On Taking r-th Roots without r-th Nonresidues over Finite Fields and Its Applications
Tsz-Wo Sze ([email protected]). Preliminary version, November 21, 2018.
Abstract
We first show a deterministic algorithm for taking r-th roots over F_q without being given any r-th nonresidue, where F_q is a finite field with q elements and r is a small prime such that r divides q − 1. As applications, we illustrate deterministic algorithms over F_q for constructing r-th nonresidues, constructing primitive elements, solving polynomial equations and computing elliptic curve "n-th roots", and a deterministic primality test for the generalized Proth numbers. All algorithms are proved without assuming any unproven hypothesis. They are efficient only if all the factors of q − F_q. In some cases, they are the fastest among the known deterministic algorithms.

Let F_q be a finite field with q elements and r be a prime. Similar to the relationship between taking square roots and constructing quadratic nonresidues over F_q, taking r-th roots over F_q, for r a divisor of q − 1, is polynomial-time equivalent to constructing r-th nonresidues over F_q. Clearly, if r-th roots can be computed efficiently, an r-th nonresidue can be constructed by taking r-th roots repeatedly on a non-zero, non-identity element. For the converse, the Tonelli-Shanks square root algorithm [21, 18] can be generalized to take r-th roots, provided that an r-th nonresidue is given as an input.

Without an r-th nonresidue as an input, there are no known unconditionally deterministic polynomial-time r-th root algorithms over finite fields in general, except for some easy cases such as (r, q − 1) = 1 or r k q − k-th power nonresidues over finite fields [6]. For taking square roots over F_q, if a quadratic nonresidue is given, we may use deterministic polynomial-time square root algorithms such as Tonelli-Shanks [21, 18], Adleman-Manders-Miller [1] and Cipolla-Lehmer [8, 14]. Without quadratic nonresidues, we have Schoof's square root algorithm over prime fields [17] and our square root algorithm over any finite field [20]. Note that these two algorithms run in polynomial time only in some cases. Obviously, taking square roots and solving quadratic equations are polynomial-time equivalent.

A general problem is solving polynomial equations over F_q, which is a generalization of the following problems,
• taking r-th roots,
• constructing primitive r-th roots of unity,
• constructing r-th nonresidues,
• constructing primitive elements (generators of F_q^×),
where r is a prime divisor of q − 1. It is clear that a primitive r-th root of unity can be computed efficiently from any r-th nonresidue. By definition, a primitive element is also an r-th nonresidue.

A more general problem is polynomial factoring over F_q. Although there is a deterministic polynomial-time algorithm, the celebrated Lenstra-Lenstra-Lovász algorithm, for factoring polynomials over the rational numbers [15], there are no known unconditional finite field counterparts in general. For deterministic polynomial factoring over finite fields, we have Berlekamp's algorithm, which is efficient only for q small [4]. For q large, there are probabilistic algorithms such as the probabilistic version of Berlekamp's algorithm [5], Cantor and Zassenhaus [7], von zur Gathen and Shoup [24], and Kaltofen and Shoup [12]. Under some generalizations of the Riemann hypothesis, there is a subexponential-time algorithm by Evdokimov for any finite field [9], and there are deterministic polynomial-time algorithms for some special cases. For a survey, see [23].

The problem of solving polynomial equations is to find solutions of f(x) = 0 over F_q, where f(x) ∈ F_q[x] is a polynomial. Without loss of generality, we may assume f is a product of distinct linear factors because squarefree factorization and distinct degree factorization can be computed efficiently; see [13, 23, 27]. If f has a multiple root, then
(f, f′) (1.1)
is a non-trivial factor of f, where f′ denotes the derivative of f. Since x^q − x is the product of all monic linear polynomials in F_q[x], the non-linear factors can be removed by computing
(f(x), x^q − x). (1.2)
Let E(F_q) be an elliptic curve defined over F_q. An analogy of taking r-th roots over F_q is taking an "n-th root" over E(F_q).
Consider the following: given a point Q ∈ E(F_q) and a positive integer n,
(E1) decide whether
Q = nP (1.3)
for some ∞ ≠ P ∈ E(F_q);
(E2) find P if such P exists.
Note that, when Q = ∞, the trivial solution P = ∞ is excluded. Although usually the elliptic curve group operation is written additively, the nature of the problems above is closer to the finite field n-th root than to the finite field multiplicative inverse.

In this paper, the main results are presented in §2. We extend the ideas in [20] to design a deterministic r-th root algorithm in §3. Then, we demonstrate applications on primality testing, solving polynomial equations and taking elliptic curve "n-th roots" in §4, §5 and §6, respectively.
The main results are summarized by the theorems at the end of the section. All theorems can be proved without assuming any unproven hypothesis. All running times are given in terms of bit operations. We ignore logarithmic factors in running time and adopt the Õ(·) notation. Polynomial multiplication, division with remainder and greatest common divisor over F_q can be computed using fast Fourier transforms and other fast methods in Õ(d log q) bit operations for degree d polynomials. See [13] and [22].

Let
q = r_1^{e_1} ··· r_m^{e_m} t + 1 (2.1)
where r_1, …, r_m are distinct primes and e_1, …, e_m, t ≥ 1 with (r_1 ··· r_m, t) = 1. Define sets of prime powers as follows.

Definition 2.1. Let Q_t be a set of prime powers. For all q ∈ Q_t, q can be written in the form of equation (2.1) such that r_1 + ··· + r_m + t = O(poly(log q)) and, for 1 ≤ j ≤ m, a primitive z_j-th root of unity ζ_{z_j} ∈ F_q can be computed in polynomial time, where
z_j := ( , if r_j = 2; r_j, otherwise. (2.2)
Informally, for q ∈ Q_t, t and all the prime factors of q − 1 z_j-th root of unity over F_q can be computed efficiently for any prime factor r_j of (q − 1)/t. Note that the factorization of q − 1 Q_t for t ≥ . Define
Q := ⋃_{t ≥ 1} Q_t. (2.3)
The main results are summarized below.

Theorem 2.2. Let q ∈ Q. For r ∈ {r_1, …, r_m}, there is a deterministic polynomial-time algorithm computing an r-th root of any r-th residue over F_q. Equivalently, there is a deterministic polynomial-time algorithm constructing an r-th nonresidue over F_q.

Theorem 2.3. Let q ∈ Q. There is a deterministic polynomial-time algorithm constructing a primitive element over F_q.

Definition 2.4. A generalized Proth number is a positive integer of the form
N = r^e t + 1 (2.4)
for prime r, positive integers e and t such that r^e > t.

Theorem 2.5. Let N be a generalized Proth number. There is a deterministic algorithm, which runs in
Õ((r(r + t) + log N) r log N)
bit operations, for deciding the primality of N. Further, if r is a small constant and t = O(log N), the running time is Õ(log N) bit operations.

Theorem 2.6. Let q ∈ Q. There is a deterministic Õ(poly(d log q)) algorithm to solve the polynomial equation f(x) = 0 over F_q for any degree d polynomial f(x) ∈ F_q[x].

Theorem 2.7.
Let q ∈ Q. There is a deterministic polynomial-time algorithm computing elliptic curve "n-th roots" over F_q for any positive integer n = O(poly(log q)).

r-th Roots

Let F_q be a finite field with q elements. Suppose
β = α^r ∈ F_q (3.1)
for some α ∈ F_q and some integer r > 1. The problem of taking r-th roots over F_q is to find α, given a finite field F_q, an element β and an integer r. If r does not divide q − 1, the problem is easy. If r is a composite number, we may first compute γ, an n-th root of β for n a prime factor of r, and then compute an (r/n)-th root of γ to obtain α. Therefore, assume that r is a prime divisor of q − 1. The problem of taking r-th roots is reduced to finding a non-trivial factor of x^r − β over F_q. We label the following input items and then show Algorithm 3.1 below.
(F): F_q, which is a finite field with q elements.
(R): r, which is a prime divisor of q − 1.
(B): β, which is an r-th residue in F_q.

Algorithm 3.1 (Compute an r-th root of β). The inputs are the ones specified in (F), (R) and (B); and f(x), where f(x) ∈ F_q[x] is a monic non-trivial factor of x^r − β. This algorithm returns an r-th root of β.
1. Let n = deg f and c ∈ F_q be the constant term of f(x).
2. Find integers u, v by the Euclidean algorithm such that un + vr = 1.
3. Return (−1)^{nu} c^u β^v.

Lemma 3.2. Algorithm 3.1 is correct.

Proof.
Let ρ be a primitive r-th root of unity in F_q. Since
x^r − β = ∏_{j=0}^{r−1} (x − ρ^j α),
we have c = (−1)^n ρ^k α^n for some integer k. We also have (n, r) = 1 because 0 < n < r and r is a prime. There exist integers u, v such that un + vr = 1. Finally,
(−1)^{nu} c^u β^v = ρ^{ku} α
is an r-th root of β. The lemma follows.

x^r − β

We extend the square root algorithm in [20] to show a deterministic algorithm, Algorithm 3.3, for finding a non-trivial factor of x^r − β. Unlike other algorithms, such as the generalized Shanks's algorithm, Algorithm 3.3 does not require any r-th nonresidue as an input and the associated proofs do not assume any unproven hypothesis. Similar to [20], Algorithm 3.3 requires finding primitive roots of unity. It is obvious that finding an N-th primitive root of unity is not harder than finding an N-th nonresidue because, given an N-th nonresidue, an N-th primitive root of unity can be easily computed. Below are some known cases in which primitive roots of unity can be computed efficiently; see [20] for more details. Let p be the characteristic of F_q. Denote a fixed primitive k-th root of unity in F_q by ζ_k.
(i) ζ or ζ when p ≡
(ii) ζ_{·n+1} for n ≥ , ·n + 1 is a prime and p ≡ , 25 (mod 36).
(iii) ζ_r when q = r^e t + 1 with t small.

The arithmetic of the square root algorithm in [20] is carried out over a specially constructed group, G_α, which is isomorphic to F_q^× and a degenerated elliptic curve. Taking a square root is obviously equivalent to finding a non-trivial factor of x^2 − β. It is possible to formulate the algorithm in [20] so that the arithmetic is carried out over the ring F_q[x]/(x^2 − β) for factoring the polynomial x^2 − β. We generalize this idea and work on the ring F_q[x]/(x^r − β) in Algorithm 3.3. When r = 2, Algorithm 3.3 and the algorithm in [20] are essentially the same.

The "problem" of working on the ring F_q[x]/(x^r − β) is that there are zero divisors. However, if we have a zero divisor f(x), then (f(x), x^r − β) is a non-trivial factor of x^r − β. This idea is similar to Lenstra's elliptic curve integer factoring algorithm [10]. He works on the ring Z/nZ for some composite integer n, tries to find a zero divisor z in Z/nZ, and then (z, n) is a non-trivial factor of n.

If r ∤ (q − 1), it is easy to compute α. Thus, assume
r | (q − 1). (3.2)
As in equation (2.1), write q − 1 = r_1^{e_1} ··· r_m^{e_m} t. Without loss of generality, assume r = r_1. Note that e_1 ≥ 1. Since the r_j's are fixed, the partial factorization of q − 1 is available for q ∈ Q; see definition (2.3). We present Algorithm 3.3 below and discuss the details in the following sections. Note that it returns immediately once Algorithm 3.6, 3.8 or 3.10 has returned a non-trivial factor of x^r − β.
(R'): r, which satisfies (R) and (3.2).
(Q): r_1, …, r_m, e_1, …, e_m and t such that r = r_1 and q − 1 = r_1^{e_1} ··· r_m^{e_m} t is the partial factorization satisfying equation (2.1).

Algorithm 3.3 (Find a non-trivial factor of x^r − β). The inputs are the ones specified in assumptions (Q), (F), (R') and (B). This algorithm returns a non-trivial factor of x^r − β.
I: If r = 2 and β = 1, return x + 1. If r = 2 and β = −1, return x + √−1. Compute ρ = ζ_r, a primitive r-th root of unity.
II: Find a by Algorithm 3.6 with k = rt.
III: Find ℓ by Algorithm 3.8.
IV: Find k by Algorithm 3.10.
V: Find a non-trivial factor f(x) of x^r − β by Algorithm 3.14. Return f(x).

a such that (g_{a,k}(x), x^r − β) = 1

For a ∈ F_q, a^r ≠ β, define a rational function
ψ_a(x) := (a − x)/(a − ρx) ∈ F_q(x). (3.3)
For 0 ≤ i < r, let
c_i := ψ_a(ρ^i α) ∈ F_q^×; (3.4)
d_i := ord c_i, (3.5)
the order of c_i in F_q^×. In other words, we have
ψ_a(x) ≡ c_i (mod x − ρ^i α); ψ_a(x)^{d_i} ≡ 1 (mod x − ρ^i α).
Instead of working with the rational function ψ_a directly, define polynomials
g_k(x, y, z) := (y − x)^k − z (y − ρx)^k ∈ F_q[x, y, z]; (3.6)
g_{a,k}(x) := g_k(x, a, 1) ∈ F_q[x], (3.7)
for k > 0. We have the following lemma.
Lemma 3.4.
Let k be a positive integer.
(1) d_i divides k for all 0 ≤ i < r if and only if g_{a,k}(x) ≡ 0 (mod x^r − β).
(2) There exist i, j such that d_i divides k but d_j does not divide k if and only if (g_{a,k}(x), x^r − β) is a non-trivial factor of x^r − β.
(3) d_i does not divide k for all 0 ≤ i < r if and only if (g_{a,k}(x), x^r − β) = 1.

Proof. It is straightforward.

Among the cases in Lemma 3.4, case (1) is not useful to our algorithm. We show in the lemma below that the number of possible values of a falling into this case is bounded above by k. If case (2) occurs, we are done. Otherwise, we find an a falling into case (3) in Algorithm 3.6.

Lemma 3.5. There are at most k distinct a ∈ F_q such that a^r ≠ β and g_{a,k}(x) ≡ 0 (mod x^r − β).

Proof. Suppose that, for 1 ≤ i ≤ k + 1, we have a_i ∈ F_q, a_i^r ≠ β and g_{a_i,k}(x) ≡ 0 (mod x^r − β). Then, g_{a_i,k}(α) = 0 and so ψ_{a_i}(α)^k = 1. Since ψ_a(α) ≠ ψ_b(α) whenever a ≠ b, there are k + 1 distinct elements in F_q such that the multiplicative orders of all these elements divide k. It is a contradiction. The lemma follows.

We show Algorithm 3.6 below. Note that the ρ, which is computed in Algorithm 3.3 Step I, is used for computing g_{a_i,k}(x) in II.2.
(Z): ρ, where ρ = ζ_r ∈ F_q is a primitive r-th root of unity.

Algorithm 3.6 (Find a). The inputs are the ones specified in (F), (R'), (B) and (Z); and k, where k > 0 is an integer. This algorithm either returns a non-trivial factor of x^r − β, or returns a ∈ F_q such that
a^r ≠ β and (g_{a,k}(x), x^r − β) = 1. (3.8)
II: Consider k + 1 distinct elements a_1, …, a_{k+1} ∈ F_q.
II.1: If there exists i such that a_i^r = β, return x − a_i.
II.2: If there exists i such that f(x) = (g_{a_i,k}(x), x^r − β) is a non-trivial factor of x^r − β, return f(x).
II.3: Set a = a_j for some 1 ≤ j ≤ k + 1 such that (g_{a_j,k}(x), x^r − β) = 1. Return a.

Lemma 3.7.
Algorithm 3.6 is correct.

Proof. The algorithm is obviously correct if it returns at II.1 or II.2. Otherwise, there exists 1 ≤ j ≤ k + 1 such that (g_{a_j,k}(x), x^r − β) = 1 by Lemma 3.5. The lemma follows.

ℓ = r_j such that (g_{a,h_j}(x), x^r − β) = 1

Let
h_j := (q − 1)/r_1^{e_1 − 1}, if j = 1; (q − 1)/r_j^{e_j}, otherwise.
Algorithm 3.6 is executed with k = rt in Algorithm 3.3 Step II. Algorithm 3.8 is shown below.
(A): a, where a ∈ F_q satisfies condition (3.8) with k = rt.
(L): ℓ, where ℓ = r_j for some 1 ≤ j ≤ m such that (g_{a,h_j}(x), x^r − β) = 1.

Algorithm 3.8 (Find ℓ). The inputs are the ones specified in (Q), (F), (R'), (B), (Z) and (A). This algorithm either returns a non-trivial factor of x^r − β, or returns an integer ℓ satisfying (L).
III.1: If there exists 1 ≤ j ≤ m such that f(x) = (g_{a,h_j}(x), x^r − β) is a non-trivial factor of x^r − β, return f(x).
III.2: Set ℓ = r_j for some 1 ≤ j ≤ m such that (g_{a,h_j}(x), x^r − β) = 1. Return ℓ.

Lemma 3.9. Algorithm 3.8 is correct.

Proof. The algorithm is obviously correct if it returns at III.1. Otherwise, (g_{a,h_j}(x), x^r − β) for 1 ≤ j ≤ m are trivial factors of x^r − β. Suppose, for all 1 ≤ j ≤ m, g_{a,h_j}(x) ≡ 0 (mod x^r − β). Then,
ψ_a(x)^{h_1} ≡ ··· ≡ ψ_a(x)^{h_m} ≡ 1 (mod x^r − β),
or equivalently, ψ_a(ρ^i α)^{h_j} = 1 for all 0 ≤ i < r and all 1 ≤ j ≤ m. Recall that d_i is the multiplicative order of ψ_a(ρ^i α) in F_q^× defined in equation (3.5). For all 0 ≤ i < r and all 1 ≤ j ≤ m, we have d_i | h_j. Since rt = gcd(h_1, …, h_m), we have d_i | rt. It is a contradiction because d_i does not divide rt for all 0 ≤ i < r by assumption (A) and Lemma 3.4 case (3). The lemma follows.

k such that D_{k′}(x) = x^r − β for 0 ≤ k′ ≤ k and D_{k′′}(x) = 1 for k < k′′ ≤ e′

Let
e′ := e_1 − 1, if ℓ = r_1; e_j, otherwise. (3.9)
Define polynomials
D_i(x) := (g_{a,(q−1)/ℓ^i}(x), x^r − β) ∈ F_q[x] (3.10)
for 0 ≤ i ≤ e′. By Lemma 3.4 case (1) with k = q − 1, D_0(x) = x^r − β and, by assumption (L), D_{e′}(x) = 1. We show Algorithm 3.10 below.
(K): k such that, for all 0 ≤ k′ ≤ k and all k < k′′ ≤ e′, D_{k′}(x) = x^r − β and D_{k′′}(x) = 1.

Algorithm 3.10 (Find k). The inputs are the ones specified in (Q), (F), (R'), (B), (Z), (A) and (L). This algorithm either returns a non-trivial factor of x^r − β, or returns an integer k satisfying (K).
IV.1: Compute D_k(x) by definition (3.10) for all 0 ≤ k ≤ e′.
IV.2: If there exists 0 < k < e′ such that D_k(x) is a non-trivial factor of x^r − β, return D_k(x).
IV.3: Set k to be the largest k such that D_k(x) = x^r − β. Return k.

Lemma 3.11.
Algorithm 3.10 is correct.

Proof. The algorithm is obviously correct if it returns at IV.2. Suppose all D_k(x) are trivial factors of x^r − β. By Lemma 3.12 below, there exists 0 ≤ k < e′ satisfying (K). The lemma follows.

Lemma 3.12. If D_i(x) = x^r − β for some 0 ≤ i < e′, then D_{k′}(x) = x^r − β for all 0 ≤ k′ ≤ i.

Proof. It follows from case (1) of Lemma 3.4.

x^r − β

Equipped with conditions (A), (L) and (K), we are ready to split x^r − β. Below is the key lemma.

Lemma 3.13. Let N > 1 be a prime power such that N ≠ r. Let D be a positive integer. Suppose, for 0 ≤ i < r,
ψ_a(ρ^i α)^D = ζ_N^{n_i}
for some integer n_i ∈ (Z/NZ)^×, where a ∈ F_q such that a^r ≠ β, and ζ_N is a primitive N-th root of unity. There exist i and j such that n_i ≠ n_j.

Proof. Suppose n_0 = ··· = n_{r−1} = n for some integer n with (n, N) = 1. Let ζ = ζ_N^n. We have
ψ_a(α)^D = ψ_a(ρα)^D = ··· = ψ_a(ρ^{r−1} α)^D = ζ,
which is equivalent to
g_D(α, a, ζ) = g_D(ρα, a, ζ) = ··· = g_D(ρ^{r−1} α, a, ζ) = 0.
By definition (3.6),
g_D(ρ^i α, a, ζ) = (a − ρ^i α)^D − ζ (a − ρ^{i+1} α)^D.
Then,
(a − α)^D (1 − ζ^r) = ∑_{i=0}^{r−1} ζ^i g_D(ρ^i α, a, ζ) = 0.
Thus, ζ^r = 1 since a ≠ α. It is a contradiction because N does not divide r. The lemma follows.

We show Algorithm 3.14 below. Define
d := (q − 1)/ℓ^{k+2}, if ℓ = r; (q − 1)/ℓ^{k+1}, otherwise.

Algorithm 3.14 (Split x^r − β). The inputs are the ones specified in (Q), (F), (R'), (B), (Z), (A), (L) and (K). In addition, assume r ≠ 2 when β^r = 1. This algorithm returns a non-trivial factor of x^r − β.
V.1: Case ℓ ≠ r:
V.1.1: Compute ζ_ℓ, a primitive ℓ-th root of unity.
V.1.2: For each 0 < n < ℓ, compute f_n(x) = (g_d(x, a, ζ_ℓ^n), x^r − β); return f_n(x) if f_n(x) is a non-trivial factor of x^r − β.
V.2: Case ℓ = r and β^r ≠ 1:
V.2.1: Compute ζ_{r^2}, a primitive r^2-th root of unity, recursively. In other words, use Algorithm 3.1 and Algorithm 3.3 with β = ζ_r.
V.2.2: For each n ∈ (Z/r^2 Z)^×, compute f_n(x) = (g_d(x, a, ζ_{r^2}^n), x^r − β); return f_n(x) if f_n(x) is a non-trivial factor of x^r − β.
V.3: Case ℓ = r ≠ 2 and β^r = 1:
V.3.1: For each n ∈ (Z/r^2 Z)^×, compute f_n(x) = (g_d(x, a, x^n), x^r − β); return f_n(x) if f_n(x) is a non-trivial factor of x^r − β.

Lemma 3.15.
Algorithm 3.14 Step V.1 is correct.

Proof. Recall that d_i is defined in equation (3.5). For all 0 ≤ i < r, we have d_i | ℓd and d_i ∤ d by assumption (K). Since F_q^× is cyclic,
ψ_a(ρ^i α)^d = ζ_ℓ^{n_i}
for some 0 < n_i < ℓ. Let g_n(x) := g_d(x, a, ζ_ℓ^n) ∈ F_q[x]. Then,
g_{n_0}(x) ≡ 0 (mod x − α).
By Lemma 3.13 with N = ℓ and D = d, there exists 0 < j < r such that
g_{n_0}(x) ≢ 0 (mod x − ρ^j α).
Therefore, (g_{n_0}(x), x^r − β) is a non-trivial factor of x^r − β. The remaining question is how to find n_0. It is not required. For 0 < n < ℓ, compute (g_n(x), x^r − β) in order to find a non-trivial factor of x^r − β. The lemma follows.

Lemma 3.16. Algorithm 3.14 Step V.2 is correct.

Proof. Similar to the proof of the previous lemma, for all 0 ≤ i < r, d_i | r^2 d and d_i ∤ rd by assumption (K). We have
ψ_a(ρ^i α)^d = ζ_{r^2}^{n_i}
for some n_i ∈ (Z/r^2 Z)^×. Let g_n(x) := g_d(x, a, ζ_{r^2}^n) ∈ F_q[x]. Then,
g_{n_0}(x) ≡ 0 (mod x − α); g_{n_0}(x) ≢ 0 (mod x − ρ^j α)
for some 0 < j < r by Lemma 3.13 with N = r^2 and D = d. For each n ∈ (Z/r^2 Z)^×, compute (g_n(x), x^r − β) to find a non-trivial factor of x^r − β. The lemma follows.

In the case ℓ = r, a primitive r^2-th root of unity, ζ_{r^2}, is required. Interestingly, ζ_{r^2} can be computed recursively, by taking an r-th root of ρ, or equivalently, by finding a non-trivial factor of x^r − ρ. Execute Algorithm 3.3 with β = ρ and denote the output of Step III by ℓ′. If ℓ′ ≠ r, we proceed with Step V.1. Otherwise, we have ℓ′ = r. Then,
(g_d(x, a, ζ_{r^2}^n), x^r − ρ) (3.11)
is a non-trivial factor of x^r − ρ for some n. Nevertheless, the gcd cannot be computed directly because ζ_{r^2} is not available. The idea is to replace ζ_{r^2} with x. In other words, use g_d(x, a, x^n), instead of g_d(x, a, ζ_{r^2}^n), in (3.11). This idea does not work for the case ℓ = r = 2 and β^r = 1, which is handled separately in Step I. We have the following lemma.

Lemma 3.17.
Suppose r is an odd prime. If g_d(x, a, x^n) ≡ 0 (mod x − ζ_{r^2}) for some n ∈ (Z/r^2 Z)^×, there exists 0 < i < r such that g_d(x, a, x^n) ≢ 0 (mod x − ρ^i ζ_{r^2}).

Proof. Let ζ = ζ_{r^2}. Suppose g_d(x, a, x^n) ≡ 0 (mod x − ρ^i ζ) for all 0 ≤ i < r. Then,
g_d(ζ, a, ζ^n) = g_d(ρζ, a, (ρζ)^n) = ··· = g_d(ρ^{r−1} ζ, a, (ρ^{r−1} ζ)^n) = 0.
Let
s_k := ∑_{i=0}^{k−1} i = k(k − 1)/2.
Since r is odd, r divides s_r. By definition (3.6),
g_d(ρ^i ζ, a, (ρ^i ζ)^n) = (a − ρ^i ζ)^d − ρ^{in} ζ^n (a − ρ^{i+1} ζ)^d.
Then,
0 = ∑_{i=0}^{r−1} ρ^{s_i n} ζ^{in} g_d(ρ^i ζ, a, (ρ^i ζ)^n) = (a − ζ)^d (1 − ρ^{s_r n} ζ^{rn}) = (a − ζ)^d (1 − ζ^{rn}).
Since a ≠ ζ, we have ζ^{rn} = 1. It is a contradiction. The lemma follows.

Lemma 3.18. Algorithm 3.14 Step V.3 is correct.

Proof. Suppose, for 0 ≤ i < r,
ψ_a(ρ^i ζ_{r^2})^d = ζ_{r^2}^{n_i}
for some integer n_i ∈ (Z/r^2 Z)^×. Let g_n(x) := g_d(x, a, x^n) ∈ F_q[x]. Consider the polynomial g_{n_0}(x). We have
g_{n_0}(x) ≡ 0 (mod x − ζ_{r^2}); g_{n_0}(x) ≢ 0 (mod x − ρ^j ζ_{r^2})
for some 0 < j < r by Lemma 3.17. For each n ∈ (Z/r^2 Z)^×, compute (g_n(x), x^r − ρ) to find a non-trivial factor of x^r − ρ. The lemma follows.

We analyze the running time of Algorithms 3.1 and 3.3 below.
Lemma 3.19.
Algorithm 3.1 runs in Õ(log r log q) bit operations.

Proof. The Euclidean algorithm can be executed in Õ(log r) and the last step can be evaluated in Õ(log r log q). The lemma follows.

In Algorithm 3.3, a common operation is to compute (g_k(x, y, z^n), x^r − β) for some fixed k > 0, some fixed N and all 1 ≤ n ≤ N, where y ∈ F_q and z ∈ F_q ∪ {x}. We show the required running time below and then show the running time of Algorithm 3.3.

Lemma 3.20. Let k and N be positive integers. Given y ∈ F_q, z ∈ F_q ∪ {x} and ρ, it takes Õ((log k + N) r log q) bit operations to compute (g_k(x, y, z^n), x^r − β) for all 1 ≤ n ≤ N.

Proof. For any a, b ∈ F_q, the power-modulo (a − bx)^k (mod x^r − β) can be computed in Õ(r log k log q). Let
f_0(x) := (y − x)^k (mod x^r − β); f_1(x) := (y − ρx)^k (mod x^r − β).
By equation (3.6),
g_k(x, y, z^n) ≡ f_0(x) − z^n f_1(x) (mod x^r − β).
Once f_0 and f_1 are obtained, the GCDs (g_k(x, y, z^n), x^r − β) for 1 ≤ n ≤ N can be computed incrementally using Õ(N r log q). The lemma follows.

Recall that r = r_1 by assumption (Q) and z_i is defined in equation (2.2).

Lemma 3.21. Algorithm 3.3 is correct and runs in
Õ(Z_max + (r(r + t) + r_max + m log q) r log q) (3.12)
bit operations, where r_max = max(r_1, …, r_m), Z_max = max(Z_{z_1}, …, Z_{z_m}), and Z_n is the time required for constructing a primitive n-th root of unity over F_q.

Proof. If it returns at Step I, the algorithm is obviously correct. Otherwise, the correctness follows from Lemmas 3.7, 3.9, 3.11, 3.15, 3.16 and 3.18.

We show the running time as follows. Clearly, Step I requires O(Z_{z_1}). For each a_i, the running times are Õ(log r log q) in II.1 and Õ(r log k log q) in II.2 and II.3. Step II requires Õ(kr log q) = Õ(r^2 t log q) since there are k + 1 elements and k = rt. Step III requires Õ(mr log q). By first computing D_{e′}(x) in Õ(r log q), then using the intermediate results to compute D_{e′−1}(x) in Õ(r log ℓ log q) and so on, Step IV requires Õ(r log ℓ log q). Suppose ℓ ≠ r or β^r = 1 in Step V for the following. We are either in V.1 or V.3. V.1.1 requires Z_ℓ to compute ζ_ℓ. By Lemma 3.20, V.1.2 and V.3.1 can be done in Õ((log q + ℓ) r log q) and Õ((log q + r^2) r log q), respectively. Step V without V.2 takes Õ(Z_ℓ + (r^2 + ℓ + log q) r log q). The overall running time of the algorithm in this case is (3.12).

Suppose ℓ = r ≠ 2 and β^r ≠ 1. Everything remains the same except that we are in V.2. By Lemma 3.19 and the above, the recursive call in V.2.1 requires (3.12). V.2.2, which is similar to V.3.1, requires Õ((log q + r^2) r log q). The overall running time of the algorithm in this case is also (3.12). The lemma follows.

By the running time in (3.12), Algorithm 3.3 is efficient only if t and all the prime factors of q − 1 are small and, for 1 ≤ i ≤ m, a primitive z_i-th root of unity can be constructed efficiently over F_q.

Proof of Theorem 2.2. If r ∤ (q − 1), taking r-th roots over F_q can be easily done in polynomial time. Otherwise, r | (q − 1). Since q ∈ Q, we have t + r_max + Z_max = O(poly(log q)). Taking r-th roots for any r-th residue over F_q can be done in polynomial time by Lemmas 3.19 and 3.21. For constructing an r-th nonresidue ζ_{r^e} ∈ F_q, we begin with ζ_r, compute ζ_{r^2} = r√ζ_r, then compute ζ_{r^3} = r√ζ_{r^2}, and so on. The theorem follows.

Proof of Theorem 2.3. For any q ∈ Q, for each i, an r_i-th nonresidue ζ_{r_i^{e_i}} ∈ F_q can be computed in deterministic polynomial time by Theorem 2.2. The product ∏_{i=1}^m ζ_{r_i^{e_i}} is a primitive element over F_q. The theorem follows.

We show an interesting special case below.

Theorem 3.22. Let q = r^e t + 1 be a prime power for r prime, e > 0, t ≥ 1 and (r, t) = 1. There is a deterministic algorithm, which runs in
Õ((r(r + t) + log q) r log q)
bit operations, for taking r-th roots over F_q. Further, there is a deterministic algorithm, which runs in
Õ((r(r + t) + log q) r log q)
bit operations, for constructing an r-th nonresidue over F_q.

Proof. Firstly, find a primitive r-th root of unity, ζ_r, by [20, Alg. 5.9] in Õ((t + log q) log q). Then, use Algorithms 3.1 and 3.3 to compute an r-th root in Õ(log r log q) and Õ((r(r + t) + log q) r log q), respectively. For constructing an r-th nonresidue, it requires taking O(log q) r-th roots. The theorem follows.

Let N be a generalized Proth number as defined in Definition 2.4. Consider the problem of deciding the primality of N. In [19], a deterministic primality test is created from a deterministic square root algorithm and Proth's theorem; see [26] for the details of Proth's theorem. The idea is generalized here: we design a deterministic primality test using the deterministic r-th root algorithm presented in §3.

Proof of Theorem 2.5. If N is prime, an r-th nonresidue ζ_{r^e} ∈ Z/NZ can be constructed in Õ((r(r + t) + log N) r log N) by Theorem 3.22. If N is composite, no such ζ_{r^e} exists in Z/NZ by Theorem 4.2 below. Since all algorithms, including Algorithm 5.9 in [20] and Algorithms 3.1 and 3.3 in the previous section, are deterministic, the primality of N can be decided by trying to construct an r-th nonresidue over the integer ring Z/NZ using these algorithms. The theorem follows.

For N = r^e t + 1 with r a small constant and t = Õ(log N), the running time of our primality test is Õ(log N). It is faster than all known deterministic tests. The running times of the AKS test [2] and Lenstra-Pomerance's modified AKS test [11] are Õ(log . N) and Õ(log N), respectively.
Assuming the Extended Riemann Hypothesis, Miller's test [16] is deterministic with running time Õ(log N). We will use the following lemma to prove Theorem 4.2. Denote Euler's function by φ(·).

Lemma 4.1. Let n = ℓ^k be a prime power for some prime ℓ and k ≥ 1. Let r^e be a prime power with r ≠ ℓ. If r^e | φ(n) and r^e > √n, then k = 1 and n is a prime.

Proof. We have φ(n) = (ℓ − 1) ℓ^{k−1}. Then, r^e divides (ℓ − 1) and so ℓ > r^e. If k > 1, then
φ(n) ≥ (ℓ − 1) ℓ > r^{2e} > n,
which is a contradiction. Thus, k = 1 and n is a prime.

Theorem 4.2 (Generalized Proth's Theorem). Let N = r^e t + 1 be a generalized Proth number as defined in Definition 2.4 for prime r, positive integers e and t such that r^e > t. If
a^{N−1} ≡ 1 (mod N) and a^{(N−1)/r} ≢ 1 (mod N), (4.1)
for some integer a, then N is a prime.

Proof. It is easy to see that, for any generalized Proth number, r^e > √N. Suppose there exists an integer a satisfying equations (4.1). Let d := ord_N a be the order of a in (Z/NZ)^×. Then, r^e divides d and so r^e | φ(N). If N = ℓ^k for some prime ℓ and k ≥ 1, then N is a prime by Lemma 4.1.

Suppose N = ℓ_1^{k_1} ··· ℓ_m^{k_m} for m > 1, some distinct primes ℓ_1, …, ℓ_m and some integers k_1, …, k_m ≥ 1. Let b ≡ a^{d/r^e} (mod N). Then, ord_N b = r^e. Let d_i be the order of b in (Z/ℓ_i^{k_i} Z)^×. Since b^{r^e} ≡ 1 (mod ℓ_i^{k_i}) for all 1 ≤ i ≤ m,
d_i := ord_{ℓ_i^{k_i}} b = r^{s_i}
for some 0 ≤ s_i ≤ e. Without loss of generality, assume s_1 ≥ s_i for all 1 ≤ i ≤ m. Then,
b^{d_1} ≡ 1 (mod ℓ_i^{k_i})
for all 1 ≤ i ≤ m. By the Chinese Remainder Theorem,
b^{d_1} ≡ 1 (mod N).
Therefore, r^e divides both d_1 and φ(ℓ_1^{k_1}). By Lemma 4.1 with n = ℓ_1^{k_1}, we have k_1 = 1. Write
ℓ_1 = r^e t_1 + 1 and N/ℓ_1 = r^{e_2} t_2 + 1
with (r, t_2) = 1. Since ℓ_1 (N/ℓ_1) = N = r^e t + 1, we have
t = t_1 t_2 r^{e_2} + t_1 + t_2 r^{e_2 − e}.
Then, e_2 ≥ e, otherwise t is not an integer. However,
N = ℓ_1 (N/ℓ_1) > r^{e + e_2} ≥ r^{2e} > N,
which is a contradiction. The theorem follows.

Solving Polynomial Equations
Let F q be the finite field of q elements. Let f ( x ) ∈ F q [ x ] be a polynomial.In this section, we consider the problem of solving the polynomial equation f ( x ) = 0 , over F q . By (1.1) and (1.2) in §
1, we may assume f is a product of distinctlinear factors. Without loss of generality, assume deg f > f (0) = 0.When the prime factors of q − F q is polynomial-time reducible to the problem of taking r -throots over F q for all prime factors r of q − f ( x ) is a divisor of x d − a for some integerdivisor d of q − d -th residue a ∈ F q withord( a ) = ( q − /d. Let ℓ be a prime factor of d and ζ ℓ ∈ F q be a primitive ℓ -th root of unity.For 0 ≤ i < ℓ , let h i ( x ) def = x d/ℓ − ζ iℓ a /ℓ ∈ F q [ x ]; g i ( x ) def = (cid:0) f ( x ) , h i ( x ) (cid:1) ∈ F q [ x ] . We have x d − a = ℓ − Y i =0 h i ( x ); f ( x ) = ℓ − Y i =0 g i ( x ) . If g i is a non-trivial factor of f for some 0 ≤ i < ℓ , we are done (or keepfactoring until the complete factorization of f is obtained.) Otherwise, f isa divisor of h i for some 0 ≤ i < ℓ . Repeat the process with d ′ = d/ℓ and a ′ = ζ iℓ a /ℓ . Initially, f ( x ) is a divisor or x q − −
1, i.e. a = 1 and d = q − f below. Algorithm 5.1 (Factoring products of linear polynomials) . The inputs arethe prime factorization q − r e · · · r e m m and a polynomial f ( x ) ∈ F q [ x ] such that f (0) = 0 and f ( x ) is a product of two or more distinct moniclinear polynomials. This algorithm returns a non-trivial factor of f .
I: Set $a = 1$ and $d = q - 1$. Construct a primitive $r_j$-th root of unity $\zeta_{r_j} \in F_q$ for $1 \le j \le m$.
II: For each $1 \le j \le m$:
  II.1: For each $1 \le k \le e_j$:
    II.1.1: Compute $b \in F_q$ such that $b^{r_j} = a$ using some algorithm.
    II.1.2: Compute $g_i(x) = \bigl(f(x), x^{d/r_j} - \zeta_{r_j}^i b\bigr)$ for all $0 \le i < r_j$.
    II.1.3: If $g_i$ is a non-trivial factor of $f$ for some $0 \le i < r_j$, return $g_i$. Otherwise, set $i_0 = i$ such that $g_i = f$.
    II.1.4: Set $a = \zeta_{r_j}^{i_0} b$ and $d = d/r_j$.

Lemma 5.2. Algorithm 5.1 is correct.

Proof.
Clearly, the loops maintain an invariant that $a$ is an $r_j$-th residue over $F_q$ at II.1.1. Thus, the $r_j$-th roots of $a$ are in $F_q$.

We show by induction that $f(x) \mid (x^d - a)$ is an invariant at II.1.1. When $j = k = 1$, we have $a = 1$ and $d = q - 1$. By the input assumption, $f(x)$ divides $x^{q-1} - 1$. Let $a_{j_0,k_0}$ and $d_{j_0,k_0}$ be the values of $a$ and $d$ at II.1.1 when $j = j_0$ and $k = k_0$. Suppose $f(x)$ divides $x^{d_{j_0,k_0}} - a_{j_0,k_0}$. Let
$$b_{j_0,k_0} := a_{j_0,k_0}^{1/r_{j_0}} \in F_q; \qquad h_{i,j_0,k_0}(x) := x^{d_{j_0,k_0}/r_{j_0}} - \zeta_{r_{j_0}}^i b_{j_0,k_0} \in F_q[x]; \qquad g_{i,j_0,k_0}(x) := \bigl(f(x), h_{i,j_0,k_0}(x)\bigr) \in F_q[x].$$
Then,
$$x^{d_{j_0,k_0}} - a_{j_0,k_0} = \prod_{i=0}^{r_{j_0}-1} h_{i,j_0,k_0}(x); \qquad f(x) = \prod_{i=0}^{r_{j_0}-1} g_{i,j_0,k_0}(x).$$
If there exists $g_i$ a non-trivial factor of $f$, done. Otherwise, there exists a unique $i_0$ such that $g_{i_0} = f$. Denote the pair of $j, k$ following $j_0, k_0$ by $j_1, k_1$. When $j = j_1$ and $k = k_1$, we have $a = a_{j_1,k_1} = \zeta_{r_{j_0}}^{i_0} b_{j_0,k_0}$ and $d = d_{j_1,k_1} = d_{j_0,k_0}/r_{j_0}$ at II.1.1. By the definition of $g_{i_0}$, $f(x)$ divides $x^d - a$.

As a consequence, $f(x)$ divides $x^d - a$ right after II.1.4. The algorithm eventually returns a non-trivial factor of $f$ at II.1.3. Otherwise, for $j = m$ and $k = e_m$, we have $d = 1$ right after II.1.4. Then, $f(x)$ divides a linear polynomial. It is a contradiction. The lemma follows.

Lemma 5.3.
Algorithm 5.1 runs in
$$\tilde{O}\bigl((Z_{\max} + R_{\max} + (r_{\max} + \log q)\deg f \log q)\log q\bigr)$$
bit operations, where
$$r_{\max} := \max(r_1, \ldots, r_m),\quad Z_{\max} := \max(Z_{r_1}, \ldots, Z_{r_m}),\quad R_{\max} := \max(R_{r_1}, \ldots, R_{r_m}),$$
and $Z_n$ and $R_n$ are respectively the time required for constructing a primitive $n$-th root of unity and for computing an $n$-th root over $F_q$.

Proof. Obviously, Step I requires $O(mZ_{\max})$. Step II.1.1 requires $O(R_{r_j})$. In II.1.2, first compute $h(x) := x^{d/r_j} \bmod f(x)$ using $\tilde{O}(\deg f \log^2 q)$ and then compute $\bigl(f(x), h(x) - \zeta_{r_j}^i b\bigr)$ for $0 \le i < r_j$ using $\tilde{O}(r_j \deg f \log q)$. The time required for II.1.3 and II.1.4 is clearly dominated by II.1.2. Since there are at most $\sum_{j=1}^m e_j = O(\log q)$ iterations, Step II requires $\tilde{O}\bigl((R_{\max} + (r_{\max} + \log q)\deg f \log q)\log q\bigr)$. The lemma follows.
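The descent of Algorithm 5.1 (Steps I to II.1.4), together with the $x^{d/r_j} \bmod f$ computation used in the proof of Lemma 5.3, carried out over $F_{37}$ as an added example; this is not the paper's code, the function names are mine, $p = 37$ and the sample polynomial are constructed, and the $r$-th roots and primitive roots of unity that the paper leaves to "some algorithm" are found here by brute-force search.

```python
# Added example (not the paper's code): Algorithm 5.1 over F_p, p = 37, so
# q - 1 = 36 = 2^2 * 3^2. Polynomials are coefficient lists, lowest degree first;
# r-th roots and primitive roots of unity ("some algorithm") are brute-forced.
P, FACTORS = 37, [(2, 2), (3, 2)]                 # q - 1 = prod r_j^e_j as (r_j, e_j)
def trim(a):                                      # drop leading zero coefficients
    while len(a) > 1 and a[-1] == 0: a.pop()
    return a
def pdivmod(a, b, p):                             # quotient and remainder in F_p[x]
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    q, inv = [0] * max(1, len(a) - len(b) + 1), pow(b[-1], -1, p)
    while len(a) >= len(b) and any(a):
        s = len(a) - len(b); c = q[s] = a[-1] * inv % p
        for i, bi in enumerate(b): a[i + s] = (a[i + s] - c * bi) % p
        trim(a)
    return trim(q), a
def pgcd(a, b, p):                                # monic gcd by Euclid's algorithm
    while any(b): a, b = b, pdivmod(a, b, p)[1]
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]
def xpow_mod(e, f, p):                            # x^e mod f by square-and-multiply
    def mul(u, v):                                # u * v reduced mod f
        w = [0] * (len(u) + len(v) - 1)
        for i, ui in enumerate(u):
            for j, vj in enumerate(v): w[i + j] = (w[i + j] + ui * vj) % p
        return pdivmod(w, f, p)[1]
    res, base = [1], pdivmod([0, 1], f, p)[1]
    while e:
        res, base, e = (mul(res, base) if e & 1 else res), mul(base, base), e >> 1
    return res

def algorithm_5_1(f, p=P, factors=FACTORS):
    """Non-trivial monic factor of f, a product of >= 2 distinct linear factors, f(0) != 0."""
    a, d = 1, p - 1                                                          # Step I
    zeta = {r: next(z for z in range(2, p) if pow(z, r, p) == 1) for r, _ in factors}
    for r, e in factors:                                                     # Step II
        for _ in range(e):                        # invariant at II.1.1: f | x^d - a (Lemma 5.2)
            b = next(x for x in range(1, p) if pow(x, r, p) == a)            # II.1.1: b^r = a
            h = xpow_mod(d // r, f, p)                                        # x^(d/r) mod f, as in Lemma 5.3
            gs = [pgcd(f, [(h[0] - pow(zeta[r], i, p) * b) % p] + h[1:], p)   # II.1.2: (f, x^(d/r) - zeta^i b)
                  for i in range(r)]
            for g in gs:                                                      # II.1.3
                if 1 < len(g) < len(f): return g
            i0 = next(i for i, g in enumerate(gs) if len(g) == len(f))       # the unique i with g_i = f
            a, d = pow(zeta[r], i0, p) * b % p, d // r                        # II.1.4

def all_roots(f, p=P):                            # complete factorization by repeated splitting
    if len(f) == 2: return {(-f[0] * pow(f[1], -1, p)) % p}
    g = algorithm_5_1(f, p)
    return all_roots(g, p) | all_roots(pdivmod(f, g, p)[0], p)
SAMPLE_F = [1, 13, 19, 1]                         # constructed: (x - 2)(x - 5)(x - 11) over F_37
```

On SAMPLE_F the very first gcd in II.1.2 already separates the quadratic residue 11 from the nonresidues 2 and 5, while for $x^3 - 1$ the split only appears after descending to $d = 3$, as the invariant predicts.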
Lemma 5.4. Let $F_q$ be a finite field of $q$ elements. For every prime factor $r$ of $q - 1$, suppose $r = O(\mathrm{poly}(\log q))$ and there are deterministic polynomial-time algorithms for constructing a primitive $r$-th root of unity and computing $r$-th roots over $F_q$. Then, there is a deterministic polynomial-time algorithm solving any polynomial equation over $F_q$.

Proof. Without loss of generality, assume the input polynomial $f(x) \in F_q[x]$ is a product of two or more distinct monic linear polynomials and $f(0) \ne 0$. The complete factorization of $f$ can be computed in polynomial time using Algorithm 5.1 repeatedly. The overall running time is $\tilde{O}(\mathrm{poly}(\deg f \log q))$ by Lemma 5.3. Since the input size is $O(\deg f \log q)$, it is a polynomial-time algorithm. The lemma follows.

Proof of Theorem 2.6.
Since $q \in Q$, the theorem is an obvious consequence of Theorem 2.2 and Lemma 5.4.

6 Elliptic Curve “$n$-th Root” Problem

Let $F_q$ be a finite field with $q$ elements. For simplicity, assume the characteristic of $F_q$ is neither 2 nor 3. Denote an elliptic curve $E$ over $F_q$ by the Weierstrass equation
$$E : y^2 = x^3 + a_4 x + a_6$$
for some $a_4, a_6 \in F_q$. In the following, we study the elliptic curve “$n$-th root” problem described in §1. Problems (E1) and (E2) will be reduced to the problem of solving polynomial equations.

It is well known that multiplication by $n$ over $E$ is an endomorphism,
$$n(x, y) = \left(\frac{U_1(x)}{V_1(x)},\ y\,\frac{U_2(x)}{V_2(x)}\right)$$
for some polynomials $U_1(x), V_1(x), U_2(x), V_2(x) \in F_q[x]$ such that
$$\deg U_1 = n^2,\quad \deg V_1 \le n^2 - 1,\quad (U_1, V_1) = (U_2, V_2) = 1.$$
All polynomials $U_1, V_1, U_2$ and $V_2$ can be computed in polynomial time; see [25] for the details.

Suppose $Q \ne \infty$. We have $Q = (a, b)$ for some $a, b \in F_q$. If $Q = n(x_0, y_0)$ for some $x_0, y_0 \in F_q$, then $x_0$ is a solution of
$$f(x) := U_1(x) - aV_1(x) = 0$$
over $F_q$. Suppose $\alpha_1, \ldots, \alpha_k \in F_q$ are the roots of the equation $f(x) = 0$. Let
$$g_i(y) := y^2 - (\alpha_i^3 + a_4\alpha_i + a_6); \qquad (6.1)$$
$$h_i(y) := yU_2(\alpha_i) - bV_2(\alpha_i); \qquad (6.2)$$
$$\mathcal{P} := \{(\alpha_i, \beta) \in F_q^2 : g_i(\beta) = 0 \text{ and } h_i(\beta) = 0\}. \qquad (6.3)$$
The set $\mathcal{P}$ is the complete set of solutions of equation (1.3). For (E1), equation (1.3) has a solution if and only if $\mathcal{P}$ is non-empty. For (E2), any point $P \in \mathcal{P}$ is a solution of equation (1.3).

Suppose $Q = \infty$. Denote a fixed algebraic closure of $F_q$ by $\overline{F}_q$. Let
$$E[n](F_q) := E[n] \cap E(F_q),$$
where $E[n]$ denotes the $n$-torsion subgroup of $E(\overline{F}_q)$. Then $P \in E[n](F_q)$ if $P$ is a solution of equation (1.3). Let $\alpha_1, \ldots, \alpha_k \in F_q$ be the roots of the equation $V_1(x) = 0$ and
$$\mathcal{P}' := \{(\alpha_i, \beta) : 1 \le i \le k,\ g_i(\beta) = 0\},$$
where $g_i$ is defined in equation (6.1). Problems (E1) and (E2) can be solved similarly to before.

Proof of Theorem 2.7.
By the discussion above, the sets $\mathcal{P}$ and $\mathcal{P}'$ can be computed by solving a few polynomial equations over $F_q$. When $q \in Q$, a degree $d$ polynomial equation can be solved in $\tilde{O}(\mathrm{poly}(d \log q))$ by Theorem 2.6. Since $n = O(\mathrm{poly}(\log q))$, the degrees of all polynomials in the discussion above are also $O(\mathrm{poly}(\log q))$. The theorem follows.

Note that the running time of the elliptic curve $n$-th root algorithm depends mostly on the finite field $F_q$ but not on the curve. Once polynomial equations can be solved efficiently over $F_q$, elliptic curve $n$-th roots can be computed efficiently for any curve. Also, the number of points of $E(F_q)$ is not required in the algorithm.

References

[1] Leonard M. Adleman, Kenneth L. Manders, and Gary L. Miller. On taking roots in finite fields. In Proceedings of the 18th IEEE Symposium on Foundations of Computer Science, pages 175–178. IEEE, 1977.
[2] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. PRIMES is in P. Ann. of Math., 160(2):781–793, 2004.
[3] Paulo S. L. M. Barreto and José Felipe Voloch. Efficient computation of roots in finite fields. Des. Codes Cryptography, 39(2):275–280, 2006.
[4] Elwyn R. Berlekamp. Factoring polynomials over finite fields. Bell System Technical Journal, 46:1853–1859, 1967.
[5] Elwyn R. Berlekamp. Factoring polynomials over large finite fields. Math. Comp., 24(111):713–735, 1970.
[6] Johannes Buchmann and Victor Shoup. Constructing nonresidues in finite fields and the extended Riemann hypothesis. Math. Comp., 65(215):1311–1326, July 1996.
[7] David G. Cantor and Hans Zassenhaus. A new algorithm for factoring polynomials over finite fields. Math. Comp., 36(154):587–592, 1981.
[8] Michele Cipolla. Un metodo per la risoluzione della congruenza di secondo grado. Napoli Rend., 9:154–163, 1903.
[9] Sergei Evdokimov. Factorization of polynomials over finite fields in subexponential time under GRH. In Leonard Adleman and Ming-Deh Huang, editors, Algorithmic Number Theory, volume 877 of Lecture Notes in Computer Science, pages 209–219. Springer Berlin, 1994.
[10] Hendrik W. Lenstra Jr. Factoring integers with elliptic curves. Ann. of Math., 126:649–673, 1987.
[11] Hendrik W. Lenstra Jr. and Carl Pomerance. Primality testing with Gaussian periods, 2009. Preprint (http://math.dartmouth.edu/~carlp/aks102309.pdf).
[12] Erich Kaltofen and Victor Shoup. Subquadratic-time factoring of polynomials over finite fields. Math. Comp., 67(223):1179–1197, July 1998.
[13] Donald E. Knuth. The Art of Computer Programming, Volume 2: Seminumerical Algorithms. Addison-Wesley, Reading, 3rd edition, 1997.
[14] Derrick H. Lehmer. Computer technology applied to the theory of numbers. In William J. Leveque, editor, Studies in number theory, volume 6 of MAA Studies in Mathematics, pages 117–151, Englewood Cliffs, New Jersey, 1969. Prentice-Hall.
[15] Arjen K. Lenstra, Hendrik W. Lenstra Jr., and László Lovász. Factoring polynomials with rational coefficients. Math. Annalen, 261:515–534, 1982.
[16] Gary L. Miller. Riemann's hypothesis and tests for primality. In Proceedings of Seventh Annual Symposium on Theory of Computing, pages 234–239. ACM, 1975.
[17] René Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp., 44(170):483–494, April 1985.
[18] Daniel Shanks. Five number-theoretic algorithms. In Proc. 2nd Manitoba Conf. Numer. Math., pages 51–70, 1972.
[19] Tsz-Wo Sze. Deterministic primality proving on Proth numbers, 2010. Preprint (http://arxiv.org/abs/0812.2596).
[20] Tsz-Wo Sze. On taking square roots without quadratic nonresidues over finite fields. Math. Comp., 80(275):1797–1811, July 2011.
[21] Alberto Tonelli. Bemerkung über die Auflösung quadratischer Congruenzen. Nachrichten der Akademie der Wissenschaften in Göttingen, pages 344–346, 1891.
[22] Joachim von zur Gathen and Jürgen Gerhard. Modern Computer Algebra. Cambridge University Press, Cambridge, United Kingdom, 2nd edition, 2003.
[23] Joachim von zur Gathen and Daniel Panario. Factoring polynomials over finite fields: a survey. J. Symb. Comput., 31(1-2):3–17, 2001.
[24] Joachim von zur Gathen and Victor Shoup. Computing Frobenius maps and factoring polynomials. In Proceedings of the 24th Annual ACM Symposium on Theory of Computing, pages 97–105. ACM, 1992.
[25] Lawrence C. Washington. Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, 2nd edition, 2008.
[26] Hugh C. Williams. Édouard Lucas and Primality Testing, volume 22 of Canadian Mathematical Society Series of Monographs and Advanced Texts. Wiley-Interscience, 1998.
[27] David Y.Y. Yun. On square-free decomposition algorithms. In