Cipolla's algorithm explained

In computational number theory, Cipolla's algorithm is a technique for solving a congruence of the form

x^2\equivn\pmod{p},

where

x,n\inF_p

, so n is the square of x, and where

is an odd prime. Here

F_p

denotes the finite field with

elements;

\{0,1,...,p-1\}

. The algorithm is named after Michele Cipolla, an Italian mathematician who discovered it in 1907.

Apart from prime moduli, Cipolla's algorithm is also able to take square roots modulo prime powers.^[1]

Algorithm

Inputs:

, an odd prime,

n\inF_p

, which is a square.

Outputs:

x\inF_p

, satisfying

x²⁼n.

Step 1 is to find an

a\inF_p

such that

a²-n

is not a square. There is no known deterministic algorithm for finding such an

, but the following trial and error method can be used. Simply pick an

and by computing the Legendre symbol

(	a^2-n
	p)

one can see whether

satisfies the condition. The chance that a random

will satisfy is

(p-1)/2p

. With

large enough this is about

1/2

.^[2] Therefore, the expected number of trials before finding a suitable

is about 2.

Step 2 is to compute x by computing

x=\left(a+\sqrt{a^2-n}\right)^(p+1)/2

within the field extension

F
	p²

	2-n})
F
	p(\sqrt{a

. This x will be the one satisfying

x²=n.

x²=n

, then

(-x)²=n

also holds. And since p is odd,

x ≠ -x

. So whenever a solution x is found, there's always a second solution, -x.

Example

(Note: All elements before step two are considered as an element of

F₁₃

and all elements in step two are considered as elements of

F
	13²

Find all x such that

x²=10.

Before applying the algorithm, it must be checked that

is indeed a square in

F₁₃

. Therefore, the Legendre symbol

(10|13)

has to be equal to 1. This can be computed using Euler's criterion:

(10 | 13) \equiv 10^6 \equiv 1 \pmod.

This confirms 10 being a square and hence the algorithm can be applied.

Step 1: Find an a such that

a²-n

is not a square. As stated, this has to be done by trial and error. Choose

a=2

. Then

a²-n

becomes 7. The Legendre symbol

(7|13)

has to be −1. Again this can be computed using Euler's criterion:

7^6 = 343^2 \equiv 5^2 \equiv 25 \equiv -1 \pmod.

a=2

is a suitable choice for a.

Step 2: Compute

x=\left(a+\sqrt{a^2-n}\right)^(p+1)/2=\left(2+\sqrt{-6}\right)⁷

F₁₃(\sqrt{-6})

\left(2+\sqrt{-6}\right)²=4+4\sqrt{-6}-6=-2+4\sqrt{-6}

\left(2+\sqrt{-6}\right)⁴=\left(-2+4\sqrt{-6}\right)²=-1-3\sqrt{-6}

\left(2+\sqrt{-6}\right)⁶=\left(-2+4\sqrt{-6}\right)\left(-1-3\sqrt{-6}\right)=9+2\sqrt{-6}

\left(2+\sqrt{-6}\right)⁷=\left(9+2\sqrt{-6}\right)\left(2+\sqrt{-6}\right)=6

x=6

is a solution, as well as

x=-6

. Indeed,

6^2 \equiv 10 \pmod.

Proof

The first part of the proof is to verify that

F
	p²

	2-n})
F
	p(\sqrt{a

=\{x+y\sqrt{a^2-n}:x,y\inF_p\}

is indeed a field. For the sake of notation simplicity,

\omega

is defined as

\sqrt{a^2-n}

. Of course,

a^2-n

is a quadratic non-residue, so there is no square root in

F_p

. This

\omega

can roughly be seen as analogous to the complex number i.The field arithmetic is quite obvious. Addition is defined as

\left(x₁+y₁\omega\right)+\left(x₂+y₂\omega\right)=\left(x₁+x₂\right)+\left(y₁+y_2\right)\omega

.Multiplication is also defined as usual. With keeping in mind that

\omega²=a^2-n

, it becomes

\left(x₁+y₁\omega\right)\left(x₂+y₂\omega\right)=x₁x₂+x₁y₂\omega+y₁x₂\omega+y₁y₂\omega²=\left(x₁x₂+y₁y₂\left(a^{2-n\right)\right)}+\left(x₁y₂+y₁x₂\right)\omega

.Now the field properties have to be checked.The properties of closure under addition and multiplication, associativity, commutativity and distributivity are easily seen. This is because in this case the field

F
	p²

is somewhat resembles the field of complex numbers (with

\omega

being the analogon of i).
The additive identity is

, or more formally

0+0\omega

: Let

\alpha\in

F
	p²

, then

\alpha+0=(x+y\omega)+(0+0\omega)=(x+0)+(y+0)\omega=x+y\omega=\alpha

.The multiplicative identity is

, or more formally

1+0\omega

\alpha ⋅ 1=(x+y\omega)(1+0\omega)=\left(x ⋅ 1+0 ⋅ y\left(a^{2-n\right)\right)}+(x ⋅ 0+1 ⋅ y)\omega=x+y\omega=\alpha

.The only thing left for

F
	p²

being a field is the existence of additive and multiplicative inverses. It is easily seen that the additive inverse of

x+y\omega

-x-y\omega

, which is an element of

F
	p²

, because

-x,-y\inF_p

. In fact, those are the additive inverse elements of x and y. For showing that every non-zero element

\alpha

has a multiplicative inverse, write down

\alpha=x₁+y₁\omega

and

\alpha^-1=x₂+y₂\omega

. In other words,

(x₁+y₁\omega)(x₂+y₂\omega)=\left(x₁x₂+y₁y₂\left(a^{2-n\right)\right)}+\left(x₁y₂+y₁x₂\right)\omega=1

.So the two equalities

x_1x₂+y_1y

	2-n)

	2(a

and

x_1y₂+y_1x₂=0

must hold. Working out the details gives expressions for

x₂

and

y₂

, namely

x₂=

	-1
-y
	1

x_1\left(y

	-1

	1

\right)^-1

y₂=\left(y₁\left(a^2-n\right)-

	-1
x
	1

\right)^-1

.The inverse elements which are shown in the expressions of

x₂

and

y₂

do exist, because these are all elements of

F_p

. This completes the first part of the proof, showing that

F
	p²

is a field.

The second and middle part of the proof is showing that for every element

x+y\omega\in

F
	p²

:(x+y\omega)^p=x-y\omega

.By definition,

\omega^2=a^2-n

is not a square in

F_p

. Euler's criterion then says that

\omega^p-1=\left(\omega^2\right)

	p-1
	2

=-1

.Thus

\omega^p=-\omega

. This, together with Fermat's little theorem (which says that

x^p=x

for all

x\inF_p

) and the knowledge that in fields of characteristic p the equation

\left(a+b\right)^p=a^p+b^p

holds, a relationship sometimes called the Freshman's dream, shows the desired result

(x+y\omega)^p=x^p+y^p\omega^p=x-y\omega

The third and last part of the proof is to show that if

x_{0=\left(a+\omega}

	p+1
	2

\right)

\in

F
	p²

, then

	2=n
x
	0

\inF_p

.
Compute

	2
x
	0

=\left(a+\omega\right)^p+1=(a+\omega)(a+\omega)^p=(a+\omega)(a-\omega)=a²-\omega²=a²-\left(a²-n\right)=n

.Note that this computation took place in

F
	p²

, so this

x₀\in

F
	p²

. But with Lagrange's theorem, stating that a non-zero polynomial of degree n has at most n roots in any field K, and the knowledge that

x^2-n

has 2 roots in

F_p

, these roots must be all of the roots in

F
	p²

. It was just shown that

x₀

and

-x₀

are roots of

x^2-n

F
	p²

, so it must be that

x_0,-x₀\inF_p

.^[3]

Speed

After finding a suitable a, the number of operations required for the algorithm is

4m+2k-4

multiplications,

4m-2

sums, where m is the number of digits in the binary representation of p and k is the number of ones in this representation. To find a by trial and error, the expected number of computations of the Legendre symbol is 2. But one can be lucky with the first try and one may need more than 2 tries. In the field

F
	p²

, the following two equalities hold

(x+y\omega)²=\left(x²+y²\omega²\right)+\left(\left(x+y\right)^2-x^2-y^{2\right)\omega,}

where

\omega²=a^2-n

is known in advance. This computation needs 4 multiplications and 4 sums.

\left(x+y\omega\right)^2\left(a+\omega\right)=\left(ad²-b\left(x+d\right)\right)+\left(d²-by\right)\omega,

where

d=(x+ya)

and

b=ny

. This operation needs 6 multiplications and 4 sums.

Assuming that

p\equiv1\pmod4,

(in the case

p\equiv3\pmod4

, the direct computation

x\equiv\pm

	p+1
	4

is much faster) the binary expression of

(p+1)/2

has

m-1

digits, of which k are ones. So for computing a

(p+1)/2

power of

\left(a+\omega\right)

, the first formula has to be used

n-k-1

times and the second

k-1

times.

For this, Cipolla's algorithm is better than the Tonelli–Shanks algorithm if and only if

S(S-1)>8m+20

, with

2^S

being the maximum power of 2 which divides

p-1

.^[4]

Prime power moduli

According to Dickson's "History Of Numbers", the following formula of Cipolla will find square roots modulo powers of prime:^[5] ^[6]

2^-1q^t((k+\sqrt{k²-q})^s+(k-\sqrt{k²-q})^s)\bmod{p^λ

}

where

t=(p^λ-2p^λ-1+1)/2

and

s=p^λ-1(p+1)/2

where

q=10

k=2

as in this article's example

Taking the example in the wiki article we can see that this formula above does indeed take square roots modulo prime powers.

\sqrt{10}\bmod{13³

}\equiv 1046

Now solve for

2^-1q^t

via:

2^-1

	(13³-2 ⋅ 13²+1)/2
10

\bmod{13³

}\equiv 1086

Now create the

(2+\sqrt{2²

	13² ⋅ 7
-10})

\bmod{13³

} and

(2-\sqrt{2²

	13² ⋅ 7
-10})

\bmod{13³

}(See here for mathematica code showing this above computation, rememberingthat something close to complex modular arithmetic is going on here)

As such:

(2+\sqrt{2²

	13² ⋅ 7
-10})

\bmod{13³

}\equiv 1540 and

(2-\sqrt{2²

	13² ⋅ 7
-10})

\bmod{13³

}\equiv 1540

and the final equation is:

1086(1540+1540)\bmod{13³

}\equiv 1046 which is the answer.

Sources

E. Bach, J.O. Shallit Algorithmic Number Theory: Efficient algorithms MIT Press, (1996)

Notes and References

Book: History of the Theory of Numbers . 1 . Leonard Eugene . Dickson . 218 . 1919.
R. Crandall, C. Pomerance Prime Numbers: A Computational Perspective Springer-Verlag, (2001) p. 157
Web site: M. Baker Cipolla's Algorithm for finding square roots mod p . 2011-08-24 . 2017-03-25 . https://web.archive.org/web/20170325174340/http://people.math.gatech.edu/~mbaker/pdf/cipolla2011.pdf . dead .
Book: https://doi.org/10.1007%2F3-540-45995-2_38 . 10.1007/3-540-45995-2_38 . Square Roots Modulo P . LATIN 2002: Theoretical Informatics . Lecture Notes in Computer Science . 2002 . Tornaría . Gonzalo . 2286 . 430–434 . 978-3-540-43400-9 .
"History of the Theory of Numbers" Volume 1 by Leonard Eugene Dickson, p218, Chelsea Publishing 1952read online
Michelle Cipolla, Rendiconto dell' Accademia delle Scienze Fisiche e Matematiche. Napoli, (3),10,1904, 144-150