Thus, $\kappa^{s}\alpha^{t}$ is a square root of $\alpha$.

The total amount of work done outside the discrete logarithm calculation amounts to just a handful of exponentiations modulo $p$, and so takes time $O(L(p)^3)$. The time to compute the discrete logarithm is $O(h \log h \, L(p)^2)$. So the total running time of this procedure is
$$O(L(p)^3 + h \log h \, L(p)^2).$$

The above procedure assumed we had at hand a nonsquare $\gamma$. If $h = 1$, i.e., $p \equiv 3 \pmod 4$, then $-1$ is a quadratic nonresidue modulo $p$, and so we are done. In fact, in this case, the output of the above procedure is simply $\alpha^{(p+1)/4}$, no matter what value of $\gamma$ is used. One can easily show directly that $\alpha^{(p+1)/4}$ is a square root of $\alpha$, without analyzing the above procedure.

If $h > 1$, we can find a nonsquare $\gamma$ using a probabilistic algorithm. Simply choose $\gamma$ at random, test if it is a square, and if it is, try again. The probability that a random element of $\mathbb{Z}_p^*$ is a square is $1/2$; thus, the expected number of trials is $O(1)$, and hence the expected running time of this probabilistic algorithm is $O(L(p)^2)$.

10.3.2 Prime-power modulus

Again, for an odd prime $p$, we know that $a$ is a quadratic residue modulo $p^e$ if and only if $a$ is a quadratic residue modulo $p$.

Suppose we have found an integer $z$ such that $z^2 \equiv a \pmod p$, using, say, the procedure described above. From this, we can easily compute a square root of $a$ modulo $p^e$ using the following technique, which is known as Hensel lifting.

More generally, suppose we have integers $a, z$ such that $z^2 \equiv a \pmod{p^f}$, for $f \ge 1$, and we want to find an integer $\hat{z}$ such that $\hat{z}^2 \equiv a \pmod{p^{f+1}}$.

Clearly, if $\hat{z}^2 \equiv a \pmod{p^{f+1}}$, then $\hat{z}^2 \equiv a \pmod{p^f}$, and so $\hat{z} \equiv \pm z \pmod{p^f}$. So let us set $\hat{z} = z + u p^f$, and solve for $u$. We have
$$\hat{z}^2 \equiv (z + u p^f)^2 \equiv z^2 + 2 z p^f u + u^2 p^{2f} \equiv z^2 + 2 z p^f u \pmod{p^{f+1}}.$$
So we want to find an integer $u$ such that
$$2 z p^f u \equiv a - z^2 \pmod{p^{f+1}}.$$
Since $p^f \mid (z^2 - a)$, by Theorem 2.3, the above congruence holds if and only if
$$2 z u \equiv \frac{a - z^2}{p^f} \pmod p.$$
From this, we can easily compute the desired value $u$.

By iterating the above procedure, starting with a square root of $a$ modulo $p$, we can quickly find a square root of $a$ modulo $p^e$. We leave a detailed analysis of the running time of this procedure to the reader.

10.3.3 Composite modulus

To find square roots modulo $n$, where $n$ is an odd composite modulus, if we know the prime factorization of $n$, then we can use the above procedures for finding square roots modulo primes and prime powers, and then use the algorithm of the Chinese Remainder Theorem to get a square root modulo $n$.

However, if the factorization of $n$ is not known, then there is no efficient algorithm known for computing square roots modulo $n$. In fact, one can show that the problem of finding square roots modulo $n$ is at least as hard as the problem of factoring $n$, in the sense that if there is an efficient algorithm for computing square roots modulo $n$, then there is an efficient (probabilistic) algorithm for factoring $n$.
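
The pieces described above (the $\alpha^{(p+1)/4}$ shortcut for $p \equiv 3 \pmod 4$, Hensel lifting, and the Chinese Remainder Theorem) combined in Python, as an added example that is not part of the original text. It assumes every prime factor of $n$ satisfies $p \equiv 3 \pmod 4$ and that $\gcd(a, n) = 1$; the function names and the sample modulus are constructed for illustration.

```python
# Added example (not from the original text). Assumes every prime factor p of n
# satisfies p ≡ 3 (mod 4), i.e. h = 1, and that gcd(a, n) = 1.

def sqrt_mod_prime(a, p):
    """Square root of a modulo a prime p ≡ 3 (mod 4), computed as a^((p+1)/4)."""
    if p % 4 != 3:
        raise ValueError("only the p ≡ 3 (mod 4) case is covered here")
    z = pow(a, (p + 1) // 4, p)
    if (z * z - a) % p != 0:
        raise ValueError(f"{a} is not a quadratic residue modulo {p}")
    return z

def hensel_lift(a, z, p, f):
    """Given z^2 ≡ a (mod p^f), return z_hat with z_hat^2 ≡ a (mod p^(f+1))."""
    pf = p ** f
    if (z * z - a) % pf != 0:
        raise ValueError("z is not a square root of a modulo p^f")
    # Solve 2*z*u ≡ (a - z^2)/p^f (mod p); 2z is invertible because p is odd
    # and p does not divide z (a is coprime to p).
    u = ((a - z * z) // pf) * pow(2 * z, -1, p) % p
    return (z + u * pf) % (pf * p)

def sqrt_mod_prime_power(a, p, e):
    """Start from a root modulo p and lift it e - 1 times."""
    z = sqrt_mod_prime(a % p, p)
    for f in range(1, e):
        z = hensel_lift(a, z, p, f)
    return z

def crt(residues, moduli):
    """Find x with x ≡ r_i (mod m_i) for pairwise coprime moduli m_i."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = (r - x) * pow(m, -1, mi) % mi   # choose t so x + m*t ≡ r (mod mi)
        x, m = x + m * t, m * mi
    return x

def sqrt_mod_n(a, factorization):
    """factorization is a list of (p, e) pairs with n equal to the product of p^e."""
    moduli = [p ** e for p, e in factorization]
    roots = [sqrt_mod_prime_power(a, p, e) for p, e in factorization]
    return crt(roots, moduli)

# Constructed input: n = 7^3 * 11^2 = 41503 and a = 1234^2 mod n.
FACTORS = [(7, 3), (11, 2)]
N = 7 ** 3 * 11 ** 2
A = pow(1234, 2, N)
ROOT = sqrt_mod_n(A, FACTORS)
print(ROOT, pow(ROOT, 2, N) == A)
```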
 Spring '13
 MRR
 Math, Algebra, Number Theory
