An Improvement over the GVW Algorithm for Inhomogeneous Polynomial Systems
Yao Sun (a), Dongdai Lin (a), Dingkang Wang (b)
(a) SKLOIS, Institute of Information Engineering, CAS, Beijing 100093, China
(b) KLMM, Academy of Mathematics and Systems Science, CAS, Beijing 100190, China
Abstract
The GVW algorithm is a signature-based algorithm for computing Gröbner bases. If the input system is not homogeneous, some J-pairs with higher signatures but lower degrees are rejected by GVW's Syzygy Criterion; instead, GVW has to compute some J-pairs with lower signatures but higher degrees. Consequently, the degrees of the polynomials appearing during the computations may grow unnecessarily high and the computation becomes more expensive. In this paper, a variant of the GVW algorithm, called M-GVW, is proposed, and mutant pairs are introduced to overcome the inconveniences brought by inhomogeneous input polynomials. Some techniques from linear algebra are used to improve the efficiency. Both GVW and M-GVW have been implemented in C++ and tested on many examples from boolean polynomial rings. The timings show that M-GVW usually performs much better than the original GVW algorithm when mutant pairs are found. Besides, M-GVW is also compared with the intrinsic Gröbner basis functions of Maple, Singular and Magma. Due to the efficient routines from the M4RI library, the experimental results show that M-GVW is very efficient.
Keywords:
Gröbner basis, the GVW algorithm, signature-based algorithm, linear algebra, boolean polynomial ring.
1. Introduction
Gröbner bases, proposed by Buchberger in 1965 (Buchberger, 1965), have been proven to be very useful in many aspects of algebra. In the past forty years, many efficient algorithms have been proposed to compute Gröbner bases. One important improvement is that Lazard pointed out the strong relation between Gröbner bases and linear algebra (Lazard, 1983).

✩ The authors are supported by the National Key Basic Research Program of China (No. 2013CB834203), the National Natural Science Foundation of China (No. 11301523), the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06010701), and IEE's Research Project on Cryptography (No. Y3Z0013102).
Preprint submitted to Elsevier, April 16, 2014

This idea has been implemented in F4 by Faugère (Faugère, 1999), and also in XL-type algorithms by Courtois et al. (Courtois, 2000) and Ding et al. (Ding et al., 2008). Faugère introduced the concept of signatures for polynomials and presented the famous F5 algorithm (Faugère, 2002). Since then, signature-based algorithms have been widely investigated, and several variants of F5 have been presented, including F5C (Eder and Perry, 2010), extended F5 (Hashemi and Ars, 2010), F5 with revised criterion (the AP algorithm) (Arri and Perry, 2011), and RB (Eder and Roune, 2013). Gao et al. proposed another signature-based algorithm, G2V (Gao et al., 2010), in a different way from F5, and GVW (Gao et al., 2010) (which is unpublished) is an extended version of G2V. The authors also studied generalized criteria and signature-based algorithms in solvable polynomial algebras in (Sun and Wang, 2011; Sun et al., 2012).

In GVW, the criteria reject J-pairs with higher signatures and process J-pairs with lower signatures instead. However, when the input systems are inhomogeneous, J-pairs with higher signatures do not always have higher degrees (by the degree of a polynomial we always mean its total degree). This is not good for Gröbner basis computations, and particularly not good for an implementation of GVW using linear algebra, because, as suggested by Faugère in (Faugère, 1999, 2002), a good strategy for dealing with critical pairs (the equivalent of J-pairs in GVW) in a batch is to select all critical pairs with the minimal degree. The reason is that critical pairs with higher degrees usually lead to larger matrices, whose elimination costs much more time. Some influences of inhomogeneous input systems were also discussed by Eder (Eder, 2013).

We find that GVW's Syzygy Criterion may reject J-pairs with higher signatures but lower degrees, so that GVW has to compute J-pairs with lower signatures but higher degrees.
After analysis, we find that this phenomenon is caused by some mutant pairs, which will be defined in Section 2, and we then propose a variant of the GVW algorithm (called M-GVW). In M-GVW, when mutant pairs are found during the computations, we append them to the initial input system and assign new signatures to such mutant pairs. In this way, the J-pairs generated by mutant pairs will not all be rejected by GVW's Syzygy Criterion, and hence the maximal degree of the polynomials appearing in the computations will not become too high. In particular, for homogeneous polynomial systems no mutant pairs are generated, and M-GVW is exactly the GVW algorithm.

For implementations of signature-based algorithms, Roune and Stillman efficiently implemented GVW and AP without using linear algebra (Roune and Stillman, 2012). Faugère mentioned a matrix F5 in (Faugère and Rahmany, 2009). A matrix F5 was described in more detail in an unpublished paper by Albrecht and Perry (Albrecht and Perry, 2010). We have implemented both the original GVW and M-GVW with linear algebra over boolean polynomial rings. For the elimination of matrices, we want to take advantage of the fast arithmetic on dense matrices over GF(2) provided by the library M4RI (Albrecht and Bard, 2013). However, reductions in signature-based algorithms must be done in one direction, i.e. rows with higher signatures can only be eliminated by rows with lower signatures, so the functions from M4RI cannot be used directly. We propose a method for such one-direction eliminations of dense matrices by modifying functions from M4RI in our implementation.

The timings show that M-GVW usually performs much better than the original GVW algorithm when mutant pairs are found. Besides, M-GVW is also compared with the intrinsic Gröbner basis functions of Maple, Singular and Magma. The experimental results show that M-GVW is very efficient.

This paper is organized as follows.
In Section 2, we revisit the GVW algorithm and present M-GVW at a theoretical level. In Section 3, we discuss the details of implementing M-GVW over boolean polynomial rings. Some experimental results are shown in Section 4. Concluding remarks follow in Section 5.
2. A variant of the GVW algorithm
In this section, we present a variant of GVW (M-GVW) at a theoretical level. We give this new algorithm over general polynomial rings, i.e. with no special assumptions on ground fields and monomial orderings.
Most notations and definitions are inherited from Gao et al.'s original paper. For more details, please see (Gao et al., 2010).

Let R = K[x_1, ..., x_n] be a polynomial ring over a field K with n variables, and let {f_1, ..., f_m} be a finite subset of R. We want to compute a Gröbner basis for the ideal

  I = ⟨f_1, ..., f_m⟩ = {p_1 f_1 + ··· + p_m f_m | p_1, ..., p_m ∈ R}

with respect to some monomial ordering on R. Let F = (f_1, ..., f_m) ∈ R^m, and consider the following R-module of R^m × R:

  M = {(u, f) ∈ R^m × R | u · F = f}.

Let e_i be the i-th unit vector of R^m, i.e. (e_i)_j = δ_ij, where δ_ij is the Kronecker delta. Then the R-module M is generated by {(e_1, f_1), ..., (e_m, f_m)}.

A monomial in R has the form x^α = ∏_{i=1}^{n} x_i^{a_i}, where α = (a_1, ..., a_n) ∈ N^n and N is the set of all non-negative integers. A monomial in R^m is of the form x^α e_i, where 1 ≤ i ≤ m and α ∈ N^n. For monomials in R^m, we say x^α e_i divides x^β e_j (or x^α e_i | x^β e_j for short) if i = j and x^α divides x^β, and the quotient is defined as (x^β e_i)/(x^α e_i) = x^{β−α} ∈ R.

Fix any monomial ordering ≺_p on R and any monomial ordering ≺_s on R^m (the subscripts p and s stand for polynomial and signature respectively). Please note that ≺_s may or may not be related to ≺_p in theory, although in practice we always assume ≺_s is compatible with ≺_p, i.e. x^α ≺_p x^β if and only if x^α e_i ≺_s x^β e_i for 1 ≤ i ≤ m. To make descriptions simpler, we use the following notations for leading monomials:

  lm(f) = lm_{≺_p}(f) and lm(u) = lm_{≺_s}(u), for any f ∈ R and any u ∈ R^m.

Leading monomials of f ∈ R and u ∈ R^m are monomials without coefficients in R and R^m respectively. We define lm(f) = 0 if f = 0, and 0 ≺_p x^α for any nonzero monomial x^α in R; similarly for monomials in R^m.
In the rest of this paper, we use ≺ to represent both ≺_p and ≺_s for short, if no confusion occurs.

For a pair (u, f) ∈ M, lm(u) is called the signature of (u, f). This definition is the same as that used in GVW, but different from those used in (Faugère, 2002; Arri and Perry, 2011). The difference is discussed in (Gao et al., 2010).

Let (u, f) ∈ M and B ⊂ M. We say (u, f) is top-reducible by B if there exists (v, g) ∈ B with g ≠ 0 such that lm(g) divides lm(f) and lm(u) ⪰ lm(t v), where t = lm(f)/lm(g). The corresponding top-reduction is then

  (u, f) − c t (v, g) = (u − c t v, f − c t g),

where c = lc(f)/lc(g). In particular, this top-reduction is called regular if lm(u) ≻ lm(t v), and super if lm(u) = lm(t v). Clearly, (u − c t v, f − c t g) is also an element of M.

A subset G of M is called a strong Gröbner basis for M if every nonzero pair in M is top-reducible by G. By Proposition 2.2 of (Gao et al., 2010), if G = {(v_i, g_i) | 1 ≤ i ≤ s} is a strong Gröbner basis for M, then {g_i : 1 ≤ i ≤ s} is a Gröbner basis for I = ⟨f_1, ..., f_m⟩.

Next, we define joint pairs (J-pairs). Suppose (u, f), (v, g) ∈ M are two pairs with f and g both nonzero. Let t = lcm(lm(f), lm(g)), t_f = t/lm(f) and t_g = t/lm(g). Then the J-pair of (u, f) and (v, g) is defined as t_f (u, f) if lm(t_f u) ≻ lm(t_g v), and as t_g (v, g) if lm(t_f u) ≺ lm(t_g v). For the case lm(t_f u) = lm(t_g v), the J-pair is not defined. Note that the J-pair of (u, f), (v, g) ∈ M is also a pair in M. Assuming t_f (u, f) is the J-pair of (u, f) and (v, g), the degree of t_f (u, f) is defined as deg(t_f f), i.e. the degree of the polynomial part.
For convenience, we say a J-pair is of G ⊂ M if it is the J-pair of two pairs in G.

For a pair (u, f) ∈ M and a set G ⊂ M, we say (u, f) is covered by G if there is a pair (v, g) ∈ G such that lm(v) divides lm(u) and t lm(g) ≺ lm(f) (strictly smaller), where t = lm(u)/lm(v).

Two criteria are used in the GVW algorithm.

[Syzygy Criterion] For a J-pair t_f (u, f) of a set G ⊂ M, if there exists (v, 0) ∈ G such that lm(v) divides t_f lm(u), then this J-pair can be discarded.

[Second Criterion] For a J-pair of a set G ⊂ M, if this J-pair is covered by G, then this J-pair can be discarded.

In this paper, we call the second criterion the Rewriting Criterion. Arri and Perry proposed a quite similar criterion in (Arri and Perry, 2011). Comments on Arri-Perry's criterion and the Rewriting Criterion can be found in (Gao et al., 2010; Roune and Stillman, 2012).

The following GVW algorithm is slightly modified from its original version. We delete the output of a Gröbner basis for the syzygy module of the input polynomials, because we only care about the Gröbner basis of the input polynomials in the current paper. We emphasize that for a pair (u, f) ∈ M, only (lm(u), f) is stored in the latest version of the GVW algorithm. Related concepts, such as top-reduction, J-pairs and cover, are defined similarly. Please see (Gao et al., 2010) for more details.

(Footnote: Regular top-reduction as defined here is slightly different from its original version in (Gao et al., 2010), but this will not affect the proofs of the related propositions and theorems.)

Algorithm 1: The GVW algorithm
Input: f_1, ..., f_m ∈ R = K[x_1, ..., x_n], monomial orderings for R and R^m.
Output: A Gröbner basis of I = ⟨f_1, ..., f_m⟩.
 1  begin
 2    H ← {lm(f_j e_i − f_i e_j) | 1 ≤ i, j ≤ m}
 3    G ← {(lm(e_i), f_i) | 1 ≤ i ≤ m}
 4    JP ← {all J-pairs of G}
 5    while JP ≠ ∅ do
 6      Let t(x^α e_i, f) ∈ JP    (⋆)
 7      JP ← JP \ {t(x^α e_i, f)}
 8      if t x^α e_i is divisible by a monomial in H then
 9        Goto Step 5
10      if t(x^α e_i, f) is covered by G then
11        Goto Step 5
12      (x^γ e_i, h) ← Regular top-reduce (t x^α e_i, t f) by G
13      if h = 0 then
14        H ← H ∪ {x^γ e_i}
15        Goto Step 5
16      for (x^β e_j, g) ∈ G s.t. lm(g) x^γ e_i ≠ lm(h) x^β e_j do
17        H ← H ∪ {max(lm(g) x^γ e_i, lm(h) x^β e_j)}
18        JP ← JP ∪ {J-pair of (x^γ e_i, h) and (x^β e_j, g)}
19      G ← G ∪ {(x^γ e_i, h)}
20    return {g | (x^β e_j, g) ∈ G}

There are some remarks on the GVW algorithm.
1. At Step 6 (marked with the black star), a J-pair can be selected from JP in any order. In Section 3, we prefer to choose J-pairs with minimal degrees first.
2. Proposition 2.2 in (Gao et al., 2010) ensures the correctness of GVW when J-pairs are computed in any order.
3. The finite termination of GVW is proved by Theorem 3.1 in (Gao et al., 2010) when the monomial orderings of R and R^m are compatible. In particular, GVW also terminates in finitely many steps when J-pairs are computed in any order. This proof is first given by Theorem 3.5 in (Sun et al., 2012).
4. The GVW algorithm in (Gao et al., 2010) retains only one J-pair (the one with the minimal polynomial part) when there are several J-pairs having the same signature. This process is implied by the "cover check" at Step 10.

2.2. Motivation and main ideas

The motivation for varying GVW arose when we were implementing GVW with linear algebra in boolean polynomial rings. To keep the sizes of the matrices that appear as small as possible, we deal with the J-pairs of minimal degree first.
That is, at Step 6 of GVW, we first find the minimal degree of all J-pairs in JP, and then choose the J-pair with the smallest signature among the J-pairs of that minimal degree.

However, we were quite surprised to find that when computing a Gröbner basis for HFE 25 96 from (Steel, 2004), the degrees of the matrices always grow up to 5. This makes our implementation much less efficient, because matrices of degree 5 are much larger than those of degree 4; moreover, it has been shown in (Faugère and Joux, 2003) that a Gröbner basis of this example can definitely be obtained with matrices of degree smaller than 5. Here the degree of a matrix is the maximal degree of the polynomials used to construct this matrix.

We find that the above phenomenon does not depend on the computing order of J-pairs. In order to illustrate this phenomenon clearly, after testing many examples we finally arrived at the following one.
Example 2.1.
Let {f, f, ..., f} ⊂ R = F[x, x, ..., x], where F is the Galois Field GF(2), and

  f = x x x x + x x x x + x,
  f = x x x x + x x x,
  f_{i+2} = x_i + x_i, for ≤ i ≤ .

The monomial ordering ≺_p on R is the Graded Reverse Lexicographic ordering, and ≺_s on R^m is a position over term extension of ≺_p: x^α e_i ≺_s x^β e_j iff i > j, or i = j and x^α ≺_p x^β. Thus e ≻ e ≻ ··· ≻ e.

For this example, GVW needs to deal with J-pairs of degree bigger than 5, while the maximal degree of the matrices in the F4 algorithm with the criteria from (Buchberger, 1979) is only 5. This implies that some "useful" J-pairs with degrees not bigger than 5 have been rejected by GVW's criteria.

Now we discuss this example in detail. We compute a Gröbner basis for ⟨f, ..., f⟩ by GVW with the following strategy for selecting J-pairs at Step 6:
1. deg ← the minimal degree of the J-pairs in JP.
2. (x^α e_i, f) ← the J-pair with the smallest signature in the set {(x^β e_j, g) ∈ JP | deg(g) = deg}.
Since the f_i's are all inhomogeneous, the above strategy means that J-pairs are not handled in increasing order of signatures. (Footnote: Even when dealing with J-pairs in increasing order of signatures, GVW still has to reduce J-pairs of degree bigger than 5 before a strong Gröbner basis is obtained.)

G = {(e, f), (e, f), ..., (e, f)}.
Before dealing with J-pairs of degree 6, the following polynomials are generated one by one:

  (x e, f = x x x x + x x x),
  (x e, f = x x x x + x x x x),
  (x e, f = x x x x + x x x x),
  (x e, f = x x x x + x x x x),
  (x e, f = x x x x x + x x x x + x x),
  (x e, f = x x x x x + x x x x + x x),
  (x e, f = x x x x x + x x x x + x x),
  (x e, f = x x + x),
  (x e, f = x x x x x + x x x x + x x),
  (x x x x e, f = x x x x + x x x x + x x),
  (x x x x e, f = x x x x + x x x + x x + x),
  (x x x x e, f = x x x x + x x x + x x + x),
  (x x x x e, f = x x x x + x x x x + x x + x).

During the computations, many leading monomials of syzygies in M are generated; among them the one x x x e (obtained before f) is important, since it has been used to reject many other J-pairs.

So far, all J-pairs with degrees not bigger than 5 have been considered. It is easy to check that {f, f, ..., f} is not a Gröbner basis of ⟨f, f, ..., f⟩. However, for the same ideal, the F4 algorithm with the criteria from (Buchberger, 1979) can obtain a Gröbner basis without computing any critical pairs of degree bigger than 5. Comparing GVW and F4 step by step, we finally find the following J-pairs:

  x(x x x x e, f), x(x x x x e, f), x(x x x x e, f), x x x(x e, f), x x x(x e, f), x(x x x x e, f), x(x x x x e, f), x(x x x x e, f), x(x x x x e, f), x(x x x x e, f), x(x x x x e, f), x(x x x x e, f), x(x x x x e, f),

which are rejected by GVW's criteria but not by Buchberger's criteria in F4. Reducing these J-pairs, we get 9 polynomials of degree 3 and 4 polynomials of degree 4. These polynomials are computed in F4, and prevent F4 from dealing with critical pairs of degree bigger than 5.

Next, we analyze why GVW may reject J-pairs with lower degrees and prefer to reduce higher-degree J-pairs.

Take the J-pair x(x x x x e, f) for example. Reducing this J-pair, we get

  (x x x x e, x x x + x x + x x + x).
But this J-pair is rejected by ((x + x) e − f e, 0) ∈ M in GVW, which is the principal syzygy of f and f. Running GVW further, we find that the polynomial x x x + x x + x x + x is obtained from the J-pair x(x e, f), which is a J-pair of degree 6. Combined with our experience of proving F5 in (Sun and Wang, 2013), we have the following observation.

Remark 2.2.
GVW's criteria always reject J-pairs with higher signatures, and process some J-pairs with smaller signatures instead. When the input systems are inhomogeneous, J-pairs with bigger signatures may have lower degrees than J-pairs with smaller signatures.
Consider the degree-5 J-pair x(x x x x e, f) again. The syzygy ((x + x) e − f e, 0) ∈ M, which rejects this J-pair, corresponds to the equation f f − f f = 0, in which monomials of degree 6 appear. Thus, we believe that if we use the syzygy ((x + x) e − f e, 0) to reject this degree-5 J-pair, it is possible that some J-pairs involving polynomials of degree 6 have to be dealt with instead later. Seeing this, our basic idea is to prevent GVW from rejecting J-pairs like x(x x x x e, f) by using syzygies like ((x + x) e − f e, t(x^α e, f_j) that is listed, we find that deg(x^α) + deg(f) > deg(f_j). The second property makes the degree of x(x x x x e, f) lower than the degree of f f. In order to prevent this J-pair from being rejected, there are two possible methods: (1) treat the syzygy (f e − f e, 0) specially; and (2) treat the pair (x x x x e, f) specially. For the first method, we can store the degree of f f together with the syzygy (f e − f e, 0) and prevent it from rejecting J-pairs that have lower degrees than deg(f f). But we do not use the first method in our implementation, because the second method seems to be simpler.

We find that the pairs satisfying property 2 are similar to the mutant polynomials defined in (Ding et al., 2008), so we give the following definition.

Definition 2.3.
Let M be the R-module generated by {(e_1, f_1), ..., (e_m, f_m)}. A pair (u, f) ∈ M with lm(u) = x^α e_i and f ≠ 0 is called mutant if deg(x^α) + deg(f_i) > deg(f).

Due to the existence of syzygy pairs, there are lots of mutant pairs in M. But the mutant pairs appearing in GVW are not so many, since the Syzygy Criterion is used.

The basic idea of M-GVW is to append mutant pairs to the initial input system and assign new signatures to such pairs, so that the J-pairs generated by mutant pairs will not all be rejected by GVW's Syzygy Criterion, and hence the maximal degree of the polynomials appearing in the computations will not become too high.

Specifically, let M be generated by {(e_1, f_1), ..., (e_m, f_m)}, and let (u, f) with lm(u) = x^α e_k be the first mutant pair that we meet during the computations, where e_i ∈ R^m. Then we add a pair (e_{m+1}, f) as a new generator, and the module is expanded to the module generated by {(e_1, f_1), ..., (e_m, f_m), (e_{m+1}, f_{m+1} = f)}. Please note that the dimensions of e_1, ..., e_m are enlarged to m + 1 by appending a 0 as the last entry, and now e_i ∈ R^{m+1}. We emphasize that, after appending (e_{m+1}, f_{m+1}), we always require

  x^α e_k ≻_s e_{m+1}.    (1)

That is, the signature of a newly appended generator (e_{m+1}, f_{m+1}) should be smaller than the signature of the mutant pair (u, f), such that (e_{m+1}, f_{m+1}) will not be reduced to 0. Next, when the second mutant pair is obtained, we append it as the (m+2)-th generator, and so on. This appending method was mentioned in (Sun and Wang, 2009) by the authors.

In order to ensure the termination of this variant algorithm, when we meet a mutant pair (u, f), we usually do not append f as the k-th generator directly. Instead, we first compute the remainder of f w.r.t. the previous k − 1 generators {f_1, ..., f_{k−1}} by polynomial division (defined in (Cox et al., 2006)) without consideration of signatures, and denote the remainder by f′.
If f′ ≠ 0, then lm(f′) is not divisible by any lm(f_i) with 1 ≤ i < k, and we add (e_k, f′) as the k-th generator. Please note that f′ is in the ideal generated by {f_1, ..., f_{k−1}}.

Next we give M-GVW below. The function Rem(f, F) computes a remainder of f w.r.t. F by polynomial division.

Theorem 2.4.
The M-GVW algorithm terminates in finitely many steps if the monomial orderings on R^m and R are compatible.

Proof. At Steps 17-20 of M-GVW, a new generator is appended when (t x^α e_i, h) is mutant and the remainder of h, say h′, w.r.t. {f_1, ..., f_index} is not 0. If h′ ≠ 0, the ideal ⟨lm(f_1), ..., lm(f_index)⟩ is strictly smaller than ⟨lm(f_1), ..., lm(f_index), lm(h′)⟩. The ascending chain condition for ideals (Cox et al., 2006) implies that M-GVW can only append finitely many new generators. That is, after appending some generator (e_l, f_l), no more generators will be appended. In this case, M-GVW turns into GVW, and termination is ensured by Theorem 3.1 of (Gao et al., 2010).

Theorem 2.5.
The M-GVW algorithm is correct.

Proof.
Clearly, we have f_{index+1} ∈ ⟨f_1, ..., f_index⟩ for index ≥ m. Assume (e_l, f_l) is the last generator appended in M-GVW. In this case, M-GVW turns into GVW, and M-GVW computes a Gröbner basis for ⟨f_1, ..., f_l⟩ = ⟨f_1, ..., f_m⟩ by Theorem 2.2 of (Gao et al., 2010).

There are some remarks on M-GVW.
1. Since we always impose requirements like (1), we prefer ≺_s to be a position over term extension of ≺_p in M-GVW, with e_1 ≻ e_2 ≻ ··· ≻ e_m ≻ ···.

Algorithm 2: The M-GVW algorithm
Input: f_1, ..., f_m ∈ R = K[x_1, ..., x_n], monomial orderings for R and R^m.
Output: A Gröbner basis of I = ⟨f_1, ..., f_m⟩.
 1  begin
 2    H ← {lm(f_j e_i − f_i e_j) | 1 ≤ i, j ≤ m}
 3    G ← {(lm(e_i), f_i) | 1 ≤ i ≤ m}
 4    index ← m
 5    JP ← {all J-pairs of G}
 6    while JP ≠ ∅ do
 7      Let t(x^α e_i, f) ∈ JP
 8      JP ← JP \ {t(x^α e_i, f)}
 9      if t x^α e_i is divisible by a monomial in H then
10        Goto Step 6
11      if t(x^α e_i, f) is covered by G then
12        Goto Step 6
13      (t x^α e_i, h) ← Regular top-reduce t(x^α e_i, f) by G
14      if h = 0 then
15        H ← H ∪ {t x^α e_i}
16        Goto Step 6
17      if deg(t x^α) + deg(f_i) > deg(h) and Rem(h, {f_1, ..., f_index}) ≠ 0 then
18        f_{index+1} ← Rem(h, {f_1, ..., f_index})
19        index ← index + 1
20        Denote (e_index, f_index) as (x^γ e_k, p)
21      else
22        Denote (t x^α e_i, h) as (x^γ e_k, p)
23      for (x^β e_j, g) ∈ G with lm(g) x^γ e_k ≠ lm(p) x^β e_j do
24        H ← H ∪ {max(lm(g) x^γ e_k, lm(p) x^β e_j)}
25        JP ← JP ∪ {J-pair of (x^γ e_k, p) and (x^β e_j, g)}
26      G ← G ∪ {(x^γ e_k, p)}
27    return {g | (x^β e_j, g) ∈ G}
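As an added illustration, not code from the paper or from its C++ implementation, the following Python snippet carries out the J-pair construction of Section 2 and the mutant test of Definition 2.3 (the condition at Step 17 of Algorithm 2) over GF(2) with exponent vectors, under the Graded Reverse Lexicographic ordering and the position-over-term signature ordering with e_1 ≻ e_2 ≻ ···; the generators and pairs are constructed sample inputs.

```python
from typing import FrozenSet, Optional, Tuple

# Representation chosen for this illustration (an assumption, not the paper's code):
# a monomial x^alpha is its exponent vector, a polynomial over GF(2) is the set of
# monomials with coefficient 1, and a signature x^alpha e_i is the pair (i, alpha).
Mono = Tuple[int, ...]
Poly = FrozenSet[Mono]
Sig = Tuple[int, Mono]
Pair = Tuple[Sig, Poly]


def grevlex_key(m: Mono):
    """Sort key for the Graded Reverse Lexicographic ordering (larger key = larger
    monomial): higher total degree wins; on equal degree the monomial whose rightmost
    differing exponent is smaller is the larger one, so x1 > x2 > ... > xn."""
    return (sum(m), tuple(-e for e in reversed(m)))


def sig_key(s: Sig):
    """Position-over-term extension of grevlex with e_1 > e_2 > ...:
    x^a e_i < x^b e_j iff i > j, or i == j and x^a < x^b (as in Example 2.1)."""
    i, m = s
    return (-i, grevlex_key(m))


def mono_mul(a: Mono, b: Mono) -> Mono:
    return tuple(x + y for x, y in zip(a, b))


def mono_div(a: Mono, b: Mono) -> Mono:
    """Quotient a / b; the caller guarantees that b divides a."""
    return tuple(x - y for x, y in zip(a, b))


def mono_lcm(a: Mono, b: Mono) -> Mono:
    return tuple(max(x, y) for x, y in zip(a, b))


def lm(f: Poly) -> Mono:
    """Leading monomial of a nonzero polynomial under grevlex."""
    return max(f, key=grevlex_key)


def deg(f: Poly) -> int:
    """Total degree of a nonzero polynomial."""
    return max(sum(m) for m in f)


def scale(t: Mono, f: Poly) -> Poly:
    """t * f for a monomial t (over GF(2) no coefficient changes)."""
    return frozenset(mono_mul(t, m) for m in f)


def j_pair(p: Pair, q: Pair) -> Optional[Pair]:
    """J-pair of (u, f) and (v, g) as defined in Section 2: with t = lcm(lm f, lm g),
    t_f = t / lm f and t_g = t / lm g, return t_f (u, f) if lm(t_f u) > lm(t_g v),
    t_g (v, g) if it is smaller, and None when the two signatures coincide."""
    (i, a), f = p
    (j, b), g = q
    t = mono_lcm(lm(f), lm(g))
    tf, tg = mono_div(t, lm(f)), mono_div(t, lm(g))
    sf: Sig = (i, mono_mul(tf, a))
    sg: Sig = (j, mono_mul(tg, b))
    if sf == sg:
        return None
    return (sf, scale(tf, f)) if sig_key(sf) > sig_key(sg) else (sg, scale(tg, g))


def is_mutant(pair: Pair, generators) -> bool:
    """Definition 2.3: (u, f) with lm(u) = x^alpha e_i and f != 0 is mutant if
    deg(x^alpha) + deg(f_i) > deg(f); generators[i-1] is the f_i attached to e_i."""
    (i, alpha), f = pair
    if not f:
        return False
    return sum(alpha) + deg(generators[i - 1]) > deg(f)


# Constructed sample in R = GF(2)[x1, x2, x3], exponent vectors over (x1, x2, x3):
#   f1 = x1*x2 + x3,  f2 = x1*x3 + x2
F1: Poly = frozenset({(1, 1, 0), (0, 0, 1)})
F2: Poly = frozenset({(1, 0, 1), (0, 1, 0)})
GENERATORS = [F1, F2]
PAIR1: Pair = ((1, (0, 0, 0)), F1)   # (e_1, f1)
PAIR2: Pair = ((2, (0, 0, 0)), F2)   # (e_2, f2)
# A constructed pair (x1 e_1, x2 + x3): deg(x1) + deg(f1) = 3 > deg(x2 + x3) = 1.
MUTANT_PAIR: Pair = ((1, (1, 0, 0)), frozenset({(0, 1, 0), (0, 0, 1)}))

if __name__ == "__main__":
    jp = j_pair(PAIR1, PAIR2)
    print("J-pair signature (i, alpha):", jp[0], " polynomial part:", sorted(jp[1]))
    print("J-pair degree:", deg(jp[1]), " mutant:", is_mutant(jp, GENERATORS))
    print("constructed pair mutant:", is_mutant(MUTANT_PAIR, GENERATORS))
```

For the sample, the J-pair of (e_1, f1) and (e_2, f2) is x3 (e_1, f1), since e_1 ≻ e_2 under position-over-term, and it is not mutant, whereas the constructed pair (x1 e_1, x2 + x3) is.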
2. In practical implementations, we usually do not append all mutant pairs as new generators, because appending generators of high degree often makes the implementation less efficient, and too many generators will also weaken the power of the Syzygy Criterion. So we usually add a constraint "deg(h) < Deg-Limit" at Step 17, where Deg-Limit is a given constant.
3. Mutant pairs cannot be found in M-GVW when the input systems are homogeneous. In this case, M-GVW is just the GVW algorithm.

3. An implementation with linear algebra over boolean polynomial rings
In this section, we give an implementation of M-GVW based on the dense matrix library M4RI, and show some details of our implementation.

The polynomial ring is specialized to R = F[x_1, x_2, ..., x_n] with n variables over the Galois Field GF(2). The polynomials E = {x_1^2 + x_1, ..., x_n^2 + x_n} are called field polynomials. Let F = {f_1, ..., f_m} be a subset of R. Then computing a Gröbner basis for the ideal generated by F over the boolean polynomial ring R/⟨E⟩ is equivalent to computing a Gröbner basis for the ideal generated by F ∪ E over R. In our implementation, we aim to compute Gröbner bases for F ∪ E over R, so all operations are done in R. In fact, since field polynomials have quite special forms, we do not need to store them in practical implementations; moreover, normal forms of polynomials in R w.r.t. E are also computed automatically.

We specialize the monomial ordering ≺_p on R to be the Graded Reverse Lexicographic ordering, and the monomial ordering ≺_s on modules to be a position over term extension of ≺_p such that e_1 ≻_s e_2 ≻_s ···. Note that the e_j's corresponding to field polynomials are always smaller than those of the non-field polynomials, even if new generators are appended, such that field polynomials can always be used for reductions.

In Subsection 3.1, we write M-GVW in a matrix style. In Subsection 3.2, we show how to do reductions efficiently based on matrices.

The matrix version of M-GVW is quite similar to the F4 algorithm. The main function is given below.

The function
SymbolicProcess(JP_deg′, G) does three things. First, compute J-pairs from JP_deg′. Second, for each monomial that is not a leading monomial, search for polynomials from G to reduce it. Third, sort all pairs according to their signatures, and if there are several pairs having the same signature, retain only one of them. Denote by M(P) the set of all monomials in h for any (x^γ e_k, h) ∈ P.

This function is a bit different from Albrecht-Perry's version (Albrecht and Perry, 2010). First, any monomial m can be selected from M(P) \ Done, while in (Albrecht and Perry, 2010) the maximal one is selected each time. Second, for any selected monomial m, we do not need to know any signature information about it.

The function Elimination(P) also does three things. First, write the pairs in P as rows of a matrix. Second, compute the echelon form of this matrix. Third, read polynomials from the rows of this matrix. In the first step, building matrices from boolean polynomials is different from building matrices from general polynomials, because the product of a monomial and a boolean polynomial should be reduced by the field polynomials automatically. We report our method in (Sun et al., 2013) and omit the details here. The second step is critical. We do not use naive Gaussian elimination, and want to use the efficient divide-and-conquer elimination methods from M4RI to improve efficiency. However, in signature-based algorithms, since rows with higher signatures can only be eliminated by rows with lower signatures, the functions

Algorithm 3: M-GVW in matrix style
Input: f_1, ..., f_m ∈ R = K[x_1, ..., x_n], monomial orderings for R and R^m.
Output: A Gröbner basis of I = ⟨f_1, ..., f_m⟩.
 1  begin
 2    H ← {lm(f_j e_i − f_i e_j) | 1 ≤ i, j ≤ m}
 3    G ← {(lm(e_i), f_i) | 1 ≤ i ≤ m}
 4    index ← m
 5    JP ← {all J-pairs of G}
 6    while JP ≠ ∅ do
 7      deg ← the minimal degree of the J-pairs in JP
 8      JP_deg ← all J-pairs of degree deg in JP
 9      JP ← JP \ JP_deg
10      JP_deg′ ← JP_deg with the J-pairs rejected by the Syzygy and Rewriting Criteria discarded
11      P ← SymbolicProcess(JP_deg′, G)    (elements of P have the form (x^α e_i, f))
12      F ← Elimination(P)    (elements of F have the form (x^α e_i, h))
13      F⁺ ← F \ {pairs that are super top-reducible by G}
14      for each (x^α e_i, h) ∈ F⁺ s.t. h = 0 do
15        H ← H ∪ {x^α e_i}
16      for each (x^α e_i, h) ∈ F⁺ s.t. h ≠ 0 do
17        if deg(x^α) + deg(f_i) > deg(h) and deg(h) < Deg-Limit and Rem(h, {f_1, ..., f_index}) ≠ 0 then
18          f_{index+1} ← Rem(h, {f_1, ..., f_index})
19          index ← index + 1
20          Denote (e_index, f_index) as (x^γ e_k, p)
21        else
22          Denote (x^α e_i, h) as (x^γ e_k, p)
23        for (x^β e_j, g) ∈ G with lm(g) x^γ e_k ≠ lm(p) x^β e_j do
24          H ← H ∪ {max(lm(g) x^γ e_k, lm(p) x^β e_j)}
25          JP ← JP ∪ {J-pair of (x^γ e_k, p) and (x^β e_j, g)}
26        G ← G ∪ {(x^γ e_k, p)}
27    return {g | (x^β e_j, g) ∈ G}

from M4RI cannot be used directly. So we use a special kind of row swap to replace the original row swaps in M4RI, which will be discussed in the next subsection.

For the criteria checks, similarly to (Albrecht and Perry, 2010), we maintain two arrays of "rules" for the Syzygy and Rewriting Criteria respectively. In the "rules" of the Rewriting Criterion, we sort pairs according to the "ratios" of pairs, which were first introduced in (Roune and Stillman, 2012).

Algorithm 4: SymbolicProcess
Input: JP, a set of J-pairs; G, a set of pairs.
Output: P, whose elements have the form (x^α e_i, f).
 1  begin
 2    P ← ∅
 3    for each t(x^α e_i, f) in JP do
 4      P ← P ∪ {(t x^α e_i, t f)}
 5    Done ← {lm(h) | (x^γ e_k, h) ∈ P}
 6    while M(P) ≠ Done do
 7      m ← an element of M(P) \ Done
 8      Done ← Done ∪ {m}
 9      if ∃ (x^β e_j, g) ∈ G s.t. (1) lm(g) | m, and (2) t(x^β e_j, g) is not rejected by the Syzygy and Rewriting Criteria, where t = m/lm(g), then
10        P ← P ∪ {t(x^β e_j, g)}
11    Sort P in increasing order of signatures, and if there are several pairs having the same signature, retain only one of them.
12    return P

Unlike eliminations in F4, eliminations in signature-based algorithms can only be done from one side. That is, each row of the matrix has a signature, and rows with higher signatures can only be reduced by rows with lower signatures. Naive Gaussian elimination can control the direction of elimination easily. But to use the efficient divide-and-conquer strategy as well as the efficient implementation of matrix multiplication in the library M4RI (Albrecht and Bard, 2013), we allow eliminations to swap rows in a special manner. This strategy is a bit similar to the ideas in (Dumas et al., 2013).

Let A be a matrix with entries in F. Assume A has the following form, with each row labelled by its signature:

  S_1:  ∗ ∗ ··· ∗
  S_2:  ∗ ∗ ··· ∗
  S_3:  ∗ ∗ ··· ∗
  S_4:  ∗ ∗ ··· ∗
  S_5:  ∗ ∗ ··· ∗
  S_6:  ∗ ∗ ··· ∗

where "∗" may be 1 or 0, S_i is the signature of each row, and we assume S_1 ≺_s S_2 ≺_s ··· ≺_s S_6. To reduce A to row-echelon form, we first find the pivot entry in the first column. We must search for the pivot entry from top to bottom (i.e. from lower signatures to higher signatures). Suppose we find that the entry at row 5 and column 1 is a pivot. If we use the general method of elimination, we need to swap row 1 and row 5 directly, and clear the entries in column 1 by the row with signature S_5. Next, when doing elimination in the second column, a row below the first is selected as the pivot row and needs to eliminate the other rows, including the row with signature S_1 that now sits at row 5.
However, thiswill leads to errors in signature-based algorithms, because the row with signature S has asmaller signature than S and cannot be eliminated by the row with signature S . So wecannot swap row 1 and row 5 directly.So to make further eliminations correct, we swap row 1 and row 5 in a special manner.First, we pick up the row 5 with signature S . Second, we move rows 4, 3, 2, and 1 to rows5, 4, 3, and 2 respectively. At last, we put the row with signature S at row 1. After thisswap, matrix A becomes the following form. S S S S S S ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ . Next, we use the row with S to clear all entries at column 1 below this row, and thencolumn 1 is done. For column 2, we find pivots from rows with S , ..., S and S , and repeatthe above processes. Elimination terminates when the matrix becomes an upper triangularform.This swap makes eliminations correct in signature-based algorithm for the followingreasons. On one hand, since pivot rows (e.g. row of S ) are finding from low signatures tohigh signatures, rows with smaller signature (e.g. rows of S , . . . , S ) cannot be reduced bypivot rows (e.g. row of S ). On the other hand, after swaps, rows below pivot rows (e.g.rows of S , . . . , S and S ) are still in an increasing order on signatures.Using this special swap, the echelon form of A is in an upper triangular form, suchthat divide-and-conquer methods of PLE decomposition (Albrecht and Pernet, 2011) canbe used, and hence, the eliminations can be speeded up significantly.In our implementation, we modify many subroutines of mzd ple () in M4RI library touse this swap. The new function with the special swap is called gvw ple (). We compare theefficiency of mzd ple () and gvw ple () in the next section. The results show both functionsalmost have the same efficiency.
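As an added illustration (not code from the paper or from M4RI), the following Python performs Gaussian elimination over GF(2) with the rotating swap just described and contrasts it with a plain row swap; integer ranks stand in for the signatures S_1 ≺_s ··· ≺_s S_6, rows are assumed to arrive in increasing signature order, and the constructed 6 × 5 matrix puts the first pivot at row 5 as in the text.

```python
# Added example, not from the paper or M4RI: Gaussian elimination over GF(2)
# that respects row signatures, using the rotating swap versus a plain swap.
# Rows are 0/1 lists in increasing signature order; integer ranks stand in for
# S_1 ≺_s ... ≺_s S_6. A row may only be reduced by a row of smaller signature.

def _echelon(rows, sigs, rotate):
    rows, sigs = [r[:] for r in rows], list(sigs)
    illegal = []   # (reducer_sig, reduced_sig) pairs where reducer > reduced
    top = 0        # index of the first row not yet fixed as a pivot row
    for col in range(len(rows[0])):
        # pivot search from top to bottom, i.e. from low to high signature
        piv = next((i for i in range(top, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        if rotate:
            # lift the pivot row to `top` and shift rows top..piv-1 down by
            # one, so the rows below the pivot keep increasing signatures
            rows[top:piv + 1] = [rows[piv]] + rows[top:piv]
            sigs[top:piv + 1] = [sigs[piv]] + sigs[top:piv]
        else:   # plain swap, as a generic elimination routine would do
            rows[top], rows[piv] = rows[piv], rows[top]
            sigs[top], sigs[piv] = sigs[piv], sigs[top]
        for i in range(top + 1, len(rows)):
            if rows[i][col]:
                if sigs[top] > sigs[i]:
                    illegal.append((sigs[top], sigs[i]))
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[top])]
        top += 1
    return rows, sigs, illegal

def rotating_echelon(rows, sigs):
    return _echelon(rows, sigs, rotate=True)

def plain_echelon(rows, sigs):
    return _echelon(rows, sigs, rotate=False)

def pivot_columns(rows):
    """Leading-1 column of each nonzero row; strictly increasing in echelon form."""
    return [r.index(1) for r in rows if any(r)]

# Constructed 6x5 matrix: rows S_1..S_4 are zero in column 1, so the first
# pivot is found at row 5 (signature S_5), the situation described above.
A = [[0, 1, 1, 0, 1], [0, 1, 0, 1, 0], [0, 0, 1, 1, 0],
     [0, 1, 1, 1, 1], [1, 0, 1, 0, 1], [1, 1, 0, 1, 0]]
SIGS = [1, 2, 3, 4, 5, 6]

if __name__ == "__main__":
    print("rotating:", rotating_echelon(A, SIGS)[1:])   # order, no violations
    print("plain:", plain_echelon(A, SIGS)[2])          # reductions by larger sig
```

With the rotating swap every reduction uses a row of smaller signature and the result is in echelon form; the plain swap reduces the S_1 row by rows of signature S_2 and S_3, which a signature-based algorithm must never do.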
4. Timings
M-GVW over boolean polynomial rings has been implemented in C++, using the library M4RI (version 20130416) (Albrecht and Bard, 2013). The code will be made available soon.

In Table 1, we test the efficiency of the function gvw_ple(), which is modified from mzd_ple() by using the new swap method. Examples with density ≈ 50% are generated randomly by routines from M4RI. Since the densities of matrices in Gröbner basis computations are usually very small, we also generate some randomized matrices with density ≈ ….

Size (rows × cols)   mzd_ple(), density ≈ 50%   gvw_ple(), density ≈ 50%   mzd_ple(), density ≈ …   gvw_ple(), density ≈ …
… × …,000              0.378                      0.382                      0.345                    0.354
10,… × …,000           1.342                      1.301                      1.268                    1.262
30,… × …,000           1.432                      1.443                      1.403                    1.418
30,… × …,000           7.661                      7.655                      7.604                    7.577
30,… × …,000          18.684                     18.671                     18.651                   18.634
60,… × …,000          19.396                     19.296                     19.282                   19.298
60,… × …,000          58.373                     58.636                     54.509                   54.263
60,… × …,000         123.321                    123.298                    119.479                  122.523
100,… × …,000        119.991                    118.388                    108.565                  108.501
100,… × …,000        266.817                    267.191                    237.401                  237.560
150,… × …,000        817.682                    817.750                    700.032                  700.781

Table 1: mzd_ple() vs gvw_ple()
From the above table, we can see that the functions mzd_ple() and gvw_ple() have almost the same efficiency. So the new swapping method presented in the last section does not slow down the elimination.

In Table 2, we compare our implementations of the algorithms GVW and M-GVW. The size of the maximal matrix generated during the computation and the timings are given in detail, and the numbers of mutant pairs are also listed. In both implementations, the ordering of signatures is the position-over-term extension of the Graded Reverse Lexicographic ordering. In M-GVW, the parameter Deg-Limit is set to 4. In the column Exam., n × n means that the input polynomial system has n polynomials in n variables. These square polynomial systems were generated by Courtois in (Courtois, 2013). The remaining three HFE systems are from (Steel, 2004). The computer we used is a MacBook Pro with a 2.6 GHz Intel Core i7 and 16 GB memory.

Exam.                  GVW: max mat. (deg)   GVW: time (sec)   M-GVW: max mat. (deg)   M-GVW: time (sec)   mutant pairs
16 × 16                9378 × …              …                 …                       …                   …
17 × 17                12012 × …             …                 …                       …                   …
18 × 18                15240 × …             …                 …                       …                   …
19 × 19                19043 × …             …                 …                       …                   …
20 × 20                23478 × …             …                 …                       …                   …
21 × 21                28718 × …             …                 …                       …                   …
22 × 22                34777 × …             …                 …                       …                   …
HFE systems (3 rows)   …                     > … h             …                       …                   …

Table 2: GVW vs M-GVW
From this table, we can see that the maximal size of the matrix generated during the computations is exactly the same for Courtois' examples except 21 × 21, and the corresponding computing times are also almost the same. This is because no mutant polynomials with degree lower than 4 are found for these examples. It is a little surprising that we find 924 mutant pairs with degree smaller than 4 in the example 21 × 21. For the HFE examples, M-GVW performs much better than GVW because many mutant polynomials are found in M-GVW, and the maximal size of the matrix in M-GVW becomes much smaller than that in GVW, so M-GVW costs less computing time.

We also tested the same examples as in Table 2 with M-GVW and some intrinsic implementations in public software, including the Gröbner basis functions of Maple (version 17, setting “method = fgb”), Singular (version 3-1-6), and Magma (version 2.12-16) (1), and the computing times in seconds are listed in Table 3.

Exam.      Maple     Singular    Magma    M-GVW
16 × 16      4.088      5.210    0.484    0.543
17 × 17      9.891     12.886    0.874    0.895
18 × 18     22.340     31.590    1.513    1.588
19 × 19     48.314     84.771    2.792    2.728
20 × 20    107.064    265.325    5.226    4.664
21 × 21    218.479    724.886   10.468    8.226
22 × 22    839.067    (the remaining cells of this row and of the three HFE rows survive only as “> h”, “> h”, “> h”, “> h”, “out mem.” and 57.988)

Table 3: Maple, Singular and Magma vs M-GVW

(1) Magma 2.12-16 is an old version, and we are trying to buy the latest one.
5. Conclusions
In this paper, we present M-GVW to avoid the criteria rejecting J-pairs with lower degrees. M-GVW is exactly the same as GVW when the input systems are homogeneous, but has better performance when the input systems are inhomogeneous. Due to the efficient routines from M4RI, we also give an efficient implementation of M-GVW using linear algebra over boolean polynomial rings. We think our implementation can be optimized further, and we will try to use sparse linear algebra to improve the performance of M-GVW in the future.
References
M. Albrecht and J. Perry. F4/5. Preprint, arXiv:1006.4933v2 [math.AC], 2010.
M. Albrecht and C. Pernet. Efficient decomposition of dense matrices over GF(2). Preprint, arXiv:1006.1744, 2011.
M. Albrecht and G. Bard. The M4RI library, version 20130416, 2013. http://m4ri.sagemath.org
A. Arri and J. Perry. The F5 criterion revised. J. Symb. Comput., vol. 46, 1017-1029, 2011.
B. Buchberger. Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, 1965.
B. Buchberger. A criterion for detecting unnecessary reductions in the construction of Gröbner bases. In Proc. EUROSAM'79, Lect. Notes in Comp. Sci., vol. 72, Springer, Berlin, 3-21, 1979.
N. Courtois, A. Klimov, J. Patarin, and A. Shamir. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In Proc. EUROCRYPT'00, Lect. Notes in Comp. Sci., vol. 1807, Springer, Berlin, 392-407, 2000.
N. Courtois. Benchmarking algebraic, logical and constraint solvers and study of selected hard problems, 2013.
D. Cox, J. Little, and D. O'Shea. Ideals, Varieties and Algorithms. Springer, New York, third edition, 2006.
J. Ding, J. Buchmann, M.S.E. Mohamed, W.S.A.E. Mohamed, and R.-P. Weinmann. MutantXL. In Proc. of the 1st International Conference on Symbolic Computation and Cryptography (SCC08), Beijing, China, 16-22, 2008.
J.-G. Dumas, C. Pernet, and Z. Sultan. Simultaneous computation of the row and column rank profiles. In Proc. ISSAC'13, ACM Press, New York, USA, 2013.
C. Eder and J. Perry. F5C: a variant of Faugère's F5 algorithm with reduced Gröbner bases. J. Symb. Comput., vol. 45(12), 1442-1458, 2010.
C. Eder. An analysis of inhomogeneous signature-based Gröbner basis computations. J. Symb. Comput., vol. 59, 21-35, 2013.
C. Eder and B.H. Roune. Signature rewriting in Gröbner basis computation. In Proc. ISSAC'13, ACM Press, New York, USA, 331-338, 2013.
J.-C. Faugère. A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra, vol. 139(1-3), 61-88, 1999.
J.-C. Faugère. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In Proc. ISSAC'02, ACM Press, New York, USA, 75-82, 2002.
J.-C. Faugère and A. Joux. Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner bases. In Proc. CRYPTO'03, Lect. Notes in Comp. Sci., vol. 2729, Springer, Berlin/Heidelberg, 44-60, 2003.
J.-C. Faugère and S. Rahmany. Solving systems of polynomial equations with symmetries using SAGBI-Gröbner bases. In Proc. ISSAC'09, ACM Press, New York, USA, 151-158, 2009.
J.-C. Faugère and S. Lachartre. Parallel Gaussian elimination for Gröbner bases computations in finite fields. In Proc. PASCO'10, ACM Press, 89-97, 2010.
S.H. Gao, Y.H. Guan, and F. Volny. A new incremental algorithm for computing Gröbner bases. In Proc. ISSAC'10, ACM Press, New York, USA, 13-19, 2010.
S.H. Gao, F. Volny, and M.S. Wang. A new algorithm for computing Gröbner bases. Cryptology ePrint Archive, Report 2010/641, 2010. Latest version July 2013.
A. Hashemi and G. Ars. Extended F5 criteria. J. Symb. Comput., vol. 45(12), 1330-1340, 2010.
D. Lazard. Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations. In Proc. EUROCAL'83, Lect. Notes in Comp. Sci., vol. 162, Springer, Berlin, 146-156, 1983.
B.H. Roune and M. Stillman. Practical Gröbner basis computation. In Proc. ISSAC'12, ACM Press, 2012.
A. Steel. Allan Steel's Gröbner basis timings page, 2004. http://magma.maths.usyd.edu.au/~allan/gb/
Y. Sun and D.K. Wang. The implementation and complexity analysis of the branch Gröbner bases algorithm over Boolean ring. In Proc. ASCM 2009, 191-200, 2009.
Y. Sun and D.K. Wang. A generalized criterion for signature related Gröbner basis algorithms. In Proc. ISSAC'11, ACM Press, 337-344, 2011.
Y. Sun, D.K. Wang, D.X. Ma, and Y. Zhang. A signature-based algorithm for computing Gröbner bases in solvable polynomial algebras. In Proc. ISSAC'12, ACM Press, 351-358, 2012.
Y. Sun and D.K. Wang. A new proof for the correctness of the F5 algorithm. Sci. China Math., vol. 56(4), 745-756, 2013.
Y. Sun, D.D. Lin, and D.K. Wang. On implementing the symbolic preprocessing function over Boolean polynomial rings in Gröbner basis algorithms using linear algebra. Preprint, 2014.