Computing Multiplicative Order and Primitive Root in Finite Cyclic Group
Shri Prakash Dwivedi ∗

Abstract
The multiplicative order of an element $a$ of a group $G$ is the least positive integer $n$ such that $a^n = e$, where $e$ is the identity element of $G$. If the order of an element equals $|G|$, the element is called a generator or primitive root. This paper describes algorithms for computing the multiplicative order and a primitive root in $\mathbb{Z}_p^*$; we also present a logarithmic improvement over the classical algorithms.

Introduction

Algorithms for computing the multiplicative order (or simply order) and a primitive root (or generator) are important in random number generation and in the discrete logarithm problem, among other areas. In this paper we consider the problem of computing the order of an element of $\mathbb{Z}_p^*$, the multiplicative group modulo $p$. As stated above, the order of an element $a \in \mathbb{Z}_p^*$ is the least positive integer $n$ such that $a^n = 1$. In number-theoretic language, the order of $a$ modulo $m$ is $n$ if $n$ is the smallest positive integer such that $a^n \equiv 1 \pmod m$. We also consider the related problem of computing a primitive root in $\mathbb{Z}_p^*$. If the order of an element $a \in \mathbb{Z}_n^*$, usually denoted $\mathrm{ord}_n(a)$, equals $|\mathbb{Z}_n^*|$, the order of the multiplicative group modulo $n$, then $a$ is called a primitive root, primitive element or generator [3] of $\mathbb{Z}_n^*$. It is called a generator because every element of $\mathbb{Z}_n^*$ is some power of $a$.

Efficient deterministic algorithms for both of these problems are not known. If the prime factorization of $\varphi(n) = |\mathbb{Z}_n^*|$ is provided, however, efficient algorithms can be designed. Factorization itself is very difficult for large numbers, and no polynomial-time algorithm is known for it, so no direct method is available to solve these problems when the size of the group, or $n$, is very large.

Work has been done on searching for primitive roots in $\mathbb{F}_{p^n}$; the task there is to generate a subset of $\mathbb{F}_{p^n}$ that contains at least one primitive root [8, 9]. Assuming the Extended Riemann Hypothesis (ERH), it has been shown that there exists a positive integer $n = (\log p)^c$, for some constant $c$, such that $n \bmod p$ is a primitive root of $\mathbb{F}_p$ [10]. The existence of a small primitive root does not, however, imply a fast method for computing a primitive root. In [5] the authors present a randomized algorithm that generates a primitive root modulo a prime with high probability; in particular, the algorithm computes every prime factor $p_i$ of $p - 1$ that is smaller than some specified bound.

Computing the order and a primitive root in $\mathbb{Z}_p^*$ requires the factorization of the group order $|\mathbb{Z}_p^*|$. Since, as mentioned above, $\varphi(p) = |\mathbb{Z}_p^*| = p - 1$ cannot be factored efficiently for large $p$, and no other approach to the problem is known, it has been suggested to construct or generate a large prime $p$ together with a primitive root of $\mathbb{Z}_p^*$.
In this setting the prime factorization of $p - 1$ is known and the task is to compute a primitive root with high probability.

∗ Email: [email protected]
Preliminaries

A group $(G, *)$ is an algebraic structure consisting of a set $G$ together with a binary operation $*$ on $G$ such that $*$ is closed and associative, $G$ possesses a unique identity element $e$, and every element $a$ of $G$ has a unique inverse $a^{-1}$. When the binary operation $*$ is clear from context, the group is simply denoted $G$. The order or size of a group is the number of elements of $G$, denoted $o(G) = |G|$. If the order of a group is a finite number, the group is called a finite group. If $G$ is a group, the order of $a \in G$ is the least positive integer $n$ such that $a^n = e$.

The set $\mathbb{Z}_n = \{0, 1, \ldots, n - 1\}$ under addition modulo $n$ forms a group in which the equivalence class $[0]_n$ is the identity and the equivalence class $[-a]_n$ is the inverse of $[a]_n$. The set $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n \mid \gcd(a, n) = 1\}$, equivalently $\mathbb{Z}_n^* = \{0 < a < n \mid \gcd(a, n) = 1\}$, under multiplication modulo $n$ forms a group with the equivalence class $[1]_n$ as identity; the inverse of $[a]_n$ is denoted $[a]_n^{-1}$.

A multiplicative group $G$ is called cyclic if $G = \langle a \rangle = \{a^n \mid n \in \mathbb{Z}\}$; that is, there exists $a \in G$ such that for every $b \in G$ there is an $n$ with $b = a^n$. Here $a$ is called a generator, primitive root or primitive element. By definition every cyclic group has a generator. For example, the additive group $\mathbb{Z}_n$ is a finite cyclic group with the equivalence class $[1]_n$ as a generator. We now state the following results, which can be found in any standard algebra text [4, 7].

Proposition 1. Let $G$ be a finite group and $H$ a subgroup of $G$; then $o(H) \mid o(G)$.

Let $H = \{a_1, a_2, \ldots, a_n\}$, so that $|H| = n$. Let $b \in G$ with $b \notin H$. Taking the product of $b$ with the elements of the subgroup $H$, we create $n$ new and distinct elements of $G$, namely $\{ba_1, ba_2, \ldots, ba_n\}$. Note that $ba_i = ba_j$ would imply $a_i = a_j$, which is impossible since all the $a_i$ are distinct by definition.
Also $ba_i = a_j$ would give $b = a_j a_i^{-1}$, and since $H$ is a subgroup it is closed and every element has an inverse, so $a_j a_i^{-1} \in H$, again a contradiction. Repeating this for every element of $G$ not already produced, we obtain $n$ further new and distinct elements of $G$ each time. If we stop after $m$ iterations then $|G| = m|H|$, and therefore $|H|$ divides $|G|$.

Proposition 2. Let $G$ be a finite group and $a \in G$; then $o(a) \mid o(G)$.

Since $\langle a \rangle = \{a^n \mid n \in \mathbb{Z}\}$ is a subgroup, which happens to be cyclic and generated by $a$, $|a|$ divides $|G|$ by Proposition 1.

Proposition 3. Let $G$ be a finite group and $a \in G$; then $a^{o(G)} = e$.

Using Proposition 2 we can write $|G| = m|a|$ for some $m \in \mathbb{Z}^+$. Hence $a^{|G|} = a^{m \cdot |a|} = (a^{|a|})^m = e^m = e$. In the number-theoretic context the above proposition can be stated as follows.

Proposition 4 (Euler's Theorem). If $a$ is relatively prime to the positive integer $n$, then $a^{\varphi(n)} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$.

This holds because $\mathbb{Z}_n^*$ is a multiplicative group with $|\mathbb{Z}_n^*| = \varphi(n)$ and identity $1$.

Proposition 5 (Fermat's Theorem). $a^p \equiv a \pmod p$ for any prime $p$ and all $a \in \mathbb{Z}_p^*$.

Restricting $n$ to a prime $p$ and putting $\varphi(p) = p - 1$ in Euler's theorem, Proposition 5 follows.

Proposition 6. Let $G$ be a finite group whose order is a prime number; then $G$ is a cyclic group.

Here $|G|$ is a prime number. Suppose $a \in G$ is distinct from $e$. By Proposition 2, $o(\langle a \rangle) \mid o(G)$ and $o(\langle a \rangle) \neq 1$. It follows that $|\langle a \rangle| = |G|$.

Proposition 7. The multiplicative group $\mathbb{Z}_n^*$ is cyclic if $n$ equals $2$, $4$, $p^e$ or $2p^e$ for an odd prime $p$ and positive integer $e$ [6].

Proposition 8. Let $a, b \in \mathbb{Z}_n^*$ such that $a$ has order $n_1$, $b$ has order $n_2$ and $\gcd(n_1, n_2) = 1$, i.e. $n_1$ and $n_2$ are relatively prime; then $ab$ has order $n_1 n_2$.

We have $(ab)^{n_1 n_2} = a^{n_1 n_2} b^{n_1 n_2} = (a^{n_1})^{n_2} (b^{n_2})^{n_1} = 1$. Therefore $o(ab) \mid n_1 n_2$. Let $m = o(ab)$; then $b^{n_1 m} = (a^{n_1})^m (b^{n_1})^m = ((ab)^m)^{n_1} = 1$.
Hence $n_2 \mid n_1 m$, but $\gcd(n_1, n_2) = 1$, so $n_2 \mid m$. Similarly $n_1 \mid m$, and therefore $n_1 n_2 \mid m$.

Proposition 9. Let $a \in \mathbb{Z}_n^*$. If $a^{p^e} = 1$ and $a^{p^{e-1}} \neq 1$ for some prime $p$ and $e \in \mathbb{Z}^+$, then $a$ has order $p^e$.

Let $m$ be the multiplicative order of $a$, that is, $m$ is the least positive integer such that $a^m = 1$. If $a^{p^e} = 1$ then $m \mid p^e$. Since $p$ is prime, $m$ is itself a power of $p$: write $m = p^{e'}$, where $e'$ is one of $0, 1, \ldots, e$. If $e' < e$ this would imply $a^{p^{e-1}} = 1$, which is a contradiction; therefore $e' = e$.

Proposition 10. Let $a \in \mathbb{Z}_p^*$, so that $a^{p-1} = 1$, and let the prime factorization of $p - 1$ be $p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$. Let $m_i$ be the largest integer such that $a^{(p-1)/p_i^{m_i}} = 1$; then the order of $a$ is $p_1^{e_1 - m_1} p_2^{e_2 - m_2} \cdots p_k^{e_k - m_k}$ [1].

Algorithms for computing the order and a primitive root can be found in any standard computational number theory text [1, 2, 7]. In this section we describe straightforward algorithms for these tasks. Computation of the multiplicative order is described in Algorithm 1. Its inputs are the prime factorization of the order of the finite cyclic group, $|\mathbb{Z}_p^*| = p - 1 = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, together with an element $a$ of the group $\mathbb{Z}_p^*$; its output is the multiplicative order of $a$.

Algorithm 1: Multiplicative-Order($\mathbb{Z}_p^*$, $a$)
INPUT: $|\mathbb{Z}_p^*| = p - 1 = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, $a \in \mathbb{Z}_p^*$
OUTPUT: multiplicative order $n$ of $a$
  $n \leftarrow p - 1$
  for ($i \leftarrow 1$; $i \le k$; $i \leftarrow i + 1$) do
    $n \leftarrow n / p_i^{e_i}$
    $b \leftarrow a^n$
    while ($b \neq 1$) do
      $b \leftarrow b^{p_i}$
      $n \leftarrow n \cdot p_i$
    end while
  end for
  return $n$

Algorithm 2 describes the Primitive-Root computation. Its input is the prime factorization of the order of the group $\mathbb{Z}_p^*$, and its output is a primitive root of this group.
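Before turning to Algorithm 2, here is Algorithm 1 in Python as an added example (not code from the paper); it assumes the factorization of $p - 1$ is passed in as a list of $(p_i, e_i)$ pairs, and includes a small trial-division factorizer and a brute-force order only to cross-check the result on small primes.

```python
# Added example (not code from the paper): Algorithm 1, Multiplicative-Order.
# Assumes p is prime, 1 <= a < p, and `factors` is the prime factorization of
# p - 1 as a list of (p_i, e_i) pairs.

def multiplicative_order(p, factors, a):
    """Return ord_p(a) from the factorization of p - 1 (Algorithm 1)."""
    if not 1 <= a < p:
        raise ValueError("a must lie in Z_p^*")
    n = p - 1                       # the group order, which ord(a) divides
    for p_i, e_i in factors:
        n //= p_i ** e_i            # strip the whole power of p_i from n ...
        b = pow(a, n, p)            # ... and test whether a^n is still 1
        while b != 1:               # b has order p_i^t for some t <= e_i
            b = pow(b, p_i, p)      # raise to p_i until b becomes 1, ...
            n *= p_i                # ... restoring one factor p_i each time
    return n

def order_by_search(p, a):
    """Brute-force ord_p(a), used only to cross-check on small primes."""
    x, n = a % p, 1
    while x != 1:
        x = x * a % p
        n += 1
    return n

def factorize(n):
    """Trial-division factorization of n as [(prime, exponent), ...]."""
    factors, d = [], 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors

def agrees_with_search(p):
    """True if Algorithm 1 matches brute force for every a in Z_p^*."""
    f = factorize(p - 1)
    return all(multiplicative_order(p, f, a) == order_by_search(p, a)
               for a in range(1, p))

if __name__ == "__main__":
    f7 = factorize(6)                     # p = 7, p - 1 = 2 * 3
    print([multiplicative_order(7, f7, a) for a in range(1, 7)])  # [1, 3, 6, 3, 6, 2]
    print(agrees_with_search(101))
```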
Primitive-Root is a randomized algorithm, as it selects a random element $a$ of $\mathbb{Z}_p^*$ in the first step of each iteration.

Algorithm 2: Primitive-Root($\mathbb{Z}_p^*$)
INPUT: $|\mathbb{Z}_p^*| = p - 1 = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
OUTPUT: primitive root $a$ of $\mathbb{Z}_p^*$
  select $a \in \mathbb{Z}_p^*$ at random
  for ($i \leftarrow 1$; $i \le k$; $i \leftarrow i + 1$) do
    $b \leftarrow a^{(p-1)/p_i}$
    if ($b = 1$) then
      return Primitive-Root($\mathbb{Z}_p^*$)
    end if
  end for
  return $a$

K-Exponentiation

To compute the multiplicative order of an element $a \in \mathbb{Z}_n^*$, where the prime factorization of $n$ is given as $n = n_1 * n_2 * \cdots * n_k = \prod_i n_i$, we are required to compute $(a^{n/n_1}, a^{n/n_2}, \ldots, a^{n/n_k})$. Let $n'_i = n/n_i$ for $i = 1, \ldots, k$; therefore $(a^{n/n_1}, a^{n/n_2}, \ldots, a^{n/n_k}) = (a^{n'_1}, a^{n'_2}, \ldots, a^{n'_k})$. Here we assume that $n'_i$ is calculated as $n'_i = n/n_i = n_1 * n_2 * \cdots * n_{i-1} * n_{i+1} * \cdots * n_k$. Computing $n'_i$ this way requires $k - 2$ multiplications; for example, $n'_1 = n/n_1 = n_2 * n_3 * \cdots * n_k$ requires $k - 2$ multiplications. Using some precomputation, $n'_i$ can be computed in only $\log k$ multiplications, so the total cost of computing $a^{n'_i}$ becomes $O(\log k \cdot (\log n)^3)$ bit operations.

For $k = 4$ we have $n = n_1 * n_2 * n_3 * n_4$. With the precomputations
  $N_{12} = n_1 * n_2$, $N_{34} = n_3 * n_4$
we can compute each $n'_i$ in only two multiplications:
  $n'_1 = n_2 * N_{34}$, $n'_2 = n_1 * N_{34}$, $n'_3 = N_{12} * n_4$, $n'_4 = N_{12} * n_3$.
Similarly for $k = 8$ we have
  $N_{12} = n_1 * n_2$, $N_{34} = n_3 * n_4$, $N_{56} = n_5 * n_6$, $N_{78} = n_7 * n_8$,
  $N_{1234} = N_{12} * N_{34}$, $N_{5678} = N_{56} * N_{78}$.
Using these precomputations, each $n'_i$ can be computed in only $\log 8 - 1 = 2$ multiplications:
  $n'_1 = n_2 * N_{34} * N_{5678}$, $n'_2 = n_1 * N_{34} * N_{5678}$,
  $n'_3 = N_{12} * n_4 * N_{5678}$, $n'_4 = N_{12} * n_3 * N_{5678}$,
  $n'_5 = N_{1234} * n_6 * N_{78}$, $n'_6 = N_{1234} * n_5 * N_{78}$,
  $n'_7 = N_{1234} * N_{56} * n_8$, $n'_8 = N_{1234} * N_{56} * n_7$.

The above method is generalized in Algorithm 3. The input to the K-Exponentiation algorithm is $n \in \mathbb{Z}^+$ together with its $k$ factors. Here we assume that $k$ is an exact power of two, that is, $k = 2^m$ for some $m \in \mathbb{Z}^+$. The output of the algorithm is the $k$ integers $a(1 \ldots k)$ with $a_i = a^{n'_i}$, where $n'_i = n/n_i = n_1 * n_2 * \cdots * n_{i-1} * n_{i+1} * \cdots * n_k$.
A brief description of the algorithm follows. First the precomputed values $N_{12}, N_{34}, \ldots$ up to $N_{1 \ldots k/2}$ and $N_{(k/2+1) \ldots k}$ are assigned. The for loop computes $n'_i$ for $i = 1, 2, \ldots, k$. The outer if checks whether $i \le k/2$; depending on that, the inner if checks whether $i$ is odd or even. If $i$ is odd, $n'_i$ is calculated in the if branch, otherwise in the else branch. The same calculation is repeated for $i > k/2$ in the outer else branch. In every case $n'_i$ is the product of the precomputed block at each level that does not contain $n_i$ (the other half, then the other quarter within the same half, and so on down to the neighbouring factor $n_{i+1}$ or $n_{i-1}$), $\log k$ factors in all.

Algorithm 3: K-Exponentiation($n$, $a$)
INPUT: $n = n_1 * n_2 * \cdots * n_k$, $a \in \mathbb{Z}_n^*$
OUTPUT: $a(1 \ldots k) = (a^{n'_1}, a^{n'_2}, \ldots, a^{n'_k})$
  $N_{12} \leftarrow n_1 * n_2$, $N_{34} \leftarrow n_3 * n_4$, ..., $N_{(k-1)k} \leftarrow n_{k-1} * n_k$
  $N_{1234} \leftarrow N_{12} * N_{34}$, ..., $N_{(k-3)(k-2)(k-1)k} \leftarrow N_{(k-3)(k-2)} * N_{(k-1)k}$
  ...
  compute $N_{1 \ldots k/2}$ and $N_{(k/2+1) \ldots k}$
  for ($i \leftarrow 1$; $i \le k$; $i \leftarrow i + 1$) do
    if ($i \le k/2$) then
      if ($i \bmod 2 = 1$) then
        $n'_i \leftarrow N_{(k/2+1) \ldots k} * \cdots * N_{(i+2)(i+3)} * n_{i+1}$
      else
        $n'_i \leftarrow N_{(k/2+1) \ldots k} * \cdots * N_{(i+1)(i+2)} * n_{i-1}$
      end if
    else
      if ($i \bmod 2 = 1$) then
        $n'_i \leftarrow N_{1 \ldots k/2} * \cdots * N_{(i+2)(i+3)} * n_{i+1}$
      else
        $n'_i \leftarrow N_{1 \ldots k/2} * \cdots * N_{(i+1)(i+2)} * n_{i-1}$
      end if
    end if
  end for
  compute $a(1 \ldots k) = (a^{n'_1}, a^{n'_2}, \ldots, a^{n'_k})$
  return $a(1 \ldots k)$

The correctness of the K-Exponentiation algorithm is easily established by induction on the number of products $k$.

Theorem 1. The K-Exponentiation algorithm computes $a_i = a^{n'_i}$ for $i = 1, 2, \ldots, k$, where $n'_i = n_1 * n_2 * \cdots * n_{i-1} * n_{i+1} * \cdots * n_k$.

Proof: Assume $k = 2^m$ for some $m \in \mathbb{Z}^+$. Since $m$ is the number of product levels in our case, we use induction on $m$. For the base case we take $m = 1$, so $k = 2^m = 2$; this case is trivial, with $n'_1 = n_2$ and $n'_2 = n_1$. As the induction hypothesis, assume the statement holds for all $m$ up to $r$, so it holds for $k = 2^r$. We construct the products for $k = 2^{r+1}$.
Note that for $k = 2^r$ we have two products of length $2^r/2$, namely $n_1 * n_2 * \cdots * n_{2^{r-1}}$ and $n_{2^{r-1}+1} * \cdots * n_{2^r}$. Using these products we construct $n_1 * n_2 * \cdots * n_{2^r} = (n_1 * n_2 * \cdots * n_{2^{r-1}}) * (n_{2^{r-1}+1} * \cdots * n_{2^r})$, the first product of length $2^r$. For the second product we need two more constructions of length $2^r/2$: $n_{2^r+1} * n_{2^r+2} * \cdots * n_{2^r+2^r} = (n_{2^r+1} * n_{2^r+2} * \cdots * n_{2^r+2^r/2}) * (n_{2^r+2^r/2+1} * \cdots * n_{2^r+2^r})$. We have now constructed both products of length $2^r$ from the products of length $2^r/2 = 2^{r-1}$, and the statement follows for $k = 2^{r+1}$. Using the $n'_i$ we can then compute $a_i = a^{n'_i}$ for $i = 1, 2, \ldots, k$.

The complexity of computing $a^{n'_i}$ for $a \in \mathbb{Z}_n^*$ is $O(\log k \cdot (\log n)^3)$ operations. Note that $n'_i$ can be computed in $O(\log k)$ multiplications, whereas $a^{n'_i}$ can be computed by the repeated squaring algorithm for modular exponentiation in $O((\log n)^3)$ bit operations for $a \in \mathbb{Z}_n^*$. In general Algorithm 3 performs $(\log k - 1) \cdot \log k$ precomputations and, using them, calculates each $n'_i$ in $\log k - 1$ multiplications.

Using the K-Exponentiation algorithm as a subroutine, we can write the Modified-Multiplicative-Order algorithm, described in Algorithm 4. Again, its inputs are the prime factorization of the group order $|\mathbb{Z}_p^*| = p - 1 = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ together with an element $a \in \mathbb{Z}_p^*$, and its output is the multiplicative order of $a$. The first step calls K-Exponentiation to compute $a_i = a^{(p-1)/p_i^{e_i}}$ for $i = 1, \ldots, k$ and stores the results in the list $a(1 \ldots k)$. In the second step $m_i$ is initialized to $0$ for $i = 1, \ldots, k$. After that, for each $i$, the while loop raises $a_i$ to the power $p_i$ and increments $m_i$ until $a_i$ becomes $1$; by Proposition 9 this $a_i$ has order $p_i^{m_i}$, and the final order is computed from these prime powers using Proposition 8.
Algorithm 4: Modified-Multiplicative-Order($\mathbb{Z}_p^*$, $a$)
INPUT: $|\mathbb{Z}_p^*| = p - 1 = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, $a \in \mathbb{Z}_p^*$
OUTPUT: multiplicative order $n$ of $a$
  $a(1 \ldots k) \leftarrow$ K-Exponentiation($p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, $a$)
  $m(1 \ldots k) \leftarrow (0, \ldots, 0)$
  for ($i \leftarrow 1$; $i \le k$; $i \leftarrow i + 1$) do
    while ($a_i \neq 1$) do
      $a_i \leftarrow a_i^{p_i}$
      $m_i \leftarrow m_i + 1$
    end while
  end for
  return $n = p_1^{m_1} p_2^{m_2} \cdots p_k^{m_k}$

Theorem 2.
Algorithm 4 computes the multiplicative order of $a \in \mathbb{Z}_p^*$.

Proof: The statement of the theorem follows from Propositions 8, 9 and 10.

The overall complexity of this algorithm is dominated by computing $a_i = a^{(p-1)/p_i^{e_i}}$, which takes $O(\log k \cdot (\log p)^3)$ bit operations in $\mathbb{Z}_p^*$.

Computing Primitive Root

A primitive root of a finite cyclic group is an element whose order equals the size of the group. From this basic definition alone we can write a simple algorithm that selects a random element $a \in \mathbb{Z}_p^*$ and computes its multiplicative order; if the multiplicative order equals $\varphi(p) = p - 1$ then $a$ is one of the primitive roots. This method is summarized in Algorithm 5, named Simple-Primitive-Root. Its if statement checks whether the order of $a$ equals $p - 1$; if so, $a$ is returned, otherwise the algorithm calls itself and starts again from the first step. If we want the least primitive root, then instead of choosing an element at random it is better to start from the least value of $a$ and proceed to the consecutive higher values $a + 1, a + 2, \ldots$.

Algorithm 5: Simple-Primitive-Root($\mathbb{Z}_p^*$)
INPUT: $|\mathbb{Z}_p^*| = p - 1 = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
OUTPUT: primitive root $a$ of $\mathbb{Z}_p^*$
  select $a \in \mathbb{Z}_p^*$ at random
  $m \leftarrow$ Multiplicative-Order($\mathbb{Z}_p^*$, $a$)
  if ($m = p - 1$) then
    return $a$
  else
    return Simple-Primitive-Root($\mathbb{Z}_p^*$)
  end if

While the above algorithm, which finds a primitive root via the multiplicative order, is simple, other methods exist for finding a primitive element; one of them we have already seen in Algorithm 2. We now describe the Modified-Primitive-Root algorithm using K-Exponentiation, outlined in Algorithm 6. Modified-Primitive-Root is almost the same as Algorithm 2, except that it calls K-Exponentiation to compute $a_i = a^{(p-1)/p_i^{e_i}}$ for $i = 1, \ldots, k$ and stores the results in the list $a(1 \ldots k)$. Whenever the if statement detects $a_i = 1$, the algorithm calls itself, going back to step 1 and choosing another random element.
Algorithm 6: Modified-Primitive-Root($\mathbb{Z}_p^*$)
INPUT: $|\mathbb{Z}_p^*| = p - 1 = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$
OUTPUT: primitive root $a$ of $\mathbb{Z}_p^*$
  select $a \in \mathbb{Z}_p^*$ at random
  $a(1 \ldots k) \leftarrow$ K-Exponentiation($p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, $a$)
  for ($i \leftarrow 1$; $i \le k$; $i \leftarrow i + 1$) do
    if ($a_i = 1$) then
      return Modified-Primitive-Root($\mathbb{Z}_p^*$)
    end if
  end for
  return $a$

The correctness of Algorithm 6 follows from Propositions 2, 8 and 9. Again the algorithm is dominated by the computation of $a_i = a^{(p-1)/p_i^{e_i}}$, which using K-Exponentiation takes $O(\log k \cdot (\log p)^3)$ operations instead of $O(k \cdot (\log p)^3)$ operations. These randomized algorithms work well in particular because, for a prime $p$, $\mathbb{Z}_p^*$ has $\varphi(\varphi(p)) = \varphi(p - 1)$ primitive roots.
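The K-Exponentiation product tree of Algorithm 3, and Algorithms 4 and 6 built on top of it, as one added Python example (not the paper's code); it assumes $p$ is prime and that the factorization of $p - 1$ is given as $(p_i, e_i)$ pairs. It goes slightly beyond the paper in that $k$ need not be a power of two (the leaf list is padded with factors $1$), and Algorithm 6's recursive restart is written as a loop.

```python
# Added example (not the paper's code). Assumes p is prime and `factors` is
# [(p_i, e_i), ...] with prod(p_i**e_i) == p - 1; k may be any size (padded).
import random

def product_tree(parts):
    """Precomputation of Algorithm 3: N_12, N_34, ..., then N_1234, ... level by
    level, stopping at the two halves. Returns (levels, multiplications used)."""
    size = 2
    while size < len(parts):
        size *= 2
    levels, mults = [list(parts) + [1] * (size - len(parts))], 0
    while len(levels[-1]) > 2:
        prev = levels[-1]
        levels.append([prev[j] * prev[j + 1] for j in range(0, len(prev), 2)])
        mults += len(levels[-1])
    return levels, mults

def cofactors(parts):
    """n'_i = n / n_i for every i, as the product of one sibling block per level."""
    levels, _ = product_tree(parts)
    out = []
    for i in range(len(parts)):
        n_prime, idx = 1, i
        for lvl in levels:
            n_prime *= lvl[idx ^ 1]     # idx ^ 1 indexes the sibling of block idx
            idx >>= 1                   # climb to the parent block
        out.append(n_prime)
    return out

def k_exponentiation(p, parts, a):
    """Algorithm 3: (a^{n'_1}, ..., a^{n'_k}) mod p."""
    return [pow(a, e, p) for e in cofactors(parts)]

def modified_multiplicative_order(p, factors, a):
    """Algorithm 4: each a_i = a^((p-1)/p_i^e_i) has order p_i^m_i (Prop. 9)."""
    a_list = k_exponentiation(p, [q ** e for q, e in factors], a)
    order = 1
    for (q, _), a_i in zip(factors, a_list):
        m_i = 0
        while a_i != 1:
            a_i = pow(a_i, q, p)
            m_i += 1
        order *= q ** m_i               # Prop. 8: coprime orders multiply
    return order

def is_primitive_root(p, factors, a):
    """The test of Algorithm 6: a generates Z_p^* iff no a_i equals 1."""
    return all(x != 1 for x in k_exponentiation(p, [q ** e for q, e in factors], a))

def modified_primitive_root(p, factors, rng=random):
    """Algorithm 6, with a loop in place of the paper's recursive restart."""
    while True:
        a = rng.randrange(1, p)
        if is_primitive_root(p, factors, a):
            return a

if __name__ == "__main__":
    f = [(2, 2), (3, 1), (5, 1)]        # p = 61: p - 1 = 60 = 2^2 * 3 * 5
    print(cofactors([4, 3, 5]), modified_multiplicative_order(61, f, 3))
```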
Conclusion

This paper described algorithms for computing the multiplicative order and a primitive root in a finite cyclic group. It also presented the K-Exponentiation algorithm as a subroutine for computing the order and primitive elements. In general, if the prime factorization of $\varphi(p) = p - 1$ is given, or $\mathbb{Z}_p^*$ is constructed in such a way that the factors of $p - 1$ are available, then efficient algorithms can be designed to compute the order and primitive roots.

References

[1] Bach, E., Shallit, J., "Algorithmic number theory: Efficient algorithms", MIT Press, 1997.
[2] Cohen, H., "A course in computational algebraic number theory", Springer, 1996.
[3] Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C., "Introduction to algorithms", MIT Press, 2009.
[4] Herstein, I.N., "Topics in algebra", Wiley, 1975.
[5] Itoh, T., Tsujii, S., "How to generate a primitive root modulo a prime", Technical Report, 2001.
[6] Niven, I., Zuckerman, H., "An introduction to the theory of numbers", Wiley, 1966.
[7] Shoup, V., "A computational introduction to number theory and algebra", Cambridge University Press, 2008.
[8] Shoup, V., "Searching for primitive roots in finite fields", Mathematics of Computation 58, 1992.
[9] Shparlinski, I., "On finding primitive roots in finite fields", Theoretical Computer Science 157, 1996.
[10] Wang, Y., "On the least primitive root of a prime", Scientia Sinica, 10, 1961.