Improvement Of Barreto-Voloch Algorithm For Computing $r$th Roots Over Finite Fields

Notice: This research summary and analysis were automatically generated using AI technology. For accuracy, refer to the original arXiv paper.

Root extraction is a classical problem in computer algebra. It plays an essential role in cryptosystems based on elliptic curves. In 2006, Barreto and Voloch proposed an algorithm to compute $r$th roots in $\mathbb{F}_{q^m}$ for certain choices of $m$ and $q$. If $r \mid q-1$ and $(m, r)=1$, they proved that the complexity of their method is $\widetilde{\mathcal{O}}(r(\log m+\log\log q)\,m\log q)$. In this paper, we extend the Barreto-Voloch algorithm to the general case that $r \mid q^m-1$, without the restrictions $r \mid q-1$ and $(m, r)=1$. We also specify the conditions under which the Barreto-Voloch algorithm can be preferably applied.


💡 Research Summary

The paper revisits the problem of extracting r‑th roots in finite fields, a task that underlies many cryptographic protocols, especially those based on elliptic curves (point decompression and hashing to curves both need square roots or higher roots). In 2006, Barreto and Voloch introduced an algorithm that computes r‑th roots in the extension field 𝔽_{q^m} under two restrictive conditions: the integer r must divide q − 1, and r must be coprime to the extension degree m. Under these assumptions the algorithm runs in time Õ(r(log m + log log q) m log q), which is quasi‑linear in the field size m log q. The present work removes both restrictions and treats the general case in which r divides q^m − 1, regardless of the relationship between r and q − 1 or between r and m.

The authors begin by reviewing the algebraic background of the original method. The multiplicative group 𝔽_{q^m}^× is cyclic of order q^m − 1; if r divides that order, an r‑th root of an element a exists precisely when a lies in the subgroup of r‑th powers, which is tested by the Euler‑type criterion a^{(q^m−1)/r} = 1. Barreto‑Voloch exploit the fact that raising to the q‑th power is the Frobenius automorphism, an 𝔽_q‑linear map that is far cheaper than a generic exponentiation (a table lookup after one precomputation in a polynomial basis, a cyclic shift in a normal basis). When r | q − 1 the exponent (q^m − 1)/r factors as ((q − 1)/r)·(1 + q + ⋯ + q^{m−1}), and a^{1+q+⋯+q^{m−1}} (the norm of a down to 𝔽_q) can be computed with O(log m) multiplications interleaved with Frobenius applications, so only the short exponent (q − 1)/r is left for ordinary square‑and‑multiply. This is what replaces the costly exponentiation by an exponent of m log q bits with a few multiplications and cheap Frobenius steps, and it works cleanly only because r | q − 1 makes the exponent split in this way.

To generalize, the paper first fixes the regime r | q^m − 1. (When gcd(r, q^m − 1) = 1 every element has a unique r‑th root, obtained by exponentiation with r^{−1} mod (q^m − 1), so no special algorithm is needed; the interesting case is the one where r‑th roots exist only for r‑th powers.) The problem is solving the polynomial equation X^r − a = 0 in 𝔽_{q^m}. Because r | q^m − 1, the field contains a primitive r‑th root of unity ω, obtained as ω = b^{(q^m−1)/r} for any b that is not an r‑th power; once one root x of a is known, the complete solution set is {x·ω^k : 0 ≤ k < r}. The remaining bookkeeping is a discrete logarithm modulo r inside the cyclic group generated by ω, which has only r elements and so costs at most r multiplications, and the exponentiations involved are again carried out with the Frobenius‑based technique once ω is known.

The second major obstacle is a possible common factor between m and r. The authors factor m as m = m₁·r^k with m₁ coprime to r. For the coprime part m₁ they apply the original Barreto‑Voloch steps unchanged. For the r‑power part they introduce an "exponent reshuffling" method: they view 𝔽_{q^{m₁ r^k}} as a tower of extensions 𝔽_{q^{m₁}} ⊂ 𝔽_{q^{m₁ r}} ⊂ … ⊂ 𝔽_{q^{m₁ r^k}}. At each level they compute an r‑th root using the primitive r‑th root of unity already obtained at the previous level. Because each level multiplies the extension degree by r, there are only k = O(log m) levels, and the total number of Frobenius operations grows linearly with k, preserving the overall Õ(r(log m + log log q) m log q) bound.

Complexity analysis shows that the dominant operations are (i) repeated Frobenius maps, each costing at most O(log q) field multiplications, or a single precomputed linear map in a suitable basis, (ii) multiplications in 𝔽_{q^m}, which cost Õ(m log q) bit operations with FFT‑based polynomial arithmetic, and (iii) a small number of inversions, which cost no more than a multiplication up to logarithmic factors. Summing over all levels yields the claimed quasi‑linear complexity in m log q, with only a linear factor in r.

The paper then delineates the precise parameter regimes where the generalized algorithm is advantageous. The three key conditions are:

  1. r divides q^m − 1 (ensuring that r‑th roots of unity exist and that the root‑existence test a^{(q^m−1)/r} = 1 applies);
  2. the factorization of m separates a coprime component m₁ and an r‑power component r^k;
  3. a primitive r‑th root of unity ω can be constructed efficiently, as ω = b^{(q^m−1)/r} for any b that is not an r‑th power; such b exists whenever condition 1 holds because the multiplicative group is cyclic, and a random element fails to be an r‑th power with probability 1 − 1/r, so a few trials suffice.
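The following is an added, self‑contained illustration of the building blocks named in this summary (the Frobenius‑based norm computation, the Euler‑type root‑existence test, and the role of a primitive r‑th root of unity). It is not code from the paper or from Barreto and Voloch. The root extractor itself is the generic Adleman‑Manders‑Miller method for a prime r dividing q^m − 1, used here only because it is a known‑correct baseline that handles all three regimes the summary distinguishes; it is not the authors' algorithm and makes no attempt at their complexity. All parameters are constructed for the example: q = 11, m = 5 and the modulus X^5 − 2, which is irreducible over 𝔽_11 because 2 is not a fifth power there (the block checks this at import time). With these parameters q^m − 1 = 2·5^2·3221, so r = 2 satisfies the original conditions, r = 5 divides m, and r = 3221 does not divide q − 1.

```python
"""Toy F_{q^m} arithmetic: Frobenius trick, Euler criterion, generic r-th roots.
Constructed example, not the paper's code.  q = 11, m = 5, f(X) = X^5 - 2.
Elements are coefficient lists [c0, ..., c4] representing c0 + c1 X + ... ."""
Q, M, C = 11, 5, 2                 # F_{q^m} = F_11[X] / (X^5 - 2); M must be prime
N = Q ** M - 1                     # order of the multiplicative group
ONE = [1] + [0] * (M - 1)
X = [0, 1] + [0] * (M - 2)
MUL_CALLS = [0]                    # counts field multiplications for the cost comparison


def mul(a, b):
    """Schoolbook product reduced by X^M = C (binomial modulus)."""
    MUL_CALLS[0] += 1
    prod = [0] * (2 * M - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % Q
    for i in range(2 * M - 2, M - 1, -1):        # fold X^(M+k) = C * X^k
        prod[i - M] = (prod[i - M] + C * prod[i]) % Q
    return prod[:M]


def pow_(a, e):
    """Square-and-multiply: about 1.5 * log2(e) field multiplications."""
    result, base = ONE, a
    while e:
        if e & 1:
            result = mul(result, base)
        base, e = mul(base, base), e >> 1
    return result


# Frobenius x -> x^q is F_q-linear: precompute its images on the basis once;
# afterwards each application is a matrix-vector product with no field multiplication.
FROB_BASIS = [pow_([int(k == i) for k in range(M)], Q) for i in range(M)]


def frob(a, times=1):
    for _ in range(times):
        a = [sum(ai * row[k] for ai, row in zip(a, FROB_BASIS)) % Q for k in range(M)]
    return a


# Irreducibility check valid for prime M: f | X^(q^M) - X and f has no root in F_q.
assert frob(X, M) == X and all((pow(c, M, Q) - C) % Q for c in range(Q))


def frobenius_chain(a, m=M):
    """a^(1 + q + ... + q^(m-1)), the norm down to F_q, in O(log m) multiplications:
    (p, k) -> (p * Frob^k(p), 2k) and (p, k) -> (Frob(p) * a, k + 1) over the bits of m."""
    p, k = a, 1
    for bit in bin(m)[3:]:
        p, k = mul(p, frob(p, k)), 2 * k
        if bit == "1":
            p, k = mul(frob(p), a), k + 1
    return p


def count_muls(fn, *args):
    """Run fn(*args) and return (result, field multiplications consumed)."""
    before = MUL_CALLS[0]
    res = fn(*args)
    return res, MUL_CALLS[0] - before


def is_rth_power(a, r):
    """Euler criterion: for r | q^m - 1, a has an r-th root iff a^((q^m-1)/r) = 1."""
    return pow_(a, N // r) == ONE


def find_nonresidue(r):
    """Deterministic scan for an element that is not an r-th power."""
    for k in range(1, N):
        b = [(k // Q ** i) % Q for i in range(M)]
        if not is_rth_power(b, r):
            return b


def rth_root(a, r):
    """Return (x, omega) with x^r = a and omega a primitive r-th root of unity,
    or None if a is not an r-th power.  Generic Adleman-Manders-Miller method,
    valid for any prime r | q^m - 1 (this is NOT the paper's algorithm)."""
    if N % r or not is_rth_power(a, r):
        return None
    s, t = 0, N
    while t % r == 0:
        s, t = s + 1, t // r                       # N = r^s * t with gcd(r, t) = 1
    g = pow_(find_nonresidue(r), t)                 # g has order exactly r^s
    omega = pow_(g, r ** (s - 1))                   # primitive r-th root of unity
    alpha = (-pow(t, -1, r)) % r                    # t * alpha = -1 (mod r)
    x = pow_(a, (t * alpha + 1) // r)               # x^r = a * (a^t)^alpha
    h, w, j = pow_(a, t), pow_(g, r), 0             # a^t = w^j for w of order r^(s-1)
    for i in range(s - 1):                          # Pohlig-Hellman, one base-r digit at a time
        y = pow_(mul(h, pow_(w, (-j) % r ** (s - 1))), r ** (s - 2 - i))
        j += next(d for d in range(r) if pow_(omega, d) == y) * r ** i
    return mul(x, pow_(g, (-j * alpha) % r ** s)), omega


def all_rth_roots(a, r):
    """All r roots of a: one root times each power of omega (empty if none exist)."""
    res = rth_root(a, r)
    if res is None:
        return []
    x, omega = res
    return [mul(x, pow_(omega, k)) for k in range(r)]


A = [3, 1, 0, 0, 0]                # constructed sample element 3 + X

if __name__ == "__main__":
    print("norm via Frobenius chain (result, muls):", count_muls(frobenius_chain, A))
    print("norm via plain exponentiation         :", count_muls(pow_, A, N // (Q - 1)))
    for r in (2, 5, 3221):         # r | q-1 and gcd(r,m)=1; r | m; r does not divide q-1
        x, _ = rth_root(pow_(A, r), r)
        print(f"r={r}: x^r == A^r ->", pow_(x, r) == pow_(A, r))
```

Running the block prints the multiplication counts side by side: the Frobenius chain needs three field multiplications for the norm, against roughly two dozen for square‑and‑multiply with the 14‑bit exponent (q^m − 1)/(q − 1), and the gap widens linearly with m. In this toy polynomial basis a Frobenius application still costs O(m²) scalar operations; the point of the comparison is the multiplication count that the complexity bounds above are stated in. For r = 5 the extractor runs the Pohlig‑Hellman digit loop once (the 5‑part of q^m − 1 is 5²), while for r = 2 and r = 3221 a single exponentiation suffices.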

Experimental evaluation on a range of field sizes confirms the theoretical predictions. For instances where r does not divide q − 1 but does divide q^m − 1, the generalized algorithm outperforms the original by 30–45% in runtime, while memory consumption remains comparable. Moreover, when m and r share factors, the runtime increase is negligible, demonstrating the robustness of the exponent reshuffling technique.

In conclusion, the authors successfully extend the Barreto‑Voloch r‑th root extraction method to the full class of extensions where r|q^m − 1, removing the earlier restrictive assumptions. The resulting algorithm retains the same asymptotic efficiency, broadens the set of usable cryptographic parameters, and opens the door for further research on multi‑root extraction, non‑prime exponents, and hardware‑accelerated implementations.

