arXiv [math.GM]

A simple algorithm for finding square root modulo p
Rajeev Kumar
Society for Natural Technology Research, Dept. of IT&E, Government of West Bengal, India. rajeev.ips@nltr
Abstract
We propose a novel algorithm for finding square roots modulo p in the finite field F*_p. Although there exists a direct formula to calculate the square root of an element of the field F*_p for p ≡ 3 (mod 4), we give an algorithm in F*_p for all odd primes, which shows improvement over the existing method in practical terms although asymptotically it gives the same run time as Tonelli-Shanks. Apart from equally efficient computation time, the proposed method does not necessarily require availability of a non-residue and can work with a ‘relative non-residue’ also. Such ‘relative non-residues’ are much easier to find (probability 2/3) compared to non-residues (probability 1/2).

Keywords — Quadratic residue/non-residue, Tonelli-Shanks, AMM, relative non-residue
The first recorded reference to finding a square root is found in Bhaskara Acharya (1150 AD), who considered the very special case x ≡ 30 (mod 7). However, till the present day the task of computing square roots in any finite field F*_p remains a problem of considerable importance, with applications in well-known cryptographic mechanisms like the quadratic sieve factorization method, point counting on elliptic curves, or the elliptic curve [18]. The standard method of finding whether an element α in the finite field F*_p is a quadratic residue is to check that the Legendre symbol (α/p) = 1, or α^((p−1)/2) ≡ 1 (mod p). Once we have settled that the quadratic residue exists, finding the square root modulo p for p ≡ 3 (mod 4) is direct: √a (mod p) ≡ ±a^((p+1)/4). However finding the square root of α, if it exists, for p ≡ 1 (mod 4) is not so straightforward.

In the year 1891 Tonelli [1] published a paper on finding square roots modulo p, followed by Cipolla's [2] algorithm in 1903. In the year 1972, Daniel Shanks improved upon Tonelli's algorithm and presented the efficient Tonelli-Shanks [4] algorithm. This algorithm, which has found widespread acceptance, finds the square root by working on better and better approximations of the square root. A few other algorithms, Adleman-Manders-Miller [5] (a generalisation of Tonelli-Shanks for taking r-th roots) in 1977, followed by M. O. Rabin in the year 1980, Berlekamp-Rabin [7], and in the year 1986 Peralta [8], dealt with the issue of finding square roots. All these algorithms are efficient but require knowledge of one non-residue for finding the square root, hence are considered probabilistic. However, under the assumption that ERH is true, Ankeny [16] showed that the least quadratic non-residue over F*_p is less than c log p for some constant c. This implies that all the probabilistic algorithms for finding a quadratic non-residue mentioned previously can be improved to deterministic polynomial time algorithms, if ERH is true. It can also be proved that the least quadratic non-residue must be a prime [15]. Schoof [14], in 1985, used elliptic curves to propose a deterministic algorithm to find square roots modulo a prime. This algorithm is efficient (polynomial time) for some residues but not in general. In 2011, Tsz-Wo Sze [15] proposed a deterministic algorithm to find square roots over finite fields without being given any quadratic non-residue. However, the run time of such an algorithm is O(log p), which becomes computationally expensive and impractical for larger primes. Given a quadratic non-residue, the present method on average takes O(r) time, and only for special primes such that p = 2^r + 1 does it approach O(log p).

In this paper we propose an algorithm (probabilistic, as it requires a non-residue) to deal with square roots of quadratic residues for all odd primes. In the proposed new algorithm, the traditional method of dealing with p ≡ 1 (mod 4) is replaced by working mod β of the same finite field F*_p. Please see the section ‘Future Ideas’ for more details. This new algorithm is much simpler, and equally efficient. In fact in some cases, depending upon the element whose square root is sought, the algorithm works even without the availability of a strict quadratic non-residue. The basic ideas on which this algorithm is based are -
We know that for the square root of an element α of the finite field F*_p to exist, the Legendre symbol (α/p) = 1, or α^((p−1)/2) ≡ 1 (mod p). Such an α is also called a quadratic residue. Similarly an element β of the finite field F*_p is a non-residue if the Legendre symbol (β/p) = −1, or β^((p−1)/2) ≡ −1 (mod p). It is also a proven fact that there are only two square roots of unity in a finite field F*_p, viz. {1, p − 1}.

2.3 Conditions for Group Z*_{p^k}

It can easily be seen that for the multiplicative group Z*_{p^k} the square roots of unity are only two, viz. {1, p^k − 1}. For any α ∈ Z*_{p^k}, α is a quadratic residue, i.e. √α exists, if α^(φ(p^k)/2) ≡ 1. Similarly for any β ∈ Z*_{p^k}, β is a quadratic non-residue, i.e. √β does not exist, if β^(φ(p^k)/2) ≡ −1. Here φ(p^k) is Euler's totient = (p − 1) p^(k−1).

Let α, β, γ, γ₁, γ₂ ∈ F*_p and p − 1 = 2^r d, where r, d, i, j are positive integers such that r, d ≥ 1 and d is an odd integer. Also, let α be a quadratic residue, β a non-residue and γ, γ₁, γ₂ any elements of F*_p. We define another function (domain = F*_p and range {−1, 0, 1, ..., r − 1}) -
    f(γ) = −1 if γ^d ≡ 1 (mod p)
    f(γ) = i if γ^(2^i d) ≡ −1 (mod p)
Let us call it the f-value of the element γ. Please note this is different from the order of the element in the finite field F*_p. Also, unlike the order of an element, this function can easily be calculated in log p time. If f(γ) > f(α), we would say γ is a ‘relative’ non-residue to α in the field F*_p. We also note the following properties of this function -
• f(β) = r − 1: β being a non-residue means β^(2^(r−1) d) ≡ −1, hence f(β) = r − 1.
• −1 ≤ f(α) ≤ r − 2: α being a residue means α^(2^(r−1) d) ≡ 1, hence f(α) < r − 1, i.e. −1 ≤ f(α) ≤ r − 2.
• f(β) > f(α): as f(β) = r − 1 and −1 ≤ f(α) ≤ r − 2, f(β) > f(α).
• If f(γ) = 0 then f(−γ) = −1: f(γ) = 0 means γ^d ≡ −1; this implies (−γ)^d ≡ 1 as d is an odd integer. Hence f(−γ) = −1.
• If f(γ) = −1 then f(−γ) = 0: f(γ) = −1 means γ^d ≡ 1; this implies (−γ)^d ≡ −1 as d is an odd integer. Hence f(−γ) = 0 (by the function definition).
• f(γ) = f(−γ) for f(γ) > 0: let f(γ) = i with i > 0; that means γ^(2^i d) ≡ −1, and f(−γ) = i as γ^(2^i d) = (−γ)^(2^i d) for i > 0. Hence f(γ) = f(−γ) for f(γ) > 0.
• If f(α) = −1 then √α ≡ α^((d+1)/2): f(α) = −1 means α^d ≡ 1, so α^(d+1) ≡ α. Hence √α ≡ α^((d+1)/2).
• f(√α) = f(α) + 1 for f(α) ≥ 0: let f(√α) = j; that means (√α)^(2^j d) ≡ −1, or, for j ≥ 1, α^(2^(j−1) d) ≡ −1. Let f(α) = i with i ≥ 0, i.e. α^(2^i d) ≡ −1. Comparing the two expressions gives j − 1 = i, i.e. j = i + 1 for i ≥ 0. Hence f(√α) = f(α) + 1 for f(α) ≥ 0.
• f(γ₁γ₂) < f(γ₁) if f(γ₁) = f(γ₂), for f(γ₁), f(γ₂) ≥ 0: let f(γ₁) = f(γ₂) = i with i ≥ 0. This implies γ₁^(2^i d) ≡ γ₂^(2^i d) ≡ −1, so (γ₁γ₂)^(2^i d) ≡ 1. Hence f(γ₁γ₂) < i, i.e. f(γ₁γ₂) < f(γ₁) if f(γ₁) = f(γ₂) ≥ 0. For f(γ₁) = f(γ₂) = −1, nothing can be said about the value of f(γ₁γ₂) in relation to the values of f(γ₁), f(γ₂).
• f(γ₁γ₂) = max(f(γ₁), f(γ₂)) if f(γ₁) ≠ f(γ₂): let f(γ₁) = i and f(γ₂) = j where i, j ≥ −1 and i ≠ j. Without loss of generality we take i > j.  Now γ₁^(2^i d) ≡ −1 and γ₂^(2^j d) ≡ −1; as i > j this implies γ₂^(2^i d) ≡ 1, so (γ₁γ₂)^(2^i d) ≡ γ₁^(2^i d) γ₂^(2^i d) ≡ −1 · 1 ≡ −1. Hence f(γ₁γ₂) = i = max(f(γ₁), f(γ₂)).

Theorem 1 : Let p ∈ P be an odd prime. Let p − 1 = 2^r d where d is an odd integer (d ≥ 1) and r any integer (r > 0). Let α be a quadratic residue and β a quadratic non-residue in the finite field F*_p. Then a positive integer m can always be found such that α^d β^(md) ≡ 1 (mod p). This will imply α^(d+1) β^(md) ≡ α (mod p) and hence √α ≡ ±α^((d+1)/2) β^(md/2) (mod p). Proof :
Given a quadratic non-residue β and a quadratic residue α such that α^(2^(r−1) d) ≡ 1, we reduce α^(2^(r−1) d) to α^d by successive square rooting operations in (r − 1) steps. Starting from α^(2^(r−1) d) ≡ 1, the square root gives α^(2^(r−2) d) ≡ ±1. At each step we multiply the expression by β^(λ_i 2^(r−1) d), where λ_i ∈ {0, 1}; we choose λ_i = 0 if the square root was 1 and λ_i = 1 if the square root was −1. We note that β^(2^(r−1) d) ≡ −1 as β is a non-residue. Hence after (r − 1) steps we get the following expression, where λ_i ∈ {0, 1}:
    α^d · β^(λ_1 2 d) · β^(λ_2 2^2 d) ··· β^(λ_(r−1) 2^(r−1) d)
    ≡ α^d · β^((λ_1 2 + λ_2 2^2 + ... + λ_(r−1) 2^(r−1)) d)
    ≡ α^d · β^(md) ≡ 1,
where m = λ_1 2 + λ_2 2^2 + ... + λ_(r−1) 2^(r−1) and λ_i ∈ {0, 1}. Also note that for r = 1 the theorem is true as m = 0. This proves the theorem.

Theorem 2 : Let p ∈ P be an odd prime such that p − 1 = 2^r d, where d is an odd integer (d ≥ 1) and r any integer (r > 0). Let α be a quadratic residue and β a quadratic non-residue in the finite field F*_p. Then √α (mod p) can always be found in the set {α^((d+1)/2) β^(2^(r−1−k) i d) for 0 ≤ i ≤ 2^k − 1}, where k is the least value for which α^(2^k d) ≡ 1, 0 ≤ k ≤ (r − 1).

Proof : Given a quadratic non-residue β and a quadratic residue α such that α^(2^k d) ≡ 1, 0 ≤ k ≤ (r − 1), we reduce α^(2^k d) to α^d by successive square rooting operations in k steps. Starting from α^(2^k d) ≡ 1 (mod p), the square root gives α^(2^(k−1) d) ≡ ±1 (mod p). At each step we multiply the expression by β^(λ_i 2^(r−1) d), where λ_i ∈ {0, 1}; we choose λ_i = 0 if the square root was 1 and λ_i = 1 if the square root was −1. We note that β^(2^(r−1) d) ≡ −1 as β is a non-residue. Hence after k steps we get the following expression, where λ_i ∈ {0, 1}:
    α^d · β^(λ_1 2^(r−k) d) · β^(λ_2 2^(r−k+1) d) ··· β^(λ_k 2^(r−1) d) ≡ 1
    α^(d+1) · β^(λ_1 2^(r−k) d) · β^(λ_2 2^(r−k+1) d) ··· β^(λ_k 2^(r−1) d) ≡ α
implying
    √α ≡ α^((d+1)/2) · β^(λ_1 2^(r−k−1) d) · β^(λ_2 2^(r−k) d) ··· β^(λ_k 2^(r−2) d).
Rearranging terms,
    √α ≡ α^((d+1)/2) · β^(λ_k 2^(r−2) d) · β^(λ_(k−1) 2^(r−3) d) ··· β^(λ_1 2^(r−k−1) d).
It is easy to see that the possible values of √α are given by all possible assignments of the λ_i. As there are only two possible values, λ_i ∈ {0, 1}, the value of √α has to be equal to one of these 2^k possibilities. We also note that each term in β evaluates to 1 (i.e. exponent = 0, when λ_i = 0) or can be obtained by successive squaring of β^(2^(r−k−1) d). Basically it is a k-bit number, where the value of a bit is either 1 (exponent of β = 0) or (β^(2^(r−k−1) d))^(2^j) (the j-th place value) for the j-th placed bit, where 0 ≤ j ≤ k − 1. Hence all possible solutions are β^(2^(r−1−k) i d) for 0 ≤ i ≤ 2^k − 1, and the set of all possible values of √α is equal to {α^((d+1)/2) β^(2^(r−1−k) i d) for 0 ≤ i ≤ 2^k − 1}. We also note that as α is a quadratic residue, there exists a 0 ≤ k ≤ (r − 1) such that α^(2^k d) ≡ 1. This proves the theorem.

Theorem 3 : Let p ∈ P be an odd prime and let k be an integer, k > 0. Let φ(p^k) = 2^R D where D is an odd integer (D ≥ 1) and R any integer (R > 0). Let α be a quadratic residue and β a quadratic non-residue in the multiplicative group Z*_{p^k}. Then a positive integer m ≥ 0 can always be found such that α^D β^(mD) ≡ 1 (mod p^k). This will imply α^(D+1) β^(mD) ≡ α (mod p^k) and hence √α ≡ ±α^((D+1)/2) β^(mD/2) (mod p^k). Proof :
The proof is similar to Theorem 1, noting that the square roots of unity in the multiplicative group Z*_{p^k} are {1, −1}. Also α is a quadratic residue, hence α^(φ(p^k)/2) ≡ 1. Similarly for any non-residue β, β^(φ(p^k)/2) ≡ −1. Here φ(p^k) is Euler's totient = p^(k−1)(p − 1). The same successive square rooting then gives α^D β^(mD) ≡ 1 (mod p^k), where m ≥ 0.

Theorem 4 : Let p ∈ P be an odd prime and let k be an integer, k > 0. Let φ(p^k) = 2^R D where D is an odd integer (D ≥ 1) and R any integer (R > 0). Let α be a quadratic residue and β a quadratic non-residue in the multiplicative group Z*_{p^k}. Then √α (mod p^k) can always be found in the set {α^((D+1)/2) β^(2^(R−1−j) i D) for 0 ≤ i ≤ 2^j − 1}, where j is such that α^(2^j D) ≡ 1, 0 ≤ j ≤ (R − 1).

Proof : This can be proven on the same lines as Theorem 2, by noting that here φ(p^k) = 2^R D; for the given value of j for which α^(2^j D) ≡ 1, the same successive square rooting shows that √α (mod p^k) can always be found in the set {α^((D+1)/2) β^(2^(R−1−j) i D) for 0 ≤ i ≤ 2^j − 1}, where 0 ≤ j ≤ (R − 1).

Theorem 5 : Let α, γ ∈ F*_p and p − 1 = 2^r d where r, d ≥ 1, d an odd integer. Also, let α be a quadratic residue and γ any element of F*_p. If f(γ) > f(α) (function f as defined under the ‘relative’ non-residue section), we can always find an m such that α^d γ^(md) ≡ 1, and √α ≡ α^((d+1)/2) γ^(md/2). Proof :
Let f(α) = s and f(γ) = t, given that t > s. Referring to the definition of the function f given in section 2.4, ‘relative’ non-residue, above, we note that f(α) = s implies α^(2^s d) ≡ −1. Also note γ^(2^t d) ≡ −1 and t > s. We will reduce α^(2^(r−1) d) ≡ 1 (α is a quadratic residue) to α^d by successive square rooting operations in (r − 1) steps. At each step we multiply the expression by γ^(λ_i 2^t d), where λ_i ∈ {0, 1}; we choose λ_i = 0 if the square root was 1 and λ_i = 1 if the square root was −1. However, as f(α) = s, λ_i = 0 for 1 ≤ i < r − (s + 1). Hence after (r − 1) steps we get the following expression, where λ_i ∈ {0, 1}:
    α^d · γ^(λ_(r−s−1) 2^(t−s) d) · γ^(λ_(r−s) 2^(t−s+1) d) ··· γ^(λ_(r−1) 2^t d)
    ≡ α^d · γ^((λ_(r−s−1) 2^(t−s) + λ_(r−s) 2^(t−s+1) + ... + λ_(r−1) 2^t) d)
    ≡ α^d · γ^(2d (λ_(r−s−1) 2^(t−s−1) + λ_(r−s) 2^(t−s) + ... + λ_(r−1) 2^(t−1)))
    ≡ α^d · γ^(md) ≡ 1,
since t > s, hence (t − s − 1) ≥ 0, with m = 2(λ_(r−s−1) 2^(t−s−1) + λ_(r−s) 2^(t−s) + ... + λ_(r−1) 2^(t−1)) and λ_i ∈ {0, 1}. This proves the theorem.

Theorem 6 : Let α, γ ∈ F*_p and p − 1 = 2^r d where r, d ≥ 1, d an odd integer. Also, let α be a quadratic residue and γ any element of F*_p. Given a quadratic residue α, the probability that a randomly chosen element γ ∈ F*_p is a relative non-residue to α is approx. 2/3, averaged over all quadratic residues. Proof :
From the discussion under the section ‘relative’ non-residue, and using the same symbols, we note that the possible values of f(γ) ∈ S_v = {−1, 0, 1, 2, 3, ..., r − 2, r − 1} (from the definition of the function). Let S_f^i denote the set of all elements in F*_p having f-value = i, i.e. S_f^i = {x : x ∈ Z*_p such that f(x) = i}. Also it is easy to see that if x ∈ S_f^i then ±√x ∈ S_f^(i+1) for 0 ≤ i ≤ r − 2, and if x ∈ S_f^(−1) then √x ∈ S_f^(−1) and −√x ∈ S_f^0. Using these facts it is easy to calculate the cardinality of the set S_f^i:
    |S_f^i| = 2^i d if i ≥ 0
    |S_f^i| = d if i = −1
    Σ_{i=−1}^{r−1} |S_f^i| = (d + d + 2d + 2^2 d + 2^3 d + ... + 2^(r−1) d) = d + d(1 + 2 + 2^2 + ... + 2^(r−1)) = d + d(2^r − 1) = 2^r d = p − 1,
equal to the total number of elements in the field F*_p. It is clear that the probability of a random element having f-value equal to k is |S_f^k| / 2^r d (= 1/2^(r−k) for k ≥ 0, 1/2^r for k = −1). For an α with f-value = k, the probability of picking a suitable γ = (number of elements having f-value > k) / (all elements of F*_p) = Σ_{i=k+1}^{r−1} |S_f^i| / 2^r d, where −1 ≤ f(α) = k ≤ r − 2. For an α (a quadratic residue whose square root is sought), picking up a random γ ∈ F*_p such that f(γ) > f(α) = k (say), and averaging over all the possible values of k (−1 ≤ k ≤ r − 2), the probability that γ is suitable is
    = 1/(2^(r−1) d) · Σ_{k=−1}^{r−2} Σ_{i=k+1}^{r−1} |S_f^k| |S_f^i| / 2^r d
    = 1/(2^(r−1) d) · ((2^r d − d) d / 2^r d + Σ_{k=0}^{r−2} (2^r d − 2^(k+1) d) 2^k d / 2^r d)
    = 1/2^(r−1) · ((2^r − 1)/2^r + Σ_{k=0}^{r−2} (2^r − 2^(k+1)) 2^k / 2^r)
    = (2/3)(1 − 1/2^(2r)),
where the minimum possible value of r is 2 for primes ≡ 1 (mod 4). Hence the probability of finding a suitable γ is 0.625 (for the case r = 2) and approaches 2/3 for r > 2, the term 1/2^(2r) approaching zero as r grows. So the probability of finding a γ, given an α, such that f(γ) > f(α) is much higher (≈ 2/3) than 1/2 (which is the case when we are searching for a strict non-residue).

Once we have determined that α is indeed a quadratic residue, the core idea is to keep taking square roots starting from α^((p−1)/2) ≡ 1. However, whenever we get −1 we multiply both sides by β^((p−1)/2) ≡ −1, where β is a non-residue, and continue the process again till we reach α^d · β^(...) ≡ 1, i.e. α^(2k+2) · β^(...) ≡ α (as d = 2k + 1), giving us α^(k+1) · β^(...) · β^(...) ... ≡ √α. It can easily be seen that we would be able to reduce the exponent of α to an odd number with the exponent of β still being even. Once we achieve that, we multiply both sides by α and obtain an expression which has even exponents of both α and β and is equal to α (mod p). This equation directly provides √α. Please note that unlike previous approaches [4], [5], the newly proposed method is basically a top-down traversal of a binary tree. It starts from α^((p−1)/2) ≡ 1 and takes a square root at each step till it reaches α^d β^(md) ≡ 1. This is achieved in just r − 1 steps, where p − 1 = 2^r d. The same methodology can be applied so that it works for taking square roots of quadratic residues modulo p^k. Please see example ‘E’ later under the examples.

The core of the algorithm is based on the fact that there are only two possible square roots of any element α ∈ Z*_p, and the square roots of 1 are ∈ {1, p − 1}. This allows us to construct a set with at most 2^(r−1) elements, one of which must be the desired square root. Knowledge of the possible solution set, with its elements available at the leaf nodes of a binary tree of height at most (r − 1), makes top-down traversal of such a tree natural and fast. The proposed algorithm is basically an attempt to find the square root of a quadratic residue from the set of all possible solutions. This insight allows one to construct the solution set with cardinality 2^(r−1). For α (for which α^(2^i d) ≡ −1, i.e. f(α) = i), we need another element γ such that γ^(2^j d) ≡ −1 with j > i to continue with further steps in the algorithm after obtaining α^(2^i d) γ^(2^j d) ≡ 1. This concept of ‘relative’ non-residue, and why these are easier to locate than non-residues, has been explained in section 2.4 and Theorems 5 & 6. The runtime of this algorithm is O(r), which is asymptotically as good as Tonelli-Shanks, but the ability to move up and down the search tree makes for a more efficient implementation than the Tonelli-Shanks method. Please note the pseudo code is illustrative and no extra optimisations have been used.
Algorithm 1: Pseudo code to calculate √α (mod p). Returns 0 if none exists.
  Input: α, β ∈ F*_p, p; β is a non-residue and p a prime.
  Output: √α if it exists, else 0.
    if (p = 2) then return α end if
    if (α/p) = −1 then return 0 end if
    αpow ← (p − 1)/2 and βpow ← 0
    while (αpow is even) do
        αpow ← αpow/2
        βpow ← βpow/2
        if α^αpow β^βpow = −1 then βpow ← βpow + (p − 1)/2 end if
    end while
    αpow ← (αpow + 1)/2
    βpow ← βpow/2
    return α^αpow β^βpow

Please note that irrespective of the values of α, β the ‘while loop’ is executed exactly r − 1 times. Essentially, the total number of calculations inside the loop (the check whether α^αpow β^βpow = −1) for all (α, β) pairs remains essentially the same. The proposed method starts by recognising, through Theorem 2, the possible solution set, one of whose elements must be the square root of the quadratic residue α. So, in this case, the algorithm basically has to search the set with at most 2^(r−1) elements, efficiently. This is done easily and naturally by a top-down approach. The proposed method has the mechanism of moving up and down the search tree, while Tonelli-Shanks [1] and Adleman, Manders & Miller [5] traverse the tree bottom up only.
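The procedure of Algorithm 1, together with the ‘relative’ non-residue variant of Theorem 5 and the count behind Theorem 6, as an added worked example in Python (this is not the paper's own implementation; the function names are mine, and it also handles p^k as in Theorems 3 and 4). The inputs are the paper's own worked examples: √2 (mod 97) with non-residue 5, and √6 (mod 97) with γ = 2 or γ = 9.

```python
from fractions import Fraction


def split_power_of_two(n):
    """Write n = 2^r * d with d odd and return (r, d)."""
    r = 0
    while n % 2 == 0:
        n //= 2
        r += 1
    return r, n


def f_value(gamma, n, order):
    """f-value of section 2.4, computed in the cyclic group (Z/n)^* of the
    given order: -1 if gamma^d == 1, else the i with gamma^(2^i d) == -1 (mod n)."""
    r, d = split_power_of_two(order)
    x = pow(gamma, d, n)
    if x == 1:
        return -1
    for i in range(r):
        if x == n - 1:
            return i
        x = x * x % n
    raise ValueError("gamma is not a unit modulo n")


def sqrt_cyclic(alpha, gamma, n, order):
    """Top-down square root of alpha in (Z/n)^*, n an odd prime power whose
    unit group has the given order. Returns None if alpha is a non-residue.
    gamma only needs f(gamma) > f(alpha) (Theorem 5); a strict non-residue
    always satisfies this (Theorems 1 and 3)."""
    alpha %= n
    if alpha == 0:
        return 0
    if pow(alpha, order // 2, n) != 1:
        return None                      # Euler's criterion: no square root
    t = f_value(gamma, n, order)
    if t <= f_value(alpha, n, order):
        raise ValueError("gamma is not a relative non-residue to alpha")
    _, d = split_power_of_two(order)
    neg_step = (1 << t) * d              # gamma^neg_step == -1 (mod n)
    apow, bpow = order // 2, 0           # invariant: alpha^apow * gamma^bpow == 1
    while apow % 2 == 0:                 # exactly r-1 iterations
        apow //= 2                       # square-root both sides: result is +-1
        bpow //= 2                       # (bpow stays divisible, see Theorem 5)
        if pow(alpha, apow, n) * pow(gamma, bpow, n) % n == n - 1:
            bpow += neg_step             # a -1 is repaired by multiplying by -1
    # Now alpha^d * gamma^bpow == 1 with bpow even: multiply by alpha, root once more.
    return pow(alpha, (apow + 1) // 2, n) * pow(gamma, bpow // 2, n) % n


def sqrt_mod_p(alpha, gamma, p):
    """Algorithm 1 of the paper for a prime p."""
    if p == 2:
        return alpha % 2
    return sqrt_cyclic(alpha, gamma, p, p - 1)


def sqrt_mod_prime_power(alpha, gamma, p, k):
    """Theorems 3 and 4: the same procedure in (Z/p^k)^*, of order phi(p^k)."""
    return sqrt_cyclic(alpha, gamma, p ** k, p ** (k - 1) * (p - 1))


def relative_non_residue_probability(p):
    """Exhaustive count behind Theorem 6: the chance that a random gamma in F_p^*
    has f(gamma) > f(alpha), averaged over all quadratic residues alpha."""
    r, _ = split_power_of_two(p - 1)
    fv = [f_value(x, p, p - 1) for x in range(1, p)]
    residues = [f for f in fv if f < r - 1]          # non-residues have f = r-1
    good_pairs = sum(sum(1 for g in fv if g > f) for f in residues)
    return Fraction(good_pairs, len(residues) * (p - 1))


if __name__ == "__main__":
    # Worked examples from the paper: sqrt(2) mod 97 with non-residue 5 (= 83),
    # and sqrt(6) mod 97 with the relative non-residues 2 and 9 (= 54).
    print(sqrt_mod_p(2, 5, 97), sqrt_mod_p(6, 2, 97), sqrt_mod_p(6, 9, 97))
    print([f_value(x, 97, 96) for x in (2, 9, 6, 22)])   # [3, 2, 1, 1]
    print(relative_non_residue_probability(13))           # 5/8 = 0.625 for r = 2
```

For 97 − 1 = 2^5 · 3 the exhaustive count gives 341/512, i.e. (2/3)(1 − 1/2^10), matching Theorem 6.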
In the proposed method, as we start with a pre-calculated set (by Theorem 2) which must contain the root, each decision at any intermediate node of the tree while travelling down the tree cuts the solution space by half. Also it is easy to climb up the tree by squaring the node. Hence the implementation of the proposed method lends itself to a much more efficient algorithm. In fact the insight given by the proposed algorithm allows one to calculate √α without knowledge of a strict non-residue. Availability of a ‘relative non-residue’ to α would suffice for the proposed method. Such a ‘relative non-residue’ can be found with probability 2/3 (averaged over all possible values of α) compared to 1/2. Please see sections 2.4, 2.9 and 2.10 for ‘relative’ non-residue and example F in section 4.3. A little detailed analysis of Tonelli-Shanks, which starts with the possible value α^((d+1)/2) as the possible root, will make these differences clear.

Tonelli-Shanks
Algorithm 2: Tonelli-Shanks pseudo code to calculate √α (mod p). Returns 0 if none exists. Taken from Wikipedia.
  Input: α, β ∈ F*_p, p; β is a non-residue and p a prime.
  Output: √α if it exists, else 0.
    if (p = 2) then return α end if
    if (α/p) = −1 then return 0 end if
    M ← r, c ← β^d, t ← α^d and R ← α^((d+1)/2)
    while t ≠ 1 do
        use repeated squaring to find the minimum i (0 < i < M) such that t^(2^i) ≡ 1
        b ← c^(2^(M−i−1))
        M ← i, c ← b^2, t ← t b^2 and R ← R b
    end while
    return R

In the Tonelli-Shanks algorithm the idea is to maintain, after each iteration, R, α and t such that R^2 ≡ α t (mod p). α doesn't change after each iteration (since it's the quadratic residue whose root we're attempting to find), but R and t are updated. The heart of the algorithm lies in the fact that the order of t is strictly decreasing over iterations, so eventually it will have order 1. Only the element 1 (mod p) has order 1. Once t ≡ 1 (mod p), we've found R^2 ≡ α (mod p), where R is our solution. Please note that in the best case scenario the order of t decreases quickly and becomes 1; however in the worst case scenario the order will decrease by 1 in each iteration. In each iteration one needs to find i such that t^(2^i) ≡ 1 by repeatedly squaring t till the required i is found. This finding of i at each iteration makes the Tonelli-Shanks algorithm's average run time, for certain non-residues, a little worse than the proposed method. This difference can easily be felt for large values of r. Please note that the number of times the outer ‘while loop’ is executed depends on the value of β. The execution time depends upon how fast the order of t decreases to 1. This is not only dependent on the value of α but also on the value of β. However it traverses the search tree bottom-up, as is clear from the nested loop (coloured green in the pseudo code) inside the outer ‘while loop’. Hence if the chosen β is such that the number of times the outer ‘while loop’ is executed is around r − 1, the run time is O(r). This is what we mean by saying Tonelli-Shanks climbs the search tree and traverses the search tree bottom up. It needs to go up the tree (with the current value of t) to the node where t^(2^i) ≡ 1, to determine the factor β^(2^j d) by which the current estimate needs to be further scaled up. If you don't have to climb the tree, it means you have already reached the estimate. Testing Tonelli-Shanks with a pair (α, β) which yields square roots at successive steps as −1 most of the time illustrates the point very well. In fact whether Tonelli-Shanks achieves the optimum run time or the worst case run time depends upon the pair (α, β), i.e. it depends upon the value of the non-residue provided as input. Adleman, Manders & Miller [5] is the generalisation of Tonelli-Shanks for calculating r-th roots, and it also tries to find the exponent at which the current estimate matches α, starting from the leaf till it reaches the next root of the search tree. Its mechanism to search the binary search tree to find the square root [5] is exactly similar to Tonelli-Shanks, hence also computationally more expensive than the proposed method.

We can implement the proposed algorithm in O(r) and in extreme cases (when r = log p) in O(log p). This is achieved if we are ready to store the ‘r’ results (α^d, α^(2d), ..., α^(2^(r−1) d)) and (β^d, β^(2d), ..., β^(2^(r−1) d)), which we need to calculate anyway to find out if α is indeed a quadratic residue and β is indeed a quadratic non-residue. The storage requirement would be O(r), and in the worst case O(log p) when p = 2^r + 1. The height of the binary tree traversed would be at most (r − 1) and hence the loop would be executed (r − 1) times. At each step in the loop, as the values of α^d, α^(2d), ... and β^d, β^(2d), ... are available, no more than r multiplications would take place. Hence a run time of O(r), which in the worst case scenario would asymptotically approach O(log p), i.e. when r approaches log p. The total number of multiplications required in the worst case scenario is approx. 2 · log p + r. However, the algorithm can also be implemented without any extra storage, in which case, although the loop executes (r − 1) times, calculating α^αpow · β^βpow should take around 2 log p multiplications. Hence the algorithm would have a run time of O(r log p), which in the worst case scenario asymptotically approaches O(log p).

It is easy to see from Theorem 2, proved in the preceding section, that the square root of any quadratic residue α is necessarily an element of the following set, if the minimum i for which α^(2^i d) ≡ 1 is i = r − j. Please note the least value for j can be 1.
    √α ∈ {α^((d+1)/2) β^(2^(r−1−i) k d)} where 0 ≤ k ≤ 2^i − 1 and 0 ≤ i ≤ (r − 1)
    √α ∈ {α^((d+1)/2) β^(2^(j−1) k d)} where 0 ≤ k ≤ 2^(r−j) − 1 and 1 ≤ j ≤ r
Hence for practical purposes, where r − j is less than a suitable value (say 6), trying all possible 2^(r−j) candidates might be computationally cheaper. Hence for primes with smaller values of r the running time would be much faster without any extra storage requirements at all. Also, the proposed algorithm is easily amenable to parallel computing, as subsets of the solution set can be searched independently. This has not been practically tested though; a linear improvement in run time is expected with a proportional increase in the number of threads/CPUs.
Following is a table showing the timings for checking the first 10000 and 100000 elements for quadratic residue and, if it exists, calculating the same. Each result was verified. The proposed algorithm was implemented in Python with a recursive function to traverse the tree. The idea was to roughly compare the run time with the standard Python code of the Tonelli-Shanks algorithm available at Rosetta Code (http://rosettacode.org/wiki/Tonelli-Shanks_algorithm), for primes of 50 to 200 digits from https://primes.utm.edu/lists/small/. Both functions were given a non-residue as input too, so that a comparison of the basic algorithms can be made. Timings are in seconds = Tonelli-Shanks / our proposed method
1. 50 digit prime (till 10000 residues) = 1.54 / 1.24
2. 50 digit prime (till 100000 residues) = 15.01 / 12.36
3. 110 digit prime (till 10000 residues) = 7.18 / 5.69
4. 110 digit prime (till 100000 residues) = 72.93 / 62.23
5. 120 digit prime (till 10000 residues) = 8.85 / 6.91
6. 120 digit prime (till 10000 residues) = 88.79 / 77.39
7. 130 digit prime (till 100000 residues) = 9.59 / 7.6
8. 130 digit prime (till 10000 residues) = 88.71 / 75.88
9. 140 digit prime (till 10000 residues) = 13.05 / 10.43
10. 140 digit prime (till 100000 residues) = 128 / 106.1
11. 150 digit prime (till 10000 residues) = 12.76 / 10.41
12. 150 digit prime (till 100000 residues) = 137.76 / 117.81
13. 200 digit prime (till 5000 residues) = 13.72 / 11.05
14. 200 digit prime (till 10000 residues) = 27.18 / 21.62
15. 200 digit prime (till 100000 residues) = 304.93 / 247.73
This improvement was noticed without factoring in the advantage of ‘relative non-residue’ which the proposed method enjoys. However this advantage can be attributed to less work inside the loop compared to Tonelli-Shanks and a clever/efficient implementation of the proposed method. More testing is required, especially with larger values of r (Proth primes), to see if the advantage vis-à-vis Tonelli-Shanks widens and by how much. It will not be out of place to mention here that for special types of large primes with very large r, the Cipolla-Lehmer method performs better as it has asymptotically better run time. But the algorithm of Tonelli and Shanks for computing square roots modulo a prime number is the most used, and probably the fastest among the known algorithms when averaged over all prime numbers [19].

Calculations have been shown in a form that is easier for humans to understand. Exactly implementing this process may not give the most efficient computer program, as it calculates things over and over again. However the process shows the simplicity of the algorithm for humans to understand.
First we check if 2 is indeed quadratic residue. we see 2 (mod 97) ≡ (mod 97) ≡ − (mod 97) ≡ = −
1, multiplying both sides by identity 5 (mod 97) ≡ − ∗ (mod 97) ≡ ∗ (mod 97) ≡ − (mod 97) ≡ − ∗ ∗ (mod 97) ≡ ∗ ∗ (mod 97) ≡ − ∗ ∗ (mod 97) ≡ −
1, multiplying both sides by identity 5 (mod 97) ≡− ∗ ∗ ∗ (mod 97) ≡ ∗ ∗ ∗ (mod 97) ≡ − (mod 97) ≡ − ∗ ∗ ∗ ∗ (mod 97) ≡ ∗ ∗ ∗ ∗ (mod 97) ≡ ± ∗ ∗ ∗ ∗ (mod 97) ≡ √ i.e √ ≡ ± ∗
83 (mod 97) ≡ First we check if 6 is indeed quadratic residue. we see 6 (mod 43) ≡ (mod 43) ≡ √ ≡ ± i.e. √ ≡ ± ∗
36 (mod 43) ≡ s true for all primes of type 3 (mod 4). First we check if 2 is indeed quadratic residue. we see 2 (mod 41) ≡ (mod 41) ≡ − ≡ − ∗ (mod 41) ≡ ∗ (mod 41) ≡ ∗ (mod 41) ≡ √ ≡ ± ∗ (mod 41)Implying √ ≡ ±
17 (mod 41)We find, indeed 17 ∗
17 (mod 41) ≡ First we check if -1 is indeed quadratic residue. we see ( − (mod 13) ≡ − (mod 13) ≡ − (mod 13) ≡ − − ∗ (mod 13) ≡ − ∗ (mod 13) ≡ − √− ≡ ± ( − ∗ (mod 13)implying √− ≡ ± ∗ ≡ ≡ − = 68921 (given non residue 3) We note φ (43 ) = 67240 .We check and find 5 is indeed quadratic residue 5 / =5 ≡ ) and 3 is indeed non residue 3 ≡ − mod ) . Now asexponent of 5 is even, we take square rootWe get 5 ≡ − ) As the result is -1, we multiply both sides by3 ≡ − )we get 5 ∗ ≡ )Now as exponent of 5 is even, we take square root e get 5 ∗ ≡ − )As the result is -1, we multiply both sides by 3 ≡ − )We get 5 ∗ ∗ ≡ )Now as exponent of 5 is odd we multiply both sides with 5 and take square rootfor the last timeWe get √ ) ≡ ∗ ∗ Implying √ ) ≡ ± ∗ ) ≡ First we check if 6 is indeed quadratic residue. we see 6 (mod 97) ≡ (mod 97) ≡ (mod 97) ≡ (mod 97) ≡ − ). We will deal it in different parts. Part 1 : (We get 2 as randomly selected number)
Although 2 is not a non-residue, we see f(2) > f(6) (as f(2) = 3 and f(6) = 1), hence 2 is a ‘relative non-residue’ and suitable. Also f(2) = 3 implies 2 ≡ − (mod 97) ≡ −
1, we multiply both sides by 2 ≡ − ∗ (mod 97) ≡ ∗ (mod 97) ≡ − ≡ − ∗ ∗ (mod 97) ≡ ∗ ∗ (mod 97) ≡ ∗ ∗ (mod 97) ≡ p (6)Implying √ ≡ ±
54 (mod 97)We find, indeed 54 ∗
54 (mod 97) ≡ Part 2 : (We get 9 as randomly selected number)
Although 9 is not a non-residue, we see f(9) > f(6) (as f(9) = 2 and f(6) = 1), hence 9 is a ‘relative non-residue’ and suitable. Also f(9) = 2 implies 9 ≡ − (mod 97) ≡ −
1, we multiply both sides by 9 ≡ − ∗ (mod 97) ≡ ∗ (mod 97) ≡ ∗ (mod 97) ≡ aking square root for the final time, We get 6 ∗ (mod 97) ≡ p (6)Implying √ ≡ ±
54 (mod 97)We find, indeed 54 ∗
54 (mod 97) ≡ Part 3 : (We get 22 as randomly selected number)
Although 22 is also not a non-residue, we see f(22) = f(6) (as f(22) = 1 and f(6) = 1), hence 22 is not suitable for calculating the square root of 6. We will have to choose another number and see if it fits the bill! The basic idea was to show that the probability of finding a suitable ‘relative non-residue’ for calculating the square root of a given number is greater (by around 17%, averaged over all residues) than that of finding non-residues, as is required in other standard methods.

The strength of this algorithm is its simplicity and general applicability to all odd primes. However the main drawback of this algorithm is the presupposition of a quadratic non-residue. But this can be overcome to an extent. This algorithm does not necessarily demand a quadratic non-residue. In fact, given any element α whose square root is to be calculated, with i_α for which α^(2^(i_α) d) ≡ −1, i.e. f(α) = i_α, the availability of any γ (not necessarily a quadratic non-residue) with i_γ for which γ^(2^(i_γ) d) ≡ −1, i.e. f(γ) = i_γ, such that i_γ > i_α will suffice. It is easy to see that if γ is indeed a non-residue, this condition will always hold for any quadratic residue α. Please see example ‘F’ in the preceding section. It has been shown in one of the preceding sections, ‘Discussion about relative non-residue’, that the probability of finding such a ‘relative non-residue’, averaged over all residues, increases from 1/2 to 2/3. However a more fundamental area would be to find a way to avoid using a quadratic non-residue altogether while maintaining a similar kind of run-time performance. From a philosophical point of view, the mandatory requirement of an element whose square root cannot be calculated (i.e. a non-residue) for finding the square roots of all other elements (quadratic residues) definitely begs a more fundamental answer.
Another area of exploration could be to quickly locate the desired solution given the solution set. Given an α whose square root is to be calculated, we know the set of possible solutions (cardinality = 2^(r−1)). Although it seems like a discrete logarithm problem at first glance, a serious look may give better search time algorithms. The ability to find square roots efficiently in a finite field has applications in cryptosystems, as broader classes of elliptic and hyper-elliptic curve cryptosystems can be set up more efficiently. Another idea could be to use it for efficient deterministic primality testing for Proth primes, as shown by Sze [15].

I would like to thank Prof. Ritabarata Munshi, Prof. Palash Sarkar, Prof. Neena Gupta of ISI Kolkata, Prof. G.P. Biswas of IIT Dhanbad, Shreesh Maharaj of Swami Vivekanand University, Belur Math and Malay Khandelwal of thinkC for not only initiating me into number theory but also for motivation, guidance and encouragement. Special thanks are due to my colleagues Gaurav Sinha, IRS and Syed Waquar Raza, IPS for discussing the paper, taking pains to read and re-read the paper an endless number of times and suggesting valuable improvements.

References
[1] Alberto Tonelli, 1891, “Bemerkung über die Auflösung quadratischer Congruenzen,” Nachrichten der Akademie der Wissenschaften in Göttingen, pp. 344–346.
[2] Michele Cipolla, 1903, “Un metodo per la risoluzione della congruenza di secondo grado,” Napoli Rend., 9, pp. 154–163.
[3] Derrick H. Lehmer, 1969, “Computer Technology applied to the theory of numbers,” Studies in number theory (Englewood Cliffs, New Jersey) (William J. Leveque, ed.), MAA studies in Mathematics, vol. 6, Prentice Hall, pp. 117–151.
[4] Daniel Shanks, 1972, “Five number theoretical algorithms,” Proceedings, 2nd Manitoba Conference on Numerical Mathematics, pp. 51–70, MR0371855 (51:8072).
[5] Leonard M. Adleman, Kenneth L. Manders and Gary L. Miller, 1977, “On taking roots in finite fields,” Proceedings of the 18th IEEE Symposium on Foundations of Computer Science, IEEE, pp. 175–178. MR0502224 (58:19339). MR0246815 (40:84).
[6] Elwyn R. Berlekamp, 1970, “Factoring polynomials over large finite fields,” Math. Comp., 24, no. 111, pp. 713–735. MR0276200 (43:948).
[7] Michael O. Rabin, 1980, “Probabilistic algorithms in finite fields,” SIAM J. Comput. 9, no. 2, pp. 273–280, MR568814 (81g:12002).
[8] René C. Peralta, 1986, “A simple and fast probabilistic algorithm for computing square roots modulo a prime number,” IEEE Transactions on Information Theory, 32, no. 6, pp. 846–847, MR868931 (87m:11125).
[9] Eric Bach, 1990, “A note on square roots in finite fields,” IEEE Transactions on Information Theory, 36, no. 6, pp. 1494–1498, MR1080838 (91h:11140).
[10] Stephen M. Turner, 1994, “Square roots mod p,” The American Mathematical Monthly, 101, no. 5, pp. 443–449, MR1272944 (95c:11004).
[11] Eric Bach and Klaus Huber, 1999, “Note on taking square-roots modulo N,” IEEE Transactions on Information Theory, 45, no. 2, pp. 807–809, MR1677049 (99j:94036).
[12] Siguna Müller, 2000, “On probable prime testing and the computation of square roots mod n,” Algorithmic Number Theory, 4th International Symposium, ANTS IV, Lecture Notes in Computer Science, 1838, Springer Verlag, pp. 423–437, MR1850623 (2002h:11140).
[13] Daniel J. Bernstein, 2001, “Faster square roots in annoying finite fields,” preprint. (http://cr.yp.to/papers/sqroot.pdf).
[14] René Schoof, 1985, “Elliptic curves over finite field and the computation of square roots mod p,” Mathematics of Computation, 44, no. 170, pp. 483–494, MR777280.
[15] Tsz-Wo Sze, 2011, “On Taking Square Roots without Quadratic non-residues over finite fields,” Mathematics of Computation, 80, no. 275, pp. 1797–1811.
[16] Nesmith C. Ankeny, “The least quadratic non residue”, Ann. of Math. 55 (1952), no. 1, pp. 65–72.
[17] A. Uma Maheswari and Prabha Durairaj, 2017, “An Algorithm to Find Square Roots of Quadratic Residues Modulo p”, Global Journal of Pure and Applied Mathematics, ISSN 0973-1768, Volume 13, Number 4 (2017), pp. 1223–1239.
[18] Z. Li, X. Dong and Z. Cao, “Generalized Cipolla-Lehmer root computation in finite fields,” ICINS 2014 - 2014 International Conference on Information and Network Security, Beijing, 2014, pp. 163–168, doi: 10.1049/cp.2014.1281.
[19] Tornaría G. (2002) Square Roots Modulo p. In: Rajsbaum S. (eds) LATIN 2002: Theoretical Informatics. LATIN 2002. Lecture Notes in Computer Science, vol 2286. Springer, Berlin, Heidelberg, doi:10.1007/3-540-45995-2_38.
807–809, MR1677049 (99j:94036).[12] Siguna M¨uller, 2000, “On probable prime testing and the computa-tion of square roots mod n,” Algorithmic Number Theory, 4th Inter-national Symposium, ANTSIV, Lecture Notes in Computer Science,1838, Springer Verlag, pp. 423–437, MR1850623 (2002h:11140).[13] Daniel J. Bernstein, 2001, “Faster square roots in annoying finitefields,” preprint. (http://cr.yp.to/papers/sqroot.pdf).[14] Ren´e Schoof, 1985, “Elliptic curves over finite field and the compu-tation of square roots mod p,” Mathematics of Computation, 44, no.170, pp. 483–494, MR777280.[15] Tsz-Wo Sze, 2011, “On Taking Square Roots without Quadratic non-residues overfinite fields,” Mathematics of Computation, 80, no. 275,pp. 1797–1811.[16] Nesmith C. Ankeny, ”The least quadratic non residue”, Ann. ofMath. 55 (1952), no. 1, 65–72[17] A. Uma Maheswari and Prabha Durairaj, 2017, ” An Algorithmto Find Square Roots of Quadratic Residues Modulo p ”, GlobalJournal of Pure and Applied Mathematics. ISSN 0973-1768 Volume13, Number 4 (2017), pp. 1223–1239[18] Z. Li, X. Dong and Z. Cao, ”Generalized Cipolla-Lehmer root com-putation in finite fields,” ICINS 2014 - 2014 International Conferenceon Information and Network Security, Beijing, 2014, pp. 163-168,doi: 10.1049/cp.2014.1281.[19] Tornar´ıa G. (2002) Square Roots Modulo p. In:Rajsbaum S.(eds) LATIN 2002: Theoretical Informatics. LATIN 2002. LectureNotes in Computer Science, vol 2286. Springer, Berlin, Heidelberg,doi:10.1007/3-540-45995-2 38