Primary Elements in Cyclotomic Fields with Applications to Power Residue Symbols, and More.

Higher-order power residues have enabled the construction of numerous public-key encryption schemes, authentication schemes, and digital signatures. Their explicit characterization is however challenging; an algorithm of Caranay and Scheidler computes ?th power residue symbols, with ? 6 13 an odd prime, provided that primary elements in the corresponding cyclotomic field can be efficiently found. In this paper, we describe a new, generic algorithm to compute primary elements in cyclotomic fields; which we apply for ? = 3, 5, 7, 11, 13. A key insight is a careful selection of fundamental units as put forward by Dénes. This solves an essential step in the Caranay–Scheidler algorithm. We give a unified view of the problem. Finally, we provide the first efficient deterministic algorithm for the computation of the 9th and 16th power residue symbols. 1 MOTIVATION Quadratic residues played a central role in building the first provably secure public-key cryptosystems [10]. A number is a quadratic residue modulo =when it can be expressed as the square of an integer modulo =, although that integer may be hard to find. This notion, along with generalizations to higher powers (called higher-order power residues), have enabled the construction of numerous public-key encryption schemes, authentication schemes, and digital signatures [26, 21, 22, 1, 2, 18]. The computation of ?th power residue symbols, when ? is an odd prime 6 13, can be performed by a generic algorithm of Caranay and Scheidler [4, § 7], although the concrete implementation for a given ? remains challenging (see, e.g., [12] for the 11th power residue symbol and [3] for the 13th power residue symbol). The computation of the 4th power residue symbol [25, 7] and of the 8th power residue symbol [15, Chap. 9] (see also [11]) was solved independently. Finally, a generic algorithm was proposed by de Boer and Pagano [8], but it is inherently a probabilistic method which makes it unusable in most cryptographic settings. This leaves open the question to deterministically compute 9th residue symbols, and all power residue symbols above the 13th. In this paper, we provide a unified and simplified approach to compute primary elements in cyclotomic fields, encompassing all previously-known results. This makes the Caranay–Scheidler algorithm practical, as it fundamentally relies on the (hitherto specialized) determination of primary elements. We also describe efficient deterministic algorithms for computing the 9th and 16th power residue symbols, which were open problems. 2 DEFINITIONS AND NOTATION Throughout this paper, unless otherwise specified, ? 6 13 denotes an odd rational prime. Let Z B Z? = 42c8/? be a primitive ?th of unity and let l = 1 − Z . The ring of integers in the cyclotomic field Q(Z) is Z[Z]. It is known to be norm-Euclidean [16, 14]; in particular, Z[Z] is a unique factorization domain. Two elements U and V ofZ[Z] are called associates if they differ only by a unit factor. Wewrite U ∼ V ⇐⇒ ∃h ∈ Z[Z]× such that U = h V. The element l is a prime in Z[Z] above ?; we have l?−1 ∼ ?. Since Z is a root of the ?th cyclotomic polynomial, Φ? (I) = I?−1 + · · · + I + 1, any algebraic integer U ∈ Z[Z] can be expressed as