Polynomial expressions of $p$-ary auction functions
Shizuo Kaji, Toshiaki Maeno, Koji Nuida, Yasuhide Numata

TL;DR
This paper investigates the polynomial representations of functions related to auction and voting procedures over finite fields, focusing on deriving explicit minimal polynomial expressions for these functions.
Contribution
It provides explicit polynomial expressions for functions associated with auction and voting, expanding understanding of their algebraic structure over finite fields.
Findings
- Derived minimal polynomial expressions for auction-related functions
- Analyzed the algebraic structure of voting functions over finite fields
- Extended polynomial representation techniques to practical decision procedures
Abstract
Let be the finite field of prime order . For any function , there exists a unique polynomial over having degree at most with respect to each variable which coincides with . We call it the minimal polynomial of . It is in general a non-trivial task to find a concrete expression of the minimal polynomial of a given function, which has only been worked out for limited classes of functions in the literature. In this paper, we study minimal polynomial expressions of several functions that are closely related to some practically important procedures such as auction and voting.
Taxonomy
Topics: Cryptography and Data Security · Coding theory and cryptography · Complexity and Algorithms in Graphs
Shizuo Kaji (Yamaguchi University, Japan; Japan Science and Technology Agency (JST) PRESTO Researcher)
Toshiaki Maeno (Meijo University, Japan)
Koji Nuida (National Institute of Advanced Industrial Science and Technology (AIST), Japan; Japan Science and Technology Agency (JST) PRESTO Researcher)
Yasuhide Numata (Shinshu University, Japan)
Key words and phrases:
Polynomial expression of functions, finite fields, cryptography
2010 Mathematics Subject Classification:
68R05, 12Y05
The fourth named author was partially supported by KAKENHI, Grant-in-Aid for Young Scientists (B) JP25800009.
1. Introduction
Let be a prime and the finite field of order . It is well-known that any function can be expressed as a polynomial with coefficients in , and such a polynomial is unique if its degree with respect to each variable is restricted to be at most ; we call the unique polynomial the minimal polynomial of the function . In theory, it is easy by Fermat’s Little Theorem to see that the polynomial is given by , where is the minimal polynomial for the Kronecker delta. This expression, however, has two shortcomings; it relies on the (often implicit) values of the function, and it in general contains many redundant terms to be cancelled out. As a result, it remains a non-trivial task to obtain an explicit and concise minimal polynomial expression for a given concrete function . For example, Sturtivant and Frandsen [8, Theorems 9.1(a) and 11.2] showed that the carry function in multiplication of -ary integers is expressed by using number-theoretic objects such as the Bernoulli numbers and Wilson’s quotient (see also [5] for a different approach to the result and an expression of the carry function in the case of addition of -ary integers). As this previous result suggests, the problem of computing minimal polynomial expressions of certain functions can lead to interesting theoretical results connecting different fields of mathematics.
On the other hand, this problem has potential applications in cryptography as well. There was recently a breakthrough in the area of cryptography, namely the discovery of fully homomorphic encryption (see [3, 7] for surveys). One can compute in an encrypted form both addition and multiplication over the two-element field (see [4], etc.) and over even larger finite prime fields for (see [6]). It follows that one can compute any function provided the function is explicitly written as a polynomial over . For example, a recent work [2] on practical cryptographic systems based on fully homomorphic encryption relies on a recursive polynomial expression of the comparison function for two binary integers. To develop such practical systems, “efficient” polynomial expressions of various functions are useful, and in particular, the minimal degree condition is important since encrypted multiplication is in general computationally much more expensive than encrypted addition.
In this paper, we study minimal polynomial expressions of a certain class of functions specified below. They are relevant to some practical procedures such as auction and voting. We chiefly discuss the function that takes an element of as input and returns the largest value among them, and the function that returns the least index of the largest component(s) in the input vector in . Here we clarify that the finite field is naturally identified with the subset of integers, and comparison of elements (e.g., in the function ) is performed in the latter, while addition and multiplication are done in the former. The output of is an integer that may exceed the range of the field when . To handle this, we introduce an -valued function that returns the -th digit of the -ary expansion of .
In §2, we define and give the minimal polynomial for the “low-pass filtering function” and the Kronecker delta function , which are used as building blocks in the later sections. In §3, we give a minimal polynomial expression of the function in terms of and . However, these general expressions contain many terms. We derive more concise forms for and (Corollary 3.2 and Proposition 3.3). A duality between and allows us to deduce corresponding formulae for . §4 is devoted to the study of the function. First, we provide a way of reducing the computation for with any to the computation for by utilising the result on the function . We also provide a recursive formula for with respect to the input length. They are used to derive minimal polynomial expressions of when and of for and (Propositions 4.3, 4.4, and 4.6). The recursive formula for relies on the (minimal) polynomial expression of with input length of two. We give a minimal polynomial expression of for and any in §5, which also yields a minimal polynomial expression of with (Proposition 5.2 and Theorem 5.5).
In §6, we introduce and study two more functions that are also relevant to our problem. We recall that the definition of enforces the function to always output the first index when there are ties in the input vectors; this then loses the information on the other largest components of the input. To remedy this situation, we introduce the function “” that returns if the maximum value among the components of the input vector is equal to the other input value , and “” that returns the number of inputs which attain the tied maximum. Then, similarly to the cases of and , we provide a general formula for the minimal polynomial expression of and in terms of the low-pass filtering functions and the Kronecker delta functions, and also compute concise forms of minimal polynomial expressions of for and , and of for .
We conclude with a possible extension of our result to a multi-digit setting in §7.
Acknowledgement
The authors would like to thank Takuro Abe for fruitful discussions.
2. Notation and Basic functions
In this section, we fix some notation used throughout the paper. A vector of length over the field is denoted by . We introduce a linear ordering on via the natural identification of it with the subset of (with the usual ordering ). We denote by the -th elementary symmetric polynomial of so that .
For a logical formula with free variable , we define its truth function by
[TABLE]
which is often abbreviated as . We frequently use the same symbol for a function and its polynomial expression.
Example 2.1.
For , the minimal polynomial for the delta function is given by
[TABLE]
which follows from Fermat’s Little Theorem. Similarly, the minimal polynomial for the low-pass function is given by
[TABLE]
For an integer , its -th digit in the -ary expansion is denoted by ; that is, with for each .
3. Polynomial expressions of the and the functions
For a vector , let (respectively, ) denote the maximum (respectively, minimum) among the values .
Using the functions in Example 2.1, we immediately obtain the minimal polynomial of .
Proposition 3.1.
The minimal polynomial of is given by
[TABLE]
In particular, when this simplifies:
Corollary 3.2.
The minimal polynomial of for is given by
[TABLE]
However, when , the expression in Proposition 3.1 consists of a lot of terms. We now compute a more concise expression for .
First we note that if for some . This implies that the minimal polynomial of has as a factor for every . Therefore, we have
[TABLE]
for some polynomial in which each variable has degree at most . In particular, this observation yields another proof of Corollary 3.2 (where ). For the case , we have the following result:
Proposition 3.3.
When , a minimal polynomial expression for is given by:
[TABLE]
Proof.
Denote the right hand side by . As the minimality condition on the degree is satisfied for , it suffices to verify for any . When , there exists such that . This implies and . Notice that
[TABLE]
by the definition of and the fact in . When , as and , we have . When , as and , we have . ∎
To obtain a minimal polynomial expression for , we exploit a duality between and . Define an involution on by and extend it coordinate-wise on . Then, we have for any . Thus, a minimal polynomial expression for converts to one of and vice versa. For example, Corollary 3.2 and Proposition 3.3 imply the following:
Corollary 3.4.
When , a minimal polynomial expression for is given by
[TABLE]
When , a minimal polynomial expression for is given by
[TABLE]
For the next case of , minimal polynomial expressions of for small values of in terms of elementary symmetric polynomials can be determined by direct calculation:
Example 3.5.
When , the following are minimal polynomial expressions.
- •
- •
However, it seems to be difficult to obtain a general formula (such as Proposition 3.3) for . The function with for any will be revisited in §4.
Remark 3.6.
The function is a symmetric function (in variables ), and satisfies and an “associativity” in the following sense:
[TABLE]
By using this property recursively, a minimal polynomial expression of the function with two variables (i.e., for the case ) yields a polynomial expression of with any number of variables (i.e., for any ). However, the polynomial thus obtained is not the minimal polynomial in general.
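The interpolation formula from the introduction and the recursion of Remark 3.6, worked through in Python as an added example (not code from the paper). It assumes the standard Kronecker delta polynomial 1 − x^(p−1) obtained from Fermat's Little Theorem, and all function names are hypothetical. It builds the minimal polynomial of max by summing over all points, then builds max recursively from its two-variable polynomial and shows that the result exceeds degree p − 1 per variable until x^p = x is applied.

```python
from itertools import product
from math import prod

def fold(d, p):
    # x^p = x as functions on F_p, so exponents d >= 1 fold into 1..p-1
    return d if d == 0 else (d - 1) % (p - 1) + 1

def mul(a, b, p, reduce=True):
    """Product of sparse polynomials {exponent tuple: coeff} over F_p."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            if reduce:
                e = tuple(fold(d, p) for d in e)
            out[e] = (out.get(e, 0) + ca * cb) % p
    return {e: c for e, c in out.items() if c}

def add(a, b, p, k=1):
    """a + k*b over F_p, dropping zero coefficients."""
    out = dict(a)
    for e, c in b.items():
        out[e] = (out.get(e, 0) + k * c) % p
    return {e: c for e, c in out.items() if c}

def power(a, k, p, n, reduce=True):
    out = {(0,) * n: 1}
    for _ in range(k):
        out = mul(out, a, p, reduce)
    return out

def var(i, n):
    return {tuple(int(j == i) for j in range(n)): 1}

def minimal_poly(f, p, n):
    """Interpolate f: F_p^n -> F_p as sum_a f(a) * prod_i delta(x_i - a_i)."""
    one = {(0,) * n: 1}
    def delta(i, a):  # 1 - (x_i - a)^(p-1): 1 at x_i = a, 0 elsewhere
        return add(one, power(add(var(i, n), one, p, -a), p - 1, p, n), p, -1)
    deltas = [[delta(i, a) for a in range(p)] for i in range(n)]
    total = {}
    for pt in product(range(p), repeat=n):
        term = {(0,) * n: f(pt) % p}
        for i, a in enumerate(pt):
            term = mul(term, deltas[i][a], p)
        total = add(total, term, p)
    return total

def evaluate(poly, pt, p):
    return sum(c * prod(pow(x, d, p) for x, d in zip(pt, e))
               for e, c in poly.items()) % p

def max_by_recursion(p, n, reduce):
    """max(x_1..x_n) built as M2(max(x_1..x_{n-1}), x_n), M2 = 2-variable max."""
    m2 = minimal_poly(max, p, 2)
    acc = var(0, n)
    for i in range(1, n):
        nxt = {}
        for (a, b), c in m2.items():
            t = mul(power(acc, a, p, n, reduce),
                    power(var(i, n), b, p, n, reduce), p, reduce)
            nxt = add(nxt, t, p, c)
        acc = nxt
    return acc

if __name__ == "__main__":
    direct, raw = minimal_poly(max, 3, 3), max_by_recursion(3, 3, reduce=False)
    for name, q in (("direct", direct), ("recursive, unreduced", raw)):
        print(name, "terms:", len(q), "max degree:", max(max(e) for e in q))
    print("equal after x^p = x:", mul(raw, {(0, 0, 0): 1}, 3) == direct)
```

The interpolation loop visits all p^n points, so it is only practical for small p and n.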
4. Polynomial expressions of the function
Let be the least integer such that . Note that takes values in so we define for
[TABLE]
where is the -th digit in the -ary expansion of .
Again using the functions in Example 2.1, we immediately obtain the minimal polynomial of .
Proposition 4.1.
The minimal polynomial for is given by
[TABLE]
Remark 4.2.
Let be the function which returns the least index with . A minimal polynomial expression of is obtained from one of via the duality similarly to the case of discussed in §3.
Observe by definition of the function that
[TABLE]
[TABLE]
The second equation follows from
[TABLE]
These formulae yield a (in general, not minimal) polynomial expression of from those of with and .
4.1. The case
When , we can derive a minimal polynomial expression of .
Proposition 4.3.
When and , the following are minimal polynomial expressions:
[TABLE]
Proof.
Notice that if and only if there is an odd index satisfying that for every and . So we have
[TABLE]
Combining this with (4.1) and Proposition 3.2, we obtain the first formula (note that the characteristic is now ). The second formula follows from the fact . ∎
We can also use (4.2) to give another formula:
Proposition 4.4.
When and , a minimal polynomial expression of is given as follows:
,
If for an integer (i.e., ), then we have
[TABLE]
If for an integer (i.e., ), then we have
[TABLE]
Proof.
Let denote the right-hand side of the claimed equality in the statement (we define when ). First we note that, in the present case we have
[TABLE]
since the only possibility to satisfy is that for every and , which then implies . Therefore, the recursive formula (4.2) now becomes
[TABLE]
It then suffices to show that instead of also satisfies the same recursive formula. This is obvious when satisfies the condition for the second case in the statement.
From now on, we focus on the other case where satisfies the condition for the first case in the statement. Since direct computation shows , by Proposition 3.2 we have
[TABLE]
therefore the recursive formula now becomes
[TABLE]
If , then also satisfies the same condition as with the same integer , and now we indeed have by the definition of (note that in this case). On the other hand, if , then we have by the definition of for the second case in the statement, while satisfies the condition for the first case in the statement with playing the role of . This implies that also holds in this case by the definition of (note that now ). Hence satisfies the desired recursive formula in any case, completing the proof. ∎
For Proposition 4.4, by noting that and now the characteristic is , the formula given there can be rewritten as follows.
Corollary 4.5.
Let be the set of integers defined by
[TABLE]
A minimal polynomial expression of is given by
[TABLE]
4.2. The case
When , a direct computation shows
[TABLE]
Combining this with the following formula from Proposition 3.3
[TABLE]
we obtain by (4.2):
[TABLE]
Although this formula does not yield a minimal polynomial expression for directly, we can still compute one at least when is not too large. For example, when the input vector has length (hence it suffices to consider only), the formula above (with and ) becomes
[TABLE]
A straightforward expansion of the polynomial in the right-hand side yields
[TABLE]
and, by applying the relations and several times (where means equivalence as functions over ), we finally obtain:
Proposition 4.6.
A minimal polynomial expression of for is given by
[TABLE]
5. Polynomial expressions of the and functions for two variables
First we note that if and only if and add up to an equal or greater integer than when considered as integers; that is, is equal to the carry by the -ary addition of two single-digit values and to the next digit. A minimal polynomial expression of this carry function, denoted by , has been determined in [5, 6]:
Lemma 5.1 ([5, 6]).
For , we have
[TABLE]
where the in the right-hand side means the inverse of as an element of .
Combining this with , we obtain:
Proposition 5.2.
When , a minimal polynomial expression of is given by
[TABLE]
Example 5.3.
By using Proposition 5.2 (or direct calculation), we have the following minimal polynomial expressions of for small primes.
- When , .
- When , .
- When , .
- When , .
We also have the following relation between and deduced from their definitions:
Lemma 5.4.
We have . In particular, we have
[TABLE]
A straightforward substitution of the result of Proposition 5.2 into the right-hand side of Lemma 5.4 yields an almost, but not yet minimal, polynomial expression of . This expression can be converted to a minimal polynomial expression.
Theorem 5.5.
When , we have the following minimal polynomial expression of :
[TABLE]
Proof.
Throughout the proof, a notation means that and define an identical function on . First, since , Proposition 5.2 implies
[TABLE]
and we have for the last term above. Similarly, we have
[TABLE]
and, for the last two terms above, we have
[TABLE]
where we used and Wilson’s Theorem .
By combining these results with Lemma 5.4, we have
[TABLE]
and, for the second last term above, we have
[TABLE]
where we used Wilson’s Theorem again. Hence, we have
[TABLE]
which is our claim in the statement. ∎
6. Polynomial expressions of some other functions
In this section, we study the following two -valued functions that are related to and :
[TABLE]
where and . In practical applications, these functions are useful if there are “ties” in the vote.
By a careful interpretation of the definitions, we obtain minimal polynomials of these functions (which, however, consist of a lot of terms):
Proposition 6.1.
Using the notation from §2, the following are minimal polynomial expressions:
[TABLE]
Proof.
For the function , given a constant , we have if and only if there is an index satisfying that for every , , and for every ; such an index is unique if it exists. This observation (in particular, the uniqueness of ) implies our claim.
For the function , the function value is obtained by first counting the number of indices with (or equivalently, ) and then taking the remainder of the number modulo (i.e., just considering the number in ). Moreover, given a constant , we have if and only if and for every . This observation implies our claim.
For the function , given an integer and a constant , we have and if and only if there is a -element set of indices satisfying that for every and for every ; such a set is unique if it exists. This observation (in particular, the uniqueness of ) implies our claim (note that for any ). ∎
When and , we give the following explicit minimal polynomial expressions of :
Proposition 6.2.
When , a minimal polynomial expression of is given by
[TABLE]
When , a minimal polynomial expression of is given by
[TABLE]
Proof.
First, we note that by the definition of the function. When , the right-hand side becomes and now the claim follows from Proposition 3.2.
On the other hand, when , we have
[TABLE]
Now we have if for all , and otherwise. This implies that
[TABLE]
and now the claim follows from Proposition 3.3. ∎
Example 6.3.
When , a minimal polynomial expression of is given by
[TABLE]
This can be seen by the following argument. When , i.e., for all , we have for any , which accounts for the second term. As by the result of [1] (see also [5, Example 1]), we obtain the equation.
7. Future Subject: Multi-digit case
We note that the previous sections studied functions with single-digit input values taken from ; in such a formulation, to handle larger input values we have to choose a larger prime as well, which will result in polynomial expressions of the functions with higher degrees and much more involved structures. Another option to handle larger values is to express the input values in multi-digit forms; now each component of the input is identified with its -ary expansion, therefore the entire input is regarded as a two-dimensional matrix over rather than a one-dimensional vector (over a larger field). In the latter model, the base field can be kept small even if the input values become larger. On the other hand, a large input value will then increase the total number of components of the input matrix, but this shortcoming might sometimes be avoidable in practice by implementation techniques such as parallel computation. This suggests that polynomial expressions of functions with multi-digit inputs are important as well.
However, even if the polynomial expression of a given function is understood well for single-digit input cases, it is in general a non-trivial task to deduce a polynomial expression of the function for multi-digit input cases. We leave such multi-digit extensions of the results in this paper as a future research topic, and we just conclude this paper with an example:
Proposition 7.1.
Let , and consider two-bit inputs and for , where . Then the following is a minimal polynomial expression:
[TABLE]
Proof.
As the right-hand side of the statement satisfies the minimality conditions for the degrees, it suffices to verify that the values of both terms are equal for any input values.
First we note that, for any set of index pairs , we have
[TABLE]
Similarly, we have
[TABLE]
We divide the argument according to the values of and . When , we have if and only if for every index . Now the right-hand side of the statement becomes , which coincides with by the remark above.
When and , the right-hand side of the statement becomes . Now if at least one of is , then we have by definition, while the value of the polynomial becomes [math] as well by the remark above, as desired. In the remaining case where for every , we have if and only if for some ; while the polynomial now becomes . By the remark above, the value of the polynomial coincides with , as desired.
When and , the right-hand side of the statement becomes . Now if for every , then we have by definition, while the value of the polynomial becomes as well by the remark above, as desired. In the remaining case where for some , let denote the set of indices with (hence now ). In this case, we have if and only if for every ; while the polynomial now becomes . By the remark above, the value of the polynomial coincides with , as desired.
Finally, when , the right-hand side of the statement becomes . By the remark above, this polynomial takes the value if and only if for some index ; this condition is precisely the same as the condition for in the present case to take the value , by definition. This completes the proof. ∎
References
- [1] J. Boyar, R. Peralta, D. Pochuev: On the Multiplicative Complexity of Boolean Functions over the Basis (cap, +, 1). Theoretical Computer Science, vol.235(1) (2000) pp.43–57.
- [2] J. H. Cheon, M. Kim, M. Kim: Search-and-Compute on Encrypted Data. In: Proceedings of Financial Cryptography and Data Security 2015 (FC 2015), Springer Lecture Notes in Computer Science vol.8976, 2015, pp.142–159.
- [3] C. Gentry: Computing on the Edge of Chaos: Structure and Randomness in Encrypted Computation. The 2014 International Congress of Mathematicians (ICM 2014), Seoul, Korea, August 16, 2014. Proceedings available at: IACR Cryptology ePrint Archive, report 2014/610, http://eprint.iacr.org/2014/610 (2014).
- [4] C. Gentry: Fully Homomorphic Encryption Using Ideal Lattices. In: Proceedings of STOC 2009, ACM, 2009, pp.169–178.
- [5] S. Kaji, T. Maeno, K. Nuida, Y. Numata: Polynomial Expressions of Carries in p-ary Arithmetics. Preprint, arXiv:1506.02742 (2015).
- [6] K. Nuida, K. Kurosawa: (Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces. In: Proceedings of EUROCRYPT 2015 (Part I), Springer Lecture Notes in Computer Science vol.9056, 2015, pp.537–555.
- [7] A. Silverberg: Fully Homomorphic Encryption for Mathematicians. IACR Cryptology ePrint Archive, report 2013/250, http://eprint.iacr.org/2013/250 (2013).
- [8] C. Sturtivant, G. S. Frandsen: The Computational Efficacy of Finite-Field Arithmetic. Theoretical Computer Science, vol.112 (1993) pp.291–309.
