Computing the Characteristic Polynomial of a Finite Rank Two Drinfeld Module
Yossef Musleh
Cheriton School of Computer Science, University of Waterloo, Waterloo, Ontario, [email protected]
Éric Schost
Cheriton School of Computer Science, University of Waterloo, Waterloo, Ontario, [email protected]
Abstract
Motivated by finding analogues of elliptic curve point counting techniques, we introduce one deterministic and two new Monte Carlo randomized algorithms to compute the characteristic polynomial of a finite rank-two Drinfeld module. We compare their asymptotic complexity to that of previous algorithms given by Gekeler, Narayanan and Garai-Papikian and discuss their practical behavior. In particular, we find that all three approaches represent either an improvement in complexity or an expansion of the parameter space over which the algorithm may be applied. Some experimental results are also presented.
CCS Concepts
• Computing methodologies → Symbolic and algebraic algorithms;
Keywords
Drinfeld module; algorithms; complexity.
ACM Reference Format:
Yossef Musleh and Éric Schost. 2019. Computing the Characteristic Polynomial of a Finite Rank Two Drinfeld Module. In International Symposium on Symbolic and Algebraic Computation (ISSAC ’19), July 15–18, 2019, Beijing, China. ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/3326229.3326256
Drinfeld modules were introduced by Drinfeld in [8] (under the name elliptic modules) to prove certain conjectures pertaining to the Langlands program; they are themselves extensions of a previous construction known as the Carlitz module [3].

In this paper, we consider so-called Drinfeld modules of rank two over a finite field $L$. Precise definitions are given below, but this means that we will study the properties of ring homomorphisms from $\mathbb{F}_q[x]$ to the skew polynomial ring $L\{\tau\}$, where $\tau$ satisfies the commutation relation $\tau u = u^q \tau$ for $u$ in $L$. Here, the rank of such a morphism $\phi$ is the degree in $\tau$ of $\phi(x)$.
Rank two Drinfeld modules enjoy remarkable similarities with elliptic curves: analogues exist of good reduction, complex multiplication, etc. Based in part on these similarities, Drinfeld modules have recently started being considered under the algorithmic viewpoint. For instance, they have been proved to be unsuitable for usual forms of public key cryptography [34]; they have also been used to design several polynomial factorization algorithms [7, 29, 30, 38]; recent work by Garai and Papikian discusses the computation of their endomorphism rings [9]. Our goal is to study in detail the complexity of computing the characteristic polynomial of a rank two Drinfeld module over a finite field.

A fundamental object attached to an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$ is its Frobenius endomorphism $\pi : (x, y) \mapsto (x^q, y^q)$; it is known to satisfy a degree-two relation with integer coefficients called its characteristic polynomial. Much is known about this polynomial: it takes the form $T^2 - hT + q$, for some integer $h$ called the trace of $\pi$, with log (| h |) ≤ log ( q )/ + n extension $L$ of $\mathbb{F}_q$, one can define its Frobenius endomorphism, and prove that it satisfies a degree-two relation $T^2 - AT + B$, where $A$ and $B$ are now in $\mathbb{F}_q[x]$. As in the elliptic case, $B$ is rather easy to determine, and of degree $n$. Hence, our main question is the determination of the polynomial $A$, which is known to have degree at most n / Θ ( n ) coefficients of a , which are known to satisfy certain linear relations. Gekeler detailed such an algorithm in [12]; we will briefly revisit it in order to analyse its complexity, which turns out to be cubic in $n$.
Our main contributions in this paper are several new algorithms with improved runtimes; we also present experimental results obtained by an implementation based on NTL [37].

An implementation of Gekeler’s algorithm was described in [18] and used to study the distribution of characteristic polynomials of Drinfeld modules by computing several thousands of them.

In this section, we introduce notation to be used throughout the paper; we recall the basic definition of Drinfeld modules and state precisely our main problem. For a general reference on these questions, see for instance [15].

2.1 The Fields $\mathbb{F}_q$, $K$ and $L$

In all the paper, $\mathbb{F}_q$ is a given finite field, of order a prime power $q$, and $L \supset \mathbb{F}_q$ is another finite field of degree $n$ over $\mathbb{F}_q$. Explicitly, we assume that $L$ is given as $L = \mathbb{F}_q[z]/f$, for some monic irreducible $f \in \mathbb{F}_q[z]$ of degree $n$. When needed, we will denote by $\zeta \in L$ the class $(z \bmod f)$.

In addition, we suppose that we are given a ring homomorphism $\gamma : \mathbb{F}_q[x] \to L$. The kernel $\ker(\gamma)$ of the mapping $\gamma : \mathbb{F}_q[x] \to L$ is a prime ideal of $\mathbb{F}_q[x]$ generated by a monic irreducible polynomial $p$, referred to as the $\mathbb{F}_q[x]$-characteristic of $L$. Then, $\gamma$ induces an embedding $K := \mathbb{F}_q[x]/p \to L$; we will write $m := [L : K]$, so that $n = md$, with $d = \deg p$. When needed, we will denote by $\xi \in K$ the class $(x \bmod p)$.

Although it may not seem justified yet, we may draw a parallel with this setting and that of elliptic curves over finite fields. As said before, one should see $\mathbb{F}_q[x]$ playing here the role of $\mathbb{Z}$ in the elliptic theory. The irreducible $p$ is the analogue of a prime integer $p$, so that the field $K = \mathbb{F}_q[x]/p$ is often thought of as the “prime field”, justifying the term “characteristic” for $p$. The field extension $L$ will be the “field of definition” of our Drinfeld modules.

We denote by $\pi : L \to L$ the $q$-power Frobenius $u \mapsto u^q$; for $i \ge 0$, the $i$th iterate $\pi^i : L \to L$ is thus $u \mapsto u^{q^i}$; for i ≤ π i is the i th iterate of π − .

We write $L\{\tau\}$ for the ring of so-called skew polynomials

$$L\{\tau\} = \{\, U = u_0 + u_1 \tau + \cdots + u_s \tau^s \mid s \in \mathbb{N},\ u_0, \dots, u_s \in L \,\}. \tag{1}$$

This ring is endowed with the multiplication induced by the relation $\tau u = u^q \tau$, for all $u$ in $L$. Elements of $L\{\tau\}$ are sometimes called linearized polynomials, since there exists an isomorphism mapping $L\{\tau\}$ to polynomials of the form $u_0 x + u_1 x^q + \cdots + u_s x^{q^s}$, which form a ring for the operations of addition and composition.

A non-zero element $U$ of $L\{\tau\}$ admits a unique representation as in (1) with $u_s$ non-zero. Its degree $\deg U$ is the integer $s$ (as usual, we set $\deg 0 = -\infty$). The ring $L\{\tau\}$ admits a right Euclidean division: given $U$ and $V$ in $L\{\tau\}$, with $V$ non-zero, there exists a unique pair $(Q, R)$ in $L\{\tau\}$ such that $U = QV + R$ and $\deg R < \deg V$.

There is a ring homomorphism $\iota : L\{\tau\} \to \mathrm{End}_{\mathbb{F}_q}[L]$ given by

$$\iota : u_0 + u_1 \tau + \cdots + u_s \tau^s \mapsto u_0\,\mathrm{Id} + u_1 \pi + \cdots + u_s \pi^s,$$

where $\mathrm{Id} : L \to L$ is the identity operator and $\pi$ and its powers are as defined above. This mapping allows us to interpret elements in $L\{\tau\}$ as $\mathbb{F}_q$-linear operators $L \to L$.

Drinfeld modules can be defined in a quite general setting, involving projective curves defined over $\mathbb{F}_q$; we will be concerned with the following special case (where the projective curve in question is simply $\mathbb{P}^1$).

Definition 1. Let $L$ and $\gamma$ be as above. A rank $r$ Drinfeld module over $(L, \gamma)$ is a ring homomorphism $\phi : \mathbb{F}_q[x] \to L\{\tau\}$ such that $\phi(x) = \gamma(x) + u_1 \tau + \cdots + u_r \tau^r$, with $u_1, \dots, u_r$ in $L$ and $u_r$ non-zero.

For $U$ in $\mathbb{F}_q[x]$, we will abide by the convention of writing $\phi_U$ in place of $\phi(U)$.
Since $\phi$ is a ring homomorphism, we have $\phi_{UV} = \phi_U \phi_V$ and $\phi_{U+V} = \phi_U + \phi_V$ for all $U, V$ in $\mathbb{F}_q[x]$; hence, the Drinfeld module $\phi$ is determined entirely by $\phi_x$; precisely, for $U$ in $\mathbb{F}_q[x]$, we have $\phi_U = U(\phi_x)$.

We will restrict our considerations to rank two Drinfeld modules. In particular, we will use the now-standard convention of writing $\phi_x = \gamma(x) + g\tau + \Delta\tau^2$. Hence, for a given $(L, \gamma)$, we can represent any rank two Drinfeld module over $(L, \gamma)$ by the pair $(g, \Delta) \in L^2$.

Example 1. Let q = , f = z + z + z + and L = F [ z ]/ f = F , so that n = ; we let ζ be the class of z in L . Let γ : F [ x ] → F be given by x ↦ ζ , so that p = f , K = L = F and m = . We define the Drinfeld module φ : F [ x ] → F { τ } by φ x = ζ + τ + τ , so that ( g , ∆ ) = ( , ) .

Suppose $\phi$ is a rank two Drinfeld module over $(L, \gamma)$. A central element in $L\{\tau\}$ is called an endomorphism of $\phi$. Since $u^{q^n} = u$ for all $u$ in $L$, $\tau^n$ is such an endomorphism. The following key theorem [12, Cor. 3.4] defines the main objects we wish to compute.

Theorem 1. There is a polynomial $T^2 - AT + B \in \mathbb{F}_q[x][T]$ such that $\tau^n$ satisfies the equation

$$\tau^{2n} - \phi_A \tau^n + \phi_B = 0, \tag{2}$$

with $\deg A \le n/2$ and $\deg B = n$.

The polynomials $A$ and $B$ are respectively referred to as the Frobenius trace and Frobenius norm of $\phi$. Note in particular the similarity with Hasse’s theorem for elliptic curves over finite fields regarding the respective “sizes” (degree, here) of the Frobenius trace and norm. The main goal of this paper is then to find efficient algorithms to solve the following problem.

Problem 1. Given a rank two Drinfeld module $\phi = (g, \Delta)$, compute its Frobenius trace $A$ and Frobenius norm $B$.

Example 2.
In the previous example, we have A = x + x + and B = x + x + x + .

By composing $\phi : \mathbb{F}_q[x] \to L\{\tau\}$ and $\iota : L\{\tau\} \to \mathrm{End}_{\mathbb{F}_q}[L]$ as defined in the previous subsection, we obtain another ring homomorphism $\Phi : \mathbb{F}_q[x] \to \mathrm{End}_{\mathbb{F}_q}[L]$; we will use the same convention of writing $\Phi_U = \Phi(U)$ for $U$ in $\mathbb{F}_q[x]$. Thus, we see that a Drinfeld module equips $L$ with a new structure as an $\mathbb{F}_q[x]$-module, induced by the choice of $\Phi_x = \gamma(x)\,\mathrm{Id} + g\pi + \Delta\pi^2$, with $\pi : L \to L$ the $q$-power Frobenius map.

Applying $\iota$ to the equality in Theorem 1, we obtain that $\pi^{2n} - \Phi_A \pi^n + \Phi_B$ is the zero linear mapping $L \to L$. Since $\pi^n$ is the identity map, and since we have $\Phi_A = A(\Phi_x)$, $\Phi_B = B(\Phi_x)$, this implies that the polynomial $1 - A + B \in \mathbb{F}_q[x]$ cancels the $\mathbb{F}_q$-endomorphism $\Phi_x$. Actually, more is true: $1 - A + B$ is the characteristic polynomial of this endomorphism [12, Th. 5.1]. As it turns out, finding the Frobenius norm $B$ is a rather easy task (see Section 4); as a result, Problem 1 can be reduced to computing the characteristic polynomial of $\Phi_x$.

This shows in particular that finding $A$ and $B$ can be done in $(n \log q)^{O(1)}$ bit operations (in all the paper, we will use a boolean complexity model, which counts the bit complexity of all operations on a standard RAM). The questions that interest us are to make this cost estimate more precise, and to demonstrate algorithmic improvements in practice, whenever possible. Our main results are as follows.

Theorem 2. One can solve Problem 1
• in Monte Carlo time ( n . log q + n log q ) + o ( ) , if the minimal polynomial of $\Phi_x$ has degree $n$ (Section 5);
• in time ( n + ε log q + n log q ) + o ( ) , for any ε > (Section 6);
• in Monte Carlo time ( n log q ) + o ( ) (Section 7).

Section 4 reviews previous work; it shows that our results are the best to date, except when $K = L$ (the “prime field case”), where a runtime ( n . + ε log q + n + ϵ log q ) + o ( ) is possible for any ε > K = L , where the above-mentioned result of [7] is superior.

Input and output sizes are $\Theta(n \log q)$ bits, so the best we could hope for is a runtime quasi-linear in $n \log q$; as the theorem shows, we are rather far from this, since the best unconditional results are quadratic in $n$. On the other hand, Problem 1 is very similar to questions encountered when factoring polynomials over finite fields, and it was not until the work of Kaltofen and Shoup [21] that subquadratic factorization algorithms were discovered. We believe that finding an algorithm of unconditional subquadratic time in $n$ for Problem 1 is an interesting and challenging question.

The algorithm of Section 6 was directly inspired by Schoof’s algorithm for elliptic curves. We believe this interaction has the potential to yield further algorithms of interest, perhaps using other “elliptic” techniques, such as $p$-adic approaches [33] or Harvey’s amortization techniques [16].

We now discuss the cost of operations in $L$ and $L\{\tau\}$ with runtimes given in bit operations. Notation ($\mathbb{F}_q$, $L$, ...) is as in 2.1. To simplify cost analyses, we assume that $x^q \bmod p$ is known; we will see below the cost of computing it once and for all, at the beginning of our algorithms.

Elements of $L$ are written on the power basis $1, \zeta, \dots, \zeta^{n-1}$. On occasion, we use $\mathbb{F}_q$-linear forms $L \to \mathbb{F}_q$; they are given on the dual basis, that is, by their values at $1, \zeta, \dots, \zeta^{n-1}$.

Using FFT-based multiplication, polynomial multiplication, division and extended GCD in degree $n$, and thus addition, multiplication and inversion in $L$, can be done in $(n \log q)^{1+o(1)}$ bit operations [10]. In particular, computing $x^q \bmod p$ by means of repeated squaring takes ( n log q ) + o ( ) bit operations.

We let $\omega$ be such that over any ring, square matrix multiplication in size $s$ can be done in $O(s^{\omega})$ ring operations; the best known value to date is $\omega \le 2.373$ [6, 26]. Using block techniques, multiplication in sizes $(s, t) \times (t, u)$ takes $O(stu \min(s, t, u)^{\omega - 3})$ ring operations. For matrices over $\mathbb{F}_q$, this is $(stu \min(s, t, u)^{\omega - 3} \log q)^{1+o(1)}$ bit operations; over $L$, it becomes $(stu \min(s, t, u)^{\omega - 3}\, n \log q)^{1+o(1)}$.

We could sharpen our results using the so-called exponent ω of rectangular matrix multiplication in size ( s , s ) × ( s , s ) . We can of course take ω ≤ ω + ≤ . ω ≤ . 252 is known [27]. We will not use these refinements in this paper.
Of particular interest is an operation called modular composition, which maps $(F, G, H) \in \mathbb{F}_q[x]^3$ to $F(G) \bmod H$, with $\deg H = n$ and $\deg F, \deg G < n$. Let θ ∈ [ , ] be such that this can be done in $(n^{\theta} \log q)^{1+o(1)}$ bit operations for inputs of degree $O(n)$.

Modular composition is linear in $F$; we also require that its transpose map can be computed in the same runtime $(n^{\theta} \log q)^{1+o(1)}$. In an algebraic model, counting $\mathbb{F}_q$-operations at unit cost, the transposition principle [23] guarantees this, but this is not necessarily the case in our bit model, hence our extra requirement.

For a long time, the best known value for θ was Brent and Kung’s θ = ( ω + )/ θ = + ε , for any ε > θ is either ( ω + )/ ( ω + )/ 3, and ω itself is either 3 or Strassen’s log ≃ .

A useful application of modular composition is the application of any power of the Frobenius map $\pi$: given $x^q \bmod p$, for any $\alpha$ in $L$ and $i \in \{-(n-1), \dots, n-1\}$, we can compute $\pi^i(\alpha)$ for $O(\log n)$ modular compositions, that is, in $(n^{\theta} \log q)^{1+o(1)}$ bit operations. See for instance [11, Algorithm 5.2] or Section 2.2 in [7].

For small values of $i$, say $i = O(1)$, the computation of $\pi^i(\alpha)$ can also be done by repeated squaring, in ( n log q ) + o ( ) bit operations. Since for all implementations we are aware of, $\theta = (\omega + 1)/2$, this approach may be preferred for moderate values of $\log q$ (this also applies to the operation in the next paragraph).

The previous item implies that if $\phi = (g, \Delta)$ is a rank two Drinfeld module over $(L, \gamma)$, given $\alpha$ in $L$, we can compute $\Phi_x(\alpha) = \gamma(x)\alpha + g\pi(\alpha) + \Delta\pi^2(\alpha)$ in time $(n^{\theta} \log q)^{1+o(1)}$. Because of our requirements on $\theta$, the same holds for the transpose of $\Phi_x$: given an $\mathbb{F}_q$-linear form $\ell : L \to \mathbb{F}_q$, with the convention of , we can compute the linear form $\Phi_x^{\perp}(\ell) : \alpha \mapsto \ell(\Phi_x(\alpha))$ for the same cost.

We continue with skew polynomial multiplication. This is an intricate question, with several algorithms co-existing; which one is the most efficient depends on the input degree. We will be concerned with multiplication in degree $k$, for some $k \ll n$; in this case, the best algorithm to date is from [32, Th. 7]. For any $k$, that algorithm uses O ( k ( ω + )/ ) operations + , × in L , together with O ( k / ) applications of powers of the Frobenius, for a total of ( k ( ω + )/ n θ log q ) + o ( ) bit operations. For higher degrees $k$, the algorithms in [4] have a better runtime.

Our next question is to compute $\phi_{x^k}$, for some $k \ge 0$; this polynomial has $\Theta(k)$ coefficients in $L$, so it uses $\Theta(kn \log q)$ bits. Since $\phi_{x^{2k}} = \phi_{x^k} \phi_{x^k}$ and $\phi_{x^{k+1}} = \phi_x \phi_{x^k}$, we can obtain $\phi_{x^k}$ from $\phi_{x^{\lfloor k/2 \rfloor}}$ using ( k ( ω + )/ n θ log q ) + o ( ) bit operations. The cumulated time to obtain $\phi_{x^k}$ from $\phi_x$ admits the same upper bound.

We consider now the cost of computing $\phi_C$, for some $C$ in $\mathbb{F}_q[x]$. To this end, we adapt the divide-and-conquer algorithm of [10, Ch. 9], which applies to commutative polynomials.
(1) First, choose a power of two $k$ such that $k/2 \le \deg C < k$. We compute $\phi_{x^i}$, for all $i$ powers of two up to $k/2$; using , the cost is ( k ( ω + )/ n θ log q ) + o ( ) .
(2) Write $C = C_0 + x^{k/2} C_1$, with $\deg C_0, \deg C_1 < k/2$. Compute recursively $\phi_{C_0}$ and $\phi_{C_1}$, and return $\phi_C = \phi_{C_0} + \phi_{x^{k/2}} \phi_{C_1}$.
The cumulated cost of all recursive calls is ( k ( ω + )/ n θ log q ) + o ( ) , which is ( deg ( C ) ( ω + )/ n θ log q ) + o ( ) .

Next, we analyze the cost of computing $\phi_1, \phi_x, \dots, \phi_{x^k}$, for some $k \ge 0$. In this, we essentially follow a procedure used by Gekeler [13, Sec. 3], although the cost analysis is not done in that reference. These polynomials satisfy the following recurrence:

$$\phi_{x^{i+1}} = \phi_x \phi_{x^i} = (\gamma(x) + g\tau + \Delta\tau^2)\, \phi_{x^i}.$$

For $i \ge 0$, write $\phi_{x^i} = \sum_{0 \le j \le 2i} f_{i,j} \tau^j$, for some coefficients $f_{i,j} \in L$ to be determined. We obtain

$$\sum_{0 \le j \le 2(i+1)} f_{i+1,j} \tau^j = \sum_{0 \le j \le 2i} \gamma(x) f_{i,j} \tau^j + \sum_{0 \le j \le 2i} g f_{i,j}^{q} \tau^{j+1} + \sum_{0 \le j \le 2i} \Delta f_{i,j}^{q^2} \tau^{j+2},$$

so the $f_{i,j}$ satisfy the recurrence

$$f_{i+1,j} = \gamma(x) f_{i,j} + g f_{i,j-1}^{q} + \Delta f_{i,j-2}^{q^2}$$

with known initial conditions $f_{0,0} = 1$, $f_{1,0} = \gamma(x)$, $f_{1,1} = g$, and $f_{1,2} = \Delta$. Evaluating one instance of the recurrence involves $O(1)$ multiplications / additions in $L$ and applications of the Frobenius map $\pi$, for $(n^{\theta} \log q)^{1+o(1)}$ bit operations. Given $\phi_{x^i}$, there are $\Theta(i)$ choices of $j$, so the overall cost to obtain $\phi_1, \phi_x, \dots, \phi_{x^k}$ is ( k n θ log q ) + o ( ) bit operations. In particular, taking $\theta = 1 + \varepsilon$, we see that the runtime here is essentially linear in the output size, which is Θ ( k n log q ) bits; this was not the case for the algorithms in - - .

However, in , we pointed out that in practice, Brent and Kung’s modular composition algorithm is widely used, with $\theta = (\omega + 1)/2$. In this case, for moderate values of $\log q$, one may use the straightforward repeated squaring method to apply the Frobenius map; this leads to a runtime of ( k n log q ) + o ( ) bit operations, which may be acceptable in practice. This also applies to Proposition 4 below, and underlies the design of the algorithm in Section 7.

We deduce from this an algorithm for inverting $\phi$. Given $\phi_C = \sum_{0 \le i \le 2k} \alpha_i \tau^i$, we want to recover $C = \sum_{0 \le i \le k} c_i x^i$ in $\mathbb{F}_q[x]$. Writing the expansion

$$\phi_C = \sum_{0 \le i \le k} c_i \sum_{0 \le j \le 2i} f_{i,j} \tau^j = \sum_{0 \le j \le 2k} \Bigl( \sum_{\lfloor j/2 \rfloor \le i \le k} c_i f_{i,j} \Bigr) \tau^j$$

gives us 2 k + k + k + L ,

$$\begin{pmatrix} f_{0,0} & f_{1,0} & \cdots & f_{k,0} \\ & f_{1,2} & \cdots & f_{k,2} \\ & & \ddots & \vdots \\ & & & f_{k,2k} \end{pmatrix} \begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_k \end{pmatrix} = \begin{pmatrix} \alpha_0 \\ \alpha_2 \\ \vdots \\ \alpha_{2k} \end{pmatrix}. \tag{3}$$

Its diagonal entries are of the form $f_{i,2i}$; these are the coefficients of the leading terms of $\phi_{x^i}$, so that for all $i$, $f_{i,2i} = \Delta^{e_i}$ for some exponent $e_i$. In particular, since $\Delta \ne 0$, the diagonal terms are non-zero, which allows us to find $c_0, \dots, c_k$. Once we know all $f_{i,j}$’s, the cost for solving the system is O ( k ) operations in L , so the total is ( k n θ log q ) + o ( ) bit operations.

Finally, we give an algorithm to evaluate a degree $k$ skew polynomial $U$ at $\mu$ elements $\alpha_1, \dots, \alpha_\mu$ in $L$. This algorithm will be used only in Section 5, so it can be skipped on first reading.

In the case of commutative polynomials, one can compute all $U(\alpha_i)$ faster than by successive evaluation of $U$ at $\alpha_1, \alpha_2, \dots$; see [10, Ch. 10]. The same holds for skew polynomial evaluation: in [32, Th. 15], Puchinger and Wachter-Zeh gave an algorithm that uses O ( k max ( log , ω / ) log k ) operations in L (including Frobenius-powers applications) in the case µ = k , where ω ≤ ω + .

We propose a baby-step / giant-step procedure that applies to any $\mu$ and $k$ (but the cost analysis depends on whether $\mu \le \sqrt{k}$ or not). Suppose without loss of generality that our input polynomial $U = u_0 + \cdots + u_{k-1} \tau^{k-1}$ has degree less than $k$, for some perfect square $k$, and let $s = \sqrt{k}$.
(1) Commute powers of $\tau$ with the coefficients of $U$ to rewrite it as $U = U^*_0 + \tau^s U^*_1 + \cdots + \tau^{s(s-1)} U^*_{s-1}$, with all $U^*_i$ in $L\{\tau\}$ of degree less than $s$. This is $O(k)$ applications of Frobenius powers in $L$.
(2) Compute $\alpha_{i,j} := \pi^i(\alpha_j)$, for $i = 0, \dots, s-1$ and $j = 1, \dots, \mu$; this is $O(s\mu)$ applications of Frobenius powers.
(3) For $i < s$, let $u^*_{i,0}, \dots, u^*_{i,s-1}$ be the coefficients of $U^*_i$. Compute the matrix $(s, s) \times (s, \mu)$ product

$$\begin{pmatrix} u^*_{0,0} & \cdots & u^*_{0,s-1} \\ \vdots & & \vdots \\ u^*_{s-1,0} & \cdots & u^*_{s-1,s-1} \end{pmatrix} \begin{pmatrix} \alpha_{0,1} & \cdots & \alpha_{0,\mu} \\ \vdots & & \vdots \\ \alpha_{s-1,1} & \cdots & \alpha_{s-1,\mu} \end{pmatrix},$$

whose entries are the values $\beta_{i,j} := U^*_i(\alpha_j)$. When we apply this result, we will have $\mu \le s = \sqrt{k}$, so the cost is $O(k\mu^{\omega - 2})$ operations in $L$, by . For completeness, we mention that if $\mu \ge \sqrt{k}$, the cost is $O(k^{(\omega - 1)/2} \mu)$ operations in $L$.
(4) Using Horner’s scheme, for $j = 1, \dots, \mu$, recover $U(\alpha_j)$ using $U(\alpha_j) = \beta_{0,j} + \tau^s(\beta_{1,j} + \tau^s(\beta_{2,j} + \cdots))$. The total is another $O(s\mu)$ operations in $L$, including Frobenius powers.
When $\mu \le \sqrt{k}$, the cost is $(k\mu^{\omega - 2} n^{\theta} \log q)^{1+o(1)}$ bit operations. If we take $\mu \ge \sqrt{k}$, the cost becomes $(k^{(\omega - 1)/2} \mu n^{\theta} \log q)^{1+o(1)}$.

Next, we briefly review existing algorithms for solving Problem 1, and comment on their runtime. Notation is still from Section 2.1.
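Added example (not code from the paper or from its NTL implementation): the recurrence for the $f_{i,j}$ and the triangular system (3), combined with the norm formula of Proposition 3 in the way the linear-system method of Proposition 4 does, followed by a check of equation (2). The instance $q = 3$, $f = z^3 + 2z + 1$, $\gamma(x) = \zeta$ (so $p = f$, $m = 1$) and all function names are assumptions constructed for illustration; field arithmetic is schoolbook, so no cost claim from the text applies.

```python
# Constructed toy instance (assumption, not from the paper): q = 3 (prime),
# L = F_3[z]/(z^3 + 2z + 1), gamma(x) = zeta, hence p = f, K = L and m = 1.
Q = 3
F_MOD = [1, 2, 0, 1]            # f, low degree first; monic, irreducible over F_3
N = len(F_MOD) - 1              # n = [L : F_q]
ZERO = (0,) * N
ONE = (1,) + (0,) * (N - 1)
ZETA = (0, 1) + (0,) * (N - 2)  # class of z in L; this is gamma(x)

def add(a, b):
    return tuple((x + y) % Q for x, y in zip(a, b))

def scal(c, a):                 # c in F_q times a in L
    return tuple(c * x % Q for x in a)

def mul(a, b):                  # product in L: schoolbook, then reduction modulo f
    prod = [0] * (2 * N - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % Q
    for d in range(2 * N - 2, N - 1, -1):
        c, prod[d] = prod[d], 0
        for k in range(N):
            prod[d - N + k] = (prod[d - N + k] - c * F_MOD[k]) % Q
    return tuple(prod[:N])

def power(a, e):
    r = ONE
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r

def frob(a, i=1):               # pi^i(a) = a^(q^i), by repeated squaring
    return power(a, Q ** i)

def phi_powers(g, delta, k):
    """rows[i][j] = f_{i,j}, the tau^j coefficient of phi_{x^i}, for 0 <= i <= k."""
    rows = [[ONE]]
    for i in range(k):
        prev = rows[-1] + [ZERO, ZERO]
        row = []
        for j in range(2 * i + 3):
            t = mul(ZETA, prev[j])                            # gamma(x) f_{i,j}
            if j >= 1:
                t = add(t, mul(g, frob(prev[j - 1])))         # g f_{i,j-1}^q
            if j >= 2:
                t = add(t, mul(delta, frob(prev[j - 2], 2)))  # delta f_{i,j-2}^(q^2)
            row.append(t)
        rows.append(row)
    return rows

def phi_of(coeffs, rows):
    """phi_C = sum_i c_i phi_{x^i} for C = sum_i c_i x^i, c_i in F_q."""
    out = [ZERO] * (2 * len(coeffs) - 1)
    for c, row in zip(coeffs, rows):
        for j, fij in enumerate(row):
            out[j] = add(out[j], scal(c, fij))
    return out

def in_base_field(a):
    if any(a[1:]):
        raise ValueError("element of L is not in F_q")
    return a[0]

def frobenius_norm(delta):
    """B = (-1)^n N_{L/F_q}(delta)^(-1) p^m (Proposition 3); here p = f, m = 1."""
    nrm = in_base_field(power(delta, (Q ** N - 1) // (Q - 1)))  # product of conjugates
    c = (-1) ** N * pow(nrm, Q - 2, Q) % Q
    return [c * x % Q for x in F_MOD]

def frobenius_trace(rows, phi_b):
    """Read phi_A off tau^n phi_A = tau^(2n) + phi_B, then solve system (3) for A."""
    rhs = list(phi_b)
    rhs[2 * N] = add(rhs[2 * N], ONE)
    if any(c != ZERO for c in rhs[:N]):
        raise ValueError("tau^(2n) + phi_B is not a multiple of tau^n")
    alpha = rhs[N:]             # tau^n is central: alpha[j] is the tau^j coefficient of phi_A
    a = [0] * (N // 2 + 1)
    for i in reversed(range(len(a))):   # back-substitution on the even-degree rows
        t = alpha[2 * i]
        for i2 in range(i + 1, len(a)):
            t = add(t, scal(-a[i2] % Q, rows[i2][2 * i]))
        a[i] = in_base_field(mul(t, power(rows[i][2 * i], Q ** N - 2)))
    return a

def theorem1_holds(a, b, rows):
    """Check tau^(2n) - phi_A tau^n + phi_B = 0 coefficient by coefficient."""
    total = phi_of(b, rows)
    total[2 * N] = add(total[2 * N], ONE)
    for j, aj in enumerate(phi_of(a, rows)):
        total[N + j] = add(total[N + j], scal(Q - 1, aj))
    return all(c == ZERO for c in total)

def characteristic_polynomial(g, delta):
    rows = phi_powers(g, delta, N)
    b = frobenius_norm(delta)
    a = frobenius_trace(rows, phi_of(b, rows))
    return a, b, theorem1_holds(a, b, rows)  # A, B as F_q coefficients, low degree first
# characteristic_polynomial(ZERO, ONE) -> ([0, 0], [2, 1, 0, 2], True)
```

The odd-degree rows of the $2k+1$ equations are not used to solve for $A$; `theorem1_holds` is what confirms they are consistent, since it rebuilds $\phi_A$ from the recovered coefficients.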
As with elliptic curves, determining the Frobenius norm $B$ of Theorem 1 is simply done using the following result from [13, Th. 2.11].

Proposition 3. Let $N_{L/\mathbb{F}_q}$ be the norm $L \to \mathbb{F}_q$. The Frobenius norm $B$ of a rank two Drinfeld module $\phi = (g, \Delta)$ over $(L, \gamma)$ is

$$B = (-1)^n N_{L/\mathbb{F}_q}(\Delta)^{-1} p^m.$$

In particular, $B$ can be computed in ( n log q ) + o ( ) bit operations.

Indeed, $p^m$ is a degree $n$ polynomial, and we can compute it in the prescribed time by repeated squaring. Moreover $N_{L/\mathbb{F}_q}(\Delta) = \mathrm{resultant}(f, \Delta)$ [31], so we can compute it in the same time [10].

Gekeler also gave in [13, Sec. 3] an algorithm that determines the Frobenius trace $A$ by solving a linear system for the coefficients of $A$. The key subroutines used in this algorithm were described in the previous section, and imply the following result (the cost analysis is not provided in the original paper).

Proposition 4. One can solve Problem 1 using ( n θ + log q + n log q ) + o ( ) bit operations.

Proof. The algorithm is as follows.
(1) We compute $x^q \bmod p$ with ( n log q ) + o ( ) bit operations.
(2) Find $\phi_1, \dots, \phi_{x^n}$ in ( n θ + log q ) + o ( ) bit operations ( ).
(3) Compute $B$ and deduce $\phi_B$; this takes comparatively negligible time (see above and ) and gives us $\phi_A$, since Theorem 1 implies that $\tau^n \phi_A = \tau^{2n} + \phi_B$.
(4) Recover $A$ in ( n θ + log q ) + o ( ) bit operations by . □

The cost of this procedure is at least cubic in $n$, due to the need to compute the Θ ( n ) coefficients $f_{i,j}$ of $\phi_1, \dots, \phi_{x^n}$ in $L$.

$L = K$

The case where $L = K$, that is, when $\gamma : \mathbb{F}_q[x] \to L$ is onto, allows for some faster algorithms, based on two observations: we can recover $A$ from its image $\gamma(A)$ in this case (since $\deg A \le \lfloor n/2 \rfloor$), and $\gamma(A)$ can be easily derived from the Hasse Invariant of $\phi$, which is the coefficient of $\tau^n$ in $\phi_p = p(\phi_x)$.

From this, Hsia and Yu [17] and Garai and Papikian [9] sketched algorithms that compute $A$.
When $\phi_p$ is computed in a direct manner, they take Θ ( n ) additions, multiplications and Frobenius applications in $L$, so Ω ( n ) bit operations.

Gekeler [13, Prop. 3.7] gave an algorithm inspired by an analogy with the elliptic case, where the Hasse invariant can be computed as a suitable term in a recurrent sequence (with non-constant coefficients). A direct application of this result does not improve on the runtime above. However, using techniques inspired by both the elliptic case [1] and the polynomial factorization algorithm of [21], it was shown in [7] how to reduce the cost to ( n θ + / log q + n log q ) + o ( ) bit operations, which is subquadratic in $n$.

In [29, Sec. 3.1], Narayanan gives the sketch of a Monte Carlo algorithm to solve Problem 1 for odd $q$, which applies to those Drinfeld modules $(g, \Delta)$ for which the minimal polynomial $\Gamma$ of $\Phi_x = \gamma(x)\,\mathrm{Id} + g\pi + \Delta\pi^2$ has degree $n$. In this case, it must coincide with the characteristic polynomial of $\Phi_x$, which we saw is equal to $1 - A + B$ (this assumption on $\Gamma$ holds for more than half of elements of the parameter domain [29, Th. 3.6]). Since $B$ is easy to compute, knowing $1 - A + B$ gives us $A$ readily.

Narayanan’s algorithm computes the minimal polynomial $\Gamma_{\ell,\alpha}$ of a sequence of the form $(r_k)_{k \ge 0} = (\ell(\Phi_x^k(\alpha)))_{k \ge 0} \in \mathbb{F}_q^{\mathbb{N}}$, for a random $\mathbb{F}_q$-linear map $\ell : L \to \mathbb{F}_q$ and a random $\alpha \in L$. Using Wiedemann’s analysis [39], one can bound below the fraction of $\ell$ and $\alpha$ for which $\Gamma_{\ell,\alpha} = \Gamma$. The bottleneck of this algorithm is the computation of sufficiently many elements of the above sequence: the first $2n$ terms are needed, after which applying Berlekamp-Massey’s algorithm gives us $\Gamma_{\ell,\alpha}$. To compute $(r_k)_{0 \le k < 2n}$, Narayanan states that we can adapt the automorphism projection algorithm of Kaltofen and Shoup [21] and enjoy its subquadratic complexity. Indeed, Kaltofen and Shoup’s algorithm computes terms in a similar sequence, namely $\ell(\pi^k(\alpha))_{k \ge 0}$, where $\pi$ is the Frobenius map. However, that algorithm actively uses the fact that $\pi$ is a field automorphism, whereas $\Phi_x$ is not. Hence, whether a direct adaptation of Kaltofen and Shoup’s algorithm is possible remains unclear to us.

We propose an alternative Monte Carlo algorithm, which establishes the first point in Theorem 2; it is inspired by Coppersmith’s block Wiedemann algorithm [5].

The sequence $(\ell(\Phi_x^k(\alpha)))_{k \ge 0}$ used in Wiedemann’s algorithm is linearly recurrent, so that its generating series is rational, with $\Gamma$ as denominator for generic choices of $\ell$ and $\alpha$. In Coppersmith’s block version, we consider a sequence of $\mu \times \mu$ matrices $(R_k)_{k \ge 0}$ over $\mathbb{F}_q$ instead, for some given parameter $\mu$. These matrices are defined by choosing $\mu$ many $\mathbb{F}_q$-linear mappings $L \to \mathbb{F}_q$, say $\ell = (\ell_1, \dots, \ell_\mu)$, and $\mu$ elements $\alpha = (\alpha_1, \dots, \alpha_\mu)$ in $L$. They define sequences $(r_{i,j,k})_{k \ge 0} := (\ell_i(\Phi_x^k(\alpha_j)))_{k \ge 0}$, which form the entries of a sequence of $\mu \times \mu$ matrices $(R_k)_{k \ge 0}$. The generating series $\sum_{k \ge 0} R_k / z^{k+1}$ can be written as $Q^{-1} N$, for some $Q$ and $N$ in $\mathbb{F}_q[z]^{\mu \times \mu}$. For generic choices of $\ell$ and $\alpha$, $Q$ has degree at most $\lceil n/\mu \rceil$ and can be computed in ( µ ω − n log q ) + o ( ) bit operations from ( R k ) k ≤ n / µ , using the PM basis algorithm of [14]. Finally, we will see that we can deduce the minimal polynomial $\Gamma$ from the determinant of $Q$.

Thus, Coppersmith’s algorithm requires fewer values of the matrix sequence than Wiedemann’s (roughly $2n/\mu$ instead of $2n$). As we will see, the multipoint evaluation algorithm in makes it possible to compute all required matrices in subquadratic time. The overview of the algorithm is thus the following.
(1) Fix $\mu = \lfloor n^b \rfloor$, for some exponent $b$ to be determined later; choose $\mu$ many $\mathbb{F}_q$-linear mappings $L \to \mathbb{F}_q$, $\ell = (\ell_1, \dots, \ell_\mu)$, and $\mu$ elements $\alpha = (\alpha_1, \dots, \alpha_\mu)$ in $L$.
(2) Compute ( R k ) ≤ k ≤ n / µ , for $R_k$ as defined above.
We will discuss the cost of this operation below.
(3) Compute $Q$; this takes ( µ ω − n log q ) + o ( ) bit operations.
(4) Compute the determinant $\Gamma^*$ of $Q$. The cost of this step is another ( µ ω − n log q ) + o ( ) bit operations [25]. By [22, Th. 2.12], $\Gamma^*$ divides the characteristic polynomial of $\Phi_x$, which we assume coincides with $\Gamma$. For generic $\ell$ and $\alpha$, the minimal polynomial of $(r_{1,1,k})_{k \ge 0}$ is $\Gamma$. If this is the case, since $\Gamma^*$ cancels that sequence, $\Gamma$ divides $\Gamma^*$, so that $\Gamma = \Gamma^*$.

Regarding the probabilistic aspects, combining the last paragraphs of [22, Sec. 2.1] (that deal with the properties of $Q$) and the analysis in [19, 20] (for Step 4) shows that there is a non-zero polynomial $D$ in $\mathbb{F}_q[\mathbf{L}_1, \dots, \mathbf{L}_\mu, \mathbf{A}_1, \dots, \mathbf{A}_\mu]$, where each boldface symbol is a vector of $n$ indeterminates, such that deg D ≤ n , and such that if $D(\ell_1, \dots, \ell_\mu, \alpha_1, \dots, \alpha_\mu) \ne 0$, all properties above hold. By the DeMillo-Lipton-Zippel-Schwartz lemma, the probability of failure is thus at most $4n/q$. If q < n , we may have to choose the coefficients of $\ell$ and $\alpha$ in an extension of $\mathbb{F}_q$ of degree $O(\log n)$; this affects the runtime only with respect to logarithmic factors.

It remains to explain how to compute the required matrix values ( R k ) k ≤ n / µ at step (2). This is done by adapting the baby-steps / giant steps techniques of [21, Algorithm AP] to the context of the block-Wiedemann algorithm, and leveraging multipoint evaluation. Let $K := \lfloor (n/\mu)^c \rfloor$, for another constant $c$ to be determined, and K ′ : = ⌈ n /( Kµ )⌉ ; remark that K ′ µ ≤ n . For our final choices of parameters, we will also have the inequalities $K' \le K$, $\mu \le \sqrt{K}$.
(2.1) For $i \le \mu$ and $u < K$, compute the linear mapping $\ell_{i,u} := \Phi^{\perp}_{x^u}(\ell_i)$, so that $\ell_{i,u}(\beta) = \ell_i(\Phi_x^u(\beta))$ for $\beta$ in $L$. By , this takes $(K\mu n^{\theta} \log q)^{1+o(1)}$ bit operations.
(2.2) Compute $\phi_{x^K} \in L\{\tau\}$; this takes ( K ( ω + )/ n θ log q ) + o ( ) bit operations, by .
(2.3) For $j \le \mu$ and $v < K'$, compute $\alpha_{j,v} := \Phi_x^{Kv}(\alpha_j)$, so that we have $\ell_{i,u}(\alpha_{j,v}) = \ell_i(\Phi_x^{u+Kv}(\alpha_j))$ for all $i, j, u, v$. Starting from $(\alpha_{1,v}, \dots, \alpha_{\mu,v})$, the application of $\phi_{x^K}$ gives $(\alpha_{1,v+1}, \dots, \alpha_{\mu,v+1})$. This takes ( Kµ ω − n θ log q ) + o ( ) bit operations per index $v$ (by ), so that the total cost is ( µ ω − n θ + log q ) + o ( ) (note that $\mu \le \sqrt{K}$).
(2.4) Multiply the $(K\mu, n) \times (n, K'\mu)$ matrices with entries the coefficients of $(\ell_{1,0}, \dots, \ell_{\mu,K-1})$, resp. $(\alpha_{1,0}, \dots, \alpha_{\mu,K'-1})$, to obtain all needed values $r_{i,j,u+Kv}$. The inequalities above imply that the smallest dimension is $K'\mu$ so by , the cost is ( K − ω µn ω − log q ) + o ( ) bit operations.

We know that we can take $\theta = 1 + \varepsilon$, for any $\varepsilon > 0$. To find $b$ and $c$ that minimize the overall exponent in $n$, we can thus replace $\theta$ by 1 and disregard the exponent $1 + o(1)$ and the terms depending on $\log q$; we will then round up the final result. The relevant terms are { Kµn , K ( ω + )/ n , µ ω − n , K − ω µn ω − , µ ω − n } . For ω = . b = . 183 and c = . ( n . log q ) + o ( ) bit operations. Taking into account the initial cost of computing $x^q$ in $L$, this proves the first point in our main theorem. It should however be obvious from the presentation of the algorithm that we make no claims as to its practical behavior (for instance, parameters $b$, $c$ were determined using an exponent 2.373 for matrix multiplication, which is currently unrealistic in practice).
We present next an alternative approach inspired by Schoof’s algorithm for elliptic curves, establishing the second item in our main theorem: we can solve Problem 1 in time ( n + ε log q + n log q ) + o ( ) , for any ε > . As before, we assume that we know x q mod p .

We first compute the Frobenius norm B . The idea of the algorithm is then to compute A i := A mod E i , for some pairwise distinct irreducible polynomials E , . . . , E s in F q [ x ] and recover A by Chinese remaindering. Thus, we need deg ( E · · · E s ) > n / 2, and we will also impose that deg E i ∈ O ( log n ) for all i . First, we show that we can find such E i ’s in ( n log q ) + o ( ) bit operations.

If q > n / 2, it is enough to take E i = x − e i , for pairwise distinct elements e i in F q ; enumerating n / + F q takes ( n log q ) + o ( ) bit operations.

Otherwise, let t = ⌈ log q ( n + )⌉ . The sum of the degrees of the monic irreducible polynomials of degree t over F q is at least ( / ) q t , which is greater than n / 2. Thus, we test all monic polynomials of degree t for irreducibility. There are q t < q ( n + ) ≤ n such polynomials (note that here q ≤ n / 2) and each irreducibility test takes log O ( ) n bit operations [11] (a term log q usually appears in such runtime estimates, but here log q is in O ( log n ) ).

Without loss of generality, we assume that no polynomial E i is such that E i ( γ ( x )) = γ is the structural homomorphism F q [ x ] → L ). Only one irreducible polynomial may satisfy this equality, so we discard it and find a replacement if needed.

Let F ∈ L { τ } be of degree δ and L { τ } δ be the set of all elements in L { τ } of degree less than δ . Our main algorithm will rely on the following operation: define the operator T : L { τ } δ → L { τ } δ by T ( U ) := τU mod F . We are interested in computing T r ( U ) , for some r ≥ U in L { τ } δ .

The operator T is F q -linear but not L -linear; the coefficient vector of T ( U ) is M π ( v U ) , where M is the companion matrix of F (seen as a commutative polynomial), v U is the coefficient vector of U and where we still denote by π the entry-wise application of the Frobenius to a vector (or to a matrix). As a result, the coefficient vector of T r ( U ) is M π ( M ) · · · π r − ( M ) π r ( v U ) .

Lemma 5.3 in [11] shows how to compute such an expression in O ( log r ) applications of Frobenius powers (to matrices) and matrix products (the original reference deals with scalars, but there is no difference in the matrix case). When r is O ( n ) , the runtime is ( δ n θ log q ) + o ( ) bit operations ( δ will be small later on, so there is no need to use fast matrix arithmetic).

We will also have to invert T . In order to be able to do so, we assume that the constant coefficient of F is non-zero; as a result, M is invertible. Given V = T ( U ) , we can recover the coefficient vector of U = T − ( V ) as N π − ( v V ) , where N = π − ( M − ) . For r in O ( n ) , we can compute T − r ( V ) in ( δ n θ log q ) + o ( ) bit operations as well, replacing the applications of powers of π by powers of π − .
Using the results in and , let us show how to compute A mod E , for some irreducible E in F q [ x ] . As input, assume that we know E and B mod E . We let F = φ E ∈ L { τ } and δ := deg F = E . We suppose that E ( γ ( x )) ≠ 0; as a result, the constant coefficient of F is non-zero, so applies.

Start from the characteristic equation τ n − τ n φ A + φ B = 0, which we rewrite as τ n φ A = τ n + φ B and reduce both sides modulo F = φ E . On the left, we obtain ( τ n φ A ) mod F = T n ( φ A mod F ) , that is, T n ( φ A mod E ) . Similarly, on the right, we obtain T n ( ) + φ B mod E . Thus, we can proceed as follows:

(1) Compute F := φ E and V := φ B mod E . By , the cost is ( δ ( ω + )/ n θ log q ) + o ( ) bit operations.
(2) Compute the companion matrix M of F in ( δ n log q ) + o ( ) bit operations.
(3) Compute V := T n ( ) in ( δ n θ log q ) + o ( ) bit operations ( ).
(4) Compute φ A mod E = T − n ( V + V ) in ( δ n θ log q ) + o ( ) bit operations ( ).
(5) Deduce A mod E in ( δ n θ log q ) + o ( ) bit operations ( ).

The overall runtime is ( δ n θ log q ) + o ( ) bit operations.

We can finally present the whole algorithm.

(1) Compute the Frobenius norm B (Proposition 3).
(2) Compute polynomials E , . . . , E s as in .
(3) For i = , . . . , s , compute B i := B mod E i .
(4) For i = , . . . , s , compute A i := A mod E i by .
(5) Recover A by the Chinese remainder map.

Steps (1), (2), (3) and (5) take a total of ( n log q ) + o ( ) bit operations. Since the degrees of all polynomials E i are O ( log n ) , the time spent at Step (4) is ( n θ + log q ) + o ( ) bit operations. Since we can take θ = + ε for any ε > 0, and adding the cost ( n log q ) + o ( ) of computing x q mod p , this establishes the second statement in Theorem 2.

We now prove the last item in our main theorem: there exists a Monte Carlo algorithm that solves Problem 1 in ( n log q ) + o ( ) bit operations. The runtime is now quadratic in log q , but truly quadratic in n , not of the form n + ε . The point is that we avoid applying high powers of the Frobenius (and thus modular composition); the applications of Φ x = γ ( x ) Id + gπ + ∆ π are done by repeated squaring. This algorithm behaves well in practice, whereas the behavior of modular composition significantly hinders the implementation of the algorithms in the previous sections; see and .

The algorithm is inspired by [36, Th. 5]; it bears similarities with Narayanan’s, but does not require the assumption that the minimal polynomial Γ of Φ x = γ ( x ) Id + gπ + ∆ π have degree n . Whether the subquadratic runtime obtained in Section 5 can be carried over to the approach presented here is of course an interesting question.

When n is even, we may need to determine the leading coefficient a n / of the Frobenius trace A separately. We will use the following result, due to Jung [13, 18]: a n / = Tr F q / F q ( N L / F q ( ∆ ) − ) , where F q is the unique degree 2 extension of F q contained in L , and Tr and N are (finite field) trace and norm. Using repeated squaring for exponentiation, a n / can be computed in ( n log q ) + o ( ) operations in F q , so ( n log q ) + o ( ) bit operations.

Let Γ ∈ F q [ x ] be the minimal polynomial of Φ x and let ν ≤ n be its degree. We prove here that the inequality ν ≥ n / i , j with 0 ≤ i < j < n , π i ≠ π j . Therefore, by independence of characters, Id , π , . . . , π n − satisfy no non-trivial L -linear relation; that is, there are no constants c , . . . , c n − in L , with at least one c i ≠ 0, such that c + c π + . . . + c n − π n − = F q [ L ] .

Assume by way of contradiction that 2 ν ≤ n − 1. We know that Γ ( Φ x ) = 0; since Γ has degree ν , we may write it as Γ = c + · · · + c ν − x ν − + x ν . Evaluating at Φ x = γ ( x ) Id + gπ + ∆ π , we obtain a relation of the form ¯ c Id + ¯ c π + · · · + ¯ c ν π ν = L , where all exponents are at most n − 1. The leading coefficient ¯ c ν is given by ¯ c ν = ∆ ( − q ν )/( − q ) , so it is non-zero, a contradiction. Thus, 2 ν ≥ n , as claimed.

The first step in the algorithm computes the minimal polynomial Γ of Φ x . To do so, choose at random α in L and an F q -linear projection map ℓ : L → F q . The sequence ( ℓ ( Φ ix ( α ))) i ≥ is linearly generated, and its minimal polynomial Γ ℓ, α divides Γ . Given 2 n entries in the sequence ℓ ( Φ ix ( α )) , we apply the Berlekamp-Massey algorithm to obtain Γ ℓ, α .

Assuming that ℓ and α are chosen uniformly at random, Wiedemann proved [39] that the probability that Γ ℓ, α = Γ is at least 1 /( 12 max ( , log q ν )) . Using the DeMillo-Lipton-Zippel-Schwartz lemma gives another lower bound for the probability that Γ ℓ, α equals Γ , namely 1 − n / q [19, 20]. We will assume henceforth that this is the case (as in Section 5, we can work over an extension field of F q of degree O ( log n ) if q < n ).

We start from A = ∑ ⌊ n / ⌋ i = a i x i ∈ F q [ x ] , for some unknown coefficients a i . Since n / ≤ ν (by ), we must have ⌊ n / ⌋ ≤ ν − n is even and n / = ν . Hence, we may rewrite A as

A = ν − ∑ i = a i x i + a ν x ν ,

where a i = i = ⌊ n / ⌋ + , . . . , ν − a ν = ⌊ n / ⌋ ≤ ν − 1) or a ν can be determined as in (if ⌊ n / ⌋ = ν ). In any case, a ν is known.

Theorem 1 implies that for α as above, we have Φ A ( α ) = r with r := α + Φ B ( α ) ∈ L . Using the expression of A given above, this yields

ν − ∑ i = a i Φ x i ( α ) = ˜ r , with ˜ r = r − a ν Φ ν ( α ) .

For j ≥ 0, applying Φ x j to this equality gives

ν − ∑ i = a i Φ x i + j ( α ) = Φ x j ( ˜ r ) .

Finally, we can apply ℓ to both sides of such equalities, for j = , . . . , ν − 1. This yields the following Hankel system:

ℓ ( α ) . . . ℓ ( Φ x ν − ( α )) ... ... ℓ ( Φ x ν − ( α )) . . . ℓ ( Φ x ν − ( α )) a ... a ν − = ℓ ( ˜ r ) ... ℓ ( Φ x ν − ( ˜ r )) . (4)

Since we assumed that Γ ℓ, α = Γ , applying for instance Lemma 1 in [19], we deduce that the matrix of the system is invertible, allowing us to recover a , . . . , a ν − .

We can now summarize the algorithm and analyze its runtime.

(1) Compute the Frobenius norm B = ∑ i ≤ n b i x i (Proposition 3); this takes ( n log q ) + o ( ) bit operations.
(2) Compute the sequence ( Φ x i ( α )) i < n using the recurrence relation Φ x i + ( α ) = ( γ ( x ) Id + gπ + ∆ π )( Φ x i ( α )) . Using repeated squaring to apply the Frobenius, we get all terms in ( n log q ) + o ( ) bit operations.
(3) Apply ℓ to all terms of the sequence and deduce Γ ℓ, α by the Berlekamp-Massey algorithm. This takes ( n log q ) + o ( ) bit operations. We assume Γ ℓ, α = Γ and let ν be its degree.
(4) If n is even and ν = n / 2, compute a ν as in ; otherwise, set a ν = 0. This takes ( n log q ) + o ( ) bit operations.
(5) Compute ˜ r = α + ∑ i ≤ n b i Φ x i ( α ) − a ν Φ ν ( α ) ; this takes ( n log q ) + o ( ) bit operations.
(6) Compute the sequence ( Φ x i ( ˜ r )) i < ν and apply ℓ to all entries in this sequence. As above, this takes ( n log q ) + o ( ) bit operations.
(7) Solve (4); since the matrix is Hankel and non-singular, this takes ( n log q ) + o ( ) bit operations.

Altogether, this takes ( n log q ) + o ( ) bit operations, as claimed.

In support of our theoretical analysis, the algorithms presented in sections 6 and 7, as well as Gekeler’s algorithm in [13, Section 3], were implemented in C++ using Shoup’s NTL library [37]; our implementation currently supports prime q . When m = 1, we also compare our implementation with that of the algorithm in [7].

Table 1 provides sample runtimes for several parameters. Figure 1 is made up of 24 data points for q = m = 2, and varied n , averaged over 4 runs. The randomized algorithm of section 7 demonstrated a significant runtime advantage over both Gekeler’s original algorithm and the deterministic alternative. Due to its heavy dependency on modular composition, and a lack of readily available implementations of the Kedlaya-Umans algorithm on which we rely, the deterministic algorithm demonstrates a significantly higher complexity than expected. For m = 1, as predicted by the cost analysis, the algorithm in [7] is overall the fastest.

The code used to generate these results is publicly available at https://github.com/ymusleh/Drinfeld-paper/tree/master/code.

Table 1: Various parameter test cases; time in seconds. Columns: Randomized, Deterministic, Gekeler, Hasse [7].

Figure 1: Log-log plot of n versus runtime with q = , m =

Acknowledgments
We wish to thank Jason Bell and Mark Giesbrecht for their comments on Musleh’s MMath thesis [28], which is the basis of this work, and Anand Kumar Narayanan for answering many of our questions. Schost was supported by an NSERC Discovery Grant.
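The minimal-polynomial step of the Monte Carlo algorithm above (form the sequence ℓ(Φ_x^i(α)), then run Berlekamp-Massey on 2n entries) can be tried on a toy instance. The Python below is an added example, not the authors' C++/NTL implementation; the field L = F_3[z]/(z^4 + z + 2), the coefficients γ(x), g, ∆ and the fixed α and ℓ are constructed values, and Φ_x is taken in the rank-two form γ(x) Id + gπ + ∆π^2.

```python
# Constructed toy parameters (assumptions): q = 3, n = 4, L = F_3[z]/(z^4 + z + 2).
Q, N, F_MOD = 3, 4, [2, 1, 0, 0]   # F_MOD: low coefficients of the monic modulus
GAMMA_X, G, DELTA = [0, 1, 0, 0], [1, 0, 2, 0], [1, 1, 0, 0]   # Delta != 0

def mul(a, b):  # product in L; elements are coefficient lists, low degree first
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % Q
    for d in range(2 * N - 2, N - 1, -1):      # rewrite z^d using z^N = -F_MOD
        for k in range(N):
            prod[d - N + k] = (prod[d - N + k] - prod[d] * F_MOD[k]) % Q
    return prod[:N]

def frob(a):  # Frobenius pi(a) = a^q, by repeated squaring
    result, e = [1] + [0] * (N - 1), Q
    while e:
        result, a, e = (mul(result, a) if e & 1 else result), mul(a, a), e >> 1
    return result

def phi_x(a):  # apply Phi_x = gamma(x) Id + g pi + Delta pi^2 to a in L
    fa = frob(a)
    parts = (mul(GAMMA_X, a), mul(G, fa), mul(DELTA, frob(fa)))
    return [sum(col) % Q for col in zip(*parts)]

def projected_sequence(alpha, ell, length):  # (ell(Phi_x^i(alpha))) for i < length
    orbit = [alpha]
    for _ in range(length - 1):
        orbit.append(phi_x(orbit[-1]))
    return [sum(c * x for c, x in zip(ell, a)) % Q for a in orbit]  # ell = dot product

def berlekamp_massey(s):  # monic minimal polynomial of s over F_q, low degree first
    C, B, L, m, b = [1], [1], 0, 1, 1
    for n in range(len(s)):
        d = sum(c * s[n - i] for i, c in enumerate(C)) % Q   # discrepancy
        if d:
            T, coef = C[:], d * pow(b, Q - 2, Q) % Q         # b^(q-2) = 1/b, q prime
            C = C + [0] * (len(B) + m - len(C))
            for i, bi in enumerate(B):
                C[i + m] = (C[i + m] - coef * bi) % Q
            if 2 * L <= n:                                   # recurrence must grow
                L, B, b, m = n + 1 - L, T, d, 0
        m += 1
    return (C + [0] * (L + 1 - len(C)))[:L + 1][::-1]

def annihilates(poly, s):  # True if poly is a linear recurrence on every window of s
    return all(sum(p * s[j + k] for k, p in enumerate(poly)) % Q == 0
               for j in range(len(s) - len(poly) + 1))

ALPHA, ELL = [1, 2, 0, 1], [1, 0, 1, 1]        # constructed stand-ins for random picks
SEQ = projected_sequence(ALPHA, ELL, 3 * N)
GAMMA_L_ALPHA = berlekamp_massey(SEQ[:2 * N])  # only 2n entries, as in the text
```

`GAMMA_L_ALPHA` is the monic polynomial Γ_{ℓ,α}, lowest degree first; `annihilates(GAMMA_L_ALPHA, SEQ)` checks it against 3n terms although only 2n were given to Berlekamp-Massey.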
References

[1] A. Bostan, P. Gaudry, and É. Schost. 2007. Linear recurrences with polynomial coefficients and application to integer factorization and Cartier-Manin operator. SIAM J. Comput. 36, 6 (2007), 1777–1806.
[2] R. P. Brent and H. T. Kung. 1978. Fast Algorithms for Manipulating Formal Power Series. J. ACM 25, 4 (1978), 581–595.
[3] L. Carlitz. 1935. On certain functions connected with polynomials in a Galois field. Duke Math. J. 1, 2 (1935), 137–168.
[4] X. Caruso and J. Le Borgne. 2017. Fast multiplication for skew polynomials. In ISSAC’17. ACM, 77–84.
[5] D. Coppersmith. 1994. Solving homogeneous linear equations over GF ( ) via block Wiedemann algorithm. Math. Comp. 62, 205 (1994), 333–350.
[6] D. Coppersmith and S. Winograd. 1990. Matrix multiplication via arithmetic progressions. J. Symb. Comput. 9, 3 (1990), 251–280.
[7] J. Doliskani, A. K. Narayanan, and É. Schost. 2017. Drinfeld modules with complex multiplication, Hasse invariants and factoring polynomials over finite fields. arXiv:1712.00669
[8] V. G. Drinfel’d. 1974. Elliptic modules. Matematicheskii Sbornik 94, 23 (1974), 561–593.
[9] S. Garai and M. Papikian. 2018. Endomorphism rings of reductions of Drinfeld modules. arXiv:1804.07904
[10] J. von zur Gathen and J. Gerhard. 2013. Modern Computer Algebra (3 ed.). Cambridge University Press, New York, NY, USA.
[11] J. von zur Gathen and V. Shoup. 1992. Computing Frobenius maps and factoring polynomials. Computational Complexity 2, 3 (1992), 187–224.
[12] E.-U. Gekeler. 1991. On finite Drinfeld modules. Journal of Algebra
Trans. Amer. Math. Soc. 360 (04 2008), 1695–1721.
[14] P. Giorgi, C.-P. Jeannerod, and G. Villard. 2003. On the complexity of polynomial matrix computations. In ISSAC’03. ACM, 135–142.
[15] D. Goss. 1996. Basic Structures of Function Field Arithmetic. Springer Berlin Heidelberg.
[16] David Harvey. 2014. Counting points on hyperelliptic curves in average polynomial time. Annals of Mathematics
Compositio Mathematica
SPAA ’91. ACM, 180–191.
[20] E. Kaltofen and B. D. Saunders. 1991. On Wiedemann’s method of solving sparse linear systems. In AAECC-9. Springer-Verlag, 29–38.
[21] E. Kaltofen and V. Shoup. 1998. Subquadratic-time factoring of polynomials over finite fields. Math. Comp. 67, 223 (1998), 1179–1197.
[22] E. Kaltofen and G. Villard. 2004. On the complexity of computing determinants. Computational Complexity 13, 3-4 (2004), 91–130.
[23] M. Kaminski, D.G. Kirkpatrick, and N.H. Bshouty. 1988. Addition requirements for matrix and transposed matrix products. J. Algorithms 9, 3 (1988), 354–364.
[24] K. S. Kedlaya and C. Umans. 2011. Fast polynomial factorization and modular composition. SIAM J. Comput. 40, 6 (2011), 1767–1802.
[25] G. Labahn, V. Neiger, and W. Zhou. 2017. Fast, deterministic computation of the Hermite normal form and determinant of a polynomial matrix. J. Complexity
ISSAC’14. ACM, 296–303.
[27] F. Le Gall and F. Urrutia. 2018. Improved rectangular matrix multiplication using powers of the Coppersmith-Winograd tensor. In SODA ’18. SIAM, 1029–1046.
[28] Musleh, Yossef. 2018. Fast Algorithms for Finding the Characteristic Polynomial of a Rank-2 Drinfeld Module. http://hdl.handle.net/10012/13889
[29] A. K. Narayanan. 2018. Polynomial factorization over finite fields by computing Euler-Poincaré characteristics of Drinfeld modules. Finite Fields Appl. 54 (2018), 335–365.
[30] A. Panchishkin and I Potemine. 1989. An algorithm for the factorization of polynomials using elliptic modules. In Constructive methods and algorithms in number theory. 117.
[31] M. Pohst and H. Zassenhaus (Eds.). 1989. Algorithmic Algebraic Number Theory. Cambridge University Press.
[32] S. Puchinger and A. Wachter-Zeh. 2017. Fast operations on linearized polynomials and their applications in coding theory. J. Symb. Comput. (2017).
[33] T Satoh. 2000. The canonical lift of an ordinary elliptic curve over a finite field and its point counting. J. Ramanujan Math. Soc. 15 (2000), 247–270.
[34] T. Scanlon. 2001. Public Key cryptosystems based on Drinfeld modules Are insecure. Journal of Cryptology 14, 4 (2001), 225–230.
[35] R. Schoof. 1985. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp. 44, 170 (1985), 483–494.
[36] V. Shoup. 1994. Fast construction of irreducible polynomials over finite fields. J. Symb. Comput.
Math. Comp. 73 (2004), 317–322.
[39] D H Wiedemann. 1986. Solving Sparse Linear Equations over Finite Fields.