Primitive Roots and Discrete Logarithms

Transcription

1 Primitive Roots and Discrete Logarithms L. Felipe Martins Department of Mathematics Cleveland State University Work licensed under a Creative Commons License available at March 5, Order of an Element In this chapter, we study successive powers of an integer modulo an integer m. We know, from Euler s Theorem, that a φpmq 1 pmod mq if gcdpa,mq 1. However, there may exist smaller powers of a the are congruent to 1. This is illustrated in the table below, with m 18. In this table, a j mod 18 is computed for a relatively prime to 18, and j 1,2...,φp18q 6. m=18, phi(m)=6 j= : : : : : : So, for example pmod 18q. This observation motivates the following definition: Definition 1.1. Let m 0 be an integer and a be such that gcdpa,mq 1. The multiplicative order, or simply order of a modulo m is the smallest positive integer j such that a j 1 pmod mq. The order of a modulo m is denoted by ord m paq. We also talk about orders in terms of congruence classes. The order of and element a P Z m is defined if a is a unit (that is, a is invertible), and is the smallest 1

2 integer j such that a j 1 (as members of Z m ). We also use the symbol ord m paq to denote the order of an element in Z m. Euler s theorem guarantees that the order of a is at most φpmq, but we can say more about the order. Let s consider the following code segment, that computes the order of elements modulo 18: age: m = 22 sage: phim = euler_phi ( m) sage: print m=%d, phi(m)=%d % (m, phim) sage: R = Integers ( m) sage: units = [ a for a in R if a. is_unit ()] sage: for a in units:... print %2d: %2d % (a,r(a). multiplicative_order ()) m=22, phi(m)=10 1: 1 3: 5 5: 5 7: 10 9: 5 13: 10 15: 5 17: 10 19: 10 21: 2 Notice that the order of the elements not only are smaller than φpmq, they are actually divisors of φpmq. This will follow fro the result below, that characterizes all positive integers such that a j 1 pmod mq. Theorem 1.2. Let m 0 and a be integers such that gcdpa,mq 1. Then, for any positive integer j, a j 1 pmod mq if and only if ord m paq j. Proof. Suppose first that ord m paq divides j, that is, j qord m paq for some integer q. Then: a j a qord mpaq pa ord m paq j q 1 j 1 pmod mq For the converse, suppose that a j 1 pmod mq. Dividing j by ord m a, we obtain j qord m paq r, where 0 r ord m paq. Then: 1 a j a qord mpaq r pa ord m paq q q a r a r pmod mq. Thus, we have a nonnegative r such that a r 1 pmod mq, and r definition of ord m paq, this implies r 0, so that j qord m paq. ord m paq. By the We then have: 2

3 Corollary 1.3. Let m 0 and a be integers such that gcdpa,mq 1. Then, ord m paq φpmq. Proof. Just notice that, from Euler s theorem, a φpmq 1 pmod mq, and use the previous theorem. Let s now investigate what can be said about the order of a k, for a positive integer k. Since 1 pa k q ord mpa kq a k ord mpa kq pmod mq, we have: ord m paq k ord m pa k q. Dividing both sides by d gcdpk,ord m paqq, we get: ord m paq k d d ord mpa k q, and since ord m paq{d and k{d are relatively prime, Euclid s lemma implies: On the other hand, notice that: which implies ord m paq d ord m pa k q. pa k q ord mpaq{d pa ord m paq q k{d 1 pmod mq, ord m pa k ord mpaq q, d by Theorem 1.2. We thus conclude that ord m pa k q ord m paq{d, and we have proved the following theorem: Theorem 1.4. Let m 0 and a be integers such that gcdpa,mq 1. Then: ord m pa k q ord m paq gcdpk,ord m paq Example 1.5. Let m 18 and a 5. The following code lists the orders of a k pmod mq, both computed directly and by the formula above: sage: for k in range (1, orda ):... b = aˆk... print k=%2d: %2d %2d % \... (k,b. multiplicative_order (), orda // gcd(k,orda )) m=18, d=5 k= 1: 6 6 k= 2: 3 3 k= 3: 2 2 k= 4: 3 3 k= 5: 6 6 3

4 2 Primitive Roots and Discrete Logarithms As we have seen in the previous section, the order of an integer modulo m is always a divisor of φpmq. A natural question is whether, given a divisor d of φpmq, it is always possible to find an unit a P Z m with order d. This is investigated in the following examples. Example 2.1. Let m 12. The next code segment compares the set of divisors of φp12q with the set of possible orders of elements a P Z 12 : age: m = 12 sage: R = Integers ( m) sage: phim = euler_phi ( m) sage: divisors_phi = divisors( phim) sage: orders_set = set ([ a. multiplicative_ order ()... for a in R if a.is_unit ()])... sage: orders_list = sorted( list( orders_set )) sage: print m=%d % m sage: print Divisors of phi( m): % s % divisors_phi sage: print Orders represented : % s % orders_list m=12 Divisors of phi( m): [1, 2, 4] Orders represented : [1, 2] This example shows that not all divisors of φpmq are among the possible orders. Notice, in particular, that the highest possible order, φpmq itself, is not represented. Example 2.2. Now let s consider m 29: m=29 Divisors of phi( m): [1, 2, 4, 7, 14, 28] Orders represented : [1, 2, 4, 7, 14, 28] In this case, all possible orders are represented. As we shall see, this is always true for a prime modulus. Example 2.3. On the other hand, there are composite moduli m for which all divisors of φpmq are the order of some element. For example, m 50: m=50 Divisors of phi( m): [1, 2, 4, 5, 10, 20] Orders represented : [1, 2, 4, 5, 10, 20] The task of identifying which possible orders actually occur is simplified by the following observation: 4

5 Lemma 2.4. Let m be a positive integer. Then, the following two statements are equivalent: 1. For every divisor d of φpmq, there is an a such that ord m paq d. 2. There is an a such that ord m paq φpmq. Proof. Obviously, the first statement implies the second. To prove the converse, let a be an integer of order φpmq modulo m, and let d be a divisor of φpmq. Let k φpmq{d. Then, by Theorem 1.4: ord m pa k q that is, a k has order d modulo m. φpmq gcdpφpmq{d,φpmqq d, This motivates the following important definition: Definition 2.5. Let m be a positive integer, and a be such that gcdpa,mq 1. Then, a is said to be a primitive root modulo m if ord m paq φpmq. When considered as an element of Z m, we say that a is a generator of the group of units of Z m. Primitive roots play a fundamental role in all of number theory. The following observation gives one aspect of why they are important. Let a be a primitive root modulo m, thought of as an element of Z m. Consider the sequence of elements of Z m : Here is an example: a 1,a 2,...a φpmq. (1) Example 2.6. Let m 18, and let s find the units and primitive roots modulo 18: sage: m = 18 sage: R = Integers ( m) sage: phim = euler_phi ( m) sage: units = [ a for a in R if a. is_unit ()] sage: primitive_ roots = [ a for a in units... if a. multiplicative_ order ()== phim]... sage: print m=%d % m sage: print Units: % s % units sage: print Primitive roots: % s % primitive_ roots m=18 Units: [1, 5, 7, 11, 13, 17] Primitive roots: [5, 11] 5

6 We now choose (arbitrarily) the primitive root a 11 and compute its successive powers: sage: a = R(11) sage: [ aˆk for k in range (1, phim +1)] [11, 13, 17, 7, 5, 1] We notice that all the units of Z m are represented as a power of a. It is easy to see that the observation in this example is valid in general. Consider the list of powers in (1), where a is a primitive root modulo m. We claim that the elements in this list are distinct modulo m. Indeed, suppose that 0 i j φpmq and a i a j pmod mq. Then, (since a is invertible!), a j i 1 pmod mq, and by Theorem 1.2, ord m paq φpmq j i, which is a contradiction, since j i φpmq. We conclude that the sequence (1) is a list of φpmq distinct units of Z m. Since the number of such elements is φpmq, it follows that each unit appears exactly once in the list. The following definition is then valid: Definition 2.7. Let m be a positive integer, and assume that a is a primitive root modulo m. Let x be such that gcdpx,mq 1. We say that k is a discrete logarithm of x in the base a (for the modulo m), if: a k b pmod mq For instance, going back to Example 2.6, we can see that, for the modulus 18: 3 is a discrete logarithm of 17 in the base 11 5 is a discrete logarithm of 5 in the base 11 Notice that discrete logarithms are not unique: for example, since pmod 18q, it follows that 9 is also a discrete logarithm of 17 for the base 11. In general, suppose that k 1 and k 2 are both discrete logarithms of x in the base a. Then: a k1 x a k 2 pmod mq, so that a k 1 k 2 1 pmod mq, which, again from Theorem 1.2, implies φpmq k 1 k 2, that is: k 1 k 2 pmod φpmqq. Notice that the modulus above is φpmq, and not m! This is a very important point, which can be stated in the following way: Let m be a positive integer, a be a primitive root modulo m, and x invertible modulo m. Then, the discrete logarithm (modulo m) of x in the base a is uniquely defined modulo φpmq. 6

7 Accordingly, we will use the notation: k dlog a pbq pmod φpmqq to express the fact that k is a discrete logarithm of x in the base a. We will also use this notation when thinking in terms of congruence classes. However, special care is then needed. If we are doing computations modulo m, the discrete logarithm of x, dlog a pxq, has to be interpreted as a congruence class modulo φpmq, that is, an element of Z φpmq. We finish this section with a criterion for identifying primitive roots. Theorem 2.8. Let m 0 and a be integers such that gcdpa,mq 1. Then, a is a primitive root modulo m if and only if a φpmq{q 1 pmod mq for all prime divisors q of φpmq. Proof. It is clear that, if a φpmq{q 1 for some prime divisor q of φpmq, then the order of a is strictly smaller than φpmq, and a cannot be a primitive root. For the converse, suppose that d ord m paq φpmq. Then, there is a prime divisor q of φpmq such that q d. Since d φpmq, unique factorization implies d pφpmq{qq, and from a d 1 pmod mq it follows that a φpmq{q 1 pmod mq. Example 2.9. Let s find a primitive root modulo m (A primitive root might not exist, but m has been carefully chosen!). We start by computing φpmq and finding its prime factors: sage: m = sage: phim = euler_phi ( m) sage: pfactors = prime_ divisors ( phim) sage: print m, phim, pfactors [2, 3, 7] The exponents we will have to try have the form φpmq{q, so we generate a list with these values: sage: exps = [ phim/ q for q in pfactors] sage: exps [7203, 4802, 2058] Let s check if 2 is a primitive root modulo m: sage: R = Integers ( m) sage: a = R(2) sage: [ aˆe for e in exps] [1, 15453, 4803] 7

8 Well, since 2 φp16807q{2 1 pmod 16807q, we conclude that 2 is not a primitive root. Let s see if we have better luck with a 3: sage: a = R(3) sage: [ aˆe for e in exps] [16806, 1353, 14407] So, we conclude that 3 is a primitive root modulo It is worth pointing out that this method is quite efficient and practical provided a factorization of φpmq is available. Being able to generate primitive roots is very important for some applications. 3 Primitive Roots for Prime Moduli It is a remarkable and extremely important fact that primitive roots always exist for a prime modulus. In fact, given a prime p, we are able to say exactly how many elements have order d for each divisor d of φppq p 1. We start with a result concerning the number of elements of each possible order for a prime modulus. Theorem 3.1. Let p be a prime number, and d a positive divisor of p 1. Then, one of the following alternatives takes place: 1. There are no elements of order d in Z p. 2. There are exactly φpdq elements of order d in Z p. Proof. The statement of the theorem is equivalent to saying that, if there is an element of order d, then there must be φpdq of them. So, let s assume that we have an a P Z m such that ord m paq d. As proved in Theorem??, the polynomial x d 1 has exactly d zeros on Z p. Clearly, for any j 0, pa j q d pa d q j 1 in Z p, that is, the elements of the sequence a 1,a 2,...,a d are all zeros of x d 1. Since this list has d distinct (why?) elements, these must be all the zeros of x d 1. Now, and element x of order d is necessarily a zero of x d 1, and we conclude that x a k for some k 1,2,...d. From Theorem 1.4, the order of x is d{gcdpk,dq. Thus, ord p pxq d if and only if gcdpk,dq 1. Putting all together, we have the following: 8

9 The elements of order d in Z p are those of the form a k, where k 1,2,...,d and gcdpk,dq 1. However, the number of such elements is, by definition, φpdq. We will now proceed to show that the number of elements of order d cannot be zero (so, by the theorem above, it has to be φpdq). The proof requires the following remarkable formula discovered by Euler: Theorem 3.2. Let m be a positive integer. Then: dm φpdq m. (2) We postpone the proof of this formula until Section 4. The notation above means that the index d in the sum runs over all positive divisors of m (including m). For example, for m 24, the formula reads: φp1q φp2q φp3q φp4q φp6q φp8q φp12q φp24q 24, which can be verified in Sage: sage: m = 24 sage: sum( euler_phi (d) for d in divisors(m)) 24 We are now ready to state and prove the main result of this chapter: Theorem 3.3. Let p be a prime number. Then, if d is a positive divisor of p 1, there are φpdq elements of order d in Z p. Proof. For each positive divisor d of p 1 we let: S d ta P Z p ord p paq du. and denote by c d the number of elements in S j. Since every element of Z d appears in exactly one of the classes, we have: dp 1 On the other hand, Theorem 3.2 gives: dp 1 c d p 1. φpdq p 1. From Theorem 3.1, we know that c d 0 or c d φpp 1q, for every d. Using this fact and comparing the last two formulas implies c d φpdq for all positive divisors d of p 1. 9

10 We then have: Theorem 3.4 (Existence of primitive roots for prime moduli). Let p be a prime number. Then there are φpp 1q primitive roots in Z p. 4 Proof of Theorem 3.2 In this section, we prove Formula (2). The proof we present here is based on a combinatorial argument: we simply count the integers 1, 2,... m in a special way. We place every integer from 1 to m in a set S d, where d is a divisor of m. Namely, we let: m: S d tk P Z 1 k m and gcdpk,mq du. As an example, let s consider m 24. We start by computing the divisors of sage: m = 24 sage: dlist = divisors( m) sage: dlist [1, 2, 3, 4, 6, 8, 12, 24] To store the sets, use a Python data structure called a dictionary. The following code segment initializes the dictionary: sage: sets = {} sage: for d in dlist:... sets[d]=[] We create a dictionary with an entry for every divisor d of m, and initialize the entry to an empty list. Now, we loop over the integers 1, 2,..., m and place each integer in the entry with key gcdpk,mq: sage: for k in range (1,m+1):... sets[gcd(k,m)]. append(k) Let s now print the sets: sage: for key, elem in sets. iteritems ():... print S(%2d) = { % key,... for b in elem:... print %2d % b,... print } S( 1) = { } S( 2) = { } 10

11 S( 3) = { } S( 4) = { 4 20 } S( 6) = { 6 18 } S( 8) = { 8 16 } S(12) = { 12 } S(24) = { 24 } The first thing to observe is that, since every integer 1, 2,..., m is placed in exactly one of the sets, we have: S d m. dm All that remains is to identify the number of integers in each set S d. Notice, in the example above, that d always divides the elements of the set S d. This happens simply because, if k P S d, then d gcdpk,mq k. We can, thus, define the sets: " k * Sd 1 d k P S d, and clearly S d Sd 1. Going back to the example m 24, we compute these newly defined sets: sage: for d, s in sets. iteritems ():... sets[d] = [k//d for k in sets[d]] Here are the sets that are obtained: 1: { } 2: { } 3: { } 4: { 1 5 } 6: { 1 3 } 8: { 1 2 } 12: { 1 } 24: { 1 } Looking at these sets carefully, a pattern emerges: the elements of set Sd 1 are exactly those positive integers that are at most m{d and relatively prime to m{d. To see why this is true, let r be an arbitrary element of Sd 1. Then, r k{d, where k is an integer such that gcdpk, mq d. This implies that gcdpr, dq gcdpk{d, mq 1. Reciprocally, if 1 r d is such that gcdpr,dq 1, then, if we let k rd, we have r k{d and gcdpk,mq d, so that r P Sd 1. We conclude that S d Sd 1 φpm{dq, so that: d m φpm{dq m 11

12 But, as d runs over the set of divisors of m, so does m{d, and we get Formula (2). This formula may, at this point, seem to be a little ad hoc. The formula is placed in a wider context when multiplicative arithmetic functions are studied. 12