J. Symbolic Computation (1998) 26, 509–523 Article No. sy980226 Efficient Algorithms for Computing the Jacobi Symbol† SHAWNA MEYER EIKENBERRY‡ AND JONATHAN P. SORENSON§ Department of Mathematics and Computer Science, Butler University, U.S.A. We present two new algorithms for computing the Jacobi Symbol: the right-shift and left-shift k-ary algorithms. For inputs of at most n bits in length, both algorithms take O(n2/ log n) time and O(n) space. This is asymptotically faster than the traditional algorithm, which is based in Euclid’s algorithm for computing greatest common divisors. In practice, we found our new algorithms to be about twice as fast for inputs of 100 to 1000 decimal digits in length. We also present parallel versions of both algorithms for 1+ the CRCW PRAM. One version takes O(n/ log log n) time using O(n ) processors, giving the first sublinear parallel algorithms for this problem. The other version takes polylog time using a subexponential number of processors. c 1998 Academic Press 1. Introduction In this paper, we present two new algorithms for computing the Jacobi symbol (see Section 2 for a definition). After a brief discussion of some applications, we review the previous work on Jacobi symbol algorithms, including both sequential and parallel com- putation models, and then we summarize our results. Solovay and Strassen (1977) observed that one may use the Jacobi symbol to proba- bilistically test for primality. Specifically, to test the integer m for primality, choose an (m 1)/2 integer a [2,m 1] uniformly at random, and compare (a/m)toa − mod m.If these do not∈ match− (modulo m), then m is composite. Otherwise, m might be prime; the probability of a composite number passing as a prime is at most 1/2. This test can be repeated to reduce the chance of error. Perhaps the most important application for the Jacobi symbol is in finding quadratic nonresidues. Nonresidues are used in computing square roots modulo a prime (see Bach (1990b, 1991) and Peralta (1986)), in writing a prime as a sum of two squares (Shallit and Rabin, 1986), and in several cryptography schemes that are based on the difficulty of computing square roots modulo a composite number (see, for example, McCurley (1990), Williams (1980, 1986), and Menezes et al. (1997)). †Computing equipment provided through a grant from the Holcomb Research Institute. A preliminary version of this paper was presented on November 3, 1995 at the AMS meeting at Kent State University, Kent, Ohio. An extended abstract appeared as Meyer and Sorenson (1996). ‡Supported by the Butler Summer Institute. §Supported by a Butler University Faculty Research Fellowship. E-mail: [email protected], URL: http://www.butler.edu/ sorenson/ ∼ 0747–7171/98/100509 + 15 $30.00/0 c 1998 Academic Press 510 S. M. Eikenberry and J. P. Sorenson As there are (p 1)/2 quadratic nonresidues modulo any odd prime p, to find a non- residue one simply− chooses integers a at random until (a/p)= 1. Under the assumption of the Extended Riemann Hypothesis (ERH), the Ankeny–Bach− theorem states that there exists a nonresidue a satisfying a 2 log2 p (Ankeny, 1952; Bach, 1990a). Thus, one may eliminate randomness by assuming≤ the validity of the unproven ERH. There are several algorithms for computing the Jacobi symbol, including the ordinary algorithm (based on Euclid’s GCD algorithm), Eisenstein’s algorithm, and Lebesgue’s algorithm (based on the least-remainder GCD algorithm); see Shallit (1990) for detailed analyses of these. The ordinary algorithm and Lebesgue’s algorithm take O(log x log y) bit operations to compute (x/y). Eisenstein’s algorithm has an exponential worst-case running time. The more recent binary algorithm (Shallit and Sorenson, 1993) takes O(log2(xy)) bit operations; this algorithm is probably the most efficient in practice. The asymptotically fastest Jacobi symbol algorithm involves computing the continued fraction expansion of x/y using Sch¨onhage’sGCD algorithm (Sch¨onhage,1971) and ex- tracting the Jacobi symbol from this information (see Gauss (1870), Bach (1990b)). This method takes only O(n log2 n log log n) bit operations, but is not considered practical. For algorithms that compute cubic and higher residuosity, see Scheidler and Williams (1995). Work on parallel Jacobi symbol algorithms is not as advanced. A straight-forward par- allelization of the binary algorithm yields an O(n) time parallel algorithm for the EREW PRAM. The only known algorithm for evaluating quadratic residuosity (Fich and Tompa, 1988) works onlyNC in finite fields, with the additional restriction that the char- acteristic be bounded by a polynomial in the input size. No algorithm is known for computing the Jacobi symbol, or even for computing GCDs;NC the question of the existence of an algorithm for GCDs is a well-known open problem in parallel com- plexity (GreenlawNCet al., 1995). See Adleman and Kompella (1988), Chor and Goldre- ich (1990), Kannan et al. (1987), and Sorenson (1994) for sublinear time and polylog time/subexponential processor parallel GCD algorithms. In this paper, we present the right-shift and left-shift k-ary Jacobi symbol algorithms, which are based on the k-ary GCD algorithms (Jebelean, 1993; Sorenson, 1994). We obtain the following results: (1) Both algorithms use at most O(log(xy)/ log k) iterations of their main loop to com- pute (x/y). See Sections 3 and 4. (2) Sequentially, both algorithms take at most O(log2(xy)/ log k) bit operations and at 2 1/2 most O(log(xy)+k log k) space when k (log(xy)) − . By setting n = log(xy) 0.4 log n 2 ≤ and k =2b c, we obtain an O(n / log n) running time using O(n) space. See Section 5. (3) In practice, we found our new algorithms to be approximately two to three times as fast as previous algorithms, including the binary algorithm, on inputs of 100–1000 decimal digits in length. See Section 6. log n 1+ (4) By choosing k =2b c, both algorithms take O(n/ log log n) time using n processors under the Common CRCW PRAM model of parallel computation. This gives the first sublinear parallel algorithms for computing the Jacobi symbol. We also obtain polylog time, subexponential processor algorithms. See Section 7. Both of our new algorithms can be readily modified to compute the Kronecker symbol. Algorithms for the Jacobi Symbol 511 2. Notation and Background We begin by reviewing the definition of the Jacobi symbol. 2.1. definitions Let a be a positive integer and let p be an odd prime. Then a is a quadratic residue (or simply residue) modulo p if gcd(a, p) = 1 and there exists an integer x such that x2 a (mod p). If a is not a quadratic residue and gcd(a, p) = 1, then we say that a is a quadratic≡ nonresidue (or nonresidue). The Legendre symbol (a/p) has the value 1 if a is a residue, 1ifa is a nonresidue, and 0 if p a. The Legendre symbol can be computed − (p 1)/2 | using (a/p) a − (mod p). Let m be≡ an odd, composite integer with prime factorization m = p p p . The Ja- 1 2 ··· l cobi symbol, a generalization of the Legendre symbol, is defined by (a/m)=(a/p1)(a/p2) (a/pl); it matches the Legendre symbol whenever m is prime. If (a/m)= 1, then a ···is a nonresidue modulo m, and if gcd(a, m) = 1 then (a/m) = 0. However, if (−a/m)=1, a may be either a residue or a nonresidue. 6 2.2. Jacobi symbol identities The Jacobi symbol satisfies the following identities which we will utilize (see Hardy and Wright (1979), Ireland and Rosen (1990) for proofs). Assume a, b are integers and n, m are odd, positive integers throughout. ab a b = ; (2.1) n n n a a a = ; (2.2) nm n m 1 (n 1)/2 − =( 1) − ; (2.3) n − 2 (n2 1)/8 =( 1) − ; (2.4) n − a a bn = ± ; (2.5) n n m n (m 1)/2 (n 1)/2 = ( 1) − · − . (2.6) n m − For simplicity, we define (0/1) = 1, but (0/n) = 0 for any integer n>1. Note that (2.5) implies that (a/n)=(a mod n/n). 2.3. Jacobi symbol algorithm outline Assume u, v are integers, with v odd and u v>0. Most Jacobi symbol algorithms compute (u/v) by doing the following: | |≥ (1) Initialize a variable t := 1; this keeps track of the value of the Jacobi symbol as the algorithm progresses. (2) If u<0, apply (2.3) above; that is, set u := u and if v mod4=3,sett := t. (3) Remove all factors of 2 from u and adjust t appropriately− using (2.1) and (2.4).− 512 S. M. Eikenberry and J. P. Sorenson (4) If u<v, then apply (2.6), thereby interchanging u and v; adjust t as required. (5) Apply (2.5) in some form to make u smaller. (6) If u = 0, then stop. The answer is t if v = 1, and the answer is 0 otherwise. If u = 0, then go back to Step 2. 6 Steps 2–6 are repeated until u = 0, which must eventually occur because one of u, v must decrease in absolute value every iteration. The difference between the ordinary, Eisenstein, Lebesgue, and binary algorithms lies in how Step 5 is performed. In the ordinary algorithm, (u/v)=(u mod v/v) is used. In Eisenstein’s algorithm, (u/v)=(u bv/v) is used, where b is the even integer nearest to u/v.