Finding Primitive Roots Pseudo-Deterministically

Size: px

Start display at page:

Download "Finding Primitive Roots Pseudo-Deterministically"

Blaze Stevens
5 years ago
Views:

1 Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms whch output unque solutons (e, wth hgh probablty they output the same soluton on each executon) We present a pseudo-determnstc algorthm that, gven a prme p, fnds a prmtve root modulo p n tme exp(o( p log )) Ths mproves upon the prevous best known provable determnstc (and pseudo-determnstc) algorthm whch runs n exponental tme p 4 +o() Our algorthm matches the problem s best known runnng tme for Las Vegas algorthms whch may output d erent prmtve roots n d erent executons When the factorzaton of p s known, as may be the case when generatng prmes wth p n factored form for use n certan applcatons, we present a pseudo-determnstc polynomal tme algorthm for the case that each prme factor of p s ether of sze at most log c (p) or at least p /c for some constant c>0 Ths s a sgnfcant mprovement over a result of Gat and Goldwasser [5], whch descrbed a polynomal tme pseudo-determnstc algorthm when the factorzaton of p was of the form kq for prme q and k = poly() We remark that the Generalzed Remann Hypothess (GRH) mples that the smallest prmtve root g satsfes g apple O(log 6 (p)) Therefore, assumng GRH, gven the factorzaton of p, the smallest prmtve root can be found and verfed determnstcally by brute force n polynomal tme Introducton Pseudo-determnstc algorthms are randomzed search algorthms whch, wth hgh probablty, output the same soluton on each executon Formally, A s a pseudo-determnstc algorthm for a bnary relaton R f there exsts some functon s such that when executed on nput x, the algorthm A outputs s(x) wth hgh probablty, and (x, s(x)) 2 R In other words, when we execute A on nput x, we get the same output s(x) for almost all random seeds Standard randomzed search algorthms, on the other hand, may output a d erent y satsfyng (x, y) 2 R on each executon wth nput x In [5], Gat and Goldwasser ask whether there exsts a pseudo-determnstc algorthm that fnds a prmtve root mod p faster than the best known determnstc algorthm, whch runs n tme p 4 +o() We answer ths queston n the a rmatve: Theorem There exsts a pseudo-determnstc algorthm for Prmtve-Root that runs n expected tme L p (/2) = exp(o( p log )) ogrossma@mtedu Department of Mathematcs, MIT ISSN

2 We note that ths matches the tme bound for the best known Las Vegas algorthms for Prmtve-Root Ths problem may have cryptographc applcatons, as protocols based on the D e-hellman problem [4] rely on prmtve roots to establsh keys It may be desrable for two partes to ndependently generate the same key, or prmtve root, for F p In ths stuaton, pseudo-determnstc algorthms are helpful whle standard randomzed algorthms wll not su ce A closely related problem to Prmtve-Root s Prmtve-Root-Gven-Factorzaton Ths problem asks for a prmtve root mod p, gven both p and the factorzaton of p Prmtve-Root-Gven-Factorzaton may be relevant to applcatons snce the factorzaton of p s often known For example, protocols may requre e cent ways to verfy that an element s a prmtve root, n whch case the factorzaton of p wll be known For such applcatons, t s possble to e cently generate prmes p wth p n factored form [] Assumng the generalzed Remann Hypothess (GRH), Shoup proved n [7] that the smallest non-resdue mod p s of sze O(log 6 (p)), whch mples a brute force polynomal tme algorthm for Prmtve-Root-Gven-Factorzaton Wthout the GRH assumpton, the best determnstc algorthm remans the p 4 +o() algorthm from [2] In [5], polynomal tme pseudo-determnstc algorthms are presented for Prmtve-Root- Gven-Factorzaton when the nput prme satsfes p =kq, wth q prme and k = poly() We mprove upon ths result by fndng polynomal tme pseudo-determnstc algorthms for prmes satsfyng p = Q k = qe, where for some constant c each of the q s ether at most of sze log c (p) or at least of sze p /c (our dependence on c s exponental) It remans open to fnd a polynomal tme pseudo-determnstc algorthm for Prmtve-Root-Gven-Factorzaton for general prmes 2 Prelmnares In ths secton we establsh some lemmas we wll later use All lemmas n ths secton assume p s a prme, a, b 6 0 mod p, and ord refers to the order n F p (the multplcatve group of F p ) Lemma 2 Suppose a, b 2 F p If ord(a) and ord(b) are relatvely prme, then ord(ab) = ord(a)ord(b) Proof Frst, we note that (ab) ord(a)ord(b) = Therefore, ord(ab) ord(a)ord(b) Suppose ord(ab) < ord(a)ord(b) Let q be a prme dvdng ord(a)ord(b) ord(ab) We know that (ab) ord(a)ord(b)/q = However, q dvdes ether ord(a) or ord(b) Suppose wthout loss of generalty that q ord(a) Then =a ord(a)ord(b)/q b ord(b) (ord(a)/q) = a ord(a)ord(b)/q Therefore, ord(a) (ord(a)/q)ord(b) However, because ord(a) and ord(b) are relatvely prme, ths mples ord(a) (ord(a)/q), whch s mpossble Defnton 22 (qth resdue) Let q p be a prme We call an element a whch s a qth power (e, there exsts some b such that a = b q )aqth resdue Otherwse, we call a a qth non-resdue Lemma 23 Suppose q e s the largest power of q dvdng p dvsble by q e Then a qth non-resdue has order 2

3 Proof Suppose g s a prmtve root mod p An element a = g k satsfes ord(a) = p gcd(p,k) If a s a qth non-resdue, then we know k s not dvsble by q Therefore, q - gcd(p that ord(a) sdvsblebyq e, where q e s the largest power of q dvdng p,k) It follows The followng lemma wll show that to fnd a prmtve root modulo p, t s enough f for each prme q dvdng p wefndaq th non-resdue Lemma 24 Let p Then the product s a prmtve root = Q m = qe Suppose that for each, the element a s a q th non-resdue my a (p = )/qe )/qe = Proof We can wrte a = g k for some prmtve root g, and k not dvsble by q Then a (p g k (p )/q e must have order exactly q e, snce qe s the smallest number N such that Nk (p )/q e s dvsble by p, whch s the order of g Therefore, the element a (p )/qe has order exactly q e It follows that the orders of each of the a (p )/qe are relatvely prme, and so by Lemma 2,! my ord a (p )/qe my = The order of a (p s a prmtve root )/qe = = ord a (p )/qe s q e, so the product of the orders s Q m = qe = p Hence Q m = a(p )/qe Lemma 25 Gven p and q p, there exsts a pseudo-determnstc algorthm that fnds a qth non-resdue n tme q poly() Proof See Theorem 3 n [5] Lemma 26 Gven the factorzaton p ord(a) n poly() tme = Q m = qe and an element a 2 F p, we can compute Proof See page 329 n [8] The followng theorem from [3] gves a bound on smooth numbers (we say that n s m-smooth f all prme factors of n are at most m) Theorem 27 (Canfeld-Erdös-Pomerance) Let (x, y) denote the number of y-smooth postve ntegers bounded by x Let u = log x log y Suppose that u<( ) log x log log x for some > 0 Then holds unformly as u and x approach x u+o(u) (x, y) =u 3

4 3 Algorthm and Analyss In ths secton, we present and analyze our algorthm The dea for the algorthm s as follows Frst we factor p Now, for each prme factor q of p, we fnd a qth non-resdue We then use Lemma 24, to construct a prmtve root To fnd a qth non-resdue, we frst check f q s large or small (compared to exp( p log )) If q s small, we run the algorthm from Lemma 25 If q s large, we check the elements {, 2,,p } (n order) untl we fnd one whch s a qth non-resdue Lemma 3 guarantees that for large q, we wll encounter a qth non-resdue wthn the frst exp( p log ) elements: Lemma 3 For all su cently large p, for all q exp( p log ) dvdng p, there exsts a postve s apple exp( p log ) whch s a qth non-resdue Proof Our strategy wll be to assume Lemma 3 s false and then to wrte an nequalty comparng the number of exp( p log )-smooth numbers wth the number of qth resdues We wll then reduce ths nequalty to a contradcton We frst calculate (p, exp( p log )) We use the Canfeld-Erdös-Pomerance theorem p (Theorem 27), and see that u = p log = p log Therefore, p (p, exp(p log )) = p p log p +o p p p log log () For the sake of contradcton, assume that every element s apple exp( p log ) saqth resdue Snce the product of two elements whch are qth resdues s also a qth resdue, every exp( p log )-smooth number s a qth resdue We therefore know that (p, exp( p log )) s bounded above by the number of qth resdues, whch s p/q apple p/ exp( p log ) Combnng ths wth () yelds p (p/ exp(p log )) p p log p +o p p p log log Takng the log of both sdes gves p p p p log p + o p log log log Multplyng both sdes by And ths mples log apple p log p results n p log + p o p p log log log apple ( + o()) log 2 The above nequalty s clearly false, completng the proof p p log 4

5 Now that we have proven Lemma 3, we are ready to analyze the algorthm (Fgure ) Prmtve-Root(p) Factor p = Q m = qe 2 for each q : 3 f q > exp( p log ) 4 Compute the order of, 2,, untl an element a wth q e ord(a ) s found 5 f q apple exp( p log ) 6 Fnd a q th non-resdue a usng Lemma 25 7 return Q m = )/qe a(p Fgure : A pseudo-determnstc algorthm fndng a prmtve root modulo a gven prme p Correctness of the algorthm follows mmedately from Lemma 24 We wll now analyze the tme complexty of the algorthm: Lemma 32 The algorthm n Fgure runs n tme L p (/2) = exp(o( p log )) Proof By Lenstra and Pomerance s factorng algorthm [6], lne takes tme L p (/2) For each q > exp( p log ), by Lemma 3, n lne 4 we have to fnd the order of at most L p (/2) elements By Lemma 26, fndng the order each requres poly() tme, so lne 4 takes a total of L p (/2) poly() =L p (/2) tme For q apple exp( p log ), lne 6 takes at most exp( p log ) poly() =L p (/2) tme by Lemma 25 Snce there are at most prmes dvdng p, the loop n lne 2 takes a total of L p (/2) = L p (/2) tme Calculatng the product n lne 7 takes poly() tme Therefore, the algorthm as a whole termnates n expected tme L p (/2) We now show that the algorthm s pseudo-determnstc Note that the only randomzed steps of the algorthm are lne and lne 6 In lne, we use an algorthm that wth hgh probablty outputs the factorzaton of p, whch s always the same In lne 6, we use an algorthm whch s pseudo-determnstc by Lemma 25 Ths mples our man theorem: Theorem 33 There exsts a pseudo-determnstc algorthm for Prmtve-Root that runs n expected tme L p (/2) 4 Fndng a Prmtve Root Gven Factorzaton A related problem to Prmtve-Root s Prmtve-Root-Gven-Factorzaton: Defnton 4 The Prmtve-Root-Gven-Factorzaton problem s the problem of fndng a prmtve root mod p when both p and the factorzaton of p are gven as nput 5

6 For Prmtve-Root-Gven-Factorzaton, the best known Las-Vegas algorthm runs n polynomal tme The best prevously known pseudo-determnstc algorthm runs n tme p 4 +o() The algorthm from secton 3 mproves ths to L p (/2) In [5], Gat and Goldwasser pose as a problem to fnd a polynomal tme pseudo-determnstc algorthm for Prmtve-Root-Gven-Factorzaton The authors present a polynomal tme algorthm for the case p =kq, where q s prme and k s of sze poly() We mprove upon ths result wth a polynomal tme algorthm for all p where each prme factor of p s of sze ether at most log c (p) or at least p /c, for some constant c> Our algorthm runs n tme log c (p) poly() We descrbe our algorthm n Fgure 2 Prmtve-Root-Gven-Factorzaton(p, p for each q : 2 f q > exp( p log ) = Q m = qe ) 3 Compute the order of, 2,, untl an element a wth q e ord(a ) s found 4 f q apple exp( p log ) 5 Fnd a q th non-resdue a usng Lemma 25 6 return Q m = )/qe a(p Fgure 2: A pseudo-determnstc algorthm fndng a prmtve root modulo a prme p, gven both p and the factorzaton of p Correctness of the algorthm follows mmedately from Lemma 24 We now prove that f there s some constant c such that all q satsfy ether q < log c p or q >p /c, then the algorthm termnates n tme at most log c (p) poly() Frst, note that for large enough p, f q < log c p then q < exp( p log ) Also, f q >p /c then q > exp( p log ) To prove that lne 3 takes polynomal tme, we argue that for all fxed " > 0, for large enough p, f q >p /c then there exsts an a<log c+" (p) that s a q th non-resdue We do ths wth a smlar strategy to our proof of Lemma 3 We know that there are at most p q elements whch are q th resdues Suppose for the sake of contradcton that all a<log c+" (p) are q th resdues Ths mples that there are at least (p, log c+" (p)) elements whch are q th resdues Therefore, we have the nequalty q p q (p, log c+" (p)) By the Canfeld-Erdös-Pomerance theorem (Theorem 27), (p, log c+" (p)) = pu u+o(u), where u = Pluggng ths n and takng the log of both sdes yelds log log c+" p log + o log log c+" log (p) log log c+" (p) Smplfyng gves log q apple + o 6 log

7 But we know that q p /c Therefore, log q c c apple + o Further smplfyng now gves c apple (c + ") log + o Pluggng ths n and smplfyng yelds log log log However, the rght sde approaches c+", whereas the left sde s c Therefore, we have reached a contradcton, and so wthn the frst log c+" (p) elements that we test n lne 3, we wll encounter a q th non-resdue Therefore, lne 3 of the algorthm requres calculatng the order of up to log c+" (p) elements, each of whch takes poly() tme by Lemma 26 Lne 5 takes up to log c (p) poly() tme by Lemma 25 Snce there are at most prmes dvdng p, the loop n lne s of length up to It follows that our algorthm termnates and outputs a prmtve root n expected tme log c (p) poly() Note that on every executon of the algorthm, we output the same prmtve root, snce the only randomzed step of the algorthm s lne 5 whch s pseudo-determnstc by Lemma 25 Ths completes the proof of the followng theorem: Theorem 42 For any constant c>, there exsts a pseudo-determnstc algorthm for Prmtve- Root-Gven-Factorzaton that runs n polynomal tme for all p where each prme factor q of p satsfes ether q<log c (p) or q>p /c 5 Dscusson It would be nterestng to fnd a polynomal tme pseudo-determnstc algorthm for Prmtve- Root-Gven-Factorzaton for general prmes The slowest step n Las Vegas algorthms for Prmtve-Root s factorng p It would be nterestng to fnd an algorthm whch can verfy an element s a prmtve root wthout usng the factorzaton of p Acknowledgments I would lke to thank Shaf Goldwasser for ntroducng me to the prmtve root problem, for helpful dscussons, and for advce and encouragement on the paper I would also lke to thank Andrew Sutherland for helpful dscussons References [] Erc Bach How to generate factored random numbers SIAM Journal on Computng, 7(2):79 93, 988 [2] DA Burgess On character sums and prmtve roots Proceedngs of the London Mathematcal Socety, 3():79 92, 962 7

8 [3] E Rodney Canfeld, Paul Erdös, and Carl Pomerance On a problem of oppenhem concernng factorsato numerorum Journal of Number Theory, 7(): 28, 983 [4] Whtfeld D e and Martn E Hellman New drectons n cryptography Informaton Theory, IEEE Transactons on, 22(6): , 976 [5] Eran Gat and Shaf Goldwasser Probablstc search algorthms wth unque answers and ther cryptographc applcatons In Electronc Colloquum on Computatonal Complexty (ECCC), volume 8, page 36, 20 [6] Hendrk W Lenstra and Carl Pomerance A rgorous tme bound for factorng ntegers Journal of the Amercan Mathematcal Socety, 5(3):483 56, 992 [7] Vctor Shoup Searchng for prmtve roots n fnte felds Mathematcs of Computaton, 58(97): , 992 [8] Vctor Shoup A computatonal ntroducton to number theory and algebra Cambrdge unversty press, ECCC ISSN

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of