
3 Primitive Roots, Indices and the Discrete Logarithm

It is well-understood that exponential and logarithmic functions are mutual inverses when thought of as functions on the real numbers:
$$y = g^x \iff x = \log_g y$$
This is number theory, so we want to know if something similar can be said for integers, or more precisely within modular arithmetic. The first operation, taking powers, makes perfect sense: for instance $5^3 \equiv 8 \pmod 9$. To what extent can we reverse this? In our example, is it reasonable to write, and/or make sense of, the following?
$$3 \equiv \log_5 8 \pmod 9$$
Answering this question will lead to the notion of a discrete logarithm.

3.1 A Little Abstract Algebra: Groups, Rings and Units

We start with a primer on group/ring theory.

Definition 3.1. A group is a set $G$ together with a binary operation $\cdot$ which satisfies the following properties:
• Closure: $\forall x, y \in G$, we have $x \cdot y \in G$.
• Associativity: $\forall x, y, z \in G$, we have $(x \cdot y) \cdot z = x \cdot (y \cdot z)$.
• Identity: $\exists e \in G$ such that $\forall g \in G$ we have $e \cdot g = g \cdot e = g$.
• Inverse: $\forall x \in G$, $\exists y \in G$ such that $x \cdot y = y \cdot x = e$.
A group is abelian if $\cdot$ is commutative: that is if $\forall x, y \in G$ we have $x \cdot y = y \cdot x$.

A ring is a set $R$ together with two binary operations $+$ and $\cdot$, which satisfy the following:
• $R$ is an abelian group under $+$: the symbol $0$ is often used for the additive identity element, i.e. $\forall x \in R$, $0 + x = x + 0 = x$.
• $R$ is associative with respect to $\cdot$.
• $R$ has a multiplicative identity element, often called $1$: i.e. $\forall x \in R$, $1 \cdot x = x \cdot 1 = x$.
• $R$ has the distributive laws: $\forall x, y, z \in R$, we have
$$x \cdot (y + z) = x \cdot y + x \cdot z, \qquad (x + y) \cdot z = x \cdot z + y \cdot z$$
A ring is a field $F$ if multiplication is commutative and every non-zero element has a multiplicative inverse: otherwise said, we require $F \setminus \{0\}$ to be an abelian group under multiplication. Rings generalize the concepts of addition and multiplication, while a field also does this for division by non-zero elements.
In number theory, the prototypical examples of rings are the sets of remainders $\mathbb{Z}_n$ under addition and multiplication modulo $n$, although we shall see others later. It is worth recalling the following related results, and how they can be rephrased in terms of groups and rings:

Theorem 3.2.
1. (Bézout's identity) $\gcd(g, n) = 1 \iff \exists h, s \in \mathbb{Z}$ such that $gh + ns = 1$.
2. (Division in $\mathbb{Z}_n$) $gx \equiv gy \pmod n \implies x \equiv y \pmod{\frac{n}{\gcd(g, n)}}$.

The first part of the Theorem can instead be written:
$$\gcd(g, n) = 1 \iff \exists h \in \mathbb{Z} \text{ such that } gh \equiv 1 \pmod n$$
$$\iff \exists h \in \mathbb{Z}_n \text{ such that } gh = 1$$
$$\iff g \text{ has a multiplicative inverse } h = g^{-1} \text{ in } \mathbb{Z}_n$$

We have the following immediate consequences:

Corollary 3.3.
1. The set of remainders coprime to $n$ is an abelian group under multiplication.
2. $\mathbb{Z}_n$ is a field if and only if $n$ is prime.

Definition 3.4. The set $\mathbb{Z}_n^\times := \{x \in \mathbb{Z}_n : \gcd(x, n) = 1\}$ is the group of units^a modulo $n$.
^a Generally, a unit is an element which has a multiplicative inverse: the set of such forms a group under multiplication.

Recall that the number of units modulo $n$ is given by Euler's totient function $\varphi(n)$.

Example 3.5. In $\mathbb{Z}_4$, the addition and multiplication tables are

  +4 | 0 1 2 3        ·4 | 0 1 2 3
  ---+--------        ---+--------
   0 | 0 1 2 3         0 | 0 0 0 0
   1 | 1 2 3 0         1 | 0 1 2 3
   2 | 2 3 0 1         2 | 0 2 0 2
   3 | 3 0 1 2         3 | 0 3 2 1

One can see the group of units in the second table: $\mathbb{Z}_4^\times = \{1, 3\}$

  ·4 | 1 3
  ---+----
   1 | 1 3
   3 | 3 1

Modulo 10, we have $\mathbb{Z}_{10}^\times = \{1, 3, 7, 9\}$ and, with a slight rearrangement, the multiplication table

  ·10 | 1 3 9 7
  ----+--------
    1 | 1 3 9 7
    3 | 3 9 7 1
    9 | 9 7 1 3
    7 | 7 1 3 9

Up to relabelling, this has exactly the same form as that for $\mathbb{Z}_4$ under addition. We say that the groups $(\mathbb{Z}_{10}^\times, \cdot_{10})$ and $(\mathbb{Z}_4, +_4)$ are isomorphic and that the function
$$\mu : \mathbb{Z}_{10}^\times \to \mathbb{Z}_4 : (1, 3, 9, 7) \mapsto (0, 1, 2, 3)$$
is an isomorphism.

Definition 3.6. Groups $G$ and $H$ are isomorphic if there exists a function $\mu : G \to H$ which satisfies:
1. $\mu$ is bijective;
2. $\mu$ is a homomorphism: $\forall g_1, g_2 \in G$, we have $\mu(g_1 \cdot_G g_2) = \mu(g_1) \cdot_H \mu(g_2)$.
We call $\mu$ an isomorphism and write $G \cong H$.
The above groups have another special property.

Definition 3.7. The cyclic subgroup generated by $g \in G$ is the set^a
$$\langle g \rangle = \{g^k : k \in \mathbb{Z}\} = \{\ldots, g^{-1}, e, g, g^2, \ldots\}$$
A group $G$ is cyclic if there exists $g$ such that $G = \langle g \rangle$: we call $g$ a generator of $G$.
^a It is conventional to take $g^0 = e$ (the identity) and $g^k = (g^{-1})^{-k}$ if $k < 0$. Our definition is for groups where the operation is multiplication: in an additive group, $g^k = \underbrace{g + \cdots + g}_{k \text{ times}} = kg$.

Example (3.5, mk. II). $(\mathbb{Z}_4, +)$ is generated by $1$, since
$$\langle 1 \rangle = \{1,\ 1 + 1,\ 1 + 1 + 1,\ 1 + 1 + 1 + 1,\ \ldots\} = \{1, 2, 3, 0\} = \mathbb{Z}_4$$
$(\mathbb{Z}_{10}^\times, \cdot)$ is generated by $3$, since
$$\langle 3 \rangle = \{3, 3^2, 3^3, 3^4, \ldots\} = \{3, 9, 7, 1\} = \mathbb{Z}_{10}^\times$$
Both groups are cyclic, and the isomorphism $\mu$ maps a generator of $\mathbb{Z}_{10}^\times$ to a generator of $\mathbb{Z}_4$. In fact the generator approach allows us to spot a simple formula for the isomorphism:
$$\mu(3^x) = x$$
Otherwise said, $\mu$ is playing the role of $\log_3$.

It is worth thinking a little about the standard (continuous) logarithms in this language. If $b > 0$ and $b \neq 1$, then the logarithm base $b$ is a bijection
$$\log_b : \mathbb{R}^+ \to \mathbb{R} \quad \text{such that} \quad \log_b(xy) = \log_b(x) + \log_b(y)$$
Otherwise said, $\log_b : (\mathbb{R}^+, \cdot) \to (\mathbb{R}, +)$ is a group isomorphism. This motivates our search for discrete logarithms: such should be isomorphisms of groups $\mu : (\mathbb{Z}_n^\times, \cdot) \to (\mathbb{Z}_{\varphi(n)}, +)$.

Exercises
1. We work in the ring $\mathbb{Z}_7$ of remainders modulo 7.
   (a) Compute the values $3^x$ in $\mathbb{Z}_7$, show that the group of units $\mathbb{Z}_7^\times$ is cyclic and describe an isomorphism $\mu : \mathbb{Z}_7^\times \to \mathbb{Z}_6$.
   (b) Use your answer to part (a) to solve the equation $3^x \equiv 6 \pmod 7$.
2. Find the group of units $\mathbb{Z}_8^\times$ modulo 8 and show that it is not cyclic.
3. If $x$ and $y$ are units, prove directly that $xy$ is also a unit.

3.2 Primitive Roots

We have the following questions:
• Is it always possible to define a logarithm-like function $\mu : \mathbb{Z}_n^\times \to \mathbb{Z}_{\varphi(n)}$ as we did above? More precisely, for which moduli $n$ can this be done?
• Given $n$, for what bases (e.g. $g = 3$ modulo 10 in the above example) can this be done?
To start answering these questions, we need a new piece of terminology.

Definition 3.8. If $g \in \mathbb{Z}_n^\times$, define the order of $g$ modulo $n$ to be
$$e_n(g) = \min\{k \in \mathbb{N} : g^k \equiv 1 \pmod n\}$$
More generally, the order of a group $G$ is its cardinality: the order of an element $g \in G$ is the order of the cyclic subgroup $\langle g \rangle$. Indeed it should be easy to convince yourself that
$$\langle g \rangle = \{g, g^2, g^3, \ldots\} = \{g, g^2, \ldots, g^{e_n(g) - 1}, 1\}$$
since $g^{e_n(g)} \equiv 1 \pmod n$. The following proof should help if you're stuck.

Theorem 3.9. The order of an element $g \in \mathbb{Z}_n^\times$ divides $\varphi(n)$.

This is just a special case of Lagrange's Theorem from Group Theory: the order of an element divides the order of the group. Here is a proof adapted to our situation.

Proof. We know that $g^{e_n(g)} \equiv 1 \pmod n$. Now assume that $g^k \equiv 1 \pmod n$ where $k > 0$. By the division algorithm, we know that there exist unique $q, r \in \mathbb{N}$ such that
$$k = q\, e_n(g) + r, \qquad 0 \leq r < e_n(g)$$
It follows that
$$1 \equiv g^k \equiv g^{q\, e_n(g) + r} \equiv \left(g^{e_n(g)}\right)^q \cdot g^r \equiv g^r \pmod n$$
This is a contradiction unless $r = 0$, since $e_n(g)$ is the smallest positive power that raises $g$ to obtain $1$. It follows that $e_n(g) \mid k$. Finally, Euler's Theorem says that $g^{\varphi(n)} \equiv 1 \pmod n$: taking $k = \varphi(n)$ gives the result.

Our notion of a discrete logarithm is predicated on the existence of an isomorphism between $\mathbb{Z}_n^\times$ and $\mathbb{Z}_{\varphi(n)}$. Otherwise said, we want $\mathbb{Z}_n^\times$ to be cyclic. Since a cyclic group requires a generator, we make the following definition.

Definition 3.10. A unit $g \in \mathbb{Z}_n^\times$ is a primitive root modulo $n$ if $e_n(g) = \varphi(n)$.

Equivalently, $g$ is a generator of the group of units: $\langle g \rangle = \mathbb{Z}_n^\times$.

In the special case that $n = p$ is prime, recall that $\varphi(p) = p - 1$ since every non-zero element of $\mathbb{Z}_p$ is a unit. An element $g \in \mathbb{Z}_p^\times$ is therefore a primitive root provided $e_p(g) = p - 1$.

Examples 3.11.
1. Thinking back to page 2 we see that $3$ is the only primitive root modulo 4: since $3^2 \equiv 1 \pmod 4$, the subgroup of $\mathbb{Z}_4^\times$ generated by $3$ is $\langle 3 \rangle = \{3, 1\} = \mathbb{Z}_4^\times$.
2. Also from the same page, we see that the primitive roots modulo 10 are $3$ and $7$.
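The definitions of Sections 3.1 and 3.2 (units, the order $e_n(g)$, primitive roots, and the logarithm-like isomorphism $\mu(g^x) = x$) can all be checked by brute force for small moduli. The following Python is an added illustration, not part of the original notes; the function names are mine, and the code works for any modulus rather than only the $n = 4$ and $n = 10$ examples in the text.

```python
from math import gcd


def units(n):
    """Z_n^x: the remainders modulo n coprime to n (Definition 3.4)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def order(g, n):
    """e_n(g): the least k >= 1 with g^k = 1 (mod n) (Definition 3.8).

    Only defined for units; for a non-unit the powers never reach 1.
    """
    if gcd(g, n) != 1:
        raise ValueError(f"{g} is not a unit modulo {n}")
    k, power = 1, g % n
    while power != 1:
        power = (power * g) % n
        k += 1
    return k


def primitive_roots(n):
    """Units whose order equals phi(n) = |Z_n^x| (Definition 3.10).

    An empty list means Z_n^x has no generator, i.e. is not cyclic.
    """
    phi = len(units(n))
    return [g for g in units(n) if order(g, n) == phi]


def discrete_log_table(g, n):
    """mu: Z_n^x -> Z_phi(n) with mu(g^x) = x, as a dict {g^x mod n: x}.

    The table is a bijection onto the units only if g is a primitive root.
    """
    phi = len(units(n))
    table = {pow(g, x, n): x for x in range(phi)}
    if len(table) != phi:
        raise ValueError(f"{g} is not a primitive root modulo {n}")
    return table


def is_isomorphism(g, n):
    """Homomorphism check of Definition 3.6: mu(ab) = mu(a) + mu(b) mod phi(n)."""
    mu = discrete_log_table(g, n)
    phi = len(mu)
    return all((mu[a] + mu[b]) % phi == mu[(a * b) % n] for a in mu for b in mu)


def orders_divide_phi(n):
    """Theorem 3.9 checked directly: e_n(g) divides phi(n) for every unit g."""
    phi = len(units(n))
    return all(phi % order(g, n) == 0 for g in units(n))
```

For $n = 10$, `discrete_log_table(3, 10)` returns `{1: 0, 3: 1, 9: 2, 7: 3}`, which is exactly the map $\mu : (1, 3, 9, 7) \mapsto (0, 1, 2, 3)$ from Example 3.5, and `primitive_roots(10)` returns `[3, 7]` as in Examples 3.11.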