Finding the 1 of a finite field

Question

I was thinking about the following question: Alice and Bob play a game. There is a set $X$ of $p^k$ elements known to both of them, $p$ being a prime number. Alice has two binary operations on the set, "$+$" and "$*$". It is known to both players that $X$ equipped with Alice's operations is a field. In each turn of the game, Bob can choose two elements from $X$, and ask Alice what is the result of adding them or multiplying them (Bob chooses if he wants to add or multiply), and Alice tells him the right result. What is the minimal amount of turns Bob needs to find out what element of the set is 1 (the multiplicative identity).

I found the naive bound of $k\log(p)+1$, by choosing a random element $a$, checking it is not zero by adding to it a different element (which takes only 1 turn), and if it is not zero (if it is just choose a different element), calculate $a^{p^k-1}$ which by lagrange's theorem should give us 1, and this can be done in $k\log(p)$ with binary exponentiation.

I could not find a better way to do it, nor a good lower bound (except the fact that this clearly cannot be done in $O(1)$). That being said, I believe that there is a better bound, since my bound only uses the fact this is a multiplicative group, and doesn't use the exact structure of $\Bbb F_{p^k}$.

I understand that that the question largely depends on $p$ and $k$, but results that are probabilistic/ work only on certain primes would also be welcome.

Answer 1

We show your bound $\mathcal O(k\log_2 p)$ is optimal with some unjustified heuristics.

The key idea is no polynomial of degree at most $k\log_2p -2$ can produce $1$ with high probability.

Suppose there is a protocol that finds $1$ in at most $n$ rounds.

For each round, each of the two elements Bob sent to Alice is either a result returned by Alice earlier or selected by Bob randomly. Let $x_1, x_2, \cdots, x_m$ be the random elements selected by Bob, and the total computation is just a polynomial $f(x_1, \cdots, x_m)$ (all coefficients are actually in $\mathbb N$ equivalently $\mathbb F_p$) that can be made up by at most $n$ operations.

For this to work, we need the polynomial $f(x_1, \cdots, x_m)=1$ with high probability (greater than $\frac{1}{2}$). Note that Bob can test whether any element $a$ is $1$ in two rounds: first ask Alice what $a^2$ is and if $a^2=a$, then test whether $a+a\not=a$. Hence, Bob can determine whether $f(x_1, \cdots, x_m)$ is the correct solution and then decide whether to repeat the process or not.

There is a slight gap in this argument. That is, Bob might find some pattern (such as $x_1^2=x_1$), hence goes on to execute a different computation (to evaluate a different polynomial). However, the probability of producing any element seen before is marginal, and hence there is no reliable condition to branch the computation. I believe this is convincing, but don't know how to completely formalize the argument.

The degree of $x_m$ in the polynomial is at most $2^n$. Hence for fixed $x_1, \cdots, x_{m-1}$, there are at most $2^n$ solutions to $f(x_1, \cdots, x_{m-1}, x_m) = 1$ (unless $f(x_1, \cdots, x_{m-1}, x_m)\equiv 1$ for all $x_m$. In other words, the problem was solved in $m-1$ variables. If necessary we can do an induction on $m$ to handle the issue.) hence the probability of $f=1$ is at most

$$\frac{(p^k)^{m-1}2^n}{(p^k)^{m}}>\frac{1}{2}\Rightarrow n>k\log_2 p - 1$$

Answer 2

I'll add another answer that is significantly different and much more rigorous, instead of modifying the old one of mine, which has its own merit, despite its incompleteness. New readers may read the old one first to gain some intuition about the solution.

---

First we show rigorously that if $f(x_1, \cdots, x_n)\in \mathbb N[x]=\mathbb F_p[x]$ is a nonconstant polynomial, then for uniform i.i.d $x_1, \cdots, x_n\in\mathbb F_q$, the probability $\mathbb P(f(x_1, \cdots, x_n)=0)\le \frac{\deg f}{q}$.

We can do induction on $n$. When $n=1$, $f=0$ has at most $\deg f$ solutions. When $n\ge 2$, suppose $f(x) = f_{\alpha}(x_1, \cdots, x_{n-1}) x_n^{\alpha}+\text{other terms}$, where $x_n^{\alpha}$ is the highest power of $x_n$ in $f(x)$ where $\alpha\ge 1$ (otherwise $f$ doesn't contain $x_n$, so induction hypothesis applies directly.)

Hence

$$\begin{align}\mathbb P(f=0)& \le \mathbb P(f_{\alpha}=0) + \mathbb P(f_{\alpha}\not=0)\mathbb P(f=0|f_{\alpha}\not=0) \\ & \le \mathbb P(f_{\alpha}=0) + \mathbb P(f=0|f_{\alpha}\not=0) \\ &\le \frac{\deg f_{\alpha}}{q} +\frac{\alpha}{q}\le\frac{\deg f}{q}\end{align}$$

---

The problem is essentially a computational one, not a communication one. We set up a computational model, similar to the Blum–Shub–Smale machine presented in Complexity and Real Computation. A computation is represented by a directed acyclic graph with four types of nodes: input, output, computation and branch. Computation nodes take two inputs (from input nodes or other computation nodes) and produce the sum or product of two elements (multiple edges between two nodes are allowed for doubling and squaring). Branch nodes test if its two inputs are equal, and according to the result, leading to two different paths of computation. The input nodes are random elements from $\mathbb F_q$ sampled by Bob, and the outputs nodes mean to produce $1$ with high probability. There is a designated computation node as the entry point of computation (whose last layer contains only input nodes).

Let $G$ with $n$ computational nodes be a minimal computational graph that produces $1$ with high probability. Let $B$ be the first branch node, then $B$ is asking if $f=g$ where $f,g$ are two polynomials, equivalently if $0=h:=f-g$. If $h\equiv 0$ (for example $f=px_1, g=px_2$), then the node can be eliminated, contradicting minimality of $G$. Hence the probability of $B$ saying YES is at most $\frac{\deg h}{q}$. Now we consider the line of computation by following the NO path for each branch node, and call it the main line. The output of the main line is just to evaluate a polynomial of degree at most $2^n$ with random inputs, since no information is gained during the computation. In other words, if the main line is executed, it may produce $1$ with probability at most $\frac{2^n}{q}$ (while the sublines if executed may succeed with probability $1$ as it may condition on patterns such as $x_i^2=x_i$.).

Note that in the original setup, Bob can obtain at most $3n$ elements (he could choose at most two random ones on each round and get one back from Alice), this translates to there could be at most ${3n \choose 2}=\mathcal O(n^2)$ meaningful branch nodes in $G$. Each branch node is asking if a polynomial of degree at most $2^n$ is $0$. Let those polynomials be $h_1, \cdots, h_m$, where $m=\mathcal O(n^2)$, then

$$\begin{align}\mathbb P(h_1\not=0 \wedge h_2\not=0 \wedge \cdots \wedge h_m\not=0) &=\mathbb P(h_1h_2\cdots h_m\not=0) \\ &=1-\mathbb P(h_1h_2\cdots h_m=0)\\ &\ge 1- \frac{\deg(h_1)+\cdots+\deg(h_m)}{q}\\ &=1-\mathcal O(\frac{2^n n^2}{q})\end{align}$$

Therefore, we have $$\begin{align} \mathbb P(\text{success}) = & \mathbb P(\text{Sublines succeed}) + \mathbb P(\text{Main line succeeds})\\ \le & \mathcal O(\frac{2^nn^2}{q})+\frac{2^n}{q}= \mathcal O(\frac{2^nn^2}{q})\le \mathcal O(\frac{4^n}{q}) \end{align}$$

For the probability of success bigger than a half, we have $\mathcal O(\frac{4^n}{q})>\frac{1}{2}$, and take log, we have $n\ge \mathcal O(\log q)$.

So we have shown $$n=\Theta(\log q)$$

---

Note that in the whole argument, we could even allow Bob to get addition for free, but the number of comparisons he's allowed must be bounded as well. Otherwise, Bob could randomly choose $x_1, \cdots, x_k$ from $\mathbb F_q$, and with high probability this forms a $\mathbb F_p$-basis, hence with only $\mathcal O(k^2)$ queries of multiplications, he could build the multiplication table, then find $1$ by brute force the solution of $(a_1x_1+\cdots a_nx_n)x_1=x_1$ with only addition (and a large number of comparisons).