Cube roots modulo $p$

Question

Let $a$ be a positive integer.

Is there any general method of solving equations of the form

$$x^3\equiv a$$

modulo $p$, where $p$ is a prime number?

Here are two examples:

Example 1: In $\mathbb{Z}_{13}^*$ (using multiplication as our binary operation) we have that $x^3=7$ has no solutions, since $(x^3)^4=7^4$ is equivalent to $x^{12}=1=7^4$; by Fermat's little theorem $x^{12}=x^{13-1}=1$ modulo $13$, but $1\neq 7^4$ in $\mathbb{Z}_{13}^*$.

Example 2: In $\mathbb{Z}_{19}^*$ we have, by trial and error, that $4$, $6$ and $9$ solves the equation $x^3=7$.

Is there any general way of solving such equations? For example: how would I solve the same problem, $x^3\equiv 7$, but modulo $p=41$?

For small values of $p$, like 41, just try all the possible answers. For large values of $p$, I'm afraid nothing all that much better is known. — Gerry Myerson, Feb 12 '14 at 06:17
I found this article http://ac.els-cdn.com/S0893965902000319/1-s2.0-S0893965902000319-main.pdf?_tid=8d19b00a-93ad-11e3-aa35-00000aacb362&acdnat=1392186115_d81d738d8e82c8ac7b9470e23e75ee13 . — Moses, Feb 12 '14 at 06:20
@GerryMyerson I don't quite follow your comment. Especially in the easiest case $p \equiv 2 \pmod 3$. — Erick Wong, Feb 12 '14 at 06:31
Did you find an answer that was worth marking as the answer? — Eric Towers, Feb 21 '14 at 03:33

Will Jagy · Accepted Answer · 2014-02-12T21:00:16.537

http://en.wikipedia.org/wiki/Cantor%E2%80%93Zassenhaus_algorithm with $x^3-a.........................$

Notice that there is one cube root when $p \equiv 2 \pmod 3,$ and either three cube roots or none when $p \equiv 1 \pmod 3.$ For example, $2$ has three cube roots $\pmod p$ when $p = u^2 + 27 v^2$ in integers, otherwise none (for $p \equiv 1 \pmod 3,$ in which case $p = 4 u^2 + 2 u v + 7 v^2$), and $3$ has three cube roots when $p = x^2 + xy + 61 y^2$ in integers, otherwise none when $p = 7 x^2 + 3 x y + 9 y^2.$

So, the first few primes $1 \pmod 3$ for which we can solve $x^3 \equiv 2 \pmod p $ are $$ 31, 43, 109, 127, 157, 223, 229, 277, 283, 307, 397, 433, 439, 457, 499, 601, 643, 691, 727, 733, 739, 811, 919, 997, $$ In these cases there will be three cube roots; for example, the cube roots of $2 \pmod {31}$ are $4,7,20. $

The first few primes $1 \pmod 3$ for which we can solve $x^3 \equiv 3 \pmod p $ are $$ 61, 67, 73, 103, 151, 193, 271, 307, 367, 439, 499, 523, 547, 577, 613, 619, 643, 661, 727, 757, 787, 853, 919, 967, 991, 997, $$ In these cases there will be three cube roots; for example, the cube roots of $3 \pmod {61}$ are $4,5,52. $

The first result is due to Gauss, the second to Jacobi. All necessary information is in the chapter on cubic and biquadratic reciprocity in Ireland and Rosen, but no information about algorithms for finding cube roots of general numbers mod general primes. So these were just illustrations. The Gauss result is Proposition 9.6.2 on page 119. The Jacobi result, in slightly different appearance, is Exercise 23 on page 135. I remain a little unclear what your cryptography class is expecting of you; there are algorithms for doing this, well publicized, but they were fairly difficult to invent in the first place. Certainly i have no idea what your background might be, especially what has been covered so far in your course.

You state facts. It would help me if you could illustrate or prove these fasts. — Moses, Feb 12 '14 at 09:19

score 6 · Answer 2 · answered Feb 12 '14 at 06:30

6

See this article, http://eprint.iacr.org/2013/024.pdf , for an extension of Tonelli-Shanks to the discrete cube root problem. It claims a running time proportional to that of exponentiation in $\mathbf{F}_p$.

answered Feb 12 '14 at 06:30

Eric Towers

67,037

Pierre · Answer 3 · 2022-01-05T01:06:10.183

Very complex responses (in an old post) .... If you are familiar with RSA public key cryptosystem

$m^e\equiv c (\bmod n)$ encryption

$c^d\equiv m (\bmod n)$ decryption

$e\cdot d \equiv 1 (\bmod ~\varphi(n))$

look at what happens when you set $e = 3$ : the decryption equation is exactly the problem you are trying to solve when starting from the encryption operation.

you can compute d as $d \equiv {1 \over e} \bmod ~\varphi(n)$ but this is rather unusual as $~\varphi(n))$ is even and an even moduli require a little bit more of cautious operation. Could use Hensel lifting and CRT in the general case. To make it simple, from this variant of Bezout formula,

$e({1 \over e} \bmod ~\varphi(n)) + ~\varphi(n)( {1 \over {\varphi(n)}} \bmod e)$ = $1 + e ~\varphi(n)$

let $b = {1 \over \varphi(n)} \bmod e$

this can be rewritten as

$d = {1 \over e} \bmod ~\varphi(n) = {1 + \varphi(n)(e - b) \over e}$

This is a general solution which works for any modulus n and exponent e as long as $gcd(e, ~\varphi(n)) \equiv 1$

To answer your question $\bmod n=41$

step 1 : solve $b = {1 \over 40} \bmod 3$ using the binary extended euclidean algorithm

i.e. b = 1

step 2 : compute $d = {1 \over 3} \bmod 40$ as $(1 + 40(3 - b))/3$

i.e. d = 81/3 = 27

finally $a\equiv x^3 (\bmod 41)$ is equivalent to $x\equiv a^{27} (\bmod 41)$

CQFD

Note that this is consistent with an earlier response which mention that there is only one single cube root when $n \equiv 2(\bmod 3)$

When the modulus is not a prime (a requirement for RSA cryptosystem strength, but not for a cubic root), you can extend this calculation to the case of RSA when n has two and more known factors (aka RSA multiprime and its abundant literature).

Cube roots modulo $p$

3 Answers3

Linked