Some Connections Between Primitive Roots and Quadratic Non-Residues Modulo a Prime

Sorin Iftene
Department of Computer Science, “Al. I. Cuza” University, Iasi, Romania

Abstract—In this paper we present some interesting connections between primitive roots and quadratic non-residues modulo a prime. Using these correlations, we propose some polynomial deterministic algorithms for generating primitive roots for primes with special forms (for example, for safe primes).

Index Terms—primitive roots, Legendre-Jacobi symbol, quadratic non-residues, square roots.

I. INTRODUCTION

Generating primitive roots modulo a prime is a fundamental problem in number theory, with major applications in cryptography. Diffie-Hellman key establishment scheme [1], ElGamal public-key cryptosystem [2], Schnorr identification scheme [3] and Digital Signature Scheme [4] are only a few examples which rely on generating primitive roots or elements of a certain order. Finding quadratic non-residues modulo a prime is another interesting problem in number theory. Tonelli-Shanks algorithm ([5], [6]) and Cipolla-Lehmer algorithm ([7], [8]) for computing square roots modulo a prime and Goldwasser-Micali probabilistic encryption scheme [9] are the most important applications that rely on generating quadratic non-residues.

In this paper we discuss comparatively these two issues. After presenting the existing randomized algorithm for generating primitive roots, we propose some polynomial deterministic algorithms for generating primitive roots for primes with special forms. The paper is structured as follows. Section 2 is dedicated to some mathematical preliminaries on primitive roots and quadratic non-residues. Section 3 presents some connections between primitive roots and quadratic non-residues modulo a prime. Generating primitive roots is discussed in Section 4. The last section concludes the paper.

II. MATHEMATICAL BACKGROUND

In this section we present some basic facts on number theory, focusing on primitive roots and quadratic non-residues. For more details, the reader is referred to [10], [11], [12], [13]. Computational aspects can be found in [14].

A. The order of an element. Primitive roots

Definition 1: Let $m \ge 2$ and $a \in \mathbb{Z}_m^*$. The order of $a$ modulo $m$, denoted by $\mathrm{ord}_m(a)$, is defined as

$$\mathrm{ord}_m(a) = \min(\{l \in \mathbb{N}^* \mid a^l \equiv 1 \bmod m\})$$

The most important properties of the order of an element are summarized in Proposition 1.

Proposition 1: Let $m \ge 2$, $a \in \mathbb{Z}_m^*$, and $k, l$ some integers.

1) If $a^k \equiv 1 \bmod m$ then $\mathrm{ord}_m(a) \mid k$. As a particular case, we obtain $\mathrm{ord}_m(a) \mid \varphi(m)$, where $\varphi$ denotes Euler's totient function;
2) The relation $a^k \equiv a^l \bmod m$ is equivalent with $k \equiv l \bmod \mathrm{ord}_m(a)$;
3) The next relation holds true:

$$\mathrm{ord}_m(a^k \bmod m) = \frac{\mathrm{ord}_m(a)}{(\mathrm{ord}_m(a), k)}.$$

Definition 2: Let $m \ge 2$ and $\alpha \in \mathbb{Z}_m^*$. The element $\alpha$ is called primitive root modulo $m$ if $\mathrm{ord}_m(\alpha) = \varphi(m)$.

Remark 1: In case that $\alpha$ is a primitive root modulo $m$, every element $\beta$ from the set $\mathbb{Z}_m^*$ can be uniquely expressed as $\beta = \alpha^i \bmod m$, for $i \in \mathbb{Z}_{\varphi(m)}$. The value $i$ will be referred to as the discrete logarithm (modulo $m$) to the base $\alpha$ of $\beta$ and we will write $i = \log_\alpha \beta$. While an expression of form $\beta = \alpha^i \bmod m$ can be efficiently computed given $\alpha, i, m$ (see, for example, [14]), the problem of finding the discrete logarithm modulo $m$ to the base $\alpha$ of $\beta$, given $\alpha, \beta, m$, is intractable.

The most important properties of the primitive roots are presented in Proposition 2.

Proposition 2: Let $m \ge 2$, $\alpha \in \mathbb{Z}_m^*$. Then

1) $\mathbb{Z}_m^*$ has primitive roots if and only if $m \in \{2, 4, p^k, 2p^k\}$, where $p$ is an odd prime and $k \ge 1$ (Gauss' Theorem);
2) If $\mathbb{Z}_m^*$ has primitive roots, then there are exactly $\varphi(\varphi(m))$ primitive roots modulo $m$;
3) If $\mathbb{Z}_m^*$ has primitive roots, $\alpha$ is a primitive root modulo $m$ if and only if the next relation holds:

$$\alpha^{\frac{\varphi(m)}{r}} \not\equiv 1 \bmod m,$$

for any prime divisor $r$ of $\varphi(m)$.

Proposition 2(3) does not always allow primitive roots modulo $m$ to be generated efficiently, because computing $\varphi(m)$ and factoring $\varphi(m)$ are intractable for large integers $m$.

Elements of order $q$ may be generated via primitive roots. More exactly, if $q \mid \varphi(m)$, $\alpha$ is a primitive root modulo $m$, and $\beta = \alpha^{\frac{\varphi(m)}{q}} \bmod m$, then $\mathrm{ord}_m(\beta) = q$. Indeed, by Proposition 1(3),

$$\mathrm{ord}_m(\alpha^{\frac{\varphi(m)}{q}} \bmod m) = \frac{\mathrm{ord}_m(\alpha)}{(\mathrm{ord}_m(\alpha), \frac{\varphi(m)}{q})} = \frac{\varphi(m)}{(\varphi(m), \frac{\varphi(m)}{q})} = q.$$

B. Quadratic (non-)residues. Square roots

Definition 3: Let $p$ be a prime and $a \in \mathbb{Z}_p^*$. We say that $a$ is a quadratic residue modulo $p$ if there exists $b \in \mathbb{Z}_p^*$ with the property $a = b^2 \bmod p$. Otherwise, $a$ is a quadratic non-residue modulo $p$.

For the simplicity of the notation, from this point forward we will omit the modular reduction modulo $p$, but the reader must be aware that all computations are performed modulo $p$ if not explicitly stated otherwise.

If $b^2 = a$ then $b$ will be referred to as a square root of $a$. We have to remark that if $a$ is a quadratic residue modulo $p$, $p$ odd prime, then $a$ has exactly two square roots - if $b$ is a square root of $a$, then $p - b$ is the other one. In particular, 1 has the square roots 1 and $(-1)$ (in this case, $(-1)$ will be regarded as being $p - 1$) or, equivalently, $a^2 = 1 \Leftrightarrow (a = 1 \lor a = (-1))$.

Definition 4: The Legendre symbol of $a$ modulo $p$, denoted as $\left(\frac{a}{p}\right)$, is defined to be equal to $\pm 1$ depending on whether $a$ is a quadratic residue modulo $p$. More exactly,

$$\left(\frac{a}{p}\right) = \begin{cases} 1, & \text{if } a \text{ is a quadratic residue mod } p; \\ -1, & \text{otherwise.} \end{cases}$$

The Jacobi symbol is a generalization of the Legendre symbol to arbitrary moduli and is defined as (the same notation is used):

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{e_1} \left(\frac{a}{p_2}\right)^{e_2} \cdots \left(\frac{a}{p_k}\right)^{e_k},$$

for any odd positive integer $n$, $a \in \mathbb{Z}_n^*$, where $p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ is the prime factorization of $n$.

The most important properties of the Legendre-Jacobi symbol are summarized in Proposition 3 (for more details, see [12], [13]).

Proposition 3:

1) (Euler's criterion) For any prime $p$ and $a \in \mathbb{Z}_p^*$, the following relation holds true: $a^{\frac{p-1}{2}} = \left(\frac{a}{p}\right)$;
2) $\left(\frac{-1}{p}\right) = (-1)^{\frac{p-1}{2}}$; that implies that $(-1)$ is a quadratic non-residue modulo $p$ if and only if $p \equiv 3 \bmod 4$;
3) $\left(\frac{2}{p}\right) = (-1)^{\frac{p^2-1}{8}}$; that implies that 2 is a quadratic non-residue modulo $p$ if and only if $p \equiv \pm 3 \bmod 8$;
4) $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$;
5) $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$ if and only if $a \equiv b \bmod n$; in particular, $\left(\frac{a}{n}\right) = \left(\frac{a \bmod n}{n}\right)$;
6) (law of quadratic reciprocity) $\left(\frac{a}{n}\right) = \left(\frac{n}{a}\right)(-1)^{\frac{a-1}{2} \cdot \frac{n-1}{2}}$, for any coprime odd positive integers $a, n$.

These properties lead to the following algorithm for computing the Legendre-Jacobi symbol ([12, page 113]):

    LegendreJacobi(a,n)
    input: n, an odd positive integer, a ∈ Z_n^*;
    output: (a/n);
    begin
      t := 1;
      while a ≠ 0 do
        while a mod 2 = 0 do
          a := a div 2;
          if n ≡ ±3 mod 8 then t := −t;
        swap(a,n);
        if (a ≡ 3 mod 4 and n ≡ 3 mod 4) then t := −t;
        a := a mod n;
      return(t)
    end.

Fig. 1: An algorithm for computing the Legendre-Jacobi symbol

The complexity of this algorithm is $O((\log_2(a))(\log_2(n)))$. Euler's criterion also provides a method of computing the Legendre symbol of $a$ modulo $p$ using an exponentiation modulo $p$, whose complexity is $O((\log_2(p))^3)$ (see, for example, [14]). There are faster methods for evaluating the Legendre-Jacobi symbol - see, for example, [15], which presents algorithms of complexity $O\left(\frac{(\log_2(p))^2}{\log_2(\log_2(p))}\right)$ for computing the Legendre-Jacobi symbol modulo $p$. Thus, it is important to remark that the evaluation of the Legendre-Jacobi symbol is much faster than an exponentiation.

It is known (see, for example, [16][Remark 2.151]) that for an odd prime $p$, half of the elements in $\mathbb{Z}_p^*$ are quadratic non-residues modulo $p$. Still, no deterministic polynomial algorithm is known for finding a quadratic non-residue modulo a prime. A randomized algorithm for finding a quadratic non-residue modulo a prime $p$ is to simply generate random elements in $\mathbb{Z}_p^*$ until one is found having its Legendre-Jacobi symbol equal to $-1$. The expected number of iterations before a quadratic non-residue modulo $p$ is found is two. An algorithm for generating a quadratic non-residue is presented next.

    GenerateQuadraticNonResidue(p)
    input: p, an odd prime;
    output: a quadratic non-residue modulo p;
    begin
      if p ≡ 3 mod 4 then return(−1)
      if p ≡ 5 mod 8 then return(2)
      repeat
        generate randomly a ∈ Z_p^*
      until LegendreJacobi(a,p) = −1
      return(a)
    end.

Fig. 2: An algorithm for generating a quadratic non-residue modulo a prime p

Computing square roots modulo a prime is another fundamental problem in number theory, with major applications such as primality testing, factorization or elliptic point compression.

Proposition 5: Let $p$ be an odd prime and $\alpha$ a quadratic non-residue modulo $p$. Then $\alpha$ is a primitive root modulo $p$ if and only if $\alpha^{\frac{p-1}{r}} \neq 1$ for any odd prime divisor $r$ of $(p - 1)$.
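An added Python example (not code from the paper): Fig. 1 and Fig. 2 implemented directly, with the Proposition 5 test built on top of them. The function names, the caller-supplied list of odd prime divisors, and the safe-prime shortcut $\alpha = -4$ (derived here from Propositions 3(2) and 5, not taken from the paper's Section 4) are assumptions of this example.

```python
import secrets

def jacobi(a, n):
    """Legendre-Jacobi symbol (a/n), n odd and positive, following Fig. 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    a %= n
    t = 1
    while a != 0:
        while a % 2 == 0:              # pull out factors of 2, Proposition 3(3)
            a //= 2
            if n % 8 in (3, 5):        # n ≡ ±3 mod 8
                t = -t
        a, n = n, a                    # quadratic reciprocity, Proposition 3(6)
        if a % 4 == 3 and n % 4 == 3:
            t = -t
        a %= n
    # Fig. 1 assumes gcd(a, n) = 1, so n ends at 1; 0 is returned otherwise.
    return t if n == 1 else 0

def quadratic_non_residue(p):
    """Fig. 2 for an odd prime p; -1 is returned as its representative p - 1."""
    if p % 4 == 3:
        return p - 1
    if p % 8 == 5:
        return 2
    while True:                        # expected two iterations
        a = secrets.randbelow(p - 1) + 1
        if jacobi(a, p) == -1:
            return a

def is_primitive_root(alpha, p, odd_prime_divisors):
    """Proposition 5: a non-residue with alpha^((p-1)/r) != 1 for every
    odd prime divisor r of p - 1 (the caller supplies those divisors)."""
    if jacobi(alpha, p) != -1:
        return False                   # a residue has order dividing (p-1)/2
    return all(pow(alpha, (p - 1) // r, p) != 1 for r in odd_prime_divisors)

def primitive_root_safe_prime(p):
    """Assumes p = 2q + 1 with q an odd prime (not checked here).
    p ≡ 3 mod 4, so -4 = (-1) * 2^2 is a non-residue, and (-4)^2 = 16 != 1
    for p >= 7, so Proposition 5 holds with the single odd divisor q."""
    alpha = p - 4
    assert is_primitive_root(alpha, p, [(p - 1) // 2])
    return alpha
```

For a safe prime the only modular exponentiation needed is a squaring, which is why a fixed element can be returned without any search.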
