I`m wondering if we evaluate a polynomial on many points picked uniformly at random. Can we say the output values Y's are uniformly at random?
Asked
Active
Viewed 507 times
1
-
A polynomial exists over the entire real line. Is your uniform distribution bounded? – Phonon Sep 26 '14 at 17:06
-
Over finite field. – user153438 Sep 26 '14 at 17:07
-
I did not understood the question in the part where you are saying picking uniformly and randomly at the same time. Can you elaborate this. – Jasser Sep 26 '14 at 17:10
-
1Over a finite field - say the one with seven elements, consider $p(x)=x^7-x$ – Mark Bennet Sep 26 '14 at 17:12
-
@user153438, The phrase finite field means something special in math, which is what Andre was referring to. I think you meant over a finite range. – Mike Earnest Sep 26 '14 at 17:16
-
@MikeEarnest, I'm mainly considering a field in security sense. – user153438 Sep 26 '14 at 17:18
-
Sorry, my mistake! – Mike Earnest Sep 26 '14 at 17:19
-
Since it's very active forum, I'd like to ask this question, if you don't mind. I have a d degree polynomial P1, I pick 2d+1 (or more) points uniformly at random and evaluate P1 on these points. I give away only Y's value to the server. You have P2, with the same degree as mine. You evaluate P2 on the same points as I did and you only send your Y's to the server. Now the question is 1) Can the server learn any of our polynomial having only Y's. 2) Can he infer even a few roots of our polynomial? All operation is on field. – user153438 Sep 26 '14 at 17:24
-
Could anyone please answer the above question in the comment. – user153438 Sep 26 '14 at 17:51
2 Answers
2
In a comment it is specified that we are working in a finite field. Here is a simple counterexample.
Consider the field of $3$ elements, and the polynomial $p(x)=x^2$. If we evaluate at points in the field chosen at random, we get that $p(x)=0$ with probability $\frac{1}{3}$, and $p(x)=1$ with probability $\frac{2}{3}$.
André Nicolas
- 514,336
-
What if we first multiply the polynomial by a random polynomial then we do evaluation. Do you think it can make any differences,please? – user153438 Sep 30 '14 at 16:33
-
If the original polynomial induces a bijection, there is no need to multiply. If the original polynomial does not induce a bijection, multiplying by a random polynomial will not fix that. – André Nicolas Sep 30 '14 at 16:46
-
Is there any way to convert any normal polynomial to bijective? As only the roots of the polynomial are important to me, so the polynomial can have any form. – user153438 Sep 30 '14 at 17:36
-
I do not have a suggestion for that, and don't understand the general theme of your questions. If you already have a way of generating "random" elements of the field, why pass these random elements through a polynomial? – André Nicolas Sep 30 '14 at 17:46
0
A fixed polynomial over a finite field$~F$ will rarely transform uniformly chosen inputs into uniformly chosen outputs: this will happen if and only if the polynomial function $F\to F$ it defines is a bijection. This can certainly happen (every function $F\to F$ is a polynomial function, and uniquely so if one limits the degree to be less than $|F|$; moreover every polynomial of degree$~1$ defines a bijective polynomial function), but as $|F|$ increases this is a vanishing proportion of all functions, and if the sport is to permute the elements of your field, it is not clear wat advantage there is in describing that permutation by a polynomial.
Marc van Leeuwen
- 119,547
-
It goes back to my main problem (stated in the comment). I was wondering if the adversary can obtain any advantage by observing only the value Y's. Please consider the last comment I made. – user153438 Sep 26 '14 at 17:34
-
what if we fist multiply the original polynomial by a random polynomial whose degree is equal to less than the original polynomial, then evaluate the result on these random X's; do you think this can make the Y's distributed at random? – user153438 Sep 30 '14 at 16:39
-
-
Infinitely many polynomials over a finite field are bijective, since $x^q=x$ for any $x\in\Bbb F_q$ allows you to raise exponents while retaining the same polynomial function. A more interesting question is what fraction of polynomials (up to some given high degree) are bijective. This can be easily answered for polynomials up to degree$~q$ (exclusive) since these polynomials are in bijection with (their polynomial) functions $\Bbb F_q\to\Bbb F_q$. So the question becomes which fraction of such functions are bijective; the answer is $\frac{q!}{q^q}\approx\exp(-q)$, quite small indeed. – Marc van Leeuwen Nov 07 '14 at 13:46
-
Many thanks, could you please give me a reference proving the last part you stated please. – user153438 Nov 07 '14 at 14:23
-
Which part? That there are $q!$ bijections among $q^q$ functions is obvious, the $\exp(-q)$ comes from Stirlings approximation (I omitted a factor $\sqrt{2\pi q}$ since my comment was near the character limit). For the bijectiveness of the correspondence, see this anwser. – Marc van Leeuwen Nov 07 '14 at 14:31
-
I do appreciate for all your answers. I have one more question, please. In a finite field of q elements how many bijective polynomials exist whose degree are smaller than d ? – user153438 Nov 11 '14 at 13:56