二次剩余系解法

时间：2019-08-17 00:48:36 阅读：94 评论：0 收藏：0 [点我收藏+]

标签：img end one amp note log first return ref

(Note: All $技术图片$ are taken to mean $技术图片$ , unless indicated otherwise).[edit]The algorithm

Inputs: p, an odd prime. n, an integer which is a quadratic residue (mod p), meaning that the Legendre symbol $技术图片$ .

Outputs: R, an integer satisfying $技术图片$ .

Factor out powers of 2 from p − 1, defining Q and S as: $技术图片$ with Q odd. Note that if $技术图片$ , i.e. $技术图片$ , then solutions are given directly by $技术图片$ .
Select a z such that the Legendre symbol $技术图片$ (that is, z should be a quadratic non-residue modulo p), and set $技术图片$ .
Let $技术图片$
Loop:
1. If $技术图片$ , return R.
2. Otherwise, find the lowest i, $技术图片$ , such that $技术图片$ ; e.g. via repeated squaring.
3. Let $技术图片$ , and set $技术图片$ and $技术图片$ .

Once you have solved the congruence with R the second solution is p − R.

Example

Solving the congruence $技术图片$ . It is clear that $技术图片$ is odd, and since $技术图片$ , 10 is a quadratic residue (by Euler‘s criterion).

Step 1: Observe $技术图片$ so $技术图片$ , $技术图片$ .

Step 2: Take $技术图片$ as the quadratic nonresidue (2 is a quadratic nonresidue since $技术图片$ (again, Euler‘s criterion)). Set $技术图片$

Step 3: $技术图片$

Step 4: Now we start the loop: $技术图片$ so $技术图片$ ; i.e. $技术图片$
- Let $技术图片$ , so $技术图片$ .
- Set $技术图片$ . Set $技术图片$ , and $技术图片$
- We restart the loop, and since $技术图片$ we are done, returning $技术图片$

Indeed, observe that $技术图片$ and naturally also $技术图片$ . So the algorithm yields two solutions to our congruence.

Proof

First write $技术图片$ . Now write $技术图片$ and $技术图片$ , observing that $技术图片$ . This latter congruence will be true after every iteration of the algorithm‘s main loop. If at any point, $技术图片$ then $技术图片$ and the algorithm terminates with $技术图片$ .

If $技术图片$ , then consider $技术图片$ , a quadratic non-residue of $技术图片$ . Let $技术图片$ . Then $技术图片$ and $技术图片$ , which shows that the order of $技术图片$ is $技术图片$ .

Similarly we have $技术图片$ , so the order of $技术图片$ divides $技术图片$ . Suppose the order of $技术图片$ is $技术图片$ . Since $技术图片$ is a square modulo $技术图片$ , $技术图片$ is also a square, and hence $技术图片$ .

Now we set $技术图片$ and with this $技术图片$ , $技术图片$ and $技术图片$ . As before, $技术图片$ holds; however with this construction both $技术图片$ and $技术图片$ have order $技术图片$ . This implies that $技术图片$ has order $技术图片$ with $技术图片$ .

If $技术图片$ then $技术图片$ , and the algorithm stops, returning $技术图片$ . Else, we restart the loop with analogous definitions of $技术图片$ , $技术图片$ , $技术图片$ and $技术图片$ until we arrive at an $技术图片$ that equals 0. Since the sequence of S is strictly decreasing the algorithm terminates.