Primitive Roots in Finite Fields

The Primality Problem

• An integer p is prime if p > 1 and all positive numbers other than 1 and p itself cannot divide it.

• primes asks if an integer N is a prime number.

• Dividing N by 2, 3, . . . ,√

N is not efficient.

– The length of N is only log N , but √

N = 2^{0.5 log N}.

• A polynomial-time algorithm for primes was not found until 2002 by Agrawal, Kayal, and Saxena!

• We will focus on efficient “probabilistic” algorithms for primes (used in Mathematica, e.g.).

1: if n = a^b for some a, b > 1 then

2: return “composite”;

3: end if

4: for r = 2, 3, . . . , n − 1 do

5: if gcd(n, r) > 1 then

6: return “composite”;

7: end if

8: if r is a prime then

9: Let q be the largest prime factor of r − 1;

10: if q ≥ 4√

r log n and n^(r−1)/q 6= 1 mod r then

11: break; {Exit the for-loop.}

12: end if

13: end if

14: end for{r − 1 has a prime factor q ≥ 4√

r log n.}

15: for a = 1, 2, . . . , 2√

r log n do

16: if (x − a)ⁿ 6= (xⁿ − a) mod (x^r − 1) in Zn[ x ] then

17: return “composite”;

18: end if

19: end for

20: return “prime”; {The only place with “prime” output.}

The Primality Problem (concluded)

• NP ∩ coNP is the class of problems that have succinct certificates and succinct disqualifications.

– Each “yes” instance has a succinct certificate.

– Each “no” instance has a succinct disqualification.

– No instances have both.

• We will see that primes ∈ NP ∩ coNP.

– In fact, primes ∈ P as mentioned earlier.

Primitive Roots in Finite Fields

Theorem 48 (Lucas and Lehmer (1927)) ^a A number p > 1 is prime if and only if there is a number 1 < r < p (called the primitive root or generator) such that

1. r^p−1 = 1 mod p, and

2. r^(p−1)/q 6= 1 mod p for all prime divisors q of p − 1.

• We will prove the theorem later.

aFran¸cois Edouard Anatole Lucas (1842–1891); Derrick Henry Lehmer (1905–1991).

Derrick Lehmer (1905–1991)

Pratt’s Theorem

Theorem 49 (Pratt (1975)) primes ∈ NP ∩ coNP.

• primes is in coNP because a succinct disqualification is a divisor.

• Suppose p is a prime.

• p’s certificate includes the r in Theorem 48 (p. 396).

• Use recursive doubling to check if r^p−1 = 1 mod p in time polynomial in the length of the input, log₂ p.

– r, r², r⁴, . . . mod p, a total of ∼ log₂ p steps.

The Proof (concluded)

• We also need all prime divisors of p − 1: q₁, q₂, . . . , q_k.

• Checking r^(p−1)/qi 6= 1 mod p is also easy.

• Checking q₁, q₂, . . . , q_k are all the divisors of p − 1 is easy.

• We still need certificates for the primality of the q_i’s.

• The complete certificate is recursive and tree-like:

C(p) = (r; q₁, C(q₁), q₂, C(q₂), . . . , q_k, C(q_k)).

• C(p) can also be checked in polynomial time.

• We next prove that C(p) is succinct.

The Succinctness of the Certificate

Lemma 50 The length of C(p) is at most quadratic at 5 log²₂ p.

• This claim holds when p = 2 or p = 3.

• In general, p − 1 has k ≤ log₂ p prime divisors q₁ = 2, q₂, . . . , q_k.

– Reason: 2^k ≤ Q_k

i=1 q_i ≤ p − 1.

• C(p) requires: 2 parentheses and 2k < 2 log₂ p separators (length at most 2 log₂ p long), r (length at most log₂ p), q₁ = 2 and its certificate 1 (length at most 5 bits), the q_i’s (length at most 2 log₂ p), and the C(q_i)s.

The Proof (concluded)

• C(p) is succinct because, by induction,

|C(p)| ≤ 5 log₂ p + 5 + 5

Xk i=2

log²₂ q_i

≤ 5 log₂ p + 5 + 5

ÃXk

i=2

log₂ q_i

!₂

≤ 5 log₂ p + 5 + 5 log²₂ p − 1 2

< 5 log₂ p + 5 + 5(log₂ p − 1)²

= 5 log²₂ p + 10 − 5 log₂ p ≤ 5 log²₂ p for p ≥ 4.

A Certificate for 23

• As 7 is a primitive root modulo 23 and 22 = 2 × 11, so C(23) = (7, 2, C(2), 11, C(11)).

• As 2 is a primitive root modulo 11 and 10 = 2 × 5, so C(11) = (2, 2, C(2), 5, C(5)).

• As 2 is a primitive root modulo 5 and 4 = 2², so C(5) = (2, 2, C(2)).

• In summary,

C(23) = (7, 2, C(2), 11, (2, 2, C(2), 5, (2, 2, C(2)))).

aThanks to a lively discussion on April 24, 2008.

Basic Modular Arithmetics

• Let m, n ∈ Z⁺.

• m|n means m divides n and m is n’s divisor.

• We call the numbers 0, 1, . . . , n − 1 the residue modulo n.

• The greatest common divisor of m and n is denoted gcd(m, n).

• The r in Theorem 48 (p. 396) is a primitive root of p.

• We now prove the existence of primitive roots and then Theorem 48.

aCarl Friedrich Gauss.

Euler’s

Totient or Phi Function

• Let

Φ(n) = {m : 1 ≤ m < n, gcd(m, n) = 1}

be the set of all positive integers less than n that are prime to n (Z_n^∗ is a more popular notation).

– Φ(12) = {1, 5, 7, 11}.

• Define Euler’s function of n to be φ(n) = |Φ(n)|.

• φ(p) = p − 1 for prime p, and φ(1) = 1 by convention.

• Euler’s function is not expected to be easy to compute without knowing n’s factorization.

aLeonhard Euler (1707–1783).

    Q











I+Q/

HXOHUSKLQE 

Two Properties of Euler’s Function

The inclusion-exclusion principle^a can be used to prove the following.

Lemma 51 φ(n) = n Q

p|n(1 − ¹_p).

• If n = p^e₁¹p^e₂² · · · p^e_t^` is the prime factorization of n, then φ(n) = n

Y` i=1

µ

1 − 1 p_i

¶ .

Corollary 52 φ(mn) = φ(m) φ(n) if gcd(m, n) = 1.

aSee my Discrete Mathematics lecture notes.

A Key Lemma

Lemma 53 P

m|n φ(m) = n.

• Let Q_`

i=1 p^k_iⁱ be the prime factorization of n and consider Y`

i=1

[ φ(1) + φ(p_i) + · · · + φ(p^k_iⁱ) ]. (4)

• Equation (4) equals n because φ(p^k_i ) = p^k_i − p^k−1_i by Lemma 51.

• Expand Eq. (4) to yield X

k₁⁰≤k1,...,k⁰<sub>`</sub>≤k`

Y` i=1

φ(p^k_i⁰ⁱ).

The Proof (concluded)

• By Corollary 52 (p. 406), Y`

i=1

φ(p^k_i⁰ⁱ) = φ

à _` Y

i=1

p^k_i⁰ⁱ

! .

• So Eq. (4) becomes

X

k₁⁰≤k1,...,k<sub>`</sub><sup>0</sup>≤k`

φ

à _` Y

i=1

p^k_i⁰ⁱ

! .

• Each Q_`

i=1 p^k_i⁰ⁱ is a unique divisor of n = Q_`

i=1 p^k_iⁱ.

• Equation (4) becomes

Xφ(m).

The Density Attack for primes

Witnesses to compositeness

of n

All numbers < n

• It works, but does it work well?

• The ratio of numbers ≤ n relatively prime to n (the white area) is φ(n)/n.

The Density Attack for primes (concluded)

• When n = pq, where p and q are distinct primes, φ(n)

n = pq − p − q + 1

pq > 1 − 1

q − 1 p.

• So the ratio of numbers ≤ n not relatively prime to n (the grey area) is < (1/q) + (1/p).

– The “density attack” has probability < 2/√

n of factoring n = pq when p ∼ q = O(√

n ).

– The “density attack” to factor n = pq hence takes Ω(√

n) steps on average when p ∼ q = O(√ n ).

– This running time is exponential: Ω(2^{0.5 log2n}).

The Chinese Remainder Theorem

• Let n = n₁n₂ · · · n_k, where n_i are pairwise relatively prime.

• For any integers a₁, a₂, . . . , a_k, the set of simultaneous equations

x = a₁ mod n₁, x = a₂ mod n₂,

...

x = a_k mod n_k,

has a unique solution modulo n for the unknown x.

Fermat’s “Little” Theorem

Lemma 54 For all 0 < a < p, a^p−1 = 1 mod p.

• Consider aΦ(p) = {am mod p : m ∈ Φ(p)}.

• aΦ(p) = Φ(p).

– aΦ(p) ⊆ Φ(p) as a remainder must be between 0 and p − 1.

– Suppose am = am⁰ mod p for m > m⁰, where m, m⁰ ∈ Φ(p).

– That means a(m − m⁰) = 0 mod p, and p divides a or m − m⁰, which is impossible.

aPierre de Fermat (1601–1665).

The Proof (concluded)

• Multiply all the numbers in Φ(p) to yield (p − 1)!.

• Multiply all the numbers in aΦ(p) to yield a^p−1(p − 1)!.

• As aΦ(p) = Φ(p), a^p−1(p − 1)! = (p − 1)! mod p.

• Finally, a^p−1 = 1 mod p because p 6 |(p − 1)!.

The Fermat-Euler Theorem

Corollary 55 For all a ∈ Φ(n), a^φ(n) = 1 mod n.

• The proof is similar to that of Lemma 54 (p. 412).

• Consider aΦ(n) = {am mod n : m ∈ Φ(n)}.

• aΦ(n) = Φ(n).

– aΦ(n) ⊆ Φ(n) as a remainder must be between 0 and n − 1 and relatively prime to n.

– Suppose am = am⁰ mod n for m⁰ < m < n, where m, m⁰ ∈ Φ(n).

– That means a(m − m⁰) = 0 mod n, and n divides a or m − m⁰, which is impossible.

aProof by Mr. Wei-Cheng Cheng (R93922108) on November 24, 2004.

The Proof (concluded)

• Multiply all the numbers in Φ(n) to yield Q

m∈Φ(n) m.

• Multiply all the numbers in aΦ(n) to yield a^Φ(n) Q

m∈Φ(n) m.

• As aΦ(n) = Φ(n), Y

m∈Φ(n)

m = a^Φ(n)



 Y

m∈Φ(n)

m



 mod n.

• Finally, a^Φ(n) = 1 mod n because n 6 | Q

m∈Φ(n) m.

An Example

• As 12 = 2² × 3,

φ(12) = 12 × µ

1 − 1 2

¶ µ

1 − 1 3

¶

= 4.

• In fact, Φ(12) = {1, 5, 7, 11}.

• For example,

5⁴ = 625 = 1 mod 12.

Exponents

• The exponent of m ∈ Φ(p) is the least k ∈ Z⁺ such that m^k = 1 mod p.

• Every residue s ∈ Φ(p) has an exponent.

– 1, s, s², s³, . . . eventually repeats itself modulo p, say sⁱ = s^j mod p, which means s^j−i = 1 mod p.

• If the exponent of m is k and m<sup>`</sup> = 1 mod p, then k|`.

– Otherwise, ` = qk + a for 0 < a < k, and

m^` = m^qk+a = m^a = 1 mod p, a contradiction.

Lemma 56 Any nonzero polynomial of degree k has at most k distinct roots modulo p.

Exponents and Primitive Roots

• From Fermat’s “little” theorem, all exponents divide p − 1.

• A primitive root of p is thus a number with exponent p − 1.

• Let R(k) denote the total number of residues in Φ(p) that have exponent k.

• We already knew that R(k) = 0 for k 6 |(p − 1).

• So X

k|(p−1)

R(k) = p − 1 as every number has an exponent.

Size of R(k)

• Any a ∈ Φ(p) of exponent k satisfies x^k = 1 mod p.

• Hence there are at most k residues of exponent k, i.e., R(k) ≤ k, by Lemma 56 (p. 417).

• Let s be a residue of exponent k.

• 1, s, s², . . . , s^k−1 are distinct modulo p.

– Otherwise, sⁱ = s^j mod p with i < j.

– Then s^j−i = 1 mod p with j − i < k, a contradiction.

• As all these k distinct numbers satisfy x^k = 1 mod p, they comprise all solutions of x^k = 1 mod p.

Size of R(k) (continued)

• But do all of them have exponent k (i.e., R(k) = k)?

• And if not (i.e., R(k) < k), how many of them do?

• Suppose ` < k and ` 6∈ Φ(k) with gcd(`, k) = d > 1.

• Then

(s^{`</sup>)<sup>k/d</sup> = (s<sup>k</sup>)<sup>`/d} = 1 mod p.

• Therefore, s^` has exponent at most k/d, which is less than k.

• We conclude that

R(k) ≤ φ(k).

Size of R(k) (concluded)

• Because all p − 1 residues have an exponent, p − 1 = X

k|(p−1)

R(k) ≤ X

k|(p−1)

φ(k) = p − 1

by Lemma 52 (p. 406).

• Hence

R(k) =





φ(k) when k|(p − 1) 0 otherwise

• In particular, R(p − 1) = φ(p − 1) > 0, and p has at least one primitive root.

• This proves one direction of Theorem 48 (p. 396).

A Few Calculations

• Let p = 13.

• From p. 414, we know φ(p − 1) = 4.

• Hence R(12) = 4.

• Indeed, there are 4 primitive roots of p.

• As Φ(p − 1) = {1, 5, 7, 11}, the primitive roots are g¹, g⁵, g⁷, g¹¹ for any primitive root g.

The Other Direction of Theorem 48 (p. 396)

• We must show p is a prime only if there is a number r (called primitive root) such that

1. r^p−1 = 1 mod p, and

2. r^(p−1)/q 6= 1 mod p for all prime divisors q of p − 1.

• Suppose p is not a prime.

• We proceed to show that no primitive roots exist.

• Suppose r^p−1 = 1 mod p (note gcd(r, p) = 1).

• We will show that the 2nd condition must be violated.

The Proof (concluded)

• r^φ(p) = 1 mod p by the Fermat-Euler theorem (p. 414).

• Because p is not a prime, φ(p) < p − 1.

• Let k be the smallest integer such that r^k = 1 mod p.

• Note that k | φ(p) (p. 417).

• As k ≤ φ(p), k < p − 1.

• Let q be a prime divisor of (p − 1)/k > 1.

• Then k|(p − 1)/q.

• Therefore, by virtue of the definition of k, r^(p−1)/q = 1 mod p.

• But this violates the 2nd condition.

Function Problems

• Decisions problem are yes/no problems (sat, tsp (d), etc.).

• Function problems require a solution (a satisfying truth assignment, a best tsp tour, etc.).

• Optimization problems are clearly function problems.

• What is the relation between function and decision problems?

• Which one is harder?

Function Problems Cannot Be Easier than Decision Problems

• If we know how to generate a solution, we can solve the corresponding decision problem.

– If you can find a satisfying truth assignment efficiently, then sat is in P.

– If you can find the best tsp tour efficiently, then tsp (d) is in P.

• But decision problems can be as hard as the corresponding function problems.

fsat

• fsat is this function problem:

– Let φ(x₁, x₂, . . . , x_n) be a boolean expression.

– If φ is satisfiable, then return a satisfying truth assignment.

– Otherwise, return “no.”

• We next show that if sat ∈ P, then fsat has a polynomial-time algorithm.

An Algorithm for fsat Using sat

1: t := ²;

2: if φ ∈ sat then

3: for i = 1, 2, . . . , n do

4: if φ[ x_i = true ] ∈ sat then 5: t := t ∪ { x_i = true };

6: φ := φ[ x_i = true ];

7: else

8: t := t ∪ { x_i = false };

9: φ := φ[ x_i = false ];

10: end if 11: end for 12: return t;

13: else

14: return “no”;

15: end if

Analysis

• There are ≤ n + 1 calls to the algorithm for sat.^a

• Shorter boolean expressions than φ are used in each call to the algorithm for sat.

• So if sat can be solved in polynomial time, so can fsat.

• Hence sat and fsat are equally hard (or easy).

aContributed by Ms. Eva Ou (R93922132) on November 24, 2004.

tsp and tsp (d) Revisited

• We are given n cities 1, 2, . . . , n and integer distances d_ij = d_ji between any two cities i and j.

• tsp asks for a tour with the shortest total distance (not just the shortest total distance, as earlier).

– The shortest total distance must be at most 2^{| x |}, where x is the input.

∗ It is at most P

i,j d_ij.

• tsp (d) asks if there is a tour with a total distance at most B.

• We next show that if tsp (d) ∈ P, then tsp has a polynomial-time algorithm.

An Algorithm for tsp Using tsp (d)

1: Perform a binary search over interval [ 0, 2^{| x |} ] by calling tsp (d) to obtain the shortest distance, C;

2: for i, j = 1, 2, . . . , n do

3: Call tsp (d) with B = C and d_ij = C + 1;

4: if “no” then

5: Restore d_ij to old value; {Edge [ i, j ] is critical.}

6: end if

7: end for

8: return the tour with edges whose d_ij ≤ C;

Analysis

• An edge that is not on any optimal tour will be eliminated, with its d_ij set to C + 1.

• An edge which is not on all remaining optimal tours will also be eliminated.

• So the algorithm ends with n edges which are not eliminated (why?).

• There are O(| x | + n²) calls to the algorithm for tsp (d).

• So if tsp (d) can be solved in polynomial time, so can tsp.

• Hence tsp (d) and tsp are equally hard (or easy).