1. Introduction
1.1. Background and previous results
The following variant of the polynomial identity problem has been motivated by some cryptographic applications; see [2, 12] for further discussion and references.
Let be the finite field of elements of characteristic . We consider the Identity Testing from Powers for two “hidden” monic polynomials :
given oracles and that on every input output and for some large positive integer , decide whether .
We also consider the following problem, Interpolation from Powers, for a “hidden” monic polynomial :
given oracle that on every input outputs for some large positive integer , recover .
In particular, for a linear polynomial , with a ‘hidden’ , we denote . We remark that in this case there are two naive algorithms that work for linear polynomials:

For probabilistic testing one can query (and ) at randomly chosen elements until the desired level of confidence is achieved (note that the equation has at most solutions ).
These naive algorithms have been improved by Bourgain, Garaev, Konyagin and Shparlinski [2] in several cases (with respect to both the time complexity and the number of queries).
Furthermore, for linear polynomials , van Dam, Hallgren and Ip [9] provide a quantum polynomial time algorithm to find , see also [8], in the case of the oracle , with (and odd ). We remark that querying this oracle is equivalent to asking for the quadratic character of the computed value. Thus the oracle returns only one bit of information, making this the hardest case.
Russell and Shparlinski [15] have initiated the study of this question for nonlinear monic polynomials and, in the case of the oracle , for a prime , have designed several classical and quantum algorithms. More recently, several other algorithms, for an arbitrary , have been given in [12]. The algorithms from [12] usually improve on the above trivial interpolation and random sampling algorithms. However, in the setting of [12] the degree of the polynomials is assumed to be small.
Here we concentrate on the case of polynomials of large degree and fields of large characteristic , in particular, on the case of prime fields , and use a different approach to obtain new results in this case.
We also observe that if
then the above naive interpolation and random sampling algorithms both fail. Indeed, since queries from an extension field are not permitted, and may not have enough elements to make these algorithms work. This indicates that the difficulty of the problem grows with the degrees of the polynomials involved.
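The naive random sampling test for the oracles and , as an added Python illustration (not code from the paper): it derives the number of queries from the bound on the agreement points of two distinct monic polynomials of degree under an -th power, and refuses to run when that bound is vacuous. The cut-off used for the “field too small” case is an assumption standing in for the condition elided above, and the prime, exponent and polynomials are constructed toy values.

```python
import random

def poly_eval(coeffs, x, p):
    """Horner evaluation of c_0 + c_1 x + ... + c_d x^d at x in F_p (coeffs low to high)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def power_oracle(coeffs, e, p):
    """The oracle O_f of the paper: on input x it returns f(x)^e; f itself stays hidden."""
    return lambda x: pow(poly_eval(coeffs, x, p), e, p)

def agreement_count(f, g, e, p):
    """Brute-force count of x in F_p with f(x)^e == g(x)^e.

    For distinct monic f, g the polynomial f^e - g^e is nonzero of degree at most e*d, so
    the count never exceeds e*d.  Only used to check that bound: an algorithm that sees
    just the oracles cannot compute it."""
    return sum(1 for x in range(p)
               if pow(poly_eval(f, x, p), e, p) == pow(poly_eval(g, x, p), e, p))

def random_sampling_test(oracle_f, oracle_g, p, d, e, error=2.0 ** -40, rng=random):
    """Naive probabilistic Identity Testing from Powers for monic f, g of degree d.

    Returns (verdict, queries): False means f != g for certain; True means every sampled
    point agreed, which for f != g happens with probability at most (e*d/p)^queries.
    Assumed cut-off: when e*d >= p that bound is vacuous, so (None, 0) is returned."""
    if e * d >= p:
        return None, 0
    per_query = e * d / p
    queries = 1
    while per_query ** queries > error:
        queries += 1
    for _ in range(queries):
        x = rng.randrange(p)
        if oracle_f(x) != oracle_g(x):
            return False, queries
    return True, queries

if __name__ == "__main__":
    # Constructed toy instance: p = 10007, e = 100, hidden monic quadratics f, g (low to high).
    p, e, d = 10007, 100, 2
    f, g = [5, 3, 1], [7, 3, 1]
    print(random_sampling_test(power_oracle(f, e, p), power_oracle(g, e, p), p, d, e))
    print(agreement_count(f, g, e, p), "<=", e * d)
```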
Our approach is based on a new upper bound on the size of the intersection of the value set on consecutive integers of a rational function of large degree with a small subgroup of a finite field. Results of this type, complementing those of [11, 12, 17], are of independent interest; see also [2, 3, 4, 5, 6, 14, 16] for further results on related problems.
2. Main results
First we consider the identity testing case of two unknown monic polynomials of degree given the oracles and . We remark that if is an th power of a rational function over then it is impossible to distinguish between and from the oracles and .
We however impose a slightly stronger condition that is not a perfect power of a rational function.
Definition 2.1.
We say that a rational function is a nontrivial perfect power if for some rational function of positive degree and some positive integer .
Theorem 2.2.
There are absolute constants such that for a prime and a positive integer , given two oracles and for some unknown monic polynomials of degree such that
(2.1) 
and such that is a nontrivial perfect power, there is a deterministic algorithm to decide whether in at most
queries to the oracles and .
Next, we consider the interpolation problem for squarefree polynomials.
Theorem 2.3.
For any fixed there are constants such that for a prime and a positive integer , , given an oracle for some unknown monic squarefree polynomial of degree such that
there is a deterministic algorithm which makes at most
queries to the oracle and recovers the polynomial in time
3. Points with coordinates from subgroups on plane curves over
We recall that the notations , and are all equivalent to the statement that the inequality holds with some constant . Throughout the paper, any implied constants in these symbols are absolute; in particular, all estimates are uniform with respect to the degree , the exponent and the field characteristic .
Our argument relies on a result of Corvaja and Zannier [7, Corollary 2].
We also use for the algebraic closure of .
We also write and for the degree of in and respectively, and reserve for the total degree.
We say that is a torsion polynomial if it is of the form
(3.1) 
We remark that as we work over the algebraically closed field , the notions of irreducibility and absolute irreducibility coincide.
Lemma 3.1.
Assume that is an irreducible polynomial with which is not a torsion polynomial. For any multiplicative subgroups , we have
where
Proof.
To apply [7, Corollary 2] we need to estimate the Euler characteristic of the curve in terms of . For the genus we have the well-known estimate . The set from [7, Theorem 2] corresponding to the scenario of [7, Corollary 2] is the set of poles and zeros of the coordinate functions and , and thus . The result now follows.
We now need a version of Lemma 3.1 which applies to any curve.
Lemma 3.2.
Assume that is of degree and is not divisible by a torsion polynomial. For any multiplicative subgroups , we have
where
Proof.
If is an irreducible polynomial then the bound is immediate from Lemma 3.1. Otherwise we factor into irreducible (over ) components of degrees, say, and then we obtain
where, by the convexity argument,
which concludes the proof.
4. Nonvanishing of some resultants
We recall the following well-known statement, see for example [13, Lemma 6.54] (the proof extends from polynomials to rational functions without any changes).
Lemma 4.1.
Let be such that is not a perfect power of a rational function. Then for any integer the polynomial is irreducible.
Lemma 4.2.
Let be polynomials of degrees at most and be such that is not a perfect power of a rational function. Then for any integers the system of equations
with defines a zero dimensional variety, unless , and pairs are from a set of cardinality at most .
Proof.
If the result is trivial.
Changing the roles of and , we can always assume that .
Now, let . Since by Lemma 4.1 both polynomials are irreducible, they may have a common factor if and only if they are equal up to a factor from , and thus . Furthermore, comparing the leading coefficient of we conclude that
Hence . Now, comparing the parts which do not depend on we obtain hence and then .
We now consider the case and rewrite the equations as
Again, by Lemma 4.1, the polynomials involved are irreducible, hence . Comparing the parts which do not depend on we see that is uniquely defined and then is uniquely defined as well.
Lemma 4.3.
Let be polynomials of degrees at most and be such that is not a perfect power of a rational function. Then there is a set of cardinality such that for the resultant
with respect to , is not divisible by a torsion polynomial.
5. Intersection of polynomial images of intervals and subgroups
For a rational function with two relatively prime polynomials and a set , we use to denote the value set
Given an interval with a positive and a subgroup we consider the size of the intersection of and , that is,
Bounds on this quantity for various functions are in the background of the algorithms of [2, 12]. These bounds are also of independent interest as they are natural analogues of the problem of bounding
for two intervals and and similar sets, which has recently been actively investigated, see [3, 4, 5, 6, 11, 14, 16, 17] and references therein.
Lemma 5.1.
Let with two relatively prime polynomials of degrees at most and such that is not a perfect power of a rational function. Then for any interval of length and any subgroup of order , we have
Proof.
Denote . Let . Clearly the system of equations (over ):
has at least solutions. Let be the number of solutions with a fixed . The
We choose
and consider the set of with . Using that we write
Now if , where is as in Lemma 4.3, then and thus , which is stronger than the desired bound.
Hence we can assume that and thus there is . We now fix any and consider the system of equations
Using the resultant to eliminate we obtain for each solution, where is as in Lemma 4.3. Due to the choice of , we see that the bound of Lemma 3.2 applies, and since for every fixed there are at most values of , we obtain
Recalling the definition of we obtain
and the result follows.
6. Finding solutions to binomial equations
Consider the equation in for some . There exists a polynomial time (polynomial in ) probabilistic algorithm which finds all solutions of this equation, see, for example, [1, Theorem 7.3.1].
If the equation satisfies some additional restriction, one can derandomize [1, Theorem 7.3.1]. Namely, let denote the index (discrete logarithm) of with respect to a fixed primitive root modulo , that is, the unique integer with . Combining [2, Lemma 11] and [2, Corollary 40] we derive:
Lemma 6.1.
Let . Then there exist constants with the following properties. For a prime and with , there exists an integer with and a deterministic algorithm such that for a given it finds all solutions of the equation satisfying in time . One can find and in time .
7. Number of interpolating polynomials
In this section we estimate the number of polynomials such that () for some pairwise distinct and arbitrary .
The following result is a special case of [18, Lemma 4.1].
Lemma 7.1.
Assume that for a fixed integer we have
(7.1) 
Then for pairwise distinct and arbitrary the bound
holds, where the implied constant depends on .
Lemma 7.2.
Let . For any fixed there exist an integer and a constant such that for a prime and a positive integer with , for any pairwise distinct and arbitrary , the number of monic polynomials of degree at most such that
is at most .
Proof.
Choose such that it satisfies (7.1) with .
For let , be the th Lagrange interpolation polynomial on the points , that is
(7.2) 
Define , , as . Then has the form
for some .
Consider the rational function
If it is the zero function, then by (7.2) , a contradiction. As both the numerator and the denominator have degree at most , it takes each value at most times. Thus, there are points , such that takes different values at these points.
For we have
for some . Then
so
with
For fixed , there are at most choices for by Lemma 7.1. As for each monic polynomial there are exactly non-monic polynomials with the same property, we obtain the result.
Lemma 7.3.
Let . For any pairwise distinct , arbitrary and , there is at most one monic polynomial of degree at most such that
(7.3) 
Proof.
If and are two distinct polynomials with (7.3), then
vanishes on . As the degree of the numerator is at most , we have .
Lemma 7.4.
Let . For any pairwise distinct , arbitrary and consider the matrices
for . If has rank , then has rank either for at most one or all choices of .
Proof.
Consider the submatrices of which are not submatrices of . The determinant either does not depend on , or is a linear polynomial in it. If all such determinants are zero, then has rank independently of the choice of . Otherwise, there is only one value of for which the determinant of a submatrix vanishes.
8. Proof of Theorem 2.2
9. Proof of Theorem 2.3
Step 1.
Let and be as in Lemma 6.1.
We call the oracle on the inputs and let for . Then we recover all the polynomials such that
If for some , then must be a zero of , thus it is enough to find all of degree at most such that . Thus we can assume that
For all with , by the pigeonhole principle there are and with such that
In particular, , so there is a subset of size and such that for , that is,
To find , we just try all pairs .
By Lemma 6.1, we can extract all such that for .
Step 2.
In order to obtain candidates for , we consider the system of equations for the coefficients of
(9.1) 
for some and fixed , where .
Now we proceed by induction on to obtain a full rank system of equations (9.1).
For we choose . As , (9.1) is nontrivial for any choice of .
Next, assume that we have fixed the values for some such that (9.1) has full rank. In the following we choose the index and the value such that the system of equations (9.1) remains of full rank.
We start with . If the system of equations (9.1) is singular independently of the choice of , we increase the index . Otherwise, we fix the value of . If (9.1) becomes singular with this choice, we also increase the index . Then we obtain either a full rank system of equations (9.1), or , but (9.1) is singular. In the latter case the system of equations does not have a solution by Lemma 7.3, so we terminate.
Finally, we terminate if we reach .
If we have a regular linear system of equations with , we solve it for and test whether for every .
When we terminate, we have fixed the values with . Let be the set of indices such that appears in (9.1), and let be the set of indices such that is fixed, but the equation belonging to this index leads to a singular system of equations. Finally, let be the set of indices such that is not fixed. Then .
By Lemma 7.4, the value , , is uniquely determined by and . Thus for fixed , , there are at most choices for the tuples . We can choose in at most ways. Thus the running time of this step is .
Step 3. Let be the set of all possible polynomials obtained in the previous step and let be as in Lemma 7.2. Let be the output of the oracle for and put
By Lemma 7.2 we have . We can assume that all of them are squarefree. This reduction is done in time . Finally, we use the identity testing algorithm of Theorem 2.2 for the oracles and for all .
The running time of the first step is bounded by
that of the second step is bounded by
and that of the third step is bounded by
Replacing with and having , we obtain the result.
Acknowledgement
The authors are very grateful to Umberto Zannier for some clarifications concerning the results of [7].
The research of M.K. was supported in part by DFG grants and the Hausdorff grant EXC’591, that of L.M. was supported by the Austrian Science Fund (FWF): Project I1751N26, and that of I.S. was supported in part by the Australian Research Council Grant DP170100786.
References
 [1] E. Bach and J. Shallit, Algorithmic Number Theory, MIT Press, Cambridge, MA, 1996.
 [2] J. Bourgain, M. Z. Garaev, S. V. Konyagin and I. E. Shparlinski, ‘On the hidden shifted power problem’, SIAM J. Comp., 41 (2012), 1524–1557.
 [3] M.C. Chang, ‘Sparsity of the intersection of polynomial images of an interval’, Acta Arith., 165 (2014), 243–249.
 [4] M.C. Chang, J. Cilleruelo, M. Z. Garaev, J. Hernández, I. E. Shparlinski and A. Zumalacárregui, ‘Points on curves in small boxes and applications’, Michigan Math. J. , 63 (2014), 503–534.
 [5] J. Cilleruelo, M. Z. Garaev, A. Ostafe and I. E. Shparlinski, ‘On the concentration of points of polynomial maps and applications’, Math. Zeit., 272 (2012), 825–837.
 [6] J. Cilleruelo, I. E. Shparlinski and A. Zumalacárregui, ‘Isomorphism classes of elliptic curves over a finite field in some thin families’, Math. Res. Letters, 19 (2012), 335–343.
 [7] P. Corvaja and U. Zannier, ‘Greatest common divisors of , in positive characteristic and rational points on curves over finite fields’, J. Eur. Math. Soc. 15 (2013), 1927–1942.
 [8] W. van Dam, ‘Quantum algorithms for weighing matrices and quadratic residues’, Algorithmica, 34 (2002), 413–428.
 [9] W. van Dam, S. Hallgren and L. Ip, ‘Quantum algorithms for some hidden shift problems’, SIAM J. Comp., 6 (2006), 763–778.
 [10] J. von zur Gathen and J. Gerhard, Modern computer algebra, Cambridge University Press, Cambridge, 2013.
[11] D. Gómez-Pérez and I. E. Shparlinski, ‘Subgroups generated by rational functions in finite fields’, Monat. Math., 176 (2015), 241–253.
 [12] G. Ivanyos, M. Karpinski, M. Santha, N. Saxena and I. E. Shparlinski, ‘Polynomial interpolation and identity testing from high powers over finite fields’, Algorithmica, 80 (2018), 560–575.
 [13] R. Lidl and H. Niederreiter, Finite Fields, Cambridge Univ. Press, Cambridge, 1997.
[14] A. Ostafe, ‘Polynomial values in affine subspaces over finite fields’, J. D’Analyse Math., (to appear).
 [15] A. C. Russell and I. E. Shparlinski, ‘Classical and quantum algorithms for function reconstruction via character evaluation’, J. Compl., 20 (2004), 404–422.
[16] I. E. Shparlinski, ‘Products with variables from low-dimensional affine spaces and shifted power identity testing in finite fields’, J. Symb. Comp., 64 (2014), 35–41.
 [17] I. E. Shparlinski, ‘Polynomial values in small subgroups of finite fields’, Revista Matem. Iber., 32 (2016), 1127–1136.
[18] I. V. Vyugin and I. D. Shkredov, ‘On additive shifts of multiplicative subgroups’, Mat. Sb., 203 (2012), no. 6, 81–100.