Consequently, for the remainder of this discussion we will assume that a is a quadratic residue mod p.

Transcription

1 Computing square roots mod p We now have very effective ways to determine whether the quadratic congruence x a (mod p), p an odd prime, is solvable. What we need to complete this discussion is an effective technique to a compute a solution if one exists, that is, if = 1. p Consequently, for the remainder of this discussion we will assume that a is a quadratic residue mod p. Now it turns out that finding a solution to x a (mod p) is easy if p 3 (mod): we write p = k + 3, then set x a k+1 (mod p). By Euler s Criterion, x a k+ a k+1 a a a a a a (mod p) p so x a k+1 (mod p) is a solution to the original quadratic congruence. That is, a k+1 p+1 = a is a square root of a mod p. Of course, this method fails if p 1 (mod ). But we can further differentiate values of p if instead we work mod 8: if p 1 (mod ), then either p 1 (mod 8) or p 5 (mod 8).

2 Consider the latter case, p = 8k + 5, first. By Euler s Criterion, we have that a 1 (mod p), so a ±1 (mod p). If x a k+1 (mod p) yields a solution since x a k+ a a 1 (mod p), then setting p+3 a a a (mod p). If instead, a 1 (mod p), then x k+1 a k+1 (mod p) yields a solution since x k+ a k+ p+3 a a a 1 1 a a(mod p). p We re still left with the case p 1 (mod 8). Now we could continue this development by producing more and more complicated formulas for computing the square root of a mod p, depending on the residue class of p modulo higher and higher powers of, but thankfully this is unnecessary, as it is possible to set forth an algorithm that does this systematically.

3 Write p 1 = r s, with s odd. Taking a cue from the methods discussed above, we suggest that y a s+1 (mod p) might be a good first try at a square root for a. Observe that y a s+1 a s a (mod p). It follows that since both y and a are quadratic residues mod p, so must be. This reduces our problem to the computation of a square root for b a s (mod p), for if z b (mod p), then a s (yz 1 ) a s+1 a s a (mod p) and so yz 1 is a square root of a mod p. On the face of it, it doesn t look like we have gained much by transferring the problem of computing a square root y of a to that of computing a square root z of b. But indeed we have, since b r 1 = (a s ) r 1 = a so that a 1 (mod p) ord p b r 1 p ord p z = ord p b r ord p z is a power of r which severely limits the possible values for z.

4 For those who know some group theory, notice also that the set of nonzero residue classes mod p whose order divides a power of is a subgroup of the group of units mod p. That is, if z 1 and z have orders mod p equal to r 1 and r, respectively, then the order of z 1 z is the larger of r 1 and r, hence is also a power of ; further, the inverse of y 1 has order r 1 as well (since (z 1 ) r (z r ) 1 1). In fact, this subgroup is called the -Sylow subgroup of the group of units mod p. We will denote the set of elements y whose order mod p is a power of as S. (This means that S is the -Sylow subgroup of the group of units mod p.) It may seem that we would have to turn to finding a primitive root mod p to get at the structure of the elements in S, but it turns out to be much easier: Lemma If n is any quadratic nonresidue mod p, and m n s (mod p), then Proof By EC, m r 1 = (n s ) r 1 = n But by Fermat s Little Theorem, m r = (n s ) r S = {m,m,m 3,K,m r }. 1 (mod p). = n 1 (mod p), so we must have that ord p m = r. Thus the first r powers of m are distinct mod p and all lie in S. But as there are ϕ( k ) elements of order k, and each of these orders

5 is a factor of r, the total number of elements whose order divides r is r ϕ( k ) = ϕ(d) = r, k=0 d r hence we have acccounted for all the elements of S. The result follows. // Returning to our original problem: to solve x a (mod p), we search instead for a square root z of b a s (mod p), so that with y a s+1 (mod p), we can then compute x yz 1 (mod p), which will be the desired square root of a (since y z a (mod p).) As the order of b divides r 1, z will also lie in S and is thus some power of m = n s, where n is some quadratic nonresidue mod p. Indeed, z m k (mod p) implies that b z m k (mod p). That is, b must be some even power of m. Halving this even power will locate the desired value of z. Now one way to proceed with finding z is to simply search through all even powers of m until b appears. This will take no more than r steps. But in fact, there is a procedure that will accomplish this without having to calculate the corresponding powers of m. It is based on the

6 Lemma If ord p m = r and ord p b = u with u < r, then ord p (m r u b) = v with v < u. Proof Since but ord p m = r, we have (m r 1 ) m r 1 (mod p), whence m r 1 / 1 (mod p) m r 1 1(mod p). Similarly, b u 1 1 (mod p). Therefore, (m r u b) u 1 m r 1 b u 1 ( 1)( 1) 1 (mod p), which implies that the order of divide u 1. // m r u b mod p must The importance of this observation is that if b = 1, finding z is trivial, for then z = 1. If b 1, the lemma allows us to adjust the value of b by multiplication by a perfect square (namely, an even power of m), which replaces b with a new value b = m r u b having smaller order than b. This adjustment makes it no more difficult to find a square root (z gets adjusted by a factor of m r u 1 ), but as the order of b is smaller, it means that b is in some sense closer to 1 (whose order is the smallest possible). By repeating this process, we eventually reach a stage where b has been reduced to 1, and the computation is complete.

7 We illustrate with some examples: Example: x (mod1) Factor 1 1 = 3 5 (so that r = 3 and s = 5), and put y (mod 1) and b 5 3 (mod 1). We know that b has order dividing 3 1 ; since b 3 1(mod 1), b has order equal to. Next, take n = 3 as a quadratic nonresidue, noting by QR that 3 = 1 = 1 = and set m (mod 1). We know that z satisfies z b (mod 1), but by the lemma, multiplication of this last congruence by m r u (mod 1) serves to adjust the value of b to b 9b 1 (mod 1) and adjusts z by the factor m r u (mod 1). Also, note that replacing z with z 38z (mod 1) means that x yz z 1 (mod 1). Repeating this procedure, we have that b 1 (mod1), so a square root is z = 1, yielding x (mod 1) in one iteration.

8 We can make this computation more amenable to automation by organizing the steps as follows (here, means congruence mod p): Given: p = 1 Initialize: r = 3 ( p 1 = r s) a = s = 5 3 n 3 ( = 1) 1 m 38 ( m n s ) Iterate (until u i = 0, i.e., b i = 1): i b i ord 1 b i = u i 0 3 ( b 0 a s ) 1 1 ( b i+1 m r u i b i ) 17( x i+1 m r u i 1 xi ) The desired solution to the original congruence appears in the lower right cell of the table. 0 x i 8 (x 0 = y a s+1 )

9 Example: x 7 (mod113) Given: p = 113 Initialize: r = ( p 1 = 7) a = 7 s = 7 3 n 3 ( = 1) 113 m 0 ( m n s ) Iterate (until u i = 0, i.e., b i = 1): i ord b i = u i b i 0 1 ( b 0 a s ) 1 1 ( b i+1 m r u i b i ) Thus x 3 (mod113). x i 1 8 (x 0 = y 0 3 ( x i+1 m r u i 1 xi ) a s+1 )

10 Example: x 103 (mod61) Given: p = 61 Initialize: r = 7 ( p 1 = 7 5) a = 103 s = 5 3 n 3 ( = 1) 61 m 3 ( m n s ) Iterate (until u i = 0, i.e., b i = 1): i b i ord b i = u i 0 65 ( b 0 a s ) 1 1 ( b i+1 m r u i b i ) 1 Thus x 198 (mod61). x i 63 (x 0 = y a s+1 ) 1 365( x i+1 m r u i 1 xi ) 0 198