Suppose that $p$ is an odd prime and $a$ is a quadratic residue modulo $p$. We wish to find an $x$ such that $x^2 \equiv a \mod p$. We could simply search through all congruence classes modulo $p$, but if $p$ is large then we need a faster method.

We claim that if $p \equiv 3 \mod 4$, then the congruence $x^2 \equiv a \mod p$ has a solution $x \equiv a^{(p+1)/4} \mod p$. Clearly, by squaring and using Euler's criterion we obtain

\begin{equation}
    x^2 \equiv (a^{(p+1)/4})^2 \equiv a^{(p+1)/2} \equiv a^{1 + (p-1)/2} \equiv aa^{(p-1)/2} \equiv a \mod p.
\end{equation}

Furthermore, we claim that if $p \equiv 5 \mod 8$, then the congruence $x^2 \equiv a \mod p$ has a solution $x \equiv 2^{k(p-1)/4}a^{(p+3)/8} \mod p$ for some $k \in \{0, 1\}$.

Define $i = a^{(p-1)/4}$. Then squaring and using Euler's criterion for a quadratic residue $a$ gives
\begin{equation}
    i^2 \equiv (a^{(p-1)/4})^2 \equiv a^{(p-1)/2} \equiv 1 \mod p
\end{equation}
This means that $i$ itself must be a square root of $1$ modulo $p$. Therefore, $i$ can only have two possible values $\pm 1 \mod p$.

We now square the full proposed solution
\begin{equation}
    x^2 = (2^{k(p-1)/4})^2 (a^{(p+3)/8})^2 = (2^{(p-1)/2})^k a^{(p+3)/4}.
\end{equation}
By Euler's criterion, $2^{(p-1)/2} \equiv \left(\frac{2}{p}\right) \mod p$. For primes $p \equiv 5 \mod 8$, we have $\left(\frac{2}{p}\right) = -1$. Also, $a^{(p+3)/4} = a^{1 + (p-1)/4} = aa^{(p-1)/4}$. Hence
\begin{equation}
    x^2 \equiv (-1)^k aa^{(p-1)/4} \mod p
\end{equation}
If $a^{(p-1)/4} \equiv 1 \mod p$ then we require $(-1)^k = 1$ which can be achieved by $k = 0$. On the other hand, if $a^{(p-1)/4} \equiv -1 \mod p$, then we require $(-1)^{k+1} = 1$ which is possible by choosing $k = 1$.

Now suppose that $p - 1$ is a power of $2$ and let $g$ be a primitive root modulo $p$, i.e., a generator for the multiplicative group of non-zero residues modulo $p$. To solve the congruence $x^2 \equiv a \mod p$, we substitute $x \equiv g^r \mod p$ where $r = \sum_{j>0} r_j 2^j$ with $r_j \in \{0, 1\}$. Raising each side of the original congruence to suitable powers it is possible to solve for the binary digits $r_0, r_1, r_2, \dots$ in turn. For example the first step is
\begin{equation}
    r_0 =
    \begin{cases}
        0 & a^{(p-1)/4} \equiv 1 \mod p, \\
        1 & a^{(p-1)/4} \equiv -1 \mod p.
    \end{cases}
\end{equation}


For example, let us solve the congruence $x^2 \equiv 58256 \mod 655374$. Set $a = 58256$ and $p = 65537 = 2^{16} + 1$. The method requires us to find $x$ by finding the exponent $r$ in $x \equiv g^r \mod p$, where $g$ is a primitive root and $r4 is constructed from its binary digits.

A number $g$ is a primitive root modulo $p$ if its order is $p - 1$. For a Fermat prime, this is equivalent to $g$ being a quadratic non-residue modulo $p$. We can test for this using Euler's criterion $g^((p-1)/2) \equiv -1 \mod p$.

In particular, $3^{32768} \equiv 65536 \equiv -1 \mod 65537$, so $g = 3$ is a primitive root modulo $65537$.

Let $R_k = r_0 + 2r_1 + \dots + 2^{k-1}r_{k-1}$ be the part of the exponent we have found so far. The general step to find the next bit is to compute
\begin{equation}
    (a  g^{-2R_k})^{(p-1) / 2^{k+2}} \mod p
\end{equation}
If this is $1 \bmod p$, then $r_k = 0$, while if this is $-1 \bmod p$, then $r_k = 1$. The exponent $r$ is defined modulo $(p-1)/2 = 32768$, so we need $15$ bits.

In [18]:
p = 65537
a = 58256
g = 3
s = 16
r_bits = []
R_k = 0

print("Finding the binary digits of the exponent r:")
for k in range(s - 1):
    # Calculate the modular inverse of g^(2*R_k)
    # Using Fermat's Little Theorem: g^(-n) = g^(p-1-n)
    g_inv_power = pow(g, p - 1 - (2 * R_k), p)
    # Calculate the term to be tested
    ck = (a * g_inv_power) % p
    # Calculate the exponent for the check
    exponent = (p - 1) // (2**(k + 2))
    # Perform the check
    check = pow(ck, exponent, p)
    if check == 1:
        rk = 0
    elif check == p - 1:
        rk = 1
    else:
        print(f"Error: Check for r_{k} resulted in {check}, not 1 or -1.")
    r_bits.append(rk)
    print(f"r_{k} = {rk}")
    # Update R_k for the next iteration
    if rk == 1:
        R_k += 2**k

r = 0
for k in range(len(r_bits)):
    if r_bits[k] == 1:
        r += 2**k
print(f"\nCalculated bits: {r_bits}")
print(f"The exponent r = {r}")
# Calculate the first solution x = g^r (mod p)
x1 = pow(g, r, p)
# The other solution is p - x1
x2 = p - x1
print(f"\nThe solutions are x = {x1} and x = {x2}")
print(f"{x1}^2 mod {p} = {pow(x1, 2, p)}")
print(f"{x2}^2 mod {p} = {pow(x2, 2, p)}")

Finding the binary digits of the exponent r:
r_0 = 1
r_1 = 1
r_2 = 1
r_3 = 1
r_4 = 1
r_5 = 1
r_6 = 1
r_7 = 1
r_8 = 1
r_9 = 1
r_10 = 0
r_11 = 0
r_12 = 0
r_13 = 0
r_14 = 1

Calculated bits: [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1]
The exponent r = 17407

The solutions are x = 62817 and x = 2720
62817^2 mod 65537 = 58256
2720^2 mod 65537 = 58256


The Tonelli-Shanks algorithm for computing square roots modulo $p$ is obtained by combining the previous methods. We begin by writing $p - 1 = 2^\alpha s$ with $s$ odd. Then we find a non-residue $n$ and compute $b \equiv n^s \mod p$. Since $s$ is odd, it suffices to solve the congruence $y^2 \equiv a^s \mod p$. We do this by substituting $y \equiv b^r \mod p$ and solving for the binary digits of $r$.

*   Decomposition: Write $p - 1$ in the form $2^\alpha s$, where $s$ is an odd number. This is done by repeatedly dividing $p - 1$ by $2$ until the result is odd.
*   Find a non-residue: Obtain an integer $n$ that is a quadratic non-residue modulo $p$. This can be done by testing small integers and using the Legendre symbol to check if $\left(\frac{n}{p}\right) = -1$.
*   Construct a generator: Compute $b \equiv n^s \mod p$. The element $b$ has order 2^\alpha in the multiplicative group of non-zero residues modulo $p$, meaning it generates the subgroup of elements whose orders are powers of $2$.
*   Reduce the problem: Transform the original problem into solving $y^2 \equiv a^s \mod p$. Once we find $y$, we can recover the original solution $x$ using the formula $x \equiv a^{-(s-1)/2}  y \mod p$.
*   Solve for $y$: The congruence $y^2 \equiv a^s \mod p$ is solved using the iterative method. We are looking for a $y$ of the form $b^r$, where $r$ is an integer whose binary digits we need to find. Let $t = a^s$. We need to solve $(b^r)^2 \equiv t \mod p$.
*   Final answer: Once the bits of $r$ are found, we compute $y \equiv b^r \mod p$. We can then compute $x$ which is one of the square roots. The other square root is $p - x$.

In [19]:
def legendre_symbol_jacobi(a, n):
    '''
    Computes the Jacobi symbol (a/n) using a robust recursive algorithm.
    n must be a positive odd integer.
    '''
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer.")
    if n == 1:
        return 1
    a %= n
    if a == 0:
        return 0
    if a == 1:
        return 1
    sign = 1
    while a % 2 == 0:
        a //= 2
        n_mod_8 = n % 8
        if n_mod_8 == 3 or n_mod_8 == 5:
            sign = -sign
    if (a - 1) * (n - 1) // 4 % 2 != 0:
        sign = -sign
    return sign * legendre_symbol_jacobi(n, a)

def legendre_symbol(a, p):
    '''
    Computes the Legendre symbol (a/p) using the Jacobi symbol.
    '''
    return legendre_symbol_jacobi(a % p, p)

def tonelli_shanks(a, p):
    '''
    Solves the congruence x^2 = a (mod p) using the Tonelli-Shanks algorithm.
    Returns one of the square roots, or None if a is not a quadratic residue.
    '''
    # Check if a is a quadratic residue
    if legendre_symbol(a, p) != 1:
        return None

    # Special case for p = 3 (mod 4)
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)

    # Decompose p - 1 into 2^alpha * s
    s = p - 1
    alpha = 0
    while s % 2 == 0:
        s //= 2
        alpha += 1

    # Find a quadratic non-residue 'n'
    n = 2
    while legendre_symbol(n, p) != -1:
        n += 1

    b = pow(n, s, p)
    a_s = pow(a, s, p)

    # Solve y^2 = a^s (mod p) by finding y = b^r
    # We find the bits r_k of the exponent r iteratively
    r_bits = []
    R_k = 0 # Represents r_0 + 2*r_1 + ...

    for k in range(alpha):
        b_inv_power = pow(b, p - 1 - (2 * R_k), p)
        check_val = (a_s * b_inv_power) % p

        exponent = 2**(alpha - 1 - k)

        check = pow(check_val, exponent, p)

        if check == p - 1:
            rk = 1
        else:
            rk = 0

        r_bits.append(rk)
        if rk == 1:
            R_k += 2**k

    # Reconstruct r from its bits
    r = R_k
    # y = b^r
    y = pow(b, r, p)

    # Recover x from y using x = a^(-(s-1)/2) * y
    s_minus_1_div_2 = (s - 1) // 2
    a_inv = pow(a, -1, p)
    term1 = pow(a_inv, s_minus_1_div_2, p)
    x = (y * term1) % p

    return x

p1 = 10708729
print(f"--- Testing for p = {p1} and a from 1 to 20 ---\n")
for a in range(1, 21):
    if legendre_symbol(a, p1) == 1:
        x = tonelli_shanks(a, p1)
        verification = pow(x, 2, p1)
        print(f"a = {a:2}: Found x = {x:8}.  Verification: {x}^2 mod {p1} = {verification}")
    else:
        print(f"a = {a:2}: Not a quadratic residue.")

print("\n--- A few other test cases ---\n")

p2, a2 = 29, 5
x2 = tonelli_shanks(a2, p2)
v2 = pow(x2, 2, p2)
print(f"p={p2}, a={a2}: Found x = {x2}. Verification: {x2}^2 mod {p2} = {v2}")

p3, a3 = 101, 22
x3 = tonelli_shanks(a3, p3)
v3 = pow(x3, 2, p3)
print(f"p={p3}, a={a3}: Found x = {x3}. Verification: {x3}^2 mod {p3} = {v3}")

p4, a4 = 41, 37
x4 = tonelli_shanks(a4, p4)
v4 = pow(x4, 2, p4)
print(f"p={p4}, a={a4}: Found x = {x4}. Verification: {x4}^2 mod {p4} = {v4}")

--- Testing for p = 10708729 and a from 1 to 20 ---

a =  1: Found x =        1.  Verification: 1^2 mod 10708729 = 1
a =  2: Found x =  5193008.  Verification: 5193008^2 mod 10708729 = 322711
a =  3: Found x =  9316627.  Verification: 9316627^2 mod 10708729 = 3
a =  4: Found x =   322711.  Verification: 322711^2 mod 10708729 = 10708725
a =  5: Found x =  4621059.  Verification: 4621059^2 mod 10708729 = 6161142
a =  6: Found x =  9115588.  Verification: 9115588^2 mod 10708729 = 968133
a =  7: Not a quadratic residue.
a =  8: Found x =   322709.  Verification: 322709^2 mod 10708729 = 9417885
a =  9: Found x =        3.  Verification: 3^2 mod 10708729 = 9
a = 10: Found x =  5539372.  Verification: 5539372^2 mod 10708729 = 10708719
a = 11: Found x =  9783176.  Verification: 9783176^2 mod 10708729 = 3579454
a = 12: Found x =  5970486.  Verification: 5970486^2 mod 10708729 = 10708717
a = 13: Not a quadratic residue.
a = 14: Not a quadratic residue.
a = 15: Found x =  5043778.  Verification: 

The complexity of the Tonelli-Shanks algorithm is determined by its main components, where operations are on numbers up to size $p$.
*   Decomposition of $p-1$: Finding $\alpha$ and $s$ takes $O(\log p)$ divisions.
Finding a non-residue: For each test, we compute a Legendre symbol, which takes $O(\log^3 p)$ time using modular exponentiation. The probability of a random number being a non-residue is about $1/2$.
*   Initial exponentiations: Computing $b = n^s$, $a^s$, and $a^{-1}$ each require one modular exponentiation, taking $O(\log^3 p)$ time.
*   Main loop: The loop runs $\alpha - 1$ times. Since $\alpha \leq \log p$, the number of iterations is $O(\log p)$. Inside the loop, the dominant operation is taking a power which is another modular exponentiation.
*   Final calculation: This step also involves a modular exponentiation.

The overall complexity is dominated by the main loop, which performs $O(\log p)$ modular exponentiations. Since each modular exponentiation on k-bit numbers takes $O(\log^3 p)$ time with basic multiplication, the total complexity is $O(\log^4 p)$. This is a polynomial-time algorithm, making it vastly more efficient than a brute-force search $O(p)$ for large primes.