Block Wiedemann algorithm

Last updated August 14, 2023

The block Wiedemann algorithm for computing kernel vectors of a matrix over a finite field is a generalization by Don Coppersmith of an algorithm due to Doug Wiedemann.

Wiedemann's algorithm

Let $M$ be an $n\times n$ square matrix over some finite field F, let $x_{\mathrm {base} }$ be a random vector of length $n$ , and let $x=Mx_{\mathrm {base} }$ . Consider the sequence of vectors $S=\left[x,Mx,M^{2}x,\ldots \right]$ obtained by repeatedly multiplying the vector by the matrix $M$ ; let $y$ be any other vector of length $n$ , and consider the sequence of finite-field elements $S_{y}=\left[y\cdot x,y\cdot Mx,y\cdot M^{2}x\ldots \right]$

We know that the matrix $M$ has a minimal polynomial; by the Cayley–Hamilton theorem we know that this polynomial is of degree (which we will call $n_{0}$ ) no more than $n$ . Say $\sum _{r=0}^{n_{0}}p_{r}M^{r}=0$ . Then $\sum _{r=0}^{n_{0}}y\cdot (p_{r}(M^{r}x))=0$ ; so the minimal polynomial of the matrix annihilates the sequence $S$ and hence $S_{y}$ .

But the Berlekamp–Massey algorithm allows us to calculate relatively efficiently some sequence $q_{0}\ldots q_{L}$ with $\sum _{i=0}^{L}q_{i}S_{y}[{i+r}]=0\;\forall \;r$ . Our hope is that this sequence, which by construction annihilates $y\cdot S$ , actually annihilates $S$ ; so we have $\sum _{i=0}^{L}q_{i}M^{i}x=0$ . We then take advantage of the initial definition of $x$ to say $M\sum _{i=0}^{L}q_{i}M^{i}x_{\mathrm {base} }=0$ and so $\sum _{i=0}^{L}q_{i}M^{i}x_{\mathrm {base} }$ is a hopefully non-zero kernel vector of $M$ .

The block Wiedemann (or Coppersmith-Wiedemann) algorithm

The natural implementation of sparse matrix arithmetic on a computer makes it easy to compute the sequence S in parallel for a number of vectors equal to the width of a machine word – indeed, it will normally take no longer to compute for that many vectors than for one. If you have several processors, you can compute the sequence S for a different set of random vectors in parallel on all the computers.

It turns out, by a generalization of the Berlekamp–Massey algorithm to provide a sequence of small matrices, that you can take the sequence produced for a large number of vectors and generate a kernel vector of the original large matrix. You need to compute $y_{i}\cdot M^{t}x_{j}$ for some $i=0\ldots i_{\max },j=0\ldots j_{\max },t=0\ldots t_{\max }$ where $i_{\max },j_{\max },t_{\max }$ need to satisfy $t_{\max }>{\frac {d}{i_{\max }}}+{\frac {d}{j_{\max }}}+O(1)$ and $y_{i}$ are a series of vectors of length n; but in practice you can take $y_{i}$ as a sequence of unit vectors and simply write out the first $i_{\max }$ entries in your vectors at each time t.

Invariant Factor Calculation

The block Wiedemann algorithm can be used to calculate the leading invariant factors of the matrix, ie, the largest blocks of the Frobenius normal form. Given $M\in F_{q}^{n\times n}$ and $U,V\in F_{q}^{b\times n}$ where $F_{q}$ is a finite field of size $q$ , the probability $p$ that the leading $k<b$ invariant factors of $M$ are preserved in $\sum _{i=0}^{2n-1}UM^{i}V^{T}x^{i}$ is

$p\geq {\begin{cases}1/64,&{\text{if }}b=k+1{\text{ and }}q=2\\\left(1-{\frac {3}{2^{b-k}}}\right)^{2}\geq 1/16&{\text{if }}b\geq k+2{\text{ and }}q=2\\\left(1-{\frac {2}{q^{b-k}}}\right)^{2}\geq 1/9&{\text{if }}b\geq k+1{\text{ and }}q>2\end{cases}}$ .^[1]

Related Research Articles

In mathematics, the discrete Fourier transform (DFT) converts a finite sequence of equally-spaced samples of a function into a same-length sequence of equally-spaced samples of the discrete-time Fourier transform (DTFT), which is a complex-valued function of frequency. The interval at which the DTFT is sampled is the reciprocal of the duration of the input sequence. An inverse DFT (IDFT) is a Fourier series, using the DTFT samples as coefficients of complex sinusoids at the corresponding DTFT frequencies. It has the same sample-values as the original input sequence. The DFT is therefore said to be a frequency domain representation of the original input sequence. If the original sequence spans all the non-zero values of a function, its DTFT is continuous, and the DFT provides discrete samples of one cycle. If the original sequence is one cycle of a periodic function, the DFT provides all the non-zero values of one DTFT cycle.

In machine learning, support vector machines are supervised learning models with associated learning algorithms that analyze data for classification and regression analysis. Developed at AT&T Bell Laboratories by Vladimir Vapnik with colleagues SVMs are one of the most robust prediction methods, being based on statistical learning frameworks or VC theory proposed by Vapnik and Chervonenkis (1974). Given a set of training examples, each marked as belonging to one of two categories, an SVM training algorithm builds a model that assigns new examples to one category or the other, making it a non-probabilistic binary linear classifier. SVM maps training examples to points in space so as to maximise the width of the gap between the two categories. New examples are then mapped into that same space and predicted to belong to a category based on which side of the gap they fall.

In numerical analysis, polynomial interpolation is the interpolation of a given bivariate data set by the polynomial of lowest possible degree that passes through the points of the dataset.

In mathematics, and more specifically in computer algebra, computational algebraic geometry, and computational commutative algebra, a Gröbner basis is a particular kind of generating set of an ideal in a polynomial ring $K [x 1, ..., x n]$ over a field $K$ . A Gröbner basis allows many important properties of the ideal and the associated algebraic variety to be deduced easily, such as the dimension and the number of zeros when it is finite. Gröbner basis computation is one of the main practical tools for solving systems of polynomial equations and computing the images of algebraic varieties under projections or rational maps.

In mathematics, especially in the field of algebra, a polynomial ring or polynomial algebra is a ring formed from the set of polynomials in one or more indeterminates with coefficients in another ring, often a field.

In linear algebra, a Hankel matrix, named after Hermann Hankel, is a square matrix in which each ascending skew-diagonal from left to right is constant, e.g.:

In linear algebra and functional analysis, a projection is a linear transformation $from a vector space to itself such that . That is, whenever is applied twice to any vector, it gives the same result as if it were applied once. It leaves its image unchanged. This definition of "projection" formalizes and generalizes the idea of graphical projection. One can also consider the effect of a projection on a geometrical object by examining the effect of the projection on points in the object.$

In linear algebra, the Gram matrix of a set of vectors $in an inner product space is the Hermitian matrix of inner products, whose entries are given by the inner product . If the vectors are the columns of matrix then the Gram matrix is in the general case that the vector coordinates are complex numbers, which simplifies to for the case that the vector coordinates are real numbers.$

In mathematics, differential algebra is, broadly speaking, the area of mathematics consisting in the study of differential equations and differential operators as algebraic objects in view of deriving properties of differential equations and operators without computing the solutions, similarly as polynomial algebras are used for the study of algebraic varieties, which are solution sets of systems of polynomial equations. Weyl algebras and Lie algebras may be considered as belonging to differential algebra.

In mathematics, the resultant of two polynomials is a polynomial expression of their coefficients that is equal to zero if and only if the polynomials have a common root, or, equivalently, a common factor. In some older texts, the resultant is also called the eliminant.

The Lanczos algorithm is an iterative method devised by Cornelius Lanczos that is an adaptation of power methods to find the $"most useful" eigenvalues and eigenvectors of an Hermitian matrix, where is often but not necessarily much smaller than . Although computationally efficient in principle, the method as initially formulated was not useful, due to its numerical instability.$

Semidefinite programming (SDP) is a subfield of convex optimization concerned with the optimization of a linear objective function over the intersection of the cone of positive semidefinite matrices with an affine space, i.e., a spectrahedron.

In mathematics, a Witt vector is an infinite sequence of elements of a commutative ring. Ernst Witt showed how to put a ring structure on the set of Witt vectors, in such a way that the ring of Witt vectors $over the finite field of order is isomorphic to, the ring of -adic integers . They have a highly non-intuitive structure upon first glance because their additive and multiplicative structure depends on an infinite set of recursive formulas which do not behave like addition and multiplication formulas for standard p-adic integers.$

In commutative algebra, the Hilbert function, the Hilbert polynomial, and the Hilbert series of a graded commutative algebra finitely generated over a field are three strongly related notions which measure the growth of the dimension of the homogeneous components of the algebra.

In mathematics, the Grothendieck inequality states that there is a universal constant $with the following property. If M ij is an n \times n matrix with$

In mathematics, the discrete Fourier transform over a ring generalizes the discrete Fourier transform (DFT), of a function whose values are commonly complex numbers, over an arbitrary ring.

For certain applications in linear algebra, it is useful to know properties of the probability distribution of the largest eigenvalue of a finite sum of random matrices. Suppose $is a finite sequence of random matrices. Analogous to the well-known Chernoff bound for sums of scalars, a bound on the following is sought for a given parameter t :$

The cyclotomic fast Fourier transform is a type of fast Fourier transform algorithm over finite fields. This algorithm first decomposes a DFT into several circular convolutions, and then derives the DFT results from the circular convolution results. When applied to a DFT over $, this algorithm has a very low multiplicative complexity. In practice, since there usually exist efficient algorithms for circular convolutions with specific lengths, this algorithm is very efficient.$

<span class="mw-page-title-main">Constant-recursive sequence</span> Infinite sequence of numbers satisfying a linear equation

In mathematics and theoretical computer science, a constant-recursive sequence is an infinite sequence of numbers where each number in the sequence is equal to a fixed linear combination of one or more of its immediate predecessors. A constant-recursive sequence is also known as a linear recurrence sequence, linear-recursive sequence, linear-recurrent sequence, a C-finite sequence, or a solution to a linear recurrence with constant coefficients.

Short integer solution (SIS) and ring-SIS problems are two average-case problems that are used in lattice-based cryptography constructions. Lattice-based cryptography began in 1996 from a seminal work by Miklós Ajtai who presented a family of one-way functions based on SIS problem. He showed that it is secure in an average case if the shortest vector problem $(where for some constant) is hard in a worst-case scenario.$

References

↑ Harrison, Gavin; Johnson, Jeremy; Saunders, B. David (2022-01-01). "Probabilistic analysis of block Wiedemann for leading invariant factors". Journal of Symbolic Computation. 108: 98–116. arXiv: 1803.03864 . doi:10.1016/j.jsc.2021.06.005. ISSN 0747-7171.

Wiedemann, D., "Solving sparse linear equations over finite fields," IEEE Trans. Inf. Theory IT-32, pp. 54-62, 1986.

D. Coppersmith, Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm, Math. Comp. 62 (1994), 333-350.

Villard's 1997 research report 'A study of Coppersmith's block Wiedemann algorithm using matrix polynomials' (the cover material is in French but the content in English) is a reasonable description.

Thomé's paper 'Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm' uses a more sophisticated FFT-based algorithm for computing the vector generating polynomials, and describes a practical implementation with i_max = j_max = 4 used to compute a kernel vector of a 484603×484603 matrix of entries modulo 2⁶⁰⁷−1, and hence to compute discrete logarithms in the field GF(2⁶⁰⁷).

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Harrison, Gavin; Johnson, Jeremy; Saunders, B. David (2022-01-01). "Probabilistic analysis of block Wiedemann for leading invariant factors". Journal of Symbolic Computation. 108: 98–116. arXiv: 1803.03864 . doi:10.1016/j.jsc.2021.06.005. ISSN 0747-7171.

[1]

v t e Numerical linear algebra
Key concepts	Floating point Numerical stability
Problems	System of linear equations Matrix decompositions Matrix multiplication (algorithms) Matrix splitting Sparse problems
Hardware	CPU cache TLB Cache-oblivious algorithm SIMD Multiprocessing
Software	MATLAB Basic Linear Algebra Subprograms (BLAS) LAPACK Specialized libraries General purpose software