2

Let $\mathbb{Z}_p$ be a prime field, $r \leftarrow \mathbb{Z}_p$ be a random number, $w=w_0w_1...w_{K-1}$ be a 0-1 string, and $$v = \sum_{k=0}^{K-1} r^kw_k \mod p.$$

Is it possible to find another length-$K$ binary string $\hat{w}$ such that $$\sum_{k=0}^{K-1} r^k \hat{w}_k = v \mod p\,?$$

So we are trying to find a polynomial $$p(x) = \sum_k a_k x^k$$ with small coefficients $a_k \in \{0, \pm 1\}$ and require it to have a root $r$.

Is this problem related to SIS? In SIS, we look for a small solution to equation $$A_{n\times K} x = 0 \mod p.$$ Setting $n=1$ and replacing $K$ entries in $A$ by $r^k$'s leads to our problem, though now $A$ is not "really" random.

Mahesh S R
Jason

1 Answer

3

The problem can be solved by finding short (or close) vectors. Let's start with the case $v=0$. Given the lattice basis spanned by the rows $$ \begin{pmatrix} -r & 1 & 0 & 0 & \dots & 0 & 0 \\ -r^2 & 0 & 1 & 0 & \dots & 0 & 0 \\ -r^3 & 0 & 0 & 1 & \dots & 0 & 0 \\ \dots & 0 & 0 & 0 & \dots & 1 & 0 \\ -r^{n-1} & 0 & 0 & 0 & \dots & 0 & 1 \\ p & 0 & 0 & 0 & \dots & 0 & 0 \\ \end{pmatrix} $$ an element will be of the form $\left(-\sum_{i=1}^{n-1} c_{i}r^i \bmod p, c_1, c_2, \dots, c_{n-1}\right)$, corresponding to the polynomial $c_0 + c_1x + c_2x^2 + \dots + c_{n-1}x^{n-1}$. The leftmost column evaluates the polynomial and forces the constant coefficient $c_0$ to cancel out the contribution of the other coefficients, ensuring that any element of the lattice has a root $r$.

The determinant of the lattice is $p$, which means for dimension $n$ the shortest vectors will be at most $\sqrt{n}p^{1/n}$ in $L_2$ norm, and at most $p^{1/n}$ in $L_\infty$ norm. Here we're interested in the $L_\infty$ norm, since the maximum coefficient must be at most $1$ in absolute value.

For example, for $p=65537$ and $r=123$, we can choose $n=12$, build the above lattice, and using LLL reduction find the following vector (among several) $$ \left(-1,0,1,0,0,1,0,1,0,0,1,0\right)\,, $$ corresponding to the polynomial $x^{10} + x^7 + x^5 + x^2 - 1$. The Minkowski bound says that the shortest vector has coefficients of magnitude at most $65537^{1/12}\approx 2.52$, which is above our goal of $1$, but the bound is for the worst possible lattice and the average one will usually have shorter vectors. A reasonable dimension to try is $n \approx \log_2 p$, since $p^{1/\log_2 p} = 2$.

But we haven't solved the second problem yet, which is to evaluate at $r$ to an arbitrary value $v$. This can be accomplished by finding vectors close to $\left(-v, 0, \dots, 0\right)$ on the above lattice.

Using the above example, setting $v=321$, we find the vector $$ \left( -321, 1, -1, -1, 0, 1, 1, 1, 1, 0, 0, 0\right)\,, $$ corresponding to the polynomial $x^8 + x^7 + x^6 + x^5 - x^3 - x^2 + x + (-321+321)$ which evaluates to the desired value.

Samuel Neves
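
The following is an added example, not code from the answer above: it builds the answer's lattice for $p=65537$, $r=123$, $n=12$, reduces it with a plain floating-point textbook LLL (standing in for whatever LLL tool the answer used), and turns a $\{0,\pm 1\}$ lattice vector $c$ into a second binary string $\hat{w} = w - c$ with the same $v$. The function names and the sample string `w` are this example's own.

```python
P, R, N = 65537, 123, 12          # parameters from the answer's example

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def basis(p, r, n):
    """Rows (-r^i mod p, e_i) for i = 1..n-1, then (p, 0, ..., 0)."""
    rows = [[-pow(r, i, p)] + [int(j == i) for j in range(1, n)] for i in range(1, n)]
    return rows + [[p] + [0] * (n - 1)]

def evaluate(c, p=P, r=R):
    """Value at r (mod p) of the polynomial with coefficient vector c."""
    return sum(ck * pow(r, k, p) for k, ck in enumerate(c)) % p

def gram_schmidt(B):
    Bs, mu = [], []
    for b in B:
        coeffs = [dot(b, s) / dot(s, s) for s in Bs]
        v = [float(x) for x in b]
        for m, s in zip(coeffs, Bs):
            v = [x - m * y for x, y in zip(v, s)]
        Bs.append(v)
        mu.append(coeffs)
    return Bs, mu

def lll(B, delta=0.75):
    """Textbook LLL; floats suffice for Gram-Schmidt at this size, rows stay integral."""
    B, k = [row[:] for row in B], 1
    while k < len(B):
        Bs, mu = gram_schmidt(B[:k + 1])
        for j in range(k - 1, -1, -1):            # size-reduce row k against row j
            q = round(mu[k][j])
            B[k] = [x - q * y for x, y in zip(B[k], B[j])]
            mu_j = mu[j] + [1.0] + [0.0] * (k - 1 - j)   # mu[j][j] = 1, zero above
            mu[k] = [m - q * t for m, t in zip(mu[k], mu_j)]
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                # Lovasz condition holds
        else:
            B[k - 1], B[k] = B[k], B[k - 1]
            k = max(k - 1, 1)
    return B

def collide(w, c):
    """w - c has the same value as w when c is in the lattice; None if not binary."""
    w_hat = [a - b for a, b in zip(w, c)]
    return w_hat if set(w_hat) <= {0, 1} else None

if __name__ == "__main__":
    reduced = lll(basis(P, R, N))
    print([row for row in reduced if max(map(abs, row)) <= 1])   # ternary rows, if any
    w = [0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0]                     # constructed input
    w_hat = collide(w, [-1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0])    # vector quoted in the answer
    print(w_hat, evaluate(w), evaluate(w_hat))
```

`collide` only succeeds when `w` has a 1 wherever `c` is $+1$ and a 0 wherever `c` is $-1$, so a given short vector yields collisions for some strings and not others.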