A Fast Randomized Geometric Algorithm for Computing Riemann-Roch Spaces
Erratum
October 20, 2020
The formula on page 4, line 14, should read
d = ⌊ (deg(D+) + r) / deg(C) + (deg(C) − / ⌋ if (deg(C)+1 choose 2) ≤ deg(D+) + r,
d = ⌊ ( p D+) + r ) − / ⌋ otherwise.
Aude Le Gluher and Pierre-Jean Spaenlehauer
Université de Lorraine, CNRS, Inria
Abstract
We propose a probabilistic variant of Brill-Noether’s algorithm for computing a basis of the Riemann-Roch space L(D) associated to a divisor D on a projective nodal plane curve C over a sufficiently large perfect field k. Our main result shows that this algorithm requires at most O (max(deg( C ) ω , deg( D + ) ω )) arithmetic operations in k, where ω is a feasible exponent for matrix multiplication and D+ is the smallest effective divisor such that D+ ≥ D. This improves the best known upper bounds on the complexity of computing Riemann-Roch spaces. Our algorithm may fail, but we show that provided that a few mild assumptions are satisfied, the failure probability is bounded by O (max(deg( C ) , deg( D + ) ) / |E| ), where E is a finite subset of k in which we pick elements uniformly at random. We provide a freely available C++/NTL implementation of the proposed algorithm and we present experimental data. In particular, our implementation enjoys a speedup larger than 6 on many examples (and larger than 200 on some instances over large finite fields) compared to the reference implementation in the Magma computer algebra system. As a by-product, our algorithm also yields a method for computing the group law on the Jacobian of a smooth plane curve of genus g within O ( g ω ) operations in k, which equals the best known complexity for this problem.
The Riemann-Roch theorem is a fundamental result in algebraic geometry. In its classical version for smooth projective curves, it provides information on the dimension of the linear space of functions with some prescribed zeros and poles. The computation of such Riemann-Roch spaces is a subroutine used in several areas of computer science and computational mathematics. One of its most prominent applications is the construction of algebraic-geometric error-correcting codes [11]: such codes are precisely (subspaces of) Riemann-Roch spaces.
Another direct application is the computation of the group law on the Jacobian of a smooth curve: representing a point in the Jacobian of a genus-g curve C as D − gO, where D is an effective divisor of degree g and O is a fixed rational point (or more generally, a fixed divisor of degree 1), the sum of the classes of D − gO and D − gO can be computed by finding a function f in the Riemann-Roch space L ( D + D − gO ). Indeed, by setting D = D + D − gO + ( f ), the divisor D − gO is linearly equivalent to ( D − gO ) + ( D − gO ).
State of the art and related works.
In this paper, we focus on the classical geometric approach attributed to Brill and Noether for computing Riemann-Roch spaces. The general algorithmic setting for this approach is described by Goppa in his landmark paper [11, §4]. Given a divisor D on a (not necessarily plane) smooth projective curve C, this method proceeds by finding first a common denominator to all the functions in the Riemann-Roch space L(D). This is done by computing a form h on the curve such that the associated principal effective divisor (h) satisfies (h) ≥ D. Then the residual divisor (h) − D is computed. From this, a basis of the Riemann-Roch space is found by computing the kernel of a linear map. The correctness of this method is ensured by the residue theorem of Brill and Noether, which works even in the presence of ordinary singularities by using the technique of adjoint curves, see [23, §42][9, Sec. 8.1]. In its original version [11, §4], Goppa’s algorithm works only for finite fields, and some parts of the algorithm use exhaustive search. During the 90s, several versions of Goppa’s algorithm were proposed, incorporating tools of modern computer algebra. In particular, Huang and Ierardi provide in [15] a deterministic algorithm for computing Riemann-Roch spaces of plane curves C all singularities of which are ordinary within O (deg( C ) deg( D + ) ) arithmetic operations in the base field, where D+ is the smallest effective divisor such that D+ ≥ D. In fact, writing D− = D+ − D, we can assume without loss of generality that deg(D+) ≥ deg(D−), since L(D) = L(D+ − D−) is reduced to zero if deg( D ) < D + ) is a relevant measure of the size of the divisor D. Haché [12] proposes the first implementation of Brill-Noether’s approach in a computer algebra system, using local desingularizations to handle singularities encountered during the algorithm. For lines of research closely related to this topic, we refer to [18, 13] and references therein.
A few years later, a breakthrough is achieved by Hess [14]: he provides an arithmetic approach to the Riemann-Roch problem, using fast algorithms for algebraic function fields. Hess’ algorithm is now considered as a reference method for computing Riemann-Roch spaces, and it is proved to be polynomial in the input size [14, Remark 6.2].
An important special case of the computation of Riemann-Roch spaces is the computation of the group law on Jacobians of curves. Volcheck [27] describes an algorithm with complexity O (max(deg( C ) , g ) ) in this context. The best known complexity for computing the group law on Jacobians of general curves is currently achieved by Khuri-Makdisi in [17], where he gives an algorithm which requires O ( g ω + ε ) operations in the base field, where ω is a feasible exponent for matrix multiplication and ε is any fixed positive number. Actually, an anonymous reviewer informed us that the ε in this complexity can be removed if the cardinality of the base field grows polynomially in g, which is the case in this paper.
Main results.
We propose a probabilistic algorithm for computing Riemann-Roch spaces on plane nodal projective curves C ⊂ P defined over sufficiently large perfect fields. We emphasize that any algebraic curve admits such a nodal model up to a birational map if the base field is sufficiently large (see e.g. [1, Appendix A]), and that computing such a model depends only on the curve and not on the input divisor.
Our main result is that the complexity of the algorithm for computing Riemann-Roch spaces is bounded by O (max(deg( C ) ω , deg( D + ) ω )) and that, provided that some mild assumptions are satisfied, its failure probability is bounded above by O (max(deg( C ) , deg( D + ) ) / |E| ), where E is a finite subset of the base field k in which we can draw elements uniformly at random. Roughly speaking, these assumptions on the input require that the impact of the singularities during the execution of the algorithm is minimal. In particular, they are always satisfied for smooth curves. If these mild assumptions are not satisfied, then the algorithm always fails. Therefore, we provide at the end of Section 7 a Las Vegas procedure (in the sense of [3, Sec. 0.1]) with complexity O (max(deg( C ) , deg( D + ) / )) and probability of failure bounded by O (max(deg( C ) , deg( D + ) ) / |E| ) to decide whether these assumptions are satisfied. Combining this verification procedure with our main algorithm turns it into a complete Las Vegas method, at the cost of increasing slightly the complexity and the probability of failure.
We also emphasize that our algorithm is geared towards curves defined over sufficiently large fields k, so that the probability of failure can be made small by choosing a large subset E ⊂ k. A possible workaround to decrease the probability of failure for curves defined over small finite fields is to do the computations in a field extension, although doing so induces an extra arithmetic cost.
To our knowledge, the complexity that we obtain is the best bound for the general problem of computing Riemann-Roch spaces. In the special case of the group law on the Jacobian of plane smooth curves where deg(D+) = O(g) and deg(C) = O(√g) by the genus-degree formula, the complexity becomes O ( g ω ) which equals the best known complexity bound of Khuri-Makdisi’s algorithm. Moreover, the algorithm that we propose requires very few assumptions, and its efficiency relies on classical building blocks in modern computer algebra: fast arithmetic of univariate polynomials and fast linear algebra. Consequently, it can be easily made practical by using existing implementations of these building blocks. We have made a C++/NTL implementation of our algorithm which is freely distributed under the LGPL-2.1+ license and which is available at https://gitlab.inria.fr/pspaenle/rrspace . We also provide experimental data which seem to indicate that our prototype software is competitive with the reference implementation in the Magma computer algebra system [4].
Organization of the paper.
Section 2 provides an overview of the main algorithm. Section 3 focuses on the data structures used to represent effective divisors. Algorithms to perform additions and subtractions of divisors with this representation are described in Section 4. Then Section 5 gives the details of the subroutines used in the main algorithm, and their correctness is proved. Section 6 focuses on the complexity of the subroutines and of the main algorithm. Then Section 7 is devoted to the analysis of the failure probability. Finally, Section 8 presents experimental results obtained with our NTL/C++ implementation.
Acknowledgements.
We are grateful to Simon Abelard, Pierrick Gaudry, Emmanuel Thomé and Paul Zimmermann for useful discussions and for pointing out important references. We thank Pierrick Gaudry for allowing us to use his code for the fast computation of resultants and subresultants of univariate polynomials. We are also grateful to an anonymous referee who helped us improve the paper.
This section is devoted to the description of the general setting of Brill-Noether’s method and of the algorithm that we propose, without giving yet all the details on the data structures that we use to represent mathematical objects.
Throughout this paper, k is a perfect field and C ⊂ P is an absolutely irreducible projective nodal curve defined over k with r nodes. By nodal curve, we mean that all the singularities of the curve have order 2 and are ordinary. We do not need any assumption about the k-rationality of the slopes of the tangents at the nodes. We emphasize that every algebraic curve admits such a model (up to a field extension if k is a small finite field), which can be for instance obtained by computing the image of a nonsingular projective model of the curve by a generic linear projection to P [1, Appendix A]. We let k denote an algebraic closure of k. Also, we use the notation C̃ to denote a nonsingular model of C which projects onto C (as denoted by X in [9, Ch. 8]). We assume that this implicit projection C̃ → C is one-to-one on nonsingular points of C and that it is two-to-one on nodes. By divisor, we always mean a Weil divisor on the curve C̃, i.e. a formal sum with integer coefficients of closed points of C̃. When the support of a divisor D involves only points of C̃ which project to nonsingular points of C, we call D a smooth divisor of C by slight abuse of terminology. More generally, we will often identify nonsingular closed points of C with their corresponding points on C̃. We will frequently use the nodal divisor, denoted by E, which is the effective divisor of degree 2r which is the sum of all the closed points of C̃ which project to a node of C.
Naming X, Y, Z homogeneous coordinates for P, the curve C ⊂ P is described by a homogeneous polynomial Q ∈ k[X, Y, Z] and we let k[C] = k[X, Y, Z]/Q(X, Y, Z) denote its homogeneous coordinate ring.
Assuming (w.l.o.g. up to linear change of coordinate) that Q = Z , we let C ⊂ A n be the affine curve obtained by intersecting C with the open subset { Z = 0 } ⊂ P . It is described by the bivariate polynomial q ( X, Y ) = Q ( X, Y, C correspond to maximal ideals in k[C] = k[X, Y]/q(X, Y). We assume (again w.l.o.g.) that all the nodes of the curve belong to its affine subset C.
We shall also require that all the divisors that we consider are defined over k, i.e. that they are invariant under the natural action of the Galois group Gal(K/k) for any extension K of k. In this setting, smooth effective divisors on C can be thought of as nonzero ideals I in k[C] such that I + ⟨∂q/∂X, ∂q/∂Y⟩ = k[C]. For two divisors D, D′ on C, we write D ≤ D′ if the valuation of D at any place of k(C) is at most the valuation of D′. If g ∈ k[C] is a nonzero form on C, then we let (g) denote the associated effective principal divisor, as defined in [9, Sec. 8.1]. If g ∈ k[C] is a nonzero regular function on C, then by abuse of notation, we overload the notation (g) to denote the effective divisor associated to the form Z deg( g ) g ( X/Z, Y /Z, g ( X/Z, Y /Z, ∈ k ( C ).
If f ∈ k(C) is a nonzero function on C, i.e. a quotient f = g/h of two nonzero forms g, h ∈ k[C] of the same degree, then again by abuse of notation we let (f) denote the associated degree-0 principal divisor. Finally, for a divisor D we let L ( D ) = { f ∈ k ( C ) \ { } | ( f ) ≥ − D } ∪ { } denote the Riemann-Roch space associated to D.
Assumptions on the input divisor.
If the curve C is singular, then we need two mild assumptions on the input divisor D to ensure that our algorithm does not always fail. First, the divisor D should be smooth, and its support should be contained in the affine chart C. To describe the second assumption — which is more technical — we need some insight on the data structure that we will use: the input divisor D will be given as a pair of effective divisors (D+, D−) such that D = D+ − D−. Set
d = ⌊ deg(D+ + E) / deg(C) + (deg(C) − / ⌋ if (deg(C)+1 choose 2) ≤ deg(D+ + E),
d = ⌊ ( p D+ + E ) − / ⌋ otherwise.
We will see in the sequel that this value of d is in fact the smallest integer which ensures the existence of a nonzero form h ∈ k[C] of degree d such that (h) ≥ D+ + E. Our second assumption is that there exists a form h of degree d such that (h) ≥ D+ + E and (h) − E is a smooth divisor. This is a mild assumption which is satisfied in most cases. In the rare cases where it is not satisfied, a workaround for practical computations — for which we do not prove any theoretical guarantee of success — is to increase slightly the value of d in Algorithm 6 (Interpolate) in order to increase the dimension of the space of such functions h.
Function RiemannRochBasis;
Data: A curve C together with its nodal divisor E, and a divisor D = D+ − D− on C such that D+ and D− are smooth effective divisors.
Result: A basis of the Riemann-Roch space L(D).
h ← Interpolate(deg(C), D+, E);
D_h ← CompPrincDiv(C, h, E);
D_res ← SubtractDivisors(D_h, D+);
D_num ← AddDivisors(D−, D_res);
B ← NumeratorBasis(deg(C), D_num, deg(h), E);
Return { f/h | f ∈ B }.
Algorithm 1: A bird’s eye view of the algorithm.
Algorithm 1 gives a bird’s eye view of our algorithm for computing Riemann-Roch spaces. We now describe briefly what is done at each step of the algorithm. The routine Interpolate takes as input an effective divisor D+, and it returns a form h such that (h) ≥ D+ + E. Then, CompPrincDiv computes from h a convenient representation of the divisor (h) − E. The routines used to perform addition and subtraction of divisors — namely, AddDivisors and SubtractDivisors — will be described in Section 4. Then, NumeratorBasis takes as input the effective divisor D_num and the degree of h, and it returns a basis of the vector space of all forms f ∈ k[C] of degree deg(h) such that (f) ≥ D_num + E. Finally, we divide this basis by the common denominator h in order to obtain a basis of the Riemann-Roch space.
One of the cornerstones of the correctness of Algorithm 1 is Brill-Noether’s residue theorem. This theorem is one of the foundations of the theory of adjoint curves. In the case of nodal plane curves, an adjoint curve is just a curve which goes through all the nodes of C, and E is the adjoint divisor as defined in [9, Sec. 8.1].
Proposition 2.1. [9, Sec. 8.1] Let D, D′ be two linearly equivalent effective divisors on C. Let h ∈ k[C] be a form such that (h) = D + E + A for some effective divisor A. Then there exists a form h′ ∈ k[C] of the same degree as h such that (h′) = D′ + E + A.
We can now prove the general correctness of the main algorithm, assuming that all the subroutines behave correctly.
Theorem 2.2. If all the subroutines Interpolate, CompPrincDiv, SubtractDivisors, AddDivisors, NumeratorBasis are correct, then Algorithm 1 is correct: it returns a basis of the space L(D).
Proof. We first prove that there exists a basis of L(D) such that any basis element f belongs to the vector space spanned by the output of Algorithm 1. To this end, we must prove that f can be written as g/h where h is the output of the subroutine Interpolate and g belongs to the vector space spanned by the output of the subroutine NumeratorBasis. Proposition 2.1 with D = D+, D′ = D+ + (f) and h implies that there exists a form g ∈ k[C] such that (g/h) = (f), where g has the same degree as h. Therefore, f = λg/h for some nonzero λ ∈ k. It remains to prove that g belongs to the vector space spanned by the output of NumeratorBasis. Since f ∈ L(D), we must have (g) = (f) + (h) ≥ (h) − D = (D_h + E − D+) + D− = D_res + D− + E = D_num + E. But NumeratorBasis returns precisely a basis of the space of forms α of the same degree as h such that (α) ≥ D_num + E.
Conversely, let f be a function returned by Algorithm 1. Then f · h belongs to B, and hence (f · h) = (f) + (h) ≥ D_num + E = (h) − D. This implies that (f) ≥ −D and hence f ∈ L(D).
Data structure for the curve C. We represent the projective curve
C ⊂ P by its affine model C in the affine chart Z = 0 which is described by a bivariate polynomial q ∈ k[X, Y]. We assume that the degree of q in Y equals its total degree. This condition implies that C is in projective Noether position with respect to the projection on the line Y = 0, i.e. that the canonical map k[X, Z] → k[C] is injective and that it defines an integral ring extension. This also implies that the map k[X] → k[C] is an integral ring extension. We refer to [10, Sec. 3.1] for more details on the projective Noether position. We emphasize that the projective Noether position is achieved in generic coordinates. Hence this assumption does not lose any generality since it can be enforced by a harmless linear change of coordinates. More precisely, regarding a linear change of coordinate in P as a 3 × M = ( m ij ) ≤ i,j ≤ , the invertible matrices which put the curve in projective Noether position are precisely the matrices the 9 coefficients of which do not make a polynomial P ( m , . . . , m ) of degree deg(C) + 3 vanish. This polynomial is the product of det(M) — which has degree 3 — with the coefficient of Y deg( C ) in the new system of coordinates — which has degree deg(C). Using the Schwartz-Zippel lemma [22, Coro. 1], this implies that the probability that the curve is not in projective Noether position after a linear change of coordinates given by a random matrix whose entries are picked uniformly at random in a finite subset E ⊂ k is bounded above by (deg(C) + 3)/|E|.
Data structure for forms.
We will represent forms on C — namely elements in k[C] = k[X, Y, Z] / ( Z deg( q ) q ( X/Z, Y /Z )) — by their affine counterpart in the affine chart Z = 1. Consequently, we shall represent a form g ∈ k[C] as an element in k[X, Y]/q(X, Y), given by a representative g̃ ∈ k[X, Y] such that deg_Y(g̃) < deg(C), using the fact that q is monic in Y. This representation is not faithful since it does not encode what happens on the line Z = 0 at infinity. In order to encode the behaviour on this line and obtain a faithful representation, it is enough to adjoin to g̃ the degree d of the form g, since g is the class of Z d g̃ ( X/Z, Y /Z ) in k[C]. In the sequel of this paper, we do not mention further this issue and we often identify g with g̃ by slight abuse of notation when the context is clear.
Data structure for smooth divisors on C. For representing divisors which do not involve any node, we use a data structure strongly inspired by the Mumford representation for divisors on hyperelliptic curves and by representations of algebraic sets by primitive elements as in [6]. Our data structure requires a mild assumption on the divisor that we represent: none of the points in the support of the divisor should lie at infinity. In fact, this is not a strong restriction since all points can be brought to an affine chart via a projective change of coordinate. If one does not wish to change the coordinate system, another solution is to maintain three representations, one for each of the three canonical affine charts covering P.
We shall represent a smooth divisor D as a pair of smooth effective divisors (D+, D−) such that D = D+ − D−. One crucial point for the representation of effective divisors is that the 0-dimensional algebraic set corresponding to the support (i.e. without considering the multiplicities) of an effective divisor D can be described by a finite étale algebra which is a quotient of k[C] by a nonzero ideal. This étale algebra is isomorphic to a quotient of a univariate polynomial ring if it admits a primitive element. Using primitive elements to represent 0-dimensional algebraic sets is a classical technique in computer algebra, see e.g. [6, Sec. 2][10, Sec. 3.2].
Lemma 3.1.
Let R be a finite étale k-algebra, i.e. a finite product of finite extensions of k. Let z ∈ R be an element, and let m_z denote the multiplication by z in R, seen as a k-linear endomorphism. The following statements are equivalent:
1. The element z generates R as a k-algebra;
2. The elements , z, z , . . . , z dim k ( R ) − are linearly independent over k;
3. The characteristic polynomial of m_z equals its minimal polynomial;
4. The characteristic polynomial of m_z is squarefree.
If z satisfies these four properties, then z is called a primitive element for R.
Proof. (2) ⇒ (1): By definition, the element z generates R as a k-algebra if and only if its powers generate R as a k-vector space. (1) ⇒ (2): Let n be the smallest positive integer such that 1 , z, z , . . . , z n are linearly dependent. The integer n must be finite since dim_k(R) is finite. Write z n = P n − i =0 a i z i for some a , . . . , a n ∈ k . By multiplying this relation by z n − n and by induction on n , we obtain that for any n ≥ n , z n belongs to the vector space generated by 1 , z, . . . , z n − . This implies that the algebra generated by z has dimension n as a k-vector space. By (1), we obtain that n = dim_k(R). (2) ⇒ (3): By (2), the minimal polynomial of m_z has degree at least dim_k(R), and hence it equals its characteristic polynomial. (3) ⇒ (2): The degree of the characteristic polynomial is dim_k(R). (3) ⇒ (4): Let ξ be the squarefree part of the characteristic polynomial of m_z. By (3), ξ(z) must be nilpotent in R. But the only nilpotent element in an étale algebra is 0, so ξ must be a multiple of the minimal polynomial of m_z. Hence, by (3), ξ is the characteristic polynomial of m_z. (4) ⇒ (3): This is a consequence of the facts that the characteristic polynomial and the minimal polynomial have the same set of roots, and the minimal polynomial divides the characteristic polynomial.
We are now ready to define the data structure that we will use to represent smooth effective divisors on the curve. A smooth effective divisor D on C supported on the affine chart Z = 0 will be represented as:
• A scalar λ ∈ k;
• Three univariate polynomials χ, u, v ∈ k[S], such that χ is monic, χ has degree deg(D) and u, v have degree at most deg( D ) −
(Div-H1) q ( u ( S ) , v ( S )) ≡ χ ( S );
(Div-H2) λu(S) + v(S) = S;
(Div-H3) GCD(∂q/∂X(u(S), v(S)) − λ ∂q/∂Y(u(S), v(S)), χ(S)) = 1.
We call the data structure above a primitive element representation. An important ingredient of the primitive element representation is that (Div-H3) enables us to use Hensel’s lemma to encode the multiplicities. More precisely, (Div-H3) implies that at each of the closed points in the support of the divisor, the element λ(X − x̄) + (Y − ȳ) is a uniformizing element for the associated discrete valuation ring, where x̄, ȳ denote the classes of X, Y in the residue field.
Notice that this representation requires the existence of a primitive element of the form λX + Y which satisfies all the wanted properties. Fortunately, Proposition 3.2 below shows that such a primitive element exists as soon as k contains more than (deg(D)+1 choose 2) elements.
Data structure for the nodal divisor.
We shall represent the nodal divisor via an algebraic parametrization by the roots of a univariate polynomial. This algebraic structure is very similar to the representation of smooth divisors, except for a crucial difference: we shall not need to represent multiplicities, so this representation does not need to satisfy condition (Div-H3). More precisely, the nodal divisor E will be represented as:
• A scalar λ_E ∈ k;
• Three univariate polynomials χ_E, u_E, v_E ∈ k[S], such that χ_E is monic and squarefree, χ_E has degree r and u, v have degree at most r − ;
• A monic univariate polynomial T_E ∈ k[S] of degree at most r
such that { ( u E ( ζ ) , v E ( ζ )) | ζ ∈ k, χ E ( ζ ) = 0 } ⊂ k is the set of nodes of C, (NodDiv-H1)
and such that the roots of T_E are the values λ ∈ k such that the vector (1, −λ) is tangent to C at a node. Notice that the roots of T_E do not record vertical tangents at nodes, so the degree of T_E may be less than r.
Such (λ_E, χ_E, u_E, v_E) satisfying (NodDiv-H1) exist as soon as k contains more than (r choose 2) elements by Proposition 3.3. Computing T_E is also an easy task once (λ_E, χ_E, u_E, v_E) are known. This polynomial can be for instance obtained by considering the homogeneous form Q ( X, Y, S ) of degree of the shifted polynomial q(X + u_E(S), Y + v_E(S)). Then T_E(λ) = Resultant_S(Q(1, −λ, S), χ_E(S)) satisfies the desired property. This polynomial T_E will be useful in Algorithm CompPrincDiv. Computing λ_E, χ_E, u_E, v_E, T_E can be thought of as a precomputation since this depends only on the curve C and not on the input divisor D.
Before going any further, we summarize here the data structures for the input and the output of Algorithm 1 and the properties that they must satisfy.
Input data:
• A bivariate polynomial q ∈ k[X, Y]. This polynomial encodes the curve C;
• Data (λ_E, χ_E, u_E, v_E, T_E) encoding the nodal divisor E;
• A smooth divisor D = D+ − D− given by two tuples (λ+, χ+, u+, v+) and (λ−, χ−, u−, v−) with λ± ∈ k, χ±, u±, v± ∈ k[S].
The input data must satisfy the following constraints:
1. The bivariate polynomial q ∈ k[X, Y] is absolutely irreducible, and its base field k is perfect;
2. The total degree of q equals its degree with respect to Y;
3. The inequalities deg(u±) < deg(χ±), deg(v±) < deg(χ±), deg(u_E) < deg(χ_E), deg(v_E) < deg(χ_E) hold;
4. The polynomials χ±, χ_E and T_E are monic;
5. The polynomial χ_E is squarefree;
6. Both tuples (λ+, χ+, u+, v+) and (λ−, χ−, u−, v−) satisfy (Div-H1) to (Div-H3);
7. The tuple (λ_E, χ_E, u_E, v_E, T_E) satisfies (NodDiv-H1);
8. The degree of T_E is at most r;
9. The roots of the univariate polynomial T_E are the values λ ∈ k such that the vector (1, −λ) is tangent to C at a node.
Output data:
• A bivariate polynomial h ∈ k[X, Y];
• A finite set of bivariate polynomials B ⊂ k[X, Y].
The output data satisfies that the set { b/h | b ∈ B } is a basis of the Riemann-Roch space associated to D on C.
The rest of this section is devoted to technical proofs about the primitive element representation. The statements below will be used for proving the correctness of the subalgorithms, but they may be skipped without harming the general understanding of this paper.
The two following propositions (whose proofs are postponed after Lemma 3.6) show that primitive representations of smooth effective divisors and of the nodal divisor exist provided that the base field is large enough.
Proposition 3.2.
Let J be a nonzero ideal of k[C] = k[X, Y]/q(X, Y) such that J + ⟨∂q/∂X, ∂q/∂Y⟩ = k[C]. Assume that the cardinality of k is larger than (dim_k(k[C]/J)+1 choose 2). Then there exist λ ∈ k and polynomials χ, u, v ∈ k[S] satisfying (Div-H1) to (Div-H3) such that the map k[C]/J → k[S]/χ(S) sending X and Y to the classes of u and v is an isomorphism of k-algebras.
The following proposition states a similar result for radical ideals which do not satisfy the smoothness assumption. This will be useful to represent the nodal divisor.
Proposition 3.3.
Let J be a nonzero radical ideal of k[C] = k[X, Y]/q(X, Y). Assume that the cardinality of k is larger than (dim_k(k[C]/J) choose 2). Then there exist λ_E ∈ k and polynomials χ_E, u_E, v_E ∈ k[S] satisfying (NodDiv-H1) such that the map k[C]/J → k[S]/χ(S) sending X and Y to the classes of u and v is an isomorphism of k-algebras.
Before proving Propositions 3.2 and 3.3, we need some technical lemmas. First, the following lemma generalizes slightly the classical fact that ideals in the coordinate rings of smooth curves admit a unique factorization. Here, we do not assume that C is nonsingular, but the factorization property holds only for ideals of regular functions which do not vanish at any singular point.
Lemma 3.4. Let I be a nonzero ideal of k[C] such that I + ⟨∂q/∂X, ∂q/∂Y⟩ = k[C]. Then there exists a unique factorization I = Q ℓi =1 m α i i as a product of maximal ideals of k[C].
Proof. First, we prove the existence of such a factorization. Let m ⊂ k[C] be an ideal containing I. If m is a nonsingular closed point of C, then the local ring k[C]_m is a discrete valuation ring by [9, Sec. 3.2, Thm. 1]. Let val_m(I) ∈ Z ≥ denote the integer such that I = m val m ( I ) in this local ring. Let J be the ideal J = Y m ⊃ I m val m ( I ) . By [2, Prop. 9.1], the equality I = J holds if and only if it holds in all the local rings k[C]_m where m ⊃ I. Since the maximal ideals m are nonsingular closed points of C, this equality holds true because the corresponding local rings are discrete valuation rings, hence the equality of ideals is equivalent to the equality of their m-valuation.
We now prove the uniqueness of this factorization: by contradiction, assume that I has two distinct factorizations Q ≤ i ≤ ℓ m α i i and Q ≤ i ≤ ℓ ′ m ′ α ′ i i of the ideal. Without loss of generality, assume that m does not occur in the second factorization, or that it appears with a different multiplicity. This would lead to a contradiction since it would lead to distinct valuations of the same ideal in the local ring at m .
An ideal I ⊂ k[X, Y] in a polynomial ring is called 0-dimensional if the dimension of k[X, Y]/I as a k-vector space is finite. The following lemma identifies values of λ for which λX + Y is not a primitive element for a 0-dimensional algebraic set.
Lemma 3.5. Let I ⊂ k[X, Y] be a radical 0-dimensional ideal, with associated variety V = { α i } ≤ i ≤ dim k ( k [ X,Y ] /I ) ⊂ k and let u, v ∈ k[X, Y] be elements such that for any distinct points α_i, α_j ∈ V, u ( α i ) = u ( α j ) or v ( α i ) = v ( α j ) . Then the set of λ ∈ k such that λu + v is not a primitive element for k[X, Y]/I is contained in the set of roots of a nonzero univariate polynomial with coefficients in k of degree (dim_k(k[X, Y]/I) choose 2).
Proof. Writing α_i = (α_{i,x}, α_{i,y}), let K ⊂ k be a field extension of k where I factors as a product of degree- maximal ideals m_i = ⟨X − α_{i,x}, Y − α_{i,y}⟩. This provides an isomorphism of K-algebras between K[X, Y]/I and K dim k ( k [ X ,X ] /I ) sending polynomials to their evaluations at α , . . . , α dim k ( k [ X,Y ] /I ) . Using this isomorphism, and letting e_i denote the i-th canonical vector in K dim k ( k [ X ,X ] /I ) , we observe that e_i is an eigenvector of the endomorphism of multiplication by λu + v, with associated eigenvalue λu(α_i) + v(α_i). Next, λu + v is a primitive element for k[X, Y]/I if all these eigenvalues are distinct by Lemma 3.1. This is the case if and only if the discriminant of the characteristic polynomial is nonzero. Since the discriminant is the product of the squared differences of the roots, it equals Y ≤ i ≤ dim k ( k [ X,Y ] /I )1 ≤ j
K/k ) permute the points α i . Therefore the natural action of Gal(
K/k) acts on $\Delta$ by permuting its linear factors, and hence it leaves $\Delta$ invariant.

In the following lemma, the notation $\mathrm{red}(R)$ stands for the quotient of a ring $R$ by its Jacobson radical (i.e. the intersection of its maximal ideals). If $I$ is an ideal of $R$, we use the notation $\sqrt{I}$ to denote the radical of $I$. The ring $\mathrm{red}(k[C]/J)$ can be thought of as the coordinate ring of the 0-dimensional algebraic set corresponding to the points in the support of the effective divisor associated to $J$.

Lemma 3.6.
Let J be a nonzero ideal of k [ C ] = k [ X, Y ] /q ( X, Y ) such that J + h ∂q/∂X, ∂q/∂Y i = k [ C ] . Then there exists a nonzero univariate polynomial ∆ with coefficients in k of degree atmost (cid:0) dim k ( k [ C ] /J )+12 (cid:1) , such that for any λ which is not a root of ∆ , the element λX + Y isprimitive for red( k [ C ] /J ) and ∂q/∂X − λ∂q/∂Y is invertible in red( k [ C ] /J ) .In particular, if k has cardinality larger than (cid:0) dim k ( k [ C ] /J )+12 (cid:1) , then there exists a value of λ in k which is not a root of ∆ .Proof. First, notice that k [ C ] /J is isomorphic to k [ X, Y ] / ( J + h q i ) , by using the classicalfact that ideals of a quotient ring R/I correspond to ideals of R containing I . Since q isirreducible, J + h q i ⊂ k [ X, Y ] is a zero-dimensional ideal, and hence red( k [ X, Y ] / ( J + h q i )) = k [ X, Y ] / p J + h q i . Notice that dim k ( k [ X, Y ] / p J + h q i ) ≤ dim k ( k [ C ] /J ) . Next, using thefact that two distinct points in the variety have distinct coordinates, Lemma 3.5 provides anonzero polynomial ∆ of degree at most (cid:0) dim k ( k [ C ] /J )2 (cid:1) such that λX + Y is not a primitiveelement for red( k [ C ] /J ) only if λ is a root of ∆ .Next, we notice that since p J + h q i ⊂ k [ X, Y ] is a radical -dimensional ideal, it can bedecomposed as a product Q ≤ i ≤ ℓ m i of maximal ideals. Consequently, ∂q/∂X − λ∂q/∂Y isinvertible in red( k [ C ] /J ) if and only if ∂q/∂X − λ∂q/∂Y does not belong to any of thesemaximal ideals. Equivalently, ∂q/∂X − λ∂q/∂Y must not vanish in any of the residue fields κ i = k [ C ] / m i . Notice that the norm N κ i /k ( ∂q/∂X − λ∂q/∂Y ) is a polynomial ∆ i in λ withcoefficients in k . It is nonzero since J + h ∂q/∂X, ∂q/∂Y i = k [ C ] and hence either ∂q/∂X or ∂q/∂Y is nonzero in κ i . Therefore ∆ i is either constant (if ∂q/∂Y vanishes in κ i ), orit has degree [ κ i : k ] . 
Finally, the proof is concluded by noticing that $\sum_{1 \le i \le \ell} [\kappa_i : k] = \dim_k(k[X,Y]/\sqrt{J + \langle q \rangle}) \le \dim_k(k[C]/J)$, so that the product $\Delta \cdot \prod_{1 \le i \le \ell} \Delta_i$ has degree at most $\binom{\dim_k(k[C]/J)+1}{2}$ and satisfies all the desired properties.

We now have all the tools that we need to prove Propositions 3.2 and 3.3.

Proof of Proposition 3.2.
First, we assume that J = m α is a power of a maximal ideal in k [ C ] such that m + h ∂q/∂X, ∂q/∂Y i = k [ C ] . Then red( k [ C ] /J ) = k [ C ] / m . Let λ ∈ k be an elementwhich is not a root of the polynomial ∆ provided by Lemma 3.6. Such an element exists sincethe cardinality of k is larger than the degree of ∆ . Therefore, λX + Y is a primitive element for k [ C ] / m and hence there exist univariate polynomials e u, e v ∈ k [ S ] such that X = e u ( λX + Y ) and Y = e v ( λX + Y ) in k [ C ] / m . Let e χ ( S ) be the minimal polynomial of λX + Y in k [ C ] / m , whichis irreducible since k [ C ] / m is a field. Notice that the map k [ C ] / m → k [ S ] / e χ ( S ) sending theclasses of X, Y to e u, e v is an isomorphism of k -algebras. Next, set χ ( S ) = e χ ( S ) α and considerthe bivariate system ( q ( X, Y ) = 0 λX + Y − S = 0 . (1)By construction, this system has solution ( e u, e v ) over k [ S ] / e χ ( S ) . The Jacobian of this systemis ∂q∂X ( X, Y ) − λ ∂q∂Y ( X, Y ) , which is invertible in red( k [ C ] /J ) by Lemma 3.6, and therefore ∂q∂X ( e u ( S ) , e v ( S )) − λ ∂q∂Y ( e u ( S ) , e v ( S )) is invertible in k [ S ] / e χ ( S ) . By Hensel’s lemma, there existpolynomials u, v ∈ k [ S ] < deg( χ ) which are solutions of (1) over k [ S ] /χ ( S ) : Indeed, for i > , if ( b u, b v ) is a solution of (1) over k [ S ] / e χ ( S ) i , then a Taylor expansion of the system at order shows that (cid:20)b u b v (cid:21) − (cid:20) ∂q/∂X ∂q/∂Yλ (cid:21) − · (cid:20) q ( b u, b v ) λ b u + b v − S (cid:21) is a solution of Eq. (1) over k [ S ] / e χ ( S ) i .The map k [ C ] /J → k [ S ] /χ ( S ) is well-defined because m maps to modulo e χ and hence J = m α maps to modulo χ = e χ α . It is an isomorphism because k [ C ] /J and k [ S ] /χ ( S ) havethe same dimension as vector spaces over k and the map S λX + Y is the right inverse to themap ( X, Y ) ( u ( S ) , v ( S )) . 
It remains to prove that (Div-H3) is satisfied by $\chi, u, v$, which is a direct consequence of the fact that by Lemma 3.6, $\partial q/\partial X - \lambda\,\partial q/\partial Y$ does not belong to $\mathfrak{m}$ and hence $\frac{\partial q}{\partial X}(u(S), v(S)) - \lambda \frac{\partial q}{\partial Y}(u(S), v(S))$ is invertible modulo $\chi(S)$.

Next, we consider the general case where $J$ is a nonzero ideal in $k[C]$ such that $J + \langle \partial q/\partial X, \partial q/\partial Y \rangle = k[C]$. Again, let $\lambda \in k$ be an element which is not a root of the polynomial $\Delta$ provided by Lemma 3.6. Lemma 3.4 implies that $J$ can be written as a product $J = \prod_{i=1}^{\ell} \mathfrak{m}_i^{\alpha_i}$ of powers of maximal ideals. Then for all $i$, the element $\lambda X + Y$ is primitive for $k[C]/\mathfrak{m}$ and $\partial q/\partial X - \lambda\,\partial q/\partial Y$ is invertible in $k[C]/\mathfrak{m}$. For each $i$, using the previous argument, we can construct univariate polynomials $\chi_i, u_i, v_i \in k[S]$ satisfying (Div-H1) to (Div-H3) with respect to $\lambda$ such that the maps $k[C]/\mathfrak{m}_i^{\alpha_i} \to k[S]/\chi_i(S)$ sending $X, Y$ to $u_i(S), v_i(S)$ are isomorphisms of $k$-algebras. Setting $\chi(S) = \prod_{i=1}^{\ell} \chi_i(S)$ and using the CRT, let $u, v \in k[S]_{<\deg(\chi)}$ be such that for all $i$, we have $u(S) \equiv u_i(S) \bmod \chi_i(S)$ and $v(S) \equiv v_i(S) \bmod \chi_i(S)$. Then the fact that the CRT is a ring morphism allows us to conclude that the map $k[C]/J \to k[S]/\chi(S)$ is an isomorphism and that $\chi, u, v$ satisfy (Div-H1) to (Div-H3).

Proof of Proposition 3.3.
The proof is similar to that of Proposition 3.2, by ignoring the argument about multiplicities. Since the Jacobian $\frac{\partial q}{\partial X}(X, Y) - \lambda \frac{\partial q}{\partial Y}(X, Y)$ need not be invertible in $\mathrm{red}(k[C]/J)$, it is sufficient to choose a value of $\lambda$ which is not a root of the univariate polynomial constructed in Lemma 3.5 for $J$.

The next lemma shows that any data satisfying (Div-H1) to (Div-H3) actually encodes a well-defined effective divisor with no singular point in its support.

Lemma 3.7.
Let ( λ, χ, u, v ) be such that (Div-H1) to (Div-H3) are satisfied, and let I = h X − u ( S ) , Y − v ( S ) , χ ( S ) i ∩ k [ X, Y ] . Then k [ X, Y ] /I is isomorphic as a k -algebra to k [ C ] /J here J is a nonzero ideal in k [ C ] . Moreover, J + h ∂q/∂X, ∂q/∂Y i = k [ C ] , λX + Y is aprimitive element for red( k [ X, Y ] /I ) , and its minimal polynomial is the squarefree part of χ .Proof. Nonzero ideals of k [ C ] correspond to ideals of k [ X, Y ] containing properly the prin-cipal ideal h q ( X, Y ) i . First, notice that (Div-H1) implies that q ( X, Y ) ∈ I . Also, by (Div-H2) , we get that χ ( λX + Y ) ∈ I . Notice that χ ( λX + Y ) factors as a productof polynomials of degree over the algebraic closure of k . Since q is supposed to be ab-solutely irreducible and to have degree at least , this implies that χ ( λX + Y ) does notbelong to the principal ideal h q ( X, Y ) i . Consequently, I contains properly h q ( X, Y ) i andthis proves the isomorphism between k [ X, Y ] /I and k [ C ] /J . In particular, we obtain that dim k ( k [ C ] /J ) = dim k ( k [ X, Y ] /I ) = deg( χ ) . Next, (Div-H3) implies that ∂q/∂X − λ∂q/∂Y isinvertible in k [ C ] /J , and hence k [ C ] = J + h ∂q/∂X − λ∂q/∂Y i ⊂ J + h ∂q/∂X, ∂q/∂Y i . There-fore, J + h ∂q/∂X, ∂q/∂Y i = k [ C ] . Using the isomorphism between k [ C ] /J and k [ S ] /χ ( S ) described in Proposition 3.2, we obtain that red( k [ X, Y ] /I ) is isomorphic to red( k [ S ] /χ ( S )) ,which is in turn isomorphic to k [ S ] / e χ ( S ) , where e χ ( S ) is the squarefree part of χ ( S ) . Finally,the proof is concluded by noticing that S is a primitive element for k [ S ] / e χ ( S ) with minimalpolynomial e χ ( S ) .The following lemma explicits the link between the primitive element representation andthe ideal vanishing on the -dimensional algebraic set that it represents. Lemma 3.8.
Let ( λ, χ, u, v ) be data satisfying (Div-H2) . Set I = h χ ( S ) , X − u ( S ) , Y − v ( S ) i ⊂ k [ X, Y, S ] and J = h χ ( λX + Y ) , X − u ( λX + Y ) , Y − v ( λX + Y ) i . Then I ∩ k [ X, Y ] = J .Proof. By (Div-H2) and by using the fact that X − u ( S ) , Y − v ( S ) ∈ I , we deduce that S − ( λX + Y ) ∈ I . This implies that I ∩ k [ X, Y ] = { f ( X, Y, λX + Y ) | f ∈ I } .The primitive element representation of an effective divisor is not unique: Two tuples ( λ , χ , u , v ) and ( λ , χ , u , v ) may encode the same effective divisor. The cases where thishappens are detailed in the following proposition. Proposition 3.9.
Let ( λ , χ , u , v ) , ( λ , χ , u , v ) ∈ k × k [ S ] be data which satisfy (Div-H2) . Let I , I ⊂ k [ X, Y, S ] be the associated ideals I = h χ ( S ) , X − u ( S ) , Y − v ( S ) i , I = h χ ( S ) , X − u ( S ) , Y − v ( S ) i .Then I ∩ k [ X, Y ] = I ∩ k [ X, Y ] if and only if χ is the characteristic polynomial of λ u + v in k [ S ] /χ ( S ) , u ( λ u ( S ) + v ( S )) ≡ u ( S ) mod χ ( S ) and v ( λ u ( S ) + v ( S )) ≡ v ( S ) mod χ ( S ) .Proof. We first prove the “if” part of the statement. First, we notice that k [ X, Y ] / ( I ∩ k [ X, Y ]) and k [ X, Y ] / ( I ∩ k [ X, Y ]) are k -vector space of the same finite dimension, since deg( χ ) mustequal deg( χ ) . Therefore it is enough to show one inclusion to prove the equality. Let f ( X, Y ) ∈ I ∩ k [ X, Y ] . Using the equalities modulo χ , we obtain that f ( X, Y ) ≡ f ( u ( λ u ( S ) + v ( S )) , v ( λ u ( S ) + v ( S ))) mod I , which is divisible by χ ( λ u ( S ) + v ( S )) because f isin I and by using Cayley-Hamilton theorem. Finally, we use the fact that χ ( S ) is thecharacteristic polynomial of λ u ( S ) + v ( S ) and hence χ divides χ ( λ u ( S ) + v ( S )) , whichfinishes to prove that f ∈ I .Conversely, assume that I ∩ k [ X, Y ] = I ∩ k [ X, Y ] . By composing the isomorphisms k [ S ] /χ ( S ) → k [ X, Y ] / ( I ∩ k [ X, Y ]) S λ X + Y k [ X, Y ] / ( I ∩ k [ X, Y ]) → k [ S ] /χ ( S ) X u ( S ) Y v ( S ) we obtain that the map k [ S ] /χ ( S ) → k [ S ] /χ ( S ) which sends S to λ u ( S ) + v ( S ) is anisomorphism. This proves that χ is the characteristic polynomial of λ u ( S ) + v ( S ) in k [ S ] /χ ( S ) . To prove the two congruence relations, we observe that for all f ∈ k [ X, Y ] , f ( u , v ) ≡ χ if and only if f ( u , v ) ≡ χ . In particular, the polynomial P ( X, Y ) = u ( λ X + Y ) − X satisfies P ( u , v ) ≡ χ , and hence P ( u , v ) ≡ χ .The proof of the last congruence relation is similar.11 Divisor arithmetic for smooth divisors
The first step to perform arithmetic operations on smooth divisors given by primitive element representations is to agree on a common primitive element. In order to achieve this, the routine ChangePrimElt (Algorithm 2) performs the necessary change of primitive element by using linear algebra. We will prove in Propositions 6.1 and 6.7 that the complexity of this step is the same as the complexity of the subroutine NumeratorBasis in the main algorithm. Therefore, decreasing the complexity of
ChangePrimElt would not change the global complexity and hence we make no effort to optimize it, although it might be possible to obtain a better complexity for this step by using a method similar to [10, Algo. 5].

Throughout this paper, for d > we let k [ S ]

ChangePrimElt ;
Data: A scalar $\tilde\lambda \in k$ and a primitive element representation $(\lambda, \chi, u, v)$ of a smooth effective divisor $D$.
Result: Univariate polynomials $(\tilde\chi, \tilde u, \tilde v)$ such that $(\tilde\lambda, \tilde\chi, \tilde u, \tilde v)$ is a primitive element representation of $D$ or “fail”.
  if $\mathrm{GCD}\left(\frac{\partial q}{\partial X}(u(S), v(S)) - \tilde\lambda \frac{\partial q}{\partial Y}(u(S), v(S)),\ \chi(S)\right) \ne 1$ then
    Return “fail”.
  end
  $M \leftarrow$ $\deg(\chi) \times \deg(\chi)$ matrix representing the linear map $\varphi : k[S]_{<\deg(\chi)} \to k[S]_{<\deg(\chi)}$ such that $\varphi(f)(S) \equiv f(S) \cdot (\tilde\lambda u(S) + v(S)) \bmod \chi(S)$;
  $\tilde\chi \leftarrow$ CharacteristicPolynomial($M$);
  $N \leftarrow$ $\deg(\chi) \times \deg(\chi)$ invertible matrix representing the linear map $\psi : k[S]_{<\deg(\tilde\chi)} \to k[S]_{<\deg(\chi)}$ such that $\psi(f)(S) \equiv f(\tilde\lambda u(S) + v(S)) \bmod \chi(S)$;
  if $N$ is not invertible then
    Return “fail”.
  end
  $\tilde u \leftarrow \psi^{-1}(u)$;
  $\tilde v \leftarrow \psi^{-1}(v)$;
  Return $(\tilde\chi, \tilde u, \tilde v)$.
Algorithm 2: Changing the primitive element in the representation of a smooth effective divisor.

Proposition 4.1. Algorithm 2 (ChangePrimElt) is correct: If it does not fail, then $(\tilde\lambda, \tilde\chi, \tilde u, \tilde v)$ satisfies properties (Div-H1) to (Div-H3) and it represents the same effective divisor as $(\lambda, \chi, u, v)$.

Proof. First, we prove that $(\tilde\lambda, \tilde\chi, \tilde u, \tilde v)$ satisfies Properties (Div-H1) to (Div-H3). We notice that the map $\psi$ in Algorithm 2 can be extended to an isomorphism $\Psi$ of $k$-algebras between $k[S]/\tilde\chi(S)$ and $k[S]/\chi(S)$. Property (Div-H1) follows from the fact that in $k[S]/\chi(S)$, we have $q(\tilde u, \tilde v) = q(\Psi^{-1}(u), \Psi^{-1}(v)) = \Psi^{-1}(q(u, v)) = 0$. Property (Div-H2) follows from the equalities $S = \Psi^{-1}(\Psi(S)) = \Psi^{-1}(\tilde\lambda u + v) = \tilde\lambda\, \psi^{-1}(u(S)) + \psi^{-1}(v(S)) = \tilde\lambda \tilde u(S) + \tilde v(S)$ in $k[S]/\tilde\chi(S)$.
The fact that the equality e λ e u ( S ) + e v ( S ) = S also holds in k [ S ] is a consequence ofthe degree bounds deg( e u ) , deg( e v ) < deg( e χ ) . If the first test does not fail, then ∂q∂X ( u ( S ) , v ( S )) − e λ ∂q∂Y ( u ( S ) , v ( S )) is invertible modulo χ ( S ) . Applying Ψ − shows (Div-H3) .Finally, we must prove that both representations encode the same divisor. By Proposi-tion 3.9, this amounts to show that e χ is the characteristic polynomial of e λu ( S ) + v ( S ) e u ( e λu ( S ) + v ( S )) ≡ u ( S ) mod χ ( S ) and e v ( e λu ( S ) + v ( S )) ≡ v ( S ) mod χ ( S ) , Ψ − . Function HenselLiftingStep ; Data: A squarefree bivariate polynomial q ∈ k [ X, Y ] , ( λ, χ, u, v ) which satisfies (Div-H1) to (Div-H3) , and a univariate polynomial b χ which divides χ . Result: Two polynomials b u, b v ∈ k [ S ] < deg( b χ ) such that ( λ, b χ, b u, b v ) satisfies (Div-H1) to (Div-H3) . b u ( S ) ← u ( S ) − q ( u ( S ) , v ( S )) − ( λu ( S ) + v ( S ) − S ) ∂q∂Y ( u ( S ) , v ( S )) ∂q∂X ( u ( S ) , v ( S )) − λ ∂q∂Y ( u ( S ) , v ( S )) ! mod b χ ( S ) ; b v ( S ) ← v ( S ) − − λq ( u ( S ) , v ( S )) + ( λu ( S ) + v ( S ) − S ) ∂q∂X ( u ( S ) , v ( S )) ∂q∂X ( u ( S ) , v ( S )) − λ ∂q∂Y ( u ( S ) , v ( S )) ! mod b χ ( S ) ;Return ( b u, b v ) . Algorithm 3: A step of Newton-Hensel’s lifting. Proposition 4.2. Algorithm 3 ( HenselLiftingStep ) is correct: ( λ, b χ, b u, b v ) satisfies (Div-H1) to (Div-H3) .Proof. This is a special case of the Newton-Hensel’s lifting. Using Taylor expansion, (cid:20) q ( X, Y ) λX + Y − S (cid:21) = (cid:20) q ( u ( S ) , v ( S )) λu ( S ) + v ( S ) − S (cid:21) + (cid:20) ∂q∂X ( u ( S ) , v ( S )) ∂q∂Y ( u ( S ) , v ( S )) λ (cid:21) · (cid:20) X − u ( S ) Y − v ( S ) (cid:21) + ε ( X, Y, S ) , where ε is such that ε ( e u ( S ) , e v ( S ) , S ) ≡ χ ( S ) for any polynomials e u, e v ∈ k [ S ] suchthat e u ≡ u mod χ and e v ≡ v mod χ . 
Next, notice that the denominators in the definitionsof b u and b v are invertible modulo χ ( S ) because they are invertible modulo χ ( S ) . The proofof (Div-H1) and (Div-H2) follows from a direct computation by plugging the values of b u and b v in the Taylor expansion, and by noticing that b u ≡ u mod χ and b v ≡ v mod χ , so that ε ( b u ( S ) , b v ( S ) , S ) ≡ χ ( S ) and hence ε ( b u ( S ) , b v ( S ) , S ) ≡ b χ ( S ) . Finally, (Div-H3) is a direct consequence of the fact that ∂q∂X ( u ( S ) , v ( S )) − λ ∂q∂Y ( u ( S ) , v ( S )) is invertible modulo χ ( S ) . Function AddDivisors ; Data: A polynomial q ∈ k [ X, Y ] and two smooth effective divisors D , D given byprimitive element representations ( λ , χ , u , v ) and ( λ , χ , u , v ) . Result: A primitive element representation of the divisor D + D or “fail”. b λ ← Random ( k ); ( b χ , b u , b v ) ← ChangePrimElt ( b λ, λ , χ , u , v ); ( b χ , b u , b v ) ← ChangePrimElt ( b λ, λ , χ , u , v ); if b u b u mod GCD( b χ , b χ ) then Return “fail” end b χ ← b χ · b χ ; e χ ← LCM( b χ , b χ ) ; b u ← XCRT(( b χ , b χ ) , ( b u , b u )) ∈ k [ S ] < deg( e χ ) ; b v ← XCRT(( b χ , b χ ) , ( b v , b v )) ∈ k [ S ] < deg( e χ ) ; ( b u, b v ) ← HenselLiftingStep ( q, e χ, b λ, b u , b v , b χ );Return ( b λ, b χ, b u, b v ) . Algorithm 4: Computing the sum of two smooth effective divisors.13lgorithm 4 uses a variant of the CRT, which we call the Extended Chinese RemainderTheorem and which we abbreviate as XCRT . Given four univariate polynomials u , u , χ , χ ∈ k [ S ] such that u ≡ u mod GCD( χ , χ ) , it returns a polynomial u ∈ k [ S ] of degree less than deg(LCM( χ , χ )) such that u ≡ u mod χ and u ≡ u mod χ . The main difference with theclassical CRT is that we do not require χ and χ to be coprime. 
A minimal solution to the XCRT problem is given by XCRT(( χ , χ ) , ( u , u )) = ( u a ( χ /g ) + u a ( χ /g )) mod LCM( χ , χ ) , (2)where g = GCD( χ , χ ) and a , a ∈ k [ S ] are Bézout coefficients for χ , χ , i.e. they sat-isfy a χ + a χ = g . Notice that the XCRT is in fact a k -algebra isomorphism between k [ S ] / LCM( χ ( S ) , χ ( S )) and the subalgebra of k [ S ] /χ ( S ) × k [ S ] /χ ( S ) formed by pairs ( u , u ) such that u ≡ u mod GCD( χ , χ ) . Proposition 4.3. Algorithm 4 ( AddDivisors ) is correct: If it does not fail, then it returnsa primitive element representation of the smooth effective divisor D + D .Proof. Let I , I , J denote the three following ideals of k [ C ] : I = h χ ( λ X + Y ) , X − u ( λ X + Y ) , Y − v ( λ X + Y ) i ; I = h χ ( λ X + Y ) , X − u ( λ X + Y ) , Y − v ( λ X + Y ) i ; J = h b χ ( b λX + Y ) , X − b u ( b λX + Y ) , Y − b v ( b λX + Y ) i . Proving that Algorithm 4 is correct amounts to showing that I · I = J , and that (Div-H1) to (Div-H3) are satisfied by b λ, b χ, b u, b v . First, let I ′ , I ′ ⊂ k [ C ] be the ideals I ′ = h b χ ( b λX + Y ) , X − b u ( b λX + Y ) , Y − b v ( b λX + Y ) i ; I ′ = h b χ ( b λX + Y ) , X − b u ( b λX + Y ) , Y − b v ( b λX + Y ) i . By Proposition 4.1 and Lemma 3.8, the equalities I = I ′ and I = I ′ hold.We start by proving that b λ, b χ, b u, b v satisfy (Div-H1) to (Div-H3) . For (Div-H1) and (Div-H2) , Proposition 4.1 ensures that q ( b u i ( S ) , b v i ( S )) ≡ b χ i ( S ) for i ∈ { , } . Using thefact that the XCRT is a morphism, we get that q ( b u ( S ) , b v ( S )) ≡ b χ ( S ) , b χ ( S )) and b λ b u ( S )+ b v ( S ) ≡ S mod LCM( b χ ( S ) , b χ ( S )) . Next, Proposition 4.2 proves the equalities q ( e u ( S ) , e v ( S )) ≡ b χ ( S ) , b χ ( S )) and b λ e u ( S ) + e v ( S ) ≡ S mod LCM( b χ ( S ) , b χ ( S )) .Since b χ = b χ · b χ divides LCM( b χ ( S ) , b χ ( S )) , we get that q ( e u ( S ) , e v ( S )) ≡ b χ and λ b u ( S ) + b v ( S ) = S . 
For (Div-H3) , we observe that the fact that the XCRT is a ring morphismimplies that ∂q∂X ( b u ( S ) , b v ( S )) − λ ∂q∂Y ( b u ( S ) , b v ( S )) is invertible in k [ S ] / LCM( b χ ( S ) , b χ ( S )) .Consequently, ∂q∂X ( e u ( S ) , e v ( S )) − λ ∂q∂Y ( e u ( S ) , e v ( S )) is invertible in k [ S ] / LCM( b χ ( S ) , b χ ( S )) , andhence it is also invertible in k [ S ] / b χ ( S ) .We prove now that I ′ · I ′ = J . Using the factorization as a product of maximal ideals givenby Lemma 3.4, it is sufficient to prove that a power m ℓ ⊂ k [ C ] of a maximal ideal contains I ′ · I ′ if and only if it contains J . Notice that the powers of maximal ideals which contain I ′ (resp. I ′ ) are of the form h χ m ( b λX + Y ) ℓ , X − u , m ℓ ( b λX + Y ) , Y − v , m ℓ ( b λX + Y ) i (resp. h χ m ( b λX + Y ) ℓ , X − u , m ℓ ( b λX + Y ) , Y − v , m ℓ ( b λX + Y ) i ), where χ m is a prime polynomial such that χ ℓ m divides b χ (resp. b χ ), and u , m ℓ ( S ) ≡ b u ( S ) mod χ m ( S ) ℓ , v , m ℓ ( S ) ≡ b v ( S ) mod χ m ( S ) ℓ (resp. u , m ℓ ( S ) ≡ b u ( S ) mod χ m ( S ) ℓ , v , m ℓ ( S ) ≡ b v ( S ) mod χ m ( S ) ℓ ).Let m ℓ be a power of a maximal ideal which contains I ′ · I ′ . Using the unicity of thefactorization in Lemma 3.4, the powers of maximal ideals which contain I ′ · I ′ are those m ℓ + ℓ where I ′ ⊂ m ℓ and I ′ ⊂ m ℓ . This means that m ℓ has the form m ℓ = h χ m ( b λX + Y ) ℓ + ℓ , X − u ( b λX + Y ) , Y − v ( b λX + Y ) i , where u (resp. v ) is any polynomial such that u ( S ) ≡ u , m ℓ ( S ) mod χ m ( S ) ℓ , u ( S ) ≡ u , m ℓ ( S ) mod χ m ( S ) ℓ (resp. v ( S ) ≡ v , m ℓ ( S ) mod χ m ( S ) ℓ , v ( S ) ≡ v , m ℓ ( S ) mod χ m ( S ) ℓ ).14hen we notice that b χ = b χ · b χ , and therefore χ m ( S ) ℓ + ℓ divides b χ ( S ) . By using the propertiesof the XCRT and of the Hensel’s lifting, we get that b u ( S ) ≡ b u ( S ) mod b χ ( S ); b u ( S ) ≡ b u ( S ) mod b χ ( S ); b v ( S ) ≡ b v ( S ) mod b χ ( S ); b v ( S ) ≡ b v ( S ) mod b χ ( S ) . 
This implies that m ℓ = h χ m ( b λX + Y ) ℓ + ℓ , X − b u ( b λX + Y ) , Y − b v ( b λX + Y ) i , and hence m ℓ contains J .The proof that any power of maximal ideal which contains J also contains I ′ · I ′ is similar. Function SubtractDivisors ; Data: Two smooth effective divisors given by primitive element representations: D = ( λ , χ , u , v ) , D = ( λ , χ , u , v ) . Result: A primitive element representation of the smooth effective divisor [ D − D ] + or “fail”. b λ ← Random ( k ); ( b χ , b u , b v ) ← ChangePrimElt ( b λ, λ , χ , u , v ); ( b χ , b u , b v ) ← ChangePrimElt ( b λ, λ , χ , u , v ); if b u b u mod GCD( b χ , b χ ) then Return “fail” end b χ ← b χ / GCD( b χ , b χ ) ; b u ( S ) ← b u ( S ) mod b χ ( S ) ; b v ( S ) ← b v ( S ) mod b χ ( S ) ;Return ( b λ, b χ, b u, b v ) . Algorithm 5: Computing the subtraction of smooth effective divisors.Algorithm 5 ( SubtractDivisors ) provides a method for subtracting effective divisorsgiven by primitive element representations. We emphasize that the divisor returned is thesubtraction D − D only if the result is also effective, i.e. if D ≥ D . If this is not the case,then it returns the positive part of the subtraction. Proposition 4.4. Algorithm 5 ( SubtractDivisors ) is correct: If it does not fail, then itreturns a primitive element representation of the smooth effective divisor [ D − D ] + , wherethe notation [ D ] + denotes the positive part of the divisor D , i.e. the smallest effective divisor D ′ such that D ′ ≥ D .Proof. Let I , I , J denote the three following ideals of k [ C ] , using the notation in Algorithm 5: I = h χ ( λ X + Y ) , X − u ( λ X + Y ) , Y − v ( λ X + Y ) i ; I = h χ ( λ X + Y ) , X − u ( λ X + Y ) , Y − v ( λ X + Y ) i ; J = h b χ ( b λX + Y ) , X − b u ( b λX + Y ) , Y − b v ( b λX + Y ) i . 
The effective divisor [ D − D ] + corresponds to the colon ideal I : I = { f ∈ k [ C ] | f · I ⊂ I } .Consequently, we must prove that ( b λ, b χ, b u, b v ) satisfies (Div-H1) to (Div-H3) and that J = I : I . The equalities (Div-H1) to (Div-H3) for b λ, b χ , b u , b v are satisfied by Proposition 4.1.Regarding them modulo b χ shows that ( b λ, b χ, b u, b v ) satisfies (Div-H1) to (Div-H3) .In order to prove that J = I : I , we proceed as in the proof of Proposition 4.3, by noticingfirst that I and I can be rewritten as I = h b χ ( b λX + Y ) , X − b u ( b λX + Y ) , Y − b v ( b λX + Y ) i ; I = h b χ ( b λX + Y ) , X − b u ( b λX + Y ) , Y − b v ( b λX + Y ) i . D does not involve any singular point ofthe curve by (Div-H3) , the equality I : I = J holds if and only if the powers of maximalideals m ℓ ⊂ k [ C ] which contain I : I are exactly those which contain J . Equivalently, thismeans that if m ℓ is the largest power of m which contains I and if m ℓ is the largest powerof m which contains I , then m max( ℓ − ℓ , is the largest power of m which contains J . As inthe proof of Proposition 4.3, the maximal ideals m ⊂ k [ C ] which contain I have the form h χ m ( b λX + Y ) , X − u m ( b λX + Y ) , Y − v m ( b λX + Y ) i , where u m ≡ b u mod χ m , v m ≡ b v mod χ m .The proof is concluded by noticing that for any prime factor Φ of b χ , if Φ ℓ is the largest powerof Φ which divides b χ and Φ ℓ is the largest power of Φ which divides b χ , then the largestpower Φ which divides b χ = b χ / GCD( b χ , b χ ) is Φ max( ℓ − ℓ , . Function Interpolate ; Data: The degree δ of the curve, a smooth effective divisor given by a primitiveelement representation ( λ, χ, u, v ) , and the nodal divisor given by ( λ E , χ E , u E , v E , T E ) . Result: A polynomial h ∈ k [ X, Y ] representing a form in k [ C ] such that ( h ) ≥ D + E . 
if (cid:18) δ + 12 (cid:19) ≤ deg( χ ) + deg( χ E ) then d ← ⌊ (deg( χ ) + deg( χ E )) /δ + ( δ − / ⌋ else d ← ⌊ ( p χ ) + deg( χ E )) − / ⌋ end Construct the matrix representing the linear map ϕ : { f ∈ k [ X, Y ] | deg( f ) ≤ d, deg Y ( f ) < δ } → k [ S ] < deg( χ ) × k [ S ] < deg( χ E ) defined as ϕ ( f ( X, Y )) = ( f ( u ( S ) , v ( S )) mod χ ( S ) , f ( u E ( S ) , v E ( S )) mod χ E ( S )) ;Compute a basis b , . . . , b ℓ of the kernel of ϕ ; ( µ , . . . , µ ℓ ) ← Random ( k ℓ \ { } ) ;Return h = P ℓi =1 µ i b i . Algorithm 6: Computing a function h ∈ k [ C ] of small degree such that ( h ) ≥ D + E .This section focuses on the following interpolation problem: Given a smooth effective divisor D and the nodal divisor E , find a element h ∈ k [ C ] such that its associated principal divisor ( h ) satisfies ( h ) ≥ D + E . Proposition 5.1. Algorithm 6 ( Interpolate ) is correct: The kernel of ϕ has positive di-mension, and its nonzero elements h satisfy ( h ) ≥ D + E .Proof. The fact that the kernel ϕ has positive dimension follows from a dimension count,which is postponed to Lemma 5.2. We now prove the second part of the proposition. First,notice that deg Y ( h ) < deg Y ( q ) for any nonzero h in the kernel of ϕ , hence h cannot be amultiple of q , which implies that h i ( h h i ⊂ k [ C ] . Next, by Lemmas 3.7 and 3.8, the ideal I D + E = { f ∈ k [ C ] | ( f ) ≥ D + E } = { f ∈ k [ C ] | ( f ) ≥ D } ∩ { f ∈ k [ C ] | ( f ) ≥ E } equals h χ ( λX + Y ) , X − u ( λX + Y ) , Y − v ( λX + Y ) i∩h χ E ( λ E X + Y ) , X − u E ( λ E X + Y ) , Y − v E ( λX + Y ) i . By construction, h ( u ( S ) , v ( S )) ≡ χ ( S ) and h ( u E ( S ) , v E ( S )) ≡ χ E ( S ) for any h ∈ ker ϕ . 
The proof is concluded by noticing that the polynomials f in I D + E are exactlythose which satisfy f ( u ( S ) , v ( S )) ≡ χ ( S ) and f ( u E ( S ) , v E ( S )) ≡ χ E ( S ) , usingthe isomorphisms in Propositions 3.2 and 3.3.16he following lemma ensures that Algorithm 6 actually returns a nonzero element, i.e. thatthe kernel of ϕ has positive dimension. Lemma 5.2. With the notation in Algorithm 6, deg( χ ) + deg( χ E ) < dim k ( { f ∈ k [ X, Y ] | deg( f ) ≤ d, deg Y ( f ) < δ } ) ≤ χ ) + deg( χ E )) . Consequently, ϕ is not injective.Proof. Set w = deg( χ ) + deg( χ E ) . First, a direct dimension count gives dim k ( { f ∈ k [ X, Y ] | deg( f ) ≤ d, deg Y ( f ) < δ } ) = δ ( d − ( δ − / if d ≥ δ (cid:18) d + 22 (cid:19) otherwise . On one hand, if (cid:0) δ +12 (cid:1) ≤ w , then d = ⌊ w/δ + ( δ − / ⌋≥ j(cid:0) δ +12 (cid:1) /δ + ( δ − / k ≥ δ, and hence δ ( d − ( δ − / > δ ( w/δ + ( δ − / − − ( δ − / wδ ( d − ( δ − / ≤ δ ( w/δ + ( δ − / − ( δ − / ≤ w + δ ≤ w + (cid:0) δ +12 (cid:1) ≤ w. On the other hand, if (cid:0) δ +12 (cid:1) > w , then d = ⌊ ( √ w − / ⌋ < ⌊ ( p δ ( δ + 1) − / ⌋ = ⌊ ( p (2 δ + 1) − / ⌋ = δ Since (cid:0) x +22 (cid:1) − w > for any x > ( √ w − / , we get that w < (cid:0) d +22 (cid:1) as expected. Finally,the last inequality follows from (cid:18) ⌊ ( √ w − / ⌋ + 22 (cid:19) ≤ w + (1 + √ w ) / , and direct computations show that (1 + √ w ) / ≤ w . The section is devoted to the following problem: Given a polynomial h ∈ k [ C ] such that ( h ) = D h + E where D h is a smooth divisor on the curve, compute a primitive elementrepresentation of D h .Let us mention that it may happen that h vanishes at infinity. Therefore, the support of D h may contain points at infinity, but the primitive element representation only representspoints in the affine chart Z = 0 . Ignoring these zeros at infinity may lead to functions havingunauthorized poles at infinity in the basis returned by Algorithm 1. 
As we already mentioned in Section 3, handling what happens at infinity is not a problem: This issue can be solved for instance by doing the computations in three affine spaces which cover $\mathbb{P}^2$, which would multiply the complexity by a constant factor. Notice also that it is easy to detect if $h$ has zeroes at infinity: This happens if and only if the degree of the resultant of $h$ and $q$ is strictly less than $\deg(h)\deg(C)$, thanks to the fact that we assumed that $C$ is in projective Noether position. For simplicity, we will not discuss this issue further in the sequel of this paper.

The central element of Algorithm CompPrincDiv is the computation of a resultant and of the associated first subresultant (as defined for instance in [8, Sec. 3]). However, a number of extra steps are required to ensure that this computation satisfies genericity assumptions and returns a correct result. First, a random direction of projection $\lambda$ is selected for computing the resultant. This direction of projection must satisfy some conditions. In particular, distinct points in the support of $h$ must project onto distinct points. Also, in order to exploit the Poisson formula for the resultant, we ask that this direction is not a tangent at any node of the curve, see Lemma 5.4. This condition about the tangents at the nodes is tested via the evaluation of the univariate polynomial $T_E$. We also need a representation of the nodal divisor with respect to this $\lambda$. This is achieved by using a slightly modified version of Algorithm ChangePrimElt where the first test, which is not relevant for the nodal divisor, is removed. Finally, Algorithm CompPrincDiv must clean out the singular points: this is done by noticing that the roots of the resultant which correspond to the singular points appear with multiplicity at least 2, see Lemma 5.4 below. Therefore these singular points are removed by dividing out by the square of the univariate polynomial $\hat\chi_E$ whose roots parametrize the coordinates of the singular points.
Proposition 5.3. Algorithm 7 (CompPrincDiv) is correct: If it does not fail, then it returns a primitive element representation of the smooth part of the principal divisor $(h)$.

Before proving Proposition 5.3, we need the following technical lemma, which implies in particular that nodes appear as roots of the resultant with multiplicity at least two.

Lemma 5.4. With the notation in Algorithm 7, let $s \in k$ and $\lambda \in k \setminus \{0\}$. Let $R_1, \dots, R_\ell$ be the valuation rings in $\mathrm{Frac}(k[X, Y]/q)$ associated to the points of $\tilde C$ above $s$, i.e. the points on $C$ which project to $s$ via the projection $(X, Y) \mapsto \lambda X + Y$. Assume that the vector $(1, -\lambda)$ is not tangent to $C$ at any of these points and that the coefficient of $Y^{\deg(C)}$ in $q((S - Y)/\lambda, Y)$ is nonzero. Let $m_1, \dots, m_{\deg(C)}$ denote the valuations of $h$ in these valuation rings. Then $s$ is a root of multiplicity $\sum_{i=1}^{\ell} m_i$ in $\mathrm{Resultant}_Y(q((S - Y)/\lambda, Y), h((S - Y)/\lambda, Y))$.

Proof. Since we assumed that the curve is nodal, that the coefficient of $Y^{\deg(C)}$ in $q((S - Y)/\lambda, Y)$ is nonzero, and that the vector $(1, -\lambda)$ is not tangent at any point above $s$, we get that the polynomial $q((S - Y)/\lambda, Y)$ splits over the ring $k[[S - s]]$ of power series at $s$ as a product of $\deg(C)$ factors, see e.g. [20] and references therein. Notice that this factorization property holds even if some of the points above $s$ are nodes. Let $\tilde y_1, \dots, \tilde y_{\deg(C)}$ denote its roots in $k[[S - s]]$. Using the multiplicativity property of the resultant [16, Sec. 5.7], we get

$$\mathrm{Resultant}_Y(q((S - Y)/\lambda, Y), h((S - Y)/\lambda, Y)) = \alpha \prod_{i=1}^{\ell} h((S - \tilde y_i)/\lambda, \tilde y_i),$$

where $\alpha \in k$. The proof is concluded by noticing that $S - s$ is a uniformizing element for all the discrete valuation rings since the vector $(1, -\lambda)$ is not tangent to the curve at any of the points above $s$, so that $m_i$ precisely corresponds to the largest integer $\gamma$ such that $(S - s)^\gamma$ divides $h((s - \tilde y_i)/\lambda, \tilde y_i)$.
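Lemma 5.4 and the node-cleaning step of CompPrincDiv can be checked numerically; the following is an added example, not the paper's C++/NTL implementation. It assumes the constructed field F_101, the nodal cubic X^3 + Y^3 - XY with its rational node at the origin (so the polynomial parametrizing the nodes is simply S), lambda = 2, and hypothetical function names; it covers the resultant, the root multiplicities and the division by the squared nodal polynomial, not the subresultant step that recovers u and v.

```python
P = 101  # constructed example: the prime field F_101 stands in for k

def pmul(a, b):
    """Product in F_P[T] of two coefficient lists (low degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def tdeg(poly):
    return max(i + j for i, j in poly)  # total degree of {(i, j): c}, i.e. sum of c*X^i*Y^j

def substitute(poly, lam, s):
    """Y-coefficients of poly((s - Y)/lam, Y), padded to the total degree of poly."""
    inv, out = pow(lam, -1, P), [0] * (tdeg(poly) + 1)
    for (i, j), c in poly.items():
        term = [0] * j + [c % P]                        # c * Y^j
        for _ in range(i):
            term = pmul(term, [s * inv % P, -inv % P])  # times X = (s - Y)/lam
        for d, t in enumerate(term):
            out[d] = (out[d] + t) % P
    return out

def det(m):
    """Determinant over F_P by Gaussian elimination."""
    m, d = [row[:] for row in m], 1
    for c in range(len(m)):
        piv = next((r for r in range(c, len(m)) if m[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            m[c], m[piv], d = m[piv], m[c], -d
        d, inv = d * m[c][c] % P, pow(m[c][c], -1, P)
        for r in range(c + 1, len(m)):
            f = m[r][c] * inv % P
            m[r] = [(x - f * y) % P for x, y in zip(m[r], m[c])]
    return d

def sylvester(f, g):
    """Sylvester matrix of f and g for the formal degrees len(f) - 1 and len(g) - 1."""
    m, n, hf, hg = len(f) - 1, len(g) - 1, f[::-1], g[::-1]
    rows = [[0] * i + hf + [0] * (n - 1 - i) for i in range(n)]
    return rows + [[0] * i + hg + [0] * (m - 1 - i) for i in range(m)]

def interpolate(xs, ys):
    """Lagrange interpolation over F_P, returned as a coefficient list."""
    result = [0] * len(xs)
    for i, xi in enumerate(xs):
        basis, denom = [1], 1
        for xj in xs[:i] + xs[i + 1:]:
            basis, denom = pmul(basis, [-xj % P, 1]), denom * (xi - xj) % P
        scale = ys[i] * pow(denom, -1, P) % P
        result = [(r + scale * b) % P for r, b in zip(result, basis)]
    return result

def resultant_in_S(q, h, lam):
    """Monic Resultant_Y(q((S-Y)/lam, Y), h((S-Y)/lam, Y)); h must not be a multiple of q."""
    xs = list(range(tdeg(q) * tdeg(h) + 1))   # deg(q)*deg(h) + 1 evaluation points for S
    ys = [det(sylvester(substitute(q, lam, s), substitute(h, lam, s))) for s in xs]
    res = interpolate(xs, ys)
    while len(res) > 1 and res[-1] == 0:
        res.pop()                             # the degree drops when h has zeros at infinity
    return [c * pow(res[-1], -1, P) % P for c in res]

def deflate(chi, s):
    """Synthetic division of chi by (S - s): returns (quotient, remainder)."""
    acc, rows = 0, []
    for c in reversed(chi):
        acc = (acc * s + c) % P
        rows.append(acc)
    return rows[-2::-1], rows[-1]

def multiplicity(chi, s):
    """Multiplicity of s as a root of chi."""
    m = 0
    while len(chi) > 1 and deflate(chi, s)[1] == 0:
        chi, m = deflate(chi, s)[0], m + 1
    return m

def smooth_part(chi_tilde, node_roots):
    """chi_tilde / chi_E^2 with chi_E = prod (S - s); None plays the role of "fail"."""
    chi = chi_tilde
    for s in node_roots:
        if multiplicity(chi, s) != 2:   # > 2 would leave GCD(chi, chi_E) != 1
            return None
        chi = deflate(deflate(chi, s)[0], s)[0]
    return chi

# Constructed inputs: nodal cubic X^3 + Y^3 - X*Y (node at the origin) and three choices of h.
Q, LAM, NODE_ROOTS = {(3, 0): 1, (0, 3): 1, (1, 1): P - 1}, 2, [0]
CASES = {"Y - X": {(0, 1): 1, (1, 0): P - 1},   # valuation 1 on each branch at the node
         "Y": {(0, 1): 1},                      # tangent to one branch: valuations 2 and 1
         "X + Y": {(0, 1): 1, (1, 0): 1}}       # also meets the curve at infinity

if __name__ == "__main__":
    for name, h in CASES.items():
        print(name, resultant_in_S(Q, h, LAM), smooth_part(resultant_in_S(Q, h, LAM), NODE_ROOTS))
```

For h = Y - X the node root 0 has multiplicity 2 and the cleaned polynomial is S - 52, the projection of the smooth point (1/2, 1/2); for h = Y the multiplicity is 3 and the cleaning step reports failure; for h = X + Y the resultant has degree 2 < 3, which is the zero-at-infinity criterion stated above.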
Function CompPrincDiv;
Data: A squarefree bivariate q ∈ k[X, Y] such that deg(q) = deg_Y(q), a bivariate polynomial h ∈ k[X, Y], and a representation (λ_E, χ_E, u_E, v_E, T_E) of the nodal divisor.
Result: A primitive element representation (λ, χ(S), u(S), v(S)) of the smooth part of the principal effective divisor (h) or “fail”.
λ ← Random(k);
if λ = 0 or if the coefficient of Y^deg(q) in q((S − Y)/λ, Y) ∈ k[S][Y] is 0 then
    Return “fail”
end
if T_E(λ) = 0 then
    Return “fail”; /* Ensures that (1, −λ) is not tangent to the curve at any node. */
end
(χ̂_E, û_E, v̂_E) ← ChangePrimEltNodal(λ, λ_E, χ_E, u_E, v_E);
/* ChangePrimEltNodal is the same algorithm as ChangePrimElt, but we skip the first test (which would fail on the nodal divisor). */
χ̃(S) ← Resultant_Y(q((S − Y)/λ, Y), h((S − Y)/λ, Y));
a ( S ) + Y a ( S ) ← FirstSubRes_Y(q((S − Y)/λ, Y), h((S − Y)/λ, Y));
χ ← χ̃/χ̂_E^2;
if GCD(χ, χ̂_E) ≠ 1 then
    Return “fail”
end
if GCD( a ( S ) , χ(S)) ≠ 1 then
    Return “fail”
end
v(S) ← − a ( S ) · a ( S ) − mod χ(S);
u(S) ← (S − v(S))/λ;
if GCD(∂q/∂X(u(S), v(S)) − λ ∂q/∂Y(u(S), v(S)), χ(S)) ≠ 1 then
    Return “fail”
end
Return (λ, χ(S), u(S), v(S)).

Algorithm 7: Computing a primitive element representation of the smooth part of (h).

Proof of Proposition 5.3. In order to prove Proposition 5.3, we must prove that the output (λ, χ, u, v) satisfies (Div-H1) to (Div-H3) and that the two ideals ⟨h⟩ : I_E^∞ ⊂ k[C] and ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ ⊂ k[C] are equal, where I_E is the radical ideal of k[C] which encodes the algebraic set of the nodes. (Div-H2) follows directly from the definitions of u(S) and v(S) in Algorithm 7. To prove (Div-H1), we shall prove that the equality holds modulo (S − s)^γ for any root s ∈ k of χ of multiplicity γ. A classical property of the subresultants is that they belong to the ideal generated by the input polynomials. This implies that for any root s ∈ k of χ̃ we have a ( S ) + Y a ( S ) ∈ ⟨q((S − Y)/λ, Y), h((S − Y)/λ, Y)⟩ ⊂ k[[S − s]][Y]. If the algorithm does not fail, then a ( S ) is invertible modulo χ(S). Consequently, it is also invertible in k[[S − s]] for any root s ∈ k of χ and hence Y + a ( S ) a ( S ) − ∈ ⟨q((S − Y)/λ, Y), h((S − Y)/λ, Y)⟩ ⊂ k[[S − s]][Y]. Therefore, the GCD of q((S − Y)/λ, Y) and h((S − Y)/λ, Y) in Frac(k[[S − s]])[Y] divides Y + a ( S ) a ( S ) − . But we also know that this GCD is nonconstant, since s is a root of the resultant χ̃. By a degree argument, this GCD equals Y + a ( S ) a ( S ) − and hence q (( S + a ( S ) a ( S ) − ) /λ, − a ( S ) a ( S ) − ) = 0 in k[[S − s]]. Considering this equation modulo (S − s)^γ and using the CRT over all the roots of χ finishes the proof of (Div-H1). Finally, (Div-H3) is explicitly tested and hence it must be satisfied if the algorithm does not fail.

It remains to prove the equality of the ideals ⟨h⟩ : I_E^∞ ⊂ k[C] and ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ ⊂ k[C]. Using the isomorphism between k[X, Y]/⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ and k[S]/χ(S) (see Proposition 3.2), the elements in ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ are precisely the classes of the bivariate polynomials ψ(X, Y) ∈ k[X, Y] such that ψ ( u ( S ) , v ( S )) ≡ χ ( S ) . Using a proof identical to that of (Div-H1) we get that h ( u ( S ) , v ( S )) ≡ χ ( S ) which proves that ⟨h⟩ ⊂ ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩.
Saturating on both sides, we get that ⟨h⟩ : I_E^∞ ⊂ ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ : I_E^∞ = ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩, where the last equality comes from the fact that GCD(χ, χ̂_E) = 1. For the other inclusion, we use [2, Prop. 9.1], which implies that ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ ⊂ ⟨h⟩ : I_E^∞ if this inclusion holds in the local ring associated to any maximal ideal m ⊂ k[C] which contains ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩. Over k, these maximal ideals have the form ⟨λX + Y − s, X − u(s), Y − v(s)⟩, where s ∈ k is a root of χ. The assumption GCD(∂q/∂X(u(S), v(S)) − λ ∂q/∂Y(u(S), v(S)), χ(S)) = 1 ensures that all these maximal ideals correspond to nonsingular points, and hence the associated local rings are discrete valuation rings. For s ∈ k a root of χ, let y , . . . , y_deg(C) be the roots of the univariate polynomial q((s − Y)/λ, Y) ∈ k[Y]. Let m_i denote the intersection multiplicity of h at the point ((s − y_i)/λ, y_i) of C. Since GCD(∂q/∂X(u(S), v(S)) − λ ∂q/∂Y(u(S), v(S)), χ(S)) = 1, we obtain that the vector (1, −λ) is not tangent to C at any of these points. Lemma 5.4 then gives that m + · · · + m_deg(C) = α, where α is the multiplicity of the root s in χ. Let k be the integer such that y_k = v(s). Then m_k ≤ α, which shows that we have ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ ⊂ ⟨h⟩ : I_E^∞ in the local ring at the point (u(s), v(s)). The statement [2, Prop. 9.1] concludes the proof of the inclusion ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ ⊂ ⟨h⟩ : I_E^∞.

The task accomplished by Algorithm NumeratorBasis is similar to what Algorithm Interpolate does: It computes a basis of the vector space of regular functions having prescribed zeros. 
The only difference with Algorithm Interpolate is that Algorithm NumeratorBasis returns a basis of this linear space.

Proposition 5.5. Algorithm 8 (NumeratorBasis) is correct: the nonzero elements g in the kernel of ϕ are not divisible by q and they satisfy (g) ≥ D + E.

Proof. The proof is similar to that of Proposition 5.1.

Function NumeratorBasis;
Data: A positive integer δ, a smooth effective divisor given by a primitive element representation (λ, χ(S), u(S), v(S)), a positive integer d, and the nodal divisor given by (λ_E, χ_E, u_E, v_E, T_E).
Result: A basis of the space of polynomials g ∈ k[X, Y] such that deg(g) ≤ d, deg_Y(g) < δ and the associated divisor satisfies (g) ≥ D + E.
Construct the matrix representing the linear map
    ϕ : {f ∈ k[X, Y] | deg(f) ≤ d, deg_Y(f) ≤ δ} → k[S]_{<deg(χ)} × k[S]_{<deg(χ_E)}
defined as ϕ(f(X, Y)) = (f(u(S), v(S)) mod χ(S), f(u_E(S), v_E(S)) mod χ_E(S));
Compute and return a basis of the kernel of ϕ.

Algorithm 8: Computing a basis of the vector space of regular functions g ∈ k[C] of degree δ such that (g) ≥ D + E.

All complexity bounds count the number of arithmetic operations (additions, subtractions, multiplications, divisions) in k, all at unit cost. We do not include in our complexity bounds the cost of generating random elements, nor the cost of monomial manipulations, nor multiplications by fixed integer constants. In particular, we do not include in our complexity bounds the cost of computing the partial derivatives of a polynomial. We use the classical O() and Õ() notation, see e.g. [28, Sec. 25.7]. The notation M(n) stands for the number of arithmetic operations required in k to compute the product of two univariate polynomials of degree n with coefficients in k. By [7], M(n) = O(n log n log log n). In the sequel, ω is a feasible exponent for matrix multiplication, i.e. 
ω is such that there is an algorithm for multiplying two N × N matrices with entries in k within O(N^ω) arithmetic operations in k. The best known bound is ω < . [19]. In the following, we make the assumption that ω > .

Proposition 6.1. Algorithm 2 (ChangePrimElt) requires at most O(deg(χ)^ω) arithmetic operations in k.

Proof. In order to construct the matrix M in Algorithm 2, we must compute the remainders S^i · (λ̃u(S) + v(S)) mod χ(S) for i ∈ { , . . . , deg( χ ) − }. Each of these computations costs O(M(deg(χ))) arithmetic operations, so the total cost of constructing the matrix M is bounded by O(deg(χ) M(deg(χ))), which is bounded above by O(deg(χ)^ω). Computing the characteristic polynomial of M can be done within O(deg(χ)^ω) arithmetic operations [21]. We emphasize that in [21], it is assumed that the cardinality of k is at least χ ) , so that the probability of failure is bounded by / . In fact, using the same algorithm and the same proof as in [21], the assumption on the cardinality of k can be removed but the probability of failure will then only be bounded by deg( χ ) / |E|, where E ⊂ k is a finite subset in which we can draw elements uniformly at random. We will incorporate this probability of failure for the computation of the characteristic polynomial in our bound for the probability of failure of the main algorithm, see the proof of Theorem 7.8.

Constructing the matrix N is done by computing successively the remainders (λ̃u(S) + v(S))^i mod χ(S) for i ∈ { , . . . , deg( χ ) − } at a total cost of O(deg(χ) M(deg(χ))) which is again bounded by O(deg(χ)^ω). Finally, inverting N and applying the inverse linear map can be done using O(deg(χ)^ω) operations in k by using [5].

Proposition 6.2. Algorithm 3 (HenselLiftingStep) requires at most O (deg( q ) M(deg( χ ))) arithmetic operations in k.

Proof. 
Algorithm 3 consists in evaluations of q and its partial derivatives at (u(S), v(S)), together with finitely many arithmetic operations in k[S]/χ(S). Each of the arithmetic operations modulo χ costs O(M(deg(χ))) arithmetic operations in k. Evaluating q at (u(S), v(S)) modulo χ(S) can be done by computing the remainders u(S)^i v(S)^j mod χ(S) for all (i, j) ∈ Z ≥ such that i + j ≤ deg(q), then by multiplying these evaluations by the corresponding coefficients in q and by summing them. Computing all the modular products can be done within O (deg( q ) M(deg( χ ))) operations in k, by considering the pairs (i, j) in increasing lexicographical ordering. Multiplying by the coefficients and summing then costs O (deg( q ) deg( χ )) arithmetic operations in k. Computing the evaluations of the partial derivatives of q is done similarly and it has a similar cost.

Footnote: If ω = 2, then the O() in Theorem 6.8 should be replaced by Õ().

Proposition 6.3. Algorithm 4 (AddDivisors) requires at most O (deg( q ) M( ν ) + ν^ω) arithmetic operations in k, where ν = max(deg( χ ) , deg( χ )).

Proof. Algorithm 4 starts by two calls to the function ChangePrimElt, with respective costs O(deg( χ )^ω) and O(deg( χ )^ω) by Proposition 6.1. The polynomial GCD( χ̂ , χ̂ ) can be computed at cost O(M(ν) log(ν)) using the fast GCD algorithm [28, Coro. 11.9]. The product χ̂ in Algorithm 4 and the LCM are then also computed at costs O(M(ν)) and O(M(ν) log(ν)). The XCRT can be computed at cost O(M(ν) log(ν)) by using Equation (2) together with the fact that Bézout coefficients can be computed within quasi-linear complexity [28, Coro. 11.9]. Finally, the Hensel lifting step can be achieved at cost O (deg( q ) M( ν )) by Proposition 6.2.

Proposition 6.4. Algorithm 5 (SubtractDivisors) requires at most O(ν^ω) arithmetic operations in k, where ν = max(deg( χ ) , deg( χ )).

Proof. 
Most of the steps of Algorithm 5 are similar to steps of Algorithm 4, except that Hensel lifting is not required here. The complexity analysis is similar and we refer to the proof of Proposition 6.3. The only step which does not appear in Algorithm 4 is the exact division of χ̂ by the GCD. The cost of this step does not hinder the global complexity since exact division of polynomials can be done in quasi-linear complexity [28, Thm. 9.1].

In practice, if k is sufficiently large, then choosing a global value for λ and using the same value for all the representations of divisors would succeed with large probability. In this case, we do not need to call the function ChangePrimElt within Algorithms AddDivisors and SubtractDivisors. This would decrease significantly the complexities of AddDivisors and SubtractDivisors. In any case, this would not change the global asymptotic complexity of Algorithm 1.

Proposition 6.5. Algorithm 6 (Interpolate) requires at most O((deg(χ) + r)^ω) arithmetic operations in k and it returns a polynomial of degree less than (deg(χ) + r)/δ + δ.

Proof. First, we recall that deg(χ_E) = r. The computation of the degree d does not cost any arithmetic operations in k. The construction of the matrix representing the linear map ϕ can be done by computing all the modular products u(S)^i v(S)^j modulo χ(S) and χ_E for pairs (i, j) such that i + j ≤ d and j < δ. Lemma 5.2 states that the number of such pairs is bounded above by χ ) + r ) . By considering the pairs (i, j) in increasing lexicographical ordering, computing all these modular products can be done within O((deg(χ) + r) M(deg(χ) + r)) operations in k. Then, since both dimensions of the matrix are in O(deg(χ) + r), computing a basis of the kernel can be done at cost O((deg(χ) + r)^ω) (for instance via a row echelon form computation, see [24, Thm. 2.10]).

Next, we show the bound on the degree of the polynomial returned. 
By construction, the inequality deg(h) ≤ d holds so it suffices to show that d < (deg(χ) + r)/δ + δ. If binom(δ + 1, 2) ≤ (deg(χ) + r), we have d = ⌊ (deg( χ ) + r ) /δ + ( δ − / ⌋ < (deg(χ) + r)/δ + δ. Otherwise, d = ⌊ ( p χ ) + r ) − / ⌋ < δ < (deg(χ) + r)/δ + δ by direct computations. In both cases, we have deg(h) < (deg(χ) + r)/δ + δ.

Proposition 6.6. Algorithm 7 (CompPrincDiv) requires at most Õ (max(deg( q ) , deg( h )) · min(deg( q ) , deg( h ))) arithmetic operations in k.

Proof. The two costly steps in Algorithm 7 are the computations of the resultant and of the subresultant of two bivariate polynomials. This can be done within Õ (max(deg( q ) , deg( h )) · min(deg( q ) , deg( h ))) operations using [28, Coro. 11.21]. The Bézout bound implies that the degree of the resultant χ̃(S) is at most deg(q) deg(h), hence the complexities of all the other steps are quasi-linear in deg(q) deg(h), which is negligible compared to the cost of the computation of the resultant and the subresultant.

We point out that the complexity of computing resultants and subresultants of bivariate polynomials has been recently improved in [26, 25] under some genericity assumptions. However, since the cost in Proposition 6.6 will be negligible in the global complexity estimate, we make no effort to optimize it further.

Divisor    Degree
D_h        < deg( C ) + deg( D_+ )
D_res      < deg( C )
D_num      < deg( C ) + deg( D_+ )

Subroutine          Complexity
Interpolate         O ((deg( D_+ ) + r ) ω )
CompPrincDiv        Õ (max(deg( C ) , (deg( D_+ ) + r ) / deg( C )))
SubtractDivisors    O (max(deg( C ) ω , (deg( D_+ )) ω ))
AddDivisors         O (max(deg( C ) ω , (deg( D_+ )) ω ))
NumeratorBasis      O (max(deg( C ) ω , deg( D_+ ) ω ))

Table 1: Degrees of divisors and complexities of the subroutines in terms of the input size.

Proposition 6.7. Algorithm 8 (NumeratorBasis) requires at most O((deg(χ) + r)^ω) arithmetic operations in k.

Proof. 
By Lemma 5.2, the domain of the map ϕ has dimension O(deg(χ) + r). Using the monomial basis, the matrix representing the map ϕ can be constructed within Õ ((deg( χ )+ r ) ) operations by doing as in the proof of Proposition 6.5. Similarly to the proof of Proposition 6.5, a basis of the kernel of this matrix can be obtained by computing first a row echelon form of the matrix within O((deg(χ) + r)^ω) operations [24, Thm. 2.10].

All the complexities and the degree estimates computed in this section are summed up in Table 1. For bounding the degree of D_num = D_res + D_−, we use the fact that we can assume without loss of generality that deg(D_−) ≤ deg(D_+), since otherwise L(D_+ − D_−) is reduced to . Summing all the complexity bounds yields the global complexity bound:

Theorem 6.8. Algorithm 1 (RiemannRochBasis) requires at most O (max(deg( C ) ω , deg( D_+ ) ω )) arithmetic operations in k.

Proof. A direct consequence of Propositions 6.3, 6.4, 6.5, 6.6 and 6.7 is that the complexity of Algorithm 1 is bounded by O (max(deg( C ) ω , (deg( D_+ ) + r ) ω )). The proof is concluded by noticing that r = O (deg( C ) ) since g = ( deg( C ) − ) − r is nonnegative.

In this section, we examine all possible sources of failures for the main algorithm. In fact, if the assumptions detailed in Section 2 are satisfied, then failure can only come from a bad choice of an element picked at random. 
More precisely, we show that these bad choices can be characterized algebraically and that they are included in the set of roots of polynomials. Bounding the degrees of these polynomials provides us with lower bounds on the probability of success if random elements in k are picked uniformly at random in a finite subset E ⊂ k.

First, we investigate which values of λ make Algorithm 2 (ChangePrimElt) fail: These are the values of λ such that there is a line of equation λX + Y + γ for some γ ∈ k which goes either through two distinct points in the support of the input divisor, or which is tangent to C at a point in the support of the divisor.

Proposition 7.1. Given an effective divisor D = (λ, χ, u, v), the set of λ̃ ∈ k such that Algorithm 2 (ChangePrimElt) with input D, λ̃ fails is contained in the set of roots of a nonzero univariate polynomial with coefficients in k of degree at most binom(deg(χ) + 1, 2).

Proof. There are two possible sources of failures for Algorithm 2: if the vector (1, −λ̃) is tangent to the curve C at one of the points in the support of the effective divisor (first test) or if λ̃X + Y is not a primitive element (second test).

Let J = ⟨χ(λX + Y), X − u(λX + Y), Y − v(λX + Y)⟩ ⊂ k[C] be the ideal associated to the effective divisor D, and let ∆ be the polynomial given by Lemma 3.6 for J. By construction, the polynomial ∆ satisfies the wanted properties.

Before investigating Algorithms 4 and 5 (AddDivisors and SubtractDivisors), we need a technical lemma.

Lemma 7.2. Let φ : R → S be a surjective morphism of finite k-algebras, and let z be a primitive element for R. Then φ(z) is a primitive element for S.

Proof. Since φ is surjective, any element y ∈ S equals φ(x) for some x ∈ R. Since z is primitive, there exists a univariate polynomial w(S) ∈ k[S] such that x = w(z). Consequently, y = φ(w(z)) = w(φ(z)). Therefore, φ(z) is primitive for S.

Proposition 7.3. 
For a given input ( q, D , D ) of Algorithm 4 (AddDivisors), the set of λ̂ which makes Algorithm 4 fail is contained in the set of roots of a nonzero univariate polynomial with coefficients in k and of degree bounded by binom(deg( χ ) + deg( χ ) + 1, 2).

Proof. For i ∈ { , }, consider I_i = ⟨U − u_i(S), V − v_i(S), χ_i(S)⟩ ∩ k[U, V]. Lemma 3.6 for the ideal I · I + ⟨q(U, V)⟩ yields a nonzero polynomial ∆ of degree at most binom(deg( χ ) + deg( χ ) + 1, 2). We will prove that this polynomial satisfies the wanted properties.

By definition, elements λ̂ ∈ k which are not roots of ∆ are such that λ̂U + V is a primitive element for red(k[U, V]/( I · I )) and

GCD( ∂q/∂X ( u ( S ) , v ( S )) − λ̂ ∂q/∂Y ( u ( S ) , v ( S )) , χ ( S ) ) = 1,
GCD( ∂q/∂X ( u ( S ) , v ( S )) − λ̂ ∂q/∂Y ( u ( S ) , v ( S )) , χ ( S ) ) = 1.    (3)

There are three possible sources of failure for Algorithm 4: the two calls to ChangePrimElt, and the conditional test. The fact that the calls to ChangePrimElt succeed is a direct consequence of Lemma 7.2, using the canonical projections red(k[U, V]/( I · I )) → red(k[U, V]/I_i) for i ∈ { , }, see the proof of Proposition 7.1. By Lemma 3.8 and Proposition 4.1, we have that for i ∈ { , }, I_i = ⟨U − û_i(S), V − v̂_i(S), χ̂_i(S)⟩ ∩ k[U, V]. Then λ̂U + V must be a primitive element for red(k[U, V]/I ) and for red(k[U, V]/I ) by Lemma 3.7. Let χ̃ and χ̃ denote the minimal polynomials of λ̂U + V in red(k[U, V]/I ) and red(k[U, V]/I ). Also, set ξ = LCM( χ̃ , χ̃ ). Consequently, χ̃ (λ̂U + V) · χ̃ (λ̂U + V) ∈ √ I · I and ξ is the minimal polynomial of λ̂U + V in red(k[U, V]/( I · I )) = k[U, V]/(√ I ∩ √ I ). 
Since λ̂U + V is a primitive element for red(k[U, V]/( I · I )), then the canonical map red(k[U, V]/( I · I )) → red(k[U, V]/I ) × red(k[U, V]/I ) becomes a map k[S]/ξ(S) → k[S]/χ̃ (S) × k[S]/χ̃ (S). This implies that there exists an element ũ ∈ k[S]/ξ(S) (which is in fact the class of U in red(k[U, V]/( I · I ))) such that ũ ≡ û mod χ̃ and ũ ≡ û mod χ̃ . As a consequence, û ≡ û mod GCD( χ̃ , χ̃ ). Using Hensel’s lemma, the property (Div-H3) and the CRT, we obtain that the equation q(u(S), S − λu(S)) = 0 has a unique solution s in k[S]/GCD( χ̂ (S), χ̂ (S)) such that s ≡ û ≡ û mod GCD( χ̃ , χ̃ ). By (Div-H1), both û and û are solutions, and therefore û ≡ û mod GCD( χ̂ , χ̂ ), which shows that the last conditional test succeeds.

Proposition 7.4. For a given input ( q, D , D ) of Algorithm 5 (SubtractDivisors), the set of λ̂ which makes Algorithm 5 fail is contained in the set of roots of a nonzero univariate polynomial with coefficients in k and of degree bounded by binom(deg( χ ) + deg( χ ) + 1, 2).

Proof. The proof is similar to the first part of the proof of Proposition 7.3. With the same notation as in the proof of Proposition 7.3, Algorithm 5 fails only if λ̂U + V is not a primitive element for red(k[U, V]/( I · I )) or if the vector (1, −λ̃) is tangent to the curve at one of the points in the support of one of the divisors. Using a proof similar to that of Proposition 7.3, this happens only when λ̂ is in the set of roots of the nonzero polynomial of degree at most binom(deg( χ ) + deg( χ ) + 1, 2) provided by Lemma 3.6 for the ideal I · I + ⟨q(U, V)⟩.

Next, we wish to bound the probability that Algorithm 7 (CompPrincDiv) fails. Before stating the next proposition, we recall the second assumption that we have made on the input divisor and which is described in Section 2. 
It ensures the existence of a form h ∈ k[C] of given degree such that (h) ≥ D_+ + E and (h) − E is smooth. With the notation in the following proposition, this assumption precisely means that A ≠ ker(ϕ) ⊗_k k.

Proposition 7.5. Let A ⊂ ker(ϕ) ⊗_k k ⊂ k[X, Y] be the subset of all the regular functions h in the kernel of ϕ in Algorithm 6 which are such that D_h = (h) − E is not a smooth divisor. If A ≠ ker(ϕ), then A is contained in the join of at most r hyperplanes in ker(ϕ) ⊗_k k. Consequently, there is a nonzero polynomial in k[Z , . . . , Z_dim(ker(ϕ))] of degree at most r which vanishes at values ( µ , . . . , µ_dim(ker(ϕ))) for which the third test in Algorithm 7 fails for all λ ∈ k.

Proof. If D_h involves a point P of C̃ which projects to a node, then (h) ≥ E + P. The set of regular functions h of a given degree which satisfy (h) ≥ E + P is a linear space. The set of such h in ker(ϕ) ⊗_k k forms a proper subspace since A ≠ ker(ϕ) ⊗_k k. Consequently, it is contained in a hyperplane. Such a hyperplane H can be described by a linear form ψ in k[Z , . . . , Z_dim(ker(ϕ))] such that ψ( µ , . . . , µ_dim(ker(ϕ))) = 0 if and only if Σ_{i=1}^{dim(ker(ϕ))} µ_i b_i ∈ H, where b , . . . , b_dim(ker(ϕ)) is a basis of ker(ϕ).

Iterating this argument over all the r points of the nonsingular model C̃ which project to nodes, we obtain that A is contained in the join of r hyperspaces. Multiplying the r corresponding linear forms in k[Z , . . . , Z_dim(ker(ϕ))] proves the last sentence of the proposition.

Proposition 7.6. The set of values of λ which make the first test in Algorithm 7 fail is contained within the set of roots of a nonzero univariate polynomial with coefficients in k of degree deg(C) + 1.

Proof. Writing q̃(S, Y) = q((S − Y)/λ, Y), the first test fails if λ = 0 or if the coefficient of the monomial Y^deg(C) in q̃ vanishes. 
Writing explicitly the change of variables, we obtain that this coefficient equals Σ_{i=0}^{deg(C)} ( − /λ )^i q_{i,deg(C)−i}, where q_{i,j} stands for the coefficient of X^i Y^j in q. Multiplying by λ^{deg(C)+1} clears the denominator and adds the root to exclude the case λ = 0; this provides a polynomial satisfying the desired properties.

Algorithm           Failure probability                          Statement
ChangePrimElt       deg( D ) / |E|                               Prop. 7.1
AddDivisors         O (max(deg( D ) , deg( D )) / |E| )          Prop. 7.3
SubtractDivisors    O (max(deg( D ) , deg( D )) / |E| )          Prop. 7.4
CompPrincDiv        O (deg( C ) deg( h ) / |E| )                 Prop. 7.5, Prop. 7.7, Schwartz-Zippel lemma [22, Coro. 1]

Table 2: Probabilities of failure.

Proposition 7.7. Let h ∈ k[C] be a regular function such that the support of (h) − E does not contain any singular point. Then the set of λ which makes Algorithm 7 (CompPrincDiv) with input q, h fail is contained in the set of roots of a nonzero univariate polynomial with coefficients in k and of degree bounded by binom(deg(C) deg(h) + 1, 2) + 2r + deg(C) + 1.

Proof. First, let ∆ be the univariate polynomial constructed in Proposition 7.6. The first test in Algorithm 7 does not fail only if λ is not a root of ∆ .

The second test in Algorithm 7 fails only if λ is a root of T_E.

By Bézout theorem, the effective divisor (h) has degree at most deg(C) deg(h). Therefore, Lemma 3.5 for the ideal √⟨q, h⟩ yields a nonzero polynomial ∆ of degree at most binom(deg(C) deg(h), 2) such that the set of λ such that λX + Y is not a primitive element for red(k[C]/⟨h⟩). Since (h) ≥ E, the fact that ∆ (λ) ≠ 0 implies that λX + Y is a primitive element for the k-algebra associated to the nodal divisor, and hence the call to the function ChangePrimEltNodal in Algorithm 7 does not fail. Since by assumption (h) − E is smooth, this also implies that the roots of χ̂_E are roots of χ with multiplicity exactly by Lemma 5.4. 
Consequently, if λ is not a root of ∆ , then GCD(χ, χ̂_E) = 1 and therefore the third test in Algorithm 7 must succeed.

Finally, Lemma 3.6 for the ideal √⟨q, h⟩ : I_E^∞ ⊂ k[C] yields a nonzero polynomial ∆ of degree at most binom(deg(C) deg(h) + 1, 2) such that the set of λ such that λX + Y is not a primitive element for red(k[C]/⟨h⟩) or such that the last test in Algorithm 7 fails is contained within the set of roots of ∆ .

We claim that the product ∆ · ∆ · ∆ · T_E satisfies the required properties. To prove this claim, it remains to show that if λ is not a root of ∆ · ∆ · ∆ · T_E, then the fourth test succeeds, i.e. a ( S ) is invertible modulo χ(S).

To this end, we notice that a ( S ) is invertible modulo χ(S) if and only if a ( s ) is nonzero for any root s ∈ k of χ(S). By [8, Cor. 5.1], this is equivalent to the fact that the GCD of the polynomials q((s − Y)/λ, Y), h((s − Y)/λ, Y) has degree for any root s of χ(S). Next, we note that if λ is not a root of ∆ , then any common root y of q((s − Y)/λ, Y) and h((s − Y)/λ, Y) has multiplicity in q((s − Y)/λ, Y): Indeed, the vanishing of the derivative ∂/∂Y of q((s − Y)/λ, Y) at Y = y would precisely mean that the vector (1, −λ) is tangent to the curve at the intersection point, which is impossible by definition of ∆ . Consequently, the GCD of the polynomials q((s − Y)/λ, Y), h((s − Y)/λ, Y) must be squarefree. Finally, let y , y ∈ k be two common roots of q((s − Y)/λ, Y), h((s − Y)/λ, Y). This means that (( s − y ) /λ, y ) and (( s − y ) /λ, y ) are two common zeros of q(X, Y) and h(X, Y). Since λ is not a root of ∆ , λX + Y is a primitive element for red(k[C]/⟨h⟩) = k[X, Y]/⟨q, h⟩, which implies that λX + Y takes distinct values at all points (x, y) in the variety associated to the system h(X, Y) = q(X, Y) = 0 (the endomorphism of multiplication by λX + Y must have distinct eigenvalues, see e.g. 
the proof of Lemma 3.5 for more details). In particular, this means that y = y , since λX + Y takes the same value s at (( s − y ) /λ, y ) and (( s − y ) /λ, y ). Consequently, the GCD of the polynomials q((s − Y)/λ, Y), h((s − Y)/λ, Y) is a squarefree polynomial with at most one root, hence it has degree at most . Since Resultant(q((s − Y)/λ, Y), h((s − Y)/λ, Y)) vanishes and the coefficient of Y^deg(q) in q((S − Y)/λ, Y) is nonzero because λ is not a root of ∆ , this GCD must have degree at least . Therefore, this GCD has degree exactly , and hence a ( S ) is invertible modulo χ(S).

Finally, we can derive our bound on the probability that the toplevel algorithm fails by summing the probabilities that the subroutines fail.

Theorem 7.8. Let E ⊂ k be a finite set. Assume that each call to the function Random(k) is done by picking an element uniformly at random in E. Then the probability that Algorithm 1 fails is bounded above by O (max(deg( C ) , deg( D_+ ) ) / |E| ).

Proof. Propositions 7.3, 7.4, together with the fact that the number of roots in k of a univariate polynomial is bounded by its degree, directly imply that the probabilities of failure of Algorithms AddDivisors and SubtractDivisors are bounded by O (max(deg( D ) , deg( D )) / |E| ), if the computation of the characteristic polynomial in Algorithm ChangePrimElt succeeds. Following [21] (see also the remark in the proof of Proposition 6.1), the probability that the computation of the characteristic polynomial in ChangePrim fails is bounded by deg( χ ) / |E|. Therefore, the probabilities that Algorithms AddDivisors and SubtractDivisors fail are still bounded by O (max(deg( D , D )) / |E| ) when we take into account the probability that the computations of the characteristic polynomials fail. Notice that our second technical assumption (described in Section 2) on the input divisor ensures that A ≠ ker(ϕ) in Proposition 7.5. 
Using Proposition 7.5, Schwartz-Zippel lemma [22, Coro. 1], Proposition 7.7, together with the fact that r ≤ ( deg( C ) − ), we bound the probability that CompPrincDiv fails by O (deg( C ) deg( h ) / |E| ).

The failure probabilities are summed up in Table 2. Next, notice that the probability of failure of Algorithm 1 is bounded by the sum of the probabilities of the subroutines. Finally, the proof is concluded by using the inequality deg(h) < (deg(D_+) + r)/deg(C) + deg(C) (Proposition 6.5) and the degree bounds in Table 1 for the divisors arising in Algorithm 1.

Deciding whether the assumptions on the input divisor are satisfied. The result in Theorem 7.8 only holds true if the assumptions on the input divisor described in Section 2 are satisfied. The first assumption — namely, the smoothness of the input divisor — can be easily checked, so we focus here on deciding whether the second assumption is satisfied or not. Namely, this assumption requires the existence of a form h ∈ k[C] of degree d — where d is the value computed during the execution of Algorithm Interpolate — such that (h) ≥ D_+ + E and (h) − E is smooth. In order to have a complete Las Vegas algorithm, we need to be able to check whether this condition is satisfied. To this end, instead of returning only one form during Algorithm Interpolate, we can return a basis ( h , . . . , h_ℓ ) of the forms h such that (h) ≥ D_+ + E. Then, we check if there exists a point above a node which is simultaneously in the support of all the divisors {(h_i) − E} for i ∈ { , . . . , ℓ }. This boils down to computing primitive element representations of the principal divisors ( h ) , . . . , ( h_ℓ ), which is done by running on these ℓ forms a modified version of Algorithm CompPrincDiv where the last test is removed in order to allow singular points. 
Each execution of Algorithm CompPrincDiv costs Õ(max(deg(C), (deg(D+) + r) / deg(C))) operations in k, and thus — using the fact that ℓ = O(deg(D+) + deg(C)) — the total cost of the procedure is bounded above by Õ(max(deg(C), deg(D+) / )). Therefore, in theory, running this decision procedure increases the overall complexity stated in Theorem 6.8 since the best known value of ω is less than / . However, in practice this does not change the asymptotic complexity since practical algorithms for linear algebra rely on Gauss or Strassen approaches; in this case, ω > / , and hence the cost of this verification procedure is negligible compared to the global complexity of our algorithm. Multiplying the probability of failure of Algorithm CompPrincDiv by the number of basis vectors yields the bound O(max(deg(D+), deg(C)) / |E|) for the probability of failure of this verification procedure.

We have implemented Algorithm 1 in C++ for k = Z/pZ, relying on the NTL library for all operations on univariate polynomials and for linear algebra. We have also implemented the group law on the Jacobian of a curve via Riemann-Roch space computations. Our software rrspace is freely available at https://gitlab.inria.fr/pspaenle/rrspace and it is distributed under the LGPL-2.1+ license.

All the experiments presented below have been conducted on an Intel(R) Core(TM) i5-6500 [email protected] with 16GB RAM. The comparisons with the computer algebra system Magma have been done with its version V2.23-8.

Our first experimental data is generated as follows. We set k = Z / Z. For i from 10 to 100, we consider a curve C defined by a random bivariate polynomial of degree over k, and we generate i random irreducible k-defined effective divisors D , ..., D_i of degree on by using the RandomPlace() function in Magma. Then we set D = D + ··· + D_i and we measure the time used for computing a basis of L(D) by using either Magma via its function RiemannRochSpace() or the software rrspace. The experimental results are displayed in the left part of Figure 1. For these parameters, we observe that rrspace has a speed-up larger than compared to Magma. Since we do not have access to the implementation of the function RiemannRochSpace() in Magma, we cannot explain the small variations which appear in the Magma timings.

[Plots: time in seconds against degree of the divisor; series Magma and rrspace.]
Figure 1: Comparison of the time required by rrspace and Magma to compute a basis of L(D) on a fixed smooth curve of degree over Z / Z. On the left, D is the sum of random irreducible effective divisors of degree . On the right, D is a multiple of an irreducible divisor of degree . Both axes are in logarithmic scale.

[Plots: time in seconds against degree of the divisor; series Magma and rrspace.]
Figure 2: Comparison of the time required by rrspace and Magma to compute a basis of L(D) on a fixed curve of degree , where D is the sum of random irreducible effective divisors of degree . On the left, the base field is Z / Z and the curve is nodal. On the right, the base field is Z / (2 − Z and the curve is smooth. Both axes are in logarithmic scale.

Our second experimental data investigate the behavior of our algorithm when the input divisor contains multiplicities. To this end, we generate the input divisor as a multiple of a random place of degree on the curve. The experimental results are displayed in the right part of Figure 1.
For these parameters, we observe that rrspace has a speed-up larger than compared to Magma.

Our third experimental data study the behavior of our algorithm in the presence of nodes. To this end, we fix the following nodal curve defined by the equation Q(X, Y, Z) = − Y Z + X Z + Y Z − X Z + X − Y + 3 X Y which has a node at the origin and we generate input divisors as for the first experimental data. The experimental results are displayed in the left part of Figure 2. For these parameters, we observe that rrspace has a speed-up larger than compared to Magma.

Finally, since the timings are very sensitive to the efficiency of the linear algebra routines, we study what happens for larger finite fields. The fourth experimental data are generated as for our first experimental data, but we replace the field Z / Z by the field Z / (2 − Z. Here, the size of the field is out of the range of the highly optimized arithmetic in Magma for small finite fields, and consequently we observe speedups larger than (the speedup goes up to more than for some examples). The experimental results are displayed in the right part of Figure 2.

References

[1] E. Arbarello, M. Cornalba, P. Griffiths, and J. Harris. Geometry of algebraic curves: volume I. Springer Science & Business Media, 1985.
[2] M. Atiyah and I. Macdonald. Introduction to commutative algebra. Addison-Wesley, 1969.
[3] L. Babai. Monte-Carlo algorithms in graph isomorphism testing. Université de Montréal, Technical Report, 1979.
[4] W. Bosma, J. Cannon, and C. Playoust. The Magma algebra system. I. The user language. J. of Symbolic Computation, 24(3-4):235–265, 1997.
[5] J. R. Bunch and J. E. Hopcroft. Triangular factorization and inversion by fast matrix multiplication. Mathematics of Computation, 28(125):231–236, 1974.
[6] J. Canny. Some algebraic and geometric computations in PSPACE. In Proc. of the twentieth annual ACM Symposium on Theory of Computing (STOC), pages 460–467. ACM, 1988.
[7] D. G. Cantor and E. Kaltofen. On fast multiplication of polynomials over arbitrary algebras. Acta Informatica, 28(7):693–701, 1991.
[8] M. El Kahoui. An elementary approach to subresultants theory. J. of Symbolic Computation, 35(3):281–292, 2003.
[9] W. Fulton. Algebraic curves: an introduction to algebraic geometry. Version of Jan. 28, 2008.
[10] M. Giusti, G. Lecerf, and B. Salvy. A Gröbner free alternative for polynomial system solving. J. of Complexity, 17(1):154–211, 2001.
[11] V. D. Goppa. Algebraico-geometric codes. Izvestiya: Mathematics, 21(1):75–91, 1983.
[12] G. Haché. Computation in algebraic function fields for effective construction of algebraic-geometric codes. In Int. Symp. on Applied Algebra, Algebraic Algorithms, and Error-Correcting Codes, pages 262–278. Springer, 1995.
[13] G. Haché and D. Le Brigand. Effective construction of algebraic geometry codes. IEEE Transactions on Information Theory, 41(6):1615–1628, 1995.
[14] F. Hess. Computing Riemann–Roch spaces in algebraic function fields and related topics. J. of Symbolic Computation, 33(4):425–445, 2002.
[15] M.-D. Huang and D. Ierardi. Efficient algorithms for the Riemann-Roch problem and for addition in the Jacobian of a curve. J. of Symbolic Computation, 18(6):519–539, 1994.
[16] J.-P. Jouanolou. Le formalisme du résultant. Advances in Mathematics, 90(2):117–263, 1991.
[17] K. Khuri-Makdisi. Asymptotically fast group operations on Jacobians of general curves. Mathematics of Computation, 76(260):2213–2239, 2007.
[18] D. Le Brigand and J.-J. Risler. Algorithme de Brill-Noether et codes de Goppa. Bulletin de la Société Mathématique de France, 116(2):231–253, 1988.
[19] F. Le Gall. Powers of tensors and fast matrix multiplication. In Proc. of the 39th Int. Symposium on Symbolic and Algebraic Computation, pages 296–303. ACM, 2014.
[20] V. Neiger, J. Rosenkilde, and É. Schost. Fast computation of the roots of polynomials over the ring of power series. In Proc. of the 42nd Int. Symposium on Symbolic and Algebraic Computation, pages 349–356. ACM, 2017.
[21] C. Pernet and A. Storjohann. Faster algorithms for the characteristic polynomial. In Proc. of the 32th Int. Symposium on Symbolic and Algebraic Computation, pages 307–314. ACM, 2007.
[22] J. T. Schwartz. Probabilistic algorithms for verification of polynomial identities. In EUROSAM: Symbolic and Algebraic Computation, pages 200–215. Springer, 1979.
[23] F. Severi. Vorlesungen über algebraische Geometrie. Springer, 1921.
[24] A. Storjohann. Algorithms for matrix canonical forms. PhD thesis, ETH Zurich, 2000.
[25] J. Van Der Hoeven and G. Lecerf. Fast computation of generic bivariate resultants. Preprint, 2019.
[26] G. Villard. On computing the resultant of generic bivariate polynomials. In Proc. of the 43rd Int. Symposium on Symbolic and Algebraic Computation, pages 391–398. ACM, 2018.
[27] E. J. Volcheck. Computing in the Jacobian of a plane algebraic curve. In Int. Algorithmic Number Theory Symposium, pages 221–233. Springer, 1994.
[28] J. Von Zur Gathen and J. Gerhard. Modern computer algebra. Cambridge university press, 2013. Third edition.

Authors’ addresses:
Aude Le Gluher, CARAMBA project, Université de Lorraine; Inria Nancy – Grand Est; CNRS, UMR 7503; LORIA, Nancy, France, [email protected]
Pierre-Jean Spaenlehauer, CARAMBA project, INRIA Nancy – Grand Est; Université de Lorraine; CNRS, UMR 7503; LORIA, Nancy, France, [email protected]@inria.fr
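
The proof of Theorem 7.8 bounds each failure probability by counting the roots of a univariate polynomial and dividing by |E|. The following added example (not from the paper and not part of rrspace) works this argument out on a simplified model of the primitive-element choice: for constructed rational points over Z/pZ, it enumerates exactly the values λ for which λX + Y fails to separate the points and compares the resulting probability with the root-count bound. The function names, the prime p = 10007 and the sample points are assumptions made for the illustration.

```python
import random
from itertools import combinations

def separates(points, lam, p):
    """True if lam*X + Y takes pairwise distinct values on the points."""
    return len({(lam * x + y) % p for x, y in points}) == len(points)

def bad_lambdas(points, p):
    """All lam in Z/pZ for which lam*X + Y collides on two distinct points."""
    bad = set()
    for (x1, y1), (x2, y2) in combinations(points, 2):
        dx, dy = (x1 - x2) % p, (y1 - y2) % p
        if dx == 0:
            continue  # same x, different y: lam*dx + dy = dy != 0 for every lam
        bad.add(-dy * pow(dx, -1, p) % p)  # unique root of lam*dx + dy
    return bad

def failure_probability(points, p, E):
    """Exact probability that a uniform lam in E does not separate the points."""
    bad = bad_lambdas(points, p)
    return sum(lam % p in bad for lam in E) / len(E)

def root_count_bound(n, E):
    """prod_{i<j}(lam*dx_ij + dy_ij) has degree <= n(n-1)/2, hence this bound."""
    return min(1.0, n * (n - 1) / 2 / len(E))

def constructed_points(n, p, seed=0):
    """n distinct points of (Z/pZ)^2 from a seeded generator (constructed data)."""
    rng, pts = random.Random(seed), set()
    while len(pts) < n:
        pts.add((rng.randrange(p), rng.randrange(p)))
    return sorted(pts)

if __name__ == "__main__":
    p = 10007                       # constructed prime, not a value from the paper
    pts = constructed_points(20, p)
    for size in (100, 1000, p):     # E = {0, ..., size-1}
        E = range(size)
        print(size, failure_probability(pts, p, E), root_count_bound(len(pts), E))
```

The bound is vacuous while |E| is smaller than the degree of the product polynomial and tightens linearly as E grows, which is why the theorem asks for a sufficiently large sampling set.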