The previous post briefly mentioned Stan Wagon’s algorithm for expressing an odd prime p as a sum of two squares when it is possible (i.e. when p = 1 mod 4). Wagon’s algorithm requires first finding a non-square mod p, i.e. a number c such that c ≠ d² mod p for any d in 1, 2, 3, … p − 1.
Wagon recommends searching for c by testing consecutive primes q as candidates. You can test whether a number q is a square mod p by computing the Legendre symbol, which is implemented in SymPy as legendre_symbol(q, p). This returns 1 if q is a quadratic residue mod p and −1 if it is not.
Here’s Python code for doing the search.
from sympy import *
def find_nonresidue(p):
q = 2
while legendre_symbol(q, p) == 1:
q = nextprime(q)
return q
Let’s start with p = 2255 − 19. This prime comes up often in cryptography, such as Curve25519. Now p = 1 mod 4, so Wagon’s algorithm applies.
The code above returns 2, i.e. the first thing we tried worked. That was kinda disappointingly easy.
Here’s another large prime used in cryptography, in the NIST curve P-384.
p = 2384 − 2128 − 296 + 232 − 1
For this value of p, find_nonresidue(p) returns 19.
Why test prime as candidates for non-residues? You could pick candidates at random, and there’s a probability 1/2 that any candidate will work, since half the integers less than p are residues and half are non-residues. It’s very likely that you’d find a solution quickly, but it’s not guaranteed. In principle, you could try a thousand candidates before one works, though that’s vanishingly unlikely. If you test consecutive primes, there is a theoretical limit on how many guesses you need to make, ff the Extended Riemann Hypothesis is true.
The next post explains why we wanted to find a non-residue.