On the tensor rank of multiplication in finite extensions of finite fields and related issues in algebraic geometry
Stéphane Ballet, Jean Chaumine, Julia Pieltant, Matthieu Rambaud, Hugues Randriambololona, Robert Rolland

| 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 |
|---|---|---|---|---|---|---|---|----|----|----|----|----|----|----|----|----|
| 3 | 6 | 9 | 13 | 15 | 22 | 24 | 30 | 33 | 39 | 42 | 48 | 51 | 54 | 60 | 67 | 69 |
| 3 | 6 | 9 | 11 | 15 | 19 | 21 | 26 | 27 | 34 | 36 | 42 | 45 | 50 | 54 | 58 | 62 |
| 3 | 6 | 8 | 11 | 14 | 17 | 20 | 23 | 27 | 30 | 33 | 37 | 39 | 45 | 45 | 53 | 51 |
On the tensor rank of multiplication in finite extensions of finite fields and related issues in algebraic geometry

Stéphane Ballet, Aix-Marseille Université, CNRS, Centrale Marseille, Institut de Mathématiques de Marseille, case 907, 163 avenue de Luminy, F13288 Marseille cedex 9, France
Jean Chaumine, Laboratoire Géométrie Algébrique et Applications à la Théorie de l’Information, Université de la Polynésie Française, B.P. 6570, 98702 Faa’a, Tahiti, France
Julia Pieltant, Conservatoire National des Arts et Métiers, Équipe en émergence Sécurité-Défense, EPN 15 STRATÉGIES, Pôle Sécurité Défense - Chaire de Criminologie, 40 rue des Jeûneurs, F75002 Paris, France
Matthieu Rambaud, CNRS LCTI, Télécom ParisTech, 46 rue Barrault, F-75634 Paris cedex 13, France
Hugues Randriambololona, CNRS LCTI, Télécom ParisTech, 46 rue Barrault, F-75634 Paris cedex 13, France
Robert Rolland, Aix-Marseille Université, CNRS, Centrale Marseille, Institut de Mathématiques de Marseille, case 907, 163 avenue de Luminy, F13288 Marseille cedex 9, France
Abstract.
In this paper, we give a survey of the known results concerning the tensor rank of the multiplication in finite extensions of finite fields, enriched with some unpublished recent results as well as analyses enhancing the qualitative understanding of the domain. In particular, we identify and clarify certain results not completely proved, and we emphasize the link with open problems in number theory, algebraic geometry, and coding theory.
Key words and phrases:
finite field, tensor rank of the multiplication, function field
2010 Mathematics Subject Classification:
Primary 14H05; Secondary 12E20
Contents
- 3.1 The D.V. Chudnovsky and G.V. Chudnovsky algorithm (CCMA)
- 3.2 The linearity of the bilinear complexity of the multiplication
- 5.2 Evaluation at places of higher degree and with multiplicities
- 6.3.1 Intertwining two recursive towers into a dense family
- 6.3.2 Problems of descent on Shimura curves and open questions
- 7 Obtaining a divisor of optimal degree for symmetric algorithms
- 10 Effective construction of bilinear multiplication algorithms
- 10.1.2 Parallel algorithms designed for multiplication and exponentiation
- 11 Appendix: proof of Theorem 8.21, Theorem 8.9 and Proposition 6.11.2
- 11.1 Repairing (and extending) the criterion of Cascudo et al.
- 11.2 Deriving the bounds from the previous theorem and other criteria from the literature
1. Introduction
This article is a survey on the tensor rank of the multiplication in finite fields. It updates the previous survey [26], published about ten years ago. The deep improvements made since then require a complete rewrite of the survey highlighting the current state of the art. In particular, we present the new techniques introduced in recent years. The growing importance of this topic has attracted many mathematicians and computer scientists, who have developed new ideas and obtained new results. At the same time, we report a number of non-trivial errors and their solutions, which testify to the vitality of the domain and of the community concerned. Finite fields are an important area. They arise in many applications, particularly in areas related to information theory. In particular, the complexity of multiplication in finite fields is a central problem. It is a part of algebraic complexity theory, for which the best general reference is [36]. It turns out that studying this problem has raised many issues in number theory and algebraic geometry. Notably, it has revealed deep links between these different domains. So, one of the objectives of this article is also to make these links explicit and to present the current related open problems. At the same time we prove some new results not yet published.
Let us describe the problem more precisely: we suppose that we have the multiplication in a finite field and we want to construct an algorithm of multiplication in the extension which is the least expensive in terms of operations in . Let us remark that from this point of view the multiplication in is the multiplication of two polynomials of degree with coefficients in . We then distinguish two types of operations in the algorithm: those which are linear with respect to the variables that one multiplies, and those which are bilinear with respect to the two variables. More precisely, let be a basis of over . If and then a direct computation gives:
[TABLE]
where
[TABLE]
being constants. The problem of algebraic complexity then consists in determining the minimal number of elementary operations in required to compute the product of two elements . We can distinguish the following operations:
- addition: where ,
- scalar multiplication: where , and is a constant,
- non-scalar or bilinear multiplication: where depend on the elements and of which are multiplied.
So, to obtain the product by the direct computation, one counts:
- additions,
- scalar multiplications,
- non-scalar or bilinear multiplications.
The bilinear complexity of the multiplication algorithm is given by the number of bilinear multiplications used. This complexity corresponds to the rank of the multiplication tensor corresponding to this algorithm in as a vector space over , as will be explained in the next section.
The bilinear complexity of multiplication in finite fields over is obtained by a tensor (resp. an algorithm) of minimal rank (resp. of minimal bilinear complexity). The survey emphasizes the study of this minimal complexity.
This paper introduces the problem of the tensor rank of the multiplication in finite fields and gives an account of the results obtained in this part of algebraic complexity theory, as well as of related issues.
1.1. Tensor rank and multiplication algorithm
Let us recall the notions of multiplication algorithm and associated bilinear complexity.
Definition 1.1.
Let be a field and be finite dimensional -vector spaces. A nonzero element is said to be an elementary tensor, or a tensor of rank 1, if it can be written in the form for some . More generally, the rank of an arbitrary is defined as the minimal length of a decomposition of as a sum of elementary tensors.
Definition 1.2.
If
[TABLE]
is an -linear map, the -linear complexity of is defined as the tensor rank of the element
[TABLE]
where denotes the dual of as vector space over for any integer , naturally deduced from . In particular, the -linear complexity is called the bilinear complexity.
Definition 1.3.
Let be a finite-dimensional -algebra. We denote by
[TABLE]
the bilinear complexity of the multiplication map
[TABLE]
considered as a -bilinear map.
In particular, if and , we set:
[TABLE]
More concretely, is the smallest integer such that there exist linear forms , and elements , such that for all one has
[TABLE]
since such an expression is the same thing as a decomposition
[TABLE]
for the multiplication tensor of .
Definition 1.4.
We call a multiplication algorithm of length for a collection of that satisfy (2), or equivalently a tensor decomposition
[TABLE]
for the multiplication tensor of . Such an algorithm is said to be symmetric if for all (this can happen only if is commutative).
Hence, when is commutative, it is interesting to study the minimal length of a symmetric multiplication algorithm.
Definition 1.5.
Let be a finite-dimensional commutative -algebra. The symmetric bilinear complexity
[TABLE]
is the minimal length of a symmetric multiplication algorithm.
In particular, if and , we set:
[TABLE]
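The following is an added example, not code from the paper: it makes concrete both the operation accounting of the introduction (additions, scalar multiplications and bilinear multiplications counted separately for the direct computation) and the notion of a multiplication algorithm of Definitions 1.3 and 1.4, as a collection of linear forms and algebra elements with x·y = Σ φ_i(x)ψ_i(y)w_i. The algebra is represented as F_q[X]/(f) in the polynomial basis for a prime q, and the length-3 algorithm for a quadratic extension (the classical Karatsuba identity, here rederived modulo a general monic quadratic f) is checked exhaustively against the direct product; all function names are this example's own.

```python
# Added example (not from the paper): multiplication algorithms for F_q[X]/(f)
# in the sense of Definitions 1.3-1.4, with the operation accounting of the
# introduction. Coefficient lists are low degree first; f is monic of degree n;
# q is prime so that F_q = Z/qZ. Multiplications by 0 or 1 and additions of 0
# are free in a straight-line program and are not counted.
from itertools import product


def _reduce(c, f, q, ops):
    """Reduce a coefficient list c modulo the monic polynomial f, counting into ops."""
    n = len(f) - 1
    c = [v % q for v in c]
    for k in range(len(c) - 1, n - 1, -1):
        # X^k = X^(k-n) * X^n and X^n = -(f_0 + f_1 X + ... + f_(n-1) X^(n-1)) mod f
        for j in range(n):
            fj = f[j] % q
            if fj == 0:
                continue
            if fj != 1:
                ops["scalar"] += 1
            ops["add"] += 1
            c[k - n + j] = (c[k - n + j] - c[k] * fj) % q
    return c[:n]


def direct_product(x, y, f, q):
    """The 'direct computation' of the introduction: n^2 products x_i*y_j,
    accumulated and then reduced modulo f. Returns (product, ops)."""
    n = len(f) - 1
    ops = {"add": 0, "scalar": 0, "bilinear": 0}
    c = [0] * (2 * n - 1)
    filled = [False] * (2 * n - 1)
    for i in range(n):
        for j in range(n):
            ops["bilinear"] += 1          # x_i * y_j depends on both operands
            if filled[i + j]:
                ops["add"] += 1
            c[i + j] = (c[i + j] + x[i] * y[j]) % q
            filled[i + j] = True
    return _reduce(c, f, q, ops), ops


def _linear_form(coeffs, v, q, ops):
    """Evaluate the linear form sum_j coeffs[j]*v[j] over F_q, counting operations."""
    acc, terms = 0, 0
    for cj, vj in zip(coeffs, v):
        cj %= q
        if cj == 0:
            continue
        if cj != 1:
            ops["scalar"] += 1
        if terms:
            ops["add"] += 1
        acc = (acc + cj * vj) % q
        terms += 1
    return acc


def apply_algorithm(alg, x, y, q):
    """Compute x*y with a multiplication algorithm alg = [(phi_i, psi_i, w_i), ...]
    (Definition 1.4): x*y = sum_i phi_i(x) psi_i(y) w_i, where phi_i, psi_i are
    linear forms and w_i are algebra elements, all as coefficient lists.
    Returns (product, ops); the bilinear count is the length of alg."""
    ops = {"add": 0, "scalar": 0, "bilinear": 0}
    n = len(x)
    m = []
    for phi, psi, _w in alg:
        ops["bilinear"] += 1           # the only products depending on both x and y
        m.append(_linear_form(phi, x, q, ops) * _linear_form(psi, y, q, ops) % q)
    # coordinate k of sum_i m_i w_i is the linear form (w_i[k])_i applied to (m_i)_i
    coords = [_linear_form([w[k] for _, _, w in alg], m, q, ops) for k in range(n)]
    return coords, ops


def karatsuba_algorithm(f, q):
    """Length-3 symmetric algorithm for the quadratic algebra F_q[X]/(X^2 + f1 X + f0):
    with m0 = x0*y0, m1 = x1*y1, m2 = (x0+x1)*(y0+y1) one has
    x*y = (m0 - f0*m1) + (m2 - m0 - (1 + f1)*m1) * X."""
    assert len(f) == 3 and f[2] % q == 1, "f must be monic of degree 2"
    f0, f1 = f[0] % q, f[1] % q
    forms = [[1, 0], [0, 1], [1, 1]]
    w = [[1, (-1) % q], [(-f0) % q, (-1 - f1) % q], [0, 1]]
    return [(phi, phi, wi) for phi, wi in zip(forms, w)]   # phi_i == psi_i: symmetric


def is_symmetric(alg):
    return all(phi == psi for phi, psi, _ in alg)


def verify(alg, f, q):
    """Exhaustively compare alg with the direct product over all pairs in F_q^n."""
    n = len(f) - 1
    return all(apply_algorithm(alg, list(x), list(y), q)[0] == direct_product(x, y, f, q)[0]
               for x in product(range(q), repeat=n) for y in product(range(q), repeat=n))


if __name__ == "__main__":
    q, f = 2, [1, 1, 1]                 # F_4 = F_2[X]/(X^2 + X + 1)
    alg = karatsuba_algorithm(f, q)
    print("valid:", verify(alg, f, q), "symmetric:", is_symmetric(alg))
    print("direct computation:", direct_product([1, 1], [0, 1], f, q))
    print("length-3 algorithm:", apply_algorithm(alg, [1, 1], [0, 1], q))
```

For F_4 over F_2 the direct computation uses 4 bilinear multiplications while the length-3 algorithm uses 3, which is the value 3 that the table of bounds gives for degree 2; the price is paid in additions, which do not enter the bilinear complexity.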
Here are some basic properties of these quantities, taken from [72, Lemma 1.10]:
Lemma 1.6.
- (a) If is a finite-dimensional -algebra and an extension field of , and if we let considered as an -algebra, then
[TABLE]
Moreover, if is commutative, we also have
[TABLE]
- (b) If is a finite-dimensional -algebra, where is an extension field of , then can also be considered as a -algebra, and
[TABLE]
Moreover, if is commutative, we also have
[TABLE]
- (c) If and are two finite-dimensional -algebras,
[TABLE]
Moreover, if and are commutative, we also have
[TABLE]
- (d) If and are two finite-dimensional -algebras,
[TABLE]
Moreover, if and are commutative, we also have
[TABLE]
In particular, the following lemma of Shparlinski, Tsfasman, and Vladut [78, Lemma 1.2] is especially useful. Actually, the right-hand inequality was already stated in the original paper of D.V. Chudnovsky and G.V. Chudnovsky [44, eq. (6.2)], so the new contribution of I. Shparlinski, M. Tsfasman, and S. Vladut is the left-hand inequality. This will be important when we consider asymptotic complexities in Lemma 8.1.
Lemma 1.7.
For all we have
[TABLE]
Actually the same holds for symmetric complexity.
Lemma 1.8.
For all we have
[TABLE]
Proof.
The left-hand inequalities and are consequences of the inclusion . Then, for the right-hand inequalities and , we apply Lemma 1.6(b) with , , and . ∎
1.2. Organization of the paper
In Section 2, we present the classical results via the approach using multiplication by polynomial interpolation. In Section 3, we give a historical record of the results obtained from the pioneering works of D.V. and G.V. Chudnovsky in [44] and later I. Shparlinski, M. Tsfasman and S. Vladut in [78]. In particular, we present the original algorithm. This modern approach uses interpolation over algebraic curves defined over finite fields. This approach, whose first successes we recount along with the rocks on which the pioneers came to grief, led to the first complete proof of the linearity of the bilinear complexity of multiplication by S. Ballet in [6]. In Section 4, we present the code approach to the bilinear complexity and explain the connection between the bilinear complexity of multiplication and the so-called (exact) supercodes, or equivalently multiplication friendly codes in the lexicon of certain authors. Then, in Section 5, we present the different generalizations of the original D.V. and G.V. Chudnovsky algorithm, in particular the most successful version of the algorithm of Chudnovsky–Chudnovsky type at the present time, due to H. Randriambololona in [72]. This part explains the links with algebraic geometry. In Section 8, we recall the known results on the asymptotic bounds for the symmetric and asymmetric bilinear complexity that have been established over the last 30 years. Then, in the same way, in Section 9, we give uniform bounds for the symmetric and asymmetric bilinear complexity. Finally, in Section 10 we present methods for the effective construction of bilinear multiplication algorithms in finite fields.
2. Old classical results
Let
[TABLE]
be a monic irreducible polynomial of degree with coefficients in a field . Let
[TABLE]
and
[TABLE]
be two polynomials of degree where the coefficients and are indeterminates.
C. Fiduccia and Y. Zalcstein (cf. [55], [36] p. 367 Prop. 14.47) have studied the general problem of computing the coefficients of the product and have shown that at least multiplications are needed. When the field is infinite, an algorithm reaching exactly this bound had previously been given by A. Toom in [80]. S. Winograd described in [87] all the algorithms reaching the bound . Moreover, S. Winograd proved in [88] that, up to some transformations, every algorithm computing the coefficients of with bilinear complexity necessarily computes the coefficients of , and consequently uses one of the algorithms described in [87]. These algorithms use interpolation techniques and cannot be performed if the cardinality of the field is . In conclusion, we have the following result:
Theorem 2.1.
If the cardinality of is , every algorithm computing the coefficients of has bilinear complexity .
Applying the results of S. Winograd and H. De Groote [47] and Theorem 2.1 to the multiplication in a finite extension of a finite field we obtain:
Theorem 2.2.
The bilinear complexity of the multiplication in the finite field over satisfies
[TABLE]
with equality holding if and only if
[TABLE]
This result does not give any estimate of an upper bound for , when is large. In [62], A. Lempel, G. Seroussi and S. Winograd proved that has a quasi-linear upper bound. More precisely:
Theorem 2.3.
The bilinear complexity of the multiplication in the finite field over satisfies:
[TABLE]
where is a very slowly growing function defined recursively by
[TABLE]
, .
For , is defined as follows:
[TABLE]
Corollary 2.4.
Asymptotically,
[TABLE]
for any .
Furthermore, extending and using more efficiently the technique developed in [35], N. Bshouty and M. Kaminski showed that
[TABLE]
for . The proof of the above lower bound on the complexity of straight-line algorithms for polynomial multiplication is based on the analysis of Hankel matrices representing bilinear forms defined by linear combinations of the coefficients of the polynomial product.
3. The approach via algebraic curves
We have seen in the previous section that if the number of points of the ground field is too small, we cannot perform the multiplication by the Winograd interpolation method. D.V. and G.V. Chudnovsky designed in [44] an algorithm where the interpolation is done on points of an algebraic curve over the ground field with a sufficient number of rational points. We will denote this Chudnovsky–Chudnovsky Multiplication Algorithm by CCMA. Using this algorithm, D.V. and G.V. Chudnovsky claimed that the bilinear complexity of the multiplication in finite extensions of a finite field is asymptotically linear, but later I. Shparlinski, M. Tsfasman and S. Vladut in [78] noted that they had only proved that the quantity is bounded, which is not enough to prove linearity. To prove linearity, it is also necessary to prove that is bounded, which is the main aim of their paper. However, I. Cascudo, R. Cramer and C. Xing recently detected a mistake in the proof of I. Shparlinski, M. Tsfasman and S. Vladut. Unfortunately, this mistake, which we will explain in detail in this section, also affected their improved estimates of .
After the above pioneering research, S. Ballet obtained in [6] (cf. also [5]) the first upper bounds for that are uniform with respect to . The algorithm CCMA being clearly symmetric, these first uniform bounds also concerned . Moreover, these bounds, not being affected by the same mistake, at the same time proved the linearity of the bilinear complexity of the multiplication in finite extensions of a finite field, since they obviously implied that was finite. Subsequently, critical improvements were introduced: in [5][6], S. Ballet introduces simple numerical conditions on algebraic curves of arbitrary genus giving a sufficient condition for the application of the algorithm CCMA (existence of places of certain degree, of non-special divisors of degree ), generalizing the result of A. Shokrollahi [77] for elliptic curves; in [5][6] S. Ballet introduces the use of towers of algebraic function fields, and their densification in [8]; in [25] S. Ballet and R. Rolland introduce the use of places of higher degree; in [25] S. Ballet and R. Rolland introduce the descent over of the definition field of a densified tower defined over for any finite field of characteristic , and in [19] S. Ballet, D. Le Brigand and R. Rolland generalize the method to any finite field; in [9], S. Ballet derives optimal criteria for the direct construction of the divisors satisfying the needed conditions, and in [42][43] J. Chaumine proves that these criteria are always satisfied in the elliptic case, so improving the result of A. Shokrollahi [77]; in [18], thanks to an existence theorem for non-special divisors of degree , S. Ballet and D. Le Brigand improve the sufficient conditions for the application of the algorithm CCMA to extensions of arbitrary finite fields; in [1], N. Arnaud introduces the use of local expansions, called derivated evaluation; in [20] [66] S. Ballet and Julia Pieltant introduce the use of divisors of degree zero, thanks to an existence result obtained in [24] by S. Ballet, C. Ritzenthaler and R. Rolland, and combine it with local expansion. Then M. Cenk and F. Özbudak [40], and H. Randriambololona [72], gave improvements by using local expansions and places of high degree. These can be combined with the following other independent ingredients, also proposed in [72]: allowing asymmetry in the interpolation procedure, which establishes the announced Shparlinski–Tsfasman–Vladut estimates for and ; and using the best bilinear complexities recursively, an idea that was then also used in [15]. Last, two ideas can be used in order to deal with symmetric complexities: bounds involving the -torsion [89][70][37][38], and direct construction of the divisors satisfying the needed conditions [73][71][72]. Ultimately this allows one to obtain in most cases the Shparlinski–Tsfasman–Vladut estimates also for and , as well as other related estimates for the symmetric complexity.
3.1. The D.V. Chudnovsky and G.V. Chudnovsky algorithm (CCMA)
In this section, we recall the brilliant idea of D.V. Chudnovsky and G.V. Chudnovsky and give their main result. First, we present the original CCMA, which was established in 1987 in [44].
Theorem 3.1.
Let
- be an algebraic function field,
- be a degree place of ,
- be a divisor of ,
- be a set of places of degree .
We suppose that , are not in the support of and that:
- (a) the evaluation map
[TABLE]
is onto (where is the residue class field of ),
- (b) the application
[TABLE]
is injective.
Then
[TABLE]
We presented this result as it was formulated in [44], in terms of the bilinear complexity . However, closer inspection of the method shows that it produces symmetric algorithms, so the conclusion also holds for the symmetric bilinear complexity:
[TABLE]
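As an added example (not code from the paper or its authors), here is Theorem 3.1 carried out on the simplest curve, the projective line over F_q, which is genus 0: the degree-n place Q is a monic irreducible polynomial f, the places of degree 1 are the q finite points plus the point at infinity, L(D) is the space of polynomials of degree at most n−1, and L(2D) the space of degree at most 2n−2. With 2n−1 rational places the product is recovered from 2n−1 pointwise products, which is exactly the interpolation bound of Section 2 and explains its condition on the field size: the line has only q+1 rational places, so the construction is impossible once 2n−1 exceeds q+1. The code assumes a prime q and uses its own function names; it checks the result exhaustively against the direct product.

```python
# Added example (not from the paper): the Chudnovsky-Chudnovsky interpolation of
# Theorem 3.1 on P^1 over a prime field F_q. Polynomials are coefficient lists,
# low degree first; f is monic of degree n; None stands for the place at infinity.
from itertools import product


def _evaluate(g, p, q):
    """Horner evaluation at p of the polynomial g."""
    acc = 0
    for coeff in reversed(g):
        acc = (acc * p + coeff) % q
    return acc


def _poly_mul(a, b, q):
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % q
    return c


def _lagrange(points, values, q):
    """Polynomial of degree < len(points) through (points[i], values[i]); q prime."""
    res = [0] * len(points)
    for i, (pi, vi) in enumerate(zip(points, values)):
        num, denom = [1], 1
        for j, pj in enumerate(points):
            if j != i:
                num = _poly_mul(num, [(-pj) % q, 1], q)
                denom = denom * (pi - pj) % q
        scale = vi * pow(denom, q - 2, q) % q       # Fermat inverse in F_q
        for k, coeff in enumerate(num):
            res[k] = (res[k] + scale * coeff) % q
    return res


def _reduce_mod(h, f, q):
    """Residue of h at the degree-n place Q, i.e. h modulo the monic polynomial f."""
    n = len(f) - 1
    h = [v % q for v in h] + [0] * max(0, n - len(h))
    for k in range(len(h) - 1, n - 1, -1):
        t = h[k]
        if t:
            for j in range(n + 1):
                h[k - n + j] = (h[k - n + j] - t * f[j]) % q
    return h[:n]


def direct_product(x, y, f, q):
    return _reduce_mod(_poly_mul(x, y, q), f, q)


def rational_places(q, n):
    """2n-1 degree-one places of P^1(F_q): finite points, then infinity (None) if needed.
    Fails when q + 1 < 2n - 1, which is the obstruction of Theorem 2.1."""
    needed = 2 * n - 1
    if q + 1 < needed:
        raise ValueError(f"P^1(F_{q}) has {q + 1} rational places, {needed} are needed")
    places = list(range(min(q, needed)))
    if len(places) < needed:
        places.append(None)
    return places


def ccma_genus0(x, y, f, q):
    """x, y in L(D) (degree <= n-1) are evaluated at 2n-1 rational places, multiplied
    pointwise (the only bilinear multiplications), the product h in L(2D) (degree
    <= 2n-2) is interpolated and then reduced at Q. Returns (x*y, bilinear count)."""
    n = len(f) - 1
    places = rational_places(q, n)
    finite = [p for p in places if p is not None]

    def ev(g, p):                      # value at infinity = coefficient of X^(n-1)
        return g[n - 1] % q if p is None else _evaluate(g, p, q)

    vals = [ev(x, p) * ev(y, p) % q for p in places]
    if None in places:
        # h = lead * prod(X - p) + r: lead = h(infinity) is the X^(2n-2) coefficient,
        # r is the degree <= 2n-3 interpolant of the finite values (prod vanishes there)
        vanishing = [1]
        for p in finite:
            vanishing = _poly_mul(vanishing, [(-p) % q, 1], q)
        h = [vals[-1] * c % q for c in vanishing]
        for k, c in enumerate(_lagrange(finite, vals[:-1], q)):
            h[k] = (h[k] + c) % q
    else:
        h = _lagrange(finite, vals, q)
    return _reduce_mod(h, f, q), len(places)


def verify(f, q):
    """Exhaustive check of ccma_genus0 against the direct product."""
    n = len(f) - 1
    return all(ccma_genus0(list(x), list(y), f, q)[0] == direct_product(list(x), list(y), f, q)
               for x in product(range(q), repeat=n) for y in product(range(q), repeat=n))


if __name__ == "__main__":
    print("F_4 over F_2 (places 0, 1, infinity):", verify([1, 1, 1], 2))
    print("F_125 over F_5, X^3 + X + 1:", ccma_genus0([1, 1, 1], [1, 1, 1], [1, 1, 0, 1], 5))
```

Over F_2 with n = 2 the three places 0, 1 and infinity give back the length-3 Karatsuba algorithm; for n = 3 over F_2 the line has only 3 rational places where 5 are needed, and the construction has to move to a curve of higher genus with more points, which is the motivation of the rest of this section.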
3.2. The linearity of the bilinear complexity of the multiplication
As seen previously, I. Shparlinski, M. Tsfasman and S. Vladut have given in [78] many interesting remarks on CCMA and the bilinear complexity. In particular, they considered asymptotic bounds for the bilinear complexity in order to prove the linearity of this complexity from CCMA (the families of curves used by the pioneers only gave asymptotic bounds; M. Tsfasman, in a private communication, asked R. Rolland the question of finding uniform bounds). Following these authors, let us define
[TABLE]
and
[TABLE]
Moreover, we also have to consider the symmetric variants of these quantities which were not considered by I. Shparlinski, M. Tsfasman and S. Vladut, but were first introduced by H. Randriambololona in [72], and have become equally important since then:
[TABLE]
and
[TABLE]
It is clear that we have:
[TABLE]
and
[TABLE]
It is not at all obvious that either of these values is finite. Note that if (resp. ) is finite, then the bilinear complexity (resp. the symmetric bilinear complexity) of multiplication is linear in the degree of the extension, namely there exists a constant (resp. ) such that for any integer ,
[TABLE]
From Theorem 3.1, D.V. Chudnovsky and G.V. Chudnovsky derive [44, Theorem 7.7] (this result is originally formulated for ; although at this time most authors did not distinguish in the notation between bilinear complexity and symmetric bilinear complexity, it was known that the CCMA naturally produces symmetric algorithms (cf. [44, Definition p. 154 and Remark 2.2] and also more precisely [6, Proof of Theorem 1.1]), so the estimate also holds for the symmetric bilinear complexity ): for a square, as , we have
[TABLE]
However, as pointed out by I. Shparlinski, M. Tsfasman and S. Vladut, the proof given for Bound (4) is quite sketchy, with some important details missing. This made them question its validity.
More precisely, relying on Ihara’s work [61], D.V. Chudnovsky and G.V. Chudnovsky consider Shimura modular curves having an asymptotically maximal number of points over , and in the final step of their argument, they assert that, for some given constant and for all integers large enough, they can choose curves in this family of genus . Although it follows from [61] that this is possible for infinitely many , D.V. Chudnovsky and G.V. Chudnovsky need it to hold for all , for which they do not give justification. Because of this, I. Shparlinski, M. Tsfasman and S. Vladut explain that one should consider that, although D.V. Chudnovsky and G.V. Chudnovsky state an estimate for the limsup , their proof is valid only for the liminf .
But then, with [78, Claim, p. 163], I. Shparlinski, M. Tsfasman and S. Vladut precisely describe a family of Shimura curves that satisfy the conditions needed by D.V. Chudnovsky and G.V. Chudnovsky, which essentially completes the proof of (4). Unfortunately, at the same time, I. Shparlinski, M. Tsfasman and S. Vladut also propose to replace (4) with a sharper bound, and in doing so they introduce an unproved argument into the proof. The gap in their proof was found by I. Cascudo, R. Cramer and C. Xing (cf. personal communication in 2009 and [38, Section V]). They present the gap as follows: “The mistake in [78] from 1992 is in the proof of their Lemma 3.3, page 161, the paragraph following the formulas about the degrees of the divisor. It reads: ‘Thus the number of linear equivalence classes of degree for which either Condition or Condition fails is at most .’ This is incorrect; should be multiplied by the torsion. Hence the proof of their asymptotic bound is incorrect.” Note that a synthesis filling the gap left in the proof of D.V. and G.V. Chudnovsky with the approach of Shparlinski, Tsfasman and Vladut is possible but not direct. Anyway, independently, by using the strategy of D.V. and G.V. Chudnovsky applied to the first tower of Garcia–Stichtenoth [57] attaining the Drinfeld–Vladut bound (the advantage of this tower of algebraic function fields is that, firstly, one knows explicitly the number of rational points and the genus at each step, and secondly, the ratio of rational points to genus is very good), together with a result concerning the existence of non-special divisors of degree , S. Ballet gives in [6] the first complete proof of the linearity of the bilinear complexity of the multiplication. More precisely, it was done by determining directly upper bounds for . From there, different works were done to improve the asymptotic bounds (cf. Section 8) and the uniform bounds (cf. Section 9).
4. The approach via codes
Initially, just after the pioneer work of D.V. and G.V. Chudnovsky [44], I. Shparlinski, M. Tsfasman and S. Vladut in [78] specified the link between certain codes and multiplication tensors. Then, they introduced the notion of exact supercodes also called multiplication friendly codes.
4.1. Connection with codes and asymptotic lower bounds
First, let us recall the link between the linear error-correcting codes and the decomposition of multiplication tensors.
Let us recall the following classical definition:
Definition 4.1.
A linear error-correcting code over of length , dimension and Hamming distance is called an -code. The rate of such a code is denoted by and its relative minimum distance by .
By [78], it is possible to construct a code using decomposition of into a sum of rank one tensors. Indeed, if
[TABLE]
where , , , then one defines an -linear map
[TABLE]
From [78], it follows that:
Proposition 4.2.
The -vector space is an -code such that .
Corollary 4.3.
Any decomposition of length of a tensor of multiplication in the finite field gives an -code such that . In particular, if is the minimum length of a linear -code, then the tensor rank of multiplication in the finite field is such that .
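The code of Proposition 4.2, as an added example that is not code from the paper: given a decomposition x·y = Σ φ_i(x)ψ_i(y)w_i, the map x ↦ (φ_1(x), …, φ_μ(x)) is F_q-linear, and its image is a code of length μ and dimension n whose minimum distance is at least n (for x ≠ 0 the products x·y span all of F_{q^n} as y varies, yet they lie in the span of those w_i with φ_i(x) ≠ 0, so at least n coordinates are nonzero). The script computes that code's parameters from the forms of two decompositions, the Karatsuba forms of F_4 over F_2 and the evaluation forms of the interpolation method, and then runs the lower-bound direction of Corollary 4.3 for tiny parameters by brute force over generator matrices. The forms, the function names and the search bound max_len are this example's own assumptions.

```python
# Added example (not from the paper): the code attached to a tensor decomposition
# (Proposition 4.2) and the resulting lower bound of Corollary 4.3. Linear forms
# on F_q^n are coefficient lists; q is prime; codes are sets of codeword tuples.
from itertools import product


def code_from_forms(forms, q):
    """Image of x -> (phi_1(x), ..., phi_mu(x)) over all x in F_q^n."""
    n = len(forms[0])
    return {tuple(sum(c * xi for c, xi in zip(phi, x)) % q for phi in forms)
            for x in product(range(q), repeat=n)}


def parameters(code, q):
    """(length, dimension, minimum distance) of a linear code given as a set of words."""
    length = len(next(iter(code)))
    dim = 0
    while q ** dim < len(code):
        dim += 1
    dist = min(sum(1 for c in w if c) for w in code if any(w))
    return length, dim, dist


def evaluation_forms(points, n, q):
    """Forms of the interpolation (genus-0 Chudnovsky) decomposition: a polynomial of
    degree <= n-1 evaluated at a finite point p is the form (1, p, ..., p^(n-1));
    at infinity (None) it is the coefficient of X^(n-1)."""
    return [[0] * (n - 1) + [1] if p is None else [pow(p, j, q) for j in range(n)]
            for p in points]


# Forms of the classical length-3 (Karatsuba) decomposition of F_4 over F_2:
# x*y is computed from the products x0*y0, x1*y1 and (x0+x1)*(y0+y1).
KARATSUBA_FORMS = [[1, 0], [0, 1], [1, 1]]


def min_length_with_distance(n, q, max_len=8):
    """Smallest N for which an [N, n, >= n] linear code over F_q exists, by brute force
    over all n x N generator matrices (tiny n and q only). By Corollary 4.3 this N is a
    lower bound on the tensor rank of multiplication in F_{q^n} over F_q."""
    for N in range(n, max_len + 1):
        for entries in product(range(q), repeat=n * N):
            forms = [list(entries[i * n:(i + 1) * n]) for i in range(N)]   # columns of G
            code = code_from_forms(forms, q)
            if len(code) == q ** n and parameters(code, q)[2] >= n:
                return N
    return None


if __name__ == "__main__":
    print("Karatsuba forms over F_2 give an [N, n, d] code:",
          parameters(code_from_forms(KARATSUBA_FORMS, 2), 2))
    print("evaluation forms over F_5, n = 3 (a Reed-Solomon code):",
          parameters(code_from_forms(evaluation_forms([0, 1, 2, 3, 4], 3, 5), 5), 5))
    print("shortest [N, 2, >= 2] code over F_2 has N =", min_length_with_distance(2, 2))
```

The Karatsuba forms give the [3, 2, 2] even-weight code, and the brute-force search shows no [2, 2, ≥ 2] code exists over F_2, so the tensor rank of F_4 over F_2 is at least 3 and the length-3 algorithm is optimal; the evaluation forms over F_5 with n = 3 give the [5, 3, 3] Reed–Solomon code, the genus-0 instance of the codes that the curve-based constructions of Section 3 produce.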
Let us recall that there exists a continuous decreasing function on the segment which corresponds to the bound for the rate of linear codes over with relative minimum distance at least (cf. [82, 1.3.1]). Hence:
Corollary 4.4.
One has:
[TABLE]
where is the unique solution of the equation .
Any upper bound for gives an upper bound for and thus a lower bound for . So, from this corollary, it follows that we can obtain lower bounds of the asymptotic quantity from asymptotic parameters of codes. Now, let us summarize the known lower bounds concerning this quantity, namely the lower bound of obtained by R. Brockett, M. Brown and D. Dobkin in [32, 31] by using the bound of “four” [82, 1.3.2] for asymptotic parameters of binary codes, and the lower bound of for given by I. Shparlinski, M. Tsfasman and S. Vladut in [78] by using the asymptotic Plotkin bound [82, 1.3.2]. Note that this last bound is a straightforward consequence of Proposition 4.3 established by D.V. and G.V. Chudnovsky in [44].
Proposition 4.5.
One has:
[TABLE]
and
[TABLE]
4.2. Supercodes
Let us recall the notion of supercode introduced by Shparlinski, Tsfasman and Vladut in [78]. First, let us recall the idea leading to the emergence of this notion. By Section 4.1, any decomposition of the tensor into a sum of summands of rank one enables us to obtain an -code. In fact, the notion of supercode arises from the question of when, conversely, it is possible to construct such a decomposition from a linear -code.
Definition 4.6.
Let be an -linear subspace. is called an -supercode if the following conditions are satisfied:
- 1) the first projection
[TABLE]
restricted to is surjective;
- 2) let , where the multiplication is that of the -algebra , and let be the subspace of spanned by . The second projection
[TABLE]
restricted to is injective.
From Definition 4.6, it is now possible to obtain the following more restrictive notion, almost equivalent to the notion of symmetric decomposition of a multiplication tensor.
Definition 4.7.
An -supercode is said to be exact if is an isomorphism, i.e. if .
Proposition 4.8.
Let S be an -supercode and let , then:
- (1) is an -code.
- (2) If S is exact then is an -code.
- (3) Any supercode contains an exact sub-supercode.
In fact, the notion of exact supercode is equivalent to that of symmetric decomposition of into a sum of rank one tensors, up to the representation of (i.e. modulo the following equivalence relation):
Definition 4.9.
Let and be two symmetric decompositions of . We call and equivalent if for every .
Now, by considering the equivalence relation of Definition 4.9, we obtain the following result.
Theorem 4.10.
There is a bijection between the set of exact supercodes and the set of equivalence classes of symmetric decompositions of .
Then, by [78, Proposition 1.11 and Corollary 1.13], we obtain:
Corollary 4.11.
- (1) Any exact supercode yields a symmetric multiplication algorithm of bilinear complexity , and conversely.
- (2) Any supercode yields a symmetric multiplication algorithm of bilinear complexity .
Note that I. Shparlinski, M. Tsfasman and S. Vladut in [78] gave an explicit construction of a symmetric tensor of length performing the multiplication in a finite field from an exact supercode . Conversely, from an arbitrary symmetric decomposition, they explicitly obtain an exact supercode by [78, Proposition 1.11].
Remark 4.12.
Note that certain authors use the notion of multiplication friendly code which is equivalent to the notion of exact supercode. In particular, the results obtained by using the notion of multiplication friendly code only concern the symmetric bilinear complexity.
Open problems 4.13.
How can one characterize those -codes which are projections of supercodes?
5. Generalizations of the algorithm of Chudnovsky-Chudnovsky
5.1. Motivation
When using the original Chudnovsky-Chudnovsky method, one sees that the bounds that can be obtained on the bilinear complexity, as well as their effectivity or the practical implementation of the corresponding multiplication algorithms, highly depend on the choice of the geometric data on which Theorem 3.1 is applied. For instance, in order to get the best possible bounds, one needs curves having sufficiently many rational points with the smallest possible genus. This works well when one is considering a base field that is not too small, and of square order, so the celebrated Drinfeld-Vladut bound can be attained (see section 6 for details). But in other situations, the original Chudnovsky-Chudnovsky method presents certain limitations. Several improvements were then proposed to overcome these limitations.
In order to better understand these improvements, we will thus distinguish two steps in the construction of multiplication algorithms. The first step is to state a “generic” CCMA, which takes as input some geometric data (a function field or a curve, some places or points on it, and some divisors that satisfy adequate conditions), and gives as output an effective multiplication algorithm, or at least an upper bound on some bilinear complexity. The second step then is to specify the geometric objects on which this generic CCMA will be applied: choice of the curves, existence of the divisors, etc.
Concerning the first step (generic statement of the CCMA), successive generalizations were proposed by various authors, using several independent ingredients, among which we can cite:
- evaluation at places of higher degree and/or with multiplicities
- symmetric/asymmetric versions of the algorithm optimized for symmetric/asymmetric bilinear complexity respectively
- formulation adapted for an iterative use.
In this section we give more details on these lines of improvements, with emphasis on the first two (in sections 5.2 and 5.3), and we present the best finalized version of the CCMA [72, Theorem 3.5], which combines them all. We then explain how intermediate historical contributions can be retrieved as particular cases.
Concerning the second step (specification of the geometric objects), the most important ingredients are:
- careful choice of the curves, either explicit recursive towers, their densification and descent of the base field (see section 6.2 for details), or more abstract modular, Shimura, or Drinfeld modular curves (see section 6.3)
- techniques to ensure the existence of, or even to effectively construct, the divisor of best possible degree needed to perform interpolation; this is especially important in the context of symmetric algorithms (see section 7).
Of course these two steps that we distinguished are closely intertwined: a suitably generalized generic CCMA will allow a broader choice for the geometric objects, hence lead to better bounds or a more effective implementation. In the other direction, it can happen that some geometric conditions (e.g. existence of points of given degree or of suitable divisors) can be replaced with simple numerical criteria, and get included in the statement of the generic CCMA.
5.2. Evaluation at places of higher degree and with multiplicities
Here one can cite several successive contributions.
- First, S. Ballet and R. Rolland generalized the algorithm in [25], using places of degree and .
- Then N. Arnaud [1] introduced, as in Lagrange-Sylvester interpolation, the use of derivatives (evaluation with multiplicities) to improve the interpolation process.
- These ideas are combined and extended in the work of M. Cenk and F. Özbudak in [40]. This generalization uses several coefficients in the local expansion at each place instead of just the first one. Due to the way it is obtained, their bound for the bilinear complexity involves a sum of local contributions, each of which is written as a product of two separate factors: one factor accounts for the degree of the place, the other factor accounts for the multiplicity.
- Last, H. Randriambololona [72] refined this method by introducing a single quantity that combines degree and multiplicity at the same time and leads to the sharpest bounds presently known.
This quantity introduced in [72] can be defined in two variants, one for the bilinear complexity, the other for the symmetric bilinear complexity:
Definition 5.1.
For any integers we consider the -algebra of polynomials in one indeterminate with coefficients in , truncated at order , and we denote by
[TABLE]
its bilinear complexity over , and by
[TABLE]
its symmetric bilinear complexity over .
Note that for , we have and , while for , we have as defined by M. Cenk and F. Özbudak in [40] (we could likewise set , although this quantity is not considered in [40]).
The generalized evaluation maps that appear in the generalized CCMA can be described either in the language of modern algebraic geometry, as done in [72], or in the language of algebraic function fields, as done in previous works. Actually these two languages are equivalent, so we explain how to pass from one to the other.
Suppose we are given:
- a curve over (which corresponds to a function field )
- a closed point on of degree (which corresponds to a place of of degree )
- an integer .
This allows us to consider the thickened point on , which is the closed subscheme defined by the sheaf of ideals .
Now, for any divisor on , we can define a generalized evaluation map, that evaluates sections of at with multiplicity . In geometric terms, this is just the natural restriction map
[TABLE]
After possibly replacing with a linearly equivalent divisor, we will assume is not in the support of . We then have a natural identification . Then, thanks to [72, Lemma 3.4], we have an isomorphism of algebras
[TABLE]
where corresponds to a local parameter at , and is identified with the residue field of . Last, in order to make everything explicit for computations, we can use the natural linear isomorphism
identifying a polynomial with its coefficients . Combining all this, the generalized evaluation map becomes
[TABLE]
where the are the coefficients of the local expansion
[TABLE]
of at with respect to . Sometimes this is also called a “derived evaluation map”, although one should be careful that for these are not precisely derivatives in the usual sense (at best they are “ times the derivative”).
5.3. Discussion on symmetry
In the broader context of bilinear algorithms over finite fields, the distinction between (general) bilinear complexity and symmetric bilinear complexity, together with some of the mathematical issues related specifically to the construction of symmetric algorithms, were first discussed in 1984 by Seroussi and Lempel in [76].
Focusing now on works based on the Chudnovsky-Chudnovsky method, it turns out that until 2011 all results (including those in [44][78][26][40][71]) were stated in terms of only (not ), although by construction the method always produced symmetric algorithms. Of course this does not mean that the authors were not aware of the distinction: for instance, I. Shparlinski, M. Tsfasman and S. Vladut explicitly mentioned the issue when they observed [78, p. 154] that their notion of supercode corresponds only to symmetric algorithms.
However the situation became unsatisfactory when I. Cascudo, R. Cramer and C. Xing discovered the gap in the construction of the divisor in [78], as already discussed in section 3. Indeed, it turns out that the difficulty of this construction, which they analyze in terms of the -torsion in the divisor class group of the curve (see section 7.1), is closely related to the symmetry requirement for the algorithm.
Finally, things were clarified by H. Randriambololona in [72]. Along with the contributions already discussed in section 5.2, this work introduced two further improvements to the method:
- one that solves the difficulty with the construction of the divisor in the symmetric case, at least for curves with sufficiently many rational points (see section 7.2 for details)
- another one that produces asymmetric algorithms instead, by allowing asymmetry in the CCMA; this is advantageous because asymmetric interpolation allows more freedom in the choice of the divisors, and ultimately, can lead to sharper bounds.
As a consequence of these developments, whenever possible, the generalized CCMA should be stated in two versions, one for bilinear complexity, the other for symmetric bilinear complexity. Likewise, the numerical bounds should be stated in two versions, accordingly.
Besides bilinear complexity and symmetric bilinear complexity , other refinements were introduced and studied in [76] and [74, Appendix A]: these are the trisymmetric bilinear complexity and the normalized trisymmetric bilinear complexity .
It should be noted that it can happen that these quantities are not well defined for some values of and . More precisely, [74, Prop. A.14] shows that is well defined for all values of and except precisely for . Likewise [74, Prop. A.19] shows that is well defined for all values of and except precisely for and for .
In any case, when well defined, one has
[TABLE]
Also, [76, Th. 2] gives for , , and [74, Prop. A.19] gives for and . Together with the linearity of , this gives the linearity of and for most .
But beside this, very little is known about these quantities.
Open problems 5.2.
What are the exact values of and for small and ?
Can some of the inequalities between , , and be strict? If so, for which values of ?
Can one give better asymptotic bounds on them?
5.4. The current generalized CCMA
Now we can state H. Randriambololona's result [72, Theorem 3.5], which provides the current most general CCMA. It makes use of the most elaborate form of derived evaluation, and it gives bounds both for asymmetric complexity and for symmetric complexity.
As already explained, this result was originally presented in the language of modern algebraic geometry, but here we give the equivalent translation in the language of function fields.
Theorem 5.3.
Let
- be a prime power,
- be an algebraic function field,
- be a place of , of degree
- be a positive integer
- be two divisors of ,
- be a set of places of arbitrary degree ,
- be positive integers.
We suppose that and all the places in are not in the support of and , and that:
- (a) the maps
[TABLE]
and
[TABLE]
are onto,
- (b) the map
[TABLE]
is injective,
where the maps , , and are the derived evaluation maps from (5). Then
[TABLE]
Moreover, if , the same holds for the symmetric bilinear complexity:
[TABLE]
Existence of the objects satisfying the conditions above is ensured by the following numerical criteria:
- a sufficient condition for the existence of of degree is that , where is the genus of
- a sufficient condition for (a) is that the divisors and are nonspecial:
[TABLE]
where denotes the index of speciality
- a necessary and sufficient condition for (b) is that the divisor is zero-dimensional:
[TABLE]
where .
The fact that (resp. ) appears on the left-hand side of the inequalities makes it possible to apply the result recursively. For it also provides bounds for the quantity of M. Cenk and F. Özbudak (resp. for ).
However, in most applications we are mostly interested in the case . If we restate the result in this particular case, and focus only on the symmetric part, this generalized version of the CCMA specializes to the following statement (a special case of [72, Theorem 3.5]), which suffices for most applications:
Corollary 5.4.
Let
- be a prime power,
- be an algebraic function field,
- be a place of , of degree and residue field
- be a divisor of ,
- be a set of places of arbitrary degree ,
- be positive integers.
We suppose that and all the places in are not in the support of , and that:
- (a) the evaluation map
[TABLE]
is onto,
- (b) the map
[TABLE]
is injective, where is the derived evaluation map from (5).
Then
[TABLE]
This can be specialized still further. Indeed, first observe that for all we have the easy inequality
[TABLE]
This follows directly from Lemma 1.6(b) applied with , , . We deduce:
Corollary 5.5.
Under the same hypotheses as Corollary 5.4, we have
[TABLE]
Corollary 5.5 can be seen as a symmetric variant of M. Cenk and F. Özbudak’s version of the CCMA [40]. It is weaker than Corollary 5.4, since the inequality can be strict.
One should be careful that all bilinear complexities in the original statement of [40] (including the one for multiplicities) have to be replaced by symmetric bilinear complexities in order to get this valid symmetric reformulation.
Going further back in time, let us then remark that the algorithm given in [44] by D.V. and G.V. Chudnovsky corresponds to the case and for . The first generalization introduced by S. Ballet and R. Rolland in [25] concerns the case and for . Next, the generalization introduced by N. Arnaud in [1] concerns the case and for . In particular, as a corollary of Theorem 5.3, we have the following result obtained by N. Arnaud in [1] by gathering the places used with the same multiplicity; namely he sets for and and with .
Corollary 5.6.
Let
- be a prime power,
- be an algebraic function field,
- be a degree place of ,
- be a divisor of ,
- be a set of places of degree one and places of degree two,
- and be two integers.
We suppose that and all the places in are not in the support of and that:
- (a) the map
[TABLE]
is onto,
- (b) the map
[TABLE]
is injective.
Then
[TABLE]
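To make the genus-0 instance of Theorem 5.3 and its specializations concrete, here is an added Python example (not the paper's code) multiplying in F_8 = F_2[x]/(x^3+x+1) by derived evaluation at places of the projective line, local products, and interpolation, once with three rational places plus one place of degree 2 (the Ballet-Rolland setting of Corollary 5.6) and once with two rational points taken with multiplicity 2 plus the point at infinity (the Arnaud setting). The field, the modulus and the place configurations are my own choices; the returned counts are upper bounds on the bilinear complexity, and the first one reaches the known value 6 for F_8 over F_2.

```python
"""Added example (not the paper's code): the genus-0 CCMA over F_p with places of
degree 1 or 2 and multiplicities.  Polynomials are coefficient lists, low degree first."""
from itertools import product

def poly_mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return out

def poly_mod(f, m, p):
    """Remainder of f modulo m over F_p, returned as a list of length deg m."""
    f, dm = [c % p for c in f], len(m) - 1
    inv = pow(m[dm], -1, p)
    for i in range(len(f) - 1, dm - 1, -1):
        c = f[i] * inv % p
        for j in range(dm + 1):
            f[i - dm + j] = (f[i - dm + j] - c * m[j]) % p
    return (f[:dm] + [0] * dm)[:dm]

# A place is (pi, m, at_inf): pi the irreducible polynomial of the place (x - a for a
# rational point, a degree-2 irreducible, or u = 1/x at infinity), m the multiplicity.
def local_modulus(place, p):
    """The local algebra at the place is F_p[x]/(pi^m), of dimension deg(pi) * m."""
    pi, m, _ = place
    M = [1]
    for _ in range(m):
        M = poly_mul(M, pi, p)
    return M

def local_eval(f, bound, place, p):
    """Derived evaluation of f: its image in F_p[x]/(pi^m).  At infinity, reverse f
    relative to the degree bound of its space (n-1 for factors, 2n-2 for the product)."""
    if place[2]:
        f = [f[i] if i < len(f) else 0 for i in range(bound, -1, -1)]
    return poly_mod(f, local_modulus(place, p), p)

def local_mul(a, b, M, p):
    """Product in F_p[x]/(M), deg M <= 2, and its number of bilinear multiplications:
    1 for a rational point, 3 (Karatsuba) for F_p[t]/(t^2) or a degree-2 residue field."""
    if len(M) == 2:
        return [a[0] * b[0] % p], 1
    m0, m2 = a[0] * b[0] % p, a[1] * b[1] % p
    m1 = ((a[0] + a[1]) * (b[0] + b[1]) - m0 - m2) % p
    return poly_mod([m0, m1, m2], M, p), 3

def eval_all(f, bound, places, p):
    return [c for pl in places for c in local_eval(f, bound, pl, p)]

def solve(A, b, p):
    """Gaussian elimination over F_p; fails exactly when the derived evaluation map on
    polynomials of degree <= 2n-2 is not injective (condition (b) of the theorem)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            raise ValueError("derived evaluation map is not injective")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [x * inv % p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                c = M[r][col]
                M[r] = [(x - c * y) % p for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def ccma_multiply(f, g, Q, places, p):
    """Multiply f, g (degree < n) in F_p[x]/(Q), deg Q = n: evaluate at the places,
    multiply locally, interpolate fg (degree <= 2n-2), reduce modulo Q.
    Returns (product, number of bilinear multiplications used)."""
    n, N = len(Q) - 1, 2 * len(Q) - 3
    cols = [eval_all([0] * j + [1], 2 * n - 2, places, p) for j in range(N)]
    if len(cols[0]) != N:
        raise ValueError("the total multiplicity must be exactly 2n-1")
    E = [[cols[j][i] for j in range(N)] for i in range(N)]
    ef, eg = eval_all(f, n - 1, places, p), eval_all(g, n - 1, places, p)
    prod, count, pos = [], 0, 0
    for pl in places:
        M = local_modulus(pl, p)
        d = len(M) - 1
        loc, c = local_mul(ef[pos:pos + d], eg[pos:pos + d], M, p)
        prod, count, pos = prod + loc, count + c, pos + d
    return poly_mod(solve(E, prod, p), Q, p), count

# Constructed instance: F_8 = F_2[x]/(x^3 + x + 1), n = 3, so 2n - 1 = 5 coefficients.
P, Q = 2, [1, 1, 0, 1]
PT0, PT1, INF = ([0, 1], 1, False), ([1, 1], 1, False), ([0, 1], 1, True)
BALLET_ROLLAND = [PT0, PT1, INF, ([1, 1, 1], 1, False)]   # 3 rational places + 1 degree-2 place
ARNAUD = [([0, 1], 2, False), ([1, 1], 2, False), INF]    # 2 points with multiplicity 2 + infinity

def check(places):
    """Compare with schoolbook multiplication on all 64 pairs; return (all_ok, count)."""
    ok, count = True, 0
    for f in product(range(P), repeat=3):
        for g in product(range(P), repeat=3):
            got, count = ccma_multiply(list(f), list(g), Q, places, P)
            ok = ok and got == poly_mod(poly_mul(list(f), list(g), P), Q, P)
    return ok, count

if __name__ == "__main__":
    print(check(BALLET_ROLLAND))   # (True, 6): the known value mu_2(3) = 6 is reached
    print(check(ARNAUD))           # (True, 7): here multiplicity costs more than a degree-2 place
```

The 7 of the second configuration illustrates why the choice of places matters: over F_2 there are only three rational places, so either higher-degree places or multiplicities are unavoidable, and their local costs differ.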
6. Choice of the curves
6.1. Motivation and notations
As seen in Sections 3 and 5, until now the best method to quantify the bilinear complexity of multiplication in finite fields is the CCMA, based on interpolation over algebraic curves defined over a finite field. So in this context, to get the best bounds on the upper-limit complexities and or the upper bounds and defined in Section 3.2, it is necessary to use sufficiently many different curves so as to deal with the worst cases. So let us give a name to the following requirement, formalized in [78, Claim p163]:
Definition 6.1.
Let be a family of curves over a field with genera . We say that the family is dense if and only if the genera tend to infinity and the ratio of two successive genera tends to 1.
As introduced in the last section, multiplication algorithms by interpolation on algebraic curves often require many points of higher degree . So let us study the best possible asymptotic ratios of the number of places of degree divided by the genus. The first definition is due to M. Tsfasman [81] (cf. also [27, definitions 1.1, 1.2 and 1.3]).
Definition 6.2.
Let be a sequence of curves defined over a finite field of genus . We suppose that the sequence of genera is increasing and tends to infinity. Then the sequence is said to be asymptotically exact if for all the limit , where denotes the number of closed points of degree of the curve , exists.
Definition 6.3.
Let be an integer and a prime power. For a curve over , let denote the number of closed points of degree . For an asymptotically exact sequence of curves , let us define
[TABLE]
Then we define, respectively:
[TABLE]
* running over all asymptotically exact sequences of curves (resp. dense asymptotically exact sequences of curves).*
Remark 6.4.
Note that the quantity is the classical Ihara constant defined by Y. Ihara in [61]. The order Ihara constants were in particular defined in [27, definition 1.3]. Concerning the quantities , note that the dense Ihara constant was first introduced (and denoted ) by H. Randriambololona in [71] (cf. also [75]). The order dense Ihara constants were first introduced (and denoted ) by M. Rambaud in [69].
The following is possibly well known. It essentially follows from [39, Lemma IV.3], itself based on the generalized Drinfeld-Vladut bound (cf. [81, Theorem 1], see also [27, Definitions 1.2 and 1.3]).
Theorem 6.5.
Let be a family of curves over a finite field , with genera tending to infinity. Let be an integer, the number of closed points of degree and the number of points of in the extension . Then the following assertions are equivalent:
[TABLE]
As a corollary of Theorem 1 in [81], the following holds:
Theorem 6.6.
[TABLE]
6.2. Explicit towers, densification and descent
The pioneering papers [44][78], whose objective was to prove the linearity (cf. Section 3.2) of this complexity with respect to the extension degree, required infinite families of curves with many rational points relative to the genus. However, the first exhibited families of curves (of modular and Shimura type) only allowed them to obtain purely asymptotic bounds. So the objective of [5] (cf. also [6] and footnote 1 page 1) was to give the first uniform upper bounds with respect to . To this end, it was necessary to use more explicit families of curves. The first tower of algebraic function fields of Garcia-Stichtenoth [57] fulfilled the required conditions: knowledge of the fundamental invariants, namely the genus and the number of rational points of each step of the tower, which attains the Drinfeld-Vladut bound. From a general point of view, to obtain the best bounds by CCMA, we need to use families of curves whose genus increases as slowly as possible (cf. Section 5.1 and Theorem 9.5 in Section 9.2). But a tower of algebraic function fields is composed of successive algebraic function fields whose genera increase as the extension degree between two consecutive steps, by the Hurwitz formula. For example, the first Garcia-Stichtenoth tower defined over is an Artin-Schreier tower whose ratio of two consecutive genera is , where is an arbitrary prime power. In this case, an interesting strategy to improve the bounds obtained with this type of tower consists in densifying the tower by adding intermediate steps (cf. [7]). This is easily possible here, even without knowing the recursive equation of the intermediate steps, because the tower is a Galois tower.
When the towers used are such that the value of is not sufficiently large (which is the case when the finite fields of definition are small or when the best known lower bound on the Ihara constant of the definition field is not sufficiently large), it is necessary to use places of degree because of the Drinfeld-Vladut bound (cf. [25], [20]). So we need families of curves reaching the Drinfeld-Vladut bound of order (cf. [26] and Assertion (ii) in Theorem 6.5). Until now, the only way to obtain such families is the technique of descent of families of algebraic function fields defined over to the definition field , which was introduced in [25]. Of course, the descent of the original Garcia-Stichtenoth tower is always possible since the coefficients of the recursive equation lie in . However, the problem arises as soon as we introduce intermediate steps. So, in [25], the descent was made explicit only for characteristic two and , because in this case the descended tower remains Galois. The generalization to any characteristic with was then carried out in [19] using two different techniques: theoretically, by using the action of the Galois group of on the intermediate steps of the tower defined over , or by finding explicit equations for the intermediate steps. Then, once all the possibilities offered by towers had been used, it became necessary to use families of algebraic function fields denser than towers. To this end, it was natural to return to the study of families of modular and Shimura curves, which is the subject of the following section.
6.3. Modular and Shimura curves
The previous section motivates the search for dense families of curves becoming optimal after a base field extension of (small) degree .
Firstly, since the towers of Garcia-Stichtenoth [57][58] are actually defined over their prime field , for any base extension degree there exist non-dense towers reaching the previous bound (see next section):
[TABLE]
Now, in the particular case of quadratic extensions , the celebrated results of [61] and [83] (cf. also [78]) state that (see also the two original approaches of [49, Theorem IV.4.5]), for every prime power , there exist dense families of Shimura modular curves over that become optimal over . See also [85] for an introduction (in characteristic zero). Notice that classical modular curves over prime fields are a particular case of Shimura curves. Summing up, the Shimura curves mentioned above match the Drinfeld-Vladut bound over , which reads:
[TABLE]
Moreover, taking into account that these curves are defined over , Theorem 6.5 implies:
[TABLE]
6.3.1. Intertwining two recursive towers into a dense family
A recursive construction to obtain a dense family of curves consists in intertwining two towers of modular curves defined over the same basis. Let us illustrate this with the classical modular curves . Let be a prime number; then we know from Igusa that there exist canonical models over for any , which have good reduction at any and are asymptotically optimal over . The curves form a tower over that is recursively determined from the first two steps (actually the first step is enough, see the historical notes and references below). More precisely, the tower is deduced by iterated fiber products from the two following data:
- the canonical morphisms over
[TABLE]
- the Atkin-Lehner involutions on for
Remark 6.7.
Actually the first step is enough to deduce the whole tower recursively (see the historical notes and references below). Namely, one needs only the covering map and the Atkin-Lehner involutions , for . Caution must be taken since the fiber product of the first step with its Atkin-Lehner twist, in addition to being highly singular, contains a second irreducible component besides . This comes from degree reasons, [69, VI §2.3 & §3.2] (or from modular interpretation reasons, if one prefers).
The genera in a single tower for any are tightly controlled by the prime powers :
[TABLE]
(see [82, 4.1] or [48, Th 3.1.1 & p107]). So this single tower does not form a dense family.
Now let be another prime and consider the recursive tower . Both towers are defined over the same basis , and, by taking fiber products over , we obtain:
[TABLE]
for any and . By doing so for all indices and we obtain the family $\{X_0(l^i l'^j)_{\mathbb{Q}}\}_{i,j}$: let us call this family the "intertwining" of the two recursive towers. This family has good reduction at any prime and is asymptotically optimal. The genera in this family are now closely controlled by the prime products , as follows from
[TABLE]
The key observation is that the family of integers is dense, i.e. its growth rate tends to zero, so that the intertwined family $\{X_0(l^i l'^j)_{\mathbb{Q}}\}_{i,j}$ is dense.
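As an added numerical illustration of Definition 6.1 for the families of this subsection (my own code, not the paper's): the standard genus formula for X_0(N), in terms of the index of Gamma_0(N) and the numbers of elliptic points and cusps, is evaluated over the rationals for the single tower X_0(2^i) and for the intertwined family X_0(2^i 3^j), and the ratios of successive genera are compared. The choice of primes 2 and 3, the level bounds and the genus thresholds are assumptions made for the demonstration.

```python
"""Added example (not from the paper): genera of X_0(N) and the density test of
Definition 6.1 for a single modular tower versus an intertwined family."""
from math import gcd

def factor(n):
    """Prime factorisation of n as a dict {p: exponent}."""
    out, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            out[p] = out.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def phi(n):
    r = n
    for p in factor(n):
        r = r // p * (p - 1)
    return r

def genus_X0(N):
    """g = 1 + mu/12 - nu_2/4 - nu_3/3 - nu_inf/2 with mu the index of Gamma_0(N),
    nu_2, nu_3 the numbers of elliptic points (Kronecker symbols (-4/p), (-3/p))
    and nu_inf the number of cusps."""
    primes = factor(N)
    mu = N
    for p in primes:
        mu = mu // p * (p + 1)
    nu2 = 0 if N % 4 == 0 else 1
    nu3 = 0 if N % 9 == 0 else 1
    for p in primes:
        nu2 *= 1 + (0 if p == 2 else (1 if p % 4 == 1 else -1))
        nu3 *= 1 + (0 if p == 3 else (1 if p % 3 == 1 else -1))
    nu_inf = sum(phi(gcd(d, N // d)) for d in range(1, N + 1) if N % d == 0)
    g12 = 12 + mu - 3 * nu2 - 4 * nu3 - 6 * nu_inf
    assert g12 % 12 == 0          # the formula always yields an integer genus
    return g12 // 12

def levels(primes, bound):
    """All N > 1 of the form prod p^e over the given primes with N <= bound."""
    out = [1]
    for p in primes:
        out = [n * p ** e for n in out for e in range(64) if n * p ** e <= bound]
    return sorted(n for n in out if n > 1)

def successive_genus_ratios(family, gmin):
    """Ratios g_{k+1}/g_k of consecutive distinct genera in the family, from gmin on;
    Definition 6.1 asks these ratios to tend to 1."""
    gs = sorted({genus_X0(N) for N in family if genus_X0(N) >= gmin})
    return [b / a for a, b in zip(gs, gs[1:])]

def density_report(primes, bound, gmin):
    """(min ratio, max ratio) of successive genera for the family of levels."""
    r = successive_genus_ratios(levels(primes, bound), gmin)
    return min(r), max(r)

if __name__ == "__main__":
    print(genus_X0(2), genus_X0(11), genus_X0(37), genus_X0(64))   # 0 1 2 3
    print(density_report([2], 2 ** 14, 20))      # single tower X_0(2^i): ratios stay above 2
    print(density_report([2, 3], 20000, 200))    # intertwined X_0(2^i 3^j): ratios near 1
```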
6.3.2. Problems of descent on Shimura curves and open questions
Let us now turn to Shimura curves and consider three specific recursive towers defined over the same basis of genus zero. Let be the totally real number field of degree three, the prime ideals over the inert primes and , and the prime ideal over the split prime . Let be the quaternion algebra over which is ramified exactly at two of the three real places and at no finite place. contains a unique conjugacy class of Eichler orders of given level. In particular, "the" maximal order has a group of units which embeds in onto the celebrated triangle group (the hyperbolic group of smallest covolume). The Shimura curve uniformized by this group has a canonical model over of genus zero with three rational points, which arise precisely from the elliptic points, of orders , and . Above this base curve one has notably the three towers , where and , which have canonical models over . They have good reduction at every prime of different from , and , and if furthermore comes from an inert prime, then the reductions modulo have an asymptotically optimal number of points over (see [49, Th IV.4.5], which is established by two independent methods).
Now, intertwining the two towers and over gives a dense family $\{X_0(\mathfrak{p}_2^i \mathfrak{p}_7^j)_F\}_{i,j}$ over , with genera tightly controlled by the products :
[TABLE]
(and similar formulas for smaller or : see [69, IV Corollary 2.12]). In particular it has good reduction modulo and yields an asymptotically optimal dense family over with many points in . Now, the interesting problem for bilinear multiplication over is: can we descend this family over ? Much of the work towards this result has been done, since it is proven in [69, VI §5.2] that the first two steps of the reductions modulo of the two towers descend over . But recall that, over , these first two steps suffice to build the whole family. So the problem of descent of the family over reduces to the following general question:
Open problems 6.8.
Conjecture 6.8.1.
Are good reductions of towers of Shimura curves recursive?
We are confident that this point comes down to the modular interpretation of integral models of Shimura curves (and not only of models over number fields, such as ), which should also be well known to specialists.
Additional evidence supports the descent question we are concerned with, since it is also established in [69, Th. V.5.14] that the family $\{X_0(\mathfrak{p}_2^i \mathfrak{p}_7^j)_F\}_{i,j}$ descends over , and strong numerical evidence (the number of points) suggests that the third steps also descend ([69, VI §5.2]).
Recapitulating: descent of the previous family, as would be implied e.g. by Conjecture 6.8.1, would provide a dense family over with many points of degree , which would thus establish:
[TABLE]
which is (prematurely) claimed as "Theorem B" in [69].
Likewise, intertwining the two towers and over gives a dense family $\{X_0(\mathfrak{p}_3^i \mathfrak{p}_7^j)_F\}_{i,j}$ over , with genera tightly controlled by the products , good reduction modulo over and asymptotically many points in .
Open problems 6.9.
Similarly, we are concerned with the descent of this dense family over , which if true would yield the value . Let us assume that Conjecture 6.8.1 is true: then this would already imply that the tower descends over . So we would be left to show that the first two steps of the tower also descend. More precisely:
Conjecture 6.9.1.
The following morphisms descend over : the canonical branched cover , and the Atkin-Lehner involution on .
Finally, notice that the first step of this tower was explicitly computed over in [54]: a Belyi map of degree . So, if it were true that good reductions of towers of Shimura curves were also recursive from the first step (see Remark 6.7), then one would be left with the easier problem of finding a good reduction modulo of this Belyi map of degree .
Open problems 6.10.
From a more general point of view, the families of curves known so far that attain the Drinfeld-Vladut bound over q are all defined over fields of square cardinality . The following conjecture states (in an equivalent form) that for every square , there exists such a dense optimal family over which descends over the prime field .
Conjecture 6.10.1.
Let be a prime number and an even integer. Then the following equality holds:
[TABLE]
In other words: there exists a family of curves over with (increasing) genera tending to infinity such that
- (i) is, actually, defined over the prime field ;
- (ii) (maximal density condition)
- (iii) (Ihara constant over )
Open problems 6.11.
The following conjecture was proposed in [70], to which we have added a density requirement.
Conjecture 6.11.1.
Let be an odd prime. Then there exists a sequence of numbers , with (density condition), such that the Hecke operator acting on the space of weight cusp forms has an odd determinant.
Its consequence would be the asymptotic vanishing of two-torsion in classical modular curves:
Proposition 6.11.1.
Under Conjecture 6.11.1, there exists a dense family of (classical modular) curves such that
[TABLE]
(i.e. with no two-torsion in their class group).
This proposition is stated as Conjecture I 2.8 in [69]. Here, a detailed proof that it follows from Conjecture 6.11.1 is given: in the discussion above Conjecture I 2.8 and also in §II.5 (for the key formula (2.6)). The following practical consequence will be proven in the Annex.
Proposition 6.11.2.
Let be a prime number such that Conjecture 6.11.1 holds for , and an integer such that $\{q = p \text{ and } r = 2\}$ or $\{q = p^2 \text{ and } r = 1\}$; then formula (a) in Theorem 8.21 also holds.
6.3.3. References and historical notes for section 6
Recursive modular towers: The recursivity of towers of classical modular curves was pointed out in the seminal paper of N. Elkies [51, pp 1-3], where more details and a proof over can be found. The proof carries over to the canonical models over since the moduli interpretation in terms of elliptic curves is the same. N. Elkies also claims, and uses, that towers of Shimura curves are recursive. The proof of this fact is formally analogous: see [49, Proposition IV.5.1]. But actually, extra care must be taken with the irreducibility of the tensor products involved [69, VI §2.3 & §3.2], because the moduli interpretation is much more complicated. Intertwining two towers over the same basis: this construction is already mentioned in [51, top of page 7]. The crucial observation that the resulting family is dense was pointed out to us by N. Elkies in August 2015.
Recursivity from the first step: The fact that the first step of modular towers is actually enough to construct them recursively is already pointed out in [51, footnote 4] and [53, p8], and was brought to our attention by N. Elkies in 2017.
About Conjecture 6.10.1: this conjecture was essentially stated as Lemma IV.4 in [39]. For their proof, the authors claim that some specific Shimura curves, with Galois invariant parameters, descend over the rationals. This claim is unfortunately false: in [23, §3] we exhibited counterexamples to this claim, which show more generally that Shimura curves do not descend over their field of moduli. Consequences of Conjecture 6.10.1 on upper-limit asymptotic complexities are given by M. Rambaud in [69, Table 2.2], lines "Conj Y". Notice that they slightly improve those claimed by [39], displayed in footnote 11 page 11.
More on explicit computations: Since the seminal works of [83] and [61] on Shimura curves with many points, many equations of curves of genus zero and one were computed in [52], [59] and [79]. Further examples of recursive towers of Shimura curves can be found in [49, IV Example 5.3], [60] and [69, VI §3] (defined over a totally real field of narrow class number two, with a record number of points over in genus 5). The (nonexplicit) list of Shimura curves of genus less than two can be found in [86]. From this data and the recent tools for Belyi maps developed in [64], one could access the dozen recursive towers whose first step is a covering map of of degree ramified above three points. Finally, when the first step is over a genus one curve, a first example was computed in C. Levrat's master's thesis [63].
7. Obtaining a divisor of optimal degree for symmetric algorithms
Using the numerical criteria at the end of Theorem 5.3, in the symmetric case , we meet the following problem: given
- a prime power
- a function field, of genus
- a divisor of , of degree
- a divisor of , of degree
does there exist a divisor such that the two conditions
[TABLE]
and
[TABLE]
are both satisfied?
Clearly the answer will depend on and . By the Riemann-Roch theorem, condition (16) implies and condition (17) implies , so combining both we see that
[TABLE]
is a necessary condition for the existence of a solution.
Observe that, in order to get the algorithm of best complexity for given , we need to be as small as possible.
In their original paper [44], D.V. Chudnovsky and G.V. Chudnovsky introduced a simple cardinality and degree argument, later made more explicit by S. Ballet in [6], which proved the existence of a solution under the weaker condition
[TABLE]
As explained in section 3.2, Shparlinski-Tsfasman-Vladut tried to improve the original bound of Chudnovsky-Chudnovsky by proving the existence of under the optimal condition (18), instead of (19). For this they had to adapt the cardinality argument, but they failed to notice the consequence of the existence of -torsion in the class group when dealing with (17).
In order to repair their proof, two approaches were devised:
- choose curves with -torsion as small as possible
- directly construct under condition (18).
7.1. Bounding the -torsion
Bounds on torsion in the class group were first introduced in a very similar context, that of frameproof codes (also called linear intersecting codes), by C. Xing [89]. Indeed, in order to obtain a -frameproof code of high rate, one needs, given a divisor , to prove the existence of a divisor of high degree such that
[TABLE]
C. Xing proved the existence of such a using a cardinality argument similar to that of Chudnovsky-Chudnovsky and Shparlinski-Tsfasman-Vladut, while correctly recognizing the difficulty with -torsion. His result on the rate of -frameproof codes thus includes a term accounting for the size of the -torsion subgroup. Actually, C. Xing used the well known upper bound for the size of the -torsion subgroup in the Jacobian of a curve of genus .
It is natural to ask for better bounds, especially in the asymptotic case . This problem was formalized and studied, independently,
- by H. Randriambololona, through the quantity in [70]
- by I. Cascudo, R. Cramer and C. Xing, through the torsion-limit in [37][38].
One of the questions asked by H. Randriambololona in [70] is the following: for given and , can one find an infinite sequence of curves having many rational points (ideally, matching the Ihara constant ), but whose class group has few -torsion?
How asymptotically small this -torsion can be is measured by the following quantity:
Definition 7.1.
Let be the smallest real number such that there exists a sequence of curves over , of increasing genus , having an asymptotically number of rational points:
[TABLE]
and such that the cardinality of the -torsion subgroup of the group of rational points over of the Jacobian satisfies
[TABLE]
Open problems 7.2**.**
Estimate the quantity for an infinite sequence of curves attaining the Drinfeld-Vladut bound. H. Randriambololona conjectures that for all and , i.e. that there exist curves that have an asymptotically maximal number of points over and whose class groups have asymptotically negligible -torsion. Of special importance for us is the case , i.e. the case of -torsion. In [70] H. Randriambololona focuses on classical modular curves, which have an asymptotically maximal number of points over (for prime). The size of the class group of such a curve is given by the determinant of a Hecke operator. This leads to deep number-theoretic questions on the parity of these determinants, which remain conjectural at this time.
In [38], I. Cascudo, R. Cramer and C. Xing generalize conditions such as (16), (17) or (20) into what they name Riemann-Roch systems of equations. They adapt the cardinality argument of [44][78][89] to this more general framework. First, for a function field , let be its zero divisor class group. Let then be its -torsion subgroup, of cardinality . Their main result (see [38, Theorem 3.2]) is as follows:
Proposition 7.3**.**
Let:
- be a prime power
- be a function field
- be the class number of
- the number of effective divisors of degree in the group of divisors for
- be an integer
- be divisors of
- be nonzero integers.
Suppose that for some integer , the inequality
[TABLE]
holds, where . Then the system of conditions
[TABLE]
is satisfied by some divisor of degree .
In order to measure the size of the torsion subgroups, they introduce the notion of torsion-limit:
Definition 7.4**.**
For each family of function fields with increasing genus , we define the asymptotic limit
[TABLE]
For a prime power , an integer and a real number , let be a set of families of function fields over such that the genus in each family tends to and the Ihara limit satisfies for every . Then the asymptotic quantity is defined by
[TABLE]
Thanks to the equivalence between curves and function fields, where the group of rational points of the Jacobian corresponds to the zero divisor class group, we see that this torsion-limit is related to the constant by the relation:
[TABLE]
This torsion-limit can be introduced as a correcting term in the denominator of the bound claimed by Shparlinski, Tsfasman, and Vladut, as we will see in Section 8.2.
However, another approach is possible, namely the direct construction.
7.2. Direct construction
The direct construction consists in finding the best divisors to which to apply CCMA, i.e. divisors satisfying Conditions (16) and (17) for given and . The idea was explicitly introduced by S. Ballet in [9, Theorem 2.2], as we will see more precisely in Section 9.2. Then J. Chaumine proved in [42] (cf. also [43]) that the direct construction is optimal in the elliptic case, thereby improving the result of A. Shokrollahi [77], as we will see in Section 9.1. Next, H. Randriambololona introduced new ideas originating in his work [73] on the construction of intersecting codes. The technique was then extended in [71] in order to solve more general Riemann-Roch systems of equations. In the case of the Riemann-Roch system associated with a CCMA, it allows the effective construction of a solution, in most cases up to the optimal degree.
The key point is the following result [73, Lemma 9], which can be seen as a numerical variant of a generalized Plücker formula:
Lemma 7.5**.**
Let be a curve of genus over a perfect field , and let be a divisor on with and
[TABLE]
Then for all points except perhaps for at most of them, we have
[TABLE]
In [71] it is shown how the bound can be slightly improved when is a finite field. However the original Lemma 7.5 suffices to prove the following result [71, Corollary 20]:
Proposition 7.6**.**
Let:
- be a prime power
- be a function field, of genus
- be a divisor of , of degree
- be a divisor of , of degree .
Assume that the number of degree places of satisfies
[TABLE]
Then, provided
[TABLE]
there exists a divisor of such that is nonspecial of degree and is zero-dimensional:
- •
**
- •
**
- •
.
Observe that for a divisor of degree , nonspecial and zero-dimensional are equivalent, so here and are equivalent.
Observe also that Proposition 7.6 gives precisely what was required in the approach of Shparlinski, Tsfasman and Vladut, as described in Section 3.2, with , , and . The only downside is the condition that should have sufficiently many rational places.
Beside [71], the proof of this Proposition 7.6 can also be found inside the proof of [72, Theorem 5.2(c)].
8. Asymptotic upper bounds
The asymptotic study of the bilinear complexity of multiplication consists in evaluating the quantities , , , . The importance of this study comes from the fact that we generally have better estimates of these quantities than of the constants and . Indeed, the best known families of curves suited to the application of the D. V. and G. V. Chudnovsky algorithm are known asymptotically, in particular the families of Shimura curves used by I. Shparlinski, M. Tsfasman and S. Vladut in [78]. The latter establish the following general result, which we can see as a direct consequence of Lemma 1.7 (or of [78, Lemma 1.2]) (Footnote 4: their main motivation for introducing this lemma was to deduce the finiteness of for all from the finiteness of for square).
Lemma 8.1**.**
For any prime power and any positive integer we have
[TABLE]
[TABLE]
Actually, inequality (22) about is already implicit in the original paper of D. V. Chudnovsky and G. V. Chudnovsky (from [44, eq. (6.2)]). So, here, the important new contribution of I. Shparlinski, M. Tsfasman and S. Vladut is inequality (23) about . Note that these inequalities are also true in the symmetric case, as a consequence of Lemma 1.8:
Lemma 8.2**.**
[TABLE]
[TABLE]
By using Theorem 2.2 with Lemma 8.1 or Lemma 8.2, we trivially get the following useful corollary:
Corollary 8.3**.**
For every prime power , we have , , , and . If , then , , , and .
Let us recall that denotes the Ihara limit defined by where is the maximum number of rational places over all the algebraic function fields over of genus (cf. also Definition 7.1).
8.1. Upper bounds on and
Thanks to the asymmetric interpolation allowed by the generalized CCMA (cf. Section 5.3), H. Randriambololona [72, Theorem 6.3 and Theorem 6.4] obtains bounds for and . For , the bound reads:
Theorem 8.4**.**
Let be a prime power such that . Then
[TABLE]
For , it reads:
Theorem 8.5**.**
Let be a square prime power. Then
[TABLE]
Combined with Lemma 8.1 and , this implies at once:
Corollary 8.6**.**
Let be a prime or a nonsquare prime power. Then
[TABLE]
and
[TABLE]
Moreover, from Theorem 9.18, J. Pieltant and H. Randriambololona deduce the following asymptotic bounds in the general case:
Theorem 8.7**.**
[TABLE]
These bounds are currently the best published asymptotic bounds in the general case. They are deduced from the best known uniform bounds. Indeed, the purely asymptotic bounds given in Theorem 5.3, Corollary 5.4 and Corollary 5.5 of [67] are unproven, as established in [23] (Footnote 5: these unproven bounds are:
for a prime power and an integer such that is a square;
and
). In addition, as a corollary of the uniform bounds in Proposition 9.19 (cf. Section 9.3), H. Randriambololona recently obtained the following result:
Theorem 8.8**.**
For , we have:
[TABLE]
Finally, in [69] M. Rambaud obtains the current best general upper-limit asymptotic bound, namely:
Theorem 8.9**.**
Let be a prime power and , two positive integers. Then, as long as , we have:
[TABLE]
In particular, this result yields the following value (with by Table 1 and by Formula (7)):
Corollary 8.10**.**
[TABLE]
8.2. Upper bounds on and
Initially, by using the original Chudnovsky-Chudnovsky algorithm, I. Shparlinski, M. Tsfasman and S. Vladut [78] obtain upper bounds (Footnote 6: these are the following bounds:
where is defined in Proposition 8.14,
where is a perfect square
where with is a positive constant,
where
where is a perfect square,
where , and
given respectively in [78, Theorem 3.1], [78, Corollary 3.4], [78, Corollary 3.5], [78, Remark 3.6], [78, Corollary 3.7], [78, Corollary 3.8], [78, Theorem 3.9] and [78, Corollary 3.10] for the last two bounds. Note that these bounds are originally formulated with the notation and , but for the same reasons as those mentioned in footnote 2 of Section 3.2, these bounds concern the quantities and . Note that there exist proven bounds exceeding the last bound (cf. Proposition 8.23).) on and for any , which are not completely proved because of the gap mentioned in Section 3.2. H. Randriambololona in [72, Theorem 6.3 and Theorem 6.4] obtains the following results, which prove the bounds of Shparlinski-Tsfasman-Vladut with a slight restriction on the range of values of and . For , the bound reads:
Theorem 8.11**.**
Let be a prime power such that . Then
[TABLE]
For , it reads:
Theorem 8.12**.**
Let be a square prime power. Then
[TABLE]
Combined with Lemma 8.2 and , this implies at once:
Corollary 8.13**.**
Let be a prime or a nonsquare prime power. Then
[TABLE]
and
[TABLE]
In [17], S. Ballet, J. Chaumine and J. Pieltant obtain bounds slightly less accurate than those of the above results, but over a slightly larger range of values for and . They give the following propositions.
Proposition 8.14**.**
Let be a prime power such that . Then
[TABLE]
Corollary 8.15**.**
Let be a square prime power such that . Then
[TABLE]
Note that this corollary slightly improves the range of Bound (4) proved by D. V. and G. V. Chudnovsky. Now in the case of arbitrary , they obtain:
Corollary 8.16**.**
For any ,
[TABLE]
Moreover, for they obtain the same value over the same range as that of :
Proposition 8.17**.**
Let be a square prime power such that . Then
[TABLE]
Proposition 8.18**.**
Let be a prime power with odd such that . Then
[TABLE]
Remark 8.19**.**
For square, Bound (34) is better than Bound (35) except for .
When is a prime number, the uniform bounds of Proposition 9.14 obtained in [28, Proposition 10] by S. Ballet and A. Zykin lead to the asymptotic symmetric complexity given in the following proposition:
Proposition 8.20**.**
Let be a prime number. Then
[TABLE]
The following theorem, due to M. Rambaud in [69], generalizes essentially all the known formulas and provides the current best symmetric upper-limit asymptotic bounds.
Theorem 8.21**.**
Let be a prime power and , two positive integers. Then, as long as the respective denominators are positive, we have:
- (a) if and is such that
[TABLE]
- (b)
[TABLE]
- (c) if
[TABLE]
- (d) if
[TABLE]
Remark 8.22**.**
In comparison with the other known results:
- Bound (a) encompasses the upper-limit bounds of Theorem 8.4 to Corollary 8.6, to which it adds multiplicities of evaluation. This additional tool was introduced in [1] and improved by [40], then by [72, Lemma 3.4];
- Bound (b) allows evaluation on points of arbitrary degree, compared with [17, Proposition 11];
- Bounds (c) and (d) allow evaluation on points of odd degree in [38, Theorem 5.18], and add multiplicities of evaluation. Also, instead of using the formula in loc. cit., which is unproven in the general case, it is replaced here by . Notice that bounds (b) and (c) give strictly better numerical values than Proposition 8.18 for all values of for which Proposition 8.18 holds (Footnote 7: Proposition 8.18 is kept for the simplicity of its expression). Indeed, it suffices to use (and ), and to use the known value (10) of in Section 6.
The following bounds are deduced from Theorem 8.21, except for . We indicate the criteria (a), (b), etc. from which they are deduced, and the parameters used. The values are taken directly from the known values given in Section 6.3.
We detail how the upper bounds on the are inferred, because many were not published directly. Because of their interest, these bounds will be summarized in Section 9.2. To obtain these upper bounds we often use Formula (58) in [72, Lemma 3.2], given by Inequality (6) in Section 5.4:
[TABLE]
in particular
[TABLE]
(where the last two values are actually both equal to , as shown by S. Winograd).
The biggest emphasis must be put on the following upper bound:
[TABLE]
which is deduced from formula (37) and from the upper bound:
[TABLE]
which was only published in [68, Table 2], in the justification of entry (1,10). It is regrettable that this record bound was not emphasized more in [68]; this has been repaired in [69, Appendix §2.3], where an explicit formula attaining this bound is given. Even more regrettable, the entry for (1,10) in [68, Table 1 & Table 2] (loc. cit.) is grossly false. One should not read but instead , as deduced from Formula (37) above. This was corrected in [69, Table 3.1]. The error in [68, Table 1 & Table 2] comes from a grossly wrong application of Formula (37).
Let us determine the values of the quantities and required in order to obtain Proposition 8.23. All these values will be summarized in Sections 9.2 and 9.3.
For : from (b) with , with as emphasized above.
For : (b) with
[TABLE]
where the latter, , is from Karatsuba and the former, , from [41, Table 1 col. (2.4)] (note that is actually equal to the asymmetric complexity, by [29, Table 3]).
For : (c) with from [72, (88)] (which, as a side remark, we even claim to be an equality, as follows from an unpublished exhaustive search performed while working on [68, §1]).
For : (d) with ([72, (88)]).
For : (d) (Footnote 8: let us recall that .)
For : (c) .
For : (d) .
For : (d) .
For , apply Proposition 8.17 obtained in [17, Proposition 2] (Footnote 9: notice that the authors did not themselves apply their bound to , because it gives a higher value than the one from [38]; they did not know at the time that the latter bound was not actually proven. Note also that this bound is obtained by using the criterion in 9.5 with , obtained in [6, Theorem 1.1]).
Proposition 8.23**.**
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
These asymptotic bounds are currently the best published numerical ones in the symmetric case (Footnote 10: these bounds improve the following bounds: and , obtained for and for in [22, Theorem 4.9] (cf. also [21, Theorem 4.9]) and for in [23, Theorem 1.6 (i)]: , which already improved the following older results: obtained in [20, Theorem 4.1] and the old result obtained from [8, Remark of Corollary 3.1]).
Now, if Equation (14) did hold: , as would be implied e.g. by Conjecture 6.8.1, then applying criterion (b) to (6,1), using from [40, Table 1], would yield . Likewise for the couple of other bounds mentioned in [69, Table 2.2] on the two lines named "Adding theorem B". Similarly, Conjectures 6.9.1, 6.10.1 and 6.11.1 would imply the bounds on the corresponding lines of [69, Table 2.2].
Then, using the general quantities linked to the -torsion (cf. Section 7.1), I. Cascudo, R. Cramer and C. Xing obtain in [38, Theorem 6.27] (cf. also [37]) the following general result:
Theorem 8.24**.**
Let be a finite field. If there exists a real number with , then
[TABLE]
In particular, if , then
[TABLE]
Actually, Cascudo, Cramer and Xing stated their result in terms of , not of (cf. footnote 2, Section 3.2). Here we state it in terms of because, as already explained, the -torsion really comes into play only when we restrict to symmetric algorithms.
In order to be useful, this result should be combined with upper bounds on the torsion-limit. Some upper bounds of this sort can easily be deduced from Weil's classical results on torsion in Abelian varieties. However, Cascudo, Cramer and Xing obtain a spectacular improvement using the Deuring-Shafarevich theorem. This allows them to give an upper bound on the -torsion-limit of certain explicit towers (such as the Garcia-Stichtenoth tower), as well as the following general result [38, Theorem 2.3(iii)]:
Theorem 8.25**.**
Let be an even power of a prime . Then we have
[TABLE]
Despite this important progress, at this time this approach does not allow one to obtain the bounds claimed by Shparlinski-Tsfasman-Vladut for the symmetric complexity. Indeed, for this, one would have to show that the -torsion-limit is [math], or equivalently that , which is Open Problem 7.2.
Note that all the upper bounds on obtained by I. Cascudo et al. in [39] and [38] are unproven, because the proofs are based on [39, Lemma IV], which is not completely correct, as shown in [23, Section 3] (cf. also [69]). However, the bounds are correct under Conjecture 6.10.1 (Footnote 11: the following results rely on the above unproven assumption: Theorem IV.6, Theorem IV.7 and the list of specific bounds in Corollary IV.8 of [39]; also Theorem 5.18 and the list of bounds in Corollary 5.19 of [37]. More precisely, here are the unproven bounds:
- the symmetric bounds in Theorem IV.6, Theorem IV.7 and the list of specific bounds in Corollary IV.8 of [39], namely the following:
for any as long as for a prime power;
for any as long as for a prime power which is a square.
$$\begin{array}{|c||c|c|c|c|c|c|c|c|c|}\hline q & 2 & 3 & 4 & 5 & 7 & 8 & 9 & 11 & 13\\ \hline M^{\mathrm{sym}}_{q} & 7.47 & 5.49 & 4.98 & 4.8 & 3.82 & 3.74 & 3.68 & 3.62 & 3.59\\ \hline\end{array}$$
- also, the symmetric bounds in Theorem V.18 and the list of bounds in Corollary V.19 of [38], namely:
$$M^{\mathrm{sym}}_{q}\leq\begin{cases}\mu^{\mathrm{sym}}_{q}(2t)\,\dfrac{q^{t}-1}{t\,(q^{t}-2-\log_{q}2)} & \text{if } 2\mid q,\\[6pt] \mu^{\mathrm{sym}}_{q}(2t)\,\dfrac{q^{t}-1}{t\,(q^{t}-2-2\log_{q}2)} & \text{otherwise,}\end{cases}$$
for a prime power and for any as long as for even , and for odd .
$$\begin{array}{|c||c|c|c|c|}\hline q & 2 & 3 & 4 & 5\\ \hline M^{\mathrm{sym}}_{q} & 7.23 & 5.45 & 4.44 & 4.34\\ \hline\end{array}$$
)
9. Uniform bounds
9.1. Some exact values for
Recall that by Theorem 2.2, we have if and only if . Applying CCMA with well fitted elliptic curves, Shokrollahi in [77] (for the strict inequality) and Chaumine in [43] have shown that:
Theorem 9.1**.**
If
[TABLE]
where is the function defined by:
[TABLE]
then the symmetric bilinear complexity of the multiplication in the finite extension of the finite field is equal to . In particular, in this case, we have:
[TABLE]
Open problems 9.2**.**
We still do not know whether the converse is true. More precisely, the question is: supposing that , are the inequalities (39) true?
Moreover, for the values of not covered by Theorems 2.2 and 9.1, very few exact values are known; they are all obtained in [44]:
Remark 9.3**.**
The bilinear complexity is obtained in [44, Example 3.2] by a personal computer program. It is easy to check that this value can be obtained by a symmetric tensor corresponding to the iteration of the Karatsuba algorithm. Then . The bilinear complexity is obtained in [44, Example 3.3] thanks to Inequality (1.7) of Lemma 8.1 and a lower bound on the length of binary codes whose dimension equals the minimal distance.
Open problems 9.4**.**
Find exact values for and . Find examples where .
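To make the Karatsuba statement in Remark 9.3 concrete, here is an added worked example (it is not code from the paper or from [44]): an explicit symmetric bilinear algorithm of rank 9 for multiplication in $\mathbb{F}_{16}$, obtained by iterating Karatsuba over the tower $\mathbb{F}_4 = \mathbb{F}_2[a]/(a^2+a+1)$, $\mathbb{F}_{16} = \mathbb{F}_4[b]/(b^2+b+a)$. Each of the 9 bilinear products has the form $\ell_i(x)\,\ell_i(y)$ with the same $\mathbb{F}_2$-linear form $\ell_i$ applied to both operands, which is exactly what makes the tensor symmetric; the output is an $\mathbb{F}_2$-linear combination of these products. The tower representation, the bit encoding and the form/output tables are this example's own choices, and are checked exhaustively against a schoolbook reference in the same representation.

```python
"""Rank-9 symmetric bilinear algorithm for F_16 = F_4[b]/(b^2+b+a), F_4 = F_2[a]/(a^2+a+1).

Encoding (this example's own choice): x = (x0 + x1*a) + (x2 + x3*a)*b  <->  int with bit i = x_i.
"""


def parity(v: int) -> int:
    """Sum of the bits of v over F_2 (evaluates an F_2-linear form given as a bit mask)."""
    return bin(v).count("1") & 1


# The 9 linear forms l_i as bit masks. The same form is applied to x and to y,
# so the tensor  x*y = sum_i l_i(x) l_i(y) w_i  is symmetric.
FORMS = [
    0b0001, 0b0010, 0b0011,  # Karatsuba on the low F_4 coordinate:  x0, x1, x0+x1
    0b0100, 0b1000, 0b1100,  # Karatsuba on the high F_4 coordinate: x2, x3, x2+x3
    0b0101, 0b1010, 0b1111,  # Karatsuba on the sum of both coordinates (cross term)
]
# Output vectors w_i given column-wise: OUT[j] lists the products XORed into output bit z_j.
# Derived from P = (m0+m1)+(m0+m2)a, Q = (m3+m4)+(m3+m5)a, R = (m6+m7)+(m6+m8)a and
# x*y = (P + a*Q) + (P + R)*b, using b^2 = b + a and a^2 = a + 1 in characteristic 2.
OUT = [(0, 1, 3, 5), (0, 2, 4, 5), (0, 1, 6, 7), (0, 2, 6, 8)]


def mul_rank9(x: int, y: int) -> int:
    """Multiply x, y in F_16 using exactly 9 bilinear multiplications over F_2."""
    products = [parity(m & x) & parity(m & y) for m in FORMS]  # the only bilinear step
    z = 0
    for j, idx in enumerate(OUT):  # everything else is F_2-linear in the products
        bit = 0
        for k in idx:
            bit ^= products[k]
        z |= bit << j
    return z


# --- schoolbook reference in the same tower representation --------------------
A = 0b10  # the element a of F_4 (bit 0 = constant term, bit 1 = coefficient of a)


def f4_mul(u: int, v: int) -> int:
    """Schoolbook product in F_4 = F_2[a]/(a^2 + a + 1)."""
    u0, u1, v0, v1 = u & 1, u >> 1, v & 1, v >> 1
    r0 = (u0 & v0) ^ (u1 & v1)             # a^2 = a + 1 feeds u1*v1 into both coordinates
    r1 = (u0 & v1) ^ (u1 & v0) ^ (u1 & v1)
    return r0 | (r1 << 1)


def f16_mul_ref(x: int, y: int) -> int:
    """Schoolbook product in F_16 = F_4[b]/(b^2 + b + a); x = lo + hi*b with lo, hi in F_4."""
    xl, xh, yl, yh = x & 3, x >> 2, y & 3, y >> 2
    hh = f4_mul(xh, yh)                                   # coefficient of b^2 = b + a
    lo = f4_mul(xl, yl) ^ f4_mul(A, hh)
    hi = f4_mul(xl, yh) ^ f4_mul(xh, yl) ^ hh
    return lo | (hi << 2)


def rank9_matches_reference() -> bool:
    """Exhaustive check of the rank-9 algorithm over all 256 operand pairs."""
    return all(mul_rank9(x, y) == f16_mul_ref(x, y) for x in range(16) for y in range(16))


def reference_is_a_field() -> bool:
    """Sanity check on the tower: every nonzero element has a multiplicative inverse."""
    return all(any(f16_mul_ref(x, y) == 1 for y in range(16)) for x in range(1, 16))


if __name__ == "__main__":
    print("rank-9 algorithm correct:", rank9_matches_reference())
    print("tower is a field:", reference_is_a_field())
    print("bilinear multiplications used:", len(FORMS))
```

The script exhibits the upper bound of Remark 9.3 directly, since only the nine `products` are bilinear in the operands; the matching lower bound is the computer search of [44, Example 3.2], which the script does not reproduce.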
9.2. Upper bounds for and
From the results of [6] and the algorithm of Corollary 5.6 with , we obtain (cf. [6], [25]):
Theorem 9.5**.**
Let be a prime power and let be an integer . Let be an algebraic function field of genus and a number of places of degree in . If is such that there exists a place of degree (which is always the case if ), then:
- 1) if for some integer , then
[TABLE]
- 2) if there exists a non-special divisor of degree (which is always the case if ) and for some integers and , then
[TABLE]
- 3) if , then
[TABLE]
Remark 9.6**.**
The previous theorem makes it possible to obtain general bounds on the bilinear complexity of the multiplication in over from infinite families of algebraic function fields defined over . But for a fixed finite field , if we want to obtain the best possible bound, we can search for the best algebraic function field defined over (i.e. with the smallest possible genus) satisfying the conditions of this theorem.
Finally, from good towers of algebraic function fields satisfying Theorem 9.5, successive improvements of the bounds on the symmetric bilinear complexity were obtained in [6], [8], [25], [19], [9], [16], [1], [22] and [23]:
Theorem 9.7**.**
Let be a power of the prime and let be an integer . Then the symmetric bilinear complexity of multiplication in any finite field is linear with respect to the extension degree ; more precisely, there exists a constant such that for any :
[TABLE]
The best current values of the constants are:
[TABLE]
Remark 9.8**.**
Note that, from Corollary 5.6 applied to a Garcia-Stichtenoth tower, N. Arnaud obtained in the unpublished work [1] Bound (5) of Theorem 9.7. In [23], the authors give a detailed proof of Bound (5). In [23], the two revised bounds (3) and (4) for and are also proved (Footnote 12: in [1], N. Arnaud gives the two following bounds with no detailed calculation:
(3') If is a prime, then .
(4') If is a prime, then .
In fact, one can check that the denominators and are slightly overestimated under Arnaud's hypotheses).
Note also that the upper bounds obtained successively in [11] and [10] (Footnote 13: in [11] and [10], S. Ballet gives the following unproven bounds:
(1) If is a prime power, then ,
(2) If is a prime power, then ,
(3) If is a prime power, then ,
(4) If is a prime, then .)
are obtained by using the mistaken statements of I. Shparlinski, M. Tsfasman and S. Vladut [78] mentioned in Section 3.2 above.
Moreover, for certain finite fields (in particular the cases of , and ), we have certain refined bounds for certain extensions obtained in [40, Table 1]. Let us recall this table:
Moreover, in [15, Tables 3 and 4], improving results obtained in [40] and [72, Example 4.7], bounds are given for certain particular extensions:
[TABLE]
[TABLE]
The bounds presented in the previous tables are currently the best published bounds for . For the quantity , with , different values have been given by M. Rambaud in [69] and explained in Section 8.2. Let us summarize these values (including the case l=1) in the following Table 3.
For other values of , let us summarize the known results obtained in Section 8.2.
[TABLE]
[TABLE]
Recently, in [28], S. Ballet and A. Zykin improved all the known uniform upper bounds for and for a prime . Their approach consists in using dense families of modular curves, which are obtained non-asymptotically thanks to prime number density theorems of Hoheisel type, in particular a result due to Dudek [50]. Note that one of the main ideas used in [28] was introduced in [11] by S. Ballet, who used Chebyshev's Theorem (also called Bertrand's Postulate) to bound the gaps between prime numbers in order to construct families of modular curves as dense as possible. Later, motivated by [11], the approach of using such bounds on gaps between prime numbers (e.g. Baker-Harman-Pintz [4]) was also used by H. Randriambololona in the preprint [71] in order to improve the upper bounds on , where is a prime number. In summary, let us give the new uniform bounds given there (and recalled in [75]).
In order to present these bounds, let us recall the following notation. For any infinite subset of and for any real , let
[TABLE]
be the smallest element of larger than or equal to . Also set:
[TABLE]
Now, we have:
Proposition 9.9**.**
Let be a prime number. Then:
- (1) for all ,
[TABLE]
- (2) for all ,
[TABLE]
- (3) for all ,
[TABLE]
- (4) for all ,
[TABLE]
- (5) for all ,
[TABLE]
- (6) for large enough,
[TABLE]
Recently, combining his results of [71] with the result of A. Dudek [50] as in [28], H. Randriambololona improved in [75] almost all these bounds, except for the case obtained in [28]. In summary, let us give the new uniform bounds on the symmetric bilinear complexity given respectively in [75, Corollary 10] and [28, Proposition 7].
Proposition 9.10**.**
Let be a prime number. Then:
- (7) for all ,
[TABLE]
Proposition 9.11**.**
Let be the constant defined in [28, Theorem 6] (recalled in Theorem 9.12). For any integer we have
[TABLE]
Let us recall the following key result, a direct consequence of the results of Baker, Harman and Pintz [4] and of A. Dudek [50], on which Assertion (6) of Proposition 9.9, Proposition 9.10 and Proposition 9.11 are essentially based.
Their results are explicit prime number density theorems, usually called theorems of Hoheisel type. In particular, from a result of Baker, Harman and Pintz [4, Theorem 1] established in 2001 and a recent result of Dudek [50, Theorem 1.1] established in 2016, we directly deduce the following result [28, Theorem 6]:
Theorem 9.12**.**
Let be the -th prime number. Then there exist real numbers and such that the difference between two consecutive prime numbers and satisfies
[TABLE]
for any prime . In particular, one can take with . Moreover, one could take with a value of that could in principle be determined effectively.
Open problems 9.13**.**
A highly nontrivial problem consists in effectively determining a value of for . This is a typical problem of analytic number theory, a so-called problem of Hoheisel type.
Then, the second result concerns the case of prime fields. The optimal method used by H. Randriambololona [75] for solving Riemann-Roch systems (cf. Section 7.1) does not work well for symmetric algorithms over prime fields. Instead, to prove [28, Proposition 10], Ballet and Zykin use a suboptimal method from [27] combined with descent techniques (cf. Section 6.2) and obtain:
Proposition 9.14**.**
Let be a prime number and let be defined as in Theorem 9.12.
- (1) If , then for any integer we have
[TABLE]
where
- (2) For and we have
[TABLE]
where
9.3. Upper bounds for and
By using the asymmetric part of Theorem 5.3, J. Pieltant and H. Randriambololona obtained in [67] results about bilinear complexity that is not necessarily symmetric. In particular, they obtain the best bounds in the extensions of , and for all and and for all .
Proposition 9.15**.**
Let be a prime power and a positive integer for which all proper divisors satisfy if , or if . Let be an algebraic function field of genus with places of degree , and let be integers such that , for all . Suppose that:
- (i) there exists a place of degree in ,
- (ii) , where and for .
Then
[TABLE]
where and .
By choosing or , they obtain the two following corollaries:
Corollary 9.16**.**
Let be a prime power and an algebraic function field of genus with places of degree . Let be integers such that . Suppose that:
- (i) there is a place of degree in ,
- (ii) , where and for .
Then
[TABLE]
[TABLE]
and for ,
[TABLE]
or in the particular case where
[TABLE]
Corollary 9.17**.**
Let be an algebraic function field of genus with places of degree and let be integers such that . Suppose that:
- (i) there is a place of degree in ,
- (ii) ,
then
[TABLE]
Then, they establish new asymmetric uniform bounds:
Theorem 9.18**.**
For ,
- (i) if , then
[TABLE]
- (ii) if , then
[TABLE]
- (iii) if , then
[TABLE]
- (iv) if , then
[TABLE]
- (v) if , then
[TABLE]
- (vi) if , then
[TABLE]
- (vii) if , then
[TABLE]
- (viii) if , then
[TABLE]
Recently, by using the same dense families of modular curves defined over as those used to get Proposition 9.9 in Section 9.2, H. Randriambololona obtained the following result.
Proposition 9.19**.**
Let be a prime number. Then:
- (1) for all ,
[TABLE]
- (2) for all ,
[TABLE]
- (3) for large enough,
[TABLE]
Remark 9.20**.**
Note that the difficulty of solving the Riemann-Roch systems (cf. Section 7.2) in the context of symmetric algorithms using curves without sufficiently many rational points is avoided here, since the previous result is obtained by using the asymmetric version of the Chudnovsky-type algorithm (cf. Sections 5.3 and 5.4) applied to places of degree two.
Now, let us recall some particular values of the quantities , obtained in Section 8.2:
[TABLE]
10. Effective construction of bilinear multiplication algorithms
In this section, we are interested in the effective construction of bilinear multiplication algorithms in finite fields. Little work has been done on the effective construction of algorithms of Chudnovsky type. It is mainly contained in the following articles: [30], [7], [40], [15], [2] and [3].
10.1. Non-asymptotic construction
10.1.1. Classical multiplication algorithms
- a)
Example of an effective symmetric construction using an elliptic curve.
This example, developed by U. Baum and A. Shokrollahi in [30], is the first effective construction of a bilinear multiplication algorithm implementing CCMA. It concerns a multiplication algorithm in the finite field over , namely and , using the maximal Fermat elliptic curve . The bilinear complexity of this symmetric algorithm is optimal and such that
[TABLE]
- b)
Example of effective symmetric constructions using a hyperelliptic curve.
This example, developed by S. Ballet in [7], is the first effective construction of a bilinear multiplication algorithm implementing CCMA for an algebraic curve of genus . It concerns a multiplication algorithm in the finite field over , more precisely and , using the maximal hyperelliptic curve . The bilinear complexity of this symmetric algorithm is quasi-optimal and such that
[TABLE]
which proves that .
Open problems 10.1**.**
Find the exact bilinear complexity in these finite fields over with , knowing that this complexity is or . Optimize the scalar complexity of these constructions.
- c)
Example of an effective symmetric construction using higher-degree places and derivative evaluations at rational places on elliptic curves.
This example, developed by M. Cenk and F. Özbudak in [40], is the first effective construction of a bilinear multiplication algorithm implementing the combination of the generalizations of CCMA introduced in [25] (places of degree one and two) and in [1] (derivative evaluations). Note that in this example, derivative evaluations are used only at rational places and only at order one. More precisely, it concerns a multiplication algorithm in the finite field over using the non-optimal elliptic curve . In this case, the authors use evaluation at four rational places, with derivative evaluation at two of them, as well as evaluation at six places of degree two. The bilinear complexity of this symmetric algorithm is such that
[TABLE]
- d)
Example of effective asymmetric constructions using higher-degree places on algebraic curves.
This example, developed by S. Ballet, N. Baudru, A. Bonnecaze and M. Tukumuli in [12] (announced in [13]) and by Tukumuli in [84], is the first effective construction of bilinear multiplication algorithms implementing the asymmetric generalization of CCMA introduced in [72]. Note that these examples use two distinct Riemann-Roch spaces and no derivative evaluations. More precisely, in [12], three algorithms are constructed. The first example concerns a multiplication algorithm in the finite field over using the maximal hyperelliptic curve and only rational places on it. The second example concerns a multiplication algorithm in the finite field over using the optimal curve over . The third example concerns a multiplication algorithm in the finite field over using the optimal curve over .
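All of the constructions above share one structure: an $\mathbb{F}_q$-linear evaluation map on a Riemann-Roch space, one bilinear product per place used, and an $\mathbb{F}_q$-linear interpolation back to the field. To show that skeleton in running code without the curve machinery, here is an added example (not code from the paper or from any of the works cited in this section): the genus-0 case of the Chudnovsky-Chudnovsky algorithm, where the curve is the projective line and the places are rational points. With $n = \deg f$ and $2n-1$ rational points, the product of two elements of $\mathbb{F}_q[x]/(f)$ (polynomials of degree $< n$) is a polynomial of degree $\le 2n-2$, determined by its values at the $2n-1$ points, so $N = 2n-1$ bilinear multiplications suffice; using the point at infinity as well, this gives $\mu_q(n) \le 2n-1$ whenever $2n-1 \le q+1$. The example restricts to finite points (so it needs $2n-1 \le q$), takes $q = 5$ and $f = x^3 + x + 1$ (irreducible over $\mathbb{F}_5$, checked by the script) as its own sample parameters, and verifies the result against schoolbook multiplication on all $125 \times 125$ operand pairs.

```python
"""Genus-0 Chudnovsky-Chudnovsky multiplication: evaluate at rational points of P^1,
multiply pointwise, interpolate, reduce modulo f.

Sample parameters chosen for this example: q = 5, f = x^3 + x + 1.
Polynomials are lists of coefficients over F_q, lowest degree first.
"""

from itertools import product


def poly_eval(c, t, q):
    """Horner evaluation of the polynomial c at the point t over F_q."""
    r = 0
    for coef in reversed(c):
        r = (r * t + coef) % q
    return r


def poly_reduce(c, f, q):
    """Reduce c modulo the monic polynomial f over F_q; returns exactly deg f coefficients."""
    c = list(c)
    n = len(f) - 1
    for d in range(len(c) - 1, n - 1, -1):
        coef = c[d]
        if coef:
            for k in range(n + 1):            # subtract coef * x^(d-n) * f
                c[d - n + k] = (c[d - n + k] - coef * f[k]) % q
    c = c[:n]
    return c + [0] * (n - len(c))


def schoolbook_mulmod(a, b, f, q):
    """Reference product in F_q[x]/(f) with n^2 multiplications (used only for checking)."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    return poly_reduce(prod, f, q)


def has_no_root(f, q):
    """For deg f <= 3 this is equivalent to irreducibility, so F_q[x]/(f) is then a field."""
    return all(poly_eval(f, t, q) != 0 for t in range(q))


class P1Multiplier:
    """Bilinear multiplication in F_q[x]/(f) from the curve P^1 with N = 2n-1 rational points.

    mul() follows the Chudnovsky pattern: a linear evaluation map, N bilinear products,
    then a linear interpolation and a reduction modulo f."""

    def __init__(self, q, f):
        self.q, self.f = q, list(f)
        self.n = len(f) - 1
        self.N = 2 * self.n - 1             # number of bilinear multiplications
        if self.N > q:                      # only finite points are used here
            raise ValueError("need 2n-1 <= q finite rational points")
        self.points = list(range(self.N))   # the places 0, 1, ..., N-1 of P^1
        self.lagrange = [self._basis(i) for i in range(self.N)]

    def _basis(self, i):
        """Lagrange basis polynomial L_i of degree N-1 with L_i(points[j]) = [i == j]."""
        q, pts = self.q, self.points
        num, denom = [1], 1
        for j, tj in enumerate(pts):
            if j == i:
                continue
            nxt = [0] * (len(num) + 1)      # num <- num * (x - tj)
            for k, c in enumerate(num):
                nxt[k] = (nxt[k] - tj * c) % q
                nxt[k + 1] = (nxt[k + 1] + c) % q
            num = nxt
            denom = denom * (pts[i] - tj) % q
        inv = pow(denom, q - 2, q)          # Fermat inverse; q is assumed prime
        return [c * inv % q for c in num]

    def evaluate(self, a):
        """F_q-linear evaluation map a -> (a(P_1), ..., a(P_N))."""
        return [poly_eval(a, t, self.q) for t in self.points]

    def mul(self, a, b):
        ea, eb = self.evaluate(a), self.evaluate(b)
        vals = [(u * v) % self.q for u, v in zip(ea, eb)]   # the N bilinear multiplications
        prod = [0] * self.N                                   # interpolate the degree <= 2n-2 product
        for v, li in zip(vals, self.lagrange):
            for k in range(self.N):
                prod[k] = (prod[k] + v * li[k]) % self.q
        return poly_reduce(prod, self.f, self.q)


def check_all_pairs(q, f):
    """Exhaustive agreement of the P^1 algorithm with the schoolbook reference."""
    m = P1Multiplier(q, f)
    elems = [list(e) for e in product(range(q), repeat=m.n)]
    return all(m.mul(a, b) == schoolbook_mulmod(a, b, f, q) for a in elems for b in elems)


Q, F = 5, [1, 1, 0, 1]   # x^3 + x + 1 over F_5 (constructed sample parameters)

if __name__ == "__main__":
    print("f irreducible over F_5:", has_no_root(F, Q))
    print("bilinear multiplications per product:", P1Multiplier(Q, F).N)
    print("agrees with schoolbook on all pairs:", check_all_pairs(Q, F))
```

Replacing `evaluate` by evaluation of a Riemann-Roch basis at the places of a curve of genus $g$ (with derivative evaluations and higher-degree places where the constructions above use them) and `lagrange` by the inverse of that evaluation matrix gives the general CCMA; the count of bilinear products is then the number of places used, weighted by their degrees and multiplicities, rather than $2n-1$.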
10.1.2. Parallel algorithms designed for multiplication and exponentiation
In [2] and [3], thanks to a new construction of CCMA, K. Atighechi, S. Ballet, A. Bonnecaze and R. Rolland design efficient algorithms for both exponentiation and multiplication in finite fields. They are tailored to hardware implementation and allow computations to be parallelized while maintaining a low number of bilinear multiplications. Notice that so far, practical implementations of multiplication algorithms over finite fields have failed to simultaneously optimize the number of scalar multiplications, additions and bilinear multiplications. Regarding exponentiation algorithms, the use of a normal basis is of interest because the power of an element is just a cyclic shift of its coordinates. A remaining question is how to implement multiplication efficiently in order to have simultaneously fast multiplication and fast exponentiation. In 2000, S. Gao et al. [56] showed that fast multiplication methods can be adapted to normal bases constructed with Gauss periods. They show that if is represented by a normal basis over generated by a Gauss period of type , the multiplication in can be computed with $O(nk\log nk\log\log nk)$ and the exponentiation with $O(n^{2}k\log k\log\log nk)$ operations in ( being small). This result is valuable when is bounded. However, in the general case is upper-bounded by $O(n^{3}\log^{2} nq)$.
In 2009, J.-M. Couveignes and R. Lercier construct in [46, Theorem 4] two families of bases (called elliptic and normal elliptic) for finite field extensions, from which they obtain a model defined as follows. To every couple , they associate a model, , of the degree extension of , such that there is a positive constant for which the following hold:
- Elements in are represented by vectors for which the number of components in is upper bounded by .
- There exists an algorithm that multiplies two elements at the expense of multiplications in .
- Exponentiation by consists in a circular shift of the coordinates.
Therefore, for each extension of finite field, they show that there exists a model which allows both fast multiplication and fast application of the Frobenius automorphism. Their model has the advantage of existing for all extensions. However, the bilinear complexity of their algorithm is not competitive compared with the best known methods, as pointed out in [46, Section 4.3.4]. Indeed, it is clear that such a model requires at least bilinear multiplications.
The authors of [3] propose another model with the following characteristics:
- The model is based on CCMA, so the multiplication algorithm has a bilinear complexity in , which is optimal.
- The model is tailored to parallel computation. Hence the time needed to perform a multiplication or any exponentiation can easily be reduced with an adequate number of processors. Since the method has a bilinear complexity of multiplication in , it can be parallelized to obtain a constant time complexity using \operatorname{O}\bigl{(}n\bigr{)} processors. The aforementioned works ([56] and [46]) do not give any parallel algorithm (such an algorithm is harder to design than a serial one).
- Exponentiation by is a circular shift of the coordinates and can be considered free. Thus exponentiation parallelizes efficiently.
- The scalar complexity of their exponentiation algorithm is reduced, compared to a basic exponentiation using CCMA, thanks to a suitable basis representation of the Riemann-Roch space in the second evaluation map. More precisely, the normal basis representation of the residue class field is carried over to the associated Riemann-Roch space , and exponentiation by consists in a circular shift of the first coordinates of the vectors lying in the Riemann-Roch space .
- The model uses the Coppersmith-Winograd method [45] (denoted CW), or any variant thereof, to speed up matrix products and reduce the number of scalar operations.
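The normal-basis mechanism behind the "free" exponentiation by q in the Gao et al. model above and in the model of [3] (Frobenius as a circular shift of coordinates, multiplication as the expensive step), as an added example that is not code from the paper or from any of the cited works. It builds F_{2^4} = F_2[x]/(x^4 + x + 1) (toy parameters chosen here), finds the normal elements, verifies that squaring (the Frobenius for q = 2) acts on normal-basis coordinates as a cyclic shift, and computes the complexity of each normal basis, i.e. the number of nonzero entries in its multiplication table; a Gauss-period (optimal) normal basis is one minimizing that number, and the lower bound 2n-1 stated in the comments is the classical Mullin-Onyszchuk-Vanstone-Wilson bound, not a result of this paper.

```python
"""Normal-basis arithmetic in F_{2^n}: x -> x^q is a cyclic shift of coordinates,
while multiplication still costs real bilinear work.

Added illustration with constructed toy parameters; elements of F_{2^n} = F_2[x]/(f)
are stored as n-bit integers, bit i being the coefficient of x^i.
"""

N = 4
MODULUS = 0b10011  # f = x^4 + x + 1, irreducible over F_2 (constructed choice)


def gf_mul(a, b, n=N, f=MODULUS):
    """Multiply two elements of F_2[x]/(f) (shift-and-add, reducing by f)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= f
    return r


def frobenius(a, n=N, f=MODULUS):
    """a -> a^2: the Frobenius automorphism of F_{2^n} over F_2 (q = 2 here)."""
    return gf_mul(a, a, n, f)


def conjugates(alpha, n=N, f=MODULUS):
    """[alpha, alpha^2, alpha^4, ..., alpha^(2^(n-1))]: a normal basis when independent."""
    out = [alpha]
    for _ in range(n - 1):
        out.append(frobenius(out[-1], n, f))
    return out


class Basis:
    """An F_2-basis of F_{2^n}; coordinates are found by Gaussian elimination
    that tracks which input vectors were combined into each pivot row."""

    def __init__(self, vectors, n=N):
        self.n = n
        self.pivots = {}  # leading bit -> (reduced vector, mask of input vectors)
        for i, v in enumerate(vectors):
            v, m = self._reduce(v, 1 << i)
            if v == 0:
                raise ValueError("vectors are linearly dependent")
            self.pivots[v.bit_length() - 1] = (v, m)

    def _reduce(self, v, m):
        for bit in range(self.n - 1, -1, -1):
            if (v >> bit) & 1 and bit in self.pivots:
                pv, pm = self.pivots[bit]
                v ^= pv
                m ^= pm
        return v, m

    def coords(self, e):
        """Coordinate vector of e as an n-bit mask: bit i set <=> vectors[i] is used."""
        v, m = self._reduce(e, 0)
        if v:
            raise ValueError("element not in the span")
        return m


def is_normal(alpha, n=N, f=MODULUS):
    """True iff the conjugates of alpha form a basis of F_{2^n} over F_2."""
    try:
        Basis(conjugates(alpha, n, f), n)
        return True
    except ValueError:
        return False


def normal_elements(n=N, f=MODULUS):
    return [a for a in range(1, 1 << n) if is_normal(a, n, f)]


def rotl(mask, n=N):
    """Cyclic left shift of an n-bit mask by one position."""
    return ((mask << 1) | (mask >> (n - 1))) & ((1 << n) - 1)


def frobenius_is_shift(alpha, n=N, f=MODULUS):
    """True iff, in the normal basis generated by alpha, coords(e^2) is the cyclic
    shift of coords(e) for every e: exponentiation by q costs no arithmetic."""
    basis = Basis(conjugates(alpha, n, f), n)
    return all(basis.coords(frobenius(e, n, f)) == rotl(basis.coords(e), n)
               for e in range(1 << n))


def complexity(alpha, n=N, f=MODULUS):
    """Complexity of the normal basis: number of nonzero entries when each
    alpha * alpha^(2^i) is written in the basis (the multiplication table).
    The classical lower bound is 2n-1; a sparse table is what Gauss periods buy."""
    conj = conjugates(alpha, n, f)
    basis = Basis(conj, n)
    return sum(bin(basis.coords(gf_mul(alpha, c, n, f))).count("1") for c in conj)


def sparsest_normal_basis(n=N, f=MODULUS):
    """(complexity, generator) of the normal basis with the fewest table entries."""
    return min((complexity(a, n, f), a) for a in normal_elements(n, f))


if __name__ == "__main__":
    c, a = sparsest_normal_basis()
    print(f"normal elements of F_(2^{N}): {normal_elements()}")
    print(f"sparsest normal basis: alpha = {a:#06b}, complexity {c} (lower bound {2 * N - 1})")
    print("Frobenius is a cyclic shift:", frobenius_is_shift(a))
```

Running it shows that F_{2^4} has eight normal elements and that the sparsest normal basis (generated by a primitive 5th root of unity, here x^3) meets the lower bound 2n-1 = 7, while squaring is a pure coordinate rotation in every normal basis: this is the asymmetry between exponentiation and multiplication that the models above are designed around.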
Open problems 10.2.
The structure of the matrices involved in the CCMA algorithm should be looked at more closely, but unfortunately there are no theoretical means or criteria today to build the best matrices, because they depend on the geometry of the curves, on the field of definition of these curves, and on the Riemann-Roch spaces involved. A study of suitable optimisation strategies for CCMA from this point of view can be found in [14]. In particular, the CCMA algorithm using an elliptic curve for multiplication in constructed by U. Baum and A. Shokrollahi [30] is improved. The remaining open question is how to choose the geometrical objects in order to minimise the number of zeroes in a matrix of the evaluation map on the rational points of a curve.
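The genus-0 instance of the Chudnovsky-Chudnovsky interpolation method (evaluation at rational points of the projective line), as an added example that is not code from the paper or from [14]. Multiplication in F_{7^3} = F_7[x]/(x^3 + 2) (toy parameters chosen here) is carried out by evaluating both operands at 2n-1 = 5 points of P^1(F_7), including the point at infinity, multiplying pointwise, interpolating and reducing modulo the defining polynomial. Only the pointwise step is bilinear, so the algorithm uses 2n-1 bilinear multiplications, which is the optimal value for these parameters (the classical fact that the bilinear complexity equals 2n-1 when q is large enough relative to n, not something the paragraph above establishes); the matrix of the evaluation map, whose zero pattern the open question above concerns, is built explicitly so its zero entries can be counted.

```python
"""Genus-0 Chudnovsky-Chudnovsky multiplication: F_{p^n} = F_p[x]/(f) multiplied by
evaluating at 2n-1 rational points of the projective line, multiplying pointwise,
interpolating and reducing. Added illustration with constructed toy parameters."""

P = 7                          # base field F_7
N = 3                          # F_{7^3} = F_7[x]/(f)
F = [2, 0, 0, 1]               # f = x^3 + 2 (low -> high); irreducible over F_7: -2 = 5 is not a cube mod 7
POINTS = [0, 1, 2, 3, "inf"]   # 2N-1 rational points of P^1(F_7); "inf" is the point at infinity


def eval_matrix(num_coeffs, points):
    """Matrix of the evaluation map on polynomials of degree < num_coeffs at POINTS.
    At infinity a polynomial of this fixed degree bound evaluates to its top coefficient."""
    rows = []
    for t in points:
        if t == "inf":
            rows.append([0] * (num_coeffs - 1) + [1])
        else:
            rows.append([pow(t, k, P) for k in range(num_coeffs)])
    return rows


def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def inverse_mod_p(M):
    """Gauss-Jordan inverse of a square matrix over F_P (P prime)."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] % P)
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], P - 2, P)
        A[col] = [v * inv % P for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                fac = A[r][col]
                A[r] = [(a - fac * b) % P for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]


def reduce_mod_f(poly):
    """Reduce a polynomial (low -> high coefficients) modulo the monic f."""
    c = [v % P for v in poly] + [0] * max(0, N - len(poly))
    for k in range(len(c) - 1, N - 1, -1):
        coef = c[k]
        if coef:
            c[k] = 0
            for j in range(N):   # x^k = x^(k-N) * x^N and x^N = -(f_0 + ... + f_(N-1) x^(N-1))
                c[k - N + j] = (c[k - N + j] - coef * F[j]) % P
    return c[:N]


def mul_schoolbook(a, b):
    """Reference: coefficient-wise product (N^2 bilinear multiplications), then reduction."""
    c = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % P
    return reduce_mod_f(c)


EVAL_IN = eval_matrix(N, POINTS)            # (2N-1) x N: evaluates the two operands
EVAL_OUT = eval_matrix(2 * N - 1, POINTS)   # (2N-1) x (2N-1): evaluates the product; invertible (distinct points)
INTERP = inverse_mod_p(EVAL_OUT)            # interpolation is the inverse of the evaluation map


def mul_interpolation(a, b):
    """Return (a*b mod f, number of bilinear multiplications in F_P used).
    Everything except the pointwise step is linear in a alone or in b alone."""
    ea, eb = matvec(EVAL_IN, a), matvec(EVAL_IN, b)
    pointwise = [x * y % P for x, y in zip(ea, eb)]   # the only bilinear step: 2N-1 products
    return reduce_mod_f(matvec(INTERP, pointwise)), len(pointwise)


def zero_entries(M):
    """Number of zero entries of a matrix (each one saves a scalar operation)."""
    return sum(v == 0 for row in M for v in row)


def element(i):
    """The i-th element of F_{7^3} as a coefficient vector, for exhaustive checking."""
    return [(i // P ** k) % P for k in range(N)]


def agrees_with_schoolbook(step=7):
    """Compare the two algorithms on every a and on every step-th b."""
    return all(mul_interpolation(element(i), element(j))[0] == mul_schoolbook(element(i), element(j))
               for i in range(P ** N) for j in range(0, P ** N, step))


if __name__ == "__main__":
    prod, count = mul_interpolation([0, 1, 0], [0, 0, 1])   # x * x^2 = x^3 = -2 = 5 in F_7[x]/(f)
    print("x * x^2 =", prod, "using", count, "bilinear multiplications")
    print("zeros in the evaluation matrix:", zero_entries(EVAL_IN), "of", len(POINTS) * N)
    print("matches schoolbook on sampled pairs:", agrees_with_schoolbook())
```

The evaluation and interpolation matrices are fixed once the points are chosen, so their zero pattern (here four zeros in the 5 x 3 evaluation matrix, coming from the point 0 and the point at infinity) directly determines the scalar cost; on a curve of positive genus the same matrices come from Riemann-Roch spaces, which is why the choice of geometric objects governs the count discussed above.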
10.2. Asymptotic construction
D. V. and G. V. Chudnovsky claim in [44] that one can construct in polynomial time bilinear multiplication algorithms realizing a bilinear complexity attaining the upper bound for . Then, I. Shparlinski, M. Tsfasman and S. Vladut note in [78] that the argument of D. V. and G. V. Chudnovsky is insufficient. Indeed, the construction of such algorithms involves some random choice of divisors having prescribed properties over an exponentially large set of divisors.
I. Shparlinski, M. Tsfasman and S. Vladut obtain a partial result concerning this polynomial construction in the following way. Let and let be the reduction of the classical modular curve, being the i-th prime (for ), or where is an irreducible polynomial over of odd degree coprime with (for ). Here, is the reduction of the Drinfeld modular curve. Note that is a family of absolutely irreducible smooth curves of genus with . Then, they prove the following result:
Proposition 10.3.
Suppose that for a family of modular curves described above for any there is given an explicit point of of some degree such that
[TABLE]
Let be defined by its coordinates in some projective embeddings. Then one can polynomially construct a sequence of bilinear multiplication algorithms in finite fields for the given sequence of such that
[TABLE]
This proposition means that to get a polynomially constructible algorithm with linear complexity, one needs to construct explicitly (i.e. polynomially) points of the corresponding degrees on modular curves (or on other curves with many points). Unfortunately, so far it is unknown how to produce such points.
In [72, Remark 6.6], H. Randriambololona improves this result under the same hypothesis concerning the construction of a point of degree . More precisely, assuming this existence, he obtains a polynomial time (in ) construction of a multiplication algorithm (resp. a symmetric multiplication algorithm) in of length for (resp. ).
In [15], S. Ballet, A. Bonnecaze and M. Tukumuli obtain a polynomial construction of a symmetric multiplication algorithm of elliptic Chudnovsky–Chudnovsky type (i.e. with the Chudnovsky–Chudnovsky interpolation method on an elliptic curve) of length in where
[TABLE]
if the characteristic of is or , and otherwise. Note that the length is only quasi-linear in . However, this construction is free of the restriction linked to the construction of a point of degree . Moreover, this asymptotic construction is not obtained from an infinite family of suitable curves as in the above results, but from a sequence of symmetric bilinear multiplication algorithms constructed from an arbitrary elliptic curve defined over , using high-degree points of this curve.
In [33], N. Bshouty gives a deterministic polynomial time construction of a tester of type and of size where
[TABLE]
From [33], in [34, Corollary 2], N. Bshouty gives the first polynomial time construction of a multilinear multiplication algorithm with linear multiplicative complexity in for the multiplication of elements in any finite field extension . This solves the open problem of constructing, in deterministic polynomial time, a bilinear algorithm (i.e. with ) with linear bilinear complexity for the multiplication of two elements in finite fields [44, 78, 9]. However, it does not solve the problem of constructing, in deterministic polynomial time, a bilinear algorithm of Chudnovsky–Chudnovsky type. Indeed, the method of N. Bshouty relies only on the equivalence between an optimal tester size and multilinear complexity. More precisely, the minimal size of a tester for turns out to be equivalent to the rank of the tensor of the multiplication of elements in over . The minimal size of a tester for is equivalent to the symmetric rank of the tensor of multiplication of elements.
11. Appendix: proof of Theorem 8.21, Theorem 8.9 and Proposition 6.11.2
We give here a condensed version of the proof in [69, II §1.2-3].
11.1. Repairing (and extending) the criterion of Cascudo et al.
The following theorem does control for 2-torsion in the worst case. It is a direct generalization of [38, Theorem 5.18]. The parameters will be specified in the next paragraph to derive criteria for asymptotic bounds.
Theorem 11.1.
Let be a curve of genus over , where is any prime power, and let be an integer.
Suppose that admits a closed point of degree (a sufficient condition for this is ).
Consider now a collection of integers (for ), such that almost all of them are zero, and that for any ,
[TABLE]
where denotes the number of closed points of of degree .
Let the smallest integer such that
[TABLE]
Then, provided
[TABLE]
we have
[TABLE]
The following proposition gathers the upper bounds used in the proof. The first two follow from [65, p. 39 (or p. 64)], whereas the third one is borrowed from [38, Proposition 3.4].
Proposition 11.2.
Let be a finite field and a curve over of genus . Let be the Jacobian of and the rational class group.
- (1) If is odd, then
- (2) If is even, then
- (3) Let be the class number of and, for any integer with , the number of -rational effective divisors of degree . Then
[TABLE]
Let us now follow the original proof of the theorem of Cascudo et al. [only in the case even, the odd case being identical up to using the corresponding upper bound in Proposition 11.2]. Adding the terms and to both sides, inequality (43) reads:
[TABLE]
Thus there exists an even integer between the two sides of the previous inequality. Raising to the inequalities and respectively gives:
[TABLE]
Using the upper bound (3) of Proposition 11.2, and combining the two inequalities (46) and (47) above with the upper bound of Proposition 11.2, yields
[TABLE]
Now let us choose a collection of pairwise distinct thickened points on the curve such that, for each , there are exactly points among them of degree and multiplicity (this is possible by assumption). Let be their divisorial sum and a closed point of degree as in the assumption. Since is of degree greater than by assumption (11.1), the general criterion of [37, §4 Theorem 6] along with the inequality (11.1) imply the existence of a divisor of degree that satisfies the following system of vanishing conditions on Riemann-Roch spaces (with the canonical divisor of ):
[TABLE]
Thus criteria (i') and (ii') of [72, Theorem 3.5] are satisfied with the divisors and .
11.2. Deriving the bounds from the previous theorem and other criteria from the literature
Let be a dense sequence of curves over with genera growing to infinity, and a ratio of points of degree matching . Writing , this reads:
[TABLE]
Let us first prove the bound (b) in 8.21, which generalizes [17, Proposition 3], but whose arguments were already introduced in [20, Theorem 3.2]. Given an integer , let be the smallest integer such that
[TABLE]
(d2) makes clear (or at any rate the equivalences below will) that such an integer exists as soon as the denominator in criterion (b) of Theorem 8.21 is strictly positive.
Moreover, being large enough, [24, Proposition 4.3 and Remark 4.4] give in general the existence of a zero-dimensional divisor of degree on , hence the existence of a non-special divisor of degree (at most) .
Therefore [72, Proposition 5.1] applies to (11.2). Taking all the null except equal to , this reads:
[TABLE]
Let us now relate the asymptotic behaviors of and . The minimality of satisfying (11.2) implies:
[TABLE]
Dividing the two inequalities by , and applying the asymptotic equivalences (d2) and (d3) (and (d1)), yields:
[TABLE]
hence the asymptotic equivalence:
[TABLE]
(which implies in particular that ). One can now divide both sides of the upper bound (11.2) by the previous equivalence:
[TABLE]
Multiplying and dividing the parenthesis on the RHS by , then subtracting and adding to the numerator of the RHS, gives the result by letting tend to infinity.
The other bounds are derived similarly. Namely, given an integer , let be the smallest integer such that the following inequalities hold, then apply the respective criteria with all the null except :
[TABLE]
[Justification for the latter: simply set in the proof of Theorem 11.1, thanks to Proposition 6.11.1]
[TABLE]
References
- [1] Nicolas Arnaud. Évaluations dérivées, multiplication dans les corps finis et codes correcteurs. PhD thesis, Université de la Méditerranée, Institut de Mathématiques de Luminy, 2006.
- [2] Kevin Atighehchi, Stéphane Ballet, Alexis Bonnecaze, and Robert Rolland. Effective arithmetic in finite fields based on Chudnovsky's multiplication algorithm. Comptes Rendus Mathématique, 354(2):137–141, February 2016.
- [3] Kevin Atighehchi, Stéphane Ballet, Alexis Bonnecaze, and Robert Rolland. Arithmetic in Finite Fields based on Chudnovsky's multiplication algorithm. Mathematics of Computation, 86(308):2977–3000, 2017.
- [4] Roger Baker, Glyn Harman, and János Pintz. The difference between consecutive primes, II. Proceedings of the London Mathematical Society, 83(3):532–562, 2001.
- [5] Stéphane Ballet. Complexité bilinéaire de la multiplication dans les corps finis par interpolation sur des courbes algébriques. PhD thesis, Université de la Méditerranée, Institut de Mathématiques de Luminy, 1998.
- [6] Stéphane Ballet. Curves with Many Points and Multiplication Complexity in Any Extension of \mathbb{F}_{q}. Finite Fields and Their Applications, 5:364–377, 1999.
- [7] Stéphane Ballet. Quasi-optimal Algorithms for Multiplication in the Extensions of \mathbb{F}_{16} of degree 13, 14, and 15. Journal of Pure and Applied Algebra, 171:149–164, 2002.
- [8] Stéphane Ballet. Low increasing tower of algebraic function fields and bilinear complexity of multiplication in any extension of \mathbb{F}_{q}. Finite Fields and Their Applications, 9:472–478, 2003.
