Elimination-based certificates for triangular equivalence and rank profiles
Jean-Guillaume Dumas, Erich Kaltofen, David Lucas, Clément Pernet
Jean-Guillaume Dumas
Univ. Grenoble Alpes, CNRS, Grenoble INP, LJK, 38000 Grenoble, France
Erich Kaltofen
North Carolina State University, Department of Mathematics, Raleigh, North Carolina 27695-8205, USA
David Lucas
Univ. Grenoble Alpes, CNRS, Grenoble INP, LJK, 38000 Grenoble, France
Clément Pernet
Univ. Grenoble Alpes, CNRS, Grenoble INP, LJK, 38000 Grenoble, France

Abstract
In this paper, we give novel certificates for triangular equivalence and rank profiles. These certificates enable somebody to verify the row or column rank profiles or the whole rank profile matrix faster than recomputing them, with a negligible overall overhead. We first provide quadratic time and space non-interactive certificates saving the logarithmic factors of previously known ones. Then we propose interactive certificates for the same problems whose Monte Carlo verification complexity requires a small constant number of matrix-vector multiplications, a linear space, and a linear number of extra field operations, with a linear number of interactions. As an application we also give an interactive protocol, certifying the determinant or the signature of dense matrices, faster for the Prover than the best previously known one. Finally we give linear space and constant round certificates for the row or column rank profiles.

This work is partly funded by the OpenDreamKit Horizon 2020 European Research Infrastructures project (
Institute of Engineering Univ. Grenoble Alpes
Preprint submitted to Elsevier September 13, 2019

Contents
1 Introduction
2 Non interactive and quadratic communication certificates

1. Introduction

Within the setting of verifiable computing, we propose in this paper interactive certificates with the taxonomy of [3]. Indeed, we consider a protocol where a Prover performs a computation and provides additional data structures or exchanges with a Verifier who will use these to check the validity of the result, faster than by just recomputing it. More precisely, in an interactive certificate, the Prover submits a Commitment, that is some result of a computation; the Verifier answers by a Challenge, usually some uniformly sampled random values; the Prover then answers with a Response, that the Verifier can use to convince himself of the validity of the commitment. Several rounds of challenge/response might be necessary for the Verifier to be fully convinced.

By Prover (resp. Verifier) time, we thus mean bounds on the number of arithmetic operations performed by the Prover (resp. Verifier) during the protocol, while by extra space, we mean bounds on the volume of data being exchanged, not counting the size of the input and output of the computation.

Such protocols are said to be complete if the probability that a true statement is rejected by the Verifier can be made arbitrarily small; and sound if the probability that a false statement is accepted by the Verifier can be made arbitrarily small. In practice it is sufficient that those probabilities are < 1, as the protocols can always be run several times. Some certificates will also be perfectly complete, that is a true statement is never rejected by the Verifier. All these certificates can be simulated non-interactively by the Fiat-Shamir heuristic [10]: publicly and uniformly sampled random values produced by the Verifier are replaced by cryptographic hashes of the input and of previous messages in the protocol. Complexities are preserved.

Our protocols follow the proof-of-work protocols of [12, 13] in that they verify that the Prover has performed some LU matrix factorization. However, they do so by verifying the factorization and the triangularity of the factors, which remain stored on the Prover side and are not communicated to the Verifier, rather than verifying the entire circuit that computes those factors by Lund-Fortnow-Karloff-Nisan polylog-compressive sumcheck protocols. In [6] we have applied [13] to matrices of exponential dimensions where the entries are computed from their indices by efficient circuits. Our version of the GKR proof-of-work protocol has a Verifier complexity that is, within a polylog factor, the depth of a parallel circuit whose local structure can be computed in polylog time, plus one linear scan of the input. The Prover complexity is within a polylog factor of the size of the circuit. The protocols here avoid those polylog factors.

It is possible to reduce the communication complexity in [13] to a constant number of rounds when the space complexity is bounded [21], but it is not apparent to us how to asymptotically preserve the Prover's time complexity then (it remains polynomial-time).

We will consider an m × n matrix A of rank r over a field F. The row rank profile of A is the lexicographically minimal sequence of r indices of independent rows of A. Matrix A has generic row rank profile if its row rank profile is (1, . . . , r). The column rank profile is defined similarly on the columns of A.
Matrix A has generic rank profile if its r first leading principal minors are nonzero. The rank profile matrix of A, denoted by R_A, is the unique m × n { , }-matrix with r nonzero entries, of which every leading sub-matrix has the same rank as the corresponding sub-matrix of A. It is possible to compute R_A with a deterministic algorithm in O(mnr ω − ) or with a Monte-Carlo probabilistic algorithm in (r^ω + m + n + µ(A)) o(1) field operations [8], where µ(A) is the worst case arithmetic cost to multiply A by a vector.

We first propose quadratic, space and verification time, non-interactive practical certificates for the row or column rank profile and for the rank profile matrix that are rank-sensitive. Previously known certificates have additional logarithmic factors to the quadratic complexities: replacing matrix multiplications by quadratic verifications in recursive algorithms yields at least one log(n) factor [15], graph-based approaches cumulate this and other logarithmic factors, at least from a compression by magical graphs and from a dichotomic search [24].

We then propose two linear space interactive certificates. The first certificate is used to prove that two non-singular matrices are triangular equivalent (i.e. there is a triangular change of basis from one to the other). The second certificate is used to prove that a matrix has a generic rank profile. These two certificates are then applied to certify the row or column rank profile, the P (permutation) and D (diagonal) factors of a LDUP factorization, the determinant and the rank profile matrix. These certificates require, for the Verifier, between 1 and 4 applications of A to a vector and a linear number of field operations.
They are still elimination-based for the Prover, but do not require to communicate the obtained triangular decomposition.

An interesting setting would be for instance the case when the matrix A is sparse. Blackbox methods could then be used, when elimination-based methods would suffer from some fill-in. Quite often though, elimination-based methods are then more limited by the available memory than by the number of computations. A Verifier could then outsource its computations to a server, for which fill-in would not be an issue, and use only still sparse matrix-vector multiplications to verify the result.

For instance, for the Determinant, our new certificates require the computation of a PLUQ decomposition for the Prover, linear communication and Verifier time, with no restriction on the field size. The previously best known certificate for the determinant required instead some characteristic polynomial (CharPoly) computations.

With respect to [7] we propose a complete analysis of the rank profile matrix certificate 11 only sketched there; an application to computing the signature of a symmetric integral matrix; and a whole set of new certificates: for triangular equivalence, row and column rank profile, we are now able to propose protocols that preserve Prover and Verifier efficiency, while reducing the number of rounds from linear to constant. The constant round complexity is an important additional bonus in the delegation scenario, where network latency can make communication rounds more expensive. Note that the probabilistic analysis of [7, Theorem 4] omitted to account for several possibilities of failure, which is corrected here yielding a smaller probability of detecting a dishonest Prover.

We identify the symmetric group with the group of permutation matrices, and write P ∈ S_n to denote that a matrix P is a permutation matrix.
There, P[i] is the row index of the nonzero element of its i-th column; D_n(F) is the group of invertible diagonal matrices over the field F; D^(2)_n(F) represents block diagonal matrices with diagonal or anti-diagonal blocks of size 1 or 2. For two subsets of row indices I and of column indices J, A_{I,J} denotes the submatrix extracted from A in these rows and columns. The set of prime numbers will be denoted by P. Lastly, x ←[u.i.d.] S denotes that x is uniformly independently randomly sampled from S. In what follows, while computing the communication space, we consider that field elements and indices have the same size.
2. Non interactive and quadratic communication certificates
In this section, we propose two certificates, first for the column (resp. row) rank profile, and, second, for the rank profile matrix. While the certificates have a quadratic space communication complexity, they have the advantage of being non-interactive.
In this paper, we will use Freivalds' certificate [11] to verify matrix multiplication. Considering three matrices A, B and C in F^{n×n}, such that A × B = C, a straightforward way of verifying the equality would be to perform the multiplication A × B and to compare its result coefficient by coefficient with C. While this method is deterministic, it has a time complexity of O(n^ω), which is the matrix multiplication complexity. As such, it cannot be a certificate, as there is no complexity difference between the computation and the verification.

    Prover                                      Verifier
                      A, B ∈ F^{n×n}
    C = AB            -------- C -------->      Choose S ⊂ F
                                                v ←[u.i.d.] S^n
                                                A(Bv) − Cv ?= 0
    Protocol 1: Freivalds' certificate for matrix product

Freivalds' certificate proposes a probabilistic method to check this product in a time complexity of µ(A) + µ(B) + µ(C) using matrix/vector multiplication, as detailed in Protocol 1.

We now propose a certificate for the column rank profile.

    Prover                                      Verifier
                      A ∈ F^{m×n}
    a PLUQ decomposition of A
    s.t. UQ is in row echelon form
                      ---- P, L, U, Q --->      UQ row echelonized?
                                                A ?= PLUQ, by Protocol 1
                                                Extract Q[1], . . . , Q[r]
    Protocol 2: Column rank profile, non-interactive

Lemma 1.
Let A = PLUQ be the PLUQ decomposition of an m × n matrix A of rank r. If UQ is in row echelon form then (Q[1], . . . , Q[r]) is the column rank profile of A.

Proof. Write A = P [ L L ] [ U U ] Q, where L and U are r × r lower and upper triangular respectively. If UQ is in echelon form, then R = [ I_r U − U ( m − r ) × n ] is in reduced echelon form. Now [ U − I_{m−r} ] [ L L I_{m−r} ] − P^T A = [ U − U Q ( m − r ) × n ] = R is left equivalent to A and is therefore the echelon form of A. Hence the sequence of column positions of the pivots in R, that is (Q[1], . . . , Q[r]), is the column rank profile of A.

Lemma 1 provides a criterion to verify a column rank profile from a PLUQ decomposition. Such decompositions can be computed in practice by several variants of Gaussian elimination, with no arithmetic overhead, as shown in [14] or [8, §

Theorem 1.
Let A ∈ F^{m×n} with r = rank(A). Certificate 2, verifying the column rank profile of A is sound, perfectly complete, with a communication bounded by O(r(m + n)), a Prover computation cost bounded by O(mnr ω − ) and a Verifier computation cost bounded by O(r(m + n)) + µ(A).

Proof. If the Prover is honest, then, UQ will be in row echelon form and A = PLUQ, thus, by Lemma 1, the Verifier will be able to read the column rank profile of A from Q. If the Prover is dishonest, either A ≠ PLUQ, which will be caught by the Prover with probability p ≥ − | S | using Freivalds' certificate [11] or UQ is not in row echelon form, which will be caught every time by the Verifier.

The Prover sends P, L, U and Q to the Verifier, hence the communication cost of O(r(m + n)), as P and Q are permutation matrices and L, U, are respectively m × r and r × n matrices, with r = rank(A). Using algorithms provided in [14], one can compute the expected PLUQ decomposition in O(mnr ω − ). The Verifier has to check if A = PLUQ, and if UQ is in row echelon form, which can be done in O(r(m + n)).

Note that this holds for the row rank profile of A: in that case, the Verifier has to check if PL is in column echelon form.
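
The Verifier's side of Certificate 2, with its A ?= PLUQ step done by the Freivalds check of Protocol 1, as an added Python example (not code from the paper). The field F_7, the matrices, the function names and the explicit shape checks on P, Q and L are assumptions of this example; indices are 0-based and permutations are stored as dense 0/1 matrices for readability.

```python
from itertools import product

P_MOD = 7  # constructed example field F_7; challenges are drawn from S = F_7

def matvec(M, v, p=P_MOD):
    """Matrix-vector product over F_p."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]

def matmul(A, B, p=P_MOD):
    """Dense product over F_p (used on the small example only)."""
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % p for col in cols] for row in A]

def is_permutation(M):
    """Exactly one 1 per row and per column, zeros elsewhere."""
    n = len(M)
    rows_ok = all(len(r) == n and sorted(r) == [0] * (n - 1) + [1] for r in M)
    return rows_ok and all(sum(col) == 1 for col in zip(*M))

def is_lower_trapezoidal(L, p=P_MOD):
    """m x r, zeros above the diagonal, nonzero diagonal (full column rank)."""
    m, r = len(L), len(L[0])
    return (m >= r and all(L[i][i] % p != 0 for i in range(r))
            and all(L[i][j] % p == 0 for i in range(m) for j in range(i + 1, r)))

def pivot_columns(E, p=P_MOD):
    """Pivot columns of E if it is in row echelon form with no zero row, else None."""
    pivots = []
    for row in E:
        nonzero = [j for j, a in enumerate(row) if a % p]
        if not nonzero or (pivots and nonzero[0] <= pivots[-1]):
            return None
        pivots.append(nonzero[0])
    return pivots

def freivalds_pluq(A, P, L, U, Q, v, p=P_MOD):
    """Protocol 1 applied to A ?= P*L*U*Q: four matrix-vector products, no matrix product."""
    rhs = matvec(P, matvec(L, matvec(U, matvec(Q, v, p), p), p), p)
    return matvec(A, v, p) == rhs

def verify_column_rank_profile(A, P, L, U, Q, v, p=P_MOD):
    """Verifier of Certificate 2 for challenge v: the profile, or None if rejected."""
    # Shape checks that the protocol figure leaves implicit (assumption of this example).
    if not (is_permutation(P) and is_permutation(Q) and is_lower_trapezoidal(L, p)):
        return None
    # Q is a permutation, so U*Q is only a column shuffle of U.
    profile = pivot_columns(matmul(U, Q, p), p)
    if profile is None:
        return None
    return profile if freivalds_pluq(A, P, L, U, Q, v, p) else None

# Constructed input: column 1 of A is twice column 0, so rank 2 and profile [0, 2].
A = [[1, 2, 0], [2, 4, 1], [3, 6, 1]]
I3 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
HONEST = (I3, [[1, 0], [2, 1], [3, 1]], [[1, 0, 2], [0, 1, 0]],
          [[1, 0, 0], [0, 0, 1], [0, 1, 0]])      # U*Q = [[1,2,0],[0,0,1]]
# Claims profile [0, 1]: U*Q is in echelon form but P*L*U*Q != A.
CHEAT = (I3, [[1, 0], [2, 1], [3, 1]], [[1, 2, 0], [0, 1, 0]], I3)
# The product equals A, but U*Q = [[1,2,0],[1,2,1]] is not in echelon form.
NOT_ECHELON = (I3, [[1, 0], [1, 1], [2, 1]], [[1, 2, 0], [1, 2, 1]], I3)

def accepted_challenges(cert, p=P_MOD):
    """Number of challenge vectors v in F_p^n for which the Verifier accepts cert."""
    n = len(A[0])
    return sum(verify_column_rank_profile(A, *cert, list(v), p) is not None
               for v in product(range(p), repeat=n))

if __name__ == "__main__":
    for name, cert in [("honest", HONEST), ("cheat", CHEAT), ("not echelon", NOT_ECHELON)]:
        print(name, accepted_challenges(cert), "of", P_MOD ** 3, "challenges accepted")
```

The wrong factorization survives exactly the challenges with v[1] = v[2], a fraction 1/|S| of them, while the non-echelon one is rejected whatever v is.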
Lemma 2.
A decomposition A = PLUQ reveals the rank profile matrix, namely R_A = P [ I_r ] Q, if and only if P [ L ] P^T is lower triangular and Q^T [ U ] Q is upper triangular.

Proof. The only if case is proven in [8, Th. 21]. Now suppose that P [ L m×(m−r) ] P^T is lower triangular. Then we must also have that L = P [ L I_{m−r} ] P^T is lower triangular and non-singular. Similarly suppose that Q^T [ U ] Q is upper triangular so that U = Q^T [ U I_{n−r} ] Q is non-singular upper triangular. We have A = L P [ I_r ] Q U. Hence the rank of any (i, j) leading submatrix of A is that of the (i, j) leading submatrix of P [ I_r ] Q, thus proving that R_A = P [ I_r ] Q.

We use this characterization to verify the computation of the rank profile matrix in the following protocol: Once the Verifier receives P, L, U and Q, he has to check that A = PLUQ, using Freivalds' certificate [11], and check that L is echelonized by P and U^T by Q^T. If successful, the Verifier can just compute the rank profile matrix of A from P and Q, as shown in Protocol 3.

    Prover                                      Verifier
                      A ∈ F^{m×n}
    a PLUQ decomp. of A
    revealing R_A
                      ---- P, L, U, Q --->      1. A ?= PLUQ by Protocol 1
                                                2. Is PLP^T lower triangular?
                                                3. Is Q^T U Q upper triangular?
                                                Extract R_A = P [ I_r (m−r)×(n−r) ] Q
    Protocol 3: Rank profile matrix, non-interactive
Theorem 2.
Certificate 3 verifies the rank profile matrix of A, it is sound and perfectly complete, with a communication cost bounded by O(r(m + n)), a Prover computation cost bounded by O(mnr ω − ) and a Verifier computation cost bounded by O(r(m + n)) + µ(A).

Proof. If the Prover is honest, then, the provided PLUQ decomposition is indeed a factorization of A, which means Freivalds' certificate will pass. It also means this PLUQ decomposition reveals the rank profile matrix. According to Lemma 2, PLP^T will be lower triangular and Q^T U Q upper triangular. Hence the verification will succeed and R_A = P [ I_r (m−r)×(n−r) ] Q is indeed the rank profile matrix of A. If the Prover is dishonest, either A ≠ PLUQ, which will be caught with probability p ≥ − | S | by Freivalds' certificate or the PLUQ decomposition does not reveal the rank profile matrix of A. In that case, Lemma 2 implies that either P [ L ] P^T is not lower triangular or P [ U ] Q is not upper triangular which will be detected.

The Prover sends P, L, U and Q to the Verifier, hence the communication cost of O(r(m + n)). A rank profile matrix revealing PLUQ decomposition can be computed in O(mnr ω − ) operations [4]. The Verifier has to check if A = PLUQ, which can be achieved in O(r(m + n)) + µ(A) field operations.
3. Linear communication certificate toolbox
Two matrices A, B ∈ F^{m×n} are right (resp. left) equivalent if there exists an invertible n × n matrix T such that AT = B (resp. TA = B). If in addition T is a lower triangular matrix, we say that A and B are lower triangular right (resp. left) equivalent. The upper triangular right (resp. left) equivalence is defined similarly. We propose a certification protocol that two matrices are left or right triangular equivalent. Here, A and B are input, known by the Verifier and the Prover, and A is supposed to be regular (full rank). A simple certificate would be the matrix T itself, in which case the Verifier would check the product AT = B using Freivalds' certificate. This certificate is non-interactive and requires a quadratic number of communication. In what follows, we present a certificate which allows to verify the one sided triangular equivalence without communicating T, requiring only 2n communications. It is essentially a Freivalds' certificate with a constrained interaction pattern in the way the challenge vector and the response vector are communicated. This pattern imposes a triangular structure in the way the Prover's responses depend on the Verifier challenges.

    Prover                                          Verifier
              A, B ∈ F^{m×n}, A regular, m ≥ n
    T lower triangular matrix
    s.t. AT = B
                          1:   ---- T exists ---->
                               <------- x --------   x_i ←[u.i.d.] S ⊂ F
    y = T_{ ,∗} [ x ... ]      -------- y ------->
    ...                                              ...
                          n:   <------ x_n -------
    y_n = T_{n,∗} [ x ... x_n ]
                          n+1: ------- y_n ------>   y = [ y .. y_n ]^T
                                                     Ay ?= Bx
    Protocol 4: Lower triang. right equivalence of regular matrices
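
The interaction pattern of Protocol 4, as an added Python example (not code from the paper): each response is produced before the later challenges exist, so only the lower triangular part of T can contribute. The field F_7, the matrices, the names and the cheating strategy (guessing 0 for every challenge not yet revealed) are constructed for illustration.

```python
from itertools import product

P_MOD = 7  # constructed example field F_7; challenges are drawn from S = F_7

def matvec(M, v, p=P_MOD):
    """Matrix-vector product over F_p."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]

def matmul(A, B, p=P_MOD):
    """Dense product over F_p (used to build the small example only)."""
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % p for col in cols] for row in A]

class StreamingProver:
    """Returns y_i from row i of its matrix T as soon as x_i arrives.

    At round i only the challenges up to x_i are known, so only T[i][0..i] can
    be used. For a lower triangular T this is exactly (T x)_i. Entries above the
    diagonal would need challenges that are not revealed yet; this prover
    guesses 0 for them (one possible cheating strategy, an assumption here).
    """
    def __init__(self, T, p=P_MOD):
        self.T, self.p, self.seen = T, p, []

    def respond(self, x_i):
        self.seen.append(x_i)
        i = len(self.seen) - 1
        return sum(self.T[i][j] * self.seen[j] for j in range(i + 1)) % self.p

def run_protocol(A, B, T_prover, x, p=P_MOD):
    """One run with challenge vector x; True when the Verifier accepts."""
    prover = StreamingProver(T_prover, p)
    y = [prover.respond(x_i) for x_i in x]      # x_i out, y_i back, n times
    return matvec(A, y, p) == matvec(B, x, p)   # final check: A y ?= B x

def acceptance_count(A, B, T_prover, p=P_MOD):
    """Number of challenge vectors in F_p^n that lead to acceptance."""
    n = len(A[0])
    return sum(run_protocol(A, B, T_prover, list(x), p)
               for x in product(range(p), repeat=n))

# Constructed input over F_7.
A = [[1, 2], [3, 4], [5, 6]]     # regular (rank 2), m = 3 >= n = 2
T_LOWER = [[2, 0], [3, 1]]       # lower triangular
T_FULL = [[2, 5], [3, 1]]        # invertible, not lower triangular
B_GOOD = matmul(A, T_LOWER)      # lower triangular right equivalent to A
B_BAD = matmul(A, T_FULL)        # right equivalent to A, but not triangularly

if __name__ == "__main__":
    total = P_MOD ** 2
    print("honest:", acceptance_count(A, B_GOOD, T_LOWER), "of", total)
    print("cheat :", acceptance_count(A, B_BAD, T_FULL), "of", total)
```

Since A is regular, T_FULL is the only T with AT = B_BAD, and the cheating run is accepted only when the second challenge is 0, that is for 7 of the 49 challenge vectors (a fraction 1/|S|).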
Theorem 3.
Let A, B ∈ F^{m×n}, m ≥ n, and assume A is regular. Certificate 4 proves that there exists a lower triangular matrix T such that AT = B. This certificate is sound, with probability larger than − | S |, perfectly complete and occupies n communication space. The Prover complexity is O(mn ω − ) field operations and the Verifier computation cost is µ(A) + µ(B) field operations.

Proof. If the Prover is honest, then AT = B with T triangular and she just computes y = Tx, so that Ay = ATx = Bx. If the Prover is dishonest, then she must try to convince the Verifier even if the matrices are inequivalent. For the sake of the argument, replace the random values x , . . . , x_n by algebraically independent variables X , . . . , X_n. Then there are two cases, either AT ≠ B for any T or there exists at least one such matrix T but none of them are triangular.

In the former case, AT ≠ B, there is thus at least one inconsistent column in B, say the j-th. Then, there exists a Farkas' certificate of inconsistency for that column (a vector z such that z^T A = 0 and z^T B_{∗,j} ≠ z^T Ay = 0 for any y, but z^T B [X , . . . , X_n]^T is a not identically zero polynomial (at least the coefficient of X_j is nonzero) of degree 1. Therefore, by the DeMillo-Lipton/Schwartz/Zippel lemma [2, 25, 23], its evaluation will be zero with probability at most 1/|S|.

In the latter case, AT = B but T is not triangular. Since A is regular, there is thus a unique n × n matrix T (that is, T = A^− B, for any A^− left inverse of A) such that AT = B: indeed T = A^− AT = A^− B. For the same reason, the equality Ay = Bx = ATx implies y = Tx. If T is not lower triangular, there is a row-index i such that the entry t_{i,j_m} ≠ j_m > i. The test y = Tx only succeeds if y_i = Σ_{j=0}^{n} t_{i,j} x_j. Now the Prover selects y_i before x_{j_m} is revealed.
Therefore, with probability no more than 1/|S| the Verifier selects the field element x_{j_m} = 1/t_{i,j_m} ( y_i − Σ_{j ≠ j_m} t_{i,j} x_j ), and the test succeeds for false T.

This certificate requires to transmit x and y, which costs 2n in communication. The Verifier has to compute Ay and Bx, whose computational cost is µ(A) + µ(B). The Prover has to compute T, this can be done by a PLUQ elimination on A followed by a triangular system solve, both in O(mn ω − ). Then y = Tx requires only O(n ) operations.

Note that the case where T is upper triangular works similarly: the Verifier needs to transmit x in reverse order, starting by x_n.

The problem here is to verify whether a non-singular input matrix A ∈ F^{m×n} has generic rank profile (to test non-singularity, one can apply beforehand the linear communication certificate in [3, Fig. 2], see also Protocol 8 thereafter). A matrix A has generic rank profile if and only if it has an LU decomposition A = LU, with L non-singular lower triangular and U non-singular upper triangular. The protocol picks random vectors φ, ψ, λ and asks the Prover to provide the vectors z^T = λ^T L, x = Uφ, y = Uψ on the fly, while receiving the coefficients of the vectors φ, ψ, λ one at a time. These vectors satisfy the fundamental equations z^T x = λ^T Aφ and z^T y = λ^T Aψ that will be checked by the Verifier.

    Prover                                          Verifier
                    A ∈ F^{n×n} non-singular
    A = LU             ---- A has g.r.p. ---->
                         for i from n downto 1
    [x y] = U [φ ψ]    <----- φ_i, ψ_i -------       (φ_i, ψ_i) ←[u.i.d.] S ⊂ F
                       ------ x_i, y_i ------>
    z^T = λ^T L        <-------- λ_i ---------       λ_i ←[u.i.d.] S ⊂ F
                       --------- z_i -------->
                                                     z^T [x y] ?= (λ^T A) [φ ψ]
    Protocol 5: Generic rank profile with linear communication
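
Protocol 5 run end to end over a small prime field, as an added Python example (not code from the paper). It checks that an honest Prover is always accepted, that answers from a rescaled pair (LD, D^{-1}U) pass equally because the protocol does not fix the diagonals of the LU factors, and it counts how often one fixed fake pair of factors is accepted for a matrix without generic rank profile. The matrices, names, fields F_7 and F_5 and the fake factors are constructed for illustration.

```python
import random
from itertools import product

def lu_no_pivot(A, p):
    """LU over F_p without pivoting; None when a leading principal minor is zero,
    i.e. when A does not have generic rank profile."""
    n = len(A)
    L = [[int(i == j) for j in range(n)] for i in range(n)]
    U = [[a % p for a in row] for row in A]
    for k in range(n):
        if U[k][k] == 0:
            return None
        inv = pow(U[k][k], -1, p)
        for i in range(k + 1, n):
            f = U[i][k] * inv % p
            L[i][k] = f
            U[i] = [(a - f * b) % p for a, b in zip(U[i], U[k])]
    return L, U

class LUProver:
    """Streams x_i, y_i, z_i for i = n down to 1 from stored triangular factors."""
    def __init__(self, L, U, p):
        self.L, self.U, self.p, self.n = L, U, p, len(L)
        self.phi, self.psi, self.lam = [0] * self.n, [0] * self.n, [0] * self.n

    def answer_xy(self, i, phi_i, psi_i):
        # Row i of upper triangular U only needs the challenges with index >= i.
        self.phi[i], self.psi[i] = phi_i, psi_i
        row = self.U[i]
        x_i = sum(row[j] * self.phi[j] for j in range(i, self.n)) % self.p
        y_i = sum(row[j] * self.psi[j] for j in range(i, self.n)) % self.p
        return x_i, y_i

    def answer_z(self, i, lam_i):
        # Column i of lower triangular L only needs the challenges with index >= i.
        self.lam[i] = lam_i
        return sum(self.lam[k] * self.L[k][i] for k in range(i, self.n)) % self.p

def run_grp_protocol(A, prover, phi, psi, lam, p):
    """Verifier side for given challenge vectors; True when both checks pass."""
    n = len(A)
    x, y, z = [0] * n, [0] * n, [0] * n
    for i in reversed(range(n)):
        x[i], y[i] = prover.answer_xy(i, phi[i], psi[i])
        z[i] = prover.answer_z(i, lam[i])
    lam_a = [sum(lam[k] * A[k][j] for k in range(n)) % p for j in range(n)]
    dot = lambda u, v: sum(a * b for a, b in zip(u, v)) % p
    return dot(z, x) == dot(lam_a, phi) and dot(z, y) == dot(lam_a, psi)

def rescale(L, U, alpha, p):
    """(L*D, D^-1*U) for D = diag(alpha): another triangular pair with product A."""
    n = len(L)
    L2 = [[L[k][i] * alpha[i] % p for i in range(n)] for k in range(n)]
    U2 = [[pow(alpha[i], -1, p) * U[i][j] % p for j in range(n)] for i in range(n)]
    return L2, U2

def always_accepts(A, L, U, p, trials=200, seed=0):
    """Run the protocol on random challenges; True if every run is accepted."""
    rng = random.Random(seed)
    draw = lambda: [rng.randrange(p) for _ in A]
    return all(run_grp_protocol(A, LUProver(L, U, p), draw(), draw(), draw(), p)
               for _ in range(trials))

def cheat_acceptance_count(A, L_fake, U_fake, p):
    """Accepted challenge triples, over all of them, for a fixed fake pair."""
    n = len(A)
    return sum(run_grp_protocol(A, LUProver(L_fake, U_fake, p),
                                c[:n], c[n:2 * n], c[2 * n:], p)
               for c in product(range(p), repeat=3 * n))

# Constructed inputs.
A3 = [[2, 1, 3], [4, 5, 6], [1, 0, 4]]   # generic rank profile over F_7
L3, U3 = lu_no_pivot(A3, 7)
A_SWAP = [[0, 1], [1, 0]]                # non-singular, leading 1x1 minor is 0
FAKE_L, FAKE_U = [[1, 0], [0, 1]], [[0, 1], [0, 0]]   # not factors of A_SWAP

if __name__ == "__main__":
    print("honest accepted:", always_accepts(A3, L3, U3, 7))
    print("rescaled accepted:", always_accepts(A3, *rescale(L3, U3, [3, 5, 2], 7), 7))
    print("fake pair accepted:", cheat_acceptance_count(A_SWAP, FAKE_L, FAKE_U, 5), "of", 5 ** 6)
```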
Theorem 4.
Certificate 5 verifying that a non-singular matrix has generic rank profile is sound, with probability ≥ (1 − | S | )^n, perfectly complete, communicates n field elements, and can be computed in O(n^ω) field operations for the Prover and µ(A) + 8n field operations for the Verifier.

Proof of Theorem 4. The protocol is perfectly complete: if A = LU, then z^T [x y] = λ^T L U [φ ψ] = λ^T A [φ ψ], and the answer of any honest Prover will pass the Verifier test.

For any i such that the ( i − × ( i − 1) leading submatrix of A has generic rank profile, we can write a partial LU decomposition of A with the following notations:

    A = [ L^⟨i⟩                  ] [ U^⟨i⟩   V^⟨i⟩ ]
        [ B^⟨i⟩    I_{n−i+1}     ] [         C^⟨i⟩ ],      (1)
        \__________ B __________/  \______ C ______/

where L^⟨i⟩ ∈ F ( i − × ( i − is non-singular lower triangular, U^⟨i⟩ ∈ F ( i − × ( i − is non-singular upper triangular, B^⟨i⟩ ∈ F ( n − i +1) × ( i − , V^⟨i⟩ ∈ F ( i − × ( n − i +1) , C^⟨i⟩ ∈ F^{(n−i+1)×(n−i+1)}.

Let v_[i...n] = [v_i, . . . , v_n]^T ∈ F^{n−i+1} for a vector v ∈ F^n, and let

    η_i = (λ_[i...n])^T C^⟨i⟩ φ_[i...n],    ξ_i = (λ_[i...n])^T C^⟨i⟩ ψ_[i...n].      (2)

Consider the following predicate:

    H_i :  η_i = (z_[i...n])^T x_[i...n]  and  ξ_i = (z_[i...n])^T y_[i...n].      (3)

Note that H is what the Verifier checks because then B = I_n. Note also that when A is in generic rank profile with A = LU and z^T = λ^T L and x = Uφ and y = Uψ then H_i is true for all i. To see this consider an LU-factorization C^⟨i⟩ = L̄^⟨i⟩ Ū^⟨i⟩ and the identity

    A = [ L^⟨i⟩                ] [ U^⟨i⟩   V^⟨i⟩ ]   [ L^⟨i⟩           ] [ U^⟨i⟩   V^⟨i⟩ ]
        [ B^⟨i⟩    I_{n−i+1}   ] [         C^⟨i⟩ ] = [ B^⟨i⟩   L̄^⟨i⟩  ] [         Ū^⟨i⟩ ] = LU.      (4)

Then (z_[i...n])^T = (λ_[i...n])^T L̄^⟨i⟩ and x_[i...n] = Ū^⟨i⟩ φ_[i...n] and y_[i...n] = Ū^⟨i⟩ ψ_[i...n] verify H_i.
Note that the conditions are only tested by the Verifier for i = 1.

At stage i, let Λ_i, Φ_i and Ψ_i be variables for the random choices for λ_i, φ_i and ψ_i and Z_i be a variable for the Prover's choice of z_i. Then H_i in (3) expands as:

    x_i Z_i = ( d Φ_i + e ) Λ_i + a Φ_i + f,    with e = Σ_{j=i+1}^{n} C^⟨i⟩_{ ,j−i+1} φ_j,
    y_i Z_i = ( d Ψ_i + g ) Λ_i + a Ψ_i + h,    with g = Σ_{j=i+1}^{n} C^⟨i⟩_{ ,j−i+1} ψ_j,      (5)

where d = C^⟨i⟩_{ , } and a = Σ_{k=i+1}^{n} λ_k C^⟨i⟩_{k−i+1, }, or equivalently

    [ −(d Φ_i + e)   x_i ] [ Λ_i ]   [ a Φ_i + f ]
    [ −(d Ψ_i + g)   y_i ] [ Z_i ] = [ a Ψ_i + h ].      (6)

Suppose now that A is not in generic rank profile, and let i be minimal such that the leading i × i minor of A is equal to 0. On any corresponding partial LU decomposition this means that d = C^⟨i⟩_{ , } = 0. Furthermore, because A is assumed to be non-singular, there exist indices k with 2 ≤ k ≤ n − i + 1, and j with 2 ≤ j ≤ n − i + 1 such that C^⟨i⟩_{k, } ≠ C^⟨i⟩_{ ,j} ≠ H_i is false with probability ≥ (1 − / |S| ); 2. If H_{i+1} is false then H_i is false with probability ≥ (1 − / |S| ) for 1 ≤ i < i.

Informally, this means that the Prover cannot achieve H_i with any choice of returned values x , . . . , z_i, with high probability and then this failure propagates with high probability to H which is checked by the Verifier. By induction, this leads to a probability of ≥ (1 − / |S| )^{i − } that the Verifier check will fail when the matrix A is not in generic rank profile. Since A is non-singular, i ≤ n − 1, and therefore this probability is ≥ (1 − / |S| )^n.

First, we prove Statement 1, that is the case when d = 0. The Verifier selects a random λ_i, and then the Prover a z_i. If the coefficient matrix in (6) is non-singular, there is a unique solution for Λ_i, which the Verifier will choose with probability ≤ / |S|. Otherwise, the coefficient matrix is singular and the only way for the system to have a solution is that the determinant

    ∆ = | −e   a Φ_i + f |
        | −g   a Ψ_i + h |  =  −e (a Ψ_i + h) + g (a Φ_i + f)

is equal to 0, which exactly happens in the three following cases:
a. [ e g ] = [ ], which happens with probability ≤ / |S| as C^⟨i⟩_{ ,j} ≠ a = 0 (which happens with probability ≤ / |S| as C^⟨i⟩_{k, } ≠ 0) and | −e f ; −g h | = 0;
c. otherwise, ea ≠ ga ≠ i, Ψ_i and evaluates to 0 for the random choices φ_i, ψ_i with probability ≤ / |S|.

Overall, H_i is false with probability ≥ ( − |S| )( − |S| ) ≥ ( − |S| ) ≥ − |S| based on the random choices of the Verifier: φ_j, ψ_j yield [ e g ] ≠ [ ]; λ_k yields a ≠ φ_i, ψ_i yield ∆ ≠ λ_i avoids the unique solution to (6).

For Statement 2, consider the predicate H_i (3) at i < i, that is d ≠ 0. Similarly, if the coefficient matrix in (6) is non-singular, there is a unique solution for Λ_i, which the Verifier will choose with probability ≤ / |S|. Otherwise, the coefficient matrix is singular and the only way for the system to have a solution is that the following determinant is equal 0:

    0 = ∆ = | −(d Φ_i + e)   a Φ_i + f |
            | −(d Ψ_i + g)   a Ψ_i + h |  =  (df − ae) Ψ_i − (dh − ag) Φ_i − eh + gf.

We block decompose the bottom right block in the incomplete right factor in (1)

    C^⟨i⟩ = [ d   r^T ]
            [ s   W   ],

where d = C^⟨i⟩_{ , } ≠ 0. We have C^⟨i+1⟩ = W − d s r^T. Now since a = (λ_[i+1...n])^T s, e = r^T φ_[i+1...n], we have ae = (λ_[i+1...n])^T s r^T φ_[i+1...n] and f − ae/d = (λ_[i+1...n])^T C^⟨i+1⟩ φ_[i+1...n] − (z_[i+1...n])^T x_[i+1...n] = η_{i+1} − (z_[i+1...n])^T x_[i+1...n]. Similarly, h − ag/d = ξ_{i+1} − (z_[i+1...n])^T x_[i+1...n], and these two quantities are not equal to 0 simultaneously, for otherwise H_{i+1} would be true. Therefore ∆ is a nonzero polynomial of degree 1 in Φ and Ψ. It is equal to 0 with probability ≤ / |S|. Overall, H_i is false with probability ≥ (1 − / |S| ) based on the random choices for λ_i, φ_i and ψ_i made by the Verifier.

Finally, for the complexity, the Prover needs one Gaussian elimination to compute LU in time O(n^ω), then her extra work is just three triangular solve in O(n ). The extra communication is six vectors, φ, ψ, λ, x, y, z, and the Verifier's work is four dot-products and one multiplication by the initial matrix A (certifying the transposed to have a single matrix times λ-vector product).

With Protocol 5, when the matrix A does not have generic rank profile, any attempt to prove that it has generic rank profile will be detected w.h.p. (soundness). However when it is the case, the verification will accept many possible vectors x, y, z: any scaling of z_i by α_i and x_i, y_i by 1/α_i would be equally accepted for any non zero constants α_i. This slack corresponds to our lack of specification of the diagonals in the used LU decomposition. Indeed, for any diagonal matrix with non zero elements, LD × D − U is also a valid LU decomposition and yields x, y and z scaled as above. Specifying these diagonals is not necessary to prove generic rank profileness, so we left it as is for this task.

However, for the determinant or the rank profile matrix certificates of Sections 4.1 and 4.3, we will need to ensure that this scaling is independent from the choice of the vectors φ, ψ, λ.
Hence we propose an updated protocol, where L has to be unit triangular, and the Prover has to first commit the main diagonal D of U.

For a non-singular upper triangular matrix U with diagonal D = Diag(d , . . . , d_n), the matrix U = D − U is unit triangular. Thus, for any ψ = [ ψ ψ̃ ] ∈ F^n: Uψ = DUψ = D ( ψ + [ Ũ ψ̃ ] ), where Ũ = (U − I_n)_{ { ,...,n− },{ ,...,n} } upper triangular in F ( n − × ( n − . So the idea is that the Prover will commit D beforehand, and that within a generic rank profile certificate, the Verifier will only communicate φ̃, ψ̃ and λ̃ to obtain z = λ̃^T L̃, x = Ũ φ̃ and y = Ũ ψ̃, where L̃ = (L − I_n)_{ { ,...,n},{ ,...,n− } } lower triangular in F ( n − × ( n − . Then the Verifier will compute by himself the complete vectors. This ensures that L is unit triangular and that U = DU with U unit triangular.

Finally, if an invertible matrix does not have generic rank profile, we note that it is also possible to incorporate the permutations, by committing them in the beginning and reapplying them to the matrix during the checks. The full certificate is given in Protocol 6.

Theorem 5.
The Protocol 6 requires less than n extra communications. The computational cost for the Prover is O(n^ω) and the Verifier cost is bounded by µ(A) + 12n + o(n). The protocol is perfectly complete and fails the verification for a non generic rank profile matrix AP − = AP^T with probability ≥ (1 − | S | )^n.

    Prover                                              Verifier
                     A ∈ F^{n×n} non-singular
    A = LDUP            -------- P, D -------->          P ?∈ S_n, D ?∈ D_n(F∗)
    Ũ = (U − I_n)_{ { ,...,n− },{ ,...,n} }
    L̃ = (L − I_n)_{ { ,...,n},{ ,...,n− } }              Choose S ⊂ F
                           for i from n downto 2:
    ...                                                  ...
    [x y] = Ũ [φ̃ ψ̃]     <------ φ_i, ψ_i ------          (φ_i, ψ_i) ←[u.i.d.] S
                        --- x_{i− }, y_{i− } --->
    z = λ̃^T L̃           <-------- λ_i ---------          λ_i ←[u.i.d.] S
                        ------- z_{i− } ------->
    ...                                                  ...
                                                         φ , ψ , λ ← S
                                                         [x y] = [φ ψ] + [ x y ]
                                                         z^T = ( λ^T + [ z^T ] )
                                                         z^T D [x y] ?= (λ^T A) P^T [φ ψ]
    Protocol 6: LDUP decomposition (linear communication)

Proof. If the Prover is honest, then A = LUP = LDUP, so that for any choice of λ and ψ we have: λ^T A P^T ψ = λ^T L D U ψ, that is: z^T D y = ( λ^T + [ z^T ] ) D ( ψ + [ y ] ) = [ λ λ̃^T ] ( I + [ L̃ ] ) D ( [ Ũ ] + I ) [ ψ ψ̃ ]. The same is true for λ and φ, so that the protocol is perfectly complete.

Now, the last part of the Protocol 6 is actually a verification that AP^T has generic rank profile, in other words that there exists lower and upper triangular matrices L∗ and U∗ such that AP^T = L∗U∗. This verification is sound by Theorem 4. Next, the multiplication by the diagonal D is performed by the Verifier, in order to be actually convinced that there exists lower and upper triangular matrices L∗ and U∗ such that AP^T = L∗DU∗.
Finally, the construction of the vectors with the form a + he b i is alsodone by the Verifier, in order to have in fact a guarantee that L ∗ and U ∗ are unittriangular.Overall, if the matrix AP T does not have generic rank profile, the Verifier will catchhim with the probability of Theorem 4.Finally, for the complexity bounds, the extra communications are: one permutationmatrix P , a diagonal matrix D and 6 vectors e λ , e φ , e ψ and z , x and y . That is n non-negative integers lower than n and 6( n −
1) + n field elements. The arithmeticcomputations of the Verifier are one multiplication by a diagonal matrix, 3 vector sums,4 dot-products and one vector-matrix multiplication by A (for ( λ T A )), that is n + 3( n −
1) + 4(2 n − D and x, y, z : Proposition 1.
Let S be a finite subset of F in Protocol 6, if AP T is not in genericrank profile, or else if the committed D does not correspond to the unique decomposition AP T = LDU or (cid:2) x y (cid:3) (cid:44) U (cid:2) φ ψ (cid:3) or z T (cid:44) λ T L , then the verification will fail withprobability ≥ (1 − | S | ) n , and therefore Protocol 6 is sound. roof. For a dishonest Prover, either(i) AP T is not in generic rank profile, then Protocol 6 will detect it with the probabilityof Theorem 5;(ii) or she could still try, to send modified vectors x , y , z or diagonal D .Let then D ∗ , x ∗ = φ + (cid:2) x ∗ (cid:3) = U φ , y ∗ = ψ + (cid:2) y ∗ (cid:3) = U ψ and z ∗ = (cid:2) z ∗ (cid:3) + λ = L T λ bethe correct expected diagonal and vectors. Let also i ≤ n be the largest index such thatthere is at least one discrepancy in d i , x i , y i or z i that makes at least one of themrespectively different from d ∗ i , x ∗ i , y ∗ i or z ∗ i ( x n = x ∗ n = 0 , y n = y ∗ n = 0 , z n = z ∗ n = 0by default). Then H i of (3) is true for all i such that n ≥ i > i , and thus in particular H i +1 is true ( H n +1 is true by default). Now, H i is also true if and only if we have both: ( z i d i x i = z ∗ i d ∗ i x ∗ i ,z i d i y i = z ∗ i d ∗ i y ∗ i . (7)Indeed, H i is ( z [ i ...n ] ) T D [ i ...n ] x [ i ...n ] = ( z ∗ [ i ...n ] ) T D [ i ...n ] x ∗ [ i ...n ] and similarly H i +1 is ( z [ i +1 ...n ] ) T D [ i +1 ...n ] x [ i +1 ...n ] = ( z ∗ [ i +1 ...n ] ) T D [ i +1 ...n ] x ∗ [ i +1 ...n ] . Further, Equa-tions (7), with a = z ∗ i d ∗ i x ∗ i − z i d i x i , and b = z ∗ i d ∗ i y ∗ i − z i d i y i , is equivalentto: ( λ i φ i ( d i − d ∗ i ) + λ i ( d i x i − d ∗ i x ∗ i ) + φ i ( d i z i − d ∗ i z ∗ i ) − a = 0 ,λ i ψ i ( d i − d ∗ i ) + λ i ( d i y i − d ∗ i y ∗ i ) + ψ i ( d i z i − d ∗ i z ∗ i ) − b = 0 . (8)However, λ i , φ i , ψ i are chosen by the Verifier after d i , x i , y i and z i have beencommitted. 
Hence, on the one hand, if d i (cid:44) d ∗ i then the coefficient of λ i in one of the twopolynomials is not equal to 0 for a random φ i with probability ≥ − / | S | and then thatpolynomial does not vanish for a random λ i with probability ≥ (1 − / | S | )(1 − / | S | ),based on the random choices made by the Verifier, and H i is violated.On the other hand, if d i = d ∗ i (cid:44)
0, they can be removed from Equations (8) whichthen simplifies (for i < n ) as: ( λ i ( x i − x ∗ i ) + φ i ( z i − z ∗ i ) − ( z ∗ i x ∗ i − z i x i ) = 0 ,λ i ( y i − y ∗ i ) + ψ i ( z i − z ∗ i ) − ( z ∗ i y ∗ i − z i y i ) = 0 . (9)When there is at least one discrepancy with the expected vector coefficients, then Equa-tions (9) can be considered as 2 polynomials that are not simultaneously identically zero.Thus they both vanish with probability ≤ / | S | based on the random choices made bythe Verifier. H i is thus false with probability ≥ (1 − / | S | ). As in the proof of Theo-rem 4, this propagates with high probability, to H and the dishonest Prover is detectedwith probability ≥ (1 − / | S | ) n − (1 − / | S | )(1 − / | S | ) ≥ (1 − / | S | ) n .Overall, both (i), AP T is not GRP, or (ii), AP T is GRP but some diagonal or vectorelements is wrong, are detected with probability ≥ (1 − / | S | ) n .
4. Linear communication interactive certificates
In this section, we give linear space communication certificates for the determinant, the column/row rank profile of a matrix, and for the rank profile matrix.
4.1. Linear communication certificate for the determinant
Existing certificates for the determinant are either optimal for the Prover in the dense case, using the strategy of [15, Theorem 5] over a PLUQ decomposition, but quadratic in communication; or linear in communication, using [5, Theorem 14], but using a reduction to the characteristic polynomial. In the sparse case the determinant and the characteristic polynomial both reduce to the same minimal polynomial computations and therefore the latter certificate is currently optimal for the Prover. Now in the dense case, while the determinant and characteristic polynomial both reduce to matrix multiplication, the determinant, via a single PLUQ decomposition, is more efficient in practice [20]. Therefore, we propose here an alternative in the dense case: use only one PLUQ decomposition for the Prover while keeping linear extra communications and O ( n ) + µ ( A ) operations for the Verifier. The idea is to extract the information of an LDUP decomposition without communicating it: one uses Protocol 6 for A = LDU P with L and U unitary, but kept on the Prover side, and then the Verifier only has to compute Det ( A ) = Det ( D ) Det ( P ), with n −
Corollary 1.
For an n × n matrix, there exists a sound and perfectly complete protocol for the determinant over a field using less than n extra communications and with computational cost for the Verifier bounded by µ ( A ) + 13 n + o ( n ) .

As a comparison, the protocol of [5, Theorem 14] reduces to CharPoly instead of PLUQ for the Prover, requires 5 n extra communications and µ ( A ) + 13 n + o ( n ) operations for the Verifier as well. Also the new protocol requires 3 n random field elements for a field larger than 2 n , where that of [5, Theorem 14] requires 3 random elements but a field larger than n . Finally the new protocol requires O ( n ) rounds when 2 are sufficient in [5, Theorem 14].

For instance, using the routines shown in Table 1 (one matrix-vector multiplication with a dense matrix is denoted fgemv ), the determinant of a 50 k × k random dense matrix can be computed in about 24 minutes, where with the certificate of Protocol 6, the overhead of the Prover is less than 5s and the Verifier time is about 1s.

Computations use the FFLAS-FFPACK library [16] on a single Intel Skylake [email protected], while we measured some communications between two workstations over an Ethernet Cat. 6, @1Gb/s network cable. We see that a linear communication cost can be masked by a quadratic number of computations, when a quadratic communication cost could be up to two orders of magnitude worse.

Dimension 2 k k k
PLUQ 0.28s 17.99s 1448.16s
CharPoly
fgemv
Table 1: Communication of 64 bit words versus computation modulo 131071

4.2. Column or row rank profile certificate
In Protocols 7 and 8, we first recall the two linear time and space certificates for an upper and a lower bound to the rank that constitute a rank certificate. We present here the variant sketched in [9, §
2] of the certificates of [3]. An upper bound r on the rank iscertified by the capacity for the Prover to generate any vector sampled from the imageof A by a linear combination of r column of A ( k γ k denotes the Hamming weight ofthe vector γ ). A lower bound r is certified by the capacity for the Prover to recoverthe unique coefficients of a linear combination of r linearly independent columns of A . LINSYS ( r ) denotes a complexity bound for solving a linear system of rank r by theProver. Prover Verifier A ∈ F m × n R s.t. rank( A ) ≤ R R −−−−−−→ Choose S ⊂ F w ←−−−−−− v u.i.d. ←−−− - S n , w = AvAγ = w γ −−−−−−→ k γ k = RAγ ? = w Protocol 7: Upper bound on the rank of a matrix
Theorem 6.
Let A ∈ F m × n , and let S be a finite subset of F . The interactive certificate 7of an upper bound for the rank of A is sound, with probability larger than − | S | , perfectlycomplete, occupies m + n communication space, can be computed in LINSYS ( r ) andverified in µ ( A ) + n time. Prover Verifier A ∈ F m × n J = ( c , .., c ρ ) indep. cols of A c , .., c ρ −−−−−−→ Choose S ⊂ F ∗ v ←−−−−−− α = ( α c j u.i.d. ←−−− - S v = Aα Solve Aβ = v β −−−−−−→ β ? = α Protocol 8: Lower bound on the rank of a matrix
Theorem 7.
Let A ∈ F m × n , and let S be a finite subset of F . The interactive certificate 8of a lower bound for the rank of A is sound, , with probability larger than − | S | , perfectlycomplete and occupies m + 2 r communication space, can be computed in LINSYS ( r ) andverified in µ ( A ) + r operations. r indices for J , then m field elements for vector v , and only r field elements for vector β , as it has only r non-zerocoefficients which positions are already indicated by J . Hence the total communicationcost is m + 2 r .We now consider a column rank profile certificate: the Prover is given a matrix A , andanswers the column rank profile of A , J = ( c , . . . , c r ). In order to certify this columnrank profile, we need to certify two properties:1. the columns given by J are linearly independent;2. the columns given by J form the lexicographically smallest set of independentcolumns of A .Property 1 is verified by Certificate 8, as it checks whether a set of columns areindeed linearly independent. Property 2 could be certified by successive applications ofCertificate 7: at step i , checking that the rank of A ∗ , (0 ,...,c i − is at most i − c i − and c i in A which increases the rankof A . Hence, it would prove the minimality of J . However, this method requires O ( nr )communication space.Instead, one can reduce the communication by seeding all challenges from a single n dimensional vector, and by compressing the responses with a random projection. Theright triangular equivalence certificate plays here a central role, ensuring the lexicographicminimality of S . More precisely, the Verifier chooses a vector v ∈ F n uniformly at randomand sends it to the Prover. Then, for each index c k ∈ S the Prover computes the linearcombination of the first c k − A using the first c k − v andhas to prove that it can be generated from the k − c , . . . , c k − . This means,find a vector γ ( k ) solution to the system: (cid:2) A ∗ ,c A ∗ ,c . . . 
A ∗ ,c k − (cid:3) γ ( k ) = A v ...v ck − ... . Equivalently, find an upper triangular matrix Γ such that: (cid:2) A ∗ ,c A ∗ ,c . . . A ∗ ,c r − (cid:3) Γ = A v v ··· ··· v ... ... ... ... ...v c − ... ... ... ... v c − ... ... ... ... ... ... v cr − ... v n | (cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32) {z (cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32)(cid:32) } V . (10)Note that V = Diag( v , . . . , v n ) W where W = [ i For A ∈ F m × n and S ⊂ F , certificate 9 is sound, with probability largerthan − | S | , perfectly complete, with a Prover computational cost bounded by O ( mnr ω − ) ,a communication space complexity bounded by m + n + 4 r and a Verifier cost bounded by µ ( A ) + n + 3 r . A ∈ F m × n J = ( c , .., c r ) CRP of A Protocol 8 on A J = CRP ( A ) −−−−−−−−→ rank A ? ≥ r Choose S ⊂ F v ←−−− v u.i.d. ←−−− - S n V = Diag( v , . . . , v n ) W (see (10)) W = [ i AVy = Γ x x (Cert. 4) y ←−−−−−−−→ x u.i.d. ←−−− - S r z = Diag( v , . . . , v n )( W x ) z c j = z c j − y j for j = 1 ..rAz ? = 0Protocol 9: Certificate for the column rank profile Proof. If the Prover is honest, the protocol corresponds first to an application of The-orem 7 to certify that J is a set of independent columns. This certificate is perfectlycomplete. Second the protocol also uses challenges from Certificate 7, which is perfectlycomplete, together with Certificate 4, which is perfectly complete as well. The lattercertificate is used on A ∗ , J , a regular submatrix, as J is a set of independent columnsof A . The final check then corresponds to A ( D ( W x )) − A ∗ , { c ,..c r } y ? 
= 0 and, overall,Certificate 9 is perfectly complete.If the Prover is dishonest, then either the set of columns in J are not linearly in-dependent, which will be caught by the Verifier with probability at least 1 − | S | , fromTheorem 7, or J is not lexicographically minimal, or the rank of A is not r . If the rankis wrong, it will not be possible for the Prover to find a suitable Γ. This will be caughtby the Verifier verifier with probability 1 − | S | , from Theorem 3. Finally, if J is notlexicographically minimal, there exists at least one column c k (cid:60) J , c i < c k < c i +1 forsome fixed i such that { c , . . . , c i }∪{ c k } form a set of linearly independant columns of A .This means that rank( A ∗ , ,...,c i +1 − ) = i + 1, whereas it was expected to be i . Thus, theProver cannot reconstruct a suitable triangular Γ and this will be detected by the Verifieralso with probability 1 − | S | , as shown in Theorem 3.The Prover’s time complexity is that of computing a P LU Q decomposition of A . Thetransmission of v, x and y yields a communication cost of n + 2 r , which adds up to the m + 2 r communication cost of Protocol 8. Finally, in addition to Protocol 8, the Verifiercomputes W x as a prefix sum with r − D , then subtracts y i at the r correct positions and finally multiplies by A for a total cost bounded by2 µ ( A ) + n + 3 r − 1. 18 .3. Rank profile matrix certificate We propose an interactive certificate for the rank profile matrix based on [8, Algo-rithm 4]: first computing the row and column support of the rank profile matrix, usingCertificate 9 twice for the row and column rank profiles, then computing the rank profilematrix of the invertible submatrix of A lying on this grid.In the following we then only focus on a certificate for the rank profile matrix ofan invertible matrix. It relies on an LUP decomposition that reveals the rank profilematrix. 
From Theorem 2, this is the case if and only if P T U P is upper triangular.Protocol 10 thus gives an interactive certificate that combines Certificate 6 for a LDUPdecomposition with a certificate that P T U P is upper triangular. The latter is achievedby Certificate 4 showing that P T and P T U are left upper triangular equivalent, but since U is unknown to the Verifier, the verification is done on a random right projection withthe vector φ used in Certificate 6.Prover Verifier A ∈ F n × n invertible A = LDU P , with P = R A P,D −−−−→ P ? ∈ S n , D ? ∈ D n ( F )Protocol 4 : P T and P T U are left up. tri. equiv. with random proj. U = P T U P U is upper tri. −−−−−−−−−→ Choose S ⊂ F e ,...,e n ←−−−−− for i = 1 , . . . , n , e i u.i.d. ←−−− - Sf T = e T U f ,...,f n −−−−−→ Protocol 6 on A [ e φ e ψ ] ←−−−− [ e x e y ] −−−→ φ, ψ u.i.d. ←−−− - S n Now h x y i is U h φ ψ i e T P T x ? = f T P T φ Protocol 10: Rank profile matrix of an invertible matrix Theorem 9. Protocol 10 is sound, with probability ≥ (1 − | S | ) n , and perfectly complete.The Prover cost is O ( n ω ) field operations, the communication space is bounded by n and the Verifier cost is bounded by µ ( A ) + 16 n + o ( n ) .Proof. If the Prover is dishonest and U = P T U P is not upper triangular, then let ( i, j )be the lexicographically minimal coordinates such that i > j and U i,j (cid:44) 0. Now either (cid:2) x y (cid:3) (cid:44) U (cid:2) φ ψ (cid:3) , and the verification will then fail to detect it with probability less than(1 − | S | ) n , from Proposition 1. Or one can write e T P T x − f T P T φ = ( e T U − f T ) P φ = 0.If e T P T U P − f T = 0 . (11)19s not satisfied, then a random φ will fail to detect it with probability less than | S | , since e, U and f are set before choosing for φ . At the time of committing f j , the value of e i isstill unknown, hence f j is constant in the symbolic variable E i . 
Thus the j -th coordinatein (11) is a nonzero polynomial in E j and therefore vanishes with probability 1 / | S | whensampling the values of e uniformly. Hence, overall if P T U P is not upper triangular, theverification will detect it with probability ≥ (1 − | S | ) n .The Verifier’s cost is that of Protocol 6 with two additional dot products for the laststep, which is µ ( A ) + 16 n + o ( n ). Similarly, the communication cost is that of Protocol 6plus the size of e and f for a total of 10 n . The Prover remains unchanged.Finally, we use [8, Algorithm 4] to certify the rank profile matrix of any matrix,even a singular one. To do so, we need to verify the row rank profile and the columnrank profile of the input matrix, which can be done with two applications of Certificate 9.Then, we certify the rank profile matrix of the r × r selection of lexicographically minimalindependent rows and columns we obtained before. This is done by an application ofCertificate 10. We now define E m, { i ,...,i n } as the m × n matrix whose j -th column isthe i j -th vector of the m -dimensional canonical basis. This certificate is detailed inProtocol 11, in the case where m ≤ n . If n < m , one should first apply Protocol 9 on A to compute its column rank profile, and then apply the verification steps of the sameprotocol for the row rank profile of A . The application of Protocol 10 remains unchanged. Theorem 10. Protocol 11 is sound, with probability ≥ (1 − | S | ) n , and perfectly complete.The Prover cost is O ( mnr ω − ) field operations, the communication space is bounded by m + n + min( m, n ) + 17 r and the Verifier cost is bounded by µ ( A ) + m + n + 21 r .Proof. If the Prover is honest, I is the row rank profile of A and J is the column rankprofile of A . Then, the application of Protocol 10 will output the correct rank profilematrix of A I , J which will lead the Verifier to the correct rank profile matrix of A , asdescribed in [8, Theorem 37]. 
Note that one only needs to verify the lower bound on therank of A once, which is why Certificate 9 is fully executed once, while the second runonly verifies that the committed rank profile is a rank profile indeed.Now, for the soundness, Prover has a probability ≥ − / | S | to be caught whencheating while running Certificate 9, and a probability ≥ (1 − | S | ) n to be caught whencheating while running Certificate 10. Overall, this makes a probability ≥ (1 − | S | ) n forthe Verifier to catch a cheating Prover during the execution of Certificate 11.For the complexity, Prover time complexity is bounded by the complexity of perform-ing a PLUQ decomposition of the input matrix, O ( mnr ω − ). The Verifier complexity isthe one of one full application of Protocol 9 and one application of Protocol 9 withoutapplying Protocol 8, which makes 3 µ ( A ) + n + m + 5 r , plus one application of Protocol 10over an r × r matrix for a cost of µ ( A )+16 r + o ( r ), the computation of R A only consists ofmemory operations, hence a total cost of 4 µ ( A )+ m + n +21 r + o ( r ) field operations. Com-munication space is computed as follows: a full application of Protocol 9 on A if m ≥ n ,on A T otherwise, an application of the same Protocol without the underlying Protocol 8which makes n + m + min ( m, n ) + 7 r and the same application of Protocol 10 as above,for a cost of 10 r , hence a total communication space of m + n + min ( m, n ) + 17 r .20rover Verifier A ∈ F m × n (assuming m ≤ n w.l.o.g.) Protocol 9 on A T I = RRP ( A ) ∈ [[1 ,m ]] r −−−−−−−−−−−−−→ Now, I = RRP ( A )and rank( A ) ≥ r J = CRP ( A ) = ( c , . . . , c r ) J −−−−−−→ Choose S ⊂ F v ←−−−−− v u.i.d. ←−−− - S n V = Diag( v , . . . , v n ) W (see (10)) W = [ i AVy = Γ x x (Cert. 4) y ←−−−−−−−→ x u.i.d. ←−−− - S r z = Diag( v , . . . , v n )( W x ) z c j = z c j − y j for j = 1 ..rAz ? = 0 Protocol 10 on A I , J R r = RP M ( A I , J ) −−−−−−−−−−−→ R A = E m, I R r E Tn, J Protocol 11: Rank profile matrix21 . 
Certificate for the signature of an integer matrix
The signature of a symmetric matrix is the triple ( n + , n − , n ) indicating the number of positive, negative, and zero eigenvalues, respectively. Just like [3, Theorem 5], the idea is that the Prover commits the signature, and then certifies it modulo a Verifier chosen prime. This works directly for the signature algorithm in [15, Corollary 1] together with the CharPoly protocol of [5, Theorem 14]. As in § CharPoly computation with a symmetric Gaussian elimination.

Over the rationals, an algorithm for the Prover could be to first compute and certify the rank of A , and to compute a permutation matrix P such that P T AP has generic rank profile: for instance compute a P L p ∆ p L Tp P T factorization modulo a sufficiently large prime p . Then B = [ I r | P T AP [ I r ] is symmetric and non-singular. It is then sufficient to lift or reconstruct only the block diagonal matrix ∆ over Q of a non-pivoting symmetric factorization of B (the unit triangular matrix over Q need not be computed). Compared to an integer characteristic polynomial computation this gains in practice an order of magnitude in efficiency for the Prover as shown on the logscale Figure 1, using LinBox-1.5.1 [17].

[Figure 1: (Verifiable) signature computation on a single Intel Skylake core @3.4GHz. Axes: seconds versus matrix dimension. Curves: Integer characteristic polynomial; Rational lifting of the diagonal.]

For the verification, the block diagonal matrix ∆, and the permutation P are committed. The Verifier then randomly chooses a prime q and enters an interactive certification process for P and ∆ mod q using Protocol 6, as shown in Protocol 12.

From [3, Theorem 5], we let h = log ( √ n n || A || n ∞ ) be the logarithm of Hadamard's bound for the invariant factors of A . There cannot be more than h primes reducing the rank. Therefore it is possible to sample c · h distinct primes of magnitude bounded by O ( h log( h )) for any constant c > q from that set S . Once the rank is certified, the Prover can compute the permutation and lift the diagonal. Finally the rational P L ∆ L T P T factorization of the full rank matrix can be similarly verified modulo a prime q . As for the determinant, no more than h primes can reduce the rank of ∆ and q can be selected from the same kind of set. We have proven:

Prover Verifier A ∈ Z n × n symmetric I −−−−−−−→ q ←−−−−−−− q ←−−− - S ⊂ P . . . I ? = RRP ( A ) = CRP ( A ) mod q , and |I| ? = rank ( A ) mod q by Cert. 9. P, ∆ −−−−−−−→ P ? ∈ S r , ∆ ? ∈ D (2) r ( Q ) q ←−−−−−−− q ←−−− - S ⊂ P Protocol 6 on P T A I P mod q [ e φ i e ψ i ] ←−−−−− [ e x i e y i ] −−−−−→ [ e λ i ] ←−−− [ e z i ] −−−→ ... z T ∆ [ x y ] ? = ( λ T P T A I ) P [ φ ψ ] mod q Extract ( n + (∆) , n − (∆) , n − r )
Protocol 12: Certificate for the signature of a symmetric matrix

Corollary 2. For a symmetric matrix A ∈ Z n × n , certificate 12 for its signature is sound and perfectly complete.

The communication comprises that of the Certificate 6, the permutation matrix P , all of size n , as well as small primes bounded by h , and finally ∆. Just like that of the characteristic polynomial, the size of ∆ can be quadratic and therefore the whole protocol is not linear. Thus a simpler quadratic certificate communicating the triangular matrix L modulo q , and checking the decomposition A − L ∆ L T via Freivalds' certificate might also work. But then the communication and Verifier time would always be quadratic. Instead, Protocol 12, just like the Protocol using the characteristic polynomial, is better if the size of the determinant is small, as then the size of ∆ might be much less than that of L (for instance linear if the determinant is a constant). Protocol 12 is also interesting if µ ( A ) is less than quadratic.

6. Constant round certificates
When delegating computations, the network latency can make communication rounds expensive.
It can therefore also be interesting not only to reduce the communication volume, but also the number of rounds. We therefore propose in this section a certificate with a constant number of rounds for triangular equivalence, still preserving Prover efficiency as well as linear communication volume and Verifier cost. This applies then directly, as previously shown, to row or column rank profiles. However it fails to apply to the generic rank profile, at least in a straightforward manner, and we were unable to produce such a certificate in constant round for this task.

Following a technique in [18], we first define the representative Laurent polynomial , P A ( X ) of an m × n matrix A as:

$$P_A(X) = \begin{bmatrix} 1 & X & X^2 & \dots & X^{m-1} \end{bmatrix} \cdot A \cdot \begin{bmatrix} 1 \\ X^{-1} \\ \vdots \\ X^{1-n} \end{bmatrix} = \sum_{i=1}^{m} \sum_{j=1}^{n} A_{i,j} X^{i-j}$$

Therefore, if a matrix is lower triangular, then its representative Laurent polynomial cannot have negative powers and it is therefore a polynomial of degree at most m − A i,i +1 = 0 for all i except A , = − A , . Generically, if one pre-multiplies A on the right by a random non-zero diagonal matrix, these cancellations will not occur as in general d A , ≠ − d A , unless A , = A , = 0.

From this representation we can obtain a triangular equivalence certificate that requires only a constant number of rounds: the Prover commits that polynomial, then the Verifier will evaluate the polynomial at a random point and compare this to the actual projections. The counterpart is that the field size must be sufficiently large so that the polynomial identity testing does not fail. The full certificate is given in Protocol 13. It requires that the Prover solves a regular system (this is checked deterministically by reapplying the resulting vector), and a preconditioning by a diagonal matrix to prevent cancellations.

Theorem 11. Let A, B ∈ F m × n , m ≥ n , and assume A is regular. Certificate 13 is sound, with probability larger than − n − | S | and perfectly complete.
The Prover cost is dominated by one system solving, O ( mn ω − ) , the communication space is bounded by n + 1 and the Verifier cost is bounded by µ ( A ) + µ ( B ) + 7 n

Protocol 13: Constant round linear communication certificate for triangular equivalence
Input: A, B ∈ F m × n , A is regular, m ≥ n .
Prover → Verifier: ∃ L lower triang. s.t. AL = B .
Verifier → Prover: choose S ⊂ F ; send D u.i.d. in D n ( S \ {0} ).
Prover → Verifier: g ( X ) = P LD ( X ).
Verifier: check g ∈ F [ X ] with deg ≤ n − 1.
Verifier → Prover: λ u.i.d. in S .
Prover → Verifier: y s.t. $A \cdot y = B \cdot D \cdot [1, \lambda^{-1}, \dots, \lambda^{1-n}]^T$.
Verifier: check $A \cdot y = B \cdot D \cdot [1, \lambda^{-1}, \dots, \lambda^{1-n}]^T$ and $g(\lambda) = [1\ \lambda\ \dots\ \lambda^{n-1}] \cdot y$.

Proof. Let $x = D\,[1, \lambda^{-1}, \dots, \lambda^{1-n}]^T$. As A is regular, there is only one solution y to Ay = Bx , and y = Lx . Therefore $[1\ \lambda\ \dots\ \lambda^{n-1}] \cdot y = [1\ \lambda\ \dots\ \lambda^{n-1}] \cdot L D\,[1, \lambda^{-1}, \dots, \lambda^{1-n}]^T = P_{LD}(\lambda)$ and the protocol is correct. For the soundness:
• As A is regular, there is only one solution y to Ay = Bx , thus that check ensures that y is correct, unless not all columns in B are in the column space of A , which is handled as in the proof of Theorem 3.
• If L is not triangular then its upper part is not identically zero. Therefore by considering D as a diagonal matrix of indeterminates, at least one coefficient of negative degree of the representative rational fraction LD will be non identically zero. As those are of degree 1 in the indeterminates of D , for a random diagonal D , the representative rational fraction of LD will not be a polynomial with probability at least 1 − | S |− .
• If g is not a polynomial of degree at most n − 1, it is not the representative of a triangular matrix.
• If g is not the representative polynomial of LD then by the DeMillo-Lipton/Schwartz/Zippel lemma [2, 25, 23], its evaluation at λ will fail with probability 1 − n − | S | (since X n − ( g − P LD )( X ) is a polynomial of degree at most 2( n − L , in O ( mn ω − ). Then P LD ( X ) requires one pass over the coefficients of L , and finally $y = LD\,[1, \lambda^{-1}, \dots, \lambda^{1-n}]^T$.
The communication cost is D , g ( X ), y all of size n , and λ . The Verifier cost is, µ ( A ) + µ ( B ) to apply A and B , as well as 2 n − $[1\ \lambda\ \dots\ \lambda^{n-1}]$ and their inverses, n − D , 2( n − 1) to evaluate g , and 2( n − 1) to compute the dot product $[1\ \lambda\ \dots\ \lambda^{n-1}] \cdot y$.

6.3. Constant round certificates for the row and column rank profiles
Now we can combine the lower rank Certificate 8, with the constant-round Certificate 13 for triangular equivalence, as a replacement of Certificate 4, within the column rank profile Certificate 9, in order to get the constant-round Certificate 14 for column rank profile. It remains Prover efficient, linear in communication volume and Verifier time.

Prover Verifier A ∈ F m × n J = ( c , .., c r ) CRP of A J −−−−−−→ Choose S ⊂ F β s.t. Aβ = ν Protocol 8 ν ←−−−−−− β −−−−−−→ α = E m, J ( u.i.d. ←−−− - S r ) ν = Aα β ? = α V = Diag( v , . . . , v n ) W (see (10)) v ←−−−−−− v u.i.d. ←−−− - S n Γ upper tri. s.t. A ∗ , J Γ = AV W = [ i

Corollary 3. For an m × n matrix of rank r , Certificate 14 is sound and perfectly complete. It requires rounds, a volume of communication of m + n + 5 r + 1 and less than µ ( A ) + n + 9 r operations for the Verifier.

7. Conclusion
A summary of our contributions is given in Table 3, to be compared with the state of the art in Table 2.

| Algorithm | Rounds | Prover Determ. | Prover Time | Communication | Verifier Time | Probabilistic \|S\| |
|---|---|---|---|---|---|---|
| Rank: [ ] over [ ] | No | No | Õ( r ω + µ(A) ) | Õ( r + m + n ) | Õ( r + µ(A) ) | ≥ |
| Rank: [ ] | | No | O( n (µ(A) + n) ) or O( mnr ω − ) | O( m + n ) | µ(A) + Õ( m + n ) | Ω( min{ m , n } log( mn ) ) |
| Rank: [ ] | | Yes | O( mnr ω − ) | O( n + r ) | O( µ(A) + n ) | ≥ |
| CRP/RRP: [ ] over [ ] | No | No | Õ( r ω + m + n + µ(A) ) | Õ( r + m + n ) | Õ( r + m + n + µ(A) ) | Ω( min{ m , n } log( mn ) ) |
| CRP/RRP: [ ] over [ ] | No | Yes | O( mnr ω − ) | Õ( mn ) | Õ( mn ) | ≥ |
| RPM: [ ] over [ ] | No | No | Õ( r ω + m + n + µ(A) ) | Õ( r + m + n ) | Õ( r + m + n + µ(A) ) | Ω( min{ m , n } log( mn ) ) |
| RPM: [ ] over [ ] | No | Yes | O( mnr ω − ) | Õ( mn ) | Õ( mn ) | ≥ |
| Det: [ ] & PLUQ | No | Yes | O( n ω ) | O( n ) | O( n ) + µ(A) | ≥ |
| Det: [ ] & CharPoly | | No | O( n µ(A) ) or O( n ω ) | O( n ) | µ(A) + O( n ) | ≥ n |

Table 2: State of the art certificates for the rank, the row and column rank profiles, the rank profile matrix and the determinant

| Algorithm | Rounds | Prover Determ. | Prover Time | Communication | Verifier Time | Probabilistic \|S\| |
|---|---|---|---|---|---|---|
| CRP/RRP: § . | No | Yes | O( mnr ω − ) | O( r ( m + n ) ) | O( r ( m + n ) ) + µ(A) | ≥ |
| CRP/RRP: § . | O( n ) | Yes | O( mnr ω − ) | O( m + n ) | µ(A) + O( m + n ) | ≥ |
| CRP/RRP: § . | | Yes | O( mnr ω − ) | O( m + n ) | µ(A) + O( m + n ) | ≥ n − |
| RPM: § . | No | Yes | O( mnr ω − ) | O( r ( m + n ) ) | O( r ( m + n ) ) + µ(A) | ≥ |
| RPM: § . | O( n ) | Yes | O( mnr ω − ) | O( m + n ) | µ(A) + O( m + n ) | Ω( n ) |
| Det: § . & PLUQ | O( n ) | Yes | O( n ω ) | O( n ) | µ(A) + O( n ) | Ω( n ) |

Table 3: This paper's contributions

We have provided certificates that can save overall computational time for the Provers and an order of magnitude in terms of communication volume or number of rounds. Table 1 compares linear and quadratic communications, as well as sub-cubic (PLUQ, CharPoly ) or quadratic matrix operations. These results show first that it is interesting to use linear space certificates even when they have quadratic Verification time. The table also presents a practical constant factor of about 5 between PLUQ and CharPoly computations.

One key idea in our contribution is to certify the existence of a triangular matrix in an equivalence relation, by having an n round protocol where data dependency matches the triangular shape of the unknown matrix factor. This approach was successfully adapted to the certificate of generic rank profileness, where now two unknown triangular factors are considered, in the LU decomposition.

Mulmuley's Laurent polynomial representation of a matrix successfully replaces the former technique to certify triangular equivalence, and consequently row or column rank profiles, reducing the number of rounds from linear to constant. However, we were unable to adapt this technique for the certificate for generic rank profileness, and consequently for certifying a rank profile matrix.

The use of symmetric Gaussian elimination allowed us to achieve a more practical certificate for the signature of symmetric integer matrices. Even though it is based on LDLT certificates with linear communication modulo a prime, the diagonal of rational eigenvalues remains quadratic in size, and full precision was required to recover their sign. Designing a linear communication, Prover efficient protocol to certify the signature is the other major open problem which should be investigated in the continuation of this work.
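The constant-round exchange of Protocol 13 (Section 6), as an added example that is not code from the paper or from FFLAS-FFPACK/LinBox: both roles are played over F_p with p = 131071, the modulus quoted for Table 1, with an honest Prover and one whose L has an entry above the diagonal. Assumptions: A is square (m = n), the indexing is P_M(X) = Σ M_{i,j} X^{i−j} with challenge vector D·[1, λ^{-1}, …, λ^{1−n}]^T, S = F_p \ {0}, and every function name and sample matrix below is constructed for illustration.

```python
import random

P = 131071  # prime 2**17 - 1, the modulus quoted for Table 1

def inv(a):
    return pow(a, P - 2, P)  # Fermat inverse, requires a != 0 mod P

def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)]
            for row in A]

def solve(A, b):
    """Unique y with A y = b over F_P (A square and invertible), Gauss-Jordan."""
    n = len(A)
    M = [[x % P for x in row] + [bi % P] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c])
        M[c], M[piv] = M[piv], M[c]
        s = inv(M[c][c])
        M[c] = [x * s % P for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[c])]
    return [row[n] for row in M]

def challenge_vector(d, lam):
    """x = D * [1, lam^-1, ..., lam^(1-n)]^T (assumed indexing convention)."""
    li = inv(lam)
    return [dj * pow(li, j, P) % P for j, dj in enumerate(d)]

# ---- Prover side ---------------------------------------------------------
def prover_commit(A, B, d):
    """Coefficients g_0..g_{n-1} of the claimed polynomial P_{LD}(X).

    L = A^{-1} B is recovered column by column. Entries on or below the
    diagonal contribute exponents i - j >= 0. A Prover whose L is not lower
    triangular also has negative exponents, which do not fit in a polynomial,
    so they are left out of the commitment here."""
    n = len(A)
    cols = [solve(A, [row[j] for row in B]) for j in range(n)]
    g = [0] * n
    for j in range(n):
        for i in range(j, n):
            g[i - j] = (g[i - j] + cols[j][i] * d[j]) % P
    return g

def prover_respond(A, B, d, lam):
    """y with A y = B D [1, lam^-1, ...]^T; A regular leaves no choice for y."""
    return solve(A, matvec(B, challenge_vector(d, lam)))

# ---- Verifier side: two matrix-vector products plus O(n) field operations -
def verifier_check(A, B, d, g, lam, y):
    if len(g) > len(d):  # g must be a polynomial of degree at most n - 1
        return False
    if matvec(A, y) != matvec(B, challenge_vector(d, lam)):
        return False
    g_at_lam = sum(c * pow(lam, k, P) for k, c in enumerate(g)) % P
    proj = sum(pow(lam, i, P) * yi for i, yi in enumerate(y)) % P
    return g_at_lam == proj

def run_protocol(A, B, rng):
    n = len(A)
    d = [rng.randrange(1, P) for _ in range(n)]  # D u.i.d. in D_n(S \ {0})
    g = prover_commit(A, B, d)                   # committed before lambda
    lam = rng.randrange(1, P)                    # nonzero, so lam^-1 exists
    y = prover_respond(A, B, d, lam)
    return verifier_check(A, B, d, g, lam, y)

# ---- Constructed sample input (not from the paper) -------------------------
A = [[1, 2, 0, 0], [0, 1, 3, 0], [0, 0, 1, 4], [5, 0, 0, 1]]  # det = -119
L_GOOD = [[2, 0, 0, 0], [7, 3, 0, 0], [1, 4, 5, 0], [6, 0, 9, 8]]
L_BAD = [row[:] for row in L_GOOD]
L_BAD[0][2] = 11            # a single entry above the diagonal
B_GOOD = matmul(A, L_GOOD)  # A L = B_GOOD with L lower triangular
B_BAD = matmul(A, L_BAD)    # A^{-1} B_BAD is not lower triangular

def acceptance_count(B, trials=20, seed=1):
    rng = random.Random(seed)
    return sum(run_protocol(A, B, rng) for _ in range(trials))

if __name__ == "__main__":
    print("honest prover accepted  :", acceptance_count(B_GOOD), "of 20")
    print("cheating prover accepted:", acceptance_count(B_BAD), "of 20")
```

With this particular cheat the committed g(λ) and the forced projection differ by 11·d_3·λ^{-2}, which is nonzero for every nonzero d_3 and λ, so the Verifier rejects in every run; in general the rejection is only probabilistic, as in Theorem 11.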
References

[1] Ho Yee Cheung, Tsz Chiu Kwok, and Lap Chi Lau. Fast Matrix Rank Algorithms and Applications. Journal of the ACM, 60(5):31:1–31:25, October 2013. ISSN 0004-5411. doi: 10.1145/2528404.
[2] Richard A. DeMillo and Richard J. Lipton. A probabilistic remark on algebraic program testing. Inf. Process. Letters, 7(4):193–195, June 1978. doi: 10.1016/0020-0190(78)90067-4.
[3] Jean-Guillaume Dumas and Erich Kaltofen. Essentially optimal interactive certificates in linear algebra. In Katsusuke Nabeshima, editor, ISSAC'2014, pages 146–153. ACM Press, New York, July 2014. doi: 10.1145/2608628.2608644.
[4] Jean-Guillaume Dumas, Clément Pernet, and Ziad Sultan. Simultaneous computation of the row and column rank profiles. In Manuel Kauers, editor, ISSAC'2013, pages 181–188. ACM Press, New York, June 2013. doi: 10.1145/2465506.2465517.
[5] Jean-Guillaume Dumas, Erich Kaltofen, Emmanuel Thomé, and Gilles Villard. Linear time interactive certificates for the minimal polynomial and the determinant of a sparse matrix. In Xiao-Shan Gao, editor, ISSAC'2016, pages 199–206. ACM Press, New York, July 2016. ISBN 978-1-4503-4380-0. doi: 10.1145/2930889.2930908.
[6] Jean-Guillaume Dumas, Erich Kaltofen, Gilles Villard, and Lihong Zhi. Polynomial time interactive proofs for linear algebra with exponential matrix dimensions and scalars given by polynomial time circuits. In Safey El Din [22], pages 125–132. doi: 10.1145/3087604.3087640.
[7] Jean-Guillaume Dumas, David Lucas, and Clément Pernet. Certificates for triangular equivalence and rank profiles. In Safey El Din [22], pages 133–140. doi: 10.1145/3087604.3087609.
[8] Jean-Guillaume Dumas, Clément Pernet, and Ziad Sultan. Fast computation of the rank profile matrix and the generalized Bruhat decomposition. Journal of Symbolic Computation, 83:187–210, November–December 2017. doi: 10.1016/j.jsc.2016.11.011.
[9] Wayne Eberly. A new interactive certificate for matrix rank. Technical Report 2015-1078-11, University of Calgary, June 2015. URL http://prism.ucalgary.ca/bitstream/1880/50543/1/2015-1078-11.pdf.
[10] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO'86, volume 263 of LNCS, pages 186–194. Springer-Verlag, 1987, 11–15 August 1986.
[11] R. Freivalds. Fast probabilistic algorithms. Mathematical Foundations of Computer Science, LNCS, 74:57–69, Sept. 1979. doi: 10.1007/3-540-09526-8_5.
[12] Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. Delegating computation: interactive proofs for muggles. In Cynthia Dwork, editor, STOC'2008, pages 113–122. ACM Press, May 2008. ISBN 978-1-60558-047-0. doi: 10.1145/1374376.1374396.
[13] Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. Delegating computation: Interactive proofs for muggles. J. ACM, 62(4):27:1–27:64, 2015. doi: 10.1145/2699436.
[14] C.-P. Jeannerod, C. Pernet, and A. Storjohann. Rank-profile revealing Gaussian elimination and the CUP matrix decomposition. Journal of Symbolic Computation, 56:46–68, 2013. doi: 10.1016/j.jsc.2013.04.004.
[15] Erich L. Kaltofen, Michael Nehring, and B. David Saunders. Quadratic-time certificates in linear algebra. In Anton Leykin, editor, ISSAC'2011, pages 171–176. ACM Press, New York, June 2011. ISBN 978-1-4503-0675-1. doi: 10.1145/1993886.1993915.
[16] The LinBox group. FFLAS-FFPACK. http://linbox-team.github.io/fflas-ffpack.
[17] The LinBox group. LinBox. http://linalg.org.
[18] K. Mulmuley. A Fast Parallel Algorithm to Compute the Rank of a Matrix over an Arbitrary Field. In Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC '86, pages 338–339, New York, NY, USA, 1986. ACM. ISBN 978-0-89791-193-1. doi: 10.1145/12130.12164.
[19] Edward W. Ng, editor. EUROSAM '79, International Symposium on Symbolic and Algebraic Computation, Marseille, France, June 1979, Proceedings, volume 72 of LNCS, 1979. Springer. ISBN 3-540-09519-5. doi: 10.1007/3-540-09519-5.
[20] Clément Pernet and Arne Storjohann. Faster algorithms for the characteristic polynomial. In Christopher W. Brown, editor, ISSAC'2007, pages 307–314. ACM Press, New York, July 29 – August 1, 2007. doi: 10.1145/1277548.1277590.
[21] Omer Reingold, Guy N. Rothblum, and Ron D. Rothblum. Constant-round interactive proofs for delegating computation. In Daniel Wichs and Yishay Mansour, editors, Proceedings of the 48th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2016, Cambridge, MA, USA, June 18-21, 2016, pages 49–62. ACM, 2016. ISBN 978-1-4503-4132-5. doi: 10.1145/2897518.2897652.
[22] Mohab Safey El Din, editor. ISSAC'2017, Proceedings of the 2017 ACM International Symposium on Symbolic and Algebraic Computation, Kaiserslautern, Deutschland, July 2017. ACM Press, New York.
[23] Jacob T. Schwartz. Probabilistic algorithms for verification of polynomial identities. In Ng [19], pages 200–215. ISBN 3-540-09519-5. doi: 10.1007/3-540-09519-5_72.
[24] Arne Storjohann and Shiyun Yang. A Relaxed Algorithm for Online Matrix Inversion. In Kazuhiro Yokoyama, editor, ISSAC'2015, pages 339–346. ACM Press, New York, July 2015. ISBN 978-1-4503-3435-8. doi: 10.1145/2755996.2756672.
[25] Richard Zippel. Probabilistic algorithms for sparse polynomials. In Ng [19], pages 216–226. ISBN 3-540-09519-5. doi: 10.1007/3-540-09519-5_73.