CS70 - Lecture 13 - Feb 16, 2011 - 10 Evans

Goal for Notes 7 & 8:  Review basic properties of polynomials

Use them to "share secrets"

Use them for error-correcting-codes

sending data reliably over unreliable networks

(like the internet)

Def: A polynomial is p(x) = sum_{i=0}^d  a_i * x^i

We say p(x) has degree d if a_d neq 0.

(We also say that the polynomial p(x) = 0 has degree 0).

Ex:  p(x) = x+1,   p(x) = x^2 - 2x +1 = (x-1)^2,   p(x) = 0

Def: A root s of a polynomial satisfies p( s ) = 0.

Note that we can think of the coefficients  of a polynomial

as real numbers, rational numbers, integers, or integers mod p, p prime

Since we ultimately need to use integers mod p, everything we

say about polynomials will apply to all these possibilities.

Property 1: A nonzero degree-d polynomial p(x) has at most d distinct roots.

"2 points determine a straight line y = a1*x + a0";

what about higher degree polynomials?

Property 2: Given d+1 points (x_1,y_1),…,(x_{d+1},y_{d+1})

where all the x_i are distinct, there is exactly one  polynomial p(x),

of degree at most d, that "interpolates" all these points, i.e. p(x_i) = y_i

for i = 1,…,d+1

To prove these, let us recall how to divide one polynomial

by another: given a polynomial p(x) of degree d, and a constant c,

we can divide p(x) by x-c and write p(x) = (x-c)*q(x) + r, where

q(x) has degree d-1, and r is the remainder, another constant.

For example

_____________

x - 3  )  4*x^2 - 3*x + 7

4*x^2-12*x         4*x

---------------------

9*x + 7

9*x-27    9

--------------------

34

so p(x) = 4*x^2 - 3*x + 7 = (x-3)*(4x+9)  + 34

Note that we can do this

if the coefficients of p(x) are real numbers, in which case

so are the coefficients of the quotient q(x) and remainder r

if the coefficients are rational numbers, we get rational numbers

if the coefficients are integers, we get integers

if the coefficients are integers mod p, we get integers mod p

The point is: everything we say will apply to all these different

sets of numbers.

Proof of Property 1: Suppose s is a root so p( s ) = 0.

Now divide p(x)  by x-s, and write p(x) = (x-s)*q(x) + r.

Since 0 = p(s) = (s-s)*q(s) + r, we get r=0 and

p(x) = (x-s)*q(x).

Now suppose we have k distinct roots s_1,…,s_k.

Repeatedly dividing:

Since 0 = p(s_1), we get p(s_1) = (x - s_1)*q_1(x)

where q_1(x) has degree d-1

Since 0 = p(s_2) = (s_2 - s_1)*q_1(s_2), so 0 = q_1(s_2)

we get q_1(x) = (x - s_2)*q_2(x) where q_2(x) has degree d-2, so

p(x) = (x - s_1)*(x - s_2)*q_2(x)

Since 0 = p(s_3) = (s_3 - s_1)*(s_3 - s_2)*q_2(s_3), so q_2(s_3)=0,

we get q_2(x) = (x - s_3)*q_3(x) where q_3(x) has degree d-3, so

p(x) = (x - s_1)*(x - s_2)*(x - s_3)*q_3(x)

Repeating, we get

p(x) = (x - s_1)*…*(x - s_k)*q_k(x) where q_k(x) has degree d-k

Since the degree can't be negative we get d>=k, i.e.

the number of distinct roots k is at most the degree d.

Note that if if p(x) has d distinct roots, then

p(x) = (x - s_1)*… *(x - s_d)*q_d(x)

where q_d(x) has degree 0 , i.e. is a nonzero constant, call it c, so

p(x) = c*(x - s_1)*…*(x - s_d)

This proof works whether or not the numbers are real, rational,

integers, or integers mod p.

ASK&WAIT:  Where did we depend on the fact that we were using

integers mod p, where p is prime?

Hint: How do we know that if

p(s_2) == (s_2 - s_1)*q_1(s_2) == 0 mod p ,

then q_1(s_2) == 0 mod p?

How do we know that if

p(s_3) == (s_3 - s_1)*(s_3 - s_2)*q_2(s_3) == 0,

then q_2(s_3) == 0 mod p?

Proof of Property 2: Lagrange Interpolation:

Suppose we had degree-d polynomials p_i(x) with the properties that

p_1(x_1) = 1 and p_1(x_2) = p_1(x_3) = … = p_1(x_{d+1}) = 0

p_2(x_2) = 1 and p_2(x_1) = p_2(x_3) = … = p_2(x_{d+1}) = 0

p_i(x_i) = 1 and p_i(x_j) = 0 for all j neq i

Then consider the degree-d polynomial

p(x) = sum_{i=1}^{d+1} y_i*p_i(x)

Then it is easy to see that

p(x_j) = y_j*p_j(x_j) + sum_{i neq j} y_j*p_i(x_j)

= y_j*p_j(x_j) + sum_{i neq j} y_j*0

= y_j*1 = y_j

solves our "interpolation" problem.

How do we build p_i(x)? Consider p_1(x) for simplicity. Let

q_1(x) = (x-x_2)*(x-x_3)*…*(x-x_{d+1})

Clearly q_1(x_j) = 0 if j>1, and q_1(x_1) neq 0. Thus

p_1(x) = q_1(x)/q_1(x_1)

satisfies our desired properties. Similarly, let

q_i(x) = prod_{j neq i} (x-x_j)

and

p_i(x) = q_i(x)/q_i(x_i)

It remains to show that the interpolating polynomial is unique.

So suppose there are two: p(x) and r(x).  Then f(x) = p(x)-r(x)

is a nonzero polynomial of degree <= d that is zero at all d+1 points x_i,

That is f(x) has d+1 distinct roots x_1,…,x_{d+1}. This contradicts

Property 1, so f(x) can't be nonzero. Thus 0 = p(x)-r(x) and p(x) = r(x),

i.e. the interpolating polynomial is unique.

ASK&WAIT: How does this work if we are doing arithmetic modulo p, p prime?

How do we know q_i(x_i) is nonzero, and how do we divide by it?

Notation:  we write x^(-1) to denote the integer that is the multiplicative inverse

of x, modulo p. In other words x*x^(-1) == 1 mod p.

(picture for d=1, d=2)

For secret sharing, here is the problem statement:

There are n people, each of whom has a "part" of a secret.

We want to arrange so that if any k (or more) of them share their data

with one another, they can all discover the secret.

However, if any k-1 (or fewer) of them share their data with

one another, they learn *nothing* about the secret, not one bit of information.

This guarantees that k of them have to agree to divulge the secret.

A motivating example from the Cold War was wanting to have at least

k political and military leaders having to agree to launch a nuclear missile,

but k-1 or fewer could not; in this case the secret would be the launch code.

We will use polynomials mod p for some prime p.

How many polynomials of degree <= k-1 are there, where coefficients are integers mod p?

(1)   each coefficient can have p values and there are k coefficients so p^k polynomials

(2)   Given k points (x_1,y_1),…,(x_k,y_k), there is a unique polynomial of degree <= k-1

that interpolates them. Since each y_i can have p different values, the number

of different polynomials is p^k, the same answer as before (it better be).

Here is the secret sharing scheme

The secret is some nonnegative number s

We pick a large prime p > s and p > n

We pick a degree k-1 polynomial P(x) = sum_{i=0}^{k-1} a_i*x^i mod p where

a_0 = s, so P(0) = s

the other a_i are chosen randomly (mod p)

We give person i the value of P(i) as his/her "part" of the secret.

Now suppose any subset of k people get together and share their

parts of the secret, that is person i provides P(i) for k different values of i.

Since we know P(x) has degree <= k-1, by Property 2 these k points of the

form (i,P(i)) define P(x) uniquely. In particular, we can compute P(0) = s,

and reveal the secret.

But suppose only k-1 people choose to share their values of (i,P(i));

what can we learn about s = P(0)? Nothing, because for every possible

value of P(0), there is a degree k-1 polynomial P(x) that goes

through the k-1 points (i,P(i)) as well as (0,P(0))

Ex:  s = 1,  n = 5, k = 3, p = 7,

That is a majority (3 out of 5) people have to agree to divulge the secret (s=1),

otherwise any number (mod p=7) is possible.

Choose P(x) = 3*x^2 + 5*x + 1, so

Person 1 gets P(1) mod 7 = 9 mod 7 = 2

Person 2 gets P(2) mod 7 = 23 mod 7 = 2

Person 3 gets P(3) mod 7 = 43 mod 7 = 1

Person 4 gets P(4) mod 7 = 6

Person 5 gets P(5) mod 7 = 3

If Persons 3, 4 and 5 get together, they can do Lagrange Interpolation:

p_3(x) == (x-4)*(x-5)*((3-4)*(3-5))^(-1) == (x-4)*(x-5)*2^(-1) == (x-4)*(x-5)*4  mod 7

p_4(x) == (x-3)*(x-5)*((4-3)*(4-5))^(-1) == (x-3)*(x-5)*(-1)^(-1)== -(x-3)*(x-5) mod 7

p_5(x) == (x-3)*(x-4)*((5-3)*(5-4))^(-1) == (x-3)*(x-4)*2^(-1) == (x-3)*(x-4)*4 mod 7

and get

P(x) = 1*p_3(x) + 6*p_4(x) + 3*p_5(x) == 3*x^2 + 5*x + 1 mod 7 as expected

so P(0) = 1 is revealed! In fact we only need the constant term:

1*(-4)*(-5)*4 + 6*(-(-3)*(-5)) + 3*(-3)*(-4)*4 == 134 == -6 == 1 mod 7

The next application (Note 8) is for Error-Correcting-Codes (ECCs),

which use polynomials mod p to send data reliably over unreliable

networks (like the internet), which can lose parts of a message.

We want to be able to send some extra data in a message, so that even

if part of the message is lost, the whole message can be reconstructed

from what it left.

More formally, we will take a message, and break it into a sequence

of integers m_1, m_2,…, each in the range 0 <= m_i < q for some prime q.

(We used the same idea for RSA cryptography in an earlier Note.)

We will break this sequence up into groups of n integers (or "packets") each.

So (m_1,…,m_n) is the first group, (m_{n+1},…,m_{2n}) is the second

group and so on. The trouble is that some of these integers may

be lost by the network, so that instead of (m_1,m_2,m_3) arriving

(when n=3, for example), we might only get (m_1,X,m_3) where X is

an indication that m_2 is lost or somehow corrupted, so we can't use it.

More than 1 integer m_i may be lost from a longer message (n>3).

Our goal is to send a little more information in each group, n+k words

instead of just n, so that even if we lose up to k words in the group,

no matter which one we lose, we can reconstruct the n words that

were sent (we will assume that we can find out which ones we lose,

i.e. each word is marked "trustworthy" or "X = not trustworthy" by the network).

So how do we store n+k words of information so that any subset of

n of them can be used to reconstruct a certain other set of n words

(the original message)? We will use polynomial interpolation as before

(all arithmetic is done mod q):

(1) Using the original message (m_1,…,m_n) we will construct a

degree n-1 polynomial

p(x) = m_n*x^(n-1) + m_{n-1}*x^(n-2) + … + m_2*x + m_1

(2) We will evaluate this polynomial at n+k points, namely

c_1 = p(1) mod q

c_2 = p(2) mod q

c_{n+k} = p(n+k) mod q

ASK&WAIT: what does this tell us about how large we have to choose q?

(3) We send the message C = (c_1,….,c_{n+k}) over the network

(4) Suppose any subset of n words of C arrives, i.e. at most k words

are lost in transmission, so we know the value of the degree n-1

polynomial p(x) at these n points. Then by Property 2, we can

find a unique interpolating polynomial of degree <= n that agrees

with p(x) at these n points; therefore this polynomial must be p(x),

and the original, uncorrupted message is encoded as its

coefficients.

Example: Suppose we want to sent n=4 integers, and guard against

the loss of up to k=2 integers. We let q=7, and so encode each message

as an integer from 0 to 6. Let the message to be sent be

(m_1,m_2,m_3,m_4) = (5,0,4,1). Following the above scheme:

(1) We encode the message as p(x) = 1*x^3 + 4*x^2 + 0*x + 5.

(2) We evaluate p(x) at 4+2 = 6 points

c_1 = p(1) == 3 mod 7

c_2 = p(2) == 1 mod 7

c_3 = p(3) == 5 mod 7

c_4 = p(4) == 0 mod 7

c_5 = p(5) == 6 mod 7

c_6 = p(6) == 1 mod 7

(3) We send the message C = (c_1,c_2,c_3,c_4,c_5,c_6) =  (3,1,5,0,6,1)

(4) Suppose c_2 and c_6 are lost in transmission. Then we can

reconstruct p(x) by knowing p(1), p(3), p(4), and p(5):

p_1(x) = (x-3)*(x-4)*(x-5) * a   where

a*(1-3)*(1-4)*(1-5) == a*(-24) == a*4 == 1 mod 7,  so a = 2

p_3(x) = (x-1)*(x-4)*(x-5) * b   where

b*(3-1)*(3-4)*(3-5) == b*(-4) == a*3 == 1 mod 7, so b = 5

p_4(x) = (x-1)*(x-3)*(x-5) * c where

c*(4-1)*(4-3)*(4-5) == c*(-3) == c*4 == 1 mod 7, so c = 2

p_5(x) = (x-1)*(x-3)*(x-4) * d where

d*(5-1)*(5-3)*(5-4) == d*(8) == d*1 == 1 mod 7, so d=1, and so

p(x) = c_1*p_1(x) + c_3*p_3(x) + c_4*p_4(x) + c_5*p_5(x)

= 3*p_1(x) + 5*p_3(x) + 0*p_4(x) + 6*p_5(x)

= x^3 + 4x^2 + 5

and   so we can recover the lost parts of the message

c_2 == p(2) == 29 == 1 mod 7

c_6 == p(6) == 365 == 1 mod 7

Note that this scheme only works for up to k lost packets, but what

if up to packets arrive corrupted, but not marked as such? It turns out

a similar scheme can deal with this, but we need more redundant

information: it turns out sending n+2*k packets will work, but the

algorithm is more complicated.