Paper 2023/828
Optimized Discrete Logarithm Computation for Faster Square Roots in Finite Fields
Abstract
For computing square roots in a finite field $GF(q)$ where $q - 1 = 2^n m$ for an odd integer $m$ and some integer $n$, the classic Tonelli-Shanks algorithm starts with an exponentiation (the exponent has size about $\log_2 q - n$ bits), followed by a discrete logarithm computation in the subgroup of $2^n$-th roots of unity in $GF(q)$; the latter operation has cost $O(n^2)$ multiplications in the field, which is prohibitive when $n$ is large. Bernstein proposed an optimized variant with lookup tables, leading to a runtime cost of $O((n/w)^2)$, using $w$-bit tables of cumulative size $O(2^w n/w)$. Sarkar recently improved on the runtime cost, down to $O((n/w)^{1.5})$, with the same overall storage cost. In this short note, we explore the use of a straightforward divide-and-conquer variant of the Pohlig-Hellman algorithm, bringing the asymptotic cost down to $O(n\log n)$, and further study some additional optimizations. The result appears to be competitive, at least in terms of number of multiplications, for some well-known fields such that the 224-bit field used in NIST standard elliptic curve P-224 (for which $n = 96$).
Metadata
- Available format(s)
-
PDF
- Category
- Implementation
- Publication info
- Preprint.
- Keywords
- square roots
- Contact author(s)
- thomas pornin @ nccgroup com
- History
- 2023-06-06: approved
- 2023-06-04: received
- See all versions
- Short URL
- https://ia.cr/2023/828
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/828,
author = {Thomas Pornin},
title = {Optimized Discrete Logarithm Computation for Faster Square Roots in Finite Fields},
howpublished = {Cryptology ePrint Archive, Paper 2023/828},
year = {2023},
note = {\url{https://eprint.iacr.org/2023/828}},
url = {https://eprint.iacr.org/2023/828}
}
