The Polynomial Composition Problem in (ℤ/nℤ)[X]

(1)

HAL Id: hal-01056103

https://hal.inria.fr/hal-01056103

Submitted on 14 Aug 2014

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Distributed under a Creative Commons Attribution| 4.0 International License

The Polynomial Composition Problem in (�/n�)[X]

Marc Joye, David Naccache, Stéphanie Porte

To cite this version:

Marc Joye, David Naccache, Stéphanie Porte. The Polynomial Composition Problem in (�/n�)[X].

9th IFIP WG 8.8/11.2 International Conference on Smart Card Research and Advanced Applications

(CARDIS), Apr 2010, Passau, Germany. pp.1-12, �10.1007/978-3-642-12510-2_1�. �hal-01056103�

(2)

The Polynomial Composition Problem in ( Z /n Z )[X]

Marc Joye¹, David Naccache², and St´ephanie Porte³

1 Thomson R&D, Security Competence Center

1 avenue de Belle Fontaine, 35576 Cesson-S´evign´e Cedex, France [email protected]

2 Ecole normale sup´erieure, D´epartement d’informatique 45 rue d’Ulm, 75230 Paris Cedex 05, France

[email protected]

3 Smart Consulting

2 rue Louis Vignol, 13600 La Ciotat, France [email protected]

Abstract. Let n be an RSA modulus and let P,Q ∈ (Z/nZ)[X]. This paper explores the following problem: Given polynomialsQandQ(P), find polynomialP. We shed light on the connections between the above problem and the RSA problem and derive from it new zero-knowledge protocols suited to smart-card applications.

Keywords: Polynomial composition, zero-knowledge protocols, Fiat- Shamir protocol, Guillou-Quisquater protocol, smart cards.

1 Introduction

Smart cards play an active role in security systems. Their salient features make them attractive in numerous applications, including — to name a few — the ar- eas of banking, telephone, health, pay TV, home computers, and communication networks.

One of the primary use of smart cards resides in authentication. There exist basically two families of methods currently used for authenticating purposes.

The first family relies on secret-key one-way functions while the second one makes use of public-key techniques. Both families have their own advantages.

This paper focuses on the second family. In particular, we study zero-knowledge techniques. In a typical scenario, the smart card, characterized by a set of cre- dentials, plays the role of the proving entity.

The first practical zero-knowledge protocol is due to Fiat and Shamir [3].

Remarkably, the protocol is rather efficient, computation-wise. It amounts to at most two modular multiplications per interaction. However, in order to reach a level of confidence of (1−2^−k), the basic protocol has to be repeatedktimes

— a typical value forkisk= 40. In order to reduce the communication over- head, there is also a multiple-key protocol, at the expense of more key material.

Another zero-knowledge protocol well suited to smart-card applications is the

(3)

Guillou-Quisquater protocol [4] (a.k.a. GQ protocol). The GQ protocol features small storage requirements and needs a single interaction.

In this paper we introduce a new problem, thePolynomial Composition Prob- lem, which can be stated as follows.

Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA modulus. Given polynomialsQandS :=Q(P), findP.

Most public-key cryptographic schemes base their security on the difficulty of solving a hard mathematical problem. Given that the number of hard problems harnessable to cryptographic applications is rather limited, the investigation of new problems is of central importance in cryptography. To understand the Polynomial Composition Problem and its variants, we explore in the following sections the way in which the PCP relates to the celebrated RSA problem.

The Polynomial Composition Problem in (Z/nZ)[X] does not imply the RSA Problem, that is, the computation of roots inZ/nZ. Nevertheless, we exhibit a related problem that we callReducible Polynomial Composition Problem(RPCP) and prove that RPCP⇔RSA. In particular, we prove that whenQ(X)=X^qthen the Polynomial Composition Problem is equivalent to the problem of extracting q^throots inZ/nZ.

These new problems allow us to broaden the view of existing cryptographic constructions. Namely, we describe a general PCP-based zero-knowledge protocol of which the Fiat-Shamir and the Guillou-Quisquater protocols are particular instances. As will be seen later, ifsdenotes the secret, they respectively correspond to the casesQ(X)=vX²andQ(X)=vX^ν(ν≥3), withQ(s)=1.

The rest of this paper is organized as follows. In Section 2, we formally define the Polynomial Composition Problem and introduce the notations used throughout this paper. The hardness of the problem and its comparison with RSA are analyzed in Section 3. Finally, in Section 4, we show that the PCP allows one to generalize several zero-knowledge protocols.

2 The Polynomial Composition Problem

We suggest the following problem as a basis for building cryptographic protocols.

Problem 1 (Polynomial Composition Problem (PCP)).LetP andQ be two polynomials in (Z/nZ)[X] wherenis an RSA modulus. Given polynomialsQ andS :=Q(P), findP.

Throughout this paperpandqdenote the degrees ofPandQ, respectively.

Let

P(X)= Xp

i=0

u_iXⁱ

(4)

where theui’s denote the unknowns we are looking for. We assume that Q(Y)=

Xq

j=0

k_jY^j

is known. Hence,

S(X)= Xq

j=0

kj

Pp

i=0

uiXⁱ

!j

.

If, given polynomialsQ^′(Y) :=Q(Y)−k0andS^′(X) :=Q^′(P(X)), an attacker can recoverP then the same attacker can also recoverP from{Q,S}by first forming polynomials Q^′(Y) = Q(Y)−k0 and S^′(X) = S(X)−k0. Therefore the problem is reduced to that of decomposing polynomials whereQ has no constant term, i.e., Q(Y) = Pq

j=1kjY^j. Similarly, once this has been done, the attacker can divideQby a proper constant and replace one of the coefficients k_jby one. Consequently and without loss of generality we restrict our attention to monic polynomialsQwith no constant term, that is,

Q(Y)=Y^q+kq−1Y^q−1+· · ·+k1Y . (1) Noting thatq=1 implies thatS =Q(P)=P, we also assume thatq≥2.

3 Analyzing the Polynomial Composition Problem

As before, letP(X) = Pp

i=0u_iXⁱ and letQ(Y) = Y^q+Pq−1

j=1k_jY^j. Generalizing Newton’s binomial formula and lettingk_q:=1, we get

S(X)= Xq

j=1

k_j Pp

i=0

u_iXⁱ

!j

= Xpq

t=0





 P

1≤i0+···+ip≤q i1+2i2+···+pip=t

ki0+···+ip

(i0+···+ip)!

i0!...ip! u0i0· · ·upip







| {z }

:=ct

X^t, (2)

where the second sum is extended over all nonnegative integersi_j satisfying 1≤Pp

j=0i_j≤qandPp

j=0j i_j=t.

3.1 RSA Problem⇒Polynomial Composition Problem We define polynomialsP₀, . . . ,P_pq∈(Z/nZ)[U₀, . . . ,U_p] as

P_t(U0, . . . ,Up) := X

1≤i0+···+ip≤q i1+2i2+···+pip=t

ki0+···+ip

(i₀+· · ·+i_p)!

i0!. . .ip! U0i0· · ·Upip−ct . (3)

Note thatP_t(u₀, . . . ,u_p)=0 for all 0≤t≤pq.

(5)

Proposition 1. For all0 ≤r≤p,P_pq−r ∈ (Z/nZ)[Up−r, . . . ,Up]. Furthermore, for all1≤r≤p,P_pq−ris of degree exactly one in variable Up−r.

Proof. Forr= 0, we haveP_pq(U₀, . . . ,Up)= Upq−cpq. Forr =p, the condition P_pq−r∈(Z/nZ)[Up−r, . . . ,Up] is trivially satisfied.

Fixrin [1,p). By contradiction, suppose thatP_pq−r<(Z/nZ)[Up−r, . . . ,Up]. So from Eq. (3), there exists someij,0 with 0≤ j≤p−r−1. Since 1≤i0+· · ·+ip≤q, it follows thati1+2i2+· · ·+pip≤ j·1+p·(q−1)<pq−r; a contradiction because i1+2i2+· · ·+pip=pq−rfor polynomialP_pq−r.

Moreover, for all 1 ≤ r ≤ p, P_pq−r is of degree one in variable Up−r since we cannot simultaneously have 1 ≤Pp

j=0i_j ≤q,Pp

j=0j i_j =pq−r, andi_p−r ≥ 2.

Indeed,i_p−r ≥ 2 implies i₁+2i₂+· · ·+pi_p ≤ (p−r)·2+p·(q−2) < pq−r, a contradiction. Wheni_p−r=1,i₁+2i₂+· · ·+pi_p=pq−rifi_p=q−1 andi_j=0 for all 0≤(j,p−r)≤p−1. This implies that the only term inU_p−rappearing in polynomialP_pq−risqU_p−rU_p^q−1, whatever the values of variablesk_i’s are. ⊓⊔ Corollary 1. If the value of up is known then the Polynomial Composition Problem can be solved in time O(p).

Proof. Solving for Up−1 the relationP_pq−1(Up−1,up) = 0 (which is a univariate polynomial of degree exactly one inUp−1by virtue of the previous proposition), the value ofup−1 is recovered. Next, the root ofP_pq−2(Up−2,up−1,up) gives the value ofup−2and so on until the value ofu0is found.

Note that the running time of the resolution process is O(p) and is thus

exponential in the bit-length ofp. ⊓⊔

This means that for low degree polynomials, the Polynomial Composition Problem inZ/nZis easier than the problem of computingq^th roots inZ/nZ because if an attacker is able to compute aq^th modular root (i.e., to solve the RSA Problem) then she can findu_pfromP_pq(u_p)=u_p^q−c_pq=0 and then apply the technique explained in the proof of Corollary 1 to recoveru_p−1, . . . ,u₀. In other words,

Corollary 2. RSA Problem⇒Polynomial Composition Problem. ⊓⊔ There is a proposition similar to Proposition 1. It says that onceu₀is known, u1, . . . ,upcan be found successively thanks to polynomialsP₁, . . . ,P_p, respectively.

Proposition 2. For all0 ≤ r ≤ p, P_r ∈ (Z/nZ)[U₀, . . . ,U_r]. Furthermore, for all 1≤r≤p,P_ris of degree exactly one in variable U_r.

Proof. We haveP₀(U₀)=Pq

j=1k_jU₀^j−c₀.

Forr∈[1,p], suppose thatP_r<(Z/nZ)[U₀, . . . ,U_r]. Therefore,i₁+2i₂+· · ·+ pi_p≥(r+1)·1>r; a contradiction sincei₁+2i₂+· · ·+pi_p=r. Moreover, we can easily see thatP_r(U₀, . . . ,U_r) = qU₀^q⁻¹U_r+Pq−1

j=1k_jj U₀^j−¹U_r+Q_r(U₀, . . . ,U_r−1) for some polynomialQ_r∈(Z/nZ)[U₀, . . . ,U_r−1]. ⊓⊔

(6)

3.2 Reducible Polynomial Composition Problem⇒RSA Problem

The Polynomial Composition Problemcannotbe equivalent to the RSA Problem.

Consider for example the casep=2 andq=3: we haveP(X)=u2X²+u1X+u0

andQ(X)=X³+k2X²+k1X, and

S(X)=c₆X⁶+c₅X⁵+c₄X⁴+c₃X³+c₂X²+c₁X+c₀

with











c₀=k₁u₀+k₂u²₀+u³₀, c1=k1u1+2k2u0u1+3u²₀u1,

c₂=k₂u²₁+3u₀u²₁+k₁u₂+2k₂u₀u₂+3u²₀u₂, c₃=u³₁+2k₂u₁u₂+6u₀u₁u₂,

c4=3u²₁u2+k2u²₂+3u0u²₂, c₅=3u₁u²₂,

c₆=u³₂.

We define the polynomialsP₀(U₀) :=k₁U₀+k₂U²₀+U³₀−c₀,P₁(U₀,U₁) := k₁U₁+2k₂U₀U₁+3U²₀U₁−c₁, andP₅(U₁,U₂) :=3U₁U²₂−c₅. Now we first compute the resultant ofP₀andP₁with respect to variableU₀and obtain a univariate polynomial inU₁, sayR₀ =Res_U₀(P₀,P₁). Next we compute the resultant of R₀andP₅with respect to variableU₁and get a univariate polynomial inU₂, sayR₁=ResU1(R₀,P₅). After computation, we get

R₁(U2)=27c³₁U₂⁶+(27c²₁c5k1−9c²₁c5k²₂)U₂⁴

+(−4c³₅k³₁+c³₅k²₂b²−18c₀c³₅k₁k₂+4c₀c³₅k³₂−27c²₀c³₅) .

Sinceu₂is a root of bothR₁(U₂) andP₆(U₂) :=U³₂−c₆,u₂will be a root of their greatest common divisor in (Z/nZ)[U₂], which is given by

(27c²₁c5k1−9c²₁c5k²₂)c6U2

+(27c³₁c²₆−4c³₅k³₁+c³₅k²₁k²₂−18c₀c³₅k₁k₂+4c₀c³₅k³₂−27c²₀c³₅),

from which we derive the value ofu2. Onceu2 is known, the values ofu1 and u0trivially follow by Corollary 1.

We now introduce a harder problem: theReducedPolynomial Composition Problem in (Z/nZ)[X].

Problem 2 (Reduced Polynomial Composition Problem (RPCP)).LetP and Qbe two polynomials in (Z/nZ)[X] wherenis an RSA modulus. GivenQand the deg(P)+1 most significant coefficients ofS :=Q(P), findP.

Definition 1. When the Polynomial Composition Problem is equivalent to the Reduced Polynomial Composition Problem, it is said to bereducible.

(7)

Equivalently, the Polynomial Composition Problem is reducible when the values ofc0, . . . ,cp(q−1)−1can be derived fromcp(q−1), . . . ,cpqandk1, . . . ,kq−1. This is for example the case whenp=q=2, that is, whenP(X)=u2X²+u1X+u0, Q(X)=X²+k1X, and

S(X)=c4X⁴+c3X³+c2X²+c1X+c0

with











c₀=k₁u₀+u²₀, c₁=k₁u₁+2u₀u₁, c2=k1u2+2u0u2+u²₁, c₃=2u₁u₂,

c₄=u²₂.

An astute algebraic manipulation yields:

c1= 4c₂c₃c₄−c³₃

8c²₄ (mod n) and c0= 4c²₁c₄−c²₃k²₁

4c²₃ (mod n) .

If follows that we can omit the first two relations (the information included therein is anyway contained in the remaining three as we had just shown) and the problem amounts to solving the Reduced Polynomial Composition Problem:











c2 =k1u2+2u0u2+u²₁, c₃ =2u₁u₂,

c4 =u²₂.

Theorem 1. Reducible Polynomial Composition Problem⇒RSA Problem.

Proof. Assume that we are given an oracle O^PCP(k₁, . . . ,kq−1;c₀, . . . ,cpq) which on input polynomialsQ(X)=X^q+Pq−1

j=1k_jX^jandS(X)=Ppq

t=0c_tX^treturns the polynomialP(X)=Pp

i=0u_iXⁱsuch thatS(X)=Q(P(X)). When the polynomial composition is reducible, oracleO^PCPcan be used to compute aq^throot of a given x∈Z/nZ,i.e., compute aysatisfyingy^q≡x (modn).

1. choosep+q−1 random valuesk1, . . . ,kq−1,cp(q−1), . . . ,cpq−1∈Z/nZ; 2. computec0, . . . ,cp(q−1)−1;

3. runO^PCP(k1, . . . ,kq−1;c0, . . . ,cpq−1,x);

4. getu0, . . . ,up;

5. sety:=upand soy^q≡x (mod n).

Note that Step 2 can be executed since the composition is supposed to be reducible. Furthermore, note that the values ofcpq−1, . . . ,cp(q−1)uniquelydetermine the values ofup−1, . . . ,u0, respectively. Indeed, from Proposition 1,

P_pq₋_r(U_p−r,u_p−r+1, . . . ,u_p)∈(Z/nZ)[U_p−r]

is a polynomial of degree exactly one of whichu_p−ris root, for all 1≤r≤p. ⊓⊔

(8)

3.3 A Practical Criterion

In this section, we present a simple criterion allowing to decide if a given composition problem is reducible.

During the proof of Proposition 1, we have shown that there exists a poly- nomialQ_pq−r∈(Z/nZ)[U_p−r+1, . . . ,U_p] such that

P_pq−r(U_p−r, . . . ,U_p)=qU_p−rU_p^q−1+Q_pq−r(U_p−r+1, . . . ,U_p) for all 1≤r≤p. Fromcpq=(up)^q, we infer:

u_p−r= −Q_pq₋_r(u_p−r+1, . . . ,u_p)

q c_pq u_p, (1≤r≤p) . (4) Using Eq. (4), for r = 1, . . . ,p, we now iteratively compute up−1, . . . ,u0 as a polynomial function in u_p. We let Υp−r denote this polynomial function, i.e., u_p−r = Υp−r(u_p) for all 1 ≤ r ≤ p. We then respectively replaceu₀, . . . ,u_p−1 by Υ0(u_p), . . . , Υ_p−1(u_p) in the expressions ofc₀, . . . ,c_pq−p−1. If, for eachc_i (0 ≤ i ≤ pq−p−1), the powers ofu_p cancel thanks to (u_p)^q−1 =c_pq then the problem is reducible.

We illustrate the technique with the exampleP(X)=u3X³+u2X²+u1X+u0

andQ(Y)=Y³. ThenS(X)=P₉

t=0ctX^twith











c₀=u³₀, c₁=3u²₀u₁,

c2=3u²₀u2+3u0u²₁, c₃=3u²₀u₃+6u₀u₁u₂+u³₁, c₄=6u₀u₁u₃+3u₀u²₂+3u²₁u₂, c5=6u0u2u3+3u²₁u3+3u1u²₂, c₆=3u₀u²₃+6u₁u₂u₃+u³₂, c₇=3u₁u²₃+3u²₂u₃, c8=3u2u²₃,

c9=u³₃.

From the respective expressions ofc8,c7andc6, we successively find Υ2(u3)= c8

3c9 u3, Υ1(u3)= 3c7c9−c8

9c²₉ u3, and Υ0(u3)= 27c₆c²₉−6c₈(3c₇c₉−c²₈)−c³₈

81c³₉ u3 .

Sincec0, . . . ,c5are homogeneous inu0,u1,u2,u3and of degree three, they can be evaluated by replacingu₀,u₁,u₂byΥ0(u₃), Υ1(u₃), Υ2(u₃), respectively, and then replacing (u₃)³byc₉. Consequently, the composition is reducible: the values of

(9)

c0, . . . ,c5can be inferred fromc6, . . . ,c9and the problem amounts to computing cubic roots inZ/nZ.

This is not fortuitous and can easily be generalized as follows.

Corollary 3. ForQ(Y)=Y^q, the Polynomial Composition Problem inZ/nZis equivalent to the RSA Problem,i.e.to the problem of extracting q^throots inZ/nZ.

Proof. From Eq. (2), it follows thatS(X)=Ppq

t=0c_tX^twith ct= X

i0+···+ip=q i1+2i2+···+pip=t

q!

i₀!· · ·i_p!u0i0· · ·upip,

which is homogeneous in u0, . . . ,up and of degreei0+· · ·+ip = q. Moreover since by induction, for 1≤r≤p,Υp−r(up)=Kp−r·upfor some constantKp−r, the

corollary follows. ⊓⊔

4 Cryptographic Applications

Loosely speaking, a zero-knowledge protocol allows a prover to demonstrate the knowledge of a secret without revealing any useful information about the secret. We show how to construct such a protocol thanks to composition of polynomials.

4.1 A PCP-Based Zero-Knowledge Protocol

A trusted third party selects and publishes an RSA modulusn. Each proverP chooses two polynomialsP,Qin (Z/nZ)[X] and computesS =Q(P).{Q,S} isP’s public key given to the verifierVso as to ascertainP’s knowledge of the secret keyP.

Executeℓtimes the following protocol:

• Pselects a randomr∈Z/nZ.

• Pevaluatesc=S(r) and sendsctoV.

• Vsends toPa random bitb.

• Ifb=0,Prevealst=randVchecks thatS(t)=c.

• Ifb=1,Prevealst=P(r) andVchecks thatQ(t)=c.

PCP-Based Protocol.

4.2 Improvements

Efficiency can be increased by using the following trick:

P chooses ν polynomials P₁, . . . ,P_ν−1,Q in (Z/nZ)[X], with ν ≥ 3. Her secret key is the set{P₁, . . . ,P_ν−1}while her public key consists of the set{S₀=

(10)

Q,S₁=Q(P_ν−1),S₂ =Q(P_ν−1(P_ν−2)), . . . ,S_j=Q(P_ν−1(. . .(P_ν−j))), . . . ,S_ν−1= Q(P_ν−1(. . .(P₁)))}.

The protocol is shown below:

• Pselects a randomr∈Z/nZ

• Pevaluatesc=S_ν−1(r) and sendsctoV.

• Vsends toPa random integer 0≤b≤ν−1.

• Ifb=0,Prevealst=randVchecks thatS_ν−₁(t)=c.

• Ifb,0,Prevealst=P_b(. . .(P₁(r))) andVchecks thatS_ν−b−1(t)=c.

Nested PCP Protocol.

4.3 Relations with Other Zero-Knowledge Protocols

It is interesting to note that our first protocol coincides with the (simplified) Fiat-Shamir protocol [3] (see also [5, Protocol 10.24]) when P(X) = sX and Q(X)=vX²wherevs²≡1 (modn).

The nested variant may be seen as a generalization of the Guillou-Quisquater protocol [4] by takingP₁(X)=P₂(X)=· · ·=P_ν−₁(X)=sXwheresis a secret value andQ(X) = vX^ν so thatvs^ν ≡ 1 (modn). Indeed, in this case we have P_ν−1(. . .(P_ν−j(X)))=s^jXand henceS_j(X)=v^1−jX^ν.

An interesting research direction would be to extend the above protocols to Dickson polynomials.

5 Conclusion

This paper introduced the Polynomial Composition Problem (PCP) and the related Reducible Polynomial Composition Problem (RPCP). Relations between these two problems and the RSA Problem were explored. Further, two con- crete zero-knowledge protocols suited to smart-card applications were given as particular instances of PCP-based constructs.

Acknowledgments We are grateful to Jesper Buus Nielsen (ETHZ) for attracting our attention to an important detail in the proof of Corollary 1. We are also grateful to the anonymous referees for useful comments.

References

1. Henri Cohen. A Course in Computational Algebraic Number Theory, GTM 138, Springer-Verlag, 1993.

2. Don Coppersmith, Matthew Franklin, Jacques Patarin, and Michael Reiter. Low- exponent RSA with related messages. In U. Maurer, ed.,Advances in Cryptology – EUROCRYPT ’96, LNCS 1070, pp. 1–9, Springer-Verlag, 1996.

(11)

3. Amos Fiat, and Adi Shamir. How to prove yourself: Practical solutions to identi- fication and signature problems. In A. M. Odlyzko, ed.,Advances in Cryptology – CRYPTO ’86, LNCS 263, pp. 186–194, Springer-Verlag, 1987.

4. Louis C. Guillou and Jean-Jacques Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In C. G ¨unther, ed.,Advances in Cryptology – EUROCRYPT ’88, LNCS 330, pp. 123–128, Springer-Verlag, 1988.

5. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone.Handbook of Applied Cryptography, CRC Press, 1997.

A Mathematical Background

LetRbe an integral domain with quotient fieldK.

Definition 2. Given two polynomialsA,B ∈ R[X], the resultant of A and B, denoted byRes(A,B), is defined as

Res(A,B)=(a_m)ⁿ(b_n)^m Y

1≤i≤m,1≤j≤n

(α_i−β_j) (5)

ifA(X)=a_mQ

1≤i≤m(X−αi)andB(X)=b_nQ

1≤j≤n(X−βj)are the decompositions ofA andBin the algebraic closure ofK.

From this definition, we see that Res(A,B)=0 if and only if polynomials A andB have a common root (inK); hence if and only ifA and Bhave a (non-trivial) common factor. Equivalently, we have

Res(A,B)=(a_m)ⁿ Y

1≤i≤m

B(α_i)=(b_n)^m Y

1≤j≤n

A(β_j) .

The resultant Res(A,B) can be evaluated without knowing the decompo- sition of A and B. LettingA(X) = P

1≤i≤maiXⁱ and B(X) = P

1≤j≤nbjX^j, we have

Res(A,B)=det







amam−1 . . . a₀ 0 . . . 0 0 a_m a_m−1. . . a₀ . . . 0 ... ... . .. ... · · · . .. ...

0 0 0 a_ma_m−1. . .a₀

bn bn−1 . . . b0 0 . . . 0 0 bn bn−1 . . . b0 . . . 0 ... ... . .. ... · · · . .. ...

0 0 0 bn bn−1 . . .b0















 nrows











mrows .

This clearly shows that Res(A,B)∈ R.

Amultivariate polynomialA ∈ R[X₁, . . . ,X_k] (withk≥2) may be viewed as a univariate polynomial in R[X₁, . . . ,X_k−1][X_k]. Consequently, it makes sense

(12)

to compute the resultant of two multivariate polynomials with respect to one variable, sayXk. IfA,B∈ R[X₁, . . . ,Xk], we let ResXk(A,B) denote the resultant ofA andBwith respect toXk.

Lemma 1. LetA,B ∈ R[X₁, . . . ,X_k](with k ≥ 2). Then(α₁, . . . , αk)is a common root (inK) ofA andBif and only if(α1, . . . , α_k−1)is a root ofResXk(A,B).

B Additional Examples

B.1 The casep=3 andq=2

Using the previous notations and simplifications, we write P(X) = u3X³ + u2X²+u1X+u0andQ(Y)=Y²+k1Y. Expressing theci’s we get:











c₀=k₁u₀+u²₀, c₁=k₁u₁+2u₀u₁, c2=u²₁+k1u2+2u0u2, c₃=2u₁u₂+k₁u₃+2u₀u₃, c₄=u²₂+2u₁u₃,

c5=2u2u3, c6=u²₃.

Now using the criterion of§3.3, we find u2 = ^c⁵

2c6u3,u1 = Vu3, and u0 =

−^k₄²¹+Lu3withV:= ^4c⁴^c⁶^−c²⁵

8c²₆ andL:= ^8c³^c²⁶^−c⁵^(4c⁴^c⁶^−c²⁵⁾

16c³₆ . Hence, we derive:

c₂=c₆V²+c₅L, c₁=2c₆LV, andc₀=−k²₁

4 +L²c₆ .

Being reducible, this proves that solving the PCP forp=3 andq=2 amounts to computing square roots inZ/nZ.

B.2 The casep=3 andq=3

We haveP(X)=u₃X³+u₂X²+u₁X+u₀andQ(X)=X³+k₂X²+k₁X. Defining polynomials P_i as in Eq. (3), we successively compute R₀ := ResU0(P₀,P₁), R₁:=ResU1(R₀,P₇), andR₂=ResU2(R₁,P₈) wherefrom

R₂(u₃)=19683c³₁u¹⁸₃ +(−6561c²₁c₇k²₂+19683c²₁c₇k₁)u¹⁶₃ +(2187c²₁c²₈k²₂−6561c²₁c²₈k1)u¹³₃

+(2916c0c³₇k³₂+729c³₇k²₁k²₂−13122c0c³₇k2k1−2916c³₇k³₁

−19683c³₇c²₀)u¹²₃

+(−2916c₀c²₇c²₈k³₂−729c²₈c²₇k²₂k²₁+13122c²₈c²₇c₀k₂k₁+2916c²₈c²₇k³₁ +19683c²₈c²₇c²₀)u⁹₃

+(972c⁴₈c₇c₀k³₂+243c⁴₈c₇k²₁k²₂−4374c⁴₈c₇c₀k₁k₂−972c⁴₈c₇k³₁

−6561c⁴₈c7c²₀)u⁶₃

+(−108c⁶₈c0k³₂−27c⁶₈k₁²k²₂+486c⁶₈c0k1k2+108c⁶₈k³₁+729c⁶₈c²₀)u³₃

=0 .

(13)

So, we obtain the value ofu3by exploiting the additional relationc9 =u³₃ and hence the values ofu2,u1, andu0.

Note that if we choosek1 =k²₂/3 then the terms inu¹⁶₃ (= c⁵₉u3) and inu¹³₃ (= c⁴₉u3) disappear and consequently the value ofu3 cannot be recovered. In this case, the criterion shows again that the problem is equivalent to that of computing cubic roots inZ/nZ.