Thus κ s α t is a square root of α The total amount of work done outside the

Thus, κ s α t is a square root of α . The total amount of work done outside the discrete logarithm calculation amounts to just a handful of exponentiations modulo p , and so takes time O ( L ( p ) 3 ). The time to compute the discrete logarithm is O ( h log h L ( p ) 2 ). So the total running time of this procedure is O ( L ( p ) 3 + h log h L ( p ) 2 ) . The above procedure assumed we had at hand a non-square γ . If h = 1, i.e., p ≡ 3 (mod 4), then - 1 is a quadratic residue modulo p , and so we are done. In fact, in this case, the the output of the above procedure is simply α ( p +1) / 4 , no matter what value of γ is used. One can easily show directly that α ( p +1) / 4 is a square root of α , without analyzing the above procedure. If h > 1, we can find a non-square γ using a probabilistic algorithm. Simply choose γ at random, test if it is a square, and repeat if not. The probability that a random element of Z * p is a square is 1 / 2; thus, the expected number of trials is O (1), and hence the expected running time of this probabilistic algorithm is O ( L ( p ) 2 ). 62

This preview has intentionally blurred sections. Sign up to view the full version.

10.3.2 Prime-power modulus Again, for an odd prime p , we know that a is a quadratic residue modulo p e if and only if a is a quadratic residue modulo p . Suppose we have found an integer z such that z 2 ≡ a (mod p ), using, say, the procedure described above. From this, we can easily compute a square root of a modulo p e using the following technique, which is known as Hensel lifting . More generally, suppose we have integers a, z such that z 2 ≡ a (mod p f ), for f ≥ 1, and we want to find an integer ˆ z such that ˆ z 2 ≡ a (mod p f +1 ). Clearly, if ˆ z 2 ≡ a (mod p f +1 ), then ˆ z 2 equiva (mod p f ), and so ˆ z ≡ ± z (mod p f ). So let us set ˆ z = z + up f , and solve for u . We have ˆ z 2 ≡ ( z + up f ) 2 ≡ z 2 + 2 p f u + u 2 p 2 f ≡ z 2 + 2 p f u (mod p f +1 ) . So we want to find integer u such that 2 p f u ≡ a - z 2 (mod p f +1 ) . Since p f | ( z 2 - a ), by Theorem 2.3, the above congruence holds if and only if 2 u ≡ a - z 2 p f (mod p ) . From this, we can easily compute the desired value u . By iterating the above procedure, starting with a square root of a modulo p , we can quickly find a square root of a modulo p e . We leave a detailed analysis of the running time of this procedure to the reader. 10.3.3 Composite modulus To find square roots modulo n , where n is an odd composite modulus, if we know the prime factorization of n , then we can use the above procedures for finding square roots modulo primes and prime powers, and then use the algorithm of the Chinese Remainder Theorem to get a square root modulo n . However, if the factorization of n is not known, then there is no efficient algorithm known for computing square roots modulo n . In fact, one can show that the problem of finding square roots modulo n is at least as hard as the problem of factoring n , in the sense that if there is an efficient algorithm for computing square roots modulo n , then there is an efficient (probabilistic) algorithm for factoring n .