
An approach to create coprime polynomial pairs

Pasqualina Fragneto ([email protected])

STMicroelectronics, Advanced System Technology Agrate - Milano, Italy.

Anna Rimoldi ([email protected])

Department of Mathematics and Appl., University of Milan-Bicocca, Italy.

Massimiliano Sala ([email protected])

Boole Centre for Research in Informatics, UCC Cork, Ireland

Abstract

We propose a method to generate pairs of relatively prime polynomials. The method is deterministic and depends on Gröbner basis techniques. A possible application to Cryptography is presented.

Keywords: Gröbner bases, FGLM, discrete logarithm.

1 Introduction

It is easy to provide two arbitrary coprime polynomials v and w over any field K: take any v ∈ K[x] of positive degree and consider w = v + 1. These two polynomials have the same degree. Suppose instead that we want to find two relatively prime polynomials v, w ∈ K[x] with some given degrees deg(v) = d_v and deg(w) = d_w. Without loss of generality we may suppose d_w ≥ d_v. An obvious solution is to take any v ∈ K[x] s.t. deg(v) = d_v and construct w = vλ + 1, with λ ∈ K[x] s.t. deg(λ) = d_w − d_v. If |K| = q = p^r, with p prime and r ≥ 1, there are $(q-1)\,q^{d_w - d_v}$ such λ for each v, i.e. that many “obvious solutions”. An alternative approach (which is often used in practice) is to take two random polynomials, v and w, of the required degrees and test whether they are relatively prime. If they are not, discard them and try another pair. The test can obviously be carried out very efficiently ([Mor03]). Although in many cases the probability of success for the test is close to 1, this “test approach” is not deterministic.

The aim of the present paper is to show how coprime pairs can be produced by another, completely different, technique. This is accomplished by an application of the FGLM algorithm ([FGLM93]) in polynomial modules, which results in a deterministic technique. We developed it for a cryptanalytic reason ([Cop84]) and its formulation has been inspired by the Coding Theory application present in [Fit95].

5/XII/2005 BCRI–CGC–preprint, http://www.bcri.ucc.ie

The remainder of this paper is organized as follows:

• Section 2, where we provide preliminaries and notation, mainly on Gröbner bases for K[x]^2 and circulant matrices,

• Section 3, where we show our technique, with several variations,

• Section 4, where we highlight a possible application to Cryptography,

• Section 5, where we draw some conclusions and present some possible further research directions.

2 Preliminaries and notation

From now on K will denote an arbitrary field, p will denote a prime, q an integer of the form q = p^ρ, where ρ ≥ 1, F_q will be the finite field with q elements and Z_p will also denote the prime field F_p. As usual, K[x]^r will denote the product ring K[x]^r = K[x] × ··· × K[x] (r factors), which will be considered a module over K[x].

Given u, v ∈ K[x], u ≠ 0 and v ≠ 0, we will denote by gcd(u, v) their monic greatest common divisor.

2.1 Circulant matrices

Let m ≥ 1 be an integer. A circulant matrix A is a square m × m matrix in which each row of A is one right cyclic shift of the previous row. As a consequence, each column of A is also a downward cyclic shift of the previous column, as in the next example.

$$A = \begin{pmatrix}
1 & 1 & 0 & 0 & 1 & 0 & 0 \\
0 & 1 & 1 & 0 & 0 & 1 & 0 \\
0 & 0 & 1 & 1 & 0 & 0 & 1 \\
1 & 0 & 0 & 1 & 1 & 0 & 0 \\
0 & 1 & 0 & 0 & 1 & 1 & 0 \\
0 & 0 & 1 & 0 & 0 & 1 & 1 \\
1 & 0 & 0 & 1 & 0 & 0 & 1
\end{pmatrix} \tag{1}$$

Under the usual matrix operations, the m × m circulant matrices over K form a sub-algebra of the algebra formed by all m × m matrices over K. The algebra of circulant m × m matrices over K is isomorphic to the algebra of polynomials in the quotient ring K[x]/(x^m − 1), if any A = [a_{i,j}] is mapped onto the polynomial $\psi_A = a_{1,1} + a_{1,2}x + \cdots + a_{1,m}x^{m-1}$. Using the example of the circulant matrix in Equation (1), its polynomial representation is ψ_A = x^4 + x + 1. We will say that ψ_A is the polynomial of A. An important role is played by the main polynomial of A, i.e. the polynomial φ_A s.t. φ_A = gcd(ψ_A, x^m − 1).

Fact 2.1. Let A be an m × m circulant matrix over K. Let φ_A be the main polynomial of A. Then

rk(A) = m − deg(φ_A).

2.2 Gröbner bases for modules in K[x]^2

Notation and results presented here come mainly from [Fit95], but we will state easy generalizations and consequences without proof. We focus on Gröbner bases for sub-modules of K[x]^2.

Given S ⊂ K[x]^2, we denote by ⟨S⟩ the sub-module (over K[x]) generated by S. A term t in K[x]^2 is either (x^i, 0) or (0, x^j), where i, j ≥ 0. We denote by 𝒯 the set of all terms of K[x]^2. If T is a set of terms, we denote by ⟨T⟩_𝒯 the term set

$$\langle T\rangle_{\mathcal T} = \{\, t \in \mathcal T \mid \exists\, m \in T \text{ s.t. } m \mid t \,\}.$$

On terms in K[x]^2 we can define a parametrized family of orders, as follows. For any r ∈ Z, the order <_r is defined by

$$(x^i, 0) <_r (x^{i'}, 0) \ \text{ if } i < i', \qquad (0, x^j) <_r (0, x^{j'}) \ \text{ if } j < j', \qquad (x^i, 0) <_r (0, x^j) \ \text{ if } i \le j + r.$$

It is easy to see that the order <_r is admissible. It is possible to characterize the previous term orders according to whether r is non-negative or negative:

$$r \ge 0:\quad (1,0) <_r (x,0) <_r \cdots <_r (x^{r},0) <_r (0,1) <_r (x^{r+1},0) <_r (0,x) <_r \cdots$$

$$r < 0:\quad (0,1) <_r (0,x) <_r \cdots <_r (0,x^{-r-1}) <_r (1,0) <_r (0,x^{-r}) <_r (x,0) <_r \cdots$$

From now on we will keep one of the orders <_r fixed, unless otherwise specified. Any element (a, b) of K[x]^2 can always be seen as a linear combination (over K) of terms. The greatest term of (a, b) with respect to the term order <_r is called the leading term of (a, b) and is denoted by Lt(a, b). The coefficient of Lt(a, b) is called the leading coefficient of (a, b) and is denoted by Lc(a, b). Let M be a submodule of K[x]^2. There is a unique element (a, b) of M s.t. Lt(a, b) is the least term in Lt(M) and Lc(a, b) = 1. We will say that (a, b) is the minimal element of M (however, observe that no order on M is mentioned).

Any basis B of a submodule M satisfying ⟨Lt(B)⟩_𝒯 = ⟨Lt(M)⟩_𝒯 is called a Gröbner basis of M. Furthermore, a Gröbner basis B is called a reduced Gröbner basis if every element of B has the property that none of its terms is divisible by the leading term of any other element of B. If every element of B is monic, we say that B is monic. It is well-known that there is a unique monic reduced Gröbner basis for any M. For submodules of K[x]^2, we can give the following characterization of their Gröbner bases.

Theorem 2.2. Let M be a proper sub-module of K[x]^2 and B any of its reduced Gröbner bases. Then one of the following three cases occurs:

(1) Lt(B) = {(x^i, 0)}, with i ≥ 0,

(2) Lt(B) = {(0, x^j)}, with j ≥ 0,

(3) Lt(B) = {(0, x^j), (x^i, 0)}, with i + j ≥ 1.

In particular, case (3) happens if and only if one of the following equivalent conditions holds:

• B ⊆ M is a two-element basis whose elements have leading terms on opposite sides,

• B ⊆ M is a two-element basis whose elements have leading terms on opposite sides and minimal exponents.

Let S = {(a_i, b_i) : 1 ≤ i ≤ m} be a finite subset of K[x]^2. Given a term order on K[x]^2, a well-known division algorithm allows us to divide an arbitrary element (a, b) of K[x]^2 by S, obtaining

$$(a, b) = f_1 (a_1, b_1) + f_2 (a_2, b_2) + \cdots + f_m (a_m, b_m) + (u, v),$$

where the quotients f_i are polynomials of K[x] and the remainder (u, v) is such that either no term of (u, v) is divisible by any Lt(a_i, b_i) or else (u, v) = (0, 0). In general, the remainder (u, v) produced by the division algorithm is not unique.

Theorem 2.3. Let M, M′ be two proper sub-modules of K[x]^2 and B, B′ their respective monic reduced Gröbner bases. Then:

• the division of any (a, b) ∈ K[x]^2 by B gives a uniquely defined remainder (with a given order),

• the minimal element of M must lie in B,

• M′ = M if and only if B′ = B.

The unique remainder of a division by a Gröbner basis B is called the normal form (with respect to B) and is denoted by Nf_B(a, b). Normal forms are essential to perform the FGLM algorithm ([FGLM93]), which is the main algorithm to convert a basis w.r.t. one order into a basis w.r.t. another order (Subsection 2.4).


2.3 A congruence module

We show some properties of a particular submodule of K[x]^2, using simple generalizations of results from [Fit95].

Let n ∈ N, n ≥ 2. Let f and g be polynomials in K[x] of degree deg(f) = n and deg(g) ≤ n − 1. We will use a bar to denote reduction modulo f, as in $\overline{x^2}$. Let M be the following sub-module of K[x]^2,

$$M = \{(a, b) \in K[x]^2 \mid a \equiv bg \bmod f\}. \tag{2}$$

In this sub-section M and its parameters will be understood, as they will be whenever, throughout the paper, we refer to “a module of type (2)”.

It is easy to show that the subset B = {(g, 1), (f, 0)} of M is a reduced Gröbner basis relative to the term order <_{deg(g)}. The normal forms of terms in 𝒯 w.r.t. B can be easily described as follows. The terms of the form (0, x^k) can be written as linear combinations of elements of B in this way: writing x^k g = λf + \overline{x^k g} with λ ∈ K[x],

$$(0, x^k) = x^k (g, 1) - (x^k g, 0) = x^k (g, 1) - \lambda (f, 0) - (\overline{x^k g}, 0). \tag{3}$$

Since B is a Gröbner basis, from Nf_B(g, 1) = Nf_B(f, 0) = (0, 0) and (3), we have that

$$\mathrm{Nf}_B(0, x^k) = (-\overline{x^k g}, 0). \tag{4}$$

On the other hand, the normal form of a term (x^k, 0) with k < n is clearly

$$\mathrm{Nf}_B(x^k, 0) = (x^k, 0). \tag{5}$$

The interest in the study of a module M arises from a problem in Coding theory, with K = F_q. The central computation in some decoding problems is the determination of the particular solution of the congruence known as the key equation ([Fit95]), that is,

$$a \equiv bg \bmod (x^n) \tag{6}$$

(where the polynomial g, of degree ≤ n − 1, is the syndrome polynomial) satisfying

$$\deg a \le l, \quad \deg b \le m, \quad l + m < n, \quad \gcd(a, b) = 1.$$

All possible solutions of the key equation form a sub-module M. The required solution of equation (6) can be seen as the minimal element of the submodule M w.r.t. a certain term order. To be more precise:


Theorem 2.4. The solution (a, b) of the above-mentioned key equation is the minimal element of M relative to the term order <_r, where r = l − m.

Thus, one can start from the “natural” basis B = {(g, 1), (x^n, 0)} and then compute the basis w.r.t. the desired order, obtaining the required solution, using FGLM (which is the main idea in [Fit95]).

Remark 2.5. Since the polynomial g is a syndrome polynomial, the minimal solution (a, b) is a pair of coprime polynomials. However, in general the minimal element of an arbitrary M does not satisfy this property.

2.4 FGLM in K[x]2

In this subsection we briefly describe the FGLM algorithm ([FGLM93]) applied to our cases.

Let B be a (two-element) Gröbner basis of a module M relative to a certain term order <_r. The FGLM algorithm allows us to determine another Gröbner basis B′, relative to another order <_{r′}.

Let t_1, t_2, ... ∈ K[x]^2 be the consecutive terms w.r.t. <_{r′}, t_1 being the least term in 𝒯. Let j be the smallest positive integer s.t.

$$\mathrm{Nf}_B(t_j) = \sum_{i<j} \alpha_i\, \mathrm{Nf}_B(t_i), \tag{7}$$

where the α_i's are in K. Then the first element of B′ will be $(a_1, b_1) = t_j - \sum_{i<j} \alpha_i t_i$. Omit all subsequent terms that are multiples of t_j and continue to consider the normal forms of the remaining t_i's w.r.t. <_{r′}. Let k be the next index for which an equation of the form (7) holds. Then $(a_2, b_2) = t_k - \sum_{i<k} \alpha_i t_i$ will be the second element of B′.

As a special case, let M be a module of type (2) (Subsection 2.3) and let B = {(g, 1), (f, 0)} be its above-mentioned monic reduced Gröbner basis. We are interested in finding the minimal element of M satisfying the degree constraints of (6) and so we apply the FGLM algorithm with a suitable r.

Example 2.6. Let K = F_2. Let f = x^7 + x + 1 and g = x^6 + x^5 + x^3 + x + 1 be in Z_2[x]. Note that deg(g) < deg(f). We choose a term order <_r with r = 2 − 3 = −1 < 0, because we want the minimal solution (a, b) with degrees deg(a) ≤ 2 and deg(b) ≤ 3. We consider the normal forms relative to the basis B, listing the terms in the order <_{−1}, and then we need to determine the first normal form that is a linear combination of those that precede it. Observe that over Z_2 a linear combination is just a sum. Then (each row gives the coefficients of the left-hand polynomial of the normal form, from x^6 down to the constant term):


                x^6  x^5  x^4  x^3  x^2   x    1
Nf(0, 1)         1    1    0    1    0    1    1
Nf(1, 0)         0    0    0    0    0    0    1
Nf(0, x)         1    0    1    0    1    0    1
Nf(x, 0)         0    0    0    0    0    1    0
Nf(0, x^2)       0    1    0    1    0    0    1
Nf(x^2, 0)       0    0    0    0    1    0    0
Nf(0, x^3)       1    0    1    0    0    1    0

We have Nf(0, x^3) = Nf(1, 0) + Nf(0, x) + Nf(x, 0) + Nf(x^2, 0), and hence the minimal element is (a, b) = (x^2 + x + 1, x^3 + x).

2.5 A preliminary result

Let us adopt the notation of Subsection 2.3. If the polynomials g and f are arbitrary, then the minimal element (a, b) of M always satisfies the required degree conditions (with respect to a certain term order), but it is possible that gcd(a, b) ≠ 1 (Remark 2.5). It is fundamental for us to avoid this situation and so we present two simple preliminary results.

Theorem 2.7. Let (a, b) be the minimal element of the submodule M as in (2). Then

gcd(a, b) | f.

Proof. If gcd(a, b) = 1 there is nothing to prove. Otherwise let l ∈ K[x] be an irreducible factor of gcd(a, b). Let ε ≥ 1 be s.t. l^ε | gcd(a, b) and l^{ε+1} ∤ gcd(a, b). We clearly have a = l^ε a_1 and b = l^ε b_1, for some a_1, b_1 ∈ K[x]. Since (a, b) is an element of M, we have

a − bg = fs,

where s ∈ K[x]. But then l^ε (a_1 − b_1 g) = fs. As l is an irreducible polynomial, we deduce that either l | f or l | s (or both). If we suppose that l | s, then there is a polynomial s_1 such that s = l s_1. As a consequence,

$$l\,(a_1 l^{\varepsilon-1} - b_1 g\, l^{\varepsilon-1}) = f\, l\, s_1 \iff a_1 l^{\varepsilon-1} - b_1 g\, l^{\varepsilon-1} = f s_1,$$

from which we deduce that (a_1 l^{ε−1}, b_1 l^{ε−1}) = (a/l, b/l) is an element of M. This is impossible because (a, b) is the minimal element of M and (a/l, b/l) is obviously strictly smaller than (a, b) (w.r.t. any admissible order!). Therefore l ∤ s; since l is irreducible and l^ε divides fs, this gives l^ε | f.

Since the prime-power factors l^ε of gcd(a, b) obtained in this way are pairwise coprime and each divides f, their product gcd(a, b) divides f, too.


From the previous result we have

Corollary 2.8. Let (a, b) be the minimal element of M. If f is an irreducible polynomial, then

gcd(a, b) = 1.

In Example 2.6, f = x^7 + x + 1 is irreducible over F_2 and hence we expect the minimal element (a, b) to be s.t. gcd(a, b) = 1, which is indeed what happens: x^2 + x + 1 is irreducible and does not divide x^3 + x = x(x + 1)^2.

3 Our techniques

In this section we show our techniques.

Corollary 2.8 is our starting point. The first technique we propose is the following. We choose two integers α, β ≥ 1 and a field K. We take any n s.t. n > α and n > β. We take any irreducible polynomial f ∈ K[x] s.t. deg(f) = n. We set r = α − β and use the term order <_r. We take any g ∈ K[x] s.t. deg(g) < n. We compute the minimal element (a, b) of the sub-module M defined in (2) using FGLM as in Subsection 2.4. From our previous considerations it is clear that

Fact 3.1. Proceeding as above we get a pair (a, b) of polynomials in K[x] such that gcd(a, b) = 1 and deg(a) ≤ α, deg(b) ≤ β.

The degree bounds are guaranteed whenever α + β + 2 > n: the normal forms of the first α + β + 2 terms (see Lemma 3.2 below) are vectors of K^n, so a linear dependency among them is forced; for larger n the first dependency, and hence the minimal element, may involve terms of higher degree.

Our proposed method is an original way to provide pairs of coprime polynomials, but its effectiveness is strongly limited by the lack of control on the polynomial degrees, apart from the weak bounds deg(a) ≤ α and deg(b) ≤ β. In practice, this may result in trivial pairs, like (1, b); also, the choice of f and g influences the outcome in a very unpredictable way. In order to be able to overcome these difficulties we need a deeper analysis of what happens during the FGLM algorithm in our cases, so that we can force the outcome to satisfy some strict degree requirements. This is done in the next subsections, where a matrix approach is presented.

3.1 A matrix interpretation

Since we only need the first linear combination that occurs in the FGLM algorithm, it is possible to estimate how many terms are needed to get it.

Lemma 3.2. In the application of the FGLM algorithm to our case, we need at most the first α + β + 2 terms.

Proof. Let (a, b) be our solution, with deg(a) ≤ α and deg(b) ≤ β. That means that the terms we may need are, in the worst case, those in {(x^h, 0), (0, x^k) | 0 ≤ h ≤ α, 0 ≤ k ≤ β}, which are α + β + 2 terms. However, we have to list the terms of K[x]^2 according to the new ordering <_r and we might need to consider other terms in order to reach the greater of the two terms (x^α, 0) and (0, x^β). Fortunately, this does not happen thanks to the value chosen for the degree parameter r = α − β:

• if α ≥ β, we have (Subsection 2.2)

$$(1,0) <_r (x,0) <_r \cdots <_r (x^{\alpha-\beta},0) <_r (0,1) <_r (x^{\alpha-\beta+1},0) <_r (0,x) <_r \cdots <_r (x^{\alpha},0) <_r (0,x^{\beta}),$$

• if β > α, we have (Subsection 2.2)

$$(0,1) <_r (0,x) <_r \cdots <_r (0,x^{\beta-\alpha-1}) <_r (1,0) <_r (0,x^{\beta-\alpha}) <_r (x,0) <_r \cdots <_r (x^{\alpha},0) <_r (0,x^{\beta}).$$

In both cases (x^i, 0) <_r (0, x^j) exactly when i ≤ j + α − β, so the terms up to (0, x^β) are precisely the α + β + 2 terms listed above. In Example 2.6 we have α = 2, β = 3, hence we would need 2 + 3 + 2 = 7 terms, which is indeed what happens (since the highest possible degrees have been reached).

Given a polynomial v in K[x] of degree strictly less than n, we may associate to it a vector in K^n, as follows:

$$a_0 + \cdots + a_{n-1}x^{n-1} \mapsto (a_0, \ldots, a_{n-1}). \tag{8}$$

This correspondence is a vector space isomorphism over K. If we fix an irreducible monic polynomial f ∈ K[x] of degree n, we can extend this correspondence to the extension field K[x]/(f):

$$K[x]/(f) \to K^n, \qquad [a_0 + \cdots + a_{n-1}x^{n-1}]_{\equiv} \mapsto (a_0, \ldots, a_{n-1}), \tag{9}$$

where [v]_≡ denotes an equivalence class in the quotient ring and v will always be the smallest-degree polynomial within the class (the remainder of the division by f, which is unique). Now, we can define a map K[x]/(f) → K[x]/(f) as v ↦ xv. Via correspondence (9), this map is extended to a map

$$K^n \to K^n, \qquad (v_1, \ldots, v_n) \mapsto (0, v_1, \ldots, v_{n-1}) + v_n (f_0, \ldots, f_{n-1}),$$

where f = x^n + f_{n−1}x^{n−1} + ··· + f_0, and we call it a shift with reduction. (Strictly, x^n ≡ −(f_{n−1}x^{n−1} + ··· + f_0) mod f, so the reduction term carries a minus sign; the plus sign above is correct in characteristic 2, where all the examples of this paper live, and in odd characteristic one reads −f_i for f_i here and in Lemma 3.11.)

Observe that the normal form of any term has only one non-zero component (the left one), so that we may uniquely represent it by its left-hand polynomial, as in Nf_B(0, x^k) ↦ −\overline{x^k g} and Nf_B(x^k, 0) ↦ x^k. Through correspondence (9), it means that Nf_B(0, x^k) is mapped to the k-th shift with reduction of the vector of g (up to sign) and that Nf_B(x^k, 0) is mapped to the k-th shift with reduction of (1, 0, ..., 0), which is only the usual shift (0, ..., 0, 1, 0, ..., 0) with the 1 preceded by k zeros.

We are ready to introduce our matrix.

Definition 3.3. Let K be a field, n > α, β ≥ 1, f, g ∈ K[x] s.t. f and g are monic, deg(f) = n, 1 ≤ deg(g) < n. Let M be the corresponding module (2) and B its natural basis. Let t_1 <_r ... <_r t_{α+β+2} be the first α + β + 2 terms in K[x]^2 w.r.t. <_r, with r = α − β. Let (a, b) be the minimal element of M. We denote by A_{f,g} the solution matrix, i.e. the (α + β + 2) × n matrix over K s.t. its i-th row is Nf_B(t_i), represented as a row vector via (9), for 1 ≤ i ≤ α + β + 2, and s.t. its first column contains the lowest degree coefficients of the polynomials. We say that (a, b) is the solution of A_{f,g}, that a is the left-solution and that b is the right-solution. We say that row j of A_{f,g} is the solution row if it is the row corresponding to (a, b).

Observe that the matrix representation given in Definition 3.3 has shifts to the right, while the representation given in Example 2.6 has shifts to the left. Although the latter is more common in the literature, we prefer the former because it makes proofs easier to write and understand.

Remark 3.4. In the case r = −1, we have

$$(0,1) <_{-1} (1,0) <_{-1} (0,x) <_{-1} (x,0) <_{-1} (0,x^2) <_{-1} (x^2,0) <_{-1} \cdots$$

and hence the even rows of A_{f,g} correspond to the shifts of (1, 0, ..., 0), while the odd rows correspond to the shifts (with reduction) of g (up to the sign in Nf_B(0, x^k) = (−\overline{x^k g}, 0), which is immaterial over F_2).

The following fact is obvious.

Fact 3.5. Let M be as in (2) and let A_{f,g} be the corresponding solution matrix. Then the first row in A_{f,g} which is a linear combination of the previous rows is the solution row.

Definition 3.6. Let β ≥ 1 and z ≥ 1 be integers s.t. z ≤ β. Let N ≥ 2β + 2 and M ≥ β + 2 be integers. Let A be an N × M matrix over K. We consider the minor S of A formed by the rows {2h + 1 | 0 ≤ h ≤ β} and the last β + 1 columns. We say that A is β-circulant of rank z and that S is its circulant minor, if:

(1) S is a circulant matrix of rank z and

(2) the first z rows of S are linearly independent.

Let φ_S ∈ K[x] be the main polynomial of S. We say that φ_S is the circulant polynomial of A.

Fact 3.7. Let A_{f,g} be the solution matrix corresponding to a module M in (2). Assume A_{f,g} is a β-circulant matrix of rank z. Suppose n = β + 1 + z and r = −1. Then row 2z + 1 of A_{f,g} is the solution row. Moreover, deg(b) = z, where b is the right-solution of M.

Proof. Let S be the circulant minor of A_{f,g}. Let row j be the solution row. We are going to show that j ≥ 2z + 1 and that row 2z + 1 is indeed a linear combination of the previous rows.

We show j ≥ 2z + 1 by contradiction. If j < 2z + 1 we distinguish two cases: either j is odd or j is even. If j is even, j = 2h with 1 ≤ h ≤ z, it corresponds to Nf_B(x^{h−1}, 0) and hence it is the (h − 1)-th shift of (1, 0, ..., 0), having a 1 in the h-th component and zero in the other components. Since the previous even rows are smaller shifts of (1, 0, ..., 0), they do not contain a 1 in position h and so the j-th row cannot be a combination of the previous even rows only. Let 2k + 1 be the largest odd integer such that the (2k + 1)-th row is involved in this linear combination, i.e. the (k + 1)-th odd row. By hypothesis we have k < z. Since n = β + 1 + z, the even rows up to row 2z have all zero components in the last β + 1 coordinates and so, if we restrict to the last β + 1 components, the (2k + 1)-th row is a combination of the odd rows alone, which is equivalent to the existence of a linearly dependent subset in the first k + 1 ≤ z rows of S, contradicting point (2) of Definition 3.6. If j is odd, j = 2k + 1, then we may argue as before, since again the (2k + 1)-th row is a combination of the odd rows only, when restricted to the last β + 1 components.

We now explain why row 2z + 1 is a linear combination of the previous rows. If we restrict to the last β + 1 columns, we see that the even rows up to row 2z have only zero components and so we may consider only the first z + 1 odd rows, i.e. the first z + 1 rows of S. Since S has rank z and its first z rows are linearly independent, its (z + 1)-th row is a linear combination of its previous rows. If we restrict to the first z columns, we see that the first z even rows are a set of generators for K^z and so whatever combination is needed on the odd rows (to get a combination on the last columns), it can be obviously extended to all rows of A_{f,g}.

Since the solution row is row 2z + 1, i.e. the row of the term (0, x^z), it is obvious that deg(b) = z.

Fact 3.8. Let us adopt the same hypotheses of Fact 3.7. Let φ be the circulant polynomial of A_{f,g}. We have:

(1) we can write g as g = φ* x^z + ψ, where deg(φ*) ≤ β and deg(ψ) < z,

(2) deg(φ) = β + 1 − z and φ = gcd(φ*, x^{β+1} − 1),

(3) φb = x^{β+1} − 1, and φ is monic.

Proof. Point (1) is obvious. Point (2) follows from Fact 2.1. Let (a, b) be the minimal element of M. Let $b = \sum_{i=0}^{\beta} \alpha_i x^i$, with {α_i} ⊂ K. For any 0 ≤ i ≤ β, let r_i be the smallest degree polynomial s.t.

$$r_i \equiv x^i \varphi^* \bmod (x^{\beta+1} - 1).$$

We have that the r_i's correspond to the odd rows of the minor S, by elementary properties of circulant matrices. By construction of b we have

$$\sum_{i=0}^{\beta} \alpha_i r_i \equiv 0 \bmod (x^{\beta+1} - 1), \tag{10}$$

since the even rows do not play any role for b and so we can ignore them when we restrict to S. Equation (10) clearly implies

$$\sum_{i=0}^{\beta} \alpha_i r_i \equiv \sum_{i=0}^{\beta} \alpha_i x^i \varphi^* \equiv \varphi^* \Big(\sum_{i=0}^{\beta} \alpha_i x^i\Big) \equiv \varphi^* b \equiv \varphi L b \equiv 0 \bmod (x^{\beta+1} - 1),$$

where φ* = φL, with gcd(L, x^{β+1} − 1) = 1. This is equivalent to

$$\varphi L b = (x^{\beta+1} - 1)\,\eta,$$

for some η ∈ K[x]. Since gcd(L, x^{β+1} − 1) = 1, no factor of L divides x^{β+1} − 1 and hence φb = (x^{β+1} − 1)η′, for η = Lη′. Using point (2) we have

$$\deg(\varphi b) = \deg(\varphi) + \deg(b) = (\beta + 1 - z) + z = \beta + 1 \;\Rightarrow\; \eta' \in K.$$

Since φ and b are monic by construction, we have η′ = 1.

Facts 3.7 and 3.8 guarantee some control on the outcome of our method, but we need conditions on g and f to ensure that A_{f,g} satisfies their hypotheses. There is one case when this is straightforward. We need a lemma first.

Lemma 3.9. Let ζ and m be integers with 1 ≤ ζ < m. Let A be a matrix over K of this kind

$$A = \begin{pmatrix}
a_{1,1} & \cdots & a_{1,\zeta} & a_{1,\zeta+1} & \cdots & a_{1,2\zeta} & \cdots & a_{1,m+\zeta} \\
\vdots & & \vdots & \vdots & & \vdots & & \vdots \\
a_{m,1} & \cdots & a_{m,\zeta} & a_{m,\zeta+1} & \cdots & a_{m,2\zeta} & \cdots & a_{m,m+\zeta}
\end{pmatrix}$$

such that

$$a_{i,j} = a_{i+1,j+1}, \qquad 1 \le i \le m-1,\; 1 \le j \le \zeta + m - 1.$$

Let C be the m × m square submatrix formed by the last m columns. Then the following three conditions are equivalent:

(1) a_{1,ζ−j} = a_{1,ζ+m−j}, for 0 ≤ j ≤ ζ − 1,

(2) a_{j,ζ} = a_{1,ζ+m−j+1}, for 1 ≤ j ≤ m,

(3) C is circulant.

Proof. Obvious.

Fact 3.10. Let β ≥ 1 and z ≥ 1 be integers s.t. z ≤ β. Let f ∈ K[x] be f = x^n, where n = β + 1 + z. Let g ∈ K[x] be s.t. z ≤ deg(g) ≤ z + β, so that g = φ* x^z + ψ, where deg(φ*) ≤ β and deg(ψ) < z. Let φ = gcd(φ*, x^{β+1} − 1). Assume deg(φ) = β + 1 − z. Let ψ = ψ_{z−1} x^{z−1} + ... + ψ_0 and φ* = φ*_β x^β + ... + φ*_0. Let A_{f,g} be the solution matrix corresponding to the module M, with r = −1. Then the following two conditions are equivalent:

(a) A_{f,g} is a β-circulant matrix of rank z,

(b) ψ_{z−1−i} = φ*_{β−i}, for 0 ≤ i ≤ z − 1.

Proof. Let S be the circulant minor of A_{f,g}. The odd rows of A_{f,g} are simply the shifts of g without reduction (because f = x^n). Let A be the matrix formed by these rows. We clearly have that A satisfies the hypothesis of Lemma 3.9, with ζ = z, m = β + 1 and C = S. In addition, condition (b) is a rephrasing of condition (1) of Lemma 3.9. The result follows because if S is not circulant condition (b) cannot hold (Lemma 3.9) and if condition (b) holds then S is circulant (Lemma 3.9) and hence it must have rank z, since deg(φ) = β + 1 − z.

Using Facts 3.7, 3.8 and 3.10, we might easily provide an algorithm to generate pairs of polynomials, one of them with a fixed degree, but a pair would not necessarily contain coprime polynomials, since x^n is reducible (over any field). What we have to do is to adapt Fact 3.10 to a case when f is irreducible, but that brings the additional complication of reductions. The following lemma deals with the effect of successive shifts with reduction. Let v be a vector. We use the bracket notation v[i] for vector components, if i ≥ 1, and we use the convention that v[i] = 0 for any i ≤ 0.

Lemma 3.11. Let n ≥ 3. Let 1 ≤ σ ≤ n − 1. Let χ_f : K^n → K^n be the shift with reduction associated to f = x^n + f_{n−1}x^{n−1} + ... + f_0, with f_{n−h−1} = 0 for 0 ≤ h < σ. Let f_j = 0 for j < 0. We have

$$(\chi_f v)[i] = v[i-1] + v[n]\, f_{i-1} \tag{11}$$

$$(\chi_f^{\sigma} v)[i] = v[i-\sigma] + \sum_{h=0}^{\sigma-1} v[n-h]\, f_{i-\sigma+h} \tag{12}$$

Proof. We show (12) by induction on σ.

The case σ = 1 is equation (11), which is obvious.

Let χ = χf . We assume (12) to be true for a σ ≥ 1 and we show it forσ + 1. Let w = (χσv). By (11), we have

(χσ+1v)[i] = (χw)[i] = w[i− 1] + w[n]fi−1 .

We compute w[i− 1] and w[n], using (12) for σ, as follows

w[i− 1] = v[i− 1− σ] +σ−1∑h=0

v[n− h]fi−1−σ+h ,

CGC

Page 14: An approach to create coprime polynomial pairs · We propose a method to generate pairs of relatively prime polynomials. The method is deterministic and depends on Grobner basis techniques.

14 An approach to create coprime polynomial pairs

$$w[n] = v[n-\sigma] + \sum_{h=0}^{\sigma-1} v[n-h] \, f_{n-\sigma+h} = v[n-\sigma] ,$$

where the last equality comes from the hypothesis $f_{n-h-1} = 0$ for $0 \leq h < \sigma$. Putting together the three previous expressions, we get

$$(\chi^{\sigma+1} v)[i] = v[i-1-\sigma] + \sum_{h=0}^{\sigma-1} v[n-h] \, f_{i-1-\sigma+h} + v[n-\sigma] f_{i-1} ,$$

which is, by a trivial regrouping,

$$(\chi^{\sigma+1} v)[i] = v[i-(\sigma+1)] + \sum_{h=0}^{\sigma} v[n-h] \, f_{i-(\sigma+1)+h} , \qquad (13)$$

and (13) is clearly (12) with $\sigma+1$ instead of $\sigma$.

Note that (12) holds also in the case $\sigma = 0$.
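As an added illustration of Lemma 3.11 (this code is not part of the paper), the following Python checks formula (12) exhaustively against direct multiplication by $x^{\sigma}$ modulo $f$ over $\mathbb{F}_2$, the field of the application in Section 4 (over $\mathbb{F}_2$ the sign of the reduction term is immaterial). The polynomial $f = x^6 + x + 1$ and all function names are my own choices; the hypothesis $f_{n-h-1} = 0$ for $0 \leq h < \sigma$ is turned into the bound computed by `max_sigma`.

```python
# Added example (not from the paper): the shift-with-reduction operator of
# Lemma 3.11 over F_2, checked exhaustively against formula (12).
# The formulas use the paper's 1-indexing: v[i] is the coefficient of
# x^(i-1), v[i] = 0 for i <= 0 and f_j = 0 for j < 0.  Python lists are
# 0-indexed, so list index i-1 holds the paper's v[i].

def shift_with_reduction(v, f):
    """One application of chi_f: x*v mod f over F_2.

    v: list of n bits, v[0] = coefficient of x^0.
    f: list of n+1 bits, f[j] = f_j, f[n] = 1 (f monic of degree n).
    """
    n = len(v)
    assert len(f) == n + 1 and f[n] == 1
    top = v[n - 1]                          # the paper's v[n], coefficient of x^(n-1)
    w = [0] + v[:-1]                        # multiply by x and drop the x^n term
    if top:                                 # x^n = q (mod f) over F_2, where q = f - x^n
        w = [w[j] ^ f[j] for j in range(n)]
    return w

def chi_power(v, f, sigma):
    """chi_f applied sigma times (sigma = 0 returns v unchanged)."""
    for _ in range(sigma):
        v = shift_with_reduction(v, f)
    return v

def formula_12(v, f, sigma, i):
    """Right-hand side of (12) for the paper's component i, 1 <= i <= n."""
    n = len(v)
    def V(k):                               # v[k] with the convention v[k] = 0 for k <= 0
        return v[k - 1] if 1 <= k <= n else 0
    def F(j):                               # f_j with the convention f_j = 0 for j < 0
        return f[j] if 0 <= j <= n else 0
    total = V(i - sigma)
    for h in range(sigma):                  # 0 <= h <= sigma-1; a product in F_2 is AND
        total ^= V(n - h) & F(i - sigma + h)
    return total

def max_sigma(f):
    """Largest sigma allowed by the hypothesis f_{n-h-1} = 0 for 0 <= h < sigma,
    capped at n-1 as in the lemma.  For f = x^n + q with q != 0 this is n-1-deg(q)."""
    n = len(f) - 1
    sigma = 0
    while sigma < n - 1 and f[n - 1 - sigma] == 0:
        sigma += 1
    return sigma

def lemma_holds(f):
    """True if (12) agrees with chi_f^sigma v for every v in F_2^n, every
    0 <= sigma <= max_sigma(f) and every component i (exhaustive; small n only)."""
    n = len(f) - 1
    for bits in range(1 << n):
        v = [(bits >> k) & 1 for k in range(n)]
        for sigma in range(max_sigma(f) + 1):
            direct = chi_power(v, f, sigma)
            if any(formula_12(v, f, sigma, i) != direct[i - 1] for i in range(1, n + 1)):
                return False
    return True

if __name__ == "__main__":
    f = [1, 1, 0, 0, 0, 0, 1]               # constructed: f = x^6 + x + 1, n = 6
    print("largest sigma covered by the hypothesis:", max_sigma(f))
    print("formula (12) holds for all v and sigma:", lemma_holds(f))
```

The exhaustive loop is what makes this a check rather than a mere restatement: for $n = 6$ there are only 64 vectors, and every component of every $\chi_f^{\sigma} v$ with $\sigma$ up to the bound agrees with (12). For $f = x^n + q$ that bound is $n - 1 - \deg(q)$, which is exactly why the paper needs $\deg(q)$ small.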

The hypothesis $f_{n-h-1} = 0$ in Lemma 3.11 is essential to get an easy formula for successive reductions and so we have to use $f$ of the form $x^n + q$, with a small $\deg(q)$. The strategy that we follow to adapt Fact 3.10 is then to determine $g^*$ such that $A_{f,g}$ and $A_{f+f^*,g+g^*}$ have the same circulant minor $S$, for any $f^*$ s.t. $\deg(f^*) < z$.

Fact 3.12. Let $\beta \geq 1$ and $z \geq 1$ be integers s.t. $z \leq \beta$. Let $n = \beta + 1 + z$. Let $f \in K[x]$ be s.t. $f = x^n + q$, $\deg(q) < z$. Let $g \in K[x]$ be s.t. $z \leq \deg(g) \leq z + \beta$, so that $g = \phi^* x^z + \psi$, where $\deg(\phi^*) \leq \beta$ and $\deg(\psi) < z$. Let $\phi = \gcd(\phi^*, x^{\beta+1} - 1)$. Assume $\deg(\phi) = \beta + 1 - z$. Let $\psi = \psi_{z-1} x^{z-1} + \ldots + \psi_0$ and $\phi^* = \phi^*_{\beta} x^{\beta} + \ldots + \phi^*_0$. Let $A_{f,g}$ be the solution matrix corresponding to module $M$, with $r = -1$. Suppose $A_{f,g}$ is a $\beta$-circulant matrix of rank $z$, with circulant minor $S$. Let $f^*, g^* \in K[x]$ s.t. $\deg(f^*) < z$ and $\deg(g^*) < z$. Then the following conditions are equivalent:

(1) $A_{f+f^*,g+g^*}$ is a $\beta$-circulant matrix,

(2) $A_{f+f^*,g+g^*}$ is a $\beta$-circulant matrix of rank $z$,

(3) $A_{f+f^*,g+g^*}$ is a $\beta$-circulant matrix of rank $z$ and its circulant minor $S'$ is $S' = S$,

(4) $g^*_{z-i} = -\sum_{h=0}^{i-2} \phi^*_{\beta-h} \, f^*_{z-i+h+1}$, for any $1 \leq i \leq \beta + 1$.

Proof. Since the last $\beta + 1$ columns of the first row of $A_{f+f^*,g+g^*}$ depend on neither $f^*$ nor $g^*$, the corresponding minor $S'$ of $A_{f+f^*,g+g^*}$ is circulant if and only if $S' = S$, and hence points (1), (2) and (3) are equivalent.

Let $q = q_{z-1} x^{z-1} + \ldots + q_0$. We have $S = S'$ if and only if the odd components of column $z$ of the two matrices $A_{f+f^*,g+g^*}$ and $A_{f,g}$ coincide,


thanks to Lemma 3.9. In other words, we have $S = S'$ if and only if, for any $0 \leq j \leq \beta$,

$$A_{f,g}[2j+1, z] = A_{f+f^*,g+g^*}[2j+1, z] . \qquad (14)$$

Since the odd rows are shifts with reduction, by Lemma 3.11 we have

$$A_{f,g}[2j+1, z] = (\chi_f^{j} g)[z] = g[z-j] + \sum_{h=0}^{j-1} g[n-h] \, f_{z-j+h} ,$$

$$A_{f+f^*,g+g^*}[2j+1, z] = (\chi_{f+f^*}^{j} (g+g^*))[z] = (g+g^*)[z-j] + \sum_{h=0}^{j-1} (g+g^*)[n-h] \, (f_{z-j+h} + f^*_{z-j+h}) .$$

By (14) we can equate the two expressions and get

$$g[z-j] + \sum_{h=0}^{j-1} g[n-h] \, f_{z-j+h} = (g+g^*)[z-j] + \sum_{h=0}^{j-1} (g+g^*)[n-h] \, (f_{z-j+h} + f^*_{z-j+h}) ,$$

i.e., with a few simple operations,

$$g^*[z-j] + \sum_{h=0}^{j-1} \Big( g^*[n-h] \, f_{z-j+h} + (g+g^*)[n-h] \, f^*_{z-j+h} \Big) = 0 . \qquad (15)$$

Since $n-h$ in (15) is larger than $z$, we have $g^*[n-h] = 0$ and $g[n-h] = \phi^*[\beta+1-h]$, so that $(g+g^*)[n-h] \, f^*_{z-j+h} = \phi^*[\beta+1-h] \, f^*_{z-j+h}$. As a consequence, (15) can be rewritten as

$$g^*[z-j] + \sum_{h=0}^{j-1} \phi^*[\beta+1-h] \, f^*_{z-j+h} = 0 ,$$

which becomes the desired result, recalling that by our conventions we have $g^*[z-j] = g^*_{z-j-1}$ and $\phi^*[\beta+1-h] = \phi^*_{\beta-h}$ (and using $i = j+1$).

From Facts 3.7, 3.8, 3.10 and 3.12, we have the following theorem.

Theorem 3.13. Let $\beta \geq 1$ and $z \geq 1$ be integers s.t. $z \leq \beta$. Let $n = \beta + 1 + z$. Let $f \in K[x]$ be s.t. $f = x^n + q$, $\deg(q) < z$, $f$ irreducible. Let $g \in K[x]$ be s.t. $z < \deg(g) \leq z + \beta$, so that $g = \phi^* x^z + \psi$, where $\deg(\phi^*) \leq \beta$ and $\deg(\psi) < z$. Let $\phi = \gcd(\phi^*, x^{\beta+1} - 1)$. Assume $\deg(\phi) = \beta + 1 - z$. Let $\psi = \psi_{z-1} x^{z-1} + \ldots + \psi_0$ and $\phi^* = \phi^*_{\beta} x^{\beta} + \ldots + \phi^*_0$. Assume $\psi_{z-1-i} = \phi^*_{\beta-i}$, for $0 \leq i \leq z-1$. Let $\bar g = g + g^*$, with $g^* \in K[x]$ s.t. $\deg(g^*) \leq \beta$ and $g^*_{z-i} = -\sum_{h=0}^{i-2} \phi^*_{\beta-h} \, f^*_{z-i+h+1}$, for any $1 \leq i \leq \beta + 1$. Let $A_{f,\bar g}$ be the solution matrix corresponding to module $M$, with $r = -1$. Then

(1) $A_{f,\bar g}$ is a $\beta$-circulant matrix of rank $z$,


(2) row $2z+1$ of $A_{f,\bar g}$ is the solution row, corresponding to solution $(a, b)$,

(3) $\deg(b) = z$, $\deg(a) < z$, $b = \dfrac{x^{\beta+1} - 1}{\phi}$,

(4) $\gcd(a, b) = 1$.

We may use Theorem 3.13 to get a second technique (to be compared with the one proposed at the beginning of Section 3.1), as follows. We choose an integer $z \geq 1$ and a field $K$. We take any $\beta > z$ such that there is a polynomial $\phi$ with $\deg(\phi) = \beta + 1 - z$ and $\phi \mid (x^{\beta+1} - 1)$. Let $\phi^*$ be any polynomial in $K[x]$ s.t. $\gcd(\phi^*, x^{\beta+1} - 1) = \phi$ and $\deg(\phi^*) \leq \beta$. We compute $n = \beta + 1 + z$. We take any irreducible polynomial $f \in K[x]$ s.t. $f = x^n + q$, with $\deg(q) < z$. We take $\bar g = g + g^*$, with $g^* \in K[x]$ s.t. $\deg(g^*) \leq \beta$ and $g^*_{z-i} = -\sum_{h=0}^{i-2} \phi^*_{\beta-h} \, f^*_{z-i+h+1}$, for any $1 \leq i \leq \beta + 1$. We compute the minimal element $(a, b)$ of the sub-module $M$ defined in (2) using FGLM as in Subsection 2.4 and $r = -1$ (we may limit ourselves to searching for a combination of odd rows, because we may easily know which even rows have to be used, since we may compute $b = \frac{x^{\beta+1}-1}{\phi}$). We return $(a, b)$.

Fact 3.14. The previous technique outputs a pair $(a, b)$ of polynomials in $K[x]$ s.t. $\gcd(a, b) = 1$, $\deg(a) < z$ and $\deg(b) = z$.

Proof. It is a direct application of Theorem 3.13.

We have improved on our first technique, because now we can guarantee the degree of $b$, but we still have little control on the degree of $a$. To achieve that, we need a generalization of our previous arguments, which is done in the next subsection.

3.2 A generalization

In Subsection 3.1, we have used only solution matrices with $\beta + 1 + z$ columns and hence only polynomials $g$ of type $g = x^z \phi^* + \psi$, where $\psi$ is indeed determined by $\phi^*$. Polynomial $\phi$ gives rise to a circulant matrix in the solution matrix. In vector notation, this means that $g = (\psi \,|\, \phi^*)$, where $|$ denotes vector concatenation. In this subsection we depart from this scheme and we investigate a situation where $g$ is the result of a multiple concatenation.

Definition 3.15. Let $\beta \geq z \geq 1$ and $l \geq 1$ be integers. Let $v, w \in K[x]$ s.t. $\deg(v) \leq \beta$ and $\deg(w) < z$. We denote by $g(l, \beta, z, v, w)$ the polynomial in $K[x]$ s.t.

$$g(l, \beta, z, v, w) = w + x^{z} v + x^{z+\beta+1} v + \cdots + x^{z+(\beta+1)(l-1)} v .$$


In vector notation, Definition 3.15 means that

$$g(l, \beta, z, v, w) = \big( w \,\big|\, \underbrace{v \,|\, \cdots \,|\, v}_{l} \big) ,$$

but using $z$ components to represent $w$ and $\beta + 1$ components to represent $v$, irrespective of their actual degree.

Definition 3.16. Let $l \geq 1$, $\beta \geq 1$ and $z \geq 1$ be integers s.t. $z \leq \beta$. Let $N \geq 2\beta + 2$ and $M \geq l(\beta+1) + 1$ be integers. Let $A$ be an $N \times M$ matrix over $K$. We consider the minor $S_i$ of $A$, $1 \leq i \leq l$, formed by rows $\{2h+1 \mid 0 \leq h \leq \beta\}$ and by columns $\{z + (i-1)(\beta+1) + h \mid 1 \leq h \leq \beta+1\}$. We consider also the minor $V$ of $A$ formed by rows $\{2h+1 \mid 0 \leq h \leq \beta\}$ and by the first $z$ columns.

We say that $A$ is an $(l, \beta)$-circulant matrix of rank $z$, that $S_l$ is its circulant minor, and that $V$ is its vertical minor, if:

(1) $S_l$ is a circulant matrix of rank $z$,

(2) the first $z$ rows of $S_l$ are linearly independent,

(3) $S_i = S_l$, for $1 \leq i \leq l$.

Let $\phi$ be the main polynomial of $S_l$. We say that $\phi$ is the circulant polynomial of $A$.

Definition 3.16 is the natural generalization of Definition 3.6.

Fact 3.17. Let $\beta \geq z \geq 1$ be integers. Let $A_{f,g}$ be a solution matrix, with $r = -1$, $f = x^{\beta+1+z} + q$ and $g = (\psi \,|\, \phi^*)$, where $\deg(q), \deg(\psi) < z$ and $\deg(\phi^*) \leq \beta$. Let $l \geq 1$. Let $A_{f',g'}$ be the solution matrix defined by $f' = x^{l(\beta+1)+z} + q$ and $g' = g(l, \beta, z, \phi^*, \psi)$, with $r' = r = -1$. Then $A_{f,g}$ is a $\beta$-circulant matrix of rank $z$ if and only if $A_{f',g'}$ is an $(l, \beta)$-circulant matrix of rank $z$.

Proof. It is obvious by the arguments in the proof of Fact 3.7.

Consider Theorem 3.13. Since $g = (\psi, \phi^*)$, the conditions

$$\bar g = g + g^*, \quad g^* \in K[x], \quad \deg(g^*) \leq \beta ,$$

$$g^*_{z-i} = -\sum_{h=0}^{i-2} \phi^*_{\beta-h} \, f^*_{z-i+h+1}, \quad 1 \leq i \leq \beta + 1 ,$$

can be rephrased as

$$\bar g = (\psi', \phi^*), \quad \psi'_{z-i} = \psi_{z-i} - \sum_{h=0}^{i-2} \phi^*_{\beta-h} \, f^*_{z-i+h+1}, \quad 1 \leq i \leq \beta + 1 ,$$

which allows us to write in a compact form a generalization of Theorem 3.13,


which may be proved by obvious extensions of the arguments provided in Subsection 3.1.

Theorem 3.18. Let $l \geq 1$, $\beta \geq 1$ and $z \geq 1$ be integers s.t. $z \leq \beta$. Let $n = l(\beta+1) + z$. Let $f \in K[x]$ be s.t. $f = x^n + q$, $\deg(q) < z$, $f$ irreducible. Let $\phi^*, \psi \in K[x]$ be s.t. $\deg(\phi^*) \leq \beta$ and $\deg(\psi) < z$. Let $g = g(l, \beta, z, \phi^*, \psi)$. Let $\phi = \gcd(\phi^*, x^{\beta+1} - 1)$. Assume $\deg(\phi) = \beta + 1 - z$. Let $\psi = \psi_{z-1} x^{z-1} + \ldots + \psi_0$ and $\phi^* = \phi^*_{\beta} x^{\beta} + \ldots + \phi^*_0$. Assume $\psi_{z-1-i} = \phi^*_{\beta-i}$, for $0 \leq i \leq z - 1$.

Let $\bar g \in K[x]$ be

$$\bar g = g(l, \beta, z, \phi^*, \psi'), \quad \psi'_{z-i} = \psi_{z-i} - \sum_{h=0}^{i-2} \phi^*_{\beta-h} \, f^*_{z-i+h+1}, \quad 1 \leq i \leq \beta + 1 .$$

Let $A_{f,\bar g}$ be the solution matrix corresponding to module $M$, with $r = -1$. Then

(1) $A_{f,\bar g}$ is an $(l, \beta)$-circulant matrix of rank $z$,

(2) row $2z+1$ of $A_{f,\bar g}$ is the solution row, corresponding to solution $(a, b)$,

(3) $\deg(b) = z$, $\deg(a) < z$, $b = \dfrac{x^{\beta+1} - 1}{\phi}$,

(4) $\gcd(a, b) = 1$.

To obtain more interesting results, we need to relax our requirements on our solution matrices.

Definition 3.19. Let $l, \beta, z, N, M, A, V, \{S_i\}_{1 \leq i \leq l}$ be as in Definition 3.16. Let $H = (h_{i,j})$ be a square matrix over $K$ of size $\beta + 1$ s.t. $h_{i,j} = 0$ for $j \geq i$ and s.t. $h_{i+1,j+1} = h_{i,j}$, for $1 \leq j < i \leq \beta$. We say that $A$ is an $(l, \beta)$-weakly-circulant matrix of rank $z$, that $S_l$ is its circulant minor, that $V$ is its vertical minor and that $H$ is its deformation matrix, if:

(1) $S_l$ is a circulant matrix of rank $z$,

(2) the first $z$ rows of $S_l$ are linearly independent,

(3) $S_i = S_l$, for $2 \leq i \leq l$,

(4) $S_1 = S_l + H$.

Let $\phi$ be the main polynomial of $S_l$. Let $d$ be $0$ if $H$ is zero, and $\max\{j \mid h_{z+1,j} \neq 0\}$ otherwise. We say that $\phi$ is the circulant polynomial of $A$ and that $d$ is the deformation value of $A$.

It is obvious that an $(l, \beta)$-weakly-circulant matrix is $(l, \beta)$-circulant if and only if its deformation matrix is the zero matrix (if and only if $d = 0$).

We may extend Fact 3.7 to this new situation in a non-obvious way, obtaining this time strict degree conditions also on $a$.


Fact 3.20. Let $A_{f,g}$ be the solution matrix corresponding to a module $M$ in (2). Assume $A_{f,g}$ is an $(l, \beta)$-weakly-circulant matrix of rank $z$ and $l \geq 2$. Let $S_1, \ldots, S_l$ be its circulant minors. Let $0 \leq d \leq z$ be its deformation value. Let $(a, b)$ be the solution. Suppose $n = l(\beta+1) + z$ and $r = -1$. Let $\phi$ be the circulant polynomial of $A_{f,g}$. Let $r_s$ be row $s$ of $A_{f,g}$, for $1 \leq s \leq 2(\beta+1) + 2z$. Then:

(1) the solution row is $r_{2z+1}$ if $d = 0$, and $r_{2z+2d}$ otherwise,

(2) the linear combination of rows giving rise to a solution is of the form

$$\sum_{1 \leq m \leq z} \mu_m r_{2m} + \sum_{1 \leq k \leq z+1} \alpha_k r_{2k-1} + \sum_{1 \leq \eta \leq d} \gamma_{\eta} r_{2z+2\eta} = 0 , \qquad (16)$$

where

$$\alpha_{z+1} \neq 0, \quad \gamma_d \neq 0, \quad \gamma_{\eta} = -\sum_{\xi=\eta}^{d} \alpha_{z+1+\eta-\xi} \, h_{z+1,\xi} , \quad 1 \leq \eta \leq d , \qquad (17)$$

and the $\{\alpha_k\}_{1 \leq k \leq z+1}$ do not depend on $d$, but only on $S_l$,

(3) the linear combination of rows giving rise to a solution is of the form

$$\sum_{1 \leq m \leq z} \mu_m r_{2m} + \sum_{1 \leq k \leq z+1} \alpha_k r_{2k-1} + \sum_{1 \leq \eta \leq z} \gamma_{\eta} r_{2z+2\eta} = 0 , \qquad (18)$$

where

$$\alpha_{z+1} \neq 0, \quad \gamma_d \neq 0, \quad \gamma_{\eta} = -\sum_{\xi=\eta}^{z} \alpha_{z+1+\eta-\xi} \, h_{z+1,\xi} , \quad 1 \leq \eta \leq z , \qquad (19)$$

and the $\{\alpha_k\}_{1 \leq k \leq z+1}$ do not depend on $d$, but only on $S_l$,

(4) $\deg(b) = z$, $b = \dfrac{x^{\beta+1} - 1}{\phi}$,

(5) $\deg(a) < z$ if $d = 0$, and $\deg(a) = z + d - 1$ otherwise.

Proof. We first show that point (2) and point (3) are equivalent. From $h_{z+1,\xi} = 0$ for $\xi > d$, we have

$$\sum_{\xi=\eta}^{z} \alpha_{z+1+\eta-\xi} \, h_{z+1,\xi} = \sum_{\xi=\eta}^{d} \alpha_{z+1+\eta-\xi} \, h_{z+1,\xi}$$

and hence $\gamma_{\eta} = 0$ for $\eta > d$. This implies that (17) and (19) are equivalent and thus also (16) and (18) are equivalent, so that point (2) is equivalent to point (3).


Points (1), (4) and (5) follow directly from point (2). So we have only to prove (2). We do so by induction on $d$, showing the cases $d = 0$, $d = 1$ and $d \geq 2$. We fully adopt the notation of Definition 3.19.

If $d = 0$, the result follows from previous results.

Let $d = 1$. The first $z$ rows of $S_1$ and $S_l$ are the same, but row $z+1$ of $S_1$ is row $z+1$ of $S_l$ added to the vector $(\lambda, 0, \ldots, 0) \in K^{\beta+1}$, where $\lambda = h_{z+1,1}$. Let $\{\alpha_k\}_{1 \leq k \leq z+1}$ be the coefficients of the linear combination among the first $z+1$ rows of $S_l$. The $\{\alpha_k\}$ cannot provide a linear combination for the first $z+1$ rows of $S_1$. However, $\{\alpha_k\}_{1 \leq k \leq z+1} \cup \{-\alpha_{z+1}\lambda\}$ are the coefficients of a linear combination among the following $z+2$ ($(\beta+1)$-dimensional) vectors: the first $z+1$ rows of $S_1$ and the restriction of $r_{2z+2}$ to the same columns as $S_1$. In fact row $2z+2$ is the $z$-th shift of $(1, 0, \ldots, 0)$ and so it has a one exactly where $\lambda$ has been summed to row $z+1$ of the minor. On the other hand, any linear combination with these coefficients can be obviously extended both to the right-hand minors (which are still circulant) and also to the vertical minor on the left, where the first $z$ shifts of $(1, 0, \ldots, 0)$ form a basis for $K^z$. By setting $\gamma_1 = -\alpha_{z+1}\lambda = -\alpha_{z+1} h_{z+1,1}$, we get our desired result.

Let $d \geq 2$. We proceed as follows: we find a linear relation as required (using an induction argument) and then we show that said relation is minimal.

Let $H = (h_{i,j})$ be the deformation matrix of $A_{f,g}$. Let $\lambda = h_{z+1,d}$. Let $g$ be $g = g_0 + g_1 x + \ldots + g_{l(\beta+1)+z-1} x^{l(\beta+1)+z-1}$. We consider a matrix $A' = A_{f,g'}$, where $g' = g - \lambda x^{d-1}$. Let $r'_s$ be row $s$ of $A'$. It is clear that the even rows of $A'$ are the same as the even rows of $A_{f,g}$, so that $r_{2s} = r'_{2s}$, for any $s$. As regards the odd rows, the components of $r'_1$ and $r_1$ are the same except for position $d$, where $r'_1[d] = r_1[d] - \lambda$. By shifting we have that the odd rows are equal except for position $d + s - 1$, where

$$r'_{2s-1}[d+s-1] = r_{2s-1}[d+s-1] - \lambda \qquad (20)$$

(observe that we have $d + s - 1 \leq z + \beta < n$ and so there is no effect given by reductions). So all right-hand minors $S_2, \ldots, S_l$ are not changed and minor $S_1$ is changed by the adding of a square matrix $L = (l_{i,j})$ formed by all zeros, except for $l_{z+2-d,1} = \cdots = l_{z+1,d} = \cdots = l_{\beta+1,d+\beta-z} = -\lambda = -h_{z+1,d}$. This is equivalent to saying that also $A'$ is an $(l, \beta)$-weakly-circulant matrix and that its circulant minors $S'_1, \ldots, S'_l$ are such that $S_{\iota} = S'_{\iota}$ for $2 \leq \iota \leq l$ and that $S'_1 = S_1 + L$. In particular, if $H'$ is the deformation matrix of $A'$ and $d'$ its deformation value, we have that $H' = H + L$ and $d' \leq d - 1$. As a consequence, $A'$ satisfies the hypotheses of Fact 3.20 for a deformation value smaller than $d$ and hence by induction we may assume that point (3) holds, which means that the linear combination associated to the solution is of type

$$\sum_{1 \leq m \leq z} \mu'_m r'_{2m} + \sum_{1 \leq k \leq z+1} \alpha'_k r'_{2k-1} + \sum_{1 \leq \eta \leq z} \gamma'_{\eta} r'_{2z+2\eta} = 0 , \qquad (21)$$


where $\alpha'_{z+1} \neq 0$ and $\gamma'_{d'} \neq 0$. Moreover,

$$\gamma'_{\eta} = -\sum_{\xi=\eta}^{z} \alpha'_{z+1+\eta-\xi} \, h'_{z+1,\xi} , \quad 1 \leq \eta \leq z . \qquad (22)$$

Observe that $h'_{z+1,d} = 0$ and $h'_{z+1,\delta} = 0$ for $\delta > d$. We need to compare the rows involved in (21) with the corresponding rows of $A_{f,g}$. Even rows do not change. As concerns odd rows, we need only worry about their restriction to the columns of minor $S_1$, because the other circulant minors do not change and whatever happens in the first $z$ columns will be dealt with by a suitable combination of the even rows, since they form a basis of $K^z$. We may denote by $r_{2s-1}$ and $r'_{2s-1}$ the restrictions (to $S_1$ and $S'_1$) of the odd rows of, respectively, $A_{f,g}$ and $A'$. Due to (20), we have

$$r_{2s-1}[j] = r'_{2s-1}[j] + \lambda \quad \text{if and only if } s = z - d + j + 1 ,$$

otherwise $r_{2s-1}[j] = r'_{2s-1}[j]$. If we substitute $r_{2s-1}$ for $r'_{2s-1}$ in (21), to get zero again for any column $j$ of $S_1$ (up to the $d$-th) we need to subtract $\alpha'_{z-j}\lambda$ times the corresponding even rows, i.e. $\alpha'_{z-j}\lambda \, r_{2z+2j}$. We thus obtain

$$\sum_{1 \leq m \leq z} \mu_m r'_{2m} + \sum_{1 \leq k \leq z+1} \alpha'_k r_{2k-1} + \sum_{1 \leq \eta \leq z} (\gamma'_{\eta} - \alpha'_{z-j}\lambda) \, r'_{2z+2\eta} = 0 ,$$

for some set of values $\{\mu_m\}$. By setting $\gamma_{\eta} = \gamma'_{\eta} - \alpha'_{z-j} h_{z+1,d}$ and $\alpha_k = \alpha'_k$, we obtain our desired relations for $d$.

To complete the proof for this case, we need to show that our relation is the minimal possible. Suppose by contradiction that there is another linear relation $L$ among the rows of $A_{f,g}$ such that it involves neither row $r_{2z+2d-2}$ nor any successive row. The linear relation $L$ must involve at least an odd row (because the even rows form a linearly independent set). We can then restrict $L$ to the last $\beta+1$ columns, where the even rows up to $r_{2z+2d-2}$ clearly have only zero components. This means that $L$ is in particular a relation in $S_l$ and as such it must involve at least an odd row $r_{2s'-1}$, with $s' \geq z+1$ (the first $z$ rows of $S_l$ are independent). As a consequence, when we restrict $L$ to the columns of $S_1$, $L$ on the odd rows is the same as on $H$. Since $r_{2s'-1}$ is involved and since $r_{2s'-1}[d + s' - z] = \lambda \neq 0$, $L$ must involve also a corresponding even row, necessarily successive to $r_{2z+2d-2}$, which is a contradiction.

Remark 3.21. Neither in (16) nor in (18) does any odd row $r_{2k-1}$ appear with $k > z+1$. This is why $b$ does not depend on $d$.

We can use Fact 3.20 to control the algorithm output even more, as in the following theorem.


Theorem 3.22. Let $A^0, \ldots, A^z$ be solution matrices corresponding, respectively, to modules $M^0, \ldots, M^z$ as in (2). Assume they all are $(l, \beta)$-weakly-circulant matrices of rank $z$. Let $\{S^{\delta}_1, \ldots, S^{\delta}_l\}_{0 \leq \delta \leq z}$ be their circulant minors and $\{V^{\delta}\}_{0 \leq \delta \leq z}$ their vertical minors. Assume $S^{\delta}_l = S^0_l$ for any $0 \leq \delta \leq z$. Let $d(\delta)$ be the deformation value of $A^{\delta}$ and $H^{\delta}$ be its deformation matrix, for any $0 \leq \delta \leq z$. Let $d(0) = 0$. Let $H^{\delta} = H^{\delta-1} + U^{\delta}$, for $1 \leq \delta \leq z$, where $U^{\delta} = (u_{i,j})$ is a matrix with zero entries except possibly for a lower diagonal $\lambda_{\delta} = u_{z+1,\delta} = u_{z+2-\delta,1} = \cdots = u_{\beta+1,\beta-z+\delta}$. Let $(a^{\delta}, b^{\delta})$ be the solution of $A^{\delta}$ and let $r^{\delta}_s$ be row $s$ of $A^{\delta}$, for $1 \leq s \leq 2(\beta+1) + 2z$. Suppose $n = l(\beta+1) + z$ and $r = -1$. Then

(1) if $U^{\delta} = 0$, then $d(\delta) = d(\delta-1)$, else $d(\delta) = \delta$, for $1 \leq \delta \leq z$,

(2) the solution row of $A^0$ is $r^0_{2z+1}$, that of $A^{\delta}$ is $r^{\delta}_{2z+2d(\delta)}$ for $1 \leq \delta \leq z$,

(3) the linear combination of rows giving rise to a solution for $A^{\delta}$ is of the form (for any $0 \leq \delta \leq z$)

$$\sum_{1 \leq m \leq z} \mu^{\delta}_m r^{\delta}_{2m} + \sum_{1 \leq k \leq z+1} \alpha^{\delta}_k r^{\delta}_{2k-1} + \sum_{1 \leq j \leq d(\delta)} \gamma^{\delta}_j r^{\delta}_{2z+2j} = 0 , \qquad (23)$$

where

$$\alpha^{\delta}_{z+1} \neq 0, \quad \gamma^{\delta}_{d(\delta)} \neq 0, \quad \gamma^{\delta}_j = -\sum_{i=j}^{d(\delta)} \alpha^{\delta}_{z+j-i+1} \, h^{\delta}_{z+1,i} , \quad 1 \leq j \leq d(\delta), \qquad (24)$$

and the $\{\alpha^{\delta}_k\}_{1 \leq k \leq z+1}$ do not depend on $\delta$, i.e. $\alpha^{\delta}_k = \alpha^0_k$, for any $\delta$ and $k$,

(4) $\deg(b^0) = \deg(b^{\delta}) = z$, $\deg(a^0) < z$, $\deg(a^{\delta}) = z + d(\delta) - 1$, for $1 \leq \delta \leq z$,

(5) $\mu^{\delta}_m = \mu^{\delta-1}_m - \lambda_{\delta} \alpha^0_{m-d(\delta)+1}$, for $1 \leq m \leq z$ and $1 \leq \delta \leq z$, with the convention that $\alpha^0_{\iota} = 0$ for any $\iota \leq 0$,

(6) (a) $\gamma^{\delta}_j = \gamma^{\delta-1}_j - \lambda_{\delta} \alpha^0_{z+j-d(\delta)+1}$, for $1 \leq j \leq d(\delta-1)$ and $1 \leq \delta \leq z$,

(b) $\gamma^{\delta}_j = -\lambda_{\delta} \alpha^0_{z+j-d(\delta)+1}$, for $d(\delta-1)+1 \leq j \leq d(\delta)$ and $1 \leq \delta \leq z$,

(7) for any $1 \leq \delta \leq z$, $b^{\delta} = b^0$ and

$$a^{\delta} = a^{\delta-1} - \lambda_{\delta} x^{d(\delta)-1} b^0, \qquad a^{\delta} = a^0 - \Big( \sum_{1 \leq j \leq \delta} \lambda_j x^{d(j)-1} \Big) b^0 .$$

Proof. Since $H^{\delta} = H^{\delta-1} + U^{\delta}$, we have for $1 \leq \delta \leq z$ and any $s$

$$r^{\delta}_{2s-1} - r^{\delta-1}_{2s-1} = (\underbrace{0, \ldots, 0}_{s+d(\delta)-2}, \lambda_{\delta}, 0, \ldots, 0) = \lambda_{\delta} \, r^0_{2(s+d(\delta)-1)} . \qquad (25)$$

For the same reason, point (1) is obvious.


Points (2), (3) and (4) are direct applications of Fact 3.20. The right-hand side of point (7) comes from a recursive application of its left-hand side. The left-hand side of point (7) comes from points (5) and (6), since

$$\begin{aligned}
a^{\delta} &= \sum_{m=1}^{z} \mu^{\delta}_m x^{m-1} + \sum_{j=1}^{d(\delta)} \gamma^{\delta}_j x^{z+j-1} \\
&= \sum_{m=1}^{z} \big(\mu^{\delta-1}_m - \lambda_{\delta} \alpha^0_{m-d(\delta)+1}\big) x^{m-1} + \sum_{j=1}^{d(\delta-1)} \big(\gamma^{\delta-1}_j - \lambda_{\delta} \alpha^0_{z+j-d(\delta)+1}\big) x^{z+j-1} + \sum_{j=d(\delta-1)+1}^{d(\delta)} \big(-\lambda_{\delta} \alpha^0_{z+j-d(\delta)+1}\big) x^{z+j-1} \\
&= \sum_{m=1}^{z} \mu^{\delta-1}_m x^{m-1} + \sum_{j=1}^{d(\delta-1)} \gamma^{\delta-1}_j x^{z+j-1} - \sum_{m=1}^{z+d(\delta)} \lambda_{\delta} \alpha^0_{m-d(\delta)+1} x^{m-1} \\
&= a^{\delta-1} - \lambda_{\delta} x^{d(\delta)-1} \sum_{h=1}^{z+1} \alpha^0_h x^{h-1} = a^{\delta-1} - \lambda_{\delta} x^{d(\delta)-1} b^0 .
\end{aligned}$$

So we have only to prove points (5) and (6).

We now show point (6). Applying (24) with $d(\delta-1)+1 \leq j \leq d(\delta)$ gives point (6)(b), since clearly $h^{\delta}_{z+1,i} = 0$ for any $d(\delta-1)+1 \leq i \leq d(\delta)-1$. From (24) for $\delta$ and $\delta-1$ we get the following expression for $1 \leq j \leq d(\delta-1)$ and $1 \leq \delta \leq z$

$$\begin{aligned}
\gamma^{\delta}_j - \gamma^{\delta-1}_j &= -\sum_{i=j}^{d(\delta)} \alpha^{\delta}_{z+1+j-i} \, h^{\delta}_{z+1,i} + \sum_{i=j}^{d(\delta-1)} \alpha^{\delta-1}_{z+1+j-i} \, h^{\delta-1}_{z+1,i} \\
&= -\sum_{i=j}^{d(\delta-1)} \big( \alpha^0_{z+1+j-i} \, h^{\delta}_{z+1,i} - \alpha^0_{z+1+j-i} \, h^{\delta-1}_{z+1,i} \big) - \sum_{i=d(\delta-1)+1}^{d(\delta)-1} \alpha^0_{z+1+j-i} \, h^{\delta}_{z+1,i} - \alpha^0_{z+j-d(\delta)+1} \, h^{\delta}_{z+1,d(\delta)} .
\end{aligned}$$

Since clearly $h^{\delta}_{z+1,i} = h^{\delta-1}_{z+1,i}$ for any $1 \leq i \leq d(\delta-1)$ and $h^{\delta}_{z+1,i} = 0$ for any $d(\delta-1)+1 \leq i \leq d(\delta)-1$, from the previous expression we get point (6)(a).

We prove point (5) by showing separately the case $\delta = 1$ and the case $\delta \geq 2$. We will use without mention the equality $r^0_{2s} = r^{\delta}_{2s} = r^{\delta-1}_{2s}$ (for any $\delta$ and $s$).

We now show the case $\delta = 1$. From point (1) we have that $d(1) \leq 1$. If $d(1) = 0$, then $A^1 = A^0$ and hence


$\lambda_1 = 0$, $\mu^0_m = \mu^1_m$ for any $m$, so that point (5) is trivially satisfied. Let $d(1) = 1$. By applying point (2) for $\delta = 0, 1$, we get

$$\sum_{1 \leq m \leq z} \mu^0_m r^0_{2m} + \sum_{1 \leq k \leq z+1} \alpha^0_k r^0_{2k-1} + \sum_{1 \leq j \leq 0} \gamma^0_j r^0_{2z+2j} = 0 ,$$

and

$$\sum_{1 \leq m \leq z} \mu^1_m r^1_{2m} + \sum_{1 \leq k \leq z+1} \alpha^1_k r^1_{2k-1} + \sum_{1 \leq j \leq 1} \gamma^1_j r^1_{2z+2j} = 0 .$$

By equating the two expressions and simplifying, we get

$$\sum_{1 \leq m \leq z} \mu^0_m r^0_{2m} + \sum_{1 \leq k \leq z+1} \alpha^0_k \big(r^0_{2k-1} - r^1_{2k-1}\big) - \sum_{1 \leq m \leq z} \mu^1_m r^1_{2m} - \gamma^1_1 r^1_{2z+2} = 0 .$$

Since $\gamma^1_1 = -\alpha^1_{z+1}\lambda_1$ (point (6)(b)), we have

$$\sum_{1 \leq m \leq z} \big(\mu^0_m - \mu^1_m\big) r^0_{2m} + \sum_{1 \leq k \leq z+1} \alpha^0_k \big(r^0_{2k-1} - r^1_{2k-1}\big) + \alpha^1_{z+1} \lambda_1 r^0_{2z+2} = 0 .$$

Thanks to (25) the previous expression becomes

$$\sum_{1 \leq m \leq z} \big(\mu^0_m - \mu^1_m\big) r^0_{2m} + \sum_{1 \leq k \leq z} \alpha^0_k \big(-\lambda_1 r^0_{2k}\big) + \alpha^0_{z+1} \big(-\lambda_1 r^0_{2z+2}\big) + \alpha^0_{z+1} \lambda_1 r^0_{2z+2} = 0 ,$$

which is, after some obvious simplifications, a linear relation involving only a set of linearly independent rows, the $\{r^0_{2s}\}$, as follows

$$\sum_{1 \leq m \leq z} \big(\mu^0_m - \mu^1_m - \alpha^0_m \lambda_1\big) r^0_{2m} = 0 .$$

This is possible if and only if all coefficients are zero, i.e. $\mu^1_m = \mu^0_m - \alpha^0_m \lambda_1$ for $1 \leq m \leq z$, which is precisely point (5) for $\delta = 1$ and $d(1) = 1$.

We now show the case $\delta \geq 2$, proceeding similarly to the previous case. If $d(\delta) = d(\delta-1)$, then $A^{\delta} = A^{\delta-1}$ and hence $\lambda_{\delta} = 0$ and $\mu^{\delta}_m = \mu^{\delta-1}_m$ for any $m$, so that point (5) is trivially satisfied. Let $d(\delta) > d(\delta-1)$. By applying point (2) for $\delta-1$ and $\delta$, we get

$$\sum_{1 \leq m \leq z} \mu^{\delta}_m r^{\delta}_{2m} + \sum_{1 \leq k \leq z+1} \alpha^{\delta}_k r^{\delta}_{2k-1} + \sum_{1 \leq j \leq d(\delta)} \gamma^{\delta}_j r^{\delta}_{2z+2j} = 0 ,$$

and

$$\sum_{1 \leq m \leq z} \mu^{\delta-1}_m r^{\delta-1}_{2m} + \sum_{1 \leq k \leq z+1} \alpha^{\delta-1}_k r^{\delta-1}_{2k-1} + \sum_{1 \leq j \leq d(\delta-1)} \gamma^{\delta-1}_j r^{\delta-1}_{2z+2j} = 0 .$$


By equating the two expressions we obtain

$$\sum_{m=1}^{z} \big(\mu^{\delta}_m - \mu^{\delta-1}_m\big) r^0_{2m} + \sum_{k=1}^{z+1} \alpha^{\delta}_k \big(r^{\delta}_{2k-1} - r^{\delta-1}_{2k-1}\big) + \sum_{j=1}^{d(\delta-1)} \big(\gamma^{\delta}_j - \gamma^{\delta-1}_j\big) r^0_{2z+2j} + \sum_{j=d(\delta-1)+1}^{d(\delta)} \gamma^{\delta}_j r^0_{2z+2j} = 0 ,$$

which becomes, due to (25) and point (6),

$$\sum_{m=1}^{z} \big(\mu^{\delta}_m - \mu^{\delta-1}_m\big) r^0_{2m} + \sum_{k=1}^{z+1} \alpha^{\delta}_k \lambda_{\delta} \, r^0_{2(k+d(\delta)-1)} - \sum_{j=1}^{d(\delta-1)} \lambda_{\delta} \alpha^0_{z+j-d(\delta)+1} \, r^0_{2z+2j} - \sum_{j=d(\delta-1)+1}^{d(\delta)} \lambda_{\delta} \alpha^0_{z+j-d(\delta)+1} \, r^0_{2z+2j} = 0 . \qquad (26)$$

Since

$$\begin{aligned}
\sum_{k=1}^{z+1} \alpha^{\delta}_k \lambda_{\delta} \, r^0_{2(k+d(\delta)-1)} &= \sum_{k=1}^{z-d(\delta)+1} \alpha^{\delta}_k \lambda_{\delta} \, r^0_{2(k+d(\delta)-1)} + \sum_{k=z-d(\delta)+2}^{z+1} \alpha^{\delta}_k \lambda_{\delta} \, r^0_{2(k+d(\delta)-1)} \\
&= \sum_{m=d(\delta)}^{z} \alpha^{\delta}_{m-d(\delta)+1} \lambda_{\delta} \, r^0_{2m} + \sum_{l=1}^{d(\delta)} \alpha^{\delta}_{z+l-d(\delta)+1} \lambda_{\delta} \, r^0_{2(z+l)}
\end{aligned}$$

(where we have set $l = k - z + d(\delta) - 1$ and $m = k + d(\delta) - 1$), equation (26) can be written as

$$\begin{aligned}
&\sum_{m=1}^{z} \big(\mu^{\delta}_m - \mu^{\delta-1}_m\big) r^0_{2m} + \sum_{m=d(\delta)}^{z} \alpha^{\delta}_{m-d(\delta)+1} \lambda_{\delta} \, r^0_{2m} + \sum_{l=1}^{d(\delta)} \alpha^{\delta}_{z+l-d(\delta)+1} \lambda_{\delta} \, r^0_{2(z+l)} - \sum_{j=1}^{d(\delta)} \lambda_{\delta} \alpha^0_{z+j-d(\delta)+1} \, r^0_{2z+2j} \\
&\qquad = \sum_{m=1}^{z} \big(\mu^{\delta}_m - \mu^{\delta-1}_m + \alpha^{\delta}_{m-d(\delta)+1} \lambda_{\delta}\big) r^0_{2m} = 0 .
\end{aligned}$$

This is a linear relation involving only a set of linearly independent rows, the $\{r^0_{2s}\}$, which is possible if and only if all coefficients are zero, i.e. $\mu^{\delta}_m = \mu^{\delta-1}_m - \alpha^{\delta}_{m-d(\delta)+1} \lambda_{\delta}$ for $1 \leq m \leq z$, which is our desired equality.


A direct consequence of Theorem 3.22 is the following theorem.

Theorem 3.23. Let $l \geq 2$ and $\beta \geq z \geq 1$ be integers. Let $0$ be the zero vector in $K^z$. Let $\phi^*, \psi \in K[x]$ be s.t. $\deg(\phi^*) \leq \beta$ and $\deg(\psi) < z$. Let $A_{f,g}$ be an $(l, \beta)$-circulant solution matrix, with $g = g(l, \beta, z, \phi^*, \psi)$ and $f = x^n + q$, $\deg(q) < z$, $f$ irreducible. Let $\lambda = (\lambda_1, \ldots, \lambda_z)$ be in $K^z$. Let $1 \leq d \leq z$ be $\max\{i \mid \lambda_i \neq 0\}$. Let $g_{\lambda} = g(l, \beta, z, \phi^*, \psi + \lambda)$. Let $M_{\lambda}$ be the module corresponding to $A_{f,g_{\lambda}}$. Let $(a_{\lambda}, b_{\lambda})$ be the minimal element of $A_{f,g_{\lambda}}$. Then:

$$a_{\lambda} = a_0 - \Big( \sum_{1 \leq j \leq z} \lambda_j x^{j-1} \Big) b_0 .$$

Proof. It follows from Theorem 3.22, by setting $M^{\delta} = A_{f,\, g + (\lambda_1, \ldots, \lambda_{\delta}, 0, \ldots, 0)}$, for any $0 \leq \delta \leq z$.

4 Application to cryptography

A possible application to cryptography is within the Coppersmith algorithm ([Cop84]), which is used to calculate the discrete logarithm over finite fields of type $\mathbb{F}_{2^n}$. Many variations and extensions exist, see for example [AD94, BFHMV84, Odl00, Tho01].

We briefly describe only the part of the algorithm which is of interest for us, i.e. the part where pairs of coprime polynomials are used. As usual, we will identify $\mathbb{F}_{2^n}$ with $\mathbb{F}_2[x]/(F)$, where $F$ is an irreducible polynomial of $\deg(F) = n$, so that any field element is from now on a polynomial (the smallest degree one in its congruence class). Let $h$ be in $\mathbb{F}_{2^n}$ and $\gamma$ be a primitive element of $\mathbb{F}_{2^n}$. We want to determine the discrete logarithm $\log_{\gamma} h$. The main idea consists of precalculating the logarithms of the set $S = \{p_i \mid p_i \text{ irreducible and } \deg(p_i) \leq m\}$, where $m < n$ is conveniently chosen. Once we have all these logarithms, it is possible to compute quickly $\log_{\gamma}(h)$ for any $h$ (for details see [Cop84]). Actually, the most expensive phase is the computation of the logarithms of $S$. We accomplish that as follows. Let $k$ and $h = \lfloor n / 2^k \rfloor + 1$ be positive integers. Pick a pair of coprime polynomials $(u_1, u_2)$ s.t. $\deg(u_1), \deg(u_2) \leq B$, where $B$ is of the order of $n^{1/3} (\log_e n)^{2/3}$ (in Coppersmith's proposal this is done by taking random pairs and checking; we instead propose to use our techniques). Define $w_1, w_2 \in \mathbb{F}_{2^n}$ as

$$w_1 = u_1 x^h + u_2 , \qquad (27)$$

$$w_2 \equiv (w_1)^{2^k} \bmod (F), \quad \deg(w_2) < n . \qquad (28)$$

If both $w_1$ and $w_2$ have all their irreducible factors in $S$, then we generate the integer congruence:

$$\log_{\gamma} w_2 \equiv 2^k \log_{\gamma} w_1 \bmod (2^n - 1) ,$$


i.e.

$$\log_{\gamma} \prod_{v_j \in S_2} (v_j)^{b_j} \equiv 2^k \log_{\gamma} \prod_{v_i \in S_1} (v_i)^{c_i} \bmod (2^n - 1) ,$$

where $S_1, S_2 \subset S$ and

$$w_1 = \prod_{v_i \in S_1} v_i^{c_i} , \qquad w_2 = \prod_{v_j \in S_2} v_j^{b_j} .$$

Otherwise, we need to choose another pair of coprime polynomials $(u_1, u_2)$ and iterate this process. In particular, we have to generate at least $|S|$ such pairs of polynomials $(w_1, w_2)$ and solve the following linear system (with the logarithms of the elements of $S$ as unknowns):

$$\begin{aligned}
\log_{\gamma} w_{2,1} &\equiv 2^k \log_{\gamma} w_{1,1} \bmod (2^n - 1) \\
\log_{\gamma} w_{2,2} &\equiv 2^k \log_{\gamma} w_{1,2} \bmod (2^n - 1) \\
&\;\;\vdots \\
\log_{\gamma} w_{2,|S|} &\equiv 2^k \log_{\gamma} w_{1,|S|} \bmod (2^n - 1)
\end{aligned}$$
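The relation-generation step just described, together with the use the paper proposes for its pairs (replacing the random $(u_1, u_2)$), as an added Python example that is not part of the paper. Polynomials over $\mathbb{F}_2$ are ints, the toy field is $\mathbb{F}_2[x]/(x^7 + x + 1)$ with $k = 1$ (so $h = 4$), the factor base $S$ holds the irreducibles of degree at most $m = 3$, and the coprime pairs come from the output formula of Theorem 3.23, $a_{\lambda} = a_0 - (\sum_j \lambda_j x^{j-1}) b_0$, applied to a hand-chosen seed pair $(a_0, b_0) = (x, x^2 + x + 1)$ with $z = 2$; the Gröbner/FGLM construction that produces the seed in the paper is not reproduced. All names, parameters and polynomials here are my constructed choices, and the brute-force logarithm table exists only so the congruence can be checked at this size.

```python
# Added example (not from the paper): the relation-generation step of
# Coppersmith's algorithm, eqs. (27)-(28), over the toy field F_2[x]/(F)
# with F = x^7 + x + 1, fed with coprime pairs from the output formula of
# Theorem 3.23, a_lambda = a_0 - (sum_j lambda_j x^(j-1)) b_0, instead of
# random pairs.  Polynomials over F_2 are ints: bit j = coefficient of x^j.
# Every parameter below is constructed for the demonstration.

def deg(p):
    return p.bit_length() - 1                      # deg(0) = -1

def pmul(a, b):                                    # carry-less multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, m):                                 # long division: (quotient, remainder)
    q, dm = 0, deg(m)
    while a and deg(a) >= dm:
        s = deg(a) - dm
        q ^= 1 << s
        a ^= m << s
    return q, a

def pgcd(a, b):
    while b:
        a, b = b, pdivmod(a, b)[1]
    return a

def irreducibles_up_to(m):
    """The factor base S: all irreducible polynomials over F_2 of degree 1..m."""
    S = []
    for p in range(2, 1 << (m + 1)):
        if all(pdivmod(p, q)[1] != 0 for q in S if deg(q) <= deg(p) // 2):
            S.append(p)
    return S

def factor_over(w, S):
    """Exponent vector {p: e} of w over S if w is S-smooth, else None."""
    if w == 0:
        return None
    exps = {}
    for p in S:
        while True:
            q, r = pdivmod(w, p)
            if r:
                break
            w, exps[p] = q, exps.get(p, 0) + 1
    return exps if w == 1 else None

def deformed_pairs(a0, b0, z):
    """(a_lambda, b_0) for every lambda in F_2^z, by Theorem 3.23's formula.

    Only the final formula is reproduced: the seed (a_0, b_0) is chosen by hand,
    not by the paper's FGLM construction.  gcd(a_0, b_0) = 1 gives gcd(a_lambda, b_0) = 1,
    and deg(a_lambda) = z + d - 1 with d = max{i : lambda_i != 0} (Theorem 3.22 (4)).
    """
    assert deg(b0) == z and deg(a0) < z and pgcd(a0, b0) == 1
    return [(a0 ^ pmul(t, b0), b0) for t in range(1 << z)]   # bit j-1 of t is lambda_j

def coppersmith_relation(u1, u2, F, k, S):
    """Eqs. (27)-(28): w1 = u1 x^h + u2, w2 = w1^(2^k) mod F, h = floor(n / 2^k) + 1.

    Returns (w1, w2, e1, e2) with the exponent vectors over S when both are
    S-smooth, otherwise None (the pair is discarded, as in the text).
    """
    n = deg(F)
    h = n // (1 << k) + 1
    assert pgcd(u1, u2) == 1
    w1 = pmul(u1, 1 << h) ^ u2
    w2 = w1
    for _ in range(k):                             # w1^(2^k) by k squarings mod F
        w2 = pdivmod(pmul(w2, w2), F)[1]
    e1, e2 = factor_over(w1, S), factor_over(w2, S)
    return None if e1 is None or e2 is None else (w1, w2, e1, e2)

def relations_from_family(a0, b0, z, F, k, S):
    """Smoothness-test every pair of the deterministic family; keep the relations."""
    rels = (coppersmith_relation(u1, u2, F, k, S) for u1, u2 in deformed_pairs(a0, b0, z))
    return [r for r in rels if r is not None]

def log_table(F, gamma):
    """log_gamma of every nonzero element of F_2[x]/(F), by brute force (toy sizes only)."""
    logs, acc = {}, 1
    for e in range((1 << deg(F)) - 1):
        logs[acc] = e
        acc = pdivmod(pmul(acc, gamma), F)[1]
    return logs

def relation_holds(rel, logs, k, order):
    """Check log(w2) = 2^k log(w1) (mod order) from the exponent vectors alone."""
    _, _, e1, e2 = rel
    lhs = sum(e * logs[p] for p, e in e2.items()) % order
    rhs = (1 << k) * sum(e * logs[p] for p, e in e1.items()) % order
    return lhs == rhs

if __name__ == "__main__":
    F, k, z = 0b10000011, 1, 2                     # F = x^7 + x + 1 (irreducible), n = 7, h = 4
    S = irreducibles_up_to(3)                      # x, x+1, x^2+x+1, x^3+x+1, x^3+x^2+1
    rels = relations_from_family(0b10, 0b111, z, F, k, S)   # a_0 = x, b_0 = x^2 + x + 1
    logs = log_table(F, 0b10)                      # gamma = x, primitive since 2^7 - 1 is prime
    for rel in rels:
        print(f"w1={rel[0]:#b} {rel[2]}  w2={rel[1]:#b} {rel[3]}  "
              f"congruence holds: {relation_holds(rel, logs, k, (1 << deg(F)) - 1)}")
```

Of the four pairs in the family only $\lambda = (0, 0)$ yields a relation at this size ($w_1 = (x+1)^2 (x^3+x+1)$ and $w_2 = x^3 + x^2 + 1$); the other three produce a $w_1$ with an irreducible factor of degree above $m$ and are discarded, which is the smoothness bottleneck that decides how many pairs must be tried to reach $|S|$ relations. Every pair of the family is coprime by construction and has a degree fixed by $\lambda$, which is what the deterministic technique offers over random sampling; whether the resulting $w_1$ is smooth is still left to chance, exactly the open point raised in the Conclusions.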

5 Conclusions

In this paper some techniques to obtain pairs of coprime polynomials have been described. Even if we can provide a large number of such pairs with a guaranteed degree, several problems still remain open:

• the efficiency of the technique relies too much on the factorization of some polynomials, which may have relatively high degree,

• it would be interesting to predict what happens if we consider a $g$ which is a multiple concatenation of a different type (this might free us from the factorization problem),

• it would be very nice to specialize our technique directly to the cryptographic application presented above, skipping the classical approach,

• it is very difficult to predict other properties of our pairs, apart from their degree, which would be extremely useful in many cases, like their factorization and their roots.

However, we believe that we have presented some techniques based on a new, interesting approach and that more results can be obtained if one investigates deeper in this direction.


Acknowledgements

The core part of this paper comes from the second author's Master's thesis and so she would like to thank her three supervisors: F. Dalla Volta and the other two authors.

The authors heartily thank, for their useful suggestions and comments, F. Fitzpatrick, T. Mora, M. Orsini, I. Simonetti and C. Traverso.

References

[AD94] Leonard M. Adleman and Jonathan DeMarrais, A subexponential algorithm for discrete logarithms over all finite fields, Advances in cryptology—CRYPTO '93 (Santa Barbara, CA, 1993), Lecture Notes in Comput. Sci., vol. 773, Springer, Berlin, 1994, pp. 147–158. MR1288966 (95d:94013)

[BFHMV84] I. F. Blake, R. Fuji-Hara, R. C. Mullin, and S. A. Vanstone, Computing logarithms in finite fields of characteristic two, SIAM J. Algebraic Discrete Methods 5 (1984), no. 2, 276–285. MR745447 (86h:11109)

[Cop84] Don Coppersmith, Fast evaluation of logarithms in fields of characteristic two, IEEE Trans. on Inf. Th. 30 (1984), no. 4, 587–594. MR755785 (85h:65041)

[FGLM93] J. C. Faugère, P. Gianni, D. Lazard, and T. Mora, Efficient computation of zero-dimensional Gröbner bases by change of ordering, J. Symbolic Comput. 16 (1993), no. 4, 329–344. MR1263871 (94k:68095)

[Fit95] Patrick Fitzpatrick, On the key equation, IEEE Trans. on Inf. Th. 41 (1995), no. 5, 1290–1302. MR1366325 (96i:94033)

[Mor03] Teo Mora, Solving polynomial equation systems. I, Encyclopedia of Mathematics and its Applications, vol. 88, Cambridge University Press, Cambridge, 2003, The Kronecker-Duval philosophy. MR1966700 (2004d:12001)

[Odl00] Andrew Odlyzko, Discrete logarithms: the past and the future, Des. Codes Cryptogr. 19 (2000), no. 2-3, 129–145, Towards a quarter-century of public key cryptography. MR1759614

[Tho01] Emmanuel Thomé, Computation of discrete logarithms in $\mathbb{F}_{2^{607}}$, Advances in cryptology—ASIACRYPT 2001 (Gold Coast), Lecture Notes in Comput. Sci., vol. 2248, Springer, Berlin, 2001, pp. 107–124. MR1934518 (2003h:94051)
