CS70 - Lecture 13 - Feb 16, 2011 - 10 Evans
Goal for Notes 7 & 8: Review basic properties of polynomials
Use them to "share secrets"
Use them for error-correcting-codes
sending data reliably over unreliable networks
(like the internet)
Def: A polynomial is p(x) = sum_{i=0}^d a_i * x^i
We say p(x) has degree d if a_d neq 0.
(We also say that the polynomial p(x) = 0 has degree 0).
Ex: p(x) = x+1, p(x) = x^2 - 2x +1 = (x-1)^2, p(x) = 0
Def: A root s of a polynomial satisfies p( s ) = 0.
Note that we can think of the coefficients of a polynomial
as real numbers, rational numbers, integers, or integers mod p, p prime
Since we ultimately need to use integers mod p, everything we
say about polynomials will apply to all these possibilities.
Property 1: A nonzero degree-d polynomial p(x) has at most d distinct roots.
"2 points determine a straight line y = a1*x + a0";
what about higher degree polynomials?
Property 2: Given d+1 points (x_1,y_1),…,(x_{d+1},y_{d+1})
where all the x_i are distinct, there is exactly one polynomial p(x),
of degree at most d, that "interpolates" all these points, i.e. p(x_i) = y_i
for i = 1,…,d+1
To prove these, let us recall how to divide one polynomial
by another: given a polynomial p(x) of degree d, and a constant c,
we can divide p(x) by x-c and write p(x) = (x-c)*q(x) + r, where
q(x) has degree d-1, and r is the remainder, another constant.
For example
_____________
x - 3 ) 4*x^2 - 3*x + 7
4*x^2-12*x 4*x
---------------------
9*x + 7
9*x-27 9
--------------------
34
so p(x) = 4*x^2 - 3*x + 7 = (x-3)*(4x+9) + 34
Note that we can do this
if the coefficients of p(x) are real numbers, in which case
so are the coefficients of the quotient q(x) and remainder r
if the coefficients are rational numbers, we get rational numbers
if the coefficients are integers, we get integers
if the coefficients are integers mod p, we get integers mod p
The point is: everything we say will apply to all these different
sets of numbers.
Proof of Property 1: Suppose s is a root so p( s ) = 0.
Now divide p(x) by x-s, and write p(x) = (x-s)*q(x) + r.
Since 0 = p(s) = (s-s)*q(s) + r, we get r=0 and
p(x) = (x-s)*q(x).
Now suppose we have k distinct roots s_1,…,s_k.
Repeatedly dividing:
Since 0 = p(s_1), we get p(s_1) = (x - s_1)*q_1(x)
where q_1(x) has degree d-1
Since 0 = p(s_2) = (s_2 - s_1)*q_1(s_2), so 0 = q_1(s_2)
we get q_1(x) = (x - s_2)*q_2(x) where q_2(x) has degree d-2, so
p(x) = (x - s_1)*(x - s_2)*q_2(x)
Since 0 = p(s_3) = (s_3 - s_1)*(s_3 - s_2)*q_2(s_3), so q_2(s_3)=0,
we get q_2(x) = (x - s_3)*q_3(x) where q_3(x) has degree d-3, so
p(x) = (x - s_1)*(x - s_2)*(x - s_3)*q_3(x)
Repeating, we get
p(x) = (x - s_1)*…*(x - s_k)*q_k(x) where q_k(x) has degree d-k
Since the degree can't be negative we get d>=k, i.e.
the number of distinct roots k is at most the degree d.
Note that if if p(x) has d distinct roots, then
p(x) = (x - s_1)*… *(x - s_d)*q_d(x)
where q_d(x) has degree 0 , i.e. is a nonzero constant, call it c, so
p(x) = c*(x - s_1)*…*(x - s_d)
This proof works whether or not the numbers are real, rational,
integers, or integers mod p.
ASK&WAIT: Where did we depend on the fact that we were using
integers mod p, where p is prime?
Hint: How do we know that if
p(s_2) == (s_2 - s_1)*q_1(s_2) == 0 mod p ,
then q_1(s_2) == 0 mod p?
How do we know that if
p(s_3) == (s_3 - s_1)*(s_3 - s_2)*q_2(s_3) == 0,
then q_2(s_3) == 0 mod p?
Proof of Property 2: Lagrange Interpolation:
Suppose we had degree-d polynomials p_i(x) with the properties that
p_1(x_1) = 1 and p_1(x_2) = p_1(x_3) = … = p_1(x_{d+1}) = 0
p_2(x_2) = 1 and p_2(x_1) = p_2(x_3) = … = p_2(x_{d+1}) = 0
…
p_i(x_i) = 1 and p_i(x_j) = 0 for all j neq i
Then consider the degree-d polynomial
p(x) = sum_{i=1}^{d+1} y_i*p_i(x)
Then it is easy to see that
p(x_j) = y_j*p_j(x_j) + sum_{i neq j} y_j*p_i(x_j)
= y_j*p_j(x_j) + sum_{i neq j} y_j*0
= y_j*1 = y_j
solves our "interpolation" problem.
How do we build p_i(x)? Consider p_1(x) for simplicity. Let
q_1(x) = (x-x_2)*(x-x_3)*…*(x-x_{d+1})
Clearly q_1(x_j) = 0 if j>1, and q_1(x_1) neq 0. Thus
p_1(x) = q_1(x)/q_1(x_1)
satisfies our desired properties. Similarly, let
q_i(x) = prod_{j neq i} (x-x_j)
and
p_i(x) = q_i(x)/q_i(x_i)
It remains to show that the interpolating polynomial is unique.
So suppose there are two: p(x) and r(x). Then f(x) = p(x)-r(x)
is a nonzero polynomial of degree <= d that is zero at all d+1 points x_i,
That is f(x) has d+1 distinct roots x_1,…,x_{d+1}. This contradicts
Property 1, so f(x) can't be nonzero. Thus 0 = p(x)-r(x) and p(x) = r(x),
i.e. the interpolating polynomial is unique.
ASK&WAIT: How does this work if we are doing arithmetic modulo p, p prime?
How do we know q_i(x_i) is nonzero, and how do we divide by it?
Notation: we write x^(-1) to denote the integer that is the multiplicative inverse
of x, modulo p. In other words x*x^(-1) == 1 mod p.
(picture for d=1, d=2)
For secret sharing, here is the problem statement:
There are n people, each of whom has a "part" of a secret.
We want to arrange so that if any k (or more) of them share their data
with one another, they can all discover the secret.
However, if any k-1 (or fewer) of them share their data with
one another, they learn *nothing* about the secret, not one bit of information.
This guarantees that k of them have to agree to divulge the secret.
A motivating example from the Cold War was wanting to have at least
k political and military leaders having to agree to launch a nuclear missile,
but k-1 or fewer could not; in this case the secret would be the launch code.
We will use polynomials mod p for some prime p.
How many polynomials of degree <= k-1 are there, where coefficients are integers mod p?
(1) each coefficient can have p values and there are k coefficients so p^k polynomials
(2) Given k points (x_1,y_1),…,(x_k,y_k), there is a unique polynomial of degree <= k-1
that interpolates them. Since each y_i can have p different values, the number
of different polynomials is p^k, the same answer as before (it better be).
Here is the secret sharing scheme
The secret is some nonnegative number s
We pick a large prime p > s and p > n
We pick a degree k-1 polynomial P(x) = sum_{i=0}^{k-1} a_i*x^i mod p where
a_0 = s, so P(0) = s
the other a_i are chosen randomly (mod p)
We give person i the value of P(i) as his/her "part" of the secret.
Now suppose any subset of k people get together and share their
parts of the secret, that is person i provides P(i) for k different values of i.
Since we know P(x) has degree <= k-1, by Property 2 these k points of the
form (i,P(i)) define P(x) uniquely. In particular, we can compute P(0) = s,
and reveal the secret.
But suppose only k-1 people choose to share their values of (i,P(i));
what can we learn about s = P(0)? Nothing, because for every possible
value of P(0), there is a degree k-1 polynomial P(x) that goes
through the k-1 points (i,P(i)) as well as (0,P(0))
Ex: s = 1, n = 5, k = 3, p = 7,
That is a majority (3 out of 5) people have to agree to divulge the secret (s=1),
otherwise any number (mod p=7) is possible.
Choose P(x) = 3*x^2 + 5*x + 1, so
Person 1 gets P(1) mod 7 = 9 mod 7 = 2
Person 2 gets P(2) mod 7 = 23 mod 7 = 2
Person 3 gets P(3) mod 7 = 43 mod 7 = 1
Person 4 gets P(4) mod 7 = 6
Person 5 gets P(5) mod 7 = 3
If Persons 3, 4 and 5 get together, they can do Lagrange Interpolation:
p_3(x) == (x-4)*(x-5)*((3-4)*(3-5))^(-1) == (x-4)*(x-5)*2^(-1) == (x-4)*(x-5)*4 mod 7
p_4(x) == (x-3)*(x-5)*((4-3)*(4-5))^(-1) == (x-3)*(x-5)*(-1)^(-1)== -(x-3)*(x-5) mod 7
p_5(x) == (x-3)*(x-4)*((5-3)*(5-4))^(-1) == (x-3)*(x-4)*2^(-1) == (x-3)*(x-4)*4 mod 7
and get
P(x) = 1*p_3(x) + 6*p_4(x) + 3*p_5(x) == 3*x^2 + 5*x + 1 mod 7 as expected
so P(0) = 1 is revealed! In fact we only need the constant term:
1*(-4)*(-5)*4 + 6*(-(-3)*(-5)) + 3*(-3)*(-4)*4 == 134 == -6 == 1 mod 7
The next application (Note 8) is for Error-Correcting-Codes (ECCs),
which use polynomials mod p to send data reliably over unreliable
networks (like the internet), which can lose parts of a message.
We want to be able to send some extra data in a message, so that even
if part of the message is lost, the whole message can be reconstructed
from what it left.
More formally, we will take a message, and break it into a sequence
of integers m_1, m_2,…, each in the range 0 <= m_i < q for some prime q.
(We used the same idea for RSA cryptography in an earlier Note.)
We will break this sequence up into groups of n integers (or "packets") each.
So (m_1,…,m_n) is the first group, (m_{n+1},…,m_{2n}) is the second
group and so on. The trouble is that some of these integers may
be lost by the network, so that instead of (m_1,m_2,m_3) arriving
(when n=3, for example), we might only get (m_1,X,m_3) where X is
an indication that m_2 is lost or somehow corrupted, so we can't use it.
More than 1 integer m_i may be lost from a longer message (n>3).
Our goal is to send a little more information in each group, n+k words
instead of just n, so that even if we lose up to k words in the group,
no matter which one we lose, we can reconstruct the n words that
were sent (we will assume that we can find out which ones we lose,
i.e. each word is marked "trustworthy" or "X = not trustworthy" by the network).
So how do we store n+k words of information so that any subset of
n of them can be used to reconstruct a certain other set of n words
(the original message)? We will use polynomial interpolation as before
(all arithmetic is done mod q):
(1) Using the original message (m_1,…,m_n) we will construct a
degree n-1 polynomial
p(x) = m_n*x^(n-1) + m_{n-1}*x^(n-2) + … + m_2*x + m_1
(2) We will evaluate this polynomial at n+k points, namely
c_1 = p(1) mod q
c_2 = p(2) mod q
…
c_{n+k} = p(n+k) mod q
ASK&WAIT: what does this tell us about how large we have to choose q?
(3) We send the message C = (c_1,….,c_{n+k}) over the network
(4) Suppose any subset of n words of C arrives, i.e. at most k words
are lost in transmission, so we know the value of the degree n-1
polynomial p(x) at these n points. Then by Property 2, we can
find a unique interpolating polynomial of degree <= n that agrees
with p(x) at these n points; therefore this polynomial must be p(x),
and the original, uncorrupted message is encoded as its
coefficients.
Example: Suppose we want to sent n=4 integers, and guard against
the loss of up to k=2 integers. We let q=7, and so encode each message
as an integer from 0 to 6. Let the message to be sent be
(m_1,m_2,m_3,m_4) = (5,0,4,1). Following the above scheme:
(1) We encode the message as p(x) = 1*x^3 + 4*x^2 + 0*x + 5.
(2) We evaluate p(x) at 4+2 = 6 points
c_1 = p(1) == 3 mod 7
c_2 = p(2) == 1 mod 7
c_3 = p(3) == 5 mod 7
c_4 = p(4) == 0 mod 7
c_5 = p(5) == 6 mod 7
c_6 = p(6) == 1 mod 7
(3) We send the message C = (c_1,c_2,c_3,c_4,c_5,c_6) = (3,1,5,0,6,1)
(4) Suppose c_2 and c_6 are lost in transmission. Then we can
reconstruct p(x) by knowing p(1), p(3), p(4), and p(5):
p_1(x) = (x-3)*(x-4)*(x-5) * a where
a*(1-3)*(1-4)*(1-5) == a*(-24) == a*4 == 1 mod 7, so a = 2
p_3(x) = (x-1)*(x-4)*(x-5) * b where
b*(3-1)*(3-4)*(3-5) == b*(-4) == a*3 == 1 mod 7, so b = 5
p_4(x) = (x-1)*(x-3)*(x-5) * c where
c*(4-1)*(4-3)*(4-5) == c*(-3) == c*4 == 1 mod 7, so c = 2
p_5(x) = (x-1)*(x-3)*(x-4) * d where
d*(5-1)*(5-3)*(5-4) == d*(8) == d*1 == 1 mod 7, so d=1, and so
p(x) = c_1*p_1(x) + c_3*p_3(x) + c_4*p_4(x) + c_5*p_5(x)
= 3*p_1(x) + 5*p_3(x) + 0*p_4(x) + 6*p_5(x)
= x^3 + 4x^2 + 5
and so we can recover the lost parts of the message
c_2 == p(2) == 29 == 1 mod 7
c_6 == p(6) == 365 == 1 mod 7
Note that this scheme only works for up to k lost packets, but what
if up to packets arrive corrupted, but not marked as such? It turns out
a similar scheme can deal with this, but we need more redundant
information: it turns out sending n+2*k packets will work, but the
algorithm is more complicated.