arxiv: v1 [math.nt] 1 Sep 2015

Similar documents
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Chapter 8. P-adic numbers. 8.1 Absolute values

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

Lecture Notes, Week 6

Chapter 8 Public-key Cryptography and Digital Signatures

NOTES ON DIOPHANTINE APPROXIMATION

Congruences and Residue Class Rings

CRYPTOGRAPHY AND NUMBER THEORY

Introduction to Elliptic Curve Cryptography. Anupam Datta

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

On the Big Gap Between p and q in DSA

Notes on Systems of Linear Congruences

Lecture 1: Introduction to Public key cryptography

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

THE P-ADIC NUMBERS AND FINITE FIELD EXTENSIONS OF Q p

Jonathan Sondow 209 West 97th Street Apt 6F New York, NY USA

A. Algebra and Number Theory

A PUBLIC-KEY THRESHOLD CRYPTOSYSTEM BASED ON RESIDUE RINGS

Math/Mthe 418/818. Review Questions

Mathematics of Cryptography

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Homework 7 solutions M328K by Mark Lindberg/Marie-Amelie Lawn

P -adic root separation for quadratic and cubic polynomials

Local Fields. Chapter Absolute Values and Discrete Valuations Definitions and Comments

Goldbach s Conjecture on ECDSA Protocols N Vijayarangan, S Kasilingam, Nitin Agarwal

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

7. Prime Numbers Part VI of PJE

CPSC 467b: Cryptography and Computer Security

Valuations. 6.1 Definitions. Chapter 6

Modular Counting of Rational Points over Finite Fields

A new conic curve digital signature scheme with message recovery and without one-way hash functions

Public-Key Cryptosystems CHAPTER 4

Math 120 HW 9 Solutions

The Chinese Remainder Theorem

A Guide to Arithmetic

10 Public Key Cryptography : RSA

A CLOSED-FORM SOLUTION MIGHT BE GIVEN BY A TREE. VALUATIONS OF QUADRATIC POLYNOMIALS

Chapter 5. Number Theory. 5.1 Base b representations

ICS141: Discrete Mathematics for Computer Science I

The following techniques for methods of proofs are discussed in our text: - Vacuous proof - Trivial proof

TECHNIQUES FOR COMPUTING THE IGUSA LOCAL ZETA FUNCTION

Finite Fields and Error-Correcting Codes

An Introduction to Probabilistic Encryption

QUOTIENTS OF FIBONACCI NUMBERS

Introduction to Cryptography. Lecture 8

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Representing numbers as the sum of squares and powers in the ring Z n

Spectra of Semidirect Products of Cyclic Groups

Number Theory. Modular Arithmetic

CPSC 467: Cryptography and Computer Security

Tewodros Amdeberhan, Dante Manna and Victor H. Moll Department of Mathematics, Tulane University New Orleans, LA 70118

An Introduction to Elliptic Curve Cryptography

Math.3336: Discrete Mathematics. Mathematical Induction

Name: Mathematics 1C03

1 Number Theory Basics

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

Elementary Number Theory and Cryptography, 2014

Some Extensions to Touchard s Theorem on Odd Perfect Numbers

M381 Number Theory 2004 Page 1

MATH 158 FINAL EXAM 20 DECEMBER 2016

x = π m (a 0 + a 1 π + a 2 π ) where a i R, a 0 = 0, m Z.

Theoretical Cryptography, Lecture 13

COUNTING NUMERICAL SEMIGROUPS BY GENUS AND SOME CASES OF A QUESTION OF WILF

9 Knapsack Cryptography

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

ECE596C: Handout #11

New Variant of ElGamal Signature Scheme

14 Diffie-Hellman Key Agreement

Introduction to Cryptography Lecture 13

Lecture 7: ElGamal and Discrete Logarithms

Part V. Chapter 19. Congruence of integers

8 Complete fields and valuation rings

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

A Generalization of Wilson s Theorem

A Local-Global Principle for Diophantine Equations

The Elliptic Curve in https

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Math 299 Supplement: Modular Arithmetic Nov 8, 2013

Discrete Logarithms. Let s begin by recalling the definitions and a theorem. Let m be a given modulus. Then the finite set

Elliptic curves over Q p

Modular Arithmetic. Examples: 17 mod 5 = 2. 5 mod 17 = 5. 8 mod 3 = 1. Some interesting properties of modular arithmetic:

ElGamal type signature schemes for n-dimensional vector spaces

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Public Key Algorithms

MATH 115, SUMMER 2012 LECTURE 12

Mathematical Foundations of Public-Key Cryptography

Number Theory Homework.

2 More on Congruences

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Public Key Cryptography

Introduction to Elliptic Curve Cryptography

PROPERTIES OF THE EULER TOTIENT FUNCTION MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC IMPLICATIONS

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

Transcription:

THE DISCRETE LAMBERT MAP arxiv:1509.0041v1 [math.nt] 1 Sep 015 ANNE WALDO AND CAIYUN ZHU July 9, 014 Abstract. The goal of this paper is to analyze the discrete Lambert map x xg x (mod p e ) which is important for security and verification of the ElGamal digital signature scheme. We use p-adic methods (p-adic interpolation and Hensel s Lemma) to count the number of solutions x of xg x c (mod p e ) where p is an odd prime and c and g are fixed integers. At the same time, we discover special patterns in the solutions. 1. Introduction Adiscretelogarithmisanintegerxsolvingthe equationg x c (mod p) forsome integers c, g, and for a prime p. Finding discrete logarithms for large primes and fixed values for c and g, referred to in this paper as the discrete logarithm problem (DLP), is thought to be difficult. The exponential function is used in different forms of public-key cryptography where the security depends on the difficulty of finding solutions to the DLP. One particular class of cryptosystems where the DLP is important are digital signature schemes, which enable a message s recipient to verify the identity of the sender. A specific digital signature scheme important for our paper is the ElGamal digital signature scheme, which is a public key system. For this system the values made public are p, g, m, and h g x (mod p), while the values known only to the sender are y and x.the signature (s 1,s ) is computed as follows: s 1 g y (mod p) and s y 1 (m xs 1 ) (mod p 1), where m is the message, p is a large prime, g is a generator for p, x {1,...,p }, and y {1,...,p } such that gcd(y,p 1) = 1. The recipient of message m also receives the signature (s 1,s ) and verifies the message by computing v 1 h s1 s s 1 (mod p) and v g m (mod p). If v 1 v (mod p) then the signature is considered authentic. In order to forge a signature, there are several methods with which to attack the system. One could solve the DLP by computing x from h g x (mod p) for a fixed g, h and prime p. Another method is to fix s 1 and solve for s, requiring finding solutions to the congruence s s 1 gm h s1 (mod p), which is equivalent to solving anotherdlpsincetherighthandsideofthiscongruenceisaconstant. Bothofthese attacks are considered to be sufficiently hard and thus not feasible as a method of forgery. Athirdmethodistofixs andsolvefors 1, requiringfindingsolutionstothe congruence h s1 s s 1 gm (mod p). Rewriting this congruence, we see that solving it for s 1 is equivalent to solving the congruence s 1 (h s 1 ) s1 g Ms 1 (mod p) for s 1. Finally, setting a = h s 1 and b = g Ms 1, we see that solving these congruences is We would like to thank the Hutchcroft Fund of the Department of Mathematics and Statistics at Mount Holyoke for funding the summer research project in 014. 1

ANNE WALDO AND CAIYUN ZHU equivalent to solving the congruence s 1 a s1 b (mod p) for s 1 with a fixed a and b. Due to its similarity to the Lambert W function [] and to distinguish it from the DLP, we will refer to the map s 1 s 1 a s1 (mod p) as the discrete Lambert map. Thus we define the discrete Lambert problem (DWP) to be the problem of finding integers x such that xg x c (mod p) for fixed integers g and c. While the DLP has been studied extensively, the DWP has received very little attention although some introductory work has been done by Chen and Lotts on the DWP modulo p [1]. The lack of attention received by the DWP is in part because it is considered to be more difficult to solve than the DLP, but due to the implications that it has on the security of the ElGamal scheme we believe that it is important to study. Finding exact formulas for the solutions seems extremely difficult, but counting the number of solutions for a fixed g and c and in an extended range of values for x is much easier. In addition, we can find patterns in the solutions that will give us insight into the DWP. Beyond finding solutions and patterns modulo an odd prime p, we also wanted to look at solutions modulo p e in a similar fashion to what Holden and Robinson [3] do for the DLP.. Counting Solutions We begin by looking at the DWP modulo p, counting the solutions and finding patterns. The following theorems describe the number of solutions: Theorem 1. If p is an odd prime, g a generator modulo p, and c 0 (mod p), then for fixed g and c, if we consider the function f(x) = xg x c 0 (mod p) (1) where x {1,...,p(p 1) x 0 mod p}, then the number of x such that f(x) 0 (mod p) is p 1 and the solution set forms a complete residue system modulo p 1. In other words, the solutions are distinct modulo p 1. Proof. Since g is a generator, we can take the logorithm of equation (1) to get log g x+x log g c (mod p 1). () In order to show the solution set of equation (1) forms a complete residue system modulo p 1, we need to show there exist p 1 distinct solutions to equation (1), one for each x 0 such that x x 0 (mod p 1), for each x 0 Z/(p 1)Z. (3) If we subtract equation (3) from equation (), we get log g x log g c x 0 (mod p 1). (4) Then when we raise equation (4) to to power of g, we get x c g x0 (mod p). (5) Finally we can apply Chinese Remainder Theorem to equations (3) and (5), for each x 0, and conclude that there exist p 1 distinct solutions and they form a complete residue system modulo p 1. We can also look at what happens when g is not a generator:

THE DISCRETE LAMBERT MAP 3 Theorem. Let p be an odd prime and m = ord p (g). For fixed g and c such that p g and p c, if we consider the function f(x) = xg x c where x {1,...,pm x 0 mod p}, then the number of x such that f(x) 0 (mod p) is equal to m, and they are all distinct modulo m. Proof. Let Then we have the following equivalent statements: x x 0 (mod m). (6) f(x) = xg x c 0 (mod p) xg x0 c 0 (mod p) xg x0 c (mod p) x cg x0 (mod p). (7) So for each x 0 {1,...,m} there is an x {1,...,p}, and so by the Chinese Remainder Theorem on equations (6) and (7) there is exactly one x {1,...,pm} such that x is a zero of f(x) where x x 0 (mod m). Hence, the number of zeros f(x) 0 (mod p) is equal to m, and they are all distinct modulo m. 3. Interpolation In order to count solutions of the DWP modulo p e, we need to interpolate the function f(x) = xg x c, defined on x Z to a function on x Z p, for p an odd prime and fixed g,c Z p. However, interpolation is only possible when g 1+pZ p [3]. In order to apply the following theorem from Katok [5], we need to show f(x) = xg x c is uniformly continuous if g 1 + pz p. Then we can interpolate f : Z Z p to a new uniformly continuous function f x0 : Z p Z p. Theorem 3 (Thm. 4.15of[5]). Let E be a subset of Z p and let Ē be its closure. Let f : E Q p be a function uniformly continuous on E. Then there exists a unique function F : Ē Q p uniformly continuous and bounded on Ē such that F(x) = f(x) if x E. Proposition 4. If p is an odd prime, c Z p is fixed, and g 1 + pz p, then f(x) = xg x c is uniformly continuous for x Z. Proof. Suppose g = 1+pA where A Z p. We know that given any ǫ > 0, there exists an N such that p N < ǫ. Let x,y Z such that x y p p N < p (N 1) = δ, or (x y) p N Z p, and x = y +bp N where b Z, then we need to show that Note that xg x c (yg y c) p < ǫ. g bpn = (1+pA) bpn = 1+bp N pa+ +(pa) bpn 1+p N Z p,

4 ANNE WALDO AND CAIYUN ZHU so we know that g bpn 1 p N Z p, or g bpn 1 p p N. Further, since y Z, y p 1. Also note that bp N g bpn p p N. Now, consider xg x yg y p = (y +bp N )g y+bpn yg y p = yg y bp N +bp N g y+bpn yg y p = g y p yg bpn +bp N g bpn y p, and since g 1+pZ p, g y p = 1 = yg bpn +bp N g bpn y p = (g bpn 1)y +bp N g bpn p ) max ( g bpn 1 p y p, bp N g bpn p p N. Hence, if p is an odd prime, c Z p is fixed, and g 1+pZ p, we have shown that f(x) = xg x c is uniformly continuous for x Z. Now we can apply Theorem 3 of [5] to interpolate f : Z Z p to a function f x0 : Z p Z p. If we let ω(g) be a (p 1) th of 1 in Z p which is also called the Teichmüllercharacterofg and g 1+pZ p, thenwecanrewriteg = ω(g) g where g = g ω(g) 1+pZ p. So we can consider a new function f x0 (x) = ω(g) x0 g x c, and we have the following proposition. Proposition 5. For an odd prime p, let g Z p such that p g and x 0 Z/(p 1)Z, and let I x0 = {x Z x x 0 (mod p 1)} Z. Then f x0 (x) = xω(g) x0 g x c defines a uniformly continuous function on Z p such that f x0 (x) = f(x) whenever x I x0. 4. Hensel s Lemma Lemma 6 (Hensel s Lemma, Cor.3.3 of [3]). Let f(x) be a convergent power series in Z p [[x]] and let a Z p such that df dx (a) 0 (mod p) and f(a) 0 (mod p). Then there exists a unique x Z p for which x a (mod p) and f(x) = 0 in Z p. Lemma 7. If we consider the function f x0 (x) = xω(g) x0 exp(xlog( g )) c for any a Z p such that f(a) 0 (mod p), then df dx (a) 0 (mod p). Proof. Consider f(x) = xg x c (mod p). If we take x 0 Z/mZ where m = ord p (g), we have f x0 (x) = xω(g) x0 exp(xlog( g )) c. Note that g 1+pZ p. Furthermore, since log( g ) pz p then by the definition of the p-adic exponential function we know that exp(xlog( g )) 1+pZ p. Taking

THE DISCRETE LAMBERT MAP 5 the derivative of f x0 (x) (see proposition 4.4.4 of [4]), we have df x0 dx (x) = ω(g)x0 exp(xlog( g ))+xω(g) x0 exp(xlog( g ))log( g ) ω(g) x0 exp(xlog( g )) (mod p) ω(g) x0 (mod p) 0 (mod p). Proposition 8. For p an odd prime, let g Z p be fixed and let m = ord p(g). Then for every x 0 Z/mZ, there is exactly one solution to the function for x Z p. f x0 (x) = ω(g) x0 g x c 0 (mod p) Proof. We know that g 1 (mod p), so the equation simplifies to xω(g) x0 c (mod p). For fixed g and x 0, this has exactly one solution. We know that g is in 1+pZ p, so we can say g x = exp(xlog( g )) = 1 + xlog( g )+x log( g ) /! + higher order terms in powers of log( g ). By the definition of the p-adic logarithm we know log( g ) pz p. Since lim i log( g )i /i! p = 0, we have a convergent power series. We showed in Lemma 7 that f x0 (x) satisfies the rest of the conditions of Hensel s Lemma, so we can apply the lemma to say there is a unique solution for x Z p such that f x0 (x) 0 (mod p). Now we can take Theorems 1 and and generalize them to consider solutions modulo p e. Theorem 9 (Generalization of Theorem ). Let p be an odd prime and m = ord p (g). For fixed g and c such that p g and p c, if we consider the function f(x) = xg x c where x {1,...,p e m x 0 mod p}, then the number of x such that f(x) 0 (mod p e ) is equal to m, and they are all distinct modulo m. Proof. We can use Hensel s Lemma to count the number of solutions modulo p e given the number of solutions modulo p. In other words, the number of solutions to f x0 (x) = xω(g) x0 exp(xlog( g )) c 0 (mod p e ) is the same as the number of solutions to f x0 (x) = xω(g) x0 exp(xlog( g )) c 0 (mod p) because of the bijection from the solution set of f x0 (x) 0 modulo p to the solution set modulo p e. We showed in Proposition8that there is exactly one x 1 {1,...,p} such that x 1 ω(g) x0 g x1 c (mod p),

6 ANNE WALDO AND CAIYUN ZHU so using Hensel s Lemma there is exactly one x 1 {1,...,p e } such that x 1 ω(g) x0 g x1 c (mod p e ). By the Chinese Remainder Theorem, there will be exactly one x {1,...,p e m} such that x x 0 (mod m) and x x 1 (mod p e ). From the interpolation above we had x x 0 (mod m), and we know that for this x {1,...,p e m}: f x0 (x) = xω(g) x0 g x c 0 (mod p e ). Since there is exactly one such x for each x 0 {1,...,m}, there are m solutions to f(x) 0 (mod p e ). Corollary 10 (Generalization of Theorem 1). If p is an odd prime, g a generator modulo p, and c 0 (mod p), then for fixed g and c, if we consider the function f(x) = xg x c (8) where x {1,...,p e (p 1) x 0 mod p}, then the number of x such that f(x) 0 (mod p e ) is p 1 and the solution set forms a complete residue system modulo p 1. Proof. Since g is a generator modulo p, m = ord p (g) = p 1. Then we can apply Theorem 9 and there are p 1 solutions to xg x c (mod p e ) and they form a complete residue system modulo p 1 because they are distinct modulo p 1. 5. Patterns in the Solutions After counting the number of solutions to the DWP, we looked at patterns relating to g and c in the solutions modulo p and modulo p e. One such pattern relates the solutions to the c values associated with them: Theorem 11. Let p be an odd prime and m = ord p (g). For fixed g and c such that p g and p c, if we consider the function f(x) = xg x c where x {1,...,p e m x 0 mod p}, then for any other c { 1,...,p e 1 (p 1) }, let x i,c and x j,c for 1 i,j m index the m solutions to and x i,c g x i,c c (mod p e ) x j,c g xj,c c (mod p e ), respectively. If c x j,c (mod p), then for each x i,c there exists a unique k, 1 k m, and x k,c such that x k,c x i,c (mod p). Proof. We know from Theorem 9 that there are m solutions to f(x) 0 (mod p e ). We will show that for fixed i,j that if c x j,c (mod p), then for all x i,c there exists a unique x k,c such that x i,c x k,c (mod p). To begin, we havethe equations x i,c g x i,c c (mod p e ) (9)

THE DISCRETE LAMBERT MAP 7 and x j,c g xj,c c (mod p e ), or equivalently Since x k,c ranges through the solutions to x j,c cg xj,c (mod p e ). (10) x k,c g x k,c c (mod p e ) (11) where k {1,...,m} and by Theorem 9 the solutions x k,c are all distinct modulo m, we can choose x k,c specifically by the Chinese Remainder Theorem so that x i,c x k,c x j,c (mod m). (1) This use of the Chinese Remainder Theorem will give a unique x k,c for each x i,c becausex i,c andx j,c arebothfixed. Now, weoriginallysaidthatc x j,c (mod p), so we have the following equivalent statements from equations (9) and (10): x i,c g x i,c cg xj,c (mod p). We can substitute c with equation (11): x i,c g x i,c (x k,c g x k,c )g xj,c (mod p) x i,c g x i,c x k,c g x k,c x j,c Finally, using equation (1) we simplify to: x i,c x k,c (mod p). (mod p). Thus, for all i {1,...,m}, there is some unique k such that x i,c x k,c (mod p) when c x j,c (mod p). Anotherpatternwefoundinvolvesthesumofthesolutionsmodulopandmodulo m: Theorem 1. Let p be an odd prime and m = ord p (g). For fixed g and c such that p g and p c, if we consider the function f(x) = xg x c where x {1,...,p e m x 0 mod p}, then for each c there are m solutions, x 1,...,x m, to f(x) 0 (mod p e ) such that m x i 0 (mod p), and for odd m m x i 0 (mod m). Proof. We know from Theorem 9 that there are m solutions to f(x) 0 (mod p e ). First, we will show that for each c the solutions sum as follows: m x i 0 (mod p).

8 ANNE WALDO AND CAIYUN ZHU Since we said in Theorem 9 that for each i {1,...,m}, x i x 0 (mod m) where x 0 {1,...,m}, we can let x i i (mod m). Then we know x i cg i (mod p). Taking the sum of these x i gives us: m m x i cg i (mod p) m 1 i=0 cg i (mod p) ( ) 1 g m c (mod p) 1 g ( ) 1 1 c (mod p) 1 g 0 (mod p). Thus, m x i 0 (mod p) for each c. Now, we will show that m x i 0 (mod m) when m is odd. Again, we have that x i i (mod m). For each i {1,...,m}, we have m m x i i (mod m) m(m+1) (mod m) 0 (mod m). Thus, m x i 0 (mod m). We conjecture that the same pattern of sums holds for solutions modulo p e and modulo ord p e(g), based on the evidence for all odd primes p 17 and 1 e 4. Conjecture 13. Let p be an odd prime, m p = ord p (g) and m p e = ord p e(g). For fixed g and c such that p g and p c, if we consider the function f(x) = xg x c where x {1,...,p e m p x 0 mod p}, then for each c there are m p solutions, x 1,...,x mp, to f(x) 0 (mod p e ) such that and for odd m m p x i 0 (mod p e ) m p x i 0 (mod m p e). We also looked some patterns for fixed x and variable c. Theorem 14. Let p be an odd prime. For a fixed x {1,...,p e } and for p g and c { 1,...,p e 1 (p 1) }, if we consider xg x c (mod p e ) and let x(g 1 ) x c (mod p e ), then c c x (mod p e ). Furthermore, if we let x( g) x c (mod p e ) then c ( 1) x c (mod p e ).

THE DISCRETE LAMBERT MAP 9 Proof. First, we will show that c c x (mod p e ). Since c xg x (mod p e ) and c x(g 1 ) x (mod p e ), we can say that c c (xg x )(x(g 1 ) x ) (mod p e ) x (g x )(g x ) (mod p e ) x (mod p e ). Hence, c c x (mod p e ). Now, we need to show that c ( 1) x c (mod p e ). We have c x( g) x (mod p e ) x( 1) x g x (mod p e ) ( 1) x xg x (mod p e ) ( 1) x c (mod p e ). Thus c ( 1) x c (mod p e ). Proposition 15. Let p be an odd prime and g be a generator modulo p e. If c = p e +p e 1, then x = pe p e 1 is one of the solutions to Proof. By hypothesis, we see that xg x c (mod p e ). xg x c = pe p e 1 g pe p e 1 pe +p e 1 pe p e 1 (p e 1) pe +p e 1 = pe p e 1 p e +p e 1 p e p e 1 = pe p e 1 p e (mod p e ) = pe (p e p e 1 ) (mod p e ) = pe (p e 1 (p 1) )) (mod p e ) 0 (mod p e ). (mod p e ) (mod p e ) Notethatifg isangeneratormodulop e, ord p e(g) = p e p e 1, thusg pe p e 1 p e 1 (mod p e ) because (p e 1) 1 (mod p e ). Proposition 16. Let n and n Z +. If gcd(p,n) = 1 and p is an odd prime, then { p ord p e(p 1) n e 1 n is even = p e 1 n is odd. Proof. We will prove this by inducting on e. For our base case, let e = 1:

10 ANNE WALDO AND CAIYUN ZHU When n is even: where m Z. (p 1) n = 1 np+ np(np 1) p + +p np = 1 mp 1 (mod p), When n is odd: where a,b Z. So our base case holds: (p 1) n = 1+np+ np(np 1) p + +p np = 1+ap 1 (mod p), and (p 1) n = 1+np np(np 1) p + +p np = 1+bp p 1 (mod p) 1 (mod p), ord p (p 1) n = { 1 n is even n is odd. For our inductive hypothesis, we assume the following: { ord p e(p 1) n p e 1 n is even = p e 1 n is odd. Now, in our inductive step we need to show: { ord p e+1(p 1) n p e n is even = p e n is odd. When n is even: where k Z. (p 1) npe = 1 np e p+ npe (np e 1) p + +p npe = 1 kp e+1 1 (mod p e+1 ), When n is even, let x be the least integer such that the following equivalent equations hold: (p 1) xn 1 (mod p e+1 ). 1 xnp+ xn(xn 1) p + +p xn 1 (mod p e+1 ). xnp+ xn(xn 1) p + +p xn 0 (mod p e+1 ). px( n+dp) 0 (mod p e+1 ).

THE DISCRETE LAMBERT MAP 11 where d Z. Since gcd(p,n) = 1, then p n+dp. Therefore p e x, hence the least x = p e = ord p e+1(p 1) n. The proof for showing ord pe +1(p 1) n = p e when n is odd is a parallel to the case when n is even. Therefore p e and p e are the least integers such that { (p 1) np e 1 (mod p e+1 ) n is even (p 1) npe 1 (mod p e+1 ) n is odd. 6. Conclusions and Future Work Following Holden and Robinson [3], we counted solutions to the discrete Lambert problem modulo powers of a prime p and we found very similar results regarding the number of solutions for x in {1,...,p e (p 1)} and {1,...,p e m} where m is the multiplicative order of g modulo p. For a given g the value m is very important in understanding the number of solutions to the DWP. In addition, we found how solutions modulo p relate to c, as well as some special properties between the sum of the solutions and p e. We also found that when g is a generator modulo p e there is a special (x,c) that satisfies the DWP. According to Chen and Lotts, when g = (p 1), the solutions to the DWP modulo p are very predictable (see Section 3.4 [1]). Therefore it is not an good choice to use in a cryptosystem. However, they did not consider the solutions to the DWP modulo p e. Due to the change in the multiplicative order of p 1 modulo p e, the patterns in the solutions to the DWP become erratic and cannot be foreseen as far as we can tell. We should mention that since this work was completed Dara Zirlin [7] has extended our research to the case where p = and has also counted the number of fixed points and two-cycles of the discrete Lambert map for all primes p. In particular, she has counted the number of solutions x to xg x x (mod p e ) and the number of solutions (h, a) to the system of congruences: hg h a (mod p e ) and ag a h (mod p e ) where x, a and h range through the appropriate sets of integers, g is fixed and p is any prime. 7. Acknowledgements We would like to thank Professor Joshua Holden and Professor Margaret Robinson for their guidance and support throughout our project during the summer of 014. References [1] J. Chen and M. Lotts, Structure and Randomness of the Discrete Lambert Map, Rose-Hulman Undergraduate Mathematics Journal 13 (Spring 01), no. 1, 64 99. [] R. M. Corless, G. H. Gonnet, D. E. G. Hare, D. J. Jeffrey, and D. E. Knuth, On the Lambert W function, Advances in Computational Mathematics 5 (1996), 39-359. [3] J. Holden and M. Robinson, Counting Fixed Points, Two-Cycles, And Collision of the Discrete Exponential Function Using p-adic Methods, Journal of the Australian Mathematical Society (010). [4] F. Q. Gouvea, p-adic Numbers: An Introduction, nd ed., Springer, July 1997. [5] S. Katok, p-adic Analysis Compared with Real, 1st ed., Student Mathematical Library, American Mathematical Society, 007.

1 ANNE WALDO AND CAIYUN ZHU [6] N. Koblitz, p-adic Numbers, p-adic Analysis, and Zeta-Functions, nd ed., Graduate Texts in Mathematics, Springer, July 1984. [7] D. Zirlin, Problems motivated by Cryptology: Counting fixed points and two-cycles of the discrete Lambert Map, Undergraduate thesis presented to the Mathematics and Statistics Department at Mount Holyoke College (015). Department of Mathematics and Statistics, Mount Holyoke College, 50 College Street, South Hadley, MA 01075, USA E-mail address: waldoa@mtholyoke.edu Department of Mathematics and Statistics, Mount Holyoke College, 50 College Street, South Hadley, MA 01075, USA E-mail address: zhuc@mtholyoke.edu

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback