2

By using primitive roots, how does one solve $x^2 \equiv -1 \pmod p$ for $x$, given prime $p$ (when solvable)?

In particular I want to solve for very large $p$ efficiently.

helios321
  • 1,495
  • 2
    An intentionally slightly vague procedure: If $g$ is a primitive root and $x=g^a$, then $x^2=g^{2a}$. As $x^4\equiv(-1)^2=1$ we must have $g^{4a}=1=g^0$. This means that $4a$ must be a multiple of the order of $g$. Observe that $g^{2a}\not\equiv g^0$ places the further constraint that $2a$ must not be a multiple of the order of $g$. – Jyrki Lahtonen Nov 09 '20 at 09:27
  • 1
    You do know how to calculate $g^x$ for a largish $x$ efficiently by square-and-multiply, don't you? – Jyrki Lahtonen Nov 09 '20 at 09:29
  • The only way that I know of, assuming that $p \equiv 1\pmod{4},$ is that if $a$ is r.p. to $p$ (e.g. $a=2$) then, setting $k = (p-1)$, you have that $a^k \equiv 1\pmod{p},$ by Fermat's theorem. Therefore, (and there will always be exactly 2 sol'ns), the two sol'ns are $x = a^{(k/2)}$ and $y = p - x$. – user2661923 Nov 09 '20 at 09:35
  • 3
    It depends on exactly what you mean by efficiently. Do you want to run this by hand or program it into a computer? Do you care about speed for small numbers or asymptotic complexity more? Wikipedia lists 4 algorithms for computing modular square roots: Cipolla, Pocklington's, Tonelli–Shanks, Berlekamp. – Sophie Nov 09 '20 at 09:59
  • @user2661923 That won't do. If $x=a^{(p-1)/2}$ then $x^2=a^{p-1}\equiv1$. You need to halve the exponent one more time. You can use a random number $a$ as a base, but then your success rate drops to 50%. For if $a$ happens to be a quadratic residue, then____ – Jyrki Lahtonen Nov 09 '20 at 10:32
  • 2
    @JyrkiLahtonen Very good point, so I had two oversights in one comment. However, can't you first spin through $\{1,2,\cdots,(p-1)\},$ eliminating all of the quadratic residues and then selecting the smallest remaining number as a base? – user2661923 Nov 09 '20 at 10:40
  • 1
    I have mentioned the method with the quadratic non-residue in a question that is almost a duplicate to this. – Peter Nov 09 '20 at 10:42
  • But maybe, this question has been deleted in the meantime. – Peter Nov 09 '20 at 10:43
  • 1
    @user2661923 In theory, yes. However, when $p\approx 10^{300}$ it will not be very efficient! It is computationally more efficient to try a random $a$ and raise it to power $(p-1)/4$. If you get $\pm1$ you try another $a$. If you get something else, you are done. With 50% success rate with a random $a$, you will get lucky soon enough! – Jyrki Lahtonen Nov 09 '20 at 10:44
  • Why should this not be efficient? Even for $300$-digit primes, the solution can be found in less than a second, assuming that the base is a non-residue. And we have a $50/50$ chance. – Peter Nov 09 '20 at 10:46
  • 2
    @Peter Agreed. I got the impression that user2661923 wanted to first list all the quadratic residues :-) – Jyrki Lahtonen Nov 09 '20 at 10:48
  • 1
    @JyrkiLahtonen Yes, that is exactly what I was thinking - first list and then eliminate all of the quadratic residues. Also, I definitely agree that your approach is better. This is my 3rd oversight. – user2661923 Nov 09 '20 at 10:56
  • @Peter Actually, although the approach that you and Jyrki Lahtonen are advocating might actually be best, that is unclear. It may be possible to hybrid an approach. Suppose, for example, that you spun through $x\%$ of the numbers in $\{1,2,\cdots, p-1\}$ eliminating $(1.5) \times x\%$ of the quadratic residues. Then each random choice that you made would have a $\frac{(1/2)}{1 - [(1.5) \times x\% ]}$ chance of not being a quadratic residue. The (1.5) factor reflects that for $a^n~ : n$ odd, both the residue $r$ and $p-r$ are eliminated. – user2661923 Nov 09 '20 at 11:10
  • 1
    @user2661923 You should also consider that finding a non-residue is much faster than calculating the solution. Determining $(\frac{a}{p})$ , if we KNOW that $p$ is prime, is almost immediate. – Peter Nov 09 '20 at 11:13
  • @Peter Very interesting, let me see if I have this right. Option A is to compute $k\approx (p/10)$ and do $k$ computations of $a^1, a^2, \cdots, a^k.$ Option $b$ is to start with the base $a$, then change the base to $a^2$, then to $a^4$, and so on. Then you end up doing $\approx \frac{\log p}{\log 2}$ calculations, which is far fewer than $(p/10).$ Is this what you are thinking? – user2661923 Nov 09 '20 at 11:25
  • What you mention here is just the method to calculate the solutions (with which we can calculate $a^m \bmod n$ efficiently). The point is that we have to apply such a calculation only once since we first search a non-residue and then apply the calculation after which we are done. – Peter Nov 09 '20 at 11:29
  • @Jyrki primitive root not necessary. Quadratic nonresidue suffices, and those are quick to find. Short 1990 article by Stan Wagon – Will Jagy Nov 09 '20 at 17:58

2 Answers

3

This uses Euler's Criterion

It is not necessary to find a primitive root. First we find a quadratic nonresidue $\pmod p.$ That is, an $a$ such that Legendre symbol $$ ( a,p) = -1 $$ Stan Wagon points out that the search for a nonresidue is quick. This is in a column in February 1990 called The Euclidean Algorithm Strikes Again.

Then $$ a^{\frac{p-1}{2}} \equiv -1 \pmod p $$ while $\frac{p-1}{2}$ is even. Thus $$ \left( a^{\frac{p-1}{4}} \right)^2 \equiv -1 \pmod p $$

Will Jagy
  • 139,541
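
The procedure in the answer above, as an added Python example that is not part of the original answer: find a quadratic nonresidue $a$, then return $x = a^{(p-1)/4} \bmod p$. The function names `jacobi` and `sqrt_minus_one` are hypothetical; the code assumes $p$ is prime, tests candidates with the Jacobi symbol (which equals the Legendre symbol for prime moduli), and searches $a = 2, 3, \ldots$ in order instead of drawing $a$ at random so the result is reproducible.

```python
def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; the Legendre symbol when n is prime."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of 2: (2/n) = -1 iff n = 3, 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity swap
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def sqrt_minus_one(p):
    """Return (x, a): x*x = -1 (mod p), a the nonresidue used. p is assumed prime."""
    if p == 2:
        return 1, 1
    if p % 4 != 1:
        raise ValueError("no solution: p is not 1 mod 4")
    for a in range(2, p):            # about half of all a are nonresidues
        if jacobi(a, p) == -1:
            x = pow(a, (p - 1) // 4, p)   # square-and-multiply
            if x * x % p != p - 1:        # Euler's criterion failed
                raise ValueError("p is not prime")
            return x, a
    raise ValueError("no nonresidue found: p is not prime")


# Constructed inputs: the Curve25519 field prime (1 mod 4) and the
# NIST P-256 field prime (3 mod 4, so -1 has no square root there).
P25519 = 2**255 - 19
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1

if __name__ == "__main__":
    x, a = sqrt_minus_one(P25519)
    print(f"a = {a}, x = {x:#x}")
```

The second solution is always $p - x$. For $p = 2^{255} - 19$ the search stops at $a = 2$ because $p \equiv 5 \pmod 8$.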
0

Unless you are enquiring on “how to compute” the primitive roots $\mod p$ themselves (or perhaps I’m misunderstanding your question?), then this is actually straightforward because once you already have a primitive root, say $r$ , modulo $p\equiv 1\pmod 4$, then we have $$(r^{(p-1)/4})^2\equiv-1\pmod p\,.$$ That is, $x= r^{(p-1)/4}$ is such a solution.

Added Later

In addition to VIVID’s comment below on finding a primitive root, it is perhaps worth remarking that there is no general formula for finding them; in general, for sufficiently large $p$, combing through $\{1,2,\ldots,\lfloor\sqrt{p}\rfloor\}$ is enough to find the least primitive root modulo $p$ (indeed, McGown and Trudgian (2020) have recently claimed that $p\ge 10^{56}$ suffices). It is also perhaps worth mentioning that you may also obtain a solution to your problem in $\{1,2,\ldots,p-1\}$ as $$x_0=r^{(p-1)/4}-\lfloor p^{-1}r^{(p-1)/4}\rfloor p\,.$$

  • Support: In case one needs a way how to find the primitive root, take a look at https://math.stackexchange.com/questions/124408/finding-a-primitive-root-of-a-prime-number – VIVID Nov 09 '20 at 10:29
  • @VIVID I am very glad that you posted this comment. It saves me the trouble of having to post a separate query. In the linked article, the first comment (by Arturo Magidin) was upvoted to +14, which (meta-cheating) indicates to me that (while I am totally ignorant here) others feel that he hit the nail on the head. However his approach, which focuses (for example) on $p=761,$ seems to require that the prime factorization of $(p-1 = 760)$ first be computed. My understanding (which could easily be wrong here) is that (for example) when $p \approx 10^{(300)}$, this is difficult. – user2661923 Nov 09 '20 at 18:35
  • @user2661923 And the comment you mentioned does also say that it is a difficult (effort-consuming) task, in general, to find a primitive root. – VIVID Nov 09 '20 at 18:59
  • no need for a primitive root, just a nonresidue – Will Jagy Nov 09 '20 at 19:08