Root extraction is a classical problem in computer algebra. It plays an essential role in cryptosystems based on elliptic curves. In 2006, Barreto and Voloch proposed an algorithm to compute $r$th roots in $\mathbb{F}_{q^m}$ for certain choices of $m$ and $q$. If $r\,\|\,q-1$ and $(m, r)=1$, they proved that the complexity of their method is $\widetilde{\mathcal {O}}(r(\log m+\log\log q)\,m\log q)$. In this paper, we extend the Barreto-Voloch algorithm to the general case that $r\,\|\,q^m-1$, without the restrictions $r\,\|\,q-1$ and $(m, r)=1$. We also specify the conditions under which the Barreto-Voloch algorithm is preferable.
Consider the problem of finding a solution to $X^r = \delta$ in $\mathbb{F}_{q^m}$, where $q = p^d$ for some prime $p$ and some integer $d > 0$. Clearly, it suffices to consider the following two cases:
(1) $(r, q^m - 1) = 1$,
(2) $r \mid q^m - 1$.
Root extraction is a classical problem in computational algebra and number theory. It plays an essential role in cryptosystems based on elliptic curves. The typical applications of root extraction are point compression in elliptic curves and operation of hashing onto elliptic curves [3,4,9].
Adleman, Manders and Miller [1] proposed a method to solve the problem, which extends the Tonelli-Shanks [7,10] square root algorithm. The basic idea of Adleman-Manders-Miller $r$th root extraction in $\mathbb{F}_q$ can be described as follows. If $r \mid q-1$, we write $q-1$ in the form $r^t \cdot s$, where $(s, r) = 1$. Given an $r$th residue $\delta$, we have $(\delta^s)^{r^{t-1}} = 1$. Since $(s, r) = 1$, it is easy to find the least nonnegative integer $\alpha$ such that $s \mid r\alpha - 1$. Hence $\delta^{(r\alpha-1)\, r^{t-1}} = 1$. If $t-1 = 0$, then $\delta^\alpha$ is an $r$th root of $\delta$. From now on, we assume that $t \ge 2$. Given an $r$th non-residue $\rho \in \mathbb{F}_q$, we have
It is easy to see that all $K_i$ satisfy $X^r = 1$.
Since $\delta^{(r\alpha-1)\, r^{t-2} \cdot r} = 1$, there is a unique
Likewise, there is a unique
Consequently, we obtain $j_1, \dots, j_{t-1}$ such that
Thus, we have
The complexity of the Adleman-Manders-Miller $r$th root extraction algorithm is $O(\log^4 q + r\log^3 q)$. Notice that, because of the term linear in $r$, the algorithm cannot run in time polynomial in $\log q$ if $r$ is sufficiently large.
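The sketch above, carried out over a prime field, as an added worked example (this code is not from the paper; the function name amm_root and the digit-by-digit recovery of the exponent are our own choices). It follows the steps in the text: write $p-1 = r^t s$, compute $\alpha$ with $s \mid r\alpha-1$, and when $t \ge 2$ use an $r$th non-residue $\rho$ to express $\delta^{r\alpha-1}$ as a power of $\rho^{rs}$. The $O(r)$ table of $r$th roots of unity is exactly the part that makes the method impractical for large $r$.

```python
# Added example (not from the paper): Adleman-Manders-Miller r-th root extraction
# in a prime field F_p, following the sketch above (p - 1 = r^t * s, gcd(s, r) = 1).
# Needs Python 3.8+ for pow(x, -1, n) modular inverses.

def amm_root(delta, r, p):
    """Return an x with x^r = delta (mod p), or None if delta is not an r-th residue.
    Requires p prime and r | p - 1."""
    assert (p - 1) % r == 0
    delta %= p
    if delta == 0:
        return 0
    if pow(delta, (p - 1) // r, p) != 1:       # Euler-type criterion: not an r-th residue
        return None
    # Write p - 1 = r^t * s with gcd(s, r) = 1.
    t, s = 0, p - 1
    while s % r == 0:
        t += 1
        s //= r
    # Least alpha >= 0 with s | r*alpha - 1, i.e. alpha = r^{-1} mod s (alpha = 0 if s = 1).
    alpha = pow(r, -1, s) if s > 1 else 0
    x = pow(delta, alpha, p)                   # candidate: x^r = delta * delta^{r*alpha - 1}
    if t == 1:
        return x                               # delta^{r*alpha - 1} = 1, so x is already a root
    # c = delta^{r*alpha - 1} lies in the subgroup of order r^{t-1}; we look for c = h^j.
    c = pow(delta, r * alpha - 1, p)
    rho = 2
    while pow(rho, (p - 1) // r, p) == 1:      # find an r-th non-residue
        rho += 1
    g = pow(rho, s, p)                         # order exactly r^t
    h = pow(g, r, p)                           # order r^{t-1}
    K = pow(g, r ** (t - 1), p)                # order r: generates the r-th roots of unity
    dlog = {pow(K, i, p): i for i in range(r)} # O(r) table: the costly part for large r
    j = 0
    for i in range(t - 1):                     # recover j digit by digit in base r
        z = c * pow(h, -j, p) % p              # z^(r^(t-1-i)) = 1 by construction
        d = dlog[pow(z, r ** (t - 2 - i), p)]  # z^(r^(t-2-i)) is an r-th root of unity
        j += d * r ** i
    # Now c = h^j, hence (x * g^{-j})^r = delta * c * h^{-j} = delta.
    return x * pow(g, -j, p) % p
```

For $p = 19$, $r = 3$ we have $18 = 3^2 \cdot 2$, so $t = 2$ and one digit of $j$ has to be recovered; amm_root(7, 3, 19) returns 4, and indeed $4^3 = 64 \equiv 7 \pmod{19}$.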
In 2006, Barreto and Voloch [2] proposed an algorithm to compute $r$th roots in $\mathbb{F}_{q^m}$ for certain choices of $m$ and $q$. If $r \,\|\, q-1$ and $(m, r) = 1$, where the notation $a^b \,\|\, c$ means that $a^b$ is the highest power of $a$ dividing $c$, they proved that the complexity of their method is $O(r(\log m + \log\log q)\, m \log q)$.
Our contributions. We extend the Barreto-Voloch root extraction method to the general case that $r \,\|\, q^m - 1$, without the restrictions $r \,\|\, q-1$ and $(m, r) = 1$. We also specify the conditions under which the Barreto-Voloch algorithm is preferable.
The Barreto-Voloch method takes advantage of the periodic structure of $v$ written in base $q$ to compute $r$th roots in $\mathbb{F}_{q^m}$, where $v = r^{-1} \pmod{q^m - 1}$ if $(r, q^m - 1) = 1$. This advantage rests on the following fact [2]: Fact 1. Let $\mathbb{F}_{q^m}$ be a finite field of characteristic $p$ and let $s$ be a power of $p$. Define the map
We can compute $\varphi_n(y)$ with $O(\log n)$ multiplications and raisings to powers of $p$.
Notice that raising to a power of $p$ has negligible cost if we use a normal basis for $\mathbb{F}_{q^m}/\mathbb{F}_q$. Since only $O(\log n)$ multiplications and raisings to powers of $p$ are required to compute $y^{1+s+\cdots+s^n}$, where $p$ is the characteristic of $\mathbb{F}_{q^m}$ and $s$ is a power of $p$, their method becomes more efficient for certain choices of $m$ and $q$. They obtained the following results [2].
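An added example of Fact 1 (not from the paper or from Barreto and Voloch's code): computing $y^{1+s+\cdots+s^n}$ in $\mathbb{F}_{2^7}$ with $s = 2$ using $O(\log n)$ field multiplications, where every raising to a power of $p$ is done by the Frobenius map. The field representation (the polynomial $x^7 + x + 1$, integer encoding of elements) and the names gf_mul, frob, phi_n are our own choices. The recursion uses $S(2N) = S(N)\,(1 + s^{N})$ and $S(N+1) = 1 + s\,S(N)$ for $S(N) = 1 + s + \cdots + s^{N-1}$, so the number of multiplications is at most $2\lceil\log_2 N\rceil$; the Frobenius steps (squarings here, cyclic shifts in a normal basis) are not counted, matching the cost model above.

```python
# Added example (not from the paper): phi_n(y) = y^(1 + s + ... + s^n) with O(log n)
# multiplications plus Frobenius maps, in the small binary field
# F_{2^7} = F_2[x]/(x^7 + x + 1). Elements are 7-bit ints; s = 2 is a power of p = 2.
M = 7
POLY = (1 << 7) | (1 << 1) | 1   # x^7 + x + 1, irreducible over F_2

def gf_mul(a, b):
    """Carry-less multiply modulo x^7 + x + 1."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return res

def gf_pow(y, e):
    """Plain square-and-multiply; used only as the reference to compare against."""
    res, base = 1, y
    while e:
        if e & 1:
            res = gf_mul(res, base)
        base = gf_mul(base, base)
        e >>= 1
    return res

def frob(y, j):
    """y -> y^(2^j). The Frobenius has order M on this field, so j is reduced mod M.
    With a normal basis this would be a cyclic shift; here it is j squarings."""
    for _ in range(j % M):
        y = gf_mul(y, y)
    return y

def phi_terms(y, N, count):
    """y^(1 + s + ... + s^(N-1)) with s = 2; count[0] records the non-Frobenius
    multiplications, which is the quantity Fact 1 bounds by O(log N)."""
    if N == 1:
        return y
    if N % 2 == 0:
        half = phi_terms(y, N // 2, count)       # S(N) = S(N/2) * (1 + s^(N/2))
        count[0] += 1
        return gf_mul(half, frob(half, N // 2))
    prev = phi_terms(y, N - 1, count)            # S(N) = 1 + s * S(N-1)
    count[0] += 1
    return gf_mul(y, frob(prev, 1))

def phi_n(y, n):
    """Return (phi_n(y), number of multiplications used)."""
    count = [0]
    return phi_terms(y, n + 1, count), count[0]
```

Since $1 + 2 + \cdots + 2^n = 2^{n+1} - 1$, the result can be checked against gf_pow(y, 2**(n+1) - 1), which needs about $n$ multiplications instead of $O(\log n)$.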
Lemma 1. Given $q$ and $r$ with $(q(q-1), r) = 1$, let $k > 1$ be the order of $q$ modulo $r$. For any $m > 0$ with $(m, k) = 1$, let $u$, $1 \le u < r$, satisfy $u(q^m - 1) \equiv -1 \pmod r$ and let $v = \lfloor q^m u / r \rfloor$. Then $rv \equiv 1 \pmod{q^m - 1}$. In addition, $v = a + b\sum_{j=0}^{n-1} q^{jk}$ with $a, b < q^{2k}$ and $n = \lfloor m/k \rfloor$.
Theorem 1. Let $q$ be a prime power, let $r > 1$ be such that $(q(q-1), r) = 1$ and let $k > 1$ be the order of $q$ modulo $r$. For any $m > 0$ with $(m, k) = 1$, the complexity of taking $r$th roots in
Lemma 2. Given $q$ and $r$ with $r \mid (q-1)$ and $((q-1)/r, r) = 1$, for any $m > 0$ with $(m, r) = 1$, let $u$, $1 \le u < r$, satisfy $u(q^m - 1)/r \equiv -1 \pmod r$ and let $v = \lceil q^m u / r \rceil$. Then $rv \equiv 1 \pmod{(q^m - 1)/r^2}$. In addition, $v = a + b\sum_{j=0}^{n-1} q^{jr}$ with $a, b < q^{2r}$ and $n = \lfloor m/r \rfloor$.
Theorem 2. Let $q$ be a prime power and let $r > 1$ be such that $r \mid (q-1)$ and $((q-1)/r, r) = 1$. For any $m > 0$ with $(m, r) = 1$, given $x \in \mathbb{F}_{q^m}$ one can compute the $r$th root of $x$ in $\mathbb{F}_{q^m}$, or show that it does not exist, in $O(r(\log m + \log\log q)\, m \log q)$ steps.
3 Analysis of Barreto-Voloch method
Theorem 1 requires that $(q(q-1), r) = 1$ and $(m, k) = 1$, where $k > 1$ is the order of $q$ modulo $r$. These conditions imply $(q^m - 1, r) = 1$, but they are not necessary in the general case. Likewise, Theorem 2 requires that $r \,\|\, q-1$ and $(m, r) = 1$; these imply $r \,\|\, q^m - 1$, but again they are not necessary. We will remove these restrictions and investigate the following cases:
(1) $(r, p^m - 1) = 1$;
(2)
where $p$ is a prime. As for the general case $p^m - 1 = r^\alpha s$ with $\alpha \ge 2$ and $(r, s) = 1$, we refer to [1].
As we mentioned before, the Barreto-Voloch method takes advantage of the periodic structure of $v$ written in base $q$. Precisely, in Lemma 1
where $k > 1$ is the order of $q$ modulo $r$. From the expression, we see that it requires $n = \lfloor m/k \rfloor \ge 1$. It is easy to see that the advantage of the Barreto-Voloch method, which comes from the periodic expansion in base $q$, requires $m$ to be much greater than $k$. That is, the length $n$ of the periodic expansion should be as large as possible.
Since raising to a power of $p$ is a linear bijection in characteristic $p$, the complexity of such an operation is no larger than that of a multiplication, namely $O(m \log p)$ using FFT techniques [5,6,8]. In light of $q = p^d$ for some prime