Certiﬁcation of Minimal Approximant Bases

(1)

Certification of Minimal Approximant Bases

Pascal Giorgi ¹, Vincent Neiger²

1Universit´e de Montpellier, France ²Universit´e de Limoges, France

ISSAC’2018, New York, USA July 17, 2018

(2)

Approximant Bases

LetF ∈K[X]^m×n a matrix of power series truncated at orderd= (d₁, . . . ,d_n) columnwise :∀1≤j≤n,degF_∗,j<dj

approximant ofFat order d:

p∈K[X]^1×m s.t. pF = [0, . . . ,0] modX^(d¹^,...,dⁿ⁾

the setAd(F)of all approximants ofF forms a freeK[X]-module of rank m[Van Barel, Bultheel 1992].

A basisP∈K[X]^m×m ofAd(F)is called an approximant basis

(3)

Minimal Approximant Bases

Minimality

row-reduced overK[X], i.e. minimal row degree among all bases

P=





3x³ 2x² x+ 3

x³+ 4x² 2x³+ 3x² 5x² x³+ 6x²+ 4x 2x³+ 8x²+ 5 6x²+ 3



,rdeg(P) =



 3 3 3





⇒row-reduction is related to therdeg-leading matrix ofP



 1

1

−1 1



P=R=





3x³ 2x² x+ 3

x³+ 4x² 2x³+ 3x² 5x² 2x²+ 4x 5x²+ 5 x²+ 3



,rdeg(R) =



 3 3 2





(4)

Minimal Approximant Bases

Minimality

row-reduced overK[X], i.e. minimal row degree among all bases

P=





3x³ 2x² x+ 3

x³+ 4x² 2x³+ 3x² 5x² x³+ 6x²+ 4x 2x³+ 8x²+ 5 6x²+ 3



,rdeg(P) =



 3 3 3





⇒row-reduction is related to therdeg-leading matrix ofP



 1

1

−1 1



P=R=





3x³ 2x² x+ 3

x³+ 4x² 2x³+ 3x² 5x² 2x²+ 4x 5x²+ 5 x²+ 3



,rdeg(R) =



 3 3 2





(5)

Shifted Minimal Approximant Bases

Shifted row degree (ors-row degree)

degree measure for weighting the columns with a shift s = (s1, . . . ,sm)

rdeg_s(P) =rdeg(PX^s) =rdeg(P





 X^s¹

. .. X^s^m





)

s-minimal approximant bases

bases ofAd(F)that have minimals-row degree among all bases (s-reduced)

s-Popov approximant bases (uniqueness)

rdeg_s-leading matrix→unitary lower triangular matrix cdeg-leading matrix→identity

(6)

Shifted Minimal Approximant Bases

Shifted row degree (ors-row degree)

degree measure for weighting the columns with a shift s = (s1, . . . ,sm)

rdeg_s(P) =rdeg(PX^s) =rdeg(P





 X^s¹

. .. X^s^m





)

s-minimal approximant bases

bases ofAd(F)that have minimals-row degree among all bases (s-reduced)

s-Popov approximant bases (uniqueness)

rdeg_s-leading matrix→unitary lower triangular matrix cdeg-leading matrix→identity

(7)

Algorithms for Approximant Bases

- polynomial matrix F∈K[X]^m×n

- orderd= (d1, . . . ,dn)∈Zⁿ>0withD=|d|=P

jdj

- shifts∈Z^m

Best known algorithms to date cost inO˜(m^ωD/m) =O˜(m^ω−1D)

minimal bases (unique order, no shift) [G., Jeannerod, Villard ISSAC’03]

s-minimal bases (unique order, small shifts) [Zhou, Labahn ISSAC’12]

s-Popov bases (all orders/shifts) [Jeannerod et al. ISSAC’16]

These are deterministic non-optimal algorithms, i.e.Size(F) =mD

when delegating computation→hope for faster verification

(8)

Algorithms for Approximant Bases

- polynomial matrix F∈K[X]^m×n

- orderd= (d1, . . . ,dn)∈Zⁿ>0withD=|d|=P

jdj

- shifts∈Z^m

Best known algorithms to date cost inO˜(m^ωD/m) =O˜(m^ω−1D)

minimal bases (unique order, no shift) [G., Jeannerod, Villard ISSAC’03]

s-minimal bases (unique order, small shifts) [Zhou, Labahn ISSAC’12]

s-Popov bases (all orders/shifts) [Jeannerod et al. ISSAC’16]

These are deterministic non-optimal algorithms, i.e.Size(F) =mD

when delegating computation→hope for faster verification

(9)

Verifying outsourced computation

Verifier

Prover

F

^{, x}

y=

F

(x), proof

generating the proof must be negiglible

verifying the proof must be easier than computing

F

(x)

→different models : interactive or static

Sometimes the proof is unnecessary :

→Freivalds’ verification of matrix mul.(uA)B =uC

(10)

Verifying outsourced computation

Verifier

Prover

F

^{, x}

y=

F

(x), proof

generating the proof must be negiglible

verifying the proof must be easier than computing

F

(x)

→different models : interactive or static

Sometimes the proof is unnecessary :

→Freivalds’ verification of matrix mul.(uA)B =uC

(11)

Certifying linear algebra

Generic approaches exist

Interactive proof for boolean circuits[Goldwasser, Kalai, Rothblum ’08 ; Thaler ’13]

matrix mul. reduction→rerun with Freivalds[Kaltofen, Nehrig, Saunders ISSAC’11]

7 prover or verifier time might not be optimal

Optimal ad’hoc verifications exist[Dumas,Kaltofen ISSAC’14]

3 prover and verifier time can be “optimal”

3 independent of the circuit (certifying result rather than execution)

How to optimally certify/verify approximant bases ?

(12)

Certifying linear algebra

(13)

Certifying linear algebra

(14)

Main result

GivenP as-minimal basis ofAd(F)withSize(P) =O(mD)

Static proof fors-minimal approximant bases

additional effort :O(m^ω−1D) prover

Monte Carlo verification :O(mD+m^ω−1(m+n)) verifier probability of error≤ _#S^D forS ⊂K.

⇒almost optimal certificate (Dm² often the case in practice)

⇒total prover time remains inO˜(m^ω−1D)

(15)

Main result

GivenP as-minimal basis ofAd(F)withSize(P) =O(mD)

Size(P) =O(mD) not in general

⇒but bases computed by best known algorithms have such property

|rdeg(P)| ∈O(D) [Van Barel, Bultheel ’92 ; Zhou, Labahn ISSAC’12]

|cdeg(P)| ≤D (s-Popov) [Jeannerod et al. ISSAC’16]

(16)

How to certify approximant basis

1 Minimal :Pis s-reduced

2 Approximant :PF = 0 modX^(d¹^,...,dⁿ⁾

3 Basis : rows ofP generateAd(F)

(17)

How to certify approximant basis

This amounts to check non-singularity of therdeg_s-leading matrix ofP

⇒can be done at a costO(m^ω)

(18)

How to certify approximant basis

not trivial→computingPF modX^(d¹^,...,dⁿ⁾ costsO˜(m^ω−1D).

check(uP)F =uG modX^(d¹^,...,dⁿ⁾ for a random vectoru check for a randomα∈S ⊂K,δ= max (d1, . . . ,dn)that

(19)

How to certify approximant basis

Proposition : Freivalds +[G. ’18]

verifyPF =G modX^(d¹^,...,dⁿ⁾ at optimal costO(mD)

check(uP)F =uG modX^(d¹^,...,dⁿ⁾ for a random vectoru check for a randomα∈S ⊂K,δ= max (d1, . . . ,dn)that

(20)

How to certify approximant basis

verifyPF =G modX^(d¹^,...,dⁿ⁾ at optimal costO(mD) check(uP)F =uG modX^(d¹^,...,dⁿ⁾ for a random vectoru

check for a randomα∈S ⊂K,δ= max (d1, . . . ,dn)that

(21)

How to certify approximant basis

verifyPF =G modX^(d¹^,...,dⁿ⁾ at optimal costO(mD) check(uP)F =uG modX^(d¹^,...,dⁿ⁾ for a random vectoru check for a randomα∈S⊂K,δ= max (d1, . . . ,dn)that

1 α . . . α^δ−1





 uP0

uP1 . .. ... . .. . .. uP_δ−1 . . . uP1 uP0











 F₀ F1

... F_δ−1







=

1 α . . . α^δ−1





 uG₀ uG1

... uG_δ−1







(22)

How to certify approximant basis

1 α . . . α^δ−1





 uP0

uP1 . .. ... . .. . .. uP_δ−1 . . . uP1 uP0











 F₀ F1

... F_δ−1







=uG(α)

(23)

How to certify approximant basis

uP(α) . . . α^δ−ju(PremX^j)(α) . . . α^δ−1uP₀





 F0

F1

... F_δ−1







=uG(α)

Horner’s intermediate values forα^δ−1rev(uP)onX =α⁻¹

(24)

How to certify approximant basis

(25)

How to certify approximant basis

Proposed lemma

rows ofP generateAd(F)if and only if PF = 0 modX^d

det(P) =X^δ for0< δ≤D [Beckermann, Labahn ’97]

the matrix

P(0) C

∈K^m×(m+n) has full rank, where

C =PFX^−dmodX (our certificate)

(26)

How to certify approximant basis

Proposed lemma

rows ofP generateAd(F)if and only if PF = 0 modX^d

det(P) =X^δ for0< δ≤D [Beckermann, Labahn ’97]

the matrix

P(0) C

∈K^m×(m+n) has full rank, where

C =PFX^−dmodX (our certificate)

Idea of proof :

Ad(F) ' ker(

F

−X^d

)

PF = 0 modX^d ⇐⇒

P PFX^−d F

−X^d

= 0

(27)

Our protocol for certifying approximant bases

Prover (compute)

1 computePas-minimal basis ofAd(F)

2 computeC=PFX^−d modX

⇒send(P,C)to the verifier

O˜(m^ω−1D)

,→O˜(m^ω−1D)

? ? ?

Verifier (check)

1 non-singularity ofleadmatrdeg_s(P)

2 full rank of

P(0) C

3 det(P(α)) = det(P(1))α^|rdeg^s^(P)|−|s|

withαrandom inS⊂K

4 PF=CX^dmodX^(d¹^+1,...,dⁿ⁺¹⁾

O(mD+m^ω−1(m+n))

,→O(m^ω) ,→O(m^ω−1n) ,→O(mD+m^ω) ,→O(mD)

(28)

How to efficiently generate the certificate

ComputeC as the term of degree0inPFX^−d:

→goal : no more thanO˜(m^ω−1D)

Easy whenn=mandd= (D/m, . . . ,D/m),

C =

D/m

X

k=1

P_kF_D/m−k

⇒this costs at mostD/m·O(m^ω) =O(m^ω−1D)

(29)

How to efficiently generate the certificate

Extracting non-zero values according to the degrees

#of rows in P with degree≥k is no more than D/k

#of columns inF with degree≥k is no more thanD/k

C =

max(d)

X

k=1

P_k^∗F_d−k^∗ -∀k<D/meach product costsO(m^ω)

-∀k≥D/meach product costsO((D/k)^ω−1m)

Total cost inO(m^ω−1D)

1. similar idea with|cdeg(P)| ≤D

(30)

How to efficiently generate the certificate

Extracting non-zero values according to the degrees

#of rows in Pwith degree ≥k is no more than D/k

#of columns inF with degree≥k is no more thanD/k

C =

max(d)

X

k=1

P_k^∗F_d−k^∗ -∀k<D/m each product costsO(m^ω)

-∀k≥D/m each product costsO((D/k)^ω−1m)

Total cost inO(m^ω−1D)

1. similar idea with|cdeg(P)| ≤D

(31)

Our protocol for certifying approximant bases

Prover

1 computePas-minimal basis ofAd(F)

2 computeC=PFX^−dmodX

⇒send(P,C)to the verifier

O˜(m^ω−1D)

,→O˜(m^ω−1D) ,→O(m^ω−1D)

Verifier

1 check non-singularity ofleadmatrdeg_s(P)

2 check full rank of

P(0) C

3 checkdet(P(α)) = det(P(1))α^|rdeg^s^(P)|−|s|

withαrandom inS⊂K

4 checkPF=CX^dmodX^(d¹^+1,...,dⁿ⁺¹⁾

O(mD+m^ω−1(m+n))

,→O(m^ω) ,→O(m^ω−1n) ,→O(mD+m^ω) ,→O(mD)

(32)

Conclusion

Almost optimal non-interactive certificate

negligeable overhead for theProver, onlyO(m^ω−1D) verification time inO(mD)+ checking rank/det overK probability of error≤ ^D_S forS ⊂K[Freivalds ; Schwartz, Zippel]

certificate space is small, i.e.O(mn)

Remark

turn “easily” into optimal interactive protocol by[Dumas, Kaltofen ISSAC’14]

a LinBox’s implementation should be available soon

(33)

Conclusion

Almost optimal non-interactive certificate

negligeable overhead for theProver, onlyO(m^ω−1D) verification time inO(mD)+ checking rank/det overK probability of error≤ ^D_S forS ⊂K[Freivalds ; Schwartz, Zippel]

certificate space is small, i.e.O(mn)

Remark

turn “easily” into optimal interactive protocol by[Dumas, Kaltofen ISSAC’14]

a LinBox’s implementation should be available soon

(34)

Thank You

(35)

Certificate : sketch of proof

[Zhou, Labahn ISSAC’13, Neiger’s PhD ’16]

Ad(F) ' ker(

F

−X^d

)

PF = 0 modX^d ⇐⇒

P Q F

−X^d

= 0 Column image of kernel bases :

ker(

F

−X^d

) =

0_m×n I_m

V with V ∈GL_m+n(K[X])

P basis : P Q

= ker(

F

−X^d

) =⇒rank(

P Q

) = rank(

P(0) Q(0) ) =m P not basis :

P Q

=U

A AFX^−d

withdet(U) =X^δ

=⇒rank(

P(0) Q(0) )<m

(36)

Verifying truncated polynomial matrix product

The polynomial case[G. ’18]

Let A = a₀+a₁X +· · ·+a_k−1X^k−1 and B = b₀+b₁X +· · ·+b_k−1X^k⁻¹, sampling random value X = α in C = AB modX^k corresponds to :

1 α . . . α^k−1





 a0

a1 . .. ... . .. . .. a_k−1 . . . a1 a0











 b0

b₁ ... b_k₋₁







=

1 α . . . α^k⁻¹





 c0

c1

... c_k−1







(37)

Verifying truncated polynomial matrix product

1 α . . . α^k−1





 a0

a₁ . .. ... . .. . .. ak−1 . . . a1 a0











 b0

b₁ ... b_k−1







=C(α)

(38)

Verifying truncated polynomial matrix product

A(α) . . . α^k−j(AremX^j)(α). . . α^k⁻¹a0





 b0

b₁ ... b_k







=C(α)

(39)

Verifying truncated polynomial matrix product

A(α) . . . α^k−j(AremX^j)(α). . . α^k⁻¹a0





 b0

b₁ ... b_k







=C(α)

⇒verification inO(k)using Horner’s algo. onα^k−1rev(A)withX =α⁻¹

⇒proba error<_#S^k forS ⊂K[Schwartz, Zippel ’79]

(40)

Verifying truncated polynomial matrix product

The polynomial matrix case

LetP∈K[X]^m×m, F,G ∈K[X]^m×n,t= (t1, . . . ,tn)andδ= max(t) How to checkPF =G modX^t?

1 shrink matrix row dimensiona la Freidvalds, randomu∈K^1×m

→p=uP ∈K[x]^1×m andg =uG∈K[X]^1×n

2 apply idea of[G. ’18]with vector/matrix

1 α . . . α^δ−1





 p0

p1 . .. ... . .. . .. p_δ−1 . . . p₁ p₀











 F0

F1

... F_δ−1







=g(α)

(41)

Verifying truncated polynomial matrix product

p(α) . . . α^δ−j(premX^j)(α) . . . α^δ−1p0

| {z }

∈K^1×mδ





 F0

F1

... F_δ−1







=g(α)

(42)

Verifying truncated polynomial matrix product

p(α) . . . α^δ−j(premX^j)(α) . . . α^δ−1p0

| {z }

∈K^1×mδ





 F0

F1

... F_δ−1







=g(α)

⇒verification inO(size(P) +mP ti)

⇒proba error<_#S^δ forS ⊂K