Generating sets for the multiplicative groups of algebras over finite fields and expander graphs


Journal of Symbolic Computation (Elsevier), www.elsevier.com/locate/jsc. Contents lists available at ScienceDirect.

Ming-Deh Huang, Lian Liu
University of Southern California, United States

Article history: Received 30 November 2016; Accepted 1 April 2017.
Keywords: Generating set; Expander graph; Cayley graph; Algebra; Character sum

Abstract. We consider computational problems concerning algebras over finite fields. In particular, we propose an algorithm for finding a small generating set for the multiplicative group of $\mathbb{F}_q[x]/F$, where $q = p^n$ is a prime power and $F \in \mathbb{F}_q[x]$ is a polynomial, not necessarily irreducible. Based on this result, a new family of expander graphs can be explicitly constructed. In addition, we present algorithms for constructing a basis of the multiplicative group and for decomposing a given element with respect to that basis. © 2017 Elsevier Ltd. All rights reserved.

1. Introduction

In computational algebra it is often desirable to find small generating sets for given groups. One of the most important applications of small generating sets is the explicit construction of expander graphs (Chung, 1989; Lu et al., 2014). Informally, expander graphs are sparse graphs that are nevertheless highly connected (a precise definition is given in Section 2.2). Expanders have been applied in many areas, such as computational complexity theory, coding theory and communication networks (Hoory et al., 2006); for example, in complexity theory, expanders are an essential tool in Dinur's well-known proof of the PCP theorem (Dinur, 2007). Small generating sets also have other applications: in the index calculus method for solving the discrete logarithm problem over the multiplicative groups of finite fields, one is interested in finding a reasonably small generating set (a factor base) over which enough relations can be found (see, for example, Adleman and Huang, 1999; Joux, 2013).

E-mail addresses: [email protected] (M.-D. Huang), [email protected] (L. Liu). URLs: http://www-bcf.usc.edu/~mdhuang/ (M.-D. Huang), http://www-scf.usc.edu/~lianliu/ (L. Liu). http://dx.doi.org/10.1016/j.jsc.2017.07.008 0747-7171/© 2017 Elsevier Ltd. All rights reserved.


A fundamental result of Chung (1989) states that if $f \in \mathbb{F}_p[x]$ is an irreducible polynomial of degree $n$ and $\sqrt{p} > n - 1$, then the set $x + \mathbb{F}_p := \{x + t : t \in \mathbb{F}_p\}$ is a generating set for $\mathbb{F}_q^* \cong (\mathbb{F}_p[x]/f)^*$, where $q = p^n$. Moreover, the Cayley graph built on $\mathbb{F}_q^*$ with the generating set $x + \mathbb{F}_p$ is an expander. This result was generalized to algebras of the form $\mathbb{F}_p[x]/F$, where $F \in \mathbb{F}_p[x]$ is not necessarily irreducible, in Huang and Liu (2016). In that paper, we presented algorithms for constructing small generating sets for the multiplicative group $(\mathbb{F}_p[x]/F)^*$. As in Chung's situation, we also showed that the Cayley graphs built on $(\mathbb{F}_p[x]/F)^*$ with these small generating sets are good expanders.

In this paper we further generalize these results to algebras of the form $B := \mathbb{F}_q[x]/F$, where $q = p^n$ is a power of a prime $p$ and $F \in \mathbb{F}_q[x]$ is not necessarily irreducible. Interestingly, these algebras offer even more flexibility for constructing regular directed expander graphs: for many of the graphs we construct, the degree need not be a prime power, which makes their structure significantly different from those in Chung (1989).

We also consider the construction of a basis for $B^*$ and the decomposition of elements of $B^*$ with respect to that basis. In the special case where $F$ is irreducible, finding a basis for $B^* := (\mathbb{F}_q[x]/F)^*$ is the problem of finding a primitive element of the finite field $\mathbb{F}_q[x]/F$, for which no efficient algorithm is known in general. There are, however, algorithms for relaxations or special cases under certain assumptions. One relaxation is to find elements of sufficiently large order. When there is no restriction on the degree of $F$, few results are known (see, for example, Gao, 1999, and Voloch, 2007). If one can choose the degree of $F$, elements of large order can be found through Gauss periods (Gao and Vanstone, 1995; von zur Gathen and Shparlinski, 1998; Ahmadi et al., 2007). When both $p$ and $\deg F$ are special, more results are known (Shoup, 1992; Huang and Narayanan, 2013; Bhowmick and Lê, 2015). The decomposition problem in this special case is the discrete logarithm problem, which has been extensively studied. Recent breakthroughs, including Göloğlu et al. (2013) and Joux (2013), have led to an expected quasi-polynomial time algorithm (Barbulescu et al., 2014) for discrete logarithms in finite fields of small characteristic under certain heuristics.

In Section 4 we analyze the structure of $B^*$. We propose algorithms for finding a basis for $B^*$ and for decomposing elements with respect to this basis when $p$ is relatively large. Both algorithms require an existing primitive-element or discrete-logarithm algorithm as a subroutine. The results in this section are natural extensions of similar results in Huang and Liu (2016). One goal of these algorithms is to validate the generating sets proposed in Section 3: since they let us test whether a given set of elements generates $B^*$, we can see whether our theoretically proven generating sets are larger than necessary. Our experimental results in Section 5 suggest that a square-root number of elements from our generating sets might already suffice to generate the entire group; further investigation is required to determine whether this is indeed the case.

2. Preliminaries

2.1. Characters

A character of a group $G$ is a group homomorphism $\chi : G \to \mathbb{C}^*$. Sending every element to $1$ yields a character, called the trivial character; all other characters are nontrivial. We write $X(G)$ for the set of all characters of $G$ and $\tilde{X}(G)$ for the set of nontrivial characters. When $G$ is a finite abelian group, $|X(G)| = |G|$, and the following fundamental property holds (see Hoory et al., 2006, Proposition 8.5):

Proposition 1. Fix an order $g_1, \dots, g_{|G|}$ on the elements of $G$. Then the vectors $\{(\chi(g_1), \dots, \chi(g_{|G|})) : \chi \in X(G)\}$ form an orthogonal basis of $\mathbb{C}^{|G|}$.

In theory and in practice it is important to estimate the sum of a character over a subset of group elements; such sums are called character sums. Many previous works have shown a strong connection between character sums and the explicit construction of expander graphs (Katz, 1989; Chung, 1994; Mullen and Panario, 2013; Lu et al., 2014). Our algorithms rely on the following bound for character sums over finite commutative $\mathbb{F}_q$-algebras:

Proposition 2. Let $B$ be a finite $n$-dimensional commutative $\mathbb{F}_q$-algebra and $x \in B$. If $\chi$ is a character of the multiplicative group $B^*$ (extended by zero to all of $B$) which is nontrivial on $\mathbb{F}_q[x]$, then
$$\Bigl|\sum_{t \in \mathbb{F}_q} \chi(x + t)\Bigr| \le (n - 1)\sqrt{q}.$$

Proposition 2 was initially conjectured by Katz (1989). Subsequently, Lenstra observed in an unpublished note that it can be proved using the Riemann hypothesis for L-functions over finite fields (which is a theorem). An exposition of Lenstra's proof can be found in Wan (1997).

2.2. Expanders and Cayley graphs

Informally, expander graphs (expanders) are well-connected graphs in which every small subset of vertices has a relatively large neighborhood. The expansion of a $k$-regular graph (or $k$-regular directed graph) $\Gamma$ can be measured by its spectral gap $k - \lambda$, where $\lambda$ is the second largest eigenvalue (in absolute value) of the adjacency matrix of $\Gamma$ (Hoory et al., 2006). We say $\Gamma$ is an $(n, k, \gamma)$-expander if it is a $k$-regular graph (or $k$-regular directed graph) with $n$ vertices and spectral gap at least $\gamma$; when $n$, $k$, $\gamma$ are clear from the context we simply call $\Gamma$ an expander.

Cayley graphs are a general tool for explicit expander construction: Margulis graphs (Alon et al., 1987), coset graphs (Chung, 1989) and Ramanujan graphs (Lubotzky et al., 1988) are all based on Cayley graphs. Let $G$ be a finite abelian group and $S \subseteq G$ a subset. The Cayley graph induced by $G$ and $S$, denoted $\Gamma(G, S)$, is the directed graph where

• for every $g \in G$ there is a vertex labeled $g$;
• for all $g, h \in G$ there is a directed edge $g \to h$ if and only if $sg = h$ for some $s \in S$.

For simplicity we call $\Gamma(G, S)$ a Cayley graph over $G$. By construction, Cayley graphs are $|S|$-regular directed graphs: every vertex has in-degree and out-degree $|S|$. Moreover, $S$ generates $G$ if and only if $\Gamma(G, S)$ is strongly connected, that is, has finite diameter. Chung (1989) related the diameter of a directed graph to the eigenvalues of its adjacency matrix:

Proposition 3. If a directed regular graph $\Gamma$ with $N$ vertices has out-degree $k$ and the eigenvectors of its adjacency matrix $M$ form an orthogonal basis, then
$$\operatorname{diam}(\Gamma) \le \left\lceil \frac{\log(N - 1)}{\log(k/\lambda)} \right\rceil,$$
where $\lambda$ is the second largest eigenvalue (in absolute value) of $M$.

Shparlinski (2015) showed that in the special case where $\Gamma$ is a Cayley graph over $\mathbb{F}_q^*$ induced by certain types of generating sets, this diameter bound can be improved. The following proposition states that the eigenvalues of a Cayley graph can be expressed as character sums (see Chung, 1989; Hoory et al., 2006).

Proposition 4. Let $M$ be the adjacency matrix of $\Gamma(G, S)$, with rows and columns both indexed by $g_1, \dots, g_{|G|}$. Then the eigenvectors of $M$ are $\{(\chi(g_1), \dots, \chi(g_{|G|})) : \chi \in X(G)\}$, with corresponding eigenvalues $\{\sum_{s \in S} \chi(s) : \chi \in X(G)\}$.




Combining Propositions 1, 3 and 4, we see that $S$ generates $G$ if $|\sum_{s \in S}\chi(s)| < |S|$ for all nontrivial characters $\chi \in \tilde{X}(G)$. In expander graph construction we want the resulting graph $\Gamma(G, S)$ to be sparse, so a small cardinality of $S$ is desired. On the other hand, the spectral gap $\gamma = |S| - \lambda = |S| - \max_{\chi \in \tilde{X}(G)}|\sum_{s \in S}\chi(s)|$ should be large in order to guarantee good expansion. In this paper our goal is to find a small generating set $S$ for $B^*$ such that the resulting Cayley graph $\Gamma(B^*, S)$ has a nonzero spectral gap.

3. Generating sets and expanders

Given the factorization $F = \prod_{i=1}^{m} f_i^{e_i}$ into distinct irreducible polynomials $f_i$, the Chinese Remainder Theorem gives the isomorphism
$$\psi : \prod_{i=1}^{m}(\mathbb{F}_q[x]/f_i^{e_i})^* \xrightarrow{\ \sim\ } (\mathbb{F}_q[x]/F)^*, \qquad (1)$$
and $\psi$ can be computed using standard Chinese Remainder Theorem algorithms. We may first consider the simplified problem of finding a small generating set for each component on the left-hand side before handling the general case. Let $A_i := \mathbb{F}_q[x]/f_i^{e_i}$ and, for $s \in A_i^*$, let $v^m_{i,s} \in \prod_{i=1}^{m} A_i^*$ be the $m$-tuple with $s$ in the $i$-th entry and the identity of $A_j^*$ (the element $1$) in every other entry $j \ne i$:
$$v^m_{i,s} := (1, \dots, 1, s, 1, \dots, 1).$$
Suppose a generating set $S_i$ of $A_i^*$ is given for each $1 \le i \le m$. Then clearly $\{\psi(v^m_{i,s}) : 1 \le i \le m,\ s \in S_i\}$ is a generating set for $B^*$. Therefore, in Sections 3.1, 3.2 and 3.3 we focus on finding a small generating set for the multiplicative group of an algebra $A := \mathbb{F}_q[x]/f^e$, where $f \in \mathbb{F}_q[x]$ is an irreducible polynomial of degree $d \ge 1$ and $e \ge 1$ is an integer. We use $A$ as an abbreviation for $\mathbb{F}_q[x]/f^e$ throughout this paper.

3.1. Regarding $A$ as an $\mathbb{F}_q$-algebra

$A$ is naturally an $\mathbb{F}_q$-algebra. From this observation we obtain a first type of small generating set for $A^*$, analogous to Chung's:



Theorem 5. If $\sqrt{q} > de - 1$, then $S := (x + \mathbb{F}_q) \cap A^*$ is a generating set for $A^*$. Furthermore, every element of $A^*$ can be written as $\prod_{i=1}^{t}(x + a_i)$ with $a_i \in \mathbb{F}_q$ and
$$t < 2de + 1 + \frac{4de\,\log(de - 1)}{\log q - 2\log(de - 1)}.$$

Proof. $A = \mathbb{F}_q[x]/f^e$ is an $\mathbb{F}_q$-algebra of dimension $de$, generated by $x$. Hence Proposition 2 applies to every nontrivial character $\chi$ of $A^*$ (extended by zero to all of $A$), and we have
$$\Bigl|\sum_{t \in \mathbb{F}_q}\chi(x + t)\Bigr| \le (de - 1)\sqrt{q}. \qquad (2)$$
Since $\chi$ vanishes on non-units, the left-hand side equals $|\sum_{s \in S}\chi(s)|$. The rest of the proof follows from Propositions 3 and 4, applied with $N = |A^*| < q^{de}$, out-degree $|S|$ and $\lambda \le (de - 1)\sqrt{q}$. □

Theorem 6. If $\sqrt{q} > de - 1$, then $\Gamma(A^*, S)$ with $S = (x + \mathbb{F}_q) \cap A^*$ is an expander with spectral gap at least $|S| - (de - 1)\sqrt{q}$. Here $|S| = q$ if $d \ge 2$ (every $x + t$ is then a unit), and $|S| = q - 1$ if $d = 1$, since then exactly one $x + t$ is divisible by $f$.

Proof. The spectral gap satisfies
$$\gamma = |S| - \max_{\chi \in \tilde{X}(A^*)}\Bigl|\sum_{t \in \mathbb{F}_q}\chi(x + t)\Bigr| \ge |S| - (de - 1)\sqrt{q}, \qquad (3)$$
where the sum over $S$ equals the sum over all $t \in \mathbb{F}_q$ because $\chi$ vanishes on non-units, and the inequality follows from Equation (2). □

3.2. Extending the base field of $A$

Theorem 5 requires $\sqrt{q} > de - 1$, which may not always be satisfied. When $q$ is small we can still construct small generating sets; the first step is to extend the ground field of $A$. Let $L := \mathbb{F}_q[x]/f$ be the field of order $q^d$, where $d := \deg f$. In the following we show that $A$ can also be regarded as an $L$-algebra.

Lemma 7. Let $a \in A$ be written as $a = \sum_{i=0}^{e-1} a_i f^i$ with each $a_i \in \mathbb{F}_q[x]$ of degree less than $d$. Then $a \in A^*$ if and only if $a_0 \not\equiv 0 \pmod f$.

Proof. For necessity, since $a \in A^*$ there is an inverse $b = \sum_{i=0}^{e-1} b_i f^i$ with $ab = 1$, that is,
$$\Bigl(\sum_{i=0}^{e-1} a_i f^i\Bigr)\Bigl(\sum_{i=0}^{e-1} b_i f^i\Bigr) = a_0 b_0 + (a_0 b_1 + a_1 b_0) f + \dots \equiv 1 \pmod{f^e}, \qquad (4)$$
so $a_0 b_0 \equiv 1 \pmod f$, which forces $a_0 \not\equiv 0 \pmod f$.

For sufficiency, suppose $a_0 \not\equiv 0 \pmod f$; it suffices to show that $b = a^{-1}$ exists. Write $b = \sum_{i=0}^{e-1} b_i f^i$ with $\deg b_i < d$ for all $i$. Then
$$\Bigl(\sum_{i=0}^{e-1} a_i f^i\Bigr)\Bigl(\sum_{i=0}^{e-1} b_i f^i\Bigr) = a_0 b_0 + (a_0 b_1 + a_1 b_0) f + \dots = c_0 + c_1 f + \dots. \qquad (5)$$
Since $a_0 \not\equiv 0 \pmod f$, there is $b_0$ with $a_0 b_0 \equiv 1 \pmod f$, and $b_0 \not\equiv 0 \pmod f$. Given $b_0$, $b_1$ is uniquely determined by the linear equation $a_0 b_1 + a_1 b_0 \equiv 0 \pmod f$ over $L$. In general, each $b_i$ ($1 \le i \le e - 1$) is uniquely determined by the linear equation $c_i \equiv 0 \pmod f$ once $b_0, \dots, b_{i-1}$ have been determined in the previous steps. Therefore there is a unique $b$ with $ab = 1$, and thus $a \in A^*$. □

Lemma 8. For each $a_0 \in L^*$ there exists a unique $a \in A^*$ which can be written as $a = \sum_{i=0}^{e-1} a_i f^i$, with the given $a_0$ as first coefficient and each $a_i \in \mathbb{F}_q[x]$ of degree less than $d$, such that $a^{q^d - 1} \equiv 1 \pmod{f^e}$.

Proof. Since $a_0 \in L^*$, $a \in A^*$ by Lemma 7. Write $a = \sum_{i=0}^{e-1} a_i f^i$ with each $a_i$ of degree less than $d$. We want $a^{q^d - 1} \equiv 1 \pmod{f^e}$, so we need
$$a^{q^d - 1} = \Bigl(\sum_{i=0}^{e-1} a_i f^i\Bigr)^{q^d - 1} = a_0^{q^d - 1} + (q^d - 1)\,a_0^{q^d - 2}\,a_1 f + \dots \equiv 1 \pmod{f^e}. \qquad (6)$$
From Equation (6) we get
$$a_0^{q^d - 1} + (q^d - 1)\,a_0^{q^d - 2}\,a_1 f \equiv 1 \pmod{f^2}. \qquad (7)$$
Because $a_0^{q^d - 1} \equiv 1 \pmod f$, there is some $A_0 \in \mathbb{F}_q[x]$ with $\deg A_0 < d$ such that
$$a_0^{q^d - 1} \equiv 1 + A_0 f \pmod{f^2}. \qquad (8)$$
Combining Equations (7) and (8), we see that $a_1$ is uniquely determined by the linear equation
$$A_0 + (q^d - 1)\,a_0^{q^d - 2}\,a_1 \equiv 0 \pmod f \qquad (9)$$
over $L$; note that the coefficient $(q^d - 1)\,a_0^{q^d - 2} \equiv -a_0^{-1} \pmod f$ is nonzero, since $q^d - 1 \equiv -1 \pmod p$.

Inductively, assume $a_0, a_1, \dots, a_{k-1}$ are uniquely determined. To guarantee $a^{q^d - 1} \equiv 1 \pmod{f^e}$ we need
$$\begin{aligned}
\Bigl(\sum_{i=0}^{e-1} a_i f^i\Bigr)^{q^d - 1}
&= \Bigl(\sum_{i=0}^{k-1} a_i f^i + a_k f^k + \sum_{i=k+1}^{e-1} a_i f^i\Bigr)^{q^d - 1} \\
&\equiv \Bigl(\sum_{i=0}^{k-1} a_i f^i + a_k f^k\Bigr)^{q^d - 1} \pmod{f^{k+1}} \\
&\equiv \Bigl(\sum_{i=0}^{k-1} a_i f^i\Bigr)^{q^d - 1} + (q^d - 1)\Bigl(\sum_{i=0}^{k-1} a_i f^i\Bigr)^{q^d - 2} a_k f^k \pmod{f^{k+1}} \\
&\equiv 1 \pmod{f^{k+1}}. \qquad (10)
\end{aligned}$$
By induction, the first term can be written as
$$\Bigl(\sum_{i=0}^{k-1} a_i f^i\Bigr)^{q^d - 1} \equiv 1 + A_{k-1} f^k \pmod{f^{k+1}} \qquad (11)$$
for some $A_{k-1} \in \mathbb{F}_q[x]$ with $\deg A_{k-1} < d$. Then $a_k$ is uniquely determined by the linear equation
$$A_{k-1} + (q^d - 1)\Bigl(\sum_{i=0}^{k-1} a_i f^i\Bigr)^{q^d - 2} a_k \equiv 0 \pmod f \qquad (12)$$
over $L$, and that completes the proof. □

Lemma 8 yields a well-defined function $\pi : L^* \to A^*$, which we extend to all of $L$ by setting $\pi(0) = 0$. We now show that $\pi$ is an embedding of $L$ into $A$.

Lemma 9. Let $\pi : L \to A$ be the function defined, for all $a_0 \in L$, by
$$\pi(a_0) = \begin{cases} 0, & \text{if } a_0 = 0, \\ a = \sum_{i=0}^{e-1} a_i f^i \in A \text{ with } a^{q^d - 1} = 1, & \text{otherwise}. \end{cases}$$
Then $\pi(L) \cong L$ as fields.


Proof. First of all, $\pi(0) = 0$ and $\pi(1) = 1$. Given $a_0, b_0 \in L$, write $\pi(a_0) = \sum_{i=0}^{e-1} a_i f^i$ and $\pi(b_0) = \sum_{i=0}^{e-1} b_i f^i$ with $\deg a_i, \deg b_i < d$ for all $i$.

We start by showing $\pi(a_0 b_0) = \pi(a_0)\pi(b_0)$. When $a_0 = 0$ or $b_0 = 0$ this is obvious. Otherwise, the first coefficient of both sides is $a_0 b_0$, and
$$(\pi(a_0)\pi(b_0))^{q^d - 1} = \pi(a_0)^{q^d - 1}\,\pi(b_0)^{q^d - 1} = 1. \qquad (13)$$
By the uniqueness in Lemma 8, $\pi(a_0 b_0) = \pi(a_0)\pi(b_0)$.

Next we verify $\pi(a_0^{-1}) = \pi(a_0)^{-1}$ for all $a_0 \ne 0$. Since $a_0^{q^d - 1} = 1$, $a_0^{-1} = a_0^{q^d - 2}$. Therefore
$$\pi(a_0^{-1}) = \pi(a_0^{q^d - 2}) = \pi(a_0)^{q^d - 2}, \qquad (14)$$
and since $\pi(a_0)^{q^d - 1} = 1$, $\pi(a_0)^{q^d - 2} = \pi(a_0)^{-1}$.

It remains to show $\pi(a_0 + b_0) = \pi(a_0) + \pi(b_0)$. If $a_0 = 0$ or $b_0 = 0$ this is obvious. Otherwise, since the first coefficient of both sides is $a_0 + b_0$, by Lemma 8 it suffices to show $(\pi(a_0) + \pi(b_0))^{q^d - 1} = 1$ unless $\pi(a_0) + \pi(b_0) = 0$. Let $T := \{a \in A : a^{q^d - 1} = 1\}$ and $T' := \{a \in A : a^{q^d} = a\} = T \cup \{0\}$. Since $A$ has characteristic $p$,
$$(\pi(a_0) + \pi(b_0))^{q^d} = \pi(a_0)^{q^d} + \pi(b_0)^{q^d} = \pi(a_0) + \pi(b_0). \qquad (15)$$
That is, $\pi(a_0) + \pi(b_0) \in T'$, hence either $\pi(a_0) + \pi(b_0) \in T$ or $\pi(a_0) + \pi(b_0) = 0$. In the first case we are done; in the latter case $a_0 = -b_0$, so $\pi(a_0 + b_0) = \pi(0) = 0 = \pi(a_0) + \pi(b_0)$. □

The proofs of Lemmas 7, 8 and 9 describe an algorithm for computing the embedding of $L$ into $A$; the pseudo-code is shown in Algorithm 1. Taking $q$, $f$, $e$ and a polynomial $a_0 \in \mathbb{F}_q[x]$ of degree less than $d$ as input, the algorithm computes the polynomial $a \in \mathbb{F}_q[x]$ that represents $\pi(a_0)$ in $\mathbb{F}_q[x]/f^e$. In Line 8 the inverse is taken in the field $L$, and the division in Line 7 is exact because $a^{s-1} \equiv 1 \pmod{f^k}$ holds at the start of iteration $k$.

Algorithm 1 Embed($a_0$, $q$, $f$, $e$).
1: if $a_0 = 0$ then
2:   return $0$
3: else
4:   $d := \deg f$, $s := q^d$
5:   $a := a_0$
6:   for $k = 1, \dots, e - 1$ do
7:     $A_{k-1} := ((a^{s-1} \bmod f^{k+1}) - 1)/f^k$
8:     $a_k := ((s - 1)(a^{s-2} \bmod f))^{-1}(-A_{k-1}) \bmod f$
9:     $a := a + a_k f^k$
10:   end for
11:   return $a$
12: end if

Lemma 10. $A$ is an $L$-algebra of dimension $e$.

Proof. $A$ is an $L$-algebra through the embedding $\pi$: the action of $b \in L$ on $a \in A$ is $b \cdot a := \pi(b)\,a$, where the product on the right-hand side is the one in $A$. Since $\pi(L) \cong L$ has $q^d$ elements and $|A| = q^{de}$, the dimension is $e$. □

Theorem 11. If $q^{d/2} > e - 1$, then $(x + \pi(L)) \cap A^*$ is a generating set for $A^*$. Furthermore, every element of $A^*$ can be written as $\prod_{i=1}^{t}(x + \pi(a_i))$ with $a_i \in L$ and
$$t < 2e + 1 + \frac{4e\,\log(e - 1)}{d\log q - 2\log(e - 1)}.$$

Proof. By Lemma 10, $A$ can be regarded as an $L$-algebra of dimension $e$, generated by $x$. By Proposition 2, for every nontrivial character $\chi$ of $A^*$ (extended by zero to all of $A$),
$$\Bigl|\sum_{t \in L}\chi(x + \pi(t))\Bigr| \le (e - 1)\sqrt{|L|} = (e - 1)\,q^{d/2}. \qquad (16)$$
The rest of the proof follows from Propositions 3 and 4. □

Theorem 12. If $q^{d/2} > e - 1$, then $\Gamma(A^*, S)$ with $S = (x + \pi(L)) \cap A^*$ is an expander with spectral gap at least $|S| - (e - 1)\,q^{d/2}$. Here $|S| = q^d - 1$: writing $\bar{x}$ for the class of $x$ in $L$, the element $x + \pi(-\bar{x})$ reduces to $0$ modulo $f$ and is therefore a non-unit by Lemma 7, and it is the only element of $x + \pi(L)$ that is.

Proof. The spectral gap satisfies
$$\gamma = |S| - \max_{\chi \in \tilde{X}(A^*)}\Bigl|\sum_{t \in L}\chi(x + \pi(t))\Bigr| \ge |S| - (e - 1)\,q^{d/2}, \qquad (17)$$
where the sum over $S$ equals the sum over all of $L$ because $\chi$ vanishes on the non-unit, and the inequality follows from Equation (16). □
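As an added worked example, not code from the article, the following Python program implements Algorithm 1 (Embed) for the prime-field case $q = p$, with polynomials stored as coefficient lists, and checks on every element of $L$ the properties proved in Lemmas 8 and 9. The parameters $p = 3$, $f = x^2 + 1$ and $e = 3$ are our own choice ($L = \mathbb{F}_9$, $\dim_{\mathbb{F}_3} A = 6$). Two things in it are ours rather than the article's: the cross-check of $\pi(a_0)$ against the single Frobenius power $a_0^{p^d} \bmod f^e$, which agrees with $\pi(a_0)$ whenever $p^d \ge e$ because $(\pi(a_0) + cf)^{p^d} = \pi(a_0) + c^{p^d} f^{p^d}$ in characteristic $p$, and the last function, which verifies Theorem 11 for these parameters by walking the Cayley graph $\Gamma(A^*, S)$ from the identity (the generation criterion of Section 2.2).

```python
# Added example, not code from the article: Algorithm 1 (Embed) for q = p prime, with checks of
# Lemmas 8/9 and Theorem 11 for assumed parameters. Polynomials are F_p coefficient lists, low first.
from functools import reduce
P = 3            # assumed p (q = p, so n = 1)
F = [1, 0, 1]    # assumed f = x^2 + 1, irreducible over F_3: d = 2, L = F_9
E = 3            # assumed e; A = F_3[x]/(x^2 + 1)^3 has dimension de = 6

def trim(a):
    """Drop leading zeros so lists are canonical; the zero polynomial is []."""
    a = list(a)
    while a and a[-1] % P == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P for i in range(n)])

def mul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

def divmod_poly(a, m):
    """Schoolbook division by a non-zero polynomial m over F_p."""
    a, m = trim(a), trim(m)
    inv_lead = pow(m[-1], P - 2, P)
    q = [0] * max(len(a) - len(m) + 1, 0)
    while len(a) >= len(m):
        shift, c = len(a) - len(m), (a[-1] * inv_lead) % P
        q[shift] = c
        a = add(a, [0] * shift + [(-c * x) % P for x in m])      # a -= c x^shift m
    return trim(q), a

def mod(a, m):
    return divmod_poly(a, m)[1]

def powmod(a, n, m):
    r, base = [1], mod(a, m)
    while n:
        if n & 1:
            r = mod(mul(r, base), m)
        base, n = mod(mul(base, base), m), n >> 1
    return r

def ppow(a, n):
    return reduce(mul, [a] * n, [1])                 # unreduced power, used for f^k

def embed(a0, p=P, f=F, e=E):
    """Algorithm 1: the unique a in A with a = a0 (mod f) and a^(p^d - 1) = 1 (mod f^e)."""
    a0 = mod(a0, f)
    if not a0:                                       # Lines 1-2: pi(0) = 0
        return []
    s, a = p ** (len(f) - 1), a0                     # Lines 4-5: s = |L|
    for k in range(1, e):                            # Line 6
        fk, fk1 = ppow(f, k), ppow(f, k + 1)
        # Line 7: a^(s-1) = 1 (mod f^k) holds by induction, so this division is exact.
        A_prev, rem = divmod_poly(add(powmod(a, s - 1, fk1), [p - 1]), fk)
        assert not rem
        # Line 8: a_k = -A_{k-1} / ((s-1) a^(s-2)), computed in L where u^(-1) = u^(s-2).
        denom = mod(mul([(s - 1) % p], powmod(a, s - 2, f)), f)
        a_k = mod(mul(powmod(denom, s - 2, f), [(-c) % p for c in A_prev]), f)
        a = add(a, mul(a_k, fk))                     # Line 9
    return a

def field_elements():
    return [trim([c0, c1]) for c0 in range(P) for c1 in range(P)]   # the 9 elements of L

def lemmas_8_and_9_ok():
    """Lemma 8 (a = a0 mod f, a^(q^d-1) = 1 mod f^e), Lemma 9 (pi is a ring map), and our own
    cross-check: one Frobenius power a0^(q^d) mod f^e equals pi(a0) whenever q^d >= e."""
    fe, s, els = ppow(F, E), P ** (len(F) - 1), field_elements()
    for a0 in els:
        a = embed(a0)
        if mod(a, F) != a0 or a != powmod(a0, s, fe) or (a0 and powmod(a, s - 1, fe) != [1]):
            return False
        for b0 in els:
            if embed(mul(a0, b0)) != mod(mul(a, embed(b0)), fe) or \
                    embed(add(a0, b0)) != mod(add(a, embed(b0)), fe):
                return False
    return True

def theorem11_check():
    """Theorem 11 with q^(d/2) = 3 > e - 1 = 2: S = (x + pi(L)) meets A* and generates A*, checked
    as strong connectivity of the Cayley graph walked from 1. Returns (|S|, |A*|, units reached)."""
    fe, d = ppow(F, E), len(F) - 1
    n_units = (P ** d - 1) * P ** (d * (E - 1))                  # |A*| = (q^d - 1) q^(d(e-1))
    S = [s for s in (add([0, 1], embed(t)) for t in field_elements()) if mod(s, F)]  # Lemma 7
    seen, frontier = {(1,)}, [[1]]
    while frontier:
        nxt = []
        for g in frontier:
            for s in S:
                h = mod(mul(g, s), fe)
                if tuple(h) not in seen:
                    seen.add(tuple(h))
                    nxt.append(h)
        frontier = nxt
    return len(S), n_units, len(seen)
```

For these parameters the walk reaches all $648 = (9 - 1)\cdot 9^2$ units from $|S| = 8$ generators; the ninth element of $x + \pi(L)$, namely $x + \pi(-\bar{x})$, reduces to $0$ modulo $f$ and is dropped, as Theorem 12 predicts. With $c = d$ this is exactly what Algorithm 2 computes for this $A$.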

3.3. Constructing small generating sets

Theorem 11 relaxes the restriction on $q$, but the generating set has size about $q^d$, which may be more than necessary: a small fraction of it might already generate the group. Besides, for expander construction the resulting graphs might be dense. In this section we go one step further and find generating sets of smaller size. Let $K \subset L$ be a subfield of size $q^c$, where $c \mid d$. We have

Theorem 13. If $K$ is a subfield of $L$ of size $q^c$ and $q^{c/2} > (de/c) - 1$, then $(x + \pi(K)) \cap A^*$ is a generating set for $A^*$. Furthermore, every element of $A^*$ can be written as $\prod_{i=1}^{t}(x + \pi(a_i))$ with $a_i \in K$ and
$$t < \frac{2de}{c} + 1 + \frac{4\frac{de}{c}\log\bigl(\frac{de}{c} - 1\bigr)}{c\log q - 2\log\bigl(\frac{de}{c} - 1\bigr)}.$$

Proof. By Lemma 10, $A$ can be regarded as a $K$-algebra of dimension $de/c$, generated by $x$. By Proposition 2, for every nontrivial character $\chi$ of $A^*$ (extended by zero to all of $A$),
$$\Bigl|\sum_{t \in K}\chi(x + \pi(t))\Bigr| \le \Bigl(\frac{de}{c} - 1\Bigr) q^{c/2}. \qquad (18)$$
The rest of the proof follows from Propositions 3 and 4. □

Theorem 14. Let $K \subset L$ be a subfield of size $q^c$, where $c \mid d$. If $q^{c/2} > (de/c) - 1$, then $\Gamma(A^*, S)$ with $S = (x + \pi(K)) \cap A^*$ is an expander with spectral gap at least $|S| - (de/c - 1)\,q^{c/2}$. Here $|S| = q^c$ if $K \ne L$ (every $x + \pi(t)$ with $t \in K$ is then a unit, because the class $\bar{x}$ of $x$ generates $L$ over $\mathbb{F}_q$ and so lies in no proper subfield), and $|S| = q^c - 1$ if $K = L$.

Proof. The spectral gap satisfies
$$\gamma = |S| - \max_{\chi \in \tilde{X}(A^*)}\Bigl|\sum_{t \in K}\chi(x + \pi(t))\Bigr| \ge |S| - \Bigl(\frac{de}{c} - 1\Bigr) q^{c/2}, \qquad (19)$$
where the inequality follows from Equation (18). □

Based on the above discussion, Algorithm 2 gives the pseudo-code of our algorithm for finding a small generating set for $A^*$. It takes $q$, $f$ and $e$ as input and outputs a small subset $S \subset A$ such that $\Gamma(A^*, S)$ is provably an expander. Line 3 finds a subfield of $L$ of size $q^c$ together with an embedding into $\mathbb{F}_q[x]/f$; this is available in algebraic programming systems such as Sage (2016), so we omit the details.

Algorithm 2 Genset($q$, $f$, $e$).
1: Let $d := \deg f$; factorize $d$ (if not provided)
2: Find $c$ such that $c \mid d$ and $q^{c/2} > (de/c) - 1$
3: Let $\phi : \mathbb{F}_{q^c} \to \mathbb{F}_q[x]/f$ be a finite field homomorphism
4: return $(x + \mathrm{Embed}(\phi(\mathbb{F}_{q^c}))) \cap A^*$

A downside of this construction is that when $d$ has few divisors, for example when $d$ is prime, $c = 1$ and $c = d$ are the only two options. At the other extreme, when $d$ has many divisors we may be able to construct better generating sets. In practice one may want to choose a perfect power for $d$, say $d = b^w$ for some small $b$. In this scenario we have

Corollary 15. Fix $q$, $e$ and $b$, and let $d = b^w$ be a perfect power. Then Algorithm 2 returns a generating set of $A^*$ of size $q^{O(\log d)}$.

Proof. Since $e$ is fixed, any $c \ge \max(e,\ 2\log_q d + 2)$ satisfies the condition $q^{c/2} > (de/c) - 1$ of Theorem 13, because then $q^{c/2} \ge dq > d - 1 \ge de/c - 1$. Let $w_0 \in \mathbb{R}$ be such that $b^{w_0} = \max(e,\ 2\log_q d + 2)$ and take $c = b^{\lceil w_0 \rceil}$ (or $c = d$ if $\lceil w_0 \rceil > w$, in which case $d$ is bounded by a constant). Then $c \le b^{w_0 + 1} = b\max(e,\ 2\log_q d + 2) = O(\log d)$, and the generating set has size at most $q^c = q^{O(\log d)}$. □

3.4. Extending to the general case

In Sections 3.1, 3.2 and 3.3 we considered algebras of the form $A := \mathbb{F}_q[x]/f^e$. In this section we extend these results to the general case $B := \mathbb{F}_q[x]/F$, where $F \in \mathbb{F}_q[x]$ is an arbitrary monic polynomial. At the beginning of Section 3 we saw the overall idea: with Algorithm 2 we generate a small generating set for each component; the union of these sets is then "pulled back" to $B^*$ via the Chinese Remainder Theorem isomorphism $\psi$ to get our final generating set for $B^*$. It is straightforward to show that the resulting set generates $B^*$. In the rest of this paper we assume $F = \prod_{i=1}^{m} f_i^{e_i}$, where the $f_i \in \mathbb{F}_q[x]$ are distinct irreducible polynomials of degree $d_i$, and we abbreviate $A_i := \mathbb{F}_q[x]/f_i^{e_i}$.

Theorem 16. Let $K_i$ be a subfield of $\mathbb{F}_q[x]/f_i$ of size $q^{c_i}$, and $\pi_i$ the embedding of $K_i$ into $A_i$. If $q^{c_i/2} > (d_i e_i/c_i) - 1$ for all $1 \le i \le m$, then $\{\psi(v^m_{i,s}) : s \in (x + \pi_i(K_i)) \cap A_i^*,\ 1 \le i \le m\}$ is a generating set for $B^*$.

Proof. By Theorem 13, each $(x + \pi_i(K_i)) \cap A_i^*$ generates the component $A_i^*$, so the elements $v^m_{i,s}$ together generate $\prod_{i=1}^{m} A_i^*$. Since $\psi$ is an isomorphism, the claim follows. □

The pseudo-code is shown in Algorithm 3. Taking $q$ and $F$ as input, Algorithm 3 finds a small generating set of the form described in Theorem 16 for $B^*$.

Algorithm 3 FinalGenset($q$, $F$).
1: Factorize $F = \prod_{i=1}^{m} f_i^{e_i}$ (if not provided), where each $f_i$ is irreducible of degree $d_i$
2: Let $\psi : \prod_{i=1}^{m}(\mathbb{F}_q[x]/f_i^{e_i})^* \xrightarrow{\ \sim\ } (\mathbb{F}_q[x]/F)^*$ be the C.R.T. isomorphism
3: $S := \emptyset$
4: for $i = 1, \dots, m$ do
5:   $S_i := \mathrm{Genset}(q, f_i, e_i)$
6:   for each $s \in S_i$ do
7:     $S := S \cup \{\psi(v^m_{i,s})\}$
8:   end for
9: end for
10: return $S$


Corollary 17. Fix $q$, and for each $1 \le i \le m$ fix $e_i$ and $b_i$ and let $d_i = b_i^{w_i}$ be a perfect power. Then Algorithm 3 returns a generating set of $B^*$ of size $\sum_{i=1}^{m} q^{O(\log d_i)}$.

Proof. Apply Corollary 15 to each component $A_i^*$. □

It remains to show that the graphs $\Gamma(B^*, S)$, with $S$ found by Algorithm 3, are expanders.

Theorem 18. Let $K_i$ be a subfield of $\mathbb{F}_q[x]/f_i$ of size $q^{c_i}$, $\pi_i$ the embedding of $K_i$ into $A_i$, $S_i := (x + \pi_i(K_i)) \cap A_i^*$ and $S := \{\psi(v^m_{i,s}) : s \in S_i,\ 1 \le i \le m\}$. Put $g_i := |S_i| - (d_i e_i/c_i - 1)\,q^{c_i/2}$, where $|S_i| \in \{q^{c_i}, q^{c_i} - 1\}$ as in Theorem 14. If $q^{c_i/2} > (d_i e_i/c_i) - 1$ and $g_i \ge 0$ for all $1 \le i \le m$ (the latter is automatic when $|S_i| = q^{c_i}$), then $\Gamma(B^*, S)$ is an expander with spectral gap at least $\min_{1 \le i \le m} g_i$.

Proof. Since $B^* \cong \prod_{i=1}^{m} A_i^*$, every $\chi \in \tilde{X}(B^*)$ factors as
$$\chi(b) = \prod_{i=1}^{m}\chi_i(b_i) \quad \text{for all } b \cong (b_1, \dots, b_m) \in B^*, \qquad (20)$$
with characters $\chi_i \in X(A_i^*)$ that are not all trivial. For $b = \psi(v^m_{i,s})$ every coordinate except the $i$-th equals $1$, so
$$\chi(\psi(v^m_{i,s})) = \chi_i(s)\prod_{j \ne i}\chi_j(1) = \chi_i(s). \qquad (21)$$
Let $I := \{i : \chi_i \text{ is nontrivial}\} \ne \emptyset$. For $i \notin I$ we have $\sum_{s \in S_i}\chi_i(s) = |S_i|$, and for $i \in I$ Proposition 2 gives $|\sum_{s \in S_i}\chi_i(s)| \le (d_i e_i/c_i - 1)\,q^{c_i/2}$ as in Equation (18). Combining this with Equation (21),
$$\Bigl|\sum_{s \in S}\chi(s)\Bigr| = \Bigl|\sum_{i=1}^{m}\sum_{s \in S_i}\chi_i(s)\Bigr| \le \sum_{i \notin I}|S_i| + \sum_{i \in I}\Bigl(\frac{d_i e_i}{c_i} - 1\Bigr) q^{c_i/2} = |S| - \sum_{i \in I} g_i. \qquad (22)$$
Hence the spectral gap $\gamma$ of the Cayley graph satisfies
$$\gamma = |S| - \max_{\chi \in \tilde{X}(B^*)}\Bigl|\sum_{s \in S}\chi(s)\Bigr| \ge \min_{\emptyset \ne I \subseteq \{1, \dots, m\}}\ \sum_{i \in I} g_i = \min_{1 \le i \le m} g_i, \qquad (23)$$
where the last equality uses $g_i \ge 0$. The characters that are nontrivial on a single component show that the bound has to be of the form $\min_i g_i$ rather than $\sum_i g_i$: the gap of the product graph is governed by its weakest component. □

3.5. Constructing expander graphs of special degrees

Theorem 18 implies that our method can be used as a general technique for constructing regular directed expander graphs of special degrees, where by "special" we mean degrees that are not prime powers. To see why, note that by Theorem 16 the degree of the graph equals $|S| = \sum_{i=1}^{m}|(x + \pi_i(K_i)) \cap A_i^*|$. Each $|K_i| = q^{c_i}$ is a prime power, but not all elements of $x + \pi_i(K_i)$ need be units: by Lemma 7, $x + \pi_i(t)$ is a non-unit exactly when $t$ is the negative of the class of $x$ in $\mathbb{F}_q[x]/f_i$, which happens for exactly one $t \in K_i$ when $K_i = \mathbb{F}_q[x]/f_i$ (in particular when $d_i = 1$) and for no $t$ otherwise. Hence $|(x + \pi_i(K_i)) \cap A_i^*| \in \{q^{c_i}, q^{c_i} - 1\}$, and by varying $m$ and the $c_i$ we can build regular directed expanders whose degree $\sum_i |S_i| \le \sum_i q^{c_i}$ need not be a prime power.

Example 19. Suppose we want to construct an expander of degree $6$. We can choose $n = 1$, $m = 1$, $p = 7$ and $c = 1$, so that $q^c = 7 \ge 6$. Theorem 18 requires $de < \sqrt{7} + 1$, so the pairs $(e, d)$ satisfying this constraint are $(1, 1)$, $(1, 2)$, $(1, 3)$, $(2, 1)$ and $(3, 1)$. The first three have $e = 1$: for $d = 2, 3$ every $x + t$ is a unit and the degree is $7$, while $d = e = 1$ gives only the $6$-vertex group $\mathbb{F}_7^*$ itself. So we only need to try the last two pairs. Since $d = 1$ in both cases, we can take $f = x - 1$. In both cases, Algorithm 3 returns the generating set $S = \{\bar{x}, \bar{x} + 1, \bar{x} + 2, \bar{x} + 3, \bar{x} + 4, \bar{x} + 5\}$ for $(\mathbb{F}_q[x]/f^e)^*$; the element $\bar{x} + 6 = \bar{x} - 1$ is $f$ itself, hence not a unit, and is eliminated from $S$. A simple count ($|A^*| = (q^d - 1)q^{d(e-1)}$, see Lemma 20) shows that the graph has $42$ vertices for $e = 2$ and $294$ vertices for $e = 3$. Our experiments show that the spectral gaps of these two graphs are $3.354$ and $1.187$, respectively; for $e = 2$ this is $6 - \sqrt{7}$ to three decimals, so the bound $|S| - (de - 1)\sqrt{q}$ of Theorem 6 is attained. In Section 5.2 we will see more examples of such constructions.

4. Basis and decomposition

4.1. Finding a basis

To find a basis for $B^*$ we first determine the structure of the group, so that the size of a basis can be determined. As we have seen from Equation (1), $B^*$ decomposes as $\prod_{i=1}^{m} A_i^*$ (recall that $A_i := \mathbb{F}_q[x]/f_i^{e_i}$). Therefore we focus on the decomposition of the group $A^* := (\mathbb{F}_q[x]/f^e)^*$, with $f$ and $e$ as in Section 3.

Lemma 20. If $p \ge e$, then

$$A^* \cong \mathbb{Z}/(q^d - 1)\mathbb{Z} \oplus \Bigl(\bigoplus_{nd(e-1)}\mathbb{Z}/p\mathbb{Z}\Bigr).$$

Proof. Consider the map $\varphi : A^* \to (\mathbb{F}_q[x]/f)^*$, $\varphi(a) = a \bmod f$. Clearly $\varphi$ is surjective, and its kernel is precisely
$$\ker\varphi = \{1 + bf \in A : b \in \mathbb{F}_q[x],\ \deg b < d(e - 1)\}. \qquad (24)$$
For every $1 + bf \in \ker\varphi$, since $A$ has characteristic $p$, its $p$-th power is
$$(1 + bf)^p = 1 + b^p f^p \pmod{f^e}, \qquad (25)$$
and since $p \ge e$,
$$1 + b^p f^p \equiv 1 \pmod{f^e}. \qquad (26)$$
So every element of $\ker\varphi$ has order dividing $p$. Recall that $q = p^n$; by the structure theorem for finite abelian groups,
$$\ker\varphi \cong \bigoplus_{nd(e-1)}\mathbb{Z}/p\mathbb{Z}. \qquad (27)$$
Moreover $|\ker\varphi| = p^{nd(e-1)}$ is relatively prime to $|\operatorname{im}\varphi| = p^{nd} - 1$, so $A^*$ is isomorphic to their direct product. □
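To make Example 19 and the kernel structure of Lemma 20 concrete, here is an added Python example (ours, not code from the article). For $d = 1$ and $f = x - 1$ the algebra $A = \mathbb{F}_7[x]/(x - 1)^e$ is $\mathbb{F}_7[y]/y^e$ with $y = x - 1$, so an element is a tuple of $e$ coefficients and a product is truncated at $y^e$; the generators $x + t$ become $y + (1 + t)$, and $t = 6$ gives $y = f$ itself, the one non-unit. The program walks the Cayley graph $\Gamma(A^*, S)$ from the identity (vertex-transitivity makes the eccentricity of $1$ the diameter), compares the diameter with the bound of Theorem 5 and with Proposition 3 evaluated at the spectral gaps reported in Example 19, and checks that $\ker\varphi = \{1 + by\}$ has $7^{e-1}$ elements of order dividing $7$. The parameter choices $p = 7$ and $e \in \{2, 3\}$ are those of Example 19.

```python
# Added example, not code from the article: Example 19 (and the kernel in Lemma 20) for d = 1.
# With f = x - 1, A = F_7[x]/(x - 1)^e is F_7[y]/y^e via y = x - 1: an element is a tuple of e
# coefficients (low degree first) and products are truncated at y^e.
from itertools import product
from math import ceil, log
P = 7                        # assumed p = q = 7 (n = 1), as in Example 19

def tmul(a, b):
    """Product in F_p[y]/y^e for coefficient tuples a, b of equal length e."""
    e, r = len(a), [0] * len(a)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < e:
                r[i + j] = (r[i + j] + x * y) % P
    return tuple(r)

def tpow(a, n):
    r = (1,) + (0,) * (len(a) - 1)
    for _ in range(n):
        r = tmul(r, a)
    return r

def units(e):
    """A*: the elements with non-zero constant term (Lemma 7 with d = 1); |A*| = (q - 1) q^(e-1)."""
    return [t for t in product(range(P), repeat=e) if t[0] != 0]

def generating_set(e):
    """S = (x + F_q) meets A*: x + t = y + (1 + t) is a unit iff 1 + t != 0, so t = 6 (giving f
    itself) is dropped and |S| = q - 1 = 6."""
    return [((1 + t) % P, 1) + (0,) * (e - 2) for t in range(P) if (1 + t) % P != 0]

def distances(e):
    """Breadth-first walk of Gamma(A*, S) from the identity: distance of every reachable unit."""
    S, one = generating_set(e), (1,) + (0,) * (e - 1)
    dist, frontier = {one: 0}, [one]
    while frontier:
        nxt = []
        for g in frontier:
            for s in S:
                h = tmul(g, s)
                if h not in dist:
                    dist[h] = dist[g] + 1
                    nxt.append(h)
        frontier = nxt
    return dist

def cayley_walk(e):
    """(|A*|, units reached, diameter).  A Cayley graph is vertex-transitive, so the eccentricity
    of 1 is the diameter, and reaching every unit means S generates A* (Section 2.2)."""
    dist = distances(e)
    return len(units(e)), len(dist), max(dist.values())

def farthest_units(e):
    """Units at maximal distance from the identity."""
    dist = distances(e)
    far = max(dist.values())
    return sorted(u for u, k in dist.items() if k == far)

def theorem5_bound(e, q=P, d=1):
    """The bound on t in Theorem 5 (valid when sqrt(q) > de - 1 and de >= 2)."""
    de = d * e
    return 2 * de + 1 + 4 * de * log(de - 1) / (log(q) - 2 * log(de - 1))

def proposition3_bound(n_vertices, k, gap):
    """Proposition 3 with lambda = k - gap: diam <= ceil(log(N - 1) / log(k / lambda))."""
    return ceil(log(n_vertices - 1) / log(k / (k - gap)))

def kernel_is_p_torsion(e):
    """Lemma 20 for p = 7 >= e: ker(phi) = {1 + b y} has p^(e-1) elements and each satisfies
    g^p = 1, as a direct sum of copies of Z/pZ requires."""
    one = (1,) + (0,) * (e - 1)
    ker = [(1,) + t for t in product(range(P), repeat=e - 1)]
    return len(ker) == P ** (e - 1) and all(tpow(g, P) == one for g in ker)
```

For $e = 2$ the walk reaches all $42$ units and the diameter is $4$: the constant $2$ is the only unit that is not a product of three or fewer generators, in line with Theorem 5's $t < 5$ and with Proposition 3 at the reported gap $3.354$ (which gives $\operatorname{diam} \le 5$). For $e = 3$ it reaches all $294$ units; since at most $\sum_{k \le 4}\binom{k+5}{5} = 252 < 294$ distinct products use four or fewer of the six generators, the diameter is at least $5$.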


Theorem 21. If p ≥ maxm e , then i =1 i

B∗ 

m 



⎝Z/(qdi − 1)Z ⊕

i =1





Z/ p Z⎠ .

ndi (e i −1)

Proof. It follows from Lemma 20 and Equation (1).

2

Theorem 21 holds if and only if $p \ge \max_{i=1}^m e_i$, and thus our basis construction and decomposition algorithms will only deal with this situation. Assuming this condition, it suffices to find a basis for the group $A^*$. From the proof of Lemma 20, we can see that
$$A^* = \pi(L^*) \times \ker \varphi, \qquad (28)$$
and as we have seen in Lemma 20, $\pi(L^*) \cong \mathbb{Z}/(q^d - 1)\mathbb{Z}$ and $\ker \varphi \cong \bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$. For the former component $\pi(L^*)$, we will simply use an existing algorithm such as Huang and Narayanan (2013) to find a generator. We then consider the latter component $\ker \varphi$. Let $K_j$ ($1 \le j \le e$) denote the subset of $A^*$ of the form $\{1 + hf^j \bmod f^e : h \in \mathbb{F}_q[x]\}$. By definition, $K_1 = \ker \varphi$ and $K_e = \{1\}$. One may verify that each $K_j$ is actually a subgroup of $\ker \varphi$ (where the inverse of $1 + hf^j$ is $1 + \sum_{k=1}^{e-1} (-hf^j)^k$). Consider the following filtration of subgroups:
$$K_1 \supseteq K_2 \supseteq \cdots \supseteq K_e.$$
Assume $q = p^n$ with $\mathbb{F}_q \cong \mathbb{F}_p[\theta]$. Then

Lemma 22. For each $1 \le j \le e - 1$,
$$K_j / K_{j+1} = \big\langle 1 + \theta^l x^k f^j \big\rangle_{k = 0, \dots, d-1;\ l = 0, \dots, n-1} \;\cong\; \bigoplus_{k=0}^{d-1} \bigoplus_{l=0}^{n-1} \mathbb{Z}/p\mathbb{Z}.$$

Proof. Consider the map $K_j \to \mathbb{F}_q[x]/f$ sending $1 + hf^j$ to $h \bmod f$. It is easy to verify that this is a group homomorphism with $K_{j+1}$ as the kernel. Therefore, we have
$$K_j / K_{j+1} \;\cong\; \mathbb{F}_q[x]/f \;\cong\; \bigoplus_{k=0}^{d-1} \bigoplus_{l=0}^{n-1} \mathbb{Z}/p\mathbb{Z}, \qquad (29)$$
whereby $1 + hf^j$ is mapped to $(h_{k,l})_{k = 0, \dots, d-1;\ l = 0, \dots, n-1}$ if $h \pmod f$ is written in the form $h = \sum_{k=0}^{d-1} h_k x^k$ and each $h_k \in \mathbb{F}_q$ is written as $h_k = \sum_{l=0}^{n-1} h_{k,l} \theta^l$. Under this isomorphism, the basis $\{\theta^l x^k \mid 0 \le k \le d-1,\ 0 \le l \le n-1\}$ for $\mathbb{F}_q[x]/f$ corresponds to the basis $\{1 + \theta^l x^k f^j \mid 0 \le k \le d-1,\ 0 \le l \le n-1\}$ for $K_j / K_{j+1}$. □

Lemma 23. The set of polynomials $\{1 + \theta^l x^k f^j \mid 0 \le l \le n-1,\ 0 \le k \le d-1,\ 1 \le j \le e-1\}$ forms a basis for $\ker \varphi$.

Proof. Clearly, this set contains $nd(e-1)$ elements, which is consistent with Equation (27). So it suffices to show that it generates $\ker \varphi$. Given any element $k_j \in K_j$, we first write it in the form $k_j = 1 + \sum_{t=j}^{e-1} h_t f^t$, where each $h_t$ has degree less than d. Under the isomorphism between $K_j / K_{j+1}$ and $\mathbb{F}_q[x]/f$ in the proof of Lemma 22, we see that $k_j$, $1 + h_j f^j$, and $\prod_{k=0}^{d-1} \prod_{l=0}^{n-1} (1 + \theta^l x^k f^j)^{h_{j,k,l}}$ are all in the same class in $K_j / K_{j+1}$, assuming $h_j$ is written in the form $h_j = \sum_{k=0}^{d-1} h_{j,k} x^k$ and each $h_{j,k} \in \mathbb{F}_q$ is written as $h_{j,k} = \sum_{l=0}^{n-1} h_{j,k,l} \theta^l$. By Lemma 22, the class of $k_j$ modulo $K_{j+1}$ is mapped to $(h_{j,k,l})_{k,l}$. So
$$k_j = \Big( \prod_{k=0}^{d-1} \prod_{l=0}^{n-1} (1 + \theta^l x^k f^j)^{h_{j,k,l}} \Big) \, k_{j+1}, \qquad (30)$$
where $k_{j+1} \in K_{j+1}$ is uniquely determined. Therefore, any element $k_1 = 1 + \sum_{t=1}^{e-1} h_t f^t \in K_1 = \ker \varphi$ can be decomposed recursively via Equation (30) for all $1 \le j \le e-1$, so $k_1$ can be written as a product of elements from the set. □

Therefore, if p ≥ e, then we can use $Z := \{\pi(g)\} \cup \{1 + \theta^l x^k f^j \mid 0 \le l \le n-1,\ 0 \le k \le d-1,\ 1 \le j \le e-1\}$ as a basis for $A^*$, where g is a generator for $(\mathbb{F}_q[x]/f)^*$. Obviously, this claim can be quickly extended to the general case, $B^*$.

Theorem 24. Let $g_i$ be a generator of $(\mathbb{F}_q[x]/f_i)^*$ and $\pi_i$ be the embedding map from $\mathbb{F}_q[x]/f_i$ into $A_i$. If $p \ge \max_{i=1}^m e_i$, then the set $Z := \bigcup_{i=1}^m \{\psi(v_i, z) \mid z \in Z_i\}$ forms a basis for $B^*$, where $Z_i := \{\pi_i(g_i)\} \cup \{1 + \theta^l x^k f_i^j \mid 0 \le l \le n-1,\ 0 \le k \le d_i - 1,\ 1 \le j \le e_i - 1\}$.

Proof. By Lemma 20 and Lemma 23, each $Z_i$ is a basis for $A_i^*$, and $B^* \cong \prod_{i=1}^m A_i^*$. The union $\bigcup_{i=1}^m \{(v_i, z) \mid z \in Z_i\}$ forms a basis for the right-hand side. □

Based on Theorem 24, we developed Algorithm 4. Given the input $q = p^n$ and F, if $p \ge \max_{i=1}^m e_i$, it outputs a basis for $B^*$; otherwise, it reports failure in finding a basis.

Algorithm 4 Basis(q, F).
1: Factorize q into $p^n$ and F into $F = \prod_{i=1}^m f_i^{e_i}$ (if not provided), where each $f_i$ is an irreducible polynomial of degree $d_i$
2: if $p \ge \max_{i=1}^m e_i$ then
3:   $Z := \emptyset$
4:   for $i = 1, \dots, m$ do
5:     Find a generator g for $(\mathbb{F}_q[x]/f_i)^*$ using existing algorithms
6:     $z := \mathrm{Embed}(g, q, f_i, e_i)$
7:     $Z := Z \cup \{\psi(v_i, z)\}$
8:     for all $0 \le l \le n-1$, $0 \le k \le d_i - 1$ and all $1 \le j \le e_i - 1$ do
9:       $z := 1 + \theta^l x^k f_i^j$
10:      $Z := Z \cup \{\psi(v_i, z)\}$
11:    end for
12:  end for
13: else
14:  return unknown
15: end if
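Algorithm 4 and the decomposition it prepares for (Algorithm 5 in Section 4.2 below), worked through in code for the prime-field case q = p, i.e. n = 1, where θ drops out and the basis of ker φ from Lemma 23 is simply {1 + x^k f^j}. This is an added example, not code from the paper. Its assumptions: Embed is implemented as the p^d-th power of an arbitrary lift (the paper's own Embed routine is defined in an earlier section that is not part of this excerpt); the generator g of (F_p[x]/f)^* and the discrete logarithm of Algorithm 5, line 7, are found by exhaustive search, which is adequate only for the tiny fields used; and the inverse of η in line 6 is taken as η^(p^d − 2), which is valid because η lies in π(L^*). The parameters p = 5, f = x^2 + 2, e = 3 and the element b are constructed inputs. The function `kernel_has_exponent_p` checks the step of Lemma 20 (Equations (25) and (26)) that every element of ker φ has p-th power 1 when p ≥ e.

```python
import itertools

# Polynomials over F_p are coefficient lists, lowest degree first; [] is the zero polynomial.
def trim(a):
    while a and a[-1] == 0: a.pop()
    return a

def add(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)])

def mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return trim(out)

def divmod_poly(a, m, p):
    """Long division over F_p: returns (quotient, remainder) with a = quotient*m + remainder."""
    a, m = trim(list(a)), trim(list(m))
    inv_lead = pow(m[-1], p - 2, p)
    q = [0] * max(len(a) - len(m) + 1, 1)
    while len(a) >= len(m):
        coef, shift = a[-1] * inv_lead % p, len(a) - len(m)
        q[shift] = coef
        for i, mi in enumerate(m):
            a[shift + i] = (a[shift + i] - coef * mi) % p
        trim(a)
    return trim(q), a

def mod(a, m, p):
    return divmod_poly(a, m, p)[1]

def powmod(a, k, m, p):
    """a^k mod m by square-and-multiply."""
    result, base = [1], mod(a, m, p)
    while k:
        if k & 1: result = mod(mul(result, base, p), m, p)
        base, k = mod(mul(base, base, p), m, p), k >> 1
    return result

def poly_pow(a, k, p):
    """Unreduced power, used for f^j and for the modulus f^e."""
    r = [1]
    for _ in range(k):
        r = mul(r, a, p)
    return r

def find_generator(f, p):
    """Exhaustive generator search for (F_p[x]/f)^* (the 'existing algorithms' of Algorithm 4, line 5)."""
    order = p ** (len(f) - 1) - 1
    primes = [r for r in range(2, order + 1) if order % r == 0 and all(r % s for s in range(2, r))]
    for coeffs in itertools.product(range(p), repeat=len(f) - 1):
        g = trim(list(coeffs))
        if g and all(powmod(g, order // r, f, p) != [1] for r in primes):
            return g

def embed(a, f, e, p):
    """pi(a mod f) in A = F_p[x]/f^e. Assumed implementation (the paper's Embed is not in this excerpt):
    for p >= e the p^d-th power of a lift kills the ker(phi) part (exponent p, Lemma 20) and fixes
    the pi(L^*) part, whose order divides p^d - 1."""
    return powmod(a, p ** (len(f) - 1), poly_pow(f, e, p), p)

def discrete_log(a, g, f, p):
    """Exhaustive log of a mod f to base g in (F_p[x]/f)^* (Algorithm 5, line 7)."""
    target, cur = mod(a, f, p), [1]
    for i in range(p ** (len(f) - 1) - 1):
        if cur == target: return i
        cur = mod(mul(cur, g, p), f, p)
    raise ValueError("a is not a unit")

def basis_elt(j, k, f, p):
    """1 + x^k f^j, the basis element of Lemma 23 (n = 1, so theta^l = 1)."""
    return add([1], mul([0] * k + [1], poly_pow(f, j, p), p), p)

def decompose(b, f, e, p):
    """Algorithm 5 for one factor f^e and q = p: (g, b0, H) with b = pi(g)^b0 * prod (1 + x^k f^j)^H[(j, k)]."""
    assert p >= e, "Theorem 21 needs p >= e"
    d, M = len(f) - 1, poly_pow(f, e, p)
    a, g = mod(b, M, p), find_generator(f, p)
    eta = embed(mod(a, f, p), f, e, p)
    # eta lies in pi(L^*), of order dividing p^d - 1, so eta^{-1} = eta^(p^d - 2); kappa is then in ker(phi)
    kappa = mod(mul(powmod(eta, p ** d - 2, M, p), a, p), M, p)
    b0, H = discrete_log(a, g, f, p), {}
    for j in range(1, e):
        # kappa = 1 (mod f^j) here; h_j := (kappa mod f^{j+1} - 1) / f^j has degree < d (line 9)
        h_j, rem = divmod_poly(add(mod(kappa, poly_pow(f, j + 1, p), p), [p - 1], p), poly_pow(f, j, p), p)
        assert rem == []
        for k in range(d):
            H[(j, k)] = h_j[k] if k < len(h_j) else 0
            # 1 + x^k f^j has order p, so dividing by its H-th power is multiplying by the (p - H)-th (line 13)
            kappa = mod(mul(kappa, powmod(basis_elt(j, k, f, p), (p - H[(j, k)]) % p, M, p), p), M, p)
    assert kappa == [1]   # every coordinate has been peeled off
    return g, b0, H

def recompose(g, b0, H, f, e, p):
    """Multiply the basis elements back together; equals b mod f^e when the coordinates are right."""
    M = poly_pow(f, e, p)
    out = powmod(embed(g, f, e, p), b0, M, p)
    for (j, k), h in H.items():
        out = mod(mul(out, powmod(basis_elt(j, k, f, p), h, M, p), p), M, p)
    return out

def kernel_has_exponent_p(f, e, p):
    """Lemma 20, Equations (25)-(26): (1 + b f)^p = 1 in A for every b with deg b < d(e-1), when p >= e."""
    d, M = len(f) - 1, poly_pow(f, e, p)
    return all(powmod(add([1], mul(trim(list(c)), f, p), p), p, M, p) == [1] for c in itertools.product(range(p), repeat=d * (e - 1)))

# Constructed input: p = 5, f = x^2 + 2 (irreducible over F_5: 3 is a non-square), e = 3 <= p, b = 2x^5 + x^3 + 3x + 1 (a unit: b mod f = 4x + 1).
P, F, E = 5, [2, 0, 1], 3
B = [1, 3, 0, 1, 0, 2]
```

Calling `decompose(B, F, E, P)` returns b_0 and the h_{j,k}, and `recompose` multiplies π(g)^{b_0} and the (1 + x^k f^j)^{h_{j,k}} back together; equality with b mod f^e is the check that the coordinates are right. Over a general F_q one would add the index l over the F_p-basis {θ^l} of F_q exactly as Algorithm 5 does.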

4.2. Decomposition

In the proof of Lemma 23, we have seen an outline of our algorithm for decomposition. The pseudo code for this algorithm is shown in Algorithm 5. Given an element $b \in \mathbb{F}_q[x]$ corresponding to an element in $B^*$, the algorithm either outputs its coordinates $\bigoplus_{i=1}^m \big( b_{i,0} \oplus \bigoplus_{j=1}^{nd_i(e_i - 1)} b_{i,j} \big)$ with respect to Theorem 21 (if $p \ge \max_{i=1}^m e_i$), or claims a failure in decomposition. We comment that in Lines 6 and 13, the inverse element is found in $A_i^*$.

Algorithm 5 Decompose(q, F, b).
1: Factorize q into $p^n$ and F into $F = \prod_{i=1}^m f_i^{e_i}$ (if not provided), where each $f_i$ is an irreducible polynomial of degree $d_i$
2: if $p \ge \max_{i=1}^m e_i$ then
3:   for $i = 1, \dots, m$ do
4:     $a := b \bmod f_i^{e_i}$
5:     $\eta := \mathrm{Embed}(a \bmod f_i, q, f_i, e_i)$
6:     $\kappa := \eta^{-1} a$
7:     $b_{i,0} :=$ discrete log of $(a \bmod f_i)$ in $(\mathbb{F}_q[x]/f_i)^*$
8:     for $j = 1, \dots, e_i - 1$ do
9:       $h_j := (\kappa \bmod f_i^{j+1} - 1) / f_i^j$, and assume $h_j = \sum_{k=0}^{d_i - 1} \big( \sum_{l=0}^{n-1} h_{j,k,l} \theta^l \big) x^k$
10:      for $k = 0, \dots, d_i - 1$, $l = 0, \dots, n-1$ do
11:        $b_{i,j,k,l} := h_{j,k,l}$
12:      end for
13:      $\kappa := \big( \prod_{k=0}^{d_i - 1} \prod_{l=0}^{n-1} (1 + \theta^l x^k f_i^j)^{h_{j,k,l}} \big)^{-1} \kappa$
14:    end for
15:  end for
16:  return $\bigoplus_{i=1}^m \big( b_{i,0} \oplus \bigoplus_{j=1}^{e_i - 1} \bigoplus_{k=0}^{d_i - 1} \bigoplus_{l=0}^{n-1} b_{i,j,k,l} \big)$
17: else
18:  return unknown
19: end if

5. Experiments

5.1. Experimental study of the generating sets

An interesting question about the generating sets we presented in Section 3 is whether a small subset may already be sufficient to generate the group. Thus, we ran experiments to see whether the size of the generating sets can be substantially reduced by drawing random subsets from our original construction. For simplicity, we only ran experiments on algebras of the form $A := \mathbb{F}_p[x]/f^e$, where $f \in \mathbb{F}_p[x]$ is irreducible of degree d. We compare the sizes of three types of generating sets for $A^*$. The first type, having the form $x + \pi(\mathbb{F}_q)$, corresponds to Theorem 11. Its size equals $p^d$. The second type of generating sets are of the form $x + \pi(K)$, corresponding to Theorem 13, where $K \subset \mathbb{F}_q$ is a subfield of size $p^c$. The third type of generating sets are constructed by adding random elements of $x + \pi(K)$ to the empty set one by one, until it generates $A^*$. We write its size as $p^r$ where $r \in \mathbb{R}$. Clearly, we have the relationship $r \le c \le d$.

Our first experiment compares the growth of c and d. In this experiment, we fix p = 7, e = 5 and $d = 2^1, 2^2, 2^3, \dots$. From Fig. 1, we see that c is a step function that grows linearly with $\log d$, or in other words, $c \in \Theta(\log d)$, as stated in Corollary 15.

Fig. 1. The growth of c and d.

In the second set of experiments, we compare r and c with different choices of parameters. We first test the effect of p. We fix e = 5 and $d = 2^1, 2^2, 2^3, \dots$ and then increase p from 5 to 23. From Fig. 2, we observe that both c and r grow at the speed of $\Theta(\log d)$. In addition, we can see that when p increases, the growth rate of c and r decreases. The third set of experiments studies the effect of e while fixing the value p = 13, and the results are shown in Fig. 3. This set of experiments shows that when e increases from 3 to 12, the growth rate of both c and r increases. Interestingly, from all the experimental results shown in Figs. 2 and 3, we see that it is roughly the case that c ≈ 2r, which implies that a square root number of random elements from $x + \pi(K)$


Fig. 2. The effect of p.

might already be sufficient as a generating set for $A^*$. However, how to find a subset of this size, and whether such subsets can be used for expander graph construction, remain open problems.

5.2. Experimental study of the expander graphs

In Table 1, we enumerate all expander graphs of degrees less than 12 which can be constructed over groups of the form $(\mathbb{F}_p[x]/f^e)^*$ under our framework, where f is irreducible. When e = 1, our construction degenerates to Chung's construction (see Chung, 1989), and when e > 1, our algorithm produces new expander graphs that differ from all existing constructions. In the table, we highlight these constructions using boldface. The first column of the table shows the degree of the vertices of the regular directed graph (denoted by Γ), and the last three columns show the number of vertices, the diameter and the spectral gap of the graph, respectively. From the table, we can see that our approach offers some degree of flexibility in the explicit construction of expander graphs. Notice that using our approach, we are able to construct expander graphs of some special degrees (such as 6 and 10) that are not prime powers, which is not possible with Chung's construction. We also observe that these new constructions are comparable with Chung's constructions in terms of graph diameters and spectral gaps. Sometimes, the flexibility of our approach may be utilized to build better expanders for specific applications. For example, when the degree of the graph equals 11, by choosing p = 11, d = 4, Chung's framework produces an expander graph with 14,640 vertices having spectral gap 1.652. Using our approach, we may choose p = 11, e = 2, c = 1 and d = 2 instead. In this case, the expander graph has 14,520 vertices, which might be close


Fig. 3. The effect of e.

enough to 14,640 for a specific application, and we have achieved a better spectral gap with the value of 2.203.

6. Conclusion and future work

In this paper, we generalize Chung (1989) to the case of $\mathbb{F}_q[x]/F$ where $F \in \mathbb{F}_q[x]$ is not necessarily irreducible. We present algorithms for finding different types of small generating sets for $B^*$ which can be applied to the explicit construction of expander graphs. We demonstrated that our approach provides a more flexible framework for constructing expander graphs. In particular, expander graphs of degrees that are not prime powers can be constructed. We also analyze the algebraic structure of $B^*$ and propose algorithms for finding a basis for $B^*$ and decomposing elements with respect to this basis. It will be interesting to study new features and applications of the expander graphs constructed using our approach. As mentioned before, the diameter bound of Cayley graphs over the multiplicative groups of finite fields has been improved by Shparlinski (2015). Although this result does not directly apply to our situation, it will be interesting to see if Shparlinski's techniques can be adapted to give a better upper bound for the diameters of our expanders. In the computation, we observe that a square root number of elements in the constructed generating set is usually sufficient to generate the whole group. Whether a generating set of such size can be used for expander graph construction remains open. Finally, basis construction and decomposition for $B^*$ when p < e is an interesting problem for further investigation.


Table 1. Expander graphs over $(\mathbb{F}_p[x]/f^e)^*$ of low degrees.

deg(Γ)   p    c    e    d    |V(Γ)|   diam(Γ)   γ(Γ)
2        2    1    1    1    1        0         –†
2        2    1    1    2    3        1         1.000
2        3    1    2    1    6        3         0.268
3        3    1    1    1    2        1         2.000
3        3    1    1    2    8        3         1.268
3        2    2    2    2    12       3         1.000
4        2    2    1    2    3        1         3.000
4        2    2    1    4    15       3         2.000
4        5    1    2    1    20       4         1.764
4        5    1    3    1    100      7         0.196
5        5    1    1    1    4        1         4.000
5        5    1    1    2    24       3         2.764
5        5    1    1    3    124      6         0.976
6        7    1    2    1    42       4         3.354
6        7    1    3    1    294      7         1.187
7        7    1    1    1    6        1         6.000
7        7    1    1    2    48       3         4.354
7        7    1    1    3    342      6         1.975
7        2    3    2    2    56       3         4.172
7        2    3    3    3    448      6         2.313
7        2    3    1    3    7        1         7.000
7        2    3    1    6    63       3         5.172
7        2    3    1    9    511      6         2.421
8        3    2    2    2    72       3         5.000
8        3    2    3    2    648      6         2.000
9        3    2    1    2    8        1         8.000
9        3    2    1    4    80       3         6.000
9        3    2    1    6    728      6         3.094
10       11   1    2    1    110      3         6.683
10       11   1    3    1    1210     6         3.487
11       11   1    1    1    10       1         10.000
11       11   1    1    2    120      3         7.683
11       11   1    1    3    1330     6         4.557
11       11   1    1    4    14640    9         1.652
11       11   1    2    2    14520    9         2.203

† This graph has only one node, where the second eigenvalue is not defined.
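The rows of Table 1 with d = 1 and e ≥ 2 (the degree-6 graphs of Example 19 among them), recomputed as an added example that is not part of the paper. With d = 1 one can take f = x − r, and the substitution y = x − r turns F_p[x]/(x − r)^e into the truncated power-series ring F_p[y]/y^e: the vertices are the units, i.e. the coefficient tuples with nonzero constant term, and the generating set x + F_p becomes {y + (r + a) : a ∈ F_p} with the single non-unit dropped, which is why these rows have degree p − 1. The directed Cayley graph is taken to have an edge v → v·s for every generator s, and its diameter is found by breadth-first search from every vertex; the choice r = 1 and that edge convention are assumptions of this example, and spectral gaps are not computed here.

```python
from collections import deque
from itertools import product

def mul_trunc(a, b, p):
    """Multiply two elements of F_p[y]/y^e stored as tuples of e coefficients (constant
    term first); terms of degree >= e are dropped because y^e = 0 in this ring."""
    e = len(a)
    out = [0] * e
    for i, ai in enumerate(a):
        if ai:
            for j in range(e - i):
                out[i + j] = (out[i + j] + ai * b[j]) % p
    return tuple(out)

def units(p, e):
    """Vertex set: the unit group of F_p[y]/y^e, i.e. tuples with nonzero constant term."""
    return [t for t in product(range(p), repeat=e) if t[0] != 0]

def generating_set(p, e, r=1):
    """S = {x + a : a in F_p} for f = x - r (assumed r = 1), rewritten in y = x - r as
    y + (r + a); the one a with r + a = 0 gives a non-unit and is dropped, as in Example 19."""
    S = []
    for a in range(p):
        elt = [0] * e
        elt[0] = (r + a) % p
        if e > 1:
            elt[1] = 1
        if elt[0] != 0:
            S.append(tuple(elt))
    return S

def cayley_digraph(p, e, r=1):
    """Directed Cayley graph with an edge v -> v*s for every generator s (assumed convention)."""
    V = units(p, e)
    S = generating_set(p, e, r)
    adj = {v: [mul_trunc(v, s, p) for s in S] for v in V}
    return V, S, adj

def diameter(V, adj):
    """Largest directed eccentricity via BFS from every vertex; None if some vertex cannot
    reach every other, which would mean S does not generate the unit group."""
    worst = 0
    for src in V:
        dist = {src: 0}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for w in adj[u]:
                if w not in dist:
                    dist[w] = dist[u] + 1
                    queue.append(w)
        if len(dist) != len(V):
            return None
        worst = max(worst, max(dist.values()))
    return worst

def table_row(p, e):
    """(|V(Gamma)|, degree, diameter) for the d = 1 row of Table 1 with parameters p and e."""
    V, S, adj = cayley_digraph(p, e)
    return len(V), len(S), diameter(V, adj)

if __name__ == "__main__":
    for p, e in [(3, 2), (5, 2), (5, 3), (7, 2), (7, 3), (11, 2)]:
        print(f"p={p} e={e}: |V|, degree, diameter = {table_row(p, e)}")
```

`table_row(p, e)` returns (|V(Γ)|, degree, diameter); for p = 7 it gives 42 and 294 vertices for e = 2 and 3, as in Example 19, and the diameter can be compared with the diam(Γ) column of Table 1. A `None` diameter would mean the generating set does not generate the unit group.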

References

Adleman, L.M., Huang, M.-D.A., 1999. Function field sieve method for discrete logarithms over finite fields. Inf. Comput. 151 (1–2), 5–16. http://www.sciencedirect.com/science/article/pii/S0890540198927614.
Ahmadi, O., Shparlinski, I.E., Voloch, J.F., 2007. Multiplicative Order of Gauss Periods. Tech. Rep.
Alon, N., Galil, Z., Milman, V., 1987. Better expanders and superconcentrators. J. Algorithms 8 (3), 337–347. http://www.sciencedirect.com/science/article/pii/0196677487900149.
Barbulescu, R., Gaudry, P., Joux, A., Thomé, E., 2014. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (Eds.), Eurocrypt 2014, vol. 8441. Springer, Copenhagen, Denmark, pp. 1–16. https://hal.inria.fr/hal-00835446.
Bhowmick, A., Lê, T.H., 2015. On primitive elements in finite fields of low characteristic. Finite Fields Appl. 35, 64–77. http://www.sciencedirect.com/science/article/pii/S1071579715000386.
Chung, F.R.K., 1989. Diameters and eigenvalues. J. Am. Math. Soc. 2 (2), 187–196.
Chung, F.R.K., 1994. Several generalizations of Weil sums. J. Number Theory 49, 95–106.
Dinur, I., 2007. The PCP theorem by gap amplification. J. ACM 54 (3). http://dx.doi.org/10.1145/1236457.1236459.
Gao, S., 1999. Elements of provable high orders in finite fields. Proc. Am. Math. Soc. 127 (6), 1615–1623. http://www.jstor.org/stable/119470.
Gao, S., Vanstone, S.A., 1995. On orders of optimal normal basis generators. Math. Comput. 64 (211), 1227–1233. http://dx.doi.org/10.2307/2153492.


Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J., 2013. In: Advances in Cryptology – CRYPTO 2013: Proceedings of the 33rd Annual Cryptology Conference, Part II. Santa Barbara, CA, USA, August 18–22, 2013. Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 109–128.
Hoory, S., Linial, N., Wigderson, A., 2006. Expander graphs and their applications. Bull. Am. Math. Soc. 43 (4), 439–561.
Huang, M.-D., Liu, L., 2016. Constructing small generating sets for the multiplicative groups of algebras over finite fields. In: Proceedings of the ACM on International Symposium on Symbolic and Algebraic Computation. ISSAC '16. ACM, New York, NY, USA, pp. 287–294.
Huang, M., Narayanan, A.K., 2013. Finding primitive elements in finite fields of small characteristic. CoRR arXiv:1304.1206.
Joux, A., 2013. A New Index Calculus Algorithm with Complexity l(1/4 + o(1)) in Very Small Characteristic. Cryptology ePrint Archive, Report 2013/095.
Katz, N.M., 1989. An estimate for character sums. J. Am. Math. Soc. 2 (2), 197–200. http://www.jstor.org/stable/1990974.
Lu, M., Wan, D., Wang, L.-P., Zhang, X.-D., 2014. Algebraic Cayley graphs over finite fields. Finite Fields Appl. 28, 43–56. http://www.sciencedirect.com/science/article/pii/S1071579714000252.
Lubotzky, A., Phillips, R., Sarnak, P., 1988. Ramanujan graphs. Combinatorica 8 (3), 261–277. http://dx.doi.org/10.1007/BF02126799.
Mullen, G.L., Panario, D., 2013. Handbook of Finite Fields, 1st edition. Chapman & Hall/CRC.
Sage, 2016. Sage reference manual: finite rings. Sagemath.org.
Shoup, V., 1992. Searching for primitive roots in finite fields. Math. Comput. 58 (197), 369–380. http://www.jstor.org/stable/2153041.
Shparlinski, I.E., 2015. Cayley graphs generated by small degree polynomials over finite fields. SIAM J. Discrete Math. 29 (1), 376–381. http://dx.doi.org/10.1137/14095813X.
Voloch, J.F., 2007. On the order of points on curves over finite fields. Integers 7 (1), A49 (electronic only). http://eudml.org/doc/128845.
von zur Gathen, J., Shparlinski, I., 1998. Orders of Gauss periods in finite fields. Appl. Algebra Eng. Commun. Comput. 9 (1), 15–24. http://dx.doi.org/10.1007/s002000050093.
Wan, D., 1997. Generators and irreducible polynomials over finite fields. Math. Comput. 66, 1195–1212.