Point counting in families of hyperelliptic curves 7 0 0 Hendrik Hubrechts ∗ 2 n Department of mathematics, Katholieke Universiteit Leuven a Celestijnenlaan 200B, 3001 Leuven (Belgium) J [email protected] 9 2 29 January 2007 ] T N . Abstract h t Let EΓ be a family of hyperelliptic curves defined by Y2 = Q¯(X,Γ), a m where Q¯ is defined over a small finite field of odd characteristic. Then with γ¯ in an extension degree n field over this small field, we present a [ deterministic algorithm for computing the zeta function of the curve Eγ¯ 3 by using Dwork deformation in rigid cohomology. The time complexity v of the algorithm is O(n2.667) and it needs O(n2.5) bits of memory. A 8 slight adaptation requires only O(n2) space, but costs time Oe(n3). An 3 implementation of thislast result turnsout to bequiteefficient for n big 4 enough. 1 0 6 AMS (MOS) Subject Classification Codes: 11G20,11Y99,12H25,14F30, 0 14G50, 14Q05. / h t a 1 Introduction m : v The idea that it might be interesting to compute the number of solutions to i an algebraic equation over a finite field without actually trying to find these X solutions is an old one, as Gauss already introduced his so called Gauss sums r forit. Inlatertimesthistopicledtowonderfultheoreticalresultsasforexample a the Weil conjectures, the pursuit of a proof of which had a very big influence on number theory and algebraic geometry. In those days computers did not yetexistas everydayobjects,hence there wasno realinterestincomputing the number of points on very concrete varieties, and for example the ℓ-adic theory that led to the final proof of the Weil conjectures seems especially unsuited for implementations (except in the elliptic curve case). In the eighties the idea of Koblitz [18] and Miller [24] to use elliptic curves for cryptography created a new interest in the subject, but now on this more ∗ResearchAssistantoftheResearchFoundation -Flanders(FWO -Vlaanderen). 1 concrete level. Later on came also the suggestionof using jacobians of hyperel- liptic, C andother kinds of curves. Besides these concretereasonsthe matter ab should of course be interesting already in itself: given a very big but finite ob- ject with an easy defining relation and lots of structure: what is its size? But there are even more reasons for investing in point counting algorithms, e.g. in [1] a one-way function is constructed which uses such an algorithm, and [30] describes how to use jacobians in the context of sphere packing. The first interesting generalalgorithmthat saw the light was Schoof’s algo- rithm for calculating the number of points on an elliptic curve. This algorithm hasatime complexitypolynomialinthe logarithmofthe fieldsize,andwasop- timized by Elkies and Atkin, thus resulting in the well known SEA-algorithm, see [27]. It is possible to generalize this approach to higher genus curves, but the complexity is then exponential in the genus, and this has only been done for genus equal to 2. Ashighergenuscurvescameintoviewmorealgorithmsemerged. Inpractice we can distinguish two kinds of problems: for a field size pn (p prime), give an algorithm that works polynomially in log(pn) for small n, or one that works in time (np), hence for small p. The p-adic approach started with Satoh’s O canonical lift method for elliptic curves [26]. It was Kedlaya’s famous paper [15] that introduced the Monsky-Washnitzer cohomology in the computational worldbygivingageneralalgorithmforhyperellipticcurvesinoddcharacteristic. These p-adic algorithms solve problems of the second kind, namely they are polynomialinnpinsteadofnlogp. Butforlargefieldswithsmallcharacteristic they have proven to be very efficient. Denef and Vercauteren generalized this algorithm to even characteristic [6]. In the meantime LauderandWan presentedanapproach[21]that ledto an algorithm for very general varieties, and although not very practical, it works polynomiallyinthe extensiondegreeofthe field(but exponentiallyinthe num- ber of variables involved). Afterwards Lauder [22] used Dwork’s deformation theory to reduce the dependency on the dimension of hypersurfaces.1 The idea isto considerafamily ofhypersurfacesinoneparameterΓ,suchthatforexam- ple Γ = 1 gives the original problem, and Γ = 0 gives a special but easy case. Dwork’s theory allows then to recover the necessary information in an efficient way by enabling to skip the most elaborate steps in Kedlaya’s algorithm. We will make this more precise further on in this paper. Indeed, we develop a sug- gestionofLauder to combine the Monsky-Washnitzercohomology`a la Kedlaya withadeformation. Althoughforcurvesthedependency onthe dimensioncan- not decrease, for certain hyperelliptic curves the dependency on the extension degree n will. Namely, Kedlaya’s algorithm results in a time complexity2 of (n3) bit operations and (n3) as bit space requirements, whereas our algo- O O rithm requires respectively (n2.667) and (n2.5), or with a small adjustment O O e(n3) respectively (n2). It is worth noting that we can find the matrix of O O 1AsimilarideaisusedbyTsuzukiinthecomputationofKloostermansums[31]. e 2SeeSection2.4foranexplanationofthenotation Oe. 2 the pth power Frobenius automorphism in essentially quadratic time, and only the final step, taking the characteristic polynomial of the norm of this matrix, requires the above time estimates. As we consider only odd p, a next project is the even characteristic case, these results can be found in [13]. In [9] Gerkmann has followed roughly the same kind of ideas for the elliptic curve case, including a short description for characteristic two. An implemen- tation for Magma of this method is available on his website3. Thepaperisstructuredasfollows. WestartinSection2witharoughsketch of the method, and a formulation of our results, Theorems 1 and 2. Then we willconstructtheanalyticsettinginwhichtheMonsky-Washnitzercohomology withdeformationlives,alongwithallthetheoreticalproofs. Thistheoryimplies the correctness of the algorithm, which is explained in Section 4, if we should work with infinite p-adic precision. As this is impossible, Section 5 proves that our chosen precision suffices. Section 6 computes the complexity of the algo- rithm and hence proves Theorems 1 and 2. We then give some remarks and special interesting cases, and the final section presents results achievedwith an implementation of the algorithm. The author wishes to thank very much Jan Denef and Alan Lauder for proposing the topic. He also wants to thank Lauder for providing some crucial suggestions, Wouter Castryck and Joost van Hamel for the helpful discussions, Denef for the thorough reading of the paper and the correction of many small mistakes, and the anonymous referees for their many valuable suggestions and comments. 2 Overview of the method and results 2.1 Introducing notation and defining the problem Let p be an odd prime, a 1 an integer and q :=pa. We write F for the field q with q elements. For a fi≥eld F its algebraic closure is denoted by F¯. Let Z p and Q be respectively the p-adic integers and field, and Z and Q the unique p q q unramified extensions of degree a of Z and Q . If the field C is a completion p p p of Q¯ , then C is algebraically closed as well. The corresponding valuation on p p these rings is written as ord, normalizedto ordp=1. We will use σ for the pth power Frobenius automorphism on C . The projection Z F is denoted by p q q → x x¯, and the Teichmu¨ller lift of x¯ F is the unique lift x Z of x¯ that q q 7→ ∈ ∈ satisfies xq = x. For a polynomial α in X we denote with deg α the degree X with respect to X, and similarly we define deg α. Its derivatives are written Γ as α := ∂ α and α˙ := ∂ α. ′ ∂X ∂Γ 3http://wwwalt.mathematik.uni-mainz.de/~gerkmann/ellcurves.html 3 Suppose we are given an equation Y2 =Q¯(X,Γ) with Q¯ F [X,Γ], q ∈ whereQ¯ isamonicpolynomialofodddegree2g+1 3inX anddegreeκinΓ. If we suppose moreover that Q¯(X,0) has no double≥roots, then Y2 = Q¯(X,0) definesahyperellipticcurveE¯ ofgenusg inWeierstrassform. Letγ¯ F¯ ,letn 0 q be such that F (γ¯)=F and suppose that Q¯(X,γ¯) — which defines∈the curve q qn E¯ — has no double roots. Then our goal is to compute the zeta function and γ¯ hence the number of points of the curve E¯ . γ¯ 2.2 Deformation in a nutshell For those readers who are unfamiliar with the Monsky-Washnitzer cohomology as used by Kedlaya in order to count points on hyperelliptic curves, we refer to Kedlaya’s paper [15] or the course of Edixhoven [8]4. The idea of using deformation in the context of the Weil zeta function appears first in Dwork’s paper [7], where he derives the resulting differential equation. The cohomology type considered in this paper is rigid cohomology, for a general definition and properties we refer to Berthelot’s paper [3]. As Kedlaya we start with lifting everything to characteristic zero. Define Q(X,Γ) Z [X,Γ] as a degree preserving lift of Q¯(X,Γ). It is clear that for q somevalu∈esofγ¯ inF¯ the polynomialQ¯(X,γ¯)isnotsquarefree,orequivalently q Y2 = Q¯(X,γ¯) has affine singularities and hence does not define a hyperelliptic curve in Weierstrass form. With the resultant r(Γ):=ResX(Q(X,Γ);Q′(X,Γ)) we havethat r¯(γ¯)=0 if andonly if Q¯(X,γ¯) is squarefree,hence we willrequire 6 that r¯(0) = 0. We assume for a moment that the leading coefficient of r is a 6 unit in Z . Let the ring S and the S-module T be defined by q 1 † 1 1 † S :=Q Γ, and T :=Q Γ, ,X, . q q r(Γ) r(Γ) √Q (cid:20) (cid:21) (cid:20) (cid:21) NotethatthesetwostructuresarejustvariantsofKedlaya’sQ andA ,butwith q † the deformation parameter Γ inserted in the right way. We have a differential operator d := ∂ dX : T TdX, and TdX/dT is a free S-module with basis ∂X → X√idQX,XjQdX i=0,...,2g−1,j =0,...,2g . Let HM−W be the submodule gnenerated by (cid:12)(cid:12) := XidX i=0,...,2g 1o. There exist explicit formulae (cid:12)B √Q − ((1) and (2) in Sectionn 3.4)(cid:12)(cid:12)that enable us tooreduce elements in HM−W to this basis. (cid:12) On the module HM−W we have the operator Fp, a lift of the characteristicp Frobenius automorphism, and the connection ∂f ∇:HM−W →HM−WdΓ: f 7→ ∂ΓdΓ. 4Availableonhttp://www.math.leidenuniv.nl/~edix/oww/mathofcrypt/. 4 WithF(Γ)amatrixforF andG(Γ)for ,wewillprovethedifferentialequation p ∇ F˙(Γ)+F(Γ) G(Γ)=pΓp−1Gσ(Γp)F(Γ). · As the zeta function of E¯ is completely determined by F(γ), where γ is the γ¯ Teichmu¨llerliftofγ¯,thismatrixistheobjectthatwewanttocompute. Indeed, the characteristic polynomial of a matrix of Fan, which can be derived from p F(γ), will be precisely the numerator of the wanted zeta function. We will see thatweonly needto calculateeverythingup toa computablefinite precisionin order to find this zeta function exactly. 2.3 Overview of the algorithm We sketch briefly how the algorithm exploits the theory above. Note that we alwayswork with p-adics modulo a certain power of p and power series in Γ up to a certain power. 1. Lift Q¯ to characteristic zero, and compute the resultant r=αQ+βQ. ′ 2. DeterminethematrixGoftheconnection bydifferentiatingthebasis ∇ B with respect to Γ and using the reduction formulae (1) and (2) of Section 3.4. 3. DeducefromGthematrixC whoserowsformabasisofthelocalsolutions of =0 by solving the differential equation C˙ = C G. ∇ − · 4. Compute (Cσ(Γp))−1. 5. Compute F(0) by Kedlaya’s algorithm. 6. As F(Γ)=(Cσ(Γp))−1 F(0) C(Γ), we get a series expansion for F(Γ). · · 7. By representing F and Q as explained in Section 6.1, compute F(γ). qn qn 8. Determine the numerator of the zeta function of E¯ as the characteristic γ¯ polynomial of F(γ)σan−1 F(γ)σan−2 F(γ)σ F(γ). · ··· · 2.4 Results The main result of this paper is a ‘subcubic’ time algorithm for the compu- tation of the zeta function of certain families of hyperelliptic curves. Here we consider the extension degree n to be the crucial parameter. In the formula- tion of these results we use the -notation as defined e.g. in [34], which means O that we ignore logarithmic factors. The relevant examples are that (nlogn) O and (nlognloglogn) are bothe (n). Note that we ignore the dependency on O O p, and all complexities are to be seen bitwise: for time requirements we mean bit operations, and space is also meeant as number of bits. In these results the reader may take into account that a linear deformation will be most practical, which has κ=1. 5 Theorem 1 Let p be an odd prime and let E¯ be a hyperelliptic curve over γ¯ F obtained by a deformation of the kind described above: Y2 = Q¯(X,γ¯) pan with Q¯ defined over F . There exists a deterministic algorithmthat calculates pa the zeta function of E¯ in time γ¯ n2.667g6.376a3κ3 O andinmemory n2.5g5a3κ2leo(cid:0)g3g . Wecanals(cid:1)ocomputethesameobjectus- O ing n2g5a3κ2log3g memoryatthecostofatimeestimate n3g6.376a3κ3 . O (cid:0) (cid:1) O If we h(cid:0)ave done the ca(cid:1)lculation for one value of γ¯, it is faster to(cid:0)calculate mor(cid:1)e e zeta functions from the same family. Theorem 2 Supposewehaveasprecomputationcomputedasufficientapprox- imation of the matrix of Frobenius of a family as in Theorem 1. Then we can find the zeta function of a member of the family with parameter in F in de- pan terministic time n2.667g5a3κ and space n2.5g5a2κlogg ,or n3g5a3κ O O O respectively n2g5a2κlogg . O (cid:0) (cid:1) (cid:0) (cid:1) (cid:0) (cid:1) e e The proof of t(cid:0)hese theorems(cid:1)will be given in Section 6, after the complexity analysis. 3 Analytic theory We have tried to make this section self-contained, to have a clear exposition of the analytic theory behind the deformation. As a consequence we will reintro- duce somenotation,but sometimes ina moregeneralcontext,e.g.wewillwork over an algebraic closure F¯ of F . q q In [15, 16], Kedlaya presented a concrete computable form of the Monsky- Washnitzercohomology. Inthissectionwecombinethiswithaone-dimensional deformation as suggested by Lauder in [20]. As there are a lot of technical convergence results, we cannot present all the details of every calculation, but it will always be clear how to reconstruct those missing computations. 3.1 Sketch of the situation Let F be a finite field with q = pa elements, p an odd prime, and suppose q we are given a polynomial Q¯(X,Γ) F [X,Γ] with deg Q = 2g+1 for some integer g 1, and monic in X. Fo∈r evqery γ¯ F¯ we dXefine the curve E¯ as q γ¯ ≥ ∈ corresponding to the equation E¯ Y2 =Q¯(X,γ¯). γ¯ ←→ WeneedforourtheorythatY2 =Q¯(X,γ¯)isinWeierstrassform,hencewithout affine singularities. Suppose that E¯ satisfies this condition, the goal is then to 0 compute the zeta function of E¯ for certain ‘good’ γ¯ F¯ . We remind the γ¯ q ∈ reader of the rings Z , Q , Z , Q and C defined in Section 2.1. We take p p q q p 6 Q(X,Γ) Z [X,Γ]suchthatQ projects modulo p to Q¯, deg Q=deg Q¯ and deg Q =∈deqg Q¯. The resultant r(Γ) := Res (Q(X,Γ);Q(XX,Γ)) satXisfies an Γ Γ X ′ equality ∂Q r(Γ)=α(X,Γ) Q(X,Γ)+β(X,Γ) (X,Γ), or r =αQ+βQ′, · · ∂X for some α(Γ),β(Γ) Z [X,Γ]. From r(Γ) we can find the set of good parame- q ∈ ters S:= γ C γ is a Teichmu¨ller lift and r(γ)=0 . p ∈ 6 n (cid:12) o Thefollowingpropertyisob(cid:12)vious: forγ SthepolynomialQ¯(X,γ¯)issquarefree (cid:12) ∈ and thus determines a hyperelliptic curve in Weierstrass form. We also have 0 S and ord(r(γ))=0 for all γ S. ∈ ∈ Definition 3 Let ρ be the degree of r(Γ), B := max deg α,deg β , D := { Γ Γ } max deg α,deg β and κ:=deg Q. { X X } Γ Itis easyto seethatρ 4gκandthatwecanchooseαandβ suchthatD 2g ≤ ≤ and B (4g 1)κ. ≤ − 3.2 The base ring S We want as base ring an extension of Q that includes polynomials in Γ and q ensuresfurtheronfinitedimensionalityofacertainquotientmodule. Forr(Γ)= ρi=0riΓi let ρ′ be the largest index for which ord(rρ′)=0, and define R(Γ)= ρ′ r Γi. We assumeforamomentthatρ 1,seeNote 4forthe caseρ =0. Pi=0 i ′ ≥ ′ Define now the following overconvergentring, equal to Q [Γ, 1 ] : P q R(Γ) † b (Γ) ord(b ) S := k b (Γ) Q [Γ], degb (Γ)<ρ and liminf k >0 . (Xk∈ZR(Γ)k (cid:12)(cid:12)(cid:12) k ∈ q k ′ k |k| ) (cid:12) Here the order of (cid:12)a polynomial is the minimum of the orders of its coeffi- cients. It is easy to check that 1/r(Γ) S, and even b (Γ)r(Γ)k S when ∈ k k ∈ liminford(b (Γ))/k >0. We couldcallthe liminf in the definition the ‘radius k | | P of convergence’ of the series s(Γ). This is inspired by the fact that for series a Γi Q [[Γ]] the radius of convergence is pm with m = liminford(a )/i, i i ∈ q i and such a series is overconvergent if and only if m > 0. We define the valua- P tionof anelement ofS as ord(s(Γ)):=min ord(b ). We cangive a more exact k k interpretationofthisoverconvergence. AnelementsofS isconvergentonsome open disk strictly bigger than the unit disk, with finitely many smaller closed disks removed around the roots of r(Γ). As all these roots have norm 1, the closed disks are a subset of the unit circle. We could also define S as the set of all rigid analytic functions s on suchan ‘overconvergentdomain’ forwhichs(Q ) Q . Indeed,the completeness q q U ∩U ⊆ of Q implies then that s is defined over Q , see [4, p. 196]. q q 7 Note 4 The above definitions assume that ρ 1. If R(Γ) is a constant, then ′ ≥ thetheorywillstillwork,butwithalotofchanges(mostlysimplifications). For example the ring S will consist of all overconvergent power series a Γk. k 0 k Wewillnotcomebacktothissituation,asitisalwaysclearwhichresults≥require P a reformulation. New proofs are nowhere necessary. Lemma 5 (Euclidean division for overconvergent power series) Let f(Γ) = ∞i=0aiΓi ∈Cp[[Γ]] and δ >0, ε∈R such that ord(ai)≥δi+ε for all i. Then we can find q(Γ) C [[Γ]], g(Γ) C [Γ] such that f(Γ) = q(Γ)R(Γ)+g(Γ) p p P ∈ ∈ with q(Γ)= b Γj, degg <ρ, ord(g) ε and for every j we have ord(b ) j j ′ ≥ j ≥ δ (j+ρ)+ε. ′ · P Proof. It is clear that we can suppose that R is monic and ε = 0. Using Euclideandivisionwe find for everyi integralpolynomials q (Γ) and g (Γ) such i i thata Γi =q (Γ)R(Γ)+g (Γ). Thefollowingpropertieshold: ord(q ),ord(g ) i i i i i ≥ δi and degq = i ρ. The polynomials q and g from the lemma are now i ′ − q = q and g = g . For determining b we only need q for those i i i i i j i i which satisfy i ρ j, hence ord(b ) δ(j+ρ). (cid:4) ′ j ′ P − ≥P ≥ P Lemma 6 The ring S equals the set ∞ a Γi+ ∞ bj(Γ) a Q , b (Γ) Q [Γ], degb (Γ)<ρ, i R(Γ)j (cid:12) i ∈ q j ∈ q j ′ Xi=0 Xj=1 (cid:12)(cid:12) (cid:12) (cid:12) ord(cid:12)(a ) ord(b ) i j liminf >0 and liminf >0 . i i j j | | | | Proof. Weonlyneedtoshowthatf(Γ):= ∞i=0aiΓiwithliminford(ai)/i>0 can be written as ∞k=0bk(Γ)R(Γ)k with dePgbk <ρ′ and liminford(bk)/k >0, and vice versa. The latter implication is easy, for the former we use Lemma 5. P We know that for all i 0 we have ord(a ) δi+ε for some δ >0 and ε R. i ≥ ≥ ∈ Define the sequence f (Γ)= a Γi inductively by f (Γ)=f(Γ) and k i i,k 0 f (ΓP)=f (Γ)R(Γ)+b (Γ) k k+1 k as in the previous lemma. We know then that ord(a ) δi+kδρ +ε, and i,k ′ hence ord(b ) ε+kδρ. As f(Γ)= b (Γ)R(Γ)k we fi≥nd the lemma. (cid:4) k ≥ ′ k k P In order to be able to handle infinite sums of elements in S, we define a certain summation condition. Definition 7 Let (sk(Γ))k Z be a sequence of elements in S, and sk(Γ) = bkℓ(Γ). We define a s∈et of sequences as follows: (s ) belongs to if ℓ Z R(Γ)ℓ S k k S and∈only if there exist δ >0 and L N such that P ∈ ord(b ) kℓ inf >δ. k Z,ℓ L k + ℓ ∈ | |≥ | | | | 8 The following lemma is immediate. Lemma 8 Suppose we have a sequence (s ) as above. Then (s ) and k k k k ∈ S liminf ord(s )/k > 0 is equivalent to the following: there exist a constant k k | | c Q and δ >0 such that for all k,ℓ q ∈ ord(c b ) δ (k + ℓ). kℓ · ≥ · | | | | We now want to use the set to prove convergence of an infinite sum in S. S Lemma 9 Let (sk)k Z be a sequence in satisfying liminford(sk)/k > 0, ∈ S | | then the sum s converges to an element of S. k k Proof. The inequality in the lemma is easily seen to imply the convergence P of the infinite sum, more precisely, if s (Γ)= b (Γ)/R(Γ)ℓ for every k, the k ℓ kℓ sums b converge. We suppose that the inequalities with c and δ hold as k kℓ P in Lemma 8, then we have for every ℓ 1 that P ≥ ord(b )+ord(c) ord(c) ord(b ) kℓ kℓ δ inf +min , ≤k Z k + ℓ ≤ ℓ k Z ℓ ∈ | | | | | | ∈ | | so that liminf ord( b )/ℓ δ. (cid:4) ℓ k kℓ | |≥ P We will apply this lemma in the following technical result, where we write R and r for R(Γ) and r(Γ). Lemma 10 Suppose we havefor allintegerst 0 aseriess := p(t)/(Rℓ ≥ t k,ℓ kℓ · rk), a sum over ℓ Z and k 0, where p(t) Q [Γ], degp(t) A(k+t) and ∈ ≥ kℓ ∈ q kℓ ≤P ord(p(t)) δ(k +t + ℓ) for some constants A,δ > 0. Then (s ) and kℓ ≥ | | t t ∈ S s S. t t ∈ Proof. Fix a positive integer N. It is easy to verify that from r Rmodp it P ≡ follows that Rk+N/rk modpN is an integral polynomial of degree at most ρN. If we consider s modulo pN, we find that p(t) 0 as soon as k+t+ ℓ N/δ, t kℓ ≡ | |≥ so if we multiply s with (R r)N/δ we end up with a polynomial. We will now t · bound its degree. The worst possible degree comes from p(t) with k+t= N/δ kℓ andℓ=0,whichgivesadegreeofnomorethanAN/δ+(ρ+ρ)N/δ. Combining ′ this with the aboveresultfor RN+N/δ/rN/δ we conclude thats modpN equals t a polynomial of degree at most AN/δ+(ρ+ρ)N/δ+ρN =: c N divided by ′ 1 R2N/δ+N =:Rc2N. If we expand the numerator as a ‘polynomial in R’ we find that s modpN can only have a nonzero coefficient for Rm if m c N and t 2 ≥ − m c N/ρ c N, or m max c ,c /ρ c N =: c N. Note that the 1 ′ 2 2 1 ′ 2 3 ≤ − | | ≤ { − } coefficientofRm alsodisappearsifδt N. Ifwefinallywrites = d(t)/Rm ≥ t m m withdegd(t) <ρ,wefindthatord(d(t)) max m/c ;δt m/(2c )+(δ/2)t. This implimes that′ (s ) and usinmg Le≥mma 9{|we|co3nclu}d≥e t|ha|t P3s S. (cid:4) t t ∈S t t ∈ P It is clear that we can always substitute a Teichmu¨ller lift γ from S in a series s(Γ) S, because R(γ) has order 0. We conclude this section with a ∈ lemma that allows us to derive conclusions from such a substitution. 9 Lemma 11 Let s(Γ) = b (Γ)/R(Γ)k S such that degb < ρ for all k Z k ∈ k ′ k. Suppose we have for infini∈tely many γ S that ord(s(γ)) α for some real P ∈ ≥ number α, then also for every k Z we get ord(b ) α. k ∈ ≥ Proof. After multiplication by a constant we can suppose α = 0. Choose K largeenoughtoensurethatord(b )>0for k >K. Definethetruncatedseries k | | K g(Γ):= b (Γ)R(Γ)k, k k= K X− so that for all the γ S considered we have g(γ) f(γ)modp. We continue ∈ ≡ withcontraposition. ChooseT >0suchthatord(pTb ) 0 forallk,andforat k ≥ least one k we have ord(pTb )=0. Let N be the least of these k’s. Consider k − now K h(Γ):=pTR(Γ)N b (Γ)R(Γ)k. k k= N X− Then h¯(Γ) is nonzero polynomial over F , but h¯(γ¯) = 0 for every considered q γ S. This gives the required contradiction. (cid:4) ∈ We have two important consequences of this lemma. First, it will allow us to reduce to the situation described by Kedlaya if we substitute γ S. And ∈ second, it implies that for nonzero s S it is impossible to become zero in ∈ infinitely many γ S. ∈ 3.3 The “dagger algebra” T The Q -algebra A Q used in Kedlaya’s algorithm [15] will be replaced by q † q ⊗ an algebra T over the ring S. The following definition of T is motivated by two requirements. First, substituting some γ S should reduce T(γ) to the ∈ structureA Q consideredbyKedlaya. Andsecond,the cohomologymodule † q ⊗ TdX/dT should be finite dimensional. Therefore we take for T the overconver- gent completion of Q [Γ,1/R(Γ),X,1/√Q] as follows: q Definition 12 2g Xi ord(s ) ik T := s s S, liminf >0 and (s ) . (Xk∈ZXi=0 ik√Qk (cid:12)(cid:12)(cid:12) ik ∈ k |k| ik k ∈S) With this definition T is (cid:12)an S-algebra. An element t(X) of T will also be (cid:12) k denoted by t (X,Γ)/√Q . A more exact formulationof the second aim for k k T is as follows. Let γ S and suppose γ¯ F for n minimal. Then T with γ qn substitutedPfor Γ is pre∈cisely A† Qqn for∈the curve Y2 =Q¯(X,γ¯) over Fqn as ⊗ it appears in [15]. We denote T(γ) for the structure we obtain for T with the substitution Γ γ, hence in fact T(γ)=T Q /(Γ γ). qn ← ⊗ − We firstprovethat A†⊗Qqn ⊆T(γ). Choose k,iaikXi/√Qk ∈A†⊗Qqn, witha Q andliminf ord(a )/k >0. ThenQ (γ)=Q impliesthatwe ik qn k ik q qn ∈ | | P 10