the block Wiedemann algorithm

ArtileSubmittedtoJournalofSymboliComputationSubquadratiomputationofvetorgeneratingpolynomialsandimprovementoftheblokWiedemannalgorithmEmmanuelThomØ11LIX(UMRCNRS7650),olepolytehnique,91128PALAISEAUCEDEX,FRANCEAbstratThispaperdesribesanewalgorithmforomputinglineargenerators(vetorgeneratingpolynomials)formatrixsequenes,runninginsubquad-ratitime.ThisalgorithmappliesinpartiulartothesequentialstageofCoppersmith’sblokWiedemannalgorithm.ExperimentsshowedthatourmethodanbesubstitutedinplaeofthequadrationeproposedbyCop-persmith,yieldingimportantspeedupsevenforrealistimatrixsizes.Thebaseeldswewereinterestedinwereniteeldsoflargeharateristi.Asanexample,wehavebeenabletoomputealineargeneratorforasequeneof44matriesoflength242;304denedoverF26071inlessthantwodaysonone667MHzalphaev67pu.1.IntrodutionAlthoughitanbestatedinarathergeneralontext,wewillhereenvisiontheproblemofndingalineargeneratorforamatrixsequeneinthelightofhowitappliestotheblokWiedemannalgorithm,desribedin[Coppersmith,1994℄.Thisalgorithmaddressestheproblemofndingoneorseveralsolutionstoalargesparselinearsystemdenedoveraniteeld,orinotherwords,solutionswtotheequationBw=0,whereBisasingularNNmatrixdenedovertheeldK=Fq,qbeingaprimepower,andBissparse:ithasonlyfewnon-zerooeientsperrow.TheblokWiedemannalgorithmtakesadvantageofthislastfat(thefewernon-zerooeientsBhas,thefastertheomputations).Manyothersparselinearalgebraalgorithmsexist[LaMahiaandOdlyzko,1990,Wiedemann,1986,Coppersmith,1993,Montgomery,1995℄.Thisisinontrasttomoregeneral-purposeproedures,likethewell-knownGaussianelimination,whihdoesnotonsidernorpreservethesparsityoftheinputmatrix.Sparselinearsystemsoverniteeldsourinavarietyofontexts,more1E.ThomØ:Subquadratiomputationofvetorgeneratingpolynomials2speiallyinomputationalalgebrainumbertheory.Weoriginallyenoun-teredtheproblemintheourseofsolvingdisretelogarithmproblemsoverF2nwiththeindex-alulusalgorithmofCoppersmith[1984℄.Thisomputationisdesribedin[ThomØ,2001b,2002℄.Generally,anyindex-alulus-typealgorithmforomputingdisretelogarithmsinanappropriategroupallsforthesolutionofasub-problemofthiskind:see[Odlyzko,1985℄andforinstane[Gaudry,2000a,b℄.HugesparselinearsystemsdenedoverthebinaryeldF2alsoo-urredintheourseofthereentreord-breakingfatorizationsofompositenumberswiththeNumberFieldSieve[Cavallaretal.,2000,CABAL,2000℄.Coppersmith’sblokWiedemannalgorithmisalevergeneralizationofanolderalgorithmproposedin[Wiedemann,1986℄.Inthelatteralgorithm,oneisinterestedatsomepointinndingalineargeneratorforagivensalarsequene.TheBerlekamp-MasseyortheextendedEulideanalgorithmsandothisinquadratitime.Subquadratialternativesexist,whihantakeadvantageoffastpolynomialmultipliationalgorithms.ThesearetheHGCD(half-gd)algorithmfrom[Ahoetal.,1974℄andthePRSDC(polynomialremaindersequenesbydivide-and-onquer)algorithmfrom[GustavsonandYun,1979℄.Coppersmith[1994℄introduesamulti-dimensionalvariantofWiedemann’salgorithm,whosemainadvantageisthatitallowspartialdistributionand/orparallelizationofpartoftheomputations.Inthisalgorithm,thelineargeneratorndingtaskistransformedintoamulti-dimensionalanalogue(denedpreiselyinsetion2),whihCoppersmithsolvesbyamatrixBerlekamp-Massey.TheworkinthispaperprovidesasubquadrativariantofCoppersmith’sma-trixBerlekamp-Massey.TheomplexityredutionisobtainedbytheuseoftheFastFourierTransform(FFT)method.Ourmethodisreursive,astheHGCDorPRSDCalgorithmsfromwhihitatuallyadapted.Othersubquadratialgo-rithmsexistforthistask[BekermanandLabahn,1994℄,alsousingFFT.WewilldisussmoredeeplytherespetiveomplexitiesandthedierenesbetweenouralgorithmandBekermannandLabahn’sinparagraph2.2,onetherequiredoneptshavebeendened.Anearlierversionofthisworkappearedin[ThomØ,2001a℄.Thispaperom-pletestheresultspresentedatISSAC’2001byprovidingabettertheoretialsettingandimprovingthepresentationofthealgorithm.Wehavealsonowim-plementedouralgorithmwithsuess,andproviderunningtimesthatouldbeemployedtodrawaomparisonwithBekermannandLabahn’smethod.Theorganizationofthispaperisasfollows.Setions2to4onentrateonthetaskofomputingalineargeneratorforamatrixsequene.Setion2denesthisentraloneptofgeneratorin2.1,explainswhihquantitiesareomputedbyouralgorithmandbyBekermannandLabahn’sin2.2.Setion3presentstheframeworkandrequirementsthataresharedbyCoppersmith’salgorithmforndinglineargeneratorsandours.Ournewalgorithmispresentedinsetion4.Setions5to7onentrateontheinueneofournewalgorithmontheblokWiedemannalgorithm.Setion5introduestheblokWiedemannalgorithm,anditsonnetionstothepresentationthatwemakeofthelineargeneratorE.ThomØ:Subquadratiomputationofvetorgeneratingpolynomials3ndingproblem.Insetion6,wedisusstheoverallostoftheblokWiedemannalgorithm,alongwiththeoptimalvalueofitsparameters.Setion7disussespratialonernsabouttheimplementationofourapproahinsideamoreex-tendedomputationlikethedisretelogarithmomputationin[ThomØ,2001b,2002℄.Setion8showstheresultsofourexperimentswiththenewalgorithm.2.Lineargeneratorsformatrixsequenes2.1.DenitionsThroughoutthispaper,Kdenotesaniteeld,andmandnaretwohosenintegers.Wemakenohypothesesontheh