Interactive Certificates for Polynomial Matrices with Sub-Linear Communication

07/03/2018
by   David Lucas, et al.

We develop and analyze new protocols to verify the correctness of various computations on matrices over F[x], where F is a field. The properties we verify concern an F[x]-module and therefore cannot simply rely on previously-developed linear algebra certificates which work only for vector spaces. Our protocols are interactive certificates, often randomized, and featuring a constant number of rounds of communication between the prover and verifier. We seek to minimize the communication cost so that the amount of data sent during the protocol is significantly smaller than the size of the result being verified, which can be useful when combining protocols or in some multi-party settings. The main tools we use are reductions to existing linear algebra certificates and a new protocol to verify that a given vector is in the F[x]-linear span of a given matrix.


1 Introduction

Increasingly, users or institutions with large computational needs are relying on untrusted sources of computational results, which could be remote (“cloud”) servers, unreliable hardware, or even just Monte Carlo randomized algorithms. The rising area of verifiable computing seeks to maintain the benefits in cost or speed of using such untrusted sources, without sacrificing accuracy. Generally speaking, the goal is to develop certificates for the correctness of some result, which can be verified much more efficiently than re-computing the result itself.

1.1 Interactive certificates

In this paper, we propose new interactive certificates for computations performed on univariate polynomial matrices; we refer to [Dumas and Kaltofen, 2014, Kaltofen et al., 2011, 2012] for definitions related to such certificates. Generically, we consider protocols where a Prover performs computations and provides additional data structures or exchanges to a Verifier, who will use these to check the validity of a result, at a cheaper cost than by recomputing it.

The general flow of an interactive certificate is as follows.

  1. The Prover first publishes a Commitment, which is the result of some computation.

  2. The Verifier then answers with a Challenge, usually consisting of some uniformly sampled random values.

  3. The Prover replies with a Response, used by the Verifier to ensure the validity of the commitment.

  4. In some cases, several additional rounds of Challenge/Response might be necessary for the Verifier to accept an answer.

These certificates can be simulated non-interactively in a single round following the Fiat-Shamir heuristic derandomization [Fiat and Shamir, 1987]: the random values produced by the Verifier are replaced by cryptographic hashes of the input and of the previous messages, and the Prover publishes at once both the Commitment and the Response to the derandomized Challenge.

There are several metrics to assess the efficiency of an interactive certificate, namely

Communication:

the volume of data exchanged throughout the protocol;

Verifier cost:

the worst-case number of arithmetic operations performed by the Verifier in the protocol, no matter what data was sent by the Prover;

Prover cost:

the number of arithmetic operations performed by an honest Prover, that is, one proving a statement which is actually true, without attempting to fool the Verifier.

Note that some data, namely the input and output to the original problem, are considered as public data and do not count towards the communication cost. This is to remove those parts which are somehow inherent in the problem itself, as well as to separate the functions of computing and verifying a result, which can be quite useful when verification protocols are combined, as we will see.

Such protocols are said to be complete if the probability that a true statement is rejected by the Verifier can be made arbitrarily small; they are said to be perfectly complete if true statements are never rejected. For simplicity’s sake, as all the protocols in this paper are perfectly complete, we will sometimes just describe them as complete. Similarly, a protocol is sound if the probability that a false statement is accepted by the Verifier can be made arbitrarily small. Note that all our protocols are probabilistically sound, which means the Verifier may be tricked into accepting a wrong answer. This is not an issue, as in practice this probability can be reduced by simply repeating the protocol with new randomness, or by computing over a larger field. As our protocols are perfectly complete, any single failure means that the Prover did something wrong; the Verifier is never to blame.

Several approaches to verified computation exist: generic approaches based on protocol check circuits [Goldwasser et al., 2008] or on homomorphic encryption [Costello et al., 2015]; approaches working for any protocol where the Prover uses specific operations, as [Kaltofen et al., 2011, Section 5] which certifies any protocol where matrix multiplications are performed. Another approach consists in designing problem-specific certificates, as for instance [Freivalds, 1979, Kaltofen et al., 2011, Dumas et al., 2017] on dense linear algebra and [Dumas and Kaltofen, 2014, Dumas et al., 2016] on sparse linear algebra.

1.2 Polynomial matrices

This paper concerns computations on matrices whose entries are univariate polynomials. While certification for matrices over fields and over integer rings has been studied over the past twenty years, there are only a few results on polynomial matrices [Giorgi and Neiger, 2018], and to the best of our knowledge, there are no certificates for most classical results on polynomial matrices.

Formally, a polynomial matrix is a matrix whose entries are univariate polynomials over a field . There is an isomorphism with matrix polynomials (univariate polynomials with matrices as coefficients) which we will sometimes use implicitly, such as when considering the evaluation of at a point .

Computations with polynomial matrices are of central importance in computer algebra and symbolic computation, and many efficient algorithms for polynomial matrix computations have been developed.

One general approach for computing with polynomial matrices is based on evaluation and interpolation. The basic idea is to first evaluate the polynomial matrix, say

at a set of points in the ground field, then to separately perform the desired computation on each over , and finally reconstruct the entries of the result using fast polynomial interpolation. This kind of approach works well for computations such as (nonsingular) system solving [Dixon, 1982], matrix multiplication [Bostan and Schost, 2005, Section 5.4], or determinant computation. These computations essentially concern the vector space in the sense that may as well be seen as a matrix over the fractions without impact on the results of the computations.

Other computational problems with polynomial matrices intrinsically concern -modules and thus cannot merely rely on evaluation and interpolation. Classic and important such examples are that of computing normal forms such as the Popov form and the Hermite form [Popov, 1972, Villard, 1996, Neiger et al., 2018] and that of computing modules of relations such as approximant bases [Beckermann and Labahn, 1994, Giorgi et al., 2003, Neiger and Vu, 2017]. The algorithms in this case must preserve the module structure attached to the matrix and thus deal with the actual polynomials in some way; in particular, an algorithm which works with evaluations of the matrix at points is oblivious of this module structure.

1.3 Our contributions

In this paper, after giving some preliminary material in section 2, we propose certificates for classical properties of polynomial matrices — singularity, rank, determinant and matrix product — with sub-linear communication space with respect to the input size (section 3). Those certificates are based on evaluating the considered matrices at random points, which allows us to reduce the communication space and to use existing certificates for matrices over fields. Then, in section 4 we give the main result of this paper, which is certifying that a given polynomial row vector is in the row space of a given polynomial matrix, which can either have full rank or be rank-deficient. Section 5 shows how to use this result to certify that for two given polynomial matrices and , the row space of is contained in the row space of ; and then gives certificates for some classical normal forms of polynomial matrices. In section 6, we present certificates related to saturations and kernels of polynomial matrices. Finally, section 7 gives a conclusion and comments on a few perspectives.

A summary of our contributions is given in table 1, based on the following notations: the input matrix has rank and size if it is square or if it can be rectangular; if there are several input matrices, then stands for the maximum of their ranks, for the maximum of their row dimensions, and for the maximum of their column dimensions. Where appropriate, is the maximum of the actual ranks of the matrices and the claimed rank by the prover. We write for the maximum degree of any input matrix or vector. Finally, stands for the cardinality of the finite subset from which we choose random evaluation points. The last column of the table specifies a lower bound on which is needed to ensure both perfect completeness of the protocol and soundness with probability at least . (Iterating any protocol improves the soundness probability exponentially.)

The Prover and Verifier costs are in arithmetic operations over the base field . We use for asymptotic cost bounds with hidden logarithmic factors, and is the exponent of matrix multiplication, so that the multiplication of two matrices over uses operations in ; see Section 2 for more details and references.

Protocol                     Prover cost   Comm.   Verifier cost   #S   Deter.
Singularity                                                             Yes
NonSingularity                                                          No
RankLowerBound                                                          No
RankUpperBound                                                          No
Rank                                                                    No
Determinant                                                             Yes
SystemSolve                  N/A           N/A                          0
MatMul                       N/A           N/A                          0
FullRankRowSpaceMembership                                              Yes
RowSpaceMembership                                                      No
RowSpaceSubset                                                          No
RowSpaceEquality                                                        No
RowBasis                                                                No
HermiteForm                                                             No
ShiftedPopovForm                                                        No
Saturated ()                                                            No
Saturated ()                                                            No
SaturationBasis                                                         No
UnimodularCompletable                                                   No
KernelBasis                                                             No

Table 1: This paper’s contributions

2 Preliminaries

Fields and rings.

We use to indicate an arbitrary field, for the ring of polynomials in one variable with coefficients in , and for the field of rational fractions, i.e., the fraction field of . The ring of matrices, for example over , is denoted by .

Asymptotic complexity bounds.

We use the “soft-oh” notation to represent big-oh hiding logarithmic factors. Specifically, for two cost functions , we say that if and only if for some constant .

We write for the exponent of matrix multiplication over , so that any two matrices can be multiplied using field operations; we have and one may take [Coppersmith and Winograd, 1990, Le Gall, 2014].

Cantor and Kaltofen [1991] have shown that multiplying two univariate polynomials of degree over any algebra uses additions, multiplications, and divisions in that algebra. In particular, multiplying two matrices in of degree at most uses operations in .

Schwartz-Zippel lemma.

Many of our protocols rely on the fact that when picking an element uniformly at random from a sufficiently large finite subset of the field, this element is unlikely to be a root of some given polynomial. This was stated formally in [Schwartz, 1980, Zippel, 1979, DeMillo and Lipton, 1978] and is customarily referred to as the Schwartz-Zippel lemma.

Specifically, it states that for any nonzero -variate polynomial with coefficients in a field , and any finite subset , if an evaluation point has entries chosen at random uniformly and independently from S, then the probability that is at most where is the total degree of .

Rational fractions.

For a rational fraction , define its denominator to be the unique monic polynomial of minimal degree such that . Correspondingly, define its numerator . Note that if and only if . More generally, for a matrix of rational fractions , define to be the unique monic polynomial of minimal degree such that , and again write this polynomial matrix as . Note that we have the identity .

Row space, kernel, and row basis.

For a given matrix , two basic sets associated to it are its row space

and its left kernel

Accordingly, a row basis of is a matrix in whose rows form a basis of the former set, where is the rank of , while a left kernel basis of is a matrix in whose rows form a basis of the latter set. We use similar notions and notations for column spaces and column bases, and for right kernels and right kernel bases. We will also often consider the -row space of , denoted by , which is an -vector space.

Matrices which preserve the row space under left-multiplication, that is, such that the -row space of is the same as that of , are said to be unimodular. They are characterized by the fact that their determinant is a nonzero constant; or equivalently that their inverse has polynomial entries.

Protocols.

In protocols, S is always a finite subset of the base field , which we use to sample field elements uniformly and independently at random. One may use if the field is finite. We denote by

the actions of drawing a field element uniformly at random from S and of drawing a vector of field elements uniformly and independently at random from S.

To ensure that they are perfectly complete, our protocols require lower bounds on the cardinality of this subset; when this bound exceeds the cardinality of then one may use a field extension, possibly causing an increase by a logarithmic factor in the Prover/Verifier/communication costs.

Besides, many of our analyses of protocols use the notation

for any polynomial matrix that appears in this protocol.

3 Vector space computations

In this section, we give some certificates to compute classical linear algebra properties on polynomial matrices. The certificates we present here all rely on the same general idea, which consists in picking a random point and evaluating the input polynomial matrix (or matrices) at that point. This allows us to achieve sub-linear communication space. Note that this technique has been used before by Kaltofen et al. [2011] to certify the same properties for integer matrices: in that setup, computations were performed modulo some prime number, while, in our context, this translates into evaluating polynomials at some element of the base field.

In several of our certificates, the Prover has to solve a linear system over the base field. For a linear system whose matrix is in and has rank , this can be done in operations in , see [Jeannerod et al., 2013, Algorithm 6].

The following lemma will be frequently used when analyzing protocols: it bounds the probability of picking a “bad” evaluation point.

Lemma 3.1.

Let with rank at least . For any finite subset and for a point chosen uniformly at random, the probability that is at most .

Proof.

Any minor of has degree at most , and at least one must be nonzero since . On the other hand, if and only if is a root of every such determinant. ∎

3.1 Certificates for the singularity of polynomial matrices

We start by certifying the singularity of a matrix. Here, the Verifier picks a random evaluation point and sends it to the Prover, who evaluates the input matrix at that point and sends back a nontrivial kernel vector, which the Prover will always be able to compute since a singular polynomial matrix is still singular when evaluated at any point. Then, all the Verifier needs to do is to check that the vector received is indeed a kernel vector. Note that the evaluation trick here is really what allows us to have a sub-linear — with respect to the input size — communication space, as the answer the Prover provides to the challenge is a vector over the base field, and not over the polynomials.

Protocol 1 Singularity

Public:

Certifies: is singular

Prover Verifier
1.
2. Find s.t.
3.

In the next theorem, and for the remainder of the section, for convenience we write .

Theorem 3.2.

Protocol 1 is a complete and probabilistically sound interactive protocol which requires communication and Verifier cost . The probability that the Verifier incorrectly accepts is at most . If is singular, there is an algorithm for the Prover which costs .

Proof.

If is singular, must also be singular and there exists a nontrivial nullspace vector that the Verifier will accept.

If is nonsingular, then the Prover will be able to cheat if the Verifier picked an such that is singular which happens only with probability according to lemma 3.1.

Now, for the complexities: the Prover will have to evaluate at , which costs and to find a nullspace vector over the base field, which costs , hence the Prover cost. The Verifier computes the evaluation and a vector-matrix product over , for a total cost of operations. Finally, a vector over and a scalar are communicated, which yields a communication cost of

We now present a certificate for nonsingularity. This relies on the same evaluation-based approach, with one variation: here, we let the Prover provide the evaluation point. Indeed, if the Verifier picked a random point, they could choose an “unlucky” point for which a nonsingular matrix evaluates to a singular one, and in that case the protocol would be incomplete, as the Prover would not be able to convince the Verifier of nonsingularity. Instead, we let the Prover pick the point, since they have the computational power to find a suitable one (the first step of Protocol 2, NonSingularity). Once this value is committed to the Verifier, the remaining steps of Protocol 2 use the certificate for nonsingularity over a field due to Dumas and Kaltofen [2014, Theorem 3].

Protocol 2 NonSingularity

Public:

Certifies: is nonsingular

Prover Verifier
1. Find s.t.
2.
3. Find s.t.
4.

Theorem 3.3.

Protocol 2 is a probabilistically sound interactive protocol and is complete assuming that It requires communication and Verifier cost . The probability that the Verifier incorrectly accepts is at most . There is a deterministic algorithm for the Prover with cost .

Proof.

If is nonsingular, then, as the field is large enough, there exists an for which the rank of does not drop, and as the remaining steps of Protocol 2 form a complete certificate, NonSingularity is complete.

If is singular, it is not possible to find an such that is nonsingular. This means the Prover successfully cheats if they manage to convince the Verifier that is nonsingular, which only happens with probability  [Dumas and Kaltofen, 2014, Theorem 3], hence the soundness of NonSingularity.

Now, for the complexities: the Prover needs to find a suitable . The Prover first computes the using the deterministic algorithm of Labahn et al. [2017, Theorem 1.1] in time. Then, using fast multipoint evaluation, the determinant is evaluated at points from S in time  [von zur Gathen and Gerhard, 2003, Corollary 10.8]; since , at least one evaluation will be nonzero. Computing this determinant dominates the later cost for the Prover to evaluate and solve a linear system over the base field, hence a total cost of .

The Verifier needs to evaluate at and to perform a matrix-vector multiplication over the base field, hence a cost of . Finally, total communications are two vectors of size over the base field and a scalar, hence the cost of . ∎
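As an added illustration (this is not code from the paper), the following Python implements Protocol 1, Protocol 2 and the empirical content of Lemma 3.1 over a small prime field. It assumes that S is the whole field F_101, stores a polynomial matrix as the list of its coefficient matrices, and uses plain Gaussian elimination for the Prover's kernel-vector and linear-system computations. `singularity_protocol` accepts a caller-supplied challenge so that both the unlucky-point case of Theorem 3.2 and a Fiat-Shamir style derandomized challenge (a hash of the public input, as in Section 1.1) can be exercised. The matrices `A` and `B` are constructed examples.

```python
"""Constructed example (not the paper's code): Lemma 3.1 and Protocols 1 and 2
over the prime field F_p.  A polynomial matrix A(x) = A_0 + A_1 x + ... + A_d x^d
is stored as the list [A_0, ..., A_d] of coefficient matrices (rows of ints mod p)."""
import hashlib
import random

P = 101  # constructed choice: the set S is the whole field F_101

def evaluate(A, alpha, p=P):
    """A(alpha) by Horner's rule: the Verifier's main cost in both protocols."""
    n, m = len(A[0]), len(A[0][0])
    M = [[0] * m for _ in range(n)]
    for coeff in reversed(A):
        M = [[(M[i][j] * alpha + coeff[i][j]) % p for j in range(m)] for i in range(n)]
    return M

def rref(M, p=P):
    """Reduced row echelon form mod p; returns (R, pivot_columns)."""
    R = [row[:] for row in M]
    rows, cols, pivots, r = len(R), len(R[0]), [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if R[i][c]), None)
        if piv is None:
            continue
        R[r], R[piv] = R[piv], R[r]
        inv = pow(R[r][c], -1, p)
        R[r] = [(v * inv) % p for v in R[r]]
        for i in range(rows):
            if i != r and R[i][c]:
                R[i] = [(a - R[i][c] * b) % p for a, b in zip(R[i], R[r])]
        pivots.append(c)
        r += 1
    return R, pivots

def rank(M, p=P):
    return len(rref(M, p)[1])

def right_kernel_vector(M, p=P):
    """A nonzero v with M v = 0 mod p, or None if M has full column rank."""
    R, pivots = rref(M, p)
    free = [c for c in range(len(M[0])) if c not in pivots]
    if not free:
        return None
    v = [0] * len(M[0])
    v[free[0]] = 1                       # one free column set to 1,
    for i, c in enumerate(pivots):       # pivot entries solved accordingly
        v[c] = (-R[i][free[0]]) % p
    return v

def solve(M, b, p=P):
    """w with M w = b for square nonsingular M (elimination on [M | b])."""
    R, pivots = rref([row + [bi] for row, bi in zip(M, b)], p)
    n = len(M)
    assert pivots == list(range(n)), "M must be nonsingular"
    return [R[i][n] for i in range(n)]

def matvec(M, v, p=P):
    return [sum(a * x for a, x in zip(row, v)) % p for row in M]

def singularity_protocol(A, alpha=None, p=P, rng=random):
    """Protocol 1.  Verifier: alpha <- S.  Prover: v with A(alpha) v = 0.
    Verifier: accept iff v != 0 and A(alpha) v = 0.  A given alpha fixes the
    challenge (e.g. a Fiat-Shamir hash); None lets the Verifier sample it."""
    if alpha is None:
        alpha = rng.randrange(p)
    v = right_kernel_vector(evaluate(A, alpha, p), p)   # Prover's work
    if v is None:                                        # honest Prover cannot answer
        return False
    return any(v) and not any(matvec(evaluate(A, alpha, p), v, p))

def fiat_shamir_challenge(A, p=P):
    """Derandomized challenge: a hash of the public input stands in for alpha
    (the bias of reducing a 256-bit hash mod 101 is negligible)."""
    return int.from_bytes(hashlib.sha256(repr(A).encode()).digest(), "big") % p

def nonsingularity_protocol(A, p=P, rng=random):
    """Protocol 2.  Prover commits alpha with det A(alpha) != 0; Verifier
    challenges with b <- S^n; Prover returns w = A(alpha)^{-1} b; Verifier
    accepts iff A(alpha) w = b (Dumas-Kaltofen nonsingularity certificate)."""
    n = len(A[0])
    alpha = next((a for a in range(p) if rank(evaluate(A, a, p), p) == n), None)
    if alpha is None:                     # A singular: no honest commitment exists
        return False
    b = [rng.randrange(p) for _ in range(n)]
    w = solve(evaluate(A, alpha, p), b, p)
    return matvec(evaluate(A, alpha, p), w, p) == b

def bad_point_fraction(A, p=P):
    """Lemma 3.1 check: fraction of alpha in F_p at which rank A(alpha) drops
    below the generic rank r; the lemma bounds it by r * deg(A) / |S|."""
    ranks = [rank(evaluate(A, a, p), p) for a in range(p)]
    r = max(ranks)                        # generic rank (p is large enough here)
    return sum(1 for rk in ranks if rk < r) / p, r

# Constructed inputs: A(x) = [[1+x, 2], [3, x]] has det (x+3)(x-2), so it is
# nonsingular over F[x] but singular at alpha = 2 and alpha = 98 (= -3 mod 101);
# B(x) = [[x, x^2], [1, x]] has determinant zero, so every B(alpha) is singular.
A = [[[1, 2], [3, 0]], [[1, 0], [0, 1]]]
B = [[[0, 0], [1, 0]], [[1, 0], [0, 1]], [[0, 1], [0, 0]]]
```

Calling `singularity_protocol(A, alpha=2)` reproduces the soundness gap of Theorem 3.2: A is nonsingular, yet A(2) is singular and the Verifier accepts a kernel vector. Over F_101 only 2 of the 101 points are unlucky, within the bound of Lemma 3.1, and `bad_point_fraction(A)` counts them; `nonsingularity_protocol(B)` returns False because no commitment exists for a singular matrix, which is the completeness argument of Theorem 3.3 seen from the other side.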

3.2 Certificates for the rank of polynomial matrices

From the certificate for nonsingularity, we can immediately infer one for a lower bound on the rank: the Prover commits a set of indices which locate a submatrix which is nonsingular, and then the certificate for nonsingularity is run on this submatrix.

Protocol 3 RankLowerBound

Public: ,

Certifies:

Prover Verifier
1. Find , two sets of size such that is nonsingular
2. ,
3.

Use NonSingularity()

Theorem 3.4.

Let be the actual rank of . Protocol 3 is a probabilistically sound interactive protocol and is complete assuming in its subprotocol. It requires communication and Verifier cost . If is indeed a lower bound on the rank of , then there is a Las Vegas randomized algorithm for the Prover with expected cost . Otherwise, the probability that the Verifier incorrectly accepts is at most .

Proof.

If is indeed a lower bound on the rank of , there exist two sets and of size such that is nonsingular, and since NonSingularity is complete, so is this certificate. Note that the completeness of the subcertificate is ensured only if .

If is not a lower bound on the rank of , meaning , then the Prover will not be able to find suitable and and hence the sets provided by a cheating Prover yield a singular submatrix . Now, if the Prover provided sets which do not contain elements or which contain elements outside the allowed dimension bounds, this will always be detected by the Verifier. If the Prover provided sets with enough elements, the Verifier incorrectly accepts with the same probability as in NonSingularity, which is .

Regarding the complexities, the Prover has to find a nonsingular submatrix of an degree matrix. This can be achieved by first computing the rank using a Las Vegas randomized algorithm [Storjohann and Villard, 2005] which runs in , with the actual rank of , and then picking a random evaluation point and random sets and and checking that those sets still index linearly independent elements over the base field using Jeannerod et al. [2013]. Because , running the subprotocol NonSingularity on a matrix does not dominate the complexity, and the total Prover cost is . From theorem 3.3, the Verifier cost is . Finally, here two sets of integers are transmitted, which with the communications in NonSingularity adds up to a communication cost of . ∎

Now, we give a certificate for an upper bound on the rank. Note that the last two steps of Protocol 4 come from the certificate for an upper bound on the rank for matrices over a field [see Dumas and Kaltofen, 2014, Theorem 4]. In this protocol, we use the notation to refer to the Hamming weight: means that the vector has at most nonzero entries.

Protocol 4 RankUpperBound

Public: ,

Certifies:

Prover Verifier
1.
2. Find such that and
3.

Theorem 3.5.

Let be the actual rank of . Then, Protocol 4 is a complete and probabilistically sound interactive protocol which requires communication and Verifier cost . If is indeed an upper bound on the rank of , then there is a Las Vegas randomized algorithm for the Prover with expected cost . Otherwise, the probability that the Verifier incorrectly accepts is at most .

Proof.

If is indeed an upper bound on the rank of , then, whichever evaluation point the Verifier picked, will be an upper bound on the rank of and, as the certificate from [Dumas and Kaltofen, 2014, Theorem 4] is complete, this certificate is complete.

If is not an upper bound on the rank of , there are two possibilities of failure. Either the Verifier picked an evaluation point for which the rank of drops, which happens with probability at most by Lemma 3.1; or the Prover managed to cheat during the execution of the remaining steps of Protocol 4, which happens with probability at most [Dumas and Kaltofen, 2014, Theorem 4]. Then, the union bound gives a total probability of for the Verifier to accept a wrong answer.

The Prover has to evaluate the matrix at for a cost of , and to find at most linearly independent rows of the matrix over the base field, which costs , hence a total cost of . The Verifier has to evaluate the matrix at and to perform two matrix-vector products over the base field, which yields a cost of . The communication cost is the one of sending a scalar and two vectors of size over the base field, that is, . ∎

From those two certificates, one can immediately infer a certificate for the rank.

Protocol 5 Rank

Public: ,

Certifies:

Prover Verifier
1.

Use RankLowerBound()
2.

Use RankUpperBound()

Corollary 3.6.

Let be the actual rank of . Protocol 5 is a probabilistically sound interactive protocol and is complete assuming in its subprotocol. It requires communication and Verifier cost . If is indeed the rank of , then there is a Las Vegas randomized algorithm for the Prover with expected cost . Otherwise, the probability that the Verifier incorrectly accepts is at most .

3.3 Determinant of polynomial matrices

We follow with a certificate for the determinant of a polynomial matrix. The trick is still the same: the Verifier checks the degree of the provided determinant in order to ensure it is suitable, and then a random evaluation point is sampled and the actual verification occurs on the evaluated input. There are two choices available for the certificate to use over the base field: either Dumas et al. [2016, Section 2], which runs in a constant number of rounds but requires a minimum field size of , or Dumas et al. [2017, Section 4.1], which runs in rounds but only requires a minimum field size of . Whichever certificate is chosen, this has no impact on the asymptotic complexities, which are the same for both, nor on completeness, as both are complete.

Protocol 6 Determinant

Public:

Certifies:

Prover Verifier
1.
2.

Use FieldDeterminant()

Theorem 3.7.

Protocol 6 is a complete and probabilistically sound interactive protocol which requires communication and Verifier cost . If is indeed the determinant of , there is an algorithm for the Prover which costs . Otherwise, the probability that the Verifier incorrectly accepts is at most .

Proof.

For the sake of the proof, write as the actual determinant of .

If and therefore , then it must be the case that . Then, as FieldDeterminant is complete, the final check will hold.

If and therefore , there are two possibilities of failure. Either the Verifier picked an such that , in which case the checks from FieldDeterminant will always pass; this is the case if is a root of , which, by the Schwartz-Zippel lemma, happens with probability . Or the Verifier picked an which is not a root of , which means they will accept as the determinant with the probability of failure of FieldDeterminant, . Overall, the probability that the Verifier accepts a wrong statement is at most by the union bound.

The Prover has to evaluate the matrix at and to compute a determinant over the base field, hence the cost of , the Verifier has to evaluate at , which yields a cost of and the communication cost is the one of FieldDeterminant, . ∎

3.4 Certificates based on matrix multiplication

Finally, we propose some certificates related to matrix multiplication. While they are once again based on evaluation techniques, unlike the previous certificates, the ones given here are non-interactive and thus have no Prover or communication cost. We first give a certificate for linear system solving:

Protocol 7 SystemSolve

Public:

Certifies:

Prover Verifier
1.

Theorem 3.8.

Let be an upper bound on the degree of , , , and . Then, Protocol 7 is a complete and probabilistically sound non-interactive protocol which has Verifier cost . The probability that the Verifier incorrectly accepts is at most .

Proof.

If , then the same holds when evaluating at which leads to the completeness of this certificate.

Otherwise, we have for some nonzero polynomial vector . If the Prover manages to cheat, it means the Verifier picked an which is a root of every entry of . The probability of this event is at most the probability of being a root of one nonzero entry of . Now, let be a nonzero element of . Its degree must be at least one, for the Verifier to be tricked, and can be at most . Then, by the Schwartz-Zippel lemma, the Verifier picked an such that with probability at most .

The dominating step in the Verifier’s checks is evaluating at , which costs using Horner’s rule. ∎

Similarly, we propose a certificate for matrix multiplication following an approach from [Freivalds, 1979].

Protocol 8 MatMul

Public:

Certifies:

Prover Verifier
1.

Theorem 3.9.

Let and similarly for . Protocol 8 is a complete and probabilistically sound non-interactive protocol which has Verifier cost . The probability that the Verifier incorrectly accepts is at most .

Proof.

Let be the actual result of , and denote by the matrix . Note that the value computed on the left hand side on the final check by the Verifier is exactly .

If , then and whichever evaluation point the Verifier picks, will always be . The degree bound checked initially by the Verifier is also valid whenever , hence this certificate is complete.

If , then is a nonzero matrix with degree at most . There are two events that would lead to the Verifier accepting a wrong answer. Either the Verifier picked an evaluation point which cancels every entry of , which is at most as likely as being a root of a single nonzero entry, namely by the Schwartz-Zippel lemma, and in that case, whichever verification vector is picked afterwards, the Verifier will always accept; or the Verifier picked an evaluation point for which but then picked an unlucky verification vector in the right kernel of , which happens with probability by Freivalds [1979]. The union bound of these two events gives the stated probability that the Verifier incorrectly accepts.

The cost for the Verifier comes from evaluating all three matrices at using Horner’s rule and then performing three matrix-vector products over the base field. ∎
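The two non-interactive checks of this subsection, Protocol 7 (SystemSolve) and Protocol 8 (MatMul), as an added example that is not the paper's code. It assumes the prime field F_101 for S, the same coefficient-list representation of polynomial matrices, and vectors stored as n-by-1 polynomial matrices; both verifier functions take an optional fixed evaluation point (and, for MatMul, a fixed verification vector) so that the unlucky-point failure mode analysed in the proofs can be reproduced deterministically. All inputs are constructed.

```python
"""Constructed example (not the paper's code): the non-interactive checks of
Protocols 7 and 8 over F_p.  A polynomial matrix C(x) = sum C_i x^i is the list
[C_0, ..., C_d] of its coefficient matrices; vectors are n x 1 matrices."""
import random

P = 101  # constructed choice of prime field

def evaluate(A, alpha, p=P):
    """A(alpha) by Horner's rule, the Verifier's dominant cost in both checks."""
    n, m = len(A[0]), len(A[0][0])
    M = [[0] * m for _ in range(n)]
    for coeff in reversed(A):
        M = [[(M[i][j] * alpha + coeff[i][j]) % p for j in range(m)] for i in range(n)]
    return M

def matmul(M, N, p=P):
    return [[sum(M[i][k] * N[k][j] for k in range(len(N))) % p
             for j in range(len(N[0]))] for i in range(len(M))]

def degree(A):
    """Degree of a polynomial matrix (highest index with a nonzero coefficient)."""
    return max((i for i, c in enumerate(A) if any(any(r) for r in c)), default=-1)

def verify_system_solve(A, b, x, alpha=None, p=P, rng=random):
    """Protocol 7: accept the claimed solution x of A x = b iff
    A(alpha) x(alpha) = b(alpha) at one random point alpha.  Only a wrong x
    whose residual A x - b vanishes at alpha slips through (Schwartz-Zippel)."""
    if alpha is None:
        alpha = rng.randrange(p)
    return matmul(evaluate(A, alpha, p), evaluate(x, alpha, p), p) == evaluate(b, alpha, p)

def verify_matmul(A, B, C, alpha=None, v=None, p=P, rng=random):
    """Protocol 8: Freivalds-style check that C = A B.  First the degree bound
    deg C <= deg A + deg B, then A(alpha) (B(alpha) v) = C(alpha) v for a random
    alpha and a random vector v, so only matrix-vector products are needed."""
    if degree(C) > degree(A) + degree(B):
        return False
    if alpha is None:
        alpha = rng.randrange(p)
    if v is None:
        v = [[rng.randrange(p)] for _ in range(len(B[0][0]))]
    Ae, Be, Ce = (evaluate(M, alpha, p) for M in (A, B, C))
    return matmul(Ae, matmul(Be, v, p), p) == matmul(Ce, v, p)

# Constructed inputs over F_101:
#   A(x) = [[1+x, 2], [3, x]],  B(x) = [[x, 1], [0, 1]],
#   C(x) = A(x) B(x) = [[x + x^2, 3 + x], [3x, 3 + x]],
#   C_BAD = C + (x - 5) E_00, which agrees with A B only at x = 5.
A = [[[1, 2], [3, 0]], [[1, 0], [0, 1]]]
B = [[[0, 1], [0, 1]], [[1, 0], [0, 0]]]
C = [[[0, 3], [0, 3]], [[1, 1], [3, 1]], [[1, 0], [0, 0]]]
C_BAD = [[[96, 3], [0, 3]], [[2, 1], [3, 1]], [[1, 0], [0, 0]]]
# A x = b with x = (1, x)^T, so b = (1 + 3x, 3 + x^2)^T; the wrong claim
# X_BAD = (1, 1)^T satisfies A X_BAD = b only at x = 1.
X = [[[1], [0]], [[0], [1]]]
BVEC = [[[1], [3]], [[3], [0]], [[0], [1]]]
X_BAD = [[[1], [1]]]
```

With `C_BAD`, the residual A B - C_BAD is (x - 5) E_00, so `verify_matmul(A, B, C_BAD, alpha=5, v=...)` accepts for every verification vector, exactly the first failure event of Theorem 3.9, while any other point rejects unless v happens to lie in the right kernel of the residual. The degree check is what keeps a Prover from hiding a high-degree discrepancy that a single evaluation could miss, and `verify_system_solve(A, BVEC, X_BAD, alpha=1)` shows the analogous unlucky point for Protocol 7.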

Verifying a matrix inverse is a straightforward application of the previous protocol.

Corollary 3.10.

For and , there exists a non-interactive protocol which certifies that is the inverse of in Verifier cost , where . If , the probability that the Verifier incorrectly accepts is at most .

4 Row space membership

In this section we present the main tool for verification problems that are essentially about -modules, which is to determine whether a given row vector is in the -linear row span of a given matrix .

The approach is in two steps. First, FullRankRowSpaceMembership shows how to solve the problem in case has full row rank. Then, in RowSpaceMembership, we extend this to the general setting by means of two calls to the full row rank case.

4.1 Full row rank case

Protocol 9 FullRankRowSpaceMembership

Public: with full row rank,

Certifies:

Prover Verifier
1.
2.
3.
4.
5.

In order to prove the soundness of this protocol, we start with a few simple lemmas. The first is a standard extension of the soundness proof of Freivalds’ algorithm [1979].

Lemma 4.1.

Let be an arbitrary matrix with at least one nonzero entry. If and has its entries chosen uniformly at random from S, then .

Proof.

Consider each of the entries of as an indeterminate. Because is not zero, has at least one nonzero entry, which is a nonzero polynomial in variables with total degree 1. Then a trivial application of the Schwartz-Zippel lemma gives the stated result. ∎

Lemma 4.2.

Let be a rational function vector with , and . For a vector of scalars chosen uniformly at random, the probability that their inner product is a polynomial, i.e., that , is at most .

Proof.

Write and . By the condition of the lemma we know that . We see that the inner product of and is a polynomial if and only if the inner product of and is divisible by .

Now let be any irreducible factor of , and consider the inner product over the extension field . Because , we know that is not zero; otherwise the degree of the denominator is not minimal.

Then, since , the stated bound follows from lemma 4.1. ∎

The final ingredient in our full row space membership algorithm is a subroutine the Prover may use to actually compute the solution to the linear system, shown in algorithm 1. It will also be used in the non-full-rank protocol presented in the next section.

Input:
Output: Either LOW_RANK, NO_SOLUTION, or a vector such that
  column rank profile of
  if  then return LOW_RANK
  columns  from
  columns  from
  if  then return NO_SOLUTION
  return
Algorithm 1 Rational linear solving with full row rank

To simplify the cost bounds, for the remainder of this section we write and .

Lemma 4.3.

Algorithm 1 has worst-case cost bound . If , then LOW_RANK is returned. Otherwise, if , then the unique rational solution to is returned.

Proof.

[Zhou, 2012, Chapter 11] presents a deterministic algorithm to compute the column rank profile on algorithm 1 using field operations. This guarantees that LOW_RANK is returned whenever does not have full row rank.

Now assume that . Then is nonsingular, and [Gupta et al., 2012] showed how to de-randomize the high-order lifting technique in order to solve the rational linear system on algorithm 1 deterministically using operations. Let be the rational solution to computed on algorithm 1.

Assume that there exists some rational solution such that . Then also. But because is nonsingular, the solution is unique; hence and . ∎

Finally, we present the main result of this subsection.

Theorem 4.4.

Protocol 9 is a complete and probabilistically sound interactive protocol which requires communication and with Verifier cost . If and , there is a deterministic algorithm for the Prover with cost . Otherwise, the probability that the Verifier incorrectly accepts is at most .

Proof.

If is the zero vector, then the protocol easily succeeds when the Prover sends all zeros for and . And if , the implication being verified is vacuously true. So assume for the remainder of the proof that is nonzero and has full row rank .

The degree check by the Verifier assures that contains at most field elements, bringing the total communication over Protocols 9 to 9 to at most field elements.

The work of the Verifier is dominated by computing the evaluations and on the last step. Using Horner's rule the total cost for these is , as claimed.

We now divide the proof into three cases, depending on whether is in the polynomial row span of (as checked by the protocol), the rational row span of , or neither.

Case 1: .

Here we want to prove that an honest Prover and Verifier succeed with costs as stated in the theorem.

The vector as defined in Protocol 9 must exist by the definition of , and computing can be completed by the Verifier according to lemma 4.3 in the stated cost bound.

If the computations of and are performed correctly by the Prover on Protocol 9, then the Verifier’s checks on Protocol 9 will succeed for any choice of .

This proves the completeness of the protocol.

Case 2: .

In this case, the assertion of the protocol is false, and we want to show probabilistic soundness.

Let be the random vector chosen by the Verifier on Protocol 9. By the assumption of this case, there is a unique rational solution with , and lemma 4.2 tells us the probability that is a polynomial is at most . If is not a polynomial, then is a nonzero rational function with numerator degree at most

(4.1)

From lemma 3.1, the probability that is singular is at most . Otherwise, the vector is the unique solution to , so the Prover is obliged to send this on Protocol 9.

If the Verifier incorrectly accepts, we must have , which means that . The degree bound in (4.1) gives an upper bound on the number of which could satisfy this equation.

Therefore the Verifier accepts only when either , or is singular, or is a root of , which by the union bound has probability at most , as stated.

Case 3: .

Again, the assertion of the protocol is false, and our goal is to prove probabilistic soundness. As with the last case, assume by way of contradiction that the Verifier accepts.

Consider the augmented system

By the assumption of this case, . But the solution vector provided to solve on the last step corresponds to a nonzero vector in the left kernel of , which therefore has rank at most .

The proof of lemma 3.1 shows that the probability that is at most . ∎

4.2 Arbitrary rank case

Now we move to the general case that .

The idea of the protocol is inspired by Mulders and Storjohann [2004]. Consider a matrix such that has full row rank and therefore the same rational row span as . Then there is a unique rational vector such that . If , the verification is already complete.

But even when has nontrivial denominator, this approach can still be used for verification by considering multiple such matrices and rational solutions . In fact, the greatest common divisor of all such rational solutions is 1 if and only if , as we show in the next lemma.

Lemma 4.5.

Let with , , , and , such that, for every , we have:

  • ; and

  • .

If , then .

Proof.

Let be the set . We see that is an ideal in .

For each , there exists a polynomial vector such that . Then is also a polynomial vector, which shows that each .

Because is a principal ideal domain, also, and therefore . By the definition of , this means that . ∎

Before giving the full protocol for row membership, we first present a sub-protocol in CoPrime to confirm that the greatest common divisor of a set of polynomials is 1.

Protocol 10 CoPrime

Public:

Certifies:

Prover Verifier
1.