
arXiv:2102.01626v1 [math.NT] 2 Feb 2021

SUB-LINEAR POINT COUNTING FOR VARIABLE SEPARATED CURVES OVER PRIME POWER RINGS

CALEB ROBELLE, J. MAURICE ROJAS, AND YUYU ZHU

Abstract. Let $k, p \in \mathbb{N}$ with $p$ prime and let $f \in \mathbb{Z}[x_1, x_2]$ be a bivariate polynomial with degree $d$ and all coefficients of absolute value at most $p^k$. Suppose also that $f$ is variable separated, i.e., $f = g_1 + g_2$ for $g_i \in \mathbb{Z}[x_i]$. We give the first algorithm, with complexity sub-linear in $p$, to count the number of roots of $f$ over $\mathbb{Z}_{p^k}$ for arbitrary $k$: Our Las Vegas randomized algorithm works in time $(dk\log p)^{O(1)}\sqrt{p}$, and admits a quantum version for smooth curves working in time $(d\log p)^{O(1)}k$. Save for some subtleties concerning non-isolated singularities, our techniques generalize to counting roots of polynomials in $\mathbb{Z}[x_1,\ldots,x_n]$ over $\mathbb{Z}_{p^k}$.

Our techniques are a first step toward efficient point counting for varieties over Galois rings (which is relevant to error correcting codes over higher-dimensional varieties), and also imply new speed-ups for computing Igusa zeta functions of curves. The latter zeta functions are fundamental in arithmetic geometry.

Current affiliation and address of authors:

(Robelle):

University of Maryland, Baltimore County

1000 Hilltop Circle

Baltimore, MD 21250

(Rojas & Zhu):

Texas A&M University, Department of Mathematics

TAMU 3368

College Station, TX 77845

emails: carobel1@umbc.edu, rojas@math.tamu.edu, zhuyuyu@math.tamu.edu

C.R. was partially supported by NSF grant DMS-1757872.

J.M.R. and Y.Z. were partially supported by NSF grants CCF-1900881 and DMS-1757872.


1. Introduction

Counting points on algebraic curves over finite fields is a seemingly simple problem that nevertheless helped form the core of arithmetic geometry in the 20th century and now forms an important part of cryptography [Mil86, Kob87, GG16] and coding theory [vdG01]. Efficient algorithms for this problem continue to be a lively part of computational number theory: The barest list of references would have to include [Sch85, Pil90, AH01, Ked01, CDV06, LW08, Wan08, CL08, Har15].¹ Here, we consider algorithms for the natural extension of this problem to prime power rings, and find the first efficient algorithms for a broad class of (not necessarily smooth) curves: See Theorem 1.1 below. It will be useful to first discuss some motivation before covering further background.

1.1. A Connection to Error Correcting Codes. Suppose $k, p \in \mathbb{N}$ with $p$ prime, $\mathbb{F}_p$ is the field with $p$ elements, and $r \in \mathbb{Z}[x_1]$ is a univariate polynomial of degree $m$ that is irreducible mod $p$. We call a quotient ring $R$ of the form $\mathbb{Z}[x_1]/\langle p^k, r(x_1)\rangle$ a Galois ring. Note that such an $R$ is finite, and can be the prime power ring $\mathbb{Z}_{p^k}$ (for $m = 1$) or the field $\mathbb{F}_q$ (for $k = 1$ and $q = p^m$), to name a few examples.

Since numerous error correcting codes and cryptosystems are based on arithmetic over $\mathbb{F}_q$ or $\mathbb{F}_q[x_1]$, it has been observed (see, e.g., [GCM91, GSS00, BLQ13, CH15]) that one can generalize and improve these constructions by using arithmetic over $R$ or $R[x_1]$ instead. For instance, Guruswami and Sudan's famous list-decoding method for error correcting codes [GS99] involves finding the roots in $\mathbb{F}_q[x_1]$ of a polynomial in $\mathbb{F}_q[x_1, x_2]$ as a key step, and has a natural generalization to Galois rings (see, e.g., [HKC+94, Sud97, BW10] and [BLQ13, Sec. 4]). Furthermore, counting solutions to equations like $f(x_1,\ldots,x_n) = 0$ over Galois rings determines the weights of codewords in Reed-Muller codes over Galois rings, and the weight distribution governs the quality of the underlying code (see, e.g., [KLP12]).

1.2. Connections to Zeta Functions and Rational Points. Efficiently counting roots in $\mathbb{Z}_{p^k}^2$ of polynomials in $\mathbb{Z}[x_1, x_2]$ is a natural first step toward efficiently enumerating the roots in $R^2$ for polynomials in $R[x_1, x_2]$ for $R$ a Galois ring. However, observe that the ring of $p$-adic integers $\mathbb{Z}_p$ is the inverse limit of $\mathbb{Z}_{p^k}$ as $k \to \infty$. It then turns out that the zero sets of polynomials over $\mathbb{Z}_{p^k}$ inform the zero sets of polynomials over $\mathbb{Z}_p$ and beyond.

In particular, for any $f \in \mathbb{Z}[x_1,\ldots,x_n]$, one can form a fundamentally important generating function, and a related zeta function, as follows: Let $N_{p,k}(f)$ denote the number of roots in $\mathbb{Z}_{p^k}^n$ of the mod $p^k$ reduction of $f$ and define the Poincaré series of $f$ to be
$$P_f(t) = \sum_{k=0}^{\infty} \frac{N_{p,k}(f)}{p^{kn}}\, t^k.$$
Also, letting $t := p^{-s}$, we define the Igusa local zeta function of $f$ to be
$$Z_f(t) := \int_{\mathbb{Z}_p^n} |f(x_1,\ldots,x_n)|_p^{\,s}\, dx,$$
where $|\cdot|_p$ and $dx$ respectively denote the standard $p$-adic absolute value on $\mathbb{Z}_p$ and Haar measure on $\mathbb{Z}_p^n$. (This function turns out to be defined on the right open half-plane of $\mathbb{C}$, possibly with the exception of finitely many poles.) The precise definitions of $|\cdot|_p$ and $dx$ won't matter for our algorithmic results, but what does matter is that Igusa discovered in the 1970s that
$$P(t) = \frac{1 - tZ(t)}{1 - t}$$
and proved that $Z$ (and thus $P$) is a rational function of $t$ [Igu07].

¹ Also, major conferences such as ANTS consistently continue to feature papers on speeding up point-counting for various special families of curves and surfaces.


Igusa defined his zeta function $Z$ with the goal of generalizing earlier work of Siegel (on counting representations of integers via quadratic forms) to high degree forms, e.g., how many ways can one write 239 as a sum of cubes? However, the algorithmic computation of these zeta functions has received little attention, aside from some very specific cases. Our results imply that one can compute $Z$ for certain bivariate $f$ in time polynomial in $dk\log p$. This extends earlier work on the univariate case [DMS20, Zhu20] to higher dimensions and will be pursued in a sequel to this paper.

It should also be pointed out that recent algorithmic methods for finding rational points (over $\mathbb{Q}$) for curves of genus $\ge 2$ proceed (among many other difficult steps) by finding the $p$-adic rational points on a related family of varieties (see, e.g., [BM20, Sec. 5.3]). So a long term goal of this work is to improve the complexity of finding the $p$-adic rational points on curves and surfaces, generalizing recent $p$-adic speed-ups in the univariate case [RZ20].

1.3. From Finite Fields to Prime Power Rings. Returning to point counting over prime power rings, the computation of $N_{p,k}(f)$ is subtle already for $n = 1$: This special case has recently been addressed from different perspectives in [BLQ13, CGRW18, KRRZ19, DMS19], and was just recently proved to admit a deterministic algorithm of complexity $(dk\log p)^{O(1)}$, thanks to the last paper.

The special case $(n, k) = (2, 1)$ of computing $N_{p,1}(f)$, just for $f$ a cubic polynomial, is already of considerable interest in the design of cryptosystems based on the elliptic curve discrete logarithm problem. In fact, even this very special case wasn't known to admit an algorithm polynomial in $\log p$ until Schoof's work in the 1980s [Sch85]. More recently, algorithms for computing $N_{p,1}(f)$ for arbitrary $f \in \mathbb{Z}[x_1, x_2]$ of degree $d$, with complexity $d^8(\log p)^{2+o(1)}\sqrt{p}$, have been derived by Harvey [Har15] (see also [Zhu20, Ch. 5]), and similar complexity bounds hold for arbitrary finite fields.

Our main result shows that counting points over $\mathbb{Z}_{p^k}$ for arbitrary $k$ is slower than the $k = 1$ case only by a factor polynomial in $k$ (neglecting the other parameters).

Theorem 1.1. Suppose $f = g_1 + g_2$ for some $g_i \in \mathbb{Z}[x_i]$, $\deg f = d \ge 1$, and all the coefficients of $f$ are of absolute value at most $p^k$. Then there is a Las Vegas randomized algorithm that computes $N_{p,k}(f)$ in time $d^{17+\varepsilon}(k\log p)^{2+\varepsilon}p^{1/2+\varepsilon}$. In particular, the number of random bits needed is $O(d^2 k\log(dk)\log p)$, and the space needed is $O(d^4 k\sqrt{p}\log p)$. Furthermore, if the zero set of $f$ over the algebraic closure $\overline{\mathbb{F}}_p$ is smooth and irreducible, then $N_{p,k}(f)$ can be computed in quantum randomized time $(d\log p)^{O(1)}k$.

We prove Theorem 1.1 in Section 4.1. The central idea is to reduce to a moderate number of moderately sized instances of point counting over $\mathbb{F}_p$. Recall that Las Vegas randomized time simply means that our algorithm needs random bits and gives an answer that is correct with probability at least 1/2 and, in case of error, states that an error has occurred. Quantum randomized time here will mean that we avail ourselves of a quantum computer, and instead obtain an algorithm that gives an answer that is correct with probability at least 2/3, but with no correctness guarantee.

In what follows, we call a polynomial of the form $f_\zeta(x_1, x_2) := \frac{1}{p^s} f(\zeta_1 + px_1, \zeta_2 + px_2)$, with $(\zeta_1, \zeta_2) \in \mathbb{F}_p^2$ a singular point of the zero set of $f$ in $\mathbb{F}_p^2$ and $s$ as large as possible with $f_\zeta$ still in $\mathbb{Z}[x_1, x_2]$, a perturbation of $f$. Our reduction to point counting over $\mathbb{F}_p$ will involve finding all isolated singular points of the zero set of $f$ (as well as its perturbations) in $\mathbb{F}_p^2$, in order to categorize the base-$p$ digits of the coordinates of the roots of $f$ in $\mathbb{Z}_{p^k}^2$. This yields a geometrically defined recurrence for $N_{p,k}(f)$ that is conveniently encoded by a tree. We detail this construction in Sections 2.2 and 4.1 below.

Remark 1.2. A classical algebraic geometer may propose simply applying resolution of singularities, applying finite field point counting (with proper corrections at blown-up singular points), and then an application of Hensel's Lemma. We use a more direct approach that allows us to lift singular points individually and much more simply. In particular, it appears (from [PR11]) that resolution of singularities for a plane curve of degree $d$ over $\mathbb{F}_p$ has complexity $O(d^5)$ (neglecting multiples depending on $p$), while our algorithm (if looked at more closely) has better dependence on $d$. More to the point, replacing an input bivariate polynomial by a higher degree complete intersection (the latter being the output after doing resolution of singularities) results in a more complicated input when one needs to resort to prime field point counting, thus compounding the complexity even further. Furthermore, in higher dimensions, resolution of singularities becomes completely impractical [BGMWo11]. ⋄

Remark 1.3. We can extend Theorem 1.1 to more general curves. The key obstruction is whether $f$, or one of its perturbations, fails to be square-free (see the final section of the Appendix). We hope to extend our methods to arbitrary curves in the near future. For now, we simply point out that many commonly used curves in practice are variable separated, e.g., many hyperelliptic curves used in current cryptography are zero sets of polynomials of the form $x_2^2 - g(x_1)$. ⋄

2. Background

2.1. Some Basics on Point Counting Over Finite Fields. One of the most fundamental results on point counting for curves over finite fields dates back to work of Hasse and Weil in the 1940s. In what follows, we use $|S|$ to denote the cardinality of a set $S$.

Theorem 2.1. [Wei49] Let $\mathbb{F}_q$ be a finite field of order $q = p^m$, and let $C$ be an absolutely irreducible smooth projective curve defined over $\mathbb{F}_q$. Let $g$ denote the genus of $C$ and let $C(\mathbb{F}_q)$ be the set of $\mathbb{F}_q$-points of $C$. Then $\big|\,|C(\mathbb{F}_q)| - q\,\big| \le 2g\sqrt{q}$.

The error bound above is optimal, and can be derived by proving a set of technical statements known as the Weil Conjectures (for curves). The Weil Conjectures (along with corresponding point counts) were formulated for arbitrary varieties over finite fields and, in one of the crowning achievements of 20th century mathematics, were ultimately proved by Deligne in 1974 [Del74].

Efficient methods for computing $N_{p,1}(f)$ (and the number of points for a curve over any finite field) began to appear with the work of Schoof [Sch85], via so-called $\ell$-adic meth­ods. Let $g$ denote the genus² of the curve $C$. Via later work (e.g., [Pil90, AH01]) it was determined that $N_{p,1}(f)$ can be computed in time $(\log p)^{2g^{O(1)}}$ for arbitrary curves. Kedlaya's algorithm [Ked01] then lowered this complexity bound to $(g^4 p)^{1+o(1)}$ for hyperelliptic curves, e.g., curves with defining polynomials of the form $x_2^2 - g(x_1)$. Kedlaya observed later that, on a quantum computer, one could compute (finite field) zeta functions for non-singular curves in time $(d\log p)^{O(1)}$ [Ked06]. (The precise definition of these zeta functions need not concern us here: Suffice it to say that the computation of the zeta function of a curve over a finite field includes the computation of $N_{p,1}(f)$ as a special case.) More recently, Harvey [Har15] gave an efficient (classical) deterministic algorithm which, although asymptotically slower than Kedlaya's quantum algorithm, allows arbitrary input polynomials.

² The precise definition of the genus need not concern us, so we will simply recall that it is a birational invariant of $C$ (i.e., it is invariant under rational maps with rational inverse) and is at most $(d-1)(d-2)/2$ for $C$ the zero set of a degree $d$ bivariate polynomial.

2.2. The Central Recurrence for Bivariate Point Counting. In this section, we generalize the tools we used for root counting for univariate polynomials in [KRRZ19] to point counting for curves. It is not hard to see that these tools extend naturally to point counting for hypersurfaces of arbitrary dimension. The only subtlety is maintaining low computational complexity and keeping track of the underlying singular locus.

Let $x := (x_1, x_2)$ denote the tuple of two variables, and let $f(x) \in \mathbb{Z}[x]$ be a bivariate polynomial with integer coefficients of total degree $d \ge 1$. Then for any $\zeta := (\zeta_1, \zeta_2) \in \mathbb{Z}^2$, the Taylor expansion of $f$ at $\zeta$ is
$$f(x) = \sum_{j_1, j_2} \frac{D^{j_1,j_2}f(\zeta)}{j_1!\,j_2!}\,(x_1 - \zeta_1)^{j_1}(x_2 - \zeta_2)^{j_2},$$
where $j_1, j_2$ are non-negative integers and $D^{j_1,j_2}f(x) := \frac{\partial^{j_1+j_2}}{\partial x_1^{j_1}\,\partial x_2^{j_2}} f(x)$.

Let $\tilde f(x) := (f(x) \bmod p)$ denote the mod $p$ reduction of $f$. Now let $\zeta = (0,0)$ and write $\tilde f = g_m + g_{m+1} + \cdots + g_n$ where $g_i$ is a (homogeneous) form in $\mathbb{F}_p[x]$ of degree $i$ and $g_m \neq 0$. We then define $m$ to be the multiplicity of $\tilde f$ at $\zeta = (0,0)$. Write $m = m_\zeta(\tilde f)$. To extend this definition to a point $\zeta = (a, b) \neq (0,0)$, let $T$ be the translation that takes $(0,0)$ to $\zeta$, i.e. $T(x_1, x_2) = (x_1 + a, x_2 + b)$. Then $\tilde f^T := \tilde f(x_1 + a, x_2 + b)$ and we define $m_\zeta(\tilde f) := m_{(0,0)}(\tilde f^T)$. Then it is immediate from the definition that:

Lemma 2.2. If $\tilde f = \prod_r \tilde f_r^{\,e_r} \in \mathbb{F}_p[x]$ is a factorization of $\tilde f$ into irreducible polynomials over $\mathbb{F}_p$ then $m_\zeta(\tilde f) = \sum_r e_r\, m_\zeta(\tilde f_r)$.

We say $\zeta$ is a smooth point of $\tilde f$ if $m_\zeta(\tilde f) = 1$, and call it a singular point otherwise. In particular, by Lemma 2.2, a point $\zeta$ is a smooth point of $\tilde f$ if and only if $\zeta$ belongs to just one irreducible component $\tilde f_r$ of $\tilde f$, the corresponding exponent $e_r = 1$, and $\zeta$ is a smooth point of $\tilde f_r$.

Now we are ready to generalize the tools in [KRRZ19] for curves:

Definition 2.3. Let $f(x) \in \mathbb{Z}[x]$ and fix a prime $p$. Let $\mathrm{ord}_p : \mathbb{Z} \to \mathbb{N} \cup \{0\}$ denote the usual $p$-adic valuation with $\mathrm{ord}_p(p) = 1$. We then define
$$s(f, \varepsilon) := \min_{j_1, j_2 \ge 0}\left\{ j_1 + j_2 + \mathrm{ord}_p \frac{D^{j_1,j_2}f(\varepsilon)}{j_1!\,j_2!} \right\}$$
for any $\varepsilon \in \{0,\ldots,p-1\}^2$. Finally, fixing $k \in \mathbb{N}$, let us inductively define a set $T_{p,k}(f)$ of pairs $(f_{i,\zeta}, k_{i,\zeta}) \in \mathbb{Z}[x] \times \mathbb{N}$ as follows: We set $(f_{0,0}, k_{0,0}) := (f, k)$. Then, for any $i \ge 1$ with $(f_{i-1,\mu}, k_{i-1,\mu}) \in T_{p,k}(f)$ and any singular point $\zeta_{i-1} \in (\mathbb{Z}/p\mathbb{Z})^2$ of $\tilde f_{i-1,\mu}$ with $s_{i-1} := s(f_{i-1,\mu}, \zeta_{i-1}) \in \{2,\ldots,k_{i-1,\mu}-1\}$, we define $\zeta := \mu + p^{i-1}\zeta_{i-1}$, $k_{i,\zeta} := k_{i-1,\mu} - s_{i-1}$ and
$$f_{i,\zeta}(x) := \left[\frac{1}{p^{s_{i-1}}}\, f_{i-1,\mu}(\zeta_{i-1} + px)\right] \bmod p^{k_{i,\zeta}}.$$

Just as in the univariate case, the perturbations $f_{i,\zeta}$ of $f$ will help us keep track of how the points of $f$ in $(\mathbb{Z}/p^k\mathbb{Z})^2$ cluster, in a $p$-adic metric sense, about the points of $\tilde f$. It is clear that $\frac{D^{j_1,j_2}f(\varepsilon)}{j_1!\,j_2!}$ is always an integer, as it is the coefficient of $x_1^{j_1}x_2^{j_2}$ in the Taylor expansion of $f(x + \varepsilon)$ about $x = (0,0)$. We will see in the next section how $T_{p,k}(f)$ is associated with a natural tree structure. Moreover, $T_{p,k}(f)$ is always a finite set by definition, as only $f_{i,\zeta}$ with $i \le \lfloor (k-1)/2 \rfloor$ and $\zeta \in (\mathbb{Z}/p\mathbb{Z})^2$ are possible.


Lemma 2.4. Following the notation above, let $n_p(f)$ denote the number of smooth points of $\tilde f$ in $(\mathbb{Z}/p\mathbb{Z})^2$. Then provided $k \ge 0$ and $\tilde f$ is not identically zero, we have
$$N_{p,k}(f) = p^{k-1}\,n_p(f) + \sum_{\substack{\zeta_0 \in (\mathbb{Z}/p\mathbb{Z})^2 \\ s(f,\zeta_0) \ge k}} p^{2(k-1)} + \sum_{\substack{\zeta_0 \in (\mathbb{Z}/p\mathbb{Z})^2 \\ s(f,\zeta_0) \in \{2,\ldots,k-1\}}} p^{2(s(f,\zeta_0)-1)}\, N_{p,k-s(f,\zeta_0)}(f_{1,\zeta_0}).$$

We will prove Lemma 2.4 in the next section, where it will be clear how Lemma 2.4 applies recursively. Then we show how Lemma 2.4 leads to our recursive algorithm for computing $N_{p,k}(f)$.

3. Generalized Hensel Lifting and the Proof of our Main Recurrence

Let us first prove the following alternative definition for the multiplicity of a point on the curve. We will mainly use this definition for the rest of the discussion.

Lemma 3.1. For any $\zeta \in \mathbb{F}_p^2$, $m := m_\zeta(\tilde f)$ is the smallest nonnegative integer such that there exist $j_1, j_2 \ge 0$ with $j_1 + j_2 = m$ and $D^{j_1,j_2}f(\zeta) \not\equiv 0 \bmod p$.

Proof. Fix $\zeta \in \mathbb{F}_p^2$, and let $T$ be the translation that takes $(0,0)$ to $\zeta$. Then for any $j_1, j_2 \ge 0$, $D^{j_1,j_2}\tilde f^T(0,0) = D^{j_1,j_2}\tilde f(\zeta)$. So it suffices to prove the statement for the case when $\zeta = (0,0)$.

Suppose $\tilde f = g_m + g_{m+1} + \cdots + g_n$, where $g_i$ is a homogeneous form in $\mathbb{F}_p[x]$ of degree $i$ and $g_m \neq 0$. Then $\tilde f$ must have a nonzero monomial term $a_r x_1^r x_2^{m-r}$, for some integer $r \le m$ and $a_r \in \mathbb{F}_p^\times$. Note that as $g_m \in \mathbb{F}_p[x]$, we must have $r, m-r < p$ as well. Then for any $j_1, j_2 \ge 0$, we have
$$D^{j_1,j_2}\, a_r x_1^r x_2^{m-r} = a_r \binom{r}{r-j_1}\binom{m-r}{m-r-j_2}\, x_1^{r-j_1} x_2^{m-r-j_2}.$$
It is obvious that for any pair of nonnegative integers $j_1, j_2$ with $j_1 + j_2 < m$, either $r - j_1 > 0$ or $m - r - j_2 > 0$. Moreover, any other nonzero monomial term $a_t x_1^{t_1}x_2^{t_2}$ of $\tilde f$ must have $t_1 + t_2 \ge m$ and $t_1 \ge r$ or $t_2 \ge m-r$. Hence $t_1 - j_1 > 0$ or $t_2 - j_2 > 0$. So for such a pair $j_1, j_2$, we must have $D^{j_1,j_2}\tilde f(0,0) \equiv 0 \bmod p$. Now take $j_1 = r$ and $j_2 = m-r$; then
$$D^{j_1,j_2}\tilde f(0,0) = a_r \binom{r}{r-j_1}\binom{m-r}{m-r-j_2} \not\equiv 0 \bmod p.$$

Conversely, if $m$ is the smallest nonnegative integer such that there exist $j_1, j_2 \ge 0$ with $j_1 + j_2 = m$ and $D^{j_1,j_2}f(0,0) \not\equiv 0 \bmod p$, then there exists $a_j x_1^{j_1}x_2^{j_2}$, a nonzero monomial term of $\tilde f$ of smallest total degree. So $m = m_{(0,0)}(\tilde f)$. □

The classical Hensel's Lemma (see, e.g., [NZM91, Thm. 2.3, Pg. 87]) says that any non-degenerate root of a univariate polynomial in $\mathbb{Z}/p\mathbb{Z}$ lifts uniquely into any larger prime power ring $\mathbb{Z}/p^k\mathbb{Z}$. One expects similar nice behavior from a smooth point on a curve over $\mathbb{Z}/p\mathbb{Z}$. We prove the following analogue of Hensel's Lemma for curves in the Appendix:

Lemma 3.2. Let $f(x) \in \mathbb{Z}[x]$. If $f(\sigma) \equiv 0 \bmod p^j$ for $j \ge 1$, and $\zeta^{(0)} \equiv \sigma \bmod p$ is a smooth point on $\tilde f$, then there are exactly $p$ many $t \in (\mathbb{Z}/p\mathbb{Z})^2$ such that $f(\sigma + p^j t) \equiv 0 \bmod p^{j+1}$.

For $k > j \ge 1$ and any $\sigma^{(j)} \in (\mathbb{Z}/p^j\mathbb{Z})^2$ such that $f(\sigma^{(j)}) \equiv 0 \bmod p^j$, we call $\sigma^{(k)} \in (\mathbb{Z}/p^k\mathbb{Z})^2$ a lift of $\sigma^{(j)}$ if $f(\sigma^{(k)}) \equiv 0 \bmod p^k$ and $\sigma^{(k)} \equiv \sigma^{(j)} \bmod p^j$. Then by applying Lemma 3.2 inductively, we obtain:


Proposition 3.3. Let $f(x) \in \mathbb{Z}[x]$, and $k > j \ge 1$. If $f(\sigma^{(j)}) \equiv 0 \bmod p^j$, and $(\sigma^{(j)} \bmod p)$ is a smooth point of $\tilde f$, then $\sigma^{(j)}$ lifts to exactly $p^{k-j}$ many roots of $(f \bmod p^k)$.

Lemma 3.4. Following the notation above, suppose instead $\zeta^{(0)} \in (\mathbb{Z}/p\mathbb{Z})^2$ is a point on $\tilde f$ of (finite) multiplicity $m \ge 2$. Suppose also that $k \ge 2$ and that there is a $\sigma^{(k)} \in (\mathbb{Z}/p^k\mathbb{Z})^2$ with $\sigma^{(k)} \equiv \zeta^{(0)} \bmod p$ and $f(\sigma^{(k)}) \equiv 0 \bmod p^k$. Then $s(f, \zeta^{(0)}) \in \{2,\ldots,m\}$.

Proof. As $\zeta^{(0)}$ is a singular point on $\tilde f$, we have $\frac{\partial f}{\partial x_i}(\zeta^{(0)}) \equiv 0 \bmod p$ for every $i = 1,\ldots,n$. Then for $\sigma^{(k)} = \zeta^{(0)} + p\tau \in (\mathbb{Z}/p^k\mathbb{Z})^2$ with $\tau := (\tau_1, \tau_2) \in (\mathbb{Z}/p^{k-1}\mathbb{Z})^2$,
$$f(\sigma^{(k)}) = f(\zeta^{(0)}) + p\left(\frac{\partial f}{\partial x_1}(\zeta^{(0)})\,\tau_1 + \frac{\partial f}{\partial x_2}(\zeta^{(0)})\,\tau_2\right) + \sum_{i_1+i_2 \ge 2} p^{i_1+i_2}\, D^{i_1,i_2}f(\zeta^{(0)})\,\tau_1^{i_1}\tau_2^{i_2}. \qquad (1)$$
For (1) to have solutions mod $p^k$, we need $f(\zeta^{(0)}) \equiv 0 \bmod p^2$, as the second and the third summands in equation (1) have $p$-adic order at least 2.

As $\zeta^{(0)}$ is a singular point of multiplicity $m$ on $\tilde f$, there exists an $m$-th Hasse derivative $D^{j_1,j_2}f(\zeta^{(0)}) \not\equiv 0 \bmod p$ with $j_1 + j_2 = m$. So $s(f, \zeta^{(0)}) \le \mathrm{ord}_p\!\left(p^{j_1+j_2} D^{j_1,j_2}f(\zeta^{(0)})\right) = m$. □

We can now relate $N_{p,k}(f)$ to the recursive structure on $T_{p,k}(f)$.

Proof of Lemma 2.4: The lifting of smooth points of $\tilde f$ follows from Proposition 3.3. Now assume that $\zeta_0 \in (\mathbb{Z}/p\mathbb{Z})^2$ is a singular point of $\tilde f$. Write $\zeta := \zeta_0 + p\sigma$ for $\sigma := \zeta_1 + p\zeta_2 + \cdots + p^{k-2}\zeta_{k-1} \in (\mathbb{Z}/p^k\mathbb{Z})^2$, and let $s := s(f, \zeta_0)$. Note that by Lemma 3.4, $s \ge 2$. Then by definition, $f(\zeta) = p^s f_{1,\zeta_0}(\sigma)$, for $f_{1,\zeta_0} \in \mathbb{Z}[x]$, and $f_{1,\zeta_0}$ does not vanish identically mod $p$.

If $s \ge k$, then $f(\zeta) \equiv 0 \bmod p^k$ regardless of the choice of $\sigma$. So there are exactly $p^{2(k-1)}$ values of $\zeta \in (\mathbb{Z}/p^k\mathbb{Z})^2$ such that $\zeta \equiv \zeta_0 \bmod p$ and $f(\zeta) \equiv 0 \bmod p^k$.

If $s \le k-1$ then $\zeta$ is a root of $f$ if and only if $f_{1,\zeta_0}(\sigma) \equiv 0 \bmod p^{k-s}$. But then $\sigma \equiv \zeta_1 + p\zeta_2 + \cdots + p^{k-s-1}\zeta_{k-s} \bmod p^{k-s}$, i.e., the rest of the base-$p$ digits $\zeta_{k-s+1},\ldots,\zeta_{k-1}$ do not appear in the preceding mod $p^{k-s}$ congruence. So the number of possible lifts $\zeta$ of $\zeta_0$ is exactly $p^{2(s-1)}$ times the number of roots $(\zeta_1 + p\zeta_2 + \cdots + p^{k-s-1}\zeta_{k-s}) \in (\mathbb{Z}/p^{k-s}\mathbb{Z})^2$ of $f_{1,\zeta_0}$. This accounts for the third summand in our formula. □

Remark 3.5. The algebraic preliminaries established in this section and Definition 2.3 can be extended transparently to point counting for hypersurfaces of arbitrary dimension. ⋄

4. Bounding Sums of Multiplicities on Curves with at Worst Isolated Singularities

Suppose $F \in \mathbb{F}_p[x]$ is a nonconstant polynomial of total degree $D$. Then $F$ factors into a product of irreducible components $F = \prod_{i=1}^{l} F_i^{e_i} \in \mathbb{F}_p[x]$ where each $F_i \in \mathbb{F}_p[x]$ is irreducible, and $e_i \ge 1$. We say $F$ is squarefree if $e_i = 1$ for every $i$. Suppose $G = \prod_{j=1}^{m} G_j^{c_j} \in \mathbb{F}_p[x]$ with $G_j \in \mathbb{F}_p[x]$ irreducible and $c_j \ge 1$. We say $F$ and $G$ have no common component if $F_i \neq G_j$ for every pair $i, j$.

Lemma 4.1. (Corollary of Bézout's Theorem) Let $F, G \in \mathbb{F}_p[x]$ be two curves with no common components. Then $\sum_\zeta m_\zeta(F)\, m_\zeta(G) \le \deg(F)\deg(G)$.


Now let $F' = \prod_{i=1}^{l} F_i \in \mathbb{F}_p[x]$ be the square-free part of $F$. We say a singular point $\zeta$ on $F$ is an isolated singular point if $\zeta$ is also singular on $F'$, and call it a non-isolated singular point otherwise.

Lemma 4.2. Let $F \in \mathbb{F}_p[x]$ be a curve with degree $d$, and let $F'$ denote the square-free part of $F$. Then
$$\sum_\zeta m_\zeta(F')\,\big(m_\zeta(F') - 1\big) \le d(d-1).$$
In particular, $F$ has at most $\binom{d}{2}$ many isolated singular points.

Proof. As $F'$ is squarefree, $F'$ and $D^{1,0}F'(x)$ have no common component. It is also easy to deduce from Lemma 3.1 that for any $\zeta \in \mathbb{F}_p^2$, $m_\zeta(D^{1,0}F') \ge m_\zeta(F') - 1$. The conclusion thus follows by applying Lemma 4.1, and that $m_\zeta(F') \ge 2$ for any isolated singular point of $F$. □

Suppose $F = \prod_{i=1}^{l} F_i^{e_i} \in \mathbb{F}_p[x]$ is a nonconstant polynomial. For each $i$, let $d_i := \deg(F_i)$ and let $d := \sum_i d_i e_i$ be the total degree of $F$. Let $I \subseteq \{1,\ldots,l\}$ be a nonempty subset of indices, let $S_I$ denote the set of points in the intersection $\bigcap_{i \in I} F_i$, and let $T_I = \{\zeta \in S_I : \zeta \text{ is smooth on } F_i \text{ for all } i \in I\}$.

We then prove the following more general statement of Lemma 4.2 in the Appendix:

Lemma 4.3. Using the notation above we have:
$$\sum_{\substack{\zeta \in S_I \\ I \neq \emptyset}} m_\zeta(F)\Big(m_\zeta(F) - \sum_{i \in I} e_i\Big) + \sum_{\substack{\zeta \in T_I \\ |I| \ge 2}} m_\zeta(F) \le d(d-1). \qquad (2)$$

Observe that if $\zeta \in S_I$ and $\zeta$ is an isolated singular point on $F$, then either $\zeta \in T_I$ or $m_\zeta(F) > \sum_{i \in I} \mu_\zeta(F_i)$, and $m_\zeta(F) = \sum_{i \in I}\mu_\zeta(F_i)$ if it is non-isolated. So only the part corresponding to the isolated singular points contributes to the sum on the left hand side of Equation (2). So we obtain the following:

Theorem 4.4. Let $f(x) \in \mathbb{Z}[x]$ be a nonconstant polynomial of degree $d$. Fix a prime $p$ and suppose that $\tilde f$ does not vanish identically over $\mathbb{Z}/p\mathbb{Z}$. Then
$$\sum_{\substack{\zeta \text{ isolated} \\ \text{singular on } \tilde f}} \deg \tilde f_{1,\zeta} \le d(d-1).$$

Proof. This is immediate by observing that $\deg \tilde f_{1,\zeta} \le s(f, \zeta) \le m_\zeta(\tilde f)$. □

However, bounding the degree of the perturbations $\tilde f_{1,\zeta}$ corresponding to non-isolated singular points of $\tilde f$ can be hard. This is evident in the discussion in the final section of the Appendix: lifting non-isolated singular points for certain families of curves requires extra care.

4.1. Algorithms and Complexity Analysis: Proof of Theorem 1.1. For this section, let us consider bivariate polynomials $f(x) \in \mathbb{Z}[x]$ of the form $f(x) = g(x_1) + h(x_2)$. One broad family of examples of such bivariate polynomials is the family of superelliptic curves: $f(x) = x_2^d - g(x_1)$.

Lemma 4.5. Let $F(x_1, x_2) = g(x_1) + h(x_2) \in \mathbb{F}_p[x]$ such that $g, h$ are nonconstant polynomials. Then $F$ is squarefree.


Proof. Suppose $F$ is not squarefree and let $F = \prod_{i=1}^{l} F_i^{e_i} \in \mathbb{F}_p[x]$ be the irreducible factorization of $F$, with $e_i \ge 1$. Without loss of generality assume $e_1 > 1$ and $g'(x_1) = D^{1,0}F \neq 0$. Let $G = F/F_1^{e_1} = \prod_{i=2}^{l} F_i^{e_i}$. Differentiating $F$ with respect to $x_1$, we have
$$g'(x_1) = e_1 F_1^{e_1-1}\, D^{1,0}F_1 \cdot G + F_1^{e_1} \cdot D^{1,0}G = F_1^{e_1-1}\left(e_1\, D^{1,0}F_1 \cdot G + F_1 \cdot D^{1,0}G\right).$$
So $F_1(x_1, x_2)$ must divide $g'(x_1)$, implying that $h(x_2)$ is a constant, a contradiction. □

We now have enough ingredients to state our main algorithm:

Algorithm 4.6 (PrimePowerPointCounting($f, p, k$)).

Input. $(f, p, k) \in \mathbb{Z}[x] \times \mathbb{N} \times \mathbb{N}$ with $p$ prime and $f(x) = g(x_1) + h(x_2)$.

Output. An integer $M \le N_{p,k}(f)$ that, with probability at least $\frac{2}{3}$, is exactly $N_{p,k}(f)$.

Description.

1: Let $v := s(f)$ and $f_{0,0} := f$.
2: If $v \ge k$
3: Let $M := p^{2k}$. Return.
4: If $v \in \{1,\ldots,k-1\}$
5: Let $M := p^{2v}\,\mathrm{PrimePowerPointCounting}\!\left(\frac{f_{0,0}(x)}{p^v},\, p,\, k-v\right)$. Return.
6: End(If).
7: If $s(g) = s(h) = 0$
8: Let $M := p^{k-1}\, n_p(f)$.
9: For $\zeta^{(0)} \in (\mathbb{Z}/p\mathbb{Z})^2$ a singular point of $\tilde f_{0,0}$ do
10: Let $s := s(f_{0,0}, \zeta^{(0)})$.
11: If $s \ge k$
12: Let $M := M + p^{2(k-1)}$.
13: Elseif $s \in \{2,\ldots,k-1\}$
14: Let $M := M + p^{2(s-1)}\,\mathrm{PrimePowerPointCounting}\!\left(f_{1,\zeta^{(0)}},\, p,\, k-s\right)$.
15: End(If).
16: End(For).
17: Elseif $s(g) \ge 0$ or $s(h) \ge 0$ accordingly
18: Let $M := p^k\, n_p(g)$ or $p^k\, n_p(h)$.
19: For $\zeta^{(0)} \subseteq (\mathbb{Z}/p\mathbb{Z})^2$ a set of singular points of $\tilde f_{0,0}$ from a degenerate root of $\tilde g$ or $\tilde h$ do
20: Let $s := s(f_{0,0}, \zeta^{(0)})$.
21: If $s \ge k$
22: Let $M := M + p^{2k-1}$.
22: Elseif $s \in \{2,\ldots,k-1\}$
23: Let $M := M + p^{2s-1}\,\mathrm{PrimePowerPointCounting}\!\left(f_{1,\zeta^{(0)}},\, p,\, k-s\right)$.
24: End(If).
25: End(For).
26: End(If).
27: Return.

There are some remaining details to clarify about our algorithm. First, let $s(f)$ denote the largest power of $p$ that divides all the coefficients of $f$. Then by Definition 2.3, we see that any polynomial in $T_{p,k}(f)$ should also be of the form $g(x_1) + h(x_2)$ with $s(g) = 0$ or $s(h) = 0$. By Lemma 4.5, we see that when $s(g) = s(h) = 0$, $\tilde f = f \bmod p$ is squarefree. Now without loss of generality, suppose $0 = s(g) < s(h) = c$; then $\tilde f(x) = \tilde g(x_1) \bmod p$. Then any singular point on $\tilde f$ should be of the form $(\zeta^{(0)}_1, y)$ for any degenerate root $\zeta^{(0)}_1$ of the univariate polynomial $\tilde g(x_1) \in \mathbb{F}_p[x_1]$ and any choice of $y \in \{0,1,\ldots,p-1\}$. So it makes sense to consider the perturbation of $f$ in the direction of $x_1$ only.


Let $\zeta^{(0)}_1$ be any degenerate root of $\tilde g$. Abusing notation, let $\zeta^{(0)} := \{\zeta^{(0)}_1\} \times \mathbb{F}_p = \{(\zeta^{(0)}_1, y) : y \in \{0,1,\ldots,p-1\}\}$, the set of singular points of $\tilde f$ with first coordinate $\zeta^{(0)}_1$. Consider $f(\zeta^{(0)}_1 + px_1, x_2) = g(\zeta^{(0)}_1 + px_1) + h(x_2)$. Let $s(f, \zeta^{(0)}) := s\big(f(\zeta^{(0)}_1 + px_1, x_2)\big) = \min\big(s(g, \zeta^{(0)}_1), c\big)$, the largest power of $p$ dividing all the coefficients of the perturbation, and let
$$f_{1,\zeta^{(0)}} = \frac{1}{p^{s(f,\zeta^{(0)})}}\, f(\zeta^{(0)}_1 + px_1, x_2).$$

We prove the following more specific version of Lemma 2.4 in the Appendix:

Lemma 4.7. Let $f(x) = g(x_1) + h(x_2)$ with $0 = s(g) < s(h) = c$. Let $n_p(g)$ denote the number of non-degenerate roots of $\tilde g$ in $\mathbb{F}_p$. Then, following the notation above,
$$N_{p,k}(f) = p^k\, n_p(g) + \sum_{\substack{\zeta^{(0)} \subseteq (\mathbb{Z}/p\mathbb{Z})^2 \\ s(f,\zeta^{(0)}) \ge k}} p^{2k-1} + \sum_{\substack{\zeta^{(0)} \subseteq (\mathbb{Z}/p\mathbb{Z})^2 \\ s(f,\zeta^{(0)}) \le k-1}} p^{2s(f,\zeta^{(0)})-1}\, N_{p,k-s(f,\zeta^{(0)})}(f_{1,\zeta^{(0)}}).$$

By symmetry, a variant of our preceding lemma also holds when $0 = s(h) < s(g) = c$. Similarly, for any degenerate root $\zeta^{(0)}_2$ of the univariate polynomial $\tilde h(x_2) \in \mathbb{F}_p[x_2]$, we denote by $\zeta^{(0)} := \mathbb{F}_p \times \{\zeta^{(0)}_2\}$ the set of singular points of $\tilde f$ with second coordinate $\zeta^{(0)}_2$.

Notation 4.8. Suppose $\zeta^{(i-1)} = \{\zeta^{(i-1)}_1\} \times \mathbb{F}_p$ is the set of singular points on $\tilde f_{i-1,\zeta}$ for some polynomial in $T_{p,k}(f)$ and $\zeta = (\zeta_1, \zeta_2)$. We write
$$\zeta + p^{i-1}\zeta^{(i-1)} = \left\{(x_1, x_2) : x_1 = \zeta_1 + p^{i-1}\zeta^{(i-1)}_1,\ x_2 \in \{\zeta_2 + p^{i-1}\cdot 0,\ \ldots,\ \zeta_2 + p^{i-1}\cdot(p-1)\}\right\}$$
as element-wise operations on sets. We also use this notation similarly when $\zeta^{(i-1)} = \mathbb{F}_p \times \{\zeta^{(i-1)}_2\}$.

We are now ready to prove the correctness of our main algorithm.

Proof of Correctness of Algorithm 4.6: Assume temporarily that Algorithm 4.6 is correct when $s(f) = 0$, i.e. when $f_{0,0}$ is not identically 0 mod $p$. Since for any integer $a$ with $a \le k$, and any elements $x, y \in (\mathbb{Z}/p^k\mathbb{Z})^2$, $p^a x \equiv p^a y \bmod p^k \iff x \equiv y \bmod p^{k-a}$, Steps 1–6 of our algorithm then dispose of the case where $f$ is identically 0 in $(\mathbb{Z}/p\mathbb{Z})[x]$. So let us now prove correctness when $f$ is not identically 0 in $(\mathbb{Z}/p\mathbb{Z})[x]$.

Recall from the discussion at the very beginning of this section that any polynomial in $T_{p,k}(f)$ should be of the form $f_{i,\zeta^{(i-1)}}(x) := g_i(x_1) + h_i(x_2)$ with $s(g_i) = 0$ or $s(h_i) = 0$. Applying Lemma 2.4 and Lemma 4.7 accordingly, we then see that it is enough to prove that the value of $M$ is the value of our formula for $N_{p,k}(f)$ when the two For loops of Algorithm 4.6 run correctly.

When $s(g) = s(h) = 0$, Steps 7–16 (once the For loop is completed) simply add the second and third summands of our formula in Lemma 2.4 to $M$, thus ensuring that $M = N_{p,k}(f)$. On the other hand, when $s(g) > 0$ or $s(h) > 0$, Steps 17–26 (once the For loop is completed) add the second and third summands of our formula in Lemma 4.7 to $M$, thus ensuring that $M = N_{p,k}(f)$. So we are done. □
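As an added illustration (this is not code from the paper, and it is written for checking small cases only), the following Python 3.8+ script implements the recurrence of Lemma 2.4 in the form Algorithm 4.6 uses it: Steps 1–6 for $f \equiv 0 \bmod p$, then, over the singular points of $\tilde f$ (as in the proof of Lemma 2.4 and Steps 9–16), the contributions $p^{2(k-1)}$ and $p^{2(s-1)}N_{p,k-s}(f_{1,\zeta_0})$. It replaces Harvey's $\mathbb{F}_p$ point count and the univariate reduction by direct enumeration of $\mathbb{F}_p^2$, and uses the pointwise sums of Lemma 2.4 rather than the grouped sums of Lemma 4.7, so it is a correctness check rather than a sub-linear algorithm. The dictionary representation of polynomials, the function names and the sample curve $x_2^2 - x_1^3$ are choices made here: multiplicity is read off the coefficients of the translate $f(\zeta + x)$ (the Hasse derivatives used in the proof of Lemma 3.1), $s(f, \zeta_0)$ is the minimum $p$-adic valuation of the coefficients of $f(\zeta_0 + px)$, and `lifts_of` checks Lemma 3.2 directly.

```python
"""Added example for this page (not from the paper): the recurrence of
Lemma 2.4 / Algorithm 4.6 checked against brute-force enumeration."""
from itertools import product
from math import comb

# A polynomial in Z[x1, x2] is a dict {(j1, j2): integer coefficient}.
# Constructed sample input: the cuspidal cubic f = x2^2 - x1^3, which is
# variable separated (g(x1) = -x1^3, h(x2) = x2^2) and singular at (0, 0).
CUSP = {(0, 2): 1, (3, 0): -1}


def evaluate(f, x1, x2):
    """Exact integer evaluation of f at (x1, x2)."""
    return sum(c * x1 ** j1 * x2 ** j2 for (j1, j2), c in f.items())


def translate(f, zeta, scale):
    """Exact coefficients of f(zeta1 + scale*x1, zeta2 + scale*x2).
    With scale = 1 the coefficient of x1^j1 x2^j2 is the Hasse derivative
    D^{j1,j2} f(zeta) / (j1! j2!); with scale = p it is p^(j1+j2) times that,
    i.e. exactly the quantity minimised in the definition of s(f, zeta)."""
    z1, z2 = zeta
    out = {}
    for (a, b), c in f.items():
        for i in range(a + 1):
            for j in range(b + 1):
                term = (c * comb(a, i) * comb(b, j)
                        * z1 ** (a - i) * z2 ** (b - j) * scale ** (i + j))
                out[(i, j)] = out.get((i, j), 0) + term
    return {mon: c for mon, c in out.items() if c != 0}


def ord_p(n, p):
    """p-adic valuation of a nonzero integer."""
    v = 0
    while n % p == 0:
        n, v = n // p, v + 1
    return v


def s_of(f, p):
    """s(f): the largest power of p dividing every coefficient of f."""
    return min(ord_p(c, p) for c in f.values())


def multiplicity(f, zeta, p):
    """m_zeta(f~) via Lemma 3.1: the smallest j1 + j2 with a Hasse derivative
    that is nonzero mod p. 0 means zeta is not on f~, 1 means a smooth point."""
    return min((j1 + j2 for (j1, j2), c in translate(f, zeta, 1).items()
                if c % p != 0), default=float("inf"))


def lifts_of(f, sigma, p, j):
    """All t in (Z/pZ)^2 with f(sigma + p^j t) = 0 mod p^(j+1). Lemma 3.2:
    exactly p of them when sigma mod p is a smooth point of f~."""
    q = p ** j
    return [t for t in product(range(p), repeat=2)
            if evaluate(f, sigma[0] + q * t[0], sigma[1] + q * t[1]) % (p * q) == 0]


def count_recursive(f, p, k):
    """N_{p,k}(f) from Lemma 2.4, summing over the singular points of f~ as in
    Steps 9-16 of Algorithm 4.6; Steps 1-6 handle f = 0 mod p."""
    v = s_of(f, p)
    if v >= k:                       # Steps 2-3: every point is a root mod p^k
        return p ** (2 * k)
    if v >= 1:                       # Steps 4-5: divide out p^v, recurse on k - v
        return p ** (2 * v) * count_recursive(
            {mon: c // p ** v for mon, c in f.items()}, p, k - v)
    total = 0
    for zeta0 in product(range(p), repeat=2):
        m = multiplicity(f, zeta0, p)
        if m == 0:
            continue                             # not a point of f~
        if m == 1:
            total += p ** (k - 1)                # smooth point: Proposition 3.3
            continue
        shifted = translate(f, zeta0, p)         # f(zeta0 + p x)
        s = s_of(shifted, p)                     # s(f, zeta0)
        if s >= k:
            total += p ** (2 * (k - 1))          # every lift of zeta0 is a root
        elif 2 <= s <= k - 1:
            f1 = {mon: c // p ** s for mon, c in shifted.items()}  # f_{1,zeta0}
            total += p ** (2 * (s - 1)) * count_recursive(f1, p, k - s)
    return total


def brute_count(f, p, k):
    """N_{p,k}(f) by enumerating (Z/p^k Z)^2; only for small p^k."""
    q = p ** k
    return sum(1 for x1 in range(q) for x2 in range(q)
               if evaluate(f, x1, x2) % q == 0)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, count_recursive(CUSP, 5, k), brute_count(CUSP, 5, k))
```

For the cusp at $p = 5$ the script reports matching recursive and brute-force counts $5$, $45$ and $225$ for $k = 1, 2, 3$. The singular point $(0,0)$ has $s(f, (0,0)) = 2$, so for $k = 2$ it contributes all $p^2 = 25$ of its lifts while each of the four smooth points contributes $p = 5$; for $k = 3$ the recursion descends to $f_{1,(0,0)} = x_2^2 - 5x_1^3$ with $k - s = 1$.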

In [KRRZ19], we defined a recursive tree structure for root counting for univariate polynomials in $\mathbb{Z}/p^k\mathbb{Z}$. We define similarly a recursive tree for $f(x) = g(x_1) + h(x_2)$ that will enable our complexity analysis.


Definition 4.9. Let us identify the elements of $T_{p,k}(f)$ with nodes of a labelled rooted directed tree $\mathcal{T}_{p,k}(f)$.

(1) We set $f_{0,0} := f$, $k_{0,0} := k$, and let $(f_{0,0}, k_{0,0})$ be the label of the root node of $\mathcal{T}_{p,k}(f)$.

(2) There is an edge from node $(f_{i',\zeta'}, k_{i',\zeta'})$ to node $(f_{i,\zeta}, k_{i,\zeta})$ if and only if $i' = i-1$ and there is a (set of) singular points $\zeta^{(i-1)}$ in $(\mathbb{Z}/p\mathbb{Z})^2$ of $\tilde f_{i',\zeta'}$ with $s(f_{i',\zeta'}, \zeta^{(i-1)}) \le k_{i',\zeta'} - 1$ and $\zeta = \zeta' + p^{i-1}\zeta^{(i-1)}$ in $(\mathbb{Z}/p^i\mathbb{Z})^2$.

(3) Suppose $f_{i',\zeta'} = g_{i'}(x_1) + h_{i'}(x_2)$. The label of a directed edge from node $(f_{i',\zeta'}, k_{i',\zeta'})$ to node $(f_{i,\zeta}, k_{i,\zeta})$ is $p^{2\left(s\left(f_{i',\zeta'},\,(\zeta-\zeta')/p^{i'-1}\right)-1\right)}$ or $p^{2\,s\left(f_{i',\zeta'},\,(\zeta-\zeta')/p^{i'-1}\right)-1}$, respectively, when $s(g_{i'}) = s(h_{i'}) = 0$ or otherwise.

In particular, the labels of the nodes lie in $\mathbb{Z}[x] \times \mathbb{N}$.

Remark 4.10.

1. Just as the tree structure for univariate polynomials in [KRRZ19], our trees $\mathcal{T}_{p,k}(\cdot)$ encode algebraic expressions for our desired root counts $N_{p,k}(\cdot)$. In particular, the children of a node labelled $(f_i, k_i)$ yield terms that one sums to get the root count $N_{p,k_i}(f_i)$, and the edge labels yield weights multiplying the corresponding terms.

2. One main difference is that the correspondence between polynomials in $T_{p,k}(f)$ and labels in the tree $\mathcal{T}_{p,k}(f)$ is no longer one-to-one. In particular, in the case when $f_{i,\zeta}(x) = g_i(x_1) + h_i(x_2)$ with $s(g_i) > 0$, its child node polynomial $f_{i+1,\zeta'}$ for $\zeta' - \zeta = \{\zeta^{(i)}_1\} \times \mathbb{F}_p$ corresponds to a set of singular points of $\tilde f_{i,\zeta}$ with first coordinate equal to a degenerate root $\zeta^{(i)}_1$ of $\tilde g_i$. ⋄

The following lemma, proved in the Appendix, will be central in our complexity analysis.

Lemma 4.11. Let $f(x) = g(x_1) + h(x_2) \in \mathbb{Z}[x]$ be a nonconstant polynomial of degree $d$. Following the notation of Definition 4.9, we have that:

(1) The depth of $\mathcal{T}_{p,k}(f)$ is at most $k$.

(2) The degree of the root node of $\mathcal{T}_{p,k}(f)$ is at most $\binom{d}{2}$.

(3) The degree of any non-root node of $\mathcal{T}_{p,k}(f)$ labeled $(f_{i,\zeta}, k_{i,\zeta})$, with parent $(f_{i-1,\mu}, k_{i-1,\mu})$ and $\zeta^{(i-1)} := (\zeta - \mu)/p^{i-1}$, is at most $s(f_{i-1,\mu}, \zeta^{(i-1)})$. In particular,
$$\deg \tilde f_{i,\zeta} \le s(f_{i-1,\mu}, \zeta^{(i-1)}) \le k_{i-1,\mu} - 1 \le k-1$$
and
$$\sum_{\substack{(f_{i,\zeta},\, k_{i,\zeta}) \text{ a child} \\ \text{of } (f_{i-1,\mu},\, k_{i-1,\mu})}} \deg \tilde f_{i,\zeta}\left(\deg \tilde f_{i,\zeta} - 1\right) \le \deg \tilde f_{i-1,\mu}\left(\deg \tilde f_{i-1,\mu} - 1\right).$$

(4) $\mathcal{T}_{p,k}(f)$ has at most $\binom{d}{2}$ nodes at depth $i \ge 1$, and thus a total of no more than $1 + (k-1)\binom{d}{2}$ nodes.

Proof of Theorem 1.1: Since we already proved that Algorithm 4.6 is correct, it suffices to prove the stated complexity bound for Algorithm 4.6. The proof consists of three parts: (a) the point counting algorithm over $\mathbb{F}_p$ from [Har15], (b) the univariate reduction and the factorization algorithm, and (c) applying Lemma 4.11 to show that the number of necessary factorization, point counting, and $p$-adic valuation calculations is well-bounded.

More specifically, the For loops and the recursive calls of Algorithm 4.6 can be seen as the process of building the tree $\mathcal{T}_{p,k}(f)$. We begin at the root node by applying the algorithm in [Har15] to find the number of roots of $\tilde f$ in $\mathbb{F}_p$. This computation takes time $O(d^8 p^{1/2}\log^{2+\varepsilon} p)$ and space $O(d^4 p^{1/2}\log p)$ by [Har15]. (Specifically, one avails oneself of Theorem 3.1, Lemmata 3.2 and 3.4, and Proposition 4.4 from Harvey's paper.)

To ﬁnd singular points of ˜

f, it suﬃces to ﬁnd the roots of the 2×2 polynomial system F:=

(˜

f(x), D1,0˜

f(x)) over Fp. This is done by ﬁrst transforming the problem to factorization of a

univariate polynomial UFvia univariate reduction over the ﬁnite ﬁeld (see, e.g. [Roj99]). In

particular deg UF≤d2and roots of UFwill encode information on tuple (x1, x2) as solutions

to the polynomial system F. Computing UFcan be done in time polynomial in the mixed area

of the Newton polygons of F, and takes time ˜

O(d15) and space O(d4) ([Roj99]). Then we use

the fast randomized Kedlaya-Umans factoring algorithm in [KU08] to ﬁnd solutions to UF

in Fp, and thereby the singular points of ˜

f. This takes time (d3log p)1+o(1) + (d2log2p)1+o(1)

and requires O(d2log p) random bits.

In order to continue the recursion, we need to compute p-adic valuations of polynomial

coeﬃcients to determine s(f0,0, ζ (0) ) and the edges emanating from the root node. Expanding

f(ζ(0) +px) mod pktakes time no worse than d2(klog p)1+o(1) via Horner’s method and fast

ﬁnite ring arithmetic (see, e.g., [BS96, vzGG13]). Computing s(f0,0, ζ(0)) thus takes time

d(klog p)1+o(1) by evaluating p-adic valuations using standard tools such as binary methods.

By Assertion (2) of Lemma 4.11, there are no more than d

2many such ζ(0). So the total

work so far is d15+ε(klog p)1+o(1)p1/2+ε. Note that computing the univariate reduction UF

and Np,1(f) via algorithm in [Har15] dominates the computation.

The remaining work can also be well-bounded similarly by Lemma 4.11. In particular, the

sum of the degress if ˜

fi,ζ at level iof the tree Tp,k(f) is no greater than d

2.

Now observe that for i≥2, the amount of work needed to determine the polynomials at

level ivia computing s(fi−1,µ, ζ(i−1)) is no greater than d

2d(klog p)1+o(1). As deg ˜

f1,ζ ≤dfor

every fi,ζ in the tree Tp,k(f) and there are at most d

2many such polynomials for each i≥1,

the total amount of work for point counting over Fp, univariate reduction and factorization

for each subsequent level of Tp,k (f) will be d17+ε(klog p)1+o(1)p1/2+εwith O(d2log p) random

bits needed. The expansion of the fi,ζ at level iwill take time no greater than d3(klog p)1+o(1)

to compute. So the total work at each subsequent level is d17+ε(klog p)1+o(1)p1/2+ε.

Therefore the total amount of work for our tree will be d17+ε(klog p)2+εp1/2+ε, and the

number of random bits needed is O(d2klog p).

The argument proving the Las Vegas properties of our algorithm can be done similarly

as in [KRRZ19]. In particular, we run factorization algorithm for suﬃciently many times to

reduce the overall error probability to less than 2/3. Thanks to Lemma 4.11, it is enough to

enforce a success probability of O(1

d2k) for each application of factorization, and to run the

algorithm from [KU08] for O(log(dk)) times for each time we need univariate factorization.

So a total of O(d2klog(dk) log p) many random bits is needed.

Our algorithm proceeds with building the tree structure Tp,k (f), so we only need to keep

track of collections of fi,ζ . A bivariate polynomial of degree dwith integer coeﬃcients all of

absolute value less than pkrequires O(dk log p) bits to store, and there are no more than d

2k

many polynomials in Tp,k(f). Combining with the space needed from algorithm in [Har15],

we only need O(d4kp1/2log p) space.

If ˜

fdeﬁnes a smooth and irreducible curve over the algebraic closure ¯

Fpof Fpthen the

second part of the theorem follows immediately by combining our bivariate version of Hensel’s

Lemma (Lemma 3.2) with Kedlaya’s quantum point counting algorithm from [Ked06].


5. Appendix: Remaining Proofs and Finessing Exceptional Curves

5.1. Proof of Lemma 3.2 (Higher-Dimensional Hensel's Lemma). Consider the Taylor expansion of $f$ at $\sigma$ by $p^j x$,
$$f(\sigma + p^j x) = f(\sigma) + p^j \left( \frac{\partial f}{\partial x_1}(\sigma)\, x_1 + \frac{\partial f}{\partial x_2}(\sigma)\, x_2 \right) + \sum_{i_1 + i_2 \ge 2} p^{j(i_1 + i_2)} D_{i_1, i_2} f(\sigma)\, x_1^{i_1} x_2^{i_2}$$
$$= f(\sigma) + p^j \left( \frac{\partial f}{\partial x_1}(\sigma)\, x_1 + \frac{\partial f}{\partial x_2}(\sigma)\, x_2 \right) \bmod p^{j+1},$$
as $j(i_1 + i_2) \ge j + 1$ for all $i_1 + i_2 \ge 2$. Then $t := (t_1, t_2)$ is such that $\sigma + t p^j$ is a solution to $f \equiv 0 \bmod p^{j+1}$ if and only if
$$\frac{\partial f}{\partial x_1}(\sigma)\, t_1 + \frac{\partial f}{\partial x_2}(\sigma)\, t_2 = -\frac{f(\sigma)}{p^j} \bmod p. \tag{3}$$
As $\zeta^{(0)} = \sigma \bmod p$ is a smooth point on $\tilde f$, there exists an $i$ such that $\frac{\partial f}{\partial x_i}(\sigma) = \frac{\partial f}{\partial x_i}(\zeta^{(0)}) \ne 0 \bmod p$. Then the left hand side of (3) does not vanish identically, and thus defines a nontrivial linear relation in $(\mathbb{Z}/p\mathbb{Z})^2$. So fixing $\zeta$, there are exactly $p$ many $t \in (\mathbb{Z}/p\mathbb{Z})^2$ satisfying (3).
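As an added illustration of the lifting step just proved (this is example code, not code from the paper), the following Python snippet solves the linear congruence (3) to enumerate the $p$ lifts of a root mod $p^j$ whose reduction is a smooth point, chains the step from $p$ up to $p^k$, and checks the resulting $p^{k-1}$ roots against an exhaustive search. Assumptions: a polynomial in $\mathbb{Z}[x_1, x_2]$ is a dict mapping exponent pairs to integer coefficients, and the curve $x_2^2 = x_1^3 + x_1 + 1$ with $p = 5$ is a constructed sample input.

```python
# Added example, not from the paper: the lifting step of Lemma 3.2 made explicit.
# A polynomial in Z[x1, x2] is a dict {(i1, i2): integer coefficient}.
from itertools import product

def evaluate(f, x1, x2, m):
    """f(x1, x2) mod m."""
    return sum(c * pow(x1, i1, m) * pow(x2, i2, m) for (i1, i2), c in f.items()) % m

def partial(f, var):
    """Formal partial derivative of f with respect to x1 (var=0) or x2 (var=1)."""
    g = {}
    for (i1, i2), c in f.items():
        e = (i1, i2)[var]
        if e:
            mono = (i1 - 1, i2) if var == 0 else (i1, i2 - 1)
            g[mono] = g.get(mono, 0) + e * c
    return g

def hensel_lifts(f, sigma, p, j):
    """All roots of f mod p^(j+1) that are congruent to sigma mod p^j.  Requires sigma to be a
    root mod p^j whose reduction mod p is a smooth point of f~.  Each lift is sigma + p^j t with
    t in (Z/pZ)^2 satisfying the linear congruence (3):
        f_x1(sigma) t1 + f_x2(sigma) t2 = -f(sigma)/p^j  (mod p)."""
    pj = p ** j
    assert evaluate(f, sigma[0], sigma[1], pj) == 0, "sigma must be a root mod p^j"
    a = evaluate(partial(f, 0), sigma[0], sigma[1], p)
    b = evaluate(partial(f, 1), sigma[0], sigma[1], p)
    assert (a, b) != (0, 0), "sigma must reduce to a smooth point mod p"
    # f(sigma) mod p^(j+1) is a multiple of p^j; its quotient by p^j is the right-hand side of (3)
    rhs = (-(evaluate(f, sigma[0], sigma[1], pj * p) // pj)) % p
    return [((sigma[0] + t1 * pj) % (pj * p), (sigma[1] + t2 * pj) % (pj * p))
            for t1, t2 in product(range(p), repeat=2) if (a * t1 + b * t2 - rhs) % p == 0]

def lift_chain(f, zeta0, p, k):
    """Lift a smooth root zeta0 of f mod p level by level to all roots mod p^k above it."""
    current = [zeta0]
    for j in range(1, k):
        current = [lift for sigma in current for lift in hensel_lifts(f, sigma, p, j)]
    return current

def brute_roots_above(f, zeta0, p, k):
    """Exhaustive check: roots of f mod p^k whose reduction mod p is zeta0."""
    m = p ** k
    return [(x1, x2) for x1 in range(zeta0[0], m, p) for x2 in range(zeta0[1], m, p)
            if evaluate(f, x1, x2, m) == 0]

if __name__ == "__main__":
    # constructed example: f = x2^2 - x1^3 - x1 - 1 and p = 5; (0, 1) is a smooth root mod 5
    # because f_x1(0, 1) = -1 != 0 mod 5.  Lemma 3.2 predicts 5^(k-1) = 25 roots mod 125 above it.
    f = {(0, 2): 1, (3, 0): -1, (1, 0): -1, (0, 0): -1}
    print(len(lift_chain(f, (0, 1), 5, 3)), len(brute_roots_above(f, (0, 1), 5, 3)))
```

Each call to hensel_lifts returns exactly $p$ points, as the proof says, because (3) is a nontrivial linear condition on $t \in (\mathbb{Z}/p\mathbb{Z})^2$; the brute-force list coincides with the chained lifts, which is the content of the lemma for this input.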

5.2. The Proof of Lemma 4.3. We prove by induction on the number of irreducible components of $F$.

When $l = 1$, $F = F_1^{e_1}$. By Lemma 2.2, $m_\zeta(F) = e_1 m_\zeta(F_1)$ for every $\zeta \in \mathbb{F}_p^2$. Then by Lemma 4.2 and expanding
$$\sum_{\zeta \text{ on } F_1} \frac{m_\zeta(F)}{e_1} \left( \frac{m_\zeta(F)}{e_1} - 1 \right) \le d_1 (d_1 - 1),$$
the conclusion holds.

Now suppose the inequality holds for $l - 1 > 1$, and let $F' = \prod_{i=1}^{l-1} F_i^{e_i}$ and $d'$ be its degree, and let $F_l$ be irreducible with no common component with $F'$. Then $\sum_{\zeta \text{ on } F_l} m_\zeta(F_l^{e_l}) \big( m_\zeta(F_l^{e_l}) - e_l \big) \le e_l d_l (e_l d_l - e_l)$, and
$$\sum_{J \subseteq \{1, \dots, l-1\}} \left( \sum_{\zeta \in S_J} m_\zeta(F') \Big( m_\zeta(F') - \sum_{j \in J} e_j \Big) + \sum_{\substack{\zeta \in T_J \\ |J| \ge 2}} m_\zeta(F') \right) \le d'(d' - 1).$$
By Lemma 4.1, we must have $\sum_\zeta m_\zeta(F') m_\zeta(F_l^{e_l}) \le d' d_l e_l$. Summing over all $J \subseteq \{1, \dots, l-1\}$, we have
$$\sum_J \left( \sum_{\zeta \in S_J} m_\zeta(F') \Big( m_\zeta(F') - \sum_{j \in J} e_j \Big) + \sum_{\substack{\zeta \in T_J \\ |J| \ge 2}} m_\zeta(F') \right) + 2 \sum_\zeta m_\zeta(F') m_\zeta(F_l^{e_l}) + \sum_{\zeta \text{ on } F_l} m_\zeta(F_l^{e_l}) \big( m_\zeta(F_l^{e_l}) - e_l \big)$$
$$\le d'(d' - 1) + 2 d' d_l e_l + (d_l e_l)^2 - e_l^2 d_l \le (d' + d_l e_l)^2 - d' - e_l^2 d_l \le d(d - 1).$$

Note that for each $J \subseteq \{1, \dots, l-1\}$ and each $\zeta \in S_J$ such that $\zeta$ is not a point of $F_l$, $m_\zeta(F') = m_\zeta(F)$. If $\zeta \in S_{J \cup \{l\}} \setminus T_{J \cup \{l\}}$, then $m_\zeta(F_l^{e_l}) + m_\zeta(F') > e_l + \sum_{j \in J} e_j$, and
$$m_\zeta(F') \Big( m_\zeta(F') - \sum_{i \in J} e_i \Big) + 2 m_\zeta(F_l^{e_l}) m_\zeta(F') + m_\zeta(F_l^{e_l}) \big( m_\zeta(F_l^{e_l}) - e_l \big)$$
$$= \big( m_\zeta(F') + m_\zeta(F_l^{e_l}) \big)^2 - \sum_{i \in J} e_i\, m_\zeta(F') - e_l\, m_\zeta(F_l^{e_l}) \ge m_\zeta(F) \Big( m_\zeta(F) - \sum_{i \in J \cup \{l\}} e_i \Big).$$
So we can rewrite
$$A := \sum_{J \subseteq \{1, \dots, l-1\}} \left( \sum_{\zeta \in S_J} m_\zeta(F') \Big( m_\zeta(F') - \sum_{j \in J} e_j \Big) + 2 \sum_{\zeta \notin T_{J \cup \{l\}}} m_\zeta(F') m_\zeta(F_l^{e_l}) \right) + \sum_{\zeta \in S_{\{l\}}} m_\zeta(F_l^{e_l}) \big( m_\zeta(F_l^{e_l}) - e_l \big)$$
$$\ge \sum_{J \subseteq \{1, \dots, l-1\}} \left( \sum_{\zeta \in S_J} m_\zeta(F) \Big( m_\zeta(F) - \sum_{j \in J} e_j \Big) + \sum_{\zeta \in S_{J \cup \{l\}}} m_\zeta(F) \Big( m_\zeta(F) - \sum_{j \in J \cup \{l\}} e_j \Big) \right) + \sum_{\zeta \in S_{\{l\}}} m_\zeta(F) \big( m_\zeta(F) - e_l \big)$$
$$= \sum_{I \subseteq \{1, \dots, l\}} \sum_{\zeta \in S_I} m_\zeta(F) \Big( m_\zeta(F) - \sum_{i \in I} e_i \Big).$$

On the other hand, if $\zeta \in T_{J \cup \{l\}}$, we must have $m_\zeta(F_l^{e_l}) + m_\zeta(F') = e_l + \sum_{j \in J} e_j$. Then summing over all $J \subseteq \{1, \dots, l-1\}$,
$$B := \sum_J \left( \sum_{\substack{\zeta \in T_J \\ |J| \ge 2}} m_\zeta(F') + 2 \sum_{\zeta \in T_{J \cup \{l\}}} m_\zeta(F') m_\zeta(F_l^{e_l}) \right)$$
$$= \sum_J \left( \sum_{\substack{\zeta \in T_J \\ |J| \ge 2}} m_\zeta(F) + 2 \sum_{\substack{\zeta \in T_{J \cup \{l\}} \\ |J| \ge 2}} m_\zeta(F') m_\zeta(F_l^{e_l}) \right) + \sum_{i=1}^{l-1} \sum_{\zeta \in T_{\{i, l\}}} m_\zeta(F') m_\zeta(F_l^{e_l})$$
$$\ge \sum_J \left( \sum_{\substack{\zeta \in T_J \\ |J| \ge 2}} m_\zeta(F) + \sum_{\substack{\zeta \in T_{J \cup \{l\}} \\ |J| \ge 2}} m_\zeta(F) \right) + \sum_{i=1}^{l-1} \sum_{\zeta \in T_{\{i, l\}}} m_\zeta(F') = \sum_I \sum_{\substack{\zeta \in T_I \\ |I| \ge 2}} m_\zeta(F).$$
The last inequality holds because for $a, b \ge 1$, we must have $2ab \ge a + b$.

Combining all of the above computations, we have
$$\sum_I \left( \sum_{\zeta \in S_I} m_\zeta(F) \Big( m_\zeta(F) - \sum_{i \in I} e_i \Big) + \sum_{\substack{\zeta \in T_I \\ |I| \ge 2}} m_\zeta(F) \right) \le A + B \le d(d - 1).$$
The conclusion thus follows.

5.3. The Proof of Lemma 4.11.

Assertion (1): By Definitions 2.3 and 4.9, each $(f_{i,\zeta}, k_{i,\zeta})$ whose parent node is $(f_{i-1,\mu}, k_{i-1,\mu})$ must satisfy $1 \le k_{i-1,\mu} - k_{i,\zeta} \le k_{i-1,\mu} - 1$, and $1 \le k_{i,\zeta} \le k - 1$ for all $i \ge 1$. So considering any root-to-leaf path in $T_{p,k}(f)$, it is clear that the depth of $T_{p,k}(f)$ can be no greater than $1 + (k - 1) = k$.

Assertion (2): If $s(g) = s(h) = 0$, then by Lemma 4.5, $\tilde f(x) \in \mathbb{F}_p[x]$ is square-free. As the multiplicity of any singular point is at least 2, by Lemma 4.2, $\tilde f$ has at most $\binom{d}{2}$ many singular points. In this case, each edge emanating from the root of $T_{p,k}(f)$ corresponds to a unique singular point of $\tilde f_{0,0}$.

Suppose otherwise, and without loss of generality $0 = s(g) < s(h) = c$. Then each edge emanating from the root node corresponds to the set $\{\zeta_1^{(0)}\} \times \mathbb{F}_p$ for a unique degenerate root $\zeta_1^{(0)}$ of the univariate polynomial $\tilde g(x_1)$. As $\tilde g$ has at most $\frac{\deg \tilde g}{2} \le \frac{d}{2} \le \binom{d}{2}$ degenerate roots, we are done.

Assertion (3): Suppose $f_{i-1,\mu} = g_{i-1}(x_1) + h_{i-1}(x_2) \in \mathbb{Z}[x]$ with $s(g_{i-1}) = s(h_{i-1}) = 0$. Then $\zeta^{(i-1)}$ is a singular point of $\tilde f_{i-1,\mu}$, and let
$$s := s(f_{i-1,\mu}, \zeta^{(i-1)}) = \min_{0 \le i_1 + i_2 \le k_{i,\zeta} - 1} \Big( (i_1 + i_2) + \operatorname{ord}_p D_{i_1, i_2} f_{i-1,\mu}(\zeta^{(i-1)}) \Big).$$
So then for each pair $(\ell_1, \ell_2)$ with $\ell_1 + \ell_2 \ge s + 1$, the coefficient of $x_1^{\ell_1} x_2^{\ell_2}$ in the perturbation $f_{i-1,\mu}(\zeta^{(i-1)} + px)$ must be divisible by $p^{s+1}$. In other words, the coefficient of $x_1^{\ell_1} x_2^{\ell_2}$ in $f_{i,\zeta}(x)$ must be divisible by $p$. So $\deg \tilde f_{i,\zeta} \le s$.

Now by Lemma 3.4, we know that the multiplicity of $\zeta^{(i-1)}$ on $\tilde f_{i-1,\mu}$ satisfies $m_{\zeta^{(i-1)}}(\tilde f_{i-1,\mu}) \ge s(f_{i-1,\mu}, \zeta^{(i-1)})$. Combining with Lemma 4.2, we have
$$\sum_{(f_{i,\zeta}, k_{i,\zeta}) \text{ a child of } (f_{i-1,\mu}, k_{i-1,\mu})} \deg \tilde f_{i,\zeta} \left( \deg \tilde f_{i,\zeta} - 1 \right) \le \sum_{\zeta^{(i-1)} \text{ sing. point on } \tilde f_{i-1,\mu}} m_{\zeta^{(i-1)}}(\tilde f_{i-1,\mu}) \left( m_{\zeta^{(i-1)}}(\tilde f_{i-1,\mu}) - 1 \right) \le \deg \tilde f_{i-1,\mu} \left( \deg \tilde f_{i-1,\mu} - 1 \right).$$

Suppose without loss of generality $0 = s(g_{i-1}) < s(h_{i-1}) = c$. Then by a similar argument $\deg \tilde f_{i,\zeta} \le s(f_{i-1,\mu}, \zeta^{(i-1)}) = \min(s(\tilde g, \zeta_1^{(i-1)}), c) \le s(\tilde g, \zeta_1^{(i-1)})$. By Lemma 4.11 we have that $\sum_{\zeta_1^{(i-1)} \text{ a deg. root of } \tilde g_{i-1}} s(\tilde g_{i-1}, \zeta_1^{(i-1)}) \le \deg \tilde g_{i-1}$, so then $\sum_{(f_{i,\zeta}, k_{i,\zeta}) \text{ a child of } (f_{i-1,\mu}, k_{i-1,\mu})} \deg \tilde f_{i,\zeta} \le \deg \tilde g_{i-1}$. We are done, simply by observing that for $\deg \tilde f_{i,\zeta} \ge 2$ and any collection of $a_i > 2$, we must have $\sum a_i (a_i - 1) \le \left( \sum a_i \right) \left( \sum a_i - 1 \right)$.

Assertion (4): This is immediate from Assertions (1) and (3).

5.4. The Proof of Lemma 4.7. Any point over $\mathbb{F}_p$ on $\tilde f(x)$ is nonsingular if and only if $D_{1,0}(\tilde f) = \tilde g'(x_1) \ne 0 \bmod p$, as $h(x_2)$ is identically $0 \bmod p$. In other words, any nonsingular point on $\tilde f$ is of the form $(\zeta_1^{(0)}, y)$ where $\zeta_1^{(0)}$ is a non-degenerate root of $\tilde g$, and $y \in \{0, 1, \dots, p-1\}$ is arbitrary. So the number of non-singular points on $\tilde f$ is $n_p(f) = p \cdot n_p(g)$. The first summand in the equation then follows by plugging this into the first summand in Lemma 2.4.

Now suppose $\zeta_0 := \zeta_1^{(0)}$ is a degenerate root of the univariate polynomial $\tilde g$, and $\zeta^{(0)} = \{\zeta_0\} \times \mathbb{F}_p$. Write $\sigma = \zeta_0 + p\tau$, where $\tau := \zeta_1 + \dots + p^{k-2} \zeta_{k-1} \in \mathbb{Z}/p^{k-1}\mathbb{Z}$ via base-$p$ expansion. Then by definition $f(\zeta_0 + px_1, x_2) = p^{s(f, \zeta^{(0)})} f_{1,\zeta^{(0)}}(x_1, x_2)$, where $f_{1,\zeta^{(0)}} \in \mathbb{Z}[x_1, x_2]$ does not vanish identically mod $p$.

If $k \le s(f, \zeta^{(0)})$, then $f(\sigma, y) = 0 \bmod p^k$ regardless of the choice of $\tau \in \mathbb{Z}/p^{k-1}\mathbb{Z}$ and $y \in \mathbb{Z}/p^k\mathbb{Z}$. So there are exactly $p^{k-1} \cdot p^k = p^{2k-1}$ many pairs $(\sigma, y) \in (\mathbb{Z}/p^k\mathbb{Z})^2$ such that $\sigma = \zeta_0 \bmod p$ and $f(\sigma, y) = 0 \bmod p^k$.

If $s(f, \zeta^{(0)}) \le k - 1$, then $f(\sigma, y) = 0 \bmod p^k$ if and only if
$$f_{1,\zeta^{(0)}}(\tau, y) = 0 \bmod p^{k - s(f, \zeta^{(0)})}. \tag{4}$$
Let $s := s(f, \zeta^{(0)})$; then $\tau = \zeta_1 + p\zeta_2 + \dots + p^{k-s-1} \zeta_{k-s} \bmod p^{k-s}$ and $y := \sum_{i=0}^{k-1} p^i y_i = y_0 + \dots + p^{k-s-1} y_{k-s-1} \bmod p^{k-s}$. So the remaining base-$p$ digits, $\zeta_{k-s+1}, \dots, \zeta_{k-1}$ and $y_{k-s}, \dots, y_{k-1}$ respectively, do not appear in Equality (4). The number of lifts $\zeta$ whose first coordinate mod $p$ is $\zeta_0$ is thus exactly $p^{s-1} \cdot p^s$ times the number of roots $(\tau, y) \in (\mathbb{Z}/p^{k-s}\mathbb{Z})^2$ of $f_{1,\zeta^{(0)}}$.
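The tree-building recursion described in the proof of Theorem 1.1 and the fibre count of Lemma 4.7 just proved can both be seen in one small program. What follows is an added example, not the paper's Algorithm 4.6 and not the authors' code: points over $\mathbb{F}_p$ are found by exhaustive search instead of [Har15] and univariate reduction, so nothing here is sub-linear in $p$; what it demonstrates is the recursion on nodes $(f_i, k_i)$ with the weights $p^{2(s-1)}$ (perturbation at a single singular point) and $p^{s-1} \cdot p^s$ (perturbation of a whole line $\{\zeta_0\} \times \mathbb{F}_p$, as in Lemma 4.7). Assumptions: polynomials are dicts mapping exponent pairs to integer coefficients, the Hasse derivative $D_{i_1,i_2}f(\zeta)$ is read off as the coefficient of $x_1^{i_1} x_2^{i_2}$ in $f(\zeta + x)$, and the inputs $x_1^2 + 3x_2$ over $\mathbb{Z}/27\mathbb{Z}$ and $x_2^2 = x_1^3 + x_1^2$ over $\mathbb{Z}/25\mathbb{Z}$ are constructed samples.

```python
# Added example, not the paper's Algorithm 4.6: N_{p,k}(f) computed through the perturbation
# tree T_{p,k}(f) of Definition 4.9, plus the fibre grouping of Lemma 4.7 for f = g(x1) + h(x2).
# Points over F_p are found by exhaustive search, so nothing here is sub-linear in p; what the
# code shows is the recursion on nodes (f_i, k_i) and the weights p^(2(s-1)) and p^(s-1) * p^s.
# A polynomial in Z[x1, x2] is a dict {(i1, i2): integer coefficient}.
from itertools import product
from math import comb

def evaluate(f, x1, x2, m):
    """f(x1, x2) mod m."""
    return sum(c * pow(x1, i1, m) * pow(x2, i2, m) for (i1, i2), c in f.items()) % m

def vp(n, p):
    """p-adic valuation of the nonzero integer n."""
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v

def shifted(f, shift, scale):
    """Expand f(shift[0] + scale[0]*x1, shift[1] + scale[1]*x2) over Z by the binomial theorem.
    With scale = (1, 1) the coefficient of x1^i1 x2^i2 is the Hasse derivative D_{i1,i2} f(shift)."""
    g = {}
    for (i1, i2), c in f.items():
        for j1, j2 in product(range(i1 + 1), range(i2 + 1)):
            coef = (c * comb(i1, j1) * comb(i2, j2) * shift[0] ** (i1 - j1)
                    * shift[1] ** (i2 - j2) * scale[0] ** j1 * scale[1] ** j2)
            g[(j1, j2)] = g.get((j1, j2), 0) + coef
    return {mono: c for mono, c in g.items() if c != 0}

def divide_out_p(g, p):
    """Write the nonzero polynomial g as p^s * g1 with g1 not identically 0 mod p; return (s, g1)."""
    s = min(vp(c, p) for c in g.values())
    return s, {mono: c // p ** s for mono, c in g.items()}

def is_singular(f, zeta, p):
    """A root zeta of f mod p is singular iff D_{1,0} f(zeta) = D_{0,1} f(zeta) = 0 mod p."""
    taylor = shifted(f, zeta, (1, 1))
    return taylor.get((1, 0), 0) % p == 0 and taylor.get((0, 1), 0) % p == 0

def count_roots(f, p, k):
    """N_{p,k}(f): the number of (x1, x2) in (Z/p^kZ)^2 with f(x1, x2) = 0 mod p^k."""
    total = 0
    for zeta in product(range(p), repeat=2):
        if evaluate(f, zeta[0], zeta[1], p) != 0:
            continue
        if not is_singular(f, zeta, p):
            total += p ** (k - 1)          # Lemma 3.2: a smooth point lifts to p^(k-1) roots mod p^k
            continue
        s, f1 = divide_out_p(shifted(f, zeta, (p, p)), p)   # f(zeta + p x) = p^s f1(x), s >= 1
        if s >= k:
            total += p ** (2 * (k - 1))    # every lift of zeta is a root mod p^k
        else:
            total += p ** (2 * (s - 1)) * count_roots(f1, p, k - s)   # child node (f1, k - s)
    return total

def separated(g, h):
    """Bivariate dict for f = g(x1) + h(x2), with g, h univariate dicts {exponent: coefficient}."""
    f = {}
    for i, c in g.items():
        f[(i, 0)] = f.get((i, 0), 0) + c
    for j, c in h.items():
        f[(0, j)] = f.get((0, j), 0) + c
    return {mono: c for mono, c in f.items() if c != 0}

def count_roots_separated(g, h, p, k):
    """Lemma 4.7: with h = 0 mod p the reduction is f~ = g~(x1), so the singular locus is the union
    of the lines {zeta0} x F_p over the degenerate roots zeta0 of g~.  Each line is perturbed
    once, as f(zeta0 + p x1, x2) = p^s f1(x1, x2), instead of point by point."""
    assert all(c % p == 0 for c in h.values()), "Lemma 4.7 assumes h = 0 mod p"
    f = separated(g, h)
    total = 0
    for zeta0 in range(p):
        if evaluate(f, zeta0, 0, p) != 0:          # g~(zeta0) != 0, since h~ = 0
            continue
        if not is_singular(f, (zeta0, 0), p):     # non-degenerate root: p smooth points on the line
            total += p * p ** (k - 1)
            continue
        s, f1 = divide_out_p(shifted(f, (zeta0, 0), (p, 1)), p)
        if k <= s:
            total += p ** (2 * k - 1)              # the whole line lifts: p^(k-1) * p^k pairs
        else:
            total += p ** (s - 1) * p ** s * count_roots(f1, p, k - s)
    return total

def brute_count(f, p, k):
    """Exhaustive count, for checking the recursion on small inputs."""
    m = p ** k
    return sum(1 for x1, x2 in product(range(m), repeat=2) if evaluate(f, x1, x2, m) == 0)

if __name__ == "__main__":
    # constructed example: f = x1^2 + 3 x2 over Z/27Z (p = 3, k = 3).  g~ = x1^2 has the single
    # degenerate root 0, so {0} x F_3 is the only edge out of the root of T_{3,3}(f); all three
    # counts below agree (27).
    f = separated({2: 1}, {1: 3})
    print(count_roots_separated({2: 1}, {1: 3}, 3, 3), count_roots(f, 3, 3), brute_count(f, 3, 3))
```

For $x_1^2 + 3x_2$ the line $\{0\} \times \mathbb{F}_3$ is perturbed once with $s = 1$, giving the child $(3x_1^2 + x_2, 2)$ whose reduction is smooth, whereas count_roots visits the three points of that line separately and reaches the same total; the nodal cubic $x_2^2 = x_1^3 + x_1^2$ exercises the single-point branch, where the node $(0,0)$ has $s = 2 \ge k$ and every one of its $p^{2(k-1)}$ lifts is a root.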

5.5. Exceptional Curves. Let $f(x) \in \mathbb{Z}[x]$ be a nonconstant polynomial, and let $s(f)$ denote the largest power of $p$ dividing all the coefficients of $f$.

Consider $f(x) = g^d(x) + p^{cd} h(x) \in \mathbb{Z}[x]$, with $d \ge 2$ and $c \ge 1$. Moreover, $f(x) \equiv g^d(x) \bmod p$ and $f$ is irreducible mod $p$.

For $k \le cd$, $f(x) = g^d(x) \bmod p^k$. Now suppose $\zeta^{(0)}$ is a smooth point on $(g \bmod p)$. Then by Hensel's Lemma (Lemma 3.2), $\zeta^{(0)}$ lifts to $p^{\lceil k/d \rceil - 1}$ many roots of $g \bmod p^{\lceil k/d \rceil}$. Suppose $\sigma$ is one of the lifts; then $\sigma + p^{\lceil k/d \rceil} \tau$ for any $\tau \in (\mathbb{Z}/p^{k - \lceil k/d \rceil}\mathbb{Z})^2$ is a root of $(g^d \bmod p^k)$. So each $\zeta^{(0)}$ lifts to $p^{\lceil k/d \rceil - 1} \cdot p^{2(k - \lceil k/d \rceil)} = p^{2k - \lceil k/d \rceil - 1}$ many roots of $f \bmod p^k$.

Now suppose $k > cd$, and let $\zeta$ be a root of $f \bmod p^{cd}$ such that $\zeta^{(0)} \equiv \zeta \bmod p$ is a smooth point on $g$. Consider the Taylor expansion of $f$ at $\zeta$:
$$f(\zeta + p^{cd} x) = [g(\zeta) + T(x)]^d + p^{cd} h(\zeta + p^{cd} x)$$
$$= g(\zeta)^d + p^{cd} h(\zeta) + \sum_{l=1}^{d} \binom{d}{l} g(\zeta)^{d-l} T(x)^l + \sum_{i_1 + i_2 \ge 1} D_{i_1, i_2} h(\zeta)\, p^{cd(i_1 + i_2 + 1)} x_1^{i_1} x_2^{i_2} \tag{5}$$
where $T(x) := g(\zeta + p^{cd} x) - g(\zeta) = \sum_{i_1 + i_2 \ge 1} D_{i_1, i_2} g(\zeta)\, p^{cd(i_1 + i_2)} x_1^{i_1} x_2^{i_2}$. As $\zeta^{(0)}$ is a smooth point on $g$, either $D_{1,0} g(\zeta)$ or $D_{0,1} g(\zeta)$ is not zero mod $p$. Then $s(T) = cd$, and each term in the second summand of Equality (5) has valuation $(d - l)\operatorname{ord}_p g(\zeta) + lcd$.

If $\zeta^{(0)}$ is also a point on $h \bmod p$, then $\zeta$ continues to lift, and by Lemma 4.1, there are at most $d^2$ many such $\zeta^{(0)}$. However, there are cases when $h(\zeta) \ne 0 \bmod p$, yet $\zeta$ continues to lift to $p^k$ for $k > cd$.

This could only happen when $g(\zeta)^d + p^{cd} h(\zeta) \equiv 0 \bmod p^{cd+1}$, in which case $\operatorname{ord}_p g(\zeta) = c$. Now the second summand in Equality (5) must have order $(d-1)c + cd$, whereas the third summand has order $\ge 2cd$. So now $s(f, \zeta) = \min\big( \operatorname{ord}_p (g(\zeta)^d + p^{cd} h(\zeta)),\, (d-1)c + cd \big)$. If $s(f, \zeta) < (d-1)c + cd$ then $\tilde f_{cd,\zeta} = \frac{f(\zeta + p^{cd} x)}{p^{s(f,\zeta)}} \bmod p$ is a nonzero constant, and thus $\zeta$ does not lift. Suppose otherwise. Then
$$\tilde f_{cd,\zeta} = \frac{g(\zeta)^d + p^{cd} h(\zeta)}{p^{s(f,\zeta)}} + \frac{d\, g(\zeta)^{d-1}}{p^{(d-1)c}} \big( D_{1,0} g(\zeta)\, x_1 + D_{0,1} g(\zeta)\, x_2 \big) \bmod p,$$
which defines a line! By Hensel's Lemma, we are done!

So the problem boils down to determining a criterion for when $\operatorname{ord}_p \big( g(\zeta)^d + p^{cd} h(\zeta) \big) \ge (d-1)c + cd$ and $h(\zeta) \ne 0 \bmod p$ happens. Also, we need to compute $\operatorname{ord}_p \big( g(\zeta)^d + p^{cd} h(\zeta) \big)$ for every lift $\zeta \bmod p^{cd}$ of each non-isolated singular point $\zeta^{(0)}$, and there are exactly $p^{cd-1}$ many such $\zeta$.

In summary, computing perturbations for each and every singular point of $\tilde f$ can be very expensive going into higher dimensions: the underlying singular locus might not be zero-dimensional, which forces the calculation of a number of perturbations super-linear in $p$.

It turns out that for some families of curves, the non-isolated singular points are partitioned into groups that each lift uniformly. We will pursue this improvement in future work.

Acknowledgements

We are grateful to Daqing Wan for helpful comments on curves and error correcting codes.

References

[AH01] Leonard M. Adleman and Ming-Deh Huang. Counting points on curves and abelian varieties over finite fields. Journal of Symbolic Computation, 32(3):171–189, 2001.

[BGMWo11] Edward Bierstone, Dima Grigoriev, Pierre Milman, and Jarosław Włodarczyk. Effective Hironaka resolution and its complexity. Asian J. Math., 15(2):193–228, 2011.

[BLQ13] Jérémy Berthomieu, Grégoire Lecerf, and Guillaume Quintin. Polynomial root finding over local rings and application to error correcting codes. Appl. Algebra Eng. Commun. Comput., 24:413–443, 2013.

[BM20] Jennifer S. Balakrishnan and J. Steffen Müller. Computational tools for quadratic Chabauty. Preprint, Boston University, 2020. Draft of lecture notes for the 2020 Arizona Winter School on Nonabelian Chabauty.

[BS96] Eric Bach and Jeff Shallit. Algorithmic Number Theory, Vol. I: Efficient Algorithms. MIT Press, Cambridge, MA, 1996.

[BW10] Maheshanand Bhaintwal and Siri Krishan Wasan. Generalized Reed-Muller codes over $\mathbb{Z}_q$. Des. Codes Cryptogr., 54(2):149–166, 2010.

[CDV06] Wouter Castryck, Jan Denef, and Frederik Vercauteren. Computing zeta functions of nondegenerate curves. Technical report, International Mathematics Research Papers, vol. 2006, article ID 72017, 2006.

[CGRW18] Qi Cheng, Shuhong Gao, J. Maurice Rojas, and Daqing Wan. Counting roots for polynomials modulo prime powers. In Proceedings of ANTS XIII (Algorithmic Number Theory Symposium, July 16–20, 2018, University of Wisconsin, Madison). Mathematical Sciences Publishers (Berkeley, California), 2018.

[CH15] Henry Cohn and Nadia Heninger. Ideal forms of Coppersmith's theorem and Guruswami-Sudan list decoding. Advances in Mathematics of Communications, 9(3):311–339, 2015.

[CL08] Antoine Chambert-Loir. Compter (rapidement) le nombre de solutions d'équations dans les corps finis. Séminaire Bourbaki, 2006/2007:39–90, 2008.

[Del74] Pierre Deligne. La conjecture de Weil. I. Publications Mathématiques de l'Institut des Hautes Études Scientifiques, 43(1):273–307, Dec 1974.

[DMS19] Ashish Dwivedi, Rajat Mittal, and Nitin Saxena. Counting basic-irreducible factors mod $p^k$ in deterministic poly-time and $p$-adic applications. arXiv e-prints, page arXiv:1902.07785, Feb 2019.

[DMS20] Ashish Dwivedi, Rajat Mittal, and Nitin Saxena. Computing Igusa's Local Zeta Function of Univariates in Deterministic Polynomial-Time. In S. K. Galbraith, editor, Proceedings of ANTS 2020 (Algorithmic Number Theory Symposium). Mathematical Sciences Publishers (Berkeley, California), 2020.

[GCM91] Javier Gomez-Calderon and Gary L. Mullen. Galois rings and algebraic cryptography. Acta Arith., 59(4):317–328, 1991.

[GG16] Steven D. Galbraith and Pierrick Gaudry. Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr., 78(1):51–72, 2016.

[GS99] V. Guruswami and M. Sudan. Improved decoding of Reed-Solomon and algebraic-geometry codes. IEEE Transactions on Information Theory, 45(6):1757–1767, Sep. 1999.

[GSS00] Venkatesan Guruswami, Amit Sahai, and Madhu Sudan. "Soft-decision" decoding of Chinese remainder codes. In 41st Annual Symposium on Foundations of Computer Science (Redondo Beach, CA, 2000), pages 159–168. IEEE Comput. Soc. Press, Los Alamitos, CA, 2000.

[Har15] David Harvey. Computing zeta functions of arithmetic schemes. Proceedings of the London Mathematical Society, 111(6):1379–1401, 11 2015.

[HKC+94] A. Roger Hammons, Jr., P. Vijay Kumar, A. R. Calderbank, N. J. A. Sloane, and Patrick Solé. The $\mathbb{Z}_4$-linearity of Kerdock, Preparata, Goethals, and related codes. IEEE Trans. Inform. Theory, 40(2):301–319, 1994.

[Igu07] Jun-Ichi Igusa. An Introduction to the Theory of Local Zeta Functions. AMS/IP Studies in Pure Maths Rep Series. American Mathematical Society, 2007.

[Ked01] Kiran S. Kedlaya. Counting points on hyperelliptic curves using Monsky-Washnitzer cohomology. J. Ramanujan Math. Soc., 16(4):323–338, 2001.

[Ked06] Kiran S. Kedlaya. Quantum computation of zeta functions of curves. Comput. Complexity, 15(1):1–19, 2006.

[KLP12] Tali Kaufman, Shachar Lovett, and Ely Porat. Weight distribution and list-decoding size of Reed-Muller codes. IEEE Trans. Inform. Theory, 58(5):2689–2696, 2012.

[Kob87] Neal Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.

[KRRZ19] Leann Kopp, Natalie Randall, J. Maurice Rojas, and Yuyu Zhu. Randomized Polynomial-Time Root Counting in Prime Power Rings. Mathematics of Computation, in production, 2019.

[KU08] Kiran Kedlaya and Christopher Umans. Fast polynomial factorization and modular composition. In P. Bro Miltersen, R. Reischuk, G. Schnitger, and D. van Melkebeek, editors, Computational Complexity of Discrete Problems, number 08381 in Dagstuhl Seminar Proceedings, Dagstuhl, Germany, 2008. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany.

[LW08] Alan G. B. Lauder and Daqing Wan. Counting points on varieties over finite fields of small characteristic. In Algorithmic number theory: lattices, number fields, curves and cryptography, pages 579–612, Cambridge, 2008. Math. Sci. Res. Inst. Publ., 44, Univ. Press.

[Mil86] Victor S. Miller. Use of elliptic curves in cryptography. In Advances in cryptology: CRYPTO '85 (Santa Barbara, Calif., 1985), volume 218 of Lecture Notes in Comput. Sci., pages 417–426. Springer, Berlin, 1986.

[NZM91] I. Niven, H. S. Zuckerman, and H. L. Montgomery. An Introduction to the Theory of Numbers. Wiley, 1991.

[Pil90] J. Pila. Frobenius maps of abelian varieties and finding roots of unity in finite fields. Mathematics of Computation, 55(192):745–763, 1990.

[PR11] Adrien Poteaux and Marc Rybowicz. Complexity bounds for the rational Newton-Puiseux algorithm over finite fields. Appl. Algebra Engrg. Comm. Comput., 22(3):187–217, 2011.

[Roj99] J. Maurice Rojas. Solving degenerate sparse polynomial systems faster. Journal of Symbolic Computation, 28(1):155–186, 1999.

[RZ20] J. Maurice Rojas and Yuyu Zhu. A complexity chasm for solving sparse polynomial equations over $p$-adic fields. arXiv e-prints, page arXiv:2003.00314, 2020.

[Sch85] René Schoof. Elliptic curves over finite fields and the computation of square roots mod $p$. Mathematics of Computation, 44(170):483–494, 1985.

[Sud97] Madhu Sudan. Decoding of Reed-Solomon codes beyond the error-correction bound. J. Complexity, 13(1):180–193, 1997.

[vdG01] Gerard van der Geer. Curves over finite fields and codes. In European Congress of Mathematics, Vol. II (Barcelona, 2000), volume 202 of Progr. Math., pages 225–238. Birkhäuser, Basel, 2001.

[vzGG13] Joachim von zur Gathen and Jürgen Gerhard. Modern Computer Algebra. Cambridge University Press, 3rd edition, 2013.

[Wan08] Daqing Wan. Algorithmic theory of zeta functions over finite fields. In Algorithmic number theory: lattices, number fields, curves and cryptography, pages 551–578. Math. Sci. Res. Inst. Publ., 44, Univ. Press, Cambridge, 2008.

[Wei49] André Weil. Numbers of solutions of equations in finite fields. Bull. Amer. Math. Soc., 55(5):497–508, May 1949.

[Zhu20] Yuyu Zhu. Trees, point counting beyond fields, and root separation. Ph.D. thesis, Texas A&M University, 2020.