$, and we compute a Gröbner basis for an elimination ordering with $u$ as the first block (about 10 hours). We proceed in the same way for computing $(I + (f_1)) : f_2^{\infty}$ (20 minutes of CPU time). From these first computations we find that $I_2$ (resp. $I_3$) is a zero dimensional ideal of degree 469 (resp. 6156). Since we now have only zero dimensional systems we can use standard tools to change the ordering to compute lexicographic Gröbner bases [15,7] of $I_2, I_3$ (7 hours). Then we use the lextriangular algorithm [16] implemented in Gb to obtain a decomposition into triangular systems. To find prime components in this decomposition we need to factorize some univariate polynomials: we use the powerful package NTL 5.1 [17]. All the factorizations are done easily (less than 10 minutes) except for one polynomial $P(x_9)$ of degree 972 which was intractable (this is a "Swinnerton-Dyer" example). Very recently a new algorithm [18] was implemented by V. Shoup in NTL and it takes only 32 min 57 sec and 1.3 Giga bytes of memory to factor $P$ on an alpha workstation 500 MHz. With an even more recent algorithm of M. van Hoeij it takes less than one minute. From this point all the components are in triangular form
$$\bigl[\,x_1^{a_1} + h_1(x_1, \ldots, x_9),\ \ldots,\ x_8^{a_8} + h_8(x_8, x_9),\ h_9(x_9)\,\bigr]$$
with $h_9$ an irreducible polynomial. We need now to factorize in an algebraic extension: this is done simply by factorizing with NTL a primitive element of each component (fortunately all the components are close to the shape lemma form, that is to say $\sum_{i=1}^{8} a_i$ is small). We have to remove duplicated components, which can be done very easily since two identical components have exactly the same lexicographic Gröbner basis. The total time for decomposing $I_2$ and $I_3$ represents less than 20% of the time for computing a DRL Gröbner basis. □

Remark 2.1 The size of this decomposition in text format is 2.5 Mega bytes.

2.2 Decomposition using the symmetry
For any polynomial $p$ in $x_1, \ldots, x_N$ and any permutation $\sigma$, set $\sigma.p = p(x_{\sigma(1)}, \ldots, x_{\sigma(N)})$. If $F$ is a finite subset, then $\sigma(F) = \{\sigma(v) : v \in F\}$. In the rest of the paper $x_1$ and recomputing a Gröbner basis: for all $G_i$ we apply the substitution, compute a lexicographic Gröbner basis and then we identify the new component in the list of theorem 2.1. □

In the rest of the paper $G'_k = G_{9k-8}$, $G'_{13} = G_{109}$, $G'_{14} = G_{110}$, and $W_k$ are the corresponding varieties. Since all the $G'_k$ are in shape lemma form we can fix the notation
$$G'_k = \bigl[\,g_9^{(k)}(x_9),\ x_8 - g_8^{(k)}(x_9),\ \ldots,\ x_1 - g_1^{(k)}(x_9)\,\bigr].$$

3 Classification of the solutions

We proceed degree by degree, beginning with the non zero dimensional and low degree varieties found in theorem 2.2.

3.1 Non zero dimensional components
Since we found only 3 components of dimension 2 and degree 6, it is obvious from lemma 1.1 that $S_{3,j}$ with $j \in \{e^{2i\pi/3}, e^{4i\pi/3}\}$ describes all the non zero dimensional components.

Remark 3.1 The solution $(1, a, a^2, \ldots, a^8)$ where $a^9 = 1$, which is always a solution of the cyclic $n$ problem, is a member of this infinite component.

3.2 Degree 2
It is straightforward from the Gröbner bases $G'_1$ and $G'_2$ to identify the following patterns:
$$W_1 = \left(\frac{1}{a},\ 1,\ -\frac{1}{a},\ -a,\ 1,\ a,\ \frac{1}{a},\ 1,\ a\right) \quad\text{with } a^2 + 3a + 1 = 0$$
and
$$W_2 = \left(1,\ 1,\ 1,\ 1,\ 1,\ 1,\ 1,\ \frac{1}{a},\ a\right) \quad\text{with } a^2 + 7a + 1 = 0 .$$
3.3 Degree 4
So far we have not used the fact that if $(x_1, \ldots, x_n)$ is a solution then $\beta(x_1, \ldots, x_n) = (\beta x_1, \ldots, \beta x_n)$ is also a solution if $\beta^9 = 1$. We define $\beta W$ to be $\{\beta w \mid w \in W\}$. Since we are working with a decomposition into irreducible components we should factorize $\beta^9 - 1 = (\beta - 1)(\beta^2 + \beta + 1)(\beta^6 + \beta^3 + 1)$. For any Gröbner basis $G$ in the list of theorem 2.1 such that the univariate equation in $x_9$ is $x_9^2 + x_9 + 1$ or $x_9^6 + x_9^3 + 1$, we introduce new variables $x_1 > \cdots > x_9 > y_1 > \cdots > y_9$ and we add the equations $y_i x_9 = x_i$, $i = 1, \ldots, 8$, and $y_9 = 1$. Then we compute a lexicographical Gröbner basis and we take the intersection with $\mathbb{Q}[y_1, \ldots, y_9]$; we denote by $G/x_9$ the resulting Gröbner basis. It is straightforward to see that $g_9^{(3)}(x_9) = g_9^{(4)}(x_9) = x_9^2 + x_9 + 1$ (to be fully rigorous we have to search for this univariate polynomial in all the Gröbner bases $G_{19}, \ldots, G_{36}$). We check that $G'_3/x_9 = G'_1$ and that $G'_4/x_9 = G'_2$. Consequently there is no new solution of degree 4.

3.4 Degree 12
In exactly the same way we see that $g_9^{(5)}(x_9) = x_9^6 + x_9^3 + 1$ and that $G'_5/x_9 = G'_1$.

3.5 Degree 24

We study the variety $W_7$. We have a polynomial $g_9^{(7)}(x_9)$ of degree 24. We compute a DRL Gröbner basis of $G'_7$ in order to find algebraic relations and we keep only the low degree equations:
$$\sum_i x_i = 0,\quad x_2 x_3 = 1,\quad x_1 x_4 = 1,\quad x_6 x_8 = 1,\quad x_5 x_9 = 1,\quad x_7 = 1 .$$
We have thus discovered the pattern of this component:
$$\left(\frac{1}{x_4},\ \frac{1}{x_3},\ x_3,\ x_4,\ \frac{1}{x_9},\ \frac{1}{x_8},\ 1,\ x_8,\ x_9\right).$$
We can try to simplify $g_9^{(7)}(x_9)$: we remark that $\beta W_7 \subset V$ for $\beta^9 = 1$; from the observation that $\beta^9 - 1 = (\beta - 1)(\beta^2 + \beta + 1)(\beta^6 + \beta^3 + 1)$ we should find in the decomposition of theorem 2.1 some varieties of degree $2 \times 24 = 48$ and $6 \times 24 = 144$. Since this is not the case for 144, we conclude that the variety $\alpha W_7$ for $\alpha^6 + \alpha^3 + 1 = 0$ is not irreducible, or in other words (since $x_7 = 1$) that the univariate polynomial $g_9^{(7)}(x_9)$ is not irreducible over $\mathbb{Q}(\alpha)$. We add a new variable $\alpha$ and the equation $\alpha^6 + \alpha^3 + 1 = 0$ to $G'_6$ and we decompose the resulting variety $W_6$ into $U_1 \cup U_2 \cup U_3$. All the $U_i$ are of degree 48. We can keep only one factor, say $U_1$, and we find
$$\begin{aligned} g_9^{(6)}(x_9) = {}& x_9^8 + (5\alpha^2 + 2 - 5\alpha + 5\alpha^5)\,x_9^7 + (-20\alpha^2 - 15\alpha^5 - 22 + 20\alpha + 5\alpha^4)\,x_9^6 \\ &+ (-15\alpha + 15\alpha^2 + 9 + 5\alpha^5 - 10\alpha^4)\,x_9^5 + (5 - 10\alpha - 10\alpha^4 + 10\alpha^2)\,x_9^4 \\ &+ (-15\alpha + 15\alpha^2 + 9 + 5\alpha^5 - 10\alpha^4)\,x_9^3 + (-20\alpha^2 - 15\alpha^5 - 22 + 20\alpha + 5\alpha^4)\,x_9^2 \\ &+ (5\alpha^2 + 2 - 5\alpha + 5\alpha^5)\,x_9 + 1 = 0 . \end{aligned}$$
This representation of the solutions is not satisfactory since $\deg(W_7) = 24$ and we now have 48 solutions. We remark that the coefficient of $x_9^7$ can be rewritten $5\alpha^2 + 2 - 5\alpha + 5\alpha^5 = 2 - 5\left(\alpha + \frac{1}{\alpha}\right)$ and similarly for the other coefficients. Thus $g_9^{(6)}$ is invariant if we replace $\alpha$ by $\bar\alpha$, the complex conjugate of $\alpha$. So we replace $\mathbb{Q}(\alpha)$ by $\mathbb{Q}(\gamma)$ where $\gamma$ is a root of the minimum polynomial of $\cos(\frac{2\pi}{9})$ (note that $\alpha + \frac{1}{\alpha} = 2\cos(\frac{2k\pi}{9})$ for some $k$), hence $\gamma$ is a root of $8x^3 - 6x + 1 = \left(x - \cos\frac{2\pi}{9}\right)\left(x - \cos\frac{4\pi}{9}\right)\left(x - \cos\frac{8\pi}{9}\right)$. We note also that $g_9^{(6)}$ is a self reciprocal polynomial, and we add the new variables $c(x_i) = x_i + \frac{1}{x_i}$ and $s(x_i) = x_i - \frac{1}{x_i}$. We recompute a new decomposition into 3 varieties of degree 24 and we find:
$$H(x_9) = c(x_9)^4 + (20\gamma^2 + 10\gamma - 8)\,c(x_9)^3 + (-60\gamma^2 - 40\gamma + 4)\,c(x_9)^2 + (-40\gamma^2 + 23)\,c(x_9) + 120\gamma^2 + 100\gamma - 9 = 0 ;$$
the next equation is $c(x_9)^2 - s(x_9)^2 = 4$, and for all the other variables $i \in \{1, 2, 3, 4, 5, 6, 8\}$ we introduce in the same way $c(x_i) = P_i(c(x_9), \gamma)$ and $s(x_i) = Q_i(s(x_9), \gamma)$. We give $P_8$:
$$\begin{aligned} 3924989\,c(x_8) = {}& -2339596\,c(x_9)^3\gamma^2 - 2784\,c(x_9)^3\gamma + 1252564\,c(x_9)^3 \\ &+ 3678516\,c(x_9)^2\gamma^2 - 2271060\,c(x_9)^2\gamma - 2028597\,c(x_9)^2 \\ &+ 36734620\,c(x_9)\gamma^2 + 6538322\,c(x_9)\gamma - 23201914\,c(x_9) \\ &+ 20909524\,\gamma^2 + 8944278\,\gamma - 17802043 . \end{aligned}$$
For all $\gamma = \cos(\frac{2^k\pi}{9})$ with $k \in \{1, 2, 3\}$ we check that $H(c(x_9))$ has four real roots $c(x_9) = r_j^{(k)}$:
$$-2 < r_1^{(k)} < r_2^{(k)} < 2 \qquad\text{and}\qquad 2 < |r_3^{(k)}| < |r_4^{(k)}| ,$$
and we can compute $s(x_9) = \pm\sqrt{c(x_9)^2 - 4}$; we find two real roots when $j = 3, 4$ and two complex roots of modulus one when $j = 1, 2$ (since $|c(x_9)| < 2$ forces $|x_9| = 1$). In the first case it is obvious (since we have a shape lemma form) that all the other coordinates are real. In the second case we check (numerically for instance) that all the other coordinates are also of modulus one. For the pattern $\left(\frac{1}{x_4}, \frac{1}{x_3}, x_3, x_4, \frac{1}{x_9}, \frac{1}{x_8}, 1, x_8, x_9\right)$ it is obvious that the length of the association is 3.

3.6 Degree 48
$W_8$ can be represented by one of the Gröbner bases $G_{64}, \ldots, G_{72}$; among these Gröbner bases we find one, say $G'_8$, such that the univariate polynomial is $x_9^2 + x_9 + 1$. We compute $G'_8/x_9$ and we find $G'_7$ (since the direct computation of the lexicographical Gröbner basis is a little more difficult, we can first change the ordering of $G'_8$ from lexicographical to DRL with the algorithm F2 or FGLM, then add the new variables and the new equations, compute a DRL Gröbner basis and finally change the ordering again to obtain a lexicographical Gröbner basis). In exactly the same way we find $G'_9/x_9 = G'_{10}/x_9 = G'_7$. We find also $G'_{11}/x_9 = G'_7$ with the polynomial $x_9^2 + x_9 + 1$. There is no new solution of degree 48.

3.7 Degree 216
The study of $W_{12}$ is much more difficult: first we compute a DRL Gröbner basis, but we do not find interesting algebraic relations of small degree. We know from theorem 2.2 that $W_{12}$ can be represented by $G_{100}, \ldots, G_{108}$, so that (up to renumbering) $V_{100+k} = \sigma_0^k V_{100}$. It is easy to show by computation that we also have
$$e^{2ik\pi/9}\, V_{100} = V_{100+k}, \qquad k \in \{1, \ldots, 8\}.$$
Since it is not possible to find patterns as usual, it is necessary to give a name to all the roots of $g_9^{(12)}(x_9)$ (all the roots are complex): $z_1, \ldots, z_{216}$ (the choice of the indices is arbitrary). By inspecting the Gröbner bases we remark that the univariate polynomials (the unknown is $x_9$) in $G_{100}$ and in $G_{103} = \sigma_0^3 G_{100}$ are the same; we conclude immediately that there exists a permutation $\sigma$ of $\{1, \ldots, 216\}$ such that $(x_1, x_2, x_3, z_{\sigma(k)}, x_5, x_6, x_7, x_8, z_k) \in W_{12}$ for $k \in \{1, \ldots, 216\}$. Moreover we can deduce that all the other univariate polynomials have the same roots as $g_9^{(12)}(x_9)$ multiplied by some $e^{2i\pi l/9}$. With the help of the mpsSolve [19] program we can compute all the complex roots of $g_9^{(12)}(x_9)$ with guaranteed numerical approximation (we take 100 digits), then plug these values into the other coordinates; we can identify the value of $k$ for each coordinate of $W_{12}$:
for all $j \ge 0$:
$$\sum_{i \ge 0} B^{[j+i]}\, c^{[i]} = \sum_{i \ge 0} X^{Tr} A^{j+i} Y\, c^{[i]} = 0^{m} .$$
For the minimum polynomial of $A$, $f^A(\lambda)$, and for the $\mu$-th unit vector in $K^m$, $e^{[\mu]}$, the vector $f^A(\lambda)\, e^{[\mu]} \in (K[\lambda])^m = K^m[\lambda]$ is such a generator because it already generates the Krylov sequence $\{A^i Y^{[\mu]}\}_{i \ge 0}$, where $Y^{[\mu]}$ is the $\mu$-th column of $Y$. We can now consider the set $W^{X,Y}$ of all such right vector generators. This
set forms a $K[\lambda]$-submodule of the $K[\lambda]$-module $K[\lambda]^m$ and contains $m$ linearly independent (over the field of rational functions $K(\lambda)$) elements, namely all $f^A(\lambda)\, e^{[\mu]}$. Furthermore, the submodule has an ("integral") basis over $K[\lambda]$, namely any set of $m$ linearly independent generators such that the degree in $\lambda$ of the determinant of the matrix formed by those basis vector polynomials as columns is minimal. The matrices corresponding to all integral bases clearly are right equivalent with respect to multiplication from the right by any unimodular matrix in $K[\lambda]^{m \times m}$, whose determinant is by definition of unimodularity a non-zero element in $K$. Thus we can pick a matrix canonical form for this right equivalence, say the Popov form, and obtain a unique minimum matrix generating polynomial for (4), denoted by $F^{X,Y}(\lambda) \in K^{m \times m}[\lambda] = (K[\lambda])^{m \times m}$. The minimum matrix generating polynomial is computed from the sequence (4) by a block version of the Berlekamp/Massey algorithm [11] or its variants, like a matrix Padé approximation [4], a matrix Euclidean algorithm [29], or a block Toeplitz solver following the classical Levinson-Durbin approach [23]. The latter most easily elucidates the advantage of blocking: the number of sequence elements needed can be much smaller. Let $d = \lceil n/m \rceil$, $\nu = m(d+1)$, $e = \lceil \nu/l \rceil$, and let $\mu = le$. Then the columns in $F^{X,Y}(\lambda)$ correspond to solutions of the $\mu \times \nu$ block Toeplitz system
$$\begin{bmatrix} B^{[0]} & B^{[1]} & \cdots & B^{[d]} \\ B^{[1]} & B^{[2]} & \cdots & B^{[d+1]} \\ \vdots & \vdots & & \vdots \\ B^{[e-1]} & B^{[e]} & \cdots & B^{[d+e-1]} \end{bmatrix} \begin{bmatrix} c^{[0]} \\ c^{[1]} \\ \vdots \\ c^{[d]} \end{bmatrix} = 0^{\mu}. \qquad (5)$$
We have $d + e - 1 \le n/l + n/m + 2m/l + 1$. That there are $m$ linearly independent solutions follows from rank considerations. As with the unblocked Wiedemann projections, unlucky projection block vectors $X$ and $Y$ cause a drop in the maximal degree of the minimum matrix generator, which is in Popov form and whose degree is to be taken as a vector of column degrees, or equivalently a drop in the maximal rank of the block Toeplitz matrix in (5). It is possible both to characterize the maximal degree vector/maximal rank and to establish conditions under which the block vectors $X$ and $Y$ preserve them. We shall do this in Theorem 1 below. A relationship between the minimum polynomial $f^A(\lambda)$ and $\det(F^{X,Y}(\lambda))$ follows from the theory of realizations of multivariate control theory. The basis is the matrix power series
$$X^{Tr}(I - \lambda A)^{-1} Y = \sum_{i \ge 0} X^{Tr} A^i Y\, \lambda^i = \sum_{i \ge 0} B^{[i]} \lambda^i .$$
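The unblocked case $l = m = 1$ of the sequence (4) and of the Berlekamp/Massey step above can be run in a few lines, and it already exhibits the two facts the block version builds on: the minimum generator of the projected sequence $x^{Tr} A^i y$ divides the minimum polynomial $f^A$, and when its degree reaches $n$ its constant coefficient yields $\det A$, with "degree below $n$" treated as a failure rather than an answer. The following Python script is an added example written for this page, not code from the paper or from any library it cites. It works over $\mathbb{F}_p$ with a constructed prime $p = 1000003$, uses a companion matrix whose characteristic polynomial is known (with projections $x = e_n$, $y = e_1$, for which the recurrence provably has full length $n$ because the first $n-1$ sequence terms vanish), and compares against Gaussian elimination; a random instance with random projections is included to show the failure path returning `None`.

```python
"""Scalar (l = m = 1) Wiedemann determinant over F_p via Berlekamp/Massey.
Added example for this page; not code from the paper or the libraries it cites."""
import random

P = 1_000_003  # prime modulus chosen for this example


def mat_vec(A, v, p=P):
    return [sum(a * b for a, b in zip(row, v)) % p for row in A]


def berlekamp_massey(seq, p=P):
    """Shortest linear recurrence of `seq` over F_p.  Returns (C, L) with
    C = [1, c_1, ..., c_L] and s_k + c_1 s_{k-1} + ... + c_L s_{k-L} = 0 for L <= k,
    i.e. the minimum polynomial lambda^L + c_1 lambda^(L-1) + ... + c_L of the sequence."""
    C, B = [1], [1]
    L, m, b = 0, 1, 1
    for k, s in enumerate(seq):
        d = s                                   # discrepancy of the current recurrence
        for i in range(1, L + 1):
            d = (d + C[i] * seq[k - i]) % p
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, p - 2, p) % p
        T = C[:]
        if len(B) + m > len(C):
            C += [0] * (len(B) + m - len(C))
        for i, bi in enumerate(B):              # C(x) <- C(x) - (d/b) x^m B(x)
            C[i + m] = (C[i + m] - coef * bi) % p
        if 2 * L <= k:
            L, B, b, m = k + 1 - L, T, d, 1
        else:
            m += 1
    return (C + [0] * (L + 1))[:L + 1], L


def wiedemann_det(A, x, y, p=P):
    """det(A) mod p from s_i = x^Tr A^i y, i < 2n, or None on failure.
    A full-length (L = n) minimum polynomial of the sequence must equal
    det(lambda I - A) = lambda^n + c_1 lambda^(n-1) + ... + c_n, and c_n = (-1)^n det A.
    L < n means the projections (or A's minimum polynomial) fell short: report failure."""
    n = len(A)
    seq, v = [], y[:]
    for _ in range(2 * n):
        seq.append(sum(a * b for a, b in zip(x, v)) % p)
        v = mat_vec(A, v, p)
    C, L = berlekamp_massey(seq, p)
    if L < n:
        return None
    return (-1) ** n * C[n] % p


def det_mod_p(A, p=P):
    """Reference value: Gaussian elimination over F_p."""
    M = [row[:] for row in A]
    n, det = len(M), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] % p), None)
        if piv is None:
            return 0
        if piv != c:
            M[c], M[piv] = M[piv], M[c]
            det = -det
        det = det * M[c][c] % p
        inv = pow(M[c][c], p - 2, p)
        for r in range(c + 1, n):
            f = M[r][c] * inv % p
            if f:
                M[r] = [(u - f * w) % p for u, w in zip(M[r], M[c])]
    return det % p


def companion(coeffs, p=P):
    """Companion matrix of g(lambda) = lambda^n + a_{n-1} lambda^(n-1) + ... + a_0,
    coeffs = [a_0, ..., a_{n-1}]: A e_i = e_{i+1} for i < n and A e_n = -sum_i a_i e_{i+1}."""
    n = len(coeffs)
    A = [[0] * n for _ in range(n)]
    for i in range(n - 1):
        A[i + 1][i] = 1
    for i in range(n):
        A[i][n - 1] = (-coeffs[i]) % p
    return A


def random_instance(n, seed, p=P):
    """Constructed sample: a random n x n matrix over F_p with random projections."""
    rng = random.Random(seed)
    A = [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
    return A, [rng.randrange(p) for _ in range(n)], [rng.randrange(p) for _ in range(n)]


if __name__ == "__main__":
    A = companion([5, 7, 11, 13])
    print(wiedemann_det(A, [0, 0, 0, 1], [1, 0, 0, 0]), det_mod_p(A))
    A, x, y = random_instance(6, 2001)
    print(wiedemann_det(A, x, y), det_mod_p(A))
```

With $x = e_n$, $y = e_1$ on a companion matrix the sequence starts $0, \ldots, 0, 1$, so no recurrence of length below $n$ can fit it and the generator is the full characteristic polynomial; this is the scalar analogue of the projections $U, V$ whose existence Theorem 1 below asserts. Whenever the function does return a value it is correct, because a degree-$n$ divisor of $f^A$ is $f^A$ itself; the only way unlucky projections can hurt is the `None` branch.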
For the minimum matrix generator $F^{X,Y}(\lambda) = C^{[d]}\lambda^d + \cdots + C^{[0]} \in K^{m \times m}[\lambda]$ we then have $X^{Tr}(I - \lambda A)^{-1} Y\,(C^{[d]} + \cdots + C^{[0]}\lambda^d) = G(\lambda) \in K[\lambda]^{m \times m}$, which yields the matrix Padé approximation
$$X^{Tr}(I - \lambda A)^{-1} Y = G(\lambda)\,(C^{[d]} + \cdots + C^{[0]}\lambda^d)^{-1}. \qquad (6)$$
In control theory, the left side of (6) is called a realization of the rational matrix on the right side of (6). Clearly, the reverse polynomial of $f^A(\lambda)$ is a common denominator of the rational entries of the matrices on both sides. If the least common denominator of the left side matrix in (6) is actually $\det(I - \lambda A)$, then it follows from degree considerations that $\det(F^{X,Y}(\lambda)) = \alpha \cdot \det(\lambda I - A)$ for a non-zero element $\alpha \in K$. Our algorithm uses the matrix preconditioners discussed in Section 2 and random projections to achieve this determinantal equality.

We shall make the relationship between $\lambda I - A$ and $F^{X,Y}(\lambda)$ more explicit. For a matrix $H(\lambda) \in (K[\lambda])^{\gamma \times \gamma}$ we consider the Smith normal form, which is an equivalent diagonal matrix over $K[\lambda]$ with diagonal elements $s_1(\lambda), \ldots, s_\phi(\lambda), 1, \ldots, 1, 0, \ldots, 0$, where the $s_i$ are the invariant factors of $H$, that is, nonconstant monic polynomials with the property that $s_i$ is a (trivial or nontrivial) polynomial factor of $s_{i-1}$ for all $2 \le i \le \phi$. Because the Smith normal form of the characteristic matrix $\lambda I - A$ corresponds to the canonical forms (Frobenius, Jordan) for similarity to $A$, the largest invariant factor of $\lambda I - A$, $s_1(\lambda)$, equals the minimum polynomial $f^A(\lambda)$.

Theorem 1 Let $A \in K^{n \times n}$, $X \in K^{n \times l}$, $Y \in K^{n \times m}$ and let $s_1, \ldots, s_\phi$ denote all invariant factors of $\lambda I - A$. Suppose that $l \ge \min\{m, \phi\}$. Then for all $i$, the $i$-th invariant factor of $F^{X,Y}(\lambda)$ divides $s_i$. Furthermore, there exist matrices $U \in K^{n \times l}$ and $V \in K^{n \times m}$ such that for all $i$ the $i$-th invariant factor of $F^{U,V}(\lambda)$ is equal to $s_i$. In the latter case,
$$\deg_\lambda\bigl(\det(F^{U,V}(\lambda))\bigr) = \deg(s_1) + \cdots + \deg(s_{\min\{m,\phi\}}) \le n, \qquad (7)$$
which is also the maximal rank of the block Toeplitz matrix on the left side of (5).

The existence of such $U, V$ establishes maximality of the matrix generator for symbolic $X$ and $Y$, and via the Schwartz/Zippel lemma for random projection matrices. If $K$ is a small finite field, Wiedemann's analysis has been generalized in [31]. The degree formula (7) already shows the superiority of blocking over our original solution of Section 2. If the number of invariant factors satisfies $\phi \le m$, we can omit the preconditioning of our input matrix $A$ from our algorithm, which we shall, at last, present now. Let the blocking factors be $l = m = \lceil n^{\alpha} \rceil$ where $\alpha = 1/3$.

Step 1. Precondition $A$ such that with high probability $\det(\lambda I - A) = s_1(\lambda) \cdots s_{\min\{m,\phi\}}(\lambda)$.

Step 4. Compute the leading and constant coefficients of $\Delta(\lambda) = \det(F^{X,Y}(\lambda))$. If $\deg(\Delta) < n$ and $\Delta(0) \ne 0$ then return "failure", else return $\det(A) = \Delta(0)/\mathrm{leading\ coefficient}(\Delta)$.

For Step 2 we utilize our baby steps/giant steps technique of Section 2. Let the number of giant steps be $s = \lceil n^{\tau} \rceil$, where $\tau = 1/3$, and let the number of baby steps be $r = \lceil (2n/m + 3)/s \rceil = O(n^{1-\alpha-\tau})$.

Substep 2.1 For $j = 1, 2, \ldots, r - 1$ Do

$\omega$ is the exponent for square matrix multiplication. However, Step 4 creates a problem for the case that we wish to compute the entire characteristic polynomial of $A$, that is, $\det(F^{X,Y}(\lambda))$. A preliminary straightforward implementation of Step 4 obtains a division-free complexity for the characteristic polynomial of $O(n^{2.80652})$ ($\alpha = 0.34$, $\tau = 0.23$).

5 Conclusion
Our methods apply to entry domains other than the integers, like polynomial rings and algebraic number rings. We would like to add that if the entries are polynomials over a finite field, there are different techniques possible [26]. Our determinant algorithm for integer matrices may be extended to a Monte Carlo method for computing the integral Smith normal form of an integral matrix by the techniques described in [18]. The reduction of the bit complexity of an algebraic problem below that of its known algebraic complexity times the bit length of the answer should raise important considerations for the design of generic algorithms with abstract coefficient domains [20] and for algebraic lower bounds for low complexity problems [28]. We demonstrate that the interplay between the algebraic structure of a given problem and the bits of the intermediately computed numbers can lead to a dramatic reduction in the bit complexity of a fundamental mathematical computation task. Acknowledgement We thank William J. Turner for his observations made on the practicality of our method, and Mark Giesbrecht for reporting to us the value of the smallest exponent in [16] prior to its publication. References Note: many of the authors' publications cited below are accessible through links in their webpages listed under the title. 1. J. Abbott, M. Bronstein, and T. Mulders. Fast deterministic computation of determinants of dense matrices. In S. Dooley, editor, ISSAC 99
Proc. 1999 Internat. Symp. Symbolic Algebraic Comput., pages 181-188, New York, N. Y., 1999. ACM Press.
2. A. Aho, J. Hopcroft, and J. Ullman. The Design and Analysis of Algorithms. Addison and Wesley, Reading, MA, 1974.
3. W. Baur and V. Strassen. The complexity of partial derivatives. Theoretical Comp. Sci., 22:317-330, 1983.
4. B. Beckermann and G. Labahn. A uniform approach for fast computation of matrix-type Padé approximants. SIAM J. Matrix Anal. Appl., 15(3):804-823, July 1994.
5. R. P. Brent, F. G. Gustavson, and D. Y. Y. Yun. Fast solution of Toeplitz systems of equations and computation of Padé approximants. J. Algorithms, 1:259-295, 1980.
6. H. Brönnimann, I. Emiris, V. Pan, and S. Pion. Sign determination in residue number systems. Theoretical Comput. Sci., 210(1):173-197, 1999. Special issue on real numbers and computers.
7. H. Brönnimann and M. Yvinec. A complete analysis of Clarkson's algorithm for safe determinant evaluation. Technical Report INRIA 2051, Institut National de Recherche en Informatique et en Automatique, November 1996.
8. D. G. Cantor and E. Kaltofen. On fast multiplication of polynomials over arbitrary algebras. Acta Inform., 28(7):693-701, 1991.
9. L. Chen, W. Eberly, E. Kaltofen, B. D. Saunders, W. J. Turner, and G. Villard. Efficient matrix preconditioners for black box linear algebra. Manuscript submitted for publication, 2000.
10. Kenneth L. Clarkson. Safe and efficient determinant evaluation. In Proc. 33rd Annual Symp. Foundations of Comp. Sci., pages 387-395, Los Alamitos, California, 1992. IEEE Computer Society Press.
11. D. Coppersmith. Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Math. Comput., 62(205):333-350, 1994.
12. D. Coppersmith. Rectangular matrix multiplication revisited. J. Complexity, 13:42-49, 1997.
13. D. Coppersmith and S. Winograd. Matrix multiplication via arithmetic progressions. J. Symbolic Comput., 9(3):251-280, 1990. Special issue on complexity theory.
14. J. Dixon. Exact solution of linear equations using p-adic expansions. Numer. Math., 40(1):137-141, 1982.
15. J. L. Dornstetter. On the equivalence between Berlekamp's and Euclid's algorithms. IEEE Trans. Inf. Theory, IT-33(3):428-431, 1987.
16. W. Eberly, M. Giesbrecht, and Gilles Villard. On computing the determinant and Smith form of an integer matrix. In Proc. 41st Annual Symp. Foundations of Comp. Sci., Los Alamitos, California, 2000. IEEE Computer Society Press.
17. J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge University Press, Cambridge, New York, Melbourne, 1999.
18. M. Giesbrecht. Fast computation of the Smith form of a sparse integer matrix. Computational Complexity, 2001. To appear.
19. Xiaohan Huang and Victor Y. Pan. Fast rectangular matrix multiplication and applications. J. Complexity, 14:257-299, 1998.
20. R. D. Jenks, R. S. Sutor, and S. M. Watt. Scratchpad II: An abstract datatype system for mathematical computation. In J. R. Rice, editor, Mathematical Aspects of Scientific Software, volume 14 of The IMA Volumes in Mathematics and its Application, pages 157-182. Springer Verlag, New York, 1988.
21. E. Kaltofen. Greatest common divisors of polynomials given by straight-line programs. J. ACM, 35(1):231-264, 1988.
22. E. Kaltofen. On computing determinants of matrices without divisions. In P. S. Wang, editor, Internat. Symp. Symbolic Algebraic Comput. 92, pages 342-349, New York, N. Y., 1992. ACM Press.
23. E. Kaltofen. Analysis of Coppersmith's block Wiedemann algorithm for the parallel solution of sparse linear systems. Math. Comput., 64(210):777-806, 1995.
24. E. Kaltofen and V. Pan. Processor-efficient parallel solution of linear systems II: the positive characteristic and singular cases. In Proc. 33rd Annual Symp. Foundations of Comp. Sci., pages 714-723, Los Alamitos, California, 1992. IEEE Computer Society Press.
25. T. Mulders and A. Storjohann. Certified dense linear system solving. Manuscript available from http://www.scl.csd.uwo.ca/~storjoha/, 2001.
26. T. Mulders and A. Storjohann. On lattice reduction for polynomial matrices. Manuscript available from http://www.scl.csd.uwo.ca/~storjoha/, 2001.
27. V. Strassen. Vermeidung von Divisionen. J. reine u. angew. Math., 264:182-202, 1973. In German.
28. V. Strassen. Algebraic complexity theory. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, Algorithms and Complexity, volume A, pages 633-672. Elsevier Science Publ., Amsterdam, 1990.
29. E. Thomé. Fast computation of linear generators for matrix sequences and application to the block Wiedemann algorithm. In B. Mourrain, editor, Proc. 2001 Internat. Symp. Symbolic Algebraic Comput., New York, N. Y., 2001. ACM Press. To appear.
30. G. Villard. Further analysis of Coppersmith's block Wiedemann algorithm for the solution of sparse linear systems. In W. Küchlin, editor, ISSAC 97 Proc. 1997 Internat. Symp. Symbolic Algebraic Comput., pages 32-39, New York, N. Y., 1997. ACM Press.
31. G. Villard. A study of Coppersmith's block Wiedemann algorithm using matrix polynomials. Rapport de Recherche 975 IM, Institut d'Informatique et de Mathématiques Appliquées de Grenoble, www.imag.fr, April 1997.
32. Gilles Villard. Computing the Frobenius normal form of a sparse matrix. In V. G. Ganzha, E. W. Mayr, and E. V. Vorozhtsov, editors, CASC 2000 Proc. the Third International Workshop on Computer Algebra in Scientific Computing, pages 395-407. Springer Verlag, 2000.
33. D. Wiedemann. Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory, IT-32:54-62, 1986.
INVESTIGATING THE GROWTH OF LENGTH OF INTERMEDIATE EXPRESSIONS IN POLYNOMIAL SEQUENCES USING A MAPLE PROGRAM

M. A. O. CAMARGO-BRUNETTO
Computer Science Department, State University of Londrina, UEL, Londrina, PR, 86051-970
E-mail: angelica@uel.br
We present a study that addresses the problem of the growth of the length of the intermediate expressions generated in a polynomial sequence, with special interest in Sturm sequences and Schur-Cohn sequences. We analyze how some features of a polynomial affect the computational efficiency. In particular, we point out some algorithms that use some kind of polynomial sequence to determine the number of polynomial zeros in a closed region. A computational experiment was designed to measure how the length of the coefficients changes along a polynomial sequence, according to the kind of polynomial. A Maple program was developed to analyze polynomial sequences using both primitive Sturm and modified Schur-Cohn sequences. The results of the tests show that for the modified Schur-Cohn sequence with Chebyshev polynomials, the length of the coefficients increases, but not as intensively as it does for most polynomials. For Sturm sequences with Chebyshev polynomials, the length of the coefficients decreases, but for the same kind of sequence with a linear combination of Chebyshev polynomials, the length of the coefficients begins by decreasing and, in the last terms of the sequence, increases.
1 Introduction
Algorithms that manipulate recursive sequences, as occurs with greatest common divisors, division of polynomials, Sturm sequences and others, have a problem with the growth of the intermediate expressions. Such problems have been addressed in [1-5]. It is also known that for Chebyshev polynomials the length of the coefficients decreases in a Sturm sequence [2]. This property was used in [6], which presents an algebraic algorithm to enumerate zeros inside a circle, based on Chebyshev polynomials. The first results about the execution time of the algorithm were good, and this was probably due to the property of Chebyshev polynomials that, in Sturm sequences, their coefficients decrease in length. It was observed, however, that for polynomials of higher degree the execution time is not so good compared to other algorithms, for example the modified Schur-Cohn method [3]. This has motivated a more detailed study of how the length of the coefficients of a polynomial sequence changes along its terms.

2 Mathematical Foundations
We outline two kinds of polynomial sequences, namely the Sturm sequence and the sequence used in the Schur-Cohn algorithm [3, 7], which performs a recursive computation with the division of polynomials. Such results are helpful to solve the problem of enumerating polynomial zeros inside a region.

Theorem 2.1 (Principle of the Argument) Let R be a closed region with boundary δR, and p(z) a nonzero polynomial over δR. Let $\Delta_{\delta R}\arg p(z)$ be the change in the continuous function $\arg p(z)$ when z traverses δR counter-clockwise. Then the number N of zeros of p(z) inside R, counting their multiplicities, is

$$N = \frac{1}{2\pi}\,\Delta_{\delta R}\arg p(z) \qquad (1)$$

This value is an integer and represents the winding number of the image p(z) around the origin when z traverses δR counter-clockwise. For any argument function, $\tan\arg p(z) = \operatorname{Im} p(z)/\operatorname{Re} p(z)$. The changes in $\arg p(z)$ can be obtained by counting the jumps of $\operatorname{Im} p(z)/\operatorname{Re} p(z)$ when z traverses δR. When p(z) crosses the imaginary axis counter-clockwise, $\tan\arg p(z)$ jumps from $+\infty$ to $-\infty$, and if the crossing is clockwise the jump is from $-\infty$ to $+\infty$. The counting of these jumps can be made using the Cauchy index [7, 8]. The Cauchy index and the Principle of the Argument are linked through the following theorem [8].

Theorem 2.2 (Cauchy's Theorem) Let δR : z = z(x), a ≤ x ≤ b, be a closed curve and p a polynomial defined over δR. Then

$$\Delta_{\delta R}\arg p(z) = -\pi\, I_a^b\,\frac{\operatorname{Im} p(z(x))}{\operatorname{Re} p(z(x))} \qquad (2)$$

where $I_a^b$ is the Cauchy index. The Cauchy index can be computed by using Sturm sequences [7, 8].

Theorem 2.3 (Sturm's Theorem) Let $f_0, f_1, \ldots, f_m$ be a Sturm sequence for [a, b] and let V(x) be the net number of sign variations through this sequence at the point x. Then

$$I_a^b\,\frac{f_1}{f_0} = V(a) - V(b) \qquad (3)$$

According to Schelin [9], from Theorems 2.1 and 2.2 the following can be established.
Theorem 2.4 Let $p(z) = \sum_{k=0}^{n} a_k z^k$ with $a_k$ real, and $p(z) \neq 0$ whenever |z| = 1. Then the number N of zeros of p inside the unit circle, including multiplicities, is given by

$$N = I_{-1}^{1}\,\frac{p_1}{p_0} \qquad (4)$$

where

$$p_0(x) = \sum_{k=0}^{n} a_k T_k(x), \qquad p_1(x) = \sum_{k=1}^{n} a_k U_{k-1}(x) \qquad (5)$$

$T_k$ and $U_k$ being the Chebyshev polynomials of the first and second kinds respectively.

3 Algorithms for Polynomial Sequences
Several studies addressing polynomial sequences were developed by Camargo-Brunetto [3, 4, 6, 10]. In this section we present only the aspects that deal with the generation of such sequences. Details about the complete algorithms can be found in the references.

3.1 Algorithms using Sturm Sequences

In [5] an algorithm was proposed to enumerate polynomial zeros inside a rectangle using Sturm sequences, based on Wilf's method [11]. It is well known that Sturm sequences commonly produce terms with coefficients that grow in size [1, 3]. Collins observed in [2] that when a Sturm sequence is generated with Chebyshev polynomials, the coefficients decrease in size, contrasting with the common increase that occurs for other kinds of polynomials. Camargo-Brunetto observed in [5] that the problem of the increase in the length of the coefficients can be reduced by the use of primitive Sturm sequences, even considering that computing the primitive part involves the calculation of a greatest common divisor. A primitive Sturm sequence is obtained by replacing each term of the Sturm sequence by its primitive part, whose coefficients are integers and as small as possible. An algorithm to enumerate zeros of polynomials inside a circle was proposed in [6] using results from Theorems 2.1 and 2.4. The first two terms of the Sturm sequence are given by formula (5).
3.2 The Sequence from Schur Transformations

The Schur-Cohn method [7] is a result to determine the number of zeros inside the unit circle. Camargo-Brunetto in [3] proposed a modification of the Schur-Cohn method, seeking to reduce the length of the coefficients of the intermediate expressions. This effect was achieved by applying the primitive part to each term of the sequence. A brief explanation of the polynomial sequence used in the method is presented here. Let $p(z) = a_n z^n + a_{n-1} z^{n-1} + \ldots + a_0$ be a polynomial with complex coefficients of degree n. Also let α(p) be the primitive part of p. The Schur-Cohn transformations (in the modified fashion) are obtained in a recursive form, beginning with $T^0(p) = p(z)$ and, for k varying from 1 to n,

$$T^k(p) := T(\alpha(T^{k-1}(p))) \qquad (6)$$

4 A Computational Experiment
The efficiency of an algorithm can be determined by means of its computational complexity, which is a theoretical measure. It is also possible to perform experimental tests and consider the time consumed to compute some expression. In this research we investigate how the length of the coefficients of the polynomials affects the computational efficiency when generating a polynomial sequence. Previous research showed us that big coefficients are responsible for the high time consumption of computer programs that manipulate polynomial sequences. So, we designed a set of experiments with the objective of analyzing how much the length of the coefficients of a polynomial grows along a sequence, considering different polynomial sequences and different kinds of polynomials. We work basically with primitive Sturm sequences and modified Schur-Cohn sequences, according to the description in the last section. Both kinds of sequences have been tested with orthogonal polynomials (Chebyshev, Hermite and Laguerre) and random polynomials. Sturm sequences were also tested with linear combinations of polynomials. The measure of the growth of the length of the coefficients was performed by taking the greatest coefficient (in modulus) of each term of the polynomial sequence. For each sequence generated, we computed a list composed of $L(d_i)$, where $L(d_i)$ denotes the number of digits of the greatest coefficient $d_i$ of the i-th term in a polynomial sequence. To perform this measurement, we used the algebraic algorithms developed by the author, which were implemented in the computer algebra system Maple V. The following cases were tested: i) Sturm sequences of the Chebyshev polynomials of the first and second kinds; ii) Sturm sequences of the Hermite and of the Laguerre polynomials; iii) Sturm sequences of random polynomials; iv) Sturm sequences of linear combinations of Chebyshev polynomials, using the random polynomials of case ii and equation (5); v) modified Schur-Cohn sequences of the Chebyshev polynomials of the first and second kinds; vi) modified Schur-Cohn sequences of the Hermite and Laguerre polynomials; and vii) modified Schur-Cohn sequences of random polynomials.

4.1 Examples
From the tests performed, we present the following comparative graphics: i) modified Schur-Cohn sequence of random and Chebyshev polynomials, and ii) Sturm sequence of Chebyshev polynomials and of a linear combination of Chebyshev polynomials. Figures 1 and 2 are presented at the end of the section. For the Sturm sequence with a linear combination of Chebyshev polynomials, we observe that the increase in the length of the coefficients begins at the i-th term in the sequence, and i is related to n as shown in Table 1, at the end of the section.

[Figure 1: plot, vertical axis 0 to 400 (coefficient length), horizontal axis 0 to 25 (term index); image not reproduced.]
Figure 1. Growth of coefficients for modified Schur-Cohn sequences with random polynomial and Chebyshev polynomial of degree 22
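The measurement described in Section 4, as an added example that is not the author's Maple program: it generates primitive Sturm sequences and modified Schur-Cohn sequences for integer polynomials (Chebyshev polynomials built from the three-term recurrence) and returns the list of digit lengths $L(d_i)$ of each term, together with the zero counts the two sequences are used for (Sturm's theorem on an interval, the Schur-Cohn count inside the unit disk). The text does not spell out the transformation T, so the classical real-coefficient form $T(p) = a_0 p(z) - a_n p^*(z)$ with $p^*(z) = z^n p(1/z)$ is assumed here, as is the classical counting rule for $\gamma = T(p)(0) \neq 0$; the degenerate case $\gamma = 0$ is rejected. All function names (chebyshev, primitive_sturm_sequence, modified_schur_cohn_sequence, coefficient_digit_lengths, ...) are this example's own.

```python
"""Primitive Sturm and modified Schur-Cohn sequences for integer polynomials.
Constructed example (not the author's Maple program). A polynomial is a list of
integer coefficients, lowest degree first: [a_0, a_1, ..., a_n]."""
from fractions import Fraction
from functools import reduce
from math import gcd

def chebyshev(n, kind=1):
    """T_n (kind=1) or U_n (kind=2) from the recurrence C_{k+1} = 2x C_k - C_{k-1}."""
    prev, cur = [1], [0, kind]
    if n == 0:
        return prev
    for _ in range(n - 1):
        nxt = [0] + [2 * c for c in cur]          # 2x * C_k
        for i, c in enumerate(prev):
            nxt[i] -= c                           # - C_{k-1}
        prev, cur = cur, nxt
    return cur

def trim(p):
    """Drop leading (highest-degree) zero coefficients, keeping at least one."""
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    return p

def primitive_part(p):
    """alpha(p): divide by the content (positive gcd of the coefficients); signs survive."""
    content = reduce(gcd, (abs(c) for c in p), 0)
    return list(p) if content == 0 else [c // content for c in p]

def remainder(f, g):
    """Exact remainder of f modulo g over Q, scaled by a positive integer to integers."""
    r, g = [Fraction(c) for c in trim(f)], trim(g)
    while len(r) >= len(g):                       # one division step per leading term of r
        factor, shift = r[-1] / g[-1], len(r) - len(g)
        for i, c in enumerate(g):
            r[shift + i] -= factor * c
        r.pop()                                   # the leading term is now exactly zero
    r = trim(r) or [Fraction(0)]
    den = reduce(lambda a, b: a * b // gcd(a, b), (c.denominator for c in r), 1)
    return [int(c * den) for c in r]

def derivative(p):
    return [i * c for i, c in enumerate(p)][1:] or [0]

def primitive_sturm_sequence(p):
    """f_0 = p, f_1 = p', f_{i+1} = -rem(f_{i-1}, f_i), each term replaced by alpha(f_i); deg p >= 1."""
    seq = [primitive_part(trim(p)), primitive_part(trim(derivative(p)))]
    while True:
        r = remainder(seq[-2], seq[-1])
        if not any(r):
            return seq
        seq.append(primitive_part([-c for c in r]))

def evaluate(p, x):
    return sum(Fraction(c) * Fraction(x) ** i for i, c in enumerate(p))

def sign_variations(seq, x):
    """V(x): sign changes through the sequence at x, zero values skipped."""
    signs = [v > 0 for v in (evaluate(f, x) for f in seq) if v != 0]
    return sum(1 for a, b in zip(signs, signs[1:]) if a != b)

def real_zeros_in_interval(p, a, b):
    """Sturm's theorem: V(a) - V(b) distinct real zeros of a square-free p in (a, b]."""
    seq = primitive_sturm_sequence(p)
    return sign_variations(seq, a) - sign_variations(seq, b)

def schur_cohn_transform(p):
    """T(p) = a_0 p(z) - a_n p*(z) with p*(z) = z^n p(1/z) (real coefficients); the z^n
    terms cancel, so the result is returned with formal degree n - 1."""
    n, star = len(p) - 1, p[::-1]
    return [p[0] * p[k] - p[n] * star[k] for k in range(n)]

def modified_schur_cohn_sequence(p):
    """T^0(p) = p and T^k(p) = T(alpha(T^{k-1}(p))), equation (6) of the text."""
    seq = [list(p)]
    while len(seq[-1]) > 1:
        seq.append(schur_cohn_transform(primitive_part(seq[-1])))
    return seq

def zeros_in_unit_disk(p):
    """Classical Schur-Cohn count from gamma = T(p)(0): gamma > 0 keeps the count of T(p),
    gamma < 0 gives n minus it; gamma = 0 (degenerate case) is rejected."""
    n = len(p) - 1
    if n == 0:
        return 0
    t = schur_cohn_transform(primitive_part(p))
    if t[0] == 0:
        raise ValueError("gamma = 0: zero on the unit circle or degenerate case")
    inner = zeros_in_unit_disk(t)
    return inner if t[0] > 0 else n - inner

def coefficient_digit_lengths(seq):
    """L(d_i): decimal digits of the greatest |coefficient| d_i of each term."""
    return [len(str(max(abs(c) for c in term))) for term in seq]

if __name__ == "__main__":
    for n in (10, 22):
        print("T_%d Sturm:" % n, coefficient_digit_lengths(primitive_sturm_sequence(chebyshev(n))))
        print("T_%d Schur-Cohn:" % n, coefficient_digit_lengths(modified_schur_cohn_sequence(chebyshev(n))))
```

Running the script prints the $L(d_i)$ lists for $T_{10}$ and $T_{22}$ under both sequences, which is the raw material of Figures 1 and 2. Because the remainders are computed exactly over the rationals and only then scaled by a positive integer, the sign pattern of the chain is the one Sturm's theorem needs, and taking the primitive part at every step is what keeps the coefficients small.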
5 Results and Concluding Remarks
Modified Schur-Cohn sequences and primitive Sturm sequences have the same pattern of growth of the coefficients for random polynomials. For the modified Schur-Cohn sequence with Chebyshev polynomials, the increase in the coefficients occurs, but in a moderate way. Comparing Sturm sequences using Chebyshev polynomials and a linear combination of Chebyshev polynomials, we observed that in the latter case the length of the coefficients decreases until a certain term of the sequence, and the increase is delayed compared with most polynomials. A regular behavior was observed, which is presented in Table 1. With respect to Laguerre and Hermite polynomials, it was observed that the Sturm sequences also have the length of the coefficients decreasing, but not as intensively as in the case of Chebyshev polynomials. As future work we must derive some theoretical results from the measurements performed.

Figure 2. Growth of coefficients for Sturm sequences with Chebyshev polynomials and linear combination of Chebyshev polynomials of degree 22

Table 1. Comparing growth of coefficients for Sturm sequences with linear combination of Chebyshev polynomials

n     i     i = f(n)
5     5     n - 0
6     5     n - 0
7     6     n - 1
8     7     n - 1
9     7     n - 2
10    8     n - 2
11    8     n - 3
12    9     n - 3
13    9     n - 4
14    10    n - 4
15    10    n - 5
16    11    n - 5
17    11    n - 6
18    12    n - 6
19    12    n - 7
20    13    n - 7

Acknowledgments

Work herein is partially supported by CNPq. Many thanks to Marco S. F. da Silva and Tiago Prado Lone, students of the Computer Science course, for their contributions in the production of the graphics of the examples tested.

References

1. DAVENPORT, J. H., SIRET, Y., TOURNIER, E. Computer Algebra: Systems and Algorithms for Algebraic Computation. Academic Press, 1988.
2. COLLINS, G. E. Infallible Calculation of Polynomial Zeros to Specified Precision. In: Mathematical Software, edited by J. Rice, 1977.
3. CAMARGO, M. A. O., TREVISAN, V. and CLAUDIO, D. M. Counting Polynomial Zeros in a Disk Using Symbolic Computation. In: Scientific Computation and Mathematical Modelling, S. Markov (Ed.). DATECS Publishing, Sofia, 1993.
4. CAMARGO-BRUNETTO, M. A. O. Analysing Algorithms for Enumerating Polynomial Zeros using Computer Algebra. In: Proceedings of II Workshop on Arithmetic, Interval and Symbolic Computation, p. 17-17, Recife-Br, 1996.
5. CAMARGO-BRUNETTO, M. A. O.; TREVISAN, V.; CLAUDIO, D. M. An Algebraic Algorithm to Isolate Complex Polynomial Zeros using Sturm Sequences. Computer Mathematics with Applications, v. 39, p. 95-105, 2000.
6. CAMARGO-BRUNETTO, M. A. O. An Algebraic Algorithm for Counting Polynomial Zeros in a Circle using Principle of Argument and Chebyshev Polynomials. In: Proceedings of International Congress on Industrial and Applied Mathematics, Edinburgh, 1999.
7. HENRICI, Peter. Applied and Computational Complex Analysis, vol. 1. A. Wiley and Sons, 1974.
8. MARDEN, M. The Geometry of the Zeros of a Polynomial in a Complex Variable. AMS Mathematical Surveys III, 1949.
9. SCHELIN, C. W. Counting Zeros of Real Polynomials within the Unit Disk. SIAM J. Numer. Anal., vol. 20 (1), p. 1023-1031, 1983.
10. CAMARGO-BRUNETTO, M. A. O. Algebraic Algorithms for Enumerating Polynomial Zeros in a Disk: How to Choose the Suitable Algorithm. In: Proceedings of International Symposium on Scientific Computing, p. XVII3-XVII6, Lyon-Fr, 1997.
11. WILF, H. S. A Global Bisection Algorithm for Computing the Zeros of Polynomials in the Complex Plane. Journal of the ACM, 25(3), 1978.
GIESBRECHT'S ALGORITHM, THE HFE CRYPTOSYSTEM AND ORE'S $p^s$-POLYNOMIALS

ROBERT S. COULTER*†, GEORGE HAVAS* AND MARIE HENDERSON*
* Centre for Discrete Mathematics and Computing, School of Computer Science and Electrical Engineering, The University of Queensland, St. Lucia 4072, Australia. E-mail: {shrub, havas, marie}@csee.uq.edu.au
† Information Security Research Centre, Queensland University of Technology, GPO Box 2434, Brisbane QLD 4001, Australia. E-mail: shrub@isrc.qut.edu.au

We report on a recent implementation of Giesbrecht's algorithm for factoring polynomials in a skew-polynomial ring. We also discuss the equivalence between factoring polynomials in a skew-polynomial ring and decomposing $p^s$-polynomials over a finite field, and how Giesbrecht's algorithm is outlined in some detail by Ore in the 1930's. We end with some observations on the security of the Hidden Field Equation (HFE) cryptosystem, where p-polynomials play a central role.
1 Introduction and Background
Let $\mathbb{F}_q$ denote the finite field with $q = p^e$ elements, p a prime. We use $\mathbb{F}_q^*$ to denote the non-zero elements of $\mathbb{F}_q$. The polynomial ring in an indeterminate X over any field K will be denoted by K[X], and for $f, g \in K[X]$, $f \circ g = f(g)$ represents the composition of f with g. We recall that a permutation polynomial is a polynomial which permutes the elements of the finite field under evaluation. A p-polynomial (sometimes called an additive or linearised polynomial) is a polynomial $L \in \mathbb{F}_q[X]$ of the shape

$$L(X) = \sum_i a_i X^{p^i}$$

with $a_i \in \mathbb{F}_q$. More specifically, for any integer s, a $p^s$-polynomial is a p-polynomial where $a_i = 0$ whenever i is not a multiple of s. We note that $p^s$-polynomials are closed under composition (this is simply established).

The problem of completely decomposing a polynomial $f \in K[X]$ into indecomposable factors, where K is a field, has a long and rich history. When K is the complex plane, Ritt [23] showed that there exists an essentially unique decomposition for any chosen polynomial. It is unique in the sense that for any $f \in K[X]$, in a complete decomposition of f the number of factors is invariant and the degrees of the factors are unique up to permutation. So, if we have two complete decompositions

$$f = f_1 \circ \cdots \circ f_m = g_1 \circ \cdots \circ g_n,$$

then m = n and $\deg(f_i) = \deg(g_{\pi(i)})$ for some permutation π of {1, ..., m}. Any class of polynomials defined over a field for which this property holds is commonly said to satisfy Ritt's theorem. The generalisation of Ritt's theorem to all fields of characteristic zero was carried out by Engstrom [10] and Levi [18]. However, for fields of non-zero characteristic, the situation is not so clear-cut. A polynomial is called wild if its degree is divisible by the characteristic p, and tame otherwise. Any non-linear $p^s$-polynomial is therefore a wild polynomial. A distinction between the behaviour of wild and tame polynomials arises when one considers Ritt's theorem in the context of a finite field. Fried and MacRae [11] showed that any tame polynomial satisfies Ritt's theorem. However, Dorey and Whaples [9] gave an example which showed that not all wild polynomials satisfy Ritt's theorem. Other properties (not discussed in this article) of tame and wild polynomials are also distinct. However, not all wild polynomials deviate from tame polynomial behaviour. Specific to this question, Ore [19] showed in the 1930's that p-polynomials satisfy Ritt's theorem. It is interesting to note that p-polynomials over a finite field appear to be the second class of polynomials shown to satisfy Ritt's theorem, after Ritt had established the complex field case. This was not noted by Ore but is evident from his work: see Ore [19] (Chapter 2, Theorem 4), which gives a statement equivalent to Ritt's theorem for p-polynomials. A further class of wild polynomials, known as $(p^s, d)$-polynomials (or sub-linearised polynomials), can be shown to satisfy Ritt's theorem by using results of Henderson and Matthews [15]. Exponential-time algorithms for determining the complete decomposition of polynomials were first given by Alagar and Thanh [1], and Barton and Zippel [2].
The first polynomial-time algorithm was published by Kozen and Landau [17], and separately by Gutierrez, Recio and Ruiz de Velasco [14]. These results were improved for the tame case over a finite field by von zur Gathen [12]. A general purpose polynomial-time algorithm for finding a complete decomposition of a rational function over an arbitrary field was given by Zippel [26]. This last algorithm provides a method for decomposing any polynomial, wild or tame, over a finite field. However, one should note that in the wild case the algorithm simply finds any complete decomposition, as there does not necessarily exist an essentially unique decomposition.
Although p-polynomials were the first polynomials over a finite field shown to satisfy Ritt's theorem, they are the latest class of polynomials for which a polynomial-time decomposition algorithm has been given. The algorithm we refer to was described and analysed by Giesbrecht [13]. Giesbrecht presents his algorithm in terms of factoring in skew-polynomial rings, but it is well known (and we later show) that the problem he considers is equivalent to decomposing p-polynomials over a finite field. We note that any decomposition algorithm for $p^s$-polynomials can be adapted, at no computational cost, to decomposing $(p^s, d)$-polynomials. For (p, d)-polynomials this was shown by the authors [5], following earlier work of Henderson and Matthews [15]. This can be extended to all $(p^s, d)$-polynomials using the work of Ore [19]. This subject is covered in another paper under preparation by the authors. In this article, we report on a successful implementation of Giesbrecht's algorithm, making some specific comments concerning the probabilistic part of the algorithm. We also recall the work of Oystein Ore, showing how Giesbrecht's algorithm is equivalent to an algorithm described by Ore sixty years earlier. We also consider the implications of Ore's work for the security of the Hidden Field Equations (HFE) cryptosystem.

2 Giesbrecht's algorithm and the work of Ore
Giesbrecht [13] introduces a probabilistic polynomial-time algorithm for obtaining a complete (essentially unique) factorisation of a polynomial in some classes of skew-polynomial ring defined over a finite field. This problem is intimately connected to the problem of determining an essentially unique complete decomposition of p-polynomials, a class of wild polynomials. In fact, there is a one-to-one correspondence between factoring in a particular skew-polynomial ring over a finite field and decomposing $p^s$-polynomials over a finite field. The skew-polynomial ring $\mathbb{F}_q[Y; \sigma]$, where Y is an indeterminate and σ is an automorphism of $\mathbb{F}_q$, is a ring of polynomials with the usual componentwise addition, and with multiplication defined by $Ya = \sigma(a)Y$ for any $a \in \mathbb{F}_q$ (we simply use juxtaposition to represent multiplication in $\mathbb{F}_q[X]$ and $\mathbb{F}_q[Y; \sigma]$). Since σ is an automorphism of $\mathbb{F}_q$, we must have $\sigma(a) = a^{p^s}$ for some integer s. Given the definition of multiplication above, it is easily seen that the skew-polynomial ring $\mathbb{F}_q[Y; \sigma]$ is isomorphic to the ring of $p^s$-polynomials over $\mathbb{F}_q$ with the operations of polynomial addition and composition. Explicitly, the required isomorphism Φ satisfies $\Phi(X^p) \circ \Phi(aX) = Ya = a^p Y = \Phi(a^p X^p)$. From this it follows that composition of $p^s$-polynomials acts in exactly the same manner as multiplication in the skew-polynomial ring $\mathbb{F}_q[Y; \sigma]$.
The theory introduced by Giesbrecht [13] is developed in its entirety in the works of Ore [19, 20, 21]. It may be more efficient to implement Giesbrecht's algorithm using the p-polynomial representation of the ring rather than the skew-polynomial ring representation as set out in Giesbrecht's article, but this is yet to be tested. While Giesbrecht refers to Ore [20], it is in Ore's other two papers that he develops the algorithm which Giesbrecht has rediscovered. Giesbrecht's key contribution is to find a way of computing the crucial step, which is to find non-zero zero divisors in a small algebra. He does this by using what he refers to as Eigen rings. Ore [19] discusses the same method in Chapter 2, Section 6, where he uses invariant rings. In particular, Ore's Theorem 12 of that section is the key idea in Giesbrecht's algorithm. Of course, Ore develops his theory in terms of p-polynomials rather than skew-polynomial rings. Ore obtains these results using an earlier paper, Ore [20], where he developed the theory of factoring and primality of polynomials in more general skew-polynomial rings than those discussed here. The problem of developing an algorithm for factoring polynomials over any skew-polynomial ring remains open.

Recently, a successful implementation of Giesbrecht's algorithm was produced by Larissa Meinecke at the University of Queensland using the Magma [4] algebra package. There is one step in Giesbrecht's algorithm which is probabilistic in nature; the rest of the algorithm is strictly deterministic. Giesbrecht gives a lower bound for the probability of this step being successful as 1/9. We have carried out some testing regarding this step which suggests this lower bound is very conservative. While we have been unable to determine a worst-case scenario, in almost all cases tested the step has been successful on the first attempt.

3 HFE and p-polynomials
The Hidden Field Equation (HFE) cryptosystem was introduced by Patarin [22]. HFE is a public key cryptosystem and can be described as follows:

1. Choose a finite field $\mathbb{F}_q$, $q = p^e$, and a basis $(\beta_1, \ldots, \beta_e)$ for $\mathbb{F}_q$ over $\mathbb{F}_p$.
2. Select a polynomial D of "relatively small degree" with the shape
$$D(X) = \sum_{i,j} a_{ij} X^{p^i + p^j}$$
where $a_{ij} \in \mathbb{F}_q$ for all i, j.
3. Choose two p-polynomials, S and T, that permute $\mathbb{F}_q$.
4. Calculate $E(X) = S \circ D \circ T(X) \bmod (X^q - X)$.
5. Calculate $n_1, \ldots, n_e \in \mathbb{F}_p[X_1, \ldots, X_e]$ satisfying
$$E(X) = \sum_{i=1}^{e} \beta_i\, n_i(X_1, \ldots, X_e)$$
and publish $\mathbb{F}_q$ and the $n_i$, $1 \le i \le e$.

The polynomials S, T and D are the secret keys. If someone wishes to send a message m to the owner of E(X), then they simply calculate E(m) = y and send y. Decryption is carried out by performing the following steps. As S and T are permutation polynomials, they have functional and compositional (modulo $X^q - X$) inverses. As S and T are known to the owner, they can determine the inverse polynomials modulo $X^q - X$ (note that these inverses are also p-polynomials). Thus the recipient of the message y knows S, D, T, $S^{-1}$ and $T^{-1}$. They determine z satisfying $S^{-1}(y) = z = D(T(m))$. Next they determine any $m_1 \in \mathbb{F}_q$ so that $D(m_1) = z$. Once $m_1$ is chosen they determine $m = T^{-1}(m_1)$. The middle step is only computationally feasible because the degree of D is chosen to be "small". The security of the system relies on the assumption that if deg(E) is large, then solving for m in E(m) = y is computationally infeasible. Note that several $m_1 \in \mathbb{F}_q$ may need to be tried to find a "sensible" message m. This is because D is not necessarily chosen to be a permutation of $\mathbb{F}_q$, as the authors of HFE assumed that this may be too difficult. However, Blokhuis et al. [3] have since given examples of permutation polynomials from this class.

Note that it makes no difference whether the polynomial E or the set of e polynomials $n_i$ is published if the basis used is known. In fact, an attacker need not know the basis chosen, as they may choose any basis to reconstruct a different, but effectively equivalent, encryption function (see the discussion below). If E is constructed from the e polynomials $n_i$ using a different basis, alternative secret keys S, T and D may be obtained and used to decipher messages. The HFE system is one of a family of cryptosystems which use functional composition. Recently, some general attacks for these systems were developed by Ye, Dai and Lam [25]. An attack which targets HFE specifically has been published by Kipnis and Shamir [16]. This is general in nature and is quite successful, but does not break HFE in all cases. This attack has since been improved by Courtois [7]. Polynomials with the shape D are known as Dembowski-Ostrom (DO) polynomials, see Dembowski [8], Coulter and Matthews [6] and Blokhuis et al. [3].
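The isomorphism of Section 2 (composition of p-polynomials behaving like multiplication in $\mathbb{F}_q[Y;\sigma]$ with $Ya = a^p Y$) and the HFE key generation, encryption and decryption steps just described, as an added example that is not the paper's or Patarin's code. It uses a constructed toy field $\mathbb{F}_9 = \mathbb{F}_3[x]/(x^2+1)$ with s = 1, so q is small enough that the inverses of S and T and the solutions of $D(m_1) = z$ are found by exhausting the field rather than by the compositional inverses the text mentions; the reduction modulo $X^q - X$ is done on exponents. The check that E has only exponents of the shape $p^i + p^j$ verifies, for this toy size, that the public key is itself a DO polynomial. All names (f_mul, p_compose, skew_mul, to_p_polynomial, hfe_keygen, hfe_decrypt, ...) and the seed value are this example's own.

```python
"""Toy HFE over GF(9) (p = 3, e = 2) plus the skew-ring / p-polynomial isomorphism.
Constructed example with made-up toy parameters; not the paper's or Patarin's code."""
import itertools
import random

P, E_DEG, Q = 3, 2, 9            # q = p^e = 9; s = 1, so sigma(a) = a^p
IRRED = (1, 0, 1)                # x^2 + 1, irreducible over F_3 (lowest degree first)
ZERO, ONE = (0,) * E_DEG, (1,) + (0,) * (E_DEG - 1)
FIELD = list(itertools.product(range(P), repeat=E_DEG))   # elements as coefficient tuples
DO_EXPONENTS = {P ** i + P ** j for i in range(E_DEG) for j in range(E_DEG)}  # reduced DO shape

def f_add(a, b):
    return tuple((x + y) % P for x, y in zip(a, b))

def f_mul(a, b):
    """Product in F_q: schoolbook product of the coefficient tuples, reduced modulo IRRED."""
    prod = [0] * (2 * E_DEG - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % P
    for k in range(len(prod) - 1, E_DEG - 1, -1):          # eliminate the terms of degree >= e
        for t in range(E_DEG + 1):
            prod[k - E_DEG + t] = (prod[k - E_DEG + t] - prod[k] * IRRED[t]) % P
    return tuple(prod[:E_DEG])

def f_pow(a, n):
    return ONE if n == 0 else f_mul(a, f_pow(a, n - 1))

# Polynomials over F_q: dicts {exponent: nonzero coefficient}.
def p_add(f, g):
    h = {e: f_add(f.get(e, ZERO), g.get(e, ZERO)) for e in set(f) | set(g)}
    return {e: c for e, c in h.items() if c != ZERO}

def p_mul(f, g):
    h = {}
    for (e1, c1), (e2, c2) in itertools.product(f.items(), g.items()):
        h = p_add(h, {e1 + e2: f_mul(c1, c2)})
    return h

def p_compose(f, g):
    """f(g(X)) by Horner's rule over the exponents of f."""
    h = {}
    for e in range(max(f, default=-1), -1, -1):
        h = p_add(p_mul(h, g), {0: f[e]} if e in f else {})
    return h

def p_reduce(f):
    """Reduce modulo X^q - X: as functions on F_q, X^n = X^(((n-1) mod (q-1)) + 1) for n >= 1."""
    h = {}
    for e, c in f.items():
        h = p_add(h, {e if e == 0 else (e - 1) % (Q - 1) + 1: c})
    return h

def p_eval(f, x):
    y = ZERO
    for e, c in f.items():
        y = f_add(y, f_mul(c, f_pow(x, e)))
    return y

def is_dembowski_ostrom(f):
    """Shape sum a_ij X^(p^i + p^j), for a polynomial already reduced modulo X^q - X."""
    return bool(f) and set(f) <= DO_EXPONENTS

def skew_mul(f, g):
    """Product in F_q[Y; sigma], sigma(a) = a^p: (a Y^i)(b Y^j) = a sigma^i(b) Y^(i+j)."""
    h = {}
    for (i, a), (j, b) in itertools.product(f.items(), g.items()):
        h = p_add(h, {i + j: f_mul(a, f_pow(b, P ** i))})
    return h

def to_p_polynomial(f):
    """The isomorphism Phi of Section 2: sum c_i Y^i  ->  sum c_i X^(p^i)."""
    return {P ** i: c for i, c in f.items()}

def random_permutation_p_polynomial(rng):
    """A p-polynomial a_0 X + a_1 X^p + ... that permutes F_q (checked exhaustively; q is tiny)."""
    while True:
        L = {P ** i: rng.choice(FIELD[1:]) for i in range(E_DEG)}
        if len({p_eval(L, x) for x in FIELD}) == Q:
            return L

def hfe_keygen(seed=2001):
    """Steps 2-4 of the text: DO polynomial D, permuting p-polynomials S, T, E = S o D o T."""
    rng = random.Random(seed)                                 # constructed toy seed
    D = {P ** i + P ** j: rng.choice(FIELD[1:]) for i in range(E_DEG) for j in range(i, E_DEG)}
    S, T = random_permutation_p_polynomial(rng), random_permutation_p_polynomial(rng)
    return (S, D, T), p_reduce(p_compose(S, p_compose(D, T)))

def hfe_decrypt(secret, y):
    """z = S^-1(y); each m1 with D(m1) = z yields a candidate m = T^-1(m1) (D need not permute)."""
    S, D, T = secret
    S_inv = {p_eval(S, x): x for x in FIELD}          # S and T permute F_q, so tables invert them
    T_inv = {p_eval(T, x): x for x in FIELD}
    z = S_inv[y]
    return sorted(T_inv[m1] for m1 in FIELD if p_eval(D, m1) == z)

if __name__ == "__main__":
    secret, E = hfe_keygen()
    print("public key exponents:", sorted(E), "DO polynomial:", is_dembowski_ostrom(E))
    print("every plaintext recovered:", all(m in hfe_decrypt(secret, p_eval(E, m)) for m in FIELD))
```

Encryption is just `p_eval(E, m)`. Since p = 3 is odd, $p^i + p^j$ is never a power of p, so the DO exponent set stays disjoint from the p-polynomial exponents after reduction; the result list returned by `hfe_decrypt` makes the "several $m_1$ may need to be tried" remark visible whenever D fails to be a permutation.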
For any p-polynomial $L \in \mathbb{F}_q[X]$ and any DO polynomial $D \in \mathbb{F}_q[X]$, $L \circ D$ and $D \circ L$ are both DO polynomials. In other words, DO polynomials are closed under composition with p-polynomials. Also, it can be established that the reduction of a DO polynomial modulo $X^q - X$ is again a DO polynomial. The HFE description given above works in exactly the same way as that given by Patarin [22] precisely because of the above comments, coupled with the well known fact that any function over $\mathbb{F}_q$ can be represented by a polynomial in $\mathbb{F}_q[X]$ of degree less than q, and a well known result concerning linear operators (discussed below). Kipnis and Shamir [16] note several problems an attacker faces when they consider this scheme. We address some of their concerns here. In the original description of HFE, two linear transformations (or linear operators) over the vector space $\mathbb{F}_{p^e}$ are chosen, rather than two linearised polynomials as described above. Kipnis and Shamir comment that "these mixing operations have natural interpretation over $\mathbb{F}_p$ but not over $\mathbb{F}_{p^e}$, and it is not clear a priori that the e published polynomials over $\mathbb{F}_p$ can be described by a single univariate polynomial G over $\mathbb{F}_{p^e}$". In fact, there is a natural interpretation. Roman [24] (pages 184-5) shows that every linear operator on $\mathbb{F}_{p^e}$ can be represented by a linearised polynomial over $\mathbb{F}_{p^e}$. So the description of HFE as given above is equivalent. As DO polynomials are closed under composition with linearised polynomials and their reduction modulo $X^q - X$ still results in a DO polynomial, we are guaranteed that the published polynomials can be described by a single univariate polynomial: it must be a DO polynomial. Kipnis and Shamir continue: "Even if it exists (a single univariate polynomial), it may have an exponential number of coefficients, and even if it is sparse, it may have an exponentially large degree which makes it practically unsolvable". As the resulting polynomial is a DO polynomial, it has $O(e^2)$ terms (compare to a random polynomial, which has $O(p^e)$ terms), which is not exponential. Certainly, the degree may be large. It remains our objective, then, to find a method of reducing the size of the degree.

We can make more comments concerning the univariate description of HFE given above. Let E(X) be the public key, which is a DO polynomial. Suppose we can determine p-polynomials $L_1$ and $L_2$ which are permutation polynomials and satisfy $L_1 \circ f \circ L_2 = E$. Clearly, f must also be a DO polynomial. Then we can decrypt any message sent to the owner of E using exactly the same method used to decrypt in the standard way, but using the polynomials $L_1$, $L_2$ and f, providing the degree of f is sufficiently small. Of course, it may not be possible to determine p-polynomials that permute $\mathbb{F}_q$ which are left or right decompositional factors of E(X). However, when considering this problem, the following result by Coulter and Matthews [6]
immediately draws our attention. For any $a \in \mathbb{F}_q$ and any polynomial $t \in \mathbb{F}_q[X]$, define the difference polynomial of t with respect to a by $\Delta_{t,a}(X) = t(X + a) - t(X) - t(a)$.

Theorem 1 Let $f \in \mathbb{F}_q[X]$ with deg(f) < q. The following conditions are equivalent. (i) f = D + L, where D is a Dembowski-Ostrom polynomial and L is a p-polynomial. (ii) For each $a \in \mathbb{F}_q^*$, $\Delta_{f,a}$
(t ≠ 0) can be computed easily with the formula
eA4
e A|"»(*-M
=
1 +
...+(Aim))l(*-to)
we need the following lemma:

Lemma 1 Let f(q) be a given polynomial of the form

$$f(q) = a_0 + a_1 q + \cdots + a_m q^m. \qquad (8)$$

Then the Taylor expansion of $e^{f(q)}$ is given by

$$e^{f(q)} = \beta_0 + \beta_1 q + \cdots + \beta_k q^k$$