Sub-Linear Point Counting for Variable Separated Curves over Prime Power Rings
arXiv preprint, [math.NT]
CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
Abstract.
Let $k, p \in \mathbb{N}$ with $p$ prime and let $f \in \mathbb{Z}[x_1, x_2]$ be a bivariate polynomial with degree $d$ and all coefficients of absolute value at most $p^k$. Suppose also that $f$ is variable separated, i.e., $f = g_1 + g_2$ for $g_i \in \mathbb{Z}[x_i]$. We give the first algorithm, with complexity sub-linear in $p$, to count the number of roots of $f$ over $\mathbb{Z}/\langle p^k \rangle$ for arbitrary $k$: Our Las Vegas randomized algorithm works in time $(dk \log p)^{O(1)} \sqrt{p}$, and admits a quantum version for smooth curves working in time $(d \log p)^{O(1)} k$. Save for some subtleties concerning non-isolated singularities, our techniques generalize to counting roots of polynomials in $\mathbb{Z}[x_1, \ldots, x_n]$ over $\mathbb{Z}/\langle p^k \rangle$. Our techniques are a first step toward efficient point counting for varieties over Galois rings (which is relevant to error correcting codes over higher-dimensional varieties), and also imply new speed-ups for computing Igusa zeta functions of curves. The latter zeta functions are fundamental in arithmetic geometry.

Current affiliation and address of authors: (Robelle) University of Maryland, Baltimore County, 1000 Hilltop Circle, Baltimore, MD 21250. (Rojas & Zhu) Texas A&M University, Department of Mathematics, TAMU 3368, College Station, TX 77845. Emails: [email protected], [email protected], [email protected]. C.R. was partially supported by NSF grant DMS-1757872. J.M.R. and Y.Z. were partially supported by NSF grants CCF-1900881 and DMS-1757872.
1. Introduction
Counting points on algebraic curves over finite fields is a seemingly simple problem that nevertheless helped form the core of arithmetic geometry in the 20th century and now forms an important part of cryptography [Mil86, Kob87, GG16] and coding theory [vdG01]. Efficient algorithms for this problem continue to be a lively part of computational number theory: The barest list of references would have to include [Sch85, Pil90, AH01, Ked01, CDV06, LW08, Wan08, CL08, Har15]. Here, we consider algorithms for the natural extension of this problem to prime power rings, and find the first efficient algorithms for a broad class of (not necessarily smooth) curves: See Theorem 1.1 below. It will be useful to first discuss some motivation before covering further background.

1.1. A Connection to Error Correcting Codes.
Suppose $k, p \in \mathbb{N}$ with $p$ prime, $\mathbb{F}_p$ is the field with $p$ elements, and $r \in \mathbb{Z}[x]$ is a univariate polynomial of degree $m$ that is irreducible mod $p$. We call a quotient ring $R$ of the form $\mathbb{Z}[x]/\langle p^k, r(x) \rangle$ a Galois ring. Note that such an $R$ is finite, and can be the prime power ring $\mathbb{Z}/\langle p^k \rangle$ (for $m = 1$) or the field $\mathbb{F}_q$ (for $k = 1$ and $q = p^m$), to name a few examples.

Since numerous error correcting codes and cryptosystems are based on arithmetic over $\mathbb{F}_q$ or $\mathbb{F}_q[x]$, it has been observed (see, e.g., [GCM91, GSS00, BLQ13, CH15]) that one can generalize and improve these constructions by using arithmetic over $R$ or $R[x]$ instead. For instance, Guruswami and Sudan's famous list-decoding method for error correcting codes [GS99] involves finding the roots in $\mathbb{F}_q[x_1]$ of a polynomial in $\mathbb{F}_q[x_1, x_2]$ as a key step, and has a natural generalization to Galois rings (see, e.g., [HKC+94, Sud97, BW10] and [BLQ13, Sec. 4]). Furthermore, counting solutions to equations like $f(x_1, \ldots, x_n) = 0$ over Galois rings determines the weights of codewords in Reed-Muller codes over Galois rings, and the weight distribution governs the quality of the underlying code (see, e.g., [KLP12]).

1.2. Connections to Zeta Functions and Rational Points.
Efficiently counting roots in $(\mathbb{Z}/\langle p^k \rangle)^2$ of polynomials in $\mathbb{Z}[x_1, x_2]$ is a natural first step toward efficiently enumerating the roots in $R^2$ of polynomials in $R[x_1, x_2]$ for $R$ a Galois ring. However, observe that the ring of $p$-adic integers $\mathbb{Z}_p$ is the inverse limit of $\mathbb{Z}/\langle p^k \rangle$ as $k \to \infty$. It then turns out that the zero sets of polynomials over $\mathbb{Z}/\langle p^k \rangle$ inform the zero sets of polynomials over $\mathbb{Z}_p$ and beyond.

In particular, for any $f \in \mathbb{Z}[x_1, \ldots, x_n]$, one can form a fundamentally important generating function, and a related zeta function, as follows: Let $N_{p,k}(f)$ denote the number of roots in $(\mathbb{Z}/\langle p^k \rangle)^n$ of the mod $p^k$ reduction of $f$ and define the Poincaré series of $f$ to be
$$P_f(t) = \sum_{k=0}^{\infty} N_{p,k}(f)\, p^{-kn} t^k .$$
Also, letting $t := p^{-s}$, we define the Igusa local zeta function of $f$ to be
$$Z_f(t) := \int_{\mathbb{Z}_p^n} |f(x_1, \ldots, x_n)|_p^{\,s}\, dx ,$$
where $|\cdot|_p$ and $dx$ respectively denote the standard $p$-adic absolute value on $\mathbb{Z}_p$ and Haar measure on $\mathbb{Z}_p^n$. (This function turns out to be defined on the right open half-plane of $\mathbb{C}$, possibly with the exception of finitely many poles.) The precise definitions of $|\cdot|_p$ and $dx$ won't matter for our algorithmic results, but what does matter is that Igusa discovered in the 1970s that
$$P(t) = \frac{1 - tZ(t)}{1 - t}$$
and proved that $Z$ (and thus $P$) is a rational function of $t$ [Igu07].

(Also, major conferences such as ANTS consistently continue to feature papers on speeding up point-counting for various special families of curves and surfaces.)
Igusa defined his zeta function $Z$ with the goal of generalizing earlier work of Siegel (on counting representations of integers via quadratic forms) to high degree forms, e.g., how many ways can one write 239 as a sum of cubes? However, the algorithmic computation of these zeta functions has received little attention, aside from some very specific cases. Our results imply that one can compute $Z$ for certain bivariate $f$ in time polynomial in $dk \log p$. This extends earlier work on the univariate case [DMS20, Zhu20] to higher dimensions and will be pursued in a sequel to this paper.

It should also be pointed out that recent algorithmic methods for finding rational points (over $\mathbb{Q}$) on curves of genus $\ge 2$ go through the $p$-adic rational points on a related family of varieties (see, e.g., [BM20, Sec. 5.3]). So a long term goal of this work is to improve the complexity of finding the $p$-adic rational points on curves and surfaces, generalizing recent $p$-adic speed-ups in the univariate case [RZ20].

1.3. From Finite Fields to Prime Power Rings.
Returning to point counting over prime power rings, the computation of $N_{p,k}(f)$ is subtle already for $n = 1$: This special case has recently been addressed from different perspectives in [BLQ13, CGRW18, KRRZ19, DMS19], and was just recently proved to admit a deterministic algorithm of complexity $(dk \log p)^{O(1)}$, thanks to the last paper.

The special case $(n, k) = (2, 1)$ of computing $N_{p,1}(f)$, just for $f$ a cubic polynomial, is already of considerable interest in the design of cryptosystems based on the elliptic curve discrete logarithm problem. In fact, even this very special case wasn't known to admit an algorithm polynomial in $\log p$ until Schoof's work in the 1980s [Sch85]. More recently, algorithms for computing $N_{p,1}(f)$ for arbitrary $f \in \mathbb{Z}[x_1, x_2]$ of degree $d$, with complexity $d^{O(1)} (\log p)^{O(1)} \sqrt{p}$, have been derived by Harvey [Har15] (see also [Zhu20, Ch. 5]), and similar complexity bounds hold for arbitrary finite fields. Our main result shows that counting points over $\mathbb{Z}/\langle p^k \rangle$ for arbitrary $k$ is slower than the $k = 1$ case only by a factor polynomial in $k$ (neglecting the other parameters).

Theorem 1.1. Suppose $f = g_1 + g_2$ for some $g_i \in \mathbb{Z}[x_i]$, $\deg f = d \ge 1$, and all the coefficients of $f$ are of absolute value at most $p^k$. Then there is a Las Vegas randomized algorithm that computes $N_{p,k}(f)$ in time $(dk \log p)^{O(1)} \sqrt{p}$ (more precisely, $d^{O(1)} (k \log p)^{O(1)} p^{1/2 + \varepsilon}$ for any fixed $\varepsilon > 0$). In particular, the number of random bits needed is polynomial in $d$ and $k$ times $\log(dk) \log p$, and the space needed is polynomial in $d$ and $k$ times $\sqrt{p} \log p$. Furthermore, if the zero set of $f$ over the algebraic closure $\overline{\mathbb{F}}_p$ is smooth and irreducible, then $N_{p,k}(f)$ can be computed in quantum randomized time $(d \log p)^{O(1)} k$.

We prove Theorem 1.1 in Section 4.1. The central idea is to reduce to a moderate number of moderately sized instances of point counting over $\mathbb{F}_p$. Recall that Las Vegas randomized time simply means that our algorithm needs random bits and gives an answer that is correct with probability bounded below by a fixed positive constant. Quantum randomized time here will mean that we avail to a quantum computer, and instead obtain an algorithm that gives an answer that is correct with probability at least $2/3$, but with no correctness guarantee.

In what follows, we call a polynomial of the form $f_\zeta(x_1, x_2) := p^{-s} f(\zeta_1 + p x_1, \zeta_2 + p x_2)$, with $(\zeta_1, \zeta_2) \in \mathbb{F}_p^2$ a singular point of the zero set of $f$ in $\mathbb{F}_p^2$ and $s$ as large as possible with $f_\zeta$ still in $\mathbb{Z}[x_1, x_2]$, a perturbation of $f$. Our reduction to point counting over $\mathbb{F}_p$ will involve finding all isolated singular points of the zero set of $f$ (as well as its perturbations) in $\mathbb{F}_p^2$, in order to categorize the base-$p$ digits of the coordinates of the roots of $f$ in $(\mathbb{Z}/\langle p^k \rangle)^2$. This yields a geometrically defined recurrence for $N_{p,k}(f)$ that is conveniently encoded by a tree. We detail this construction in Sections 2.2 and 4.1 below.

Remark 1.2. A classical algebraic geometer may propose simply applying resolution of singularities, applying finite field point counting (with proper corrections at blown-up singular points), and then an application of Hensel's Lemma. We use a more direct approach that allows us to lift singular points individually and much more simply. In particular, it appears (from [PR11]) that resolution of singularities for a plane curve of degree $d$ over $\mathbb{F}_p$ has complexity polynomial in $d$ with a large exponent (neglecting multiples depending on $p$), while our algorithm (if looked at more closely) has better dependence on $d$. More to the point, replacing an input bivariate polynomial by a higher degree complete intersection (the latter being the output after doing resolution of singularities) results in a more complicated input when one needs to avail to prime field point counting, thus compounding the complexity even further. Furthermore, in higher dimensions, resolution of singularities becomes completely impractical [BGMWo11]. ⋄

Remark 1.3. We can extend Theorem 1.1 to more general curves. The key obstruction is whether $f$, or one of its perturbations, fails to be square-free (see the final section of the Appendix). We hope to extend our methods to arbitrary curves in the near future. For now, we simply point out that many commonly used curves in practice are variable separated, e.g., many hyperelliptic curves used in current cryptography are zero sets of polynomials of the form $x_2^2 - g(x_1)$. ⋄

2. Background
2.1. Some Basics on Point Counting Over Finite Fields.
One of the most fundamental results on point counting for curves over finite fields dates back to work of Hasse and Weil in the 1940s. In what follows, we use $|S|$ to denote the cardinality of a set $S$.

Theorem 2.1. [Wei49] Let $\mathbb{F}_q$ be a finite field of order $q = p^m$, and let $C$ be an absolutely irreducible smooth projective curve defined over $\mathbb{F}_q$. Let $g$ denote the genus of $C$ and $C(\mathbb{F}_q)$ the set of $\mathbb{F}_q$-points of $C$. Then
$$\Big|\, |C(\mathbb{F}_q)| - (q + 1) \,\Big| \le 2g\sqrt{q} .$$

The error bound above is optimal, and can be derived by proving a set of technical statements known as the Weil Conjectures (for curves). The Weil Conjectures (along with corresponding point counts) were formulated for arbitrary varieties over finite fields and, in one of the crowning achievements of 20th century mathematics, were ultimately proved by Deligne in 1974 [Del74].

Efficient methods for computing $N_{p,1}(f)$ (and the number of points for a curve over any finite field) began to appear with the work of Schoof [Sch85], via so-called $\ell$-adic methods. Let $g$ denote the genus of the curve $C$. (The precise definition of the genus need not concern us, so we will simply recall that it is a birational invariant of $C$, i.e., it is invariant under rational maps with rational inverse, and is at most $(d-1)(d-2)/2$ for $C$ the zero set of a degree $d$ bivariate polynomial.) Via later work (e.g., [Pil90, AH01]) it was determined that $N_{p,1}(f)$ can be computed in time $(\log p)^{g^{O(1)}}$ for arbitrary curves. Kedlaya's algorithm [Ked01] then lowered this complexity bound to $(g^{O(1)} p)^{1+o(1)}$ for hyperelliptic curves, e.g., curves with defining polynomials of the form $x_2^2 - g(x_1)$. Kedlaya observed later that, on a quantum computer, one could compute (finite field) zeta functions for non-singular curves in time $(d \log p)^{O(1)}$ [Ked06]. (The precise definition of these zeta functions need not concern us here: Suffice it to say that the computation of the zeta function of a curve over a finite field includes the computation of $N_{p,1}(f)$ as a special case.) More recently, Harvey [Har15] gave an efficient (classical) deterministic algorithm which, although asymptotically slower than Kedlaya's quantum algorithm, allows arbitrary input polynomials.

2.2. The Central Recurrence for Bivariate Point Counting.
In this section, we generalize the tools we used for root counting for univariate polynomials in [KRRZ19] to point counting for curves. It is not hard to see that these tools extend naturally to point counting for hypersurfaces of arbitrary dimension. The only subtlety is maintaining low computational complexity and keeping track of the underlying singular locus.

Let $x := (x_1, x_2)$ denote the tuple of two variables, and let $f(x) \in \mathbb{Z}[x]$ be a bivariate polynomial with integer coefficients of total degree $d \ge 1$. Then for any $\zeta := (\zeta_1, \zeta_2) \in \mathbb{Z}^2$, the Taylor expansion of $f$ at $\zeta$ is
$$f(x) = \sum_{j_1, j_2} \frac{D^{j_1, j_2} f(\zeta)}{j_1!\, j_2!}\, (x_1 - \zeta_1)^{j_1} (x_2 - \zeta_2)^{j_2},$$
where $j_1, j_2$ are non-negative integers and $D^{j_1, j_2} f(x) := \dfrac{\partial^{j_1 + j_2}}{\partial x_1^{j_1} \partial x_2^{j_2}} f(x)$.

Let $\tilde f(x) := (f(x) \bmod p)$ denote the mod $p$ reduction of $f$. Now let $\zeta = (0, 0)$ and write $\tilde f = g_m + g_{m+1} + \cdots + g_n$ where $g_i$ is a (homogeneous) form in $\mathbb{F}_p[x]$ of degree $i$ and $g_m \ne 0$. We then define $m$ to be the multiplicity of $\tilde f$ at $\zeta = (0, 0)$, written $m = m_\zeta(\tilde f)$. To extend this definition to a point $\zeta = (a, b) \ne (0, 0)$, let $T$ be the translation that takes $(0, 0)$ to $\zeta$, i.e. $T(x_1, x_2) = (x_1 + a, x_2 + b)$. Then $\tilde f^T := \tilde f(x_1 + a, x_2 + b)$ and we define $m_\zeta(\tilde f) := m_{(0,0)}(\tilde f^T)$. Then it is immediate from the definition that:

Lemma 2.2. If $\tilde f = \prod_r \tilde f_r^{\,e_r} \in \mathbb{F}_p[x]$ is a factorization of $\tilde f$ into irreducible polynomials over $\mathbb{F}_p$ then $m_\zeta(\tilde f) = \sum_r e_r\, m_\zeta(\tilde f_r)$.

We say $\zeta$ is a smooth point of $\tilde f$ if $m_\zeta(\tilde f) = 1$, and call it a singular point otherwise. In particular, by Lemma 2.2, a point $\zeta$ is a smooth point of $\tilde f$ if and only if $\zeta$ belongs to just one irreducible component $\tilde f_r$ of $\tilde f$, the corresponding exponent $e_r = 1$, and $\zeta$ is a smooth point of $\tilde f_r$.

Now we are ready to generalize the tools in [KRRZ19] for curves:

Definition 2.3. Let $f(x) \in \mathbb{Z}[x]$ and fix a prime $p$. Let $\mathrm{ord}_p : \mathbb{Z} \to \mathbb{N} \cup \{\infty\}$ denote the usual $p$-adic valuation with $\mathrm{ord}_p(p) = 1$. We then define
$$s(f, \varepsilon) := \min_{j_1, j_2 \ge 0} \left\{ j_1 + j_2 + \mathrm{ord}_p \frac{D^{j_1, j_2} f(\varepsilon)}{j_1!\, j_2!} \right\}$$
for any $\varepsilon \in \{0, \ldots, p-1\}^2$. Finally, fixing $k \in \mathbb{N}$, let us inductively define a set $T_{p,k}(f)$ of pairs $(f_{i,\zeta}, k_{i,\zeta}) \in \mathbb{Z}[x] \times \mathbb{N}$ as follows: We set $(f_{0,0}, k_{0,0}) := (f, k)$. Then, for any $i \ge 1$ with $(f_{i-1,\mu}, k_{i-1,\mu}) \in T_{p,k}(f)$ and any singular point $\zeta_{i-1} \in (\mathbb{Z}/p\mathbb{Z})^2$ of $\tilde f_{i-1,\mu}$ with $s_{i-1} := s(f_{i-1,\mu}, \zeta_{i-1}) \in \{2, \ldots, k_{i-1,\mu} - 1\}$, we define $\zeta := \mu + p^{i-1} \zeta_{i-1}$, $k_{i,\zeta} := k_{i-1,\mu} - s_{i-1}$ and
$$f_{i,\zeta}(x) := \Big[ p^{-s_{i-1}} f_{i-1,\mu}(\zeta_{i-1} + p x) \Big] \bmod p^{k_{i,\zeta}} .$$

Just as in the univariate case, the perturbations $f_{i,\zeta}$ of $f$ will help us keep track of how the points of $f$ in $(\mathbb{Z}/p^k\mathbb{Z})^2$ cluster, in a $p$-adic metric sense, about the points of $\tilde f$. It is clear that $\frac{D^{j_1, j_2} f(\varepsilon)}{j_1!\, j_2!}$ is always an integer, as it is the coefficient of $x_1^{j_1} x_2^{j_2}$ in the Taylor expansion of $f(x + \varepsilon)$ about $x = (0, 0)$; consequently $s(f, \varepsilon)$ is simply the largest power of $p$ dividing every coefficient of $f(\varepsilon + p x)$, which is how it is computed in practice. Note also that $T_{p,k}(f)$ is associated with a natural tree structure. Moreover, $T_{p,k}(f)$ is always a finite set by definition, as only $f_{i,\zeta}$ with $i \le \lfloor (k-1)/2 \rfloor$ and $\zeta \in (\mathbb{Z}/p^i\mathbb{Z})^2$ are possible.
Lemma 2.4. Following the notation above, let $n_p(f)$ denote the number of smooth points of $\tilde f$ in $(\mathbb{Z}/p\mathbb{Z})^2$. Then provided $k \ge 2$ and $\tilde f$ is not identically zero, we have
$$N_{p,k}(f) = p^{k-1}\, n_p(f) \;+\; \sum_{\substack{\zeta \in (\mathbb{Z}/p\mathbb{Z})^2 \\ s(f,\zeta) \ge k}} p^{2(k-1)} \;+\; \sum_{\substack{\zeta \in (\mathbb{Z}/p\mathbb{Z})^2 \\ s(f,\zeta) \in \{2, \ldots, k-1\}}} p^{2(s(f,\zeta) - 1)}\, N_{p,\, k - s(f,\zeta)}(f_{1,\zeta}) .$$
(Only singular points of $\tilde f$ enter the two sums: a smooth point has $s(f,\zeta) = 1$, and a point off $\tilde f$ has $s(f,\zeta) = 0$.) We will prove Lemma 2.4 in the next section, where it will be clear how Lemma 2.4 applies recursively. Then we show how Lemma 2.4 leads to our recursive algorithm for computing $N_{p,k}(f)$.

3. Generalized Hensel Lifting and the Proof of our Main Recurrence
Let us first prove the following alternative definition for multiplicity of a point on thecurve. We will mainly use this definition for the rest of the discussion.
Lemma 3.1. For any $\zeta \in \mathbb{F}_p^2$, $m := m_\zeta(\tilde f)$ is the smallest nonnegative integer such that there exist $j_1, j_2 \ge 0$ with $j_1 + j_2 = m$ and $\dfrac{D^{j_1, j_2} f(\zeta)}{j_1!\, j_2!} \not\equiv 0 \bmod p$. (Here, and in what follows, it is the Hasse derivative $D^{j_1,j_2} f / (j_1!\, j_2!)$, an integer by the remark after Definition 2.3, that is reduced mod $p$; the plain derivative $D^{j_1,j_2} f$ vanishes mod $p$ as soon as $j_1 \ge p$ or $j_2 \ge p$, so it would not detect multiplicities of size at least $p$.)

Proof. Fix $\zeta \in \mathbb{F}_p^2$, and let $T$ be the translation that takes $(0, 0)$ to $\zeta$. Then for any $j_1, j_2 \ge 0$, $D^{j_1, j_2} \tilde f^T(0, 0) = D^{j_1, j_2} \tilde f(\zeta)$, and likewise for the Hasse derivatives. So it suffices to prove the statement for the case $\zeta = (0, 0)$. Write $\tilde f = g_m + g_{m+1} + \cdots + g_n$, where $g_i$ is a homogeneous form in $\mathbb{F}_p[x]$ of degree $i$ and $g_m \ne 0$. Then $\tilde f$ must have a nonzero monomial term $a_r x_1^r x_2^{m-r}$, for some integer $r \le m$ and $a_r \in \mathbb{F}_p^\times$. For any monomial $x_1^{t_1} x_2^{t_2}$ we have
$$\frac{D^{j_1, j_2}\big( x_1^{t_1} x_2^{t_2} \big)}{j_1!\, j_2!} = \binom{t_1}{j_1} \binom{t_2}{j_2}\, x_1^{t_1 - j_1} x_2^{t_2 - j_2},$$
which vanishes at $(0, 0)$ unless $(t_1, t_2) = (j_1, j_2)$. Every monomial $x_1^{t_1} x_2^{t_2}$ of $\tilde f$ has $t_1 + t_2 \ge m$, so for any pair of nonnegative integers $j_1, j_2$ with $j_1 + j_2 < m$, no monomial of $\tilde f$ has exponent vector $(j_1, j_2)$ and hence $\frac{D^{j_1, j_2} \tilde f(0, 0)}{j_1!\, j_2!} = 0$. Now take $j_1 = r$ and $j_2 = m - r$: the only monomial of $\tilde f$ with exponent vector $(r, m - r)$ is $a_r x_1^r x_2^{m-r}$, so
$$\frac{D^{j_1, j_2} \tilde f(0, 0)}{j_1!\, j_2!} = a_r \ne 0 \bmod p .$$
Conversely, if $m$ is the smallest nonnegative integer such that there exist $j_1, j_2 \ge 0$ with $j_1 + j_2 = m$ and $\frac{D^{j_1, j_2} f(0, 0)}{j_1!\, j_2!} \not\equiv 0 \bmod p$, then $a_j x_1^{j_1} x_2^{j_2}$ is a nonzero monomial term of $\tilde f$ of smallest total degree. So $m = m_{(0,0)}(\tilde f)$. □

The classical Hensel's Lemma (see, e.g., [NZM91, Thm. 2.3, Pg. 87]) says that any non-degenerate root of a univariate polynomial in $\mathbb{Z}/p\mathbb{Z}$ lifts uniquely into any larger prime power ring $\mathbb{Z}/p^k\mathbb{Z}$. One expects similar nice behavior from a smooth point on a curve over $\mathbb{Z}/p\mathbb{Z}$. We prove the following analogue of Hensel's Lemma for curves in the Appendix:

Lemma 3.2. Let $f(x) \in \mathbb{Z}[x]$. If $f(\sigma) \equiv 0 \bmod p^j$ for $j \ge 1$, and $\zeta^{(0)} \equiv \sigma \bmod p$ is a smooth point on $\tilde f$, then there are exactly $p$ many $t \in (\mathbb{Z}/p\mathbb{Z})^2$ such that $f(\sigma + p^j t) \equiv 0 \bmod p^{j+1}$.

For $k > j \ge 1$ and $\sigma^{(j)} \in (\mathbb{Z}/p^j\mathbb{Z})^2$ such that $f(\sigma^{(j)}) \equiv 0 \bmod p^j$, we call $\sigma^{(k)} \in (\mathbb{Z}/p^k\mathbb{Z})^2$ a lift of $\sigma^{(j)}$ if $f(\sigma^{(k)}) \equiv 0 \bmod p^k$ and $\sigma^{(k)} \equiv \sigma^{(j)} \bmod p^j$. Then by applying Lemma 3.2 inductively, we obtain:
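Where the $p$ lifts of Lemma 3.2 come from, as an added worked derivation (this is the editor's illustration, not the paper's Appendix proof; it uses only the Taylor expansion of Section 2.2 and Lemma 3.1): expand $f$ at $\sigma$ and substitute $x = \sigma + p^j t$ with $t \in \mathbb{Z}^2$. A term of total order $j_1 + j_2 = n \ge 2$ carries the factor $p^{jn}$, and $jn \ge 2j \ge j + 1$ for $j \ge 1$, so all such terms vanish mod $p^{j+1}$ and
$$f(\sigma + p^j t) \equiv f(\sigma) + p^j \left( \frac{\partial f}{\partial x_1}(\sigma)\, t_1 + \frac{\partial f}{\partial x_2}(\sigma)\, t_2 \right) \pmod{p^{j+1}} .$$
Write $f(\sigma) = p^j c$ with $c \in \mathbb{Z}$, which is possible by hypothesis. Dividing by $p^j$, the condition $f(\sigma + p^j t) \equiv 0 \bmod p^{j+1}$ is the single linear equation over $\mathbb{F}_p$
$$\frac{\partial f}{\partial x_1}(\zeta^{(0)})\, t_1 + \frac{\partial f}{\partial x_2}(\zeta^{(0)})\, t_2 \equiv -c \pmod p ,$$
where the partial derivatives may be evaluated at $\zeta^{(0)} \equiv \sigma \bmod p$ because only their residues mod $p$ matter. Smoothness of $\zeta^{(0)}$ means $m_{\zeta^{(0)}}(\tilde f) = 1$, i.e. by Lemma 3.1 (with $m = 1$) the two coefficients are not both $0$ mod $p$. A linear equation in two unknowns over $\mathbb{F}_p$ with a nonzero coefficient vector has exactly $p$ solutions $t \in (\mathbb{Z}/p\mathbb{Z})^2$ (an affine line), which is the count claimed. Iterating from $j = 1$ up to $j = k - 1$ multiplies the number of lifts by $p$ at each step and yields the $p^{k-1}$ lifts of a smooth point of $\tilde f$ used in Proposition 3.3 and in the first summand of Lemma 2.4.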
Proposition 3.3. Let $f(x) \in \mathbb{Z}[x]$, and $k > j \ge 1$. If $f(\sigma^{(j)}) \equiv 0 \bmod p^j$, and $(\sigma^{(j)} \bmod p)$ is a smooth point of $\tilde f$, then $\sigma^{(j)}$ lifts to exactly $p^{k-j}$ many roots of $(f \bmod p^k)$.

Lemma 3.4. Following the notation above, suppose instead $\zeta^{(0)} \in (\mathbb{Z}/p\mathbb{Z})^2$ is a point on $\tilde f$ of (finite) multiplicity $m \ge 2$. Suppose also that $k \ge 2$ and that there is a $\sigma^{(k)} \in (\mathbb{Z}/p^k\mathbb{Z})^2$ with $\sigma^{(k)} \equiv \zeta^{(0)} \bmod p$ and $f(\sigma^{(k)}) = 0 \bmod p^k$. Then $s(f, \zeta^{(0)}) \in \{2, \ldots, m\}$.

Proof. As $\zeta^{(0)}$ is a singular point on $\tilde f$, $\dfrac{\partial f}{\partial x_i}(\zeta^{(0)}) = 0 \bmod p$ for $i = 1, 2$. Then for $\sigma^{(k)} = \zeta^{(0)} + p\tau \in (\mathbb{Z}/p^k\mathbb{Z})^2$ with $\tau := (\tau_1, \tau_2) \in (\mathbb{Z}/p^{k-1}\mathbb{Z})^2$,
$$f(\sigma^{(k)}) = f(\zeta^{(0)}) + p \left( \frac{\partial f}{\partial x_1}(\zeta^{(0)})\, \tau_1 + \frac{\partial f}{\partial x_2}(\zeta^{(0)})\, \tau_2 \right) + \sum_{i_1 + i_2 \ge 2} p^{i_1 + i_2}\, \frac{D^{i_1, i_2} f(\zeta^{(0)})}{i_1!\, i_2!}\, \tau_1^{i_1} \tau_2^{i_2} . \qquad (1)$$
For (1) to have solutions mod $p^k$, we need $f(\zeta^{(0)}) \equiv 0 \bmod p^2$, as the second and the third summands in equation (1) have $p$-adic order at least $2$. Hence every term in the minimum defining $s(f, \zeta^{(0)})$ is at least $2$, so $s(f, \zeta^{(0)}) \ge 2$. As $\zeta^{(0)}$ is a singular point of multiplicity $m$ on $\tilde f$, by Lemma 3.1 there is an $m$-th Hasse derivative with $\frac{D^{j_1, j_2} f(\zeta^{(0)})}{j_1!\, j_2!} \ne 0 \bmod p$ and $j_1 + j_2 = m$. So
$$s(f, \zeta^{(0)}) \le j_1 + j_2 + \mathrm{ord}_p \frac{D^{j_1, j_2} f(\zeta^{(0)})}{j_1!\, j_2!} = m . \quad □$$

We can now relate $N_{p,k}(f)$ to the recursive structure on $T_{p,k}(f)$.

Proof of Lemma 2.4:
The lifting of smooth points of $\tilde f$ follows from Proposition 3.3 with $j = 1$: each of the $n_p(f)$ smooth points has exactly $p^{k-1}$ lifts, which gives the first summand. Now assume that $\zeta_0 \in (\mathbb{Z}/p\mathbb{Z})^2$ is a singular point of $\tilde f$. Write $\zeta := \zeta_0 + p\sigma$ for $\sigma := \zeta_1 + p\zeta_2 + \cdots + p^{k-2} \zeta_{k-1} \in (\mathbb{Z}/p^{k-1}\mathbb{Z})^2$ (each base-$p$ digit $\zeta_i$ lying in $\{0, \ldots, p-1\}^2$), and let $s := s(f, \zeta_0)$. Note that $s \ge 1$, and that by the definition of $s$ we have $f(\zeta) = p^s f_{1,\zeta_0}(\sigma)$ for $f_{1,\zeta_0} \in \mathbb{Z}[x]$ not vanishing identically mod $p$.

If $s \ge k$, then $f(\zeta) = 0 \bmod p^k$ regardless of the choice of $\sigma$. So there are exactly $p^{2(k-1)}$ values of $\zeta \in (\mathbb{Z}/p^k\mathbb{Z})^2$ such that $\zeta \equiv \zeta_0 \bmod p$ and $f(\zeta) = 0 \bmod p^k$. This accounts for the second summand.

If $s \le k - 1$, then $\zeta$ is a root of $f$ if and only if $f_{1,\zeta_0}(\sigma) \equiv 0 \bmod p^{k-s}$. But this congruence only involves $\sigma \bmod p^{k-s} = \zeta_1 + p\zeta_2 + \cdots + p^{k-s-1} \zeta_{k-s}$, i.e., the remaining base-$p$ digits $\zeta_{k-s+1}, \ldots, \zeta_{k-1}$ do not appear in it. So the number of possible lifts $\zeta$ of $\zeta_0$ is exactly $p^{2(s-1)}$ times the number of roots $(\zeta_1 + p\zeta_2 + \cdots + p^{k-s-1} \zeta_{k-s}) \in (\mathbb{Z}/p^{k-s}\mathbb{Z})^2$ of $f_{1,\zeta_0}$. This accounts for the third summand in our formula. (When $s = 1$, the mod $p$ reduction of $f_{1,\zeta_0}$ is a nonzero constant, so $N_{p,k-1}(f_{1,\zeta_0}) = 0$ and the term vanishes; this is why the third sum can be restricted to $s \ge 2$, in agreement with Lemma 3.4.) □

Remark 3.5.
The algebraic preliminaries we concluded in this section and Definition 2.3 can be extended transparently to point counting for hypersurfaces of arbitrary dimension. ⋄

4. Bounding Sums of Multiplicities on Curves with at Worst Isolated Singularities
Suppose $F \in \mathbb{F}_p[x]$ is a nonconstant polynomial of total degree $D$. Then $F$ factors into a product of irreducible components $F = \prod_{i=1}^{l} F_i^{e_i} \in \mathbb{F}_p[x]$ where each $F_i \in \mathbb{F}_p[x]$ is irreducible, and $e_i \ge 1$. We say $F$ is squarefree if $e_i = 1$ for every $i$. Suppose $G = \prod_{j=1}^{m} G_j^{c_j} \in \mathbb{F}_p[x]$ with $G_j \in \mathbb{F}_p[x]$ irreducible and $c_j \ge 1$. We say $F$ and $G$ have no common component if $F_i \ne G_j$ (up to a nonzero constant factor) for every pair $i, j$.

Lemma 4.1. (Corollary of Bézout's Theorem) Let $F, G \in \mathbb{F}_p[x]$ be two curves with no common components. Then $\sum_\zeta m_\zeta(F)\, m_\zeta(G) \le \deg(F) \deg(G)$.

Now let $F' = \prod_{i=1}^{l} F_i \in \mathbb{F}_p[x]$ be the square-free part of $F$. We say a singular point $\zeta$ on $F$ is an isolated singular point if $\zeta$ is also singular on $F'$, and call it a non-isolated singular point otherwise.

Lemma 4.2. Let $F \in \mathbb{F}_p[x]$ be a curve with degree $d$, and let $F'$ denote the square-free part of $F$. Then
$$\sum_\zeta m_\zeta(F') \big( m_\zeta(F') - 1 \big) \le d(d-1) .$$
In particular, $F$ has at most $\binom{d}{2}$ many isolated singular points.

Proof. As $F'$ is squarefree, $F'$ and $D^{1,0} F'(x)$ have no common component. (This step needs that no component $F_i$ of $F'$ has $D^{1,0} F_i = 0$; if one does, first apply a linear change of coordinates, over an extension field if necessary, which changes neither degrees nor multiplicities.) It is also easy to deduce from Lemma 3.1 that for any $\zeta \in \mathbb{F}_p^2$, $m_\zeta(D^{1,0} F') \ge m_\zeta(F') - 1$. The conclusion thus follows by applying Lemma 4.1 with $\deg D^{1,0} F' \le d - 1$, together with the fact that $m_\zeta(F') \ge 2$ at every isolated singular point of $F$, so each such point contributes at least $2$ to the left hand side. □

Suppose $F = \prod_{i=1}^{l} F_i^{e_i} \in \mathbb{F}_p[x]$ is a nonconstant polynomial. For each $i$, let $d_i := \deg(F_i)$ and let $d := \sum_i d_i e_i$ be the total degree of $F$. Let $I \subseteq \{1, \ldots, l\}$ be a nonempty subset of indices, let $S_I$ denote the set of points in the intersection $\bigcap_{i \in I} F_i$, and let $T_I = \{ \zeta \in S_I : \zeta \text{ is smooth on } F_i \text{ for all } i \in I \}$. We then prove the following more general statement of Lemma 4.2 in the Appendix:

Lemma 4.3. Using the notation above we have:
$$\sum_{\substack{\zeta \in S_I \\ I \ne \emptyset}} m_\zeta(F) \Big( m_\zeta(F) - \sum_{i \in I} e_i \Big) \;+\; \sum_{\substack{\zeta \in T_I \\ |I| \ge 2}} m_\zeta(F) \;\le\; d(d-1) . \qquad (2)$$

Observe that if $\zeta \in S_I$ and $\zeta$ is an isolated singular point on $F$, then either $\zeta \in T_I$ or $m_\zeta(F) > \sum_{i \in I} \mu_\zeta(F_i)$, and $m_\zeta(F) = \sum_{i \in I} \mu_\zeta(F_i)$ if it is non-isolated. So only the part corresponding to the isolated singular points contributes to the sum on the left hand side of Equation (2). So we obtain the following:

Theorem 4.4. Let $f(x) \in \mathbb{Z}[x]$ be a nonconstant polynomial of degree $d$. Fix a prime $p$ and suppose that $\tilde f$ does not vanish identically over $\mathbb{Z}/p\mathbb{Z}$. Then
$$\sum_{\zeta \text{ isolated singular on } \tilde f} \deg \tilde f_{1,\zeta} \;\le\; d(d-1) .$$
Proof. This is immediate by observing that $\deg \tilde f_{1,\zeta} \le s(f, \zeta) \le m_\zeta(\tilde f)$ (the first inequality because the coefficient of $x_1^{j_1} x_2^{j_2}$ in $f(\zeta + px)$ is divisible by $p^{j_1 + j_2}$, so only terms of total degree at most $s(f,\zeta)$ survive mod $p$ after dividing by $p^{s(f,\zeta)}$; the second by Lemma 3.4) and then applying Lemma 4.3. □

However, bounding the degree of the perturbations $\tilde f_{1,\zeta}$ corresponding to non-isolated singular points of $\tilde f$ can be hard. This is evident in the discussion in the final section of the Appendix: lifting non-isolated singular points for certain families of curves requires extra care.

4.1. Algorithms and Complexity Analysis: Proof of Theorem 1.1.
For this section, let us consider bivariate polynomials $f(x) \in \mathbb{Z}[x]$ of the form $f(x) = g(x_1) + h(x_2)$. One broad family of examples of such bivariate polynomials is the family of superelliptic curves: $f(x) = x_2^d - g(x_1)$.

Lemma 4.5. Let $F(x_1, x_2) = g(x_1) + h(x_2) \in \mathbb{F}_p[x]$ such that $g, h$ are nonconstant polynomials, at least one of which has nonzero derivative in $\mathbb{F}_p[x_i]$ (this holds, e.g., whenever $\deg g < p$ or $\deg h < p$). Then $F$ is squarefree.

Proof. Suppose $F$ is not squarefree and let $F = \prod_{i=1}^{l} F_i^{e_i} \in \mathbb{F}_p[x]$ be the irreducible factorization of $F$, with $e_i \ge 1$. Without loss of generality (swapping the roles of $x_1$ and $x_2$ if necessary) assume $e_1 > 1$ and $g'(x_1) = D^{1,0} F \ne 0$. Let $G = F / F_1^{e_1} = \prod_{i=2}^{l} F_i^{e_i}$. Differentiating $F$ with respect to $x_1$, we have
$$g'(x_1) = e_1 F_1^{e_1 - 1}\, D^{1,0} F_1 \cdot G + F_1^{e_1}\, D^{1,0} G = F_1^{e_1 - 1} \big( e_1\, D^{1,0} F_1 \cdot G + F_1 \cdot D^{1,0} G \big) .$$
So $F_1(x_1, x_2)$ must divide the nonzero polynomial $g'(x_1)$, hence $F_1$ depends on $x_1$ alone; but then $F_1 \mid g(x_1) + h(x_2)$ forces $h(x_2)$ to be a constant, a contradiction. □

The hypothesis on the derivatives cannot be dropped: $x_1^p + x_2^p = (x_1 + x_2)^p$ in $\mathbb{F}_p[x]$ is variable separated with $g, h$ nonconstant, yet it is a $p$-th power. In characteristic $p$, $g' = 0$ exactly when $g$ is a polynomial in $x_1^p$.
Algorithm 4.6 (PrimePowerPointCounting($f, p, k$)).
Input. $(f, p, k) \in \mathbb{Z}[x] \times \mathbb{N} \times \mathbb{N}$ with $p$ prime and $f(x) = g(x_1) + h(x_2)$.
Output. An integer $M \le N_{p,k}(f)$ that, with probability bounded below by a fixed positive constant, is exactly $N_{p,k}(f)$.
Description.
1: Let $v := s(f)$ and $f_{0,0} := f$.
2: If $v \ge k$ then
3: Let $M := p^{2k}$. Return $M$.
4: If $v \in \{1, \ldots, k-1\}$ then
5: Let $M := p^{2v} \cdot \mathrm{PrimePowerPointCounting}\big( f_{0,0}(x)/p^v,\ p,\ k - v \big)$. Return $M$.
6: End(If).
7: If $s(g) = s(h) = 0$ then
8: Let $M := p^{k-1}\, n_p(f)$.
9: For $\zeta^{(0)} \in (\mathbb{Z}/p\mathbb{Z})^2$ a singular point of $\tilde f$, do
10: Let $s := s(f_{0,0}, \zeta^{(0)})$.
11: If $s \ge k$ then
12: Let $M := M + p^{2(k-1)}$.
13: Elseif $s \in \{2, \ldots, k-1\}$ then
14: Let $M := M + p^{2(s-1)} \cdot \mathrm{PrimePowerPointCounting}\big( f_{1,\zeta^{(0)}},\ p,\ k - s \big)$.
15: End(If).
16: End(For).
17: Elseif $s(g) > s(h) = 0$ or $s(h) > s(g) = 0$ then
18: Let $M := p^{k}\, n_p(g)$ if $s(h) > 0$, or $M := p^{k}\, n_p(h)$ if $s(g) > 0$.
19: For $\zeta^{(0)} \subseteq (\mathbb{Z}/p\mathbb{Z})^2$ a set of singular points of $\tilde f$ coming from a degenerate root of $\tilde g$ or $\tilde h$, do
20: Let $s := s(f_{0,0}, \zeta^{(0)})$.
21: If $s \ge k$ then Let $M := M + p^{2k-1}$.
22: Elseif $s \in \{1, \ldots, k-1\}$ then
23: Let $M := M + p^{2s-1} \cdot \mathrm{PrimePowerPointCounting}\big( f_{1,\zeta^{(0)}},\ p,\ k - s \big)$.
24: End(If).
25: End(For).
26: End(If).
27: Return $M$.

There are some remaining details to clarify about our algorithm. First, let $s(f)$ denote the largest power of $p$ that divides all the coefficients of $f$ (for a singular point $\zeta$, $s(f, \zeta)$ of Definition 2.3 is then $s$ applied to $f(\zeta + px)$). By Definition 2.3, any polynomial in $T_{p,k}(f)$ is also of the form $g(x_1) + h(x_2)$ with $s(g) = 0$ or $s(h) = 0$. By Lemma 4.5 (whose hypotheses hold, e.g., whenever $\deg g < p$ or $\deg h < p$), when $s(g) = s(h) = 0$ the reduction $\tilde f$ is squarefree. Now without loss of generality, suppose $0 = s(g) < s(h) = c$; then $\tilde f(x) = \tilde g(x_1) \bmod p$. Then any singular point on $\tilde f$ is of the form $(\zeta_1^{(0)}, y)$ for a degenerate root $\zeta_1^{(0)}$ of the univariate polynomial $\tilde g(x_1) \in \mathbb{F}_p[x_1]$ and any choice of $y \in \{0, 1, \ldots, p-1\}$. So it makes sense to consider the perturbation of $f$ in the direction of $x_1$ only.
Let $\zeta_1^{(0)}$ be any degenerate root of $\tilde g$. Abusing notation, let $\zeta^{(0)} := \{ \zeta_1^{(0)} \} \times \mathbb{F}_p = \{ (\zeta_1^{(0)}, y) : y \in \{0, 1, \ldots, p-1\} \}$, the set of singular points of $\tilde f$ with first coordinate $\zeta_1^{(0)}$. Consider $f(\zeta_1^{(0)} + px_1, x_2) = g(\zeta_1^{(0)} + px_1) + h(x_2)$. Let
$$s(f, \zeta^{(0)}) := s\big( f(\zeta_1^{(0)} + px_1, x_2) \big) = \min\big( s(g, \zeta_1^{(0)}),\ c \big),$$
the largest power of $p$ dividing all the coefficients of the perturbation, and let $f_{1,\zeta^{(0)}} := p^{-s(f, \zeta^{(0)})} f(\zeta_1^{(0)} + px_1, x_2)$. We prove the following more specific version of Lemma 2.4 in the Appendix:

Lemma 4.7. Let $f(x) = g(x_1) + h(x_2)$ with $0 = s(g) < s(h) = c$. Let $n_p(g)$ denote the number of non-degenerate roots of $\tilde g$ in $\mathbb{F}_p$, and, following the notation above, let $\zeta^{(0)}$ range over the sets $\{ \zeta_1^{(0)} \} \times \mathbb{F}_p$ with $\zeta_1^{(0)}$ a degenerate root of $\tilde g$. Then
$$N_{p,k}(f) = p^{k}\, n_p(g) \;+\; \sum_{\substack{\zeta^{(0)} \subseteq (\mathbb{Z}/p\mathbb{Z})^2 \\ s(f,\zeta^{(0)}) \ge k}} p^{2k-1} \;+\; \sum_{\substack{\zeta^{(0)} \subseteq (\mathbb{Z}/p\mathbb{Z})^2 \\ s(f,\zeta^{(0)}) \le k-1}} p^{2 s(f,\zeta^{(0)}) - 1}\, N_{p,\, k - s(f,\zeta^{(0)})}\big( f_{1,\zeta^{(0)}} \big) .$$
By symmetry, a variant of our preceding lemma also holds when $0 = s(h) < s(g) = c$. Similarly, for any degenerate root $\zeta_2^{(0)}$ of the univariate polynomial $\tilde h(x_2) \in \mathbb{F}_p[x_2]$, we denote by $\zeta^{(0)} := \mathbb{F}_p \times \{ \zeta_2^{(0)} \}$ the set of singular points of $\tilde f$ with second coordinate $\zeta_2^{(0)}$.

Notation 4.8. Suppose $\zeta^{(i-1)} = \{ \zeta_1^{(i-1)} \} \times \mathbb{F}_p$ is the set of singular points on $\tilde f_{i-1,\zeta}$ for some polynomial in $T_{p,k}(f)$ and $\zeta = (\zeta_1, \zeta_2)$. We write
$$\zeta + p^{i-1} \zeta^{(i-1)} = \Big\{ (x_1, x_2) : x_1 = \zeta_1 + p^{i-1} \zeta_1^{(i-1)},\ x_2 \in \{ \zeta_2 + p^{i-1} \cdot 0,\ \ldots,\ \zeta_2 + p^{i-1} \cdot (p-1) \} \Big\}$$
for the element-wise operations on sets. We also use this notation similarly when $\zeta^{(i-1)} = \mathbb{F}_p \times \{ \zeta_2^{(i-1)} \}$. We are now ready to prove the correctness of our main algorithm.
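Algorithm 4.6 and the two recurrences it relies on (Lemma 2.4 for the branch $s(g) = s(h) = 0$, Lemma 4.7 for the branch where exactly one of $s(g), s(h)$ vanishes), written out as an added Python example; this is the editor's illustration, not the authors' implementation. It finds $n_p(f)$ and the singular points by exhaustive search over $\mathbb{F}_p^2$ instead of calling Harvey's algorithm and univariate reduction, so it is meant for small $p$ only; the valuations $s(\cdot)$ and the perturbations $f_{1,\zeta}$ are computed exactly as in Definition 2.3, via the Taylor shift $g(\zeta_1 + px_1)$, $h(\zeta_2 + px_2)$, which for a variable separated polynomial keeps the form $G(x_1) + H(x_2)$. Polynomials are coefficient lists (index = degree); the constant term of $f$ is carried by $g$ so that $s(h)$ is taken over the non-constant coefficients of $h$, a convention of this example. `count_sep_bruteforce` is the check over all of $(\mathbb{Z}/p^k\mathbb{Z})^2$.

```python
# Added example (editor's illustration, not code from the paper): Algorithm 4.6
# for f = g(x1) + h(x2).  Univariate polynomials are coefficient lists; the
# constant term of f lives in g (a convention of this example).  n_p(f) and the
# singular points are found by exhaustive search over F_p^2, so keep p small.
from math import comb

INF = float("inf")


def ord_p(n, p):
    """p-adic valuation of an integer, with ord_p(0) = infinity."""
    if n == 0:
        return INF
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v


def s_of(coeffs, p):
    """s(.) of Section 4.1: the largest power of p dividing every coefficient."""
    return min((ord_p(c, p) for c in coeffs), default=INF)


def shift(g, z, p):
    """Coefficients of g(z + p*x).  Coefficient j equals p^j * D^j g(z) / j!,
    so s_of(shift(g, z, p), p) is s(g, z) in the sense of Definition 2.3."""
    out = [0] * len(g)
    for a, c in enumerate(g):
        for j in range(a + 1):
            out[j] += c * comb(a, j) * z ** (a - j) * p ** j
    return out


def ev(g, x, m):
    """g(x) mod m."""
    return sum(c * pow(x, a, m) for a, c in enumerate(g)) % m


def deriv(g):
    return [a * c for a, c in enumerate(g)][1:] or [0]


def count_sep(g, h, p, k):
    """N_{p,k}(g(x1) + h(x2)): roots in (Z/p^k Z)^2, following Algorithm 4.6."""
    g, h = list(g), list(h)
    g[0] += h[0]                      # fold the constant term into g
    h[0] = 0
    v = s_of(g + h[1:], p)            # steps 1-6: f = p^v * (f / p^v)
    if v >= k:
        return p ** (2 * k)           # every point of (Z/p^k Z)^2 is a root
    if v >= 1:
        return p ** (2 * v) * count_sep([c // p**v for c in g],
                                        [c // p**v for c in h], p, k - v)
    sg, sh = s_of(g[1:], p), s_of(h[1:], p)
    if sg > 0 and sh > 0:             # f is a nonzero constant mod p
        return 0
    if sg > 0:                        # f~ depends on x2 only: swap the roles
        return count_sep([g[0]] + h[1:], [0] + g[1:], p, k)
    total = 0
    if sh == 0:                       # steps 7-16, Lemma 2.4
        dg, dh = deriv(g), deriv(h)
        for z1 in range(p):
            for z2 in range(p):
                if (ev(g, z1, p) + ev(h, z2, p)) % p:
                    continue          # not a point of f~
                if ev(dg, z1, p) or ev(dh, z2, p):
                    total += p ** (k - 1)      # smooth point: Proposition 3.3
                    continue
                G, H = shift(g, z1, p), shift(h, z2, p)   # f(zeta + p x)
                G[0] += H[0]
                H[0] = 0
                s = s_of(G + H[1:], p)                    # s(f, zeta)
                if s >= k:
                    total += p ** (2 * (k - 1))
                else:                 # recurse on f_{1,zeta} = p^-s f(zeta + p x)
                    total += p ** (2 * (s - 1)) * count_sep(
                        [c // p**s for c in G], [c // p**s for c in H], p, k - s)
        return total
    # steps 17-26, Lemma 4.7: f~ = g~(x1), so the x2 coordinate is free
    dg = deriv(g)
    for z in range(p):
        if ev(g, z, p):
            continue
        if ev(dg, z, p):
            total += p ** k           # non-degenerate root of g~: Hensel lifts it
            continue
        G = shift(g, z, p)            # perturb in the x1 direction only
        s = min(s_of(G, p), sh)       # s(f, zeta^(0)) = min(s(g, zeta_1), c)
        if s >= k:
            total += p ** (2 * k - 1)
        else:
            total += p ** (2 * s - 1) * count_sep(
                [c // p**s for c in G], [c // p**s for c in h], p, k - s)
    return total


def count_sep_bruteforce(g, h, p, k):
    """Direct count over all of (Z/p^k Z)^2, for checking."""
    q = p ** k
    return sum(1 for x1 in range(q) for x2 in range(q)
               if (ev(g, x1, q) + ev(h, x2, q)) % q == 0)


if __name__ == "__main__":
    # the cusp x2^2 - x1^3 (g = -x1^3, h = x2^2) over Z/125Z, both ways
    print(count_sep([0, 0, 0, -1], [0, 0, 1], 5, 3),
          count_sep_bruteforce([0, 0, 0, -1], [0, 0, 1], 5, 3))
```

For the cusp $x_2^2 - x_1^3$ with $p = 5$, $k = 3$ the recursion visits the four smooth $\mathbb{F}_5$-points (contributing $4 \cdot 5^2$) and the origin, where $s = 2$; the perturbation $x_2^2 - 5x_1^3$ is then handled by the Lemma 4.7 branch at $k - s = 1$ and contributes $5^2 \cdot 5$, for $N_{5,3} = 225$, which is what the brute-force count returns. The two multipliers $p^{2(s-1)}$ and $p^{2s-1}$ differ because in the Lemma 4.7 branch only $x_1$ is shifted, so all $k$ digits of $x_2$ stay free while the recursion fixes only $k - s$ of them.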
Proof of Correctness of Algorithm 4.6: Assume temporarily that Algorithm 4.6 is correct when $s(f) = 0$, i.e. when $f_{0,0}$ is not identically $0$ mod $p$. Since for any integer $a$ with $0 \le a \le k$, and any elements $x, y \in (\mathbb{Z}/p^k\mathbb{Z})^2$, $p^a x = p^a y \bmod p^k \iff x = y \bmod p^{k-a}$, a root of $f = p^v (f/p^v)$ mod $p^k$ is the same thing as a root of $f/p^v$ mod $p^{k-v}$ together with an arbitrary choice of the top $v$ base-$p$ digits of each coordinate, of which there are $p^{2v}$. Steps 1–6 of our algorithm therefore dispose of the case where $f$ is identically $0$ in $(\mathbb{Z}/p\mathbb{Z})[x]$. So let us now prove correctness when $f$ is not identically $0$ in $(\mathbb{Z}/p\mathbb{Z})[x]$.

Recall from the discussion at the very beginning of this section that any polynomial in $T_{p,k}(f)$ is of the form $f_{i,\zeta^{(i-1)}}(x) := g_i(x_1) + h_i(x_2)$ with $s(g_i) = 0$ or $s(h_i) = 0$. Applying Lemma 2.4 and Lemma 4.7 accordingly, we then see that it is enough to prove that the value of $M$ is the value of our formula for $N_{p,k}(f)$ when the two For loops of Algorithm 4.6 run correctly.

When $s(g) = s(h) = 0$, Steps 7–16 (once the For loop is completed) simply add the second and third summands of our formula in Lemma 2.4 to $M$, thus ensuring that $M = N_{p,k}(f)$. On the other hand, when $s(g) > s(h) = 0$ or $s(h) > s(g) = 0$, Steps 17–26 (once the For loop is completed) add the second and third summands of our formula in Lemma 4.7 to $M$, thus ensuring that $M = N_{p,k}(f)$. So we are done. □

In [KRRZ19], we defined a recursive tree structure for root counting for univariate polynomials in $\mathbb{Z}/p^k\mathbb{Z}$. We define similarly a recursive tree for $f(x) = g(x_1) + h(x_2)$ that will enable our complexity analysis.

Definition 4.9.
Let us identify the elements of $T_{p,k}(f)$ with nodes of a labelled rooted directed tree $\mathcal{T}_{p,k}(f)$.
(1) We set $f_{0,0} := f$, $k_{0,0} := k$, and let $(f_{0,0}, k_{0,0})$ be the label of the root node of $\mathcal{T}_{p,k}(f)$.
(2) There is an edge from node $(f_{i',\zeta'}, k_{i',\zeta'})$ to node $(f_{i,\zeta}, k_{i,\zeta})$ if and only if $i' = i - 1$ and there is a (set of) singular point(s) $\zeta^{(i-1)}$ in $(\mathbb{Z}/p\mathbb{Z})^2$ of $\tilde f_{i',\zeta'}$ with $s(f_{i',\zeta'}, \zeta^{(i-1)}) \le k_{i',\zeta'} - 1$ and $\zeta = \zeta' + p^{i-1} \zeta^{(i-1)}$ in $(\mathbb{Z}/p^i\mathbb{Z})^2$.
(3) Suppose $f_{i',\zeta'} = g_{i'}(x_1) + h_{i'}(x_2)$. The label of a directed edge from node $(f_{i',\zeta'}, k_{i',\zeta'})$ to node $(f_{i,\zeta}, k_{i,\zeta})$ is
$$p^{\,2\left( s\left( f_{i',\zeta'},\ (\zeta - \zeta')/p^{i'} \right) - 1 \right)} \qquad \text{or} \qquad p^{\,2\, s\left( f_{i',\zeta'},\ (\zeta - \zeta')/p^{i'} \right) - 1},$$
respectively, when $s(g_{i'}) = s(h_{i'}) = 0$ or otherwise.
In particular, the labels of the nodes lie in $\mathbb{Z}[x] \times \mathbb{N}$.

Remark 4.10. 1. Just as the tree structure for univariate polynomials in [KRRZ19], our trees $\mathcal{T}_{p,k}(\cdot)$ encode algebraic expressions for our desired root counts $N_{p,k}(\cdot)$. In particular, the children of a node labelled $(f_i, k_i)$ yield terms that one sums to get the root count $N_{p,k_i}(f_i)$, and the edge labels yield weights multiplying the corresponding terms.
2. One main difference is that the correspondence between polynomials in $T_{p,k}(f)$ and labels in the tree $\mathcal{T}_{p,k}(f)$ is no longer one-to-one. In particular, in the case when $f_{i,\zeta}(x) = g_i(x_1) + h_i(x_2)$ with $s(g_i) = 0 < s(h_i)$, its child node polynomial $f_{i+1,\zeta'}$ for $\zeta' - \zeta = \{ \zeta_1^{(i)} \} \times \mathbb{F}_p$ corresponds to a set of singular points of $\tilde f_{i,\zeta}$ with first coordinate equal to a degenerate root $\zeta_1^{(i)}$ of $\tilde g_i$. ⋄
Lemma 4.11. Let $f(x) = g(x_1) + h(x_2) \in \mathbb{Z}[x_1, x_2]$ be a nonconstant polynomial of degree $d$. Following the notation of Definition 4.9, we have that:
(1) The depth of $\mathcal{T}_{p,k}(f)$ is at most $k$.
(2) The degree of the root node of $\mathcal{T}_{p,k}(f)$ is at most $\binom{d}{2}$.
(3) The degree of any non-root node of $\mathcal{T}_{p,k}(f)$ labeled $(f_{i,\zeta}, k_{i,\zeta})$, with parent $(f_{i-1,\mu}, k_{i-1,\mu})$ and $\zeta^{(i-1)} := (\zeta - \mu)/p^{i-1}$, is at most $s(f_{i-1,\mu}, \zeta^{(i-1)})$. In particular, $\deg \tilde f_{i,\zeta} \le s(f_{i-1,\mu}, \zeta^{(i-1)}) \le k_{i-1,\mu} - 1 \le k - 1$ and
$$\sum_{(f_{i,\zeta},\,k_{i,\zeta})\ \text{a child of}\ (f_{i-1,\mu},\,k_{i-1,\mu})} \deg \tilde f_{i,\zeta}\left(\deg \tilde f_{i,\zeta} - 1\right) \le \deg \tilde f_{i-1,\mu}\left(\deg \tilde f_{i-1,\mu} - 1\right).$$
(4) $\mathcal{T}_{p,k}(f)$ has at most $\binom{d}{2}$ nodes at depth $i \ge 1$, and thus a total of no more than $1 + (k-1)\binom{d}{2}$ nodes.

Proof of Theorem 1.1:
Since we already proved that Algorithm 4.6 is correct, it suffices to prove the stated complexity bound for Algorithm 4.6. The proof consists of three parts: (a) the point counting algorithm over $\mathbb{F}_p$ from [Har15], (b) the univariate reduction and the factorization algorithm, and (c) applying Lemma 4.11 to show that the number of necessary factorization, point counting, and $p$-adic valuation calculations is well-bounded.

More specifically, the For loops and the recursive calls of Algorithm 4.6 can be seen as the process of building the tree $\mathcal{T}_{p,k}(f)$. We begin at the root node by applying the algorithm in [Har15] to find the number of roots of $\tilde f$ in $\mathbb{F}_p^2$. This computation takes time $O(d\,p^{1/2}\log^{\varepsilon} p)$ and space $O(d\,p^{1/2}\log p)$ by [Har15]. (Specifically, one avails oneself of Theorem 3.1, Lemmata 3.2 and 3.4, and Proposition 4.4 from Harvey's paper.)

To find the singular points of $\tilde f$, it suffices to find the roots of the $2 \times 2$ system $F := (\tilde f(x), D_{1,0}\tilde f(x))$ over $\mathbb{F}_p$. This is done by first transforming the problem into the factorization of a univariate polynomial $U_F$ via univariate reduction over the finite field (see, e.g., [Roj99]). In particular $\deg U_F \le d$, and the roots of $U_F$ encode information on the tuples $(x_1, x_2)$ that solve the polynomial system $F$. Computing $U_F$ can be done in time polynomial in the mixed area of the Newton polygons of $F$, and takes time $\tilde O(d)$ and space $O(d)$ ([Roj99]). Then we use the fast randomized Kedlaya–Umans factoring algorithm in [KU08] to find the solutions of $U_F$ in $\mathbb{F}_p$, and thereby the singular points of $\tilde f$. This takes time $(d\log p)^{o(1)} + (d\log p)^{o(1)}$ and requires $O(d\log p)$ random bits.

In order to continue the recursion, we need to compute $p$-adic valuations of polynomial coefficients to determine $s(f_{0,0}, \zeta^{(0)})$ and the edges emanating from the root node. Expanding $f(\zeta^{(0)} + px) \bmod p^k$ takes time no worse than $d(k\log p)^{o(1)}$ via Horner's method and fast finite ring arithmetic (see, e.g., [BS96, vzGG13]). Computing $s(f_{0,0}, \zeta^{(0)})$ thus takes time $d(k\log p)^{o(1)}$ by evaluating $p$-adic valuations using standard tools such as binary methods. By Assertion (2) of Lemma 4.11, there are no more than $\binom{d}{2}$ many such $\zeta^{(0)}$. So the total work so far is $d^{\varepsilon}(k\log p)^{o(1)}p^{1/2+\varepsilon}$. Note that computing the univariate reduction $U_F$ and $N_{p,1}(f)$ via the algorithm in [Har15] dominates the computation.

The remaining work can also be bounded similarly by Lemma 4.11. In particular, the sum of the degrees of the $\tilde f_{i,\zeta}$ at level $i$ of the tree $\mathcal{T}_{p,k}(f)$ is no greater than $\binom{d}{2}$. Now observe that for $i \ge 2$, the amount of work needed to determine the polynomials at level $i$ via computing $s(f_{i-1,\mu}, \zeta^{(i-1)})$ is no greater than $\binom{d}{2}\,d\,(k\log p)^{o(1)}$. As $\deg \tilde f_{i,\zeta} \le d$ for every $f_{i,\zeta}$ in the tree $\mathcal{T}_{p,k}(f)$ and there are at most $\binom{d}{2}$ many such polynomials for each $i \ge 1$, the point counting over $\mathbb{F}_p$, univariate reduction and factorization for each subsequent level of $\mathcal{T}_{p,k}(f)$ will take $d^{\varepsilon}(k\log p)^{o(1)}p^{1/2+\varepsilon}$ with $O(d\log p)$ random bits needed. The expansion of the $f_{i,\zeta}$ at level $i$ will take time no greater than $d(k\log p)^{o(1)}$ to compute. So the total work at each subsequent level is $d^{\varepsilon}(k\log p)^{o(1)}p^{1/2+\varepsilon}$. Therefore the total amount of work for our tree will be $d^{\varepsilon}(k\log p)^{\varepsilon}p^{1/2+\varepsilon}$, and the number of random bits needed is $O(dk\log p)$.

The argument proving the Las Vegas properties of our algorithm can be done similarly to [KRRZ19]. In particular, we run the factorization algorithm sufficiently many times to reduce the overall error probability to less than $2/3$. Thanks to Lemma 4.11, it is enough to enforce a success probability of $O(dk)$ for each application of factorization, and to run the algorithm from [KU08] $O(\log(dk))$ times for each time we need univariate factorization. So a total of $O(dk\log(dk)\log p)$ many random bits is needed.

Our algorithm proceeds by building the tree structure $\mathcal{T}_{p,k}(f)$, so we only need to keep track of collections of $f_{i,\zeta}$. A bivariate polynomial of degree $d$ with integer coefficients all of absolute value less than $p^k$ requires $O(dk\log p)$ bits to store, and there are no more than $\binom{d}{2}k$ many polynomials in $\mathcal{T}_{p,k}(f)$. Combining this with the space needed by the algorithm in [Har15], we only need $O(d\,k\,p^{1/2}\log p)$ space.

If $\tilde f$ defines a smooth and irreducible curve over the algebraic closure $\overline{\mathbb{F}}_p$ of $\mathbb{F}_p$, then the second part of the theorem follows immediately by combining our bivariate version of Hensel's Lemma (Lemma 3.2) with Kedlaya's quantum point counting algorithm from [Ked06]. □

Appendix: Remaining Proofs and Finessing Exceptional Curves
Proof of Lemma 3.2 (Higher-Dimensional Hensel’s Lemma).
Consider the Taylor expansion of $f$ at $\sigma$ by $p^j x$:
$$f(\sigma + p^j x) = f(\sigma) + p^j\left(\frac{\partial f}{\partial x_1}(\sigma)\,x_1 + \frac{\partial f}{\partial x_2}(\sigma)\,x_2\right) + \sum_{i_1 + i_2 \ge 2} p^{j(i_1+i_2)} D_{i_1,i_2} f(\sigma)\, x_1^{i_1} x_2^{i_2} \equiv f(\sigma) + p^j\left(\frac{\partial f}{\partial x_1}(\sigma)\,x_1 + \frac{\partial f}{\partial x_2}(\sigma)\,x_2\right) \bmod p^{j+1},$$
as $j(i_1 + i_2) \ge j + 1$ for all $i_1 + i_2 \ge 2$. Then $t := (t_1, t_2)$ is such that $\sigma + t p^j$ is a solution to $f \equiv 0 \bmod p^{j+1}$ if and only if
$$\frac{\partial f}{\partial x_1}(\sigma)\,t_1 + \frac{\partial f}{\partial x_2}(\sigma)\,t_2 \equiv -\frac{f(\sigma)}{p^j} \bmod p. \qquad (3)$$
As $\zeta^{(0)} = \sigma \bmod p$ is a smooth point on $\tilde f$, there exists an $i$ such that $\frac{\partial f}{\partial x_i}(\sigma) = \frac{\partial f}{\partial x_i}(\zeta^{(0)}) \not\equiv 0 \bmod p$. Then the left-hand side of (3) does not vanish identically, and thus defines a nontrivial linear relation in $(\mathbb{Z}/p\mathbb{Z})^2$. So, fixing $\zeta$, there are exactly $p$ many $t \in (\mathbb{Z}/p\mathbb{Z})^2$ satisfying (3). □

The Proof of Lemma 4.3.
We prove by induction on the number $l$ of irreducible components of $F$.

When $l = 1$, $F = F_1^{e_1}$. By Lemma 2.2, $m_\zeta(F) = e_1 m_\zeta(F_1)$ for every $\zeta \in \mathbb{F}_p^2$. Then by Lemma 4.2 and expanding
$$\sum_{\zeta \text{ on } F_1} m_\zeta(F_1)\,e_1\left(m_\zeta(F_1)\,e_1 - 1\right) \le d(d-1),$$
the conclusion holds.

Now suppose the inequality holds for $l - 1 \ge 1$, and let $F' = \prod_{i=1}^{l-1} F_i^{e_i}$ and $d'$ be its degree, where $F_l$ is irreducible and has no common component with $F'$. Then $\sum_{\zeta \text{ on } F_l} m_\zeta(F_l^{e_l})\left(m_\zeta(F_l^{e_l}) - e_l\right) \le e_l d_l (e_l d_l - e_l)$, and
$$\sum_{J \subseteq \{1,\dots,l-1\}} \left( \sum_{\zeta \in S_J} m_\zeta(F')\Big(m_\zeta(F') - \sum_{j \in J} e_j\Big) + \sum_{\zeta \in T_J,\ |J| \ge 2} m_\zeta(F') \right) \le d'(d'-1), \qquad \sum_\zeta m_\zeta(F')\,m_\zeta(F_l^{e_l}) \le d' d_l e_l.$$
Summing over all $J \subseteq \{1,\dots,l-1\}$, we have
$$\sum_J \left( \sum_{\zeta \in S_J} m_\zeta(F')\Big(m_\zeta(F') - \sum_{j \in J} e_j\Big) + \sum_{\zeta \in T_J,\ |J| \ge 2} m_\zeta(F') \right) + 2\sum_\zeta m_\zeta(F')\,m_\zeta(F_l^{e_l}) + \sum_{\zeta \text{ on } F_l} m_\zeta(F_l^{e_l})\left(m_\zeta(F_l^{e_l}) - e_l\right)$$
$$\le d'(d'-1) + 2 d' d_l e_l + (d_l e_l)^2 - e_l^2 d_l \le (d' + d_l e_l)^2 - d' - e_l d_l \le d(d-1).$$

Note that for each $J \subseteq \{1,\dots,l-1\}$ and each $\zeta \in S_J$ such that $\zeta$ is not a point of $F_l$, $m_\zeta(F') = m_\zeta(F)$. If $\zeta \in S_{J \cup \{l\}} \setminus T_{J \cup \{l\}}$, then $m_\zeta(F_l^{e_l}) + m_\zeta(F') > e_l + \sum_{j \in J} e_j$, and
$$m_\zeta(F')\Big(m_\zeta(F') - \sum_{i \in J} e_i\Big) + 2\,m_\zeta(F_l^{e_l})\,m_\zeta(F') + m_\zeta(F_l^{e_l})\left(m_\zeta(F_l^{e_l}) - e_l\right) = \left(m_\zeta(F') + m_\zeta(F_l^{e_l})\right)^2 - \sum_{i \in J} e_i\, m_\zeta(F') - e_l\, m_\zeta(F_l^{e_l}) \ge m_\zeta(F)\Big(m_\zeta(F) - \sum_{i \in J \cup \{l\}} e_i\Big).$$
So we can rewrite
$$A := \sum_{J \subseteq \{1,\dots,l-1\}} \sum_{\zeta \in S_J} m_\zeta(F')\Big(m_\zeta(F') - \sum_{j \in J} e_j\Big) + 2\sum_{\zeta \notin T_{J \cup \{l\}}} m_\zeta(F')\,m_\zeta(F_l^{e_l}) + \sum_{\zeta \in S_{\{l\}}} m_\zeta(F_l^{e_l})\left(m_\zeta(F_l^{e_l}) - e_l\right)$$
$$\ge \sum_{J \subseteq \{1,\dots,l-1\}} \left( \sum_{\zeta \in S_J} m_\zeta(F)\Big(m_\zeta(F) - \sum_{j \in J} e_j\Big) + \sum_{\zeta \in S_{J \cup \{l\}}} m_\zeta(F)\Big(m_\zeta(F) - \sum_{j \in J \cup \{l\}} e_j\Big) \right) + \sum_{\zeta \in S_{\{l\}}} m_\zeta(F)\left(m_\zeta(F) - e_l\right) = \sum_{I \subseteq \{1,\dots,l\}} \sum_{\zeta \in S_I} m_\zeta(F)\Big(m_\zeta(F) - \sum_{i \in I} e_i\Big).$$
On the other hand, if $\zeta \in T_{J \cup \{l\}}$, we must have $m_\zeta(F_l^{e_l}) + m_\zeta(F') = e_l + \sum_{j \in J} e_j$. Then, summing over all $J \subseteq \{1,\dots,l-1\}$,
$$B := \sum_J \left( \sum_{\zeta \in T_J,\ |J| \ge 2} m_\zeta(F') + 2\sum_{\zeta \in T_{J \cup \{l\}}} m_\zeta(F')\,m_\zeta(F_l^{e_l}) \right) = \sum_J \left( \sum_{\zeta \in T_J,\ |J| \ge 2} m_\zeta(F) + 2\sum_{\zeta \in T_{J \cup \{l\}},\ |J| \ge 2} m_\zeta(F')\,m_\zeta(F_l^{e_l}) \right) + 2\sum_{i=1}^{l-1} \sum_{\zeta \in T_{\{i,l\}}} m_\zeta(F')\,m_\zeta(F_l^{e_l})$$
$$\ge \sum_J \left( \sum_{\zeta \in T_J,\ |J| \ge 2} m_\zeta(F) + \sum_{\zeta \in T_{J \cup \{l\}},\ |J| \ge 2} m_\zeta(F) \right) + \sum_{i=1}^{l-1} \sum_{\zeta \in T_{\{i,l\}}} m_\zeta(F) = \sum_I \sum_{\zeta \in T_I,\ |I| \ge 2} m_\zeta(F).$$
The last inequality holds because for $a, b \ge 1$ we must have $2ab \ge a + b$.

Combining all of the above computations, we have
$$\sum_I \left( \sum_{\zeta \in S_I} m_\zeta(F)\Big(m_\zeta(F) - \sum_{i \in I} e_i\Big) + \sum_{\zeta \in T_I,\ |I| \ge 2} m_\zeta(F) \right) \le A + B \le d(d-1).$$
The conclusion thus follows. □
The Proof of Lemma 4.11.

Assertion (1): By Definitions 2.3 and 4.9, each $(f_{i,\zeta}, k_{i,\zeta})$ whose parent node is $(f_{i-1,\mu}, k_{i-1,\mu})$ must satisfy $1 \le k_{i-1,\mu} - k_{i,\zeta} \le k_{i-1,\mu} - 1$, and $1 \le k_{i,\zeta} \le k - i$ for $i \ge 1$. So, considering any root-to-leaf path in $\mathcal{T}_{p,k}(f)$, it is clear that the depth of $\mathcal{T}_{p,k}(f)$ can be no greater than $1 + (k - 1) = k$.

Assertion (2): If $s(g) = s(h) = 0$, then by Lemma 4.5, $\tilde f(x) \in \mathbb{F}_p[x_1, x_2]$ is square-free. As the multiplicity of any singular point is at least 2, by Lemma 4.2, $\tilde f$ has at most $\binom{d}{2}$ many singular points. In this case, each edge emanating from the root of $\mathcal{T}_{p,k}(f)$ corresponds to a unique singular point of $\tilde f_{0,0}$. Suppose otherwise, and without loss of generality $0 = s(g) < s(h) = c$; then each edge emanating from the root node corresponds to the set $\{\zeta_1^{(0)}\} \times \mathbb{F}_p$ for a unique degenerate root $\zeta_1^{(0)}$ of the univariate polynomial $\tilde g(x_1)$. As $\tilde g$ has at most $\lfloor \deg \tilde g / 2 \rfloor \le \lfloor d/2 \rfloor \le \binom{d}{2}$ degenerate roots, we are done.
Assertion (3): Suppose $f_{i-1,\mu} = g_{i-1}(x_1) + h_{i-1}(x_2) \in \mathbb{Z}[x_1, x_2]$ with $s(g_{i-1}) = s(h_{i-1}) = 0$. Then $\zeta^{(i-1)}$ is a singular point of $\tilde f_{i-1,\mu}$, and let
$$s := s(f_{i-1,\mu}, \zeta^{(i-1)}) = \min_{0 \le i_1 + i_2 \le k_{i,\zeta} - 1} \left\{ (i_1 + i_2) + \operatorname{ord}_p\left(D_{i_1,i_2} f_{i-1,\mu}(\zeta^{(i-1)})\right) \right\}.$$
So then, for each pair $(\ell_1, \ell_2)$ with $\ell_1 + \ell_2 \ge s + 1$, the coefficient of $x_1^{\ell_1} x_2^{\ell_2}$ in the perturbation $f_{i-1,\mu}(\zeta^{(i-1)} + px)$ must be divisible by $p^{s+1}$. In other words, the coefficient of $x_1^{\ell_1} x_2^{\ell_2}$ in $f_{i,\zeta}(x)$ must be divisible by $p$. So $\deg \tilde f_{i,\zeta} \le s$.

Now by Lemma 3.4, we know that the multiplicity of $\zeta^{(i-1)}$ on $\tilde f_{i-1,\mu}$ satisfies $m_{\zeta^{(i-1)}}(\tilde f_{i-1,\mu}) \ge s(f_{i-1,\mu}, \zeta^{(i-1)})$. Combining this with Lemma 4.2, we have
$$\sum_{(f_{i,\zeta},\,k_{i,\zeta})\ \text{a child of}\ (f_{i-1,\mu},\,k_{i-1,\mu})} \deg \tilde f_{i,\zeta}\left(\deg \tilde f_{i,\zeta} - 1\right) \le \sum_{\zeta^{(i-1)}\ \text{sing. point on}\ \tilde f_{i-1,\mu}} m_{\zeta^{(i-1)}}(\tilde f_{i-1,\mu})\left(m_{\zeta^{(i-1)}}(\tilde f_{i-1,\mu}) - 1\right) \le \deg \tilde f_{i-1,\mu}\left(\deg \tilde f_{i-1,\mu} - 1\right).$$
Suppose, without loss of generality, $0 = s(g_{i-1}) < s(h_{i-1}) = c$. Then by a similar argument $\deg \tilde f_{i,\zeta} \le s(f_{i-1,\mu}, \zeta^{(i-1)}) = \min(s(\tilde g, \zeta^{(i-1)}), c) \le s(\tilde g, \zeta^{(i-1)})$. By Lemma 4.11 we have that $\sum_{\zeta^{(i-1)}\ \text{a deg. root of}\ \tilde g_{i-1}} s(\tilde g_{i-1}, \zeta^{(i-1)}) \le \deg \tilde g_{i-1}$, so then $\sum_{(f_{i,\zeta},\,k_{i,\zeta})\ \text{a child of}\ (f_{i-1,\mu},\,k_{i-1,\mu})} \deg \tilde f_{i,\zeta} \le \deg \tilde g_{i-1}$. We are done simply by observing that for $\deg \tilde f_{i,\zeta} \ge a_i > 2$, we must have $\sum a_i(a_i - 1) \le \left(\sum a_i\right)\left(\sum a_i - 1\right)$.

Assertion (4): This is immediate from Assertions (1) and (3). □
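As an added, self-contained example (not code from the paper or its authors), the following Python script makes two ingredients of the preceding proofs concrete for a tiny prime: Hensel lifting at a smooth point (Lemma 3.2: a root mod $p^j$ whose reduction mod $p$ is smooth has exactly $p$ lifts mod $p^{j+1}$), and the per-singular-point recursion on which Algorithm 4.6 and the tree of Definition 4.9 are built, namely the perturbation $f(\zeta + px) = p^s f_{1,\zeta}(x)$ with weight $p^{2(s-1)}$ (the weight $p^{2s-1}$ of Lemma 4.7 is the special case where a whole line $\{\zeta\} \times \mathbb{F}_p$ of singular points is perturbed at once). The recursive count is cross-checked against exhaustive search over $(\mathbb{Z}/p^k\mathbb{Z})^2$. The two curves, the prime $p = 5$, and all function names are constructed for this example; it uses the general singular-point recursion (the bivariate analogue of the [KRRZ19] formula) and finds roots mod $p$ by brute force, so it does none of the tree pruning or sub-linear point counting the paper is about.

```python
from itertools import product
from math import comb

# A bivariate integer polynomial is a dict {(i, j): c} meaning sum of c * x1^i * x2^j.
# Two constructed test curves (not from the paper), both variable separated:
F_SMOOTH = {(3, 0): 1, (0, 2): 1, (0, 0): 3}   # x1^3 + x2^2 + 3: no singular root mod 5
F_CUSP = {(2, 0): 1, (0, 3): 1}                # x1^2 + x2^3: singular root (0, 0) mod 5


def evaluate(f, x1, x2):
    return sum(c * x1**i * x2**j for (i, j), c in f.items())


def partials(f, x1, x2):
    """(df/dx1, df/dx2) at (x1, x2); for g(x1) + h(x2) these are g'(x1) and h'(x2)."""
    d1 = sum(c * i * x1**(i - 1) * x2**j for (i, j), c in f.items() if i > 0)
    d2 = sum(c * j * x1**i * x2**(j - 1) for (i, j), c in f.items() if j > 0)
    return d1, d2


def is_smooth(f, zeta, p):
    """A root zeta mod p is a smooth point of f~ iff some partial derivative is nonzero mod p."""
    d1, d2 = partials(f, *zeta)
    return d1 % p != 0 or d2 % p != 0


def brute_force_count(f, p, k):
    """N_{p,k}(f) by exhaustive search over (Z/p^k Z)^2; only feasible for tiny p^k."""
    m = p**k
    return sum(1 for x1, x2 in product(range(m), repeat=2) if evaluate(f, x1, x2) % m == 0)


def lifts(f, sigma, j, p):
    """Lemma 3.2: for a root sigma of f mod p^j, the t in (Z/pZ)^2 with
    f(sigma + p^j t) = 0 mod p^(j+1). At a smooth point there are exactly p of them."""
    x1, x2 = sigma
    pj, m = p**j, p**(j + 1)
    return [(t1, t2) for t1, t2 in product(range(p), repeat=2)
            if evaluate(f, x1 + pj * t1, x2 + pj * t2) % m == 0]


def valuation(c, p):
    v = 0
    while c % p == 0:
        c //= p
        v += 1
    return v


def perturb(f, zeta, p, k):
    """Expand f(zeta + p*x) mod p^k and pull out the largest power p^s dividing it:
    returns (s, f1) with f(zeta + p*x) = p^s * f1(x) mod p^k, f1 reduced mod p^(k-s),
    or (k, None) when f(zeta + p*x) vanishes identically mod p^k."""
    z1, z2 = zeta
    m = p**k
    g = {}
    for (i, j), c in f.items():
        for a in range(i + 1):
            for b in range(j + 1):
                term = c * comb(i, a) * comb(j, b) * z1**(i - a) * z2**(j - b) * p**(a + b)
                g[(a, b)] = (g.get((a, b), 0) + term) % m
    g = {mon: c for mon, c in g.items() if c}
    if not g:
        return k, None
    s = min(valuation(c, p) for c in g.values())
    ms = p**(k - s)
    f1 = {mon: (c // p**s) % ms for mon, c in g.items()}
    return s, {mon: c for mon, c in f1.items() if c}


def count_roots(f, p, k):
    """N_{p,k}(f) by the recursion behind the tree: a smooth root mod p lifts to exactly
    p^(k-1) roots mod p^k (Hensel); a singular root zeta contributes
    p^(2(s-1)) * N_{p,k-s}(f1) where f(zeta + p x) = p^s f1(x), or p^(2(k-1)) if s >= k."""
    total = 0
    for zeta in product(range(p), repeat=2):
        if evaluate(f, *zeta) % p != 0:
            continue
        if is_smooth(f, zeta, p):
            total += p**(k - 1)
        elif k == 1:
            total += 1
        else:
            s, f1 = perturb(f, zeta, p, k)
            if f1 is None:
                total += p**(2 * (k - 1))
            else:
                total += p**(2 * (s - 1)) * count_roots(f1, p, k - s)
    return total


if __name__ == "__main__":
    for name, f in (("smooth", F_SMOOTH), ("cusp", F_CUSP)):
        for k in (1, 2, 3):
            print(name, k, count_roots(f, 5, k), brute_force_count(f, 5, k))
```

Running it shows $N_{5,k}$ growing by a factor of exactly $p$ per level for the smooth curve, while at the cusp of $x_1^2 + x_2^3$ all $p^2$ candidates lift at the first step and the perturbed polynomial $x_1^2 + 5x_2^3$ has to be recursed on, which is precisely the situation the tree $\mathcal{T}_{p,k}(f)$ records.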
The Proof of Lemma 4.7.
Any point over $\mathbb{F}_p$ on $\tilde f(x)$ is nonsingular if and only if $D_{1,0}(\tilde f) = \tilde g'(x_1) \not\equiv 0 \bmod p$, as $h(x_2)$ is identically $0 \bmod p$. In other words, any nonsingular point on $\tilde f$ must be of the form $(\zeta_1^{(0)}, y)$ where $\zeta_1^{(0)}$ is a non-degenerate root of $\tilde g$ and $y \in \{0, 1, \dots, p-1\}$ is arbitrary. So the number of nonsingular points on $\tilde f$ is $n_p(f) = p \cdot n_p(g)$. Then the first summand in the equation is obvious by plugging this into the first summand in Lemma 2.4.

Now suppose $\zeta := \zeta_1^{(0)}$ is a degenerate root of the univariate polynomial $\tilde g$, and $\zeta^{(0)} = \{\zeta\} \times \mathbb{F}_p$. Write $\sigma = \zeta + p\tau$, where $\tau := \zeta_1 + \dots + p^{k-2}\zeta_{k-1} \in \mathbb{Z}/p^{k-1}\mathbb{Z}$ via base-$p$ expansion. Then by definition $f(\zeta + px_1, x_2) = p^{s(f,\zeta^{(0)})} f_{1,\zeta^{(0)}}(x_1, x_2)$, where $f_{1,\zeta^{(0)}} \in \mathbb{Z}[x_1, x_2]$ does not vanish identically mod $p$.

If $s(f, \zeta^{(0)}) \ge k$, then $f(\sigma, y) \equiv 0 \bmod p^k$ regardless of the choice of $\tau \in \mathbb{Z}/p^{k-1}\mathbb{Z}$ and $y \in \mathbb{Z}/p^k\mathbb{Z}$. So there are exactly $p^{k-1} \cdot p^k = p^{2k-1}$ many pairs $(\sigma, y) \in (\mathbb{Z}/p^k\mathbb{Z})^2$ such that $\sigma \equiv \zeta \bmod p$ and $f(\sigma, y) \equiv 0 \bmod p^k$.

If $s(f, \zeta^{(0)}) \le k - 1$, then $f(\sigma, y) \equiv 0 \bmod p^k$ if and only if
$$f_{1,\zeta^{(0)}}(\tau, y) \equiv 0 \bmod p^{k - s(f,\zeta^{(0)})}. \qquad (4)$$
Let $s := s(f, \zeta^{(0)})$; then $\tau \equiv \zeta_1 + p\zeta_2 + \dots + p^{k-s-1}\zeta_{k-s} \bmod p^{k-s}$ and $y := \sum_{i=0}^{k-1} p^i y_i \equiv y_0 + \dots + p^{k-s-1} y_{k-s-1} \bmod p^{k-s}$. So the remaining base-$p$ digits, $\zeta_{k-s+1}, \dots, \zeta_{k-1}$ and $y_{k-s}, \dots, y_{k-1}$ respectively, do not appear in Equality (4). The number of lifts whose first coordinate mod $p$ is $\zeta$ is thus exactly $p^{s-1} \cdot p^{s}$ times the number of roots $(\tau, y) \in (\mathbb{Z}/p^{k-s}\mathbb{Z})^2$ of $f_{1,\zeta^{(0)}}$. □

Exceptional Curves.
Let $f(x) \in \mathbb{Z}[x_1, x_2]$ be a nonconstant polynomial, and let $s(f)$ denote the largest power of $p$ dividing all the coefficients of $f$. Consider $f(x) = g^d(x) + p^{cd} h(x) \in \mathbb{Z}[x_1, x_2]$ with $d \ge c \ge 1$. Moreover, $f(x) \equiv g^d(x) \bmod p$ and $f$ is irreducible mod $p$.

For $k \le cd$, $f(x) \equiv g^d(x) \bmod p^k$. Now suppose $\zeta^{(0)}$ is a smooth point on $(g \bmod p)$. Then by Hensel's Lemma (Lemma 3.2), $\zeta^{(0)}$ lifts to $p^{\lceil k/d \rceil - 1}$ many roots of $g \bmod p^{\lceil k/d \rceil}$. Suppose $\sigma$ is one of these lifts; then $\sigma + p^{\lceil k/d \rceil}\tau$ for any $\tau \in (\mathbb{Z}/p^{k - \lceil k/d \rceil}\mathbb{Z})^2$ is a root of $(g^d \bmod p^k)$. So each $\zeta^{(0)}$ lifts to $p^{\lceil k/d \rceil - 1} \cdot p^{2(k - \lceil k/d \rceil)} = p^{2k - \lceil k/d \rceil - 1}$ many roots of $f \bmod p^k$.

Now suppose $k > cd$, and let $\zeta$ be a root of $f \bmod p^{cd}$ such that $\zeta^{(0)} \equiv \zeta \bmod p$ is a smooth point on $g$. Consider the Taylor expansion of $f$ at $\zeta$:
$$f(\zeta + p^{cd}x) = \left[g(\zeta) + T(x)\right]^d + p^{cd} h(\zeta + p^{cd}x) = \left[g(\zeta)^d + p^{cd}h(\zeta)\right] + \sum_{l=1}^{d} \binom{d}{l} g(\zeta)^{d-l}\,T(x)^l + \sum_{i_1 + i_2 \ge 1} D_{i_1,i_2} h(\zeta)\, p^{cd(i_1 + i_2 + 1)}\, x_1^{i_1} x_2^{i_2}, \qquad (5)$$
where $T(x) := g(\zeta + p^{cd}x) - g(\zeta) = \sum_{i_1 + i_2 \ge 1} D_{i_1,i_2} g(\zeta)\, p^{cd(i_1 + i_2)}\, x_1^{i_1} x_2^{i_2}$. As $\zeta^{(0)}$ is a smooth point on $g$, either $D_{1,0}g(\zeta)$ or $D_{0,1}g(\zeta)$ is nonzero mod $p$. Then $s(T) = cd$, and each term in the second summand of Equality (5) has valuation $(d - l)\operatorname{ord}_p g(\zeta) + lcd$.

If $\zeta^{(0)}$ is also a point on $h \bmod p$, then $\zeta$ continues to lift, and by Lemma 4.1 there are at most $d$ many such $\zeta^{(0)}$. However, there are cases when $h(\zeta) \not\equiv 0 \bmod p$, yet $\zeta$ continues to lift to $p^k$ for $k > cd$. This can only happen when $g(\zeta)^d + p^{cd}h(\zeta) \equiv 0 \bmod p^{cd+1}$, in which case $\operatorname{ord}_p g(\zeta) = c$. Now the second summand in Equality (5) must have order $(d-1)c + cd$, whereas the third summand has order $\ge 2cd$. So now $s(f, \zeta) = \min\left\{\operatorname{ord}_p\left(g(\zeta)^d + p^{cd}h(\zeta)\right),\ (d-1)c + cd\right\}$. If $s(f, \zeta) < (d-1)c + cd$, then $\tilde f_{cd,\zeta} = f(\zeta + p^{cd}x)/p^{s(f,\zeta)} \bmod p$ is a nonzero constant, and thus $\zeta$ does not lift. Suppose otherwise. Then
$$\tilde f_{cd,\zeta} = \frac{g(\zeta)^d + p^{cd}h(\zeta)}{p^{s(f,\zeta)}} + \frac{d\,g(\zeta)^{d-1}}{p^{(d-1)c}}\left(D_{1,0}g(\zeta)\,x_1 + D_{0,1}g(\zeta)\,x_2\right) \bmod p,$$
which defines a line! By Hensel's Lemma, we are done!

So the problem boils down to determining a criterion for when $\operatorname{ord}_p\left(g(\zeta)^d + p^{cd}h(\zeta)\right) \ge (d-1)c + cd$ and $h(\zeta) \not\equiv 0 \bmod p$ happen together. Also, we need to compute $\operatorname{ord}_p\left(g(\zeta)^d + p^{cd}h(\zeta)\right)$ for every lift $\zeta \bmod p^{cd}$ of each non-isolated singular point $\zeta^{(0)}$, and there are exactly $p^{2cd - 2}$ many such $\zeta$. In summary, computing perturbations for each and every singular point of $\tilde f$ can be very expensive going into higher dimensions: the underlying singular locus might not be zero-dimensional, and thus implies the calculation of a number of perturbations super-linear in $p$. It turns out that for some families of curves, the non-isolated singular points partition into groups that each lift uniformly. We will pursue this improvement in future work.

Acknowledgements
We are grateful to Daqing Wan for helpful comments on curves and error correcting codes.
References

[AH01] Leonard M. Adleman and Ming-Deh Huang. Counting points on curves and abelian varieties over finite fields. Journal of Symbolic Computation, 32(3):171–189, 2001.
[BGMWo11] Edward Bierstone, Dima Grigoriev, Pierre Milman, and Jarosław Włodarczyk. Effective Hironaka resolution and its complexity. Asian J. Math., 15(2):193–228, 2011.
[BLQ13] Jérémy Berthomieu, Grégoire Lecerf, and Guillaume Quintin. Polynomial root finding over local rings and application to error correcting codes. Appl. Algebra Eng. Commun. Comput., 24:413–443, 2013.
[BM20] Jennifer S. Balakrishnan and J. Steffen Müller. Computational tools for quadratic Chabauty. Preprint, Boston University, 2020. Draft of lecture notes for the 2020 Arizona Winter School on Nonabelian Chabauty.
[BS96] Eric Bach and Jeff Shallit. Algorithmic Number Theory, Vol. I: Efficient Algorithms. MIT Press, Cambridge, MA, 1996.
[BW10] Maheshanand Bhaintwal and Siri Krishan Wasan. Generalized Reed-Muller codes over $\mathbb{Z}_q$. Des. Codes Cryptogr., 54(2):149–166, 2010.
[CDV06] Wouter Castryck, Jan Denef, and Frederik Vercauteren. Computing zeta functions of nondegenerate curves. Technical report, International Mathematics Research Papers, vol. 2006, article ID 72017, 2006.
[CGRW18] Qi Cheng, Shuhong Gao, J. Maurice Rojas, and Daqing Wan. Counting roots for polynomials modulo prime powers. In Proceedings of ANTS XIII (Algorithmic Number Theory Symposium, July 16–20, 2018, University of Wisconsin, Madison). Mathematical Sciences Publishers (Berkeley, California), 2018.
[CH15] Henry Cohn and Nadia Heninger. Ideal forms of Coppersmith's theorem and Guruswami-Sudan list decoding. Advances in Mathematics of Communications, 9(3):311–339, 2015.
[CL08] Antoine Chambert-Loir. Compter (rapidement) le nombre de solutions d'équations dans les corps finis. Séminaire Bourbaki, 2006/2007:39–90, 2008.
[Del74] Pierre Deligne. La conjecture de Weil. I. Publications Mathématiques de l'Institut des Hautes Études Scientifiques, 43(1):273–307, Dec 1974.
[DMS19] Ashish Dwivedi, Rajat Mittal, and Nitin Saxena. Counting basic-irreducible factors mod $p^k$ in deterministic poly-time and $p$-adic applications. arXiv e-prints, page arXiv:1902.07785, Feb 2019.
[DMS20] Ashish Dwivedi, Rajat Mittal, and Nitin Saxena. Computing Igusa's local zeta function of univariates in deterministic polynomial-time. In S. K. Galbraith, editor, Proceedings of ANTS 2020 (Algorithmic Number Theory Symposium). Mathematical Sciences Publishers (Berkeley, California), 2020.
[GCM91] Javier Gomez-Calderon and Gary L. Mullen. Galois rings and algebraic cryptography. Acta Arith., 59(4):317–328, 1991.
[GG16] Steven D. Galbraith and Pierrick Gaudry. Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr., 78(1):51–72, 2016.
[GS99] V. Guruswami and M. Sudan. Improved decoding of Reed-Solomon and algebraic-geometry codes. IEEE Transactions on Information Theory, 45(6):1757–1767, Sep. 1999.
[GSS00] Venkatesan Guruswami, Amit Sahai, and Madhu Sudan. "Soft-decision" decoding of Chinese remainder codes. In , pages 159–168. IEEE Comput. Soc. Press, Los Alamitos, CA, 2000.
[Har15] David Harvey. Computing zeta functions of arithmetic schemes. Proceedings of the London Mathematical Society, 111(6):1379–1401, 2015.
[HKC+94] A. Roger Hammons, Jr., P. Vijay Kumar, A. R. Calderbank, N. J. A. Sloane, and Patrick Solé. The $\mathbb{Z}_4$-linearity of Kerdock, Preparata, Goethals, and related codes. IEEE Trans. Inform. Theory, 40(2):301–319, 1994.
[Igu07] Jun-Ichi Igusa. An Introduction to the Theory of Local Zeta Functions. AMS/IP Studies in Pure Maths Rep Series. American Mathematical Society, 2007.
[Ked01] Kiran S. Kedlaya. Counting points on hyperelliptic curves using Monsky-Washnitzer cohomology. J. Ramanujan Math. Soc., 16(4):323–338, 2001.
[Ked06] Kiran S. Kedlaya. Quantum computation of zeta functions of curves. Comput. Complexity, 15(1):1–19, 2006.
[KLP12] Tali Kaufman, Shachar Lovett, and Ely Porat. Weight distribution and list-decoding size of Reed-Muller codes. IEEE Trans. Inform. Theory, 58(5):2689–2696, 2012.
[Kob87] Neal Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.
[KRRZ19] Leann Kopp, Natalie Randall, J. Maurice Rojas, and Yuyu Zhu. Randomized polynomial-time root counting in prime power rings. Mathematics of Computation, in production, 2019.
[KU08] Kiran Kedlaya and Christopher Umans. Fast polynomial factorization and modular composition. In P. Bro Miltersen, R. Reischuk, G. Schnitger, and D. van Melkebeek, editors, Computational Complexity of Discrete Problems, number 08381 in Dagstuhl Seminar Proceedings, Dagstuhl, Germany, 2008. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany.
[LW08] Alan G. B. Lauder and Daqing Wan. Counting points on varieties over finite fields of small characteristic. In Algorithmic number theory: lattices, number fields, curves and cryptography, pages 579–612, Cambridge, 2008. Math. Sci. Res. Inst. Publ., 44, Univ. Press.
[Mil86] Victor S. Miller. Use of elliptic curves in cryptography. In Advances in cryptology—CRYPTO '85 (Santa Barbara, Calif., 1985), volume 218 of Lecture Notes in Comput. Sci., pages 417–426. Springer, Berlin, 1986.
[NZM91] I. Niven, H. S. Zuckerman, and H. L. Montgomery. An Introduction to the Theory of Numbers. Wiley, 1991.
[Pil90] J. Pila. Frobenius maps of abelian varieties and finding roots of unity in finite fields. Mathematics of Computation, 55(192):745–763, 1990.
[PR11] Adrien Poteaux and Marc Rybowicz. Complexity bounds for the rational Newton-Puiseux algorithm over finite fields. Appl. Algebra Engrg. Comm. Comput., 22(3):187–217, 2011.
[Roj99] J. Maurice Rojas. Solving degenerate sparse polynomial systems faster. Journal of Symbolic Computation, 28(1):155–186, 1999.
[RZ20] J. Maurice Rojas and Yuyu Zhu. A complexity chasm for solving sparse polynomial equations over $p$-adic fields. arXiv e-prints, page arXiv:2003.00314, 2020.
[Sch85] René Schoof. Elliptic curves over finite fields and the computation of square roots mod $p$. Mathematics of Computation, 44(170):483–494, 1985.
[Sud97] Madhu Sudan. Decoding of Reed Solomon codes beyond the error-correction bound. J. Complexity, 13(1):180–193, 1997.
[vdG01] Gerard van der Geer. Curves over finite fields and codes. In European Congress of Mathematics, Vol. II (Barcelona, 2000), volume 202 of Progr. Math., pages 225–238. Birkhäuser, Basel, 2001.
[vzGG13] Joachim von zur Gathen and Jürgen Gerhard. Modern Computer Algebra. Cambridge University Press, 3rd edition, 2013.
[Wan08] Daqing Wan. Algorithmic theory of zeta functions over finite fields. In Algorithmic number theory: lattices, number fields, curves and cryptography, pages 551–578. Math. Sci. Res. Inst. Publ., 44, Univ. Press, Cambridge, 2008.
[Wei49] André Weil. Numbers of solutions of equations in finite fields.