Ideal forms of Coppersmith's theorem and Guruswami-Sudan list decoding

We develop a framework for solving polynomial equations with size constraints on solutions. We obtain our results by showing how to apply a technique of Coppersmith for finding small solutions of polynomial equations modulo integers to analogous problems over polynomial rings, number fields, and function fields. This gives us a unified view of several problems arising naturally in cryptography, coding theory, and the study of lattices. We give (1) a polynomial-time algorithm for finding small solutions of polynomial equations modulo ideals over algebraic number fields, (2) a faster variant of the Guruswami-Sudan algorithm for list decoding of Reed-Solomon codes, and (3) an algorithm for list decoding of algebraic-geometric codes that handles both single-point and multi-point codes. Coppersmith's algorithm uses lattice basis reduction to find a short vector in a carefully constructed lattice; powerful analogies from algebraic number theory allow us to identify the appropriate analogue of a lattice in each application and provide efficient algorithms to find a suitably short vector, thus allowing us to give completely parallel proofs of the above theorems.


Introduction
Many important problems in areas ranging from cryptanalysis to coding theory amount to solving polynomial equations with side constraints or partial information about the solutions.
One of the most important cases is solving equations given size bounds on the solutions. Coppersmith's algorithm is a celebrated technique for finding small solutions to polynomial equations modulo integers, and it has many important applications in cryptography, particularly in the cryptanalysis of RSA.
In this paper, we show how the ideas of Coppersmith's theorem can be extended to a more general framework encompassing the original number-theoretic problem, list decoding of Reed-Solomon and algebraic-geometric codes, and the problem of finding solutions to polynomial equations modulo ideals in rings of algebraic integers. These seemingly different problems are all perfectly analogous when viewed from the perspective of algebraic number theory.
Coppersmith's algorithm provides a key example of the power of lattice basis reduction. In order to extend the method beyond the integers, we illuminate the analogous structures for polynomial rings, number fields, and function fields. Ideals over number fields have a natural embedding into a lattice, and thus we can find a short vector simply by applying the LLL algorithm to this canonical embedding. In contrast to integer lattices, it turns out that lattice basis reduction is much easier over a lattice of polynomials, and in fact a shortest vector can always be found in polynomial time.
Recasting the list decoding problem in this framework allows us to take advantage of very efficient reduction algorithms and thus achieve the fastest known list decoding algorithm for Reed-Solomon codes.
Extending this approach to function fields involves numerous technical difficulties. In addition, we prove a much more general result about finding short vectors under arbitrary non-Archimedean norms, which may have further applications beyond list decoding of algebraic-geometric codes. As an illustration of the generality of our approach, we give the first list decoding algorithm that works for all algebraic-geometric codes, not just those defined using a single-point divisor.
In the remainder of the introduction, we set up our framework with a brief review of Coppersmith's theorem, and then state our theorems on polynomial rings, number fields, and function fields.
Theorem 1.1 ([10,22,34]). Let $f(x)$ be a monic polynomial of degree $d$ with coefficients modulo an integer $N > 1$, and suppose $0 < \beta \le 1$. In time polynomial in $\log N$ and $d$, one can find all integers $w$ such that $|w| \le N^{\beta^2/d}$ and $\gcd(f(w), N) \ge N^{\beta}$.
Note that when β = 1, this amounts to finding all sufficiently small solutions of f (w) ≡ 0 (mod N ), and the general theorem amounts to solving f (w) ≡ 0 (mod B), where B is a large factor of N .
We give a brief example to illustrate the power of this theorem in cryptography [10,22]. Imagine that an adversary has obtained through a side-channel attack some knowledge about one of the prime factors $p$ of an RSA modulus $N = pq$, for example the high-order half of its bits. We denote this known quantity by $r$. Then we may write $p = r + w$ where $0 \le w \le N^{1/4+o(1)}$ (we assume, as is typical, that $p$ and $q$ are both $N^{1/2+o(1)}$). Now let $f(x) = x + r$ and $\beta = 1/2 + o(1)$. Theorem 1.1 tells us that we can in polynomial time learn $w$, and hence $p$, thereby factoring $N$.
Further applications of this theorem in cryptography include other partial key recovery attacks against RSA [7,5], attacks on stereotyped messages and improper padding [10], and the proof of security for the RSA-OAEP+ padding scheme [41]. See [35] for many other applications.
It is remarkable that Theorem 1.1 allows us to solve polynomial equations modulo N without knowing the factorization of N , and this fact is critical for the cryptanalytic applications. However, even if one already has the factorization, Theorem 1.1 remains nontrivial if N has many prime factors.
To solve an equation modulo a composite number, one generally solves the equation modulo each prime power factor of the modulus and uses the Chinese remainder theorem to construct solutions for the original modulus. (Recall that modulo a prime, such equations can be solved in polynomial time, and we can use Hensel's lemma to lift the solutions to prime power moduli.) The number of possible solutions can be exponential in the number of prime factors, in which case it is infeasible to enumerate all of the roots and then select those that are within the desired range. In fact, the problem of determining whether there is a root in an arbitrary given interval is NP-complete [32]. Of course, if $N$ has only two prime factors, there can be only $d^2$ solutions modulo $N$, but our methods are incapable of distinguishing between numbers with two or many prime factors.
It is not even obvious that the number of roots modulo $N$ of size at most $N^{1/d}$ is polynomially bounded. From this perspective, the exponent $1/d$ is optimal without further assumptions, because $f(x) = x^d$ will have exponentially many roots modulo $N = k^d$ of absolute value at most $N^{1/d+\varepsilon}$ (specifically, the $2N^{\varepsilon}$ such multiples of $k$). Theorem 1.1 can be seen as a constructive bound on the number of solutions. See [11] for further discussion of this argument and [25] for non-constructive bounds.

A polynomial analogue
To introduce our analogies, we will begin with the simplest and most familiar case: polynomials.
There is an important analogy in number theory between the ring $\mathbb{Z}$ of integers and the ring $F[z]$ of univariate polynomials over a field $F$. To formulate the analogue of Coppersmith's theorem, one just needs to recognize that the degree of a polynomial is the appropriate measure of its size. Thus, the polynomial version of Coppersmith's theorem should involve finding low-degree solutions of polynomial equations over $F[z]$ modulo a polynomial $p(z)$. That is, given a polynomial

In the following theorem, we assume that we can efficiently represent and manipulate elements of $F$, and that we can find roots in $F[z]$ of polynomials over $F[z]$. For example, that holds if we can factor bivariate polynomials over $F$ in polynomial time. This assumption holds for many fields, including $\mathbb{Q}$ and even number fields [27] as well as all finite fields [18] (with a randomized algorithm in the latter case).

Theorem 1.2. Let $f(x)$ be a monic polynomial in $x$ of degree $d$ over $F[z]$ with coefficients modulo $p(z)$, where $\deg_z p(z) = n > 0$. In polynomial time, for $0 < \beta \le 1$, one can find all $w(z) \in F[z]$ such that $\deg_z w(z) < \beta^2 n/d$ and $\deg_z \gcd(f(w(z)), p(z)) \ge \beta n$.
In the case when p(z) factors completely into linear factors, this theorem is equivalent to the influential Guruswami-Sudan theorem on list decoding of Reed-Solomon codes [21]. See Section 4.2 for the details of the equivalence. The above statement of Theorem 1.2, as well as the extension to higher-degree irreducible factors, appear to be new.
It has long been recognized that the Coppersmith and Guruswami-Sudan theorems are in some way analogous, although we are unaware of any previous, comparably explicit statement of the analogy. Boneh used Coppersmith's theorem in work on Chinese remainder theorem codes inspired by the Guruswami-Sudan theorem [6], and in a brief aside in the middle of [3], Bernstein noted that Guruswami-Sudan is the polynomial analogue of a related theorem of Coppersmith, Howgrave-Graham, and Nagaraj [12]. See also [20] for a general ideal-theoretic setting for coding theory, and [43] for a survey of relationships between list decoding and number-theoretic codes.

Number fields
A number field is a finite extension of the field Q of rational numbers. Thus it is natural to investigate how a statement over the rationals, the simplest number field, extends to more general number fields. We extend our analogy by adapting Coppersmith's theorem to the number field case.
Every number field $K$ is of the form $K = \mathbb{Q}(\alpha) = \{a_0 + a_1\alpha + \cdots + a_{n-1}\alpha^{n-1} : a_0, \dots, a_{n-1} \in \mathbb{Q}\}$, where $\alpha$ is an algebraic number of degree $n$ (i.e., a root of an irreducible polynomial of degree $n$ over $\mathbb{Q}$). The degree of $K$ is defined to be $n$. Within $K$, there is a ring $\mathcal{O}_K$ called the ring of algebraic integers in $K$. It plays the same role within the field $K$ as the ring $\mathbb{Z}$ of integers plays within $\mathbb{Q}$.
Sometimes $\mathcal{O}_K$ is of the form $\mathbb{Z}[\alpha]$, but sometimes it is more subtle.
Recall that an ideal in a ring is a non-empty subset closed under addition and under multiplication by arbitrary elements of the ring. (Intuitively, it is a subset modulo which one can reduce elements of the ring.) For example, the multiples of any fixed element form an ideal, called a principal ideal. In $\mathbb{Z}$ every ideal is of that form, but that is not usually true in $\mathcal{O}_K$.
In $\mathcal{O}_K$, we study the solutions of polynomial equations modulo ideals, the analogue of such equations modulo integers in $\mathbb{Z}$. To measure the size of a nonzero ideal $I$ in $\mathcal{O}_K$, we will use its norm $N(I) = |\mathcal{O}_K/I|$, i.e., the size of the quotient ring.
A final conceptual issue that makes this case more subtle is that a number field of degree $n$ has $n$ absolute values $|\cdot|_i$ corresponding to its $n$ embeddings into $\mathbb{C}$ (as we will explain in Section 5), and to obtain the theorem it is necessary to bound them all simultaneously.
The number field analogue of Coppersmith's theorem is as follows: a monic polynomial of degree $d$, and $I \subseteq \mathcal{O}_K$ an ideal in $\mathcal{O}_K$. Assume that we are given $\mathcal{O}_K$ and $I$ explicitly by integral bases. For $0 < \beta \le 1$ and $\lambda_1, \dots, \lambda_n > 0$, in time polynomial in the input length and exponential in $n^2$ we can find all $w \in \mathcal{O}_K$ with $|w|_i < \lambda_i$ such that Furthermore, in polynomial time we can find all such $w$ provided that Equivalently, we can find small solutions of equations $f(x) \equiv 0 \pmod J$, where the ideal $J$ is a large divisor of $I$. Using improved lattice basis reduction algorithms [2] we can achieve slightly subexponential behavior in $n^2$. Note also that $\gcd(f(w)\mathcal{O}_K, I)$ is the greatest common divisor of the ideals $f(w)\mathcal{O}_K$ and $I$ in the sense of ideal divisibility (to divide is to contain), that is, the smallest ideal containing both; in other words, it is their sum $f(w)\mathcal{O}_K + I$.
When n is fixed, our algorithm runs in polynomial time, but the dependence on n is exponential. That appears to be unavoidable using our techniques, but it is not a serious drawback. Many number-theoretic algorithms behave poorly for high-degree number fields, and most computations are therefore done in low-degree cases. Even for a fixed number field K, Theorem 1.3 remains of interest.
Several problems over number fields have been proposed as the basis for cryptosystems; see, for example, [8] for a survey of problems over quadratic number fields. More recently, Peikert and Rosen [37] and Lyubashevsky, Peikert, Regev [31] developed lattice-based cryptographic schemes using lattices representing the canonical embeddings of ideals in number fields. As a special case, Theorem 1.3 can be used to solve certain cases of the bounded-distance decoding problem for such lattices, and improving our approximation factor from $(2+o(1))^{-n^2/2}$ to $2^{-n}|\Delta_K|$, where $\Delta_K$ is the discriminant of $K$, would solve the problem in general; see Section 5.3 for more details.
In addition, number fields have many applications to purely classical problems, the most prominent example being the number field sieve factoring algorithm. All sieve algorithms require generating smooth numbers, and in this context Boneh [6] showed how to use Coppersmith's theorem to find smooth integer solutions of polynomials in short intervals. Using Theorem 1.3 analogously, one can do the same over number fields.
We prove Theorem 1.3 in Section 5.

Function fields
Algebraic number theorists have developed a more sophisticated version of the analogy between the integers and polynomial rings. A global field is a finite extension of either the field $\mathbb{Q}$ of rational numbers (called a number field, as we have seen) or the field of rational functions on an algebraic curve over a finite field, called function fields (of curves, as opposed to higher-dimensional varieties). The parallels between number fields and function fields are truly astonishing, and this analogy has played a crucial role in the development of number theory over the last century. We now complete the analogy by extending Coppersmith's theorem to the function field case. See Section 6 for a more thorough review of the setting and notation.

Theorem 1.4. Let $X$ be a smooth, projective, absolutely irreducible algebraic curve over $\mathbb{F}_q$, and let $K$ be its function field over $\mathbb{F}_q$. Let $D$ be a divisor on $X$ whose support $\operatorname{supp}(D)$ is contained in the $\mathbb{F}_q$-rational points $X(\mathbb{F}_q)$, let $S$ be a subset of $X(\mathbb{F}_q)$ that properly contains $\operatorname{supp}(D)$, let $\mathcal{O}_S$ denote the subring of $K$ consisting of functions with poles only in $S$, and let $L(D)$ be the Riemann-Roch space be a monic polynomial of degree $d$, and let $I$ be a proper ideal in $\mathcal{O}_S$. Then in probabilistic polynomial time, we can find all $w \in L(D)$ such that

In the case when $S$ contains only a single point, the function field version of Coppersmith's theorem is equivalent to the Guruswami-Sudan theorem on list-decoding of algebraic-geometric codes, as we will outline in Section 6. The Guruswami-Sudan theorem and the earlier Shokrollahi-Wasserman theorem in [40] are specialized to that case, which covers many but not all algebraic-geometric codes. Our theorem extends list decoding to the full range of such codes.
We assume that we can efficiently compute bases of Riemann-Roch spaces for divisors in X . That can be done in many important cases (for example, for a smooth plane curve, or even one with ordinary multiple points [23]), and it is a reasonable assumption because even the encoding problem for algebraic-geometric codes requires a basis of a Riemann-Roch space. Note also that although our algorithm is probabilistic, it is guaranteed to give the correct solution in expected polynomial time; in other words, it is a "Las Vegas" algorithm.
We prove Theorem 1.4 in Section 6.

Analogies in number theory
The connections we have described are not isolated phenomena. Many theorems in number theory and algebraic geometry have parallel versions for the integers and for polynomial rings, or more generally for number fields and function fields, and translating statements or techniques between these settings can lead to valuable insights. One particular advantage of this sort of arbitrage is that proving results for polynomial rings is usually easier. For example, the prime number theorem for $\mathbb{Z}$ is a deep theorem, but the analogue for the polynomial ring $\mathbb{F}_q[z]$ over a finite field is much simpler. It says that asymptotically a $1/n$ fraction of the $q^n$ monic polynomials of degree $n$ are irreducible, and in fact the error term is on the order of $q^{n/2}$ (see Lemma 14.38 in [17]). Proving a similarly strong version of the prime number theorem for $\mathbb{Z}$ would amount to proving the Riemann hypothesis. Similarly, the ABC conjecture for $\mathbb{Z}$ is a profound unsolved problem, while for polynomial rings it has an elementary proof [33].
Thus, polynomial rings are worlds in which many of the fondest dreams of mathematicians have come true. If a result cannot be proved in such a setting, then it is probably not even worth trying to prove it in Z. If it can be proved for polynomial rings, then the techniques may not apply to the integers, but they often provide inspiration for how a proof might work if technical obstacles can be overcome.
Similarly, in computer science many computational problems that appear to be hard for integers are tractable for polynomials. For example, factoring polynomials can be done in polynomial time for many fields, while for the integers the problem seems to be hard. The polynomial analogue of the shortest vector problem for lattices can be solved exactly in polynomial time [16], while for integer lattices the problem is NP-hard [1]. This difference in the difficulty of lattice problems is at the root of the poor running time in Theorem 1.3 for number fields of high degree.

Preliminaries
One of the main steps in Coppersmith's theorem uses lattice basis reduction to find a short vector in a lattice. In this section, we will review preliminaries on integral lattices, and introduce the analogues that we will use in our generalizations.

Integer lattices
Recall that a lattice is a discrete subgroup of $\mathbb{R}^m$ of rank $m$. Equivalently, it is the set of integer linear combinations of a basis of $\mathbb{R}^m$.
The determinant $\det(L)$ of a lattice $L$ is the absolute value of the determinant of any basis matrix; it is not difficult to show that it is independent of the choice of basis. One way to see why is that the determinant is the volume of the quotient $\mathbb{R}^m/L$, or equivalently the volume of a fundamental parallelotope.
One of the fundamental problems in lattice theory is finding short vectors in lattices, with respect to the $\ell_p$ norm. Most often we use the $\ell_2$ norm, which is of course the usual Euclidean distance. The LLL lattice basis reduction algorithm [29] can be used to find a short vector in a lattice.
Given a basis of a lattice $L$ in $\mathbb{R}^m$, a nonzero vector $v \in L$ satisfying can be found in polynomial time.

Polynomial lattices
A lattice is a module over the ring $\mathbb{Z}$ of integers. In other words, not only is it an abelian group under addition, but we can also multiply lattice vectors by integers and thus take arbitrary integer combinations of them. More generally, a module for a ring $R$ is an abelian group in which we can multiply by elements of $R$ (in a way that satisfies the associative and distributive laws). In other words, an $R$-module is exactly like an $R$-vector space, except that $R$ is not required to be a field, as it is in the definition of a vector space.
The module $R^m$ with componentwise scalar multiplication is called a free $R$-module of rank $m$. Every lattice is a free $\mathbb{Z}$-module, and free $R$-modules will be the analogous structure for the ring $R$.
For example, if R is the polynomial ring F [z] over a field F , then we define a polynomial lattice to be a free module over F [z] of finite rank. A polynomial lattice will usually be generated by a basis of vectors whose coefficients are polynomials in z. Vectors in our polynomial lattice will be linear combinations of the basis vectors (where the coefficients are also polynomials in z).
As we will see later, an appropriate definition of the length (i.e., degree) of such a lattice vector is the maximum degree of its coordinates: This defines a non-Archimedean norm. In fact, for lattices with a norm defined as above, it is possible to find the exact shortest vector in polynomial time (see, for example, [16]). Lattices of polynomials have been well studied because of their applications to the study of linear systems [24]. There are several notions of basis reduction for such lattices. A basis is column-reduced (or, as appropriate, row-reduced) if the degree of the determinant of the lattice (i.e., of a basis matrix) is equal to the sum of the degrees of its basis vectors. Such bases always contain a minimal vector for the lattice, and $m$-dimensional column reduction can be carried out in $m^{\omega+o(1)} D$ field operations [19], where $\omega$ is the exponent of matrix multiplication and $D$ is the greatest degree occurring in the original basis of the lattice.
In particular, for an $m$-dimensional lattice $L$ with the norm (2.1), the above algorithms are guaranteed to find a nonzero vector $v$ for which where $\det L$ denotes the determinant of a lattice basis.

Finding short vectors under general non-Archimedean norms
The above algorithms are specialized to norms defined by (2.1), but there are other non-Archimedean norms, and we will need to use them in the proof of Theorem 1.4 in the function field setting. In fact, for all non-Archimedean norms, it is possible to find a short vector in a lattice simply by solving a system of linear equations. Solving such a system may be less efficient than a specialized algorithm, but it allows us to give a general approach that will work in polynomial time for any norm. Let $R = F[z]$ be a polynomial ring over a field $F$, and for $r \in R$ define for some arbitrary constant $C > 1$; we take $|0| = 0$ as a special case. Note that $|z| = C$, and thus we can write $|r| = |z|^{\deg_z(r)}$. Suppose we have any norm $|\cdot|$ on $R^m$ that satisfies the following three properties: 3. For all $v \in R^m$ and $r \in R$, $|rv| = |r||v|$.
Note that taking defines such a norm, but the extra generality will prove useful in Section 6.

Proof. We will construct a nonzero vector satisfying $|v| \le q^c$ for some constant $c$ to be determined, and then we will optimize the choice of $c$. Let $|b_i| = |z|^{n_i}$, and consider the space of polynomials Thus, there exists a nonzero element $v$ of $V$ that maps to zero in the $d$-dimensional quotient space $R^m/M$ and hence lies in $M$. It satisfies

Proof. In the notation of the proof of Lemma 2.2, we will show that we can find small coefficients $r_1, \dots, r_m \in R$ (not all zero) such that $\sum_i r_i b_i$ is in $M$. Suppose $w_1, \dots, w_m$ is an $R$-basis of $M$. Then the elements of $M$ are those that can be written as $\sum_i s_i w_i$ with $s_i \in R$. Given a polynomial bound for the degrees of $s_1, \dots, s_m$, we could determine the coefficients $r_i$ and $s_i$ by solving linear equations over $F$ for their coefficients. To specify these equations, we write $w_1, \dots, w_m$ as $R$-linear amounts to $r = Ws$, where $s$ and $r$ are the column vectors with entries $s_i$ and $r_i$, respectively.
Thus, $s$ determines $r$ in a simple way, and all we need is to choose $s_1, \dots, s_m$ so that the relationship $r = Ws$ implies $\deg_z r_i \le c - n_i$, with $c$ and $n_i$ defined as in the proof of Lemma 2.2. It is not difficult to bound the degrees of the polynomials $s_i$ as follows. Let $\operatorname{adj}(W)$ be the adjugate matrix of $W$ (so $\operatorname{adj}(W)\,W = \det(W)\,I$). Then $\operatorname{adj}(W)\,r = \det(W)\,s$.
It follows that for each $i$, However, the entries $\operatorname{adj}(W)_{ij}$ of $\operatorname{adj}(W)$ have degree bounded by $m-1$ times the maximum degree of an entry of $W$ (because they are given by determinants of $(m-1) \times (m-1)$ submatrices of $W$). Thus, $\deg_z s_i$ is polynomially bounded, and we can locate a suitable vector $v$ by solving a system of polynomially many linear equations over $F$.
Note that for a rank $m$ submodule $M$ of $R^m$, the degree of the determinant of a basis matrix $B$ for $M$ is the dimension of the quotient $R^m/M$. Thus, in Lemma 2.2, if $|b_1| = \cdots = |b_m| = 1$, then the norm of a minimal vector is bounded by $|\det(B)|^{1/m}$. The exponential approximation factor that occurs in LLL lattice basis reduction does not occur here.

Coppersmith's theorem
We now review how Coppersmith's method works over the integers, as this provides a template for the techniques we will apply later. We will follow the exposition of May [35].
Let f (x) be a monic univariate polynomial of degree d, and N an integer of potentially unknown factorization. We wish to find all small integers w such that gcd(f (w), N ) is large.
To do so, we will choose some positive integer $k$ (to be determined later) and look at integer combinations of the polynomials and thus also any linear combination of such polynomials. Let for some coefficients $a_{i,j}$ and $q_i$ to be determined. We will choose $Q$ so that the small solutions to our original congruence become actual solutions of $Q(x) = 0$ in the integers. This will allow us to find $w$ by factoring $Q(x)$ over the rationals. The construction of $Q$ tells us that If in addition we have a lower bound $N^{\beta}$ on the size of $B$, and we can show that then $Q(w) = 0$ and we may find $w$ by factoring $Q$. In fact, this observation tells us that we can find all such $w$ in this way. A similar observation will appear in all of our proofs.
In the case of the integers, we introduce the bound $|w| < X$ on our roots, and the triangle inequality tells us that To finish the theorem, we will show that we can choose $Q$ so that its coefficients $q_i$ satisfy We are now ready to prove Coppersmith's theorem for the integers.
Proof of Theorem 1.1. Having outlined the general technique above, it remains to be shown that we can construct a polynomial Q(x) whose coefficients satisfy the bound in (3.4).
The polynomial $Q(x)$ will be a linear combination of the polynomials The right-hand side of (3.3) is the $\ell_1$ norm of the vector of coefficients of the polynomial $Q(xX)$, which in turn will be a linear combination of the polynomials $(xX)^j f(xX)^i N^{k-i}$. Finding our desired $Q(x)$ is thus equivalent to finding a suitably short vector in the lattice $L$ spanned by the coefficient vectors of the polynomials $(xX)^j f(xX)^i N^{k-i}$.
To compute the determinant of this lattice, we can order the basis vectors by the degrees of the polynomials they represent to obtain an upper triangular matrix whose determinant is the product of the terms on the diagonal: We can use the LLL algorithm [29] to find a vector $v$ whose $\ell_2$ norm is bounded by By Cauchy-Schwarz, $|v|_1 \le \sqrt{m}\,|v|_2$, and hence for any $|w| < X$, We assume $m \ge 7$, and use the weaker bound To prove inequality (3.2), we must show that This inequality is equivalent to Applying Lemma 3.1 below with $\ell = \log 2X$ and $n = \log N$, we obtain parameters $k$ and $t$ such that (3.5) holds for To eliminate $\varepsilon$ from the statement of the theorem, take $\varepsilon < 1/\log_2 N$. Then our bound becomes four intervals of width $2X$ and solve the problem for each interval by finding solutions for the polynomials $f(x - 3X)$, $f(x - X)$, $f(x + X)$, and $f(x + 3X)$. Thus, we achieve a bound of $X \le N^{\beta^2/d}$, as desired.
We end with a brief lemma that will tell us how to optimize our parameters in equation (3.5).
As intuition, note that if we set the two terms $\ell\,\frac{m-1}{2k}$ and $nd\,\frac{k+1}{2m}$ roughly equal to $\frac{n\beta}{2}$, then we have $\ell m^2 \approx ndk^2 \approx n\beta mk$ and hence $\ell \approx n\beta^2/d$. The proof amounts to making this precise.
Proof. It suffices to show that these values of $m$ and $k$ satisfy $n\left(\frac{\beta^2}{d} - \varepsilon\right)\frac{m-1}{2k} < \frac{n\beta}{2}$ and $nd\,\frac{k+1}{2m} \le \frac{n\beta}{2}$. The first inequality is equivalent to $\frac{k}{m-1} > \frac{\beta}{d} - \frac{\varepsilon}{\beta}$. Similarly, the second is equivalent to $\frac{k+1}{m} \le \frac{\beta}{d}$. If we set $k = \lfloor \beta m/d \rfloor - 1$, then $\frac{k+1}{m} \le \frac{\beta}{d}$, so the second inequality is satisfied. If in addition we take $m \ge 2\beta/\varepsilon$, then $\varepsilon m/\beta \ge 2$ and hence $k > \frac{\beta m}{d} - 2 \ge \frac{\beta m}{d} - \frac{\varepsilon m}{\beta}$. It follows that $k\,\frac{m}{m-1} > \frac{\beta m}{d} - \frac{\varepsilon m}{\beta}$, which is equivalent to the first inequality.
It is also worth noting that improving the approximation factor for the length of the short lattice vector that we find will only improve the constants and running time of the theorem, but will not provide an asymptotic improvement to the bound $N^{\beta^2/d}$ on $|w|$.
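As an added, runnable illustration of the lattice just described (this is not code from the paper), the block below carries out the construction for the RSA example of the introduction: $f(x) = x + r$ with $d = 1$, $k = 3$ and $t = 3$, so the lattice has dimension $m = 6$ and determinant $X^{15} N^{6}$. The two primes, the bound $X = 2^{10}$, the use of a textbook rational-arithmetic LLL, and the scan used to read off the integer roots of $Q$ are all assumptions of the example. With these parameters the LLL guarantee gives $|Q(xX)|_1 \le \sqrt{6}\cdot 2^{5/4}\, X^{5/2} N < N^{3/2} \le p^3$, so $Q(w) = 0$ is forced and the short vector yields the factorization.

```python
# Coppersmith's method (Section 3) for f(x) = x + r, d = 1, on the RSA example of the
# introduction: N = p q with the high-order bits of p known.  Added example, not the
# paper's code; the LLL is a textbook rational-arithmetic version, the instance is constructed.
from fractions import Fraction
from math import gcd

def poly_mul(a, b):
    """Product of integer polynomials as coefficient lists, low degree first."""
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return r

def lll(basis, delta=Fraction(3, 4)):
    """LLL with delta = 3/4: the output contains v with |v|_2 <= 2^((m-1)/4) det(L)^(1/m)."""
    B = [list(row) for row in basis]
    n = len(B)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu

    Bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                  # size reduction of b_k
            q = round(mu[k][j])
            if q:
                B[k] = [x - q * y for x, y in zip(B[k], B[j])]
                Bs, mu = gram_schmidt()
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                      # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return B

def coppersmith_linear(r, N, X, k=3, t=3):
    """Every w with |w| <= X for which gcd(r + w, N) is a nontrivial factor of N, found from a
    short vector of the lattice spanned by the coefficient vectors of (xX)^j f(xX)^i N^(k-i)
    with f(x) = x + r.  Also returns |Q(xX)|_1, the quantity bounded in (3.3) and (3.4)."""
    f, m = [r, 1], k + t
    fpow = [[1]]
    for _ in range(k):
        fpow.append(poly_mul(fpow[-1], f))
    rows = [[c * N ** (k - i) for c in fpow[i]] for i in range(k)]   # f^i N^(k-i), degree i
    rows += [[0] * j + fpow[k] for j in range(t)]                    # x^j f^k, degree k + j
    # Coefficient vectors of g(xX): column s carries X^s; the basis matrix is upper triangular.
    B = [[(row[s] if s < len(row) else 0) * X ** s for s in range(m)] for row in rows]
    v = min(lll(B), key=lambda row: sum(x * x for x in row))
    q = [c // X ** s for s, c in enumerate(v)]                         # Q(x) from Q(xX), exact
    # Howgrave-Graham: b^k | Q(w) for every w with |w| <= X and b = gcd(f(w), N), while
    # |Q(w)| <= |Q(xX)|_1; once that norm is below b^k, Q(w) = 0 over Z.  With this toy X
    # the integer roots of Q (degree < m) are read off by a scan; at cryptographic sizes
    # one factors Q over the rationals instead.
    roots = [w for w in range(-X, X + 1) if sum(c * w ** s for s, c in enumerate(q)) == 0]
    return [(w, gcd(r + w, N)) for w in roots if 1 < gcd(r + w, N) < N], sum(map(abs, v))

def rsa_partial_factor():
    """Constructed instance: p = 2^32 - 5, q = 2^31 - 1 (both prime); top 22 bits of p leak."""
    p, q = 4294967291, 2147483647
    N, X = p * q, 2 ** 10                       # p = r + w with 0 <= w < X = 2^10
    r = p - p % X                               # the leaked high-order part of p
    found, l1 = coppersmith_linear(r, N, X)
    # beta = 1/2, k = 3: the guarantee needs |Q(xX)|_1 < N^(3/2), i.e. l1^2 < N^3.
    assert l1 ** 2 < N ** 3
    return found

if __name__ == "__main__":
    print(rsa_partial_factor())        # [(1019, 4294967291), (1022, 2147483647)]
```

The same vector also exposes $q$: $r + 1022 = 2q$ shares the factor $q$ with $N$, and $q^3$ still exceeds the norm bound, so $Q(1022) = 0$ as well, exactly as the theorem promises for every $w$ with a large $\gcd(f(w), N)$. The tiny $X$ means this instance could be brute-forced; what scales is the guarantee, which depends only on the determinant of the lattice.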

Polynomials and Reed-Solomon list decoding
In this section, we prove Theorem 1.2 using an approach analogous to that of the previous section. Guruswami and Sudan's technique for list decoding of Reed-Solomon codes [21] is similar in that it involves constructing a bivariate polynomial that vanishes to high degree at particular points. To construct such a polynomial, they write each vanishing condition as a set of linear equations on the coefficients of the polynomial under construction. The linear equations can be solved to obtain the desired polynomial, and the polynomial factored to obtain its roots.
Similarly, the polynomials used in Coppersmith's method are constructed in order to vanish to high degree, the condition ensured by equation (3.1). The conceptual difference is that this condition follows from the form of the lattice basis, rather than being imposed as linear constraints. With the right definition of lattice basis reduction in the polynomial setting, we can emulate the proof from the integer case.
We regard $f(x)$ as a polynomial in $x$ with coefficients that are polynomials in the variable $z$. To prove Theorem 1.2, we would like to construct a polynomial $Q(x)$ over $F[z]$ from the polynomials $x^j f(x)^i p(z)^{k-i}$. If $b(z)$ divides both $p(z)$ and $f(w(z))$, then $b(z)^k$ divides $w(z)^j f(w(z))^i p(z)^{k-i}$ and thus also any linear combination of such polynomials.
Instead of an integer combination of these polynomials, we will allow coefficients that are polynomials in $z$. Let If we have an upper bound on the degree of our root $w(z)$, then the degree of $Q(w(z))$ will be If similarly we have a lower bound $n\beta$ on the degree of $b(z)$, then if we know that both then we may conclude that $Q(w(z)) = 0$.

Proof of Theorem 1.2
We will show how finding a short vector in a lattice of polynomials will allow us to construct a polynomial $Q(x)$ satisfying (4.1). Let $\ell$ be the upper bound on the degree of the roots $w(z)$ we would like to find. Using the same idea to bound the length of the vector as in the integer case, we will form a lattice of the coefficient vectors of $(z^{\ell} x)^j f(z^{\ell} x)^i p(z)^{k-i}$ for $0 \le j < d$ and $0 \le i < k$. As always, we view them as polynomials in powers of $x$ with coefficients that are polynomials in $z$.
Let $M$ be the $F[z]$-module spanned by the coefficient vectors of these polynomials, with the degree of a vector defined by (2.1). The matrix of coefficient vectors of the basis is upper triangular, so its determinant is the product of the diagonal entries. Set $m = kd + t$. Hence Since the dimension of our lattice is $m$, by Theorem 2.3 we can find a vector of degree at most $\frac{1}{m}\left(\ell\,\frac{m(m-1)}{2} + nd\,\frac{k(k+1)}{2}\right)$.
To prove (4.1), we would like this bound to be less than $\beta k n$. By Lemma 3.1, we can achieve any $\ell \le n(\beta^2/d - \varepsilon)$. If we set $\varepsilon < 1/(n^2 d)$ then this becomes $\ell < \beta^2 n/d$, as desired, because $\beta$ can be taken to have denominator $n$.
Note that we cannot achieve degree equal to $\beta^2 n/d$ (as opposed to strict inequality): for the equation $x^d \equiv 0 \pmod{p(z)^d}$, there are infinitely many solutions $x = c\,p(z)$ if $F$ is infinite.

Reed-Solomon list decoding and noisy polynomial interpolation
A Reed-Solomon code is determined by evaluating a polynomial w(z) ∈ F q [z] of degree at most at a collection of points (x 1 , . . . , x n ) to obtain a codeword (w(x 1 ), . . . , w(x n )). In the Reed-Solomon decoding problem, we are provided with (y 1 , . . . , y n ), where at most e values have changed, and we want to recover w(z) by finding a polynomial of degree at most that fits at least n − e points (x i , y i ). Guruswami and Sudan [21] showed how to correct e < n − √ n errors by providing a list of all possible decodings.
A related problem is that of noisy polynomial interpolation, where at each location x i a set {y i1 , . . . , y id } of values is specified, and the goal is to find a low-degree polynomial passing through a point from each set. This problem has been proposed as a cryptographic primitive, for example by Naor and Pinkas [36], and studied by Bleichenbacher and Nguyen [4].
We can use Theorem 1.2 to solve both problems, and in particular recover the exact decoding rates of Guruswami-Sudan. The input to our problem is a collection of points We set p(z) = i (z − x i ), and we define a monic polynomial f (x) of degree d in x by We have constructed f (x) by interpolation so that f (x) ≡ j (x − y ij ) (mod (z − x i )). Thus, f (y ij ) = 0 whenever z = x i .
To correct e errors, we seek a polynomial w(z) of degree at most such that for at least n − e values of i, there exists a j such that $w(x_i) = y_{ij}$. In other words, f(w(z)) must be divisible by at least n − e factors $z - x_i$, which is equivalent to $\deg_z \gcd(f(w(z)), p(z)) \ge n - e$. Theorem 1.2 tells us that we can solve this problem in polynomial time if the degree bound is $< n(1 - e/n)^2/d$ (since β = 1 − e/n in the notation of the theorem). That is equivalent to the Guruswami-Sudan bound e < n − √ n d.
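The reduction just described, as an added worked example that is not code from the paper: over the prime field GF(17) (a constructed choice) it builds $p(z) = \prod_i (z - x_i)$ and the monic $f(x) \in \mathbb{F}_q[z][x]$ by Lagrange interpolation of each x-coefficient, checks that $f(y_{ij}) = 0$ at $z = x_i$, and reports $\deg_z \gcd(f(w(z)), p(z))$ for a candidate w(z), which is the number of positions where w agrees with one of the supplied values. The evaluation points, the value sets, the true codeword polynomial w(z) = 3 + 2z and the two corrupted positions are all constructed for the example.

```python
# Added example, not from the paper: the reduction of noisy polynomial
# interpolation (and Reed-Solomon decoding, the case d = 1) to the condition
# deg_z gcd(f(w(z)), p(z)) >= n - e.  Arithmetic is over the prime field GF(P);
# polynomials in z are coefficient lists, lowest degree first.
P = 17  # constructed choice of field size for the example

def pmod(a):
    """Reduce coefficients mod P and strip leading zeros ([] is the zero polynomial)."""
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def padd(a, b):
    n = max(len(a), len(b))
    return pmod([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)
                 for i in range(n)])

def pmul(a, b):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return pmod(r)

def pscale(a, c):
    return pmod([c * x for x in a])

def prem(a, b):
    """Remainder of a divided by b (b nonzero), by schoolbook long division."""
    a, b = pmod(a), pmod(b)
    inv = pow(b[-1], -1, P)
    while len(a) >= len(b):
        shift = len(a) - len(b)
        a = padd(a, pscale([0] * shift + b, -(a[-1] * inv)))
    return a

def pgcd(a, b):
    while b:
        a, b = b, prem(a, b)
    return a

def peval(a, z0):
    r = 0
    for c in reversed(a):
        r = (r * z0 + c) % P
    return r

def lagrange(xs, vals):
    """The polynomial in z of degree < len(xs) taking value vals[i] at xs[i]."""
    total = []
    for i, xi in enumerate(xs):
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = pmul(num, [-xj, 1])   # factor (z - x_j)
                den = den * (xi - xj) % P
        total = padd(total, pscale(num, vals[i] * pow(den, -1, P)))
    return total

def build_p_and_f(xs, ysets):
    """p(z) = prod_i (z - x_i) and the x-coefficients f_0, ..., f_d (polynomials
    in z) of the monic f(x) with f(x) = prod_j (x - y_ij) mod (z - x_i)."""
    d = len(ysets[0])
    p = [1]
    for xi in xs:
        p = pmul(p, [-xi, 1])
    local = []                      # per i: coefficients of prod_j (x - y_ij)
    for ys in ysets:
        poly = [1]
        for y in ys:
            poly = pmul(poly, [-y, 1])
        local.append(poly)          # length d + 1, leading coefficient 1
    # interpolate each x-coefficient in z separately; the x^d coefficient is 1
    return p, [lagrange(xs, [local[i][s] for i in range(len(xs))])
               for s in range(d + 1)]

def f_at(fcoeffs, w):
    """f(w(z)) as a polynomial in z, for w(z) given by its coefficient list."""
    result, wpow = [], [1]
    for fs in fcoeffs:
        result = padd(result, pmul(fs, wpow))
        wpow = pmul(wpow, w)
    return result

def f_vanishes(xs, ysets):
    """Check f(y_ij) = 0 at z = x_i for every supplied value."""
    _, fcoeffs = build_p_and_f(xs, ysets)
    return all(sum(peval(fs, xi) * pow(y, s, P) for s, fs in enumerate(fcoeffs)) % P == 0
               for xi, ys in zip(xs, ysets) for y in ys)

def agreement_degree(xs, ysets, w):
    """deg_z gcd(f(w(z)), p(z)) = number of i with w(x_i) in {y_i1, ..., y_id}."""
    p, fcoeffs = build_p_and_f(xs, ysets)
    return len(pgcd(f_at(fcoeffs, w), p)) - 1

# Constructed sample: n = 7 points, d = 2 candidate values per point, true
# codeword w(z) = 3 + 2z, and e = 2 positions (x = 4 and x = 7) where neither
# candidate equals w(x_i).
XS = [1, 2, 3, 4, 5, 6, 7]
YSETS = [[5, 8], [7, 1], [9, 2], [4, 10], [13, 6], [15, 3], [12, 16]]
W_TRUE = [3, 2]

if __name__ == "__main__":
    print(f_vanishes(XS, YSETS))                 # True
    print(agreement_degree(XS, YSETS, W_TRUE))   # 5 = n - e
    print(agreement_degree(XS, YSETS, [0, 1]))   # 1: w(z) = z agrees only at x = 4
```

Because p(z) is squarefree, the gcd degree counts exactly the points at which f(w(z)) vanishes, so a decoder only has to compare it with n − e; the lattice construction of Section 4 is what produces candidate w without trying them one by one.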

Running time
The Guruswami-Sudan algorithm consists of two parts: constructing the polynomial Q(x), and finding the roots of Q(x) in $\mathbb{F}_q[z]$. In this paper, we do not address the second part, but we improve the running time of the first part, which has been the bottleneck in the algorithm. The time to construct Q is dominated by the lattice basis reduction step, which depends on the dimension m of the lattice and the maximum degree D of a coefficient polynomial. Lemma 3.1 tells us that we have m = O(β/ε), where ε has been defined so that the degree bound equals $n(\beta^2/d - \varepsilon)$, and we can assume D < nk, since we can reduce the coefficients of Q(x) modulo $p(z)^k$, which has degree nk. The parameter k is set to O(βm/d).

Background on number fields
See [28] for a beautiful introduction to computational algebraic number theory, or [9] for a more comprehensive treatment.
Recall that number fields are finite extensions of the field Q of rational numbers. Each number field K is generated by some algebraic number α, and the elements of the number field are polynomials in α with rational coefficients. If the minimal polynomial p(x) of α (the lowest-degree polynomial over Q, not identically zero, for which α is a root) has degree n, then every element of K = Q(α) will be a polynomial in α of degree at most n − 1. In other words, $\mathbb{Q}(\alpha) = \{a_0 + a_1\alpha + \cdots + a_{n-1}\alpha^{n-1} : a_0, \dots, a_{n-1} \in \mathbb{Q}\}$.
The degree of K is defined to be n. It is the dimension of K as a Q-vector space.
The minimal polynomial p(x) must be irreducible over Q, and thus it has n distinct complex roots $\alpha_1, \dots, \alpha_n$ (one of which is α). Not all of these roots will necessarily be in the field K = Q(α).
For example, the field $\mathbb{Q}(\sqrt[3]{2})$ is contained in $\mathbb{R}$ and thus does not contain either of the complex roots of $x^3 - 2$.
For each i from 1 to n, we can define an embedding $\sigma_i$ of K into $\mathbb{C}$ by mapping α to $\alpha_i$ and extending by additivity and multiplicativity. All embeddings into $\mathbb{C}$ arise in this way. If p has $r_1$ real roots and $r_2$ pairs of complex conjugate (non-real) roots, then there will be $r_1$ real embeddings and $2r_2$ complex embeddings.
The absolute values on K are defined by

The norm is a natural measure of size for both ideals and individual elements in $O_K$. It might be tempting to use the norm as our measure of the size of the roots of the polynomial in Theorem 1.3. However, that does not work, because $O_K$ typically has infinitely many units (elements of norm 1). For example, the powers of $(1 + \sqrt{5})/2$ are units in $\mathbb{Z}[(1 + \sqrt{5})/2]$, which means the equation $x^2 \equiv 0 \pmod{4}$ has infinitely many solutions of norm at most $N(4)^{1/2} = N(2) = 4$, namely the numbers $2\bigl((1 + \sqrt{5})/2\bigr)^k$ for $k \in \mathbb{Z}$. Thus, bounding the norm alone is insufficient even to guarantee that there will be only finitely many solutions, but bounding all the absolute values suffices.
The ring $O_K$ has an integral basis $\omega_1, \dots, \omega_n$ (i.e., a basis such that every element of $O_K$ can be expressed uniquely in the form $\sum_i a_i \omega_i$ with $a_i \in \mathbb{Z}$). We assume we are given such a basis, because finding one is computationally difficult (see Theorem 4.4 in [28]). Any reasonably explicit description of $O_K$ will yield an integral basis. Fortunately, such a description is known for many concrete examples of number fields, such as cyclotomic fields. Furthermore, if we are working with a fixed number field, finding an integral basis for $O_K$ can be done with only a fixed amount of preprocessing. We also assume that ideals in $O_K$ are given in terms of integral bases. It is not difficult to convert any other description of an ideal (such as generators over $O_K$) to an integral basis.
If we do not know the full ring $O_K$ of integers, we could nevertheless work with an order in K, i.e., a finite-index subring of $O_K$. Everything we need works just as well for orders, with one exception, namely that the norm is no longer multiplicative for ideals. Fortunately, it remains multiplicative for invertible ideals (see Proposition 4.6.8 in [9]), and Coppersmith's theorem generalizes to invertible ideals. Specifically, we can find small roots of polynomial equations modulo an invertible ideal I, or modulo any invertible ideal B that contains I and satisfies $N(B) \ge N(I)^{\beta}$.
Finally, polynomials over number fields can be factored in polynomial time [26].

Modules and canonical embeddings
The analogue of a lattice for $O_K$ is a finitely generated $O_K$-submodule of the r-dimensional K-vector space $K^r$. Recall that an $O_K$-submodule is a non-empty subset that is closed under addition and under multiplication by any element in $O_K$. Unlike the case of $\mathbb{Z}$-lattices, $O_K$-lattices may not have bases over $O_K$. However, an $O_K$-lattice Λ always has a pseudo-basis, i.e., a collection of vectors $v_1, \dots, v_s \in \Lambda$ and ideals $I_1, \dots, I_s \subseteq O_K$ such that $\Lambda = I_1 v_1 + \cdots + I_s v_s$.
The key difference from $\mathbb{Z}$ is that the ideals may not be principal (i.e., they may not simply be the multiples of single elements of $O_K$). A natural approach to finding a short vector in an $O_K$-lattice would be to find an algorithm to reduce a pseudo-basis. Fieker and Pohst [14] developed an $O_K$-analogue of the LLL lattice basis reduction algorithm, but they were unable to prove that their algorithm runs in polynomial time. More recently, Fieker and Stehlé [15] have given a polynomial-time algorithm to find a reduced pseudo-basis in an $O_K$-module. Their algorithm runs in two parts. The first is to apply LLL to an embedding of the $O_K$-module as a $\mathbb{Z}$-lattice to find a full-rank set of short module elements, and the second uses this collection of module elements to reduce the pseudo-basis.
As our application only requires finding a short vector in the module, we do not need the second step of the Fieker-Stehlé algorithm. The remainder of this section describes how to use LLL to find a short vector in an $O_K$-lattice.
Although $O_K$-lattices are an algebraic analogue of $\mathbb{Z}$-lattices, their geometry is not as easy to see directly from the definition. It might seem natural simply to use one of the absolute values to define the 2-norm for vectors, but that breaks the symmetry between them. Instead, it is important to treat each absolute value on an equal footing, and the canonical embedding (defined below) allows us to do so.
so $O_K$ is mapped to the $\mathbb{Z}$-linear combinations of the rows. The discriminant $\Delta_K$ of K is defined by

It is an integer that measures the size of the ring of integers in K.
The canonical embedding of the principal ideal generated by an element γ is generated by the rows of the matrix product

More generally, suppose we have an ideal B generated by an integral basis $b_1, \dots, b_n$. Let $M_B$ be the matrix defined by

The canonical embedding of B is generated by the rows of

Note that the absolute value of the determinant of σ

Finally, we can easily extend the canonical embedding from $O_K$ to $O_K^r$ by embedding each of the r coordinates independently. Given a pseudo-basis $v_1, \dots, v_r$ with corresponding ideals $I_1, \dots, I_r$, the canonical embedding of the lattice is generated by the rows of the block matrix whose ij block of size n × n is equal to

where $v_{ij}$ is the j-th component of $v_i$. The inner product on $\mathbb{R}^{r_1} \oplus \mathbb{C}^{2r_2}$ is given by the usual dot product on $\mathbb{R}$ and the Hermitian inner product on $\mathbb{C}$ (i.e., $\langle x, y \rangle = x\bar{y}$ for $x, y \in \mathbb{C}$). Thus, it is positive definite.
The canonical embedding's image lies within an n-dimensional real subspace, because the complex embeddings come in conjugate pairs. In fact, we can transform it into a simple real embedding. To do so, consider the $r_2$ pairs of complex embeddings. For each pair $(\sigma_j(\gamma), \sigma_k(\gamma))$ of complex embeddings that are conjugates of each other, we can map the pair to $(\sqrt{2}\,\mathrm{Re}(\sigma_j(\gamma)), \sqrt{2}\,\mathrm{Im}(\sigma_j(\gamma)))$. The reason for the factor of $\sqrt{2}$ is to ensure that the inner product is preserved. Furthermore, the absolute value of the determinant is preserved.
Once we have a real embedding of our $O_K$-lattice, we can apply the LLL algorithm to find a short vector in the real embedded lattice, which will correspond to a short vector in the original $O_K$-lattice. Unfortunately, using LLL in the canonical embedding does not preserve the $O_K$-structure, so it does not produce a reduced pseudo-basis over $O_K$, but a short vector is sufficient for our purposes here.
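The canonical embedding and its real form, as an added worked example that is not code from the paper: it takes K = Q(∛2) with integral basis 1, α, α², builds the real embedding matrix using the (√2 Re, √2 Im) replacement for the conjugate pair, and checks numerically that the squared determinant equals |∆_K| = 108 and that the real form preserves the inner product. It also checks the unit phenomenon mentioned above for the elements 2((1+√5)/2)^k of Z[(1+√5)/2]: each has |N| = 4, while the largest of its absolute values grows without bound. The choice of the two fields, the small Gaussian-elimination determinant and all sample elements are this example's own.

```python
# Added example, not from the paper: the canonical embedding of K = Q(alpha)
# made concrete, with the real form obtained by replacing each conjugate pair
# by (sqrt2 Re, sqrt2 Im), plus the unit phenomenon in Z[(1 + sqrt5)/2].
# The two fields and all sample elements are our own choices.
import cmath
import math

def embed_element(coeffs, roots):
    """sigma_i(gamma) for gamma = sum_j coeffs[j] alpha^j, one value per root alpha_i."""
    return [sum(c * r ** j for j, c in enumerate(coeffs)) for r in roots]

def to_real(values, n_real):
    """Real form of an embedded vector.  Assumes the roots are listed as the
    n_real real roots first, then each complex root followed by its conjugate."""
    out = [complex(v).real for v in values[:n_real]]
    for k in range(n_real, len(values), 2):
        out += [math.sqrt(2) * values[k].real, math.sqrt(2) * values[k].imag]
    return out

def canonical_matrix(basis, roots, n_real):
    """Rows: real canonical embedding of each integral-basis element."""
    return [to_real(embed_element(b, roots), n_real) for b in basis]

def det(M):
    """Determinant by Gaussian elimination with partial pivoting (small matrices)."""
    M = [row[:] for row in M]
    n, d = len(M), 1.0
    for i in range(n):
        piv = max(range(i, n), key=lambda r: abs(M[r][i]))
        if abs(M[piv][i]) < 1e-12:
            return 0.0
        if piv != i:
            M[i], M[piv] = M[piv], M[i]
            d = -d
        d *= M[i][i]
        for r in range(i + 1, n):
            fac = M[r][i] / M[i][i]
            for c in range(i, n):
                M[r][c] -= fac * M[i][c]
    return d

# K = Q(cbrt 2): one real embedding and one conjugate pair (r1 = 1, r2 = 1),
# integral basis 1, alpha, alpha^2, discriminant -108.
CBRT2 = 2 ** (1 / 3)
CUBIC_ROOTS = [complex(CBRT2),
               CBRT2 * cmath.exp(2j * math.pi / 3),
               CBRT2 * cmath.exp(-2j * math.pi / 3)]
CUBIC_BASIS = [[1], [0, 1], [0, 0, 1]]

def cubic_det_squared():
    """det(real canonical embedding of O_K)^2; should equal |Delta_K| = 108."""
    return det(canonical_matrix(CUBIC_BASIS, CUBIC_ROOTS, 1)) ** 2

def norms_agree(coeffs):
    """Squared length of sigma(gamma) computed in C^n and in the real form."""
    vals = embed_element(coeffs, CUBIC_ROOTS)
    return (sum(abs(v) ** 2 for v in vals),
            sum(x * x for x in to_real(vals, 1)))

# Z[phi], phi = (1 + sqrt5)/2: two real embeddings.  2 phi^k has norm +-4 for
# every integer k, yet its absolute values are unbounded as |k| grows.
PHI_ROOTS = [(1 + math.sqrt(5)) / 2, (1 - math.sqrt(5)) / 2]

def two_phi_power(k):
    """(a, b) with 2 phi^k = a + b phi, using phi^2 = phi + 1 and 1/phi = phi - 1."""
    a, b = 2, 0
    for _ in range(abs(k)):
        a, b = (b, a + b) if k > 0 else (b - a, a)
    return a, b

def norm_and_max_abs(k):
    """(|N(2 phi^k)| rounded to an integer, max_i |sigma_i(2 phi^k)|)."""
    vals = embed_element(two_phi_power(k), PHI_ROOTS)
    return round(abs(vals[0] * vals[1])), max(abs(v) for v in vals)

if __name__ == "__main__":
    print(cubic_det_squared())                          # about 108.0
    print(norms_agree([1, 1, 1]))                       # two equal numbers
    print([norm_and_max_abs(k) for k in (-4, 0, 4, 8)]) # norm 4 each, growing max
```

The determinant check is the numerical form of the fact that the canonical embedding of $O_K$ has covolume $\sqrt{|\Delta_K|}$, and the Z[φ] check is exactly why Theorem 1.3 bounds every absolute value rather than the norm.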

Proof of the theorem for number fields
The following lemma is the analogue of the statement over the integers that a multiple of n that is strictly less than n in absolute value must be zero.

Proof. Consider the principal ideal $\gamma O_K$ generated by a nonzero element γ of I. The ideal I contains $\gamma O_K$, and thus $|O_K/I| \le |O_K/\gamma O_K|$. Because $N(I) = |O_K/I|$ and $|N(\gamma)| = |O_K/\gamma O_K|$, we have $|N(\gamma)| \ge N(I)$, as desired.
Proof of Theorem 1.3. As in the previous proofs, we will construct a polynomial Q(x) in the $O_K$-module generated by

Note that because of the ideals $I^{k-i}$, this is really a pseudo-basis rather than a basis. Let m = dk + t. To represent this module, we will write down an nm × nm matrix whose rows are a $\mathbb{Z}$-basis for a weighted version of the module's canonical embedding. Finding a short vector in this lattice will correspond to finding a Q that satisfies our bounds.
Our lattice is constructed much as before, except that in place of a single entry for each coefficient of $x^j f(x)^i I^{k-i}$, we will have an n × n block matrix. Let $f_{sij}$ be the coefficient of $x^s$ in $x^j f(x)^i$. Then we form the ideal $f_{sij} I^{k-i}$, which has an integral basis $b_1, \dots, b_n$. We incorporate the bounds $\lambda_i$ on each absolute value into our canonical embedding for the s-th coefficient of

This is equal to the product of the matrix with $\lambda_1^s, \dots, \lambda_n^s$ on the diagonal with the canonical embedding σ(b), so the absolute value of the determinant of the block is $\lambda_1^s \cdots \lambda_n^s\,|\Delta_K|\,|N(f_{sij})|\,N(I)^{k-i}$.

Now consider a vector v in this lattice and the polynomial $Q(x) = \sum_j q_j x^j$ that it represents. If $|w|_i < \lambda_i$ for all i, then we can bound |N(Q(w))| using the 1-norm by applying the arithmetic mean-geometric mean inequality. We have

Thus,

As in the integer case, LLL produces a nonzero vector v whose 1-norm is bounded by

Note that here, $|v_i|_j$ denotes the j-th number field norm applied to the i-th entry of v. Now it remains to compute the determinant of our weighted canonical embedding. The lattice basis we produced in our construction is block upper triangular, so the determinant is the product of the blocks on the diagonal. Letting $\prod_i \lambda_i = X$, we get

Thus, we have

Recall that if $|w|_i < \lambda_i$ for all i, then $|N(Q(w))| \le \frac{1}{n^n}\,|v|_1^n$.
We will compute a c so that

Then by the same analysis as in the proof of Theorem 1.1, we can prove the theorem with a bound of $\frac{1}{c} N(I)^{\beta^2/d - \varepsilon}$ on the product $\prod_i \lambda_i$. A simple asymptotic analysis shows that we can take $c = (2 + o(1))^{n^2/2}$ as m → ∞. Thus, we achieve a bound of

As before, we can take ε = 1/log N(I) to achieve in fact $(2 + o(1))^{-n^2/2} N(I)^{\beta^2/d}$. Note that so far, everything runs in polynomial time, with no exponential dependence on n. Unfortunately, removing the factor of $(2 + o(1))^{-n^2/2}$ is computationally expensive. We can use the same trick as in Theorem 1.1. In the canonical embedding of $O_K$, the region we would like to cover is a box of dimensions $2\lambda_1 \times \cdots \times 2\lambda_n$ (the factor of 2 comes from including positive and negative signs). The proof so far shows that we can deal with a box that is a factor of $(2 + o(1))^{-n/2}$ smaller in each coordinate. We can cover the large box with $(2 + o(1))^{n^2/2}$ of the smaller ones and compute the solutions in each smaller box in polynomial time, but the total running time becomes exponential in $n^2$.

Solving the closest vector problem in ideal lattices
In [37], Peikert and Rosen proposed using the closest vector problem for ideal lattices as a hard problem for use in constructing lattice-based cryptosystems. In [31], Lyubashevsky, Peikert, and Regev gave hardness reductions for such cryptosystems via the bounded-distance decoding problem, defined for the ∞-norm as follows. Given an ideal I in $O_K$, a distance δ, and an element y ∈ K, find y + w ∈ I such that $\|w\|_\infty < \delta$, where $\|\cdot\|_\infty$ denotes the ∞-norm on K (i.e., the maximum of the n absolute values).
(Of course, this is somewhat worse than using LLL directly.) Note also that if y ∈ $O_K$, then we can rescale y and I by a positive integer to reduce to the previous case.
If the $(2 + o(1))^{-n^2/2}$ could be improved to $2^{-n}|\Delta_K|$, then we could solve the bounded-distance decoding problem up to half the minimal distance, by the same argument as above with $\lambda_1 = \cdots = \lambda_n = |\Delta_K|^{1/(2n)} N(I)^{1/n}/2$. This suggests that it will be difficult to remove the multiplicative factor entirely.

Function Fields
Much as number fields are finite extensions of Q, function fields are finite extensions of the field $\mathbb{F}_q(x)$ of rational functions over a finite field $\mathbb{F}_q$. They arise naturally from algebraic curves over $\mathbb{F}_q$, as the field of rational functions on the curve. For example, for a plane curve defined by the polynomial equation f(x, y) = 0, the function field will be $\mathbb{F}_q(x, y)/(f(x, y))$ (i.e., rational functions of x and y, where the variables satisfy f(x, y) = 0). See [42] and [38] for background on function fields, and [30] for a beautiful account of the analogies between number fields and function fields.
More generally, let $\mathcal{X}$ be an algebraic curve over $\mathbb{F}_q$. Specifically, it must be a smooth, projective curve that remains irreducible over the algebraic closure of $\mathbb{F}_q$. Our function field K will be the field of rational functions on $\mathcal{X}$ defined over $\mathbb{F}_q$. (Note that we are assuming $\mathbb{F}_q$ is the full field of constants in K; in other words, each element of K is either in $\mathbb{F}_q$ or transcendental over $\mathbb{F}_q$.) Let $\mathcal{X}(\mathbb{F}_q)$ be the set of points on $\mathcal{X}$ with coordinates in $\mathbb{F}_q$. Every point $p \in \mathcal{X}(\mathbb{F}_q)$ gives a valuation $v_p$ on K, which measures the order of vanishing at that point. Poles are treated as zeros of negative order. The corresponding absolute value on K is defined by

(Note that this is not the p-norm on a vector; in this section, the p-norm will not be used.) In other words, high-order zeros make a function small, while poles make it larger. Not every absolute value on K is of this form: there is a slight generalization that corresponds to points defined over finite extensions of $\mathbb{F}_q$ (more precisely, Galois orbits of such points). For our purposes we can restrict our attention to the absolute values defined above, but in fact all our results generalize naturally to places of degree greater than 1.
In the number field case, the Archimedean absolute values (which come from the complex embeddings) play a special role, although there are infinitely many non-Archimedean absolute values as well, namely the p-adic absolute values measuring divisibility by primes. In the function field case, there are no Archimedean absolute values, and any set of absolute values can play the same role.
Let S be a nonempty subset of $\mathcal{X}(\mathbb{F}_q)$, and let $O_S$ be the subring of K consisting of all rational functions whose poles are confined to the set S. The ring $O_S$ is analogous to the ring of algebraic integers in a number field; in this analogy, the condition of having no poles outside S amounts to the condition that an algebraic integer has no primes in its denominator, because the valuations from points outside S correspond to the p-adic valuations.
For example, if $\mathcal{X}$ is the projective line (i.e., the ordinary line completed with a point at infinity), then K is simply the field $\mathbb{F}_q(z)$ of rational functions in one variable. If we let S = {∞} be the set consisting solely of the point at infinity, then $O_S$ is the set of rational functions that have poles only at infinity. In other words, it is the polynomial ring

Background on algebraic-geometric codes
Algebraic-geometric codes are a natural generalization of Reed-Solomon codes. They are of great importance in coding theory, because for certain finite fields they beat the Gilbert-Varshamov bound (which is the performance of a random code, and which aside from algebraic-geometric codes is the best bound known). See Section 8.4 in [42].
To define an algebraic-geometric code on $\mathcal{X}$, we specify for each point in S the maximum allowable order of a pole there (and we allow no poles outside of S). The space of functions satisfying these restrictions is a finite-dimensional $\mathbb{F}_q$-vector space, and we can produce an error-correcting code by looking at the evaluations of these functions at a fixed set of points (disjoint from S). This is typically described using the language of algebraic geometry. A divisor D on $\mathcal{X}$ is a formal $\mathbb{Z}$-linear combination of finitely many points on $\mathcal{X}$; the support of D is the set of points with nonzero coefficients. (We will restrict our attention to divisors supported at points in $\mathcal{X}(\mathbb{F}_q)$.) The divisor D is called effective, denoted $D \ge 0$, if all its coefficients are nonnegative. For every function $f \in K^*$, the principal divisor (f) is the sum of the zeros and poles of f, with their orders as coefficients. (The identically zero function does not define a principal divisor, since it has a zero of infinite order at every point.) The degree deg(D) of D is defined to be the sum of its coefficients, and the degree of a principal divisor is always zero.
Given a divisor D, the Riemann-Roch space L(D) is defined by

In other words, if the coefficient of p in D is k, then f can have a pole of order at most k at the point p. The space L(D) is a finite-dimensional $\mathbb{F}_q$-vector space, and the famous Riemann-Roch theorem describes its dimension:

where g is a nonnegative integer called the genus of the curve and W is a particular divisor called the canonical divisor. It follows that $\dim_{\mathbb{F}_q} L(D) \ge \deg(D) - g + 1$, and equality holds if deg(D) > 2g − 2.
To translate the definition of an algebraic-geometric code to this language, let D be the divisor with support in S whose coefficients specify the allowed order of a pole at each point, and let $p_1, \dots, p_n$ be distinct points in $\mathcal{X}(\mathbb{F}_q)$ but not in S. Then the corresponding algebraic-geometric code consists of the codewords $(w(p_1), \dots, w(p_n))$ for w ∈ L(D).
In the case of the projective line, let S = {∞}, so $O_S = \mathbb{F}_q[z]$, and let D = d∞. Then L(D) is the space of polynomials in $\mathbb{F}_q[z]$ of degree at most d. Thus, this construction yields Reed-Solomon codes as a special case. Theorem 1.4 corresponds to list decoding of algebraic-geometric codes in much the same way as Theorem 1.2 does for Reed-Solomon codes. The evaluation points $p_1, \dots, p_n$ correspond to prime ideals $P_1, \dots, P_n$ in $O_S$, where $P_i$ consists of the functions vanishing at $p_i$, and we can let I be the product $P_1 \cdots P_n$. If the received codeword is $(y_1, \dots, y_n) \in \mathbb{F}_q^n$, then we define the linear polynomial f so that $f(x) \equiv x - y_i \pmod{P_i}$ for all i.

Proof of Theorem 1.4
As in the number field case, we would like to deal with lattices over a simpler ring than $O_S$; there, we used the complex embeddings to construct a $\mathbb{Z}$-module. Here, we will use $\mathbb{F}_q[z]$-modules instead, but there is a key conceptual difference, because there are many embeddings of $\mathbb{F}_q[z]$ into $O_S$ and we must choose the correct one, while there is only one embedding of $\mathbb{Z}$ into $O_K$.
The property we would like z to have is that $|z|_p$ should be independent of p, as long as p ∈ S. In that case, the absolute values $|\cdot|_p$ with p ∈ S will all restrict to the same absolute value on the ring $R = \mathbb{F}_q[z]$, which we will denote $|\cdot|$.
When |S| = 1, we can choose any nonconstant element z of $O_S$. When |S| > 1, it is not as trivial, but fortunately there is always such an element:

Lemma 6.1. There exists an integer a ≥ 1 and an element $z \in O_S$ such that $v_p(z) = -a$ for all p ∈ S, and we can find such an element in probabilistic polynomial time.
Proof. Let $\Delta_a$ be the divisor $\sum_{p \in S} a\,p$ with coefficient a for each p ∈ S, and let g be the genus of the curve $\mathcal{X}$. If a|S| > 2g − 2, then by the Riemann-Roch theorem, $\dim_{\mathbb{F}_q} L(\Delta_a) = a|S| - (g - 1)$.
Furthermore, if a|S| > 2g − 1, then for each p ∈ S,

Thus, if |S| < q, then $L(\Delta_a)$ cannot be contained in the union of $L(\Delta_a - p)$ over all p ∈ S, and therefore there exists a function with poles of order exactly a at each point in S. If |S| < q/2, then it is easy to find such a function by random sampling, since at least half the elements in $L(\Delta_a)$ will work. (Recall that as mentioned in Section 1.4, we assume that we can efficiently compute bases of Riemann-Roch spaces.) This proof requires |S| < q, but the same idea works if we pass to a finite extension $\mathbb{F}_{q^i}$ of $\mathbb{F}_q$, and it can handle $|S| < q^i$. Thus, if we take i large enough, there exists a function defined over $\mathbb{F}_{q^i}$ with poles of equal order a at the points in S (and no poles elsewhere). Now multiplying the i conjugates of this function over $\mathbb{F}_q$ produces such a function over $\mathbb{F}_q$, as desired, with poles of order ai. Taking $q^i > 2|S|$ gives an efficient algorithm as well.
For the rest of this section, let z be such a function and let $R = \mathbb{F}_q[z]$. Then the ring $O_S$ is a free R-module of rank a|S| by Theorem 1.4.11 in [42], as is every nonzero ideal in $O_S$.
As in the previous proofs, we will construct a polynomial Q(x) in the $O_S$-module M generated by

The module M is a submodule of the $O_S$-module P of polynomials of degree less than m, which is a free $O_S$-module of rank m and hence a free R-module of rank ma|S|. Thus, as in the setting of Lemmas 2.2 and 2.3, we are working with an R-module contained in a free R-module.
We want Q(x) to have the property that for w ∈ L(D), $N(Q(w)) < N(I)^{\beta k}$.
In fact, we will bound N(Q(w)) by

and we will ensure that

Let $q_0, \dots, q_{m-1}$ denote the coefficients of Q, so

Then

Suppose the divisor D is given by

Then $|w|_p \le q^{\lambda_p}$ for w ∈ L(D), and thus

To emulate the analysis from Sections 3 and 4, we would like to find $X \in O_S$ such that $v_p(X) = -\lambda_p$ for all p ∈ S. However, such an element does not always exist. Instead, we will construct an element with the desired valuations at all but one point in S. This approach is a special case of the strong approximation theorem (Theorem 1.6.5 in [42] or Theorem 6.13 in [38]), but as we need only a weaker conclusion and must consider computational feasibility, we will give a direct proof.

Lemma 6.2. Suppose q ≥ 2|S|. Then for any point $p_0 \in S$ and each divisor $\sum_{p \in S} \mu_p\,p$ satisfying $\sum_{p \in S} \mu_p \ge 0$ and $\mu_{p_0} = 0$, there exists an element $X \in O_S$ such that $v_p(X) = -\mu_p$ for all $p \in S \setminus \{p_0\}$, and $v_{p_0}(X) = -2g$, where g is the genus of $\mathcal{X}$. Furthermore, we can construct such an X in probabilistic polynomial time.
Proof. Let $\Delta = \sum_{p \in S} \mu_p\,p + 2g\,p_0$. Then deg(∆) ≥ 2g, and it follows from Riemann-Roch that $\dim_{\mathbb{F}_q} L(\Delta) = \deg(\Delta) - (g - 1)$ and that $\dim_{\mathbb{F}_q} L(\Delta - p) = \dim_{\mathbb{F}_q} L(\Delta) - 1$ for all p ∈ S. We are looking for an element X in L(∆) but not in L(∆ − p) for any p ∈ S. By assumption we can construct these Riemann-Roch spaces, and because |S| ≤ q/2 at least half the elements of L(∆) will have the desired property, so we can find one by random sampling.
The assumption that q ≥ 2|S| will hold in most applications: most algebraic-geometric codes use a small set S, and in fact |S| cannot be much larger than q because $S \subseteq \mathcal{X}(\mathbb{F}_q)$ and $|\mathcal{X}(\mathbb{F}_q)| \le q + 2g\sqrt{q} + 1$ (see Theorem 5.2.3 in [42]). However, if |S| > q/2, then we can simply pass to a finite extension of $\mathbb{F}_q$. Thus, without loss of generality we can assume that q ≥ 2|S|. By assumption in Theorem 1.4, the support of D is a proper subset of S, so we can let $p_0 \in S$ be a point such that $\lambda_{p_0} = 0$. Because of the limitations of the strong approximation theorem, we require such a point to make the remainder of the proof work. This is not an obstacle to the applicability of the theorem, because algebraic-geometric codes will generally not use every point in $\mathcal{X}(\mathbb{F}_q)$ for poles or evaluation points, and if they do we can pass to a finite extension of $\mathbb{F}_q$ to generate more points. Note also that we can assume deg(D) ≥ 0, because otherwise L(D) is the empty set. Now, Lemma 6.2 lets us construct an element $X \in O_S$ such that $v_p(X) = -\lambda_p$ for $p \in S \setminus \{p_0\}$. This element has the property that $v_p(X^i) = -i\lambda_p$ for $p \in S \setminus \{p_0\}$. Unfortunately, the valuation at $p_0$ grows linearly with i as well, and that will damage our bounds. However, we can avoid that problem by applying Lemma 6.2 to construct elements $X_i$ so that $v_p(X_i) = -i\lambda_p$ for $p \in S \setminus \{p_0\}$ while maintaining $v_{p_0}(X_i) = -2g$. Of course we set $X_0 = 1$.
In terms of the elements $X_i$, we have

for $p \in S \setminus \{p_0\}$. Furthermore, this inequality holds for $p = p_0$ because $v_{p_0}(w) \ge 0 \ge v_{p_0}(X_i)$.
Define the norm of a polynomial $\sum_i c_i x^i \in P$ (with $c_i \in O_S$) by

Note that this defines a non-Archimedean norm on the free R-module P satisfying all three properties required in Section 2.3 (with the absolute value $|\cdot|$ on R). Here, we crucially use the fact that we have only one absolute value on R; if that were not the case, then property 3 would fail. Let T : P → P be the linear transformation that multiplies the degree i term by $X_i$. Then

Thus, it will suffice to construct a nonzero polynomial Q ∈ M such that $|TQ|^{|S|} < N(I)^{\beta k}$. Now we can apply Lemma 2.3. We need to determine two things: the geometric mean C of the norms of an R-basis of P and the dimension of the quotient P/TM. Then there exists a nonzero Q ∈ M such that $|TQ| \le C\,|z|^{\dim_{\mathbb{F}_q}(P/TM)/(a|S|m)} = C\,q^{\dim_{\mathbb{F}_q}(P/TM)/(|S|m)}$, because these R-modules have rank a|S|m and $|z| = q^a$.
Let $b_1, \dots, b_{a|S|}$ be any R-basis of $O_S$, and let

Then the elements $b_i x^j \in P$ (with 1 ≤ i ≤ a|S| and 0 ≤ j < m) form an R-basis of P, and the geometric mean of their norms is C because $|b_i x^j|$ is independent of the degree j.
To compute the dimension of P/TM, note that the generators of M are triangular (i.e., given by polynomials of each degree). Thus, we merely need to add the dimensions of the quotients of $O_S$ by the modules of leading coefficients. From the polynomials $X_{di+j}\,x^j f(x)^i I^{k-i}$, we see that the leading coefficients form the ideal $X_{di+j} I^{k-i}$. Thus,

We want to achieve $|TQ|^{|S|} < N(I)^{\beta k}$. Let $N(I) = q^n$, and set the degree bound to $\deg(D) + \frac{2}{m-1}\log_q\bigl(Cq^{2g}\bigr)$.
Then Lemma 3.1 applies, and shows that we can achieve $|TQ|^{|S|} < N(I)^{\beta k}$ whenever the degree bound is $< n\left(\beta^2/d - \varepsilon\right)$, which is equivalent to

We can take the denominator of β to be a divisor of n (because $N(I) = q^n$). Thus, $N(I)^{\beta^2/d}$ is an integral power of $q^{1/(nd)}$, as of course is $q^{\deg(D)}$, and to prove the bound in Theorem 1.4 it suffices to prove it to within a factor of less than $q^{1/(nd)}$. Now let $\varepsilon < 1/(2n^2 d)$ and $m > 1 + 4nd(2g + \log_q C)$. Then $N(I)^{\varepsilon}$ and $\bigl(Cq^{2g}\bigr)^{2/(m-1)}$ are both strictly less than $q^{1/(2n^2 d)}$. Thus, our algorithm works as long as