1 Introduction
Secure multi-party computation (or simply secure computation) is a cryptographic technology that enables two or more parties to jointly compute some function value(s) from their local inputs in such a way that, during a computation, each party learns its own local output value but cannot learn anything about the other parties’ local inputs/outputs.
Among several existing frameworks to realize secure computation, some of the major directions in this area are those based on fully homomorphic encryption (FHE) [5] and on secret sharing (SS) [8].
In FHE-based secure computation (e.g., [2, 4]), the primitive data type is usually the binary field 𝔽2, and a target function to be securely computed has to be implemented by combining the addition and multiplication in 𝔽2 (each being equivalent to bit operations XOR and AND, respectively).
On the other hand, in SS-based secure computation (e.g., [1]), a major primitive data type is again 𝔽2 and a target function has also to be implemented by combining the addition and multiplication.
We note that there is also an FHE scheme that can directly handle the finite prime field 𝔽p for small prime p>2 as well [7]; and the basic idea of SS-based secure computation can be extended straightforwardly to the primitive data type 𝔽p instead of 𝔽2.
Regarding this, in this paper we treat 𝔽p for a general prime p (not just 𝔽2) as the base field of the argument.
In the two frameworks for secure computation mentioned above, a target function is supposed to be decomposed into a combination of addition and multiplication in the field 𝔽p; this is (in theory) equivalent to expressing the function as a polynomial over the field 𝔽p.
Moreover, the multiplication in 𝔽p is significantly more expensive than the addition in 𝔽p when realized as secure computation.
Indeed, in the FHE-based framework, the multiplication increases the “noise” of the ciphertexts (to be cancelled later by an inefficient “bootstrapping” procedure) much more rapidly than the addition; while in the SS-based framework, the multiplication requires communication between the parties, in contrast to the addition which can be done by local computation at each party only.
Hence, we may naively expect that an expression of the target function as a low degree polynomial would involve fewer multiplications, and thus yield efficient secure computation for the function.
On the other hand, it is known that any function over the prime field 𝔽p can be expressed, in a unique manner, as a polynomial over 𝔽p having degree at most p-1 with respect to each input variable.
We refer to such a polynomial as the minimal polynomial of the function.
However, such minimal polynomial expressions for practical functions have not been studied well in the literature.
One of the aims of this paper is to trigger intensive studies on this subject.
We emphasize that, though the existence of the minimal polynomial expression of any function over 𝔽p is theoretically guaranteed, it is still a non-trivial task to concretely compute the minimal polynomial expression.
Among the rare studies of the minimal polynomials in the literature, the most successful and theoretically interesting result to the authors’ best knowledge is the one by Sturtivant and Frandsen [9, Theorems 9.1 (a) and 11.2]; they showed that the carry function in multiplication of p-ary integers has a polynomial expression consisting of significantly fewer monomials, which uses number-theoretic objects such as the Bernoulli numbers and Wilson’s quotient.
(See also [6] for a different approach to the result and also for an expression of the carry function in the case of addition of p-ary integers.)
In this paper, we study minimal polynomial expressions of a certain kind of functions specified below.
These functions are expected to be useful in some practical procedures such as auction and voting; here we refer to those functions as “auction functions”.
The types of auction functions considered in this paper and our results are summarized as follows.
In Section 3, we deal with the maximum function $\max(x)$ for inputs $x=(x_0,x_1,\dots,x_{n-1})\in(\mathbb{F}_p)^n$.
We provide a general (but less concrete) formula for the minimal polynomial for max(x) for any prime p, and also give more concrete minimal polynomial expressions of max(x) for p=2,3.
Similar results are also given for the minimum function min(x).
In Section 4, we deal with the function $\operatorname{argmax}(x)$ that returns the least index $i$ satisfying $x_i=\max(x)$.
More precisely, to handle the integer-valued function $\operatorname{argmax}(x)$, we consider each, say $r$-th, digit $\operatorname{argmax}^{(r)}(x)$ of the $p$-ary expression of the value $\operatorname{argmax}(x)$.
We provide a general formula for the minimal polynomial for $\operatorname{argmax}^{(r)}(x)$ for any $r\ge 0$ and any prime $p$, and also write down the formula for the special cases $p=2,3$.
Similar results are also given for the function $\operatorname{argmin}(x)$ that returns the least index $i$ satisfying $x_i=\min(x)$.
In Section 5, we focus on the case of two inputs, $x=(x_0,x_1)$, and provide minimal polynomial expressions of $\operatorname{argmax}(x_0,x_1)=\operatorname{argmax}^{(0)}(x_0,x_1)$ and $\max(x_0,x_1)$ for any $p$.
(We note that only the cases for small $p$ such as $p=2,3$ for the function $\max(x)$ are discussed in Section 3.)
In Section 6, we briefly study two other functions $\operatorname{ismax}(y;x)$ and $\operatorname{nummax}(x)$, where $\operatorname{ismax}(y;x)$ for $y\in\mathbb{F}_p$ and $x=(x_0,\dots,x_{n-1})\in(\mathbb{F}_p)^n$ returns 1 if $y=\max(x)$ and returns 0 otherwise, and $\operatorname{nummax}(x)$ returns the number of indices $i$ satisfying $x_i=\max(x)$.
We also discuss the cases for small p such as p=2,3 in slightly more detail.
Finally, in Section 7, we discuss the possible extension of our results on the auction functions with single-digit inputs $x_i\in\mathbb{F}_p$ to the case of multi-digit inputs such as $x_i=(x_{i,0},x_{i,1},\dots,x_{i,\ell-1})\in(\mathbb{F}_p)^{\ell}$, which is regarded as an integer $x_{i,0}+x_{i,1}p+\cdots+x_{i,\ell-1}p^{\ell-1}$.
While leaving most of the cases as future research topics, in Section 7 we provide as an example a general formula for the multi-digit version of the function $\operatorname{argmax}(x)$ and write down the minimal polynomial expression for the smallest case $p=\ell=2$.
We also give the minimal polynomial expression for the multi-digit version of the function $\operatorname{ismax}(y;x)$ for the smallest case $p=\ell=2$.
2 Notation and Basic functions
In this section, we fix some notations used throughout the paper.
Let p be a prime.
A vector $(x_0,x_1,\dots,x_{n-1})$ of length $n$ over the field $\mathbb{F}_p$ is often denoted by $x$.
We introduce a linear ordering $<$ on $\mathbb{F}_p$ by naturally identifying $\mathbb{F}_p$ with the (naturally ordered) subset $\{0,1,\dots,p-1\}$ of $\mathbb{Z}$.
We define an involution on $\mathbb{F}_p$ by $\bar{x}=p-1-x$ for $x\in\mathbb{F}_p$, and extend it coordinate-wise to $(\mathbb{F}_p)^n$.
We denote by $e_i(x)$ the $i$-th elementary symmetric polynomial of $x_0,x_1,\dots,x_{n-1}$, so that $\prod_{i=0}^{n-1}(1+x_i)=\sum_{i=0}^{n}e_i(x)$.
For an integer $k\ge 0$, its $r$-th digit in the $p$-ary expansion is denoted by $k^{(r)}$;
that is, $k=\sum_{r=0}^{\infty}k^{(r)}p^r$ with $k^{(r)}\in\{0,1,\dots,p-1\}$ for each $r$.
Given any logical proposition $P(x)$ for an object $x$, we define its truth function by
$$\chi_P(x)=\begin{cases}1 & (P(x)\text{ is true}),\\ 0 & (\text{otherwise}),\end{cases}$$
which is often abbreviated as $\chi_P(x)=\chi(P)$.
We frequently use the same symbol for a function and its polynomial expression; see below for some examples.
Example 2.1.
For $t\in\mathbb{F}_p$ and a variable $x$, Fermat’s little theorem implies that the minimal polynomial for the delta function $\delta_t(x)=\chi(x=t)$ is given by
$$\delta_t(x)=1-(x-t)^{p-1}=-\prod_{i=1}^{p-1}(x-t+i)$$
(the last equality follows from Wilson’s theorem: $(p-1)!\equiv -1 \pmod{p}$).
Similarly, the minimal polynomial for the low-pass function $L_t(x)=\chi(x<t)$ is given by
$$L_t(x)=\sum_{0\le k<t}\delta_k(x)=\sum_{0\le k<t}\bigl(1-(x-k)^{p-1}\bigr).$$
For notational convenience, we extend the definition of the low-pass function $L_t(x)$ to the case $t=p$, by setting $L_p(x)=1$ (note that the relation $x<p$ as integers holds for any $x\in\mathbb{F}_p$).
3 Polynomial expressions of the max and the min functions
For a vector $x=(x_0,x_1,\dots,x_{n-1})\in(\mathbb{F}_p)^n$, let $\max(x)$ (respectively, $\min(x)$) denote the maximum (respectively, minimum) among the $n$ values $x_0,x_1,\dots,x_{n-1}$.
First, we note that for each a∈𝔽p, the condition a≥t is satisfied for precisely a of the p-1 values t=1,…,p-1.
Based on this fact and using the functions in Example 2.1, we obtain the minimal polynomial of max(x) as follows.
Proposition 3.1.
The minimal polynomial of max is given by
$$\max(x)=\sum_{1\le t\le p-1}\chi(x_i\ge t\text{ for some }i)=\sum_{1\le t\le p-1}\Bigl(1-\prod_{i=0}^{n-1}L_t(x_i)\Bigr).$$
In particular, when $p=2$ this simplifies (by noticing $L_1(x_i)=1+x_i$):
Corollary 3.2.
When p=2, the minimal polynomial of max(x) is given by
$$\max(x)=\prod_{i=0}^{n-1}(1+x_i)-1=\sum_{i=1}^{n}e_i(x).$$
However, when p>2, the general expression in Proposition 3.1 consists of a lot of terms.
We compute a more concise expression for p=3 later.
On the other hand, we note that $\max(x)+1=0$ if $x_i=p-1$ for some $x_i$.
This implies that the minimal polynomial of $\max(x)+1$ has $1+x_i$ as a factor for every $i$. Therefore, we have
$$\max(x)=f_n(x)\prod_{i=0}^{n-1}(1+x_i)-1=f_n(x)\sum_{i=0}^{n}e_i(x)-1$$
for some polynomial $f_n(x)$ in which each variable $x_i$ has degree at most $p-2$.
In particular, this observation yields another proof of Corollary 3.2 (where p=2).
Now we give the following result for the case p=3.
Proposition 3.3.
When p=3, a minimal polynomial expression for max(x) is given by
$$\max(x)=\Bigl(\sum_{i=0}^{\lfloor n/2\rfloor}e_{2i}(x)\Bigr)\Bigl(\sum_{i=0}^{n}e_i(x)\Bigr)-1.$$
Proof.
Write the right-hand side as P(x).
As the minimality condition on the degree is satisfied for $P(x)$, it suffices to verify $\max(x)=P(x)$ for any $x\in(\mathbb{F}_p)^n$.
First note that $\prod_{i=0}^{n-1}(1-x_i)=\sum_{i=0}^{n}e_i(-x)=\sum_{i=0}^{n}(-1)^i e_i(x)$, where we write $-x=(-x_0,-x_1,\dots,-x_{n-1})$; therefore $\prod_{i=0}^{n-1}(1+x_i)+\prod_{i=0}^{n-1}(1-x_i)=2\sum_{i=0}^{\lfloor n/2\rfloor}e_{2i}(x)$.
This implies (since $2^{-1}=2$ in $\mathbb{F}_3$)
$$P(x)=\Bigl(\sum_{i=0}^{\lfloor n/2\rfloor}e_{2i}(x)\Bigr)\Bigl(\sum_{i=0}^{n}e_i(x)\Bigr)-1=2\Bigl(\prod_{i=0}^{n-1}(1+x_i)^2+\prod_{i=0}^{n-1}(1-x_i^2)\Bigr)-1.$$
When $\max(x)=2$, there exists an index $i$ with $x_i=2$, and we have $1+x_i=0$ and $1-x_i^2=0$ for such $i$.
This implies that $P(x)=-1=2$ in this case.
When $\max(x)=1$, we have $\prod_{i=0}^{n-1}(1+x_i)^2=1$ as $x_i\in\{0,1\}$ for every $i$, and $\prod_{i=0}^{n-1}(1-x_i^2)=0$ as $x_i=1$ for at least one $i$.
This implies that $P(x)=2-1=1$ in this case.
Finally, when $\max(x)=0$, we have $\prod_{i=0}^{n-1}(1+x_i)^2=1$ and $\prod_{i=0}^{n-1}(1-x_i^2)=1$ as $x_i=0$ for every $i$.
This implies that $P(x)=2\cdot 2-1=0$ in this case.
Hence, the claim holds.
∎
To obtain a minimal polynomial expression for $\min(x)$, we exploit the following duality between the functions max and min: $\overline{\min(x)}=\max(\bar{x})$ for any $x\in(\mathbb{F}_p)^n$.
Thus, a minimal polynomial expression for max converts to that of min and vice versa.
For example, Corollary 3.2 and Proposition 3.3 imply the following.
Corollary 3.4.
When p=2, a minimal polynomial expression for min(x) is given by
$$\min(x)=\prod_{i=0}^{n-1}x_i=e_n(x).$$
When $p=3$, a minimal polynomial expression for $\min(x)$ is given by
$$\min(x)=\prod_{i=0}^{n-1}x_i^2+\prod_{i=0}^{n-1}x_i(1-x_i)=e_n\Bigl(1+\sum_{i=1}^{n}(-1)^i e_i+e_n\Bigr).$$
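The formulas of Sections 2 and 3 can be checked exhaustively for small parameters. The following Python sketch is an added example, not code from the paper; all function names are chosen here. It evaluates the delta and low-pass functions of Example 2.1, Proposition 3.1, Corollary 3.2, Proposition 3.3 and Corollary 3.4 in the field and compares them with the ordinary max and min on every input vector.

```python
from itertools import product

def delta(t, x, p):
    """delta_t(x) = 1 - (x - t)^(p-1) in F_p: 1 iff x == t (Example 2.1)."""
    return (1 - pow(x - t, p - 1, p)) % p

def low_pass(t, x, p):
    """L_t(x) = sum_{0 <= k < t} delta_k(x): 1 iff x < t, and L_p(x) = 1."""
    return sum(delta(k, x, p) for k in range(t)) % p

def max_general(x, p):
    """Proposition 3.1: sum over t = 1..p-1 of (1 - prod_i L_t(x_i))."""
    total = 0
    for t in range(1, p):
        all_below = 1
        for xi in x:
            all_below = all_below * low_pass(t, xi, p) % p
        total += 1 - all_below
    return total % p

def min_by_duality(x, p):
    """Duality of Section 3: min(x) = bar(max(bar(x))), bar(v) = p - 1 - v."""
    return p - 1 - max_general([p - 1 - v for v in x], p)

def elementary_symmetric(x, p):
    """[e_0(x), ..., e_n(x)] mod p, the coefficients of prod_i (1 + x_i z)."""
    e = [1] + [0] * len(x)
    for xi in x:
        for k in range(len(x), 0, -1):
            e[k] = (e[k] + xi * e[k - 1]) % p
    return e

def max_p2(x):
    """Corollary 3.2 (p = 2): e_1 + ... + e_n."""
    return sum(elementary_symmetric(x, 2)[1:]) % 2

def max_p3(x):
    """Proposition 3.3 (p = 3): (sum of even-index e_i)(sum of all e_i) - 1."""
    e = elementary_symmetric(x, 3)
    return (sum(e[0::2]) * sum(e) - 1) % 3

def min_p3(x):
    """Corollary 3.4 (p = 3): prod x_i^2 + prod x_i (1 - x_i)."""
    squares = cross = 1
    for xi in x:
        squares = squares * xi * xi % 3
        cross = cross * xi * (1 - xi) % 3
    return (squares + cross) % 3

def agrees_everywhere(p, n):
    """True iff every formula above matches max/min on all of (F_p)^n."""
    for x in product(range(p), repeat=n):
        if max_general(x, p) != max(x) or min_by_duality(x, p) != min(x):
            return False
        if p == 2 and max_p2(x) != max(x):
            return False
        if p == 3 and (max_p3(x) != max(x) or min_p3(x) != min(x)):
            return False
    return True

if __name__ == "__main__":
    for p, n in [(2, 5), (3, 4), (5, 3), (7, 2)]:
        print(f"p={p} n={n} all formulas agree: {agrees_everywhere(p, n)}")
```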
For the next case p=5, minimal polynomial expressions of max(x) for small values of n in terms of elementary symmetric polynomials can be determined by direct calculation:
Example 3.5.
When p=5, the following are minimal polynomial expressions:
$$\max(x_0,x_1)=(1+e_1+e_2)(1+2e_1^2e_2+4e_1e_2+e_2)-1,$$
$$\max(x_0,x_1,x_2)=(1+e_1+e_2+e_3)(1+2e_1^2e_2+e_1e_2e_3+2e_1e_3^2+e_2^2e_3+2e_2e_3^2+4e_1e_2+3e_1e_3+e_2e_3+3e_3^2+e_2)-1.$$
However, it seems to be difficult to obtain a general formula (such as Proposition 3.3) for p≥5.
The function max(x) with n=2 for any p will be revisited in Section 4.
Remark 3.6.
The function $\max(x)$ is a symmetric function (in the variables $x_0,x_1,\dots,x_{n-1}$), and satisfies $\max(x,0)=\max(x)$ and an “associativity” in the following sense:
$$\max(x_0,x_1,\dots,x_{n-1},x_n)=\max(\max(x_0,\dots,x_{n-1}),x_n)=\max(x_0,\max(x_1,\dots,x_n)).$$
By using this property recursively, a minimal polynomial expression of the function max with two variables (i.e., for n=2) yields a polynomial expression of the function max with any number of variables (i.e., for any n).
However, the polynomial thus obtained is not the minimal polynomial for max(x) in general.
4 Polynomial expressions of the argmax function
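Let $\operatorname{argmax}(x)$ be the least integer $i\ge 0$ with $x_i=\max(x)$.
Note that $\operatorname{argmax}(x)$ takes a value in $\{0,1,\dots,n-1\}$; to handle this function as a function over $\mathbb{F}_p$, we define, for $r\ge 0$,
$$\operatorname{argmax}^{(r)}:(\mathbb{F}_p)^n\to\mathbb{F}_p,\qquad \operatorname{argmax}^{(r)}(x)=\operatorname{argmax}(x)^{(r)},$$
where $\operatorname{argmax}(x)^{(r)}$ is the $r$-th digit in the $p$-ary expansion of $\operatorname{argmax}(x)$.
We note that $\operatorname{argmax}(x)$ is equal to the number of integers $0\le i\le n-2$ such that $x_j<\max(x)$ for every $0\le j\le i$; indeed, the latter condition is satisfied if and only if $0\le i\le \operatorname{argmax}(x)-1$.
This implies (since $\operatorname{argmax}(x)=0$ if $\max(x)=0$) that
$$\operatorname{argmax}(x)=\sum_{t=1}^{p-1}\Bigl(\chi(\max(x)=t)\sum_{i=0}^{n-2}\prod_{j\le i}\chi(x_j<t)\Bigr)=\sum_{t=1}^{p-1}\sum_{i=0}^{n-2}\chi(\max(x)=t)\prod_{j\le i}\chi(x_j<t),$$
which is considered as an integer rather than an element of $\mathbb{F}_p$.
We note moreover that, conditioned on the case where $x_j<t$ for every $j\le i$, we have $\max(x)=t$ if and only if $x_j<t+1$ for every $j>i$ and $x_j=t$ for some $j>i$.
Now the equality above implies
$$\operatorname{argmax}(x)=\sum_{t=1}^{p-1}\sum_{i=0}^{n-2}\Bigl(\prod_{j\le i}\chi(x_j<t)\prod_{j>i}\chi(x_j<t+1)-\prod_{j=0}^{n-1}\chi(x_j<t)\Bigr),\tag{4.1}$$
again as an integer rather than an element of $\mathbb{F}_p$.
Considering the right-hand side of (4.1) in $\mathbb{F}_p$ yields the minimal polynomial of $\operatorname{argmax}^{(0)}(x)$.
Now we also have the following fact implied directly by the definition of $\operatorname{argmax}^{(r)}(x)$:
$$\operatorname{argmax}^{(r)}(x)=\operatorname{argmax}^{(0)}\bigl(\max(x_0,x_1,\dots,x_{p^r-1}),\dots,\max(x_{i\cdot p^r},x_{i\cdot p^r+1},\dots,x_{(i+1)\cdot p^r-1}),\dots\bigr),\tag{4.2}$$
where, in the right-hand side, the tuple $x=(x_0,\dots,x_{n-1})$ is divided into blocks of $p^r$ consecutive components (the last block may consist of fewer than $p^r$ elements).
Let $S(r,n)$ be the set of indices for the last elements of all but the last blocks in $x$, namely,
$$S(r,n)=\{h\cdot p^r-1\mid 1\le h\le\lfloor(n-1)/p^r\rfloor\}.$$
Then, by combining (4.2) with (4.1), we have (in $\mathbb{F}_p$)
$$\operatorname{argmax}^{(r)}(x)=\sum_{t=1}^{p-1}\sum_{i\in S(r,n)}\Bigl(\prod_{j\le i}\chi(x_j<t)\prod_{j>i}\chi(x_j<t+1)-\prod_{j=0}^{n-1}\chi(x_j<t)\Bigr)$$
where we used the fact (for any $h$, $h'$, and $s$) that $\max(x_h,x_{h+1},\dots,x_{h'})<s$ if and only if $x_j<s$ for every $h\le j\le h'$.
Since $|S(r,n)|\equiv(n-1)^{(r)}\pmod{p}$, the equality above can be rewritten as
$$\operatorname{argmax}^{(r)}(x)=\sum_{t=1}^{p-1}\Bigl(\sum_{i\in S(r,n)}\prod_{j\le i}\chi(x_j<t)\prod_{j>i}\chi(x_j<t+1)-(n-1)^{(r)}\cdot\prod_{j=0}^{n-1}\chi(x_j<t)\Bigr).$$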
Hence, we have the following result.
Proposition 4.1.
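Let $S(r,n)=\{h\cdot p^r-1\mid 1\le h\le\lfloor(n-1)/p^r\rfloor\}$.
Then for $x=(x_0,\dots,x_{n-1})$, the minimal polynomial for $\operatorname{argmax}^{(r)}(x)$ is given by
$$\operatorname{argmax}^{(r)}(x)=\sum_{t=1}^{p-1}\Bigl(\sum_{i\in S(r,n)}\prod_{j=0}^{i}L_t(x_j)\prod_{k=i+1}^{n-1}L_{t+1}(x_k)-(n-1)^{(r)}\cdot\prod_{j=0}^{n-1}L_t(x_j)\Bigr).$$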
Remark 4.2.
Let $\operatorname{argmin}(x)$ be the function that returns the least index $i$ with $\min(x)=x_i$.
A minimal polynomial expression of the function argmin is obtained from that of the function argmax via the duality $\operatorname{argmin}(x)=\operatorname{argmax}(\bar{x})$, similar to the case of the function min discussed in Section 3.
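Proposition 4.1 and the duality of Remark 4.2 can be evaluated directly. The following Python sketch is an added example, not code from the paper, with function names chosen here; it computes each base-p digit of the winning index in the field, includes the p = 2 form with the set S'(r,n) from Example 4.3, and compares all of them with the first index of the maximum (or minimum) on every input.

```python
from itertools import product
from math import prod

def low_pass(t, x, p):
    """L_t(x) = sum_{0 <= k < t} (1 - (x - k)^(p-1)) in F_p; L_p(x) = 1."""
    return sum(1 - pow(x - k, p - 1, p) for k in range(t)) % p

def digit(k, r, p):
    """k^(r): the r-th digit of the integer k in base p."""
    return (k // p**r) % p

def block_ends(r, n, p):
    """S(r, n) = { h * p^r - 1 : 1 <= h <= floor((n - 1) / p^r) }."""
    return [h * p**r - 1 for h in range(1, (n - 1) // p**r + 1)]

def argmax_digit(x, r, p):
    """Proposition 4.1: r-th base-p digit of argmax(x), computed in F_p."""
    n, total = len(x), 0
    for t in range(1, p):
        below_t = [low_pass(t, v, p) for v in x]        # L_t(x_j)
        below_t1 = [low_pass(t + 1, v, p) for v in x]   # L_{t+1}(x_k)
        for i in block_ends(r, n, p):
            total += prod(below_t[: i + 1]) * prod(below_t1[i + 1:])
        total -= digit(n - 1, r, p) * prod(below_t)
    return total % p

def argmin_digit(x, r, p):
    """Remark 4.2: argmin(x) = argmax(bar(x)) with bar(v) = p - 1 - v."""
    return argmax_digit([p - 1 - v for v in x], r, p)

def argmax_digit_p2(x, r):
    """Example 4.3 (p = 2): sum over i in S'(r, n) of (1+x_0)...(1+x_i)."""
    n = len(x)
    s_prime = block_ends(r, n, 2) + ([n - 1] if digit(n - 1, r, 2) else [])
    return sum(prod(1 + v for v in x[: i + 1]) for i in s_prime) % 2

def agrees_everywhere(p, n, max_r=3):
    """True iff every digit matches the first index of the max/min on (F_p)^n."""
    for x in product(range(p), repeat=n):
        first_max, first_min = x.index(max(x)), x.index(min(x))
        for r in range(max_r + 1):
            if argmax_digit(x, r, p) != digit(first_max, r, p):
                return False
            if argmin_digit(x, r, p) != digit(first_min, r, p):
                return False
            if p == 2 and argmax_digit_p2(x, r) != digit(first_max, r, 2):
                return False
    return True

if __name__ == "__main__":
    bids = (0, 0, 0, 1, 0)   # constructed sample over F_3; the winner is index 3
    print([argmax_digit(bids, r, 3) for r in range(2)])
    print(agrees_everywhere(2, 6), agrees_everywhere(3, 5))
```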
Below we write down the general formula in Proposition 4.1 for the case p∈{2,3}.
Example 4.3.
We consider the case p=2.
Now the set $S(r,n)$ is $S(r,n)=\{h\cdot 2^r-1\mid 1\le h\le\lfloor(n-1)/2^r\rfloor\}$, and the relations $L_1(x_j)=1+x_j$ and $L_2(x_j)=1$ hold.
Then Proposition 4.1 implies (since the characteristic of $\mathbb{F}_p$ is now 2)
$$\operatorname{argmax}^{(r)}(x)=\sum_{i\in S(r,n)}\prod_{j=0}^{i}L_1(x_j)+\chi((n-1)^{(r)}=1)\cdot\prod_{j=0}^{n-1}L_1(x_j).$$
Moreover, by setting $S'(r,n)=S(r,n)$ if $(n-1)^{(r)}=0$ and $S'(r,n)=S(r,n)\cup\{n-1\}$ if $(n-1)^{(r)}=1$, we have the following minimal polynomial expression of $\operatorname{argmax}^{(r)}$:
$$\operatorname{argmax}^{(r)}(x_0,x_1,\dots,x_{n-1})=\sum_{i\in S'(r,n)}(1+x_0)(1+x_1)\cdots(1+x_i).$$
Example 4.4.
We consider the case p=3.
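Now the set $S(r,n)$ is $S(r,n)=\{h\cdot 3^r-1\mid 1\le h\le\lfloor(n-1)/3^r\rfloor\}$, and the relations $L_1(x_j)=1-x_j^2$, $L_2(x_j)=(1+x_j)^2$ and $L_3(x_j)=1$ hold.
Then Proposition 4.1 yields the following minimal polynomial expression of $\operatorname{argmax}^{(r)}$:
$$\begin{aligned}\operatorname{argmax}^{(r)}(x_0,x_1,\dots,x_{n-1})={}&\sum_{i\in S(r,n)}\prod_{j=0}^{i}(1-x_j^2)\prod_{k=i+1}^{n-1}(1+x_k)^2-(n-1)^{(r)}\cdot\prod_{j=0}^{n-1}(1-x_j^2)\\&+\sum_{i\in S(r,n)}\prod_{j=0}^{i}(1+x_j)^2-(n-1)^{(r)}\cdot\prod_{j=0}^{n-1}(1+x_j)^2,\end{aligned}$$
or, equivalently,
$$\begin{aligned}\operatorname{argmax}^{(r)}(x_0,x_1,\dots,x_{n-1})={}&\sum_{i\in S(r,n)}\Bigl(\prod_{j=0}^{i}(1-x_j^2)\prod_{k=i+1}^{n-1}(1+x_k)^2+\prod_{j=0}^{i}(1+x_j)^2\Bigr)\\&-(n-1)^{(r)}\Bigl(\prod_{j=0}^{n-1}(1-x_j^2)+\prod_{j=0}^{n-1}(1+x_j)^2\Bigr).\end{aligned}$$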
Finally, we also mention the following recursive relation:
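$$\begin{aligned}\operatorname{argmax}^{(r)}(x_0,\dots,x_{n-1},x_n)={}&\operatorname{argmax}^{(r)}(x_0,\dots,x_{n-1})\cdot\bigl(1-\operatorname{argmax}^{(0)}(\max(x_0,\dots,x_{n-1}),x_n)\bigr)\\&+n^{(r)}\cdot\operatorname{argmax}^{(0)}(\max(x_0,\dots,x_{n-1}),x_n),\end{aligned}$$
implied by the definition of $\operatorname{argmax}^{(r)}$ and the following fact:
$$\operatorname{argmax}(x_0,\dots,x_{n-1},x_n)=\begin{cases}\operatorname{argmax}(x_0,\dots,x_{n-1}) & \text{if }\max(x_0,\dots,x_{n-1})\ge x_n,\\ n & \text{if }\max(x_0,\dots,x_{n-1})<x_n.\end{cases}$$
This formula yields a (in general, not minimal) polynomial expression of $\operatorname{argmax}^{(r)}(x)$ from those of $\operatorname{argmax}^{(0)}(x_0,x_1)$ and $\max(x)$.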
5 Polynomial expressions of max and argmax functions for two variables
First we note that $x_0<x_1$ if and only if we have (as integers) $\bar{x}_0+x_1\ge p$, that is, $\operatorname{argmax}^{(0)}(x_0,x_1)$ is equal to the carry to the next digit by the $p$-ary addition of two single-digit values $\bar{x}_0$ and $x_1$.
A minimal polynomial expression of this carry function, denoted by $\varphi_1$, has been determined in [6, 7].
Lemma 5.1 ([6, 7]).
For $y_0,y_1\in\mathbb{F}_p$, we have
$$\varphi_1(y_0,y_1)=\sum_{d=1}^{p-1}(-1)^d d^{-1}\,y_0(y_0-1)\cdots(y_0-d+1)\,y_1(y_1-1)\cdots(y_1-(p-d)+1),$$
where the $d^{-1}$ in the right-hand side means the inverse of $d$ as an element of $\mathbb{F}_p$.
Combining this with $\operatorname{argmax}^{(0)}(x_0,x_1)=\varphi_1(\bar{x}_0,x_1)$, we obtain the following proposition.
Proposition 5.2.
When $n=2$, a minimal polynomial expression of $\operatorname{argmax}^{(0)}(x_0,x_1)$ is given by
$$\operatorname{argmax}^{(0)}(x_0,x_1)=\sum_{d=1}^{p-1}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1).$$
Example 5.3.
By using Proposition 5.2, for small primes $p$, we have the following minimal polynomial expressions of $\operatorname{argmax}^{(0)}(x_0,x_1)$:
when $p=2$, $\operatorname{argmax}^{(0)}(x_0,x_1)=(x_0+1)x_1$,
when $p=3$, $\operatorname{argmax}^{(0)}(x_0,x_1)=-(x_0+1)(x_0-x_1)x_1$,
when $p=5$, $\operatorname{argmax}^{(0)}(x_0,x_1)=-(x_0+1)(x_0^2-x_0x_1+x_0+x_1^2)(x_0-x_1)x_1$,
when $p=7$, $\operatorname{argmax}^{(0)}(x_0,x_1)=-(x_0^4+5x_0^3x_1+2x_0^3+3x_0^2x_1^2+x_0^2x_1+4x_0^2+5x_0x_1^3+6x_0x_1^2+3x_0+x_1^4)(x_0+1)(x_0-x_1)x_1$.
We also have the following relation between the functions max and argmax deduced from their definitions.
Lemma 5.4.
We have
$$\max(x)=\sum_{i=0}^{n-1}x_i\cdot\chi(\operatorname{argmax}(x)=i)$$
for any $n$.
In particular, we have
$$\max(x_0,x_1)=x_0\cdot(1-\operatorname{argmax}(x_0,x_1))+x_1\cdot\operatorname{argmax}(x_0,x_1).$$
A straightforward substitution of the result of Proposition 5.2 into the right-hand side of Lemma 5.4 yields an almost, but not yet minimal, polynomial expression of max(x0,x1).
This expression can be converted to a minimal polynomial expression.
Indeed, for $p=2$, the results above imply that $\max(x_0,x_1)=x_0\cdot(1-(x_0+1)x_1)+x_1\cdot(x_0+1)x_1$, which is equal to the correct value $x_0+x_1+x_0x_1$ for any $x_0,x_1\in\mathbb{F}_p$ due to the relations $x_0^2=x_0$ and $x_1^2=x_1$.
On the other hand, we have the following result for p>2.
Theorem 5.5.
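When $p\ge 3$, we have the following minimal polynomial expression of $\max(x_0,x_1)$:
$$\begin{aligned}\max(x_0,x_1)={}&(x_1-x_0)\sum_{d=2}^{p-2}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1)\\&+x_0+(x_0+1)^2\bigl(1-(x_1+1)^{p-1}\bigr)+(1-x_0^{p-1})x_1^2.\end{aligned}$$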
Proof.
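Throughout the proof, the notation $f\equiv g$ means that $f$ and $g$ define an identical function on $\mathbb{F}_p$.
First, since $p\ge 3$, Proposition 5.2 implies
$$\begin{aligned}x_0\operatorname{argmax}(x_0,x_1)&=x_0\sum_{d=1}^{p-1}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1)\\&=x_0\sum_{d=2}^{p-2}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1)\\&\quad+x_0(x_0+1)x_1(x_1-1)\cdots(x_1-(p-2))\\&\quad-x_0(x_0+1)(x_0+2)\cdots(x_0+p-1)x_1,\end{aligned}$$
and we have $x_0(x_0+1)(x_0+2)\cdots(x_0+p-1)x_1\equiv 0$ for the last term above.
Similarly, we have
$$\begin{aligned}x_1\operatorname{argmax}(x_0,x_1)&=x_1\sum_{d=1}^{p-1}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1)\\&=x_1\sum_{d=2}^{p-2}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1)\\&\quad+(x_0+1)x_1^2(x_1-1)\cdots(x_1-(p-2))\\&\quad-(x_0+1)(x_0+2)\cdots(x_0+p-1)x_1^2,\end{aligned}$$
and, for the last two terms above, we have
$$(x_0+1)x_1^2(x_1-1)\cdots(x_1-(p-2))\equiv-(x_0+1)x_1(x_1-1)\cdots(x_1-(p-2)),$$
$$(x_0+1)(x_0+2)\cdots(x_0+p-1)x_1^2\equiv(p-1)!\cdot\delta_0(x_0)x_1^2=-(1-x_0^{p-1})x_1^2,$$
where we used $x_1^2\equiv x_1((x_1-(p-1))-1)$ and Wilson’s theorem $(p-1)!\equiv -1\pmod{p}$.
By combining these results with Lemma 5.4, we have
$$\begin{aligned}\max(x_0,x_1)&=x_0-x_0\operatorname{argmax}(x_0,x_1)+x_1\operatorname{argmax}(x_0,x_1)\\&\equiv(x_1-x_0)\sum_{d=2}^{p-2}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1)\\&\quad+x_0-x_0(x_0+1)x_1(x_1-1)\cdots(x_1-(p-2))\\&\quad-(x_0+1)x_1(x_1-1)\cdots(x_1-(p-2))+(1-x_0^{p-1})x_1^2\\&=(x_1-x_0)\sum_{d=2}^{p-2}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1)\\&\quad+x_0-(x_0+1)^2x_1(x_1-1)\cdots(x_1-(p-2))+(1-x_0^{p-1})x_1^2,\end{aligned}$$
and, for the second last term above, we have
$$(x_0+1)^2x_1(x_1-1)\cdots(x_1-(p-2))\equiv(x_0+1)^2\cdot(p-1)!\cdot\delta_{p-1}(x_1)=-(x_0+1)^2\bigl(1-(x_1+1)^{p-1}\bigr),$$
where we used Wilson’s theorem again.
Hence, we have
$$\begin{aligned}\max(x_0,x_1)\equiv{}&(x_1-x_0)\sum_{d=2}^{p-2}d^{-1}(x_0+1)(x_0+2)\cdots(x_0+d)\,x_1(x_1-1)\cdots(x_1-(p-d)+1)\\&+x_0+(x_0+1)^2\bigl(1-(x_1+1)^{p-1}\bigr)+(1-x_0^{p-1})x_1^2,\end{aligned}$$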
which is our claim in the statement.
∎
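The two-variable formulas of this section are easy to evaluate numerically. The following Python sketch is an added example, not code from the paper, with function names chosen here; it implements Proposition 5.2, Theorem 5.5, the direct substitution of Lemma 5.4 and the closed forms of Example 5.3 for p = 3 and p = 5, checks them on every pair, and folds the two-variable polynomial over several inputs as described in Remark 3.6.

```python
from functools import reduce
from itertools import product

def rising(x0, d, p):
    """(x0 + 1)(x0 + 2)...(x0 + d) mod p."""
    out = 1
    for k in range(1, d + 1):
        out = out * (x0 + k) % p
    return out

def falling(x1, m, p):
    """x1 (x1 - 1)...(x1 - m + 1) mod p, a product of m factors."""
    out = 1
    for k in range(m):
        out = out * (x1 - k) % p
    return out

def summand(x0, x1, d, p):
    """d^{-1} (x0+1)...(x0+d) x1 (x1-1)...(x1-(p-d)+1), with d^{-1} = d^(p-2)."""
    return pow(d, p - 2, p) * rising(x0, d, p) * falling(x1, p - d, p) % p

def argmax2(x0, x1, p):
    """Proposition 5.2: equals 1 iff x0 < x1, else 0."""
    return sum(summand(x0, x1, d, p) for d in range(1, p)) % p

def max2(x0, x1, p):
    """Theorem 5.5 (requires p >= 3); the sum over d = 2..p-2 is empty for p = 3."""
    middle = sum(summand(x0, x1, d, p) for d in range(2, p - 1))
    return ((x1 - x0) * middle + x0
            + (x0 + 1) ** 2 * (1 - pow(x1 + 1, p - 1, p))
            + (1 - pow(x0, p - 1, p)) * x1 ** 2) % p

def max2_by_substitution(x0, x1, p):
    """Lemma 5.4 with Proposition 5.2 substituted: x0 (1 - argmax) + x1 argmax."""
    a = argmax2(x0, x1, p)
    return (x0 * (1 - a) + x1 * a) % p

def argmax2_closed(x0, x1, p):
    """Closed forms listed in Example 5.3 for p = 3 and p = 5."""
    if p == 3:
        return -(x0 + 1) * (x0 - x1) * x1 % 3
    if p == 5:
        return -(x0 + 1) * (x0**2 - x0 * x1 + x0 + x1**2) * (x0 - x1) * x1 % 5
    raise ValueError("closed form only transcribed for p = 3 and p = 5")

def max_fold(x, p):
    """Remark 3.6: max of n inputs by folding max2 (correct, but not minimal)."""
    return reduce(lambda acc, v: max2(acc, v, p), x)

def agrees_everywhere(p):
    """True iff all formulas match integer comparison on every pair in (F_p)^2."""
    for x0, x1 in product(range(p), repeat=2):
        if argmax2(x0, x1, p) != int(x0 < x1):
            return False
        if max2(x0, x1, p) != max(x0, x1):
            return False
        if max2_by_substitution(x0, x1, p) != max(x0, x1):
            return False
        if p in (3, 5) and argmax2_closed(x0, x1, p) != int(x0 < x1):
            return False
    return True

if __name__ == "__main__":
    print({p: agrees_everywhere(p) for p in (3, 5, 7, 11, 13)})
    print(max_fold((3, 1, 4, 1, 5), 7))   # constructed sample bids over F_7
```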
6 Polynomial expressions of some other functions
In this section, we study the following two 𝔽p-valued functions relevant to functions max and argmax:
$$\operatorname{ismax}(y;x)=\chi(\max(x)=y),$$
$$\operatorname{nummax}^{(r)}(x)=\#\{x_i\mid\max(x)=x_i\}^{(r)},$$
where $x\in(\mathbb{F}_p)^n$ and $y\in\mathbb{F}_p$.
These functions would be useful in practical situations where there can be “ties” in the vote.
By a careful interpretation of the definitions, we obtain minimal polynomials of these functions (which, however, consist of a lot of terms).
Proposition 6.1.
Using the notation from Section 2, the following are minimal polynomial expressions:
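$$\operatorname{ismax}(y;x)=\sum_{t=0}^{p-1}\delta_t(y)\sum_{i=0}^{n-1}\Bigl(\prod_{j<i}L_t(x_j)\cdot\delta_t(x_i)\cdot\prod_{k>i}L_{t+1}(x_k)\Bigr),$$
$$\operatorname{nummax}^{(0)}(x)=\sum_{i=0}^{n-1}\chi(\max(x)=x_i)=\sum_{i=0}^{n-1}\sum_{0\le t\le p-1}\Bigl(\delta_t(x_i)\prod_{j\ne i}L_{t+1}(x_j)\Bigr),$$
$$\operatorname{nummax}^{(r)}(x)=\sum_{k=1}^{n}k^{(r)}\cdot\chi(\#\{i\mid\max(x)=x_i\}=k)=\sum_{k=1}^{n}k^{(r)}\Bigl(\sum_{I\in\binom{n}{k}}\sum_{0\le t\le p-1}\Bigl(\prod_{i\in I}\delta_t(x_i)\prod_{j\notin I}L_t(x_j)\Bigr)\Bigr),$$
where the notation “$I\in\binom{n}{k}$” means that $I$ is a $k$-element subset of $\{0,1,\dots,n-1\}$.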
Proof.
For the function ismax, given a constant $t\in\mathbb{F}_p$, we have $\max(x)=t$ if and only if there is an index $i$ such that $x_j<t$ for every $j<i$, $x_i=t$, and $x_k\le t$ for every $k>i$; such an index $i$ is unique if it exists.
This observation (in particular, the uniqueness of $i$) implies our claim.
For the function $\operatorname{nummax}^{(0)}$, the function value is obtained by first counting the number of indices $i$ with $\max(x)=x_i$ (or equivalently, $\chi(\max(x)=x_i)=1$) and then taking the remainder of the number modulo $p$ (i.e., just considering the number in $\mathbb{F}_p$).
Moreover, given a constant $t\in\mathbb{F}_p$, we have $\max(x)=x_i=t$ if and only if $x_i=t$ and $x_j\le t$ for every $j\ne i$.
This observation implies our claim.
For the function $\operatorname{nummax}^{(r)}$, given an integer $k\ge 1$ and a constant $t\in\mathbb{F}_p$, we have $\max(x)=t$ and $\#\{i\mid\max(x)=x_i\}=k$ if and only if there is a $k$-element set $I$ of indices such that $x_i=t$ for every $i\in I$ and $x_j<t$ for every $j\notin I$; such a set $I$ is unique if it exists.
This observation (in particular, the uniqueness of $I$) implies our claim (note that $0^{(r)}=0$ for any $r$).
∎
When p∈{2,3}, we give the following explicit minimal polynomial expressions of ismax(y;x).
Proposition 6.2.
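When $p=2$, a minimal polynomial expression of $\operatorname{ismax}(y;x)$ is given by
$$\operatorname{ismax}(y;x)=y+\prod_{i=0}^{n-1}(1+x_i).$$
When $p=3$, a minimal polynomial expression of $\operatorname{ismax}(y;x)$ is given by
$$\operatorname{ismax}(y;x)=-y^2+y\Bigl(\prod_{i=0}^{n-1}(1+x_i)^2+\prod_{i=0}^{n-1}(1-x_i^2)+1\Bigr)+\prod_{i=0}^{n-1}(1-x_i^2).$$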
Proof.
First, we note that $\operatorname{ismax}(y;x)=1-(y-\max(x))^{p-1}$, by the definition of the function.
When $p=2$, the right-hand side becomes $y+\max(x)+1$ and now the claim follows from Corollary 3.2.
On the other hand, when $p=3$, we have
$$\operatorname{ismax}(y;x)=1-(y-\max(x))^2=-y^2-y\max(x)+1-\max(x)^2.$$
Now we have $1-\max(x)^2=1$ if $x_i=0$ for all $i$, and $=0$ otherwise.
This implies that
$$1-\max(x)^2=\prod_{i=0}^{n-1}\delta_0(x_i)=\prod_{i=0}^{n-1}(1-x_i^2),$$
and now the claim follows from Proposition 3.3.
∎
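The tie-handling functions can be evaluated in the same way. The following Python sketch is an added example, not code from the paper, with function names chosen here; it implements the three formulas of Proposition 6.1 and the closed forms of Proposition 6.2, and compares them with a direct count of the indices that attain the maximum.

```python
from itertools import combinations, product
from math import prod

def delta(t, x, p):
    """delta_t(x) = 1 - (x - t)^(p-1) in F_p: 1 iff x == t."""
    return (1 - pow(x - t, p - 1, p)) % p

def low_pass(t, x, p):
    """L_t(x) = sum_{0 <= k < t} delta_k(x): 1 iff x < t, and L_p(x) = 1."""
    return sum(delta(k, x, p) for k in range(t)) % p

def ismax(y, x, p):
    """Proposition 6.1: 1 iff y == max(x); i is the first index attaining t."""
    total = 0
    for t in range(p):
        first_hit = sum(
            prod(low_pass(t, v, p) for v in x[:i]) * delta(t, x[i], p)
            * prod(low_pass(t + 1, v, p) for v in x[i + 1:])
            for i in range(len(x)))
        total += delta(t, y, p) * first_hit
    return total % p

def nummax0(x, p):
    """Proposition 6.1: number of indices attaining the maximum, modulo p."""
    n = len(x)
    return sum(
        delta(t, x[i], p) * prod(low_pass(t + 1, x[j], p) for j in range(n) if j != i)
        for i in range(n) for t in range(p)) % p

def nummax_digit(x, r, p):
    """Proposition 6.1: r-th base-p digit of the number of maximal entries."""
    n, total = len(x), 0
    for k in range(1, n + 1):
        k_r = (k // p**r) % p                   # k^(r)
        for subset in combinations(range(n), k):
            for t in range(p):
                total += k_r * prod(
                    delta(t, x[i], p) if i in subset else low_pass(t, x[i], p)
                    for i in range(n))
    return total % p

def ismax_closed(y, x, p):
    """Proposition 6.2 for p = 2 and p = 3."""
    if p == 2:
        return (y + prod(1 + v for v in x)) % 2
    a = prod((1 + v) ** 2 for v in x)           # prod (1 + x_i)^2
    b = prod(1 - v * v for v in x)              # prod (1 - x_i^2)
    return (-y * y + y * (a + b + 1) + b) % 3

def agrees_everywhere(p, n):
    """True iff all formulas match direct evaluation on (F_p)^n."""
    for x in product(range(p), repeat=n):
        ties = x.count(max(x))
        if nummax0(x, p) != ties % p:
            return False
        if any(nummax_digit(x, r, p) != (ties // p**r) % p for r in range(3)):
            return False
        for y in range(p):
            expected = int(y == max(x))
            if ismax(y, x, p) != expected:
                return False
            if p in (2, 3) and ismax_closed(y, x, p) != expected:
                return False
    return True

if __name__ == "__main__":
    votes = (2, 2, 0, 2, 2)   # constructed sample over F_3: four entries tie
    print(nummax_digit(votes, 0, 3), nummax_digit(votes, 1, 3))
    print(agrees_everywhere(2, 4), agrees_everywhere(3, 4))
```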
Example 6.3.
When $p=2$, a minimal polynomial expression of $\operatorname{nummax}^{(r)}(x)$ is given by
$$\operatorname{nummax}^{(r)}(x)=e_{2^r}+n^{(r)}\prod_{i=0}^{n-1}(1-x_i).$$
This can be seen by the following argument.
When $\max(x)=0$, i.e., $x_i=0$ for all $i$, we have $\operatorname{nummax}^{(r)}=n^{(r)}$ for any $r$, which accounts for the second term.
As $\bigl(\sum_{i=0}^{n-1}x_i\bigr)^{(r)}\equiv e_{2^r}(x)\bmod 2$ by the result of [3] (see also [6, Example 1]), we obtain the equality.
7 Future subject: Multi-digit cases
We note that the previous sections studied functions with single-digit input values taken from 𝔽p; in such a formulation, to handle larger input values we have to choose a larger prime p as well, which will result in polynomial expressions of the functions with higher degrees and much more involved structures.
Another option to handle larger values is to express the input values in multi-digit forms; now each component of the input is identified with its p-ary expansion, therefore the entire input is regarded as a two-dimensional matrix over 𝔽p rather than a one-dimensional vector (over a larger field).
In the latter model, the base field 𝔽p can be kept small even if the input values become larger.
On the other hand, a large input value will then increase the total number of components of the input matrix, but this shortcoming might sometimes be avoidable in practice by implementation techniques such as parallel computation.
This suggests that polynomial expressions of functions with multi-digit inputs are important as well.
However, even if the polynomial expression of a given function is understood well for single-digit input cases, it is in general a non-trivial task to deduce a polynomial expression of the function for multi-digit input cases.
To study multi-digit versions of the functions, for an $\ell$-digit parameter $t=t_{\ell-1}p^{\ell-1}+\cdots+t_1p+t_0\in\{0,\dots,p^{\ell}-1\}$, with $t_0,t_1,\dots,t_{\ell-1}\in\{0,\dots,p-1\}$, and a tuple $z$ of $\ell$ variables $z_0,z_1,\dots,z_{\ell-1}$ over $\mathbb{F}_p$, we define the multi-digit low-pass function $L_t(z)$ by
$$L_t(z)=\chi(z_{\ell-1}p^{\ell-1}+\cdots+z_1p+z_0<t\text{ as integers}).$$
We also extend the definition to the case $t=p^{\ell}$ by setting $L_{p^{\ell}}(z)=1$ for any $z$.
Here we consider the multi-digit version of the function $\operatorname{argmax}^{(r)}$ as an example that is relatively easier to handle.
For $\ell\ge 1$ and for $\ell$-digit input values $0\le x_i\le p^{\ell}-1$ ($i=0,\dots,n-1$), $\operatorname{argmax}^{(r)}(x_0,\dots,x_{n-1})$ is defined to be the $r$-th digit of the least index $i$ with $x_i=\max(x_0,\dots,x_{n-1})$.
Then the same argument as that in Section 4 implies the following result.
Proposition 7.1.
Let $\ell\ge 1$.
For $0\le i\le n-1$, let the $i$-th component $x_i$ of the input be given by $x_i=x_{i,\ell-1}p^{\ell-1}+\cdots+x_{i,1}p+x_{i,0}$, with $x_{i,0},x_{i,1},\dots,x_{i,\ell-1}\in\mathbb{F}_p$ (naturally identified with $\{0,1,\dots,p-1\}$).
Let $S(r,n)=\{h\cdot p^r-1\mid 1\le h\le\lfloor(n-1)/p^r\rfloor\}$.
Then we have
$$\operatorname{argmax}^{(r)}(x)=\sum_{1\le t\le p^{\ell}-1}\Bigl(\sum_{i\in S(r,n)}\prod_{0\le j\le i}L_t(x_j)\prod_{i+1\le k\le n-1}L_{t+1}(x_k)-(n-1)^{(r)}\cdot\prod_{0\le j\le n-1}L_t(x_j)\Bigr).$$
To obtain a polynomial expression of $\operatorname{argmax}^{(r)}(x)$ in terms of the input components $x_{i,j}$, we study polynomial expressions of the $\ell$-digit low-pass function $L_t(z)$, where $t=(t_0,t_1,\dots,t_{\ell-1})$ and $z=(z_0,z_1,\dots,z_{\ell-1})$ are naturally identified with $t_0+t_1p+\cdots+t_{\ell-1}p^{\ell-1}$ and $z_0+z_1p+\cdots+z_{\ell-1}p^{\ell-1}$, respectively.
We note that we have $z<t$ if and only if there is an integer $h\in\{0,\dots,\ell-1\}$ such that $z_j=t_j$ for any $h+1\le j\le\ell-1$ and $z_h<t_h$; and this condition is satisfied for at most one $h$.
This implies that
$$L_t(z)=\sum_{h=0}^{\ell-1}L_{t_h}(z_h)\prod_{j=h+1}^{\ell-1}\delta_{t_j}(z_j)\tag{7.1}$$
and, similarly,
$$L_{t+1}(z)=L_{t_0+1}(z_0)\prod_{j=1}^{\ell-1}\delta_{t_j}(z_j)+\sum_{h=1}^{\ell-1}L_{t_h}(z_h)\prod_{j=h+1}^{\ell-1}\delta_{t_j}(z_j)\tag{7.2}$$
(we recall that we have extended the definition of the single-digit low-pass function as $L_p(z_j)=1$).
Substituting the minimal polynomials for $L_t(z)$ and $L_{t+1}(z)$ in (7.1) and (7.2) into the equality in Proposition 7.1 yields the minimal polynomial for the multi-digit version of $\operatorname{argmax}^{(r)}$.
However, the expression thus obtained will consist of too many terms as the number ℓ of input digits increases; we give an example only for a small case below and leave a more concise expression for the function in the general case as a future research topic.
Example 7.2.
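Let $p=2$ and $\ell=2$.
Then the set $S(r,n)$ is $S(r,n)=\{h\cdot 2^r-1\mid 1\le h\le\lfloor(n-1)/2^r\rfloor\}$.
By setting $S'(r,n)=S(r,n)$ if $(n-1)^{(r)}=0$ and $S'(r,n)=S(r,n)\cup\{n-1\}$ if $(n-1)^{(r)}=1$, in the same way as Example 4.3, it follows from Proposition 7.1 and relations (7.1) and (7.2) that
$$\operatorname{argmax}^{(r)}(x)=\sum_{1\le t\le 3}\Bigl(\sum_{i\in S'(r,n)}\prod_{0\le j\le i}\bigl(L_{t_0}(x_{j,0})\delta_{t_1}(x_{j,1})+L_{t_1}(x_{j,1})\bigr)\prod_{i+1\le k\le n-1}\bigl(L_{t_0+1}(x_{k,0})\delta_{t_1}(x_{k,1})+L_{t_1}(x_{k,1})\bigr)\Bigr).\tag{7.3}$$
By the relations $L_0(x_{j,h})=0$, $\delta_0(x_{j,h})=L_1(x_{j,h})=1+x_{j,h}$, $\delta_1(x_{j,h})=x_{j,h}$ and $L_2(x_{j,h})=1$, the summand in the right-hand side of (7.3) for each $t\in\{1,2,3\}$ is: when $t=1$ (i.e., $(t_0,t_1)=(1,0)$),
$$\begin{aligned}&\sum_{i\in S'(r,n)}\prod_{0\le j\le i}\bigl(L_1(x_{j,0})\delta_0(x_{j,1})+L_0(x_{j,1})\bigr)\prod_{i+1\le k\le n-1}\bigl(L_2(x_{k,0})\delta_0(x_{k,1})+L_0(x_{k,1})\bigr)\\&=\sum_{i\in S'(r,n)}\prod_{0\le j\le i}(1+x_{j,0})(1+x_{j,1})\prod_{i+1\le k\le n-1}(1+x_{k,1}),\end{aligned}$$
when $t=2$ (i.e., $(t_0,t_1)=(0,1)$),
$$\begin{aligned}&\sum_{i\in S'(r,n)}\prod_{0\le j\le i}\bigl(L_0(x_{j,0})\delta_1(x_{j,1})+L_1(x_{j,1})\bigr)\prod_{i+1\le k\le n-1}\bigl(L_1(x_{k,0})\delta_1(x_{k,1})+L_1(x_{k,1})\bigr)\\&=\sum_{i\in S'(r,n)}\prod_{0\le j\le i}(1+x_{j,1})\prod_{i+1\le k\le n-1}(1+x_{k,0}x_{k,1}),\end{aligned}$$
when $t=3$ (i.e., $(t_0,t_1)=(1,1)$),
$$\sum_{i\in S'(r,n)}\prod_{0\le j\le i}\bigl(L_1(x_{j,0})\delta_1(x_{j,1})+L_1(x_{j,1})\bigr)\prod_{i+1\le k\le n-1}\bigl(L_2(x_{k,0})\delta_1(x_{k,1})+L_1(x_{k,1})\bigr)=\sum_{i\in S'(r,n)}\prod_{0\le j\le i}(1+x_{j,0}x_{j,1}).$$
Summarizing, we have the following minimal polynomial expression for $\operatorname{argmax}^{(r)}(x)$:
$$\begin{aligned}\operatorname{argmax}^{(r)}(x)=\sum_{i\in S'(r,n)}\Bigl(&\prod_{0\le j\le i}(1+x_{j,0})(1+x_{j,1})\prod_{i+1\le k\le n-1}(1+x_{k,1})\\&+\prod_{0\le j\le i}(1+x_{j,1})\prod_{i+1\le k\le n-1}(1+x_{k,0}x_{k,1})+\prod_{0\le j\le i}(1+x_{j,0}x_{j,1})\Bigr).\end{aligned}$$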
Such multi-digit extensions of the results on the other functions in this paper seem to be difficult, which we leave as a future research topic.
Here we just conclude this section with a small example.
Proposition 7.3.
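Let $p=2$, and consider the two-bit inputs $y=2y_1+y_0\in\{0,1,2,3\}$ and $x_i=2x_{i,1}+x_{i,0}\in\{0,1,2,3\}$ for $0\le i\le n-1$, where $y_j,x_{i,j}\in\mathbb{F}_2$.
Then the following is a minimal polynomial expression of the two-bit version of the function ismax:
$$\begin{aligned}\operatorname{ismax}(y;x)&=\operatorname{ismax}(y;x_0,x_1,\dots,x_{n-1})\\&=y_1y_0+y_1\prod_{i=0}^{n-1}(1+x_{i,1}x_{i,0})+(y_1+y_0)\prod_{i=0}^{n-1}(1+x_{i,1})+(y_1+1)\prod_{i=0}^{n-1}(1+x_{i,1})(1+x_{i,0}).\end{aligned}$$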
Proof.
As the right-hand side of the statement satisfies the minimality conditions for the degrees, it suffices to verify that the values of both sides are equal for any input values.
First we note that, for any set $I$ of index pairs $(i,j)$, we have
$$\prod_{(i,j)\in I}(1+x_{i,j})=\chi(x_{i,j}=0\text{ for all }(i,j)\in I).$$
Similarly, we have
$$\prod_{i}(1+x_{i,1}x_{i,0})=\chi(\text{for any }i,\text{ either }x_{i,1}=0\text{ or }x_{i,0}=0\text{ holds}).$$
We divide the argument according to the values of $y_1$ and $y_0$.
When $y_1=y_0=0$, we have $\operatorname{ismax}(y;x)=1$ if and only if $x_{i,1}=x_{i,0}=0$ for every index $i$.
Now the right-hand side of the statement becomes $\prod_{i=0}^{n-1}(1+x_{i,1})\cdot(1+x_{i,0})$, which coincides with $\operatorname{ismax}(y;x)$ by the remark above.
When $y_1=0$ and $y_0=1$, the right-hand side of the statement becomes $\prod_{i=0}^{n-1}(1+x_{i,1})+\prod_{i=0}^{n-1}(1+x_{i,1})\cdot(1+x_{i,0})$.
Now if at least one of the $x_{i,1}$ is 1, then we have $\operatorname{ismax}(y;x)=0$ by definition, while the value of the polynomial becomes 0 as well, by the remark above, as desired.
In the remaining case where $x_{i,1}=0$ for every $i$, we have $\operatorname{ismax}(y;x)=1$ if and only if $x_{i,0}=1$ for some $i$; while the polynomial now becomes $1+\prod_{i=0}^{n-1}(1+x_{i,0})$.
By the remark above, the value of the polynomial coincides with $\operatorname{ismax}(y;x)$, as desired.
When $y_1=1$ and $y_0=0$, the right-hand side of the statement becomes $\prod_{i=0}^{n-1}(1+x_{i,1}x_{i,0})+\prod_{i=0}^{n-1}(1+x_{i,1})$.
Now if $x_{i,1}=0$ for every $i$, then we have $\operatorname{ismax}(y;x)=0$ by definition, while the value of the polynomial becomes $1+1=0$ as well, by the remark above, as desired.
In the remaining case where $x_{i,1}=1$ for some $i$, let $I$ denote the set of indices $i$ with $x_{i,1}=1$ (hence now $I\ne\emptyset$).
In this case, we have $\operatorname{ismax}(y;x)=1$ if and only if $x_{i,0}=0$ for every $i\in I$; while the polynomial now becomes $\prod_{i\in I}(1+x_{i,0})$.
By the remark above, the value of the polynomial coincides with $\operatorname{ismax}(y;x)$, as desired.
Finally, when $y_1=y_0=1$, the right-hand side of the statement becomes $1+\prod_{i=0}^{n-1}(1+x_{i,1}x_{i,0})$.
By the remark above, this polynomial takes the value 1 if and only if $x_{i,1}=x_{i,0}=1$ for some index $i$; this condition is precisely the same as the condition for $\operatorname{ismax}(y;x)$ in the present case to take the value 1, by definition.
This completes the proof.
∎
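The multi-digit constructions of this section can be checked in the same exhaustive way. The following Python sketch is an added example, not code from the paper, with function names chosen here; it builds the multi-digit low-pass function from single-digit pieces as in (7.1) and (7.2), and evaluates the two-bit formulas of Example 7.2 and Proposition 7.3 over the binary field, taking each input as an integer in {0,1,2,3} and splitting it into its low and high bit.

```python
from itertools import product
from math import prod

def delta(t, x, p):
    """delta_t(x) = 1 - (x - t)^(p-1) in F_p: 1 iff x == t."""
    return (1 - pow(x - t, p - 1, p)) % p

def low_pass(t, x, p):
    """Single-digit L_t(x): 1 iff x < t, with L_p(x) = 1."""
    return sum(delta(k, x, p) for k in range(t)) % p

def digits(v, ell, p):
    """Base-p digits of v, least significant first."""
    return [(v // p**j) % p for j in range(ell)]

def low_pass_multi(t, z, ell, p):
    """(7.1): L_t(z) = sum_h L_{t_h}(z_h) * prod_{j > h} delta_{t_j}(z_j)."""
    td, zd = digits(t, ell, p), digits(z, ell, p)
    return sum(
        low_pass(td[h], zd[h], p)
        * prod(delta(td[j], zd[j], p) for j in range(h + 1, ell))
        for h in range(ell)) % p

def low_pass_multi_succ(t, z, ell, p):
    """(7.2): L_{t+1}(z) from the digits of t; only the h = 0 term changes."""
    td, zd = digits(t, ell, p), digits(z, ell, p)
    head = low_pass(td[0] + 1, zd[0], p) * prod(
        delta(td[j], zd[j], p) for j in range(1, ell))
    tail = sum(
        low_pass(td[h], zd[h], p)
        * prod(delta(td[j], zd[j], p) for j in range(h + 1, ell))
        for h in range(1, ell))
    return (head + tail) % p

def argmax_digit_two_bit(xs, r):
    """Example 7.2 (p = l = 2): r-th bit of the first index of the maximum."""
    n = len(xs)
    lo, hi = [v & 1 for v in xs], [v >> 1 for v in xs]
    ends = [h * 2**r - 1 for h in range(1, (n - 1) // 2**r + 1)]   # S(r, n)
    if ((n - 1) >> r) & 1:
        ends.append(n - 1)                                          # S'(r, n)
    total = 0
    for i in ends:
        head, tail = range(i + 1), range(i + 1, n)
        total += (prod((1 + lo[j]) * (1 + hi[j]) for j in head)
                  * prod(1 + hi[k] for k in tail))                  # t = 1
        total += (prod(1 + hi[j] for j in head)
                  * prod(1 + lo[k] * hi[k] for k in tail))          # t = 2
        total += prod(1 + lo[j] * hi[j] for j in head)              # t = 3
    return total % 2

def ismax_two_bit(y, xs):
    """Proposition 7.3: 1 iff y equals the maximum of the two-bit values xs."""
    y0, y1 = y & 1, y >> 1
    lo, hi = [v & 1 for v in xs], [v >> 1 for v in xs]
    none_is_three = prod(1 + h * l for h, l in zip(hi, lo))
    all_below_two = prod(1 + h for h in hi)
    all_zero = prod((1 + h) * (1 + l) for h, l in zip(hi, lo))
    return (y1 * y0 + y1 * none_is_three
            + (y1 + y0) * all_below_two + (y1 + 1) * all_zero) % 2

def low_pass_agrees(ell, p):
    """True iff (7.1) and (7.2) match integer comparison for all t, z < p^ell."""
    return all(
        low_pass_multi(t, z, ell, p) == int(z < t)
        and low_pass_multi_succ(t, z, ell, p) == int(z < t + 1)
        for t, z in product(range(p**ell), repeat=2))

def two_bit_agrees(n):
    """True iff Example 7.2 and Proposition 7.3 match direct evaluation."""
    for xs in product(range(4), repeat=n):
        winner = xs.index(max(xs))
        if any(argmax_digit_two_bit(xs, r) != (winner >> r) & 1 for r in range(3)):
            return False
        if any(ismax_two_bit(y, xs) != int(y == max(xs)) for y in range(4)):
            return False
    return True
```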