Research Collection

Doctoral Thesis

Generating a Lattice of a given Genus

Author(s): Dubey, Chandan Kumar

Publication Date: 2014

Permanent Link: https://doi.org/10.3929/ethz-a-010381234

Rights / License: In Copyright - Non-Commercial Use Permitted

This page was generated automatically upon download from the ETH Zurich Research Collection. For more information please consult the Terms of use.

ETH Library


DISS. ETH NO. 22270

Generating a Lattice of a given Genus

A thesis submitted to attain the degree of

DOCTOR OF SCIENCES of ETH ZURICH

(Dr. sc. ETH Zurich)

presented by

Chandan Kumar Dubey

MSc in Computer Science and Mathematics

Weizmann Institute of Science, Israel

born on 14.01.1985

citizen of India

accepted on the recommendation of

Prof. Dr. Thomas Holenstein, examiner

Prof. Dr. Manindra Agrawal, co-examiner

Prof. Dr. Bernd Gärtner, co-examiner

2014


Abstract

A full-rank lattice $L$ in $\mathbb{R}^n$ is a discrete subgroup of $\mathbb{R}^n$ which is the set of all integer linear combinations of $n$ linearly independent vectors, say $\mathbf{b}_1, \dots, \mathbf{b}_n$, i.e., $L = \{\sum_{i=1}^{n} z_i \mathbf{b}_i \mid z_1, \dots, z_n \in \mathbb{Z}\}$. The matrix $\mathtt{B} = [\mathbf{b}_1, \dots, \mathbf{b}_n]$ is called the basis of the lattice and the matrix $\mathtt{Q} = \mathtt{B}'\mathtt{B}$ is called a Gram matrix of the lattice. A lattice is integral if its Gram matrix has only integer entries.

Integral lattices have been studied by mathematicians as positive definite quadratic forms, defined by the equation $\mathbf{x}'\mathtt{Q}\mathbf{x}$, where $\mathbf{x} = (x_1, \dots, x_n)$ and $\mathtt{Q} \in \mathbb{Z}^{n \times n}$. One of the classical problems in this area is the classification of quadratic forms. Two quadratic forms are equivalent over $\mathbb{Z}$ if one can be obtained from the other using a unimodular transformation. If two quadratic forms are equivalent over $\mathbb{Z}$ then they are equivalent over the ring $\mathbb{Z}/p^k\mathbb{Z}$, for all primes $p$ and positive integers $k$. The converse is not true. This leads to the classification of integral quadratic forms into equivalence classes, called the genus. A genus is a set of quadratic forms which are equivalent over $\mathbb{Z}/p^k\mathbb{Z}$ for all primes $p$ and positive integers $k$.

The main result of this thesis is to generate a quadratic form of a given genus in randomized polynomial time. Of independent interest is a polynomial time algorithm to generate a uniform random solution of the equation $\mathbf{x}'\mathtt{Q}\mathbf{x} \equiv t \bmod p^k$.


Summary

A lattice $L$ in $\mathbb{R}^n$ of full rank is a discrete subgroup of $\mathbb{R}^n$ that contains all integer linear combinations of $n$ linearly independent vectors $\mathbf{b}_1, \dots, \mathbf{b}_n$. That is, $L = \{\sum_{i=1}^{n} z_i \mathbf{b}_i \mid z_1, \dots, z_n \in \mathbb{Z}\}$. The matrix $\mathtt{B} = [\mathbf{b}_1, \dots, \mathbf{b}_n]$ is called the basis of the lattice and the matrix $\mathtt{Q} = \mathtt{B}'\mathtt{B}$ is called the Gram matrix of the lattice. A lattice is integral if its Gram matrix has only integer entries.

Integral lattices have been studied in mathematics as positive definite quadratic forms, which are defined by $\mathbf{x}'\mathtt{Q}\mathbf{x}$, where $\mathbf{x} = (x_1, \dots, x_n)$ and $\mathtt{Q} \in \mathbb{Z}^{n \times n}$. A well-known problem in this area is the classification of quadratic forms. Two quadratic forms are equivalent with respect to $\mathbb{Z}$ if one is a unimodular transformation of the other. If two quadratic forms are equivalent with respect to $\mathbb{Z}$, then they are equivalent with respect to the ring $\mathbb{Z}/p^k\mathbb{Z}$ for all primes $p$ and all natural numbers $k$. The converse is not true in general. This leads to the partition of integral quadratic forms into equivalence classes, called the genus. The genus is a set of quadratic forms that are equivalent with respect to $\mathbb{Z}/p^k\mathbb{Z}$ for all primes $p$ and natural numbers $k$.

The main result of this work is a randomized polynomial time algorithm to compute a quadratic form for a given genus. A polynomial time algorithm to compute a uniformly random solution of the equation $\mathbf{x}'\mathtt{Q}\mathbf{x} \equiv t \bmod p^k$ is of particular significance in its own right.


Acknowledgements

This thesis, in its current form, would not have been possible without the hands on and competent supervision of my advisor Thomas Holenstein. The question of generating quadratic forms in polynomial time was asked by him and because I am a Maple newbie, he wrote most of the code. The most important thing I learned from him is the way of doing research. Instead of trying to solve the general problem, his approach involves taking several examples of special cases and then using the gained intuition to come up with a partial solution. He then moves on to refine the solution by making it more general. I also thank him for supporting me during the difficult years of 2012 and 2013 when I was facing health problems.

I am grateful to Manindra Agrawal and Bernd Gärtner for co-refereeing my thesis, and for their valuable feedback.

I would like to thank Divesh Aggarwal for our collaboration on lattice related problems. Although they do not appear in this thesis, I gained immensely from the discussions.

A special thanks goes to Robin Künzler for an incredible amount of support during my life at ETH and in Switzerland. The work and life would have suffered a great deal without his presence. I also thank his family for hosting me several times during my stay at ETH. I thank Jan Hązła, my other office mate, for providing a fresh outlook on things, his book recommendations, and several enjoyable movie outings.

It was a pleasure working at ETH Zürich. I specially enjoyed borrowing books and learning about finance, investments, psychology, and philosophy. I thank my colleagues at ETH for enjoyable conversations. At the risk of forgetting several names, I thank Nemanja Škorić, Stefano Tessaro, Kfir Barhum, David Adjiashvili, Sandro Coretti, Peter Gaži, Dominik Raub, Björn Tackmann, Daniel Tschudi, Matthias Fitzi, Manuel Forster, Viktor Gaillard, Esther Hänggi, and Severin Winkler. I would like to thank Marianna Berger and Beate Bernhard for their great administrative support.

I am indebted to my parents, Remma and Radhe Shyam Dubey for their indefatigable will to fight and prevail. They have managed to pull us from a certain life of penury and working the fields with their constant support and supervision.

I thank my wife Ujjwala for her love and for always being there on my side. Without her support and encouragement, I would not have been able to complete my PhD studies. I also thank her for our daughter Aahna who was born during this time.

Finally, I thank my daughter Aahna for bringing a fresh ray of light in my life.


Contents

1 Introduction
    1.1 Generating a Quadratic Form
    1.2 Sampling a Uniform Solution

2 Notation and Definitions
    2.1 Basic Notation
    2.2 Basic Definitions
        2.2.1 Quadratic Form
        2.2.2 Lattices
        2.2.3 Randomized Algorithms
        2.2.4 Dirichlet's Theorem
    2.3 Terminology

3 Representations Modulo $p^k$
    3.1 Technical Overview
        3.1.1 Simplifying the LHS
        3.1.2 Simplifying the RHS
        3.1.3 Overview of the Counting/Sampling Algorithm
    3.2 Squares over Quotient Rings
        3.2.1 Squares Modulo $p^k$; $p$ odd
        3.2.2 Squares Modulo $2^k$
    3.3 Counting Representations
        3.3.1 Dimension = 1, Odd Prime
        3.3.2 Dimension = 1, $p = 2$
        3.3.3 Type II, $p = 2$
        3.3.4 Calculating Split Size
        3.3.5 Dimension > 1, Any Prime
        3.3.6 Computing Local Density
    3.4 Sampling a Uniform Representation
        3.4.1 Sampling Uniformly from a Split
        3.4.2 Sampling a Representation
        3.4.3 Sampling modulo a Composite Integer

4 Canonical Form Modulo $p^k$
    4.1 Preliminaries
        4.1.1 Diagonalizing a Quadratic Form
        4.1.2 Oddity
        4.1.3 Canonical Blocks
        4.1.4 Primitive Representations
    4.2 Symbol of a Quadratic Form
        4.2.1 $p$-symbol, $p$ odd prime
        4.2.2 2-symbol
    4.3 Canonicalization: $p$ odd prime
    4.4 Canonicalization: $p = 2$
        4.4.1 Type II Block
        4.4.2 Dimension = 3, with one Type II block
        4.4.3 Sign Walking
        4.4.4 Oddity Fusion
        4.4.5 Canonicalizing a Single Compartment
        4.4.6 Canonical Form, any dimension

5 Generating a Quadratic Form of a given Genus
    5.1 Preliminaries
        5.1.1 Specification of the Input
        5.1.2 The Oddity Formula
        5.1.3 $q$-equivalent forms, $q$ composite
    5.2 Existence of a Quadratic Form with a given Symbol
        5.2.1 Existence for a Valid Symbol
        5.2.2 Comparisons to Hartung's Algorithm
    5.3 Primitive Representation in a Genus
        5.3.1 Representation: $n > 3$
        5.3.2 Representation: $n = 3$
        5.3.3 Representation: $n = 2$, basics
        5.3.4 Representation: $n = 2$, Type II
        5.3.5 Representation: $n = 2$, Type I, Even
        5.3.6 Representation: $n = 2$, Type I, Odd
        5.3.7 Representation: putting it together
    5.4 Polynomial Time Algorithm

A Appendix
    A.1 Missing Proofs
    A.2 Computer Assisted Proofs


Chapter 1

Introduction

A full-rank lattice $L$ in $\mathbb{R}^n$ is a discrete subgroup of $\mathbb{R}^n$ which is the set of all integer linear combinations of $n$ linearly independent vectors, say $\mathbf{b}_1, \dots, \mathbf{b}_n$, i.e., $L = \{\sum_{i=1}^{n} z_i \mathbf{b}_i \mid z_1, \dots, z_n \in \mathbb{Z}\}$. The matrix $\mathtt{B} = [\mathbf{b}_1, \dots, \mathbf{b}_n]$ is called the basis of the lattice and the matrix $\mathtt{Q} = \mathtt{B}'\mathtt{B}$ is called a Gram matrix of the lattice. A lattice is integral if its Gram matrix has only integer entries.

Despite their simple grid-like structure, lattices have wide and varied applications in many areas of mathematics and, after the discovery of the LLL algorithm [LLL82], also in computer science. The scope of the application was furthered by the breakthrough result of Ajtai [Ajt96], who showed that lattice problems have a very desirable property for cryptography: a worst case to average case reduction.

Two lattices are called isomorphic if one can be transformed into the other by an orthogonal linear transformation. A fundamental question, called the Lattice Isomorphism Problem (LIP), is to decide if two given Gram matrices come from isomorphic lattices. In other words, given two Gram matrices $\mathtt{Q}_1$ and $\mathtt{Q}_2$ one has to decide if there exists a unimodular matrix $\mathtt{U}$ such that $\mathtt{Q}_2 = \mathtt{U}'\mathtt{Q}_1\mathtt{U}$. For Gram matrices in dimension $n$ and determinant $d$, the problem can be solved using Minkowski Reduced Forms (see Section 10, Chapter 10 [CS99]) in time $O(d^{n^2})$. Other exhaustive search algorithms are known, see [Die03, Sie72]. Recently, Regev and Haviv [HR14] gave an algorithm with time complexity which is $n^{O(n)}$ times the size of the input.

1.1 Generating a Quadratic Form

Several problems related to lattices have been studied by mathematicians in the context of integral quadratic forms.

An integral quadratic form is a uniform polynomial of degree 2 in several variables, e.g., an $n$-ary integral quadratic form in variables $x_1, \dots, x_n$ looks like $\sum_{1 \le i,j \le n} a_{ij} x_i x_j$, where $a_{ij} = a_{ji} \in \mathbb{Z}$. If one defines $\mathtt{A} = (a_{ij}) \in \mathbb{Z}^{n \times n}$, then the quadratic form can be written as $(x_1, \dots, x_n)'\mathtt{A}(x_1, \dots, x_n)$. The similarity to the Gram matrix of a lattice is evident. A Gram matrix defines a quadratic form, and it can be shown that if $\mathtt{A}$ is positive definite then there is a lattice with Gram matrix $\mathtt{A}$.

One of the classical problems in the mathematics of quadratic forms is their classification into equivalence classes. For the special case of $n = 2$, i.e., binary quadratic forms, Gauss [Gau86] gives concrete non-trivial algorithms for the isomorphism problem and even constructs the explicit transformation. Note that two lattices with Gram matrices $\mathtt{Q}_1$ and $\mathtt{Q}_2$ are isomorphic if there exists a unimodular matrix $\mathtt{U}$ such that $\mathtt{Q}_2 = \mathtt{U}'\mathtt{Q}_1\mathtt{U}$. These lattices are then called equivalent over integers. Similarly, one may consider equivalence over the ring $\mathbb{Z}/q\mathbb{Z}$, for any positive integer $q$. In this case, two quadratic forms $\mathtt{Q}_1, \mathtt{Q}_2$ are said to be equivalent over $\mathbb{Z}/q\mathbb{Z}$ if there exists $\mathtt{V} \in \mathrm{GL}_n(\mathbb{Z}/q\mathbb{Z})$ such that $\mathtt{Q}_2 \equiv \mathtt{V}'\mathtt{Q}_1\mathtt{V} \bmod q$. If two quadratic forms are equivalent over integers then they are equivalent over $\mathbb{Z}/q\mathbb{Z}$ for any positive integer $q$. The converse is not true.

This leads to the definition of an equivalence class of quadratic forms, called the genus. Two forms are in the same genus if they are equivalent over $\mathbb{R}$ and also over $\mathbb{Z}/q\mathbb{Z}$ for all positive integers $q$. In this thesis, we consider the following problem: given a description of a non-empty genus, produce a quadratic form from this genus. A discussion of the problem can be found in Conway and Sloane [CS99], page 403. The best algorithm for this problem is also based on Minkowski Reduced forms and takes $O(d^{n^2})$ time for a genus in dimension $n$ with determinant $d$.

The skeleton of our algorithm is similar to the algorithm given by Hartung [Har08]. His thesis uses an equivalent but different approach based on Cassels [Cas78]. Unfortunately, there are several gaps in his construction. There are also mistakes when dealing with the prime 2. But the most severe problem with the algorithm is that its time complexity is proportional to $n^n$, i.e., it is not polynomial. A discussion can be found in Section 5.2.2.

We mention a connection of this theory to the Shortest Vector Problem (SVP) in lattices. The shortest vector problem (SVP) is the problem of finding the shortest non-zero vector in a given lattice. The current best known hardness for SVP is given by Regev-Haviv [HR07] and is based on tensoring lattice bases in the hope of amplifying the length of the shortest vector. This approach fails in general. For large enough dimension $n$, there are self dual lattices with shortest vector $\Omega(\sqrt{n})$. The usual tensoring among these lattices fails to amplify the length of the shortest vector (Lemma 2.4, [HR07]). It is not known how one can construct a self-dual lattice with shortest vector length $\Omega(\sqrt{n})$ but it can be shown that such lattices exist in large dimensions. The proof of existence (see page 48, [MH73]) uses the Smith-Minkowski-Siegel mass formula, which computes the average number of vectors of a certain length in a genus. One way to generate a self-dual lattice with shortest vector $\Omega(\sqrt{n})$ is to sample a lattice according to a certain distribution from a specific genus (see Milnor-Husemoller [MH73]). Our result falls short in the following way. Given this specific genus, we can construct one lattice but we do not know how to sample according to the distribution specified in [MH73]. In this respect, our work can be seen as an important first step towards construction of self-dual lattices with shortest vector $\Omega(\sqrt{n})$.

Our Contributions. Let $d$ be the determinant of a genus in dimension $n$. We present a $\mathrm{poly}(n, \log d)$ Las Vegas algorithm that outputs a quadratic form in the genus with constant probability (Chapter 5). Our construction technique is inspired by the proof of the Smith-Minkowski-Siegel mass formula given by Siegel [Sie35] and uses similar notations as Conway-Sloane [CS99].

Several of the tools we develop are of independent interest for analyzing lattices and quadratic forms efficiently. Two quadratic forms are called $p^*$-equivalent if for every positive integer $k$ they are equivalent over $\mathbb{Z}/p^k\mathbb{Z}$. A $p$-canonical form of a quadratic form has the property that two quadratic forms are $p^*$-equivalent iff they have the same $p$-canonical form. For odd primes, the canonical forms are implicit in [CS99] and Jones [Jon44] provides the canonical form for $p = 2$. But we are not aware of any explicit polynomial time algorithm that transforms a given quadratic form to its $p$-canonical form. See Chapter 4, where we provide a canonicalization algorithm.

Another feature of our work is the simplification achieved by not using $p$-adic numbers, a staple in the analysis of integral quadratic forms [CS99, Kit99, Kne02, Sie35].

1.2 Sampling a Uniform Solution

Several modern factorization algorithms, including Dixon's algorithm [Dix81], the continued fractions method, and the quadratic sieve, try to solve $x^2 \equiv t \bmod q$, where $q$ is the number being factorized. The general problem is to solve quadratic equations of the form $\mathbf{x}'\mathtt{Q}\mathbf{x} \equiv t \bmod q$ in several variables, where $q, t$ are integers. If the factorization of $q$ is known then using the Chinese Remainder Theorem one can show that it is enough to solve the equation when $q$ is a prime power, i.e., $q = p^k$ for some prime $p$ and positive integer $k$.

A closely related problem is to count the number of solutions of $\mathbf{x}'\mathtt{Q}\mathbf{x} \equiv t \bmod p^k$. In his seminal work, titled "Geometry of Numbers" [Min10], Minkowski proposed a geometric method to solve problems in number theory. He also succeeded in giving explicit formulae to calculate the number of solutions $\mathbf{x} = (x_1, \dots, x_n) \in (\mathbb{Z}/p^k\mathbb{Z})^n$ to the equation $\mathbf{x}'\mathtt{Q}\mathbf{x} \equiv t \bmod p^k$.

We remark that typically mathematicians are mainly interested in counting the number of solutions if $k$ is "large enough". One reason for this is that once $k$ is large enough, increasing $k$ by 1 simply multiplies the number of solutions by $p^{n-1}$. Another reason is that the corresponding normalized quantity (the local density, which is the number of solutions divided by $p^{k(n-1)}$ for $k$ large enough) seems to be the "mathematically natural quantity". It arises in many places, for example in (some forms of) the celebrated Siegel mass formula [Sie35].

Several alternatives are available for counting, mainly aimed towards computing the local density, which is a more general problem [Sie35, O'M73, Yan98, Kit99, CS99, GY00, Han04]. As an example, [Sie35] gives an ingenious Gaussian sum technique to count solutions in case $p$ does not divide $2t \det(\mathtt{Q})$.

The case of the prime $p = 2$ is tricky and needs careful analysis. Pall [Pal65] pointed out that the work of Minkowski omits many details, resulting in errors for the case of the prime 2. Later, Watson [Wat76] found errors in the fixes suggested by Pall. It is believed by the community that the work by Watson does not contain any errors.

Coming back to our original problem of finding solutions, a few results are known. We are aware of two relevant results on the question of finding any solution (in contrast to sampling one, uniformly at random). The first [AEM87, PS87] solves $x^2 - ky^2 \equiv m \pmod{q}$ for composite $q$, when the factorization of $q$ is unknown. The second and more relevant is the work done by Hartung [Har08]. For odd $p$, he gives a correct polynomial time algorithm to find one solution of $\mathbf{x}'\mathtt{Q}\mathbf{x} \equiv t \bmod p^k$ (though it seems to be safe to say that the possibility of this was folklore before). Unfortunately, his construction seems to contain errors for the case $p = 2$ (e.g., he divides by 2 in the ring $\mathbb{Z}/2^k\mathbb{Z}$ while proving Lemma 3.3.1 pp. 47-48).

Our Contribution. Apart from the difficulty of giving correct formulae for $p = 2$, the method of Minkowski (and others, including the Gaussian sum method) for counting the number of solutions of $\mathbf{x}'\mathtt{Q}\mathbf{x} \equiv t \bmod p^k$ has another drawback. It is not constructive in the sense that it does not provide a way to sample uniform solutions to the equation. In this work, we give an alternate way of counting solutions, and thus by the above remarks, an alternate way to compute the local density. Our way of counting also yields a Las Vegas algorithm that, given an integral quadratic form $\mathtt{Q}$, a prime $p$, a positive integer $k$ and an integer $t \in \mathbb{Z}/p^k\mathbb{Z}$, runs in time $\mathrm{poly}(n, k, \log p)$ and samples a uniform random solution of $\mathbf{x}'\mathtt{Q}\mathbf{x} \equiv t \bmod p^k$ (Chapter 3).


For the prime 2, a polynomial time solver was not known. In the case of odd primes, our contributions are modest. A polynomial time solver was already provided by Hartung [Har08] for this case. Ours is an alternate and new method of finding solutions which generalizes to the problem of sampling uniform random solutions. We use such a sampler as a sub-routine of our quadratic form generation algorithm.
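The counting statements of this section (the number of solutions growing by a factor $p^{n-1}$ once $k$ is large enough, the local density, and uniform sampling of a solution) can be checked on small instances by exhaustive search. The following Python code is an added example, not code from the thesis: it runs in time exponential in $k \log p$, unlike the polynomial time algorithm of Chapter 3, and the function names and the sample form $x_1^2 + x_2^2$ are assumptions chosen for illustration.

```python
import random
from fractions import Fraction
from itertools import product


def quad_value(Q, x):
    """Evaluate x'Qx over the integers for a symmetric integer matrix Q."""
    n = len(Q)
    return sum(Q[i][j] * x[i] * x[j] for i in range(n) for j in range(n))


def count_representations(Q, t, p, k):
    """Number of x in (Z/p^kZ)^n with x'Qx = t (mod p^k), by exhaustive search."""
    q = p ** k
    return sum(1 for x in product(range(q), repeat=len(Q))
               if (quad_value(Q, x) - t) % q == 0)


def counts_up_to(Q, t, p, kmax):
    """Solution counts for k = 1, ..., kmax (entry k-1 belongs to modulus p^k)."""
    return [count_representations(Q, t, p, k) for k in range(1, kmax + 1)]


def stabilization_point(counts, p, n):
    """Smallest k from which every observed step k -> k+1 multiplies the
    count by exactly p^(n-1); equals len(counts) if no such step is seen."""
    factor = p ** (n - 1)
    k0 = len(counts)
    for k in range(len(counts) - 1, 0, -1):
        if counts[k] == factor * counts[k - 1]:
            k0 = k
        else:
            break
    return k0


def local_density(count, p, k, n):
    """Number of solutions modulo p^k divided by p^(k(n-1))."""
    return Fraction(count, p ** (k * (n - 1)))


def sample_representation(Q, t, p, k, rng, max_tries=100000):
    """Uniform random solution by rejection sampling: every solution is hit
    with the same probability per draw. Returns None if none is found."""
    q = p ** k
    for _ in range(max_tries):
        x = [rng.randrange(q) for _ in range(len(Q))]
        if (quad_value(Q, x) - t) % q == 0:
            return x
    return None


# Constructed sample input: the binary form x1^2 + x2^2, with t = 1.
SAMPLE_Q = [[1, 0], [0, 1]]

if __name__ == "__main__":
    for p, kmax in ((3, 3), (2, 4)):
        counts = counts_up_to(SAMPLE_Q, 1, p, kmax)
        k0 = stabilization_point(counts, p, 2)
        dens = local_density(counts[-1], p, kmax, 2)
        print(f"p={p}: counts={counts}, stable from k={k0}, density={dens}")
    print(sample_representation(SAMPLE_Q, 1, 2, 4, random.Random(1)))
```

For the odd prime 3 the growth factor is already $p^{n-1}$ from $k = 1$, while for $p = 2$ the step from $k = 1$ to $k = 2$ multiplies the count by 4 and the factor 2 is reached only afterwards.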


Chapter 2

Notation and Definitions

2.1 Basic Notation

Integers and ring elements are denoted by lowercase letters, vectors by bold lowercase letters and matrices by typewriter uppercase letters. The $i$'th component of a vector $\mathbf{v}$ is denoted by $v_i$. We use the notation $(v_1, \dots, v_n)$ for a column vector and the transpose of matrix $\mathtt{A}$ is denoted by $\mathtt{A}'$. The matrix $\mathtt{A}^n$ will denote an $n \times n$ square matrix. The scalar product of two vectors will be denoted $\mathbf{v}'\mathbf{w}$ and equals $\sum_i v_i w_i$. The standard Euclidean norm of the vector $\mathbf{v}$ is denoted by $\|\mathbf{v}\|$ and equals $\sqrt{\mathbf{v}'\mathbf{v}}$.

If $\mathtt{Q}_1^n$, $\mathtt{Q}_2^m$ are matrices, then the direct product of $\mathtt{Q}_1$ and $\mathtt{Q}_2$ is denoted by $\mathtt{Q}_1 \oplus \mathtt{Q}_2$ and is defined as $\operatorname{diag}(\mathtt{Q}_1, \mathtt{Q}_2) = \begin{pmatrix} \mathtt{Q}_1 & 0 \\ 0 & \mathtt{Q}_2 \end{pmatrix}$. Given two matrices $\mathtt{Q}_1$ and $\mathtt{Q}_2$ with the same number of rows, $[\mathtt{Q}_1, \mathtt{Q}_2]$ is the matrix which is obtained by concatenating the two matrices columnwise. A matrix is called unimodular if it is an integer $n \times n$ matrix with determinant $\pm 1$.

Sets are denoted by upper case letters $A, B, \dots$, and their cardinalities by $A, B, \dots$. Functions are denoted by either $f$ or lower case Greek letters $\alpha, \dots$. If $f : A \to B$ then we extend it to subsets $S = \{s_1, \dots, s_k\} \subseteq A$ in the usual way by defining $f(S) = \{f(s_1), \dots, f(s_k)\}$. If $\mathtt{Q} = (\mathtt{Q}_{ij})$ is a matrix, then $f(\mathtt{Q})$ is the matrix $(f(\mathtt{Q}_{ij}))_{ij}$. For example, if $\mathtt{Q}^n$ is an $n \times n$ integer matrix and $q$ is a positive integer then $\mathtt{Q} \bmod q$ is defined as the matrix with all entries of $\mathtt{Q}$ reduced modulo $q$.

2.2 Basic Definitions

Let $R$ be a commutative ring with unity and $R^\times$ be the set of units (i.e., invertible elements) of $R$. If $\mathtt{Q} \in R^{n \times n}$ is a square matrix, the adjugate of $\mathtt{Q}$ is defined as the transpose of the cofactor matrix and is denoted by $\operatorname{adj}(\mathtt{Q})$.


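The matrix $\mathtt{Q}$ is invertible if and only if $\det(\mathtt{Q})$ is a unit of $R$. In this case, $\operatorname{adj}(\mathtt{Q}) = \det(\mathtt{Q})\mathtt{Q}^{-1}$. The set of invertible $n \times n$ matrices over $R$ is denoted by $\mathrm{GL}_n(R)$. The subset of matrices with determinant 1 will be denoted by $\mathrm{SL}_n(R)$.

Fact 1. A matrix $\mathtt{U}$ is in $\mathrm{GL}_n(R)$ iff $\det(\mathtt{U}) \in R^\times$.

The set of odd primes is denoted by $P$. We define $\mathbb{Q}/(-1)\mathbb{Q} = \mathbb{Z}/(-1)\mathbb{Z} := \mathbb{R}$. For every prime $p$ and positive integer $k$, we define the ring $\mathbb{Z}/p^k\mathbb{Z} = \{0, \dots, p^k - 1\}$, where product and addition are defined modulo $p^k$.

Let $p$ be a prime, and $a, b$ be integers. Then, $\operatorname{ord}_p(a)$ is the largest integer exponent of $p$ such that $p^{\operatorname{ord}_p(a)}$ divides $a$. We let $\operatorname{ord}_p(0) = \infty$. The $p$-coprime part of $a$ is then $\operatorname{cpr}_p(a) = \frac{a}{p^{\operatorname{ord}_p(a)}}$. Note that $\operatorname{cpr}_p(a)$ is, by definition, a unit of $\mathbb{Z}/p\mathbb{Z}$. For $\frac{a}{b}$, a rational number, we define $\operatorname{ord}_p(\frac{a}{b}) = \operatorname{ord}_p(a) - \operatorname{ord}_p(b)$. The $p$-coprime part of $\frac{a}{b}$ is denoted as $\operatorname{cpr}_p(\frac{a}{b})$ and equals $\frac{a/p^{\operatorname{ord}_p(a)}}{b/p^{\operatorname{ord}_p(b)}}$. For a positive integer $q$, one writes $a \equiv b \bmod q$, if $q$ divides $a - b$. By $x := a \bmod q$, we mean that $x$ is assigned the unique value $b \in \{0, \dots, q - 1\}$ such that $b \equiv a \bmod q$. An integer $t$ is called a quadratic residue modulo $q$ if $\gcd(t, q) = 1$ and $x^2 \equiv t \bmod q$ has a solution.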

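Definition 2.1. Let $p$ be an odd prime, and $t$ be a positive integer with $\gcd(t, p) = 1$. Then, the Legendre-symbol of $t$ with respect to $p$ is defined as follows.

$$\left(\frac{t}{p}\right) = \begin{cases} 1 & \text{if } t \text{ is a quadratic residue modulo } p \\ -1 & \text{otherwise.} \end{cases}$$

The Legendre symbol can also be computed by Euler's formula, given by $t^{(p-1)/2} \bmod p$. ♦

For the prime 2, there is an extension of the Legendre symbol called the Kronecker symbol. It is defined for odd integers $t$, and $\left(\frac{t}{2}\right)$ equals 1 if $t \equiv \pm 1 \bmod 8$, and $-1$ if $t \equiv \pm 3 \bmod 8$.

The $p$-sign of $t$, denoted $\operatorname{sgn}_p(t)$, is defined as $\left(\frac{\operatorname{cpr}_p(t)}{p}\right)$ for odd primes $p$ and $\operatorname{cpr}_2(t) \bmod 8$ otherwise. We also define $\operatorname{sgn}_p(0) = 0$, for all primes $p$. Thus,

$$\operatorname{sgn}_p(0) = 0, \qquad \operatorname{sgn}_p(t > 0) \in \begin{cases} \{+1, -1\} & \text{if } p \text{ is odd} \\ \{1, 3, 5, 7\} & \text{otherwise} \end{cases}$$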

The following lemma is well known.

Lemma 2.2. Let $p$ be an odd prime. Then, there are $\frac{p-1}{2}$ quadratic residues and $\frac{p-1}{2}$ quadratic non-residues modulo $p$. Also, every quadratic residue in $\mathbb{Z}/p\mathbb{Z}$ can be written as a sum of two quadratic non-residues and every quadratic non-residue can be written as a sum of two quadratic residues.


An integer $t$ is a square modulo $q$ if there exists an integer $x$ such that $x^2 \equiv t \pmod{q}$. The integer $x$ is called the square root of $t$ modulo $q$. If no such $x$ exists, then $t$ is a non-square modulo $q$.

The following lemma is folklore and gives the necessary and sufficient conditions for an integer $t$ to be a square modulo $p^k$.

Lemma 2.3. Let $p$ be a prime, $k$ be a positive integer and $t \in \mathbb{Z}/p^k\mathbb{Z}$ be a non-zero integer. Then, $t$ is a square modulo $p^k$ if and only if $\operatorname{ord}_p(t)$ is even and $\operatorname{sgn}_p(t) = 1$.
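The quantities $\operatorname{ord}_p$, $\operatorname{cpr}_p$ and $\operatorname{sgn}_p$ and the criterion of Lemma 2.3 translate directly into code. The following Python code is an added example, not code from the thesis; the function names are assumptions, $t$ is taken as its representative in $\{0, \dots, p^k - 1\}$, and treating $t = 0$ as a square is a convention of this example (the lemma covers only non-zero $t$).

```python
import math


def ord_p(a, p):
    """Largest e such that p^e divides a; infinity for a = 0."""
    if a == 0:
        return math.inf
    e = 0
    while a % p == 0:
        a //= p
        e += 1
    return e


def cpr_p(a, p):
    """p-coprime part a / p^ord_p(a) of a non-zero integer a."""
    return a // p ** ord_p(a, p)


def legendre(t, p):
    """Legendre symbol of t (coprime to the odd prime p) via Euler's formula."""
    r = pow(t, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def sgn_p(t, p):
    """p-sign: Legendre symbol of cpr_p(t) for odd p, cpr_2(t) mod 8 for p = 2."""
    if t == 0:
        return 0
    u = cpr_p(t, p)
    return u % 8 if p == 2 else legendre(u, p)


def is_square_mod_pk(t, p, k):
    """Criterion of Lemma 2.3 applied to the representative of t modulo p^k."""
    t %= p ** k
    if t == 0:
        return True  # 0 = 0^2; convention of this example, outside the lemma
    return ord_p(t, p) % 2 == 0 and sgn_p(t, p) == 1


def squares_mod(q):
    """All squares modulo q by exhaustive search (reference for checking)."""
    return {x * x % q for x in range(q)}


def criterion_matches_search(p, k):
    """True if the criterion and exhaustive search agree for all non-zero t."""
    q = p ** k
    squares = squares_mod(q)
    return all(is_square_mod_pk(t, p, k) == (t in squares) for t in range(1, q))


if __name__ == "__main__":
    # Constructed sample values.
    print(ord_p(72, 2), cpr_p(72, 2), sgn_p(72, 2))      # 72 = 2^3 * 9
    print(sgn_p(12, 2), sgn_p(18, 3))                    # 12 = 4 * 3, 18 = 9 * 2
    print(is_square_mod_pk(17, 2, 5), is_square_mod_pk(12, 2, 4))
    print(all(criterion_matches_search(p, k)
              for p, kmax in ((2, 6), (3, 4), (5, 3)) for k in range(1, kmax + 1)))
```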

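Definition 2.4. Let $p$ be a prime and $\frac{x}{y}$ be a rational number. Then, $\frac{x}{y}$ can be uniquely written as $\frac{x}{y} = p^{\alpha} \frac{a}{b}$, where $a, b$ are units of $\mathbb{Z}/p\mathbb{Z}$. We say that $\frac{x}{y}$ is a $p$-antisquare if $\alpha$ is odd and $\operatorname{sgn}_p(a) \ne \operatorname{sgn}_p(b)$. ♦

Quadratic Reciprocity. The Law of Quadratic Reciprocity, conjectured by Euler and Legendre and proven by Gauss, says that if $p_1, p_2$ are distinct odd primes then,

$$\left(\frac{p_1}{p_2}\right) = \begin{cases} -\left(\frac{p_2}{p_1}\right) & \text{if } p_1 \equiv p_2 \equiv 3 \pmod{4}, \\ \left(\frac{p_2}{p_1}\right) & \text{otherwise.} \end{cases} \tag{2.1}$$

A supplement to the law states that for all odd primes, $\left(\frac{p}{2}\right) = \left(\frac{2}{p}\right)$. Also,

$$\left(\frac{-1}{p}\right) = 1 \text{ iff } p \equiv 1 \bmod 4 \tag{2.2}$$

For convenience we define integers $k_p$, and a completion of an integer $q$ (denoted q), as follows.

$$k_p = \begin{cases} 3 & \text{if } p = 2, \text{ and} \\ 1 & p \text{ odd prime.} \end{cases} \qquad q = q \prod_{p \mid 2q} p^{k_p} \tag{2.3}$$

Definition 2.5. Let $p^k$ be a prime power. A vector $\mathbf{v} \in (\mathbb{Z}/p^k\mathbb{Z})^n$ is called primitive if there exists a component $v_i$, $i \in [n]$, of $\mathbf{v}$ such that $\gcd(v_i, p) = 1$. Otherwise, the vector $\mathbf{v}$ is non-primitive. ♦

Our definition of primitiveness of a vector is different but equivalent to the usual one in the literature. A vector $\mathbf{v} \in (\mathbb{Z}/q\mathbb{Z})^n$ is called primitive over $\mathbb{Z}/q\mathbb{Z}$ for a composite integer $q$ if it is primitive modulo $p^{\operatorname{ord}_p(q)}$ for all primes that divide $q$.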


Lemma 2.6. Let p be a prime, k be a positive integer and x ∈ (Z/pkZ)n be aprimitive vector. Then, an A can be found in O(n2) ring operation such that[x, A] ∈ SLn(Z/pkZ).

Proof. The column vector $x = (x_1, \cdots, x_n)$ is primitive, hence there exists an $x_i$, $i \in [n]$, such that $x_i$ is invertible over $\mathbb{Z}/p^k\mathbb{Z}$. It is easier to write the matrix U, which equals [x, A] with rows i and 1 of [x, A] swapped.

\[ U = \begin{pmatrix} x_i & 0 \\ x_{-i} & (x_i^{-1} \bmod p^k) \oplus I_{n-2} \end{pmatrix} \qquad x_{-i} = (x_1, \cdots, x_{i-1}, x_{i+1}, \cdots, x_n) \]

The matrix U has determinant 1 modulo $p^k$ and hence is invertible over $\mathbb{Z}/p^k\mathbb{Z}$. The lemma now follows from the fact that the swapped matrix is invertible iff the original matrix is invertible.

Definition 2.7. Let p be a prime, k be a positive integer and x be an element of $\mathbb{Z}/p^k\mathbb{Z}$. The p-expansion of x is x written in base p i.e., $x = x_{(0)} + x_{(1)} \cdot p + \cdots + x_{(k-1)} \cdot p^{k-1}$, where $x_{(i)} \in \mathbb{Z}/p\mathbb{Z}$ for $i \in \{0, \cdots, k-1\}$, is called the i'th digit of x. ♦

2.2.1 Quadratic Form

An n-ary quadratic form over a ring R is a symmetric matrix $Q \in R^{n \times n}$, interpreted as the following polynomial in n formal variables $x_1, \cdots, x_n$ of uniform degree 2.

\[ \sum_{1 \le i,j \le n} Q_{ij} x_i x_j = Q_{11} x_1^2 + Q_{12} x_1 x_2 + \cdots = x'Qx \]

The quadratic form is called integral if it is defined over the ring $\mathbb{Z}$. It is called positive definite if for all non-zero column vectors x, $x'Qx > 0$. This work deals with integral quadratic forms, henceforth called simply quadratic forms. The determinant of the quadratic form is defined as det(Q). A quadratic form is called diagonal if Q is a diagonal matrix.

Given a set of formal variables $x = (x_1 \cdots x_n)'$ one can make a linear change of variables to $y = (y_1 \cdots y_n)'$ using a matrix $U \in R^{n \times n}$ by setting y = Ux. If additionally, U is invertible over R i.e., $U \in \mathrm{GL}_n(R)$, then this change of variables is reversible over the ring. We now define the equivalence of quadratic forms over the ring R.

Definition 2.8. Let $Q_1^n, Q_2^n$ be quadratic forms over a ring R. They are called R-equivalent if there exists a $U \in \mathrm{GL}_n(R)$ such that $Q_2 = U'Q_1U$. ♦


If $R = \mathbb{Z}/q\mathbb{Z}$, for some positive integer q, then two integral quadratic forms $Q_1^n$ and $Q_2^n$ will be called q-equivalent (denoted, $Q_1 \overset{q}{\sim} Q_2$) if there exists a matrix $U \in \mathrm{GL}_n(\mathbb{Z}/q\mathbb{Z})$ such that $Q_2 \equiv U'Q_1U \pmod q$. For a prime p, they are $p^*$-equivalent (denoted, $Q_1 \overset{p^*}{\sim} Q_2$) if they are $p^k$-equivalent for every positive integer k. Additionally, $(-1)^*$-equivalence as well as $(-1)$-equivalence mean equivalence over the reals $\mathbb{R}$.

Definition 2.9. Let $Q_1^n, Q_2^n$ be two integral quadratic forms. They are said to be in the same genus if they are $p^*$-equivalent for all $p \in \{-1, 2\} \cup \mathbb{P}$. ♦

The genus of a quadratic form Q will be denoted by Gen(Q). Note that, all lattices of the same rank are equivalent over $\mathbb{R}$. So, for two lattices to be in the same genus they only need be $p^*$-equivalent for all primes p.

Let $Q^n$ be a n-ary integral quadratic form, and q, t be positive integers. If the equation $x'Qx \equiv t \pmod q$ has a solution then we say that t has a q-representation in Q (or t has a representation in Q over $\mathbb{Z}/q\mathbb{Z}$). Solutions $x \in (\mathbb{Z}/q\mathbb{Z})^n$ to the equation are called q-representations of t in Q. We classify the representations into two categories: primitive and non-primitive, see Definition 2.5. The set of non-primitive, primitive and all $p^k$-representations of t in Q is denoted by $C_{p^k}(Q, t)$, $B_{p^k}(Q, t)$ and $A_{p^k}(Q, t)$, respectively. Their sizes are denoted by $C_{p^k}(Q, t)$, $B_{p^k}(Q, t)$ and $A_{p^k}(Q, t)$, respectively.

2.2.2 Lattices

A full rank n-dimensional lattice is the set $\{Bz \mid z \in \mathbb{Z}^n\}$, all integer linear combinations of n linearly independent basis vectors $B = [b_1, \cdots, b_n] \in \mathbb{R}^{n \times n}$. The matrix $G = B'B$ is called a Gram matrix of the lattice. The lattice is called integral if all entries of the Gram matrix are integers. Note that G is always positive definite and for a lattice vector $v = \sum_i x_i b_i$ the length of the vector v can be calculated from G as follows; implicitly defining a positive definite quadratic (i.e., a homogeneous equation of uniform degree 2) form $G^n$.

\[ v'v = \sum_{i,j} b_i' b_j x_i x_j = (x_1, \cdots, x_n)' G (x_1, \cdots, x_n) \tag{2.4} \]

A lattice with Gram matrix $Q_1$ is isomorphic to a lattice with Gram matrix $Q_2$ if there exists a unimodular matrix U such that $Q_1 = U'Q_2U$. It can be shown that two lattices are isomorphic iff there exists an orthonormal linear transformation, which maps a basis of one lattice to a basis of the other.

2.2.3 Randomized Algorithms

Our randomized algorithms are Las Vegas algorithms. They either fail and output nothing, or produce a correct answer. The probability of failure is bounded by a constant. Thus, for any $\delta > 0$, it is possible to repeat the algorithm $O(\log \frac{1}{\delta})$ times and succeed with probability at least $1 - \delta$. Henceforth, these algorithms will be called randomized algorithms.

Our algorithms perform two kinds of operations. Ring operations e.g., multiplication, additions, inversions over $\mathbb{Z}/p^k\mathbb{Z}$ and operations over integers $\mathbb{Z}$ e.g., multiplications, additions, divisions etc. The runtime for all these operations is treated as constant i.e., O(1) and the time complexity of the algorithms is measured in terms of ring operations. For computing a uniform representation, we also need to sample a uniform ring element from $\mathbb{Z}/p^k\mathbb{Z}$. We adopt the convention that sampling a uniform ring element also takes O(1) ring operations.

For example, the Legendre symbol of an integer a can be computed by fast exponentiation in $O(\log p)$ ring operations over $\mathbb{Z}/p\mathbb{Z}$ while $\mathrm{ord}_p(t)$ for $t \in \mathbb{Z}/p^k\mathbb{Z}$ can be computed by fast exponentiation in $O(\log k)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$.

Let us suppose that multiplying two $n \times n$ matrices over $\mathbb{Z}/p^k\mathbb{Z}$ takes $O(n^{\omega})$ ring operations.

2.2.4 Dirichlet’s Theorem

Let a, q be positive integers such that gcd(a, q) = 1. Dirichlet's theorem states that there are infinitely many primes of the form a + zq, where z is a non-negative integer. The following theorem gives a quantitative version of Dirichlet's theorem using Generalized Riemann Hypothesis (GRH). A proof of the theorem can be found in any analytic number theory book, for example [IK04].

Theorem 2.10. Let a, q be integers such that gcd(a, q) = 1 and S be the set $\{a + zq \mid z \in \mathbb{Z},\ a + zq \le q^3\}$. Then assuming GRH, there exists a constant c such that S has $c\,\frac{|S|}{\log |S|}$ primes.

Another implication of GRH is that the smallest quadratic non-residue modulo p, for odd prime p; is a number less than $3(\ln p)^2/2$, see [Ank52, Wed01]. Thus, assuming GRH, a quadratic residue modulo p can be found deterministically in time $O(\log^3 p)$ ring operations over $\mathbb{Z}/p\mathbb{Z}$ by trying all integers $\le 3(\ln p)^2/2$.


2.3 Terminology

$R, R^{\times}$    A commutative ring with unity, and the set of units of R, respectively.
$\mathbb{Z}, \mathbb{Q}, \mathbb{R}$    Set of integers, rationals and reals respectively.
$[k]$    The set $\{1, \cdots, k\}$.
$\mathbb{Z}/q\mathbb{Z}$    The ring $(\{0, \cdots, q-1\}, \cdot, +)$, where $\cdot$ and $+$ are defined modulo q.
$\mathbb{P}$    Set of odd primes.
$\mathbb{P}_r$    The set $\{2\} \cup \{p \mid p \text{ divides } r\}$.
$\mathrm{GL}_n(R)$    Set of invertible matrices in $R^{n \times n}$.
$\mathrm{SL}_n(R)$    Set of invertible matrices in $R^{n \times n}$ with determinant of 1.
$I_n$    The $n \times n$ identity matrix.
$\mathrm{diag}(a, b)$    The matrix $\begin{pmatrix} a & 0 \\ 0 & b \end{pmatrix}$. Also, $a \oplus b$.
$\mathrm{ord}_p(a)$    The highest exponent of p that divides a.
$\mathrm{cpr}_p(a)$    The coprime part of a with respect to p.
$\mathrm{sgn}_p(a)$    Equal to $\left(\frac{\mathrm{cpr}_p(a)}{p}\right)$ for p odd, and $\mathrm{cpr}_2(a) \bmod 8$ otherwise.
$k_p$    Equal to 1 if p is an odd prime, and 3 otherwise.
$\det(A)$    Determinant of the square matrix A.
$\left(\frac{a}{p}\right)$    The Legendre-Jacobi symbol of a with respect to a prime $p \in \{2\} \cup \mathbb{P}$ (Section 2.2, Definition 2.1).
$Q^n$    An integral symmetric $n \times n$ matrix, representing a n-ary quadratic form.
$\mathrm{Gen}(Q)$    The genus of the integral quadratic form Q (Definition 2.9).
$\mathrm{sig}(Q)$    The $(-1)$-signature of Q (Section 4.1.2).


Chapter 3

Representations Modulo $p^k$

Let $Q^n$ be an n-ary integral quadratic form, t be an integer, k be a positive integer and p be a prime. If $x = (x_1, \cdots, x_n)$ is a column vector of formal variables, then this chapter deals with the equation $x'Qx \equiv t \bmod p^k$. Here, we are interested in two problems: counting the number of solutions of the equation in $\mathbb{Z}/p^k\mathbb{Z}$, and sampling a uniform random solution of the equation.

3.1 Technical Overview

This section will give a complete outline of our method to count solutions of $x'Qx \equiv t \bmod p^k$.

3.1.1 Simplifying the LHS

Recall the definition of equivalence of quadratic forms i.e., Definition 2.8. If $Q^n$ and $S^n$ are equivalent over $\mathbb{Z}/p^k\mathbb{Z}$ then the following lemma shows that the number of solutions of $x'Qx \equiv t \bmod p^k$ is the same as the number of solutions of $x'Sx \equiv t \bmod p^k$.

Lemma 3.1. Let p be a prime, k, t be positive integers, $Q^n$ be an integral quadratic form, $U \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ and $S = U'QU \bmod p^k$. Then, $A_{p^k}(Q, t) = A_{p^k}(S, t)$, $B_{p^k}(Q, t) = B_{p^k}(S, t)$, and $C_{p^k}(Q, t) = C_{p^k}(S, t)$.

Proof. Let $V \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ be such that $UV \equiv I \bmod p^k$. The map $f : (\mathbb{Z}/p^k\mathbb{Z})^n \to (\mathbb{Z}/p^k\mathbb{Z})^n$ defined by $f(x) := Vx \bmod p^k$ is bijective because U, V are invertible over $\mathbb{Z}/p^k\mathbb{Z}$.

If x is primitive then Vx is also primitive. We prove this by contradiction. Suppose Vx is not primitive. Then, Vx can be written as py, where $y \in (\mathbb{Z}/p^k\mathbb{Z})^n$. But, $x \equiv UVx \equiv pUy \bmod p^k$, which implies that x is not primitive.

The lemma now follows from the equation $(Vx)'S(Vx) \equiv x'Qx \bmod p^k$.


Thus, in order to count, we first transform $Q^n$ into a simpler quadratic form. We refer to this transformation procedure as “diagonalization”.

An intuitive description of the diagonalization procedure follows. Given a quadratic form over a ring R, one can classify them according to the following equivalence. Two quadratic forms are equivalent over R if one can be obtained from the other by an invertible linear change of variables over R. For example, $x^2$ and $2y^2$ are equivalent over the field of reals $\mathbb{R}$ because the transformations $x \to \sqrt{2}\,y$ and $y \to \frac{1}{\sqrt{2}}\,x$ are inverse of each other in $\mathbb{R}$, are linear and transform $x^2$ to $2y^2$ and $2y^2$ to $x^2$ respectively. Thus, over $\mathbb{R}$ instead of trying to solve both $x^2$ and $2y^2$ separately, one can instead solve $x^2$ and then use the invertible linear transformation to map the solutions of $x^2$ to the solutions of $2y^2$. It is well known that every quadratic form in n variables over $\mathbb{R}$ is equivalent to $\sum_{i=1}^{a} x_i^2 - \sum_{i=a+1}^{n} x_i^2$, for some $a \in [n]$. This is known as Sylvester's Law of inertia.

For the ring $\mathbb{Z}/p^k\mathbb{Z}$ such that p is odd, there always exists an equivalent quadratic form which is also diagonal (see [CS99], Theorem 2, page 369). Additionally, one can explicitly find the invertible change of variables that turns it into a diagonal quadratic form. The situation is tricky over the ring $\mathbb{Z}/2^k\mathbb{Z}$. Here, it might not be possible to eliminate all mixed terms, i.e., terms of the form $2a_{ij}x_ix_j$ with $i \neq j$. For example, consider the quadratic form 2xy i.e., $\begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$ over $\mathbb{Z}/2^k\mathbb{Z}$. An invertible linear change of variables over $\mathbb{Z}/2^k\mathbb{Z}$ is of the following form.

\[ x \to a_1x_1 + a_2x_2, \qquad y \to b_1x_1 + b_2x_2, \qquad \begin{pmatrix} a_1 & a_2 \\ b_1 & b_2 \end{pmatrix} \text{ invertible over } \mathbb{Z}/2^k\mathbb{Z} \]

The mixed term after this transformation is $2(a_1b_2 + a_2b_1)$. As $a_1b_2 + a_2b_1 \bmod 2$ is the same as the determinant of the change of variables above i.e., $a_1b_2 - a_2b_1$ modulo 2; it is not possible for a transformation in $\mathrm{GL}_2(\mathbb{Z}/2^k\mathbb{Z})$ to eliminate the mixed term. Instead, one can show that over $\mathbb{Z}/2^k\mathbb{Z}$ it is possible to get an equivalent form where the mixed terms are disjoint i.e., both $x_ix_j$ and $x_ix_k$ do not appear, where i, j, k are pairwise distinct. One captures this form by the following definition.

Definition 3.2. A matrix $D^n$ over integers is in a block diagonal form if it is a direct sum of type I and type II forms; where type I form is an integer while type II is a matrix of the form $\begin{pmatrix} 2^{\ell+1}a & 2^{\ell}b \\ 2^{\ell}b & 2^{\ell+1}c \end{pmatrix}$ with b odd. ♦

The following theorem is folklore and is also implicit in the proof of Theorem 2 on page 369 in [CS99].


Theorem 3.3. Let $Q^n$ be an integral quadratic form, p be a prime, and k be a positive integer. Then, there is an algorithm that performs $O(n^{1+\omega} \log k)$ ring operations and produces a matrix $U \in \mathrm{SL}_n(\mathbb{Z}/p^k\mathbb{Z})$ such that $U'QU \pmod{p^k}$ is a diagonal matrix for odd primes p and a block diagonal matrix (in the sense of Definition 3.2) for p = 2.

The ring operation complexity is dependent on the complexity of the matrix multiplication algorithm. Recall that multiplying two $n \times n$ matrices over $\mathbb{Z}/p^k\mathbb{Z}$ is assumed to take $O(n^{\omega})$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$. For completeness, we provide a proof of Theorem 3.3 in Chapter 4.

3.1.2 Simplifying the RHS

Our next step is to simplify the right hand side of the equation $x'Qx \equiv t \bmod p^k$ i.e., t.

Definition 3.4. The $p^k$-symbol of an integer t is $\mathrm{sym}_{p^k}(t) = (\mathrm{ord}_p(t \bmod p^k), \mathrm{sgn}_p(t \bmod p^k))$. ♦

A $p^k$-symbol will be denoted as $\gamma$ and $\mathrm{ord}_p(\gamma)$ will denote the p-order of $\gamma$ and $\mathrm{sgn}_p(\gamma)$ will denote the p-sign of $\gamma$. The next lemma shows the importance of the $p^k$-symbol.

Lemma 3.5. For integers a, b and prime p: $b \overset{p^k}{\sim} a$ iff $\mathrm{sym}_{p^k}(a) = \mathrm{sym}_{p^k}(b)$.

Proof. The lemma is true if $\mathrm{ord}_p(a)$ or $\mathrm{ord}_p(b)$ is at least k. Hence, we assume that $\mathrm{ord}_p(a), \mathrm{ord}_p(b) < k$.

We first show that $b \overset{p^k}{\sim} a$ implies $\mathrm{sym}_{p^k}(a) = \mathrm{sym}_{p^k}(b)$. If $b \overset{p^k}{\sim} a$ then there exists a $u \in (\mathbb{Z}/p^k\mathbb{Z})^{\times}$ such that $b \equiv u^2a \pmod{p^k}$. But, multiplying by a square of a unit does not change the sign i.e., $\mathrm{sgn}_p(a \bmod p^k) = \mathrm{sgn}_p(u^2a \bmod p^k) = \mathrm{sgn}_p(b \bmod p^k)$. Also, $\mathrm{ord}_p(u) = 0$ implies that $\mathrm{ord}_p(a) = \mathrm{ord}_p(b)$. This shows that $\mathrm{sym}_{p^k}(a) = \mathrm{sym}_{p^k}(b)$.

We now show the converse. Suppose a and b are such that $\mathrm{sym}_{p^k}(a) = \mathrm{sym}_{p^k}(b)$. Let $\mathrm{ord}_p(a) = \mathrm{ord}_p(b) = \alpha$. By definition of $p^k$-symbol, $\mathrm{sgn}_p(a \bmod p^k) = \mathrm{sgn}_p(b \bmod p^k)$. But then,

\[ \mathrm{sgn}_p\left(\mathrm{cpr}_p(a) \bmod p^{k-\alpha}\right) = \mathrm{sgn}_p\left(\mathrm{cpr}_p(b) \bmod p^{k-\alpha}\right) \iff \mathrm{sgn}_p\left(\mathrm{cpr}_p(a)\,\mathrm{cpr}_p(b)^{-1} \bmod p^{k-\alpha}\right) = 1 \]

By Lemma 2.3, $\mathrm{cpr}_p(a)\,\mathrm{cpr}_p(b)^{-1} \bmod p^{k-\alpha}$ is a quadratic residue modulo $p^{k-\alpha}$. But then, there exists a unit u such that

\[ u^2 \equiv \mathrm{cpr}_p(a)\,\mathrm{cpr}_p(b)^{-1} \pmod{p^{k-\alpha}} . \]

Multiplying this equation by $\mathrm{cpr}_p(b)\,p^{\alpha}$ yields $u^2b \equiv a \bmod p^k$ or $b \overset{p^k}{\sim} a$.

The following lemma shows that the number of solutions depends on only two things: $\mathrm{ord}_p(t \bmod p^k)$, and $\mathrm{sgn}_p(t \bmod p^k)$.

Lemma 3.6. Let $Q^n$ be a quadratic form, p be a prime, k be a positive integer and t, s be integers such that $\mathrm{sym}_{p^k}(t) = \mathrm{sym}_{p^k}(s)$. Then, $A_{p^k}(Q, t) = A_{p^k}(Q, s)$, $B_{p^k}(Q, t) = B_{p^k}(Q, s)$, and $C_{p^k}(Q, t) = C_{p^k}(Q, s)$.

Proof. By Lemma 3.5, it follows that there exists a unit $u \in (\mathbb{Z}/p^k\mathbb{Z})^{\times}$ such that $s \equiv u^2t \bmod p^k$. But then, t has a representation $x \in (\mathbb{Z}/p^k\mathbb{Z})^n$ in Q iff s has a representation $ux \in (\mathbb{Z}/p^k\mathbb{Z})^n$ in Q;

\[ (ux)'Q(ux) \equiv u^2x'Qx \equiv u^2t \equiv s \bmod p^k . \]

The function $x \to ux$ maps $p^k$-representations of t in Q to $p^k$-representations of s in Q. Also, the map is bijective, and preserves primitiveness; completing the proof.

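Let $\gamma$ be a $p^k$-symbol and $t \in \mathbb{Z}/p^k\mathbb{Z}$ be an integer such that $\mathrm{sym}_{p^k}(t) = \gamma$. Then, using Lemma 3.6, we can define the following quantities.

\[ A_{p^k}(Q, \gamma) = A_{p^k}(Q, t) \qquad B_{p^k}(Q, \gamma) = B_{p^k}(Q, t) \qquad C_{p^k}(Q, \gamma) = C_{p^k}(Q, t) \]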

There are $p^k$ different possible values for t over $\mathbb{Z}/p^k\mathbb{Z}$ i.e., exponential in k. But, for the $p^k$-symbol $\gamma$, there are only (4k + 1) possibilities when p = 2, and (2k + 1) otherwise (the “+1” is for 0). Note that the p-order $\infty$ only appears with p-sign 0 and vice-versa.

For notational convenience, we define the following sets (the modulo $p^k$ will be clear from the context, whenever we use this notation).

\[ \mathrm{ord} = \{\infty, 0, \cdots, k-1\} \qquad \mathrm{sgn} = \begin{cases} \{0, 1, -1\} & p \text{ is an odd prime} \\ \{0, 1, 3, 5, 7\} & \text{otherwise} \end{cases} \tag{3.1} \]

The following definition is useful in reducing the problem of counting representations in higher dimensions to the problem of counting representations for individual blocks in a block diagonal form.

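Definition 3.7. Let p be a prime, k be a positive integer, $t \in \mathbb{Z}/p^k\mathbb{Z}$ be an integer, and $\gamma_1, \gamma_2$ be $p^k$-symbols. Then, the $(\gamma_1, \gamma_2)$-split size of t over $\mathbb{Z}/p^k\mathbb{Z}$, denoted $S^{t}_{p^k}(\gamma_1, \gamma_2)$, is the size of the following set,

\[ S^{t}_{p^k}(\gamma_1, \gamma_2) = \left\{ (a, b) \in (\mathbb{Z}/p^k\mathbb{Z})^2 \;\middle|\; \mathrm{sym}_{p^k}(a) = \gamma_1,\ \mathrm{sym}_{p^k}(b) = \gamma_2,\ t \equiv a + b \bmod p^k \right\} . \]
♦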


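Let $\gamma, \gamma_1, \gamma_2$ be $p^k$-symbols and $t \in \mathbb{Z}/p^k\mathbb{Z}$ be an integer such that $\mathrm{sym}_{p^k}(t) = \gamma$. Then, the following lemma shows that we can define $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$ as $S^{t}_{p^k}(\gamma_1, \gamma_2)$.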

Lemma 3.8. Let p be a prime, k be a positive integer, $\gamma_1, \gamma_2$ be $p^k$-symbols and t, s be integers such that $\mathrm{sym}_{p^k}(t) = \mathrm{sym}_{p^k}(s)$. Then, $S^{t}_{p^k}(\gamma_1, \gamma_2) = S^{s}_{p^k}(\gamma_1, \gamma_2)$.

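Proof. By Lemma 3.5, there exists a $u \in (\mathbb{Z}/p^k\mathbb{Z})^{\times}$ such that $u^2t \equiv s \bmod p^k$. If $t \equiv a + b \bmod p^k$ then $u^2t \equiv u^2a + u^2b \bmod p^k$ with $\mathrm{sym}_{p^k}(u^2a) = \mathrm{sym}_{p^k}(a)$, and $\mathrm{sym}_{p^k}(u^2b) = \mathrm{sym}_{p^k}(b)$. The lemma now follows from the observation that the map $x \to u^2x$ is a bijection from $\mathbb{Z}/p^k\mathbb{Z}$ to itself.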

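Lemma 3.9. Let $Q = \mathrm{diag}(Q_1, Q_2)$ be an integral quadratic form, p be a prime, k be a positive integer, and $\gamma$ be a $p^k$-symbol. Then,

\[ A_{p^k}(Q, \gamma) = \sum_{\gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}} S^{\gamma}_{p^k}(\gamma_1, \gamma_2) \cdot A_{p^k}(Q_1, \gamma_1) \cdot A_{p^k}(Q_2, \gamma_2) \]

\[ C_{p^k}(Q, \gamma) = \sum_{\gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}} S^{\gamma}_{p^k}(\gamma_1, \gamma_2) \cdot C_{p^k}(Q_1, \gamma_1) \cdot C_{p^k}(Q_2, \gamma_2) \]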

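Proof. Let $t \in \mathbb{Z}/p^k\mathbb{Z}$ be such that $\mathrm{sym}_{p^k}(t) = \gamma$. The formula for the total number of representations of $\gamma$ by Q over $\mathbb{Z}/p^k\mathbb{Z}$ follows from the calculations below.

\begin{align*}
A_{p^k}(Q, \gamma) = A_{p^k}(Q, t) &= \sum_{a \in \mathbb{Z}/p^k\mathbb{Z}} A_{p^k}(Q_1, a) \cdot A_{p^k}(Q_2, t - a) \\
&= \sum_{a \in \mathbb{Z}/p^k\mathbb{Z}} A_{p^k}(Q_1, \mathrm{sym}_{p^k}(a)) \cdot A_{p^k}(Q_2, \mathrm{sym}_{p^k}(t - a)) \\
&= \sum_{\gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}} S^{t}_{p^k}(\gamma_1, \gamma_2) \cdot A_{p^k}(Q_1, \gamma_1) \cdot A_{p^k}(Q_2, \gamma_2) \\
&= \sum_{\gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}} S^{\gamma}_{p^k}(\gamma_1, \gamma_2) \cdot A_{p^k}(Q_1, \gamma_1) \cdot A_{p^k}(Q_2, \gamma_2)
\end{align*}

The same calculation works for the number of non-primitive representations because a representation of $\gamma$ by Q is non-primitive iff every component of the representation is non-primitive.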

3.1.3 Overview of the Counting/Sampling Algorithm

Given $(Q^n, p, k, t)$ our counting algorithm for finding $A_{p^k}(Q, t)$ is analyzed in detail in Section 3.3.5. An overview of the algorithm is given below.


1. Block diagonalize Q over $\mathbb{Z}/p^k\mathbb{Z}$ using Theorem 3.3. Let $D^n = D_1 \oplus \cdots \oplus D_m$ be the block diagonal form returned by the algorithm. Recall, each $D_i$ is either Type I i.e., an integer, or Type II (only when p = 2).

2. For each symbol $\gamma \in \mathrm{ord} \times \mathrm{sgn}$ and $i \in [m]$, calculate $A_{p^k}(D_i, \gamma)$. The case of prime 2 is handled separately and needs careful analysis for Type II blocks. (Sections 3.3.1, 3.3.2, and 3.3.3)

3. For each triple $\gamma, \gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}$ compute the size of split classes (Section 3.3.4) i.e., $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$.

4. Compute $A_{p^k}(D_1 \oplus \cdots \oplus D_i, \gamma)$ for each $\gamma \in \mathrm{ord} \times \mathrm{sgn}$ and $i \in [m]$, using Lemma 3.9.

5. Output $A_{p^k}(D, \mathrm{sym}_{p^k}(t))$.

As mentioned in the introduction of the thesis, this algorithm can also be used to compute what mathematicians call the “local density” (see Section 3.3.6). Furthermore, this algorithm can be generalized to sample uniform representations (details in Section 3.4). The following two theorems are the main contribution of this chapter (proved in Section 3.4.2).

Theorem 3.10. Let $Q^n$ be an integral quadratic form, k be a positive integer, and t be an element of $\mathbb{Z}/2^k\mathbb{Z}$. Then, there exists a deterministic polynomial time algorithm that performs $O(n^{1+\omega} \log k + nk^3)$ ring operations over $\mathbb{Z}/2^k\mathbb{Z}$ and samples a uniform (primitive/non-primitive) representation of t by Q over $\mathbb{Z}/2^k\mathbb{Z}$, if such a representation exists.

Theorem 3.11. Let $Q^n$ be an integral quadratic form, p be an odd prime, k be a positive integer, t be an element of $\mathbb{Z}/p^k\mathbb{Z}$. Then, there is a polynomial time Las Vegas algorithm that performs $O(n^{1+\omega} \log k + nk^3 + n \log p)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$ and fails with constant probability (say, at most $\frac{1}{3}$). Otherwise, the algorithm outputs a uniform (primitive/non-primitive) $p^k$-representation of t by Q, if such a representation exists.

In other words, the algorithm is able to output a uniform representation, a representation which is uniform among the primitive ones, and a representation which is uniform among the non-primitive ones.
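Steps 2 to 5 of the counting overview in Section 3.1.3, as an added Python example that is not code from the thesis. The unary counts and the split sizes are obtained here by enumeration instead of the closed forms of Section 3.3, so the block shows only how Lemma 3.9 chains the blocks of a diagonal form; the function names and the use of float infinity for the p-order of 0 are assumptions of this example.

```python
from collections import Counter
from itertools import product

INF = float("inf")  # assumed encoding of the p-order "infinity" of 0


def sym(t, p, k):
    """p^k-symbol (ord_p, sgn_p) of t mod p^k (Definition 3.4); 0 maps to (INF, 0)."""
    t %= p ** k
    if t == 0:
        return (INF, 0)
    order = 0
    while t % p == 0:
        t //= p
        order += 1
    if p == 2:
        return (order, t % 8)            # sgn_2 is the coprime part mod 8
    return (order, 1 if pow(t, (p - 1) // 2, p) == 1 else -1)


def counts_1dim(d, p, k):
    """Step 2: A_{p^k}(d, gamma) for the unary form d*x^2, keyed by symbol.

    By Lemma 3.6 every t with the same symbol has the same count, so
    overwriting the dictionary entry per symbol is consistent.
    """
    q = p ** k
    per_t = Counter(d * x * x % q for x in range(q))
    return {sym(t, p, k): per_t[t] for t in range(q)}


def split_sizes(p, k):
    """Step 3: S^gamma(gamma1, gamma2) for all triples (Definition 3.7).

    One representative t is fixed per symbol gamma (justified by Lemma 3.8).
    """
    q = p ** k
    rep = {}
    for t in range(q):
        rep.setdefault(sym(t, p, k), t)
    sizes = Counter()
    for g, t in rep.items():
        for a in range(q):
            sizes[g, sym(a, p, k), sym(t - a, p, k)] += 1
    return sizes


def combine(A1, A2, sizes):
    """Lemma 3.9: counts for Q1 (+) Q2 from the counts of Q1 and Q2."""
    out = Counter()
    for (g, g1, g2), s in sizes.items():
        out[g] += s * A1[g1] * A2[g2]
    return out


def count_diag(diag, p, k, t):
    """Steps 2-5 for a diagonal form diag(d_1, ..., d_n) over Z/p^kZ."""
    sizes = split_sizes(p, k)
    A = counts_1dim(diag[0], p, k)
    for d in diag[1:]:                    # step 4: add one block at a time
        A = combine(A, counts_1dim(d, p, k), sizes)
    return A[sym(t, p, k)]                # step 5


def brute(diag, p, k, t):
    """Reference count of x with sum(d_i x_i^2) = t mod p^k, by enumeration."""
    q = p ** k
    return sum(
        1
        for x in product(range(q), repeat=len(diag))
        if (sum(d * xi * xi for d, xi in zip(diag, x)) - t) % q == 0
    )


if __name__ == "__main__":
    # constructed inputs: diag(1, 2, 3) over Z/9Z
    for t in range(9):
        print(t, count_diag((1, 2, 3), 3, 2, t), brute((1, 2, 3), 3, 2, t))
```

The number of symbols is O(k), so the combination step touches O(k^3) triples per block regardless of p, which is where the $nk^3$ term in Theorems 3.10 and 3.11 comes from.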

3.2 Squares over Quotient Rings

To understand quadratic forms and their equivalence, we need some elementary results from number theory and algebra. In particular, we want to know when an integer t is a square over the ring $\mathbb{Z}/p^k\mathbb{Z}$.

The prime 2 creates some technical complications. Thus, we chose to split the results in two parts; for odd primes, and for the even prime. We remark that everything in this section is well-known.


3.2.1 Squares Modulo $p^k$; p odd

A positive integer t is a quadratic residue modulo $p^k$ iff t is a quadratic residue modulo p (see Theorem 2.30, [Sho09]). If t is a quadratic residue modulo p then there are two solutions to the equation $x^2 \equiv t \bmod p$. Furthermore, there is a Las Vegas algorithm due to Cipolla and Lehmer which performs $O(\log p)$ ring operations over $\mathbb{Z}/p\mathbb{Z}$ and computes the square root of a quadratic residue t over $\mathbb{Z}/p\mathbb{Z}$.

Given a positive integer t such that t is a quadratic residue modulo p, both solutions to $x^2 \equiv t \bmod p^k$ can be found using Hensel's Lemma. We give a sketch of the proof here and a full proof can be found on page 174, [Bac96].

Lemma 3.12. Let p be an odd prime, k a positive integer, and t be a quadratic residue modulo p. Then, there is a randomized algorithm that performs $O(\log k + \log p)$ ring operations and with constant probability outputs both solutions of $x^2 \equiv t \bmod p^k$.

Proof. We use the Las Vegas algorithm by Cipolla and Lehmer to first find the solutions of $x^2 \equiv t \bmod p$. We now show how to “lift” this solution from $\mathbb{Z}/p\mathbb{Z}$ to $\mathbb{Z}/p^k\mathbb{Z}$. We do this incrementally by lifting solutions of $x^2 \equiv t \bmod p^e$ to solutions of $x^2 \equiv t \bmod p^{2e}$.

Let a be a solution of $x^2 \equiv t \bmod p^e$ i.e., $a^2 \equiv t \bmod p^e$. If $b := \frac{(t - a^2)/p^e}{2a} \bmod p^k$, then

\[ (a + p^e b)^2 \equiv a^2 + 2abp^e \equiv t \pmod{p^{2e}} . \]

The computation of b takes O(1) ring operations and hence to lift a solution modulo p to a solution modulo $p^k$, we need to perform $O(\log k)$ ring operations.

3.2.2 Squares Modulo 2k

There is only one non-zero element in $\mathbb{Z}/2\mathbb{Z}$ i.e., 1 and by definition, it is a quadratic residue. This is the only quadratic residue in $\mathbb{Z}/4\mathbb{Z}$ and $\mathbb{Z}/8\mathbb{Z}$.

Let $t \in \mathbb{Z}/2^k\mathbb{Z}$ be an integer. Then, t is a quadratic residue modulo $2^k$ iff $t \equiv 1 \bmod 8$ (see Theorem 2, pp 49, [BS86]). A similar result as in Lemma 3.12 can be shown. The “lifting” of solutions modulo $p^e$ to solutions modulo $p^{2e}$ does not work in this case because 2 does not have an inverse (see the proof of Lemma 3.12).

Lemma 3.13. Let k be a positive integer, and t be an element of $\mathbb{Z}/2^k\mathbb{Z}$ such that $t \equiv 1 \pmod 8$. Then, $x^2 \equiv t \pmod{2^k}$ has one solution for k = 1, two for k = 2 and four otherwise. Additionally, all solutions can be found in O(k) ring operations.


Proof. The set of solutions is $\{1\}$ in $\mathbb{Z}/2\mathbb{Z}$, $\{1, 3\}$ in $\mathbb{Z}/4\mathbb{Z}$ and $\{1, 3, 5, 7\}$ in $\mathbb{Z}/8\mathbb{Z}$. For larger k, we prove the lemma by induction.

Let us assume that the lemma is true for $k \ge 3$ and let b be a square root of t modulo $2^k$. Then, $b^2 \equiv t \bmod 2^k$ and $2^k \mid (t - b^2)$. By Definition 2.7, the k'th digit of $t - b^2$ is $d = (t - b^2)/2^k \bmod 2$. Recall, $x_{(k)}$ is the k'th digit in the p-expansion of x (see Definition 2.7, p = 2 here). Let $c = b + 2^{k-1}d$. From $b \equiv 1 \pmod 2$, we conclude that $2^k bd \equiv 2^k d \pmod{2^{k+1}}$. For $k \ge 3$, it follows that,

\[ c^2 \equiv b^2 + 2^k bd \equiv \left( \sum_{i=0}^{k-1} t_{(i)} 2^i + (b^2)_{(k)} 2^k \right) + 2^k d \equiv t \pmod{2^{k+1}} \]

Additionally, $-c$, $2^k + c$, $2^k - c$ are all distinct solutions of $x^2 \equiv t \pmod{2^{k+1}}$. The fact that these are the only possible solutions is argued as follows. If x is a solution modulo $2^{k+1}$ then it is also a solution modulo $2^k$. So, there are only eight choices for x in $\mathbb{Z}/2^{k+1}\mathbb{Z}$ given four solutions modulo $\mathbb{Z}/2^k\mathbb{Z}$. Only four of these work. The proof is constructive i.e., given all solutions modulo $2^k$, all solutions modulo $2^{k+1}$ can be found in constant number of ring operations.
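The lifting steps from the proofs of Lemma 3.12 and Lemma 3.13, as added Python code that is not from the thesis. Cipolla's algorithm supplies the root modulo p, the step b := ((t - a^2)/p^e)/(2a) doubles the exponent for odd p, and for p = 2 the digit step c = b + 2^(j-1) d raises the exponent by one; the function names are assumptions, and `pow(x, -1, m)` needs Python 3.8 or later.

```python
import random


def cipolla(t, p):
    """One square root of a quadratic residue t modulo an odd prime p (Las Vegas)."""
    t %= p
    if t == 0:
        return 0
    while True:
        a = random.randrange(p)
        w = (a * a - t) % p
        if w == 0:
            return a                      # a itself is a root
        if pow(w, (p - 1) // 2, p) == p - 1:
            break                         # w is a non-residue: work in F_p[sqrt(w)]

    def mul(u, v):
        # (u0 + u1*sqrt(w)) * (v0 + v1*sqrt(w)) in F_p[sqrt(w)]
        return ((u[0] * v[0] + u[1] * v[1] * w) % p, (u[0] * v[1] + u[1] * v[0]) % p)

    result, base, e = (1, 0), (a, 1), (p + 1) // 2
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result[0]                      # (a + sqrt(w))^((p+1)/2) lies in F_p


def sqrt_mod_prime_power(t, p, k):
    """Both roots of x^2 = t mod p^k for odd p and t a quadratic residue mod p."""
    if pow(t, (p - 1) // 2, p) != 1:
        raise ValueError("t is not a non-zero quadratic residue modulo p")
    a, e = cipolla(t, p), 1
    while e < k:
        e2 = min(2 * e, k)
        mod = p ** e2
        # b = ((t - a^2)/p^e) / (2a); then (a + p^e b)^2 = t mod p^(2e)
        b = ((t - a * a) // p ** e) * pow(2 * a, -1, mod) % mod
        a = (a + p ** e * b) % mod
        e = e2
    return sorted((a, p ** k - a))


def sqrt_mod_2k(t, k):
    """All roots of x^2 = t mod 2^k for t = 1 mod min(8, 2^k) (Lemma 3.13)."""
    q = 1 << k
    t %= q
    if t % min(8, q) != 1:
        raise ValueError("t must be 1 modulo min(8, 2^k)")
    if k <= 3:
        return list(range(1, q, 2))       # {1}, {1,3}, {1,3,5,7}
    b = 1                                 # a root modulo 2^3
    for j in range(3, k):                 # lift a root mod 2^j to one mod 2^(j+1)
        d = ((t - b * b) >> j) & 1        # j'th digit of t - b^2
        b += d << (j - 1)
    half = q >> 1
    return sorted({b % q, -b % q, (b + half) % q, (half - b) % q})


if __name__ == "__main__":
    print(sqrt_mod_prime_power(2, 7, 5))  # roots of 2 modulo 7^5
    print(sqrt_mod_2k(17, 5))             # roots of 17 modulo 32
```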

3.3 Counting Representations

In this section, we count the number of solutions of the equation $x'Qx \equiv t \bmod p^k$.

3.3.1 Dimension = 1, Odd Prime

The following lemma gives the necessary and sufficient conditions for an integral quadratic form $Q^{n=1}$ to represent t over $\mathbb{Z}/p^k\mathbb{Z}$, when $k > \mathrm{ord}_p(t)$.

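Lemma 3.14. Let Q, t be integers, p be an odd prime and $k > \mathrm{ord}_p(t)$. Then, t can be represented by Q over $\mathbb{Z}/p^k\mathbb{Z}$ if and only if $\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)$ is even, $\ge 0$, and $\left(\frac{\mathrm{cpr}_p(Q)\,\mathrm{cpr}_p(t)}{p}\right) = 1$.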

Proof. Suppose that t can be represented by Q over $\mathbb{Z}/p^k\mathbb{Z}$ and $k > \mathrm{ord}_p(t)$. Then, there exist integers x and a such that $x^2Q = t + ap^k$. But then,

\[ \mathrm{ord}_p(t) = \mathrm{ord}_p(t + ap^k) = \mathrm{ord}_p(x^2Q) = 2\,\mathrm{ord}_p(x) + \mathrm{ord}_p(Q) , \]

\[ \left(\frac{\mathrm{cpr}_p(t)}{p}\right) = \left(\frac{\mathrm{cpr}_p(t + ap^k)}{p}\right) = \left(\frac{\mathrm{cpr}_p(x^2Q)}{p}\right) = \left(\frac{\mathrm{cpr}_p(Q)}{p}\right) . \]

Conversely, suppose that $\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)$ is even, $\ge 0$ and $\left(\frac{\mathrm{cpr}_p(Q)\,\mathrm{cpr}_p(t)}{p}\right) = 1$. Then, by Lemma 3.5, there exists an integer u such that $\mathrm{cpr}_p(Q)u^2 \equiv \mathrm{cpr}_p(t) \pmod{p^k}$. But then, multiplying this equation by $p^{\mathrm{ord}_p(t)}$, we conclude that $x = p^{\frac{\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)}{2}} u$ is a $p^k$-representation of t; as follows.

\[ \left(p^{\frac{\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)}{2}} u\right)^2 Q = p^{\mathrm{ord}_p(t)}\,\mathrm{cpr}_p(Q)\,u^2 \equiv p^{\mathrm{ord}_p(t)}\,\mathrm{cpr}_p(t) \pmod{p^k} . \]

Lemma 3.15. Let Q, t, k be integers, and p be an odd prime. Then, Algorithm 1 performs $O(\log k + \log p)$ ring operations and outputs the number of primitive and non-primitive $p^k$-representations of t in Q.

Proof. We want to count the number of primitive and non-primitive $x \in \mathbb{Z}/p^k\mathbb{Z}$ such that $x^2Q \equiv t \pmod{p^k}$. We distinguish between the following cases.

$\mathrm{ord}_p(t) \ge k$. In this case, $t \bmod p^k$ is 0. Thus,

\[ x^2 p^{\mathrm{ord}_p(Q)} \equiv 0 \pmod{p^k} \iff p^{k - \mathrm{ord}_p(Q)} \mid x^2 \iff p^{\lceil \frac{k - \mathrm{ord}_p(Q)}{2} \rceil} \mid x \]

There are primitive representations iff $\mathrm{ord}_p(Q) \ge k$. But then, every $x \in \mathbb{Z}/p^k\mathbb{Z}$ is a representation. Recall, the p-expansion of $x \in \mathbb{Z}/p^k\mathbb{Z}$ (Definition 2.7). By definition, x is primitive iff $x_{(0)} \neq 0$. The rest of the k − 1 digits can be chosen freely. The number of primitive and non-primitive representations in the case of $\mathrm{ord}_p(Q) \ge k$ is then $(p-1)p^{k-1}$ and $p^{k-1}$ respectively. Otherwise, if $\mathrm{ord}_p(Q) < k$ then there are no primitive representations and the number of non-primitive representations is $p^{k - \lceil \frac{k - \mathrm{ord}_p(Q)}{2} \rceil}$. This completes the case of $\mathrm{ord}_p(t) \ge k$.

$\mathrm{ord}_p(t) < k$. It follows from Lemma 3.14 that Q represents t over $\mathbb{Z}/p^k\mathbb{Z}$ iff $\mathrm{ord}_p(t) - \mathrm{ord}_p(Q) \ge 0$, is even and $\left(\frac{\mathrm{cpr}_p(t)\,\mathrm{cpr}_p(Q)}{p}\right) = 1$. But then,

\begin{align*}
x^2Q \equiv t \pmod{p^k} &\iff x^2 \equiv p^{\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)}\,\mathrm{cpr}_p(t)\,\mathrm{cpr}_p(Q)^{-1} \pmod{p^{k - \mathrm{ord}_p(Q)}} \\
&\iff x = p^{\frac{\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)}{2}} y,\quad y \in \mathbb{Z}/p^{k - \frac{\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)}{2}}\mathbb{Z}, \\
&\qquad\ y^2 \equiv \mathrm{cpr}_p(t)\,\mathrm{cpr}_p(Q)^{-1} \pmod{p^{k - \mathrm{ord}_p(t)}} .
\end{align*}

The number of possible representations is the number of $y \in \mathbb{Z}/p^{k - \frac{\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)}{2}}\mathbb{Z}$ satisfying $y^2 \equiv \mathrm{cpr}_p(t)\,\mathrm{cpr}_p(Q)^{-1} \bmod p^{k - \mathrm{ord}_p(t)}$. As $\mathrm{cpr}_p(t)\,\mathrm{cpr}_p(Q)^{-1}$ is a quadratic residue modulo p, by Lemma 3.12, there are exactly two possible y over the ring $\mathbb{Z}/p^{k - \mathrm{ord}_p(t)}\mathbb{Z}$. Recall, the p-expansion of y (Definition 2.7). In the p-expansion of y, there are $k - \frac{\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)}{2}$ digits; the first $k - \mathrm{ord}_p(t)$ of those must be a solution of $y^2 = \mathrm{cpr}_p(t)\,\mathrm{cpr}_p(Q)^{-1}$ over the ring $\mathbb{Z}/p^{k - \mathrm{ord}_p(t)}\mathbb{Z}$. Hence, the remaining $\frac{\mathrm{ord}_p(t) + \mathrm{ord}_p(Q)}{2}$ can be chosen freely from $\mathbb{Z}/p\mathbb{Z}$. Thus, the number of $p^k$-representations of t in Q is $2p^{\frac{\mathrm{ord}_p(t) + \mathrm{ord}_p(Q)}{2}}$. Note that there are primitive representations iff $\mathrm{ord}_p(t) = \mathrm{ord}_p(Q)$. But then, every representation $x \in \mathbb{Z}/p^k\mathbb{Z}$ is primitive. This completes the case of $\mathrm{ord}_p(t) < k$.

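Algorithm 1: CountModpk1Dim($Q^{n=1}$, $\mathrm{sym}_{p^k}(t)$, p, k)

if $\mathrm{ord}_p(t) \ge k$ then
    if $\mathrm{ord}_p(Q) \ge k$ then prim := $(p-1)p^{k-1}$; nprim := $p^{k-1}$;
    else prim := 0; nprim := $p^{k - \lceil (k - \mathrm{ord}_p(Q))/2 \rceil}$;
else if $\mathrm{ord}_p(t) - \mathrm{ord}_p(Q) < 0$ or $\mathrm{ord}_p(t) - \mathrm{ord}_p(Q)$ odd or $\left(\frac{\mathrm{cpr}_p(t)\,\mathrm{cpr}_p(Q)}{p}\right) = -1$ then prim := 0; nprim := 0;
else if $\mathrm{ord}_p(Q) = \mathrm{ord}_p(t)$ then prim := $2p^{\mathrm{ord}_p(Q)}$; nprim := 0;
else prim := 0; nprim := $2p^{(\mathrm{ord}_p(t) + \mathrm{ord}_p(Q))/2}$;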

The algorithm works with numbers of size $p^k$ and makes only a constant number of operations. The Legendre symbol can be calculated using fast exponentiation (see Definition 2.1) in $O(\log p)$ ring operations and the computations of p-orders take $O(\log k)$ ring operations. The algorithm hence, performs at most $O(\log k + \log p)$ ring operations.
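Algorithm 1 transcribed into Python and compared with direct enumeration, as an added example that is not the thesis's own code. The function names are assumptions, and Q and t are passed as integers instead of as a symbol.

```python
def ord_cpr(a, p):
    """Return (ord_p(a), cpr_p(a)) for a non-zero integer a."""
    order = 0
    while a % p == 0:
        a //= p
        order += 1
    return order, a


def legendre(a, p):
    """Legendre symbol of a unit a modulo an odd prime p, by fast exponentiation."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_1dim(Q, t, p, k):
    """(prim, nprim): primitive / non-primitive x in Z/p^kZ with Q x^2 = t mod p^k.

    Follows the case split of Algorithm 1; p must be an odd prime.
    """
    q = p ** k
    Q %= q
    t %= q
    # Any p-order >= k behaves like k, so Q = 0 mod p^k is recorded as order k.
    oq, cq = ord_cpr(Q, p) if Q else (k, 1)
    if t == 0:                                      # ord_p(t) >= k
        if oq >= k:
            return ((p - 1) * p ** (k - 1), p ** (k - 1))
        return (0, p ** (k - (k - oq + 1) // 2))    # k - ceil((k - ord_p(Q)) / 2)
    ot, ct = ord_cpr(t, p)
    if ot < oq or (ot - oq) % 2 or legendre(ct * cq, p) == -1:
        return (0, 0)
    reps = 2 * p ** ((ot + oq) // 2)
    return (reps, 0) if ot == oq else (0, reps)


def brute_1dim(Q, t, p, k):
    """Reference (prim, nprim) by trying every x in Z/p^kZ."""
    q = p ** k
    sols = [x for x in range(q) if (Q * x * x - t) % q == 0]
    prim = sum(1 for x in sols if x % p)
    return (prim, len(sols) - prim)


def mismatches(p, k):
    """All (Q, t) in (Z/p^kZ)^2 on which the closed form and enumeration disagree."""
    q = p ** k
    return [
        (Q, t)
        for Q in range(q)
        for t in range(q)
        if count_1dim(Q, t, p, k) != brute_1dim(Q, t, p, k)
    ]


if __name__ == "__main__":
    for p, k in ((3, 3), (5, 2), (7, 2)):           # constructed test moduli
        print(p, k, "mismatches:", mismatches(p, k))
```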

3.3.2 Dimension = 1, p = 2

The following lemma gives the necessary and sufficient conditions for an integral quadratic form $Q^{n=1}$ to represent a non-zero $t \in \mathbb{Z}/2^k\mathbb{Z}$ over $\mathbb{Z}/2^k\mathbb{Z}$.

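Lemma 3.16. Let Q be an integer, and t be a non-zero integer from $\mathbb{Z}/2^k\mathbb{Z}$. Then, t can be represented by Q over $\mathbb{Z}/2^k\mathbb{Z}$ if and only if $\mathrm{ord}_2(t) - \mathrm{ord}_2(Q)$ is even, $\ge 0$, and $\mathrm{cpr}_2(Q) \equiv \mathrm{cpr}_2(t) \bmod \min\{8, 2^{k - \mathrm{ord}_2(t)}\}$.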

Proof. Suppose that t can be represented by Q over $\mathbb{Z}/2^k\mathbb{Z}$ and $k > \mathrm{ord}_2(t)$. Then, there exist integers x and a such that $x^2Q = t + a2^k$. But then,

\[ \mathrm{ord}_2(t) = \mathrm{ord}_2(t + a2^k) = \mathrm{ord}_2(x^2Q) = 2\,\mathrm{ord}_2(x) + \mathrm{ord}_2(Q) , \]

\[ \mathrm{cpr}_2(t + a2^k) = \mathrm{cpr}_2(x^2Q) = \mathrm{cpr}_2(x)^2\,\mathrm{cpr}_2(Q) \equiv \mathrm{cpr}_2(Q) \pmod 8 . \]

By assumption, $\mathrm{ord}_2(t) < k$ and hence $\mathrm{cpr}_2(t + a2^k) \equiv \mathrm{cpr}_2(t) \bmod 2^{k - \mathrm{ord}_2(t)}$.

Conversely, suppose that $\mathrm{ord}_2(t) - \mathrm{ord}_2(Q)$ is even, $\ge 0$ and $\mathrm{cpr}_2(t) \equiv \mathrm{cpr}_2(Q) \bmod \min\{8, 2^{k - \mathrm{ord}_2(t)}\}$. Then, by Lemma 3.5, there exists an integer u such that $\mathrm{cpr}_2(Q)u^2 \equiv \mathrm{cpr}_2(t) \bmod 2^{k - \mathrm{ord}_2(t)}$. But then, multiplying this equation by $2^{\mathrm{ord}_2(t)}$, we conclude that $x = 2^{\frac{\mathrm{ord}_2(t) - \mathrm{ord}_2(Q)}{2}} u$ is a $2^k$-representation of t; as follows.

\[ \left(2^{\frac{\mathrm{ord}_2(t) - \mathrm{ord}_2(Q)}{2}} u\right)^2 Q = 2^{\mathrm{ord}_2(t)}\,\mathrm{cpr}_2(Q)\,u^2 \equiv 2^{\mathrm{ord}_2(t)}\,\mathrm{cpr}_2(t) \bmod 2^k . \]

Lemma 3.17. Let Q, t, and k be integers. Algorithm 2 performs $O(\log k)$ ring operations and outputs the number of primitive and non-primitive $2^k$-representations of t in Q.

Proof. We want to count the number of primitive and non-primitive $x \in \mathbb{Z}/2^k\mathbb{Z}$ such that $x^2Q \equiv t \bmod 2^k$. We distinguish between the following cases.

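Algorithm 2: CountMod2k1Dim($Q^{n=1}$, k, $\mathrm{sym}_{2^k}(t)$)

if $\mathrm{ord}_2(t) \ge k$ then
    if $\mathrm{ord}_2(Q) \ge k$ then prim := $2^{k-1}$; non-prim := $2^{k-1}$;
    else prim := 0; non-prim := $2^{k - \lceil (k - \mathrm{ord}_2(Q))/2 \rceil}$;
else if $\mathrm{ord}_2(t) - \mathrm{ord}_2(Q) < 0$ or $\mathrm{ord}_2(t) - \mathrm{ord}_2(Q)$ odd or $\mathrm{cpr}_2(t) \not\equiv \mathrm{cpr}_2(Q) \bmod \min\{8, 2^{k - \mathrm{ord}_2(t)}\}$ then prim := 0; non-prim := 0;
else
    if $k - \mathrm{ord}_2(t) \ge 3$ then rep := $4 \cdot 2^{(\mathrm{ord}_2(t) + \mathrm{ord}_2(Q))/2}$;
    else rep := $(k - \mathrm{ord}_2(t)) \cdot 2^{(\mathrm{ord}_2(t) + \mathrm{ord}_2(Q))/2}$;
    if $\mathrm{ord}_2(Q) = \mathrm{ord}_2(t)$ then prim := rep; non-prim := 0;
    else prim := 0; non-prim := rep;
return [prim, non-prim]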

$\mathrm{ord}_2(t) \ge k$. In this case, $t \bmod 2^k$ is 0 and hence,

\[ x^2 2^{\mathrm{ord}_2(Q)} \equiv 0 \bmod 2^k \iff 2^{k - \mathrm{ord}_2(Q)} \mid x^2 \iff 2^{\lceil \frac{k - \mathrm{ord}_2(Q)}{2} \rceil} \mid x \]

There are primitive representations iff $\mathrm{ord}_2(Q) \ge k$. But then, every $x \in \mathbb{Z}/2^k\mathbb{Z}$ is a representation. Recall, the 2-expansion of $x \in \mathbb{Z}/2^k\mathbb{Z}$ (Definition 2.7). By definition, x is primitive iff $d_0(x) = 1$. The rest of the k − 1 digits can be chosen freely. The number of primitive and non-primitive representations in the case of $\mathrm{ord}_2(Q) \ge k$ is then $2^{k-1}$ and $2^{k-1}$ respectively. Otherwise, if $\mathrm{ord}_2(Q) < k$ then there are no primitive representations and the number of non-primitive representations is $2^{k - \lceil \frac{k - \mathrm{ord}_2(Q)}{2} \rceil}$. This completes the case of $\mathrm{ord}_2(t) \ge k$.

$\mathrm{ord}_2(t) < k$. In this case, $t$ is a non-zero element of $\mathbb{Z}/2^k\mathbb{Z}$. It follows from Lemma 3.16 that $Q$ represents $t$ over $\mathbb{Z}/2^k\mathbb{Z}$ iff $\mathrm{ord}_2(t) - \mathrm{ord}_2(Q) \ge 0$, is even and $\mathrm{cpr}_2(t) \equiv \mathrm{cpr}_2(Q) \bmod \min\{8, 2^{k-\mathrm{ord}_2(t)}\}$. But then,

$$x^2Q \equiv t \bmod 2^k \iff x^2 \equiv 2^{\mathrm{ord}_2(t)-\mathrm{ord}_2(Q)}\,\mathrm{cpr}_2(t)\,\mathrm{cpr}_2(Q)^{-1} \bmod 2^{k-\mathrm{ord}_2(Q)}$$
$$\iff x = 2^{(\mathrm{ord}_2(t)-\mathrm{ord}_2(Q))/2}\, y, \quad y \in \mathbb{Z}/2^{k-(\mathrm{ord}_2(t)-\mathrm{ord}_2(Q))/2}\mathbb{Z}, \quad y^2 \equiv \mathrm{cpr}_2(t)\,\mathrm{cpr}_2(Q)^{-1} \pmod{2^{k-\mathrm{ord}_2(t)}} .$$

The number of possible representations is the number of $y \in \mathbb{Z}/2^{k-(\mathrm{ord}_2(t)-\mathrm{ord}_2(Q))/2}\mathbb{Z}$ satisfying $y^2 \equiv \mathrm{cpr}_2(t)\,\mathrm{cpr}_2(Q)^{-1} \bmod 2^{k-\mathrm{ord}_2(t)}$. By Lemma 3.13, there are exactly four possible $y$ over the ring $\mathbb{Z}/2^{k-\mathrm{ord}_2(t)}\mathbb{Z}$ if $k - \mathrm{ord}_2(t) > 2$, and $k - \mathrm{ord}_2(t)$ otherwise. Recall the 2-expansion of $y \in \mathbb{Z}/2^k\mathbb{Z}$ (Definition 2.7). There are $k - (\mathrm{ord}_2(t)-\mathrm{ord}_2(Q))/2$ digits in the 2-expansion; the first $(k - \mathrm{ord}_2(t))$ of which must be a solution to $y^2 \equiv \mathrm{cpr}_2(t)\,\mathrm{cpr}_2(Q)^{-1}$ modulo $2^{k-\mathrm{ord}_2(t)}$. The rest of the $(\mathrm{ord}_2(t)+\mathrm{ord}_2(Q))/2$ digits can be chosen freely from $\mathbb{Z}/2\mathbb{Z}$. Thus, the number of representations of $t$ by $Q$ over $\mathbb{Z}/2^k\mathbb{Z}$ is $2^{2+(\mathrm{ord}_2(Q)+\mathrm{ord}_2(t))/2}$ if $k - \mathrm{ord}_2(t) > 2$ and $(k - \mathrm{ord}_2(t))\,2^{(\mathrm{ord}_2(Q)+\mathrm{ord}_2(t))/2}$ otherwise. The correctness for $\mathrm{ord}_2(t) < k$ now follows from the fact that primitive representations exist iff $\mathrm{ord}_2(t) = \mathrm{ord}_2(Q)$. The computation of $\mathrm{ord}_2(Q)$ and $\mathrm{ord}_2(t)$ by fast exponentiation takes $O(\log k)$ ring operations.

3.3.3 Type II, p = 2

Recall Definition 3.2 of a type II quadratic form. In this section, we solve the representation problem for Type II matrices over $\mathbb{Z}/2^k\mathbb{Z}$. But first we define a scaled version of a type II matrix.

Definition 3.18. A two-by-two matrix of the following form is called a type II$^*$ matrix.

$$\begin{pmatrix} a & b/2 \\ b/2 & c \end{pmatrix} \qquad a, b, c \in \mathbb{Z},\ b \text{ odd}$$

Additionally, in this section we will think of type II$^*$ as the following quadratic form in formal variables $x_1, x_2$ which take values in the ring $\mathbb{Z}/2^k\mathbb{Z}$.

$$a x_1^2 + b x_1 x_2 + c x_2^2 \qquad a, b, c \in \mathbb{Z},\ b \text{ odd} . \tag{3.2}$$

Lemma 3.19. Let $Q^* = (a, b, c)$, $b$ odd, be a type II$^*$ integral quadratic form, and $t, k$ be positive integers. If $a_1, a_2 \in \mathbb{Z}/2\mathbb{Z}$ are such that $(a_1, a_2)$ represents $t$ over $\mathbb{Z}/2\mathbb{Z}$ and either $a_1$ or $a_2$ is odd, then there are exactly $2^{k-1}$ distinct representations $(x_1, x_2)$ of $t$ over $\mathbb{Z}/2^k\mathbb{Z}$ such that $x_1 \equiv a_1 \pmod 2$, $x_2 \equiv a_2 \pmod 2$.

Proof. We prove this by induction on $k$. We show that given a representation $y_1, y_2$ of $t$ over the ring $\mathbb{Z}/2^i\mathbb{Z}$, for $i \ge 1$, such that at least one of $y_1, y_2$ is odd, there are exactly two representations $z_1, z_2$ of $t$ over the ring $\mathbb{Z}/2^{i+1}\mathbb{Z}$ such that $z_1 \equiv y_1 \pmod{2^i}$, $z_2 \equiv y_2 \pmod{2^i}$.

Let $(y_1, y_2)$ be a representation of $t$ by $Q^*$ over $\mathbb{Z}/2^i\mathbb{Z}$. Then, the pair of integers $(z_1, z_2)$ such that $(z_1, z_2) \equiv (y_1, y_2) \pmod{2^i}$ is a representation of $t$ over $\mathbb{Z}/2^{i+1}\mathbb{Z}$ iff

$$z_1 \equiv y_1 + b_1 \cdot 2^i \pmod{2^{i+1}}, \quad z_2 \equiv y_2 + b_2 \cdot 2^i \pmod{2^{i+1}}, \quad b_1, b_2 \in \{0, 1\},$$
$$a z_1^2 + b z_1 z_2 + c z_2^2 \equiv t \pmod{2^{i+1}} \tag{3.3}$$

Plugging in the values of $z_1$ and $z_2$ and re-arranging we get the following equation.

$$(b b_2 y_1 + b b_1 y_2)\,2^i \equiv t - (a y_1^2 + b y_1 y_2 + c y_2^2) \pmod{2^{i+1}} \tag{3.4}$$

As $b$ is odd, $b$ is invertible over $\mathbb{Z}/2^{i+1}\mathbb{Z}$. By assumption, $y_1, y_2$ represent $t$ over $\mathbb{Z}/2^i\mathbb{Z}$ and hence $2^i$ divides $t - (a y_1^2 + b y_1 y_2 + c y_2^2)$. Equation 3.4 reduces to the following equation.

$$b_2 y_1 + b_1 y_2 \equiv \frac{t - (a y_1^2 + b y_1 y_2 + c y_2^2)}{2^i b} \pmod 2 \tag{3.5}$$

We now split the proof in two cases: i) when $y_1$ is odd, and ii) when $y_1$ is even and $y_2$ is odd.

$y_1$ odd. For each choice of $b_1 \in \{0, 1\}$ there is a unique choice for $b_2$ because $y_1 \equiv 1 \pmod 2$.

$$b_1 \in \{0, 1\}, \qquad b_2 = \frac{t - (a y_1^2 + b y_1 y_2 + c y_2^2)}{2^i b} - b_1 y_2 \pmod 2$$

$y_1$ even. In this case, $y_2 \equiv 1 \pmod 2$ and so $b_2$ can be chosen freely.

$$b_2 \in \{0, 1\}, \qquad b_1 = \frac{t - (a y_1^2 + b y_1 y_2 + c y_2^2)}{2^i b} \pmod 2$$

Lemma 3.20. Let $Q^{n=2}$ be a type II matrix and $t, k$ be positive integers. Algorithm 3 performs $O(k \log k)$ ring operations and counts the number of primitive and non-primitive representations of $t$ by $Q$ over $\mathbb{Z}/2^k\mathbb{Z}$.

Proof. We want to count the number of primitive and non-primitive $x = (x_1, x_2) \in (\mathbb{Z}/2^k\mathbb{Z})^2$ such that $x'Qx \equiv t \bmod 2^k$. Let $Q = \begin{pmatrix} 2^{\ell+1}a & 2^{\ell}b \\ 2^{\ell}b & 2^{\ell+1}c \end{pmatrix}$, $b$ odd. Then,

$$x'Qx \equiv t \bmod 2^k \iff 2^{\ell+1}(a x_1^2 + b x_1 x_2 + c x_2^2) \equiv t \bmod 2^k \tag{3.6}$$

Recall, $(x_1, x_2) \in (\mathbb{Z}/2^k\mathbb{Z})^2$ is non-primitive (Definition 2.5) iff both $x_1$ and $x_2$ are even. We distinguish the following cases.

$\ell + 1 \ge k$. In this case, $Q$ is identically 0 over $\mathbb{Z}/2^k\mathbb{Z}$ and hence only represents 0. If $t$ is also 0 over $\mathbb{Z}/2^k\mathbb{Z}$, i.e., $\mathrm{ord}_2(t) \ge k$, then the number of primitive and non-primitive representations of $t$ over $\mathbb{Z}/2^k\mathbb{Z}$ is $3 \cdot 4^{k-1}$ and $4^{k-1}$ respectively.

$\ell + 1 > \mathrm{ord}_2(t)$. Everything $Q$ represents is a multiple of $2^{\ell+1}$ and so $Q$ cannot represent $t$ in this case.

$\mathrm{ord}_2(t) \ge \ell + 1$. In this case, we divide Equation 3.6 by $2^{\ell+1}$.

$$2^{\ell+1}(a x_1^2 + b x_1 x_2 + c x_2^2) \equiv t \bmod 2^k$$
$$\iff a x_1^2 + b x_1 x_2 + c x_2^2 \equiv 2^{\mathrm{ord}_2(t)-\ell-1}\,\mathrm{cpr}_2(t) \pmod{2^{k-\ell-1}} \tag{3.7}$$

Both $x_1$ and $x_2$ are elements of the ring $\mathbb{Z}/2^k\mathbb{Z}$. But Equation 3.7 is defined modulo $2^{k-\ell-1}$. Recall Definition 2.7 of 2-expansion. From the equivalence relation $(x \bmod q) \cdot (y \bmod q) \equiv xy \pmod q$, it follows that the last $2^{\ell+1}$ digits of both $x_1$ and $x_2$ can be chosen freely. The number of primitive (or non-primitive) representations of $t$ by $Q$ over $\mathbb{Z}/2^k\mathbb{Z}$ is equal to $4^{\ell+1}$ times the number of primitive (resp., non-primitive) solutions of the following equation over $\mathbb{Z}/2^{k-\ell-1}\mathbb{Z}$.

$$a y_1^2 + b y_1 y_2 + c y_2^2 \equiv 2^{\mathrm{ord}_2(t)-\ell-1}\,\mathrm{cpr}_2(t) \pmod{2^{k-\ell-1}} . \tag{3.8}$$

Every solution $(y_1, y_2)$ of Equation 3.9 falls in two categories, i) at least one of $y_1, y_2$ is odd, or ii) both are even.

$y_1$ or $y_2$ odd. In this case, $(a_1, a_2) = (y_1, y_2) \pmod 2$ represents $t$ over $\mathbb{Z}/2\mathbb{Z}$ and we can apply Lemma 3.19. By construction, these are primitive solutions.

$y_1$ and $y_2$ even. In this case, 4 must divide $t$ and by definition every representation is non-primitive. We can divide the equation by 4 to get the following equation (assume $t^* = t/2^{\ell+1}$, $k^* = k - \ell - 1$).

$$a(y_1/2)^2 + b(y_1/2)(y_2/2) + c(y_2/2)^2 \equiv t^*/4 \pmod{2^{k^*-2}} \tag{3.9}$$

Algorithm 3: CountTypeII($Q^{n=2}$, $\mathrm{sym}_{2^k}(t)$, $k$)
    $\ell$ := $\mathrm{ord}_2(Q_{12})$
    if $\ell + 1 \ge k$ then
        if $\mathrm{ord}_2(t) \ge k$ then non-prim := $4^{k-1}$; prim := $4^k$ − non-prim
        else prim := 0; non-prim := 0
    else if $\mathrm{ord}_2(t) < \ell + 1$ then prim := 0; non-prim := 0
    else
        prim := 0; non-prim := 0; $k := k - \ell - 1$; $t := t/2^{\ell+1}$; $Q^* := Q/2^{\ell+1}$
        for $[a_1, a_2] \in \{[0, 1], [1, 0], [1, 1]\}$ do
            if $(a_1, a_2)\,Q^*\,(a_1, a_2)' \equiv t \pmod 2$ then prim += $2^{k-1}$
        if $t \equiv 0 \pmod 4$ then
            if $k = 1$ then non-prim += 1
            else
                $[n_1, n_2]$ := CountTypeII($Q^*$, $t/4$, $k - 2$)
                non-prim += $4(n_1 + n_2)$
        [prim, non-prim] := [$4^{\ell+1} \cdot$ prim, $4^{\ell+1} \cdot$ non-prim]
    return [prim, non-prim]

Again, $y_1/2, y_2/2$ are elements of $\mathbb{Z}/2^{k^*-1}\mathbb{Z}$ but Equation 3.9 is defined modulo $2^{k^*-2}$. Thus, the last bit of $y_1$ and $y_2$ can be chosen freely. So, we can solve Equation 3.10 over $\mathbb{Z}/2^{k^*-2}\mathbb{Z}$ and then multiply by 4 to get the number of solutions of Equation 3.9 over $\mathbb{Z}/2^{k^*}\mathbb{Z}$. This completes the proof of correctness of Algorithm 3.

$$a z_1^2 + b z_1 z_2 + c z_2^2 \equiv t^*/4 \pmod{2^{k^*-2}} \tag{3.10}$$

The algorithm works with $k$ bit numbers and each recursive call reduces $k$ by 2. One can compute $\mathrm{ord}_2(t)$ as well as $\mathrm{ord}_2(Q)$ once, costing $O(\log k)$ ring operations. Thus, the algorithm takes $O(k \log k)$ ring operations in total.
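The counting argument of Lemma 3.19 and Lemma 3.20, written out as an added Python example (not code from the thesis): `count_type2` follows the case analysis of the proof rather than the exact control flow of Algorithm 3, and `brute_force` enumerates $(\mathbb{Z}/2^k\mathbb{Z})^2$ as a cross-check. The function names, the `(a, b, c, ell)` parametrisation of $Q$ and the convention used for $k = 0$ are assumptions of this example.

```python
"""Count primitive / non-primitive solutions of x'Qx = t (mod 2^k), Q a Type II block."""
from itertools import product


def count_type2_star(a, b, c, t, k):
    """(prim, non_prim) solutions of a*y1^2 + b*y1*y2 + c*y2^2 = t (mod 2^k), b odd."""
    assert b % 2 == 1, "type II* forms need an odd middle coefficient"
    if k == 0:
        # Convention of this example: the trivial ring has a single element,
        # booked as non-primitive so that the recursion below can sum it.
        return (0, 1)
    t %= 2 ** k
    # Lemma 3.19: each solution mod 2 with an odd coordinate has 2^(k-1) lifts.
    prim = 0
    for a1, a2 in ((0, 1), (1, 0), (1, 1)):
        if (a * a1 * a1 + b * a1 * a2 + c * a2 * a2 - t) % 2 == 0:
            prim += 2 ** (k - 1)
    # Both coordinates even: y = 2z turns the equation into 4*f(z) = t (mod 2^k).
    if k == 1:
        non_prim = 1 if t % 2 == 0 else 0
    elif t % 4 == 0:
        # f(z) = t/4 (mod 2^(k-2)); the top bit of each z_i is free, hence the 4.
        non_prim = 4 * sum(count_type2_star(a, b, c, t // 4, k - 2))
    else:
        non_prim = 0
    return (prim, non_prim)


def count_type2(a, b, c, ell, t, k):
    """(prim, non_prim) for Q = [[2^(ell+1)a, 2^ell b], [2^ell b, 2^(ell+1)c]], k >= 1."""
    t %= 2 ** k
    if ell + 1 >= k:                       # Q vanishes modulo 2^k
        return (3 * 4 ** (k - 1), 4 ** (k - 1)) if t == 0 else (0, 0)
    if t % 2 ** (ell + 1) != 0:            # ord_2(t) < ell + 1: not represented
        return (0, 0)
    prim, non_prim = count_type2_star(a, b, c, t >> (ell + 1), k - ell - 1)
    scale = 4 ** (ell + 1)                 # free high digits of x1 and x2
    return (scale * prim, scale * non_prim)


def brute_force(a, b, c, ell, t, k):
    """Same counts by enumerating every (x1, x2) in (Z/2^k Z)^2."""
    q = 2 ** k
    prim = non_prim = 0
    for x1, x2 in product(range(q), repeat=2):
        value = 2 ** (ell + 1) * (a * x1 * x1 + b * x1 * x2 + c * x2 * x2)
        if (value - t) % q == 0:
            if x1 % 2 == 0 and x2 % 2 == 0:
                non_prim += 1
            else:
                prim += 1
    return (prim, non_prim)


if __name__ == "__main__":
    # Constructed sample: Q = [[2, 1], [1, 2]], t = 2, modulus 2^3.
    print(count_type2(1, 1, 1, 0, 2, 3), brute_force(1, 1, 1, 0, 2, 3))
```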

3.3.4 Calculating Split Size

Let $p$ be a prime, $k$ be a positive integer and $\gamma$ be a $p^k$-symbol. For notational convenience, we define $\mathcal{Y}_{p^k}(\gamma) = \{x \in \mathbb{Z}/p^k\mathbb{Z} \mid \mathrm{sym}_{p^k}(x) = \gamma\}$ and $Y_{p^k}(\gamma)$ as the cardinality of $\mathcal{Y}_{p^k}(\gamma)$. Let $\gamma, \gamma_1, \gamma_2$ be $p^k$-symbols. In this section, we compute $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$, i.e., for a fixed $t \in \mathcal{Y}_{p^k}(\gamma)$ the cardinality of the following set.

$$\{(a, b) \in (\mathbb{Z}/p^k\mathbb{Z})^2 \mid \mathrm{sym}_{p^k}(a) = \gamma_1,\ \mathrm{sym}_{p^k}(b) = \gamma_2,\ a + b \equiv t \bmod p^k\}$$

But first, we mention the following useful result from [Per52]. For completeness, a proof is provided in the Appendix.

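Lemma 3.21. For an odd prime $p$, and non-zero $a \in \mathbb{Z}/p\mathbb{Z}$ the number of tuples $(x, x + a) \in (\mathbb{Z}/p\mathbb{Z})^2$ such that $\left(\frac{x}{p}\right) = s_1$, $\left(\frac{x+a}{p}\right) = s_2$ and $s_1, s_2 \in \{-1, 1\}$ is given by the following formula.

$$\frac{1}{4} \cdot \left\{ p - (p \bmod 4) - \left(\left(\frac{a}{p}\right) + s_1\right) \cdot \left(\left(\frac{-a}{p}\right) + s_2\right) \right\} \tag{3.11}$$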

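Lemma 3.22. Let $p$ be a prime, $k$ be a positive integer, and $\gamma_1, \gamma_2, \gamma$ be $p^k$-symbols with $\mathrm{ord}_p(\gamma) = \mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2) < k$. Then, the size of the $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$ is 0 for $p = 2$ and otherwise it is calculated by substituting $\left(\frac{a}{p}\right) = \mathrm{sgn}_p(\gamma_1)$, $s_1 = \mathrm{sgn}_p(\gamma_2)$ and $s_2 = \mathrm{sgn}_p(\gamma)$ in Equation 3.11 and multiplying the result by $p^{k-\mathrm{ord}_p(\gamma)-1}$.

Proof. The equality $\mathrm{ord}_p(\gamma) = \mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2)$ is not possible in case $p = 2$ because the sum of two numbers of the same 2-order is always a number of higher 2-order. For odd prime $p$, if $t \in \mathbb{Z}/p^k\mathbb{Z}$ is such that $\mathrm{sym}_{p^k}(t) = \gamma$, then we are looking for the number of solutions in $\mathbb{Z}/p^k\mathbb{Z}$ of the following equation.

$$p^{\mathrm{ord}_p(\gamma)}\,\mathrm{cpr}_p(a) + p^{\mathrm{ord}_p(\gamma)}\,\mathrm{cpr}_p(b) \equiv p^{\mathrm{ord}_p(\gamma)}\,\mathrm{cpr}_p(t) \bmod p^k$$
$$\iff \mathrm{cpr}_p(a) + \mathrm{cpr}_p(b) \equiv \mathrm{cpr}_p(\gamma) \bmod p^{k-\mathrm{ord}_p(\gamma)} \tag{3.12}$$

The number of solutions of Equation 3.12 modulo $p$ is given by Lemma 3.21. The other $(k - \mathrm{ord}_p(\gamma) - 1)$ digits in the $p$-expansion of $\mathrm{cpr}_p(a)$ can be chosen freely. Thus, the number of possibilities multiplies by $p^{k-\mathrm{ord}_p(\gamma)-1}$.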

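It turns out that if $\mathrm{ord}_p(\gamma) \ne \mathrm{ord}_p(\gamma_1)$ then for every $a \in \mathcal{Y}_{p^k}(\gamma_1)$, $t \in \mathcal{Y}_{p^k}(\gamma)$ the value of $\mathrm{sym}_{p^k}(t - a)$ does not depend on the specific choice of $a$, or $t$. The following lemma proves this assertion.

Lemma 3.23. Let $p$ be a prime, $k$ be a positive integer, $\gamma_1, \gamma_2, \gamma$ be $p^k$-symbols with $\mathrm{ord}_p(\gamma) \ne \mathrm{ord}_p(\gamma_1)$. Then, for

$$\gamma_3 = \begin{cases} \gamma & \text{if } p \ne 2,\ \mathrm{ord}_p(\gamma) < \mathrm{ord}_p(\gamma_1) \\ \left(\mathrm{ord}_p(\gamma_1), \left(\frac{-1}{p}\right)\mathrm{sgn}_p(\gamma_1)\right) & \text{if } p \ne 2,\ \mathrm{ord}_p(\gamma) > \mathrm{ord}_p(\gamma_1) \\ (\mathrm{ord}_2(\gamma), s_1) & \text{if } p = 2,\ \mathrm{ord}_2(\gamma) < \mathrm{ord}_2(\gamma_1) \text{ and,} \\ (\mathrm{ord}_2(\gamma_1), s_2) & \text{if } p = 2,\ \mathrm{ord}_2(\gamma) > \mathrm{ord}_2(\gamma_1), \end{cases}$$

where,

$$s_1 := \mathrm{sgn}_2(\gamma) - 2^{\mathrm{ord}_2(\gamma_1)-\mathrm{ord}_2(\gamma)}\,\mathrm{sgn}_2(\gamma_1) \bmod 8$$
$$s_2 := 2^{\mathrm{ord}_2(\gamma)-\mathrm{ord}_2(\gamma_1)}\,\mathrm{sgn}_2(\gamma) - \mathrm{sgn}_2(\gamma_1) \bmod 8,$$

we have,

$$S^{\gamma}_{p^k}(\gamma_1, \gamma_2) = \begin{cases} Y_{p^k}(\gamma_1) & \text{if } \gamma_2 = \gamma_3, \text{ and} \\ 0 & \text{otherwise.} \end{cases}$$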

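Proof. By the statement of the lemma, $\mathrm{ord}_p(\gamma) \ne \mathrm{ord}_p(\gamma_1)$. Let $a \in \mathcal{Y}_{p^k}(\gamma_1)$ and $t \in \mathcal{Y}_{p^k}(\gamma)$ be arbitrary elements. Then, it suffices to show that $\mathrm{sym}_{p^k}(t - a) = \gamma_3$.

By definition of $p$-order, $\mathrm{ord}_p(t - a) = \min\{\mathrm{ord}_p(a), \mathrm{ord}_p(t)\}$. This shows that $\mathrm{ord}_p(t - a) = \mathrm{ord}_p(\gamma_3)$. Next, we show that $\mathrm{sgn}_p(t - a) = \mathrm{sgn}_p(\gamma_3)$. We divide the proof of this fact in two parts, depending on the prime $p$.

$p$ odd. By definition of $p$-sign, it follows that $\mathrm{sgn}_p(t - a) = \mathrm{sgn}_p(\gamma_3)$ from the equation below.

$$\mathrm{sgn}_p(t - a) = \left(\frac{\mathrm{cpr}_p(t - a)}{p}\right) = \begin{cases} \left(\frac{-\mathrm{cpr}_p(a)}{p}\right) & \text{if } \mathrm{ord}_p(t) > \mathrm{ord}_p(a), \text{ and,} \\ \left(\frac{\mathrm{cpr}_p(t)}{p}\right) & \text{otherwise.} \end{cases}$$

$p = 2$. By definition of 2-sign, it follows that $\mathrm{sgn}_2(t - a) = \mathrm{sgn}_2(\gamma_3)$ from the equality below.

$$\mathrm{sgn}_2(t - a) = \mathrm{cpr}_2(t - a) \bmod 8 = \begin{cases} s_1 & \text{if } \mathrm{ord}_2(\gamma) < \mathrm{ord}_2(\gamma_1) \text{ and,} \\ s_2 & \text{otherwise.} \end{cases}$$

Next, we compute the cardinality of $\mathcal{Y}_{p^k}(\gamma)$ for an arbitrary $p^k$-symbol $\gamma$.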

Lemma 3.24. Let $p$ be a prime, $k$ be a positive integer and $a \in \mathbb{Z}/p^k\mathbb{Z}$ be a non-zero integer. Then,

$$Y_{p^k}(\mathrm{sym}_{p^k}(a)) = \begin{cases} \max\{2^{k-\mathrm{ord}_2(a)-3}, 1\} & \text{if } p = 2 \\ \frac{p-1}{2}\, p^{k-\mathrm{ord}_p(a)-1} & \text{otherwise.} \end{cases}$$

Proof. Let $x \in \mathbb{Z}/p^k\mathbb{Z}$ be an element with the same $p$-symbol as $a$. Then, $\mathrm{ord}_p(x) = \mathrm{ord}_p(a)$ and $\mathrm{sgn}_p(x) = \mathrm{sgn}_p(a)$. Recall the $p$-expansion of $x$, i.e., Definition 2.7. There are $k$ digits in the $p$-expansion of $x$ for $x \in \mathbb{Z}/p^k\mathbb{Z}$; the first $\mathrm{ord}_p(a)$ of which must be identically 0.

For odd prime $p$, $\mathrm{sgn}_p(x) = \mathrm{sgn}_p(a)$ iff $\left(\frac{\mathrm{cpr}_p(x)\,\mathrm{cpr}_p(a)}{p}\right) = 1$. Thus, the $(\mathrm{ord}_p(a) + 1)$'th digit of $x$ must be a non-zero element of $\mathbb{Z}/p\mathbb{Z}$ with the same sign as $\left(\frac{\mathrm{cpr}_p(a)}{p}\right)$. By Lemma 2.2, there are $\frac{p-1}{2}$ possibilities for the $(\mathrm{ord}_p(a) + 1)$'th digit of $x$. The rest can be chosen freely from $\mathbb{Z}/p\mathbb{Z}$.

For the prime 2, $\mathrm{sgn}_2(x) = \mathrm{sgn}_2(a)$ iff $\mathrm{cpr}_2(x) \equiv \mathrm{cpr}_2(a) \bmod 8$. Thus, the digits $(\mathrm{ord}_p(a) + 1), \cdots, (\mathrm{ord}_p(a) + 2)$ of $x$ must match those of $a$. The rest can be chosen freely from $\mathbb{Z}/2\mathbb{Z}$.

We are now ready to compute the size of the class $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$.

Lemma 3.25. Let $p$ be a prime, $k$ be an integer and $\gamma, \gamma_1, \gamma_2$ be $p^k$-symbols. Then, Algorithm computes $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$ and performs only $O(1)$ operations over integers of size $O(p^{2k})$.

Proof. Recall the definition of $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$. For any choice $t \in \mathcal{Y}_{p^k}(\gamma)$, it is the size of the following set.

$$\{(a, b) \mid a \in \mathcal{Y}_{p^k}(\gamma_1),\ b \in \mathcal{Y}_{p^k}(\gamma_2),\ a + b \equiv t \bmod p^k\} \tag{3.13}$$

Consider the situation when $\mathrm{ord}_p(\gamma) = \infty$. In this case, $t \equiv 0 \bmod p^k$. By Equation 3.13, it follows that $\mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2)$. There are two possible sub-cases.

$\mathrm{ord}_p(\gamma_1) = \infty$. In this case, $\mathrm{ord}_p(\gamma_2) = \infty$ and the only possible element in the set $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$ is $(0, 0)$.

$\mathrm{ord}_p(\gamma_1) < k$. Note that $\mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2)\ (= \alpha)$, say. Then, we are looking for the number of solutions of the following equation.

$$p^{\alpha}\nu_1 + p^{\alpha}\nu_2 \equiv 0 \bmod p^k \qquad \nu_1, \nu_2 \in (\mathbb{Z}/p^k\mathbb{Z})^{\times}$$

The number of solutions is equal to the number of possible elements in $\mathbb{Z}/p^k\mathbb{Z}$ with $p$-order $\alpha$. This equals $p^{k-\alpha-1}$ times $(p - 1)$.

Otherwise, $\mathrm{ord}_p(\gamma) < k$. If exactly one of $\mathrm{ord}_p(\gamma_1)$ and $\mathrm{ord}_p(\gamma_2)$ equals $\infty$ then $S^{\gamma}_{p^k}(\gamma_1, \gamma_2) = 1$. If both equal $\infty$, then the set $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$ is empty.

It remains to consider the case when $\mathrm{ord}_p(\gamma), \mathrm{ord}_p(\gamma_1), \mathrm{ord}_p(\gamma_2) < k$. There are three sub-cases.

$\mathrm{ord}_p(\gamma) \ne \mathrm{ord}_p(\gamma_1)$. The correctness follows from Lemma 3.23.

$\mathrm{ord}_p(\gamma) \ne \mathrm{ord}_p(\gamma_2)$. The correctness follows from Lemma 3.23.

$\mathrm{ord}_p(\gamma) = \mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2)$. The correctness follows from Lemma 3.22.

The size of the set $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$ is bounded by the number of elements in $(\mathbb{Z}/p^k\mathbb{Z})^2$, which is $p^{2k}$.

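Algorithm 4: SplitClassSize($p$, $k$, $\gamma$, $\gamma_1$, $\gamma_2$)
    if $\mathrm{ord}_p(\gamma) = \infty$ then
        if $\mathrm{ord}_p(\gamma_1) \ne \mathrm{ord}_p(\gamma_2)$ then return 0
        else if $\mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2) = \infty$ then return 1
        else return $(p - 1)\,p^{k-\mathrm{ord}_p(\gamma_1)-1}$
    if $\mathrm{ord}_p(\gamma_1) = \infty$ and $\mathrm{ord}_p(\gamma_2) = \infty$ then return 0
    if $\mathrm{ord}_p(\gamma_1) = \infty$ or $\mathrm{ord}_p(\gamma_2) = \infty$ then return 1
    if $\mathrm{ord}_p(\gamma) = \mathrm{ord}_p(\gamma_1)$ then swap($\gamma_1$, $\gamma_2$)
    if $\mathrm{ord}_p(\gamma) = \mathrm{ord}_p(\gamma_1)$ then
        if $p = 2$ then return 0
        else
            $x := (\mathrm{sgn}_p(\gamma_2) + \mathrm{sgn}_p(\gamma_1))\left(\left(\frac{-1}{p}\right)\mathrm{sgn}_p(\gamma_1) + \mathrm{sgn}_p(\gamma)\right)$
            return $\frac{p^{k-\mathrm{ord}_p(\gamma)-1}}{4}\,(p - (p \bmod 4) - x)$
    else
        if $p = 2$ then
            if $\mathrm{ord}_p(\gamma_1) < \mathrm{ord}_p(\gamma)$ then $\gamma_3 := (\mathrm{ord}_p(\gamma_1),\ 2^{\mathrm{ord}_p(\gamma)-\mathrm{ord}_p(\gamma_1)}\,\mathrm{sgn}_2(\gamma) - \mathrm{sgn}_2(\gamma_1) \bmod 8)$
            else $\gamma_3 := (\mathrm{ord}_p(\gamma),\ \mathrm{sgn}_2(\gamma) - 2^{\mathrm{ord}_p(\gamma_1)-\mathrm{ord}_p(\gamma)}\,\mathrm{sgn}_2(\gamma_1) \bmod 8)$
        else
            if $\mathrm{ord}_p(\gamma_1) < \mathrm{ord}_p(\gamma)$ then $\gamma_3 := \left(\mathrm{ord}_p(\gamma_1), \left(\frac{-1}{p}\right)\mathrm{sgn}_p(\gamma_1)\right)$
            else $\gamma_3 := \gamma$
        if $\gamma_3 = \gamma_2$ then return $Y_{p^k}(\gamma_1)$
        else return 0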

3.3.5 Dimension > 1, Any Prime

Theorem 3.26. Let $p$ be a prime, $k$ be a positive integer, $t \in \mathbb{Z}/p^k\mathbb{Z}$ and $Q^n$ be an integral quadratic form. Then, there is an algorithm that counts the total, primitive and non-primitive number of $p^k$-representations of $t$ by $Q$ in $O(n^{1+\omega} \log k + nk^3 + n \log p)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$.

Proof. Let $D^n = \mathrm{diag}(D_1, \cdots, D_a)$ be the block diagonal quadratic form (see Definition 3.2) equivalent to $Q$ over the ring $\mathbb{Z}/p^k\mathbb{Z}$, where each $D_i$ is either a Type I or a Type II block (it takes $O(n^{1+\omega} \log k)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$ to block diagonalize). From Theorem 3.3, Lemma 3.1 and Lemma 3.6, it follows that

$$A_{p^k}(Q, t) = A_{p^k}(D, \mathrm{sym}_{p^k}(t)) \qquad B_{p^k}(Q, t) = B_{p^k}(D, \mathrm{sym}_{p^k}(t)) \qquad C_{p^k}(Q, t) = A_{p^k}(D, \mathrm{sym}_{p^k}(t))$$

We show how to calculate $A_{p^k}(D, \mathrm{sym}_{p^k}(t))$, using dynamic programming. Let us define $Q_i$, ord and sgn as follows.

$$Q_i = \mathrm{diag}(D_1, \ldots, D_i) \qquad \mathrm{ord} = \{\infty, 0, \cdots, k - 1\} \qquad \mathrm{sgn} = \begin{cases} \{0, 1, 3, 5, 7\} & \text{if } p = 2 \\ \{0, +1, -1\} & \text{otherwise} \end{cases}$$

One now proceeds as follows.

(i.) For each possible $p^k$-symbol $\gamma \in \mathrm{ord} \times \mathrm{sgn}$ and each $i \in [a]$, compute $A_{p^k}(D_i, \gamma)$. The calculation can be done using Lemma 3.15, Lemma 3.17 or Lemma 3.20 depending on $p$ and the type of $D_i$. There are $O(k)$ possible values for $\gamma$, $a$ is bounded by $n$ and the calculation of $A_{p^k}(D_i, \gamma)$ takes $O(k \log k + \log p)$ ring operations. Thus, the number of ring operations needed for this step is $O(nk \log k + n \log p)$.

(ii.) For each possible triple of $p^k$-symbols $\gamma, \gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}$ compute the split set size $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$ by Lemma 3.22 and Lemma 3.23, taking $O(1)$ each. In total, this step requires $O(k^3)$ operations over integers.

(iii.) Starting from $i = 1$, for each possible value of $p^k$-symbol $\gamma$, use the following formula (i.e., dynamic programming) to build the final result, i.e., $A_{p^k}(D, \mathrm{sym}_{p^k}(t))$.

$$A_{p^k}(Q_i \oplus D_{i+1}, \gamma) = \sum_{\gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}} S^{\gamma}_{p^k}(\gamma_1, \gamma_2) \cdot A_{p^k}(Q_i, \gamma_1) \cdot A_{p^k}(D_{i+1}, \gamma_2) \tag{3.14}$$

Note that $S^{\gamma}_{p^k}(\gamma_1, \gamma_2)$ and $A_{p^k}(D_{i+1}, \gamma_2)$ have been pre-computed. For each $i$, the summation in Equation 3.14 takes $O(k^2)$ operations over integers. As the computation needs to be done for each possible $p^k$-symbol $\gamma$, in total, this step takes $O(k^3)$ operations over $\mathbb{Z}$. The final solution can then be built by dynamic programming in $O(nk^3)$ operations over the integers.

The overall complexity of this algorithm is $O(n^{1+\omega} \log k + nk^3 + n \log p)$.

The calculation for $C_{p^k}(Q, t)$ is the same, i.e., replace $A_{p^k}$ by $C_{p^k}$. The number $B_{p^k}(Q, t)$ can be calculated by taking the difference of $A_{p^k}(Q, t)$ and $C_{p^k}(Q, t)$.

3.3.6 Computing Local Density

Let $Q^n$ be a quadratic form, $k, t$ be positive integers and $p$ be a prime. As defined earlier, $A_{p^k}(Q, t)$ is the number of solutions of $x'Qx \equiv t \bmod p^k$ over the ring $\mathbb{Z}/p^k\mathbb{Z}$. For sufficiently large $k$, the quantity $A_{p^k}(Q, t) = \alpha_p(Q, t)\,p^{k(n-1)}$, where $\alpha_p(Q, t)$ is a function of $Q$ and $t$ and is called the local density. Note that there are $p^{kn}$ possible choices for $x \in (\mathbb{Z}/p^k\mathbb{Z})^n$ and so one can interpret $\alpha_p(Q, t)/p^k$ as the probability that a random choice from $(\mathbb{Z}/p^k\mathbb{Z})^n$ will satisfy the equation $x'Qx \equiv t \bmod p^k$.

There are several papers on computing the local density [Yan98]. Our methods give an alternative way to compute the local density in polynomial time. It can be shown that $k = 1 + \mathrm{ord}_p(8t \det(Q))$ suffices for computing the local density (pp 378-381, [CS99]). Thus,

$$\alpha_p(Q, t) = \frac{A_{p^s}(Q, t)}{p^{s(n-1)}} \qquad s = 1 + \mathrm{ord}_p(8t \det(Q))$$

This implies that the computation of $A_{p^k}(Q, t)$ for $k \ge 1 + \mathrm{ord}_p(8t \det(Q))$ can be done in a number of ring operations over $\mathbb{Z}/p^k\mathbb{Z}$ that does not depend on $k$. Note that the bit complexity of the algorithm will still depend on $k$ because the ring operations are performed in the ring $\mathbb{Z}/p^k\mathbb{Z}$.

We are not aware if a similar idea works for $C_{p^k}(Q, t)$ or $B_{p^k}(Q, t)$.

3.4 Sampling a Uniform Representation

Let $Q^n$ be an integral quadratic form, $p$ be a prime, $k$ be a positive integer and $t$ be an element of the ring $\mathbb{Z}/p^k\mathbb{Z}$. In this section, we generate a uniformly random primitive representation of $t$ by $Q$ over $\mathbb{Z}/p^k\mathbb{Z}$. The algorithm runs in time $\mathrm{poly}(n, k, \log p)$ and fails with constant probability. Otherwise, the algorithm outputs a uniformly random primitive representation. A uniform representation and a uniform non-primitive representation can also be generated similarly. Note that we are assuming that a representation of the correct kind (primitive, non-primitive) exists.

3.4.1 Sampling Uniformly from a Split

Let $p$ be a prime, $k$ be a positive integer, $t$ be an element of $\mathbb{Z}/p^k\mathbb{Z}$ and $\gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}$ be a pair of $p^k$-symbols. We show how to generate a uniform pair $(a, b) \in (\mathbb{Z}/p^k\mathbb{Z})^2$ from the following set:

$$\{(x, y) \in (\mathbb{Z}/p^k\mathbb{Z})^2 \mid \mathrm{sym}_{p^k}(x) = \gamma_1,\ \mathrm{sym}_{p^k}(y) = \gamma_2,\ x + y \equiv t \bmod p^k\} \tag{3.15}$$

Recall Lemma 3.22 and Lemma 3.23. There are three possible cases and in each case a uniform pair can be generated as follows.

$\mathrm{ord}_p(\gamma_1) \ne \mathrm{ord}_p(t)$. In this case, by Lemma 3.23, a uniform pair can be generated by picking a uniform $a$ from $S_{p^k}(\gamma_1)$ (use Lemma 3.27), and outputting $(a, t - a \bmod p^k)$.

$\mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(t) \ne \mathrm{ord}_p(\gamma_2)$. Pick a uniform $a$ from $S_{p^k}(\gamma_2)$ (use Lemma 3.27), and output $(t - a \bmod p^k, a)$. Correctness follows from Lemma 3.23.

$\mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2) = \mathrm{ord}_p(t)$. Recall Lemma 3.22. This can never happen when $p = 2$. Otherwise, generate using Lemma 3.28.

Lemma 3.27. Let $p$ be a prime, $k$ be a positive integer, and $\gamma$ be a $p^k$-symbol. Then, there is an algorithm that performs $O(\log p)$ ring operations and (i) for $p = 2$, outputs a uniform element from the set $\mathcal{Y}_{2^k}(\gamma)$, and (ii) for $p$ odd, with probability 1/6 outputs a uniform element from the set $\mathcal{Y}_{p^k}(\gamma)$.

Proof. If $\gamma$ is $\mathrm{sym}_{p^k}(0)$ then output 0. Otherwise, proceed as follows. Let $\mathrm{ord}_p(\gamma) = i$ and $\mathrm{sgn}_p(\gamma) = s$. By Definition 3.4, $s$ is in the set $\{1, -1\}$ for odd prime $p$ and $\{1, 3, 5, 7\}$ otherwise. If $r$ is an element of the set $\{x \in \mathbb{Z}/p^k\mathbb{Z} \mid \mathrm{sym}_{p^k}(x) = \gamma\}$ then $r = p^i b$, where $1 \le b < p^{k-i}$ is a number coprime to $p$ and $\mathrm{sgn}_p(b) = s$. Thus, it suffices to generate a uniform number in the set

$$S = \{y \mid 1 \le y < p^{k-i},\ \gcd(y, p) = 1,\ \mathrm{sgn}_p(y) = s\} .$$

Consider the case of $p$ odd. Recall Definition 2.7. The numbers in the set $S$ are of the form $dp + \tau$, where $\tau \in \{1 \le x < p \mid \mathrm{sgn}_p(x) = s\}$ and $d$ is an integer satisfying $0 \le d \le \frac{p^{k-i}-1-\tau}{p}$. A uniform element from $S$ can be chosen by picking a uniform integer $d$ in the set $\{0, \cdots, \lfloor \frac{p^{k-i}-1-\tau}{p} \rfloor\}$ and picking a uniform non-zero integer from $\mathbb{Z}/p\mathbb{Z}$ with sign $s$. Exactly half of the non-zero elements of $\mathbb{Z}/p\mathbb{Z}$ have sign $s$ and so picking one at random has a success probability of exactly $\frac{p-1}{2p}$ (we reject otherwise and output fail).

Otherwise, $p = 2$. Additionally, assume that $k - i > 2$. Then, the numbers in the set $S$ are of the form $8d + s$, where $d$ is in the set $\{0, \cdots, \lfloor \frac{2^{k-i}-s}{8} \rfloor\}$. If $k - i \le 2$ then there is only one possible element in $\mathbb{Z}/2^k\mathbb{Z}$ with symbol $\gamma$, which is $2^{k-i}s$.

For $p$ odd, the algorithm needs to generate a uniform non-zero element in $\mathbb{Z}/p\mathbb{Z}$ with sign $s$ and an element from a set of size at most $p^{k-i}$. This needs $O(\log p)$ ring operations (for computing the Legendre symbol) and the probability of success is at least $\frac{1}{6}$ because $p \ge 3$. In case of $p = 2$, the algorithm only needs to generate an element in a set of size at most $2^{k-i}$, completing the proof.

Lemma 3.28. Let $p$ be an odd prime, $k, i$ be positive integers, $t$ be an element of $\mathbb{Z}/p^k\mathbb{Z}$ and $\gamma_1, \gamma_2$ be $p^k$-symbols with $\mathrm{ord}_p(t) = \mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2) = i$. Then, there is an algorithm that performs $O(\log p)$ ring operations, and with probability at least 1/12 outputs a uniform pair from the set $S$ defined in Equation 3.15, if it is non-empty.

Proof. In case the set is empty, it can be detected by Lemma 3.22. We now assume that the set is non-empty.

Any pair $(a, b) \in (\mathbb{Z}/p^k\mathbb{Z})^2$ from the set $S$ is of the following form

$$a = p^i\tau_1 \qquad b = p^i\tau_2 \qquad \tau_1, \tau_2 < p^{k-i} \tag{3.16}$$
$$\tau_1 + \tau_2 \equiv \mathrm{cpr}_p(t) \pmod{p^{k-i}} \tag{3.17}$$
$$\left(\frac{\tau_1}{p}\right) = \mathrm{sgn}_p(\gamma_1) \qquad \left(\frac{\tau_2}{p}\right) = \mathrm{sgn}_p(\gamma_2) . \tag{3.18}$$

The candidate algorithm is as follows. By construction, the algorithm returns a valid and uniform pair from the set $S$, if it succeeds.

    $\tau_1 \leftarrow \{x \mid 1 \le x \le p^{k-i},\ \gcd(x, p) = 1\}$
    $\tau_2 = \mathrm{cpr}_p(t) - \tau_1 \bmod p^k$
    if $\left(\frac{\tau_1}{p}\right) \ne \mathrm{sgn}_p(\gamma_1)$ or $\left(\frac{\tau_2}{p}\right) \ne \mathrm{sgn}_p(\gamma_2)$ then: return $\perp$
    else: return $(p^i\tau_1, p^i\tau_2)$

The probability of failure of the algorithm can be calculated using Lemma 3.21, as follows. The numbers $\tau_1$ and $\tau_2$ are both elements from the set $\{x \mid 1 \le x \le p^{k-i},\ \gcd(x, p) = 1\}$. If $\tau_1$ is uniform, then so is $\tau_2$. Recall the definition of $p$-expansion, i.e., Definition 2.7. Both $\tau_1$ and $\tau_2$ are of the form $dp + a$, where $a$ is in the set $\{1, \cdots, p - 1\}$ and $d$ is in the set $\{0, \cdots, \lfloor \frac{p^{k-i}-a}{p} \rfloor\}$. For the pair $\tau_1 = d_1p + a_1$ and $\tau_2 = d_2p + a_2$ to satisfy Equation 3.18, it is necessary and sufficient that $\left(\frac{a_1}{p}\right) = \mathrm{sgn}_p(\gamma_1)$ and $\left(\frac{a_2}{p}\right) = \mathrm{sgn}_p(\gamma_2)$. For a randomly picked $\tau_1$, by Lemma 3.28 and Table A.1, this happens with probability at least $\frac{p-5}{4(p-1)}$. The probability of failure, for one iteration, is at most $\frac{3p+1}{4(p-1)}$, which is $< \frac{11}{12}$ for $p > 7$. For $p \le 7$, we find $a_1$ and $a_2$ by brute force.

One iteration of the algorithm performs $O(\log p)$ ring operations and fails with probability at most $\frac{11}{12}$.
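The equal-order case of Lemma 3.22 and one iteration of the rejection sampler from the proof of Lemma 3.28, as an added Python example for odd $p$ (not code from the thesis). It assumes a $p^k$-symbol is the pair $(\mathrm{ord}_p, \mathrm{sgn}_p)$ with $\mathrm{sgn}_p$ the Legendre symbol of the coprime part; the function names and the use of `None` for the order of 0 are assumptions of this example.

```python
"""Split-set size (Lemma 3.22) and rejection sampling (Lemma 3.28), odd p only."""
import random


def legendre(x, p):
    """Legendre symbol (x/p) for an odd prime p, returned as -1, 0 or 1."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def symbol(x, p, k):
    """(ord_p(x), sgn_p(x)) of x in Z/p^k Z; zero is mapped to (None, 0)."""
    x %= p ** k
    if x == 0:
        return (None, 0)
    order = 0
    while x % p == 0:
        x //= p
        order += 1
    return (order, legendre(x, p))


def pair_count(p, a_sign, s1, s2):
    """Equation 3.11: number of x mod p with (x/p) = s1 and ((x+a)/p) = s2."""
    neg_a_sign = legendre(-1, p) * a_sign
    return (p - (p % 4) - (a_sign + s1) * (neg_a_sign + s2)) // 4


def split_size_equal_order(p, k, g, g1, g2):
    """Lemma 3.22: size of the split set when g, g1, g2 share one order < k."""
    order = g[0]
    assert order is not None and order < k and g1[0] == order == g2[0]
    return pair_count(p, g1[1], g2[1], g[1]) * p ** (k - order - 1)


def split_set(p, k, t, g1, g2):
    """The set of Equation 3.15, by enumeration (cross-check only)."""
    q = p ** k
    return [(a, (t - a) % q) for a in range(q)
            if symbol(a, p, k) == g1 and symbol(t - a, p, k) == g2]


def sample_split_equal_order(p, k, t, g1, g2, rng):
    """One iteration of the sampler of Lemma 3.28; returns None on failure."""
    i, _ = symbol(t, p, k)               # requires t != 0, i.e. ord_p(t) < k
    m = p ** (k - i)
    cpr_t = (t % p ** k) // p ** i       # coprime part of t
    tau1 = rng.randrange(1, m)
    while tau1 % p == 0:                 # resample until tau1 is a unit
        tau1 = rng.randrange(1, m)
    # Reduced modulo p^(k-i) here so that both outputs lie in [0, p^k).
    tau2 = (cpr_t - tau1) % m
    if legendre(tau1, p) != g1[1] or legendre(tau2, p) != g2[1]:
        return None
    return (p ** i * tau1, p ** i * tau2)


if __name__ == "__main__":
    # Constructed sample: p = 7, k = 2, t = 3, both summands quadratic residues.
    p, k, t, g1, g2 = 7, 2, 3, (0, 1), (0, 1)
    print(split_size_equal_order(p, k, symbol(t, p, k), g1, g2))
    rng = random.Random(0)
    pair = None
    while pair is None:
        pair = sample_split_equal_order(p, k, t, g1, g2, rng)
    print(pair)
```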

3.4.2 Sampling a Representation

This section deals with sampling a uniform (primitive, non-primitive) representation of $t$ by $Q$ over $\mathbb{Z}/p^k\mathbb{Z}$.

The base case is when $Q$ is a single block (Definition 3.2). There are three distinct possibilities. The block $Q$ can be a Type II block (with $p = 2$), a one dimensional block (with $p = 2$) or a one dimensional block (with $p$ odd). In each case, a uniform (primitive, non-primitive) representation can be sampled. The complexity of sampling is the same irrespective of primitiveness of the representation.

The following lemma samples a uniform representation when $Q$ is of type II (with $p = 2$).

Lemma 3.29. Let $Q$ be a type II quadratic form, $k$ be a positive integer and $t$ be an element of $\mathbb{Z}/2^k\mathbb{Z}$. Then, there exists an algorithm performing $O(k^2 \log k)$ ring operations which outputs a uniform representation of $t$ by $Q$ over $\mathbb{Z}/2^k\mathbb{Z}$.

Proof. Let $Q = \begin{pmatrix} 2^{\ell+1}a & 2^{\ell}b \\ 2^{\ell}b & 2^{\ell+1}c \end{pmatrix}$, $b$ odd. Then,

$$x'Qx \equiv t \bmod 2^k \iff 2^{\ell+1}(a x_1^2 + b x_1 x_2 + c x_2^2) \equiv t \bmod 2^k \tag{3.19}$$

We distinguish the following cases.

$\ell + 1 \ge k$. In this case, $Q$ is identically 0 over $\mathbb{Z}/2^k\mathbb{Z}$ and hence only represents 0. If $t$ is also 0 then a uniform representation can be found by sampling $x_1$ and $x_2$ independently at random from $\mathbb{Z}/2^k\mathbb{Z}$.

$\ell + 1 > \mathrm{ord}_2(t)$. No representations exist, see Lemma 3.20.

$\mathrm{ord}_2(t) \ge \ell + 1$. In this case, we divide Equation 3.19 by $2^{\ell+1}$.

$$2^{\ell+1}(a x_1^2 + b x_1 x_2 + c x_2^2) \equiv t \bmod 2^k$$
$$\iff a x_1^2 + b x_1 x_2 + c x_2^2 \equiv 2^{\mathrm{ord}_2(t)-\ell-1}\,\mathrm{cpr}_2(t) \pmod{2^{k-\ell-1}} \tag{3.20}$$

Both $x_1$ and $x_2$ are elements of the ring $\mathbb{Z}/2^k\mathbb{Z}$. But Equation 3.20 is defined modulo $2^{k-\ell-1}$. Recall Definition 2.7 of 2-expansion. From the equivalence relation $(x \bmod q) \cdot (y \bmod q) \equiv xy \pmod q$, it follows that the last $2^{\ell+1}$ digits of both $x_1$ and $x_2$ can be chosen freely. Hence, we pick them uniformly at random. The problem then reduces to finding a uniform solution to the following equation.

$$a y_1^2 + b y_1 y_2 + c y_2^2 \equiv 2^{\mathrm{ord}_2(t)-\ell-1}\,\mathrm{cpr}_2(t) \pmod{2^{k-\ell-1}} . \tag{3.21}$$

Every solution $(y_1, y_2)$ of Equation 3.21 falls in four categories, (i) $y_1$ odd, $y_2$ odd, (ii) $y_1$ even, $y_2$ odd, (iii) $y_1$ odd, $y_2$ even, and (iv) $y_1$ even, $y_2$ even.

We calculate the number of representations of each kind. In the first three cases the number can be calculated by using Lemma 3.19. A solution with say $y_1$ odd and $y_2$ even exists iff $y_1 = 1, y_2 = 0$ satisfies Equation 3.21 modulo 2. The number of solutions will be $2^{k-\ell-2}$ and 0 otherwise. The number of solutions in case (iv), i.e., both $y_1$ and $y_2$ are even, is 4 times the number of solutions to the following equation.

$$a z_1^2 + b z_1 z_2 + c z_2^2 \equiv 2^{\mathrm{ord}_2(t)-\ell-3}\,\mathrm{cpr}_2(t) \pmod{2^{k-\ell-3}} . \tag{3.22}$$

The number of solutions of Equation 3.22 can be computed by Lemma 3.20.

Once we have the number of solutions in each case, we pick a case with the corresponding probability, i.e., case (i) is picked with probability the number of solutions in case (i) divided by the total number of solutions of Equation 3.21.

In case (i), (ii) and (iii), a uniform solution can be constructed using Lemma 3.19, bit by bit. In case (iv), we fix the first bit of $y_1$ and $y_2$ to be 0, divide the equation by 4 and find a uniform solution of Equation 3.22 over $\mathbb{Z}/2^{k-\ell-3}\mathbb{Z}$. This can be done recursively.

The algorithm performs $O(k \log k)$ ring operations in counting the number of solutions corresponding to the four cases and may recursively call itself. In case a recursive call is made, $k$ reduces by at least 3. Thus, the number of ring operations is $O(k^2 \log k)$.

From the proof of Lemma 3.29, it follows that a uniform primitive and a uniform non-primitive representation can also be sampled in $O(k^2 \log k)$ ring operations.

The following lemmas show that a uniform representation, a uniform primitive representation and a uniform non-primitive representation of $t$ by $Q$ over $\mathbb{Z}/p^k\mathbb{Z}$ can also be sampled when $Q$ is one dimensional.

Lemma 3.30. Let $Q, t, k$ be integers, and $p$ be an odd prime. Then, there exists an algorithm that performs $O(\log k + \log p)$ ring operations, failing with constant probability. Otherwise, it outputs a uniform (primitive, non-primitive) representation of $t$ by $Q$ over $\mathbb{Z}/p^k\mathbb{Z}$.

Proof. The proof of Lemma 3.15 is constructive and with minor modifications, it can be used to generate uniform representations.

When $\mathrm{ord}_p(t) < k$ and the conditions in Lemma 3.14 are satisfied then we find a square root of $\mathrm{cpr}_p(t)\,\mathrm{cpr}_p(Q)^{-1}$ modulo $p^{k-\mathrm{ord}_p(Q)}$, see proof of Lemma 3.15. This can be done in $O(\log k + \log p)$ ring operations, using Lemma 3.12.

Lemma 3.31. Let $Q$, $t$ and $k$ be positive integers. Then, there exists an algorithm that performs $O(k)$ ring operations and outputs a uniform primitive (or non-primitive) representation of $t$ by $Q$ over $\mathbb{Z}/2^k\mathbb{Z}$.

Proof. The proof of Lemma 3.17 is constructive and with minor modifications, it can be used to generate uniform representations.

The square root of $\mathrm{cpr}_2(t)\,\mathrm{cpr}_2(Q)^{-1}$ modulo $2^k$ in Lemma 3.17 can be found by Lemma 3.13.

We now prove the main result of this chapter.

Proof. (Theorem 3.10, Theorem 3.11) The steps in the algorithm for generating a uniform primitive representation of $t$ by $Q^n$ over $\mathbb{Z}/p^k\mathbb{Z}$ are as follows.

(i.) Find $U \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ that block diagonalizes $Q$, using Theorem 3.3. Let $D := U'QU \pmod{p^k}$ and $D = D_1 \oplus \cdots \oplus D_m$, where $D_i$, $i \in [m]$ are single blocks (see Definition 3.2).

(ii.) Fix the following notation, where $D^n = D_1^{n_1} \oplus D_{2+}^{n-n_1}$.

$$D_{2+} = D_2 \oplus \cdots \oplus D_m \qquad \mathrm{prim}(x) = \begin{cases} 1 & \text{if } x \text{ is primitive and } x'Dx \equiv t \bmod p^k \\ 0 & \text{otherwise} \end{cases}$$

Compute the total number of primitive representations of $t$ by $D$ over $\mathbb{Z}/p^k\mathbb{Z}$, i.e., $B_{p^k}(D, t)$ (see Theorem 3.26). For every pair of $p^k$-symbols $\gamma_1, \gamma_2 \in \mathrm{ord} \times \mathrm{sgn}$ calculate the following numbers (also using Theorem 3.26).

$$C_{p^k}(D_1, \gamma_1) \qquad B_{p^k}(D_1, \gamma_1) \qquad C_{p^k}(D_{2+}, \gamma_2) \qquad B_{p^k}(D_{2+}, \gamma_2)$$

By definition of primitiveness (Definition 2.5), it follows that a vector $x = (x_1^{n_1}, x^{n-n_1}) \in (\mathbb{Z}/p^k\mathbb{Z})^n$ is primitive iff at least one of $x_1, x$ is primitive. Thus, the probability that a random primitive representation $x = (x_1^{n_1}, x^{n-n_1})$ of $t$ by $D$ satisfies the conditions $\mathrm{sym}_{p^k}(x_1'D_1x_1 \bmod p^k) = \gamma_1$ and $\mathrm{sym}_{p^k}(x'D_{2+}x \bmod p^k) = \gamma_2$ can be calculated as follows.

$$\Pr_{\mathrm{prim}(x=(x_1,x))}\left[\mathrm{sym}_{p^k}(x_1'D_1x_1) = \gamma_1 \wedge \mathrm{sym}_{p^k}(x'D_{2+}x) = \gamma_2\right] = \frac{C_{p^k}(D_1, \gamma_1)B_{p^k}(D_{2+}, \gamma_2) + B_{p^k}(D_1, \gamma_1)C_{p^k}(D_{2+}, \gamma_2) + B_{p^k}(D_1, \gamma_1)B_{p^k}(D_{2+}, \gamma_2)}{B_{p^k}(D, t)} \tag{3.23}$$

(iii.) There are three distinct cases here: (I) $x_1$ is non-primitive, $x$ is primitive, (II) $x_1$ is primitive, $x$ is non-primitive, and (III) $x_1, x$ are both primitive. The probability of the individual cases is the corresponding summand in Equation 3.23. Sample one of the three cases of the summand in Equation 3.23, with the corresponding probability.

(iv.) The next step is to sample a uniform pair $(a, b)$ from the set $S^{t}_{p^k}(\gamma_1, \gamma_2)$ given in Equation 3.15. Recall Lemma 3.22 and Lemma 3.23. There are three possible cases and in each case a uniform pair can be generated as follows.

$\mathrm{ord}_p(\gamma_1) \ne \mathrm{ord}_p(t)$. In this case, by Lemma 3.23, a uniform pair can be generated by picking a uniform $a$ from $S_{p^k}(\gamma_1)$ (use Lemma 3.27), and outputting $(a, t - a \bmod p^k)$.

$\mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(t) \ne \mathrm{ord}_p(\gamma_2)$. Pick a uniform $a$ from $S_{p^k}(\gamma_2)$ (use Lemma 3.27), and output $(t - a \bmod p^k, a)$. Correctness follows from Lemma 3.23.

$\mathrm{ord}_p(\gamma_1) = \mathrm{ord}_p(\gamma_2) = \mathrm{ord}_p(t)$. Recall Lemma 3.22. This can never happen when $p = 2$. Otherwise, generate using Lemma 3.28.

(v.) Depending on the cases, do one of the following: (I) generate a uniform non-primitive representation of $a$ by $D_1$ and a uniform primitive representation of $b$ by $D_{2+}$ recursively, (II) generate a uniform primitive representation of $a$ by $D_1$ and a uniform non-primitive representation of $b$ by $D_{2+}$ recursively, and (III) generate a uniform primitive representation of $a$ by $D_1$ and $b$ by $D_{2+}$ recursively. Let the representations be $x_1 \in (\mathbb{Z}/p^k\mathbb{Z})^{n_1}$ and $x \in (\mathbb{Z}/p^k\mathbb{Z})^{n-n_1}$. Then, output $U^{-1}(x_1, x)$.

By construction, this is a uniform primitive representation of $t$ by $Q$ over $\mathbb{Z}/p^k\mathbb{Z}$.


The block diagonalization takes $O(n^{\omega+1} \log k)$ ring operations (Theorem 3.3). By Theorem 3.26, the dynamic programming approach computes the number of primitive and non-primitive representations of every symbol modulo $p^k$ for all intermediate diagonal forms $D_1 \oplus \cdots \oplus D_i$, $i \le m$. The diagonalization and solution counting need only be done once. In total, this takes $O(n^{1+\omega} \log k + nk^3 + n \log p)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$.

In each recursive step, we need to compute the probabilities of the $O(k^2)$ symbol pairs, taking $O(k^2)$ operations over integers. Once we have picked a $p^k$-symbol pair $(\gamma_1, \gamma_2)$ for which we are going to generate a solution, we sample $(a, b)$ from $S^t_{p^k}(\gamma_1, \gamma_2)$. This costs another $O(\log p)$ ring operations (Lemma 3.27, Lemma 3.28). Then, we need to sample a uniform primitive/non-primitive $p^k$-representation using a single block (Lemma 3.29, Lemma 3.31, Lemma 3.30). This costs $O(k^2 \log k + \log p)$ at most. Finally, we need to recursively sample a uniform primitive/non-primitive representation for a block diagonal form with a strictly smaller number of blocks. This takes a total of $O(k^2 \log k + \log p)$ ring operations for one step and $O(nk^2 \log k + n \log p)$ in total for the entire recursion. Thus, the algorithm performs $O(n^{1+\omega} \log k + nk^3 + n \log p)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$.

The sampling of a uniform non-primitive representation is relatively easier because for $(x_1, x)$ to be non-primitive, both $x_1$ and $x$ must be non-primitive. Thus, we go over all possible $p^k$-symbol pairs $(\gamma_1, \gamma_2)$ and compute the corresponding probability as in Equation 3.23 as follows.

$$\Pr_{x \text{ non-primitive}}\left[\mathrm{sym}_{p^k}(x_1'D_1x_1) = \gamma_1 \wedge \mathrm{sym}_{p^k}(x'D_{2+}x) = \gamma_2\right] = \frac{C_{p^k}(D_1, \gamma_1) \cdot C_{p^k}(D_{2+}, \gamma_2)}{C_{p^k}(D, t)}$$

Then, we need to sample a pair $(a, b) \in S^t_{p^k}(\gamma_1, \gamma_2)$; sample a uniform non-primitive $p^k$-representation of $a$ by $D_1$, recursively sample a uniform non-primitive $p^k$-representation of $b$ by $D_{2+}$ and continue as in the non-primitive sampling case.

For sampling a uniform representation, after block diagonalization we compute $B_{p^k}(D, t)$ and $C_{p^k}(D, t)$. We then sample a uniform primitive representation with probability $B_{p^k}(D, t)/A_{p^k}(D, t)$ and a uniform non-primitive representation with probability $C_{p^k}(D, t)/A_{p^k}(D, t)$.

The computation of the number of ring operations (i.e., the ring operation complexity) remains the same.

3.4.3 Sampling modulo a Composite Integer

It is not very difficult to extend Theorem 3.11 to a composite integer modulus $q$ using the Chinese Remainder Theorem. This argument is standard and was already used in Siegel (Lemma 15, pp 544, [Sie35]).

Theorem 3.32. Let $Q^n$ be an integral quadratic form, $t$ be an integer and $q$ be a positive integer whose factorization is known. Then, there is a $\mathrm{poly}(n, \log q, \log t)$ algorithm that counts (also, samples) the solutions of $x'Qx \equiv t \bmod q$.

Proof. Given a quadratic form $Q^n$ and positive integers $t$, $q$, the task is to construct a uniform random solution of $x'Qx \equiv t \bmod q$. Suppose that the factorization of $q$ is provided and $q = p_1^{k_1} \cdots p_r^{k_r}$. Then, we proceed as follows.

For each $i \in [r]$, sample a uniform random solution $x_i$ such that $x_i'Qx_i \equiv t \pmod{p_i^{k_i}}$. Note that each $x_i$ is an $n$-dimensional vector, i.e., $x_i \in (\mathbb{Z}/p_i^{k_i}\mathbb{Z})^n$. Now, we solve the set of congruences given below using the Chinese Remainder Theorem.

$$\begin{aligned} x &\equiv x_1 \bmod p_1^{k_1} \\ &\;\;\vdots \\ x &\equiv x_r \bmod p_r^{k_r} \end{aligned}$$

By construction, $x'Qx \equiv t \bmod q$ and $x$ is a uniform random solution. Also,

$$A_q(D, t) = \prod_{i \in [r]} A_{p_i^{k_i}}(D, t) .$$

Given the factorization of $q$, this algorithm runs in polynomial time, i.e., $\mathrm{poly}(n, \log q, \log t)$.
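The gluing step in the proof of Theorem 3.32, as an added Python example that is not code from the thesis. An exhaustive search stands in for the sampler and counter of Theorem 3.11, so it only suits small moduli; the form `Q`, the target `t` and all function names are constructed for illustration.

```python
import random
from itertools import product
from math import prod


def form_value(Q, x, m):
    """x'Qx mod m for a symmetric integer matrix Q given as a list of rows."""
    n = len(Q)
    return sum(Q[i][j] * x[i] * x[j] for i in range(n) for j in range(n)) % m


def solutions(Q, t, m):
    """All x in (Z/mZ)^n with x'Qx = t mod m, by exhaustive search.
    Assumption: this replaces the polynomial-time routine of Theorem 3.11."""
    return [x for x in product(range(m), repeat=len(Q))
            if form_value(Q, x, m) == t % m]


def crt(residues, moduli):
    """The unique x mod prod(moduli) with x = r_i mod m_i (m_i pairwise coprime)."""
    q = prod(moduli)
    return sum(r * (q // m) * pow(q // m, -1, m)
               for r, m in zip(residues, moduli)) % q


def glue(local_solutions, moduli):
    """Apply the CRT coordinate-wise to one solution vector per prime power."""
    return tuple(crt(coords, moduli) for coords in zip(*local_solutions))


def sample_solution(Q, t, factorization, rng=random):
    """Uniform solution of x'Qx = t mod q, where q = prod p^k over factorization."""
    moduli = [p ** k for p, k in factorization]
    local = [solutions(Q, t, m) for m in moduli]
    if not all(local):
        return None  # no solution modulo some p_i^k_i, hence none modulo q
    return glue([rng.choice(sols) for sols in local], moduli)


def compare_counts(Q, t, factorization):
    """Return (A_q, product of the A_{p_i^k_i}, whether gluing hits exactly
    the solution set modulo q)."""
    moduli = [p ** k for p, k in factorization]
    local = [solutions(Q, t, m) for m in moduli]
    glued = {glue(choice, moduli) for choice in product(*local)}
    direct = set(solutions(Q, t, prod(moduli)))
    return len(direct), prod(len(s) for s in local), glued == direct


if __name__ == "__main__":
    Q = [[2, 1], [1, 3]]          # constructed binary form, determinant 5
    fact = [(3, 2), (5, 1)]       # q = 45
    print(compare_counts(Q, 2, fact))
    print(sample_solution(Q, 2, fact, random.Random(1)))
    print(sample_solution(Q, 1, fact))   # 1 is not represented modulo 5
```

Because the coordinate-wise CRT map is a bijection between tuples of local solutions and solutions modulo $q$, independent uniform local samples give a uniform global sample.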


Chapter 4

Canonical Form Modulo $p^k$

Let $p$ be a prime, and $Q^n$ be an integral quadratic form. Then, the set of integral quadratic forms $\{S^n \mid S \overset{p^*}{\sim} Q\}$ is the set of $p^*$-equivalent forms of $Q$. In this chapter, we are interested in defining and computing a “canonical” quadratic form for the $p^*$-equivalence class of a given quadratic form $Q$. In particular, we are interested in showing the existence of a function $\mathrm{can}_p$ such that for all integral quadratic forms $Q$, $\mathrm{can}_p(Q) \in \{S \mid S \overset{p^*}{\sim} Q\}$; with the property that if $Q_1 \overset{p^*}{\sim} Q_2$ then $\mathrm{can}_p(Q_1) = \mathrm{can}_p(Q_2)$. We also consider a related problem of coming up with a canonicalization procedure. In particular, we want a polynomial time algorithm that given $Q$, $p$ and a positive integer $k$, finds $U \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ such that $U'QU \equiv \mathrm{can}_p(Q) \bmod p^k$.

It is not difficult to show the existence of a canonical form. For example, we can go over the $p^*$-equivalence class of $Q$ and output the form which is lexicographically the smallest one. But, this form gives us no meaningful information about $Q$ or the $p^*$-equivalence class of $Q$.

Gauss [Gau86] gives a complete classification of binary quadratic forms (i.e., $n = 2$). Mathematicians have been more interested in coming up with a list of necessary and sufficient conditions for $p^*$-equivalence (also called equivalence over the $p$-adic integers $\mathbb{Z}_p$). There are several competing but equivalent candidates for the set of conditions [Cas78, O’M73, CS99, Kit99]. We choose to use the same set of conditions as Conway-Sloane [CS99], called the $p$-symbol of a quadratic form.

For odd prime $p$, the $p$-canonical form is implicit in Conway-Sloane [CS99] and is also described explicitly by Hartung [Har08, Cas78]. The canonicalization algorithm in this case is not difficult (i.e., can be performed in polynomial time) and can be claimed to be implicit in Cassels [Cas78].

The definition of canonical form for the case of prime 2 is quite involved and needs careful analysis¹ [Jon44, CS99, Wat60]. Jones [Jon44] presents the most complete description of the 2-canonical form. He comes up with a simple set of 2-canonical forms and then shows that every quadratic form is $2^*$-equivalent to one of these. Unfortunately, a few of his transformations are existential, i.e., he shows that transformations with certain properties exist without explicitly finding them.

Conway-Sloane [CS99], instead, compute a description of a quadratic form (called canonical 2-symbol) with the property that two quadratic forms are $2^*$-equivalent iff they have the same canonical 2-symbol. They do not provide a 2-canonical form, i.e., $\mathrm{can}_2(Q) \in \{S \mid S \overset{2^*}{\sim} Q\}$.

Our Contribution. We give a polynomial time $p$-canonicalization algorithm. In particular, we present an algorithm that given an integral quadratic form $Q$ runs in time $\mathrm{poly}(n, \log \det(Q))$ and outputs $\mathrm{can}_p(Q)$.

Given an integral quadratic form $Q$, a positive integer $k$ and a prime $p$, we also provide a randomized $\mathrm{poly}(n, \log \det(Q), \log p, k)$ algorithm that outputs a matrix $U \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ such that $U'QU \equiv \mathrm{can}_p(Q) \pmod{p^k}$. This algorithm is especially useful if we want to find a transformation that maps $Q_1$ to $Q_2$ over $\mathbb{Z}/p^k\mathbb{Z}$, where $Q_1 \overset{p^k}{\sim} Q_2$. In this case, the required transformation is $U_1U_2^{-1} \bmod p^k$, where $U_1'Q_1U_1 \equiv \mathrm{can}_p(Q_1) \equiv U_2'Q_2U_2 \pmod{p^k}$.

4.1 Preliminaries

In this section, we give several definitions and known results.

Definition 4.1. Let $p$ be an odd prime. Then, $\sigma_p$ is the smallest quadratic non-residue modulo $p$. ♦

Assuming GRH, $\sigma_p$ is a number less than $3(\ln p)^2/2$ [Ank52, Wed01] and hence can be found deterministically in $O(\log^3 p)$ ring operations over $\mathbb{Z}/p\mathbb{Z}$.

We also introduce the following notations.

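$$\mathrm{sgn}^\times = \{1, 3, 5, 7\} \qquad Q_1 \xrightarrow{U,\,p^k} Q_2 \text{ denotes } Q_2 \equiv U'Q_1U \bmod p^k$$

$$T^+ = \begin{pmatrix} 2 & 1 \\ 1 & 4 \end{pmatrix} \qquad T^- = \begin{pmatrix} 2 & 1 \\ 1 & 2 \end{pmatrix} \qquad T \in \{T^-, T^+\}$$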

¹ Cassels (page 117, Section 4, [Cas78]), referring to the canonical forms for $p = 2$, observes that “only a masochist is invited to read the rest”.


Definition 4.2. Let $D^n = \oplus_i D_i^{n_i}$ be a block diagonal quadratic form (Definition 3.2). A local transformation is a matrix $U \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ which applies a sub-transformation $V \in \mathrm{GL}_a(\mathbb{Z}/p^k\mathbb{Z})$ on a contiguous sequence of blocks $B^a = D_j \oplus D_{j+1} \oplus \cdots$, turning it into $V'BV \bmod p^k$ and leaving the rest of the blocks in $D$ unchanged. A local transformation transforms a block diagonal form to a $p^k$-equivalent quadratic form. Given a matrix $V \in \mathrm{GL}_a(\mathbb{Z}/p^k\mathbb{Z})$ and a contiguous sequence $B^a = D_j \oplus D_{j+1} \oplus \cdots$ of blocks to apply $V$ on, the local transformation $U \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ is given by $U = I_{n_1+\cdots+n_{j-1}} \oplus V \oplus I_{n_{j+2}+\cdots}$. ♦

4.1.1 Diagonalizing a Quadratic Form

In this section, we provide a proof of Theorem 3.3.

Module. There are quadratic forms which have no associated lattice, e.g., negative definite quadratic forms. To work with these, we define the concept of free modules (henceforth, called module) which behave as vector spaces but have no associated realization over the Euclidean space $\mathbb{R}^n$.

If $M$ is a finitely generated $R$-module with generating set $x_1, \cdots, x_n$ then the elements $x \in M$ can be represented as $\sum_{i=1}^n r_ix_i$, such that $r_i \in R$ for every $i \in [n]$. By construction, for all $a, b \in R$, and $x, y \in M$;

$$a(x + y) = ax + ay \qquad (a + b)x = ax + bx \qquad a(bx) = (ab)x \qquad 1x = x$$

Note that, if we replace $R$ by a field in the definition then we get a vector space (instead of a module). Any inner product $\beta : M \times M \to R$ gives rise to a quadratic form $Q \in R^{n \times n}$ as follows;

$$Q_{ij} = \beta(x_i, x_j) .$$

Conversely, if $R = \mathbb{Z}$ then by definition, every symmetric matrix $Q \in \mathbb{Z}^{n \times n}$ gives rise to an inner product $\beta$ over every $\mathbb{Z}$-module $M$, as follows. Given an $n$-ary integral quadratic form $Q$ and a $\mathbb{Z}$-module $M$ generated by the basis $x_1, \cdots, x_n$ we define the corresponding inner product $\beta : M \times M \to \mathbb{Z}$ as;

$$\beta(x, y) = \sum_{i,j} c_id_jQ_{ij} \quad \text{where} \quad x = \sum_i c_ix_i, \quad y = \sum_j d_jx_j .$$

In particular, any integral quadratic form $Q^n$ can be interpreted as describing an inner product over a free module of dimension $n$.

For studying quadratic forms over $\mathbb{Z}/p^k\mathbb{Z}$, where $p$ is a prime and $k$ is a positive integer, the first step is to find equivalent quadratic forms which have as few mixed terms as possible (mixed terms are terms like $x_1x_2$).


Proof. (Theorem 3.3) The transformation of the matrix $Q$ to a block diagonal form involves three different kinds of transformation. We first describe these transformations on $Q$ with small dimensions (2 and 3).

(1) Let $Q$ be a $2 \times 2$ integral quadratic form. Let us also assume that the entry with smallest $p$-order in $Q$ is a diagonal entry, say $Q_{11}$. Then, $Q$ is of the following form, where $\alpha_1$, $\alpha_2$ and $\alpha_3$ are units of $\mathbb{Z}/p\mathbb{Z}$.

$$Q = \begin{pmatrix} p^i\alpha_1 & p^j\alpha_2 \\ p^j\alpha_2 & p^s\alpha_3 \end{pmatrix} \qquad i \le j, s$$

The corresponding $U \in \mathrm{SL}_2(\mathbb{Z}/p^k\mathbb{Z})$ that diagonalizes $Q$ is given below. The number $\alpha_1$ is a unit of $\mathbb{Z}/p\mathbb{Z}$ and so $\alpha_1$ has an inverse in $\mathbb{Z}/p^k\mathbb{Z}$.

$$U = \begin{pmatrix} 1 & -p^{j-i}\frac{\alpha_2}{\alpha_1} \bmod p^k \\ 0 & 1 \end{pmatrix} \qquad U'QU \equiv \begin{pmatrix} p^i\alpha_1 & 0 \\ 0 & p^s\alpha_3 - p^{2j-i}\frac{\alpha_2^2}{\alpha_1} \end{pmatrix} \pmod{p^k}$$

(2) If $Q^2$ does not satisfy the condition of item (1), i.e., the off-diagonal entry is the one with smallest $p$-order, then we start by the following transformation $V \in \mathrm{SL}_2(\mathbb{Z}/p^k\mathbb{Z})$.

$$V = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \qquad V'QV = \begin{pmatrix} Q_{11} + 2Q_{12} + Q_{22} & Q_{12} + Q_{22} \\ Q_{12} + Q_{22} & Q_{22} \end{pmatrix}$$

If $p$ is an odd prime then $\mathrm{ord}_p(Q_{11} + 2Q_{12} + Q_{22}) = \mathrm{ord}_p(Q_{12})$, because $\mathrm{ord}_p(Q_{11}), \mathrm{ord}_p(Q_{22}) > \mathrm{ord}_p(Q_{12})$. By definition, $S = V'QV$ is equivalent to $Q$ over the ring $\mathbb{Z}/p^k\mathbb{Z}$. But now, $S$ has the property that $\mathrm{ord}_p(S_{11}) = \mathrm{ord}_p(S_{12})$, and it can be diagonalized using the transformation in (1). The final transformation in this case is the product of $V$ and the subsequent transformation from item (1). The product of two matrices from $\mathrm{SL}_2(\mathbb{Z}/p^k\mathbb{Z})$ is also in $\mathrm{SL}_2(\mathbb{Z}/p^k\mathbb{Z})$, completing the diagonalization in this case.

(3) If $p = 2$, then the transformation in item (2) fails. In this case, it is possible to subtract a linear combination of these two rows/columns to make everything else on the same row/column equal to zero over $\mathbb{Z}/2^k\mathbb{Z}$. The simplest such transformation is in dimension 3. The situation is as follows. Let $Q^3$ be a quadratic form whose off-diagonal entry has the lowest possible power of 2, say $2^\ell$, and all diagonal entries are divisible by at least $2^{\ell+1}$. In this case, the matrix $Q$ is of the following form.

$$Q = \begin{pmatrix} 2^{\ell+1}a & 2^\ell b & 2^id \\ 2^\ell b & 2^{\ell+1}c & 2^je \\ 2^id & 2^je & 2^{\ell+1}f \end{pmatrix} \qquad b \text{ odd}, \; \ell \le i, j$$


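In such a situation, we consider the matrix $U \in \mathrm{SL}_3(\mathbb{Z}/2^k\mathbb{Z})$ of the form below such that if $S = U'QU \pmod{2^k}$ then $S_{13} = S_{23} = 0$.

$$U = \begin{pmatrix} 1 & 0 & -r \\ 0 & 1 & -s \\ 0 & 0 & 1 \end{pmatrix}$$

$$(U'QU)_{13} \equiv 0 \pmod{2^k} \implies r \cdot 2a + s \cdot b \equiv 2^{i-\ell}d \pmod{2^{k-\ell}}$$

$$(U'QU)_{23} \equiv 0 \pmod{2^k} \implies r \cdot b + s \cdot 2c \equiv 2^{j-\ell}e \pmod{2^{k-\ell}}$$

For $i, j \ge \ell$ and $b$ odd, the solution $r$ and $s$ can be found by Cramer’s rule, as below. The solutions exist because the matrix $\begin{pmatrix} 2a & b \\ b & 2c \end{pmatrix}$ has determinant $4ac - b^2$, which is odd and hence invertible over the ring $\mathbb{Z}/2^{k-\ell}\mathbb{Z}$.

$$r = \frac{\det\begin{pmatrix} 2^{i-\ell}d & b \\ 2^{j-\ell}e & 2c \end{pmatrix}}{\det\begin{pmatrix} 2a & b \\ b & 2c \end{pmatrix}} \pmod{2^{k-\ell}} \qquad s = \frac{\det\begin{pmatrix} 2a & 2^{i-\ell}d \\ b & 2^{j-\ell}e \end{pmatrix}}{\det\begin{pmatrix} 2a & b \\ b & 2c \end{pmatrix}} \pmod{2^{k-\ell}}$$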

This completes the description of all the transformations we are going to use, albeit for $n$-dimensional $Q$ they will be a bit technical. The full proof for the case of odd prime follows.

Our proof will be a reduction of the problem of diagonalization from $n$ dimensions to $(n-1)$ dimensions, for the odd primes $p$. We now describe the reduction.

Given the matrix $Q^n$, let $M$ be the corresponding $(\mathbb{Z}/p^k\mathbb{Z})$-module with basis $B = [b_1, \cdots, b_n]$, i.e., $Q = B'B$. We first find a matrix entry with the smallest $p$-order, say $Q_{i^*j^*}$. The reduction has two cases: (i) there is a diagonal entry in $Q$ with the smallest $p$-order, and (ii) the smallest $p$-order occurs on an off-diagonal entry.

We handle case (i) first. Suppose it is possible to pick $Q_{ii}$ as the entry with the smallest $p$-order. Our first transformation $U_1 \in \mathrm{SL}_n(\mathbb{Z}/p^k\mathbb{Z})$ is the one which makes the following transformation, i.e., swaps $b_1$ and $b_i$.

$$[b_1, \cdots, b_n] \xrightarrow{U_1,\,p^k} [b_i, b_2, \cdots, b_{i-1}, b_1, b_{i+1}, \cdots, b_n] \tag{4.1}$$

Let us call the new set of elements $B_1 = [v_1, \cdots, v_n]$ and the new quadratic form $Q_1 = B_1'B_1 \bmod p^k$. Then, $v_1'v_1$ has the smallest $p$-order in $Q_1$ and $U_1'QU_1 \equiv Q_1 \bmod p^k$. The next transformation $U_2 \in \mathrm{SL}_n(\mathbb{Z}/p^k\mathbb{Z})$ is as follows.

$$w_i = \begin{cases} v_1 & \text{if } i = 1 \\ v_i - \dfrac{v_1'v_i}{p^{\mathrm{ord}_p((Q_1)_{11})}} \cdot \left(\dfrac{1}{\mathrm{cpr}_p((Q_1)_{11})} \bmod p^k\right) \cdot v_1 & \text{otherwise} \end{cases} \tag{4.2}$$


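By assumption, $(Q_1)_{11}$ is the matrix entry with the smallest $p$-order and so $p^{\mathrm{ord}_p((Q_1)_{11})}$ divides $v_1'v_i$. Furthermore, $\mathrm{cpr}_p((Q_1)_{11})$ is invertible modulo $p^k$. Thus, the transformation in Equation 4.2 is well defined. Also note that it is a basis transformation, which maps one basis $B_1 = [v_1, \cdots, v_n]$ to another basis $B_2 = [w_1, \cdots, w_n]$. Thus, the corresponding basis transformation $U_2$ is a unimodular matrix over integers, and so $U_2 \in \mathrm{SL}_n(\mathbb{Z}/p^k\mathbb{Z})$. Let $Q_2 = U_2'Q_1U_2 \bmod p^k$. Then, we show that the non-diagonal entries in the entire first row and first column of $Q_2$ are 0.

$$\begin{aligned} (Q_2)_{1i\,(i \neq 1)} = (Q_2)_{i1} &= w_1'w_i \bmod p^k \\ &\overset{(4.2)}{\equiv} v_1'v_i - \frac{v_1'v_i}{p^{\mathrm{ord}_p((Q_1)_{11})}} \cdot \left(\frac{1}{\mathrm{cpr}_p((Q_1)_{11})} \bmod p^k\right) \cdot v_1'v_1 \\ &\equiv v_1'v_i - \frac{v_1'v_i}{p^{\mathrm{ord}_p((Q_1)_{11})}} \cdot \left(\frac{1}{\mathrm{cpr}_p((Q_1)_{11})} \bmod p^k\right) \cdot p^{\mathrm{ord}_p((Q_1)_{11})}\,\mathrm{cpr}_p((Q_1)_{11}) \\ &\equiv 0 \bmod p^k \end{aligned}$$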

Thus, we have reduced the problem to $(n-1)$ dimensions. We now recursively call this algorithm with the quadratic form $S = [w_2, \cdots, w_n]'[w_2, \cdots, w_n] \bmod p^k$ and let $V \in \mathrm{SL}_{n-1}(\mathbb{Z}/p^k\mathbb{Z})$ be the output of the recursion. Then, $V'SV \bmod p^k$ is a diagonal matrix. Also, by construction $Q_2 = \mathrm{diag}((Q_2)_{11}, S)$. Let $U_3 = 1 \oplus V$, and $U = U_1U_2U_3$; then, by construction, $U'QU \bmod p^k$ is a diagonal matrix, as follows.

$$U'QU \equiv U_3'U_2'U_1'QU_1U_2U_3 \equiv U_3'Q_2U_3 \equiv (1 \oplus V)'\,\mathrm{diag}((Q_2)_{11}, S)\,(1 \oplus V) \equiv \mathrm{diag}((Q_2)_{11}, V'SV) \bmod p^k$$

Otherwise, we are in case (ii), i.e., the entry with smallest $p$-order in $Q$ is an off-diagonal entry, say $Q_{i^*j^*}$, $i^* \neq j^*$. Then, we make the following basis transformation from $[b_1, \cdots, b_n]$ to $[v_1, \cdots, v_n]$.

$$v_i = \begin{cases} b_{i^*} + b_{j^*} & \text{if } i = i^* \\ b_i & \text{otherwise} \end{cases} \tag{4.3}$$

The transformation matrix $U_0$ is from $\mathrm{SL}_n(\mathbb{Z}/p^k\mathbb{Z})$. Recall, $\mathrm{ord}_p(Q_{i^*j^*}) < \mathrm{ord}_p(Q_{i^*i^*}), \mathrm{ord}_p(Q_{j^*j^*})$, and so $\mathrm{ord}_p(v_{i^*}'v_{i^*}) = \mathrm{ord}_p(b_{i^*}'b_{j^*})$. Furthermore, $\mathrm{ord}_p(v_i'v_j) \ge \mathrm{ord}_p(b_{i^*}'b_{j^*})$, and so the minimum $p$-order does not change after the transformation in Equation (4.3). This transformation reduces the problem to the case when the matrix entry with minimum $p$-order appears on the diagonal. This completes the proof of the theorem for odd primes $p$.

For $p = 2$, exactly the same set of transformations works, unless the situation in item (3) arises. In such a case, we use the type II block to eliminate all other entries on the same rows/columns as the type II block. Thus, in this case, the problem reduces to one in dimension $(n-2)$.

The algorithm uses $n$ iterations, reducing the dimension by 1 in each iteration. In each iteration, we have to find the minimum $p$-order, costing $O(n^2 \log k)$ ring operations and then 3 matrix multiplications costing $O(n^3)$ operations over $\mathbb{Z}/p^k\mathbb{Z}$. Thus, the overall complexity is $O(n^4 + n^3 \log k)$ or $O(n^4 \log k)$ ring operations.
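The reduction in this proof, as an added Python example that is not code from the thesis. It follows cases (i) and (ii) for odd $p$ and the Type II elimination of item (3) for $p = 2$, using plain cubic matrix products; the function names and the sample matrices are constructed for illustration.

```python
def p_order(x, p, k):
    """p-order of x in Z/p^kZ; the zero residue is given order k."""
    x %= p ** k
    e = 0
    while x and x % p == 0:
        x //= p
        e += 1
    return e if x else k


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def matmul(A, B, q):
    n = len(A)
    return [[sum(A[i][t] * B[t][j] for t in range(n)) % q for j in range(n)]
            for i in range(n)]


def congruence(Q, E, q):
    """E'QE mod q."""
    Et = [list(col) for col in zip(*E)]
    return matmul(matmul(Et, Q, q), E, q)


def swap(n, a, b):
    """Permutation matrix exchanging basis vectors a and b."""
    P = identity(n)
    P[a][a] = P[b][b] = 0
    P[a][b] = P[b][a] = 1
    return P


def block_diagonalize(Q, p, k):
    """Return (U, D, blocks): D = U'QU mod p^k is block diagonal and blocks
    lists the block sizes, 1 for Type I and 2 for Type II (p = 2 only).
    U is a product of permutations and unit-triangular matrices, so invertible."""
    q, n = p ** k, len(Q)
    D, U, blocks, s = [[x % q for x in row] for row in Q], identity(n), [], 0

    def apply(E):
        nonlocal D, U
        D, U = congruence(D, E, q), matmul(U, E, q)

    while s < n:
        # Smallest p-order in the remaining block; a diagonal entry wins ties.
        e, off_diag, i, j = min((p_order(D[a][b], p, k), a != b, a, b)
                                for a in range(s, n) for b in range(a, n))
        if e == k:                      # everything left is 0 mod p^k
            blocks += [1] * (n - s)
            break
        if off_diag and p != 2:
            # Case (ii), Equation (4.3): b_i <- b_i + b_j moves the minimum
            # p-order onto the diagonal entry (i, i).
            E = identity(n)
            E[j][i] = 1
            apply(E)
            off_diag = False
        if not off_diag:
            # Case (i): pivot to position s, then Equation (4.2).
            apply(swap(n, s, i))
            unit_inv = pow(D[s][s] // p ** e, -1, q)   # inverse of cpr_p(pivot)
            E = identity(n)
            for m in range(s + 1, n):
                E[s][m] = -(D[s][m] // p ** e) * unit_inv % q
            apply(E)
            blocks.append(1)
            s += 1
        else:
            # p = 2, all diagonal entries have larger order: Type II, item (3).
            apply(swap(n, s, i))
            apply(swap(n, s + 1, j))
            h = 2 ** e
            a, b, c = D[s][s] // h, D[s][s + 1] // h, D[s + 1][s + 1] // h
            det_inv = pow((a * c - b * b) % q, -1, q)  # a, c even, b odd
            E = identity(n)
            for m in range(s + 2, n):   # Cramer's rule for (r, s) of item (3)
                x, y = D[s][m] // h, D[s + 1][m] // h
                E[s][m] = -(x * c - b * y) * det_inv % q
                E[s + 1][m] = -(a * y - b * x) * det_inv % q
            apply(E)
            blocks.append(2)
            s += 2
    return U, D, blocks


def check(Q, p, k):
    """Run the algorithm; report whether U'QU = D mod p^k and D is block diagonal."""
    U, D, blocks = block_diagonalize(Q, p, k)
    owner = [t for t, size in enumerate(blocks) for _ in range(size)]
    n = len(Q)
    ok = congruence(Q, U, p ** k) == D and all(
        D[a][b] == 0 for a in range(n) for b in range(n) if owner[a] != owner[b])
    return ok, blocks, D


if __name__ == "__main__":
    # Constructed inputs: a hyperbolic plane mod 3^3 and a rank-3 form mod 2^5.
    print(check([[0, 1], [1, 0]], 3, 3))
    print(check([[2, 1, 1], [1, 2, 1], [1, 1, 2]], 2, 5))
```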

4.1.2 Oddity

For the following result, see Theorem 2, [Jon50].

Theorem 4.3. An integral quadratic form $Q^n$ is equivalent to a quadratic form $q_1 \oplus \cdots \oplus q_a \oplus q_{a+1} \oplus \cdots \oplus q_n$ over the field of rationals $\mathbb{Q}$, where $a \in [n]$, $q_1, \cdots, q_a$ are positive rational numbers and $q_{a+1}, \cdots, q_n$ are negative rational numbers.

The signature (also, $(-1)$-signature) of the form $Q$ (denoted $\mathrm{sig}(Q)$, also $\mathrm{sig}_{(-1)}(Q)$) is defined as the number $2a - n$, where $a$ is the integer in Theorem 4.3.

Let $p$ be a prime. Then, each rational number $q_i$ in Theorem 4.3 can be written uniquely as $p^{\alpha_i}a_i$, where $\alpha_i = \mathrm{ord}_p(q_i)$ and $a_i = \mathrm{cpr}_p(q_i)$. Let $m$ be the number of $p$-antisquares among $q_1, \cdots, q_n$. Then, we define the $p$-signature of $Q$ as follows.

$$\mathrm{sig}_p(Q) = \begin{cases} p^{\alpha_1} + p^{\alpha_2} + \cdots + 4m \pmod 8 & p \neq 2 \\ a_1 + a_2 + \cdots + 4m \pmod 8 & p = 2 \end{cases} \tag{4.4}$$

The 2-signature is also known as the oddity and is denoted by $\mathrm{odt}(Q)$.

Even though there are different ways to diagonalize a quadratic form over $\mathbb{Q}$, the signatures are an invariant for the quadratic form.

4.1.3 Canonical Blocks

In this section, we describe the canonical form for a single Type I and a single Type II block. For convenience, we introduce the following Type II matrices.

Definition 4.4. Let $B = 2^\ell \begin{pmatrix} 2a & b \\ b & 2c \end{pmatrix}$ be a Type II block with $b$ odd. Then, $\mathrm{ord}_2(B) = \ell$. ♦

Let $p$ be a prime and $B$ be a single block, according to Definition 3.2. If $B$ is of Type I then $B$ is an integer and the canonical function $\mathrm{can}_p(B)$ is defined as follows.

$$\mathrm{can}_p(B) = \begin{cases} p^{\mathrm{ord}_p(B)} & \text{if } p \text{ odd}, \left(\frac{\mathrm{cpr}_p(B)}{p}\right) = 1 \\ p^{\mathrm{ord}_p(B)}\sigma_p & \text{if } p \text{ odd}, \left(\frac{\mathrm{cpr}_p(B)}{p}\right) = -1 \\ 2^{\mathrm{ord}_2(B)}(\mathrm{cpr}_2(B) \bmod 8) & \text{if } p = 2 \end{cases}$$

The uniqueness of the canonical form follows from Lemma 3.5. Otherwise, $B$ is a Type II block and $p = 2$. Let $B = 2^\ell \begin{pmatrix} 2a & b \\ b & 2c \end{pmatrix}$, $b$ odd. The square of an odd integer is always equal to 1 modulo 8. But then, the quantity $4ac - b^2 \bmod 8 \in \{3, 7\}$. The 2-canonical form for a Type II block $B$ is defined as follows.

$$\mathrm{can}_2\left(2^\ell \begin{pmatrix} 2a & b \\ b & 2c \end{pmatrix}\right) = \begin{cases} 2^\ell T^- & 4ac - b^2 \equiv 3 \bmod 8 \\ 2^\ell T^+ & 4ac - b^2 \equiv 7 \bmod 8 \end{cases}$$

The uniqueness follows from Lemma 6, [Jon42].

4.1.4 Primitive Representations

The following theorem gives an algorithmic handle on the question of deciding if an integer $t$ has a primitive $p^*$-representation in $Q^n$. The theorem is implicit in Siegel [Sie35].

Theorem 4.5. Let $Q^n$ be an integral quadratic form, $t$ be an integer, $p$ be a prime and $k = \max\{\mathrm{ord}_p(Q), \mathrm{ord}_p(t)\} + k_p$. Then, if $t$ has a primitive $p^k$-representation in $Q$ then $t$ has a primitive $p^*$-representation in $Q$ for all $Q \overset{p^*}{\sim} Q$.

Proof. We do the proof in two steps: (i) if $t$ has a primitive $p^k$-representation in $Q$ then $t$ has a primitive $p^*$-representation in $Q$, and (ii) if $t$ has a primitive $p^*$-representation in $Q$ then $t$ has a primitive $p^*$-representation in $Q$ for all $Q$ such that $Q \overset{p^*}{\sim} Q$.

The proof of (i) follows. By assumption, there exists a primitive $x \in (\mathbb{Z}/p^k\mathbb{Z})^n$ such that $x'Qx \equiv t \pmod{p^k}$. Let $a = x'Qx$ be an integer; then by definition of symbols, $a$ and $t$ have the same $p$-symbol. This implies that for all $i \ge k$ there exists a unit $u_i \in \mathbb{Z}/p^i\mathbb{Z}$ such that $u_i^2a \equiv t \pmod{p^i}$. It follows that $u_ix$ is a primitive representation of $t$ in $\mathbb{Z}/p^i\mathbb{Z}$. But, if $x$ is a primitive representation of $t$ by $Q$ over $\mathbb{Z}/p^i\mathbb{Z}$ then $x$ is also a primitive representation of $t$ by $Q$ over $\mathbb{Z}/p^j\mathbb{Z}$, for all positive integers $j \le i$. This completes the proof of (i).

The proof of (ii) follows. Let $K$ be an arbitrary positive integer and $x \in (\mathbb{Z}/p^K\mathbb{Z})^n$ be a primitive vector such that $x'Qx \equiv t \bmod p^K$. As $Q \overset{p^*}{\sim} Q$, there exists $U \in \mathrm{GL}_n(\mathbb{Z}/p^K\mathbb{Z})$ such that $Q \equiv U'QU \bmod p^K$. Thus, $(Ux)'Q(Ux) \equiv t \bmod p^K$ and $Ux$ is a $p^K$-representation of $t$ in $Q$. If $x$ is primitive then so is $Ux$. As $K$ is arbitrary, the proof of (ii) and hence the theorem is complete.

4.2 Symbol of a Quadratic Form

There are several equivalent ways of giving a description of the $p^*$-equivalence [CS99, Kit99, O’M73, Cas78]. In this work, we go with a modified version of the Conway-Sloane description, called the $p$-symbol of a quadratic form. Our modification gets rid of the need to use the $p$-adic numbers. Note that $p$-adic numbers are a staple in this area and we are not aware of any work which does not use them [Kit99, O’M73, Sie35].

By definition, two quadratic forms are $p^*$-equivalent if they are $p^k$-equivalent for all positive integers $k$. In an algorithmic sense, this is problematic because there are infinitely many possibilities for $k$. Recall the definition of $k_p$. It equals 1 if $p$ is an odd prime and 3, otherwise. The following theorem shows that it is enough to test equivalence for just one value of $k$.

Theorem 4.6. Let $Q^n$ be an integral quadratic form, $p$ be a prime and $k = \mathrm{ord}_p(\det(Q)) + k_p$. If $D^n$ is a block diagonal form which is equivalent to $Q$ over $\mathbb{Z}/p^k\mathbb{Z}$, then $D \overset{p^*}{\sim} Q$.

Proof. Let $D^n$ be the block diagonal form equivalent to $Q$ over $\mathbb{Z}/p^k\mathbb{Z}$; $k = \mathrm{ord}_p(\det(Q)) + k_p$. Then, we show that $D$ is $p^\ell$-equivalent to $Q$ for all $\ell > k$.

Let $U \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ be such that $D \equiv U'QU \bmod p^k$. Then, every entry of $U'QU - D$ must be divisible by $p^k$. Let $p^kQ \equiv U'QU - D \bmod p^\ell$. Consider the quadratic form $D + p^kQ$. As $k = \mathrm{ord}_p(\det(Q)) + k_p = \mathrm{ord}_p(\det(D)) + k_p$, it follows that all off-diagonal entries have higher $p$-order than the diagonal entries. It is hence possible to diagonalize $D + p^kQ$ over $\mathbb{Z}/p^\ell\mathbb{Z}$ to a quadratic form $D + p^kD$, where $D$ is also a block diagonal form with matching Type, i.e., if the first block of $D$ is Type II then so is the first block of $D$ (see proof of Theorem 3.3).

Let $B$, $B$ be single Type I or Type II blocks. If $k = \mathrm{ord}_p(d) + k_p$, then $B + p^kB \overset{p^*}{\sim} B$ (see Lemma 3.5 for Type I blocks and Lemma 6, [Jon42] for Type II blocks). Thus, we conclude that $D + p^kD \overset{p^\ell}{\sim} D$.

The rest of this section follows from Conway-Sloane [CS99] and Theorem 4.6.

Let $Q^n$ be an integral quadratic form. For $p = -1$ the $(-1)$-symbol is the same as the $(-1)$-signature of $Q$.


4.2.1 p-symbol, p odd prime

Let $k = \mathrm{ord}_p(\det(Q)) + 1$ and $D$ be the diagonal quadratic form which is $p^k$-equivalent to $Q$ (see Theorem 3.3). Then, $D$ can be written as follows.

$$D = D_0^{n_0} \oplus pD_1^{n_1} \oplus \cdots \oplus p^iD_i^{n_i} \oplus \cdots \qquad i \le \mathrm{ord}_p(\det(Q)) , \tag{4.5}$$

where $D_0, \cdots, D_{k-1}$ are diagonal quadratic forms, $\sum_i n_i = n$ and $p$ does not divide $\det(D_0) \cdots \det(D_{k-1})$. Let $I_p(Q)$ be the set of $p$-orders $i$ with non-zero $n_i$. Then, the $p$-symbol of $Q$ is defined as the set of scales $i$ occurring in Equation 4.5 with non-zero $n_i$, dimensions $n_i = \dim(D_i)$ and signs $\epsilon_i = \left(\frac{\det(D_i)}{p}\right)$.

$$\mathrm{sym}_p(Q) = \left\{ \left(p, i, \left(\frac{\det(D_i)}{p}\right), n_i\right) \,\middle|\, i \in I_p(Q) \right\} \tag{4.6}$$

The following fundamental result follows from Theorem 9, page 379 [CS99] and Theorem 4.6.

Theorem 4.7. For $p \in \{-1\} \cup \mathbb{P}$, two quadratic forms are $p^*$-equivalent iff they have the same $p$-symbol.

4.2.2 2-symbol

Let $k = \mathrm{ord}_2(\det(Q)) + 3$ and $D$ be the block diagonal form which is $2^k$-equivalent to $Q$ (Theorem 3.3). Then, $D$ can be written as follows.

$$D = D_0^{n_0} \oplus 2D_1^{n_1} \oplus \cdots \oplus 2^iD_i^{n_i} \oplus \cdots \qquad i \le \mathrm{ord}_2(\det(Q)) , \tag{4.7}$$

where $\det(D_0), \cdots, \det(D_i), \cdots$ are odd, $\sum_i n_i = n$ and each $D_i$ is in block diagonal form according to Definition 3.2. The 2-symbol of $2^iD_i$ consists of the following quantities.

$i$: scale of $D_i$.
$n_i = \dim(D_i)$: dimension of $D_i$.
$\epsilon_i = \left(\frac{\det(D_i)}{2}\right)$: sign of $D_i$.
$\mathrm{type}_i = \mathrm{I}$ or $\mathrm{II}$: type of $D_i$; it is I iff there is an odd entry on the main diagonal of the matrix $D_i$.
$\mathrm{odt}_i \in \{0, \cdots, 7\}$: oddity of $D_i$; if $\mathrm{type}_i = \mathrm{I}$, then it is equal to the trace of $D_i$ read modulo 8, and is 0 otherwise.

(4.8)


Let the set of scales $i$, with non-zero $n_i$, be denoted $I_2(Q)$. Then, the 2-symbol of $Q$ is written as follows.

$$\mathrm{sym}_2(Q) = \{(2, i, \epsilon_i, n_i, \mathrm{type}_i, \mathrm{odt}_i) \mid i \in I_2(Q)\} \tag{4.9}$$

In contrast to the $p \in \{-1\} \cup \mathbb{P}$ case, two $2^*$-equivalent quadratic forms may produce two different 2-symbols. These symbols are then said to be 2-equivalent. There is a transformation which maps all equivalent 2-symbols to a unique description (see Conway-Sloane [CS99], page 381). We repeat this transformation for the sake of completeness.

Compartments and Trains. Let $\Upsilon_2$ be a 2-symbol. Let us define an interval as a consecutive sequence of forms $2^iD_i$, even including those with dimension 0. The form with dimension 0 is treated as a form with Type II and Legendre symbol $+1$. A compartment is then a maximal interval in which all forms are of Type I. A train is a maximal interval with the property that for each pair of adjacent forms, at least one is Type I. There are two ways in which the symbol may be altered without changing the equivalence class.

(i) Oddity fusion. The oddities inside a compartment can be changed in such a way that the total sum over any compartment remains the same, i.e., the sum of oddities in a compartment is an invariant. For example, $3 \oplus 5$ and $1 \oplus 7$ are $2^*$-equivalent.

(ii) Sign walking. A 2-symbol remains in the same equivalence class if the signs of any two terms in the same train are simultaneously changed, provided certain oddities are changed by 4. Let us suppose that we want to flip the signs of terms at 2-scale $i$ and 2-scale $j$, $i < j$. We imagine walking the train from $i$ to $j$, taking steps between adjacent forms of scales $r$ and $r + 1$. Because we are in the same train during the entire walk, at least one of $D_r$ and $D_{r+1}$ is of Type I. The rule is that the total oddity of the compartment must be changed by 4 modulo 8, each time in the walk when either $D_r$ or $D_{r+1}$ is in that compartment.

An example from Conway-Sloane is as follows. Here, instead of considering the 2-symbol as a tuple $(2, 2^i, \epsilon_i, n_i, \mathrm{odt}_i)$, it is easier to consider it as a list with the corresponding term $(2^i)^{\epsilon_i n_i}_{\mathrm{odt}_i}$. Let us suppose that we have the following symbol.

$$1^{+2}_{0}\,[2^{-2}\,4^{+3}]_{3}\,8^{+0}\,[16^{+1}]_{1}\,32^{+2}_{0}$$

The compartments have been denoted by square brackets [] and the symbol at scale 3 has dimension 0. Suppose we want to flip the signs at scale 1 and 4. We have to take the steps $1 \to 2 \to 3 \to 4$. The steps $1 \to 2$ and $2 \to 3$ use the first compartment while the step $3 \to 4$ uses the second. The oddity of the first compartment remains unchanged (used twice) and the oddity of the second changes by 4 modulo 8. The final equivalent form is as follows.

$$1^{+2}_{0}\,[2^{+2}\,4^{+3}]_{3}\,8^{+0}\,[16^{-1}]_{5}\,32^{+2}_{0}$$

Using sign walking, one can show that $1 \oplus 2^2$ and $5 \oplus 2^2 \cdot 5$ are $2^*$-equivalent.

2-canonical symbol. Using these rules, a 2-canonical symbol can be computed. This is done as follows. Compute the 2-symbol and use oddity fusion and sign walking to make sure that there is at most one minus sign per train and this is on the earliest nonzero dimensional form in the train. Using this convention and only mentioning the total oddities of the compartments, the resulting description is unique and can be taken as a canonical symbol for the form (see page 382, [CS99]). Thus, the 2-canonical symbol for $1^{-2}_{0}\,[2^{+2}\,4^{+3}]\,8^{+0}\,[16^{+1}]_{1}\,32^{+2}_{0}$ is $1^{-2}\,[2^{2}\,4^{3}]_{7}\,[16]_{1}\,32^{2}$.

4.3 Canonicalization: p odd prime

In this section, we describe the function $\mathrm{can}_p$ which maps an integral quadratic form $Q$ to its unique canonical form $\mathrm{can}_p(Q)$. Then, we prove the following theorem.

Theorem 4.8. Let $Q^n$ be an integral quadratic form, $p$ be an odd prime and $k > \mathrm{ord}_p(\det(Q))$. Then, there is an algorithm (Las Vegas with constant probability of success) that given $(Q^n, p, k)$ performs $O(n^{1+\omega} \log k + n \log p)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$ and outputs $U \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ such that $U'QU \equiv \mathrm{can}_p(Q) \bmod p^k$.

The canonical form for an odd prime $p$ is defined as follows.

Definition 4.9. A quadratic form is $p$-canonical for an odd prime $p$, if it is of the form $\oplus_i\, p^iD_i^{n_i}$, where $D_i^{n_i}$ is a diagonal quadratic form equal to $I^{n_i}$ or $I^{n_i-1} \oplus \sigma_p$, and the $p$-scales $i$ of the diagonal entries of the quadratic form are non-decreasing. ♦

The uniqueness of the $p$-canonical form follows directly from the definition of $p$-symbol and Theorem 4.7.
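How the $p$-symbol of Equation (4.6) determines the $p$-canonical form of Definition 4.9, as an added Python example that is not code from the thesis. It assumes the input is already a diagonal form with nonzero integer entries (the output of Theorem 3.3) and computes only the canonical form, not the transformation $U$; the function names and sample forms are constructed.

```python
from math import prod


def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime, a coprime to p (Euler's criterion)."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else -1


def sigma(p):
    """Smallest quadratic non-residue modulo the odd prime p (Definition 4.1)."""
    return next(a for a in range(2, p) if legendre(a, p) == -1)


def split(x, p):
    """Write a nonzero integer x as p^i * u with u coprime to p; return (i, u)."""
    i = 0
    while x % p == 0:
        x //= p
        i += 1
    return i, x


def p_symbol(diag, p):
    """Equation (4.6) for a diagonal form given by its diagonal entries:
    a list of tuples (p, i, eps_i, n_i) sorted by scale i."""
    units = {}
    for d in diag:
        i, u = split(d, p)
        units.setdefault(i, []).append(u)
    # eps_i is the Legendre symbol of det(D_i), the product of the unit parts.
    return [(p, i, legendre(prod(us), p), len(us))
            for i, us in sorted(units.items())]


def canonical_from_symbol(symbol):
    """Definition 4.9: at scale i the block is p^i * I (eps_i = +1) or
    p^i * (I (+) sigma_p) (eps_i = -1); scales appear in non-decreasing order."""
    out = []
    for p, i, eps, n in symbol:
        last = 1 if eps == 1 else sigma(p)
        out += [p ** i] * (n - 1) + [p ** i * last]
    return out


def canonical_form(diag, p):
    return canonical_from_symbol(p_symbol(diag, p))


if __name__ == "__main__":
    # Constructed diagonal forms for p = 7, where sigma_7 = 3.
    print(p_symbol([3, 5, 14, 49], 7), canonical_form([3, 5, 14, 49], 7))
    print(p_symbol([14, 3, 1], 7), canonical_form([14, 3, 1], 7))
```

In the first sample both unit entries 3 and 5 are non-residues modulo 7, yet their product is a residue, so the scale-0 block canonicalizes to $1 \oplus 1$.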

We now describe the canonicalization algorithm. Let $Q^n$ be an integral quadratic form, $p$ be a prime and $k$ be a positive integer. For $n = 1$, the canonicalization algorithm follows from the uniform sampling theorem, i.e., Lemma 3.30.


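Suppose $n = 2$ and the input $Q^2$ is of the form $\tau_1 \oplus \tau_2$, where $\tau_1, \tau_2$ are units of $\mathbb{Z}/p\mathbb{Z}$. The p-canonical form of $Q$ is $1 \oplus \{1, \sigma_p\}$. The following lemma shows how to canonicalize in this case.

Lemma 4.10. Let $\tau_1, \tau_2 \in (\mathbb{Z}/p\mathbb{Z})^\times$, $p$ odd prime and $k$ be a positive integer. Then, there is a $U \in \mathrm{GL}_2(\mathbb{Z}/p^k\mathbb{Z})$ which transforms $\tau_1 \oplus \tau_2$ to $1 \oplus \{1, \sigma_p\}$ modulo $p^k$. The transformation $U$ can be found by a Las Vegas algorithm which performs $O(\log k + \log p)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$ and fails with constant probability.

Proof. Consider the situation when $\tau_1$ is a quadratic residue modulo $p$. Then, we use Lemma 3.30 to find a primitive $x$ such that $x^2\tau_1 \equiv 1 \bmod p^k$. The number $\tau_2$ is either a non-residue or a residue modulo $p$. In either case, we find a $y$ using Theorem 3.11 again such that $y^2\tau_2 \bmod p^k \in \{1, \sigma_p\}$.

$$\begin{pmatrix} x & 0 \\ 0 & y \end{pmatrix}\begin{pmatrix} \tau_1 & 0 \\ 0 & \tau_2 \end{pmatrix}\begin{pmatrix} x & 0 \\ 0 & y \end{pmatrix} \equiv \begin{pmatrix} 1 & 0 \\ 0 & \{1, \sigma_p\} \end{pmatrix} \bmod p^k$$

If $\tau_2$ is a quadratic residue then we make the following transformation and reduce to the previous case.

$$\begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}\begin{pmatrix} \tau_1 & 0 \\ 0 & \tau_2 \end{pmatrix}\begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} = \begin{pmatrix} \tau_2 & 0 \\ 0 & \tau_1 \end{pmatrix} \bmod p^k$$

Otherwise, both $\tau_1$ and $\tau_2$ are quadratic non-residues. From Lemma 2.2, 1 can be written as a sum of two non-residues. Let $(\tau_1^-, \tau_2^-)$ be one such pair. Then, we can write 1 as $(\tau_1^-) + (p^k + 1 - \tau_1^-)$ over $\mathbb{Z}/p^k\mathbb{Z}$, where both $\tau_1^-$ and $p^k + 1 - \tau_1^-$ are quadratic non-residues as

$$\left(\frac{p^k + 1 - \tau_1^-}{p}\right) = \left(\frac{1 - \tau_1^-}{p}\right) = \left(\frac{\tau_2^-}{p}\right).$$

Thus, 1 has a primitive $p^k$-representation in $\tau_1 \oplus \tau_2$ over $\mathbb{Z}/p^k\mathbb{Z}$. We now use $\tau_1$ to represent $\tau_1^-$ primitively and $\tau_2$ to represent $p^k + 1 - \tau_1^-$ primitively over $\mathbb{Z}/p^k\mathbb{Z}$ (use Lemma 3.30). Let $(x, y) \in (\mathbb{Z}/p^k\mathbb{Z})^2$ be the primitive representation. Then, we extend it to a matrix $\begin{pmatrix} x & a \\ y & b \end{pmatrix} \in \mathrm{GL}_2(\mathbb{Z}/p^k\mathbb{Z})$, using Lemma 2.6. Applying this transformation on $\tau_1 \oplus \tau_2$ yields the following matrix.

$$\begin{pmatrix} 1 & a\tau_1 x + b\tau_2 y \\ a\tau_1 x + b\tau_2 y & a^2\tau_1 + b^2\tau_2 \end{pmatrix} \bmod p^k$$

This matrix can be diagonalized using Theorem 3.3, keeping the 1 unchanged, to a matrix of the following form.

$$\begin{pmatrix} 1 & 0 \\ 0 & a \end{pmatrix} \bmod p^k$$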


But all these transformations are from $\mathrm{GL}_2(\mathbb{Z}/p^k\mathbb{Z})$ and hence do not change the symbol of the matrix $\tau_1 \oplus \tau_2$. Thus, $a$ must be a unit of $\mathbb{Z}/p\mathbb{Z}$. One can now use Lemma 3.30 to find a $z$ such that $z^2 a \bmod p^k \in \{1, \sigma_p\}$. The $U$ in this case is the product of all transformations in $\mathrm{GL}_2(\mathbb{Z}/p^k\mathbb{Z})$ we have used so far.

We are now ready to prove Theorem 4.8.

Proof. (Theorem 4.8) The algorithm makes a sequence of transformations, each from $\mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$.

(i.) Use Theorem 3.3 to find $U_0 \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ such that $U_0'QU_0 \bmod p^k$ is a diagonal matrix. Use transformations $V_1, \cdots, V_n \in \mathrm{SL}_n(\mathbb{Z}/p^k\mathbb{Z})$ to transform the diagonal matrix to the form $d_1 \oplus \cdots \oplus d_n$, such that $\mathrm{ord}_p(d_1) \leq \cdots \leq \mathrm{ord}_p(d_n)$. Note that each $V_i$ exchanges two diagonal entries. The total number of ring operations for this step is $O(n^{1+\omega}\log k)$.

(ii.) The matrix is now of the form $p^{i_1}D_1^{n_1} \oplus \cdots \oplus p^{i_m}D_m^{n_m}$, where $D_1, \cdots, D_m$ are diagonal matrices with unit determinants. We next use transformations to transform $D_i$ to $\mathrm{can}_p(D_i)$. This is done as follows. If $D_i$ is of dimension 1 then we use Lemma 3.30 to canonicalize it. Otherwise, $D_i^{n_i > 1}$. The matrix is of the form $(\tau_1, \cdots, \tau_{n_i})$, where $\tau_1, \cdots, \tau_{n_i}$ are units of $\mathbb{Z}/p\mathbb{Z}$. We apply a transformation on $\tau_1 \oplus \tau_2$ to turn it into $1 \oplus \tau$ over $\mathbb{Z}/p^k\mathbb{Z}$, where $\tau \in \{1, \sigma_p\}$ (Lemma 4.10). Continuing in a similar way, we end up with the transformation $W_i \in \mathrm{GL}_{n_i}(\mathbb{Z}/p^k\mathbb{Z})$, for each $i$ such that $W_i'D_iW_i \equiv I_{n_i-1} \oplus \{1, \sigma_p\} \bmod p^k$. Let $U_i \in \mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ be the corresponding local transformation (see Equation 4.2). This step takes $O(n(\log k + \log p))$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$.

Then, the transformation $U = U_0V_1 \cdots V_nU_1 \cdots$ is a product of matrices, each from $\mathrm{GL}_n(\mathbb{Z}/p^k\mathbb{Z})$ and turns $Q$ to its canonical form. The algorithm performs $O(n^{1+\omega}\log k + n\log p)$ ring operations over $\mathbb{Z}/p^k\mathbb{Z}$.
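Step (ii) of this proof, worked through for a single block of units, as an added example that is not code from the thesis. It follows the three cases of Lemma 4.10 and returns the transformation explicitly; the choice of $\sigma_p$ as the smallest quadratic non-residue modulo $p$, the use of Tonelli-Shanks with Newton lifting in place of Lemma 3.30, and all function names are assumptions of the example.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def sqrt_mod_p(a, p):
    """Tonelli-Shanks: a square root of the quadratic residue a modulo p."""
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while legendre(z, p) != -1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def sqrt_mod_pk(a, p, k):
    """Newton (Hensel) lifting of sqrt_mod_p to a root of the unit a modulo p^k."""
    m, x = p ** k, sqrt_mod_p(a, p)
    for _ in range(k.bit_length()):          # the p-adic precision doubles each round
        x = (x - (x * x - a) * pow(2 * x, -1, m)) % m
    return x

def matmul(A, B, m):
    """Matrix product modulo m."""
    return [[sum(a * b for a, b in zip(row, col)) % m for col in zip(*B)] for row in A]

def congruence(Q, U, m):
    """The transformed form U' Q U modulo m (U' is the transpose of U)."""
    return matmul(matmul([list(col) for col in zip(*U)], Q, m), U, m)

def canonicalize_pair(t1, t2, p, k, sigma):
    """Lemma 4.10: (U, tau) with U' (t1 + t2) U = 1 + tau mod p^k, tau in {1, sigma}."""
    m = p ** k
    inv = lambda v: pow(v, -1, m)
    if legendre(t1, p) == -1 and legendre(t2, p) == 1:
        # Swap the two entries, then reuse the "t1 is a residue" case.
        U, tau = canonicalize_pair(t2, t1, p, k, sigma)
        return [U[1], U[0]], tau
    if legendre(t1, p) == 1:
        tau = 1 if legendre(t2, p) == 1 else sigma
        x = inv(sqrt_mod_pk(t1, p, k))                    # x^2 t1 = 1
        y = sqrt_mod_pk(tau * inv(t2) % m, p, k)          # y^2 t2 = tau
        return [[x, 0], [0, y]], tau
    # Both entries are non-residues: write 1 = n1 + n2 with n1, n2 non-residues.
    n1 = next(c for c in range(2, p) if legendre(c, p) == -1 and legendre(1 - c, p) == -1)
    n2 = (1 - n1) % m
    x = sqrt_mod_pk(n1 * inv(t1) % m, p, k)               # t1 x^2 = n1
    y = sqrt_mod_pk(n2 * inv(t2) % m, p, k)               # t2 y^2 = n2
    # Extending (x, y) by the column (0, 1) and clearing the off-diagonal entry
    # leaves 1 + t2*n1; z rescales that residue to 1.
    z = inv(sqrt_mod_pk(t2 * n1 % m, p, k))
    return [[x, -x * t2 * y * z % m], [y, n1 * z % m]], 1

def canonicalize_unit_block(taus, p, k):
    """Canonicalize D = diag(taus), all entries units, modulo p^k.

    Returns (W, can) with W' D W = diag(can) mod p^k and can = [1, ..., 1, 1 or sigma].
    """
    m, n = p ** k, len(taus)
    sigma = next(c for c in range(2, p) if legendre(c, p) == -1)   # assumed sigma_p
    if n == 1:
        tau = 1 if legendre(taus[0], p) == 1 else sigma
        return [[sqrt_mod_pk(tau * pow(taus[0], -1, m) % m, p, k)]], [tau]
    W = [[int(i == j) for j in range(n)] for i in range(n)]
    cur = taus[0] % m
    for j in range(1, n):
        # Canonicalize the pair in positions (j-1, j); position j-1 becomes 1.
        U, cur = canonicalize_pair(cur, taus[j] % m, p, k, sigma)
        E = [[int(i == l) for l in range(n)] for i in range(n)]
        E[j - 1][j - 1], E[j - 1][j] = U[0]
        E[j][j - 1], E[j][j] = U[1]
        W = matmul(W, E, m)
    return W, [1] * (n - 1) + [cur]

if __name__ == "__main__":
    p, k, taus = 7, 3, [3, 5, 6, 2]          # constructed sample block of units
    W, can = canonicalize_unit_block(taus, p, k)
    D = [[t if i == j else 0 for j in range(4)] for i, t in enumerate(taus)]
    print(can, congruence(D, W, p ** k))
```

For a block at p-scale $i$ the same $W$ applies unchanged, since $W'(p^iD)W = p^i\,W'DW$.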

4.4 Canonicalization: p = 2

The 2-canonical form is non-trivial and requires care. We follow the same procedure (sign walking and oddity fusion) as Conway-Sloane [CS99] given in Section 4.2.2. Then, we prove the following theorem.

Theorem 4.11. Let $Q^n$ be an integral quadratic form, and $k \geq \mathrm{ord}_2(\det(Q)) + 3$. Then, there is an algorithm that given $(Q^n, k)$ performs $O(n^{1+\omega}\log k + nk^3)$ ring operations over $\mathbb{Z}/2^k\mathbb{Z}$ and outputs $U \in \mathrm{GL}_n(\mathbb{Z}/2^k\mathbb{Z})$ such that $U'QU \equiv \mathrm{can}_2(Q) \bmod 2^k$.


4.4.1 Type II Block

Our next step is to give a transformation which maps any Type II matrix to its canonical form. Recall that the canonical form of a Type II matrix $Q$ is either $2^{\mathrm{ord}_2(Q)}T^-$ or $2^{\mathrm{ord}_2(Q)}T^+$.

Lemma 4.12. Let $Q$ be a Type II matrix of 2-order 0. Then, there is an algorithm that given $(Q, k \geq 3)$ as input performs $O(k \log k)$ ring operations and outputs a $U \in \mathrm{GL}_2(\mathbb{Z}/2^k\mathbb{Z})$ such that $U'QU \bmod 2^k \in \{T^+, T^-\}$.

Proof. By definition, $Q$ is of the form $\begin{pmatrix} 2a & b \\ b & 2c \end{pmatrix}$, where $b$ is odd. The integer $b$ is odd and so $b^2 \bmod 8 = 1$. Thus, $\det(Q) \bmod 4 = 4ac - b^2 \bmod 4 = 3$ and $\det(Q) \bmod 8 \in \{3, 7\}$. For convenience, suppose that

$$\lambda = \det(Q) \bmod 8, \qquad \lambda \in \{3, 7\}.$$

Let $s = k + 1$. We now give a transformation which maps $Q$ to its canonical form.

(i.) From Lemma 3.19, 2 has a primitive representation in $Q$ over $\mathbb{Z}/2^s\mathbb{Z}$. Use Lemma 3.29 to find one such primitive representation $(x_1, x_2) \in (\mathbb{Z}/2^s\mathbb{Z})^2$. Without loss of generality assume $x_1$ is odd and define $U \in \mathrm{GL}_2(\mathbb{Z}/2^s\mathbb{Z})$ as follows.

$$U = \begin{pmatrix} x_1 & 0 \\ x_2 & x_1^{-1} \bmod 2^s \end{pmatrix}, \qquad U'QU \equiv \begin{pmatrix} 2 & b + 2cx_2x_1^{-1} \\ b + 2cx_2x_1^{-1} & 2cx_1^{-2} \end{pmatrix} \bmod 2^s$$

(ii.) The matrix $U$ is in $\mathrm{GL}_2(\mathbb{Z}/2^s\mathbb{Z})$. Thus, $\det(U)$ is a unit of $\mathbb{Z}/2^s\mathbb{Z}$ and $\det(U'QU) \bmod 8 = \lambda = \det(Q) \bmod 8$. Thus, the following equation has a solution.

$$x^2 \det(U'QU) \equiv \lambda \pmod{2^s} \qquad (4.10)$$

(iii.) A primitive solution of Equation 4.10 can be found using Lemma 3.31. Let us denote the solution by $x$. Then, $x$ is primitive and the matrix $V$ defined by $1 \oplus x$ is in $\mathrm{GL}_2(\mathbb{Z}/2^s\mathbb{Z})$.

(iv.) Let $S := V'U'QUV \bmod 2^s$. Then, by construction, $S_{11} = 2$ and $\det(S) = x^2 \det(U'QU) \bmod 2^s$ which equals $\lambda$ (Equation 4.10).

(v.) By assumption, $b$ is odd. But then, $S_{12}$ is odd and $(1 - S_{12})/2$ is an element of $\mathbb{Z}/2^s\mathbb{Z}$. It follows that the matrix $W := \begin{pmatrix} 1 & \frac{1 - S_{12}}{2} \\ 0 & 1 \end{pmatrix}$ is in $\mathrm{GL}_2(\mathbb{Z}/2^s\mathbb{Z})$. But then, for some integer $y$,

$$W'SW \equiv \begin{pmatrix} 2 & 1 \\ 1 & 2y \end{pmatrix} \bmod 2^s \qquad (4.11)$$


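(vi.) By construction, $\det(W) \equiv 1 \bmod 2^s$ and from item (iv),

$$\det(W'SW) \equiv \det(S) \equiv \lambda \pmod{2^s} \qquad (4.12)$$

(vii.) By Equation 4.11 and Equation 4.12, $4y - 1 \equiv \lambda \pmod{2^s}$. Recall $\lambda \in \{3, 7\}$. This implies that $\lambda + 1$ is divisible by 4 and

$$2y \bmod 2^s \in \begin{cases} \{2,\ 2 + 2^{s-1}\} & \lambda = 3 \\ \{4,\ 4 + 2^{s-1}\} & \lambda = 7 \end{cases} \implies 2y \bmod 2^k = \begin{cases} 2 & \lambda = 3 \\ 4 & \lambda = 7 \end{cases}$$

(viii.) Thus, the transformation $UVW$ is in $\mathrm{GL}_2(\mathbb{Z}/2^k\mathbb{Z})$ and transforms $Q$ to its canonical form over $\mathbb{Z}/2^k\mathbb{Z}$, by construction.

By Lemma 3.19 and Lemma 3.31, the transformation can be constructed in $O(k \log k)$ ring operations.

4.4.2 Dimension = 3, with one Type II block

Let us suppose that the input matrix $Q^3$ is of the form $\tau \oplus T$, where $\tau$ is a unit of $\mathbb{Z}/2^k\mathbb{Z}$. In this case, we show that the matrix can be transformed into a diagonal matrix $\tau_1 \oplus \tau_2 \oplus \tau_3$ over $\mathbb{Z}/2^k\mathbb{Z}$ such that $\tau_1, \tau_2, \tau_3$ are all units of $\mathbb{Z}/2^k\mathbb{Z}$.

Lemma 4.13. Let $k \geq 3$ be an integer and $\tau$ be a unit of $\mathbb{Z}/2^k\mathbb{Z}$. Then, there is an algorithm that performs $O(k \log k)$ ring operations and transforms $\tau \oplus T$ to $\tau_1 \oplus \tau_2 \oplus \tau_3$, where $\tau_1, \tau_2, \tau_3$ are units of $\mathbb{Z}/2^k\mathbb{Z}$.

Proof. As usual, we provide a sequence of transformations, each from $\mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$.

(i.) Let $V \in \mathrm{GL}_2(\mathbb{Z}/2^k\mathbb{Z})$ be the matrix that transforms $\begin{pmatrix} 8 & 1 \\ 1 & 2 \end{pmatrix}$ to $T^+$ over $\mathbb{Z}/2^k\mathbb{Z}$. This matrix can be found using Lemma 4.12. Suppose $U^3$ is defined as follows.

$$U = \begin{cases} 1 \oplus U_1^{-1} \bmod 2^k & \text{if } T = T^+ \\ I_3 & \text{otherwise} \end{cases}$$

By construction, $U$ transforms $\tau \oplus T$ to the following form.

$$\tau \oplus T \xrightarrow{U,\,2^k} \begin{pmatrix} \tau & 0 & 0 \\ 0 & x & 1 \\ 0 & 1 & 2 \end{pmatrix}, \quad \text{where } x \in \{2, 8\}$$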


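(ii.) Consider the matrix $V$ defined as follows.

$$V = \begin{pmatrix} 1 & 1 & 1 \\ r & 1 & 0 \\ 0 & 1 & 1 \end{pmatrix}$$

Whatever integer value $r$ takes, the matrix $V$ has determinant 1 and hence $V \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$. The matrix $V$ makes the following transformation.

$$\begin{pmatrix} \tau & 0 & 0 \\ 0 & x & 1 \\ 0 & 1 & 2 \end{pmatrix} \xrightarrow{V,\,2^k} \begin{pmatrix} r^2x + \tau & rx + r + \tau & \tau + r \\ rx + r + \tau & \tau + 4 + x & \tau + 3 \\ \tau + r & \tau + 3 & \tau + 2 \end{pmatrix}$$

(iii.) The integer $x \in \{2, 8\}$ and so $(x + 1)$ is a unit of $\mathbb{Z}/2^k\mathbb{Z}$. If we set $r := \frac{-\tau}{x+1} \bmod 2^k$, then $rx + r + \tau \equiv 0 \bmod 2^k$. Thus, the matrix has been transformed into the following form, where $\tau_1 = r^2x + \tau$ and $\tau_2 = \tau + 4 + x$.

$$\begin{pmatrix} \tau_1 & 0 & \tau + r \\ 0 & \tau_2 & \tau + 3 \\ \tau + r & \tau + 3 & \tau + 2 \end{pmatrix}$$

(iv.) The numbers $\tau_1 = r^2x + \tau$ as well as $\tau_2 = \tau + 4 + x$ are odd because $x \in \{2, 8\}$ and $\tau$ is odd. Thus, by Theorem 3.3, we can find a matrix $W \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$ such that $W$ transforms the matrix to the following final form, where $\tau_3$ is also a unit of $\mathbb{Z}/2^k\mathbb{Z}$.

$$\begin{pmatrix} \tau_1 & 0 & 0 \\ 0 & \tau_2 & 0 \\ 0 & 0 & \tau_3 \end{pmatrix}$$

Lemma 4.13 implies that one does not need to have Type I and Type II matrices on the same 2-scale. Thus, for every 2-symbol there is an equivalent 2-symbol in which all 2-scales are either exclusively Type I or Type II.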
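Steps (ii.) to (iv.) of the proof of Lemma 4.13 carried out numerically, as an added example that is not code from the thesis. The function names are hypothetical, and the unit-pivot elimination used for step (iv.) is an assumed stand-in for Theorem 3.3, which is not reproduced in this section.

```python
def matmul(A, B, m):
    """Matrix product modulo m."""
    return [[sum(a * b for a, b in zip(row, col)) % m for col in zip(*B)] for row in A]


def congruence(Q, U, m):
    """The transformed form U' Q U modulo m (U' is the transpose of U)."""
    return matmul(matmul([list(col) for col in zip(*U)], Q, m), U, m)


def split_type2_block(tau, x, k):
    """Diagonalize tau + [[x, 1], [1, 2]] over Z/2^k Z into three odd entries.

    tau must be odd and x in {2, 8}, the shape reached after step (i.).
    Returns (U, D) with U' Q U = D mod 2^k and D = diag(tau1, tau2, tau3).
    """
    if tau % 2 == 0 or x not in (2, 8) or k < 3:
        raise ValueError("need tau odd, x in {2, 8} and k >= 3")
    m = 1 << k
    Q = [[tau % m, 0, 0], [0, x, 1], [0, 1, 2]]

    # Step (iii.): r = -tau / (x + 1) mod 2^k makes the (1, 2) entry vanish.
    r = -tau * pow(x + 1, -1, m) % m
    # Step (ii.): V has determinant 1 whatever the value of r.
    V = [[1, 1, 1], [r, 1, 0], [0, 1, 1]]
    S = congruence(Q, V, m)
    if S[0][1] != 0 or S[0][0] % 2 == 0 or S[1][1] % 2 == 0:
        raise AssertionError("step (iii.) did not produce two odd pivots")

    # Step (iv.): clear the last column with the odd pivots S11 and S22.
    # tau3 = S33 - S13^2/S11 - S23^2/S22 is odd because S13 and S23 are even.
    u = -S[0][2] * pow(S[0][0], -1, m) % m
    v = -S[1][2] * pow(S[1][1], -1, m) % m
    W = [[1, 0, u], [0, 1, v], [0, 0, 1]]
    return matmul(V, W, m), congruence(S, W, m)


if __name__ == "__main__":
    # Constructed inputs: every odd residue tau mod 8 against both values of x.
    for x in (2, 8):
        for tau in (1, 3, 5, 7):
            U, D = split_type2_block(tau, x, 6)
            print(tau, x, [D[i][i] for i in range(3)])
```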

4.4.3 Sign Walking

We now make the transformations required to perform sign walking. Note that the sign walking is done on symbols but we make the corresponding transformations between $2^k$-equivalent quadratic forms. Also, sign walking involves a single train and hence, we never walk between two Type II forms.

By definition, $\left(\frac{\tau}{2}\right) = 1$ iff $\tau \bmod 8 \in \{1, 7\}$. Thus, $\tau + 4$ always has the opposite sign of $\tau$. In the lemma below, notice that in every transformation the negative sign propagates to the front.


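Lemma 4.14. There exist invertible transformations over $\mathbb{Z}/2^k\mathbb{Z}$, computable in $O(k \log k)$ ring operations, such that

(i.) $\tau_1 \oplus 4\tau_2 \xrightarrow{2^k} (\tau_1 + 4) \oplus 4(\tau_2 + 4)$, $k \geq 5$

(ii.) $\tau \oplus 2T^- \xrightarrow{2^k} (\tau + 4) \oplus 2T^+$, $k \geq 4$

(iii.) $T_1 \oplus 2\tau_1^- \xrightarrow{2^k} T_2 \oplus 2\tau_2^+$, $k \geq 4$

(iv.) $T_1 \oplus T^- \xrightarrow{2^k} T_2 \oplus T^+$, $k \geq 3$

where $\tau_1, \tau_2 \in \{1, 3, 5, 7\}$, $\tau_1^- \in \{3, 5\}$, $\tau_2^+ \in \{1, 7\}$ and $T_1, T_2 \in \{T^-, T^+\}$.

Proof. We itemize the transformations and show how to find them under the corresponding item.

(i.) By assumption, $\tau_1$ and $\tau_2$ are odd and so $\tau_2$ is invertible over $\mathbb{Z}/2^k\mathbb{Z}$. Let $U$ be defined as follows.

$$U := \begin{pmatrix} 1 & 4 \\ 1 & -\frac{\tau_1}{\tau_2} \bmod 2^{k-2} \end{pmatrix} \bmod 2^k \qquad (4.13)$$

Then, $\det(U) \equiv -4 - \frac{\tau_1}{\tau_2} \bmod 2^{k-2}$; $\det(U)$ is odd and $U \in \mathrm{GL}_2(\mathbb{Z}/2^k\mathbb{Z})$. If $x = -\frac{\tau_1}{\tau_2} \bmod 2^{k-2}$, then $4(\tau_2x + \tau_1) \equiv 0 \bmod 2^k$. The transformation $U$ has the following effect on our input matrix $\tau_1 \oplus 4\tau_2$.

$$\begin{pmatrix} \tau_1 & 0 \\ 0 & 4\tau_2 \end{pmatrix} \xrightarrow{U,\,2^k} \begin{pmatrix} \tau_1 + 4\tau_2 & 0 \\ 0 & 4(\tau_2x^2 + 4\tau_1) \end{pmatrix}$$

The integers $\tau_1, \tau_2$ are odd by hypothesis and $x$ is odd by construction. But then,

$$\tau_1 + 4\tau_2 \equiv \tau_1 + 4 \bmod 8$$

$$\tau_2x^2 + 4\tau_1 \equiv \tau_2 + 4 \bmod 8$$

Thus, we can find $2^k$-primitive transformations that map $\tau_1 + 4\tau_2$ to $\tau_1 + 4$ and $4(\tau_2x^2 + 4\tau_1)$ to $4(\tau_2 + 4)$ using Lemma 3.31. These transformations take the matrix to the final form.

(ii.) We first transform our input matrix $\tau \oplus 2T^-$ by the matrix $V \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$ defined below.

$$V = \begin{pmatrix} 1 & 0 & 0 \\ 1 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}, \qquad V'\left(\tau \oplus 2T^-\right)V = \begin{pmatrix} \tau + 4 & 4 & 2 \\ 4 & 4 & 2 \\ 2 & 2 & 4 \end{pmatrix}$$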


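This transformation brings the first entry to the correct sign. We block diagonalize this matrix using our algorithm in the proof of Theorem 3.3 and find a matrix $U \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$ such that

$$U'\begin{pmatrix} \tau + 4 & 4 & 2 \\ 4 & 4 & 2 \\ 2 & 2 & 4 \end{pmatrix}U \equiv (\tau + 4) \oplus X \pmod{2^k},$$

where $X$ is a Type II block. The transformations made so far are from $\mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$, and so, $\det(\tau_1 \oplus 2T^-) \stackrel{2^k}{\sim} (\tau + 4)\det(X)$. In particular, this implies that $\mathrm{ord}_2(\det(X)) = 2$ and $\left(\frac{\mathrm{cpr}_2(\det(X))}{2}\right) = +$. Because $X$ is a Type II block, it is $2^*$-equivalent to $2T^+$ and such a transformation can be found using Lemma 4.12.

(iii.) Given the input matrix $T_1 \oplus 2\tau_1^-$ we apply the transformation $V \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$ given below.

$$V = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 1 & 1 \end{pmatrix}, \qquad \begin{pmatrix} 2 & 1 & 0 \\ 1 & b \in \{2, 4\} & 0 \\ 0 & 0 & 2\tau \end{pmatrix} \xrightarrow{V,\,2^k} \begin{pmatrix} 2 & 1 & 0 \\ 1 & b + 2\tau & 2\tau \\ 0 & 2\tau & 2\tau \end{pmatrix}$$

This transformation maps $b$ to $b + 2\tau$, where $\tau$ is odd. But then,

$$\det(T_1) = 2b - 1, \qquad \det\begin{pmatrix} 2 & 1 \\ 1 & b + 2\tau \end{pmatrix} = 2b - 1 + 4\tau$$

Thus, the sign of the Type II matrix has been switched. Next we use the block diagonalization algorithm from the proof of Theorem 3.3. If $U$ is the output then, for some integer $x$,

$$U'\begin{pmatrix} 2 & 1 & 0 \\ 1 & b + 2\tau & 2\tau \\ 0 & 2\tau & 2\tau \end{pmatrix}U \equiv \begin{pmatrix} 2 & 1 & 0 \\ 1 & b + 2\tau & 0 \\ 0 & 0 & x \end{pmatrix} \pmod{2^k}$$

As before, the $2^k$-symbol of the determinant of the quadratic form does not change when transformed by $U \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$; implying, $\mathrm{ord}_2(x) = 1$ and $\mathrm{sgn}_2(\mathrm{cpr}_2(x)) = +$. Using Lemma 4.12 and Lemma 3.31, the following transformation over $\mathbb{Z}/2^k\mathbb{Z}$ can be found.

$$\begin{pmatrix} 2 & 1 & 0 \\ 1 & b + 2\tau & 0 \\ 0 & 0 & x \end{pmatrix} \to T_2 \oplus 2\tau_2^+$$

where $T_2$ has the opposite sign as $T_1$ and $\tau_2^+ \in \{1, 7\}$.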


(iv.) Let $b \in \{2, 4\}$, then the input matrix $T_1 \oplus T^-$ is in the following form.

$$\begin{pmatrix} 2 & 1 \\ 1 & b \end{pmatrix} \oplus \begin{pmatrix} 2 & 1 \\ 1 & 2 \end{pmatrix}$$

If $b = 4$ then we swap the two matrices. Otherwise, we apply the following transformation.

$$V = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}, \qquad T^- \oplus T^- \xrightarrow{V,\,2^k} \begin{pmatrix} 2 & 1 & 0 & 0 \\ 1 & 4 & 2 & 1 \\ 0 & 2 & 2 & 1 \\ 0 & 1 & 1 & 2 \end{pmatrix}$$

Diagonalization (see Theorem 3.3) of this matrix from top down will yield a quadratic form of the form $T^+ \oplus Y$, where $Y$ is also equivalent to $T^+$. We then make a local transformation to convert $Y$ to $T^+$.

4.4.4 Oddity Fusion

The transformations under the oddity fusion step deal with a single compartment. A compartment is a consecutive sequence of Type I forms. Two adjacent quadratic forms in the same compartment differ by at most 1 in terms of their 2-scale. In this case, we want to find the minimum lexicographically possible set of integers that can be represented.

Lemma 4.15. Let $\tau, \tau_1, \tau_2, \tau_3 \in \mathrm{sgn}^\times$, $i, i_1, i_2, i_3$ be positive integers and $T \in \{T^-, T^+\}$ be a Type II matrix. If $2^{i_1}\tau_1 \oplus 2^{i_2}\tau_2 \oplus 2^{i_3}\tau_3 \stackrel{2^*}{\sim} 2^{i_1}\tau \oplus 2^{i}T$, then $i_1 = i_2 = i_3 = i = 1$.

Proof. Suppose that $i_1 = i_2 = i_3 = i$ is not true. Then, the 2-symbols (see Section 4.2.2) of the first and the second quadratic form are not equivalent because one cannot be transformed into the other by a combination of oddity fusion and sign walking steps.

Lemma 4.16. Let $\tau_1, \tau_2, \tau_3$ be odd integers and $k$ be a positive integer. Then, there is an algorithm that transforms $D = \tau_1 \oplus \tau_2 \oplus \tau_3$ to one of the forms in Table 4.1 in $O(k^2 \log k)$ ring operations, where $\varepsilon = \left(\frac{\tau_1\tau_2\tau_3}{2}\right)$ and $\mathrm{odt} := \tau_1 + \tau_2 + \tau_3 \bmod 8$.

Proof. The forms listed in Table 4.1 are exhaustive. The transformation from $D$ to one of these forms can be done using Theorem 3.10 as follows.

(i.) Read the canonical form from Table 4.1 using the oddity and the value of $\varepsilon$ of the quadratic form $D$. Let it be $\tau_1 \oplus \tau_2 \oplus \tau_3$.


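Table 4.1: Type I Canonical Forms for n = 3

| ε | odt | Form | ε | odt | Form |
|---|-----|------|---|-----|------|
| + | 1 | 1 ⊕ 1 ⊕ 7 | − | 1 | 3 ⊕ 3 ⊕ 3 |
| + | 3 | 1 ⊕ 1 ⊕ 1 | − | 3 | 1 ⊕ 3 ⊕ 7 |
| + | 5 | 3 ⊕ 3 ⊕ 7 | − | 5 | 1 ⊕ 1 ⊕ 3 |
| + | 7 | 1 ⊕ 3 ⊕ 3 | − | 7 | 1 ⊕ 1 ⊕ 5 |

(ii.) Use Theorem 3.10 to represent $\tau_1$ using $D$ over $\mathbb{Z}/2^k\mathbb{Z}$. Let $x \in (\mathbb{Z}/2^k\mathbb{Z})^3$ be the representation and $U \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$ be the corresponding primitive extension as in Lemma 2.6.

(iii.) The integer $\tau_1$ is odd and hence using Theorem 3.3 the matrix $U'DU$ can be block diagonalized over $\mathbb{Z}/2^k\mathbb{Z}$ by matrix $V \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$ such that

$$V'U'DUV \equiv \tau_1 \oplus B, \quad \text{where } B \in (\mathbb{Z}/2^k\mathbb{Z})^{2\times 2}$$

(iv.) The oddity and Legendre symbol for the matrix $B$ can be computed exhaustively using $D$ and $\tau_1$ as follows.

$$\mathrm{odt}(B) = \mathrm{odt}(D) - \tau_1 \bmod 8, \qquad \left(\frac{\det(B)}{2}\right) = \varepsilon\left(\frac{\tau_1}{2}\right)$$

(v.) If $\mathrm{odt}(B) = 0$ then $B$ might be of Type II. The exhaustive list of such matrices $\tau_1 \oplus B$, where $B$ is Type II, is given in Table 4.2, below.

Table 4.2: Bad cases for n = 3

| Form with Type II | Equivalent Form | odt | ε |
|-------------------|-----------------|-----|---|
| 1 ⊕ T− | 3 ⊕ 3 ⊕ 3 | 1 | − |
| 3 ⊕ T− | 1 ⊕ 1 ⊕ 1 | 3 | + |
| 5 ⊕ T− | 3 ⊕ 3 ⊕ 7 | 5 | + |
| 7 ⊕ T− | 1 ⊕ 1 ⊕ 5 | 7 | − |
| 1 ⊕ T+ | 1 ⊕ 1 ⊕ 7 | 1 | + |
| 3 ⊕ T+ | 1 ⊕ 3 ⊕ 7 | 3 | − |
| 5 ⊕ T+ | 1 ⊕ 1 ⊕ 3 | 5 | − |
| 7 ⊕ T+ | 1 ⊕ 3 ⊕ 3 | 7 | + |

(vi.) The bad cases are problematic because it is impossible to transform $T^-$ or $T^+$ to a form $\tau_2 \oplus \tau_3$ using transformations from $\mathrm{GL}_2(\mathbb{Z}/2^k\mathbb{Z})$.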


Fortunately, the strategy to represent the smallest possible $\tau_1$ fails, i.e., results in one of the bad cases, only when $D \stackrel{2^*}{\sim} 1 \oplus 1 \oplus 7$. For all other forms in Table 4.1 it can be checked that $\tau_2 + \tau_3 \bmod 8 \neq 0$.

For the special case of $1 \oplus 1 \oplus 7$, we represent 7 instead of 1 under item (ii.). Then, $\mathrm{odt}(B) = 1 + 1 = 2$ and $B$ is not of Type II.

(vii.) If $B$ is not of Type II then we transform $B$ to $\tau_2 \oplus \tau_3$ using Theorem 3.10 and Theorem 3.3. Note that the transformation exists because the 2-symbol of $B$ matches the 2-symbol of $\tau_2 \oplus \tau_3$. In case of $D = 1 \oplus 1 \oplus 7$ we end up with $7 \oplus 1 \oplus 1$ instead. We then swap 7 and 1 using a transformation from $\mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$.

4.4.5 Canonicalizing a Single Compartment

By definition, all forms in a compartment are of scaled Type I i.e., the compartment is of the form $2^{i_1}\tau_1 \oplus 2^{i_2}\tau_2 \oplus \cdots$, where $\tau_1, \tau_2, \cdots \in \mathrm{sgn}^\times$ and $i_1, i_2, \cdots$ are positive integers.

Definition 4.17. Let $D = 2^{i_1}\tau_1 \oplus 2^{i_2}\tau_2 \oplus \cdots \oplus 2^{i_n}\tau_n$ be a single compartment, where $\tau_1, \cdots, \tau_n \in \mathrm{sgn}^\times$ and $i_1 \leq \cdots \leq i_n$ are positive integers such that any two consecutive ones differ by at most 1. Then, the canonical form of $D$ is $2^{i_1}\tau_1 \oplus \cdots \oplus 2^{i_n}\tau_n$, where $(\tau_1, \cdots, \tau_n)$ is lexicographically minimum possible option in the $2^*$-equivalence class of $D$. ♦

Lemma 4.18. Let $k \geq 3$ be an integer, $\tau \in \mathrm{sgn}^\times$ and $D^n = \tau_1 \oplus 2^{i_2}\tau_2 \oplus \cdots \oplus 2^{i_n}\tau_n$ be a diagonal form with $\tau_1, \cdots, \tau_n \in \mathrm{sgn}^\times$, and $i_2 \leq \cdots \leq i_n$. Then, $\tau$ is primitively representable in $D$ over $\mathbb{Z}/2^k\mathbb{Z}$, if it is primitively representable in $\tau_1 \oplus \cdots \oplus 2^{i_4}\tau_4$ over $\mathbb{Z}/2^k\mathbb{Z}$.

Proof. A primitive representation of $\tau$ exists iff a primitive representation exists modulo 8 (Theorem 4.5). Let $A = \tau_1 \oplus \cdots \oplus 2^{i_4}\tau_4$. We can make two simplifications to the form $D$: (i) we can only use Type I blocks for which 2-order is $\leq 2$, and (ii) there is no need to have more than 1 element of order 2 as we can add at most 4 modulo 8 to the result using any number of such elements. Item (ii) implies that if $2 \in \{i_2, i_3, i_4\}$ then we do not need to use $2^{i_5}\tau_5, \cdots, 2^{i_n}\tau_n$ i.e., the lemma is true in this case.

Thus, (i)+(ii) imply that the only possible values for the vector $(i_2, i_3, i_4)$ are $(0, 0, 0)$, $(0, 0, 1)$, $(0, 1, 1)$, and $(1, 1, 1)$. In all these cases, and for all possible values of $\tau_1, \cdots, \tau_4 \in \mathrm{sgn}^\times$, we verify by brute-force that 1 can be represented modulo 8. Let $x \in (\mathbb{Z}/2^k\mathbb{Z})^4$ be a primitive $2^k$-representation of 1 and $U \in \mathrm{GL}_4(\mathbb{Z}/2^k\mathbb{Z})$ be an extension of $x$ given by Lemma 2.6. By construction,


$(U'AU)_{11} \equiv 1 \bmod 2^k$. Using Theorem 3.3 we can find $V \in \mathrm{GL}_4(\mathbb{Z}/2^k\mathbb{Z})$ such that

$$V'U'AUV \equiv 1 \oplus X \bmod 2^k, \quad \text{where } X \text{ is in block diagonal form.}$$

If $X$ does not have a Type II block then we are done. Depending on the value of $(i_2, i_3, i_4)$ we proceed as follows.

(0, 0, 0). If a Type II form appears within $X$ then $X = T \oplus \tau$, where $T$ is a Type II block of 2-order 0. In this case, we can locally get rid of the Type II block using Lemma 4.13 as follows.

$$1 \oplus X \xrightarrow{2^k} 1 \oplus a \oplus b \oplus c \qquad (4.14)$$

(1, 1, 1). If a Type II form appears within $X$ then $X = 2T \oplus 2\tau$, where $T$ is a Type II block of 2-order 0. We locally get rid of the Type II block using Lemma 4.13 as in Equation 4.14.

(0, 1, 1). It is impossible for $X$ to contain a Type II form because then the 2-symbols of $A$ and $1 \oplus X$ will not be equivalent i.e., they cannot be transformed using sign walking and oddity fusion.

(0, 0, 1). The matrix $A$ is of the form $\tau_1 \oplus \tau_2 \oplus \tau_3 \oplus 2\tau_4$, in this case. If $\tau_1 + \tau_2 + \tau_3 \bmod 8 \notin \{3, 7\}$ then we apply the following transformation.

$$W = I_{2\times 2} \oplus \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}, \qquad (\tau_1 \oplus \tau_2 \oplus \tau_3 \oplus 2\tau_4) \xrightarrow{W,\,2^k} \tau_1 \oplus \tau_2 \oplus \begin{pmatrix} \tau_3 + 2\tau_4 & 2\tau_4 \\ 2\tau_4 & 2\tau_4 \end{pmatrix} \xrightarrow[2^k]{\text{Theorem 3.3}} \tau_1 \oplus \tau_2 \oplus (\tau_3 + 2\tau_4) \oplus 2\tau_5$$

But then, $\tau_1 + \tau_2 + \tau_3 + 2\tau_4 \equiv \tau_1 + \tau_2 + \tau_3 + 2 \bmod 4$. Thus, we may assume that the sum of the first three Type I entries of the input quadratic form $A$ is in the set $\{3, 7\}$ modulo 8 i.e., if $A = \tau_1 \oplus \tau_2 \oplus \tau_3 \oplus 2\tau_4$, then $\tau_1 + \tau_2 + \tau_3 \bmod 8 \in \{3, 7\}$. In this case, we exhaustively check that 1 can be represented primitively using only $\tau_1 \oplus \tau_2 \oplus \tau_3$. It also follows that the oddity of the leftover $2 \times 2$ matrix must be 2 or 6. But then, this matrix cannot be Type II.

Lemma 4.19. Let $D = 2^{i_1}\tau_1 \oplus \cdots \oplus 2^{i_n}\tau_n$ be a single compartment, where $\tau_1, \cdots, \tau_n \in \mathrm{sgn}^\times$ and $i_1 \leq \cdots \leq i_n$, $k$ are positive integers. Then, there is an algorithm that performs $O(nk^3)$ ring operations and finds $U \in \mathrm{GL}_n(\mathbb{Z}/2^k\mathbb{Z})$ that transforms $D$ into $\mathrm{can}_2(D)$ over $\mathbb{Z}/2^k\mathbb{Z}$.


Proof. We divide the proof in several cases, depending on the value of the dimension $n$.

n = 2. We exhaustively try to primitively represent the smallest integer of the form $2^{i_1}\tau$, where $\tau \in \mathrm{sgn}^\times$ using Theorem 3.10. Let $x \in (\mathbb{Z}/2^k\mathbb{Z})^2$ be a representation, $U \in \mathrm{GL}_2(\mathbb{Z}/2^k\mathbb{Z})$ be the corresponding extension and $V$ be the transformation given by the block diagonalization Theorem 3.3, then

$$V'U'AUV \equiv 2^{i_1}\tau \oplus 2^{i_2}\tau \bmod 2^k, \quad \text{where } \tau \text{ is odd.}$$

We now use Theorem 3.10 to transform $\tau$ locally to something from the set $\mathrm{sgn}^\times$ over $\mathbb{Z}/2^k\mathbb{Z}$. By construction, the resulting matrix is in its 2-canonical form.

n = 3. The sequence of transformations is as follows: (i) find the smallest primitively $2^k$-representable integer of the form $2^{i_1}\tau_1$ with $\tau_1 \in \mathrm{sgn}^\times$ by doing an exhaustive search for primitive representation of $\tau_1$ by $\tau_1 \oplus 2^{i_2 - i_1}\tau_2 \oplus 2^{i_3 - i_1}\tau_3$ over $\mathbb{Z}/8\mathbb{Z}$ (Theorem 4.5), (ii) find a primitive representation $x \in (\mathbb{Z}/2^k\mathbb{Z})^3$ using Theorem 3.10 and extend it to $U \in \mathrm{GL}_3(\mathbb{Z}/2^k\mathbb{Z})$ using Lemma 2.6, (iii) block diagonalize $U'DU$ using $V$ given by Theorem 3.3. Then,

$$V'U'DUV \equiv 2^{i_1}\tau_1 \oplus X, \quad \text{where } X \in (\mathbb{Z}/2^k\mathbb{Z})^{2\times 2}$$

The type of $X$ is II only when $i_1 = i_2 = i_3$ (Lemma 4.15). If this is the case, then we can apply Lemma 4.16 to canonicalize instead. Otherwise, $X$ is of Type I and we have reduced to the case of $n = 2$.

n ≥ 4. By Lemma 4.18, we can represent the smallest possible integer of the form $2^{i_1}\tau$, with $\tau \in \mathrm{sgn}^\times$. This way we reduce to one smaller dimension. Finally, we reduce to the case of dimension 3.

The number of ring operations follows from using Theorem 3.10 at most $O(n)$ times on diagonal matrices of dimensions at most 4.

4.4.6 Canonical Form, any dimension

We can now define the function $\mathrm{can}_2(Q^n)$. The uniqueness follows from Conway-Sloane [CS99], see Section 4.2.2.

Proof. (Theorem 4.11) We perform the following sequence of transformations over $\mathbb{Z}/2^k\mathbb{Z}$.

1. Block diagonalize the quadratic form.


2. For each type II block, transform it to $T^+$ or $T^-$ using Lemma 4.12.

3. For each 2-scale, apply the transformation in Lemma 4.13 to transform the matrix to a block diagonal form where all scales have either only type I matrices, or only type II matrices.

4. For each train, do a sign walk to move all minus signs to the front of the train (see Lemma 4.14). Also, from Lemma 4.14, the canonical form for each type II part has at most one $T^-$ i.e., it is either $2^i(T^-, T^+, \cdots, T^+)$ or $2^i(T^+, T^+, \cdots, T^+)$.

5. Transform each compartment to its corresponding canonical form (Definition 4.17) using Lemma 4.19.

The final transformation is the multiplication of all the local transformations which have been constructed above. The number of local transformations is bounded by $O(n)$. Thus, the algorithm performs at most $O(n^{1+\omega}\log k + nk^3)$ ring operations.


Chapter 5

Generating a Quadratic Form of a given Genus

Let $d$ be the determinant of a genus in dimension $n$. We present a randomized $\mathrm{poly}(n, \log d)$ algorithm that outputs an integral quadratic form in the genus with constant probability.

Hartung, in his thesis [Har08], claims to have a polynomial time randomized algorithm for generating a form of a given genus. His construction has several gaps, and is based on (a few) incorrect lemmas. It turns out that his algorithm is also not polynomial, as he claims, but has time complexity proportional to $O(n^n)$ (see Section 5.2.2).

Although we are interested in generating positive definite quadratic forms (or lattices), we solve the problem in its generalized form. More specifically, we generate quadratic forms in any genus, not only lattice genera.

Our lattice construction technique is inspired by Siegel's paper [Sie35], which gives a proof of the Smith-Minkowski-Siegel mass formula.

5.1 Preliminaries

In this section, we present several useful results taken from Conway-Sloane [CS99], Cassels [Cas78] and Hartung [Har08].

If $t$ has a primitive $p^*$-representation in $Q$ then, by Theorem 4.5, $t$ has a primitive $p^*$-representation in every quadratic form in the genus $\mathrm{Gen}(Q)$. Hence, the primitive representativeness of an integer $t$ by a quadratic form $Q$ only depends on the symbol $\mathrm{sym}(Q)$.

Definition 5.1. We say that an integer $t$ has a primitive representation in a genus $\Upsilon$ if $t$ has a primitive $p^*$-representation in $\Upsilon$ for all $p \in \{-1, 2\} \cup \mathbb{P}$. ♦

We need the following useful generalization of the function p-order.


Definition 5.2. Let $p \in \{2\} \cup \mathbb{P}$ be a prime, and $\Upsilon$ be a symbol with $\Upsilon_p = (p, i, n_i, \varepsilon_i, *, *)$, where $*$ is empty in case $p$ is odd. Then, $\mathrm{ord}_p(\Upsilon)$ is defined as $\arg\max_i \{i \in I_p(\Upsilon)\}$. ♦

5.1.1 Specification of the Input

This section describes the input to the algorithm which boils down to the question of a succinct representation of the genus.

One candidate is the set $\bigcup_{p \in \{-1, 2\} \cup \mathbb{P}} \Upsilon_p$, where $\Upsilon_p$ is a p-symbol (see Section 4.2). There are infinitely many odd primes and hence this description is too long. The following lemma helps us in giving a shorter description.

Lemma 5.3. Let $Q^n$ be a lattice with determinant $d$ and $p$ be an odd prime that does not divide $d$. Then, $Q \stackrel{p^*}{\sim} d \oplus I_{n-1}$.

Proof. Let $p$ be an odd prime that does not divide $d$ and $D = d_1 \oplus \cdots \oplus d_n$ be the diagonal matrix which is equivalent to $Q$ over $\mathbb{Z}/p\mathbb{Z}$. Then, $p$ does not divide $d_1 \cdots d_n$ and

$$\mathrm{sym}_p(Q) = \left(p, 0, n, \left(\frac{\det(D)}{p}\right)\right)$$

By Theorem 4.6, $D \stackrel{p^*}{\sim} Q$. It follows that there is a $U \in \mathrm{GL}_n(\mathbb{Z}/p\mathbb{Z})$ such that $D \equiv U'QU \bmod p$. But then, $\det(D) \equiv \det(Q)\det(U)^2 \bmod p$ and

$$\left(\frac{\mathrm{cpr}_p(\det(D))}{p}\right) = \left(\frac{\mathrm{cpr}_p(\det(Q)\det(U)^2)}{p}\right) = \left(\frac{\mathrm{cpr}_p(d)}{p}\right).$$

This implies that $d \oplus I_{n-1}$ has the same p-symbol as $Q$, completing the proof (Theorem 4.7).

Our input to the algorithm is the symbol of a genus, defined as follows.

Definition 5.4. Let $Q$ be an integral quadratic form from a given genus. Then, the symbol of the genus is defined as the set

$$\bigcup_{p \in \{-1\} \cup \{p \,\mid\, \mathrm{ord}_p(2\det(Q)) > 0\}} \mathrm{sym}_p(Q)$$

From Theorem 4.7, it follows that two quadratic forms are in the same genus if they are $2^*$-equivalent and have the same p-symbol for each $p \in \{-1\} \cup \mathbb{P}$.

The following theorem is a direct implication of [Theorem 9, CS99, page 379], [Theorem 10, CS99, page 381], and Theorem 4.6.


Theorem 5.5. Let $Q_1^n$ and $Q_2^n$ be two integral quadratic forms. Then, the following statements are equivalent.

(a) $Q_1 \in \mathrm{Gen}(Q_2)$,

(b) $\det(Q_1) = \det(Q_2)\,(= d)$, $Q_1 \stackrel{d}{\sim} Q_2$, and $Q_1 \stackrel{\mathbb{R}}{\sim} Q_2$,

(c) $Q_1 \stackrel{p^*}{\sim} Q_2$, $\forall\, p \in \{-1\} \cup \{p \mid \mathrm{ord}_p(2\det(Q_1Q_2)) > 0\}$.

Note that Theorem 5.5 implies that every quadratic form in a particular genus has the same determinant (for a proof see page 139, Lemma 4.1, [Cas78]). The determinant of a genus can be computed from its symbol.

The notation $\Upsilon^n$ will denote both a genus and the symbol of the genus, depending on the context. The notation $\Upsilon_p$ will denote the p-symbol of the genus $\Upsilon$. The set of relevant primes for the symbol $\Upsilon$ is denoted by $\mathbb{P}_\Upsilon = \{p \mid \mathrm{ord}_p(2\det(\Upsilon)) > 0\}$. If $\mathrm{sym}_p(Q)$ is the p-symbol of $Q$ then $I_p(Q)$ denotes the set of p-scales of $Q$. The size of the symbol of a genus $\Upsilon^n$ of determinant $d$ is $O(n|\mathbb{P}_\Upsilon| \log d)$.

We simplify the input description further by introducing the notion of reduced genus.

Definition 5.6. A genus $\Upsilon$ is reduced if for every relevant prime $p \in \mathbb{P}_\Upsilon$ the p-scale 0 appears in $I_p(\Upsilon)$. ♦

If $i_p = \min\{i \in I_p(\Upsilon)\}$ then $\Upsilon$ is $p^{i_p}$-equivalent to a matrix which is identically 0. Thus, if $D$ is a quadratic form with $D \stackrel{p^*}{\sim} \Upsilon$ then every entry of $D$ is divisible by $p^{i_p}$. Given a genus $\Upsilon$, we define the following quantity.

$$\gcd(\Upsilon) = \prod_{p \in \mathbb{P}_\Upsilon} p^{i_p} \quad \text{where } i_p = \min\{i \in I_p(\Upsilon)\} \qquad (5.1)$$

The reduced genus corresponding to the genus $\Upsilon$ can now be defined as follows.

$$\mathrm{red}(\Upsilon) = \left\{ \mathrm{sym}_p\!\left(\frac{D}{p^{\min\{i \in I_p(\Upsilon)\}}}\right) \;\middle|\; p \in \mathbb{P}_\Upsilon,\ D \stackrel{p^*}{\sim} \Upsilon_p \right\} \cup \mathrm{sym}_{-1}(\Upsilon) \qquad (5.2)$$

To find a quadratic form from a genus $\Upsilon$, it suffices to find a quadratic form in genus $\mathrm{red}(\Upsilon)$, the proof of which is as follows.

Lemma 5.7. Let $\Upsilon$ be a genus, and for each prime $p \in \mathbb{P}_\Upsilon$, $i_p$ be the integer $\min\{i \in I_p(\Upsilon)\}$. Then, $Q \in \mathrm{red}(\Upsilon)$ iff $\gcd(\Upsilon)Q \in \Upsilon$.

Proof. Let $p \in \mathbb{P}_\Upsilon$ be a prime. If $S$ is a quadratic form such that $\mathrm{sym}(S) = \Upsilon$ then every entry of $S$ is divisible by $p^{i_p}$. We define a quadratic form $Q$ as follows.

$$Q = \frac{S}{\prod_{p \in \mathbb{P}_\Upsilon} p^{i_p}}$$


By definition of $\mathrm{red}(\Upsilon)$, $\mathrm{sym}_p(Q) = \mathrm{sym}_p(\mathrm{red}(\Upsilon))$ for all $p \in \{-1\} \cup \mathbb{P}_\Upsilon$. Thus, $Q \in \mathrm{red}(\Upsilon)$.

Conversely, if $Q \in \mathrm{red}(\Upsilon)$ then $p^{i_p}Q$ has the same p-symbol as $\Upsilon_p$. Thus, $\left(\prod_{p \in \mathbb{P}_\Upsilon} p^{i_p}\right)Q$ has symbol $\Upsilon$.

The input to our algorithm will be a reduced genus.

5.1.2 The Oddity Formula

Recall the definitions of p-signature of a quadratic form $Q$ from Section 4.1.2. For each $p \in \{-1, 2\} \cup \mathbb{P}$, we define the p-excess of $Q$ as

$$\mathrm{exs}_p(Q) = \begin{cases} \mathrm{sig}_p(Q) - n & p \neq 2 \\ n - \mathrm{sig}_2(Q) & p = 2 \end{cases} \qquad (5.3)$$

Theorem 5.8. ([Cas78, page 76], [Jon50, Theorem 29]) Let $Q^n$ be an integral quadratic form. Then,

$$\sum_{p \in \{-1, 2\} \cup \mathbb{P}} \mathrm{exs}_p(Q) \equiv 0 \pmod 8 \quad \text{or equivalently,} \quad \mathrm{sig}(Q) + \sum_{p \in \mathbb{P}} \mathrm{exs}_p(Q) \equiv \mathrm{odt}(Q) \pmod 8. \qquad (5.4)$$

Equation 5.4 is also referred to as the oddity formula in the literature.

5.1.3 q-equivalent forms, q composite

Given a valid symbol $\Upsilon^n$, it is useful to construct a quadratic form $Q^n$ which is q-equivalent to $\Upsilon$ for a given positive integer $q$.

The following is a helper lemma which shows how to construct a quadratic form $Q$ such that $Q \stackrel{p^*}{\sim} \Upsilon$.

Lemma 5.9. There exists a randomized algorithm that takes a symbol $\Upsilon^n$ of determinant $d$, and a prime $p$ as input; performs $O(n + \log^3 p)$ ring operations over $\mathbb{Z}/p^{\mathrm{ord}_p(d) + k_p}\mathbb{Z}$; and outputs a block diagonal quadratic form $Q^n$ such that $Q \stackrel{p^*}{\sim} \Upsilon$.

Proof. There are three different constructions: for the prime 2, for relevant odd primes and for the odd primes that do not divide $\det(\Upsilon)$.

(1.) The first and simplest construction deals with odd primes $p$ that do not divide $\det(\Upsilon)$. By Lemma 5.3, $\Upsilon_p \stackrel{p^*}{\sim} \det(\Upsilon) \oplus I_{n-1}$. Hence, we set $Q = I_{n-1} \oplus \det(\Upsilon)$.

Table 5.1: Exhaustive List of Type I forms for n = 2

| Form | ε | odt |
|---|---|---|
| 1⊕7, 3⊕5 | + | 0 |
| 1⊕1, 5⊕5 | + | 2 |
| 3⊕3, 7⊕7 | + | 6 |
| 3⊕7 | − | 2 |
| 1⊕3, 5⊕7 | − | 4 |
| 1⊕5 | − | 6 |

(2.) The second type of primes are odd primes that divide det(Υ). Let $\Upsilon_p = \{(p, i, \varepsilon_i, n_i) \mid i \in I_p(\Upsilon)\}$. We use rejection sampling to find a quadratic non-residue modulo p, say $\tau_p$. Note that generating a random non-zero element from $\mathbb{Z}/p\mathbb{Z}$ yields a quadratic non-residue with probability 1/2. The matrix Q, in this case, is generated as follows.

\[ Q = \bigoplus_{i \in I_p(\Upsilon)} p^i D_i, \qquad D_i = \begin{cases} I_{n_i} & \text{if } \varepsilon_i = 1 \\ I_{n_i - 1} \oplus \tau_p & \text{otherwise} \end{cases} \tag{5.5} \]

(3.) The only remaining case is of the prime 2. Let $\Upsilon_2 = \{(2, i, \varepsilon_i, n_i, \mathrm{type}_i, \mathrm{odt}_i) \mid i \in I_2(\Upsilon)\}$. Then, the quadratic form Q is defined as $Q = \bigoplus_{i \in I_2(\Upsilon)} 2^i D_i^{n_i}$, where $D_i$ is defined as follows.

\[ D_i^{n_i} = \begin{cases} \underbrace{T^{+} \oplus \cdots \oplus T^{+}}_{n_i/2 - 1} \oplus\, T^{-} & \text{if } \varepsilon_i = -1,\ \mathrm{odt}_i = \mathrm{II} \\ \underbrace{T^{+} \oplus \cdots \oplus T^{+}}_{n_i/2} & \text{if } \varepsilon_i = 1,\ \mathrm{odt}_i = \mathrm{II} \\ I_{n_i - 3} \oplus D^{n=3} & \mathrm{odt}_i \in \{0, \cdots, 7\},\ n_i > 3 \end{cases} \tag{5.6} \]

If $n_i = 1$ then $D_i$ has to be equal to $\mathrm{odt}_i$. For $n_i = 2$, we exhaustively list all possible Type I forms in Table 5.1. We observe that two situations are not possible: ε = +, odt = 4 and ε = −, odt = 0. For $n_i = 3$, we list forms for all possible choices of ε and odt.

The D in Equation 5.6 is defined as follows. Suppose we are looking for a type I form in dimension $n_i > 3$ with $\mathrm{odt}_i \in \{0, \cdots, 7\}$ and Legendre-Jacobi symbol $\varepsilon_i$. In this case, we choose D as the form in Table 5.2 with $\mathrm{odt} = \mathrm{odt}_i - (n_i - 3) \bmod 8$ and $\varepsilon = \varepsilon_i$.

By construction $\mathrm{sym}_2(Q) = \Upsilon_2$.

The algorithm needs to generate a quadratic non-residue modulo p and hence performs $O(n + \log^3 p)$ ring operations.

Table 5.2: List of Type I forms for n = 3

| ε | odt | Form |
|---|---|---|
| + | 1 | 1⊕1⊕7 |
| + | 3 | 1⊕1⊕1 |
| + | 5 | 7⊕7⊕7 |
| + | 7 | 1⊕7⊕7 |
| − | 1 | 3⊕3⊕3 |
| − | 3 | 3⊕3⊕5 |
| − | 5 | 1⊕1⊕3 |
| − | 7 | 1⊕1⊕5 |

Theorem 5.10. Let $\Upsilon^n$ be a symbol and q be a composite integer. Then, there is a randomized poly(n, log q) algorithm that takes (Υ, q), along with a factorization of q as input; and produces a quadratic form Q such that $Q \overset{q}{\sim} \Upsilon$.

Proof. For each $p \in P_\Upsilon$, we use Lemma 5.9 to generate $Q_p$ such that $Q_p \overset{p^*}{\sim} \Upsilon$. We now solve the following system of congruences using the Chinese Remainder Theorem.

\[ Q \equiv Q_p \pmod{p^{\mathrm{ord}_p(q)}}, \qquad p \in P_q \]

By construction, $Q \overset{q}{\sim} \Upsilon$. The algorithm runs in time poly(n, log q).
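The odd-prime construction of Lemma 5.9 (Equation 5.5) and the Chinese Remainder step of Theorem 5.10 can be run end to end. The following is an added example, not code from the thesis: it is restricted to odd primes dividing the determinant, so every local form is diagonal; the tuple format (i, ε, n_i) for a p-symbol, the function names and the sample symbol are assumptions made for illustration.

```python
import random
from math import prod


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def sample_non_residue(p, rng):
    """Rejection sampling: a uniform non-zero residue is a non-residue with probability 1/2."""
    while True:
        tau = rng.randrange(1, p)
        if legendre(tau, p) == -1:
            return tau


def local_form(p, symbol, rng):
    """Diagonal of Q from Equation 5.5 for an odd prime p.

    symbol: list of Jordan constituents (i, eps, n_i), eps in {+1, -1}, n_i >= 1.
    Each block is p^i * I_{n_i} if eps = +1 and p^i * (I_{n_i - 1} + tau_p) otherwise.
    """
    diag, tau = [], None
    for i, eps, n_i in sorted(symbol):
        units = [1] * n_i
        if eps == -1:
            tau = tau or sample_non_residue(p, rng)
            units[-1] = tau
        diag += [p ** i * u for u in units]
    return diag


def crt_combine(local_diags, moduli):
    """Entrywise CRT: the diagonal Q with Q = Q_p (mod p^ord_p(q)) for every p."""
    q = prod(moduli)
    combined = []
    for entries in zip(*local_diags):
        x = 0
        for a, m in zip(entries, moduli):
            c = q // m
            x += a * c * pow(c, -1, m)  # c * c^{-1} is 1 mod m and 0 mod the other moduli
        combined.append(x % q)
    return combined, q


def p_symbol(diag, p):
    """Read the p-symbol (i, eps, n_i) back off a diagonal form, p odd."""
    blocks = {}
    for a in diag:
        if a == 0:
            raise ValueError("zero entry has no p-order")
        i = 0
        while a % p == 0:
            a //= p
            i += 1
        n_i, eps = blocks.get(i, (0, 1))
        blocks[i] = (n_i + 1, eps * legendre(a, p))
    return sorted((i, eps, n_i) for i, (n_i, eps) in blocks.items())


# Constructed sample input: a 3-dimensional symbol at the primes 3 and 5.
SYMBOLS = {3: [(0, 1, 2), (1, -1, 1)], 5: [(0, 1, 1), (1, -1, 2)]}
# Constructed q = 3^2 * 5^3, so that ord_p(q) exceeds ord_p(det) for both primes.
MODULI = {3: 3 ** 2, 5: 5 ** 3}


def build_q_equivalent_form(seed=2014):
    """Return (Q, q, local forms) for the constructed sample symbol."""
    rng = random.Random(seed)
    primes = sorted(SYMBOLS)
    local = {p: local_form(p, SYMBOLS[p], rng) for p in primes}
    Q, q = crt_combine([local[p] for p in primes], [MODULI[p] for p in primes])
    return Q, q, local
```

Reading the symbol back with `p_symbol` at each prime confirms that the combined form reproduces every local Jordan constituent, whichever non-residue the sampler happened to return.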

5.2 Existence of a Quadratic Form with a given Symbol

In this section, we answer the following question. Given a symbol $\Upsilon^n$, how does one verify that the genus corresponding to Υ is non-empty, i.e., that there exists a quadratic form $Q^n$ such that sym(Q) = Υ?

Note that $\Upsilon = \cup\, \Upsilon_p$, and det(Υ), as well as $\mathrm{sig}_p(\Upsilon)$, can be computed from Υ. We now define the following three conditions on the symbol Υ.

Determinant Condition. For every prime $p \in \{2\} \cup P$ such that $\Upsilon_p = \{(p, i, \varepsilon_i, n_i, *, *) \mid i \in I_p(\Upsilon)\}$, where ∗ is empty for odd primes;

\[ \left(\frac{\mathrm{cpr}_p(\det(\Upsilon))}{p}\right) = \prod_{i \in I_p(\Upsilon)} \varepsilon_i \tag{5.7} \]

Oddity Condition. The symbol Υ satisfies the oddity equation, i.e.,

\[ \mathrm{sig}(\Upsilon) + \sum_{p \in P} \mathrm{exs}_p(\Upsilon) \equiv \mathrm{odt}(\Upsilon) \bmod 8 \tag{5.8} \]

Jordan Condition. Let p be an odd prime and $\Upsilon_p = \{(p, i, \varepsilon_i, n_i) \mid i \in I_p(\Upsilon)\}$, then for each Jordan constituent $(p^i, \varepsilon_i, n_i)$, we must have

\[ \text{if } n_i = 0 \text{ or } p = -1 \text{ then } \varepsilon = + \tag{5.9} \]

For p = 2, let $\mathrm{sym}_2(Q) = \{(2, i, \varepsilon_i, n_i, \mathrm{type}_i, s_i) \mid i \in I_2(\Upsilon)\}$, then Υ satisfies the following conditions.

\[ \begin{aligned} &\text{for } n_i = 0: && \mathrm{type}_i = \mathrm{II} \text{ and } \varepsilon_i = + \\ &\text{for } n_i = 1: && \varepsilon_i = + \implies s_i \equiv \pm 1 \bmod 8, \qquad \varepsilon_i = - \implies s_i \equiv \pm 3 \bmod 8 \\ &\text{for } n_i = 2,\ \mathrm{type}_i = \mathrm{I}: && \varepsilon_i = + \implies s_i \equiv 0 \text{ or } \pm 2 \bmod 8, \qquad \varepsilon_i = - \implies s_i \equiv 4 \text{ or } \pm 2 \bmod 8 \end{aligned} \tag{5.10} \]

The set of conditions is taken from [CS99, page 382-383]. A symbol Υ which satisfies these three conditions will be called valid. In the rest of this section, we prove the following theorem.

Theorem 5.11. Let $\Upsilon^n$ be a valid symbol (i.e., one that satisfies the determinant, oddity and the Jordan conditions); then there exists an integral quadratic form Q such that sym(Q) = Υ.

This is a well known theorem [Theorem 11, CS99, page 383]. A proof can also be found in [O’M73]. Our algorithm not only shows the existence, but also generates a form in polynomial time.

5.2.1 Existence for a Valid Symbol

Proof. (Theorem 5.11) Let $\Upsilon^n$ be a valid input symbol. The following algorithm then generates an integral quadratic form Q.

GenSimple (input: $\Upsilon^n$) output: $Q^n \in \Upsilon$

1. If n = 1 then Q = det(Υ).

2. Let t be an integer that has a primitive representation in Υ. If Υ is valid then, by Theorem 5.17, such an integer always exists.

3. Let $q = t^{n-1} \det(\Upsilon)$. Find S such that $S \overset{q}{\sim} \Upsilon$.

4. Find a primitive q-representation x such that $x'Sx \equiv t \bmod q$.

5. Extend x by A so that $[x, A] \in \mathrm{GL}_n(\mathbb{Z}/q\mathbb{Z})$.

6. Compute the following quantities.

\[ d := x'SA \bmod q, \qquad H := (tA'SA - d'd) \bmod q \tag{5.11} \]

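7. Define the symbol $\Upsilon^{n-1}$ as follows.

\[ \Upsilon_p = \begin{cases} \mathrm{sig}(t)\,(\mathrm{sig}(\Upsilon) - \mathrm{sig}(t)) & \text{if } p = -1 \\ \mathrm{sym}_p(H) & \text{if } p \text{ divides } q \\ \mathrm{sym}_p(I_{n-2} \oplus t^{n-2}\det(\Upsilon)) & \text{otherwise} \end{cases} \tag{5.12} \]

8. Let H = GenSimple(Υ).

9. Find $U \in \mathrm{GL}_{n-1}(\mathbb{Z}/q\mathbb{Z})$ such that $H \equiv U'HU \bmod q$.

10. Output $Q = \begin{pmatrix} t & dU \\ (dU)' & \frac{H + U'd'dU}{t} \end{pmatrix}$, where the division in the lower right is (usual) rational division.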

Intuitive Description of the Algorithm. For simplicity, we assume that $\mathrm{sig}_{(-1)}(\Upsilon) = n$, i.e., the genus Υ is the genus of positive definite quadratic forms or Gram matrices of lattices.

In order to find a Gram matrix Q in the genus Υ, we start by finding a value t such that Q has the following form.

\[ Q = \begin{pmatrix} t & w \\ w' & Q \end{pmatrix} \tag{5.13} \]

It turns out that it suffices to find an integer t which has a primitive representation in the genus Υ. The next step is best explained by thinking in terms of lattices.

The Gram matrix Q equals $B'B$, where $B = [b_1, \cdots, b_n]$ is a basis of a lattice with Gram matrix Q. Because Q has the form given in Equation 5.13, $b_1'b_1 = t$. Consider now the (possibly non-integral) lattice one obtains by projecting $[b_1, \cdots, b_n]$ onto the subspace orthogonal to $b_1$. It is possible to show that the Gram matrix of this lattice in (n − 1)-dimensions is given by $Q - \frac{w'w}{t}$.

The matrix Q, and the matrix $w'w$ are integral. Thus, $tQ - w'w$ is a Gram matrix of an integral lattice. To find Q, we therefore (a) find the symbol of the lattice $tQ - w'w$ and recursively find a corresponding lattice, and (b) find w. To solve (a), the algorithm above constructs a locally equivalent quadratic form S, then finds a representation x of t into S, and transforms S with a transformation $[x, A] \in \mathrm{GL}_n(\mathbb{Z}/q\mathbb{Z})$ which maps t into the top left

\[ [x, A]'S[x, A] = \begin{pmatrix} t & d \\ d' & A'SA \end{pmatrix} \bmod q \tag{5.14} \]

To solve (b), it is possible to show that one can recover w from the vector d.

Finally, one can show that because of the way we chose q in the algorithm, the expression $\frac{H + U'd'dU}{t}$ in the construction of Q is actually integral.

Proof of Correctness. We prove several claims regarding the matrices constructed during the algorithm given in Section 5.2.1.

Claim 5.12. The determinant of the genus Υ is $t^{n-2} \det(\Upsilon)$. Also, $t^{n-2} \det(\Upsilon)$ divides det(H).

Proof. Recall that S is a quadratic form which is equivalent to Υ over $\mathbb{Z}/q\mathbb{Z}$. Let d be the row vector and H be the matrix defined in Equation 5.11. Note that all entries of these matrices, i.e., d and H, are integers. Define the matrix $M = \begin{pmatrix} t & d \\ d' & (H + d'd)/t \end{pmatrix}$. By definition, $H + d'd \equiv tA'SA \bmod q$. The integer t divides q. But then, each entry in the matrix $H + d'd$ is divisible by t, i.e., $(H + d'd)/t$ is a matrix over integers. Thus, M is a matrix over integers and the following equality implies that $\det(M) = \det(H)/t^{n-2}$.

\[ M = \begin{pmatrix} t & d \\ d' & (H + d'd)/t \end{pmatrix} = \begin{pmatrix} 1 & d/t \\ 0 & I \end{pmatrix}' \begin{pmatrix} t & 0 \\ 0 & H/t \end{pmatrix} \begin{pmatrix} 1 & d/t \\ 0 & I \end{pmatrix} \tag{5.15} \]

From Equation 5.11, it follows that $(H + d'd)/t \equiv A'SA \bmod q/t$. By definition, $M \equiv (x\ A)'S(x\ A) \bmod q/t$. Hence,

\[ \begin{aligned} \det((x\ A)'S(x\ A)) &\equiv \det(M) \bmod q/t = \frac{\det(H)}{t^{n-2}} \bmod q/t \\ t^{n-2} \det(S) \det(x\ A)^2 &\equiv \det(H) \bmod q\,t^{n-3} \end{aligned} \tag{5.16} \]

Let p be a prime divisor of q. Recall $(x\ A) \in \mathrm{GL}_n(\mathbb{Z}/q\mathbb{Z})$. But then, p does not divide $\det(x\ A)$. From the fact that S is equivalent to Υ over $\mathbb{Z}/q\mathbb{Z}$, it follows that $\mathrm{ord}_p(\det(S)) = \mathrm{ord}_p(\det(\Upsilon))$. By definition of q, it follows that $\mathrm{ord}_p(q) > \mathrm{ord}_p(\det(\Upsilon)t^{n-1})$. But then,

\[ \mathrm{ord}_p(t^{n-2} \det(S) \det(x\ A)^2) = \mathrm{ord}_p(t^{n-2}) + \mathrm{ord}_p(\det(S)) = \mathrm{ord}_p(t^{n-2}) + \mathrm{ord}_p(\det(\Upsilon)) < \mathrm{ord}_p(q) \tag{5.17} \]

From Equation 5.16 and Equation 5.17, we conclude that for all primes p that divide q, $\mathrm{ord}_p(\det(H)) = \mathrm{ord}_p(t^{n-2} \det(S)) = \mathrm{ord}_p(t^{n-2} \det(\Upsilon))$.

It also follows from the definition of the symbol that $\mathrm{ord}_p(\det(\Upsilon)) = \mathrm{ord}_p(\det(H))$ for all relevant primes of symbol Υ. But we showed that $\mathrm{ord}_p(\det(H)) = \mathrm{ord}_p(t^{n-2} \det(\Upsilon))$ for every relevant prime p of Υ. Thus, $\det(\Upsilon) = t^{n-2} \det(\Upsilon)$.

We now show that Υ defined in Equation 5.12 is a valid symbol.

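Theorem 5.13. Let $\Upsilon^{n>1}$ be a valid symbol, t be a primitively representable integer in Υ, $q = t^{n-1} \det(\Upsilon)$, $S^n$ be an integral quadratic form with $S \overset{q}{\sim} \Upsilon$, $x \in (\mathbb{Z}/q\mathbb{Z})^n$ be a primitive vector with $x'Sx \equiv t \bmod q$, A be such that $[x, A] \in \mathrm{GL}_n(\mathbb{Z}/q\mathbb{Z})$, $d := x'SA \bmod q$, $H^{n-1} := (tA'SA - d'd) \bmod q$ and Υ be as defined in Equation 5.12; then Υ is a valid symbol.

Proof. We divide the proof in three items, one for each condition.

(i). (Oddity Condition) Consider the matrix M over integers (note that t divides both q and $H + d'd$ and so $(H + d'd)/t$ is integral).

\[ M = \begin{pmatrix} t & d \\ d' & (H + d'd)/t \end{pmatrix} = \begin{pmatrix} 1 & d/t \\ 0 & I \end{pmatrix}' \begin{pmatrix} t & 0 \\ 0 & H/t \end{pmatrix} \begin{pmatrix} 1 & d/t \\ 0 & I \end{pmatrix} \]

The matrix $V = \begin{pmatrix} 1 & d/t \\ 0 & I \end{pmatrix}$ is over rationals and has determinant 1. Thus, M is equivalent to diag(t, H/t) over rationals. By construction, $M \overset{q}{\sim} S \overset{q}{\sim} \Upsilon$. From [Theorem 3, CS99, page 372], it follows that for all primes p that divide q,

\[ \mathrm{exs}_p(\Upsilon) = \mathrm{exs}_p(M) = \mathrm{exs}_p(t \oplus H/t) = \mathrm{exs}_p(t) + \mathrm{exs}_p(H/t) \tag{5.18} \]

By the hypothesis of the theorem, the oddity condition holds for the symbol Υ. And so,

\[ \begin{aligned} 0 &\equiv \sum_{p \in P_q \cup \{-1\}} \mathrm{exs}_p(\Upsilon) \equiv \mathrm{sig}(\Upsilon) - n + \sum_{p \mid q} \left(\mathrm{exs}_p(t) + \mathrm{exs}_p(H/t)\right) \\ &\equiv \mathrm{sig}(\Upsilon) - (n-1) - \mathrm{sig}(t) + (\mathrm{sig}(t) - 1) + \sum_{p \mid q} \left(\mathrm{exs}_p(t) + \mathrm{exs}_p(H/t)\right) \\ &\equiv \mathrm{sig}(t)(1 + \mathrm{sig}(\Upsilon)) - (n-1) - \mathrm{sig}(t) + \sum_{p \mid q} \mathrm{exs}_p(H/t) \\ &\equiv \mathrm{sig}(t)\,\mathrm{sig}(\Upsilon) - (n-1) + \sum_{p \mid q} \mathrm{exs}_p(tH) \\ &\equiv \mathrm{sig}(t)\,\mathrm{sig}(\Upsilon) - (n-1) + \sum_{p \mid q} \mathrm{exs}_p(t\Upsilon) \pmod 8 \end{aligned} \]

From [Theorem 5, CS99, page 372], it follows that there exists a (rational) quadratic form X which is equivalent to Υ over rationals. This also implies that Υ satisfies the oddity condition (Theorem 5.8).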

(ii). (Determinant Condition) By definition, $H \overset{q}{\sim} \Upsilon$. By item (i), X is equivalent to Υ over rationals. Thus, $\frac{\det(H)}{\det(\Upsilon)}$ is a rational square modulo q ([Theorem 3, CS99, page 372]). From Claim 5.12, there exists an integer x such that

\[ \det(H) \equiv t^{n-2} \det(\Upsilon) x^2 \pmod q \tag{5.19} \]

But then, for all primes p that divide q,

\[ \prod_{i \in I_p(\Upsilon)} \varepsilon_i = \left(\frac{\mathrm{cpr}_p(\det(H))}{p}\right) = \left(\frac{\mathrm{cpr}_p(\det(\Upsilon)x^2)}{p}\right) = \left(\frac{\mathrm{cpr}_p(\det(\Upsilon))}{p}\right) \]

This equality shows that the determinant condition holds for all primes p that divide q. For all other primes, the determinant condition holds by construction.

(iii). (Jordan Condition) The Jordan constituents of H are the same as the Jordan constituents of Υ for all relevant primes of det(Υ). This is because for all relevant primes p of Υ, $\Upsilon_p = \mathrm{sym}_p(H)$. The quadratic form H is integral and so its Jordan constituents exist, proving that the Jordan Condition is satisfied for Υ.

Claim 5.14. The matrix Q is an integral quadratic form with determinant det(Υ) and signature sig(Υ).

Proof. The matrix Q is symmetric by construction. By Claim 5.12, the determinant of H equals $t^{n-2} \det(\Upsilon)$. Thus, the following equality implies that the determinant of Q equals det(Υ).

\[ Q = \begin{pmatrix} t & dU \\ U'd' & \frac{H + U'd'dU}{t} \end{pmatrix} = \begin{pmatrix} 1 & \frac{dU}{t} \\ 0 & I \end{pmatrix}' \begin{pmatrix} t & 0 \\ 0 & \frac{H}{t} \end{pmatrix} \begin{pmatrix} 1 & \frac{dU}{t} \\ 0 & I \end{pmatrix} \tag{5.20} \]

Let H be the integral quadratic form with symbol Υ, $H := tA'SA - d'd \bmod q$, and U be such that $U'HU \equiv H \bmod q$. Then,

\[ \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix}' (x\ A)'S(x\ A) \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix} \bmod q = \begin{pmatrix} t & dU \\ (dU)' & U'A'SAU \end{pmatrix} \bmod q \tag{5.21} \]

\[ tU'A'SAU - U'd'dU \equiv U'HU \equiv H \bmod q \tag{5.22} \]

The integer t divides q. By Equation 5.22, $H + U'd'dU \equiv 0 \bmod t$. But then, t divides every entry of the matrix $H + U'd'dU$ and so Q is an integral matrix.

Finally, by Equation 5.20, $Q \overset{\mathbb{R}}{\sim} t \oplus \frac{H}{t}$. Hence,

\[ \mathrm{sig}(Q) = \mathrm{sig}(t) + \mathrm{sig}(H)\,\mathrm{sig}(t) = \mathrm{sig}(t) + \mathrm{sig}(\Upsilon)\,\mathrm{sig}(t) \overset{(5.12)}{=} \mathrm{sig}(\Upsilon) \]

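The proof of Theorem 5.11 now proceeds as follows.

(i). If the symbol Υ is valid, then there exists an integer t, which has a primitive representation in Υ (see Theorem 5.16).

(ii). If $\Upsilon^n$ satisfies the determinant, oddity and the Jordan conditions, i.e., Equations (5.7)-(5.10), then so does Υ (Theorem 5.13).

(iii). The symbol Υ is well defined and has a short description. In particular, by Claim 5.12, $\det(\Upsilon) = t^{n-2} \det(\Upsilon)$ and Υ can equivalently be written as follows.

\[ \Upsilon = \left( \cup_{p \in P_q} \mathrm{sym}_p(H) \right) \cup \{\mathrm{sig}(t)(\mathrm{sig}(\Upsilon) - \mathrm{sig}(t))\} \tag{5.23} \]

(iv). The output matrix Q has determinant det(Υ). It also has the same signature as sig(Υ). Thus, $Q \overset{\mathbb{R}}{\sim} \Upsilon$.

(v). If n = 1 then det(Υ) is the unique matrix with determinant equal to the determinant of the symbol Υ. This follows from the Determinant Condition.

(vi). If n > 1 then, it remains to show that for every relevant prime of Υ, $\mathrm{sym}_p(Q) = \Upsilon_p$. Consider the following sequence of congruences.

\[ \begin{aligned} tQ = \begin{pmatrix} t^2 & t\,dU \\ t(dU)' & H + U'd'dU \end{pmatrix} &\equiv \begin{pmatrix} t^2 & t\,dU \\ t(dU)' & U'HU + U'd'dU \end{pmatrix} \bmod q \\ &\equiv \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix}' \begin{pmatrix} t^2 & td \\ td' & H + d'd \end{pmatrix} \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix} \bmod q \\ &\overset{(5.11)}{\equiv} \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix}' \begin{pmatrix} t^2 & td \\ td' & tA'SA \end{pmatrix} \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix} \bmod q \\ &\overset{(5.11)}{\equiv} \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix}' \begin{pmatrix} tx'Sx & tx'SA \\ tA'Sx & tA'SA \end{pmatrix} \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix} \bmod q \\ &\equiv \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix}' (x\ A)'\,tS\,(x\ A) \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix} \bmod q \\ Q &\equiv \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix}' (x\ A)'S(x\ A) \begin{pmatrix} 1 & 0 \\ 0 & U \end{pmatrix} \bmod q/t \end{aligned} \]

Recall, $U \in \mathrm{GL}_{n-1}(\mathbb{Z}/q\mathbb{Z})$ and $(x\ A) \in \mathrm{GL}_n(\mathbb{Z}/q\mathbb{Z})$. This implies that $U = [x, A](1 \oplus U) \in \mathrm{GL}_n(\mathbb{Z}/q\mathbb{Z})$. But then, $U \in \mathrm{GL}_n(\mathbb{Z}/\tfrac{q}{t}\mathbb{Z})$ and $Q \overset{q/t}{\sim} S$.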

Note that for every prime p that divides 2 det(Υ) the following holds because $\mathrm{ord}_p(q/t) > \mathrm{ord}_p(\det(Q)) + k_p$.

\[ \mathrm{ord}_p(\det(\Upsilon)) = \mathrm{ord}_p(\det(Q)) = \mathrm{ord}_p(\det(S)) \]

Thus, by definition of $p^*$-equivalence one concludes that for every p that divides 2 det(Υ), $Q \overset{p^*}{\sim} S$; completing the proof of Theorem 5.11.

5.2.2 Comparisons to Hartung’s Algorithm.

Our construction in Section 5.2.1 is similar to the algorithm given by Hartung [Har08]. This algorithm, as we will show, is not polynomial but $O(n^n)$. There are other severe problems with Hartung’s work: (i) several lemmas are incorrect because of insufficient care while handling prime 2, and (ii) the construction of t, in case of dimension 2, is short but unfortunately incorrect. This construction takes us several pages (page 91-102). A detailed discussion of the comparison follows.

The first non-trivial step is to construct an integer t which is primitively representable in the genus Υ. Hartung constructs a t such that t = ℘s, where s divides det(Υ) and ℘ is a prime which does not divide det(Υ). This construction seems correct when n ≥ 3 but incorrect for n = 2. One of the reasons is the treatment of the prime 2, which is not thorough. The prime 2 has been known to create problems, if not handled correctly [Pal65, Min10, Wat76].

For example, Lemma 3.3.1 [Har08] is incorrect for p = 2 because it is not possible to divide by 2 over the ring $\mathbb{Z}/2^k\mathbb{Z}$ at the end of the proof. This leads to an easy counter example for Lemma 3.3.2, which claims that a quadratic form $Q^{n \geq 3}$ with $\det(Q) \in (\mathbb{Z}/p\mathbb{Z})^\times$ represents every integer t primitively over $\mathbb{Z}/p^k\mathbb{Z}$ for all positive integers k. A counter example is ($Q = x^2 + y^2 + z^2$, p = 2, k = 3, t = 7). By exhaustive search, it can be verified that $x^2 + y^2 + z^2$ does not represent 7 modulo 8. This mistake becomes more severe in the construction of t for $\Upsilon^{n=2}$. The construction in this case is highly non-trivial and needs a separate treatment (page 91-102).

The construction of t for $\Upsilon^{n \geq 3}$ seems to be correct [Har08]. Our construction, though, gives smaller t. Hartung needs a prime ℘ which does not divide the determinant, each time he needs to find a primitively representable integer t. In contrast, we need such a prime only once. Note that the construction of such a prime ℘ takes polynomial time if ERH holds.

The most serious issue is that the algorithm by Hartung is not polynomial time. He argues that each step in the algorithm is polynomial and because each recursive step reduces the dimension by 1, overall the algorithm is polynomial. This is not true because after finding t and reducing to one less dimension to a symbol $\Upsilon^{n-1}$, $\det(\Upsilon) = t^{n-2} \det(\Upsilon)$ (see Claim 5.12). The upper bound on t is det(Υ) and so det(Υ) can be as large as $\det(\Upsilon)^{n-1}$; leading to a blowup $\sim \det(\Upsilon)^{n^n}$ if used n times recursively. As it is, the time complexity of Hartung’s algorithm is proportional to $O(n^n)$. In contrast, our construction represents t in a specific way and uses the property of this representation to show that the determinant blows up by $2^{n^2}$ at most; resulting in a polynomial time algorithm (see Section 5.4).

5.3 Primitive Representation in a Genus

An important step in the algorithm of Section 5.2.1 is to find an integer t which has a primitive representation in the genus Υ.

Recall Definition 5.1. The following lemma shows that if n ≥ 2 then t has a primitive $p^*$-representation in Υ for all primes p such that p does not divide 2 det(Υ). A proof of this lemma can already be found in Siegel [Sie35], although in a different setting.

Lemma 5.15. Let $\Upsilon^{n \geq 2}$ be a valid genus, t be an integer and p be an odd prime which does not divide t det(Υ). Then, t has a primitive $p^*$-representation in Υ.

Proof. Let p be an odd prime which does not divide t det(Υ). Then, by Lemma 5.3, $\Upsilon \overset{p^*}{\sim} \mathrm{diag}(\det(\Upsilon), 1, \cdots, 1)$. It suffices to show that t has a primitive representation in diag(det(Υ), 1) over $\mathbb{Z}/p\mathbb{Z}$ (Theorem 4.5).

By assumption, det(Υ) and 1 are invertible modulo p. If $\left(\frac{t}{p}\right)$ is the same as the Legendre symbol of det(Υ) or 1 (say, det(Υ)) then $x^2 \equiv t \det(\Upsilon)^{-1} \pmod p$ has a non-trivial solution. Otherwise, det(Υ) and 1 have the same Legendre symbol, different from t. But then the result follows from Lemma 2.2.

Theorem 5.16. Let $\Upsilon^{n \geq 2}$ be a valid genus and Q ∈ Υ. A positive integer t has a primitive representation in Υ if t has a primitive $p^{K_p}$-representation in Q for all p that divide 2t det(Υ), where $K_p = \max\{\mathrm{ord}_p(Q), \mathrm{ord}_p(t)\} + k_p$.

Proof. Follows from Theorem 4.5, Lemma 5.15 and the definition of primitive representations in a genus.

This simplifies our problem in the algorithmic sense. To find an integer t which has a primitive representation in the genus $\Upsilon^{n \geq 2}$, we only need to check all primes p that divide 2t det(Υ) and only over the ring $\mathbb{Z}/p^{K_p}\mathbb{Z}$ for $K_p = \max\{\mathrm{ord}_p(\Upsilon), \mathrm{ord}_p(t)\} + k_p$.

For n > 3, it is comparatively easy to find a t; in fact, it is possible to find a t which divides det(Υ). But for dimensions n = 3 and n = 2, the proof deteriorates to case analyses, especially for dimension 2. The proofs are constructive in the sense that it is also possible to find a representation x such that $x'Sx \equiv t \bmod q$ in time poly(n, log det(Υ)).

In this section, we prove the following theorem.

Theorem 5.17. Let $\Upsilon^{n \geq 2}$ be a valid reduced genus. Then, there exists a randomized algorithm that takes Υ as input; runs in time $\mathrm{poly}(|P_\Upsilon|, \log \det(\Upsilon))$ and outputs an integer t which has a primitive representation in the genus Υ.

Note that the run time of the algorithm does not depend on n. This is because for n = 4, we can already find a nice t which divides det(Υ) and we ignore the later dimensions. When we want to find an x such that $x'Sx \equiv t \bmod q$ then we use the same trick and only represent t using at most a 4 × 4 sub-form of S (see Section 5.2.1).

But before starting the construction of t, we prove two lemmas which are going to be useful.

Lemma 5.18. Let t be an odd integer, and $2^{i_1}\tau_1 \oplus \cdots \oplus 2^{i_4}\tau_4$ be an integral quadratic form with $\tau_1, \cdots, \tau_4$ odd and $i_1 \leq \cdots \leq i_4$. Then, $2^{i_4}t$ has a $2^*$-primitive representation in D. Additionally, for every positive integer k there exists a primitive $2^k$-representation $(x_1, \cdots, x_4)$ such that $\mathrm{ord}_2(x_4) = 0$ and $\mathrm{ord}_2(2^{i_j}\tau_j x_i^2) \geq i_4$, for all j ∈ [4].

Proof. Let $k = i_4 + 3$, then it suffices to show that the following has a primitive solution (see Theorem 4.5).

\[ 2^{i_1}\tau_1 x_1^2 + \cdots + 2^{i_4}\tau_4 x_4^2 \equiv 2^{i_4}t \pmod{2^{i_4+4}} \tag{5.24} \]

We find a primitive solution where $x_4$ is odd. For j ∈ [3], we set $x_j = 2^{\lceil \frac{i_4 - i_j}{2} \rceil} y_j$ and divide the entire Equation 5.24 by $2^{i_4}$. The equation then reduces to the following.

\[ \sum_{j \in [3]} 2^{(i_4 - i_j) \bmod 2}\,\tau_j y_j^2 + \tau_4 x_4^2 \equiv t \pmod{16} \tag{5.25} \]

An exhaustive search shows that for each possible choice of odd t in $\mathbb{Z}/16\mathbb{Z}$, $\tau_1, \cdots, \tau_4 \in \{1, 3, 5, 7\}$ and $i_4 - i_j \pmod 2$, Equation 5.25 always has a solution, where $x_4$ is odd.
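Both exhaustive searches mentioned in this chapter are small enough to run directly: the counterexample to Lemma 3.3.2 of [Har08] from Section 5.2.2 and the search behind Equation 5.25 in the proof of Lemma 5.18. The following is an added example, not code from the thesis; the function names are hypothetical.

```python
from itertools import product


def primitive_values(coeffs, modulus):
    """Residues t modulo a power of 2 for which sum(c_j * x_j^2) = t has a
    primitive solution, i.e., one with at least one x_j odd."""
    values = set()
    for x in product(range(modulus), repeat=len(coeffs)):
        if any(v % 2 for v in x):
            values.add(sum(c * v * v for c, v in zip(coeffs, x)) % modulus)
    return values


def solve_reduced_equation(t, taus, parities):
    """Search Equation 5.25 for (y1, y2, y3, x4) with x4 odd.

    taus = (tau_1, ..., tau_4), parities[j] = (i_4 - i_j) mod 2 for j = 1, 2, 3.
    The squares modulo 16 are 0, 1, 4, 9 (the squares of 0, 1, 2, 3) and the odd
    squares are 1 and 9 (the squares of 1 and 3), so trying only these
    representatives is still an exhaustive search over Z/16Z.
    Returns a witness tuple, or None if no solution exists.
    """
    for ys in product((0, 1, 2, 3), repeat=3):
        partial = sum((2 ** e) * tau * y * y
                      for e, tau, y in zip(parities, taus[:3], ys))
        for x4 in (1, 3):
            if (partial + taus[3] * x4 * x4 - t) % 16 == 0:
                return ys + (x4,)
    return None


def unsolved_cases():
    """All (t, taus, parities) for which Equation 5.25 has no solution with x4 odd."""
    failures = []
    for t in range(1, 16, 2):                          # odd t in Z/16Z
        for taus in product((1, 3, 5, 7), repeat=4):   # tau_1, ..., tau_4
            for parities in product((0, 1), repeat=3):
                if solve_reduced_equation(t, taus, parities) is None:
                    failures.append((t, taus, parities))
    return failures


def three_squares_counterexample():
    """True if x^2 + y^2 + z^2 fails to represent 7 primitively modulo 8."""
    return 7 not in primitive_values((1, 1, 1), 8)
```

Three odd-unit squares miss 7 modulo 8, while the four-term form of Equation 5.25 reaches every odd t modulo 16 with $x_4$ odd, which is why Lemma 5.18 works with four diagonal entries.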

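Lemma 5.19. Let p be an odd prime, $D = \tau_1 \oplus p^i \tau_2$, where $\tau_1, \tau_2 \in (\mathbb{Z}/p\mathbb{Z})^\times$, i even and $t \in (\mathbb{Z}/p\mathbb{Z})^\times$ such that $\left(\frac{t}{p}\right) \neq \left(\frac{\tau_1}{p}\right)$. Then, $p^i t$ has a $p^*$-primitive representation in D.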

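Proof. If $\left(\frac{t}{p}\right) = \left(\frac{\tau_2}{p}\right)$, then $p^i t$ has the same symbol as $p^i \tau_1$ and then $p^i t$ has a primitive $p^*$-representation in $p^i \tau_2$. Otherwise, from the statement of the lemma, $\left(\frac{t}{p}\right) \neq \left(\frac{\tau_1}{p}\right) = \left(\frac{\tau_2}{p}\right)$.

In this case, t can always be written as $t \equiv \tau_1 y_1^2 + \tau_2 y_2^2 \pmod p$, where both $y_1$ and $y_2$ are units of $\mathbb{Z}/p\mathbb{Z}$. But then,

\[ \begin{aligned} p^i t &\equiv p^i \tau_1 y_1^2 + p^i \tau_2 y_2^2 \pmod{p^{i+1}} \\ &\equiv \tau_1 (p^{i/2} y_1)^2 + p^i \tau_2 y_2^2 \pmod{p^{i+1}}. \end{aligned} \]

It follows that $p^i t$ has a primitive representation by $\tau_1 \oplus p^i \tau_2$ over $\mathbb{Z}/p^{i+1}\mathbb{Z}$. By Theorem 4.5, $p^i t$ has a $p^*$-primitive representation in D.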

5.3.1 Representation: n > 3

As mentioned earlier, we construct an integer t such that t divides det(Υ) and t has a primitive representation in the input genus Υ. It turns out that when n > 3 we do not need to use the fact that the input symbol Υ is reduced.

Lemma 5.20. Let $\Upsilon^{n>3}$ be a genus. Then, there exists an integer t such that t divides det(Υ) and t has a primitive representation in the genus Υ.

Proof. Let us suppose that p is an odd prime that divides det(Υ). In this case, we construct a diagonal form using Lemma 5.9 as follows.

\[ \Upsilon_p \overset{p^*}{\sim} p^{i_1}\tau_1 \oplus p^{i_2}\tau_2 \oplus \cdots, \qquad \tau_1, \tau_2, \cdots \in (\mathbb{Z}/p\mathbb{Z})^\times,\ i_1 \leq i_2 \leq \cdots \tag{5.26} \]

An integer can be equivalently written as $\prod_{p \in \{-1,2\} \cup P} p^{e_p}$, where $e_p$ is the p-order of the integer. The construction of the integer t is as follows.

(i). For every odd prime that does not divide det(Υ), $e_p$ is identically 0. Also, if sig(Υ) > −n, then we set $e_{-1} = 0$. Otherwise, $e_{-1} = 1$.

(ii). For every odd prime p that divides det(Υ), our first step is to compute the value of $e_p \bmod 2$. Consider a prime p that divides det(Υ). Consider the quadratic form constructed in Equation 5.26 for the prime p. Then,

\[ e_p \bmod 2 := \mathrm{maj}(i_1 \bmod 2,\ i_2 \bmod 2,\ i_3 \bmod 2) \tag{5.27} \]

(iii). Next we compute $e_2$. If $\Upsilon_2$ has a type II block of 2-order ℓ, then we set $\mathrm{ord}_2(t) = \ell + 1$. Otherwise, $\Upsilon_2$ has only Type I blocks. Thus, Υ is 2-equivalent to a diagonal matrix $2^{j_1}\tau_1 \oplus \cdots$, where $\tau_1, \cdots$ are odd and $j_1 \leq j_2 \leq \cdots$. The values of $j_1, \cdots, j_4$ can be read off the symbol $\Upsilon_2$ as the four smallest possible 2-orders in $\Upsilon_2$. We set $e_2 = j_4$.

(iv). Once the parity of all $p \in \{-1, 2\} \cup P$ is known (see item (i)-(iii)), we define an integer r as follows.

\[ r = \prod_{p \in \{-1,2\} \cup P} p^{e_p \bmod 2} \tag{5.28} \]

(v). Finally, we compute $e_p$ for all odd primes p which divide det(Υ). Consider the diagonal form constructed in Equation 5.26 for the prime p. Out of $(i_1, i_2)$, $(i_2, i_3)$, and $(i_1, i_3)$; let $(i_a, i_b)$, $a < b \in \{1, 2, 3\}$ be the pair with the same parity. Then,

\[ e_p = \begin{cases} i_a & \text{if } \left(\frac{\mathrm{cpr}_p(r)}{p}\right) = \left(\frac{\tau_a}{p}\right), \\ i_b & \text{otherwise} \end{cases} \tag{5.29} \]

(vi). We now have $e_p$ for every $p \in \{-1, 2\} \cup P$. We define our integer t as follows.

\[ t = \prod_{p \in \{-1,2\} \cup P} p^{e_p} \tag{5.30} \]

The next step is to show that t has a primitive representation in the genus Υ, or equivalently, t has a $p^*$-primitive representation in Υ for all $p \in \{-1, 2\} \cup P$.

(i). (p = −1) By construction, t is negative iff sig(Υ) = −n. In this case Υ is a genus of negative definite matrices and hence must represent every negative integer over $\mathbb{R}$. Otherwise, t is a positive integer and Υ is a genus of non-negative definite matrices, i.e., $\Upsilon \overset{\mathbb{R}}{\sim} 1 \oplus \cdots$. Hence, Υ must represent all positive integers over $\mathbb{R}$. In either case, the constructed t has a primitive representation in Υ over $\mathbb{R}$.

(ii). (p odd, p does not divide det(Υ)) In this case, p does not divide t. Hence, t has a $p^*$-primitive representation in Υ (Lemma 5.15).

(iii). (p = 2) If $\Upsilon_2$ has a Type II block then $\mathrm{ord}_2(t) = \ell + 1$, where ℓ is the 2-order of one of the Type II blocks. Then, the Type II block represents every integer of 2-order ℓ + 1 (by Lemma 3.19). The existence of a $2^*$-primitive representation now follows from Lemma 5.15. Otherwise, there are only Type I blocks in $\Upsilon_2$ and the existence of a $2^*$-primitive representation follows from Lemma 5.18 and Theorem 4.5.

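(iv). (p odd, p divides det(Υ)) By construction, $e_p$ has the same parity as $i_a$ and $i_b$, see item (v) of the construction of t and Equation 5.29. Thus, $\mathrm{ord}_p(t) \equiv \mathrm{ord}_p(r) \pmod 2$, or

\[ \left(\frac{\mathrm{cpr}_p(t)}{p}\right) = \left(\frac{\mathrm{cpr}_p(r)}{p}\right) \]

By Equation 5.29, $e_p = i_a$ if $\left(\frac{\mathrm{cpr}_p(t)}{p}\right) = \left(\frac{\tau_a}{p}\right)$ and $e_p = i_b$, otherwise. If $\left(\frac{\mathrm{cpr}_p(t)}{p}\right) = \left(\frac{\tau_a}{p}\right)$ then t can be $p^*$-primitively represented by the diagonal entry $p^{i_a}\tau_a$ in Equation 5.26. Otherwise, t can be $p^*$-primitively represented by $p^{i_a}\tau_a \oplus p^{i_b}\tau_b$ (see Lemma 5.19). In either case, t has a $p^*$-primitive representation in $\Upsilon_p$.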

5.3.2 Representation: n = 3

In this case, we construct an integer t with the following properties. If the input genus $\Upsilon_2$ has a Type II block then the constructed t divides det(Υ). Otherwise, t is of the form ℘t, where t divides det(Υ) and ℘ is an odd prime that does not divide det(Υ).

Lemma 5.21. Let $\Upsilon^{n=3}$ be a genus. Then, there exists an integer ℘t such that t divides det(Υ), $℘ \in P \setminus P_\Upsilon$ and ℘t has a primitive representation in the genus Υ.

Proof. Let us suppose that p is an odd prime that divides det(Υ). In this case, we construct a diagonal form using Lemma 5.9 as follows.

\[ \Upsilon_p \overset{p^*}{\sim} p^{i_1}\tau_1 \oplus p^{i_2}\tau_2 \oplus p^{i_3}\tau_3, \qquad \tau_1, \tau_2, \tau_3 \in (\mathbb{Z}/p\mathbb{Z})^\times,\ i_1 \leq i_2 \leq i_3 \tag{5.31} \]

An integer can be equivalently written as $\prod_{p \in \{-1,2\} \cup P} p^{e_p}$, where $e_p$ is the p-order of the integer. The construction of the integer t is as follows.

(i). If sig(Υ) > −3, then we set $e_{-1} = 0$. Otherwise, $e_{-1} = 1$.

(ii). For every odd prime p that divides det(Υ), our first step is to compute the value of $e_p \bmod 2$. Consider the quadratic form constructed in Equation 5.26 for the prime p. Then,

\[ e_p \bmod 2 := \mathrm{maj}\{i_1 \bmod 2,\ i_2 \bmod 2,\ i_3 \bmod 2\} \tag{5.32} \]

(iii). If $\Upsilon_2$ has a type II block of 2-order ℓ, then we set $\mathrm{ord}_2(t) = \ell + 1$. Also, for all odd primes $p \notin P_\Upsilon$, we set $e_p = 0$.

(iv). Otherwise, $\Upsilon_2$ has only Type I blocks. Thus,

\[ \Upsilon \overset{2^*}{\sim} 2^{j_1}\tau_1 \oplus 2^{j_2}\tau_2 \oplus 2^{j_3}\tau_3, \qquad \tau_1, \tau_2, \tau_3 \in \mathrm{sgn}^\times,\ i_1 \leq i_2 \leq i_3 \tag{5.33} \]

The value of $j_1$ can be read off the symbol $\Upsilon_2$ as the smallest possible 2-order in $\Upsilon_2$. We set $e_2 = j_1$. We also pick an odd prime ℘ not in $P_\Upsilon$ satisfying the following equation.

\[ \left( \prod_{p \in \{-1\} \cup (P_\Upsilon \setminus \{2\})} p^{e_p \bmod 2} \right) ℘ \equiv \tau_1 \pmod 8 \tag{5.34} \]

Such a prime can be found by rejection sampling. A random odd prime satisfies Equation 5.34 with probability 1/4. We set $e_℘ = 1$. Also, for all primes p that do not divide 2℘ det(Υ), we set $e_p = 0$.

(v). Once the parity of all $p \in \{-1, 2\} \cup P$ is known (see item (i)-(iv) of the construction), we define an integer r as follows.

\[ r = \prod_{p \in P \cup \{-1,2\}} p^{e_p \bmod 2} \tag{5.35} \]

(vi). Finally, we compute $e_p$ for all odd primes p which divide det(Υ). Consider the diagonal form constructed in Equation 5.26 for the prime p. Out of $(i_1, i_2)$, $(i_2, i_3)$, and $(i_1, i_3)$; let $(i_a, i_b)$, $a < b \in \{1, 2, 3\}$ be the pair which has the same parity. Then,

\[ e_p = \begin{cases} i_a & \text{if } \left(\frac{\mathrm{cpr}_p(r)}{p}\right) = \left(\frac{\tau_a}{p}\right), \\ i_b & \text{otherwise} \end{cases} \tag{5.36} \]

(vii). We now have $e_p$ for every $p \in \{-1, 2\} \cup P$. We define our integer t as follows.

\[ t = \prod_{p \in \{-1,2\} \cup P} p^{e_p} \tag{5.37} \]

The next step is to show that t has a primitive representation in the genus Υ. Equivalently, it suffices to show that t has a $p^*$-primitive representation in Υ for all $p \in \{-1, 2\} \cup P$. Note that if $\Upsilon_2$ has a Type II block then the construction of t in this case is the same as the construction of t in the case of Lemma 5.20. The correctness of the construction also follows from the same proof. In the rest, we assume that $\Upsilon_2$ has no Type II block.

(i). (p = −1) By construction, t is negative iff sig(Υ) = −3. In this case Υis a genus of negative definite matrices and hence must represent everynegative integer over R. Otherwise, t is a positive integer and Υ is agenus of non-negative definite matrices i.e., Υ R∼ 1⊕· · · . Hence, Υ mustrepresent all positive integers over R. In either case, the constructed thas a primitive representation in Υ over R.

(ii). (p odd, p does not divide ℘ det(Υ)) In this case, p does not divide t.Hence, t has a p∗-primitive representation in Υ (Lemma 5.15).

(iii). (p = 2) By assumption, there are only Type I blocks in Υ2. By con-struction of t, sym2k(2j1 τ1) = sym2k(t). But then, t has a 2∗-primitiverepresentation in 2j1 τ1 (Lemma 3.5).

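(iv). ($p$ odd, $p$ divides $\det(\Upsilon)$) By construction, $e_p$ has the same parity as $i_a$ and $i_b$, see item (vi) of the construction of $t$ and Equation 5.36. Thus, $\mathrm{ord}_p(t) \equiv \mathrm{ord}_p(r) \pmod 2$, or

$$\left(\frac{\mathrm{cpr}_p(t)}{p}\right) = \left(\frac{\mathrm{cpr}_p(r)}{p}\right)$$

By Equation 5.36, $e_p = i_a$ if $\left(\frac{\mathrm{cpr}_p(t)}{p}\right) = \left(\frac{\tau_a}{p}\right)$ and $e_p = i_b$, otherwise. If $\left(\frac{\mathrm{cpr}_p(t)}{p}\right) = \left(\frac{\tau_a}{p}\right)$ then $t$ can be $p^*$-primitively represented by the diagonal entry $p^{i_a}\tau_a$ (see Equation 5.31). Otherwise, $t$ can be $p^*$-primitively represented by $p^{i_a}\tau_a \oplus p^{i_b}\tau_b$ (see Lemma 5.19). In either case, $t$ has a $p^*$-primitive representation in $\Upsilon_p$.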

(v). ($p = \wp$) Finally, we show that $t$ has a $\wp^*$-primitive representation in $\Upsilon$. The prime $\wp$ does not divide $\det(\Upsilon)$ and hence by Lemma 5.3, $\Upsilon \overset{\wp^*}{\sim} \det(\Upsilon) \oplus 1 \oplus 1$. Consider the following equation.

$$\det(\Upsilon)x_1^2 + x_2^2 + x_3^2 \equiv t \pmod{\wp^2} . \tag{5.38}$$

By Lemma 2.2, $x_2^2 + x_3^2$ represents $t - \det(\Upsilon)$ over $\mathbb{Z}/\wp\mathbb{Z}$. Also, $\det(\Upsilon)x_1^2$ represents $\det(\Upsilon)$ primitively over $\mathbb{Z}/\wp^2\mathbb{Z}$. Thus, Equation 5.38 has a primitive solution. By Theorem 4.5, $t$ has a $\wp^*$-primitive representation in $\Upsilon$.


5.3.3 Representation: n = 2, basics

Finding an integer representation in dimension 2 is the most difficult. As with dimension 3, we may need a prime $\wp$ but it needs to satisfy more stringent conditions. In this case, we strongly use the fact that the input symbol $\Upsilon$ is reduced and valid.

Recall the definition of a reduced genus. In dimension 2 a reduced genus $\Upsilon$ has the following form.

$$\Upsilon \begin{cases} \overset{p^*}{\sim} a_p \oplus p^{i_p} b_p & \text{where } a_p, b_p \in (\mathbb{Z}/p\mathbb{Z})^\times,\ p \text{ odd}, \\ \overset{2^*}{\sim} X \in \{a_2 \oplus 2^{i} b_2,\ T^{+},\ T^{-}\} & \text{where } a_2, b_2 \in \mathrm{sgn}^\times \end{cases} \tag{5.39}$$

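Note that $\Upsilon$ is a symbol in dimension 2 and hence $\mathrm{sig}(\Upsilon) \in \{2, 0, -2\}$. Define the quantities $\varepsilon$, $\rho$, and the function $\xi : \mathbb{Z} \to \{0, 1\}$, as follows.

$$\varepsilon = \frac{\det(\Upsilon)}{|\det(\Upsilon)|} \qquad \rho = \begin{cases} 1 & \text{if } \mathrm{sig}(\Upsilon) \in \{0, 2\} \\ -1 & \text{otherwise.} \end{cases} \qquad \xi(x) = \begin{cases} 1 & \text{if } \binom{x}{2} = \frac{x(x-1)}{2} \text{ is odd, and} \\ 0 & \text{otherwise.} \end{cases} \tag{5.40}$$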

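Then, the signature and the oddity of $\Upsilon$ can be computed as follows.

$$\mathrm{sig}(\Upsilon) = \rho(1 + \varepsilon) \qquad \mathrm{odt}(\Upsilon) = \begin{cases} 0 & \text{if } \Upsilon_2 \overset{2^*}{\sim} T^{+} \text{ or } \Upsilon_2 \overset{2^*}{\sim} T^{-} \\ a_2 + b_2 \bmod 8 & \text{if } \left(\frac{b_2}{2}\right) = 1, \text{ or } i_2 \text{ even} \\ a_2 + b_2 + 4 \bmod 8 & \text{otherwise} \end{cases} \tag{5.41}$$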

For convenience, we define the set $S$ as the set of odd primes $p$ for which $i_p$ is odd i.e., $S = \{p \in \mathbb{P}_\Upsilon \cap \mathbb{P} \mid i_p \text{ odd}\}$. Next, for each $d \in \{1, 3, 5, 7\}$ and $b \in \{-, +\}$ we define sets,

$$S_{db} = \left\{ p \in S \;\middle|\; p \equiv d \bmod 8,\ \left(\frac{a_p}{p}\right) = b \right\} \tag{5.42}$$

If we eliminate a subscript, it means a union of the sets with all possible values of the subscript. For example, $S_3 = S_{3+} \cup S_{3-}$. The calligraphic versions, as usual, will denote the size of the corresponding sets. For example, $\mathcal{S}_{3,5-}$ is $|S_{3-}| + |S_{5-}|$.

Lemma 5.22. Let $\Upsilon^{n=2}$ be a valid reduced genus, $\varepsilon = \frac{\det(\Upsilon)}{|\det(\Upsilon)|}$, and $m$ be the total number of antisquares in $\Upsilon$. Then,

$$\sum_{p \in \mathbb{P} \cap \mathbb{P}_\Upsilon} \mathrm{exs}_p(\Upsilon) \equiv 2\mathcal{S}_3 + 4\mathcal{S}_5 + 6\mathcal{S}_7 + 2(1 - (-1)^m) \pmod 8$$

where,

$$(-1)^m = \begin{cases} (-1)^{\mathcal{S}_- + \xi(\mathcal{S}_{3,7})}\,\varepsilon^{\mathcal{S}_{3,7}} & \text{if } \mathrm{ord}_2(\det(\Upsilon)) \text{ is even} \\ (-1)^{\mathcal{S}_- + \xi(\mathcal{S}_{3,7}) + \mathcal{S}_{3,5}}\,\varepsilon^{\mathcal{S}_{3,7}} & \text{otherwise.} \end{cases}$$

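Proof. Let $p$ be an odd prime from $\mathbb{P}_\Upsilon$. To compute the $p$-excess, we need to compute the number of $p$-antisquares in $\Upsilon_p$. By construction, $\Upsilon \overset{p^*}{\sim} a_p \oplus p^{i_p} b_p$ has a $p$-antisquare iff $i_p$ is odd and $\left(\frac{b_p}{p}\right) = -1$. But then, $\det(\Upsilon) \overset{p^*}{\sim} \det(a_p \oplus p^{i_p} b_p) = a_p b_p p^{i_p}$ and so $\left(\frac{b_p}{p}\right) = \left(\frac{a_p\,\mathrm{cpr}_p(\det(\Upsilon))}{p}\right)$. If $m$ is the total number of antisquares in $\Upsilon$ then,

$$(-1)^m = \prod_{p \in S} \left(\frac{b_p}{p}\right) = \prod_{p \in S} \left(\frac{a_p\,\mathrm{cpr}_p(\det(\Upsilon))}{p}\right) = \prod_{p \in S} \left(\frac{\mathrm{cpr}_p(\det(\Upsilon))}{p}\right) \prod_{p \in S} \left(\frac{a_p}{p}\right)$$

$$= \begin{cases} (-1)^{\mathcal{S}_-} \prod_{p \in S} \left(\frac{\varepsilon}{p}\right) \prod_{p_i \neq p_j \in S} \left(\frac{p_i}{p_j}\right)\left(\frac{p_j}{p_i}\right) & \text{if } \mathrm{ord}_2(\det(\Upsilon)) \text{ is even} \\ (-1)^{\mathcal{S}_-} \prod_{p \in S} \left(\frac{2\varepsilon}{p}\right) \prod_{p_i \neq p_j \in S} \left(\frac{p_i}{p_j}\right)\left(\frac{p_j}{p_i}\right) & \text{otherwise.} \end{cases}$$

Note that $\left(\frac{-1}{p}\right) = -1$ iff $p \equiv 3 \bmod 4$ i.e., $\prod_{p \in S} \left(\frac{\varepsilon}{p}\right) = \varepsilon^{\mathcal{S}_{3,7}}$. Also, $\left(\frac{2}{p}\right) = -1$ iff $p \bmod 8 \in \{3, 5\}$ i.e., $\prod_{p \in S} \left(\frac{2}{p}\right) = (-1)^{\mathcal{S}_{3,5}}$. By Quadratic Reciprocity, $\prod_{p_i \neq p_j} \left(\frac{p_i}{p_j}\right)\left(\frac{p_j}{p_i}\right) = (-1)^{\xi(\mathcal{S}_{3,7})}$. Putting it together, we have,

$$(-1)^m = \begin{cases} (-1)^{\mathcal{S}_- + \xi(\mathcal{S}_{3,7})}\,\varepsilon^{\mathcal{S}_{3,7}} & \text{if } \mathrm{ord}_2(\det(\Upsilon)) \text{ is even} \\ (-1)^{\mathcal{S}_- + \xi(\mathcal{S}_{3,7}) + \mathcal{S}_{3,5}}\,\varepsilon^{\mathcal{S}_{3,7}} & \text{otherwise.} \end{cases}$$

By definition, if $m$ is the total number of $p$-antisquares in $\Upsilon$ with $p$ odd then,

$$\sum_{p \in \mathbb{P} \cap \mathbb{P}_\Upsilon} \mathrm{exs}_p(\Upsilon) = \sum_{p \in S} \mathrm{exs}_p(\Upsilon) = 4m + \sum_{p \in S} (p - 1) \bmod 8 = 2\mathcal{S}_3 + 4\mathcal{S}_5 + 6\mathcal{S}_7 + 4m \pmod 8$$

The expression $4m \bmod 8$ evaluates to 4 iff $m$ is odd. Equivalently, $4m \bmod 8$ evaluates to 4 iff $(-1)^m$ evaluates to $-1$; completing the proof.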

Lemma 5.23. Let $\Upsilon^{n=2}$ be a reduced genus, $r$ be an integer and $\wp$ be an odd prime that does not divide $r \det(\Upsilon)$. Then, $r\wp$ has a $\wp^*$-primitive representation in $\Upsilon$ iff $\left(\frac{-\det(\Upsilon)}{\wp}\right) = 1$. If $\mathrm{ord}_2(\det(\Upsilon))$ is even, then

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \begin{cases} \prod_{p \in S} \left(\frac{\wp}{p}\right) & \text{if } \wp \equiv 1 \bmod 4 \\ (-1)^{\mathcal{S}_{3,7}+1}\,\varepsilon \prod_{p \in S} \left(\frac{\wp}{p}\right) & \text{otherwise.} \end{cases}$$

and if $\mathrm{ord}_2(\det(\Upsilon))$ is odd then,

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \begin{cases} \prod_{p \in \{2\} \cup S} \left(\frac{\wp}{p}\right) & \text{if } \wp \equiv 1 \bmod 4 \\ (-1)^{\mathcal{S}_{3,7}+1}\,\varepsilon \prod_{p \in \{2\} \cup S} \left(\frac{\wp}{p}\right) & \text{otherwise.} \end{cases}$$

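Proof. By Lemma 5.3, $\Upsilon \overset{\wp^*}{\sim} \mathrm{diag}(\det(\Upsilon), 1)$. By Theorem 4.5, $r\wp$ has a $\wp^*$-primitive representation in $\Upsilon$ iff the following equation has a primitive solution;

$$\wp r \equiv \det(\Upsilon)x^2 + y^2 \pmod{\wp^2} .$$

Both $x$ and $y$ must be units of $\mathbb{Z}/\wp\mathbb{Z}$. But then,

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \left(\frac{\wp r - \det(\Upsilon)x^2}{\wp}\right) = \left(\frac{y^2}{\wp}\right) = 1.$$

Conversely, if $\left(\frac{-\det(\Upsilon)}{\wp}\right) = 1$ then, by Lemma 3.5, the following equation has a solution.

$$x^2 \equiv -\det(\Upsilon) + \wp r \pmod{\wp^2}$$

Thus, $x^2 + \det(\Upsilon) \equiv \wp r \pmod{\wp^2}$ or $\wp r$ has a $\wp^*$-primitive representation in $1 \oplus \det(\Upsilon)$.

Next, we write $\left(\frac{-\det(\Upsilon)}{\wp}\right)$ in terms of $\varepsilon$, $\rho$, and $\mathcal{S}_{db}$ using the Law of Quadratic Reciprocity (Equation 2.1). If $\mathrm{ord}_2(\det(\Upsilon))$ is even then,

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \left(\frac{-\varepsilon}{\wp}\right) \prod_{p \in S} \left(\frac{p}{\wp}\right) = \left(\frac{-\varepsilon}{\wp}\right) \prod_{p \in S_{1,5}} \left(\frac{\wp}{p}\right) \prod_{p \in S_{3,7}} \left(\frac{p}{\wp}\right)$$

$$= \begin{cases} \prod_{p \in S} \left(\frac{\wp}{p}\right) & \wp \equiv 1 \bmod 4, \\ (-1)^{\mathcal{S}_{3,7}} \left(\frac{-\varepsilon}{\wp}\right) \prod_{p \in S} \left(\frac{\wp}{p}\right) & \text{otherwise.} \end{cases}$$

On the other hand, if $\mathrm{ord}_2(\det(\Upsilon))$ is odd then

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \left(\frac{-2\varepsilon}{\wp}\right) \prod_{p \in S} \left(\frac{p}{\wp}\right) = \begin{cases} \left(\frac{\wp}{2}\right) \prod_{p \in S} \left(\frac{\wp}{p}\right) & \wp \equiv 1 \bmod 4, \\ (-1)^{\mathcal{S}_{3,7}} \left(\frac{\wp}{2}\right) \left(\frac{-\varepsilon}{\wp}\right) \prod_{p \in S} \left(\frac{\wp}{p}\right) & \text{otherwise.} \end{cases}$$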


5.3.4 Representation: n = 2, Type II

In this section, we construct an integer $t$ such that $t$ has a primitive representation in $\Upsilon$, where $\Upsilon_2 \overset{2^*}{\sim} T^{+}$ or $\Upsilon_2 \overset{2^*}{\sim} T^{-}$. Note that, in this situation, 2 does not divide $\det(\Upsilon)$.

Lemma 5.24. Let $\Upsilon^{n=2}$ be a valid reduced genus with $\Upsilon_2 \overset{2^*}{\sim} T^{-}$ or $\Upsilon_2 \overset{2^*}{\sim} T^{+}$. Then, there exists an integer of the form $2\wp r^2$ with primitive representation in $\Upsilon$, where $\wp$ is an odd prime that does not divide $\det(\Upsilon)$ and $r^2$ is an integer that divides $\det(\Upsilon)$.

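Proof. Recall the definition of $\varepsilon, \rho \in \{-1, 1\}$ as in Equation 5.40. Let us define the following set of congruences.

$$\begin{aligned} \wp &\equiv 2\rho a_p \pmod p \quad \text{for all } p \in S \\ \wp &\equiv \begin{cases} 1 \pmod 4 & \text{if } \rho = +,\ \mathcal{S}_{3,5} + \mathcal{S}_- \text{ even, or} \\ & \text{if } \rho = -,\ \mathcal{S}_{5,7} + \mathcal{S}_- \text{ even.} \\ 3 \pmod 4 & \text{if } \rho = +,\ \varepsilon = +,\ \mathcal{S}_{5,7} + \mathcal{S}_- \text{ odd, or} \\ & \text{if } \rho = +,\ \varepsilon = -,\ \mathcal{S}_{5,7} + \mathcal{S}_- \text{ even, or} \\ & \text{if } \rho = -,\ \varepsilon = -,\ \mathcal{S}_{3,5} + \mathcal{S}_- \text{ even, or} \\ & \text{if } \rho = -,\ \varepsilon = +,\ \mathcal{S}_{3,5} + \mathcal{S}_- \text{ odd.} \end{cases} \end{aligned} \tag{5.43}$$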

Note that the set of possibilities under which we can write a modulo 4 congruence is not exhaustive. It is, as we show later, exhaustive for every valid symbol $\Upsilon$.

It is possible to solve the congruence in such a way that $\wp$ is a prime (Dirichlet's Theorem). Consider an integer $r$ defined as follows.

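$$r = \prod_{p \in \mathbb{P}_\Upsilon} p^{e_p/2} \qquad e_p = \begin{cases} 0 & \text{if } p \in \{2\} \cup S \\ 0 & \text{if } p \in \mathbb{P}_\Upsilon \setminus (\{2\} \cup S),\ \left(\frac{a_p}{p}\right) = \left(\frac{2\rho\wp}{p}\right) \\ i_p & \text{if } p \in \mathbb{P}_\Upsilon \setminus (\{2\} \cup S),\ \left(\frac{a_p}{p}\right) \neq \left(\frac{2\rho\wp}{p}\right) \end{cases} \tag{5.44}$$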

Note that, if $p$ is an odd prime not in $S$ then $i_p$ is even. Thus, $r$ is an integer. Define $t = 2\rho\wp r^2$. We next show that $t$ has a primitive representation in the genus $\Upsilon$. For this, it suffices to show that $t$ has a primitive $p^*$-representation in $\Upsilon$ for all $p \in \{p \mid \mathrm{ord}_p(2t\det(\Upsilon)) > 0\} \cup \{-1\}$ (see Lemma 5.15).

(i). ($p = -1$) By Equation 5.40, $\rho = -1$ iff $\mathrm{sig}(\Upsilon) = -2$. In this case, $\Upsilon$ is negative definite and represents all negative integers. Otherwise, $\Upsilon \overset{\mathbb{R}}{\sim} 1 \oplus x$ and $\rho = 1$. But then, $t$ is a positive integer and hence can be represented by $\Upsilon$ over $\mathbb{R}$. In either case, $t$ has a representation in $\Upsilon$ over $\mathbb{R}$.


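(ii). ($p = 2$) By construction, 2 does not divide $\wp r^2$ and so $\mathrm{ord}_p(t) = 1$. By assumption, $\Upsilon_2 \overset{2^*}{\sim} T^{+}$ or $\Upsilon_2 \overset{2^*}{\sim} T^{-}$. In either case, by Lemma 3.19 and Theorem 4.5, $t$ has a $2^*$-primitive representation in $\Upsilon_2$.

(iii). ($p \in S$) By definition of $r$, $\mathrm{ord}_p(r) = 0$ for all primes $p \in S$. By construction in Equation 5.43, $\left(\frac{t}{p}\right) = \left(\frac{2\rho\wp}{p}\right) = \left(\frac{a_p}{p}\right)$, where $\Upsilon \overset{p^*}{\sim} a_p \oplus p^{i_p} b_p$. But then, by Lemma 3.5, $a_p$ (and hence, $\Upsilon$) represents $t$, $p^*$-primitively.

(iv). ($p$ odd, $p \in \mathbb{P}_\Upsilon \setminus S$) If $\Upsilon \overset{p^*}{\sim} a_p \oplus p^{i_p} b_p$ then, $i_p$ is even. If $\left(\frac{a_p}{p}\right) = \left(\frac{2\rho\wp}{p}\right)$ then, $p$ does not divide $2\rho\wp r^2$ and $\left(\frac{a_p}{p}\right) = \left(\frac{t}{p}\right)$. Thus, $t$ has a $p^*$-primitive representation in $\Upsilon$ (Lemma 3.5 and Theorem 4.5). Otherwise, $\left(\frac{a_p}{p}\right) \neq \left(\frac{2\rho\wp}{p}\right)$. But then, $\mathrm{ord}_p(t) = \mathrm{ord}_p(r^2) = i_p$, and by Lemma 5.19 and Theorem 4.5, $t$ has a $p^*$-primitive representation in $a_p \oplus p^{i_p} b_p$.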

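(v). ($p = \wp$) Finally, it remains to show that $t$ has a $\wp^*$-primitive representation in $\Upsilon$. By Lemma 5.23, one needs to show that $\left(\frac{-\det(\Upsilon)}{\wp}\right) = 1$. Recall the Quadratic Reciprocity Laws in Equation 2.1. Also, note that $\left(\frac{-1}{p}\right) = 1$ iff $p \equiv 1 \bmod 4$. The computation of $\left(\frac{-\det(\Upsilon)}{\wp}\right)$ can be done using Lemma 5.23, as follows.

$$\prod_{p \in S} \left(\frac{\wp}{p}\right) = \prod_{p \in S} \left(\frac{2\rho a_p}{p}\right) = (-1)^{\mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} \prod_{p \in S} \left(\frac{2}{p}\right) = (-1)^{\mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} \prod_{p \in S} \left(\frac{p}{2}\right) = (-1)^{\mathcal{S}_- + \mathcal{S}_{3,5}} \rho^{\mathcal{S}_{3,7}}$$

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \begin{cases} (-1)^{\mathcal{S}_- + \mathcal{S}_{3,5}} \rho^{\mathcal{S}_{3,7}} & \wp \equiv 1 \bmod 4, \\ (-1)^{\mathcal{S}_{5,7} + \mathcal{S}_- + 1}\,\varepsilon\,\rho^{\mathcal{S}_{3,7}} & \text{otherwise.} \end{cases}$$

$$= \begin{cases} (-1)^{\mathcal{S}_- + \mathcal{S}_{3,5}} & \rho = +,\ \wp \equiv 1 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{5,7}} & \rho = -,\ \wp \equiv 1 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{5,7} + 1} & \rho = +,\ \varepsilon = +,\ \wp \equiv 3 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{5,7}} & \rho = +,\ \varepsilon = -,\ \wp \equiv 3 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{3,5}} & \rho = -,\ \varepsilon = -,\ \wp \equiv 3 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{3,5} + 1} & \rho = -,\ \varepsilon = +,\ \wp \equiv 3 \bmod 4 \end{cases}$$

It turns out that $\wp \bmod 4$ was defined to satisfy exactly this equation (see Equation 5.43).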


This completes the proof of the claim that $t$ has a primitive representation in the genus $\Upsilon$.

Finally, we show that the set of possibilities under the modulo 4 congruence in Equation 5.43 is exhaustive, if the input symbol $\Upsilon$ is valid. The proof of this statement is computer assisted and the code can be found in Appendix A.2.

We design the test program as follows. For all possible choices of $\varepsilon, \rho \in \{1, -1\}$, and $\mathcal{S}_{db} \in \{0, 1, 2, 3\}$, we compute $\mathrm{sig}(\Upsilon)$, $\mathrm{odt}(\Upsilon)$ by Equation 5.41. We also compute $\sum_{p \in \mathbb{P}} \mathrm{exs}_p(\Upsilon)$ by Lemma 5.22. Then, we check the oddity condition i.e.,

$$\mathrm{sig}(\Upsilon) + \sum_{p \in \mathbb{P}} \mathrm{exs}_p(\Upsilon) \equiv \mathrm{odt}(\Upsilon) \pmod 8$$

If the oddity condition is satisfied then we check if at least one of these conditions hold.

$$\begin{array}{ll} (\rho = +,\ \mathcal{S}_{3,5} + \mathcal{S}_- \text{ even}) & (\rho = -,\ \mathcal{S}_{5,7} + \mathcal{S}_- \text{ even}) \\ (\rho = +,\ \varepsilon = +,\ \mathcal{S}_{5,7} + \mathcal{S}_- \text{ odd}) & (\rho = +,\ \varepsilon = -,\ \mathcal{S}_{5,7} + \mathcal{S}_- \text{ even}) \\ (\rho = -,\ \varepsilon = -,\ \mathcal{S}_{3,5} + \mathcal{S}_- \text{ even}) & (\rho = -,\ \varepsilon = +,\ \mathcal{S}_{3,5} + \mathcal{S}_- \text{ odd}) \end{array} \tag{5.45}$$

In each of these cases, a $\wp$ and hence $t$ exists by Equation 5.43. The test program never finds itself in a situation when none of the conditions in Equation 5.45 are true. This completes the proof of existence of a primitively representable $t$.
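The exhaustive check described above can be reproduced directly. The following Python program is an added example and is not the Appendix A.2 code of the thesis; it covers only the Type II case of Lemma 5.24, where the oddity is 0 and the 2-order of the determinant is even, and every function name in it is chosen here.

```python
"""Exhaustive check behind Lemma 5.24 (n = 2, Type II 2-adic block)."""
from itertools import product

RESIDUES = (1, 3, 5, 7)   # p mod 8 for the primes p in S
SIGNS = (+1, -1)          # value of the Legendre symbol (a_p / p)


def xi(x):
    """xi(x) of Equation 5.40: 1 if binom(x, 2) is odd, else 0."""
    return (x * (x - 1) // 2) % 2


def counts(sizes):
    """Collapse the eight class sizes S_db into S_d (per residue) and S_-."""
    by_res = {d: sizes[(d, +1)] + sizes[(d, -1)] for d in RESIDUES}
    minus = sum(sizes[(d, -1)] for d in RESIDUES)
    return by_res, minus


def oddity_holds(eps, rho, sizes):
    """Oddity condition sig + sum of p-excesses = odt (mod 8)."""
    by_res, minus = counts(sizes)
    s37 = by_res[3] + by_res[7]
    # (-1)^m from Lemma 5.22, branch for ord_2(det) even
    sign_m = (-1) ** (minus + xi(s37)) * eps ** s37
    excess = 2 * by_res[3] + 4 * by_res[5] + 6 * by_res[7] + 2 * (1 - sign_m)
    sig = rho * (1 + eps)          # Equation 5.41
    odt = 0                        # Type II block: oddity is 0
    return (sig + excess - odt) % 8 == 0


def congruence_exists(eps, rho, sizes):
    """True if at least one of the six conditions of Equation 5.45 holds."""
    by_res, minus = counts(sizes)
    even35 = (by_res[3] + by_res[5] + minus) % 2 == 0
    even57 = (by_res[5] + by_res[7] + minus) % 2 == 0
    return any((
        rho == 1 and even35,
        rho == -1 and even57,
        rho == 1 and eps == 1 and not even57,
        rho == 1 and eps == -1 and even57,
        rho == -1 and eps == -1 and even35,
        rho == -1 and eps == 1 and not even35,
    ))


def run_check(max_size=3):
    """Enumerate eps, rho and all class sizes in 0..max_size.

    Returns the number of parameter choices passing the oddity condition
    and the list of those for which no condition of Equation 5.45 holds.
    """
    classes = [(d, b) for d in RESIDUES for b in SIGNS]
    valid, uncovered = 0, []
    for eps, rho in product(SIGNS, SIGNS):
        for combo in product(range(max_size + 1), repeat=len(classes)):
            sizes = dict(zip(classes, combo))
            if not oddity_holds(eps, rho, sizes):
                continue
            valid += 1
            if not congruence_exists(eps, rho, sizes):
                uncovered.append((eps, rho, sizes))
    return valid, uncovered


if __name__ == "__main__":
    valid, uncovered = run_check()
    print(f"passed oddity: {valid}, without a congruence: {len(uncovered)}")
```

Parameter choices that fail the oddity condition can be left without a congruence, for example a single prime in $S_{3+}$ with $\rho = \varepsilon = +$; the check only claims coverage for choices that pass it.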

5.3.5 Representation: n = 2, Type I, Even

This section deals with the case when $\Upsilon_2 \overset{2^*}{\sim} a_2 \oplus 2^{i_2} b_2$, where $i_2$ is even, and $a_2, b_2 \in \{1, 3, 5, 7\}$.

Lemma 5.25. Let $\Upsilon^{n=2}$ be valid reduced genus with $\Upsilon_2 \overset{2^*}{\sim} a_2 \oplus 2^{i_2} b_2$, where $i_2$ is even and $a_2, b_2 \in \mathrm{sgn}^\times$. Then, there exists an integer of the form $\wp r^2$ with primitive representation in $\Upsilon$, where $\wp$ is an odd prime that does not divide $\det(\Upsilon)$ and $r^2$ is an integer that divides $\det(\Upsilon)$.

Proof. Recall the definition of $\varepsilon, \rho \in \{-1, 1\}$ as in Equation 5.40. Let us define the following set of congruences.

$$\begin{aligned} \wp &\equiv \rho a_p \pmod p \quad \text{for all } p \in S \\ \wp &\equiv \begin{cases} x \pmod 8 & \text{if } \rho = +,\ \mathcal{S}_- \text{ even and } x \in X \cap \{1, 5\} \text{ or} \\ & \text{if } \rho = -,\ \mathcal{S}_{3,7} + \mathcal{S}_- \text{ even and } x \in X \cap \{1, 5\} \text{ or} \\ y \pmod 8 & \text{if } \rho = +,\ \varepsilon = +,\ \mathcal{S}_{3,7} + \mathcal{S}_- \text{ odd and } y \in X \cap \{3, 7\} \text{ or} \\ & \text{if } \rho = +,\ \varepsilon = -,\ \mathcal{S}_{3,7} + \mathcal{S}_- \text{ even and } y \in X \cap \{3, 7\} \text{ or} \\ & \text{if } \rho = -,\ \varepsilon = -,\ \mathcal{S}_- \text{ even and } y \in X \cap \{3, 7\} \text{ or} \\ & \text{if } \rho = -,\ \varepsilon = +,\ \mathcal{S}_- \text{ odd and } y \in X \cap \{3, 7\} \end{cases} \\ &\text{where } X = \{\rho a_2 \bmod 8,\ \rho b_2 \bmod 8\} \end{aligned} \tag{5.46}$$

A few words on notation. The modulo 8 congruences should be read as follows. Consider the first congruence "$\wp \equiv x \bmod 8$, if $\rho = +$, $\mathcal{S}_-$ even and $x \in X \cap \{1, 5\}$". If $X \cap \{1, 5\}$ is empty then this statement is false. Otherwise, we pick any element $x$ from the intersection. Also, $x \equiv 1 \bmod 4$ and $y \equiv 3 \bmod 4$.

Note that the set of possibilities under which we can write a modulo 8 congruence is not exhaustive. It is, as we show later, exhaustive for every valid symbol $\Upsilon$.

It is possible to solve the congruence in such a way that $\wp$ is a prime (Dirichlet's Theorem). Consider an integer $r$ defined as follows.

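$$r = \prod_{p \in \mathbb{P}_\Upsilon} p^{e_p/2} \qquad e_p = \begin{cases} 0 & \text{if } (p \in S) \text{ or } (p = 2,\ \wp \equiv a_2 \bmod 8) \\ i_2 & \text{if } p = 2,\ \wp \equiv b_2 \bmod 8 \\ 0 & \text{if } p \in \mathbb{P}_\Upsilon \setminus (\{2\} \cup S),\ \left(\frac{a_p}{p}\right) = \left(\frac{\rho\wp}{p}\right) \\ i_p & \text{if } p \in \mathbb{P}_\Upsilon \setminus (\{2\} \cup S),\ \left(\frac{a_p}{p}\right) \neq \left(\frac{\rho\wp}{p}\right) \end{cases} \tag{5.47}$$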

The exponent $e_p$ is always even and hence $r$ is an integer. Define $t = \rho\wp r^2$. We next show that $t$ has a primitive representation in the genus $\Upsilon$. For this, it suffices to show that $t$ has a primitive $p^*$-representation in $\Upsilon$ for all $p \in \{p \mid \mathrm{ord}_p(2t\det(\Upsilon)) > 0\} \cup \{-1\}$ (see Lemma 5.15).

(i). ($p = -1$) By Equation 5.40, $\rho = -1$ iff $\mathrm{sig}(\Upsilon) = -2$. In this case, $\Upsilon$ is negative definite and represents all negative integers. Otherwise, $\Upsilon \overset{\mathbb{R}}{\sim} 1 \oplus x$ and $\rho = 1$. But then, $t$ is a positive integer and hence can be represented by $\Upsilon$ over $\mathbb{R}$. In either case, $t$ has a representation in $\Upsilon$ over $\mathbb{R}$.

(ii). ($p \in S$) By definition of $r$, $\mathrm{ord}_p(r) = 0$ for all primes $p \in S$. By construction in Equation 5.46, $\left(\frac{t}{p}\right) = \left(\frac{\rho\wp}{p}\right) = \left(\frac{a_p}{p}\right)$, where $\Upsilon \overset{p^*}{\sim} a_p \oplus p^{i_p} b_p$. But then, by Lemma 3.5, $a_p$ (and hence, $\Upsilon$) represents $t$, $p^*$-primitively.


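(iii). ($p$ odd, $p \in \mathbb{P}_\Upsilon \setminus S$) If $\Upsilon \overset{p^*}{\sim} a_p \oplus p^{i_p} b_p$ then, $i_p$ is even. If $\left(\frac{a_p}{p}\right) = \left(\frac{\rho\wp}{p}\right)$ then, $p$ does not divide $\rho\wp r^2$ and $\left(\frac{a_p}{p}\right) = \left(\frac{t}{p}\right)$. Thus, $t$ has a $p^*$-primitive representation in $\Upsilon$ (Lemma 3.5 and Theorem 4.5). Otherwise, $\left(\frac{a_p}{p}\right) \neq \left(\frac{\rho\wp}{p}\right)$. But then, $\mathrm{ord}_p(t) = \mathrm{ord}_p(r^2) = i_p$, and by Lemma 5.19 and Theorem 4.5, $t$ has a $p^*$-primitive representation in $a_p \oplus p^{i_p} b_p$.

(iv). ($p = \wp$) Next, we show that $t$ has a $\wp^*$-primitive representation in $\Upsilon$. By Lemma 5.23, one needs to show that $\left(\frac{-\det(\Upsilon)}{\wp}\right) = 1$. Recall the Quadratic Reciprocity Laws in Equation 2.1. Also, note that $\left(\frac{-1}{p}\right) = 1$ iff $p \equiv 1 \bmod 4$. The computation of $\left(\frac{-\det(\Upsilon)}{\wp}\right)$ can be done using Lemma 5.23, as follows.

$$\prod_{p \in S} \left(\frac{\wp}{p}\right) = \prod_{p \in S} \left(\frac{\rho a_p}{p}\right) = (-1)^{\mathcal{S}_-} \rho^{\mathcal{S}_{3,7}}$$

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \begin{cases} (-1)^{\mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} & \wp \equiv 1 \bmod 4, \\ (-1)^{\mathcal{S}_{3,7} + \mathcal{S}_- + 1}\,\varepsilon\,\rho^{\mathcal{S}_{3,7}} & \text{otherwise.} \end{cases}$$

$$= \begin{cases} (-1)^{\mathcal{S}_-} & \rho = +,\ \wp \equiv 1 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{3,7}} & \rho = -,\ \wp \equiv 1 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{3,7} + 1} & \rho = +,\ \varepsilon = +,\ \wp \equiv 3 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{3,7}} & \rho = +,\ \varepsilon = -,\ \wp \equiv 3 \bmod 4 \\ (-1)^{\mathcal{S}_-} & \rho = -,\ \varepsilon = -,\ \wp \equiv 3 \bmod 4 \\ (-1)^{\mathcal{S}_- + 1} & \rho = -,\ \varepsilon = +,\ \wp \equiv 3 \bmod 4 \end{cases}$$

It turns out that $\wp \bmod 4$ was defined to satisfy exactly this equation (see Equation 5.43).

(v). ($p = 2$) In this case, $\Upsilon_2 \overset{2^*}{\sim} a_2 \oplus 2^{i_2} b_2$, where $a_2, b_2 \in \{1, 3, 5, 7\}$. From Equation 5.46, either $a_2 \overset{2^*}{\sim} t$ or $2^{i_2} b_2 \overset{2^*}{\sim} t$. In either case, $t$ has a $2^*$-primitive representation in $\Upsilon$.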

This completes the proof of the claim that $t$ has a primitive representation in the genus $\Upsilon$.

Finally, we show that the set of possibilities under the modulo 8 congruence in Equation 5.46 is exhaustive, if the input symbol $\Upsilon$ is valid. The proof of this statement is computer assisted and the code can be found in Appendix A.2.


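We design the test program as follows. For all possible choices of $\varepsilon, \rho \in \{1, -1\}$, $a_2, b_2 \in \{1, 3, 5, 7\}$ and $\mathcal{S}_{db} \in \{0, 1, 2, 3\}$, we compute $\mathrm{sig}(\Upsilon)$, $\mathrm{odt}(\Upsilon)$ by Equation 5.41. We also compute $\sum_{p \in \mathbb{P}} \mathrm{exs}_p(\Upsilon)$ by Lemma 5.22. Then, we check the oddity condition i.e.,

$$\mathrm{sig}(\Upsilon) + \sum_{p \in \mathbb{P}} \mathrm{exs}_p(\Upsilon) \equiv \mathrm{odt}(\Upsilon) \pmod 8$$

We next check the following determinant condition for $\Upsilon_2$.

$$\left(\frac{a_2 b_2}{2}\right) = (-1)^{\mathcal{S}_{3,5}}$$

If either of these conditions is not satisfied then the symbol $\Upsilon$ is not valid. For the others, we check if at least one of these conditions holds.

$$\begin{array}{l} (\rho = +,\ \mathcal{S}_- \text{ even},\ |X \cap \{1, 5\}| > 0) \\ (\rho = -,\ \mathcal{S}_- + \mathcal{S}_{3,7} \text{ even},\ |X \cap \{1, 5\}| > 0) \\ (\rho = +,\ \varepsilon = +,\ \mathcal{S}_{3,7} + \mathcal{S}_- \text{ odd},\ |X \cap \{3, 7\}| > 0) \\ (\rho = +,\ \varepsilon = -,\ \mathcal{S}_{3,7} + \mathcal{S}_- \text{ even},\ |X \cap \{3, 7\}| > 0) \\ (\rho = -,\ \varepsilon = -,\ \mathcal{S}_- \text{ even},\ |X \cap \{3, 7\}| > 0) \\ (\rho = -,\ \varepsilon = +,\ \mathcal{S}_- \text{ odd},\ |X \cap \{3, 7\}| > 0) \end{array} \tag{5.48}$$

In each of these cases, a $\wp$ and hence $t$ exists by Equation 5.46. The test program never finds itself in a situation when none of the conditions in Equation 5.48 are true. This completes the proof of existence of a primitively representable $t$.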

5.3.6 Representation: n = 2, Type I, Odd

This section deals with the case when $\Upsilon_2 \overset{2^*}{\sim} a_2 \oplus 2^{i_2} b_2$, where $i_2$ is odd and $a_2, b_2 \in \{1, 3, 5, 7\}$.

Lemma 5.26. Let $\Upsilon^{n=2}$ be a valid reduced genus with $\Upsilon_2 \overset{2^*}{\sim} a_2 \oplus 2^{i_2} b_2$, where $i_2$ is odd and $a_2, b_2 \in \mathrm{sgn}^\times$. Then, there exists an integer of the form $\wp r^2$ or $2^{i_2}\wp r^2$ with primitive representation in $\Upsilon$, where $\wp$ is an odd prime that does not divide $\det(\Upsilon)$ and $r^2$ is an integer that divides $\det(\Upsilon)$.

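Proof. By assumption $i_2$ is odd and hence an odd power of 2 divides $\det(\Upsilon)$. Consider the following set of congruences, along with the construction of the candidate primitively representable integer $t$.

$$\begin{array}{l} \textbf{if } \left(\rho a_2 \equiv 1 \bmod 4 \text{ and } (-1)^{\mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} \left(\frac{a_2}{2}\right) = 1\right) \text{ or } \left(\rho a_2 \equiv 3 \bmod 4 \text{ and } (-1)^{\mathcal{S}_- + \mathcal{S}_{3,7} + 1} \rho^{\mathcal{S}_{3,7}} \varepsilon \left(\frac{a_2}{2}\right) = 1\right) \textbf{ then} \\ \quad \wp \equiv \rho a_p \bmod p \text{ for all } p \in S \\ \quad \wp \equiv \rho a_2 \bmod 8 \\ \quad e_p = \begin{cases} 0 & \text{if } p \in \{2\} \cup S \\ 0 & \text{if } p \in \mathbb{P}_\Upsilon \setminus (\{2\} \cup S),\ \left(\frac{a_p}{p}\right) = \left(\frac{\rho\wp}{p}\right) \\ i_p & \text{if } p \in \mathbb{P}_\Upsilon \setminus (\{2\} \cup S),\ \left(\frac{a_p}{p}\right) \neq \left(\frac{\rho\wp}{p}\right) \end{cases} \\ \quad t = \rho\wp \left( \prod_{p \in \mathbb{P}_\Upsilon} p^{e_p} \right) \\ \textbf{elif } \left(\rho b_2 \equiv 1 \bmod 4 \text{ and } (-1)^{\mathcal{S}_{3,5} + \mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} \left(\frac{b_2}{2}\right) = 1\right) \text{ or } \left(\rho b_2 \equiv 3 \bmod 4 \text{ and } (-1)^{\mathcal{S}_- + \mathcal{S}_{5,7} + 1} \rho^{\mathcal{S}_{3,7}} \varepsilon \left(\frac{b_2}{2}\right) = 1\right) \textbf{ then} \\ \quad \wp \equiv 2\rho a_p \bmod p \text{ for all } p \in S \\ \quad \wp \equiv \rho b_2 \bmod 8 \\ \quad e_p = \begin{cases} 0 & \text{if } p \in S \\ 0 & \text{if } p \in \mathbb{P}_\Upsilon \setminus (\{2\} \cup S),\ \left(\frac{a_p}{p}\right) = \left(\frac{2\rho\wp}{p}\right) \\ i_p & \text{if } p \in \mathbb{P}_\Upsilon \setminus (\{2\} \cup S),\ \left(\frac{a_p}{p}\right) \neq \left(\frac{2\rho\wp}{p}\right) \end{cases} \\ \quad t = \rho\, 2^{i_2} \wp \left( \prod_{p \in \mathbb{P}_\Upsilon \cap \mathbb{P}} p^{e_p} \right) \end{array} \tag{5.49}$$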

Note that the set of possibilities under which we can write the congruence for $\wp$ is not exhaustive. It is, as we show later, exhaustive for every valid symbol $\Upsilon$.

We show that $t$ has a primitive representation in $\Upsilon$, or equivalently, $t$ has a $p^*$-primitive representation in $\Upsilon$ for all $p \in \{-1, 2\} \cup \mathbb{P}$. For this, it suffices to show that $t$ has a primitive $p^*$-representation in $\Upsilon$ for all $p \in \{p \mid \mathrm{ord}_p(2t\det(\Upsilon)) > 0\} \cup \{-1\}$ (see Lemma 5.15).

(i). ($p = -1$) The value of $\rho = -1$ iff $\mathrm{sig}(\Upsilon) = -2$. Thus, $t$ has a representation over $\mathbb{R}$ in $\Upsilon$.

(ii). (odd $p \in \mathbb{P}_\Upsilon \setminus S$) In this case, $\Upsilon_p \overset{p^*}{\sim} a_p \oplus p^{i_p} b_p$ and $\mathrm{ord}_p(t) = i_p$, where $i_p$ is even. By Lemma 5.19, $t$ has a primitive representation in $a_p \oplus p^{i_p} b_p$.

(iii). ($p = 2$) By construction, either $t \overset{2^*}{\sim} a_2$ or $t \overset{2^*}{\sim} 2^{i_2} b_2$. In either case, $t$ has a primitive $2^*$-representation in $\Upsilon$ (Lemma 3.5).


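(iv). ($p = \wp$) In this case, we need to show that $\left(\frac{-\det(\Upsilon)}{\wp}\right) = 1$. We split the proof into two sub-cases.

(a). ($\wp \equiv \rho a_2 \bmod 8$) We first compute the value of $\prod_{p \in \{2\} \cup S} \left(\frac{\wp}{p}\right)$.

$$\prod_{p \in \{2\} \cup S} \left(\frac{\wp}{p}\right) = \prod_{p \in \{2\} \cup S} \left(\frac{\rho a_p}{p}\right) = (-1)^{\mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} \left(\frac{a_2}{2}\right)$$

And then, we insert it into the computation of $\left(\frac{-\det(\Upsilon)}{\wp}\right)$ in Lemma 5.23.

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \begin{cases} (-1)^{\mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} \left(\frac{a_2}{2}\right) & \text{if } \wp \equiv 1 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{3,7} + 1} \rho^{\mathcal{S}_{3,7}} \varepsilon \left(\frac{a_2}{2}\right) & \text{otherwise} \end{cases}$$

(b). ($\wp \equiv \rho b_2 \bmod 8$) Similarly, we compute,

$$\prod_{p \in \{2\} \cup S} \left(\frac{\wp}{p}\right) = \left(\frac{\rho b_2}{2}\right) \prod_{p \in S} \left(\frac{2\rho a_p}{p}\right) = (-1)^{\mathcal{S}_- + \mathcal{S}_{3,5}} \rho^{\mathcal{S}_{3,7}} \left(\frac{b_2}{2}\right)$$

And then, we insert it into the computation of $\left(\frac{-\det(\Upsilon)}{\wp}\right)$ in Lemma 5.23.

$$\left(\frac{-\det(\Upsilon)}{\wp}\right) = \begin{cases} (-1)^{\mathcal{S}_- + \mathcal{S}_{3,5}} \rho^{\mathcal{S}_{3,7}} \left(\frac{b_2}{2}\right) & \text{if } \wp \equiv 1 \bmod 4 \\ (-1)^{\mathcal{S}_- + \mathcal{S}_{5,7} + 1} \rho^{\mathcal{S}_{3,7}} \varepsilon \left(\frac{b_2}{2}\right) & \text{otherwise} \end{cases}$$

In either case, $\left(\frac{-\det(\Upsilon)}{\wp}\right) = 1$, proving the primitive $\wp^*$-representativeness.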

This completes the proof of the claim that $t$ has a primitive representation in the genus $\Upsilon$.

Finally, we show that the set of possibilities when we can write a congruence (see Equation 5.49) is exhaustive, if the input symbol $\Upsilon$ is valid. The proof of this statement is computer assisted and the code can be found in Appendix A.2.

We design the test program as follows. For all possible choices of $\varepsilon, \rho \in \{1, -1\}$, $a_2, b_2 \in \{1, 3, 5, 7\}$ and $\mathcal{S}_{db} \in \{0, 1, 2, 3\}$, we compute $\mathrm{sig}(\Upsilon)$, $\mathrm{odt}(\Upsilon)$ by Equation 5.41. We also compute $\sum_{p \in \mathbb{P}} \mathrm{exs}_p(\Upsilon)$ by Lemma 5.22. Then, we check the oddity condition i.e.,

$$\mathrm{sig}(\Upsilon) + \sum_{p \in \mathbb{P}} \mathrm{exs}_p(\Upsilon) \equiv \mathrm{odt}(\Upsilon) \pmod 8$$


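We next check the following determinant condition for $\Upsilon_2$.

$$\left(\frac{a_2 b_2}{2}\right) = (-1)^{\mathcal{S}_{3,5}}$$

If either of these conditions is not satisfied then the symbol $\Upsilon$ is not valid. For the others, we check if at least one of these conditions holds.

$$\begin{array}{l} \left(\rho a_2 \equiv 1 \bmod 4,\ (-1)^{\mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} \left(\frac{a_2}{2}\right) = 1\right) \\ \left(\rho a_2 \equiv 3 \bmod 4,\ (-1)^{\mathcal{S}_- + \mathcal{S}_{3,7} + 1} \rho^{\mathcal{S}_{3,7}} \varepsilon \left(\frac{a_2}{2}\right) = 1\right) \\ \left(\rho b_2 \equiv 1 \bmod 4,\ (-1)^{\mathcal{S}_{3,5} + \mathcal{S}_-} \rho^{\mathcal{S}_{3,7}} \left(\frac{b_2}{2}\right) = 1\right) \\ \left(\rho b_2 \equiv 3 \bmod 4,\ (-1)^{\mathcal{S}_- + \mathcal{S}_{5,7} + 1} \rho^{\mathcal{S}_{3,7}} \varepsilon \left(\frac{b_2}{2}\right) = 1\right) \end{array} \tag{5.50}$$

In each of these cases, a $\wp$ and hence $t$ exists as in Figure 5.1. The test program never finds itself in a situation when none of the conditions in Equation 5.50 are true. This completes the proof of existence of a primitively representable $t$.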

5.3.7 Representation: putting it together

Proof. (Theorem 5.17) The construction follows from the constructive nature of Lemma 5.20, Lemma 5.21 and the constructions for the case of dimension 2. The only remaining task in case of dimension 2, is to find a $\wp$ which satisfies the given set of congruence relations.

Assuming ERH, one can find $\sigma_p$ i.e., the smallest non-residue modulo $p$ in $O(\log^3 p)$ ring operations over $\mathbb{Z}/p\mathbb{Z}$. If done for every prime that divides $\det(\Upsilon)$, this takes $O(|\mathbb{P}_\Upsilon| \log^3 \det(\Upsilon))$ ring operations over $\mathbb{Z}/\det(\Upsilon)\mathbb{Z}$.

Let $p_1, \cdots, p_s$ be the primes which appear with odd parity in the symbol and $\alpha = 8p_1 \cdots p_s$. Then, we form the required set of congruent equations i.e.,

$$x \equiv \begin{cases} x_{p_i} \bmod p_i & \text{if } \varepsilon_i = -1, \text{ where } x_{p_i} \in (\mathbb{Z}/p\mathbb{Z})^\times \\ \tau \bmod 8 & \text{where } \tau \in \{1, 3, 5, 7\} \end{cases}$$

Solve this set of congruences using the Chinese Remainder and let $a$ be a solution. Pick a $b$ uniformly at random from the range $[0, \alpha^2]$. If $S = \{a + z\alpha \mid z \in \mathbb{Z}, z \leq \alpha^2\}$, then $a + b\alpha$ is a uniformly random element of $S$. By Theorem 2.10 with probability $\frac{1}{\log |S|}$ the number $a + b\alpha$ is prime. One then sets $\wp = a + b\alpha$. If repeated $O(\log^2 |S|)$ times, one can find $\wp$ with overwhelming probability. The time complexity of the algorithm follows from the fact that $|S| \leq \alpha^2 \leq \det(\Upsilon)^2$.
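The search for $\wp$ described above, as an added Python example that is not code from the thesis: the congruences are combined by Chinese Remaindering and candidates $a + b\alpha$ are sampled until one is prime. The function names are chosen here, a Miller-Rabin test stands in for whatever primality test is used, and the default trial budget of (bit length of $\alpha^2$) squared is an assumption modelling the $O(\log^2 |S|)$ repetitions.

```python
import random


def crt(congruences):
    """Solve x = r_i (mod m_i) for pairwise coprime m_i; return (a, alpha)."""
    a, alpha = 0, 1
    for r, m in congruences:
        # choose k so that a + alpha * k also satisfies x = r (mod m)
        k = ((r - a) * pow(alpha, -1, m)) % m
        a, alpha = a + alpha * k, alpha * m
    return a % alpha, alpha


def is_prime(n):
    """Miller-Rabin on the first 12 prime bases.

    This base set is deterministic for n below roughly 3.3e24 and a
    probabilistic test above that bound.
    """
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # b is a witness that n is composite
    return True


def find_prime(odd_congruences, tau, rng, max_trials=None):
    """Return a prime a + b*alpha meeting every congruence, or None.

    odd_congruences: pairs (x_p, p) with p an odd prime and x_p a unit mod p
    tau:             required residue modulo 8, one of 1, 3, 5, 7
    rng:             a random.Random instance supplying b in [0, alpha^2]
    """
    a, alpha = crt(list(odd_congruences) + [(tau, 8)])
    bound = alpha * alpha
    if max_trials is None:
        max_trials = bound.bit_length() ** 2
    for _ in range(max_trials):
        candidate = a + rng.randrange(bound + 1) * alpha
        if is_prime(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed input: x = 2 (mod 3), x = 3 (mod 7), x = 5 (mod 8).
    wp = find_prime([(2, 3), (3, 7)], 5, random.Random(2014))
    print(wp, wp % 3, wp % 7, wp % 8)
```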

The next step is to devise an algorithm that given the local form $S$, positive integer $q$ and the generated $t$ finds a primitive $x$ such that $x'Sx \equiv t \bmod q$.


Instead, we find primitive representations $x_p$ for all $p$ that divide $q$ such that $x_p' S_p x_p \equiv t \bmod p^k$, where $S_p$ is the $p^*$-equivalent form, $k = \mathrm{ord}_p(q)$, and then combine them using Chinese Remainder.

The construction of $t$ used at most 4 diagonal entries of $S_p$ and so to find $x_p$ we use Theorem 3.11 or 3.10 and construct $x$ by filling the rest of the dimensions with 0. The time taken by this algorithm does not depend on $n$ and is $\mathrm{poly}(k, \log p)$, for each prime factor of $q$.

5.4 Polynomial Time Algorithm

In this section, we give the main contribution of this thesis.

Theorem 5.27. Let $\Upsilon^n$ be a valid genus. Then, there exists a randomized $\mathrm{poly}(n, \log \det(\Upsilon))$ algorithm that outputs a quadratic form $Q^n \in \Upsilon$ with constant probability.

Proof. Recall definition of the reduced genus. By Lemma 5.7, it follows that finding a quadratic form in $\Upsilon^* = \mathrm{red}(\Upsilon)$ suffices for generating a quadratic form in $\Upsilon$.

The algorithm described in Section 5.2.1 is correct; but is not polynomial as it is. The analysis of the time complexity will be done on a different algorithm, the correctness of which will follow from the proof of correctness of the algorithm in Section 5.2.1. We now describe the algorithm.

QFGenPoly(input: valid symbol $\Upsilon^n$) output: $Q^n \in \Upsilon$

i. If $n < 4$ then return QFGen($\Upsilon$).

ii. Compute $\gcd(\Upsilon)$ and let $\Upsilon^* = \Upsilon / \gcd(\Upsilon)$.

iii. Find $t$ which has a primitive representation in $\Upsilon^*$. Let $q = t^{n-1} \det(\Upsilon^*)$ and $K_p = \mathrm{ord}_p(q)$.

iv. For every $p \in \mathbb{P}_\Upsilon$, we construct a block diagonal matrix $S_p$ and a matrix $[x_p, A_p] \in \mathbb{Z}/p^{K_p}\mathbb{Z}$ as follows. Use Theorem 5.10 to find a block diagonal matrix $D_p \overset{p^*}{\sim} \Upsilon^*_p$. Recall the construction of $t$ in Lemma 5.20.

If $p$ is odd then by construction, $t$ has a primitive representation in $\mathbb{Z}/p^{K_p}\mathbb{Z}$ of two different types; (a) $t$ has a primitive representation by the first entry of $D_p$. Let $x$ be the primitive representation. Then, set $S_p = D_p$ and $[x_p, A_p] = \begin{pmatrix} x & 0 \\ 0 & x^{-1} \end{pmatrix} \oplus I_{n-2}$, (b) otherwise, $t$ has a primitive representation by two of the first three entries of $D_p$, say $d_1, d_2$ where $\mathrm{ord}_p(d_1) \geq \mathrm{ord}_p(d_2)$. If $(x_1, x_2)$ is a primitive $p^{K_p}$ representation of $t$ then in this case $x_1$ is primitive. Let $(D_p)_{3+}$ be the rest of the blocks in $D_p$ then we set $S_p = d_1 \oplus d_2 \oplus (D_p)_{3+}$ and $[x_p, A_p] = \begin{pmatrix} x_1 & 0 \\ x_2 & x_1^{-1} \end{pmatrix} \oplus I_{n-2}$.

On the other hand, when $p = 2$ then too $t$ has a primitive representation in $\mathbb{Z}/2^{K_2}\mathbb{Z}$ of two different kinds; (a) when $\Upsilon^*_2$ has a type II block then if $x_1, x_2$ be the primitive representation with $x_1$ odd then we set $S_2$ as the block diagonal form equivalent to $D_p$ where the first block is the type II block which was used to represent $t$. Then, we set $[x_2, A_2] = \begin{pmatrix} x_1 & 0 \\ x_2 & x_1^{-1} \end{pmatrix} \oplus I_{n-2}$, (b) otherwise the first four Type I entries of $D_2$ were used to represent $t$ and $\mathrm{ord}_2((D_2)_4) = \mathrm{ord}_p(t)$, by construction. Also, if $x_1, x_2, x_3, x_4$ is the primitive representation of $t$ then $x_4$ is primitive. In this case, we set $S_2$ as $(D_2)_4 \oplus \cdots \oplus (D_2)_1 \oplus (D_2)_{4+}$, and

$$[x_2, A_2] = \begin{pmatrix} x_4 & 0 & 0 & 0 \\ x_3 & x_4^{-1} & 0 & 0 \\ x_2 & 0 & 1 & 0 \\ x_1 & 0 & 0 & 1 \end{pmatrix} \oplus I_{n-4}.$$

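Property. The construction satisfies the property that for each $p \in \Upsilon_p$, $[x_p, A_p] \in \mathrm{GL}_n(\mathbb{Z}/p^{K_p}\mathbb{Z})$ and $x_p' S_p x_p \equiv t \bmod p^{K_p}$.

v. For each $p \in \mathbb{P}_\Upsilon$, let $\Upsilon_p = \mathrm{sym}_p(H_p)$, where $H_p$ is defined as follows.

$$d_p = x_p' S_p A_p \bmod p^{K_p} \qquad H_p = (t A_p' S_p A_p - d_p' d_p) \bmod p^{K_p} \tag{5.51}$$

vi. Let $\Upsilon = \{\Upsilon_p : p \in \mathbb{P}_\Upsilon\}$, and $\Upsilon^* = \Upsilon / \gcd(\Upsilon)$.

vii. Call this algorithm recursively with input $\Upsilon^*$. Let us suppose that the algorithm returns $H^* \in \mathrm{Gen}(\Upsilon^*)$. Then, set $H = \gcd(\Upsilon) H^*$.

viii. Use Chinese Remaindering to compute $[x, A]$ from $\{[x_p, A_p] \bmod p^{K_p} : p \in \mathbb{P}_\Upsilon\}$, $S$ from $\{S_p \bmod p^{K_p} : p \in \mathbb{P}_\Upsilon\}$ and $H$ from $\{H_p \bmod p^{K_p} : p \in \mathbb{P}_\Upsilon\}$.

ix. Canonicalize both $H$ and $H$ over $\mathbb{Z}/q\mathbb{Z}$, i.e., we find $U \in \mathrm{GL}_{n-1}(\mathbb{Z}/q\mathbb{Z})$ such that $H \equiv U'HU \bmod q$.

x. Output the following quadratic form.

$$Q = \gcd(\Upsilon) \begin{pmatrix} t & dU \\ (dU)' & \frac{H + U'd'dU}{t} \end{pmatrix} \tag{5.52}$$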

The correctness of this algorithm follows from the proof before. Let us compute the time complexity of this algorithm. Our first step is to show that the recursions do not blow up the size of the symbol. Notice that to calculate the $(n-1)$-dimensional symbol, we multiply by $t$ in Equation 5.51. The analysis is done below, separately for odd primes and $p = 2$.


Odd primes. In this case, we show that ordp(Υ∗) = ordp(Υ∗).

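For each odd $p \in \mathbb{P}_\Upsilon$, $x_p' S_p x_p \equiv t \bmod p^{K_p}$ and $[x_p, A_p] \in \mathrm{GL}_n(\mathbb{Z}/p^{K_p}\mathbb{Z})$. Recall the two cases discussed in the algorithm while constructing $S_p$ and $[x_p, A_p]$.

Case 1: Suppose $t$ is primitively representable by the first entry of $S_p$. Let $x$ be the primitive representation. Note that $x$ is primitive and $(S_p)_1$ has $p$-scale 0 because $\Upsilon^*$ is reduced. The computation for $H_p$ (and $\mathrm{ord}_p(\Upsilon)$) is as follows.

$$\begin{aligned} [x_p, A_p] &\equiv \begin{pmatrix} x & 0 \\ 0 & x^{-1} \end{pmatrix} \oplus I_{n-2} \bmod p^{K_p} \qquad S_p = s_1 \oplus \cdots \oplus s_n \\ [x_p, A_p]' S_p [x_p, A_p] &\equiv x^2 s_1 \oplus s_2 x^{-2} \oplus \mathrm{diag}(s_3, \cdots) \bmod p^{K_p} \\ H_p &\equiv t A_p' S_p A_p - d_p' d_p \equiv s_1 s_2 \oplus x^2 s_1\, \mathrm{diag}(s_3, \cdots, s_n) \bmod p^{K_p} \\ \mathrm{ord}_p(\Upsilon) &= \mathrm{ord}_p(H_p) = \mathrm{ord}_p(x^2 s_1 s_n) = \mathrm{ord}_p(s_n) = \mathrm{ord}_p(\Upsilon^*) \end{aligned}$$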

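Case 2: Otherwise, the first two entries of $S_p$ represent $t$. In this case, if $S_p = s_1 \oplus \cdots \oplus s_n$, then by construction, $\mathrm{ord}_p(s_1) \geq \mathrm{ord}_p(s_2)$ and $\mathrm{ord}_p(x_1) = 0$, where $x_1, x_2$ is the primitive representation of $t$ in $S_p$. Then,

$$\begin{aligned} [x_p, A_p] &= \begin{pmatrix} x_1 & 0 \\ x_2 & x_1^{-1} \end{pmatrix} \oplus I_{n-2} \qquad S_p = s_1 \oplus \cdots \oplus s_n \\ [x_p, A_p]' S_p [x_p, A_p] &\equiv \begin{pmatrix} s_1 x_1^2 + s_2 x_2^2 & s_2 x_1^{-1} x_2 \\ s_2 x_1^{-1} x_2 & s_2 x_1^{-2} \end{pmatrix} \oplus \mathrm{diag}(s_3, \cdots, s_n) \bmod p^{K_p} \\ H_p &\equiv t A_p' S_p A_p - d_p' d_p = s_1 s_2 \oplus (s_1 x_1^2 + s_2 x_2^2)\, \mathrm{diag}(s_3 \cdots s_n) \bmod p^{K_p} \end{aligned}$$

By construction, $s_1 x_1^2 + s_2 x_2^2 \equiv t \bmod p^{K_p}$, $x_1$ is primitive and $\mathrm{ord}_p(s_2) = \mathrm{ord}_p(t)$. Thus, each entry of $H_p$ is divisible by $p^{\mathrm{ord}_p(t)}$. When we reduce $\Upsilon$ to $\Upsilon^*$, we have $\mathrm{ord}_p(\Upsilon^*) = \mathrm{ord}_p(s_n) = \mathrm{ord}_p(\Upsilon^*)$.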

Thus, for odd prime p, in either case, ordp(Υ∗) = ordp(Υ∗).

Prime $p = 2$. Recall the two cases discussed in the algorithm. The first case is when $t$ has a primitive representation using a type II block. By construction of $S_2$ in Theorem 5.10, the block is either $T^{+}$ or $T^{-}$. Let $i$ be the 2-order of the block, then

$$\begin{aligned} [x_2, A_2] &= \begin{pmatrix} x_1 & 0 \\ x_2 & x_1^{-1} \end{pmatrix} \oplus I_{n-2} \qquad S_2 = 2^i \begin{pmatrix} 2 & 1 \\ 1 & 2c \end{pmatrix} \oplus (S_p)_{3+} \\ [x_2, A_2]' S_2 [x_2, A_2] &\equiv 2^i \begin{pmatrix} 2x_1^2 + 2x_1 x_2 + 2c x_2^2 & 1 + 2c x_2 x_1^{-1} \\ 1 + 2c x_2 x_1^{-1} & 2c x_1^{-2} \end{pmatrix} \oplus (S_p)_{3+} \\ H_2 &= 4^i (4c - 1) \oplus 2^i (2x_1^2 + 2x_1 x_2 + 2c x_2^2) (S_p)_{3+} \end{aligned}$$

Hence, $\mathrm{ord}_2(\Upsilon^*) \leq 1 + \mathrm{ord}_2(\Upsilon^*)$. There could be at most $n$ Type II blocks in a quadratic form of dimension $n$, which can be generated during the recursion. Thus, the 2-order of the recursively generated reduced 2-symbols remain bounded by $\mathrm{ord}_p(\Upsilon^*) + n$.

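Otherwise, $t$ has a primitive representation using the first four type I blocks of $S_2$. In this case, the calculations are as follows.

$$[x_2, A_2] = \begin{pmatrix} x_4 & 0 & 0 & 0 \\ x_3 & x_4^{-1} & 0 & 0 \\ x_2 & 0 & 1 & 0 \\ x_1 & 0 & 0 & 1 \end{pmatrix} \oplus I_{n-4} \qquad S_2 = \mathrm{diag}(d_4, \cdots, d_1, s_5, \cdots, s_n)$$

$$t \equiv d_4 x_4^2 + \cdots + d_1 x_1^2 \bmod 2^{K_2}$$

$$[x_2, A_2]' S_2 [x_2, A_2] = \begin{pmatrix} t & d_3 x_3 x_4^{-1} & d_2 x_2 & d_1 x_1 \\ d_3 x_3 x_4^{-1} & d_3 x_4^{-2} & 0 & 0 \\ d_2 x_2 & 0 & d_2 & 0 \\ d_1 x_1 & 0 & 0 & d_1 \end{pmatrix} \oplus (S_2)_{5+} \bmod 2^{K_2}$$

$$H_2 = \begin{pmatrix} \frac{d_3 (d_1 x_1^2 + d_2 x_2^2 + d_4 x_4^2)}{x_4^2} & -\frac{x_3 d_3 x_2 d_2}{x_4} & -\frac{x_3 d_3 x_1 d_1}{x_4} \\ -\frac{x_3 d_3 x_2 d_2}{x_4} & (d_1 x_1^2 + d_3 x_3^2 + d_4 x_4^2) d_2 & -x_2 d_2 x_1 d_1 \\ -\frac{x_3 d_3 x_1 d_1}{x_4} & -x_2 d_2 x_1 d_1 & (d_2 x_2^2 + d_3 x_3^2 + d_4 x_4^2) d_1 \end{pmatrix} \oplus t (S_2)_{5+} \bmod 2^{K_2}$$

Recall Lemma 5.18. By construction of $x_1, \cdots, x_4$ it follows that for each $i \in [4]$, $\mathrm{ord}_2(d_i x_i^2) \geq \mathrm{ord}_2(d_4) = \mathrm{ord}_2(t)$, $\mathrm{ord}_2(d_4) \geq \cdots \geq \mathrm{ord}_2(d_1)$ and $\mathrm{ord}_2(x_4) = 0$. This implies that $\mathrm{ord}_2(x_1) \geq \cdots \geq \mathrm{ord}_2(x_4) = 0$ and by inspection, every entry in the first $3 \times 3$ submatrix of $H_2$ is divisible by $2^{\mathrm{ord}_2(t)}$. Thus, $\mathrm{ord}_2(\Upsilon^*) = \mathrm{ord}_2(\Upsilon^*)$.

To recapitulate, $\mathrm{ord}_p(\Upsilon^*)$ is equal to $\mathrm{ord}_p(\Upsilon^*)$ unless we use a Type II block to represent $t$ modulo $\mathbb{Z}/2^{K_2}\mathbb{Z}$, in which case it increases by exactly 1.

The step by step calculation of the time taken by the algorithm is as follows.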

(i.) After calculating the reduced symbol $\Upsilon^*$, the algorithm starts by computing a positive integer $t$ which is primitively representable in $\Upsilon^*$. For $n \geq 4$ such an integer can be found by looking at the first 4 dimensions of the symbol $\Upsilon$, see Lemma 5.20. This takes time linear in the number of relevant primes of $\Upsilon$ i.e., $O(|\mathbb{P}_\Upsilon| (\log \det(\Upsilon^*))^2)$.

(ii.) Next, we find a quadratic form $S$ which is equivalent to $\Upsilon^*$ over the ring $\mathbb{Z}/q\mathbb{Z}$, for $q = t^{n-1}\det(\Upsilon^*)$. By Lemma 5.20, the integer $t$ has the property that $t$ divides $\det(\Upsilon^*)$. Thus, we do not introduce any new primes and for every prime $p \in P_\Upsilon$;

$$
\mathrm{ord}_p(q) \leq n\,\mathrm{ord}_p(\det(\Upsilon^*)) + k_p .
$$

By Theorem 5.10, finding such an integral quadratic form $S_p$ takes time $\mathrm{poly}(n, \log\det(\Upsilon), \log p)$. There are $|P_\Upsilon|$ relevant primes and hence the total time in this step is

$$
\mathrm{poly}(|P_\Upsilon|, n, \log\det(\Upsilon^*)) \tag{5.53}
$$

(iii.) Then, we find a primitive representation $x_p$ of $t$ in $S_p$ over $\mathbb{Z}/p^k\mathbb{Z}$, $k = \mathrm{ord}_p(q) \leq n\log\det(\Upsilon^*)$, for all $p \in P_\Upsilon$. Note that the representation is done by Theorem 3.11 on a $4 \times 4$ submatrix, which takes time $\mathrm{poly}(k, \log p)$. By the bound on $k$, we get the following expression.

$$
O(|P_\Upsilon|, n, \log\det(\Upsilon^*)) . \tag{5.54}
$$

(iv.) Then, we Chinese Remainder the matrices $[x_p, A_p]$, $S_p$ and $H_p$ entry-by-entry ($\leq n^2$ entries in each matrix) to get $[x, A]$, $S$ and $H$, respectively. The modulus of the Chinese Remainder is $q$. This takes time $\mathrm{poly}(|P_\Upsilon|, n, \log q)$.

(v.) Finally, we canonicalize both $H$ and $H$ modulo $q$. This is again done by canonicalizing for each prime that divides $q$ and then Chinese Remaindering the results. For each $p$, $\mathrm{ord}_p(q) \leq n\log\det(\Upsilon^*)$. Thus, the time taken for each $p$ is bounded by $\mathrm{poly}(|P_\Upsilon|, n, \log\det(\Upsilon^*))$.

The next step is to calculate the reduced form $\Upsilon^*$ and recurse. By the discussion of the blowup above, it follows that $\det(\Upsilon^*) \leq 2^{n-2}\det(\Upsilon^*)$. Or, $\log\det(\Upsilon^*) \leq (n-2)\log 2 + \log\det(\Upsilon)$. Thus the total time complexity of the algorithm can be written recursively as

$$
T(n, \det(\Upsilon^*)) = T(n-1, 2^{n-2}\det(\Upsilon^*)) + \mathrm{poly}(|P_\Upsilon|, n, \log\det(\Upsilon^*))
$$

Although the blowup in the determinant is exponential, all our algorithms run in $\mathrm{poly}(\log d, |P_\Upsilon|)$, where $d$ is the determinant of the input genus. For $n \leq 3$, $t \leq \wp d$, and $\wp \leq d^2$. Thus, for any constant $\delta > 0$ the generation algorithm runs in time $\mathrm{poly}(n, \log d, \log\frac{1}{\delta})$ and succeeds with probability at least $1 - \delta$.


Appendix A

Appendix

A.1 Missing Proofs

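Proof. (proof of Lemma 2.3) If $0 \neq t \in \mathbb{Z}/p^k\mathbb{Z}$ then $\mathrm{ord}_p(t) < k$. If $t$ is a square modulo $p^k$ then there exists an $x$ such that $x^2 \equiv t \pmod{p^k}$. Thus, there exists $a \in \mathbb{Z}$ such that $x^2 = t + ap^k$. But then, $2\,\mathrm{ord}_p(x) = \mathrm{ord}_p(t + ap^k) = \mathrm{ord}_p(t)$. This implies that $\mathrm{ord}_p(t)$ is even and $\mathrm{ord}_p(x) = \mathrm{ord}_p(t)/2$. Substituting this into $x^2 = t + ap^k$ and dividing the entire equation by $p^{\mathrm{ord}_p(t)}$ yields that $\mathrm{cpr}_p(t)$ is a quadratic residue modulo $p$, as follows.

$$
\mathrm{cpr}_p(x)^2 = \mathrm{cpr}_p(t) + ap^{k-\mathrm{ord}_p(t)} \equiv \mathrm{cpr}_p(t) \pmod{p}
$$

Conversely, if $\mathrm{cpr}_p(t)$ is a quadratic residue modulo $p$ then there exists a $u \in \mathbb{Z}/p^k\mathbb{Z}$ such that $u^2 \equiv \mathrm{cpr}_p(t) \pmod{p^k}$, by Lemma 3.12. If $\mathrm{ord}_p(t)$ is even then $x = p^{\mathrm{ord}_p(t)/2}u$ is a solution to the equation $x^2 \equiv t \pmod{p^k}$.

Proof. (proof of Lemma 2.3) If $0 \neq t \in \mathbb{Z}/2^k\mathbb{Z}$ then $\mathrm{ord}_2(t) < k$. If $t$ is a square modulo $2^k$ then there exists an integer $x$ such that $x^2 \equiv t \bmod 2^k$. Thus, there exists an integer $a$ such that $x^2 = t + a2^k$. But then, $2\,\mathrm{ord}_2(x) = \mathrm{ord}_2(t + a2^k) = \mathrm{ord}_2(t)$. This implies that $\mathrm{ord}_2(t)$ is even and $\mathrm{ord}_2(x) = \mathrm{ord}_2(t)/2$. Substituting this into the equation $x^2 = t + a2^k$ and dividing the entire equation by $2^{\mathrm{ord}_2(t)}$ yields,

$$
\mathrm{cpr}_2(x)^2 = \mathrm{cpr}_2(t) + a2^{k-\mathrm{ord}_2(t)}, \qquad \mathrm{cpr}_2(t) < 2^{k-\mathrm{ord}_2(t)} .
$$

But $\mathrm{cpr}_2(x)$ is odd and hence $\mathrm{cpr}_2(x)^2 \equiv 1 \pmod 8$. If $k - \mathrm{ord}_2(t) > 2$, then $\mathrm{cpr}_2(t) \equiv 1 \pmod 8$. Otherwise, if $k - \mathrm{ord}_2(t) \leq 2$ then $\mathrm{cpr}_2(t) < 2^{k-\mathrm{ord}_2(t)}$ implies that $\mathrm{cpr}_2(t) = 1$.

Conversely, if $\mathrm{cpr}_2(t) \equiv 1 \pmod 8$ then there exists a $u \in \mathbb{Z}/2^k\mathbb{Z}$ such that $u^2 \equiv \mathrm{cpr}_2(t) \bmod 2^k$, by Lemma 3.13. If $\mathrm{ord}_2(t)$ is even then $x = 2^{\mathrm{ord}_2(t)/2}u$ is a solution to the equation $x^2 \equiv t \bmod 2^k$.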
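The criterion that the two proofs above establish can be checked exhaustively for small moduli. The following is an added example, not part of the thesis; it reads cpr_p(t) as t divided by p^ord_p(t), which is how the proofs use it, and all function names are chosen here.

```python
# Added example (not from the thesis): for 0 < t < p^k, compare
# "t is a square modulo p^k" with the criterion from the two proofs:
#   odd p : ord_p(t) even and cpr_p(t) a quadratic residue modulo p
#   p = 2 : ord_2(t) even and cpr_2(t) = 1 (mod 8)

def ord_cpr(t, p):
    """Return (ord_p(t), cpr_p(t)) for t != 0, i.e. t = p^ord * cpr with p not dividing cpr."""
    e = 0
    while t % p == 0:
        t //= p
        e += 1
    return e, t

def squares_mod(m):
    """All residues x^2 mod m, by enumeration (the ground truth)."""
    return {x * x % m for x in range(m)}

def is_square_by_criterion(t, p, k):
    """Criterion from the proofs; t is taken as an integer with 0 < t < p^k."""
    assert 0 < t < p ** k
    e, c = ord_cpr(t, p)
    if e % 2 == 1:                      # odd order: never a square
        return False
    if p == 2:
        # For k - e <= 2 the bound c < 2^(k-e) forces c = 1, and c odd with
        # c < 8 makes "c % 8 == 1" the same test, so one check covers both cases.
        return c % 8 == 1
    return pow(c, (p - 1) // 2, p) == 1  # Euler's criterion for (c/p) = 1

def find_counterexamples(primes=(2, 3, 5, 7, 11), max_modulus=4096):
    """Return every (p, k, t) with p^k <= max_modulus where the two tests disagree."""
    bad = []
    for p in primes:
        k = 1
        while p ** k <= max_modulus:
            truth = squares_mod(p ** k)
            for t in range(1, p ** k):
                if (t in truth) != is_square_by_criterion(t, p, k):
                    bad.append((p, k, t))
            k += 1
    return bad

if __name__ == "__main__":
    print("counterexamples:", find_counterexamples())
```
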


Proof. (proof of Lemma 3.21) Let $[+,-]$ denote the size of the set of tuples $(x, x+a)$ such that $\left(\frac{x}{p}\right) = 1$ and $\left(\frac{x+a}{p}\right) = -1$. Then, the following equality yields one relation on these sets.

$$
\sum_{x=1}^{p-1}\left(\frac{x(x+a)}{p}\right) = \sum_{x=1}^{p-1}\left(\frac{x^2(1+ax^{-1})}{p}\right) = \sum_{y=1}^{p-1}\left(\frac{1+y}{p}\right) = \sum_{y=1}^{p-1}\left(\frac{y}{p}\right) - \left(\frac{1}{p}\right) = -1
$$

$$
[+,+] + [-,-] - [+,-] - [-,+] = -1 \tag{A.1}
$$

If we consider all tuples $(x, x+a)$ for $x \in \{0, \cdots, p-1\}$ i.e., $(0, a), (1, a+1), \cdots, (p-1, a-1)$ then we observe that there are two tuples $(0, a)$ and $(p-a, 0)$ with one Legendre symbol 0. We denote these sets by $[0,+], [0,-], [+,0], [-,0]$. The size of these sets only depends on $\left(\frac{a}{p}\right)$ and $\left(\frac{p-a}{p}\right) = \left(\frac{-a}{p}\right)$.

$$
[0,+] = \frac{1 + \left(\frac{a}{p}\right)}{2} \tag{A.2}
$$

$$
[0,-] = \frac{1 - \left(\frac{a}{p}\right)}{2} \tag{A.3}
$$

$$
[+,0] = \frac{1 + \left(\frac{-a}{p}\right)}{2} \tag{A.4}
$$

$$
[-,0] = \frac{1 - \left(\frac{-a}{p}\right)}{2} \tag{A.5}
$$

There are exactly $p$ tuples in total and exactly 2 of them have one symbol 0. This gives us the following relation.

$$
[+,+] + [+,-] + [-,+] + [-,-] = p - 2 \tag{A.6}
$$

Furthermore, if $p$ is an odd prime then there are exactly $\frac{p-1}{2}$ elements with Legendre symbol $+1$.

$$
[+,+] + [+,-] + [+,0] = \frac{p-1}{2} \tag{A.7}
$$

The bijection $(x, x+a) \to (-(x+a), -x)$ modulo $p$ maps the set $[+,+]$ to $[-,-]$ if $\left(\frac{-1}{p}\right) = -1$ and the set $[+,-]$ to $[-,+]$ if $\left(\frac{-1}{p}\right) = 1$. This gives us the following relation.

$$
[+,+] = [-,-] \quad \text{if } \left(\frac{-1}{p}\right) = -1 \tag{A.8}
$$

$$
[+,-] = [-,+] \quad \text{otherwise.} \tag{A.9}
$$


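In each case i.e., $\left(\frac{-1}{p}\right) = -1$ or $+1$, we have four Equations i.e., (A.1, A.6, A.7, A.8) or (A.1, A.6, A.7, A.9) in four variables. These when solved, result in the following table of values, from which Equation (3.11) can be derived.

Table A.1: Size of split sets modulo p

| $\left(\frac{a}{p}\right)$ | $\left[\left(\frac{x}{p}\right), \left(\frac{x+a}{p}\right)\right]$ | $\left(\frac{-1}{p}\right) = 1$ | $\left(\frac{-1}{p}\right) = -1$ |
|---|---|---|---|
| $+1$ | $[+1,+1]$ | $(p-1)/4 - 1$ | $(p-3)/4$ |
| | $[-1,-1]$ | $(p-1)/4$ | $(p-3)/4$ |
| | $[+1,-1]$ | $(p-1)/4$ | $(p+1)/4$ |
| | $[-1,+1]$ | $(p-1)/4$ | $(p-3)/4$ |
| $-1$ | $[+1,+1]$ | $(p-1)/4$ | $(p-3)/4$ |
| | $[-1,-1]$ | $(p-1)/4 - 1$ | $(p-3)/4$ |
| | $[+1,-1]$ | $(p-1)/4$ | $(p-3)/4$ |
| | $[-1,+1]$ | $(p-1)/4$ | $(p+1)/4$ |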
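The entries of Table A.1, together with relation (A.1), can be confirmed by direct counting for small primes. The following is an added example, not part of the thesis; the function names and the prime bound are chosen here.

```python
# Added example (not from the thesis): count the sign pairs ((x/p), ((x+a)/p))
# directly and compare them with Table A.1 and with relation (A.1).
PAIRS = ((1, 1), (-1, -1), (1, -1), (-1, 1))

def legendre(x, p):
    """Legendre symbol (x/p) for an odd prime p, by Euler's criterion."""
    r = pow(x % p, (p - 1) // 2, p)          # r is 0, 1 or p - 1
    return -1 if r == p - 1 else r

def split_counts(p, a):
    """Sizes [+,+], [-,-], [+,-], [-,+] over x = 0..p-1; the two tuples
    (0, a) and (p-a, 0), which contain a symbol equal to 0, are skipped."""
    counts = dict.fromkeys(PAIRS, 0)
    for x in range(p):
        pair = (legendre(x, p), legendre(x + a, p))
        if 0 not in pair:
            counts[pair] += 1
    return counts

def table_a1(p, a):
    """Values Table A.1 gives for an odd prime p and a not divisible by p."""
    s = legendre(a, p)
    if p % 4 == 1:                            # (-1/p) = +1
        row = dict.fromkeys(PAIRS, (p - 1) // 4)
        row[(s, s)] -= 1                      # [+,+] if (a/p)=+1, [-,-] if (a/p)=-1
    else:                                     # (-1/p) = -1
        row = dict.fromkeys(PAIRS, (p - 3) // 4)
        row[(s, -s)] = (p + 1) // 4           # [+,-] if (a/p)=+1, [-,+] if (a/p)=-1
    return row

def odd_primes(limit):
    """Odd primes below limit, by trial division."""
    return [p for p in range(3, limit, 2)
            if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def mismatches(limit=100):
    """All (p, a) below the limit where the counts contradict Table A.1 or (A.1)."""
    bad = []
    for p in odd_primes(limit):
        for a in range(1, p):
            c = split_counts(p, a)
            a1 = c[(1, 1)] + c[(-1, -1)] - c[(1, -1)] - c[(-1, 1)]
            if c != table_a1(p, a) or a1 != -1:
                bad.append((p, a))
    return bad

if __name__ == "__main__":
    print("p = 13, a = 1:", split_counts(13, 1))
    print("mismatches below 100:", mismatches())
```
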

A.2 Computer Assisted Proofs

In this section, we provide the Maple code for the computer assisted proof in Chapter 5. The procedure fxi computes the function ξ and the names of the other procedures are self-explanatory.

Following are the names of the variables that we use.

rh = $\rho$
a2 = $a_2$
sdp = Sd+
s37 = $S_{3,7}$
sm37 = $S_- + S_{3,7}$
lega = $\left(\frac{a_2}{2}\right)$
eps = $\varepsilon$
b2 = $b_2$
sdm = Sd−
s35 = $S_{3,5}$
sm35 = $S_- + S_{3,7}$
legb = $\left(\frac{b_2}{2}\right)$

When run on Maple, none of these codes output “FAIL!”.


```maple
# fxi computes the function xi: 0 if s mod 4 is 0 or 1, and 1 otherwise.
fxi := proc(s::integer)::integer;
    local f;
    f := 1;
    if s mod 4 = 1 or s mod 4 = 0 then f := 0; end if:
    return f:
end proc:

# Exhaustive search over all parameter values for the Type II case.
# Prints "FAIL!" if an admissible choice satisfies none of the listed conditions.
TypeIIBruteForce := proc()
    local rh, eps, sig, odty, pexs, s1p, s1m, s5p, s5m, s3p, s3m, s7p, s7m,
          s3, s5, s7, sm, s37, sm35, sm57, sx;
    for rh in [-1, 1] do
    for eps in [-1, 1] do
        sig := rh*(1 + eps); odty := 0; pexs := (odty - sig) mod 8;
        for s1p in [0, 1] do for s1m in [0, 1] do
        for s5p in [0, 1] do for s5m in [0, 1] do
        for s3p in [0, 1, 2, 3] do for s3m in [0, 1, 2, 3] do
        for s7p in [0, 1, 2, 3] do for s7m in [0, 1, 2, 3] do
            s3 := s3p + s3m; s5 := s5p + s5m; s7 := s7p + s7m;
            sm := s1m + s3m + s5m + s7m;
            s37 := s3 + s7; sm35 := sm + s3 + s5; sm57 := sm + s5 + s7;
            sx := 2*s3 + 4*s5 + 6*s7;
            # Only parameter choices satisfying this congruence are admissible.
            if pexs = sx + 2*(1 - eps^s37*(-1)^(sm + fxi(s37))) mod 8 then
                if not (rh = 1 and type(sm35, even)) and
                   not (rh = -1 and type(sm57, even)) and
                   not (rh = 1 and eps = 1 and type(sm57, odd)) and
                   not (rh = 1 and eps = -1 and type(sm57, even)) and
                   not (rh = -1 and eps = -1 and type(sm35, even)) and
                   not (rh = -1 and eps = 1 and type(sm35, odd)) then
                    print("FAIL!");
                end if:
            end if:
        end do: end do:
        end do: end do:
        end do: end do:
        end do: end do:
    end do: end do:
end proc:
```


```maple
# Exhaustive search over all parameter values for the Type I even case.
# Prints "FAIL!" if an admissible choice satisfies none of the listed conditions.
TypeIEvenBruteForce := proc()
    local rh, eps, a2, b2, sig, odty, pexs, leg, X,
          s1p, s1m, s5p, s5m, s3p, s3m, s7p, s7m,
          s3, s5, s7, sx, sm, s37, s35, sm37;
    for rh in [-1, 1] do
    for eps in [-1, 1] do
    for a2 in [1, 3, 5, 7] do
    for b2 in [1, 3, 5, 7] do
        sig := rh*(1 + eps); odty := a2 + b2 mod 8; pexs := (odty - sig) mod 8;
        leg := numtheory[legendre](a2*b2, 2);
        X := {rh*a2 mod 8, rh*b2 mod 8};
        for s1p in [0, 1] do for s1m in [0, 1] do
        for s5p in [0, 1] do for s5m in [0, 1] do
        for s3p in [0, 1, 2, 3] do for s3m in [0, 1, 2, 3] do
        for s7p in [0, 1, 2, 3] do for s7m in [0, 1, 2, 3] do
            # s7 is assigned before sx, which depends on it.
            s3 := s3p + s3m; s5 := s5p + s5m; s7 := s7p + s7m;
            sx := 2*s3 + 4*s5 + 6*s7;
            sm := s1m + s3m + s5m + s7m;
            s37 := s3 + s7; sm37 := sm + s37;
            # s35 is used below but not assigned in this listing;
            # it is defined here as in TypeIOddBruteForce.
            s35 := s3 + s5;
            if pexs = sx + 2*(1 - eps^s37*(-1)^(sm + fxi(s37))) mod 8
               and leg = (-1)^s35 then
                if not (rh = 1 and type(sm, even) and
                        nops(X intersect {1, 5}) > 0) and
                   not (rh = -1 and type(sm37, even) and
                        nops(X intersect {1, 5}) > 0) and
                   not (rh = 1 and eps = 1 and type(sm37, odd) and
                        nops(X intersect {3, 7}) > 0) and
                   not (rh = 1 and eps = -1 and type(sm37, even) and
                        nops(X intersect {3, 7}) > 0) and
                   not (rh = -1 and eps = -1 and type(sm, even) and
                        nops(X intersect {3, 7}) > 0) and
                   not (rh = -1 and eps = 1 and type(sm, odd) and
                        nops(X intersect {3, 7}) > 0) then
                    print("FAIL!");
                end if:
            end if:
        end do: end do: end do: end do:
        end do: end do: end do: end do:
    end do: end do: end do: end do:
end proc:
```


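```maple
# Exhaustive search over all parameter values for the Type I odd case.
# Prints "FAIL!" if an admissible choice satisfies none of the listed conditions.
TypeIOddBruteForce := proc()
    local rh, eps, a2, b2, legb, lega, odty, sig, pexs, leg,
          s1p, s1m, s5p, s5m, s3p, s3m, s7p, s7m,
          s3, s5, s7, sx, sm, s37, s35, sm37, sm35, sm57;
    for rh in [-1, 1] do
    for eps in [-1, 1] do
    for a2 in [1, 3, 5, 7] do
    for b2 in [1, 3, 5, 7] do
        legb := numtheory[legendre](b2, 2); lega := numtheory[legendre](a2, 2);
        # odty has no initial assignment in this listing; it must be set
        # before the next line for the update to be numeric.
        if legb = -1 then odty := odty + 4 mod 8; end if:
        sig := rh*(1 + eps); pexs := (odty - sig) mod 8;
        leg := numtheory[legendre](a2*b2, 2);
        for s1p in [0, 1] do for s1m in [0, 1] do
        for s5p in [0, 1] do for s5m in [0, 1] do
        for s3p in [0, 1, 2, 3] do for s3m in [0, 1, 2, 3] do
        for s7p in [0, 1, 2, 3] do for s7m in [0, 1, 2, 3] do
            # s7 is assigned before sx, which depends on it.
            s3 := s3p + s3m; s5 := s5p + s5m; s7 := s7p + s7m;
            sx := 2*s3 + 4*s5 + 6*s7;
            sm := s1m + s3m + s5m + s7m;
            s37 := s3 + s7; s35 := s3 + s5; sm37 := sm + s37; sm35 := sm + s35;
            # sm57 is used below but not assigned in this listing;
            # it is defined here as in TypeIIBruteForce.
            sm57 := sm + s5 + s7;
            if pexs = sx + 2*(1 - eps^s37*(-1)^(sm + fxi(s37))) mod 8 and
               leg = (-1)^s35 then
                if not (rh*a2 mod 4 = 1 and (-1)^sm*rh^s37*lega = 1) and
                   not (rh*a2 mod 4 = 3 and (-1)^(sm37 + 1)*rh^s37*eps*lega = 1) and
                   not (rh*b2 mod 4 = 1 and (-1)^sm35*rh^s37*legb = 1) and
                   not (rh*b2 mod 4 = 3 and (-1)^(sm57 + 1)*rh^s37*eps*legb = 1) then
                    print("FAIL!");
                end if:
            end if:
        end do: end do: end do: end do:
        end do: end do: end do: end do:
    end do: end do: end do: end do:
end proc:
```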


Curriculum Vitae

Chandan Kumar Dubey
Indian citizen
Born on January 14, 1985, in Narkatiaganj, Bihar, India

Doctor of Science, 9/2009 - present
ETH Zurich, Department of Computer Science
Thesis Title: Generating a Lattice of a given Genus
Advisor: Prof. Dr. Thomas Holenstein
Degree: Doctor of Sciences (Dr. Sc. ETH)

Masters Studies, 10/2006 - 01/2009
Weizmann Institute of Science, Israel.
Thesis Title: On Bandwidth Approximation of Graphs.
Degree: Master of Science.

Internship, 5/2004 - 7/2004
PROTHEO Project.
INRIA, Nancy, France.

Undergraduate Studies, 07/2001 - 07/2005
Indian Institute of Technology, Kanpur.
Thesis Title: Critically Indecomposable Graphs.
Degree: Bachelor of Technology in Computer Science and Engineering.

Intermediate, 7/1999 - 7/2001
T. P. Verma College, Narkatiaganj, Bihar, India.
