Noisy polynomial interpolation modulo prime powers

06/10/2020 ∙ by Marek Karpinski, et al. ∙ UNSW University of Bonn 0

We consider the noisy polynomial interpolation problem of recovering an unknown s-sparse polynomial f(X) over the ring ℤ_p^k of residues modulo p^k, where p is a small prime and k is a large integer parameter, from approximate values of the residues of f(t) ∈ℤ_p^k. Similar results are known for residues modulo a large prime p, however the case of prime power modulus p^k, with small p and large k, is new and requires different techniques. We give a deterministic polynomials time algorithm, which for almost given more than a half bits of f(t) for sufficiently many randomly chosen points t ∈ℤ_p^k^*, recovers f(X).



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

There is a long history and very extensive literature dedicated to algorithms on polynomials in finite fields, see, for example [12]. More recently, there was also increasing interest to algorithms for polynomials over residue rings, especially in residue rings modulo prime powers, see [5, 9, 10, 13, 17, 19, 31] and references therein. Here we continue this directions and consider the noisy polynomial interpolation problem modulo prime powers which is analogue to the same problem in finite fields [28, 30], which in turn is an extension of the  hidden number problem of Boneh and Venkatesan [2, 3].

To be more precise, for an integer we denore by the residue ring modulo an integer , and by the group of units of .

Then the noisy polynomial interpolation problem is the problem of finding an unknown -sparse polynomial


with monomials of degrees from approximations to the values of (treated as integers from the set ) at polynomially many points selected uniformly at random.

Several problems of this type are related to the so-called hidden number problem introduced by Boneh and Venkatesan [2, 3], which corresponds to a linear polynomial with unknown , and have already been studied intensively due to their cryptographic relevance, see the survey [29]. For sparse polynomials this problem has been studied in [28, 30], for some recent modifications motivated by cryptographic applications, see [11].

More precisely for integers and we denote by the remainder of on division by .

Furthermore. for integers , and a real we denote by any integer such that


Roughly speaking, gives most significant bits of the remainder on division of by . However, this definition is more flexible and suits better our purposes. In particular we remark that in the inequality (1.2) is not necessary an integer.

The sparse polynomial noisy interpolation problem is the problem of finding a polynomial of the form (1.1) with known exponents and unknown coefficients . from approximate values of at polynomially many points selected uniformly at random. We remark that we always assume that the exponents are positive since if is not very small, it is impossible to distinguish between and .

Here we are interested in the setting where the modulus is a large power of a fixed prime, for example , while previous works [2, 3, 11, 28, 29, 30], address the case when is a large prime. In the case of , we use the ideas of [28, 30] combined with new number theoretic tools, coming from [27], and give a polynomial time algorithm provided that for each a little bit more than a half of bits of is given.

We note that algorithm itself is deterministic, and the only randomness is in the choice of the points evaluation points , while the consecutive computation is deterministic.

2. Our results

Throughout the paper, the implied constants in the symbols ‘’, ‘’ and ‘’ may occasionally, where obvious, depend on the degrees of the polynomials involved and on the real parameter and are absolute, otherwise. We recall that the notations , and are all equivalent to the assertion that the inequality holds for some constant on the prime .

It is also convenient to define as the binary logarithm of real .

We always assume that

is the bit length of the modulus .

Our result depends on the -divisibility of the following determinant, formed by binomial coefficients

Finally, for an integer we denote by the -adic order of , that is, the largest integer with and by

the -adic valuation of .

Theorem 2.1.

Let be a sufficiently large -bit power of a fixed prime and let be a fixed integer. Assume that for the integers and real we have


for some fixed . Then there exists a deterministic polynomial time algorithm such that for any polynomial of the form (1.1), given integers



its output satisfies

if are chosen uniformly and independently at random from .

Analysing the proof of Theorem 2.1 one easily see that the value of can be reduced a little bit and in fact any value is suitable.

3. Congruences with sparse polynomials

For a polynomial in a residue ring modulo , and integers and , we denote by the numbber of solutions to the congruence


A natural and powerful tool to estimate

is given by bounds on exponential sums


In fact a bound on such sums for a sparse polynomial as in (1.1) has been given in [27, Theorem 1], which however requires that the is bounded (independently of ) and thus makes it is very restrictive for our applications. Bourgain [4] has given different versions of this result and relaxed the condition of however the corresponding bounds are weaker.

Here exploit the fact that the results and method of [27] allow us to obtain a bound on which depends on -divisibility of (which controls -adic properties of the differences between exponents ) rather than on .

First we need a slightly modified and explicit version of a result from [27].

Lemma 3.1.

Let be a power of a fixed prime and let

be a polynomial such that




We essentially follow the proof of [27, Lemma 5] and trace the dependence on . In particular, as in [27] we fix some and define and define the integer by the inequalities

Let us also define the following differential operators

Finally, let

By [27, Lemma 52], the inequality

holds, provided .

Then by [27, Equation (6)] we have



We can certainly assume that is large enough (in terms of ) and thus we are in the case of the proof of [27, Lemma 5]. In this case, by [27, Equation (8)], we have

provided that is fixed. We now trace the dependence on , which is explicit in the proof of [27, Lemma 5] till the very last step.

More precisely, it is shown in the proof of [27, Lemma 5] that for we have

Hence we see from (3.2) that the total contribution to the bound on from all such values of , which we denote by , is at most


Furthermore, in the case when it is shown in the proof of [27, Lemma 5] that for some constant which depends only on and (and thus only on and )

and also that the exponent satisfies the inequality

Hence we see from (3.2) that the total contribution to the bound on from all such values of , which we denote by , is at most


Combining (3.3) and (3.4) we see from (3.2) that

Since is arbitrary, this implies that

as . Clearly this bound is only nontrivial for , in which case the second term always dominates and the desired bound follows.    

Combining Lemma 3.1 with the classical Erdős–Turán inequality (see, for example, [8, Theorem 1.21]) , which links the irregularity of distribution of sequences to exponential sums, we immediately derive that is close to its expected value

where is the Euler function. More precisely, we recall that the discrepancy of a sequence in is defined as

where denotes the cardinality of (if it is finite), see [8] for background.

By the classical Erdős–Turán inequality (see, for instance, [8, Theorem 1.21]) we have.

Lemma 3.2.

Let , , be a sequence in . Then for any , we have

We now interpret the congruence (3.1) as a condition on the fractional parts to fall in a certain interval of a unit torus of length . This immediately implies the desired result.

Lemma 3.3.

Let be a power of a fixed prime and let

be a polynomial such that



Finally, it is convenient to have an upper bound on for polynomials with non-necessary co-prime with coefficients. Namely if for as in Lemma 3.3 we have

then provided we have

Corollary 3.4.

Let be a power of a fixed prime and let

be a polynomial such that



Note that in Corollary 3.4 we have abandoned the condition which is needed for (3.5) as for its bound is trivial.

4. Background on lattices

As in [2, 3], and then in [28, 30], our results rely on some lattice algorithms. We therefore review some relevant results and definitions, we refer to [7, 15, 16] for more details and the general theory.

Let be a set of linearly independent vectors in . The set of vectors

is called an -dimensional full rank lattice.

The set is called a basis of .

The volume of the parallelepiped defined by the vectors is called the volume of the lattice and denoted by . Typically, lattice problems are easier when the Euclidean norms of all basis vectors are close to .

Let denote the standard Euclidean norm in .

One of the most fundamental problems in this area is the closest vector problem, CVP: given a basis of a lattice in and a target vector , find a lattice vector which minimizes the Euclidean norm among all lattice vectors. It is well know that CVP is NP-hard when the dimension (see [21, 22, 23, 24, 25] for references).

There several approximate algorithms to find vectors in lattices which are close to a given target vector , see [1, 18, 26] which build on the classical lattice basis reduction algorithm of Lenstra, Lenstra and Lovász [20], we also refer to [22, 23, 24, 25] for possible improvements and further references.

However, it is important to observe that in our case, the dimension of the lattice is bounded so we can use one of the deterministic algorithms which find the closest vector exactly. For example, we appeal to the following result of Micciancio and Voulgaris [21, Corollary 5.6].

Lemma 4.1.

Assume that we are given a basis of a lattice , which consists of vectors of rational numbers and a vector such that their numerators and denominators of are at most -bits long. There is a deterministic algorithm which for a fixed , in time polynomial in , finds a lattice vector satisfying the inequality

5. Lattices and polynomial approximations

Let .

For , we denote by the -dimensional lattice generated by the rows of the following -matrix


The following result is a generalization of several previous results of similar flavour obtained for a large prime number , see [2, 28, 30].

Lemma 5.1.

Let be a sufficiently large -bit power of and let be a fixed integer. We assume that the conditions (2.1) hold and define

Let be a polynomial of the form (1.1) with known exponents , given integers of the form (1.1) with known exponents . Assume that

are chosen uniformly and independently at random. Then with probability

for any vector with

all vectors


are of the form

with some integers , .


As in [2] we define the modular distance between two integers and as

Let denote the set of polynomials

with .

For a polynomial we denote by the probability that


for selected uniformly at random. To estimate we consider the polynomial


Clearly, is not identical to zero in . Hence, if (5.2) is possible for some , then for

we have


We now set


We see from Corollary 3.4 that

Hence, recalling the bound (5.4) and the choice of in (5.5) we obtain

Recalling the inequalities (2.1), we obtain


Hence for any fixed , for example, for , we have

provided that is large enough.

Therefore, for any ,

where the probability is taken over chosen uniformly and independently at random.

Since , taking

we obtain

provided that is large enough.

The rest of the proof is essentially identical to the proof of [2, Theorem 5], see also the proof of [28, Theorem 8]. Indeed, we fix some integers with


Let be a lattice point satisfying

Clearly, since , there are some integers and such that

If , , then for all we have

since otherwise there is such that .

Now suppose that for some . In this case we have

that contradicts our assumption. As we have seen, the condition (5.6) holds with probability exceeding and the result follows.    

6. Proof of Theorem 2.1

As in all previous works, we follow the same arguments as in the proof of of [2, Theorem 1] which we briefly outline here for the sake of completeness. We refer to the first vectors in the matrix (5.1) as -vectors and we refer to the other vectors as power-vectors.

We recall (2.2) and consider the vector


We can certainly assume that

as otherwise the result is trivial. Then multiplying the th power-vector of the matrix (5.1) by and subtracting a certain multiple of the th -vector, , we obtain a lattice point

such that

where , . Therefore,

We can assume that is large enough so that . Therefore . Now we can use Lemma 4.1 to find in polynomial time a lattice vector such that

provided that is large enough, where

Applying Lemma 5.1 with in place of , and thus with in place of we see that with probability at least , and therefore the coefficients of can be recovered in polynomial time.


It seems like a natural idea to classify polynomials

in the proof of Theorem 2.1 depending on the size of where are as in (5.3), instead of using the worst case bound (5.4) We can then take into account that for a given there are at most polynomials with this values of . Unfortunately, this approach may only help to reduce slightly the value of in Theorem 2.1, which is not optimised anyway.

We remark that here we essentially consider the interpolation problem when the value of a polynomial are corrupted by an additive noise. That is, for any we are given for some which is not too large. For a large prime , in [14] the case of multiplicative noise has been studied, where for any we are given the residue modulo of for some rational with not too large numerator and denominator.


This work started during a very enjoyable visit of the second author to the University of Bonn, whose hospitality is very much appreciated. This visit was supported by the excellence grant EXC 2-1 of the Hausdorff Center for Mathematics.

During the preparation of this work the first author was supported in part by the Deutsche Forschungsgemeinschaft and the second author by the Australian Research Council.


  • [1] M. Ajtai, R. Kumar and D. Sivakumar, ‘A sieve algorithm for the shortest lattice vector problem’,

    Proc. 33rd ACM Symp. on Theory of Comput.

    , ACM, 2001, 601–610.
  • [2] D. Boneh and R. Venkatesan, ‘Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes’, Advances in Cryptology – CRYPTO ’96, Lect. Notes in Comp. Sci., Springer-Verlag, 1109 (1996), 129–142.
  • [3] D. Boneh and R. Venkatesan, ‘Rounding in lattices and its cryptographic applications’, Proc. 8th Annual ACM-SIAM Symp. on Discr. Algorithms, SIAM, 1997, 675–681.
  • [4] J. Bourgain, ‘Estimates on polynomial exponential sums’, Israel J. Math., 176 (2010), 221–240.
  • [5] Q. Cheng, S. Gao, J. M. Rojas and D. Wan, ‘Counting roots for polynomials modulo prime powers’, Proc. 13th Algorithmic Number Theory Symp., Open Book Ser., v.2, Math. Sci. Publ., Berkeley, CA, 2019, 191–205.
  • [6] H. Cheng and G. Labahn, ‘Computing all factorizations in ’, Proc. 2001 ACM Intern. Symp. Symb. Algebraic Comp., ACM, New York, 2001, 64–71.
  • [7] J. H. Conway and N. J. A. Sloane, Sphere packings, lattices and groups, 3rd edition. Grundlehren der Mathematischen Wissenschaften, v.290, Springer-Verlag, New York, 1999.
  • [8] M. Drmota and R. Tichy, Sequences, discrepancies and applications, Springer-Verlag, Berlin, 1997.
  • [9] A. Dwivedi, R. Mittal and N. Saxena, ‘Efficiently factoring polynomials modulo ’, Proc. 2019 ACM Intern. Symp. Symb. Algebraic Comp., ACM, 2019, 139-146
  • [10] A. Dwivedi, R. Mittal and N. Saxena, ‘Counting basic-irreducible factors in deterministic poly-time and -adic applications’, Proc. 34th Comp. Compl. Conf., Leibniz Int. Proc. Inform., v.137, Schloss Dagstuhl. Leibniz-Zent. Inform., Wadern, 2019. Art. 15, 1–29.
  • [11] O. Garcia-Morchon, R. Rietman, L. Tolhuizen and I. E. Shparlinski, ‘Interpolation and approximation of polynomials in finite fields over a short interval from noisy values’, Experimental Math., 23 (2014), 261–270.
  • [12] J. von zur Gathen and J. Gerhard, Modern computer algebra, Cambridge University Press, Cambridge, 2003.
  • [13] J. von zur Gathen and S. Hartlieb, ‘Factoring modular polynomials’, J. Symb. Comp., 26 (1998), 583–606.
  • [14] J. von zur Gathen and I. E. Shparlinski, ‘Polynomial Interpolation from multiples’, Proc. 15th ACM–SIAM Symp. on Discr. Algorithms, SIAM, 2004, 209–215.
  • [15] M. Grötschel, L. Lovász and A. Schrijver,

    Geometric algorithms and combinatorial optimization

    , Algorithms and Combinatorics: Study and Research Texts, v.2, Springer-Verlag, Berlin, 1993.
  • [16] P. M. Gruber and C. G. Lekkerkerker, ‘Geometry of numbers’, North-Holland Math. Library, v.37. North-Holland Publishing Co., Amsterdam, 1987.
  • [17] T. Hammonds, J. Johnson, A. Patini and R. M. Walker, ‘Counting roots of polynomials over ’, Houston J. Math., 44 (2018), 1111–1119.
  • [18] R. Kannan, ‘Algorithmic geometry of numbers’, Annual Review of Comp. Sci., 2 (1987), 231–267.
  • [19] L. Kopp, N. Randall, J. M. Rojas, and Y. Zhu, ‘Randomized polynomial-time root counting in prime power rings’, Math. Comp., 89 (2020), 373–385.
  • [20] A. K. Lenstra, H. W. Lenstra and L. Lovász, ‘Factoring polynomials with rational coefficients’, Math. Ann., 261 (1982), 515–534.
  • [21] D. Micciancio and P. Voulgaris, ‘A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations’, SIAM J. Comp., 42 (2013), 1364–1391.
  • [22] P. Q. Nguyen, ‘Public-key cryptanalysis’, Recent Trends in Cryptography, Contemp. Math., v.477, Amer. Math. Soc., 2009, 67–119.
  • [23] P. Q. Nguyen and J. Stern, ‘Lattice reduction in cryptology: An update’, Proc. 13th Algorithmic Number Theory Symp., Lect. Notes in Comp. Sci., v.1838, Springer-Verlag, Berlin, 2000, 85–112.
  • [24] P. Q. Nguyen and J. Stern, ‘The two faces of lattices in cryptology’, Cryptography and Lattices, Lect. Notes in Comp. Sci., v.2146, Springer-Verlag, Berlin,2001, 146–180.
  • [25] O. Regev, ‘On the complexity of lattice problems with polynomial approximation factors’, The LLL Algorithm: Surveys and Applications, Springer-Verlag, 2010, 475–496.
  • [26] C. P. Schnorr, ‘A hierarchy of polynomial time basis reduction algorithms’, Theor. Comp. Sci., 53 (1987), 201–224.
  • [27] I. E. Shparlinski, ‘On exponential sums with sparse polynomials and rational functions’, J. Number Theory, 60 (1996), 233–244.
  • [28] I. E. Shparlinski, ‘Sparse polynomial approximation in finite fields’, Proc. 33rd ACM Symp. on Theory of Comput., ACM, 2001, 209–215.
  • [29] I. E. Shparlinski, ‘Playing “Hide-and-Seek” with numbers: The hidden number problem, lattices and exponential sums’, Public-Key Cryptography, Proc. Symp. in Appl. Math., Amer. Math. Soc., Providence, RI, 62 (2005), 153–177.
  • [30] I. E. Shparlinski and A. Winterhof, ‘Noisy interpolation of sparse polynomials in finite fields’, Appl. Algebra in Engin., Commun. and Computing, 16 (2005), 307–317.
  • [31] C. Sircana, ‘Factorization of polynomials over ’, Proc. 2019 ACM Intern. Symp. Algebraic Comp., ACM, 2019, 405–412.