A Complete Generalization of Atkin s Square Root Algorithm

Transcription

1 Fundamenta Informaticae 15 (013) DOI /FI IOS Press A Complete Generalization of Atkin s Square Root Algorithm Armand Stefan Rotaru Institute of Computer Science, Romanian Academy Carol I no. 8, Iasi, Romania armand.rotaru@iit.academiaromana-is.ro Sorin Iftene Department of Computer Science, Alexandru Ioan Cuza University General Berthelot no. 16, Iasi, Romania siftene@info.uaic.ro Abstract. Atkin s algorithm [] for computing square roots in Z p, where p is a prime such that p 5mod 8, has been extended by Müller [15] for the casep 9mod16. In this paper we extend Atkin s algorithm to the general casep s +1mod s+1, for anys, thus providing a complete solution for the case p 1 mod 4. Complexity analysis and comparisons with other methods are also provided. Keywords: Square Roots, Efficient Computation, Complexity 1. Introduction Computing square roots in finite fields is a fundamental problem in number theory, with major applications related to primality testing [3], factorization [17] or elliptic point compression [10]. In this paper we consider the problem of finding square roots inz p, wherepis an odd prime. We have to remark that, using Hensel s lemma and Chinese remainder theorem, the problem of finding square roots modulo any composite number can be reduced to the case of prime modulus, by considering its prime factorization (for more details, see [4]). Address for correspondence: Institute of Computer Science, Romanian Academy, Carol I no. 8, Iasi, Romania

2 7 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm According to Bach and Shallit [4, Notes on Chapter 7, page 194] and Lemmermeyer [13, Exercise 1.16, Page 9], Lagrange was the first to derive an explicit formula for the case p 3 mod 4 in According to the same sources ([4, Exercise 1, page 188] and [13, Exercise 1.17, Page 9]), the case p 5 mod 8 was solved by Legendre in Atkin [] also found a simple solution for the case p 5 mod 8 in 199. In 004, Müller [15] extended Atkin s algorithm to the case p 9 mod 16 and left further developing Atkin s algorithm as an open problem. In this paper we extend Atkin s algorithm to the case p s + 1 mod s+1, for any s, thus providing a complete solution for the case p 1 mod 4. Müller s algorithm and our generalization use quadratic non-residues, and thus, they are probabilistic algorithms. We remark that several deterministic approaches for computing square roots modulo a prime p have also been presented in the literature. Schoof [19] proposed an impractical deterministic algorithm of complexity O((log p) 9 ). Sze [1] has recently developed a deterministic algorithm for computing square roots which is efficient (its complexity isõ((log p) ))) only for certain primes p. The paper is structured as follows. Section is dedicated to some mathematical preliminaries on quadratic residues and square roots. Section 3 presents Atkin s algorithm and its extension (Müller s algorithm), both based on computing square roots of 1 modulo p. We present our generalization in Section 4. Its performance, efficient implementation and comparisons with other methods are presented in Section 5. In the last section we briefly discuss the conclusions of our paper and the possibility of adapting our algorithm for other finite fields.. Mathematical Background In this section we will present some basic facts on quadratic residues and square roots. For simplicity of notation, from this point forward we will omit the modular reduction, but the reader must be aware that all computations are performed modulo p if not explicitly stated otherwise. Let p be a prime and a Z p. We say that a is a quadratic residue modulo p if there exists b Z p with the property a = b. Otherwise, a is a quadratic non-residue modulo p. It is easy to see that the product of two residues is a residue and that the product of a residue with a non-residue is a non-residue. If b = a then b will be referred to as a square root of a (modulo p) and we will simply denote this fact byb = a. We have to remark that ifais a quadratic residue modulo p,pprime, then a has exactly two square roots - ifbis a square root ofa, thenp b is the other one. In particular, 1 has the square roots 1 and 1 (in this case, 1 will be regarded as beingp 1) ( ) or, equivalently, a = 1 (a = 1 a = 1). a The Legendre symbol of a modulo p, denoted as, is defined to be equal to ±1 depending on p whether a is a quadratic residue modulo p. More exactly, ( ) { a 1, if a is a quadratic residue modulo p; = p 1, otherwise. Euler s criterion states that, for any prime p and a Z p, the following relation holds: a p 1 = ( ) a. p

3 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 73 Euler s criterion provides a method of computing the Legendre symbol of a modulo p using an exponentiation modulop, whose complexity iso((log p) 3 ). There are faster methods for evaluating the Legendre symbol - see, for example [8], in which are presented algorithms of complexity O( (log p) log log p ) for computing the Jacobi symbol (the Jacobi symbol is a generalization of the Legendre symbol to arbitrary moduli). ( ) Another useful property is that = ( 1) p 1 8, that implies that is a quadratic residue modulo p p if and only ifp ±1mod8. If p is prime, p 3 mod 4, and a Z p is a quadratic residue modulo p then b = a p+1 4 is a square ( ) root of a modulo p. Indeed, in this case, b = a p+1 = a a p 1 a = a = a 1 = a. Thus, in this p case, finding square roots modulo p requires only a single exponentiation modulo p. In the next sections we will focus on the case p prime, p 1mod4. 3. Square Root Algorithms based on Computing 1 In this section we present two methods for computing square roots for the cases p 5 mod 8 and p 9 mod 16, both based on computing square roots of 1 modulo p Atkin s Algorithm Let p be a prime such that p 5 mod 8 and a a quadratic residue modulo p. Atkin s idea [] is to express a as a = αa(β 1) where β = 1 and aα = β. Indeed, in this case, (αa(β 1)) = a( aα β) = a( β ) = a. Moreover, in order to easily determine α, it will be convenient that β has the form β = (a) k, withk odd. Thus, the major challenge is to find 1 of the mentioned form. By Euler s criterion, the relation (a) p 1 = 1 holds (a is a quadratic residue, but is a quadratic non-residue, therefore a is a quadratic non-residue), so we can choose β as β = (a) p 1 4 and α as p 1 4 α = (a) 1 = (a) p 5 8. The resulted algorithm is presented in Figure 1. Atkin s Algorithm(p,a) input: p prime such that p 5mod8, a Z p a quadratic residue; output: b, a square root ofamodulo p; begin 1. α := (a) p 5 8 ;. β := aα ; 3. b := αa(β 1); 4. return b end. Figure 1: Atkin s algorithm

4 74 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm Atkin s algorithm requires one exponentiation (in Step 1) and four multiplications (two multiplications in Step and two multiplications in Step 3). 3.. Müller s Algorithm Let p be a prime such that p 9 mod 16 and a a quadratic residue modulo p. Müller [15] has extended Atkin s algorithm by expressing a as a = αad(β 1) where β = 1 and ad α = β. Indeed, in this case, (αad(β 1)) = a( ad α β) = a( β ) = a. Moreover, in order to easily determine α, it will be convenient that β has the form β = (ad ) k, withk odd. By Euler s criterion, the relation (a) p 1 = 1 holds (a and are quadratic residues, therefore a is a quadratic residue). We have two cases: (I) (a) p 1 4 = 1 - in this case we can chooseβasβ = (a) p 1 p andαasα = (a) 1 = (a) p 9 16 (d = 1); (II) (a) p 1 4 = 1 - in this case we need a quadratic non-residue d - by Euler s criterion, d p 1 = 1 and, thus, (ad ) p 1 4 = 1, so we can choose β as β = (ad ) p 1 p 1 8 and α asα = (ad 8 ) 1 = (ad ) p The above presentation is in fact a slightly modified variant of the original one - for Case (I), Müller used an arbitrary residue d. Kong et al. [11] have remarked that using d = 1 in this case leads to an important improvement of the performance of original Müller s algorithm, by requiring only one exponentiation for half of the squares in Z p (Case (I)) and two for the rest (Case (II)). The resulted algorithm is presented in Figure. In case (a) p 1 4 = 1, Müller s algorithm requires one exponentiation (Step 1) and five multiplications (two multiplications in Step, one multiplication in Step 3 and two multiplications in Step 4). In case (a) p 1 4 = 1, Müller s algorithm, besides the operations in Steps 1-3, requires one more exponentiation (Step 8) and eight more multiplications (one multiplication in Step 8, four multiplications in Step 9 and three multiplications in Step 10. Additionally, ( ) Step 7 requires, on average, two quadratic character d evaluations (generate randomly d Z p until = 1 - because half of the elements are quadratic p non-residues, two generations are required on average). It is interesting to remark that Ankeny [1] has proven that, by assuming the Extended Riemann Hypothesis (ERH), the least quadratic non-residue modulopis ino((log p) ). As a consequence, in this case, the presented probabilistic algorithm for finding a quadratic non-residue can be transformed into a deterministic polynomial time algorithm of complexity O((log p) 4 ). 4. A Complete Generalization of Atkin s Square Root Algorithm In this section we extend Atkin s algorithm to the case p s + 1 mod s+1, for any s, thus providing a complete solution for the case p 1 mod 4. For any prime p, with p 1 mod 4, we can express p 1 as p 1 = s t, where s and t is odd. If we write t as t = t + 1, we obtain that p = s+1 t + s +1 that implies that p s +1mod s+1.

5 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 75 Müller s Algorithm(p,a) input: p prime such that p 9mod16, a Z p a quadratic residue; output: b, a square root ofamodulo p; begin 1. α := (a) p 9 16 ;. β := aα ; 3. ifβ = 1 4. then b := αa(β 1); 5. else 6. begin 7. generate d, a quadratic non-residue modulo p; 8. α := αd p 9 8 ; 9. β := ad α ; 10. b := αad(β 1); 11. end 1. return b end. Figure : Müller s algorithm We will express a as a = αa(β 1)d norm, whereβ = 1,dis a quadratic non-residue modulo p,norm 0, and ad norm α = β. Indeed, in this case, (αa(β 1)d norm ) = a( ad norm α β) = a( β ) = a. Moreover, in order to easily determine α, it will be convenient that β has the form β = (ad norm ) k, with k odd. The key point of our generalization is Base Case: (ad norm ) p 1 s 1 = 1, for somenorm 0. In this case, because p 1 is odd, we can choose β asβ = (ad norm ) p 1 s s, α as p 1 α = (ad norm ) s 1 = (ad norm ) p (s +1) s+1 = (ad norm ) t 1. In contrast to Müller s impractical attempt of further generalizing Atkin s approach ([15, Remark ]), we focus on finding an adequate value fornorm, the exponent ofdsuch that thebase Case is satisfied. In order to derive the value ofnorm, we use the following results: Theorem 4.1. Letpbe an odd prime, p 1 = s t (s 3,todd), a a quadratic residue modulo p, and d a quadratic non-residue modulo p. Then, for all 1 i s 1, the following statement holds ( norm N)((ad norm ) p 1 i = 1) ( norm N)((ad norm ) p 1 s 1 = 1)

6 76 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm Proof: We use induction oni. Initial Case - For i = s 1the reasoning is very simple. If there is a positive integer norm such that (ad norm ) p 1 s 1 = 1 then, using that d p 1 = 1 (or, (d s ) p 1 s 1 = 1), we obtain that (ad norm d s ) p 1 s 1 = 1, and, furthermore, (ad (norm + s 3) ) p 1 s 1 = 1. Thus, we may choose norm = norm + s 3. Inductive Case - Let us consider an arbitrary number i, 1 i < s 1. We assume that the statement holds for the case i+1 and we will prove it for the case i. If there is a natural number norm such that (ad norm ) p 1 i = 1, or, ((ad norm ) p 1 i+1 ) = 1, then (ad norm ) p 1 i+1 = ±1. We have two cases: If(ad norm ) p 1 i+1 = 1 then, using the inductive hypothesis, we directly obtain that( norm N)((ad norm ) p 1 s 1 = 1); If (ad norm ) p 1 i+1 = 1 then, using that d p 1 = 1 (or, equivalently, (d i ) p 1 i+1 = 1) we obtain that (ad norm d i ) p 1 i+1 = 1, and, furthermore, (ad (norm + i 1) ) p 1 i+1 = 1. Finally, using the inductive hypothesis, we obtain that the required statement holds. The previous theorem leads to the following: Corollary 4.. Let p be an odd prime, p 1 = s t (s, t odd), a a quadratic residue modulo p, and d a quadratic non-residue modulo p. Then there exists norm N such that (ad norm ) p 1 s 1 = 1. Proof: For s =, we obtain directly norm = 0, because in this case is a quadratic non-residue modulo p and the relation (a) p 1 = 1 holds. For s 3, is a quadratic residue and thus, we have (a) p 1 = 1. Using Theorem 4.1, for i = 1 (norm = 0) we obtain that there is norm N such that (ad norm ) p 1 s 1 = 1. Therefore, all other possible cases can be recursively reduced to thebase Case as presented above. In order to further clarify the points made so far, we will now give an algorithmic description of our generalization. We will use a special subroutine named FindPlace (presented in Figure 3), in which, starting with certain values for a and norm that satisfy (ad norm ) p 1 i = 1, for some i, we will search for a place j as close as possible tos 1 such that temp = (ad norm ) p 1 j = ±1. Furthermore, we will also formulate Base Case as a subroutine in Figure 4. Finally, the main part of our algorithm is presented in Figure 5.

7 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 77 FindPlace(a, norm) begin 1. ifnorm = 0thentemp := (a) t. elsetemp := (ad norm ) t ; 3. j := s; 4. repeat 5. j := j 1; 6. temp := temp ; 7. until (temp = 1 temp = 1) 8. return(j, temp) end. BaseCase(a, norm) begin 1. α := (ad norm ) t 1 ;. β := (ad norm )α ; 3. b := αa(β 1)d norm ; 4. return b end. Figure 3: FindPlace Subroutine Figure 4: BaseCase Subroutine Remark 4.3. For the clarity of the presentation, we believe it is also necessary to make some comments and prove some statements on the Generalized Atkin Algorithm and its subroutines: 1. The variable norm contains the current value of the normalization exponent.. Some useful properties of the subroutine FindPlace are presented next: (a) If the outputted value j of the subroutine FindPlace is not equal to s 1, then the corresponding value temp will be 1. Proof: Because j < s 1 then at least two iterations of repeat until have been performed (because initially j = s and then j is decremented in each iteration). If we assume by contradiction that the final value of temp is 1, then the previous value temp satisfies temp = ±1 (because temp = temp in Step 6), and, thus, the algorithm had to terminate at the previous iteration. (b) Let (j,temp) and (j,temp ) be the outputs of two consecutive calls of the subroutine FindPlace. Then j < j.

8 78 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm Generalized Atkin Algorithm(p,a) input: p prime such that p 1 mod 4 a Z p a quadratic residue; output: b, a square root of a modulo p; begin 1. determines and t odd such that p 1 = s t;. generated, a quadratic non-residue modulo p; 3. norm := 0; 4. (j, temp) := FindPlace(a, norm); 5. while (j < s 1) 6. begin 7. norm := norm+ j ; 8. (j, temp) := FindPlace(a, norm); 9. end 10. if (temp = 1) then BaseCase(a, norm) 11. if (temp = 1) then 1. begin 13. norm := norm+ s 3 ; 14. BaseCase(a, norm); 15. end end. Figure 5: Generalized Atkin Algorithm Proof: Let us first point out that j < s 1 (otherwise, if j = s 1, there will not be another call of FindPlace, since the algorithm will end with a call ofbasecase), which implies thatj+1 s 1. Therefore, we obtaintemp = (ad norm ) p 1 j = 1. Furthermore, we have(ad norm ) p 1 j = 1, which implies that(ad norm ) p 1 j+1 = ±1, leading toj+1 j (becausej is the greatest element less than s 1 such that (ad norm ) p 1 j = ±1). 3. If p 5 mod 8, i.e., s =, then FindPlace will be called exactly once (with a and norm = 0) and it will output j = s 1 = 1 and temp = 1 - in this case, the subroutine BaseCase will directly lead to the final result (no normalization is required). Thus, we have obtained Atkin s algorithm as a particular case of our algorithm. 4. If p 9 mod16, i.e., s = 3, then FindPlace will be called exactly once (with a and norm = 0) and it will output j = s 1 = and temp = ±1. Two subcases are possible: In case temp = 1, the subroutine BaseCase will lead directly to the final result (no normalization is required);

9 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 79 In casetemp = 1, the normalization exponent will be updated asnorm = = 1 and the subroutine BaseCase will be called. Consequently, the final result will be computed as b := αa(β 1)d 1 (Step 3 ofbasecase). Thus, we have obtained Müller s algorithm as a particular case of our algorithm. 5. Efficient Implementation and Performance Analysis We start with the average-case and worst-case complexity analysis of our initial algorithm and then we discuss several improvements for efficient implementation. Finally we present several comparisons with the most important generic square root computing methods, namely Tonelli-Shanks and Cippola-Lehmer Average-Case and Worst-Case Complexity Analysis We will consider the cases s 4 (for s =, s = 3, we obtain, Atkin s algorithm, and, respectively, Müller s algorithm, whose complexities have been discussed in Section 3). Our algorithm determines the value of norm by calling the subroutine FindPlace for each 1 digit in the binary expression of norm. Therefore, the algorithm makes Hw(norm) calls to FindPlace, where Hw(x) denotes the Hamming weight ofx(i.e., the number of1 s in x). Let E denote one exponentiation, M - one multiplication, and S - one squaring (all these operations are performed modulo p). Our subroutines will involve: FindPlace - if the output is (j,temp) then at most E+1M+(s j)s; BaseCase - at most 3E+6M+1S. We exclude the complexity of generating a quadratic non-residue d. All the other computations can be considered negligible (ifnorm is represented in base then the step norm := norm+ j implies only setting a certain bit to 1). In the average case, we have Hw(norm) = s, which means that our algorithm will include s calls to FindPlace and a call to BaseCase. Thus, the total number of operations is, on average, the following: s 1 s (E+1M)+ j= (s j) S+3E+6M+1S = (s )E+ (s ) M+ (s 1)(s ) 4 S+3E+6M+1S = (s+1)e+ s+10 M+ s 3s+6 4 S In contrast, in the worst case, norm will have Hw(norm) = s (i.e., all the bits from norm will be equal to 1), resulting in (s ) calls to FindPlace and a call to BaseCase. The total number of operations now becomes the following: (s )(E+1M)+ s 1 j= (s j)s+3e+6m+1s = (s )E+(s )M+ (s 1)(s ) S+3E+6M+1S = (s 1)E+(s+4)M+ s 3s+4 S Once more, we do not count the generation of a quadratic non-residue d. Consequently, both the average-case and the worst-case complexity of our initial algorithm are ino((log p) 4 ).

10 80 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 5.. More Efficient Implementation It is obvious that several steps (especially the steps that involves exponentiations) of our algorithm can be performed much more efficiently compared to their raw implementation. A first solution is to precompute several powers ofd, to keep track ofd norm and(d norm ) t 1 as norm is updated and efficiently recompute the value of temp from Step of FindPlace by using the previous values. Moreover, in this case, the final exponentiations (from BaseCase) can also be performed efficiently. We will now examine the computations behind our algorithm more closely, in order to point out possible improvements, if precomputations can be afforded. We begin by defining the elements D j, 0 j s 1, D j = D j, D = d t and A j, 0 j s, A j = A j, A = (a) t. Let us denote A j D temp norm by < j,temp norm >, where temp norm is in binary form. In our algorithm, we determine the value of norm = (f s 3...f 0 ) by successively computing the digits f 0, f 1,..., f s 3, so that: s 1 0 s {}}{ T s =< s, f >= 1 T s 3 =< s 3, f 1 f }{{} >= 1 s 0 s. T =<, f s 4...f 1 f >= 1 T 1 =< 1, f s 3...f 1 f 0 00 >= 1 We remark that the last element T 1 is exactly the element from the Base Case: (ad norm ) p 1 s 1. The reader will notice that for any 0 j s, we would compute T j = A j D (f s j...f 1 f ) in a naive manner, by multiplying A j with all the ( i ) th powers of D corresponding to the 1 bits from f s j...f 1 f In order to reduce the number of modular multiplications, let us choose a fixed, small integer k, with k 1, and consider the k terms T j,t j 1,...,T j k+1, where j k +1 > 1. We obtain the following sequence: T j =< j, f s j f s 3 j...f 1 f }{{} > = 1 j+1 0 s T j 1 =< j 1, f s j+1 f s j f s 3 j...f 1 f }{{} > = 1 j 0 s. T j k+ =< j k+, f s j+k...f s j f s 3 j...f 1 f }{{} > = 1 j k+3 0 s T j k+1 =< j k+1, f s j+k 1...f s j f s 3 j...f 1 f }{{} > = 1 j k+ 0 s

11 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 81 Importantly, the sequence f s 3 j...f 1 f 0 appears in all of the above terms. Let us denote the term D f s 3 j...f 1 f 0 j k+ 0 s {}}{ by aux. We notice that the T j,t j 1,...,T j k+1 can be computed in the following way, once we have determined T j+1 (and, implicitly, f s 3 j,...,f 1,f 0 ): T j T j 1 =A j D f s j s 1 }{{} S 0 =A j 1 D f s j+1 s 1 }{{}. auxk 1 f s j s D }{{} S 1 S 0 auxk T j k+ =A j k+ D f s j+k s 1 } {{ } S k T j k+1 =A j k+1 D f s j+k 1 s 1 }{{} f D s j+1 s k+ }{{} f s j+k s D }{{} S k 1 S k f s j s k+1 D }{{} aux S 1 S 0 f D s j+1 s k+1 }{{} f s j s k D aux }{{} S 1 We added underbraces with subscripts to the terms in order to highlight the fact that it is useful to see terms which have the same exponent as being part of a larger set. We will show how we can efficiently generate the powers of aux and the sets S w, for 0 w k 1. Firstly, we compute aux in the regular manner, and then aux i, for 1 i k 1, through k 1 modular squarings. This way, we use onlyk 1 modular squarings, instead of(k 1) Hw(f s 3 j...f 1 f 0 ) regular modular multiplications. Secondly, we still have to compute the sets of terms S w = {D f s j+w s k+w+z 0 z k 1 w}, for 0 w k 1. Intuitively, the set S w contains all the terms located w positions below the main diagonal, for 0 w k 1. For each w, if f s j+w = 0 (as T s j+w = 1), we do not have to compute anything because S w = {1}, while if f s j+w = 1 (as T s j+w = 1), each set can be easily generated by taking D s k+w and applying k w 1 modular squarings. Inner Loop 1. compute aux. set T j k+1 := A j k+1 aux; 3. for w = 0 to k 1 do: 4. determine f s j+w 5. update T j k+1 by setting T j k+1 := T j k+1 D s k+w 6. for i = to k w 1 do: 7. update T j k+i by setting T j k+i := Tj k+i 1 Figure 6: Inner Loop S 0

12 8 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm Thirdly, by storing the termst j,t j 1,...,T j k+1 we can efficiently combine the two aforementioned improvements as presented in Figure 6. For each value of w between 0 and k 1, running the inner loop generates both the necessary powers of aux and the set S w. Once the outer loop is completed, we have determined k new digits from the binary representation ofnorm. We repeat this procedure until we know all the bits ofnorm. Finally, we can also simplify the last computations of our initial algorithm. The standard procedure would be to first calculate the terms α = (ad norm ) t 1 and β = (ad norm )α, and then to generate the square root b = αa(β 1)d norm. However, if we elaborate the expression ofbwe obtain b = aαd norm (β 1) = a(a) t 1 d normt 1 d norm ((a) t (d norm ) t 1) = a(a) t 1 d t norm ((a) t (d t norm ) 1) Once we have computed (a) t 1, we can then easily modify the final run of the inner loop in order to generate D norm = (d t ) norm and to compute the value of b. When combined, our suggestions lead to a significantly improved version of our initial algorithm. The precomputation stage is as follows: Precomputation(p,a,k) input: p prime such that p 1mod4, p 1 = s t, t odd; k, 1 k s, a precomputation parameter; output: D j, 0 j s 1, D j = D j,d = d t, d quadratic non-residue, aux A = (a) t 1, A = (a) t and A s 1 k i,1 i q, whereq = s k,a s 1 k i = (a) ts 1 k i begin 1. generate and stored(by any means available);. compute and stored and D i, 0 j s 1 (by square-and-multiply exponentiation); 3. compute and storeaux A, A and A s 1 k i,1 i q (by square-and-multiply exponentiation); end Figure 7: Precomputation Subroutine We have precomputed all the required powers ofd, but only certain powers ofa. It is not necessary to keep all the powers of A, since the missing powers can be generated as they are needed. This is because the algorithm behind the third improvement uses only one stored power of A and implicitly employs k 1other powers of A, which are kept only for the duration of the outer loop. We have also computed the term aux A = (a) t 1, which is part of the final improvement. Moreover, we assume that we have enough memory capacity to storeknumbers, namelyacc h, where1 h k. These numbers are exactly T j,t j 1,...,T j k+1, as used in the description ofinner Loop.

13 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 83 The main part of our improved algorithm is presented in Figure 8. Before running the actual algorithm, theprecomputation subroutine must be called. Note, however, that ifpis a priori known, Steps 1 and from Precomputation need to be performed only once (and this may be done in advance), while Step 3 must be repeated for each a. Improved Generalized Atkin Algorithm(p, a, k) input: p prime such that p 1mod4, p 1 = s t, t odd; a Z p a quadratic residue; output: b, a square root ofamodulo p; begin 1. step := s ;. aux norm := 0 = (e s 1...e 0 ) ; (the final aux norm is4 norm) 3. q := s k ; 4. rem := (s ) mod k+1; 5. fori = 1to q do 6. begin 7. Complete Accumulator Update(step, k); 8. Complete Inner Loop(step,k); 9. end 11. Final Accumulator Update and Inner Loop(step,k, rem); 1. b := a aux A aux ACC (A aux ACC 1); 13. return b end. Figure 8: Improved Generalized Atkin Algorithm The first two subroutines correspond to the Inner Loop (described in Figure 6) in the following manner: Complete Accumulator Update (presented in Figure 9) implements Steps 1 and, computing aux and T j k+1. Complete Inner Loop (presented in Figure 10) implements the loop in Steps 3 through 7, computing the bits f s j,...,f s 3 j+k. Final Accumulator Update and Inner Loop (presented in Figures 11, 1) is an incomplete combination of a Complete Accumulator Update and a Complete Inner Loop, for determining the remaining bits of norm, since s may not be an exact multiple of k. Moreover, a slight adjustment is made in order to obtain the term aux ACC = D norm = (d t ) norm. We consider the case s = separately and set aux ACC := 1 since this case does not fit in the general framework. For s >, the last part of this subroutine (Steps 15-34) computes the term T 1 which must be treated individually, as T 1 = 1 while all other T i s are equal to 1, for i s.

14 84 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm Complete Accumulator Update(step, k) begin s 1 1. ACC 1 := A step k+1 j=step+ (D j k ) e j ;. forj = tok doacc j := ACC j 1 ; end Figure 9: Complete Accumulator Update Subroutine Complete Inner Loop(step,k) begin 1. forj = k downto1do. begin 3. aux norm := aux norm /; 4. ifacc j = 1then 5. begin 6. ACC 1 := ACC 1 D s j ; 7. forh = to j 1doACC h := ACCh 1 ; 8. e s 1 := 1; 9. end 10. step := step 1; 11. end end Figure 10: Complete Inner Loop Subroutine

15 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 85 Final Accumulator Update and Inner Loop(step,k, rem) begin 1. aux ACC := s 1 j=step+ (D j step ) e j ;. ACC 1 := A aux ACC ; 3. forj = toremdo ACC j := ACCj 1 ; 4 forj = rem 1downtodo 5. begin 6. aux norm := aux norm /; 7. ifacc j = 1then 8. begin 9. aux ACC := aux ACC D s 1 j ; 10. ACC 1 := A aux ACC ; 11. forh = toj 1doACC h := ACCh 1 ; 1. e s 1 := 1; 13. end 14. end 15. ifrem = 1then 16. ifs = thenaux ACC := 1; 17. else 18. ife s 1 = 0then 19. begin 0. aux ACC := aux ACC D s 3 ; 1. e s 1 := 1;. end 3. else begin 4. aux ACC := aux ACC D s 3 D s D s 1 ; 5. e s 1 := 0; 6. end Figure 11: Final Accumulator Update and Inner Loop Subroutine

16 86 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 7. else begin 8. aux norm := aux norm /; 9. if ACC = 1then 30. begin 31. aux ACC := aux ACC D s 3 ; 3. e s 1 := 1; 33. end 34. end end Figure 1: Final Accumulator Update and Inner Loop Subroutine (continued) Example 5.1 illustrates the application of our improved algorithm. Example 5.1. Let us consider p = 189 (s = 1, t = 3) and a = 564 (564 is a quadratic residue modulo 189). We choose d = 19, k = 3 (therefore, q = 3), and obtain the following values : i D i A i i D i A i However, we will only store the D i s, for 0 i 11, as well as A 0, A, A 5, A 8 and aux A = 518. We obtain step = 10, aux norm = 0 and rem =. For i = 1, we update the accumulators so that ACC 1 = A 8 = 5164, ACC = A 9 = and ACC 3 = A 10 = 1. Entering thecomplete Inner Loop, we have: since ACC 3 = 1, we have ACC 1 = ACC 1 D 9 = 1 and ACC = ACC1 e 11 = 1,aux norm = 0/+048 = 048 and step = 9; = 1. Moreover, since ACC = 1, we get aux norm = 048/ = 104 and step = 8; since ACC 1 = 1, we get aux norm = 104/ = 51 and step = 7; Fori=, we update the accumulators so that ACC 1 = 1, ACC = 1 and ACC 3 = 1. Entering thecomplete Inner Loop, we have:

17 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 87 since ACC 3 = 1, we get aux norm = 51/ = 56 and step = 6; since ACC = 1, we get aux norm = 56/ = 18 and step = 5; since ACC 1 = 1, we get aux norm = 18/ = 64 and step = 4; Fori = 3, we update the accumulators so that ACC 1 = 846, ACC = 1479 and ACC 3 = 1. Entering theinner Loop, we have: since ACC 3 = 1, we have ACC 1 = ACC 1 D 9 = and ACC = ACC 1 = 1. Furthermore, e 11 = 1, aux norm = 64/+048 = 080 and step = 3; since ACC = 1, we have ACC 1 = ACC 1 D 10 = 1. Furthermore, e 11 = 1, aux norm = 080/+048 = 3088 and step = ; since ACC 1 = 1, we get aux norm = 3088/ = 1544 and step = 1; We now perform thefinal Accumulator Update and Inner Loop. Thus, we obtainaux ACC = D 0 D 6 D 7 = 1490, ACC 1 = A aux ACC = 1 and ACC = ACC 1 = 1. Since ACC = 1, we obtain e 11 = 1, aux norm = 1544/ = 80 (thus, norm = 80/4 = 705) and aux ACC = aux ACC D 9 = 460. The final computation gives us b = a aux A aux ACC (A aux ACC 1) = ( ) = Average-Case and Worst-Case Complexity Analysis for the Improved Algorithm In the average case, we obtain the following complexities, based on the fact that norm has around s/ bits equal to 1 in its representation: If p is a priori known, Precomputation takes 1E for the terms involving A (the computation of the terms involving D can be performed in advance). Ifpis not a priori known,precomputation takes E, which means 1E for terms involving D and 1E for the terms involving A. Complete Accumulator Update takes s 4M and(k 1)S (since, on average, we uses/ bits from norm, either of which can be 0 or 1, with equal probability). Complete Inner Loop takes k M + k(k 1) 4 S (since we usek bits from norm, either of which can be0or1, with equal probability). Final Accumulator Update and Inner Loop takes k M + s 4 M +(k 1)S + k M + k(k 1) 4 S. The final computation ofbtakes 4M +1S. The estimate does not include the generation of a quadratic non-residue d. In general, the computation takes about E + s k (s 4 M + ks + k M + k(k 1) 4 S) + (k +4)M + 1S. This value is around E + 3s 4 S + s M (s k )M (sk)s + km. Taking k = s (the optimal choice) leaves us with E + 3s 4 S + s M (s s )M (s s )S + s M.

18 88 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm If p is a priori known, we obtain 1E + 3s 4 S + s M (s s )M (s s )S + s M. In this case, we need s precomputed elements and memory for just s additional elements. Moving on to the worst case, we consider the fact that norm s binary representation has roughly s bits which are equal to 1. This results in the following complexities: Precomputation - same as for the average case. Complete Accumulator Update takes s M and(k 1)S (since, on average, we uses/ bits from norm, and all of norm s bits are equal to1). Complete Inner Loop takes km + k(k 1) S (since we use k bits from norm, and all of norm s bits are equal to1). Final Accumulator Update and Inner Loop takes km + s k(k 1) M +(k 1)S +km + S. The final computation ofbtakes 4M +1S - same as for the average case. Again, we exclude the generation of a quadratic non-residue d. The computation takes at most about E + s k (s k(k 1) M + ks + km + S) + (k + 4)M + 1S. This value is approximately E + s S + sm + 1 (s k )M + 1 (sk)s + km. If we set k = s (the optimal choice), we have E + s S + sm + 1 (s s )M + 1 (s s )S + s M. If p is a priori known, we obtain E + s S + sm + 1 (s s )M + 1 (s s )S + s M. Like in the average case, we will need s precomputed elements and memory for just s additional eleme nts. Consequently, both the average-case and the worst-case complexity of our improved algorithm are in O((log p) 3.5 ) Comparisons with Other Methods In this section we will compare our algorithm with the most important square root algorithms, namely Tonelli-Shanks and Cippola-Lehmer. After a short overview of these algorithms, we will put forward a computational comparison of the three algorithms Tonelli-Shanks Algorithm The Tonelli-Shanks algorithm ([], [0]) reduces the problem of computing a square root to another famous problem, namely the discrete logarithm problem - given a finite cyclic group G, a generator α of it, and an arbitrary element β G, determine the unique k, 0 k G 1, such that β = α k. The element k will be referred to as the discrete logarithm of β in base α, denoted by k = log α β. Although this problem is intractable, if the order of the group is smooth, i.e., its prime factors do not exceed a given bound, there is an efficient algorithm due to Pohlig and Hellman [16]. Let us consider an odd prime p, p = s t+1, with s and t is odd, a a quadratic residue and d a quadratic non-residue (modulo p). Tonelli-Shanks algorithm is based on the following simple facts: 1. Let α = d t. Then < α > = s, or, equivalently, ord(α) = s, where < α > denotes the subgroup induced by α, and ord(α) represents the order of α (in Z p ).. Letβ = a t. Thenβ < α > andlog α β is even (this discrete logarithm is considered with respect to the subgroup induced by α).

19 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 89 Thus, if we can determine k such that β = α k, then a can be computed as a = a t+1 (d 1 ) k t. Indeed, (a t+1 (d 1 ) k t ) = a t+1 (d kt ) 1 = a t+1 a t = a. Thus, the difficult part is finding k, the discrete logarithm of β in base α (in the subgroup < α > of order s ). Tonnelli and Shanks compute the element k bit by bit. Lindhurst [14] has proven that Tonelli-Shanks algorithm requires on average two exponentiations, s 4 multiplications, and two quadratic character evaluations, with the worst-case complexity O((log p) 4 ). Bernstein [5] has proposed a method of computing w bits of k at a time. His algorithm involves an exponentiation and s w multiplications, with a precomputation phase that additionally requires two quadratic character evaluations on average, an exponentiation, and about w s w multiplications, producing a table with w s w precomputed powers ofα Cippola-Lehmer Algorithm The following square root algorithm is due to Cipolla [6] and Lehmer [1]. Cipolla s method is based on arithmetic in quadratic extension fields, which is briefly reminded below. Let us consider an odd prime p and a a quadratic residue modulo p. We first generate an element z Z p such that z a is a quadratic non-residue. The extension field Z p ( z a) is constructed as follows: its elements are pairs (x,y) Z p; the addition is defined as (x,y)+(x,y ) = (x+x,y +y ); the multiplication is defined as (x,y) (x,y ) = (xx +yy (z a),xy +x y); the additive identity is(0, 0), and the multiplicative identity is(1, 0); the additive inverse of (x,y) is( x, y) and its multiplicative inverse is (x(x y (z a)) 1, y(x y (z a)) 1 ). Cipolla has remarked that a square root ofacan be computed using that (z,1) p+1 = ( a,0), and his method requires two quadratic character evaluations on average and at most 6log p multiplications ([7, page 96]). Lehmer s method is based on evaluating Lucas sequences. Let us consider the sequence (V k ) k 0 defined by V 0 =, V 1 = z, and V k = zv k 1 av k, for all k, where z Z p is generates such that z 4a is a quadratic non-residue. Lehmer has proved that a = 1 Vp+1 and his method requires two quadratic character evaluations on average and about 4.5log p multiplications ([18]). Müller [15] has proposed an improved variant that requires only log p multiplications, which will be referred to as the Improved Cipolla-Lehmer.,

20 90 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm Tests Results We have implemented Improved Generalized Atkin (Imp-Gen-Atk) and the fastest known algorithms, namely Tonelli-Shanks-Bernstein (Ton-Sha-Ber) and Improved Cipolla-Lehmer (Imp-Cip-Leh). For all pairs (log p,s), log p {18,56,51,104}, s {4,8,16, log p }, we have generated 3 pairs (p,a), where a is a quadratic residue modulo p and we have counted the average number of modular squarings and regular modular multiplications. We have considered two cases, depending whether p is known a priori or not. We have not included the computation required for finding a quadratic non-residue modulo p. For exponentiation we have considered the simplest method, namely the square-and-multiply exponentiation. In case of an exponent x, this method requires log x squarings and Hw(x) regular multiplications. For Improved Generalized Atkin we choose the optimal k = s, requiring s + s stored values. For Tonelli-Shanks-Bernstein, given that the number of needed precomputed values is s w w, in order to reach a number of elements comparable with ours, we choose the parameter w = (that leads to s elements). We have to remark that the performance of Improved Cipolla-Lehmer does not depend on s. We present the results for the case that p is not known a priori in Tables 1-4. In each column the first value indicates the average number of squarings and the second one denotes the average number of regular multiplications. log p Method Imp-Gen-Atk 56 / / / / 1036 Ton-Sha-Ber 55 / / / / 1076 Imp-Cip-Leh 16 / / / / 100 Table 1. Comparison between methods for s = 4, where p is unknown log p Method Imp-Gen-Atk 60 / / / / 1031 Ton-Sha-Ber 55 / / / / 1076 Imp-Cip-Leh 16 / / / / 100 Table. Comparison between methods for s = 8, where p is unknown log p Method Imp-Gen-Atk 70 / / / / 1041 Ton-Sha-Ber 55 / / / / 1178 Imp-Cip-Leh 16 / / / / 100 Table 3. Comparison between methods for s = 16, where p is unknown

21 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 91 log p Method Imp-Gen-Atk 303 / / / / 1059 Ton-Sha-Ber 53 / / / / 1195 Imp-Cip-Leh 16 / / / / 100 Table 4. Comparison between methods for s = 3, where p is unknown log p Method Imp-Gen-Atk 39 / / / / 371 Ton-Sha-Ber 53 / / / / Imp-Cip-Leh 16 / / / / 100 Table 5. Comparison between methods fors = log p, wherepis unknown In case that p is not known a priori, Improved Cipolla-Lehmer is clearly the best, while our algorithm is comparable with Tonelli-Shanks-Bernstein. We are interested in determining the values of s for which our algorithm is more efficient than Improved Cipolla-Lehmer and/or Tonelli-Shanks-Bernstein considering the case that p is known a priori. We express 1E as log p S+ log p s M. To simplify the comparisons we no longer distinguish between squarings and regular multiplications. More precisely, let us first determine s such that our algorithm is more efficient than Improved Cipolla-Lehmer in terms of total computation: log p+ log p s + 3s 4 + s (s s )+ 1 4 (s s )+ s < log p We obtain the following sequence of equivalent inequalities: log p+ log p s + s s + 5s 4 + s < log p s s + 3s 4 + s < log p s s + 3s + s < log p We now turn our attention to Tonelli-Shanks-Bernstein with the parameter w =. A more thorough analysis of this algorithm gives us log p+ log p s + s 8 + 3s multiplications. We obtain the following inequality: which leads to s > 0. s s + 5s 4 + s < s 8 + 3s

22 9 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm We present the results for the case that p is known a priori in Tables 5-8. We remind the reader that in each column the first value indicates the average number of squarings and the second one denotes the average number of regular multiplications. log p Method Imp-Gen-Atk 18 / 7 56 / / / 50 Ton-Sha-Ber 16 / / / / 5 Imp-Cip-Leh 16 / / / / 100 Table 6. Comparison between methods for s = 4, where p is known a priori log p Method Imp-Gen-Atk 131 / / / / 5 Ton-Sha-Ber 17 / / / / 559 Imp-Cip-Leh 16 / / / / 100 Table 7. Comparison between methods for s = 8, where p is known a priori log p Method Imp-Gen-Atk 141 / / / / 54 Ton-Sha-Ber 16 / / / / 574 Imp-Cip-Leh 16 / / / / 100 Table 8. Comparison between methods for s = 16, where p is known a priori log p Method Imp-Gen-Atk 176 / / / / 560 Ton-Sha-Ber 16 / / / / 697 Imp-Cip-Leh 16 / / / / 100 Table 9. Comparison between methods for s = 3, where p is known a priori

23 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm 93 log p Method Imp-Gen-Atk 68 / / / / 345 Ton-Sha-Ber 16 / / / / 3417 Imp-Cip-Leh 16 / / / / 100 Table 10. Comparison between methods fors = log p, wherepis known a priori 6. Conclusions and Future Work In this paper we have extended Atkin s algorithm to the general casep s +1mod s+1, for anys, thus providing a complete solution for the case p 1 mod 4. Complexity analysis and comparisons with other methods have also been provided. An interesting problem is extending our algorithm to arbitrary finite fields. In the case of the finite fields GF(p k ), for k odd, the efficient techniques described in [11], [9] can be adapted to our case in a straightforward manner, but, to the best of our knowledge, there are no similar techniques for the case GF(p k ), for k even. We will focus on this topic in our future work. Acknowledgements We would like to thank the two anonymous reviewers for their helpful suggestions. References [1] Ankeny, N. C.: The Least Quadratic Non Residue, Annals of Mathematics, 55(1), 195, [] Atkin, A.: Probabilistic primality testing (summary by F. Morain), Technical Report 1779, INRIA, 199, URL: [3] Atkin, A., Morain, F.: Elliptic Curves and Primality Proving, Mathematics of Computation, 61(03), 1993, [4] Bach, E., Shallit, J.: Algorithmic Number Theory, Volume I: Efficient Algorithms, MIT Press, [5] Bernstein, D. J.: Faster square roots in annoying finite fields (preprint), 001, URL: [6] Cipolla, M.: Un metodo per la risoluzione della congruenza di secondo grado, Rendiconto dell Accademia delle Scienze Fisiche e Matematiche, Napoli, 9, 1903, [7] Crandall, R., Pomerance, C.: Prime Numbers. A Computational Perspective, Springer-Verlag, 001. [8] Eikenberry, S., Sorenson, J.: Efficient Algorithms for Computing the Jacobi Symbol, Journal of Symbolic Computation, 6(4), 1998, [9] Han, D.-G., Choi, D., Kim, H.: Improved Computation of Square Roots in Specific Finite Fields, IEEE Transactions on Computers, 58(), 009,

24 94 A.S. Rotaru and S. Iftene / A Complete Generalization of Atkin s Square Root Algorithm [10] IEEE Std Standard Specifications For Public-Key Cryptography, 000. [11] Kong, F., Cai, Z., Yu, J., Li, D.: Improved generalized Atkin algorithm for computing square roots in finite fields, Information Processing Letters, 98(1), 006, 1 5. [1] Lehmer, D.: Computer technology applied to the theory of numbers, Studies in number theory (W. Leveque, Ed.), 6, Prentice-Hall, [13] Lemmermeyer, F.: Reciprocity Laws. From Euler to Eisenstein, Springer-Verlag, 000. [14] Lindhurst, S.: An analysis of Shanks s algorithm for computing square roots in finite fields, in: Number theory (R.Gupta, K. Williams, Eds.), American Mathematical Society, 1999, [15] Müller, S.: On the Computation of Square Roots in Finite Fields, Designs, Codes and Cryptography, 31(3), 004, [16] Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions on Information Theory, 4, 1978, [17] Pomerance, C.: The Quadratic Sieve Factoring Algorithm, Advances in Cryptology: Proceedings of EURO- CRYPT 84 (T. Beth, N. Cot, I. Ingemarsson, Eds.), 09, Springer-Verlag, [18] Postl, H.: Fast evaluation of Dickson Polynomials, in: Contributions to General Algebra (D. Dorninger, G. Eigenthaler, H. Kaiser, W. Müller, Eds.), vol. 6, B.G. Teubner, 1988, 3 5. [19] Schoof, R.: Elliptic Curves Over Finite Fields and the Computation of Square Roots modp, Mathematics of Computation, 44(170), 1985, [0] Shanks, D.: Five number-theoretic algorithms, Proceedings of the second Manitoba conference on numerical mathematics (R. Thomas, H. Williams, Eds.), 7, Utilitas Mathematica, [1] Sze, T.-W.: On taking square roots without quadratic nonresidues over finite fields, Mathematics of Computation, 80(75), 011, , (a preliminary version of this paper has appeared as arxiv e-print, available at [] Tonelli, A.: Bemerkung über die Auflösung quadratischer Congruenzen, Göttinger Nachrichten, 1891,