Computing coefficients of modular forms

by

Peter Bruin

Abstrat. Weprovethat oeients of

q

-expansionsof modularforms anbeomputed in polynomial timeunder ertain assumptions, the most important of whih is the Riemann

hypothesisfor

ζ

^{-funtionsofnumberelds. Wegive}appliationstoomputingHekeoperators, ountingpointsonmodularurvesoverniteelds,and omputingthenumberofrepresenta-

tionsofanintegerasasumofagivennumberofsquares.

Résumé (Sur lealul desoeients desformes modulaires). Ondémontreque

les oeients des

q

-développements des formes modulaires peuvent être alulés en temps polynomialsousertainesonditions,dontlaplusimportanteestl'hypothèsedeRiemannpour

lesfontions

ζ

^{desorpsdenombres.Ondonnedes}appliationsauxproblèmessuivants:aluler desopérateursdeHeke;ompterlenombredepointsd'uneourbemodulairesurunorpsni;

alulerlenombredereprésentationsd'unentierommesommed'unnombredonnédearrés.

1. Introdution

Let

n

^and

k

^{be positive integers, and let}

M _k (Γ ₁ (n))

^{be theomplex vetor spaeof modular}

formsof weight

k

^{for thegroup}

Γ ₁ (n)

^{. Amodularform}

f ∈ M _k (Γ ₁ (n))

^{isdeterminedby}

n

^,

k

and its

q

^{-expansion oeients}

a m (f)

^for

0 ≤ m ≤ k · d(Γ 1 (n))

^,where

d(Γ 1 (n))

^{isa funtion}

growing roughlyquadratially in

n

^.

Anaturalquestiontoaskiswhether,given

a _m (f )

^for

0 ≤ m ≤ k · d(Γ ₁ (n))

^{,oneaneiently}

ompute

a _m (f )

^{for large}

m

^{. In the ase}

n = 1

^, Couveignes, Edixhoven et al. [2℄ desribed a deterministi algorithm that aomplishes this in time polynomial in

log m

^{for xed}

k

^.

Under the generalised Riemann hypothesis, their algorithm runs in time polynomial in

k

and

log m

^{. Earlier}algorithms, basedonmodularsymbols,requiretimepolynomialin

m

^{. The}

2000 MathematisSubjetClassiation. 11E25,11F11,11F30,11F80,11Y16.

Key wordsand phrases. Algorithms,Hekealgebras,modularforms,sumsofsquares.

The results of this artile are based on those of my thesis [1 ℄. I am muh indebted to my advisors Bas

Edixhovenand RobindeJong for theirsupport. I wouldalso like tothanktheorganisers ofthe onferene

Théorie des nombres et appliations for theopportunity to speak about thissubjet, whihhas ledto this

artile.

TheresearhforthisartilewassupportedbytheNetherlandsOrganisationforSientiResearh.

method of [2℄ is, very briey, to ompute two-dimensional Galois representations assoiated

toeigenforms of level

1

^{overnite elds.}

Inthisartile,resultsfromtheauthor'sthesis[1℄onomputingGaloisrepresentationsassoi-

atedto eigenforms ofhigherlevels areusedto generalisetheresultofCouveignes,Edixhoven

et al., be it that we an urrently only give a probabilisti algorithm. The preise result

from[1℄ thatweneed isTheorem3.1below. We willusethisto proveour mainresult,whih

readsasfollows.

Theorem 1.1. Let

n ₀

^{be a positive integer. There exists a} probabilisti algorithm that, given

a positive integer

k

^,

a squarefree positive integer

n ₁

^{oprime to}

n ₀

^,

a number eld

K

^,

a modular form

f

^{of weight}

k

^for

Γ ₁ (n)

^over

K

^,where

n = n ₀ n ₁

^{, and}

a positive integer

m

^{in fatored form,}

omputes

a _m (f )

^{, and whose expeted running time is bounded by a polynomial in the length}

of the inputunder the Riemann hypothesis for

ζ

^{-funtionsof number elds.}

Letusmakepreisehowthenumbereld

K

^{andthe form}

f

^{shouldbegiventothealgorithm}

and how it returns

a _m (f)

^{. We represent}

K

^{by its} multipliation table with respet to some

Q

^-basis

(b ₁ , . . . , b _r )

^of

K

^{. By this we mean the rational numbers}

c _i,j,k

^with

1 ≤ i, j, k ≤ r

suhthat

b _i b _j = X r k=1

c _i,j,k b _k .

We represent elements of

K

^as

Q

^-linear ombinations of

(b ₁ , . . . , b _r )

^{. We represent}

f

^{by its}

oeients

a 0 (f )

^,...,

a _{k · d(Γ 1 (n))} (f )

^{;these,aswellasthe output}

a m (f )

^{,areelementsof}

K

^.

Weshouldalsomakepreisewhattheword`probabilisti'inTheorem1.1means. Theorret

interpretationisthattheresultisguaranteedtobeorret,butthattherunningtimedepends

on random hoies made during exeution. Probabilisti algorithms with this property are

ommonlyalled Las Vegas algorithms. These areto be ontrasted with Monte Carlo algo-

rithms,where therandomnessinuenesthe orretnessoftheoutputinsteadoftherunning

time. It is worth emphasising that the expeted running time is dened by averaging only

over the randomhoies made duringexeution, not over thepossible inputs. For any input

x

^{, the atual running time of the algorithm given this input an be modelled as a random}

variable

T _x

^{. The laim that the expeted running time is polynomial in the length of the}

inputmeansthatthereexistsapolynomial

P

^{suhthatforanyinput}

x

^{,theexpetationof}

T _x

isat most

P (

^lengthof

x)

^{. We refer to Lenstra andPomerane [10,}

§

^{12℄ for an} enlightening disussionofprobabilisti algorithms.

Remark 1.2. The length of theinput depends not only on

k

^,

n ₀

^,

n ₁

^,

log m

^and

K

^,but

alsoon theomplexityofthe given oeientsof the modularform

f

^{. For example,if}

f

^isa

primitiveform

f 0

^{multipliedbyaninteger}

A

^,thenforxed

f 0

^and

A

^tendingto

∞

^,thelength

of the input inreases approximately by a multiple of

log A

^{,and the running time inreases}

approximately byapolynomialin

log A

^.

Remark 1.3. Without the generalised Riemann hypothesis, we are only able to prove

thattherunningtimeofouralgorithm ispolynomialin

exp(n ₁ )

^,

exp(k)

^{andthelengthofthe}

input. Inother words, we arestill ableto prove unonditionally that ifnot only

n ₀

^{,but also}

n ₁

^and

k

^{are xed,thentheexpetedrunning timeispolynomialinthelength of theinput.}

Remark 1.4. Omitting the onditionthat

m

^{be given in fatored form would be equiv-}

alent to laiming that integers that are produts of two prime numbers an be fatored in

polynomialtime. Namely,suppose thatthe theoremholds without this ondition. Applying

thehypothetial strongerversionof the theoremwith

k

^{axedeven integergreaterthan}

2

^,

n 0 = n 1 = 1

^,

K = Q

^,

f = E _k

^{,the lassial Eisensteinseries}

E _k

^ofweight

k

^for

Γ ₁ (1) = SL ₂ (Z)

^,and

m = pq

^,where

p

^and

q

^{aretwo distint prime numbers,}

we onlude that there existsa probabilisti algorithm that omputes

a _m (E _k )

^{intime poly-}

nomialin

log m

^{. From the formula}

a _m (E _k ) = X

d | m

d ^k−1

= 1 + p ^{k − 1} + q ^{k − 1} + m ^{k − 1} ,

it follows that

{ p ^{k − 1} , q ^{k − 1} }

^{an be omputed quikly as the set of roots of the polynomial}

x ² − (a _m (E _k ) − m ^k−1 − 1)x + m ^k−1 ∈ Z[x]

^{. Henewe wouldbeabletoompute}

{ p, q }

^from

m

intimepolynomialin

log m

^{,whih isa laimwe ertainlydo not wishto make.}

Remark 1.5. The reason why our algorithm is probabilisti is that this is the urrent

state of aairs for the algorithm to whih Theorem 3.1 refers. This algorithm an perhaps

be turned into a deterministi one by replaing the arithmeti over nite elds that is used

in[1℄byapproximatearithmeti overtheomplex numbers. Thelatterapproah istaken by

Couveignes,Edixhovenetal.[2,Chapter12℄formodularformsoflevel1. Thereareurrently

still some diulties with this approah for modular forms of higher level. We refer to [1,

Introdution℄for adisussion ofthese.

Remark 1.6. It wouldbemore satisfatoryifwe ouldprove thetheoremwiththelevel

ranging over all positive integers

n

^{. We urrently annot do this for the following reason.}

The modular urve

X 1 (n)

^{has a regular and} semi-stable model over thering of integers

Z L

of asuitable numbereld

L

^{,but ingeneral we do not knowa good bound on thenumberof}

irreduibleomponentsofthegeometribresofsuhamodelatprimesof

Z _L

^thatdivide

n

^.

Ifweouldprovethetheoreminthismoregeneralform, thentherestritiontomodularforms

forongruenesubgroupsoftheform

Γ ₁ (n)

^{ouldalsoberemoved. Thereasonforthisisthat}

thespaeofmodular formsofweight

k

^{fortheprinipalongruene subgroup}

Γ(n) ⊆ SL ₂ (Z)

anbe embedded into

M _k (Γ ₁ (n ² ))

^{byamapthat on}

q

-expansions isgivenby

q 7→ q ⁿ

^.

Wenowturnto someappliationsof Theorem1.1. Wewill prove thatthereexistprobabilis-

ti algorithms that solve the following problems in expeted polynomial time in the input,

assumingtheRiemann hypothesisfor

ζ

^{-funtionsof numberelds:}

Given a positive integer

k

^{, a squarefree positive integer}

n

^{and a positive integer}

m

ⁱⁿ

fatored form, ompute the matrix of the Heke operator

T m

ⁱⁿ

T(M _k (Γ 1 (n)))

^with

respetto a xed

Z

^-basisof

T(M _k (Γ ₁ (n)))

^.

Given a squarefree positive integer

n

^{and a prime number}

p ∤ n

^{, ompute the zeta}

funtion of the modularurve

X ₁ (n)

^over

F _p

^.

Givenanevenpositive integer

k

^{andapositiveinteger}

m

^{infatored form,ompute the}

number ofways inwhih

m

^{an be written asa sumof}

k

^{squaresof integers.}

Atually, we do not prove our results in exatly the same order as presented above. We

rst prove Theorem 1.1 in the speial ase where

f

^{is an Eisenstein series or a primitive}

usp form. This sues to solve (a slightly more general version of) the above problem of

omputingHekeoperators. Wethenprove Theorem1.1ingeneral. Finally,weshowhowto

solvetheproblems ofomputing zetafuntionsofmodularurves andndingthenumberof

representationsof aninteger asa sumof squares.

To onlude this introdution, we remark that in order to keep this artile at a reasonable

length, we have omitted, or only briey touhed upon, muh material that an be found in

[1℄and [2℄. Thismeans thatthe ontents of this artile arelargely disjoint from thoseof [1℄

and[2℄.

2. Bakground

We begin by olletingthe neessary preliminaries and introduing our notation. For deni-

tionsand more bakground, we referto the manytextson modular forms, suh asDiamond

andIm [5℄ or Diamondand Shurman [6℄.

2.1. Modular forms. Let

n

^and

k

^{be positive integers. Let}

M _k (Γ ₁ (n))

^{denote the}

C

^{-vetorspae ofmodular forms ofweight}

k

^{for the group}

Γ ₁ (n) = a

c b d

∈ SL ₂ (Z)

a ≡ d ≡ 1 (mod n), c ≡ 0 (mod n)

.

For every

f ∈ M _k (Γ ₁ (n))

^{and every}

m ≥ 0

^{, we write}

a _m (f)

^{for the oeient of}

q ^m

^{in the}

q

^{-expansion of}

f

^{, so the}

q

^{-expansion of}

f

^{is the power series}

P _∞

m=0 a m (f)q ^m

ⁱⁿ

K [[q]]

^{. For}

everydivisor

d

^of

n

^{and every divisor}

e

^of

n/d

^{,thereexistsan injetive}

C

^{-linear map}

b ^d,n _e : M _k (Γ ₁ (d)) ֌ M _k (Γ ₁ (n))

that,on

q

-expansions, hasthe eet ofsending

q

^to

q ^e

^.

We dene

(1)

d(Γ ₁ (n)) = 1

12 [SL ₂ (Z) : {± 1 } Γ ₁ (n)].

This

d(Γ ₁ (n))

^{grows roughly}quadratially in

n

^{. A basi fat that we will need oftenis the}

following.

Lemma 2.1. Any

f ∈ M _k (Γ ₁ (n))

^{is determined by}

n

^,

k

^{and the oeients}

a _m (f)

^for

0 ≤ m ≤ k · d(Γ ₁ (n))

^.

Proof. If

n ≥ 5

^{, then}

d(Γ 1 (n))

^{is the degree of the line bundle}

ω

^{of modular forms of}

weight

1

^{on the modular urve}

X ₁ (n)

^{. In that ase, we an view modular forms as global}

setions of

ω ^⊗k

^{. If}

f, g ∈ M _k (Γ ₁ (n))

^{aresuh that}

a _m (f ) = a _m (g)

^for

0 ≤ m ≤ k · d(Γ ₁ (n))

^,

then

f − g

^{hasazerooforderat least}

k · d(Γ ₁ (n)) + 1

^attheusp

∞

^of

X ₁ (n)

^,andweonlude

that

f = g

^{. Onean prove the lemmaingeneral byreduing to thease}

n ≥ 5

^{. We refer to}

Sturm [14℄for afull proof.

2.2. Heke algebras. Let

T(M _k (Γ ₁ (n)))

^{be the Heke algebra on}

M _k (Γ ₁ (n))

^{. This is}

a ommutative ring, free of nite rank as a

Z

^{-module and generated as a}

Z

^{-algebra by the}

Heke operators

T m

^for

m ∈ { 1, 2, . . . }

^{and thediamond operators}

h d i

^for

d ∈ (Z/nZ) ^×

^{. It}

atson the

C

^{-vetor spae}

M _k (Γ ₁ (n))

^{of modularforms.}

Letus give someuseful formulae. We have

(2)

T _{m 1 m 2} = T _{m 1} T _{m 2}

^if

gcd(m ₁ , m ₂ ) = 1

and

(3)

T _p ⁱ⁺² = T p T _p ⁱ⁺¹ − p ^{k − 1} h p i T _p ⁱ (p

^primeand

i ≥ 0),

where

h p i

^{is to be} interpretedas

0

^if

p

^divides

n

^{. For all}

f ∈ M _k (Γ ₁ (n))

^{,we have}

(4)

a _m (T _p (f )) = a _pm (f ) + p ^{k − 1} a _m/p ( h p i f ) (p

^primeand

m ≥ 1),

where theseond termis

0

^if

p

^divides

n

^{or if}

p

^{doesnot divide}

m

^,and

(5)

a ₁ (T _m f ) = a _m (f ) (m ≥ 1).

There existsaanonial bilinear map

T(M _k (Γ ₁ (n))) × M _k (Γ ₁ (n)) −→ C (t, f ) 7−→ a ₁ (tf ),

induing an isomorphism

(6)

M _k (Γ ₁ (n)) −→ ^∼ Hom _Z-modules (T(M _k (Γ ₁ (n))), C)

of

C ⊗ Z T(M _k (Γ 1 (n)))

^-modules.

An eigenform of weight

k

^for

Γ ₁ (n)

^{is an element of}

M _k (Γ ₁ (n))

^{spanning a} one-dimensional eigenspae for the ation of

T(M _k (Γ ₁ (n)))

^{. Let}

f

^{be suh a form. Then}

a ₁ (f ) 6 = 0

^{, and we}

maysale

f

^suhthat

a ₁ (f ) = 1

^{. Now (5)impliesthat}

T _m f = a _m (f )f

^forall

m ≥ 1.

Furthermore,there existsaunique grouphomomorphism

ǫ: (Z/nZ) ^× → C ^× ,

alledtheharater of

f

^,suhthat

h d i f = ǫ(d)f

^{for all}

d ∈ (Z/nZ) ^× .

Underthe isomorphism (6), the eigenforms

f ∈ M _k (Γ ₁ (n))

^with

a ₁ (f) = 1

^{orrespond to the}

ring homomorphisms

T(M _k (Γ ₁ (n))) → C

^.

The

C

^{-vetor spae}

M _k (Γ 1 (n))

^{an be written asadiret sum}

M _k (Γ ₁ (n)) = E _k (Γ ₁ (n)) ⊕ S _k (Γ ₁ (n)).

Here

S _k (Γ ₁ (n))

^{denotes the subspae of usp forms and}

E _k (Γ ₁ (n))

^{denotes the subspae}

of Eisenstein series. The ation of

T(M _k (Γ 1 (n)))

^{respets these subspaes, and we get a}

orrespondingdeomposition

T(M _k (Γ ₁ (n))) = T(E _k (Γ ₁ (n))) × T(S _k (Γ ₁ (n)))

of

Z

^-algebras.

2.3. Eisenstein series. Let

d ₁

^and

d ₂

^{bepositiveintegerssuhthat}

d ₁ d ₂

^divides

n

^,and

onsiderprimitive haraters

ǫ ₁ : (Z/d ₁ Z) ^× → C ^× , ǫ ₂ : (Z/d ₂ Z) ^× → C ^× .

(Aharater

ǫ : (Z/dZ) ^× → C ^×

^{, with}

d

^{a positive integer, is alled primitive ifthere is no}

stritdivisor

e | d

^{suh that}

ǫ

^{fatorsthroughthe quotient}

(Z/dZ) ^× → (Z/eZ) ^×

^{.) We dene}

theformal powerseries

(7)

E _k ^{ǫ 1 ,ǫ 2} (q) = − δ _{d 1 ,1} B _k ^{ǫ 2} 2k +

X ∞ m=1

X

d|m

ǫ 1 (m/d)ǫ 2 (d)d ^{k − 1}

!

q ^m ∈ C[[q]].

Here

B _k ^{ǫ 2}

^{is a} generalised Bernoullinumber and

δ _{d 1 ,1}

^is

1

^or

0

^{depending on whether}

d ₁ = 1

or

d ₁ > 1

^.

If

k 6 = 2

^{, or if}

k = 2

^{and at least one of}

ǫ 1

^and

ǫ 2

^is non-trivial, then

E _k ^{ǫ 1 ,ǫ 2} (q)

^{is the}

q

^-

expansionofan eigenformin

E _k (Γ ₁ (d ₁ d ₂ ))

^withharater

ǫ ₁ ǫ ₂

^{. Foranydivisor}

e

^of

n/(d ₁ d ₂ )

^,

themap

b ^d e ^{1 d 2 ,n} : M _k (Γ ₁ (d ₁ d ₂ )) → M _k (Γ ₁ (n))

^{sendsthisformtoanelementof}

M _k (Γ ₁ (n))

^with

q

^-expansion

E _k ^{ǫ 1 ,ǫ 2} (q ^e )

^{. Asfor thease where}

k = 2

^{and both}

ǫ ₁

^and

ǫ ₂

^{are trivial, for every}

divisor

e | n

^with

e > 1

^{there is an element of}

E ₂ (Γ ₁ (n))

^with

q

^-expansion

E ₂ (q) − eE ₂ (q ^e )

^,

where

E ₂ (q)

^{isthepowerseries}

(8)

E ₂ (q) = − 1

24 + X ∞ m=1

X

d | m

d

! q ^m .

For

k 6 = 2

^,theniteset

(9)

F _k (Γ ₁ (n)) = G

d 1 d 2 |n

G

e|(n/d 1 d 2 )

E _k ^{ǫ 1 ,ǫ 2} (q ^e ) | ǫ _i : (Z/d _i Z) ^× → C ^×

^primitive

isa

C

^-basisof

E _k (Γ ₁ (n))

^{. For}

k = 2

^,wetakeall

E _k ^{ǫ 1 ǫ 2} (q ^e )

^for

ǫ ₁

^,

ǫ ₂

^{not both trivial,together}

withthe

E ₂ (q) − eE ₂ (q ^e )

^{for all}

e | n

^with

e > 1

^.

2.4. Cusp forms. We write

S ^new _k (Γ 1 (n))

^{for the orthogonal omplement, with respet}

to the Petersson inner produt, of the subspae of

S _k (Γ ₁ (n))

^{spanned by the images of}

all the

b ^d,n e

^with

d

^{stritly dividing}

n

^{. The spae}

S ^new _k (Γ ₁ (n))

^{is preserved by the ation}

of

T(S _k (Γ ₁ (n)))

^{. Theunique quotient of}

T(S _k (Γ ₁ (n)))

^{thatats faithfullyon}

S ^new _k (Γ ₁ (n))

^is

denotedby

T(S ^new _k (Γ 1 (n)))

^.

An eigenform

f ∈ S ^new _k (Γ ₁ (n))

^with

a ₁ (f ) = 1

^{isalleda primitive uspform. The niteset}

(10)

B _k (Γ 1 (n)) = G

d|n

G

e|(n/d)

b ^d,n _e

primitive uspforms in

S ^new _k (Γ 1 (n))

isa

C

^-basisfor

S _k (Γ ₁ (n))

^.

2.5. Modular forms over other rings. We dene

M ^int _k (Γ ₁ (n)) = {

^{forms in}

M _k (Γ ₁ (n))

^with

q

^{-expansion in}

Z[[q]] } .

Thisisa

T(M _k (Γ ₁ (n)))

^{-modulethatisfreeofniterankasa}

Z

^{-module. Foranyommutative}

Z[1/n]

^-algebra

R

^{, we dene the}

R

^{-module of modular forms of weight}

k

^for

Γ ₁ (n)

^with

oeientsin

R

^as

M _k (Γ ₁ (n), R) = R ⊗ Z M ^int _k (Γ ₁ (n)).

Apartfromthe omplexnumbers, the important examplesforus arenumberelds andnite

elds of harateristi not dividing

n

^{. If}

R

^{is any eld of} harateristi not dividing

n

^{, we}

dene eigenforms over

R

^{inthesame wayasin thease}

R = C

^.

If

R

^isasub-

Z[1/n]

^-algebraof

C

^,weidentify

M _k (Γ ₁ (n), R)

^{withthesubmoduleof}

M _k (Γ ₁ (n))

onsistingof forms with

q

^{-expansion in}

R[[q]]

^.

3. Modular Galois representations

Let

n

^and

k

^{be positive integers, let}

F

^{be a nite eldof} harateristi not dividing

n

^{, and}

let

f ∈ M _k (Γ ₁ (n), F)

^{bean eigenformover}

F

^.

Itfollows fromwork ofEihler,Shimura, Igusa,Deligne andSerre thatthere existsa ontin-

uoussemi-simple representation

ρ _f : Gal(Q/Q) → Aut F V _f ,

where

V _f

^{is a}two-dimensional

F

^{-vetor spae,with thefollowing} properties:

ρ _f

^{isunramied at allprimenumbers}

p

^{not dividing}

nl

^;

if

p

^{issuh a prime number, thenthe}harateristi polynomialof theFrobenius onju- gay lassat

p

^equals

t ² − a _p (f )t + ǫ(p)p ^k−1

^,where

ǫ

^{istheharater of}

f

^.

This

ρ _f

^{isunique upto} isomorphism.

The end produt of [1℄ is a probabilisti algorithm for omputing representations of the

form

ρ _f

^{, where}

f

^{is an eigenform over a nite eld}

F

^{. This allows us to state thefollowing}

theorem.

Theorem 3.1. Let

n ₀

^{be a positive integer. There exists a} probabilisti algorithm that, given

a positive integer

k

^,

a squarefree positive integer

n ₁

^{oprime to}

n ₀

^,

a niteeld

F

^of harateristi greater than

k

^{, and}

an eigenform

f ∈ M _k (Γ 1 (n))

^{, given by its oeients}

a m (f )

^for

0 ≤ m ≤ k · d(Γ 1 (n))

^,

omputes

ρ _f

^{in the form of the followingdata:}

the nite Galois extension

K _f

^of

Q

^{suh that}

ρ _f

^{fators as}

Gal(Q/Q) ։ Gal(K _f /Q) ֌ Aut F V _f ,

given by the multipliationtable of some

Q

^-basis

(b ₁ , . . . , b _r )

^of

K _f

^;

for every

σ ∈ Gal(K _f /Q)

^{, the matrix of}

σ

^{with respet to the basis}

(b 1 , . . . , b r )

^andthe

matrix of

ρ _f (σ)

^{withrespet tosome xed}

F

^{-basis of}

V _f

^,

andthat runs in expeted time polynomial in

k

^,

n ₁

^and

#F

^.

Moreover, one

ρ _f

^{has been omputed, one an ompute}

ρ _f (Frob p )

^{using a} deterministi al- gorithmin time polynomialin

k

^,

n ₁

^,

#F

^and

log p

^.

Remark 3.2. Thisrunningtimeisoptimalfromaertainperspetive,giventhefatthat

thelengthof theinput andoutput ofsuh an algorithm isneessarily at leastpolynomial in

k

^,

n 1

^and

#F

^(and

log p

^{for theseondpart).}

4. Some bounds

Inthis setionwe olletsome boundsthatwe will need in

§

^{5belowto prove Theorem 1.1.}

4.1. The disriminant of the new quotient of the Heke algebra. Let

n

^and

k

be positive integers. The

Z

^-algebra

T(S ^new _k (Γ ₁ (n)))

^{is redued, beause there is a basis of}

eigenformsfor itsation on

S ^new _k (Γ ₁ (n))

^{. F}urthermore, itis freeof niterankasa

Z

^-module.

Inpartiular,it hasanon-zero disriminant

disc T(S ^new _k (Γ 1 (n)))

^.

Lemma 4.1. The logarithm of

| disc T(S ^new _k (Γ 1 (n))) |

^{is bounded by a polynomial in}

n

and

k

^.

Proof. ThemethodofUllmo[15℄,whoonsidereduspformsofweight 2for

Γ ₀ (n)

^with

n

squarefree,extends without diulty to our situation. For ompleteness, let us give a proof

inthis more general setting.

Weabbreviate

T = T(S ^new _k (Γ ₁ (n)))

and

r = dim _C S ^new _k (Γ ₁ (n))

= rank _Z T.

ItfollowsfromLemma2.1and(6 )thatthe

Q

^-vetorspae

Q ⊗ Z T

^{isspannedbytheelements}

T ₁

^,...,

T _{k · d(Γ 1 (n))}

^,with

d(Γ ₁ (n))

^{asin(1). Wean thereforehooseintegers}

1 ≤ m 1 ≤ · · · ≤ m r ≤ k · d(Γ 1 (n))

suh thattheelements

T _{m 1}

^,...,

T _{m r}

^of

T

^are

Z

^-linearly independent. Welet

T ^′

^denotethe

subgroup of

T

^spannedby

T _{m 1}

^,...,

T _{m r}

^{. This}

T ^′

^{is free of rank}

r

^asa

Z

^{-module, so ithas}

nite index

(T : T ^′ )

ⁱⁿ

T

^,and

disc T = disc T ^′ (T ^′ : T) ² .

Inpartiular, this implies

| disc T | ≤ disc T ^′ .

We next usethe denitionof thedisriminant:

disc T ^′ = det tr(T _{m u} T _{m v} ) ^r _u,v=1 ,

where

tr(e)

^{denotes the trae of the}

Z

^{-linear map}

T ^′ → T ^′

^sending

t

^to

et

^{. Now the trae}

ofan endomorphism

e

^of

T ^′

^{equalsthe trae ofthe}endomorphism dualto

e

^{on the}

C

^-vetor

spae

Hom _Z-modules (T ^′ , C) ∼ = S ^new _k (Γ ₁ (n)).

We let

f ₁

^,...,

f _r

^{be the primitive uspforms in}

S ^new _k (Γ ₁ (n))

^{,andweabbreviate}

α _t,u = a _{m t} (f _u ).

Thenweget

tr(T _{m u} T _{m v} ) = X r t=1

α _t,u α _t,v .

We thenompute

disc T ^′

^asfollows:

disc T ^′ = det X r

t=1

α _t,u α _t,v r

u,v=1

= det



 

 



 

 

α 1,1 α 2,1 . . . α r,1

α _1,2 α _2,2 . . . α _r,2

.

.

. .

.

. .

.

. .

.

.

α _1,r α _2,r . . . α _r,r



 

 



 

 

α 1,1 α 1,2 . . . α 1,r

α _2,1 α _2,2 . . . α _2,r

.

.

. .

.

. .

.

. .

.

.

α _r,1 α _r,2 . . . α _r,r



 

 



 

 

= det (α _t,u ) ^r _t,u=1 2

.

Deligne'sboundfortheoeientsofeigenforms,provedin[3℄ and[4℄,impliestheinequality

| α t,u | = | a m t (f u ) |

≤ σ ₀ (m _t )m ^(k _t ^{− 1)/2} .

Here

σ ₀ (m)

^{denotes the number of positive divisors of}

m

^{. Elementary estimates now show}

that

log | disc T |

^{is bounded byapolynomialin}

n

^and

k

^.

4.2. Primes of small norm in number elds. The Riemann hypothesis for the

ζ

^-

funtionof anumbereld

K

^{hasthe following well-knownimpliation offor theexisteneof}

primeidealsofsmall normin thering ofintegers of

K

^.

Lemma 4.2. Let

ǫ

^and

δ

^{be positive real numbers. There exist positive real numbers}

A

^and

B

^{suh that the following holds. Let}

K

^{be an number eld suh that the Riemann}

hypothesis is true for the

ζ

^{-funtion of}

K

^{. Let}

Z _K

^{denote the ring of integers of}

K

^{, andfor}

everyprimenumber

p

^let

λ _K (p)

^{denotethe numberof primeidealsof}

Z _K

^{of normequal to}

p

^.

Thenfor all real numbers

x ≥ 2

^suhthat

x ^δ

(log x) ² ≥ A[K : Q]

^and

x ^δ

log x ≥ B log | disc Z _K |

wehave

X

p ≤ x

^prime

λ _K (p) log p − x

≤ ǫx ^1/2+δ .

Proof. For every prime number

p

^{andeverypositiveinteger}

m

^,wedene

Λ K (p ^m ) = X

t|m

t · # {

^{prime idealsof norm}

p ^t

ⁱⁿ

Z K } · log p.

Inpartiular,thisimplies

Λ _K (p) = λ _K (p) log p

^{foreveryprimenumber}

p

^{. Wedene}

Λ _K (n) = 0

^if

n

^{is not aprimepower. Therelation between}

ζ _K

^and

Λ _K

^{istheDirihlet series}

− ζ _K ^′ (s) ζ _K (s) =

X ∞ n=1

Λ _K (n)n ^{− s} .

Wedene

ψ K : [1, ∞ ) −→ R x 7→ X

n≤x

Λ _K (n).

Now there existsa positive real number

c

^, independent of

K

^{, suh thatthe} generalisedRie- mannhypothesis for

ζ _K

^{impliestheestimate}

| ψ _K (x) − x | ≤ c √

x log(x) log x ^[K:Q] | disc Z _K |

for all

x ≥ 2;

seeIwanieand Kowalski [9, Theorem 5.15℄. Byelementary arguments, it follows thatthere

existsapositive realnumber

c ^′

^,alsoindependent of

K

^{,suh that}

X

p ≤ x

^prime

λ _K (p) log p − x ≤ c ^′ √

x log(x) log x ^[K:Q] | disc Z _K |

forall

x ≥ 2.

It isnowstraightforward to hekthattaking

A = B = 2c ^′ /ǫ

^works.

5. Proof of Theorem 1.1

Asalready mentioned brieyintheintrodution, Theorem1.1 willbe proved asfollows. We

rstprove thefollowing basi ases:

f

^{is anelement of theform}

E _k ^{ǫ 1 ,ǫ 2}

ⁱⁿ

E _k (Γ ₁ (d ₁ d ₂ ))

^,where

ǫ ₁ : (Z/d ₁ Z) ^× → C ^×

^and

ǫ ₂ : (Z/d ₂ Z) ^× → C ^×

^{areprimitiveharaters;}

f

^{is aprimitive uspformin}

S _k (Γ ₁ (n))

^.

In eah ase, we take

K

^{to be the number eld generated by the oeients of}

f

^{, and we}

assume that

m

^{is a prime number. After proving these speial ases, we show that we an}

ompute theHeke algebra

T(M _k (Γ 1 (n)))

^{ina sense thatwillbe explainedin}

§

^{5.3below. It}

isthenstraightforward to dedueTheorem 1.1ingeneral.

5.1. Eisenstein series. We start by onsidering the Eisenstein series

E _k ^{ǫ 1 ,ǫ 2}

^{, where}

ǫ ₁ : (Z/d ₁ Z) ^× → C ^×

^and

ǫ ₂ : (Z/d ₂ Z) ^× → C ^×

^{are primitive haraters and}

e

^{is a divisor}

of

n/(d ₁ d ₂ )

^{. For onveniene, we alsoallow thease of the}`pseudo-Eisenstein series'

E ₂

^de-

nedby(8 ). Let

K

^{betheylotomiextensionof}

Q

^{generatedbytheimagesof}

ǫ ₁

^and

ǫ ₂

^{. The}

formula(7)showsthatforeveryprimenumber

p

^{,weanomputetheelement}

a _p (E _k ^{ǫ 1 ,ǫ 2} ) ∈ K

intimepolynomialin

n

^,

k

^and

log p

^.

5.2. Primitive forms. We ontinue with the ase where

f

^{is a primitive usp form}

in

S ^new _k (Γ ₁ (n))

^and

K

^{isthe number eld generated bythe oeientsof}

f

^{. Let}

Z _K

^denote

thering ofintegersof

K

^{. There existsaunique ring}homomorphism

e _f : T(S ^new _k (Γ ₁ (n))) → Z _K

sending eah Heke operator to its eigenvalue on

f

^{. Let}

A

^{denote the image of}

e _f

^{. It is of}

nite index

(Z _K : A)

ⁱⁿ

Z _K

^{,and we have}

disc A = (Z _K : A) ² disc Z _K .

Furthermore, we have

| disc A | ≤ | disc T(S ^new _k (Γ ₁ (n))) |

^and

[K : Q] ≤ rank _Z T(S ^new _k (Γ ₁ (n))).

Lemma 4.1 now implies that

log | disc A |

^{, and hene also}

log | disc Z _K |

^and

log(Z _K : A)

^{, are}

boundedbya polynomial in

n

^and

k

^{. The same learly holdsfor}

[K : Q]

^.

Nowlet

p

^{beaprimenumber. Wehavetoshowthatweanompute}

a _p (f )

^{intimepolynomial}

in

n

^,

k

^and

log p

^{. In} Couveignes, Edixhoven et al. [2,

§

^{15.2℄ it is explained indetail how to}

dothis. We only givea sketh.

Wemayassumethat

p

^{doesnot divide}

n

^;namely,if

p

^doesdivide

n

^{,thenwe an spendtime}

polynomial in

p

^{,sousingmodular symbolsisfast enough;see}

§

^5.3below.

ByLemma 4.2 applied to

K

^{and thefatthat}

log(Z _K : A)

^{isbounded bya polynomial in}

n

and

k

^{,wean hoose}

x

^{suiently large,butboundedbyapolynomial in}

n

^and

k

^{,suh that}

if

M

^{is the set of maximal ideals of}

A

^{whose norm is a prime number lying in the interval}

(k, x]

^{and dierent from}

p

^{,we have}

(11)

Y

m ∈ M

Norm(m) ≥

2 ([K:Q]+1)/2 · 2p ^{(k − 1)/2} [K:Q]

.

An explanation for the right-hand side will be given below. We ompute

a _p (f )

^{using the}

following algorithm.

1. Compute a

Z

^-basisfor

A

^.

2. Compute abound

x

^{and the set}

M

^{ofmaximal idealsof}

A

^{suhthat theset}

M

^dened

above satises(11 ).

3. For all

m ∈ M

^{,ompute the Galois} representation

ρ _{f mod m} : Gal(Q/Q) → GL ₂ (A/m)

using Theorem 3.1 .

4. For all

m ∈ M

^,ompute

(a p (f ) mod m) = tr(ρ _{f mod m} (Frob p )) ∈ A/m,

again using Theorem3.1.

5. Compute an LLL-redued

Z

^{-basisfor theideal}

a = Q

m∈M m

^of

A

^.

6. Fromthe

a _p (f ) mod m

^{,omputethe image of}

a _p (f )

ⁱⁿ

A/a

^.

7. Using the LLL algorithm, reonstrut

a _p (f )

^{as the shortest} representative in

A

^{of the}

image of

a p (f )

ⁱⁿ

A/a

^{. Thisworksbeause ofthe inequality (11) .}

5.3. ComputingHeke operators. Werepresent

T(M _k (Γ ₁ (n)))

^{inthefollowingform:}

we speify its multipliation table with respet to a suitable

Z

^-basis

(b 1 , . . . , b r )

^{, together}

with the Heke operators

T _m

^for

1 ≤ m ≤ k · d(Γ ₁ (n))

^{and the diamond operators}

h d i

^for

all

d ∈ (Z/nZ) ^×

^as

Z

^-linear ombinations of

(b ₁ , . . . , b _r )

^{. These data speify}

T(M _k (Γ ₁ (n)))

uniquely beause the above operators generate

T(M _k (Γ ₁ (n)))

^{. In other words, if the same}

data are given with respet to a dierent basis of

T(M _k (Γ ₁ (n)))

^{, there exists exatly one}

hange of

Z

^{-basis ompatible withthegiven}

T m

^and

h d i

^.

Theorem 5.1. Let

n ₀

^{be a positive integer. There exists a} probabilisti algorithm that, given

a positive integer

k

^,

a squarefree positive integer

n ₁

^{oprime to}

n ₀

^{, and}

a positive integer

m

^{in fatored form,}

omputes

the Heke algebra

T(M _k (Γ ₁ (n)))

^{as above, where}

n = n ₀ n ₁

^{, and}

the element

T _m

^{on the basis}

(b ₁ , . . . , b _r )

^,

and that runs in expeted time polynomial in

k

^,

n ₁

^and

log m

^{under the Riemann hypothesis}

for

ζ

^{-funtions of number elds.}

Proof. We need some more information about the ation of Heke operators on

q

^-

expansions. Asa basisfor

M _k (Γ ₁ (n))

^{we take the union ofthe basis}

F _k (Γ ₁ (n))

^of

E _k (Γ ₁ (n))

dened by (9 )and the basis

B _k (Γ ₁ (n))

^of

S _k (Γ ₁ (n))

^{dened by(10 ).}

Let

f

^{be either an Eisenstein series}

E _k ^{ǫ 1 ,ǫ 2} ∈ E _k (Γ ₁ (d ₁ d ₂ ))

^{as above or a primitive form}

in

S _k (Γ ₁ (d))

^{. In the rst ase, we put}

d = d ₁ d ₂

^{. Theformula(4) for theation oftheHeke}

operator

T _p

^{shows thattherelationbetween}

T _p

^{andthe maps}

b ^d,n e : M _k (Γ ₁ (d)) → M _k (Γ ₁ (n))

^,

where

e

^{runsthrough thedivisorsof}

n/d

^{,is asfollows:}

(12)

T _p (b ^d,n _e f ) =

 

 

 

 

 



a _p · b ^d,n _e f

^if

p ∤ n;

b ^d,n _e/p f

^if

p | e;

a p · b ^d,n e f − p ^{k − 1} ǫ(p)b ^d,n pe f

^if

p ∤ d

^,

p ∤ e

^and

p | n;

a _p · b ^d,n _e f

^if

p | d

^and

p ∤ e.

Thisformulagivesthematrix of

T p

^{withrespettothebasis}

F _k (Γ 1 (n))

^of

E _k (Γ 1 (n))

^andthe

basis

B _k (Γ ₁ (n))

^of

S _k (Γ ₁ (n))

^.

We rst ompute the

q

-expansions of the Eisenstein series

E _k ^{ǫ 1 ,ǫ 2} ∈ E _k (Γ ₁ (d ₁ d ₂ ))

^{, with}

ǫ _i : (Z/d _i Z) ^× → C ^×

^{primitive haraters suh that}

d ₁ d ₂ | n

^{, as in}

§

^{2.3 . From these}

q

^-

expansionsand(12 )wethenompute theHekealgebra

T(E _k (Γ ₁ (n)))

^{intheform desribed}

above intime polynomialin

n

^and

k

^.

Given a prime number

p

^{, we ompute all the}

a _p (E _k ^{ǫ 1 ,ǫ 2} )

^{as in}

§

^{5.1 , and we nd the matrix}

of

T _p

^{using (12). Wethenexpress}

T _p

^{on thebasisof}

T(E _k (Γ ₁ (n)))

^{thatweomputed earlier.}

Inthis way,we anompute theHeke operator

T p ∈ T(E _k (Γ 1 (n)))

^{intimepolynomialin}

n

^,

k

^and

log p

^.

For uspforms, the

q

-expansions areomputed fromtheHeke algebra insteadofvieversa.

We ompute theHekealgebras

T(S _k (Γ ₁ (d)))

^,where

d

^{runsthrough thedivisorsof}

n

^,inthe

form desribed above. These data an be omputed in time polynomial in

n

^and

k

^using

deterministialgorithmsbasedonmodularsymbolsandtheLLLlattiebasisredutionalgo-

rithm;seeStein[13,Chapter8℄andtheauthor'sthesis[1,

§

^{IV.4.1℄. Fromeah}

T(S _k (Γ ₁ (d)))

^,

we ompute the

q

-expansionsof the primitiveusp formsin

S _k (Γ ₁ (d))

^.

Sofar,wehaveonlyusedexistingmethods. ToomputetheHekeoperator

T p ∈ T(S _k (Γ 1 (n)))

for a primenumber

p

^{in timepolynomial in}

log p

^{,we need our new tools. For every divisor}

d

^of

n

^{and every primitive form}

f ∈ S _k (Γ ₁ (d))

^,weompute

a _p (f )

^{as in}

§

^{5.2 . Using (12),we}

obtain the matrix of

T _p

^{with respet to the basis}

B _k (Γ ₁ (n))

^{. We nally express}

T _p

^{on the}

basisof

T(S _k (Γ ₁ (n)))

^{thatweomputed earlier.}

Nowlet

m

^{beanarbitrarypositive integer,andsupposethatwe knowthe}fatorisation of

m

^.

Thenwe an ompute the element

T _m ∈ T(M _k (Γ ₁ (n))) = T(E _k (Γ ₁ (n))) × T(S _k (Γ ₁ (n)))

fromthe

T _p

^forfor

p | m

^{primeintimepolynomialin}

log m

^{usingtheidentities(2 )and(3).}

5.4. Proof of Theorem 1.1 in general. Given

n

^,

k

^,

K

^,

f

^and

m

^{as in thetheorem,}

weompute

a m (f )

^{asfollows. We rstompute}

T(M _k (Γ 1 (n)))

^{usingmodularsymbols. From}

f

^{we thendetermine the unique}

Z

^{-linear map}

e _f : T(M _k (Γ ₁ (n))) → K

sending

T i

^to

a i (f )

^{for all}

i

^with

1 ≤ i ≤ k · d(Γ 1 (n))

^{. Using Theorem5.1 , we thenompute}

theHeke operator

T _m

^{. Finally,we ompute}

a _m (f )

^as

a _m (f ) = e _f (T _m ).

Itis straightforward to hekthat allthese omputationsan be done intimepolynomial in

thelength of theinput.

Remark 5.2. The proof shows that the Riemann hypothesis only needs to be assumed

forthe

ζ

^{-funtionsofnumberelds thatariseaseldsof oeients ofprimitive uspforms.}

6. Appliations

6.1. Counting points on modular urves. Thease

k = 2

^{ofTheorem 5.1impliesa}

newresulton ountingpointson modularurvesovernite elds.

Theorem 6.1. There exists a probabilisti algorithm that, given a squarefree positive in-

teger

n

^{and a prime number}

p ∤ n

^{, omputes the zeta funtion of the modular urve}

X 1 (n)

over

F _p

^{, andthat runs in time polynomial in}

n

^and

log p

^{under the Riemann hypothesisfor}

ζ

^{-funtionsof number elds.}

Proof. Let

J ₁ (n) _{F p}

^{denotetheJaobianof}

X ₁ (n) _{F p}

^{. Let}

χ

^betheharateristipolynomial of the Frobenius endomorphism of the

l

^{-adi Tate module}

T _l J 1 (n) F p

^{, where}

l

^{is any prime}

number dierent from

p

^{; then}

χ

^{hasintegral oeients and doesnot depend on the hoie}

of

l

^{. Beauseof thewell-knownidentity}

Z _{X 1 (n)/F p} (t) = χ ^∗ (t) (1 − t)(1 − pt) ,

where

χ ^∗ (t) = t ^{deg χ} χ(1/t)

^{isthe reiproal polynomial of}

χ

^{,itsuesto ompute}

χ

^.

Let

T ₁ (n)

^{denote the Heke algebra ating on}

J ₁ (n) _{F p}

^{. Then}

Q _l ⊗ Z l T _l J ₁ (n) _{F p}

^{is a free}

Q _l ⊗ Z T ₁ (n)

^{-moduleofrank2. Bythe}EihlerShimurarelation,theharateristipolynomial of

Frob p

^onitequals

x ² − T p x+p h p i ∈ T 1 (n)[x]

^{. Thisimpliesthatthe}harateristipolynomial of

Frob _p

^{viewed asa}

Q _l

^{-linear mapequals}

χ = Norm _{T 1} (n)[x]/Z[x] (x ² − T _p x + p h p i ) ∈ Z[x].