
This describes a way of proving CDH <=> Square-DH. The thing I don't get: how to efficiently compute $\operatorname{CDH}(U,V)$ from $\operatorname{CDH}(U,V)^2$. Isn't the square root problem hard in general (in the case of composite order fields, for example)? As far as I understand, computing square roots is as hard as factorization of $N$, where $|G| = N$, which can be hard in a non-prime-order group.

So what am I missing here?

zma

1 Answer


This is a matter of computing square roots in $\mathbb Z/p\mathbb Z$.

  • If $p \equiv 3 \pmod 4$ is prime and $a$ is a quadratic residue so that the Legendre symbol $(a|p) \equiv a^{(p - 1)/2} \pmod p$ is 0 or 1, then $4 \mid p + 1$ and $$\bigl(\pm a^{(p + 1)/4}\bigr)^2 \equiv a^{(p + 1)/2} \equiv a^{(p - 1)/2 + 1} \equiv a^{(p - 1)/2} a \equiv a \pmod p.$$ Consequently, the square roots of $a$ are $\pm a^{(p + 1)/2}$. (If the Legendre symbol $(a|p)$ is -1, then $a$ is not a quadratic residue.)

  • If $p \equiv 5 \pmod 8$ is prime, then either $\pm a^{(p + 3)/8}$ or $\pm a^{(p + 3)/8} 2^{(p - 1)/4}$ are the square roots of $a$, depending on whether $a$ is a quartic residue modulo $p$ or not. Proof left as an exercise for the reader.

  • If $p \equiv 1 \pmod 8$ is prime, then there's no nice closed-form expression or deterministic algorithm for computing square roots in $\mathbb Z/p\mathbb Z$, but the Tonelli–Shanks or Cipolla algorithms can do it in a constant expected number of multiplications in $\mathbb Z/p\mathbb Z$.

  • If $p$ is not prime, then finding square roots modulo $p$ is as hard as factoring $p$. But in discrete log systems, we usually worry about prime moduli. Proving relations between DLOG, CDH, SDH, SQRT, and FACTOR for a composite modulus is left as an exercise for the reader.

Squeamish Ossifrage
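The three prime cases from the answer, worked through in code. This is an added example, not code from the question or the answer: it uses Euler's criterion as the Legendre symbol, the closed forms for $p \equiv 3 \pmod 4$ and $p \equiv 5 \pmod 8$, and Tonelli–Shanks for the remaining case. The function names (`legendre_symbol`, `sqrt_mod_prime`, `tonelli_shanks`) and the small test primes are my own choices. Note that for a prime modulus a residue always has exactly two roots, $\pm r$, which is why recovering $\operatorname{CDH}(U,V)$ from its square only leaves a choice between two candidates rather than a factoring problem.

```python
# Square roots modulo an odd prime p, covering the cases in the answer above:
#   p ≡ 3 (mod 4)  -> closed form a^((p+1)/4)
#   p ≡ 5 (mod 8)  -> a^((p+3)/8), times 2^((p-1)/4) if a is not a quartic residue
#   p ≡ 1 (mod 8)  -> Tonelli-Shanks (randomised only in the choice of a non-residue)

def legendre_symbol(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is 0, 1, or p-1 (reported as -1)."""
    ls = pow(a, (p - 1) // 2, p)
    return -1 if ls == p - 1 else ls


def tonelli_shanks(a, p):
    """Square root of a quadratic residue a modulo an odd prime p (general case)."""
    # Write p - 1 = q * 2^s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # Find a quadratic non-residue z; about half of all elements qualify,
    # so this loop is expected to finish after a couple of trials.
    z = 2
    while legendre_symbol(z, p) != -1:
        z += 1
    m = s
    c = pow(z, q, p)
    t = pow(a, q, p)
    r = pow(a, (q + 1) // 2, p)
    while t != 1:
        # Least i with t^(2^i) == 1 (always 0 < i < m here).
        i, t2 = 0, t
        while t2 != 1:
            t2 = (t2 * t2) % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m = i
        c = (b * b) % p
        t = (t * c) % p
        r = (r * b) % p
    return r


def sqrt_mod_prime(a, p):
    """Return one square root of a modulo an odd prime p, or None if a is a non-residue.
    The other root is always p - r."""
    a %= p
    if a == 0:
        return 0
    if legendre_symbol(a, p) != 1:
        return None  # (a|p) == -1: no square root exists
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    if p % 8 == 5:
        x = pow(a, (p + 3) // 8, p)
        if (x * x) % p == a:
            return x  # a is a quartic residue
        # Otherwise x^2 == -a; 2^((p-1)/4) is a square root of -1 when p ≡ 5 (mod 8).
        return (x * pow(2, (p - 1) // 4, p)) % p
    return tonelli_shanks(a, p)


def both_roots(a, p):
    """Both candidates r and p - r, or None; illustrates the two-way ambiguity
    a Square-DH -> CDH reduction has to resolve for a prime modulus."""
    r = sqrt_mod_prime(a, p)
    if r is None:
        return None
    return tuple(sorted({r, (p - r) % p}))


if __name__ == "__main__":
    # Constructed demo values: one prime from each congruence class.
    for a, p in [(2, 7), (10, 13), (2, 17), (5, 7)]:
        print(f"sqrt({a}) mod {p} ->", both_roots(a, p))
```

`both_roots` is what a reduction would actually use: given the square it returns the two candidates, and whichever one the surrounding protocol or oracle confirms is the real value.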