The Polynomial Composition Problem in (
Z
/
n
Z
)[
X
]
Marc Joye1, David Naccache2, and St´ephanie Porte3
1 Thomson R&D, Security Competence Center
1 avenue de Belle Fontaine, 35576 Cesson-S´evign´e Cedex, France [email protected]
2 Ecole normale sup´erieure, D´epartement d’informatique
45 rue d’Ulm, 75230 Paris Cedex 05, France [email protected]
3 Smart Consulting
2 rue Louis Vignol, 13600 La Ciotat, France [email protected]
Abstract. Let n be an RSA modulus and let P,Q ∈ (Z/nZ)[X]. This
paper explores the following problem: Given polynomialsQandQ(P), find polynomialP. We shed light on the connections between the above problem and the RSA problem and derive from it new zero-knowledge protocols suited to smart-card applications.
Keywords: Polynomial composition, zero-knowledge protocols,
Fiat-Shamir protocol, Guillou-Quisquater protocol, smart cards.
1
Introduction
Smart cards play an active role in security systems. Their salient features make them attractive in numerous applications, including — to name a few — the ar-eas of banking, telephone, health, pay TV, home computers, and communication networks.
One of the primary use of smart cards resides in authentication. There exist basically two families of methods currently used for authenticating purposes. The first family relies on secret-key one-way functions while the second one makes use of public-key techniques. Both families have their own advantages. This paper focuses on the second family. In particular, we study zero-knowledge techniques. In a typical scenario, the smart card, characterized by a set of cre-dentials, plays the role of the proving entity.
The first practical zero-knowledge protocol is due to Fiat and Shamir [3].
Remarkably, the protocol is rather efficient, computation-wise. It amounts to at
most two modular multiplications per interaction. However, in order to reach
a level of confidence of (1−2−k), the basic protocol has to be repeatedktimes
— a typical value forkisk= 40. In order to reduce the communication
Guillou-Quisquater protocol [4] (a.k.a. GQ protocol). The GQ protocol features small storage requirements and needs a single interaction.
In this paper we introduce a new problem, thePolynomial Composition
Prob-lem, which can be stated as follows.
Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA
modulus. Given polynomialsQandS :=Q(P), findP.
Most public-key cryptographic schemes base their security on the difficulty of
solving a hard mathematical problem. Given that the number of hard problems harnessable to cryptographic applications is rather limited, the investigation of new problems is of central importance in cryptography. To understand the Polynomial Composition Problem and its variants, we explore in the following sections the way in which the PCP relates to the celebrated RSA problem.
The Polynomial Composition Problem in (Z/nZ)[X] does not imply the RSA
Problem, that is, the computation of roots inZ/nZ. Nevertheless, we exhibit
a related problem that we callReducible Polynomial Composition Problem(RPCP)
and prove that RPCP⇔RSA. In particular, we prove that whenQ(X)=Xqthen
the Polynomial Composition Problem is equivalent to the problem of extracting
qthroots in
Z/nZ.
These new problems allow us to broaden the view of existing cryptographic constructions. Namely, we describe a general PCP-based zero-knowledge pro-tocol of which the Fiat-Shamir and the Guillou-Quisquater propro-tocols are
par-ticular instances. As will be seen later, ifsdenotes the secret, they respectively
correspond to the casesQ(X)=vX2andQ(X)=vXν(ν≥3), withQ(s)=1.
The rest of this paper is organized as follows. In Section 2, we formally define the Polynomial Composition Problem and introduce the notations used throughout this paper. The hardness of the problem and its comparison with RSA are analyzed in Section 3. Finally, in Section 4, we show that the PCP allows one to generalize several zero-knowledge protocols.
2
The Polynomial Composition Problem
We suggest the following problem as a basis for building cryptographic proto-cols.
Problem 1 (Polynomial Composition Problem (PCP)).LetP andQ be two
polynomials in (Z/nZ)[X] wherenis an RSA modulus. Given polynomialsQ
andS :=Q(P), findP.
Throughout this paperpandqdenote the degrees ofPandQ, respectively.
Let
P(X)=
p
X
i=0
where theui’s denote the unknowns we are looking for. We assume that
Q(Y)=
q
X
j=0
kjYj
is known. Hence,
S(X)=
q
X
j=0
kj p
P
i=0
uiXi
!j .
If, given polynomialsQ0
(Y) :=Q(Y)−k0andS0
(X) :=Q0(P(
X)), an attacker
can recoverP then the same attacker can also recoverP from{Q,S}by first
forming polynomials Q0
(Y) = Q(Y)−k0 and S0
(X) = S(X)−k0. Therefore
the problem is reduced to that of decomposing polynomials whereQ has no
constant term, i.e., Q(Y) = Pq
j=1kjY
j. Similarly, once this has been done, the
attacker can divideQby a proper constant and replace one of the coefficients
kjby one. Consequently and without loss of generality we restrict our attention
to monic polynomialsQwith no constant term, that is,
Q(Y)=Yq+kq−1Yq−1+· · ·+k1Y . (1)
Noting thatq=1 implies thatS =Q(P)=P, we also assume thatq≥2.
3
Analyzing the Polynomial Composition Problem
As before, letP(X) = Pp
i=0uiX
i and letQ(Y) = Yq+Pq−1
j=1kjY
j. Generalizing
Newton’s binomial formula and lettingkq:=1, we get
S(X)=
q
X
j=1
kj p
P
i=0
uiXi
!j
=
pq
X
t=0
P
1≤i0+···+ip≤q
i1+2i2+···+pip=t
ki0+···+ip (i0+···+ip)!
i0!...ip! u0
i0· · ·upip
| {z } :=ct
Xt, (2)
where the second sum is extended over all nonnegative integersij satisfying
1≤Pp
j=0ij≤qand Pp
j=0j ij=t.
3.1 RSA Problem⇒Polynomial Composition Problem
We define polynomialsP0, . . . ,Ppq∈(Z/nZ)[U0, . . . ,Up] as
Pt(U0, . . . ,Up) :=
X
1≤i0+···+ip≤q
i1+2i2+···+pip=t
ki0+···+ip
(i0+· · ·+ip)!
i0!. . .ip! U0 i0· · ·U
pip−ct . (3)
Proposition 1. For all0 ≤r≤p,Ppq−r ∈ (Z/nZ)[Up−r, . . . ,Up]. Furthermore, for
all1≤r≤p,Ppq−ris of degree exactly one in variable Up−r.
Proof. Forr= 0, we havePpq(U0, . . . ,Up)= Upq−cpq. Forr =p, the condition
Ppq−r∈(Z/nZ)[Up−r, . . . ,Up] is trivially satisfied.
Fixrin [1,p). By contradiction, suppose thatPpq−r<(Z/nZ)[Up−r, . . . ,Up]. So
from Eq. (3), there exists someij,0 with 0≤ j≤p−r−1. Since 1≤i0+· · ·+ip≤q,
it follows thati1+2i2+· · ·+pip≤ j·1+p·(q−1)<pq−r; a contradiction because
i1+2i2+· · ·+pip=pq−rfor polynomialPpq−r.
Moreover, for all 1 ≤ r ≤ p, Ppq−r is of degree one in variable Up−r since
we cannot simultaneously have 1 ≤Pp
j=0ij ≤q, Pp
j=0j ij =pq−r, andip−r ≥ 2. Indeed,ip−r ≥ 2 implies i1+2i2+· · ·+pip ≤ (p−r)·2+p·(q−2) < pq−r, a
contradiction. Whenip−r=1,i1+2i2+· · ·+pip=pq−rifip=q−1 andij=0 for
all 0≤(j,p−r)≤p−1. This implies that the only term inUp−rappearing in
polynomialPpq−risqUp−rUpq
−1
, whatever the values of variableski’s are. ut
Corollary 1. If the value of up is known then the Polynomial Composition Problem
can be solved in time O(p).
Proof. Solving for Up−1 the relationPpq−1(Up−1,up) = 0 (which is a univariate
polynomial of degree exactly one inUp−1by virtue of the previous proposition),
the value ofup−1 is recovered. Next, the root ofPpq−2(Up−2,up−1,up) gives the
value ofup−2and so on until the value ofu0is found.
Note that the running time of the resolution process is O(p) and is thus
exponential in the bit-length ofp. ut
This means that for low degree polynomials, the Polynomial Composition
Problem inZ/nZis easier than the problem of computingqth roots inZ/nZ
because if an attacker is able to compute aqth modular root (i.e., to solve the
RSA Problem) then she can findupfromPpq(up)=upq−cpq=0 and then apply
the technique explained in the proof of Corollary 1 to recoverup−1, . . . ,u0. In
other words,
Corollary 2. RSA Problem⇒Polynomial Composition Problem. ut
There is a proposition similar to Proposition 1. It says that onceu0is known,
u1, . . . ,upcan be found successively thanks to polynomialsP1, . . . ,Pp,
respec-tively.
Proposition 2. For all0 ≤ r ≤ p, Pr ∈ (Z/nZ)[U0, . . . ,Ur]. Furthermore, for all
1≤r≤p,Pris of degree exactly one in variable Ur.
Proof. We haveP0(U0)=Pq
j=1kjU0
j−c
0.
Forr∈[1,p], suppose thatPr<(Z/nZ)[U0, . . . ,Ur]. Therefore,i1+2i2+· · ·+ pip≥(r+1)·1>r; a contradiction sincei1+2i2+· · ·+pip=r. Moreover, we can
easily see thatPr(U0, . . . ,Ur) = qUq
−1 0 Ur+
Pq−1
j=1kjj U0j−1Ur+Qr(U0, . . . ,Ur−1)
3.2 Reducible Polynomial Composition Problem⇒RSA Problem
The Polynomial Composition Problemcannotbe equivalent to the RSA Problem.
Consider for example the casep=2 andq=3: we haveP(X)=u2X2+u1X+u0
andQ(X)=X3+k
2X2+k1X, and
S(X)=c6X6+c5X5+c4X4+c3X3+c2X2+c1X+c0
with
c0=k1u0+k2u20+u30,
c1=k1u1+2k2u0u1+3u20u1,
c2=k2u21+3u0u21+k1u2+2k2u0u2+3u20u2,
c3=u31+2k2u1u2+6u0u1u2,
c4=3u21u2+k2u22+3u0u22,
c5=3u1u22,
c6=u32.
We define the polynomialsP0(U0) :=k1U0+k2U02+U30−c0,P1(U0,U1) :=
k1U1+2k2U0U1+3U20U1−c1, andP5(U1,U2) :=3U1U22−c5. Now we first compute
the resultant ofP0andP1with respect to variableU0and obtain a univariate
polynomial inU1, sayR0 =ResU0(P0,P1). Next we compute the resultant of
R0andP5with respect to variableU1and get a univariate polynomial inU2,
sayR1=ResU1(R0,P5). After computation, we get
R1(U2)=27c31U26+(27c21c5k1−9c21c5k22)U 4 2 +(−4c3
5k 3 1+c
3 5k
2 2b
2−18c
0c35k1k2+4c0c35k 3 2−27c
2 0c
3 5) .
Sinceu2is a root of bothR1(U2) andP6(U2) :=U32−c6,u2will be a root of their
greatest common divisor in (Z/nZ)[U2], which is given by
(27c21c5k1−9c21c5k22)c6U2 +(27c31c26−4c3
5k 3 1+c
3 5k
2 1k
2
2−18c0c35k1k2+4c0c35k 3 2−27c
2 0c
3 5),
from which we derive the value ofu2. Onceu2 is known, the values ofu1 and
u0trivially follow by Corollary 1.
We now introduce a harder problem: theReducedPolynomial Composition
Problem in (Z/nZ)[X].
Problem 2 (Reduced Polynomial Composition Problem (RPCP)).LetP and
Qbe two polynomials in (Z/nZ)[X] wherenis an RSA modulus. GivenQand
the deg(P)+1 most significant coefficients ofS :=Q(P), findP.
Definition 1. When the Polynomial Composition Problem is equivalent to the Reduced
Equivalently, the Polynomial Composition Problem is reducible when the values ofc0, . . . ,cp(q−1)−1can be derived fromcp(q−1), . . . ,cpqandk1, . . . ,kq−1. This
is for example the case whenp=q=2, that is, whenP(X)=u2X2+u1X+u0,
Q(X)=X2+k 1X, and
S(X)=c4X4+c3X3+c2X2+c1X+c0
with
c0=k1u0+u20,
c1=k1u1+2u0u1,
c2=k1u2+2u0u2+u21,
c3=2u1u2,
c4=u22.
An astute algebraic manipulation yields:
c1=
4c2c3c4−c33
8c2 4
(mod n) and c0=
4c2 1c4−c
2 3k
2 1 4c2
3
(mod n) .
If follows that we can omit the first two relations (the information included therein is anyway contained in the remaining three as we had just shown) and the problem amounts to solving the Reduced Polynomial Composition Problem:
c2 =k1u2+2u0u2+u21,
c3 =2u1u2,
c4 =u22.
Theorem 1. Reducible Polynomial Composition Problem⇒RSA Problem.
Proof. Assume that we are given an oracle OPCP(k
1, . . . ,kq−1;c0, . . . ,cpq) which
on input polynomialsQ(X)=Xq+Pq−1
j=1kjX
jandS(X)=Ppq
t=0ctX
treturns the
polynomialP(X)=Pp
i=0uiX
isuch thatS(X)=Q(P(X)). When the polynomial
composition is reducible, oracleOPCPcan be used to compute aqthroot of a given
x∈Z/nZ,i.e., compute aysatisfyingyq≡x (modn).
1. choosep+q−1 random valuesk1, . . . ,kq−1,cp(q−1), . . . ,cpq−1∈Z/nZ;
2. computec0, . . . ,cp(q−1)−1;
3. runOPCP(k
1, . . . ,kq−1;c0, . . . ,cpq−1,x); 4. getu0, . . . ,up;
5. sety:=upand soyq≡x (mod n).
Note that Step 2 can be executed since the composition is supposed to be re-ducible. Furthermore, note that the values ofcpq−1, . . . ,cp(q−1)uniquelydetermine the values ofup−1, . . . ,u0, respectively. Indeed, from Proposition 1,
Ppq−r(Up−r,up−r+1, . . . ,up)∈(Z/nZ)[Up−r]
3.3 A Practical Criterion
In this section, we present a simple criterion allowing to decide if a given composition problem is reducible.
During the proof of Proposition 1, we have shown that there exists a poly-nomialQpq−r∈(Z/nZ)[Up−r+1, . . . ,Up] such that
Ppq−r(Up−r, . . . ,Up)=qUp−rUpq
−1
+Qpq−r(Up−r+1, . . . ,Up)
for all 1≤r≤p. Fromcpq=(up)q, we infer:
up−r=
−Qpq−r(up−r+1, . . . ,up) q cpq
up, (1≤r≤p) . (4)
Using Eq. (4), for r = 1, . . . ,p, we now iteratively compute up−1, . . . ,u0 as a
polynomial function in up. We let Υp−r denote this polynomial function, i.e.,
up−r = Υp−r(up) for all 1 ≤ r ≤ p. We then respectively replaceu0, . . . ,up−1 by Υ0(up), . . . , Υp−1(up) in the expressions ofc0, . . . ,cpq−p−1. If, for eachci (0 ≤ i ≤
pq−p−1), the powers ofup cancel thanks to (up)q−1 =c
pq then the problem is
reducible.
We illustrate the technique with the exampleP(X)=u3X3+u2X2+u1X+u0
andQ(Y)=Y3. ThenS(X)=P9
t=0ctXtwith
c0=u30,
c1=3u20u1,
c2=3u20u2+3u0u21,
c3=3u20u3+6u0u1u2+u31,
c4=6u0u1u3+3u0u22+3u21u2,
c5=6u0u2u3+3u21u3+3u1u22,
c6=3u0u23+6u1u2u3+u32,
c7=3u1u32+3u22u3,
c8=3u2u23,
c9=u33.
From the respective expressions ofc8,c7andc6, we successively find
Υ2(u3)= c8 3c9
u3, Υ1(u3)= 3c7c9
−c8
9c2 9
u3, and
Υ0(u3)= 27c6c 2
9−6c8(3c7c9−c 2 8)−c
3 8
81c39 u3 .
Sincec0, . . . ,c5are homogeneous inu0,u1,u2,u3and of degree three, they can be evaluated by replacingu0,u1,u2byΥ0(u3), Υ1(u3), Υ2(u3), respectively, and then
c0, . . . ,c5can be inferred fromc6, . . . ,c9and the problem amounts to computing cubic roots inZ/nZ.
This is not fortuitous and can easily be generalized as follows.
Corollary 3. ForQ(Y)=Yq, the Polynomial Composition Problem in
Z/nZis equiv-alent to the RSA Problem,i.e.to the problem of extracting qthroots in
Z/nZ.
Proof. From Eq. (2), it follows thatS(X)=Ppq
t=0ctX
twith
ct=
X
i0+···+ip=q
i1+2i2+···+pip=t
q!
i0!· · ·ip!u0
i0· · ·u pip,
which is homogeneous in u0, . . . ,up and of degreei0+· · ·+ip = q. Moreover
since by induction, for 1≤r≤p,Υp−r(up)=Kp−r·upfor some constantKp−r, the
corollary follows. ut
4
Cryptographic Applications
Loosely speaking, a zero-knowledge protocol allows a prover to demonstrate the knowledge of a secret without revealing any useful information about the secret. We show how to construct such a protocol thanks to composition of polynomials.
4.1 A PCP-Based Zero-Knowledge Protocol
A trusted third party selects and publishes an RSA modulusn. Each proverP
chooses two polynomialsP,Qin (Z/nZ)[X] and computesS =Q(P).{Q,S}
isP’s public key given to the verifierVso as to ascertainP’s knowledge of the
secret keyP.
Execute`times the following protocol:
• Pselects a randomr∈Z/nZ.
• Pevaluatesc=S(r) and sendsctoV.
• Vsends toPa random bitb.
• Ifb=0,Prevealst=randVchecks thatS(t)=c.
• Ifb=1,Prevealst=P(r) andVchecks thatQ(t)=c.
PCP-Based Protocol.
4.2 Improvements
Efficiency can be increased by using the following trick:
P chooses ν polynomials P1, . . . ,Pν−1,Q in (Z/nZ)[X], with ν ≥ 3. Her
Q,S1=Q(Pν−1),S2 =Q(Pν−1(Pν−2)), . . . ,Sj=Q(Pν−1(. . .(Pν−j))), . . . ,Sν−1= Q(Pν−1(. . .(P1)))}.
The protocol is shown below:
• Pselects a randomr∈Z/nZ
• Pevaluatesc=Sν−1(r) and sendsctoV.
• Vsends toPa random integer 0≤b≤ν−1.
• Ifb=0,Prevealst=randVchecks thatSν−1(t)=c.
• Ifb,0,Prevealst=Pb(. . .(P1(r))) andVchecks thatSν−b−1(t)=c.
Nested PCP Protocol.
4.3 Relations with Other Zero-Knowledge Protocols
It is interesting to note that our first protocol coincides with the (simplified)
Fiat-Shamir protocol [3] (see also [5, Protocol 10.24]) when P(X) = sX and
Q(X)=vX2wherevs2≡1 (modn).
The nested variant may be seen as a generalization of the Guillou-Quisquater
protocol [4] by takingP1(X)=P2(X)=· · ·=Pν−1(X)=sXwheresis a secret
value andQ(X) = vXν so thatvsν ≡ 1 (modn). Indeed, in this case we have
Pν−1(. . .(Pν−j(X)))=sjXand henceSj(X)=v1−jXν.
An interesting research direction would be to extend the above protocols to Dickson polynomials.
5
Conclusion
This paper introduced the Polynomial Composition Problem (PCP) and the re-lated Reducible Polynomial Composition Problem (RPCP). Relations between these two problems and the RSA Problem were explored. Further, two con-crete zero-knowledge protocols suited to smart-card applications were given as particular instances of PCP-based constructs.
Acknowledgments We are grateful to Jesper Buus Nielsen (ETHZ) for attracting
our attention to an important detail in the proof of Corollary 1. We are also grateful to the anonymous referees for useful comments.
References
1. Henri Cohen. A Course in Computational Algebraic Number Theory, GTM 138, Springer-Verlag, 1993.
3. Amos Fiat, and Adi Shamir. How to prove yourself: Practical solutions to identi-fication and signature problems. In A. M. Odlyzko, ed.,Advances in Cryptology – CRYPTO ’86, LNCS 263, pp. 186–194, Springer-Verlag, 1987.
4. Louis C. Guillou and Jean-Jacques Quisquater. A practical zero-knowledge proto-col fitted to security microprocessor minimizing both transmission and memory. In C. G ¨unther, ed.,Advances in Cryptology – EUROCRYPT ’88, LNCS 330, pp. 123–128, Springer-Verlag, 1988.
5. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone.Handbook of Applied Cryptography, CRC Press, 1997.
A
Mathematical Background
LetRbe an integral domain with quotient fieldK.
Definition 2. Given two polynomialsA,B ∈ R[X], the resultant of A and B,
denoted byRes(A,B), is defined as
Res(A,B)=(am)n(bn)m
Y
1≤i≤m,1≤j≤n
(αi−βj) (5)
ifA(X)=amQ1≤i≤m(X−αi)andB(X)=bnQ1≤j≤n(X−βj)are the decompositions
ofA andBin the algebraic closure ofK.
From this definition, we see that Res(A,B)=0 if and only if polynomials
A andB have a common root (inK); hence if and only ifA and Bhave a
(non-trivial) common factor. Equivalently, we have
Res(A,B)=(am)n
Y
1≤i≤m
B(αi)=(bn)m
Y
1≤j≤n
A(βj) .
The resultant Res(A,B) can be evaluated without knowing the
decompo-sition of A and B. LettingA(X) = P
1≤i≤maiXi and B(X) = P1≤j≤nbjXj, we
have
Res(A,B)=det
amam−1 . . . a0 0 . . . 0 0 am am−1. . . a0 . . . 0 ... ... ... ... · · · ... ...
0 0 0 amam−1. . .a0
bn bn−1 . . . b0 0 . . . 0 0 bn bn−1 . . . b0 . . . 0 ... ... ... ... · · · ... ...
0 0 0 bn bn−1 . . .b0
nrows mrows .
This clearly shows that Res(A,B)∈ R.
Amultivariate polynomialA ∈ R[X1, . . . ,Xk] (withk≥2) may be viewed as
to compute the resultant of two multivariate polynomials with respect to one variable, sayXk. IfA,B∈ R[X1, . . . ,Xk], we let ResXk(A,B) denote the resultant
ofA andBwith respect toXk.
Lemma 1. LetA,B ∈ R[X1, . . . ,Xk](with k ≥ 2). Then(α1, . . . , αk)is a common
root (inK) ofA andBif and only if(α1, . . . , αk−1)is a root ofResXk(A,B).
B
Additional Examples
B.1 The casep=3 andq=2
Using the previous notations and simplifications, we write P(X) = u3X3 +
u2X2+u1X+u0andQ(Y)=Y2+k1Y. Expressing theci’s we get:
c0=k1u0+u20,
c1=k1u1+2u0u1,
c2=u21+k1u2+2u0u2,
c3=2u1u2+k1u3+2u0u3,
c4=u22+2u1u3,
c5=2u2u3,
c6=u23.
Now using the criterion of§3.3, we find u2 = c5
2c6u3,u1 = Vu3, and u0 =
−k 2 1
4 +Lu3withV:= 4c4c6−c25
8c2
6 andL:=
8c3c26−c5(4c4c6−c25)
16c3
6 . Hence, we derive:
c2=c6V2+c5L, c1=2c6LV, andc0=−
k2 1
4 +L
2c 6 .
Being reducible, this proves that solving the PCP forp=3 andq=2 amounts
to computing square roots inZ/nZ.
B.2 The casep=3 andq=3
We haveP(X)=u3X3+u2X2+u1X+u0andQ(X)=X3+k2X2+k1X. Defining
polynomials Pi as in Eq. (3), we successively compute R0 := ResU0(P0,P1),
R1:=ResU1(R0,P7), andR2=ResU2(R1,P8) wherefrom
R2(u3)=19683c3 1u
18
3 +(−6561c21c7k22+19683c21c7k1)u163 +(2187c21c28k22−6561c2
1c 2 8k1)u
13 3 +(2916c0c37k
3 2+729c
3 7k
2 1k
2
2−13122c0c37k2k1−2916c37k 3 1
−19683c3
7c 2 0)u123 +(−2916c0c2
7c28k32−729c 2
8c27k22k21+13122c 2
8c27c0k2k1+2916c28c27k31 +19683c28c27c20)u93
+(972c48c7c0k32+243c 4 8c7k21k
2
2−4374c 4
8c7c0k1k2−972c48c7k31
−6561c4
8c7c 2 0)u
6 3 +(−108c6
8c0k32−27c 6 8k
2 1k
2 2+486c
6
8c0k1k2+108c68k 3 1+729c
6 8c
2 0)u
So, we obtain the value ofu3by exploiting the additional relationc9 =u33 and hence the values ofu2,u1, andu0.
Note that if we choosek1 =k22/3 then the terms inu316 (= c59u3) and inu133 (= c4
9u3) disappear and consequently the value ofu3 cannot be recovered. In this case, the criterion shows again that the problem is equivalent to that of