Departmentof Mathematis
Ph.D. inMathematis
XXVI Cyle
Computational tehniques for nonlinear odes
and Boolean funtions
Emanuele Bellini
Supervisor: Prof. Massimiliano Sala
Head of PhD Shool: Prof. Franeso Serra Cassano
Departmentof Mathematis
Ph.D. inMathematis
XXVI Cyle
Computational tehniques for nonlinear odes
and Boolean funtions
Ph.D.Thesis of:
EmanueleBellini
Supervisor:
Prof. Massimiliano Sala
Head of PhD Shool:
Prof. FranesoSerra Cassano
I Preliminaries 5
1 A brief introdution to polynomial system solving 7
1.1 Monomialordering . . . 7
1.2 Basinotions and properties of Gröbnerbases . . . 9
1.3 Solving systems of polynomialsequations . . . 14
1.4 The 0-dimensionalase . . . 16
1.4.1 Representation of 0-dim. ideals . . . 17
1.4.2 Traverso's Algorithm . . . 18
1.4.3 Hybridapproah . . . 23
1.4.4 XL familyof algorithms . . . 24
1.4.5 Booleanpolynomialsystems . . . 24
1.4.6 Magma approah . . . 25
2 A brief introdution to nonlinear and systemati odes 27 2.1 Basinotion and notation . . . 27
2.2 Equivaleneof odes . . . 29
3 A brief introdution to Boolean funtion 31 3.1 Representationsof Boolean funtions . . . 31
3.1.1 Evaluationvetor . . . 31
3.1.2 Algebrainormal form . . . 32
3.1.3 Numerialnormal form . . . 33
3.2 Nonlinearity of aBoolean funtion . . . 34
3.3 Walsh transformof a Boolean funtion . . . 35
3.4 Non-linearity and Walsh transform . . . 36
3.5 Bent funtions. . . 37
4.2.1 The Hammingupper bound . . . 46
4.2.2 The Plotkinupperbound . . . 47
4.2.3 The Johnson upper bounds . . . 49
4.2.4 The Singleton upperbound and MDS odes . . . 51
4.2.5 The Eliasupperbound . . . 52
4.2.6 The Linear Programmingupper bound . . . 52
4.2.7 The Levenshtein upper bound . . . 53
4.2.8 The Zinoviev-Litsyn-Laihonen upper bound . . . 54
4.2.9 The Griesmerupper bound forlinear odes . . . 55
4.3 Lower bounds . . . 57
4.3.1 The Gilbert-Varshamov lower bound . . . 57
5 A generalization of the Griesmer bound to systemati odes 59 5.1 The Griesmerbound . . . 59
5.2 The ase
q
≥
d
. . . 605.3 The ase
d
= 1
,
2
,
3
,
4
. . . 605.4 The ase
q
= 2
andd
= 5
,
6
. . . 616 A new bound on the size of odes 65 6.1 A rst result for aspeial family of odes . . . 65
6.2 Animprovement of the ZLL bound . . . 67
6.2.1 Restrition tothe systematiase . . . 70
6.2.2 Theoretialomparison with the ZLLbound . . . 70
6.3 Experimental omparisons: linear ase . . . 71
6.4 Experimental omparisons: nonlinear ase . . . 72
6.5 Tables . . . 73
III Polynomials tehniques for minimum weight problems 75 7 Computing the minimum weight of a ode 79 7.1 Polynomials and vetor weights . . . 80
7.2 Representing aode as aset ofBoolean funtions . . . 81
7.2.1 Memory ost of representing a ode . . . 83
7.3 Numberof oeientsof the NNF. . . 85
7.4 Findingthe odewords with weight
< t
. . . 877.5 Findingthe odewords with weight exatly
t
. . . 887.6.2 From dening polynomialstoweight polynomial . . . 93
7.6.3 Evaluationof the weight polynomial . . . 93
7.6.4 Comparisonwith brute-fore method . . . 95
7.6.5 Comparisonwith Brouwer-Zimmermanmethod for linearodes 97 7.7 Binary odes whose ardinalityis not a powerof 2 . . . 98
7.7.1 Method1: expanding the ode . . . 98
7.7.2 Method2: dividingintosubodes . . . 100
8 Computing the nonlinearity of Boolean funtion 103 8.1 Polynomials and vetor weights . . . 104
8.2 Nonlinearity and polynomialsystems over
F
. . . 1058.3 Nonlinearity and polynomialsystems over
Q
. . . 1098.4 Computingthe nonlinearity using fast polynomialevaluation . . . 111
8.5 Propertiesof the nonlinearity polynomial . . . 112
8.6 Complexity of onstrutingthe nonlinearity polynomial . . . 117
8.7 Complexity onsiderations . . . 119
8.7.1 Some onsiderationsonAlgorithm 9 . . . 119
8.7.2 Algorithm9 and 10 . . . 120
8.7.3 Algorithm11 . . . 121
IV MAGMA ode 123 9 Funtions for Part II 125 9.1 Nordstrom-Robinsonode . . . 125
9.2 Bound
A
,B
. . . 1279.2.1 The Johnson bound. . . 127
9.2.2 The Linear Programmin bound . . . 134
9.2.3 The best known nonlinear upperbound . . . 135
9.2.4 Bound
B
. . . 1389.2.5 Bound
A
. . . 1399.2.6 Comparisonwith known bounds . . . 140
10 Funtions for Part III 147 10.1 Traverso's algorithm . . . 147
10.2 Basifuntions . . . 155
10.2.1 Algebraiand numerialnormalform . . . 155
10.4 Nonlinearity algorithms. . . 170
The theory oferror orretingodesallowstoenode data by addingredundany
information to it, in order to be able to orret possible errors arose during the
transmission of this enoded data through anoisy hannel. The majority of modern
ommuniationsuse theeld of bitsasalphabet,and messages an bethought asbit
sequenes of equal length
k
. One the number of messages is xed, an analysis of the noise of the hannel provides statistial information on the number and on thekind of errors that may our during the transmission. Based on this information,
to eah message, we want to add the minimum possible redundany allowing us to
detet and possibly orret all ourring errors. Clearly a larger redundany ould
orret atleast the same numberof errors but would overload the hannel.
Fromamathematialpointofview,aodeanbeseenastheimageofaninjetive
funtion
f
froma subset of{
0
,
1
}
k
of size
M
to a subset of{
0
,
1
}
n
of the same size,
with
n
≥
k
. Thusf
isalso invertible.One trivial example of
f
ould be a funtion whih simply onatenates a wordw
to itself 3 times. One sent through a hannel whih ips one bit with probability1
/
3
, when the enoded wordf
(
w
)
is reeived, it will be very likely that if the bits in positioni,
2
i,
3
i
, for1
≤
i
≤
k
, disagree, then the transmitted bit was the one ourring more often.Applying
f
, i.e. enoding, andf
−
1
, i.e. deoding, should be an eient task, and,
given
f
, it should be easy to derive how many errors the ode an orret. F ur-thermore, we do not wishn
to be muh larger thank
, as in the trivial example we desribed, but atthe same timen
should belarge enough topermit usto orretas many errors aspossible.An eient enoding/deoding funtionfor whih wean eiently derive the
num-beroforretableerrors,an beonstrutedby imposingsomespeialgebrai
on-straints,yielding whatare usually known aslinear odes. This algebraionstraints,
though, severely limit the possible hoies of
f
. In fat, there exist odes whih are notlinearodes, i.e. donotembedausefulalgebraistruture,butwhihan enodemore messages than any linear ode and orret the same number of errors. On the
odes an orret.
In this thesis we deal with suh non-linear odes, and we fous our researh into
two main problems.
In Part II we deal with the problem of determining aeptable ode parameters. In
other words, given the number of errors we want to orret and the length
n
of the enoded message, we want to determine whihis the largest number of messagesM
thatan beenoded. Usuallyitisnot possibletogiveapreisevalueforM
,butonly upper or lower limits. In partiular, one of our main results is a losed formula foranupper limit(bound)of
M
improvingsome previous estimates.InPartIIIweprovideadeterministimethod,insomeasesfaster thanabrutefore
searh, to ndthe number oforretable errors for any ode, provided that the ode
is represented ina partiular eient form. All methods weare aware ofsolving the
same problemare either brute fore methodsor probabilistimethods. Probabilisti
methods are very eient, but an only be applyed to linear odes. Our result on
odeshasalsoanappliationsinryptography,sineitallowstoomputeapartiular
parameter alled the nonlinearity of Boolean funtions. These are funtions used in
many ryptographiprimitives tospread the entropy duringenryption.
In more details, this thesis is strutured asfollows.
PartIisdevotedtopreliminaries,essentialtounderstandtherestofthemanusript.
In partiular we start in Chapter 1 with an overview on polynomial system solving,
withfous onsystemswith anitenumberofsolutions,then weprovideanoverview
onodes inChapter 2,and an overview onBoolean funtionsin Chapter 3.
PartII beginswithanoverview onlassialknown bounds(Chapter 4),in
parti-ular fousingon upper bounds fornonlinear odes. Chapter 5 and 6 ontain original
results. The rst hapter generalizesan upper bound for linearodes, i.e. the
Gries-mer bound, to an innite subset of a larger family of odes, alled systemati. The
seond hapter presents a new upper bound on the size of nonlinear odes, whih
improves inmany ases the most importantlassial upper bounds.
Part III faes two important related problems: nding the minimum weight (a
quantity relatedtothe numberof orretableerrors)of anonlinear ode (Chapter7)
and nding the nonlinearity of aBoolean funtion (Chapter 8). We provideoriginal
eient algorithmsfor both problems, applying similar tehniques based on
the ode is represented in a ertain form whih we prove to be as eient as the
lassial representation. In the seond ase we nd a deterministi algorithmof the
same omplexity of the best known algorithmswhih solve the same problem.
PartIV liststhe Magma odewhihimplementthe new boundof Chapter 6, and
In this hapter weintroduesome basi notionsand known resultsfrom[CLO07℄
and[ST09℄. Somematerialomes fromthe leturenotesofthe ourseCodingTheory
letured by M. Sala and written by E. Bellini, D. Frapporti, O. Geil, M. Piva, M.
Sala.
Inpartiular,weintroduesomeimportanttoolstosolveageneripolynomialsystem
of equations with anite number of solutions.
We denote by
Fq
the eld withq
elements, whereq
is a power of a prime. Letn
≥
1
be anaturalnumberand let(Fq)
n
bethe vetor spaeof dimension
n
overFq
. Wedenote byK
any (not neessarily nite)eld and byK
itsalgebrailosure.1.1 Monomial ordering
A monomial in
x
1
, . . . , x
r
is aprodut of the formx
α
1
1
·
. . .
·
x
α
r
r
where all of the exponents
α
j
are non negative integers. The sumα
1
+
. . .
+
α
r
is dened to be the total degree of this monomial. We denote byM
(
X
) =
M
the set of allmonomialsin the variablesx
1
, . . . , x
r
.A polynomial
f
inx
1
, . . . , x
r
with oeients inK
is a nite linear ombination of monomials. That is,f
=
X
α
a
α
x
α
,
a
α
∈
K
,
where
x
α
=
x
α
1
1
·
. . .
·
x
α
r
r
and the sum is over a nite number ofm
-uplesα
=
(
α
1
, . . . , α
r)
. Thenwealla
α
theoeient ofthemonomialx
α
, weall
a
α
x
α
aterm,
andwedenoteby
deg(
f
)
thetotaldegree off
whihisthemaximum|
α
|
=
α
1
+
. . .
+
α
r
suh that the oeienta
α
isnonzero.Note that the sum and produt of two polynomials is again a polynomial. It
example,
1
/x
is not a polynomial). For this reasonK[
X
]
, the set of all polynomials inx
1
, . . . , x
r
withoeientsinK
, isalled a polynomial ring.As in the ase of univariate polynomials, we would like to be able to arrange
the terms of amultivariatepolynomial unambiguously, indesending (orasending)
order. Todo this, wehave to denea monomialordering
≺
.Denition 1.1.1. A monomial ordering
≺
is a binary relation onM
suhthat: 1.∀
m
1
6
=
m
2
∈ M
, eitherm
1
≺
m
2
orm
2
≺
m
1
.∀
m
1
, m
2
, m
3
∈ M
, ifm
1
≺
m
2
andm
2
≺
m
3
, thenm
1
≺
m
3
.2.
∀
m
1
, m
2
, m
∈ M
ifm
1
≺
m
2
thenm
1
·
m
≺
m
2
·
m
. 3.1
≺
m,
∀
m
∈ M
, m
6
= 1
.It an beproved that
≺
isa well-ordering,i.e. every non-empty subsetofM
has a least element.Now that we have dened monomial ordering, we report some examples. We an
suppose that
x
1
≻
. . .
≻
x
r
and letm
1
, m
2
∈ M
suh thatm
1
=
x
α
1
1
·
. . .
·
x
r
α
r
andm
2
=
x
1
β
1
·
. . .
·
x
r
β
r
.Lex: lexiographi order. We say that
m
1
≺
lex
m
2
if thereexistsj
suhthatα
j
< β
j
andα
i
=
β
i
for1
≤
i < j
≤
r
.Example 1.1.2. Let
M
=
M
[
x, y, z
]
andx
≻
y
≻
z
. Thenx
2
≻
y
4
and
x
2
yz
3
≻
xy
4
z.
GrLex: graded lexiographi order and it is also all total lexiographi order. We
say that
m
1
≺
GrL
m
2
if|
α
|
<
|
β
|
orif|
α
|
=
|
β
|
andm
1
≺
lex
m
2
. Example 1.1.3. LetM
=
M
[
x, y, z
]
andx
≻
y
≻
z
. Thenx
2
≺
y
4
andx
2
yz
3
≻
xy
4
z.
DegRevLex: graded reverse lexiographi order. To say that
m
1
≺
DRL
m
2
, rst of allweompare their totaldegrees: if|
α
|
<
|
β
|
thenm
1
≺
DRL
m
2
,otherwise we havetoomparethe totaldegreeofn
1
=
x
α
1
1
·
. . .
·
x
α
r
−1
r
−
1
andn
2
=
x
β
1
1
·
. . .
·
x
β
r
−1
r
−
1
,and so on.
Example 1.1.4. Let
M
=
M
[
x, y, z
]
andx
≻
y
≻
z
. Thenx
2
≺
y
4
andx
2
yz
3
≺
xy
4
z
sine
x
Note that DegRevLex is the same to reverse the lexiographi order, that is,
m
1
≺
DRL
m
2
if thereexistsj
thatα
j
> β
j
andα
j
=
β
j
for1
≤
j < i
≤
r
.Weighted Degree. We assign a weight
w
i
∈
N
∗
to eah variable
x
i
and we denote byw(
m
1
) =
P
i
α
i
w
i
and byw(
m
2
) =
P
i
β
i
w
i
. Wesaythatm
1
≺
w
m
2
ifeitherw(
m
1
)
<
w(
m
2
)
orw(
m
1
) = w(
m
2
)
andm
1
≺
lex
m
2
.Example 1.1.5. Let
M
=
M
[
x, y, z
]
andx
≻
y
≻
z
. Weassign the weightto eahvariablesw
x
= 2
,w
y
= 1
w
z
= 3
. Thenx
2
≺
y
4
andx
2
yz
3
≻
xy
4
z.
Wewilluse the followingterminology.
Denition 1.1.6. Let
Ω
∈
N
r
. Let
f
=
P
α
∈
Ω
a
α
x
α
be a non zero polynomial inK[
X
]
and let≺
be a monomialordering. We say thatx
β
is the leading monomial
of
f
ifx
β
≻
x
α
for all
α
6
=
β
suh thatα
∈
Ω
and it is denoted bylm(
f
) =
x
β
.
We denote by
T
(
f
) =
a
β
x
β
the leading term of
f
and bylc
(
f
) =
a
β
the leading oeient off
.Given a monomial ordering, it an be proven that the leading monomial, the
leadingterm and the leadingoeient of
f
are welldened and unique. Example 1.1.7. Letf
= 4
x
2
y
+
xy
3
z
+ 5
z
in
R[
x, y, z
]
and let≻
lex
be a lex order. Thenlm(
f
) =
x
2
y
,
lc
(
f
) = 4
andT
(
f
) = 4
x
2
y
.
1.2 Basi notions and properties of Gröbner bases
In this setion we introdue ideals and Gröbnerbases.
Denition 1.2.1. A subset
I
⊂
K[
X
]
is an ideal if 1.0
∈
I
.2. If
f, g
∈
I
thenf
+
g
∈
I
.3. If
f
∈
I
andh
∈
K[
X
]
thenf h
∈
I
. Letf
1
, . . . , f
s
be polynomialsinK[
X
]
. IfI
=
n
s
X
i
=1
λ
i
f
i
|
λ
i
∈
K[
X
]
o
then
I
is nitely generated byf
1
, . . . , f
s
and itis denoted byI
=
h
f
1
, . . . , f
s
i
.An ideal generated by one elementis alled a prinipalideal.
Denition 1.2.2. We dene a semigroup ideal
T
as a subset ofM
suh that for allt
∈
T
,m
∈ M
we havet
·
m
∈
T
.Let
t
1
, . . . , t
k
∈ M
and set:T
=
k
[
i
=1
{
λt
i
|
λ
∈ M}
.
Then T is a semigroup ideal of
M
. We say thatT
isgenerated
by{
t
1
, . . . , t
k
}
and we writeT
=
h
t
1
, . . . , t
k
i
.Lemma 1.2.3. Let
M
⊂ M
andI
=
h
m
i
|
m
i
∈
M
i
be an ideal. Then a monomialm
lies inI
if and only ifm
is divisible bym
i
forsomem
i
∈
M
.Proof. See Lemma 2of hapter2 of [CLO07,4℄.
Theorem 1.2.4 (Dikson's Lemma). Every semigroup ideal is generated by a nite
set.
Proof. See Theorem 5 of hapter 2 of[CLO07, 4℄.
In the previous setion,we dened the leadingterm of
f
∈
I
. Forany idealI
,we an deneitsidealof leading termsT
(
I
)
asthe set ofleadingterms ofelementsofI
. That is,T
(
I
) =
{
λm
|
there existsf
∈
I
withT
(
f
) =
λm
}
.
And wedenote byh
T
(
I
)
i
the ideal generated by the elementsofT
(
I
)
. In a similarway we an denethe ideal of leading monomials ofI
,that is,lm(
I
) =
{
lm(
f
)
|
f
∈
I
} ⊂ M
.
It is lear that
lm(
I
)
is asemigroup ideal.Note that, if
I
=
h
f
1
, . . . , f
k
i
, thenh
T
(
f
1
)
, . . . ,
T
(
f
k)
i ⊆ h
T
(
I
)
i
, but these two ideals may be dierent and it isthe same forlm(
I
)
.Example 1.2.5. Let
I
=
h
f
1
, f
2
i
wheref
1
=
x
2
−
x
and
f
2
=
xy
−
y
+ 1
. We use lexiographi ordering on the monomialsinK[
x, y
]
. Thenxf
2
−
yf
1
=
x
, sox
∈
I
. Thusx
=
T
(
x
)
∈ h
T
(
I
)
i
butx
is not divisible byT
(
f
1
) =
x
2
or
T
(
f
2
) =
xy
. Hene, by Lemma 1.2.3,x
6∈ h
T
(
f
1
)
,
T
(
f
2
)
i
.Proof. See Proposition 3of hapter 2 of [CLO07, 5℄.
Theorem1.2.7 (HilbertBasisTheorem). Any ideal
I
⊂
K[
X
]
hasanitegenerating set.Proof. See Theorem 4 of hapter 2 of[CLO07, 5℄.
Wejustnoted,inExample 1.2.5,that notallbases
{
f
1
, . . . , f
k
}
of anidealI
have the speial property thath
T
(
I
)
i
=
h
T
(
f
1
)
, . . . ,
T
(
f
k)
i
. Those bases for whih the equality holds give rise tothe following denition.Denition 1.2.8. Let
I
be an ideal and≺
be a monomial ordering. We say thatG
=
{
g
1
, . . . , g
k
}
is a Gröbner basis forI
ifh
T
(
I
)
i
=
h
T
(
g
1
)
, . . . ,
T
(
g
k)
i
. We denote byGB(
I
)
.Equivalently,
G
is a Gröbner basis ofI
ifG ⊆
I
and if for allf
∈
I
there existg
i
∈ G
suh thatlm(
g
i)
divideslm(
f
)
.Theorem 1.2.9 (Buhberger Theorem). For every ideal
I
⊆
K[
X
]
and for every monomial ordering≺
onM
, there exist a Gröbner basisG
forI
.Proof. See Corollary 6of hapter2 of [CLO07, 5℄.
Moreover,thereexistsanalgorithm,thatis,Buhbergeralgorithm[Bu06,Bu98℄
[CLO07,27℄ that transformsany nite set of generators for
I
into aGröbner basis.Atually,GröbnerbasesomputedusingtheBuhbergeralgorithmareoftenlarger
than neessary. We an eliminate some unneeded generators by using the following
lemma.
Lemma 1.2.10. Let
G
be a Gröbner basisfor the polynomial idealI
. Letg
∈ G
be a polynomial suh thatT
(
g
)
∈ h
T
(
G\{
g
}
)
i
. ThenG\{
g
}
is also a Gröbner basis for I. Proof. See Lemma 3of hapter2 of [CLO07,7℄.Beause of Lemma 1.2.10, we an dene a minimal Gröbner basis for
I
⊆
K[
X
]
as a Gröbner basisG
forI
suh that for allg
∈ G
we have thatlc
(
g
) = 1
andT
(
g
)
6∈ h
T
(
G\{
g
}
)
i
.Unfortunately, a given ideal
I
may have many minimal Gröbner bases. But we an dene a speial minimal basis, that we all aredued basis. In this way toany idealwe an assoiate a unique basis.
Proposition1.2.12. Let
I
6
=
{
0
}
bea polynomialideal. Then, foragivenmonomial ordering,I
has a unique redued Gröbner basis.Proof. See Proposition 6of hapter 2 of [CLO07, 7℄.
It an beproved the following
Proposition 1.2.13. Let
I
be an ideal inK[
X
]
and let{
g
1
, . . . , g
k
}
be a redued Gröbner basis ofI
with respet to some monomial order. For anyf
∈
K[
X
]
there exists a unique remainderr
∈
K[
X
]
suh that no termofr
isdivisible by the leading term of anyg
i
and suh thatf
−
r
belongs toI
.This unique polynomial
r
, that we indiate withNf(
f, I
)
, is sometimes alled the Normal Form off
w.r.tI
.For any ideal
I
in a polynomialringK[
X
]
,X
=
{
x
1
, . . . , x
r
}
, we denote byV
(
I
)
the variety ofI
inK
, that is the set of allzeros ofI
inK
V
(
I
) =
{
P
∈
K
r
|
f
(
P
) = 0
∀
f
∈
I
}
.
Theorem 1.2.14. Let
I
=
h
f
1
, . . . , f
k
i
be an ideal inK[
X
]
and letP
∈
K
r
. Then
f
1
(
P
) =
. . .
=
f
k(
P
) = 0
⇐⇒
g
(
P
) = 0
∀
g
∈
I.
Proof. See Proposition 9of hapter 2 of [CLO07, 5℄.
Denition 1.2.15. Let
I
be an ideal. If the ardinality ofV
(
I
)
is nite, thenI
is alled a0
-dimensional ideal.Theorem 1.2.16 (The Weak Nullstellensatz). Let
K
be an algebraially losed eldand let
I
⊆
K[
X
]
be an ideal satisfyingV
(
I
) =
∅
. ThenI
=
K[
X
]
. Proof. See Theorem 1 of hapter 4 of[CLO07, 2℄.Denition1.2.17. Forany
Z
⊂
K
r
asetofpoints,wedenoteby
I
(
Z
)
thevanishing ideal ofZ
,I
(
Z
)
⊂
K[
X
]
, thatis,I
(
Z
) =
{
f
∈
K[
X
]
|
f
(
P
) = 0
∀
P
∈
Z
}
.
Denition 1.2.18. Let
I
be an ideal in a polynomial ringK[
X
]
, the radial ofI
, denote by√
I
is the set√
I
=
{
f
∈
K[
X
]
|
f
n
∈
I
for some
n
≥
1
}
.
NotethatI
⊆
√
I
. IfI
=
√
I
,thenI
isradial,that is,f
n
∈
I
impliesthat
f
∈
I
, for somen
≥
1
.It is easyto prove that
I
(
Z
)
is radial(Corollary 3of hapter 4 of [CLO07,2℄). Theorem 1.2.19 (Hilbert Nullstellensatz). LetK
be an algebraially losed eld. IfI
⊆
K[
X
]
is an ideal, then√
Proof. See Theorem 6 of hapter 4 of[CLO07, 2℄.
Theorem 1.2.20 (The Ideal-Variety Correspondene). Let
K
be an arbitrary eld.If
I
1
⊂
I
2
areideals,thenV
(
I
2
)
⊂ V
(
I
1
)
and, similarly,ifV
(
I
2
)
⊂ V
(
I
1
)
arevarieties, thenI
(
V
(
I
1
))
⊂ I
(
V
(
I
2
))
Proof. See Theorem 7 of hapter 4 of[CLO07, 2℄.
Theorem 1.2.21. Let
I
⊂
Fq[
X
]
be an ideal suh that{
x
q
i
−
x
i
|
1
≤
i
≤
r
} ⊆
I
, thenI
is0
-dimensional and radial.Proof. If
{
x
q
i
−
x
i
|
1
≤
i
≤
r
} ⊆
I
itmeansthatV
(
I
)
⊂
F
r
q
and then#
V
(
I
)
≤ |
F
r
q
|
=
q
r
. Thus
I
is0
−
dimensional. SineI
⊆
√
I
, toprove thatI
is radial itis suient toshow that√
I
⊆
I
. Letf
=
a
1
m
1
+
. . . a
n
m
n
wherea
i
∈
K
,m
i
∈ M
suh thatm
i
=
x
α
1
,i
1
·
. . .
·
x
α
r,i
r
with1
≤
i
≤
n
. Firstof allnote thatf
q
=
f
mod
I
. In fat,sine
a
∈
Fq
we havea
q
=
a
and
m
q
i
=
m
i
mod
I
sine the eld equations are in the ideal and som
i
q
= (
x
α
1
,i
1
·
. . .
·
x
α
r
r,i
)
q
= (
x
q
1
)
α
1
,i
·
. . .
·
(
x
q
r
)
α
r,i
=
x
α
1
,i
1
·
. . .
·
x
α
r
r,i
=
m
i
Iff
∈
√
I
thenf
s
∈
I
by denition of radial of
I
,f
s
∈
I
is equivalent to say that
f
s
= 0 mod
I
. We an always onsider that
s < q
sine, otherwise, we redues
moduleq
. Sof
s
∈
I
=
⇒
f
s
·
f
q
−
s
∈
I
, that is,
f
q
= 0 mod
I
butf
q
=
f
mod
I
and so we an onlude that
f
∈
I
and√
I
⊆
I
.We now dene the esalier
N(
I
)
, whih is the set of all the monomials that are not leading monomialof any polynomialinI
:Denition 1.2.22. The set
N(
I
) =
M\
lm(
I
)
is alled the Hilbert stairase or footprint or esalierofI
.Let
I
⊂
K[
X
]
thereisa nieand naturalonnetionbetween the numberof zeros ofI
and the numberof pointsin itsfootprint w.r.t. any ordering.Theorem 1.2.23. Let
I
be a0
-dimensional radial ideal inFq
. For any monomial ordering we have:#
V
(
I
) = #N(
I
)
.Moreover, the set
B
=
{
m
+
I
|
m
∈
N(
I
)
}
onstitutes a basis for
R
as a vetor spae overK
Proof. See [CLO07℄, Propotiotion 3 p. 219, Proposition 1 p. 227, Proposition 4 p.
We onsider
I
⊂
K[
X
]
an ideal suh that{
x
q
i
−
x
i
|
1
≤
i
≤
r
} ⊂
I
and letR
=
K[
X
]
/I
.Theorem 1.2.24. Let
I
be an ideal inK[
X
]
and let≺
a monomial ordering. The setB
=
{
m
+
I
|
m
∈
N(
I
)
}
onstitutes a basis for
R
as a vetor spae overK
Proof. See Theorem 5 of [Gei09℄.1.3 Solving systems of polynomials equations
Solving multivariatepolynomialsystem of equations is a very important issue in
appliedmathematis,withmanyappliationsinareasuhasodingtheoryand
ryp-tology.
ThePolynomialSystemSolving problem,sometimesreferredtowiththearonymous
PoSSo,is a NP-Hard problemin omputer algebra.
Onewaytosolveasystemofpolynomialequationsittondtheorresponding
Gröb-nerbasis. ThehistorialalgorithmtoomputeGröbnerbasesistheBuhberger
algo-ritm ([Bu06, Bu98℄, [Mor05℄, [CLO07,27℄). Other algorithms(FGLM [FGLM93℄,
F4[Fau99℄,F5 [Fau02℄,fastFGLM[FM11℄)havebeenproposedtoomputeGröbner
bases, oftenmore eiently.
A new trendin the eld istopropose dediated toolsto solvestrutured polynomial
systems (for using the symmetries indued by a nite group [FR09℄ or the bilinear
struture [FEDS11℄ ordeterminantalideals [FEDS10℄).
Dediatedmethodsfornite eldshave alsobeenproposed [BFP09℄,[BFP12℄, orfor
0
-dimensionalideals [MCD+
10℄, [Mor05℄ (Algorithm29.3.1).
In Chapters 7and8 wedeal withthreetypesof systems ofpolynomialequations,
allwith a nite number of orno solutions:
TYPE 1 Multivariatepolynomialsystem
over the binary eld
F
2
, in
k
variablesx
1
, . . . , x
k
,and with
r
squarefree-polynomialsof degree≤
k
. TYPE 2 Multivariatepolynomialsystem over the rational eld
Q
(or aprime eldFp
withp
∼
2
k
in
k
variablesx
1
, . . . , x
k
,and with one dense(∼
2
k
terms)squarefree-polynomial
g
(
x
1
, . . . , x
k
)
ofdegreek
, plusk
F
2
-eld equationsx
2
1
−
x
1
, . . . , x
2
k
−
x
k
.TYPE 3 Multivariatepolynomialsystem
over the rational eld
Q
(or aprime eldFp
withp
∼
2
k
),
in
k
+ 1
variablesx
1
, . . . , x
k
, t
, and with one dense (∼
2
k
terms) squarefree-polynomial
g
(
x
1
, . . . , x
k)
−
t
of degreek
, plusk
F
2
-eld equationsx
2
1
−
x
1
, . . . , x
2
k
−
x
k
.Inpartiular,inour ase,weknowthatTYPE1and TYPE2systems eitherhaveno
solutionsorhave anitenumberof solutionsin
{
0
,
1
}
k
. Regarding TYPE 3systems,
they always have a nite number of solutionssuh that
(
x
1
, . . . , x
k
, t
)
∈ {
0
,
1
}
k
⊕
Zn
for aertainn
≥
k
.Wewrite one example for eahtype of system we need tosolve.
Example 1.3.1 (TYPE 1). In this ase we have
k
= 4
andr
= 11
with an idealI
∈
F
2
[
x
1
, . . . , x
4
]
/
h
x
2
1
+
x
1
, x
2
2
+
x
2
, x
2
3
+
x
3
, x
2
4
+
x
4
i
suh thatI
=
{
x
1
x
2
x
3
x
4
+
x
2
x
3
x
4
,
x
1
x
2
x
3
x
4
+
x
1
x
3
x
4
,
x
1
x
3
x
4
+
x
2
x
3
x
4
,
x
1
x
2
x
3
x
4
+
x
1
x
2
x
3
+
x
1
x
2
x
4
+
x
1
x
2
,
x
1
x
2
x
3
x
4
+
x
1
x
2
x
3
+
x
2
x
3
x
4
+
x
2
x
3
,
x
1
x
2
x
3
x
4
+
x
1
x
2
x
3
x
1
x
2
x
3
x
4
,
x
1
x
2
x
3
+
x
1
x
3
,
x
1
x
2
x
3
x
4
+
x
1
x
2
x
4
+
x
2
x
3
x
4
+
x
2
x
4
,
x
1
x
2
x
3
+
x
1
x
3
x
4
,
x
1
x
2
x
3
x
4
+
x
1
x
2
x
3
+
x
1
x
3
x
4
+
x
1
x
3
+
x
2
x
3
x
4
+
x
2
x
3
+
x
3
x
4
+
x
3
}
.
Note that here the equations
x
2
1
+
x
1
, x
2
2
+
x
2
, x
2
3
+
x
3
, x
2
4
+
x
4
are impliit,sine we are working over the ane algebraF
2
[
x
1
, . . . , x
4
]
/
h
x
2
1
+
x
1
, x
2
2
+
x
2
, x
3
2
+
x
3
, x
2
4
+
x
4
i
. The solutionsof the systems areExample1.3.2 (TYPE 2). Inthis asewehave
k
= 4
andanidealI
∈
Q[
x
1
, . . . , x
4
]
suh thatI
=
{
x
2
1
−
x
1
, x
2
2
−
x
2
, x
2
3
−
x
3
, x
2
4
−
x
4
,
−
4
x
1
x
2
x
3
x
4
+ 4
x
1
x
2
x
3
−
2
x
1
x
2
x
4
−
3
x
1
x
2
+ 8
x
1
x
3
x
4
+
−
4
x
1
x
3
−
4
x
1
x
4
+ 6
x
1
+ 2
x
2
x
3
x
4
−
4
x
2
x
3
+ 4
x
2
−
5
x
3
x
4
+ 7
x
3
+ 4
x
4
−
7
}
.
The solutionsof this system are
V
=
{
(0
,
0
,
1
,
0)
,
(0
,
1
,
1
,
0)
,
(1
,
1
,
0
,
0)
}
.
Example1.3.3 (TYPE 3). Inthis asewehave
k
= 4
andanidealI
∈
Q[
x
1
, . . . , x
4
]
suh thatI
=
{
x
2
1
−
x
1
, x
2
2
−
x
2
, x
2
3
−
x
3
, x
2
4
−
x
4
,
−
4
x
1
x
2
x
3
x
4
+ 4
x
1
x
2
x
3
−
2
x
1
x
2
x
4
−
3
x
1
x
2
+ 8
x
1
x
3
x
4
+
−
4
x
1
x
3
−
4
x
1
x
4
+ 6
x
1
+ 2
x
2
x
3
x
4
−
4
x
2
x
3
+ 4
x
2
−
5
x
3
x
4
+ 7
x
3
+ 4
x
4
−
t
}
.
The solutionsof this system are
V
=
{
(0
,
0
,
0
,
0
,
0)
,
(0
,
0
,
0
,
1
,
4)
,
(0
,
0
,
1
,
0
,
7)
,
(0
,
0
,
1
,
1
,
6)
,
(0
,
1
,
0
,
0
,
4)
,
(0
,
1
,
0
,
1
,
8)
,
(0
,
1
,
1
,
0
,
7)
,
(0
,
1
,
1
,
1
,
8)
,
(1
,
0
,
0
,
0
,
6)
,
(1
,
0
,
0
,
1
,
6)
,
(1
,
0
,
1
,
0
,
9)
,
(1
,
0
,
1
,
1
,
12)
,
(1
,
1
,
0
,
0
,
7)
,
(1
,
1
,
0
,
1
,
5)
,
(1
,
1
,
1
,
0
,
10)
,
(1
,
1
,
1
,
1
,
9)
}
.
1.4 The 0-dimensional ase
From a pratial point of view, it is muh faster to ompute a Gröbner basis for
a degree ordering suh as the degree reverse lexiographi (DegRevLex) order than
for a lexiographi order. For
0
-dimensional systems, it is usually less ostly to rstompute a DegRevLex-Gröbner basis, and then to ompute the Lex-Gröbner basis
using a hange ordering algorithm suh as FGLM [FGLM93℄. This strategy, alled
zero-dim solving,is performedblindly in modernomputer algebrasoftwares suhas
MAGMAorMAPLE.Thisisonvenientfortheuser,butanbeanissueforadvaned
users. In general,apolynomialsystem of equations witha nitenumberofsolutions
may yield more eient algorithms to solve it. In partiular, this is the ase when
the solutionsof the system liein a niteeld, as isour ase.
The polynomialsystem solving problem over nite elds is sometimes referred toas
PoSSo
q
.the size
q
[GJ79℄. Thus, any algorithmforPoSSoq
shouldbeexponentialintheworst ase. However, this does not exlude that large family of PoSSoq
instanes an besolved insub-exponentialor polynomialomplexity. In addition,the exat exponent
ourring in algorithmsof exponential omplexity is often a ritial question in
ap-pliations.
Wenow present some approahes whih,aording to the author,deserve
onsidera-tion when trying to solve a system of polynomial equations with a nite number of
solutions.
1.4.1 Representation of 0-dim. ideals
The following notionsan be found in [Mor05℄.
Let
X
=
x
1
, . . . , x
k
. LetJ
⊂
K[
X
]
be a zero-dimensional ideal,deg(
J
) =
s,
and denoteA
:=
K
[
X
]
/
J
theorrespondingquotientalgebra,whihsatisesdim
K
(
A
) =
s.
For anyf
∈
K[
X
]
, we will denote[
f
]
∈
A
its residue lass moduloJ
andΦf
the endomorphismΦf
:
A
→
A
dened byΦ
f
([
g
]) = [
f g
]
∀
[
g
]
∈
A
.
Natural representation
If wex any
K
-basisb
=
{
[
b
1
]
, . . . ,
[
b
s]
}
ofA
sothatA
= span
K
(
b
)
,
then foreahg
∈
K[
X
]
,
there is a unique (row) vetor, the Gröbner desription ofg
,Rep
(
g,
b
) := (
γ
(
g, b
1
,
b
)
, . . . , γ
(
g, b
s
,
b
))
∈
K
s
whihsatises
[
g
] =
X
j
γ
(
g, b
j
,
b
)[
b
j
]
and the endomorphism
Φ
f
is naturallyrepresented by the square matrixM
([
f
]
,
b
) =
γ
(
f b
i
, b
j
,
b
)
: Φf
(
b
i) = [
f b
i] =
X
j
γ
(
f b
i
, b
j
,
b
)[
b
j
]
.
Denition 1.4.1. A natural representation of
J
is the assignement of a
K
-basisb
=
{
[
b
1
]
, . . . ,
[
b
s]
} ⊂
A
and the square matriesA
h
:=
a
(
ij
h
)
=
M
([
x
h
]
,
b
)
for eahh,
1
≤
h
≤
k
.Remark that, for eah
f
(
x
1
, . . . , x
k
)
∈
K[
X
]
,M
([
f
]
,
b
) =
f
(
A
1
, . . . , A
k
)
.Anequivalent(viathe remarkabove)denition ofnaturalrepresentationan require
s
3
values
γ
(
l
)
ij
∈
K
suhthat[
q
i
q
j
] =
X
l
γ
ij
(
l
)
[
q
l]
for eah
i, j, l,
1
≤
i, j, l
≤
s.
Thisnotionwasintroduedin[Tra92b,Tra92a℄andreonsideredin[AMM03 ℄,[Mor05,
Denition 29.3.3℄under the name of Gröbner representation.
Theendomorphism
Φf
anditsrepresentionM
([
f
]
,
b
)
wereintrodued,withf
alinear form,in [AS88℄ asa tool foreient solving 0-dimensional ideals.If
J
is given by its Gröbner basis wrt a term-ordering<
its natural (atually: lin-ear with the denition below) representation an be obtained via [FGLM93,Proe-dure 3.1℄.
If
J
isananeompleteintersetiondenedbyr
polynomialsanaturalrepresentation ofitanbeeientlyomputedviaCardinal-MourrenAlgorithm[J.P93,Mou05℄. Wewillassume that both the input and the output idealsof the algorithmare given via
a naturalrepresentation.
A Gröbner-free approah to natural representation
Realling that a set
N
⊂ M
is alled an esalier if it is anorder ideal, i.e. if for eahλ, τ
∈ M
,λτ
∈
N =
⇒
τ
∈
N
andproperlyextending[Mor05,Denition29.3.3℄ we setDenition1.4.2. Anaturalrepresentation isalledalinearrepresentationi
q
= N
is an esalier.
If
N =
{
υ
1
, . . . , υ
s
}
isanesalierthen[Mor09℄T
:=
M\
N
isasemigroupordering, i.e.τ
∈
T
=
⇒
τ λ
∈
T
for eahλ, τ
∈ M
;we setG
:=
{
τ
1
, . . . , τ
u
} ⊂
T
the minimal basis ofT
.1.4.2 Traverso's Algorithm
Traverso introdued his algorithm in a talk at MEGA-1992, [Tra92b℄ and in
[Tra92a℄, in a senario related to Gröbner bases omputation of a zero-dimensional
ideal
I
. The assumption is that, in the ourse of the omputation, one produes anesalier
N
⊃
N<(
J
)
and a nite listg
1
, . . . , g
r
of S-polynomialsto be redued.Thesettingwasreformulatedin[AMM03 ℄,[Mor05,Algorithm29.3.8℄asfollows: given
a zero-dimensionalideal
I
⊂
K[
X
]
via its naturalrepresentationb
=
{
b
1
, . . . , b
s
}
, b
1
= 1
,
M
:=
n
and a nite set of elements
F
:=
{
g
1
, . . . , g
r
} ⊂
K[
X
]
, given via their Gröbner de-sriptionsc
(
i
)
= (
c
(
1
i
)
, . . . , c
(
s
i
)
)
, c
(
j
i
)
=
γ
(
g
i
, b
j
,
b
)
∀
i, j,
1
≤
i
≤
r,
1
≤
j
≤
s,
so that
g
i
−
P
s
j
=1
c
(
i
)
j
b
j
∈
I
,
for eahi
, ompute with good omplexity the linear representation of the idealJ
:=
I
∪ h
F
i
.
The basi idea of the algorithm(Algorithm 1)is the following: if we onsider an
element
g
∈
F
,having the Gröbnerdesriptiong
−
ι
X
j
=1
c
j
b
j
∈
I
,
c
ι
6
= 0
,
and we enlarge
I
by addingg
toit, then we obtainthe relationb
ι
≡ −
ι
−
1
X
j
=1
c
−
ι
1
c
j
b
j
mod
I
∪ {
g
}
;
the deomposition
K[
X
] =
I
⊕
span
K
(
b
)
ofK[
X
]
intodisjointK
-vetorspaes is then transformed intoK[
X
] = (
I
∪ {
g
}
)
⊕
span
K
(
q
\ {
q
ι
}
)
,
and we only have to substitute, in eah Gröbner desription
P
s
j
=1
d
j
b
j
of the poly-nomialsg
i
andx
h
b
l
whih are respetively enoded in the vetorsc
(
i
)
and in the
rows
a
(
l
1
h
)
, . . . , a
(
ls
h
)
of the matriesofM
the instanes ofb
ι
with−
P
ι
−
1
j
=1
c
−
ι
1
c
j
b
j
thus gettingP
j
(
d
j
−
c
−
ι
1
c
j
d
ι)
b
j
.Sine
J
is anideal,the inlusionin itofg
impliesthatJ
neessarilyontains alsothe polynomialsx
h
g
;note that, if the urrent naturalrepresentation is(
b
′
,
M
′
) :
b
′
:=
{
b
′
1
, . . . , b
′
σ
}
,
M
′
=
M
(
b
′
) :=
n
d
(
lj
h
)
o
and
g
=
P
s
l
=1
c
l
b
′
l
thenx
h
g
=
s
X
l
=1
c
l
x
h
b
′
l
=
s
X
j
=1
s
X
l
=1
c
l
d
(
lj
h
)
!
b
j
whihmust be inserted inthe list
F
inorder to betreated inthe same way.At termination, if
I
⊂ {
1
, . . . , n
}
denotes the set of indies of the elementsb
j
whih have not being removed fromb
in this proedure, thenJ
is desribed by the naturalrepresentation
b
′
=
{
b
j
, i
∈
I
}
,
M
′
=
{
Note that Traverso's Algorithm needs to perform at most
s
While-loops, eah ostingO
(
ns
2
)
.
Algorithm 1 (Traverso) To ompute the natural representation of
J
:=
I
∪
h
g
1
, . . . , g
r
i ⊂
K[
X
]
fromthe natural representation ofI
⊂
K[
X
]
. Input:I
⊂
K[
X
]
,a zero-dimensional ideal,deg(
I
) =
s
b
:=
{
[
b
1
]
, . . . ,
[
b
s]
} ⊂
A
:=
K[
X
]
/
I
,b
1
, . . . , b
s
∈
K[
X
]
M
:=
n
a
(
ij
h
)
=
M
([
x
h]
,
b
)
∈
K
s
2
,
1
≤
h
≤
k
o
(
b,
M
)
, naturalrepresentation ofI
J
:=
I
∪ h
g
1
, . . . , g
r
i ⊂
K[
X
]
, σ
:= deg(
J
)
,[
g
i] :=
P
s
j
=1
c
i
j
[
b
j
]
,
for eahi,
1
≤
i
≤
r
B
:=
{
c
(1)
, . . . ,
c
(
r
)
}
,
c
(
i
)
:= (
c
i
1
, . . . , c
i
s
)
∈
K
s
Output:b,
M
naturalrepresentation ofJ
1: while
B
6
=
∅
do2: Choose
c
:= (
c
1
, . . . , c
s)
∈
B
3:B
:=
B
\ {
c
}
4:
B
:=
B
∪ {
cM
:
M
∈
M
∧
cM
6
= (0
, . . . ,
0)
}
5:ι
:= max
{
j
∈ {
1
, . . . , s
}
:
c
j
6
= 0
}
6: Remove
[
b
ι
]
fromb
; 7:s
:=
s
−
1
8: for
h
= 1
..k
do 9:ˆ
a
(
h
)
:= (
a
ι
1
, . . . , a
ι,ι
−
1
, a
ι,ι
+1
, . . . , a
ι,s)
10: Remove
ι
-th olumnand row fromA
h
∈
M
11:c
ˆ
:=
c
ι
12: Remove
ι
-thomponent fromc
13: forh
= 1
..k
,j
= 1
..s
,l
= 1
..s
do14:
a
(
h
)
lj
:=
a
(
h
)
lj
−
ˆ
c
−
1
c
jˆ
a
(
h
)
l
15:
B
′
:=
B
,
B
:=
∅
16: for
d
:= (
d
1
, . . . , d
s
+1
)
∈
B
′
do
17:
d
ˆ
:=
d
ι
18: Remove
ι
-th omponentfromd
19: forj
= 1
..s
do20:
d
j
:=
d
j
−
c
ˆ
−
1
c
j
d
ˆ
21: ifd
6
= (0
, . . . ,
0)
then 22:B
:=
B
∪ {
d
}
23: return
b,
M
Example 1.4.3. Let
k
= 2
,
K
=
F
2
,
I
=
h
x
2
The basis
b
= N(
I
)
ofK[
x
1
, x
2
]
/
I
isb
=
{
q
1
, q
2
, q
3
, q
4
}
=
{
1
, x
2
, x
1
, x
1
x
2
}
.
Suppose we want to nd the basis
b
′
of the algebra
K[
x
1
, x
2
]
/
(
I
∪
J
)
, whereJ
=
h
g
1
, g
2
i
=
h
x
2
+ 1
, x
1
x
2
+
x
1
+
x
2
+ 1
i
.Consider
g
1
=
x
2
+ 1 = 0
as a new relation, i.e.I
=
I
∪ h
g
1
i
. This means that from now on, whenever we ndx
2
in elements ofb
andJ
we an apply the substitutionx
2
= 1
.Weremove
g
1
fromI
,i.e.J
=
J
\ {
g
}
=
h
x
1
x
2
+
x
1
+
x
2
+ 1
i
.
Weupdate the base
b
q
1
= 1
q
2
=
x
2
redues to1
q
3
=
x
1
q
4
=
x
1
x
2
redues tox
1
.
Thusnow
b
=
{
q
1
, q
3
}
=
{
1
, x
1
}
.Weupdate the polynomialin
J
=
h
x
1
x
2
+
x
1
+
x
2
+ 1
i
x
1
x
2
+
x
1
+
x
2
+ 1
redues tox
1
+
x
1
+ 1 + 1 = 0
.
Thus now
J
=
∅
, i.e. we an stop the omputation and returnb
=
{
1
, x
1
}
, whih shows that the polynomialsystem
x
2
1
+
x
1
= 0
x
2
2
+
x
2
= 0
x
2
+ 1 = 0
x
1
x
2
+
x
1
+
x
2
+ 1 = 0
has only two solutionsover
(F
2
)
2
,whih happen tobe
(0
,
1)
,
(1
,
1)
. We nowreportthe same examplewith vetorial notation.Example 1.4.4. Let
I
=
h
x
2
1
+
x
1
, x
2
2
+
x
2
i ∈
F[
x
1
, x
2
]
, x
1
> x
2
with respet to DegRevLex order.The linear representation of
I
is given byb
=
{
1
, x
2
, x
1
, x
1
x
2
}
M
=
{
x
1
b, x
2
b
}
=
0 0 1 0
0 0 0 1
0 0 1 0
0 0 0 1
,
0 1 0 0
0 1 0 0
0 0 0 1
0 0 0 1
Let
g
1
=
x
2
+ 1
, g
2
=
x
1
x
2
+
x
1
+
x
2
+ 1
and letus ompute the linearrepresentation ofJ
=
I
∪ h
g
1
, g
2
i
using Traverso's algorithm.The linear desriptions of
g
1
, g
2
areB
=
{
(1
,
1
,
0
,
0)
,
(1
,
1
,
1
,
1)
}
.
Sine
B
6
=
∅
we hoosec
= (1
,
1
,
0
,
0)
. We haveB
=
B
\ {
c
} ∪ {
cM
:
M
∈
M
}
=
{
(1
,
1
,
1
,
1)
,
(0
,
0
,
1
,
1)
}
ι
= max
{
j
∈ {
1
, . . . , s
}
:
c
j
6
= 0
}
= 2
.
Wean removethe seondelement
x
2
fromb
, and updateM
:b
=
{
1
, x
1
, x
1
x
2
}
M
=
0 1 0
0 1 0
0 0 1
,
1 0 0
0 0 1
0 0 1
c
= (1
,
0
,
0)
.
Sine we have that
(1
,
1
,
1
,
1)
redues to(0
,
1
,
1)
(0
,
0
,
1
,
1)
redues to(0
,
1
,
1)
then
B
=
{
(0
,
1
,
1)
}
, whih is stillnot empty. Wehoosec
= (0
,
1
,
1)
.Wehave
B
=
B
\ {
c
} ∪ {
cM
:
M
∈
M
}
=
{
(0
,
1
,
1)
}
ι
= max
{
j
∈ {
1
, . . . , s
}
:
c
j
6
= 0
}
= 3
.
Wean removethe third element
x
1
x
2
fromb
, and updateM
:b
=
{
1
, x
1
}
M
=
(
0 1
0 1
!
,
1 0
0 1
!)
c
= (1
,
0)
.
Sine we have that
(0
,
1
,
1)
redues to(0
,
0)
Determining if a solution exists
In Chapter 7 and 8 we need to know if a system of polynomial equations has
a solution or not, rather than nding all the solutions. This is somehow a simpler
problem and an besolved with a simplerversion of Traverso's algorithm. The idea
is briey desribed in Algorithm 2, where
T
(
g
)
denotes the leading term ofg
andq
(
g
) =
g
−
T
(
g
)
.Algorithm 2 Toknow if
1
∈
J
:=
h
x
q
1
−
x
1
, . . . , x
q
k
−
x
k
, g
1
, . . . , g
r
i ⊆
K[
X
]
Input:S
:=
{
g
1
, . . . , g
r
}
, g
i
∈
K[
X
]
Output: TRUE if
1
∈
J
, FALSE otherwise 1:N
:=
N
(
J
)
2:
R
:=
∅
3: forg
∈
S
do4: Remove
g
fromS
5: Add(
T
(
g
)
, q
(
g
))
toR
6: forf
∈
S
do7: Replae
T
(
g
)
withq
(
g
)
inf
8: for(
t, q
)
∈
R
do9: Replae
T
(
g
)
withq
(
g
)
inq
10: forx
∈
X
do11: Compute
h
:=
xg
mod
h
x
q
1
−
x
1
, . . . , x
q
k
−
x
k
i
12: ifh
ontains a termt
suh thatt /
∈
N
then 13: Find(
t, q
)
inR
// suh pair must exists inR
14: Replae
t
withq
inh
15: RemoveT
(
g
)
fromN
16: return TRUE if
N
=
∅
, FALSEotherwise1.4.3 Hybrid approah
In [BFP09℄, the authorspresenta hybridapproahwhihan improve theway of
solving zero-dimensional multivariate systems over nite elds with at least
2
2
ele-ments. This approahuses Gröbner basestehniques and exhaustivesearh. A more
aurate analysis of the hybridapproah isgiven in [BFP12℄ by the same authors.
In general, when we want to solve a system whih has oeients over a nite eld
Fq
,wean always ndallthe solutionsinthe groundeldby exhaustive searh. Theompletesearhshouldtake
O
(
q
k
)
operationsif
k
isthenumberofvariables. Theidea ofthehybridapproahistomixexhaustivesearhwithGröbnerbases omputations.Gröbner bases of
q
r
subsystems obtained by xing
r
variables. The intuition is that the gain obtained by working on systems with less variables may overome the lossdue to the exhaustive searhon the xed variables.
The main problem is to realize if suh a trade-o may exists and in that ase to
hoose the best one. Thatistohoose properlythe value of
r
makingthe omplexity of the hybrid approah minimal. IfC
GB
(
A
)
is the omplexity of solving a Gröbner basis using algorithmA
, then the omplexityof the hybridapproah islearlyO
(
q
r
C
GB(
A
))
.
In [BFP09℄ an algorithmto nd the best trade-o when using F
5
algorithmto solveeahGröbner basis is given.
1.4.4 XL family of algorithms
One partiular algorithm has reeived onsiderable attention from the
rypto-graphi ommunity: the XL algorithm [CKPS00 ℄ (and its several variants, e.g.,
[Cou04℄, [CP03℄, [CP02℄) was originally proposed by ryptographers to takle
prob-lems arising speially from ryptology. In partiular XL was introdued as an
eient algorithmfor solving polynomialequations inase asingle solution exist.
OthermoregeneralvariantsofXLalgorithm,suhasMutantXL[BDMM09 ℄,[BCDM10 ℄,
MXL
2
[MMDB08 ℄, MXL3
[MCD+
10℄,have been proposed.
Though,in[ACFP12℄,itislaimedthattheXLfamilyofalgorithmsanbesimulated
using redundant variants of
F
4
algorithm.1.4.5 Boolean polynomial systems
In [BD09℄,the authorsintrodue aspeializeddatastruture forBoolean
polyno-mialsbasedonzero-suppressedbinarydeisiondiagrams(ZDDs),whihareapableof
handlingthesepolynomialsmoreeientlywithrespettomemoryonsumptionand
also omputational speed. Furthermore, they onentrate on high-level algorithmi
aspets, taking intoaount the new data strutures as wellas strutural properties
of Boolean polynomials. For example, a new useless-pair riterionfor Gröbner basis
omputationsin Booleanrings is introdued.
Theauthorsprovideanentireframework,i.e. aC++libraryalledPolyBoRi (Polynomials
overBoolean Rings), toeiently omputeGröbnerbasisoverBooleanpolynomials.
The authors point out that the advantage of PolyBoRi grows with the number of
1.4.6 Magma approah
The software Magma implements various optimized versions of Buhberger
algo-rithmandF
4
algorithm,see[CBFS13℄fordetails. Visitalso[Ste13℄forsomepratialtimings.
In partiular, sine Version 2.15, a speial type of polynomial ring is available: the
boolean polynomial ring in
k
variables. Suh a ring is a multivariate polynomial ring dened overF
2
but suh that all monomials are redued modulo the eldre-lations
x
2
i
=
x
i
for eah1
≤
i
≤
k
(so a bit vetor representation an be used for monomials). As we have already mentioned, the ring is the quotient algebraF
2
[
x
1
, . . . , x
k
]
/
h
x
2
1
+
x
1
, . . . , x
2
k
+
x
k
i
. This partiular struture allows very fast om-putations,thoughitisnot delaredwhihpartiularalgorithmsare usedinthis ase.Furthermore, sine Version 2.20, Magma inludes a new dense variant of the F
4
al-gorithm.
Quotingfrom Magma doumentation[CBFS13℄:
Thedense variantisurrentlyonly pratiallyappliabletoinput systems
over a nite eld where the input polynomials are onsidered dense; that
is, if the input polynomials are written as a matrix with olumns labeled by
the monomials, then the input matrix should be dense. Equivalently: if the
eld size is q and the set of allmonomials ourring in the input has size m,
thenthenumberof monomialsineah inputpolynomialshouldbereasonably
lose to (1- 1/q)m.
Also,aordingtoMagmadoumentation,anewexperimentaloptional
heuris-ti whih an be seleted for the algorithm when solving systems of
equa-tionsoverGF(2), alledthe RedutionHeuristi,whihan giveaneven
greater redutionin time and memory usage forsome largeexamples.
TheRedutionHeuristiisanewexperimentalheuristiwhihanbeseleted
in the dense variantof F4 when attemptingto solve ertain kinds of systems
ofequationsoverGF(2)where itisassumedthatthereisaverysmallnumber
of solutions, so the Groebner basis will onsist of mostly linear polynomials
