Fast multiplication for skew polynomials
arXiv preprint [cs.SC]
Xavier Caruso
IRMAR, CNRS, Campus de Beaulieu, 263 avenue du Général Leclerc, 35042 RENNES Cedex, [email protected]
Jérémy Le Borgne
IRMAR, ENS Rennes, UBL, Campus de Ker Lann, Avenue Robert Schuman, 35170 BRUZ, [email protected]
ABSTRACT
We describe an algorithm for fast multiplication of skew polynomials. It is based on fast modular multiplication of such skew polynomials, for which we give an algorithm relying on evaluation and interpolation on normal bases. Our algorithms improve the best known complexity for these problems, and reach the optimal asymptotic complexity bound for large degree. We also give an adaptation of our algorithm for polynomials of small degree. Finally, we use our methods to improve on the best known complexities for various arithmetic problems.
Introduction
The present paper is dedicated to the description of algorithms for fast arithmetic in skew polynomial rings. Since they were first introduced by Ore, skew polynomials and their variants have been widely studied in several areas of mathematics. In particular, skew polynomials over finite fields have various applications in coding theory [14], cryptography (see [2]) and $p$-adic Galois representations [10]. Fast arithmetic for manipulating these objects is useful for such applications, and has been improved over time since the first breakthrough paper on computational skew polynomials over finite fields, due to Giesbrecht [8].

Let $K$ be a field and let $L$ be a finite extension of $K$, endowed with an endomorphism $\sigma$. We assume that $\sigma$ has order $r$ and that $K = L^\sigma$ is its fixed field. We consider the ring $L[X,\sigma]$ of skew polynomials with coefficients in $L$. This is a noncommutative ring in which the relation $Xa = \sigma(a)X$ holds for all $a \in L$ (for more detail about the definitions, see Section 1.1). The main problem addressed in this paper is the fast multiplication of elements of $L[X,\sigma]$. The complexity of algorithms is measured as a number of elementary operations in $K$, as a function of the degree $d$ of the skew polynomials to be multiplied and of the degree $r$ of $L$ over $K$.

State of the art.
The naive method for multiplication of skew polynomials of degree $\le d$ yields an algorithm of complexity $O(d\,r)$ operations in $K$; in [8], this complexity is improved to $O(dr + d\,r)$. Let $\omega$ denote the exponent of matrix multiplication. The authors of the present paper gave several algorithms for multiplication in [3], with best complexity $\tilde O(d r^{\omega-1})$ achieved for $d > r$. The most recent results, by Puchinger and Wachter-Zeh [12], give a bound of $\tilde O(d^{(\omega+1)/2} r)$ operations in $K$ for multiplication in $L[X,\sigma]$, which improves on the previous results [3] when $d \in \Theta(r)$; this is the most relevant case for applications in coding theory (see [12], §). For comparison, a bound of $\tilde O(\min\{d,r\}^{\omega-2}\, dr)$ is known (see [1], Theorem 1) for multiplication in the ring of differential operators $L[x]\langle\partial\rangle$. We expect that this complexity should be achievable in $L[X,\sigma]$ as well, but we have only achieved it for $d \ge r$.

Contributions of the paper.
This paper's main algorithm improves the complexity of the best known algorithms for multiplication in $L[X,\sigma]$ to $\tilde O(d r^{\omega-1})$ when $d \ge r$. For $d \in \Theta(r)$, this gives a complexity of $\tilde O(r^\omega)$ operations in $K$. This is quasi-optimal in the sense that matrix multiplication reduces to skew polynomial multiplication (this is for example a consequence of Proposition 1.6 below), so that any improvement on the exponent of skew polynomial multiplication would lead to a similar improvement for matrix multiplication. We also design a new algorithm for the multiplication of polynomials of small degree $d \ll r$ in $L[X,\sigma]$, whose complexity is $\tilde O(d^{\omega-2} r^2)$.

We also show that our method can be used to improve the best known complexities of various related problems, such as multi-point evaluation, minimal subspace polynomial and interpolation, which are studied in [12]. We also improve the complexities for greatest common divisors and least common multiples.

Organization of the paper.
The first section of the paper focuses on elementary operations for skew polynomials with normal bases: evaluation and interpolation. More precisely, if $P \in L[X,\sigma]$, then $P(\sigma)$ is an endomorphism of the $K$-algebra $L$, and the map $P \mapsto P(\sigma)$ is a morphism of $K$-algebras. In this section, we describe how to compute $P(\sigma)$ efficiently using a normal basis and, conversely, how to recover $P$ (or rather its reduction modulo $X^r - 1$) from the datum of $P(\sigma)$ (see Proposition 1.6). We also look in more detail at how to solve the same evaluation/interpolation problems for $P$ of small degree $n$ at only the first $n$ elements of a normal basis.

In the second section, we present our algorithm for fast multiplication of skew polynomials. First, we study how the multiplication can be done efficiently modulo $X^r - a$, and then modulo $Z(X^r)$ for any irreducible polynomial $Z \in K[T]$. This allows us to give an algorithm for the multiplication of skew polynomials of degree $d$ that works in $\tilde O(d r^{\omega-1})$ operations in $K$ (where $r^\omega$ denotes the complexity of multiplication of square matrices of size $r$).

In the third section, we give several applications to fast arithmetic for skew polynomials. We show how to perform general multi-point evaluation, minimal subspace polynomial computation and interpolation, as well as the usual operations on skew polynomials such as (extended) Euclidean division, greatest common divisor and least common multiple.
1. FAST EVALUATION AND INTERPOLATION
In this section, we present the notion of skew polynomials, and we study the problems of their evaluation and interpolation using normal bases.
Let $K$ be a field and let $L$ be an étale $K$-algebra (since $K$ is a field, this just means that $L$ is isomorphic to a product of field extensions of $K$). Let $\sigma$ be an automorphism of $L$. We assume that $\sigma$ has finite order $r$ and that $K = L^\sigma$. The ring $L[X,\sigma]$ of skew polynomials with coefficients in $L$ is the ring whose underlying additive group is $L[X]$ and whose multiplication is determined by the relation
$$\forall \alpha \in L,\qquad X\alpha = \sigma(\alpha)\,X.$$
The ring $L[X,\sigma]$ is not commutative unless $r = 1$.

Examples. The following situations are examples of the general setting that we are considering:
• $L = K^r$, and $\sigma$ is the shift operator $(x_0, \dots, x_{r-1}) \mapsto (x_1, \dots, x_{r-1}, x_0)$;
• (Extensions of finite fields) $K = \mathbb F_q$, $L = \mathbb F_{q^r}$ and $\sigma : x \mapsto x^q$ is the Frobenius endomorphism of $L$;
• (Cyclotomic extensions) $K = \mathbb Q$ and $L = \mathbb Q(\zeta_{p^n})$ where $\zeta_{p^n}$ is a primitive $p^n$-th root of unity and $p$ is a prime (with $p$ odd, or $p^n \in \{2,4\}$, so that the group below is cyclic); $\sigma$ is a generator of the Galois group $\mathrm{Gal}(L/K)$, which is the cyclic group $(\mathbb Z/p^n\mathbb Z)^\times$;
• (Kummer extensions) $K$ contains a primitive $r$-th root of unity $\zeta_r$, $L = K(\sqrt[r]{a})$ for some suitable $a \in K$, and $\sigma$ maps $\sqrt[r]{a}$ to $\zeta_r \sqrt[r]{a}$.
The last two examples are addressed in [13] and have applications to space-time codes.

Remark 1.1.
Usually, $L$ is assumed to be a field extension of $K$. We are considering the more general context of an étale $K$-algebra because it is stable under base change: if $L/K$ is étale and $K'$ is an extension of $K$, then $L' = L \otimes_K K'$ is étale over $K'$ (but it is not a field in general, even if $L$ is). This feature is used mostly in Section 2.1.2, and does not make the classical results any more difficult to prove.

Definition 1.2. A normal basis of $L/K$ is a basis $(b_0, \dots, b_{r-1})$ of $L$ over $K$ such that $\sigma(b_{i+1}) = b_i$ (the indices being taken modulo $r$).

Proposition 1.3 ([5], Satz 1). Assuming $\sigma$ has order $r$ and $K = L^\sigma$, $L$ has a normal basis.

The problem of the construction of normal bases has been widely studied, see for example [7] for the case of finite fields and [9] for the case of number fields. In the cases of cyclotomic and Kummer extensions, it is easy to exhibit a normal basis: in the cyclotomic case with $n = 1$, the basis starting with $b_0 = \zeta_p$ does the job (in general the conjugates of $\zeta_m$ form a normal basis of $\mathbb Q(\zeta_m)/\mathbb Q$ exactly when $m$ is squarefree), while in the Kummer case one can take
$$b_0 = 1 + \sqrt[r]{a} + \sqrt[r]{a}^{\,2} + \cdots + \sqrt[r]{a}^{\,r-1} = \frac{a - 1}{\sqrt[r]{a} - 1}.$$

From now on, we assume that we have fixed a normal basis $(b_0, \dots, b_{r-1})$ of $L$ together with a working basis in which the elements of $L$ are represented. Let $\Omega$ be the matrix of change of basis from the working basis to the normal basis. We assume that the multiplication in $L$ and the application of $\sigma$ can both be performed in $\tilde O(r)$ operations in $K$ in the working basis.

We introduce a relation between polynomials that allows us to evaluate the linear map associated with a skew polynomial at the elements of the normal basis $(b_0, \dots, b_{r-1})$.

Lemma 1.4.
The map
$$L[X,\sigma] \to \mathrm{End}_K(L), \qquad A = \sum_{i \ge 0} a_i X^i \mapsto A(\sigma) = \sum_{i \ge 0} a_i \sigma^i$$
is a homomorphism of $K$-algebras. It induces an isomorphism of $K$-algebras
$$\varepsilon : L[X,\sigma]/(X^r - 1) \xrightarrow{\ \simeq\ } \mathrm{End}_K(L).$$

Proof. The first map is a homomorphism because for all $a \in L$, $Xa = \sigma(a)X$ in $L[X,\sigma]$ while $\sigma \circ a = \sigma(a) \circ \sigma$ in $\mathrm{End}_K(L)$ (here $a$ and $\sigma(a)$ denote multiplication maps). Since $\sigma$ has order $r$, $X^r - 1$ is mapped to $0$; moreover $X^r$ is central in $L[X,\sigma]$ because $\sigma^r = \mathrm{id}$, so $(X^r - 1)$ is a two-sided ideal and $\varepsilon$ is well defined. Both $L[X,\sigma]/(X^r - 1)$ and $\mathrm{End}_K(L)$ are $K$-vector spaces of dimension $r^2$, hence it suffices to prove injectivity. By Artin's lemma on the independence of characters, $\{\mathrm{id}, \sigma, \dots, \sigma^{r-1}\}$ is a linearly independent family over $L$, so that if $P(\sigma) = 0$ for some $P \in L[X,\sigma]$ of degree $< r$, then $P = 0$.

Lemma 1.4 shows that multiplication of skew polynomials modulo $X^r - 1$ reduces to multiplication of $r \times r$ matrices over $K$, assuming that the isomorphism $\varepsilon$ can be computed efficiently (in both directions). We now address this question.
Notation 1.5. Throughout this paper, we write $P(x)$ for $P(\sigma)(x) = \varepsilon(P)(x)$ when $P \in L[X,\sigma]$ and $x \in L$.

Let $T$ be a new (commutative) variable and consider the classical polynomial ring $L[T]$. Let $B = \sum_{i=0}^{r-1} b_i T^i \in L[T]$ be the polynomial whose coefficients are the elements of the normal basis.

Proposition 1.6. Let $A = \sum_{i=0}^{r-1} a_i X^i \in L[X,\sigma]$ and let $\tilde A(T) = \sum_i a_i T^i \in L[T]$. Let $c_j = A(b_j)$ and let $C(T) = \sum_{j=0}^{r-1} c_j T^j$. Then
$$C(T) \equiv \tilde A(T)\, B(T) \pmod{T^r - 1}.$$

Proof. By linearity, it is enough to check that the relation holds when $A = X^i$ for $0 \le i \le r-1$. Let $0 \le i \le r-1$. On the one hand, $X^i(b_j) = \sigma^i(b_j) = b_{j-i}$, where indices are taken modulo $r$. On the other hand, computing modulo $T^r - 1$, $T^i B(T) = \sum_{j=0}^{r-1} b_{j-i} T^j$. The two agree.

Proposition 1.6, although elementary, shows that the isomorphism $\varepsilon$ of Lemma 1.4 can be computed efficiently. Moreover, it also shows how the inverse isomorphism can be computed. More precisely:

Corollary 1.7. Multiplication in $L[X,\sigma]/(X^r - 1)$ can be performed in $O(r^\omega)$ operations in $K$.

Proof. Let $A_1, A_2 \in L[X,\sigma]/(X^r - 1)$ and let $\tilde A_1(T), \tilde A_2(T) \in L[T]$ be the commutative polynomials with the same coefficients as $A_1$, $A_2$ respectively. Let $C_1(T) = \tilde A_1(T) B(T)$ and $C_2(T) = \tilde A_2(T) B(T)$ in $L[T]/(T^r - 1)$; $C_1$ and $C_2$ can be computed in $\tilde O(r^2)$ operations in $K$. Now let $M_1$ (resp. $M_2$) be the matrix whose $j$-th column is the decomposition of the $j$-th coefficient of $C_1$ (resp. $C_2$) in the working basis. By Proposition 1.6, $M_1$ (resp. $M_2$) is the matrix of $\varepsilon(A_1)$ (resp. $\varepsilon(A_2)$) where the domain is endowed with the normal basis and the codomain with the working basis. Set $M = M_1 \Omega M_2$; this product can be computed within $O(r^\omega)$ operations in $K$, and since $\varepsilon$ is a homomorphism, $M$ is the matrix of $\varepsilon(A_1 A_2) = \varepsilon(A_1) \circ \varepsilon(A_2)$, again with the domain endowed with the normal basis and the codomain with the working basis. Writing $(w_0, \dots, w_{r-1})$ for the working basis, let
$$C(T) = \begin{pmatrix} w_0 & w_1 & \cdots & w_{r-1} \end{pmatrix} M \begin{pmatrix} 1 \\ T \\ \vdots \\ T^{r-1} \end{pmatrix},$$
so that the $j$-th coefficient of $C$ is $(A_1A_2)(b_j)$, and compute
$$\tilde A(T) = C(T)\, B(T)^{-1} \pmod{T^r - 1} = \sum_{i=0}^{r-1} a_i T^i,$$
which can also be done in $\tilde O(r^2)$ operations in $K$ ($B$ is invertible modulo $T^r - 1$ because, by Proposition 1.6, multiplication by $B$ is the bijection $\tilde A \mapsto C$). Then, again by Proposition 1.6, $A_1 A_2 = \sum_{i=0}^{r-1} a_i X^i$. This shows that the global complexity of this computation is $O(r^\omega)$.

In Section 2, we will generalize this algorithm and show how it yields a fast multiplication algorithm for skew polynomials (not only in the modular case).
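The following is an added worked example, not code from the paper: it runs Proposition 1.6 (evaluation on a normal basis as one cyclic convolution), the inverse step of Corollary 1.7 (interpolation), the matrix-product multiplication modulo $X^r - 1$ of Corollary 1.7, and the homomorphism property of Lemma 1.4 on the finite-field instance $K = \mathbb F_2$, $L = \mathbb F_{16} = \mathbb F_2[t]/(t^4 + t + 1)$, $\sigma$ the Frobenius $x \mapsto x^2$ (so $r = 4$). Everything about the encoding is this example's own assumption: an element of $L$ is an int whose bit $k$ is the coefficient of $t^k$, the working basis is the power basis (so working coordinates are the bits), the normal basis is generated by $b_0 = t^3$, and skew polynomials are coefficient lists indexed by degree.

```python
from functools import reduce
from operator import xor

# Added example (not the paper's code). K = F_2, L = F_16 = F_2[t]/(t^4 + t + 1),
# sigma = Frobenius x -> x^2, of order R = 4 with fixed field K. An element of L is an int
# 0..15 (bit k = coefficient of t^k); the working basis is (1, t, t^2, t^3), so working
# coordinates are the bits; addition in L is XOR. All of this is an assumed encoding.
R = 4
MODULUS = 0b10011  # t^4 + t + 1, irreducible over F_2

def gf_mul(x, y):
    """Product in F_16: carry-less multiply, reduced by t^4 + t + 1."""
    z = 0
    while y:
        if y & 1:
            z ^= x
        y >>= 1
        x <<= 1
        if x & 0b10000:
            x ^= MODULUS
    return z

def gf_inv(x):
    """Inverse of a nonzero element, by exhaustive search over the 15 units."""
    return next(y for y in range(1, 16) if gf_mul(x, y) == 1)

def sigma_pow(x, k):
    """sigma^k(x) = x^(2^k); only k mod R matters since sigma has order R."""
    for _ in range(k % R):
        x = gf_mul(x, x)
    return x

def skew_eval(A, x):
    """A(x) = A(sigma)(x) = sum_i a_i sigma^i(x) (Notation 1.5): the reference computation."""
    return reduce(xor, (gf_mul(a, sigma_pow(x, i)) for i, a in enumerate(A)), 0)

# Normal basis (Definition 1.2): b_i = sigma^(-i)(b_0), hence sigma(b_{i+1}) = b_i.
# b_0 = t^3 is an assumed choice; interpolate() raises ValueError if it were not a normal basis.
NB = [sigma_pow(0b1000, (R - i) % R) for i in range(R)]

def poly_mul_cyclic(F, G):
    """Product in L[T]/(T^R - 1): coefficient lists indexed by degree, exponents taken mod R."""
    H = [0] * R
    for i, f in enumerate(F):
        for j, g in enumerate(G):
            H[(i + j) % R] ^= gf_mul(f, g)
    return H

def eval_on_normal_basis(A):
    """Proposition 1.6: (A(b_0), ..., A(b_{R-1})) are the coefficients of A~(T) B(T) mod T^R - 1."""
    return poly_mul_cyclic(A, NB)

def solve(M, rhs):
    """Gauss-Jordan solve of M x = rhs over F_16 (M as rows); with 0/1 entries this is also a
    solver over K = F_2. Raises ValueError if M is singular."""
    n = len(M)
    A = [row[:] + [b] for row, b in zip(M, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, n) if A[i][col]), None)
        if piv is None:
            raise ValueError("singular matrix")
        A[col], A[piv] = A[piv], A[col]
        inv = gf_inv(A[col][col])
        A[col] = [gf_mul(inv, v) for v in A[col]]
        for i in range(n):
            if i != col and A[i][col]:
                f = A[i][col]
                A[i] = [u ^ gf_mul(f, v) for u, v in zip(A[i], A[col])]
    return [row[n] for row in A]

def interpolate(c):
    """Inverse of eval_on_normal_basis, i.e. A~ = C B^{-1} mod T^R - 1 in Corollary 1.7, solved
    as the linear system c_j = sum_i a_i b_{j-i}; its circulant matrix is invertible exactly
    because the b_i form a normal basis."""
    circ = [[NB[(j - i) % R] for i in range(R)] for j in range(R)]
    return solve(circ, c)

def mat_work(xs):
    """Mat_work: R x R matrix over K whose j-th column is the working coordinates of x_j."""
    return [[(x >> k) & 1 for x in xs] for k in range(R)]

def mat_mul(M, N):
    return [[reduce(xor, (gf_mul(M[i][k], N[k][j]) for k in range(len(N))), 0)
             for j in range(len(N[0]))] for i in range(len(M))]

def inverse(M):
    cols = [solve(M, [int(i == k) for i in range(len(M))]) for k in range(len(M))]
    return [list(col) for col in zip(*cols)]

def modular_product(A1, A2):
    """Corollary 1.7: A1 A2 mod X^R - 1 through one product of R x R matrices over K.
    M_k is the matrix of A_k(sigma) from the normal basis to the working basis and Omega maps
    working coordinates back to normal ones, so column j of M1 Omega M2 is A1(A2(b_j)) =
    (A1 A2)(b_j); interpolation then returns the coefficients of the product."""
    M1 = mat_work(eval_on_normal_basis(A1))
    M2 = mat_work(eval_on_normal_basis(A2))
    Omega = inverse(mat_work(NB))
    M = mat_mul(mat_mul(M1, Omega), M2)
    c = [reduce(xor, (M[k][j] << k for k in range(R)), 0) for j in range(R)]
    return interpolate(c)

def composes_correctly(P, A1, A2):
    """Lemma 1.4: P(sigma) = A1(sigma) o A2(sigma) on all of L iff P = A1 A2 mod X^R - 1."""
    return all(skew_eval(P, x) == skew_eval(A1, skew_eval(A2, x)) for x in range(16))
```

For instance `modular_product([0, 1], [2])` returns `[0, 4, 0, 0]`, i.e. $X \cdot t = t^2 X$, and `modular_product([0, 0, 1], [0, 0, 1])` returns `[1, 0, 0, 0]` because $X^4 \equiv 1$. The example replaces the $B(T)^{-1}$ step of the proof by a direct linear solve against the circulant matrix, which is the same bijection; for realistic $r$ one would compute the inverse of $B$ modulo $T^r - 1$ once and reuse it.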
Evaluation. We shall see later how we can compute the product of two skew polynomials of small degree $d$ by determining how their product acts on the first $2d$ elements of a normal basis. With this motivation in mind, let us describe how to compute efficiently the images of the first few elements of a normal basis under the action of a skew polynomial $A \in L[X,\sigma]$. Recall from Proposition 1.6 that, writing $B(T) = \sum_{i=0}^{r-1} b_i T^i$,
$$\tilde A(T)\, B(T) \equiv C(T) \pmod{T^r - 1}, \qquad \text{where } C(T) = \sum_{i=0}^{r-1} A(b_i)\, T^i.$$
Let $n < r$ and let $A \in L[X,\sigma]$ of degree $\le n$. We are interested in computing only $A(b_i)$ for $0 \le i \le n-1$, at a cost proportional to $n$ rather than to $r$.

Lemma 1.8. Let $A \in L[X,\sigma]$ of degree $\le n$ with $2n < r$, and let $c_i = A(b_i)$ for $0 \le i \le n-1$. Let $U(T) = \sum_{i=0}^{n} b_i T^i$ and $V(T) = \sum_{i=1}^{n} b_{r-i} T^{r-i}$. Then, for $0 \le i \le n-1$,
$$c_i = \gamma_i + \tilde\gamma_i, \qquad \text{where } \tilde A(T)\, U(T) \equiv \sum_{i=0}^{r-1} \gamma_i T^i \text{ and } \tilde A(T)\, V(T) \equiv \sum_{i=0}^{r-1} \tilde\gamma_i T^i$$
(the products being taken modulo $T^r - 1$).

Proof. Since $c_i = \sum_{j + j' \equiv i \ (\mathrm{mod}\ r)} a_j b_{j'}$ and $a_j = 0$ for $j > n$, we are left with the formula
$$c_i = \sum_{j'=0}^{i} a_{i-j'}\, b_{j'} + \sum_{j'=r-n+i}^{r-1} a_{i-j'+r}\, b_{j'},$$
and the two sums are precisely the coefficients of $T^i$ in $\tilde A U$ and $\tilde A V$ respectively: the first because $U$ carries $b_0, \dots, b_n$ and $i \le n$, the second because $V$ carries $b_{r-n}, \dots, b_{r-1}$ and $T^j \cdot T^{j'} \equiv T^{j+j'-r}$ when $j + j' \ge r$. The hypothesis $2n < r$ guarantees that the index ranges of $U$ and $V$ are disjoint, so no term is counted twice; when $2n \ge r$ one simply computes $\tilde A B$ modulo $T^r - 1$ in full, which costs $\tilde O(r^2) = \tilde O(nr)$ anyway.

Corollary 1.9. Let $A \in L[X,\sigma]$ of degree $\le n$. Then the collection $A(b_0), \dots, A(b_{n-1})$ can be computed in $\tilde O(rn)$ operations in $K$.

Proof. By Lemma 1.8, the evaluation of $A$ at $b_0, \dots, b_{n-1}$ is obtained from two multiplications of (classical) polynomials of degree $\le n$ with coefficients in $L$ ($V$ is $T^{r-n}$ times a polynomial of degree $n-1$), hence with complexity $\tilde O(nr)$ operations in $K$.

Interpolation.
Still bearing in mind the aim of multiplying two skew polynomials by composing the corresponding linear maps, we are interested in the following interpolation question: given $n$ values $\alpha_0, \dots, \alpha_{n-1} \in L$, find $A \in L[X,\sigma]$ of degree $\le n$ such that $A(b_i) = \alpha_i$ for all $0 \le i \le n-1$. A special case is $\alpha_0 = \cdots = \alpha_{n-1} = 0$: the skew polynomial we are then looking for is the so-called minimal subspace polynomial corresponding to the span $\langle b_0, \dots, b_{n-1} \rangle$. A generic fast algorithm for solving this problem has been proposed by Puchinger and Wachter-Zeh in [12], Theorem 26; it has complexity $\tilde O(n^{\max\{\log_2 3,\ (\omega+1)/2\}}\, r)$ operations in $K$. In the special case we are considering, we shall see that this can be improved to $\tilde O(nr)$.

Let $B_n(T) = \sum_{i=0}^{r-1} b_{i+n} T^i$, so that $B_n(T) \equiv T^{-n} B(T) \pmod{T^r - 1}$. Saying that $A$ satisfies $A(b_i) = 0$ for $0 \le i \le n-1$ means that there exists $Q \in L[T]$ of degree $\le r-n-1$ such that $\tilde A(T) B(T) \equiv T^n Q(T) \pmod{T^r - 1}$, that is
$$\tilde A(T)\, B_n(T) \equiv Q(T) \pmod{T^r - 1}, \qquad \deg \tilde A \le n,\ \deg Q \le r-n-1.$$
The latter equation can be solved thanks to the extended Euclidean algorithm. Indeed, computing the gcd of $T^r - 1$ and $B_n(T)$ and stopping after the first remainder of degree $< r - i$, we get a relation of the form
$$U_i(T)\, B_n(T) + V_i(T)\,(T^r - 1) = Q_i(T),$$
with $\deg U_i \le i$ and $\deg Q_i \le r-1-i$, which yields a solution to the problem when $i = n$. This computation can be done in $\tilde O(nr)$ operations in $K$ thanks to the half-gcd algorithm (see [6], Theorem 11.5).

In the general case, let $\alpha_0, \dots, \alpha_{n-1} \in L$ and let $C(T) = \sum_{i=0}^{n-1} \alpha_i T^i$. We are looking for $A \in L[X,\sigma]$ of degree $\le n$ and $Q \in L[T]$ of degree $\le r-n-1$ such that $\tilde A(T) B(T) \equiv C(T) + T^n Q(T) \pmod{T^r - 1}$, that is
$$\tilde A(T)\, B_n(T) \equiv Q(T) + \sum_{i=0}^{n-1} \alpha_i T^{r-n+i} \pmod{T^r - 1}.$$

Lemma 1.10. Let $R_0(T) = T^r - 1$, $R_1(T) = B(T)$, and for $i \ge 2$ let $R_i$ be the remainder of the Euclidean division of $R_{i-2}$ by $R_{i-1}$. Then for $0 \le i \le r$, $\deg R_i = r - i$.

Proof. Consider the map $\varphi_i : L[T]$

Theorem 1.11. Let $n \le r$ and $\alpha_0, \dots, \alpha_{n-1} \in L$. Then there exist $U, V, H \in L[T]$ with $\deg U \le n-1$, $\deg V \le n$ and $\deg H \le r-n$ such that
$$U(T)\,(T^r - 1) + V(T)\, B(T) = H(T) + T^{r-n+1}\big(\alpha_0 + \alpha_1 T + \cdots + \alpha_{n-1} T^{n-1}\big).$$
Moreover, Algorithm SmallDegreeInterpolation outputs $U$ and $V$ for a cost of $\tilde O(rn)$ operations in $K$.

Sketch of the proof. The result follows from the correctness of Algorithm 1, but it is also a theoretical consequence of Lemma 1.10. Indeed, this lemma shows that there exists a linear combination of $R_0 = T^r - 1, R_1 = B(T), \dots, R_{n-1}$ whose higher degree terms have coefficients $\alpha_0, \dots, \alpha_{n-1}$ (the $R_i$ have the distinct degrees $r, r-1, \dots, r-n+1$, so the top coefficients can be matched one at a time), and the bounds on the degrees follow from the fact that for $i \le n$, $R_i = U_i R_0 + V_i R_1$ with $\deg U_i \le i-1$ and $\deg V_i \le i$. Algorithm 1 is an adaptation of the half-gcd algorithm which computes simultaneously the sequence of remainders in the extended Euclidean division of $R_0$ and $R_1$, and the combination of $R_0$ and $R_1$ that has the given higher degree terms.

Thanks to Corollary 1.9, Theorem 1.11 and Algorithm 1, we can solve the problems of evaluation and interpolation at the first $n$ elements of a normal basis in $\tilde O(nr)$ operations in $K$.
2. FAST MULTIPLICATION
In this section, we study the problem of multiplying efficiently two elements $A_1, A_2 \in L[X,\sigma]$, both of degree $\le d$. The complexity is the number of operations in $K$, given as a function of $d$ and $r = \dim_K L$.

Multiplication modulo $X^r - a$. We consider the ring $L[X,\sigma]$. Let $\lambda \in L^\times$ and let $a = N_{L/K}(\lambda) = \lambda\,\sigma(\lambda) \cdots \sigma^{r-1}(\lambda)$. We are now going to describe an algorithm for multiplication in $L[X,\sigma]$ modulo $X^r - a$.

Proposition 2.1. The map
$$L[X,\sigma] \to L[X,\sigma]/(X^r - 1), \qquad A(X) = \sum_i a_i X^i \mapsto A(\lambda X) = \sum_i \lambda\,\sigma(\lambda) \cdots \sigma^{i-1}(\lambda)\, a_i X^i$$
factors as an isomorphism $L[X,\sigma]/(X^r - a) \simeq L[X,\sigma]/(X^r - 1)$.

Algorithm 1:
SmallDegreeInterpolation
Input: $R_0, R_1 \in L[T]$ and $a_0, \dots, a_{k-1} \in L$, with $k \le n$
Output: $M \in L[T]^{2 \times 2}$ such that $M \begin{pmatrix} R_0 \\ R_1 \end{pmatrix} = \begin{pmatrix} R_{k-1} \\ R_k \end{pmatrix}$, and $N \in L[T]^{1 \times 2}$ such that $N \begin{pmatrix} R_0 \\ R_1 \end{pmatrix} = S_k$ with $\deg\big(S_k - (a_{k-1} + a_{k-2} T + \cdots + a_0 T^{k-1})\, T^{n-k+1}\big) \le n-k$
  $h := \lfloor k/2 \rfloor$
  $\tilde R_0 := R_0 \ \mathrm{quo}\ T^{h}$, $\tilde R_1 := R_1 \ \mathrm{quo}\ T^{h-1}$
  $(M_1, N_1) := \text{SmallDegreeInterpolation}(\tilde R_0, \tilde R_1, a_0, \dots, a_{h-1})$
  $\begin{pmatrix} R_{h-1} \\ R_h \end{pmatrix} := M_1 \begin{pmatrix} R_0 \\ R_1 \end{pmatrix}$
  $S := N_1 \begin{pmatrix} R_0 \\ R_1 \end{pmatrix} = \sum_{i=0}^{n-h} s_i T^i + \sum_{i=0}^{h-1} a_i T^{n-i}$
  Make the Euclidean divisions:
    $R_{h-1} = Q_h R_h + R_{h+1}$
    $R_{h-1} - a_h T^{n-h} = \tilde Q_h R_h + \tilde R_{h+1}$
  $(M_2, N_2) := \text{SmallDegreeInterpolation}(R_h, R_{h+1}, a_{h+1} - s_{n-h-1}, \dots, a_{k-1} - s_{n-k+1})$
  return $M_2 \begin{pmatrix} 0 & 1 \\ 1 & -Q_h \end{pmatrix} M_1$, $\ N_1 + \begin{pmatrix} 1 & -\tilde Q_h \end{pmatrix} M_1 + N_2 \begin{pmatrix} 0 & 1 \\ 1 & -Q_h \end{pmatrix} M_1$

Proof.
This map sends $X^r$ to $\lambda\,\sigma(\lambda) \cdots \sigma^{r-1}(\lambda)\, X^r = a X^r$, thus mapping $X^r - a$ to $a(X^r - 1)$; since $a$ is invertible, it induces the announced isomorphism.

Corollary 2.2. Multiplication in $L[X,\sigma]/(X^r - a)$ can be performed in $O(r^\omega)$ operations in $K$.

Proof. By Proposition 2.1 and Corollary 1.7, it is enough to show that for $A \in L[X,\sigma]/(X^r - a)$, $A(\lambda X)$ can be computed in $O(r^\omega)$ operations in $K$. For this we write $\lambda_i = \lambda\,\sigma(\lambda) \cdots \sigma^{i-1}(\lambda)$ and remark that the $\lambda_i$ ($0 \le i < r$) can all be computed within $\tilde O(r^2)$ operations in $K$ thanks to the recurrence $\lambda_{i+1} = \lambda \cdot \sigma(\lambda_i)$. Evaluating the formula $A(\lambda X) = \sum_i \lambda_i a_i X^i$ then gives $A(\lambda X)$ in $\tilde O(r^2)$ operations in $K$.

We could use the proof of Corollary 2.2 directly to design an algorithm for multiplication modulo $X^r - a$. Such an algorithm would require computing $A_1(\lambda X)$ and $A_2(\lambda X)$ each time we use it to compute $A_1 A_2$. Alternatively, we can slightly modify the basis on which we are evaluating the corresponding maps, which provides a gain if there are many multiplications to do modulo $X^r - a$.

Let $\lambda \in L^\times$ and let $\sigma_a = \lambda\sigma$, i.e. $\sigma_a(x) = \lambda\,\sigma(x)$. Let $\tilde b_{r-1} \in L$ and, for $0 \le i \le r-2$, $\tilde b_i = \sigma_a^{r-1-i}(\tilde b_{r-1})$, chosen such that $\tilde{\mathcal B} = (\tilde b_0, \dots, \tilde b_{r-1})$ is a basis of $L$ over $K$. By construction, $\sigma_a(\tilde b_i) = \tilde b_{i-1}$ for $1 \le i \le r-1$, and $\sigma_a(\tilde b_0) = a\,\tilde b_{r-1}$ (because $\sigma_a^r = \lambda\,\sigma(\lambda) \cdots \sigma^{r-1}(\lambda)\,\sigma^r = a$). For example, if $(b_0, \dots, b_{r-1})$ is a normal basis of $L$ over $K$, then $\tilde b_{r-1} = b_{r-1}$ and $\tilde b_i = \lambda_{r-1-i}\, b_i$ (with $\lambda_k = \lambda\,\sigma(\lambda) \cdots \sigma^{k-1}(\lambda)$ as above) defines a suitable basis. Now let $\tilde B(T) = \sum_{i=0}^{r-1} \tilde b_i T^i \in L[T]$.

Proposition 2.3. Let $A = \sum_{i=0}^{r-1} a_i X^i \in L[X,\sigma]$ and let $\tilde c_j = A(\sigma_a)(\tilde b_j)$. Let $\tilde A(T) = \sum_i a_i T^i \in L[T]$ and $\tilde C_a(T) = \sum_{j=0}^{r-1} \tilde c_j T^j$. Then
$$\tilde C_a(T) \equiv \tilde A(T)\, \tilde B(T) \pmod{T^r - a}.$$

Proof. The proof is similar to that of Proposition 1.6. By linearity, it is enough to check that the relation holds for $A = X^i$ for $0 \le i \le r-1$. Let $0 \le i \le r-1$. We have
$$\sigma_a^i(\tilde b_j) = \begin{cases} \tilde b_{j-i} & \text{if } j \ge i, \\ a\,\tilde b_{r+j-i} & \text{if } i > j. \end{cases}$$
On the other hand, computing modulo $T^r - a$,
$$T^i \tilde B(T) = \sum_{j=0}^{r-1} \tilde b_j T^{i+j} = \sum_{j=i}^{r-1} \tilde b_{j-i} T^j + \sum_{j=0}^{i-1} a\,\tilde b_{r+j-i} T^j.$$
Hence $T^i \tilde B(T) \equiv \tilde C_{X^i}(T)$ for all $0 \le i \le r-1$, so $\tilde C_a(T) \equiv \tilde A(T) \tilde B(T)$ for all $A \in L[X,\sigma]/(X^r - a)$.

Algorithm ModMult below makes precise the algorithmic content of Proposition 2.3; it uses a primitive $\mathrm{Mat}_{\mathrm{work}}$ that takes as input a tuple $(x_1, \dots, x_r) \in L^r$ and outputs the $r \times r$ matrix whose $j$-th column holds the coordinates of $x_j$ in the working basis.

Algorithm 2:
ModMult
Input: $A_1, A_2 \in L[X,\sigma]$, $\lambda \in L^\times$
Output: $A = A_1 A_2 \pmod{X^r - a}$ where $a = N_{L/K}(\lambda)$
  $a := N_{L/K}(\lambda)$
  $(b_0, \dots, b_{r-1}) := \text{NormalBasis}(L/K)$
  $\tilde b_{r-1} := b_{r-1}$
  for $r-1 \ge i \ge 1$ do $\tilde b_{i-1} := \lambda\,\sigma(\tilde b_i)$
  $P := \mathrm{Mat}_{\mathrm{work}}(\tilde b_0, \dots, \tilde b_{r-1})$
  $\tilde B := \sum_{i=0}^{r-1} \tilde b_i T^i$
  for $1 \le i \le 2$ do
    $C_i := \tilde A_i \tilde B \pmod{T^r - a}$; write $C_i = \sum_{j=0}^{r-1} c_{i,j} T^j$
    $N_i := \mathrm{Mat}_{\mathrm{work}}(c_{i,0}, \dots, c_{i,r-1})$
  $N := N_1 P^{-1} N_2$
  $C := \begin{pmatrix} \beta_0 & \cdots & \beta_{r-1} \end{pmatrix} N \begin{pmatrix} 1 \\ T \\ \vdots \\ T^{r-1} \end{pmatrix}$, where $(\beta_0, \dots, \beta_{r-1})$ is the working basis
  $\tilde A := C \tilde B^{-1} \pmod{T^r - a}$
  return $A(X)$, the skew polynomial with the coefficients of $\tilde A$

Proposition 2.4. Algorithm ModMult computes the product $A_1 A_2$ in $L[X,\sigma]/(X^r - a)$ in $O(r^\omega)$ operations in $K$.

Proof. Multiplication of polynomials over $L$ modulo $T^r - a$ requires $\tilde O(r^2)$ operations in $K$. Multiplication of matrices of size $r$ over $K$ requires $O(r^\omega)$ operations in $K$. Hence the global complexity is $O(r^\omega)$ operations in $K$.

Multiplication modulo $Z(X^r)$. Let $K'/K$ be a finite extension. Define $L' = K' \otimes_K L$; it is an étale $K'$-algebra endowed with the endomorphism $\sigma' = \mathrm{id} \otimes \sigma$, which extends $\sigma$ and has order $r$.

Remark 2.5.
The algebra $L'$ is not necessarily a field (for instance, when $K' = L$, it splits as a product $L^r$). This is the reason why we needed to place this paper in the more general setting of étale algebras.

Let $\lambda \in (L')^\times$. Set $a = N_{L'/K'}(\lambda) = \lambda\,\sigma'(\lambda) \cdots \sigma'^{\,r-1}(\lambda) \in K'$. We assume that $K' = K(a)$. Let $Z \in K[T]$ be the minimal polynomial of $a$. We want to generalize the results of §2.1.1 to multiplication modulo $Z(X^r)$ (in §2.1.1, $K' = K$, $L' = L$ and $\lambda \in L^\times$). Note that if $(b_0, \dots, b_{r-1})$ is a normal basis of $L/K$, then $(1 \otimes b_0, \dots, 1 \otimes b_{r-1})$ is a normal basis of $L'/K'$.

Lemma 2.6. The canonical morphism $1 \otimes \mathrm{id} : L[X,\sigma] \to L'[X,\sigma']$ induces an isomorphism
$$L[X,\sigma]/Z(X^r) \simeq L'[X,\sigma']/(X^r - a).$$

Proof. First note that $(X^r - a)$ is a two-sided ideal of $L'[X,\sigma']$ ($X^r$ is central and $a \in K'$ is fixed by $\sigma'$), and that the canonical morphism $L[X,\sigma] \to L'[X,\sigma']$ induces a morphism $L[X,\sigma] \to L'[X,\sigma']/(X^r - a)$ which maps $X^r$ to $a$; since $K' = K(a)$ and $L' = K' \otimes_K L$, the latter is surjective. Moreover, by $K$-linearity, $Z(X^r)$ lies in the kernel of this map (as $Z(a) = 0$). We then get a surjective morphism of $K$-algebras $L[X,\sigma]/Z(X^r) \to L'[X,\sigma']/(X^r - a)$. Since both sides have dimension $r^2 \deg Z$ over $K$, this morphism is an isomorphism.

We are now back exactly in the situation of Section 2.1.1, where $K$ has been replaced by $K'$ and $L$ by $L'$: all the computations can be carried out the same way, and passing back through the isomorphism of Lemma 2.6, we can perform fast multiplication modulo $Z(X^r)$. The algorithm is as follows:

Algorithm 3:
ModMultZ
Input: $A_1, A_2 \in L[X,\sigma]$; $K'/K$ a finite extension; $\lambda \in L' = K' \otimes_K L$ nonzero with $a = N_{L'/K'}(\lambda) \in K'$ such that $K' = K(a)$; $Z \in K[T]$ the minimal polynomial of $a$ over $K$
Output: $A = A_1 A_2 \pmod{Z(X^r)}$
  Write $A_1 = \sum_{i=0}^{r-1} \alpha_i(X^r)\, X^i$ and $A_2 = \sum_{i=0}^{r-1} \beta_i(X^r)\, X^i$ with $\alpha_i, \beta_i \in L[T]$
  Let $\tilde A_1 = \sum_{i=0}^{r-1} \alpha_i(a)\, X^i$ and $\tilde A_2 = \sum_{i=0}^{r-1} \beta_i(a)\, X^i$ (elements of $L'[X,\sigma']$)
  Compute $\tilde A = \tilde A_1 \tilde A_2$ using ModMult in $L'[X,\sigma']/(X^r - a)$ endowed with the normal basis $(1 \otimes b_i)$
  Write $\tilde A = \sum_{i=0}^{r-1} \gamma_i(a)\, X^i$ with $\gamma_i \in L[T]$ of degree $< \deg Z$
  return $A = \sum_{i=0}^{r-1} \gamma_i(X^r)\, X^i$

Proposition 2.7.
Algorithm 3 computes the product $A_1 A_2$ in $L[X,\sigma]/(Z(X^r))$ with $\tilde O(r^\omega \deg Z)$ operations in $K$ (the $O(r^\omega)$ operations in $K'$ of Proposition 2.4 each cost $\tilde O(\deg Z)$ operations in $K$).

Let $A_1, A_2 \in L[X,\sigma]$ be two skew polynomials. We recall that our aim is to design a fast algorithm for computing the product $P = A_1 A_2$. We set $d = \deg P$.

Multiplication in large degree. We first assume that the polynomial $P = A_1 A_2$ has degree larger than $r$. In this case, the idea is to compute $P$ modulo various $Z_i(X^r)$ using Algorithm ModMultZ and then to reconstruct the result using a noncommutative version of the Chinese Remainder Theorem. The precise result we need is given by the following proposition.
Proposition 2.8.
Let $Z_1, \dots, Z_m \in K[T]$ be pairwise coprime polynomials, and let $Z = Z_1 \cdots Z_m$. Then the natural map
$$L[X,\sigma]/Z(X^r) \to L[X,\sigma]/Z_1(X^r) \times \cdots \times L[X,\sigma]/Z_m(X^r)$$
is an isomorphism of $K$-algebras.

Proof. Since the domain and the codomain have the same dimension over $K$, it is enough to prove surjectivity. For $i$ between $1$ and $m$, consider $A_i \in L[X,\sigma]/Z_i(X^r)$ and write it as
$$A_i = A_i^{(0)}(X^r) + A_i^{(1)}(X^r)\, X + \cdots + A_i^{(r-1)}(X^r)\, X^{r-1},$$
where the $A_i^{(j)}$ are polynomials with coefficients in $L$. For a fixed $j \in \{0, \dots, r-1\}$, let $A^{(j)} \in L[T]$ be a polynomial such that the congruence $A^{(j)} \equiv A_i^{(j)} \pmod{Z_i}$ holds in the commutative ring $L[T]$ for every $i$ (it exists by the usual Chinese Remainder Theorem in $L[T]$, the $Z_i$ being pairwise coprime). We can therefore write $A^{(j)} = A_i^{(j)} + Z_i Q_i^{(j)}$ for some polynomials $Q_i^{(j)} \in L[T]$. Noting that the inclusion $L[T] \to L[X,\sigma]$, $T \mapsto X^r$, is a ring homomorphism (i.e. the multiplication on $L[T]$ agrees with that on $L[X,\sigma]$, because $X^r$ is central), we deduce that the equality
$$A^{(j)}(X^r) = A_i^{(j)}(X^r) + Z_i(X^r) \cdot Q_i^{(j)}(X^r)$$
holds in $L[X,\sigma]$. Multiplying it by $X^j$ on the right and summing over $j$, we end up with $A \equiv A_i \pmod{Z_i(X^r)}$ for all $i$, where $A = \sum_j A^{(j)}(X^r)\, X^j$. Surjectivity is proved.

Remark 2.9. The above proof is constructive. More precisely, it shows that solving the Chinese Remainder problem of degree $d$ in $L[X,\sigma]$ with central moduli reduces to solving $r$ independent Chinese Remainder problems of degree $d/r$ in the commutative ring $L[X^r]$, and therefore can be achieved for a cost of $\tilde O(d)$ operations in $L$, corresponding to $\tilde O(dr)$ operations in $K$ (see [6], §).

It remains to explain how suitable moduli $Z_i(X^r)$ can be constructed. We will do it in two different concrete contexts: first, the case of finite fields and second, the case of number fields.

The case of finite fields.
We assume that $K$ and $L$ are finite fields and write $q$ for the cardinality of $K$. We consider an auxiliary finite extension $K'$ of $K$ of degree $n$ and build the compositum $L' = K' \otimes_K L$. We endow $L'$ with the uniform probability measure. We assume that $n$ is chosen sufficiently large so that
$$q^n \ge \max(64n, r). \tag{1}$$
Asymptotically the latter condition is fulfilled as soon as $n$ grows at least as fast as $\log r$.

Lemma 2.10. Let $t$ be an integer such that $8t(t-1) \le nq^n$ (the condition imposed in Algorithm Mult below). Let $\lambda'_1, \dots, \lambda'_t$ be random independent elements of $L'$. Then the $N_{L'/K'}(\lambda'_i)$ all generate $K'$ over $K$ and are pairwise non-conjugate over $K$ with probability bounded below by an absolute positive constant.

Proof. The étale algebra $L'$ splits as a product $(M')^g$ where $M'$ is a finite extension of $K'$ of degree $f$ and $g$ is a positive integer (so $fg = r$). Moreover, if $x \in L'$ decomposes as $x = (x_1, \dots, x_g)$, we have
$$N_{L'/K'}(x) = N_{M'/K'}(x_1) \cdots N_{M'/K'}(x_g).$$
Observe that the norm map $N_{M'/K'}$ takes the value $0$ only at $0$. Hence the probability that $N_{M'/K'}$ vanishes is $q^{-nf}$, and therefore $N_{L'/K'}$ vanishes with probability $1 - (1 - q^{-nf})^g$. As for the nonzero values of $K'$, they are reached by $N_{L'/K'}$ with uniform probability because $N_{L'/K'}$ restricted to units is a surjective group homomorphism onto $(K')^\times$, i.e.
$$\mathrm{Prob}\big[N_{L'/K'} = a\big] = \Big(1 - \frac{1}{q^{nf}}\Big)^g \cdot \frac{1}{q^n - 1} \qquad (a \in K',\ a \neq 0).$$
Let $c_n$ be the number of elements of $K'$ that generate $K'$ over $K$. The probability that a fixed $\lambda'_i$ satisfies the requirement $K\big(N_{L'/K'}(\lambda'_i)\big) = K'$ is then $(1 - q^{-nf})^g \cdot c_n/(q^n - 1)$. Assuming that this occurs, the probability that the $N_{L'/K'}(\lambda'_i)$ are pairwise non-conjugate is
$$\Big(1 - \frac{n}{c_n}\Big) \cdot \Big(1 - \frac{2n}{c_n}\Big) \cdots \Big(1 - \frac{(t-1)n}{c_n}\Big),$$
each generator having exactly $n$ conjugates over $K$. Putting all together, we find the probability of success
$$\Big(1 - \frac{1}{q^{nf}}\Big)^g \cdot \frac{c_n}{q^n - 1} \cdot \Big(1 - \frac{n}{c_n}\Big) \cdots \Big(1 - \frac{(t-1)n}{c_n}\Big),$$
which is at least
$$\frac{c_n}{q^n - 1} \Big(1 - \frac{g}{q^{nf}} - \frac{t(t-1)\,n}{2c_n}\Big) \ \ge\ \frac{c_n}{q^n} - \frac{r}{q^n} - \frac{t(t-1)\,n}{q^n}. \tag{2}$$
Clearly $q^n - c_n$ is the cardinality of the union of all strict subextensions of $K'$ over $K$. Therefore
$$q^n - c_n \le \sum_{m \mid n,\ m < n} q^m.$$

Algorithm 4: Mult
Input: $A_1, A_2 \in L[X,\sigma]$ of degree $\le d$
Output: $P = A_1 A_2$
  Choose $n$ and $K'$ such that Eq. (1) holds and $8 \cdot \frac{d}{nr} \cdot \big(\frac{d}{nr} + 1\big) \le nq^n$
  Set $t = \lceil d/(nr) \rceil$
  Pick $\lambda'_1, \dots, \lambda'_t \in L' = K' \otimes_K L$ at random
  for $1 \le i \le t$ do
    Compute the minimal polynomial $Z_i \in K[T]$ of $N_{L'/K'}(\lambda'_i)$
    Compute $P_i = A_1 A_2 \in L[X,\sigma]/Z_i(X^r)$   // use Algorithm ModMultZ
  Compute $P$ such that $\deg P \le d$ and $P \equiv P_i \pmod{Z_i(X^r)}$ for all $i$   // use Proposition 2.8
  return $P$

Theorem 2.11. Let $A_1, A_2 \in L[X,\sigma]$ of degree $d \ge r$. Then Algorithm Mult computes the product $A_1 A_2$ within $\tilde O(d r^{\omega-1})$ operations in $K$, with probability of success bounded below by an absolute positive constant.

Proof. Observe first that $n$ can be chosen such that $n = O(\log d + \log r)$. Computing the product in $L[X,\sigma]/Z_i(X^r)$ requires $\tilde O(r^\omega n) = \tilde O(r^\omega)$ operations in $K$, and there are $t = \lceil d/(nr) \rceil$ such products, for a total of $\tilde O(d r^{\omega-1})$. Moreover, by Remark 2.9, the reconstruction (line 7) can be done for a cost of $\tilde O(rd)$ operations in $K$. The overall cost of Mult is then $\tilde O(d r^{\omega-1})$ as announced. The bound on the probability of success follows from Lemma 2.10.

The case of number fields. We assume that $K$ and $L$ are number fields. The image of the norm map $N_{L/K} : L^\star \to K^\star$ is then an infinite subgroup of $K^\star$ (it contains the $r$-th powers of the elements of $K^\star$, since $N_{L/K}(x) = x^r$ for $x \in K$), meaning that if we take a finite set of random elements $\lambda \in L$, the norms of the $\lambda$'s are likely to be pairwise distinct. We can then reapply the strategy used in the case of finite fields without having to work with an auxiliary extension $K'$. We end up this way with a probabilistic Las Vegas algorithm whose complexity is $\tilde O(d r^{\omega-1})$ operations in $K$ and whose probability of success is high.

Multiplication in small degree. The idea for fast multiplication in small degree is that if a skew polynomial has degree $d \ll r$, it is determined by its values on $d+1$ linearly independent elements of $L$. Hence, starting with two skew polynomials $A_1, A_2$ whose degrees add up to $d$, we should be able to compute their product by composing two $K$-linear maps over vector spaces of dimension $d+1$.
However,we know some efficient algorithm for evaluating A ( σ ) onlyon a subspace of L which is spanned by the first vectorsof a normal basis. For this reason, it order to compute A A ( b ) , . . . , A A ( b d − ), we shall need to know the wholeof the linear map A ( σ ) (because A ( b ) , . . . , A ( b d − ) arein general nothing to do with a truncated normal basis). Algorithm 5: SmallDegreeMultiplication Input : A , A ∈ L [ X, σ ], deg A + deg A < r Output : P = A A Set d = deg A + deg A Compute A ( b ) , . . . , A ( b d ) // use Corollary 1.9 Compute the matrix of P ( σ ) // use Proposition 1.6 Compute c = A A ( b ) , . . . , c d = A A ( b d )// matrix multiplication of sizes r × r by r × ( d +1) Compute P ∈ L [ X, σ ] s.t. P ( b i ) = c i and deg P ≤ d .// use Algorithm SmallDegreeInterpolation return P The complexity of the above algorithm is given by thenext Theorem whose proof is straightforward after what wehave already done (the bottleneck comes from the matrixmultiplication step). Theorem 2.12. Let A , A such that deg A + deg A ≤ d < r . Then Algorithm 5 computes the product A A with O ( d ω − r ) operations in K . Conclusion. As a conclusion, several algorithms with dif-ferent complexities are available for the multiplication ofskew polynomials. Precisely, we have designed in this pa-per one algorithm of complexity ˜ O ( dr ω − ) when d ≥ r and an another algorithm of complexity ˜ O ( d ω − r ) when d ≤ r . Apart from that, Wachter-Zeh’s algorithm [12] per-forms the same computation with complexity ˜ O ( d ( ω +1) / r )without any assumption on d . The corresponding complex-ity curves are represented on Figure 1. Putting all together,we find that the product in L [ X, σ ] can be performed within d cost • d ( ω +1) / r rr (5 − ω ) / r ω d ω − r dr ω − SM ≥ ( d, r ) Figure 1: Complexity profiles (log-log scale) ˜ O (SM( d, r )) operations in K where:SM( d, r ) = d ( ω +1) / r for d ≤ r (5 − ω ) / = d ω − r for r (5 − ω ) / ≤ d ≤ r = dr ω − for d ≥ r. 
As already discussed in the introduction, we expect to lower the complexity to $\tilde O(d^{\omega-1} r)$ in the range $d \le r$ and, until now, we have not succeeded in doing so.

3. OTHER OPERATIONS AND APPLICATIONS

Classically, fast multiplication algorithms can be used to speed up many other computations. This general philosophy works for skew polynomials as well and was concretized in [3], §. In order to state the resulting complexities, we introduce the function $\mathrm{SM}_{\ge}$ defined by:

$\mathrm{SM}_{\ge}(d,r) = \sup_{d' \le d} \left( \mathrm{SM}(d',r) \cdot \frac{d}{d'} \right).$

A direct computation shows that:

$\mathrm{SM}_{\ge}(d,r) = d^{(\omega+1)/2}\, r$ for $d \le r^{2/(5-\omega)}$,
$\mathrm{SM}_{\ge}(d,r) = d\, r^{4/(5-\omega)}$ for $d \ge r^{2/(5-\omega)}$.

The function $\mathrm{SM}_{\ge}$ (viewed as a function of the variable $d$) is the smallest function above SM whose "log-log slope" is always at least 1 (see Figure 1). The notation comes from this interpretation. With $\omega = 2.37$, we have $\mathrm{SM}_{\ge}(d,r) \approx d^{1.69}\, r$ for $d \le r^{0.76}$ and $\mathrm{SM}_{\ge}(d,r) \approx d\, r^{1.52}$ for larger $d$.

Euclidean division. An algorithm that performs (right) Euclidean divisions in $L[X,\sigma]$ and takes advantage of fast multiplication algorithms is depicted in [3], § (Algorithm REuclideanDivision). Proposition 3.2.3 of loc. cit. extends readily to the setting of this paper and shows that the aforementioned algorithm has a cost of $\tilde O(\mathrm{SM}_{\ge}(d,r))$ operations in $K$.

gcd and lcm computation. The classical half-gcd algorithm that we already mentioned above (see [6], §11) works in the same way to compute left and right gcd's of skew polynomials. The precise corresponding algorithm is written in [3], § (Algorithm FastExtendedRGCD).

Proposition 3.1. The algorithm FastExtendedRGCD of [3], § runs in $\tilde O(\mathrm{SM}_{\ge}(d,r))$ operations in $K$.

Proof. A careful look at the algorithm FastExtendedRGCD shows that its complexity in operations in $K$ is bounded by $T(d,r)$, where $T(d,r)$ satisfies the recurrence relation:

$T(d,r) \le 2\, T\!\left(\tfrac{d}{2}, r\right) + \tilde O\!\left(\mathrm{SM}\!\left(\tfrac{d}{2}, r\right)\right).$

By induction, it follows that for $m \ge 1$:

$T(d,r) \le 2^m\, T\!\left(\tfrac{d}{2^m}, r\right) + \tilde O\!\left(\sum_{j=1}^{m} 2^j\, \mathrm{SM}\!\left(\tfrac{d}{2^j}, r\right)\right) \le 2^m\, T\!\left(\tfrac{d}{2^m}, r\right) + \tilde O\!\left(m \cdot \mathrm{SM}_{\ge}(d,r)\right),$

the last inequality because $2^j\, \mathrm{SM}(d/2^j, r) \le \mathrm{SM}_{\ge}(d,r)$ by definition of $\mathrm{SM}_{\ge}$. Taking $m = \lfloor \log_2 d \rfloor$, we get $T(d,r) = \tilde O(\mathrm{SM}_{\ge}(d,r))$ as expected.

Remark 3.2. A similar complexity is available for the computation of lcm's.

Minimal subspace polynomial. Let $(x_1, \dots, x_d)$ be a family of elements of $L$ which is free over $K$. We are interested in computing the unique monic polynomial $P \in L[X,\sigma]$ of degree $d$ such that $P(x_i) = 0$ for all $i \in \{1, \dots, d\}$.

Lemma 3.3. For $x \in L$, $x \ne 0$, the value $P(x)/x$ is the remainder in the right Euclidean division of $P$ by $X - \sigma(x)/x$.

Proof. It is a direct computation: write $P = Q \cdot (X - \sigma(x)/x) + \rho$ with $\rho \in L$. Since $(X - \sigma(x)/x)(x) = \sigma(x) - \sigma(x) = 0$ and $(QB)(x) = Q(B(x))$ for all $Q, B \in L[X,\sigma]$, evaluating at $x$ gives $P(x) = \rho\, x$.

Lemma 3.3 shows that the polynomial $P$ we are looking for is nothing but the left lcm of the polynomials $X - \sigma(x_i)/x_i$. As a consequence, $P$ can be computed for a cost of $\tilde O(\mathrm{SM}_{\ge}(d,r))$ operations in $K$ using fast algorithms for lcm computation together with a "tree division strategy" [6], §.

General multievaluation. We consider again a free family $(x_1, \dots, x_d)$ of elements of $L$. The general multievaluation problem consists in evaluating a given polynomial $P \in L[X,\sigma]$ of degree $d$ at the $x_i$'s. Thanks to Lemma 3.3, the value $P(x_i)$ agrees with $x_i$ times the remainder of the right division of $P$ by $X - \sigma(x_i)/x_i$. We are then reduced to computing the reductions of a given polynomial modulo some given moduli. This can be done efficiently using the strategy of [6], §, within $\tilde O(\mathrm{SM}_{\ge}(d,r))$ operations in $K$. If $d$ and $r$ have the same order of magnitude, one can preferably compute the matrix of $P(\sigma)$ using the formula of Proposition 1.6 and derive from it the values of the $P(x_i)$'s thanks to a single matrix multiplication. The cost of the resulting algorithm is $O(r^\omega)$.

Remark 3.4. If the $x_i$'s are the first vectors of a normal basis of $L$ over $K$, one can use directly the algorithm of §.

General interpolation. We keep the family $(x_1, \dots, x_d)$ and consider in addition some values $y_1, \dots, y_d \in L$.
We address the question of computing a polynomial $P$ of degree at most $d-1$ such that $P(x_i) = y_i$ for all $i$. Thanks to Lemma 3.3, the above problem reduces to solving the following Chinese remainder system (remainders being taken with respect to right division):

$P \equiv y_i / x_i \pmod{X - \sigma(x_i)/x_i}$ for $i = 1, \dots, d$,

which again can be done for a cost of $\tilde O(\mathrm{SM}_{\ge}(d,r))$ operations in $K$.

Remark 3.5. If the $x_i$'s are the first vectors of a normal basis of $L$ over $K$, one can use directly the Algorithm SmallDegreeInterpolation, which has a better complexity.

Gabidulin codes. The solution sketched above to the general multievaluation problem allows us to encode messages in the framework of (generalized) Gabidulin codes [13] in complexity $O(n^\omega)$, where $n$ is the length of the code. (Better complexities are possible when the dimension of the code is much smaller than its length.) In a similar fashion, efficient decoding is also possible using the key equation together with the half-gcd algorithm. The resulting algorithms run in $\tilde O(\mathrm{SM}_{\ge}(n,k))$ operations in $K$, where $n$ and $k$ denote the length and the dimension of the Gabidulin code respectively.

4. REFERENCES

[1] A. Benoit, A. Bostan, J. van der Hoeven, Quasi-optimal Multiplication of Linear Differential Operators, Proceedings of the 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science (2012)
[2] R. Burger, A. Heinle, A Diffie-Hellman-like Key Exchange Protocol Based on Multivariate Ore Polynomials, http://arxiv.org/abs/1407.1270 (preprint, 2014)
[3] X. Caruso, J. Le Borgne, A new faster algorithm for factoring skew polynomials over finite fields, J. Symbolic Comput. (2017), 411–443
[4] J.-M. Couveignes, R. Lercier, Elliptic Periods for Finite Fields, Finite Fields Appl. (2009), 1–22
[5] M. Deuring, Galoissche Theorie und Darstellungstheorie, Math. Ann. (1932), 140–144
[6] J. von zur Gathen, J. Gerhard, Modern Computer Algebra, Cambridge University Press, Cambridge (2003)
[7] J. von zur Gathen, M. Giesbrecht, Constructing normal bases in finite fields, J. Symbolic Comput. (1990), 547–570
[8] M. Giesbrecht, Factoring in skew-polynomial rings over finite fields, J. Symbolic Comput. (1998), 463–486
[9] K. Girstmair, An Algorithm for the Construction of a Normal Basis, J. Number Theory (1999), 36–45
[10] J. Le Borgne, Représentations galoisiennes et φ-modules : aspects algorithmiques, PhD Thesis (2012)
[11] O. Ore, Theory of non-commutative polynomials, Ann. of Math. (1933), 480–508
[12] S. Puchinger, A. Wachter-Zeh, Sub-quadratic decoding of Gabidulin codes, IEEE Int. Symp. Inf. Theory (ISIT) (2016)
[13] G. Robert, Codes de Gabidulin en caractéristique nulle : application au codage espace-temps, PhD Thesis (2015)
[14] D. Silva, F. R. Kschischang, Fast Encoding and Decoding of Gabidulin Codes, IEEE Int. Symp. Inf. Theory (ISIT) (2009)
[15] F. Winkler,
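Worked example for Section 3 (Lemma 3.3, the minimal subspace polynomial and multievaluation by right division). The Python script below is an added example and is not part of the paper or of the authors' implementation. It models a toy instance of $L[X,\sigma]$ with $L = \mathrm{GF}(3^3) = \mathrm{GF}(3)[t]/(t^3 + 2t + 1)$, $K = \mathrm{GF}(3)$ and $\sigma$ the Frobenius $a \mapsto a^3$ (the field modulus and the sample polynomials are constructed choices; all function names are the example's own). Skew multiplication follows the rule $Xa = \sigma(a)X$, right Euclidean division is the schoolbook one, and the minimal subspace polynomial is built by the naive successive left multiplication $P_k = (X - \sigma(y)/y)\,P_{k-1}$ with $y = P_{k-1}(x_k)$, which stands in for the paper's lcm/tree strategy; the code checks that the result is a common left multiple of the $X - \sigma(x_i)/x_i$, as Lemma 3.3 predicts.

```python
# Added example (not from the paper): toy model of L[X, sigma] with L = GF(p^r),
# K = GF(p), sigma = Frobenius a -> a^p.  Used to check Lemma 3.3, to
# multievaluate by right division and to build the minimal subspace polynomial.
# Field: GF(3)[t]/(t^3 + 2t + 1); the modulus is a constructed choice
# (irreducible, since it has no root in GF(3)).
P_CHAR = 3
MODULUS = (1, 2, 0, 1)              # 1 + 2t + 0t^2 + t^3, low degree first
R = len(MODULUS) - 1                # r = [L : K] = 3, so sigma has order 3
ZERO = (0,) * R
ONE = (1,) + (0,) * (R - 1)

# ---- arithmetic in L: elements are coefficient tuples of length R -----------
def f_add(a, b):
    return tuple((x + y) % P_CHAR for x, y in zip(a, b))

def f_neg(a):
    return tuple((-x) % P_CHAR for x in a)

def f_mul(a, b):
    prod = [0] * (2 * R - 1)                  # schoolbook product ...
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % P_CHAR
    for k in range(2 * R - 2, R - 1, -1):     # ... reduced by the monic MODULUS
        c = prod[k]
        for i in range(R + 1):
            prod[k - R + i] = (prod[k - R + i] - c * MODULUS[i]) % P_CHAR
    return tuple(prod[:R])

def f_pow(a, e):
    result, base = ONE, a
    while e:
        if e & 1:
            result = f_mul(result, base)
        base, e = f_mul(base, base), e >> 1
    return result

def f_inv(a):
    assert a != ZERO, "zero has no inverse"
    return f_pow(a, P_CHAR ** R - 2)          # a^(q-2) = a^-1 in GF(q)*

def sigma(a, k=1):
    return f_pow(a, P_CHAR ** (k % R))        # sigma^k(a) = a^(p^k); sigma^R = id

# ---- skew polynomials: lists of L-elements, index = degree, no trailing ZERO --
def s_trim(A):
    A = list(A)
    while A and A[-1] == ZERO:
        A.pop()
    return A

def s_add(A, B):
    n = max(len(A), len(B))
    A, B = A + [ZERO] * (n - len(A)), B + [ZERO] * (n - len(B))
    return s_trim([f_add(x, y) for x, y in zip(A, B)])

def s_mul(A, B):
    # the rule X b = sigma(b) X gives (a X^i)(b X^j) = a sigma^i(b) X^(i+j)
    res = [ZERO] * (len(A) + len(B) - 1) if A and B else []
    for i, a in enumerate(A):
        for j, b in enumerate(B):
            res[i + j] = f_add(res[i + j], f_mul(a, sigma(b, i)))
    return s_trim(res)

def s_divmod_right(A, B):
    # right Euclidean division A = Q*B + Rm with deg Rm < deg B
    A, B = s_trim(A), s_trim(B)
    assert B, "division by zero"
    m = len(B) - 1
    Q = [ZERO] * max(len(A) - m, 0)
    while len(A) > m:
        k = len(A) - 1 - m
        # (q X^k)(b_m X^m) = q sigma^k(b_m) X^(k+m) must cancel the leading term
        q = f_mul(A[-1], f_inv(sigma(B[-1], k)))
        Q[k] = q
        A = s_add(A, [f_neg(c) for c in s_mul([ZERO] * k + [q], B)])
    return s_trim(Q), A

def s_eval(P, x):
    # P(sigma)(x) = sum_i a_i sigma^i(x), the K-linear operator of the paper
    acc = ZERO
    for i, a in enumerate(P):
        acc = f_add(acc, f_mul(a, sigma(x, i)))
    return acc

def s_ratio_poly(x):
    # the degree-1 polynomial X - sigma(x)/x of Lemma 3.3; it vanishes at x
    return [f_neg(f_mul(sigma(x), f_inv(x))), ONE]

def division_checks_out(A, B):
    Q, rem = s_divmod_right(A, B)
    return s_add(s_mul(Q, B), rem) == s_trim(A) and len(rem) < len(s_trim(B))

def lemma_3_3_holds(P, x):
    # remainder of P right-divided by X - sigma(x)/x must equal P(x)/x
    _, rem = s_divmod_right(P, s_ratio_poly(x))
    return (rem[0] if rem else ZERO) == f_mul(s_eval(P, x), f_inv(x))

def multieval_by_division(P, xs):
    # P(x_i) = x_i * (P mod (X - sigma(x_i)/x_i)), the reduction of Section 3
    vals = []
    for x in xs:
        _, rem = s_divmod_right(P, s_ratio_poly(x))
        vals.append(f_mul(x, rem[0] if rem else ZERO))
    return vals

def minimal_subspace_poly(xs):
    # monic P of degree len(xs) with P(x_i) = 0, built by successive left
    # multiplication P_k = (X - sigma(y)/y) * P_{k-1} with y = P_{k-1}(x_k);
    # y = 0 would mean x_k lies in the K-span of x_1..x_{k-1} (family not free).
    # Naive O(d^2) construction; the paper uses an lcm / tree strategy instead.
    P = [ONE]
    for x in xs:
        y = s_eval(P, x)
        if y == ZERO:
            raise ValueError("family is not free over K")
        P = s_mul(s_ratio_poly(y), P)
    return P

if __name__ == "__main__":
    print("minimal polynomial of span(1, t):", minimal_subspace_poly([ONE, (0, 1, 0)]))
```

For the family $(1, t)$ the script returns $X^2 + X + 1$, whose evaluation is the trace $\mathrm{Tr}_{L/K}$: it kills the $K$-span of $1$ and $t$ and nothing else, as the dimension bound on the kernel of a degree-$d$ operator requires. Replacing `minimal_subspace_poly` by an lcm of the `s_ratio_poly(x_i)` computed with a fast gcd routine is exactly the step whose cost Section 3 bounds by $\tilde O(\mathrm{SM}_{\ge}(d,r))$.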