Formulas for the Square Roots Mod p
N. A. Carella
Abstract: A method of constructing specific polynomial representations $f(x) \in \mathbb{F}_p[x]$ of the square root function modulo a prime $p = 2^k n + 1$, $n$ odd, is presented. The formulas for the cases $k = 2, 3$ and $4$ are given.
Keywords: Square Roots Modulo a Prime, Finite Fields.
Mathematics Subject Classification (AMS): 12E20, 68W40.
1 Introduction
The polynomial representations of various functions on finite fields are important components in modern information science. The discrete logarithm, discrete exponentiation, and $n$th root functions are of significant interest in the design of cryptographic protocols. For example, computing a square root modulo a prime of the form $p = 2^r - 2^s + 1$ is a step in standard elliptic curve protocols (recovering the $y$-coordinate of a compressed point). For such primes $k = v_2(p-1) = s$, so the 2-adic valuation that governs the iterative algorithms below can be large: $k = 96$ for $p = 2^{224} - 2^{96} + 1$, the NIST P-224 field prime.
A polynomial $f(x) \in \mathbb{F}_p[x]$ is called a polynomial representation of the square root function mod $p$ if it satisfies the equation
$$\sqrt{x} \equiv \pm f(x) \pmod p$$
whenever $x$ is a quadratic residue.
Polynomial interpolation is the main tool used to construct polynomial representations of functions on finite fields. This is a time-tested method and works in every case. Polynomial interpolation is used in [1] to prove the existence of polynomial representations $f(x)$ of the square root function of degree $\deg(f) \le (p-3)/2$ and length (the number of nonzero terms) at most $2^{k-1}$. A few specific polynomial representations are also given there.
In this note a different method is used to generate specific polynomial representations of the square root function mod $p$. The result also improves the degree estimate. The first few of these polynomials are computed explicitly.
2 Groundwork
A root of the equation $x^2 - a \equiv 0 \pmod p$, with $a^{(p-1)/2} \equiv 1 \pmod p$, is determined by a sequence of approximations. The number of iterations in the algorithm used is mostly a function of the 2-adic valuation $v_2(p-1) = k$. Extensive details on these algorithms are available in [2] to [8] and other sources.
Lemma 1. Let $a$ and $z$ be a quadratic residue and a quadratic nonresidue mod $p = 2^k n + 1$, $n$ odd, respectively. Then the sequence of integers
$$\omega_0 = a^n,\quad \omega_1 = \omega_0\, z^{n 2^{k-m_0}},\quad \omega_2 = \omega_1\, z^{n 2^{k-m_1}},\quad \ldots,\quad \omega_{i+1} = \omega_i\, z^{n 2^{k-m_i}} = 1, \qquad (1)$$
where $\mathrm{ord}_p\,\omega_i = 2^{m_i}$, $m_i < k$, decreases to 1.
This is due to the fact that the sequence of orders $\mathrm{ord}_p(\omega_i)$ of the $\omega_i$ is a strictly decreasing sequence of integers:
$$\mathrm{ord}_p\,\omega_0 = 2^{m_0},\ m_0 < k,\qquad \mathrm{ord}_p\,\omega_1 = 2^{m_1},\ m_1 < m_0,\qquad \ldots,\qquad \mathrm{ord}_p\,\omega_{i+1} = 1. \qquad (2)$$
Indeed, $a^{n 2^{k-1}} = a^{(p-1)/2} = 1$ gives $m_0 \le k-1$, while $z^n$ has order exactly $2^k$, so $z^{n 2^{k-m_i}}$ has order exactly $2^{m_i}$, the same as $\omega_i$. In the cyclic group of order $2^{m_i}$ both elements are odd powers of a generator, so their product is an even power, and $m_{i+1} \le m_i - 1$. A proof and background details appear in [5].
Theorem 2. With $m_0 > m_1 > \cdots > m_i$ as in Lemma 1,
$$\sqrt{a} \equiv \pm\, a^{(n+1)/2}\, z^{\,n\left(2^{k-m_0-1} + 2^{k-m_1-1} + \cdots + 2^{k-m_i-1}\right)} \pmod p.$$
Proof: The sequence of approximations by square elements
$$\begin{aligned}
(0)\quad a\omega_0 &= a^{n+1} = \left(a^{(n+1)/2}\right)^2, \\
(1)\quad a\omega_1 &= a\omega_0\, z^{n 2^{k-m_0}} = \left(a^{(n+1)/2}\, z^{n 2^{k-m_0-1}}\right)^2, \\
(2)\quad a\omega_2 &= a\omega_1\, z^{n 2^{k-m_1}} = \left(a^{(n+1)/2}\, z^{n\left(2^{k-m_0-1} + 2^{k-m_1-1}\right)}\right)^2, \\
&\;\;\vdots \\
(i+1)\quad a\omega_{i+1} &= a\omega_i\, z^{n 2^{k-m_i}} = \left(a^{(n+1)/2}\, z^{n\left(2^{k-m_0-1} + 2^{k-m_1-1} + \cdots + 2^{k-m_i-1}\right)}\right)^2
\end{aligned} \qquad (3)$$
'converges' to $a$: by Lemma 1, $\omega_{i+1} = 1$, so the last line reads $a = (\cdots)^2$, which is the claim. Note that every exponent $k - m_j - 1$ is a nonnegative integer because $m_j < k$. $\square$
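As an added worked example (not code from the paper), the following Python carries out the iteration of Lemma 1 and the closed form of Theorem 2 literally: it splits $p - 1 = 2^k n$, picks a quadratic nonresidue $z$ by Euler's criterion, records the order exponents $m_i$ of the $\omega_i$, and assembles the exponent $2^{k-m_0-1} + 2^{k-m_1-1} + \cdots$ before a single final exponentiation. The order-reduction step is the same one the Tonelli-Shanks algorithm performs; the function names are this example's own, and the test primes (including the P-224 prime with $k = 96$) are constructed inputs.

```python
"""Square roots modulo p = 2^k n + 1 via the order-reduction iteration of Lemma 1
and the closed form of Theorem 2.  Example code; the names are this example's own."""


def two_adic_split(p):
    """Return (k, n) with p - 1 = 2^k n and n odd."""
    k, n = 0, p - 1
    while n % 2 == 0:
        k, n = k + 1, n // 2
    return k, n


def is_quadratic_residue(a, p):
    """Euler's criterion: a^((p-1)/2) == 1 exactly when a != 0 is a square mod p."""
    return pow(a, (p - 1) // 2, p) == 1


def find_nonresidue(p):
    """Smallest z >= 2 with z^((p-1)/2) == -1; half of all z qualify, so this is quick."""
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    return z


def log2_order(w, p):
    """For w in the 2-power subgroup of F_p^*, return m with ord_p(w) = 2^m."""
    m = 0
    while w != 1:
        w, m = w * w % p, m + 1
    return m


def sqrt_mod_p(a, p, z=None):
    """Return (r, ms) with r^2 == a (mod p) and ms = [m_0, m_1, ...] the strictly
    decreasing order exponents of omega_0, omega_1, ... from Lemma 1, so that
    r = a^((n+1)/2) * z^(n * (2^(k-m_0-1) + 2^(k-m_1-1) + ...)) as in Theorem 2."""
    a %= p
    if a == 0:
        return 0, []
    if not is_quadratic_residue(a, p):
        raise ValueError("a is not a quadratic residue mod p")
    k, n = two_adic_split(p)
    z = find_nonresidue(p) if z is None else z
    omega = pow(a, n, p)            # omega_0 = a^n, of order 2^(m_0) with m_0 < k
    ms, exponent = [], 0            # exponent accumulates 2^(k-m_0-1) + 2^(k-m_1-1) + ...
    while omega != 1:
        m = log2_order(omega, p)
        ms.append(m)
        exponent += 1 << (k - m - 1)
        # omega_{i+1} = omega_i * z^(n 2^(k-m_i)): both factors have order 2^(m_i),
        # so the product has order at most 2^(m_i - 1) and the sequence (2) decreases.
        omega = omega * pow(z, n << (k - m), p) % p
    root = pow(a, (n + 1) // 2, p) * pow(z, n * exponent, p) % p
    return root, ms


if __name__ == "__main__":
    # p = 2^224 - 2^96 + 1 (the NIST P-224 field prime) has k = 96, so the loop
    # may run up to 96 rounds; the multiplier exponent is still applied only once.
    P224 = 2**224 - 2**96 + 1
    for p, a in [(13, 10), (17, 2), (97, 36), (P224, 4)]:
        r, ms = sqrt_mod_p(a, p)
        print(p, a, r, ms, pow(r, 2, p) == a)
```

The list `ms` returned alongside the root is the sequence $m_0 > m_1 > \cdots$ of Lemma 1, so a caller can observe directly that the orders of the $\omega_i$ strictly decrease and that the number of rounds never exceeds $k$.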
Definition 3. Let $p = 2^k n + 1$ be prime, $n$ odd, and let $z$ be a quadratic nonresidue modulo $p$. A multiplier set for the square root mod $p$ is defined by
$$M_k = \{\, 1,\ z^n,\ z^{2n},\ z^{3n},\ \ldots,\ z^{(2^{k-1}-1)n} \,\}.$$
The square root of any square $a \in \mathbb{F}_p$ is of the form $\sqrt{a} = \pm\, \mu\, a^{(n+1)/2}$, where $\mu \in M_k$ is a unique multiplier: $\mu$ must satisfy $\mu^2 = a^{-n}$, and $z^{2n}$ generates the subgroup of order $2^{k-1}$ that contains $a^{-n}$. The sequence $a^n, a^{2n}, a^{4n}, \ldots$ obtained by repeatedly squaring $a^n$ for a quadratic residue $a$ contains the information about the form of the square root of $a$. The smallest multiplier $\mu = 1$ occurs whenever the quadratic residue generates the shortest sequence $a^n = 1$. A multiplier with odd exponent, the largest of which is $\mu = z^{(2^{k-1}-1)n}$, occurs whenever the quadratic residue generates the longest possible sequence
$$a^n,\ a^{2n},\ a^{4n},\ \ldots,\ a^{2^{k-3}n} = \pm i,\ a^{2^{k-2}n} = -1,\ a^{2^{k-1}n} = 1,$$
where $i$ denotes a square root of $-1$ modulo $p$.
Theorem 4. Let $p = 2^k n + 1$ be prime, $k \ge 2$, and let $a$ be a quadratic residue modulo $p$. Then there exists a unique integer $m$, $0 \le m < 2^{k-2}$, such that
$$\sqrt{a} = \begin{cases} \pm\, a^{(n+1)/2}\, z^{(2m+1)n} & \text{if } \mathrm{ord}_p(a^n) = 2^{k-1}, \\[2pt] \pm\, a^{(n+1)/2}\, z^{2mn} & \text{if } \mathrm{ord}_p(a^n) < 2^{k-1}. \end{cases} \qquad (4)$$
Since the shortest sequence $a^n = 1$ occurs if and only if the order $\mathrm{ord}_p(a)$ is odd, the probability that a quadratic residue has odd order is $n/(2^{k-1}n) = 1/2^{k-1}$. Thus for $k \ge 8$, less than 1% of the squares $a \in \mathbb{F}_p$ have a square root of the form $\sqrt{a} = \pm\, a^{(n+1)/2}$.
Corollary 5. Let $p = 2^k n + 1$ be prime, $k \ge 2$. Exactly half of the quadratic residues modulo $p$ have a square root of the form $\sqrt{a} \equiv \pm\, a^{(n+1)/2} z^{2mn} \pmod p$, and the other half one of the form $\sqrt{a} \equiv \pm\, a^{(n+1)/2} z^{(2m+1)n} \pmod p$, with $m < 2^{k-2}$ in both cases. The proportions do not depend on $n$.
Proof: By Theorem 4 the exponent $e$ of the multiplier $z^{en}$ is odd if and only if $\mathrm{ord}_p(a^n) = 2^{k-1}$. Write $a = g^{2t}$ with $g$ a generator of $\mathbb{F}_p^*$ and $0 \le t < 2^{k-1}n$. Then $a^n = g^{2tn}$ has order $2^{k-1}/\gcd(2^{k-1}, t)$, which equals $2^{k-1}$ exactly when $t$ is odd, i.e. for half of the $2^{k-1}n$ quadratic residues. (The condition is $2^{k-1} \mid \mathrm{ord}_p(a)$, not $\mathrm{ord}_p(a) = 2^{k-1}$; only $\varphi(2^{k-1}) = 2^{k-2}$ residues have order exactly $2^{k-1}$.) $\square$
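As an added example (not from the paper), the following Python computes, for every quadratic residue of a small prime $p = 2^k n + 1$, the unique multiplier $\mu = z^{en} \in M_k$ of Definition 3 by stepping through the $2^{k-1}$ candidates, checks the parity rule of Theorem 4 against $\mathrm{ord}_p(a^n)$, and tallies the classes. The tally shows that the residues with $\mu = 1$ are exactly the $n$ elements of odd order (a fraction $1/2^{k-1}$), and that for every $n$ exactly half of the residues have an odd exponent $e$. The primes and nonresidues are constructed inputs and the helper names are this example's own.

```python
"""Multiplier statistics for sqrt(a) = +-a^((n+1)/2) z^(e n), 0 <= e < 2^(k-1)
(Definition 3 and Theorem 4).  Example code for small primes; names are this example's own."""


def two_adic_split(p):
    """Return (k, n) with p - 1 = 2^k n and n odd."""
    k, n = 0, p - 1
    while n % 2 == 0:
        k, n = k + 1, n // 2
    return k, n


def multiplier_exponent(a, p, k, n, z):
    """Unique e in [0, 2^(k-1)) with (a^((n+1)/2) z^(e n))^2 == a, i.e. z^(2 e n) == a^(-n).
    z^(2n) generates the subgroup of order 2^(k-1) containing a^(-n), so exactly one e fits."""
    target = pow(a, -n, p)                 # modular inverse via negative exponent (Python 3.8+)
    w, step = 1, pow(z, 2 * n, p)
    for e in range(1 << (k - 1)):
        if w == target:
            return e
        w = w * step % p
    raise ValueError("no multiplier found: a is not a quadratic residue")


def multiplier_statistics(p, z):
    """Classify every quadratic residue a mod p = 2^k n + 1 (k >= 2) by its exponent e."""
    k, n = two_adic_split(p)
    if k < 2 or pow(z, (p - 1) // 2, p) != p - 1:
        raise ValueError("need k >= 2 and z a quadratic nonresidue")
    counts = {"residues": 0, "mu_is_one": 0, "even": 0, "odd": 0}
    for a in range(1, p):
        if pow(a, (p - 1) // 2, p) != 1:
            continue                        # skip nonresidues
        e = multiplier_exponent(a, p, k, n, z)
        root = pow(a, (n + 1) // 2, p) * pow(z, e * n, p) % p
        assert root * root % p == a         # the multiplier really gives a square root
        # Theorem 4: e is odd exactly when a^n has maximal order 2^(k-1),
        # i.e. when (a^n)^(2^(k-2)) != 1.
        maximal_order = pow(a, n << (k - 2), p) != 1
        assert (e % 2 == 1) == maximal_order
        counts["residues"] += 1
        counts["mu_is_one"] += e == 0
        counts["odd" if e % 2 else "even"] += 1
    return counts


if __name__ == "__main__":
    # Constructed test primes: 13 = 2^2*3+1, 41 = 2^3*5+1, 113 = 2^4*7+1.
    for p, z in [(13, 2), (41, 3), (113, 3)]:
        k, n = two_adic_split(p)
        print(f"p={p} (k={k}, n={n}):", multiplier_statistics(p, z))
```

For each prime the counts satisfy `mu_is_one == n` and `odd == even == residues // 2`, independently of $n$; only the fraction with $\mu = 1$ shrinks as $k$ grows.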
3 Polynomial Representations of the Square Roots
Any function $f$ on a finite field $\mathbb{F}_q$ has a polynomial representation $f(x) = a_d x^d + a_{d-1} x^{d-1} + \cdots + a_1 x + a_0 \in \mathbb{F}_q[x]$ of degree $\deg(f) = d \le q - 1$. As stated before, the polynomial representation $f(x) \in \mathbb{F}_p[x]$ of the square root mod $p$ satisfies the equation $\sqrt{x} \equiv \pm f(x) \pmod p$ for every quadratic residue $x$.
Theorem 6. There is a polynomial representation $f_k(x) \in \mathbb{F}_p[x]$ of the square root function of degree $\deg(f_k) = 2^{k-1}n - (n-1)/2$ with $2^{k-1}$ terms. Moreover it has the form
$$f_k(x) = 2^{-(k-1)}\, x^{(n+1)/2} \left[ c_{2^{k-1}-1}\, x^{(2^{k-1}-1)n} + c_{2^{k-1}-2}\, x^{(2^{k-1}-2)n} + \cdots + c_2\, x^{2n} + c_1\, x^n + c_0 \right]. \qquad (6)$$
The polynomial $f_k(x)$ is computed by considering all the possible sequences $a^n, a^{2n}, a^{4n}, \ldots$ generated by an arbitrary quadratic residue $a$ modulo $p$ together with the sequence given in (1). Each such sequence is then mapped to a unique term
$$z^{a_1 n}\,(1 \pm x^{a_2 n} z^{a_3 n})(1 \pm x^{a_4 n} z^{a_5 n}) \cdots (1 \pm x^{a_{2k-2} n} z^{a_{2k-1} n}), \qquad (7)$$
where $0 \le a_i < 2^{k-1}$. For example, the first term $z^{7n}(1 - x^{4n})(1 - x^{2n}z^{4n})(1 - x^n z^{6n})$ in the polynomial $f_4(x)$ for the primes $p = 2^4 n + 1$ corresponds to the maximal sequence $a^n,\ a^{2n},\ a^{4n} = -1,\ a^{8n} = 1$ with $a^n = z^{2n}$, and the last term $(1 + x^{4n})(1 + x^{2n})(1 + x^n)$ corresponds to the minimal sequence $a^n = 1$.
The first few of these polynomials are given below. The first two formulas are well known, but the next two are new.
(1) $\sqrt{x} = f_1(x) = x^{(n+1)/2}$, where $p = 2n + 1$, $n$ odd (i.e. $p \equiv 3 \pmod 4$).
(2) $\sqrt{x} = f_2(x) = 2^{-1} x^{(n+1)/2} \left[ 2^n (1 - x^n) + (1 + x^n) \right]$, where $p = 2^2 n + 1$, $n$ odd (i.e. $p \equiv 5 \pmod 8$, so that $z = 2$ is a quadratic nonresidue).
(3) $\sqrt{x} = f_3(x) = 2^{-2} x^{(n+1)/2} \left[ z^{3n}(1 - x^{2n})(1 - x^n z^{2n}) + z^n (1 - x^{2n})(1 + x^n z^{2n}) + z^{2n}(1 + x^{2n})(1 - x^n) + (1 + x^{2n})(1 + x^n) \right]$, where $p = 2^3 n + 1$ and $z$ is a quadratic nonresidue modulo $p$.
(4) $$\begin{aligned} \sqrt{x} = f_4(x) = 2^{-3} x^{(n+1)/2} \big[ &z^{7n}(1 - x^{4n})(1 - x^{2n} z^{4n})(1 - x^n z^{6n}) + z^{5n}(1 - x^{4n})(1 - x^n z^{2n})(1 + x^{2n} z^{4n}) \\ &+ z^{3n}(1 - x^{4n})(1 - x^{2n} z^{4n})(1 + x^n z^{6n}) + z^n (1 - x^{4n})(1 + x^n z^{2n})(1 + x^{2n} z^{4n}) \\ &+ z^{6n}(1 + x^{4n})(1 - x^{2n})(1 - x^n z^{4n}) + z^{2n}(1 + x^{4n})(1 - x^{2n})(1 + x^n z^{4n}) \\ &+ z^{4n}(1 + x^{4n})(1 + x^{2n})(1 - x^n) + (1 + x^{4n})(1 + x^{2n})(1 + x^n) \big], \end{aligned} \qquad (8)$$
where $p = 2^4 n + 1$ and $z$ is a quadratic nonresidue modulo $p$.
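As an added example (not code from the paper), the following Python transcribes the brackets of $f_2$, $f_3$ and $f_4$ above as products of factors in $y = x^n$, expands them into explicit coefficients $c_j$ modulo $p$, and checks three things over small primes of each shape: that $f_k(a)^2 = a$ for every quadratic residue $a$, that all $2^{k-1}$ coefficients $c_0, \ldots, c_{2^{k-1}-1}$ are nonzero (the term count of Theorem 6), and that $\deg f_k = 2^{k-1} n - (n-1)/2$. The primes and nonresidues ($z = 2$ for $p \equiv 5 \pmod 8$, $z = 3$ elsewhere) are constructed test inputs, and the function names are this example's own.

```python
"""Check the explicit square-root polynomials f_2, f_3, f_4 for p = 2^k n + 1 against every
quadratic residue, and verify the degree and term count claimed in Theorem 6.
Example code; BRACKET_TERMS is a transcription of formulas (2)-(4) above."""

# One bracket term is (e0, factors) meaning z^(e0 n) * prod_{(s, i, j)} (1 + s * y^i * z^(j n)),
# where y = x^n.  f_2 is written with z = 2, as in the paper.
BRACKET_TERMS = {
    2: [(1, [(-1, 1, 0)]),
        (0, [(+1, 1, 0)])],
    3: [(3, [(-1, 2, 0), (-1, 1, 2)]),
        (1, [(-1, 2, 0), (+1, 1, 2)]),
        (2, [(+1, 2, 0), (-1, 1, 0)]),
        (0, [(+1, 2, 0), (+1, 1, 0)])],
    4: [(7, [(-1, 4, 0), (-1, 2, 4), (-1, 1, 6)]),
        (5, [(-1, 4, 0), (-1, 1, 2), (+1, 2, 4)]),
        (3, [(-1, 4, 0), (-1, 2, 4), (+1, 1, 6)]),
        (1, [(-1, 4, 0), (+1, 1, 2), (+1, 2, 4)]),
        (6, [(+1, 4, 0), (-1, 2, 0), (-1, 1, 4)]),
        (2, [(+1, 4, 0), (-1, 2, 0), (+1, 1, 4)]),
        (4, [(+1, 4, 0), (+1, 2, 0), (-1, 1, 0)]),
        (0, [(+1, 4, 0), (+1, 2, 0), (+1, 1, 0)])],
}


def poly_mul(f, g, p):
    """Product of two coefficient lists (index = power of y) over F_p."""
    h = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] = (h[i + j] + fi * gj) % p
    return h


def bracket_coefficients(k, n, p, z):
    """Coefficients c_0, ..., c_{2^(k-1)-1} of the bracket in f_k as a polynomial in y = x^n."""
    total = [0] * (1 << (k - 1))
    for e0, factors in BRACKET_TERMS[k]:
        term = [pow(z, e0 * n, p)]
        for s, i, j in factors:
            factor = [0] * (i + 1)                 # 1 + s * z^(j n) * y^i
            factor[0] = 1
            factor[i] = s * pow(z, j * n, p) % p
            term = poly_mul(term, factor, p)
        for d, c in enumerate(term):
            total[d] = (total[d] + c) % p
    return total


def f_k(x, k, n, p, z, coeffs=None):
    """f_k(x) = 2^(-(k-1)) x^((n+1)/2) * bracket(x^n) mod p, from formula (6)."""
    coeffs = bracket_coefficients(k, n, p, z) if coeffs is None else coeffs
    y = pow(x, n, p)
    bracket = sum(c * pow(y, d, p) for d, c in enumerate(coeffs)) % p
    return pow(2, -(k - 1), p) * pow(x, (n + 1) // 2, p) * bracket % p


def check_formula(p, k, z):
    """Return (all_residues_ok, nonzero_terms, degree) for f_k over F_p, p = 2^k n + 1, n odd."""
    n = (p - 1) >> k
    if n % 2 == 0 or (n << k) + 1 != p:
        raise ValueError("p is not of the form 2^k n + 1 with n odd")
    if pow(z, (p - 1) // 2, p) != p - 1:
        raise ValueError("z must be a quadratic nonresidue mod p")
    coeffs = bracket_coefficients(k, n, p, z)
    ok = all(pow(f_k(a, k, n, p, z, coeffs), 2, p) == a
             for a in range(1, p) if pow(a, (p - 1) // 2, p) == 1)
    nonzero = sum(1 for c in coeffs if c)
    top = max(d for d, c in enumerate(coeffs) if c)
    degree = (n + 1) // 2 + top * n                # x^((n+1)/2) times the top power of y = x^n
    return ok, nonzero, degree


if __name__ == "__main__":
    for p, k, z in [(13, 2, 2), (29, 2, 2), (41, 3, 3), (89, 3, 3), (17, 4, 3), (113, 4, 3)]:
        n = (p - 1) >> k
        ok, terms, deg = check_formula(p, k, z)
        print(f"p={p} k={k} n={n}: roots ok={ok}, terms={terms} (expect {2**(k-1)}), "
              f"deg={deg} (expect {2**(k-1)*n - (n-1)//2})")
```

Expanding the bracket once per prime and reusing the coefficients is what makes the residue sweep cheap; the same coefficient list is the polynomial representation that Theorem 6 asserts, and `check_formula` rejects a $p$ or $z$ of the wrong shape instead of silently computing with it.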
REFERENCES:
[1] S. J. Agou, M. Deleglise, J. L. Nicolas, Short polynomial representations for square roots modulo p, Designs, Codes and Cryptography 28 (2003), 33-44.
[2] E. Bach, K. Huber, Note on taking square roots modulo N, IEEE Trans. Inform. Theory 45 (1999), no. 2, 807-809.
[3] E. Bach, A note on square roots in finite fields, IEEE Trans. Inform. Theory 36 (1990), no. 1, 55-64.
[4] E. Bach, J. Shallit, Algorithmic Number Theory, Vol. 1: Efficient Algorithms, MIT Press, Cambridge, MA, 1996.
[5] R. Kumanduri, C. Romero, Number Theory with Computer Applications, Prentice Hall, 1998.
[6] A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, 1997.
[7] R. C. Peralta, A simple and fast probabilistic algorithm for computing square roots modulo a prime, IEEE Trans. Inform. Theory 32 (1986), no. 6, 846-847.
[8] S. M. Turner, Square roots mod p, Amer. Math. Monthly 101 (1994), no. 5, 443-449.