The Thirteenth Power Residue Symbol

Eric Brier1 and David Naccache2

1 Ingenico, Alixan, France [email protected] 2 DIENS, École normale supérieure, CNRS, PSL University, Paris, France [email protected]

Abstract. This paper presents an efficient deterministic algorithm for computing 13th-power residue th symbols in the cyclotomic field Q(ζ13), where ζ13 is a primitive 13 root of unity. The new algorithm finds applications in the implementation of certain cryptographic schemes and closes a gap in the corpus of algorithms for computing power residue symbols.

1 Introduction

Quadratic and higher-order residuosity are useful cryptographic building-blocks which applications in- clude encryption [6, 19, 15, 14], digital signature and authentication primitives [1, 13,2]. hαi A central operation underlying those algorithms is the evaluation of a residue symbol λ without p th factoring the modulus λ in the cyclotomic field Q(ζp), where ζp is a primitive p root of unity. For p = 2, it is well known that the Jacobi symbol can be computed by combining Euclid’s algorithm with quadratic reciprocity and the complementary laws for −1 and 2; see e.g. [10, Chapter 1]. This eliminates the necessity to factor λ. The cases p = {3, 4, 5, 7, 8, 11} are discussed in the following references:

p = 3 [19,4, 15] p = 4 [18,4] p = 5 [15] p = 7 [3] p = 8 [10, § 9] p = 11 [7] Caranay and Scheidler describe a generic algorithm in [3, § 7] for computing the pth-power residue symbol for any prime p ≤ 11, building on Lenstra’s norm-Euclidean algorithm. They also provide a detailed implementation for the case p = 7. The general case is addressed probabilistically in a recent algorithm by de Boer and Pagano [5]. So far no efficient and deterministic algorithm for p = 13 was known although the ring of cyclotomic integers modulo 13 is norm-Euclidean [12]. The following sections present such an algorithm. Subsection 1.1 is reproduced with minor modifications from [7] to avoid unnecessary reformulation.

1.1 Basic Definitions and Notation

2πi/p th th Fix ζ := ζp = e a primitive p root of unity and let ω = 1 − ζ. The number field Q(ζ) defines the p cyclotomic field. The ring of integers of Q(ζ) is Z[ζ] and is norm-Euclidean [11,9] (in particular, it is a unique factorization domain). Since ζ, ζ2, . . . , ζp−1 form an integral basis for Q(ζ), any element α ∈ Z[ζ] can be expressed as p−1 X j α = aj ζ with aj ∈ Z j=1 The norm and trace of α ∈ Z[ζ] are the rational integers respectively given by

p−1 p−1 Y X k N(α) = σk(α) and T(α) = σk(α) where σk : ζ 7→ ζ k=1 k=1

The group of units of Z[ζ] is the direct product of h±ζi and a free Abelian group E of rank r = (p − 3)/2. The generators of E are called fundamental units and will be denoted by η1, . . . , ηr. Two elements α and β are called associates if they differ only by a unit factor. We write α ∼ β. We follow the approach of Kummer. A central notion is that of primary elements (see [8, p. 158]) in Z[ζ]. Definition 1. An element α ∈ Z[ζ] is said to be primary whenever it satisfies α 6≡ 0 (mod ω) , α ≡ B (mod ω2) , αα ≡ B2 (mod p) for some B ∈ Z.

Lemma 1([3, Lemma 2.6]). Every element α ∈ Z[ζ] with α 6≡ 0 (mod ω) has a primary associate α∗ of the form ∗ e0 e1 er α = ± ζ η1 ··· ηr α where 0 ≤ e0, e1, . . . , er ≤ p − 1 . Moreover, α∗ is unique up to its sign. ut

1.2 Kummer’s Reciprocity Law

th hαi Let α, π ∈ Z[ζ] with π prime, π 6∼ ω, and π - α. The p -power residue symbol π is then defined to be p the pth-root of unity ζi such that

α(N(π)−1)/p ≡ ζi (mod π) .

This exponent i (with 0 ≤ i ≤ p − 1) is called the index of α w.r.t. π and is noted indπ(α). If π divides hαi α then π = 0. p Analogously to the Legendre symbol, the pth-power residue symbol generalizes: For any α, λ ∈ Z[ζ] with λ non-unit and gcd(λ, ω) ∼ 1, writing

Y ej λ = πj for primes πj ∈ Z[ζ] j

th hαi the generalized p -power residue symbol λ is defined as p

e α Y  α  j = λ π p j j p

Kummer [8] stated the reciprocity law in 1850 (see also [16, Art. 54]). It is restricted to so-called “regular” primes,3 which include odd primes p ≤ 13. Although initially formulated for primary primes in Z[ζ], the reciprocity law readily extends to all primary elements; see [3, Corollary 3.4]. Theorem 1 (Kummer’s Reciprocity Law). hαi hλi Let α and λ be two primary elements in Z[ζ]. Then λ = α . ut p p

2 Primary Elements

Let ζ be a 13th root of unity, K := Q(ζ) the 13th cyclotomic field, and define ω = 1 − ζ. We choose the following generating units for Z[ζ]:

i ηi = 1 + ζ for i = 1,..., 5

∗ ∗ We suppose that α, β ∈ Z[ζ] and denote by α , β their primary associates. Let the ei be defined by:

5 ∗ e0 Y ei α = ζ α ηi i=1 We then have

     ∗   −e0  −e1  −e2  −e3  −e4  −e5 α α α ζ η1 η2 η3 η4 η5 = = · · · · · · ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ β 13 β 13 β 13 β 13 β 13 β 13 β 13 β 13 β 13 The problem is thus two-fold: identifying the primary associate and having additional laws.

3 An odd prime p is said to be regular if it does not divide the class number of Q(ζp). 1 The first part can be solved by an algorithm based on the definition of primary elements and some special units. A primary element is congruent to a natural integer modulo ω2 and its complex norm is congruent to a natural integer modulo 13. One must keep in mind that 13 is equal to ω12 up to a unit. By definition, we have ζ = 1 − ω and v1, z1 ∈ N such that

v1 2 ζ · α ≡ z1 mod ω 11 2 2 The next step consists in using the unit ζ η4. This unit is ≡ 2 mod ω and its complex norm is 2 4 ≡ 4 + ω mod ω . So ∃v2, z2 ∈ N such that

v1 11 v2 2 v1 11 v2 2 4 ζ (ζ η4) · α ≡ z2 mod ω and NC/R(ζ (ζ η4) · α) ≡ z2 mod ω 3 3 2 3 The third step consists in using the unit ζ η1η2. This unit is ≡ 3 mod ω and its complex norm 4 6 is ≡ 9 + 3ω mod ω . So ∃v3, z3 ∈ N such that

v1 11 v2 3 3 v3 2 v1 11 v2 3 3 v3 2 6 ζ (ζ η4) (ζ η1η2) · α ≡ z2 mod ω and NC/R(ζ (ζ η4) (ζ η1η2) · α) ≡ z2 mod ω 10 2 7 4 4 4 2 10 6 3 4 5 6 The fourth, fifth, and sixth steps use the units ζ η1η2η3, η1η2η3η5 and ζ η1η2 η3η4η5 till the complex norm is equal to a natural integer modulo ω12 which is equal to 13 modulo a multiplicative unit. Since the units used are another set of generators of the unit group, the existence of a primary associate for any algebraic integer in the number field ensures that there is no term to cancel modulo odd powers of ω.

7 To finalize the primary representative algorithm, we reconstruct the ei exponents. One can also reduce these numbers modulo 13 since it does not spoil the primary nature of the result.

3 Additional Laws One way to address the needed additional laws is to rely on Ray Class Field Theory and on an isomorphism which is based on the Artin map and its link with the power residue symbols. We shall not prove the result here and limit ourselves to mention that we consider the Abelian extension L/K of conductor f = hω14i with 13p 13p 13p 13p 13p 13p 13p L := K( ω, ζ, η1, η2, η3, η4, η5) We will build an algorithm for computing the additional laws based on the following proposition: let 14 α ∈ {ω, ζ, η1, η2, η3, η4, η5}, let β, γ ∈ Z[ζ] be non-unit and coprime to ω. If, in addition, β ≡ γ mod ω , then we have: α α = β 13 γ 13 Being given a cyclotomic integer β for which one wants to compute the 13th residue symbol, we build a cyclotomic integer γ for which the computation is easy and which is ≡ β mod ω14. To that end, we define units: λ0 = η1 ≡ 2 mod ω 12 2 λ1 = η1 ≡ 1 + 7ω mod ω 35 2 3 λ2 = η1 η4 ≡ 1 + 8ω mod ω 14 We also need some particular primes in K to fully generate ZK mod ω . An automated search yields the i 14 primes λi = 1 + ω + ψiω for 3 ≤ i ≤ 13 where the constants ψi are given in Appendix A. i i+1 We have the property that, for 0 ≤ i ≤ 13, λi = 1 mod ω and λi 6= 1 mod ω . This ensures that if β is coprime to ω, there exists natural integers ei such that 13 Y ei 14 β ≡ λi mod ω i=0 From the above proposition, this implies (by multiplicativity of the residue symbols): 13 e α Y  α  i = , ∀α ∈ {ω, ζ, η1, η2, η3, η4, η5} β λ 13 i=0 i 13

Taking into account that only the exponents ei depend on β, one can pre-compute the residue symbols on the right-hand side. One can also make a direct link between the exponents ei and the coefficients of β when expressed as a polynomial in ω, using developments and the Newton formula to turn exponents in polynomials. The following framed paragraph summarizes this process in a synthetic way. Using the above-mentioned units, ∃uβ, vβ, wβ ∈ N such that

uβ uβ vβ 2 η1 · β ≡ 1 mod ω and η1 ζ · β ≡ 1 mod ω

uβ vβ 4 3 4 wβ 3 γ := η1 ζ (η1η2η3η4) · β ≡ 1 mod ω 11 X i Let the numbers d0, . . . , d11 be the ω-expansion of γ, i.e. γ = diω i=0 1 − d 6(1 − d ) − d Let us furthermore define d = 0 and d = 0 1 12 13 13 13 We then have (for the ∆i polynomials cf. to the Druidic Grimoire of Appendix A):       ω ζ ηi = ζ∆0 = ζ∆1 = ζ∆i+1 , for 1 ≤ i ≤ 5. β 13 β 13 β 13

4 Further Research: Beyond Thirteen?

The natural question that comes to the mind is what happens for p > 13? While considerably complex, the formulae for p = 17 and p = 19 should remain manageable. The real problem is – however – the lack of Euclidean division for p = 17 and p = 19. In other words, we have no deterministic way to decrease the norm of elements. The next barrier is p ≥ 23 (and beyond) for which the class number is 6= 1. This ensures in particular that no Euclidean division can exist. It however does not prevent Kummer reciprocity nor establishing additional laws. Finally, for p = 37 we stumble on a hardcore issue: a class number which is a multiple of 37. The prime 37 is not a regular and we cannot rely on Kummer reciprocity anymore. We propose as a future research direction the following workaround: Observe that

a a + br = b p b p Hence, if we can find an r such that c = a + br is prime in Q(ζ), we can apply the definition to get b c and, using reciprocity, obtain c p b p For the resulting algorithm to be a deterministic polynomial time algorithm, we would need theoretical results ensuring the existence of such rs under a given bound depending on the norms of a and b. References

[1] William D. Banks, Daniel Lieman, and Igor E. Shparlinski. An extremely small and effi- cient identification scheme. In E. Dawson et al., editors, Information Security and Privacy (ACISP 2000), volume 1841 of Lecture Notes in Computer Science, pages 378–384. Springer, 2000. doi:10.1007/10718964_31. [2] Éric Brier, Houda Ferradi, Marc Joye, and David Naccache. New number-theoretic cryptographic primitives. To appear in Number-Theoretic Methods in Cryptology (NutMiC 2019), Paris, France, June 24–27, 2019. Preprint available at URL https://ia.cr/2019/484. [3] Perlas C. Caranay and Renate Scheidler. An efficient seventh power residue symbol algorithm. International Journal of Number Theory, 6(8):1831–1853, 2010. doi:10.1142/s1793042110003770. [4] Ivan Bjerre Damgård and Gudmund Skovbjerg Frandsen. Efficient algorithms for the GCD and cubic residuosity in the ring of Eisenstein integers. Journal of Symbolic Computation, 39(6):643–652, 2005. doi:10.1016/j.jsc.2004.02.006. [5] Koen de Boer and Carlo Pagano. Calculating the power residue symbol and ibeta: Applications of computing the group structure of the principal units of a p-adic number field completion. In M. A. Burr et al., editors, 42nd International Symposium on Symbolic and Algebraic Computation, pages 117–124. ACM, 2017. doi:10.1145/3087604.3087637. [6] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984. doi:10.1016/0022-0000(84)90070-9. [7] Marc Joye, Oleksandra Lapiha, Ky Nguyen, and David Naccache. The eleventh power residue symbol. Preprint available at URL https://ia.cr/2019/870. [8] Ernst E. Kummer. Allgemeine Reziprozitätsgesetze für beliebig hohe Potenzreste. Monatsberichte der Königlichen Preußischen Akademie der Wissenschaften zu Berlin, pages 154–165, 1850. Reprinted in [17, pages 345–357]. [9] Franz Lemmermeyer. The Euclidean algorithm in algebraic number fields. Expositiones Mathemat- icæ, 13(5):385–416, 1995. URL http://www.rzuser.uni-heidelberg.de/~hb3/publ/survey.pdf. Updated version, February 14, 2004. [10] Franz Lemmermeyer. Reciprocity Laws: From Euler to Eisenstein. Springer Monographs in Mathe- matics. Springer, 2000. doi:10.1007/978-3-662-12893-0. [11] Hendrik W. Lenstra, Jr. Euclid’s algorithm in cyclotomic fields. Journal of the London Mathematical Society (2), 10(4):457–465, 1975. doi:10.1112/jlms/s2-10.4.457. [12] Robert George McKenzie. The Ring of Cyclotomic Integers of Modulus Thirteen is Norm-Euclidean. PhD thesis, Michigan State University (USA), 1988. PhD Dissertation. [13] Jean Monnerat and Serge Vaudenay. Short undeniable signatures based on group homomorphisms. Journal of Cryptology, 24(3):545–587, 2011. doi:10.1007/s00145-010-9070-1. [14] Renate Scheidler. A public-key cryptosystem using purely cubic fields. Journal of Cryptology, 11(2): 109–124, 1998. doi:10.1007/s001459900038. [15] Renate Scheidler and Hugh C. Williams. A public-key cryptosystem utilizing cyclotomic fields. Designs, Codes and Cryptography, 6(2):117–131, 1995. doi:10.1007/BF01398010. [16] Henry J. S. Smith. Report on the theory of numbers (Part II). In J. W. L. Glaisher, editor, Collected Mathematical Papers, volume 1, pages 93–162. The Clarendon Press, 1894. [17] André Weil, editor. Collected Papers I: Contributions to Number Theory. Springer-Verlag, 1975. URL https://www.springer.com/gp/book/9783662488324. [18] André Weilert. Fast computation of the biquadratic residue symbol. Journal of Number Theory, 96 (1):133–151, 2002. doi:10.1006/jnth.2002.2783. [19] Hugh C. Williams. An M 3 public-key encryption scheme. In H. C. Williams, editor, Advances in Cryptology – CRYPTO ’85, volume 218 of Lecture Notes in Computer Science, pages 358–368. Springer, 1986. doi:10.1007/3-540-39799-X_26. A Druidic Grimoire

∆0 = 2 2 2 3 12(d13+d4d5+d3d5+d3d7)+11d3d4d6+d10d3+d3d4+d6d7+d5d8+d4d9 ∆1 = P5 1 3 1 2 3 2 1 k Pv k 12 i=3 diφi+1,12−i+d3(3d3+2d4d5+d3φ4,6+d4)+9φ3,4+6φ3,6+φ3,12 where φu,v = i=u di ∆2 = 3 2 2 2 4 2 12d7 +11(d4 +d8)+10(d11 +d3d4 +d3d5 +d3)+9d9 +8(d3 +d4 +d4d6 +d3d7)+7(d12 +d3d6)+6(d5d7 +d6 + 3 2 2 2 2 d4d8+d3d9)+3(d3+d5+d5d6+d6+d4d7+d3d8)+5(d10+d3d4)+4(d3+d4d5+d5+d3d6)+2d3d5+d3d4+d4+ d3d4d5 ∆3 = 2 3 2 2 2 12(d3d9+d4d8+d5d7)+10(d3d5+d5)+9(d4+d4)+7(d3(d6+d7)+d4(d5+d6))+6(d10+d9+d6+d3d4)+5(d4+ 2 4 3 2 d6 +d5)+4d3 +3(d8 +d3)+2(d3 +d3d4d5)+d12 +d3d6 ∆4 = 4 2 2 2 2 3 2 3 12(d3d4+d8)+11d3+10(d4d6+d3d7)+9(d11+d3d4+d3d5+d6)+8(d12+d3d6+d9)+7(d3+d4+d4+d6)+6d4+ 2 2 2 5(d4d5 +d5 +d3d6 +d5d7 +d4d8 +d3d9)+4(d5d6 +d4d7 +d3d8)+3(d10 +d3 +d3 +d3d4 +d3d4d5)+d3d5 +d7 + 2d5 ∆5 = 2 2 2 2 2 4 12d6 +11(d11 +d4 +d3d4 +d3d5 +d5d7 +d4d8 +d3d9)+9(d10 +d3 +d3d4 +d5)+8d6 +7(d7 +d8)+6(d3 +d3d4 + 3 2 2 2 d3d5)+5d4+4(d3d4d5+d4d6+d3d7)+3d4+2(d12+d5+d3d6+d5d6+d4d7+d3d8)+d3 ∆6 = 2 2 2 2 11(d10 + d3d4 + d6) + 10d7 + 9(d12 + d3d6) + 7(d5d6 + d4d7 + d8 + d3d8) + 6(d11 + d3d4 + d3d5 + d3d5) + 2 3 2 2 4 5(d5 + d3d4d5) + 4(d5d7 + d4d8 + d3d9) + 3(d3 + d4 + d3d4 + d4 + d4) + 2(d4d6 + d6 + d3d7) + d3 + d3 + 2 d5

ψ = 107 z = ζ11η 3   0 4 ψ = 7436 1 11 3 10 0 4 η = 1 + ζi z = ζ3η η3 4 i 1 1 2 ψ = 1000   for 1 ≤ i ≤ 5 z = ζ10η2η7η 5 0 0 1 2 1 2  2 1 2 3 ψ = 2300   z = η η4η4η 6   3 1 2 3 5 ψ = 8632 0 0 3 7 4 10 µ = 1 z = ζ4η2η10η6η3η 7 τ =   0 4 1 2 3 4 5 ψ = 4496   µ = 0 8 0 0 0 1 4 6  1 ψ = 2307   µ = 0 s = 1 + ζ 9   2 0 ψ = 2123 0 1 0 0 0 3  s = ζ 10   1 P12 i 4 3 4 ψ11 = 9183 0 0 0 0 1 1 χ = i=0 ζ s2 = η1η2η3η4 ψ12 = 6929 ψ13 = 3194

Let P,Q be two polynomials, we denote by P mod Q the reduction of P modulo Q. x mod y denotes the usual modular reduction of integers. Let P (ζ) be a polynomial in the variable ζ. We denote by P ` the polynomial P in which ζ was replaced by `. ` may be an integer, a polynomial in ζ or any otherV expression.W Let α(ζ) be a polynomial, we define:

12 Y f[α, k] = α ζi mod χ k V W The function Coefficient isolates the coefficient of a specific term in a polynomial, i.e.:

u u X i j X i Coefficient[ ix , x ] = j or equivalently: Coefficient[ ix , x, j] = j i=0 i=0 whereas CoefficientList returns the list of all the coefficients in the indicated variable, i.e.:

u X i CoefficientList[ ix , x] = {0, . . . , u} i=0 B Code in Mathematical Form

Function PrimaryRep[ α]

α∗ = α {e1, e2, e3, e4, e5, e6} = {0, 0, 0, 0, 0, 0} While[Coefficient[ α∗ 1 − ω , ω] 6≡ 0 mod 13, α∗ = ζα∗ mod χ V W e1 + + ] For[ j = 1, j ≤ 5, j + +, While[Coefficient[ (α∗(α∗ ζ12 ) mod χ) 1 − ω , ω2j ] 6≡ 0 mod 13, ∗ ∗ α = α zj mod χ V W V W ej+1 + + ] ] e = τ · e mod 13 e ∗ e1 Q5 i+1 α = αζ i=1 ηi mod χ Return[ {α∗, e}]

Function AdditionalLaws[ α]

γ = α For[ u = 0, u ≤ 2, u + +, While[ u+1 Coefficient[ γ mod (1 − ζ) , ζ, u]6≡ µu mod 13, γ = su+1γ mod χ ] ] 12 {d0, . . . , d12 }=CoefficientList[ (ω + γ) 1 − ω , ω] d12 = (1 − d0)/13 V W d13 = 6d12 − d1/13 Return[ {∆0 . . . , ∆6} mod 13]

Function Resid[ α, β]

n = f[β, 1] γ = f[β, 2] η = α(n−1)/13 mod χ mod n Let 0 ≤ q ≤ 12 such that (η − ζq)γ mod χ ≡ 0 mod n Return[ q] C Activation Code & Execution Trace in Mathematical Form

Activation Code

For[ j = 1, j ≤ 2, j + +, pj = 4 While[ pj is composite, {ρ0, . . . , ρ11} ∈R [−min, +max] for some moderate min, max P11 i rj = i=0 ρiζ pj = f[rj , 1] ] ]

Print[" α :", α = r1 ,"\n β :", β = r2 ]

Print["Residues␣␣:␣",{Resid[ α, β],Resid[ β, α]}]

{α∗, m}=PrimaryRep[ α]

β∗ =PrimaryRep[ β ][[1]]

Print["Primaries␣:␣",{Resid[ α∗, β∗ ],Resid[ β∗, α∗ ]}]

Print["Recovered␣:␣",Resid[ α∗, β∗ ]-Prepend[ m, 0].AdditionalLaws[ β∗ ] mod 13]

Execution Trace

α : 6 − 5ζ − ζ2 − 7ζ3 + 8ζ4 − 2ζ5 + 2ζ6 + 9ζ7 + 10ζ8 − 7ζ9 − 10ζ10 − 4ζ11 β : − 9 − ζ + 3ζ3 − 2ζ4 + ζ5 + 9ζ6 + 2ζ7 + 9ζ8 + 9ζ9 − 5ζ10 − 4ζ11 Residues:{ 12, 1} Primaries:{ 10, 10} Recovered: 12 D Executable Code In[ ]:= PrimaryRep Τ Mod PolynomialPowerMod f Η : Module  Mod 1 Χ  Sum For While eeaigunits Generating Α , Return ; e Mod While e Α z ; ; s Η 1 1 3 0 0 6 0 0 4 0 10 0 1 4 0 2 1 0 7 1 0 0 3 2 4 0 0 1 0 0 0 10 3 0 11 1 Χ p  s

 2   Ζ e Α ; , Mod Χ j Ζ , If 1 4 s Mod

  i Η Ω Mod Ζ Η n ,

 Coefficient Product

3 j 2 1

11

1 Α Coefficient

, 1, Χ

j Mod ^Mod 2 Α Τ : Α s Modulus , 2 Χ  Η i

Η . Η

0 s Α 1 4 ,12 0, , ; e j 2 4 , Χ Ζ

13 , 10 , , Ζ Α : e : ,1, 0, Α

e

Ζ Η Α , Η 5,  s 3 5 z s 1 2 3 e PolynomialRemainder

Η ;

2 , 6 ; : ; ; j  Η 1

Η

1 1 4 Η Array e , Table 0  Α 3 j 2 , . 13 Mod s ; 2 3 Η Ζ , Mod ,

5 Modulus ,

Ζ  Η Ζ .  Χ 3 2 ; 10  Χ  Ζ e ,6 &, 0 1 , Ζ Α

Η & 0, 3 i s 1



1 2  Ζ Η 1 , ^2, Α i 3 Η 1 , e s , 2 , i Ω

7 4

,

, j Η i n

. 2 , 3 ,5 1, , 3 Η  Ω , Ζ  2

4 ; Modulus ,

, Floor , 12 , p e 3 Η , 5 1 Ζ  12 Η  Η &; 2 5   ; 4 e

Η

6 & 3

2

 . 4 ; Η Ζ 13 1 5 2 ,

, ,

1

2 3 0, Ω &; , 2

13.nb AdditionalLaws Module Return For  CoefficientList d1 Mod While d12 d0 ;   , , 5 6 optn dinllw hog polynomials through laws addional Computing special Computing Reducing d10 Γ Coefficient ;  , u 3 5 8 11 12 4 3 3 10 12 d7 d6 12 d2 d10 d10 d1  Ζ d13 d4 d8 d3 d6 d5 d5 d4   12 , Mod , , d5 d8 d4 d5 d3 d4 d3 d6 d4 d3 Γ 0, 2 2 2 u d11 d3 12 12 d2 d13 2 Modulus ,

Χ d12 10 2 3d4 d3

u , Α , 9 12 6 3d7 d3 d6 d3 3d5 d3

5 z Α d4 , d3 d4 d6 d11 6 Α d6 d7 d9 d3 d3 d12 2, z 4d8 d4 1 d3 d10 , , 3 1  o1modulo 1 to 4  u 2 2 PolynomialRemainder d5 d4 12 u : 4 d3 5  d5 d4 5 7 8 7 d3 12 12 d0 Ω 3d6 d3 , , d3 10 1 1 2 d3 d3 d5 12 3d6 d3 d7 d3 d12 d6 d5 , 2 2 d9 d3 d7 d4 9 d3 2 13 d6 12 6 Ζ d4 2 , , d3 d7 Ω d9 Γ d4 Γ , 3 6 13, 2 6 10  d3 d7 d6 d5 d4 3 d5 Ζ polynomial 4 d3 7 2 ; , 3 12 d4 , 3d5 d3 , , . d3 d4 3 d3 d3 6d7 d6 6 2 12 Η d8 d7 4d7 d4 Ω 3d4 d3 ,0 0 0, 1, 2 2 d6 d4 3d9 d3 3 1 2 4 Ζ 3 d6 , 1 , 4 9 12 d3 d6 d7 d5 4d5 d4 10 2 Η 10 d9 d3 d8 4 2 3d d5 d4 d3 d4 1 7 2 d0 , d3 3 d8 d5 , 3 , 7 d4 d3 4d5 d4 8 6 Η 2 12 9 d10 d9 2 4d6 d4 9 Ω 3 4d6 d4 d5 5d7 d5  3 d4 4 d8 3d d5 d4 d3 d4 , Γ 5d6 d5 13 d3 , u Η 3 , 2 , d10 4 3 d3 Ω d11 4 12 4d9 d4 6   2 12 1 11 1 6 3 , ; 6 d1 , d5 d3 3d d5 d4 d3 3 3d5 d3 11 d4 , d5 d6 d8 d3 u d11 d4 5d6 d5 2 6 , 8 Ζ , d12 , d8 2 2 d4 d6 13 3 d3 d0 , u 2 , 2 4 , 1 d12 ; , d13 Ζ   , , 13.nb 3 4 13.nb

7 d3 d7 12 d5 d7 3 d8 12 d4 d8 6 d9 12 d3 d9, Print"Α : ", Α r1,"\nΒ : ", Β r2; 2 3 4 3 d10 9 d11 8 d12 3 d3 3 d3 7 d3 11 d3 Checking residue values using associates 2 2 2 3 6 d4 12 d3 d4 3 d3 d4 7 d4 9 d3 d4 7 d4 Print"Residues : ", ResidΑ, Β, ResidΒ, Α; 2 2 2 d5 d3 d5 9 d3 d5 5 d4 d5 3 d3 d4 d5 5 d5 Αs, m PrimaryRepΑ; 2 2 7 d6 5 d3 d6 8 d3 d6 10 d4 d6 4 d5 d6 9 d6 Βs PrimaryRepΒ1; d7 10 d3 d7 4 d4 d7 5 d5 d7 12 d8 4 d3 d8 Print"Primaries : ", ResidΑs, Βs, ResidΒs, Αs; 5 d4 d8 8 d9 5 d3 d9, Print"Recovered : ", 2 4 9 d10 11 d11 2 d12 d3 9 d3 6 d3 11 d4 ModResidΑs, Βs Prependm, 0.AdditionalLawsΒs, 2 2 2 3 6 d3 d4 9 d3 d4 3 d4 11 d3 d4 5 d4 9 d5 13; 6 d3 d5 11 d32 d5 4 d3 d4 d5 2 d52 8 d6 Α : 6 5 Ζ Ζ2 7 Ζ3 8 Ζ4 2 2 2 d3 d6 4 d4 d6 2 d5 d6 12 d6 7 d7 4 d3 d7 2 Ζ5 2 Ζ6 9 Ζ7 10 Ζ8 7 Ζ9 10 Ζ10 4 Ζ11 2 d4 d7 11 d5 d7 7 d8 2 d3 d8 11 d4 d8 11 d3 d9, Β : 9 Ζ 3 Ζ3 2 Ζ4 Ζ5 9 Ζ6 2 Ζ7 9 Ζ8 9 Ζ9 5 Ζ10 4 Ζ11 2 4 11 d10 6 d11 9 d12 3 d3 d3 d3 3 d4 2 2 2 3 Residues : 12, 1 3 d3 d4 11 d3 d4 3 d4 6 d3 d4 3 d4 5 d5 2 2 Primaries : 10, 10 6 d3 d5 6 d3 d5 5 d3 d4 d5 d5 11 d6 2 2 Recovered : 12 9 d3 d6 2 d4 d6 7 d5 d6 2 d6 10 d7 2 d3 d7 7 d4 d7 4 d5 d7 7 d8 7 d3 d8 4 d4 d8 4 d3 d9, 13; ;

ResidΑ, Β : Modulen fΒ, 1, Γ fΒ, 2, Η, q, Η PolynomialPowerModΑ, n 1 13, n; Forq 0, q 12, q, q IfModΧΗ Ζ  Γ, n 0, Returnq; ; ; Generating to prime elements in cyclotomic field SeedRandom1122; Forj 1, j 2, j, pj 4; While PrimeQpj, i rj SumRandomInteger10, 10 Ζ , i, 0, 11; pj frj, 1; ; ;