Fast Arithmetics in Artin-Schreier Towers over Finite Fields

Transcription

1 Fast Arthmetcs n Artn-Schreer Towers over Fnte Felds Luca De Feo LIX, École Polytechnque Palaseau, France luca.defeo@polytechnque.edu Érc Schost ORCCA and CSD The Unversty of Western Ontaro, London, ON eschost@uwo.ca ABSTRACT An Artn-Schreer tower over the fnte feld F p s a tower of feld extensons generated by polynomals of the form X p X α. Followng Cantor and Couvegnes, we gve algorthms wth quas-lnear tme complexty for arthmetc operatons n such towers. As an applcaton, we present an mplementaton of Couvegnes algorthm for computng sogenes between ellptc curves usng the p-torson. Algo- Categores and Subject Descrptors: I.1.2 [Symbolc and Algebrac Manpulaton]: rthms Algebrac Algorthms General Terms: Algorthms, Theory Keywords: Algorthms, complexty, Artn-Schreer 1. INTRODUCTION Defntons. If U s a feld of characterstc p, polynomals of the form P = X p X α wth α U are called Artn-Schreer polynomals; a feld extenson U /U s Artn- Schreer f t s of the form U = U[X]/P, wth P an Artn- Schreer polynomal. An Artn-Schreer tower of heght k s a sequence of Artn- Schreer extensons U /U 1, for 1 k; t s denoted by (U 0,..., U k ). In what follows, we only consder extensons of fnte degree over F p. Thus, U s of degree p over U 0, and of degree p d over F p, wth d = [U 0 : F p ]. The mportance of ths concept comes from the fact that all Galos extensons of degree p are Artn-Schreer. As such, they arse frequently, e.g., n number theory (for nstance, when computng p k -torson groups of Abelan varetes over F p ). The need for fast arthmetcs n these towers s motvated n partcular by applcatons to sogeny computaton and pont-countng n cryptology, as n [7]. Our contrbuton. We gve fast algorthms for arthmetc operatons n Artn-Schreer towers. Pror results for ths task are due to Cantor [6] and Couvegnes [8]. However, the algorthms of [8] need as a prerequste a fast multplcaton algorthm n some towers of a specal knd (called Cantor Permsson to make dgtal or hard copes of all or part of ths work for personal or classroom use s granted wthout fee provded that copes are not made or dstrbuted for proft or commercal advantage and that copes bear ths notce and the full ctaton on the frst page. To copy otherwse, to republsh, to post on servers or to redstrbute to lsts, requres pror specfc permsson and/or a fee. ISSAC 09, July 28 31, 2009, Seoul, Republc of Korea. Copyrght 2009 ACM /09/07...$ towers n [8]). Such an algorthm s unfortunately not n the lterature, makng the results of [8] non practcal. Ths paper flls the gap. Techncally, our man algorthmc contrbuton s a fast change-of-bass algorthm; t makes t possble to obtan fast multplcaton routnes, and by extenson completely explct versons of all algorthms of [8]. Along the way, we also extend constructons of Cantor to the case of a general fnte base feld U 0, where Cantor had U 0 = F p. As an applcaton, we put to practce Couvegnes sogeny computaton algorthm [7]. Complexty notaton. We count tme complexty n number of operatons n F p. Then, notaton beng as before, optmal algorthms n U k would have complexty O(p k d); most of our results are (up to logarthmc factors) of the form O(p k+α d 1+β ), for small constants α, β such as 0, 1, 2 or 3. Many algorthms below rely on fast multplcaton; thus, we let M : N N be a multplcaton functon, such that polynomals of degree less than n can be multpled n M(n) operatons, under the condtons of [11, Ch. 8.3]. Typcal orders of magntude for M(n) are O(n log 2 3 ) for Karatsuba multplcaton or O(n log n log log n) for FFT multplcaton. Usng fast multplcaton, fast algorthms are avalable for Eucldean dvson or extended GCD [11, Ch. 9 & 11]. For several operatons, dfferent algorthms wll be avalable, and ther relatve effcences can depend on the values of p, d and k. In these stuatons, we always gve detals for the case where p s small, snce cases such as p = 2 or p = 3 are especally useful n practce. Some of our algorthms could be slghtly mproved, but we usually prefer gvng the smpler solutons. Prevous work. As sad above, ths paper bulds on former results of Cantor [6] and Couvegnes [8, 7]; to our knowledge, pror to ths paper, no prevous work provded the mssng ngredents to put Couvegnes algorthms to practce. Part of Cantor s results were ndependently dscovered by Wang and Zhu [26] and have been extended n another drecton (fast polynomal multplcaton over arbtrary fnte felds) by von zur Gathen and Gerhard [12] and Mateer [20]. Organzaton of the paper. Secton 2 conssts n prelmnares: trace computatons, dualty, bascs on Artn-Schreer extensons. In Secton 3, we defne a specfc Artn-Schreer tower, where arthmetc operatons wll be fast. Our key change-of-bass algorthm for ths tower s n Secton 4. In Sectons 5 and 6, we revst Couvegnes somorphsm algorthm [8] n our context, gvng fast arthmetcs for any Artn-Schreer tower. Fnally, Secton 7 gves expermental results obtaned by applyng our algorthms to Couvegnes sogeny algorthm [7] for ellptc curves.

2 2. PRELIMINARIES As a general rule, varables and polynomals are n upper case; elements algebrac over F p (or some other feld, that wll be clear from the context) are n lower case. 2.1 Element representaton Let Q 0 be n F p[x 0] and let (G ) 0 <k be a sequence of polynomals over F p, wth G n F p[x 0,..., X ]. We say that the sequence (G ) 0 <k defnes the tower (U 0,..., U k ) f for 0, U = F p [X 0,..., X ]/K, where K s the deal generated by P = X p X G 1 (X 0,..., X 1 ). P 1 = X p 1 X 1 G 0 (X 0 ) Q 0(X 0) n F p [X 0,..., X ], and f U s a feld. The resdue class of X (resp. G ) n U, and thus n U +1,..., s wrtten x (resp. γ ), so that we have x p x = γ 1. Fndng a sutable F p-bass to represent elements of a tower (U 0,..., U k ) s a crucal queston. If d = deg(q 0), a natural bass of U s the multvarate bass B = {x e 0 0 xe wth 0 e 0 < d and 0 e j < p for 1 j. However, n ths bass, we do not have very effcent arthmetc operatons, startng from multplcaton. See [18] for detals. As a workaround, we ntroduce the noton of a prmtve tower, where for all, x generates U over F p. In ths case, we let Q F p [X] be ts mnmal polynomal, of degree p d. In a prmtve tower, unless otherwse stated, we represent the elements of U on the F p -bass C = (1, x,..., x p d 1 ). To stress the fact that v U s represented on the bass C, we wrte v U. In ths bass, addtons and subtractons are done n tme p d, multplcatons n tme O(M(p d)) [11, Ch. 9] and nversons n tme O(M(p d) log(p d)) [11, Ch. 11]. 2.2 Trace and pseudotrace We contnue wth a few useful facts on traces. Let U be a feld and let U = U[X]/Q be a separable feld extenson of U, wth deg(q) = d. For a U, the trace Tr(a) s the trace of the U-lnear map M a of multplcaton by a n U. The trace s a U-lnear form; n other words, Tr s n the dual space U of the U-vector space U ; we wrte t Tr U /U when the context requres t. In fnte felds, we also have the followng well-known propertes: Tr Fq n /F q } : a P n 1 l=0 aql, (P 1) Tr Fq mn /F q = Tr Fq m /F q Tr Fq mn /F q m. (P 2 ) Besdes, f U /U s an Artn-Schreer extenson generated by a polynomal Q and x s a root of Q n U, then Tr U /U(x j )=0 for j < p 1; Tr U /U(x p 1 )= 1. (P 3) Followng [8], we also use a generalzaton of the trace. The nth pseudotrace of order m s the F p m-lnear operator T (n,m) : a P n 1 l=0 apml ; for m = 1, we call t the nth pseudotrace and wrte T n. In our context, for n = [U : U j] = p j and m = [U j : F p] = p j d, T (n,m) (v) concdes wth Tr U /U j (v) for v n U ; however T (n,m) (v) remans defned for v not n U, whereas Tr U /U j (v) s not. 2.3 Dualty Fnally, we dscuss two useful topcs related to dualty, startng wth the transposton of algorthms. Introduced by Kaltofen and Shoup, the transposton prncple relates the cost of computng an F p -lnear map f : V W to that of computng the transposed map f : W V. Explctly, from an algorthm that performs an r s matrxvector product b Mb, one can deduce an algorthm wth the same complexty, up to O(r+s), that performs the transposed product c M t c; see [5, 14, 1]. We gve here frst consequences of ths prncple, after [24, 25]. Consder a feld extenson U U = U[X]/Q. For w n U, recall that M w : U U s the multplcaton map M w(v) = vw. Its dual M w : U U acts on l U by M w(l)(v) = l (M w (v)) = l(vw) for v n U. We prefer to denote the lnear form M w(l) by w l, keepng n mnd that (w l)(v) = l(vw). Suppose then that D s a U-bass of U, n whch we can perform multplcaton n tme T. Then by the transposton prncple, gven w on D and l on the dual bass D, we can compute w l on the dual bass D n tme T + O(deg(Q)). We wll dscuss ths n more detal n Secton 4. Suppose fnally that U s separable over U and that b U generates U over U; gven w n U, we want to fnd an expresson w = A(b), for some A U[X]. Hereafter, for P U[X] of degree at most e, we wrte rev e (P ) = X e P (1/X) U[X]. Then, we defne l = w Tr U /U U and M = P j<d l(bj )X j, N =M rev d (Q) mod X d. (1) Ths constructon solves our problem: Theorem 3.1 n [22] shows that w = A(b), wth A = rev d 1 (N)Q 1 mod Q. We wll hereafter denote by FndParametrzaton(b, w) a subroutne that computes ths polynomal A. If Q s Artn- Schreer, the cost of FndParametrzaton s O(p 2 ) operatons (+, ) n U: fndng the requested values of l fts nto ths bound, by the proof of [24, Th. 4]; the remanng operatons are cheaper (and nvolve no dvson), snce Q = 1 n the Artn-Schreer case. 3. A PRIMITIVE TOWER Our frst task n ths secton s to descrbe a specfc Artn- Schreer tower where arthmetcs wll be fast; then, we explan how to construct ths tower. Ths extends results by Cantor [6, Th. 1.2], who dealt wth the case U 0 = F p. Theorem 1. Let U 0 = F p [X 0 ]/Q 0, wth Q 0 rreducble of degree d, let x 0 = X 0 mod Q 0 and assume that Tr U0 /F p (x 0) 0. Let (G ) 0 <k be defned by 8 >< G 0 = X 0 G 1 = X 1 f p = 2 and d s odd, >: G = X 2p 1 n any other case. Then, (G ) 0 <k defnes a prmtve tower (U 0,..., U k ). As before, for 1, let P = X p X G 1 and for 0, let K be the deal Q 0, P 1,..., P n F p [X 0,..., X ]. Then the theorem says that for 0, U = F p [X 0,..., X ]/K s a feld, and that x = X mod K generates t over F p. Hereafter, recall that we wrte γ = G mod K. We frst prove the case p 2; we then ndcate the modfcatons to brng for p = 2.

3 Lemma 2. For 0, U s a feld and, for 1, Tr U /U 1 (γ ) = γ 1. Proof. Inducton on : for = 0, ths s true by hypothess. For 1, assumng that U s a feld, we prove that Tr U /F p (γ ) 0, whch, by [19, Th. 2.25], mples that X p +1 X +1 γ s rreducble n U [X +1 ]. For = 0, Tr U0 /F p (γ 0 ) = Tr U0 /F p (x 0 ) s non-zero. For 1, we know that γ = x 2p 1 (x + γ 1 )x p 1 = x p xp 1, whch rewrtes = x p + γ 1x p 1 = γ 1 + x + γ 1 x p 1. By P 3, we get Tr U /U 1 (γ ) = γ 1 and by P 2, we deduce Tr U /F p (γ ) = Tr U 1 /F p (γ 1 ). The nducton assumpton mples that ths s non-zero, and the clam follows. Lemma 3. For 0, γ generates U over F p. Proof. Let d = [F p [γ ] : F p ], we want to prove that d = p d. Let d = p s r wth r prme to p, then p +s d ; ndeed, f t s not the case, Tr U /F p [γ ](γ ) = p+s r d γ = 0, whch contradcts Lemma 2. Furthermore, d d, n fact Tr U /U 0 (γ ) F p[γ ], but by Lemma 2 and by P 3, Tr U /U 0 (γ ) = ( 1) γ 0, whch generates U 0 by hypothess. Snce (p +s, d) = p s, d p d and the clam follows. The theorem s now an easy consequence of Lemmas 2 and 3 snce clearly F p[γ ] F p[x ]. For p = 2, the same formulas prove Tr U /U 1 (γ ) = 1 + γ 1 for 2 and ( 1 + γ 0 f d even, Tr U /U 0 (γ ) = 1 f d odd. In both cases Tr U /F p (γ ) = 1, provng the analogue of Lemma 2. Lemma 3 s shown the same way by observng that γ 0 F p[γ ], for any d. Composton. We gve next an algorthm for polynomal composton, to be used n the constructon of the tower defned before. Gven P and R n F p [X], we want to compute P (R). For the cost analyss, t wll be useful later on to consder both the degree k and the number of terms l of R. Compose s a recursve process that cuts P nto c+1 slces of degree less than p n, recursvely composes them wth R, and concludes usng Horner s scheme and the lnearty of the p-power. At the leaves of the recurson tree, we use a nave algorthm of cost O(deg(P ) 2 kl). Compose Input P, R F p[x] and c, n N. Output P (R). 1. let n = log p (deg(p )) and c = deg(p ) dv p n 2. If n = 0, return NaveCompose(P, R) 3. wrte P = P c =0 P X pn, wth P F p [X], deg P < p n 4. for [0,..., c], let Q =Compose(P, R) 5. let Q = 0 6. for [c,..., 0], let Q = QR(X pn ) + Q 7. return Q Theorem 4. If R has degree k and l non-zero coeffcents and f deg(p ) = s, then Compose(P, R) outputs P (R) n tme O(ps log p (s)kl). Proof. Correctness s clear, snce R pn = R(X pn ). To analyze the cost, we let C(c, n) be the cost of Compose when deg(p ) (c+1)p n, wth c < p. Then C(c, 0) O(c 2 kl). For n > 0, at each pass n the loop at step 6, deg(q) < cp n k, so that the multplcaton (usng the nave algorthm) and addton take tme O(cp n kl). Thus the tme spent n the loop s O(c 2 p n kl), and the runnng tme satsfes C(c, n) (c + 1)C(p 1, n 1) + O(c 2 p n kl). Let then C (n) = C(p 1, n), so that we have C (0) O(p 2 kl), C (n) pc (n 1) + O(p n+2 kl). We deduce that C (n) O(p n+2 nkl), and fnally C(c, n) O(cp n+1 nkl + c 2 p n kl). The values c, n computed at step 1 of the top-level call to Compose satsfy cp n s and n log p (s); ths gves our concluson. A bnary dvde-and-conquer algorthm [11, Ex. 9.20] has cost O(M(sk) log(s)). Our algorthm has a slghtly better dependency on s, but adds a polynomal cost n p and l. However, we have n mnd cases wth p small and l = 2, where the latter soluton s advantageous. Computng the mnmal polynomals. Theorem 1 shows that we have defned a prmtve tower. To be able to work wth t, we explan now how to compute the mnmal polynomal Q of x over F p. Ths s done by extendng Cantor s constructon [6], whch had U 0 = F p. For = 0, we are gven Q 0 F p[x 0] such that U 0 = F p[x 0]/Q 0(X 0), so there s nothng to do; we assume that Tr U0 /F p (x 0 ) 0 to meet the hypotheses of Theorem 1. Remark that f ths trace was zero, assumng gcd(d, p) = 1, we could replace Q 0 by Q 0 (X 0 1); ths s done by takng R = X 0 1 n algorthm Compose, so by Theorem 4 the cost s O(pd log p (d)). For = 1, we know that x p 1 x 1 = x 0, so x 1 s a root of Q 0 (X p 1 X 1). Snce Q 0 (X p 1 X 1) s monc of degree pd, we deduce that Q 1 = Q 0(X p 1 X1). To compute t, we use algorthm Compose wth arguments Q 0 and R = X p 1 X 1; the cost s O(p 2 d log p (d)) by Theorem 4. The same arguments hold for = 2 when p = 2 and d s odd. To deal wth other ndexes, we follow Cantor s constructon. Let Φ F p[x] be the reducton modulo p of the (2p 1)th cyclotomc polynomal. Cantor mplctly works modulo an rreducble factor of Φ. The followng shows that we can avod factorzaton, by workng modulo Φ. Lemma 5. Let A = F p [X]/Φ and let x = X mod Φ. For Q F p[y ], defne Q = Q 2p 2 =0 Q(x Y ). Then Q s n F p[y ] and there exsts q F p[y ] such that Q = q (Y 2p 1 ). Proof. Let F 1,..., F e be the rreducble factors of Φ and let f be ther common degree. To prove that Q s n F p [Y ], we prove that for j e, Q j = Q mod F j s n F p[y ] and ndependent from j; the clam follows by Chnese Remanderng. For j e, let a j be a root of F j n the algebrac closure of F p, so that Q j = Q 2p 2 =0 Q(a jy ). Snce gcd(p f, 2p 1) = 1, Q j s nvarant under Gal(F p f /F p), and thus n F p[y ]. Besdes, for j, j e, a j = a k j, for some k coprme to 2p 1, so that Q j = Q j, as needed. To conclude, note that for j e, Q j (a j Y ) = Q j (Y ), so that all coeffcents of degree not a multple of 2p 1 are zero. Thus, Q j has the form qj (Y 2p 1 ); by Chnese Remanderng, ths proves the exstence of the polynomal q. We conclude as n [6]: supposng that we know the mnmal polynomal Q of x over F p, we compute Q +1 as follows. Snce x s a root of Q, t s a root of Q, so γ = x 2p 1 s a root of q and x +1 s a root of q (Y p Y ). Snce the latter polynomal s monc of degree p +1 d, t s the mnmal polynomal Q +1 of x +1 over F p.

4 Theorem 6. Gven Q, one can compute Q +1 n tme O(p +2 d log p (p d) + M(p +2 d) log(p)). Proof. Let A = F p [X]/Φ. The algorthm of [3] computes Φ n tme O(p 2 ); then, polynomal multplcatons n degree s n A[Y ] can be done n tme O(M(sp)) by Kronecker substtuton. The overall cost of computng Q s O(M(p +2 d) log p) usng [11, Algo. 10.3]. To get Q +1 we use algorthm Compose wth R = Y p Y, whch costs O(p +2 d log p (p d)). The former cost s lnear n p +2 d, up to logarthmc factors, for an nput of sze p d and an output of sze p +1 d. Some further operatons wll be performed when we construct the tower: we wll precompute quanttes that wll be of use n the algorthms of the next sectons. Detals are gven n the next sectons, when needed. 4. LEVEL EMBEDDING We dscuss here change-of-bass algorthms for the tower (U 0,..., U k ) of the prevous secton; these algorthms are needed for most further operatons. We detal the man case where P = X p X X2p 1 1 ; the case P1 = Xp 1 X1 X0 (and P 2 = X2 2 + X 2 + X 1 for p = 2 and d odd) s easer. By Theorem 1, U equals F p[x 1, X ]/I, where the deal I admts the followng Gröbner bases, for respectvely the lexcographc orders X > X 1 and X 1 > X : Xp X X 2p 1 1 Q 1(X 1) and X 1 R(X) Q (X ), wth R n F p [X ]. Snce deg(q 1 ) = p 1 d and deg(q ) = p d, we assocate the followng F p-bases of U to each system: D C = (x j, x 1x j,..., d 1 xp 1 x j ) 0 j<p, = (1, x,..., x p d 1 ). (2) We descrbe an algorthm called Push-down whch takes v wrtten on the bass C and returns ts coordnates on the bass D ; we also descrbe the nverse operaton, called Lftup. In other words, Push-down nputs v U and outputs the representaton of v as v = v 0 + v 1 x + + v p 1 x p 1, wth all v j U 1 (3) and Lft-up does the opposte. Hereafter, we let L : N {0} N be such that both Pushdown and Lft-up can be performed n tme L(); to smplfy some expressons appearng later on, we add the mld constrants that p L() L( + 1) and p M(p d) O(L()). To reflect the mplementaton s behavor, we also allow precomputatons. These precomputatons are performed when we buld the tower; further detals are at the end of ths secton. Theorem 7. One can take L() n O(p +1 d log p (p d) 2 + p M(p d)). Remark that the nput and output have sze p d; usng fast multplcaton, the cost s lnear n p +1 d, up to logarthmc factors. The rest of ths secton s devoted to provng ths theorem. Push-down s a dvde-and-conquer process, adapted to the shape of our tower; Lft-up uses classcal deas of trace computatons (as n 2.3); the values we need wll be obtaned usng the transposed verson Push-down. As sad before, the algorthms of ths secton (and of the followng ones) use precomputed quanttes. To keep the pseudo-code smple, we do not explctly lst them n the nputs of the algorthms; we show, later, that the precomputaton s fast too. 4.1 Modular multplcaton We frst dscuss a routne for multplcaton by X pn n F p[y, X ]/(X p X Y ), and ts transpose. We start by remarkng that X pn = X + R n mod X p X Y, wth R n = P n 1 j=0 Y pj. (4) Then, precsely, for k n N, we are nterested n the operaton MulMod k,n : A (X + R n)a mod X p X Y, wth A F p[y, X ], deg(a, Y ) < k and deg(a, X ) < p. Snce R n s sparse, t s advantageous to use the nave algorthm; besdes, to make transposton easy, we explctly gve the matrx of MulMod k,n. Let m 0 be the (k + p n 1 ) k matrx havng 1 s on the dagonal only, and for l p n 1, let m l be the matrx obtaned from m 0 by shftng the dagonal down by l places. Let fnally m be the sum Σ n 1 j=0 m p j. Then one verfes that the matrx of MulMod k,n s 2 m 3 m 1 m 0 m m 0 m 0 m, m 0 m wth columns ndexed by (X j,..., Y k 1 X j ) j<p and rows by (X j,..., Y k+pn 1 1 X j )j<p. Snce ths matrx has O(pnk) non-zero entres, we can compute both MulMod k,n and ts dual MulMod k,n n tme O(pnk). 4.2 Push-down The nput of Push-down s v U, that s, gven on the bass C ; we see t as a polynomal V F p[x ] of degree less than p d. The output s the normal form of V modulo X p X X 2p 1 1 and Q 1 (X 1 ). We frst use a dvde-andconquer subroutne to reduce V modulo X p X X2p 1 1 ; then, the result s reduced modulo Q 1 (X 1 ) coeffcentwse. To reduce V modulo X p X X2p 1 1, we frst compute W = V mod X p X Y, then we replace Y by X 2p 1 1 n W. Because our algorthm wll be recursve, we let deg(v ) be arbtrary; then, we have the followng estmate for W. Lemma 8. We have deg(w, Y ) deg(v )/p. Proof. Consder the matrx M of multplcaton by X p modulo X p X Y ; t has entres n F p [Y ]. Due to the sparseness of the modulus, one sees that M has degree at most 1, and so M k has coeffcents of degree at most k. Thus, the remanders of X pk,..., X pk+p 1 modulo X p X Y have degree at most k n Y. We compute W by a recursve subroutne Push-down-rec, smlar to Compose. As before, we let c, n be such that 1 c < p and deg(v ) < (c + 1)p n, so that we have V = V 0 + V 1X pn + + V cx cpn, wth all V j n F p [X ] of degree less than p n. Frst, we recursvely reduce V 0,..., V c modulo X p X Y, to obtan bvarate polynomals W 0,..., W c. Let R n be the polynomal defned n Equaton (4). Then, we get W by computng Σ c j=0w j(x + R n) j modulo X p X Y, usng Horner s scheme as n Compose. Multplcatons by X + R n modulo X p X Y are done usng MulMod.

5 Push-down-rec Input V F p [X ] and c, n N. Output W F p [Y, X ]. 1. f n = 0 return V 2. wrte V = P c j=0 V jx jpn, wth V j F p [X ], deg V j < p n 3. for j [0,..., c], let W j = Push-down-rec(V j, p 1, n 1) 4. W = 0 5. for j [c,..., 0], let W = MulMod (c+1)p n 1,n (W ) + W j 6. return W Push-down Input v U. Output v wrtten as v v p 1 x p 1 wth v j U let V be the canoncal premage of v n F p [X ] 2. let n = log p (p d 1) and c = (p d 1) dv p n 3. let W = Push-down-rec(V, c, n) 4. let Z = Evaluate(W, [X 2p 1 1, X ]) 5. let Z = Z mod Q 1 6. return the resdue class of Z mod (X p X X 2p 1 1, Q 1) Proposton 9. Algorthm Push-down s correct and takes tme O(p +1 d log p (p d) 2 + p M(p d)). Proof. Correctness s straghtforward; note that at step 5 of Push-down-rec, deg(w, Y ) < (c + 1)p n 1, so our call to MulMod (c+1)p n 1,n s justfed. By the clam of Subsecton 4.1 on the cost of MulMod, the total tme spent n that loop s O(nc 2 p n ). As n Theorem 4, we deduce that the tme spent n Push-down-rec s O(n 2 c 2 p n ). In Push-down, we have cp n < p d and n < log p (p d), so the prevous cost s O(p +1 d log p (p d) 2 ). Reducng one coeffcent of Z modulo Q 1 takes tme O(M(p d)), so step 5 has cost O(p M(p d)). Step 6 s free, snce at ths stage Z s already reduced. 4.3 Transposed push-down We dscuss here the transpose of Push-down. Push-down s the F p-lnear change-of-bass from the bass C to D, so ts transpose takes an F p-lnear form l U gven by ts values on D, and outputs ts values on C. The nput s the (fnte) generatng seres L = Σ a<p 1 d, b<p l(x a 1x b )X 1X a b ; the output s M = Σ a<p d l(x a )X a. As n [1], the transposed algorthm s obtaned by reversng the ntal algorthm step by step, and replacng subroutnes by ther transposes. The overall cost remans the same; we revew here the man transformatons. In Push-down-rec, the ntal loop at step 5 s a Horner scheme; the transposed loop s run backward, and ts core becomes L j = L mod Y n 1 and L = MulMod (c+1)p n 1,n (L); a small smplfcaton yelds the pseudo-code we gve. In Push-down, after callng Push-down-rec, we evaluate W at [X 2p 1 1, X]: the transposed operaton Evaluate maps the seres Σ a,b l a,b X 1X a b to Σ a,b l (2p 1)a,b Y a X b. Then, orgnally, we perform a Eucldean dvson by Q 1 on Z: the transposed algorthm mod s n [1, Sect. 5.2]. Push-down-rec Input L F p [Y, X ] and c, n N. Output M F p[x ] 1. If n = 0 return L 2. for j [c,..., 0], let L j = L mod Y n 1 let M j = Push-down-rec (L j, p 1, n 1) let L = MulMod (c+1)p n 1,n (L) 3. return P c j=0 M jx jpn Push-down Input L F p [X 1, X ] Output M F p [X ] 1. let n = log p (p d 1) and c = (p d 1) dv p n 2. let P = mod (L, Q 1 ) 3. let M = Evaluate (P, [X 2p 1 1, X ]) 4. return Push-down-rec (M, c, n) Lft-up Input v wrtten as v v p 1 x p 1 wth v j U 1. Output v U. 1. let W be the canoncal premage of v n F p[x 1, X ] 2. let L = TransposedMul(W, S ) 3. let M = Push-down (L) 4. let N = M rev p d (Q ) mod X p d 5. let V = rev p d 1 (N)Q 1 mod Q 6. return the resdue class of V modulo Q 4.4 Lft-up Let v be gven on the bass D and let W be ts canoncal premage n F p [X 1, X ]. The lft-up algorthm fnds V n F p[x ] such that W = V mod (X p X X2p 1 1, Q 1) and outputs the resdue class of V modulo Q. Hereafter, we assume that both Q 1 mod Q and S = P a<p 1 d, b<p Tr U /F p (x a 1x b )X a 1X b are known (see the dscusson below). Then, the algorthm mplements the trace formulas gven n Subsecton 2.3 Proposton 10. Algorthm Lft-up s correct and takes tme O(p +1 d log p (p d) 2 + p M(p d)). Proof. As sad n Subsecton 2.3, the transposed multplcaton of W wth S gves values of l = v Tr U /F p by means of L = Σ a<p 1 d, b<p l(x a 1x b )X 1X a b. Ths s wrtten TransposedMul n the pseudo-code; an algorthm of cost O(M(p d)) for ths s n [21, Coro. 2]. The last subsecton showed that step 3 gves M = Σ a<p d l(x a )X a. Then, correctness follows from Equatons (1); the costs of steps 4 and 5 are O(M(p d)) and step 6 s free snce V s reduced. Propostons 9 and 10 prove Theorem 7. The precomputatons, that are done at the constructon of U, are as follows. Frst, we need the values of the trace on the bass D ; they are obtaned n tme O(M(p d)) by [21, Prop. 8]. Then, we need Q 1 mod Q ; ths takes tme O(M(p d) log(p d)) by fast extended GCD computaton. These precomputatons save logarthmc factors at best, but are useful n practce. 5. FROBENIUS AND PSEUDOTRACE In ths secton, we descrbe algorthms computng Frobenus and pseudotrace operators, specfc to the tower of Secton 3; they are the keys to the algorthms of the next secton. The algorthms n ths secton and the next one closely follow Couvegnes [8]. However, the latter assumed the exstence of a quas-lnear tme algorthm for multplcaton n some specfc towers n the multvarate bass B of Subsecton 2.1. To our knowledge, no such algorthm exsts. We use here the unvarate bass C ntroduced prevously, whch makes multplcaton straghtforward. However, several push-down and lft-up operatons are now requred to accommodate the recursve nature of the algorthm. Our man purpose here s to compute the pseudotrace T n : x P n 1 l=0 xpl, for n of the form p j d. Frst, however,

6 we descrbe how to compute values of the terated Frobenus operator x x ppj d. Any v Uj s left nvarant by ths latter map. For j <, we get, smlarly to (4): x ppj d = x + β 1,j, wth β 1,j = T p j d(γ 1). (5) The Frobenus algorthm follows: startng from v U, we frst wrte v = v v p 1 x p 1, wth v h U 1 ; by (5) and the lnearty of the Frobenus, we deduce that v ppj d = P p 1 h=0 vpp j d h (x + β 1,j ) h. Then, we compute all v ppj d h recursvely; the fnal sum s computed usng Horner s scheme. Ths algorthm requres the values β,j for < : we suppose that they are precomputed (the dscusson of how we precompute them follows). To analyze costs, we use the functon L of Secton 4. IterFrobenus Input v,, j wth v U and j 0. Output v ppj d U. 1. f j, return v 2. let v 0 + v 1 x + + v p 1 x p 1 = Push-down(v) 3. for h [0,..., p 1], let t h = IterFrobenus(v h, 1, j) 4. let F = 0 5. for h [p 1,..., 0], let F = t h + (x + β 1,j )F 6. return Lft-up(F ) Theorem 11. Algorthm IterFrobenus s correct and takes tme O( L()). Proof. Correctness s clear. We note F(, j) for the cost for v U, so that F(0, j) = = F(j, j) = 0. Each pass through step 5 nvolves a multplcaton by x + β 1,j, of cost of O(pM(p 1 d)), assumng β 1,j U 1 s known. Altogether, we deduce the recurrence relaton F(, j) p F( 1, j) + 2 L() + O(p 2 M(p 1 d)), so F(, j) p F( 1, j) + O(L()), by assumptons on M and L. The concluson follows, agan by assumptons on L. Next, we compute pseudotraces. Gven v U, the nave algorthm dong repeated squarng takes tme O(nM(p d) log p) for computng T n(v). In partcular, wth n = d, we use a functon NavePseudotrace wth that cost n our pseudo-code. For hgher values of n of the form p j d, we use the followng relaton, whose verfcaton s straghtforward: T p j d(v) = P p 1 l=0 T p j 1 d(v) pp j 1 dl. Pseudotrace Input v,, j wth v U. Output T p j d (v) U. 1. f j = 0 return NavePseudotrace(v, d) 2. t 0 =Pseudotrace(v,, j 1) 3. for h [1,..., p 1], let t h = IterFrobenus(t h 1,, j 1) 4. return t 0 + t t p 1 Theorem 12. Algorthm Pseudotrace s correct and takes tme PT() = O(p 2 L() + dm(p d) log p) for j. Proof. Correctness s clear. For the cost analyss, we wrte PT(, j) for the cost on nput and j, so the nave algorthm gves PT(, 0) = O(dM(p d) log p). For j > 0, step 2 costs PT(, j 1), step 3 costs O(pL()) by Theorem 11 and step 4 costs O(p +1 d). Ths gves PT(, j) = PT(, j 1)+O(pL()), and thus PT(, j) O(pjL()) + PT(, 0). The cost s thus O(p +2 d + p d 2 ), up to logarthmc factors, for an nput and output sze of p d. Better could be done wth respect to d, usng fast modular composton algorthms n the NavePseudotrace algorthm, as n [13]. Fnally, we dscuss precomputatons. When we construct U +1, we compute all β,j = T p j d(γ ) U, for j, usng the Pseudotrace algorthm. The nner calls to IterFrobenus only use pseudotraces that are already known. Besdes, a sngle call to Pseudotrace(γ,, ) actually computes all T p j d(γ ) for j, n tme O(p 2 L() + dm(p d) log p). 6. ARBITRARY TOWERS Fnally, we brng our prevous algorthms to an arbtrary tower, usng Couvegnes somorphsm algorthm [8]. As n the prevous secton, we adapt ths algorthm to our context, by addng sutable push-down and lft-up operatons. Let Q 0 be rreducble of degree d n F p[x 0], such that Tr U0 /F p (x 0 ) 0, wth as before U 0 = F p [X 0 ]/Q 0. We let (G ) 0 <k and (U 0,..., U k ) be as n Secton 3. We also consder another sequence (G ) 0 <k, that defnes another tower (U 0,..., U k). Snce (U 0,..., U k) s not necessarly prmtve, we fall back to the multvarate bass of Subsecton 2.1: we wrte elements of U on the bass B = {x 0e0 x e }, wth x 0 = x 0, 0 e 0 < d and 0 e j < p for 1 j. To compute n U, we wll use an somorphsm U U. Such an somorphsm s determned by the mages s = (s 0,..., s ) of (x 0,..., x ), wth s U (we always take s 0 = x 0 ). Ths somorphsm, denoted by σ s, takes as nput v wrtten on the bass B and outputs σ s (v) U. To analyze costs, we use the functons L and PT ntroduced n the prevous sectons. We also let 2 ω 3 be a feasble exponent for lnear algebra over F p [11, Ch. 12]. Theorem 13. Gven Q 0 and (G ) 0 <k, one can fnd s k = (s 0,..., s k ) n tme O(d ω k+pt(k)+m(p k+1 d) log(p)). Once they are known, one can apply σ sk and σs 1 k n tme O(k L(k)). Thus, we can compute products, nverses, etc, n U k for the cost of the correspondng operaton n U k, plus O(k L(k)). 6.1 Solvng Artn-Schreer equatons As a prelmnary, gven α U, we dscuss how to solve the Artn-Schreer equaton X p X = α n U. We assume that Tr U /F p (α) = 0, so ths equaton has solutons n U. Because X p X s F p-lnear, the equaton can be drectly solved by lnear algebra, but ths s too costly. In [8], Couvegnes gves a soluton adapted to our settng, that reduces the problem to solvng Artn-Schreer equatons n U 0. Gven a soluton δ U of the equaton X p X = α, he observes that any soluton µ of X pp 1 d X = η, wth η = Tp 1 d(α). (6) s of the form µ = δ wth U 1, hence s a root of X p X α + µ p µ. (7) Ths equaton has solutons n U 1 by hypothess and hence t can be solved recursvely. Frst, however, we tackle the problem of fndng a soluton of (6). For ths purpose, observe that the left hand sde of (6) s

7 U 1 -lnear and ts matrx on the bass (1,..., x p 1 ) s 2 0 `1 `p 1... βp β 1, 1 0 1, `p p 2 β 1, 1 0 Then, algorthm ApproxmateAS fnds the requred soluton. ApproxmateAS Input η U such that (6) has a soluton. Output µ U soluton of (6). 1. let η 0 + η 1 x + + η p 2 x p 2 = Push-down(η) 2. for j [p 1,..., 1], let µ j = 1 η jt j 1 P p 1 ` h βh j+1 h=j+1 j 1 1, 1 µ h 3. return Lft-up(µ 1 x µ p 1 x p 1 ) Theorem 14. Algorthm ApproxmateAS s correct and takes tme O(L()). Proof. Correctness s clear from Gaussan elmnaton. For the cost analyss, remark that β 1, 1 has already been precomputed to permt terated Frobenus and pseudotrace computatons. Step 2 takes O(p 2 ) addtons and scalar operatons n U 1 ; the overall cost s domnated by that of the push-down and lft-up by assumptons on L. Wrtng the recursve algorthm s now straghtforward. To solve Artn-Schreer equatons n U 0, we use a nave algorthm based on lnear algebra, wrtten NaveSolve. Artn-Schreer Input α, such that α U and Tr U /F p (α) = 0. Output δ U such that δ p δ = α. 1. f = 0, return NaveSolve(X p X α) 2. let η = Pseudotrace(α,, 1) 3. let µ = ApproxmateAS(η) 4. let α 0 = Push-down(α µ p + µ) 5. let = Artn-Schreer(α 0, 1) 6. return µ + Lft-up( ) Theorem 15. Algorthm Artn-Schreer s correct and takes tme O(d ω + PT()). Proof. Correctness follows from the prevous dscusson. For the complexty, note AS() the cost for α U. The cost AS(0) of the nave algorthm s O(M(d) log(p) + d ω ), where the frst term s the cost of computng x p 0 and the second one the cost of lnear algebra. When 1, step 2 has cost PT(), steps 3, 4 and 6 all contrbute O(L()) and step 5 contrbutes AS( 1). The most mportant contrbuton s at step 2, hence AS() = AS( 1) + O(PT()). The assumptons on L mply that the sum PT(1) + + PT() s O(PT()). 6.2 Applyng the somorphsm We get back to the somorphsm queston. We assume that s = (s 0,..., s ) s known and we gve the cost of applyng σ s and ts nverse. We frst dscuss the forward drecton. As nput, v U s wrtten on the multvarate bass B of U ; the output s t = σ s (v) U. As before, the algorthm s recursve: we wrte v = Σ j<pv j(x 0,..., x 1)x j, whence σ s (v) = P j<p σ s (v j )s j = P j<p σ s 1 (v j )s j ; the sum s computed by Horner s scheme. To speed-up the computaton, t s better to perform the latter step n a bvarate bass, that s, through a push-down and a lft-up. Gven t U, to compute v = σs 1 (t), we run the prevous algorthm backward. We frst push-down t, obtanng t = t t p 1x p 1, wth all t j U 1. Next, we rewrte ths as t = t t p 1s p 1, wth all t j U 1, and t suffces to apply σs 1 (or equvalently σs 1 1 ) to all t. The non-trval part s the computaton of the t j: ths s done by applyng the algorthm FndParametrzaton mentoned n Subsecton 2.3, n the extenson U = U 1 [X ]/P. ApplyIsomorphsm Input v, wth v U wrtten on the bass B. Output σ s (v) U. 1. f = 0 then return v 2. wrte v = Σ j<p v j (x 0,..., x 1 )x j 3. let s,0 + + s,p 1 x p 1 = Push-down(s ) 4. for j [0,..., p 1] let t j = ApplyIsomorphsm(v j, 1) 5. let t = 0 6. for j [p 1,..., 0] let t = (s,0 + + s,p 1 x p 1 )t + t j 7. return Lft-up(t) ApplyInverse Input t, wth t U. Output σs 1 (t) U wrtten on the bass B 1. f = 0 then return t. 2. let t t p 1 x p 1 = Push-down(t) 3. let s,0 + + s,p 1 x p 1 = Push-down(s ) 4. let t t p 1 Xp 1 = FndParametrzaton(t t p 1 x p 1, s,0 + + s,p 1 x p 1 ) 5. return Σ j<p ApplyInverse(t j, 1)x j Proposton 16. Algorthms ApplyIsomorphsm and ApplyInverse are correct and both take tme O(L()). Proof. In both cases, correctness s clear, snce the algorthms translate the former dscusson. As to complexty, n both cases, we do p recursve calls, O(1) push-downs and lft-ups, and a few extra operatons: for ApplyIsomorphsm, these are p multplcatons / addtons n the bvarate bass D of Secton 4; for ApplyInverse, ths s callng the algorthm FndParametrzaton of Subsecton 2.3. The costs are O(pM(p d)) and O(p 2 M(p 1 d)), whch are n O(L()) by assumpton on L. We conclude as n Theorem Proof of Theorem 13 Fnally, assumng that only (s 0,..., s 1) are known, we descrbe how to determne s. Several choces are possble: the only constrant s that s should be a root of X p X σ s (γ 1) = X p X σ s 1 (γ 1) n U. Usng Proposton 16, we can compute α = σ s 1 (γ 1) U 1 n tme O(( 1)L( 1)) O(L()). Applyng a lftup to α, we are then n the condtons of Theorem 15, so we can fnd s for an extra O(d ω + PT()) operatons. We can then summarze the cost of all precomputatons: to the cost of determnng s, we add the costs related to the tower (U 0,..., U ), gven n Sectons 3, 4 and 5. After a few smplfcatons, we obtan the upper bound O(d ω + PT() + M(p +1 d) log(p)). Summng over gves the frst clam of the theorem. The second s a restatement of Proposton EXPERIMENTAL RESULTS We descrbe here the mplementaton of our algorthms and an applcaton comng from ellptc curve cryptology. Expermental results. The prevous algorthms are mplemented on top the NTL C++ lbrary [23] compled wth

8 the gf2x package [4], whch provde the basc unvarate polynomal arthmetc needed here. Our mplementaton handles three NTL classes of fnte felds: GF2 for p = 2, zz_p for word-sze p and ZZ_p for arbtrary p. We compare our tmngs wth those obtaned n Magma [2]. We take p = 2 and d = 1 (that s, U 0 = F p ); the x-coordnate gves the number of levels we construct and the y-coordnate gves tmngs n seconds, n logarthmc scale. All results are obtaned on an AMD Opteron 250 (2.4GHz). We have two ways of dong arthmetc modulo 2 n NTL: GF2 s specalzed to p = 2; zz_p s more general. In Magma, there exst several ways to buld feld extensons: quo<u P> bulds the quotent of the unvarate polynomal rng U by P U (wrtten magma(1) hereafter); ext<k P> bulds the extenson of the feld k by P k[x] (magma(2)); ext<k p> bulds an extenson of degree p of k (magma(3)). 1e e+04 seconds 1e zz_p GF2 magma(1) magma(2) magma(3) heght zz_p GF2 magma(2) heght Our frst graph gves tmngs for the constructon of the tower of Secton 3; the second one gves tmngs for constructng an somorphsm wth an arbtrary tower (n Magma, only the magma(2) approach was meanngful). The tmngs of our code are sgnfcantly better. Isogeny algorthm. An sogeny s a regular map between two ellptc curves E and E that s also a group morphsm. Our nterest s Couvegnes sogeny algorthm [7], whch computes sogenes of degree p k. Couvegnes later paper [8] descrbed mprovements to speed up the computaton, but as we already mentoned, a key component, fast arthmetc n Artn-Schreer towers, was stll mssng. The orgnal algorthm of [7] was frst mplemented n [16]; usng ths paper s algorthms, t now becomes possble to have a completely explct verson of the fast varant. The algorthm reles on the nterpolaton of a ratonal functon at specal ponts n an Artn-Schreer tower; the Master thess [9] descrbes mproved algorthms for ths task, along the lnes of [10]. Its runnng tme s probablstc; we plot the average runnng tmes wth bars around them for mnmum/maxmum tmes; the dstrbuton s unform e+06 seconds zz p GF2 magma(2) sogeny degree To hghlght the benefts of ths paper, we compare a Magma mplementaton to our C++ code, for the same varant of the sogeny algorthm, on an Intel Xeon E5430 (2.6GHz). For p = 2, t should be noted that Lercer s sogeny algorthm [15] has better performance; for generc, small, p we menton as well a new algorthm by Lercer and Srvent [17] whch stll lacks an mplementaton. Acknowledgments. We thank J.-M. Couvegnes and F. Moran for useful dscussons. We acknowledge fnancal support from the INRIA Équpes assocées ECHECS team, NSERC and the Canada Research Char program. 8. REFERENCES [1] A. Bostan, G. Lecerf, and É. Schost. Tellegen s prncple nto practce. In ISSAC 03, pages ACM, [2] W. Bosma, J. Cannon, C. Playoust. The Magma algebra system. I. The user language. J. Symb. Comp., 24(3-4): , [3] R. P. Brent. On computng factors of cyclotomc polynomals. Math. Comp. 61: , [4] R. Brent, P. Gaudry, E. Thomé, P. Zmmermann. Faster multplcaton n GF(2)[x]. In ANTS 08, Sprnger, [5] P. Bürgsser, M. Clausen, and A. Shokrollah. Algebrac complexty theory. Sprnger Verlag, [6] D. G. Cantor. On arthmetcal algorthms over fnte felds. Journal of Combnatoral Theory, Seres A 50, , [7] J.-M. Couvegnes. Computng l-sogenes usng the p-torson. n ANTS II, Sprnger, [8] J.-M. Couvegnes. Isomorphsms between Artn-Schreer towers. Math. Comp. 69(232): , [9] L. De Feo. Calculs d sogénes. M. Sc. Thess, École polytechnque, 2007, [10] A. Enge and F. Moran, Fast decomposton of polynomals wth known Galos group. n AAECC-15, Sprnger, [11] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambrdge Unversty Press, [12] J. von zur Gathen and J. Gerhard, Arthmetc and factorzaton of polynomals over F 2. In ISSAC 96, pages 1 9. ACM, [13] J. von zur Gathen and V. Shoup. Computng Frobenus maps and factorng polynomals. Comp. Complex., 2(3): , [14] E. Kaltofen. Challenges of symbolc computaton: my favorte open problems. J. Symb. Comp., 29(6): , [15] R. Lercer. Computng sogenes n GF(2 n ). In ANTS-II, LNCS vol 1122, pages Sprnger, [16] R. Lercer. Algorthmque des courbes ellptques dans les corps fns. Ph.D. Thess, École polytechnque, [17] R. Lercer, T. Srvent. On Elkes subgroups of l-torson ponts n curves defned over a fnte feld. To appear n J. Théor. Nombres Bordeaux. [18] X. L, M. Moreno Maza, and É. Schost. Fast arthmetc for trangular sets: from theory to practce. In ISSAC 07, pages ACM, [19] R. Ldl and H. Nederreter. Fnte Felds, second edton. Cambrdge Unversty Press, [20] T. Mateer. Fast Fourer transform algorthms wth applcatons. Ph.D. Thess, Clemson Unversty, August [21] C. Pascal and É. Schost. Change of order for bvarate trangular sets. In ISSAC 06, pages ACM, [22] F. Rouller. Solvng zero-dmensonal systems through the Ratonal Unvarate Representaton. Appl. Alg. n Eng. Comm. Comput., 9(5): , [23] V. Shoup. NTL: A lbrary for dong number theory. [24] V. Shoup. Fast constructon of rreducble polynomals over fnte felds. J. Symb. Comp. 17: , [25] V. Shoup. Effcent computaton of mnmal polynomals n algebrac extensons of fnte felds. In ISSAC 99, pages 53 58, ACM, [26] Y. Wang and X. Zhu. A Fast Algorthm for Fourer Transform Over Fnte Felds and ts VLSI Implementaton. IEEE Journal on Selected Areas n Communcatons, 6 (3):572-7, 1988.