
On the degree of polynomials computing square roots mod p

Kiran Kedlaya, Swastik Kopparty

TL;DR

We investigate the minimal degree of polynomials over the prime field $\mathbb{F}_p$ that compute square roots on the nonzero quadratic residues. For $p \equiv 3 \pmod{4}$, the canonical choice $f(X) = X^{(p+1)/4}$ achieves a remarkably low degree; for $p \equiv 1 \pmod{4}$, the paper proves a lower bound of $\frac{p-1}{3}$ on the degree, and a robust version shows that the bound persists when the polynomial is allowed to fail on a small fraction of the squares. A key technical advance is a general lemma (a Mason–Stothers/abc-type statement) that powers of a low-degree polynomial cannot have too many consecutive zero coefficients, which drives both the lower bound and its robust variant. The authors also obtain nontrivial upper bounds in special cases (e.g., degree $\le \frac{3p+1}{8}$ for infinitely many $p \equiv 5 \pmod{8}$ via Tonelli–Shanks) and give near-$p/2$ upper bounds for general $p$ using interpolation and Fourier-analytic methods; they extend the discussion to $t$th roots and connect it to Reed–Solomon list-recovery. The work highlights a qualitative difference between $p \equiv 3 \pmod{4}$ and $p \equiv 1 \pmod{4}$ in deterministic square-root computation by low-degree polynomials.

Abstract

For an odd prime $p$, we say $f(X) \in \mathbb{F}_p[X]$ computes square roots in $\mathbb{F}_p$ if, for all nonzero perfect squares $a \in \mathbb{F}_p$, we have $f(a)^2 = a$. When $p \equiv 3 \pmod{4}$, it is well known that $f(X) = X^{(p+1)/4}$ computes square roots. This degree is surprisingly low (and in fact lowest possible), since we have specified $(p-1)/2$ evaluations (up to sign) of the polynomial $f(X)$. On the other hand, for $p \equiv 1 \pmod{4}$ there was previously no nontrivial bound known on the lowest degree of a polynomial computing square roots in $\mathbb{F}_p$; it could have been anywhere between $\frac{p}{4}$ and $\frac{p}{2}$. We show that for all $p \equiv 1 \pmod{4}$, any polynomial computing square roots has degree at least $p/3$. Our main new ingredient is a general lemma which may be of independent interest: powers of a low-degree polynomial cannot have too many consecutive zero coefficients. The proof method also yields a robust version: any polynomial that computes square roots for 99% of the squares also has degree almost $p/3$. In the other direction, a result of Agou, Deléglise, and Nicolas (Designs, Codes and Cryptography, 2003) shows that for infinitely many $p \equiv 1 \pmod{4}$, the degree of a polynomial computing square roots can be as small as $3p/8$.

Paper Structure

This paper contains 9 sections, 6 theorems, 45 equations.

Key Result

Theorem 1.1

Let $p \equiv 1 \mod 4$. Then any polynomial that computes square roots in $\mathbb{F}_p$ has degree at least $\frac{p-1}{3}$.
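Both the canonical construction $X^{(p+1)/4}$ for $p \equiv 3 \pmod{4}$ and the lower bound of Theorem 1.1 can be checked by hand-sized computation for small primes. The script below is an added example and not code from the paper: it enumerates every choice of sign for the square roots of the $(p-1)/2$ nonzero residues, interpolates each choice over $\mathbb{F}_p$, and reports the smallest degree found, next to the trivial interpolation bound $(p-3)/2$ and the paper's lower bound. The search is exponential in $(p-1)/2$, so it is only practical for $p$ up to the high twenties; it starts at $p = 7$ because $p = 5$ is degenerate (only two nonzero squares, and the linear polynomial $2X + 4$ already computes square roots there). The function names are the example's own.

```python
"""Added example (not from the paper): brute-force the minimal degree of a
polynomial f in F_p[X] with f(a)^2 = a on every nonzero square a, for small
primes p, and compare it with the bounds discussed above."""
from itertools import product


def quadratic_residues(p):
    """Nonzero squares in F_p, sorted."""
    return sorted({x * x % p for x in range(1, p)})


def poly_eval(coeffs, x, p):
    """Horner evaluation; coeffs[k] is the coefficient of X^k."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def poly_degree(coeffs):
    """Degree of a coefficient list already reduced mod p (-1 for the zero polynomial)."""
    for k in range(len(coeffs) - 1, -1, -1):
        if coeffs[k]:
            return k
    return -1


def interpolate(points, p):
    """Lagrange interpolation over F_p: the unique polynomial of degree
    < len(points) through the given (x, y) pairs, as a coefficient list."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis = [1]   # prod_{j != i} (X - x_j), built one factor at a time
        denom = 1     # prod_{j != i} (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            shifted = [0] + basis                       # X * basis
            for k, c in enumerate(basis):
                shifted[k] = (shifted[k] - xj * c) % p  # minus x_j * basis
            basis = shifted
            denom = denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % p
    return coeffs


def computes_square_roots(coeffs, p):
    """The paper's definition: f(a)^2 = a for every nonzero square a."""
    return all(pow(poly_eval(coeffs, a, p), 2, p) == a for a in quadratic_residues(p))


def min_sqrt_degree(p):
    """Minimal degree of a polynomial computing square roots mod p, by
    exhaustive search over the sign choices. f and -f have the same degree,
    so the sign of the first root is fixed: 2^((p-1)/2 - 1) interpolations."""
    residues = quadratic_residues(p)
    roots = [next(x for x in range(1, p) if x * x % p == a) for a in residues]
    best = len(residues)  # every assignment interpolates with degree below this
    for signs in product((1, -1), repeat=len(residues) - 1):
        points = [(a, s * r % p) for a, s, r in zip(residues, (1,) + signs, roots)]
        f = interpolate(points, p)
        assert computes_square_roots(f, p)  # sanity check on the interpolation
        best = min(best, poly_degree(f))
    return best


def canonical_sqrt_degree(p):
    """For p = 3 mod 4, confirm that X^((p+1)/4) computes square roots and
    return its degree; None for other p."""
    if p % 4 != 3:
        return None
    d = (p + 1) // 4
    return d if computes_square_roots([0] * d + [1], p) else None


if __name__ == "__main__":
    for p in (7, 11, 13, 17, 19, 23):
        d = min_sqrt_degree(p)
        lower = (p + 1) / 4 if p % 4 == 3 else (p - 1) / 3
        print(f"p={p:2d} (p mod 4 = {p % 4}): minimal degree {d}, "
              f"interpolation bound {(p - 3) // 2}, lower bound {lower:.2f}")
```

For $p \equiv 3 \pmod{4}$ the search returns exactly $(p+1)/4$, matching the abstract's claim that the canonical polynomial is optimal. For $p = 13$ and $p = 17$ it returns $5$ and $6$, both at or above $(p-1)/3$; for $p = 13$ this is also the trivial interpolation bound, so there the lower bound is not tight.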

Theorems & Definitions (13)

  • Theorem 1.1
  • Theorem 1.2
  • Theorem 1.3
  • Conjecture 1.1
  • proof
  • Lemma 2.1
  • proof
  • proof
  • proof
  • Theorem 5.1
  • ...and 3 more