Subquadratic-Time Algorithms for Normal Bases
Mark Giesbrecht, Armin Jamshidpey, and Éric Schost
May 8, 2020
Abstract.
For any finite Galois field extension $K/F$, with Galois group $G = \mathrm{Gal}(K/F)$, there exists an element $\alpha \in K$ whose orbit $G \cdot \alpha$ forms an $F$-basis of $K$. Such an $\alpha$ is called a normal element and $G \cdot \alpha$ is a normal basis. We introduce a probabilistic algorithm for testing whether a given $\alpha \in K$ is normal, when $G$ is either a finite abelian or a metacyclic group. The algorithm is based on the fact that deciding whether $\alpha$ is normal can be reduced to deciding whether $\sum_{g \in G} g(\alpha) g \in K[G]$ is invertible; it requires a slightly subquadratic number of operations. Once we know that $\alpha$ is normal, we show how to perform conversions between the working basis of $K/F$ and the normal basis with the same asymptotic cost.
Keywords.
Normal bases; Galois groups; polycyclic groups; metacyclic groups; fast algorithms
Subject classification.
1. Introduction
For a finite Galois field extension $K/F$, with Galois group $G = \mathrm{Gal}(K/F)$, an element $\alpha \in K$ is called normal if the set of its Galois conjugates $G \cdot \alpha = \{g(\alpha) : g \in G\}$ forms a basis for $K$ as a vector space over $F$. The existence of a normal element for any finite Galois extension is classical, and constructive proofs are provided in most algebra texts (see, e.g., (Lang 2002, Section 6.13)).
While there is a wide range of well-known applications of normal bases in finite fields, such as fast exponentiation (e.g., (Gao et al. $F_{q^n}/F_q$, where $F_{q^n}$ is the finite field with $q^n$ elements for any prime power $q$ and integer $n > 1$, is presented by von zur Gathen & Giesbrecht (1990), with a cost of O ( n + n log q ) operations in $F_q$. A faster randomized algorithm is introduced by Kaltofen & Shoup (1998), with a cost of O ( n . log q ) operations in $F_q$. In the bit complexity model, Kedlaya and Umans showed how to reduce the exponent of $n$ to 1.63, by leveraging their quasi-linear time algorithm for modular composition (Kedlaya & Umans 2011). Lenstra (1991) introduced a deterministic algorithm to construct a normal element which uses $n^{O(1)}$ operations in $F_{q^n}/F_q$. To the best of our knowledge, the algorithm of Augot & Camion (1994) is the most efficient deterministic method, with a cost of O ( n + n log q ) operations in $F_q$.

In characteristic zero, Schlickewei & Stepanov (1993) gave an algorithm for finding a normal basis of a number field over $Q$ with a cyclic Galois group of cardinality $n$ which requires $n^{O(1)}$ operations in $Q$. Poli (1994) gives an algorithm for the more general case of finding a normal basis in an abelian extension $K/F$ which requires $n^{O(1)}$ operations in $F$. More generally in characteristic zero, for any Galois extension $K/F$ of degree $n$ with Galois group given by a collection of $n$ matrices, Girstmair (1999) gives an algorithm which requires O ( n ) operations in $F$ to construct a normal element in $K$.

In this paper we present a new randomized algorithm that decides whether a given element in either an abelian or a metacyclic extension is normal, with a runtime subquadratic in the degree $n$ of arithmetic operations in $F$ at unit cost. Questions related to the bit-complexity of our algorithms are challenging, and beyond the scope of this paper.

Our main conventions are the following.

Assumption 1.1.
Let $K/F$ be a finite Galois extension presented as $K = F[x]/\langle P(x) \rangle$, for an irreducible polynomial $P \in F[x]$ of degree $n$, with $F$ of characteristic zero. Then,
◦ elements of $K$ are written on the power basis $1, \xi, \dots, \xi^{n-1}$, where $\xi := x \bmod P$;
◦ elements of $G$ are represented by their action on $\xi$.

In particular, for $g \in G$ given by means of $\gamma := g(\xi) \in K$, and β = P ≤ i 3) that describes the cost of certain rectangular matrix products (see the end of this section).

Theorem 1.2. Under Assumption 1.1, if $G$ is either abelian or metacyclic, one can test whether $\alpha \in K$ is normal using ˜ O ( n (3 / · ω (4 / ) operations in $F$, where (3 / · ω (4 / < . . The algorithms are randomized of the Monte Carlo type.

Once $\alpha$ is known to be normal, we also discuss the cost of conversion between the power basis $1, \xi, \dots, \xi^{n-1}$ of $K$ and its normal basis $G \cdot \alpha$. Again inspired by previous work of Kaltofen & Shoup (1998), we obtain the following results.

Theorem 1.3. Under Assumption 1.1, if $G$ is either abelian or metacyclic and $\alpha \in K$ is known to be normal, we can perform basis conversion between the power basis $1, \xi, \dots, \xi^{n-1}$ of $K$ and its normal basis $G \cdot \alpha$ using ˜ O ( n (3 / · ω (4 / ) operations in $F$. The algorithms are randomized of the Monte Carlo type.

In both theorems, the runtime is barely subquadratic, and the exponent 1.99 is obtained through fast matrix multiplication algorithms that are most likely impractical for reasonable $n$. However, these results show in particular that we can perform basis conversions without writing down the normal basis itself (which would require Θ( n ) elements in $F$).

Remark 1.4. Both above algorithms are randomized of the Monte Carlo type. In our model, this means that they are allowed to draw random elements for a prescribed subset of $K$, and for a control parameter $\epsilon$, produce the correct answer with probability greater than $1 - \epsilon$ (see Remark 2.8).
Section 2 of this paper is devoted to definitions and preliminary discussions. In Section 3, a subquadratic-time algorithm is presented for the randomized reduction of our main question to invertibility testing in $F[G]$; this algorithm applies to any finite polycyclic group, and in particular to abelian and metacyclic groups. In Section 4, we show that the problems of testing invertibility in $F[G]$ and performing divisions can be solved in quasi-linear time for an abelian group; for metacyclic groups, we give a subquadratic time algorithm based on structured linear algebra algorithms (this will finish the proof of Theorem 1.2). Finally, Section 5 proves Theorem 1.3.

Our algorithms make extensive use of known algorithms for polynomial and matrix arithmetic; in particular, we use repeatedly the fact that polynomials of degree $n$ in $F[x]$, for any field $F$ of characteristic zero, can be multiplied in $\tilde{O}(n)$ operations in $F$ (Schönhage & Strassen 1971). As a result, arithmetic operations $(+, \times, \div)$ in $K$ can all be done using $\tilde{O}(n)$ operations in $F$ (von zur Gathen & Gerhard 2013). We also assume that generating a random element in $F$ takes constant time.

For matrix arithmetic, we will rely on some non-trivial results on rectangular matrix multiplication initiated by Lotti & Romani (1983). For $k \in R$, we denote by $\omega(k)$ a constant such that over any ring, matrices of sizes $(n, n)$ by $(n, \lceil n^k \rceil)$ can be multiplied in $O(n^{\omega(k)})$ ring operations (so $\omega(1)$ is the usual exponent of square matrix multiplication, which we simply write $\omega$). The sharpest values known to date for most rectangular formats are by Le Gall & Urrutia (2018); for $k = 1$, the best known value is ω ≤ . 373 by Le Gall (2014). Over a field, further matrix operations (such as inversion) can also be done in $O(n^{\omega})$ base field operations.

Part of the results of this paper (Theorem 1.2 for abelian groups) were already published in the conference paper (Giesbrecht et al.
2. Preliminaries
One of the well-known proofs of the existence of a normal element for a finite Galois extension, as for example reported by Lang (2002, Theorem 6.13.1), suggests a randomized algorithm for finding such an element. Assume $K/F$ is a finite Galois extension with Galois group $G = \{g_1, \dots, g_n\}$. If $\alpha \in K$ is a normal element, then

(2.1) $\sum_{j=1}^{n} c_j g_j(\alpha) = 0, \quad c_j \in F$

implies $c_1 = \cdots = c_n = 0$. For each $i \in \{1, \dots, n\}$, applying $g_i$ to equation (2.1) yields

(2.2) $\sum_{j=1}^{n} c_j g_i g_j(\alpha) = 0.$

Using (2.1) and (2.2), one can form the linear system $Mc = 0$, with $c = [c_1 \cdots c_n]^T$ and where, for $\alpha \in K$,

(2.3) $M = \begin{pmatrix} g_1 g_1(\alpha) & g_1 g_2(\alpha) & \cdots & g_1 g_n(\alpha) \\ g_2 g_1(\alpha) & g_2 g_2(\alpha) & \cdots & g_2 g_n(\alpha) \\ \vdots & \vdots & \ddots & \vdots \\ g_n g_1(\alpha) & g_n g_2(\alpha) & \cdots & g_n g_n(\alpha) \end{pmatrix} \in M_n(K).$

Classical proofs then proceed to show that there exists $\alpha \in K$ with $\det(M) \ne 0$.

This approach can be used as the basis of a procedure to test if a given $\alpha \in K$ is normal, by computing all the entries of the matrix $M$ and using linear algebra to compute its determinant; using fast matrix arithmetic this requires $O(n^{\omega})$ operations in $K$, that is $\tilde{O}(n^{\omega+1})$ operations in $F$. This is at least cubic in $n$; the main contribution of this paper is to show how to speed up this verification.

Before entering that discussion, we briefly comment on the probability that $\alpha$ be a normal element: if we write $\alpha = a_0 + \cdots + a_{n-1} \xi^{n-1}$, the determinant of $M$ is a (not identically zero) homogeneous polynomial of degree $n$ in $(a_0, \dots, a_{n-1})$. If the $a_i$'s $X \subset F$, the Lipton-DeMillo-Schwartz-Zippel lemma implies that the probability that $\alpha$ be normal is at least $1 - n/|X|$.

If $G$ is cyclic generated by an element $g$, with $g_1 = \mathrm{id}$ and $g_{i+1} = g g_i$ for all $i$, von zur Gathen & Giesbrecht (1990) avoid computing a determinant by computing the GCD of $S_\alpha := \sum_{i=1}^{n} g_i(\alpha) x^{i-1}$ and $x^n - 1$.
In effect, this amounts to testing whether $S_\alpha$ is invertible in the group ring $K[G]$, which is isomorphic to $K[x]/\langle x^n - 1 \rangle$. This is a general fact: for any $G$, matrix $M$ above is the matrix of left multiplication by the orbit sum

$S_\alpha := \sum_{i=1}^{n} g_i(\alpha) g_i \in K[G],$

where we index rows by $g_1, \dots, g_n$ and columns by their inverses $g_1^{-1}, \dots, g_n^{-1}$. In terms of notation, for any field $L$ (typically, we will take either $L = F$ or $L = K$), and $\beta$ in $L[G]$, we will write $M_L(\beta)$ for the left multiplication matrix by $\beta$ in $L[G]$, using the two bases shown above. In other words, the matrix $M$ of (2.3) is $M_K(S_\alpha)$.

The previous discussion shows that $\alpha$ being normal is equivalent to $S_\alpha$ being a unit in $K[G]$. This point of view may make it possible to avoid linear algebra of size $n$ over $K$, but writing $S_\alpha$ itself still involves Θ( n ) elements in $F$. The following lemma is the main new ingredient in our algorithm: it gives a randomized reduction to testing whether a suitable projection of $S_\alpha$ in $F[G]$ is a unit.

Lemma 2.4. For $\alpha \in K$, $M_K(S_\alpha)$ is invertible if and only if $\ell(M_K(S_\alpha)) := [\ell(g_i g_j(\alpha))]_{ij} \in M_n(F)$ is invertible for a generic $F$-linear projection $\ell : K \to F$.

Proof. ($\Rightarrow$) For a fixed $\alpha \in K$, any entry of $M_K(S_\alpha)$ can be written as

(2.5) $\sum_{k=0}^{n-1} a_{ijk} \xi^k,$

and for $\ell : K \to F$, the corresponding entry in $\ell(M_K(S_\alpha))$ can be written $\sum_{k=0}^{n-1} a_{ijk} \ell_k$, with $\ell_k = \ell(\xi^k)$. Replacing these $\ell_k$'s by indeterminates $L_k$'s, the determinant becomes a polynomial $P \in F[L_1, \dots, L_n]$. Viewing $P$ in $K[L_1, \dots, L_n]$, we have $P(1, \xi, \dots, \xi^{n-1}) = \det(M_K(S_\alpha))$, which is non-zero by assumption. Hence, $P$ is not identically zero, and the conclusion follows.

($\Leftarrow$) Assume $M_K(S_\alpha)$ is not invertible. Following the proof of Jamshidpey et al.
(2018, Lemma 4), we first show that there exists a non-zero $u \in F^n$ in the kernel of $M_K(S_\alpha)$.

The elements of $G$ act on rows of $M_K(S_\alpha)$ entrywise and the action permutes the rows of the matrix. Assume $\varphi : G \to S_n$ is the group homomorphism such that $g(M_i) = M_{\varphi(g)(i)}$ for all $i$, where $M_i$ is the $i$-th row of $M_K(S_\alpha)$.

Since $M_K(S_\alpha)$ is singular, there exists a non-zero $v \in K^n$ such that $M_K(S_\alpha) v = 0$; we choose $v$ having the minimum number of non-zero entries. Let $i \in \{1, \dots, n\}$ such that $v_i \ne 0$. Define $u = \frac{1}{v_i} v$. Then, $M_K(S_\alpha) u = 0$, which means $M_j u = 0$ for $j \in \{1, \dots, n\}$. For $g \in G$, we have

$g(M_j u) = M_{\varphi(g)(j)}\, g(u) = 0.$

Since this holds for any $j$, we conclude that $M_K(S_\alpha) g(u) = 0$, hence $g(u) - u$ is in the kernel of $M_K(S_\alpha)$. On the other hand since the $i$-th entry of $u$ is one, the $i$-th entry of $g(u) - u$ is zero. Thus the minimality assumption on $v$ shows that $g(u) - u = 0$, equivalently $g(u) = u$, and hence $u \in F^n$.

Now we show that $\ell(M_K(S_\alpha))$ is not invertible for all choices of $\ell$. By Equation (2.5), we can write

$M_K(S_\alpha) = \sum_{j=0}^{n-1} M^{(j)} \xi^j, \quad M^{(j)} \in M_n(F)$ for all $j$.

Since $u$ has entries in $F$, $M_K(S_\alpha) u = 0$ yields $M^{(j)} u = 0$ for j ∈ { , . . . , n }. Hence,

$\sum_{j=0}^{n-1} M^{(j)} \ell_j u = 0$

for any $\ell_j$'s in $F$, and $\ell(M_K(S_\alpha))$ is not invertible for any $\ell$. □

Our algorithm can be sketched as follows: given $\alpha$ in $K$, choose a random $\ell : K \to F$, and let

(2.6) $s_{\alpha,\ell} := \sum_{i=1}^{n} \ell(g_i(\alpha)) g_i \in F[G].$

$\ell(M_K(S_\alpha))$ is equal to $M_F(s_{\alpha,\ell})$, that is, the multiplication matrix by $s_{\alpha,\ell}$ in $F[G]$, where, as above, we index rows by $g_1, \dots, g_n$ and columns by $g_1^{-1}, \dots, g_n^{-1}$. Then, the previous lemma can be rephrased as follows:

Lemma 2.7. For $\alpha \in K$, $\alpha$ is normal if and only if $s_{\alpha,\ell}$ is invertible in $F[G]$ for a generic $F$-linear projection $\ell : K \to F$.

Thus, once $s_{\alpha,\ell}$ is known, we are left with testing whether it is a unit in $F[G]$.
In the next two sections, we address the respective questions of computing $s_{\alpha,\ell}$, and testing its invertibility in $F[G]$.

Remark 2.8. If $\alpha$ is not normal, $S_\alpha$ is not a unit. In this case, the proof of Lemma 2.4 established that $s_{\alpha,\ell}$ is not a unit for any $\ell$, so our algorithm always returns the correct answer in this case. If $\alpha$ is normal, the polynomial $P$ in the proof of Lemma 2.4, is a homogeneous polynomial of degree $n$ in $(L_1, \dots, L_n)$. Thus, if we choose the coefficients of $\ell$ uniformly at random in any fixed finite subset $X \subset F$, by the Lipton-DeMillo-Schwartz-Zippel lemma, we return the correct answer with probability at least $1 - n/|X|$.

3. Computing projections of the orbit sum
In this section we present an algorithm to compute $s_{\alpha,\ell}$ when $G = \{g_1, \dots, g_n\}$ is polycyclic (we give a definition of this family of groups and recall some well known results about them in Subsection 3.2). To motivate our algorithm, we start by the simple case of a cyclic group. We will see that they follow closely ideas used by Kaltofen & Shoup (1998) over finite fields.

Suppose $G = \langle g \rangle$, so that given $\alpha$ in $K$ and $\ell : K \to F$, our goal is to compute

(3.1) $\ell(g^i(\alpha)), \quad$ for $0 \le i \le n - 1$.

Kaltofen & Shoup (1998) call this the automorphism projection problem and gave an algorithm to solve it in subquadratic time, when $g$ is the $q$-power Frobenius $F_{q^n} \to F_{q^n}$. The key idea in their algorithm is to use the baby-steps/giant-steps technique: for a suitable parameter $t$, the values in (3.1) can be rewritten as

$(\ell \circ g^{tj})(g^i(\alpha)), \quad$ for $0 \le j < m := \lceil n/t \rceil$ and $0 \le i < t$.

First, we compute all $G_i := g^i(\alpha)$ for $0 \le i < t$. Then we compute all $L_j := \ell \circ g^{tj}$ for $0 \le j < m$, where the $L_j$'s are themselves linear mappings $K \to F$. Finally, a matrix product yields all values $L_j(G_i)$.

The original algorithm of Kaltofen & Shoup (1998) relies on the properties of the Frobenius mapping to achieve subquadratic runtime.
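The test of Lemma 2.7 for cyclic $G$, with the projections (3.1) computed by the baby-steps/giant-steps scheme above and the unit test done as a GCD with $x^n - 1$ as in Section 2, is shown here as an added example (not code from the paper). It uses schoolbook arithmetic over $Q$, so it shows the structure of the reduction and not the subquadratic cost; the function names, the choice $t = \lceil \sqrt{n} \rceil$, the sampling range for $\ell$ and the sample field $Q(\zeta_5)$ are assumptions made for the illustration.

```python
from fractions import Fraction
from math import isqrt
import random

def mulmod(a, b, P):
    """a*b in K = Q[x]/<P>; lists of n coefficients, low degree first, P monic."""
    n = len(P) - 1
    prod = [Fraction(0)] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for d in range(2 * n - 2, n - 1, -1):    # rewrite x^d using x^n = -(P mod x^n)
        for k in range(n):
            prod[d - n + k] -= prod[d] * P[k]
    return prod[:n]

def apply_aut(beta, gamma, P):
    """g(beta) = beta(gamma) mod P, where gamma = g(xi) (Horner's rule)."""
    acc = [Fraction(0)] * (len(P) - 1)
    for c in reversed(beta):
        acc = mulmod(acc, gamma, P)
        acc[0] += c
    return acc

def compose_form(ell, gamma, P):
    """Transposed map: values of ell o g on the power basis, ell(gamma^k)."""
    n = len(P) - 1
    power = [Fraction(1)] + [Fraction(0)] * (n - 1)
    values = []
    for _ in range(n):
        values.append(sum(l * c for l, c in zip(ell, power)))
        power = mulmod(power, gamma, P)
    return values

def projections(alpha, gamma, ell, P, order):
    """[ell(g^i(alpha)) for 0 <= i < order] by baby steps / giant steps (n >= 2)."""
    n = len(P) - 1
    t = isqrt(order - 1) + 1                 # t = ceil(sqrt(order)), an assumed choice
    m = -(-order // t)                       # m = ceil(order / t)
    baby = [list(alpha)]                     # G_i = g^i(alpha), 0 <= i < t
    for _ in range(t - 1):
        baby.append(apply_aut(baby[-1], gamma, P))
    gamma_t = [Fraction(0), Fraction(1)] + [Fraction(0)] * (n - 2)   # xi
    for _ in range(t):
        gamma_t = apply_aut(gamma_t, gamma, P)                       # g^t(xi)
    giant = [list(ell)]                      # L_j = ell o g^(t*j), 0 <= j < m
    for _ in range(m - 1):
        giant.append(compose_form(giant[-1], gamma_t, P))
    # Matrix product (L_j(G_i)); entry (j, i) is ell(g^(t*j + i)(alpha)).
    flat = [sum(l * c for l, c in zip(L, G)) for L in giant for G in baby]
    return flat[:order]

def gcd_degree(a, b):
    """Degree of gcd(a, b) in Q[x], by Euclid's algorithm."""
    def trim(p):
        p = [Fraction(c) for c in p]
        while p and p[-1] == 0:
            p.pop()
        return p
    a, b = trim(a), trim(b)
    while b:
        while len(a) >= len(b):              # a <- a mod b
            q, shift = a[-1] / b[-1], len(a) - len(b)
            for k, bk in enumerate(b):
                a[shift + k] -= q * bk
            a = trim(a)
        a, b = b, a
    return len(a) - 1

def is_normal(alpha, gamma, P, order, ell=None, bound=10**6):
    """Monte Carlo normality test for cyclic G = <g> of the given order."""
    if ell is None:                          # random F-linear form, given on 1, xi, ...
        ell = [Fraction(random.randint(-bound, bound)) for _ in range(len(P) - 1)]
    s = projections(alpha, gamma, ell, P, order)       # coefficients of s_{alpha,ell}
    x_n_minus_1 = [-1] + [0] * (order - 1) + [1]
    return gcd_degree(s, x_n_minus_1) == 0   # unit in Q[x]/<x^n - 1> iff gcd is constant

# Constructed sample: K = Q(zeta_5), P = x^4+x^3+x^2+x+1, g: xi -> xi^2 generates G.
P5 = [1, 1, 1, 1, 1]
GAMMA = [0, 0, 1, 0]                         # gamma = g(xi) = xi^2
XI = [0, 1, 0, 0]                            # alpha = xi
REAL = [-1, 0, -1, -1]                       # alpha = xi + xi^4, fixed by g^2

if __name__ == "__main__":
    print(is_normal(XI, GAMMA, P5, 4), is_normal(REAL, GAMMA, P5, 4))
```

As Remark 2.8 states, the error is one-sided: for the two non-normal inputs the answer is negative for every choice of $\ell$.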
In our case, we cannot apply these results directly; instead, we have to revisit the proofs of (Kaltofen & Shoup 1998, Lemmata 3 and 4), now considering rectangular matrix multiplication. Our exponents involve the constant ω (4 / ω (4 / < . ω (1 . 3) and ω (1 . 4) given by Le Gall & Urrutia (2018), and the fact that $k \mapsto \omega(k)$ is convex (Lotti & Romani 1983). In particular, 3 / · ω (4 / < . 99. Note also the inequality ω ( k ) ≥ k for k ≥ 1, since ω ( k ) describes products with input and output size O ( n k ).

The key to the algorithms below is the remark following Assumption 1.1, which reduces automorphism evaluation to modular composition of polynomials. Over finite fields, this idea goes back to von zur Gathen & Shoup (1992), where it is credited to Kaltofen. For instance, given $g \in G$ (by means of $\gamma := g(\xi)$), we can deduce $g^2 \in G$ (again, by means of its image at $\xi$) as $\gamma(\gamma)$; this can be done with ˜ O ( n ( ω +1) / ) operations in $F$ using Brent and Kung's modular composition algorithm (Brent & Kung 1978). The algorithms below describe similar operations along these lines, involving several simultaneous evaluations. In this subsection, we work under Assumption 1.1 and we make no special assumption on $G$.

Lemma 3.2. Given $\alpha_1, \dots, \alpha_s$ in $K$ and $g$ in $G = \mathrm{Gal}(K/F)$, with $s = O(\sqrt{n})$, we can compute $g(\alpha_1), \dots, g(\alpha_s)$ with ˜ O ( n (3 / · ω (4 / ) operations in $F$.

Proof. (Compare (Kaltofen & Shoup 1998, Lemma 3)) As noted above, for $i \le s$, $g(\alpha_i) = \alpha_i(\gamma)$, with $\gamma := g(\xi) \in K$. Let t := ⌈ n / ⌉ , m := ⌈ n/t ⌉ , and rewrite α , . . . , α s as α i = X ≤ j 4, the leading exponent in all costs seen so far is (3 / · ω (4 / □

Lemma 3.3. Consider $g_1, \dots, g_r$ in $G = \mathrm{Gal}(K/F)$, positive integers $(s_1, \dots, s_r)$ and elements $\alpha_{i_1,\dots,i_r}$ in $K$, for $i_m = 0, \dots, s_m$, $m = 1, \dots, r$. If $\prod_{i=1}^{r} s_i = O(\sqrt{n})$ and $r = O(\log(n))$, we can compute

$g_r^{i_r} \cdots g_1^{i_1}(\alpha_{i_1,\dots,i_r})$

for $i_m = 0, \dots, s_m$, $m = 1, \dots, r$ using ˜ O ( n (3 / · ω (4 / ) operations in $F$.

Proof. Define $I = \{(i_1, \dots, i_r) \mid i_m = 0, \dots, s_m \text{ for } m = 1, \dots, r\}$. For $(i_1, \dots, i_r)$ in $I$ and non-negative integers $\ell_1, \dots, \ell_r$, define

$\alpha^{(\ell_1,\dots,\ell_r)}_{i_1,\dots,i_r} = g_r^{\ell_r} \cdots g_1^{\ell_1}(\alpha_{i_1,\dots,i_r}).$

Assume then that for some $t$ in $\{0, \dots, r-1\}$, we know

$S_t = (\alpha^{(i_1,\dots,i_t,0,\dots,0)}_{i_1,\dots,i_r} \mid (i_1, \dots, i_r) \in I);$

we show how to compute

$S_{t+1} = (\alpha^{(i_1,\dots,i_{t+1},0,\dots,0)}_{i_1,\dots,i_r} \mid (i_1, \dots, i_r) \in I).$

Since our input is $S_0$, it will be enough to go through this process for all values of $t$ to obtain the output $S_r$ of the algorithm.

For a given index $t$, and for m ≥

$S_{t,m} = (\alpha^{(i_1,\dots,i_t,\, i_{t+1} \bmod 2^m,\, 0,\dots,0)}_{i_1,\dots,i_r} \mid (i_1, \dots, i_r) \in I);$

in particular, $S_{t,0} = S_t$ and $S_{t,\lfloor \log(s_{t+1}) \rfloor + 1} = S_{t+1}$. Hence, given $S_{t,m}$, it is enough to show how to compute $S_{t,m+1}$, for indices $m = 0, \dots, \lfloor \log(s_{t+1}) \rfloor$. This is done by writing

$S_{t,m+1} = (\beta_{i_1,\dots,i_r,t,m} \mid (i_1, \dots, i_r) \in I),$

with

$\beta_{i_1,\dots,i_r,t,m} = \begin{cases} \alpha^{(i_1,\dots,i_t,\, i_{t+1} \bmod 2^m,\, 0,\dots,0)}_{i_1,\dots,i_r} & \text{if } i_{t+1} \bmod 2^{m+1} = i_{t+1} \bmod 2^m, \\ g_{t+1}^{2^m}\big(\alpha^{(i_1,\dots,i_t,\, i_{t+1} \bmod 2^m,\, 0,\dots,0)}_{i_1,\dots,i_r}\big) & \text{otherwise.} \end{cases}$

The automorphisms $g_{t+1}^{2^m}$ can be computed iteratively by modular composition; the bottleneck is the application of $g_{t+1}^{2^m}$ to a subset of $S_{t,m}$. Using Lemma 3.2, since $S_{t,m}$ has $O(\sqrt{n})$ elements, this takes ˜ O ( n (3 / · ω (4 / ) operations in $F$.

For a given index $t$, this is repeated $\lfloor \log(s_{t+1}) \rfloor \le \log(s_{t+1}) + 1$ times. Adding up for all indices $t$, this amounts to $O(\log(s_1 \cdots s_r) + r)$ repetitions, which is $O(\log(n))$ by assumption; the conclusion follows. □

We now present dual versions of the previous two lemmas (note that Kaltofen & Shoup (1998) also have such a discussion).
Seen as an $F$-linear map, the operator $g : \alpha \mapsto g(\alpha)$ admits a transpose, which maps an $F$-linear form $\ell : K \to F$ to the $F$-linear form $\ell \circ g : \alpha \mapsto \ell(g(\alpha))$. The transposition principle (Canny et al. et al. $F^N \to F^M$ can be computed in time $T$, its transpose can be computed in time $T + O(N + M)$. In particular, given $s$ linear forms $\ell_1, \dots, \ell_s$ and $g$ in $G$, transposing Lemma 3.2 shows that we can compute $\ell_1 \circ g, \dots, \ell_s \circ g$ in time ˜ O ( n (3 / · ω (4 / ). The following lemma sketches the construction.

Lemma 3.4. Given $F$-linear forms $\ell_1, \dots, \ell_s : K \to F$ and $g$ in $G = \mathrm{Gal}(K/F)$, with $s = O(\sqrt{n})$, we can compute $\ell_1 \circ g, \dots, \ell_s \circ g$ using ˜ O ( n (3 / · ω (4 / ) operations in $F$.

Proof. Given $\ell_i$ by its values on the power basis $1, \xi, \dots, \xi^{n-1}$, $\ell_i \circ g$ is represented by its values at $1, \gamma, \dots, \gamma^{n-1}$, with $\gamma := g(\xi)$.

Let $t$, $m$ and γ , . . . , γ t be as in the proof of Lemma 3.2. Compute the "giant steps" γ jt = γ tj , j = 0 , . . . , m − i = 1 , . . . , s and $j = 0, \dots, m - 1$, deduce the linear forms $L_{i,j}$ defined by $L_{i,j}(\alpha) := \ell_i(\gamma^{tj} \alpha)$ for all $\alpha$ in $K$. Each of them can be obtained by a transposed multiplication in time $\tilde{O}(n)$ (Shoup 1995, Section 4.1), so that the total cost thus far is ˜ O ( n / ).

Finally, multiply the $(sm \times n)$ matrix with entries the coefficients of all $L_{i,j}$ (as rows) by the $(n \times t)$ matrix with entries the coefficients of $\gamma_0, \dots, \gamma_{t-1}$ (as columns) to obtain all values $\ell_i(\gamma^j)$, for $i = 1, \dots, s$ and $j = 0, \dots, n - 1$. This can be accomplished with O ( n (3 / · ω (4 / ) operations in $F$. □

From this, we deduce the transposed version of Lemma 3.3, whose proof follows the same pattern.

Lemma 3.5. Consider $g_1, \dots, g_r$ in $G = \mathrm{Gal}(K/F)$, positive integers $(s_1, \dots, s_r)$ and $F$-linear forms $\ell_{i_1,\dots,i_r}$, for $i_m = 0, \dots, s_m$, $m = 1, \dots, r$.
If $\prod_{i=1}^{r} s_i = O(\sqrt{n})$ and $r = O(\log(n))$, we can compute

$\ell_{i_1,\dots,i_r} \circ g_r^{i_r} \cdots g_1^{i_1}$

for $i_m = 0, \dots, s_m$, $m = 1, \dots, r$ using ˜ O ( n (3 / · ω (4 / ) operations in $F$.

Proof. We proceed as in Lemma 3.3, reversing the order of the steps. Using the same index set $I$ as before, define, for $(i_1, \dots, i_r)$ in $I$ and non-negative integers $k_1, \dots, k_r$,

$\ell^{(k_1,\dots,k_r)}_{i_1,\dots,i_r} = \ell_{i_1,\dots,i_r} \circ g_r^{k_r} \cdots g_1^{k_1}.$

For $t = r, \dots, 0$, assuming that we know

$L_{t+1} = (\ell^{(0,\dots,0,\, i_{t+1},\dots,i_r)}_{i_1,\dots,i_r} \mid (i_1, \dots, i_r) \in I),$

we compute

$L_t = (\ell^{(0,\dots,0,\, i_t, i_{t+1},\dots,i_r)}_{i_1,\dots,i_r} \mid (i_1, \dots, i_r) \in I).$

This time, for $m \ge 0$, we set

$L_{t+1,m} = (\ell^{(0,\dots,0,\, \lfloor i_t \rfloor_m,\, i_{t+1},\dots,i_r)}_{i_1,\dots,i_r} \mid (i_1, \dots, i_r) \in I),$

where for a non-negative integer $x$, ⌊ x ⌋ m = x − ( x mod (2 m − , , . . . , m − in the base-two expansion of $x$.

Starting from $L_{t+1} = L_{t,\lceil \log(s_t) \rceil + 1}$, we compute all $L_{t+1,m}$ for $m = \lceil \log(s_t) \rceil, \dots, 0$, since $L_{t+1,0} = L_t$. This is done essentially as in Lemma 3.3, but using Lemma 3.4 this time, in order to do right-composition by $g_t^{2^m}$. The cost analysis is as in Lemma 3.3. □

Our main algorithm in this section applies to a family of groups known as polycyclic; see (Holt et al. $G$ is called polycyclic if it has a normal series

$G = G_r \trianglerighteq G_{r-1} \trianglerighteq \cdots \trianglerighteq G_1 \trianglerighteq G_0 = 1,$

where $G_j/G_{j-1}$ is cyclic; without loss of generality, we assume that $G_{j-1} \ne G_j$ holds for all $j$, so that $r$ is $O(\log(n))$, with $n = |G|$. Finitely generated nilpotent or abelian groups are polycyclic. In general any finite solvable group is polycyclic; our key families of examples in the next section (abelian and metacyclic groups) thus fit into this category.

If $G$ is polycyclic then, up to renumbering, its elements can be written as

$g_r^{i_r} \cdots g_1^{i_1}, \quad$ with $0 \le i_j < e_j$ for $1 \le j \le r$,

where $G_j/G_{j-1} = \langle g_j G_{j-1} \rangle$ and $e_j = |G_j/G_{j-1}|$.
Elements of $K[G]$, or $F[G]$ are written as polynomials $\sum_{i_1,\dots,i_r} c_{i_1,\dots,i_r}\, g_r^{i_r} \cdots g_1^{i_1}$, with $0 \le i_j < e_j$ for all $j$, and coefficients in either $K$ or $F$.

Proposition 3.6. Suppose that $G$ is polycyclic, with notation as above. For $\alpha$ in $K$ and $\ell : K \to F$, $s_{\alpha,\ell} \in F[G]$, as defined in (2.6), can be computed using ˜ O ( n (3 / · ω (4 / ) operations in $F$.

Proof. Our goal is to compute

(3.7) $\ell(g_r^{i_r} \cdots g_1^{i_1}(\alpha)),$

for all indices such that $0 \le i_j < e_j$ holds for $1 \le j \le r$; here, $\ell$ is an $F$-linear projection $K \to F$.

Our construction is inspired by that sketched in the cyclic case. Define $z$ to be the unique index in $\{1, \dots, r\}$ such that $e_1 \cdots e_{z-1} < \sqrt{n}$ and $e_1 \cdots e_z \ge \sqrt{n}$. Then, all elements in (3.7) can be computed with the following steps, the sum of whose costs proves the proposition.

Step 1. Apply Lemma 3.3, with $\alpha_{i_1,\dots,i_r} = \alpha$ for all $i_1, \dots, i_r$, to get

$G_{i_z,\dots,i_1} = g_z^{i_z} \cdots g_1^{i_1}(\alpha),$

for all indices $i_1, \dots, i_z$ such that $0 \le i_m < e_m$ holds for $m = 1, \dots, z - 1$ and $0 \le i_z < \lceil \sqrt{n}/(e_1 \cdots e_{z-1}) \rceil$. This amounts to taking $s_1 = e_1, \dots, s_{z-1} = e_{z-1}$, $s_z = \lceil \sqrt{n}/(e_1 \cdots e_{z-1}) \rceil$ and $s_m = 1$ for $m > z$ in the lemma. For the lemma to apply, we have to check that the product of these indices $s_1, \dots, s_r$ is $O(\sqrt{n})$. Indeed, this product is at most

$e_1 \cdots e_{z-1} \left( \frac{\sqrt{n}}{e_1 \cdots e_{z-1}} + 1 \right) \le \sqrt{n} + e_1 \cdots e_{z-1} \le 2\sqrt{n}.$

Hence, the lemma applies, and the cost of this step is ˜ O ( n (3 / · ω (4 / ).

Step 2. Compute $G_z = g_z^{s_z}$, for $s_z$ as above. The cost is that of $O(\log(n))$ modular compositions, which is negligible compared to the cost of the previous step.

Step 3. Use Lemma 3.5 with $\ell_{i_r,\dots,i_1} = \ell$ for all $i_1, \dots, i_r$, to compute

$L_{j_r,\dots,j_z} = \ell \circ (g_r^{j_r} \cdots g_{z+1}^{j_{z+1}} G_z^{j_z}) = \ell \circ (g_r^{j_r} \cdots g_{z+1}^{j_{z+1}} g_z^{s_z j_z}),$

for all indices $0 \le j_z < \lceil e_z/s_z \rceil$ and $0 \le j_m < e_m$ for $m > z$.
This amounts to using the lemma with indices $s'_1 = \cdots = s'_{z-1} = 1$, $s'_z = \lceil e_z/s_z \rceil$ and $s'_m = e_m$ for $m > z$. Again, we have to verify that $s'_1 \cdots s'_r$ is $O(\sqrt{n})$. Indeed, we have

$s'_1 \cdots s'_r = \left\lceil \frac{e_z}{s_z} \right\rceil e_{z+1} \cdots e_r \le \left( \frac{e_z}{s_z} + 1 \right) e_{z+1} \cdots e_r \le \frac{e_z \cdots e_r}{s_z} + e_{z+1} \cdots e_r.$

By definition, we have $s_z \ge \sqrt{n}/(e_1 \cdots e_{z-1})$, so $e_z \cdots e_r/s_z \le e_1 \cdots e_r/\sqrt{n} = \sqrt{n}$. Because we assume $e_1 \cdots e_z \ge \sqrt{n}$, the second term is also at most $\sqrt{n}$, so the product $s'_1 \cdots s'_r$ is at most $2\sqrt{n}$. Hence, Lemma 3.5 applies, and computes all $L_{j_r,\dots,j_z}$ using ˜ O ( n (3 / · ω (4 / ) operations in $F$.

Step 4. Multiply the matrix with rows the coefficients of all $L_{j_r,\dots,j_z}$ by the matrix whose columns are the coefficients of all $G_{i_z,\dots,i_1}$. This yields the values

$\ell(g_r^{j_r} \cdots g_{z+1}^{j_{z+1}}\, g_z^{s_z j_z + i_z}\, g_{z-1}^{i_{z-1}} \cdots g_1^{i_1}(\alpha)),$

for indices as follows:
• $0 \le i_m < e_m$ for $m = 0, \dots, z - 1$;
• $0 \le i_z < s_z$ and $0 \le j_z < \lceil e_z/s_z \rceil$;
• $0 \le j_m < e_m$ for $m = z + 1, \dots, r$.

This shows that we obtain all required values. We compute this product in O ( n (1 / · ω (2) ) operations in $F$, which is in O ( n (3 / · ω (4 / ). □

4. Arithmetic in the Group Algebra
In this section we consider the problems of invertibility testing and division in $F[G]$: given elements $\beta, \eta$ in $F[G]$, for a field $F$ and a group $G$, determine whether $\beta$ is a unit in $F[G]$, and if so, compute $\beta^{-1} \eta$. We focus on two particular families of polycyclic groups, namely abelian and metacyclic groups $G$; as well as being necessary $F$-algebra isomorphism (which we will refer to as a Fourier Transform)

$F[G] \to M_{d_1}(D_1) \times \cdots \times M_{d_r}(D_r),$

where all $D_i$'s are division algebras over $F$. If we were working over $F = C$, all $D_i$'s would simply be $C$ itself.
A natural solution to test the invertibility of $\beta \in F[G]$ would then be to compute its Fourier transform and test whether all its components $\beta_1 \in M_{d_1}(C), \dots, \beta_r \in M_{d_r}(C)$ are invertible. This boils down to linear algebra over $C$, and takes $O(d_1^{\omega} + \cdots + d_r^{\omega})$ operations. Since d + · · · + d r = n , with $n = |G|$, this is O ( n ω/ ) operations in $C$.

However, we do not wish to make such a strong assumption as $F = C$. Since we measure the cost of our algorithms in $F$-operations, the direct approach that embeds $F[G]$ into $C[G]$ does not make it possible to obtain a subquadratic cost in general. If, for instance, $F = Q$ and $G$ is cyclic of order $n = 2^k$, computing the Fourier Transform of $\beta$ requires we work in a degree n/ Q , implying a quadratic runtime.

In this section, we give algorithms for the problems of invertibility testing and division for the two particular families of polycyclic groups mentioned so far, namely abelian and metacyclic. For the former, starting from a suitable presentation of $G$, we give a softly linear-time algorithm to find an isomorphic image of $\beta \in F[G]$ in a product of $F$-algebras of the form $F[z]/\langle P_i(z) \rangle$, for certain polynomials $P_i \in F[z]$ (recovering $\beta$ from its image is softly-linear time as well). Not only does this allow us to test whether $\beta$ is invertible, this also makes it possible to find its inverse in $F[G]$ (or to compute products in $F[G]$) in softly-linear time (we are not aware of previous results of this kind).

For metacyclic groups, we rely on the block-Hankel structure of the matrix of multiplication by $\beta$. Through structured linear algebra algorithms, this allows us to solve both problems (invertibility and division) in subquadratic (albeit not softly-linear time) time.

Because an abelian group is a product of cyclic groups, the group algebra $F[G]$ of such a group is the tensor product of cyclic algebras.
Using this property, given an element $\beta$ in $F[G]$, our goal in this section is to determine whether $\beta$ is a unit, and if so to compute expressions such as $\beta^{-1} \eta$, for $\eta$ in $F[G]$.

The previous property implies that $F[G]$ admits a description of the form $F[x_1, \dots, x_t]/\langle x_1^{n_1} - 1, \dots, x_t^{n_t} - 1 \rangle$, for some integers $n_1, \dots, n_t$. The complexity of arithmetic operations in an $F$-algebra such as $A := F[x_1, \dots, x_t]/\langle P_1(x_1), \dots, P_t(x_t) \rangle$ is difficult to pin down precisely. For general $P_i$'s, the cost of multiplication in $A$ is known to be O (dim( A ) ε ), for any ε > et al. et al. $F[z]/\langle P_i(z) \rangle$, for various polynomials $P_i$. Poli (1994) also discusses the factors of algebras such as $F[x_1, \dots, x_t]/\langle x_1^{n_1} - 1, \dots, x_t^{n_t} - 1 \rangle$, but the resulting algorithms are different (and the cost of Poli's (1994) algorithm is only known to be polynomial in $n = |G|$).

Tensor product of two cyclotomic rings: coprime orders. The following proposition will be the key to foregoing multivariate polynomials, and replacing them by univariate ones. Let $m, m'$ be two coprime integers and define

$h := F[x, x']/\langle \Phi_m(x), \Phi_{m'}(x') \rangle,$

where for $i \ge 0$, $\Phi_i$ is the cyclotomic polynomial of order $i$. In what follows, $\varphi$ is Euler's totient function, so that $\varphi(i) = \deg(\Phi_i)$ for all $i$.

Lemma 4.1. There exists an $F$-algebra isomorphism $\gamma : h \to F[z]/\langle \Phi_{mm'}(z) \rangle$ given by $xx' \mapsto z$. Given $\Phi_m$ and $\Phi_{m'}$, $\Phi_{mm'}$ can be computed in time $\tilde{O}(\varphi(mm'))$; given these polynomials, one can apply $\gamma$ and its inverse to any input using $\tilde{O}(\varphi(mm'))$ operations in $F$.

Proof. Without loss of generality, we prove the first claim over $Q$; the result over $F$ follows by scalar extension. In the field $Q[x, x']/\langle \Phi_m(x), \Phi_{m'}(x') \rangle$, $xx'$ is cancelled by $\Phi_{mm'}$.
Since this polynomial is irreducible, it is the minimal polynomial of $xx'$, which is thus a primitive element for $Q[x, x']/\langle \Phi_m(x), \Phi_{m'}(x') \rangle$. This proves the first claim.

For the second claim, we first determine the images of $x$ and $x'$ by $\gamma$. Start from a Bézout relation $am + a'm' = 1$, for some $a, a'$ in $Z$. Since $x^m = x'^{m'} = 1$ in $h$, we deduce that $\gamma(x) = z^u$ and $\gamma(x') = z^v$, with $u := am \bmod mm'$ and $v := a'm' \bmod mm'$. To compute $\gamma(P)$, for some $P$ in $h$, we first compute $P(z^u, z^v)$, keeping all exponents reduced modulo $mm'$. This requires no arithmetic operations and results in a polynomial $\bar{P}$ of degree less than $mm'$, which we eventually reduce modulo $\Phi_{mm'}$ (the latter is obtained by the composed product algorithm of Bostan et al. (2006) in quasi-linear time). By (Bach & Shallit 1996, Theorem 8.8.7), we have the bound $s \in O(\varphi(s) \log(\log(s)))$, so that $s$ is in $\tilde{O}(\varphi(s))$. Thus, we can reduce $\bar{P}$ modulo $\Phi_{mm'}$ in $\tilde{O}(\varphi(mm'))$ operations, establishing the cost bound for $\gamma$.

Conversely, given $Q$ in $F[z]/\langle \Phi_{mm'}(z) \rangle$, we obtain its preimage by replacing powers of $z$ by powers of $xx'$, reducing all exponents in $x$ modulo $m$, and all exponents in $x'$ modulo $m'$. We then reduce the result modulo both $\Phi_m(x)$ and $\Phi_{m'}(x')$. By the same argument as above, the cost is softly linear in $\varphi(mm')$. □

Extension to several cyclotomic rings. The natural generalization of the algorithm above starts with pairwise distinct primes $p = (p_1, \dots, p_t)$, non-negative exponents $c = (c_1, \dots, c_t)$ and variables $x = (x_1, \dots, x_t)$ over $F$. Now, we define

$H := F[x_1, \dots, x_t]/\langle \Phi_{p_1^{c_1}}(x_1), \dots, \Phi_{p_t^{c_t}}(x_t) \rangle;$

when needed, we will write $H$ as $H_{p,c,x}$. Finally, we let $\mu := p_1^{c_1} \cdots p_t^{c_t}$; then, the dimension $\dim(H)$ is $\varphi(\mu)$.

Lemma 4.2. There exists an $F$-algebra isomorphism $\Gamma : H \to F[z]/\langle \Phi_\mu(z) \rangle$ given by $x_1 \cdots x_t \mapsto z$.
One can apply $\Gamma$ and its inverse to any input using $\tilde{O}(\dim(H))$ operations in $F$.

Proof. We proceed iteratively. First, note that the cyclotomic polynomials $\Phi_{p_i^{c_i}}$ can all be computed in time $O(\varphi(\mu))$. The isomorphism

$$\gamma : F[x_1, x_2]/\langle \Phi_{p_1^{c_1}}(x_1), \Phi_{p_2^{c_2}}(x_2) \rangle \to F[z]/\langle \Phi_{p_1^{c_1} p_2^{c_2}}(z) \rangle$$

given in the previous paragraph extends coordinate-wise to an isomorphism

$$\Gamma_1 : H \to F[z, x_3, \dots, x_t]/\langle \Phi_{p_1^{c_1} p_2^{c_2}}(z), \Phi_{p_3^{c_3}}(x_3), \dots, \Phi_{p_t^{c_t}}(x_t) \rangle.$$

By the previous lemma, $\Gamma_1$ and its inverse can be applied to any input in time $\tilde{O}(\varphi(\mu))$. Iterate this process another t − t − ◦ · · · ◦ Γ . Since $t$ is logarithmic in $\varphi(\mu)$, the proof is complete. □

Tensor product of two prime-power cyclotomic rings, same $p$. In the following two paragraphs, we discuss the opposite situation as above: we now work with cyclotomic polynomials of prime power orders for a common prime $p$. As above, we start with two such polynomials.

Let thus $p$ be a prime. The key to the following algorithms is the lemma below. Let $c, c'$ be positive integers, with $c \ge c'$, and let $x, y$ be indeterminates over $F$. Define

$$a := F[x]/\Phi_{p^c}(x), \tag{4.3}$$

$$b := F[x, y]/\langle \Phi_{p^c}(x), \Phi_{p^{c'}}(y) \rangle = a[y]/\Phi_{p^{c'}}(y). \tag{4.4}$$

Note that $a$ and $b$ have respective dimensions $\varphi(p^c)$ and $\varphi(p^c)\varphi(p^{c'})$.

Lemma 4.5. There is an $F$-algebra isomorphism $\theta : b \to a^{\varphi(p^{c'})}$ such that one can apply $\theta$ or its inverse to any inputs using $\tilde{O}(\dim(b))$ operations in $F$.

Proof. Let $\xi$ be the residue class of $x$ in $A$. Then, in $a[y]$, $\Phi_{p^{c'}}(y)$ factors as

$$\Phi_{p^{c'}}(y) = \prod_{\substack{1 \le i \le p^{c'} - 1 \\ \gcd(i, p) = 1}} (y - \rho_i),$$

with $\rho_i := \xi^{i p^{c - c'}}$ for all $i$. Even though $a$ may not be a field, the Chinese Remainder theorem implies that $b$ is isomorphic to $a^{\varphi(p^{c'})}$; the isomorphism is given by

$$\theta : b \to a \times \cdots \times a, \qquad P \mapsto \left(P(\xi, \rho_1), \dots, P(\xi, \rho_{\varphi(p^{c'})})\right).$$
In terms of complexity, arithmetic operations $(+, -, \times)$ in $a$ can all be done in $\tilde{O}(\varphi(p^c))$ operations in $F$. Starting from $\rho_1 \in a$, all other roots $\rho_i$ can then be computed in $O(\varphi(p^{c'}))$ operations in $a$, that is, $\tilde{O}(\dim(b))$ operations in $F$.

Applying $\theta$ and its inverse is done by means of fast evaluation and interpolation (von zur Gathen & Gerhard 2013, Chapter 10) in $\tilde{O}(\varphi(p^{c'}))$ operations in $a$, that is, $\tilde{O}(\deg(b))$ operations in $F$ (the algorithms do not require that $a$ be a field). □

Extension to several cyclotomic rings. Let $p$ be as before, and consider now non-negative integers $\mathbf{c} = (c_1, \dots, c_t)$ and variables $\mathbf{x} = (x_1, \dots, x_t)$. We define the $F$-algebra

$$A := F[x_1, \dots, x_t]/\langle \Phi_{p^{c_1}}(x_1), \dots, \Phi_{p^{c_t}}(x_t) \rangle,$$

which we will sometimes write $A_{p, \mathbf{c}, \mathbf{x}}$ to make the dependency on $p$ and the $c_i$'s clear. Up to reordering the $c_i$'s, we can assume that $c_1 \ge c_i$ holds for all $i$, and define as before $a := F[x_1]/\Phi_{p^{c_1}}(x_1)$.

Lemma 4.6. There exists an $F$-algebra isomorphism $\Theta : A \to a^{\dim(A)/\dim(a)}$. This isomorphism and its inverse can be applied to any inputs using $\tilde{O}(\dim(A))$ operations in $F$.

Proof. Without loss of generality, we can assume that all $c_i$'s are non-zero (since for $c_i = 0$, $\Phi_{p^{c_i}}(x_i) = x_i - 1$, so $F[x_i]/\langle \Phi_{p^{c_i}}(x_i) \rangle = F$). We proceed iteratively. First, rewrite $A$ as

$$A = a[x_2, x_3, \dots, x_t]/\langle \Phi_{p^{c_2}}(x_2), \Phi_{p^{c_3}}(x_3), \dots, \Phi_{p^{c_t}}(x_t) \rangle.$$

The isomorphism $\theta : a[x_2]/\Phi_{p^{c_2}}(x_2) \to a^{\varphi(p^{c_2})}$ introduced in the previous paragraph extends coordinate-wise to an isomorphism

$$\Theta_1 : A \to \left(a[x_3, \dots, x_t]/\langle \Phi_{p^{c_3}}(x_3), \dots, \Phi_{p^{c_t}}(x_t) \rangle\right)^{\varphi(p^{c_2})};$$

$\Theta_1$ and its inverse can be evaluated in quasi-linear time $\tilde{O}(\dim(A))$. We now work in all copies of $a[x_3, \dots, x_t]/\langle \Phi_{p^{c_3}}(x_3), \dots, \Phi_{p^{c_t}}(x_t) \rangle$ independently, and apply the procedure above to each of them. Altogether we have t − t − ◦ · · · ◦ Θ : $A \to a^{\varphi(p^{c_2}) \cdots \varphi(p^{c_t})}$. The exponent can be rewritten as $\dim(A)/\dim(a)$, as claimed. In terms of complexity, all $\Theta_i$'s and their inverses can be computed in quasi-linear time $\tilde{O}(\dim(A))$, and we do t − t is $O(\log(\dim(A)))$. □

Decomposing certain $p$-group algebras. The prime $p$ and indeterminates $\mathbf{x} = (x_1, \dots, x_t)$ are as before; we now consider positive integers $\mathbf{b} = (b_1, \dots, b_t)$, and the $F$-algebra

$$B := F[x_1, \dots, x_t]/\langle x_1^{p^{b_1}} - 1, \dots, x_t^{p^{b_t}} - 1 \rangle = F[x_1]/\langle x_1^{p^{b_1}} - 1 \rangle \otimes \cdots \otimes F[x_t]/\langle x_t^{p^{b_t}} - 1 \rangle.$$

If needed, we will write $B_{p, \mathbf{b}, \mathbf{x}}$ to make the dependency on $p$ and the $b_i$'s clear. This is the $F$-group algebra of $\mathbb{Z}/p^{b_1}\mathbb{Z} \times \cdots \times \mathbb{Z}/p^{b_t}\mathbb{Z}$.

Lemma 4.7. There exists a positive integer $N$, non-negative integers $\mathbf{c} = (c_1, \dots, c_N)$ and an $F$-algebra isomorphism

$$\Lambda : B \to D = F[z]/\langle \Phi_{p^{c_1}}(z) \rangle \times \cdots \times F[z]/\langle \Phi_{p^{c_N}}(z) \rangle.$$

One can apply the isomorphism and its inverse to any input using $\tilde{O}(\dim(B))$ operations in $F$.

Proof. For $i \le t$, we have the factorization

$$x_i^{p^{b_i}} - 1 = \Phi_1(x_i)\Phi_p(x_i)\Phi_{p^2}(x_i) \cdots \Phi_{p^{b_i}}(x_i);$$

note that $\Phi_1(x_i) = x_i - 1$. The factors may not be irreducible, but they are pairwise coprime, so that we have a Chinese Remainder isomorphism

$$\lambda_i : F[x_i]/\langle x_i^{p^{b_i}} - 1 \rangle \to F[x_i]/\langle \Phi_1(x_i) \rangle \times \cdots \times F[x_i]/\langle \Phi_{p^{b_i}}(x_i) \rangle.$$

$O(p^{b_i})$ operations in $F$ (von zur Gathen & Gerhard 2013, Chapter 10). By distributivity of the tensor product over direct products, this gives an $F$-algebra isomorphism

$$\lambda : B \to \prod_{c_1 = 0}^{b_1} \cdots \prod_{c_t = 0}^{b_t} A_{p, \mathbf{c}, \mathbf{x}},$$

with $\mathbf{c} = (c_1, \dots, c_t)$. Together with its inverse, $\lambda$ can be computed in $\tilde{O}(\dim(B))$ operations in $F$.
Composing with the result in Lemma 4.6, this gives us an isomorphism

$$\Lambda : B \to D := \prod_{c_1 = 0}^{b_1} \cdots \prod_{c_t = 0}^{b_t} a_c^{D_{\mathbf{c}}},$$

where $a_c = F[z]/\langle \Phi_{p^c}(z) \rangle$, with $c = \max(c_1, \dots, c_t)$ and $D_{\mathbf{c}} = \dim(A_{t, \mathbf{c}, \mathbf{x}})/\dim(a_c)$. As before, $\Lambda$ and its inverse can be computed in quasi-linear time $\tilde{O}(\dim(B))$. □

As for $B$, we will write $D_{p, \mathbf{b}, \mathbf{x}}$ if needed; it is well-defined, up to the order of the factors.

Main result. Let $G$ be an abelian group. We can write the elementary divisor decomposition of $G$ as $G = G_1 \times \cdots \times G_s$, where each $G_i$ is of prime power order $p_i^{a_i}$, for pairwise distinct primes $p_1, \dots, p_s$, so that $n = |G|$ writes $n = p_1^{a_1} \cdots p_s^{a_s}$. Each $G_i$ can itself be written as a product of cyclic groups, $G_i = G_{i,1} \times \cdots \times G_{i,t_i}$, where the factor $G_{i,j}$ is cyclic of order $p_i^{b_{i,j}}$, with $b_{i,1} \le \cdots \le b_{i,t_i}$; this is the invariant factor decomposition of $G_i$, with $b_{i,1} + \cdots + b_{i,t_i} = a_i$.

We henceforth assume that generators $\gamma_{1,1}, \dots, \gamma_{s,t_s}$ of respectively $G_{1,1}, \dots, G_{s,t_s}$ are known, and that elements of $F[G]$ are given on the power basis in $\gamma_{1,1}, \dots, \gamma_{s,t_s}$. Were this not the case, given arbitrary generators $g_1, \dots, g_r$ of $G$, with orders $e_1, \dots, e_r$, a brute-force solution would factor each $e_i$ (factoring $e_i$ takes $o(e_i)$ bit operations on a standard RAM), so as to write $\langle g_i \rangle$ as a product of cyclic groups of prime power orders, from which the required decomposition follows.

Proposition 4.8. Given $\beta \in F[G]$, written on the power basis $\gamma_{1,1}, \dots, \gamma_{s,t_s}$, one can test if $\beta$ is a unit in $F[G]$ using $\tilde{O}(n)$ operations in $F$. If it is the case, given $\eta$ in $F[G]$, one can compute $\beta^{-1}\eta$ in the same asymptotic runtime.
In view of Lemma 2.7, Proposition 3.6 and the claim on the cost of invertibility testing prove the first part of Theorem 1.2; the second part of this proposition will allow us to prove Theorem 1.3 in the next section.

The proof of the proposition occupies the rest of this paragraph. From the factorization $G = G_1 \times \cdots \times G_s$, we deduce that the group algebra $F[G]$ is the tensor product $F[G_1] \otimes \cdots \otimes F[G_s]$. Furthermore, the factorization $G_i = G_{i,1} \times \cdots \times G_{i,t_i}$ implies that $F[G_i]$ is isomorphic, as an $F$-algebra, to

$$F[x_{i,1}, \dots, x_{i,t_i}]/\left\langle x_{i,1}^{p_i^{b_{i,1}}} - 1, \dots, x_{i,t_i}^{p_i^{b_{i,t_i}}} - 1 \right\rangle = B_{p_i, \mathbf{b}_i, \mathbf{x}_i},$$

with $\mathbf{b}_i = (b_{i,1}, \dots, b_{i,t_i})$ and $\mathbf{x}_i = (x_{i,1}, \dots, x_{i,t_i})$. Given $\beta$ on the power basis in $\gamma_{1,1}, \dots, \gamma_{s,t_s}$, we obtain its image $B$ in $B_{p_1, \mathbf{b}_1, \mathbf{x}_1} \otimes \cdots \otimes B_{p_s, \mathbf{b}_s, \mathbf{x}_s}$ simply by renaming $\gamma_{i,j}$ as $x_{i,j}$, for all $i, j$.

For $i \le s$, by Lemma 4.7, there exist integers $c_{i,1}, \dots, c_{i,N_i}$ such that $B_{p_i, \mathbf{b}_i, \mathbf{x}_i}$ is isomorphic to an algebra $D_{p_i, \mathbf{b}_i, z_i}$, with factors $F[z_i]/\langle \Phi_{p_i^{c_{i,j}}}(z_i) \rangle$. By distributivity of the tensor product over direct products, we deduce that $B_{p_1, \mathbf{b}_1, \mathbf{x}_1} \otimes \cdots \otimes B_{p_s, \mathbf{b}_s, \mathbf{x}_s}$ is isomorphic to the product of algebras

$$\prod_{\mathbf{j}} F[z_1, \dots, z_s]/\langle \Phi_{p_1^{c_{1,j_1}}}(z_1), \dots, \Phi_{p_s^{c_{s,j_s}}}(z_s) \rangle, \tag{4.9}$$

for indices $\mathbf{j} = (j_1, \dots, j_s)$, with $j_1 = 1, \dots, N_1$, ..., $j_s = 1, \dots, N_s$; call $\Gamma$ the isomorphism. Given $B$ in $B_{p_1, \mathbf{b}_1, \mathbf{x}_1} \otimes \cdots \otimes B_{p_s, \mathbf{b}_s, \mathbf{x}_s}$, Lemma 4.7 also implies that $B' := \Gamma(B)$ can be computed in softly linear time $\tilde{O}(n)$ (apply the isomorphism corresponding to $x_1$ coordinate-wise with respect to all other variables, then deal with $x_2$, etc). The codomain in (4.9) is the product of all $H_{\mathbf{p}, \mathbf{c}_{\mathbf{j}}, \mathbf{z}}$, with

$$\mathbf{p} = (p_1, \dots, p_s), \quad \mathbf{c} = (c_{1,j_1}, \dots, c_{s,j_s}), \quad \mathbf{z} = (z_1, \dots, z_s).$$

$H_{\mathbf{p}, \mathbf{c}_{\mathbf{j}}, \mathbf{z}}$ to obtain an $F$-algebra isomorphism

$$\Gamma' : \prod_{\mathbf{j}} H_{\mathbf{p}, \mathbf{c}_{\mathbf{j}}, \mathbf{z}} \to \prod_{\mathbf{j}} F[z]/\langle \Phi_{d_{\mathbf{j}}}(z) \rangle,$$

for certain integers $d_{\mathbf{j}}$.
The lemma implies that given $B'$, $B'' := \Gamma'(B')$ can be computed in softly linear time $\tilde{O}(n)$ as well. Invertibility of $\beta \in F[G]$ is equivalent to $B''$ being invertible, that is, to all its components being invertible in the respective factors $F[z]/\langle \Phi_{d_{\mathbf{j}}}(z) \rangle$. Invertibility in such an algebra can be tested in softly linear time by applying the fast extended GCD algorithm (von zur Gathen & Gerhard 2013, Chapter 11), so the first part of the proposition follows.

Given $\eta$ in $F[G]$, we can similarly compute its image $H''$ in $\prod_{\mathbf{j}} F[z]/\langle \Phi_{d_{\mathbf{j}}}(z) \rangle$, with the same asymptotic runtime as for $\beta$. If we suppose $\beta$ (and thus $B''$) invertible, division in each $F[z]/\langle \Phi_{d_{\mathbf{j}}}(z) \rangle$ takes softly linear time in the degree $\varphi(d_{\mathbf{j}})$; as a result, we obtain $B''^{-1}H''$ in time $\tilde{O}(n)$. One can finally invert all isomorphisms we applied, in order to recover $\beta^{-1}\eta$ in $F[G]$; this also takes time $\tilde{O}(n)$. Summing all costs, this establishes the second part of the proposition.

In this subsection, we study the invertibility and division problems for a metacyclic group $G$. A group $G$ is metacyclic if it has a normal cyclic subgroup $H$ such that $G/H$ is cyclic: this is the case $r = 2$ in the definition we gave of polycyclic groups. For instance, any group with a squarefree order is metacyclic (see (Johnson 1976, p. 88) or (Curtis & Reiner 1988, p. 334) for more background).

For such groups, we will use a standard specific notation, rather than the general one introduced in (3.2) for arbitrary polycyclic ones: we will write $(\sigma, \tau)$ instead of $(g_1, g_2)$ and $(m, s)$ instead of $(e_1, e_2)$. Then, a metacyclic group $G$ can be presented as

$$\langle \sigma, \tau : \sigma^m = 1, \ \tau^s = \sigma^t, \ \tau^{-1}\sigma\tau = \sigma^u \rangle, \tag{4.10}$$

for integers $m, t, u, s$, with $u, t \le m$ and $u^s = 1 \bmod t$, $ut = t \bmod m$. For example, the dihedral group

$$D_m = \langle \sigma, \tau : \sigma^m = 1, \ \tau^2 = 1, \ \tau^{-1}\sigma\tau = \sigma^{m-1} \rangle,$$

is metacyclic, with $s = 2$.
Generalized quaternion groups, which can be presented as

Q m = ⟨ σ, τ : σ m = 1 , τ = σ m , τ − στ = σ m − ⟩ ,

are metacyclic, with $s = 2$ as well. Using the notation of (4.10), $n = |G|$ is equal to $ms$, and all elements in a metacyclic group can be presented uniquely as either

$$\{\sigma^i \tau^j, \ 0 \le i \le m - 1, \ 0 \le j \le s - 1\} \tag{4.11}$$

or

$$\{\tau^j \sigma^i, \ 0 \le i \le m - 1, \ 0 \le j \le s - 1\}. \tag{4.12}$$

Accordingly, elements in the group algebra $F[G]$ can be written as either X i 47) for algebraically closed $F$, or, when $F = \mathbb{Q}$, (Vergara & Martínez 2002) for dihedral and quaternion groups. Instead, we will highlight the structure of the multiplication matrices in $F[G]$.

Take $\beta$ in $F[G]$. In eq. (2.3), we introduced the matrix $M_F(\beta)$ of left multiplication by $\beta$ in $F[G]$, where columns and rows were indexed using an arbitrary ordering of the group elements. We will now reorder the rows and columns of $M_F(\beta)$ using the two presentations of $G$ seen in (4.11) and (4.12), in order to highlight its block structure. In what follows, for non-negative integers $a, b, c$, we will write $\beta_{a,b,c}$ for the coefficient of $\tau^a \sigma^b \tau^c$ in the expansion of $\beta$ on the $F$-basis of $F[G]$.

We first rewrite $M_F(\beta)$ by reindexing its columns by

$$\left[ (\sigma^0\tau^0)^{-1} \ \cdots \ (\sigma^{m-1}\tau^0)^{-1} \ \cdots \ (\sigma^0\tau^{s-1})^{-1} \ \cdots \ (\sigma^{m-1}\tau^{s-1})^{-1} \right]$$

and its rows by

$$\left[ \tau^0\sigma^0 \ \cdots \ \tau^0\sigma^{m-1} \ \cdots \ \tau^{s-1}\sigma^0 \ \cdots \ \tau^{s-1}\sigma^{m-1} \right].$$

This matrix displays a $s \times s$ block structure. Each block has itself size $m \times m$; for $1 \le u, v \le s$ and $1 \le a, b \le m$, the entry of index $(a, b)$ in the block of index $(u, v)$ is the coefficient of $\tau^u \sigma^a \sigma^b \tau^v$ in $\beta$, that is, $\beta_{u,a+b,v}$. In other words, all blocks are Hankel matrices.

Using the algorithm of Bostan et al. (2017) (see also (Eberly et al. $M_F(\beta)x = y$ in Las Vegas time $\tilde{O}(s^{\omega - 1} n)$ (or raise an error if there is no solution). In addition, if the right-hand side is zero and $M_F(\beta)$ is not invertible, the algorithm returns a non-zero kernel element.
This last remark allows us to test whether $\beta$ is invertible in Las Vegas time $\tilde{O}(s^{\omega - 1} n)$; if so, given the coefficient vector $y$ of some $\eta$ in $F[G]$, we can compute $\beta^{-1}\eta$ in the same asymptotic runtime.

It is also possible to reorganize the rows and columns of $M_F(\beta)$, using indices

$$\left[ (\tau^0\sigma^0)^{-1} \ \cdots \ (\tau^0\sigma^{m-1})^{-1} \ \cdots \ (\tau^{s-1}\sigma^0)^{-1} \ \cdots \ (\tau^{s-1}\sigma^{m-1})^{-1} \right]$$

for its columns and

$$\left[ \sigma^0\tau^0 \ \cdots \ \sigma^{m-1}\tau^0 \ \cdots \ \sigma^0\tau^{s-1} \ \cdots \ \sigma^{m-1}\tau^{s-1} \right]$$

for its rows. The resulting matrix has an $m \times m$ block structure, where each $s \times s$ block is Hankel. As a result, it allows us to solve the problems above, this time using $\tilde{O}(m^{\omega - 1} n)$ operations in $F$. Since we have either $s \le \sqrt{n}$ or $m \le \sqrt{n}$, this implies the following.

Proposition 4.13. Given $\beta \in F[G]$, one can test if $\beta$ is a unit in $F[G]$ using $\tilde{O}(n^{(\omega + 1)/2})$ operations in $F$. If it is the case, given $\eta$ in $F[G]$, one can compute $\beta^{-1}\eta$ in the same asymptotic runtime.

Combined with Proposition 3.6, the former statement provides the last part of the proof of Theorem 1.2.

5. Basis Conversion

We conclude this paper with algorithms for basis conversion: assuming we know that $\alpha$ is normal, we show how to perform the change-of-basis between the power basis of $K/F$ and the normal basis $G \cdot \alpha$. The techniques used below are inspired by those used by (Kaltofen & Shoup 1998, Section 4) in the case of extensions of finite fields.

Suppose $G = \{g_1, \dots, g_n\}$, $\alpha$ is a normal element of $K/F$ and we are given $u \in K$ as $u = \sum_{i=1}^{n} u_i g_i(\alpha)$. In order to write $u$ in the power basis, we have to compute the matrix-vector product

$$\begin{bmatrix} \gamma_1 & \cdots & \gamma_n \end{bmatrix} \cdot \begin{bmatrix} u_1 \\ \vdots \\ u_n \end{bmatrix}, \tag{5.1}$$

where for $i = 1, \dots, n$, $\gamma_i \in F^{n \times 1}$ is the coefficient vector of $g_i(\alpha)$. As already pointed out by Kaltofen and Shoup for finite fields, this shows that conversion from normal to power basis is the transpose problem of computing the "projected" orbit sum $s_{\alpha,\ell}$, which we solved in Section 3.

The transposition principle then allows us to derive runtime estimates for the conversion problem; below, we present an explicit procedure derived from the algorithm in Subsection 3.2. As in that section, we give the algorithm in the general case of a polycyclic group $G$ presented as

$$G = \{g_r^{i_r} \cdots g_1^{i_1}, \ \text{with } 0 \le i_j < e_j \text{ for } 1 \le j \le r\}.$$

With indices $i_1, \dots, i_r$ as above, we are given a family of coefficients $u_{i_1, \dots, i_r}$ in $F$, and we expand the sum $u = \sum_{i_1, \dots, i_r} u_{i_1, \dots, i_r} \, g_r^{i_r} \cdots g_1^{i_1}(\alpha)$ on the power basis of $K/F$. For this, we let $z \in \{1, \dots, r\}$ be the index defined in Subsection 3.2.

Step 1. Apply Lemma 3.3, with $\alpha_{i_1, \dots, i_r} = \alpha$ for all $i_1, \dots, i_r$, to get

$$G_{i_z, \dots, i_1} = g_z^{i_z} \cdots g_1^{i_1}(\alpha),$$

for all indices $i_1, \dots, i_z$ such that $0 \le i_m < e_m$ holds for $m = 1, \dots, z - 1$ and $0 \le i_z < s_z = \lceil \sqrt{n}/(e_1 \cdots e_{z-1}) \rceil$. As in Subsection 3.2, the cost of this step is $\tilde{O}(n^{(3/4) \cdot \omega(4/3)})$.

Step 2. Compute $G_z = g_z^{s_z}$, for $s_z$ as above. The cost is negligible compared to the cost of the previous step.

Step 3. Compute the matrix product $U\Gamma$, where

• $U$ is the matrix over $F$ having $\lceil e_z/s_z \rceil e_{z+1} \cdots e_r$ rows and $e_1 \cdots e_{z-1} s_z$ columns built as follows. Rows are indexed by $(j_z, \dots, j_r)$, with $0 \le j_z < \lceil e_z/s_z \rceil$ and $0 \le j_m < e_m$ for all other indices; columns are indexed by $(i_1, \dots, i_z)$, with $0 \le i_z < s_z$ and $0 \le i_m < e_m$ for all other indices; the entry at row $(j_z, \dots, j_r)$ and column $(i_1, \dots, i_z)$ is $u_{i_1, \dots, i_z + s_z j_z, j_{z+1}, \dots, j_r}$.

• $\Gamma$ is the matrix with $e_1 \cdots e_{z-1} s_z$ rows (indexed in the same way as the columns of $U$) and $n$ columns, whose row of index $(i_1, \dots, i_z)$ contains the coefficients of $G_{i_z, \dots, i_1}$ (on the power basis of $K$).

As established in Subsection 3.2, the row and column dimensions of $U$ are $O(\sqrt{n})$, so this product can be computed in $O(n^{(1/2) \cdot \omega(2)})$ operations in $F$. The rows of the resulting matrix give the coefficients of

$$H_{j_{z+1}, \dots, j_r} = \sum_{i_1, \dots, i_z} u_{i_1, \dots, i_z + s_z j_z, \dots, j_r} \, g_z^{i_z} \cdots g_1^{i_1}(\alpha),$$

for all indices $(j_z, \dots, j_r)$ and $(i_1, \dots, i_z)$ as above.

Step 4. Compute and add all

$$g_r^{j_r} \cdots g_{z+1}^{j_{z+1}} G_z^{j_z}(H_{j_{z+1}, \dots, j_r}),$$

for indices $(j_z, \dots, j_r)$ as above; their sum is precisely the input element $u = \sum_{i_1, \dots, i_r} u_{i_1, \dots, i_r} \, g_r^{i_r} \cdots g_1^{i_1}(\alpha)$, written on the power basis. This is done by a second call to Lemma 3.3, for the same asymptotic cost as in Step 1.

Summing all costs, we arrive at an overall runtime of $\tilde{O}(n^{(3/4) \cdot \omega(4/3)})$ operations in $F$ for the conversion from normal to power basis. This proves the first half of Theorem 1.3.

Now assume $u \in K$ is given in the power basis. Still writing the elements of $G$ as $g_1, \dots, g_n$, the goal is to find coefficients $c_i$'s in $F$ such that

$$\sum_{i=1}^{n} c_i g_i(\alpha) = u.$$

Starting from this equality, for any element $g_j$ of $G$, we have

$$\sum_{i=1}^{n} c_i g_j g_i(\alpha) = g_j(u).$$

Then, if $\ell$ is a random $F$-linear projection $K \to F$, we get

$$\sum_{i=1}^{n} c_i \ell(g_j g_i(\alpha)) = \ell(g_j(u)), \quad 1 \le j \le n.$$

Introducing

$$u' = \sum_{i=1}^{n} c_i g_i^{-1} \in F[G]$$

and writing as before

$$s_{\alpha,\ell} = \sum_{j=1}^{n} \ell(g_j(\alpha)) g_j \quad \text{and} \quad s_{u,\ell} = \sum_{j=1}^{n} \ell(g_j(u)) g_j \quad \text{in } F[G],$$

the $n$ equations above are equivalent to the equality $s_{\alpha,\ell} \, u' = s_{u,\ell}$ in $F[G]$.

We use the algorithm of Section 3 to compute both $s_{\alpha,\ell}$ and $s_{u,\ell}$; this takes $\tilde{O}(n^{(3/4) \cdot \omega(4/3)})$ operations in $F$, for $G$ polycyclic. If $\alpha$ is normal, $s_{\alpha,\ell}$ is a unit for a generic $\ell$.
Then, if we further assume that $G$ is either abelian or metacyclic, it suffices to apply the division algorithms given in the previous section to recover $u'$, and thus all coefficients $c_1, \dots, c_n$. In both cases, the runtime of the division is negligible compared to the cost $\tilde{O}(n^{(3/4) \cdot \omega(4/3)})$ of the first step. Altogether, this finishes the proof of Theorem 1.3.

References

D. Augot & P. Camion (1994). A deterministic algorithm for computing a normal basis in a finite field. In Proc. EUROCODE'94, P. Charpin, editor.

E. Bach & J. Shallit (1996). Algorithmic Number Theory, Volume 1: Efficient Algorithms. MIT Press, Cambridge, MA.

A. Bostan, P. Flajolet, B. Salvy & É. Schost (2006). Fast computation of special resultants. J. Symbolic Comput. (1), 1–29.

A. Bostan, C.-P. Jeannerod, C. Mouilleron & É. Schost (2017). On Matrices With Displacement Structure: Generalized Operators and Faster Algorithms. SIAM Journal on Matrix Analysis and Applications (3), 733–775.

R. P. Brent & H. T. Kung (1978). Fast algorithms for manipulating formal power series. Journal of the Association for Computing Machinery (4), 581–595.

J. Canny, E. Kaltofen & Y. Lakshman (1989). Solving systems of non-linear polynomial equations faster. In ISSAC'89, 121–128. ACM.

M. Clausen & M. Müller (2004). Generating fast Fourier transforms of solvable groups. J. Symbolic Comput. (2), 137–156. ISSN 0747-7171.

C. Curtis & I. Reiner (1988). Representation theory of finite groups and associative algebras. Wiley Classics Library. John Wiley & Sons, Inc., New York, New York. ISBN 0-471-60845-9, xiv+689.

X. Dahan, M. Moreno Maza, É. Schost & Y. Xie (2006). On the complexity of the D5 principle. In Proc. of Transgressive Computing 2006. Granada, Spain.

W. Eberly, M. Giesbrecht, P. Giorgi, A. Storjohann & G. Villard (2007). Faster Inversion and Other Black Box Matrix Computations Using Efficient Block Projections. In ISSAC '07, 143–150. ACM.

S. Gao, J. von zur Gathen, D. Panario & V. Shoup (2000). Algorithms for exponentiation in finite fields. Journal of Symbolic Computation (6), 879–889.

J. von zur Gathen & J. Gerhard (2013). Modern Computer Algebra (third edition). Cambridge University Press, Cambridge, U.K. ISBN 9781107039032.

J. von zur Gathen & M. Giesbrecht (1990). Constructing normal bases in finite fields. J. Symbolic Comput. (6), 547–570. ISSN 0747-7171.

J. von zur Gathen & V. Shoup (1992). Computing Frobenius maps and factoring polynomials. Computational Complexity (3), 187–224.

M. Giesbrecht, A. Jamshidpey & É. Schost (2019). Quadratic-Time Algorithms for Normal Elements. In ISSAC '19, 179–186. ACM. URL http://doi.acm.org/10.1145/3326229.3326260.

K. Girstmair (1999). An algorithm for the construction of a normal basis. J. Number Theory (1), 36–45. ISSN 0022-314X.

D. Holt, B. Eick & E. O'Brien (2005). Handbook of computational group theory. Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL. ISBN 1-58488-372-3.

A. Jamshidpey, N. Lemire & É. Schost (2018). Algebraic construction of quasi-split algebraic tori. ArXiv: .

D. L. Johnson (1976). Presentations of Groups. Cambridge University Press, Cambridge-New York-Melbourne, v+204. London Mathematical Society Lecture Notes Series, No. 22.

E. Kaltofen & V. Shoup (1998). Subquadratic-time factoring of polynomials over finite fields. Math. Comp. (223), 1179–1197. ISSN 0025-5718.

M. Kaminski, D.G. Kirkpatrick & N.H. Bshouty (1988). Addition requirements for matrix and transposed matrix products. J. Algorithms (3), 354–364.

K. Kedlaya & C. Umans (2011). Fast polynomial factorization and modular composition. SICOMP (6), 1767–1802.

S. Lang (2002). Algebra, volume 211 of Graduate Texts in Mathematics. Springer-Verlag, New York, 3rd edition.

F. Le Gall (2014). Powers of tensors and fast matrix multiplication. In ISSAC'14, 296–303. ACM, Kobe, Japan.

F. Le Gall & F. Urrutia (2018). Improved rectangular matrix multiplication using powers of the Coppersmith-Winograd tensor. In SODA'18, 1029–1046. SIAM, New Orleans, USA.

H. W. Lenstra, Jr. (1991). Finding isomorphisms between finite fields. Math. Comp. (193), 329–347. ISSN 0025-5718.

X. Li, M. Moreno Maza & É. Schost (2009). Fast arithmetic for triangular sets: from theory to practice. J. Symb. Comp. (7), 891–907.

G. Lotti & F. Romani (1983). On the asymptotic complexity of rectangular matrix multiplication. Theoretical Computer Science (2), 171–185.

D. Maslen, D. N. Rockmore & S. Wolff (2018). The efficient computation of Fourier transforms on semisimple algebras. J. Fourier Anal. Appl. (5), 1377–1400. ISSN 1069-5869.

A. Poli (1994). A deterministic construction for normal bases of abelian extensions. Comm. Algebra (12), 4751–4757. ISSN 0092-7872.

H. Schlickewei & S. Stepanov (1993). Algorithms to construct normal bases of cyclic number fields. J. Number Theory (1), 30–40. ISSN 0022-314X.

A. Schönhage & V. Strassen (1971). Schnelle Multiplikation großer Zahlen. Computing, 281–292.

V. Shoup (1995). A new polynomial factorization algorithm and its implementation. J. Symbolic Comput. (4), 363–397. ISSN 0747-7171.

C. Giraldo Vergara & F. Brochero Martínez (2002). Wedderburn decomposition of some special rational group algebras. Lect. Mat. (2), 99–106. ISSN 0120-1980.

Mark Giesbrecht
Cheriton School of Computer Science
University of Waterloo
Waterloo, ON, Canada N2L 3G1
[email protected]
https://cs.uwaterloo.ca/~mwg/

Armin Jamshidpey
Cheriton School of Computer Science
University of Waterloo
Waterloo, ON, Canada N2L 3G1
[email protected]
https://cs.uwaterloo.ca/~a5jamshi/

Éric Schost
Cheriton School of Computer Science
University of Waterloo
Waterloo, ON, Canada N2L 3G1
[email protected]
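The power-to-normal-basis conversion of Section 5 (solve $s_{\alpha,\ell} \, u' = s_{u,\ell}$ in $F[G]$, then read the $c_i$ off $u'$), as an added example that is not the authors' code. It assumes a constructed toy extension $\mathbb{F}_7[t]/(t^3 - 2)$ over $\mathbb{F}_7$ with cyclic Galois group generated by Frobenius, computes the orbit sums directly, and replaces the fast division of Section 4 by plain Gaussian elimination on the circulant multiplication matrix, so it shows the algebra and not the subquadratic cost; all function names are hypothetical.

```python
import random

# Constructed toy case (assumption, not from the paper):
# K = F_7[t]/(t^3 - 2) over F = F_7; Gal(K/F) is cyclic, generated by Frobenius g.
P, N = 7, 3
RED = [2, 0, 0]          # t^N = RED[0] + RED[1] t + ..., here t^3 = 2

def mul(a, b):
    """Product in K; elements are length-N coefficient lists (power basis)."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % P
    for d in range(2 * N - 2, N - 1, -1):      # fold t^d (d >= N) back down
        c, prod[d] = prod[d], 0
        for k in range(N):
            prod[d - N + k] = (prod[d - N + k] + c * RED[k]) % P
    return prod[:N]

def frobenius(a):
    """g(a) = a^P, the generator of the Galois group."""
    result, base, e = [1] + [0] * (N - 1), a, P
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result

def orbit(a):
    """[a, g(a), ..., g^(N-1)(a)]."""
    out = [a]
    for _ in range(N - 1):
        out.append(frobenius(out[-1]))
    return out

def orbit_sum(a, ell):
    """Coefficients of s_{a,ell} = sum_j ell(g^j(a)) g^j in F[G] = F[x]/(x^N - 1)."""
    return [sum(l * c for l, c in zip(ell, g)) % P for g in orbit(a)]

def divide_in_group_algebra(s, rhs):
    """Solve s * w = rhs in F[x]/(x^N - 1); None if s is not a unit.
    Naive Gaussian elimination stands in for the fast division of Section 4."""
    rows = [[s[(j - k) % N] for k in range(N)] + [rhs[j]] for j in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], P - 2, P)
        rows[col] = [v * inv % P for v in rows[col]]
        for r in range(N):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(v - f * w) % P for v, w in zip(rows[r], rows[col])]
    return [row[N] for row in rows]

def to_normal_basis(u, alpha, tries=30, seed=1):
    """Coefficients c with u = sum_i c_i g^i(alpha), or None when no sampled
    projection ell makes s_{alpha,ell} a unit (alpha is then almost surely
    not normal)."""
    rng = random.Random(seed)
    for _ in range(tries):
        ell = [rng.randrange(P) for _ in range(N)]      # random F-linear map K -> F
        w = divide_in_group_algebra(orbit_sum(alpha, ell), orbit_sum(u, ell))
        if w is not None:
            return [w[-i % N] for i in range(N)]        # u' = sum_i c_i g^(-i)
    return None

def from_normal_basis(c, alpha):
    """Power-basis coordinates of sum_i c_i g^i(alpha) (naive, for checking)."""
    out = [0] * N
    for ci, g in zip(c, orbit(alpha)):
        out = [(o + ci * gk) % P for o, gk in zip(out, g)]
    return out
```

Here $\alpha = 1 + t + t^2$ (`[1, 1, 1]`) is normal, while $\alpha = t$ is not: its conjugates are all multiples of $t$, so every $s_{\alpha,\ell}$ is a non-unit and `to_normal_basis` returns `None`.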