Boogie Math

Roots in finite fields

Square root

How do we compute a square root of an element in a finite field of characteristics of some prime pp?

It holds:

xp=xx^p = x

xp+1=x2x^{p+1} = x^2

Let’s say p=3p = 3 mod 44. Then it’s simple:

xp+14=x12x^{\frac{p+1}{4}} = x^{\frac{1}{2}}

How about in an extended field Fp(i)F_p(i) where i2+1=0i^2 + 1 = 0?

Let’s say we have an element x0+x1ix_0 + x_1 i.

If x1=0x_1 = 0, then let’s consider two options. If x0x_0 is a square, then we compute it as above for FpF_p. If it is not a square, we take x0-x_0 and compute a square root of this value in FpF_p. Let’s denote it by y0y_0. Then (y0i)2=x0(y_0 i)^2 = x_0.

Let’s observe for x10x_1 \neq 0. We need y0+iy1y_0 + i y_1 such that:

y02y12=x0y_0^2 - y_1^2 = x_0

2y0y1=x12 y_0 y_1 = x_1

We can try to have u+x12uiu + \frac{x_1}{2u} i. We see that the second formula is satisfied this way. Further, it needs to hold:

u2x124u2=x0u^2 - \frac{x_1^2}{4u^2} = x_0

u4x0u2x124=0u^4 - x_0 u^2 - \frac{x_1^2}{4} = 0

We solve the quadratic equation and get:

u=x0±x02+x122u = \sqrt{\frac{x_0 \pm \sqrt{x_0^2 + x_1^2}}{2}}

If x02+x12x_0^2 + x_1^2 is not a square, we don’t have a solution.

Note that when the element is not a square, we need to take its negation, compute the square root of this negation and multiply it by ii (as above).

Fourth root

We have x0+ix1x_0 + i x_1 and we would like to get y0+iy1y_0 + i y_1 such that

(y0+iy1)4=x0+ix1(y_0 + i y_1)^4 = x_0 + i x_1

We have

(y0+iy1)4=y046y02y12+y14+i(4y03y14y0y13).(y_0 + i y_1)^4 = y_0^4 - 6 y_0^2 y_1^2 + y_1^4 + i (4 y_0^3 y_1 - 4 y_0 y_1^3).

We can use the fact that the norm is multiplicative, so:

(y02+y12)4=x02+x12(y_0^2 + y_1^2)^4 = x_0^2 + x_1^2

Let’s denote n=y02+y12n = y_0^2 + y_1^2. We can compute nn as a fourth root in FpF_p.

We then have:

x0=y046y02(ny02)+(ny02)2x_0 = y_0^4 - 6 y_0^2 (n - y_0^2) + (n - y_0^2)^2

8y048ny02+n2x0=08 y_0^4 - 8 n y_0^2 + n^2 - x_0 = 0

Let u=y02u = y_0^2. The discriminant of the equation above is:

D=64n232(n2x0)=32(n2+x0)D = 64 n^2 - 32 (n^2 - x_0) = 32 (n^2 + x_0)

And we have:

u1,2=8n±D16u_{1,2} = \frac{8n \pm \sqrt D}{16}

=n±n2+x022= \frac{n \pm \sqrt{\frac{n^2 + x_0}{2}}}{2}

So:

y02=n±n2+x022y_0^2 = \frac{n \pm \sqrt{\frac{n^2 + x_0}{2}}}{2}

To compute y0y_0 we need to compute two square roots in FpF_p. We can then compute y1y_1 out of

x1=4y1y0(y02(ny02))x_1 = 4 y_1 y_0 (y_0^2 - (n - y_0^2))

which requires one inversion.

Thus, we can compute the fourth root of an element in Fp2F_p^2 using one fourth root in FpF_p, two square roots in FpF_p and one inversion. This is faster than repeated square roots, which would be four square roots in FpF_p and two inversions.

Note that when x1=0x_1 = 0, we have:

n4=(y02+y12)4=x02n^4 = (y_0^2 + y_1^2)^4 = x_0^2

n2=x0n^2 = x_0

So it’s either

y02=n±n2+x022=n±x02=0y_0^2 = \frac{n \pm \sqrt{\frac{n^2 + x_0}{2}}}{2} = \frac{n \pm \sqrt{x_0}}{2} = 0

or

y02=n±n2+x022=n±x02=ny_0^2 = \frac{n \pm \sqrt{\frac{n^2 + x_0}{2}}}{2} = \frac{n \pm \sqrt{x_0}}{2} = n

If nn is a square, we can take its square root:

y0=ny_0 = \sqrt n

If it is not a square, we have y0=0y_0 = 0 and we take

y1=x04y_1 = \sqrt[4]{x_0}

Montgomery modular multiplication