Pocklington's algorithm

Pocklington's algorithm is a technique for solving a congruence of the form

x^{2}\equiv a{\pmod {p}},

{\displaystyle x^{2}\equiv a{\pmod {p}},}

where x and a are integers and a is a quadratic residue.

The algorithm is one of the first efficient methods to solve such a congruence. It was described by H.C. Pocklington in 1917.^[1]

The algorithm

[edit ]

(Note: all $\equiv$ {\displaystyle \equiv } are taken to mean ${\pmod {p}}$ {\displaystyle {\pmod {p}}}, unless indicated otherwise.)

Inputs:

p, an odd prime
a, an integer which is a quadratic residue ${\pmod {p}}$ {\displaystyle {\pmod {p}}}.

Outputs:

x, an integer satisfying $x^{2}\equiv a$ {\displaystyle x^{2}\equiv a}. Note that if x is a solution, −x is a solution as well and since p is odd, $x\neq -x$ {\displaystyle x\neq -x}. So there is always a second solution when one is found.

Solution method

[edit ]

Pocklington separates 3 different cases for p:

The first case, if $p=4m+3$ {\displaystyle p=4m+3}, with $m\in \mathbb {N}$ {\displaystyle m\in \mathbb {N} }, the solution is $x\equiv \pm a^{m+1}$ {\displaystyle x\equiv \pm a^{m+1}}.

The second case, if $p=8m+5$ {\displaystyle p=8m+5}, with $m\in \mathbb {N}$ {\displaystyle m\in \mathbb {N} } and

$a^{2m+1}\equiv 1$ {\displaystyle a^{2m+1}\equiv 1}, the solution is $x\equiv \pm a^{m+1}$ {\displaystyle x\equiv \pm a^{m+1}}.
$a^{2m+1}\equiv -1$ {\displaystyle a^{2m+1}\equiv -1}, 2 is a (quadratic) non-residue so $4^{2m+1}\equiv -1$ {\displaystyle 4^{2m+1}\equiv -1}. This means that $(4a)^{2m+1}\equiv 1$ {\displaystyle (4a)^{2m+1}\equiv 1} so $y\equiv \pm (4a)^{m+1}$ {\displaystyle y\equiv \pm (4a)^{m+1}} is a solution of $y^{2}\equiv 4a$ {\displaystyle y^{2}\equiv 4a}. Hence $x\equiv \pm y/2$ {\displaystyle x\equiv \pm y/2} or, if y is odd, $x\equiv \pm (p+y)/2$ {\displaystyle x\equiv \pm (p+y)/2}.

The third case, if $p=8m+1$ {\displaystyle p=8m+1}, put $D\equiv -a$ {\displaystyle D\equiv -a}, so the equation to solve becomes $x^{2}+D\equiv 0$ {\displaystyle x^{2}+D\equiv 0}. Now find by trial and error $t_{1}$ {\displaystyle t_{1}} and $u_{1}$ {\displaystyle u_{1}} so that $N=t_{1}^{2}-Du_{1}^{2}$ {\displaystyle N=t_{1}^{2}-Du_{1}^{2}} is a quadratic non-residue. Furthermore, let

t_{n}={\frac {(t_{1}+u_{1}{\sqrt {D}})^{n}+(t_{1}-u_{1}{\sqrt {D}})^{n}}{2}},\qquad u_{n}={\frac {(t_{1}+u_{1}{\sqrt {D}})^{n}-(t_{1}-u_{1}{\sqrt {D}})^{n}}{2{\sqrt {D}}}}

{\displaystyle t_{n}={\frac {(t_{1}+u_{1}{\sqrt {D}})^{n}+(t_{1}-u_{1}{\sqrt {D}})^{n}}{2}},\qquad u_{n}={\frac {(t_{1}+u_{1}{\sqrt {D}})^{n}-(t_{1}-u_{1}{\sqrt {D}})^{n}}{2{\sqrt {D}}}}}.

The following equalities now hold:

t_{m+n}=t_{m}t_{n}+Du_{m}u_{n},\quad u_{m+n}=t_{m}u_{n}+t_{n}u_{m}\quad {\mbox{and}}\quad t_{n}^{2}-Du_{n}^{2}=N^{n}

{\displaystyle t_{m+n}=t_{m}t_{n}+Du_{m}u_{n},\quad u_{m+n}=t_{m}u_{n}+t_{n}u_{m}\quad {\mbox{and}}\quad t_{n}^{2}-Du_{n}^{2}=N^{n}}.

Supposing that p is of the form $4m+1$ {\displaystyle 4m+1} (which is true if p is of the form $8m+1$ {\displaystyle 8m+1}), D is a quadratic residue and $t_{p}\equiv t_{1}^{p}\equiv t_{1},\quad u_{p}\equiv u_{1}^{p}D^{(p-1)/2}\equiv u_{1}$ {\displaystyle t_{p}\equiv t_{1}^{p}\equiv t_{1},\quad u_{p}\equiv u_{1}^{p}D^{(p-1)/2}\equiv u_{1}}. Now the equations

t_{1}\equiv t_{p-1}t_{1}+Du_{p-1}u_{1}\quad {\mbox{and}}\quad u_{1}\equiv t_{p-1}u_{1}+t_{1}u_{p-1}

{\displaystyle t_{1}\equiv t_{p-1}t_{1}+Du_{p-1}u_{1}\quad {\mbox{and}}\quad u_{1}\equiv t_{p-1}u_{1}+t_{1}u_{p-1}}

give a solution $t_{p-1}\equiv 1,\quad u_{p-1}\equiv 0$ {\displaystyle t_{p-1}\equiv 1,\quad u_{p-1}\equiv 0}.

Let $p-1=2r$ {\displaystyle p-1=2r}. Then $0\equiv u_{p-1}\equiv 2t_{r}u_{r}$ {\displaystyle 0\equiv u_{p-1}\equiv 2t_{r}u_{r}}. This means that either $t_{r}$ {\displaystyle t_{r}} or $u_{r}$ {\displaystyle u_{r}} is divisible by p. If it is $u_{r}$ {\displaystyle u_{r}}, put $r=2s$ {\displaystyle r=2s} and proceed similarly with $0\equiv 2t_{s}u_{s}$ {\displaystyle 0\equiv 2t_{s}u_{s}}. Not every $u_{i}$ {\displaystyle u_{i}} is divisible by p, for $u_{1}$ {\displaystyle u_{1}} is not. The case $u_{m}\equiv 0$ {\displaystyle u_{m}\equiv 0} with m odd is impossible, because $t_{m}^{2}-Du_{m}^{2}\equiv N^{m}$ {\displaystyle t_{m}^{2}-Du_{m}^{2}\equiv N^{m}} holds and this would mean that $t_{m}^{2}$ {\displaystyle t_{m}^{2}} is congruent to a quadratic non-residue, which is a contradiction. So this loop stops when $t_{l}\equiv 0$ {\displaystyle t_{l}\equiv 0} for a particular l. This gives $-Du_{l}^{2}\equiv N^{l}$ {\displaystyle -Du_{l}^{2}\equiv N^{l}}, and because $-D$ {\displaystyle -D} is a quadratic residue, l must be even. Put $l=2k$ {\displaystyle l=2k}. Then $0\equiv t_{l}\equiv t_{k}^{2}+Du_{k}^{2}$ {\displaystyle 0\equiv t_{l}\equiv t_{k}^{2}+Du_{k}^{2}}. So the solution of $x^{2}+D\equiv 0$ {\displaystyle x^{2}+D\equiv 0} is got by solving the linear congruence $u_{k}x\equiv \pm t_{k}$ {\displaystyle u_{k}x\equiv \pm t_{k}}.

Examples

[edit ]

The following are 4 examples, corresponding to the 3 different cases in which Pocklington divided forms of p. All $\equiv$ {\displaystyle \equiv } are taken with the modulus in the example.

Example 0

[edit ]

x^{2}\equiv 43{\pmod {47}}.

{\displaystyle x^{2}\equiv 43{\pmod {47}}.}

This is the first case, according to the algorithm, $x\equiv 43^{(47+1)/2}=43^{12}\equiv 2$ {\displaystyle x\equiv 43^{(47+1)/2}=43^{12}\equiv 2}, but then $x^{2}=2^{2}=4$ {\displaystyle x^{2}=2^{2}=4} not 43, so we should not apply the algorithm at all. The reason why the algorithm is not applicable is that a=43 is a quadratic non residue for p=47.

Example 1

[edit ]

Solve the congruence

x^{2}\equiv 18{\pmod {23}}.

{\displaystyle x^{2}\equiv 18{\pmod {23}}.}

The modulus is 23. This is $23=4\cdot 5+3$ {\displaystyle 23=4\cdot 5+3}, so $m=5$ {\displaystyle m=5}. The solution should be $x\equiv \pm 18^{6}\equiv \pm 8{\pmod {23}}$ {\displaystyle x\equiv \pm 18^{6}\equiv \pm 8{\pmod {23}}}, which is indeed true: $(\pm 8)^{2}\equiv 64\equiv 18{\pmod {23}}$ {\displaystyle (\pm 8)^{2}\equiv 64\equiv 18{\pmod {23}}}.

Example 2

[edit ]

Solve the congruence

x^{2}\equiv 10{\pmod {13}}.

{\displaystyle x^{2}\equiv 10{\pmod {13}}.}

The modulus is 13. This is $13=8\cdot 1+5$ {\displaystyle 13=8\cdot 1+5}, so $m=1$ {\displaystyle m=1}. Now verifying $10^{2m+1}\equiv 10^{3}\equiv -1{\pmod {13}}$ {\displaystyle 10^{2m+1}\equiv 10^{3}\equiv -1{\pmod {13}}}. So the solution is $x\equiv \pm y/2\equiv \pm (4a)^{2}/2\equiv \pm 800\equiv \pm 7{\pmod {13}}$ {\displaystyle x\equiv \pm y/2\equiv \pm (4a)^{2}/2\equiv \pm 800\equiv \pm 7{\pmod {13}}}. This is indeed true: $(\pm 7)^{2}\equiv 49\equiv 10{\pmod {13}}$ {\displaystyle (\pm 7)^{2}\equiv 49\equiv 10{\pmod {13}}}.

Example 3

[edit ]

Solve the congruence $x^{2}\equiv 13{\pmod {17}}$ {\displaystyle x^{2}\equiv 13{\pmod {17}}}. For this, write $x^{2}-13=0$ {\displaystyle x^{2}-13=0}. First find a $t_{1}$ {\displaystyle t_{1}} and $u_{1}$ {\displaystyle u_{1}} such that $t_{1}^{2}+13u_{1}^{2}$ {\displaystyle t_{1}^{2}+13u_{1}^{2}} is a quadratic nonresidue. Take for example $t_{1}=3,u_{1}=1$ {\displaystyle t_{1}=3,u_{1}=1}. Now find $t_{8}$ {\displaystyle t_{8}}, $u_{8}$ {\displaystyle u_{8}} by computing

t_{2}=t_{1}t_{1}+13u_{1}u_{1}=9-13=-4\equiv 13{\pmod {17}},

{\displaystyle t_{2}=t_{1}t_{1}+13u_{1}u_{1}=9-13=-4\equiv 13{\pmod {17}},}

u_{2}=t_{1}u_{1}+t_{1}u_{1}=3+3\equiv 6{\pmod {17}}.

{\displaystyle u_{2}=t_{1}u_{1}+t_{1}u_{1}=3+3\equiv 6{\pmod {17}}.}

And similarly $t_{4}=-299\equiv 7{\pmod {17}},u_{4}=156\equiv 3{\pmod {17}}$ {\displaystyle t_{4}=-299\equiv 7{\pmod {17}},u_{4}=156\equiv 3{\pmod {17}}} such that $t_{8}=-68\equiv 0{\pmod {17}},u_{8}=42\equiv 8{\pmod {17}}.$ {\displaystyle t_{8}=-68\equiv 0{\pmod {17}},u_{8}=42\equiv 8{\pmod {17}}.}

Since $t_{8}=0$ {\displaystyle t_{8}=0}, the equation $0\equiv t_{4}^{2}+13u_{4}^{2}\equiv 7^{2}-13\cdot 3^{2}{\pmod {17}}$ {\displaystyle 0\equiv t_{4}^{2}+13u_{4}^{2}\equiv 7^{2}-13\cdot 3^{2}{\pmod {17}}} which leads to solving the equation $3x\equiv \pm 7{\pmod {17}}$ {\displaystyle 3x\equiv \pm 7{\pmod {17}}}. This has solution $x\equiv \pm 8{\pmod {17}}$ {\displaystyle x\equiv \pm 8{\pmod {17}}}. Indeed, $(\pm 8)^{2}=64\equiv 13{\pmod {17}}$ {\displaystyle (\pm 8)^{2}=64\equiv 13{\pmod {17}}}.

References

[edit ]

Leonard Eugene Dickson, "History Of The Theory Of Numbers" vol 1 p 222, Chelsea Publishing 1952

^ H.C. Pocklington, Proceedings of the Cambridge Philosophical Society, Volume 19, pages 57–58

v t e Number-theoretic algorithms
Primality tests	AKS APR Baillie–PSW Elliptic curve Pocklington Fermat Lucas Lucas–Lehmer Lucas–Lehmer–Riesel Proth's theorem Pépin's Quadratic Frobenius Solovay–Strassen Miller–Rabin
Prime-generating	Sieve of Atkin Sieve of Eratosthenes Sieve of Pritchard Sieve of Sundaram Wheel factorization
Integer factorization	Continued fraction (CFRAC) Dixon's Lenstra elliptic curve (ECM) Euler's Pollard's rho p − 1 p + 1 Quadratic sieve (QS) General number field sieve (GNFS) Special number field sieve (SNFS) Rational sieve Fermat's Shanks's square forms Trial division Shor's
Multiplication	Ancient Egyptian Long Karatsuba Toom–Cook Schönhage–Strassen Fürer's
Euclidean division	Binary Chunking Fourier Goldschmidt Newton-Raphson Long Short SRT
Discrete logarithm	Baby-step giant-step Pollard rho Pollard kangaroo Pohlig–Hellman Index calculus Function field sieve
Greatest common divisor	Binary Euclidean Extended Euclidean Lehmer's
Modular square root	Cipolla Pocklington's Tonelli–Shanks Berlekamp
Other algorithms	Chakravala Cornacchia Exponentiation by squaring Integer square root Integer relation (LLL; KZ) Modular exponentiation Montgomery reduction Schoof Trachtenberg system
Italics indicate that algorithm is for numbers of special forms

Retrieved from "https://en.wikipedia.org/w/index.php?title=Pocklington%27s_algorithm&oldid=955727513"