Identity Testing from High Powers of Polynomials of Large Degree over Finite Fields

08/30/2017 ∙ by Marek Karpinski, et al. ∙ UNSW University of Bonn 0

We consider the problem of identity testing of two "hidden" monic polynomials f and g, given an oracle access to f(x)^e and g(x)^e for x∈ F_q, where F_q is the finite field of q elements (an extension fields access is not permitted). The naive interpolation algorithm needs de+1 queries, where d ={deg f, deg g} and thus requires de<q. For a prime q = p. we design an algorithm that is asymptotically better in certain cases, especially when d is large. The algorithm is based on a result of independent interest in spirit of additive combinatorics. It gives an upper bound on the number of values of a rational function of large degree, evaluated on a short sequence of consecutive integers, that belong to a small subgroup of F_p^*.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

1.1. Background and previous results

The following variant of polynomial identity problem has been motivated by some cryptographic applications, see [2, 12] for further discussion and the references.

Let be the finite field of elements of characteristic . We consider the Identity Testing from Powers for two “hidden” monic polynomials :

given oracles and that on every input output and for some large positive integer , decide whether .

We also consider the following problem Interpolation from Powers for a “hidden” monic polynomials :

given oracle that on every input outputs for some large positive integer , recover .

In particular, for a linear polynomial , with a ‘hidden’ , we denote . We remark that in this case there are two naive algorithms that work for linear polynomials:

  • One can query at arbitrary points and then using a fast interpolation algorithm, see [10], obtain a deterministic algorithm of complexity (as in [10], we measure the complexity of an algorithm by the number of bit operations in the standard RAM model of computation).

  • For probabilistic testing one can query (and ) at randomly chosen elements until the desired level of confidence is achieved (note that the equation has at most solutions ).

These naive algorithms have been improved by Bourgain, Garaev, Konyagin and Shparlinski [2] in several cases (with respect to both the time complexity and the number of queries).

Furthermore, for linear polynomials , Dam, Hallgren and Ip [9] provide a quantum polynomial time algorithm to find , see also [8], in the case of the oracle oracles , with

(and odd

). We remark that querring this oracle is equivalent to asking for the quadratic character of the computed value. Thus the oracle returns only one bit of information, making this the hardest case.

Russell and Shparlinski [15] have initiated the study of this question for non-linear monic polynomials and, in the case of the oracle , for a prime , have designed several classical and quantum algorithms. More recently, several other algorithms, for an arbitrary , have been given in [12]. The algorithms from [12] usually improve on the above trivial interpolation and random sampling algorithms. However in the settings of [12] the degree of the polynomials is assumed to be small.

Here we concentrate on the case of polynomials large degree and fields of large characteristic , in particular, on the case of prime fields , and use a different approach to obtain new results in this case.

We also observe that if

then the above naive interpolation and random sampling algorithms both fail. Indeed, since queries from an extension field are not permitted, and may not have enough elements to make these algorithms work. This indicates that the difficulty of the problem grows with the degrees of polynomials involved.

Our approach is based on a new upper bound on the size of an intersection of value set on consecutive integers of a rational function of large degree with a small subgroup of a finite field. Results of this type, complementing this of [11, 12, 17] are of independent interest, see also  [2, 3, 4, 5, 6, 14, 16] for further results on related problems.

2. Main results

First we consider the identity testing case of two unknown monic polynomials of degree given the oracles and . We remark that if is an -th power of a rational function over then it is impossible to distinguish between and from the oracles and .

We however impose a slightly stronger condition that is not a perfect power of a rational function.

Definition 2.1.

We see say that a rational function is a nontrivial perfect power if for some rational function of positive degree and some positive integer .

Theorem 2.2.

There are absolute constants such that for a prime and a positive integer , given two oracles and for some unknown monic polynomials of degree such that


such that is a nontrivial perfect power, there is a deterministic algorithm to decide whether in at most

queries to the oracles and .

Next, we consider the interpolation problem for square-free polynomials.

Theorem 2.3.

For any fixed there are constants such that for a prime and a positive integer , , given an oracle for some unknown monic square-free polynomial of degree such that

there is a deterministic algorithm which makes at most

queries to the oracle and recovers the polynomial in time

3. Points with coordinates from subgroups on plane curves over

We recall that the notations , and are all equivalent to the statement that the inequality holds with some constant

. Throughout the paper, any implied constants in these symbols are absolute, in particular, all estimates are uniform with respect to the degree

, the exponent and the field characteristic .

Our argument relies on a result of Corvaja and Zannier [7, Corollary 2].

We also use for the algebraic closure of

We also write and for the degree of in and respectively, and reserve for the total degree.

We say that is a torsion polynomial it is of the form


We remark that as we work over the algebraically closed field , the notions of irreducibility and absolute irreducibility coincide.

Lemma 3.1.

Assume that is an irreducible polynomial with which is not a torsion polynomial. For any multiplicative subgroups , we have



To apply [7, Corollary 2] we need to estimate the Euler characteristic of the curve in terms of . For the genus we have the well-known estimate . The set from [7, Theorem 2] corresponding to the scenario of [7, Corollary 2] is the set of poles and zeros of coordinate functions and and thuse . The result now follows.    

We now need a version of Lemma 3.1 which applies to any curve.

Lemma 3.2.

Assume that is of degree and is not divisible by a torsion polynomial. For any mutltiplicative subgroups , we have



If is an irreducible polynomial then the bound is immediate frow Lemma 3.1. Otherwise we factor into irreducible (over components of degrees, say, and then we obtain

where, by the convexity argument,

which concludes the proof.    

4. Non-vanishing of some resultants

We recall the following well-known statement, see for example [13, Lemma 6.54] (the proof extends from polynomials to rational functions without any changes).

Lemma 4.1.

Let be such that is not a perfect power of a rational function. Then for any integer the polynomial is irreducible.

Lemma 4.2.

Let be polynomials of degrees at most and be such that is not a perfect power of a rational function. Then for any integers the system of equations

with defines a zero dimensional variety, unless , and pairs are from a set of cardinality at most .


If the result is trivial

Changing the roles of and , we can always assume that .

Now, let . Since by Lemma 4.1 both polynomials are irreducible, they may have a common factor if and only if they are equal up to a factor from and thus . Furthermore comparing the coefficient at the front of we conclude that

Hence . Now, comparing the parts which do not depend on we obtain hence and then .

We now consider the case and rewrite the equations as

Again, by Lemma 4.1, the polynomials involved are irreducible again, hence . Comparing the parts which do not depend on we see that is uniquely defined and then is uniquely defined as well.    

Lemma 4.3.

Let be polynomials of degrees at most and be such that is not a perfect power of a rational function. Then there is a set of cardinality such that for the resultant

with respect to , is not divisible by a torsion polynomial.


Assuming that

is divisible by a polynomial of the form (3.1), we easily derive that there is a variety of the type considered in Lemma 4.2 which is of positive dimension. Since and , the result follows.    

5. Intersection of polynomial images of intervals and subgroups

For a rational function with two relatively primes polynomials and a set , we use to denote the value set

Given an interval with a positive and a subgroup we consider the size of the intersection of and , that is,

Bounds on this quantity for various functions is in the background of the algorithms of [2, 12]. These bounds are also of independent interest as they are natural analogues of the problem of bounding

for two intervals and and similar sets, which has recently been actively investigated, see [3, 4, 5, 6, 11, 14, 16, 17] and references therein.

Lemma 5.1.

Let with two relatively primes polynomials of degrees at most and such that is not a perfect power of a rational function. Then for any interval of length and any subgroup of order , we have


Denote . Let . Clearly the system of equations (over ):

has at least solutions. Let be the number of solutions with a fixed . The

We choose

and consider the set of with . Using that we write

Now if , where is as in Lemma 4.3. then and thus , which is stronger than the desired bound.

Hence we can assume that and thus there is . We now fix any and consider the systeof equations

Using the resultant to eliminate we obtain for each solution, where is as in Lemma 4.3. Due to choice of , we see that the bound of Lemma 3.2 applies, and since for every fixed there are at most values of we obtain

Recalling the definition of we obtain

and the result follows.    

6. Finding solutions to binomial equations

Consider the equation in for some . There exists a polynomial time (polynomial in ) probabilistic algorithm which finds all solutions of this equation, see, for example,[1, Theorem 7.3.1].

If the equation satisfies some additional restriction one can derandomize [1, Theorem 7.3.1]. Namely, let denote the index (discrete logarithm) of with respect to a fixed primitive root modulo , that is the unique integer with . Combining [2, Lemma 11] and [2, Corollary 40] we derive:

Lemma 6.1.

Let , then there exist constants with the following properties. For a prime and with , there exist an integer with and a deterministic algorithm such that for a given it finds all solutions of the equation satisfying in time . One can find and in time .

7. Number of interpolating polynomials

In this section we estimate the number of polynomials such that () for some pairwise distinct and arbitrary .

The following result is a special case of [18, Lemma 4.1].

Lemma 7.1.

Assume that for a fixed integer we have


Then for pairwise distinct and arbitrary the bound

holds, where the implied constant depends on .

Lemma 7.2.

Let . For any fixed there exist an integer and a constant such that for a prime and a positive integer with , for any pairwise distinct and arbitrary the number of monic polynomials of degree at most such that

is at most .


Choose such that the it satisfies (7.1) with .

For let , be the th Lagrange interpolation polynomial on the points , that is


Define , , as . Then has the form

for some .

Consider the rational function

If it is the zero function, then by (7.2), a contradiction. As both the numerator and the denominator have degree at most , it takes each value at most times. Thus, there are points , such that takes different values in these points.

For we have

for some . Then



For fixed , there are at most choices for by Lemma 7.1. As for each monic polynomials there are exactly non-monic polynomials with the same property, we obtain the result.    

Lemma 7.3.

Let . For any pairwise distinct , arbitrary and , there is at most one monic polynomial of degree at most such that


If and are two distinct polynomials with (7.3), then

vanishes on . As the degree of the nominator is at most , we have .    

Lemma 7.4.

Let . For any pairwise distinct , arbitrary and consider the matrices

for . If has rank , then has rank either for at most one or all choices of .


Consider the submatrices of which are not submatrices of . The determinant is either does not depend on , or a linear polynomial of it. If all such determinants are zero, then has rank independently of the choice of . Otherwise, there is only one value for such that the determinant of a submatrix vanishes.    

8. Proof of Theorem 2.2

First we note that there are absolute constants such that if the condition (2.1) is satisfied then for


we have and then under the conditions of Lemma 5.1 we have


for any rational function of degree at most , which is a nontrivial perfect power.

Now, since is a nontrivial perfect power Lemma 5.1 applies to . Hence taking as in (8.1), so the inequality (8.2) is satisfied, we see that querring and for , we have unless .

9. Proof of Theorem 2.3

Step 1.

Let and be as in Lemma 6.1

We call the oracle on the inputs and let for . Then we recover all the polynomials such that

If for some , then must be a zero of , thus it is enough to find all of degree at most such that . Thus we can assume, that

For all with , by the pigeonhole principle there are and with such that

Specially, , so there is a subset of size and such that for , that is,

To find , we just try all pairs .

By Lemma 6.1, we can extract all such that for .

Step 2.

In order to obtain candidates for , we consider the system of equations for the coefficients of


for some and fixed , where .

Now we proceed by induction on to obtain a full rank system of equations (9.1).

For we choose . As , (9.1) is nontrivilal for any choice of .

Next, assume that we have fixed the values for some such that the (9.1) has a full rank. In the following we choose the index and the value such that the system of equations (9.1) remains full rank.

We start with . If the system of equations (9.1) is singular independently of the choice of , we increase the index . Otherwise, we fix the value of . If (9.1) becomes singular with this choice, we also increase the index . Then we obtain either a full rank system of equations  (9.1), or , but (9.1) is singular. In the latter case the system of equations does not have solution by Lemma 7.3, so we terminate.

Finally, we terminate if we reach .

If we have a regular linear system of equations with , we solve it for and test whether for every .

When we terminate, we have fixed the values with . Let be the set of indices such that appears in (9.1), let be the set of indices such that is fixed, but the equation belongs to this index leads to a singular system of equations. Finally, let be the set of indices such that is not fixed. Then .

By Lemma 7.4, the value , , is uniquely determined by and . Thus for fixed , , there are at most choices for the tuples . We can choose in at most ways. Thus the running time of this step is .

Step 3. Let be the set of all possible polynomials obtained in the previous step and let as in Lemma 7.2. Let the output of the oracle for and put

By Lemma 7.2 we have . We can assume, that all of them are square-free. This reduction is done in time . Finally, we use the identity testing algorithm of Theorem 2.2 for the oracles and for all .

The running time of the first step is bounded by

of the second step is bounded by

and of the third step is bounded by

Replacing with and having , we obtain the result.


The authors are very grateful to Umberto Zannier for some clarifications concerning the results of [7].

The the research of M.K. was supported in part by DFG grants and the Hausdorff grant EXC’59-1, of L.M. was is supported by the Austrian Science Fund (FWF): Project I1751-N26, and of I.S. was supported in part by the Australian Research Council Grant DP170100786.


  • [1] E. Bach and J. Shallit, Algorithmic Number Theory, MIT Press, Cambridge, MA, 1996.
  • [2] J. Bourgain, M. Z. Garaev, S. V. Konyagin and I. E. Shparlinski, ‘On the hidden shifted power problem’, SIAM J. Comp., 41 (2012), 1524–1557.
  • [3] M.-C. Chang, ‘Sparsity of the intersection of polynomial images of an interval’, Acta Arith., 165 (2014), 243–249.
  • [4] M.-C. Chang, J. Cilleruelo, M. Z. Garaev, J. Hernández, I. E. Shparlinski and A. Zumalacárregui, ‘Points on curves in small boxes and applications’, Michigan Math. J. , 63 (2014), 503–534.
  • [5] J. Cilleruelo, M. Z. Garaev, A. Ostafe and I. E. Shparlinski, ‘On the concentration of points of polynomial maps and applications’, Math. Zeit., 272 (2012), 825–837.
  • [6] J. Cilleruelo, I. E. Shparlinski and A. Zumalacárregui, ‘Isomorphism classes of elliptic curves over a finite field in some thin families’, Math. Res. Letters, 19 (2012), 335–343.
  • [7] P. Corvaja and U. Zannier, ‘Greatest common divisors of , in positive characteristic and rational points on curves over finite fields’, J. Eur. Math. Soc. 15 (2013), 1927–1942.
  • [8] W. van Dam, ‘Quantum algorithms for weighing matrices and quadratic residues’, Algorithmica, 34 (2002), 413–428.
  • [9] W. van Dam, S. Hallgren and L. Ip, ‘Quantum algorithms for some hidden shift problems’, SIAM J. Comp., 6 (2006), 763–778.
  • [10] J. von zur Gathen and J. Gerhard, Modern computer algebra, Cambridge University Press, Cambridge, 2013.
  • [11] D. Gómez-Pérez and I. E. Shparlinski, ‘Subgroups generated by rational functions in finite fields’, Monat. Math., 176 (2015), 241–253.
  • [12] G. Ivanyos, M. Karpinski, M. Santha, N. Saxena and I. E. Shparlinski, ‘Polynomial interpolation and identity testing from high powers over finite fields’, Algorithmica, 80 (2018), 560–575.
  • [13] R. Lidl and H. Niederreiter, Finite Fields, Cambridge Univ. Press, Cambridge, 1997.
  • [14] A. Ostafe, Polynomial values in affine subspaces over finite fields, J. D’Analyse Math., (to appear).
  • [15] A. C. Russell and I. E. Shparlinski, ‘Classical and quantum algorithms for function reconstruction via character evaluation’, J. Compl., 20 (2004), 404–422.
  • [16] I. E. Shparlinski, ‘Products with variables from low-dimensional affine spaces and shifted power identity testing in finite fields’, J. Symb. Comp., 64 (2014), 35–41.
  • [17] I. E. Shparlinski, ‘Polynomial values in small subgroups of finite fields’, Revista Matem. Iber., 32 (2016), 1127–1136.
  • [18] I. V. Vyugin and I. D. Shkredov, ‘On additive shifts of multiplicative subgroups’, Mat. Sb. 203 (2012), no. 6, 81–100