1. Introduction
There is a long history and a very extensive literature dedicated to algorithms on polynomials over finite fields, see, for example, [12]. More recently, there has also been increasing interest in algorithms for polynomials over residue rings, especially residue rings modulo prime powers, see [5, 9, 10, 13, 17, 19, 31] and references therein. Here we continue in this direction and consider the noisy polynomial interpolation problem modulo prime powers, which is an analogue of the same problem over finite fields [28, 30], which in turn is an extension of the hidden number problem of Boneh and Venkatesan [2, 3].
To be more precise, for an integer we denote by the residue ring modulo an integer , and by the group of units of .
Then the noisy polynomial interpolation problem is the problem of finding an unknown sparse polynomial
(1.1) 
with monomials of degrees from approximations to the values of (treated as integers from the set ) at polynomially many points selected uniformly at random.
Several problems of this type are related to the so-called hidden number problem introduced by Boneh and Venkatesan [2, 3], which corresponds to a linear polynomial with unknown , and have already been studied intensively due to their cryptographic relevance, see the survey [29]. For sparse polynomials this problem has been studied in [28, 30]; for some recent modifications motivated by cryptographic applications, see [11].
More precisely, for integers and we denote by the remainder of on division by .
Furthermore, for integers , and a real we denote by any integer such that
(1.2) 
Roughly speaking, gives the most significant bits of the remainder on division of by . However, this definition is more flexible and suits our purposes better. In particular, we remark that in the inequality (1.2) is not necessarily an integer.
The sparse polynomial noisy interpolation problem is the problem of finding a polynomial of the form (1.1) with known exponents and unknown coefficients from approximate values of at polynomially many points selected uniformly at random. We remark that we always assume that the exponents are positive, since if is not very small, it is impossible to distinguish between and .
Here we are interested in the setting where the modulus is a large power of a fixed prime, for example , while previous works [2, 3, 11, 28, 29, 30] address the case when is a large prime. In the case of , we use the ideas of [28, 30] combined with new number-theoretic tools from [27], and give a polynomial time algorithm provided that for each a little more than half of the bits of is given.
We note that the algorithm itself is deterministic: the only randomness is in the choice of the evaluation points , and the subsequent computation is deterministic.
2. Our results
Throughout the paper, the implied constants in the symbols ‘’, ‘’ and ‘’ may occasionally, where obvious, depend on the degrees of the polynomials involved and on the real parameter , and are absolute otherwise. We recall that the notations , and are all equivalent to the assertion that the inequality holds for some constant on the prime .
It is also convenient to define as the binary logarithm of a real .
We always assume that
is the bit length of the modulus .
Our result depends on the divisibility of the following determinant, formed by binomial coefficients
Finally, for an integer we denote by the -adic order of , that is, the largest integer with , and by
the -adic valuation of .
Theorem 2.1.
Let be a sufficiently large bit power of a fixed prime and let be a fixed integer. Assume that for the integers and real we have
(2.1) 
for some fixed . Then there exists a deterministic polynomial time algorithm such that for any polynomial of the form (1.1), given integers
(2.2) 
where
its output satisfies
if are chosen uniformly and independently at random from .
Analysing the proof of Theorem 2.1, one easily sees that the value of can be reduced slightly; in fact any value is suitable.
3. Congruences with sparse polynomials
For a polynomial in a residue ring modulo , and integers and , we denote by the number of solutions to the congruence
(3.1) 
In fact a bound on such sums for a sparse polynomial as in (1.1) has been given in [27, Theorem 1], which however requires that be bounded (independently of ), and this makes it very restrictive for our applications. Bourgain [4] has given different versions of this result and relaxed the condition on ; however, the corresponding bounds are weaker.
Here we exploit the fact that the results and method of [27] allow us to obtain a bound on which depends on the divisibility of (which controls the -adic properties of the differences between the exponents ) rather than on .
First we need a slightly modified and explicit version of a result from [27].
Lemma 3.1.
Let be a power of a fixed prime and let
be a polynomial such that
Then
where
Proof.
We essentially follow the proof of [27, Lemma 5] and trace the dependence on . In particular, as in [27], we fix some , define , and define the integer by the inequalities
Let us also define the following differential operators
Finally, let
By [27, Lemma 52], the inequality
holds, provided .
Then by [27, Equation (6)] we have
(3.2) 
where
We can certainly assume that is large enough (in terms of ) and thus we are in the case of the proof of [27, Lemma 5]. In this case, by [27, Equation (8)], we have
provided that is fixed. We now trace the dependence on , which is explicit in the proof of [27, Lemma 5] until the very last step.
More precisely, it is shown in the proof of [27, Lemma 5] that for we have
Hence we see from (3.2) that the total contribution to the bound on from all such values of , which we denote by , is at most
(3.3) 
Furthermore, in the case when it is shown in the proof of [27, Lemma 5] that for some constant which depends only on and (and thus only on and )
and also that the exponent satisfies the inequality
Hence we see from (3.2) that the total contribution to the bound on from all such values of , which we denote by , is at most
(3.4) 
Combining Lemma 3.1 with the classical Erdős–Turán inequality (see, for example, [8, Theorem 1.21]), which links the irregularity of distribution of sequences to exponential sums, we immediately derive that is close to its expected value
where is the Euler function. More precisely, we recall that the discrepancy of a sequence in is defined as
where denotes the cardinality of (if it is finite), see [8] for background.
By the classical Erdős–Turán inequality (see, for instance, [8, Theorem 1.21]) we have the following.
Lemma 3.2.
Let , , be a sequence in . Then for any , we have
We now interpret the congruence (3.1) as a condition on the fractional parts to fall in a certain interval of a unit torus of length . This immediately implies the desired result.
Lemma 3.3.
Let be a power of a fixed prime and let
be a polynomial such that
Then
where
Finally, it is convenient to have an upper bound on for polynomials whose coefficients are not necessarily coprime with . Namely, if for as in Lemma 3.3 we have
then provided we have
(3.5) 
Corollary 3.4.
Let be a power of a fixed prime and let
be a polynomial such that
Then
where
4. Background on lattices
As in [2, 3], and then in [28, 30], our results rely on some lattice algorithms. We therefore review some relevant results and definitions; we refer to [7, 15, 16] for more details and the general theory.
Let be a set of linearly independent vectors in . The set of vectors
is called an -dimensional full rank lattice.
The set is called a basis of .
The volume of the parallelepiped defined by the vectors is called the volume of the lattice and denoted by . Typically, lattice problems are easier when the Euclidean norms of all basis vectors are close to .
Let denote the standard Euclidean norm in .
One of the most fundamental problems in this area is the closest vector problem, CVP: given a basis of a lattice in and a target vector , find a lattice vector which minimizes the Euclidean norm among all lattice vectors. It is well known that CVP is NP-hard when the dimension (see [21, 22, 23, 24, 25] for references).
There are several approximation algorithms for finding lattice vectors close to a given target vector , see [1, 18, 26], which build on the classical lattice basis reduction algorithm of Lenstra, Lenstra and Lovász [20]; we also refer to [22, 23, 24, 25] for possible improvements and further references.
However, it is important to observe that in our case the dimension of the lattice is bounded, so we can use one of the deterministic algorithms which find the closest vector exactly. For example, we appeal to the following result of Micciancio and Voulgaris [21, Corollary 5.6].
Lemma 4.1.
Assume that we are given a basis of a lattice , which consists of vectors of rational numbers, and a vector such that the numerators and denominators of are at most bits long. There is a deterministic algorithm which, for a fixed , in time polynomial in , finds a lattice vector satisfying the inequality
5. Lattices and polynomial approximations
Let .
For , we denote by the dimensional lattice generated by the rows of the following matrix
(5.1) 
The following result is a generalization of several previous results of similar flavour obtained for a large prime number , see [2, 28, 30].
Lemma 5.1.
Let be a sufficiently large bit power of and let be a fixed integer. We assume that the conditions (2.1) hold and define
Let be a polynomial of the form (1.1) with known exponents , given integers of the form (1.1) with known exponents . Assume that
are chosen uniformly and independently at random. Then with probability
for any vector with , all vectors
satisfying
are of the form
with some integers , .
Proof.
As in [2] we define the modular distance between two integers and as
Let denote the set of polynomials
with .
For a polynomial we denote by the probability that
(5.2) 
for selected uniformly at random. To estimate we consider the polynomial
(5.3) 
Clearly, is not identically zero in . Hence, if (5.2) is possible for some , then for
we have
(5.4) 
We now set
(5.5) 
We see from Corollary 3.4 that
Hence, recalling the bound (5.4) and the choice of in (5.5) we obtain
Recalling the inequalities (2.1), we obtain
and
Hence for any fixed , for example, for , we have
provided that is large enough.
Therefore, for any ,
where the probability is taken over chosen uniformly and independently at random.
Since , taking
we obtain
provided that is large enough.
The rest of the proof is essentially identical to the proof of [2, Theorem 5], see also the proof of [28, Theorem 8]. Indeed, we fix some integers with
(5.6) 
Let be a lattice point satisfying
Clearly, since , there are some integers and such that
If , , then for all we have
since otherwise there is such that .
Now suppose that for some . In this case we have
which contradicts our assumption. As we have seen, the condition (5.6) holds with probability exceeding , and the result follows.
6. Proof of Theorem 2.1
As in all previous works, we follow the same arguments as in the proof of [2, Theorem 1], which we briefly outline here for the sake of completeness. We refer to the first vectors in the matrix (5.1) as -vectors and to the other vectors as power vectors.
We can certainly assume that
as otherwise the result is trivial. Then, multiplying the -th power vector of the matrix (5.1) by and subtracting a certain multiple of the -th -vector, , we obtain a lattice point
such that
where , . Therefore,
We can assume that is large enough so that . Therefore . Now we can use Lemma 4.1 to find in polynomial time a lattice vector such that
provided that is large enough, where
Applying Lemma 5.1 with in place of , and thus with in place of we see that with probability at least , and therefore the coefficients of can be recovered in polynomial time.
7. Comments
It seems like a natural idea to classify the polynomials
in the proof of Theorem 2.1 depending on the size of , where are as in (5.3), instead of using the worst case bound (5.4). We can then take into account that for a given there are at most polynomials with this value of . Unfortunately, this approach may only help to reduce slightly the value of in Theorem 2.1, which is not optimised anyway.
We remark that here we essentially consider the interpolation problem when the values of a polynomial are corrupted by additive noise. That is, for any we are given for some which is not too large. For a large prime , the case of multiplicative noise has been studied in [14], where for any we are given the residue modulo of for some rational with not too large numerator and denominator.
Acknowledgement
This work started during a very enjoyable visit of the second author to the University of Bonn, whose hospitality is very much appreciated. This visit was supported by the excellence grant EXC 21 of the Hausdorff Center for Mathematics.
During the preparation of this work the first author was supported in part by the Deutsche Forschungsgemeinschaft and the second author by the Australian Research Council.
References
[1] M. Ajtai, R. Kumar and D. Sivakumar, ‘A sieve algorithm for the shortest lattice vector problem’, Proc. 33rd ACM Symp. on Theory of Comput., ACM, 2001, 601–610.
[2] D. Boneh and R. Venkatesan, ‘Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes’, Advances in Cryptology – CRYPTO ’96, Lect. Notes in Comp. Sci., Springer-Verlag, 1109 (1996), 129–142.
[3] D. Boneh and R. Venkatesan, ‘Rounding in lattices and its cryptographic applications’, Proc. 8th Annual ACM-SIAM Symp. on Discr. Algorithms, SIAM, 1997, 675–681.
[4] J. Bourgain, ‘Estimates on polynomial exponential sums’, Israel J. Math., 176 (2010), 221–240.
[5] Q. Cheng, S. Gao, J. M. Rojas and D. Wan, ‘Counting roots for polynomials modulo prime powers’, Proc. 13th Algorithmic Number Theory Symp., Open Book Ser., v.2, Math. Sci. Publ., Berkeley, CA, 2019, 191–205.
[6] H. Cheng and G. Labahn, ‘Computing all factorizations in ’, Proc. 2001 ACM Intern. Symp. Symb. Algebraic Comp., ACM, New York, 2001, 64–71.
[7] J. H. Conway and N. J. A. Sloane, Sphere packings, lattices and groups, 3rd edition, Grundlehren der Mathematischen Wissenschaften, v.290, Springer-Verlag, New York, 1999.
[8] M. Drmota and R. Tichy, Sequences, discrepancies and applications, Springer-Verlag, Berlin, 1997.
[9] A. Dwivedi, R. Mittal and N. Saxena, ‘Efficiently factoring polynomials modulo ’, Proc. 2019 ACM Intern. Symp. Symb. Algebraic Comp., ACM, 2019, 139–146.
[10] A. Dwivedi, R. Mittal and N. Saxena, ‘Counting basic-irreducible factors in deterministic poly-time and p-adic applications’, Proc. 34th Comp. Compl. Conf., Leibniz Int. Proc. Inform., v.137, Schloss Dagstuhl, Leibniz-Zent. Inform., Wadern, 2019, Art. 15, 1–29.
[11] O. Garcia-Morchon, R. Rietman, L. Tolhuizen and I. E. Shparlinski, ‘Interpolation and approximation of polynomials in finite fields over a short interval from noisy values’, Experimental Math., 23 (2014), 261–270.
[12] J. von zur Gathen and J. Gerhard, Modern computer algebra, Cambridge University Press, Cambridge, 2003.
[13] J. von zur Gathen and S. Hartlieb, ‘Factoring modular polynomials’, J. Symb. Comp., 26 (1998), 583–606.
[14] J. von zur Gathen and I. E. Shparlinski, ‘Polynomial interpolation from multiples’, Proc. 15th ACM–SIAM Symp. on Discr. Algorithms, SIAM, 2004, 209–215.
[15] M. Grötschel, L. Lovász and A. Schrijver, Geometric algorithms and combinatorial optimization, Algorithms and Combinatorics: Study and Research Texts, v.2, Springer-Verlag, Berlin, 1993.
[16] P. M. Gruber and C. G. Lekkerkerker, Geometry of numbers, North-Holland Math. Library, v.37, North-Holland Publishing Co., Amsterdam, 1987.
[17] T. Hammonds, J. Johnson, A. Patini and R. M. Walker, ‘Counting roots of polynomials over ’, Houston J. Math., 44 (2018), 1111–1119.
[18] R. Kannan, ‘Algorithmic geometry of numbers’, Annual Review of Comp. Sci., 2 (1987), 231–267.
[19] L. Kopp, N. Randall, J. M. Rojas and Y. Zhu, ‘Randomized polynomial-time root counting in prime power rings’, Math. Comp., 89 (2020), 373–385.
[20] A. K. Lenstra, H. W. Lenstra and L. Lovász, ‘Factoring polynomials with rational coefficients’, Math. Ann., 261 (1982), 515–534.
[21] D. Micciancio and P. Voulgaris, ‘A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations’, SIAM J. Comp., 42 (2013), 1364–1391.
[22] P. Q. Nguyen, ‘Public-key cryptanalysis’, Recent Trends in Cryptography, Contemp. Math., v.477, Amer. Math. Soc., 2009, 67–119.
[23] P. Q. Nguyen and J. Stern, ‘Lattice reduction in cryptology: An update’, Proc. 13th Algorithmic Number Theory Symp., Lect. Notes in Comp. Sci., v.1838, Springer-Verlag, Berlin, 2000, 85–112.
[24] P. Q. Nguyen and J. Stern, ‘The two faces of lattices in cryptology’, Cryptography and Lattices, Lect. Notes in Comp. Sci., v.2146, Springer-Verlag, Berlin, 2001, 146–180.
[25] O. Regev, ‘On the complexity of lattice problems with polynomial approximation factors’, The LLL Algorithm: Surveys and Applications, Springer-Verlag, 2010, 475–496.
[26] C. P. Schnorr, ‘A hierarchy of polynomial time basis reduction algorithms’, Theor. Comp. Sci., 53 (1987), 201–224.
[27] I. E. Shparlinski, ‘On exponential sums with sparse polynomials and rational functions’, J. Number Theory, 60 (1996), 233–244.
[28] I. E. Shparlinski, ‘Sparse polynomial approximation in finite fields’, Proc. 33rd ACM Symp. on Theory of Comput., ACM, 2001, 209–215.
[29] I. E. Shparlinski, ‘Playing “Hide-and-Seek” with numbers: The hidden number problem, lattices and exponential sums’, Public-Key Cryptography, Proc. Symp. in Appl. Math., Amer. Math. Soc., Providence, RI, 62 (2005), 153–177.
[30] I. E. Shparlinski and A. Winterhof, ‘Noisy interpolation of sparse polynomials in finite fields’, Appl. Algebra in Engin., Commun. and Computing, 16 (2005), 307–317.
[31] C. Sircana, ‘Factorization of polynomials over ’, Proc. 2019 ACM Intern. Symp. Algebraic Comp., ACM, 2019, 405–412.