Pocklington's algorithm

Last updated May 10, 2020

Pocklington's algorithm is a technique for solving a congruence of the form

The algorithm

(Note: all $\equiv$ are taken to mean ${\pmod {p}}$ , unless indicated otherwise.)

Inputs:

p, an odd prime
a, an integer which is a quadratic residue ${\pmod {p}}$ .

Outputs:

x, an integer satisfying $x^{2}\equiv a$ . Note that if x is a solution, −x is a solution as well and since p is odd, $x\neq -x$ . So there is always a second solution when one is found.

Solution method

Pocklington separates 3 different cases for p:

The first case, if $p=4m+3$ , with $m\in \mathbb {N}$ , the solution is $x\equiv \pm a^{m+1}$ .

The second case, if $p=8m+5$ , with $m\in \mathbb {N}$ and

$a^{2m+1}\equiv 1$ , the solution is $x\equiv \pm a^{m+1}$ .
$a^{2m+1}\equiv -1$ , 2 is a (quadratic) non-residue so $4^{2m+1}\equiv -1$ . This means that $(4a)^{2m+1}\equiv 1$ so $y\equiv \pm (4a)^{m+1}$ is a solution of $y^{2}\equiv 4a$ . Hence $x\equiv \pm y/2$ or, if y is odd, $x\equiv \pm (p+y)/2$ .

The third case, if $p=8m+1$ , put $D\equiv -a$ , so the equation to solve becomes $x^{2}+D\equiv 0$ . Now find by trial and error $t_{1}$ and $u_{1}$ so that $N=t_{1}^{2}-Du_{1}^{2}$ is a quadratic non-residue. Furthermore, let

t_{n}={\frac {(t_{1}+u_{1}{\sqrt {D}})^{n}+(t_{1}-u_{1}{\sqrt {D}})^{n}}{2}},\qquad u_{n}={\frac {(t_{1}+u_{1}{\sqrt {D}})^{n}-(t_{1}-u_{1}{\sqrt {D}})^{n}}{2{\sqrt {D}}}}

.

The following equalities now hold:

t_{m+n}=t_{m}t_{n}+Du_{m}u_{n},\quad u_{m+n}=t_{m}u_{n}+t_{n}u_{m}\quad {\mbox{and}}\quad t_{n}^{2}-Du_{n}^{2}=N^{n}

.

Supposing that p is of the form $4m+1$ (which is true if p is of the form $8m+1$ ), D is a quadratic residue and $t_{p}\equiv t_{1}^{p}\equiv t_{1},\quad u_{p}\equiv u_{1}^{p}D^{(p-1)/2}\equiv u_{1}$ . Now the equations

t_{1}\equiv t_{p-1}t_{1}+Du_{p-1}u_{1}\quad {\mbox{and}}\quad u_{1}\equiv t_{p-1}u_{1}+t_{1}u_{p-1}

give a solution $t_{p-1}\equiv 1,\quad u_{p-1}\equiv 0$ .

Let $p-1=2r$ . Then $0\equiv u_{p-1}\equiv 2t_{r}u_{r}$ . This means that either $t_{r}$ or $u_{r}$ is divisible by p. If it is $u_{r}$ , put $r=2s$ and proceed similarly with $0\equiv 2t_{s}u_{s}$ . Not every $u_{i}$ is divisible by p, for $u_{1}$ is not. The case $u_{m}\equiv 0$ with m odd is impossible, because $t_{m}^{2}-Du_{m}^{2}\equiv N^{m}$ holds and this would mean that $t_{m}^{2}$ is congruent to a quadratic non-residue, which is a contradiction. So this loop stops when $t_{l}\equiv 0$ for a particular l. This gives $-Du_{l}^{2}\equiv N^{l}$ , and because $-D$ is a quadratic residue, l must be even. Put $l=2k$ . Then $0\equiv t_{l}\equiv t_{k}^{2}+Du_{k}^{2}$ . So the solution of $x^{2}+D\equiv 0$ is got by solving the linear congruence $u_{k}x\equiv \pm t_{k}$ .

Examples

The following are 4 examples, corresponding to the 3 different cases in which Pocklington divided forms of p. All $\equiv$ are taken with the modulus in the example.

Example 0

x^{2}\equiv 43{\pmod {47}}.

This is the first case, according to the algorithm, $x\equiv 43^{(47+1)/2}=43^{12}\equiv 2$ , but then $x^{2}=2^{2}=4$ not 43, so we should not apply the algorithm at all. The reason why the algorithm is not applicable is that a=43 is a quadratic non residue for p=47.

Example 1

Solve the congruence

x^{2}\equiv 18{\pmod {23}}.

The modulus is 23. This is $23=4\cdot 5+3$ , so $m=5$ . The solution should be $x\equiv \pm 18^{6}\equiv \pm 8{\pmod {23}}$ , which is indeed true: $(\pm 8)^{2}\equiv 64\equiv 18{\pmod {23}}$ .

Example 2

Solve the congruence

x^{2}\equiv 10{\pmod {13}}.

The modulus is 13. This is $13=8\cdot 1+5$ , so $m=1$ . Now verifying $10^{2m+1}\equiv 10^{3}\equiv -1{\pmod {13}}$ . So the solution is $x\equiv \pm y/2\equiv \pm (4a)^{2}/2\equiv \pm 800\equiv \pm 7{\pmod {13}}$ . This is indeed true: $(\pm 7)^{2}\equiv 49\equiv 10{\pmod {13}}$ .

Example 3

Solve the congruence $x^{2}\equiv 13{\pmod {17}}$ . For this, write $x^{2}-13=0$ . First find a $t_{1}$ and $u_{1}$ such that $t_{1}^{2}+13u_{1}^{2}$ is a quadratic nonresidue. Take for example $t_{1}=3,u_{1}=1$ . Now find $t_{8}$ , $u_{8}$ by computing

t_{2}=t_{1}t_{1}+13u_{1}u_{1}=9-13=-4\equiv 13{\pmod {17}},

u_{2}=t_{1}u_{1}+t_{1}u_{1}=3+3\equiv 6{\pmod {17}}.

And similarly $t_{4}=-299\equiv 7{\pmod {17}},u_{4}=156\equiv 3{\pmod {17}}$ such that $t_{8}=-68\equiv 0{\pmod {17}},u_{8}=42\equiv 8{\pmod {17}}.$

Since $t_{8}=0$ , the equation $0\equiv t_{4}^{2}+13u_{4}^{2}\equiv 7^{2}-13\cdot 3^{2}{\pmod {17}}$ which leads to solving the equation $3x\equiv \pm 7{\pmod {17}}$ . This has solution $x\equiv \pm 8{\pmod {17}}$ . Indeed, $(\pm 8)^{2}=64\equiv 13{\pmod {17}}$ .

Related Research Articles

In number theory, the Chinese remainder theorem states that if one knows the remainders of the Euclidean division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime.

In number theory, the Legendre symbol is a multiplicative function with values 1, −1, 0 that is a quadratic character modulo an odd prime number p: its value at a (nonzero) quadratic residue mod p is 1 and at a non-quadratic residue (non-residue) is −1. Its value at zero is 0.

In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" when reaching a certain value, called the modulus. The modern approach to modular arithmetic was developed by Carl Friedrich Gauss in his book Disquisitiones Arithmeticae, published in 1801.

In number theory, the law of quadratic reciprocity is a theorem about modular arithmetic that gives conditions for the solvability of quadratic equations modulo prime numbers. Due to its subtlety, it has many formulations, but the most standard statement is:

In number theory, Euler's theorem states that if n and a are coprime positive integers, then

The Jacobi symbol is a generalization of the Legendre symbol. Introduced by Jacobi in 1837, it is of theoretical interest in modular arithmetic and other branches of number theory, but its main use is in computational number theory, especially primality testing and integer factorization; these in turn are important in cryptography.

In number theory, Euler's criterion is a formula for determining whether an integer is a quadratic residue modulo a prime. Precisely,

In number theory, an integer q is called a quadratic residue modulo n if it is congruent to a perfect square modulo n; i.e., if there exists an integer x such that:

In number theory, the Ankeny–Artin–Chowla congruence is a result published in 1953 by N. C. Ankeny, Emil Artin and S. Chowla. It concerns the class number h of a real quadratic field of discriminant d > 0. If the fundamental unit of the field is

In number theory, a congruence of squares is a congruence commonly used in integer factorization algorithms.

The quadratic sieve algorithm (QS) is an integer factorization algorithm and, in practice, the second fastest method known. It is still the fastest for integers under 100 decimal digits or so, and is considerably simpler than the number field sieve. It is a general-purpose factorization algorithm, meaning that its running time depends solely on the size of the integer to be factored, and not on special structure or properties. It was invented by Carl Pomerance in 1981 as an improvement to Schroeppel's linear sieve.

In number theory, the Kronecker symbol, written as $or, is a generalization of the Jacobi symbol to all integers . It was introduced by Leopold Kronecker.$

Gauss's lemma in number theory gives a condition for an integer to be a quadratic residue. Although it is not useful computationally, it has theoretical significance, being involved in some proofs of quadratic reciprocity.

In number theory, the law of quadratic reciprocity, like the Pythagorean theorem, has lent itself to an unusual number of proofs. Several hundred proofs of the law of quadratic reciprocity have been found.

The Tonelli–Shanks algorithm is used in modular arithmetic to solve for r in a congruence of the form r² ≡ n, where p is a prime: that is, to find a square root of n modulo p.

Cubic reciprocity is a collection of theorems in elementary and algebraic number theory that state conditions under which the congruence x³ ≡ p (mod q) is solvable; the word "reciprocity" comes from the form of the main theorem, which states that if p and q are primary numbers in the ring of Eisenstein integers, both coprime to 3, the congruence x³ ≡ p is solvable if and only if x³ ≡ q is solvable.

In mathematics, in particular the area of number theory, a modular multiplicative inverse of an integer $a$ is an integer $x$ such that the product $ax$ is congruent to 1 with respect to the modulus $m$ . In the standard notation of modular arithmetic this congruence is written as

Quartic or biquadratic reciprocity is a collection of theorems in elementary and algebraic number theory that state conditions under which the congruence x⁴ ≡ p is solvable; the word "reciprocity" comes from the form of some of these theorems, in that they relate the solvability of the congruence x⁴ ≡ p to that of x⁴ ≡ q.

References

Leonard Eugene Dickson, "History Of The Theory Of Numbers" vol 1 p 222, Chelsea Publishing 1952

↑ H.C. Pocklington, Proceedings of the Cambridge Philosophical Society, Volume 19, pages 57–58

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] H.C. Pocklington, Proceedings of the Cambridge Philosophical Society, Volume 19, pages 57–58

v t e Number-theoretic algorithms
Primality tests	AKS APR Baillie–PSW Elliptic curve Pocklington Fermat Lucas Lucas–Lehmer Lucas–Lehmer–Riesel Proth's theorem Pépin's Quadratic Frobenius Solovay–Strassen Miller–Rabin
Prime-generating	Sieve of Atkin Sieve of Eratosthenes Sieve of Sundaram Wheel factorization
Integer factorization	Continued fraction (CFRAC) Dixon's Lenstra elliptic curve (ECM) Euler's Pollard's rho p − 1 p + 1 Quadratic sieve (QS) General number field sieve (GNFS) Special number field sieve (SNFS) Rational sieve Fermat's Shanks's square forms Trial division Shor's
Multiplication	Ancient Egyptian Long Karatsuba Toom–Cook Schönhage–Strassen Fürer's
Euclidean division	Binary Chunking Fourier Goldschmidt Newton-Raphson Long Short SRT
Discrete logarithm	Baby-step giant-step Pollard rho Pollard kangaroo Pohlig–Hellman Index calculus Function field sieve
Greatest common divisor	Binary Euclidean Extended Euclidean Lehmer's
Modular square root	Cipolla Pocklington's Tonelli–Shanks Berlekamp
Other algorithms	Chakravala Cornacchia Exponentiation by squaring Integer square root LLL Modular exponentiation Montgomery reduction Schoof's
Italics indicate that algorithm is for numbers of special forms