On the Complexity Exponent of Polynomial System Solving

Abstract

We present a probabilistic Las Vegas algorithm for solving sufficiently generic square polynomial systems over finite fields. We achieve a nearly quadratic running time in the number of solutions, for densely represented input polynomials. We also prove a nearly linear bit complexity bound for polynomial systems with rational coefficients. Our results are obtained using the combination of the Kronecker solver and a new improved algorithm for fast multivariate modular composition.

Linear Changes of Variables

This appendix is devoted to subjecting a multivariate polynomial f to a linear change of variables. More precisely, given \(f \in \mathbb {A} [x_1, \ldots , x_n]\) and an \(n \times n\) matrix \(N = (N_{i, j})_{1 \leqslant i \leqslant n, 1 \leqslant j \leqslant n}\) over a commutative ring \(\mathbb {A}\), then we wish to compute

$$\begin{aligned} (f \circ N) (x_1, \ldots , x_n) :=f (N_{1, 1} x_1 + \cdots + N_{1, n} x_n, \ldots , N_{n, 1} x_1 + \cdots + N_{n, n} x_n) . \end{aligned}$$

The fast algorithms that we propose below do not seem to be available in the literature. They are suitable for any coefficient ring with sufficiently many elements, and they are also well suited for homogeneous polynomials.

1.1 Algebraic Complexity Model

In this subsection we focus on the algebraic model (computation trees for instance), we let \(\mathbb {A}\) be an effective commutative ring, and \(\mathsf {M}\) is a cost function such that two polynomials in \(\mathbb {A} [x]_{< \ell }\) may be multiplied with cost \(\mathsf {M} (\ell )\). The evaluation of a multivariate polynomial at points in a block of points \(S^n\), where S is a finite subset of \(\mathbb {A}\), is usually achieved by the successive use of fast univariate evaluations, as recalled in the following lemma.

Lemma 27

Let \(\ell \geqslant 1\), let \(f \in \mathbb {A} [x_1, \ldots , x_n]\) be of partial degree \(< \ell \) in \(x_i\) for \(i = 1, \ldots , n\), and let S be a subset of \(\mathbb {A}\) of cardinality \(\ell \). Then, all the values of f at \(S^n\) can be computed with \(O (n \ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell )\) arithmetic operations in \(\mathbb {A}\).

Proof

We interpret \(f \in \mathbb {A} [x_1, \ldots , x_n]\) as a univariate polynomial in \(x_n\),

$$\begin{aligned} f (x_1, \ldots , x_n) = f_0 (x_1, \ldots , x_{n - 1}) + \cdots + f_{\ell - 1} (x_1, \ldots , x_{n - 1}) x_n^{\ell - 1} . \end{aligned}$$

We evaluate \(f_0, \ldots , {f_{\ell - 1}}\) at \(S^{n - 1}\) recursively. Then, for each \((\alpha _1, \ldots , \alpha _{n - 1}) \in S^{n - 1}\), we evaluate \(f (\alpha _1, \ldots , \alpha _{n - 1}, x_n)\) at all the points of S, with a total cost \(O (\ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell )\). Denoting by \(\mathsf {T} (n, \ell )\) the cost of the algorithm in terms of operations in \(\mathbb {A}\), we thus obtain

$$\begin{aligned} \mathsf {T} (n, \ell )= & {} \ell \mathsf {T} (n - 1, \ell ) + O (\ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell ) . \end{aligned}$$

By induction over n, it follows that

$$\begin{aligned} \mathsf {T} (n, \ell )= & {} O (n \ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell ), \end{aligned}$$

which implies the claimed bound. \(\square \)

The next lemma, also well known, concerns the corresponding interpolation problem.

Lemma 28

Let \(\ell \geqslant 1\), let \(\alpha _1, \ldots , \alpha _{\ell }\) be pairwise distinct points in \(\mathbb {A}\) such that \(\alpha _i - \alpha _j\) is invertible whenever \(i \ne j\), let \(\beta _{i_1, \ldots , i_n}\) be a family of values in \(\mathbb {A}\) for \((i_1, \ldots , i_n)\) running over \(\{ 1, \ldots , \ell \}^n\). The unique polynomial \(f \in \mathbb {A} [x_1, \ldots , x_n]\) of partial degrees \(< \ell \) and such that \(f (\alpha _{i_1}, \ldots , \alpha _{i_n}) = \beta _{i_1, \ldots , i_n}\) for all \((i_1, \ldots , i_n) \in \{ 1, \ldots , \ell \}^n\) can be computed with \(O (n \ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell )\) arithmetic operations in \(\mathbb {A}\), including inversions.

Proof

Again we interpret \(f \in \mathbb {A} [x_1, \ldots , x_n]\) as a univariate polynomial in \(x_n\),

$$\begin{aligned} f (x_1, \ldots , x_n) = f_0 (x_1, \ldots , x_{n - 1}) + \cdots + f_{\ell - 1} (x_1, \ldots , x_{n - 1}) x_n^{\ell - 1} . \end{aligned}$$

(17)

For all \((i_1, \ldots , i_{n - 1}) \in \{ 0, \ldots , \ell - 1 \}^{n - 1}\) we interpolate the values \(f_0 (\alpha _{i_1}, \ldots , \alpha _{i_{n - 1}})\), \(\ldots , {f_{\ell - 1} (\alpha _{i_1}, \ldots , \alpha _{i_{n - 1}})}\) with \(\ell ^{n - 1} O ({{\textsf {{M}} }} (\ell ) \log \ell )\) operations in \(\mathbb {A}\). We then recursively interpolate \(f_0, \ldots , f_{\ell - 1}\) and form f as in (17). The total cost is obtained as in the proof of the previous lemma. \(\square \)

The aim of the following proposition is the fast evaluation of f at a set of points of the form \(N (S^n) + B\), for any matrix N and any vector B.

Proposition 8

Let \(\ell \geqslant 1\), let \(f \in \mathbb {A} [x_1, \ldots , x_n]\) be of partial degree \(< \ell \) in \(x_i\) for \(i = 1, \ldots , n\), let \(S = \{ \alpha _1, \ldots , \alpha _{\ell } \}\) be a subset of \(\mathbb {A}\) of cardinality \(\ell \) such that \(\alpha _i - \alpha _j\) is invertible whenever \(i \ne j\), let N be a \(n \times n\) matrix over \(\mathbb {A}\), and let \(B \in \mathbb {A}^n\). Let X be the column vector with entries \(x_1, \ldots , x_n\). If an LU-decomposition of N is given, then \(f (N (S^n) + B)\) and \(f (NX + B)\) can be computed with \(O (n \ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell + n^{\omega })\) arithmetic operations in \(\mathbb {A}\), including inversions.

Proof

We write \(B =:(\beta _1, \ldots , \beta _n)\). We first assume that \(N = (N_{i, j})_{1 \leqslant i \leqslant n, 1 \leqslant j \leqslant n}\) is upper triangular, and we partition \(N (S^n) + B\) into

$$\begin{aligned} N (S^n) + B= & {} \bigsqcup _{i = 1}^{\ell } N (S^{n - 1} \times \{ \alpha _i \}) + B\\= & {} \bigsqcup _{i = 1}^{\ell } (\tilde{N} (S^{n - 1}) + \tilde{B}_i) \times \{ N_{n, n} \alpha _i + \beta _n \}, \end{aligned}$$

where \(\tilde{N} :=(N_{i, j})_{1 \leqslant i \leqslant n - 1, 1 \leqslant j \leqslant n - 1}\) and \(\tilde{B}_i :=\alpha _i \left( \begin{array}{c} N_{1, n}\\ \vdots \\ N_{n - 1, n} \end{array}\right) + \left( \begin{array}{c} \beta _1\\ \vdots \\ \beta _{n - 1} \end{array}\right) \). We compute

$$\begin{aligned} g_i (x_1, \ldots , x_{n - 1}) :=_{} f (x_1, \ldots , x_{n - 1}, N_{n, n} \alpha _i + \beta _n) \end{aligned}$$

for \(i = 1, \ldots , \ell \) using \(O (\ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell )\) operations in \(\mathbb {A}\). For \(i = 1, \ldots , \ell \), we then evaluate \(g_i (x_1, \ldots , x_{n - 1})\) at \(\tilde{N} (S^{n - 1}) + \tilde{B}_i\) by induction. The base case \(n = 0\) takes constant time O(1). Consequently, for any n, the total number of operations in \(\mathbb {A}\) is \(O (n \ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell )\), by the same argument as in the proof of Lemma 27. We recover \(f (N (x_1, \ldots , x_n) + B)\) with \(O (n \ell ^{n - 1} {{\textsf {{M}} }} (\ell ) \log \ell )\) operations in \(\mathbb {A}\) by Lemma 28.

If N is lower triangular then we may revert of the variables in f and the columns of N in order to reduce to the upper triangular case. Alternatively, we may adapt the latter decomposition of the set of points, as follows:

$$\begin{aligned} N (S^n) + B= & {} \bigsqcup _{i = 1}^{\ell } N (\{ \alpha _i \} \times S^{n - 1}) + B\\= & {} \bigsqcup _{i = 1}^{\ell } \{ N_{1, 1} \alpha _i + \beta _1 \} \times (\tilde{N} (S^{n - 1}) + \tilde{B}_i), \end{aligned}$$

where \(\tilde{N} :=(N_{i, j})_{2 \leqslant i \leqslant n, 2 \leqslant j \leqslant n}\) and \(\tilde{B}_i :=\alpha _i \left( \begin{array}{c} N_{2, 1}\\ \vdots \\ N_{n, 1} \end{array}\right) + \left( \begin{array}{c} \beta _2\\ \vdots \\ \beta _n \end{array}\right) \). So we compute

$$\begin{aligned} g_i (x_2, \ldots , x_n) :=_{} f (N_{1, 1} \alpha _i + \beta _1, x_2, \ldots , x_n) \end{aligned}$$

and evaluate \(g_i (x_2, \ldots , x_n)\) at \(\tilde{N} (S^{n - 1}) + \tilde{B}_i\) by induction, for \(i = 1, \ldots , \ell \).

Finally if N is general, then it suffices to use the given LU-decomposition, where L is lower triangular with 1 on the diagonal, and U is upper triangular. In fact we have \(f (LU (S^n) + B) = (f \circ L) (U (S^n) + L^{- 1} B)\), so we compute \(f \circ L\) and then \((f \circ L) (U (S^n) + L^{- 1} B)\) and \((f \circ L) (UX + L^{- 1} B)\). \(\square \)

In the next lemma, the same technique is adapted to homogeneous polynomials.

Lemma 29

Let \(f \in \mathbb {A} [x_0, \ldots , x_n]\) be homogeneous of degree \(d \geqslant 1\), let N be a \((n + 1) \times (n + 1)\) matrix over \(\mathbb {A}\), and let \(S = \{ \alpha _0, \ldots , \alpha _d \}\) be a subset of \(\mathbb {A}\) of cardinality \(d + 1\) such that \(\alpha _i - \alpha _j\) is invertible whenever \(i \ne j\). If an LU-decomposition of N is given, then \(f \circ N\) can be computed with \(O (n (d + 1)^{n - 1} {{\textsf {{M}} }} (d) \log d)\) arithmetic operations in \(\mathbb {A}\).

Proof

Assume first that \(N = (N_{i, j})_{0 \leqslant i \leqslant n, 0 \leqslant j \leqslant n}\) is lower triangular and let \(\tilde{N} :=(N_{i, j})_{1 \leqslant i \leqslant n, 1 \leqslant j \leqslant n}\). We are led to compose \(f (N_{0, 0}, x_1, \ldots , x_n)\) with

$$\begin{aligned} \tilde{N} \left( \begin{array}{c} x_1\\ \vdots \\ x_n \end{array}\right) + \left( \begin{array}{c} N_{1, 0}\\ \vdots \\ N_{n, 0} \end{array}\right) \end{aligned}$$

by means of Proposition 8. If N is upper triangular then it suffices to revert the variables \(x_0, \ldots , x_n\) in f, and the columns of N, in order to reduce to the lower triangular case. Alternatively, we may set \(\tilde{N} :=(N_{i, j})_{0 \leqslant i \leqslant n - 1, 0 \leqslant j \leqslant n - 1}\) and compose \(f (x_0, \ldots , x_{n - 1}, N_{n, n})\) with

$$\begin{aligned} \tilde{N} \left( \begin{array}{c} x_1\\ \vdots \\ x_n \end{array}\right) + \left( \begin{array}{c} N_{0, n}\\ \vdots \\ N_{n - 1, n} \end{array}\right) , \end{aligned}$$

in order to obtain \((f \circ N) (x_0, \ldots , x_{n - 1}, 1)\). Finally, for any N, it suffices to use the given LU-decomposition. \(\square \)

Proposition 9

Let \(f \in \mathbb {A} [x_0, \ldots , x_n]\) be homogeneous of degree \(d \geqslant 2\), let N be a \({(n + 1)} \times {(n + 1)}\) matrix over \(\mathbb {A}\), and let \(S = \{ \alpha _0, \ldots , \alpha _d \}\) be a subset of \(\mathbb {A}\) of cardinality \(d + 1\) such that \(\alpha _i - \alpha _j\) is invertible whenever \(i \ne j\). If an LU-decomposition of N is given, then \(f \circ N\) can be computed with \(O (n^2 d^{n - 1} {{\textsf {{M}} }} (d) \log d)\) arithmetic operations in \(\mathbb {A}\).

Proof

The total number of coefficients in f is \(O (d^n)\) by inequality (2). We decompose

$$\begin{aligned} f = x_0 g_0 + x_1 g_1 + \cdots + x_n g_n, \end{aligned}$$

(18)

where \(x_n g_n (x_0, x_1, \ldots , x_n)\) is made of the terms of f which are multiple of \(x_n\), then \(x_{n - 1} g_{n - 1}\) is made of the terms of \(f - x_n g_n\) which are multiple of \(x_{n - 1}\), ..., and finally \(x_0 g_0\) is made of the terms of \(f - (x_1 g_1 + \cdots + x_n g_n)\) which are multiple of \(x_0\) (that is a \(\mathbb {A}\)-multiple of a power of \(x_0\)). In this way, we are led to compute \(g_i \circ N\) for \(i = 0, \ldots , n\), with \(g_i\) of degree \(\leqslant d - 1\); this requires \(O (n^2 d^{n - 1} {{\textsf {{M}} }} (d) \log d)\) operations in \(\mathbb {A}\), by Lemma 29. Then \(f \circ N\) can be recovered with further \(\tilde{O} (n^2 d^n)\) operations. \(\square \)

Remark 4

If one can use specific sequences of points \(\alpha _i\), for instance in geometric progressions, then multi-point evaluations and interpolations in one variable and in degree d over \(\mathbb {A}\) cost \(O ({{\textsf {{M}} }} (d))\) by means of [10], that saves a factor of \(\log d\) in the above complexity estimates.

1.2 Coefficients in a Galois Ring

For the purpose of the present paper, we need to adapt the results of the previous subsection to the case when \(\mathbb {A}\) is the Galois Ring \({\text {GR}}\, (p^{\kappa }, k)\), and in the context of Turing machines. In the next lemmas we use the lexicographic order on \(\mathbb {N}^n\), written \(<_{{\text {lex}}\,}\), defined by

$$\begin{aligned} \alpha<_{{\text {lex}}\,} \beta \quad \Leftrightarrow \quad \left( \exists j \in \{ 1, \ldots , n \}, \quad \alpha _n = \beta _n \wedge \cdots \wedge \alpha _{j + 1} = \beta _{j + 1} \wedge \alpha _j < \beta _j \right) . \end{aligned}$$

In terms of Turing machines, we need the following variants of Lemmas 27 and 28.

Lemma 30

Let \(\ell \geqslant 1\), let \(f \in {\text {GR}}\, (p^{\kappa }, k) [x_1, \ldots , x_n]\) be of partial degree \(< \ell \) in \(x_i\) for \(i = 1, \ldots , n\), and let \(\alpha _1, \ldots , \alpha _{\ell }\) be values in \({\text {GR}}\, (p^{\kappa }, k)\). Then, the values \(f (\alpha _{i_1}, \ldots , \alpha _{i_n})\) for \((i_1, \ldots , i_n)\) running over \(\{ 1, \ldots , \ell \}^n\) in the lexicographic order \(<_{{\text {lex}}\,}\) can be computed in time

$$\begin{aligned} n \ell ^n \tilde{O} (\log ^2 \ell \kappa k \log p) . \end{aligned}$$

Proof

The proof follows the one of Lemma 27 while taking data reorganizations into account. More precisely, using one \(\ell ^{n - 1} \times \ell \) matrix transposition, we reorganize the values of the \(f_i\) after the recursive calls into the sequence of

$$\begin{aligned} f_0 (\alpha _{i_1}, \ldots , \alpha _{i_{n - 1}}), \ldots , f_{\ell - 1} (\alpha _{i_1}, \ldots , \alpha _{i_{n - 1}}) \end{aligned}$$

for \((i_1, \ldots , i_{n - 1})\) running over \(\{ 1, \ldots , \ell \}^{n - 1}\) in the lexicographic order \(<_{{\text {lex}}\,}\). Then, after the multi-point evaluations of \(f (\alpha _{i_1}, \ldots , \alpha _{i_{n - 1}}, x_n)\), we need to transpose the \(\ell \times \ell ^{n - 1}\) array made of the values of f, in order to ensure the lexicographic ordering in the output. The cost of these transpositions is \(O (\ell ^n \log \ell \kappa k \log p)\) by Lemma 1, which is negligible. \(\square \)

Lemma 31

Assume \(\ell \geqslant 1\) and \(p^k \geqslant \ell \). Let \(\alpha _1, \ldots , \alpha _{\ell }\) be pairwise distinct values in \({\text {GR}}\, (p^{\kappa }, k)\) such that \(\alpha _i - \alpha _j\) is invertible modulo p for all \(i \ne j\), and let \(\beta _{i_1, \ldots , i_n}\) be a family of values in \({\text {GR}}\, (p^{\kappa }, k)\) for \((i_1, \ldots , i_n)\) running over \(\{ 1, \ldots , \ell \}^n\) in the lexicographic order \(<_{{\text {lex}}\,}\). The unique polynomial \(f \in {\text {GR}}\, (p^{\kappa }, k) [x_1, \ldots , x_n]\) of partial degree \(< \ell \) in \(x_i\) for \(i = 1, \ldots , n\), and such that \(f (\alpha _{i_1}, \ldots , \alpha _{i_n}) = \beta _{i_1, \ldots , i_n}\) for all \((i_1, \ldots , i_n)\) in \(\{ 1, \ldots , \ell \}^n\), can be computed in time

$$\begin{aligned} n \ell ^n \tilde{O} (\log ^2 \ell \kappa k \log p) . \end{aligned}$$

Proof

The proof follows the one of Lemma 28, by doing the data reorganizations in the opposite direction from the one in the proof of Lemma 30. \(\square \)

From now, for convenience, we discard the case \(\ell = 1\). In this way, whenever \(\ell \geqslant 2\), we may use \(n^{O (1)} = \log ^{O (1)} (\ell ^n)\).

Proposition 10

Assume \(\ell \geqslant 2\) and \(p^k \geqslant \ell \). Let \(f \in {\text {GR}}\, (p^{\kappa }, k) [x_1, \ldots , x_n]\) be of partial degree \(< \ell \) in \(x_i\) for \(i = 1, \ldots , n\), and let N be a \(n \times n\) matrix over \({\text {GR}}\, (p^{\kappa }, k)\). If an LU-decomposition of N is given, then \(f \circ N\) can be computed in time \(\tilde{O} (\ell ^n \kappa k \log p)\).

Proof

We first generate a subset \(S :=\{ \alpha _1, \ldots , \alpha _{\ell } \}\) of \({\text {GR}}\, (p, k)\) of cardinality \(\ell \) in time \(\tilde{O} (\ell k \log p)\); this ensures the invertibility of \(\alpha _i - \alpha _j\) for \(i \ne j\). The proof then follows the one of Proposition 8 while taking data reorganizations into account. When N is upper triangular, the computation of \(g_1, \ldots , g_{\ell }\) requires the multi-point evaluation of f regarded in \({\text {GR}}\, (p^{\kappa }, k) [x_1, \ldots , x_{n - 1}] [x_n]\): we may simply appeal to the fast univariate algorithm because it only involves additions, subtractions and products by elements of \({\text {GR}}\, (p^{\kappa }, k)\) over the ground ring \({\text {GR}}\, (p^{\kappa }, k) [x_1, \ldots , x_{n - 1}]\). Consequently \(g_1, \ldots , g_{\ell }\) may be obtained in time \(\ell ^{n - 1} \tilde{O} (\ell \kappa k \log p)\), by Lemma 4. In addition, the \(\ell ^{n - 1} \times \ell \) array of values of the \(g_i\) must be transposed at the end, in order to guarantee the lexicographic ordering necessary to interpolate \(f \circ N\).

When N is lower triangular, the data reorganization costs essentially the same, except that the computation of \(g_1, \ldots , g_{\ell }\) takes time \(\ell ^{n - 1} \tilde{O} (\ell \kappa k \log p)\) by Lemmas 10 and 4. \(\square \)

Before achieving the proof of Proposition 1, we further need the following lemma in order to change the representation of a homogeneous polynomial.

Lemma 32

Let f be a homogeneous polynomial of degree \(d \geqslant 2\) in \({\text {GR}}\, (p^{\kappa }, k) [x_0\), \(\ldots , x_n]\), represented as before by \(f^{\flat } (x_1, \ldots , x_n) :=f (1, x_1, \ldots , x_n)\) and d, and let \(i \in \{ 0, \ldots , n \}\). Then, for any \(\alpha \in {\text {GR}}\, (p^{\kappa }, k)\) we can compute \(f^{\diamond } (x_0, \ldots , x_{i - 1}, x_{i + 1}\), \(\ldots , x_{n - 1}) :=f (x_0, \ldots , x_{i - 1},\alpha \), \(x_{i + 1}, \ldots , x_{n - 1})\) in time \(\tilde{O} (d^n \kappa k \log p)\).

Proof

For simplicity the proof is done for \(i = n\), but it extends in a coefficientwise manner to any i. A sparse representation of f is made of a sequence of pairs of coefficients and vector exponents. More precisely, if \(f = \sum _{e \in \mathbb {N}^{n + 1}} f_e x_0^{e_0} \cdots x_n^{e_n}\) then a sparse representation of it is the sequence of the pairs \((f_e, e)\), for all the nonzero coefficients \(f_e\). The bit size of a vector exponent is \(O (n + \log d)\), and therefore the bit size of a sparse representation of f is \(O (d^n (n + \log d) \kappa k \log p)\) by (2).

In order to prove the lemma, we first convert f, given in dense representation, into a sparse representation. When \(n = 1\) the sparse representation of \(f^{\flat }\) may be obtained in time \(O (d \log d \kappa k \log p)\). Otherwise \(n \geqslant 2\) and we regard \(f^{\flat }\) in \({\text {GR}}\, (p^{\kappa }, k) [x_1, \ldots , x_{n - 1}] [x_n]\),

$$\begin{aligned} f^{\flat } (x_1, \ldots , x_n) = f_0^{\flat } (x_1, \ldots , x_{n - 1}) + \cdots + f_d^{\flat } (x_1, \ldots , x_{n - 1}) x_n^d, \end{aligned}$$

and recursively compute the sparse representation of \(f_i^{\flat }\) for \(i = 0, \ldots , d\). These representations may naturally be glued together into a sparse representation of \(f^{\flat }\), in time \(O (d^n (n + \log d) \kappa k \log p)\), by adding the exponent of \(x_n\) into each exponent vector. A straightforward induction leads to a total time \(O (d^n (n + \log d) \kappa k \log p)\) for the change of representation of \(f^{\flat }\). Then the sparse representation of f may be deduced with additional time \(O (d^n (n + \log d) \kappa k \log p)\) by appending the exponent of \(x_0\) needed for homogenization.

Second, from the latter sparse representation of f we may simply discard the exponents of \(x_n\) and multiply the coefficients with the corresponding powers of \(\alpha \), in order to obtain a sparse representation of \(f^{\diamond }\) in time \(\tilde{O} (d^n \kappa k \log p)\).

Finally it remains to construct the dense representation of \(f^{\diamond }\) from its sparse representation. To this aim we sort the sparse representation in increasing lexicographic order on the exponent vectors in time \(O (d^n \log (d^n) (n + \log d) \kappa k \log p)\). We next compute the dense representation by induction over n. Writing

$$\begin{aligned} f^{\diamond } (x_0, \ldots , x_{n - 1}) = f_0^{\diamond } (x_0, \ldots , x_{n - 2}) + \cdots + f_{\ell - 1}^{\diamond } (x_0, \ldots , x_{n - 2}) x_{n - 1}^{\ell - 1}, \end{aligned}$$

the sparse representations of \(f_0^{\diamond }, \ldots , f_{\ell - 1}^{\diamond }\) are computed by induction, after removal of the powers of \(x_{n - 1}\). The induction ends when \(n = 0\), in which case the conversion to dense representation requires time \(O (d \log d \kappa k \log p)\). In total, the dense representation of \(f^{\diamond }\) can be computed in time \(O (d^n \log (d^n) (n + \log d) \kappa k \log p)\). \(\square \)

Proof of Proposition 1

We follow the proofs of Lemma 29 and Proposition 9, still while taking into account the cost of data reorganizations.

In the proof of Lemma 29, the cost of obtaining \(f (N_{0, 0}, x_1, \ldots , x_n)\) and \(f (x_0, \ldots , x_{n - 1}, N_{n, n})\) is given by Lemma 32, that is \(\tilde{O} (d^n \kappa k \log p)\).

In the proof of Proposition 9 we first need to compute the decomposition (18) of f. The polynomial

$$\begin{aligned} g_n (x_0, \ldots , x_n)= & {} f_1 (x_0, \ldots , x_{n - 1}) + f_2 (x_0, \ldots , x_{n - 1}) x_n + \cdots \\&+ f_d (x_0, \ldots , x_{n - 1}) x_n^{d - 1} \end{aligned}$$

is represented by

$$\begin{aligned} g_n^{\flat } (x_1, \ldots , x_n):= & {} f_1^{\flat } (x_1, \ldots , x_{n - 1}) + f_2^{\flat } (x_1, \ldots , x_{n - 1}) x_n + \cdots \\&+ f_d^{\flat } (x_1, \ldots , x_{n - 1}) x_n^{d - 1} \end{aligned}$$

and \(d - 1\). Consequently \(g_n^{\flat }\) may be easily obtained in time \(O (d^n \kappa k \log p)\). Then the rest of the decomposition \(g_{n - 1}^{\flat }, \ldots , g_0^{\flat }\) is obtained from \(f_0^{\flat } (x_1, \ldots , x_{n - 1})\), recursively. The total cost for obtaining all the \(g_i^{\flat }\) is therefore bounded by \(\tilde{O} (d^n \kappa k \log p)\).

For any \(c \in {\text {GR}}\, (p^{\kappa }, k)\), any \(i \in \{ 0, \ldots , n \}\), and any \(j \in \{ 1, \ldots , n \}\), the computations of \({c (g_i \circ N)} (1, x_1, \ldots , x_n)\) and of \(cx_j (g_i \circ N) (1, x_1, \ldots , x_n)\) take time \(d^n \tilde{O} (\kappa k \log p)\) since their supports have cardinality \(O (d^n)\) by (2).

Finally, from

$$\begin{aligned} f \circ N = \sum _{i = 0}^n \left( \sum _{j = 0}^n N_{i, j} x_j \right) (g_i \circ N) \end{aligned}$$

we obtain the representation of \(f \circ N\) as

$$\begin{aligned} (f \circ N) (1, x_1, \ldots , x_n) = \sum _{i = 0}^n \left( N_{i, 0} + \sum _{j = 1}^n N_{i, j} x_j \right) (g_i \circ N) (1, x_1, \ldots , x_n), \end{aligned}$$

using additional time \(\tilde{O} (d^n \kappa k \log p)\). The cost of the data reorganizations in the proof of Proposition 9 is negligible. \(\square \)