Revisiting sums and products in countable and finite fields

Abstract

We establish a polynomial ergodic theorem for actions of the affine group of a countable field K. As an application, we deduce—via a variant of Furstenberg’s correspondence principle—that for fields of characteristic zero, any ‘large’ set $E\subset K$ contains ‘many’ patterns of the form $\{p(u)+v,uv\}$, for every non-constant polynomial $p(x)\in K[x]$. Our methods are flexible enough that they allow us to recover analogous density results in the setting of finite fields and, with the aid of a finitistic variant of Bergelson’s ‘colouring trick’, show that for $r\in \mathbb N$ fixed, any $r$-colouring of a large enough finite field will contain monochromatic patterns of the form $\{u,p(u)+v,uv\}$. In a different direction, we obtain a double ergodic theorem for actions of the affine group of a countable field. An adaptation of the argument for affine actions of finite fields leads to a generalization of a theorem of Shkredov. Finally, to highlight the utility of the aforementioned finitistic ‘colouring trick’, we provide a conditional, elementary generalization of Green and Sanders’ $\{u,v,u+v,uv\}$ theorem.

Similar Papers
  • Book Chapter
  • Citations: 7
  • 10.1007/978-3-031-22318-1_17
Scalable and Transparent Proofs over All Large Fields, via Elliptic Curves
  • Jan 1, 2022
  • Eli Ben–Sasson + 3 more

Concretely efficient interactive oracle proofs (IOPs) are of interest due to their applications to scaling blockchains, their minimal security assumptions, and their potential future-proof resistance to quantum attacks. Scalable IOPs, in which prover time scales quasilinearly with the computation size and verifier time scales poly-logarithmically with it, have been known to exist thus far only over a set of finite fields of negligible density, namely, over “FFT-friendly” fields that contain a sub-group of size $2^{k}$. Our main result is to show that scalable IOPs can be constructed over any sufficiently large finite field, of size that is at least quadratic in the length of computation whose integrity is proved by the IOP. This result has practical applications as well, because it reduces the proving and verification complexity of cryptographic statements that are naturally stated over pre-defined finite fields which are not “FFT-friendly”. Prior state-of-the-art scalable IOPs relied heavily on arithmetization via univariate polynomials and Reed–Solomon codes over FFT-friendly fields. To prove our main result and extend scalability to all large finite fields, we generalize the prior techniques and use new algebraic geometry codes evaluated on sub-groups of elliptic curves (elliptic curve codes). We also show a new arithmetization scheme that uses the rich and well-understood group structure of elliptic curves to reduce statements of computational integrity to other statements about the proximity of functions evaluated on the elliptic curve to the new family of elliptic curve codes.

  • Research Article
  • 10.2140/pjm.2022.319.213
Algebraic geometric secret sharing schemes over large fields are asymptotically threshold
  • Aug 28, 2022
  • Pacific Journal of Mathematics
  • Fan Peng + 2 more

In the Chen–Cramer Crypto 2006 paper, algebraic geometric secret sharing schemes were proposed such that the Fundamental Theorem in Information-Theoretically Secure Multiparty Computation by Ben-Or, Goldwasser and Wigderson and by Chaum, Crépeau and Damgård can be established over constant-size base finite fields. These algebraic geometric secret sharing schemes, defined by a curve of genus $g$ over a constant-size finite field ${\bf F}_q$, are quasi-threshold in the following sense: any subset of $u \leq T-1$ players (non-qualified) has no information about the secret, and any subset of $u \geq T+2g$ players (qualified) can reconstruct the secret. It is natural to ask how far from threshold these quasi-threshold secret sharing schemes are. How many subsets of $u \in [T, T+2g-1]$ players can recover the secret or have no information about the secret? In this paper it is proved that almost all subsets of $u \in [T,T+g-1]$ players have no information about the secret and almost all subsets of $u \in [T+g,T+2g-1]$ players can reconstruct the secret when the size $q$ goes to infinity and the genus satisfies $\lim \frac{g}{\sqrt{q}}=0$. Then algebraic geometric secret sharing schemes over large finite fields are asymptotically threshold in this case. We also analyze the case when the size $q$ of the base field is fixed and the genus goes to infinity.

  • Research Article
  • Citations: 6
  • 10.1007/s00493-020-4360-1
Lossless Dimension Expanders Via Linearized Polynomials and Subspace Designs
  • Feb 1, 2021
  • Combinatorica
  • Venkatesan Guruswami + 2 more

For a vector space $\mathbb{F}^n$ over a field $\mathbb{F}$, an $(\eta, \beta)$-dimension expander of degree $d$ is a collection of $d$ linear maps $\Gamma_j : \mathbb{F}^n \to \mathbb{F}^n$ such that for every subspace $U$ of $\mathbb{F}^n$ of dimension at most $\eta n$, the image of $U$ under all the maps, $\sum_{j=1}^{d} \Gamma_j(U)$, has dimension at least $\alpha \dim(U)$. Over a finite field, a random collection of $d = O(1)$ maps $\Gamma_j$ offers excellent “lossless” expansion whp: $\beta \approx d$ for $\eta \ge \Omega(1/d)$. When it comes to a family of explicit constructions (for growing $n$), however, achieving even modest expansion factor $\beta = 1+\varepsilon$ with constant degree is a non-trivial goal. We present an explicit construction of dimension expanders over finite fields based on linearized polynomials and subspace designs, drawing inspiration from recent progress on list decoding in the rank metric. Our approach yields the following: Lossless expansion over large fields; more precisely $\beta \ge (1-\varepsilon)d$ and $\eta \ge \frac{1-\varepsilon}{d}$ with $d = O_\varepsilon(1)$, when $|\mathbb{F}| \ge \Omega(n)$. Optimal up to constant factors expansion over fields of arbitrarily small polynomial size; more precisely $\beta \ge \Omega(\delta d)$ and $\eta \ge \Omega(1/(\delta d))$ with $d = O_\delta(1)$, when $|\mathbb{F}| \ge n^{\delta}$. Previously, an approach reducing to monotone expanders (a form of vertex expansion that is highly non-trivial to establish) gave $(\Omega(1), 1+\Omega(1))$-dimension expanders of constant degree over all fields. An approach based on “rank condensing via subspace designs” led to dimension expanders with $\beta \gtrsim \sqrt{d}$ over large finite fields. Ours is the first construction to achieve lossless dimension expansion, or even expansion proportional to the degree.

  • Research Article
  • Citations: 24
  • 10.1109/tit.2015.2473863
Multicast Network Coding and Field Sizes
  • Nov 1, 2015
  • IEEE Transactions on Information Theory
  • Qifu Tyler Sun + 3 more

In an acyclic multicast network, it is well known that a linear network coding solution over GF($q$) exists when $q$ is sufficiently large. In particular, for each prime power $q$ no smaller than the number of receivers, a linear solution over GF($q$) can be efficiently constructed. In this work, we reveal that a linear solution over a given finite field does not necessarily imply the existence of a linear solution over all larger finite fields. Specifically, we prove by construction that: (i) For every source dimension no smaller than 3, there is a multicast network linearly solvable over GF(7) but not over GF(8), and another multicast network linearly solvable over GF(16) but not over GF(17); (ii) There is a multicast network linearly solvable over GF(5) but not over such GF($q$) that $q > 5$ is a Mersenne prime plus 1, which can be extremely large; (iii) A multicast network linearly solvable over GF($q^{m_1}$) and over GF($q^{m_2}$) is not necessarily linearly solvable over GF($q^{m_1+m_2}$); (iv) There exists a class of multicast networks with a set $T$ of receivers such that the minimum field size $q_{min}$ for a linear solution over GF($q_{min}$) is lower bounded by $\Theta(\sqrt{|T|})$, but not every larger field than GF($q_{min}$) suffices to yield a linear solution. The insight brought from this work is that not only the field size, but also the order of subgroups in the multiplicative group of a finite field affects the linear solvability of a multicast network.

  • Research Article
  • 10.4171/owr/2004/54
Finite Fields: Theory and Applications
  • Sep 30, 2005
  • Oberwolfach Reports
  • Joachim Von Zur Gathen + 2 more

The workshop Finite Fields: Theory and Applications was organized by Joachim von zur Gathen (Bonn), Igor Shparlinski (Sydney), and Henning Stichtenoth (Essen), and ran from 5 to 11 December 2004. Its forty participants, with a wide geographical distribution, enjoyed the hospitality of the Mathematical Research Institute, and its beautiful surroundings. Two previous meetings on the topic had been held in 1997 and 2001. The schedule consisted of three plenary talks each morning, and specialized sessions later in the day, with vast time for discussions and collaborative work. The traditional Wednesday afternoon hike was blessed with wonderful sunny weather and the compulsory Black Forest cake reward at the end. Very broadly, we can distinguish seven subject areas: Of course, many of the results presented bridge between two or more of these areas. The abstracts that follow speak for themselves. Avoiding an exhaustive discussion, we now mention one particular talk from each of the seven areas. The structure theory includes questions about polynomials. The well-known Hansen–Mullen conjecture (whose second author was in the audience) was stated in 1992 and asserts that for any finite field $\mathbb F_{q}$, integers $n$ and $m$ with $0 < m < n$ and $a \in \mathbb F_{q}$, there exists a monic primitive polynomial in $\mathbb F_{q}[x]$ of degree $n$ having $a$ as the coefficient of $x^{m}$; there are a few well-known exceptional cases where this fails to hold. Cohen presented a proof of this conjecture at degrees $n \ge 9$, assuring the audience that smaller values of $n$ are also under consideration. Towers of function fields are of great interest because they may yield good algebraic-geometric codes. Beelen introduced a recursive construction of such towers, using a certain type of Fuchsian differential equations. They can be obtained from modular curves, and in some cases can be shown to be asymptotically optimal (in terms of the parameters of the resulting codes).
A conjecture concerning points on varieties was stated by Heath–Brown. Namely, he considers a nonsingular nonlinear hypersurface $X$ in $\mathbb P^{n}$ defined over $\mathbb Q$, considers the number $N(B)$ of points on $X$ with rational integral coefficients absolutely bounded by $B$, and conjectures that this number is $O(B^{n-1+\epsilon})$ for any positive $\epsilon$. Browning presented his proof of this conjecture in all cases, with the possible exceptions $d = 3,4$ and $n = 7,8$. In the theory of error-correcting codes, finite fields were fundamental from its beginning in the 1940s. Their importance was heightened by the construction of codes from algebraic curves over finite fields. Voloch discussed a different connection: the quadratic residue codes. It is unknown whether subfamilies of them can yield asymptotically good codes. Voloch showed that there exist subfamilies that do not yield good codes. This is based on an expression of the minimal distance by exponential sums, due to Helleseth, and estimates on the smallest prime that splits completely in a number field. For computation, a difficult class of objects are bivariate polynomials presented in a particularly generous format, namely as a sum of terms where the exponents are written in binary (or decimal). Thus we look at polynomials of humongous degrees. Kaltofen presented two results which illuminate the wide range of behavior for questions about such polynomials. Over the rational numbers, he can compute the linear and quadratic factors in polynomial time. Over a large finite field, testing irreducibility is NP-hard (under randomized reductions). As a question from combinatorics, we give the following illustrative example. A sum-free set $A$ in an additive group $G$ is such that $x+y \ne z$ for all $x, y, z \in A$. For instance the additive group $G = \mathbb Z_{p}$ for a prime $p$ and $A=\{n, n+1, \ldots, 2n-1\}$ for $n= \lfloor (p+1)/3 \rfloor$ is a sum-free set.
We can also multiply each element of $A$ by a fixed nonzero element of $\mathbb Z_{p}$. When $p \equiv 2 \bmod 3$, no other sum-free subsets of $\mathbb Z_{p}$ exist. Lev shows that the assumption $\#A \geq 0.33p$ implies that $A$ is contained in the corresponding interval or a dilation of it. In cryptography, a central question is the conjectured difficulty of computing the discrete logarithm in certain groups. The method of index calculus provides a subexponential algorithm in the unit groups of finite fields. Elliptic curves owe their popularity in cryptography to the absence, so far, of any discrete logarithm computation of comparable efficiency. Semaev presented an approach, rather speculative at this point, aimed at finding such a method; it works with the new notion of summation polynomials which vanish at the $x$-coordinates of points that sum to 0 on the curve.

  • Research Article
  • Citations: 31
  • 10.1145/2093139.2093141
Efficient software implementations of large finite fields $GF(2^n)$ for secure storage applications
  • Feb 1, 2012
  • ACM Transactions on Storage
  • Jianqiang Luo + 3 more

Finite fields are widely used in constructing error-correcting codes and cryptographic algorithms. In practice, error-correcting codes use small finite fields to achieve high-throughput encoding and decoding. Conversely, cryptographic systems employ considerably larger finite fields to achieve high levels of security. We focus on developing efficient software implementations of arithmetic operations in reasonably large finite fields as needed by secure storage applications. In this article, we study several arithmetic operation implementations for finite fields ranging from $GF(2^{32})$ to $GF(2^{128})$. We implement multiplication and division in these finite fields by making use of precomputed tables in smaller fields, and several techniques of extending smaller field arithmetic into larger field operations. We show that by exploiting known techniques, as well as new optimizations, we are able to efficiently support operations over finite fields of interest. We perform a detailed evaluation of several techniques, and show that we achieve very practical performance for both multiplication and division. Finally, we show how these techniques find applications in the implementation of HAIL, a highly available distributed cloud storage layer. Using the newly implemented arithmetic operations in $GF(2^{64})$, HAIL improves its performance by a factor of two, while simultaneously providing a higher level of security.

  • Research Article
  • Citations: 14
  • 10.4153/cjm-1984-016-6
Diagonal Equations Over Large Finite Fields
  • Apr 1, 1984
  • Canadian Journal of Mathematics
  • Charles Small

We consider polynomials of the form with non-zero coefficients $a_i$ in a finite field $F$. For any finite extension field $K \supseteq F$, let $f_K : K^n \to K$ be the mapping defined by $f$. We say $f$ is universal over $K$ if $f_K$ is surjective, and $f$ is isotropic over $K$ if $f_K$ has a non-trivial “kernel”; the latter means $f_K(x) = 0$ for some $0 \ne x \in K^n$. We show (Theorem 1) that $f$ is universal over $K$ provided $|K|$ (the cardinality of $K$) is larger than a certain explicit bound given in terms of the exponents $d_1, \ldots, d_n$. The analogous fact for isotropy is Theorem 2. It should be noted that in studying diagonal equations we fix both the number of variables $n$ and the exponents $d_i$, and ask how large the field must be to guarantee a solution.

  • Research Article
  • Citations: 12
  • 10.1090/s0025-5718-1990-1011448-0
Factoring multivariate polynomials over large finite fields
  • Jan 1, 1990
  • Mathematics of Computation
  • Da Qing Wan

A simple probabilistic algorithm is presented to find the irreducible factors of a bivariate polynomial over a large finite field. For a polynomial $f(x,y)$ over $\mathbb{F}_q$ of total degree $n$, our algorithm takes at most $n^{4.89}\log^{2} n \log q$ operations in $\mathbb{F}_q$ to factor $f(x,y)$ completely. This improves a probabilistic factorization algorithm of von zur Gathen and Kaltofen, which takes $O(n^{11}\log n\log q)$ operations to factor $f(x,y)$ completely over $\mathbb{F}_q$. The algorithm can be easily generalized to factor multivariate polynomials over finite fields. We shall give two further applications of the idea involved in the algorithm. One is concerned with exponential sums; the other is related to permutational polynomials over finite fields (a conjecture of Chowla and Zassenhaus).

  • Research Article
  • Citations: 21
  • 10.1006/jagm.1999.1045
Interpolation of Sparse Multivariate Polynomials over Large Finite Fields with Applications
  • Nov 1, 1999
  • Journal of Algorithms
  • Ming-Deh A Huang + 1 more

  • Research Article
  • 10.1145/3580351
Constructing Faithful Homomorphisms over Fields of Finite Characteristic
  • Mar 31, 2023
  • ACM Transactions on Computation Theory
  • Prerona Chatterjee + 1 more

We study the question of algebraic rank or transcendence degree preserving homomorphisms over finite fields. This concept was first introduced by Beecken et al. [3] and exploited by them, and Agrawal et al. [2], to design algebraic independence–based identity tests using the Jacobian criterion over characteristic zero fields. An analogue of such constructions over finite characteristic fields was unknown due to the failure of the Jacobian criterion over finite characteristic fields. Building on a recent criterion of Pandey et al. [15], we construct explicit faithful maps for some natural classes of polynomials in the positive characteristic field setting, when a certain parameter called the inseparable degree of the underlying polynomials is bounded (this parameter is always 1 in fields of characteristic zero). This presents the first generalisation of some of the results of Beecken et al. [3] and Agrawal et al. [2] in the positive characteristic setting.

  • Book Chapter
  • Citations: 25
  • 10.1007/978-3-319-63697-9_14
Private Multiplication over Finite Fields
  • Jan 1, 2017
  • Sonia Belaïd + 5 more

The notion of privacy in the probing model, introduced by Ishai, Sahai, and Wagner in 2003, is nowadays frequently involved to assess the security of circuits manipulating sensitive information. However, provable security in this model still comes at the cost of a significant overhead both in terms of arithmetic complexity and randomness complexity. In this paper, we deal with this issue for circuits processing multiplication over finite fields. Our contributions are manifold. Extending the work of Belaid, Benhamouda, Passelegue, Prouff, Thillard, and Vergnaud at Eurocrypt 2016, we introduce an algebraic characterization of the privacy for multiplication in any finite field and we propose a novel algebraic characterization for non-interference (a stronger security notion in this setting). Then, we present two generic constructions of multiplication circuits in finite fields that achieve non-interference in the probing model. Denoting by $d$ the number of probes used by the adversary, the first proposal reduces the number of bilinear multiplications (i.e., of general multiplications of two non-constant values in the finite field) to only $2d+1$ whereas the state-of-the-art was $O(d^2)$. The second proposal reduces the randomness complexity to $d$ random elements in the underlying finite field, hence improving the $O(d \log d)$ randomness complexity achieved by Belaid et al. in their paper. This construction is almost optimal since we also prove that $d/2$ is a lower bound. Eventually, we show that both algebraic constructions can always be instantiated in large enough finite fields. Furthermore, for the important cases $d \in \{2,3\}$, we illustrate that they perform well in practice by presenting explicit realizations for finite fields of practical interest.

  • Research Article
  • Citations: 38
  • 10.1016/j.ffa.2018.08.011
Self-dual codes and orthogonal matrices over large finite fields
  • Sep 5, 2018
  • Finite Fields and Their Applications
  • Minjia Shi + 3 more

  • Research Article
  • Citations: 58
  • 10.1016/j.ffa.2017.11.007
Constructions of optimal LCD codes over large finite fields
  • Dec 1, 2017
  • Finite Fields and Their Applications
  • Lin Sok + 2 more

  • Conference Article
  • Citations: 12
  • 10.1109/isnetcod.2011.5978939
Rank Distribution Analysis for Sparse Random Linear Network Coding
  • Jul 1, 2011
  • Xiaolin Li + 2 more

In this paper, the decoding failure probability for sparse random linear network coding in a probabilistic network model is analyzed. The network transfer matrix is modeled by a random matrix consisting of independently and identically distributed elements chosen from a large finite field, and the probability of choosing each nonzero field element tends to zero, as the finite field size tends to infinity. In the case of a constant dimension subspace code over a large finite field with bounded distance decoding, the decoding failure probability is given by the rank distribution of a random transfer matrix. We prove that the latter can be completely characterized by the zero pattern of the matrix, i.e., where the zeros are located in the matrix. This insight allows us to use counting arguments to derive useful upper and lower bounds on the rank distribution and hence the decoding failure probability. Our rank distribution analysis not only sheds some light on how to minimize network resource in a sparse random linear network coding application, but is also of theoretical interest due to its connection with probabilistic combinatorics.

  • Book Chapter
  • Citations: 80
  • 10.1007/3-540-58691-1_64
Constructing elliptic curves with given group order over large finite fields
  • Jan 1, 1994
  • Georg-Johann Lay + 1 more

A procedure is developed for constructing elliptic curves with given group order over large finite fields. The generality of the construction allows an arbitrary choice of the parameters involved. For instance, it is possible to specify the finite field, the group order or the class number of the endomorphism ring of the elliptic curve. This is important for various applications in computational number theory and cryptography. Moreover, we give a method that yields all representations of a given integer as a norm in an imaginary quadratic field.
