Abstract
The Chudnovsky-Chudnovsky method provides today’s best known upper bounds on the bilinear complexity of multiplication in large extensions of finite fields. It is based on interpolation on algebraic curves: we give a theoretical lower threshold for the smallest bounds that one can expect from this method (with exceptions). This threshold often appears to be reachable; we moreover provide an explicit method for this purpose.
We also provide new bounds for the multiplication in small- algebras over \(\mathbf {F}_2\). Building on these ingredients, we:
- explain how far elliptic curves can provide upper bounds for the multiplication over \(\mathbf {F}_2\);
- using these curves, improve the bounds for the multiplication in the NIST-size extensions of \(\mathbf {F}_2\);
- then, turning to curves of higher genus, further improve these bounds with the well-known family of classical modular curves.
Although illustrated only over \(\mathbf {F}_2\), the techniques introduced apply to all characteristics.
Notes
- 1. Which will here always be considered associative, commutative and unitary.
- 2. Which is, in other words, the partially-symmetric tensor rank of \(m_\mathcal {A}\), seen as an element of \((\mathcal {A}^*\otimes \mathcal {A}^*)^\mathrm {Sym}\otimes \mathcal {A}\) (this issue is addressed in general in [1]).
- 3.
- 4. It is the symmetric complexity of the multiplication in the finite field extension \(\mathbf {F}_{q^m}\).
- 5. Note in particular that the first row shows the best known bounds for the multiplication in small finite field extensions of \(\mathbf {F}_2\). Conversely, the first column shows the best known bounds for the multiplication of polynomials modulo \(x^l\) over \(\mathbf {F}_2\).
- 6. The most noteworthy might be \(\mu _2^{\mathrm {sym}}(3,2)\), because its (exact) value, 16, is strictly lower than the upper bound \(18=\mu _{2^3}^{\mathrm {sym}}(1,2)\,\mu _2^{\mathrm {sym}}(3,1)\).
- 7. This could be seen as a “tensor-flattening map”, but we do not know how far this helps.
- 8. This leads to the following observation: for algebras of dimension greater than 7, let \(k\) be the known upper bound for the tensor rank of multiplication; then a general subspace \(W\) of dimension \(k\) in \((\mathcal {A}^*\otimes \mathcal {A}^*)^\mathrm {Sym}\) will a priori contain fewer than 0.01 rank-one tensors. Thus, it would be interesting to know how to restrict the search to subspaces with a higher density of rank-one tensors.
- 9. This method might be an elementary case of tensor decomposition methods. (It originated thanks to an apparently innocuous lecture of G. Cohen on cyclic codes.)
- 10. Nor do we claim to have been the first to draw the consequences which follow.
- 11. The following inequality bounds from below the complexity of a multiplication algorithm by interpolation on a given curve. Indeed, recall that the degree of \(G\) bounds this complexity from below. This bound is more constraining than the general lower bound, \(2m-1\), for the bilinear rank of multiplication in integral algebras (cf. [3] Lemma 1.9). Indeed, one considers here only a particular category of multiplication algorithms: the interpolation-on-curves method (here, the sub-category satisfying (ii’), but this restriction will be lifted as soon as \(g<m\)).
- 12. It is to be noted that today’s best uniform and asymptotic bounds over \(\mathbf {F}_2\) are obtained (1) with curves of genus \(g\geqslant m\) (one gets \(g\approx 2.5m\) from the proof of [10] Theorem 4.1), (2) but with degrees of \(G\) still greater than \(2m+g-1\). It would thus be interesting to know whether one can improve this threshold.
- 13. Actually, both computations for (i’) (“Step 1”) and (ii’) (“Step 2”) will occur, here, in \(\mathrm {Cl}^{g-1}\), so one can remove the factor 2 as soon as one keeps in memory all the classes of divisors already tested.
- 14. Enumerating the (classes of) numerically optimal divisors on \(X\) is performed in two steps: (1) enumerate all collections of integers \((n_{d,u})_{d,u}\) (where \(n_{d,u}\) stands for the number of points of degree \(d\) involved with multiplicity \(u\) in \(G\)) that (a) minimise the upper bound of Theorem 8, \(\sum _{d,u}n_{d,u}\mu _q^\mathrm {sym}(d,u)\), under the constraints that (b) the total degree \(\sum _{d,u}n_{d,u}du\) is greater than or equal to the above lower bound \(2m+g-1\), and (c) for each \(d\), \(\sum _u n_{d,u}\) is at most the number of points of degree \(d\) on \(X\); (2) for each collection \((n_{d,u})_{d,u}\), enumerate the divisors involving exactly \(n_{d,u}\) points of degree \(d\) with multiplicity \(u\).
- 15. This involves at most \(\#\mathrm {Cl}^0(X)\) Riemann-Roch space emptiness checks in \(\mathrm {Cl}^{g-1}(X)\) (minus those already performed in the previous runs).
- 16. This involves at most \(\#\mathrm {Cl}^0(X)\) Riemann-Roch space checks in \(\mathrm {Cl}^{g-1}\). (Notice here that, \(D-Q\) being of degree \(g-1\), the Riemann-Roch theorem implies that this condition is equivalent to \(l(D-Q)=0\).)
- 17. Under the additional assumption that points \(Q\) of degree \(m\) exist in every single class of \(\mathrm {Cl}^m (X)\), the first run of Step 3 always returns a solution as soon as an optimal interpolation system exists. Thus, if no solution is returned, this is a proof that no optimal interpolation system of degree \(m\) exists on \(X\). It is to be noted that, even if the case of genus one curves can be treated directly, a proof of the assumption in this case does exist. More precisely, [11] Theorem 27 states that, for \(q\geqslant 7\) (and presumably \(\geqslant 4\) for \(m\) sufficiently large), for \(m\leqslant 2^{4096}\), there exists a prime divisor of degree \(m\) in every class. Any analogous proof in higher genus would be of interest. [There is actually a mistake in Lem. 19: in the first line of (2), \(\mu \) is actually meant to be \(n/v_r\). Thus, in the penultimate line, \(\mu \) can actually be equal to 1 when \(n\) has no square factors. This is compensated when, e.g., \(m\) is greater than \(6!=720\).]
- 18. A sufficient condition for that is \(m\geqslant 7\); cf. for example [12] V.2.10 c).
- 19. The proofs and results for this column are the same over a general base field \(\mathbf {F}_q\). And regarding the discussion on the divisor \(G\) for the full 2-torsion curve (15), such curves are finite in number (indeed, it is a basic fact that the \(2\)-torsion group of an elliptic curve is contained in \(\mathbf {Z}/2\mathbf {Z}\times \mathbf {Z}/2\mathbf {Z}\), and on the other hand, curves have enough points for \(q\) sufficiently large). Furthermore, the classification provided by [13] shows that this number is small.
- 20. And were probably known since Shokrollahi 1992.
- 21. For the proof: one adapts the estimates in [11] that lead to Theorem 16 (1), paying attention to a small mistake in the proof (see footnote 17), replacing \(q\) and the \(p_i\)-torsion by their values, taking \(m\) large enough to compensate the new positive terms, and computationally checking the values of \(m\) below this threshold.
- 22. Indeed, the possible degrees \(\deg G=m_i\) for which this swapping is not possible lie among those for which all the points \(P_i\) of \(X\) (up to a certain degree \(n_i\)) occur in \(G\) with equal multiplicities. Therefore, the gaps in the sequence of the excluded degrees \((m_i)_i\) take values in the (growing) set \(\{B_j,\ j\in \{1,\ldots ,n_i\}\}\).
- 23. Indeed, there exists a basis of holomorphic forms \(H^0(\varOmega _{X_0(N)},\mathbf {C})\) such that the Hecke operators \(T_n\) act by matrices with coefficients in \(\mathbf {Q}\). An elementary way to see this is to consider the \(\mathbf {Q}\)-algebra \(\mathbf {T}'\subset \mathrm {End}(H^0(\varOmega _{X_0(N)},\mathbf {C}))\) generated by the Hecke operators acting on holomorphic forms. Then, writing \(\mathbf {T}'^*=\mathrm {Hom}_\mathbf {Q}(\mathbf {T}',\mathbf {Q})\) for the dual algebra, and extending the scalars to \(\mathbf {C}\), Proposition 3.24 of [18] establishes a natural isomorphism between \(\mathbf {T}'^*_\mathbf {C}\) and \(H^0(\varOmega _{X_0(N)},\mathbf {C})\). To conclude, one can check that this isomorphism transports the natural action of \(\mathbf {T}'\) on \(\mathbf {T}'^*\), when extended over \(\mathbf {C}\), to the action of \(\mathbf {T}'\) on \(H^0(\varOmega _{X_0(N)},\mathbf {C})\).
- 24. For the genus \(4\) hyperelliptic curve \(X_0(47)_\mathbf {Q}\), the plane integral model provided in [20] appeared to have good reduction at \(2\).
- 25. It then results from (8) that a numerically optimal \(G\) would lead to 900.
- 26. This is currently achieved by splitting only the place at infinity, so we do not know if this leads to every possible class for points of degree \(m\).
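The quantities \(\mu_2^{\mathrm{sym}}(d,u)\) of notes 5 and 6 are ranks of symmetric bilinear formulae, and an upper bound such as \(\mu_2^{\mathrm{sym}}(3,1)\leqslant 6\) is certified by exhibiting a formula and checking it on every input. The following checker is an added example, not code from the paper: it represents elements of \(\mathbf{F}_2[x]/(f)\) as bit masks, a formula as a list of (alpha, beta, gamma) triples, and verifies exhaustively that the formula computes the product. The Karatsuba-type formulae it checks (rank 3 for \(\mathbf{F}_4\) and for multiplication modulo \(x^2\), rank 6 for \(\mathbf{F}_8\)) were written out by hand for this example.

```python
# Added example (not code from the paper): exhaustive checker for bilinear
# multiplication formulae over F_2. Elements of F_2[x]/(f) are ints whose bits
# are polynomial coefficients. A formula is a list of triples (alpha, beta,
# gamma): product_i = (alpha . a) * (beta . b) with "." the F_2 dot product,
# and coordinate j of the result is the XOR of the product_i whose gamma_i has
# bit j set. Its rank is the number of triples; it is symmetric (the kind
# counted by mu^sym) when alpha_i == beta_i for every i.

def parity(v):
    """Sum over F_2 of the bits of v."""
    return bin(v).count("1") & 1

def poly_mulmod(a, b, f, n):
    """Schoolbook product of a and b in F_2[x], reduced modulo f of degree n."""
    r = 0
    for i in range(n):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * n - 2, n - 1, -1):   # reduce from the top bit down
        if (r >> i) & 1:
            r ^= f << (i - n)
    return r

def evaluate(formula, a, b):
    """Compute a*b with the bilinear formula."""
    c = 0
    for alpha, beta, gamma in formula:
        if parity(alpha & a) & parity(beta & b):
            c ^= gamma
    return c

def verify(formula, f, n):
    """True iff the formula agrees with multiplication in F_2[x]/(f) everywhere."""
    return all(evaluate(formula, a, b) == poly_mulmod(a, b, f, n)
               for a in range(1 << n) for b in range(1 << n))

def rank(formula):
    return len(formula)

def is_symmetric(formula):
    return all(alpha == beta for alpha, beta, _ in formula)

# Formulae constructed for this example. Bit i of a mask selects coefficient a_i.
KARATSUBA_F4 = [           # F_4 = F_2[x]/(x^2+x+1); x^2 = x+1
    (0b01, 0b01, 0b11),    # a0*b0            -> c0, c1
    (0b10, 0b10, 0b01),    # a1*b1            -> c0
    (0b11, 0b11, 0b10),    # (a0+a1)(b0+b1)   -> c1
]
KARATSUBA_MOD_X2 = [       # F_2[x]/(x^2): c0 = a0b0, c1 = a0b1 + a1b0
    (0b01, 0b01, 0b11),
    (0b10, 0b10, 0b10),
    (0b11, 0b11, 0b10),
]
KARATSUBA_F8 = [           # F_8 = F_2[x]/(x^3+x+1); x^3 = x+1, x^4 = x^2+x
    (0b001, 0b001, 0b111), # a0*b0
    (0b010, 0b010, 0b101), # a1*b1
    (0b100, 0b100, 0b001), # a2*b2
    (0b011, 0b011, 0b010), # (a0+a1)(b0+b1)
    (0b101, 0b101, 0b100), # (a0+a2)(b0+b2)
    (0b110, 0b110, 0b011), # (a1+a2)(b1+b2)
]
SCHOOLBOOK_F4 = [          # the obvious rank-4, non-symmetric formula for F_4
    (0b01, 0b01, 0b01), (0b01, 0b10, 0b10),
    (0b10, 0b01, 0b10), (0b10, 0b10, 0b11),
]

if __name__ == "__main__":
    for name, formula, f, n in [("F_4", KARATSUBA_F4, 0b111, 2),
                                ("mod x^2", KARATSUBA_MOD_X2, 0b100, 2),
                                ("F_8", KARATSUBA_F8, 0b1011, 3)]:
        print(name, "rank", rank(formula), "symmetric", is_symmetric(formula),
              "correct", verify(formula, f, n))
```

A formula that passes `verify` certifies an upper bound on the bilinear rank of that algebra; a symmetric one certifies a bound on \(\mu^{\mathrm{sym}}\). Because the check is exhaustive it only scales to the small algebras of note 5, which is exactly where these tables are built.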
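Step (1) of note 14 is a small integer optimisation: choose how many points of each degree \(d\) to use with each multiplicity \(u\) so that the upper bound of Theorem 8 is minimal while the total degree reaches the lower bound \(2m+g-1\) of note 11 and no degree is over-used. The following search is an added example, not code from the paper: the cost table, the point counts and the choice of \(m=4\), \(g=1\) are constructed sample inputs, and the pruning strategy is ours.

```python
# Added example (not code from the paper): step (1) of the enumeration in
# note 14. Given costs mu[(d, u)] (upper bounds used for mu_q^sym(d, u)),
# the number of points of each degree d on the curve, the extension degree m
# and the genus g, return every collection {(d, u): n_{d,u}} minimising
#     sum n_{d,u} * mu(d, u)                          (a)
# subject to
#     sum n_{d,u} * d * u >= 2m + g - 1               (b)
#     for each d: sum_u n_{d,u} <= points[d]          (c)

def degree_lower_bound(m, g):
    """Lower bound on deg G (note 11)."""
    return 2 * m + g - 1

def cost(collection, mu):
    """Upper bound of Theorem 8 for a collection."""
    return sum(n * mu[key] for key, n in collection.items())

def total_degree(collection):
    return sum(n * d * u for (d, u), n in collection.items())

def optimal_collections(mu, points, m, g):
    """Exhaustive search over (n_{d,u}) with pruning on the partial cost.
    Returns (best_cost, [all collections attaining it])."""
    keys = sorted(mu)
    target = degree_lower_bound(m, g)
    best = {"cost": None, "found": []}

    def search(i, used, deg, acc, chosen):
        # All costs are positive, so a partial cost above the best is dead.
        if best["cost"] is not None and acc > best["cost"]:
            return
        if i == len(keys):
            if deg < target:
                return
            if best["cost"] is None or acc < best["cost"]:
                best["cost"], best["found"] = acc, [dict(chosen)]
            elif acc == best["cost"]:
                best["found"].append(dict(chosen))
            return
        d, u = keys[i]
        available = points.get(d, 0) - used.get(d, 0)   # constraint (c)
        for n in range(available + 1):
            if n:
                chosen[(d, u)] = n
            new_used = dict(used)
            new_used[d] = used.get(d, 0) + n
            search(i + 1, new_used, deg + n * d * u, acc + n * mu[(d, u)], chosen)
            chosen.pop((d, u), None)

    search(0, {}, 0, 0, {})
    return best["cost"], best["found"]

# Constructed sample input (assumptions of this example, not values from the
# paper): placeholder costs for small (d, u), and point counts by degree for a
# hypothetical genus-1 curve over F_2 with five rational points, no places of
# degree 2 or 3, and five places of degree 4.
SAMPLE_MU = {(1, 1): 1, (1, 2): 3, (1, 3): 5, (1, 4): 8,
             (2, 1): 3, (3, 1): 6, (4, 1): 9}
SAMPLE_POINTS = {1: 5, 2: 0, 3: 0, 4: 5}

def run_sample(m=4, g=1):
    """Optimal collections for F_{2^4} on the sample curve (deg G >= 8)."""
    return optimal_collections(SAMPLE_MU, SAMPLE_POINTS, m, g)

if __name__ == "__main__":
    best_cost, found = run_sample()
    print("lower bound on deg G:", degree_lower_bound(4, 1))
    for c in found:
        print("cost", cost(c, SAMPLE_MU), "degree", total_degree(c), c)
```

On the sample input the search returns every collection of minimal cost, which is what step (2) of note 14 then expands into actual divisors; the search space is tiny for elliptic curves and small \(m\), and the cost pruning is what keeps it tractable as more degrees and multiplicities are allowed.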
References
1. Bernardi, A., Brachat, J., Comon, P., Mourrain, B.: General tensor decomposition, moment matrices and applications. J. Symbolic Comput. 52, 51–71 (2013)
2. Chudnovsky, D., Chudnovsky, G.V.: Algebraic complexities and algebraic curves over finite fields. J. Complex. 4, 285–316 (1988)
3. Randriambololona, H.: Bilinear complexity of algebras and the Chudnovsky-Chudnovsky interpolation method. J. Complex. 28, 489–517 (2012)
4. Montgomery, P.L.: Five, six and seven-term Karatsuba-like formulae. IEEE Trans. Comput. 54, 362–370 (2005)
5. Barbulescu, R., Detrey, J., Estibals, N., Zimmermann, P.: Finding optimal formulae for bilinear maps. In: Özbudak, F., Rodríguez-Henríquez, F. (eds.) WAIFI 2012. LNCS, vol. 7369, pp. 168–186. Springer, Heidelberg (2012)
6. Cenk, M., Özbudak, F.: Improved polynomial multiplication formulas over \(\mathbf{F}_2\) using CRT. IEEE Trans. Comput. (Brief Contributions) 58, 572–577 (2009)
7. Oseledets, I.: Optimal Karatsuba-like formulae for certain bilinear forms in GF(2). Linear Algebra Appl. 429, 2052–2066 (2008)
8. Cenk, M., Özbudak, F.: Multiplication of polynomials modulo \(x^n\). Theoret. Comput. Sci. 412, 3451–3462 (2011)
9. Albrecht, M.: The M4RIE library for dense linear algebra over small fields with even characteristic. arXiv:1111.6900 (2011)
10. Pieltant, J., Randriambololona, H.: New uniform and asymptotic upper bounds on the tensor rank of multiplication in extensions of finite fields (2013)
11. Shokrollahi, M.A.: Counting prime divisors on elliptic curves and multiplication in finite fields. In: Joyner, D. (ed.) Coding Theory and Cryptography, pp. 180–201. Springer, Heidelberg (2000)
12. Stichtenoth, H.: Algebraic Function Fields and Codes. Springer, Heidelberg (1993)
13. Ballet, S., Bonnecaze, A., Tukumuli, M.: On the construction of Chudnovsky-type algorithms for multiplication in large extensions of finite fields (2013)
14. NIST: FIPS 186-4 (2013)
15. Diamond, F., Shurman, J.: A First Course in Modular Forms. Springer, New York (2004)
16. Moreno, C.J.: Algebraic Curves over Finite Fields. Cambridge University Press, Cambridge (1993)
17. Stein, W., et al.: Sage Mathematics Software (Version 6.3). The Sage Development Team (2014). http://www.sagemath.org
18. Stein, W.: Modular Forms, a Computational Approach. AMS, Providence (2006)
19. Galbraith, S.D.: Equations for Modular Curves. Ph.D. Thesis, Oxford (1996)
20. Yang, Y.: Defining equations of modular curves. Adv. Math. 204, 481–508 (2006)
21. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24, 235–265 (1997)
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Rambaud, M. (2015). Finding Optimal Chudnovsky-Chudnovsky Multiplication Algorithms. In: Koç, Ç., Mesnager, S., Savaş, E. (eds) Arithmetic of Finite Fields. WAIFI 2014. Lecture Notes in Computer Science(), vol 9061. Springer, Cham. https://doi.org/10.1007/978-3-319-16277-5_3
DOI: https://doi.org/10.1007/978-3-319-16277-5_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16276-8
Online ISBN: 978-3-319-16277-5