Download Cipolla`s algorithm for finding square roots mod p Optional reading

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
Document related concepts

History of algebra wikipedia , lookup

Polynomial wikipedia , lookup

Horner's method wikipedia , lookup

Polynomial ring wikipedia , lookup

Polynomial greatest common divisor wikipedia , lookup

System of polynomial equations wikipedia , lookup

Cubic function wikipedia , lookup

Root of unity wikipedia , lookup

Quadratic form wikipedia , lookup

Factorization of polynomials over finite fields wikipedia , lookup

Eisenstein's criterion wikipedia , lookup

Quartic function wikipedia , lookup

Quadratic equation wikipedia , lookup

Factorization wikipedia , lookup

Fundamental theorem of algebra wikipedia , lookup

Transcript 
Cipolla’s algorithm for finding square roots mod p
Optional reading for Math 2803: Number Theory and Cryptography
Suppose we’re given an odd prime number p and a quadratic residue a ∈ (Z/pZ)∗ . We’ll
discuss a probabilistic method for efficiently computing a square root (and hence both square
roots) of a mod p which does not make any assumptions about p. (Recall that if p ≡ 3
(mod 4) then b := a(p+1)/4 (mod p) is a square root of a, so we’re mainly interested in the
case p ≡ 1 (mod 4).)
The first step is to find an integer t with 0 ≤ t ≤ p − 1 such that u := t2 − a is a quadratic
nonresidue mod p. The only known method to do this is probabilistic: for random values
of t, the number t2 − a will be a quadratic nonresidue with probability about 1/2. Thus,
if t1 , . . . , tn are chosen randomly, the probability that none of the t2i − a is a nonresidue is
about 1/2n . So in practice, we will always very quickly be able to find a suitable value of
t, since for any particular ti we can use Euler’s criterion to efficiently decide if t2i − a is a
quadratic residue or not.
Let Fp denote the set {0, 1, . . . , p − 1} endowed with the operations of multiplication and
addition modulo p. We define F as the set of all ordered pairs (x, y) with x, y ∈ Fp , together
with the addition and multiplication laws
(x1 , y1 ) + (x2 , y2 ) = (x1 + x2 , y1 + y2 )
and
(x1 , y1 ) · (x2 , y2 ) = (x1 x2 + y1 y2 u, x1 y2 + x2 y1 ).
The motivation for this is that we are secretly thinking of F as consisting of sums of the
form {x + ωy : x, y ∈ Fp }, where ω is a formal symbol representing a square root of u.
Of course, u doesn’t have a square root in Fp by assumption, so ω should be thought of as
analogous to the complex number i. We have identified x + yω with the ordered pair (x, y),
just as we often represent a complex number x + yi as a point (x, y) in the complex plane.
Two important facts are that (i) every element x + yω of F has an additive inverse x − yω,
and (ii) every nonzero x + yω ∈ F has a multiplicative inverse. To see (ii), note that if we
define
kx + yωk2 = (x + yω)(x − yω) = x2 − y 2 u,
then kx + yωk2 6= 0 for x + yω 6= 0 because u is a quadratic nonresidue. Thus
(x + yω)−1 =
x − yω
.
kx + yωk2
It follows that F is what mathematicians call a (finite) field. The importance of this is that
our “Polynomial Roots mod p Theorem” holds in any field, with essentially the same proof
as the one given in the book. In particular:
A nonzero polynomial of degree n with coefficients in F has at most n distinct
roots in F.
The other key fact we need about arithmetic in F is the following:
Lemma 1. For every element x + yω ∈ F, we have
(x + yω)p = x − yω.
Proof. Since u is a quadratic nonresidue, Euler’s criterion tells us that
ω p−1 = (ω 2 )
p−1
2
=u
p−1
2
= −1
in F. Thus ω p = −ω. From this, the fact that all binomial coefficients pj for 1 ≤ j ≤ p − 1
are divisible by p, and Fermat’s Little Theorem (which in this context says that xp = x for
all x ∈ Fp ), it follows that
(x + yω)p = xp + y p ω p = x + yω p = x − yω
as desired.
Our main result is the following theorem:
Theorem 1. Let b = (t + ω)
p+1
2
∈ F. Then:
(i) b2 = a in F.
(ii) b ∈ Fp .
Proof. We compute that
b2 = (t + ω)p+1 = (t + ω)(t + ω)p = (t + ω)(t − ω) = t2 − ω 2 = t2 − (t2 − a) = a.
This proves (i). Part (ii) follows from the fact that a nonzero polynomial of degree n with
coefficients in F has at most n distinct roots in F. Since we know that x2 − a has 2 roots
in Fp , these must be all of the roots in F. Since b and −b are both roots of x2 − a in F, we
must in fact have ±b ∈ Fp .
Cipolla’s algorithm: Compute x0 = (t + ω)
will be an element of Fp with x2 = a.
p+1
2
using repeated squaring in F. The result
Example: Find the square roots of 2 (mod 17).
By trial and error, we see√that 32 − 2 = 7 is√a quadratic nonresidue, so we
take t = 3
√ can
9
and u = 7. We have ω = 7 and F = {x + y 7}. We compute x0 = (3 + 7) :
√
√
(3 + √7)2 = 16 + 6 7√
√
(3 + √7)4 = (161 + 6√ 7)2 = 15 + 5√ 7
(3 + √7)8 = (15 +√5 7)2 = √
9 + 14 7
√
√
9
8
(3 + 7) = (3 + 7) (3 + 7) = (9 + 14 7)(3 + 7) = 6.
We conclude that 62 = 2 in F17 , so that 6 and −6 = 11 are the two square roots of 2 mod
17.
For a more elementary version of this algorithm, which does not make explicit use of the
theory of finite fields, see my blog post http://mattbakerblog.wordpress.com/2013/12/
07/lucas-sequences-and-chebyshev-polynomials/
Related documents
Slide 1
Slide 1
Name___________________________ Date______________ Mod
Name___________________________ Date______________ Mod
extras_03_1
extras_03_1
1. get the quadratic = 0
1. get the quadratic = 0
Lab51
Lab51
Lesson 96: Difference of Two Squares Theorem
Lesson 96: Difference of Two Squares Theorem
Complex Numbers
Complex Numbers
Test Alg2 Chap 5N
Test Alg2 Chap 5N
Solving Quadratic Equations Using Square Roots
Solving Quadratic Equations Using Square Roots
Square root?
Square root?