Fast amortized multi-point evaluation

(1)

HAL Id: hal-02508529

https://hal.archives-ouvertes.fr/hal-02508529

Submitted on 14 Mar 2020

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Joris van der Hoeven, Grégoire Lecerf

To cite this version:

Joris van der Hoeven, Grégoire Lecerf. Fast amortized multi-point evaluation. Journal of Complexity, Elsevier, In press, �10.1016/j.jco.2021.101574�. �hal-02508529�

(2)

JORIS VAN DERHOEVEN^abc, GRÉGOIRELECERF^bd

a. CNRS (UMI 3069, PIMS) Department of Mathematics

Simon Fraser University 8888 University Drive Burnaby, British Columbia

V5A 1S6, Canada

b. CNRS, École polytechnique, Institut Polytechnique de Paris Laboratoire d'informatique de l'École polytechnique (LIX, UMR 7161)

1, rue Honoré d'Estienne d'Orves Bâtiment Alan Turing, CS35003

91120 Palaiseau, France

c. Email:[email protected] d. Email:[email protected]

Preliminary version of March 14, 2020

The efficient evaluation of multivariate polynomials at many points is an important operation for polynomial system solving. Kedlaya and Umans have recently devised a theoretically efficient algorithm for this task when the coefficients are integers or when they lie in a finite field. In this paper, we assume that the set of points where we need to evaluate is fixed and “sufficiently generic”. Under these restrictions, we present a quasi-optimal algorithm for multi-point evaluation over general fields. We also present a quasi-optimal algorithm for the opposite interpolation task.

1. I

NTRODUCTION

Let𝕂be an effective field, so that we have algorithms for the field operations. Given a polynomialP∈ 𝕂[x1, . . . ,xn]and a tuple𝜶 = (𝛼₁, . . . , 𝛼_d) ∈ (𝕂ⁿ)^dof points, the computation ofP(𝜶) = (P(𝛼₁), . . . ,P(𝛼_d)) ∈ 𝕂^dis called the problem ofmulti-point evaluation. The converse problem is calledinterpolationand takes a candidate support ofPas input.

This problem naturally relates to several areas of applied algebra, including polynomial system solving, since we may use it to verify whether all points in a given set are solutions to a system of polynomial equations. In [16], it has even be shown that efficient algorithms for multi-point evaluation lead to efficient algorithms for polynomial system solving. As an other more specific application, bivariate polynomial evaluation inter- venes in computing generator matrices of geometric error correcting codes [20].

An important particular case of interpolation concerns polynomials with prescribed supports and that vanish at a given set of points. This happens in list decoding algorithms for Reed–Solomon error correcting codes; see recent complexity bounds in [7].

In the bivariate case, this task also occurs in the Brill–Noether strategy for computing Riemann–Roch spaces; see recent advances in [2]. Further applications can be found in [24].

∗. This paper is part of a project that has received funding from the French “Agence de l'innovation de défense”.

†. This article has been written using GNU TEXMACS[18].

1

(3)

1.1. Related work

In the univariate case whenn= 1, it is well known that one may use so-called “remainder trees” to compute multi-point evaluations in quasi-optimal time [3, 9, 23]. More pre- cisely, ifM(d)stands for the cost to multiply two univariate polynomials of degree<d (in terms of the number of ﬁeld operations in𝕂), then the multi-point evaluation of a polynomial of degree<d at d points can be computed in time O(M(d) logd). A similar complexity bound holds for the opposite operation of interpolation. The constants hidden in the latter “O” have been studied in [5]. Recently, and under suitable technical assumptions, it has been shown that the cost of univariate multi-point evaluation (and interpolation) drops toO(M(d)logd/log logd)if the set of evaluation points is ﬁxed [13].

In this case, we do not count the cost of certain precomputations that only depend on the evaluation points and not on the polynomials to evaluate. We may also speak about the

“amortized cost” of multi-point evaluation.

In the multivariate case whenn⩾ 2, no quasi-optimal algorithms are currently known for multi-point evaluation. From a theoretical point of view, the best bit-complexity bounds are due to Kedlaya and Umans, in the special cases when the coefficients of our polynomials are modular integers or when they lie in a finite field [19]. They also related the problem to other important operations such as modular composition and power pro- jection. Their results have recently been refined in [17]. Over general fields and forn= 2, the best known bound isO(deg_x₁P(deg_x₂P)^1.667); due to Nüsken and Ziegler [26].

The multivariate interpolation problem turns out to be more intricate than evaluation, and fewer eﬃcient algorithms are known. Using naive linear algebra, one may design polynomial time algorithms, but with costs that are higher than quadratic ind. To our knowledge no interpolation method has been designed in the vein of the Kedlaya–Umans evaluation algorithms. Several methods are surveyed in [10] for instance, but, here, we will focus on symbolic approaches and their asymptotical complexity bounds.

Concerning the computation of polynomials that vanish at a given set of points, with suitable constraints on the supports, early methods can be found in [1,22,24]: Gröbner bases of the ideal made of these polynomials are obtained with cost at least cubic ind.

After a generic change of coordinates the lexicographic basis satisﬁes the “shape lemma”

and it can be computed in softly linear time by means of univariate interpolations. In other words, our set of points is the solution set of a system𝜒(x1) = 0andxi=vi(x1)for i= 2,...,n, wheredeg 𝜒 =danddegvi<d. From𝜒and thevi, a Gröbner basis for any other monomial ordering can be recovered withO˜(d^𝜔)ﬁeld operations thanks to the algorithm designed in [8].

In the bivariate case, with generic coordinates, from the latter univariate parame- trization, and given𝛿₁⩽d, we may compute a basis of the𝕂[x1]-module of polynomials of degree<𝛿₁inx2that vanish at𝛼₁, . . . , 𝛼_d. Indeed this reduces to computing a basis of the kernel of the map

𝕂[x1][x2]_<𝛿₁ → 𝕂[x1]/(𝜒(x1))

a0(x1) + ⋅ ⋅ ⋅ +a𝛿₁−1(x1)x₂^𝛿¹⁻¹ ↦ a0(x1) + ⋅ ⋅ ⋅ +a𝛿₁−1(x1)v2(x1)^𝛿¹⁻¹.

This kernel is a free𝕂[X1]-module of rank𝛿₁. The basis in Popov form can be computed withO˜(𝛿₁^𝜔−1d) operations in 𝕂; this complexity bound is due to Neiger [25]. Taking 𝛿₁≍ d, the latter cost rewritesO˜(d^(𝜔+1)/2). The bivariate interpolation problem can be solved with the same kind of complexity bound by means of linear algebra algorithms that exploit displacement ranks [4].

(4)

In a more general setting, one may consider evaluation at “multisets of points” in the sense that values of polynomials and of certain of its derivatives are involved. The converse problem is usually called Hermite interpolation, so values for the polynomial and its derivative are prescribed. We will not address these extended problems in the present paper.

1.2. Our contributions

In this paper, we turn our attention to the amortized cost of multivariate multi-point evaluation. Given a “suﬃciently generic” tuple𝜶of evaluation points, we ﬁrst construct a suitable “evaluation tree” that is similar to the remainder trees from the univariate case.

After this precomputation, we next show how to evaluate polynomials at𝜶 in quasi- optimal time. For instance, for a fixed dimensionn, a sufficiently large base field 𝕂, and a polynomialPof partial degreesdeg_x_iP<ⁿdfori= 1, . . . ,n, we show how to com- puteP(𝜶) in timeO(M(d) log³d). We also show how to do the opposite operation of interpolation with a similar complexity. It can be shown that the “constant factors” in the big-Oh hide a factorial dependence inn.

Our algorithms rely on suitable genericity hypotheses that ensure the existence of Gröbner bases of a speciﬁc shape for the vanishing idealI𝜶at the evaluation points. This will be detailed in section3. Another key ingredient is an algorithm from [14] for the relaxed reduction of polynomials with respect to such Gröbner bases or more general sets of polynomials. In this paper, all reductions will be done with respect to so-called

“axial bases”, which provide sufficiently good approximations of the actual Gröbner bases ofI𝜶. This will be detailed in section4.

Having an eﬃcient algorithm for reducing polynomials with respect to I_𝜶, we may use it as a generalization of Euclidean division. In sections5and6, this allows us to gen- eralize the remainder tree technique to higher dimensions, and establish our complexity bounds for amortized multi-point evaluation and interpolation. It is also noteworthy that the necessary precomputations can be done using linear algebra in timeO(d^𝜔), where 𝜔 > 2is a feasible exponent for matrix multiplication.

When comparing our new amortized boundO(M(d)log³d)with the traditional bound O(M(d) logd)in the univariate case, we note that we lose a factorlog²d. This is due to the fact that we rely on relaxed computations for our polynomial reductions. With a bit of work, a factorlogdmight be removed by exploiting the fact that our polynomials are not really sparse, so that we may takeSM(s) =O(M(s))in the proof of Theorem6(under our assumption thatnis ﬁxed and with the notationSMdeﬁned in [14]). It is plausible that the second logarithmic factor can be further reduced using techniques from [12]

or a clever Newton iteration.

Our genericity assumptions can also be weakened significantly: with the notations from section4, it is essentially sufficient to assume that|ℜ_d| =O(d). Another interesting question is whether the costO(d^𝜔)of the precomputations can be lowered. Under additional genericity assumptions, this is indeed possible whenn= 2: using the probabilistic algorithm of type Las Vegas from [4], the precomputations take an expected number of O(d(𝜔+1)/2+o(1))field operations.

2. P

RELIMINARIES

For complexity analyses, we will only consider algebraic complexity models (such as computation trees). In other words we will simply count numbers of arithmetic operations and zero-tests in𝕂.

(5)

Throughout this paper, we assume𝜔to be a feasible exponent for matrix multiplication with𝜔 > 2. This means that twon×nmatrices in𝕂^n×ncan be multiplied in time O(n^𝜔). Le Gall has shown in [21] that one may take𝜔 < 2.373.

We denote byM(d)the time that is needed to compute a productP Qof two polynomials P,Q∈ 𝕂[x] of degree <d. We make the usual assumption that M(d) /d is non-decreasing as a function ofd. It is also convenient to assume thatM(kd) =O(kM(d)) fork=O(logd). Using a variant of Schönhage–Strassen's algorithm [6,28,29], it is well known thatM(d) =O(dlogdlog logd). If we restrict our attention to ﬁelds 𝕂 of positive characteristic, then we may takeM(d) =O dlogd4^log^∗ⁿ [11].

In order to use the extended multivariate reduction algorithms from [14], sparse polynomial arithmetic is needed. Asparse representationof a polynomialF in 𝕂[x1, . . . ,xn] is a data structure that stores the set of the non-zero terms ofF. Each such term is a pair made of a coeﬃcient and a degree vector. In an algebraic complexity model the bit size of the exponents counts for free, so the relevant size of such a polynomial is the cardinality of its support.

Consider two polynomialsFandGof𝕂[x1,...,xn]in sparse representation. An exten- sive literature exists on the general problem of multiplyingFandG; see [27] for a recent survey. For the purposes of this paper, a superset𝒮for the support ofFGwill always be known. Then we deﬁneSM(s)to be the cost to computeFG, wheresis the maximum of the sizes of such a superset𝒮and the supports ofFandG. Under suitable assumptions, the following proposition will allow us to takeSM(s) =O(M(s) logs)in our multivariate evaluation and interpolation algorithms.

PROPOSITION1. Let𝜋₁, . . . , 𝜋_nbe positive integers and let𝜃in𝕂be of multiplicative order at least𝜋 ≔ 𝜋₁⋅ ⋅ ⋅ 𝜋_n.

i. The set𝒫made of the products𝜃ê¹𝜃ê²^𝜋¹⋅ ⋅ ⋅ 𝜃êⁿ^𝜋¹^{⋅ ⋅ ⋅𝜋}ⁿ⁻¹ for(e1, . . . ,en) ∈ ∏_i=1ⁿ {0, . . . , 𝜋_i−1} can be computed using O(𝜋)operations in𝕂.

ii. Let F and G be in𝕂[x₁,...,x_n], in sparse representation, and let𝒮be a superset of the support of FG. Assume thatdegx_i(FG) < 𝜋ifor i= 1, . . . ,n, and that𝒫has been precomputed. Then the product FG can be computed using O(M(s) logs)operations in𝕂, where s denotes the maximum of the sizes of 𝒮and the supports of F and G.

Proof.The ﬁrst statement is straightforward. The second one is simply adapted from [15,

Proposition 6]. □

Computing an element of sufficiently large multiplicative order depends on the ground field𝕂. In characteristic zero, any integer different from0and1will do. For finite ﬁelds𝔽_qof characteristic p> 0, working in an algebraic extension 𝔽_q^𝜆 yields elements of order up toq^𝜆−1. In the context of Proposition1, we may take 𝜆 =O(log 𝜋 /logq).

In infinite fields𝕂of positive charactersitic p> 0, elements of arbitrarily large orders exist, but they may be hard to access without prior knowledge. However, this is mostly a theoretical problem: in practice, we usually either know a transcendental element of infinite order or a way to construct arbitrarily large finite fields inside𝕂.

3. G

RÖBNER BASES FOR GENERIC SETS OF POINTS

For variables𝒙 = (x1, . . . ,xn)and exponents𝒊 = (i1, . . . ,in) ∈ ℕⁿ, we deﬁne𝒙^𝒊≔x₁ⁱ¹⋅ ⋅ ⋅x_nⁱⁿ, 𝔐 ≔ {𝒙^𝒊: 𝒊 ∈ ℕⁿ}, and𝕂[𝒙] ≔ 𝕂[x1, . . . ,xn]. The monoid𝔐comes with a natural partial ordering⩽that is deﬁned by

𝒙^𝒊⩽ 𝒙^𝒋⇔i₁⩽j₁∧ ⋅ ⋅ ⋅ ∧i_n⩽j_n.

(6)

We also assume that we ﬁxed a total admissible ordering≼on𝔐 that extends⩽and which turns𝔐into a totally ordered monoid. Given a polynomial

P=

𝔪∈𝔐

P𝔪𝔪 ∈ 𝕂[x],

we callsuppP≔ {𝔪 ∈ 𝔐 :P_𝔪≠ 0}itssupport. IfP≠ 0, then we deﬁne 𝔡_P≔ max

≼ supp f to be thedominant monomialofP.

3.1. Polynomials that vanish on a ﬁnite set of points

Let𝔉 = {𝔪₁,..., 𝔪_d}be a ﬁnite set of monomials. Given a polynomialP=c1𝔪₁+ ⋅⋅⋅ +cd𝔪_d and a ﬁnite tuple of points𝜶 = (𝛼₁, . . . , 𝛼_d) ∈ (𝕂ⁿ)^d, we have

((((((((((((

(

^P(𝛼¹⁾

P(𝛼⋅⋅⋅d)

)))))))))))) )))))))))))) ) )

₌

((((((((((((

(

^𝔪¹^(𝛼¹^{) ⋅ ⋅ ⋅ 𝔪}^d^(𝛼¹⁾

⋅⋅⋅ ⋅⋅⋅

𝔪₁(𝛼_d) ⋅ ⋅ ⋅ 𝔪_d(𝛼_d)

)))))))))))) )))))))))))) ) ) ((((((((((((

((((((((((((

(

^c¹

c⋅⋅⋅d

)))))))))))) )))))))))))) ) )

_.

The set of tuples of points for which the matrix M_𝜶,𝔉 ≔

((((((((((((

(

^𝔪¹^(𝛼¹^{) ⋅ ⋅ ⋅ 𝔪}^d^(𝛼¹⁾

⋅⋅⋅ ⋅⋅⋅

𝔪₁(𝛼_d) ⋅ ⋅ ⋅ 𝔪_d(𝛼_d)

)))))))))))) )))))))))))) ) )

is non-invertible forms a proper Zariski closed subset of (𝕂ⁿ)^d. If 𝕂 is algebraically closed, then its open complement is actually non-empty:

LEMMA2. Assume that𝕂is algebraically closed. Then there exists a tuple of points𝜶 ∈ (𝕂ⁿ)^d for which M𝜶,𝔉is invertible.

Proof. Lett= (t1, . . . ,tn) ∈ 𝕂ⁿbe a point such that𝔪₁(t), . . . , 𝔪d(t)are pairwise distinct;

such a pointtexists since𝕂is algebraically closed. Now take𝛼_k= (t1k,...,tnk)fork= 1,...,d.

Then have

M_𝜶,𝔉 =

(((((((((((((

( (

(

^𝔪¹^(𝛼¹^{) ⋅ ⋅ ⋅ 𝔪}^d^(𝛼¹⁾

⋅⋅⋅ ⋅⋅⋅

𝔪₁(𝛼₁)^d ⋅ ⋅ ⋅ 𝔪_d(𝛼₁)^d

))))))))))))) ))))))))))))) ) )

)

,

whenceM𝜶,𝔉is an invertible Vandermonde matrix. □

The lemma shows that M𝜶,𝔉 is invertible for a “generic” tuple of points𝜶 ∈ (𝕂ⁿ)^d. Assume from now on that this is indeed the case and let us writeI_𝜶for the ideal of poly- nomialsP∈ 𝕂[𝒙]such thatP(𝛼1) = ⋅⋅⋅ =P(𝛼d) = 0. For any other monomial𝔫 ∈ 𝔐 ∖ 𝔉and P= 𝔫−(c1𝔪₁+ ⋅ ⋅ ⋅ +cd𝔪_d), we have

((((((((((((

(

^P(𝛼¹⁾

P(𝛼⋅⋅⋅d)

)))))))))))) )))))))))))) ) )

₌

((((((((((((

(

^𝔫(𝛼¹⁾

𝔫(𝛼⋅⋅⋅_d)

)))))))))))) )))))))))))) ) )

₋_M

𝜶,𝔉

(((((((((((( (((((((((((( ( (

^c¹

c⋅⋅⋅d

)))))))))))) )))))))))))) ) )

_,

whenceP∈I𝜶if and only if

((((((((((((

(

^c¹

c⋅⋅⋅d

)))))))))))) )))))))))))) ) )

₌ _M

𝜶,𝔉−1

((((((((((((

(

^𝔫(𝛼¹⁾

𝔫(𝛼⋅⋅⋅_d)

)))))))))))) )))))))))))) ) )

_. ₍₁₎

This shows that𝔪₁+I𝜶, . . . , 𝔪_d+I𝜶 form a basis for the quotient algebra𝕂[𝒙]/I𝜶and it provides us with a formula to express𝔫 +I_𝜶in terms of these basis elements.

(7)

3.2. Gröbner bases

Let1 = 𝔪₁≺ 𝔪₂≺ 𝔪₃≺ ⋅ ⋅ ⋅be such that𝔐_d≔ {𝔪₁, . . . , 𝔪_d}is the set ofdsmallest elements of𝔐for eachd∈ ℕand with respect to the total ordering≼. We deﬁne𝔊_dto be the set of smallest elements of the complement𝔐 ∖ 𝔐_dfor⩽. By Dickson's lemma, this set is ﬁnite and it forms an antichain for⩽. Let𝜶 ∈ (𝕂ⁿ)^d be a generic tuple of points in the sense thatM𝜶,𝔐dis invertible.

PROPOSITION3. For each𝔫 ∈ 𝔊_d, let

G𝜶,𝔫 = 𝔫−(c1𝔪1+ ⋅ ⋅ ⋅ +c_d𝔪_d), (2) where c₁,...,c_dsatisfy(1) for𝔉 = 𝔐_d. Then𝑮_𝜶≔ {G_𝜶,𝔫: 𝔫 ∈ 𝔊_d} forms the reduced Gröbner basis of I𝜶with respect to≼.

Proof. Let𝔇 ⊆ 𝔐be the set of dominant monomials of non-zero elements ofI_𝜶. Given i∈ {1, . . . ,d}, we have 𝔪_i∉ 𝔇: otherwise,P= 𝔪_i+ci−1𝔪_i−1+ ⋅ ⋅ ⋅ +c1𝔪₁∈IΑ for certain c1, . . .,ci−1∈ 𝕂, which is impossible sinceM𝜶,𝔐dis invertible. Conversely, (1) implies that 𝔫 ∈ 𝔇for all𝔫 ∈ 𝔐 ∖ 𝔐_d, whence𝔇 = 𝔐 ∖ 𝔐_d.

Now it is well known that 𝔇is a ﬁnite segment of𝔐for ⩽and that each minimal element𝔫corresponds to exactly one polynomialR_𝔫in the reduced Gröbner basis with dominant monomial𝔡_R_𝔫= 𝔫. Now such a reduced polynomial is by deﬁnition of the form R𝔫= 𝔫 + Δwithsupp Δ ⊆ 𝔐 ∖ 𝔇 = 𝔐_d. But (2) shows how to compute the unique polyno-

mialR𝔫=G𝜶,𝔫of that form. □

Example 4. Let≼be a graded ordering forn⩾ 2. For anyd⩾n+ 1, we have𝔪₁= 1and 𝔪_i+1=xifori= 1, . . . ,n. The(i+ 1)-th column ofM𝜶,𝔉contains thei-th coordinates of the points of𝜶. If these columns are not linearly independent then M𝜶,𝔉 is not invertible.

If A is any n×n invertible matrix over 𝕂, and if A(𝜶) denotes A𝛼₁, . . . ,A𝛼_d then the columns from2 to n+ 1of MA(𝜶),𝔉 are linearly dependent, soMA(𝜶),𝔉 is not invertible.

This example illustrates that the genericity of a tuple of points𝜶 ∈ (𝕂ⁿ)^dcannot be nec- essarily recovered after a linear change of the coordinates.

4. R

ELAXED REDUCTION WITH RESPECT TO AXIAL BASES

Let𝔐 = {𝒙^𝒊: 𝒊 ∈ ℕⁿ}be as in the previous section, with a total admissible ordering≼, and let𝜶 ∈ (ℝⁿ)^dbe a generic tuple of points. We need a way to eﬃciently reduce polyno- mialsP∈ 𝕂[𝒙]with respect to the Gröbner basis𝑮_𝜶. Since the entire Gröbner basis can be voluminous to store, we will only reduce with respect to a special subset𝑨_𝜶of “axial”

basis elements. This also requires us to work with respect to a weighted total degree ordering≼.

4.1. Axial bases

Fori= 1, . . . ,d, we deﬁne

𝛿_d,i ≔ min {k∈ ℕ :xik∉ 𝔐_d},

so that𝑮_𝜶contains a unique elementA_𝜶,i≔G_𝜶,𝔞_iwith dominant monomial𝔞_i≔x_i^𝛿^d,i. We deﬁne𝑨_𝜶≔ {A𝜶,i:i= 1, . . . ,n}to be theaxial basisof𝑨_𝜶. Although this set is not a “basis”

ofI𝜶, it forms a suﬃciently good approximation of𝑮_𝜶for the purposes of this paper. We deﬁne

ℜ_d ≔ {𝒙^𝒊:i₁< 𝛿_d,1∧ ⋅ ⋅ ⋅ ∧i_n< 𝛿_d,n}

to be the set of monomials that are not divisible by any of the monomials𝔞₁, . . . , 𝔞_n. We also deﬁneRed_dto be the𝕂-vector spaced spanned by the elements ofℜ_d.

(8)

4.2. Weighted total degree orderings

In all what follows, we assume that the ordering is graded by a weighted total degree.

This means that there exist positive real weightsw1, . . . ,wn> 0such that for all𝒙^𝒊, 𝒙^𝒋∈ 𝔐, we have

𝒘 ⋅ 𝒊 < 𝒘 ⋅ 𝒋 ⟹ 𝒙^𝒊≺ 𝒙^𝒋.

Here𝒘 = (w1, . . . ,wn)and “⋅” stands for the dot product:𝒘 ⋅ 𝒊 =w1i1+ ⋅ ⋅ ⋅ +wnin. Let s ≔ max {𝒘 ⋅ 𝒊 : 𝒙^𝒊∈ 𝔐_d}.

Then

{𝒙^𝒊: 𝒘 ⋅ 𝒊 <s} ⊆/𝔐_d⊆ {𝒙^𝒊: 𝒘 ⋅ 𝒊 ⩽s}.

Geometrically speaking, the exponents𝒊with𝒙^𝒊∈ 𝔐_dcorrespond to lattice points inside or on the boundary of the simplex with vertices(0,...,0),(s/w1,0,...,0),(0,s/w2,0,...,0),..., (0, . . . , 0,s/wn). For ﬁxednand larged(whences), it follows that

d ∼ sⁿ

n!w1⋅ ⋅ ⋅w_n 𝛿_d,i ∼ s

wi ∼ nn!w1⋅ ⋅ ⋅wn

wi (i= 1, . . . ,n)

|ℜ_d| ∼ sⁿ

w1⋅ ⋅ ⋅wn ∼ n!d,

where|ℜ_d| stands for the cardinality ofℜ_d. In the remainder of this paper, we assume thatnandw1, . . . ,wnhave been ﬁxed once and for all. Our asymptotic complexity esti- mates hold for largedand under this assumption.

Remark 5. Ifw1= ⋅ ⋅ ⋅ =wn= 1, then one may take≼to be the usual graded reverse lexicographic ordering. In that case, the𝛿_d,iare of the same order of magnitude andℜ_dis approximately a hypercube. Considering general weights gives us more ﬂexibility in the choice of≼and allows us to deal with more general hyperrectangular supports.

4.3. Relaxed reduction

Given a polynomialP∈ 𝕂[𝒙], anextended reductionof Pwith respect toA𝜶,1, . . . ,A𝜶,nis a relation

P = Q1A𝜶,1+ ⋅ ⋅ ⋅ +QnA𝜶,n+R, (3)

withQ1, . . . ,Qn∈ 𝕂[𝒙]andR∈ Red_d. Extended reductions are computed by reducingP with respect toA𝜶,ias long as there exists an indexifor which𝔡_A_𝜶,idivides𝔡_P. There are many ways to compute extended reductions ofPdepending on the way we chose the indexiin case of multiple options. If we always privilege the lowest possible indexi, then the process is deterministic and we call (3) “the” extended reduction of Pwith respect to 𝑨_𝜶. In that case, we deﬁne Prem 𝑨_𝜶≔R and call it the remainder of P with respect to𝑨_𝜶. Using relaxed evaluation, this remainder can be computed eﬃciently:

THEOREM6. Let𝜋₁⩾ 𝛿_d,1, . . . , 𝜋_n⩾ 𝛿_d,nbe integers, let𝜋 ≔ 𝜋₁⋅ ⋅ ⋅ 𝜋_n, and let P∈ 𝕂[𝒙]be such thatdeg_x_iP< 𝜋_ifor i= 1, . . . ,n. Then an extended reduction(3)can be computed in time

O(M(𝜋) log²𝜋),

whenever an element of multiplicative order⩾(n+ 1)! 𝜋is given in𝕂.

Proof.Without loss of generality, we may assume that w₁𝜋₁⩽ ⋅ ⋅ ⋅ ⩽w_n𝜋_n.

(9)

We use the reduction algorithm from [14] with the reduction strategy that always reduces with respect to the axial elementA𝜶,k for which k is minimal. Then we claim that the supports of the successive reductions ofPare all contained in the set

𝔖 ≔ {𝒙^𝒊: ∀j∈ {1, . . . ,n},w1i1+ ⋅ ⋅ ⋅ +wjij<w1𝜋₁+ ⋅ ⋅ ⋅ +wj𝜋_j+wj𝛿_d,j}.

Indeed, let𝒙^𝒆∈ 𝔖, letkbe minimal such thatx_k^𝛿^d,kdivides𝒙^𝒆, and consider a monimial𝒙^𝒄 in the support of T≔x_k^−𝛿^d,k𝒙^𝒆A𝜶,k. It suﬃces to show that𝒙^𝒄∈ 𝔖. Let 𝒆′ be such that 𝒙^𝒆′=x_k^−𝛿^d,k𝒙^𝒆. Forj= 1, . . . ,k−1, the relations𝒙^𝒆′| 𝒙^𝒄and𝒙^{𝒄−𝒆′}≺x_j^𝛿^d,jimply

w₁(c₁−e₁) + ⋅ ⋅ ⋅ +w_j(c_j−e_j) = w₁(c₁−e₁′) + ⋅ ⋅ ⋅ +w_j(c_j−e_j′)

⩽ w₁(c₁−e₁′) + ⋅ ⋅ ⋅ +w_n(c_n−e_n′) < w_j𝛿_d,j. Nowe1< 𝛿_d,1⩽ 𝜋₁, . . . ,ek−1< 𝛿_d,k−1⩽ 𝜋_k−1, whence

w1c1+ ⋅ ⋅ ⋅ +wjcj<w1e1+ ⋅ ⋅ ⋅ +wjej+wj𝛿_d,j<w1𝜋₁+ ⋅ ⋅ ⋅ +wj𝜋_j+wj𝛿_d,j. Forj=k, . . . ,n, we directly have

w1c1+ ⋅ ⋅ ⋅ +wjcj⩽w1e1+ ⋅ ⋅ ⋅ +wjej<w1𝜋₁+ ⋅ ⋅ ⋅ +wj𝜋_j+wj𝛿_d,_j.

Having shown our claim, we next observe thatw_ke_k<k w_k𝜋_k+w_k𝛿_d,kfor all𝒙^𝒆∈ 𝔖and k= 1, . . . ,n, whenceek< (k+ 1) 𝜋_k ande1⋅ ⋅ ⋅en< (n+ 1)! 𝜋. In particular, the size of the support of theQiA𝜶,iandRin the extended reduction (3) is bounded by(n+ 1)! 𝜋. The theorem now becomes a consequence of [14, Theorem 4] and Proposition1, by taking

SM(s) ≔O(M(s) logs). □

Remark 7.If𝕂is the ﬁnite ﬁeld𝔽_qand ifq−1 < (n+ 1)! 𝜋, then we can apply Theorem6 over an algebraic extension𝔽_q^𝜆of degree

𝜆 ≔ ⌈log ((n+ 1)! 𝜋)/logq⌉.

Constructing this extension can be done using O˜( 𝜋√ ) operations in 𝕂 by [30, The- orem 3.2]. The primitive root of𝔽_q×𝜆can be obtained in negligible expected time using a probabilistic algorithm of Las Vegas type. Then the complexity bound in Theorem6 becomes

O

((((((((((((((

^M^(𝜋)^log

3𝜋

logq

))))))))))))))

^.

5. M

ULTI

-

POINT EVALUATION

The fast algorithms for multi-point evaluation of univariate polynomials make use of the technique ofremainder trees[3,9,23]. For instance, the remainder tree for four points 𝛼₁, 𝛼₂, 𝛼₃, 𝛼₄∈ 𝕂is the labeled binary tree given by

(x−𝛼₁) (x−𝛼₂) (x−𝛼₃) (x−𝛼₄) (x−𝛼₁) (x−𝛼₂)

x−𝛼₁ x−𝛼₂

(x−𝛼₃) (x−𝛼₄) x−𝛼₃ x−𝛼₄

(4)

Given a polynomialP∈ 𝕂[x]to evaluate at these four points, we compute the remain- ders ofPwith respect to each of the polynomials at the nodes, in a top-down fashion. For instance, the value at𝛼₁is obtained as

P(𝛼₁) = ((Prem (x−𝛼₁) (x−𝛼₂) (x−𝛼₃) (x−𝛼₄)) rem (x−𝛼₁) (x−𝛼₂)) rem (x−𝛼₁).

(10)

Using Theorem6, we may use a similar technique for multivariate polynomials and points 𝛼₁,𝛼₂,𝛼₃,𝛼₄∈𝕂ⁿ: we replace each polynomial(x−𝛼i)⋅⋅⋅ (x−𝛼_j)by the axial basis𝑨_(𝛼_i_{, . . . ,𝛼}_j₎:

𝑨_(𝛼₁_,𝛼₂_,𝛼₃_,𝛼₄₎ 𝑨_(𝛼₁_,𝛼₂₎

𝑨_(𝛼₁₎ 𝑨_(𝛼₂₎

𝑨_(𝛼₃_,𝛼₄₎ 𝑨_(𝛼₃₎ 𝑨_(𝛼₄₎

(5)

We may then compute the evaluation ofPat𝛼1using

P(𝛼1) = ((Prem 𝑨_(𝛼₁_,𝛼₂_,𝛼₃_,𝛼₄₎) rem 𝑨_(𝛼₁_,𝛼₂₎) rem 𝑨_(𝛼₁₎. We will call (5) anevaluation tree.

5.1. Evaluation trees and multi-point evaluation

In order to specify our general algorithms for multi-point evaluation and the computation of evaluation trees, it is convenient to introduce a few more notations. Given a vector 𝒗 = (v1, . . . ,vd), we will write

𝒗_⊲ ≔ (v1, . . . ,v⌊d/2⌋), 𝒗_⊳ ≔ (v⌊d/2⌋+1, . . . ,vd),

where⌊a⌋represents the largest integer smaller or equal toa. The least integer larger or equal toais written⌈a⌉.

Given vectors𝒖 = (u1, . . . ,uc)and𝒗 = (v1, . . . ,vd), we also write 𝒖 ⋈ 𝒗 ≔ (u1, . . . ,uc,v1, . . . ,vd)

for their concatenation. Given𝜶 ∈ (𝕂ⁿ)^d, we may use the following recursive algorithm to compute the evaluation tree for𝜶:

Algorithm EvalTree(𝜶)

Input:a vector of points𝜶 ∈ (𝕂ⁿ)^d. Output:an evaluation tree for𝜶.

Compute the axial basis𝑨_𝜶forI𝜶. Ifd= 1, then return a leaf, labeled by𝑨_𝜶.

LetT_⊲≔EvalTree(𝜶_⊲)andT_⊳≔EvalTree(𝜶_⊳).

Return the tree with root labeled by𝑨_𝛼and childrenT⊲,T⊳.

We regard the computation of an evaluation tree as a precomputation. Given an evaluation treeTfor𝜶, we may eﬃciently evaluate polynomialsP∈ 𝕂[𝒙]at all points𝛼₁,..., 𝛼_d using the following algorithm:

Algorithm Eval(P,T)

Input:a polynomialP∈ 𝕂[𝒙]and an evaluation treeTfor𝜶 ∈ (𝕂ⁿ)^d. Output:the vectorP(𝜶) = (P(𝛼1), . . . ,P(𝛼d)).

Let𝑨𝜶be the axial basis attached to the root ofT.

LetR≔Prem 𝑨_𝜶. Ifd= 1, then return(R).

LetT⊲andT⊳be the two children of the root ofT.

ReturnEval(R,T⊲) ⋈Eval(R,T⊳).

(11)

5.2. Complexity analysis

The algorithmsEvalTreeandEvalactually work for arbitrary point vectors𝜶 ∈ (𝕂ⁿ)^d: it suﬃces to use a general purpose algorithm to compute Gröbner bases for the idealsI𝜶, from which we can then extract the required axial bases. We say that𝜶is hereditarily genericifM(𝛼_i, . . . ,𝛼_j),𝔐_j+1−iis invertible for all1 ⩽i⩽j⩽d. In that case, each of the required axial bases during recursive calls can be computed using Proposition3.

THEOREM8. The algorithmsEvalTreeandEvalare correct. Let P∈ 𝕂[𝒙]withdeg_x_iP< 𝜋_i and𝜋_i⩾ 𝛿_d,ifor i= 1,...,n, and𝜋 ≔ 𝜋₁⋅⋅⋅ 𝜋_n. If 𝜶is hereditarily generic, then the running times of EvalTreeandEvalare respectively bounded by

T_EvalTree(d) = O(d^𝜔)

T_Eval(d, 𝜋₁, . . . , 𝜋_n) = O(M(d) log³d+M(𝜋) log²𝜋), whenever an element of multiplicative order⩾(n+ 1)! 𝜋is given in𝕂.

Proof. By induction ond, the algorithmsEvalTreeandEvalare clearly correct. Using Proposition3and linear algebra, we see that the computation of 𝑨_𝜶 in the ﬁrst step of EvalTree can be done in timeC d^𝜔, for some constant C. The running time EvalTree therefore satisﬁes

T_EvalTree(1) ⩽ C

T_EvalTree(d) ⩽ Cd^𝜔+T_EvalTree(⌊d/2⌋) +T_EvalTree(⌈d/2⌉), d⩾ 2.

By induction ond, this yieldsTEvalTree(d) ⩽T^¯EvalTree(d), where T^¯_EvalTree(1) = C

T^¯_EvalTree(d) = Cd^𝜔+T^¯_EvalTree(⌊d/2⌋) +T^¯_EvalTree(⌈d/2⌉), d⩾ 2.

Again using induction on d, we also note that T^¯_EvalTree is increasing. It follows that T^¯_EvalTree(d) ⩽T^¯_EvalTree(d¯)ford¯ =2⌈logd/log2⌉⩽ 2d. Unrolling the equation

T^¯EvalTree(1) = C

T^¯EvalTree(d¯) = Cd¯^𝜔+ 2T^¯EvalTree(d¯/2), d¯ ⩾2, we ﬁnd

T^¯_EvalTree(d¯)⩽Cd¯^𝜔+ 2C ^d₂^¯ ^𝜔+ 4C ^d₄^¯ ^𝜔+ ⋅ ⋅ ⋅ = C

1−2^1−𝜔d¯^𝜔=O(d^𝜔).

As to the running time TEvalof Eval, we recall that |ℜ_d| ∼n!d, whence|ℜ_d| ⩽K dfor some constantKthat depends onn. Theorem6also implies the existence of a constantC such that

T_Eval(d, 𝜋₁, . . . , 𝜋_n) ⩽ CM(𝜋) log²𝜋 +T_Eval(d, 𝛿_d,1, . . . , 𝛿_d,n) T_Eval(1, 1, . . . , 1) ⩽ CM(K)

T_Eval(d, 𝛿_d,1, . . . , 𝛿_d,n) ⩽ CM(Kd) log²(Kd) +T_Eval(⌊d/2⌋, 𝛿_d,1, . . . , 𝛿_d,n) +T_Eval(⌈d/2⌉, 𝛿_d,1, . . . , 𝛿_d,n), d⩾ 2.

Modulo a further increase ofC, the ﬁrst and third relation may be combined such as to replace the third relation by

T_Eval(d, 𝛿_d,1, . . . , 𝛿_d,n) ⩽ CM(Kd) log²(Kd) +T_Eval(⌊d/2⌋, 𝛿_⌊d/2⌋,1, . . . , 𝛿_⌊d/2⌋,n) +T_Eval(⌈d/2⌉, 𝛿_⌈d/2⌉,1, . . . , 𝛿_⌈d/2⌉,n), d⩾ 2.

(12)

By unrolling the latter inequality in a similar way as above for powers of two, we obtain T^¯_Eval(d¯, 𝛿_d,1, . . . , 𝛿_d,n) ⩽CM(Kd¯) (log(Kd¯) + 1)³, while using our assumption thatM(d)/d

is non-decreasing. □

Remark 9.Ifn= 2and the ﬁrst coordinates of the evaluation points are pairwise distinct, then precomputations can be handled more eﬃciently as follows. The annihilating polynomial takesO(M(d) logd)operations in𝕂, using the formula

𝜒(x1) ≔

i=1 d

(x1−𝛼_i,1).

With a similar cost we can also interpolate the polynomialv2(x1)of degree<dsatisfying 𝛼_i,2=v2(𝛼_i,1)fori= 1, . . . ,d.

Setting𝜈_j≔ max (deg_x₁𝔪_i: deg_x₂𝔪_i=j,i= 1, . . . ,n) + 1forj= 0, . . . , 𝛿_d,2−1, we note that 𝜈₀+ ⋅⋅⋅ + 𝜈_𝛿_d,2₋₁=d. Determining the coordinates of𝔫∈ 𝔐 ∖ 𝔉in the basis𝔉of the quotient ring ofI𝜶reduces to computing polynomialsg0, . . . ,g𝛿d,2−1in𝕂[x1]of respective degree less than𝜈0, . . . , 𝜈𝛿_d,2−1and a scalarc∈ 𝕂such that

g0(x1) +g1v2(x1) + ⋅ ⋅ ⋅ +g𝛿d,2−1(x1)v2(x1)^𝛿^d,2⁻¹+c𝔫(x1,v2(x1)) = 0 mod 𝜒(x1).

Assuming that |𝕂| ⩾ 2d², a non-trivial solution can be computed in expected time O(𝛿_d,2^𝜔−1M(d) log²d) =O˜(d^(𝜔+1)/2) using the probabilistic algorithm of Las Vegas type underlying [4, Corollary 1]. SinceM𝜶,𝔉is invertible, the value found forccannot be zero, and we obtain the solution of (1) in this way.

6. I

NTERPOLATION

In the univariate case, the technique of remainder trees can also be used to eﬃciently reconstruct a polynomialP∈ 𝕂[x]from its values atddistinct points𝛼₁,..., 𝛼_d. This basi- cally amounts to reversing the evaluation process, while using the Chinese remainder theorem to reconstructPrem (A⊲A⊳)fromPremA⊲andPremA⊳for coprime polynomials A⊲ and A⊳. For such reconstructions using the Chinese remainder theorem, it is useful to precompute the “cofactors” C⊲,C⊳∈ 𝕂[x] with C⊲A⊲remA⊳= 1, C⊳A⊳remA⊲= 1,degC⊲< degA⊳, anddegC⊳< degA⊲, after which

Prem (A⊲A⊳) = ((PremA⊳)C⊲A⊲+ (PremA⊲)C⊳A⊳) rem (A⊲A⊳).

These cofactors are typically stored in an upgraded version of the remainder tree.

In our multivariate setting, a similar idea works, modulo some additional precau- tions when computing the cofactors. The cofactors are most easily constructedviatheir evaluations. Indeed, consider a tuple of points𝜶∈(𝕂ⁿ)^dwithd⩾2and its decomposition 𝜶 = 𝜶_⊲⋈ 𝜶_⊳. Then the ﬁrst elementA_⊲≔A_𝜶_⊲_,1of the axial basis ofI_𝜶_⊲certainly vanishes at𝜶_⊲and we wish to let it play the same role asA⊲above. The corresponding cofactor C⊲should satisfy (C⊲A⊲)(𝜶_⊳) = 1, so we may compute it through interpolation from its evaluationA⊲(𝜶_⊳)⁻¹ at 𝜶_⊳. However, this requires A⊲ not to vanish at any of the entries of𝜶_⊳. Now the set of tuples of points𝜶 ∈ (𝕂ⁿ)^d for which one of the entries of A⊲(𝜶_⊳)vanishes forms a Zariski closed subset of dimensionnd−1; for a “generic” tuple of points, bothA⊲(𝜶_⊳)andA⊳(𝜶_⊲)(whereA⊳≔A𝜶⊳,1) are therefore invertible. Given P∈ 𝕂[𝒙], this allows us to reconstructPrem 𝑨𝜶fromPrem 𝑨𝜶_⊳andPrem 𝑨𝜶_⊲using

Prem 𝑨_𝜶= ((Prem 𝑨_𝜶_⊳)C⊲A⊲+ (Prem 𝑨_𝜶_⊲)C⊳A⊳) rem 𝑨_𝜶.

(13)

More generally, we deﬁne 𝜶to be super-genericif it is hereditarily generic and, for all 1 ⩽i⩽j⩽dandk∈ {1, . . . ,n} ∖ {i, . . . ,j}, we haveA(𝛼i, . . . ,𝛼j),1(𝛼_k) ≠ 0.

6.1. Interpolation trees and interpolation

Let us now detail the interpolation algorithm that was summarized and explained above.

Similarly to the case of multi-point evaluation, it relies on the construction of aninter- polation tree, which contains the required cofactors. Contrary to before, the construction of this tree recursively involves interpolations (in order to reconstruct the cofactors from their evaluations).

Algorithm IpolTree(T)

Input:an evaluation treeTfor a super-generic vector𝜶 ∈ (𝕂ⁿ)^d. Output:an interpolation treeUfor𝜶.

Ifd= 1, then return a leaf.

Let𝑨_𝜶be the axial Gröbner basis attached to the root ofT.

Recursively apply the algorithm to the childrenT⊲,T⊳ofT, yieldingU⊲,U⊳. LetA_⊲,A_⊳be the ﬁrst entries of the axial bases associated to the roots ofT_⊲,T_⊳. ComputeE⊲≔Eval(A⊲,T⊳)andE⊳≔Eval(A⊳,T⊲).

ComputeC⊲≔Ipol(E⊲−1,U⊳)andC⊳≔Ipol(E⊳−1,U⊲).

Return the tree with root labeled by(𝑨_𝜶,C⊲,C⊳)and childrenU⊲,U⊳. Algorithm Ipol(v,U)

Input:𝒗 ∈ 𝕂^dand the interpolation treeUfor𝜶 ∈ (𝕂ⁿ)^d. Output:P∈ Red_dwithP(𝜶) = 𝒗.

Ifd= 1, then returnv₁.

LetA⊲,A⊳be the ﬁrst entries of the axial bases associated to the roots ofT⊲,T⊳. LetU⊲,U⊳be the children ofU.

Let(𝑨_𝜶,C_⊲,C_⊳)be the label of the root ofU.

LetP⊲≔Ipol(𝒗⊲,U⊲)andP⊳≔Ipol(𝒗⊳,U⊳).

Return((P⊳C⊲rem 𝑨_𝜶_⊳)A⊲+ (P⊲C⊳rem 𝑨_𝜶_⊲)A⊳) rem 𝑨_𝜶.

6.2. Complexity analysis

THEOREM10. The algorithms IpolTreeand Ipolare correct. If 𝜶 is super generic, then the running times of IpolTreeandIpolare respectively bounded by

T_IpolTree(d) = O(M(d) log⁴d) T_Ipol(d) = O(M(d) log³d),

whenever an element of multiplicative order⩾(n+ 1)! 2ⁿ𝛿is given in𝕂, where𝛿 ≔ 𝛿_d,1⋅ ⋅ ⋅ 𝛿_d,n. Proof. By induction ond, the algorithmsIpolTree andIpol are clearly correct. Let us start with the complexity bound forIpol. We havedeg_x_i(P⊳C⊲) < 2 𝛿_d,i,deg_x_i(P⊲C⊳) <

2 𝛿_d,i,deg_x_i((P_⊳C_⊲rem 𝑨_𝜶_⊳)A_⊲) < 2 𝛿_d,i, and deg_x_i((P_⊲C_⊳rem 𝑨_𝜶_⊲)A_⊳), for i= 1, . . . ,n, where(2 𝛿_d,1) ⋅ ⋅ ⋅ (2 𝛿_d,n) =O(2ⁿn!d) =O(d). Theorem6therefore implies the existence of constantsCandKwith

T_Ipol(1) ⩽ CM(K)

TIpol(d) ⩽ CM(Kd) log²(Kd) +TIpol(⌊d/2⌋) +TIpol(⌈d/2⌉), d⩾ 2.

(14)

By unrolling the latter inequality in a similar way as in the proof of Theorem8for powers of two, we obtainT^¯_Ipol(d¯) ⩽CM(K d¯) (log(K d¯) + 1)³, while using our assumption that M(d)/dnon-decreasing.

As to the construction of the interpolation tree, Theorem6, together with the bound forT_Evalof Theorem8, andT_Ipolimply the existence of other constantsCandKwith

T_IpolTree(1) ⩽ CM(K)

T_IpolTree(d) ⩽ CM(Kd) log³(Kd) +T_IpolTree(⌊d/2⌋) +T_IpolTree(⌈d/2⌉), d⩾ 2.

Unrolling the latter inequality yieldsT^¯_IpolTree(d¯)⩽CM(Kd¯)(log(Kd¯)+1)⁴. □

B

IBLIOGRAPHY

[1] J. Abbott, A. Bigatti, M. Kreuzer, and L. Robbiano. Computing ideals of points. J. Symbolic Comput., 30(4):341–356, 2000.

[2] S. Abelard, A. Couvreur, and G. Lecerf. Sub-quadratic time for Riemann–Roch spaces. The case of smooth divisors over nodal plane projective curves. Technical Report, HAL, 2020. https://

hal.archives-ouvertes.fr/hal-02477371.

[3] A. Borodin and R. T. Moenck. Fast modular transforms. J. Comput. System Sci., 8:366–386, 1974.

[4] A. Bostan, C.-P. Jeannerod, and É. Schost. Solving structured linear systems with large displacement rank. Theor. Comput. Sci., 407(1):155–181, 2008.

[5] A. Bostan, G. Lecerf, and É. Schost. Tellegen's principle into practice. InProceedings of the 2003 Interna- tional Symposium on Symbolic and Algebraic Computation, ISSAC '03, pages 37–44. New York, NY, USA, 2003. ACM.

[6] D. G. Cantor and E. Kaltofen. On fast multiplication of polynomials over arbitrary algebras. Acta Inform., 28:693–701, 1991.

[7] M. F. I. Chowdhury, C. Jeannerod, V. Neiger, É. Schost, and G. Villard. Faster algorithms for multivariate interpolation with multiplicities and simultaneous polynomial approximations. IEEE Trans.

Inf. Theory, 61(5):2370–2387, 2015.

[8] J.-C. Faugère, P. Gaudry, L. Huot, and G. Renault. Sub-cubic change of ordering for Gröbner basis:

a probabilistic approach. In Proceedings of the 39th International Symposium on Symbolic and Algebraic Computation, ISSAC '14, pages 170–177. New York, NY, USA, 2014. ACM.

[9] C. M. Fiduccia. Polynomial evaluation via the division algorithm: the fast Fourier transform revisited.

In Proceedings of the Fourth Annual ACM Symposium on Theory of Computing, STOC '72, pages 88–93.

New York, NY, USA, 1972. ACM.

[10] M. Gasca and T. Sauer. Polynomial interpolation in several variables. Adv. Comput. Math., 12(4):377, 2000.

[11] D. Harvey and J. van der Hoeven. Faster polynomial multiplication over finite fields using cyclotomic coefficient rings. J. Complexity, 54:101404, 2019.

[12] J. van der Hoeven. Faster relaxed multiplication. InProceedings of the 39th International Symposium on Symbolic and Algebraic Computation, ISSAC '14, pages 405–412. New York, NY, USA, 2014. ACM.

[13] J. van der Hoeven. Faster Chinese remaindering. Technical Report, CNRS & École polytechnique, 2016.http://hal.archives-ouvertes.fr/hal-01403810.

[14] J. van der Hoeven. On the complexity of multivariate polynomial division. In I. S. Kotsireas and E. Martínez-Moro, editors,Applications of Computer Algebra. Kalamata, Greece, July 20–23, 2015, volume 198 of Springer Proceedings in Mathematics & Statistics, pages 447–458. Cham, 2017. Springer Inter- national Publishing.

[15] J. van der Hoeven and G. Lecerf. On the bit-complexity of sparse polynomial multiplication. J. Sym- bolic Comput., 50:227–254, 2013.

[16] J. van der Hoeven and G. Lecerf. On the complexity exponent of polynomial system solving. Technical Report, HAL, 2018. http://hal.archives-ouvertes.fr/hal-01848572.

[17] J. van der Hoeven and G. Lecerf. Fast multivariate multi-point evaluation revisited. J. Complexity, 56:101405, 2020.

[18] J. van der Hoeven et al. GNU TeXmacs. http://www.texmacs.org, 1998.

[19] K. S. Kedlaya and C. Umans. Fast polynomial factorization and modular composition.SIAM J.Comput., 40(6):1767–1802, 2011.