We prove Theorem 6.1; let F be a finite field of q elements, and letn be a positive integer dividing q−1. The assumption that n divide the size of the multiplicative group is not a restriction (cf. Section 2.2), but serves only to simplify the complexity estimates. We are given a diagonal form
f =a0X0n+a1X1n+. . .+anXnn,
and we exhibit an algorithm for finding a nontrivial zero of this form.
Initialisation. The algorithm starts by computing elements y0, . . . , ym ∈F, with
y06= 0 andm≤n, whose nth powers sum to zero. This task is completed efficiently and deterministically by Algorithm 5.29, given in Section 5.5. We remove redundancy in theyiby checking thaty1n+. . .+ykn6= 0 fork= 1, . . . , m, and discardingy1, . . . , yk
forkas large as possible if the test fails.
Once computed, theyi obviously satisfy the following equations:
a0yn0 =−a0(yn1 +. . .+ynm) a1yn0 =−a1(yn1 +. . .+ynm) .. . ... anyn0 =−an(y1n+. . .+ymn) (6.5)
Data. The algorithm maintains at all times a system of equations of the form
a0xn0,0=−a0(y1n+. . .+ynm0)
a0xn1,0+a1xn1,1=−a1(yn1 +. . .+ynm1)
. .. . .. ... ... a0xn
n,0+a1xnn,1+. . .+anxnn,n =−an(y1n+. . .+ymnn),
(6.6)
where themi are integers satisfying 0≤mi≤m, theyi are the same as in (6.5), and
thexi,jare inF, and for eachi, at least onexi,j is nonzero. Because system (6.6) has
a trapezoid form, the current algorithm is called the “trapezium algorithm”.
The initial values for (6.6) are given by the system (6.5), with xi,i = y0 for all
i, and xi,j = 0 when 0 ≤ j < i; every round of the algorithm, in a way to be
described shortly, decreases one of themi. As soon as one of themi becomes zero,
the corresponding equation describes a nontrivial representation of zero by the form f, and we are done.
Reduction step. The reduction of themi is done as follows. Write Si for the left
hand sides of (6.6), so
6.2. The homogeneous trapezium algorithm 61
If any of these happens to be zero, then this also means thatyn
1 +. . .+ymni is zero,
and we already removed this kind of redundancy before.
As therefore all Si are nonzero, we apply Selective Root Extraction (Algorithm
3.12) to them, and find integersk andl, withk < l, and β∈F∗, such that
Sl=βnSk.
This means that we may replace the left hand side of equationl in (6.6) by the left hand side of equationk multiplied byβn. Equationl thus becomes
a0(βxk,0)n+. . .+ak(βxk,k)n+ak+10n+. . .+al0n=−al(y1n+. . .+ynml),
and we see that the last term on the right may be moved to the left without destroying the form of the equation. In other words, ml is decreased by 1. Note also that the
newxl,j are not all zero.
It follows that after at most n2 steps one of the m
i will become zero, and the
algorithm is finished. Here we use the fact that initially we havemi≤nfor alli, and
also thatm0remains unchanged throughout the algorithm.
Algorithm 6.7 (Trapezium; homogeneous case.)
Input: a finite field F having q elements, a positive integer n dividing q−1, and elementsa0, . . . , an∈F∗.
Output: elements (xi)ni=0 ofF, not all zero, such that
Pn
i=0aixni = 0.
1: [Compute zero sequence] Using Algorithm 5.29, compute a sequence (yi)mi=0 of elements of F∗, withy06= 0, such thatPm
i=0yin= 0.
2: [Remove redundancy] Letkbe maximal with 0≤k≤m−1 such thatPki=1yn i =
0; discardy1, . . . , yk, renumber the remainingyi, and replacembym−k. [When
k= 0, nothing happens.]
3: [Initialise trapezium] For i= 0, . . . , n:
a: Put mi=m,xi,i=y0, andSi =aiyn0. Forj= 0, . . . , i−1, putxi,j = 0.
4: [Finished?] Whilemi>0 for all i= 0, . . . , n:
a: [Compare left hand sides] Using Algorithm 3.12, find integers kandl and an elementβ ∈F∗ such that 0≤k < l≤nandS
l=βnSk.
b: [Replace big by small] For j = 0, . . . , k, replace xl,j by βxk,j. For j =
k+ 1, . . . , l−1, replace xl,j by 0.
c: [Move term to left] Replacexl,lbyyml, replaceSlbySl+aly
n
ml, and replace
ml byml−1.
5: [Result] Letibe such that mi= 0. Output (xi,j)ji=0, followed by (0)nj=+1i+1.
Proposition 6.8 Algorithm 6.7 is correct and deterministic, and finishes using
˜
Proof. After Step 2, the sequence (yi)mi=0 satisfies Pm i=0yin = 0, and Pk i=1yin 6= 0 fork= 1, . . . , m.
Step 3 computes the initial values of the variables of the system (6.6) and also the left hand sidesSj (for 0≤j ≤n). Initially, we haveSj 6= 0 for allj becausey0 and
the coefficientsai are nonzero.
From the discussion above, it follows easily that the system (6.6) holds whenever the algorithm enters the loop in Step 4, and also after Step 4 is finished. This includes the condition that for eachi(with 0≤i≤n) not all thexi,j are zero.
Only one of the equations in (6.6) is changed in every execution of Step 4, and it is equationl. Step 4c makes these changes.
The loop in Step 4 will terminate because one of themi is decreased during every
execution of it. If we havemi= 0 for somei, then we are finished.
Let us bound the running time of this algorithm; write q = |F|. Step 1 takes ˜
O(n2(logq)2) bit operations by Proposition 5.30. As we have m ≤ n by the same Proposition, and since m0 is never changed, it follows that Step 4 is executed at mostn2 times. Hence by Proposition 3.13, Step 4 takes ˜O n2·(n(logq) + (logq)2) operations inF, which is ˜O(n3(logq)2+n2(logq)3) bit operations.
Remark. If the prime factors of the exponent n occur only to a low order in the multiplicative group orderq−1 ofF∗, then we have a better bound for the running time
(see also the remarks after Proposition 3.13). Namely, ifvℓ(q−1) =O(
p
logq /logℓ) for all primesℓ|n, then by Lemma 3.14 we find a bound of ˜O(n3(logq)2) for Step 4, and thus for the entire Algorithm 6.7.
Proof of Theorem 6.1. Ifndoes not divideq−1, we first replacenby gcd(n, q−1) as described in Section 2.2. Now Algorithm 6.7 claims to solve the homogeneous diagonal equation (6.2). By Proposition 6.8, it is correct and deterministic, and its running time is polynomial innand logq. This proves Theorem 6.1.