Cipolla's algorithm

In computational number theory, Cipolla's algorithm is a technique for solving a congruence of the form

x 2 = n,

where $x,n \in \mathbf{F}_{p}$ , so n is the square of x, and where $p$ is an odd prime. Here $\mathbf{F}_p$ denotes the finite field with $p$ elements; $\{0,1,\dots,p-1\}$ . The algorithm is named after Michele Cipolla, an Italian mathematician who discovered it in the year 1907.

1 The algorithm
2 Example
3 Proof
4 Speed of the algorithm
5 References

The algorithm

Inputs:

$p$ , an odd prime,
$n \in \mathbf{F}_p$ , which is a square.

Outputs:

$x \in \mathbf{F}_p$ , satisfying $x 2 = n .$

Step 1 is to find an $a \in \mathbf{F}_p$ such that $a 2 - n$ is not a square. There is no known algorithm for finding such an $a$ , except the trial and error method. Simply pick an $a$ and by computing the Legendre symbol $(a 2 - n | p)$ one can see whether $a$ satisfies the condition. The chance that a random $a$ will satisfy is $(p - 1) / 2 p$ . With $p$ large enough this is about $1 / 2$ ^[1]. Therefore, the expected number of trials before finding a suitable a is about 2.

Step 2 is to compute x by computing $x=\left( a + \sqrt{a^2-n} \right)^{(p+1)/2}$ within the field $\mathbf{F}_{p^2} = \mathbf{F}_p(\sqrt{a^2-n})$ . This x will be the one satisfying $x 2 = n .$

If $x 2 = n$ , then $( - x) 2 = n$ also holds. And since p is odd, $x \neq -x$ . So whenever a solution x is found, there's always a second solution, -x.

Example

(Note: All elements before step two are considered as an element of $\mathbf{F}_{13}$ and all elements in step two are considered as elements of $\mathbf{F}_{13^2}$ ).

Find all x such that $x 2 = 10.$

Before applying the algorithm, it must be checked that $10$ is indeed a square in $\mathbf{F}_{13}$ . Therefore, the Legendre symbol $(10 | 13)$ has to be equal to 1. This can be computed using Euler's criterion; $(10 | 13) \equiv 10^6 \equiv 1 \bmod 13.$ This confirms 10 being a square and hence the algorithm can be applied.

Step 1: Find an a such that $a 2 - n$ is not a square. As stated, this has to be done by trial and error. Choose $a = 2$ . Then $a 2 - n$ becomes 7. The Legendre symbol $(7 | 13)$ has to be -1. Again this can be computed using Euler's criterion. $7^6 = 343^2 \equiv 5^2 \equiv 25 \equiv -1 \bmod 13.$ So $a = 2$ is a suitable choice for a.
Step 2: Compute $x = \left( a + \sqrt{a^2-n} \right)^{(p+1)/2} = \left( 2 + \sqrt{-6}\right)^7 .$

$\left(2+\sqrt{-6}\right)^2 = 4 + 4\sqrt{-6} - 6 = -2 + 4 \sqrt{-6} .$

$\left(2+\sqrt{-6}\right)^4 = \left(-2+4\sqrt{-6}\right)^2 = -1-3\sqrt{-6} .$

$\left(2+\sqrt{-6}\right)^6 = \left(-2 + 4\sqrt{-6}\right)\left(-1-3\sqrt{-6}\right) = 9+2\sqrt{-6} .$

$\left(2+\sqrt{-6}\right)^7 = \left(9+2\sqrt{-6}\right)\left(2+ \sqrt{-6}\right) = 6 .$

So $x = 6$ is a solution, as well as $x = - 6 = 7.$ Indeed, $62 = 36 = 10$ and $72 = 49 = 10.$

Proof

The first part of the proof is to verify that $\mathbf{F}_{p^2} = \mathbf{F}_p(\sqrt{a^2-n}) = \{x + y\sqrt{a^2-n} : x,y \in \mathbf{F}_p\}$ is indeed a field. For the sake of notation simplicity, $ω$ is defined as $\sqrt{a^2-n}$ . Of course, $a 2 - n$ is a quadratic non-residue, so there is no square root in $\mathbf{F}_p$ . This $ω$ can roughly be seen as analogous to the complex number i. The field arithmetic is quite obvious. Addition is defined as

$\left(x_1 + y_1 \omega \right) + \left(x_2 + y_2 \omega \right) = \left(x_1 + x_2 \right) + \left(y_1 + y_2\right) \omega$ .

Multiplication is also defined as usual. With keeping in mind that $ω 2 = a 2 - n$ , it becomes

$\left(x_1 + y_1 \omega \right)\left(x_2 + y_2 \omega \right) = x_1 x_2 + x_1 y_2 \omega + y_1 x_2 \omega + y_1 y_2 \omega^2 = \left( x_1 x_2 + y_1 y_2 \left(n^2-a\right)\right) + \left(x_1 y_2 + y_1 x_2 \right) \omega$ .

Now the field properties have to be checked. The properties of closure under addition and multiplication, associativity, commutativity and distributivity are easily seen. This is because in this case the field $\mathbf{F}_{p^2}$ is somewhat equivalent to the field of complex numbers (with $ω$ being the analogon of i).
The additive identity is $0$ , more formal $0 + 0ω$ : Let $\alpha \in \mathbf{F}_{p^2}$ , then

α + 0 = (x + y ω) + (0 + 0ω) = (x + 0) + (y + 0)ω = x + y ω = α

The multiplicative identity is $1$ , or more formal $1 + 0ω$ :

$\alpha \cdot 1 = (x+y\omega)(1 + 0\omega) = \left(x\cdot 1 + 0 \cdot 0 \left(n^2-a\right)\right) + (x\cdot 0 + 1 \cdot x)\omega = x+y\omega = \alpha$ .

The only thing left for $\mathbf{F}_{p^2}$ being a field is the existence of additive and multiplicative inverses. It is easily seen that the additive inverse of $x + y ω$ is $- x - y ω$ , which is an element of $\mathbf{F}_{p^2}$ , because $-x,-y \in \mathbf{F}_p$ . In fact, those are the additive inverse elements of x and y. For showing that every non-zero element $α$ has a multiplicative inverse, write down $α = x 1 + y 1 ω$ and $α - 1 = x 2 + y 2 ω$ . In other words,

$(x_1 + y_1 \omega)(x_2 + y_2 \omega) = \left( x_1 x_2 + y_1 y_2 \left(n^2-a\right)\right) + \left(x_1 y_2 + y_1 x_2 \right) \omega = 1$ .

So the two equalities $x 1 x 2 + y 1 y 2 (n 2 - a) = 1$ and $x 1 y 2 + y 1 x 2 = 0$ must hold. Working out the details gives expressions for $x 2$ and $y 2$ , namely

$x_2 = -y_1^{-1}x_1\left(y_1\left(n^2-a\right)-x_1^2y_1^{-1}\right)^{-1}$ ,

$y_2 = \left( y_1 \left(n^2-a\right) - x_1^2y_1^{-1}\right)^{-1}$ .

The inverse elements which are shown in the expressions of $x 2$ and $y 2$ do exist, because these are all elements of $\mathbf{F}_p$ . This completes the first part of the proof, showing that $\mathbf{F}_{p^2}$ is a field.

The second and middle part of the proof is showing that for every element $x+y\omega \in \mathbf{F}_{p^2} : (x+y\omega)^p = x - y\omega$ . By definition, $ω 2 = a 2 - n$ is not a square in $\mathbf{F}_p$ . Euler's criterion then says that

$\omega^{p-1} = \left(\omega^2\right)^{\frac{p-1}{2}} = -1$ .

Thus $ω p = - ω$ . This, together with Fermat's little theorem (which says that $x p = x$ for all $x \in \mathbf{F}_{p}$ ) and the knowledge that in fields of characteristic p the equation $\left(a+b\right)^p = a^p + b^p$ holds, shows the desired result

(x + y ω) p = x p + y p ω p = x - y ω

The third and last part of the proof is to show that if $x_0=\left(a+\omega \right)^{\frac{p+1}{2}} \in \mathbf{F}_{p^2}$ , then $x_0^2=n \in \mathbf{F}_p$ .
Compute

$x_0^2 = \left(a+\omega \right)^{p+1} = (a+\omega)(a+\omega)^{p}=(a+\omega)(a-\omega)=a^2 - \omega^2 = a^2 - \left(a^2 - n \right) = n$ .

Note that this computation took place in $\mathbf{F}_{p^2}$ , so this $x_0 \in \mathbf{F}_{p^2}$ . But with Lagrange's theorem, stating that a non-zero polynomial of degree n has at most n roots in any field K, and the knowledge that $x 2 - n$ has 2 roots in $\mathbf{F}_p$ , these roots must be all of the roots in $\mathbf{F}_{p^2}$ . It was just shown that $x 0$ and $- x 0$ are roots of $x 2 - n$ in $\mathbf{F}_{p^2}$ , so it must be that $x_0, -x_0 \in \mathbf{F}_p$ ^[2].

Speed of the algorithm

After finding a suitable a, the number of operations required for the algorithm is $4 m + 2 k - 4$ multiplications, $4 m - 2$ sums, where m is the number of digits in the binary representation of p and k is the number of ones in this representation. To find a by trial and error, the expected number of computations of the Legendre symbol is 2. But one can be lucky with the first try and one may need more than 2 tries. In the field $\mathbf{F}_{p^2}$ , the following two equalities hold

$(x+y\omega)^2 = \left(x^2 + y^2 \omega^2 \right) + \left(\left(x+y\right)^2-x^2-y^2\right)\omega,$

where $ω 2 = a 2 - n$ is known in advance. This computation needs 4 multiplications and 4 sums.

$\left(x+y\omega\right)^2\left(c + \omega \right) = \left( cd - b\left(x+d\right)\right) + \left(d^2 - by\right)\omega,$

where $d = (x + y c)$ and $b = n y$ . This operation needs 6 multiplications and 4 sums.

Assuming that $p \equiv 1 \pmod 4,$ (in the case $p \equiv 3 \pmod 4$ , the direct computation $x \equiv \pm n^{\frac{p+1}{4}}$ is much faster) the binary expression of $(p + 1) / 2$ has $m - 1$ digits, of which k are ones. So for computing a $(p + 1) / 2$ power of $\left(a + \omega \right)$ , the first formula has to be used $n - k - 1$ times and the second $k - 1$ times.

For this, Cipolla's algorithm is better than the Tonelli-Shanks algorithm if and only if $S (S - 1) > 8 m + 20$ , with $2 S$ being the maximum power of 2 which divides $p - 1$ .^[3]

References

^ R. Crandall, C. Pomerance Prime Numbers: A Computational Perspective Springer-Verlag, (2001) p. 157
^ M. Baker Cipolla's Algorithm for finding square roots mod p
^ Gonzalo Tornaria Square roots modulo p

E. Bach, J.O. Shallit Algorithmic Number Theory: Efficient algorithms MIT Press, (1996)

v · Number-theoretic algorithms

Primality tests	AKS · APR · Baillie–PSW · ECPP · Elliptic curve · Pocklington · Fermat · Lucas · Lucas–Lehmer · Lucas–Lehmer–Riesel · Proth's theorem · Pépin's · Solovay–Strassen · Miller–Rabin · Trial division

Sieving algorithms	Sieve of Atkin · Sieve of Eratosthenes · Sieve of Sundaram · Wheel factorization

Integer factorization algorithms	CFRAC · Dixon's · ECM · Euler's · Pollard's rho · p − 1 · p + 1 · QS · GNFS · SNFS · rational sieve · Fermat's · Shanks' square forms · Trial division · Shor's

Multiplication algorithms	Ancient Egyptian multiplication · Karatsuba algorithm · Toom–Cook multiplication · Schönhage–Strassen algorithm · Fürer's algorithm

Discrete logarithm algorithms	Baby-step giant-step · Pollard rho · Pollard kangaroo · Pohlig–Hellman · Index calculus · Function field sieve

GCD algorithms	Binary GCD · Euclidean · Extended Euclidean · Lehmer's

Modular square root algorithms	Cipolla · Pocklington's · Tonelli–Shanks

Other algorithms	Chakravala · Cornacchia · integer relation algorithm · integer square root · Modular exponentiation · Schoof's

Italics indicate that algorithm is for numbers of special forms; bold indicates deterministic algorithm for primality tests (current article is always in bold).

Categories:

Modular arithmetic
Number theoretic algorithms

Wikimedia Foundation. 2010.

Игры ⚽ Нужна курсовая?

Look at other dictionaries:

Michele Cipolla — (born 28 October 1880 in Palermo; died 7 September 1947 in Palermo) was an Italian mathematician, mainly specializing in number theory. He was a professor of Algebraic Analysis at the University of Catania and, later, the University of Palermo.… … Wikipedia
Multiplication algorithm — A multiplication algorithm is an algorithm (or method) to multiply two numbers. Depending on the size of the numbers, different algorithms are in use. Efficient multiplication algorithms have existed since the advent of the decimal system.… … Wikipedia
Williams' p + 1 algorithm — In computational number theory, Williams p + 1 algorithm is an integer factorization algorithm, one of the family of algebraic group factorisation algorithms. It was invented by Hugh C. Williams in 1982. It works well if the number N to be… … Wikipedia
Cornacchia's algorithm — In computational number theory, Cornacchia s algorithm is an algorithm for solving the Diophantine equation x2 + dy2 = m, where and d and m are coprime. The algorithm was described in 1908 by Giuseppe Cornacchia[1]. Contents 1 The algorithm … Wikipedia
AKS primality test — The AKS primality test (also known as Agrawal–Kayal–Saxena primality test and cyclotomic AKS test) is a deterministic primality proving algorithm created and published by three Indian Institute of Technology Kanpur computer scientists, Manindra… … Wikipedia
Sieve of Eratosthenes — Sieve of Eratosthenes: algorithm steps for primes below 121 (including optimization of starting from prime s square). In mathematics, the sieve of Eratosthenes (Greek: κόσκινον Ἐρατοσθένους), one of a number of prime number sieves, is a simple,… … Wikipedia
Miller–Rabin primality test — The Miller–Rabin primality test or Rabin–Miller primality test is a primality test: an algorithm which determines whether a given number is prime, similar to the Fermat primality test and the Solovay–Strassen primality test. Its original version … Wikipedia
Quadratic sieve — The quadratic sieve algorithm (QS) is a modern integer factorization algorithm and, in practice, the second fastest method known (after the general number field sieve). It is still the fastest for integers under 100 decimal digits or so, and is… … Wikipedia
Discrete logarithm — In mathematics, specifically in abstract algebra and its applications, discrete logarithms are group theoretic analogues of ordinary logarithms. In particular, an ordinary logarithm loga(b) is a solution of the equation ax = b over the… … Wikipedia
Primality test — A primality test is an algorithm for determining whether an input number is prime. Amongst other fields of mathematics, it is used for cryptography. Unlike integer factorization, primality tests do not generally give prime factors, only stating… … Wikipedia

Academic Dictionaries and Encyclopedias

Cipolla's algorithm

Contents

The algorithm

Example

Proof

Speed of the algorithm

References

Look at other dictionaries:

Share the article and excerpts

Academic Dictionaries and Encyclopedias

Wikipedia

Cipolla's algorithm

Contents

The algorithm

Example

Proof

Speed of the algorithm

References

Look at other dictionaries:

Share the article and excerpts

Direct link