CS 6260 Some Number Theory Let Z = {

Home , Quadratic residue

CS 6260 Some number theory Let Z = {. . . , −2, −1, 0, 1, 2, . . .} denote the set of integers. Let Z+ = {1, 2, . . .} denote the set of positive integers and N = {0, 1, 2, . . .} the set of non-negative integers.

If a, N are integers with N > 0 then there are unique integers r, q such that a = Nq + r and 0 ≤ r < N.

We associate to any positive integer N the following two sets: ∗ ZN ={0, 1, . . . , N − 1}, ZN={ i∈Z : 1≤i≤N−1 and gcd(i,N)=1 } Groups • Def. Let G be a non-empty set and let · denote a binary operation on G. We say that G is a group if it has the following properties:

1. Closure: For every a, b ∈ G it is the case that a · b is also in G.

2. Associativity: For every a, b, c ∈ G it is the case that (a · b) · c = a · (b · c).

3. Identity: There exists an element 1 ∈ G such that a · 1 = 1 · a = a for all a ∈ G.

4. Invertibility: For every a ∈ G there exists a unique b ∈ G such that a · b = b · a = 1.

inverse, denoted a-1 • Fact. Let N be a positive integer. Then ZN is a group under * addition modulo N, and ZN is a group under multiplication modulo N. • In any group, we can define an exponentiation operation: if i = 0 then ai is defined to be 1, i if i > 0 then a = a · a · · · a (i times) if i < 0 then ai = a-1 · a-1 · · · a-1 (j=-i times) • For all a ∈ G and all i,j ∈ Z:

• ai+j = ai · aj

• (ai)j = aij

• a-i = (ai)-1= (a-1)i • The order of a group is its size • Fact. Let G be a group and let m = |G| be its order. Then am = 1 for all a ∈ G • Fact. Let G be a group and let m = |G| be its order. i i mod m Then a = a for all a ∈ G and all i ∈ Z. * • Example. Let us work in the group Z21 ={1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20} under the operation of multiplication modulo 21. m=12.

86 86 mod 12 2 mod 12 5 mod 21 = 5 mod 21 = 5 mod 21 = 25 mod 21 = 4 • If G is a group, a set S ⊆ G is called a subgroup if it is a group in its own right, under the same operation as that under which G is a group. • If we already know that G is a group, there is a simple way to test whether S is a subgroup:

- - • it is one if and only if x · y 1 ∈ S for all x, y ∈ S. Here y 1 is the inverse of y in G. • Fact. Let G be a group and let S be a subgroup of G. Then the order of S divides the order of G. Algorithms and their running times • Since in cryptography we will be working with BIG numbers, the complexity of algorithms taking numbers as inputs is measured as a function of the bit-length of the numbers.

• E.g. PrintinBinary (A), where A=2k takes k operations W t 9 in F 4 h . ig p e e 2 u u . d qu 2 t r eﬁ e v o a 9 n t lu .1 ien e In e : t h t t is S eg e a ome in n a er n d t eg in r ema d er t b i eg as v d i er in ivisio ic s i d a o er algor n n d n

o Some basic algorithms a t b f h n u t e ith a n d in ct r u m

ed Algorithm Input Output Running Time ms io n n o n b in d a y an INT-DIV a, N (N > 0) (q, r) with a = Nq + r and 0 ≤ r < N O(|a| · |N|) s g a d t t d l a ivid ime g MOD a, N (N > 0) a mod N O(|a| · |N|) kin th o ri in g eir

is EXT-GCD a, b ((a, b) "= (0, 0)) (d, a, b) with d = gcd(a, b) = aa + bb O(|a| · |b|) t g in h t a h p m ZN r MOD-ADD a, b, N (a, b ∈ ) (a + b) mod N O(|N|) e u u b t s y n

n 2 t u MOD-MULT a, b, N (a, b ∈ ZN ) ab mod N O(|N| ) n w N m in o

. ∗ ∗ 2 b in g MOD-INV a, N (a ∈ ZN ) b ∈ ZN with ab ≡ 1 (mod N) O(|N| ) er T t h time.

eg n 2 o a MOD-EXP a, n, N (a ∈ ZN ) a mod N O(|n| · |N| ) C f t er OMP b is, n s it EXPG a, n (a ∈ G) a ∈ G 2|n| G-operations a o t U , h U p N n e T er less , A f a u w T t n I io it ONA ct o h n t io s. h N n er L G > w r NU et d ise 0 u en MB , r a n in o n s t ER d d es ( ica r q et T a , r t HEOR u g ed ) r r su n o , u in a c p Y h n g . Cyclic groups and generators • If g ∈ G is any member of the group, the order of g is defined to be the least positive integer n such that gn = 1. We let = { gi : i ∈ } = {g0,g1,..., gn-1} denote the set of Zn group elements generated by g. This is a subgroup of order n.

• Def. An element g of the group is called a generator of G if =G, or, equivalently, if its order is m=|G|.

• Def. A group is cyclic if it contains a generator. • If g is a generator of G, then for every a ∈ G there is a unique integer i ∈ such that gi = a. This i is called the discrete Zm logarithm of a to base g, and we denote it by DLogG,g(a).

DLog (a) is a function that maps G to , and moreover this • G,g Zm function is a bijection.

i The function of to G defined by i → g is called the discrete • Zm exponentiation function 8 COMPUTATIONAL NUMBER THEORY

8 COMPUTATIONAL NUMBER THEORY Fig. 9.1. (The input a is not required to be relatively prime to N even though it usually will be, so is listed as coming from ZN .) In that case, each group operation is implemented via MOD-MULT and takes O(|N|2) time, so the running time of the algorithm is O(|n| · |N|2). Since n is usually Fig. 9.1. (The input a is not r3equired to be relatively prime to N even though it usually will be, so in ZN , this comes to O(|N| ). The salient fact to remember is that modular exponentiation is a is listcubedic taimes coaminlgorgitfhrm.om ZN .) In that case, each group operation is implemented via MOD-MULT and takes O(|N|2) time, so the running time of the algorithm is O(|n| · |N|2). Since n is usually Z 3 in 9.N3, thisCcoycmeslic tgoroO(u|Np|s).anThde gsaenlieneratt factotrso remember is that modular exponentiation is a cubic time algorithm. Let G be a group, let 1 denote its identity element, and let m = |G| be the order of G. If g ∈ G 9.is3 anyCmemyclbierc ogf rotheugprosupan, thde orgdereneratof g isodrsefined to be the least positive integer n such that gn = 1. We let i 0 1 n−1 Let G be a group, let 1 deno"tge# it=s id{ gent:ityi ∈elemenZn } t=, a{ngd,letg , .m. .=, g |G|}be the order of G. If g ∈ G is adnenyomemte thbeersetofofthgerogurpouelemenp, thetsorgdereneroaftedg isbydgefi. nAedfatcto wbe dthoenleaot stpropvoe,sitbivute isinteaegsyertno vsuercifhy,thisat n g t=ha1t.thWisesetletis a subgroup of G. The order of this subgroup (which, by definition, is its size) is just i 0 1 n−1 the order of g. Fact 9.6 tells"g#us=th{atgth:e ior∈derZnn}of=g d{ividg , ges,t.h.e. ,ogrder }m of the group. An element dengootfe tthhee gsetrouopf isgrcaoulledp elemena genters atorgeneroaftGedifby"gg#.=AGf,actor,weque divoanlenottlypr,oifve,itsbuotrdisereaissym.toIfverg ifisy,ais i thagtentherisatsetor oisf Ga suthbengrofourpevoferGy.aT∈heGortdhereoisf tahisunsuiqubgeroinutpeg(erwhiic∈h,Zbmy sudefichntithioatn,gis=itsa.size)Thisisijuisst thecaolledrderthoef gd.iscrFaetcte 9lo.6gatrellsithmusotfhaattothbeaseordger, andofwge denividotese itthbeyoDrdLoergmG,go(fa)t.heTghruos,upD.LoAgnGelemen,g(·) is t Z g oaf ftuhnectgioronutphaist macalledps Gatgeno erm,atorand omof Greoifver"gt#h=is fGun, ctorio, nequis iva ablenijecttlyio,nif, meaits onrindgeronise-tmo.-oIfneganisd a onto. The function of Z to G defined by i $→ gi is called the discrete exponentiation function, generator of G then for evmery a ∈ G there is a unique integer i ∈ Z such that gi = a. This i is and the discrete logarithm function is the inverse of the discrete expomnentiation function. called the discrete logarithm of a to base g, and we denote it by DLogG,g(a). Thus, DLogG,g(·) is ∗ a fEunxampctionleth9.9at maLetpspG=t1o1Z, wmh,icahndismoprime.reoverThtenhisZf1u1n=ctio{1n, 2is, 3a, 4b,ij5,ect6, io7,n8,, 9mea, 10}ninhagsoonre-tderop-o−ne1a=nd i ont1o0.. LetTheufsufinnctdiotnheosuf ZbgmrotuopsGgendefiernaedtedbbyyigr$→oupg elemenis calledts 2tahnedd5iscr. Weteeraexpiseotnhenemtiatotiothnefpuonwcteriosn, andi =th0e, .d.iscr. , 9et. We loe getar:ithm function is the inverse of the discrete exponentiation function. * • Example. Let p = 11. Then Z11 = {1,2,3,4,5,6,7,8,9,10} has Example 9.9 Let p = 11, which is pirime.0 T1 hen2 Z3 ∗ 4= {51, 26, 3,74, 58, 6,97, 8, 9, 10} has order p − 1 = order p − 1 = 10. We find the1 1subgroups generated by group 10. Let us find the subgroupsi generated by group elements 2 and 5. We raise them to the powers elements 2 andmod 15.1 W1e 2raise4 8them5 1to0 the9 7 powers3 6 0,...,9. i = 0, . . . , 9. We get: 5i mod 11 1 5 3 4 9 1 5 3 4 9 • Looking at which elements appear ini th0e r1ow 2corr3esp4ond5ing 6to 27 an8d 59, respectively, we can determine the sub•groups these 2giromoupdelemen11 1ts 2gen4erat8e: 5 10 9 7 3 6 i "2# = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} • 5 mod 11 1 5 3 4 9 1 5 3 4 9 Looking at which elements appear"5in# th=e ro{w1, 3co, 4r,r5esp, 9}on.ding to 2 and 5, respectively, we can deter- * mine the subgro<2>ups ∗t h=ese {1,2,3,4,5,6,7,8,9,10}=group elements generate: Z11 <5> = {1,3,4,5,9}∗ Since "2# equals Z11, the element 2 is a generator. Since a generator exists, Z11 is cyclic. On the other hand, "5# '= Z∗ , so 5 is not a generator. The order of 2 is 10, while the order of 5 is 5. 11 "2# = {1, 2, 3*, 4, 5, 6, 7, 8, 9, 10} Note that these2 isor daer geners dividatore the oandrder thus10 of tZh11e g isro ucyp.clic.The table also enables us to determine the discrete logarithms to base 2 of"t5h#e d=iffer{en1,t3g,r4o,u5p, 9elemen} . ts: ∗ ∗ Since "2# equals Z11, the element 2 is a generator. Since a generator exists, Z11 is cyclic. On the ∗ a 1 2 3 4 5 6 7 8 9 10 other hand, "5# '= Z11, so 5 is not a generator. The order of 2 is 10, while the order of 5 is 5. DLogZ∗ (a) 0 1 8 2 4 9 7 3 6 5 Note that these orders divide the o11r,d2 er 10 of the group. The table also enables us to determine the discrLaettere wloegawrillithseems atowbayaseof 2idoenf tifhyine dgiffaerllenthteggrenouerpaelementors givtens: that we know one of them. The discrete exponentiation functaion1is 2con3ject4ured5 to6 be7on8e-w9ay 1(mea0 ning the discrete logarithm function is hard to compute) for some cyclic groups G. Due to this fact we often seek cyclic Z∗ DLog 11,2(a) 0 1 8 2 4 9 7 3 6 5 Later we will see a way of identifying all the generators given that we know one of them. The discrete exponentiation function is conjectured to be one-way (meaning the discrete logarithm function is hard to compute) for some cyclic groups G. Due to this fact we often seek cyclic Choosing cyclic group and generators

• The discrete log function is conjectured to be one-way (hard to compute) for some cyclic groups G. Due to this fact we often seek cyclic groups.

• Examples of cyclic groups:

* for a prime p, • Zp

• a group of prime order • We will also need generators. How to chose a candidate and test it?

α1 αn • Fact. Let G be a cyclic group and let m = |G|. Let p1 · · ·pn be the prime factorization of m and let mi = m/pi for i = 1,...,n. Then g ∈ G is a generator of G if and only if for all i = 1, . . . , n: g m i ≠ 1.

• Fact. Let G be a cyclic group of order m, and let g be a generator of i ∈ ∈ ∗ G. Then Gen(G) = { g G : i Zm } and |Gen(G)| = φ(m). Bellare and Rogaway 11

∗ Since g is a generator, it must be that ij ≡ 0 (mod m), meaning m divides ij. But i ∈ Zm so gcd(i, m) = 1. So it must be that m divides j. But j ∈ Zm and the only member of this set divisible by m is 0, so j = 0 as desired. ∗ i Next, suppose i ∈ Zm −Zm and let h = g . To show that h is not a generator it suffices to show that j ∗ there is some non-zero j ∈ Zm such that h = 1. Let d = gcd(i, m). Our assumption i ∈ Zm − Zm implies that d > 1. Let j = m/d, which is a non-zero integer in Zm because d > 1. Then the following shows that hj = 1, completing the proof: · · hj = gij = gi m/d = gm i/d = (gm)i/d = 1i/d = 1. We used hereExamplethe fact th. aLett d dusivid determinees i and tha allt g mthe= 1gener. ators of the group ∗ . Its • Z11 1 1 size is m = φ(11) = 10, and the prime factorization of 10 is 2 · 5 . ∗ Example 9.15Thus,Let uthes det testermin fore a llwhetherthe gener at ogivrs oenf th ae g∈r oZup∗ Z is11 .aLet generus firatorst use isP rthatoposit io n 9.13. ∗ 11 1 1 The size of Z11 is m = ϕ(11) = 10, and the prime factorization of 10 is 2 · 5 . Thus, the test for 2 ∗ 5 2 5 whether a givaen a≠ ∈1 Z(mod11 is a11)gen erandato rais t≠h a1t a(mod$≡ 1 11).(mod 11) and a $≡ 1 (mod 11). Let us compute a2 mod 11 and a5 mod 11 for all group elements a. We get: • a 1 2 3 4 5 6 7 8 9 10 • a2 mod 11 1 4 9 5 3 3 5 9 4 1 • a5 mod 11 1 10 1 1 1 10 10 10 1 10 The generators are those a for which the corresponding column has no entry equal to 1, meaning Gen(Z∗ ) = {2,6,7,8} . in both row•s, the ent11ry for this column is different from 1. So Gen ∗ Double-checking: | ∗ |=10,(Z11) = {∗2, 6 ={1,3,7,9}, 7, 8} . • Z11 Z10 Now, let us use Proposition 9.14 and double-check that we get the same thing. We saw in { 2i ∈ G : i ∈ Z ∗ }={ ∗21, 23, 27, 29 (mod 11)} = {2,6,7,8} Example 9.9 that 2 was a gener10ator of Z11. As per Proposition 9.14, the set of generators is ∗ i ∗ Gen(Z11) = { 2 mod 11 : i ∈ Z10 } . ∗ i This is because the size of the group is m = 10. Now, Z10 = {1, 3, 7, 9}. The values of 2 mod 11 as i ranges over this set can be obtained from the table in Example 9.9 where we computed all the powers of 2. So

i ∗ 1 3 7 9 { 2 mod 11 : i ∈ Z10 } = {2 mod 11, 2 mod 11, 2 mod 11, 2 mod 11} = {2, 6, 7, 8} .

This is the same set we obtained above via Proposition 9.13. If we try to find a generator by picking group elements at random and then testing using Proposition 9.13, each trial has probability of success ϕ(10)/10 = 4/10, so we would expect to find a generator in 10/4 trials. We can optimize slightly by noting that 1 and −1 can never be generators, and thus we only need pick candidates ∗ randomly from Z11−{1, 10}. In that case, each trial has probability of success ϕ(10)/8 = 4/8 = 1/2, so we would expect to find a generator in 2 trials.

When we want to work in a cyclic group in cryptography, the most common choice is to work ∗ over Zp for a suitable prime p. The algorithm for ﬁnding a generator would be to repeat the process of picking a random group element and testing it, halting when a generator is found. In order to make this possible we choose p in such a way that the prime factorization of the order p − 1 of 12 COMPUTATIONAL NUMBER THEORY

12 COMPUTATIONAL NUMBER THEORY ∗ Zp is known. In order to make the testing fast, we choose p so that p − 1 has few prime factors. Accordingly, it is common to choose p to equal 2q + 1 for some prime q. In this case, the prime ∗ 1 1 factorization of p−1 isZAlgorithmp2 isq kn, soowwne. nIneedordrera isefortoamaca knfindingedidthaetteesttoinognlyf aasttw, owgenerepocwhoerossetopatortsoestthwahtetph−er1ohrans oftew prime factors. it is a generator. In cAhccooosinrding gcalyn, ditidisatcoes,mmowenoptotimizechoosesligp htotlyequbyaln2oqtin+g1 tfhoar tso1meanpdrime−1 aqr.eInnevtheris case, the prime ∗ Thefacto mostrizatio commonn of p−1 ischoice21q1, soof wae groupneed∗ r ainise cryptoa cand idisa Zte toforon aly primetwo po wp∗.ers to test whether or not generators, and acco• rdingly pick the candidates from Zp − {1, p − 1} ratherp than from Zp. So the it is a generator. In choosing candidates, we optimize slightly by noting that 1 and −1 are never algorithm is as follows: ∗ ∗ • Ideagener.a Picktors, aa nrdandomaccord inelementgly pick andthe catestndid it.at esChosefrom pZ s.t.p − {the1, p −prime1} ra ther than from Zp. So the factorizationalgorithm is a soffo thellow s:order of the group (p-1) is known. E.g., chose Algorithm FIND-GENa (primep) p s.t. p=2q+1 for some prime q. q ← (p − 1)/2 Algorithm FIND-GEN(p) found ← 0 • q ← (p − 1)/2 found While ( #= 1) dofound $ ∗ • ← 0 g ← Zp − {1, p − 1W} hile (found #= 1) do If (g2 mod p #= 1•) and (g$q mo∗ d p #= 1) then found ← 1 g ← Zp − {1, p − 1} EndWhile 2 q • If (g mod p #= 1) and (g mod p #= 1) then found ← 1 Return g EndWhile • Return g Proposition 9.13 tells us that the group element g returned by this algorithm is always a generator ∗ • The probability that an iteration of the algorithm is successful in of Zp. By PropositionP9r.1op4o,sitthioenpr9o.1b3abtellsilityutshtahtaat nthiteergraotuiopnelemenof thetaglgroetriturhnmedisbysutccessfhis alguolrinithﬁmndisinaglways a generator finding∗ a generator is a generator is of Zp. By Proposition 9.14, the probability that an iteration of the algorithm is successful in ﬁnding ∗ a |gGenener(aZto)r|is ϕ(p − 1) ϕ(2q) q − 1 1 p = = ∗ = = . ∗ |Gen(Zp)| ϕ(p − 1) ϕ(2q) q − 1 1 |Zp| − 2 p − 3 2q −= 2 2q −=2 2 = = . |Z∗| − 2 p − 3 2q − 2 2q − 2 2 Thus the expected number of iterations of thpe while loop is 2. Above, we used that fact that ϕ(2q) = q − 1 which isThtruusethbeecaexpuseectqedis npurmime.ber of iterations of the while loop is 2. Above, we used that fact that ϕ(2q) = q − 1 which is true because q is prime.

9.4 Squares an9.d4 noSnqu-saresquaresand non-squares

An element a of a groAunp elemenG is catlleda ofaasquargroupe,Gorisquadrcalledatiacsquarresiduee, orifquadrit haatis ca rsquesidueare ifroitoth, ameas a nsquingare root, meaning 2 there is some b ∈ G suthcherethisatsobme=ba∈inG Gsu.chWtehalett b2 = a in G. We let QR(G) = { g ∈ G :QgR(isG)qu=ad{ragtic∈ Gresid: gueisinquGad}ratic residue in G } denote the set of all dsquenoatreesthine settheogfraollupsquGa.resWine leathevegrtooupthGe .reaWdeerleatvoecthoectkhethreaatderthistosetchecisk athat this set is a subgroup of G. subgroup of G. ∗ ∗ We are mostly interestWede ainretmohestcalyseinwterheresteedthine gtrhoeucap seG wishZerNe tfhoer gsoromeup inGtisegZerNNfo.rAsonmeintinegtegerera N. An integer a is called a square mod N or quadratic residue mod N if a mod N is a ∗member2 of QR(Z∗ ). If b2 ≡ a is called a square mod N or quadratic residue mod N if a mod N is a member of QR(ZN ). If b ≡ a N (mod N) then b is called(moda Nsqu) tahrene-roboist caoflleda moa dsquNa.re-rAnooint toegf aermoa disNca. lledAn ina tnegoner-squara is caelledmoda Nnono-squarr e mod N or quadratic non-residue mod N if a mod N∗ is a mem∗ber of Z∗ − QR(Z∗ ). We will begin by looking quadratic non-residue mod N if a mod N is a member of ZN − QR(ZN ). We Nwill beginNby looking at the case where N = p is a prime. In this case we deﬁne a function Jp: Z → {−1, 1} by at the case where N = p is a prime. In this case we deﬁne a function Jp: Z → {−1, 1} by 1 if a is a square mod p 1 if a is a square mod p  Jp(a) =  0 if a mod p = 0 Jp(a) =  0 if a mod p =0    −1 otherwise.  −1 otherwise.  for all a ∈ Z. Wecall J (a) the Legendre symbol of a. Thus, the Legendre symbol is simply a  p for all a ∈ Z. We cacoll mpJp(aact) nthoteatLioegenn fodrr teellinsymgbuols wohfetah. erTohruns,otthites aLegrguenmendrte issyma squbolarise mosimpdulylo pa. compact notation for tellinBefgoures wwehetmohvere toor dnevoteloitpsinarggtuhmene thteoisry,aitsqumaayrebmoe usefduulol tpo. look at an example. Before we move to developing the theory, it may be useful to look at an example. 12 COMPUTATIONAL NUMBER THEORY

∗ Zp is known. In order to make the testing fast, we choose p so that p − 1 has few prime factors. Accordingly, it is common to choose p to equal 2q + 1 for some prime q. In this case, the prime factorization of p−1 is 21q1, so we need raise a candidate to only two powers to test whether or not it is a generator. In choosing candidates, we optimize slightly by noting that 1 and −1 are never ∗ ∗ generators, and accordingly pick the candidates from Zp − {1, p − 1} rather than from Zp. So the algorithm is as follows:

Algorithm FIND-GEN(p) q ← (p − 1)/2 found ← 0 While (found #= 1) do $ ∗ g ← Zp − {1, p − 1} If (g2 mod p #= 1) and (gq mod p #= 1) then found ← 1 EndWhile Return g

Proposition 9.13 tells us that the group element g returned by this algorithm is always a generator ∗ of Zp. By Proposition 9.14, the probability that an iteration of the algorithm is successful in ﬁnding a generator is ∗ |Gen(Zp)| ϕ(p − 1) ϕ(2q) q − 1 1 ∗ = = = = . |Zp| − 2 Squaresp − 3 2q − 2and2q − non-squares2 2 Thus the expected number• Defof it. erAnat ioelementns of th eaw ofhile a grouploop is G2. isA calledbove, wae square,used tha ort f aquadrct thaatict ϕ(2q) = q − 1 which is true bresidueecause q ifis itp rhasime. a square root, meaning there is some b ∈ G such that b2 = a in G.

9.4 Squares and•nWone -sletq QR(uaresG) = { g ∈ G : g is quadratic residue in G } An element a of a group G is called a square, or quadratic residue if it has a square root, meaning ∗ • We are mostly interested in the case where the group G is ZN for there is some b ∈ G such that b2 = a in G. We let some integer N. QR(G) = { g ∈ G : g is quadratic residue in G } Defs. An integer a is called a square mod N or quadratic residue denote the set of all squa•res in the group G. We leave to the reader to check that this set is a 2 subgroup of G. mod N if a mod N is a member of QR(Z∗ ). If b = a (mod N) then ∗ N We are mostly interestedbin isth callede case wah square-rootere the group Gofis aZ modN for N.so meAnin integerteger N .a Aisn calledinteger aa non- QR ∗ 2 is called a square mod N or quadrsquareatic modresidue N moro dquadrN if aaticmo dnon-residueN is a memb moder of N (ifZ aN )mod. If b N≡ isa a (mod N) then b is called a squmemberare-root ofof Za ∗mo d QR(N. ZAn∗ ).in teger a is called a non-square mod N or N − N ∗ ∗ quadratic non-residue mod N if a mod N is a member of ZN − QR(ZN ). We will begin by looking at the case where N = p is a prime. In this case we deﬁne a function J : Z → {−1, 1} by • Def. Let p be a prime. Define the Legendrep symbol of a 1 if a is a square mod p  Jp(a) =  0 if a mod p = 0  −1 otherwise.   for all a ∈ Z. We call Jp(a) the Legendre symbol of a. Thus, the Legendre symbol is simply a compact notation for telling us whether or not its argument is a square modulo p. Before we move to developing the theory, it may be useful to look at an example. Bellare and Rogaway 13

∗ Example 9.16 Let p = 11, which is prime. Then Z11 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} has order p−1 = Bellare and Rogaway ∗ 13 10. A simple way to determine QR(Z11) is to square all the group elements in turn: a 1 2 3 4 5 6 7 8 9 10 a2 mod 11 1 4 9 5 3 3 5 9 4 1 ∗ ExampleTh9.16e squaLetres apre=exa1ct1,lywthhicoseh elemenis prime.ts thaTthaenppeaZr11in=th{e1seco, 2,n3d, 4r,ow5,, 6so, 7, 8, 9, 10} has order p−1 = Example.∗ QR(Z∗ )? 10. A simple way to deter•mine QR(Z11) is t11o∗ square all the group elements in turn: QR(Z11) = {1, 3, 4, 5, 9} . The number of squa•res is 5, whicah we1 no2tice3equ4als (5p −61)/72. T8his 9is n1ot0a coincidence, as we will see. Also notice that each square has exactly two diﬀerent square roots. (The square roots of 1 are 2 1 and 10; the square•raootmos ofd3 1a1re 5 1and46; t9he squ5 a3re ro3ots5of 49are42 a1nd 9; the square roots of 5 are 4 and 7; the square roots of 9 are 3 and 8.) The squares are exactly thQR(ose Zelemen∗ )={1,ts t 3,h∗a t4,a p5,p ea9}r in the second row, so Since 11 is prime, we kn11ow that Z11 is cyclic, and as we saw in Example 9.9, 2 is a generator. ∗ 2 (As a side remark, we note thatQaRg(enZer11a)tor=mu{st1, b3e, 4a, n5o,n9-squ} . are. Indeed, if a = b is a square, 5 10 j then a = b = 1 moRecalldulo that11 beca Z∗useis1 0cyisclicth eandorder 2 oisf tah egenergroupator. So. a = 1 modulo 11 for The numbsoermeopf osqusitivaeresj

Proof of Proposition 9.17: Let i E = { g : i ∈ Zp−1 and i is even } . ∗ ∗ ∗ We will prove that E = QR(Zp) by showing ﬁrst that E ⊆ QR(Zp) and second that QR(Zp) ⊆ E. ∗ ∗ To show that E ⊆ QR(Z ), let a ∈ E. We will show that a ∈ QR(Z ). Let i = DLogZ∗ (a). Since p p p,g 14 COMPUTATIONAL NUMBER THEORY

a ∈ E we know that i is even. Let j = i/2 and note that j ∈ Zp−1. Clearly − (gj)2 ≡ g2j mod p 1 ≡ g2j ≡ gi (mod p) , so gj is a square root of a = gi. So a is a square. ∗ ∗ 2 To show that QR(Zp) ⊆ E, let b be any element of Zp. We will show that b ∈ E. Let j = DLogZ∗ (b). Then p,g − b2 ≡ (gj)2 ≡ g2j mod p 1 ≡ g2j (mod p) , COMP∗ UTATIONAL NUMBER THEOR2 Y the14last equivalence being true because the order of the group Zp is p − 1. This shows that b ∈ E.

The number of even integers in Zp−1 is exactly (p − 1)/2 since p − 1 is even. The claim about the ∗ size of QR(Zp) thus follows from Equation (9.2). It remains to justify the claim that every square mod p has exactly two square roots mod p. This can be seen Zby−a counting argument, as follows. a ∈BelE lwaree knandowRotghaawtaiy is even. Let j = i/2 and note that j ∈ p 1. Clearly 15 − Suppose a is a square mod p. Letj 2 i =2Dj moLodgpZ∗1 (a).2jWe kni ow from the above that i is even. Let (g ) ≡ g p,g≡ g ≡ g (mod p) , x x =soig/j2isanadsquletayre=roxot+o(fpa−=1g)/i.2Smoo adis(pa−squ1)a. rTe.hen g is a square root of a. Furthermore y 2 2y 2x+(p−1) 2x p−1 Proof of Lemma(g∗ )9.19:≡ g W≡e bgegin by ob≡sergvingg tha≡t∗1a ·a1nd≡−a1 a(remobodthp)squ, ar2e roots of 1 mod To show that QR(Zp) ⊆ E, let b be any element of Zp. We will show that b ∈ E. Let j = y p, and are distinct. (It is clear that squaring either of these yields 1, so they are square roots of 1. soDgLoisgZa∗lso,g(ba).squThaenre root of a. Since i is an even number in Zp−1 and p − 1 is even, it must be that Theyp are distinct because −1 equals p−1 mod p, and p−1 "= 1 because p ≥ 3.) By Proposition 9.17, 0 ≤ x < (p − 1)/2. It follows t2hat (pj −2 1)/22j≤moyd p<−1p − 12.j Thus x &= y. This means that a has as these are the only square rboo≡ts (ogf 1). N≡ogw let ≡ g (mod p) , least two square roots. This is true for each of the (p − 1)/2 squa∗res mod p. So the only possibility the last equivalence being true because the orderp−o1f the group Z is p − 1. This shows that b2 ∈ E. is that each of these squares has exactly twbo =squgar2e rmooodts.p . p The numb2er of even integers in Zp−1 is exactly (p − 1)/2 since p − 1 is even. The claim about the Then b ≡∗ 1 (mod p), so b is a square root of 1. By the above b can only be 1 or −1. However, size of QR(Z ) thus follows from Equation (9.2). It remains to justif∗y the claim thait every square Supposinseceweg aisrpea ingentererestatoedr, bincaknnnoowtinbge 1w.h(etThere smaor llestnot apogsitivivene ava∈lueZopf isi sua csquh thaarte gmoisd1p,momead pnising mod p has exactly two square roots mod p. This can be seen by a counting argument, as follows. we wain=t tpo−kn1.)owSothtehevaolunlye cohfoticehe isLegthenatdbr≡e sym−1 b(omol Jdp(pa)),.aPs rclaopimedositio. n 9.17 tells us that

Suppose a is a square mod p. Let i = DLogZ∗ (aD)L. oWgZe∗ kn(a)ow from the above that i is even. Let J (a) = (p−,g1) p,g , x =Pri/2oofanofd letPryop=osxition+ (p −9.18:1)/2 Bymopddefi(pn−itio1)n. oTf hthene Leggx isendarsque symareborl,oowteonf eeda. Ftuorshthoerwmothraet ∗ where g is any generatoyr 2of Zp2.y This2x+(hopw−1ev) er is2xnpo−t1very useful in computing Jp(a), because it (g ) ≡ pg−1 ≡ g 1 (mo≡dgp) g if a≡is aa ·squ1 ≡arae mo(mod pd p) , requires knowing the discretea lo2 ga≡rithm of a, which is hard to compute. The following Proposition y saysso gthaist atlsohe Lega squenadrererosymot obfoals. Soinf acemo−i is1daun(lomoevadenn po)ndudmotpbhrererimewinise.Zp pca−1nabned opb−ta1inisedevenby, ritaisinmustg abetothtahte 0 ≤ x < (p − 1)/2. It follow∗s that (p − 1)/2 ≤ y < p − 1. Thus x &= y. This means that a has as powerLet(p −g b1e)/a2,genanerdahtoelpr osf uZs coanmpd letutei =thDe LoLeggZen∗ d(rae).symWebcool.nsider separately the cases of a being a p p,g leastsqutwaoresquandarae broeinotgs.aTnhoisn-squis traure.e for each of the (p − 1)/2 squares mod p. So the only possibility is that each of these squares has exactly two square roots. PropSosupitionpose a9.18is a squLetarpe ≥mo3dbpe. aThpenrime.PropTohsitenion 9.17 tells us that i is even. In that case p−1 p−1 p−1 · p−1 − ∗ 2 i 2 i 2 2 p 1 i/2 COMPUTATIONAL NUMBER THEORY Suppose we a1r6e interestedain kn≡ow(gin)Jgpw(ah≡)et≡ghera or≡n(o(gtmoa d)givpen)≡ a1 ∈(moZp dispa) ,square mod p, meaning we want to ∗know the value of the Legendre symbol Jp(a). Proposition 9.17 tells us that for anaysadesir∈ Zedp.. ∗ DLogZ ,g(a) Now suppose a is a non-square moJdp(pa.)T=hen(−P1ro)positiop n 9.1,7 tells us that i is odd. In that case Proposition 9.21 Z∗ −1 −1 Let−1p ≥ 3 be a p−r1ime −a1nd let g be a generator−o1f p. T−h1en Now one can dpeterminie pwhetheri·∗p or not(ia−1is)· pa squ+ p are mop−d1 p(i−b1y)/r2unnping thep algorithm MOD-EXP where g is aany2 g≡en(erg a)to2r xyo≡f gZ .2 T≡hisg howev2 er is2 n≡ot(gverxy) useful· gin 2co≡mpguy 2ting(Jmop(da)p,)b.ecause it on inputs a, (p − 1)/2, p.JpIf(gthmoe adplgpo)r=ith1 m ifretanudrnonsly1ifthenJp(ag ismoa dsqup) a=r1e omor Jdp(gp,moanddpif) =it1r,eturns p − 1 requires knowing the discrete logarithm of a, which is hard to compute. The following Proposition (whichHoiswtevhere saLemmafomer allaxs,9−y.1∈19Zmotells−d. pu)s tthaent taheislaastnquona-squntitayrise mo−1dmop.duTlohups,, atshdeesirLegeden. dre symbol can be says that the Legendre symp 1bols of a modulo an odd prime p can be obtained by raising a to the computed in time cubic in the length of p. power (p − 1)/2, and helps us compute the Legendre symbol. TowarTdhsetfhoePrllopowrofoinogoff PoPrfroPopproositospitionoiositn iosa9.21:nys9t.1ha8Byt, waPbermoobpegodsitinpioiswn ita9.1hsqu7t, hitaersuefoffiifllocesawndtinoogshnlylemmaowiftheitat hwerhicbohthisaofatnend buasefreul squares, or if both are non-squares. But if one is a square and the other is not, then ab mod p is in its own right. xy mod (p − 1) is even if and only if x is even or y is even . Propa nosonition-squar9.18e. ThLetis capn≥b3e bperoavedFpactsrime.by. uLetsinT hpgen ≥eit 3h beer Pa rprime.oposit ioThenn 9.17 or Proposition 9.18. We use But since p − 1 is even, xy mod (p − 1) is even exactly when xy is even, and clearly xy is even the latter in the proof. You might try, as an exerp−1 cise, to reprove the result∗ using Proposition 9.17 exactly if either x or y is even J . ( a ) ≡ a 2 ( mo d p ) for any a ∈ Z Lemmainstea9.19d. Let p ≥ 3 be a prime.• Thpen p ∗ With a cyclic g1r6oup G and gpen−1erator g of G fixed, we will be interested in the dCistOMPribUuTtioATnIONAof thLe NUMBER THEORY for any a ∈ Zp. 2 ∗ xy g ≡ − 1 ( mo d p ) for any generator g of Z PropositionDH k9.20ey g Letin Gp, ≥und3erber•apnrdime.om chToiceshenof x, y from Zm, where m = |G|. One mighpt at first think for any generattohratginofthZis∗ca. se the DH key is a random group element. The following proposition tells us that Now one can determinep w∗hether or n J o pt ( a b is mo a d squ p ) a= r e J mop ( a )d · pJ p b( yb ) r ufornn aningy ath ∈e Zalg∗ orithm MOD-EXP in the group Zp of integer•s modulo a prime, this is certainly not true. The DpH key is sign∗ificantly on inputs a, (p − 1∗)/2, p. If tPrheopalgosoitionrithm9.21retuLetrnsp1≥th3enbe aa pisrimea squanadrlete mog bde pa,gaennerdaiftoitr orfetZu.rnTshpen− 1 for all a, bmo∈ rZe lik. ely to be a square than a non-square, and in particular is thus not even almost upniformly p xy x y (which is thedsaistmeribuatsed−o1vermothde gpr)outhp•.enJpa(gis amondonp-squ) = 1areifmoand opn.lyTifhus,Jpt(hge Legmodenp)d=re1symor Jbp(ogl camondbpe) = 1 , computed in time cubic in tfhoer alenll xg,tyh∈oZf p−. . of ∗ ∈ Proof of Proposition 9.20: Uforsin ang Ppyr 1generopositatorion 9g.1 8 Zwpe andget any x,y Z∗ p-1 Towards tPrheopprosooitionf of P9.22ropoLetsitiop ≥n 39.1be8,a wpreimebeganind wletitghbtehae gfoenlloerwatinorgoflemmaZp. Thenwhich is often useful p−1 p−1 p−1 2 $ 2 2$ xy in its own right. Jp(ab moPrdopof) ≡of• (Pr aP br op) x os ← ition ≡ Z ap − 1 9.21: ; by ← Z By≡ p − J1 P p r:( o aJp ) po (· sitg J iop ( )n b =) 9 .1 1 7( mo, =3/4it dsupffi )ces. to show that ! " The two quequanalstit3ies/4.we are considforerin ang yb ogenerxtyhmobeinatord (pg −geit 1ofh) erisZ ev∗1 enor −if1,aannddonequly ifal mox isduevloenp,ormyuisstevthenen. Lemma 9.19 Let p ≥ 3 be a prime. Then p be actually equal. But since p − 1 is even, xy mod (p − 1) is even exactly when xy is even, and clearly xy is even p−1 Proof of Proposexaitionctly9.22:if eithgerBy2xPo≡rropy−ois1sitevio(ennmo9. .2d2 pw)e need only show that A quantity of cryptographic inter$est is the D$ iffie-Hellmaxn (DH) key. yHaving fixed a cyclic group ∗ Pr x ← Z − ; y ← Z − : J (g ) = 1 or J (g ) = 1 for aGnyangdengerenaertoartogr ogf fZor .it, theWDitHh akcyclicey ap sso1grociauptGedaptnod1 elemengenperatotrs gXof=G gfipxxedan, dweYwill=bgeyinotfertestheedgrinoutpheisdistribution of the p ! xy Z " the groupequelemenals 3/t4g. xyTh.eTpDhroHebfakobeylloilitgwyininingquPGestr,oupionondsiterisior1an−ndtαoellsmwhcuerhsoeicesthatoftxh,eyDfrHomkeym,iswahersque mar=e if|Geit|. Oherne Xmight at first think that in this case the DH key is a random group element. The following proposition tells us that or Y is a square, and otherwise is a no∗n-square. in the grou$p Z of integ$ ers modulo ax prime, this is cery tainly not true. The DH key is significantly α = Pr x ← Zpp−1 ; y ← Zp−1 : Jp(g ) = −1 and Jp(g ) = −1 more lik! ely to be a square than a non-square, and in particula"r is thus not even almost uniformly $ x $ y d=istrPibrutxed←oZverp−1th:e Jgrpo(gup). = −1 · Pr y ← Zp−1 : Jp(g ) = −1 ! " ! " |QR(Z∗)| |QR(Z∗)| ∗ Pr= opositionp ·9.22 Letp p ≥ 3 be a prime and let g be a generator of Zp. Then |Z∗| |Z∗| p p $ $ xy Pr x ← Zp−1 ; y ← Zp−1 : Jp(g ) = 1 (p − 1)/2 (p − 1)/2 ! " = · equalsp3−/41. p − 1 1 1 = · Pro2of of2 Proposition 9.22: By Proposition 9.22 we need only show that 1 $ $ x y = . Pr x ← Zp−1 ; y ← Zp−1 : Jp(g ) = 1 or Jp(g ) = 1 4 ! " equals 3/4. The probability in question is 1 − α where ∗ Thus 1−α = 3/4 as desired. Here we used Proposition 9.17 which told us that |QR(Zp)| = (p−1)/2. $ $ x y α = Pr x ← Zp−1 ; y ← Zp−1 : Jp(g ) = −1 and Jp(g ) = −1 ! " $ x $ y The above Propositions, combin=ed wPitr hxP←ropZopsit−1io:n J9p.1(g8 ()w=hic−h1tells· Prus yth←atZqup−a1dr:atJicp(rgesid) =u-−1 ! " ! " osity modulo a prime can be efficiently tested)∗, will later∗lead us to pinpoint weaknesses in certain ∗ QR QR cryptographic schemes in Z . | (Zp)| | (Zp)| p = ∗ · ∗ |Zp| |Zp| (p − 1)/2 (p − 1)/2 = · p − 1 p − 1 1 1 = · 2 2 1 = . 4 ∗ Thus 1−α = 3/4 as desired. Here we used Proposition 9.17 which told us that |QR(Zp)| = (p−1)/2.

The above Propositions, combined with Proposition 9.18 (which tells us that quadratic residu- osity modulo a prime can be eﬃciently tested), will later lead us to pinpoint weaknesses in certain ∗ cryptographic schemes in Zp. 18 COMPUTATIONAL NUMBER THEORY Groups of prime order base g range in the set Zm where m = |G| is the order of G. This means that arithmetic in these expon•enDefts is. moAnd uelementlo m. If G h hofas apr imegroupord erG, isth encalledm is pnon-trivialrime. This meaif itn sist hnotat an equaly non -zero exponenttohas thea midentitultiplicatiy elementve inverse mofo dultheo mgroup. In o.ther words, in working in the exponents, we can divide. It is this that turns out to be useful. As• anFactexa.mp Anleyillu non-trivialstrating how memberwe use th is,oflet a ugroups retur noft oprimethe pro orderblem o fisth ae distribution of the DH kgenerey thatatorwe lo ofok edtheat groupin Sectio. n 9.4. Recall the question is that we draw x, y independently xy ∗ at random from Zm and then ask how g is distributed over G. We saw that when G = Zp for a prime•p F≥act3, t.h Letis dist qr ib≥u 3tio ben w as primenoticeb lysuchdiﬀer thatent fr pom =u n2qifo r+m. 1In isa alsogroup prime.of prime order, the ∗ distributThenion of QR(the DZHp)k eyis, ina groupcontrast of, is primevery clo orderse to u q.nif oFurthermore,rm over G. It is ifn ogt quis itane uyn iform, because the identity element of the group has a slightly higher probability of being the DH key than ∗ 2 ∗ other grogenerup elemenatorts, ofb uZtpth, ethendevia tgion modis sma pll isen oau ggenerh to beatorneg ligofib QR(le forZgpro).ups of reasonably large size. The following proposition summarizes the result. • Fact. Let g be a generator of a group of prime order q. Then for Proposition 9.26 Suppose G is a group of order q where q is a prime, and let g be a generator of any element Z of the group G. Then for any Z ∈ G we have 1 1 1 − if Z %= 1 ' ( $ $ xy  q q Pr x ← Zq ; y ← Zq : g = Z =  ! "  1 1 2 − if Z = 1, q ' q (   where 1 denotes the identity element of G.

Proof of Proposition 9.26: First suppose Z = 1. The DH key gxy is 1 if and only if either x or y is 0 modulo q. Each is 0 with probability 1/q and these probabilities are independent, so the probability that either x or y is 0 is 2/q − 1/q2, as claimed. ∗ z xy Now suppose Z %= 1. Let z = DLogG,g(Z), meaning z ∈ Zq and g = Z. We will have g ≡ Z (mod p) if and only if xy ≡ z (mod q), by the uniqueness of the discrete logarithm. For any ﬁxed ∗ −1 x ∈ Zq, there is exactly one y ∈ Zq for which xy ≡ z (mod q), namely y = x z mod q, where −1 ∗ x is the multiplicative inverse of x in the group Zq. (Here we are making use of the fact that q is prime, since otherwise the inverse of x modulo q may not exist.) Now, suppose we choose x at random from Zq. If x = 0 then, regardless of the choice of y ∈ Zq, we will not have xy ≡ z (mod q), because z %≡ 0 (mod q). On the other hand, if x %= 0 then there is exactly 1/q probability that the randomly chosen y is such that xy ≡ z (mod q). So the probability that xy ≡ z (mod q) when both x and y are chosen at random in Zq is q − 1 1 1 1 · = 1 − q q q ' q ( as desired. Here, the ﬁrst term is because when we choose x at random from Zq, it has probability ∗ (q − 1)/q of landing in Zq.

9.6 Historical Notes

9.7 Exercises and Problems Bellare and Rogaway 17

Bellare and Rogaway 17 9.5 Groups of prime order

9.5 GroA guropusp oof pprriimemeordoerrdisera group G whose order m = |G| is a prime number. Such a group is always cyclic. These groups turn out to be quite useful in cryptography, so let us take a brief look A group oaftptrhimeemoarnderd sois mea groofutphGeirwphrooseperortdies.er m = |G| is a prime number. Such a group is always cyclic.ATnheseelemengrouptshtuorfnaougtrotuopbeGquisitecaulledsefulninoncr-trypivitoalgraifphity, isso nletotuequs taakel taobtrhiefe loidoenk tity element of the at them agnrdosoupme. of their properties. An element h of a group G is called non-trivial if it is not equal to the identity element of the group. Proposition 9.23 Suppose G is a group of order q where q is a prime, and h is any non-trivial member of G. Then h is a generator of G. Proposition 9.23 Suppose G is a group of order q where q is a prime, and h is any non-trivial member of G. Then h is a generator of G. Proof of Proposition 9.23: It suﬃces to show that the order of h is q. We know that the Proof ofoPrrderoposofitionany g9.23:roup elemenIt suﬃtcesmutostshdoividw tehatthteheorodrerderofoftheisgrqo. uWp.e Skninocew thhaet gtrhoeup has prime order order of aqn,y tghreouopnelemenly possibt mleustvadluivideseftohretohrederordoferthoefghroaurpe. 1Sinacendthqe. gBuroutphhadsoesprimenotohrdaerve order 1 since it is q, the onlynopno-tssibriviale vl,alusoesitfomr tuhste ohradvere ofrdherarqe.1 and q. But h does not have order 1 since it is non-trivial, so it must have order q. A common way to obtain a group of prime order for cryptographic schemes is as a subgroup of a A commogronupwaoyf tino toegbterains amogrdouplooaf pprrimeime.ordWerefopriccrkypatporgimeraphicp hscahvinemesg tisheasparosupbergtryoutphoaftaq = (p − 1)/2 is also group of integers modulo a prime. We pick a prime p having the property that q = (p − 1)/2 is also prime. It turns out that the subgroup of quadratic residues modulo p then has order q, and hence prime. It turns out that the subgroup of quadratic residues modulo p then has order q, and hence is a groupisofapgrimerouporodferp. rTimehe foorllodwerin. gTphreopfositlloiowninsug mmaproproizessitiothne sufactmmas forrizesfuturtehreefferactensce.for future reference. ∗ QR ∗ PropositionProp9.24ositionLet q 9.24≥ 3 bLete a pqrime≥ 3subceh athaptrimep = su2qc+h 1thisatalsop =prime.2q + T1hisenaQlsoR(Zppr)ime.is a Then (Zp) is a ∗ 2 ∗ 2 group of pgrrimeouporodferprqime. Furotrhderermoqr.e,Fifurgthiseramony rge,enerif agtoisr oafnZyp,gentheneragtomor odf pZpis, athgenenergatomor odf p is a generator of QR Z∗ ∗ ( p). QR(Zp).

∗ ∗ Note that the operation under which QR(Zp) is a group is multiplication modulo p, the same Note that the∗ operation under which QR(Zp) is a group is multiplication modulo p, the same operation under which Zp is a group. ∗ operation under which Zp is a group. ∗ Proof of Proposition 9.24: We know that QR(Zp) is a subgroup∗, hence a group in its own ∗ Proof of PropositionQ9.24:R We know that QR(Zp) is a subgroup, hence a group in its own right. Proposition 9.17 tells us that | (Zp)| is (p − 1)/2,∗which equals q in this case. Now let g be right. ∗Proposition 92.17 tells us that |QR(Z )| is (p − 1)/2, which equals∗ q in this case. Now let g be a generator of Zp and let h = g mod p. We want to showp that h is a generator of QR(Zp). As per ∗ 2 ∗ Propositioang9en.23er, awteonreedof Zopnlyanshdoletw tha=t hgismonond-tpr.iviaWl,e meawanntintgo hsh#=ow1. tInhadteedh ,iswae gknenowerathtoatr of QR(Zp). As per g2 #≡ 1 (moProdppo)sit, bioecanu9se.2g3,, bweine gneeda genoernlyatoshr, ohwas tohrdaert hp isandnoonu-tr ariviassumpl, tmeaionsnimpinglyhp#=>12.. Indeed, we know that g2 #≡ 1 (mod p), because g, being a generator, has order p and our assumptions imply p > 2. Example 9.25 Let q = 5 and p = 2q + 1 = 11. Both p and q are primes. We know from • Example. Let q = 5 and p = 2q + 1 = 11. Example 9E.1xamp6 thatle 9.25 Let q = 5 and p = 2q + 1 = 11. Both p and q are primes. We know from • QR ∗ Example 9.16 that (Z11) = {1, 3, 4, 5, 9} . ∗ This is a group of prime order 5W. e Wknowe kn thatow f2ro ism aE generxa∗ mpatorle 9.9 oft ha∗t 2 is a generator of Zp. QR(Z ) =∗ {1, 3Z, 4, 5, 9} . 2 1Q1 R Z 11 Proposition 9.24 tells us that 4 = 2 is a generator of ( 11). We can verify this by raising ∗ 4 to the pTowheriss isi =a0,g.r.o. ,u4p: of prime order 5. We know from Example 9.9 that 2 is a generator of Zp. 2 ∗ ∗ Proposition 9.24 tells Letus ’st hvaerift 4y that= 2 24 =is 2a gisen a ergeneratoratorof QofR QR((Z Z11). ).We can verify this by raising i 0 1 2 3 4 11 4 to the powers i = 0, . . . , 4: 4i mod 11 1 4 5 9 3 i 0 1 2 3∗ 4 We see that the elements of the last row are exactly those of the set QR(Z11). 4i mod 11 1 4 5 9 3 Let us now explain what we perceive to be the advantage conferred by working in a grou∗p of prime ordWer.eLetseeGthbaetathcyclice elemengroupts, aonfdthgealagensterraotwora. rWe eexaknctowlythtahtotseheodfiscrtheetsete logQarRit(hZms11)t.o

Let us now explain what we perceive to be the advantage conferred by working in a group of prime order. Let G be a cyclic group, and g a generator. We know that the discrete logarithms to