On computation of the inverse of a polynomial map over finite fields using the reduced Koopman dual linear map
arXiv preprint [cs.SC], November 2020

A. Ramachandran and Virendra Sule
Department of Electrical Engineering, Indian Institute of Technology Bombay, India.
November 6, 2020
Abstract
This paper proposes a symbolic representation of non-linear maps $F$ on $\mathbb{F}^n$ in terms of a linear combination of basis functions of a subspace of $(\mathbb{F}^n)^*$, the dual space of $\mathbb{F}^n$. Using this representation, it is shown that the inverse of $F$, whenever it exists, can also be represented in a similar symbolic form using the same basis functions (with different coefficients). This form of representation should be of importance in solving many problems of iterations or compositions of non-linear maps by linear algebraic methods, which would otherwise require solving hard computational problems due to the non-linear nature of $F$.

Keywords: Polynomial maps in finite fields, inverse of a polynomial map, Koopman operator, dynamical systems over finite fields, permutation polynomials
Introduction

Over a finite field $\mathbb{F}$, maps $F:\mathbb{F}^n\to\mathbb{F}^n$ (defined as functions) arise in many practical situations, such as representing the state update of a finite state dynamical system, defining recurring sequences, defining permutations on $\mathbb{F}^n$, and in models of stream ciphers and biological networks. In such applications it is required to carry out computations such as deciding invertibility of $F$, computing fixed points and periodic points of $F$, computing lengths of closed cycles and chains of the iterates of $F$, and inverting $F$ by computing another map $G:\mathbb{F}^n\to\mathbb{F}^n$ such that $F\circ G = G\circ F = \mathrm{Id}_{\mathbb{F}^n}$. All such computational problems are known to be of NP class, as the orders of the sizes of the sets in which the solutions lie are always of exponential order in the log of the field size. Hence such computations are not practically feasible in all instances over large $\mathbb{F}$, and methods of computation are restricted to small finite fields. It is therefore of much interest in practice to know when such computations are feasible, or doable in practical time. (This is an issue of interest in practical computation, as exemplified by practical records of computation of the Travelling Salesperson Problem although it is known to be NP complete.) This paper addresses such a problem and presents a solution to the problem of computing the inverse formula $G$ by representing $F$ and $G$ both in terms of a linear space of functions.

Although dynamical systems with finite states (FSS) have been studied for a long time, known as finite state machines (FSMs) in Computer Science, Communication and Biology, several of their mathematical issues can be formulated over finite fields. Some of the well known references which reported the study of these systems over finite fields are [3, 2, 4, 5]. The problem of inverse computation of polynomial maps (as permutation polynomials in finite fields) has been studied independently of its connection with FSS; see [8] for comprehensive literature. In [12] inverses of permutation polynomials over finite fields of small degree are listed, while inverses of linearized polynomials are studied in [10].

The problem of inverting an image $y = F(x)$ of a polynomial map is also an independent problem, weaker than inverting $F$, and has been studied using algebraic geometric approaches in [1]. The book [7] gives a comprehensive account of dynamical systems defined over graphs analyzed by combinatorial methods. These are instances of a special class of such finite state systems, termed Sequential Dynamical Systems. None of these references however have reported the methodology of using the dual map $F^*$ for solving problems of these systems as proposed in this paper. In a companion paper announced recently [9], application of the linear reduced Koopman operator has also been shown for solving the observability problem of FSS with output maps.

The purpose of this paper is to show that the dual map $F^*$ acting in the vector space of functions on $\mathbb{F}^n$, denoted as $(\mathbb{F}^n)^*$ and also called the Koopman operator of $F$, facilitates many of the computations in applications by linear algebraic computations. In particular, it turns out that if the dimension $m$ of a specially defined invariant subspace of the Koopman operator is of practically small order in $n$ (or the log of the field size), then computation of the reduced Koopman operator, obtained by restriction to this space, gives practically feasible computation of solutions to these problems. Such a possibility of practically feasible computation is of enormous significance to several hard problems arising in Cryptology and biological networks. In this paper we show a representation of $F$ in terms of the invariant linear subspace of functions and show how the inverse map $G$ can also be represented in a similar way. The computation of the inverse formula is also feasible if $m$ is not of exponential order in $n$. Inverses of permutation polynomials in finite fields have been determined in [12].
However none of the previous references, to the best of the authors' knowledge, have shown the connection of inverting non-linear maps with the reduced dual operator $F^*$ and its representation as shown in this paper. Apart from the concrete formula for the inverse, this paper also gives a constructive method for computing the inverse of a map and determines when this method is feasible under realistic constraints of computation.

Maps over $\mathbb{F}_q$

Consider the map $f:\mathbb{F}_q\to\mathbb{F}_q$ (defined by a function $f$). The function $f$ is a polynomial $f(X)$ with $\mathbb{F}_q$ coefficients of degree at most $q-1$, where $X$ takes values $x$ in $\mathbb{F}_q$. We assume that the polynomial $f(X)$ is given when we say that the function $f$ is given. Let $(\mathbb{F}_q)^*$ denote the set of all functions from $\mathbb{F}_q$ to $\mathbb{F}_q$. The dual map $f^*:(\mathbb{F}_q)^*\to(\mathbb{F}_q)^*$ is defined by the action
$$f^*(\phi)(X) = (\phi\circ f)(X) = \phi(f(X)).$$
In the literature on dynamical systems this dual operator (on the space of functions on the state space of the dynamical system defined by $f$) is known as the Koopman operator.

Let $\chi$ denote the coordinate function $\chi(x) = x$, $x\in\mathbb{F}_q$. Construct the cyclic invariant subspace $S(f,\chi)$ of $f^*$ generated by the coordinate function $\chi$ under the action of $(f^*)^i$, $i = 1, 2, \ldots$, where $f^*(\chi)(x) = f(x)$. A natural basis of this subspace is
$$B = \{\chi,\ f^*(\chi),\ (f^*)^2(\chi),\ \ldots,\ (f^*)^{N-1}(\chi)\},$$
whose elements are linearly independent, while $(f^*)^N(\chi)$ is linearly dependent on the previous functions $(f^*)^i(\chi)$. Hence $\dim S(f,\chi) = N$. Let
$$(f^*)^N(\chi) = \sum_{i=0}^{N-1}\alpha_i\,(f^*)^i(\chi)$$
be the representation of $(f^*)^N(\chi)$ in the basis. Denote by $K_f = f^*|_{S(f,\chi)}$; we call $K_f$ the reduced Koopman operator of $f$. Let $M$ denote the matrix representation of $K_f$ in the basis $B$, called the matrix of the reduced Koopman operator. Let the basis set $B$ be denoted as $B = \{\psi_1,\psi_2,\ldots,\psi_N\}$ and let $\hat\psi$ denote the $N$-tuple column $\hat\psi = [\psi_1,\ldots,\psi_N]^T$. Then $M$ and $K_f$ satisfy the relation
$$K_f\hat\psi = [K_f(\psi_1),\ldots,K_f(\psi_N)]^T = M\hat\psi,$$
where $M$ is the $N\times N$ companion matrix over $\mathbb{F}_q$ in the ordered basis $\psi_i = (f^*)^{(i-1)}(\chi)$, given by
$$M = \begin{bmatrix} 0 & 1 & 0 & \cdots & 0\\ 0 & 0 & 1 & \cdots & 0\\ \vdots & & & \ddots & \vdots\\ 0 & 0 & 0 & \cdots & 1\\ \alpha_0 & \alpha_1 & \alpha_2 & \cdots & \alpha_{N-1}\end{bmatrix}. \qquad (1)$$
We show that $M$ inherits important properties of $f$.

Invertibility of $f$ in terms of $M$

First, it is easy to observe that if $f$ is a permutation of $\mathbb{F}_q$ then the dual map $f^*$ is one to one on the space of functions $(\mathbb{F}_q)^*$ as an $\mathbb{F}_q$ vector space. This is because if $f$ is one to one and there is a function $\phi$ such that $f^*(\phi) = 0$ as a function, then $\phi(f(x)) = 0$ for all $x$ in $\mathbb{F}_q$, which implies $\phi(y) = 0$ for all $y = f(x)$, hence $\phi = 0$ as a function. Moreover, invertibility of $f$ is inherited even by $K_f$, the reduced Koopman operator defined above.

Lemma 1. $f$ is a permutation of $\mathbb{F}_q$ iff $K_f$ is non-singular, equivalently iff $M$ is a non-singular matrix, equivalently iff $\alpha_0\neq 0$.

Proof. Necessity. Let $f$ be a permutation. Then as shown above $f^*$ is one to one on $(\mathbb{F}_q)^*$, hence the restriction $K_f = f^*|_S$ is also one to one.
Sufficiency. Conversely, let $f$ not be a permutation. Then there is a $\beta\in\mathbb{F}_q$ such that $\beta\notin\operatorname{im} f$. Since every function in $K_f(S)$ is of the form $f^*(\phi) = \phi\circ f$ for some $\phi$ in $S$, it follows that $\phi(\beta)$ is not in the image of $f^*(\phi)$ for any $\phi$ in $S$. However, $\operatorname{im}\chi = \mathbb{F}_q$ and $\chi$ belongs to $S$, hence $\chi$ cannot belong to $K_f(S)$, which implies $K_f$ is not surjective on $S$. This proves sufficiency.
The statements on the matrix representation $M$ of $K_f$ follow easily (the determinant of the companion matrix (1) is $\pm\alpha_0$). $\square$

Representation of $f$ in terms of the basis $B$

A more general statement than relating invertibility of $f$ to $M$ is the representation of $f$ facilitated by any basis $\{\psi_1,\psi_2,\ldots,\psi_N\}$ of the invariant subspace $S$. Since $S$ is $f^*$-invariant and $K_f$ denotes the action of $f^*$ on $S$, clearly $\chi$ has the representation in the basis
$$\chi = \langle v_0,\hat\psi(x)\rangle = v_0^T\hat\psi,$$
where $\langle u, v\rangle$ denotes the dot product of $N$-tuples. In the basis $B$ we get $\chi = \langle e_1,\hat\psi\rangle$.
Then the representation of $f$ itself in the basis $B$ is
$$f(x) = (f^*)(\chi)(x) = \langle v_0, M\hat\psi\rangle = \langle M^T v_0,\hat\psi\rangle = \langle v_1,\hat\psi\rangle,$$
while in the basis $B$ the vectors are $v_0 = e_1$ and $v_1 = e_2$. Hence it confirms that $f(x) = \langle e_2,\hat\psi\rangle$.

The inverse $f^{-1}$

When $f$ is invertible and $\dim S(f,\chi) = N$, the inverse function $g = f^{-1}$ is represented by the following formula. Let $c = (c_0, c_1,\ldots,c_{N-1})^T$ denote the first column of $(M^{-1})^T$, that is, the first row of $M^{-1}$ as displayed in (3) below.

Proposition 1.
$$g(x) = \sum_{i=0}^{N-1} c_i\,(f^{(i)})(x) \qquad (2)$$
where $c_i = -\alpha_{i+1}/\alpha_0$ for $i = 0,\ldots,N-2$ and $c_{N-1} = 1/\alpha_0$. (The representation of the inverse of $f$ in terms of the basis functions $B$ is thus given by the first row of $M^{-1}$.)

Proof. Since $M$ is the companion matrix as in (1), the matrix $M^{-1}$ is also a companion matrix,
$$M^{-1} = \begin{bmatrix} c_0 & c_1 & \cdots & c_{N-2} & c_{N-1}\\ 1 & 0 & \cdots & 0 & 0\\ 0 & 1 & \cdots & 0 & 0\\ \vdots & & \ddots & & \vdots\\ 0 & 0 & \cdots & 1 & 0\end{bmatrix}. \qquad (3)$$
Hence the following relations hold between the coefficients:
$$\alpha_0 c_0 + \alpha_1 = 0,\quad \alpha_0 c_1 + \alpha_2 = 0,\quad \ldots,\quad \alpha_0 c_{N-2} + \alpha_{N-1} = 0,\quad \alpha_0 c_{N-1} = 1.$$
The inverse formula $g(x)$ claimed is equivalent to
$$g(x) = g^*(\chi)(x) = \sum_{i=0}^{N-1} c_i\,(f^*)^i(\chi)(x).$$
Hence the formula is verified as
$$f^*(g)(x) = \sum_{i=0}^{N-1} c_i\,(f^*)^{i+1}(\chi)(x) = \sum_{i=0}^{N-2} c_i\,(f^*)^{i+1}(\chi)(x) + c_{N-1}\sum_{i=0}^{N-1}\alpha_i\,(f^*)^i(\chi)(x) = \chi(x) = x.$$
The last step follows from the relations between $c_i$ and $\alpha_i$ above. $\square$

Example

Consider the map $f(x) = x^3 + 2x^2 + 3x + 3$ over $\mathbb{F}_5$. The iterates of $\chi$ are given by the functions
$$\chi(x) = x,\qquad (f^*)(\chi)(x) = x^3 + 2x^2 + 3x + 3,\qquad (f^*)^2(\chi)(x) = 2x^3 + 3x^2 + 4x + 2,$$
while
$$(f^*)^3(\chi)(x) = 4x + 3\,(f^*)(\chi)(x) + 3\,(f^*)^2(\chi)(x).$$
The basis functions of the cyclic subspace are
$$B = \{x,\ x^3 + 2x^2 + 3x + 3,\ 2x^3 + 3x^2 + 4x + 2\},$$
and the representation of the Koopman operator restricted to this subspace with the basis $B$ is
$$K = \begin{bmatrix} 0 & 1 & 0\\ 0 & 0 & 1\\ 4 & 3 & 3\end{bmatrix},$$
and the inverse $K^{-1}$ is given as
$$K^{-1} = \begin{bmatrix} 3 & 3 & 4\\ 1 & 0 & 0\\ 0 & 1 & 0\end{bmatrix}.$$
The representation of $g(x) := f^{-1}$ in terms of the basis functions $B$ is $[3, 3, 4]^T$.
It is computed to be
$$g(x) = 3(x) + 3(x^3 + 2x^2 + 3x + 3) + 4(2x^3 + 3x^2 + 4x + 2) = x^3 + 3x^2 + 3x + 2.$$
It is verified to be the inverse as shown in the following table.

x    f(x)    g(f(x))
0    3       0
1    4       1
2    0       2
3    2       3
4    1       4

As expected, $g(f(x))$ is the identity map over $\mathbb{F}_5$.

Maps over $\mathbb{F}_q^n$

Consider a map $F:\mathbb{F}_q^n\to\mathbb{F}_q^n$. Such a map is defined by an $n$-tuple of polynomial functions
$$F(x) = (f_1(x_1,\ldots,x_n),\ \ldots,\ f_n(x_1,\ldots,x_n)),$$
where the $f_i$ are polynomial functions in the variables $x_i$ taking values in $\mathbb{F}_q$. The dual of $F$ is the linear map $F^*:(\mathbb{F}_q^n)^*\to(\mathbb{F}_q^n)^*$ defined on $\mathbb{F}_q$-valued functions of $n$ variables on $\mathbb{F}_q^n$ by the composition
$$F^*(\phi)(x) = \phi(F(x_1,\ldots,x_n))\quad\forall\,\phi\in(\mathbb{F}_q^n)^*.$$
The coordinate functions $\chi_i$ are defined by $\chi_i(x) = x_i$ for $x$ in $\mathbb{F}_q^n$. Construct an invariant subspace $W$ of $F^*$ containing all the coordinate functions as shown by Algorithm 1.

Algorithm 1
Construction of W: the F*-invariant subspace containing all χ_i(x)

procedure F*-invariant subspace containing χ_i(x)
  Outputs: W, the F*-invariant subspace which contains the coordinate functions;
           B, a basis for the subspace W.
  Compute the cyclic subspace Z(χ_1; F*) = ⟨χ_1, F*χ_1, ..., (F*)^{l_1 - 1} χ_1⟩.
  Choose the basis B = {χ_1, F*χ_1, ..., (F*)^{l_1 - 1} χ_1}.
  loop:
    if χ_1, χ_2, ..., χ_n ∈ Span{B} then
      W ← Span{B}; halt
    else
      find the smallest i such that χ_i ∉ Span{B}
      compute the smallest l_i such that (F*)^{l_i} χ_i ∈ Span{B} ∪ ⟨χ_i, F*χ_i, ..., (F*)^{l_i - 1} χ_i⟩
      V_i = {χ_i, F*χ_i, ..., (F*)^{l_i - 1} χ_i}
      append the set V_i to B
      go to loop

Once the $F^*$-invariant subspace $W$ is constructed, compute the matrix representation of $F^*|_W$ with respect to a basis of $W$. Let the dimension of this invariant subspace be $N$ and let the basis chosen for $W$ be denoted by
$$B = \{\psi_1,\psi_2,\ldots,\psi_N\}. \qquad (4)$$
Let the matrix representation of $F^*|_W$ in $B$ be denoted $M$. Since each of the coordinate functions lies in the subspace spanned by $B$, every coordinate function $\chi_i(x)$ corresponds uniquely to a vector $v_i\in\mathbb{F}_q^N$, the vector of coefficients in its representation w.r.t. $B$. First we observe:

Lemma 2. $F$ is invertible iff $M$ is non-singular.

Proof. Any function $\phi:\mathbb{F}_q^n\to\mathbb{F}_q$ satisfying $F^*(\phi) = 0$ satisfies $\phi(F(x)) = 0$ for all $x$. Hence when $F$ is invertible, $\phi(x) = 0$ for all $x$, which proves that $\phi$ is the zero function; hence $F^*$ is one to one. Hence the restriction $F^*|_W$ is also one to one, which implies $M$ is non-singular. This proves the necessity.
Conversely, if $F$ is not invertible, there is a point $\beta\in\mathbb{F}_q^n$ which is not in the image $\{F(x),\ x\in\mathbb{F}_q^n\}$. Since $M$ is the matrix representation of $F^*|_W$ in the basis $B$, every element of $F^*(W)$ is a function of the form $\phi = u^T M\hat\psi$ for some $N$-tuple $u$, which is expressed as
$$\phi(x) = \sum_{i=1}^N u_i\,\psi_i(F(x)) = \sum_{i=1}^N u_i\,F^*(\psi_i)(x)$$
for the components $u_i$ of $u$.
Hence $\psi_i(\beta)$ is not in the image of $F^*(\psi_i)$ for any $i$. Since $W$ is an invariant subspace of $F^*$, all of these functions belong to $W$. But since all the coordinate functions $\chi_i$ also belong to $W$ and $\beta = \hat\chi(\beta)$, it follows that $F^*$ is not surjective on $W$. Hence the matrix representation $M$ is singular. This proves sufficiency. $\square$

Next we develop the form of the inverse of $F$.

Proposition 2. If $F$ is invertible and $G = F^{-1}$, then $(G^*)(\chi_i)$ corresponds to the coefficient vector $(M^{-1})^T v_i$, where $v_i$ is the coefficient vector of $\chi_i$ in its representation in the basis $B$.

Proof. The representation of $\chi_i$ in $B$ is given by $(v_i)^T\hat\psi$, where $\hat\psi = (\psi_1,\psi_2,\ldots,\psi_N)^T$ and $\{\psi_i,\ i = 1,\ldots,N\}$ is the basis $B$. Since $M$ is non-singular when $F$ is invertible, by the previous lemma it follows that
$$(G^*)(\chi_i) = (F^*)^{-1}(\chi_i) = (v_i)^T (F^*)^{-1}\hat\psi = (v_i)^T M^{-1}\hat\psi,$$
which proves the form of the coefficients of $(G^*)(\chi_i)$. $\square$

Theorem 1.
Let $G = F^{-1}$ be denoted by $G(x) = (g_1(x),\ldots,g_n(x))^T$, where $x$ denotes the variable point in $\mathbb{F}_q^n$. Then each $g_i(x)$ is given by
$$g_i(x) = (v_i)^T M^{-1}\hat\psi, \qquad (5)$$
where $\hat\psi$ is the ordered basis $B$ of the $F^*$-invariant subspace $W$.

Proof. From the formula for the map $G$ it follows that
$$g_i(x_1,\ldots,x_n) = \chi_i(G(x_1,x_2,\ldots,x_n)) = (G^*)(\chi_i)(x) = (v_i)^T M^{-1}\hat\psi(x);$$
the last step follows from Proposition 2 above. $\square$

Representation of $F$ in terms of basis functions

The construction of $G = F^{-1}$ above utilizes an important fact, more general than just for invertible maps $F$: the representation of $F$ in terms of linear combinations of the basis functions $\psi_i$. Since each coordinate function has the unique representation $\chi_i(x) = v_i^T\hat\psi$, consider the matrix
$$V = \begin{bmatrix} v_1^T\\ v_2^T\\ \vdots\\ v_n^T\end{bmatrix},\qquad \hat\chi = V\hat\psi.$$
Hence we also get
$$F(x) = \widehat{F^*}(\chi_i)(x) = V M\hat\psi,\qquad F^{-1}(x) = V M^{-1}\hat\psi\ \text{ when } F \text{ is invertible}. \qquad (6)$$
In the above formula $\widehat{F^*}(\chi_i)$ denotes the $n$-tuple column of functions $F^*(\chi_i)$, where the $\chi_i$ are coordinate functions. Such a formula for a map $F$ should be valuable for a variety of computations. The inverse formula (5) proved above follows essentially from this representation. Moreover, we have the formula for the correspondence with the composition
$$F^{(2)}(x) = (F\circ F)(x) = V M^2\hat\psi. \qquad (7)$$
Finally, the representation of $F$ in (6) gives rise to a linear representation of the cyclic semigroup generated by $F$ under composition, as follows:
$$\hat\chi = V\hat\psi,\qquad F^{(i)}(x) = V M^i\hat\psi,\qquad F^{(i)}\circ F^{(j)}(x) = V M^{(i+j)}\hat\psi, \qquad (8)$$
with respect to a fixed basis (4) of $W$. When $F$ is invertible the above representation gives a representation of the cyclic group generated by $F$. The map $\sigma$ which associates $M$ to the map $F$ satisfies
$$\sigma(F^{(k)}\circ F^{(l)}) = M^k M^l = \sigma(F^{(k)})\,\sigma(F^{(l)})$$
and $\sigma(\mathrm{Id}) = \sigma(F\circ F^{-1}) = I$. Hence $\sigma$ is a homomorphism from the cyclic group generated by $F$ into the cyclic group generated by the matrix $M$ which represents $F$.
Thus the representation of the map $F$ results in a linear representation of the cyclic group generated by $F$ under composition over the field $\mathbb{F}_q$. Further analysis of the representation of sets of maps and their relationship with more general groups shall be pursued in a separate article.

Example

Consider the map $F:\mathbb{F}_2^3\to\mathbb{F}_2^3$ given by the following equation (with $x_i(k)$ the state at time $k$):
$$F(x_1,x_2,x_3) = \begin{bmatrix} x_2(k)\\ x_3(k)\\ x_1(k) + x_2(k)\,x_3(k)\end{bmatrix}.$$
The cyclic subspace is constructed starting from $\chi_1(x)$ as follows:
$$\chi_1 \to \chi_2 \to \chi_3 \to \chi_1 + \chi_2\chi_3 \to \chi_2 + \chi_1\chi_3 + \chi_2\chi_3 \to \chi_3 + \chi_1\chi_2 + \chi_1\chi_3 \to \chi_1 + \chi_1\chi_2 + \chi_2\chi_3,$$
and the last function is linearly dependent on the previous functions as follows:
$$\chi_1 + \chi_1\chi_2 + \chi_2\chi_3 = \chi_1 + \chi_2 + \chi_3 + (\chi_2 + \chi_1\chi_3 + \chi_2\chi_3) + (\chi_3 + \chi_1\chi_2 + \chi_1\chi_3),$$
and the basis functions are
$$B = \{\chi_1,\ \chi_2,\ \chi_3,\ \chi_1 + \chi_2\chi_3,\ \chi_2 + \chi_1\chi_3 + \chi_2\chi_3,\ \chi_3 + \chi_1\chi_2 + \chi_1\chi_3\},$$
and the matrix representation of the Koopman operator on this subspace is given by
$$M = \begin{bmatrix} 0&1&0&0&0&0\\ 0&0&1&0&0&0\\ 0&0&0&1&0&0\\ 0&0&0&0&1&0\\ 0&0&0&0&0&1\\ 1&1&1&0&1&1\end{bmatrix},\qquad M^{-1} = \begin{bmatrix} 1&1&0&1&1&1\\ 1&0&0&0&0&0\\ 0&1&0&0&0&0\\ 0&0&1&0&0&0\\ 0&0&0&1&0&0\\ 0&0&0&0&1&0\end{bmatrix}.$$
Each of the coordinate functions is represented in $B$ as
$$\chi_1 = e_1^T\hat\psi,\qquad \chi_2 = e_2^T\hat\psi,\qquad \chi_3 = e_3^T\hat\psi,$$
where the $e_i$ are the first three Cartesian unit vectors of $\mathbb{F}_2^6$. Hence $F$ has the representation
$$F(x) = \begin{bmatrix} e_1^T\\ e_2^T\\ e_3^T\end{bmatrix} M\hat\psi(x) = \begin{bmatrix} e_1^T\\ e_2^T\\ e_3^T\end{bmatrix}\begin{bmatrix} \chi_2\\ \chi_3\\ \chi_1 + \chi_2\chi_3\\ \chi_2 + \chi_1\chi_3 + \chi_2\chi_3\\ \chi_3 + \chi_1\chi_2 + \chi_1\chi_3\\ \chi_1 + \chi_1\chi_2 + \chi_2\chi_3\end{bmatrix}(x),$$
which agrees with the given $F$. The inverse map $F^{-1}$ exists since $M$ is non-singular. In terms of $M^{-1}$ the representation of $F^{-1}$ is
$$F^{-1}(x) = \begin{bmatrix} e_1^T\\ e_2^T\\ e_3^T\end{bmatrix} M^{-1}\hat\psi(x) = \begin{bmatrix} e_1^T\\ e_2^T\\ e_3^T\end{bmatrix}\begin{bmatrix} \chi_3 + \chi_1\chi_2\\ \chi_1\\ \chi_2\\ *\\ *\\ *\end{bmatrix}(x) = \begin{bmatrix} \chi_3 + \chi_1\chi_2\\ \chi_1\\ \chi_2\end{bmatrix}(x) = \begin{bmatrix} x_3 + x_1x_2\\ x_1\\ x_2\end{bmatrix}.$$
It is easily verified that
$$F^*\begin{bmatrix} x_3 + x_1x_2\\ x_1\\ x_2\end{bmatrix} = \begin{bmatrix} x_1\\ x_2\\ x_3\end{bmatrix},$$
i.e. $F^{-1}\circ F = \mathrm{Id}$.

Complexity of the computation

It is shown above how a symbolic inverse of a polynomial map $F$ is computed using a restriction of the Koopman operator $F^*$ to the invariant subspace $W$. The computation is mainly dominated by composition of polynomials and computation of linear dependence in the space of polynomial functions over the underlying finite field. Such computations have been known to be of polynomial order [6, 11] in the field size.
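The computation just summarized (composing with $F$ to apply $F^*$, testing linear dependence, forming $M$ and $M^{-1}$, and reading the inverse off formula (6)) is carried out below in Python as an added example; it is not code from the paper or its authors. It implements Algorithm 1 and Theorem 1 for a prime field $\mathbb{F}_p$ by storing each function $\mathbb{F}_p^n\to\mathbb{F}_p$ as its table of values at all $p^n$ points (so $F^*(\phi)=\phi\circ F$ is a table lookup) instead of as a reduced polynomial, and it decides linear dependence by Gaussian elimination modulo $p$. The class `ReducedKoopman`, the helper `in_span` and the method names are this example's own choices. It reproduces both examples of the text, the one-variable map $f(x)=x^3+2x^2+3x+3$ over $\mathbb{F}_5$ (recovering $\alpha=(4,3,3)$ and $c=(3,3,4)$) and the three-variable map over $\mathbb{F}_2$ (recovering $F^{-1}=(x_3+x_1x_2,\,x_1,\,x_2)$), checks the composition formula (8) for $F^{(2)}=VM^2\hat\psi$, and detects a non-invertible map through the singularity of $M$ (Lemma 2).

```python
from itertools import product


def inv_mod(a, p):
    """Inverse of a nonzero residue a in the prime field F_p (Fermat)."""
    return pow(a % p, p - 2, p)


def in_span(vectors, v, p):
    """Coefficients c with sum_j c_j*vectors[j] == v over F_p, or None if v is
    outside their span.  Gaussian elimination on the augmented system whose
    columns are the vectors; columns without a pivot (if any) get weight 0."""
    k, m = len(vectors), len(v)
    rows = [[w[i] % p for w in vectors] + [v[i] % p] for i in range(m)]
    r, piv = 0, []
    for c in range(k):
        pr = next((i for i in range(r, m) if rows[i][c]), None)
        if pr is None:
            continue
        rows[r], rows[pr] = rows[pr], rows[r]
        s = inv_mod(rows[r][c], p)
        rows[r] = [x * s % p for x in rows[r]]
        for i in range(m):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[r])]
        piv.append(c)
        r += 1
    if any(not any(row[:k]) and row[k] for row in rows):
        return None                     # zero row with nonzero right-hand side
    coeff = [0] * k
    for i, c in enumerate(piv):
        coeff[c] = rows[i][k]
    return coeff


class ReducedKoopman:
    """Algorithm 1, the matrix M of F*|_W and formulas (6)/(8) for a map
    F: F_p^n -> F_p^n, p prime.  F is a callable on n-tuples returning an
    n-tuple; functions F_p^n -> F_p are value tables indexed by self.pts."""

    def __init__(self, F, p, n):
        self.p, self.n = p, n
        self.pts = list(product(range(p), repeat=n))
        idx = {x: i for i, x in enumerate(self.pts)}
        self.img = [idx[tuple(c % p for c in F(x))] for x in self.pts]
        chi = [[x[j] for x in self.pts] for j in range(n)]  # coordinate functions
        self.basis = []                                     # psi_1 .. psi_N
        for j in range(n):                                  # Algorithm 1: extend a
            phi = chi[j]                                    # chain from chi_j until
            while in_span(self.basis, phi, p) is None:      # it becomes dependent
                self.basis.append(phi)
                phi = self.dual(phi)
        self.N = len(self.basis)
        self.V = [in_span(self.basis, ch, p) for ch in chi]  # rows v_i^T of V
        # row i of M holds the coordinates of F*(psi_i) in B: K_F psi^ = M psi^
        self.M = [in_span(self.basis, self.dual(psi), p) for psi in self.basis]
        self.Minv = self._inverse(self.M)                   # None iff M singular

    def dual(self, phi):
        """Koopman action F*(phi) = phi o F on a value table."""
        return [phi[i] for i in self.img]

    def _inverse(self, M):
        cols = [[M[i][k] for i in range(self.N)] for k in range(self.N)]
        sol = []
        for j in range(self.N):         # column j of M^{-1} solves M x = e_j
            x = in_span(cols, [int(i == j) for i in range(self.N)], self.p)
            if x is None:
                return None             # singular: by Lemma 2, F is not invertible
            sol.append(x)
        return [[sol[j][i] for j in range(self.N)] for i in range(self.N)]

    def invertible(self):
        return self.Minv is not None

    def power_coords(self, k):
        """Coefficient rows of F^(k) in B, i.e. V M^k as in (8); k = -1 gives
        the inverse of Theorem 1 / formula (6)."""
        if k < 0 and self.Minv is None:
            raise ValueError("F is not invertible")
        base = self.M if k >= 0 else self.Minv
        Mk = [[int(i == j) for j in range(self.N)] for i in range(self.N)]
        for _ in range(abs(k)):
            Mk = [[sum(a * b for a, b in zip(row, col)) % self.p
                   for col in zip(*base)] for row in Mk]
        return [[sum(v[j] * Mk[j][c] for j in range(self.N)) % self.p
                 for c in range(self.N)] for v in self.V]

    def power_table(self, k):
        """F^(k) as a dict point -> point, evaluated from its coordinates in B."""
        vals = [[sum(c * psi[i] for c, psi in zip(row, self.basis)) % self.p
                 for i in range(len(self.pts))] for row in self.power_coords(k)]
        return {x: tuple(vals[j][i] for j in range(self.n))
                for i, x in enumerate(self.pts)}
```

Usage: `ReducedKoopman(lambda x: ((x[0]**3 + 2*x[0]**2 + 3*x[0] + 3) % 5,), 5, 1)` has `M[-1] == [4, 3, 3]` (the $\alpha_i$ of the companion matrix (1)) and `Minv[0] == [3, 3, 4]` (the $c_i$ of Proposition 1), and `power_table(-1)` tabulates $g$. The value-table representation is exhaustive in $p^n$ and only serves to make the linear algebra concrete; the symbolic output is `power_coords(-1)`, the coefficient row $(v_i)^T M^{-1}$ of each $g_i$ in the basis $B$, which is what Theorem 1 computes.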
For a finite field $\mathbb{F}_q$ and a one variable map $f:\mathbb{F}_q\to\mathbb{F}_q$, both of these operations are of polynomial order $O(m(\log q)^k)$, where $m$ is the size of $M$ (or the dimension of $W$), when powering of a polynomial is done by repeated squaring and residues are computed with respect to the polynomial $X^q - X$, since the degree of $f$ is also at most $q-1$. For the several variable map $F:\mathbb{F}_q^n\to\mathbb{F}_q^n$ the complexity will grow to the order $O(N n^l q^k)$ for some $k, l$, where $N$ is the dimension of $W$. In certain applications $\mathbb{F}_q$ is itself of exponential order over a prime field of small characteristic, as $q = p^m$. In such cases the computations required for the inverse are of exponential order in $m$. However, for $m$ of small enough order in $\log(q^n)$, the dimension of the invariant subspace $W$ needed in Theorem 1 may be small enough for some instances of maps $F$. In such cases the computations can be practically feasible. Such cases facilitate the development of practical records of computation of inverses.

The formula for the inverse of a map $F$ solves the problem of computing the inverse image $x$ given $y = F(x)$. Hence the problem of computing the inverse image is weaker than computing the inverse formula. However, it is not clear how much simpler this problem is. In fact, in general the problem of computing the inverse image is equivalent to computing a rational root of a polynomial over $\mathbb{F}_p$ in several variables, or that of the one variable equation $y - f(x) = 0$ over $\mathbb{F}_q$ when $f$ is a function of one variable. In general such a problem is known to be of NP class for general $q$. However, for small $q$, factorization of a polynomial into irreducible factors (Berlekamp's algorithm) is known to be of polynomial order [11]. Hence whenever the dimension of the space $W$ is not of exponential order over $\mathbb{F}_p$, both problems can be solved computationally in feasible time.

Conclusion

This paper develops a formula for the representation of a map $F:\mathbb{F}_q^n\to\mathbb{F}_q^n$ in a linear form in terms of its dual $F^*$ restricted to an invariant subspace, called its reduced Koopman operator, and its matrix representation. The form is extended to $F^{-1}$ whenever $F$ is invertible. When this invariant subspace has dimension of small enough order in $q$ and $n$, the computations are feasible in practice. Hence this formula should be useful for feasible computation of inverse images of non-linear maps.
Such a concrete formula for the inverse of a polynomial map does not seem to have been formally published previously, to the best of the authors' knowledge. However, the form is obvious as a linear representation of a non-linear map on the space of functions.

References

[1] G. M. A. Cafure and A. Waissbein. Inverting bijective polynomial maps over finite fields. IEEE Information Theory Workshop - ITW '06, Punta del Este, 2006.
[2] A. R. Gill. Introduction to the Theory of Finite State Machines. McGraw-Hill Inc., US, 1962.
[3] A. R. Gill. Linear Sequential Circuits - Analysis, Synthesis and Applications. McGraw-Hill Book Company, 1966.
[4] S. W. Golomb. Shift Register Sequences. Aegean Park Press, 1982.
[5] M. A. Harrison. Lectures on Linear Sequential Machines. Academic Press, New York and London, 1969.
[6] D. E. Knuth. The Art of Computer Programming: Vol. 2, Seminumerical Algorithms. Addison-Wesley, Reading, Massachusetts, 1981.
[7] H. S. Mortveit and C. M. Reidys. An Introduction to Sequential Dynamical Systems. Springer, 2008.
[8] G. L. Mullen and D. Panario. Handbook of Finite Fields. CRC Press, 2013.
[9] A. Ramachandran and V. Sule. Koopman operator approach for computing structure of solutions and observability of non-linear finite state system. 2020.
[10] A. Tuxanidy and Q. Wang. On the inverses of some classes of permutations of finite fields. Finite Fields and Their Applications, 28:244–281, 2014.
[11] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge University Press, Cambridge, UK, 1999.
[12] Y. Zheng, Q. Wang, and W. Wei. On inverses of permutation polynomials of small degree over finite fields.