PreprintPDF Available

Sub-Linear Point Counting for Variable Separated Curves over Prime Power Rings

Authors:
Preprints and early-stage research may not have been peer reviewed yet.

Abstract

Let $k,p\in \mathbb{N}$ with $p$ prime and let $f\in\mathbb{Z}[x_1,x_2]$ be a bivariate polynomial with degree $d$ and all coefficients of absolute value at most $p^k$. Suppose also that $f$ is variable separated, i.e., $f=g_1+g_2$ for $g_i\in\mathbb{Z}[x_i]$. We give the first algorithm, with complexity sub-linear in $p$, to count the number of roots of $f$ over $\mathbb{Z}$ mod $p^k$ for arbitrary $k$: Our Las Vegas randomized algorithm works in time $(dk\log p)^{O(1)}\sqrt{p}$, and admits a quantum version for smooth curves working in time $(d\log p)^{O(1)}k$. Save for some subtleties concerning non-isolated singularities, our techniques generalize to counting roots of polynomials in $\mathbb{Z}[x_1,\ldots,x_n]$ over $\mathbb{Z}$ mod $p^k$. Our techniques are a first step toward efficient point counting for varieties over Galois rings (which is relevant to error correcting codes over higher-dimensional varieties), and also imply new speed-ups for computing Igusa zeta functions of curves. The latter zeta functions are fundamental in arithmetic geometry.
arXiv:2102.01626v1 [math.NT] 2 Feb 2021
SUB-LINEAR POINT COUNTING FOR VARIABLE SEPARATED
CURVES OVER PRIME POWER RINGS
CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
Abstract. Let k, p Nwith pprime and let fZ[x1, x2] be a bivariate polynomial with
degree dand all coeﬃcients of absolute value at most pk. Suppose also that fis variable sep-
arated, i.e., f=g1+g2for giZ[xi]. We give the ﬁrst algorithm, with complexity sub-linear
in p, to count the number of roots of fover Zpkfor arbitrary k: Our Las Vegas random-
ized algorithm works in time (dk log p)O(1) p, and admits a quantum version for smooth
curves working in time (dlog p)O(1) k. Save for some subtleties concerning non-isolated sin-
gularities, our techniques generalize to counting roots of polynomials in Z[x1,...,xn] over
Zpk.
Our techniques are a ﬁrst step toward eﬃcient point counting for varieties over Galois
rings (which is relevant to error correcting codes over higher-dimensional varieties), and also
imply new speed-ups for computing Igusa zeta functions of curves. The latter zeta functions
are fundamental in arithmetic geometry.
Current affiliation and address of authors:
(Robelle):
University of Maryland, Baltimore County
1000 Hilltop Circle
Baltimore, MD 21250
(Rojas & Zhu):
Texas A&M University, Department of Mathematics
TAMU 3368
College Station, TX 77845
emails: carobel1@umbc.edu ,rojas@math.tamu.edu ,zhuyuyu@math.tamu.edu
C.B. was partially supported by NSF grant DMS-1757872.
J.M.R. and Y.Z. were partially supported by NSF grants CCF-1900881 and DMS-1757872.
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 1
1. Introduction
Counting points on algebraic curves over ﬁnite ﬁelds is a seemingly simple problem that
nevertheless helped form the core of arithmetic geometry in the 20th century and now forms
an important part of cryptography [Mil86, Kob87, GG16] and coding theory [vdG01]. Ef-
ﬁcient algorithms for this problem continue to be a lively part of computational number
theory: The barest list of references would have to include [Sch85, Pil90, AH01, Ked01,
CDV06, LW08, Wan08, CL08, Har15].1Here, we consider algorithms for the natural exten-
sion of this problem to prime power rings, and ﬁnd the ﬁrst eﬃcient algorithms for a broad
class of (not necessarily smooth) curves: See Theorem 1.1 below. It will be useful to ﬁrst
discuss some motivation before covering further background.
1.1. A Connection to Error Correcting Codes. Suppose k, p Nwith pprime, Fpis the
ﬁeld with pelements, and rZ[x1] is a univariate polynomial of degree mthat is irreducible
mod p. We call a quotient ring Rof the form Z[x1]pk, r(x1)aGalois ring. Note that such
an Ris ﬁnite, and can be the prime power ring Zpk(for m= 1) or the ﬁeld Fq(for k= 1
and q=pm), to name a few examples.
Since numerous error correcting codes and cryptosystems are based on arithmetic over
Fqor Fq[x1], it has been observed (see, e.g., [GCM91, GSS00, BLQ13, CH15]) that one can
generalize and improve these constructions by using arithmetic over Ror R[x1] instead. For
instance, Guruswami and Sudan’s famous list-decoding method for error correcting codes
[GS99] involves ﬁnding the roots in Fq[x1] of a polynomial in Fq[x1, x2] as a key step, and
has a natural generalization to Galois rings (see, e.g., [HKC+94, Sud97, BW10] and [BLQ13,
Sec. 4]). Furthermore, counting solutions to equations like f(x1,...,xn) =0 over Galois rings
determines the weights of codewords in Reed-Muller codes over Galois rings, and the weight
distribution governs the quality of the underlying code (see, e.g., [KLP12]).
1.2. Connections to Zeta Functions and Rational Points. Eﬃciently counting roots
in Zpk2of polynomials in Z[x1, x2] is a natural ﬁrst step toward eﬃciently enumerating
the roots in R2for polynomials in R[x1, x2] for Ra Galois ring. However, observe that the
ring of p-adic integers Zpis the inverse limit of Zpkas k→ ∞. It then turns out that
the zero sets of polynomials over Zpkinform the zero sets of polynomials over Zpand
beyond.
In particular, for any fZ[x1,...,xn], one can form a fundamentally important generating
function, and a related zeta function, as follows: Let Np,k(f) denote the number of roots in
Zpknof the mod pkreduction of fand deﬁne the Poincare series of fto be Pf(t) =
P
k=0
Np,k(f)
pkn tk. Also, letting t:= ps, we deﬁne the Igusa local zeta function of fto be
Zf(t) := RZp|f(x1,...,xn)|s
pdx, where |·|pand dx respectively denote the standard p-adic
absolute value on Zpand Haar measure on Zp. (This function turns to be deﬁned on the
right open half-plane of C, possibly with the exception of ﬁnitely many poles.) The precise
deﬁnitions of | · |pand dx won’t matter for our algorithmic results, but what does matter is
that Igusa discovered in the 1970s that P(t) = 1tZ(t)
1tand proved that Z(and thus P) is a
rational function of t[Igu07].
1Also, major conferences such as ANTS consistently continue to feature papers on speeding up point-
counting for various special families of curves and surfaces.
2 CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
Igusa deﬁned his zeta function Zwith the goal of generalizing earlier work of Siegel (on
counting representations of integers via quadratic forms) to high degree forms, e.g., how
many ways can one write 239 as a sum of cubes? However, the algorithmic computation of
these zeta functions has received little attention, aside from some very speciﬁc cases. Our
results imply that one can compute Zfor certain bivariate fin time polynomial in dk log p.
This extends earlier work on the univariate case [DMS20, Zhu20] to higher-dimensions and
will be pursued in a sequel to this paper.
It should also be pointed out that recent algorithmic methods for ﬁnding rational points
(over Q) for curves of genus 2 proceed (among many other diﬃcult steps) by ﬁnding the
p-adic rational points on a related family of varieties (see, e.g., [BM20, Sec. 5.3]). So a long
term goal of this work is to improve the complexity of ﬁnding the p-adic rational points on
curves and surfaces, generalizing recent p-adic speed-ups in the univariate case [RZ20].
1.3. From Finite Fields to Prime Power Rings. Returning to point counting over prime
power rings, the computation of Np,k (f) is subtle already for n= 1: This special case has
recently been addressed from diﬀerent perspectives in [BLQ13, CGRW18, KRRZ19, DMS19],
and was just recently proved to admit a deterministic algorithm of complexity (dk log p)O(1),
thanks to the last paper.
The special case (n, k) = (2,1) of computing Np,1(f), just for fa cubic polynomial, is
already of considerable interest in the design of cryptosystems based on the elliptic curve
discrete logarithmic problem. In fact, even this very special case wasn’t known to admit
an algorithm polynomial in log puntil Schoof’s work in the 1980s [Sch85]. More recently,
algorithms for computing Np,1(f) for arbitrary fZ[x1, x2] of degree d, with complexity
d8(log p)2+o(1)p, have been derived by Harvey [Har15] (see also [Zhu20, Ch. 5]), and similar
complexity bounds hold for arbitrary ﬁnite ﬁelds.
Our main result shows that counting points over Zpkfor arbitrary kis slower than the
k=1 case only by a factor polynomial in k(neglecting the other parameters).
Theorem 1.1. Suppose f=g1+g2for some giZ[xi],deg f=d1, and all the coeﬃcients
of fare of absolute value at most pk. Then there is a Las Vegas randomized algorithm that
computes Np,k(f)in time d17+ε(klog p)2+εp1/2+ε. In particular, the number of random bits
needed is O(d2klog(dk) log p), and the space needed is O(d4kplog p). Furthermore, if the
zero set of fover the algebraic closure ¯
Fpis smooth and irreducible, then Np,k (f)can be
computed in quantum randomized time (d(log p))O(1)k.
We prove Theorem 1.1 in Section 4.1. The central idea is to reduce to a moderate number
of moderately sized instances of point counting over Fp. Recall that Las Vegas randomized
time simply means that our algorithm needs random bits and gives an answer that is correct
with probability at least 1/2 and, in case of error, states that an error has occured. Quantum
randomized time here will mean that we avail to a quantum computer, and instead obtain
an algorithm that gives an answer that is correct with probability at least 2/3, but with no
correctness guarantee.
In what follows, we call a polynomial of the form fζ(x1, x2) := 1
psf(ζ1+px1, ζ2+px2), with
(ζ1, ζ2)F2
pa singular point of the zero set of fin F2
pand sas large as possible with fζstill
in Z[x1, x2], a perturbation of f. Our reduction to point counting over Fpwill involve ﬁnding
all isolated singular points of the zero set of f(as well as its perturbations) in F2
p, in order
to categorize the base-pdigits of the coordinates of the roots of fin Zpk2. This yields
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 3
a geometrically deﬁned recurrence for Np,k (f) that is conveniently encoded by a tree. We
detail this construction in Sections 2.2 and 4.1 below.
Remark 1.2. A classical algebraic geometer may propose simply applying resolution of sin-
gularities, applying ﬁnite ﬁeld point counting (with proper corrections at blown-up singular
points), and then an application of Hensel’s Lemma. We use a more direct approach that
allows us to lift singular points individually and much more simply. In particular, it ap-
pears (from [PR11]) that resolution of singularities for a plane curve of degree dover Fp
has complexity O(d5)(neglecting multiples depending on p), while our algorithm (if looked
at more closely) has better dependence on d. More to the point, replacing an input bivariate
polynomial by a higher degree complete intersection (the latter being the output after doing
resolution of singularities) results in a more complicated input when one needs to avail to
prime ﬁeld point counting, thus compounding the complexity even further. Furthermore, in
higher dimensions, resolution of singularities becomes completely impractical [BGMWo11].
Remark 1.3. We can extend Theorem 1.1 to more general curves. The key obstruction is
whether f, or one of its perturbations, fails to be square-free (see the ﬁnal section of the
Appendix). We hope to extend our methods to arbitrary curves in the near future. For now,
we simply point out that many commonly used curves in practice are variable separated, e.g.,
many hyperelliptic curves used in current cryptography are zero sets of polynomials of the
form x2
2g(x1).
2. Background
2.1. Some Basics on Point Counting Over Finite Fields. One of the most fundamental
results on point counting for curves over ﬁnite ﬁelds dates back to work of Hasse and Weil
in the 1940s. In what follows, we use |S|to denote the cardinality of a set S.
Theorem 2.1. [Wei49] Let Fqbe a ﬁnite ﬁeld of order q=pm, and let Cbe an absolutely
irreducible smooth projective curve deﬁned over Fq. Let gdenote the genus of Cand C(Fq)
to be the set of Fq-points of C. Then ||C(Fq)| − q| ≤ 2gq.
The error bound above is optimal, and can be derived by proving a set of technical statements
known as the Weil Conjectures (for curves). The Weil Conjectures (along with corresponding
point counts) were formulated for arbitrary varieties over ﬁnite ﬁelds and, in one of the
crowning achievements of 20th century mathematics, were ultimately proved by Deligne in
1974 [Del74].
Eﬃcient methods for computing Np,1(f) (and the number of points for a curve over any
ﬁnite ﬁeld) began to appear with the work of Schoof [Sch85], via so-called -adic methods.
Let gdenote the genus2of the curve C. Via later work (e.g., [Pil90, AH01]) it was determined
that Np,1(f) can be computed in time (log p)2gO(1) for arbitrary curves. Kedlaya’s algorithm
[Ked01] then lowered this complexity bound to (g4p)1+o(1) for hyperelliptic curves, e.g., curves
with deﬁning polynomials of the form x2
2g(x1). Kedlaya observed later that, on a quantum
computer, one could compute (ﬁnite ﬁeld) zeta functions for non-singular curves in time
(dlog p)O(1) [Ked06]. (The precise deﬁnition of these zeta functions need not concern us
2The precise deﬁnition of the genus need not concern us, so we will simply recall that it is a birational
invariant of C(i.e., it is invariant under rational maps with rational inverse) and is at most (d1)(d2)/2
for Cthe zero set of a degree dbivariate polynomial.
4 CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
here: Suﬃce it to say that the computation of the zeta function of a curve over a ﬁnite ﬁeld
includes the computation of Np,1(f) as a special case.) More recently, Harvey [Har15] gave
an eﬃcient (classical) deterministic algorithm which, although asymptotically slower than
Kedlaya’s quantum algorithm, allows arbitrary input polynomials.
2.2. The Central Recurrence for Bivariate Point Counting. In this section, we gen-
eralize the tools we used for root counting for univariate polynomials in [KRRZ19] to point
counting for curves. It is not hard to see that these tools extend naturally to point counting
for hypersurfaces of arbitrary dimension. The only subtlety is maintaining low computational
complexity and keeping track of the underlying singular locus.
Let x:= (x1, x2) denote the tuple of two variables, and let f(x)Z[x] be a bivariate
polynomial with integer coeﬃcients of total degree d1. Then for any ζ:= (ζ1, ζ2)Z2,
the Taylor expansion of fat ζis f(x) = Pj1,j2
Dj1,j2f(ζ)
j1!j2!(x1ζ1)j1(x2ζ2)j2, where j1, j2are
non-negative integers and Dj1,j2f(x) := j1+j2
∂xj1
1∂xj2
2
f(x).
Let ˜
f(x) := (f(x) mod p) denotes the mod preduction of f. Now let ζ= (0,0) and write
˜
f=gm+gm+1 +···+gnwhere giis a (homogeneous) form in Fp[x] of degree iand gm6= 0.
We then deﬁne mto be the multiplicity of ˜
fat ζ= (0,0). Write m=mζ(˜
f). To extend this
deﬁnition to a point ζ= (a, b)6= (0,0), let Tbe the translation that takes (0,0) to ζ, i.e.
T(x1, x2) = (x1+a, x2+b). Then ˜
fT:= ˜
f(x1+a, x2+b) and we deﬁne mζ(˜
f) := m(0,0)(˜
fT).
Then it is immediate from the deﬁnition that:
Lemma 2.2. If ˜
f=Q˜
fer
rFp[x]is a factorization of ˜
finto irreducible polynomials over
Fpthen mζ(˜
f) = Pmζ(˜
fr).
We say ζis a smooth point of ˜
fif mζ(˜
f) = 1, and call it a singular point otherwise. In
particular, by Lemma 2.2, a point ζis a smooth point of ˜
fif and only if ζbelongs to just
one irreducible component ˜
frof ˜
f, the corresponding exponent er= 1, and ζis a smooth
point of ˜
fr.
Now we are ready to generalize the tools in [KRRZ19] for curves:
Deﬁnition 2.3. Let f(x)Z[x]and ﬁx a prime p. Let ordp:ZN{0}denote the usual
p-adic valuation with ordp(p) =1. We then deﬁne s(f, ε) := minj1,j20nj1+j2+ ordpDj1,j2f(ε)
j1!j2!o
for any ε∈ {0,...,p1}2. Finally, ﬁxing kN, let us inductively deﬁne a set Tp,k(f)of
pairs (fi,ζ, ki,ζ )Z[x]×Nas follows: We set (f0,0, k0,0) := (f, k). Then, for any i1
with (fi1, ki1 )Tp,k (f)and any singular point ζi1(Z/pZ)2of ˜
fi1with si1:=
s(fi1, ζi1)∈ {2,...,ki11}, we deﬁne ζ:= µ+pi1ζi1,ki,ζ := ki1si1and
fi,ζ (x) := h1
psi1fi1(ζi1+px)imod pki,ζ .
Just as in the univariate case, the perturbations fi,ζ of fwill help us keep track of how
the points of fin (Z/pkZ)2cluster, in a p-adic metric sene, about the points of ˜
f. It is
clear that Dj1,j2f(ε)
j1!j2!is always an integer as the coeﬃcient of xj1
1xj2
2in the Taylor expansion of
f(x+ε) about x= (0,0). We will see in the next section how Tp,k(f) is associated with a
natural tree structure. Moreover, Tp,k(f) is always a ﬁnite set by deﬁnition, as only fi,ζ with
i≤ ⌊(k1)/2and ζ(Z/pZ)2are possible.
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 5
Lemma 2.4. Following the notation above, let np(f)denote the number of smooth points of
˜
fin (Z/pZ)2. Then provided k0and ˜
fis not identically zero, we have
Np,k(f) = pk1np(f) +
X
ζ0(Z/pZ)2
s(f,ζ0)k
p2(k1)
+X
ζ0(Z/pZ)2
s(f,ζ0)∈{2,...,k1}
p2(s(f,ζ0)1)Np,ks(f0)(f10).
We will prove Lemma 2.4 in the next section, where it will be clear how Lemma 2.4 applies
recursively. Then we show how Lemma 2.4 leads to our recursive algorithm for computing
Np,k(f).
3. Generalized Hensel Lifting and the Proof of our Main Recurrence
Let us ﬁrst prove the following alternative deﬁnition for multiplicity of a point on the
curve. We will mainly use this deﬁnition for the rest of the discussion.
Lemma 3.1. For any ζF2
p,m:= mζ(˜
f)is the smallest nonnegative integer such that
there exists j1, j20with j1+j2=m, and Dj1,j2f(ζ)6= 0 mod p.
Proof. Fix ζF2
p, and let Tbe the translation that takes (0,0) to ζ. Then for any j1, j20,
Dj1,j2˜
fT(0,0) = Dj1,j2˜
f(ζ). So it suﬃces to prove the statement for the case when ζ= (0,0).
Suppose ˜
f=gm+gm+1 +···+gn, where giis a homogeneous form in Fp[x] of degree i
and gm6= 0. Then ˜
fmust have a nonzero monomial term arxr
1xmr
2, for some integer rm,
and arF×
p. Note that as hmFp[x], we must have r, m r < p as well. Then for any
j1, j20, we have Dj1,j2arxr
1xmr
2=arr
rj1 mr
mrj2xrj1
1xmrj2
2. It is obvious that for
any pair of nonnegative integers j1, j2with j1+j2< m, either rj1>0 or mrj2>0.
Moreover, any other nonzero monomial term atxt1
1xt2
2of ˜
fmust have t1+t2mand t1r
or t2mr. Hence t1j1>0 or t2j2>0. So for such a pair of j1, j2, we must have
Dj1,j2˜
f(0,0) = 0 mod p. Now take j1=rand j2=mr, then
Dj1,j2˜
f(0,0) = arr
rj1 mr
mrj26= 0 mod p.
Conversely, if mis the smallest nonnegative integer such that there exists j1, j20 with
j1+j2=mand Dj1,j2f(0,0) 6= 0 mod p, then there exists ajxj1
1xj2
2a nonzero monomial
term of ˜
fof smallest total degree. So m=m(0,0)(˜
f).
The classical Hensel’s Lemma (see, e.g., [NZM91, Thm. 2.3, Pg. 87]) says that any non-
degenerate root of a univariate polynomial in Z/pZlifts uniquely into any larger prime power
ring Z/pkZ. One expects similar nice behavior from a smooth point on a curve over Z/pZ.
We prove the following analogue of Hensel’s Lemma for curves in the Appendix:
Lemma 3.2. Let f(x)Z[x]. If f(σ)0 mod pjfor j1, and ζ(0) σmod pis
a smooth point on ˜
f, then there are exactly pmany t(Z/pZ)2such that f(σ+pjt)0
mod pj+1.
For k > j 1 and any σ(j)(Z/pjZ)2such that f(σ(j))0 mod pj, we call σ(k)
(Z/pkZ)2alift of σ(j), if f(σ(k))0 mod pkand σ(k)σ(j)mod pj. Then by applying
Lemma 3.2 inductively, we obtain:
6 CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
Proposition 3.3. Let f(x)Z[x], and k > j 1. If f(σ(j))0 mod pj, and (σ(j)
mod p)is a smooth point of ˜
f, then σ(j)lifts to exactly pkjmany roots of (fmod pk).
Lemma 3.4. Following the notation above, suppose instead ζ(0) (Z/pZ)2is a point on ˜
f
of (ﬁnite) multiplicity m2. Suppose also that k2and that there is a σ(k)(Z/pkZ)2
with σ(k)ζ(0) mod pand f(σ(k)) = 0 mod pk. Then s(f, ζ(0))∈ {2,...,m}.
Proof. As ζ(0) is a singular point on ˜
f, then ∂f
∂xi(ζ(0)) = 0 mod pfor every i= 1,...,n.
Then for σ(k)=ζ(0) +(Z/pkZ)2with τ:= (τ1, τ2)(Z/pk1Z)2,
f(σ(k)) = f(ζ(0)) + pf
∂x1
(ζ(0))τ1+f
∂x2
(ζ(0))τ2+X
i1+i22
pi1+i2Di1+i2f(ζ(0))τi1
1τi2
2
(1)
to have solutions mod pk, we need f(ζ(0))0 mod p2, as the second and the third summand
in equation (1) has p-adic order at least 2.
As ζ(0) is a singular point of multiplicity mon ˜
f, there exists an m-th Hasse derivative:
Dj1,j2f(ζ(0))6= 0 mod pwith j1+j2=m. So s(f, ζ(0))ordppj1+j2Dj1,j2f(ζ(0))=m.
We can now relate Np,k (f) to the recursive structure on Tp,k(f).
Proof of Lemma 2.4: The lifting of smooth points of ˜
ffollows from Proposition 3.3.
Now assume that ζ0(Z/pZ)2is a singular point of ˜
f. Write ζ:= ζ0+for σ:=
ζ1+2+···+pk2ζk1(Z/pkZ)2, and let s:= s(f, ζ0). Note that by Lemma 3.4, s2.
Then by deﬁnition, f(ζ) = psf10(σ), for f10Z[x] and f10does not vanish identically
mod p.
If sk, then f(ζ) = 0 mod pkregardless of choice of σ. So there are exactly p2(k1)
values of ζ(Z/pkZ)2such that ζζ0mod pand f(ζ) = 0 mod pk.
If sk1 then ζis a root of fif and only if f10(σ)0 mod pks. But then
σ=ζ1+2+...+pks1ζksmod pks, i.e., the rest of the base pdigits ζks+1,...,ζk1
do not appear in the preceding mod pkscongruence. So the number of possible lifts ζof
ζ0is exactly p2(s1) times the number of roots (ζ1+2+...+pks1ζks)(Z/pksZ)2of
f10. This accounts for the third summand in our formula.
Remark 3.5. The algebraic preliminaries we concluded in this section and Deﬁnition 2.3
can be extended transparently for point counting for hypersurfaces of arbitrary dimensions.
4. Bounding Sums of Multiplicities on Curves with at Worst Isolated
Singularities
Suppose FFp[x] is a nonconstant polynomial of total degree D. Then Ffactors into a
product of irreducible components F=Ql
i=1 Fei
iFp[x] where each FiFp[x] is irreducible,
and ei1. We say Fis squarefree if ei= 1 for every i. Suppose G=Qm
j=1 Gci
jFp[x] with
GiFp[x] irreducible and ci1. We say Fand Ghave no common component, if Fi6=Gj
for every pair of i, j.
Lemma 4.1. (Corollary of ezout’s Theorem) Let F, G Fp[x]be two curves with no
common components, then Pζmζ(F)mζ(G)deg(F) deg(G).
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 7
Now let F=Ql
i=1 FiFp[x] be the square-free part of F. We say a singular point ζon
Fis an isolated singular point if ζis also singular on F, and call it a non-isolated singular
point if otherwise.
Lemma 4.2. Let FFp[x]be a curve with degree d, and let Fdenote the square-free part
of F. Then
X
ζ
mζ(F) (mζ(F)1) d(d1)
In particular, Fhas at most d
2many isolated singular points.
Proof. As Fis squarefree, then Fand D1,0F(x) have no common component. It is also easy
to deduct from Lemma 3.1 that for any ζF2
p,mζ(D1,0F)mζ(F)1. The conclusion
thus follows by applying Lemma 4.1, and that mζ(F)2 for any isolated singular points
of F.
Suppose F=Ql
i=1 Fei
iFp[x] is a nonconstant polynomial. For each i, let di:= deg(Fi)
and let d:= Pdei
ibe the total degree of F. Let I⊆ {1,...,l}be an nonempty subset of
indices, and let SIdenote the set of points in the intersection TiIFi, and let TI={ζSI:
ζis smooth on Fifor all iI}.
We then prove the following more generalized statement of Lemma 4.2 in the Appendix:
Lemma 4.3. Using the notation above we have:
(2) X
ζSI
I6=
mζ(F)(mζ(F)X
iI
ei) + X
ζTI
|I|≥2
mζ(F)d(d1).
Observe that if ζSIand ζis an isolated singular points on F, then either ζTI
or mζ(F)>PiIµζ(Fi), and mζ(F) = PiIµ(Fi) if it is non-isolated. So only the part
corresponding to the isolated singular points contribute to the sum on the left hand side of
Equation 2. So we obtain the following:
Theorem 4.4. Let f(x)Z[x]be a nonconstant polynomial of degree d. Fix a prime pand
suppose that ˜
fdoes not vanish identically over Z/pZ. Then P
ζisolated
singular on ˜
f
deg ˜
f1d(d1).
Proof. This is immediate by observing that deg ˜
f1s(f, ζ )mζ(˜
f).
However, bounding the degree of the perturbations ˜
f1corresponding to non-isolated
singular points of ˜
fcan be hard. This is evident in the discussion in the ﬁnal section of the
Appendix: lifting non-isolated singular points for certain families of curves requires extra
care.
4.1. Algorithms and Complexity Analysis: Proof of Theorem 1.1. For this section,
let us consider bivariate polynomials f(x)Z[x] of the form f(x) = g(x1) + h(x2). One
broad family of examples of such bivariate polynomials is the family of superelliptic curves:
f(x) = xd
2g(x1).
Lemma 4.5. Let F(x1, x2) = g(x1) + h(x2)Fp[x]such that g, h are nonconstant polyno-
mials. Then Fis squarefree.
8 CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
Proof. Suppose Fis not squarefree and let F=Ql
i=1 Fei
iFp[x] be the irreducible factor-
ization of F, and ei1. Without loss of generality assume e1>1 and g(x1) = D1,0F6= 0.
Let G=F /F e1
1=Ql
i=2 Fei
i. Diﬀerentiating Fwith respect to x1, we have
g(x1) = e1Fe11
1D1,0F·G+Fe1
1·D1,0G
=Fe11
1e1D1,0F·G+F1·D1,0G.
So F1(x1, x2) must divide g(x1), implying that h(x2) is a constant, a contradiction.
We now have enough ingredients to state our main algorithm:
Algorithm 4.6 (PrimePowerPointCounting(f, p, k)).
Input. (f, p, k)Z[x]×N×Nwith pprime and f(x) = g(x1) + h(x2).
Output. An integer MNp,k(f) that, with probability at least 2
3, is exactly Np,k(f).
Description.
1: Let v:= s(f) and f0,0:=f.
2: If vk
3: Let M:=p2k.Return.
4: If v{1,...,k1}
5: Let M:=p2vPrimePowerPointCountingf0,0(x)
pv, p, k v.Return.
6: End(If).
7: If s(g) = s(h) = 0
8: Let M:= pk1np(f).
9: For ζ(0) (Z/pZ)2a singular point of ˜
f0,0do2
10: Let s:=s(f0,0, ζ (0)).
11: If sk
12: Let M:=M+p2(k1).
13: Elseif s∈ {2,...,k1}
14: Let M:=M+p2(s1)PrimePowerPointCountingf1(0) , p, k s.
15: End(If).
16: End(For).
17: Elseif s(g)0 or s(h)0 accordingly
18: Let M:= pknp(g) or pknp(h).
19: For ζ(0) (Z/pZ)2a set of singular points of ˜
f0,0from a degenerate root of ˜gor ˜
hdo
20: Let s:=s(f0,0, ζ (0)).
21: If sk
22: Let M:=M+p2k1.
22: Elseif s∈ {2,...,k1}
23: Let M:=M+p2s1PrimePowerPointCountingf1(0) , p, k s.
24: End(If).
25: End(For).
26: End(If).
27: Return.
There are some remaining details to clarify about our algorithm. First, let s(f) denote
the largest power of pthat divides all the coeﬃcients of f. Then by Deﬁnition 2.3, we see
that any polynomial in Tp,k (f) should also be of the form g(x1) + h(x2) with s(g) = 0 or
s(h) = 0. By Lemma 4.5, we see that when s(g) = s(h) = 0, then ˜
fmod pis squarefree.
Now without loss of generality, suppose 0 = s(g)< s(h) = c, then ˜
f(x) = ˜g(x1) mod p.
Then any singular point on ˜
fshould be of the form (ζ(0)
1, y) for any degenerate root ζ(0)
1of
the univariate polynomial ˜g(x1)Fp[x1] and any choice of y∈ {0,1,...,p1}. So it makes
sense to consider the perturbation of fin the direction of x1only.
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 9
Let ζ(0)
1be any degenerate root of ˜g. Abusing notation, let ζ(0) := {ζ(0)
1}×Fp={(ζ(0)
1, y) :
y∈ {0,1,...,p1}}, the set of singular points of ˜
fwith the ﬁrst coordinate being ζ(0)
1.
Consider f(ζ(0)
1+px1, x2) = g(ζ(0)
1+px1) + h(x2). Let s(f, ζ (0)) := s(f(ζ(0)
1+px1, x2)) =
min(s(g, ζ (0)
1), c), the largest p’s power dividing all the coeﬃcients of the perturbation, and
let f1(0) =1
ps(f,ζ(0) )f(ζ(0)
1+px1, x2).
We prove the following more speciﬁc version of Lemma 2.4 in the Appendix:
Lemma 4.7. Let f(x) = g(x1) + h(x2)with 0 = s(g)< s(h) = c. Let np(g)denote the
number of non-degenerate root of ˜gin Fp, and following the notation above:
Np,k =pknp(g) +
X
ζ(0)(Z/pZ)2
s(f,ζ(0) )k
p2k1
+X
ζ(0)(Z/pZ)2
s(f,ζ(0))k1
p2s(f,ζ(0))1Np,ks(f,ζ (0))(f1 (0) )
By symmetry, a variant of our preceding lemma also holds when 0 = s(h)< s(g) = c.
Similarly, for any degenerate root ζ(0)
2of the univariate polynomial ˜
h(x2)Fp, we denote
ζ(0) := Fp×{ζ(0)
2}to be the set of singular points of ˜
fwith the second coordinate being ζ(0)
2.
Notation 4.8. Suppose ζ(i1) ={ζ(i1)
1}×Fpis the set of singular points on ˜
fi1for some
polynomial in Tp,k(f)and ζ= (ζ1, ζ2), we write
ζ+pi1ζ(i1) ={(x1, x2) : x1=ζ1+pi1ζ(i1)
1, x2∈ {ζ2+pi1·0,...ζ2+pi1·p1}}
as element-wise operations for set. We also use this notation similarly when ζ(i1) =Fp×
{ζ(i1)
2}.
We are now ready to prove the correctness of our main algorithm.
Proof of Correctness of Algorithm 4.6: Assume temporarily that Algorithm 4.6 is
correct when s(f) = 0, i.e. when f0,0is not identically 0 mod p. Since for any integers a
with ak, and any elements x,y(Z/pkZ)2,pax=paymod pkx=ymod pka, Steps
1–6 of our algorithm then dispose of the case where fis identically 0 in (Z/pZ)[x]. So let
us now prove correctness when fis not identically 0 in (Z/pZ)[x].
Recall from the discussion at the very beginning of this section, we see that any polynomial
in Tp,k(f) should be of the form fi,ζ(i1) (x) := gi(x1) + hi(x2) with s(gi) = 0 or s(hi) = 0.
Applying Lemma 2.4 and Lemma 4.7 accordingly, we then see that it is enough to prove that
the value of Mis the value of our formula for Np,k(f) when the two For loops of Algorithm
4.6 runs correctly.
When s(g) = s(h) = 0, Steps 7–16 (once the For loop is completed) then simply add
the second and third summands of our formula in Lemma 2.4 to Mthus ensuring that
M=Np,k(f). On the other hand, when s(g)>0 or s(h)>0, Steps 17–26 (once the For loop
is completed) handles add the second and third summands of our formula in Lemma 4.7 to
Mthus ensuring that M=Np,k(f). So we are done.
In [KRRZ19], we deﬁned a recursive tree structure for root counting for univariate poly-
nomial in Z/pkZ. We deﬁne similarly a recursive tree for f(x) = g(x1) + h(x2) that will
enable our complexity analysis.
10 CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
Deﬁnition 4.9. Let us identify the elements of Tp,k(f)with nodes of a lablled rooted directed
tree Tp,k(f).
(1) We set f0,0:=f,k0,0:= k, and let (f0,0, k0,0)be the label of the root node of Tp,k(f).
(2) There is an edge from node (fi, ki )to node (fi,ζ, ki,ζ )if and only if i=i1
and there is a (set of) singular points ζ(i1) in (Z/pZ)2of ˜
fiwith s(fi , ζ (i1))
ki1and ζ=ζ+pi1ζ(i1) in (Z/piZ)2.
(3) Suppose fi=gi(x1) + hi(x2). The label of a directed edge from node (fi, ki)
to node (fi,ζ, ki,ζ )is p2sfi ,(ζζ)/pi1or p2sfi,(ζζ)/pi1respectively when
s(gi) = s(hi) = 0 or otherwise.
In particular, the labels of the nodes lie in Z[x]×N.
Remark 4.10.
1. Just as the tree structure for the univariate polynomial in [KRRZ19], our trees Tp,k(·)
encode algebraic expressions for our desired root counts Np,k(·). In particular, the children
of a node labelled (fi, ki)yield terms that one sums to get the root count Np,ki(fi), and the
edge labels yield weights multiplying the corresponding terms.
2. One main diﬀerence is that the correspondence between polynomials in Tp,k(f)with the
label in the tree Tp,k(f)is no longer one-to-one. In particular, in the case when fi,ζ (x) =
gi(x1) + hi(x2)with s(gi)>0, its child node polynomial fi+1for ζζ={ζ(i)
1} × Fp,
correspond to a set of singular points of ˜
fi,ζ with the ﬁrst coordinate equaling to a degenerate
root ζ(i)
1of ˜gi.
The following lemma, proved in the Appendix, will be central in our complexity analysis.
Lemma 4.11. Let f(x) = g(x1) + h(x2)Z[x]be a nonconstant polynomial of degree d.
Following the notation of Deﬁnition 4.9, we have that:
(1) The depth of Tp,k(f)is at most k.
(2) The degree of the root node of Tp,k(f)is at most d
2.
(3) The degree of any non-root node of Tp,k(f)labeled (fi,ζ, ki,ζ ), with parent (fi1 , ki1)
and ζ(i1) := (ζµ)/pi1, is at most s(fi1 , ζ (i1) ). In particular,
deg ˜
fi,ζ s(fi1, ζ (i1))ki11k1and
X
(fi,ζ ,ki,ζ )a child
of (fi1,ki1 )
deg ˜
fi,ζ deg ˜
fi,ζ 1deg ˜
fi1deg ˜
fi11
(4) Tp,k(f)has at most d
2nodes at depth i1, and thus a total of no more than
1 + (k1)d
2nodes.
Proof of Theorem 1.1: Since we already proved that Algorithm 4.6, it suﬃces to prove the
stated complexity bound for Algorithm 4.6. The proof consists of three parts: (a) the point
counting algorithm over Fpfrom [Har15], (b) the univariate reduction and the factorization
algorithm, and (c) applying Lemma 4.11 to show that the number of necessary factorization
and point counting, and p-adic valuation calculations is well-bounded.
More speciﬁcally the For loops and the recursive calls of Algorithm 4.6 can be seen as the
process of building the tree Tp,k (f). We begin at the root node by applying the algorithm in
[Har15] to ﬁnd the number of roots of ˜
fin Fp. This computation takes time O(d8p1/2log2+εp)
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 11
and space O(d4p1/2log p) by [Har15]. (Speciﬁcally, one avails to Theorem 3.1, Lemmata 3.2
and 3.4, and Proposition 4.4 from Harvey’s paper.)
To ﬁnd singular points of ˜
f, it suﬃces to ﬁnd the roots of the 2×2 polynomial system F:=
(˜
f(x), D1,0˜
f(x)) over Fp. This is done by ﬁrst transforming the problem to factorization of a
univariate polynomial UFvia univariate reduction over the ﬁnite ﬁeld (see, e.g. [Roj99]). In
particular deg UFd2and roots of UFwill encode information on tuple (x1, x2) as solutions
to the polynomial system F. Computing UFcan be done in time polynomial in the mixed area
of the Newton polygons of F, and takes time ˜
O(d15) and space O(d4) ([Roj99]). Then we use
the fast randomized Kedlaya-Umans factoring algorithm in [KU08] to ﬁnd solutions to UF
in Fp, and thereby the singular points of ˜
f. This takes time (d3log p)1+o(1) + (d2log2p)1+o(1)
and requires O(d2log p) random bits.
In order to continue the recursion, we need to compute p-adic valuations of polynomial
coeﬃcients to determine s(f0,0, ζ (0) ) and the edges emanating from the root node. Expanding
f(ζ(0) +px) mod pktakes time no worse than d2(klog p)1+o(1) via Horner’s method and fast
ﬁnite ring arithmetic (see, e.g., [BS96, vzGG13]). Computing s(f0,0, ζ(0)) thus takes time
d(klog p)1+o(1) by evaluating p-adic valuations using standard tools such as binary methods.
By Assertion (2) of Lemma 4.11, there are no more than d
2many such ζ(0). So the total
work so far is d15+ε(klog p)1+o(1)p1/2+ε. Note that computing the univariate reduction UF
and Np,1(f) via algorithm in [Har15] dominates the computation.
The remaining work can also be well-bounded similarly by Lemma 4.11. In particular, the
sum of the degress if ˜
fi,ζ at level iof the tree Tp,k(f) is no greater than d
2.
Now observe that for i2, the amount of work needed to determine the polynomials at
level ivia computing s(fi1, ζ(i1)) is no greater than d
2d(klog p)1+o(1). As deg ˜
f1dfor
every fi,ζ in the tree Tp,k(f) and there are at most d
2many such polynomials for each i1,
the total amount of work for point counting over Fp, univariate reduction and factorization
for each subsequent level of Tp,k (f) will be d17+ε(klog p)1+o(1)p1/2+εwith O(d2log p) random
bits needed. The expansion of the fi,ζ at level iwill take time no greater than d3(klog p)1+o(1)
to compute. So the total work at each subsequent level is d17+ε(klog p)1+o(1)p1/2+ε.
Therefore the total amount of work for our tree will be d17+ε(klog p)2+εp1/2+ε, and the
number of random bits needed is O(d2klog p).
The argument proving the Las Vegas properties of our algorithm can be done similarly
as in [KRRZ19]. In particular, we run factorization algorithm for suﬃciently many times to
reduce the overall error probability to less than 2/3. Thanks to Lemma 4.11, it is enough to
enforce a success probability of O(1
d2k) for each application of factorization, and to run the
algorithm from [KU08] for O(log(dk)) times for each time we need univariate factorization.
So a total of O(d2klog(dk) log p) many random bits is needed.
Our algorithm proceeds with building the tree structure Tp,k (f), so we only need to keep
track of collections of fi,ζ . A bivariate polynomial of degree dwith integer coeﬃcients all of
absolute value less than pkrequires O(dk log p) bits to store, and there are no more than d
2k
many polynomials in Tp,k(f). Combining with the space needed from algorithm in [Har15],
we only need O(d4kp1/2log p) space.
If ˜
fdeﬁnes a smooth and irreducible curve over the algebraic closure ¯
Fpof Fpthen the
second part of the theorem follows immediately by combining our bivariate version of Hensel’s
Lemma (Lemma 3.2) with Kedlaya’s quantum point counting algorithm from [Ked06].
12 CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
5. Appendix: Remaining Proofs and Finessing Exceptional Curves
5.1. Proof of Lemma 3.2 (Higher-Dimensional Hensel’s Lemma). Consider the Tay-
lor expansion of fat σby pjx,
f(σ+pjx) = f(σ) + pj∂f
∂x1
(σ)x1+∂f
∂x2
(σ)x2+X
i1+i22
pj(i1+i2)Di1,i2f(σ)xi1
1xi2
2
=f(σ) + pj∂f
∂x1
(σ)x1+∂f
∂x2
(σ)x2mod pj+1,
as j(i1+i2)j+ 1 for all i1+i22. Then t:= (t1, t2) is such that (σ+tpj) is a solution
to f0 mod pj+1 if and only if
∂f
∂x1
(σ)t1+∂f
∂x2
(σ)tn=f(σ)
pjmod p.(3)
As (ζ(0) =σmod p) is a smooth point on ˜
f, then there exists an isuch that ∂f
∂xi(σ) =
∂f
∂xi(ζ(0))6= 0 mod p. Then left hand side of (3) does not vanish identically, and thus deﬁne
a nontrivial linear relation in (Z/pZ)2. So ﬁxing ζ, there are exactly pmany t(Z/pZ)2
satisfying (3).
5.2. The Proof of Lemma 4.3. We prove by induction on the number of irreducible
components of F.
When l= 1, F=Fe1
1. By Lemma 2.2, mζ(F) = e1mζ(F1) for every ζF2
p. Then by
Lemma 4.2 and expanding
X
ζon F1
mζ(F)
e1mζ(F)
e11d1(d11),
the conclusion holds.
Now suppose the inequality holds for l1>1, and let F=Ql1
i=1 Fei
iand dbe its degree,
and Flis irreducible and has no common component with F. Then Pζon Flmζ(Fel
l) (mζ(Fel
l)el)
eldl(eld1el), and
X
J⊆{1,...,l1}
X
ζSJ
mζ(F) mζ(F)X
jJ
ej!+X
ζTJ
|J|≥2
mζ(F)
d(d1)
By Lemma 4.1, we must have Pζmζ(F)mζ(Fel
l)ddlel. Summing over all J⊆ {1,...,l
1}, we have
X
J
X
ζSJ
mζ(F)
mζ(F)X
jJ
ej
+X
ζTJ
|J|≥2
mζ(F)
+ 2 X
ζ
mζ(F)mζ(Fel
l) + X
ζon Fl
mζ(Fel
l)mζ(Fel
l)el
d(d1) + 2ddlel+ (dlel)2e2
ldl(d+dlel)2de2
ldld(d1).
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 13
Note that for each J⊆ {1,...,l1}and each ζSJsuch that ζis not a point of Fl,
mζ(F) = mζ(F). If ζSJ∪{l}\TJ∪{l}, then mζ(Fel
l) + mζ(F)> el+PjJej, and
mζ(F)(mζ(F)X
iJ
ei) + 2mζ(Fel
l)mp(F) + mζ(Fel
l)(mζ(Fel
l)el)
= (mζ(F) + mζ(Fel
l))2X
iJ
eimζ(F)elmζ(Fel
l)
mζ(F)(mζ(F)X
iJ∪{l}
ei)
So we can rewrite
A:= X
J⊆{1,...,l1}
X
ζSJ
mζ(F)(mζ(F)X
jJ
ej) + 2 X
ζ6∈TJ∪{l}
mζ(F)mζ(Fel
l)
+X
ζS{l}
mζ(Fel
l)mζ(Fel
l)el
X
J⊆{1,...,l1}
X
ζSJ
mζ(F)(mζ(F)X
jJ
ej) + X
ζSJ∪{l}
mζ(F)(mζ(F)X
jJ∪{l}
ei)
+X
ζS{l}
mζ(F)(mζ(F)el)
=X
I∈{1,...,l}X
ζI
mζ(F)(mζ(F)X
iI
ei).
On the other hand, if ζTJ∪{l}, we must have mζ(Fel
l) + mζ(F) = el+PjJej. Then
summing over all J⊆ {1, . . ., l 1}, and
B:= X
JX
ζTJ
|J|≥2
mζ(F) + 2 X
ζTJ∪{l}
mζ(F)mζ(Fel
l)
=X
J
X
ζTJ
|J|≥2
mζ(F) + 2 X
ζTJ∪{l}
|J|≥2
mζ(F)mζ(Fel
l)
+
l1
X
i=1 X
ζT{i,l}
mζ(F)mζ(Fel
l)
X
J
X
ζTJ
|J|≥2
mζ(F) + X
ζTJ∪{l}
|J|≥2
mζ(F)
+
l1
X
i=1 X
ζT{i,l}
mζ(F) = X
IX
ζTI
|I|≥2
mζ(F).
The last inequality holds because for a, b 1, we must have 2ab a+b.
Combining all of above computations, we have
X
I
X
ζSI
mζ(F)(mζ(F)X
iI
ei) + X
ζTI
|I|≥2
mζ(F)
A+Bd(d1).
The conclusion thus follows.
5.3. The Proof of Lemma 4.11.
Assertion (1): By Deﬁnitions 2.3 and 4.9, each (fi,ζ , ki,ζ ) whose parent node is (fi1, ki1),
must satisﬁes 1 ki1ki,ζ ki11, and 1 ki,ζ k1 for all i1. So considering
14 CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
any root to leaf path in Tp,k (f), it is clear that the depth of Tp,k(f) can be no greater than
1 + (k1) = k.
Assertion (2): If s(g) = s(h) = 0, then by Lemma 4.5, ˜
f(x)Fp[x] is square-free. As
the multiplicity of any singular point is at least 2, by Lemma 4.2, ˜
fhas at most d
2many
singular points. In this case, each edge emanating from the root of Tp,k (f) corresponds to a
unique singular point of ˜
f0,0.
Suppose otherwise, and without loss of generality 0 = s(g)< s(h) = c, then each edge
emanating from the root node correspond to the set {ζ(0)
1}×Fpfor a unique degenerate root
ζ(0)
1of the univariate polynomial ˜g(x1). As ˜ghas at most deg ˜g
2d
2d
2degenerate
roots, we are done.
Assertion (3): Suppose fi1=gi1(x1) + hi1(x2)Z[x] with s(gi1) = s(hi1) = 0.
Then ζ(i1) is a singular point of ˜
fi1, and let
s:= s(fi1, ζ (i1)) = min
0i1+i2ki,ζ1(i1+i2) + ordpDi1,i2fi1(ζ(i1))
So then for each pair of (1, ℓ2) with 1+2s+1, the coeﬃcient of x1
1x2
2in the perturbation
fi1(ζ(i1) +px) must be divisible by ps+1. In other words, the coeﬃcient of x1
1x2
2in fi,ζ (x)
must be divisible by p. So deg ˜
fi,ζ s.
Now by Lemma 3.4, we know that the multiplicity of ζ(i1) on ˜
fi1:mζ(i1) (˜
fi1)
s(fi1, ζ (i1)). Combining with 4.2, we have
X
(fi,ζ ,ki,ζ ) a child
of (fi1,ki1 )
deg ˜
fi,ζ deg ˜
fi,ζ 1X
ζ(i1) sing.
point on ˜
fi1
mζ(i1) (˜
fi1)mζ(i1) (˜
fi1)1
deg ˜
fi1deg ˜
fi11.
Suppose without loss of generality, 0 = s(gi1)< s(hi1) = c. Then by a similar argument
deg ˜
fi,ζ s(fi1, ζ (i1)) = min(sg, ζ (i1)
1), c)sg, ζ (i1)
1). By Lemma 4.11 we have that
P
ζ(i1)
1a deg.
root of ˜gi1
sgi1, ζ(i1)
1)deg ˜gi1, so then P
(fi,ζ ,ki,ζ ) a child
of (fi1,ki1 )
deg ˜
fi,ζ deg ˜gi1. We are done,
simply by observing that for deg ˜
fi,ζ 2 and any collections of ai>2, we must have
Pai(ai1) (Pai) (Pai1).
Assertion (4): This is immediate from Assertions (1) and (3).
5.4. The Proof of Lemma 4.7. Any points over Fpon ˜
f(x) is nonsingular if and only if
D1,0(˜
f) = ˜g(x1)6= 0 mod p, as h(x2) is identically 0 mod p. In other words, any nonsingular
point on ˜
fshould be of the form (ζ(0)
1, y) where ζ(0)
1is a non-degenerate root of ˜g, and any
choice of y∈ {0,1,...,p1}. So the number of non-singular point on ˜
fis: np(f) = p·np(g).
Then the ﬁrst summand in the equation is obvious by plugging into the ﬁrst summand in
Lemma 2.4.
Now suppose ζ0:= ζ(0)
1is a degenerate root of the univariate polynomial ˜g, and ζ(0) =
{ζ0}×Fp. Write σ=ζ0+ , where τ:= ζ1+...+pk2ζk1Z/pk1Zvia base-pexpansion.
Then by deﬁnition f(ζ0+px1, x2) = ps(f,ζ(0) )f1(0) (x1, x2), where f1 (0) Z[x1, x2] does not
vanish identically mod p.
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 15
If ks(f, ζ (0)), then f(σ, y) = 0 mod pkregardless of choice of τZ/pk1Zand
yZ/pkZ. So there are exactly pk1·pk=p2k1many pairs of (σ, y)(Z/pkZ)2such that
σ=ζ0mod pand f(σ, y) = 0 mod pk.
If s(f, ζ (0))k1, then f(σ, y) = 0 mod pkif and only if
(4) f1(0) (τ , y) = 0 mod pks(f,ζ (0)).
Let s:= s(f, ζ (0)), then τ=ζ1+2+...+pks1ζksmod pksand y:= Pk1
i=0 piyi=
y0+... +pks1yks1mod pks. So the rest of the base-pdigits, ζks+1,...,ζk1and
yks,...,yk1respectively does not appear in Equality (4). The possible lifts ζwhere the ﬁrst
coordinate mod pis ζ0is thus exactly ps1·pstimes the number of roots (τ, y)(Z/pksZ)2
of f1(0) .
5.5. Exceptional Curves. Let f(x)Z[x] be a nonconstant polynomial, and let s(f)
denote the largest p-th power dividing all the coeﬃcients of f.
Consider f(x) = gd(x) + pcdh(x)Z[x], with d2 and c1. Moreover, f(x)gd(x)
mod pand fis irreducible mod p.
For kcd,f(x) = gd(x) mod pk. Now suppose ζ(0) is a smooth point on (gmod p).
Then by Hensel’s Lemma (Lemma 3.2), ζ(0) lifts to pk
d1many roots of gmod pk
d.
Suppose σis one of the lift, then σ+for any τ(Z/pkk
dZ)2is a root of (gdmod pk).
So each ζ(0) lifts to pk
d1·p2(kk
d)=p2kk
d1many roots of fmod pk.
Now suppose k > cd, and let ζbe a root of fmod pcd such that ζ(0) ζmod pis a
smooth point on g. Consider the Taylor expansion of fat ζ:
f(ζ+pcdx) = [g(ζ) + T(x)]d+pcdh(ζ+pcdx)
=g(ζ)d+pcdh(ζ)+
d
X
l=1
g(ζ)dlT(x)l+X
i1+i21
Di1,i2h(ζ)pcd(i1+i2+1)xi1
1xi2
2
(5)
where T(x) := g(ζ+pcdx)g(ζ) = Pi1+i21Di1,i2g(ζ)pcd(i1+i2)xi1
1xi2
2. As ζ(0) is a smooth
point on g, either D1,0g(ζ) or D0,1g(ζ) is not zero mod p. Then s(T) = cd, and each term in
the second summand of Equality (5) has valuation (dl) ordpg(ζ) + lcd.
If ζ(0) is also a point on hmod p, then ζcontinues to lift, and by Lemma 4.1, there are
at most d2many such ζ(0) . However, there are cases when h(ζ)6= 0 mod p, yet ζcontinues
to lift to pkfor k > cd.
This could only happen when g(ζ)d+pcd h(ζ)0 mod pcd+1, and in which case ordpg(ζ) =
c. Now the second summand in Equality (5) must have order (d1)c+cd, whereas the third
summand has order 2cd. So now s(f, ζ ) = min ordpg(ζ)d+pcd h(ζ),(d1)c+cd. If
s(f, ζ )<(d1)c+cd then ˜
fcd,ζ =f(ζ+pcdx)
ps(f,ζ)mod pis a nonzero constant, and thus ζdoes
not lift. Suppose otherwise. Then
˜
fcd,ζ =g(ζ)d+pcdh(ζ)
ps(f,ζ)+dg(ζ)d1
p(d1)cD1,0g(ζ)x1+D0,1g(ζ)x2mod p,
which deﬁnes a line! By Hensel’s Lemma, we are done!
So the problem boils down to determining a criterion for when ordpf(ζ)d+pcdh(ζ)
(d1)c+cd and h(ζ)6= 0 mod phappens. Also, we need to compute ordpf(ζ)d+pcdh(ζ)
for every lift ζmod pcd for each non-isolated singular points ζ(0), and there are exactly pcd1
many such ζ.
16 CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU
In summary, computing perturbations for each and every singular point of ˜
fcan be very
expensive going into higher dimensions: the underlying singular locus might not be zero-
dimensional, and thus imply the calclulation of a number of perturbations super-linear in
p.
It turns out for some families of curves, non-isolated singular points partitioned into groups
that each lift uniformly. We will pursue this improvement in future work.
Acknowledgements
We are grateful to Daqing Wan for helpful comments on curves and error correcting codes.
References
[AH01] Leonard M. Adleman and Ming-Deh Huang. Counting points on curves and abelian varieties
over ﬁnite ﬁelds. Journal of Symbolic Computation, 32(3):171 – 189, 2001.
[BGMWo11] Edward Bierstone, Dima Grigoriev, Pierre Milman, and Jaros l aw W l odarczyk. Eﬀective Hi-
ronaka resolution and its complexity. Asian J. Math., 15(2):193–228, 2011.
[BLQ13] Jeremy Berthomieu, Gr`egoire Lecerf, and Guillaume Quintin. Polynomial root ﬁnding over
local rings and application to error correcting codes. Appl. Algebra Eng. Commun. Comput.,
24:413–443, 2013.
[BM20] Jennifer S. Balakrishnan and J.˜
Steﬀen M¨uller. Computational tools for quadratic chabauty.
preprint, Boston University, 2020. draft of lecture notes for 2020 Arizona Winter School on
Nonabelian Chabauty.
[BS96] Eric Bach and Jeﬀ Shallit. Algorithmic Number Theory, Vol. I: Eﬃcient Algorithms. MIT
Press, Cambridge, MA, 1996.
[BW10] Maheshanand Bhaintwal and Siri Krishan Wasan. Generalized Reed-Muller codes over Zq.Des.
Codes Cryptogr., 54(2):149–166, 2010.
[CDV06] Wouter Castryck, Jan Denef, and Frederik Vercauteren. Computing zeta functions of nondegen-
erate curves. Technical report, International Mathematics Research Papers, vol. 2006, article
ID 72017, 2006.
[CGRW18] Qi Cheng, Shuhong Gao, J. Maurice Rojas, and Daqing Wan. Counting roots for polynomials
modulo prime powers. In Proceedings of ANTS XIII (Algorithmic Number Theory Sympo-
sium, July 16–20, 2018, University of Wisconsin, Madison). Mathematical Sciences Publishers
(Berkeley, California), 2018.
[CH15] Henry Cohn and Nadia Heninger. Ideal forms of Coppersmith’s theorem and Guruswami-Sudan
list decoding. Advances in Mathematics of Communications, 9(3):311–339, 2015.
[CL08] Antoine Chambert-Loir. Computer (rapidement) le nombre de solutions d’´equations dans les
corps ﬁnis. eminaire Bourbaki, 2006/2007:39–90, 2008.
[Del74] Pierre Deligne. La conjecture de weil. i. Publications Math´ematiques de l’Institut des Hautes
´
Etudes Scientiﬁques, 43(1):273–307, Dec 1974.
[DMS19] Ashish Dwivedi, Rajat Mittal, and Nitin Saxena. Counting basic-irreducible factors mod pk
in deterministic poly-time and p-adic applications. arXiv e-prints, page arXiv:1902.07785, Feb
2019.
[DMS20] Ashish Dwivedi, Rajat Mittal, and Nitin Saxena. Computing Igusa’s Local Zeta Function of
Univariates in Determinstic Polynomial-Time. In S. K. Galbraith, editor, Proceedings of ANTS
2020 (Algorithmic Number Theory Symposium). Mathematical Sciences Publishers (Berkeley,
California), 2020.
[GCM91] Javier Gomez-Calderon and Gary L. Mullen. Galois rings and algebraic cryptography. Acta
Arith., 59(4):317–328, 1991.
[GG16] Steven D. Galbraith and Pierrick Gaudry. Recent progress on the elliptic curve discrete loga-
rithm problem. Des. Codes Cryptogr., 78(1):51–72, 2016.
[GS99] V. Guruswami and M. Sudan. Improved decoding of reed-solomon and algebraic-geometry
codes. IEEE Transactions on Information Theory, 45(6):1757–1767, Sep. 1999.
SUB-LINEAR POINT COUNTING FOR CURVES OVER PRIME POWER RINGS 17
[GSS00] Venkatesan Guruswami, Amit Sahai, and Madhu Sudan. “Soft-decision” decoding of Chinese
remainder codes. In 41st Annual Symposium on Foundations of Computer Science (Redondo
Beach, CA, 2000), pages 159–168. IEEE Comput. Soc. Press, Los Alamitos, CA, 2000.
[Har15] David Harvey. Computing zeta functions of arithmetic schemes. Proceedings of the London
Mathematical Society, 111(6):1379–1401, 11 2015.
[HKC+94] A. Roger Hammons, Jr., P. Vijay Kumar, A. R. Calderbank, N. J. A. Sloane, and Patrick Sol´e.
The Z4-linearity of Kerdock, Preparata, Goethals, and related codes. IEEE Trans. Inform.
Theory, 40(2):301–319, 1994.
[Igu07] Jun-Ichi Igusa. An Introduction to the Theory of Local Zeta Functions. AMS/IP Studies in
Pure Maths Rep Series. American Mathematical Society, 2007.
[Ked01] Kiran S. Kedlaya. Counting points on hyperelliptic curves using Monsky-Washnitzer cohomol-
ogy. J. Ramanujan Math. Soc., 16(4):323–338, 2001.
[Ked06] Kiran S. Kedlaya. Quantum computation of zeta functions of curves. Comput. Complexity,
15(1):1–19, 2006.
[KLP12] Tali Kaufman, Shachar Lovett, and Ely Porat. Weight distribution and list-decoding size of
Reed-Muller codes. IEEE Trans. Inform. Theory, 58(5):2689–2696, 2012.
[Kob87] Neal Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.
[KRRZ19] Leann Kopp, Natalie Randall, J. Maurice Rojas, and Yuyu Zhu. Randomized Polynomial-Time
Root Counting in Prime Power Rings. Mathematics of Computation, in production, 2019.
[KU08] Kiran Kedlaya and Christopher Umans. Fast polynomial factorization and modular composi-
tion. In P. Bro Miltersen, R. Reischuk, G. Schnitger, and D. van Melkebeek, editors, Com-
putational Complexity of Discrete Problems, number 08381 in Dagstuhl Seminar Proceedings,
Dagstuhl, Germany, 2008. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany.
[LW08] Alan G. B. Lauder and Daqing Wan. Counting points on varieties over ﬁnite ﬁelds of small
characteristic. In Algorithmic number theory: lattices, number ﬁelds, curves and cryptography,
pages 579––612, Cambridge, 2008. Math. Sci. Res. Inst. Publ., 44, Univ. Press.
[Mil86] Victor S. Miller. Use of elliptic curves in cryptography. In Advances in cryptology—CRYPTO
’85 (Santa Barbara, Calif., 1985), volume 218 of Lecture Notes in Comput. Sci., pages 417–426.
Springer, Berlin, 1986.
[NZM91] I. Niven, H.S. Zuckerman, and H.L. Montgomery. An Introduction to the Theory of Numbers.
Wiley, 1991.
[Pil90] J. Pila. Frobenius maps of abelian varieties and ﬁnding roots of unity in ﬁnite ﬁelds. Mathe-
matics of Computation, 55(192):745–763, 1990.
[PR11] Adrien Poteaux and Marc Rybowicz. Complexity bounds for the rational Newton-Puiseux
algorithm over ﬁnite ﬁelds. Appl. Algebra Engrg. Comm. Comput., 22(3):187–217, 2011.
[Roj99] J. Maurice Rojas. Solving degenerate sparse polynomial systems faster. Journal of Symbolic
Computation, 28(1):155 – 186, 1999.
[RZ20] J. Maurice Rojas and Yuyu Zhu. A complexity chasm for solving sparse polynomial equations
over p-adic ﬁelds. arXiv e-prints, page arXiv:2003.00314, 2020.
[Sch85] Ren´e Schoof. Elliptic curves over ﬁnite ﬁelds and the computation of square ro ots mod p.
Mathematics of Computation, 44(170):483–494, 1985.
[Sud97] Madhu Sudan. Decoding of Reed Solomon codes beyond the error-correction bound. J. Com-
plexity, 13(1):180–193, 1997.
[vdG01] Gerard van der Geer. Curves over ﬁnite ﬁelds and codes. In European Congress of Mathematics,
Vol. II (Barcelona, 2000), volume 202 of Progr. Math., pages 225–238. Birkh¨auser, Basel, 2001.
[vzGG13] Joachim von zur Gathen and J¨urgen Gerhard. Modern Computer Algebra. Cambridge Univer-
sity Press, 3rd edition, 2013.
[Wan08] Daqing Wan. Algorithmic theory of zeta functions over ﬁnite ﬁelds. In Algorithmic number
theory: lattices, number ﬁelds, curves and cryptography, pages 551–578. Math. Sci. Res. Inst.
Publ., 44, Univ. Press, Cambridge, 2008.
[Wei49] Andr´e Weil. Numbers of solutions of equations in ﬁnite ﬁelds. Bull. Amer. Math. Soc.,
55(5):497–508, May 1949.
[Zhu20] Yuyu Zhu. Trees, point counting beyond ﬁelds, and root separation. Ph.d. thesis, Texas A&
University, 2020.
ResearchGate has not been able to resolve any citations for this publication.
Article
Full-text available
We survey recent work on the elliptic curve discrete logarithm problem. In particular we review index calculus algorithms using summation polynomials, and claims about their complexity.
Article
The applications of solving systems of polynomial equations are legion: The real case permeates all of non-linear optimization as well as numerous problems in engineering. The p -adic case leads to many classical questions in number theory, and is close to many applications in cryptography, coding theory, and computational number theory. As such, it is important to understand the complexity of solving systems of polynomial equations over local fields. Furthermore, the complexity of solving structured systems --- such as those with a fixed number of monomial terms or invariance with respect to a group action --- arises naturally in many computational geometric applications and is closely related to a deeper understanding of circuit complexity (see, e.g., [8]). Clearly, if we are to fully understand the complexity of solving sparse polynomial systems, then we should at least be able to settle the univariate case, e.g., classify when it is possible to separate and approximate roots in deterministic time polynomial in the input size.
Article
We discuss analogs based on elliptic curves over finite fields of public key cryptosystems which use the multiplicative group of a finite field. These elliptic curve cryptosystems may be more secure, because the analog of the discrete logarithm problem on elliptic curves is likely to be harder than the classical discrete logarithm problem, especially over GF ( 2 n ) {\text {GF}}({2^n}) . We discuss the question of primitive points on an elliptic curve modulo p , and give a theorem on nonsmoothness of the order of the cyclic subgroup generated by a global point.
Article
This paper gives a review of recent developments in this field and discusses some questions.
Article
Computer algebra systems are now ubiquitous in all areas of science and engineering. This highly successful textbook, widely regarded as the 'bible of computer algebra', gives a thorough introduction to the algorithmic basis of the mathematical engine in computer algebra systems. Designed to accompany one- or two-semester courses for advanced undergraduate or graduate students in computer science or mathematics, its comprehensiveness and reliability has also made it an essential reference for professionals in the area. Special features include: detailed study of algorithms including time analysis; implementation reports on several topics; complete proofs of the mathematical underpinnings; and a wide variety of applications (among others, in chemistry, coding theory, cryptography, computational logic, and the design of calendars and musical scales). A great deal of historical information and illustration enlivens the text. In this third edition, errors have been corrected and much of the Fast Euclidean Algorithm chapter has been renovated.
Article
We present new algorithms for computing zeta functions of algebraic varieties over finite fields. In particular, let X be an arithmetic scheme (scheme of finite type over Z), and for a prime p let zeta_{X_p}(s) be the local factor of its zeta function. We present an algorithm that computes zeta_{X_p}(s) for a single prime p in time p^(1/2+o(1)), and another algorithm that computes zeta_{X_p}(s) for all primes p < N in time N (log N)^(3+o(1)). These generalise previous results of the author from hyperelliptic curves to completely arbitrary varieties.
Article
We have given a generalization of Reed–Muller codes over the prime power integer residue ring ${\mathbb{Z}_q}$ . These codes are analogs of generalized Reed–Muller (GRM) codes over finite fields. We mainly focus on primitive GRM codes, which are basically a generalization of Quaternary Reed–Muller (QRM) codes. We have also given a multivariate representation of these codes. Non-primitive GRM codes over ${\mathbb{Z}_q}$ are also briefly discussed. It has been shown that GRM codes over ${\mathbb{Z}_q}$ are free extended cyclic codes. A trace description of these codes is also given. We have obtained formulas for their ranks and also obtained expressions for their minimum Hamming distances.