We present a new algorithm for computing $m$-th roots over the finite field $\F_q$, where $q = p^n$, with $p$ a prime, and $m$ any positive integer. In the particular case $m=2$, the cost of the new algorithm is an expected $O(\M(n)\log (p) + \CC(n)\log(n))$ operations in $\F_p$, where $\M(n)$ and $\CC(n)$ are bounds for the cost of polynomial multiplication and modular polynomial composition. Known results give $\M(n) = O(n\log (n) \log\log (n))$ and $\CC(n) = O(n^{1.67})$, so our algorithm is subquadratic in $n$.
Beside its intrinsic interest, computing m-th roots over finite fields (for m an integer at least equal to 2) has found many applications in computer science. Our own interest comes from elliptic and hyperelliptic curve cryptography; there, square root computations show up in pairing-based cryptography [3] or point-counting problems [8].
Our result in this paper is a new algorithm for computing m-th roots in a degree n extension F q of the prime field F p , with p a prime. Our emphasis is on the case where p is thought to be small, and the degree n grows. Roughly speaking, we reduce the problem to m-th root extraction in a lower degree extension of F p (when m = 2, we actually reduce the problem to square root extraction over F p itself).
Our complexity model. It is possible to describe the algorithm in an abstract manner, independently of the choice of a basis of F q over F p . However, to give concrete complexity estimates, we have to decide which representation we use, the most usual choices being monomial and normal bases. We choose to use a monomial basis, since in particular our implementation is based on the library NTL [20], which uses this representation. Thus, the finite field F q = F p n is represented as F p [X]/ f , for some monic irreducible polynomial f ∈ F p [X] of degree n; elements of F q are represented as polynomials in F p [X] of degree less than n. We will briefly mention the normal basis representation later on.
The costs of all algorithms are measured in number of operations +, ×, ÷ in the base field F p (that is, we are using an algebraic complexity model).
We shall denote upper bounds for the cost of polynomial multiplication and modular composition by respectively M(n) and C(n). This means that over any field K, we can multiply polynomials of degree n in K[X] in M(n) base field operations, and that we can compute f (g) mod h in C(n) operations in K, when f, g, h are degree n polynomials. We additionally require that both M and C are super-linear functions, as in [23,Chapter 8], and that M(n) = O(C(n)). In particular, since we work in the monomial basis, multiplications and inversions in F q can be done in respectively O(M(n)) and O(M(n) log(n)) operations in F p , see again [23].
The best known bound for M(n) is O(n log(n) log log(n)), achieved by using Fast Fourier Transform [17,5]. The most well-known bound for C(n) is O(n (ω+1)/2 ), due to Brent and Kung [4], where ω is such that matrices of size n over any field K can be multiplied in O(n ω ) operations in K; this estimate assumes that ω > 2, otherwise some logarithmic terms may appear. Using the algorithm of Coppersmith and Winograd [6], we can take ω ≤ 2.37 and thus C(n) = O(n 1.69 ); an algorithm by Huang and Pan [10] actually achieves a slightly better exponent of 1.67, by means of rectangular matrix multiplication.
Main result. We will focus in this paper on the case of t-th root extraction, where t is a prime divisor of q -1; the general case of m-th root extraction, with m arbitrary, can easily be reduced to this case (see the discussion after Theorem 1).
The core of our algorithm is a reduction of t-th root extraction in F q to t-th root extraction in an extension of F p of smaller degree. Our algorithm is probabilistic of Las Vegas type, so its running time is given as an expected number of operations. With this convention, our main result is the following. Theorem 1. Let t be a prime factor of q -1, with q = p n , and let s be the order of p in Z/tZ. Given a ∈ F * q , one can decide if a is a t-th power in F * q , and if so compute one of its t-th roots, by means of the following operations:
Thus, we replace t-th root extraction in a degree n extension by a t-th root extraction in an extension of degree s ≤ min(n, t). The extension degree s is the largest one for which t still divides p s -1, so iterating the process does not bring any improvement: the t-th root extraction in F p s must be dealt with by another algorithm. The smaller s is, the better.
A useful special case is t = 2, that is, we are taking square roots; the assumption that t divides q -1 is then satisfied for all odd primes p and all n. In this case, we have s = 1, so the second step amounts to square root extraction in F p . Since this can be done in O(log(p)) expected operations in F p , the total running time of the algorithm is an expected
A previous algorithm by Kaltofen and Shoup [12] allows one to compute t-th roots in F p n in expected time O((M(t)M(n) log(p) + tC(n) + C(t)M(n)) log(n)); we discuss it further in the next section. This algorithm requires no assumption on t, so it can be used in our algorithm in the case s > 1, for t-th root extraction in F p s . Then, its expected running time is O((M(t)M(s) log(p) + tC(s) + C(t)M(s)) log(s)).
The strategy of using Theorem 1 to reduce from F q to F p s then using the Kaltofen-Shoup algorithm over F p s is never more expensive than using the Kaltofen-Shoup algorithm directly over F q
This content is AI-processed based on open access ArXiv data.
