<button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<p>A fundamental component of many cryptographic protocols is the algebraic structure known
as a <a href="https://en.wikipedia.org/wiki/Field_(mathematics)">field</a>. Fields are sets of objects (usually numbers) with two associated binary
operators \(+\) and \(\times\) such that various <a href="https://en.wikipedia.org/wiki/Field_(mathematics)#Classic_definition">field axioms</a> hold. The real
numbers \(\mathbb{R}\) are an example of a field with an uncountably infinite number of
elements.</p>
<p>Halo makes use of <em>finite fields</em> which have a finite number of elements. Finite fields
are fully classified as follows:</p>
<ul>
<li>if \(\mathbb{F}\) is a finite field, it contains \(|\mathbb{F}| = p^k\) elements for some
integer \(k \geq 1\) and some prime \(p\);</li>
<li>any two finite fields with the same number of elements are isomorphic. In particular,
all of the arithmetic in a prime field \(\mathbb{F}_p\) is isomorphic to addition and
multiplication of integers modulo \(p\), i.e. in \(\mathbb{Z}_p\). This is why we often
refer to \(p\) as the <em>modulus</em>.</li>
</ul>
<p>We'll write a field as \(\mathbb{F}_q\) where \(q = p^k\). The prime \(p\) is called its
<em>characteristic</em>. In the cases where \(k > 1\) the field \(\mathbb{F}_q\) is a \(k\)-degree
extension of the field \(\mathbb{F}_p\). (By analogy, the complex numbers
\(\mathbb{C} = \mathbb{R}(i)\) are an extension of the real numbers.) However, in Halo we do
not care about extension fields. Whenever we write \(\mathbb{F}_p\) we are referring to what
we call a <em>prime field</em> which has a prime \(p\) number of elements, i.e. \(k = 1\).</p>
<p>Important notes:</p>
<ul>
<li>There are two special elements in any field: \(\mathcal{O}\), the additive identity, and
\(1\), the multiplicative identity.</li>
<li>The least significant bit of a field element, when represented as an integer in binary
format, can be interpreted as its "sign" to help distinguish it from its additive
inverse (negation). This is because \(p\) is odd, so for any nonzero element \(a\) which has a least
significant bit \(0\) we have that \(-a = p - a\) has a least significant bit \(1\), and vice
versa. We could also use whether or not an element is larger than \((p - 1)/2\) to give
it a "sign."</li>
</ul>
<h2><a class="header" href="#inverses-and-groups" id="inverses-and-groups">Inverses and groups</a></h2>
<p>Any non-zero element \(a \in \mathbb{F}_p\) has a <em>multiplicative inverse</em> \(b = a^{-1}\),
which is the <em>unique</em> element \(b\) such that \(ab = 1\).</p>
<p>A quick way of obtaining the inverse is \(a^{-1} = a^{p-2}\). The reason for this stems
from <a href="https://en.wikipedia.org/wiki/Fermat%27s_little_theorem">Fermat's little theorem</a>, which states that \(a^p = a \pmod{p}\) for any
integer \(a\). If \(a\) is nonzero, we can divide by \(a\) twice to get \(a^{p-2} = a^{-1}.\)</p>
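<p>The sign rule from the notes above and the inverse rule from this paragraph, as an added Python example (not code from the halo2 book): it reduces integers modulo an odd prime \(p\), checks that \(a\) and \(p - a\) have opposite low bits, computes \(a^{-1} = a^{p-2}\) and cross-checks it against the extended Euclidean algorithm. All function names are our own; the test moduli (101 and \(2^{61}-1\)) are constructed for illustration.</p>

```python
"""Prime-field helpers for F_p = Z_p, the arithmetic described in the text.

Added example, not part of the halo2 book. Every element is an ordinary
Python integer kept in its canonical form 0 <= a < p.
"""


def _check_modulus(p: int) -> None:
    # The sign trick needs p odd; 2 is the only even prime and is excluded.
    if p < 3 or p % 2 == 0:
        raise ValueError("modulus must be an odd prime")


def canonical(a: int, p: int) -> int:
    """Canonical representative of a in F_p: the integer in [0, p)."""
    return a % p


def neg(a: int, p: int) -> int:
    """Additive inverse: -a = p - a for nonzero a, and 0 for a = 0."""
    return (-a) % p


def sign_bit(a: int, p: int) -> int:
    """The 'sign' as the text defines it: the least significant bit of the
    canonical integer.  It only means anything on the *reduced* value, so
    an unreduced input is reduced first."""
    return canonical(a, p) & 1


def is_sign_consistent(a: int, p: int) -> bool:
    """Checks the claim in the text: for nonzero a, a and -a = p - a have
    opposite least significant bits (because p is odd)."""
    _check_modulus(p)
    a = canonical(a, p)
    if a == 0:
        return True  # 0 is its own negation and carries no sign
    return sign_bit(a, p) != sign_bit(neg(a, p), p)


def inv_fermat(a: int, p: int) -> int:
    """a^{-1} = a^{p-2} mod p, via Fermat's little theorem.

    Caveat: pow(0, p - 2, p) == 0 silently, so zero must be rejected
    explicitly or a caller can 'divide by zero' without noticing.
    (halo2's ff::Field::invert returns a CtOption for the same reason.)
    """
    _check_modulus(p)
    a = canonical(a, p)
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return pow(a, p - 2, p)


def inv_egcd(a: int, p: int) -> int:
    """The same inverse via the extended Euclidean algorithm, used as an
    independent cross-check of inv_fermat."""
    a = canonical(a, p)
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    old_r, r = a, p
    old_s, s = 1, 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a and p are not coprime; p is not prime?")
    return old_s % p


def fermat_inverse_is_valid(a: int, m: int) -> bool:
    """Whether a^{m-2} * a == 1 mod m.  Always true for prime m and nonzero
    a; for composite m it generally fails, which is why the a^{p-2}
    shortcut must never be applied to an unverified modulus."""
    a = a % m
    if a == 0:
        return False
    return (pow(a, m - 2, m) * a) % m == 1
```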
<p>However, it may be more intuitive to understand the set of nonzero elements of
\(\mathbb{F}_p\) as a <a href="https://en.wikipedia.org/wiki/Group_(mathematics)">group</a>, where the group operation is given by multiplication on the
field. We use the notation \(\mathbb{F}_p^\times\) for the multiplicative group over the set
\(\mathbb{F}_p - \{\mathcal{O}\}\). Groups are simpler and more limited than fields; they
have only <em>one</em> operator \(\cdot\) and fewer axioms.</p>
<blockquote>
<h4><a class="header" href="#aside-additive-vs-multiplicative-notation" id="aside-additive-vs-multiplicative-notation">(aside) Additive vs multiplicative notation</a></h4>
<p>If \(\cdot\) is written as \(+\) and the identity as \(0\) or \(\mathcal{O}\), then we say the
group is "written additively". If \(\cdot\) is written as \(\times\) or omitted (i.e.
\(a \cdot b\) written as \(ab\)) and the identity as \(1\), then we say it is "written
multiplicatively". It's conventional to use additive notation for
<a href="curves.html">elliptic curve groups</a>, and multiplicative notation when (as in this case)
the elements come from a finite field. When additive notation is used, we also write</p>
<p>for nonnegative <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span></span></span></span> and call this "scalar multiplication"; we also often use uppercase
letters for variables denoting group elements. When multiplicative notation is used, we
<p>and call this "exponentiation". In either case we call the scalar \(k\) such that
\([k]g = a\) or \(g^k = a\) the "discrete logarithm" of \(a\) to base
\(g\). We can extend
scalars to negative integers by inversion, i.e. \([-k]A + [k]A = \mathcal{O}\) or</p>
<p>The <em>order</em> of a group element <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">a</span></span></span></span> is defined (in multiplicative notation) as the smallest
positive integer <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span></span></span></span> such that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.849108em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal">a</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.849108em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03148em;">k</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span>.</p>
<p>The groups used here are <em>cyclic</em>, meaning they have <ahref="https://en.wikipedia.org/wiki/Generating_set_of_a_group">generators</a>: elements that, when the group operation is
applied repeatedly to the same element some number of times, produce every other element
of the group. That is, a generator has order equal to the number of elements in the group,
which we also call the order of the group. (Not every group has a single generator, but
the multiplicative group of a finite field does, as does every group of prime order.)</p>
<p>There can be many different generators. Let's assume that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span></span></span></span> is a generator of
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span>, so it has order <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> (equal to the number of elements in
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span>). Therefore, for any element in <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.5782em;vertical-align:-0.0391em;"></span><spanclass="mord mathnormal">a</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin 
mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span> there is
a unique integer <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69862em;vertical-align:-0.0391em;"></span><spanclass="mord mathnormal">i</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">{</span><spanclass="mord">0</span><spanclass="mord">.</span><spanclass="mord">.</span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord">2</span><spanclass="mclose">}</span></span></span></span> such that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">a</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.824664em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span></span></span></span></span></span></span></span>.</p>
<p>Notice that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.66666em;vertical-align:-0.08333em;"></span><spanclass="mord mathnormal">a</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">×</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal">b</span></span></span></span> where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">a</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord mathnormal">b</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span> can really be interpreted as
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.907994em;vertical-align:-0.08333em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">×</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.824664em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span></span></span></span></span></span></span></span> where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">a</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.824664em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord 
mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span></span></span></span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal">b</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.824664em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span></span></span></span></span></span></span></span>. Indeed, it holds that
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.907994em;vertical-align:-0.08333em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">×</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.824664em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.824664em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathnormal mtight">i</span><spanclass="mbin 
mtight">+</span><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span></span></span></span></span></span></span></span></span> for all <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78041em;vertical-align:-0.13597em;"></span><spanclass="mord">0</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">≤</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.85396em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">i</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord mathnormal"style="margin-right:0.05724em;">j</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel"><</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span>. As a result
the multiplication of nonzero field elements can be interpreted as addition modulo <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span>
with respect to some fixed generator <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span></span></span></span>. The addition just happens "in the exponent."</p>
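<p>The following Python example is added here and is not code from the halo2 book. It makes the cyclic structure concrete: it finds a generator of F<sub>p</sub><sup>×</sup> with the standard prime-factor test, tabulates discrete logarithms by walking the whole group (feasible only for toy moduli, which is the point: for cryptographic sizes this table is what nobody can build), and checks that multiplying two elements corresponds to adding their exponents modulo p − 1 and that the inverse is α<sup>p−1−i</sup>, the same value as a<sup>p−2</sup>. Function names are this example's own.</p>

```python
# Added example (not from the halo2 book): F_p^x is cyclic, so fixing a generator
# alpha gives every nonzero element a unique exponent i in {0, ..., p-2}, and
# multiplication of elements becomes addition of exponents modulo p-1.
from typing import Dict, List


def prime_factors(n: int) -> List[int]:
    """Distinct prime factors of n by trial division (adequate for the toy moduli here)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def element_order(a: int, p: int) -> int:
    """Smallest positive k with a^k = 1 in F_p^x, i.e. the order as defined in the text."""
    assert a % p != 0, "0 is not an element of the multiplicative group"
    k, acc = 1, a % p
    while acc != 1:
        acc = acc * a % p
        k += 1
    return k


def is_generator(alpha: int, p: int) -> bool:
    """alpha generates F_p^x iff alpha^((p-1)/q) != 1 for every prime q dividing p-1.

    If ord(alpha) is a proper divisor of p-1 it divides (p-1)/q for some prime q,
    so the test needs only the factorisation of p-1, not a walk of the whole group.
    """
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def find_generator(p: int) -> int:
    """Smallest generator of F_p^x (1 generates only the trivial group, so start at 2)."""
    for alpha in range(2, p):
        if is_generator(alpha, p):
            return alpha
    return 1  # p == 2: the group is just {1}


def dlog_table(p: int, alpha: int) -> Dict[int, int]:
    """Map each a in F_p^x to the unique i in {0..p-2} with alpha^i = a.

    Brute force: O(p) time and memory.  That is exactly why discrete logarithms are
    assumed hard for cryptographic p; this table cannot be built for p ~ 2^255.
    """
    table, acc = {}, 1
    for i in range(p - 1):
        table[acc] = i
        acc = acc * alpha % p
    return table


def multiply_in_exponent(a: int, b: int, p: int, alpha: int) -> int:
    """a * b computed as alpha^((i + j) mod (p-1)); must agree with a * b mod p."""
    logs = dlog_table(p, alpha)
    i, j = logs[a % p], logs[b % p]
    result = pow(alpha, (i + j) % (p - 1), p)
    assert result == a * b % p
    return result


def inverse_in_exponent(a: int, p: int, alpha: int) -> int:
    """a^-1 = alpha^((p-1) - i): negation in the exponent.

    Because alpha^(p-1) = 1 this equals a^(p-2) (Fermat's little theorem), the
    exponent used for field inversion.
    """
    i = dlog_table(p, alpha)[a % p]
    inv = pow(alpha, (p - 1 - i) % (p - 1), p)
    assert inv == pow(a, p - 2, p) and inv * a % p == 1
    return inv
```

<p>With p = 11 the smallest generator is 2, and the table it produces sends 3 to exponent 8 and 4 to exponent 2, so 3 × 4 = 2<sup>(8+2) mod 10</sup> = 2<sup>0</sup> = 1, as 12 ≡ 1 (mod 11) confirms.</p>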
<p>This is another way to look at where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8141079999999999em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal">a</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathnormal mtight">p</span><spanclass="mbin mtight">−</span><spanclass="mord mtight">2</span></span></span></span></span></span></span></span></span></span></span></span> comes from for computing inverses in the
<p>We can now multiply <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.04398em;">z</span></span></span></span> by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">x</span></span></span></span> to obtain <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.190108em;vertical-align:-0.345em;"></span><spanclass="mord"><spanclass="mopen nulldelimiter"></span><spanclass="mfrac"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.845108em;"><spanstyle="top:-2.6550000000000002em;"><spanclass="pstrut"style="height:3em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathnormal mtight">c</span></span></span></span><spanstyle="top:-3.23em;"><spanclass="pstrut"style="height:3em;"></span><spanclass="frac-line"style="border-bottom-width:0.04em;"></span></span><spanstyle="top:-3.394em;"><spanclass="pstrut"style="height:3em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">1</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.345em;"><span></span></span></span></span></span><spanclass="mclose nulldelimiter"></span></span></span></span></span> and multiply <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.04398em;">z</span></span></span></span> by 
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">c</span></span></span></span> to obtain
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.190108em;vertical-align:-0.345em;"></span><spanclass="mord"><spanclass="mopen nulldelimiter"></span><spanclass="mfrac"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.845108em;"><spanstyle="top:-2.6550000000000002em;"><spanclass="pstrut"style="height:3em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathnormal mtight">a</span><spanclass="mord mathnormal mtight">b</span></span></span></span><spanstyle="top:-3.23em;"><spanclass="pstrut"style="height:3em;"></span><spanclass="frac-line"style="border-bottom-width:0.04em;"></span></span><spanstyle="top:-3.394em;"><spanclass="pstrut"style="height:3em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">1</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.345em;"><span></span></span></span></span></span><spanclass="mclose nulldelimiter"></span></span></span></span></span>, which we can then multiply by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">a</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord mathnormal">b</span></span></span></span> to obtain their respective inverses.</p>
<p>This technique generalizes to arbitrary numbers of field elements with just a single
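<p>As an added example (not the book's code), here is the general form of Montgomery's trick in Python for n elements: one inversion, then a backward pass that repeats the two steps above (z times the running product yields one inverse, z times the element advances z to the next prefix). It also includes the check a production batch inverter needs: a zero anywhere in the batch zeroes every prefix product and would silently corrupt every result. The Pallas base-field modulus is used only as a realistic prime; that constant and the function names are this example's assumptions.</p>

```python
# Added example (not from the halo2 book): Montgomery's trick for n elements.
# One inversion replaces n of them; the backward pass repeats the text's two steps,
# where the text's x is the product ab and z is the inverse of the full product.
from typing import List

# Pallas base-field modulus, used only as a realistic prime for the demo (an assumption
# of this example; verify against the halo2 / pasta_curves source before relying on it).
PALLAS_P = 0x40000000000000000000000000000000224698FC094CF91B992D30ED00000001


def batch_inverse(elems: List[int], p: int) -> List[int]:
    """Return [x^-1 mod p for x in elems] using a single modular inversion.

    Cost: about 3(n-1) multiplications plus one inversion, versus n inversions.
    """
    if not elems:
        return []
    if any(x % p == 0 for x in elems):
        # A zero turns every later prefix product into zero, which has no inverse,
        # and would silently corrupt every result; a real batch inverter must
        # reject it (as here) or skip it and inverse-map the survivors.
        raise ZeroDivisionError("batch contains 0, which has no inverse")

    # Forward pass: prefix[k] = elems[0] * ... * elems[k]   (n-1 multiplications)
    prefix, acc = [], 1
    for x in elems:
        acc = acc * x % p
        prefix.append(acc)

    # The one inversion, on the product of everything.  Fermat is fine for a demo;
    # production code uses a constant-time inversion to avoid timing side channels.
    z = pow(prefix[-1], p - 2, p)

    # Backward pass.  Invariant: z == (elems[0] * ... * elems[k])^-1.
    #   z * prefix[k-1] == elems[k]^-1            ("multiply z by x to obtain 1/c")
    #   z * elems[k]    == (elems[0..k-1])^-1     ("multiply z by c to obtain 1/ab")
    inverses = [0] * len(elems)
    for k in range(len(elems) - 1, 0, -1):
        inverses[k] = z * prefix[k - 1] % p
        z = z * elems[k] % p
    inverses[0] = z
    return inverses


def naive_inverse(elems: List[int], p: int) -> List[int]:
    """Reference implementation: one inversion per element."""
    return [pow(x, p - 2, p) for x in elems]
```

<p>For a, b, c = 3, 4, 5 in F<sub>11</sub> the prefix products are 3, 1, 5; inverting 5 gives z = 9, and the backward pass returns the inverses 4, 3, 9 in order.</p>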
<p>A <em>subgroup</em> of a group <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span></span></span></span> with operation <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44445em;vertical-align:0em;"></span><spanclass="mord">⋅</span></span></span></span>, is a subset of elements of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span></span></span></span> that
also form a group under <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44445em;vertical-align:0em;"></span><spanclass="mord">⋅</span></span></span></span>.</p>
<p>In the previous section we said that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span></span></span></span> is a generator of the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> order
multiplicative group <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span>. Its order <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> is <em>composite</em> for every prime larger than 3, and a cyclic group has a subgroup of every order dividing its own order, so it has strict subgroups; by
the Chinese remainder theorem<supclass="footnote-reference"><ahref="#chinese-remainder">1</a></sup>, when those subgroup orders are coprime, the group is the direct product of the corresponding subgroups. As an example
let's imagine that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span><spanclass="mord">1</span></span></span></span>, and so <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> factors into <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">5</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">⋅</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span>. Thus, there is a
generator <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.05278em;">β</span></span></span></span> of the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">5</span></span></span></span>-order subgroup and a generator <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.05556em;">γ</span></span></span></span> of the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span>-order
subgroup. All elements in <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span>, therefore, can be written uniquely as
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.019104em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.05278em;">β</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">⋅</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.019104em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.05556em;">γ</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span></span></span></span></span></span></span></span> for some <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65952em;vertical-align:0em;"></span><spanclass="mord mathnormal">i</span></span></span></span> (modulo <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">5</span></span></span></span>) and some <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.85396em;vertical-align:-0.19444em;"></span><spanclass="mord 
mathnormal"style="margin-right:0.05724em;">j</span></span></span></span> (modulo <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span>).</p>
<p>If we have <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">a</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.019104em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.05278em;">β</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">⋅</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.019104em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.05556em;">γ</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span></span></span></span></span></span></span></span> notice what happens when we compute</p>
<p>we have effectively "killed" the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">5</span></span></span></span>-order subgroup component, producing a value in the</p>
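<p>The projection trick above (raising to the power 5 kills the 5-order component and leaves only the 2-order one) generalises: for each prime-power part n of p - 1, raising to (p - 1)/n lands in the n-order subgroup, and multiplying that exponent by its inverse modulo n recovers exactly the original component. The Python below is an added example, not code from the Halo book; it assumes p = 11 (the running example has subgroups of order 5 and 2, so p - 1 = 10), and all function names are the example's own. It decomposes every element of the multiplicative group into its two components, checks that the decomposition is unique, and confirms that the elements whose 2-order component is nontrivial are exactly the non-squares, which is the quadratic-residue discussion further down.</p>

```python
# Added example, not code from the Halo book: decomposing F_p^x into its
# prime-power-order subgroups and projecting onto one of them by exponentiation.
# Assumes p = 11 for the running example (p - 1 = 10 = 2 * 5); works for any
# small odd prime p.

def prime_factors(n):
    """Set of primes dividing n (trial division; fine for small n)."""
    f, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            f.add(q)
            n //= q
        q += 1
    if n > 1:
        f.add(n)
    return f


def subgroup_orders(p_minus_1):
    """Prime-power parts q^e of p - 1, i.e. the orders of the Sylow subgroups.
    For p = 11 this is {2, 5}."""
    orders = set()
    for q in prime_factors(p_minus_1):
        qe = 1
        while p_minus_1 % (qe * q) == 0:
            qe *= q
        orders.add(qe)
    return orders


def generator_of_order(p, n):
    """Some element of F_p^x of multiplicative order exactly n (requires n | p - 1).
    g^((p-1)/n) has order dividing n; keep it only if no proper divisor works."""
    for g in range(2, p):
        h = pow(g, (p - 1) // n, p)
        if all(pow(h, n // q, p) != 1 for q in prime_factors(n)):
            return h
    raise ValueError("no element of that order (is p prime and n | p - 1?)")


def project(p, a, n):
    """Kill every component of a except the one in the n-order subgroup.

    a^((p-1)/n) lies in the n-order subgroup (Lagrange), but that exponent also
    multiplies the exponent inside the subgroup by (p-1)/n; undo it with the
    inverse of (p-1)/n modulo n, which exists because n is a full prime-power
    part of p - 1 and hence coprime to (p-1)/n.  For p = 11 and n = 2 this is
    just a^5, the step the text calls "killing" the 5-order component.
    """
    m = (p - 1) // n
    return pow(pow(a, m, p), pow(m, -1, n), p)


def decompose(p):
    """Write every a in F_p^x as a product of one element from each
    prime-power-order subgroup and return (generators, exponent table)."""
    orders = sorted(subgroup_orders(p - 1))
    gens = {n: generator_of_order(p, n) for n in orders}
    # discrete logs inside each (small) subgroup: element -> exponent
    logs = {n: {pow(gens[n], i, p): i for i in range(n)} for n in orders}
    table = {}
    for a in range(1, p):
        comps = {n: project(p, a, n) for n in orders}
        prod = 1
        for n in orders:
            prod = prod * comps[n] % p
        assert prod == a, "components must multiply back to a"
        table[a] = tuple(logs[n][comps[n]] for n in orders)
    # 2 * 5 = 10 distinct exponent pairs: the decomposition is unique
    assert len(set(table.values())) == p - 1
    return gens, table


if __name__ == "__main__":
    gens, table = decompose(11)
    print(gens)                         # {2: 10, 5: 4}
    print(table[7])                     # (1, 1): 7 = 10^1 * 4^1 mod 11
    print([a for a in table if table[a][0] == 1])   # the non-squares mod 11
```

Note that the 2-order component of a is its quadratic character: it is trivial exactly when a is a square, so the projection onto the 2-order subgroup is the same computation as Euler's criterion.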
<p><ahref="https://en.wikipedia.org/wiki/Lagrange%27s_theorem_(group_theory)">Lagrange's theorem (group theory)</a> states that the order of any subgroup
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> of a finite group <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span></span></span></span> divides the order of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span></span></span></span>. Therefore, the order of any subgroup
of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span> must divide <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span><spanclass="mord">.</span></span></span></span></p>
<p>In a field <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.974998em;vertical-align:-0.286108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.15139200000000003em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.286108em;"><span></span></span></span></span></span></span></span></span></span> exactly half of all nonzero elements are squares; the remainder
are non-squares or "quadratic non-residues". In order to see why, consider an <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span></span></span></span>
that generates the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span>-order multiplicative subgroup of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span> (this always
exists because <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> is divisible by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span> since <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span></span></span></span> is an odd prime) and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.05278em;">β</span></span></span></span> that generates
the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span>-order multiplicative subgroup of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span> where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span><spanclass="mord 
mathnormal">t</span></span></span></span>. Then
every element <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.5782em;vertical-align:-0.0391em;"></span><spanclass="mord mathnormal">a</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span> can be written uniquely as
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.824664em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">⋅</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.019104em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.05278em;">β</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span></span></span></span></span></span></span></span> with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69862em;vertical-align:-0.0391em;"></span><spanclass="mord mathnormal">i</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.83889em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">Z</span></span><spanclass="msupsub"><spanclass="vlist-t 
vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">2</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.85396em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.05724em;">j</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.83889em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">Z</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.2805559999999999em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">t</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>. Half of all
elements will have <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65952em;vertical-align:0em;"></span><spanclass="mord mathnormal">i</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span> and the other half will have <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65952em;vertical-align:0em;"></span><spanclass="mord mathnormal">i</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span>. (This decomposition is unique only when <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> is odd, so that the orders <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> are coprime; that is exactly the case <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65819em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">≡</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">3</span><spanclass="mspace allowbreak"></span><spanclass="mspace"style="margin-right:0.4444444444444444em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">(</span><spanclass="mord"><spanclass="mord"><spanclass="mord mathrm">m</span><spanclass="mord mathrm">o</span><spanclass="mord mathrm">d</span></span></span><spanclass="mspace"style="margin-right:0.3333333333333333em;"></span><spanclass="mord">4</span><spanclass="mclose">)</span></span></span></span> treated next. When <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> is even, the element of order <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span> already lies inside the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span>-order subgroup, and the full power of two dividing <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> must be split off instead, which is what the general case further below does.)</p>
<p>Let's consider the simple case where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65819em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">≡</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">3</span><spanclass="mspace allowbreak"></span><spanclass="mspace"style="margin-right:0.4444444444444444em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">(</span><spanclass="mord"><spanclass="mord"><spanclass="mord mathrm">m</span><spanclass="mord mathrm">o</span><spanclass="mord mathrm">d</span></span></span><spanclass="mspace"style="margin-right:0.3333333333333333em;"></span><spanclass="mord">4</span><spanclass="mclose">)</span></span></span></span> and so <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> is odd (if <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> is
even, then <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> would be divisible by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">4</span></span></span></span>, which contradicts <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span></span></span></span> being <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">3</span><spanclass="mspace allowbreak"></span><spanclass="mspace"style="margin-right:0.4444444444444444em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">(</span><spanclass="mord"><spanclass="mord"><spanclass="mord mathrm">m</span><spanclass="mord mathrm">o</span><spanclass="mord mathrm">d</span></span></span><spanclass="mspace"style="margin-right:0.3333333333333333em;"></span><spanclass="mord">4</span><spanclass="mclose">)</span></span></span></span>).
If <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.5782em;vertical-align:-0.0391em;"></span><spanclass="mord mathnormal">a</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.154439em;vertical-align:-0.383108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathbb">F</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.771331em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">×</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.383108em;"><span></span></span></span></span></span></span></span></span></span> is a square, then there must exist
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal">b</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.824664em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">⋅</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.019104em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.05278em;">β</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.824664em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span></span></span></span></span></span></span></span> such that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8141079999999999em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord 
mathnormal">b</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">2</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">a</span></span></span></span>. But this means that</p>
<p>In other words, every square in this particular field has <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65952em;vertical-align:0em;"></span><spanclass="mord mathnormal">i</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span>: it has no component in the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span>-order
multiplicative subgroup. Since half of the elements have <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65952em;vertical-align:0em;"></span><spanclass="mord mathnormal">i</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span>,
at most half of the elements are square. In fact exactly half of the elements are
square (squaring the elements with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65952em;vertical-align:0em;"></span><spanclass="mord mathnormal">i</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> yields <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> distinct squares, because <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> is odd and so doubling the exponent <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.85396em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.05724em;">j</span></span></span></span> is a bijection modulo <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span>). This means we can
assume all squares can be written as <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.05278em;">β</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.664392em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">m</span></span></span></span></span></span></span></span></span></span></span> for some <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">m</span></span></span></span>, and therefore finding the
square root is a matter of exponentiating by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8141079999999999em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">−</span><spanclass="mord mtight">1</span></span></span></span></span></span></span></span></span><spanclass="mspace allowbreak"></span><spanclass="mspace"style="margin-right:0.4444444444444444em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">(</span><spanclass="mord"><spanclass="mord"><spanclass="mord mathrm">m</span><spanclass="mord mathrm">o</span><spanclass="mord mathrm">d</span></span></span><spanclass="mspace"style="margin-right:0.3333333333333333em;"></span><spanclass="mord mathnormal">t</span><spanclass="mclose">)</span></span></span></span>.</p>
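<p>Concretely, with p - 1 = 2t and t odd, 2^-1 ≡ (t+1)/2 (mod t), so a square root of a square a is a^((t+1)/2) = a^((p+1)/4). The Python below is an added example, not code from the Halo book or the halo2 crate; it implements that shortcut, the Euler-criterion square test, and the general case p - 1 = 2^k · t that the text goes on to describe (fixing the 2^k-order component of a first guess one bit at a time, which is the Tonelli-Shanks algorithm). The Pallas base-field modulus is quoted from the pasta_curves crate as an instance with k = 32; every function name is the example's own.</p>

```python
# Added example, not code from the Halo book or halo2: modular square roots
# via the subgroup structure of F_p^x.  p is assumed to be an odd prime.

def two_adic_split(p):
    """Write p - 1 = 2^k * t with t odd and return (k, t)."""
    k, t = 0, p - 1
    while t % 2 == 0:
        k, t = k + 1, t // 2
    return k, t


def is_square(a, p):
    """Euler's criterion: a^((p-1)/2) is 1 for a square and p - 1 otherwise."""
    a %= p
    return a == 0 or pow(a, (p - 1) // 2, p) == 1


def sqrt_3mod4(a, p):
    """p = 3 (mod 4), i.e. k = 1: every square is beta^m and 2^-1 = (t+1)/2 (mod t),
    so a^((t+1)/2) = a^((p+1)/4) is a square root of a."""
    if p % 4 != 3:
        raise ValueError("shortcut only valid for p = 3 (mod 4)")
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("a is not a square mod p")
    return r


def find_nonsquare(p):
    """Smallest non-square z; z^t then generates the whole 2^k-order subgroup."""
    z = 2
    while is_square(z, p):
        z += 1
    return z


def sqrt_mod(a, p):
    """Tonelli-Shanks.  Returns r with r*r = a (mod p); the other root is p - r.
    Raises ValueError if a is not a square."""
    a %= p
    if a == 0:
        return 0
    if not is_square(a, p):
        raise ValueError("a is not a square mod p")
    k, t = two_adic_split(p)
    if k == 1:
        return sqrt_3mod4(a, p)
    # a = alpha^i * beta^j.  r = a^((t+1)/2) already has the right beta-part
    # (exponent j * 2^-1 mod t); x = r^2 / a = a^t lies in the 2^k-order
    # subgroup and records how wrong the alpha-part still is.
    c = pow(find_nonsquare(p), t, p)   # generator of the 2^k-order subgroup
    r = pow(a, (t + 1) // 2, p)
    x = pow(a, t, p)
    m = k
    while x != 1:
        # least i with x^(2^i) = 1; for a square i < m, so i >= m means bad input
        i, y = 0, x
        while y != 1:
            y = y * y % p
            i += 1
            if i >= m:
                raise ValueError("a is not a square or p is not prime")
        b = pow(c, 1 << (m - i - 1), p)   # has order exactly 2^(i+1)
        r = r * b % p                      # multiplying r by b multiplies x by b^2,
        c = b * b % p                      # which cancels the order-2^i part of x
        x = x * c % p
        m = i
    return r


# Pallas base field modulus from the pasta_curves crate: p - 1 = 2^32 * t, t odd.
PALLAS_P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001

if __name__ == "__main__":
    print(two_adic_split(PALLAS_P)[0])   # 32
    print(sqrt_3mod4(5, 11))             # 4   (4 * 4 = 16 = 5 mod 11)
    print(sqrt_mod(10, 13))              # 7   (7 * 7 = 49 = 10 mod 13)
```

A large k, such as Pallas's 32, costs up to k iterations of the outer loop; this is one reason production field implementations precompute the generator of the 2^k-order subgroup rather than searching for a non-square at runtime.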
<p>In the event that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.65819em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">≡</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span><spanclass="mspace allowbreak"></span><spanclass="mspace"style="margin-right:0.4444444444444444em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">(</span><spanclass="mord"><spanclass="mord"><spanclass="mord mathrm">m</span><spanclass="mord mathrm">o</span><spanclass="mord mathrm">d</span></span></span><spanclass="mspace"style="margin-right:0.3333333333333333em;"></span><spanclass="mord">4</span><spanclass="mclose">)</span></span></span></span> then things get more complicated because
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8141079999999999em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">−</span><spanclass="mord mtight">1</span></span></span></span></span></span></span></span></span><spanclass="mspace allowbreak"></span><spanclass="mspace"style="margin-right:0.4444444444444444em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">(</span><spanclass="mord"><spanclass="mord"><spanclass="mord mathrm">m</span><spanclass="mord mathrm">o</span><spanclass="mord mathrm">d</span></span></span><spanclass="mspace"style="margin-right:0.3333333333333333em;"></span><spanclass="mord mathnormal">t</span><spanclass="mclose">)</span></span></span></span> does not exist. 
Let's write <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7777700000000001em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> as <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.849108em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.849108em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03148em;">k</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">⋅</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.61508em;vertical-align:0em;"></span><spanclass="mord mathnormal">t</span></span></span></span> odd. The
case <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span> is impossible, and the case <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span> is what we already described, so consider
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83041em;vertical-align:-0.13597em;"></span><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">≥</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span>. <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span></span></span></span> generates a <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.849108em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.849108em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03148em;">k</span></span></span></span></span></span></span></span></span></span></span>-order multiplicative subgroup and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.05278em;">β</span></span></span></span> generates
the odd $t$-order multiplicative subgroup. Then every element $a \in \mathbb{F}_p^\times$
can be written as $\alpha^i \cdot \beta^j$ for $i \in \mathbb{Z}_{2^k}$ and
$j \in \mathbb{Z}_t$.
If the element is a square, then there exists some $b = \sqrt{a}$; writing
$b = \alpha^{i'} \cdot \beta^{j'}$ and squaring, we have $i \equiv 2i' \pmod{2^k}$ and
$j \equiv 2j' \pmod{t}$. $i$ must be even in this case, because otherwise no $i'$ could
satisfy $i \equiv 2i' \pmod{2^k}$. If $a$ is not a square, then $i$ is
odd, and so half of all elements are squares.</p>
<p>In order to compute the square root, we can first raise the element
$a = \alpha^i \cdot \beta^j$ to the power $t$ to "kill" the $t$-order component, giving</p>
<p>and then raise this result to the power $t^{-1} \pmod{2^k}$ to undo the effect of the
original exponentiation on the $2^k$-order component:</p>
<p>(since $t$ is relatively prime to $2^k$). This leaves bare the $\alpha^i$ value, which we
can trivially handle. We can similarly kill the $2^k$-order component to obtain
$\beta^{j \cdot 2^{-1} \pmod{t}}$, and put the values together to obtain the square root.</p>
<p>It turns out that in the cases $k = 2, 3$ there are simpler algorithms that merge several
of these exponentiations together for efficiency. For other values of $k$, the only known
way is to extract $i$ one bit at a time, by repeated squaring until the identity is reached,
for every single bit of $i$. This is the essence of the <a href="https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm">Tonelli-Shanks square root algorithm</a> and
describes the general strategy. (There is another square root algorithm that uses
quadratic extension fields, but it doesn't pay off in efficiency until the prime becomes
quite large.)</p>
<blockquote>
<p>TODO: describe more recent algorithms, e.g. Bernstein's table-based method and</p>
</blockquote>
<h2><a class="header" href="#roots-of-unity" id="roots-of-unity">Roots of unity</a></h2>
<p>In the previous sections we wrote $p - 1 = 2^k \cdot t$ with $t$ odd, and stated that an
element $\alpha \in \mathbb{F}_p^\times$ generated the $2^k$-order subgroup. For
are known as the $n$th <a href="https://en.wikipedia.org/wiki/Root_of_unity">roots of unity</a>.</p>
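<p>An added example, not code from the halo2 book or the halo2 project, that works through both the square root strategy of the previous section (isolate $\alpha^i$ and $\beta^j$, halve each exponent) and this paragraph's construction of the $n$th roots of unity from $\alpha$. All function names are my own; it assumes $n$ divides $2^k$, and the primes in the comments and tests are constructed toy values, not the Pasta moduli.</p>

```python
# Added example, not code from the halo2 book or the halo2 project: square roots in
# F_p via p - 1 = 2^k * t, and the nth roots of unity drawn from the 2^k-order subgroup.
# All primes used below are constructed toy values.


def decompose(p):
    """Write p - 1 = 2^k * t with t odd and return (k, t)."""
    k, t = 0, p - 1
    while t % 2 == 0:
        k += 1
        t //= 2
    return k, t


def is_square(a, p):
    """Euler's criterion: nonzero a is a square iff a^((p-1)/2) == 1."""
    a %= p
    return a == 0 or pow(a, (p - 1) // 2, p) == 1


def subgroup_generator(p):
    """alpha = g^t for a non-square g generates the 2^k-order subgroup of F_p^x."""
    _, t = decompose(p)
    g = 2
    while is_square(g, p):
        g += 1
    return pow(g, t, p)


def exponent_in_2k_subgroup(x, alpha, k, p):
    """Recover i in [0, 2^k) with alpha^i == x, one bit at a time.

    Once the low `bit` bits of i are known, x * alpha^(-i) has an exponent
    divisible by 2^bit, so raising it to 2^(k-1-bit) yields +1 or -1 and
    exposes the next bit: the repeated squaring at the heart of Tonelli-Shanks.
    """
    i = 0
    for bit in range(k):
        y = x * pow(alpha, -i, p) % p
        if pow(y, 1 << (k - 1 - bit), p) != 1:
            i |= 1 << bit
    return i


def sqrt_mod(a, p):
    """Return b with b*b == a (mod p), p an odd prime, or None if a is a non-square."""
    a %= p
    if a == 0:
        return 0
    if not is_square(a, p):
        return None
    k, t = decompose(p)
    alpha = subgroup_generator(p)
    # 1. a^t kills the t-order component; t^-1 mod 2^k undoes t on the rest,
    #    leaving alpha^i.
    alpha_i = pow(pow(a, t, p), pow(t, -1, 1 << k), p)
    # 2. a is a square, so i is even and alpha^(i/2) is well defined.
    i = exponent_in_2k_subgroup(alpha_i, alpha, k, p)
    assert i % 2 == 0
    alpha_half = pow(alpha, i // 2, p)
    # 3. Symmetrically, a^(2^k) kills the 2^k-order component; undo 2^k and
    #    halve the exponent modulo the odd t (that component is 1 when t == 1).
    beta_half = 1
    if t > 1:
        beta_j = pow(pow(a, 1 << k, p), pow(1 << k, -1, t), p)
        beta_half = pow(beta_j, pow(2, -1, t), p)
    return alpha_half * beta_half % p


def primitive_root_of_unity(n, p):
    """omega = alpha^(2^k / n) for n | 2^k: omega^n == 1, omega^i != 1 for 0 < i < n."""
    k, _ = decompose(p)
    if n <= 0 or (1 << k) % n:
        raise ValueError("n must divide 2^k")
    return pow(subgroup_generator(p), (1 << k) // n, p)


def roots_of_unity(n, p):
    """The nth roots of unity as the n distinct powers of omega."""
    omega = primitive_root_of_unity(n, p)
    return [pow(omega, i, p) for i in range(n)]


def is_primitive(omega, n, p):
    """omega^n == 1 and no smaller positive power equals 1."""
    return pow(omega, n, p) == 1 and all(pow(omega, i, p) != 1 for i in range(1, n))
```

<p>For $p = 41$ (so $p - 1 = 2^3 \cdot 5$) the square root of $2$ comes out as $17$ and the eight powers of $\omega = \alpha$ are exactly the solutions of $x^8 = 1$; squaring them gives the fourth roots of unity.</p>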
<p>The <strong>primitive root of unity</strong>, $\omega,$ is an $n$th root of unity such that</p>
<p>if $\alpha$ is an $n$th root of unity, $\alpha$ satisfies $\alpha^n - 1 = 0.$ If
$\alpha \neq 1,$ then
In other words, if we square each element in the $n$th roots of unity, we would get back