Solving systems of linear equations over finite fields

Similar documents
On the Unique Games Conjecture

(67902) Topics in Theory and Complexity Nov 2, Lecture 7

1 Formulating The Low Degree Testing Problem

Linearity and Group Homomorphism Testing / Testing Hadamard Codes

Mathematical finance and linear programming (optimization)

A Working Knowledge of Computational Complexity for an Optimizer

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Lecture 13 - Basic Number Theory.

Chapter Load Balancing. Approximation Algorithms. Load Balancing. Load Balancing on 2 Machines. Load Balancing: Greedy Scheduling

7 Gaussian Elimination and LU Factorization

! Solve problem to optimality. ! Solve problem in poly-time. ! Solve arbitrary instances of the problem. !-approximation algorithm.

Factoring & Primality

5.1 Bipartite Matching

5 INTEGER LINEAR PROGRAMMING (ILP) E. Amaldi Fondamenti di R.O. Politecnico di Milano 1

Discuss the size of the instance for the minimum spanning tree problem.

Applied Algorithm Design Lecture 5

Algorithm Design and Analysis

Faster deterministic integer factorisation

We shall turn our attention to solving linear systems of equations. Ax = b

! Solve problem to optimality. ! Solve problem in poly-time. ! Solve arbitrary instances of the problem. #-approximation algorithm.

Complexity Theory. IE 661: Scheduling Theory Fall 2003 Satyaki Ghosh Dastidar

LS.6 Solution Matrices

Approximation Algorithms

1 Solving LPs: The Simplex Algorithm of George Dantzig

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Tutorial 8. NP-Complete Problems

OHJ-2306 Introduction to Theoretical Computer Science, Fall

Computational complexity theory

NP-Completeness I. Lecture Overview Introduction: Reduction and Expressiveness

Vector and Matrix Norms

8 Primes and Modular Arithmetic

The application of prime numbers to RSA encryption

CMPSCI611: Approximating MAX-CUT Lecture 20

Public Key Cryptography: RSA and Lots of Number Theory

The Classes P and NP

P versus NP, and More

SECURITY EVALUATION OF ENCRYPTION USING RANDOM NOISE GENERATED BY LCG

NP-complete? NP-hard? Some Foundations of Complexity. Prof. Sven Hartmann Clausthal University of Technology Department of Informatics

SOLVING LINEAR SYSTEMS

An Overview Of Software For Convex Optimization. Brian Borchers Department of Mathematics New Mexico Tech Socorro, NM

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

Advanced Cryptography

Definition Given a graph G on n vertices, we define the following quantities:

Partial Fractions. Combining fractions over a common denominator is a familiar operation from algebra:

Lecture 3: Finding integer solutions to systems of linear equations

Introduction to computer science

The p-norm generalization of the LMS algorithm for adaptive filtering

1 The Line vs Point Test

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Lecture 13: Factoring Integers

Support Vector Machine (SVM)

Lecture 1: Course overview, circuits, and formulas

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Solutions to Problem Set 1

MATH10212 Linear Algebra. Systems of Linear Equations. Definition. An n-dimensional vector is a row or a column of n numbers (or letters): a 1.

Permutation Betting Markets: Singleton Betting with Extra Information

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Private Approximation of Clustering and Vertex Cover

160 CHAPTER 4. VECTOR SPACES

Proofs in Cryptography

FACTORING SPARSE POLYNOMIALS

THE NUMBER OF GRAPHS AND A RANDOM GRAPH WITH A GIVEN DEGREE SEQUENCE. Alexander Barvinok

a 11 x 1 + a 12 x a 1n x n = b 1 a 21 x 1 + a 22 x a 2n x n = b 2.

The Steepest Descent Algorithm for Unconstrained Optimization and a Bisection Line-search Method

THE DIMENSION OF A VECTOR SPACE

How To Prove The Dirichlet Unit Theorem

11 Multivariate Polynomials

NP-Completeness. CptS 223 Advanced Data Structures. Larry Holder School of Electrical Engineering and Computer Science Washington State University

MATH 304 Linear Algebra Lecture 20: Inner product spaces. Orthogonal sets.

Classification - Examples

Lecture Topic: Low-Rank Approximations

Lecture 2: Universality

Guessing Game: NP-Complete?

CHAPTER 9. Integer Programming

Computing exponents modulo a number: Repeated squaring

Page 1. CSCE 310J Data Structures & Algorithms. CSCE 310J Data Structures & Algorithms. P, NP, and NP-Complete. Polynomial-Time Algorithms

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Binary Image Reconstruction

1 VECTOR SPACES AND SUBSPACES

Modélisation et résolutions numérique et symbolique

ON THE COMPLEXITY OF THE GAME OF SET.

NOTES ON LINEAR TRANSFORMATIONS

CSC2420 Fall 2012: Algorithm Design, Analysis and Theory

Lectures notes on orthogonal matrices (with exercises) Linear Algebra II - Spring 2004 by D. Klain

Chapter 6. Orthogonality

Discrete Optimization

Integer Factorization using the Quadratic Sieve

by the matrix A results in a vector which is a reflection of the given

Inner Product Spaces

University of Lille I PC first year list of exercises n 7. Review

Transportation Polytopes: a Twenty year Update

Modern Optimization Methods for Big Data Problems MATH11146 The University of Edinburgh

Lecture 3: One-Way Encryption, RSA Example

IRREDUCIBLE OPERATOR SEMIGROUPS SUCH THAT AB AND BA ARE PROPORTIONAL. 1. Introduction

Post-Quantum Cryptography #4

Factoring Algorithms

Polynomial Invariants

Numerical Methods I Solving Linear Systems: Sparse Matrices, Iterative Methods and Non-Square Systems

Energy Efficient Monitoring in Sensor Networks

Transcription:

Solving systems of linear equations over finite fields June 1, 2007

1 Introduction 2 3 4

Basic problem Introduction x 1 + x 2 + x 3 = 1 x 1 + x 2 = 1 x 1 + x 2 + x 4 = 1 x 2 + x 4 = 0 x 1 + x 3 + x 4 = 0 x 2 + x 3 + x 4 = 1 x 1 + x 3 = 0 mod 2 Satisfy as many equations as possible (or K). Max-k-Lin-2, m equations n variables and k variables in each equation. (m = 7, n = 4, k = 3). Abstract claimed that I would discuss general p instead of 2 but this will happen only briefly at the end.

My angle: efficient computation Efficient in theory: Time polynomial in the input size. Used most of the time. Input size mk. Efficient in practice. What we can run on our machines, about 2 50 10 15 operations and 2 35 30 10 9 memory.

Motivation Introduction 1. Basic computational problem. 2. Applications in cryptography: Factoring large integers, breaking RSA. Removing non-linearity by making some equations incorrect breaking symmetric encryption.

Obvious algorithms Try to satisfy all using Gaussian elimination. Time mn 2. Try all possible assignments and take the best. Time mk2 n.

Satisfying all equations Gaussian elimination in time O(mn 2 ) closes the theoretical question but problems remain in practice. Recent factorization of 2 1039 1 used m n 66 10 6 and k 150. Cannot even store the matrix in dense form and time mn 2 2 78 is much too large! Different algorithms running in time O(mnk) and memory O(mk) are used.

Learning parity with noise If you want to space out and think consider m = 10000, n = 200, k = n/2. Construct left hand side of each equation randomly. Have a hidden solution x 0 and set right hand side to be correct for x 0 with probability 2 3. Given resulting system, find x 0 (the key to a cryptosystem).

One approach in theory Use equations that behave in the same way on a large set of variables to eliminate these variables simultaneously. Gets equations in fewer variables that are less likely to be correct. In theory m = 2 n/ log n can be solved in time 2 O(n/ log n) [BKW]. Beats 2 n time of exhaustive search but not by much...

Can we prove impossibility results? Is O(nmk) best possible when all equations can be simultaneously satisfied? For over-determined systems can we find optimal solutions in polynomial time?

Can we prove impossibility results? Is O(nmk) best possible when all equations can be simultaneously satisfied? No lower bound higher beyond reading the input is known and seems beyond current technique. For over-determined systems can we find optimal solutions in polynomial time? Not known, but NP-complete.

NP and P Introduction NP: Decision problems where a positive solution can be verified in polynomial time. P: Decision problems that can be solved in polynomial time. Believed that NP P but we are very far from proving this. Typical example of NP, satisfiability of Boolean formulas: ϕ(x) = (x 1 x 2 ) ( x 1 x 2 ) ( x 2 x 3 ) (x 1 x 3 )

NP-complete and NP-hard A problem X NP is NP-complete if X P is equivalent to P = NP. A problem Y is NP-hard if Y P implies P = NP. Computational problems that are not decision problems cannot be NP-complete as they do not belong to NP, but can be NP-hard. Satisfiability (Sat) was the first problem to be proved NP-complete by Cook in 1971.

Max-Lin-2 is NP-hard Finding the maximal number of simultaneously satisfiable equations is NP-hard by a very simple reduction (exercise for undergraduates). If NP P, Max-k-Lin-2 cannot be solved optimally in polynomial time, for any k 2. If Sat requires time 2 cn then so does Max-Lin-2.

Approximation Introduction Idea: If we cannot find the best solutions efficiently maybe we can find the second best or a reasonably good solution.

Approximation Introduction Idea: If we cannot find the best solutions efficiently maybe we can find the second best or a reasonably good solution. An algorithm has approximation ratio α if for any instance Value of found solution Value of optimal solution α

(trivial) Positive results Can easily find a solution that satisfies m/2 equations, in fact a random assignment does this on the average. No solution satisfies more than all m equations. This gives an approximation ratio of 1/2.

Real results Introduction Theorem [H] : For any ɛ > 0 and any k 3 it is NP-hard to approximate Max-k-Lin-2 within 1 2 + ɛ.

Real results Introduction Theorem [H] : For any ɛ > 0 and any k 3 it is NP-hard to approximate Max-k-Lin-2 within 1 2 + ɛ. Theorem [GW] : It is possible to approximate Max-2-Lin-2 within.8785 in polynomial time.

Real results Introduction Theorem [H] : For any ɛ > 0 and any k 3 it is NP-hard to approximate Max-k-Lin-2 within 1 2 + ɛ. Proof by a reduction (with several steps). Theorem [GW] : It is possible to approximate Max-2-Lin-2 within.8785 in polynomial time.

Real results Introduction Theorem [H] : For any ɛ > 0 and any k 3 it is NP-hard to approximate Max-k-Lin-2 within 1 2 + ɛ. Proof by a reduction (with several steps). Theorem [GW] : It is possible to approximate Max-2-Lin-2 within.8785 in polynomial time. Proof by an algorithm relying on semidefinite programming.

Hardness proof Introduction Given a formula ϕ(x) produce a system of m linear equations Ay = b such that If ϕ satisfiable then can satisfy (1 ɛ)m equations. If ϕ not satisfiable then can only satisfy ( 1 2 + ɛ)m equations.

Hardness proof Introduction Given a formula ϕ(x) produce a system of m linear equations Ay = b such that If ϕ satisfiable then can satisfy (1 ɛ)m equations. If ϕ not satisfiable then can only satisfy ( 1 2 + ɛ)m equations. We can decide whether ϕ is satisfiable by approximating within 1 2 + ɛ 1 ɛ + δ.

Probabilistically checkable proof Details are complicated and omitted but uses something called on probabilistically checkable proofs (PCPs).

Probabilistically checkable proof Details are complicated and omitted but uses something called on probabilistically checkable proofs (PCPs). NP: A computationally limited (P-time) verifier checks a proof of a statement it cannot verify on its own. For Sat the verifier reads n bits, the number of variables.

Probabilistically checkable proof Details are complicated and omitted but uses something called on probabilistically checkable proofs (PCPs). NP: A computationally limited (P-time) verifier checks a proof of a statement it cannot verify on its own. For Sat the verifier reads n bits, the number of variables. We want to limit the verifier to reading three bits.

PCP from reduction Given ϕ(x) to be checked for system create Ay = b as in reduction with k = 3.

PCP from reduction Given ϕ(x) to be checked for system create Ay = b as in reduction with k = 3. ϕ satisfiable can satisfy (1 ɛ)m equations. ϕ not satisfiable can only satisfy ( 1 2 + ɛ)m equations.

PCP from reduction Given ϕ(x) to be checked for system create Ay = b as in reduction with k = 3. ϕ satisfiable can satisfy (1 ɛ)m equations. ϕ not satisfiable can only satisfy ( 1 2 + ɛ)m equations. Traditional proof, good assignment to x. Reading n bits to get anything.

PCP from reduction Given ϕ(x) to be checked for system create Ay = b as in reduction with k = 3. ϕ satisfiable can satisfy (1 ɛ)m equations. ϕ not satisfiable can only satisfy ( 1 2 + ɛ)m equations. Traditional proof, good assignment to x. Reading n bits to get anything. PCP, good assignment to y. Pick one random equation and check only this equation.

Parameters of PCP Reads only three bits.

Parameters of PCP Reads only three bits. Completeness: If ϕ satisfiable, exists proof that makes verifier accept with probability (1 ɛ).

Parameters of PCP Reads only three bits. Completeness: If ϕ satisfiable, exists proof that makes verifier accept with probability (1 ɛ). Soundness: If ϕ not satisfiable, no proof makes verifier accept with probability ( 1 2 + ɛ).

Extensions Introduction Can make verifier always accept correct proof of correct statement but cannot maintain reading three bits and soundness 1 2.

Extensions Introduction Can make verifier always accept correct proof of correct statement but cannot maintain reading three bits and soundness 1 2. Reading more bits improves completeness and soundness. Can do better than independent repetitions and in fact q bits read Completeness one (always accept). Soundness 2 q+o( q) is possible.

for k = 2 x i + x j = b modulo 2 with x i, x j {0, 1} is the same as with y i, y j { 1, 1}. 1 + ( 1) b y i y j 2

The task is thus max y { 1,1} n (i,j) Q 1 + ( 1) b ij y i y j 2

The task is thus max y { 1,1} n (i,j) Q 1 + ( 1) b ij y i y j 2 Relax by setting z ij = y i y j and requiring that Z is a positive semidefinite matrix with z ii = 1.

Positive semidefinite matrices? Z symmetric matrix is positive semidefinite iff one of the following is true All eigenvalues λ i 0. w T Zw 0 for any vector w R n. Z = V T V for some matrix V. z ij = y i y j is in matrix language Z = yy T.

By a result by Alizadeh we can to any desired accuracy solve max ij c ij z ij subject to aijz k ij b k and Z positive semidefinite. ij

By a result by Alizadeh we can to any desired accuracy solve max ij c ij z ij subject to and Z positive semidefinite. aijz k ij b k ij Intuitive reason, the set of PSD matrices is convex and we should be able to find optimum of linear function as we have no local optima (as is true for LP).

Want to solve Introduction max y { 1,1} n (i,j) Q 1 + ( 1) b ij y i y j 2 but as Z = V T V we do max v i =1 (i,j) Q 1 + ( 1) b ij (v i, v j ), 2 i.e. optimizing over vectors instead of real numbers.

Going vector to Boolean The vector problem accepts a more general set of solutions. Gives higher objective value.

Going vector to Boolean The vector problem accepts a more general set of solutions. Gives higher objective value. Key question: How to use the vector solution to get back a Boolean solution that does almost as well.

Rounding vectors to Boolean values Great suggestion by GW. Given vector solution v i pick random vector r and set y i = Sign((v i, r)), where (v i, r) is the inner product.

Intuition of rounding Assume b ij = 1. Contribution to objective function large, 1 (v i, v j ) 2 large implying angle between v i, v j large, Sign((v i, r)) Sign((v j, r)) likely v i v j

Analyzing GW Introduction Do term by term, θ angle between vectors. Contribution to semi-definite objective function 1 (v i, v j ) 2 Probability of satisfying equation = 1 cos θ 2 Pr[Sign((v i, r)) Sign((v j, r))] = θ π Minimal quotient gives approximation ratio α GW = min θ 2θ π(1 cos θ).8785

Other finite fields Inapproximability results extend to any field getting ratio 1 p + ɛ for Max-k-Lin-p and 1 p d + ɛ in GF [p d ] for k 3. SDP can be used to get non-trivial approximation when k = 2, again in any field.

Other finite fields Inapproximability results extend to any field getting ratio 1 p + ɛ for Max-k-Lin-p and 1 p d + ɛ in GF [p d ] for k 3. SDP can be used to get non-trivial approximation when k = 2, again in any field. Extremely important problem: Consider Max-2-Lin-p. Is it true that for any ɛ > 0 there is a p = p(ɛ) such it is hard to distinguish cases where we can satisfy (1 ɛ)m of the equations from cases where we can only satisfy ɛm of the equations? Unique games conjecture [K].

Some final words Possible cases to improve algorithms Large sparse systems where we want to satisfy all equations. Random linear systems with clear champion satisfying a fraction p > 1 2 of the equations.

Some final words Possible cases to improve algorithms Large sparse systems where we want to satisfy all equations. Random linear systems with clear champion satisfying a fraction p > 1 2 of the equations. Other point: PCPs gives a very efficient way to check NP-statements that at least I find surprising.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information