A deterministic variant - Deterministic equation solving over finite fields

Proposition 3.5 Algorithm 3.3 is correct. It is probabilistic, with expected running time the cost of O(ℓ+ (logq)2₎_{operations in}_F_.

Proof. The correctness of Algorithm 3.3 follows from Proposition 3.2. The valuev used in the Proposition is equal tor−w; therefore the algorithm rightly returns “no solution” if, and only if, we havew+f > r. Note that we always haveABℓf

=au_,

so that in the endB will be an ℓf_{th root of}_au_.

To justify Step 5, note that if Bℓf

=au_{, then}

(Bxay)ℓf =axu+yℓf =a.

The running time of the deterministic parts of Algorithm 3.3 is bounded by the cost of O(ℓ + (logq)2_/_log_{ℓ) operations in} _F_{, by the Lemma and because} _W ₌

O(logq/logℓ). The cost of trying an element for being a non-power also amounts to O(logq) multiplications; we expect to try at most 2 elements, as the fraction of

non-ℓth powers inF∗_{is (ℓ}₋_1)/ℓ.

Remarks. It is easy to extend Algorithm 3.3 to a version that can takenth roots for an arbitrary integern. First we reduce to the case wherendividesq−1 by means of Algorithm 2.1; then we factorisenand apply Algorithm 3.3 one prime factor after the other.

If Algorithm 3.3 is called often with the sameFandℓ, then the table ofℓth roots of unity should be precomputed. In another direction, we could reduce the termℓin the running time to √ℓ by using a baby-step-giant-step technique instead of computing a table.

3.3 A deterministic variant

On examining the role of the Sylow group generator g in Algorithm 3.3, one sees that the property of being a generator is not essential forg to work; all we need is thatggenerates alarge enough subgroupof the Sylow group. Therefore I propose the following deterministic variant of Algorithm 3.3, where the element g is speciﬁed as part of the input, instead of the algorithm having to ﬁndg by itself. It will be used as a subroutine by the Selective Root Algorithm in the next Section. Of course, if the order ofg is too low, the algorithm will fail to compute a root.

The following generalisation of Proposition 3.2 gives more details.

Proposition 3.6 LetFbe a finite field havingqelements,ℓa prime andf a positive integer such thatℓf _divides_q

−1, andg_∈F∗_{. Let} _G_{be the subgroup of all elements}

b_∈F∗ _with _v

ℓ(ordb)≤vℓ(ordg). Then for all a∈F∗, either:

(i) ord(a)is not divisible byℓ, or:

(ii) there exist unique integersz andv, withv_≥0andz_{∈ {}1, . . . , ℓ₋1_}, such that

ord(ag−zℓv

(iii) ord(a)has more factors ℓthanord(g).

If (i)holds, thenais an ℓfth power inG. If(ii)holds, thenais an ℓfth power inG

if and only if we havev_≥f. If(iii)holds, thena is not anℓf_{th power in} _G_.

Proof. We copy the proof of Proposition 3.2, replacing everywhereF∗ _by _G _and

q₋1 by_|G_|, and gbygu_{except when}_g _{occurs inside the argument of the character}

χ. The proof goes through, except that the given element amight not be in G; but

this is exactly the third case.

Algorithm 3.7 (Deterministic Tonelli-Shanks.)

Input: a ﬁnite ﬁeldF, havingqelements, a prime numberℓ and a positive integerf withℓf _dividing_q

−1, and elementsg andaofF∗_.

Output: either an elementb ∈F∗ _{such that} _bℓf ₌_a_and _v

ℓ(ordb)≤vℓ(ordg), or, if

no suchb exists, “no solution”.

1: [Pre-processing] Write q−1 =ℓr_·_{u, where} _ℓ _{does not divide} _{u. Put} _A ₌_au

andB = 1. Compute integersxandy such thatxu+yℓf _{= 1.}

2: [Roots of unity] Replace g by gu_{. Compute} _s _{such that ord(g) =} _ℓs_{. Put}

ζ=gℓs−1

. Computeζ, ζ2_{, . . . , ζ}ℓ−1_{and store them in a sorted table.}

3: [Loop] WhileA₆= 1 do:

a: [Compute order] Computewsuch that ord(A) =ℓw_.

b: [Order too large?] Ifw+f > s, return “no solution”.

c: [Compute z] Using table lookup, ﬁnd the unique integer z, with 1_≤z _≤ ℓ−1, such thatAℓw−1 =ζz_. d: [Induction] ReplaceAbyAg(ℓw −z)ℓs−w andB byBgzℓs−w−f . 4: [Result] Output Bx_ay_.

Proposition 3.8 Algorithm 3.7 returns a correct solution whenever one exists, and “no solution” otherwise. It is deterministic and uses O(ℓ+ (logq)2₎_{operations in} _F_.

Lemma 3.9 Algorithm 3.7 can be run using O(ℓ+ logq+W2_log_ℓ)_{operations in}_F_,

whereW =vℓ(orda).

Proof. Same as for Lemma 3.4.

Proof of Proposition 3.8. As we removed the probabilistic Step 2 from Algorithm 3.3, the result is evidently deterministic. The correctness is clear from Proposition 3.6, where this time we have v = s₋w. Note that “no solution” here means that either no ℓf_{th root exists in} _F∗_{, or the orders of all existing roots have too many}

factorsℓ(i.e., more thanvℓ(ordg)).

In document Deterministic equation solving over finite fields (Page 35-37)