Featured Researches

Symbolic Computation

Formal Analysis of Galois Field Arithmetics - Parallel Verification and Reverse Engineering

Galois field (GF) arithmetic circuits find numerous applications in communications, signal processing, and security engineering. Formal verification techniques for GF circuits are scarce and limited to circuits with known bit positions of the primary inputs and outputs. They also require knowledge of the irreducible polynomial P(x), which affects the final hardware implementation. This paper presents a computer algebra technique that performs verification and reverse engineering of GF(2^m) multipliers directly from the gate-level implementation. The approach is based on extracting a unique irreducible polynomial in a parallel fashion and proceeds in three steps: 1) determine the bit positions of the output bits; 2) determine the bit positions of the input bits; and 3) extract the irreducible polynomial used in the design. We demonstrate that this method is able to reverse engineer GF(2^m) multipliers in m threads. Experiments performed on synthesized Mastrovito and Montgomery multipliers with different P(x), including NIST-recommended polynomials, demonstrate the high efficiency of the proposed method.

Symbolic Computation

Formal Power Series on Algebraic Cryptanalysis

In cryptography, attacks that utilize a Gröbner basis have broken several cryptosystems. The complexity of computing a Gröbner basis dominates the overall computation, and estimating it is important for such cryptanalysis. The complexity is expressed in terms of the solving degree, but this value is hard to determine for a large-scale system arising from cryptography. Thus the degree of regularity and the first fall degree are used as proxies for the solving degree, based on a wealth of experiments. If a given system is semi-regular, the complexity is estimated using the degree of regularity derived from a certain power series; otherwise, it is estimated using the first fall degree derived from a construction of a syzygy. The degree of regularity is also defined for a non-semi-regular system and is experimentally larger than the first fall degree, but the relation between them is not clear theoretically. Moreover, in contrast to the degree of regularity, the first fall degree has been investigated specifically for each cryptosystem, and no discussion of it on generic systems has been given. In this paper, we show an upper bound for the first fall degree of a polynomial system over a sufficiently large field. In detail, we prove that this upper bound for a non-semi-regular system is the degree of regularity. Moreover, we prove that the upper bound for a multi-graded polynomial system is a certain value determined only by its multi-degree. Furthermore, we show that the condition on the order of the field in our results is satisfied in attacks against actual multivariate cryptosystems. Consequently, under a reasonable condition on the order of the field, we clarify the relation between the first fall degree and the degree of regularity and provide a theoretical method using a multivariate power series for cryptanalysis.

Symbolic Computation

Formal Solutions of Completely Integrable Pfaffian Systems With Normal Crossings

In this paper, we present an algorithm for computing a fundamental matrix of formal solutions of completely integrable Pfaffian systems with normal crossings in several variables. This algorithm is a generalization of a method developed for the bivariate case based on a combination of several reduction techniques and is implemented in the computer algebra system Maple.

Symbolic Computation

Formulas for Continued Fractions. An Automated Guess and Prove Approach

We describe a simple method that automatically produces closed forms for the coefficients of continued fraction expansions of a large number of special functions. The function is specified by a non-linear differential equation and initial conditions. These are used to generate the first few coefficients and, from there, a conjectured formula. This formula is then proved automatically thanks to a linear recurrence satisfied by some remainder terms. Extensive experiments show that this simple approach and its straightforward generalization to difference and q-difference equations capture a large part of the formulas in the literature on continued fractions.

Symbolic Computation

Formulating problems for real algebraic geometry

We discuss issues of problem formulation for algorithms in real algebraic geometry, focussing on quantifier elimination by cylindrical algebraic decomposition. We recall how the variable ordering used can have a profound effect on both performance and output and summarise what may be done to assist with this choice. We then survey other questions of problem formulation and algorithm optimisation that have become pertinent following advances in CAD theory, including both work that is already published and work that is currently underway. With implementations now in reach of real world applications and new theory meaning algorithms are far more sensitive to the input, our thesis is that intelligently formulating problems for algorithms, and indeed choosing the correct algorithm variant for a problem, is key to improving the practical use of both quantifier elimination and symbolic real algebraic geometry in general.

Symbolic Computation

Frobenius Additive Fast Fourier Transform

In ISSAC 2017, van der Hoeven and Larrieu showed that evaluating a polynomial P in GF(q)[x] of degree < n at all n-th roots of unity in GF(q^d) can essentially be computed d times faster than evaluating Q in GF(q^d)[x] at all these roots, assuming GF(q^d) contains a primitive n-th root of unity. Termed the Frobenius FFT, this discovery has a profound impact on polynomial multiplication, especially for multiplying binary polynomials, which finds ample application in coding theory and cryptography. In this paper, we show that the theory of the Frobenius FFT beautifully generalizes to a class of additive FFTs developed by Cantor and Gao-Mateer. Furthermore, we demonstrate the power of the Frobenius additive FFT for q=2: to multiply two binary polynomials whose product is of degree < 256, the new technique requires only 29,005 bit operations, while the best result previously reported was 33,397. To the best of our knowledge, this is the first time that FFT-based multiplication outperforms Karatsuba and the like at such a low degree in terms of bit-operation count.

Symbolic Computation

Functional Decomposition using Principal Subfields

Let f ∈ K(t) be a univariate rational function. It is well known that any non-trivial decomposition g∘h, with g,h ∈ K(t), corresponds to a non-trivial subfield K(f(t)) ⊂ L ⊂ K(t) and vice versa. In this paper we use the idea of principal subfields and fast subfield-intersection techniques to compute the subfield lattice of K(t)/K(f(t)). This yields a Las Vegas type algorithm with improved complexity and better run times for finding all non-equivalent complete decompositions of f.

Symbolic Computation

GBLA -- Gröbner Basis Linear Algebra Package

This is a system paper about GBLA, a new GPLv2 open source C library implementing and improving the idea of Faugère and Lachartre (GB reduction). We further exploit underlying structures in the matrices generated during Gröbner basis computations in algorithms like F4 or F5, taking advantage of block patterns by using a special data structure called multilines. Moreover, we discuss a new order of operations for the reduction process. In a range of experiments we show that GBLA performs better than GB reduction or Magma in sequential computations (up to 40% faster) and scales much better than GB reduction for a higher number of cores: on 32 cores we reach a scaling of up to 26. GBLA is up to 7 times faster than GB reduction. Further, we compare the different parallel schedulers GBLA can be used with. We also developed a new advanced storage format that exploits the fact that our matrices come from Gröbner basis computations, shrinking storage by a factor of up to 4. A huge database of our matrices is freely available with GBLA.

Symbolic Computation

Generalized Bruhat decomposition in commutative domains

Deterministic recursive algorithms for computing the generalized Bruhat decomposition of a matrix over a commutative domain are presented. This method has the same complexity as the matrix multiplication algorithm used.

Symbolic Computation

Generalized Hermite Reduction, Creative Telescoping and Definite Integration of D-Finite Functions

Hermite reduction is a classical algorithmic tool in symbolic integration. It is used to decompose a given rational function as a sum of a function with simple poles and the derivative of another rational function. We extend Hermite reduction to arbitrary linear differential operators instead of the pure derivative, and develop efficient algorithms for this reduction. We then apply the generalized Hermite reduction to the computation of linear operators satisfied by single definite integrals of D-finite functions of several continuous or discrete parameters. The resulting algorithm is a generalization of reduction-based methods for creative telescoping.
